switchroom 0.14.6 → 0.14.8

package/telegram-plugin/gateway/hostd-dispatch.ts

@@ -94,13 +94,14 @@ export function hostdWillBeUsed(agentName: string): boolean {
 export async function tryHostdDispatch(
   agentName: string,
   req: HostdRequest,
+  timeoutMs = 5000,
 ): Promise<HostdResponse | "not-configured"> {
   if (!isHostdEnabled()) return "not-configured";
   const sockPath = hostdSocketPath(agentName);
   if (!existsSync(sockPath)) return "not-configured";
   try {
     return await hostdRequest(
-      { socketPath: sockPath, timeoutMs: 5000 },
+      { socketPath: sockPath, timeoutMs },
       req,
     );
   } catch (err) {

package/telegram-plugin/permission-diff.ts

@@ -0,0 +1,382 @@
+/**
+ * Pure (no-I/O) helpers for the durable "🔁 Always allow" flow (#1977).
+ *
+ * The Telegram permission card's "Always allow" button used to shell
+ * `switchroom agent grant <agent> <rule>` which writes
+ * `/state/config/switchroom.yaml` — but that path is bind-mounted
+ * READ-ONLY into agent containers, so the write silently no-op'd.
+ * Durable host-config writes only land via the host-side `hostd`
+ * daemon's `config_propose_edit` flow, which takes a unified diff and
+ * runs it through `git apply --recount` against the live config.
+ *
+ * {@link synthesizeAllowRuleDiff} builds that diff by operating on the
+ * *literal* config text (never a parsed/merged object) so the diff's
+ * context lines byte-match the on-disk file — a requirement for
+ * `git apply` to succeed.
+ *
+ * {@link extractAddedAllowRule} is the inverse parse used by the
+ * single-tap auto-approve correlation: it returns the single
+ * `tools.allow` rule a diff adds, so the gateway can confirm that an
+ * inbound `request_config_approval` corresponds to a rule IT just
+ * queued (and so auto-approve without a second card), while any
+ * uncorrelated / forged edit still posts a real operator card.
+ *
+ * No file I/O, no yaml parsing of structure — deliberately. Callers
+ * read the raw config bytes and feed them in.
+ */
+
+const TARGET_HEADER_A = "--- a/switchroom.yaml";
+const TARGET_HEADER_B = "+++ b/switchroom.yaml";
+
+export interface SynthesizeAllowRuleDiffArgs {
+  /** Agent whose `tools.allow` gains the rule. */
+  agentName: string;
+  /** The rule token (e.g. `Bash`, `Skill(mail)`, `mcp__x__y`). */
+  rule: string;
+  /** RAW config file bytes (LF). NOT a parsed/merged object. */
+  configText: string;
+}
+
+/** Internal: a 0-based line index range describing a located block. */
+interface AgentBlock {
+  /** Indentation (spaces) of the `<agentName>:` key line. */
+  agentIndent: number;
+  /** 0-based index of the `<agentName>:` line. */
+  agentLineIdx: number;
+  /** 0-based index just past the agent block (exclusive). */
+  agentBlockEnd: number;
+}
+
+/** Count leading spaces of a line. */
+function indentOf(line: string): number {
+  let n = 0;
+  while (n < line.length && line[n] === " ") n++;
+  return n;
+}
+
+/** True if the line is blank or a comment (ignored for block scans). */
+function isBlankOrComment(line: string): boolean {
+  const t = line.trim();
+  return t.length === 0 || t.startsWith("#");
+}
+
+/**
+ * Locate the `agents:` → `<agentName>:` block in raw config text.
+ * Returns the agent key line index, its indentation, and the
+ * exclusive end of its block (first subsequent non-blank line at an
+ * indent ≤ the agent key's indent). Returns null if not found.
+ */
+function locateAgentBlock(
+  lines: string[],
+  agentName: string,
+): AgentBlock | null {
+  // Find a top-level `agents:` key (indent 0 by convention, but be
+  // lenient: any line whose trimmed form is exactly `agents:`).
+  let agentsIdx = -1;
+  let agentsIndent = 0;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!;
+    if (isBlankOrComment(line)) continue;
+    if (line.trim() === "agents:") {
+      agentsIdx = i;
+      agentsIndent = indentOf(line);
+      break;
+    }
+  }
+  if (agentsIdx === -1) return null;
+
+  // The agent keys are the first indent level deeper than `agents:`.
+  // Scan within the agents block for `<agentName>:`.
+  let childIndent = -1;
+  for (let i = agentsIdx + 1; i < lines.length; i++) {
+    const line = lines[i]!;
+    if (isBlankOrComment(line)) continue;
+    const ind = indentOf(line);
+    if (ind <= agentsIndent) break; // left the agents block
+    if (childIndent === -1) childIndent = ind;
+    if (ind !== childIndent) continue; // nested deeper — not an agent key
+    const key = line.slice(ind).split(":")[0]!.trim();
+    if (key === agentName) {
+      // Found it. Now find the block end.
+      let end = lines.length;
+      for (let j = i + 1; j < lines.length; j++) {
+        const l2 = lines[j]!;
+        if (isBlankOrComment(l2)) continue;
+        if (indentOf(l2) <= ind) {
+          end = j;
+          break;
+        }
+      }
+      return { agentIndent: ind, agentLineIdx: i, agentBlockEnd: end };
+    }
+  }
+  return null;
+}
+
+/** Locate the `tools:` line within an agent block (or null). */
+function locateToolsLine(
+  lines: string[],
+  block: AgentBlock,
+): { idx: number; indent: number } | null {
+  for (let i = block.agentLineIdx + 1; i < block.agentBlockEnd; i++) {
+    const line = lines[i]!;
+    if (isBlankOrComment(line)) continue;
+    const ind = indentOf(line);
+    if (ind <= block.agentIndent) break;
+    const key = line.slice(ind).split(":")[0]!.trim();
+    if (key === "tools" && ind === block.agentIndent + 2) {
+      return { idx: i, indent: ind };
+    }
+  }
+  return null;
+}
+
+/**
+ * Locate the `allow:` line within a `tools:` mapping. Returns its
+ * index, indent, and whether it is a flow list (`allow: [..]`) or a
+ * block sequence (`allow:` then `- x` lines).
+ */
+function locateAllowLine(
+  lines: string[],
+  toolsIdx: number,
+  toolsIndent: number,
+  blockEnd: number,
+): { idx: number; indent: number; inline: string } | null {
+  for (let i = toolsIdx + 1; i < blockEnd; i++) {
+    const line = lines[i]!;
+    if (isBlankOrComment(line)) continue;
+    const ind = indentOf(line);
+    if (ind <= toolsIndent) break; // left the tools mapping
+    const key = line.slice(ind).split(":")[0]!.trim();
+    if (key === "allow" && ind === toolsIndent + 2) {
+      const after = line.slice(line.indexOf(":") + 1);
+      return { idx: i, indent: ind, inline: after };
+    }
+  }
+  return null;
+}
+
+/**
+ * Build a unified-diff hunk from a contiguous slice of the original
+ * file. `lines` is the whole file split on `\n`. The hunk replaces the
+ * lines in `[changeStart, changeEnd)` with `replacement` (an array of
+ * raw lines, no leading `+`). `contextN` context lines are copied
+ * verbatim before and after. `@@` numbers are best-effort (hostd runs
+ * `git apply --recount`), but context lines byte-match the source.
+ */
+function buildHunk(
+  lines: string[],
+  changeStart: number,
+  changeEnd: number,
+  removed: string[],
+  added: string[],
+  contextN = 3,
+): string {
+  const preStart = Math.max(0, changeStart - contextN);
+  let postEnd = Math.min(lines.length, changeEnd + contextN);
+  // A `configText` that ends in `\n` splits to a trailing "" element
+  // that is NOT a real file line — including it as a context line
+  // (` `) makes `git apply` reject the hunk ("patch does not apply").
+  // Drop it from the trailing context window.
+  if (postEnd === lines.length && lines.length > 0 && lines[lines.length - 1] === "") {
+    postEnd -= 1;
+  }
+  const pre = lines.slice(preStart, changeStart);
+  const post = lines.slice(changeEnd, Math.max(changeEnd, postEnd));
+
+  const oldCount = pre.length + removed.length + post.length;
+  const newCount = pre.length + added.length + post.length;
+  const oldStartLine = preStart + 1;
+  const newStartLine = preStart + 1;
+
+  const out: string[] = [];
+  out.push(`@@ -${oldStartLine},${oldCount} +${newStartLine},${newCount} @@`);
+  for (const l of pre) out.push(` ${l}`);
+  for (const l of removed) out.push(`-${l}`);
+  for (const l of added) out.push(`+${l}`);
+  for (const l of post) out.push(` ${l}`);
+  return out.join("\n");
+}
+
+function wrapDiff(hunk: string): string {
+  return `${TARGET_HEADER_A}\n${TARGET_HEADER_B}\n${hunk}\n`;
+}
+
+/**
+ * Synthesize a git-apply-compatible unified diff that adds `rule` to
+ * the target agent's `tools.allow` in raw `configText`. Returns null if
+ * the agent block can't be located.
+ *
+ * Three structural cases:
+ *   (a) flow list on one line: `allow: [ all ]` / `allow: [X, Y]`
+ *       → one-line replace appending `, <rule>` before the closing `]`.
+ *   (b) block sequence: `allow:\n  - Bash`
+ *       → insert a new `  - <rule>` line after the last `- ` entry.
+ *   (c) `tools.allow` absent: insert
+ *       `    tools:\n      allow:\n        - <rule>` under the agent.
+ */
+export function synthesizeAllowRuleDiff(
+  args: SynthesizeAllowRuleDiffArgs,
+): string | null {
+  const { agentName, rule, configText } = args;
+  if (!agentName || !rule || !configText) return null;
+  const lines = configText.split("\n");
+  const block = locateAgentBlock(lines, agentName);
+  if (!block) return null;
+
+  const tools = locateToolsLine(lines, block);
+
+  // Case (c): no tools: mapping at all → insert tools/allow/rule under
+  // the agent block, indented two deeper than the agent key.
+  if (!tools) {
+    const baseIndent = block.agentIndent + 2;
+    const insertAt = block.agentLineIdx + 1;
+    const added = [
+      `${" ".repeat(baseIndent)}tools:`,
+      `${" ".repeat(baseIndent + 2)}allow:`,
+      `${" ".repeat(baseIndent + 4)}- ${rule}`,
+    ];
+    const hunk = buildHunk(lines, insertAt, insertAt, [], added);
+    return wrapDiff(hunk);
+  }
+
+  const allow = locateAllowLine(
+    lines,
+    tools.idx,
+    tools.indent,
+    block.agentBlockEnd,
+  );
+
+  // tools: present but no allow: key → insert an allow block under it.
+  if (!allow) {
+    const baseIndent = tools.indent + 2;
+    const insertAt = tools.idx + 1;
+    const added = [
+      `${" ".repeat(baseIndent)}allow:`,
+      `${" ".repeat(baseIndent + 2)}- ${rule}`,
+    ];
+    const hunk = buildHunk(lines, insertAt, insertAt, [], added);
+    return wrapDiff(hunk);
+  }
+
+  const inlineTrimmed = allow.inline.trim();
+
+  // Case (a): flow list on one line.
+  if (inlineTrimmed.startsWith("[")) {
+    const original = lines[allow.idx]!;
+    const close = original.lastIndexOf("]");
+    if (close === -1) return null;
+    // Empty list `[]` / `[ ]` → first element, no leading comma.
+    const inner = original.slice(original.indexOf("[") + 1, close).trim();
+    const replacement =
+      inner.length === 0
+        ? `${original.slice(0, close)}${rule}${original.slice(close)}`
+        : `${original.slice(0, close).replace(/\s*$/, "")}, ${rule}${original.slice(close)}`;
+    const hunk = buildHunk(
+      lines,
+      allow.idx,
+      allow.idx + 1,
+      [original],
+      [replacement],
+    );
+    return wrapDiff(hunk);
+  }
+
+  // Case (b): block sequence. Find the last `- ` entry at indent
+  // allow.indent + 2 and insert a new entry after it.
+  const itemIndent = allow.indent + 2;
+  let lastItemIdx = -1;
+  for (let i = allow.idx + 1; i < block.agentBlockEnd; i++) {
+    const line = lines[i]!;
+    if (isBlankOrComment(line)) continue;
+    const ind = indentOf(line);
+    if (ind <= allow.indent) break; // left the allow sequence
+    const t = line.slice(ind);
+    if (ind === itemIndent && t.startsWith("- ")) {
+      lastItemIdx = i;
+    }
+  }
+  if (lastItemIdx === -1) {
+    // `allow:` with no entries (e.g. empty seq) — insert the first one.
+    const insertAt = allow.idx + 1;
+    const added = [`${" ".repeat(itemIndent)}- ${rule}`];
+    const hunk = buildHunk(lines, insertAt, insertAt, [], added);
+    return wrapDiff(hunk);
+  }
+  const insertAt = lastItemIdx + 1;
+  const added = [`${" ".repeat(itemIndent)}- ${rule}`];
+  const hunk = buildHunk(lines, insertAt, insertAt, [], added);
+  return wrapDiff(hunk);
+}
+
+/**
+ * Inverse of {@link synthesizeAllowRuleDiff} for the correlation check:
+ * return the single `tools.allow` rule token added by the diff, or null
+ * if the diff doesn't add exactly one such rule.
+ *
+ * Recognises both shapes the synthesizer emits:
+ *   - a block-sequence add: `+        - <rule>`
+ *   - a flow-list element appended on a replaced line: the `+` line
+ *     differs from the `-` line by a single trailing `, <rule>` (or a
+ *     first element inside an empty `[]`).
+ *
+ * Deliberately strict: returns null on multi-add / structural diffs so
+ * a forged edit touching arbitrary fields can never be mistaken for a
+ * queued always-allow rule.
+ */
+export function extractAddedAllowRule(unifiedDiff: string): string | null {
+  if (!unifiedDiff) return null;
+  const lines = unifiedDiff.split("\n");
+  const plus: string[] = [];
+  const minus: string[] = [];
+  for (const l of lines) {
+    if (l.startsWith("+++") || l.startsWith("---")) continue;
+    if (l.startsWith("@@")) continue;
+    if (l.startsWith("+")) plus.push(l.slice(1));
+    else if (l.startsWith("-")) minus.push(l.slice(1));
+  }
+
+  // Block-sequence add: exactly one `+` line of the form `  - <rule>`
+  // and no `-` (removal) lines, OR (case-c/no-allow insert) several
+  // `+` lines where exactly one is a `- <rule>` item.
+  if (minus.length === 0) {
+    const items = plus
+      .map((p) => {
+        const ind = indentOf(p);
+        const t = p.slice(ind);
+        return t.startsWith("- ") ? t.slice(2).trim() : null;
+      })
+      .filter((x): x is string => x !== null);
+    if (items.length === 1) return items[0]!;
+    return null;
+  }
+
+  // Flow-list append: one `-` line replaced by one `+` line that adds a
+  // trailing element. Diff the two for the new `]`-interior token(s).
+  if (minus.length === 1 && plus.length === 1) {
+    const before = extractFlowItems(minus[0]!);
+    const after = extractFlowItems(plus[0]!);
+    if (before === null || after === null) return null;
+    if (after.length !== before.length + 1) return null;
+    // The new element is the one in `after` not in `before` (by
+    // position — synthesizer appends, so it's the last).
+    const added = after[after.length - 1]!;
+    // Confirm prefix matches (defense against reordering forgery).
+    for (let i = 0; i < before.length; i++) {
+      if (before[i] !== after[i]) return null;
+    }
+    return added;
+  }
+
+  return null;
+}
+
+/** Parse the bracketed flow-list items from a `allow: [ ... ]` line. */
+function extractFlowItems(line: string): string[] | null {
+  const open = line.indexOf("[");
+  const close = line.lastIndexOf("]");
+  if (open === -1 || close === -1 || close < open) return null;
+  const inner = line.slice(open + 1, close).trim();
+  if (inner.length === 0) return [];
+  return inner.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
+}

package/telegram-plugin/tests/always-allow-correlation.test.ts

@@ -0,0 +1,147 @@
+/**
+ * Single-tap correlation auto-resolve for the durable "🔁 Always allow"
+ * flow (#1977, security-critical).
+ *
+ * When the gateway dispatches a `config_propose_edit` to hostd in
+ * response to an operator tap, hostd calls back asking for operator
+ * approval. The `tryAutoResolve` hook lets the gateway auto-approve
+ * THAT (already-operator-tapped) edit WITHOUT posting a second card,
+ * while any uncorrelated (e.g. agent-forged) config edit still posts a
+ * real operator approval card.
+ *
+ * These tests pin the handler contract:
+ *   - tryAutoResolve → 'approve': sends config_approval_resolved
+ *     (verdict: approve), does NOT post a card, creates NO pending
+ *     entry, arms NO timer.
+ *   - tryAutoResolve → null (forge / normal path): posts the card AND
+ *     creates a pending entry (the real human-in-the-loop control).
+ */
+
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
+import {
+  handleRequestConfigApproval,
+  _resetPendingConfigApprovalsForTest,
+  _peekPendingConfigApprovalForTest,
+  type ConfigApprovalHandlerDeps,
+} from '../gateway/config-approval-handler.js'
+import type { RequestConfigApprovalMessage } from '../gateway/ipc-protocol.js'
+
+function makeMsg(overrides: Partial<RequestConfigApprovalMessage> = {}): RequestConfigApprovalMessage {
+  return {
+    type: 'request_config_approval',
+    requestId: 'req-abc123',
+    agentName: 'clerk',
+    reason: "Operator 'always allow' for Bash",
+    unifiedDiff: [
+      '--- a/switchroom.yaml',
+      '+++ b/switchroom.yaml',
+      '@@ -1,3 +1,4 @@',
+      ' agents:',
+      '   clerk:',
+      '     tools:',
+      '+      - Bash',
+    ].join('\n'),
+    timeoutMs: 600_000,
+    ...overrides,
+  }
+}
+
+interface SentMsg {
+  type: string
+  requestId?: string
+  verdict?: string
+  [k: string]: unknown
+}
+
+describe('always-allow correlation — auto-resolve path', () => {
+  beforeEach(() => {
+    _resetPendingConfigApprovalsForTest()
+    vi.useFakeTimers()
+  })
+  afterEach(() => {
+    vi.clearAllTimers()
+    vi.useRealTimers()
+    _resetPendingConfigApprovalsForTest()
+  })
+
+  it("tryAutoResolve → 'approve': sends approve verdict, NO card, NO pending entry, NO timer", async () => {
+    const sent: SentMsg[] = []
+    const postCard = vi.fn(async () => ({ messageId: 42 }))
+    const client = { send: (m: SentMsg) => sent.push(m) }
+    const msg = makeMsg()
+    const deps: ConfigApprovalHandlerDeps = {
+      agentName: 'clerk',
+      loadTargetChat: () => ({ chatId: 1001 }),
+      postCard,
+      buildKeyboard: () => ({ inline_keyboard: [] }),
+      editCard: async () => {},
+      log: () => {},
+      tryAutoResolve: () => 'approve',
+    }
+
+    await handleRequestConfigApproval(client, msg, deps)
+
+    // Verdict sent — approve.
+    expect(sent).toHaveLength(1)
+    expect(sent[0]).toMatchObject({
+      type: 'config_approval_resolved',
+      requestId: 'req-abc123',
+      verdict: 'approve',
+    })
+    // No card posted.
+    expect(postCard).not.toHaveBeenCalled()
+    // No pending entry created.
+    expect(_peekPendingConfigApprovalForTest('req-abc123')).toBeUndefined()
+    // No timer armed — advancing past the timeout fires nothing extra.
+    vi.advanceTimersByTime(700_000)
+    expect(sent).toHaveLength(1)
+  })
+
+  it('tryAutoResolve → null (forge / normal path): posts card AND creates a pending entry', async () => {
+    const sent: SentMsg[] = []
+    const postCard = vi.fn(async () => ({ messageId: 77 }))
+    const client = { send: (m: SentMsg) => sent.push(m) }
+    const msg = makeMsg({ requestId: 'req-forge99' })
+    const deps: ConfigApprovalHandlerDeps = {
+      agentName: 'clerk',
+      loadTargetChat: () => ({ chatId: 1001 }),
+      postCard,
+      buildKeyboard: () => ({ inline_keyboard: [] }),
+      editCard: async () => {},
+      log: () => {},
+      tryAutoResolve: () => null,
+    }
+
+    await handleRequestConfigApproval(client, msg, deps)
+
+    // Card WAS posted.
+    expect(postCard).toHaveBeenCalledTimes(1)
+    // A pending entry exists, awaiting the operator tap.
+    const entry = _peekPendingConfigApprovalForTest('req-forge99')
+    expect(entry).toBeDefined()
+    expect(entry?.messageId).toBe(77)
+    expect(entry?.resolved).toBe(false)
+    // No verdict sent yet — the operator hasn't tapped.
+    expect(sent).toHaveLength(0)
+  })
+
+  it('no tryAutoResolve dep at all: behaves as the normal card path', async () => {
+    const sent: SentMsg[] = []
+    const postCard = vi.fn(async () => ({ messageId: 88 }))
+    const client = { send: (m: SentMsg) => sent.push(m) }
+    const msg = makeMsg({ requestId: 'req-nohook' })
+    const deps: ConfigApprovalHandlerDeps = {
+      agentName: 'clerk',
+      loadTargetChat: () => ({ chatId: 1001 }),
+      postCard,
+      buildKeyboard: () => ({ inline_keyboard: [] }),
+      editCard: async () => {},
+      log: () => {},
+    }
+
+    await handleRequestConfigApproval(client, msg, deps)
+
+    expect(postCard).toHaveBeenCalledTimes(1)
+    expect(_peekPendingConfigApprovalForTest('req-nohook')).toBeDefined()
+  })
+})