switchroom 0.15.25 → 0.15.27

package/dist/host-control/main.js

@@ -15013,6 +15013,13 @@ function validateAllCronTopicAliases(config, filePath) {
     throw new ConfigError(`Cron \`topic:\` alias references unknown topic_aliases in ${filePath}`, issues);
   }
 }
+function resolveAgentsDir(config) {
+  const override = process.env.SWITCHROOM_AGENTS_DIR;
+  if (override && override.length > 0 && override.startsWith("/")) {
+    return override;
+  }
+  return resolveDualPath(config.switchroom.agents_dir);
+}
 
 // src/agents/compose.ts
 import { createHash } from "node:crypto";
@@ -15045,7 +15052,7 @@ var BIND_MOUNT_EXACT_SOURCE_DENY = new Set(["/var/run/docker.sock"]);
 
 // src/host-control/server.ts
 import { createServer } from "node:net";
-import { spawn, spawnSync as spawnSync2 } from "node:child_process";
+import { spawn as spawn2, spawnSync as spawnSync3 } from "node:child_process";
 import { mkdir, chmod, chown, unlink, appendFile } from "node:fs/promises";
 import {
   readdirSync as readdirSync2,
@@ -15148,6 +15155,20 @@ var DoctorRequestSchema = exports_external.object({
   op: exports_external.literal("doctor"),
   args: exports_external.object({}).optional()
 });
+var AgentStatusRequestSchema = exports_external.object({
+  ...RequestEnvelope,
+  op: exports_external.literal("agent_status"),
+  args: exports_external.object({
+    name: AgentNameSchema.optional()
+  })
+});
+var AgentScheduleRequestSchema = exports_external.object({
+  ...RequestEnvelope,
+  op: exports_external.literal("agent_schedule"),
+  args: exports_external.object({
+    name: AgentNameSchema.optional()
+  })
+});
 var AgentSmokeRequestSchema = exports_external.object({
   ...RequestEnvelope,
   op: exports_external.literal("agent_smoke"),
@@ -15178,6 +15199,8 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   AgentExecRequestSchema,
   DoctorRequestSchema,
   AgentSmokeRequestSchema,
+  AgentStatusRequestSchema,
+  AgentScheduleRequestSchema,
   ConfigProposeEditRequestSchema
 ]);
 var ResultSchema = exports_external.enum(["started", "completed", "denied", "error"]);
@@ -15240,6 +15263,7 @@ var ResponseEnvelope = {
   audit_id: exports_external.string().min(1).optional(),
   stdout_tail: exports_external.string().optional(),
   stderr_tail: exports_external.string().optional(),
+  payload: exports_external.string().optional(),
   error: exports_external.string().optional(),
   error_envelope: ErrorEnvelopeSchema.optional()
 };
@@ -20896,12 +20920,148 @@ function classifyBlastRadius(beforeYaml, afterYaml) {
   };
 }
 
+// src/agents/lifecycle.ts
+import { execFileSync, spawn, spawnSync as spawnSync2 } from "node:child_process";
+
+// src/agents/tmux.ts
+var MAX_BYTES = 10 * 1024 * 1024;
+
+// src/agents/lifecycle.ts
+function containerName(name) {
+  return `switchroom-${name}`;
+}
+function getAllAgentStatuses(config) {
+  const agentNames = Object.keys(config.agents);
+  const statuses = {};
+  if (agentNames.length === 0)
+    return statuses;
+  const cnByAgent = new Map;
+  const agentByCn = new Map;
+  for (const a of agentNames) {
+    const cn = containerName(a);
+    cnByAgent.set(a, cn);
+    agentByCn.set(cn, a);
+    statuses[a] = { active: "inactive", uptime: null, memory: null, pid: null };
+  }
+  const insp = spawnSync2("docker", [
+    "inspect",
+    "--format",
+    "{{.Name}}|{{.State.Status}}|{{.State.StartedAt}}|{{.State.Pid}}",
+    ...cnByAgent.values()
+  ], { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], timeout: 15000 });
+  for (const line of (insp.stdout ?? "").split(`
+`)) {
+    const t = line.trim();
+    if (!t)
+      continue;
+    const [rawName, status, startedAt, pidStr] = t.split("|");
+    const cn = (rawName ?? "").replace(/^\//, "");
+    const agent = agentByCn.get(cn);
+    if (!agent)
+      continue;
+    const pidNum = parseInt(pidStr ?? "", 10);
+    statuses[agent] = {
+      active: status === "running" ? "active" : status || "inactive",
+      uptime: startedAt && startedAt !== "0001-01-01T00:00:00Z" ? startedAt : null,
+      memory: null,
+      pid: Number.isFinite(pidNum) && pidNum > 0 ? pidNum : null
+    };
+  }
+  const stats = spawnSync2("docker", ["stats", "--no-stream", "--format", "{{.Name}}|{{.MemUsage}}"], { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], timeout: 15000 });
+  if (stats.status === 0) {
+    for (const line of (stats.stdout ?? "").split(`
+`)) {
+      const t = line.trim();
+      if (!t)
+        continue;
+      const [cn, memUsage] = t.split("|");
+      const agent = cn ? agentByCn.get(cn) : undefined;
+      if (!agent || statuses[agent].active !== "active")
+        continue;
+      const first = (memUsage ?? "").split("/")[0]?.trim();
+      if (!first)
+        continue;
+      const m = first.match(/([\d.]+)\s*([KMG]i?B)/i);
+      if (m) {
+        const val = parseFloat(m[1]);
+        const unit = m[2].toUpperCase();
+        let mb = val;
+        if (unit.startsWith("K"))
+          mb = val / 1024;
+        else if (unit.startsWith("G"))
+          mb = val * 1024;
+        statuses[agent].memory = `${Math.round(mb)}MB`;
+      } else {
+        statuses[agent].memory = first;
+      }
+    }
+  }
+  return statuses;
+}
+
+// src/scheduler/dispatch.ts
+import { createHash as createHash4 } from "node:crypto";
+function collectScheduleEntries(config) {
+  const out = [];
+  const agentNames = Object.keys(config.agents).sort();
+  for (const agent of agentNames) {
+    const raw = config.agents[agent];
+    if (!raw)
+      continue;
+    const resolved = resolveAgentConfig(config.defaults, config.profiles, raw);
+    const schedule = resolved.schedule ?? [];
+    for (let i = 0;i < schedule.length; i++) {
+      const entry = schedule[i];
+      const auditMaterial = entry.prompt ?? `action:${JSON.stringify(entry.action ?? {})}`;
+      out.push({
+        agent,
+        scheduleIndex: i,
+        cron: entry.cron,
+        ...entry.prompt !== undefined ? { prompt: entry.prompt } : {},
+        promptKey: createHash4("sha256").update(auditMaterial).digest("hex").slice(0, 12),
+        ...entry.topic !== undefined ? { topic: entry.topic } : {},
+        ...entry.kind !== undefined ? { kind: entry.kind } : {},
+        ...entry.model !== undefined ? { model: entry.model } : {},
+        ...entry.context !== undefined ? { context: entry.context } : {},
+        ...entry.poll !== undefined ? { poll: entry.poll } : {},
+        ...entry.action !== undefined ? { action: entry.action } : {}
+      });
+    }
+  }
+  return out;
+}
+
+// src/agent-scheduler/replay.ts
+var STALE_LOOKBACK_MAX_MIN = 14 * 24 * 60;
+function readRecentFires(jsonlPath) {
+  const fs2 = __require("node:fs");
+  if (!fs2.existsSync(jsonlPath))
+    return [];
+  let raw;
+  try {
+    raw = fs2.readFileSync(jsonlPath, "utf8");
+  } catch {
+    return [];
+  }
+  const out = [];
+  for (const line of raw.split(`
+`)) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0)
+      continue;
+    try {
+      out.push(JSON.parse(trimmed));
+    } catch {}
+  }
+  return out;
+}
+
 // src/host-control/server.ts
 function resolveDigests(imageRefs) {
   const out = new Map;
   for (const ref of imageRefs) {
     try {
-      const r = spawnSync2("docker", ["inspect", "--format={{index .RepoDigests 0}}", ref], { encoding: "utf-8", timeout: 5000 });
+      const r = spawnSync3("docker", ["inspect", "--format={{index .RepoDigests 0}}", ref], { encoding: "utf-8", timeout: 5000 });
       if (r.status !== 0)
         continue;
       const trimmed = (r.stdout ?? "").trim();
@@ -21204,6 +21364,12 @@ class HostdServer {
         case "agent_smoke":
           resp = await this.handleAgentSmoke(req, started);
           break;
+        case "agent_status":
+          resp = this.handleAgentStatus(req, started);
+          break;
+        case "agent_schedule":
+          resp = this.handleAgentSchedule(req, started);
+          break;
         case "config_propose_edit":
           resp = await this.handleConfigProposeEdit(req, caller, started);
           break;
@@ -21256,6 +21422,12 @@ class HostdServer {
         return callerAdmin ? null : `${req.op} cross-agent requires admin: true on caller "${caller.name}"`;
       case "doctor":
         return callerAdmin ? null : `doctor requires admin: true on caller "${caller.name}"`;
+      case "agent_status":
+      case "agent_schedule":
+        if (req.args.name !== undefined && req.args.name === caller.name) {
+          return null;
+        }
+        return callerAdmin ? null : `${req.op} ${req.args.name === undefined ? "fleet view" : "cross-agent"} requires admin: true on caller "${caller.name}"`;
       case "config_propose_edit":
         return null;
     }
@@ -21726,10 +21898,67 @@ class HostdServer {
     }));
     return respond("running", probes);
   }
+  handleAgentStatus(req, started) {
+    try {
+      const cfg = loadConfig(this.opts.configPath);
+      const all = getAllAgentStatuses(cfg);
+      const statuses = req.args.name ? req.args.name in all ? { [req.args.name]: all[req.args.name] } : {} : all;
+      return {
+        v: 1,
+        request_id: req.request_id,
+        result: "completed",
+        exit_code: 0,
+        duration_ms: Date.now() - started,
+        payload: JSON.stringify({ statuses })
+      };
+    } catch (e) {
+      return {
+        v: 1,
+        request_id: req.request_id,
+        result: "error",
+        exit_code: null,
+        duration_ms: Date.now() - started,
+        error: `agent_status failed: ${e.message}`
+      };
+    }
+  }
+  handleAgentSchedule(req, started) {
+    try {
+      const cfg = loadConfig(this.opts.configPath);
+      let entries = collectScheduleEntries(cfg);
+      if (req.args.name)
+        entries = entries.filter((e) => e.agent === req.args.name);
+      const agentsDir = resolveAgentsDir(cfg);
+      const recentByAgent = {};
+      for (const agent of new Set(entries.map((e) => e.agent))) {
+        const rows = readRecentFires(resolve5(agentsDir, agent, "scheduler.jsonl"));
+        if (rows.length > 0)
+          recentByAgent[agent] = rows;
+      }
+      const bounded = boundScheduleView(entries, recentByAgent);
+      return {
+        v: 1,
+        request_id: req.request_id,
+        result: "completed",
+        exit_code: 0,
+        duration_ms: Date.now() - started,
+        payload: JSON.stringify(bounded)
+      };
+    } catch (e) {
+      return {
+        v: 1,
+        request_id: req.request_id,
+        result: "error",
+        exit_code: null,
+        duration_ms: Date.now() - started,
+        error: `agent_schedule failed: ${e.message}`
+      };
+    }
+  }
   runDocker(args) {
     return new Promise((resolve6, reject) => {
       const bin = this.opts.dockerBin ?? "docker";
-      const child = spawn(bin, args, {
+      const child = spawn2(bin, args, {
         stdio: ["ignore", "pipe", "pipe"],
         env: { ...process.env }
       });
@@ -21752,7 +21981,7 @@ class HostdServer {
       const composePath = join3(this.opts.bindRoot ?? this.opts.homeDir, ".switchroom", "compose", "docker-compose.yml");
       if (!existsSync7(composePath))
         return [];
-      const r = spawnSync2("docker", [
+      const r = spawnSync3("docker", [
         "compose",
         "-p",
         "switchroom",
@@ -21895,7 +22124,7 @@ class HostdServer {
   runSwitchroom(args) {
     return new Promise((resolve6, reject) => {
       const bin = this.opts.switchroomBin ?? "switchroom";
-      const child = spawn(bin, args, {
+      const child = spawn2(bin, args, {
         stdio: ["ignore", "pipe", "pipe"],
         env: { ...process.env }
       });
@@ -21917,6 +22146,49 @@ function tail(s, bytes = TAIL_BYTES) {
     return s;
   return s.slice(s.length - bytes);
 }
+var SCHEDULE_PROMPT_MAX_CHARS = 160;
+var SCHEDULE_OUTPUT_SUMMARY_MAX_CHARS = 100;
+var SCHEDULE_MAX_FIRES_PER_AGENT = 8;
+var SCHEDULE_FRAME_BUDGET_BYTES = MAX_FRAME_BYTES - 2048;
+function slimScheduleEntry(e) {
+  const slim = {
+    agent: e.agent,
+    scheduleIndex: e.scheduleIndex,
+    cron: e.cron,
+    promptKey: e.promptKey
+  };
+  if (e.prompt !== undefined) {
+    slim.prompt = e.prompt.length > SCHEDULE_PROMPT_MAX_CHARS ? e.prompt.slice(0, SCHEDULE_PROMPT_MAX_CHARS) : e.prompt;
+  }
+  if (e.kind !== undefined)
+    slim.kind = e.kind;
+  if (e.model !== undefined)
+    slim.model = e.model;
+  if (e.context !== undefined)
+    slim.context = e.context;
+  if (e.topic !== undefined)
+    slim.topic = e.topic;
+  return slim;
+}
+function scheduleFrameBytes(view) {
+  return Buffer.byteLength(JSON.stringify(JSON.stringify(view)), "utf8");
+}
+function boundScheduleView(entries, recentByAgent) {
+  const slimEntries = entries.map(slimScheduleEntry);
+  const boundedRecent = {};
+  for (const [agent, rows] of Object.entries(recentByAgent)) {
+    boundedRecent[agent] = rows.slice(-SCHEDULE_MAX_FIRES_PER_AGENT).map((r) => typeof r.outputSummary === "string" && r.outputSummary.length > SCHEDULE_OUTPUT_SUMMARY_MAX_CHARS ? { ...r, outputSummary: r.outputSummary.slice(0, SCHEDULE_OUTPUT_SUMMARY_MAX_CHARS) } : { ...r });
+  }
+  let view = { entries: slimEntries, recentByAgent: boundedRecent };
+  if (scheduleFrameBytes(view) <= SCHEDULE_FRAME_BUDGET_BYTES)
+    return view;
+  view = { entries: slimEntries, recentByAgent: {}, truncated: true };
+  while (scheduleFrameBytes(view) > SCHEDULE_FRAME_BUDGET_BYTES && view.entries.length > 1) {
+    const keep = Math.max(1, Math.floor(view.entries.length * 0.8));
+    view = { entries: view.entries.slice(0, keep), recentByAgent: {}, truncated: true };
+  }
+  return view;
+}
 var READONLY_EXEC_ALLOWLIST = [
   "cat",
   "df",
@@ -22199,10 +22471,10 @@ function errMsg(err2) {
 }
 
 // src/host-control/release-watcher-shellouts.ts
-import { spawn as spawn2 } from "node:child_process";
+import { spawn as spawn3 } from "node:child_process";
 async function run(cmd, args, timeoutMs) {
   return new Promise((res) => {
-    const p = spawn2(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+    const p = spawn3(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
     let stdout = "";
     let stderr = "";
     const to = setTimeout(() => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.15.25",
+  "version": "0.15.27",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {
@@ -27,12 +27,13 @@
     "test:vitest": "vitest run",
     "test:bun": "bun test src/watchdog/state.test.ts src/watchdog/policy.test.ts src/vault/grants.test.ts src/vault/write-grants.test.ts src/vault/broker/server-grants.test.ts src/vault/broker/server-write-grants.test.ts src/vault/broker/server-mint-grant-passphrase-attest.test.ts src/vault/broker/server-passphrase-attest.test.ts src/vault/broker/server-mint-grant-posture-attest.test.ts src/vault/broker/server-admin-only-keys.test.ts src/vault/broker/client-token.test.ts src/vault/broker/server-unlock.test.ts src/vault/broker/auto-unlock.test.ts src/vault/broker/drift-detection.test.ts tests/vault-broker-passphrase.test.ts src/cli/vault-get-broker.test.ts src/vault/resolver-via-broker.test.ts src/vault/broker/scope.test.ts src/vault/broker/server.test.ts src/drive/disconnect.test.ts src/drive/grants.test.ts src/drive/oauth.test.ts src/drive/onboarding.test.ts src/drive/reconciler.test.ts src/drive/vault-slots.test.ts src/drive/wrapper.test.ts src/vault/approvals/kernel.test.ts src/vault/approvals/approval-origin.test.ts src/vault/approvals/schema-idempotent.test.ts src/vault/broker/server-approvals.test.ts telegram-plugin/tests/boot-probes.test.ts telegram-plugin/tests/boot-version-string.test.ts telegram-plugin/tests/history.test.ts telegram-plugin/tests/history-reaper.test.ts telegram-plugin/tests/ipc-server-client.test.ts telegram-plugin/tests/ipc-server-race.test.ts telegram-plugin/tests/gateway-bridge.test.ts telegram-plugin/tests/gateway-startup-mutex.test.ts telegram-plugin/tests/gateway-clean-shutdown-marker.test.ts telegram-plugin/tests/boot-card-dedupe.test.ts telegram-plugin/tests/boot-card-reason.test.ts telegram-plugin/tests/progress-update.test.ts telegram-plugin/tests/quota-cache.test.ts telegram-plugin/tests/silent-reply-guard.test.ts telegram-plugin/tests/unhandled-rejection-policy.test.ts telegram-plugin/tests/registry-turns.test.ts telegram-plugin/registry/subagents.test.ts telegram-plugin/registry/subagents-bugs.test.ts telegram-plugin/tests/subagent-watcher-parent-turn-key.test.ts telegram-plugin/tests/turns-writer.test.ts telegram-plugin/tests/resume-inbound-builder.test.ts telegram-plugin/tests/subagent-tracker-hooks.test.ts telegram-plugin/tests/resolve-calling-subagent.test.ts telegram-plugin/tests/gateway-update-placeholder-dispatch.test.ts telegram-plugin/tests/reaction-trigger.test.ts telegram-plugin/tests/reaction-trigger-flow.test.ts telegram-plugin/uat/load-env.test.ts telegram-plugin/uat/feed-matcher.test.ts telegram-plugin/gateway/webhook-ingest-server.test.ts",
     "test:watch": "vitest",
-    "lint": "tsc --noEmit && node scripts/check-plugin-references.mjs && bash scripts/check-bot-api-wrapping.sh && node scripts/check-bun-test-imports.mjs && node scripts/check-no-pii-secrets.mjs && node scripts/check-vault-test-hermeticity.mjs && node scripts/check-no-broadcast-delivery.mjs && node scripts/check-stale-tool-descriptions.mjs",
+    "lint": "tsc --noEmit && node scripts/check-plugin-references.mjs && bash scripts/check-bot-api-wrapping.sh && node scripts/check-bun-test-imports.mjs && node scripts/check-no-pii-secrets.mjs && node scripts/check-vault-test-hermeticity.mjs && node scripts/check-no-broadcast-delivery.mjs && node scripts/check-stale-tool-descriptions.mjs && node scripts/check-web-subscription-honest.mjs",
     "lint:tsc": "tsc --noEmit",
     "lint:plugin-references": "node scripts/check-plugin-references.mjs",
     "lint:bot-api-wrapping": "bash scripts/check-bot-api-wrapping.sh",
     "lint:bun-test-imports": "node scripts/check-bun-test-imports.mjs",
     "lint:no-pii": "node scripts/check-no-pii-secrets.mjs",
+    "lint:web-subscription-honest": "node scripts/check-web-subscription-honest.mjs",
     "lint:no-broadcast-delivery": "node scripts/check-no-broadcast-delivery.mjs",
     "prepublishOnly": "npm run build && npm run lint && npm test"
   },

package/telegram-plugin/dist/gateway/gateway.js

@@ -46442,6 +46442,20 @@ var DoctorRequestSchema = exports_external.object({
   op: exports_external.literal("doctor"),
   args: exports_external.object({}).optional()
 });
+var AgentStatusRequestSchema = exports_external.object({
+  ...RequestEnvelope,
+  op: exports_external.literal("agent_status"),
+  args: exports_external.object({
+    name: AgentNameSchema2.optional()
+  })
+});
+var AgentScheduleRequestSchema = exports_external.object({
+  ...RequestEnvelope,
+  op: exports_external.literal("agent_schedule"),
+  args: exports_external.object({
+    name: AgentNameSchema2.optional()
+  })
+});
 var AgentSmokeRequestSchema = exports_external.object({
   ...RequestEnvelope,
   op: exports_external.literal("agent_smoke"),
@@ -46472,6 +46486,8 @@ var RequestSchema3 = exports_external.discriminatedUnion("op", [
   AgentExecRequestSchema,
   DoctorRequestSchema,
   AgentSmokeRequestSchema,
+  AgentStatusRequestSchema,
+  AgentScheduleRequestSchema,
   ConfigProposeEditRequestSchema
 ]);
 var ResultSchema = exports_external.enum(["started", "completed", "denied", "error"]);
@@ -46523,6 +46539,7 @@ var ResponseEnvelope = {
   audit_id: exports_external.string().min(1).optional(),
   stdout_tail: exports_external.string().optional(),
   stderr_tail: exports_external.string().optional(),
+  payload: exports_external.string().optional(),
   error: exports_external.string().optional(),
   error_envelope: ErrorEnvelopeSchema.optional()
 };
@@ -54424,10 +54441,10 @@ function readTurnActiveMarkerAgeMs(stateDir, now) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.15.25";
-var COMMIT_SHA = "0d066743";
-var COMMIT_DATE = "2026-06-15T02:15:36Z";
-var LATEST_PR = 2359;
+var VERSION = "0.15.27";
+var COMMIT_SHA = "97160057";
+var COMMIT_DATE = "2026-06-15T06:43:23Z";
+var LATEST_PR = 2372;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts
@@ -54720,6 +54737,112 @@ async function revokeGrantViaBroker(id, opts) {
 
 // gateway/linear-activity.ts
 init_client2();
+
+// ../src/linear/oauth-refresh.ts
+var LINEAR_TOKEN_ENDPOINT = "https://api.linear.app/oauth/token";
+var DEFAULT_REFRESH_SKEW_SEC = 2 * 3600;
+async function refreshLinearAppToken(bundle, opts = {}) {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const nowSec = opts.nowSec ?? (() => Math.floor(Date.now() / 1000));
+  const form = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: bundle.refreshToken,
+    client_id: bundle.clientId,
+    client_secret: bundle.clientSecret
+  });
+  let resp;
+  try {
+    resp = await fetchImpl(LINEAR_TOKEN_ENDPOINT, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: form.toString()
+    });
+  } catch (err) {
+    return { ok: false, reason: "network", detail: err.message };
+  }
+  if (!resp.ok) {
+    const txt = await resp.text().catch(() => "");
+    const revoked = resp.status === 400 || /invalid_grant|invalid_token/i.test(txt);
+    return {
+      ok: false,
+      reason: revoked ? "revoked" : "http_error",
+      detail: `HTTP ${resp.status}${txt ? ` ${txt.slice(0, 200)}` : ""}`
+    };
+  }
+  let json;
+  try {
+    json = await resp.json();
+  } catch {
+    return { ok: false, reason: "bad_response", detail: "non-JSON token response" };
+  }
+  const accessToken = json.access_token;
+  if (typeof accessToken !== "string" || accessToken.length === 0) {
+    return { ok: false, reason: "bad_response", detail: "no access_token in response" };
+  }
+  const expiresIn = typeof json.expires_in === "number" ? json.expires_in : 86400;
+  const rotated = typeof json.refresh_token === "string" && json.refresh_token.length > 0 ? json.refresh_token : bundle.refreshToken;
+  return {
+    ok: true,
+    accessToken,
+    refreshToken: rotated,
+    expiresAt: nowSec() + expiresIn,
+    ...typeof json.scope === "string" ? { scope: json.scope } : {}
+  };
+}
+function parseBundle(raw) {
+  if (raw == null || raw === "")
+    return null;
+  let o;
+  try {
+    o = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (typeof o.client_id === "string" && typeof o.client_secret === "string" && typeof o.refresh_token === "string" && o.client_id.length > 0 && o.client_secret.length > 0 && o.refresh_token.length > 0) {
+    return {
+      clientId: o.client_id,
+      clientSecret: o.client_secret,
+      refreshToken: o.refresh_token,
+      ...typeof o.expires_at === "number" ? { expiresAt: o.expires_at } : {}
+    };
+  }
+  return null;
+}
+function serializeBundle(b) {
+  return JSON.stringify({
+    client_id: b.clientId,
+    client_secret: b.clientSecret,
+    refresh_token: b.refreshToken,
+    ...b.expiresAt != null ? { expires_at: b.expiresAt } : {}
+  });
+}
+async function performLinearRefresh(io) {
+  const raw = await io.readBundle();
+  const bundle = parseBundle(raw);
+  if (!bundle) {
+    return { ok: false, reason: "no_bundle", detail: "no/invalid refresh bundle" };
+  }
+  const res = await refreshLinearAppToken(bundle, {
+    ...io.fetchImpl ? { fetchImpl: io.fetchImpl } : {},
+    ...io.nowSec ? { nowSec: io.nowSec } : {}
+  });
+  if (!res.ok)
+    return { ok: false, reason: res.reason, detail: res.detail };
+  try {
+    await io.writeBundle(serializeBundle({
+      clientId: bundle.clientId,
+      clientSecret: bundle.clientSecret,
+      refreshToken: res.refreshToken,
+      expiresAt: res.expiresAt
+    }));
+    await io.writeToken(res.accessToken);
+  } catch (err) {
+    return { ok: false, reason: "persist_failed", detail: err.message };
+  }
+  return { ok: true, accessToken: res.accessToken, expiresAt: res.expiresAt };
+}
+
+// gateway/linear-activity.ts
 var LINEAR_GRAPHQL_ENDPOINT = "https://api.linear.app/graphql";
 async function defaultResolveLinearToken(agent) {
   const key = `linear/${agent}/token`;
@@ -54736,6 +54859,53 @@ async function defaultResolveLinearToken(agent) {
     return { ok: false, reason: "denied" };
   return { ok: false, reason: "unknown" };
 }
+function brokerRefreshIO(agent, fetchImpl) {
+  const token = readVaultTokenFile(agent) ?? undefined;
+  const opt = token ? { token } : {};
+  return {
+    readBundle: async () => {
+      const r = await getViaBrokerStructured(`linear/${agent}/oauth`, opt);
+      return r.kind === "ok" && r.entry.kind === "string" ? r.entry.value : null;
+    },
+    writeToken: async (t) => {
+      const r = await putViaBroker(`linear/${agent}/token`, { kind: "string", value: t }, opt);
+      if (r.kind !== "ok")
+        throw new Error(`broker put linear/${agent}/token: ${r.kind}`);
+    },
+    writeBundle: async (j) => {
+      const r = await putViaBroker(`linear/${agent}/oauth`, { kind: "string", value: j }, opt);
+      if (r.kind !== "ok")
+        throw new Error(`broker put linear/${agent}/oauth: ${r.kind}`);
+    },
+    ...fetchImpl ? { fetchImpl } : {}
+  };
+}
+async function linearPostWithRefresh(body, token, agent, fetchImpl, log, refreshIO) {
+  const post = (t) => fetchImpl(LINEAR_GRAPHQL_ENDPOINT, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", Authorization: t },
+    body
+  });
+  let resp = await post(token);
+  if (resp.status !== 401)
+    return { resp, token };
+  const io = (refreshIO ?? ((a) => brokerRefreshIO(a, fetchImpl)))(agent);
+  const refreshed = await performLinearRefresh({ ...io, fetchImpl });
+  if (!refreshed.ok) {
+    if (refreshed.reason === "revoked") {
+      log(`telegram gateway: linear token REVOKED agent=${agent} \u2014 refresh token is dead; ` + `operator must re-authorize (linear-agent setup --refresh-token \u2026)
+`);
+    } else {
+      log(`telegram gateway: linear token refresh failed agent=${agent} reason=${refreshed.reason}
+`);
+    }
+    return { resp, token };
+  }
+  log(`telegram gateway: linear token auto-refreshed agent=${agent} (was 401)
+`);
+  resp = await post(refreshed.accessToken);
+  return { resp, token: refreshed.accessToken };
+}
 async function emitLinearAgentActivity(args, deps = {}) {
   const log = deps.log ?? ((s) => process.stderr.write(s));
   const sessionId = args.agent_session_id;
@@ -54780,14 +54950,7 @@ async function emitLinearAgentActivity(args, deps = {}) {
   const fetchImpl = deps.fetchImpl ?? fetch;
   let resp;
   try {
-    resp = await fetchImpl(LINEAR_GRAPHQL_ENDPOINT, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: tokenResult.token
-      },
-      body: JSON.stringify({ query: mutation, variables })
-    });
+    ({ resp } = await linearPostWithRefresh(JSON.stringify({ query: mutation, variables }), tokenResult.token, agent, fetchImpl, log, deps.refreshIO));
   } catch (err) {
     return {
       content: [{ type: "text", text: `linear_agent_activity failed: request error: ${err.message}` }]
@@ -54847,15 +55010,13 @@ async function createLinearIssue(args, deps = {}) {
       ]
     };
   }
-  const token = tokenResult.token;
+  let activeToken = tokenResult.token;
   const gql = async (query2, variables) => {
     let resp;
     try {
-      resp = await fetchImpl(LINEAR_GRAPHQL_ENDPOINT, {
-        method: "POST",
-        headers: { "Content-Type": "application/json", Authorization: token },
-        body: JSON.stringify({ query: query2, variables })
-      });
+      const out = await linearPostWithRefresh(JSON.stringify({ query: query2, variables }), activeToken, agent, fetchImpl, log, deps.refreshIO);
+      resp = out.resp;
+      activeToken = out.token;
     } catch (err) {
       return { ok: false, text: `request error: ${err.message}` };
     }