@desplega.ai/agent-swarm 1.79.4 → 1.80.1

package/src/be/scripts/typecheck.ts

@@ -0,0 +1,193 @@
+import ts from "typescript";
+
+export type ScriptTypecheckResult = { ok: true } | { ok: false; diagnostics: string[] };
+
+export const SCRIPT_SDK_TYPES = `
+export type JsonValue = null | boolean | number | string | JsonValue[] | { [key: string]: JsonValue };
+export type ScriptScope = "agent" | "global";
+export type ScriptFsMode = "none" | "workspace-rw";
+
+export interface Redacted<T> {
+  readonly __redactedBrand?: T;
+  toString(): "<redacted>";
+  toJSON(): "<redacted>";
+}
+
+export interface RedactedStatic {
+  value<T>(self: Redacted<T>): T;
+  meta<T>(self: Redacted<T>): { type: "system" | "user"; isSecret: boolean };
+  isSecret<T>(self: Redacted<T>): boolean;
+}
+
+export interface SwarmConfig {
+  apiKey: Redacted<string>;
+  agentId: Redacted<string>;
+  mcpBaseUrl: Redacted<string>;
+  get<T = string>(key: string): Redacted<T> | undefined;
+}
+
+export interface SwarmSdk {
+  memory_search(args: { query: string; scope?: "all" | "agent" | "swarm"; limit?: number; source?: string }): Promise<unknown>;
+  memory_get(args: { memoryId: string }): Promise<unknown>;
+  memory_rate(args: { id: string; useful: boolean; note?: string }): Promise<unknown>;
+  task_list(args?: Record<string, unknown>): Promise<unknown>;
+  task_get(args: { taskId: string }): Promise<unknown>;
+  task_storeProgress(args: Record<string, unknown>): Promise<unknown>;
+  kv_get(args: { key: string; namespace?: string }): Promise<unknown>;
+  kv_set(args: { key: string; value: unknown; namespace?: string; ttlSeconds?: number; valueType?: "string" | "json" | "integer" }): Promise<unknown>;
+  kv_del(args: { key: string; namespace?: string }): Promise<unknown>;
+  kv_incr(args: { key: string; by?: number; namespace?: string }): Promise<unknown>;
+  kv_list(args?: { prefix?: string; namespace?: string; limit?: number }): Promise<unknown>;
+  repo_list(args?: Record<string, unknown>): Promise<unknown>;
+  schedule_list(args?: Record<string, unknown>): Promise<unknown>;
+  script_search(args: { query?: string; scope?: ScriptScope; limit?: number }): Promise<unknown>;
+  script_run(args: { name?: string; source?: string; args?: unknown; intent?: string; scope?: ScriptScope; fsMode?: ScriptFsMode }): Promise<unknown>;
+}
+
+export interface ScriptStdlib {
+  fetch(input: string | URL | Request, init?: RequestInit): Promise<Response>;
+  fetchJson(input: string | URL | Request, init?: RequestInit): Promise<unknown>;
+  grep(pattern: string, files?: string | string[]): Promise<string>;
+  glob(pattern: string): Promise<string[]>;
+  table(rows: Array<Record<string, unknown>>): string;
+  Redacted: RedactedStatic;
+}
+
+export interface ScriptLogger extends Console {}
+
+export interface ScriptContext {
+  swarm: SwarmSdk & { config: SwarmConfig };
+  stdlib: ScriptStdlib;
+  logger: ScriptLogger;
+}
+
+// biome-ignore lint/suspicious/noExplicitAny: scripts may narrow their args type at the entrypoint.
+export type ScriptMain = (args: any, ctx: ScriptContext) => unknown | Promise<unknown>;
+`;
+
+export const SCRIPT_STDLIB_TYPES = `
+declare module "stdlib" {
+  export interface Redacted<T> {
+    readonly __redactedBrand?: T;
+    toString(): "<redacted>";
+    toJSON(): "<redacted>";
+  }
+  export const Redacted: {
+    value<T>(self: Redacted<T>): T;
+    meta<T>(self: Redacted<T>): { type: "system" | "user"; isSecret: boolean };
+    isSecret<T>(self: Redacted<T>): boolean;
+  };
+  export function fetch(input: string | URL | Request, init?: RequestInit): Promise<Response>;
+  export function fetchJson(input: string | URL | Request, init?: RequestInit): Promise<unknown>;
+  export function grep(pattern: string, files?: string | string[]): Promise<string>;
+  export function glob(pattern: string): Promise<string[]>;
+  export function table(rows: Array<Record<string, unknown>>): string;
+}
+
+declare module "swarm-sdk" {
+${SCRIPT_SDK_TYPES.replace(/^/gm, "  ")}
+}
+`;
+
+const USER_FILE = "/virtual/user-script.ts";
+const CHECK_FILE = "/virtual/check.ts";
+const SDK_FILE = "/virtual/swarm-sdk.d.ts";
+const STDLIB_FILE = "/virtual/stdlib.d.ts";
+
+function createCompilerHost(
+  files: Map<string, string>,
+  options: ts.CompilerOptions,
+): ts.CompilerHost {
+  const host = ts.createCompilerHost(options, true);
+  const originalGetSourceFile = host.getSourceFile.bind(host);
+
+  host.getSourceFile = (fileName, languageVersion, onError, shouldCreateNewSourceFile) => {
+    const normalized = fileName.replace(/\\/g, "/");
+    const source = files.get(normalized);
+    if (source !== undefined) {
+      return ts.createSourceFile(normalized, source, languageVersion, true, ts.ScriptKind.TS);
+    }
+    return originalGetSourceFile(fileName, languageVersion, onError, shouldCreateNewSourceFile);
+  };
+
+  host.fileExists = (fileName) => {
+    const normalized = fileName.replace(/\\/g, "/");
+    return files.has(normalized) || ts.sys.fileExists(fileName);
+  };
+
+  host.readFile = (fileName) => {
+    const normalized = fileName.replace(/\\/g, "/");
+    return files.get(normalized) ?? ts.sys.readFile(fileName);
+  };
+
+  host.resolveModuleNames = (moduleNames, containingFile) =>
+    moduleNames.map((moduleName) => {
+      if (moduleName === "./user-script") {
+        return { resolvedFileName: USER_FILE, extension: ts.Extension.Ts };
+      }
+      if (moduleName === "swarm-sdk") {
+        return { resolvedFileName: SDK_FILE, extension: ts.Extension.Dts };
+      }
+      if (moduleName === "stdlib") {
+        return { resolvedFileName: STDLIB_FILE, extension: ts.Extension.Dts };
+      }
+      return ts.resolveModuleName(moduleName, containingFile, options, host).resolvedModule;
+    });
+
+  // In compiled binary mode, TypeScript's lib .d.ts files live alongside
+  // typescript.js in /$bunfs/ — but .d.ts files are not embedded in the binary.
+  // Redirect lib lookups to TS_LIB_DIR where the Dockerfile copies real copies.
+  const tsLibDir = process.env.TS_LIB_DIR;
+  if (tsLibDir) {
+    host.getDefaultLibLocation = () => tsLibDir;
+  }
+
+  return host;
+}
+
+export function typecheckScript(source: string): ScriptTypecheckResult {
+  const options: ts.CompilerOptions = {
+    allowImportingTsExtensions: true,
+    module: ts.ModuleKind.ESNext,
+    moduleResolution: ts.ModuleResolutionKind.Bundler,
+    noEmit: true,
+    skipLibCheck: true,
+    strict: true,
+    target: ts.ScriptTarget.ES2022,
+    types: [],
+  };
+
+  const files = new Map<string, string>([
+    [USER_FILE, source],
+    [SDK_FILE, SCRIPT_SDK_TYPES],
+    [STDLIB_FILE, SCRIPT_STDLIB_TYPES],
+    [
+      CHECK_FILE,
+      `import run from "./user-script";
+import type { ScriptMain } from "swarm-sdk";
+const _scriptMain: ScriptMain = run;
+void _scriptMain;
+`,
+    ],
+  ]);
+
+  const host = createCompilerHost(files, options);
+  const program = ts.createProgram([USER_FILE, CHECK_FILE, SDK_FILE, STDLIB_FILE], options, host);
+  const diagnostics = [
+    ...program.getSyntacticDiagnostics(),
+    ...program.getSemanticDiagnostics(),
+  ].filter((diagnostic) => {
+    const fileName = diagnostic.file?.fileName.replace(/\\/g, "/");
+    return fileName === USER_FILE || fileName === CHECK_FILE;
+  });
+
+  if (diagnostics.length === 0) return { ok: true };
+
+  const formatted = ts.formatDiagnosticsWithColorAndContext(diagnostics, {
+    getCanonicalFileName: (fileName) => fileName,
+    getCurrentDirectory: () => "/virtual",
+    getNewLine: () => "\n",
+  });
+
+  return { ok: false, diagnostics: formatted.split("\n\n").filter(Boolean) };
+}

package/src/be/seed-pricing.ts

@@ -0,0 +1,293 @@
+/**
+ * Phase 2 of the cost-tracking plan — seed the `pricing` table at server boot.
+ *
+ * The vendored models.dev snapshot at `ui/src/lib/modelsdev-cache.json` is the
+ * single source of truth for per-token rates. We project it into rows keyed by
+ * `(provider, model, token_class)` so the recompute path in
+ * `src/http/session-data.ts` can rebuild USD from tokens regardless of which
+ * adapter wrote the row.
+ *
+ * Manual overrides (Anthropic runtime fee, Cognition ACU) live in
+ * {@link MANUAL_PRICING_OVERRIDES} — models.dev doesn't surface those.
+ *
+ * The seeder uses `INSERT OR IGNORE` keyed on the pricing PK
+ * `(provider, model, token_class, effective_from)` with `effective_from = 0`,
+ * so re-runs on every boot are no-ops once seeded. Operators who need to bump
+ * a rate insert a new row with a later `effective_from` via the existing
+ * admin route (`POST /api/pricing`) — we don't overwrite seed rows.
+ */
+
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import type { PricingProvider, PricingTokenClass } from "../types";
+import { getDb } from "./db";
+import { normalizeModelKey } from "./pricing-normalize";
+
+interface ModelsDevCostBlock {
+  input?: number;
+  output?: number;
+  cache_read?: number;
+  cache_write?: number;
+}
+
+interface ModelsDevModel {
+  id?: string;
+  cost?: ModelsDevCostBlock;
+}
+
+interface ModelsDevProvider {
+  models?: Record<string, ModelsDevModel>;
+}
+
+type ModelsDevCache = Record<string, ModelsDevProvider>;
+
+/**
+ * Per-harness manual rates that models.dev doesn't carry. Keep the source URL
+ * and a verification date next to each entry so {@link MANUAL_PRICING_OVERRIDES}
+ * doubles as living documentation.
+ */
+const MANUAL_PRICING_OVERRIDES: Array<{
+  provider: PricingProvider;
+  model: string;
+  tokenClass: PricingTokenClass;
+  pricePerMillionUsd: number;
+  source: string;
+  verified: string; // YYYY-MM-DD
+}> = [
+  {
+    provider: "claude-managed",
+    // '*' = applies regardless of which Claude model the managed run picks.
+    // The runtime fee is per session-hour, not per model.
+    model: "*",
+    tokenClass: "runtime_hour",
+    // $0.08 / hour expressed as USD per "million units" so it fits the same
+    // rate table. The adapter will multiply by hours, not by tokens — the
+    // unit is a convention specific to `runtime_hour`.
+    pricePerMillionUsd: 0.08 * 1_000_000,
+    source: "https://docs.claude.com/en/api/agent-sdk/managed-runtime#pricing",
+    verified: "2026-04-28",
+  },
+  {
+    provider: "devin",
+    model: "*",
+    tokenClass: "acu",
+    pricePerMillionUsd: 2.25 * 1_000_000,
+    source: "https://devin.ai/pricing",
+    verified: "2026-04-28",
+  },
+];
+
+/**
+ * Adapter-specific shortname → models.dev key. Some adapters report `model`
+ * fields the models.dev snapshot doesn't index directly; we map them here.
+ */
+const ANTHROPIC_SHORTNAME_TO_MODELSDEV: Record<string, string> = {
+  opus: "claude-opus-4-7",
+  sonnet: "claude-sonnet-4-6",
+  haiku: "claude-haiku-4-5",
+};
+
+/**
+ * Resolve the path to the vendored models.dev cache. The UI copy is canonical.
+ * We treat this as best-effort: if the file is missing (developer ran the
+ * server without `ui/` checked out), we log and continue with manual rates
+ * only — better than crashing the boot.
+ */
+function loadModelsDevCache(): ModelsDevCache | null {
+  const candidates = [
+    path.join(process.cwd(), "ui", "src", "lib", "modelsdev-cache.json"),
+    path.join(process.cwd(), "..", "ui", "src", "lib", "modelsdev-cache.json"),
+  ];
+  for (const cand of candidates) {
+    try {
+      const raw = readFileSync(cand, "utf-8");
+      return JSON.parse(raw) as ModelsDevCache;
+    } catch {
+      // try next candidate
+    }
+  }
+  return null;
+}
+
+interface PricingSeedRow {
+  provider: PricingProvider;
+  model: string;
+  tokenClass: PricingTokenClass;
+  pricePerMillionUsd: number;
+}
+
+/**
+ * Project a models.dev `cost` block into our pricing-table token classes.
+ * Returns one row per non-null cost field.
+ */
+function projectCostBlock(
+  provider: PricingProvider,
+  model: string,
+  cost: ModelsDevCostBlock,
+): PricingSeedRow[] {
+  // Phase 2 fix — canonicalize the seed key with the same normalizer the
+  // lookup path uses. Idempotent for keys models.dev already serves in
+  // canonical form (the common case); also collapses any future drift.
+  const key = normalizeModelKey(provider, model);
+  const rows: PricingSeedRow[] = [];
+  if (typeof cost.input === "number") {
+    rows.push({ provider, model: key, tokenClass: "input", pricePerMillionUsd: cost.input });
+  }
+  if (typeof cost.output === "number") {
+    rows.push({ provider, model: key, tokenClass: "output", pricePerMillionUsd: cost.output });
+  }
+  if (typeof cost.cache_read === "number") {
+    rows.push({
+      provider,
+      model: key,
+      tokenClass: "cached_input",
+      pricePerMillionUsd: cost.cache_read,
+    });
+  }
+  if (typeof cost.cache_write === "number") {
+    rows.push({
+      provider,
+      model: key,
+      tokenClass: "cache_write",
+      pricePerMillionUsd: cost.cache_write,
+    });
+  }
+  return rows;
+}
+
+/**
+ * Build the full set of seed rows from a loaded models.dev cache.
+ *
+ * The mapping logic is intentionally per-provider so the matrix between
+ * "what the adapter writes for `model`" and "what models.dev keys by" is
+ * explicit and auditable.
+ */
+function buildModelsDevSeedRows(cache: ModelsDevCache): PricingSeedRow[] {
+  const rows: PricingSeedRow[] = [];
+
+  // ---- Anthropic / claude family ----------------------------------------
+  // The 'claude' provider (local-CLI adapter) reports the model id as the
+  // Anthropic CLI returns it. The 'claude-managed' provider may report
+  // either a dated full id or a non-dated id. We project both keyed forms
+  // for each model so the recompute path resolves either way.
+  const anthropic = cache.anthropic?.models ?? {};
+  for (const [id, model] of Object.entries(anthropic)) {
+    if (!model?.cost) continue;
+    for (const provider of ["claude", "claude-managed"] as const) {
+      for (const row of projectCostBlock(provider, id, model.cost)) {
+        rows.push(row);
+      }
+    }
+  }
+  // Anthropic shortnames (opus/sonnet/haiku) → resolve to the current default.
+  for (const [shortname, fullId] of Object.entries(ANTHROPIC_SHORTNAME_TO_MODELSDEV)) {
+    const target = anthropic[fullId];
+    if (!target?.cost) continue;
+    for (const provider of ["claude", "claude-managed"] as const) {
+      for (const row of projectCostBlock(provider, shortname, target.cost)) {
+        rows.push(row);
+      }
+    }
+  }
+  // Pi-mono uses anthropic models via OpenRouter mirrors; project those too.
+  for (const [shortname, fullId] of Object.entries(ANTHROPIC_SHORTNAME_TO_MODELSDEV)) {
+    const target = anthropic[fullId];
+    if (!target?.cost) continue;
+    for (const row of projectCostBlock("pi", shortname, target.cost)) {
+      rows.push(row);
+    }
+  }
+
+  // ---- OpenAI / codex family --------------------------------------------
+  const openai = cache.openai?.models ?? {};
+  for (const [id, model] of Object.entries(openai)) {
+    if (!model?.cost) continue;
+    for (const row of projectCostBlock("codex", id, model.cost)) {
+      rows.push(row);
+    }
+    // Phase 2 fix — pi-mono can route to openai models through the
+    // github-copilot proxy (`github-copilot/gpt-5.4`). The lookup helper
+    // strips the prefix, so we seed the bare id under `pi` too. Without this
+    // every gh-copilot-backed pi run fell through to `costSource='unpriced'`.
+    for (const row of projectCostBlock("pi", id, model.cost)) {
+      rows.push(row);
+    }
+  }
+
+  // ---- OpenRouter passthrough (covers gemini + every opencode-routed model)
+  const openrouter = cache.openrouter?.models ?? {};
+  for (const [id, model] of Object.entries(openrouter)) {
+    if (!model?.cost) continue;
+    // opencode routes whatever model the user picks; we project them all.
+    for (const row of projectCostBlock("opencode", id, model.cost)) {
+      rows.push(row);
+    }
+    // pi-mono also routes via OpenRouter when only OPENROUTER_API_KEY is set
+    // (see src/providers/pi-mono-adapter.ts). Without this projection, pi runs
+    // against non-anthropic models (e.g. deepseek/deepseek-v4-flash) fall
+    // through to costSource='unpriced' even though the model is in the
+    // models.dev snapshot.
+    for (const row of projectCostBlock("pi", id, model.cost)) {
+      rows.push(row);
+    }
+    // Gemini specifically: also project under the 'gemini' provider so
+    // internal-ai callers that tag with provider='gemini' find a hit.
+    if (id.startsWith("google/")) {
+      const geminiKey = id.replace(/^google\//, "");
+      for (const row of projectCostBlock("gemini", geminiKey, model.cost)) {
+        rows.push(row);
+      }
+      // Also store under the full openrouter id so the same row resolves
+      // whether the caller passes "google/..." or the stripped name.
+      for (const row of projectCostBlock("gemini", id, model.cost)) {
+        rows.push(row);
+      }
+    }
+  }
+
+  return rows;
+}
+
+/**
+ * Phase 2 entrypoint. Idempotent — safe to call on every boot. Logs a one-line
+ * summary so operators can tell whether the boot picked up new rates.
+ */
+export function seedPricingFromModelsDev(opts?: { quiet?: boolean }): {
+  inserted: number;
+  modelsdevFound: boolean;
+} {
+  const db = getDb();
+  const cache = loadModelsDevCache();
+  const modelsdevRows = cache ? buildModelsDevSeedRows(cache) : [];
+  const manualRows = MANUAL_PRICING_OVERRIDES.map((o) => ({
+    provider: o.provider,
+    model: o.model,
+    tokenClass: o.tokenClass,
+    pricePerMillionUsd: o.pricePerMillionUsd,
+  }));
+  const allRows = [...modelsdevRows, ...manualRows];
+
+  const insert = db.prepare<null, [string, string, string, number]>(
+    `INSERT OR IGNORE INTO pricing
+       (provider, model, token_class, effective_from, price_per_million_usd, createdAt, lastUpdatedAt)
+     VALUES (?, ?, ?, 0, ?, 0, 0)`,
+  );
+
+  let inserted = 0;
+  const tx = db.transaction((rows: PricingSeedRow[]) => {
+    for (const row of rows) {
+      const result = insert.run(row.provider, row.model, row.tokenClass, row.pricePerMillionUsd);
+      if (result.changes > 0) inserted += 1;
+    }
+  });
+  tx(allRows);
+
+  if (!opts?.quiet) {
+    console.log(
+      `[pricing] seed: ${inserted} new row(s); ${allRows.length} candidate(s); modelsdev=${
+        cache ? "loaded" : "missing"
+      }`,
+    );
+  }
+  return { inserted, modelsdevFound: !!cache };
+}

package/src/cli.tsx

@@ -9,6 +9,7 @@ import { runLead } from "./commands/lead.ts";
 import { Onboard } from "./commands/onboard.tsx";
 import { Setup as Connect } from "./commands/setup.tsx";
 import { runWorker } from "./commands/worker.ts";
+import { getApiKey, setApiKey } from "./utils/api-key.ts";
 
 // Get CLI name from bin field (assumes single key)
 const binName = Object.keys(pkg.bin)[0];
@@ -43,7 +44,7 @@ interface ParsedArgs {
 function parseArgs(args: string[]): ParsedArgs {
   const command = args[0] && !args[0].startsWith("-") ? args[0] : undefined;
   let port = process.env.PORT || "3013";
-  let key = process.env.API_KEY || "";
+  let key = getApiKey();
   let msg = "";
   let headless = false;
   let dryRun = false;
@@ -151,7 +152,7 @@ const COMMAND_HELP: Record<
   connect: {
     usage: `${binName} connect [options]`,
     description:
-      "Connect this project to an existing swarm.\nCreates .mcp.json and .claude/settings.local.json with server URL and API key.\nAuto-reads API_KEY from .env if present.",
+      "Connect this project to an existing swarm.\nCreates .mcp.json and .claude/settings.local.json with server URL and API key.\nAuto-reads AGENT_SWARM_API_KEY (or legacy API_KEY) from .env if present.",
     options: [
       "  --dry-run              Show what would be changed without writing",
       "  --restore              Restore files from .bak backups",
@@ -248,13 +249,19 @@ const COMMAND_HELP: Record<
     options: "  -h, --help             Show this help",
     examples: [`  ${binName} artifact serve`, `  ${binName} artifact help`].join("\n"),
   },
+  scripts: {
+    usage: `${binName} scripts reembed`,
+    description: "Maintenance commands for reusable swarm scripts.",
+    options: "  -h, --help             Show this help",
+    examples: `  ${binName} scripts reembed`,
+  },
   "codex-login": {
     usage: `${binName} codex-login [options]`,
     description:
       "Authenticate Codex via ChatGPT OAuth (browser or manual paste).\nPrompts interactively for the target API URL and a best-effort masked API key, then stores credentials in the swarm API config store for deployed workers.",
     options: [
       "  --api-url <url>    Swarm API URL (default: MCP_BASE_URL or http://localhost:3013)",
-      "  --api-key <key>    Swarm API key (default: API_KEY or 123123)",
+      "  --api-key <key>    Swarm API key (default: AGENT_SWARM_API_KEY or API_KEY, falling back to 123123)",
       "  -h, --help         Show this help",
     ].join("\n"),
     examples: [
@@ -269,7 +276,7 @@ const COMMAND_HELP: Record<
       "Bootstrap Anthropic Managed Agents for the swarm: create the cloud environment, upload plugin/commands/*.md skills, create the managed agent, and persist the resulting IDs to swarm_config so deployed workers restore them at boot. Prompts interactively for ANTHROPIC_API_KEY when not set in env. Idempotent — re-run with --force to recreate.",
     options: [
       "  --api-url <url>    Swarm API URL (default: MCP_BASE_URL or http://localhost:3013)",
-      "  --api-key <key>    Swarm API key (default: API_KEY or 123123)",
+      "  --api-key <key>    Swarm API key (default: AGENT_SWARM_API_KEY or API_KEY, falling back to 123123)",
       "  --force            Recreate Anthropic-side resources even if already configured",
       "  -h, --help         Show this help",
     ].join("\n"),
@@ -306,6 +313,7 @@ function printHelp(command?: string) {
     ["claude", "Run Claude CLI"],
     ["hook", "Handle Claude Code hook events (stdin)"],
     ["artifact", "Manage agent artifacts"],
+    ["scripts", "Reusable scripts maintenance"],
     ["docs", "Open documentation (--open to launch in browser)"],
     ["codex-login", "Authenticate Codex via ChatGPT OAuth"],
     ["claude-managed-setup", "Bootstrap Anthropic Managed Agents (agent + env + skills)"],
@@ -324,7 +332,7 @@ function McpServer({ port, apiKey, dbPath }: { port: string; apiKey: string; dbP
 
   useEffect(() => {
     process.env.PORT = port;
-    process.env.API_KEY = apiKey;
+    setApiKey(apiKey);
     if (dbPath) {
       process.env.DATABASE_PATH = dbPath;
     }
@@ -547,6 +555,15 @@ if (args.showHelp || args.command === "help" || args.command === undefined) {
     port: args.port,
     key: args.key,
   });
+} else if (args.command === "scripts") {
+  const scriptsArgs = process.argv.slice(process.argv.indexOf("scripts") + 1);
+  if (args.showHelp || scriptsArgs[0] !== "reembed") {
+    printHelp("scripts");
+    process.exit(scriptsArgs[0] === "reembed" || args.showHelp ? 0 : 1);
+  }
+  const { runScriptsMaintenanceCommand } = await import("./be/scripts/maintenance");
+  await runScriptsMaintenanceCommand(scriptsArgs);
+  console.log("Scripts re-embedded.");
 } else if (args.command === "codex-login") {
   const { runCodexLogin } = await import("./commands/codex-login");
   const codexLoginArgs = process.argv.slice(process.argv.indexOf("codex-login") + 1);

package/src/commands/artifact.ts

@@ -1,5 +1,6 @@
 import { Hono } from "hono";
 import { createArtifactServer } from "../artifact-sdk";
+import { getApiKey } from "../utils/api-key";
 
 interface ArtifactArgs {
   additionalArgs: string[];
@@ -137,7 +138,7 @@ async function artifactServe(args: ArtifactArgs) {
 }
 
 async function artifactList() {
-  const apiKey = process.env.API_KEY || "";
+  const apiKey = getApiKey();
   const mcpBaseUrl = process.env.MCP_BASE_URL || `http://localhost:${process.env.PORT || "3013"}`;
   const agentId = process.env.AGENT_ID || "";
 
@@ -195,7 +196,7 @@ async function artifactStop(args: ArtifactArgs) {
     process.exit(1);
   }
 
-  const apiKey = process.env.API_KEY || "";
+  const apiKey = getApiKey();
   const mcpBaseUrl = process.env.MCP_BASE_URL || `http://localhost:${process.env.PORT || "3013"}`;
   const agentId = process.env.AGENT_ID || "";
 

package/src/commands/claude-managed-setup.ts

@@ -33,6 +33,7 @@ import type { BetaEnvironment } from "@anthropic-ai/sdk/resources/beta/environme
 import type { SkillCreateResponse } from "@anthropic-ai/sdk/resources/beta/skills";
 import { toFile } from "@anthropic-ai/sdk/uploads";
 
+import { getApiKey } from "../utils/api-key";
 import { promptHiddenInput } from "./codex-login.js";
 
 // ─── Types ───────────────────────────────────────────────────────────────────
@@ -397,7 +398,7 @@ export async function resolveClaudeManagedSetupConfig(
   const isInteractive = deps.isInteractive ?? Boolean(process.stdin.isTTY && process.stdout.isTTY);
 
   const apiUrl = parsed.apiUrl ?? env.MCP_BASE_URL ?? "http://localhost:3013";
-  const apiKey = parsed.apiKey ?? env.API_KEY ?? "123123";
+  const apiKey = parsed.apiKey ?? (getApiKey(env) || "123123");
 
   let anthropicApiKey = env.ANTHROPIC_API_KEY ?? "";
   if (!anthropicApiKey && isInteractive) {
@@ -553,12 +554,28 @@ export async function runClaudeManagedSetupFlow(
     system: mcpServer
       ? "You are an agent-swarm worker. Per-task instructions arrive in the next user message. Use the agent-swarm MCP server for swarm operations."
       : "You are an agent-swarm worker. Per-task instructions arrive in the next user message. (No MCP tools available in this configuration.)",
+    // Headless workers can't satisfy interactive approval prompts — the
+    // Anthropic console parks tool calls in `awaiting approval` and the
+    // session stalls. Apply `always_allow` to both toolsets so the sandbox
+    // executes tool calls (incl. swarm MCP `store-progress`) without HITL.
     tools: mcpServer
       ? [
-          { type: "agent_toolset_20260401" },
-          { type: "mcp_toolset", mcp_server_name: mcpServer.name },
+          {
+            type: "agent_toolset_20260401",
+            default_config: { permission_policy: { type: "always_allow" } },
+          },
+          {
+            type: "mcp_toolset",
+            mcp_server_name: mcpServer.name,
+            default_config: { permission_policy: { type: "always_allow" } },
+          },
         ]
-      : [{ type: "agent_toolset_20260401" }],
+      : [
+          {
+            type: "agent_toolset_20260401",
+            default_config: { permission_policy: { type: "always_allow" } },
+          },
+        ],
     skills: skillsParam,
     ...(mcpServer ? { mcp_servers: [mcpServer] } : {}),
   };

package/src/commands/codex-login.ts

@@ -14,6 +14,7 @@ import { emitKeypressEvents } from "node:readline";
 
 import { loginCodexOAuth } from "../providers/codex-oauth/flow.js";
 import { storeCodexOAuth } from "../providers/codex-oauth/storage.js";
+import { getApiKey } from "../utils/api-key";
 
 type PromptTextFn = (label: string, defaultValue: string) => Promise<string>;
 type PromptSecretFn = (label: string, defaultValue: string, helpText?: string) => Promise<string>;
@@ -146,7 +147,8 @@ export async function resolveCodexLoginConfig(
   const promptSecret = deps.promptSecret ?? promptHiddenInput;
   const isInteractive = deps.isInteractive ?? Boolean(process.stdin.isTTY && process.stdout.isTTY);
   const defaultApiUrl = env.MCP_BASE_URL || "http://localhost:3013";
-  const defaultApiKey = env.API_KEY || "123123";
+  const envApiKey = getApiKey(env);
+  const defaultApiKey = envApiKey || "123123";
 
   let apiUrl = parsed.apiUrl ?? defaultApiUrl;
   let apiKey = parsed.apiKey ?? defaultApiKey;
@@ -156,8 +158,8 @@ export async function resolveCodexLoginConfig(
   }
 
   if (!parsed.apiKey && isInteractive) {
-    const apiKeyHelp = env.API_KEY
-      ? "Press Enter to use API_KEY from the environment"
+    const apiKeyHelp = envApiKey
+      ? "Press Enter to use AGENT_SWARM_API_KEY/API_KEY from the environment"
       : "Press Enter to use the default local API key";
     apiKey =
       (await promptSecret("Swarm API key", defaultApiKey, apiKeyHelp)).trim() || defaultApiKey;