switchroom 0.14.91 → 0.14.92

package/dist/auth-broker/index.js

@@ -10969,15 +10969,54 @@ var AgentBindMountSchema = exports_external.object({
   target: exports_external.string().optional().describe("Container path the source mounts to. Must be absolute. Defaults to " + "the same path as `source` (matches switchroom's existing dual-mount " + "convention so absolute paths in scaffolded scripts Just Work)."),
   mode: exports_external.enum(["ro", "rw"]).optional().describe("Read-only (default) or read-write. Use `rw` only when the agent " + "must mutate the host path (e.g. editing switchroom source). " + "Default: 'ro'.")
 });
+var HttpDiffPollSchema = exports_external.object({
+  type: exports_external.literal("http-diff"),
+  url: exports_external.string().url().describe("Poll target. Host MUST match the operator egress allowlist (§6.1) — " + "loopback/private/link-local/non-https are rejected; the IP is " + "resolve-then-pinned against DNS-rebind. Not agent-writable without " + "operator commit."),
+  method: exports_external.enum(["GET", "POST"]).default("GET"),
+  headers: exports_external.record(exports_external.string()).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this poll may inject into request headers. Each is " + "HOST-PINNED (§6.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved poll cannot exfil it elsewhere."),
+  diff_jsonpath: exports_external.string().describe("JSONPath into the response; the extracted value is compared to state_key."),
+  state_key: exports_external.string().describe("Key under /state/agent/poll-state.json holding the last-seen value.")
+});
+var TelegramReactionsPollSchema = exports_external.object({
+  type: exports_external.literal("telegram-reactions"),
+  chat_id: exports_external.union([exports_external.string().min(1), exports_external.number().int()]).describe("Chat to scan for reactions (model-free internal gateway query)."),
+  emoji: exports_external.string().min(1).describe("Reaction emoji that marks a message for capture (e.g. \uD83D\uDC68‍\uD83D\uDCBB)."),
+  lookback: exports_external.number().int().positive().max(200).default(40),
+  state_key: exports_external.string().describe("Key under poll-state.json holding the last-processed message id.")
+});
+var PollSpecSchema = exports_external.discriminatedUnion("type", [
+  HttpDiffPollSchema,
+  TelegramReactionsPollSchema
+]);
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-  prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+  prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
+  kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+  poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+  model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) — the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
+  context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' → a minimal-" + "context cheap cron session (Tier 1). 'agent' → the agent's live " + "session with full persona/memory (Tier 2). Unset → inferred from " + "`model` (cheap→fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
   topic: exports_external.union([
     exports_external.string().min(1, "topic alias must be non-empty"),
     exports_external.number().int().positive("topic ID must be a positive integer")
   ]).optional().describe("Forum topic this cron fires into when the owning agent is in " + "supergroup-owned mode (channels.telegram.chat_id set). Either a " + 'string alias resolved against `topic_aliases` (e.g. "planning") ' + "or a numeric topic ID. Falls back to the agent's `default_topic_id` " + "when unset. Ignored for agents in fleet-shared or dm_only mode. " + "Alias-resolution happens at config-load — typos surface immediately. " + "See docs/rfcs/supergroup-mode.md.")
+}).superRefine((entry, ctx) => {
+  const kind = entry.kind ?? "prompt";
+  if (kind === "poll" && !entry.poll) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["poll"],
+      message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
+    });
+  }
+  if (kind === "prompt" && entry.poll) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["poll"],
+      message: "`poll` is only valid when kind: poll."
+    });
+  }
 });
 var AgentSoulSchema = exports_external.object({
   name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -11424,6 +11463,13 @@ var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
 });
+var CronEgressSchema = exports_external.object({
+  allowed_hosts: exports_external.array(exports_external.string().min(1)).default([]).describe("Hosts a poll may reach (exact, https-only). loopback/private/IP-literal are always rejected."),
+  secret_bindings: exports_external.record(exports_external.string(), exports_external.string().min(1)).default({}).describe("secretName → the single host it may be sent to. A poll carrying a secret to any other host is rejected.")
+});
+var CronConfigSchema = exports_external.object({
+  egress: CronEgressSchema.optional().describe("SSRF/exfil fence for http-diff polls.")
+});
 var SwitchroomConfigSchema = exports_external.object({
   switchroom: exports_external.object({
     version: exports_external.literal(1).describe("Config schema version"),
@@ -11472,7 +11518,8 @@ var SwitchroomConfigSchema = exports_external.object({
   profiles: exports_external.record(exports_external.string(), ProfileSchema).optional().describe("Named profile definitions. Agents reference via `extends: <name>`. " + "Inline profiles declared here take priority over filesystem " + "profiles/<name>/ directories when both exist."),
   agents: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
     message: "Agent name must start with a letter/digit, contain only lowercase letters/digits/hyphens/underscores, and be at most 51 characters (Telegram callback_data byte limit)"
-  }), AgentSchema).describe("Map of agent name to agent configuration")
+  }), AgentSchema).describe("Map of agent name to agent configuration"),
+  cron: CronConfigSchema.optional().describe("Cheap-cron settings (docs/rfcs/cheap-cron-sessions.md). Operator-owned " + "egress allowlist + host-pinned secret bindings for Tier-0 http-diff " + "polls (§6.1). Required to enable any http-diff poll; not agent-writable.")
 });
 
 // src/config/paths.ts

package/dist/cli/notion-write-pretool.mjs

@@ -11717,15 +11717,54 @@ var AgentBindMountSchema = exports_external.object({
   target: exports_external.string().optional().describe("Container path the source mounts to. Must be absolute. Defaults to " + "the same path as `source` (matches switchroom's existing dual-mount " + "convention so absolute paths in scaffolded scripts Just Work)."),
   mode: exports_external.enum(["ro", "rw"]).optional().describe("Read-only (default) or read-write. Use `rw` only when the agent " + "must mutate the host path (e.g. editing switchroom source). " + "Default: 'ro'.")
 });
+var HttpDiffPollSchema = exports_external.object({
+  type: exports_external.literal("http-diff"),
+  url: exports_external.string().url().describe("Poll target. Host MUST match the operator egress allowlist (\u00a76.1) \u2014 " + "loopback/private/link-local/non-https are rejected; the IP is " + "resolve-then-pinned against DNS-rebind. Not agent-writable without " + "operator commit."),
+  method: exports_external.enum(["GET", "POST"]).default("GET"),
+  headers: exports_external.record(exports_external.string()).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this poll may inject into request headers. Each is " + "HOST-PINNED (\u00a76.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved poll cannot exfil it elsewhere."),
+  diff_jsonpath: exports_external.string().describe("JSONPath into the response; the extracted value is compared to state_key."),
+  state_key: exports_external.string().describe("Key under /state/agent/poll-state.json holding the last-seen value.")
+});
+var TelegramReactionsPollSchema = exports_external.object({
+  type: exports_external.literal("telegram-reactions"),
+  chat_id: exports_external.union([exports_external.string().min(1), exports_external.number().int()]).describe("Chat to scan for reactions (model-free internal gateway query)."),
+  emoji: exports_external.string().min(1).describe("Reaction emoji that marks a message for capture (e.g. \uD83D\uDC68\u200d\uD83D\uDCBB)."),
+  lookback: exports_external.number().int().positive().max(200).default(40),
+  state_key: exports_external.string().describe("Key under poll-state.json holding the last-processed message id.")
+});
+var PollSpecSchema = exports_external.discriminatedUnion("type", [
+  HttpDiffPollSchema,
+  TelegramReactionsPollSchema
+]);
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-  prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "\u2014 this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+  prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
+  kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+  poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+  model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) \u2014 the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
+  context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' \u2192 a minimal-" + "context cheap cron session (Tier 1). 'agent' \u2192 the agent's live " + "session with full persona/memory (Tier 2). Unset \u2192 inferred from " + "`model` (cheap\u2192fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default \u2014 broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary \u2014 " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
   topic: exports_external.union([
     exports_external.string().min(1, "topic alias must be non-empty"),
     exports_external.number().int().positive("topic ID must be a positive integer")
   ]).optional().describe("Forum topic this cron fires into when the owning agent is in " + "supergroup-owned mode (channels.telegram.chat_id set). Either a " + 'string alias resolved against `topic_aliases` (e.g. "planning") ' + "or a numeric topic ID. Falls back to the agent's `default_topic_id` " + "when unset. Ignored for agents in fleet-shared or dm_only mode. " + "Alias-resolution happens at config-load \u2014 typos surface immediately. " + "See docs/rfcs/supergroup-mode.md.")
+}).superRefine((entry, ctx) => {
+  const kind = entry.kind ?? "prompt";
+  if (kind === "poll" && !entry.poll) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["poll"],
+      message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
+    });
+  }
+  if (kind === "prompt" && entry.poll) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["poll"],
+      message: "`poll` is only valid when kind: poll."
+    });
+  }
 });
 var AgentSoulSchema = exports_external.object({
   name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -12172,6 +12211,13 @@ var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit \u00a73). Default false \u2014 the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit \u00a75). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
 });
+var CronEgressSchema = exports_external.object({
+  allowed_hosts: exports_external.array(exports_external.string().min(1)).default([]).describe("Hosts a poll may reach (exact, https-only). loopback/private/IP-literal are always rejected."),
+  secret_bindings: exports_external.record(exports_external.string(), exports_external.string().min(1)).default({}).describe("secretName \u2192 the single host it may be sent to. A poll carrying a secret to any other host is rejected.")
+});
+var CronConfigSchema = exports_external.object({
+  egress: CronEgressSchema.optional().describe("SSRF/exfil fence for http-diff polls.")
+});
 var SwitchroomConfigSchema = exports_external.object({
   switchroom: exports_external.object({
     version: exports_external.literal(1).describe("Config schema version"),
@@ -12220,7 +12266,8 @@ var SwitchroomConfigSchema = exports_external.object({
   profiles: exports_external.record(exports_external.string(), ProfileSchema).optional().describe("Named profile definitions. Agents reference via `extends: <name>`. " + "Inline profiles declared here take priority over filesystem " + "profiles/<name>/ directories when both exist."),
   agents: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
     message: "Agent name must start with a letter/digit, contain only lowercase letters/digits/hyphens/underscores, and be at most 51 characters (Telegram callback_data byte limit)"
-  }), AgentSchema).describe("Map of agent name to agent configuration")
+  }), AgentSchema).describe("Map of agent name to agent configuration"),
+  cron: CronConfigSchema.optional().describe("Cheap-cron settings (docs/rfcs/cheap-cron-sessions.md). Operator-owned " + "egress allowlist + host-pinned secret bindings for Tier-0 http-diff " + "polls (\u00a76.1). Required to enable any http-diff poll; not agent-writable.")
 });
 
 // src/config/paths.ts