switchroom 0.15.17 → 0.15.18

package/dist/cli/switchroom.js

@@ -49571,9 +49571,9 @@ __export(exports_server, {
   dispatchTool: () => dispatchTool,
   TOOLS: () => TOOLS
 });
-import { spawnSync as spawnSync13 } from "node:child_process";
+import { spawnSync as spawnSync14 } from "node:child_process";
 function execCli(args, stdin) {
-  const r = spawnSync13(CLI_BIN, args, {
+  const r = spawnSync14(CLI_BIN, args, {
     encoding: "utf-8",
     env: process.env,
     timeout: 15000,
@@ -50459,8 +50459,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.15.17";
-var COMMIT_SHA = "a5129bd3";
+var VERSION = "0.15.18";
+var COMMIT_SHA = "d7c044b9";
 
 // src/cli/agent.ts
 init_source();
@@ -76809,6 +76809,194 @@ function registerUpdateCommand(program3) {
   });
 }
 
+// src/cli/rollout.ts
+init_helpers();
+import { spawnSync as spawnSync10 } from "node:child_process";
+function normalizeVersion(v) {
+  return v.trim().replace(/^v/, "");
+}
+function isVersionAssertable(target) {
+  return /^v?\d+\.\d+\.\d+$/.test(target.trim());
+}
+function orderAgentsCanaryFirst(agents) {
+  const canary = agents.filter((a) => a === "test-harness");
+  const rest = agents.filter((a) => a !== "test-harness");
+  return [...canary, ...rest];
+}
+function planRollout(agents, opts = {}) {
+  const steps = [{ kind: "apply" }];
+  for (const agent of orderAgentsCanaryFirst(agents)) {
+    steps.push({ kind: "restart-agent", agent });
+  }
+  if (!opts.skipWeb) {
+    steps.push({ kind: "refresh-web" });
+    steps.push({ kind: "refresh-hostd" });
+  }
+  steps.push({ kind: "sweep" });
+  return steps;
+}
+function formatRolloutPlan(steps, target) {
+  const lines = [`Rollout plan \u2192 ${target}:`];
+  let n = 0;
+  for (const s of steps) {
+    n += 1;
+    switch (s.kind) {
+      case "apply":
+        lines.push(`  ${n}. apply \u2014 regenerate compose with ${target} image refs`);
+        break;
+      case "restart-agent":
+        lines.push(`  ${n}. restart ${s.agent} (--wait --force) + assert --version=${target}`);
+        break;
+      case "refresh-web":
+        lines.push(`  ${n}. webd install --tag ${target} (separate compose project)`);
+        break;
+      case "refresh-hostd":
+        lines.push(`  ${n}. hostd install --tag ${target} (separate compose project)`);
+        break;
+      case "sweep":
+        lines.push(`  ${n}. sweep \u2014 print per-agent version table`);
+        break;
+    }
+  }
+  lines.push("");
+  lines.push("Stops on the first agent that doesn't come back on the target version.");
+  return lines.join(`
+`);
+}
+function executeRollout(steps, target, deps, pinOnApply) {
+  const targetNorm = normalizeVersion(target);
+  const rolled = [];
+  const warnings = [];
+  for (const step of steps) {
+    switch (step.kind) {
+      case "apply": {
+        deps.log(`\u2192 apply \u2014 regenerating compose for ${target}`);
+        const args = pinOnApply ? ["apply", "--pin", target] : ["apply"];
+        const r = deps.run(args);
+        if (r.status !== 0) {
+          return { ok: false, rolled, failedStep: "apply", warnings };
+        }
+        break;
+      }
+      case "restart-agent": {
+        deps.log(`\u2192 restart ${step.agent} (--wait --force)`);
+        deps.run(["agent", "restart", step.agent, "--wait", "--force"]);
+        const got = deps.probeVersion(step.agent);
+        if (got === null || normalizeVersion(got) !== targetNorm) {
+          deps.log(`  \u2717 ${step.agent} \u2192 ${got ?? "<unreachable>"} (expected ${target}) \u2014 STOPPING`);
+          return {
+            ok: false,
+            rolled,
+            failedStep: "restart-agent",
+            failedAgent: step.agent,
+            got,
+            warnings
+          };
+        }
+        rolled.push(step.agent);
+        deps.log(`  \u2713 ${step.agent} \u2192 ${got}`);
+        break;
+      }
+      case "refresh-web": {
+        deps.log(`\u2192 webd install --tag ${target}`);
+        const r = deps.run(["webd", "install", "--tag", target]);
+        if (r.status !== 0)
+          warnings.push(`web refresh failed (non-fatal); agents already rolled`);
+        break;
+      }
+      case "refresh-hostd": {
+        deps.log(`\u2192 hostd install --tag ${target}`);
+        const r = deps.run(["hostd", "install", "--tag", target]);
+        if (r.status !== 0)
+          warnings.push(`hostd refresh failed (non-fatal); agents already rolled`);
+        break;
+      }
+      case "sweep": {
+        deps.log(`\u2192 sweep`);
+        for (const a of rolled) {
+          const v = deps.probeVersion(a);
+          deps.log(`  ${a}: ${v ?? "<unreachable>"}`);
+        }
+        break;
+      }
+    }
+  }
+  return { ok: true, rolled, warnings };
+}
+function registerRolloutCommand(program3) {
+  program3.command("rollout").description("Deploy a pinned version to the fleet, safely (staggered restart + " + "per-agent version assert + web/hostd refresh). Run with sudo.").option("--pin <version>", "Version to roll (e.g. v0.15.18). Defaults to release.pin from config.").option("--agents <list>", "Comma-separated subset of agents to roll (default: all configured).").option("--skip-web", "Skip the web + hostd refresh step.").option("--dry-run", "Print the plan and exit without changing anything.").action(async (opts) => {
+    const config = getConfig(program3);
+    const target = opts.pin ?? config.release?.pin;
+    if (!target) {
+      process.stderr.write("rollout needs a pinned version: pass --pin vX.Y.Z, or set " + "`release.pin` in switchroom.yaml. (A floating channel has no " + `fixed version to assert against.)
+`);
+      process.exitCode = 2;
+      return;
+    }
+    if (!isVersionAssertable(target)) {
+      process.stderr.write(`rollout asserts the in-container \`switchroom --version\` (always a ` + `semver), so the target must be a tagged release like v0.15.18 \u2014 ` + `\`${target}\` isn't version-assertable. Pass --pin vX.Y.Z.
+`);
+      process.exitCode = 2;
+      return;
+    }
+    const allAgents = Object.keys(config.agents ?? {});
+    const requested = opts.agents ? opts.agents.split(",").map((s) => s.trim()).filter(Boolean) : allAgents;
+    const unknown = requested.filter((a) => !allAgents.includes(a));
+    if (unknown.length > 0) {
+      process.stderr.write(`unknown agent(s): ${unknown.join(", ")}
+`);
+      process.exitCode = 2;
+      return;
+    }
+    if (requested.length === 0) {
+      process.stderr.write(`no agents to roll.
+`);
+      process.exitCode = 2;
+      return;
+    }
+    const steps = planRollout(requested, { skipWeb: opts.skipWeb });
+    if (opts.dryRun) {
+      process.stdout.write(formatRolloutPlan(steps, target) + `
+`);
+      return;
+    }
+    const scriptPath = process.argv[1] ?? "switchroom";
+    const deps = {
+      run: (args) => {
+        const r = spawnSync10(process.execPath, [scriptPath, ...args], { stdio: "inherit" });
+        return { status: r.status ?? 1 };
+      },
+      probeVersion: (agent) => {
+        const r = spawnSync10("docker", ["exec", `switchroom-${agent}`, "sh", "-lc", "switchroom --version"], { encoding: "utf8" });
+        if (r.status !== 0)
+          return null;
+        return (r.stdout ?? "").trim().split(`
+`).pop()?.trim() ?? null;
+      },
+      log: (line) => process.stdout.write(line + `
+`)
+    };
+    process.stdout.write(`Rolling ${requested.length} agent(s) to ${target}\u2026
+`);
+    const result = executeRollout(steps, target, deps, opts.pin != null);
+    for (const w of result.warnings)
+      process.stderr.write(`\u26a0\ufe0f  ${w}
+`);
+    if (!result.ok) {
+      process.stderr.write(`
+\u2717 Rollout STOPPED at ${result.failedStep}` + (result.failedAgent ? ` (${result.failedAgent} \u2192 ${result.got ?? "unreachable"})` : "") + `.
+  Rolled before stop: ${result.rolled.join(", ") || "none"}.
+` + `  Fix the cause, then re-run \`switchroom rollout --pin ${target}\` ` + `(idempotent \u2014 already-current agents bounce back to the same version).
+`);
+      process.exitCode = 1;
+      return;
+    }
+    process.stdout.write(`
+\u2705 Rollout complete \u2014 ${result.rolled.length} agent(s) on ${target}` + `${result.warnings.length ? ` (with ${result.warnings.length} warning(s) above)` : ""}.
+`);
+  });
+}
+
 // src/cli/restart.ts
 init_source();
 init_helpers();
@@ -78264,7 +78452,7 @@ init_helpers();
 init_loader();
 import { existsSync as existsSync64 } from "node:fs";
 import { resolve as resolve39, sep as sep3 } from "node:path";
-import { spawnSync as spawnSync10 } from "node:child_process";
+import { spawnSync as spawnSync11 } from "node:child_process";
 
 // src/agents/workspace.ts
 import { readFile as readFile2, stat } from "node:fs/promises";
@@ -78977,7 +79165,7 @@ function registerWorkspaceCommand(program3) {
       process.exit(1);
     }
     const editor = process.env["EDITOR"] ?? process.env["VISUAL"] ?? "vi";
-    const child = spawnSync10(editor, [target], { stdio: "inherit" });
+    const child = spawnSync11(editor, [target], { stdio: "inherit" });
     if (child.status !== 0 && child.status !== null) {
       process.exit(child.status);
     }
@@ -79044,7 +79232,7 @@ function registerWorkspaceCommand(program3) {
 `);
       return;
     }
-    const statusResult = spawnSync10("git", ["status", "--short"], {
+    const statusResult = spawnSync11("git", ["status", "--short"], {
       cwd: dir,
       encoding: "utf-8"
     });
@@ -79059,7 +79247,7 @@ function registerWorkspaceCommand(program3) {
       return;
     }
     const message = opts.message || `checkpoint: ${new Date().toISOString()}`;
-    const addResult = spawnSync10("git", ["add", "-A"], {
+    const addResult = spawnSync11("git", ["add", "-A"], {
       cwd: dir,
       encoding: "utf-8"
     });
@@ -79068,7 +79256,7 @@ function registerWorkspaceCommand(program3) {
 `);
       process.exit(1);
     }
-    const commitResult = spawnSync10("git", ["commit", "-m", message], {
+    const commitResult = spawnSync11("git", ["commit", "-m", message], {
       cwd: dir,
       encoding: "utf-8"
     });
@@ -79077,7 +79265,7 @@ function registerWorkspaceCommand(program3) {
 `);
       process.exit(1);
     }
-    const shaResult = spawnSync10("git", ["rev-parse", "--short", "HEAD"], {
+    const shaResult = spawnSync11("git", ["rev-parse", "--short", "HEAD"], {
       cwd: dir,
       encoding: "utf-8"
     });
@@ -79098,7 +79286,7 @@ function registerWorkspaceCommand(program3) {
 `);
       return;
     }
-    const child = spawnSync10("git", ["status", "--short"], {
+    const child = spawnSync11("git", ["status", "--short"], {
       cwd: dir,
       stdio: "inherit"
     });
@@ -84093,7 +84281,7 @@ import {
 } from "node:fs";
 import { tmpdir as tmpdir5, homedir as homedir45 } from "node:os";
 import { dirname as dirname23, join as join79, relative as relative2, resolve as resolve47 } from "node:path";
-import { spawnSync as spawnSync11 } from "node:child_process";
+import { spawnSync as spawnSync12 } from "node:child_process";
 
 // src/cli/skill-common.ts
 var import_yaml22 = __toESM(require_dist(), 1);
@@ -84346,7 +84534,7 @@ function loadFromDir(dir) {
 function loadFromTarball(tarPath) {
   const isGz = tarPath.endsWith(".gz") || tarPath.endsWith(".tgz");
   const listFlags = isGz ? ["-tzf"] : ["-tf"];
-  const list2 = spawnSync11("tar", [...listFlags, tarPath], {
+  const list2 = spawnSync12("tar", [...listFlags, tarPath], {
     encoding: "utf-8",
     stdio: ["ignore", "pipe", "pipe"]
   });
@@ -84363,7 +84551,7 @@ function loadFromTarball(tarPath) {
   const staging = mkdtempSync5(join79(tmpdir5(), "skill-apply-extract-"));
   try {
     const flags = isGz ? ["-xzf"] : ["-xf"];
-    const r = spawnSync11("tar", [
+    const r = spawnSync12("tar", [
       ...flags,
       tarPath,
       "-C",
@@ -84438,7 +84626,7 @@ function validatePayload(name, files) {
   if (errors2.length === 0) {
     for (const [path8, content] of Object.entries(files)) {
       if (SH_SCRIPT_RE2.test(path8)) {
-        const r = spawnSync11("bash", ["-n"], {
+        const r = spawnSync12("bash", ["-n"], {
           input: content,
           encoding: "utf-8"
         });
@@ -84450,7 +84638,7 @@ function validatePayload(name, files) {
         const tmpPy = join79(tmp, "check.py");
         try {
           writeFileSync39(tmpPy, content);
-          const r = spawnSync11("python3", ["-m", "py_compile", tmpPy], {
+          const r = spawnSync12("python3", ["-m", "py_compile", tmpPy], {
             encoding: "utf-8"
           });
           if (r.status !== 0) {
@@ -84613,7 +84801,7 @@ function registerSkillCommand(program3) {
 \u2713 Wrote ${name} to ${currentDir}`));
     const applyBin = process.argv[1] ?? "switchroom";
     console.log(source_default.gray(`Running \`switchroom apply --non-interactive\`...`));
-    const r = spawnSync11(process.argv0, [applyBin, "apply", "--non-interactive"], { stdio: "inherit" });
+    const r = spawnSync12(process.argv0, [applyBin, "apply", "--non-interactive"], { stdio: "inherit" });
     if (r.status !== 0) {
       console.error(source_default.yellow(`(warning: \`switchroom apply\` exited ${r.status} \u2014 skill is ` + `in the pool but symlinks may not be refreshed. Re-run manually.)`));
     }
@@ -84645,7 +84833,7 @@ import {
 } from "node:fs";
 import { dirname as dirname24, join as join80, relative as relative3, resolve as resolve48 } from "node:path";
 import { homedir as homedir46, tmpdir as tmpdir6 } from "node:os";
-import { spawnSync as spawnSync12 } from "node:child_process";
+import { spawnSync as spawnSync13 } from "node:child_process";
 init_helpers();
 init_source();
 var PERSONAL_PREFIX = "personal-";
@@ -84834,7 +85022,7 @@ function behavioralValidate(files) {
   const errors2 = [];
   for (const [path8, content] of Object.entries(files)) {
     if (SH_SCRIPT_RE.test(path8)) {
-      const r = spawnSync12("bash", ["-n"], { input: content, encoding: "utf-8" });
+      const r = spawnSync13("bash", ["-n"], { input: content, encoding: "utf-8" });
       if (r.status !== 0) {
         errors2.push(`${path8} fails \`bash -n\`: ${(r.stderr ?? "").trim()}`);
       }
@@ -84843,7 +85031,7 @@ function behavioralValidate(files) {
       const tmpPy = join80(tmp, "check.py");
       try {
         writeFileSync40(tmpPy, content);
-        const r = spawnSync12("python3", ["-m", "py_compile", tmpPy], {
+        const r = spawnSync13("python3", ["-m", "py_compile", tmpPy], {
           encoding: "utf-8"
         });
         if (r.status !== 0) {
@@ -85536,7 +85724,7 @@ init_helpers();
 import { existsSync as existsSync84, mkdirSync as mkdirSync47, readdirSync as readdirSync33, readFileSync as readFileSync71, writeFileSync as writeFileSync41, statSync as statSync34, copyFileSync as copyFileSync12 } from "node:fs";
 import { homedir as homedir48 } from "node:os";
 import { join as join82 } from "node:path";
-import { spawnSync as spawnSync14 } from "node:child_process";
+import { spawnSync as spawnSync15 } from "node:child_process";
 init_audit_reader();
 function resolveHostdImageTag(explicitTag, release) {
   if (explicitTag)
@@ -85668,7 +85856,7 @@ function backupExistingCompose() {
   return bak;
 }
 function runDocker(args) {
-  const r = spawnSync14("docker", args, { encoding: "utf8" });
+  const r = spawnSync15("docker", args, { encoding: "utf8" });
   return {
     ok: r.status === 0,
     stdout: r.stdout ?? "",
@@ -85861,7 +86049,7 @@ init_helpers();
 import { existsSync as existsSync85, mkdirSync as mkdirSync48, writeFileSync as writeFileSync42, copyFileSync as copyFileSync13 } from "node:fs";
 import { homedir as homedir49 } from "node:os";
 import { join as join83 } from "node:path";
-import { spawnSync as spawnSync15 } from "node:child_process";
+import { spawnSync as spawnSync16 } from "node:child_process";
 function resolveWebImageTag(explicitTag, release) {
   if (explicitTag)
     return explicitTag;
@@ -85960,7 +86148,7 @@ function backupExistingCompose2() {
   return bak;
 }
 function runDocker2(args) {
-  const r = spawnSync15("docker", args, { encoding: "utf8" });
+  const r = spawnSync16("docker", args, { encoding: "utf8" });
   return {
     ok: r.status === 0,
     stdout: r.stdout ?? "",
@@ -86090,6 +86278,7 @@ var program3 = new Command().name("switchroom").description("Multi-agent orchest
 registerSetupCommand(program3);
 registerDoctorCommand(program3);
 registerUpdateCommand(program3);
+registerRolloutCommand(program3);
 registerRestartCommand(program3);
 registerVersionCommand(program3);
 registerVersionsCommand(program3);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.15.17",
+  "version": "0.15.18",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -54158,11 +54158,11 @@ function readTurnActiveMarkerAgeMs(stateDir, now) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.15.17";
-var COMMIT_SHA = "a5129bd3";
-var COMMIT_DATE = "2026-06-13T22:07:37Z";
-var LATEST_PR = 2332;
-var COMMITS_AHEAD_OF_TAG = 0;
+var VERSION = "0.15.18";
+var COMMIT_SHA = "d7c044b9";
+var COMMIT_DATE = "2026-06-14T08:55:07+10:00";
+var LATEST_PR = null;
+var COMMITS_AHEAD_OF_TAG = 3;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -57206,10 +57206,8 @@ if (inboundSpool != null) {
   }
 }
 var pendingPermissionBuffer = createPendingPermissionBuffer();
-function buildPermissionActionRow(requestId, showAlways, showTimeBox = false) {
-  const kb = new import_grammy9.InlineKeyboard().text("\u274C Deny", `perm:deny:${requestId}`).text("\u2705 Allow once", `perm:allow:${requestId}`);
-  if (showTimeBox)
-    kb.text("\u23F1 30 min", `perm:tmb:${requestId}`);
+function buildPermissionActionRow(requestId, showAlways) {
+  const kb = new import_grammy9.InlineKeyboard().text("\u274C Deny", `perm:deny:${requestId}`).text("\u2705 Allow", `perm:allow:${requestId}`);
   if (showAlways)
     kb.text("\uD83D\uDD01 Always\u2026", `perm:always:${requestId}`);
   return kb;
@@ -57465,10 +57463,8 @@ var ipcServer = createIpcServer({
       description,
       agentName: _client.agentName
     });
-    const scopeChoices = resolveScopedAllowChoices(toolName, inputPreview);
-    const showAlways = scopeChoices != null;
-    const showTimeBox = scopedApprovalTtlMs() > 0 && resolveTimeBox(toolName, inputPreview, scopeChoices) != null;
-    const keyboard = buildPermissionActionRow(requestId, showAlways, showTimeBox);
+    const showAlways = resolveScopedAllowChoices(toolName, inputPreview) != null;
+    const keyboard = buildPermissionActionRow(requestId, showAlways);
     const activeTurn = currentTurn;
     const targets = resolvePermissionCardTargets();
     for (const { chatId, threadId } of targets) {
@@ -65080,8 +65076,8 @@ ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: tr
     const cbMessageId = ctx.callbackQuery?.message?.message_id;
     const metaForMessage = cbMessageId != null ? agentButtonMeta.get(`${cbChatId}:${cbMessageId}`) : undefined;
     const tapMeta = metaForMessage?.get(agentCb.raw);
-    const ackText = typeof tapMeta?.ack_text === "string" && tapMeta.ack_text.length > 0 ? tapMeta.ack_text : "\u2713 received";
-    await ctx.answerCallbackQuery({ text: ackText }).catch(() => {});
+    const ackText2 = typeof tapMeta?.ack_text === "string" && tapMeta.ack_text.length > 0 ? tapMeta.ack_text : "\u2713 received";
+    await ctx.answerCallbackQuery({ text: ackText2 }).catch(() => {});
     const buttonText = (() => {
       const msg2 = ctx.callbackQuery?.message;
       const kb = msg2 && "reply_markup" in msg2 ? msg2.reply_markup : undefined;
@@ -65150,7 +65146,7 @@ ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: tr
     }
     return;
   }
-  const m = /^perm:(allow|deny|always|asn|asb|back|tmb):([a-km-z]{5})$/.exec(data);
+  const m = /^perm:(allow|deny|always|asn|asb|back):([a-km-z]{5})$/.exec(data);
   if (!m) {
     await ctx.answerCallbackQuery().catch(() => {});
     return;
@@ -65170,9 +65166,7 @@ ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: tr
     }
     let keyboard;
     if (behavior === "back") {
-      const backChoices = resolveScopedAllowChoices(details.tool_name, details.input_preview);
-      const backTimeBox = scopedApprovalTtlMs() > 0 && resolveTimeBox(details.tool_name, details.input_preview, backChoices) != null;
-      keyboard = buildPermissionActionRow(request_id, true, backTimeBox);
+      keyboard = buildPermissionActionRow(request_id, true);
     } else {
       const choices = resolveScopedAllowChoices(details.tool_name, details.input_preview);
       if (choices == null) {
@@ -65305,12 +65299,12 @@ ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: tr
     }
     const ok = durable;
     const legacyNote = legacy && durable;
-    const ackText = ok ? legacyNote ? `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking (legacy path).` : `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking.` : editLockHint ? `\u26A0\uFE0F Allowed for now \u2014 config edits are locked. Enable hostd.config_edit_enabled.` : `\u26A0\uFE0F Allowed for now, but "always" did NOT save \u2014 it will ask again after restart. Check gateway log.`;
+    const ackText2 = ok ? legacyNote ? `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking (legacy path).` : `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking.` : editLockHint ? `\u26A0\uFE0F Allowed for now \u2014 config edits are locked. Enable hostd.config_edit_enabled.` : `\u26A0\uFE0F Allowed for now, but "always" did NOT save \u2014 it will ask again after restart. Check gateway log.`;
     const sourceMsg = ctx.callbackQuery?.message;
     const baseText2 = sourceMsg && "text" in sourceMsg && sourceMsg.text ? escapeHtmlForTg(sourceMsg.text) : "";
     const editLabel = ok ? legacyNote ? `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking (legacy path); restart agent for full effect` : `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking; restart agent for full effect` : editLockHint ? `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> Config edits are locked; enable <code>hostd.config_edit_enabled</code>.` : `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> It will ask again after restart. Check gateway log.`;
     await finalizeCallback(ctx, {
-      ackText: ackText.slice(0, 200),
+      ackText: ackText2.slice(0, 200),
       newText: baseText2 ? `${baseText2}
 
 ${editLabel}` : editLabel,
@@ -65318,64 +65312,28 @@ ${editLabel}` : editLabel,
     });
     return;
   }
-  if (behavior === "tmb") {
-    const details = pendingPermissions.get(request_id);
-    if (!details) {
-      await ctx.answerCallbackQuery({ text: "Details no longer available." }).catch(() => {});
-      return;
-    }
-    const ttl = scopedApprovalTtlMs();
-    if (ttl <= 0) {
-      await ctx.answerCallbackQuery({ text: "Time-boxed approvals are disabled." }).catch(() => {});
-      return;
-    }
-    const choices = resolveScopedAllowChoices(details.tool_name, details.input_preview);
-    const tb = resolveTimeBox(details.tool_name, details.input_preview, choices);
-    if (!tb) {
-      await ctx.answerCallbackQuery({ text: "This action can't be time-boxed." }).catch(() => {});
-      return;
-    }
-    const agentName3 = selfAgentName();
-    if (!agentName3) {
-      await ctx.answerCallbackQuery({ text: "Time-box needs SWITCHROOM_AGENT_NAME \u2014 gateway is misconfigured." }).catch(() => {});
-      return;
-    }
-    pendingPermissions.delete(request_id);
-    dispatchPermissionVerdict({ type: "permission", requestId: request_id, behavior: "allow" });
-    recordScopedGrant(scopedGrants, agentName3, tb.rule, Date.now(), ttl);
-    resumeReactionAfterVerdict();
-    postPermissionResumeMessage({
-      behavior: "allow",
-      action: naturalAction(details.tool_name, details.input_preview)
-    });
-    process.stderr.write(`telegram gateway: scoped-approval granted rule="${tb.rule}" agent=${agentName3} ttl_ms=${ttl} (request_id=${request_id})
+  const pd = pendingPermissions.get(request_id);
+  const resumeAction = pd ? naturalAction(pd.tool_name, pd.input_preview) : "";
+  const scopedTtl = scopedApprovalTtlMs();
+  const timeBox = behavior === "allow" && scopedTtl > 0 && pd ? resolveTimeBox(pd.tool_name, pd.input_preview, resolveScopedAllowChoices(pd.tool_name, pd.input_preview)) : null;
+  const grantAgent = selfAgentName();
+  pendingPermissions.delete(request_id);
+  if (timeBox && grantAgent) {
+    recordScopedGrant(scopedGrants, grantAgent, timeBox.rule, Date.now(), scopedTtl);
+    process.stderr.write(`telegram gateway: scoped-approval granted via Allow rule="${timeBox.rule}" agent=${grantAgent} ttl_ms=${scopedTtl} (request_id=${request_id})
 `);
-    const mins = Math.max(1, Math.round(ttl / 60000));
-    const sourceMsg = ctx.callbackQuery?.message;
-    const baseText2 = sourceMsg && "text" in sourceMsg && sourceMsg.text ? escapeHtmlForTg(sourceMsg.text) : "";
-    const editLabel = `\u23F1 <b>Allowed for ${mins} min \u2014 ${escapeHtmlForTg(tb.breadth)}</b> \xB7 re-asks after that, and now for anything else`;
-    await finalizeCallback(ctx, {
-      ackText: `\u23F1 Allowed for ${mins} min`.slice(0, 200),
-      newText: baseText2 ? `${baseText2}
-
-${editLabel}` : editLabel,
-      parseMode: "HTML"
-    });
-    return;
   }
-  const resumeAction = (() => {
-    const d = pendingPermissions.get(request_id);
-    return d ? naturalAction(d.tool_name, d.input_preview) : "";
-  })();
-  pendingPermissions.delete(request_id);
-  const label = behavior === "allow" ? "\u2705 Allowed" : "\u274C Denied";
+  const scopedMins = Math.max(1, Math.round(scopedTtl / 60000));
+  const windowGranted = timeBox != null && grantAgent !== "";
+  const ackText = behavior === "deny" ? "\u274C Denied" : windowGranted ? `\u2705 Allowed (${scopedMins} min)` : "\u2705 Allowed once";
+  const htmlLabel = behavior === "deny" ? "\u274C <b>Denied</b>" : windowGranted ? `\u2705 <b>Allowed \u2014 won't ask again about ${escapeHtmlForTg(timeBox.breadth)} for ${scopedMins} min</b>` : "\u2705 <b>Allowed once</b>";
   const msg = ctx.callbackQuery?.message;
   const baseText = msg && "text" in msg && msg.text ? escapeHtmlForTg(msg.text) : "";
   await finalizeCallback(ctx, {
-    ackText: label,
+    ackText: ackText.slice(0, 200),
     newText: baseText ? `${baseText}
 
-${label}` : label,
+${htmlLabel}` : htmlLabel,
     parseMode: "HTML",
     synthInbound: () => {
       dispatchPermissionVerdict({

package/telegram-plugin/gateway/gateway.ts

@@ -3660,8 +3660,9 @@ function sweepStaleAlwaysAllowCorrelations(now = Date.now()): void {
   }
 }
 
-// "⏱ 30 min" scoped-approval store (the middle tier between Allow-once and
-// 🔁 Always). Operator-tapped, gateway-side ONLY (never pushed to the
+// Scoped-approval store: the 30-min window that backs the "✅ Allow" tap for
+// narrow non-destructive scopes (not a separate button — it IS what Allow
+// means for those). Operator-tapped, gateway-side ONLY (never pushed to the
 // bridge's untimed sessionAllowRules), fixed-window, fail-closed. Keyed by
 // agent name for per-agent isolation. All policy lives in
 // ../scoped-approval.ts (pure + unit-tested); this gateway only wires it.
@@ -5605,24 +5606,27 @@ const pendingPermissionBuffer = createPendingPermissionBuffer()
  * are resolved at call-time, after module init.)
  */
 /**
- * The default permission-card action row: ❌ Deny · ✅ Allow once ·
+ * The default permission-card action row: ❌ Deny · ✅ Allow ·
  * 🔁 Always… (the last only when a meaningful always-rule exists).
  * Tapping "🔁 Always…" swaps this row for the scope sub-menu; "← Back"
  * rebuilds this row. callback_data stays tiny (verb + 5-char id) so we
  * never approach Telegram's 64-byte ceiling.
+ *
+ * "✅ Allow" is no longer always literally "once": for a NARROW,
+ * non-destructive scope it auto-grants a fixed 30-min window (so the same
+ * action stops re-asking) — that is the default behavior of the allow tap,
+ * not a separate button. Broad / MCP / destructive scopes stay truly once.
+ * The post-tap card states which happened (honest-card contract). The
+ * decision lives in the allow handler via resolveTimeBox; the label here is
+ * deliberately neutral ("Allow", not "Allow once" or "Allow 30 min").
  */
 function buildPermissionActionRow(
   requestId: string,
   showAlways: boolean,
-  showTimeBox = false,
 ): InlineKeyboard {
   const kb = new InlineKeyboard()
     .text('❌ Deny', `perm:deny:${requestId}`)
-    .text('✅ Allow once', `perm:allow:${requestId}`)
-  // "⏱ 30 min" sits between once and always. Only shown for a narrow,
-  // non-destructive scope (resolveTimeBox decides); broad/MCP/destructive
-  // requests get once/always only.
-  if (showTimeBox) kb.text('⏱ 30 min', `perm:tmb:${requestId}`)
+    .text('✅ Allow', `perm:allow:${requestId}`)
   if (showAlways) kb.text('🔁 Always…', `perm:always:${requestId}`)
   return kb
 }
@@ -6044,19 +6048,15 @@ const ipcServer: IpcServer = createIpcServer({
       description,
       agentName: _client.agentName,
     })
-    // Compact action row: ❌ Deny · ✅ Allow once · 🔁 Always… — the
-    // scope of an "always" grant stays hidden until the operator taps
-    // "🔁 Always…", which swaps the row for a scope choice (this file /
-    // any file ⚠️). The "🔁 Always…" button only appears when we can
-    // synthesize a meaningful rule for this tool; unknown tools get the
-    // two-button row only.
-    const scopeChoices = resolveScopedAllowChoices(toolName, inputPreview)
-    const showAlways = scopeChoices != null
-    // Offer "⏱ 30 min" only for a narrow, non-destructive scope, and only
-    // when the tier is enabled (TTL > 0).
-    const showTimeBox = scopedApprovalTtlMs() > 0 &&
-      resolveTimeBox(toolName, inputPreview, scopeChoices) != null
-    const keyboard = buildPermissionActionRow(requestId, showAlways, showTimeBox)
+    // Compact action row: ❌ Deny · ✅ Allow · 🔁 Always… — the scope of an
+    // "always" grant stays hidden until the operator taps "🔁 Always…",
+    // which swaps the row for a scope choice (this file / any file ⚠️). The
+    // "🔁 Always…" button only appears when we can synthesize a meaningful
+    // rule for this tool; unknown tools get the two-button row only. "Allow"
+    // itself auto-grants a 30-min window for narrow non-destructive scopes
+    // (decided in the allow handler), so there is no separate time-box button.
+    const showAlways = resolveScopedAllowChoices(toolName, inputPreview) != null
+    const keyboard = buildPermissionActionRow(requestId, showAlways)
     // Route the card to the SAME place the post-verdict resume message
     // lands (resolvePermissionCardTargets): the ORIGINATING chat+topic when
     // there's an active turn — so a supergroup agent's card appears IN the
@@ -19073,7 +19073,7 @@ bot.on('callback_query:data', async ctx => {
   }
 
   // Permission request buttons.
-  const m = /^perm:(allow|deny|always|asn|asb|back|tmb):([a-km-z]{5})$/.exec(data)
+  const m = /^perm:(allow|deny|always|asn|asb|back):([a-km-z]{5})$/.exec(data)
   if (!m) { await ctx.answerCallbackQuery().catch(() => {}); return }
   const access = loadAccess()
   const senderId = String(ctx.from.id)
@@ -19088,10 +19088,7 @@ bot.on('callback_query:data', async ctx => {
     if (!details) { await ctx.answerCallbackQuery({ text: 'Details no longer available.' }).catch(() => {}); return }
     let keyboard: InlineKeyboard
     if (behavior === 'back') {
-      const backChoices = resolveScopedAllowChoices(details.tool_name, details.input_preview)
-      const backTimeBox = scopedApprovalTtlMs() > 0 &&
-        resolveTimeBox(details.tool_name, details.input_preview, backChoices) != null
-      keyboard = buildPermissionActionRow(request_id, true, backTimeBox)
+      keyboard = buildPermissionActionRow(request_id, true)
     } else {
       const choices = resolveScopedAllowChoices(details.tool_name, details.input_preview)
       if (choices == null) {
@@ -19315,69 +19312,47 @@ bot.on('callback_query:data', async ctx => {
     return
   }
 
-  // "⏱ 30 min" — record a fixed-window scoped grant for the NARROW scope,
-  // then allow the in-flight call. Mirrors the asn/asb structure: dispatch
-  // the verdict immediately, then edit the card. CRITICAL: the verdict
-  // carries NO `rule` (unlike asn/asb), so the bridge does not cache it
-  // untimed — the window lives only in scopedGrants, gateway-side.
-  if (behavior === 'tmb') {
-    const details = pendingPermissions.get(request_id)
-    if (!details) { await ctx.answerCallbackQuery({ text: 'Details no longer available.' }).catch(() => {}); return }
-    const ttl = scopedApprovalTtlMs()
-    if (ttl <= 0) { await ctx.answerCallbackQuery({ text: 'Time-boxed approvals are disabled.' }).catch(() => {}); return }
-    const choices = resolveScopedAllowChoices(details.tool_name, details.input_preview)
-    const tb = resolveTimeBox(details.tool_name, details.input_preview, choices)
-    if (!tb) { await ctx.answerCallbackQuery({ text: 'This action can\'t be time-boxed.' }).catch(() => {}); return }
-    const agentName = selfAgentName()
-    if (!agentName) { await ctx.answerCallbackQuery({ text: 'Time-box needs SWITCHROOM_AGENT_NAME — gateway is misconfigured.' }).catch(() => {}); return }
-
-    pendingPermissions.delete(request_id)
-    // (1) Allow the in-flight call NOW — no `rule` (keeps the window
-    // strictly gateway-side; the bridge must not cache it untimed).
-    dispatchPermissionVerdict({ type: 'permission', requestId: request_id, behavior: 'allow' })
-    // (2) Record the fixed-window grant so matching calls auto-allow.
-    recordScopedGrant(scopedGrants, agentName, tb.rule, Date.now(), ttl)
-    resumeReactionAfterVerdict()
-    postPermissionResumeMessage({
-      behavior: 'allow',
-      action: naturalAction(details.tool_name, details.input_preview),
-    })
+  // Forward permission decision to connected bridges. Capture the pending
+  // details BEFORE deleting the entry — the resume message names the resumed
+  // work, and "Allow" on a narrow non-destructive scope auto-grants a 30-min
+  // window (resolveTimeBox) so the same action stops re-asking. This IS the
+  // default behavior of Allow (no separate button); broad / MCP / destructive
+  // scopes (resolveTimeBox → null) and the disabled tier (ttl<=0) stay truly
+  // once. The verdict is still dispatched WITHOUT a `rule` (below), so the
+  // bridge never caches it untimed — the window lives only in scopedGrants.
+  const pd = pendingPermissions.get(request_id)
+  const resumeAction = pd ? naturalAction(pd.tool_name, pd.input_preview) : ''
+  const scopedTtl = scopedApprovalTtlMs()
+  const timeBox = (behavior === 'allow' && scopedTtl > 0 && pd)
+    ? resolveTimeBox(pd.tool_name, pd.input_preview, resolveScopedAllowChoices(pd.tool_name, pd.input_preview))
+    : null
+  const grantAgent = selfAgentName()
+  pendingPermissions.delete(request_id)
+  if (timeBox && grantAgent) {
+    recordScopedGrant(scopedGrants, grantAgent, timeBox.rule, Date.now(), scopedTtl)
     process.stderr.write(
-      `telegram gateway: scoped-approval granted rule="${tb.rule}" agent=${agentName} ` +
-      `ttl_ms=${ttl} (request_id=${request_id})\n`,
+      `telegram gateway: scoped-approval granted via Allow rule="${timeBox.rule}" ` +
+      `agent=${grantAgent} ttl_ms=${scopedTtl} (request_id=${request_id})\n`,
     )
-
-    const mins = Math.max(1, Math.round(ttl / 60_000))
-    // Honest card: state the real BREADTH (e.g. "any `git` command"), not
-    // just the rule, plus the window — consent covers both (access-model
-    // honest-card contract).
-    const sourceMsg = ctx.callbackQuery?.message
-    const baseText = sourceMsg && 'text' in sourceMsg && sourceMsg.text
-      ? escapeHtmlForTg(sourceMsg.text)
-      : ''
-    const editLabel = `⏱ <b>Allowed for ${mins} min — ${escapeHtmlForTg(tb.breadth)}</b> · re-asks after that, and now for anything else`
-    await finalizeCallback(ctx, {
-      ackText: `⏱ Allowed for ${mins} min`.slice(0, 200),
-      newText: baseText ? `${baseText}\n\n${editLabel}` : editLabel,
-      parseMode: 'HTML',
-    })
-    return
   }
-
-  // Forward permission decision to connected bridges. Capture the work
-  // phrase BEFORE deleting the pending entry — postPermissionResumeMessage
-  // (fired in synthInbound below) names the resumed work.
-  const resumeAction = (() => {
-    const d = pendingPermissions.get(request_id)
-    return d ? naturalAction(d.tool_name, d.input_preview) : ''
-  })()
-  pendingPermissions.delete(request_id)
+  const scopedMins = Math.max(1, Math.round(scopedTtl / 60_000))
   // The card collapses to a plain verdict label. The distinct agent-voiced
   // "got it, continuing: …" message (posted on resume below) now carries
   // the "is it working or did my tap do nothing?" signal the old
   // `▶️ resuming…` card footnote used to — and names the work, which the
   // footnote never did. Keeps the card terse and the resume legible.
-  const label = behavior === 'allow' ? '✅ Allowed' : '❌ Denied'
+  // Honest-card: only claim the window when one was actually recorded
+  // (timeBox eligible AND we had an agent name to key it under) — never
+  // promise "won't ask again for 30 min" if nothing was stored.
+  const windowGranted = timeBox != null && grantAgent !== ''
+  const ackText = behavior === 'deny'
+    ? '❌ Denied'
+    : (windowGranted ? `✅ Allowed (${scopedMins} min)` : '✅ Allowed once')
+  const htmlLabel = behavior === 'deny'
+    ? '❌ <b>Denied</b>'
+    : (windowGranted
+        ? `✅ <b>Allowed — won't ask again about ${escapeHtmlForTg(timeBox!.breadth)} for ${scopedMins} min</b>`
+        : '✅ <b>Allowed once</b>')
   // HTML-escape the source text — same hazard as the scope-commit and
   // recent-denial paths above. The permission card body
   // (formatPermissionCardBody) appends claude-supplied `description`
@@ -19396,10 +19371,12 @@ bot.on('callback_query:data', async ctx => {
   // permission was already broadcast. Routing through finalizeCallback
   // strips the keyboard atomically with the status-line edit.
   await finalizeCallback(ctx, {
-    ackText: label,
-    newText: baseText ? `${baseText}\n\n${label}` : label,
+    ackText: ackText.slice(0, 200),
+    newText: baseText ? `${baseText}\n\n${htmlLabel}` : htmlLabel,
     parseMode: 'HTML',
     synthInbound: () => {
+      // No `rule` → the bridge does NOT cache this (truly once on the bridge);
+      // any 30-min stickiness lives only in scopedGrants (recorded above).
       dispatchPermissionVerdict({
         type: 'permission',
         requestId: request_id,

package/telegram-plugin/scoped-approval.ts

@@ -1,9 +1,13 @@
 /**
- * Scoped, time-boxed approval — the "⏱ 30 min" tier, the middle rung
- * between "✅ Allow once" (re-prompts on the very next call) and
- * "🔁 Always…" (a durable `tools.allow` write that lasts forever). After
- * the operator taps "⏱ 30 min" on a permission card, byte-identical
- * in-scope requests auto-allow for a fixed window without re-carding.
+ * Scoped, time-boxed approval — the default behavior of the "✅ Allow" tap
+ * for a NARROW, non-destructive scope. Tapping Allow on such a request
+ * auto-grants a fixed window so byte-identical in-scope requests auto-allow
+ * without re-carding (killing tap-fatigue on re-edits / re-runs). Broad /
+ * MCP / destructive scopes get no window — Allow stays truly once for them.
+ * "🔁 Always…" remains the separate durable (`tools.allow`, forever) tier.
+ * There is deliberately no separate time-box button: the window IS what
+ * "Allow" means for a narrow safe scope, disclosed honestly on the post-tap
+ * card ("won't ask again about <breadth> for 30 min" vs "allowed once").
  *
  * Design contract (reference/access-model.md — "you hold the leash"):
  *
@@ -21,14 +25,13 @@
  *  - **Conservative scope (this tier, v1).** Only the *narrow* scope is
  *    ever time-boxed: an exact file path (`Edit(/x.ts)`) or a Bash
  *    command-family (`Bash(git:*)`). Broad scopes ("any file", resource-
- *    blind MCP, "any command") are NOT offered the ⏱ button — they stay
- *    once / always. This covers the real fatigue (re-editing the same
+ *    blind MCP, "any command") get NO window — Allow stays truly once for them. This covers the real fatigue (re-editing the same
  *    file, re-running a safe command) without fanning one tap across an
  *    unbounded action set.
  *  - **Fail-closed on irreversible.** A Bash family grant (`Bash(git:*)`)
  *    must never auto-allow a destructive member of that family
  *    (`git push --force`, `git reset --hard`). `isDestructiveBashCommand`
- *    is re-checked at BOTH grant time (don't offer ⏱) and match time
+ *    is re-checked at BOTH grant time (no window granted) and match time
  *    (a cached family grant fails closed → re-cards) so per-call consent
  *    for irreversible actions is preserved.
  *
@@ -45,8 +48,8 @@ export const SCOPED_APPROVAL_DEFAULT_TTL_MS = 30 * 60 * 1000;
 
 /**
  * Resolve the configured window from the environment. `0` (or negative)
- * disables the tier — the gateway hides the ⏱ button and never
- * short-circuits. A blank/garbage value falls back to the 30-min default.
+ * disables the window — Allow becomes truly once for every scope and the
+ * gateway never short-circuits. A blank/garbage value falls back to the 30-min default.
  * Kill-switch: `SWITCHROOM_SCOPED_APPROVAL_TTL_MS=0`.
  */
 export function scopedApprovalTtlMs(
@@ -84,7 +87,7 @@ const BASH_FAMILY_RULE = /^Bash\(([^:]+):\*\)$/;
  * Conservative time-box eligibility. Given the already-resolved scope
  * choices for a permission request, return the NARROW rule to time-box
  * plus an honest breadth phrase — or `null` when this request must not
- * get a ⏱ button (broad-only tools, MCP, Skill, a destructive Bash
+ * get a window (broad-only tools, MCP, Skill, a destructive Bash
  * command, or any tool with no narrow sub-scope).
  *
  *  - File tools with an exact path → time-boxable (bounded to the one

package/telegram-plugin/tests/scoped-approval.test.ts

@@ -1,5 +1,5 @@
 /**
- * Tests for the "⏱ 30 min" scoped-approval tier (scoped-approval.ts) —
+ * Tests for scoped-approval.ts — the 30-min window backing the "Allow" tap
  * the middle rung between "Allow once" and "🔁 Always".
  *
  * These pin the access-model invariants the adversarial review flagged as
@@ -233,7 +233,7 @@ describe('isDestructiveBashCommand — fail-closed denylist', () => {
     recordScopedGrant(store, 'clerk', 'Bash(git:*)', T0, TTL)
     // first token is the harmless `git`, but the backtick hides `rm -rf`
     expect(lookupScopedGrant(store, 'clerk', 'Bash', bashInput('git status `rm -rf /important`'), T0 + 1)).toBeNull()
-    // and the request never gets offered the ⏱ button at grant time either
+    // and the request never gets a window at grant time either
     expect(timeBoxRule('Bash', bashInput('git status `rm -rf x`'))).toBeNull()
   })