@swarmclawai/swarmclaw 1.1.4 → 1.1.6

package/README.md

@@ -177,6 +177,18 @@ The building blocks are the same: **agents, tools, memory, delegation, schedules
 
 ## Release Notes
 
+### v1.1.6 Highlights
+
+- **Org chart view**: visual agent hierarchy with drag-and-drop reparenting, team grouping, and context-menu actions for managing agent relationships directly from the canvas.
+- **Dashboard API**: server-side metrics endpoint with cost tracking, usage aggregation, and budget warning thresholds for operator visibility.
+- **Subagent lifecycle overhaul**: state-machine lineage tracking, `delegationDepth` limits, auto-announce on spawn, and cleaner parent-child session management.
+- **Chat execution refactor**: composable prompt sections replace monolithic prompt building, continuation evaluator consolidation, and extracted stream-continuation logic for maintainability.
+- **Per-agent cost attribution**: token costs are tracked and attributed per agent, enabling budget controls and cost reporting at the agent level.
+- **Capability-based task routing**: tasks can match agents by declared capabilities, not just explicit assignment, enabling smarter automatic dispatch.
+- **Bulk agent operations**: new `/api/agents/bulk` endpoint for batch updates across multiple agents in a single request.
+- **Document revisions API**: version history for documents with `/api/documents/[id]/revisions` endpoint.
+- **Store loader consolidation**: async loaders now use `createLoader()` and `setIfChanged` to eliminate redundant re-renders from polling.
+
 ### v1.1.4 Highlights
 
 - **Orchestrator agents return as a first-class autonomy mode**: eligible agents can now run scheduled orchestrator wake cycles with their own mission, governance policy, wake interval, cycle cap, Autonomy-desk controls, and setup/editor support.
@@ -189,6 +201,19 @@ The building blocks are the same: **agents, tools, memory, delegation, schedules
 - **Release integrity repair**: `build:ci` no longer trips over the langgraph checkpoint duplicate-column path, which restores clean build validation for the release line.
 - **Storage writes are safer**: credential and agent saves were tightened to upsert-only behavior and bulk-delete safety guards so tests or scripts cannot accidentally wipe live state.
 - **Plugin-to-extension cleanup finished**: remaining rename residue in scripts and tests was cleaned up so packaging and release tooling stay aligned with the current extensions model.
+- **Safe body parsing utility**: shared `safeParseBody()` replaces scattered `await req.json()` try/catch blocks across API routes.
+
+### v1.1.4 Highlights
+
+- **Orchestrator agents as a real agent mode**: eligible agents can now run scheduled orchestrator wake cycles with their own mission, governance policy, wake interval, and cycle cap.
+- **Runtime durability and recovery**: configurable parallel task execution, stuck-task idle timeout detection, orphaned running-task recovery on startup, and restart-safe swarm/provider-health persistence.
+- **Failover and safety improvements**: provider errors classified for smarter routing, agent budget limits block task execution before it starts.
+
+### v1.1.3 Highlights
+
+- **`build:ci` repair**: fixed the langgraph checkpoint duplicate-column crash that blocked CI/build validation.
+- **Safer storage writes**: credentials and agents use upsert-only save behavior, and a collection safety guard blocks accidental bulk-delete paths.
+>>>>>>> Stashed changes
 
 ### v1.1.2 Highlights
 

package/bin/install-root.js

@@ -98,11 +98,14 @@ function tryRealpath(targetPath) {
   }
 }
 
+const isWindows = process.platform === 'win32'
+
 function runRootCommand(command, args, execImpl = execFileSync) {
   try {
     return String(execImpl(command, args, {
       encoding: 'utf8',
       stdio: ['ignore', 'pipe', 'pipe'],
+      ...(isWindows && { shell: true }),
     })).trim()
   } catch {
     return null

package/bin/server-cmd.js

@@ -154,6 +154,8 @@ function resolveInstalledNext(pkgRoot = PKG_ROOT) {
   }
 }
 
+const isWindows = process.platform === 'win32'
+
 function ensurePackageDependencies(pkgRoot = PKG_ROOT) {
   const resolved = resolveInstalledNext(pkgRoot)
   if (resolved && fs.existsSync(resolved.nextCli)) return resolved
@@ -161,7 +163,7 @@ function ensurePackageDependencies(pkgRoot = PKG_ROOT) {
   const packageManager = detectPackageManager(pkgRoot, process.env)
   const install = getInstallCommand(packageManager)
   log(`Installing dependencies with ${packageManager}...`)
-  execFileSync(install.command, install.args, { cwd: pkgRoot, stdio: 'inherit' })
+  execFileSync(install.command, install.args, { cwd: pkgRoot, stdio: 'inherit', ...(isWindows && { shell: true }) })
 
   const installed = resolveInstalledNext(pkgRoot)
   if (installed && fs.existsSync(installed.nextCli)) return installed

package/bin/update-cmd.js

@@ -16,6 +16,8 @@ const {
   resolvePackageRoot,
 } = require('./install-root.js')
 
+const isWindows = process.platform === 'win32'
+
 const PKG_ROOT = resolvePackageRoot({
   moduleDir: __dirname,
   argv1: process.argv[1],
@@ -83,6 +85,7 @@ function runRegistrySelfUpdate(
       cwd: PKG_ROOT,
       stdio: 'inherit',
       timeout: 120_000,
+      ...(isWindows && { shell: true }),
     })
     logger.log(`Global update complete via ${packageManager}.`)
   } catch (err) {
@@ -170,7 +173,7 @@ If running from a registry install, update the global package with its owning pa
       const packageManager = detectPackageManager(PKG_ROOT, process.env)
       const install = getInstallCommand(packageManager, true)
       log(`Package files changed — running ${packageManager} install...`)
-      execFileSync(install.command, install.args, { cwd: PKG_ROOT, stdio: 'inherit', timeout: 120_000 })
+      execFileSync(install.command, install.args, { cwd: PKG_ROOT, stdio: 'inherit', timeout: 120_000, ...(isWindows && { shell: true }) })
     }
   } catch {
     // If diff fails, skip install check.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "description": "Self-hosted AI runtime for OpenClaw, delegation, autonomy, runtime skills, crypto wallets, and chat platform connectors.",
   "license": "MIT",
   "publishConfig": {
@@ -69,6 +69,7 @@
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs",
     "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts src/lib/setup-defaults.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/providers/openclaw-exports.test.ts src/app/api/openclaw/dashboard-url/route.test.ts",
+    "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",
     "prepack": "npm run build:ci",
     "postinstall": "node ./scripts/postinstall.mjs"

package/scripts/easy-setup.mjs

@@ -4,6 +4,7 @@ import fs from 'node:fs'
 import path from 'node:path'
 import { spawnSync } from 'node:child_process'
 
+const isWindows = process.platform === 'win32'
 const args = new Set(process.argv.slice(2))
 const startAfterSetup = args.has('--start') || args.has('--prod')
 const productionMode = args.has('--prod')
@@ -25,6 +26,7 @@ function run(command, commandArgs, options = {}) {
   const result = spawnSync(command, commandArgs, {
     cwd,
     stdio: 'inherit',
+    ...(isWindows && { shell: true }),
     ...options,
   })
   if (result.error) fail(result.error.message)
@@ -39,6 +41,7 @@ function runOptional(command, commandArgs, options = {}) {
   const result = spawnSync(command, commandArgs, {
     cwd,
     stdio: 'inherit',
+    ...(isWindows && { shell: true }),
     ...options,
   })
   if (result.error || (result.status ?? 1) !== 0) {
@@ -60,7 +63,7 @@ function ensureNodeVersion() {
 }
 
 function ensureNpm() {
-  const result = spawnSync('npm', ['--version'], { cwd, encoding: 'utf8' })
+  const result = spawnSync('npm', ['--version'], { cwd, encoding: 'utf8', ...(isWindows && { shell: true }) })
   if (result.error || (result.status ?? 1) !== 0) {
     fail('npm was not found. Install npm and rerun this setup command.')
   }
@@ -69,7 +72,7 @@ function ensureNpm() {
 
 function commandExists(name) {
   const lookup = process.platform === 'win32' ? 'where' : 'which'
-  const result = spawnSync(lookup, [name], { cwd, encoding: 'utf8' })
+  const result = spawnSync(lookup, [name], { cwd, encoding: 'utf8', ...(isWindows && { shell: true }) })
   return !result.error && (result.status ?? 1) === 0
 }
 

package/src/app/api/activity/route.ts

@@ -6,6 +6,7 @@ export async function GET(req: Request) {
   const { searchParams } = new URL(req.url)
   const entityType = searchParams.get('entityType')
   const entityId = searchParams.get('entityId')
+  const actor = searchParams.get('actor')
   const action = searchParams.get('action')
   const since = searchParams.get('since')
   const limit = Math.min(200, Math.max(1, Number(searchParams.get('limit')) || 50))
@@ -15,6 +16,7 @@ export async function GET(req: Request) {
 
   if (entityType) entries = entries.filter((e) => e.entityType === entityType)
   if (entityId) entries = entries.filter((e) => e.entityId === entityId)
+  if (actor) entries = entries.filter((e) => e.actor === actor)
   if (action) entries = entries.filter((e) => e.action === action)
   if (since) {
     const sinceMs = Number(since)

package/src/app/api/agents/[id]/route.ts

@@ -8,13 +8,15 @@ import { notify } from '@/lib/server/ws-hub'
 import { normalizeAgentSandboxConfig } from '@/lib/agent-sandbox-defaults'
 import { normalizeCapabilitySelection } from '@/lib/capability-selection'
 import { normalizeOrchestratorConfig } from '@/lib/orchestrator-config'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const ops: CollectionOps<any> = { load: () => loadAgents({ includeTrashed: true }), save: saveAgents, topic: 'agents', table: 'agents' }
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
   const result = mutateItem(ops, id, (agent) => {
     Object.assign(agent, body, { updatedAt: Date.now() })
     if (body.tools !== undefined || body.extensions !== undefined) {
@@ -42,7 +44,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
     if (body.apiEndpoint !== undefined) {
       agent.apiEndpoint = normalizeProviderEndpoint(
         body.provider || agent.provider,
-        body.apiEndpoint,
+        body.apiEndpoint as string | null | undefined,
       )
     }
     if (body.provider !== undefined && body.provider !== 'ollama' && body.ollamaMode === undefined) {
@@ -111,7 +113,6 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
     }
     delete (agent as Record<string, unknown>).platformAssignScope
     delete (agent as Record<string, unknown>).subAgentIds
-    delete (agent as Record<string, unknown>).isOrchestrator
     delete (agent as Record<string, unknown>).id
     agent.id = id
     return agent

package/src/app/api/agents/bulk/route.ts

@@ -0,0 +1,55 @@
+import { NextResponse } from 'next/server'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { patchAgent } from '@/lib/server/storage'
+import { logActivity } from '@/lib/server/storage'
+import { notify } from '@/lib/server/ws-hub'
+
+export async function PATCH(req: Request) {
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
+
+  const patches = body.patches
+  if (!Array.isArray(patches) || patches.length === 0) {
+    return NextResponse.json({ error: 'patches must be a non-empty array' }, { status: 400 })
+  }
+
+  let updated = 0
+  const errors: string[] = []
+
+  for (const entry of patches) {
+    if (!entry || typeof entry !== 'object' || Array.isArray(entry)) {
+      errors.push('Invalid patch entry (not an object)')
+      continue
+    }
+    const { id, patch } = entry as { id?: unknown; patch?: unknown }
+    if (typeof id !== 'string' || !id.trim()) {
+      errors.push('Patch entry missing valid id')
+      continue
+    }
+    if (!patch || typeof patch !== 'object' || Array.isArray(patch)) {
+      errors.push(`Patch for ${id} is not a valid object`)
+      continue
+    }
+
+    const result = patchAgent(id, (current) => {
+      if (!current) return null
+      return { ...current, ...(patch as Record<string, unknown>), updatedAt: Date.now() }
+    })
+
+    if (result) {
+      updated++
+      logActivity({
+        entityType: 'agent',
+        entityId: id,
+        action: 'updated',
+        actor: 'user',
+        summary: `Bulk patch: updated agent "${result.name || id}"`,
+      })
+    } else {
+      errors.push(`Agent ${id} not found`)
+    }
+  }
+
+  if (updated > 0) notify('agents')
+  return NextResponse.json({ updated, errors })
+}

package/src/app/api/agents/route.ts

@@ -10,6 +10,7 @@ import { normalizeAgentSandboxConfig } from '@/lib/agent-sandbox-defaults'
 import { normalizeOrchestratorConfig } from '@/lib/orchestrator-config'
 import { AgentCreateSchema, formatZodError } from '@/lib/validation/schemas'
 import { z } from 'zod'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 export const dynamic = 'force-dynamic'
 
 async function ensureDaemonIfNeeded(source: string) {
@@ -57,7 +58,8 @@ export async function GET(req: Request) {
 
 export async function POST(req: Request) {
   await ensureDaemonIfNeeded('api/agents:post')
-  const raw = await req.json()
+  const { data: raw, error } = await safeParseBody(req)
+  if (error) return error
   const rawRecord = raw && typeof raw === 'object' ? raw as Record<string, unknown> : null
   const parsed = AgentCreateSchema.safeParse(raw)
   if (!parsed.success) {

package/src/app/api/agents/trash/route.ts

@@ -3,6 +3,7 @@ import { loadTrashedAgents, loadAgents, saveAgents, deleteAgent } from '@/lib/se
 import { notify } from '@/lib/server/ws-hub'
 import { badRequest, notFound } from '@/lib/server/collection-helpers'
 import { purgeAgentReferences, restoreAgentSchedules } from '@/lib/server/agents/agent-cascade'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 
 /** GET — list trashed agents */
 export async function GET() {
@@ -11,7 +12,8 @@ export async function GET() {
 
 /** POST { id } — restore a trashed agent */
 export async function POST(req: Request) {
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
   const id = body?.id as string | undefined
   if (!id) return badRequest('Missing agent id')
 
@@ -35,7 +37,8 @@ export async function POST(req: Request) {
 
 /** DELETE { id } — permanently delete a trashed agent */
 export async function DELETE(req: Request) {
-  const body = await req.json()
+  const { data: body, error: parseError } = await safeParseBody(req)
+  if (parseError) return parseError
   const id = body?.id as string | undefined
   if (!id) return badRequest('Missing agent id')
 

package/src/app/api/auth/route.ts

@@ -1,4 +1,5 @@
 import { NextResponse } from 'next/server'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { getAccessKey, validateAccessKey, isFirstTimeSetup, markSetupComplete, replaceAccessKey } from '@/lib/server/storage'
 import { AUTH_COOKIE_NAME, getCookieValue } from '@/lib/auth'
 import { isProductionRuntime } from '@/lib/runtime/runtime-env'
@@ -65,9 +66,19 @@ export async function GET(req: Request) {
   })
 }
 
+function pruneExpiredEntries() {
+  const now = Date.now()
+  for (const [ip, entry] of authRateLimitMap) {
+    if (entry.lockedUntil > 0 && entry.lockedUntil < now) {
+      authRateLimitMap.delete(ip)
+    }
+  }
+}
+
 /** POST /api/auth — validate an access key */
 export async function POST(req: Request) {
   const rateLimitEnabled = isRateLimitEnabled()
+  if (rateLimitEnabled) pruneExpiredEntries()
   const clientIp = getClientIp(req)
   const entry = rateLimitEnabled ? authRateLimitMap.get(clientIp) : undefined
   if (rateLimitEnabled && entry && entry.lockedUntil > Date.now()) {
@@ -78,7 +89,9 @@ export async function POST(req: Request) {
     ))
   }
 
-  const { key, override } = await req.json()
+  const { data: body, error } = await safeParseBody<{ key: string; override?: boolean }>(req)
+  if (error) return error
+  const { key, override } = body
 
   // During first-time setup, allow the user to replace the generated key with their own
   if (override && isFirstTimeSetup() && typeof key === 'string' && key.trim().length >= 8) {

package/src/app/api/canvas/[sessionId]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { loadSessions, saveSessions } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { normalizeCanvasContent } from '@/lib/canvas-content'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ sessionId: string }> }) {
   const { sessionId } = await params
@@ -17,7 +18,8 @@ export async function GET(_req: Request, { params }: { params: Promise<{ session
 
 export async function POST(req: Request, { params }: { params: Promise<{ sessionId: string }> }) {
   const { sessionId } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody(req)
+  if (error) return error
   const sessions = loadSessions()
   const session = sessions[sessionId]
   if (!session) return NextResponse.json({ error: 'Session not found' }, { status: 404 })

package/src/app/api/chatrooms/[id]/chat/route.ts

@@ -3,6 +3,7 @@ import { genId } from '@/lib/id'
 import { loadChatrooms, saveChatrooms, loadAgents } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { notFound } from '@/lib/server/collection-helpers'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { streamAgentChat } from '@/lib/server/chat-execution/stream-agent-chat'
 import { getProvider } from '@/lib/providers'
 import {
@@ -26,6 +27,7 @@ import { resolvePrimaryAgentRoute } from '@/lib/server/agents/agent-runtime-conf
 import { shouldSuppressHiddenControlText, stripHiddenControlTokens } from '@/lib/server/agents/assistant-control'
 import type { Chatroom, ChatroomMessage, Agent } from '@/types'
 import { errorMessage } from '@/lib/shared-utils'
+import { persistChatroomInteractionMemory } from '@/lib/server/chatrooms/chatroom-memory-bridge'
 
 export const dynamic = 'force-dynamic'
 export const maxDuration = 300
@@ -34,7 +36,8 @@ const MAX_CHAIN_DEPTH = 5
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
 
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id] as Chatroom | undefined
@@ -57,7 +60,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   // Persist incoming message
   const senderName = senderId === 'user' ? 'You' : (agents[senderId]?.name || senderId)
   const replyTargetAgentId = resolveReplyTargetAgentId(replyToId, chatroom.messages, chatroom.agentIds)
-  let mentions = parseMentions(text, agents, chatroom.agentIds, { replyTargetAgentId })
+  let mentions = parseMentions(text, agents, chatroom.agentIds, { replyTargetAgentId, senderId: senderId !== 'user' ? senderId : null })
   // Routing rules: if no explicit mentions, evaluate keyword/capability rules
   if (mentions.length === 0 && chatroom.routingRules?.length) {
     const agentList = chatroom.agentIds.map((aid) => agents[aid]).filter(Boolean)
@@ -67,6 +70,11 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   if (chatroom.autoAddress && mentions.length === 0) {
     mentions = [...chatroom.agentIds]
   }
+  // If a specific agent is targeted, ensure they're in the mentions
+  const incomingTargetAgentId = typeof body.targetAgentId === 'string' ? body.targetAgentId : undefined
+  if (incomingTargetAgentId && chatroom.agentIds.includes(incomingTargetAgentId) && !mentions.includes(incomingTargetAgentId)) {
+    mentions.push(incomingTargetAgentId)
+  }
   const mentionHealth = filterHealthyChatroomAgents(mentions, agents)
   mentions = mentionHealth.healthyAgentIds
   const userMessage: ChatroomMessage = {
@@ -81,6 +89,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
     ...(imagePath ? { imagePath } : {}),
     ...(attachedFiles ? { attachedFiles } : {}),
     ...(replyToId ? { replyToId } : {}),
+    ...(incomingTargetAgentId ? { targetAgentId: incomingTargetAgentId } : {}),
   }
   chatroom.messages.push(userMessage)
   compactChatroomMessages(chatroom)
@@ -90,6 +99,20 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
   notify('chatrooms')
   notify(`chatroom:${id}`)
 
+  // If sender is an agent (via triggerResponses tool), just persist the message — don't re-process agents
+  if (senderId !== 'user' && agents[senderId]) {
+    const encoder = new TextEncoder()
+    const noopStream = new ReadableStream({
+      start(controller) {
+        controller.enqueue(encoder.encode(`data: ${JSON.stringify({ t: 'done' })}\n\n`))
+        controller.close()
+      },
+    })
+    return new NextResponse(noopStream, {
+      headers: { 'Content-Type': 'text/event-stream', 'Cache-Control': 'no-cache', 'Connection': 'keep-alive', 'X-Accel-Buffering': 'no' },
+    })
+  }
+
   // Build reply context if replying to a message
   let replyContext = ''
   if (replyToId) {
@@ -243,7 +266,7 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
 
             if (responseText.trim() && !shouldSuppressHiddenControlText(rawResponseText)) {
               appendSyntheticSessionMessage(syntheticSession.id, 'assistant', responseText)
-              const parsedMentions = parseMentions(responseText, agents, freshChatroom.agentIds)
+              const parsedMentions = parseMentions(responseText, agents, freshChatroom.agentIds, { senderId: agent.id, skipImplicit: true })
               const chainedHealth = filterHealthyChatroomAgents(parsedMentions, agents)
               const newMentions = chainedHealth.healthyAgentIds
               if (chainedHealth.skipped.length > 0) {
@@ -273,6 +296,17 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
               // Extract and apply reactions (e.g. [REACTION]{"emoji":"👍","to":"..."})
               applyAgentReactionsFromText(responseText, id, agent.id)
 
+              // Persist interaction to agent memory (fire-and-forget)
+              persistChatroomInteractionMemory({
+                agentId: agent.id,
+                agent,
+                chatroomId: id,
+                chatroomName: chatroom.name,
+                senderName,
+                inboundText: text,
+                responseText,
+              }).catch(() => {})
+
               markProviderSuccess(agent.provider)
               writeEvent({ t: 'cr_agent_done', agentId: agent.id, agentName: agent.name })
 
@@ -319,7 +353,12 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
             )
             if (lastAgentMsg) {
               const truncated = lastAgentMsg.text.length > 500 ? lastAgentMsg.text.slice(0, 500) + '...' : lastAgentMsg.text
-              item.contextMessage = `${lastAgentMsg.senderName} said: "${truncated}" — They're requesting your help. Review the conversation and respond.`
+              const originalTruncated = text.length > 300 ? text.slice(0, 300) + '...' : text
+              item.contextMessage = [
+                `[Conversation context] The user said: "${originalTruncated}"`,
+                `${lastAgentMsg.senderName} then said: "${truncated}"`,
+                `They mentioned you — respond to the conversation naturally.`,
+              ].join('\n')
             }
           }
 

package/src/app/api/chatrooms/[id]/members/route.ts

@@ -2,16 +2,18 @@ import { NextResponse } from 'next/server'
 import { loadChatrooms, saveChatrooms, loadAgents } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { notFound } from '@/lib/server/collection-helpers'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { genId } from '@/lib/id'
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id]
   if (!chatroom) return notFound()
 
-  const agentId = body.agentId as string
+  const agentId = typeof body.agentId === 'string' ? body.agentId : ''
   if (!agentId) return NextResponse.json({ error: 'agentId is required' }, { status: 400 })
 
   if (!chatroom.agentIds.includes(agentId)) {
@@ -44,12 +46,13 @@ export async function POST(req: Request, { params }: { params: Promise<{ id: str
 
 export async function DELETE(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error: delError } = await safeParseBody<Record<string, unknown>>(req)
+  if (delError) return delError
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id]
   if (!chatroom) return notFound()
 
-  const agentId = body.agentId as string
+  const agentId = typeof body.agentId === 'string' ? body.agentId : ''
   if (!agentId) return NextResponse.json({ error: 'agentId is required' }, { status: 400 })
 
   const wasPresent = chatroom.agentIds.includes(agentId)

package/src/app/api/chatrooms/[id]/moderate/route.ts

@@ -3,6 +3,7 @@ import crypto from 'crypto'
 import { loadChatrooms, saveChatrooms, appendModerationLog } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { notFound } from '@/lib/server/collection-helpers'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { getMembers } from '@/lib/server/chatrooms/chatroom-helpers'
 import type { Chatroom, ChatroomMember } from '@/types'
 
@@ -26,7 +27,8 @@ function isValidRole(role: unknown): role is ChatroomMember['role'] {
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json() as Record<string, unknown>
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
 
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id] as Chatroom | undefined

package/src/app/api/chatrooms/[id]/pins/route.ts

@@ -2,16 +2,18 @@ import { NextResponse } from 'next/server'
 import { loadChatrooms, saveChatrooms } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { notFound } from '@/lib/server/collection-helpers'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import type { Chatroom } from '@/types'
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id] as Chatroom | undefined
   if (!chatroom) return notFound()
 
-  const messageId = body.messageId as string
+  const messageId = typeof body.messageId === 'string' ? body.messageId : ''
   if (!messageId) {
     return NextResponse.json({ error: 'messageId is required' }, { status: 400 })
   }

package/src/app/api/chatrooms/[id]/reactions/route.ts

@@ -2,18 +2,20 @@ import { NextResponse } from 'next/server'
 import { loadChatrooms, saveChatrooms } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { notFound } from '@/lib/server/collection-helpers'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import type { Chatroom, ChatroomMessage, ChatroomReaction } from '@/types'
 
 export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id] as Chatroom | undefined
   if (!chatroom) return notFound()
 
-  const messageId = body.messageId as string
-  const emoji = body.emoji as string
-  const reactorId = (body.reactorId as string) || 'user'
+  const messageId = typeof body.messageId === 'string' ? body.messageId : ''
+  const emoji = typeof body.emoji === 'string' ? body.emoji : ''
+  const reactorId = typeof body.reactorId === 'string' && body.reactorId ? body.reactorId : 'user'
   if (!messageId || !emoji) {
     return NextResponse.json({ error: 'messageId and emoji are required' }, { status: 400 })
   }

package/src/app/api/chatrooms/[id]/route.ts

@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { loadChatrooms, saveChatrooms, loadAgents, loadConnectors, saveConnectors } from '@/lib/server/storage'
 import { notify } from '@/lib/server/ws-hub'
 import { notFound } from '@/lib/server/collection-helpers'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { genId } from '@/lib/id'
 
 export async function GET(_req: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -14,7 +15,8 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
 
 export async function PUT(req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
-  const body = await req.json()
+  const { data: body, error } = await safeParseBody<Record<string, unknown>>(req)
+  if (error) return error
   const chatrooms = loadChatrooms()
   const chatroom = chatrooms[id]
   if (!chatroom) return notFound()
@@ -40,7 +42,8 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
       )
     }
     const agents = loadAgents()
-    const invalidAgentIds = (body.agentIds as string[]).filter((agentId) => !agents[agentId])
+    const agentIds = (body.agentIds as unknown[]).filter((v): v is string => typeof v === 'string' && v.trim().length > 0)
+    const invalidAgentIds = agentIds.filter((agentId) => !agents[agentId])
     if (invalidAgentIds.length > 0) {
       return NextResponse.json(
         { error: `Unknown chatroom member(s): ${invalidAgentIds.join(', ')}` },
@@ -49,8 +52,8 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
     }
 
     const oldIds = new Set(chatroom.agentIds)
-    const newIds = new Set(body.agentIds as string[])
-    const added = (body.agentIds as string[]).filter((aid: string) => !oldIds.has(aid))
+    const newIds = new Set(agentIds)
+    const added = agentIds.filter((aid: string) => !oldIds.has(aid))
     const removed = chatroom.agentIds.filter((aid: string) => !newIds.has(aid))
 
     if (added.length > 0 || removed.length > 0) {
@@ -83,7 +86,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
       }
     }
 
-    chatroom.agentIds = body.agentIds
+    chatroom.agentIds = agentIds
   }
 
   chatroom.updatedAt = Date.now()