switchroom 0.15.19 → 0.15.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.15.19",
+  "version": "0.15.20",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/profiles/_shared/agent-self-service.md.hbs

@@ -38,22 +38,31 @@ tools is to let you do the edit yourself.
   derived from the entry content is assigned.
 
   **Mind the cost — pick the cheapest tier that does the job:**
-  - *Default (no `model`)* — the fire runs as a **full turn in your live
-    session**: your model, your whole context + memory. Right for work that
-    genuinely needs *you* (your persona, your conversation history). Costly for
-    routine checks — every fire pays your full context.
-  - *`model: "sonnet"`* (or `context: "fresh"`) — routes the fire to a **cheap,
-    minimal-context cron session** (Tier 1): a fresh Sonnet with just the
-    prompt, no heavy context. Use for light, self-contained recurring work
-    (summarise a feed, format a digest) where you don't need your memory. Much
-    cheaper per fire. *(Honoured only when the operator has enabled cheap-cron;
-    otherwise it still runs as a normal turn — never silently dropped.)*
+  - *Default (no `model`)* — a **frequent** cron (every ≤60min) is auto-routed
+    to a **cheap, minimal-context cron session** (Tier 1: a fresh Sonnet that
+    still shares your memory + tools but drops your accumulated conversation
+    context). A **daily/weekly** cron defaults to a **full turn in your live
+    session** (Tier 2: your model, your whole context). So routine frequent
+    checks are already cheap without you doing anything.
+  - *`model: "sonnet"` / `context: "fresh"`* — force the cheap Tier-1 session
+    even for a **daily/weekly** self-contained job (summarise a feed, format a
+    digest) — overrides the cadence default. *`context: "agent"`* does the
+    opposite: pins a fire to your full live session when it genuinely needs your
+    accumulated conversation context (this always wins).
+  - *"Post/send a FIXED thing on a schedule"* (a set reminder message, a webhook
+    ping — text fully determined, no thinking) — ask the **operator** for a
+    **`kind: action`**: it runs **model-free, zero tokens** (no session at all),
+    posting your fixed/templated text or firing a fixed request. The cheapest
+    tier there is.
   - *"Only act when X changes"* — don't poll with a frequent prompt cron (every
-    fire is a wasted turn when nothing changed). Ask the **operator** to set up
-    a **poll** (model-free check, e.g. a webpage/API via `kind: poll`) or, for
-    reaction-triggered work, **`reaction_dispatch`** (an emoji reaction wakes
-    you instantly — zero polling). These need an operator config commit
-    (egress/identity gates), so request them rather than authoring them yourself.
+    fire is a wasted turn when nothing changed). Ask the **operator** for a
+    **`kind: poll`** (model-free check, e.g. a webpage/API — only a *change*
+    wakes you) or, for reaction-triggered work, **`reaction_dispatch`** (an
+    emoji reaction wakes you instantly — zero polling).
+  - `kind: action` / `kind: poll` / `reaction_dispatch` need an operator config
+    commit (egress / identity gates), so **request** them rather than authoring
+    them yourself — you can only self-author plain prompt crons (plus the
+    `model`/`context` tier hints).
 
 - **`schedule_remove(name | cron_hash)`** — delete by `name` (the slug from
   add) or by 12-hex `cron_hash` (shown in `cron_list` output). Both

package/telegram-plugin/dist/gateway/gateway.js

@@ -43177,6 +43177,7 @@ function switchroomHelpText(agentName3) {
     `<code>/update</code> \u2014 dry-run plan; <code>/update apply</code> \u2014 actually pull images, reconcile, restart`,
     `<code>/restart [name|all]</code> \u2014 bounce agent (drains in-flight turn by default)`,
     `<code>/version</code> \u2014 show versions + running agent health summary`,
+    `<code>/whoami</code> \u2014 this agent's sandbox: tools, MCP, vault key-names, powers`,
     ``,
     `<b>Auth &amp; config</b>`,
     `<code>/auth</code> \u2014 auth status or actions`,
@@ -53646,6 +53647,15 @@ function readBashCommand(inputPreview) {
   }
 }
 
+// gateway/grant-restart.ts
+function grantRestartDecision(opts) {
+  if ((opts.killSwitch ?? "") === "0")
+    return "disabled";
+  if (!opts.selfAgent || opts.selfAgent !== opts.agentName)
+    return "disabled";
+  return opts.turnInFlight ? "deferred" : "now";
+}
+
 // permission-diff.ts
 var TARGET_HEADER_A = "--- a/switchroom.yaml";
 var TARGET_HEADER_B = "+++ b/switchroom.yaml";
@@ -54317,11 +54327,11 @@ function readTurnActiveMarkerAgeMs(stateDir, now) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.15.19";
-var COMMIT_SHA = "3f40c6f9";
-var COMMIT_DATE = "2026-06-14T00:06:47Z";
-var LATEST_PR = 2337;
-var COMMITS_AHEAD_OF_TAG = 0;
+var VERSION = "0.15.20";
+var COMMIT_SHA = "0b63ab9e";
+var COMMIT_DATE = "2026-06-14T10:58:14+10:00";
+var LATEST_PR = null;
+var COMMITS_AHEAD_OF_TAG = 5;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -61772,6 +61782,26 @@ async function sweepBeforeSelfRestart() {
 `);
   }
 }
+function scheduleGrantRestart(agentName3, chatId, threadId, reason) {
+  const decision = grantRestartDecision({
+    killSwitch: process.env.SWITCHROOM_AUTORESTART_ON_GRANT,
+    selfAgent: process.env.SWITCHROOM_AGENT_NAME,
+    agentName: agentName3,
+    turnInFlight: turnInFlightForGate()
+  });
+  if (decision === "disabled")
+    return decision;
+  if (chatId != null) {
+    writeRestartMarker({ chat_id: String(chatId), thread_id: threadId ?? null, ack_message_id: null, ts: Date.now() });
+  }
+  stampUserRestartReason(reason);
+  if (decision === "deferred") {
+    pendingRestarts.set(agentName3, Date.now());
+  } else {
+    sweepBeforeSelfRestart().finally(() => triggerSelfRestart(agentName3, reason, 1500));
+  }
+  return decision;
+}
 function formatAuthOutputForTelegram(output) {
   const trimmed = stripAnsi2(output).trim();
   const url = trimmed.match(/https:\/\/\S+/)?.[0] ?? null;
@@ -65051,6 +65081,56 @@ bot.command("version", async (ctx) => {
 ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: true });
   }
 });
+bot.command("whoami", async (ctx) => {
+  if (!isAuthorizedSender(ctx))
+    return;
+  try {
+    let raw;
+    try {
+      raw = switchroomExecCombined(["config", "whoami"], 1e4);
+    } catch (err) {
+      raw = err.stdout ?? err.message ?? "whoami failed";
+    }
+    const trimmed = stripAnsi2(raw).trim();
+    let card;
+    try {
+      card = formatWhoamiCard(JSON.parse(trimmed.split(`
+`).pop() ?? trimmed));
+    } catch {
+      card = preBlock(formatSwitchroomOutput(trimmed || "whoami: no output"));
+    }
+    await switchroomReply(ctx, card, { html: true });
+  } catch (err) {
+    await switchroomReply(ctx, `<b>whoami failed:</b>
+${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: true });
+  }
+});
+function formatWhoamiCard(v) {
+  const esc = escapeHtmlForTg;
+  const yn = (b) => b ? "\u2713" : "\u2717";
+  const lines = [];
+  lines.push(`\uD83D\uDC64 <b>${esc(v.name ?? "?")}</b> \xB7 ${esc(v.tier ?? "standard")}`);
+  if (v.persona)
+    lines.push(esc(v.persona));
+  if (v.model)
+    lines.push(`Model: ${esc(v.model)}`);
+  const allow = v.tools?.allow ?? [];
+  lines.push(`Tools: ${allow.length ? esc(allow.slice(0, 8).join(", ")) + (allow.length > 8 ? ` \u2026(+${allow.length - 8})` : "") : "\u2014"}`);
+  if ((v.tools?.deny ?? []).length)
+    lines.push(`Denied: ${esc(v.tools.deny.join(", "))}`);
+  if ((v.mcpServers ?? []).length)
+    lines.push(`MCP: ${esc(v.mcpServers.join(", "))}`);
+  if ((v.skills ?? []).length)
+    lines.push(`Skills: ${esc(v.skills.join(", "))}`);
+  if ((v.vault ?? []).length) {
+    lines.push(`Vault keys (names only): ${v.vault.map((k) => `${esc(k.key)} ${yn(k.readable)}`).join(", ")}`);
+  }
+  const p = v.powers ?? {};
+  lines.push(`Powers: admin ${yn(p.admin)} \xB7 root ${yn(p.root)} \xB7 config-edit ${yn(p.configEdit)} \xB7 cross-agent verbs ${yn(p.crossAgentHostVerbs)}`);
+  lines.push(`Schedule: ${v.scheduleCount ?? 0} cron \xB7 Memory: ${esc(v.memoryBackend ?? "none")}`);
+  return lines.join(`
+`);
+}
 bot.command("commands", async (ctx) => {
   if (!isAuthorizedSender(ctx))
     return;
@@ -65515,10 +65595,12 @@ ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: tr
     }
     const ok = durable;
     const legacyNote = legacy && durable;
-    const ackText2 = ok ? legacyNote ? `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking (legacy path).` : `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking.` : editLockHint ? `\u26A0\uFE0F Allowed for now \u2014 config edits are locked. Enable hostd.config_edit_enabled.` : `\u26A0\uFE0F Allowed for now, but "always" did NOT save \u2014 it will ask again after restart. Check gateway log.`;
+    const restartScheduled = ok && !legacy && scheduleGrantRestart(agentName3, ctx.chat?.id, ctx.callbackQuery?.message?.message_thread_id, `always-allow: ${grantPhrase}`) !== "disabled";
+    const liveSuffix = restartScheduled ? " \u2014 applying now (restarting to take effect)" : "";
+    const ackText2 = ok ? legacyNote ? `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking (legacy path).` : `\u2705 Saved. ${agentName3} can now ${grantPhrase} without asking.${liveSuffix}` : editLockHint ? `\u26A0\uFE0F Allowed for now \u2014 config edits are locked. Enable hostd.config_edit_enabled.` : `\u26A0\uFE0F Allowed for now, but "always" did NOT save \u2014 it will ask again after restart. Check gateway log.`;
     const sourceMsg = ctx.callbackQuery?.message;
     const baseText2 = sourceMsg && "text" in sourceMsg && sourceMsg.text ? escapeHtmlForTg(sourceMsg.text) : "";
-    const editLabel = ok ? legacyNote ? `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking (legacy path); restart agent for full effect` : `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking; restart agent for full effect` : editLockHint ? `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> Config edits are locked; enable <code>hostd.config_edit_enabled</code>.` : `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> It will ask again after restart. Check gateway log.`;
+    const editLabel = ok ? legacyNote ? `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking (legacy path); restart agent for full effect` : restartScheduled ? `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking \u2014 applying now (restarting to take effect).` : `\u2705 <b>${escapeHtmlForTg(agentName3)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking; restart agent for full effect` : editLockHint ? `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> Config edits are locked; enable <code>hostd.config_edit_enabled</code>.` : `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> It will ask again after restart. Check gateway log.`;
     await finalizeCallback(ctx, {
       ackText: ackText2.slice(0, 200),
       newText: baseText2 ? `${baseText2}

package/telegram-plugin/gateway/gateway.ts

@@ -438,6 +438,7 @@ import {
   lookupScopedGrant,
   sweepScopedGrants,
 } from '../scoped-approval.js'
+import { grantRestartDecision, type GrantRestartDecision } from './grant-restart.js'
 import { synthesizeAllowRuleDiff, extractAddedAllowRule } from '../permission-diff.js'
 import {
   readClaudeJsonOverage,
@@ -13401,6 +13402,54 @@ async function sweepBeforeSelfRestart(): Promise<void> {
   }
 }
 
+/**
+ * Schedule a marker-safe, turn-deferred SELF-restart so a just-persisted
+ * config change ACTUALLY takes effect. claude loads tools / MCP servers /
+ * settings at process start, so a durable "Always allow" write is inert in
+ * the running session until the next restart — the old "restart agent for
+ * full effect" text asked the operator to do this by hand, and most never
+ * did (so the grant didn't stick and the same prompt reappeared). This
+ * completes the flow the operator already approved.
+ *
+ * CALLER-AGENT ONLY (an "Always allow" edits the calling agent's own
+ * `agents.<self>.tools.allow`, a provably single-agent blast radius). The
+ * restart fires when the CURRENT turn completes (via `pendingRestarts`),
+ * never mid-turn — so the operator-approved action finishes first. If no
+ * turn is in flight, it fires immediately after a short drain delay. A
+ * marker is written first so the post-restart greeting lands in the chat
+ * the operator tapped. Kill-switch: `SWITCHROOM_AUTORESTART_ON_GRANT=0`.
+ *
+ * Returns 'disabled' | 'deferred' | 'now'.
+ */
+function scheduleGrantRestart(
+  agentName: string,
+  chatId: string | number | undefined,
+  threadId: number | undefined,
+  reason: string,
+): GrantRestartDecision {
+  const decision = grantRestartDecision({
+    killSwitch: process.env.SWITCHROOM_AUTORESTART_ON_GRANT,
+    selfAgent: process.env.SWITCHROOM_AGENT_NAME,
+    agentName,
+    turnInFlight: turnInFlightForGate(),
+  })
+  if (decision === "disabled") return decision
+  // Marker first → the post-restart greeting lands in the chat the operator
+  // tapped, not the default operator DM.
+  if (chatId != null) {
+    writeRestartMarker({ chat_id: String(chatId), thread_id: threadId ?? null, ack_message_id: null, ts: Date.now() })
+  }
+  stampUserRestartReason(reason)
+  if (decision === "deferred") {
+    pendingRestarts.set(agentName, Date.now()) // fires at turn-complete (marker-safe)
+  } else {
+    // No turn to drain — restart now, after a short delay so this callback's
+    // card edit flushes first.
+    void sweepBeforeSelfRestart().finally(() => triggerSelfRestart(agentName, reason, 1500))
+  }
+  return decision
+}
+
 /**
  * Shape the `switchroom auth ...` CLI stdout into a Telegram-friendly
  * HTML block. Returns the body text AND the OAuth authorize URL (if
@@ -18622,6 +18671,55 @@ bot.command('version', async ctx => {
 })
 
 
+// /whoami — the operator's view of THIS agent's sandbox (the same
+// `config whoami` the agent itself can call as an MCP tool, and the host CLI
+// exposes). Read-only, isAuthorizedSender-gated like /version — surfaces
+// tools / MCP / vault key-NAMES (never values) / powers so the operator can
+// see at a glance what this agent is authorized for.
+bot.command('whoami', async ctx => {
+  if (!isAuthorizedSender(ctx)) return
+  try {
+    let raw: string
+    try { raw = switchroomExecCombined(['config', 'whoami'], 10000) }
+    catch (err: unknown) { raw = (err as any).stdout ?? (err as any).message ?? 'whoami failed' }
+    const trimmed = stripAnsi(raw).trim()
+    let card: string
+    try { card = formatWhoamiCard(JSON.parse(trimmed.split('\n').pop() ?? trimmed)) }
+    catch { card = preBlock(formatSwitchroomOutput(trimmed || 'whoami: no output')) }
+    await switchroomReply(ctx, card, { html: true })
+  } catch (err: unknown) {
+    await switchroomReply(ctx, `<b>whoami failed:</b>\n${preBlock(formatSwitchroomOutput((err as any).message ?? 'unknown error'))}`, { html: true })
+  }
+})
+
+/** Compact HTML card from the `config whoami` JSON view. Names/booleans only. */
+function formatWhoamiCard(v: {
+  name?: string; persona?: string | null; model?: string | null; tier?: string;
+  tools?: { allow?: string[]; deny?: string[] }; mcpServers?: string[]; skills?: string[];
+  vault?: { key: string; readable: boolean }[];
+  powers?: { admin?: boolean; root?: boolean; configEdit?: boolean; crossAgentHostVerbs?: boolean };
+  scheduleCount?: number; memoryBackend?: string | null;
+}): string {
+  const esc = escapeHtmlForTg
+  const yn = (b?: boolean) => (b ? '✓' : '✗')
+  const lines: string[] = []
+  lines.push(`👤 <b>${esc(v.name ?? '?')}</b> · ${esc(v.tier ?? 'standard')}`)
+  if (v.persona) lines.push(esc(v.persona))
+  if (v.model) lines.push(`Model: ${esc(v.model)}`)
+  const allow = v.tools?.allow ?? []
+  lines.push(`Tools: ${allow.length ? esc(allow.slice(0, 8).join(', ')) + (allow.length > 8 ? ` …(+${allow.length - 8})` : '') : '—'}`)
+  if ((v.tools?.deny ?? []).length) lines.push(`Denied: ${esc((v.tools!.deny!).join(', '))}`)
+  if ((v.mcpServers ?? []).length) lines.push(`MCP: ${esc(v.mcpServers!.join(', '))}`)
+  if ((v.skills ?? []).length) lines.push(`Skills: ${esc(v.skills!.join(', '))}`)
+  if ((v.vault ?? []).length) {
+    lines.push(`Vault keys (names only): ${v.vault!.map(k => `${esc(k.key)} ${yn(k.readable)}`).join(', ')}`)
+  }
+  const p = v.powers ?? {}
+  lines.push(`Powers: admin ${yn(p.admin)} · root ${yn(p.root)} · config-edit ${yn(p.configEdit)} · cross-agent verbs ${yn(p.crossAgentHostVerbs)}`)
+  lines.push(`Schedule: ${v.scheduleCount ?? 0} cron · Memory: ${esc(v.memoryBackend ?? 'none')}`)
+  return lines.join('\n')
+}
+
 bot.command('commands', async ctx => {
   if (!isAuthorizedSender(ctx)) return
   await switchroomReply(ctx, buildSwitchroomHelpText(getMyAgentName()), { html: true })
@@ -19356,10 +19454,26 @@ bot.on('callback_query:data', async ctx => {
 
     const ok = durable
     const legacyNote = legacy && durable
+    // Make the durable grant LIVE: config_propose_edit's apply already
+    // regenerated the scaffold (settings.json with the new tools.allow), so a
+    // marker-safe, turn-deferred self-restart loads it — no more "restart by
+    // hand" hint that the operator ignores (leaving the grant inert until the
+    // next bounce). Only on the hostd-durable path (scaffold currency assured);
+    // legacy path keeps the manual hint. Self-agent only; kill-switch
+    // SWITCHROOM_AUTORESTART_ON_GRANT=0.
+    const restartScheduled =
+      ok && !legacy &&
+      scheduleGrantRestart(
+        agentName,
+        ctx.chat?.id,
+        (ctx.callbackQuery?.message as { message_thread_id?: number } | undefined)?.message_thread_id,
+        `always-allow: ${grantPhrase}`,
+      ) !== "disabled"
+    const liveSuffix = restartScheduled ? " — applying now (restarting to take effect)" : ""
     const ackText = ok
       ? (legacyNote
           ? `✅ Saved. ${agentName} can now ${grantPhrase} without asking (legacy path).`
-          : `✅ Saved. ${agentName} can now ${grantPhrase} without asking.`)
+          : `✅ Saved. ${agentName} can now ${grantPhrase} without asking.${liveSuffix}`)
       : (editLockHint
           ? `⚠️ Allowed for now — config edits are locked. Enable hostd.config_edit_enabled.`
           : `⚠️ Allowed for now, but "always" did NOT save — it will ask again after restart. Check gateway log.`)
@@ -19376,7 +19490,9 @@ bot.on('callback_query:data', async ctx => {
     const editLabel = ok
       ? (legacyNote
           ? `✅ <b>${escapeHtmlForTg(agentName)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking (legacy path); restart agent for full effect`
-          : `✅ <b>${escapeHtmlForTg(agentName)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking; restart agent for full effect`)
+          : restartScheduled
+            ? `✅ <b>${escapeHtmlForTg(agentName)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking — applying now (restarting to take effect).`
+            : `✅ <b>${escapeHtmlForTg(agentName)} can now ${escapeHtmlForTg(grantPhrase)}</b> without asking; restart agent for full effect`)
       : (editLockHint
           ? `⚠️ <b>Allowed for now — "always" did NOT save.</b> Config edits are locked; enable <code>hostd.config_edit_enabled</code>.`
           : `⚠️ <b>Allowed for now — "always" did NOT save.</b> It will ask again after restart. Check gateway log.`)

package/telegram-plugin/gateway/grant-restart.ts

@@ -0,0 +1,30 @@
+/**
+ * Pure decision for the "make a just-persisted grant LIVE" self-restart
+ * (the side-effecting `scheduleGrantRestart` in gateway.ts wraps this).
+ *
+ * Extracted so the gating — kill-switch, self-agent-only, and
+ * turn-deferred-vs-now — unit-tests without gateway.ts's boot side-effects
+ * (same pattern as scoped-approval.ts / admin-commands/index.ts).
+ *
+ * Contract (reference/access-model.md): the restart only ever follows an
+ * operator-approved, single-agent, additive `tools.allow` edit, and only
+ * ever bounces the CALLER's own agent — never a peer, never fleet-wide.
+ */
+export type GrantRestartDecision = "disabled" | "deferred" | "now";
+
+export function grantRestartDecision(opts: {
+  /** SWITCHROOM_AUTORESTART_ON_GRANT value ("0" disables; default on). */
+  killSwitch: string | undefined;
+  /** The gateway's own agent identity ($SWITCHROOM_AGENT_NAME). */
+  selfAgent: string | undefined;
+  /** The agent whose config was edited (must equal selfAgent — self only). */
+  agentName: string;
+  /** Whether a turn is currently in flight (defer the restart to its end). */
+  turnInFlight: boolean;
+}): GrantRestartDecision {
+  if ((opts.killSwitch ?? "") === "0") return "disabled";
+  // Self-only: an "Always allow" edits agents.<self>.tools.allow. We never
+  // bounce a peer or the fleet from this path.
+  if (!opts.selfAgent || opts.selfAgent !== opts.agentName) return "disabled";
+  return opts.turnInFlight ? "deferred" : "now";
+}

package/telegram-plugin/tests/grant-restart.test.ts

@@ -0,0 +1,38 @@
+/**
+ * Tests for grantRestartDecision — the gating for the "make a just-persisted
+ * grant LIVE" self-restart (item ② config-edit-takes-effect). Pins: kill-switch,
+ * self-agent-only (never a peer/fleet bounce), and turn-deferred-vs-now.
+ */
+
+import { describe, it, expect } from "vitest";
+import { grantRestartDecision } from "../gateway/grant-restart.js";
+
+const base = { killSwitch: undefined, selfAgent: "clerk", agentName: "clerk", turnInFlight: true };
+
+describe("grantRestartDecision", () => {
+  it("defers to turn-complete when a turn is in flight (marker-safe)", () => {
+    expect(grantRestartDecision({ ...base, turnInFlight: true })).toBe("deferred");
+  });
+
+  it("fires now when no turn is in flight", () => {
+    expect(grantRestartDecision({ ...base, turnInFlight: false })).toBe("now");
+  });
+
+  it("is disabled by the kill-switch (SWITCHROOM_AUTORESTART_ON_GRANT=0)", () => {
+    expect(grantRestartDecision({ ...base, killSwitch: "0" })).toBe("disabled");
+  });
+
+  it("default-on for any non-'0' kill-switch value", () => {
+    expect(grantRestartDecision({ ...base, killSwitch: "" })).toBe("deferred");
+    expect(grantRestartDecision({ ...base, killSwitch: "1" })).toBe("deferred");
+  });
+
+  it("NEVER restarts a peer — self-agent only", () => {
+    // edit targets a different agent than the gateway's own identity
+    expect(grantRestartDecision({ ...base, selfAgent: "clerk", agentName: "gymbro" })).toBe("disabled");
+  });
+
+  it("is disabled when self identity is unknown", () => {
+    expect(grantRestartDecision({ ...base, selfAgent: undefined })).toBe("disabled");
+  });
+});

package/telegram-plugin/welcome-text.ts

@@ -270,7 +270,7 @@ export const switchroomHelpCommandNames = [
   "agents", "agentstart", "stop", "restart", "logs", "memory",
   // Auth & config — consolidated onto the `/auth` dashboard.
   "auth", "model",
-  "topics", "update", "version",
+  "topics", "update", "version", "whoami",
   "permissions", "grant", "dangerous", "vault", "doctor",
   "commands",
   // Note: "reconcile" is a deprecated alias still handled as a bot command
@@ -374,6 +374,7 @@ export function switchroomHelpText(agentName: string): string {
     `<code>/update</code> — dry-run plan; <code>/update apply</code> — actually pull images, reconcile, restart`,
     `<code>/restart [name|all]</code> — bounce agent (drains in-flight turn by default)`,
     `<code>/version</code> — show versions + running agent health summary`,
+    `<code>/whoami</code> — this agent's sandbox: tools, MCP, vault key-names, powers`,
     ``,
     `<b>Auth &amp; config</b>`,
     `<code>/auth</code> — auth status or actions`,