@swarmclawai/swarmclaw 0.9.6 → 0.9.8

package/README.md

@@ -129,10 +129,10 @@ npm i -g @swarmclawai/swarmclaw
 pnpm add -g @swarmclawai/swarmclaw
 yarn global add @swarmclawai/swarmclaw
 bun add -g @swarmclawai/swarmclaw
-swarmclaw server
+swarmclaw
 ```
 
-`swarmclaw` by itself opens the CLI. `swarmclaw server` launches the packaged standalone server on `http://localhost:3456`.
+Running `swarmclaw` with no arguments starts the server on `http://localhost:3456`. You can also use `swarmclaw server` explicitly, or pass a subcommand (e.g. `swarmclaw agents list`) to use the CLI.
 Global install runs `postinstall`, which rebuilds `better-sqlite3` and prepares the sandbox browser image when Docker is available.
 If Docker is not installed yet, SwarmClaw keeps running and falls back to host execution for shell, browser, and `sandbox_exec`.
 No Deno install is required for the local `sandbox_exec` path.
@@ -140,10 +140,10 @@ No Deno install is required for the local `sandbox_exec` path.
 ### One-off run
 
 ```bash
-npx @swarmclawai/swarmclaw server
-pnpm dlx @swarmclawai/swarmclaw server
-yarn dlx @swarmclawai/swarmclaw server
-bunx @swarmclawai/swarmclaw server
+npx @swarmclawai/swarmclaw
+pnpm dlx @swarmclawai/swarmclaw
+yarn dlx @swarmclawai/swarmclaw
+bunx @swarmclawai/swarmclaw
 ```
 
 ### Install script

package/bin/server-cmd.js

@@ -137,10 +137,8 @@ function runBuild() {
 
   // Run Next.js build
   log('Building Next.js application (this may take a minute)...')
-  // Use webpack for production build reliability in packaged/fresh-install
-  // environments (Turbopack has intermittently failed during prerender).
   const nextCli = path.join(SWARMCLAW_HOME, 'node_modules', 'next', 'dist', 'bin', 'next')
-  execFileSync(process.execPath, [nextCli, 'build', '--webpack'], {
+  execFileSync(process.execPath, [nextCli, 'build', '--no-turbopack'], {
     cwd: SWARMCLAW_HOME,
     stdio: 'inherit',
     env: {

package/bin/swarmclaw.js

@@ -110,6 +110,12 @@ async function main() {
   const argv = process.argv.slice(2)
   const top = argv[0]
 
+  // Default to 'server' when invoked with no arguments.
+  if (!top) {
+    require('./server-cmd.js').main()
+    return
+  }
+
   // Route 'server', 'worker', and 'update' subcommands to CJS scripts (no TS dependency).
   if (top === 'server') {
     require('./server-cmd.js').main()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "0.9.6",
+  "version": "0.9.8",
   "description": "Self-hosted AI agent orchestration dashboard — manage LLM providers, orchestrate agent swarms, schedule tasks, and bridge agents to chat platforms.",
   "license": "MIT",
   "publishConfig": {
@@ -66,6 +66,7 @@
     "lint:baseline:update": "node ./scripts/lint-baseline.mjs update",
     "cli": "node ./bin/swarmclaw.js",
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js",
+    "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",
     "postinstall": "node ./scripts/postinstall.mjs"
@@ -74,6 +75,7 @@
     "@huggingface/transformers": "^3.8.1",
     "@langchain/anthropic": "^1.3.18",
     "@langchain/core": "^1.1.31",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "@langchain/langgraph": "^1.2.2",
     "@langchain/openai": "^1.2.8",
     "@multiavatar/multiavatar": "^1.0.7",

package/src/app/api/auth/route.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from 'next/server'
-import { validateAccessKey, isFirstTimeSetup, markSetupComplete } from '@/lib/server/storage'
+import { getAccessKey, validateAccessKey, isFirstTimeSetup, markSetupComplete, replaceAccessKey } from '@/lib/server/storage'
 import { AUTH_COOKIE_NAME, getCookieValue } from '@/lib/auth'
 import { isProductionRuntime } from '@/lib/runtime/runtime-env'
 import { hmrSingleton } from '@/lib/shared-utils'
@@ -51,12 +51,17 @@ function setAuthCookie(response: NextResponse, req: Request, key: string): NextR
   return response
 }
 
-/** GET /api/auth — returns setup state and whether the auth cookie is currently valid */
+/** GET /api/auth — returns setup state and whether the auth cookie is currently valid.
+ *  During first-time setup the generated access key is included so the UI can
+ *  display it with a copy button. Once setup completes the key is never exposed
+ *  over an unauthenticated endpoint again. */
 export async function GET(req: Request) {
   const cookieKey = getCookieValue(req.headers.get('cookie'), AUTH_COOKIE_NAME)
+  const firstTime = isFirstTimeSetup()
   return NextResponse.json({
-    firstTime: isFirstTimeSetup(),
+    firstTime,
     authenticated: !!cookieKey && validateAccessKey(cookieKey),
+    ...(firstTime ? { generatedKey: getAccessKey() } : {}),
   })
 }
 
@@ -73,7 +78,18 @@ export async function POST(req: Request) {
     ))
   }
 
-  const { key } = await req.json()
+  const { key, override } = await req.json()
+
+  // During first-time setup, allow the user to replace the generated key with their own
+  if (override && isFirstTimeSetup() && typeof key === 'string' && key.trim().length >= 8) {
+    replaceAccessKey(key.trim())
+    markSetupComplete()
+    if (rateLimitEnabled) authRateLimitMap.delete(clientIp)
+    const { ensureDaemonStarted } = await import('@/lib/server/runtime/daemon-state')
+    ensureDaemonStarted('api/auth:post')
+    return setAuthCookie(NextResponse.json({ ok: true }), req, key.trim())
+  }
+
   if (!key || !validateAccessKey(key)) {
     let remaining = MAX_ATTEMPTS
     if (rateLimitEnabled) {

package/src/app/api/setup/check-provider/route.test.ts

@@ -1,7 +1,7 @@
 import assert from 'node:assert/strict'
 import test from 'node:test'
 
-import { normalizeOllamaSetupEndpoint } from './route'
+import { normalizeOllamaSetupEndpoint, normalizeOpenClawUrl, parseErrorMessage } from './route'
 
 test('normalizeOllamaSetupEndpoint strips local /v1 suffixes but preserves cloud endpoints', () => {
   assert.equal(
@@ -17,3 +17,87 @@ test('normalizeOllamaSetupEndpoint strips local /v1 suffixes but preserves cloud
     'https://ollama.com/v1',
   )
 })
+
+// ---------------------------------------------------------------------------
+// normalizeOpenClawUrl
+// ---------------------------------------------------------------------------
+
+test('normalizeOpenClawUrl adds http:// to bare host:port', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('myhost:18789')
+  assert.equal(httpUrl, 'http://myhost:18789')
+  assert.equal(wsUrl, 'ws://myhost:18789')
+})
+
+test('normalizeOpenClawUrl converts ws:// to http:// and vice-versa', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('ws://192.168.1.5:18789')
+  assert.equal(httpUrl, 'http://192.168.1.5:18789')
+  assert.equal(wsUrl, 'ws://192.168.1.5:18789')
+})
+
+test('normalizeOpenClawUrl converts wss:// to https:// and vice-versa', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('wss://gateway.example.com')
+  assert.equal(httpUrl, 'https://gateway.example.com')
+  assert.equal(wsUrl, 'wss://gateway.example.com')
+})
+
+test('normalizeOpenClawUrl strips trailing slashes', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('http://localhost:18789///')
+  assert.equal(httpUrl, 'http://localhost:18789')
+  assert.equal(wsUrl, 'ws://localhost:18789')
+})
+
+test('normalizeOpenClawUrl defaults to localhost when empty', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('')
+  assert.equal(httpUrl, 'http://localhost:18789')
+  assert.equal(wsUrl, 'ws://localhost:18789')
+})
+
+test('normalizeOpenClawUrl preserves existing http://', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('http://10.0.0.1:9999')
+  assert.equal(httpUrl, 'http://10.0.0.1:9999')
+  assert.equal(wsUrl, 'ws://10.0.0.1:9999')
+})
+
+test('normalizeOpenClawUrl preserves https://', () => {
+  const { httpUrl, wsUrl } = normalizeOpenClawUrl('https://secure.example.com')
+  assert.equal(httpUrl, 'https://secure.example.com')
+  assert.equal(wsUrl, 'wss://secure.example.com')
+})
+
+// ---------------------------------------------------------------------------
+// parseErrorMessage
+// ---------------------------------------------------------------------------
+
+function fakeResponse(body: string, status = 400): Response {
+  return new Response(body, { status })
+}
+
+test('parseErrorMessage extracts JSON .error.message', async () => {
+  const res = fakeResponse(JSON.stringify({ error: { message: 'bad key' } }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'bad key')
+})
+
+test('parseErrorMessage extracts JSON .error string', async () => {
+  const res = fakeResponse(JSON.stringify({ error: 'rate limited' }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'rate limited')
+})
+
+test('parseErrorMessage extracts JSON .detail string', async () => {
+  const res = fakeResponse(JSON.stringify({ detail: 'not found' }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'not found')
+})
+
+test('parseErrorMessage returns raw text for non-JSON', async () => {
+  const res = fakeResponse('Service Unavailable')
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'Service Unavailable')
+})
+
+test('parseErrorMessage returns fallback for empty body', async () => {
+  const res = fakeResponse('')
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'fallback')
+})
+
+test('parseErrorMessage extracts .message from JSON', async () => {
+  const res = fakeResponse(JSON.stringify({ message: 'quota exceeded' }))
+  assert.equal(await parseErrorMessage(res, 'fallback'), 'quota exceeded')
+})

package/src/app/api/setup/check-provider/route.ts

@@ -40,7 +40,7 @@ function parseBody(input: unknown): SetupCheckBody {
   return input as SetupCheckBody
 }
 
-async function parseErrorMessage(res: Response, fallback: string): Promise<string> {
+export async function parseErrorMessage(res: Response, fallback: string): Promise<string> {
   const text = await res.text().catch(() => '')
   if (!text) return fallback
   try {
@@ -60,24 +60,66 @@ async function checkOpenAiCompatible(
   apiKey: string,
   endpointRaw: string,
   defaultEndpoint: string,
+  modelHint?: string,
 ): Promise<{ ok: boolean; message: string; normalizedEndpoint: string }> {
   const normalizedEndpoint = (endpointRaw || defaultEndpoint).replace(/\/+$/, '')
-  const res = await fetch(`${normalizedEndpoint}/models`, {
+
+  // First, discover a model to test with (prefer the hint, fall back to the first available model)
+  let testModel = modelHint || ''
+  if (!testModel) {
+    try {
+      const modelsRes = await fetch(`${normalizedEndpoint}/models`, {
+        headers: { authorization: `Bearer ${apiKey}` },
+        signal: AbortSignal.timeout(8_000),
+        cache: 'no-store',
+      })
+      if (modelsRes.ok) {
+        const modelsPayload = await modelsRes.json().catch(() => ({} as any))
+        const first = Array.isArray(modelsPayload?.data) ? modelsPayload.data[0] : null
+        if (first?.id) testModel = String(first.id)
+      }
+    } catch {
+      // Model discovery failed — we'll still try the chat endpoint with the provider's default
+    }
+  }
+
+  // Fall back to a reasonable default per provider
+  if (!testModel) {
+    const fallbacks: Record<string, string> = {
+      OpenAI: 'gpt-4o-mini',
+      'Google Gemini': 'gemini-2.0-flash',
+      DeepSeek: 'deepseek-chat',
+      Groq: 'llama-3.3-70b-versatile',
+      'Together AI': 'meta-llama/Llama-3.3-70B-Instruct-Turbo',
+      'Mistral AI': 'mistral-small-latest',
+      'xAI (Grok)': 'grok-3-mini-fast',
+      'Fireworks AI': 'accounts/fireworks/models/llama4-scout-instruct-basic',
+    }
+    testModel = fallbacks[providerName] || 'gpt-4o-mini'
+  }
+
+  // Test the chat completions endpoint with a minimal request
+  const res = await fetch(`${normalizedEndpoint}/chat/completions`, {
+    method: 'POST',
     headers: {
       authorization: `Bearer ${apiKey}`,
+      'content-type': 'application/json',
     },
-    signal: AbortSignal.timeout(10_000),
+    body: JSON.stringify({
+      model: testModel,
+      max_tokens: 8,
+      messages: [{ role: 'user', content: 'Reply OK' }],
+    }),
+    signal: AbortSignal.timeout(15_000),
     cache: 'no-store',
   })
   if (!res.ok) {
     const detail = await parseErrorMessage(res, `${providerName} returned ${res.status}.`)
     return { ok: false, message: detail, normalizedEndpoint }
   }
-  const payload = await res.json().catch(() => ({} as any))
-  const count = Array.isArray(payload?.data) ? payload.data.length : 0
   return {
     ok: true,
-    message: count > 0 ? `Connected to ${providerName}. ${count} model(s) available.` : `Connected to ${providerName}.`,
+    message: `Connected to ${providerName}. Chat endpoint verified with ${testModel}.`,
     normalizedEndpoint,
   }
 }
@@ -119,8 +161,7 @@ async function checkOllama(params: {
     apiEndpoint: params.endpointRaw,
   })
   const normalizedEndpoint = normalizeOllamaSetupEndpoint(runtime.endpoint, runtime.useCloud)
-  const tagsPath = runtime.useCloud ? '/v1/models' : '/api/tags'
-  const headers = runtime.apiKey ? { authorization: `Bearer ${runtime.apiKey}` } : undefined
+  const headers: Record<string, string> = runtime.apiKey ? { authorization: `Bearer ${runtime.apiKey}` } : {}
   if (runtime.useCloud && !runtime.apiKey) {
     return {
       ok: false,
@@ -128,40 +169,72 @@ async function checkOllama(params: {
       normalizedEndpoint,
     }
   }
-  const res = await fetch(`${normalizedEndpoint}${tagsPath}`, {
-    headers,
-    signal: AbortSignal.timeout(8_000),
+
+  // Discover a model to test with
+  let testModel = params.modelRaw || ''
+  let recommendedModel: string | undefined
+  if (!testModel) {
+    try {
+      const tagsPath = runtime.useCloud ? '/v1/models' : '/api/tags'
+      const res = await fetch(`${normalizedEndpoint}${tagsPath}`, {
+        headers: headers.authorization ? headers : undefined,
+        signal: AbortSignal.timeout(8_000),
+        cache: 'no-store',
+      })
+      if (res.ok) {
+        const payload = await res.json().catch(() => ({} as any))
+        const models = runtime.useCloud
+          ? (Array.isArray(payload?.data) ? payload.data : [])
+          : (Array.isArray(payload?.models) ? payload.models : [])
+        const firstModel = runtime.useCloud
+          ? (typeof models[0]?.id === 'string' ? String(models[0].id) : undefined)
+          : (typeof models[0]?.name === 'string' ? String(models[0].name).replace(/:latest$/, '') : undefined)
+        if (firstModel) {
+          testModel = firstModel
+          recommendedModel = firstModel
+        }
+        if (models.length === 0) {
+          return {
+            ok: true,
+            message: runtime.useCloud
+              ? 'Connected to Ollama Cloud, but no models were returned.'
+              : 'Connected to Ollama, but no models are installed yet. Run `ollama pull <model>` to add one.',
+            normalizedEndpoint,
+          }
+        }
+      }
+    } catch {
+      // Model discovery failed — try chat anyway
+    }
+  }
+
+  if (!testModel) testModel = 'llama3.2'
+
+  // Test the chat endpoint
+  const label = runtime.useCloud ? 'Ollama Cloud' : 'Ollama'
+  const chatEndpoint = `${normalizedEndpoint}/v1/chat/completions`
+  const chatBody = JSON.stringify({ model: testModel, max_tokens: 8, messages: [{ role: 'user', content: 'Reply OK' }] })
+
+  const chatRes = await fetch(chatEndpoint, {
+    method: 'POST',
+    headers: { ...headers, 'content-type': 'application/json' },
+    body: chatBody,
+    signal: AbortSignal.timeout(30_000),
     cache: 'no-store',
   })
-  if (!res.ok) {
-    const detail = await parseErrorMessage(res, `Ollama returned ${res.status}.`)
-    return { ok: false, message: detail, normalizedEndpoint }
-  }
-  const payload = await res.json().catch(() => ({} as any))
-  const models = runtime.useCloud
-    ? (Array.isArray(payload?.data) ? payload.data : [])
-    : (Array.isArray(payload?.models) ? payload.models : [])
-  const firstModel = runtime.useCloud
-    ? (typeof models[0]?.id === 'string' ? String(models[0].id) : undefined)
-    : (typeof models[0]?.name === 'string' ? String(models[0].name).replace(/:latest$/, '') : undefined)
-  if (models.length === 0) {
-    return {
-      ok: true,
-      message: runtime.useCloud
-        ? 'Connected to Ollama Cloud, but no models were returned.'
-        : 'Connected to Ollama, but no models are installed yet. Run `ollama pull <model>` to add one.',
-      normalizedEndpoint,
-    }
+  if (!chatRes.ok) {
+    const detail = await parseErrorMessage(chatRes, `${label} chat returned ${chatRes.status}.`)
+    return { ok: false, message: detail, normalizedEndpoint, recommendedModel }
   }
   return {
     ok: true,
-    message: `Connected to ${runtime.useCloud ? 'Ollama Cloud' : 'Ollama'}. ${models.length} model(s) available.`,
+    message: `Connected to ${label}. Chat verified with ${testModel}.`,
     normalizedEndpoint,
-    recommendedModel: firstModel,
+    recommendedModel: recommendedModel || testModel,
   }
 }
 
-function normalizeOpenClawUrl(raw: string): { httpUrl: string; wsUrl: string } {
+export function normalizeOpenClawUrl(raw: string): { httpUrl: string; wsUrl: string } {
   let url = (raw || 'http://localhost:18789').replace(/\/+$/, '')
   if (!/^(https?|wss?):\/\//i.test(url)) url = `http://${url}`
   const httpUrl = url.replace(/^ws:/i, 'http:').replace(/^wss:/i, 'https:')
@@ -214,7 +287,7 @@ export async function POST(req: Request) {
       case 'openai': {
         if (!apiKey) return NextResponse.json({ ok: false, message: 'OpenAI API key is required.' })
         const info = OPENAI_COMPATIBLE_DEFAULTS.openai
-        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint)
+        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint, model)
         return NextResponse.json(result)
       }
       case 'anthropic': {
@@ -231,7 +304,7 @@ export async function POST(req: Request) {
       case 'fireworks': {
         const info = OPENAI_COMPATIBLE_DEFAULTS[provider]
         if (!apiKey) return NextResponse.json({ ok: false, message: `${info.name} API key is required.` })
-        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint)
+        const result = await checkOpenAiCompatible(info.name, apiKey, endpoint, info.defaultEndpoint, model)
         return NextResponse.json(result)
       }
       case 'ollama': {

package/src/app/login/page.tsx

@@ -1,9 +1,10 @@
 'use client'
 
-import { useRouter } from 'next/navigation'
 import { AccessKeyGate } from '@/components/auth/access-key-gate'
 
 export default function LoginPage() {
-  const router = useRouter()
-  return <AccessKeyGate onAuthenticated={() => router.replace('/home')} />
+  return <AccessKeyGate onAuthenticated={() => {
+    // Full navigation so the bootstrap re-checks auth from scratch with the new cookie.
+    window.location.replace('/home')
+  }} />
 }

package/src/app/setup/page.tsx

@@ -10,6 +10,7 @@ export default function SetupPage() {
     <SetupWizard
       onComplete={() => {
         safeStorageSet('sc_setup_done', '1')
+        window.dispatchEvent(new Event('sc:setup-complete'))
         router.replace('/home')
       }}
     />

package/src/components/agents/agent-sheet.tsx

@@ -224,6 +224,7 @@ export function AgentSheet() {
   const [proactiveMemory, setProactiveMemory] = useState(false)
   const [autoRecovery, setAutoRecovery] = useState(false)
   const [disabled, setDisabled] = useState(false)
+  const [filesystemScope, setFilesystemScope] = useState<'workspace' | 'machine'>('workspace')
   const [voiceId, setVoiceId] = useState('')
   const [heartbeatEnabled, setHeartbeatEnabled] = useState(false)
   const [heartbeatIntervalSec, setHeartbeatIntervalSec] = useState('')  // '' = default (30m)
@@ -422,6 +423,7 @@ export function AgentSheet() {
         setProactiveMemory(editing.proactiveMemory || false)
         setAutoRecovery(editing.autoRecovery || false)
         setDisabled(editing.disabled === true)
+        setFilesystemScope(editing.filesystemScope === 'machine' ? 'machine' : 'workspace')
         setVoiceId(editing.elevenLabsVoiceId || '')
         setHeartbeatEnabled(editing.heartbeatEnabled || false)
         setHeartbeatIntervalSec(parseDurationToSec(editing.heartbeatInterval, editing.heartbeatIntervalSec))
@@ -674,6 +676,7 @@ export function AgentSheet() {
       proactiveMemory,
       autoRecovery,
       disabled,
+      filesystemScope: filesystemScope === 'machine' ? 'machine' as const : undefined,
       elevenLabsVoiceId: voiceId.trim() || null,
       heartbeatEnabled,
       heartbeatInterval: heartbeatIntervalSec ? formatHbDuration(Number(heartbeatIntervalSec)) : null,
@@ -2239,6 +2242,22 @@ export function AgentSheet() {
         </div>
       )}
 
+      {/* Filesystem Access */}
+      <div className="mb-8">
+        <label className="block font-display text-[12px] font-600 text-text-2 uppercase tracking-[0.08em] mb-2">Filesystem Access</label>
+        <select
+          value={filesystemScope}
+          onChange={(e) => setFilesystemScope(e.target.value as 'workspace' | 'machine')}
+          className="w-full h-10 px-3 rounded-[10px] bg-white/[0.04] border border-white/[0.06] text-[14px] text-text-2"
+        >
+          <option value="workspace">Workspace only</option>
+          <option value="machine">Full machine</option>
+        </select>
+        {filesystemScope === 'machine' && (
+          <p className="mt-2 text-[12px] text-amber-400/80">Agent can access any file your user account can reach. Sensitive paths (.ssh, .env, .gnupg) are blocked by default.</p>
+        )}
+      </div>
+
       {/* Platform — hidden for providers that manage capabilities outside LangGraph */}
       {!hasNativeCapabilities && (
         <div className="mb-8">