@desplega.ai/agent-swarm 1.67.3 → 1.67.5

package/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.67.3",
+    "version": "1.67.5",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.67.3",
+  "version": "1.67.5",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/be/db.ts

@@ -57,6 +57,7 @@ import type {
   WorkflowVersion,
 } from "../types";
 import { deriveProviderFromKeyType } from "../utils/credentials";
+import { scrubSecrets } from "../utils/secret-scrubber";
 import { decryptSecret, encryptSecret, getEncryptionKey, resolveEncryptionKey } from "./crypto";
 import { normalizeDate, normalizeDateRequired } from "./date-utils";
 import { runMigrations } from "./migrations/runner";
@@ -3408,7 +3409,11 @@ export function createSessionLogs(logs: {
         logs.sessionId,
         logs.iteration,
         logs.cli,
-        line,
+        // Defense-in-depth: callers (runner.ts → POST /api/session-logs) send
+        // content that is already scrubbed at the adapter emit site. We scrub
+        // again here so any future write path that bypasses the adapter still
+        // lands clean text in the persistent session_logs table.
+        scrubSecrets(line),
         i,
       );
     }

package/src/http/core.ts

@@ -14,6 +14,7 @@ import { initGitHub, resetGitHub } from "../github";
 import { initLinear, resetLinear } from "../linear";
 import { startSlackApp, stopSlackApp } from "../slack";
 import type { AgentStatus } from "../types";
+import { refreshSecretScrubberCache } from "../utils/secret-scrubber";
 import { generateOpenApiSpec, SCALAR_HTML } from "./openapi";
 import { agentWithCapacity, parseQueryParams } from "./utils";
 
@@ -34,6 +35,11 @@ export function loadGlobalConfigsIntoEnv(override = false): string[] {
       updated.push(config.key);
     }
   }
+  // The scrubber caches process.env-derived secret values; invalidate so the
+  // next scrub picks up any new/rotated secrets we just injected.
+  if (updated.length > 0) {
+    refreshSecretScrubberCache();
+  }
   return updated;
 }
 

package/src/providers/claude-adapter.ts

@@ -7,6 +7,7 @@ import {
   SessionErrorTracker,
   trackErrorFromJson,
 } from "../utils/error-tracker";
+import { scrubSecrets } from "../utils/secret-scrubber";
 import type {
   CostData,
   ProviderAdapter,
@@ -278,7 +279,9 @@ class ClaudeSession implements ProviderSession {
       for await (const chunk of stdout) {
         stdoutChunks++;
         const text = new TextDecoder().decode(chunk);
-        logFileHandle.write(text);
+        // Scrub before every log-egress point: file write, listener emit, and
+        // downstream pretty-print / session-logs push (all consume event.content).
+        logFileHandle.write(scrubSecrets(text));
 
         const combined = partialLine + text;
         const parts = combined.split("\n");
@@ -288,7 +291,7 @@ class ClaudeSession implements ProviderSession {
           const trimmed = line.trim();
           if (!trimmed) continue;
 
-          this.emit({ type: "raw_log", content: trimmed });
+          this.emit({ type: "raw_log", content: scrubSecrets(trimmed) });
           this.processJsonLine(trimmed, (cost) => {
             lastCost = cost;
           });
@@ -297,7 +300,7 @@ class ClaudeSession implements ProviderSession {
 
       // Handle remaining partial line
       if (partialLine.trim()) {
-        this.emit({ type: "raw_log", content: partialLine.trim() });
+        this.emit({ type: "raw_log", content: scrubSecrets(partialLine.trim()) });
         this.processJsonLine(partialLine.trim(), (cost) => {
           lastCost = cost;
         });
@@ -314,10 +317,11 @@ class ClaudeSession implements ProviderSession {
         const text = new TextDecoder().decode(chunk);
         stderrOutput += text;
         parseStderrForErrors(text, this.errorTracker);
+        const scrubbedText = scrubSecrets(text);
         logFileHandle.write(
-          `${JSON.stringify({ type: "stderr", content: text, timestamp: new Date().toISOString() })}\n`,
+          `${JSON.stringify({ type: "stderr", content: scrubbedText, timestamp: new Date().toISOString() })}\n`,
         );
-        this.emit({ type: "raw_stderr", content: text });
+        this.emit({ type: "raw_stderr", content: scrubbedText });
       }
     })();
 
@@ -337,7 +341,7 @@ class ClaudeSession implements ProviderSession {
 
     if (exitCode !== 0 && stderrOutput) {
       console.error(
-        `\x1b[31m[${this.config.role}] Full stderr for task ${this.config.taskId.slice(0, 8)}:\x1b[0m\n${stderrOutput}`,
+        `\x1b[31m[${this.config.role}] Full stderr for task ${this.config.taskId.slice(0, 8)}:\x1b[0m\n${scrubSecrets(stderrOutput)}`,
       );
     }
 

package/src/providers/codex-adapter.ts

@@ -64,6 +64,7 @@ import {
   type Usage,
   type WebSearchItem,
 } from "@openai/codex-sdk";
+import { scrubSecrets } from "../utils/secret-scrubber";
 import { type CodexAgentsMdHandle, writeCodexAgentsMd } from "./codex-agents-md";
 import {
   CODEX_DEFAULT_MODEL,
@@ -344,9 +345,17 @@ class CodexSession implements ProviderSession {
   }
 
   private emit(event: ProviderEvent): void {
+    // Scrub secret values from raw_log / raw_stderr content before any egress
+    // (log file write, listener dispatch, downstream session-logs push). Keeps
+    // secrets out of /workspace/logs/*.jsonl, the session_logs SQLite table,
+    // and container stdout (pretty-print consumes event.content).
+    const scrubbed: ProviderEvent =
+      event.type === "raw_log" || event.type === "raw_stderr"
+        ? { ...event, content: scrubSecrets(event.content) }
+        : event;
     try {
       this.logFileHandle.write(
-        `${JSON.stringify({ ...event, timestamp: new Date().toISOString() })}\n`,
+        `${JSON.stringify({ ...scrubbed, timestamp: new Date().toISOString() })}\n`,
       );
     } catch {
       // Log writer failure must not break the event stream.
@@ -354,13 +363,13 @@ class CodexSession implements ProviderSession {
     if (this.listeners.length > 0) {
       for (const listener of this.listeners) {
         try {
-          listener(event);
+          listener(scrubbed);
         } catch {
           // Swallow listener errors — a bad listener must not kill the session.
         }
       }
     } else {
-      this.eventQueue.push(event);
+      this.eventQueue.push(scrubbed);
     }
   }
 

package/src/providers/pi-mono-adapter.ts

@@ -22,6 +22,7 @@ import {
   SessionManager,
 } from "@mariozechner/pi-coding-agent";
 import { type TSchema, Type } from "@sinclair/typebox";
+import { scrubSecrets } from "../utils/secret-scrubber";
 import { createSwarmHooksExtension } from "./pi-mono-extension";
 import { McpHttpClient } from "./pi-mono-mcp-client";
 import type {
@@ -164,17 +165,24 @@ class PiMonoSession implements ProviderSession {
   }
 
   private emit(event: ProviderEvent): void {
+    // Scrub secrets from raw_log / raw_stderr content before egress (log file
+    // write, listener dispatch, downstream session-logs push + pretty-print).
+    const scrubbed: ProviderEvent =
+      event.type === "raw_log" || event.type === "raw_stderr"
+        ? { ...event, content: scrubSecrets(event.content) }
+        : event;
+
     // Log all events
     this.logFileHandle.write(
-      `${JSON.stringify({ ...event, timestamp: new Date().toISOString() })}\n`,
+      `${JSON.stringify({ ...scrubbed, timestamp: new Date().toISOString() })}\n`,
     );
 
     if (this.listeners.length > 0) {
       for (const listener of this.listeners) {
-        listener(event);
+        listener(scrubbed);
       }
     } else {
-      this.eventQueue.push(event);
+      this.eventQueue.push(scrubbed);
     }
   }
 

package/src/slack/handlers.ts

@@ -13,7 +13,7 @@ import { resolveTemplate } from "../prompts/resolver";
 import { workflowEventBus } from "../workflows/event-bus";
 import { buildTreeBlocks, type TreeNode } from "./blocks";
 import type { SlackFile } from "./files";
-import { extractTaskFromMessage, routeMessage } from "./router";
+import { extractTaskFromMessage, hasOtherUserMention, routeMessage } from "./router";
 // Side-effect import: registers all Slack event templates in the in-memory registry
 import "./templates";
 import { bufferThreadMessage, getBufferMessageCount, instantFlush } from "./thread-buffer";
@@ -162,6 +162,12 @@ interface MessageEvent {
  * - `bot_id` present (newer Slack API, may lack subtype)
  * - `user` matches the bot's own user ID (catches edge cases where
  *    messages posted with `username` override lack `bot_id`)
+ *
+ * Note: intentionally does NOT filter on `app_id`/`bot_profile`/`username` —
+ * those signals also appear on human messages sent via Slack apps that proxy
+ * a user (e.g. Claude.ai's Slack integration sends with `app_id` + `bot_profile`
+ * set, but the poster is still a real human). Filtering those drops legitimate
+ * human @mentions of the swarm.
  */
 export function isBotMessage(
   event: { subtype?: string; bot_id?: string; user?: string },
@@ -439,8 +445,17 @@ export function registerMessageHandler(app: App): void {
       }
     }
 
-    // ADDITIVE_SLACK: Buffer non-mention thread messages
+    // ADDITIVE_SLACK: Buffer non-mention thread messages.
+    // Skip if the message @-mentions someone other than our bot (e.g. "@Devin wdyt?"):
+    // that message is directed at a different bot/user and must not be fed to
+    // the swarm as an implicit follow-up.
     if (additiveSlack && !botMentioned && msg.thread_ts && !requireMentionForThreadFollowup) {
+      if (hasOtherUserMention(effectiveText, botUserId)) {
+        console.log(
+          `[Slack] Skipping ADDITIVE buffer in ${msg.channel}/${msg.thread_ts}: message mentions another user`,
+        );
+        return;
+      }
       // Check if this thread has any swarm activity (existing tasks)
       const hasSwarmActivity = getAgentWorkingOnThread(msg.channel, msg.thread_ts) !== null;
 

package/src/slack/router.ts

@@ -6,6 +6,15 @@ export interface ThreadContext {
   threadTs: string;
 }
 
+/**
+ * Returns true if the text contains a `<@U...>` mention of anyone other than our bot.
+ * Exported for testing.
+ */
+export function hasOtherUserMention(text: string, botUserId: string): boolean {
+  const mentions = text.match(/<@([A-Z0-9]+)>/g) ?? [];
+  return mentions.some((m) => m !== `<@${botUserId}>`);
+}
+
 /**
  * Routes a Slack message to the appropriate agent(s) based on mentions.
  *
@@ -16,7 +25,7 @@ export interface ThreadContext {
  */
 export function routeMessage(
   text: string,
-  _botUserId: string,
+  botUserId: string,
   botMentioned: boolean,
   threadContext?: ThreadContext,
 ): AgentMatch[] {
@@ -46,8 +55,17 @@ export function routeMessage(
     }
   }
 
-  // Thread follow-up — route to agent already working in this thread
+  // Thread follow-up — route to agent already working in this thread.
+  // Skip if the message @-mentions someone other than our bot (e.g. "@Devin wdyt?")
+  // and does not mention our bot: that message is directed at a different bot/user,
+  // not a follow-up intended for the swarm.
   if (matches.length === 0 && threadContext && (!requireMentionForThreadFollowup || botMentioned)) {
+    if (!botMentioned && hasOtherUserMention(text, botUserId)) {
+      console.log(
+        `[Slack] Skipping thread follow-up in ${threadContext.channelId}/${threadContext.threadTs}: message mentions another user`,
+      );
+      return matches;
+    }
     const workingAgent = getAgentWorkingOnThread(threadContext.channelId, threadContext.threadTs);
     if (workingAgent && workingAgent.status !== "offline") {
       console.log(

package/src/tests/secret-scrubber.test.ts

@@ -0,0 +1,249 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { refreshSecretScrubberCache, scrubSecrets } from "../utils/secret-scrubber";
+
+// Snapshot/restore process.env between tests so env-derived cache entries
+// don't leak across cases.
+let savedEnv: Record<string, string | undefined>;
+
+beforeEach(() => {
+  savedEnv = { ...process.env };
+  refreshSecretScrubberCache();
+});
+
+afterEach(() => {
+  for (const k of Object.keys(process.env)) {
+    if (!(k in savedEnv)) delete process.env[k];
+  }
+  for (const [k, v] of Object.entries(savedEnv)) {
+    if (v === undefined) delete process.env[k];
+    else process.env[k] = v;
+  }
+  refreshSecretScrubberCache();
+});
+
+describe("scrubSecrets — edge cases", () => {
+  test("empty string passes through", () => {
+    expect(scrubSecrets("")).toBe("");
+  });
+
+  test("null returns empty string", () => {
+    expect(scrubSecrets(null)).toBe("");
+  });
+
+  test("undefined returns empty string", () => {
+    expect(scrubSecrets(undefined)).toBe("");
+  });
+
+  test("plain text with no secrets passes through untouched", () => {
+    const s = "hello world, this is a regular log line with no secrets";
+    expect(scrubSecrets(s)).toBe(s);
+  });
+});
+
+describe("scrubSecrets — env-based replacement", () => {
+  test("redacts exact GITHUB_TOKEN value from env", () => {
+    process.env.GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("Authorization: Bearer ghp_abcdefghijklmnopqrstuvwxyz0123456789 end");
+    expect(out).toBe("Authorization: Bearer [REDACTED:GITHUB_TOKEN] end");
+  });
+
+  test("redacts any key with _API_KEY suffix", () => {
+    process.env.FOO_SERVICE_API_KEY = "supersecretFooApiKey_longerthan12chars";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("key=supersecretFooApiKey_longerthan12chars tail");
+    expect(out).toBe("key=[REDACTED:FOO_SERVICE_API_KEY] tail");
+  });
+
+  test("redacts any key with _TOKEN suffix", () => {
+    process.env.WEIRD_SERVICE_TOKEN = "weirdserviceTOKENvalue_1234567890";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("t=weirdserviceTOKENvalue_1234567890");
+    expect(out).toBe("t=[REDACTED:WEIRD_SERVICE_TOKEN]");
+  });
+
+  test("redacts any key with _SECRET suffix", () => {
+    process.env.MY_OAUTH_CLIENT_SECRET = "oauthsecret_verylong_1234567890abcdef";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("secret=oauthsecret_verylong_1234567890abcdef");
+    expect(out).toBe("secret=[REDACTED:MY_OAUTH_CLIENT_SECRET]");
+  });
+
+  test("does not redact safe keys like MCP_BASE_URL even though they could otherwise match suffix heuristics", () => {
+    // MCP_BASE_URL is on the exception allowlist — must not get scrubbed.
+    process.env.MCP_BASE_URL = "https://api.swarm.example.com:3013";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("connecting to https://api.swarm.example.com:3013");
+    expect(out).toBe("connecting to https://api.swarm.example.com:3013");
+  });
+
+  test("does not redact values shorter than the minimum length (defense against false positives)", () => {
+    process.env.SHORT_TOKEN = "abc12"; // 5 chars, below threshold
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("contains abc12 somewhere");
+    expect(out).toBe("contains abc12 somewhere");
+  });
+
+  test("does not redact non-sensitive env vars", () => {
+    process.env.NODE_ENV = "production";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("env is production currently");
+    expect(out).toBe("env is production currently");
+  });
+
+  test("handles comma-separated pool values (scrubs both the full pool and each component)", () => {
+    process.env.POOL_TOKEN =
+      "ghp_poolfirst1234567890abcdefABCDEF1234567890,ghp_poolsecond1234567890abcdef1234567890AB";
+    refreshSecretScrubberCache();
+    const out = scrubSecrets("using ghp_poolfirst1234567890abcdefABCDEF1234567890");
+    expect(out).not.toContain("ghp_poolfirst1234567890abcdefABCDEF1234567890");
+    expect(out).toContain("[REDACTED:");
+  });
+
+  test("multi-secret line: both redacted", () => {
+    process.env.GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789";
+    process.env.OPENAI_API_KEY = "sk-proj-abcd1234567890EFGHefgh1234567890";
+    refreshSecretScrubberCache();
+    const input =
+      "gh=ghp_abcdefghijklmnopqrstuvwxyz0123456789 and openai=sk-proj-abcd1234567890EFGHefgh1234567890";
+    const out = scrubSecrets(input);
+    expect(out).toContain("[REDACTED:GITHUB_TOKEN]");
+    expect(out).toContain("[REDACTED:OPENAI_API_KEY]");
+    expect(out).not.toContain("ghp_abcdefghijklmnopqrstuvwxyz");
+    expect(out).not.toContain("sk-proj-abcd1234567890");
+  });
+
+  test("cache rebuilds after refresh when new secret is added", () => {
+    const out1 = scrubSecrets("no secret yet here_abcdefghij");
+    expect(out1).toBe("no secret yet here_abcdefghij");
+
+    process.env.NEW_SERVICE_API_KEY = "here_abcdefghij_andmore1234567890";
+    refreshSecretScrubberCache();
+    const out2 = scrubSecrets("value=here_abcdefghij_andmore1234567890");
+    expect(out2).toBe("value=[REDACTED:NEW_SERVICE_API_KEY]");
+  });
+});
+
+describe("scrubSecrets — regex patterns", () => {
+  test("redacts github_pat_ fine-grained PATs", () => {
+    const out = scrubSecrets("PAT: github_pat_11B4WKYAA0Qe95fajGmt3o_ABCDEF1234567890abcdef");
+    expect(out).toContain("[REDACTED:github_pat]");
+    expect(out).not.toContain("github_pat_11B4WKYAA");
+  });
+
+  test("redacts ghp_ classic tokens", () => {
+    const out = scrubSecrets("PAT: ghp_1234567890abcdefABCDEF1234567890ABCD end");
+    expect(out).toContain("[REDACTED:github_token]");
+    expect(out).not.toContain("ghp_1234567890abcdef");
+  });
+
+  test("redacts gho_ OAuth tokens", () => {
+    const out = scrubSecrets("OAuth: gho_abcdef1234567890ABCDEF1234567890abcd");
+    expect(out).toContain("[REDACTED:github_token]");
+  });
+
+  test("redacts ghs_ installation tokens", () => {
+    const out = scrubSecrets("Installation: ghs_abcdef1234567890ABCDEF1234567890abcd");
+    expect(out).toContain("[REDACTED:github_token]");
+  });
+
+  test("redacts glpat- GitLab PATs", () => {
+    const out = scrubSecrets("GL: glpat-abcdef1234567890ABCDEFgh");
+    expect(out).toContain("[REDACTED:gitlab_pat]");
+    expect(out).not.toContain("glpat-abcdef");
+  });
+
+  test("redacts sk-ant- Anthropic keys", () => {
+    const out = scrubSecrets("Anthropic: sk-ant-api03-abc123def456ghi789jkl012mno345");
+    expect(out).toContain("[REDACTED:anthropic_key]");
+    expect(out).not.toContain("sk-ant-api03");
+  });
+
+  test("redacts sk-proj- OpenAI project keys (preferred over legacy sk-)", () => {
+    const out = scrubSecrets("OpenAI: sk-proj-abcdefghijklmnopqrstuvwxyz012345");
+    expect(out).toContain("[REDACTED:openai_proj_key]");
+    expect(out).not.toContain("sk-proj-abcdefghijkl");
+  });
+
+  test("redacts legacy sk- keys (catch-all)", () => {
+    const out = scrubSecrets("Legacy: sk-abcdefghijklmnopqrstuvwxyz0123");
+    expect(out).toContain("[REDACTED:sk_key]");
+  });
+
+  test("redacts Slack xoxb tokens", () => {
+    const out = scrubSecrets("slack=xoxb-1234567890-0987654321-abcdefghij");
+    expect(out).toContain("[REDACTED:slack_token]");
+    expect(out).not.toContain("xoxb-1234567890");
+  });
+
+  test("redacts AWS access key IDs", () => {
+    const out = scrubSecrets("AWS: AKIAIOSFODNN7EXAMPLE in config");
+    expect(out).toContain("[REDACTED:aws_access_key]");
+    expect(out).not.toContain("AKIAIOSFODNN7EXAMPLE");
+  });
+
+  test("redacts Google AIza API keys", () => {
+    // Google API key shape: `AIza` + exactly 35 word chars.
+    const out = scrubSecrets("gapi: AIzaSyABCDEFGHIJKLMNOPQRSTUVWXYZ0123456 tail");
+    expect(out).toContain("[REDACTED:google_api_key]");
+    expect(out).not.toContain("AIzaSyABCDEFGHI");
+  });
+
+  test("redacts JWT-shaped tokens", () => {
+    const jwt =
+      "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
+    const out = scrubSecrets(`auth: ${jwt}`);
+    expect(out).toContain("[REDACTED:jwt]");
+    expect(out).not.toContain("eyJhbGciOiJIUzI1NiJ9");
+  });
+
+  test("regex patterns catch tokens even when env is empty", () => {
+    // Fresh env — no secrets registered — regex should still catch well-known shapes.
+    const out = scrubSecrets("token=ghp_1234567890abcdefABCDEF1234567890ABCD");
+    expect(out).toContain("[REDACTED:github_token]");
+  });
+});
+
+describe("scrubSecrets — does not over-scrub", () => {
+  test("the word 'token' in prose is not redacted", () => {
+    const s = "Please provide your access token in the Authorization header.";
+    expect(scrubSecrets(s)).toBe(s);
+  });
+
+  test("short strings are never redacted by regex", () => {
+    const out = scrubSecrets("gh pr ghp_short or ghp_ghp_ or ghp_abc");
+    // "ghp_abc" is only 7 chars — below the 20-char threshold.
+    expect(out).toBe("gh pr ghp_short or ghp_ghp_ or ghp_abc");
+  });
+
+  test("arbitrary base64 strings that don't match any credential shape are preserved", () => {
+    const b64 = "SGVsbG8gV29ybGQhIFRoaXMgaXMgbm90IGEgc2VjcmV0Lg==";
+    const out = scrubSecrets(`data: ${b64}`);
+    expect(out).toContain(b64);
+  });
+
+  test("idempotent — scrubbing an already-scrubbed string is a no-op", () => {
+    process.env.GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789";
+    refreshSecretScrubberCache();
+    const once = scrubSecrets("x=ghp_abcdefghijklmnopqrstuvwxyz0123456789");
+    const twice = scrubSecrets(once);
+    expect(twice).toBe(once);
+    expect(twice).toContain("[REDACTED:GITHUB_TOKEN]");
+  });
+
+  test("the `[REDACTED:...]` markers themselves don't get scrubbed", () => {
+    // Important: the marker strings include `_` so we need to ensure the regex
+    // patterns don't chew through `[REDACTED:github_pat]` etc.
+    const out = scrubSecrets("result=[REDACTED:github_token] OK");
+    expect(out).toBe("result=[REDACTED:github_token] OK");
+  });
+
+  test("preserves placeholder-style fake tokens in docs without env registration", () => {
+    // "ghp_YOUR_TOKEN_HERE" matches the regex because it has 17 chars after
+    // ghp_ which is > 20 total — but we'd rather scrub than leak, so accept
+    // this as expected (no test assertion that it's preserved).
+    // Instead, assert a shorter placeholder is NOT scrubbed.
+    const out = scrubSecrets("example: ghp_TOKEN and glpat-xyz (both too short)");
+    expect(out).toBe("example: ghp_TOKEN and glpat-xyz (both too short)");
+  });
+});

package/src/tests/slack-bot-filter.test.ts

@@ -0,0 +1,156 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { unlinkSync } from "node:fs";
+import { closeDb, createAgent, createTaskExtended, initDb } from "../be/db";
+import { isBotMessage } from "../slack/handlers";
+import { hasOtherUserMention, routeMessage } from "../slack/router";
+import type { Agent } from "../types";
+
+const TEST_DB_PATH = "./test-slack-bot-filter.sqlite";
+
+let leadAgent: Agent;
+let workerAgent: Agent;
+
+beforeAll(() => {
+  initDb(TEST_DB_PATH);
+  leadAgent = createAgent({
+    name: "filter-lead",
+    isLead: true,
+    status: "idle",
+    capabilities: [],
+  });
+  workerAgent = createAgent({
+    name: "filter-worker",
+    isLead: false,
+    status: "idle",
+    capabilities: [],
+  });
+});
+
+afterAll(() => {
+  closeDb();
+  try {
+    unlinkSync(TEST_DB_PATH);
+    unlinkSync(`${TEST_DB_PATH}-wal`);
+    unlinkSync(`${TEST_DB_PATH}-shm`);
+  } catch {
+    // ignore
+  }
+});
+
+describe("isBotMessage", () => {
+  const BOT_ID = "UBOT123";
+
+  test("plain human message → false", () => {
+    expect(isBotMessage({ user: "UHUMAN" }, BOT_ID)).toBe(false);
+  });
+
+  test("subtype bot_message → true", () => {
+    expect(isBotMessage({ subtype: "bot_message", user: "UHUMAN" }, BOT_ID)).toBe(true);
+  });
+
+  test("bot_id present → true", () => {
+    expect(isBotMessage({ bot_id: "B001", user: "UHUMAN" }, BOT_ID)).toBe(true);
+  });
+
+  test("own bot user ID (self-posted) → true", () => {
+    expect(isBotMessage({ user: BOT_ID }, BOT_ID)).toBe(true);
+  });
+
+  test("empty event with no bot signals → false", () => {
+    expect(isBotMessage({ user: "UHUMAN" }, BOT_ID)).toBe(false);
+  });
+});
+
+describe("hasOtherUserMention", () => {
+  const BOT_ID = "UBOT123";
+
+  test("no mentions → false", () => {
+    expect(hasOtherUserMention("hello everyone", BOT_ID)).toBe(false);
+  });
+
+  test("only our bot mentioned → false", () => {
+    expect(hasOtherUserMention(`hey <@${BOT_ID}> pls`, BOT_ID)).toBe(false);
+  });
+
+  test("different user mentioned → true", () => {
+    expect(hasOtherUserMention("hey <@UDEVIN01> wdyt", BOT_ID)).toBe(true);
+  });
+
+  test("our bot AND another user mentioned → true", () => {
+    expect(hasOtherUserMention(`<@${BOT_ID}> and <@UDEVIN01> hi`, BOT_ID)).toBe(true);
+  });
+});
+
+describe("routeMessage — thread follow-up skips messages aimed at other users", () => {
+  const BOT_ID = "UBOT123";
+
+  test("plain follow-up (no mentions) still routes to active worker", () => {
+    const channelId = "C_BF_100";
+    const threadTs = "1100.0001";
+    createTaskExtended("original", {
+      agentId: workerAgent.id,
+      source: "slack",
+      slackChannelId: channelId,
+      slackThreadTs: threadTs,
+      slackUserId: "U_HUMAN",
+    });
+
+    const matches = routeMessage("and also the weather", BOT_ID, false, {
+      channelId,
+      threadTs,
+    });
+
+    expect(matches).toHaveLength(1);
+    expect(matches[0].agent.id).toBe(workerAgent.id);
+  });
+
+  test("follow-up mentioning another bot (Devin) does NOT route", () => {
+    const channelId = "C_BF_200";
+    const threadTs = "1200.0001";
+    createTaskExtended("original", {
+      agentId: workerAgent.id,
+      source: "slack",
+      slackChannelId: channelId,
+      slackThreadTs: threadTs,
+      slackUserId: "U_HUMAN",
+    });
+
+    const matches = routeMessage("<@UDEVIN01> wdyt?", BOT_ID, false, {
+      channelId,
+      threadTs,
+    });
+
+    expect(matches).toHaveLength(0);
+  });
+
+  test("follow-up mentioning BOTH our bot and another bot routes to swarm", () => {
+    const channelId = "C_BF_300";
+    const threadTs = "1300.0001";
+    createTaskExtended("original", {
+      agentId: workerAgent.id,
+      source: "slack",
+      slackChannelId: channelId,
+      slackThreadTs: threadTs,
+      slackUserId: "U_HUMAN",
+    });
+
+    const matches = routeMessage(`<@${BOT_ID}> and <@UDEVIN01> please coordinate`, BOT_ID, true, {
+      channelId,
+      threadTs,
+    });
+
+    expect(matches).toHaveLength(1);
+    expect(matches[0].agent.id).toBe(workerAgent.id);
+  });
+
+  test("no thread activity + only another bot mentioned → no match", () => {
+    const matches = routeMessage("<@UDEVIN01> hi", BOT_ID, false, {
+      channelId: "C_BF_400",
+      threadTs: "1400.0001",
+    });
+
+    expect(matches).toHaveLength(0);
+    // Silence unused lead warning — lead exists but should not be routed to
+    expect(leadAgent.id).toBeDefined();
+  });
+});

package/src/utils/secret-scrubber.ts

@@ -0,0 +1,231 @@
+/**
+ * Runtime secret scrubber for log/stdout/stderr emission.
+ *
+ * Exported `scrubSecrets(text)` replaces known sensitive values with
+ * `[REDACTED:<name>]` placeholders. Used at every text-egress point (adapter
+ * log files, session-log uploads, pretty-printed stdout, stderr dumps) so
+ * credentials set via `swarm_config` or container env never leak into
+ * /workspace/logs/*.jsonl, the `session_logs` SQLite table, or container
+ * stdout shipped to log aggregators.
+ *
+ * Two sources are combined:
+ *   1. `process.env` values of known-sensitive keys (either exact names or
+ *      suffix-matched like *_API_KEY, *_TOKEN, *_SECRET). These are the
+ *      concrete strings the worker actually holds.
+ *   2. Structural regex patterns for well-known token shapes (GitHub PATs,
+ *      OpenAI keys, Slack tokens, JWTs, …). Covers cases where a secret
+ *      arrived via a tool result without ever being in our env.
+ *
+ * This module is deliberately worker/API neutral — it reads only from
+ * `process.env` so it can be imported from both sides without violating the
+ * API↔worker DB boundary (scripts/check-db-boundary.sh).
+ */
+
+/** Env-var names that are always considered secrets, even without suffix hints. */
+const SENSITIVE_KEY_EXACT = new Set<string>([
+  "API_KEY",
+  "SECRETS_ENCRYPTION_KEY",
+  "GITHUB_TOKEN",
+  "GITLAB_TOKEN",
+  "CLAUDE_CODE_OAUTH_TOKEN",
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "OPENROUTER_API_KEY",
+  "SLACK_BOT_TOKEN",
+  "SLACK_SIGNING_SECRET",
+  "SLACK_CLIENT_SECRET",
+  "SLACK_USER_TOKEN",
+  "SLACK_APP_TOKEN",
+  "SENTRY_AUTH_TOKEN",
+  "VERCEL_TOKEN",
+  "RESEND_API_KEY",
+  "AGENTMAIL_API_KEY",
+  "AGENT_FS_API_KEY",
+  "BUSINESS_USE_API_KEY",
+  "QA_USE_API_KEY",
+  "DOCS_API_KEY",
+  "DOKPLOY_API_KEY",
+  "DEVTO_API_KEY",
+  "ELEVENLABS_API_KEY",
+  "ENGINY_API_KEY",
+  "OPENFORT_API_KEY",
+  "OPENFORT_TEST_SECRET_KEY",
+  "OPENFORT_TEST_WALLET_PRIVATE_KEY",
+  "OPENFORT_WALLET_SECRET",
+  "TURSO_API_TOKEN",
+  "TURSO_DB_TOKEN",
+  "TURSO_X_POSTS_DB_TOKEN",
+  "BROWSER_USE_API_KEY",
+  "PLAUSIBLE_API_KEY",
+  "IMGFLIP_PASSWORD",
+  "GSC_SERVICE_ACCOUNT_BASE64",
+  "LINEAR_API_KEY",
+  "LINEAR_OAUTH_CLIENT_SECRET",
+]);
+
+/** Suffixes that mark an env-var value as sensitive by convention. */
+const SENSITIVE_KEY_SUFFIXES = ["_API_KEY", "_TOKEN", "_SECRET", "_PASSWORD", "_PRIVATE_KEY"];
+
+/** Keys that match the sensitive suffix heuristic but are actually safe URLs/configs. */
+const NON_SECRET_EXCEPTIONS = new Set<string>([
+  "MCP_BASE_URL",
+  "APP_URL",
+  "API_URL",
+  "TEMPLATE_REGISTRY_URL",
+]);
+
+/**
+ * Minimum length for an env-var value to be considered scrub-worthy.
+ * Short values (< 12 chars) cause false-positive replacements across
+ * legitimate log content (e.g. a 6-char password would collide with a user
+ * name). For short secrets we rely on the regex pass only.
+ */
+const MIN_VALUE_LENGTH = 12;
+
+/**
+ * Structural regex patterns for common credential shapes. Applied AFTER the
+ * env-value substitution pass so env-sourced replacements keep their
+ * human-readable `[REDACTED:<KEY_NAME>]` labels instead of the generic
+ * pattern name.
+ *
+ * Order matters when one pattern is a prefix of another (e.g. `sk-ant-` must
+ * match before the more general `sk-`).
+ */
+const TOKEN_REGEXES: ReadonlyArray<{ name: string; re: RegExp }> = [
+  // GitHub fine-grained PATs
+  { name: "github_pat", re: /github_pat_[A-Za-z0-9_]{20,}/g },
+  // GitHub classic/OAuth tokens (ghp_, gho_, ghu_, ghs_, ghr_)
+  { name: "github_token", re: /\bgh[pousr]_[A-Za-z0-9]{20,}\b/g },
+  // GitLab personal access tokens
+  { name: "gitlab_pat", re: /\bglpat-[A-Za-z0-9_-]{20,}\b/g },
+  // Anthropic API keys (must match before the generic sk- rule below)
+  { name: "anthropic_key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
+  // OpenAI project keys
+  { name: "openai_proj_key", re: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/g },
+  // OpenRouter keys
+  { name: "openrouter_key", re: /\bsk-or-(?:v1-)?[A-Za-z0-9_-]{20,}\b/g },
+  // Generic sk- legacy OpenAI keys (must come AFTER the ant/proj/or variants)
+  { name: "sk_key", re: /\bsk-[A-Za-z0-9]{20,}\b/g },
+  // Slack tokens
+  { name: "slack_token", re: /\bxox[baprseo]-[A-Za-z0-9-]{10,}\b/g },
+  // AWS access key IDs
+  { name: "aws_access_key", re: /\bAKIA[0-9A-Z]{16}\b/g },
+  // Google API keys
+  { name: "google_api_key", re: /\bAIza[A-Za-z0-9_-]{35}\b/g },
+  // JWTs (3 dot-separated base64url segments)
+  {
+    name: "jwt",
+    re: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+  },
+];
+
+interface EnvValueEntry {
+  value: string;
+  name: string;
+}
+
+interface ScrubCache {
+  entries: EnvValueEntry[];
+  snapshotKey: string;
+}
+
+let cache: ScrubCache | null = null;
+
+/** Fingerprint current env so we can invalidate cache cheaply when it changes. */
+function snapshotEnv(): string {
+  const parts: string[] = [];
+  for (const key of Object.keys(process.env).sort()) {
+    if (!isSensitiveKey(key)) continue;
+    const v = process.env[key];
+    if (!v) continue;
+    parts.push(`${key}=${v.length}`);
+  }
+  return parts.join("|");
+}
+
+function isSensitiveKey(key: string): boolean {
+  if (NON_SECRET_EXCEPTIONS.has(key)) return false;
+  if (SENSITIVE_KEY_EXACT.has(key)) return true;
+  for (const suffix of SENSITIVE_KEY_SUFFIXES) {
+    if (key.endsWith(suffix)) return true;
+  }
+  return false;
+}
+
+function buildCache(): ScrubCache {
+  const entries: EnvValueEntry[] = [];
+  const seen = new Set<string>();
+
+  for (const [key, rawValue] of Object.entries(process.env)) {
+    if (!rawValue) continue;
+    if (!isSensitiveKey(key)) continue;
+
+    // Credential pools: a single env var may hold a comma-separated list of
+    // tokens that the runner rotates through. Scrub each component too.
+    const candidates = rawValue.includes(",")
+      ? [rawValue, ...rawValue.split(",").map((s) => s.trim())]
+      : [rawValue];
+
+    for (const candidate of candidates) {
+      if (!candidate) continue;
+      if (candidate.length < MIN_VALUE_LENGTH) continue;
+      if (seen.has(candidate)) continue;
+      seen.add(candidate);
+      entries.push({ value: candidate, name: key });
+    }
+  }
+
+  // Replace longer values before shorter ones so prefix-overlapping secrets
+  // don't mangle each other (rare but possible with pool values).
+  entries.sort((a, b) => b.value.length - a.value.length);
+
+  return { entries, snapshotKey: snapshotEnv() };
+}
+
+function getCache(): ScrubCache {
+  const current = snapshotEnv();
+  if (!cache || cache.snapshotKey !== current) {
+    cache = buildCache();
+  }
+  return cache;
+}
+
+/**
+ * Replace known secret values in `text` with `[REDACTED:<name>]` markers.
+ * Null/undefined inputs return an empty string. Empty strings pass through.
+ */
+export function scrubSecrets(text: string | null | undefined): string {
+  if (text == null) return "";
+  if (text.length === 0) return text;
+
+  let out = text;
+
+  // Pass 1: exact-match env values (preserves the env-var name in the marker
+  // for debugging).
+  const { entries } = getCache();
+  for (const { value, name } of entries) {
+    if (out.includes(value)) {
+      // split/join is O(n) and faster than building a RegExp for every value.
+      out = out.split(value).join(`[REDACTED:${name}]`);
+    }
+  }
+
+  // Pass 2: structural patterns (catches secrets we never saw in env, e.g.
+  // a token pasted into a tool_result by the operator or fetched from a
+  // third-party API during a task).
+  for (const { name, re } of TOKEN_REGEXES) {
+    out = out.replace(re, `[REDACTED:${name}]`);
+  }
+
+  return out;
+}
+
+/**
+ * Force the env-value cache to rebuild on the next scrub call. Callers should
+ * invoke this whenever the swarm_config is reloaded (`/internal/reload-config`
+ * on the API, credential-selection on the worker) so new secrets get covered
+ * immediately.
+ */
+export function refreshSecretScrubberCache(): void {
+  cache = null;
+}