@desplega.ai/agent-swarm 1.87.0 → 1.89.0

package/src/e2b/dispatch.ts

@@ -14,6 +14,26 @@ export type E2BSandboxInfo = {
   startedAt?: string;
   endAt?: string;
   metadata?: Record<string, string>;
+  // Client-side fallback for the sandbox expiry. The raw `POST /sandboxes`
+  // create response uses E2B's `Sandbox` schema, which (unlike `ListedSandbox`
+  // / `SandboxDetail`) does NOT include `endAt`. We populate this from
+  // `now + timeoutSec*1000` at create time so `ttlRemaining` can report expiry
+  // immediately after a launch without an extra round-trip. `endAt` (when
+  // present, e.g. from `listSandboxes`) is always authoritative over this.
+  expiresAt?: string;
+};
+
+export type TtlRemaining = {
+  expiresAt?: string;
+  secondsLeft?: number;
+};
+
+export type SetSandboxTimeoutOptions = {
+  sandboxId: string;
+  apiKey: string;
+  apiBase?: string;
+  e2bEnv?: EnvMap;
+  timeoutMs: number;
 };
 
 export type E2BCommandResult = {
@@ -80,6 +100,25 @@ export type StartDetachedOptions = {
   cwd?: string;
 };
 
+export type StreamSandboxLogOptions = {
+  sandboxId: string;
+  role: E2BRole;
+  apiKey: string;
+  apiBase?: string;
+  e2bEnv?: EnvMap;
+  /** Number of trailing history lines to emit before following (default 200). */
+  tailLines?: number;
+  /** When true, keep streaming new output (`tail -f`) until the caller aborts. */
+  follow?: boolean;
+  /**
+   * Egress sink for each chunk. The caller MUST scrub here — log output is
+   * untrusted entrypoint stdout and can embed tokens/secrets.
+   */
+  onChunk: (chunk: string) => void;
+  /** Abort signal to stop a `--follow` stream (e.g. on SIGINT). */
+  signal?: AbortSignal;
+};
+
 type E2BSdkConnectionOptions = {
   apiKey: string;
   apiUrl?: string;
@@ -98,15 +137,24 @@ function e2bHeaders(apiKey: string): Record<string, string> {
   };
 }
 
-export function buildDetachedShell(command: string, logPath: string, pidPath: string): string {
-  return [
-    "set -e",
-    `nohup ${command} >${logPath} 2>&1 </dev/null & pid=$!`,
-    "sleep 2",
-    `if ! kill -0 "$pid" 2>/dev/null; then cat ${logPath} >&2; exit 1; fi`,
-    `echo "$pid" > ${pidPath}`,
-    'echo "$pid"',
-  ].join("; ");
+/**
+ * Build the shell payload for the envd-tracked entrypoint launch. Phase 5: the
+ * entrypoint is no longer detached via `nohup … >file &` (a grandchild envd
+ * never sees). Instead it runs as the SDK background command itself (envd owns
+ * and streams it; it survives client disconnect). We still `tee` to a
+ * deterministic file so `swarms logs` can retrieve FULL history later: the SDK's
+ * `commands.connect(pid)` only streams output going forward from the connect
+ * instant — it does NOT replay stdout produced while disconnected (verified
+ * against the e2b SDK types + docs) — so the file copy is the only reliable
+ * full-history source.
+ *
+ * `set -o pipefail` makes the pipeline's exit code reflect the ENTRYPOINT rather
+ * than `tee` (tee exits 0 on EOF even if the entrypoint crashed), so the early
+ * `exitCode` poll in {@link startDetachedProcess} can detect a launch failure.
+ * Invoked via `bash -lc` (both the api + worker images ship bash) for pipefail.
+ */
+export function buildTrackedShell(command: string, logPath: string): string {
+  return `set -o pipefail; ${command} 2>&1 | tee ${logPath}`;
 }
 
 export function e2bSdkConnectionOptions(
@@ -184,7 +232,10 @@ export async function e2bFetchJson<T>(
 }
 
 export async function createSandbox(opts: CreateSandboxOptions): Promise<E2BSandboxInfo> {
-  return e2bFetchJson<E2BSandboxInfo>(
+  // Capture the wall-clock create instant BEFORE the request so the client-side
+  // expiry fallback reflects when the TTL countdown begins.
+  const createdAt = Date.now();
+  const sandbox = await e2bFetchJson<E2BSandboxInfo>(
     "/sandboxes",
     opts.apiKey,
     {
@@ -200,6 +251,61 @@ export async function createSandbox(opts: CreateSandboxOptions): Promise<E2BSand
     },
     opts.apiBase,
   );
+  // Pre-flight check (resolved against node_modules/e2b types): the create
+  // response is E2B's `Sandbox` schema, which omits `endAt`. Compute a
+  // client-side expiry fallback so `ttlRemaining` works right after launch.
+  if (!sandbox.endAt && !sandbox.expiresAt) {
+    sandbox.expiresAt = new Date(createdAt + opts.timeoutSec * 1000).toISOString();
+  }
+  return sandbox;
+}
+
+/**
+ * Compute the remaining time-to-live for a sandbox. Prefers the authoritative
+ * `endAt` (present on listed/detail responses); falls back to the client-side
+ * `expiresAt` stamped by `createSandbox`. Returns an empty object when neither
+ * is available (e.g. a dry-run fake sandbox). `secondsLeft` is clamped at 0 so
+ * an already-expired sandbox never reports negative time.
+ */
+export function ttlRemaining(sandbox: E2BSandboxInfo): TtlRemaining {
+  const expiresAt = sandbox.endAt ?? sandbox.expiresAt;
+  if (!expiresAt) return {};
+  const expiryMs = Date.parse(expiresAt);
+  if (Number.isNaN(expiryMs)) return {};
+  const secondsLeft = Math.max(0, Math.round((expiryMs - Date.now()) / 1000));
+  return { expiresAt, secondsLeft };
+}
+
+/**
+ * Extend (or reduce) a live sandbox's TTL via the SDK and read back the actual
+ * `endAt` E2B applied (the server clamps to the tier max, so the requested
+ * timeout is not always honored verbatim). Connecting to a dead/expired sandbox
+ * throws; we translate that into a redacted "not found / already expired"
+ * error so a stale sandbox ID never leaks the controller key into logs.
+ */
+export async function setSandboxTimeout(opts: SetSandboxTimeoutOptions): Promise<TtlRemaining> {
+  const { Sandbox } = await import("e2b");
+  let sandbox: Awaited<ReturnType<typeof Sandbox.connect>>;
+  try {
+    sandbox = await Sandbox.connect(
+      opts.sandboxId,
+      e2bSdkConnectionOptions(opts.apiKey, opts.e2bEnv ?? {}, opts.apiBase),
+    );
+  } catch {
+    // Do not surface the underlying error verbatim — it can embed the
+    // controller API key / connection URL. Emit a fixed redacted message.
+    throw new Error(`sandbox ${opts.sandboxId} not found / already expired`);
+  }
+
+  await sandbox.setTimeout(opts.timeoutMs);
+  // `setTimeout` returns void; re-read the info to learn the clamped expiry.
+  const info = await sandbox.getInfo();
+  const expiresAt = info.endAt instanceof Date ? info.endAt.toISOString() : String(info.endAt);
+  return ttlRemaining({
+    sandboxID: opts.sandboxId,
+    templateID: info.templateId,
+    endAt: expiresAt,
+  });
 }
 
 export async function killSandbox(
@@ -222,27 +328,137 @@ export async function listSandboxes(
   return e2bFetchJson<E2BSandboxInfo[]>("/sandboxes", apiKey, {}, apiBase);
 }
 
+/**
+ * The deterministic per-role log path the entrypoint tees to. `swarms logs`
+ * recomputes it from the role alone (no PID bookkeeping needed) to `tail`/`cat`
+ * full history or `tail -f` for `--follow`.
+ */
+export function sandboxLogPath(role: E2BRole): string {
+  return `/tmp/agent-swarm-e2b-${role}.log`;
+}
+
+/**
+ * Launch the entrypoint as an envd-tracked BACKGROUND command (Phase 5). Returns
+ * the PID immediately. Replaces the old `nohup … >file & sleep 2; kill -0` hack:
+ * the SDK's background handle exposes `exitCode` (undefined while running), so we
+ * poll it once after a short grace period — a non-zero exit by then means the
+ * entrypoint died at launch, which we surface as a launch failure (reading the
+ * tee'd log for context). The `tee` preserves a file copy for full-history
+ * retrieval regardless of envd stdout-replay semantics.
+ */
 export async function startDetachedProcess(opts: StartDetachedOptions): Promise<string> {
-  const logPath = `/tmp/agent-swarm-e2b-${opts.role}.log`;
-  const pidPath = `/tmp/agent-swarm-e2b-${opts.role}.pid`;
-  const shell = buildDetachedShell(opts.command, logPath, pidPath);
+  const logPath = sandboxLogPath(opts.role);
+  const shell = buildTrackedShell(opts.command, logPath);
 
   const { Sandbox } = await import("e2b");
   const sandbox = await Sandbox.connect(
     opts.sandbox.sandboxID,
     e2bSdkConnectionOptions(opts.apiKey, opts.e2bEnv ?? {}, opts.apiBase),
   );
-  const result = await sandbox.commands.run(shell, {
+  // `bash -lc` (not `sh`) so `set -o pipefail` is honored on both images.
+  const handle = await sandbox.commands.run(`bash -lc ${shellQuote(shell)}`, {
     user: opts.user ?? "root",
     cwd: opts.cwd ?? "/",
     envs: opts.env,
-    timeoutMs: 30_000,
+    background: true,
   });
 
-  if (result.exitCode !== 0) {
-    throw new Error(`E2B start command failed: ${redactWithEnv(result.stderr, opts.env)}`);
+  // Early liveness poll: give the entrypoint a moment to fault, then check the
+  // handle's exit code. `undefined` = still running (the expected happy path).
+  await Bun.sleep(2_000);
+  if (typeof handle.exitCode === "number" && handle.exitCode !== 0) {
+    // The pipeline already exited non-zero — surface stderr/stdout (redacted, as
+    // entrypoint output can embed tokens) as a launch failure.
+    const detail = redactWithEnv(`${handle.stdout}\n${handle.stderr}`.trim(), opts.env);
+    throw new Error(`E2B start command exited ${handle.exitCode} at launch: ${detail}`);
+  }
+
+  return String(handle.pid);
+}
+
+/** Single-quote a string for safe embedding in a `bash -lc '<...>'` invocation. */
+function shellQuote(value: string): string {
+  return `'${value.split("'").join(`'\\''`)}'`;
+}
+
+/**
+ * Stream a sandbox's tee'd entrypoint log to the caller's `onChunk` sink.
+ *
+ * Design (Phase 5): we read from the deterministic per-role {@link sandboxLogPath}
+ * the entrypoint tees to — NOT from a tracked PID — so no PID bookkeeping is
+ * needed and history survives reconnect / a fresh CLI process. The SDK's
+ * `commands.connect(pid)` only streams forward from connect (no historical
+ * replay, verified against the SDK), so the file is the source of truth for
+ * full history.
+ *
+ * - History (no `--follow`): `tail -n <N> <logPath>` once (a CommandResult).
+ * - Follow: `tail -n <N> -F <logPath>` as a BACKGROUND command, piping each
+ *   `onStdout`/`onStderr` chunk to `onChunk` until the abort signal fires
+ *   (`-F` keeps following across truncation/rotation; tolerates a not-yet-created
+ *   file). The caller scrubs inside `onChunk`.
+ *
+ * Output is emitted RAW here; the caller is responsible for scrubbing in
+ * `onChunk` (it sees both this function's stdout and stderr).
+ */
+export async function streamSandboxLog(opts: StreamSandboxLogOptions): Promise<void> {
+  const logPath = sandboxLogPath(opts.role);
+  const tailLines = opts.tailLines ?? 200;
+
+  const { Sandbox } = await import("e2b");
+  const sandbox = await Sandbox.connect(
+    opts.sandboxId,
+    e2bSdkConnectionOptions(opts.apiKey, opts.e2bEnv ?? {}, opts.apiBase),
+  );
+
+  if (!opts.follow) {
+    // History only: a single `tail`. If the file does not exist yet (entrypoint
+    // hasn't written), `tail` exits non-zero with a message on stderr — we emit
+    // that to the sink rather than throwing, so a freshly-launched swarm reads as
+    // "no logs yet" instead of a hard error.
+    const result = await sandbox.commands.run(
+      `bash -lc ${shellQuote(`tail -n ${tailLines} ${logPath} 2>&1 || true`)}`,
+      { user: "root", timeoutMs: 30_000 },
+    );
+    if (result.stdout) opts.onChunk(result.stdout);
+    if (result.stderr) opts.onChunk(result.stderr);
+    return;
+  }
+
+  // Follow: background `tail -F` streaming forward. `-F` (vs `-f`) re-opens the
+  // file if it is rotated/recreated and waits for a not-yet-existing file.
+  const handle = await sandbox.commands.run(
+    `bash -lc ${shellQuote(`tail -n ${tailLines} -F ${logPath}`)}`,
+    {
+      user: "root",
+      background: true,
+      onStdout: (data) => opts.onChunk(data),
+      onStderr: (data) => opts.onChunk(data),
+    },
+  );
+
+  const stop = async () => {
+    try {
+      await handle.kill();
+    } catch {
+      // The command may already be gone (sandbox killed/expired); ignore.
+    }
+  };
+  if (opts.signal) {
+    if (opts.signal.aborted) {
+      await stop();
+      return;
+    }
+    opts.signal.addEventListener("abort", stop, { once: true });
+  }
+
+  try {
+    // `wait()` resolves when the stream ends (sandbox death) or the handle is
+    // killed by the abort listener above. `tail -F` otherwise runs indefinitely.
+    await handle.wait();
+  } catch {
+    // A kill / disconnect surfaces as a rejected wait — that is the expected exit
+    // path for `--follow`, not an error to propagate.
   }
-  return result.stdout.trim();
 }
 
 export async function waitForAgentRegistration(

package/src/github/handlers.ts

@@ -1,4 +1,4 @@
-import { failTask, findTaskByVcs, getAllAgents, incrKv, upsertKv } from "../be/db";
+import { failTask, findTaskByVcs, getAllAgents, getSwarmConfigs, incrKv, upsertKv } from "../be/db";
 import { findUserByExternalId } from "../be/users";
 import { resolveTemplate } from "../prompts/resolver";
 import { githubContextKey } from "../tasks/context-key";
@@ -46,6 +46,19 @@ function buildGithubContextKey(
   }
 }
 
+/**
+ * Runtime-config guards for cancel-on-unassign and cancel-on-review-request-removed.
+ * Absent key / any value other than "false" → true (cancel, current behavior).
+ * Value "false" → false (skip cancel, leave task untouched).
+ */
+function cancelFlagEnabled(key: string): boolean {
+  const row = getSwarmConfigs({ scope: "global", key })[0];
+  return row?.value !== "false";
+}
+const cancelOnUnassignEnabled = () => cancelFlagEnabled("github.cancelOnUnassign");
+const cancelOnReviewRequestRemovedEnabled = () =>
+  cancelFlagEnabled("github.cancelOnReviewRequestRemoved");
+
 /**
  * Get review state emoji and label
  */
@@ -278,6 +291,14 @@ export async function handlePullRequest(
       return { created: false };
     }
 
+    // Config gate: skip cancel if disabled
+    if (!cancelOnUnassignEnabled()) {
+      console.log(
+        `[GitHub] unassign cancel disabled by config — leaving task untouched (PR #${pr.number})`,
+      );
+      return { created: false };
+    }
+
     // Find the related task
     const task = findTaskByVcs(repository.full_name, pr.number);
     if (!task) {
@@ -378,6 +399,14 @@ export async function handlePullRequest(
       return { created: false };
     }
 
+    // Config gate: skip cancel if disabled
+    if (!cancelOnReviewRequestRemovedEnabled()) {
+      console.log(
+        `[GitHub] review-request-removed cancel disabled by config — leaving task untouched (PR #${pr.number})`,
+      );
+      return { created: false };
+    }
+
     // Find the related task
     const task = findTaskByVcs(repository.full_name, pr.number);
     if (!task) {
@@ -533,6 +562,7 @@ export async function handlePullRequest(
     vcsUrl: pr.html_url,
     vcsInstallationId: installation?.id,
     contextKey: buildGithubContextKey(repository.full_name, "pr", pr.number),
+    requestedByUserId,
   });
 
   if (lead) {
@@ -638,6 +668,14 @@ export async function handleIssue(
       return { created: false };
     }
 
+    // Config gate: skip cancel if disabled
+    if (!cancelOnUnassignEnabled()) {
+      console.log(
+        `[GitHub] unassign cancel disabled by config — leaving task untouched (issue #${issue.number})`,
+      );
+      return { created: false };
+    }
+
     // Find the related task
     const task = findTaskByVcs(repository.full_name, issue.number);
     if (!task) {
@@ -771,6 +809,7 @@ export async function handleIssue(
     vcsUrl: issue.html_url,
     vcsInstallationId: installation?.id,
     contextKey: buildGithubContextKey(repository.full_name, "issue", issue.number),
+    requestedByUserId,
   });
 
   if (lead) {

package/src/heartbeat/heartbeat.ts

@@ -1,5 +1,5 @@
 import {
-  claimTask,
+  assignUnassignedTaskPending,
   cleanupStaleSessions,
   createTaskExtended,
   deleteActiveSession,
@@ -461,7 +461,7 @@ function checkWorkerHealth(findings: HeartbeatFindings): void {
 
 /**
  * Auto-assign unassigned pool tasks to idle workers with capacity.
- * Uses atomic claimTask() to prevent races.
+ * Leaves tasks pending so the assigned worker's normal poll dispatches them.
  */
 function autoAssignPoolTasks(findings: HeartbeatFindings): void {
   getDb().transaction(() => {
@@ -472,16 +472,37 @@ function autoAssignPoolTasks(findings: HeartbeatFindings): void {
     if (poolTasks.length === 0) return;
 
     let workerIndex = 0;
+    const reservedByWorker = new Map<string, number>();
+    const reservedForWorker = (agentId: string): number => {
+      const cached = reservedByWorker.get(agentId);
+      if (cached !== undefined) return cached;
+      const row = getDb()
+        .prepare<{ count: number }, [string]>(
+          "SELECT COUNT(*) as count FROM agent_tasks WHERE agentId = ? AND status IN ('pending', 'in_progress')",
+        )
+        .get(agentId);
+      const reserved = row?.count ?? 0;
+      reservedByWorker.set(agentId, reserved);
+      return reserved;
+    };
+
     for (const task of poolTasks) {
       if (workerIndex >= idleWorkers.length) break;
 
       const worker = idleWorkers[workerIndex]!;
-      const claimed = claimTask(task.id, worker.id);
+      const maxTasks = worker.maxTasks ?? 1;
+      if (reservedForWorker(worker.id) >= maxTasks) {
+        workerIndex++;
+        continue;
+      }
+
+      const assigned = assignUnassignedTaskPending(task.id, worker.id);
 
-      if (claimed) {
+      if (assigned) {
         findings.autoAssigned.push({ taskId: task.id, agentId: worker.id });
+        reservedByWorker.set(worker.id, reservedForWorker(worker.id) + 1);
         // Check if this worker still has capacity for more
-        const remaining = (worker.maxTasks ?? 1) - getActiveTaskCount(worker.id);
+        const remaining = maxTasks - reservedForWorker(worker.id);
         if (remaining <= 0) {
           workerIndex++;
         }

package/src/http/active-sessions.ts

@@ -8,6 +8,7 @@ import {
   getActiveSessions,
   heartbeatActiveSession,
   insertActiveSession,
+  resetOrphanedInProgressTasksForAgent,
   updateActiveSessionProviderSessionId,
 } from "../be/db";
 import { route } from "./route-def";
@@ -115,6 +116,21 @@ const cleanupSessions = route({
   },
 });
 
+const recoverOrphanedTasks = route({
+  method: "post",
+  path: "/api/active-sessions/recover-orphaned-tasks",
+  pattern: ["api", "active-sessions", "recover-orphaned-tasks"],
+  summary: "Recover orphaned in-progress tasks for an agent",
+  tags: ["Active Sessions"],
+  body: z.object({
+    agentId: z.string().min(1),
+    minAgeSeconds: z.number().int().positive().optional(),
+  }),
+  responses: {
+    200: { description: "Recovery result" },
+  },
+});
+
 // ─── Handler ─────────────────────────────────────────────────────────────────
 
 export async function handleActiveSessions(
@@ -122,7 +138,7 @@ export async function handleActiveSessions(
   res: ServerResponse,
   pathSegments: string[],
   queryParams: URLSearchParams,
-  _myAgentId: string | undefined,
+  myAgentId: string | undefined,
 ): Promise<boolean> {
   if (listActiveSessions.match(req.method, pathSegments)) {
     const parsed = await listActiveSessions.parse(req, res, pathSegments, queryParams);
@@ -195,5 +211,20 @@ export async function handleActiveSessions(
     return true;
   }
 
+  if (recoverOrphanedTasks.match(req.method, pathSegments)) {
+    const parsed = await recoverOrphanedTasks.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    if (!myAgentId || parsed.body.agentId !== myAgentId) {
+      json(res, { error: "Can only recover orphaned tasks for the calling agent" }, 403);
+      return true;
+    }
+    const tasks = resetOrphanedInProgressTasksForAgent(
+      parsed.body.agentId,
+      parsed.body.minAgeSeconds ?? 60,
+    );
+    json(res, { recovered: tasks.length, tasks });
+    return true;
+  }
+
   return false;
 }

package/src/http/auth.ts

@@ -0,0 +1,36 @@
+import type { IncomingMessage } from "node:http";
+import { fingerprintApiKey, resolveUserByToken } from "../be/users";
+import type { User } from "../types";
+import type { HttpRequestAuth } from "../utils/request-auth-context";
+
+function extractBearer(req: IncomingMessage): string | null {
+  const raw = req.headers.authorization;
+  const header = Array.isArray(raw) ? raw[0] : raw;
+  if (!header?.startsWith("Bearer ")) return null;
+  return header.slice("Bearer ".length).trim();
+}
+
+export function resolveHttpRequestAuth(
+  req: IncomingMessage,
+  apiKey: string | undefined,
+): HttpRequestAuth | null {
+  const bearer = extractBearer(req);
+  if (!bearer) return null;
+
+  if (apiKey && bearer === apiKey) {
+    return { kind: "operator", fingerprint: fingerprintApiKey(bearer) };
+  }
+
+  if (bearer.startsWith("aswt_")) {
+    const user = resolveUserByToken(bearer);
+    if (isActiveUser(user)) {
+      return { kind: "user", userId: user.id, user };
+    }
+  }
+
+  return null;
+}
+
+function isActiveUser(user: User | null): user is User {
+  return !!user && user.status === "active";
+}

package/src/http/core.ts

@@ -15,7 +15,9 @@ import { initJira, resetJira } from "../jira";
 import { initLinear, resetLinear } from "../linear";
 import { startSlackApp, stopSlackApp } from "../slack";
 import type { AgentStatus } from "../types";
+import { setRequestAuth } from "../utils/request-auth-context";
 import { refreshSecretScrubberCache } from "../utils/secret-scrubber";
+import { resolveHttpRequestAuth } from "./auth";
 import { generateOpenApiSpec, SCALAR_HTML } from "./openapi";
 import { isPublicRoute } from "./route-def";
 import { agentWithCapacity, getPathSegments, parseQueryParams } from "./utils";
@@ -234,25 +236,27 @@ export async function handleCore(
     return true;
   }
 
-  // API-key authentication (if API_KEY is configured). Routes that opt out via
+  // API-key authentication. Routes that opt out via
   // `route({ auth: { apiKey: false } })` — webhooks, OAuth provider callbacks,
   // etc. — are skipped based on the central `routeRegistry`. Unknown paths
-  // fall through to the bearer check (fail-closed).
-  if (apiKey) {
-    const pathSegments = getPathSegments(req.url || "");
-    const isUserMcpRoute = req.url === "/mcp-user";
-    // `/mcp-user` runs its own `aswt_`-token auth in `handleMcpUser`; the swarm
-    // API key must not gate it.
-    if (!isUserMcpRoute && !isPublicRoute(req.method, pathSegments)) {
-      const authHeader = req.headers.authorization;
-      const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
-      if (providedKey !== apiKey) {
-        res.writeHead(401, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Unauthorized" }));
-        return true;
-      }
+  // fall through to the bearer check (fail-closed). Normal API calls may use
+  // either the global swarm key or an active user-bound `aswt_` token.
+  const pathSegments = getPathSegments(req.url || "");
+  const isUserMcpRoute = req.url === "/mcp-user";
+  // `/mcp-user` runs its own `aswt_`-token auth in `handleMcpUser`; the swarm
+  // API key must not gate it.
+  if (isUserMcpRoute || isPublicRoute(req.method, pathSegments)) {
+    setRequestAuth(req, null);
+  } else {
+    const auth = resolveHttpRequestAuth(req, apiKey);
+
+    if (!auth) {
+      setRequestAuth(req, null);
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Unauthorized" }));
+      return true;
     }
+    setRequestAuth(req, auth);
   }
 
   // POST /internal/reload-config — re-read swarm_config into process.env and re-init integrations

package/src/http/db-query.ts

@@ -11,6 +11,25 @@ export interface DbQueryResult {
   total: number;
 }
 
+function stripTrailingSemicolon(sql: string): string {
+  return sql.trim().replace(/;\s*$/, "").trim();
+}
+
+function assertSingleStatement(sql: string): void {
+  const stripped = stripTrailingSemicolon(sql);
+  if (stripped.includes(";")) {
+    throw new Error("Only one SQL statement is allowed");
+  }
+}
+
+export function assertSelectOnlyQuery(sql: string): void {
+  assertSingleStatement(sql);
+  const normalized = stripTrailingSemicolon(sql).toLowerCase();
+  if (!normalized.startsWith("select ") && !normalized.startsWith("with ")) {
+    throw new Error("Metric queries must start with SELECT or WITH");
+  }
+}
+
 /**
  * Execute a read-only SQL query against the swarm database.
  * Detects write statements via bun:sqlite's columnNames (empty for INSERT/UPDATE/DELETE/DROP).
@@ -20,6 +39,7 @@ export function executeReadOnlyQuery(
   params: unknown[] = [],
   maxRows?: number,
 ): DbQueryResult {
+  assertSingleStatement(sql);
   const stmt = getDb().prepare(sql);
 
   // bun:sqlite: columnNames is empty for write statements, populated for SELECT/PRAGMA/EXPLAIN

package/src/http/index.ts

@@ -46,6 +46,7 @@ import { handleMcpOAuth, startMcpOAuthPendingGc, stopMcpOAuthPendingGc } from ".
 import { handleMcpServers } from "./mcp-servers";
 import { handleMcpUser } from "./mcp-user";
 import { handleMemory } from "./memory";
+import { handleMetrics } from "./metrics";
 import { handlePageProxy } from "./page-proxy";
 import { handlePages } from "./pages";
 import { handlePagesPublic } from "./pages-public";
@@ -229,6 +230,7 @@ const httpServer = createHttpServer(async (req, res) => {
         () => handleIntegrations(req, res, pathSegments),
         () => handlePromptTemplates(req, res, pathSegments, queryParams),
         () => handleDbQuery(req, res, pathSegments, queryParams),
+        () => handleMetrics(req, res, pathSegments, queryParams, myAgentId),
         () => handleRepos(req, res, pathSegments, queryParams),
         () => handleSkills(req, res, pathSegments, queryParams, myAgentId),
         () => handleScripts(req, res, pathSegments, queryParams, myAgentId),