npm - switchroom - Versions diffs - 0.15.36 → 0.15.38 - Mend

switchroom 0.15.36 → 0.15.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/telegram-plugin/dist/server.js CHANGED Viewed

@@ -23809,7 +23809,7 @@ function validateGatewayMessage(msg) {
     case "inbound":
       return typeof m.chatId === "string" && typeof m.text === "string";
     case "permission":
-      return typeof m.requestId === "string" && (m.behavior === "allow" || m.behavior === "deny") && (m.rule === undefined || typeof m.rule === "string" && m.rule.length > 0);
+      return typeof m.requestId === "string" && (m.behavior === "allow" || m.behavior === "deny") && (m.rule === undefined || typeof m.rule === "string" && m.rule.length > 0) && (m.message === undefined || typeof m.message === "string" && m.message.length > 0);
     case "status":
       return typeof m.status === "string";
     case "tool_call_result":
@@ -24047,6 +24047,28 @@ function createIpcClient(options) {
 }
 var init_ipc_client = () => {};
+// bridge/tool-filter.ts
+function buildEffectiveToolSchemas(schemas4, opts) {
+  return schemas4.filter((t) => opts.linearEnabled || !LINEAR_TOOLS.has(t.name)).map((t) => ALWAYS_LOAD_TOOLS.has(t.name) ? { ...t, _meta: { "anthropic/alwaysLoad": true } } : t);
+}
+var ALWAYS_LOAD_TOOLS, LINEAR_TOOLS, LINEAR_ENV = "SWITCHROOM_TELEGRAM_LINEAR";
+var init_tool_filter = __esm(() => {
+  ALWAYS_LOAD_TOOLS = new Set([
+    "reply",
+    "stream_reply",
+    "get_recent_messages",
+    "react",
+    "edit_message",
+    "send_typing",
+    "download_attachment"
+  ]);
+  LINEAR_TOOLS = new Set([
+    "linear_agent_activity",
+    "linear_create_issue",
+    "linear_agent_setup"
+  ]);
+});
 // permission-rule.ts
 import { basename as basename2 } from "node:path";
 function resolveSkillName(input) {
@@ -24171,7 +24193,8 @@ function onPermission(msg) {
     method: "notifications/claude/channel/permission",
     params: {
       request_id: msg.requestId,
-      behavior: msg.behavior
+      behavior: msg.behavior,
+      ...msg.message ? { message: msg.message } : {}
     }
   }).catch((err) => {
     process.stderr.write(`telegram bridge: failed to deliver permission to Claude: ${err}
@@ -24232,7 +24255,7 @@ async function main() {
   }
   await mcp.connect(new StdioServerTransport);
 }
-var STATE_DIR, SOCKET_PATH, TOPIC_ID, AGENT_NAME, mcp, TOOL_SCHEMAS, sessionAllowRules, ipc = null, sessionTailEnabled, sessionTailHandle = null, ptyTailEnabled, ptyTailHandle = null;
+var STATE_DIR, SOCKET_PATH, TOPIC_ID, AGENT_NAME, mcp, TOOL_SCHEMAS, EFFECTIVE_TOOL_SCHEMAS, sessionAllowRules, ipc = null, sessionTailEnabled, sessionTailHandle = null, ptyTailEnabled, ptyTailHandle = null;
 var init_bridge = __esm(async () => {
   init_server2();
   init_stdio2();
@@ -24242,6 +24265,7 @@ var init_bridge = __esm(async () => {
   init_session_tail();
   init_pty_tail();
   init_ipc_client();
+  init_tool_filter();
   init_permission_rule();
   installPluginLogger2();
   STATE_DIR = process.env.TELEGRAM_STATE_DIR ?? join5(homedir4(), ".claude", "channels", "telegram");
@@ -24684,9 +24708,45 @@ var init_bridge = __esm(async () => {
         },
         required: ["title", "body"]
       }
+    },
+    {
+      name: "linear_agent_setup",
+      description: 'Provision THIS agent as a Linear app actor (actor=app OAuth) from inside the container \u2014 the operator-approved in-container path that replaces the host-only `switchroom linear-agent setup` (which silently no-ops in a sandbox). Two steps. action="authorize_url": pass the OAuth app client_id + redirect_uri; returns the browser URL the operator opens to consent. action="complete": pass client_id, client_secret, redirect_uri, and the code from the redirect; exchanges it and stores the access token (linear/<agent>/token) + the durable refresh bundle (linear/<agent>/oauth) via the vault broker so the token auto-renews. Writing those NEW keys needs a write-grant \u2014 if the broker denies, the tool returns the exact vault_request_access calls to make (operator approves), then re-run "complete". After it stores the values, follow the returned guidance to config_propose_edit the linear_agent block + secrets[] ACL (also operator-approved) to make it durable. The client_secret and code are used in-process only \u2014 never stored in config or logged.',
+      inputSchema: {
+        type: "object",
+        properties: {
+          action: {
+            type: "string",
+            enum: ["authorize_url", "complete"],
+            description: '"authorize_url" to get the browser consent URL; "complete" to exchange the code and store the credentials.'
+          },
+          client_id: {
+            type: "string",
+            description: "Linear OAuth app client id (from Linear \u2192 Settings \u2192 API \u2192 your agent app)."
+          },
+          redirect_uri: {
+            type: "string",
+            description: "The redirect URI registered on the Linear OAuth app (e.g. http://localhost:3000/callback). Must match exactly in both steps."
+          },
+          client_secret: {
+            type: "string",
+            description: 'Linear OAuth app client secret. Required for action="complete"; used in-process for the token exchange, never stored or logged.'
+          },
+          code: {
+            type: "string",
+            description: 'The authorization code from the redirect URL (the `code=` query param). Required for action="complete"; single-use.'
+          }
+        },
+        required: ["action", "client_id", "redirect_uri"]
+      }
     }
   ];
-  mcp.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOL_SCHEMAS }));
+  EFFECTIVE_TOOL_SCHEMAS = buildEffectiveToolSchemas(TOOL_SCHEMAS, {
+    linearEnabled: process.env[LINEAR_ENV] === "1"
+  });
+  mcp.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: EFFECTIVE_TOOL_SCHEMAS
+  }));
   mcp.setRequestHandler(CallToolRequestSchema, async (req) => {
     const tool = req.params.name;
     const args = req.params.arguments ?? {};

package/telegram-plugin/gateway/auto-classify-mid-turn.ts CHANGED Viewed

@@ -7,7 +7,7 @@
  *
  * Today a no-prefix mid-turn message always QUEUES (the default flipped
  * 2026-04-17 away from the blunt "everything steers" — see
- * reference/steer-or-queue-mid-flight.md). This module is the basis for a
+ * reference/jobs/steer-or-queue-mid-flight.md). This module is the basis for a
  * smarter default. It ships first in SHADOW mode (the gateway logs what it WOULD
  * decide but still queues), to gather real-world data — how often mid-turn
  * messages are same-topic continuations vs cross-topic new tasks, and the

package/telegram-plugin/gateway/boot-card.ts CHANGED Viewed

@@ -46,6 +46,7 @@ import {
   probeBroker,
   probeKernel,
   probeSkills,
+  probeConnections,
   watchAgentProcess,
   AGENT_LIVE_WINDOW_MS,
   AGENT_LIVE_POLL_INTERVAL_MS,
@@ -120,6 +121,7 @@ export type ProbeKey =
   | 'broker'
   | 'kernel'
   | 'skills'
+  | 'connections'
 export type ProbeMap = Partial<Record<ProbeKey, ProbeResult | null>>
@@ -253,11 +255,12 @@ const PROBE_LABELS: Record<ProbeKey, string> = {
   broker:    'Broker',
   kernel:    'Kernel',
   skills:    'Skills',
+  connections: 'Connections',
 }
 const PROBE_KEYS: ReadonlyArray<ProbeKey> = [
   'account', 'agent', 'gateway', 'quota', 'hindsight',
-  'scheduler', 'broker', 'kernel', 'skills',
+  'scheduler', 'broker', 'kernel', 'skills', 'connections',
 ]
 const REASON_EMOJI: Record<RestartReason, string> = {
@@ -617,6 +620,7 @@ export async function runAllProbes(opts: RunProbesOpts): Promise<ProbeMap> {
     probeBroker(undefined, { dockerMode: opts.dockerMode }).then(r => { probes.broker = r }),
     probeKernel(undefined, { dockerMode: opts.dockerMode }).then(r => { probes.kernel = r }),
     probeSkills(opts.agentDir, { agentName: opts.agentSlug ?? opts.agentName }).then(r => { probes.skills = r }),
+    probeConnections(opts.agentDir).then(r => { probes.connections = r }),
   ])
   return probes

package/telegram-plugin/gateway/boot-probes.ts CHANGED Viewed

@@ -1421,6 +1421,68 @@ function renderBucketedSkills(switchroom: string[], agent: string[]): string {
   return parts.length === 0 ? 'none resolved' : parts.join(' · ')
 }
+// ─── Probe: Connections (configured-but-unauthed MCP integrations) ───────────
+/**
+ * Surface configured-but-unauthed MCP connections at agent start. The auth
+ * verdict can't be computed in-container (this boot probe must not do
+ * vault/grant work — see the module header), so `switchroom apply` computes
+ * it host-side and drops a snapshot at
+ * `<agentDir>/.claude/connection-health.json` (src/agents/connection-health.ts).
+ * This probe just reads it.
+ *
+ *   ok       — snapshot missing/unparseable (not yet computed → assume
+ *              healthy, don't nag) OR zero issues
+ *   degraded — ≥1 connection configured but not authed; detail names the
+ *              servers, nextStep carries the first fix
+ *
+ * Never `fail`: an unauthed integration degrades that one capability, it
+ * doesn't take the agent down, and the silent-when-healthy boot card
+ * should not red an agent over a missing third-party token.
+ */
+export interface ConnectionIssueShape {
+  server: string
+  key: string
+  kind: string
+  detail: string
+  fix: string
+}
+export async function probeConnections(
+  agentDir: string,
+  opts: { readFileImpl?: (path: string) => string } = {},
+): Promise<ProbeResult> {
+  return withTimeout('Connections', (async (): Promise<ProbeResult> => {
+    const path = join(agentDir, '.claude', 'connection-health.json')
+    const read = opts.readFileImpl ?? ((p: string) => readFileSync(p, 'utf8'))
+    let issues: ConnectionIssueShape[] = []
+    try {
+      const parsed = JSON.parse(read(path)) as { issues?: ConnectionIssueShape[] }
+      issues = Array.isArray(parsed.issues) ? parsed.issues : []
+    } catch {
+      // ENOENT (never applied with this build) or malformed — assume healthy.
+      return { status: 'ok', label: 'Connections', detail: 'no issues' }
+    }
+    if (issues.length === 0) {
+      return { status: 'ok', label: 'Connections', detail: 'all authed' }
+    }
+    const servers = [...new Set(issues.map((i) => i.server))]
+    const named = servers.slice(0, 4).join(', ')
+    const more = servers.length > 4 ? ` +${servers.length - 4} more` : ''
+    const first = issues[0]
+    const extra =
+      issues.length > 1
+        ? ` (+${issues.length - 1} more — run \`switchroom doctor\`)`
+        : ''
+    return {
+      status: 'degraded',
+      label: 'Connections',
+      detail: `${servers.length} integration(s) configured but not authed: ${named}${more}`,
+      nextStep: `${first.fix}${extra}`,
+    }
+  })())
+}
 export interface SkillsFsImpl {
   readdir: (p: string) => string[]
   exists: (p: string) => boolean

package/telegram-plugin/gateway/cron-session.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
- * Cheap-cron session identity — docs/rfcs/cheap-cron-sessions.md §3.3.
+ * Cheap-cron session identity — reference/rfcs/cheap-cron-sessions.md §3.3.
  *
  * Rather than rekey the gateway's hardened single-bridge machinery
  * (agentIndex / pendingInboundBuffer / handleRegister, each carrying