switchroom 0.15.24 → 0.15.25

package/dist/cli/switchroom.js

@@ -50477,8 +50477,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.15.24";
-var COMMIT_SHA = "3fce3b89";
+var VERSION = "0.15.25";
+var COMMIT_SHA = "0d066743";
 
 // src/cli/agent.ts
 init_source();
@@ -52885,7 +52885,7 @@ function scaffoldAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchro
   const tools = agentConfig.tools ?? { allow: [], deny: [] };
   const rawAllow = tools.allow ?? [];
   const hasAllWildcard = rawAllow.includes("all");
-  const baseAllow = hasAllWildcard ? ALL_BUILTIN_TOOLS : rawAllow.filter((t) => t !== "all");
+  const baseAllow = hasAllWildcard ? [...ALL_BUILTIN_TOOLS, ...rawAllow.filter((t) => t !== "all")] : rawAllow.filter((t) => t !== "all");
   const dangerousMode = agentConfig.dangerous_mode === true;
   const hadExplicitAllow = rawAllow.length > 0;
   const readOnlyDefaults = !dangerousMode && !hadExplicitAllow ? DEFAULT_READ_ONLY_PREAPPROVED_TOOLS : [];
@@ -53719,7 +53719,7 @@ function reconcileAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchr
   const tools = agentConfig.tools ?? { allow: [], deny: [] };
   const rawAllow = tools.allow ?? [];
   const hasAllWildcard = rawAllow.includes("all");
-  const baseAllow = hasAllWildcard ? ALL_BUILTIN_TOOLS : rawAllow.filter((t) => t !== "all");
+  const baseAllow = hasAllWildcard ? [...ALL_BUILTIN_TOOLS, ...rawAllow.filter((t) => t !== "all")] : rawAllow.filter((t) => t !== "all");
   const reconcileDangerousMode = agentConfig.dangerous_mode === true;
   const reconcileHadExplicitAllow = rawAllow.length > 0;
   const reconcileReadOnlyDefaults = !reconcileDangerousMode && !reconcileHadExplicitAllow ? DEFAULT_READ_ONLY_PREAPPROVED_TOOLS : [];
@@ -82565,6 +82565,7 @@ Applying switchroom config...
     process.exit(6);
   }
   const composePath = options.outPath ?? DEFAULT_COMPOSE_PATH2;
+  const displayComposePath = toHostHomePath(composePath);
   const operatorUid = resolveOperatorUid();
   const { bytes: composeBytes } = await writeComposeFile({
     config,
@@ -82575,11 +82576,11 @@ Applying switchroom config...
     buildContext: options.buildContext
   });
   writeOut(source_default.bold(`
-Wrote `) + composePath + source_default.gray(` (${composeBytes} bytes)
+Wrote `) + displayComposePath + source_default.gray(` (${composeBytes} bytes)
 `));
   writeOut(`Bring the fleet up with:
-` + `  docker compose -p ${COMPOSE_PROJECT2} -f ${composePath} pull && \\
-` + `    docker compose -p ${COMPOSE_PROJECT2} -f ${composePath} up -d --remove-orphans
+` + `  docker compose -p ${COMPOSE_PROJECT2} -f ${displayComposePath} pull && \\
+` + `    docker compose -p ${COMPOSE_PROJECT2} -f ${displayComposePath} up -d --remove-orphans
 `);
   writeOut(source_default.gray(`  (If pull returns 401, login to ghcr.io first: see docs/operators/install.md#ghcr-auth)
 `));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.15.24",
+  "version": "0.15.25",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -53639,7 +53639,11 @@ function scopedApprovalTtlMs(env = process.env) {
 }
 var FILE_RULE = /^(Edit|Write|MultiEdit|NotebookEdit|Read)\((.+)\)$/;
 var BASH_FAMILY_RULE = /^Bash\(([^:]+):\*\)$/;
+var READ_ONLY_WHOLE_TOOLS = new Set(["Grep", "Glob"]);
 function resolveTimeBox(toolName, inputPreview, choices) {
+  if (READ_ONLY_WHOLE_TOOLS.has(toolName) && choices?.broad) {
+    return { rule: choices.broad.rule, breadth: `any ${toolName}` };
+  }
   const specific = choices?.specific;
   if (!specific || specific.broad)
     return null;
@@ -54420,10 +54424,10 @@ function readTurnActiveMarkerAgeMs(stateDir, now) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.15.24";
-var COMMIT_SHA = "3fce3b89";
-var COMMIT_DATE = "2026-06-14T21:03:53Z";
-var LATEST_PR = 2354;
+var VERSION = "0.15.25";
+var COMMIT_SHA = "0d066743";
+var COMMIT_DATE = "2026-06-15T02:15:36Z";
+var LATEST_PR = 2359;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts

package/telegram-plugin/scoped-approval.ts

@@ -83,6 +83,16 @@ export interface TimeBoxDecision {
 const FILE_RULE = /^(Edit|Write|MultiEdit|NotebookEdit|Read)\((.+)\)$/;
 const BASH_FAMILY_RULE = /^Bash\(([^:]+):\*\)$/;
 
+// Read-only whole-tool inspection tools. permission-rule.ts classifies these
+// as BROAD_ONLY (no meaningful path sub-scope — Grep/Glob match a pattern
+// across files), so they only ever offer a broad "any Grep/Glob" grant. They
+// are READ-ONLY — they cannot mutate anything — so time-boxing that broad grant
+// is low-risk and is exactly the dominant "stop re-asking for the same
+// low-risk inspection" case (e.g. grepping a file with several regexes). This
+// deliberately EXCLUDES WebFetch/WebSearch (also BROAD_ONLY): network egress is
+// a different risk class, and webkite denies them anyway.
+const READ_ONLY_WHOLE_TOOLS = new Set(["Grep", "Glob"]);
+
 /**
  * Conservative time-box eligibility. Given the already-resolved scope
  * choices for a permission request, return the NARROW rule to time-box
@@ -96,12 +106,24 @@ const BASH_FAMILY_RULE = /^Bash\(([^:]+):\*\)$/;
  *    triggering command itself is non-destructive. The family grant
  *    still covers the whole `<tok>` family for matching, but match-time
  *    re-checks each later command (see `lookupScopedGrant`).
+ *  - Read-only whole-tool inspection (Grep/Glob) → time-boxable on the
+ *    broad grant: no sub-scope exists, but they cannot mutate anything, so
+ *    "any Grep for 30 min" is the safe, dominant low-risk-repeat case.
  */
 export function resolveTimeBox(
   toolName: string,
   inputPreview: string | undefined,
   choices: ScopedAllowChoices | null,
 ): TimeBoxDecision | null {
+  // Read-only whole-tool inspection (Grep/Glob) has no narrow sub-scope, only
+  // a broad grant — but it is read-only, so the broad grant is safe to
+  // time-box and is the dominant low-risk-repeat case. A stored bare-tool
+  // rule ("Grep") matches every later Grep call (matchesAllowRule: rule ===
+  // toolName), so different regexes/paths all dedup for the window.
+  if (READ_ONLY_WHOLE_TOOLS.has(toolName) && choices?.broad) {
+    return { rule: choices.broad.rule, breadth: `any ${toolName}` };
+  }
+
   // Only ever time-box the narrow scope, and only when one exists.
   const specific = choices?.specific;
   if (!specific || specific.broad) return null;

package/telegram-plugin/tests/scoped-approval.test.ts

@@ -100,6 +100,26 @@ describe('resolveTimeBox — conservative eligibility', () => {
     expect(timeBoxRule('Skill', JSON.stringify({ skill: 'deep-research' }))).toBeNull()
     expect(timeBoxRule('TotallyUnknown', '{}')).toBeNull()
   })
+
+  it('time-boxes read-only whole-tool inspection (Grep/Glob) on the broad grant', () => {
+    // No narrow sub-scope exists (BROAD_ONLY), but they are read-only — so the
+    // broad grant is safe to time-box. This is the dominant "stop re-asking for
+    // the same low-risk inspection" case the operator wants.
+    expect(timeBoxRule('Grep', JSON.stringify({ pattern: 'foo', path: '/state/x.ts' }))).toBe('Grep')
+    expect(timeBoxRule('Glob', JSON.stringify({ pattern: '**/*.ts' }))).toBe('Glob')
+  })
+
+  it('honest breadth for the read-only whole-tool window', () => {
+    const choices = resolveScopedAllowChoices('Grep', JSON.stringify({ pattern: 'foo' }))
+    expect(resolveTimeBox('Grep', JSON.stringify({ pattern: 'foo' }), choices)?.breadth).toBe('any Grep')
+  })
+
+  it('still does NOT time-box network-egress broad-only tools (WebFetch/WebSearch)', () => {
+    // Read-only-of-the-filesystem is the bar; network egress is a different
+    // risk class and is excluded on purpose (also denied via webkite).
+    expect(timeBoxRule('WebFetch', JSON.stringify({ url: 'https://x' }))).toBeNull()
+    expect(timeBoxRule('WebSearch', JSON.stringify({ query: 'x' }))).toBeNull()
+  })
 })
 
 describe('lookupScopedGrant — no seed, no extend, fail closed', () => {
@@ -121,6 +141,19 @@ describe('lookupScopedGrant — no seed, no extend, fail closed', () => {
     expect(lookupScopedGrant(store, 'clerk', 'Edit', editInput('/state/y.ts'), T0 + 1)).toBeNull()
   })
 
+  it('a Grep grant dedups later Greps with DIFFERENT regexes (the spam case)', () => {
+    // Operator taps ✅ Allow on the first Grep → whole-tool window. The agent
+    // then greps the same file with 2 more regexes — both auto-allow, no
+    // re-prompt, for the life of the window.
+    const store: ScopedGrantStore = new Map()
+    const t = resolveTimeBox('Grep', JSON.stringify({ pattern: 'foo' }), resolveScopedAllowChoices('Grep', JSON.stringify({ pattern: 'foo' })))
+    recordScopedGrant(store, 'clerk', t!.rule, T0, TTL)
+    expect(lookupScopedGrant(store, 'clerk', 'Grep', JSON.stringify({ pattern: 'bar' }), T0 + 1_000)).toBe('Grep')
+    expect(lookupScopedGrant(store, 'clerk', 'Grep', JSON.stringify({ pattern: 'baz', path: '/state/other.ts' }), T0 + 2_000)).toBe('Grep')
+    // …and it still fails closed after the window.
+    expect(lookupScopedGrant(store, 'clerk', 'Grep', JSON.stringify({ pattern: 'bar' }), T0 + TTL)).toBeNull()
+  })
+
   it('FIXED window — a matching call never extends expiresAt', () => {
     const store: ScopedGrantStore = new Map()
     recordScopedGrant(store, 'clerk', 'Edit(/state/x.ts)', T0, TTL)