switchroom 0.15.0 → 0.15.2

package/dist/agent-scheduler/index.js

@@ -11348,6 +11348,7 @@ var AgentSchema = exports_external.object({
   dangerous_mode: exports_external.boolean().optional().describe("If true, include --dangerously-skip-permissions in start.sh"),
   network_isolation: NetworkIsolationSchema,
   admin: exports_external.boolean().optional().describe("If true, the agent's Telegram gateway intercepts admin slash commands " + "(/agents, /logs, /restart, /delete, /update, /auth, /reconcile, etc.) " + "locally before forwarding to Claude. Commands are handled silently — " + "Claude never sees them. Requires the agent to use the switchroom-telegram " + "plugin. When false or absent, all messages pass through to Claude unchanged."),
+  root: exports_external.boolean().optional().describe("If true, this is a ROOT-tier debugging agent: a root-privileged " + "container (runs as uid 0, mounts /var/run/docker.sock, the whole " + "~/.switchroom tree, and the host root filesystem at /host) so you " + "can DM it to debug the whole fleet — read any agent's logs, " + "docker exec into peers, edit host files — instead of SSHing into " + "the host as root. Implies admin: true (all admin slash commands). " + "Standing root power, audited via the agent's own session transcript " + "and shell history; there is no per-action approval tap. Per-agent " + "only (never set at defaults/profile layers). Grant to exactly one " + "trusted operator-private agent — it ingests other agents' output, " + "which is attacker-influenced text. See docs/root-agent.md."),
   settings_raw: exports_external.record(exports_external.string(), exports_external.unknown()).optional().describe("Escape hatch: raw object deep-merged into the generated " + "settings.json as the final step. Use for Claude Code settings " + "keys switchroom doesn't wrap directly (e.g. effort, apiKeyHelper). " + "Power-user-only — prefer the typed fields when they exist."),
   claude_md_raw: exports_external.string().optional().describe("Escape hatch: markdown text appended verbatim to CLAUDE.md on " + "initial scaffold. Not re-applied on reconcile (CLAUDE.md is " + "user-protected). Use for one-off persona tuning that isn't " + "worth a template."),
   cli_args: exports_external.array(exports_external.string()).optional().describe("Escape hatch: extra arguments appended to the `exec claude` " + "invocation in start.sh. Use for Claude Code CLI flags switchroom " + "doesn't expose directly (e.g. --effort high, " + "--exclude-dynamic-system-prompt-sections)."),
@@ -13283,6 +13284,13 @@ var ProbeQuotaRequestSchema = exports_external.object({
   accounts: exports_external.array(exports_external.string().min(1)).min(1).max(32),
   timeoutMs: exports_external.number().int().positive().max(60000).optional()
 });
+var ClaimNotificationRequestSchema = exports_external.object({
+  v: exports_external.literal(PROTOCOL_VERSION),
+  op: exports_external.literal("claim-notification"),
+  id: exports_external.string().min(1),
+  key: exports_external.string().min(1).max(512),
+  windowMs: exports_external.number().int().positive().max(86400000)
+});
 var RequestSchema2 = exports_external.discriminatedUnion("op", [
   GetCredentialsRequestSchema,
   ListStateRequestSchema,
@@ -13294,7 +13302,8 @@ var RequestSchema2 = exports_external.discriminatedUnion("op", [
   SetOverrideRequestSchema,
   ListGoogleAccountsRequestSchema,
   ListMicrosoftAccountsRequestSchema,
-  ProbeQuotaRequestSchema
+  ProbeQuotaRequestSchema,
+  ClaimNotificationRequestSchema
 ]);
 var GetCredentialsDataSchema = exports_external.object({
   account: exports_external.string(),
@@ -13350,6 +13359,9 @@ var SetOverrideDataSchema = exports_external.object({
   agent: exports_external.string(),
   account: exports_external.string().nullable()
 });
+var ClaimNotificationDataSchema = exports_external.object({
+  granted: exports_external.boolean()
+});
 var GoogleAccountStateSchema = exports_external.object({
   account: exports_external.string(),
   expiresAt: exports_external.number(),
@@ -13556,6 +13568,16 @@ class AuthBrokerClient {
     const data = await this.send(req);
     return data;
   }
+  async claimNotification(key, windowMs) {
+    const data = await this.send({
+      v: PROTOCOL_VERSION,
+      id: randomUUID(),
+      op: "claim-notification",
+      key,
+      windowMs
+    });
+    return data;
+  }
   async refreshAccount(account) {
     const data = await this.send({
       v: PROTOCOL_VERSION,

package/dist/auth-broker/index.js

@@ -11348,6 +11348,7 @@ var AgentSchema = exports_external.object({
   dangerous_mode: exports_external.boolean().optional().describe("If true, include --dangerously-skip-permissions in start.sh"),
   network_isolation: NetworkIsolationSchema,
   admin: exports_external.boolean().optional().describe("If true, the agent's Telegram gateway intercepts admin slash commands " + "(/agents, /logs, /restart, /delete, /update, /auth, /reconcile, etc.) " + "locally before forwarding to Claude. Commands are handled silently — " + "Claude never sees them. Requires the agent to use the switchroom-telegram " + "plugin. When false or absent, all messages pass through to Claude unchanged."),
+  root: exports_external.boolean().optional().describe("If true, this is a ROOT-tier debugging agent: a root-privileged " + "container (runs as uid 0, mounts /var/run/docker.sock, the whole " + "~/.switchroom tree, and the host root filesystem at /host) so you " + "can DM it to debug the whole fleet — read any agent's logs, " + "docker exec into peers, edit host files — instead of SSHing into " + "the host as root. Implies admin: true (all admin slash commands). " + "Standing root power, audited via the agent's own session transcript " + "and shell history; there is no per-action approval tap. Per-agent " + "only (never set at defaults/profile layers). Grant to exactly one " + "trusted operator-private agent — it ingests other agents' output, " + "which is attacker-influenced text. See docs/root-agent.md."),
   settings_raw: exports_external.record(exports_external.string(), exports_external.unknown()).optional().describe("Escape hatch: raw object deep-merged into the generated " + "settings.json as the final step. Use for Claude Code settings " + "keys switchroom doesn't wrap directly (e.g. effort, apiKeyHelper). " + "Power-user-only — prefer the typed fields when they exist."),
   claude_md_raw: exports_external.string().optional().describe("Escape hatch: markdown text appended verbatim to CLAUDE.md on " + "initial scaffold. Not re-applied on reconcile (CLAUDE.md is " + "user-protected). Use for one-off persona tuning that isn't " + "worth a template."),
   cli_args: exports_external.array(exports_external.string()).optional().describe("Escape hatch: extra arguments appended to the `exec claude` " + "invocation in start.sh. Use for Claude Code CLI flags switchroom " + "doesn't expose directly (e.g. --effort high, " + "--exclude-dynamic-system-prompt-sections)."),
@@ -13367,6 +13368,13 @@ var ProbeQuotaRequestSchema = exports_external.object({
   accounts: exports_external.array(exports_external.string().min(1)).min(1).max(32),
   timeoutMs: exports_external.number().int().positive().max(60000).optional()
 });
+var ClaimNotificationRequestSchema = exports_external.object({
+  v: exports_external.literal(PROTOCOL_VERSION),
+  op: exports_external.literal("claim-notification"),
+  id: exports_external.string().min(1),
+  key: exports_external.string().min(1).max(512),
+  windowMs: exports_external.number().int().positive().max(86400000)
+});
 var RequestSchema = exports_external.discriminatedUnion("op", [
   GetCredentialsRequestSchema,
   ListStateRequestSchema,
@@ -13378,7 +13386,8 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   SetOverrideRequestSchema,
   ListGoogleAccountsRequestSchema,
   ListMicrosoftAccountsRequestSchema,
-  ProbeQuotaRequestSchema
+  ProbeQuotaRequestSchema,
+  ClaimNotificationRequestSchema
 ]);
 var GetCredentialsDataSchema = exports_external.object({
   account: exports_external.string(),
@@ -13434,6 +13443,9 @@ var SetOverrideDataSchema = exports_external.object({
   agent: exports_external.string(),
   account: exports_external.string().nullable()
 });
+var ClaimNotificationDataSchema = exports_external.object({
+  granted: exports_external.boolean()
+});
 var GoogleAccountStateSchema = exports_external.object({
   account: exports_external.string(),
   expiresAt: exports_external.number(),
@@ -13520,6 +13532,7 @@ var MARK_EXHAUSTED_DEFAULT_MS = 5 * 60 * 60 * 1000;
 var AUDIT_ROTATE_BYTES = 10 * 1024 * 1024;
 var AUDIT_KEEP = 5;
 var AUDIT_LINE_MAX = 4000;
+var NOTIFICATION_CLAIM_MAX_AGE_MS = 86400000;
 function sha256Hex(content) {
   return createHash2("sha256").update(content).digest("hex");
 }
@@ -13546,7 +13559,10 @@ function enrichMirrorContent(sourceJson) {
 function configToShape(cfg) {
   const auth = cfg.auth ?? {};
   const agentsMap = cfg.agents ?? {};
-  const adminAgents = Object.entries(agentsMap).filter(([, a]) => a.admin === true).map(([name]) => name);
+  const adminAgents = Object.entries(agentsMap).filter(([, a]) => {
+    const cfg2 = a;
+    return cfg2.admin === true || cfg2.root === true;
+  }).map(([name]) => name);
   return {
     agents: Object.keys(agentsMap),
     consumers: (auth.consumers ?? []).map((c) => c.name),
@@ -13573,6 +13589,7 @@ class AuthBroker {
   lastQuotaCache = {};
   shaIndex = {};
   thresholdViolations = {};
+  notificationClaims = {};
   lastWrittenExpiresAt = new Map;
   refreshInFlight = new Set;
   consumerLastSeen = {};
@@ -13761,7 +13778,8 @@ class AuthBroker {
     }
     const sockPath = this.agentSocketPath(agentName);
     const uid = allocateAgentUid(agentName);
-    const adminFlag = this.config.agents?.[agentName]?.admin === true;
+    const agentCfg = this.config.agents?.[agentName];
+    const adminFlag = agentCfg?.admin === true || agentCfg?.root === true;
     await this.bindListener(sockPath, uid, 432, {
       kind: "agent",
       name: agentName,
@@ -13971,6 +13989,9 @@ class AuthBroker {
         case "probe-quota":
           await this.opProbeQuota(socket, reqId, identity2, req.accounts, req.timeoutMs);
           break;
+        case "claim-notification":
+          this.opClaimNotification(socket, reqId, identity2, req.key, req.windowMs);
+          break;
       }
     } catch (err) {
       socket.write(encodeError(reqId, "INTERNAL", err.message));
@@ -14211,6 +14232,21 @@ class AuthBroker {
     this.audit({ op: "mark-exhausted", identity: identity2, account, ok: true });
     socket.write(encodeSuccess(id, { account, rolled, rolledTo }));
   }
+  opClaimNotification(socket, id, identity2, key, windowMs) {
+    const now = this.now();
+    const prev = this.notificationClaims[key];
+    const granted = prev === undefined || now - prev >= windowMs;
+    if (granted) {
+      this.notificationClaims[key] = now;
+      for (const [k, ts] of Object.entries(this.notificationClaims)) {
+        if (now - ts > NOTIFICATION_CLAIM_MAX_AGE_MS)
+          delete this.notificationClaims[k];
+      }
+      this.persistNotificationClaims();
+      this.audit({ op: "claim-notification", identity: identity2, account: key, ok: true });
+    }
+    socket.write(encodeSuccess(id, { granted }));
+  }
   async opRefreshAccount(socket, id, identity2, account) {
     if (!this.isAdmin(identity2)) {
       this.audit({ op: "refresh-account", identity: identity2, account, ok: false, error: "FORBIDDEN" });
@@ -14813,6 +14849,7 @@ class AuthBroker {
     this.quota = this.readJson("quota.json") ?? {};
     this.shaIndex = this.readJson("sha-index.json") ?? {};
     this.thresholdViolations = this.readJson("threshold-violations.json") ?? {};
+    this.notificationClaims = this.readJson("notification-claims.json") ?? {};
   }
   readJson(name) {
     const p = join4(this.stateDir, name);
@@ -14827,6 +14864,9 @@ class AuthBroker {
   persistQuota() {
     atomicWriteJsonSync(join4(this.stateDir, "quota.json"), this.quota, 384);
   }
+  persistNotificationClaims() {
+    atomicWriteJsonSync(join4(this.stateDir, "notification-claims.json"), this.notificationClaims, 384);
+  }
   persistShaIndex() {
     atomicWriteJsonSync(join4(this.stateDir, "sha-index.json"), this.shaIndex, 384);
   }

package/dist/cli/drive-write-pretool.mjs

@@ -4000,7 +4000,7 @@ function decodeResponse(line) {
   }
   return ResponseSchema.parse(parsed);
 }
-var MAX_FRAME_BYTES, PROTOCOL_VERSION = 1, ProviderNameSchema, GetCredentialsRequestSchema, ListStateRequestSchema, SetActiveRequestSchema, MarkExhaustedRequestSchema, RefreshAccountRequestSchema, AnthropicCredentialsSchema, GoogleCredentialsSchema, MicrosoftCredentialsSchema, ProviderCredentialsSchema, AddAccountRequestSchema, RmAccountRequestSchema, SetOverrideRequestSchema, ListGoogleAccountsRequestSchema, ListMicrosoftAccountsRequestSchema, ProbeQuotaRequestSchema, RequestSchema, GetCredentialsDataSchema, AccountStateSchema, AgentStateSchema, ConsumerStateSchema, ListStateDataSchema, SetActiveDataSchema, MarkExhaustedDataSchema, RefreshAccountDataSchema, AddAccountDataSchema, RmAccountDataSchema, SetOverrideDataSchema, GoogleAccountStateSchema, ListGoogleAccountsDataSchema, MicrosoftAccountStateSchema, ListMicrosoftAccountsDataSchema, ErrorBodySchema, SuccessResponseSchema, ErrorResponseSchema, ResponseSchema;
+var MAX_FRAME_BYTES, PROTOCOL_VERSION = 1, ProviderNameSchema, GetCredentialsRequestSchema, ListStateRequestSchema, SetActiveRequestSchema, MarkExhaustedRequestSchema, RefreshAccountRequestSchema, AnthropicCredentialsSchema, GoogleCredentialsSchema, MicrosoftCredentialsSchema, ProviderCredentialsSchema, AddAccountRequestSchema, RmAccountRequestSchema, SetOverrideRequestSchema, ListGoogleAccountsRequestSchema, ListMicrosoftAccountsRequestSchema, ProbeQuotaRequestSchema, ClaimNotificationRequestSchema, RequestSchema, GetCredentialsDataSchema, AccountStateSchema, AgentStateSchema, ConsumerStateSchema, ListStateDataSchema, SetActiveDataSchema, MarkExhaustedDataSchema, RefreshAccountDataSchema, AddAccountDataSchema, RmAccountDataSchema, SetOverrideDataSchema, ClaimNotificationDataSchema, GoogleAccountStateSchema, ListGoogleAccountsDataSchema, MicrosoftAccountStateSchema, ListMicrosoftAccountsDataSchema, ErrorBodySchema, SuccessResponseSchema, ErrorResponseSchema, ResponseSchema;
 var init_protocol = __esm(() => {
   init_zod();
   MAX_FRAME_BYTES = 64 * 1024;
@@ -4116,6 +4116,13 @@ var init_protocol = __esm(() => {
     accounts: exports_external.array(exports_external.string().min(1)).min(1).max(32),
     timeoutMs: exports_external.number().int().positive().max(60000).optional()
   });
+  ClaimNotificationRequestSchema = exports_external.object({
+    v: exports_external.literal(PROTOCOL_VERSION),
+    op: exports_external.literal("claim-notification"),
+    id: exports_external.string().min(1),
+    key: exports_external.string().min(1).max(512),
+    windowMs: exports_external.number().int().positive().max(86400000)
+  });
   RequestSchema = exports_external.discriminatedUnion("op", [
     GetCredentialsRequestSchema,
     ListStateRequestSchema,
@@ -4127,7 +4134,8 @@ var init_protocol = __esm(() => {
     SetOverrideRequestSchema,
     ListGoogleAccountsRequestSchema,
     ListMicrosoftAccountsRequestSchema,
-    ProbeQuotaRequestSchema
+    ProbeQuotaRequestSchema,
+    ClaimNotificationRequestSchema
   ]);
   GetCredentialsDataSchema = exports_external.object({
     account: exports_external.string(),
@@ -4183,6 +4191,9 @@ var init_protocol = __esm(() => {
     agent: exports_external.string(),
     account: exports_external.string().nullable()
   });
+  ClaimNotificationDataSchema = exports_external.object({
+    granted: exports_external.boolean()
+  });
   GoogleAccountStateSchema = exports_external.object({
     account: exports_external.string(),
     expiresAt: exports_external.number(),
@@ -4364,6 +4375,16 @@ class AuthBrokerClient {
     const data = await this.send(req);
     return data;
   }
+  async claimNotification(key, windowMs) {
+    const data = await this.send({
+      v: PROTOCOL_VERSION,
+      id: randomUUID(),
+      op: "claim-notification",
+      key,
+      windowMs
+    });
+    return data;
+  }
   async refreshAccount(account) {
     const data = await this.send({
       v: PROTOCOL_VERSION,

package/dist/cli/notion-write-pretool.mjs

@@ -12096,6 +12096,7 @@ var AgentSchema = exports_external.object({
   dangerous_mode: exports_external.boolean().optional().describe("If true, include --dangerously-skip-permissions in start.sh"),
   network_isolation: NetworkIsolationSchema,
   admin: exports_external.boolean().optional().describe("If true, the agent's Telegram gateway intercepts admin slash commands " + "(/agents, /logs, /restart, /delete, /update, /auth, /reconcile, etc.) " + "locally before forwarding to Claude. Commands are handled silently \u2014 " + "Claude never sees them. Requires the agent to use the switchroom-telegram " + "plugin. When false or absent, all messages pass through to Claude unchanged."),
+  root: exports_external.boolean().optional().describe("If true, this is a ROOT-tier debugging agent: a root-privileged " + "container (runs as uid 0, mounts /var/run/docker.sock, the whole " + "~/.switchroom tree, and the host root filesystem at /host) so you " + "can DM it to debug the whole fleet \u2014 read any agent's logs, " + "docker exec into peers, edit host files \u2014 instead of SSHing into " + "the host as root. Implies admin: true (all admin slash commands). " + "Standing root power, audited via the agent's own session transcript " + "and shell history; there is no per-action approval tap. Per-agent " + "only (never set at defaults/profile layers). Grant to exactly one " + "trusted operator-private agent \u2014 it ingests other agents' output, " + "which is attacker-influenced text. See docs/root-agent.md."),
   settings_raw: exports_external.record(exports_external.string(), exports_external.unknown()).optional().describe("Escape hatch: raw object deep-merged into the generated " + "settings.json as the final step. Use for Claude Code settings " + "keys switchroom doesn't wrap directly (e.g. effort, apiKeyHelper). " + "Power-user-only \u2014 prefer the typed fields when they exist."),
   claude_md_raw: exports_external.string().optional().describe("Escape hatch: markdown text appended verbatim to CLAUDE.md on " + "initial scaffold. Not re-applied on reconcile (CLAUDE.md is " + "user-protected). Use for one-off persona tuning that isn't " + "worth a template."),
   cli_args: exports_external.array(exports_external.string()).optional().describe("Escape hatch: extra arguments appended to the `exec claude` " + "invocation in start.sh. Use for Claude Code CLI flags switchroom " + "doesn't expose directly (e.g. --effort high, " + "--exclude-dynamic-system-prompt-sections)."),