@swarmclawai/swarmclaw 0.6.7 → 0.7.0

package/src/app/api/memory/route.ts

@@ -1,7 +1,16 @@
 import { genId } from '@/lib/id'
 import fs from 'fs'
 import { NextResponse } from 'next/server'
-import { getMemoryDb, getMemoryLookupLimits, storeMemoryImageAsset, storeMemoryImageFromDataUrl } from '@/lib/server/memory-db'
+import {
+  filterMemoriesByScope,
+  getMemoryDb,
+  getMemoryLookupLimits,
+  normalizeMemoryScopeMode,
+  storeMemoryImageAsset,
+  storeMemoryImageFromDataUrl,
+  type MemoryRerankMode,
+  type MemoryScopeFilter,
+} from '@/lib/server/memory-db'
 import { resolveLookupRequest } from '@/lib/server/memory-graph'
 import type { MemoryReference, FileReference, MemoryImage } from '@/types'
 
@@ -21,10 +30,16 @@ export async function GET(req: Request) {
   const { searchParams } = new URL(req.url)
   const q = searchParams.get('q')
   const agentId = searchParams.get('agentId')
+  const rawScope = searchParams.get('scope')
   const envelope = searchParams.get('envelope') === 'true'
   const requestedDepth = parseOptionalInt(searchParams.get('depth'))
   const requestedLimit = parseOptionalInt(searchParams.get('limit'))
   const requestedLinkedLimit = parseOptionalInt(searchParams.get('linkedLimit'))
+  const scopeMode = normalizeMemoryScopeMode(rawScope ?? (agentId ? 'agent' : 'all'))
+  const scopeSessionId = searchParams.get('scopeSessionId')
+  const scopeProjectRoot = searchParams.get('projectRoot')
+  const rerankRaw = searchParams.get('rerank')
+  const rerankMode: MemoryRerankMode = rerankRaw === 'semantic' || rerankRaw === 'lexical' ? rerankRaw : 'balanced'
 
   const counts = searchParams.get('counts') === 'true'
   const db = getMemoryDb()
@@ -39,14 +54,27 @@ export async function GET(req: Request) {
     limit: requestedLimit,
     linkedLimit: requestedLinkedLimit,
   })
+  const scopeFilter: MemoryScopeFilter = {
+    mode: scopeMode,
+    agentId: agentId || null,
+    sessionId: scopeSessionId || null,
+    projectRoot: scopeProjectRoot || null,
+  }
 
   if (q) {
     if (limits.maxDepth > 0) {
-      const result = db.searchWithLinked(q, agentId || undefined, limits.maxDepth, limits.maxPerLookup, limits.maxLinkedExpansion)
+      const result = db.searchWithLinked(
+        q,
+        agentId || undefined,
+        limits.maxDepth,
+        limits.maxPerLookup,
+        limits.maxLinkedExpansion,
+        { scope: scopeFilter, rerankMode },
+      )
       if (envelope) return NextResponse.json(result)
       return NextResponse.json(result.entries)
     }
-    const base = db.search(q, agentId || undefined)
+    const base = db.search(q, agentId || undefined, { scope: scopeFilter, rerankMode })
     const entries = base.slice(0, limits.maxPerLookup)
     if (envelope) {
       return NextResponse.json({
@@ -59,11 +87,14 @@ export async function GET(req: Request) {
     return NextResponse.json(entries)
   }
 
-  const entries = db.list(agentId || undefined, limits.maxPerLookup)
+  const scanLimit = Math.max(limits.maxPerLookup, 200)
+  const listed = db.list(undefined, scanLimit)
+  const filtered = filterMemoriesByScope(listed, scopeFilter)
+  const entries = filtered.slice(0, limits.maxPerLookup)
   if (envelope) {
     return NextResponse.json({
       entries,
-      truncated: false,
+      truncated: filtered.length > entries.length,
       expandedLinkedCount: 0,
       limits,
     })

package/src/app/api/notifications/route.ts

@@ -13,6 +13,9 @@ export async function GET(req: Request) {
   const all = loadNotifications()
   let entries = Object.values(all) as AppNotification[]
 
+  // Approval requests now have a dedicated Approvals view/badge; keep notifications focused on ops/events.
+  entries = entries.filter((e) => e.entityType !== 'approval')
+
   if (unreadOnly) {
     entries = entries.filter((e) => !e.read)
   }

package/src/app/api/plugins/install/route.ts

@@ -1,12 +1,43 @@
 import { NextResponse } from 'next/server'
 import fs from 'fs'
 import path from 'path'
+import { getPluginManager } from '@/lib/server/plugins'
 
 const PLUGINS_DIR = path.join(process.cwd(), 'data', 'plugins')
 
+function toRawUrl(url: string): string {
+  if (url.includes('github.com') && url.includes('/blob/')) {
+    return url.replace('github.com', 'raw.githubusercontent.com').replace('/blob/', '/')
+  }
+  if (url.includes('gist.github.com')) {
+    return url.endsWith('/raw') ? url : `${url}/raw`
+  }
+  return url
+}
+
+function normalizeMarketplaceUrl(url: string): string {
+  const trimmed = typeof url === 'string' ? url.trim() : ''
+  if (!trimmed) return trimmed
+
+  let normalized = trimmed
+    .replace('github.com/swarmclawai/plugins/', 'github.com/swarmclawai/swarmforge/')
+    .replace('raw.githubusercontent.com/swarmclawai/plugins/', 'raw.githubusercontent.com/swarmclawai/swarmforge/')
+
+  normalized = toRawUrl(normalized)
+
+  // Legacy registry entries used master and old repo names.
+  normalized = normalized
+    .replace('/swarmclawai/swarmforge/master/', '/swarmclawai/swarmforge/main/')
+    .replace('/swarmclawai/plugins/master/', '/swarmclawai/swarmforge/main/')
+    .replace('/swarmclawai/plugins/main/', '/swarmclawai/swarmforge/main/')
+
+  return normalized
+}
+
 export async function POST(req: Request) {
   const body = await req.json()
   const { url, filename } = body
+  const rawUrl = normalizeMarketplaceUrl(url)
 
   // Validate URL
   if (!url || typeof url !== 'string' || !url.startsWith('https://')) {
@@ -34,11 +65,27 @@ export async function POST(req: Request) {
   }
 
   try {
-    const res = await fetch(url)
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(15_000) })
     if (!res.ok) {
-      throw new Error(`Download failed: ${res.status}`)
+      return NextResponse.json(
+        { error: `Download failed (HTTP ${res.status}) from ${rawUrl}` },
+        { status: 502 },
+      )
     }
-    const code = await res.text()
+    const contentType = res.headers.get('content-type') || ''
+    let code = await res.text()
+
+    // Reject HTML responses (likely a GitHub page, not raw content)
+    if (contentType.includes('text/html') && code.includes('<!DOCTYPE')) {
+      return NextResponse.json(
+        { error: 'URL returned an HTML page instead of JavaScript. Use a raw/direct link to the .js file.' },
+        { status: 400 },
+      )
+    }
+
+    // Compatibility fix: Strip node-fetch requires if present, as modern Node has global fetch
+    code = code.replace(/const\s+fetch\s*=\s*require\(['"]node-fetch['"]\);?/g, '// node-fetch stripped for compatibility')
+    code = code.replace(/import\s+fetch\s+from\s+['"]node-fetch['"];?/g, '// node-fetch stripped for compatibility')
 
     // Ensure plugins directory exists
     if (!fs.existsSync(PLUGINS_DIR)) {
@@ -48,11 +95,16 @@ export async function POST(req: Request) {
     const dest = path.join(PLUGINS_DIR, sanitized)
     fs.writeFileSync(dest, code, 'utf8')
 
+    // Force plugin manager to re-scan so the new plugin appears in listings
+    getPluginManager().reload()
+
     return NextResponse.json({ ok: true, filename: sanitized })
   } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err)
+    const isTimeout = msg.includes('abort') || msg.includes('timeout')
     return NextResponse.json(
-      { error: 'Failed to install plugin', message: err instanceof Error ? err.message : String(err) },
-      { status: 500 },
+      { error: isTimeout ? 'Download timed out — the plugin URL may be unreachable' : `Install failed: ${msg}` },
+      { status: isTimeout ? 504 : 500 },
     )
   }
 }

package/src/app/api/plugins/marketplace/route.ts

@@ -1,35 +1,86 @@
 import { NextResponse } from 'next/server'
-export const dynamic = 'force-dynamic'
+import { searchClawHub } from '@/lib/server/clawhub-client'
 
+export const dynamic = 'force-dynamic'
 
-const REGISTRY_URL = 'https://swarmclaw.ai/registry/plugins.json'
+const REGISTRY_URLS = [
+  'https://raw.githubusercontent.com/swarmclawai/swarmforge/main/registry.json',
+  'https://swarmclaw.ai/registry/plugins.json',
+]
 const CACHE_TTL = 5 * 60 * 1000 // 5 minutes
 
-let cache: { data: any; fetchedAt: number } | null = null
+let cache: { data: unknown; fetchedAt: number } | null = null
 
-export async function GET(_req: Request) {
-  const now = Date.now()
+function normalizeRegistryPluginUrl(url: unknown): string | null {
+  if (typeof url !== 'string') return null
+  const trimmed = url.trim()
+  if (!trimmed) return null
+  return trimmed
+    .replace('github.com/swarmclawai/plugins/', 'github.com/swarmclawai/swarmforge/')
+    .replace('raw.githubusercontent.com/swarmclawai/plugins/', 'raw.githubusercontent.com/swarmclawai/swarmforge/')
+    .replace('/swarmclawai/swarmforge/master/', '/swarmclawai/swarmforge/main/')
+    .replace('/swarmclawai/plugins/master/', '/swarmclawai/swarmforge/main/')
+    .replace('/swarmclawai/plugins/main/', '/swarmclawai/swarmforge/main/')
+}
 
-  if (cache && now - cache.fetchedAt < CACHE_TTL) {
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const query = searchParams.get('q') || ''
+  
+  const now = Date.now()
+  if (!query && cache && now - cache.fetchedAt < CACHE_TTL) {
     return NextResponse.json(cache.data)
   }
 
-  try {
-    const res = await fetch(REGISTRY_URL, { cache: 'no-store' })
-    if (!res.ok) {
-      throw new Error(`Registry returned ${res.status}`)
-    }
-    const data = await res.json()
-    cache = { data, fetchedAt: now }
-    return NextResponse.json(data)
-  } catch (err: any) {
-    // Return stale cache if available
-    if (cache) {
-      return NextResponse.json(cache.data)
+  const allPlugins: Record<string, unknown>[] = []
+
+  // 1. Fetch SwarmClaw Registry
+  for (const registryUrl of REGISTRY_URLS) {
+    try {
+      const res = await fetch(registryUrl, { cache: 'no-store' })
+      if (!res.ok) continue
+
+      const data = await res.json()
+      const filtered = (data as Array<{ name: string; description: string; url?: string }>).filter((p) => {
+        if (!p || typeof p.name !== 'string' || typeof p.description !== 'string') return false
+        return !query || p.name.toLowerCase().includes(query.toLowerCase()) || p.description.toLowerCase().includes(query.toLowerCase())
+      })
+
+      allPlugins.push(...filtered.map((p: { id?: string; name?: string; url?: string }) => ({
+        ...p,
+        id: p.id || (p.name || '').toLowerCase().replace(/[^a-z0-9]/g, '_'),
+        url: normalizeRegistryPluginUrl(p.url) || p.url,
+        source: 'swarmclaw',
+      })))
+      break
+    } catch (err: unknown) {
+      console.warn('[marketplace] SC Registry failed:', {
+        registryUrl,
+        error: err instanceof Error ? err.message : String(err),
+      })
     }
-    return NextResponse.json(
-      { error: 'Failed to fetch plugin registry', message: err.message },
-      { status: 502 },
-    )
   }
+
+  // 2. Fetch ClawHub Skills/Plugins
+  try {
+    const hubResults = await searchClawHub(query)
+    allPlugins.push(...hubResults.skills.map(s => ({
+      id: s.id, // Explicitly ensure ID is present
+      name: s.name,
+      description: s.description,
+      author: s.author,
+      version: s.version || '1.0.0',
+      url: s.url,
+      source: 'clawhub'
+    })))
+  } catch (err: unknown) {
+    console.warn('[marketplace] ClawHub failed:', err instanceof Error ? err.message : String(err))
+  }
+
+  // Update cache only for empty queries
+  if (!query) {
+    cache = { data: allPlugins, fetchedAt: now }
+  }
+
+  return NextResponse.json(allPlugins)
 }

package/src/app/api/plugins/route.ts

@@ -1,7 +1,33 @@
 import { NextResponse } from 'next/server'
 import { getPluginManager } from '@/lib/server/plugins'
-export const dynamic = 'force-dynamic'
 
+// Ensure all builtin plugins are registered by importing their modules
+import '@/lib/server/session-tools/shell'
+import '@/lib/server/session-tools/file'
+import '@/lib/server/session-tools/edit_file'
+import '@/lib/server/session-tools/web'
+import '@/lib/server/session-tools/memory'
+import '@/lib/server/session-tools/platform'
+import '@/lib/server/session-tools/monitor'
+import '@/lib/server/session-tools/discovery'
+import '@/lib/server/session-tools/sample-ui'
+import '@/lib/server/session-tools/git'
+import '@/lib/server/session-tools/wallet'
+import '@/lib/server/session-tools/connector'
+import '@/lib/server/session-tools/http'
+import '@/lib/server/session-tools/sandbox'
+import '@/lib/server/session-tools/canvas'
+import '@/lib/server/session-tools/chatroom'
+import '@/lib/server/session-tools/delegate'
+import '@/lib/server/session-tools/schedule'
+import '@/lib/server/session-tools/session-info'
+import '@/lib/server/session-tools/openclaw-nodes'
+import '@/lib/server/session-tools/openclaw-workspace'
+import '@/lib/server/session-tools/context-mgmt'
+import '@/lib/server/session-tools/subagent'
+import '@/lib/server/session-tools/plugin-creator'
+
+export const dynamic = 'force-dynamic'
 
 export async function GET(_req: Request) {
   const manager = getPluginManager()
@@ -21,3 +47,37 @@ export async function POST(req: Request) {
 
   return NextResponse.json({ ok: true })
 }
+
+export async function DELETE(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const filename = searchParams.get('filename')
+  if (!filename) {
+    return NextResponse.json({ error: 'filename required' }, { status: 400 })
+  }
+  const manager = getPluginManager()
+  const deleted = manager.deletePlugin(filename)
+  if (!deleted) {
+    return NextResponse.json({ error: 'Cannot delete built-in or non-existent plugin' }, { status: 400 })
+  }
+  return NextResponse.json({ ok: true })
+}
+
+export async function PATCH(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const id = searchParams.get('id')
+  const all = searchParams.get('all') === 'true'
+  
+  const manager = getPluginManager()
+  
+  if (all) {
+    await manager.updateAllPlugins()
+    return NextResponse.json({ ok: true, message: 'All plugins updated' })
+  }
+  
+  if (id) {
+    await manager.updatePlugin(id)
+    return NextResponse.json({ ok: true, message: `Plugin ${id} updated` })
+  }
+  
+  return NextResponse.json({ error: 'id or all=true required' }, { status: 400 })
+}

package/src/app/api/plugins/ui/route.ts

@@ -0,0 +1,34 @@
+import { NextResponse } from 'next/server'
+import { getPluginManager } from '@/lib/server/plugins'
+
+export const dynamic = 'force-dynamic'
+
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const type = searchParams.get('type') // 'sidebar', 'header', etc.
+  
+  const manager = getPluginManager()
+  const extensions = manager.getUIExtensions()
+  
+  if (type === 'sidebar') {
+    const items = extensions.flatMap(ui => ui.sidebarItems || [])
+    return NextResponse.json(items)
+  }
+  
+  if (type === 'header') {
+    const widgets = extensions.flatMap(ui => ui.headerWidgets || [])
+    return NextResponse.json(widgets)
+  }
+  
+  if (type === 'chat_actions') {
+    const actions = extensions.flatMap(ui => ui.chatInputActions || [])
+    return NextResponse.json(actions)
+  }
+  
+  if (type === 'connectors') {
+    const connectors = manager.getConnectors()
+    return NextResponse.json(connectors)
+  }
+
+  return NextResponse.json(extensions)
+}

package/src/app/api/sessions/[id]/checkpoints/route.ts

@@ -0,0 +1,31 @@
+import { NextResponse } from 'next/server'
+import { getCheckpointSaver } from '@/lib/server/langgraph-checkpoint'
+
+export const dynamic = 'force-dynamic'
+
+/** GET /api/sessions/[id]/checkpoints — returns checkpoint history for a thread */
+export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id: threadId } = await params
+  if (!threadId) return NextResponse.json({ error: 'Thread ID is required' }, { status: 400 })
+
+  const saver = getCheckpointSaver()
+  const checkpoints = []
+  
+  // LangGraph's list() is an async generator
+  const iterator = saver.list({ configurable: { thread_id: threadId } })
+  
+  for await (const tuple of iterator) {
+    checkpoints.push({
+      checkpointId: tuple.config.configurable?.checkpoint_id,
+      parentCheckpointId: tuple.parentConfig?.configurable?.checkpoint_id,
+      metadata: tuple.metadata,
+      createdAt: new Date(tuple.checkpoint.ts).getTime(),
+      values: tuple.checkpoint.channel_values,
+    })
+  }
+
+  // Sort by created_at descending (saver.list usually does this but we want to be sure)
+  checkpoints.sort((a, b) => (b.createdAt || 0) - (a.createdAt || 0))
+
+  return NextResponse.json(checkpoints)
+}

package/src/app/api/sessions/[id]/restore/route.ts

@@ -0,0 +1,36 @@
+import { NextResponse } from 'next/server'
+import { getCheckpointSaver } from '@/lib/server/langgraph-checkpoint'
+import { loadSessions, saveSessions } from '@/lib/server/storage'
+import { notify } from '@/lib/server/ws-hub'
+
+export const dynamic = 'force-dynamic'
+
+/** POST /api/sessions/[id]/restore — restores thread to a specific checkpoint */
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id: sessionId } = await params
+  const { checkpointId, timestamp } = await req.json()
+  
+  if (!checkpointId || !timestamp) {
+    return NextResponse.json({ error: 'checkpointId and timestamp are required' }, { status: 400 })
+  }
+
+  const saver = getCheckpointSaver()
+  
+  // 1. Delete all checkpoints after the target one
+  await saver.deleteCheckpointsAfter(sessionId, timestamp)
+
+  // 2. Truncate messages in the session to match the timestamp
+  // Both timestamp (from checkpoint.ts → getTime()) and Message.time use epoch milliseconds
+  const sessions = loadSessions()
+  const session = sessions[sessionId]
+  if (session) {
+    session.messages = session.messages.filter((m: { time: number }) => m.time <= timestamp)
+    session.lastActiveAt = Date.now()
+    saveSessions(sessions)
+  }
+
+  notify(`messages:${sessionId}`)
+  notify('sessions')
+  
+  return NextResponse.json({ ok: true, restoredTo: checkpointId })
+}

package/src/app/api/settings/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { loadSettings, saveSettings } from '@/lib/server/storage'
+import { DEFAULT_DELEGATION_MAX_DEPTH } from '@/lib/runtime-loop'
 export const dynamic = 'force-dynamic'
 
 
@@ -9,6 +10,16 @@ const MEMORY_PER_LOOKUP_MIN = 1
 const MEMORY_PER_LOOKUP_MAX = 200
 const MEMORY_LINKED_MIN = 0
 const MEMORY_LINKED_MAX = 1000
+const DELEGATION_DEPTH_MIN = 1
+const DELEGATION_DEPTH_MAX = 12
+const RESPONSE_CACHE_TTL_MIN_SEC = 5
+const RESPONSE_CACHE_TTL_MAX_SEC = 7 * 24 * 3600
+const RESPONSE_CACHE_MAX_ENTRIES_MIN = 1
+const RESPONSE_CACHE_MAX_ENTRIES_MAX = 20_000
+const TASK_QG_MIN_RESULT_MIN = 10
+const TASK_QG_MIN_RESULT_MAX = 2000
+const TASK_QG_MIN_EVIDENCE_MIN = 0
+const TASK_QG_MIN_EVIDENCE_MAX = 8
 
 function parseIntSetting(value: unknown, fallback: number, min: number, max: number): number {
   const parsed = typeof value === 'number'
@@ -20,6 +31,16 @@ function parseIntSetting(value: unknown, fallback: number, min: number, max: num
   return Math.max(min, Math.min(max, Math.trunc(parsed)))
 }
 
+function parseBoolSetting(value: unknown, fallback: boolean): boolean {
+  if (typeof value === 'boolean') return value
+  if (typeof value === 'string') {
+    const normalized = value.trim().toLowerCase()
+    if (['1', 'true', 'yes', 'on'].includes(normalized)) return true
+    if (['0', 'false', 'no', 'off'].includes(normalized)) return false
+  }
+  return fallback
+}
+
 export async function GET(_req: Request) {
   return NextResponse.json(loadSettings())
 }
@@ -47,6 +68,36 @@ export async function PUT(req: Request) {
     MEMORY_LINKED_MIN,
     MEMORY_LINKED_MAX,
   )
+  const nextDelegationDepth = parseIntSetting(
+    settings.delegationMaxDepth,
+    DEFAULT_DELEGATION_MAX_DEPTH,
+    DELEGATION_DEPTH_MIN,
+    DELEGATION_DEPTH_MAX,
+  )
+  const nextResponseCacheTtlSec = parseIntSetting(
+    settings.responseCacheTtlSec,
+    15 * 60,
+    RESPONSE_CACHE_TTL_MIN_SEC,
+    RESPONSE_CACHE_TTL_MAX_SEC,
+  )
+  const nextResponseCacheMaxEntries = parseIntSetting(
+    settings.responseCacheMaxEntries,
+    500,
+    RESPONSE_CACHE_MAX_ENTRIES_MIN,
+    RESPONSE_CACHE_MAX_ENTRIES_MAX,
+  )
+  const nextTaskQgMinResultChars = parseIntSetting(
+    settings.taskQualityGateMinResultChars,
+    80,
+    TASK_QG_MIN_RESULT_MIN,
+    TASK_QG_MIN_RESULT_MAX,
+  )
+  const nextTaskQgMinEvidenceItems = parseIntSetting(
+    settings.taskQualityGateMinEvidenceItems,
+    2,
+    TASK_QG_MIN_EVIDENCE_MIN,
+    TASK_QG_MIN_EVIDENCE_MAX,
+  )
 
   // Keep new and legacy keys synchronized for backward compatibility.
   settings.memoryReferenceDepth = nextDepth
@@ -54,6 +105,17 @@ export async function PUT(req: Request) {
   settings.maxMemoriesPerLookup = nextPerLookup
   settings.memoryMaxPerLookup = nextPerLookup
   settings.maxLinkedMemoriesExpanded = nextLinked
+  settings.delegationMaxDepth = nextDelegationDepth
+  settings.responseCacheTtlSec = nextResponseCacheTtlSec
+  settings.responseCacheMaxEntries = nextResponseCacheMaxEntries
+  settings.responseCacheEnabled = parseBoolSetting(settings.responseCacheEnabled, true)
+  settings.taskQualityGateEnabled = parseBoolSetting(settings.taskQualityGateEnabled, true)
+  settings.taskQualityGateMinResultChars = nextTaskQgMinResultChars
+  settings.taskQualityGateMinEvidenceItems = nextTaskQgMinEvidenceItems
+  settings.taskQualityGateRequireVerification = parseBoolSetting(settings.taskQualityGateRequireVerification, false)
+  settings.taskQualityGateRequireArtifact = parseBoolSetting(settings.taskQualityGateRequireArtifact, false)
+  settings.taskQualityGateRequireReport = parseBoolSetting(settings.taskQualityGateRequireReport, false)
+  settings.integrityMonitorEnabled = parseBoolSetting(settings.integrityMonitorEnabled, true)
 
   saveSettings(settings)
 

package/src/app/api/setup/doctor/route.ts

@@ -37,8 +37,9 @@ function run(command: string, args: string[], timeoutMs = 8_000): CommandResult
       return { ok: false, output: '', error: err || `exit ${result.status}` }
     }
     return { ok: true, output: (result.stdout || '').trim() }
-  } catch (err: any) {
-    return { ok: false, output: '', error: err?.message || String(err) }
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : String(err)
+    return { ok: false, output: '', error: message }
   }
 }
 
@@ -75,8 +76,9 @@ function testDataWriteAccess(dataDir: string): { ok: boolean; error?: string } {
     fs.writeFileSync(probe, 'ok', 'utf8')
     fs.unlinkSync(probe)
     return { ok: true }
-  } catch (err: any) {
-    return { ok: false, error: err?.message || String(err) }
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : String(err)
+    return { ok: false, error: message }
   }
 }
 
@@ -104,6 +106,22 @@ export async function GET(req: Request) {
     actions.push('Install npm and rerun `npm run setup:easy`.')
   }
 
+  const denoCheck = run('deno', ['--version'], 5_000)
+  if (denoCheck.ok) {
+    const denoVersion = denoCheck.output.split('\n').map((line) => line.trim()).find(Boolean) || denoCheck.output
+    pushCheck(checks, 'deno', 'Deno (sandbox runtime)', 'pass', `${denoVersion} is available.`, true)
+  } else {
+    pushCheck(
+      checks,
+      'deno',
+      'Deno (sandbox runtime)',
+      'fail',
+      denoCheck.error || 'Deno was not found in PATH.',
+      true,
+    )
+    actions.push('Run `npm run setup:easy` to install Deno automatically, or install Deno from https://deno.land/#installation.')
+  }
+
   const dataDir = path.join(process.cwd(), 'data')
   const dataWrite = testDataWriteAccess(dataDir)
   if (dataWrite.ok) {
@@ -165,7 +183,6 @@ export async function GET(req: Request) {
     { id: 'claude-cli', label: 'Claude Code CLI', command: 'claude' },
     { id: 'codex-cli', label: 'OpenAI Codex CLI', command: 'codex' },
     { id: 'opencode-cli', label: 'OpenCode CLI', command: 'opencode' },
-    { id: 'deno', label: 'Deno (sandbox runtime)', command: 'deno' },
   ]
 
   for (const binary of optionalBinaries) {