@swarmclawai/swarmclaw 0.7.2 → 0.7.4

package/src/lib/server/ws-hub.ts

@@ -1,6 +1,7 @@
 import { WebSocketServer, WebSocket } from 'ws'
 import type { IncomingMessage } from 'http'
 import { validateAccessKey } from './storage'
+import { AUTH_COOKIE_NAME, getCookieValue } from '@/lib/auth'
 
 interface WsClient {
   ws: WebSocket
@@ -29,9 +30,10 @@ export function initWsServer() {
   ;(globalThis as any)[GK] = hub
 
   wss.on('connection', (ws: WebSocket, req: IncomingMessage) => {
-    // Auth: validate ?key= from upgrade URL
-    const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`)
-    const key = url.searchParams.get('key') || ''
+    const headerKey = req.headers['x-access-key']
+    const key = (Array.isArray(headerKey) ? headerKey[0] : headerKey)
+      || getCookieValue(req.headers.cookie, AUTH_COOKIE_NAME)
+      || ''
     if (!validateAccessKey(key)) {
       ws.close(4001, 'Unauthorized')
       return

package/src/lib/setup-defaults.ts

@@ -22,6 +22,7 @@ export interface SetupProviderOption {
   description: string
   requiresKey: boolean
   supportsEndpoint: boolean
+  allowMultiple?: boolean
   defaultEndpoint?: string
   keyUrl?: string
   keyLabel?: string
@@ -44,6 +45,18 @@ export const SETUP_PROVIDERS: SetupProviderOption[] = [
     badge: 'Recommended',
     icon: 'O',
   },
+  {
+    id: 'openclaw',
+    name: 'OpenClaw',
+    description: 'Connect one or more local or remote OpenClaw gateways and map different starter agents to each one.',
+    requiresKey: false,
+    supportsEndpoint: true,
+    allowMultiple: true,
+    defaultEndpoint: 'http://localhost:18789/v1',
+    optionalKey: true,
+    badge: 'First-Tier',
+    icon: 'C',
+  },
   {
     id: 'anthropic',
     name: 'Anthropic',
@@ -125,17 +138,6 @@ export const SETUP_PROVIDERS: SetupProviderOption[] = [
     keyLabel: 'fireworks.ai',
     icon: 'F',
   },
-  {
-    id: 'openclaw',
-    name: 'OpenClaw',
-    description: 'Connect to your local or remote OpenClaw gateway (multi-OpenClaw ready).',
-    requiresKey: false,
-    supportsEndpoint: true,
-    defaultEndpoint: 'http://localhost:18789/v1',
-    optionalKey: true,
-    badge: 'OpenClaw',
-    icon: 'C',
-  },
   {
     id: 'ollama',
     name: 'Ollama',
@@ -189,6 +191,341 @@ Behavior:
 - When the user asks for direct execution (for example browsing, screenshots, research, or file edits), use available tools and return real results instead of only describing what to do.
 - If a capability depends on provider/tool configuration, call that out explicitly.`
 
+const PERSONAL_ASSISTANT_PROMPT = `You are a personal AI copilot inside SwarmClaw.
+
+Primary objective:
+- Help the user make progress on whatever matters to them, whether that is research, planning, writing, building, organizing life admin, or running a business.
+
+Behavior:
+- Start from the user's intent, not from the tooling.
+- Turn vague goals into concrete next steps.
+- When useful, suggest tasks, schedules, or specialist agents, but do not force control-plane workflow on the user.
+- Stay concise, practical, and execution-oriented.`
+
+const RESEARCH_PROMPT = `You are a research copilot inside SwarmClaw.
+
+Primary objective:
+- Gather facts, compare options, summarize findings, and keep the user's work organized.
+
+Behavior:
+- Clarify the research question when needed.
+- Prefer structured findings, tradeoffs, and source-backed summaries.
+- Capture useful outputs in files or tasks when that helps the user continue.`
+
+const BUILDER_PROMPT = `You are a builder agent inside SwarmClaw.
+
+Primary objective:
+- Help the user design, implement, debug, and ship software or technical projects.
+
+Behavior:
+- Move from goal to concrete implementation steps quickly.
+- Use code, files, browser, and task tooling when helpful.
+- Surface blockers, assumptions, and verification clearly.`
+
+const REVIEWER_PROMPT = `You are a reviewer agent inside SwarmClaw.
+
+Primary objective:
+- Review plans, code, documents, and outputs for quality, correctness, and risk.
+
+Behavior:
+- Focus first on bugs, regressions, gaps, and unclear assumptions.
+- Be direct and specific.
+- Offer concrete follow-up actions when you find issues.`
+
+const WRITER_PROMPT = `You are a writing copilot inside SwarmClaw.
+
+Primary objective:
+- Help the user draft, refine, and structure written work for clarity and impact.
+
+Behavior:
+- Adapt tone, format, and level of detail to the user's context.
+- Suggest outlines, drafts, revisions, and packaging for different channels.
+- Keep momentum high and avoid generic filler.`
+
+const EDITOR_PROMPT = `You are an editor inside SwarmClaw.
+
+Primary objective:
+- Improve drafts for clarity, structure, tone, and quality.
+
+Behavior:
+- Tighten weak writing, call out inconsistencies, and preserve the intended voice.
+- Give concise, high-signal edits and rationale.
+- Flag missing evidence or unclear claims when relevant.`
+
+const OPERATOR_PROMPT = `You are an operations-focused SwarmClaw operator.
+
+Primary objective:
+- Keep work moving across agents, tasks, schedules, and approvals without losing sight of the user's real goals.
+
+Behavior:
+- Monitor progress, surface bottlenecks, and delegate when appropriate.
+- Be explicit about what is blocked, what is running, and what should happen next.
+- Treat the control plane as a means to an end, not the end itself.`
+
+export type OnboardingPath = 'quick' | 'intent' | 'manual'
+
+export interface OnboardingPathOption {
+  id: OnboardingPath
+  title: string
+  description: string
+  detail: string
+  badge?: string
+}
+
+export const ONBOARDING_PATHS: OnboardingPathOption[] = [
+  {
+    id: 'quick',
+    title: 'Quick Start',
+    description: 'Provider first, one starter kit, fastest path into chat.',
+    detail: 'Best when you already know which provider you want and want to get moving quickly.',
+    badge: 'Fastest',
+  },
+  {
+    id: 'intent',
+    title: 'Intent Guided',
+    description: 'Start from what you want to do, then shape a starter workspace around it.',
+    detail: 'Best for open-ended use cases like research, building, writing, planning, or mixed personal work.',
+    badge: 'Recommended',
+  },
+  {
+    id: 'manual',
+    title: 'Custom Setup',
+    description: 'Configure providers first and choose whether to start blank or from a template.',
+    detail: 'Best for advanced users who want control over the initial setup and agent mix.',
+  },
+]
+
+export interface StarterKitAgentTemplate {
+  id: string
+  name: string
+  description: string
+  systemPrompt: string
+  tools: string[]
+  capabilities?: string[]
+  recommendedProviders?: SetupProvider[]
+  platformAssignScope?: 'self' | 'all'
+}
+
+export interface StarterKit {
+  id: string
+  name: string
+  description: string
+  detail: string
+  badge?: string
+  recommendedFor?: OnboardingPath[]
+  agents: StarterKitAgentTemplate[]
+}
+
+const PERSONAL_AGENT_TOOLS = [
+  'memory',
+  'files',
+  'web_search',
+  'web_fetch',
+  'browser',
+  'manage_tasks',
+  'manage_schedules',
+  'manage_documents',
+]
+
+const RESEARCH_AGENT_TOOLS = [
+  'memory',
+  'files',
+  'web_search',
+  'web_fetch',
+  'browser',
+  'manage_tasks',
+  'manage_documents',
+]
+
+const BUILDER_AGENT_TOOLS = [
+  'memory',
+  'files',
+  'web_search',
+  'web_fetch',
+  'browser',
+  'manage_tasks',
+  'claude_code',
+  'codex_cli',
+  'opencode_cli',
+]
+
+const OPERATOR_AGENT_TOOLS = STARTER_AGENT_TOOLS
+const OPENCLAW_AGENT_TOOLS = [
+  'memory',
+  'files',
+  'web_search',
+  'web_fetch',
+  'browser',
+  'manage_tasks',
+  'manage_schedules',
+  'manage_sessions',
+  'openclaw_workspace',
+]
+
+export const STARTER_KITS: StarterKit[] = [
+  {
+    id: 'personal_assistant',
+    name: 'Personal Assistant',
+    description: 'One flexible agent for open-ended work.',
+    detail: 'A strong default for general planning, research, writing, and day-to-day execution.',
+    badge: 'Recommended',
+    recommendedFor: ['quick', 'intent'],
+    agents: [
+      {
+        id: 'sidekick',
+        name: 'Sidekick',
+        description: 'A versatile assistant for everyday work, planning, and follow-through.',
+        systemPrompt: PERSONAL_ASSISTANT_PROMPT,
+        tools: PERSONAL_AGENT_TOOLS,
+        capabilities: ['planning', 'research', 'writing', 'coordination'],
+      },
+    ],
+  },
+  {
+    id: 'research_copilot',
+    name: 'Research Copilot',
+    description: 'A focused setup for investigation and synthesis.',
+    detail: 'Useful for market scans, comparisons, technical investigation, and source-backed summaries.',
+    recommendedFor: ['intent', 'manual'],
+    agents: [
+      {
+        id: 'researcher',
+        name: 'Researcher',
+        description: 'Collects facts, compares options, and produces structured findings.',
+        systemPrompt: RESEARCH_PROMPT,
+        tools: RESEARCH_AGENT_TOOLS,
+        capabilities: ['research', 'analysis', 'summarization'],
+      },
+    ],
+  },
+  {
+    id: 'builder_studio',
+    name: 'Builder Studio',
+    description: 'Start with a builder and a reviewer.',
+    detail: 'Good for coding, prototyping, product work, and technical iteration.',
+    recommendedFor: ['intent', 'manual'],
+    agents: [
+      {
+        id: 'builder',
+        name: 'Builder',
+        description: 'Implements ideas, ships changes, and drives technical execution.',
+        systemPrompt: BUILDER_PROMPT,
+        tools: BUILDER_AGENT_TOOLS,
+        capabilities: ['coding', 'debugging', 'implementation'],
+        recommendedProviders: ['anthropic', 'openai', 'google', 'openclaw', 'ollama'],
+      },
+      {
+        id: 'reviewer',
+        name: 'Reviewer',
+        description: 'Reviews plans and outputs for bugs, regressions, and quality gaps.',
+        systemPrompt: REVIEWER_PROMPT,
+        tools: RESEARCH_AGENT_TOOLS,
+        capabilities: ['review', 'testing', 'risk assessment'],
+        recommendedProviders: ['anthropic', 'openai', 'google', 'openclaw'],
+      },
+    ],
+  },
+  {
+    id: 'content_studio',
+    name: 'Content Studio',
+    description: 'A writer and editor working together.',
+    detail: 'Useful for blogs, marketing copy, docs, newsletters, and publishing workflows.',
+    recommendedFor: ['intent', 'manual'],
+    agents: [
+      {
+        id: 'writer',
+        name: 'Writer',
+        description: 'Drafts content, outlines, and messaging in the user’s preferred style.',
+        systemPrompt: WRITER_PROMPT,
+        tools: PERSONAL_AGENT_TOOLS,
+        capabilities: ['writing', 'messaging', 'structuring'],
+      },
+      {
+        id: 'editor',
+        name: 'Editor',
+        description: 'Improves structure, tone, and quality before publishing.',
+        systemPrompt: EDITOR_PROMPT,
+        tools: RESEARCH_AGENT_TOOLS,
+        capabilities: ['editing', 'quality control', 'review'],
+      },
+    ],
+  },
+  {
+    id: 'operator_swarm',
+    name: 'Operator Swarm',
+    description: 'A coordination-heavy setup for multi-agent work.',
+    detail: 'Closest to the current SwarmClaw operator workflow, with an orchestrator plus an execution agent.',
+    recommendedFor: ['manual'],
+    agents: [
+      {
+        id: 'operator',
+        name: 'Operator',
+        description: 'Coordinates tasks, delegates work, and keeps the workspace moving.',
+        systemPrompt: OPERATOR_PROMPT,
+        tools: OPERATOR_AGENT_TOOLS,
+        capabilities: ['coordination', 'delegation', 'operations'],
+        platformAssignScope: 'all',
+        recommendedProviders: ['openclaw', 'anthropic', 'openai'],
+      },
+      {
+        id: 'maker',
+        name: 'Maker',
+        description: 'Executes focused work items assigned by the user or other agents.',
+        systemPrompt: BUILDER_PROMPT,
+        tools: BUILDER_AGENT_TOOLS,
+        capabilities: ['execution', 'implementation', 'research'],
+      },
+    ],
+  },
+  {
+    id: 'openclaw_fleet',
+    name: 'OpenClaw Fleet',
+    description: 'An OpenClaw-first starter setup for local or remote gateways.',
+    detail: 'Designed for users who want multiple OpenClaw-backed agents right away, including remote endpoint assignments.',
+    recommendedFor: ['manual'],
+    badge: 'OpenClaw',
+    agents: [
+      {
+        id: 'openclaw_operator',
+        name: 'OpenClaw Operator',
+        description: 'Coordinates OpenClaw-backed execution and keeps distributed agents aligned.',
+        systemPrompt: OPERATOR_PROMPT,
+        tools: OPERATOR_AGENT_TOOLS,
+        capabilities: ['coordination', 'delegation', 'openclaw'],
+        platformAssignScope: 'all',
+        recommendedProviders: ['openclaw'],
+      },
+      {
+        id: 'openclaw_builder',
+        name: 'Remote Builder',
+        description: 'A build-focused OpenClaw agent for implementation work on a chosen gateway.',
+        systemPrompt: BUILDER_PROMPT,
+        tools: OPENCLAW_AGENT_TOOLS,
+        capabilities: ['coding', 'implementation', 'openclaw'],
+        recommendedProviders: ['openclaw'],
+      },
+      {
+        id: 'openclaw_researcher',
+        name: 'Remote Researcher',
+        description: 'A research-focused OpenClaw agent for browser and knowledge work on a chosen gateway.',
+        systemPrompt: RESEARCH_PROMPT,
+        tools: OPENCLAW_AGENT_TOOLS,
+        capabilities: ['research', 'analysis', 'openclaw'],
+        recommendedProviders: ['openclaw'],
+      },
+    ],
+  },
+  {
+    id: 'blank_workspace',
+    name: 'Blank Workspace',
+    description: 'Finish setup without starter agents.',
+    detail: 'Use this if you want to land in the app first and create providers, agents, and workflows yourself.',
+    recommendedFor: ['manual'],
+    badge: 'Blank',
+    agents: [],
+  },
+]
+
 export interface DefaultAgentConfig {
   name: string
   description: string
@@ -276,3 +613,7 @@ export const DEFAULT_AGENTS: Record<SetupProvider, DefaultAgentConfig> = {
     tools: STARTER_AGENT_TOOLS,
   },
 }
+
+export function getDefaultModelForProvider(provider: SetupProvider): string {
+  return DEFAULT_AGENTS[provider].model
+}

package/src/lib/tool-definitions.ts

@@ -16,14 +16,14 @@ export const AVAILABLE_TOOLS: ToolDefinition[] = [
   { id: 'delegate', label: 'Delegate', description: 'Delegate complex tasks to specialized backends (Claude Code, Codex, OpenCode)' },
   { id: 'browser', label: 'Browser', description: 'Playwright — browse, scrape, interact with web pages' },
   { id: 'memory', label: 'Memory', description: 'Store and retrieve long-term memories across conversations' },
-  { id: 'sandbox', label: 'Sandbox', description: 'Secure isolated code execution for JS, TS, and Python' },
+  { id: 'sandbox', label: 'Sandbox', description: 'Deno-based isolated JS/TS execution for cases where custom code is necessary' },
   { id: 'create_document', label: 'Create Document', description: 'Render markdown to PDF, HTML, or image' },
   { id: 'create_spreadsheet', label: 'Create Spreadsheet', description: 'Create Excel or CSV files from structured data' },
-  { id: 'http_request', label: 'HTTP Request', description: 'Make direct HTTP API calls with custom methods, headers, and bodies' },
+  { id: 'http_request', label: 'HTTP Request', description: 'Make direct HTTP API calls without generating throwaway code' },
   { id: 'git', label: 'Git', description: 'Run structured git operations (status, commit, push, diff, etc.)' },
   { id: 'wallet', label: 'Wallet', description: 'Manage agent crypto wallet — check balance, send SOL, view transactions' },
   { id: 'monitor', label: 'Monitor', description: 'System observability: check resource usage, watch logs, and ping endpoints' },
-  { id: 'plugin_creator', label: 'Plugin Creator', description: 'Design, write, and test custom SwarmClaw plugins dynamically' },
+  { id: 'plugin_creator', label: 'Plugin Creator', description: 'Design focused plugins for durable capabilities and recurring automations' },
   { id: 'sample_ui', label: 'Sample UI', description: 'Demonstration of dynamic UI injection into Sidebar and Chat Header' },
   { id: 'image_gen', label: 'Image Generation', description: 'Generate images from text prompts using OpenAI, Stability AI, Replicate, fal.ai, and more' },
   { id: 'email', label: 'Email', description: 'Send emails via SMTP with plain text and HTML support' },
@@ -49,4 +49,3 @@ export const ALL_TOOLS: ToolDefinition[] = [...AVAILABLE_TOOLS, ...PLATFORM_TOOL
 export const TOOL_LABELS: Record<string, string> = Object.fromEntries(
   ALL_TOOLS.map((t) => [t.id, t.label]),
 )
-

package/src/lib/validation/schemas.test.ts

@@ -0,0 +1,26 @@
+import { describe, it } from 'node:test'
+import assert from 'node:assert/strict'
+import { AgentCreateSchema } from './schemas'
+
+describe('AgentCreateSchema', () => {
+  it('defaults platformAssignScope to self', () => {
+    const parsed = AgentCreateSchema.parse({
+      name: 'Solo Agent',
+      provider: 'openai',
+    })
+
+    assert.equal(parsed.platformAssignScope, 'self')
+  })
+
+  it('accepts explicit all-scope delegation without relying on legacy orchestrator flags', () => {
+    const parsed = AgentCreateSchema.parse({
+      name: 'Coordinator',
+      provider: 'openai',
+      platformAssignScope: 'all',
+      isOrchestrator: false,
+    })
+
+    assert.equal(parsed.platformAssignScope, 'all')
+    assert.equal(parsed.isOrchestrator, false)
+  })
+})

package/src/lib/validation/schemas.ts

@@ -1,5 +1,18 @@
 import { z } from 'zod'
 
+const AgentRoutingTargetSchema = z.object({
+  id: z.string().min(1),
+  label: z.string().optional(),
+  role: z.enum(['primary', 'economy', 'premium', 'reasoning', 'backup']).optional(),
+  provider: z.string().min(1),
+  model: z.string().optional().default(''),
+  credentialId: z.string().nullable().optional().default(null),
+  fallbackCredentialIds: z.array(z.string()).optional().default([]),
+  apiEndpoint: z.string().nullable().optional().default(null),
+  gatewayProfileId: z.string().nullable().optional().default(null),
+  priority: z.number().int().optional(),
+})
+
 export const AgentCreateSchema = z.object({
   name: z.string().min(1, 'Agent name is required'),
   provider: z.string().min(1, 'Provider is required'),
@@ -7,15 +20,41 @@ export const AgentCreateSchema = z.object({
   systemPrompt: z.string().optional().default(''),
   model: z.string().optional().default(''),
   credentialId: z.string().nullable().optional().default(null),
+  fallbackCredentialIds: z.array(z.string()).optional().default([]),
   apiEndpoint: z.string().nullable().optional().default(null),
+  gatewayProfileId: z.string().nullable().optional().default(null),
+  routingStrategy: z.enum(['single', 'balanced', 'economy', 'premium', 'reasoning']).nullable().optional().default(null),
+  routingTargets: z.array(AgentRoutingTargetSchema).optional().default([]),
   isOrchestrator: z.boolean().optional().default(false),
+  platformAssignScope: z.enum(['self', 'all']).optional().default('self'),
   subAgentIds: z.array(z.string()).optional().default([]),
   plugins: z.array(z.string()).optional().default([]),
   /** @deprecated Use plugins */
   tools: z.array(z.string()).optional(),
+  skills: z.array(z.string()).optional().default([]),
+  skillIds: z.array(z.string()).optional().default([]),
+  mcpServerIds: z.array(z.string()).optional().default([]),
+  mcpDisabledTools: z.array(z.string()).optional().default([]),
   capabilities: z.array(z.string()).optional().default([]),
   thinkingLevel: z.string().optional(),
   soul: z.string().optional(),
+  identityState: z.record(z.string(), z.unknown()).nullable().optional().default(null),
+  heartbeatEnabled: z.boolean().optional().default(false),
+  heartbeatInterval: z.union([z.string(), z.number()]).nullable().optional().default(null),
+  heartbeatIntervalSec: z.number().int().nonnegative().nullable().optional().default(null),
+  heartbeatModel: z.string().nullable().optional().default(null),
+  heartbeatPrompt: z.string().nullable().optional().default(null),
+  elevenLabsVoiceId: z.string().nullable().optional().default(null),
+  sessionResetMode: z.enum(['idle', 'daily']).nullable().optional().default(null),
+  sessionIdleTimeoutSec: z.number().int().nonnegative().nullable().optional().default(null),
+  sessionMaxAgeSec: z.number().int().nonnegative().nullable().optional().default(null),
+  sessionDailyResetAt: z.string().nullable().optional().default(null),
+  sessionResetTimezone: z.string().nullable().optional().default(null),
+  memoryScopeMode: z.enum(['auto', 'all', 'global', 'agent', 'session', 'project']).nullable().optional().default(null),
+  memoryTierPreference: z.enum(['working', 'durable', 'archive', 'blended']).nullable().optional().default(null),
+  projectId: z.string().optional(),
+  avatarSeed: z.string().optional(),
+  avatarUrl: z.string().nullable().optional().default(null),
   autoRecovery: z.boolean().optional().default(false),
   monthlyBudget: z.number().positive().nullable().optional().default(null),
   dailyBudget: z.number().positive().nullable().optional().default(null),
@@ -36,6 +75,28 @@ export const ConnectorCreateSchema = z.object({
   autoStart: z.boolean().optional(),
 })
 
+export const ExternalAgentRegisterSchema = z.object({
+  id: z.string().optional(),
+  name: z.string().min(1, 'External agent name is required'),
+  sourceType: z.enum(['codex', 'claude', 'opencode', 'openclaw', 'custom']).default('custom'),
+  status: z.enum(['online', 'idle', 'offline', 'stale']).optional().default('online'),
+  provider: z.string().nullable().optional().default(null),
+  model: z.string().nullable().optional().default(null),
+  workspace: z.string().nullable().optional().default(null),
+  transport: z.enum(['http', 'ws', 'cli', 'gateway', 'custom']).nullable().optional().default(null),
+  endpoint: z.string().nullable().optional().default(null),
+  agentId: z.string().nullable().optional().default(null),
+  gatewayProfileId: z.string().nullable().optional().default(null),
+  capabilities: z.array(z.string()).optional().default([]),
+  labels: z.array(z.string()).optional().default([]),
+  metadata: z.record(z.string(), z.unknown()).nullable().optional().default(null),
+  tokenStats: z.object({
+    inputTokens: z.number().nonnegative().optional(),
+    outputTokens: z.number().nonnegative().optional(),
+    totalTokens: z.number().nonnegative().optional(),
+  }).nullable().optional().default(null),
+})
+
 export const TaskCreateSchema = z.object({
   title: z.string().min(1, 'Task title is required'),
   description: z.string().optional().default(''),
@@ -64,7 +125,7 @@ export const TaskCreateSchema = z.object({
 
 export const ChatroomCreateSchema = z.object({
   name: z.string().min(1, 'Chatroom name is required'),
-  agentIds: z.array(z.string()).default([]),
+  agentIds: z.array(z.string()).min(1, 'Select at least one agent').default([]),
   description: z.string().optional().default(''),
   chatMode: z.enum(['sequential', 'parallel']).optional(),
   autoAddress: z.boolean().optional(),

package/src/lib/ws-client.ts

@@ -1,15 +1,15 @@
 type WsCallback = () => void
 
 let ws: WebSocket | null = null
-let accessKey = ''
+let wsEnabled = false
 let reconnectTimer: ReturnType<typeof setTimeout> | null = null
 let reconnectDelay = 1000
 const MAX_RECONNECT_DELAY = 30_000
 const listeners = new Map<string, Set<WsCallback>>()
 let connected = false
 
-function getWsUrl(key: string): string {
-  if (typeof window === 'undefined') return `ws://localhost:3457/ws?key=${encodeURIComponent(key)}`
+function getWsUrl(): string {
+  if (typeof window === 'undefined') return 'ws://localhost:3457/ws'
 
   const protocol = window.location.protocol === 'https:' ? 'wss' : 'ws'
   const pagePort = window.location.port
@@ -22,7 +22,7 @@ function getWsUrl(key: string): string {
   const behindProxy = !pagePort || pagePort === '80' || pagePort === '443' || pagePort !== appPort
   const wsHost = behindProxy ? window.location.host : `${window.location.hostname}:${buildPort}`
 
-  return `${protocol}://${wsHost}/ws?key=${encodeURIComponent(key)}`
+  return `${protocol}://${wsHost}/ws`
 }
 
 function handleMessage(event: MessageEvent) {
@@ -44,17 +44,18 @@ function scheduleReconnect() {
   const jitter = Math.random() * 2000
   reconnectTimer = setTimeout(() => {
     reconnectTimer = null
-    if (!accessKey) return
-    connect(accessKey)
+    if (!wsEnabled) return
+    connect()
   }, reconnectDelay + jitter)
   reconnectDelay = Math.min(reconnectDelay * 2, MAX_RECONNECT_DELAY)
 }
 
-function connect(key: string) {
+function connect() {
+  if (!wsEnabled) return
   if (ws && (ws.readyState === WebSocket.OPEN || ws.readyState === WebSocket.CONNECTING)) return
 
   try {
-    ws = new WebSocket(getWsUrl(key))
+    ws = new WebSocket(getWsUrl())
   } catch {
     scheduleReconnect()
     return
@@ -75,7 +76,7 @@ function connect(key: string) {
   ws.onclose = () => {
     connected = false
     ws = null
-    if (accessKey) scheduleReconnect()
+    if (wsEnabled) scheduleReconnect()
   }
 
   ws.onerror = () => {
@@ -84,13 +85,14 @@ function connect(key: string) {
 }
 
 export function connectWs(key: string) {
-  accessKey = key
+  void key
+  wsEnabled = true
   reconnectDelay = 1000
-  connect(key)
+  connect()
 }
 
 export function disconnectWs() {
-  accessKey = ''
+  wsEnabled = false
   if (reconnectTimer) {
     clearTimeout(reconnectTimer)
     reconnectTimer = null

package/src/proxy.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import type { NextRequest } from 'next/server'
+import { AUTH_COOKIE_NAME } from '@/lib/auth'
 
 /* ------------------------------------------------------------------ */
 /*  Rate-limit state — HMR-safe via globalThis                        */
@@ -44,7 +45,7 @@ function getClientIp(request: NextRequest): string {
 /* ------------------------------------------------------------------ */
 
 /** Access key auth proxy with brute-force rate limiting.
- *  Checks X-Access-Key header or ?key= param on all /api/ routes except /api/auth.
+ *  Checks X-Access-Key header or auth cookie on all /api/ routes except /api/auth.
  *  The key is validated against the ACCESS_KEY env var.
  *  After 5 failed attempts from a single IP the client is locked out for 15 minutes.
  */
@@ -55,11 +56,10 @@ export function proxy(request: NextRequest) {
   const isConnectorWebhook = request.method === 'POST'
     && /^\/api\/connectors\/[^/]+\/webhook\/?$/.test(pathname)
 
-  // Only protect API routes (not auth, uploads served as static assets, or inbound webhooks)
+  // Only protect API routes (not auth or inbound webhooks)
   if (
     !pathname.startsWith('/api/')
     || pathname === '/api/auth'
-    || pathname.startsWith('/api/uploads/')
     || isWebhookTrigger
     || isConnectorWebhook
   ) {
@@ -88,8 +88,8 @@ export function proxy(request: NextRequest) {
   }
 
   const providedKey =
-    request.headers.get('x-access-key')
-    || request.nextUrl.searchParams.get('key')
+    request.headers.get('x-access-key')?.trim()
+    || request.cookies.get(AUTH_COOKIE_NAME)?.value?.trim()
     || ''
 
   if (providedKey !== accessKey) {