@desplega.ai/agent-swarm 1.69.0 → 1.70.0

package/src/hooks/hook.ts

@@ -355,8 +355,10 @@ export async function handleHook(): Promise<void> {
     }
   };
 
-  // Minimum length for SOUL.md and IDENTITY.md to prevent accidental corruption
-  const IDENTITY_FILE_MIN_LENGTH = 100;
+  // Minimum length for SOUL.md and IDENTITY.md to prevent accidental corruption.
+  // Raised from 100 to 500 after Picateclas profile corruption recurrences where
+  // a 234-char test sentinel payload was syncing into the real agent's DB row.
+  const IDENTITY_FILE_MIN_LENGTH = 500;
 
   /**
    * Sync SOUL.md and IDENTITY.md content back to the server

package/src/http/core.ts

@@ -16,7 +16,27 @@ import { startSlackApp, stopSlackApp } from "../slack";
 import type { AgentStatus } from "../types";
 import { refreshSecretScrubberCache } from "../utils/secret-scrubber";
 import { generateOpenApiSpec, SCALAR_HTML } from "./openapi";
-import { agentWithCapacity, parseQueryParams } from "./utils";
+import { routeRegistry } from "./route-def";
+import { agentWithCapacity, getPathSegments, matchRoute, parseQueryParams } from "./utils";
+
+/**
+ * Check whether a request targets a route declared (via the `route()` factory)
+ * with `auth: { apiKey: false }` — i.e. one that opts out of the API-key
+ * bearer check. Handler files must use the `route()` factory for this to take
+ * effect; unknown paths fail closed (auth required).
+ */
+function isPublicRoute(method: string | undefined, pathSegments: string[]): boolean {
+  for (const def of routeRegistry) {
+    if (def.auth?.apiKey === false) {
+      if (
+        matchRoute(method, pathSegments, def.method.toUpperCase(), def.pattern, def.exact ?? true)
+      ) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
 
 /**
  * Load global swarm_config entries into process.env.
@@ -121,31 +141,21 @@ export async function handleCore(
     return true;
   }
 
-  // API key authentication (if API_KEY is configured)
-  // Skip auth for webhooks (they have their own signature verification)
-  const isGitHubWebhook = req.url?.startsWith("/api/github/webhook");
-  const isGitLabWebhook = req.url?.startsWith("/api/gitlab/webhook");
-  const isAgentMailWebhook = req.url?.startsWith("/api/agentmail/webhook");
-  const isTrackerAuth =
-    req.url?.startsWith("/api/trackers/linear/authorize") ||
-    req.url?.startsWith("/api/trackers/linear/callback") ||
-    req.url?.startsWith("/api/trackers/linear/webhook");
-  const isWorkflowWebhook = req.url?.startsWith("/api/webhooks/");
-  if (
-    apiKey &&
-    !isGitHubWebhook &&
-    !isGitLabWebhook &&
-    !isAgentMailWebhook &&
-    !isTrackerAuth &&
-    !isWorkflowWebhook
-  ) {
-    const authHeader = req.headers.authorization;
-    const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
-    if (providedKey !== apiKey) {
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Unauthorized" }));
-      return true;
+  // API-key authentication (if API_KEY is configured). Routes that opt out via
+  // `route({ auth: { apiKey: false } })` — webhooks, OAuth provider callbacks,
+  // etc. — are skipped based on the central `routeRegistry`. Unknown paths
+  // fall through to the bearer check (fail-closed).
+  if (apiKey) {
+    const pathSegments = getPathSegments(req.url || "");
+    if (!isPublicRoute(req.method, pathSegments)) {
+      const authHeader = req.headers.authorization;
+      const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+      if (providedKey !== apiKey) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Unauthorized" }));
+        return true;
+      }
     }
   }
 

package/src/http/mcp-oauth.ts

@@ -158,6 +158,27 @@ const authorizeRoute = route({
   },
 });
 
+const authorizeUrlRoute = route({
+  method: "get",
+  path: "/api/mcp-oauth/{mcpServerId}/authorize-url",
+  pattern: ["api", "mcp-oauth", null, "authorize-url"],
+  summary:
+    "Build an OAuth authorize URL. Returns JSON so the browser can navigate without losing the Bearer auth header.",
+  tags: ["MCP OAuth"],
+  auth: { apiKey: true },
+  params: z.object({ mcpServerId: z.string() }),
+  query: z.object({
+    redirect: z.string().optional(),
+    userId: z.string().optional(),
+    scopes: z.string().optional(),
+  }),
+  responses: {
+    200: { description: "{ providerUrl: string }" },
+    400: { description: "MCP has no URL / does not require OAuth" },
+    404: { description: "MCP server not found" },
+  },
+});
+
 const callbackRoute = route({
   method: "get",
   path: "/api/mcp-oauth/callback",
@@ -236,6 +257,86 @@ const manualClientRoute = route({
   },
 });
 
+// ─── Shared authorize flow ───────────────────────────────────────────────────
+
+interface AuthorizeFlowQuery {
+  redirect?: string;
+  userId?: string;
+  scopes?: string;
+}
+
+/**
+ * Discover metadata, DCR-register (or fail), build the authorize URL, and
+ * persist the pending session. Returns the provider `providerUrl` the caller
+ * should redirect to / respond with. On failure, writes a JSON error response
+ * and returns null.
+ */
+async function prepareAuthorizeFlow(
+  res: ServerResponse,
+  mcpServerId: string,
+  server: NonNullable<ReturnType<typeof getMcpServerById>>,
+  q: AuthorizeFlowQuery,
+): Promise<string | null> {
+  const discovery = await discoverForMcp(server.url!);
+  if (!discovery) {
+    jsonError(res, "MCP server does not require OAuth", 400);
+    return null;
+  }
+
+  let clientId: string | null = null;
+  let clientSecret: string | null = null;
+  if (discovery.dcrSupported && discovery.registrationEndpoint) {
+    const dcr = await registerClient(discovery.registrationEndpoint, {
+      client_name: `agent-swarm (${server.name})`,
+      redirect_uris: [callbackRedirectUri()],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "client_secret_basic",
+      application_type: "web",
+      scope: (q.scopes ?? discovery.scopes.join(" ")) || undefined,
+    });
+    clientId = dcr.client_id;
+    clientSecret = dcr.client_secret ?? null;
+  } else {
+    jsonError(
+      res,
+      "DCR not supported — paste client_id/client_secret via POST /api/mcp-oauth/:id/manual-client first.",
+      400,
+    );
+    return null;
+  }
+
+  const scopes = q.scopes ? q.scopes.split(" ").filter(Boolean) : discovery.scopes;
+
+  const built = await buildAuthorizeUrl({
+    authorizeUrl: discovery.authorizeUrl,
+    tokenUrl: discovery.tokenUrl,
+    clientId: clientId!,
+    redirectUri: callbackRedirectUri(),
+    scopes,
+    resource: discovery.resourceUrl,
+  });
+
+  insertMcpOAuthPending({
+    state: built.state,
+    mcpServerId,
+    userId: q.userId ?? null,
+    codeVerifier: built.codeVerifier,
+    resourceUrl: discovery.resourceUrl,
+    authorizationServerIssuer: discovery.authorizationServerIssuer,
+    authorizeUrl: discovery.authorizeUrl,
+    tokenUrl: discovery.tokenUrl,
+    revocationUrl: discovery.revocationUrl,
+    scopes: scopes.join(" "),
+    dcrClientId: clientId!,
+    dcrClientSecret: clientSecret,
+    redirectUri: callbackRedirectUri(),
+    finalRedirect: q.redirect ?? null,
+  });
+
+  return built.url;
+}
+
 // ─── Handler ─────────────────────────────────────────────────────────────────
 
 export async function handleMcpOAuth(
@@ -398,69 +499,40 @@ export async function handleMcpOAuth(
     if (!server) return true;
 
     try {
-      const discovery = await discoverForMcp(server.url!);
-      if (!discovery) {
-        jsonError(res, "MCP server does not require OAuth", 400);
-        return true;
-      }
-
-      // Dynamic Client Registration if supported, otherwise expect the user to
-      // have already called /manual-client.
-      let clientId: string | null = null;
-      let clientSecret: string | null = null;
-      if (discovery.dcrSupported && discovery.registrationEndpoint) {
-        const dcr = await registerClient(discovery.registrationEndpoint, {
-          client_name: `agent-swarm (${server.name})`,
-          redirect_uris: [callbackRedirectUri()],
-          grant_types: ["authorization_code", "refresh_token"],
-          response_types: ["code"],
-          token_endpoint_auth_method: "client_secret_basic",
-          application_type: "web",
-          scope: (parsed.query.scopes ?? discovery.scopes.join(" ")) || undefined,
-        });
-        clientId = dcr.client_id;
-        clientSecret = dcr.client_secret ?? null;
-      } else {
-        jsonError(
-          res,
-          "DCR not supported — paste client_id/client_secret via POST /api/mcp-oauth/:id/manual-client first.",
-          400,
-        );
-        return true;
-      }
+      const providerUrl = await prepareAuthorizeFlow(
+        res,
+        parsed.params.mcpServerId,
+        server,
+        parsed.query,
+      );
+      if (!providerUrl) return true;
+      res.writeHead(302, { Location: providerUrl });
+      res.end();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      jsonError(res, `Authorize failed: ${message}`, 502);
+    }
+    return true;
+  }
 
-      const scopes = parsed.query.scopes
-        ? parsed.query.scopes.split(" ").filter(Boolean)
-        : discovery.scopes;
-
-      const built = await buildAuthorizeUrl({
-        authorizeUrl: discovery.authorizeUrl,
-        tokenUrl: discovery.tokenUrl,
-        clientId: clientId!,
-        redirectUri: callbackRedirectUri(),
-        scopes,
-        resource: discovery.resourceUrl,
-      });
+  // GET /api/mcp-oauth/:id/authorize-url — JSON variant of /authorize so the
+  // dashboard can fetch the provider URL with Bearer auth and then navigate.
+  if (authorizeUrlRoute.match(req.method, pathSegments)) {
+    const parsed = await authorizeUrlRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
 
-      insertMcpOAuthPending({
-        state: built.state,
-        mcpServerId: parsed.params.mcpServerId,
-        userId: parsed.query.userId ?? null,
-        codeVerifier: built.codeVerifier,
-        resourceUrl: discovery.resourceUrl,
-        authorizationServerIssuer: discovery.authorizationServerIssuer,
-        authorizeUrl: discovery.authorizeUrl,
-        tokenUrl: discovery.tokenUrl,
-        revocationUrl: discovery.revocationUrl,
-        scopes: scopes.join(" "),
-        dcrClientId: clientId!,
-        dcrClientSecret: clientSecret,
-        redirectUri: callbackRedirectUri(),
-        finalRedirect: parsed.query.redirect ?? null,
-      });
+    const server = getMcpOrError(res, parsed.params.mcpServerId);
+    if (!server) return true;
 
-      res.writeHead(302, { Location: built.url });
-      res.end();
+    try {
+      const providerUrl = await prepareAuthorizeFlow(
+        res,
+        parsed.params.mcpServerId,
+        server,
+        parsed.query,
+      );
+      if (!providerUrl) return true;
+      json(res, { providerUrl });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
       jsonError(res, `Authorize failed: ${message}`, 502);

package/src/http/mcp-servers.ts

@@ -243,7 +243,11 @@ export async function handleMcpServers(
             try {
               const token = await ensureMcpToken(server.id);
               if (token && token.status === "connected") {
-                const prefix = token.tokenType || "Bearer";
+                // Normalize the bearer scheme to capital "Bearer": some resource
+                // servers reject the lowercase "bearer" RFC 6749 returns (issue #368).
+                // Non-bearer schemes (e.g. "MAC") are preserved verbatim.
+                const rawType = token.tokenType || "Bearer";
+                const prefix = rawType.toLowerCase() === "bearer" ? "Bearer" : rawType;
                 resolvedHeaders.Authorization = `${prefix} ${token.accessToken}`;
               } else if (!token) {
                 authError = "No OAuth token for this MCP server";

package/src/http/schedules.ts

@@ -3,7 +3,6 @@ import { CronExpressionParser } from "cron-parser";
 import { z } from "zod";
 import {
   createScheduledTask,
-  createTaskExtended,
   deleteScheduledTask,
   getAgentById,
   getDb,
@@ -12,6 +11,8 @@ import {
   updateScheduledTask,
 } from "../be/db";
 import { calculateNextRun } from "../scheduler/scheduler";
+import { scheduleContextKey } from "../tasks/context-key";
+import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
 import { getExecutorRegistry } from "../workflows";
 import { handleScheduleTrigger } from "../workflows/triggers";
 import { route } from "./route-def";
@@ -285,7 +286,7 @@ export async function handleSchedules(
       const now = new Date().toISOString();
 
       const task = getDb().transaction(() => {
-        const createdTask = createTaskExtended(schedule.taskTemplate, {
+        const createdTask = createTaskWithSiblingAwareness(schedule.taskTemplate, {
           creatorAgentId: schedule.createdByAgentId,
           taskType: schedule.taskType,
           tags: [...schedule.tags, "scheduled", `schedule:${schedule.name}`, "manual-run"],
@@ -294,6 +295,7 @@ export async function handleSchedules(
           model: schedule.model,
           scheduleId: schedule.id,
           source: "schedule",
+          contextKey: scheduleContextKey({ scheduleId: schedule.id }),
         });
 
         if (schedule.scheduleType === "one_time") {

package/src/http/tasks.ts

@@ -4,7 +4,6 @@ import { z } from "zod";
 import {
   cancelTask,
   completeTask,
-  createTaskExtended,
   failTask,
   getAllTasks,
   getDb,
@@ -19,6 +18,7 @@ import {
   updateTaskProgress,
   updateTaskVcs,
 } from "../be/db";
+import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
 import { telemetry } from "../telemetry";
 import { route } from "./route-def";
 import { json, jsonError } from "./utils";
@@ -63,6 +63,7 @@ const createTask = route({
     parentTaskId: z.string().optional(),
     source: z.string().optional(),
     outputSchema: z.record(z.string(), z.unknown()).optional(),
+    contextKey: z.string().optional(),
   }),
   responses: {
     201: { description: "Task created" },
@@ -240,7 +241,7 @@ export async function handleTasks(
     if (!parsed) return true;
 
     try {
-      const task = createTaskExtended(parsed.body.task, {
+      const task = createTaskWithSiblingAwareness(parsed.body.task, {
         agentId: parsed.body.agentId || undefined,
         creatorAgentId: myAgentId || undefined,
         taskType: parsed.body.taskType || undefined,
@@ -252,6 +253,7 @@ export async function handleTasks(
         parentTaskId: parsed.body.parentTaskId || undefined,
         source: (parsed.body.source as import("../types").AgentTaskSource) || "api",
         outputSchema: parsed.body.outputSchema || undefined,
+        contextKey: parsed.body.contextKey || undefined,
       });
 
       ensure({

package/src/linear/sync.ts

@@ -1,4 +1,4 @@
-import { cancelTask, createTaskExtended, getAllAgents, getTaskById, resolveUser } from "../be/db";
+import { cancelTask, getAllAgents, getTaskById, resolveUser } from "../be/db";
 import { getOAuthTokens } from "../be/db-queries/oauth";
 import {
   createTrackerSync,
@@ -8,6 +8,8 @@ import {
 } from "../be/db-queries/tracker";
 import { ensureToken } from "../oauth/ensure-token";
 import { resolveTemplate } from "../prompts/resolver";
+import { linearContextKey } from "../tasks/context-key";
+import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
 // Side-effect import: registers all Linear event templates in the in-memory registry
 import "./templates";
 
@@ -287,18 +289,26 @@ export async function handleAgentSessionEvent(event: Record<string, unknown>): P
   if (existing) {
     const existingTask = getTaskById(existing.swarmId);
 
-    // If the task is still active, acknowledge the new session but don't create a duplicate
+    // If the task is still active, post a user-visible response on the new
+    // session explaining that a sibling is already in flight and the new
+    // session can be closed. Do NOT create a duplicate swarm task. If the user
+    // wants to force a fresh run, they can re-assign the issue after the
+    // current task finishes.
     if (existingTask && !["completed", "failed", "cancelled"].includes(existingTask.status)) {
       console.log(
-        `[Linear Sync] Issue ${issueIdentifier} already tracked as active task ${existing.swarmId}, skipping`,
+        `[Linear Sync] Issue ${issueIdentifier} already tracked as active task ${existing.swarmId} (status: ${existingTask.status}), skipping duplicate`,
       );
       if (sessionId) {
         taskSessionMap.set(existingTask.id, sessionId);
-        acknowledgeAgentSession(
-          sessionId,
-          `This issue is already being worked on (task ${existing.swarmId}).`,
-        ).catch((err) => {
-          console.error("[Linear Sync] Failed to acknowledge duplicate AgentSession:", err);
+        const refuseMsg = [
+          `This issue is already being worked on — task \`${existing.swarmId}\` is currently \`${existingTask.status}\`.`,
+          "",
+          "To avoid duplicating work, I'm not starting a new session for this re-assignment. Progress on the active task will continue to be posted here.",
+          "",
+          "If you want to force a fresh run, wait for the current task to finish (or cancel it) and re-assign the issue.",
+        ].join("\n");
+        postAgentSessionResponse(sessionId, refuseMsg).catch((err) => {
+          console.error("[Linear Sync] Failed to post hard-refuse response:", err);
         });
       }
       return;
@@ -327,11 +337,12 @@ export async function handleAgentSessionEvent(event: Record<string, unknown>): P
     return;
   }
 
-  const task = createTaskExtended(templateResult.text, {
+  const task = createTaskWithSiblingAwareness(templateResult.text, {
     agentId: lead?.id ?? "",
     source: "linear",
     taskType: "linear-issue",
     requestedByUserId,
+    contextKey: linearContextKey({ issueIdentifier }),
   });
 
   // Delete old tracker_sync before creating new one (UNIQUE constraint)
@@ -570,11 +581,12 @@ export async function handleAgentSessionPrompted(event: Record<string, unknown>)
     return;
   }
 
-  const task = createTaskExtended(followupResult.text, {
+  const task = createTaskWithSiblingAwareness(followupResult.text, {
     agentId: lead?.id ?? "",
     source: "linear",
     taskType: "linear-issue",
     requestedByUserId: promptedRequestedByUserId,
+    contextKey: linearContextKey({ issueIdentifier }),
   });
 
   // Repoint the existing tracker_sync to the new follow-up task (can't create a

package/src/providers/claude-adapter.ts

@@ -106,6 +106,52 @@ async function fetchInstalledMcpServers(
   }
 }
 
+/**
+ * Merge a base MCP config (typically read from `.mcp.json`) with freshly-resolved
+ * installed servers from the API, and inject the per-task `X-Source-Task-Id` header
+ * into the `agent-swarm` entry.
+ *
+ * Precedence: installed servers from the API WIN over entries already in `.mcp.json`.
+ * This guards against stale credentials from a `.mcp.json` that was written once at
+ * container startup and never refreshed (see issue #369). The per-session fetch
+ * carries current OAuth tokens / rotated secrets / up-to-date installs.
+ *
+ * Exported for unit testing.
+ */
+export function mergeMcpConfig(
+  baseConfig: { mcpServers?: Record<string, unknown> } | null,
+  installedServers: Record<string, Record<string, unknown>> | null,
+  taskId: string,
+): { mcpServers: Record<string, unknown> } {
+  const config: { mcpServers: Record<string, unknown> } = {
+    mcpServers: { ...(baseConfig?.mcpServers ?? {}) },
+  };
+
+  // Installed servers from the API always win — fresh credentials replace stale ones.
+  if (installedServers) {
+    for (const [name, serverConfig] of Object.entries(installedServers)) {
+      config.mcpServers[name] = serverConfig;
+    }
+  }
+
+  // Find the agent-swarm server entry (could be named "agent-swarm" or similar)
+  const serverKey = Object.keys(config.mcpServers).find(
+    (k) =>
+      k === "agent-swarm" ||
+      ((config.mcpServers[k] as Record<string, unknown>)?.headers &&
+        ((config.mcpServers[k] as Record<string, Record<string, unknown>>).headers?.[
+          "X-Agent-ID"
+        ] as unknown)),
+  );
+  if (serverKey) {
+    const server = config.mcpServers[serverKey] as Record<string, unknown>;
+    if (!server.headers) server.headers = {};
+    (server.headers as Record<string, string>)["X-Source-Task-Id"] = taskId;
+  }
+
+  return config;
+}
+
 /**
  * Create a per-session MCP config file with X-Source-Task-Id header injected
  * and installed MCP servers merged in.
@@ -138,39 +184,14 @@ async function createSessionMcpConfig(
   if (!mcpJsonPath && !installedServers) return null;
 
   try {
-    let config: { mcpServers?: Record<string, unknown> } = { mcpServers: {} };
+    let baseConfig: { mcpServers?: Record<string, unknown> } = { mcpServers: {} };
     if (mcpJsonPath) {
       const file = Bun.file(mcpJsonPath);
-      config = await file.json();
-    }
-    const servers = config?.mcpServers;
-    if (!servers && !installedServers) return null;
-
-    if (!config.mcpServers) config.mcpServers = {};
-
-    // Find the agent-swarm server entry (could be named "agent-swarm" or similar)
-    const serverKey = Object.keys(config.mcpServers).find(
-      (k) =>
-        k === "agent-swarm" ||
-        ((config.mcpServers![k] as Record<string, unknown>)?.headers &&
-          ((config.mcpServers![k] as Record<string, Record<string, unknown>>).headers?.[
-            "X-Agent-ID"
-          ] as unknown)),
-    );
-    if (serverKey) {
-      const server = config.mcpServers[serverKey] as Record<string, unknown>;
-      if (!server.headers) server.headers = {};
-      (server.headers as Record<string, string>)["X-Source-Task-Id"] = taskId;
+      baseConfig = await file.json();
     }
+    if (!baseConfig?.mcpServers && !installedServers) return null;
 
-    // Merge installed MCP servers (don't overwrite existing entries)
-    if (installedServers) {
-      for (const [name, serverConfig] of Object.entries(installedServers)) {
-        if (!config.mcpServers[name]) {
-          config.mcpServers[name] = serverConfig;
-        }
-      }
-    }
+    const config = mergeMcpConfig(baseConfig, installedServers ?? null, taskId);
 
     // Write per-session config to /tmp — no race, each session has its own file
     const sessionConfigPath = `/tmp/mcp-${taskId}.json`;
@@ -212,6 +233,7 @@ class ClaudeSession implements ProviderSession {
     this.proc = Bun.spawn(cmd, {
       cwd: this.config.cwd,
       env: {
+        ENABLE_PROMPT_CACHING_1H: "1",
         ...(config.env || process.env),
         TASK_FILE: taskFilePath,
       } as Record<string, string>,

package/src/scheduler/scheduler.ts

@@ -1,12 +1,8 @@
 import { ensure } from "@desplega.ai/business-use";
 import { CronExpressionParser } from "cron-parser";
-import {
-  createTaskExtended,
-  getDb,
-  getDueScheduledTasks,
-  getScheduledTaskById,
-  updateScheduledTask,
-} from "@/be/db";
+import { getDb, getDueScheduledTasks, getScheduledTaskById, updateScheduledTask } from "@/be/db";
+import { scheduleContextKey } from "@/tasks/context-key";
+import { createTaskWithSiblingAwareness } from "@/tasks/sibling-awareness";
 import type { ScheduledTask } from "@/types";
 import type { ExecutorRegistry } from "@/workflows/executors/registry";
 import { handleScheduleTrigger } from "@/workflows/triggers";
@@ -49,7 +45,7 @@ async function recoverMissedSchedules(): Promise<void> {
 
       if (!triggeredWorkflows) {
         const tx = getDb().transaction(() => {
-          createTaskExtended(schedule.taskTemplate, {
+          createTaskWithSiblingAwareness(schedule.taskTemplate, {
             creatorAgentId: schedule.createdByAgentId,
             taskType: schedule.taskType,
             tags: [...schedule.tags, "scheduled", `schedule:${schedule.name}`, "recovered"],
@@ -58,6 +54,7 @@ async function recoverMissedSchedules(): Promise<void> {
             model: schedule.model,
             scheduleId: schedule.id,
             source: "schedule",
+            contextKey: scheduleContextKey({ scheduleId: schedule.id }),
           });
         });
         tx();
@@ -153,7 +150,7 @@ async function executeSchedule(schedule: ScheduledTask): Promise<void> {
     if (!triggeredWorkflows) {
       // No workflows linked — create standalone task (existing behavior)
       getDb().transaction(() => {
-        createTaskExtended(schedule.taskTemplate, {
+        createTaskWithSiblingAwareness(schedule.taskTemplate, {
           creatorAgentId: schedule.createdByAgentId,
           taskType: schedule.taskType,
           tags: [...schedule.tags, "scheduled", `schedule:${schedule.name}`],
@@ -162,6 +159,7 @@ async function executeSchedule(schedule: ScheduledTask): Promise<void> {
           model: schedule.model,
           scheduleId: schedule.id,
           source: "schedule",
+          contextKey: scheduleContextKey({ scheduleId: schedule.id }),
         });
       })();
     }
@@ -343,7 +341,7 @@ export async function runScheduleNow(scheduleId: string): Promise<void> {
   if (!triggeredWorkflows) {
     // No workflows linked — create standalone task (existing behavior)
     getDb().transaction(() => {
-      createTaskExtended(schedule.taskTemplate, {
+      createTaskWithSiblingAwareness(schedule.taskTemplate, {
         creatorAgentId: schedule.createdByAgentId,
         taskType: schedule.taskType,
         tags: [...schedule.tags, "scheduled", `schedule:${schedule.name}`, "manual-run"],
@@ -352,6 +350,7 @@ export async function runScheduleNow(scheduleId: string): Promise<void> {
         model: schedule.model,
         scheduleId: schedule.id,
         source: "schedule",
+        contextKey: scheduleContextKey({ scheduleId: schedule.id }),
       });
     })();
   }

package/src/server.ts

@@ -77,6 +77,7 @@ import { registerSlackListChannelsTool } from "./tools/slack-list-channels";
 import { registerSlackPostTool } from "./tools/slack-post";
 import { registerSlackReadTool } from "./tools/slack-read";
 import { registerSlackReplyTool } from "./tools/slack-reply";
+import { registerSlackStartThreadTool } from "./tools/slack-start-thread";
 import { registerSlackUploadFileTool } from "./tools/slack-upload-file";
 import { registerStoreProgressTool } from "./tools/store-progress";
 // Swarm config tools
@@ -189,6 +190,7 @@ export function createServer() {
   registerSlackReplyTool(server);
   registerSlackReadTool(server);
   registerSlackPostTool(server);
+  registerSlackStartThreadTool(server);
   registerSlackListChannelsTool(server);
   registerSlackUploadFileTool(server);
   registerSlackDownloadFileTool(server);