@desplega.ai/agent-swarm 1.67.0 → 1.67.2

package/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.67.0",
+    "version": "1.67.2",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.67.0",
+  "version": "1.67.2",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/be/crypto/key-bootstrap.ts

@@ -26,22 +26,39 @@ const ENV_KEY = "SECRETS_ENCRYPTION_KEY";
 const ENV_KEY_FILE = "SECRETS_ENCRYPTION_KEY_FILE";
 const KEY_FILENAME = ".encryption-key";
 
+const HEX_32_BYTE_RE = /^[0-9a-fA-F]{64}$/;
+
+function keyGenerationHelp(): string {
+  return [
+    "",
+    "How to generate a valid key:",
+    "  openssl rand -base64 32   # 43-char base64 (recommended)",
+    "  openssl rand -hex 32      # 64-char hex (also accepted)",
+    "",
+    "Common mistake: `openssl rand -base64 39` produces a 52-char string that",
+    "decodes to 39 bytes — the number passed to `openssl rand` is the decoded",
+    "byte count, and AES-256 requires exactly 32.",
+  ].join("\n");
+}
+
 function decodeAndValidate(source: string, content: string): Buffer {
   const trimmed = content.trim();
-  let decoded: Buffer;
-  try {
-    decoded = Buffer.from(trimmed, "base64");
-  } catch (err) {
-    throw new Error(
-      `Invalid encryption key at ${source}: base64 decode failed: ${(err as Error).message}`,
-    );
-  }
-  if (decoded.length !== AES_KEY_BYTES) {
-    throw new Error(
-      `Invalid encryption key at ${source}: expected ${AES_KEY_BYTES} bytes after base64 decode, got ${decoded.length} bytes`,
-    );
+
+  // Hex path: a 64-char string of [0-9a-fA-F] is unambiguously hex — it would
+  // decode to 48 bytes as base64, never 32, so there is no overlap with the
+  // base64 happy path.
+  if (HEX_32_BYTE_RE.test(trimmed)) {
+    const decoded = Buffer.from(trimmed, "hex");
+    if (decoded.length === AES_KEY_BYTES) return decoded;
   }
-  return decoded;
+
+  const decoded = Buffer.from(trimmed, "base64");
+  if (decoded.length === AES_KEY_BYTES) return decoded;
+
+  throw new Error(
+    `Invalid encryption key at ${source}: expected ${AES_KEY_BYTES} bytes, ` +
+      `got ${decoded.length} bytes after base64 decode.\n${keyGenerationHelp()}`,
+  );
 }
 
 type ResolveEncryptionKeyOptions = {

package/src/be/db.ts

@@ -100,12 +100,21 @@ export function initDb(dbPath = "./agent-swarm-db.sqlite"): Database {
   database.run("PRAGMA journal_mode = WAL;");
   database.run("PRAGMA foreign_keys = ON;");
 
-  // Load sqlite-vec extension for vector search
+  // Load sqlite-vec extension for vector search.
+  // In compiled binaries (`bun build --compile`) the JS lives in /$bunfs/ and
+  // `require.resolve("sqlite-vec-<platform>/vec0.so")` can't find the native
+  // asset — so we prefer an explicit filesystem path when set, and only fall
+  // back to the npm resolver for normal dev runs.
   try {
-    const sqliteVec = require("sqlite-vec");
-    sqliteVec.load(database);
+    const extensionPath = process.env.SQLITE_VEC_EXTENSION_PATH;
+    if (extensionPath) {
+      database.loadExtension(extensionPath);
+    } else {
+      const sqliteVec = require("sqlite-vec");
+      sqliteVec.load(database);
+    }
     sqliteVecAvailable = true;
-    console.log("[db] sqlite-vec loaded");
+    console.log(`[db] sqlite-vec loaded${extensionPath ? ` from ${extensionPath}` : ""}`);
   } catch (err) {
     console.warn(
       "[db] sqlite-vec not available, falling back to in-memory cosine:",

package/src/be/migrations/039_remove_seed_users.sql

@@ -0,0 +1,3 @@
+-- Migration 039: Remove hardcoded seed users from migration 031
+-- Re-add via scripts/backfill-seed-users.sql after deploy
+DELETE FROM users WHERE email IN ('t@desplega.ai', 'e@desplega.ai');

package/src/prompts/session-templates.ts

@@ -59,6 +59,8 @@ As the lead agent, you coordinate all worker agents in the swarm.
 - \`send-task\`: Assign a task to a specific worker or to the general pool. Slack/AgentMail metadata auto-inherits from parent task.
 - \`store-progress\`: Track coordination notes or update task status
 
+**User Registration:** When a task arrives from an unknown user (no \`requestedByUserId\`), use the \`manage-user\` tool to register them before proceeding. Resolve their identity from the Slack metadata (user ID, display name) attached to the task.
+
 **Slack:**
 - \`slack-reply\`: Reply to user in the Slack thread (use taskId for context)
 - \`slack-read\`: Read thread/channel history (use taskId or channelId)
@@ -66,6 +68,7 @@ As the lead agent, you coordinate all worker agents in the swarm.
 
 **Identity:**
 - \`update-profile\`: Update your own or other agents' profile fields (name, role, capabilities, soulMd, identityMd, heartbeatMd, claudeMd, toolsMd, setupScript)
+- \`manage-user\`: Register or update human users (resolve from Slack/GitHub/GitLab identity)
 
 #### Task Routing
 

package/src/tests/key-bootstrap.test.ts

@@ -157,6 +157,57 @@ describe("key-bootstrap: validation", () => {
     expect(() => resolveEncryptionKey(dbPath)).toThrow(/got 16 bytes/);
   });
 
+  it("error message includes openssl generation commands and the -base64 39 hint", () => {
+    process.env[ENV_KEY] = Buffer.alloc(16).toString("base64");
+    const dbPath = path.join(tmpDir, "test.sqlite");
+    let caught: Error | null = null;
+    try {
+      resolveEncryptionKey(dbPath);
+    } catch (err) {
+      caught = err as Error;
+    }
+    expect(caught).toBeTruthy();
+    const msg = caught?.message ?? "";
+    expect(msg).toContain("openssl rand -base64 32");
+    expect(msg).toContain("openssl rand -hex 32");
+    expect(msg).toContain("openssl rand -base64 39");
+  });
+
+  it("accepts a hex-encoded 32-byte key via SECRETS_ENCRYPTION_KEY env var", () => {
+    const keyBytes = randomBytes(AES_KEY_BYTES);
+    process.env[ENV_KEY] = keyBytes.toString("hex");
+    const dbPath = path.join(tmpDir, "test.sqlite");
+    const resolved = resolveEncryptionKey(dbPath);
+    expect(resolved.equals(keyBytes)).toBe(true);
+  });
+
+  it("accepts a hex-encoded 32-byte key via SECRETS_ENCRYPTION_KEY_FILE", () => {
+    const keyBytes = randomBytes(AES_KEY_BYTES);
+    const keyPath = path.join(tmpDir, "hex.key");
+    writeFileSync(keyPath, keyBytes.toString("hex"));
+    process.env[ENV_KEY_FILE] = keyPath;
+    const dbPath = path.join(tmpDir, "test.sqlite");
+    const resolved = resolveEncryptionKey(dbPath);
+    expect(resolved.equals(keyBytes)).toBe(true);
+  });
+
+  it("accepts a hex-encoded 32-byte key via on-disk .encryption-key", () => {
+    const keyBytes = randomBytes(AES_KEY_BYTES);
+    const keyFilePath = path.join(tmpDir, ".encryption-key");
+    writeFileSync(keyFilePath, keyBytes.toString("hex"));
+    const dbPath = path.join(tmpDir, "test.sqlite");
+    const resolved = resolveEncryptionKey(dbPath);
+    expect(resolved.equals(keyBytes)).toBe(true);
+  });
+
+  it("accepts uppercase hex-encoded keys", () => {
+    const keyBytes = randomBytes(AES_KEY_BYTES);
+    process.env[ENV_KEY] = keyBytes.toString("hex").toUpperCase();
+    const dbPath = path.join(tmpDir, "test.sqlite");
+    const resolved = resolveEncryptionKey(dbPath);
+    expect(resolved.equals(keyBytes)).toBe(true);
+  });
+
   it("throws when SECRETS_ENCRYPTION_KEY_FILE points to a malformed file", () => {
     const keyPath = path.join(tmpDir, "bad.key");
     writeFileSync(keyPath, Buffer.alloc(10).toString("base64"));