@swarmclawai/swarmclaw 0.6.8 → 0.7.0

package/README.md

@@ -12,7 +12,7 @@ The orchestration dashboard for OpenClaw. Manage a swarm of OpenClaws + 14 other
 
 Inspired by [OpenClaw](https://github.com/openclaw).
 
-**[Documentation](https://swarmclaw.ai/docs)** | **[Website](https://swarmclaw.ai)**
+**[Documentation](https://swarmclaw.ai/docs)** | **[Plugin Tutorial](https://swarmclaw.ai/docs/plugin-tutorial)** | **[Website](https://swarmclaw.ai)**
 
 ![Dashboard](public/screenshots/dashboard.png)
 ![Agent Builder](public/screenshots/agents.png)
@@ -85,7 +85,7 @@ curl -fsSL https://raw.githubusercontent.com/swarmclawai/swarmclaw/main/install.
 ```
 
 The installer resolves the latest stable release tag and installs that version by default.
-To pin a version: `SWARMCLAW_VERSION=v0.6.6 curl ... | bash`
+To pin a version: `SWARMCLAW_VERSION=v0.7.0 curl ... | bash`
 
 Or run locally from the repo (friendly for non-technical users):
 
@@ -201,8 +201,9 @@ Notes:
 All config lives in `.env.local` (auto-generated):
 
 ```
-ACCESS_KEY=<your-access-key>       # Auth key for the dashboard
-CREDENTIAL_SECRET=<auto-generated> # AES-256 encryption key for stored credentials
+ACCESS_KEY=<your-access-key>                # Auth key for the dashboard
+CREDENTIAL_SECRET=<auto-generated>          # AES-256 encryption key for stored credentials
+SWARMCLAW_PLUGIN_FAILURE_THRESHOLD=3        # Consecutive failures before auto-disabling a plugin
 ```
 
 Data is stored in `data/swarmclaw.db` (SQLite with WAL mode), `data/memory.db` (agent memory with FTS5 + vector embeddings), `data/logs.db` (execution audit trail), and `data/langgraph-checkpoints.db` (orchestrator checkpoints). Back the `data/` directory up if you care about your sessions, agents, and credentials. Existing JSON file data is auto-migrated to SQLite on first run.
@@ -449,54 +450,68 @@ When enabled, new memories get vector embeddings. Search uses both FTS5 keyword
 
 Agents and sessions can have **fallback credentials**. If the primary API key gets a 401, 429, or 500 error, SwarmClaw automatically retries with the next credential. Configure fallback keys in the agent builder UI.
 
-## Plugins
+## Plugin System
 
-Extend agent behavior with JS plugins. Three ways to install:
+SwarmClaw features a powerful, modular plugin system designed for both agent enhancement and application extensibility. It is fully compatible with the **OpenClaw** plugin format.
 
-1. **Marketplace** — Browse and install approved plugins from Settings → Plugins → Marketplace
-2. **URL** — Install from any HTTPS URL via Settings → Plugins → Install from URL
-3. **Manual** — Drop `.js` files into `data/plugins/`
+Plugins can be managed in **Settings → Plugins** and installed via the Marketplace, URL, or by dropping `.js` files into `data/plugins/`.
 
-### Plugin Format (SwarmClaw)
+Docs:
+- Full docs: https://swarmclaw.ai/docs
+- Plugin tutorial: https://swarmclaw.ai/docs/plugin-tutorial
+
+### Extension Points
+
+Unlike standard tool systems, SwarmClaw plugins can modify the application itself:
+
+- **Agent Tools**: Define custom tools that agents can autonomously discover and use.
+- **Lifecycle Hooks**: Intercept events like `beforeAgentStart`, `afterToolExec`, and `onMessage`.
+- **UI Extensions**:
+  - `sidebarItems`: Inject new navigation links into the main sidebar.
+  - `headerWidgets`: Add status badges or indicators to the chat header (e.g., Wallet Balance).
+  - `chatInputActions`: Add custom action buttons next to the chat input (e.g., "Quick Scan").
+  - `plugin-ui` Messages: Render rich, interactive React cards in the chat stream.
+- **Deep Chat Hooks**:
+  - `transformInboundMessage`: Modify user messages before they reach the agent.
+  - `transformOutboundMessage`: Modify agent responses before they are saved or displayed.
+- **Custom Providers**: Add new LLM backends (e.g., a specialized local model or a new API).
+- **Custom Connectors**: Build new chat platform bridges (e.g., a proprietary internal messenger).
+
+### Autonomous Capability Discovery
+
+Agents in SwarmClaw are "aware" of the plugin system. If an agent lacks a tool needed for a task, it can:
+1. **Discover**: Scan the system for all installed plugins.
+2. **Search Marketplace**: Autonomously search **ClawHub** and the **SwarmClaw Registry** for new capabilities.
+3. **Request Access**: Prompt the user in-chat to enable a specific installed plugin.
+4. **Install Request**: Suggest installing a new plugin from a marketplace URL to fill a capability gap (requires user approval).
+
+### Example Plugin (SwarmClaw Format)
 
 ```js
 module.exports = {
-  name: 'my-plugin',
-  description: 'What it does',
-  hooks: {
-    beforeAgentStart: async ({ session, message }) => { /* ... */ },
-    afterAgentComplete: async ({ session, response }) => { /* ... */ },
-    beforeToolExec: async ({ toolName, input }) => { /* return { abort: true } to cancel */ },
-    afterToolExec: async ({ toolName, input, output }) => { /* ... */ },
-    onMessage: async ({ session, message }) => { /* ... */ },
-    onTaskComplete: async ({ taskId, result }) => { /* ... */ },
-    onAgentDelegation: async ({ sourceAgentId, targetAgentId, task }) => { /* ... */ },
+  name: 'my-custom-extension',
+  ui: {
+    sidebarItems: [{ id: 'dashboard', label: 'My View', href: '/custom-view' }],
+    headerWidgets: [{ id: 'status', label: '🟢 Active' }]
   },
-  // Plugins can also define custom tools that agents can use
-  tools: [
-    {
-      name: 'my_custom_tool',
-      description: 'Does something amazing',
-      parameters: { type: 'object', properties: { query: { type: 'string' } }, required: ['query'] },
-      execute: async (args, ctx) => 'Result: ' + args.query,
-    },
-  ],
-}
+  tools: [{
+    name: 'custom_action',
+    description: 'Perform a specialized task',
+    parameters: { type: 'object', properties: { input: { type: 'string' } } },
+    execute: async (args) => {
+      // Logic here
+      return { kind: 'plugin-ui', text: 'Rich result card content' };
+    }
+  }]
+};
 ```
 
-### OpenClaw Plugin Compatibility
+### Lifecycle Management
 
-SwarmClaw natively supports the OpenClaw plugin format. Drop an OpenClaw plugin into `data/plugins/` and it works automatically — lifecycle hooks are mapped:
-
-| OpenClaw Hook | SwarmClaw Hook |
-|-|-|
-| `onAgentStart` | `beforeAgentStart` |
-| `onAgentComplete` | `afterAgentComplete` |
-| `onToolCall` | `beforeToolExec` |
-| `onToolResult` | `afterToolExec` |
-| `onMessage` | `onMessage` |
-
-Plugin API: `GET /api/plugins`, `POST /api/plugins`, `GET /api/plugins/marketplace`, `POST /api/plugins/install`.
+- **Versioning**: All plugins support semantic versioning (e.g., `v1.2.3`).
+- **Updates**: Plugins can be updated individually or in bulk via the Plugins manager.
+- **Hot-Reload**: The system automatically reloads plugin logic when a file is updated or a new plugin is installed.
+- **Stability Guardrails**: Consecutive plugin failures are tracked in `data/plugin-failures.json`; failing plugins are auto-disabled, a warning notification is emitted in-app, and users can re-enable manually from the Plugins manager.
 
 ## Deploy to a VPS
 
@@ -586,7 +601,7 @@ npm run dev:webpack
 ### First-Run Helpers
 
 ```bash
-npm run setup:easy      # setup only (does not start server)
+npm run setup:easy      # setup only (installs Deno if missing; does not start server)
 npm run quickstart      # setup + start dev server
 npm run quickstart:prod # setup + build + start production server
 npm run update:easy     # safe update helper for local installs
@@ -597,8 +612,8 @@ npm run update:easy     # safe update helper for local installs
 SwarmClaw uses tag-based releases (`vX.Y.Z`) as the stable channel.
 
 ```bash
-# example patch release
-npm version patch
+# example minor release (v0.7.0 style)
+npm version minor
 git push origin main --follow-tags
 ```
 
@@ -607,6 +622,16 @@ On `v*` tags, GitHub Actions will:
 2. Create a GitHub Release
 3. Build and publish Docker images to `ghcr.io/swarmclawai/swarmclaw` (`:vX.Y.Z`, `:latest`, `:sha-*`)
 
+#### v0.7.0 Release Readiness Notes
+
+Before shipping `v0.7.0`, confirm the following user-facing changes are reflected in docs:
+
+1. Plugins UI now shows richer installed plugin details (description fallback, source/status, capability badges, and clearer detail sheet metadata).
+2. Marketplace plugin installs normalize legacy URLs from `swarmclawai/plugins` to `swarmclawai/swarmforge` to avoid 404 installs.
+3. Hydration fixes removed nested `<button>` structures in list-card UIs (Plugins, Providers, Secrets, MCP Servers).
+4. Clipboard actions now use a browser-safe fallback when `navigator.clipboard` is unavailable.
+5. Site docs/release notes are updated in `swarmclaw-site` (especially `content/docs/plugins.md`, `content/docs/release-notes.md`, and `public/registry/plugins.json`).
+
 ## CLI
 
 SwarmClaw ships a built-in CLI for core operational workflows:

package/next.config.ts

@@ -1,5 +1,7 @@
 import type { NextConfig } from "next";
 import { execSync } from "child_process";
+import { networkInterfaces } from "os";
+import { DIRECT_NAV_SEGMENTS } from "./view-route-paths";
 
 function getGitSha(): string {
   try {
@@ -9,6 +11,33 @@ function getGitSha(): string {
   }
 }
 
+function getAllowedDevOrigins(): string[] {
+  const allowed = new Set<string>([
+    'localhost',
+    '127.0.0.1',
+    '0.0.0.0',
+  ])
+
+  // Include all active local IPv4 interfaces so LAN devices can load /_next assets in dev.
+  for (const interfaces of Object.values(networkInterfaces())) {
+    for (const iface of interfaces ?? []) {
+      if ((iface.family === 'IPv4' || (iface.family as string | number) === 4) && !iface.internal) {
+        allowed.add(iface.address)
+      }
+    }
+  }
+
+  // Optional override for custom origins/hosts, e.g. `NEXT_ALLOWED_DEV_ORIGINS=host1,host2`.
+  const extra = (process.env.NEXT_ALLOWED_DEV_ORIGINS ?? '')
+    .split(',')
+    .map((v) => v.trim())
+    .filter(Boolean)
+    .map((v) => v.replace(/^https?:\/\//, '').replace(/\/$/, ''))
+  for (const host of extra) allowed.add(host)
+
+  return [...allowed]
+}
+
 const nextConfig: NextConfig = {
   output: 'standalone',
   turbopack: {
@@ -35,13 +64,9 @@ const nextConfig: NextConfig = {
     '@whiskeysockets/baileys',
     'qrcode',
   ],
-  allowedDevOrigins: [
-    'localhost',
-    '127.0.0.1',
-    '0.0.0.0',
-  ],
+  allowedDevOrigins: getAllowedDevOrigins(),
   async rewrites() {
-    const views = 'agents|chatrooms|schedules|memory|tasks|secrets|providers|skills|connectors|webhooks|mcp-servers|knowledge|plugins|usage|runs|logs|settings|projects|activity'
+    const views = DIRECT_NAV_SEGMENTS.join('|')
     return [
       {
         source: `/:view(${views})`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "0.6.8",
+  "version": "0.7.0",
   "description": "Self-hosted AI agent orchestration dashboard — manage LLM providers, orchestrate agent swarms, schedule tasks, and bridge agents to chat platforms.",
   "license": "MIT",
   "repository": {
@@ -52,7 +52,8 @@
     "lint:baseline:update": "node ./scripts/lint-baseline.mjs update",
     "cli": "node ./bin/swarmclaw.js",
     "test:cli": "node --test src/cli/index.test.js",
-    "test:openclaw": "tsx --test src/lib/server/connectors/openclaw.test.ts src/lib/openclaw-endpoint.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/tool-capability-policy.test.ts",
+    "test:openclaw": "tsx --test src/lib/server/connectors/openclaw.test.ts src/lib/openclaw-endpoint.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/server/task-validation.test.ts src/lib/server/task-quality-gate.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts",
+    "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",
     "postinstall": "node ./scripts/postinstall.mjs"
   },
   "dependencies": {

package/src/app/api/agents/[id]/thread/route.ts

@@ -49,6 +49,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
     createdAt: now,
     lastActiveAt: now,
     active: false,
+    mainSession: true,
     sessionType: 'human' as const,
     agentId,
     tools: agent.tools || [],

package/src/app/api/agents/route.ts

@@ -1,9 +1,9 @@
 import { NextResponse } from 'next/server'
 import { genId } from '@/lib/id'
-import { loadAgents, saveAgents, logActivity } from '@/lib/server/storage'
+import { loadAgents, loadSessions, loadUsage, saveAgents, logActivity } from '@/lib/server/storage'
 import { normalizeProviderEndpoint } from '@/lib/openclaw-endpoint'
 import { notify } from '@/lib/server/ws-hub'
-import { getAgentMonthlySpend } from '@/lib/server/cost'
+import { getAgentSpendWindows } from '@/lib/server/cost'
 import { AgentCreateSchema, formatZodError } from '@/lib/validation/schemas'
 import { z } from 'zod'
 export const dynamic = 'force-dynamic'
@@ -11,10 +11,19 @@ export const dynamic = 'force-dynamic'
 
 export async function GET(req: Request) {
   const agents = loadAgents()
-  // Enrich agents that have a monthly budget with current spend
+  const sessions = loadSessions()
+  const usage = loadUsage()
+  // Enrich agents that have spend limits with current spend windows
   for (const agent of Object.values(agents)) {
-    if (typeof agent.monthlyBudget === 'number' && agent.monthlyBudget > 0) {
-      agent.monthlySpend = getAgentMonthlySpend(agent.id)
+    if (
+      (typeof agent.monthlyBudget === 'number' && agent.monthlyBudget > 0)
+      || (typeof agent.dailyBudget === 'number' && agent.dailyBudget > 0)
+      || (typeof agent.hourlyBudget === 'number' && agent.hourlyBudget > 0)
+    ) {
+      const spend = getAgentSpendWindows(agent.id, Date.now(), { sessions, usage })
+      if (typeof agent.monthlyBudget === 'number' && agent.monthlyBudget > 0) agent.monthlySpend = spend.monthly
+      if (typeof agent.dailyBudget === 'number' && agent.dailyBudget > 0) agent.dailySpend = spend.daily
+      if (typeof agent.hourlyBudget === 'number' && agent.hourlyBudget > 0) agent.hourlySpend = spend.hourly
     }
   }
 
@@ -54,6 +63,10 @@ export async function POST(req: Request) {
     capabilities: body.capabilities,
     thinkingLevel: body.thinkingLevel || undefined,
     autoRecovery: body.autoRecovery || false,
+    monthlyBudget: body.monthlyBudget ?? null,
+    dailyBudget: body.dailyBudget ?? null,
+    hourlyBudget: body.hourlyBudget ?? null,
+    budgetAction: body.budgetAction || 'warn',
     soul: body.soul || undefined,
     createdAt: now,
     updatedAt: now,

package/src/app/api/approvals/route.ts

@@ -0,0 +1,22 @@
+import { NextResponse } from 'next/server'
+import { listPendingApprovals, submitDecision } from '@/lib/server/approvals'
+
+export const dynamic = 'force-dynamic'
+
+export async function GET() {
+  return NextResponse.json(listPendingApprovals())
+}
+
+export async function POST(req: Request) {
+  try {
+    const body = await req.json()
+    const { id, approved } = body
+    if (!id || typeof approved !== 'boolean') {
+      return NextResponse.json({ error: 'id and approved required' }, { status: 400 })
+    }
+    await submitDecision(id, approved)
+    return NextResponse.json({ ok: true })
+  } catch (err: unknown) {
+    return NextResponse.json({ error: err instanceof Error ? err.message : String(err) }, { status: 500 })
+  }
+}

package/src/app/api/clawhub/install/route.ts

@@ -11,9 +11,9 @@ export async function POST(req: Request) {
   if (!content) {
     try {
       content = await fetchSkillContent(url)
-    } catch (err: any) {
+    } catch (err: unknown) {
       return NextResponse.json(
-        { error: err.message || 'Failed to fetch skill content' },
+        { error: err instanceof Error ? err.message : 'Failed to fetch skill content' },
         { status: 502 }
       )
     }

package/src/app/api/mcp-servers/[id]/conformance/route.ts

@@ -0,0 +1,26 @@
+import { NextResponse } from 'next/server'
+import { loadMcpServers } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
+import { runMcpConformanceCheck } from '@/lib/server/mcp-conformance'
+
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const servers = loadMcpServers()
+  const server = servers[id]
+  if (!server) return notFound()
+
+  const body = await req.json().catch(() => ({}))
+  const timeoutMs = typeof body?.timeoutMs === 'number' ? body.timeoutMs : undefined
+  const smokeToolName = typeof body?.smokeToolName === 'string' ? body.smokeToolName : undefined
+  const smokeToolArgs = body?.smokeToolArgs && typeof body.smokeToolArgs === 'object' && !Array.isArray(body.smokeToolArgs)
+    ? body.smokeToolArgs
+    : undefined
+
+  const result = await runMcpConformanceCheck(server, {
+    timeoutMs,
+    smokeToolName,
+    smokeToolArgs,
+  })
+
+  return NextResponse.json(result, { status: result.ok ? 200 : 502 })
+}

package/src/app/api/mcp-servers/[id]/invoke/route.ts

@@ -0,0 +1,81 @@
+import { NextResponse } from 'next/server'
+import { loadMcpServers } from '@/lib/server/storage'
+import { notFound } from '@/lib/server/collection-helpers'
+import { connectMcpServer, disconnectMcpServer } from '@/lib/server/mcp-client'
+
+function parseArgs(value: unknown): Record<string, unknown> {
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return value as Record<string, unknown>
+  }
+  if (typeof value === 'string' && value.trim()) {
+    try {
+      const parsed = JSON.parse(value)
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+        return parsed as Record<string, unknown>
+      }
+    } catch {
+      // Handled by caller via fallback validation error.
+    }
+  }
+  return {}
+}
+
+export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const servers = loadMcpServers()
+  const server = servers[id]
+  if (!server) return notFound()
+
+  const body = await req.json().catch(() => null)
+  const toolName = typeof body?.toolName === 'string' ? body.toolName.trim() : ''
+  if (!toolName) {
+    return NextResponse.json({ error: 'toolName is required' }, { status: 400 })
+  }
+
+  const argsRaw = body?.args
+  if (
+    argsRaw !== undefined
+    && typeof argsRaw !== 'string'
+    && (typeof argsRaw !== 'object' || Array.isArray(argsRaw))
+  ) {
+    return NextResponse.json({ error: 'args must be an object or JSON string' }, { status: 400 })
+  }
+  const args = parseArgs(argsRaw)
+
+  let client: unknown
+  let transport: unknown
+  try {
+    const conn = await connectMcpServer(server)
+    client = conn.client
+    transport = conn.transport
+    const result = await (client as { callTool: (opts: { name: string; arguments: Record<string, unknown> }) => Promise<Record<string, unknown>> }).callTool({
+      name: toolName,
+      arguments: args,
+    })
+    const textParts = Array.isArray(result?.content)
+      ? (result.content as Array<Record<string, unknown>>)
+          .filter((part) => part?.type === 'text' && typeof part?.text === 'string')
+          .map((part) => part.text as string)
+      : []
+    const text = textParts.join('\n').trim() || '(no text output)'
+
+    return NextResponse.json({
+      ok: true,
+      toolName,
+      args,
+      text,
+      result,
+      isError: result?.isError === true,
+    })
+  } catch (err: unknown) {
+    return NextResponse.json(
+      { ok: false, error: err instanceof Error ? err.message : 'MCP tool invocation failed' },
+      { status: 500 },
+    )
+  } finally {
+    if (client && transport) {
+      await disconnectMcpServer(client, transport)
+    }
+  }
+}
+

package/src/app/api/memory/route.ts

@@ -1,7 +1,16 @@
 import { genId } from '@/lib/id'
 import fs from 'fs'
 import { NextResponse } from 'next/server'
-import { getMemoryDb, getMemoryLookupLimits, storeMemoryImageAsset, storeMemoryImageFromDataUrl } from '@/lib/server/memory-db'
+import {
+  filterMemoriesByScope,
+  getMemoryDb,
+  getMemoryLookupLimits,
+  normalizeMemoryScopeMode,
+  storeMemoryImageAsset,
+  storeMemoryImageFromDataUrl,
+  type MemoryRerankMode,
+  type MemoryScopeFilter,
+} from '@/lib/server/memory-db'
 import { resolveLookupRequest } from '@/lib/server/memory-graph'
 import type { MemoryReference, FileReference, MemoryImage } from '@/types'
 
@@ -21,10 +30,16 @@ export async function GET(req: Request) {
   const { searchParams } = new URL(req.url)
   const q = searchParams.get('q')
   const agentId = searchParams.get('agentId')
+  const rawScope = searchParams.get('scope')
   const envelope = searchParams.get('envelope') === 'true'
   const requestedDepth = parseOptionalInt(searchParams.get('depth'))
   const requestedLimit = parseOptionalInt(searchParams.get('limit'))
   const requestedLinkedLimit = parseOptionalInt(searchParams.get('linkedLimit'))
+  const scopeMode = normalizeMemoryScopeMode(rawScope ?? (agentId ? 'agent' : 'all'))
+  const scopeSessionId = searchParams.get('scopeSessionId')
+  const scopeProjectRoot = searchParams.get('projectRoot')
+  const rerankRaw = searchParams.get('rerank')
+  const rerankMode: MemoryRerankMode = rerankRaw === 'semantic' || rerankRaw === 'lexical' ? rerankRaw : 'balanced'
 
   const counts = searchParams.get('counts') === 'true'
   const db = getMemoryDb()
@@ -39,14 +54,27 @@ export async function GET(req: Request) {
     limit: requestedLimit,
     linkedLimit: requestedLinkedLimit,
   })
+  const scopeFilter: MemoryScopeFilter = {
+    mode: scopeMode,
+    agentId: agentId || null,
+    sessionId: scopeSessionId || null,
+    projectRoot: scopeProjectRoot || null,
+  }
 
   if (q) {
     if (limits.maxDepth > 0) {
-      const result = db.searchWithLinked(q, agentId || undefined, limits.maxDepth, limits.maxPerLookup, limits.maxLinkedExpansion)
+      const result = db.searchWithLinked(
+        q,
+        agentId || undefined,
+        limits.maxDepth,
+        limits.maxPerLookup,
+        limits.maxLinkedExpansion,
+        { scope: scopeFilter, rerankMode },
+      )
       if (envelope) return NextResponse.json(result)
       return NextResponse.json(result.entries)
     }
-    const base = db.search(q, agentId || undefined)
+    const base = db.search(q, agentId || undefined, { scope: scopeFilter, rerankMode })
     const entries = base.slice(0, limits.maxPerLookup)
     if (envelope) {
       return NextResponse.json({
@@ -59,11 +87,14 @@ export async function GET(req: Request) {
     return NextResponse.json(entries)
   }
 
-  const entries = db.list(agentId || undefined, limits.maxPerLookup)
+  const scanLimit = Math.max(limits.maxPerLookup, 200)
+  const listed = db.list(undefined, scanLimit)
+  const filtered = filterMemoriesByScope(listed, scopeFilter)
+  const entries = filtered.slice(0, limits.maxPerLookup)
   if (envelope) {
     return NextResponse.json({
       entries,
-      truncated: false,
+      truncated: filtered.length > entries.length,
       expandedLinkedCount: 0,
       limits,
     })

package/src/app/api/notifications/route.ts

@@ -13,6 +13,9 @@ export async function GET(req: Request) {
   const all = loadNotifications()
   let entries = Object.values(all) as AppNotification[]
 
+  // Approval requests now have a dedicated Approvals view/badge; keep notifications focused on ops/events.
+  entries = entries.filter((e) => e.entityType !== 'approval')
+
   if (unreadOnly) {
     entries = entries.filter((e) => !e.read)
   }

package/src/app/api/plugins/install/route.ts

@@ -1,12 +1,43 @@
 import { NextResponse } from 'next/server'
 import fs from 'fs'
 import path from 'path'
+import { getPluginManager } from '@/lib/server/plugins'
 
 const PLUGINS_DIR = path.join(process.cwd(), 'data', 'plugins')
 
+function toRawUrl(url: string): string {
+  if (url.includes('github.com') && url.includes('/blob/')) {
+    return url.replace('github.com', 'raw.githubusercontent.com').replace('/blob/', '/')
+  }
+  if (url.includes('gist.github.com')) {
+    return url.endsWith('/raw') ? url : `${url}/raw`
+  }
+  return url
+}
+
+function normalizeMarketplaceUrl(url: string): string {
+  const trimmed = typeof url === 'string' ? url.trim() : ''
+  if (!trimmed) return trimmed
+
+  let normalized = trimmed
+    .replace('github.com/swarmclawai/plugins/', 'github.com/swarmclawai/swarmforge/')
+    .replace('raw.githubusercontent.com/swarmclawai/plugins/', 'raw.githubusercontent.com/swarmclawai/swarmforge/')
+
+  normalized = toRawUrl(normalized)
+
+  // Legacy registry entries used master and old repo names.
+  normalized = normalized
+    .replace('/swarmclawai/swarmforge/master/', '/swarmclawai/swarmforge/main/')
+    .replace('/swarmclawai/plugins/master/', '/swarmclawai/swarmforge/main/')
+    .replace('/swarmclawai/plugins/main/', '/swarmclawai/swarmforge/main/')
+
+  return normalized
+}
+
 export async function POST(req: Request) {
   const body = await req.json()
   const { url, filename } = body
+  const rawUrl = normalizeMarketplaceUrl(url)
 
   // Validate URL
   if (!url || typeof url !== 'string' || !url.startsWith('https://')) {
@@ -34,11 +65,27 @@ export async function POST(req: Request) {
   }
 
   try {
-    const res = await fetch(url)
+    const res = await fetch(rawUrl, { signal: AbortSignal.timeout(15_000) })
     if (!res.ok) {
-      throw new Error(`Download failed: ${res.status}`)
+      return NextResponse.json(
+        { error: `Download failed (HTTP ${res.status}) from ${rawUrl}` },
+        { status: 502 },
+      )
     }
-    const code = await res.text()
+    const contentType = res.headers.get('content-type') || ''
+    let code = await res.text()
+
+    // Reject HTML responses (likely a GitHub page, not raw content)
+    if (contentType.includes('text/html') && code.includes('<!DOCTYPE')) {
+      return NextResponse.json(
+        { error: 'URL returned an HTML page instead of JavaScript. Use a raw/direct link to the .js file.' },
+        { status: 400 },
+      )
+    }
+
+    // Compatibility fix: Strip node-fetch requires if present, as modern Node has global fetch
+    code = code.replace(/const\s+fetch\s*=\s*require\(['"]node-fetch['"]\);?/g, '// node-fetch stripped for compatibility')
+    code = code.replace(/import\s+fetch\s+from\s+['"]node-fetch['"];?/g, '// node-fetch stripped for compatibility')
 
     // Ensure plugins directory exists
     if (!fs.existsSync(PLUGINS_DIR)) {
@@ -48,11 +95,16 @@ export async function POST(req: Request) {
     const dest = path.join(PLUGINS_DIR, sanitized)
     fs.writeFileSync(dest, code, 'utf8')
 
+    // Force plugin manager to re-scan so the new plugin appears in listings
+    getPluginManager().reload()
+
     return NextResponse.json({ ok: true, filename: sanitized })
   } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err)
+    const isTimeout = msg.includes('abort') || msg.includes('timeout')
     return NextResponse.json(
-      { error: 'Failed to install plugin', message: err instanceof Error ? err.message : String(err) },
-      { status: 500 },
+      { error: isTimeout ? 'Download timed out — the plugin URL may be unreachable' : `Install failed: ${msg}` },
+      { status: isTimeout ? 504 : 500 },
     )
   }
 }