switchroom 0.14.91 → 0.14.92

package/dist/cli/switchroom.js

@@ -13520,7 +13520,7 @@ var init_zod = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, DEFAULT_PROFILE = "default", AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, HttpDiffPollSchema, TelegramReactionsPollSchema, PollSpecSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, DEFAULT_PROFILE = "default", AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, CronEgressSchema, CronConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -13533,15 +13533,54 @@ var init_schema = __esm(() => {
     target: exports_external.string().optional().describe("Container path the source mounts to. Must be absolute. Defaults to " + "the same path as `source` (matches switchroom's existing dual-mount " + "convention so absolute paths in scaffolded scripts Just Work)."),
     mode: exports_external.enum(["ro", "rw"]).optional().describe("Read-only (default) or read-write. Use `rw` only when the agent " + "must mutate the host path (e.g. editing switchroom source). " + "Default: 'ro'.")
   });
+  HttpDiffPollSchema = exports_external.object({
+    type: exports_external.literal("http-diff"),
+    url: exports_external.string().url().describe("Poll target. Host MUST match the operator egress allowlist (\u00a76.1) \u2014 " + "loopback/private/link-local/non-https are rejected; the IP is " + "resolve-then-pinned against DNS-rebind. Not agent-writable without " + "operator commit."),
+    method: exports_external.enum(["GET", "POST"]).default("GET"),
+    headers: exports_external.record(exports_external.string()).optional(),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this poll may inject into request headers. Each is " + "HOST-PINNED (\u00a76.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved poll cannot exfil it elsewhere."),
+    diff_jsonpath: exports_external.string().describe("JSONPath into the response; the extracted value is compared to state_key."),
+    state_key: exports_external.string().describe("Key under /state/agent/poll-state.json holding the last-seen value.")
+  });
+  TelegramReactionsPollSchema = exports_external.object({
+    type: exports_external.literal("telegram-reactions"),
+    chat_id: exports_external.union([exports_external.string().min(1), exports_external.number().int()]).describe("Chat to scan for reactions (model-free internal gateway query)."),
+    emoji: exports_external.string().min(1).describe("Reaction emoji that marks a message for capture (e.g. \uD83D\uDC68\u200d\uD83D\uDCBB)."),
+    lookback: exports_external.number().int().positive().max(200).default(40),
+    state_key: exports_external.string().describe("Key under poll-state.json holding the last-processed message id.")
+  });
+  PollSpecSchema = exports_external.discriminatedUnion("type", [
+    HttpDiffPollSchema,
+    TelegramReactionsPollSchema
+  ]);
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-    prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "\u2014 this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+    prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
+    kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+    poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+    model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) \u2014 the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
+    context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' \u2192 a minimal-" + "context cheap cron session (Tier 1). 'agent' \u2192 the agent's live " + "session with full persona/memory (Tier 2). Unset \u2192 inferred from " + "`model` (cheap\u2192fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default \u2014 broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary \u2014 " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
     topic: exports_external.union([
       exports_external.string().min(1, "topic alias must be non-empty"),
       exports_external.number().int().positive("topic ID must be a positive integer")
     ]).optional().describe("Forum topic this cron fires into when the owning agent is in " + "supergroup-owned mode (channels.telegram.chat_id set). Either a " + 'string alias resolved against `topic_aliases` (e.g. "planning") ' + "or a numeric topic ID. Falls back to the agent's `default_topic_id` " + "when unset. Ignored for agents in fleet-shared or dm_only mode. " + "Alias-resolution happens at config-load \u2014 typos surface immediately. " + "See docs/rfcs/supergroup-mode.md.")
+  }).superRefine((entry, ctx) => {
+    const kind = entry.kind ?? "prompt";
+    if (kind === "poll" && !entry.poll) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["poll"],
+        message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
+      });
+    }
+    if (kind === "prompt" && entry.poll) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["poll"],
+        message: "`poll` is only valid when kind: poll."
+      });
+    }
   });
   AgentSoulSchema = exports_external.object({
     name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -13988,6 +14027,13 @@ var init_schema = __esm(() => {
     config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit \u00a73). Default false \u2014 the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
     config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit \u00a75). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
   });
+  CronEgressSchema = exports_external.object({
+    allowed_hosts: exports_external.array(exports_external.string().min(1)).default([]).describe("Hosts a poll may reach (exact, https-only). loopback/private/IP-literal are always rejected."),
+    secret_bindings: exports_external.record(exports_external.string(), exports_external.string().min(1)).default({}).describe("secretName \u2192 the single host it may be sent to. A poll carrying a secret to any other host is rejected.")
+  });
+  CronConfigSchema = exports_external.object({
+    egress: CronEgressSchema.optional().describe("SSRF/exfil fence for http-diff polls.")
+  });
   SwitchroomConfigSchema = exports_external.object({
     switchroom: exports_external.object({
       version: exports_external.literal(1).describe("Config schema version"),
@@ -14036,7 +14082,8 @@ var init_schema = __esm(() => {
     profiles: exports_external.record(exports_external.string(), ProfileSchema).optional().describe("Named profile definitions. Agents reference via `extends: <name>`. " + "Inline profiles declared here take priority over filesystem " + "profiles/<name>/ directories when both exist."),
     agents: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
       message: "Agent name must start with a letter/digit, contain only lowercase letters/digits/hyphens/underscores, and be at most 51 characters (Telegram callback_data byte limit)"
-    }), AgentSchema).describe("Map of agent name to agent configuration")
+    }), AgentSchema).describe("Map of agent name to agent configuration"),
+    cron: CronConfigSchema.optional().describe("Cheap-cron settings (docs/rfcs/cheap-cron-sessions.md). Operator-owned " + "egress allowlist + host-pinned secret bindings for Tier-0 http-diff " + "polls (\u00a76.1). Required to enable any http-diff poll; not agent-writable.")
   });
 });
 
@@ -15311,6 +15358,58 @@ var init_helpers = __esm(() => {
   init_loader();
 });
 
+// src/scheduler/cron-routing.ts
+function isKnownCheapModel(model) {
+  return model !== undefined && CHEAP_MODEL_RE.test(model);
+}
+function resolveCronModel(model) {
+  return isKnownCheapModel(model) ? model : DEFAULT_CRON_MODEL;
+}
+function resolveCronRouting(input, opts) {
+  if (!opts.cheapCronEnabled) {
+    return { tier: "main", session: "main", customModelDowngrade: false };
+  }
+  const kind = input.kind ?? "prompt";
+  let context;
+  let customModelDowngrade = false;
+  if (input.context) {
+    context = input.context;
+  } else if (isKnownCheapModel(input.model)) {
+    context = "fresh";
+  } else {
+    context = "agent";
+    customModelDowngrade = input.model !== undefined && !isKnownCheapModel(input.model) && !OPUS_MODEL_RE.test(input.model);
+  }
+  if (kind === "poll") {
+    return { tier: "poll", session: null, customModelDowngrade };
+  }
+  if (context === "fresh") {
+    return {
+      tier: "cheap",
+      session: "cron",
+      cronModel: resolveCronModel(input.model),
+      customModelDowngrade
+    };
+  }
+  return { tier: "main", session: "main", customModelDowngrade };
+}
+function resolveEscalationRouting(input, opts) {
+  return resolveCronRouting({ ...input, kind: "prompt" }, opts);
+}
+function scheduleNeedsCronSession(entries, opts) {
+  if (!opts.cheapCronEnabled)
+    return false;
+  return entries.some((e) => {
+    const r = e.kind === "poll" ? resolveEscalationRouting(e, opts) : resolveCronRouting(e, opts);
+    return r.session === "cron";
+  });
+}
+var DEFAULT_CRON_MODEL = "claude-sonnet-4-6", CHEAP_MODEL_RE, OPUS_MODEL_RE;
+var init_cron_routing = __esm(() => {
+  CHEAP_MODEL_RE = /(^|[^a-z])(sonnet|haiku)([^a-z]|$)/i;
+  OPUS_MODEL_RE = /opus/i;
+});
+
 // src/config/timezone.ts
 import { readFileSync as readFileSync3, readlinkSync } from "node:fs";
 function defaultReadEtcTimezone() {
@@ -23078,7 +23177,20 @@ var init_tmux = __esm(() => {
 import { createHash as createHash3 } from "node:crypto";
 import { existsSync as existsSync14, mkdirSync as mkdirSync10, readFileSync as readFileSync12 } from "node:fs";
 import { join as join9 } from "node:path";
-function resolveResourceDefaults(agentName, profile, overrides) {
+function parseMemToMib(s) {
+  const m = /^(\d+(?:\.\d+)?)\s*([gmk]?)b?$/i.exec(s.trim());
+  if (!m)
+    return null;
+  const n = parseFloat(m[1]);
+  const unit = (m[2] || "m").toLowerCase();
+  const mult = unit === "g" ? 1024 : unit === "k" ? 1 / 1024 : 1;
+  return Math.round(n * mult);
+}
+function bumpMem(s, addMib) {
+  const mib = parseMemToMib(s);
+  return mib == null ? s : `${mib + addMib}m`;
+}
+function resolveResourceDefaults(agentName, profile, overrides, opts) {
   let base;
   if (agentName === "klanker") {
     base = RESOURCE_BY_PROFILE.klanker;
@@ -23087,18 +23199,26 @@ function resolveResourceDefaults(agentName, profile, overrides) {
   } else {
     base = RESOURCE_BY_PROFILE.default;
   }
-  if (!overrides)
-    return { ...base };
   const merged = { ...base };
-  if (overrides.memory !== undefined)
-    merged.memLimit = overrides.memory;
-  if (overrides.cpus !== undefined)
-    merged.cpus = overrides.cpus;
-  if (overrides.memory_reservation !== undefined) {
-    merged.memReservation = overrides.memory_reservation;
+  if (overrides) {
+    if (overrides.memory !== undefined)
+      merged.memLimit = overrides.memory;
+    if (overrides.cpus !== undefined)
+      merged.cpus = overrides.cpus;
+    if (overrides.memory_reservation !== undefined) {
+      merged.memReservation = overrides.memory_reservation;
+    }
+    if (overrides.pids_limit !== undefined) {
+      merged.pidsLimit = overrides.pids_limit;
+    }
   }
-  if (overrides.pids_limit !== undefined) {
-    merged.pidsLimit = overrides.pids_limit;
+  if (opts?.cronSession) {
+    if (overrides?.memory === undefined) {
+      merged.memLimit = bumpMem(merged.memLimit, CRON_SESSION_MEM_BUMP_MIB);
+    }
+    if (overrides?.pids_limit === undefined && merged.pidsLimit !== undefined) {
+      merged.pidsLimit = merged.pidsLimit + CRON_SESSION_PIDS_BUMP;
+    }
   }
   return merged;
 }
@@ -23153,7 +23273,8 @@ function describeAgents(config) {
     const resolved = resolveAgentConfig(config.defaults, config.profiles, agent);
     const profile = agent.extends ?? "default";
     const uid = allocateAgentUid(name);
-    const resources = resolveResourceDefaults(name, profile, resolved.resources);
+    const cronSession = scheduleNeedsCronSession((resolved.schedule ?? []).map((e) => ({ kind: e.kind, model: e.model, context: e.context })), { cheapCronEnabled: true });
+    const resources = resolveResourceDefaults(name, profile, resolved.resources, { cronSession });
     const strippedCaps = readStrippedCaps(agent);
     out.push({
       name,
@@ -23616,8 +23737,9 @@ function emitAgentService(lines, a, imageTag, buildMode, buildContext, homePrefi
   lines.push(`      - ${homePrefix}/.switchroom/logs/${a.name}:${homePrefix}/.switchroom/logs/${a.name}`);
   lines.push(``);
 }
-var AGENT_UID_MIN = 10001, AGENT_UID_MAX = 10999, RESOURCE_BY_PROFILE, BIND_MOUNT_SOURCE_DENYLIST, BIND_MOUNT_TARGET_DENYLIST, BIND_MOUNT_EXACT_SOURCE_DENY;
+var AGENT_UID_MIN = 10001, AGENT_UID_MAX = 10999, RESOURCE_BY_PROFILE, CRON_SESSION_MEM_BUMP_MIB = 512, CRON_SESSION_PIDS_BUMP = 128, BIND_MOUNT_SOURCE_DENYLIST, BIND_MOUNT_TARGET_DENYLIST, BIND_MOUNT_EXACT_SOURCE_DENY;
 var init_compose = __esm(() => {
+  init_cron_routing();
   init_merge();
   init_timezone();
   init_peercred();
@@ -49815,8 +49937,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.91";
-var COMMIT_SHA = "e938daab";
+var VERSION = "0.14.92";
+var COMMIT_SHA = "cd0b9973";
 
 // src/cli/agent.ts
 init_source();
@@ -49926,6 +50048,7 @@ var LEGACY_CRON_SCRIPT_BASENAME_RE = /^cron-(\d+)\.sh$/;
 
 // src/agents/scaffold.ts
 init_schema();
+init_cron_routing();
 init_merge();
 init_timezone();
 
@@ -50808,6 +50931,33 @@ function renderFleetInvariants() {
   ].join(`
 `);
 }
+function buildCronSessionContext(agentConfig) {
+  const entries = (agentConfig.schedule ?? []).map((e) => ({
+    kind: e.kind,
+    model: e.model,
+    context: e.context
+  }));
+  return {
+    cronSessionEnabled: scheduleNeedsCronSession(entries, { cheapCronEnabled: true }),
+    cronModelQ: shellSingleQuote(DEFAULT_CRON_MODEL)
+  };
+}
+function maybeWriteTrimmedCronMcp(agentDir, mcpServers, cronSessionEnabled) {
+  if (!cronSessionEnabled)
+    return null;
+  const telegram = mcpServers["switchroom-telegram"];
+  if (!telegram)
+    return null;
+  const cronDir = join8(agentDir, ".claude-cron");
+  mkdirSync9(cronDir, { recursive: true });
+  const path = join8(cronDir, ".mcp.json");
+  const content = JSON.stringify({ mcpServers: { "switchroom-telegram": telegram } }, null, 2) + `
+`;
+  if (!existsSync13(path) || readFileSync11(path, "utf-8") !== content) {
+    writeFileSync5(path, content, { encoding: "utf-8", mode: 384 });
+  }
+  return path;
+}
 function alignAgentUid(name, agentDir, uid, opts = {}) {
   const writeOut = opts.writeOut ?? ((s) => process.stdout.write(s));
   const logsDir = join8(homedir4(), ".switchroom", "logs", name);
@@ -51617,6 +51767,7 @@ function buildWorkspaceContext(args) {
     switchroomConfigPathQ: switchroomConfigPath ? shellSingleQuote(resolve11(switchroomConfigPath)) : undefined,
     hostHomeQ: process.env.HOME ? shellSingleQuote(process.env.HOME) : undefined,
     modelQ: shellSingleQuote(agentConfig.model ?? SWITCHROOM_DEFAULT_MAIN_MODEL),
+    ...buildCronSessionContext(agentConfig),
     thinkingEffort: agentConfig.thinking_effort ?? SWITCHROOM_DEFAULT_THINKING_EFFORT,
     permissionMode: agentConfig.permission_mode,
     fallbackModelQ: agentConfig.fallback_model ? shellSingleQuote(agentConfig.fallback_model) : undefined,
@@ -51856,6 +52007,12 @@ function scaffoldAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchro
   if (existsSync13(join8(agentDir, "start.sh"))) {
     chmodSync2(join8(agentDir, "start.sh"), 448);
   }
+  if (context.cronSessionEnabled) {
+    writeIfChanged(join8(agentDir, "cron-session.sh"), () => renderTemplate(join8(basePath, "cron-session.sh.hbs"), context), created, skipped);
+    if (existsSync13(join8(agentDir, "cron-session.sh"))) {
+      chmodSync2(join8(agentDir, "cron-session.sh"), 448);
+    }
+  }
   writeIfMissing(join8(agentDir, ".claude", "settings.json"), () => renderTemplate(join8(basePath, "settings.json.hbs"), context), created, skipped, 384);
   if (switchroomConfig) {
     const settingsPath = join8(agentDir, ".claude", "settings.json");
@@ -51980,6 +52137,7 @@ function scaffoldAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchro
     }
     writeIfChanged(mcpJsonPath, () => JSON.stringify({ mcpServers }, null, 2) + `
 `, created, skipped, 384);
+    maybeWriteTrimmedCronMcp(agentDir, mcpServers, buildCronSessionContext(agentConfig).cronSessionEnabled);
     mcpServerKeysToTrust = Object.keys(mcpServers);
     ensureMcpServersTrusted(agentDir, mcpServerKeysToTrust);
   }
@@ -52683,6 +52841,7 @@ function reconcileAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchr
       hindsightTopicFilterMode,
       hostHomeQ: process.env.HOME ? shellSingleQuote(process.env.HOME) : undefined,
       modelQ: shellSingleQuote(agentConfig.model ?? SWITCHROOM_DEFAULT_MAIN_MODEL),
+      ...buildCronSessionContext(agentConfig),
       thinkingEffort: agentConfig.thinking_effort ?? SWITCHROOM_DEFAULT_THINKING_EFFORT,
       permissionMode: agentConfig.permission_mode,
       fallbackModelQ: agentConfig.fallback_model ? shellSingleQuote(agentConfig.fallback_model) : undefined,
@@ -52737,6 +52896,16 @@ function reconcileAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchr
       chmodSync2(startShPath, 493);
       changes.push(startShPath);
     }
+    if (startShContext.cronSessionEnabled) {
+      const cronShPath = join8(agentDir, "cron-session.sh");
+      const beforeCronSh = existsSync13(cronShPath) ? readFileSync11(cronShPath, "utf-8") : "";
+      const afterCronSh = renderTemplate(join8(basePath, "cron-session.sh.hbs"), startShContext);
+      if (afterCronSh !== beforeCronSh) {
+        writeFileSync5(cronShPath, afterCronSh, "utf-8");
+        chmodSync2(cronShPath, 493);
+        changes.push(cronShPath);
+      }
+    }
   }
   if (!options.preserveClaudeMd && !options.skipProfileTemplates) {
     const profilePath = getProfilePath(agentConfig.extends ?? DEFAULT_PROFILE);
@@ -53024,6 +53193,9 @@ ${body}
       writeFileSync5(mcpJsonPath, after, { encoding: "utf-8", mode: 384 });
       changes.push(mcpJsonPath);
     }
+    const trimmedCronMcp = maybeWriteTrimmedCronMcp(agentDir, mcpServers, buildCronSessionContext(agentConfig).cronSessionEnabled);
+    if (trimmedCronMcp)
+      changes.push(trimmedCronMcp);
     ensureMcpServersTrusted(agentDir, Object.keys(mcpServers));
   }
   const reconcileWorkspaceDir = join8(agentDir, "workspace");
@@ -67170,7 +67342,11 @@ function collectScheduleEntries(config) {
         cron: entry.cron,
         prompt: entry.prompt,
         promptKey: createHash9("sha256").update(entry.prompt).digest("hex").slice(0, 12),
-        ...entry.topic !== undefined ? { topic: entry.topic } : {}
+        ...entry.topic !== undefined ? { topic: entry.topic } : {},
+        ...entry.kind !== undefined ? { kind: entry.kind } : {},
+        ...entry.model !== undefined ? { model: entry.model } : {},
+        ...entry.context !== undefined ? { context: entry.context } : {},
+        ...entry.poll !== undefined ? { poll: entry.poll } : {}
       });
     }
   }
@@ -81965,8 +82141,80 @@ function denyPendingScheduleEntry(opts) {
 }
 
 // src/cli/agent-config-write.ts
-init_protocol3();
 import { existsSync as existsSync78, readFileSync as readFileSync65 } from "node:fs";
+import { execFileSync as execFileSync25 } from "node:child_process";
+
+// src/scheduler/schedule-report.ts
+var TIER_WEIGHT = { poll: 0, cheap: 1, main: 5 };
+function summarizeScheduleReport(rows, opts = {}) {
+  const s = {
+    total: 0,
+    pollFires: 0,
+    cheapFires: 0,
+    mainFires: 0,
+    errors: 0,
+    deferred: 0,
+    costWeight: 0,
+    byModel: {}
+  };
+  for (const r of rows) {
+    if (opts.sinceMs !== undefined && (r.startedAt ?? 0) < opts.sinceMs)
+      continue;
+    s.total += 1;
+    const tier = r.tier ?? "main";
+    if (tier === "poll")
+      s.pollFires += 1;
+    else if (tier === "cheap")
+      s.cheapFires += 1;
+    else
+      s.mainFires += 1;
+    s.costWeight += TIER_WEIGHT[tier];
+    if (r.exitCode === -2)
+      s.deferred += 1;
+    else if (r.exitCode < 0)
+      s.errors += 1;
+    if (r.modelUsed)
+      s.byModel[r.modelUsed] = (s.byModel[r.modelUsed] ?? 0) + 1;
+  }
+  return s;
+}
+function parseScheduleJsonl(blob) {
+  const rows = [];
+  for (const line of blob.split(`
+`)) {
+    const t = line.trim();
+    if (!t)
+      continue;
+    try {
+      const o = JSON.parse(t);
+      if (typeof o.exitCode === "number")
+        rows.push(o);
+    } catch {}
+  }
+  return rows;
+}
+function formatScheduleReport(agent, s) {
+  const modelFires = s.cheapFires + s.mainFires;
+  const savedPct = s.total > 0 ? Math.round(s.pollFires / s.total * 100) : 0;
+  const lines = [
+    `cron report \u2014 ${agent}`,
+    `  total fires        ${s.total}`,
+    `  Tier 0 poll (free) ${s.pollFires}  (${savedPct}% model-free)`,
+    `  Tier 1 cheap       ${s.cheapFires}`,
+    `  Tier 2 main        ${s.mainFires}`,
+    `  model fires        ${modelFires}`,
+    `  errors / deferred  ${s.errors} / ${s.deferred}`,
+    `  cost-weight proxy  ${s.costWeight}  (poll\u00d70 + cheap\u00d71 + main\u00d75; relative, not $)`
+  ];
+  const models = Object.entries(s.byModel);
+  if (models.length)
+    lines.push(`  by model           ${models.map(([m, n]) => `${m}=${n}`).join("  ")}`);
+  return lines.join(`
+`);
+}
+
+// src/cli/agent-config-write.ts
+init_protocol3();
 var MAX_ENTRIES_PER_AGENT = 20;
 var MIN_CRON_INTERVAL_MIN = 5;
 function extractCronSmallestGapMin(expr) {
@@ -82441,6 +82689,43 @@ function registerAgentConfigWriteCommands(program3) {
 `);
     appendAudit(resolvedAgent, "schedule.remove", { ...opts, slug: r.slug }, 0);
   });
+  schedule.command("report [agent]").description("Cheap-cron cost breakdown from the agent's scheduler.jsonl (Tier 0/1/2 fire counts)").option("--jsonl <path>", "Read a local scheduler.jsonl instead of docker-exec into the container").option("--since <iso>", "Only count fires at/after this ISO timestamp").option("--json", "Emit the summary as JSON").action((agentArg, opts) => {
+    const agent = agentArg ?? process.env.SWITCHROOM_AGENT_NAME;
+    if (!agent) {
+      process.stderr.write(`schedule report: pass an agent name (or set $SWITCHROOM_AGENT_NAME)
+`);
+      process.exit(2);
+    }
+    let blob;
+    if (opts.jsonl) {
+      blob = existsSync78(opts.jsonl) ? readFileSync65(opts.jsonl, "utf-8") : "";
+    } else {
+      try {
+        blob = execFileSync25("docker", ["exec", `switchroom-${agent}`, "cat", "/state/agent/scheduler.jsonl"], {
+          encoding: "utf-8",
+          stdio: ["ignore", "pipe", "ignore"]
+        });
+      } catch {
+        process.stderr.write(`schedule report: could not read scheduler.jsonl from container switchroom-${agent} ` + `(is it running? try --jsonl <path>)
+`);
+        process.exit(1);
+      }
+    }
+    const sinceMs = opts.since ? Date.parse(opts.since) : undefined;
+    if (opts.since && Number.isNaN(sinceMs)) {
+      process.stderr.write(`schedule report: invalid --since '${opts.since}'
+`);
+      process.exit(2);
+    }
+    const summary = summarizeScheduleReport(parseScheduleJsonl(blob), sinceMs ? { sinceMs } : {});
+    if (opts.json) {
+      process.stdout.write(JSON.stringify({ agent, ...summary }) + `
+`);
+    } else {
+      process.stdout.write(formatScheduleReport(agent, summary) + `
+`);
+    }
+  });
 }
 
 // src/cli/agent-config-skill-write.ts

package/dist/host-control/main.js

@@ -13704,15 +13704,54 @@ var AgentBindMountSchema = exports_external.object({
   target: exports_external.string().optional().describe("Container path the source mounts to. Must be absolute. Defaults to " + "the same path as `source` (matches switchroom's existing dual-mount " + "convention so absolute paths in scaffolded scripts Just Work)."),
   mode: exports_external.enum(["ro", "rw"]).optional().describe("Read-only (default) or read-write. Use `rw` only when the agent " + "must mutate the host path (e.g. editing switchroom source). " + "Default: 'ro'.")
 });
+var HttpDiffPollSchema = exports_external.object({
+  type: exports_external.literal("http-diff"),
+  url: exports_external.string().url().describe("Poll target. Host MUST match the operator egress allowlist (§6.1) — " + "loopback/private/link-local/non-https are rejected; the IP is " + "resolve-then-pinned against DNS-rebind. Not agent-writable without " + "operator commit."),
+  method: exports_external.enum(["GET", "POST"]).default("GET"),
+  headers: exports_external.record(exports_external.string()).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this poll may inject into request headers. Each is " + "HOST-PINNED (§6.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved poll cannot exfil it elsewhere."),
+  diff_jsonpath: exports_external.string().describe("JSONPath into the response; the extracted value is compared to state_key."),
+  state_key: exports_external.string().describe("Key under /state/agent/poll-state.json holding the last-seen value.")
+});
+var TelegramReactionsPollSchema = exports_external.object({
+  type: exports_external.literal("telegram-reactions"),
+  chat_id: exports_external.union([exports_external.string().min(1), exports_external.number().int()]).describe("Chat to scan for reactions (model-free internal gateway query)."),
+  emoji: exports_external.string().min(1).describe("Reaction emoji that marks a message for capture (e.g. \uD83D\uDC68‍\uD83D\uDCBB)."),
+  lookback: exports_external.number().int().positive().max(200).default(40),
+  state_key: exports_external.string().describe("Key under poll-state.json holding the last-processed message id.")
+});
+var PollSpecSchema = exports_external.discriminatedUnion("type", [
+  HttpDiffPollSchema,
+  TelegramReactionsPollSchema
+]);
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-  prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+  prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
+  kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+  poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+  model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) — the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
+  context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' → a minimal-" + "context cheap cron session (Tier 1). 'agent' → the agent's live " + "session with full persona/memory (Tier 2). Unset → inferred from " + "`model` (cheap→fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
   topic: exports_external.union([
     exports_external.string().min(1, "topic alias must be non-empty"),
     exports_external.number().int().positive("topic ID must be a positive integer")
   ]).optional().describe("Forum topic this cron fires into when the owning agent is in " + "supergroup-owned mode (channels.telegram.chat_id set). Either a " + 'string alias resolved against `topic_aliases` (e.g. "planning") ' + "or a numeric topic ID. Falls back to the agent's `default_topic_id` " + "when unset. Ignored for agents in fleet-shared or dm_only mode. " + "Alias-resolution happens at config-load — typos surface immediately. " + "See docs/rfcs/supergroup-mode.md.")
+}).superRefine((entry, ctx) => {
+  const kind = entry.kind ?? "prompt";
+  if (kind === "poll" && !entry.poll) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["poll"],
+      message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
+    });
+  }
+  if (kind === "prompt" && entry.poll) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["poll"],
+      message: "`poll` is only valid when kind: poll."
+    });
+  }
 });
 var AgentSoulSchema = exports_external.object({
   name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -14159,6 +14198,13 @@ var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
 });
+var CronEgressSchema = exports_external.object({
+  allowed_hosts: exports_external.array(exports_external.string().min(1)).default([]).describe("Hosts a poll may reach (exact, https-only). loopback/private/IP-literal are always rejected."),
+  secret_bindings: exports_external.record(exports_external.string(), exports_external.string().min(1)).default({}).describe("secretName → the single host it may be sent to. A poll carrying a secret to any other host is rejected.")
+});
+var CronConfigSchema = exports_external.object({
+  egress: CronEgressSchema.optional().describe("SSRF/exfil fence for http-diff polls.")
+});
 var SwitchroomConfigSchema = exports_external.object({
   switchroom: exports_external.object({
     version: exports_external.literal(1).describe("Config schema version"),
@@ -14207,7 +14253,8 @@ var SwitchroomConfigSchema = exports_external.object({
   profiles: exports_external.record(exports_external.string(), ProfileSchema).optional().describe("Named profile definitions. Agents reference via `extends: <name>`. " + "Inline profiles declared here take priority over filesystem " + "profiles/<name>/ directories when both exist."),
   agents: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
     message: "Agent name must start with a letter/digit, contain only lowercase letters/digits/hyphens/underscores, and be at most 51 characters (Telegram callback_data byte limit)"
-  }), AgentSchema).describe("Map of agent name to agent configuration")
+  }), AgentSchema).describe("Map of agent name to agent configuration"),
+  cron: CronConfigSchema.optional().describe("Cheap-cron settings (docs/rfcs/cheap-cron-sessions.md). Operator-owned " + "egress allowlist + host-pinned secret bindings for Tier-0 http-diff " + "polls (§6.1). Required to enable any http-diff poll; not agent-writable.")
 });
 
 // src/config/paths.ts