@swarmclawai/swarmclaw 0.9.5 → 0.9.7

package/README.md

@@ -129,10 +129,10 @@ npm i -g @swarmclawai/swarmclaw
 pnpm add -g @swarmclawai/swarmclaw
 yarn global add @swarmclawai/swarmclaw
 bun add -g @swarmclawai/swarmclaw
-swarmclaw server
+swarmclaw
 ```
 
-`swarmclaw` by itself opens the CLI. `swarmclaw server` launches the packaged standalone server on `http://localhost:3456`.
+Running `swarmclaw` with no arguments starts the server on `http://localhost:3456`. You can also use `swarmclaw server` explicitly, or pass a subcommand (e.g. `swarmclaw agents list`) to use the CLI.
 Global install runs `postinstall`, which rebuilds `better-sqlite3` and prepares the sandbox browser image when Docker is available.
 If Docker is not installed yet, SwarmClaw keeps running and falls back to host execution for shell, browser, and `sandbox_exec`.
 No Deno install is required for the local `sandbox_exec` path.
@@ -140,10 +140,10 @@ No Deno install is required for the local `sandbox_exec` path.
 ### One-off run
 
 ```bash
-npx @swarmclawai/swarmclaw server
-pnpm dlx @swarmclawai/swarmclaw server
-yarn dlx @swarmclawai/swarmclaw server
-bunx @swarmclawai/swarmclaw server
+npx @swarmclawai/swarmclaw
+pnpm dlx @swarmclawai/swarmclaw
+yarn dlx @swarmclawai/swarmclaw
+bunx @swarmclawai/swarmclaw
 ```
 
 ### Install script
@@ -155,7 +155,7 @@ curl -fsSL https://raw.githubusercontent.com/swarmclawai/swarmclaw/main/install.
 The installer resolves the latest stable release tag and installs that version by default.
 It also builds the production bundle so `npm run start` is ready immediately after install.
 No Deno install is required; local sandbox execution is Docker-first with automatic host Node fallback.
-To pin a version: `SWARMCLAW_VERSION=v0.9.4 curl ... | bash`
+To pin a version: `SWARMCLAW_VERSION=v0.9.6 curl ... | bash`
 
 Or run locally from the repo (friendly for non-technical users):
 
@@ -729,15 +729,15 @@ On `v*` tags, GitHub Actions will:
 2. Create a GitHub Release
 3. Build and publish Docker images to `ghcr.io/swarmclawai/swarmclaw` (`:vX.Y.Z`, `:latest`, `:sha-*`)
 
-#### v0.9.5 Release Readiness Notes
+#### v0.9.6 Release Readiness Notes
 
-Before shipping `v0.9.5`, confirm the following user-facing changes are reflected in docs:
+Before shipping `v0.9.6`, confirm the following user-facing changes are reflected in docs:
 
-1. Plugin/runtime docs mention the new typed lifecycle hooks: `beforePromptBuild`, `beforeToolCall`, `beforeModelResolve`, `llmInput`, `llmOutput`, `toolResultPersist`, `beforeMessageWrite`, plus session and subagent lifecycle hooks.
-2. Connector/memory docs explain that quiet-boundary memories are matched by identifiers and agent aliases, with explicit boundary metadata support, rather than relying on hardcoded person-name fallbacks.
-3. Skills docs still explain that local skills are discoverable by default, pinned skills stay always-on, and `use_skill` is the runtime path for selection/loading/dispatch.
-4. Site and README install/version strings are updated to `v0.9.5`, including release notes index text and any pinned install snippets.
-5. The release tag, npm package version, and generated GitHub release install snippet all agree on the non-prefixed npm version (`0.9.5`) versus the git tag (`v0.9.5`).
+1. Wallet docs explain the new global wallet approval override in Settings/Wallets, and note that per-wallet approval toggles remain stored but are ignored when the global switch is off.
+2. Runtime/autonomy docs mention the continuation hardening for long-running tasks: intent-only kickoff replies now get one bounded followthrough, and chat-originated progress runs can schedule a bounded main-loop continuation without waiting for another user ping.
+3. Skills/runtime docs still explain that local skills are discoverable by default, pinned skills stay always-on, and `use_skill` is the runtime path for selection/loading/dispatch.
+4. Site and README install/version strings are updated to `v0.9.6`, including release notes index text and any pinned install snippets.
+5. The release tag, npm package version, and generated GitHub release install snippet all agree on the non-prefixed npm version (`0.9.6`) versus the git tag (`v0.9.6`).
 
 ## CLI
 

package/bin/server-cmd.js

@@ -137,10 +137,8 @@ function runBuild() {
 
   // Run Next.js build
   log('Building Next.js application (this may take a minute)...')
-  // Use webpack for production build reliability in packaged/fresh-install
-  // environments (Turbopack has intermittently failed during prerender).
   const nextCli = path.join(SWARMCLAW_HOME, 'node_modules', 'next', 'dist', 'bin', 'next')
-  execFileSync(process.execPath, [nextCli, 'build', '--webpack'], {
+  execFileSync(process.execPath, [nextCli, 'build'], {
     cwd: SWARMCLAW_HOME,
     stdio: 'inherit',
     env: {

package/bin/swarmclaw.js

@@ -110,6 +110,12 @@ async function main() {
   const argv = process.argv.slice(2)
   const top = argv[0]
 
+  // Default to 'server' when invoked with no arguments.
+  if (!top) {
+    require('./server-cmd.js').main()
+    return
+  }
+
   // Route 'server', 'worker', and 'update' subcommands to CJS scripts (no TS dependency).
   if (top === 'server') {
     require('./server-cmd.js').main()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "0.9.5",
+  "version": "0.9.7",
   "description": "Self-hosted AI agent orchestration dashboard — manage LLM providers, orchestrate agent swarms, schedule tasks, and bridge agents to chat platforms.",
   "license": "MIT",
   "publishConfig": {
@@ -66,6 +66,7 @@
     "lint:baseline:update": "node ./scripts/lint-baseline.mjs update",
     "cli": "node ./bin/swarmclaw.js",
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js",
+    "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",
     "postinstall": "node ./scripts/postinstall.mjs"
@@ -76,6 +77,7 @@
     "@langchain/core": "^1.1.31",
     "@langchain/langgraph": "^1.2.2",
     "@langchain/openai": "^1.2.8",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "@multiavatar/multiavatar": "^1.0.7",
     "@playwright/mcp": "^0.0.68",
     "@slack/bolt": "^4.6.0",

package/src/app/api/auth/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import { validateAccessKey, isFirstTimeSetup, markSetupComplete } from '@/lib/server/storage'
+import { getAccessKey, validateAccessKey, isFirstTimeSetup, markSetupComplete, replaceAccessKey } from '@/lib/server/storage'
 import { AUTH_COOKIE_NAME, getCookieValue } from '@/lib/auth'
 import { isProductionRuntime } from '@/lib/runtime/runtime-env'
 import { hmrSingleton } from '@/lib/shared-utils'
@@ -51,12 +51,17 @@ function setAuthCookie(response: NextResponse, req: Request, key: string): NextR
   return response
 }
 
-/** GET /api/auth — returns setup state and whether the auth cookie is currently valid */
+/** GET /api/auth — returns setup state and whether the auth cookie is currently valid.
+ *  During first-time setup the generated access key is included so the UI can
+ *  display it with a copy button. Once setup completes the key is never exposed
+ *  over an unauthenticated endpoint again. */
 export async function GET(req: Request) {
   const cookieKey = getCookieValue(req.headers.get('cookie'), AUTH_COOKIE_NAME)
+  const firstTime = isFirstTimeSetup()
   return NextResponse.json({
-    firstTime: isFirstTimeSetup(),
+    firstTime,
     authenticated: !!cookieKey && validateAccessKey(cookieKey),
+    ...(firstTime ? { generatedKey: getAccessKey() } : {}),
   })
 }
 
@@ -73,7 +78,18 @@ export async function POST(req: Request) {
     ))
   }
 
-  const { key } = await req.json()
+  const { key, override } = await req.json()
+
+  // During first-time setup, allow the user to replace the generated key with their own
+  if (override && isFirstTimeSetup() && typeof key === 'string' && key.trim().length >= 8) {
+    replaceAccessKey(key.trim())
+    markSetupComplete()
+    if (rateLimitEnabled) authRateLimitMap.delete(clientIp)
+    const { ensureDaemonStarted } = await import('@/lib/server/runtime/daemon-state')
+    ensureDaemonStarted('api/auth:post')
+    return setAuthCookie(NextResponse.json({ ok: true }), req, key.trim())
+  }
+
   if (!key || !validateAccessKey(key)) {
     let remaining = MAX_ATTEMPTS
     if (rateLimitEnabled) {

package/src/app/api/settings/route.ts

@@ -129,6 +129,7 @@ export async function PUT(req: Request) {
   settings.taskQualityGateRequireReport = parseBoolSetting(settings.taskQualityGateRequireReport, false)
   settings.taskManagementEnabled = parseBoolSetting(settings.taskManagementEnabled, true)
   settings.projectManagementEnabled = parseBoolSetting(settings.projectManagementEnabled, true)
+  settings.walletApprovalsEnabled = parseBoolSetting(settings.walletApprovalsEnabled, true)
   settings.integrityMonitorEnabled = parseBoolSetting(settings.integrityMonitorEnabled, true)
   settings.daemonAutostartEnabled = parseBoolSetting(settings.daemonAutostartEnabled, true)
   settings.sessionResetMode = settings.sessionResetMode === 'daily' ? 'daily' : settings.sessionResetMode === 'idle' ? 'idle' : null

package/src/app/api/setup/check-provider/route.test.ts

@@ -1,7 +1,7 @@
 import assert from 'node:assert/strict'
 import test from 'node:test'
 
-import { normalizeOllamaSetupEndpoint } from './route'
+import { normalizeOllamaSetupEndpoint, normalizeOpenClawUrl, parseErrorMessage } from './route'
 
 test('normalizeOllamaSetupEndpoint strips local /v1 suffixes but preserves cloud endpoints', () => {
   assert.equal(
@@ -17,3 +17,87 @@ test('normalizeOllamaSetupEndpoint strips local /v1 suffixes but preserves cloud
     'https://ollama.com/v1',
   )
 })
+
+// ---------------------------------------------------------------------------
+// normalizeOpenClawUrl
+// ---------------------------------------------------------------------------
+
+test('normalizeOpenClawUrl adds http:// to bare host:port', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('myhost:18789')
+  assert.equal(httpUrl, 'http://myhost:18789')
+  assert.equal(wsUrl, 'ws://myhost:18789')
+})
+
+test('normalizeOpenClawUrl converts ws:// to http:// and vice-versa', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('ws://192.168.1.5:18789')
+  assert.equal(httpUrl, 'http://192.168.1.5:18789')
+  assert.equal(wsUrl, 'ws://192.168.1.5:18789')
+})
+
+test('normalizeOpenClawUrl converts wss:// to https:// and vice-versa', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('wss://gateway.example.com')
+  assert.equal(httpUrl, 'https://gateway.example.com')
+  assert.equal(wsUrl, 'wss://gateway.example.com')
+})
+
+test('normalizeOpenClawUrl strips trailing slashes', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('http://localhost:18789///')
+  assert.equal(httpUrl, 'http://localhost:18789')
+  assert.equal(wsUrl, 'ws://localhost:18789')
+})
+
+test('normalizeOpenClawUrl defaults to localhost when empty', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('')
+  assert.equal(httpUrl, 'http://localhost:18789')
+  assert.equal(wsUrl, 'ws://localhost:18789')
+})
+
+test('normalizeOpenClawUrl preserves existing http://', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('http://10.0.0.1:9999')
+  assert.equal(httpUrl, 'http://10.0.0.1:9999')
+  assert.equal(wsUrl, 'ws://10.0.0.1:9999')
+})
+
+test('normalizeOpenClawUrl preserves https://', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('https://secure.example.com')
+  assert.equal(httpUrl, 'https://secure.example.com')
+  assert.equal(wsUrl, 'wss://secure.example.com')
+})
+
+// ---------------------------------------------------------------------------
+// parseErrorMessage
+// ---------------------------------------------------------------------------
+
+function fakeResponse(body: string, status = 400): Response {
+  return new Response(body, { status })
+}
+
+test('parseErrorMessage extracts JSON .error.message', async () => {
+  const res = fakeResponse(JSON.stringify({ error: { message: 'bad key' } }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'bad key')
+})
+
+test('parseErrorMessage extracts JSON .error string', async () => {
+  const res = fakeResponse(JSON.stringify({ error: 'rate limited' }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'rate limited')
+})
+
+test('parseErrorMessage extracts JSON .detail string', async () => {
+  const res = fakeResponse(JSON.stringify({ detail: 'not found' }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'not found')
+})
+
+test('parseErrorMessage returns raw text for non-JSON', async () => {
+  const res = fakeResponse('Service Unavailable')
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'Service Unavailable')
+})
+
+test('parseErrorMessage returns fallback for empty body', async () => {
+  const res = fakeResponse('')
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'fallback')
+})
+
+test('parseErrorMessage extracts .message from JSON', async () => {
+  const res = fakeResponse(JSON.stringify({ message: 'quota exceeded' }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'quota exceeded')
+})

package/src/app/api/setup/check-provider/route.ts

@@ -40,7 +40,7 @@ function parseBody(input: unknown): SetupCheckBody {
   return input as SetupCheckBody
 }
 
-async function parseErrorMessage(res: Response, fallback: string): Promise<string> {
+export async function parseErrorMessage(res: Response, fallback: string): Promise<string> {
   const text = await res.text().catch(() => '')
   if (!text) return fallback
   try {
@@ -60,24 +60,66 @@ async function checkOpenAiCompatible(
   apiKey: string,
   endpointRaw: string,
   defaultEndpoint: string,
+  modelHint?: string,
 ): Promise<{ ok: boolean; message: string; normalizedEndpoint: string }> {
   const normalizedEndpoint = (endpointRaw || defaultEndpoint).replace(/\/+$/, '')
-  const res = await fetch(`${normalizedEndpoint}/models`, {
+
+  // First, discover a model to test with (prefer the hint, fall back to the first available model)
+  let testModel = modelHint || ''
+  if (!testModel) {
+    try {
+      const modelsRes = await fetch(`${normalizedEndpoint}/models`, {
+        headers: { authorization: `Bearer ${apiKey}` },
+        signal: AbortSignal.timeout(8_000),
+        cache: 'no-store',
+      })
+      if (modelsRes.ok) {
+        const modelsPayload = await modelsRes.json().catch(() => ({} as any))
+        const first = Array.isArray(modelsPayload?.data) ? modelsPayload.data[0] : null
+        if (first?.id) testModel = String(first.id)
+      }
+    } catch {
+      // Model discovery failed — we'll still try the chat endpoint with the provider's default
+    }
+  }
+
+  // Fall back to a reasonable default per provider
+  if (!testModel) {
+    const fallbacks: Record<string, string> = {
+      OpenAI: 'gpt-4o-mini',
+      'Google Gemini': 'gemini-2.0-flash',
+      DeepSeek: 'deepseek-chat',
+      Groq: 'llama-3.3-70b-versatile',
+      'Together AI': 'meta-llama/Llama-3.3-70B-Instruct-Turbo',
+      'Mistral AI': 'mistral-small-latest',
+      'xAI (Grok)': 'grok-3-mini-fast',
+      'Fireworks AI': 'accounts/fireworks/models/llama4-scout-instruct-basic',
+    }
+    testModel = fallbacks[providerName] || 'gpt-4o-mini'
+  }
+
+  // Test the chat completions endpoint with a minimal request
+  const res = await fetch(`${normalizedEndpoint}/chat/completions`, {
+    method: 'POST',
     headers: {
       authorization: `Bearer ${apiKey}`,
+      'content-type': 'application/json',
     },
-    signal: AbortSignal.timeout(10_000),
+    body: JSON.stringify({
+      model: testModel,
+      max_tokens: 8,
+      messages: [{ role: 'user', content: 'Reply OK' }],
+    }),
+    signal: AbortSignal.timeout(15_000),
     cache: 'no-store',
   })
   if (!res.ok) {
     const detail = await parseErrorMessage(res, `${providerName} returned ${res.status}.`)
     return { ok: false, message: detail, normalizedEndpoint }
   }
-  const payload = await res.json().catch(() => ({} as any))
-  const count = Array.isArray(payload?.data) ? payload.data.length : 0
   return {
     ok: true,
-    message: count > 0 ? `Connected to ${providerName}. ${count} model(s) available.` : `Connected to ${providerName}.`,
+    message: `Connected to ${providerName}. Chat endpoint verified with ${testModel}.`,
     normalizedEndpoint,
   }
 }
@@ -119,8 +161,7 @@ async function checkOllama(params: {
     apiEndpoint: params.endpointRaw,
   })
   const normalizedEndpoint = normalizeOllamaSetupEndpoint(runtime.endpoint, runtime.useCloud)
-  const tagsPath = runtime.useCloud ? '/v1/models' : '/api/tags'
-  const headers = runtime.apiKey ? { authorization: `Bearer ${runtime.apiKey}` } : undefined
+  const headers: Record<string, string> = runtime.apiKey ? { authorization: `Bearer ${runtime.apiKey}` } : {}
   if (runtime.useCloud && !runtime.apiKey) {
     return {
       ok: false,
@@ -128,40 +169,72 @@ async function checkOllama(params: {
       normalizedEndpoint,
     }
   }
-  const res = await fetch(`${normalizedEndpoint}${tagsPath}`, {
-    headers,
-    signal: AbortSignal.timeout(8_000),
+
+  // Discover a model to test with
+  let testModel = params.modelRaw || ''
+  let recommendedModel: string | undefined
+  if (!testModel) {
+    try {
+      const tagsPath = runtime.useCloud ? '/v1/models' : '/api/tags'
+      const res = await fetch(`${normalizedEndpoint}${tagsPath}`, {
+        headers: headers.authorization ? headers : undefined,
+        signal: AbortSignal.timeout(8_000),
+        cache: 'no-store',
+      })
+      if (res.ok) {
+        const payload = await res.json().catch(() => ({} as any))
+        const models = runtime.useCloud
+          ? (Array.isArray(payload?.data) ? payload.data : [])
+          : (Array.isArray(payload?.models) ? payload.models : [])
+        const firstModel = runtime.useCloud
+          ? (typeof models[0]?.id === 'string' ? String(models[0].id) : undefined)
+          : (typeof models[0]?.name === 'string' ? String(models[0].name).replace(/:latest$/, '') : undefined)
+        if (firstModel) {
+          testModel = firstModel
+          recommendedModel = firstModel
+        }
+        if (models.length === 0) {
+          return {
+            ok: true,
+            message: runtime.useCloud
+              ? 'Connected to Ollama Cloud, but no models were returned.'
+              : 'Connected to Ollama, but no models are installed yet. Run `ollama pull <model>` to add one.',
+            normalizedEndpoint,
+          }
+        }
+      }
+    } catch {
+      // Model discovery failed — try chat anyway
+    }
+  }
+
+  if (!testModel) testModel = 'llama3.2'
+
+  // Test the chat endpoint
+  const label = runtime.useCloud ? 'Ollama Cloud' : 'Ollama'
+  const chatEndpoint = `${normalizedEndpoint}/v1/chat/completions`
+  const chatBody = JSON.stringify({ model: testModel, max_tokens: 8, messages: [{ role: 'user', content: 'Reply OK' }] })
+
+  const chatRes = await fetch(chatEndpoint, {
+    method: 'POST',
+    headers: { ...headers, 'content-type': 'application/json' },
+    body: chatBody,
+    signal: AbortSignal.timeout(30_000),
     cache: 'no-store',
   })
-  if (!res.ok) {
-    const detail = await parseErrorMessage(res, `Ollama returned ${res.status}.`)
-    return { ok: false, message: detail, normalizedEndpoint }
-  }
-  const payload = await res.json().catch(() => ({} as any))
-  const models = runtime.useCloud
-    ? (Array.isArray(payload?.data) ? payload.data : [])
-    : (Array.isArray(payload?.models) ? payload.models : [])
-  const firstModel = runtime.useCloud
-    ? (typeof models[0]?.id === 'string' ? String(models[0].id) : undefined)
-    : (typeof models[0]?.name === 'string' ? String(models[0].name).replace(/:latest$/, '') : undefined)
-  if (models.length === 0) {
-    return {
-      ok: true,
-      message: runtime.useCloud
-        ? 'Connected to Ollama Cloud, but no models were returned.'
-        : 'Connected to Ollama, but no models are installed yet. Run `ollama pull <model>` to add one.',
-      normalizedEndpoint,
-    }
+  if (!chatRes.ok) {
+    const detail = await parseErrorMessage(chatRes, `${label} chat returned ${chatRes.status}.`)
+    return { ok: false, message: detail, normalizedEndpoint, recommendedModel }
   }
   return {
     ok: true,
-    message: `Connected to ${runtime.useCloud ? 'Ollama Cloud' : 'Ollama'}. ${models.length} model(s) available.`,
+    message: `Connected to ${label}. Chat verified with ${testModel}.`,
     normalizedEndpoint,
-    recommendedModel: firstModel,
+    recommendedModel: recommendedModel || testModel,
   }
 }
 
-function normalizeOpenClawUrl(raw: string): { httpUrl: string; wsUrl: string } {
+export function normalizeOpenClawUrl(raw: string): { httpUrl: string; wsUrl: string } {
   let url = (raw || 'http://localhost:18789').replace(/\/+$/, '')
   if (!/^(https?|wss?):\/\//i.test(url)) url = `http://${url}`
   const httpUrl = url.replace(/^ws:/i, 'http:').replace(/^wss:/i, 'https:')
@@ -214,7 +287,7 @@ export async function POST(req: Request) {
       case 'openai': {
         if (!apiKey) return NextResponse.json({ ok: false, message: 'OpenAI API key is required.' })
         const info = OPENAI_COMPATIBLE_DEFAULTS.openai
-        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint)
+        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint, model)
         return NextResponse.json(result)
       }
       case 'anthropic': {
@@ -231,7 +304,7 @@ export async function POST(req: Request) {
       case 'fireworks': {
         const info = OPENAI_COMPATIBLE_DEFAULTS[provider]
         if (!apiKey) return NextResponse.json({ ok: false, message: `${info.name} API key is required.` })
-        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint)
+        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint, model)
         return NextResponse.json(result)
       }
       case 'ollama': {

package/src/app/api/wallets/[id]/send/route.ts

@@ -1,12 +1,17 @@
 import { NextResponse } from 'next/server'
 import { genId } from '@/lib/id'
-import { loadWallets, upsertWalletTransaction } from '@/lib/server/storage'
+import { loadSettings, loadWallets, upsertWalletTransaction } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import type { AgentWallet, WalletTransaction } from '@/types'
 import {
   normalizeAtomicString,
 } from '@/lib/wallet/wallet'
-import { isValidWalletAddress, sendWalletNativeAsset, validateWalletSendLimits } from '@/lib/server/wallet/wallet-service'
+import {
+  isValidWalletAddress,
+  sendWalletNativeAsset,
+  validateWalletSendLimits,
+  walletRequiresApproval,
+} from '@/lib/server/wallet/wallet-service'
 import { errorMessage } from '@/lib/shared-utils'
 export const dynamic = 'force-dynamic'
 
@@ -15,6 +20,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   const wallets = loadWallets() as Record<string, AgentWallet>
   const wallet = wallets[id]
   if (!wallet) return NextResponse.json({ error: 'Wallet not found' }, { status: 404 })
+  const settings = loadSettings()
 
   const body = await req.json()
   const toAddress = typeof body.toAddress === 'string' ? body.toAddress.trim() : ''
@@ -32,8 +38,8 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   const txId = genId(8)
   const now = Date.now()
 
-  // If requireApproval, create pending tx and return it
-  if (wallet.requireApproval) {
+  // When approvals are enabled globally and for this wallet, create a pending request instead of sending.
+  if (walletRequiresApproval(wallet, settings)) {
     const pendingTx: WalletTransaction = {
       id: txId,
       walletId: id,

package/src/app/api/wallets/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import { loadAgents, loadWallets } from '@/lib/server/storage'
+import { loadAgents, loadSettings, loadWallets } from '@/lib/server/storage'
 import { createAgentWallet, getAgentActiveWalletId, getWalletPortfolioSnapshot, stripWalletPrivateKey } from '@/lib/server/wallet/wallet-service'
 import { buildEmptyWalletPortfolio } from '@/lib/server/wallet/wallet-portfolio'
 import type { AgentWallet, WalletPortfolioSummary } from '@/types'
@@ -62,13 +62,16 @@ export async function GET(req: Request) {
 
 export async function POST(req: Request) {
   const body = await req.json()
+  const settings = loadSettings()
   try {
     const wallet = createAgentWallet({
       agentId: body.agentId,
       chain: body.chain,
       provider: body.provider,
       label: body.label,
-      requireApproval: body.requireApproval,
+      requireApproval: typeof body.requireApproval === 'boolean'
+        ? body.requireApproval
+        : settings.walletApprovalsEnabled !== false,
       spendingLimitAtomic: body.spendingLimitAtomic ?? body.spendingLimitLamports,
       dailyLimitAtomic: body.dailyLimitAtomic ?? body.dailyLimitLamports,
     })

package/src/app/login/page.tsx

@@ -1,9 +1,10 @@
 'use client'
 
-import { useRouter } from 'next/navigation'
 import { AccessKeyGate } from '@/components/auth/access-key-gate'
 
 export default function LoginPage() {
-  const router = useRouter()
-  return <AccessKeyGate onAuthenticated={() => router.replace('/home')} />
+  return <AccessKeyGate onAuthenticated={() => {
+    // Full navigation so the bootstrap re-checks auth from scratch with the new cookie.
+    window.location.replace('/home')
+  }} />
 }

package/src/app/settings/page.tsx

@@ -11,6 +11,7 @@ import { ThemeSection } from '@/views/settings/section-theme'
 import { OrchestratorSection } from '@/views/settings/section-orchestrator'
 import { RuntimeLoopSection } from '@/views/settings/section-runtime-loop'
 import { CapabilityPolicySection } from '@/views/settings/section-capability-policy'
+import { WalletsSection } from '@/views/settings/section-wallets'
 import { StorageSection } from '@/views/settings/section-storage'
 import { VoiceSection } from '@/views/settings/section-voice'
 import { WebSearchSection } from '@/views/settings/section-web-search'
@@ -147,6 +148,14 @@ export default function SettingsRoute() {
       keywords: ['storage', 'uploads', 'disk', 'cleanup', 'files'],
       render: () => <StorageSection {...sectionProps} />,
     },
+    {
+      id: 'wallets',
+      tabId: 'general',
+      title: 'Wallets',
+      description: 'Control global wallet approval behavior and auto-execution defaults.',
+      keywords: ['wallet', 'wallets', 'approval', 'approvals', 'crypto', 'send'],
+      render: () => <WalletsSection {...sectionProps} />,
+    },
     {
       id: 'theme',
       tabId: 'appearance',

package/src/app/setup/page.tsx

@@ -10,6 +10,7 @@ export default function SetupPage() {
     <SetupWizard
       onComplete={() => {
         safeStorageSet('sc_setup_done', '1')
+        window.dispatchEvent(new Event('sc:setup-complete'))
         router.replace('/home')
       }}
     />

package/src/components/agents/agent-sheet.tsx

@@ -224,6 +224,7 @@ export function AgentSheet() {
   const [proactiveMemory, setProactiveMemory] = useState(false)
   const [autoRecovery, setAutoRecovery] = useState(false)
   const [disabled, setDisabled] = useState(false)
+  const [filesystemScope, setFilesystemScope] = useState<'workspace' | 'machine'>('workspace')
   const [voiceId, setVoiceId] = useState('')
   const [heartbeatEnabled, setHeartbeatEnabled] = useState(false)
   const [heartbeatIntervalSec, setHeartbeatIntervalSec] = useState('')  // '' = default (30m)
@@ -422,6 +423,7 @@ export function AgentSheet() {
         setProactiveMemory(editing.proactiveMemory || false)
         setAutoRecovery(editing.autoRecovery || false)
         setDisabled(editing.disabled === true)
+        setFilesystemScope(editing.filesystemScope === 'machine' ? 'machine' : 'workspace')
         setVoiceId(editing.elevenLabsVoiceId || '')
         setHeartbeatEnabled(editing.heartbeatEnabled || false)
         setHeartbeatIntervalSec(parseDurationToSec(editing.heartbeatInterval, editing.heartbeatIntervalSec))
@@ -674,6 +676,7 @@ export function AgentSheet() {
       proactiveMemory,
       autoRecovery,
       disabled,
+      filesystemScope: filesystemScope === 'machine' ? 'machine' as const : undefined,
       elevenLabsVoiceId: voiceId.trim() || null,
       heartbeatEnabled,
       heartbeatInterval: heartbeatIntervalSec ? formatHbDuration(Number(heartbeatIntervalSec)) : null,
@@ -2239,6 +2242,22 @@ export function AgentSheet() {
         </div>
       )}
 
+      {/* Filesystem Access */}
+      <div className="mb-8">
+        <label className="block font-display text-[12px] font-600 text-text-2 uppercase tracking-[0.08em] mb-2">Filesystem Access</label>
+        <select
+          value={filesystemScope}
+          onChange={(e) => setFilesystemScope(e.target.value as 'workspace' | 'machine')}
+          className="w-full h-10 px-3 rounded-[10px] bg-white/[0.04] border border-white/[0.06] text-[14px] text-text-2"
+        >
+          <option value="workspace">Workspace only</option>
+          <option value="machine">Full machine</option>
+        </select>
+        {filesystemScope === 'machine' && (
+          <p className="mt-2 text-[12px] text-amber-400/80">Agent can access any file your user account can reach. Sensitive paths (.ssh, .env, .gnupg) are blocked by default.</p>
+        )}
+      </div>
+
       {/* Platform — hidden for providers that manage capabilities outside LangGraph */}
       {!hasNativeCapabilities && (
         <div className="mb-8">