@desplega.ai/agent-swarm 1.80.0 → 1.80.1

package/src/http/index.ts

@@ -14,9 +14,10 @@ import { initGitLab } from "../gitlab";
 import { stopHeartbeat } from "../heartbeat";
 import { initJira } from "../jira";
 import { initLinear } from "../linear";
-import { initOtel, startSpan, withRemoteContext } from "../otel";
+import { initOtel, isPollTracingEnabled, startSpan, withRemoteContext } from "../otel";
 import { startSlackApp, stopSlackApp } from "../slack";
 import { initTelemetry, telemetry } from "../telemetry";
+import { getApiKey } from "../utils/api-key";
 import { initWorkflows } from "../workflows";
 import { handleActiveSessions } from "./active-sessions";
 import { handleAgentRegister, handleAgentsRest } from "./agents";
@@ -45,6 +46,7 @@ import { handlePricing } from "./pricing";
 import { handlePromptTemplates } from "./prompt-templates";
 import { handleRepos } from "./repos";
 import { handleSchedules } from "./schedules";
+import { handleScripts } from "./scripts";
 import { handleSessionData } from "./session-data";
 import { handleSessions } from "./sessions";
 import { handleSkills } from "./skills";
@@ -69,7 +71,7 @@ process.on("unhandledRejection", (reason) => {
 });
 
 const port = parseInt(process.env.PORT || process.argv[2] || "3013", 10);
-const apiKey = process.env.API_KEY || "";
+const apiKey = getApiKey();
 
 // Use globalThis to persist state across hot reloads
 const globalState = globalThis as typeof globalThis & {
@@ -116,33 +118,39 @@ const httpServer = createHttpServer(async (req, res) => {
   });
 
   await withRemoteContext(req.headers as Record<string, unknown>, async () => {
-    const span = startSpan("http.server", {
-      "http.request.method": req.method ?? "",
-      "url.path": req.url?.split("?")[0] ?? "",
-      "agent.id": req.headers["x-agent-id"] as string | undefined,
-      "agentswarm.component": "api",
-    });
-
-    res.on("finish", () => {
-      if (spanEnded) return;
-      spanEnded = true;
-      span.setAttributes({
-        "http.response.status_code": statusCode,
-        "agentswarm.http.duration_ms": Math.round((performance.now() - startTime) * 10) / 10,
+    const reqPath = req.url?.split("?")[0] ?? "";
+    const skipSpan = reqPath === "/api/poll" && !isPollTracingEnabled();
+    const span = skipSpan
+      ? null
+      : startSpan("http.server", {
+          "http.request.method": req.method ?? "",
+          "url.path": reqPath,
+          "agent.id": req.headers["x-agent-id"] as string | undefined,
+          "agentswarm.component": "api",
+        });
+
+    if (span) {
+      res.on("finish", () => {
+        if (spanEnded) return;
+        spanEnded = true;
+        span.setAttributes({
+          "http.response.status_code": statusCode,
+          "agentswarm.http.duration_ms": Math.round((performance.now() - startTime) * 10) / 10,
+        });
+        if (statusCode >= 500) {
+          span.setStatus({ code: 2, message: `HTTP ${statusCode}` });
+        }
+        span.end();
       });
-      if (statusCode >= 500) {
-        span.setStatus({ code: 2, message: `HTTP ${statusCode}` });
-      }
-      span.end();
-    });
 
-    res.on("error", (err) => {
-      if (spanEnded) return;
-      spanEnded = true;
-      span.recordException(err);
-      span.setStatus({ code: 2, message: err.message });
-      span.end();
-    });
+      res.on("error", (err) => {
+        if (spanEnded) return;
+        spanEnded = true;
+        span.recordException(err);
+        span.setStatus({ code: 2, message: err.message });
+        span.end();
+      });
+    }
 
     setCorsHeaders(req, res);
 
@@ -180,6 +188,7 @@ const httpServer = createHttpServer(async (req, res) => {
       () => handleDbQuery(req, res, pathSegments, queryParams),
       () => handleRepos(req, res, pathSegments, queryParams),
       () => handleSkills(req, res, pathSegments, queryParams, myAgentId),
+      () => handleScripts(req, res, pathSegments, queryParams, myAgentId),
       () => handleMcpServers(req, res, pathSegments, queryParams),
       () => handleMcpOAuth(req, res, pathSegments, queryParams),
       () => handleMemory(req, res, pathSegments, myAgentId),
@@ -205,8 +214,10 @@ const httpServer = createHttpServer(async (req, res) => {
       res.writeHead(404);
       res.end("Not Found");
     } catch (err) {
-      span.recordException(err);
-      span.setStatus({ code: 2, message: err instanceof Error ? err.message : String(err) });
+      if (span) {
+        span.recordException(err);
+        span.setStatus({ code: 2, message: err instanceof Error ? err.message : String(err) });
+      }
       const message = err instanceof Error ? err.message : String(err);
       console.error(`[HTTP] ❌ ${req.method} ${req.url} → ${message}`);
       if (!res.headersSent) {

package/src/http/memory.ts

@@ -124,6 +124,20 @@ const deleteMemoryById = route({
   },
 });
 
+const getMemoryById = route({
+  method: "get",
+  path: "/api/memory/{id}",
+  pattern: ["api", "memory", null],
+  summary: "Get a single memory by ID",
+  tags: ["Memory"],
+  auth: { apiKey: true, agentId: true },
+  params: z.object({ id: z.string().uuid() }),
+  responses: {
+    200: { description: "Memory details" },
+    404: { description: "Memory not found" },
+  },
+});
+
 // Memory rater v1.5 — worker-facing rating endpoints. Plan:
 // thoughts/taras/plans/2026-05-05-memory-rater-v1.5/step-3.md
 //
@@ -618,5 +632,19 @@ export async function handleMemory(
     return true;
   }
 
+  if (getMemoryById.match(req.method, pathSegments)) {
+    const parsed = await getMemoryById.parse(req, res, pathSegments, new URLSearchParams());
+    if (!parsed) return true;
+
+    const memory = getMemoryStore().get(parsed.params.id);
+    if (!memory) {
+      jsonError(res, "Memory not found", 404);
+      return true;
+    }
+
+    json(res, { memory });
+    return true;
+  }
+
   return false;
 }

package/src/http/openapi.ts

@@ -64,6 +64,7 @@ export function generateOpenApiSpec(opts: OpenApiOptions): string {
     registry.registerPath({
       method: routeDef.method,
       path: routeDef.path,
+      operationId: routeDef.operationId,
       summary: routeDef.summary,
       description: routeDef.description,
       tags: routeDef.tags,

package/src/http/page-proxy.ts

@@ -1,5 +1,6 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { getPage } from "../be/db";
+import { getApiKey } from "../utils/api-key";
 import { extractAndVerifyCookie } from "../utils/page-session";
 import { route } from "./route-def";
 import { jsonError } from "./utils";
@@ -147,7 +148,7 @@ export async function handlePageProxy(req: IncomingMessage, res: ServerResponse)
   const baseUrl = `http://127.0.0.1:${port}`;
   const targetUrl = `${baseUrl}${rewrittenPath}${queryPart}`;
 
-  const apiKey = process.env.API_KEY ?? "";
+  const apiKey = getApiKey();
   // `X-Page-Id` is the trust anchor for page-scoped KV: only the page-proxy
   // ever sets it (any external `X-Page-Id` header is dropped because we don't
   // forward the original headers). The KV handler treats this as the highest-

package/src/http/route-def.ts

@@ -20,6 +20,7 @@ export interface RouteDef<
   path: string; // OpenAPI-style: "/api/tasks/{id}"
   pattern: readonly (string | null)[]; // matchRoute-style: ["api", "tasks", null]
   exact?: boolean; // default true
+  operationId?: string;
   summary: string;
   description?: string;
   tags: string[];

package/src/http/schedules.ts

@@ -8,6 +8,7 @@ import {
   getDb,
   getScheduledTaskById,
   getScheduledTaskByName,
+  getScheduledTasks,
   updateScheduledTask,
 } from "../be/db";
 import { calculateNextRun } from "../scheduler/scheduler";
@@ -64,6 +65,29 @@ const runScheduleNow = route({
   },
 });
 
+const listSchedules = route({
+  method: "get",
+  path: "/api/schedules",
+  pattern: ["api", "schedules"],
+  summary: "List schedules",
+  tags: ["Schedules"],
+  query: z.object({
+    enabled: z
+      .enum(["true", "false"])
+      .optional()
+      .transform((v) => (v === undefined ? undefined : v === "true")),
+    name: z.string().optional(),
+    scheduleType: z.enum(["recurring", "one_time"]).optional(),
+    hideCompleted: z
+      .enum(["true", "false"])
+      .optional()
+      .transform((v) => (v === undefined ? undefined : v === "true")),
+  }),
+  responses: {
+    200: { description: "List of schedules" },
+  },
+});
+
 const getSchedule = route({
   method: "get",
   path: "/api/schedules/{id}",
@@ -129,6 +153,19 @@ export async function handleSchedules(
   queryParams: URLSearchParams,
   _myAgentId: string | undefined,
 ): Promise<boolean> {
+  if (listSchedules.match(req.method, pathSegments)) {
+    const parsed = await listSchedules.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const schedules = getScheduledTasks({
+      enabled: parsed.query.enabled,
+      name: parsed.query.name,
+      scheduleType: parsed.query.scheduleType,
+      hideCompleted: parsed.query.hideCompleted,
+    });
+    json(res, { schedules, count: schedules.length });
+    return true;
+  }
+
   if (createSchedule.match(req.method, pathSegments)) {
     const parsed = await createSchedule.parse(req, res, pathSegments, queryParams);
     if (!parsed) return true;

package/src/http/scripts.ts

@@ -0,0 +1,381 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { z } from "zod";
+import { getAgentById } from "../be/db";
+import { createEvent } from "../be/events";
+import { deleteScript, getScript, upsertScriptByName } from "../be/scripts/db";
+import { searchScripts } from "../be/scripts/embeddings";
+import { SCRIPT_SDK_TYPES, SCRIPT_STDLIB_TYPES, typecheckScript } from "../be/scripts/typecheck";
+import { extractScriptSignature } from "../scripts-runtime/extract-signature";
+import { runScript } from "../scripts-runtime/loader";
+import {
+  ScriptFsModeSchema,
+  type ScriptRecord,
+  type ScriptScope,
+  ScriptScopeSchema,
+} from "../types";
+import { scrubObject } from "../utils/secret-scrubber";
+import { route } from "./route-def";
+import { json, jsonError } from "./utils";
+
+const scriptNameSchema = z.string().min(1).max(200);
+
+const upsertBodySchema = z.object({
+  name: scriptNameSchema,
+  source: z.string().min(1),
+  description: z.string().default(""),
+  intent: z.string().default(""),
+  scope: ScriptScopeSchema.default("agent"),
+  fsMode: ScriptFsModeSchema.default("none"),
+});
+
+const runBodySchema = z
+  .object({
+    name: scriptNameSchema.optional(),
+    source: z.string().min(1).optional(),
+    args: z.unknown().optional(),
+    intent: z.string().default(""),
+    scope: ScriptScopeSchema.optional(),
+    fsMode: ScriptFsModeSchema.default("none"),
+  })
+  .refine((body) => Boolean(body.name) !== Boolean(body.source), {
+    message: "Provide exactly one of name or source",
+  });
+
+const searchBodySchema = z.object({
+  query: z.string().default(""),
+  scope: ScriptScopeSchema.optional(),
+  limit: z.number().int().min(1).max(100).default(10),
+});
+
+const nameParamsSchema = z.object({ name: scriptNameSchema });
+const scopeQuerySchema = z.object({ scope: ScriptScopeSchema.default("agent") });
+const optionalScopeQuerySchema = z.object({ scope: ScriptScopeSchema.optional() });
+
+const upsertRoute = route({
+  method: "post",
+  path: "/api/scripts/upsert",
+  pattern: ["api", "scripts", "upsert"],
+  operationId: "scripts_upsert",
+  summary: "Create or update a reusable script",
+  description: "Explicit script upserts run a TypeScript typecheck before writing.",
+  tags: ["Scripts"],
+  body: upsertBodySchema,
+  responses: {
+    200: { description: "Script upserted" },
+    400: { description: "Validation or typecheck failure" },
+    403: { description: "Global write requires lead agent" },
+  },
+});
+
+const runRoute = route({
+  method: "post",
+  path: "/api/scripts/run",
+  pattern: ["api", "scripts", "run"],
+  operationId: "scripts_run",
+  summary: "Run a reusable or inline script",
+  description:
+    "Inline source skips typecheck and is auto-saved as a scratch script only on success.",
+  tags: ["Scripts"],
+  body: runBodySchema,
+  responses: {
+    200: { description: "Script run completed" },
+    400: { description: "Validation error" },
+    404: { description: "Script not found" },
+    501: { description: "workspace-rw scripts are not supported in v1" },
+  },
+});
+
+const searchRoute = route({
+  method: "post",
+  path: "/api/scripts/search",
+  pattern: ["api", "scripts", "search"],
+  operationId: "scripts_search",
+  summary: "Search reusable scripts",
+  description: "Phase 3 search is substring-only over script name and metadata.",
+  tags: ["Scripts"],
+  body: searchBodySchema,
+  responses: {
+    200: { description: "Matching scripts" },
+    400: { description: "Validation error" },
+  },
+});
+
+const deleteRoute = route({
+  method: "delete",
+  path: "/api/scripts/{name}",
+  pattern: ["api", "scripts", null],
+  operationId: "scripts_delete",
+  summary: "Delete a reusable script",
+  tags: ["Scripts"],
+  params: nameParamsSchema,
+  query: scopeQuerySchema,
+  responses: {
+    200: { description: "Delete result" },
+    400: { description: "Validation error" },
+    403: { description: "Global delete requires lead agent" },
+  },
+});
+
+const typesRoute = route({
+  method: "get",
+  path: "/api/scripts/{name}/types",
+  pattern: ["api", "scripts", null, "types"],
+  operationId: "scripts_types",
+  summary: "Get script signature and authoring types",
+  tags: ["Scripts"],
+  params: nameParamsSchema,
+  query: optionalScopeQuerySchema,
+  responses: {
+    200: { description: "Script signature and type blobs" },
+    404: { description: "Script not found" },
+  },
+});
+
+function requireAgent(res: ServerResponse, agentId: string | undefined) {
+  if (!agentId) {
+    jsonError(res, "X-Agent-ID required for scripts API", 400);
+    return null;
+  }
+  const agent = getAgentById(agentId);
+  if (!agent) {
+    jsonError(res, "Agent not found", 404);
+    return null;
+  }
+  return agent;
+}
+
+function signatureJsonFor(source: string): string {
+  return JSON.stringify(extractScriptSignature(source));
+}
+
+function resolveScript(name: string, agentId: string, scope?: ScriptScope): ScriptRecord | null {
+  if (scope === "global") return getScript({ name, scope: "global" });
+  if (scope === "agent") return getScript({ name, scope: "agent", scopeId: agentId });
+  return (
+    getScript({ name, scope: "agent", scopeId: agentId }) ?? getScript({ name, scope: "global" })
+  );
+}
+
+function scratchSlug(intent: string, source: string): string {
+  const base = (intent || "inline-script")
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .slice(0, 48);
+  const hash = new Bun.CryptoHasher("sha256").update(source).digest("hex").slice(0, 8);
+  return `scratch-${base || "inline-script"}-${hash}`;
+}
+
+function emitGlobalUpsertEvent(args: {
+  agentId: string;
+  script: ScriptRecord;
+  isNew: boolean;
+  isPromotion: boolean;
+}) {
+  createEvent({
+    category: "system",
+    event: "script.global_upsert",
+    source: "api",
+    agentId: args.agentId,
+    data: {
+      scriptId: args.script.id,
+      name: args.script.name,
+      version: args.script.version,
+      contentHash: args.script.contentHash,
+      changedByAgentId: args.agentId,
+      isNew: args.isNew,
+      isPromotion: args.isPromotion,
+    },
+  });
+}
+
+export async function handleScripts(
+  req: IncomingMessage,
+  res: ServerResponse,
+  pathSegments: string[],
+  queryParams: URLSearchParams,
+  agentId: string | undefined,
+): Promise<boolean> {
+  if (upsertRoute.match(req.method, pathSegments)) {
+    const parsed = await upsertRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const agent = requireAgent(res, agentId);
+    if (!agent) return true;
+
+    if (parsed.body.scope === "global" && !agent.isLead) {
+      jsonError(res, "Global scripts require a lead agent", 403);
+      return true;
+    }
+
+    const typecheck = typecheckScript(parsed.body.source);
+    if (!typecheck.ok) {
+      json(res, { error: "typecheck_failed", diagnostics: typecheck.diagnostics }, 400);
+      return true;
+    }
+
+    const existingAgentScript =
+      parsed.body.scope === "global"
+        ? getScript({ name: parsed.body.name, scope: "agent", scopeId: agent.id })
+        : null;
+    const result = await upsertScriptByName({
+      name: parsed.body.name,
+      scope: parsed.body.scope,
+      scopeId: parsed.body.scope === "agent" ? agent.id : null,
+      source: parsed.body.source,
+      description: parsed.body.description,
+      intent: parsed.body.intent,
+      signatureJson: signatureJsonFor(parsed.body.source),
+      fsMode: parsed.body.fsMode,
+      agentId: agent.id,
+      isScratch: false,
+      typeChecked: true,
+    });
+
+    if (parsed.body.scope === "global" && !result.contentDeduped) {
+      emitGlobalUpsertEvent({
+        agentId: agent.id,
+        script: result.script,
+        isNew: result.isNew,
+        isPromotion: Boolean(existingAgentScript),
+      });
+    }
+
+    json(res, {
+      name: result.script.name,
+      version: result.script.version,
+      contentDeduped: result.contentDeduped,
+    });
+    return true;
+  }
+
+  if (runRoute.match(req.method, pathSegments)) {
+    const parsed = await runRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const agent = requireAgent(res, agentId);
+    if (!agent) return true;
+
+    let source = parsed.body.source;
+    let fsMode = parsed.body.fsMode;
+    if (parsed.body.name) {
+      const script = resolveScript(parsed.body.name, agent.id, parsed.body.scope);
+      if (!script) {
+        jsonError(res, "Script not found", 404);
+        return true;
+      }
+      source = script.source;
+      fsMode = script.fsMode;
+    }
+
+    if (fsMode === "workspace-rw") {
+      jsonError(res, "workspace-rw scripts are not supported by /api/scripts/run in v1", 501);
+      return true;
+    }
+
+    const output = await runScript({
+      source: source as string,
+      args: parsed.body.args,
+      fsMode,
+      agentId: agent.id,
+    });
+
+    let autoSaved: { slug: string; reason: string } | undefined;
+    if (parsed.body.source && !output.error && output.exitCode === 0) {
+      const slug = scratchSlug(parsed.body.intent, parsed.body.source);
+      await upsertScriptByName({
+        name: slug,
+        scope: "agent",
+        scopeId: agent.id,
+        source: parsed.body.source,
+        description: `Scratch script: ${parsed.body.intent || slug}`,
+        intent: parsed.body.intent || "Inline script auto-saved after successful run",
+        signatureJson: signatureJsonFor(parsed.body.source),
+        fsMode: "none",
+        agentId: agent.id,
+        isScratch: true,
+        typeChecked: false,
+        changeReason: "Auto-saved successful inline run",
+      });
+      autoSaved = { slug, reason: "successful_inline_run" };
+    }
+
+    json(
+      res,
+      scrubObject({
+        result: output.result,
+        autoSaved,
+        truncated: output.truncated,
+        durationMs: output.durationMs,
+        stdout: output.stdout,
+        stderr: output.stderr,
+        exitCode: output.exitCode,
+        error: output.error,
+      }),
+    );
+    return true;
+  }
+
+  if (searchRoute.match(req.method, pathSegments)) {
+    const parsed = await searchRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const agent = requireAgent(res, agentId);
+    if (!agent) return true;
+
+    const matches = await searchScripts({
+      query: parsed.body.query,
+      scope: parsed.body.scope,
+      scopeId: agent.id,
+      limit: parsed.body.limit,
+    });
+
+    json(res, {
+      results: matches.map(({ script, score }) => ({
+        name: script.name,
+        signature: JSON.parse(script.signatureJson),
+        description: script.description,
+        score,
+      })),
+    });
+    return true;
+  }
+
+  if (typesRoute.match(req.method, pathSegments)) {
+    const parsed = await typesRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const agent = requireAgent(res, agentId);
+    if (!agent) return true;
+
+    const script = resolveScript(parsed.params.name, agent.id, parsed.query.scope);
+    if (!script) {
+      jsonError(res, "Script not found", 404);
+      return true;
+    }
+    json(res, {
+      signature: JSON.parse(script.signatureJson),
+      sdkTypes: SCRIPT_SDK_TYPES,
+      stdlibTypes: SCRIPT_STDLIB_TYPES,
+    });
+    return true;
+  }
+
+  if (deleteRoute.match(req.method, pathSegments)) {
+    const parsed = await deleteRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const agent = requireAgent(res, agentId);
+    if (!agent) return true;
+
+    if (parsed.query.scope === "global" && !agent.isLead) {
+      jsonError(res, "Global scripts require a lead agent", 403);
+      return true;
+    }
+
+    const deleted = deleteScript({
+      name: parsed.params.name,
+      scope: parsed.query.scope,
+      scopeId: parsed.query.scope === "agent" ? agent.id : null,
+    });
+    json(res, { deleted });
+    return true;
+  }
+
+  return false;
+}

package/src/linear/outbound.ts

@@ -49,6 +49,10 @@ async function handleTaskCreated(data: unknown): Promise<void> {
   );
 }
 
+// Cap parameter length to avoid oversized Linear GraphQL payloads. Linear renders this in the
+// AgentSession panel; 2000 chars is plenty for a progress update.
+const PROGRESS_PARAMETER_MAX = 2000;
+
 async function handleTaskProgress(data: unknown): Promise<void> {
   const { taskId, progress } = data as { taskId: string; progress?: string };
   if (!taskId || !progress) return;
@@ -56,8 +60,11 @@ async function handleTaskProgress(data: unknown): Promise<void> {
   const sessionId = taskSessionMap.get(taskId);
   if (!sessionId) return;
 
-  // Use 'action' activity type — Linear renders it as a structured tool invocation card
-  postAgentSessionAction(sessionId, progress).catch((err) => {
+  // Post as `action` activity (renders as a structured card in Linear's AgentSession panel).
+  // Per Linear's agentActivityCreate spec, `action` requires BOTH `action` AND `parameter`;
+  // the original bug here was passing `progress` as `action` with `parameter` undefined.
+  const parameter = progress.slice(0, PROGRESS_PARAMETER_MAX);
+  postAgentSessionAction(sessionId, "Progress update", parameter).catch((err) => {
     console.error(`[Linear Outbound] Failed to post progress action for task ${taskId}:`, err);
   });
 }

package/src/otel.ts

@@ -48,6 +48,11 @@ export function isOtelEnabled(): boolean {
   return enabled;
 }
 
+export function isPollTracingEnabled(): boolean {
+  const v = (process.env.OTEL_TRACE_POLL ?? "").toLowerCase();
+  return v === "1" || v === "true" || v === "yes" || v === "on";
+}
+
 export async function initOtel(serviceRole = process.env.AGENT_ROLE || "api"): Promise<void> {
   if (!enabled || initialized) return;
   initialized = true;