switchroom 0.15.12 → 0.15.14

package/dist/host-control/main.js

@@ -13724,11 +13724,29 @@ var PollSpecSchema = exports_external.discriminatedUnion("type", [
   HttpDiffPollSchema,
   TelegramReactionsPollSchema
 ]);
+var TelegramMessageActionSchema = exports_external.object({
+  type: exports_external.literal("telegram-message"),
+  text: exports_external.string().min(1).describe("Operator-authored message text. Posts to the AGENT'S OWN chat only " + "(the chat is not configurable — fenced by construction), into the " + "entry-level `topic` when set. Supports ONLY deterministic placeholders " + "{{date}} / {{time}} (UTC, from the fire clock) and {{agent}}. NO vault " + "secrets (use a webhook action for secret-bearing requests) and NO model " + "output — the text is fully determined by config."),
+  parse_mode: exports_external.enum(["html", "text"]).default("html").describe("Telegram parse mode for the message body.")
+});
+var WebhookActionSchema = exports_external.object({
+  type: exports_external.literal("webhook"),
+  url: exports_external.string().url().describe("Webhook target. SAME egress fence as an http-diff poll (§6.1): https " + "only, host on the operator egress allowlist, loopback/private/link-local " + "rejected, resolved IP DNS-rebind-pinned. Not agent-writable without an " + "operator commit."),
+  method: exports_external.enum(["GET", "POST"]).default("POST"),
+  headers: exports_external.record(exports_external.string()).optional().describe("Static headers; {{secret}} substitution applies."),
+  body: exports_external.string().optional().describe("Static request body; {{secret}} substitution applies."),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this webhook may inject into headers/body via {{name}}. Each " + "is HOST-PINNED (§6.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved action cannot exfil it elsewhere.")
+});
+var ActionSpecSchema = exports_external.discriminatedUnion("type", [
+  TelegramMessageActionSchema,
+  WebhookActionSchema
+]);
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-  prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
-  kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+  prompt: exports_external.string().optional().describe("Prompt to send at the scheduled time (the escalation prompt when " + "kind=poll; templated with {{diff}}). Required for kind prompt/poll; " + "absent for kind=action (an action has no model fire, so no prompt)."),
+  kind: exports_external.enum(["poll", "prompt", "action"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. 'action' runs a model-free deterministic verb " + "(requires `action`) that COMPLETES the work and never escalates — zero " + "tokens, no session. poll/prompt are honoured only when " + "SWITCHROOM_CHEAP_CRON is on; an action is model-free regardless (the " + "kill-switch governs model tiering, not deterministic actions)."),
   poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+  action: ActionSpecSchema.optional().describe("Required iff kind=action. The declarative action spec (telegram-message or webhook)."),
   model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) — the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
   context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' → a minimal-" + "context cheap cron session (Tier 1). 'agent' → the agent's live " + "session with full persona/memory (Tier 2). Unset → inferred from " + "`model` (cheap→fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
@@ -13745,13 +13763,41 @@ var ScheduleEntrySchema = exports_external.object({
       message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
     });
   }
-  if (kind === "prompt" && entry.poll) {
+  if (kind !== "poll" && entry.poll) {
     ctx.addIssue({
       code: exports_external.ZodIssueCode.custom,
       path: ["poll"],
       message: "`poll` is only valid when kind: poll."
     });
   }
+  if (kind === "action" && !entry.action) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["action"],
+      message: "kind: action requires an `action` spec (telegram-message or webhook)."
+    });
+  }
+  if (kind !== "action" && entry.action) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["action"],
+      message: "`action` is only valid when kind: action."
+    });
+  }
+  if (kind !== "action" && (entry.prompt === undefined || entry.prompt.trim() === "")) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["prompt"],
+      message: `kind: ${kind} requires a non-empty \`prompt\`.`
+    });
+  }
+  if (kind === "action" && entry.prompt !== undefined) {
+    ctx.addIssue({
+      code: exports_external.ZodIssueCode.custom,
+      path: ["prompt"],
+      message: "`prompt` is not valid for kind: action (an action never fires a model)."
+    });
+  }
 });
 var AgentSoulSchema = exports_external.object({
   name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -13885,7 +13931,8 @@ var TelegramChannelSchema = exports_external.object({
   linear_agent: exports_external.object({
     enabled: exports_external.boolean(),
     token: exports_external.string().describe("vault:<key> reference to the Linear OAuth app token (actor=app). " + "Resolved at runtime via the vault broker (canonically " + "vault:linear/<agent>/token). Never an inline literal."),
-    workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational — used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace.")
+    workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational — used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace."),
+    default_team_id: exports_external.string().optional().describe("Optional Linear team id new captured issues file into when the " + "agent doesn't pass an explicit team_id. Unnecessary for a " + "single-team workspace (auto-resolved); set it only when the " + "workspace has multiple teams. Manage via " + "`switchroom linear-agent set-team <agent> <team>`.")
   }).optional().describe("Linear first-class agent integration (#2298). When enabled, the " + "agent appears in a Linear workspace as an app actor (own name/" + "avatar, @-mentionable, delegate-assignable). Linear AgentSessionEvent " + "webhooks (mention / delegation) wake the agent instantly via the " + "same gateway inject path as webhook_dispatch, tagged " + 'meta.source="linear" with the agent_session_id, and the agent ' + "responds with structured AgentActivity (thought/message/complete/" + "error) via the linear_agent_activity MCP tool. Builds the " + "session-lifecycle layer on top of the plain webhook_sources:[linear] " + "+ webhook_dispatch support (#2272). The OAuth app token is stored in " + "the vault and referenced here as vault:linear/<agent>/token; run " + "`switchroom linear-agent setup <agent>` to provision it. Off by " + "default — opt in per agent. Cascades from " + "defaults.channels.telegram.linear_agent."),
   chat_id: exports_external.string().regex(/^-\d+$/, 'supergroup chat_id must be a negative integer as a string (e.g. "-1001234567890")').optional().describe("Per-agent supergroup ID — overrides fleet `telegram.forum_chat_id`. " + "When set, requires `default_topic_id`. Negative integer as string. " + "Forbidden when `dm_only: true`. See docs/rfcs/supergroup-mode.md."),
   default_topic_id: exports_external.number().int().positive().optional().describe("Forum topic ID this agent's automated outbounds default to when " + "no more-specific alias resolves. Defaults to General (topic 1) when " + "`chat_id` is set and this is omitted — set it only to pin a different " + "fallback topic. " + "Telegram's General topic is `id=1` at MTProto but sends omit the " + "field — the outbound wrapper strips `message_thread_id === 1` " + "on send. Forbidden when `dm_only: true`."),
@@ -14769,6 +14816,16 @@ function mergeAgentConfig(defaultsIn, agentIn) {
     }
     merged.reaction_dispatch = combined;
   }
+  const linearEnabled = merged.channels?.telegram?.linear_agent?.enabled === true;
+  if (linearEnabled) {
+    const rd = merged.reaction_dispatch;
+    if (!rd || rd.emojis === undefined) {
+      merged.reaction_dispatch = {
+        enabled: rd?.enabled ?? true,
+        emojis: ["\uD83D\uDC68‍\uD83D\uDCBB", "\uD83D\uDCCC"]
+      };
+    }
+  }
   if (defaults.resources || merged.resources) {
     const d = defaults.resources ?? {};
     const a = merged.resources ?? {};

package/dist/vault/approvals/kernel-server.js

@@ -4305,6 +4305,16 @@ function mergeAgentConfig(defaultsIn, agentIn) {
     }
     merged.reaction_dispatch = combined;
   }
+  const linearEnabled = merged.channels?.telegram?.linear_agent?.enabled === true;
+  if (linearEnabled) {
+    const rd = merged.reaction_dispatch;
+    if (!rd || rd.emojis === undefined) {
+      merged.reaction_dispatch = {
+        enabled: rd?.enabled ?? true,
+        emojis: ["\uD83D\uDC68‍\uD83D\uDCBB", "\uD83D\uDCCC"]
+      };
+    }
+  }
   if (defaults.resources || merged.resources) {
     const d = defaults.resources ?? {};
     const a = merged.resources ?? {};
@@ -11289,7 +11299,7 @@ var init_dist = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, HttpDiffPollSchema, TelegramReactionsPollSchema, PollSpecSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, webhookDispatchRule, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReactionDispatchSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, CronEgressSchema, CronConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, HttpDiffPollSchema, TelegramReactionsPollSchema, PollSpecSchema, TelegramMessageActionSchema, WebhookActionSchema, ActionSpecSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, webhookDispatchRule, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReactionDispatchSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, CronEgressSchema, CronConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11322,11 +11332,29 @@ var init_schema = __esm(() => {
     HttpDiffPollSchema,
     TelegramReactionsPollSchema
   ]);
+  TelegramMessageActionSchema = exports_external.object({
+    type: exports_external.literal("telegram-message"),
+    text: exports_external.string().min(1).describe("Operator-authored message text. Posts to the AGENT'S OWN chat only " + "(the chat is not configurable — fenced by construction), into the " + "entry-level `topic` when set. Supports ONLY deterministic placeholders " + "{{date}} / {{time}} (UTC, from the fire clock) and {{agent}}. NO vault " + "secrets (use a webhook action for secret-bearing requests) and NO model " + "output — the text is fully determined by config."),
+    parse_mode: exports_external.enum(["html", "text"]).default("html").describe("Telegram parse mode for the message body.")
+  });
+  WebhookActionSchema = exports_external.object({
+    type: exports_external.literal("webhook"),
+    url: exports_external.string().url().describe("Webhook target. SAME egress fence as an http-diff poll (§6.1): https " + "only, host on the operator egress allowlist, loopback/private/link-local " + "rejected, resolved IP DNS-rebind-pinned. Not agent-writable without an " + "operator commit."),
+    method: exports_external.enum(["GET", "POST"]).default("POST"),
+    headers: exports_external.record(exports_external.string()).optional().describe("Static headers; {{secret}} substitution applies."),
+    body: exports_external.string().optional().describe("Static request body; {{secret}} substitution applies."),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this webhook may inject into headers/body via {{name}}. Each " + "is HOST-PINNED (§6.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved action cannot exfil it elsewhere.")
+  });
+  ActionSpecSchema = exports_external.discriminatedUnion("type", [
+    TelegramMessageActionSchema,
+    WebhookActionSchema
+  ]);
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-    prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
-    kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+    prompt: exports_external.string().optional().describe("Prompt to send at the scheduled time (the escalation prompt when " + "kind=poll; templated with {{diff}}). Required for kind prompt/poll; " + "absent for kind=action (an action has no model fire, so no prompt)."),
+    kind: exports_external.enum(["poll", "prompt", "action"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. 'action' runs a model-free deterministic verb " + "(requires `action`) that COMPLETES the work and never escalates — zero " + "tokens, no session. poll/prompt are honoured only when " + "SWITCHROOM_CHEAP_CRON is on; an action is model-free regardless (the " + "kill-switch governs model tiering, not deterministic actions)."),
     poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+    action: ActionSpecSchema.optional().describe("Required iff kind=action. The declarative action spec (telegram-message or webhook)."),
     model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) — the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
     context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' → a minimal-" + "context cheap cron session (Tier 1). 'agent' → the agent's live " + "session with full persona/memory (Tier 2). Unset → inferred from " + "`model` (cheap→fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
@@ -11343,13 +11371,41 @@ var init_schema = __esm(() => {
         message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
       });
     }
-    if (kind === "prompt" && entry.poll) {
+    if (kind !== "poll" && entry.poll) {
       ctx.addIssue({
         code: exports_external.ZodIssueCode.custom,
         path: ["poll"],
         message: "`poll` is only valid when kind: poll."
       });
     }
+    if (kind === "action" && !entry.action) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["action"],
+        message: "kind: action requires an `action` spec (telegram-message or webhook)."
+      });
+    }
+    if (kind !== "action" && entry.action) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["action"],
+        message: "`action` is only valid when kind: action."
+      });
+    }
+    if (kind !== "action" && (entry.prompt === undefined || entry.prompt.trim() === "")) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["prompt"],
+        message: `kind: ${kind} requires a non-empty \`prompt\`.`
+      });
+    }
+    if (kind === "action" && entry.prompt !== undefined) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["prompt"],
+        message: "`prompt` is not valid for kind: action (an action never fires a model)."
+      });
+    }
   });
   AgentSoulSchema = exports_external.object({
     name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -11483,7 +11539,8 @@ var init_schema = __esm(() => {
     linear_agent: exports_external.object({
       enabled: exports_external.boolean(),
       token: exports_external.string().describe("vault:<key> reference to the Linear OAuth app token (actor=app). " + "Resolved at runtime via the vault broker (canonically " + "vault:linear/<agent>/token). Never an inline literal."),
-      workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational — used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace.")
+      workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational — used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace."),
+      default_team_id: exports_external.string().optional().describe("Optional Linear team id new captured issues file into when the " + "agent doesn't pass an explicit team_id. Unnecessary for a " + "single-team workspace (auto-resolved); set it only when the " + "workspace has multiple teams. Manage via " + "`switchroom linear-agent set-team <agent> <team>`.")
     }).optional().describe("Linear first-class agent integration (#2298). When enabled, the " + "agent appears in a Linear workspace as an app actor (own name/" + "avatar, @-mentionable, delegate-assignable). Linear AgentSessionEvent " + "webhooks (mention / delegation) wake the agent instantly via the " + "same gateway inject path as webhook_dispatch, tagged " + 'meta.source="linear" with the agent_session_id, and the agent ' + "responds with structured AgentActivity (thought/message/complete/" + "error) via the linear_agent_activity MCP tool. Builds the " + "session-lifecycle layer on top of the plain webhook_sources:[linear] " + "+ webhook_dispatch support (#2272). The OAuth app token is stored in " + "the vault and referenced here as vault:linear/<agent>/token; run " + "`switchroom linear-agent setup <agent>` to provision it. Off by " + "default — opt in per agent. Cascades from " + "defaults.channels.telegram.linear_agent."),
     chat_id: exports_external.string().regex(/^-\d+$/, 'supergroup chat_id must be a negative integer as a string (e.g. "-1001234567890")').optional().describe("Per-agent supergroup ID — overrides fleet `telegram.forum_chat_id`. " + "When set, requires `default_topic_id`. Negative integer as string. " + "Forbidden when `dm_only: true`. See docs/rfcs/supergroup-mode.md."),
     default_topic_id: exports_external.number().int().positive().optional().describe("Forum topic ID this agent's automated outbounds default to when " + "no more-specific alias resolves. Defaults to General (topic 1) when " + "`chat_id` is set and this is omitted — set it only to pin a different " + "fallback topic. " + "Telegram's General topic is `id=1` at MTProto but sends omit the " + "field — the outbound wrapper strips `message_thread_id === 1` " + "on send. Forbidden when `dm_only: true`."),

package/dist/vault/broker/server.js

@@ -339,6 +339,16 @@ function mergeAgentConfig(defaultsIn, agentIn) {
     }
     merged.reaction_dispatch = combined;
   }
+  const linearEnabled = merged.channels?.telegram?.linear_agent?.enabled === true;
+  if (linearEnabled) {
+    const rd = merged.reaction_dispatch;
+    if (!rd || rd.emojis === undefined) {
+      merged.reaction_dispatch = {
+        enabled: rd?.enabled ?? true,
+        emojis: ["\uD83D\uDC68‍\uD83D\uDCBB", "\uD83D\uDCCC"]
+      };
+    }
+  }
   if (defaults.resources || merged.resources) {
     const d = defaults.resources ?? {};
     const a = merged.resources ?? {};
@@ -11289,7 +11299,7 @@ var init_zod = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, HttpDiffPollSchema, TelegramReactionsPollSchema, PollSpecSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, webhookDispatchRule, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReactionDispatchSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, CronEgressSchema, CronConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, HttpDiffPollSchema, TelegramReactionsPollSchema, PollSpecSchema, TelegramMessageActionSchema, WebhookActionSchema, ActionSpecSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, webhookDispatchRule, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReactionDispatchSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, CronEgressSchema, CronConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11322,11 +11332,29 @@ var init_schema = __esm(() => {
     HttpDiffPollSchema,
     TelegramReactionsPollSchema
   ]);
+  TelegramMessageActionSchema = exports_external.object({
+    type: exports_external.literal("telegram-message"),
+    text: exports_external.string().min(1).describe("Operator-authored message text. Posts to the AGENT'S OWN chat only " + "(the chat is not configurable — fenced by construction), into the " + "entry-level `topic` when set. Supports ONLY deterministic placeholders " + "{{date}} / {{time}} (UTC, from the fire clock) and {{agent}}. NO vault " + "secrets (use a webhook action for secret-bearing requests) and NO model " + "output — the text is fully determined by config."),
+    parse_mode: exports_external.enum(["html", "text"]).default("html").describe("Telegram parse mode for the message body.")
+  });
+  WebhookActionSchema = exports_external.object({
+    type: exports_external.literal("webhook"),
+    url: exports_external.string().url().describe("Webhook target. SAME egress fence as an http-diff poll (§6.1): https " + "only, host on the operator egress allowlist, loopback/private/link-local " + "rejected, resolved IP DNS-rebind-pinned. Not agent-writable without an " + "operator commit."),
+    method: exports_external.enum(["GET", "POST"]).default("POST"),
+    headers: exports_external.record(exports_external.string()).optional().describe("Static headers; {{secret}} substitution applies."),
+    body: exports_external.string().optional().describe("Static request body; {{secret}} substitution applies."),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault keys this webhook may inject into headers/body via {{name}}. Each " + "is HOST-PINNED (§6.1): a secret may only be sent to the host it is bound " + "to in operator config, so an approved action cannot exfil it elsewhere.")
+  });
+  ActionSpecSchema = exports_external.discriminatedUnion("type", [
+    TelegramMessageActionSchema,
+    WebhookActionSchema
+  ]);
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
-    prompt: exports_external.string().describe("Prompt to send at the scheduled time (the escalation prompt when kind=poll; templated with {{diff}})."),
-    kind: exports_external.enum(["poll", "prompt"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. Honoured only when SWITCHROOM_CHEAP_CRON is on."),
+    prompt: exports_external.string().optional().describe("Prompt to send at the scheduled time (the escalation prompt when " + "kind=poll; templated with {{diff}}). Required for kind prompt/poll; " + "absent for kind=action (an action has no model fire, so no prompt)."),
+    kind: exports_external.enum(["poll", "prompt", "action"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. 'action' runs a model-free deterministic verb " + "(requires `action`) that COMPLETES the work and never escalates — zero " + "tokens, no session. poll/prompt are honoured only when " + "SWITCHROOM_CHEAP_CRON is on; an action is model-free regardless (the " + "kill-switch governs model tiering, not deterministic actions)."),
     poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
+    action: ActionSpecSchema.optional().describe("Required iff kind=action. The declarative action spec (telegram-message or webhook)."),
     model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) — the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
     context: exports_external.enum(["fresh", "agent"]).optional().describe("Does this cron need the agent, or just a model? 'fresh' → a minimal-" + "context cheap cron session (Tier 1). 'agent' → the agent's live " + "session with full persona/memory (Tier 2). Unset → inferred from " + "`model` (cheap→fresh, else agent). Honoured only when " + "SWITCHROOM_CHEAP_CRON is on."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing."),
@@ -11343,13 +11371,41 @@ var init_schema = __esm(() => {
         message: "kind: poll requires a `poll` spec (http-diff or telegram-reactions)."
       });
     }
-    if (kind === "prompt" && entry.poll) {
+    if (kind !== "poll" && entry.poll) {
       ctx.addIssue({
         code: exports_external.ZodIssueCode.custom,
         path: ["poll"],
         message: "`poll` is only valid when kind: poll."
       });
     }
+    if (kind === "action" && !entry.action) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["action"],
+        message: "kind: action requires an `action` spec (telegram-message or webhook)."
+      });
+    }
+    if (kind !== "action" && entry.action) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["action"],
+        message: "`action` is only valid when kind: action."
+      });
+    }
+    if (kind !== "action" && (entry.prompt === undefined || entry.prompt.trim() === "")) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["prompt"],
+        message: `kind: ${kind} requires a non-empty \`prompt\`.`
+      });
+    }
+    if (kind === "action" && entry.prompt !== undefined) {
+      ctx.addIssue({
+        code: exports_external.ZodIssueCode.custom,
+        path: ["prompt"],
+        message: "`prompt` is not valid for kind: action (an action never fires a model)."
+      });
+    }
   });
   AgentSoulSchema = exports_external.object({
     name: exports_external.string().describe("Agent persona name (e.g., 'Coach', 'Sage')"),
@@ -11483,7 +11539,8 @@ var init_schema = __esm(() => {
     linear_agent: exports_external.object({
       enabled: exports_external.boolean(),
       token: exports_external.string().describe("vault:<key> reference to the Linear OAuth app token (actor=app). " + "Resolved at runtime via the vault broker (canonically " + "vault:linear/<agent>/token). Never an inline literal."),
-      workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational — used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace.")
+      workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational — used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace."),
+      default_team_id: exports_external.string().optional().describe("Optional Linear team id new captured issues file into when the " + "agent doesn't pass an explicit team_id. Unnecessary for a " + "single-team workspace (auto-resolved); set it only when the " + "workspace has multiple teams. Manage via " + "`switchroom linear-agent set-team <agent> <team>`.")
     }).optional().describe("Linear first-class agent integration (#2298). When enabled, the " + "agent appears in a Linear workspace as an app actor (own name/" + "avatar, @-mentionable, delegate-assignable). Linear AgentSessionEvent " + "webhooks (mention / delegation) wake the agent instantly via the " + "same gateway inject path as webhook_dispatch, tagged " + 'meta.source="linear" with the agent_session_id, and the agent ' + "responds with structured AgentActivity (thought/message/complete/" + "error) via the linear_agent_activity MCP tool. Builds the " + "session-lifecycle layer on top of the plain webhook_sources:[linear] " + "+ webhook_dispatch support (#2272). The OAuth app token is stored in " + "the vault and referenced here as vault:linear/<agent>/token; run " + "`switchroom linear-agent setup <agent>` to provision it. Off by " + "default — opt in per agent. Cascades from " + "defaults.channels.telegram.linear_agent."),
     chat_id: exports_external.string().regex(/^-\d+$/, 'supergroup chat_id must be a negative integer as a string (e.g. "-1001234567890")').optional().describe("Per-agent supergroup ID — overrides fleet `telegram.forum_chat_id`. " + "When set, requires `default_topic_id`. Negative integer as string. " + "Forbidden when `dm_only: true`. See docs/rfcs/supergroup-mode.md."),
     default_topic_id: exports_external.number().int().positive().optional().describe("Forum topic ID this agent's automated outbounds default to when " + "no more-specific alias resolves. Defaults to General (topic 1) when " + "`chat_id` is set and this is omitted — set it only to pin a different " + "fallback topic. " + "Telegram's General topic is `id=1` at MTProto but sends omit the " + "field — the outbound wrapper strips `message_thread_id === 1` " + "on send. Forbidden when `dm_only: true`."),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.15.12",
+  "version": "0.15.14",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/profiles/_base/cron-session.sh.hbs

@@ -5,10 +5,15 @@
 # container, dedicated to cheap cron fires. It registers to the SAME gateway
 # as a DISTINCT bridge identity `<name>-cron` (start.sh's gateway sidecar
 # routes meta.session=cron fires here and gates all status surfaces off this
-# identity — see telegram-plugin/gateway/cron-session.ts). Minimal context:
-# its own CLAUDE_CONFIG_DIR (separate transcript) + a TRIMMED .mcp.json (only
-# switchroom-telegram) → it pays a fraction of the main session's schema +
-# cache-read tax, at the cheap cron model.
+# identity — see telegram-plugin/gateway/cron-session.ts).
+#
+# Tier-1 (#2307) is "a fresh conversation that STILL has the agent's memory +
+# tools, on a cheaper model." It loads the agent's FULL .mcp.json (its own
+# .claude-cron/.mcp.json — same hindsight bank baked from the BASE name, same
+# tools) with ENABLE_TOOL_SEARCH so the schema set DEFERS (low context cost).
+# The saving is dropping the accumulated main-session conversation context +
+# the cheaper model — NOT lobotomising the session. Its CLAUDE_CONFIG_DIR is
+# separate (own transcript) so each fire starts fresh and /clear-friendly.
 #
 # Forked as a supervised sidecar by start.sh ONLY when {{name}} actually has a
 # Tier-1 (context: fresh) cron entry AND SWITCHROOM_CHEAP_CRON is on — so the
@@ -35,12 +40,13 @@ esac
 CRON_NAME="{{name}}-cron"
 CRON_CONFIG_DIR="{{agentDir}}/.claude-cron"
 MAIN_CONFIG_DIR="{{agentDir}}/.claude"
-# TRIMMED MCP config (scaffold writes .claude-cron/.mcp.json with ONLY
-# switchroom-telegram) → the cron session pays a fraction of the main session's
-# ~31k-token MCP schema tax. The switchroom-telegram BRIDGE reads
-# SWITCHROOM_AGENT_NAME from the process env (exported below), NOT its .mcp.json
-# env block, so it registers as the cron identity. Fall back to the full
-# .mcp.json if the trimmed file is missing (older scaffold) so it still boots.
+# Cron .mcp.json (scaffold writes .claude-cron/.mcp.json with the agent's FULL
+# filtered MCP set — same hindsight bank, same tools — but the switchroom-
+# telegram entry carries a DISTINCT SWITCHROOM_BRIDGE_ALIVE_PATH so its liveness
+# file can't mask the main bridge). The bridge reads SWITCHROOM_AGENT_NAME from
+# the process env (exported below), NOT its .mcp.json env block, so it registers
+# as the cron identity. Fall back to the main .mcp.json if the cron file is
+# missing (older scaffold) so it still boots.
 CRON_MCP_CONFIG="{{agentDir}}/.claude-cron/.mcp.json"
 [ -f "$CRON_MCP_CONFIG" ] || CRON_MCP_CONFIG="{{agentDir}}/.mcp.json"
 CRON_SOCKET="switchroom-${CRON_NAME}"
@@ -63,12 +69,23 @@ fi
 export SWITCHROOM_AGENT_NAME="$CRON_NAME"
 export CLAUDE_CONFIG_DIR="$CRON_CONFIG_DIR"
 
-CRON_APPEND_PROMPT="You are the cheap background cron worker for {{name}}. You handle scheduled tasks only. Do the task, reply once with the result, and keep it brief. You do not have {{name}}'s full memory or persona — if a task needs them, say so rather than guessing."
+# Defer the (now full) MCP schema set via tool-search so the cron session keeps
+# its low-context cost — the heavy servers load on demand; switchroom-telegram
+# + hindsight stay alwaysLoad. Normally inherited from start.sh's env; set here
+# as a belt-and-braces default, honouring the operator kill-switch + any value
+# already in the env.
+if [ "${SWITCHROOM_DISABLE_TOOL_SEARCH:-}" != "1" ]; then
+  export ENABLE_TOOL_SEARCH="${ENABLE_TOOL_SEARCH:-auto}"
+fi
+
+CRON_APPEND_PROMPT="You are the cheap background cron worker for {{name}}. You run scheduled tasks in a fresh, low-context conversation on a cheaper model — but you SHARE {{name}}'s memory (hindsight) and tools, so use them: recall what you need, look things up, reply with real substance. Do the scheduled task, reply once with the result, and keep it tight."
 
 # Launch the cron claude in its OWN tmux session/socket so it never contends
 # with the main session's pane. Interactive (no -p). --strict-mcp-config pins
-# it to the trimmed config (switchroom-telegram only). Fresh each boot (no
-# --continue) — minimal context by construction.
+# it to the cron .mcp.json (full set, tool-search-deferred). Fresh each boot
+# (no --continue) — low context by construction. cd into the workspace so
+# claude's project key matches the pre-seeded trust state (.claude-cron).
+cd "{{agentDir}}" || exit 1
 exec tmux -L "$CRON_SOCKET" \
   new-session -A -s "$CRON_NAME" -x 400 -y 50 \
   claude \

package/profiles/_shared/agent-self-service.md.hbs

@@ -123,6 +123,43 @@ After a successful `schedule_add`, confirm to the user with:
 After a failed write (any `E_*` code from the rails above), surface the
 specific error verbatim, explain which rail tripped, and offer the
 closest legal alternative.
+{{#if linearAgentEnabled}}
+
+## Capture to Linear (👨‍💻 / 📌 reaction → new issue)
+
+You're connected to Linear as a first-class app actor. The operator has the
+**capture reactions** wired: when they react to a Telegram message with **👨‍💻**
+(laptop) or **📌** (pushpin), you're woken with a turn whose inbound is shaped
+`<channel … event="reaction" emoji="👨‍💻" message_id="…" chat_id="…">[the
+reacted message text]</channel>`. That reaction means: **"turn this into a
+Linear issue."**
+
+When you get such a reaction turn:
+
+1. **Read the reacted message + nearby context.** The `[reacted text]` is the
+   seed. Pull the surrounding thread (`get_recent_messages`) when the ask needs
+   it — the issue should stand on its own without the operator re-explaining.
+2. **Call `linear_create_issue`** with:
+   - `title` — a crisp, imperative one-liner ("Fix duplicate Brevo webhook
+     retries"), not a restatement of the chat.
+   - `body` — the ask, the context you gathered, and any acceptance criteria
+     you can reasonably infer. Markdown.
+   - `dedup_key` — set it to `"<chat_id>:<message_id>"` from the reaction event.
+     This makes a re-react of the same message idempotent (it returns the
+     existing issue instead of filing a duplicate).
+   - `team_id` — omit it. A single-team workspace auto-resolves; you'll only be
+     asked for one if the workspace has multiple teams (then tell the operator
+     to set a default via `switchroom linear-agent set-team`).
+3. **Reply in plain text, not an emoji.** On success the tool returns
+   `Filed: <title> → <url>` — reply that link so the operator can click
+   through ("📋 Filed: <url>"). On failure (vault denial, multi-team, API
+   error) the tool returns actionable text — relay it plainly ("Couldn't file
+   it — …") and, if it's a vault denial, follow the `vault_request_access`
+   instruction it gives you, then retry.
+
+Don't acknowledge with only a reaction or a bare "done" — the operator wants
+the link (or the honest reason it didn't file).
+{{/if}}
 
 ### Don't lie about scheduling
 

package/telegram-plugin/bridge/bridge.ts

@@ -479,6 +479,37 @@ const TOOL_SCHEMAS = [
       required: ['agent_session_id', 'type'],
     },
   },
+  {
+    name: 'linear_create_issue',
+    description:
+      'File a new Linear issue from a Telegram message the operator flagged for capture (#2312). Use this when a turn was triggered by a capture reaction (the inbound carries event="reaction" with a capture emoji like 👨‍💻 or 📌) — turn the reacted message + any relevant thread context into a well-formed issue. Write a crisp imperative title and a body that captures the ask, the context, and any acceptance criteria you can infer; the agent files it AS its own Linear app actor. Team is auto-resolved when the workspace has a single team; if there are multiple it returns text asking for an explicit team_id. Pass dedup_key (e.g. the chat_id:message_id of the reacted message) so a re-react of the same message does not file a duplicate. Resolves the agent\'s Linear app token from the vault; on VAULT-BROKER-DENIED it returns text instructing you to vault_request_access for `linear/<agent>/token`. Returns "Filed: <title> → <url>" on success — reply that link to the operator in plain text.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        title: {
+          type: 'string',
+          description: 'Issue title — a crisp, imperative one-liner (e.g. "Fix duplicate webhook retries on Brevo sync").',
+        },
+        body: {
+          type: 'string',
+          description: 'Issue description (Markdown). Capture the ask, relevant context from the message/thread, and any acceptance criteria you can infer.',
+        },
+        team_id: {
+          type: 'string',
+          description: 'Optional Linear team id. Omit to auto-resolve when the workspace has a single team; required only when the workspace has multiple teams.',
+        },
+        dedup_key: {
+          type: 'string',
+          description: 'Optional idempotency key (use the reacted message identity, e.g. "<chat_id>:<message_id>"). A prior capture with the same key short-circuits to "Already filed: <url>".',
+        },
+        priority: {
+          type: 'number',
+          description: 'Optional Linear priority (0 none, 1 urgent, 2 high, 3 normal, 4 low).',
+        },
+      },
+      required: ['title', 'body'],
+    },
+  },
 ]
 
 mcp.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOL_SCHEMAS }))
@@ -796,7 +827,13 @@ async function main(): Promise<void> {
     onPermission,
     onStatus,
     log: (msg) => process.stderr.write(`telegram bridge: ipc: ${msg}\n`),
-    livenessFilePath: join(STATE_DIR, ".bridge-alive"),
+    // #2307 Tier-1: the cron-session bridge shares the agent's STATE_DIR
+    // (access.json / history / gateway.sock) but writes its liveness file to a
+    // DISTINCT path (SWITCHROOM_BRIDGE_ALIVE_PATH, set in the cron .mcp.json) so
+    // a live <agent>-cron bridge can't mask a dead MAIN bridge in the
+    // dashboard/doctor liveness probe (RISK #2). Unset ⟹ the main bridge's
+    // canonical STATE_DIR/.bridge-alive, exactly as before.
+    livenessFilePath: process.env.SWITCHROOM_BRIDGE_ALIVE_PATH ?? join(STATE_DIR, ".bridge-alive"),
   })
   if (ipc.isConnected()) {
     process.stderr.write(`telegram bridge: connected to gateway at ${SOCKET_PATH}\n`)

package/telegram-plugin/dist/bridge/bridge.js

@@ -24957,6 +24957,36 @@ var TOOL_SCHEMAS = [
       },
       required: ["agent_session_id", "type"]
     }
+  },
+  {
+    name: "linear_create_issue",
+    description: 'File a new Linear issue from a Telegram message the operator flagged for capture (#2312). Use this when a turn was triggered by a capture reaction (the inbound carries event="reaction" with a capture emoji like \uD83D\uDC68\u200D\uD83D\uDCBB or \uD83D\uDCCC) \u2014 turn the reacted message + any relevant thread context into a well-formed issue. Write a crisp imperative title and a body that captures the ask, the context, and any acceptance criteria you can infer; the agent files it AS its own Linear app actor. Team is auto-resolved when the workspace has a single team; if there are multiple it returns text asking for an explicit team_id. Pass dedup_key (e.g. the chat_id:message_id of the reacted message) so a re-react of the same message does not file a duplicate. Resolves the agent\'s Linear app token from the vault; on VAULT-BROKER-DENIED it returns text instructing you to vault_request_access for `linear/<agent>/token`. Returns "Filed: <title> \u2192 <url>" on success \u2014 reply that link to the operator in plain text.',
+    inputSchema: {
+      type: "object",
+      properties: {
+        title: {
+          type: "string",
+          description: 'Issue title \u2014 a crisp, imperative one-liner (e.g. "Fix duplicate webhook retries on Brevo sync").'
+        },
+        body: {
+          type: "string",
+          description: "Issue description (Markdown). Capture the ask, relevant context from the message/thread, and any acceptance criteria you can infer."
+        },
+        team_id: {
+          type: "string",
+          description: "Optional Linear team id. Omit to auto-resolve when the workspace has a single team; required only when the workspace has multiple teams."
+        },
+        dedup_key: {
+          type: "string",
+          description: 'Optional idempotency key (use the reacted message identity, e.g. "<chat_id>:<message_id>"). A prior capture with the same key short-circuits to "Already filed: <url>".'
+        },
+        priority: {
+          type: "number",
+          description: "Optional Linear priority (0 none, 1 urgent, 2 high, 3 normal, 4 low)."
+        }
+      },
+      required: ["title", "body"]
+    }
   }
 ];
 mcp.setRequestHandler(ListToolsRequestSchema2, async () => ({ tools: TOOL_SCHEMAS }));
@@ -25176,7 +25206,7 @@ async function main() {
     onStatus,
     log: (msg) => process.stderr.write(`telegram bridge: ipc: ${msg}
 `),
-    livenessFilePath: join4(STATE_DIR, ".bridge-alive")
+    livenessFilePath: process.env.SWITCHROOM_BRIDGE_ALIVE_PATH ?? join4(STATE_DIR, ".bridge-alive")
   });
   if (ipc.isConnected()) {
     process.stderr.write(`telegram bridge: connected to gateway at ${SOCKET_PATH}