@desplega.ai/agent-swarm 1.83.1 → 1.83.2

package/src/http/poll.ts

@@ -42,11 +42,13 @@ import { json, jsonError } from "./utils";
  * + workflow bus emit. See `src/be/budget-refusal-notify.ts`.
  */
 function buildBudgetRefusedTrigger(refusal: {
-  cause: "agent" | "global";
+  cause: "agent" | "global" | "user";
   agentSpend?: number;
   agentBudget?: number;
   globalSpend?: number;
   globalBudget?: number;
+  userSpend?: number;
+  userBudget?: number;
   resetAt: string;
 }): { type: "budget_refused"; [key: string]: unknown } {
   const trigger: { type: "budget_refused"; [key: string]: unknown } = {
@@ -58,6 +60,8 @@ function buildBudgetRefusedTrigger(refusal: {
   if (refusal.agentBudget !== undefined) trigger.agentBudget = refusal.agentBudget;
   if (refusal.globalSpend !== undefined) trigger.globalSpend = refusal.globalSpend;
   if (refusal.globalBudget !== undefined) trigger.globalBudget = refusal.globalBudget;
+  if (refusal.userSpend !== undefined) trigger.userSpend = refusal.userSpend;
+  if (refusal.userBudget !== undefined) trigger.userBudget = refusal.userBudget;
   return trigger;
 }
 
@@ -180,7 +184,7 @@ export async function handlePoll(
             // the capacity check so capacity AND budget gates share atomicity.
             // Phase 5 also records the dedup row + captures the side-effect
             // context here so the after-commit step can notify the lead.
-            const admission = canClaim(myAgentId, new Date());
+            const admission = canClaim(myAgentId, new Date(), pendingTask.requestedByUserId);
             if (!admission.allowed) {
               const utcDate = new Date().toISOString().slice(0, 10);
               const dedup = recordBudgetRefusalNotification({
@@ -192,6 +196,8 @@ export async function handlePoll(
                 agentBudgetUsd: admission.agentBudget,
                 globalSpendUsd: admission.globalSpend,
                 globalBudgetUsd: admission.globalBudget,
+                userSpendUsd: admission.userSpend,
+                userBudgetUsd: admission.userBudget,
               });
               return {
                 trigger: buildBudgetRefusedTrigger(admission),
@@ -200,6 +206,7 @@ export async function handlePoll(
                     task: {
                       id: pendingTask.id,
                       task: pendingTask.task,
+                      requestedByUserId: pendingTask.requestedByUserId,
                       slackChannelId: pendingTask.slackChannelId,
                       slackThreadTs: pendingTask.slackThreadTs,
                       slackUserId: pendingTask.slackUserId,
@@ -211,6 +218,8 @@ export async function handlePoll(
                     agentBudgetUsd: admission.agentBudget,
                     globalSpendUsd: admission.globalSpend,
                     globalBudgetUsd: admission.globalBudget,
+                    userSpendUsd: admission.userSpend,
+                    userBudgetUsd: admission.userBudget,
                     resetAt: admission.resetAt,
                   },
                   inserted: dedup.inserted,
@@ -303,10 +312,10 @@ export async function handlePoll(
             // refusal, and the dedup is per-(task,date) so subsequent same-day
             // refusals on the same lead-candidate are suppressed.
             if (unassignedIds.length > 0) {
-              const admission = canClaim(myAgentId, new Date());
+              const candidateId = unassignedIds[0]!;
+              const candidateTask = getTaskById(candidateId);
+              const admission = canClaim(myAgentId, new Date(), candidateTask?.requestedByUserId);
               if (!admission.allowed) {
-                const candidateId = unassignedIds[0]!;
-                const candidateTask = getTaskById(candidateId);
                 const utcDate = new Date().toISOString().slice(0, 10);
                 const dedup = recordBudgetRefusalNotification({
                   taskId: candidateId,
@@ -317,6 +326,8 @@ export async function handlePoll(
                   agentBudgetUsd: admission.agentBudget,
                   globalSpendUsd: admission.globalSpend,
                   globalBudgetUsd: admission.globalBudget,
+                  userSpendUsd: admission.userSpend,
+                  userBudgetUsd: admission.userBudget,
                 });
                 return {
                   trigger: buildBudgetRefusedTrigger(admission),
@@ -326,6 +337,7 @@ export async function handlePoll(
                           task: {
                             id: candidateTask.id,
                             task: candidateTask.task,
+                            requestedByUserId: candidateTask.requestedByUserId,
                             slackChannelId: candidateTask.slackChannelId,
                             slackThreadTs: candidateTask.slackThreadTs,
                             slackUserId: candidateTask.slackUserId,
@@ -337,6 +349,8 @@ export async function handlePoll(
                           agentBudgetUsd: admission.agentBudget,
                           globalSpendUsd: admission.globalSpend,
                           globalBudgetUsd: admission.globalBudget,
+                          userSpendUsd: admission.userSpend,
+                          userBudgetUsd: admission.userBudget,
                           resetAt: admission.resetAt,
                         },
                         inserted: dedup.inserted,

package/src/http/schedules.ts

@@ -466,11 +466,11 @@ export async function handleSchedules(
         const mergedTimezone =
           parsed.body.timezone !== undefined ? parsed.body.timezone : existing.timezone;
         if (timing.mergedCron || timing.mergedInterval) {
-          // biome-ignore lint/suspicious/noExplicitAny: need partial ScheduledTask for calculateNextRun
           body.nextRunAt = calculateNextRun({
             cronExpression: timing.mergedCron,
             intervalMs: timing.mergedInterval,
             timezone: mergedTimezone,
+            // biome-ignore lint/suspicious/noExplicitAny: need partial ScheduledTask for calculateNextRun
           } as any);
         }
       }

package/src/http/users.ts

@@ -7,8 +7,7 @@
  * pass it as the `IdentityActor` arg to the helpers in `src/be/users.ts` — so
  * every identity mutation lands an event row tagged `op:<sha256-16>`.
  *
- * Endpoint set (Core Req #6, minus `POST/DELETE /users/:id/mcp-tokens` which
- * are deferred to the MCP plan):
+ * Endpoint set:
  *
  *   GET    /api/users
  *   POST   /api/users
@@ -16,6 +15,8 @@
  *   POST   /api/users/unmapped/:kind/:externalId/resolve
  *   GET    /api/users/:id
  *   PATCH  /api/users/:id
+ *   POST   /api/users/:id/mcp-tokens
+ *   DELETE /api/users/:id/mcp-tokens/:tokenId
  *   POST   /api/users/:id/merge
  *   GET    /api/users/:id/events
  *   POST   /api/users/:id/identities
@@ -26,12 +27,14 @@ import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
 import {
   createUser,
+  deleteBudget,
   deleteKv,
   deleteUser,
   getAllUsers,
   getUserById,
   listKv,
   updateUser,
+  upsertBudget,
 } from "../be/db";
 import {
   getUserIdentities,
@@ -39,7 +42,9 @@ import {
   linkIdentity,
   listUserEvents,
   listUserTokens,
+  mintToken,
   recordIdentityEvent,
+  revokeToken,
   unlinkIdentity,
 } from "../be/users";
 import { getOperatorActor } from "./operator-actor";
@@ -64,6 +69,15 @@ function composeUser(userId: string, recentEventLimit = 5) {
   };
 }
 
+function syncUserBudgetMirror(userId: string, dailyBudgetUsd: number | null | undefined): void {
+  if (dailyBudgetUsd === undefined) return;
+  if (dailyBudgetUsd === null) {
+    deleteBudget("user", userId);
+    return;
+  }
+  upsertBudget("user", userId, dailyBudgetUsd);
+}
+
 // ─── Route Definitions ───────────────────────────────────────────────────────
 
 const listUsers = route({
@@ -203,6 +217,41 @@ const updateUserRoute = route({
   auth: { apiKey: true },
 });
 
+const mintUserMcpTokenRoute = route({
+  method: "post",
+  path: "/api/users/{id}/mcp-tokens",
+  pattern: ["api", "users", null, "mcp-tokens"],
+  summary: "Mint a one-time plaintext MCP token for a user",
+  description:
+    "Returns the plaintext token exactly once. Subsequent reads only expose token summaries.",
+  tags: ["Users"],
+  params: z.object({ id: z.string() }),
+  body: z.object({
+    label: z.string().nullable().optional(),
+  }),
+  responses: {
+    200: { description: "Minted token plaintext, token summary and composed user" },
+    401: { description: "Unauthorized" },
+    404: { description: "User not found" },
+  },
+  auth: { apiKey: true },
+});
+
+const revokeUserMcpTokenRoute = route({
+  method: "delete",
+  path: "/api/users/{id}/mcp-tokens/{tokenId}",
+  pattern: ["api", "users", null, "mcp-tokens", null],
+  summary: "Revoke a user's MCP token",
+  tags: ["Users"],
+  params: z.object({ id: z.string(), tokenId: z.string() }),
+  responses: {
+    200: { description: "Composed user after token revocation" },
+    401: { description: "Unauthorized" },
+    404: { description: "User or token not found" },
+  },
+  auth: { apiKey: true },
+});
+
 const mergeUsersRoute = route({
   method: "post",
   path: "/api/users/{id}/merge",
@@ -370,6 +419,7 @@ export async function handleUsers(
     try {
       const { identities, ...userFields } = parsed.body;
       const user = createUser(userFields);
+      syncUserBudgetMirror(user.id, userFields.dailyBudgetUsd);
       for (const ident of identities ?? []) {
         linkIdentity(user.id, ident.kind, ident.externalId, actor);
       }
@@ -459,6 +509,60 @@ export async function handleUsers(
     return true;
   }
 
+  // ─── POST /api/users/:id/mcp-tokens ───────────────────────────────────────
+  if (mintUserMcpTokenRoute.match(req.method, pathSegments)) {
+    const parsed = await mintUserMcpTokenRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const actor = getOperatorActor(req, res);
+    if (!actor) return true;
+    if (!getUserById(parsed.params.id)) {
+      jsonError(res, "User not found", 404);
+      return true;
+    }
+
+    try {
+      const { tokenId, plaintext } = mintToken(parsed.params.id, parsed.body.label ?? null, actor);
+      const token = listUserTokens(parsed.params.id).find((t) => t.id === tokenId);
+      json(res, { plaintext, token, user: composeUser(parsed.params.id) });
+    } catch (err) {
+      jsonError(res, err instanceof Error ? err.message : "Failed to mint token", 500);
+    }
+    return true;
+  }
+
+  // ─── DELETE /api/users/:id/mcp-tokens/:tokenId ────────────────────────────
+  if (revokeUserMcpTokenRoute.match(req.method, pathSegments)) {
+    const parsed = await revokeUserMcpTokenRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const actor = getOperatorActor(req, res);
+    if (!actor) return true;
+    if (!getUserById(parsed.params.id)) {
+      jsonError(res, "User not found", 404);
+      return true;
+    }
+
+    const tokenBelongsToUser = listUserTokens(parsed.params.id).some(
+      (token) => token.id === parsed.params.tokenId,
+    );
+    if (!tokenBelongsToUser) {
+      jsonError(res, "Token not found", 404);
+      return true;
+    }
+
+    try {
+      revokeToken(parsed.params.tokenId, actor);
+      json(res, { user: composeUser(parsed.params.id) });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to revoke token";
+      if (message.includes("Token not found")) {
+        jsonError(res, "Token not found", 404);
+      } else {
+        jsonError(res, message, 500);
+      }
+    }
+    return true;
+  }
+
   // ─── POST /api/users/:id/identities ────────────────────────────────────────
   if (addIdentityRoute.match(req.method, pathSegments)) {
     const parsed = await addIdentityRoute.parse(req, res, pathSegments, queryParams);
@@ -625,6 +729,7 @@ export async function handleUsers(
         jsonError(res, "User not found", 404);
         return true;
       }
+      syncUserBudgetMirror(parsed.params.id, parsed.body.dailyBudgetUsd);
 
       // Budget event
       if (

package/src/jira/client.ts

@@ -1,5 +1,5 @@
 import { getOAuthTokens } from "../be/db-queries/oauth";
-import { ensureToken } from "../oauth/ensure-token";
+import { ensureToken, ensureTokenOrThrow } from "../oauth/ensure-token";
 import { getJiraMetadata } from "./metadata";
 
 /**
@@ -36,8 +36,7 @@ export function getJiraCloudId(): string {
  * - Prepends `https://api.atlassian.com/ex/jira/{cloudId}` to `path`.
  * - Sets `Authorization: Bearer <token>` and `Accept: application/json`.
  * - Sets `Content-Type: application/json` when a body is provided.
- * - On 401: refreshes the token (forced via `ensureToken("jira", 0)`) and
- *   retries once.
+ * - On 401: forces a token refresh and retries once.
  * - On 429: respects `Retry-After` (in seconds) with a single retry.
  *
  * Returns the raw `Response` — callers handle `response.json()`/`response.text()`
@@ -64,8 +63,7 @@ export async function jiraFetch(path: string, init?: RequestInit): Promise<Respo
   let response = await send(token);
 
   if (response.status === 401) {
-    // Force refresh — bufferMs=0 means "always refresh if any expiry is set"
-    await ensureToken("jira", 0);
+    await ensureTokenOrThrow("jira", Number.MAX_SAFE_INTEGER);
     token = await getJiraAccessToken();
     response = await send(token);
   }

package/src/jira/oauth.ts

@@ -29,6 +29,7 @@ export function getJiraOAuthConfig(): OAuthProviderConfig | null {
     scopes: app.scopes.split(","),
     scopeSeparator: " ",
     extraParams: { audience: "api.atlassian.com" },
+    requiresRefreshTokenRotation: true,
   };
 }
 

package/src/jira/sync.ts

@@ -21,7 +21,7 @@ import {
   getTrackerSyncByExternalId,
   updateTrackerSyncSwarmId,
 } from "../be/db-queries/tracker";
-import { ensureToken } from "../oauth/ensure-token";
+import { ensureToken, ensureTokenOrThrow } from "../oauth/ensure-token";
 import { resolveTemplate } from "../prompts/resolver";
 import { buildJiraContextKey } from "../tasks/context-key";
 import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
@@ -91,7 +91,7 @@ export async function resolveBotAccountId(): Promise<string | null> {
     // Mirror jiraFetch's 401-retry pattern: a token may go stale between the
     // proactive ensureToken call and the request reaching Atlassian.
     if (res.status === 401) {
-      await ensureToken("jira", 0);
+      await ensureTokenOrThrow("jira", Number.MAX_SAFE_INTEGER);
       tokens = getOAuthTokens("jira");
       if (!tokens?.accessToken) {
         console.warn("[Jira Sync] /me returned 401 and refresh produced no token");

package/src/oauth/ensure-token.ts

@@ -18,6 +18,7 @@ function getOAuthConfig(provider: string): OAuthProviderConfig | null {
     redirectUri: app.redirectUri,
     scopes: app.scopes.split(","),
     extraParams: metadata.extraParams ?? (metadata.actor ? { actor: metadata.actor } : undefined),
+    requiresRefreshTokenRotation: provider === "jira",
   };
 }
 

package/src/oauth/wrapper.ts

@@ -1,5 +1,5 @@
 import * as oauth from "oauth4webapi";
-import { storeOAuthTokens } from "../be/db-queries/oauth";
+import { storeOAuthTokens, updateOAuthTokensAfterRefresh } from "../be/db-queries/oauth";
 
 // ─── Types ───────────────────────────────────────────────────────────────────
 
@@ -13,6 +13,12 @@ export interface OAuthProviderConfig {
   scopes: string[];
   /** Extra query params appended to the authorization URL (e.g. { actor: "app" } for Linear) */
   extraParams?: Record<string, string>;
+  /**
+   * Provider rotates refresh tokens on every refresh. When true, a refresh
+   * response without a new refresh token is unusable because the old one may
+   * already be invalidated server-side.
+   */
+  requiresRefreshTokenRotation?: boolean;
   /**
    * How to join `scopes` in the authorization URL.
    *
@@ -160,7 +166,7 @@ export async function exchangeCode(
 export async function refreshAccessToken(
   config: OAuthProviderConfig,
   refreshToken: string,
-): Promise<{ accessToken: string; refreshToken?: string; expiresIn?: number }> {
+): Promise<{ accessToken: string; refreshToken?: string; expiresIn?: number; scope?: string }> {
   const body = new URLSearchParams({
     grant_type: "refresh_token",
     client_id: config.clientId,
@@ -183,23 +189,48 @@ export async function refreshAccessToken(
     access_token: string;
     token_type: string;
     expires_in?: number;
+    scope?: string;
     refresh_token?: string;
   };
 
+  if (typeof data.access_token !== "string" || data.access_token.length === 0) {
+    throw new Error(`Token refresh failed: ${config.provider} response missing access_token`);
+  }
+
+  if (
+    config.requiresRefreshTokenRotation &&
+    (typeof data.refresh_token !== "string" || data.refresh_token.length === 0)
+  ) {
+    throw new Error(
+      `Token refresh failed: ${config.provider} response did not include a rotated refresh_token`,
+    );
+  }
+
   const expiresAt = data.expires_in
     ? new Date(Date.now() + data.expires_in * 1000).toISOString()
     : new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
 
-  storeOAuthTokens(config.provider, {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token ?? null,
-    expiresAt,
-  });
+  const nextRefreshToken = data.refresh_token ?? refreshToken;
+  try {
+    updateOAuthTokensAfterRefresh(config.provider, refreshToken, {
+      accessToken: data.access_token,
+      refreshToken: nextRefreshToken,
+      expiresAt,
+      scope: data.scope ?? null,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.warn(
+      `[OAuth] Refusing to use refreshed ${config.provider} access token because persistence failed: ${message}`,
+    );
+    throw err;
+  }
 
   return {
     accessToken: data.access_token,
     refreshToken: data.refresh_token,
     expiresIn: data.expires_in,
+    scope: data.scope,
   };
 }
 

package/src/providers/claude-adapter.ts

@@ -395,6 +395,10 @@ class ClaudeSession implements ProviderSession {
       this.config.prompt,
     ];
 
+    if (this.config.resumeSessionId) {
+      cmd.push("--resume", this.config.resumeSessionId);
+    }
+
     if (this.config.additionalArgs?.length) {
       cmd.push(...this.config.additionalArgs);
     }
@@ -688,10 +692,11 @@ class ClaudeSession implements ProviderSession {
     // Stale session retry: if process failed because session not found and we used --resume,
     // strip --resume and retry with a fresh session
     if (result.exitCode !== 0 && this.errorTracker.isSessionNotFound()) {
-      const hasResume = (this.config.additionalArgs || []).includes("--resume");
+      const hasResume =
+        !!this.config.resumeSessionId || (this.config.additionalArgs || []).includes("--resume");
       if (hasResume) {
         console.log(
-          `\x1b[33m[${this.config.role}] Session not found for task ${this.config.taskId.slice(0, 8)} — retrying without --resume\x1b[0m`,
+          `\x1b[33m[${this.config.role}] Session resume failed for task ${this.config.taskId.slice(0, 8)} — retrying without --resume\x1b[0m`,
         );
 
         const freshArgs = (this.config.additionalArgs || []).filter((arg, idx, arr) => {

package/src/providers/claude-managed-adapter.ts

@@ -642,7 +642,7 @@ class ClaudeManagedSession implements ProviderSession {
       this.emit({
         type: "session_init",
         sessionId: this._sessionId,
-        provider: "claude" as const,
+        provider: "claude-managed",
         providerMeta: { managed: true },
       });
 

package/src/providers/codex-adapter.ts

@@ -71,6 +71,7 @@ import {
   clampContextPercent,
   computeContextUsedUnified,
 } from "../utils/context-window";
+import { SessionErrorTracker } from "../utils/error-tracker";
 import { summarizeSession as runSummarize } from "../utils/internal-ai";
 import { scrubSecrets } from "../utils/secret-scrubber";
 import { type CodexAgentsMdHandle, writeCodexAgentsMd } from "./codex-agents-md";
@@ -413,6 +414,7 @@ class CodexSession implements ProviderSession {
   private lastUsage: Usage | null = null;
   private aborted = false;
   private settled = false;
+  private readonly errorTracker = new SessionErrorTracker();
   /**
    * Result captured by `settle` but held back from `resolveCompletion` until
    * `runSession`'s `finally` block has fully cleaned up (log writer flush,
@@ -951,9 +953,11 @@ class CodexSession implements ProviderSession {
           }
           if (event.type === "turn.failed" && !terminalError) {
             terminalError = this.formatTerminalError(event.error.message);
+            this.errorTracker.processCodexUsageLimitMessage(event.error.message);
           }
           if (event.type === "error" && !terminalError) {
             terminalError = this.formatTerminalError(event.message);
+            this.errorTracker.processCodexUsageLimitMessage(event.message);
           }
         }
       } catch (err) {
@@ -970,6 +974,30 @@ class CodexSession implements ProviderSession {
           });
           return;
         }
+        // The Codex CLI exits with code 1 after emitting a UsageLimitReached or
+        // other terminal error event. The SDK then throws "Codex Exec exited with
+        // code 1: Reading prompt from stdin" AFTER the event loop ends, which
+        // would overwrite the structured terminalError we already captured above.
+        // Preserve the structured error so the [usage-limit] prefix survives to
+        // the runner's rate-limit resolver.
+        if (terminalError) {
+          const cost = this.buildCostData(this.lastUsage, true);
+          this.emit({
+            type: "result",
+            cost,
+            isError: true,
+            errorCategory: terminalError.category ?? "turn_failed",
+          });
+          this.settle({
+            exitCode: 1,
+            sessionId: this._sessionId,
+            cost,
+            isError: true,
+            failureReason: terminalError.message,
+            rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
+          });
+          return;
+        }
         throw err;
       }
 
@@ -987,6 +1015,7 @@ class CodexSession implements ProviderSession {
         cost,
         isError,
         failureReason: terminalError?.message,
+        rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -1000,6 +1029,7 @@ class CodexSession implements ProviderSession {
         cost,
         isError: true,
         failureReason: message,
+        rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
       });
     } finally {
       // Session-end summarization. Pure addition for codex — no behavior to