switchroom 0.8.1 → 0.11.0

package/telegram-plugin/foreman/state.ts

@@ -1,203 +0,0 @@
-/**
- * Foreman conversation state — SQLite-backed per-chat state for multi-turn
- * flows. Survives foreman restarts so a create-agent flow started before a
- * restart can resume cleanly.
- *
- * Location: ~/.switchroom/foreman/state.sqlite
- * Override via SWITCHROOM_FOREMAN_DIR env var.
- *
- * Schema:
- *   CREATE TABLE IF NOT EXISTS create_flow (
- *     chat_id TEXT PRIMARY KEY,
- *     step TEXT NOT NULL,   -- 'asked-name' | 'asked-profile' | 'asked-bot-token' | 'asked-oauth-code' | 'done'
- *     name TEXT,
- *     profile TEXT,
- *     bot_token TEXT,
- *     auth_session_name TEXT,
- *     login_url TEXT,
- *     started_at INTEGER NOT NULL,
- *     updated_at INTEGER NOT NULL
- *   );
- */
-
-import { Database } from 'bun:sqlite'
-import { chmodSync, mkdirSync } from 'fs'
-import { homedir } from 'os'
-import { join } from 'path'
-
-// ─── Types ────────────────────────────────────────────────────────────────
-
-export type CreateFlowStep =
-  | 'asked-name'
-  | 'asked-profile'
-  | 'asked-bot-token'
-  | 'asked-oauth-code'
-  | 'done'
-
-export interface CreateFlowState {
-  chatId: string
-  step: CreateFlowStep
-  name: string | null
-  profile: string | null
-  botToken: string | null
-  authSessionName: string | null
-  loginUrl: string | null
-  startedAt: number
-  updatedAt: number
-}
-
-// ─── DB singleton ─────────────────────────────────────────────────────────
-
-let _db: Database | null = null
-
-function getDb(): Database {
-  if (_db) return _db
-
-  const foremanDir =
-    process.env.SWITCHROOM_FOREMAN_DIR ?? join(homedir(), '.switchroom', 'foreman')
-
-  // 0o700 on the directory + 0o600 on the DB: this file stores in-flight
-  // BotFather tokens during /create-agent flows. On a multi-user host,
-  // default umask (0o022) would leave tokens world-readable otherwise.
-  mkdirSync(foremanDir, { recursive: true, mode: 0o700 })
-
-  const dbPath = join(foremanDir, 'state.sqlite')
-  _db = new Database(dbPath)
-  try {
-    chmodSync(dbPath, 0o600)
-  } catch {
-    // best-effort — fall through if chmod isn't supported
-  }
-
-  _db.exec(`
-    CREATE TABLE IF NOT EXISTS create_flow (
-      chat_id TEXT PRIMARY KEY,
-      step TEXT NOT NULL,
-      name TEXT,
-      profile TEXT,
-      bot_token TEXT,
-      auth_session_name TEXT,
-      login_url TEXT,
-      started_at INTEGER NOT NULL,
-      updated_at INTEGER NOT NULL
-    );
-  `)
-
-  return _db
-}
-
-// ─── Public API ───────────────────────────────────────────────────────────
-
-/** Upsert the state for a given chat. */
-export function setState(state: CreateFlowState): void {
-  const db = getDb()
-  db.prepare(`
-    INSERT INTO create_flow
-      (chat_id, step, name, profile, bot_token, auth_session_name, login_url, started_at, updated_at)
-    VALUES
-      ($chatId, $step, $name, $profile, $botToken, $authSessionName, $loginUrl, $startedAt, $updatedAt)
-    ON CONFLICT(chat_id) DO UPDATE SET
-      step = excluded.step,
-      name = excluded.name,
-      profile = excluded.profile,
-      bot_token = excluded.bot_token,
-      auth_session_name = excluded.auth_session_name,
-      login_url = excluded.login_url,
-      updated_at = excluded.updated_at
-  `).run({
-    $chatId: state.chatId,
-    $step: state.step,
-    $name: state.name,
-    $profile: state.profile,
-    $botToken: state.botToken,
-    $authSessionName: state.authSessionName,
-    $loginUrl: state.loginUrl,
-    $startedAt: state.startedAt,
-    $updatedAt: state.updatedAt,
-  })
-}
-
-/** Retrieve the state for a given chat, or null if none exists. */
-export function getState(chatId: string): CreateFlowState | null {
-  const db = getDb()
-  const row = db.prepare<{
-    chat_id: string
-    step: string
-    name: string | null
-    profile: string | null
-    bot_token: string | null
-    auth_session_name: string | null
-    login_url: string | null
-    started_at: number
-    updated_at: number
-  }, [string]>(`
-    SELECT chat_id, step, name, profile, bot_token, auth_session_name, login_url, started_at, updated_at
-    FROM create_flow
-    WHERE chat_id = ?
-  `).get(chatId)
-
-  if (!row) return null
-
-  return {
-    chatId: row.chat_id,
-    step: row.step as CreateFlowStep,
-    name: row.name,
-    profile: row.profile,
-    botToken: row.bot_token,
-    authSessionName: row.auth_session_name,
-    loginUrl: row.login_url,
-    startedAt: row.started_at,
-    updatedAt: row.updated_at,
-  }
-}
-
-/** Remove the state for a given chat (flow completed or cancelled). */
-export function clearState(chatId: string): void {
-  const db = getDb()
-  db.prepare('DELETE FROM create_flow WHERE chat_id = ?').run(chatId)
-}
-
-/**
- * List all in-progress flows updated within the last `maxAgeMs` ms.
- * Used at foreman startup to resume flows that survived a restart.
- */
-export function listActiveFlows(maxAgeMs = 60 * 60 * 1000): CreateFlowState[] {
-  const db = getDb()
-  const cutoff = Date.now() - maxAgeMs
-  const rows = db.prepare<{
-    chat_id: string
-    step: string
-    name: string | null
-    profile: string | null
-    bot_token: string | null
-    auth_session_name: string | null
-    login_url: string | null
-    started_at: number
-    updated_at: number
-  }, [number]>(`
-    SELECT chat_id, step, name, profile, bot_token, auth_session_name, login_url, started_at, updated_at
-    FROM create_flow
-    WHERE step != 'done' AND updated_at > ?
-    ORDER BY updated_at DESC
-  `).all(cutoff)
-
-  return rows.map(row => ({
-    chatId: row.chat_id,
-    step: row.step as CreateFlowStep,
-    name: row.name,
-    profile: row.profile,
-    botToken: row.bot_token,
-    authSessionName: row.auth_session_name,
-    loginUrl: row.login_url,
-    startedAt: row.started_at,
-    updatedAt: row.updated_at,
-  }))
-}
-
-/** Reset the DB singleton (useful in tests to avoid sharing state). */
-export function _resetDbForTest(): void {
-  if (_db) {
-    _db.close()
-    _db = null
-  }
-}

package/telegram-plugin/tests/auth-account-identity-surface.test.ts

@@ -1,118 +0,0 @@
-import { describe, it, expect } from "vitest";
-import {
-  buildDashboardText,
-  formatRateLimitTier,
-  type DashboardState,
-  type DashboardSlot,
-} from "../auth-dashboard";
-
-function slot(o: Partial<DashboardSlot> = {}): DashboardSlot {
-  return { slot: "default", active: false, health: "healthy", quotaExhaustedUntil: null, fiveHourPct: null, sevenDayPct: null, ...o };
-}
-
-/**
- * 2026-04-22 — account-identity surface.
- *
- * Context: a user reauths an agent onto their Max 20x account, but the
- * OAuth browser flow gets hijacked by Telegram's in-app WebView (which
- * uses a separate cookie jar from their main browser) and the saved
- * token ends up for a different account (e.g. a Max 5x) instead. The
- * dashboard header showed 'Plan: max' \u2014 indistinguishable between
- * 5x and 20x \u2014 so the mismatch was silent until the user hit a quota wall
- * hours later.
- *
- * Fix: surface the full `rateLimitTier` string on the dashboard so a
- * wrong-account reauth is IMMEDIATELY visible. User expected max_20x,
- * sees max_5x, acts.
- *
- * Pair fixes (out of scope for these tests but covered in the PR):
- * - Auth response now includes a \ud83d\udccb Copy URL button so the user can
- *   paste into their main browser instead of Telegram's WebView.
- * - Auth response text includes a tip about the in-app-browser pitfall.
- */
-
-describe("formatRateLimitTier", () => {
-  it("shortens default_claude_max_5x to max_5x", () => {
-    expect(formatRateLimitTier("default_claude_max_5x")).toBe("max_5x");
-  });
-
-  it("shortens default_claude_max_20x to max_20x", () => {
-    expect(formatRateLimitTier("default_claude_max_20x")).toBe("max_20x");
-  });
-
-  it("shortens default_claude_pro to pro", () => {
-    expect(formatRateLimitTier("default_claude_pro")).toBe("pro");
-  });
-
-  it("passes unknown tiers through unchanged", () => {
-    // We don't pretend to understand every future tier string. Passthrough
-    // means a new Anthropic tier name is visible verbatim until we
-    // update the formatter.
-    expect(formatRateLimitTier("team_custom_42")).toBe("team_custom_42");
-    expect(formatRateLimitTier("enterprise_unlimited")).toBe("enterprise_unlimited");
-  });
-
-  it("handles empty/null-ish input gracefully", () => {
-    expect(formatRateLimitTier("")).toBe("");
-  });
-});
-
-describe("dashboard header surfaces rateLimitTier when present", () => {
-  const base: DashboardState = {
-    agent: "lawgpt",
-    bankId: "lawgpt",
-    plan: "max",
-    slots: [slot({ active: true })],
-    quotaHot: false,
-  };
-
-  it("shows max_20x when on the bigger plan", () => {
-    const text = buildDashboardText({ ...base, rateLimitTier: "default_claude_max_20x" });
-    expect(text).toContain("Plan: <b>max_20x</b>");
-    // Should NOT just say 'max' \u2014 that's the ambiguous label that
-    // hid the account mismatch in the incident.
-    expect(text).not.toContain("Plan: <b>max</b>");
-  });
-
-  it("shows max_5x when on the smaller plan", () => {
-    const text = buildDashboardText({ ...base, rateLimitTier: "default_claude_max_5x" });
-    expect(text).toContain("Plan: <b>max_5x</b>");
-  });
-
-  it("falls back to plan label when rateLimitTier missing", () => {
-    const text = buildDashboardText({ ...base, rateLimitTier: null });
-    expect(text).toContain("Plan: <b>max</b>");
-  });
-
-  it("falls back to plan label when rateLimitTier undefined", () => {
-    const text = buildDashboardText({ ...base });
-    expect(text).toContain("Plan: <b>max</b>");
-  });
-
-  it("omits Plan: when neither tier nor plan are known", () => {
-    const text = buildDashboardText({ ...base, plan: null, rateLimitTier: null });
-    expect(text).not.toContain("Plan:");
-    expect(text).toContain("Bank: <code>lawgpt</code>");
-  });
-
-  it("escapes HTML in tier (injection guard)", () => {
-    const text = buildDashboardText({
-      ...base,
-      rateLimitTier: "<script>alert(1)</script>",
-    });
-    expect(text).not.toContain("<script>");
-    expect(text).toContain("&lt;script&gt;");
-  });
-
-  it("pair assertion: user can distinguish 5x from 20x without hunting", () => {
-    // Regression anchor: this was the exact confusion in the incident.
-    // The user saw 'Plan: max' for both accounts and couldn't tell
-    // which got authorized. With the tier string present, 5x and 20x
-    // look different in a glance.
-    const fivex = buildDashboardText({ ...base, rateLimitTier: "default_claude_max_5x" });
-    const twentyx = buildDashboardText({ ...base, rateLimitTier: "default_claude_max_20x" });
-    expect(fivex).not.toBe(twentyx);
-    expect(fivex).toContain("5x");
-    expect(twentyx).toContain("20x");
-  });
-});

package/telegram-plugin/tests/auth-dashboard-edge-cases.test.ts

@@ -1,260 +0,0 @@
-import { describe, it, expect } from "vitest";
-import {
-  buildDashboardText,
-  buildDashboardKeyboard,
-  parseCallbackData,
-  encodeCallbackData,
-  isQuotaHot,
-  buildRemoveConfirmKeyboard,
-  QUOTA_HOT_THRESHOLD_PCT,
-  type DashboardSlot,
-} from "../auth-dashboard";
-
-/**
- * Edge-case coverage for the /auth dashboard. Pair with
- * auth-dashboard.test.ts which covers the happy paths. This file
- * focuses on pathological input, security boundaries, and failure
- * modes we should not regress.
- */
-
-function slot(o: Partial<DashboardSlot> = {}): DashboardSlot {
-  return { slot: "default", active: false, health: "healthy", quotaExhaustedUntil: null, fiveHourPct: null, sevenDayPct: null, ...o };
-}
-
-describe("callback payload — hostile inputs", () => {
-  const cases: Array<[string, string]> = [
-    ["shell expansion", "auth:reauth:$(whoami)"],
-    ["backticks", "auth:reauth:`id`"],
-    ["semicolons", "auth:reauth:clerk;ls"],
-    ["pipes", "auth:reauth:clerk|nc attacker"],
-    ["dot-segments", "auth:use:../../../etc/passwd:default"],
-    ["null bytes", "auth:reauth:clerk\0xyz"],
-    ["tabs", "auth:reauth:clerk\ttab"],
-    ["newlines", "auth:reauth:clerk\nextra"],
-    ["leading space", "auth:reauth: clerk"],
-    ["trailing space", "auth:reauth:clerk "],
-    ["unicode lookalike", "auth:reauth:\u202eevil"],
-    ["empty agent", "auth:reauth:"],
-    ["empty slot for use", "auth:use:clerk:"],
-    ["slot too long (33 chars)", "auth:use:clerk:" + "a".repeat(33)],
-    ["agent too long (65 chars)", "auth:reauth:" + "a".repeat(65)],
-    ["slot contains dot", "auth:use:clerk:slot.name"],
-    ["slot contains slash", "auth:use:clerk:slot/name"],
-    ["slot contains space", "auth:use:clerk:slot name"],
-  ];
-
-  it.each(cases)("rejects %s as noop: %s", (_desc, data) => {
-    expect(parseCallbackData(data)).toEqual({ kind: "noop" });
-  });
-
-  it("accepts legitimately hyphenated slot names", () => {
-    expect(parseCallbackData("auth:use:clerk:backup-1")).toMatchObject({ kind: "use", slot: "backup-1" });
-  });
-
-  it("accepts underscored names", () => {
-    expect(parseCallbackData("auth:use:clerk:work_personal")).toMatchObject({ kind: "use", slot: "work_personal" });
-  });
-});
-
-describe("dashboard text — pathological slot states", () => {
-  it("renders 10 slots without breaking layout", () => {
-    const slots: DashboardSlot[] = Array.from({ length: 10 }, (_, i) => slot({
-      slot: `slot-${i}`,
-      active: i === 0,
-    }));
-    const text = buildDashboardText({ agent: "clerk", bankId: "assistant", plan: "max", slots, quotaHot: false });
-    // All 10 slot names appear in the output
-    for (let i = 0; i < 10; i++) {
-      expect(text).toContain(`slot-${i}`);
-    }
-  });
-
-  it("renders when ALL slots are quota-exhausted (fallback-impossible state)", () => {
-    const slots = [
-      slot({ slot: "default", active: true, health: "quota-exhausted", quotaExhaustedUntil: Date.now() + 60_000 }),
-      slot({ slot: "backup", active: false, health: "quota-exhausted", quotaExhaustedUntil: Date.now() + 120_000 }),
-    ];
-    const text = buildDashboardText({ agent: "clerk", bankId: "assistant", slots, quotaHot: true });
-    expect(text).toContain("default");
-    expect(text).toContain("backup");
-    expect(text.match(/quota-exhausted/g)?.length).toBe(2);
-  });
-
-  it("renders when a slot has zero quota data (no fiveHour/sevenDay pct)", () => {
-    const text = buildDashboardText({
-      agent: "clerk",
-      bankId: "assistant",
-      slots: [slot({ active: true, fiveHourPct: null, sevenDayPct: null })],
-      quotaHot: false,
-    });
-    // Shouldn't contain '5h:' or '7d:' if no data
-    expect(text).not.toContain("5h:");
-    expect(text).not.toContain("7d:");
-  });
-
-  it("handles plan=null gracefully", () => {
-    const text = buildDashboardText({
-      agent: "clerk",
-      bankId: "assistant",
-      plan: null,
-      slots: [slot({ active: true })],
-      quotaHot: false,
-    });
-    expect(text).toContain("assistant");
-    expect(text).not.toContain("Plan:");
-  });
-
-  it("handles 0% utilization (falsy but present)", () => {
-    const text = buildDashboardText({
-      agent: "clerk",
-      bankId: "a",
-      slots: [slot({ active: true, fiveHourPct: 0, sevenDayPct: 0 })],
-      quotaHot: false,
-    });
-    expect(text).toContain("5h: 0%");
-    expect(text).toContain("7d: 0%");
-  });
-
-  it("handles 100% utilization", () => {
-    const text = buildDashboardText({
-      agent: "clerk",
-      bankId: "a",
-      slots: [slot({ active: true, fiveHourPct: 100, sevenDayPct: 100 })],
-      quotaHot: true,
-    });
-    expect(text).toContain("5h: 100%");
-    expect(text).toContain("7d: 100%");
-  });
-
-  it("handles negative reset time (already expired)", () => {
-    const text = buildDashboardText({
-      agent: "clerk",
-      bankId: "a",
-      slots: [slot({ active: true, health: "quota-exhausted", quotaExhaustedUntil: Date.now() - 60_000 })],
-      quotaHot: true,
-    });
-    // Should clamp to 0 rather than show negative minutes
-    expect(text).toContain("resets in ~0m");
-  });
-
-  it("escapes very adversarial agent names", () => {
-    const text = buildDashboardText({
-      agent: '</b><script>alert("x")</script><b>',
-      bankId: "a",
-      slots: [slot({ active: true })],
-      quotaHot: false,
-    });
-    expect(text).not.toContain("<script>");
-    expect(text).toContain("&lt;script&gt;");
-  });
-});
-
-describe("dashboard keyboard — edge cases", () => {
-  it("caps non-active slot buttons at 3 (prevents runaway rows)", () => {
-    const slots = [
-      slot({ slot: "active", active: true }),
-      slot({ slot: "s1" }),
-      slot({ slot: "s2" }),
-      slot({ slot: "s3" }),
-      slot({ slot: "s4" }),
-      slot({ slot: "s5" }),
-    ];
-    const kb = buildDashboardKeyboard({ agent: "clerk", bankId: "a", slots, quotaHot: false });
-    const useButtons = kb.inline_keyboard.flat().filter((b) => b.text.startsWith("Use:"));
-    expect(useButtons.length).toBeLessThanOrEqual(3);
-  });
-
-  it("no [Reauth active] button when no active slot", () => {
-    const kb = buildDashboardKeyboard({ agent: "clerk", bankId: "a", slots: [slot({ slot: "a", active: false })], quotaHot: false });
-    const reauthButton = kb.inline_keyboard.flat().find((b) => b.text.includes("Reauth"));
-    // There IS still a Reauth button (agent-level, no slot) — expected behaviour
-    expect(reauthButton).toBeDefined();
-    // But it should NOT reference a specific slot name
-    expect(reauthButton!.text).not.toMatch(/Reauth \S+$/);
-  });
-
-  it("no Use/Remove rows at all when only the active slot exists", () => {
-    const kb = buildDashboardKeyboard({ agent: "clerk", bankId: "a", slots: [slot({ active: true })], quotaHot: false });
-    const flat = kb.inline_keyboard.flat();
-    expect(flat.some((b) => b.text.startsWith("Use:"))).toBe(false);
-    expect(flat.some((b) => b.text.startsWith("🗑 Remove:"))).toBe(false);
-  });
-
-  it("empty slot set still shows Add + Refresh", () => {
-    const kb = buildDashboardKeyboard({ agent: "clerk", bankId: "a", slots: [], quotaHot: false });
-    const flat = kb.inline_keyboard.flat();
-    expect(flat.some((b) => b.text.includes("Add slot"))).toBe(true);
-    expect(flat.some((b) => b.text.includes("Refresh"))).toBe(true);
-  });
-
-  it("Refresh callback always targets the correct agent", () => {
-    const kb = buildDashboardKeyboard({ agent: "specific-agent", bankId: "a", slots: [], quotaHot: false });
-    const refreshBtn = kb.inline_keyboard.flat().find((b) => b.text.includes("Refresh"));
-    if (refreshBtn && "callback_data" in refreshBtn) {
-      expect(refreshBtn.callback_data).toBe("auth:refresh:specific-agent");
-    }
-  });
-});
-
-describe("isQuotaHot — boundary conditions", () => {
-  it("99% 5h does NOT trip hot (cold, auto-fallback at 99.5%)", () => {
-    expect(isQuotaHot([slot({ fiveHourPct: 89 })])).toBe(false);
-  });
-
-  it("exactly QUOTA_HOT_THRESHOLD_PCT (90%) trips hot", () => {
-    expect(isQuotaHot([slot({ fiveHourPct: QUOTA_HOT_THRESHOLD_PCT })])).toBe(true);
-    expect(isQuotaHot([slot({ sevenDayPct: QUOTA_HOT_THRESHOLD_PCT })])).toBe(true);
-  });
-
-  it("one hot slot among many cold → hot", () => {
-    expect(isQuotaHot([
-      slot({ fiveHourPct: 10 }),
-      slot({ fiveHourPct: 20 }),
-      slot({ fiveHourPct: 95 }),
-      slot({ fiveHourPct: 0 }),
-    ])).toBe(true);
-  });
-
-  it("quota-exhausted always hot, even with 0% pct", () => {
-    expect(isQuotaHot([slot({ health: "quota-exhausted", fiveHourPct: 0, sevenDayPct: 0 })])).toBe(true);
-  });
-
-  it("null utilization doesn't trip", () => {
-    expect(isQuotaHot([slot({ fiveHourPct: null, sevenDayPct: null })])).toBe(false);
-  });
-});
-
-describe("remove confirm keyboard — edge cases", () => {
-  it("cancel button refreshes back to the dashboard (doesn't leave orphan)", () => {
-    const kb = buildRemoveConfirmKeyboard("clerk", "personal");
-    const cancelBtn = kb.inline_keyboard.flat().find((b) => b.text.includes("Cancel"));
-    if (cancelBtn && "callback_data" in cancelBtn) {
-      expect(cancelBtn.callback_data).toBe("auth:refresh:clerk");
-    }
-  });
-
-  it("handles slot names with hyphens/underscores in the confirm label", () => {
-    const kb = buildRemoveConfirmKeyboard("clerk", "backup_slot-v2");
-    const confirmBtn = kb.inline_keyboard.flat().find((b) => b.text.startsWith("⚠️"));
-    expect(confirmBtn?.text).toContain("backup_slot-v2");
-  });
-});
-
-describe("encode/parse round-trip — lots of identities", () => {
-  const actions = [
-    { kind: "refresh", agent: "a" },
-    { kind: "reauth", agent: "a" },
-    { kind: "reauth", agent: "a", slot: "b" },
-    { kind: "add", agent: "a" },
-    { kind: "use", agent: "a", slot: "b" },
-    { kind: "rm", agent: "a", slot: "b" },
-    { kind: "confirm-rm", agent: "a", slot: "b" },
-    { kind: "fallback", agent: "a" },
-    { kind: "usage", agent: "a" },
-  ] as const;
-
-  it.each(actions)("round-trips %s", (action) => {
-    const encoded = encodeCallbackData(action);
-    expect(parseCallbackData(encoded)).toEqual(action);
-  });
-});