@desplega.ai/agent-swarm 1.84.1 → 1.85.0

package/src/tests/task-completion-idempotency.test.ts

@@ -13,6 +13,7 @@ import {
   initDb,
   startTask,
 } from "../be/db";
+import { createWorkerTaskFollowUp } from "../tasks/worker-follow-up";
 
 const TEST_DB_PATH = "./test-task-completion-idempotency.sqlite";
 
@@ -318,3 +319,91 @@ describe("store-progress idempotency on terminal status (integration via DB laye
     expect(after!.output).toBe("manually written");
   });
 });
+
+interface FollowUpRow {
+  id: string;
+  agentId: string | null;
+  parentTaskId: string | null;
+  taskType: string | null;
+  task: string;
+  slackChannelId: string | null;
+  slackThreadTs: string | null;
+  slackUserId: string | null;
+}
+
+function listFollowUpTasks(parentTaskId: string): FollowUpRow[] {
+  return getDb()
+    .prepare<FollowUpRow, [string]>(
+      `SELECT id, agentId, parentTaskId, taskType, task, slackChannelId, slackThreadTs, slackUserId
+       FROM agent_tasks
+       WHERE parentTaskId = ? AND taskType = 'follow-up'
+       ORDER BY createdAt ASC`,
+    )
+    .all(parentTaskId);
+}
+
+describe("worker task follow-up creation", () => {
+  test("creates lead follow-up for completed worker task", () => {
+    const lead = createAgent({
+      name: "follow-up-lead-1",
+      isLead: true,
+      status: "idle",
+      capabilities: [],
+    });
+    const worker = createAgent({
+      name: "follow-up-worker-1",
+      isLead: false,
+      status: "idle",
+      capabilities: [],
+    });
+    const task = createTaskExtended("Worker task", {
+      agentId: worker.id,
+      slackChannelId: "C123",
+      slackThreadTs: "1700000000.000001",
+      slackUserId: "U123",
+    });
+    startTask(task.id, worker.id);
+
+    const completed = completeTask(task.id, "Worker output");
+    expect(completed).not.toBeNull();
+
+    const followUp = createWorkerTaskFollowUp({
+      task: completed!,
+      status: "completed",
+      output: "Worker output",
+    });
+
+    expect(followUp).not.toBeNull();
+    const rows = listFollowUpTasks(task.id);
+    expect(rows).toHaveLength(1);
+    expect(rows[0]!.agentId).toBe(lead.id);
+    expect(rows[0]!.parentTaskId).toBe(task.id);
+    expect(rows[0]!.slackChannelId).toBe("C123");
+    expect(rows[0]!.slackThreadTs).toBe("1700000000.000001");
+    expect(rows[0]!.slackUserId).toBe("U123");
+    expect(rows[0]!.task).toContain("Worker output");
+  });
+
+  test("does not create follow-up for lead-owned task", () => {
+    const lead = createAgent({
+      name: "follow-up-lead-2",
+      isLead: true,
+      status: "idle",
+      capabilities: [],
+    });
+    const task = createTaskExtended("Lead task", { agentId: lead.id });
+    startTask(task.id, lead.id);
+
+    const completed = completeTask(task.id, "Lead output");
+    expect(completed).not.toBeNull();
+
+    const followUp = createWorkerTaskFollowUp({
+      task: completed!,
+      status: "completed",
+      output: "Lead output",
+    });
+
+    expect(followUp).toBeNull();
+    expect(listFollowUpTasks(task.id)).toHaveLength(0);
+  });
+});

package/src/tools/oauth-access-token.ts

@@ -0,0 +1,118 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import * as z from "zod";
+import { getOAuthTokens } from "@/be/db-queries/oauth";
+import { ensureTokenOrThrow } from "@/oauth/ensure-token";
+import { createToolRegistrar } from "@/tools/utils";
+import { registerVolatileSecret } from "@/utils/secret-scrubber";
+
+type OAuthProvider = string;
+
+export interface OAuthAccessTokenResult {
+  provider: OAuthProvider;
+  accessToken: string;
+  expiresAt: string;
+  tokenType: "Bearer";
+}
+
+function assertTokenUsable(
+  provider: OAuthProvider,
+  expiresAt: string,
+  minValidityMs: number,
+): void {
+  const expiresAtMs = Date.parse(expiresAt);
+  if (!Number.isFinite(expiresAtMs)) {
+    throw new Error(`${provider} OAuth token has an invalid expiry`);
+  }
+  if (expiresAtMs - Date.now() < minValidityMs) {
+    throw new Error(
+      `${provider} OAuth token is expired or expiring soon and could not be refreshed`,
+    );
+  }
+}
+
+export async function resolveOAuthAccessToken(
+  provider: OAuthProvider,
+  minValiditySeconds = 300,
+): Promise<OAuthAccessTokenResult> {
+  const minValidityMs = minValiditySeconds * 1000;
+  await ensureTokenOrThrow(provider, minValidityMs);
+
+  const tokens = getOAuthTokens(provider);
+  if (!tokens) {
+    throw new Error(`${provider} OAuth tokens are not connected`);
+  }
+
+  assertTokenUsable(provider, tokens.expiresAt, minValidityMs);
+  registerVolatileSecret(tokens.accessToken, `${provider.toUpperCase()}_OAUTH_ACCESS_TOKEN`);
+
+  return {
+    provider,
+    accessToken: tokens.accessToken,
+    expiresAt: tokens.expiresAt,
+    tokenType: "Bearer",
+  };
+}
+
+export const registerGetOauthAccessTokenTool = (server: McpServer) => {
+  createToolRegistrar(server)(
+    "get-oauth-access-token",
+    {
+      title: "Get OAuth access token",
+      description:
+        "Return a valid plaintext OAuth access token for an integrated tracker. The token is refreshed first when it is near expiry. Returns access_token only; never returns refresh_token.",
+      annotations: { destructiveHint: false, openWorldHint: true },
+      inputSchema: z.object({
+        provider: z
+          .string()
+          .min(1)
+          .max(64)
+          .regex(/^[A-Za-z0-9][A-Za-z0-9_-]*$/, "provider must be a slug")
+          .describe("OAuth provider slug to read from oauth_tokens (for example: linear, jira)."),
+        minValiditySeconds: z
+          .number()
+          .int()
+          .min(0)
+          .max(3600)
+          .optional()
+          .default(300)
+          .describe("Minimum remaining token lifetime required before returning it."),
+      }),
+      outputSchema: z.object({
+        success: z.boolean(),
+        message: z.string(),
+        provider: z.string().optional(),
+        accessToken: z.string().optional(),
+        expiresAt: z.string().optional(),
+        tokenType: z.literal("Bearer").optional(),
+      }),
+    },
+    async ({ provider, minValiditySeconds }, _requestInfo, _meta) => {
+      try {
+        const token = await resolveOAuthAccessToken(provider, minValiditySeconds);
+        const message = `${provider} OAuth access token resolved; expires at ${token.expiresAt}.`;
+        return {
+          content: [
+            {
+              type: "text",
+              text: `${message}\n\n${token.accessToken}`,
+            },
+          ],
+          structuredContent: {
+            success: true,
+            message,
+            ...token,
+          },
+        };
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+          content: [{ type: "text", text: `Failed to resolve OAuth access token: ${message}` }],
+          structuredContent: {
+            success: false,
+            message,
+          },
+        };
+      }
+    },
+  );
+};

package/src/tools/store-progress.ts

@@ -3,14 +3,11 @@ import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import * as z from "zod";
 import {
   completeTask,
-  createTaskExtended,
   failTask,
   getAgentById,
   getDb,
-  getLeadAgent,
   getResolvedConfig,
   getSessionLogsByTaskId,
-  getTaskAttachments,
   getTaskById,
   insertTaskAttachment,
   updateAgentStatusFromCapacity,
@@ -19,11 +16,9 @@ import {
 import { getEmbeddingProvider, getMemoryStore } from "@/be/memory";
 import { getRetrievalsForTask } from "@/be/memory/raters/retrieval";
 import { runServerRaters } from "@/be/memory/raters/run-server-raters";
-import { resolveTemplate } from "@/prompts/resolver";
+import { createWorkerTaskFollowUp } from "@/tasks/worker-follow-up";
 import { createToolRegistrar } from "@/tools/utils";
-import { AgentTaskSchema, AttachmentInputSchema, type TaskAttachment } from "@/types";
-// Side-effect import: registers task lifecycle templates in the in-memory registry
-import "./templates";
+import { AgentTaskSchema, AttachmentInputSchema } from "@/types";
 import { validateJsonSchema } from "@/workflows/json-schema-validator";
 
 // Phase 11: the `cost` / `costData` field was removed from this tool's input
@@ -33,29 +28,6 @@ import { validateJsonSchema } from "@/workflows/json-schema-validator";
 // echoed the schema example, producing noise rows keyed `mcp-<taskId>-<ts>`
 // that double-counted alongside the harness's authoritative entry.
 
-function attachmentPointer(a: TaskAttachment): string {
-  switch (a.kind) {
-    case "url":
-      return a.url ?? "";
-    case "page":
-      return `page:${a.pageId ?? ""}`;
-    case "agent-fs":
-      return `agent-fs:${a.path ?? ""}`;
-    case "shared-fs":
-      return `shared-fs:${a.path ?? ""}`;
-  }
-}
-
-function formatAttachmentsBlock(attachments: TaskAttachment[]): string {
-  if (attachments.length === 0) return "";
-  const lines = attachments.map((a) => {
-    const tag = a.isPrimary ? "[primary] " : "";
-    const intent = a.intent ? ` (intent: ${a.intent})` : "";
-    return `- ${tag}${a.name} — ${attachmentPointer(a)}${intent}`;
-  });
-  return `\n\nAttachments (${attachments.length}):\n${lines.join("\n")}`;
-}
-
 export const registerStoreProgressTool = (server: McpServer) => {
   createToolRegistrar(server)(
     "store-progress",
@@ -460,53 +432,16 @@ export const registerStoreProgressTool = (server: McpServer) => {
         !("wasNoOp" in result && result.wasNoOp)
       ) {
         try {
-          const taskAgent = getAgentById(result.task.agentId ?? "");
-          // Only create follow-ups for worker tasks (not lead's own tasks)
-          if (taskAgent && !taskAgent.isLead) {
-            const leadAgent = getLeadAgent();
-            if (leadAgent) {
-              const agentName = taskAgent.name || result.task.agentId?.slice(0, 8) || "Unknown";
-              const taskDesc = result.task.task.slice(0, 200);
-
-              let followUpDescription: string;
-              if (status === "completed") {
-                const attachmentsBlock = formatAttachmentsBlock(getTaskAttachments(taskId));
-                const outputSummary = output
-                  ? `${output.slice(0, 500)}${output.length > 500 ? "..." : ""}${attachmentsBlock}`
-                  : `(no output)${attachmentsBlock}`;
-                const completedResult = resolveTemplate("task.worker.completed", {
-                  agent_name: agentName,
-                  task_desc: taskDesc,
-                  output_summary: outputSummary,
-                  task_id: taskId,
-                });
-                followUpDescription = completedResult.text;
-              } else {
-                const reason = failureReason || "(no reason given)";
-                const failedResult = resolveTemplate("task.worker.failed", {
-                  agent_name: agentName,
-                  task_desc: taskDesc,
-                  failure_reason: reason,
-                  task_id: taskId,
-                });
-                followUpDescription = failedResult.text;
-              }
-
-              // If the original task came from Slack, forward context so lead can reply
-              createTaskExtended(followUpDescription, {
-                agentId: leadAgent.id,
-                source: "system",
-                taskType: "follow-up",
-                parentTaskId: taskId,
-                slackChannelId: result.task.slackChannelId,
-                slackThreadTs: result.task.slackThreadTs,
-                slackUserId: result.task.slackUserId,
-              });
-
-              console.log(
-                `[store-progress] Created follow-up task for lead (${leadAgent.name}) — ${status} task ${taskId.slice(0, 8)} by ${agentName}`,
-              );
-            }
+          const followUp = createWorkerTaskFollowUp({
+            task: result.task,
+            status,
+            output,
+            failureReason,
+          });
+          if (followUp) {
+            console.log(
+              `[store-progress] Created follow-up task ${followUp.id.slice(0, 8)} for ${status} task ${taskId.slice(0, 8)}`,
+            );
           }
         } catch (err) {
           // Non-blocking — follow-up task creation failure should not affect the store-progress response

package/src/tools/tool-config.ts

@@ -104,8 +104,9 @@ export const DEFERRED_TOOLS = new Set([
   "send-whatsapp-message",
   "reply-whatsapp-message",
 
-  // Tracker (6)
+  // Tracker (7)
   "tracker-status",
+  "get-oauth-access-token",
   "tracker-link-task",
   "tracker-unlink",
   "tracker-sync-status",

package/src/types.ts

@@ -212,6 +212,10 @@ export const AgentTaskSchema = z.object({
   // Provider tracking — which harness provider ran this task
   provider: ProviderNameSchema.optional(),
   providerMeta: z.record(z.string(), z.unknown()).optional(),
+
+  // Aggregated session cost for task list/read models. Undefined means no
+  // session cost rows have been recorded for this task.
+  totalCostUsd: z.number().min(0).optional(),
 });
 
 // ============================================================================
@@ -1328,6 +1332,7 @@ export type AgentTaskSummary = Pick<
   | "lastUpdatedAt"
   | "finishedAt"
   | "peakContextPercent"
+  | "totalCostUsd"
 >;
 
 export const PageVersionSchema = z.object({

package/src/utils/secret-scrubber.ts

@@ -142,6 +142,7 @@ interface ScrubCache {
 }
 
 let cache: ScrubCache | null = null;
+const volatileSecrets = new Map<string, string>();
 
 /** Fingerprint current env so we can invalidate cache cheaply when it changes. */
 function snapshotEnv(): string {
@@ -225,6 +226,12 @@ export function scrubSecrets(text: string | null | undefined): string {
     }
   }
 
+  for (const [value, name] of volatileSecrets) {
+    if (out.includes(value)) {
+      out = out.split(value).join(`[REDACTED:${name}]`);
+    }
+  }
+
   // Pass 2: structural patterns (catches secrets we never saw in env, e.g.
   // a token pasted into a tool_result by the operator or fetched from a
   // third-party API during a task).
@@ -265,3 +272,19 @@ export function scrubObject<T>(value: T, seen = new WeakSet<object>()): T {
 export function refreshSecretScrubberCache(): void {
   cache = null;
 }
+
+/**
+ * Register a runtime-fetched secret that is not present in process.env.
+ *
+ * Use this before returning short-lived tokens through an API/tool result so
+ * follow-on logs, telemetry previews, and session-log egress can redact the
+ * concrete value even though the caller still receives it.
+ */
+export function registerVolatileSecret(value: string, name: string): void {
+  if (value.length < MIN_VALUE_LENGTH) return;
+  volatileSecrets.set(value, name);
+}
+
+export function clearVolatileSecretsForTesting(): void {
+  volatileSecrets.clear();
+}