switchroom 0.15.35 → 0.15.37

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.15.35",
+  "version": "0.15.37",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/profiles/_shared/agent-self-service.md.hbs

@@ -168,6 +168,31 @@ When you get such a reaction turn:
 
 Don't acknowledge with only a reaction or a bare "done" — the operator wants
 the link (or the honest reason it didn't file).
+
+### If your Linear auth breaks (a 401 / "can't reach Linear")
+
+Linear `actor=app` access tokens expire (~24h) and renew from a stored
+**refresh bundle** (`linear/<you>/oauth`). If that bundle is missing or its
+refresh token was revoked, your Linear calls 401 and the operator gets a
+"🔑 Linear auth needs you" alert. You can re-authorize yourself — it's an
+operator-approved, in-container flow (no host shell needed):
+
+1. Ask the operator for the Linear **OAuth app client_id + redirect_uri** (and
+   they'll have the client_secret ready for step 3).
+2. Call **`linear_agent_setup`** with `action: "authorize_url"`, the
+   `client_id`, and `redirect_uri`. Relay the returned URL — the operator opens
+   it, consents, and copies the `code=` value from the redirect.
+3. Call **`linear_agent_setup`** with `action: "complete"` + `client_id`,
+   `client_secret`, `redirect_uri`, and that `code`. It exchanges the code and
+   stores the access token + refresh bundle via the vault broker.
+   - If it returns **vault_request_access** instructions, the keys need a
+     write-grant — make those calls, the operator approves, then re-run
+     `complete` (re-open the authorize URL first if the code went stale).
+   - If it returns **config_propose_edit** guidance (durability/ACL), propose
+     that edit so the change survives restarts and auto-refresh keeps working.
+
+The client_secret and code are used only for the exchange — never store them in
+config or paste them into a normal message; pass them straight to the tool.
 {{/if}}
 
 ### Don't lie about scheduling

package/telegram-plugin/bridge/bridge.ts

@@ -510,6 +510,38 @@ const TOOL_SCHEMAS = [
       required: ['title', 'body'],
     },
   },
+  {
+    name: 'linear_agent_setup',
+    description:
+      'Provision THIS agent as a Linear app actor (actor=app OAuth) from inside the container — the operator-approved in-container path that replaces the host-only `switchroom linear-agent setup` (which silently no-ops in a sandbox). Two steps. action="authorize_url": pass the OAuth app client_id + redirect_uri; returns the browser URL the operator opens to consent. action="complete": pass client_id, client_secret, redirect_uri, and the code from the redirect; exchanges it and stores the access token (linear/<agent>/token) + the durable refresh bundle (linear/<agent>/oauth) via the vault broker so the token auto-renews. Writing those NEW keys needs a write-grant — if the broker denies, the tool returns the exact vault_request_access calls to make (operator approves), then re-run "complete". After it stores the values, follow the returned guidance to config_propose_edit the linear_agent block + secrets[] ACL (also operator-approved) to make it durable. The client_secret and code are used in-process only — never stored in config or logged.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        action: {
+          type: 'string',
+          enum: ['authorize_url', 'complete'],
+          description: '"authorize_url" to get the browser consent URL; "complete" to exchange the code and store the credentials.',
+        },
+        client_id: {
+          type: 'string',
+          description: 'Linear OAuth app client id (from Linear → Settings → API → your agent app).',
+        },
+        redirect_uri: {
+          type: 'string',
+          description: 'The redirect URI registered on the Linear OAuth app (e.g. http://localhost:3000/callback). Must match exactly in both steps.',
+        },
+        client_secret: {
+          type: 'string',
+          description: 'Linear OAuth app client secret. Required for action="complete"; used in-process for the token exchange, never stored or logged.',
+        },
+        code: {
+          type: 'string',
+          description: 'The authorization code from the redirect URL (the `code=` query param). Required for action="complete"; single-use.',
+        },
+      },
+      required: ['action', 'client_id', 'redirect_uri'],
+    },
+  },
 ]
 
 mcp.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOL_SCHEMAS }))