@swarmclawai/swarmclaw 1.2.6 → 1.2.9

package/src/lib/server/storage.ts

@@ -24,8 +24,6 @@ import type {
   GuardianCheckpoint,
   LearnedSkill,
   Message,
-  Mission,
-  MissionEvent,
   ProtocolTemplate,
   ProtocolRun,
   ProtocolRunEvent,
@@ -138,9 +136,6 @@ const COLLECTIONS = [
   'webhook_retry_queue',
   'notifications',
   'chatrooms',
-  'wallets',
-  'wallet_transactions',
-  'wallet_balance_history',
   'moderation_logs',
   'connector_health',
   'connector_outbox',
@@ -152,8 +147,6 @@ const COLLECTIONS = [
   'watch_jobs',
   'delegation_jobs',
   'external_agents',
-  'missions',
-  'mission_events',
   'protocol_templates',
   'protocol_runs',
   'protocol_run_events',
@@ -162,6 +155,8 @@ const COLLECTIONS = [
   'main_loop_states',
   'working_states',
   'daemon_status',
+  'wallets',
+  'wallet_transactions',
 ] as const
 
 export type StorageCollection = (typeof COLLECTIONS)[number]
@@ -545,8 +540,6 @@ const JSON_FILES: Record<string, string> = {
   documents: path.join(DATA_DIR, 'documents.json'),
   webhooks: path.join(DATA_DIR, 'webhooks.json'),
   external_agents: path.join(DATA_DIR, 'external-agents.json'),
-  missions: path.join(DATA_DIR, 'missions.json'),
-  mission_events: path.join(DATA_DIR, 'mission-events.json'),
   protocol_templates: path.join(DATA_DIR, 'protocol-templates.json'),
   protocol_runs: path.join(DATA_DIR, 'protocol-runs.json'),
   protocol_run_events: path.join(DATA_DIR, 'protocol-run-events.json'),
@@ -1208,25 +1201,6 @@ export const loadProjects = projectsStore.load
 export const saveProjects = projectsStore.save
 export const deleteProject = projectsStore.deleteItem
 
-// --- Missions ---
-const missionsStore = createCollectionStore('missions')
-export const loadMissions = missionsStore.load as () => Record<string, Mission>
-export const saveMissions = missionsStore.save as (items: Record<string, Mission>) => void
-export const loadMission = missionsStore.loadItem as (id: string) => Mission | null
-export const upsertMission = missionsStore.upsert as (id: string, value: Mission) => void
-export const patchMission = missionsStore.patch as (
-  id: string,
-  updater: (current: Mission | null) => Mission | null,
-) => Mission | null
-export const deleteMission = missionsStore.deleteItem
-
-const missionEventsStore = createCollectionStore('mission_events')
-export const loadMissionEvents = missionEventsStore.load as () => Record<string, MissionEvent>
-export const saveMissionEvents = missionEventsStore.save as (items: Record<string, MissionEvent>) => void
-export const loadMissionEvent = missionEventsStore.loadItem as (id: string) => MissionEvent | null
-export const upsertMissionEvent = missionEventsStore.upsert as (id: string, value: MissionEvent) => void
-export const upsertMissionEvents = missionEventsStore.upsertMany as (entries: Array<[string, MissionEvent]>) => void
-
 const protocolTemplatesStore = createCollectionStore('protocol_templates')
 export const loadProtocolTemplates = protocolTemplatesStore.load as () => Record<string, ProtocolTemplate>
 export const saveProtocolTemplates = protocolTemplatesStore.save as (items: Record<string, ProtocolTemplate>) => void
@@ -1541,23 +1515,6 @@ export function markNotificationRead(id: string) {
   }
 }
 
-// --- Wallets ---
-const walletsStore = createCollectionStore('wallets')
-export const loadWallets = walletsStore.load
-export const upsertWallet = walletsStore.upsert
-export const deleteWallet = walletsStore.deleteItem
-
-// --- Wallet Transactions ---
-const walletTransactionsStore = createCollectionStore('wallet_transactions')
-export const loadWalletTransactions = walletTransactionsStore.load
-export const upsertWalletTransaction = walletTransactionsStore.upsert
-export const deleteWalletTransaction = walletTransactionsStore.deleteItem
-
-// --- Wallet Balance History ---
-const walletBalanceHistoryStore = createCollectionStore('wallet_balance_history')
-export const loadWalletBalanceHistory = walletBalanceHistoryStore.load
-export const upsertWalletBalanceSnapshot = walletBalanceHistoryStore.upsert
-
 // --- Moderation Logs ---
 const moderationLogsStore = createCollectionStore('moderation_logs')
 export const loadModerationLogs = moderationLogsStore.load
@@ -1613,6 +1570,22 @@ export const loadPersistedWorkingState = workingStatesStore.loadItem
 export const upsertPersistedWorkingState = workingStatesStore.upsert
 export const deletePersistedWorkingState = workingStatesStore.deleteItem
 
+// --- Wallets ---
+const walletsStore = createCollectionStore('wallets')
+export const loadWallets = walletsStore.load
+export const saveWallets = walletsStore.save
+export const loadWallet = walletsStore.loadItem
+export const upsertWallet = walletsStore.upsert
+export const deleteWalletItem = walletsStore.deleteItem
+
+// --- Wallet Transactions ---
+const walletTransactionsStore = createCollectionStore('wallet_transactions')
+export const loadWalletTransactions = walletTransactionsStore.load
+export const saveWalletTransactions = walletTransactionsStore.save
+export const loadWalletTransaction = walletTransactionsStore.loadItem
+export const upsertWalletTransaction = walletTransactionsStore.upsert
+export const deleteWalletTransaction = walletTransactionsStore.deleteItem
+
 export function getSessionMessages(sessionId: string): Message[] {
   const session = loadSession(sessionId)
   return Array.isArray(session?.messages) ? session.messages : []

package/src/lib/server/tasks/task-checkout.ts

@@ -0,0 +1,59 @@
+import type { BoardTask } from '@/types'
+import { withTransaction } from '@/lib/server/persistence/transaction'
+import { loadTasks, saveTasks } from '@/lib/server/tasks/task-repository'
+
+/**
+ * Atomically transition a task from queued → running with a checkout run ID.
+ *
+ * Uses a SQLite IMMEDIATE transaction to prevent two runners from starting the
+ * same task concurrently (Paperclip-inspired atomic checkout pattern).
+ *
+ * Returns the checked-out task on success, or null if the task was already
+ * taken, missing, or no longer in queued status.
+ */
+export function checkoutTask(
+  taskId: string,
+  runId: string,
+): BoardTask | null {
+  return withTransaction(() => {
+    const tasks = loadTasks() as Record<string, BoardTask>
+    const task = tasks[taskId]
+    if (!task || task.status !== 'queued') return null
+    if (task.checkoutRunId) return null // already checked out
+
+    const now = Date.now()
+    task.status = 'running'
+    task.checkoutRunId = runId
+    task.startedAt = now
+    task.lastActivityAt = now
+    task.retryScheduledAt = null
+    task.deadLetteredAt = null
+    task.error = null
+    task.validation = null
+    task.updatedAt = now
+
+    saveTasks(tasks)
+    return { ...task }
+  })
+}
+
+/**
+ * Release a checkout after task completion or failure.
+ * Only the holder of the checkout (matching runId) can release it.
+ */
+export function releaseCheckout(
+  taskId: string,
+  runId: string,
+): boolean {
+  return withTransaction(() => {
+    const tasks = loadTasks() as Record<string, BoardTask>
+    const task = tasks[taskId]
+    if (!task) return false
+    if (task.checkoutRunId !== runId) return false
+
+    task.checkoutRunId = null
+    task.updatedAt = Date.now()
+    saveTasks(tasks)
+    return true
+  })
+}

package/src/lib/server/tasks/task-lifecycle.ts

@@ -176,6 +176,7 @@ export function markValidatedTaskCompleted(
   task.completedAt = options.preserveCompletedAt ? (task.completedAt || options.now) : options.now
   task.updatedAt = options.now
   task.error = null
+  task.checkoutRunId = null
   return task
 }
 
@@ -187,6 +188,7 @@ export function markInvalidCompletedTaskFailed(
   task.status = 'failed'
   task.completedAt = null
   task.updatedAt = options.now
+  task.checkoutRunId = null
   task.error = formatValidationFailure(validation.reasons).slice(0, 500)
   if (options.comment) {
     if (!task.comments) task.comments = []

package/src/lib/server/tasks/task-route-service.ts

@@ -6,11 +6,6 @@ import { logActivity } from '@/lib/server/activity/activity-log'
 import { createNotification } from '@/lib/server/create-notification'
 import { validateDag, cascadeUnblock } from '@/lib/server/dag-validation'
 import { getExtensionManager } from '@/lib/server/extensions'
-import {
-  enrichTaskWithMissionSummary,
-  ensureMissionForTask,
-  noteMissionTaskFinished,
-} from '@/lib/server/missions/mission-service'
 import {
   disableSessionHeartbeat,
   enqueueTask,
@@ -64,9 +59,7 @@ export function prepareTasksForListing() {
   validateCompletedTasksQueue()
   recoverStalledRunningTasks()
   const allTasks = loadTasks()
-  return Object.fromEntries(
-    Object.entries(allTasks).map(([id, task]) => [id, enrichTaskWithMissionSummary(task)]),
-  )
+  return allTasks
 }
 
 export function updateTaskFromRoute(id: string, body: Record<string, unknown>): ServiceResult<BoardTask> {
@@ -128,10 +121,6 @@ export function updateTaskFromRoute(id: string, body: Record<string, unknown>):
   }
 
   saveTask(id, tasks[id])
-  const mission = ensureMissionForTask(tasks[id], { source: 'manual' })
-  if (tasks[id].status === 'completed' || tasks[id].status === 'failed' || tasks[id].status === 'cancelled') {
-    noteMissionTaskFinished(tasks[id], tasks[id].status, tasks[id].id)
-  }
   logActivity({ entityType: 'task', entityId: id, action: 'updated', actor: 'user', summary: `Task updated: "${tasks[id].title}" (${prevStatus} → ${tasks[id].status})` })
   if (prevStatus !== tasks[id].status) {
     pushMainLoopEventToMainSessions({
@@ -143,10 +132,7 @@ export function updateTaskFromRoute(id: string, body: Record<string, unknown>):
   if (prevStatus !== tasks[id].status && tasks[id].status === 'cancelled') {
     disableSessionHeartbeat(tasks[id].sessionId)
     notify('tasks')
-    return serviceOk(enrichTaskWithMissionSummary({
-      ...tasks[id],
-      missionId: mission?.id || tasks[id].missionId || null,
-    }))
+    return serviceOk(tasks[id])
   }
 
   if (prevStatus !== tasks[id].status && (tasks[id].status === 'completed' || tasks[id].status === 'failed')) {
@@ -216,10 +202,7 @@ export function updateTaskFromRoute(id: string, body: Record<string, unknown>):
   }
 
   notify('tasks')
-  return serviceOk(enrichTaskWithMissionSummary({
-    ...tasks[id],
-    missionId: mission?.id || tasks[id].missionId || null,
-  }))
+  return serviceOk(tasks[id])
 }
 
 export function archiveTaskFromRoute(id: string): ServiceResult<BoardTask> {
@@ -346,11 +329,6 @@ export function createTaskFromRoute(body: Record<string, unknown>): ServiceResul
   }
 
   saveTask(id, task)
-  const mission = ensureMissionForTask(task, { source: 'manual' })
-  const finalTask = enrichTaskWithMissionSummary({
-    ...task,
-    missionId: mission?.id || task.missionId || null,
-  })
   logActivity({ entityType: 'task', entityId: id, action: 'created', actor: 'user', summary: `Task created: "${task.title}"` })
   pushMainLoopEventToMainSessions({
     type: 'task_created',
@@ -360,7 +338,7 @@ export function createTaskFromRoute(body: Record<string, unknown>): ServiceResul
     enqueueTask(id)
   }
   notify('tasks')
-  return serviceOk(finalTask)
+  return serviceOk(task)
 }
 
 export function bulkUpdateTasksFromRoute(body: Record<string, unknown>): ServiceResult<{ updated: number; ids: string[] }> {

package/src/lib/server/tasks/task-service.ts

@@ -106,13 +106,6 @@ export function applyTaskContinuationDefaults(
     if (!Object.prototype.hasOwnProperty.call(explicit, 'cwd') && typeof sourceTask.cwd === 'string' && sourceTask.cwd.trim()) {
       parsed.cwd = sourceTask.cwd.trim()
     }
-    if (
-      !Object.prototype.hasOwnProperty.call(explicit, 'missionId')
-      && typeof sourceTask.missionId === 'string'
-      && sourceTask.missionId.trim()
-    ) {
-      parsed.missionId = sourceTask.missionId.trim()
-    }
     const sourceSessionId = typeof sourceTask.checkpoint?.lastSessionId === 'string' && sourceTask.checkpoint.lastSessionId.trim()
       ? sourceTask.checkpoint.lastSessionId.trim()
       : typeof sourceTask.sessionId === 'string' && sourceTask.sessionId.trim()

package/src/lib/server/tool-aliases.ts

@@ -1,5 +1,6 @@
 const EXTENSION_ALIAS_GROUPS: string[][] = [
-  ['shell', 'execute_command', 'process_tool', 'git', 'sandbox', 'sandbox_exec', 'sandbox_list_runtimes'],
+  ['shell', 'execute_command', 'process_tool', 'git'],
+  ['execute', 'sandbox'],
   ['files', 'read_file', 'write_file', 'list_files', 'copy_file', 'move_file', 'delete_file', 'send_file'],
   ['edit_file'],
   ['web', 'web_search', 'web_fetch', 'http_request', 'http'],
@@ -21,7 +22,6 @@ const EXTENSION_ALIAS_GROUPS: string[][] = [
   ['schedule_wake', 'schedule'],
   // http_request/http now aliased into web group above
   ['memory', 'memory_tool', 'memory_search', 'memory_get', 'memory_store', 'memory_update'],
-  ['wallet', 'wallet_tool'],
   ['monitor', 'monitor_tool'],
   ['context_mgmt', 'context_status', 'context_summarize'],
   ['openclaw_workspace'],

package/src/lib/server/tool-capability-policy-advanced.test.ts

@@ -92,6 +92,13 @@ describe('strict mode', () => {
     assert.match(d.blockedExtensions[0].reason, /strict policy/)
   })
 
+  it('blocks execute (execution category)', () => {
+    const d = resolveSessionToolPolicy(['execute'], mode)
+    assert.equal(d.blockedExtensions.length, 1)
+    assert.equal(d.blockedExtensions[0].tool, 'execute')
+    assert.match(d.blockedExtensions[0].reason, /strict policy/)
+  })
+
   it('blocks files (filesystem category)', () => {
     const d = resolveSessionToolPolicy(['files'], mode)
     assert.equal(d.blockedExtensions.length, 1)
@@ -168,7 +175,7 @@ describe('safety blocks', () => {
     assert.equal(d.blockedExtensions[0].source, 'safety')
   })
 
-  it('safety block on concrete web_search blocks the web_search family', () => {
+  it('safety block on concrete web_search blocks the requested extension', () => {
     const d = resolveSessionToolPolicy(['web_search'], {
       safetyBlockedTools: ['web_search'],
     })
@@ -186,7 +193,7 @@ describe('safety blocks', () => {
     assert.equal(d.blockedExtensions[0].source, 'safety')
   })
 
-  it('safety block on delegate_to_claude_code blocks claude_code', () => {
+  it('safety block on delegate_to_claude_code blocks the requested extension', () => {
     const d = resolveSessionToolPolicy(['claude_code'], {
       safetyBlockedTools: ['delegate_to_claude_code'],
     })
@@ -416,17 +423,17 @@ describe('compound scenarios', () => {
     assert.match(tasksBlock.reason, /task management is disabled/)
   })
 
-  it('20 tools requested: correctly partitioned into enabled vs blocked', () => {
+  it('19 tools requested: correctly partitioned into enabled vs blocked', () => {
     const tools = [
       'shell', 'files', 'web', 'web_search', 'web_fetch', 'browser',
       'memory', 'delegate', 'manage_platform', 'manage_tasks',
-      'manage_schedules', 'wallet', 'delete_file', 'canvas',
+      'manage_schedules', 'wallet', 'delete_file',
       'manage_connectors', 'git', 'sandbox', 'claude_code',
       'monitor', 'http_request',
     ]
     const d = resolveSessionToolPolicy(tools, { capabilityPolicyMode: 'strict' })
-    assert.equal(d.requestedExtensions.length, 20)
-    assert.equal(d.enabledExtensions.length + d.blockedExtensions.length, 20)
+    assert.equal(d.requestedExtensions.length, 19)
+    assert.equal(d.enabledExtensions.length + d.blockedExtensions.length, 19)
 
     // memory, web, web_search, web_fetch should be enabled
     assert.ok(d.enabledExtensions.includes('memory'))

package/src/lib/server/tool-capability-policy.test.ts

@@ -20,11 +20,12 @@ test('capability policy balanced mode blocks destructive delete_file', () => {
 
 test('capability policy strict mode blocks execution/platform families', () => {
   const decision = resolveSessionToolPolicy(
-    ['shell', 'manage_tasks', 'web_search', 'memory'],
+    ['shell', 'execute', 'manage_tasks', 'web_search', 'memory'],
     { capabilityPolicyMode: 'strict' },
   )
   assert.deepEqual(decision.enabledExtensions, ['web_search', 'memory'])
   assert.equal(decision.blockedExtensions.some((entry) => entry.tool === 'shell'), true)
+  assert.equal(decision.blockedExtensions.some((entry) => entry.tool === 'execute'), true)
   assert.equal(decision.blockedExtensions.some((entry) => entry.tool === 'manage_tasks'), true)
 })
 

package/src/lib/server/tool-capability-policy.ts

@@ -1,5 +1,6 @@
 import type { AppSettings } from '@/types'
 import { dedup } from '@/lib/shared-utils'
+import { canonicalizeExtensionId } from './tool-aliases'
 
 export type CapabilityPolicyMode = 'permissive' | 'balanced' | 'strict'
 
@@ -37,6 +38,7 @@ interface ToolDescriptor {
 
 const TOOL_DESCRIPTORS: Record<string, ToolDescriptor> = {
   shell: { categories: ['execution'], concreteTools: ['shell', 'execute_command'] },
+  execute: { categories: ['execution'], concreteTools: ['execute'] },
   process: { categories: ['execution'], concreteTools: ['process', 'process_tool'] },
   files: { categories: ['filesystem'], concreteTools: ['files', 'read_file', 'write_file', 'list_files', 'send_file'] },
   read_file: { categories: ['filesystem'], concreteTools: ['read_file'] },
@@ -57,10 +59,7 @@ const TOOL_DESCRIPTORS: Record<string, ToolDescriptor> = {
   opencode_cli: { categories: ['delegation', 'execution'], concreteTools: ['delegate_to_opencode_cli'] },
   gemini_cli: { categories: ['delegation', 'execution'], concreteTools: ['delegate_to_gemini_cli'] },
   memory: { categories: ['memory'], concreteTools: ['memory', 'memory_tool', 'memory_search', 'memory_get', 'memory_store', 'memory_update', 'context_status', 'context_summarize'] },
-  // sandbox_exec/sandbox_list_runtimes routed through shell; git uses shell
   // http_request consolidated into web 'api' action — no separate descriptor
-  canvas: { categories: ['filesystem'], concreteTools: ['canvas'] },
-  wallet: { categories: ['outbound'], concreteTools: ['wallet', 'wallet_tool'] },
   monitor: { categories: ['execution'], concreteTools: ['monitor', 'monitor_tool'] },
   openclaw_workspace: { categories: ['filesystem', 'platform'], concreteTools: ['openclaw_workspace'] },
   openclaw_nodes: { categories: ['platform'], concreteTools: ['openclaw_nodes'] },
@@ -118,6 +117,55 @@ function normalizeList(value: unknown): string[] {
   return dedup(names)
 }
 
+function getDescriptor(toolName: string): ToolDescriptor | undefined {
+  const normalized = normalizeName(toolName)
+  if (!normalized) return undefined
+  return TOOL_DESCRIPTORS[normalized] || TOOL_DESCRIPTORS[normalizeName(canonicalizeExtensionId(normalized))]
+}
+
+function addComparableName(names: Set<string>, value: string | null | undefined): void {
+  const normalized = normalizeName(value)
+  if (!normalized) return
+  names.add(normalized)
+  const canonical = normalizeName(canonicalizeExtensionId(normalized))
+  if (canonical) names.add(canonical)
+  for (const mappedTool of CONCRETE_TOOL_TO_SESSION_TOOLS.get(normalized) || []) {
+    names.add(mappedTool)
+  }
+}
+
+function collectRequestedExtensionNames(toolName: string, descriptor?: ToolDescriptor): string[] {
+  const names = new Set<string>()
+  addComparableName(names, toolName)
+  for (const concreteName of descriptor?.concreteTools || []) {
+    addComparableName(names, concreteName)
+  }
+  return Array.from(names)
+}
+
+function entryMatchesSessionTool(entry: string, sessionTool: string): boolean {
+  const normalizedEntry = normalizeName(entry)
+  const normalizedTool = normalizeName(sessionTool)
+  if (!normalizedEntry || !normalizedTool) return false
+  if (normalizedEntry === normalizedTool) return true
+  if (!CONCRETE_TOOL_TO_SESSION_TOOLS.has(normalizedEntry)) {
+    return normalizeName(canonicalizeExtensionId(normalizedEntry)) === normalizedTool
+  }
+  return false
+}
+
+function matchesConcreteToolSetting(configuredNames: Set<string>, concreteToolName: string): boolean {
+  const normalizedName = normalizeName(concreteToolName)
+  if (!normalizedName || configuredNames.size === 0) return false
+  if (configuredNames.has(normalizedName)) return true
+  for (const sessionTool of CONCRETE_TOOL_TO_SESSION_TOOLS.get(normalizedName) || []) {
+    for (const entry of configuredNames) {
+      if (entryMatchesSessionTool(entry, sessionTool)) return true
+    }
+  }
+  return false
+}
+
 function getSettingsList(settings: Record<string, unknown>, key: string): string[] {
   return normalizeList(settings[key])
 }
@@ -138,29 +186,11 @@ function modeBlocksTool(mode: CapabilityPolicyMode, toolName: string, descriptor
 }
 
 function safetyMatchesTool(safetyBlocked: Set<string>, toolName: string, descriptor?: ToolDescriptor): boolean {
-  if (safetyBlocked.has(toolName)) return true
-  if (!descriptor) return false
-  for (const concreteName of descriptor.concreteTools) {
-    if (safetyBlocked.has(concreteName)) return true
-  }
-  if (toolName === 'memory' && safetyBlocked.has('memory_tool')) return true
-  if (toolName === 'manage_connectors' && safetyBlocked.has('connector_message_tool')) return true
-  if (toolName === 'manage_sessions' && (
-    safetyBlocked.has('sessions_tool')
-    || safetyBlocked.has('search_history_tool')
-    || safetyBlocked.has('whoami_tool')
-  )) return true
-  if (toolName === 'claude_code' && safetyBlocked.has('delegate_to_claude_code')) return true
-  if (toolName === 'codex_cli' && safetyBlocked.has('delegate_to_codex_cli')) return true
-  if (toolName === 'opencode_cli' && safetyBlocked.has('delegate_to_opencode_cli')) return true
-  if (toolName === 'gemini_cli' && safetyBlocked.has('delegate_to_gemini_cli')) return true
-  return false
+  return collectRequestedExtensionNames(toolName, descriptor).some((name) => safetyBlocked.has(name))
 }
 
 function policyMatchesTool(blockedNames: Set<string>, toolName: string, descriptor?: ToolDescriptor): boolean {
-  if (blockedNames.has(toolName)) return true
-  if (!descriptor) return false
-  return descriptor.concreteTools.some((concreteName) => blockedNames.has(concreteName))
+  return collectRequestedExtensionNames(toolName, descriptor).some((name) => blockedNames.has(name))
 }
 
 function categoryBlockReason(blockedCategories: Set<string>, descriptor?: ToolDescriptor): string | null {
@@ -232,7 +262,7 @@ export function resolveSessionToolPolicy(
   const blockedExtensions: CapabilityPolicyBlock[] = []
 
   for (const extensionName of requestedExtensions) {
-    const descriptor = TOOL_DESCRIPTORS[extensionName]
+    const descriptor = getDescriptor(extensionName)
     const settingsReason = settingsBlockReason(extensionName, normalizedSettings)
 
     if (settingsReason) {
@@ -296,24 +326,19 @@ export function resolveConcreteToolPolicyBlock(
 
   if (settingsReason) return settingsReason
 
-  if (safetyBlocked.has(name)) return 'blocked by safety policy'
-
   const mappedTools = CONCRETE_TOOL_TO_SESSION_TOOLS.get(name) || []
-  const safetyBlockedFamily = mappedTools.find((tool) => safetyBlocked.has(tool))
-  if (safetyBlockedFamily) return `blocked because "${safetyBlockedFamily}" is safety-blocked`
-
-  if (policyBlockedNames.has(name)) return 'blocked by explicit policy rule'
-  const policyBlockedFamily = mappedTools.find((tool) => policyBlockedNames.has(tool) && !policyAllowedNames.has(tool))
-  if (policyBlockedFamily) {
-    return `blocked because "${policyBlockedFamily}" is policy-blocked`
+  if (matchesConcreteToolSetting(safetyBlocked, name)) return 'blocked by safety policy'
+  const explicitlyAllowed = matchesConcreteToolSetting(policyAllowedNames, name)
+  if (matchesConcreteToolSetting(policyBlockedNames, name) && !explicitlyAllowed) {
+    return 'blocked by explicit policy rule'
   }
 
   if (mappedTools.length > 0) {
-    const enabledRoot = mappedTools.find((tool) => decision.enabledExtensions.includes(tool))
+    const enabledRoot = mappedTools.find((tool) => decision.enabledExtensions.some((entry) => entryMatchesSessionTool(entry, tool)))
     if (enabledRoot) return null
 
     const blockedRoot = mappedTools
-      .map((tool) => decision.blockedExtensions.find((entry) => entry.tool === tool))
+      .map((tool) => decision.blockedExtensions.find((entry) => entryMatchesSessionTool(entry.tool, tool)))
       .find(Boolean)
     if (blockedRoot) return blockedRoot.reason
 

package/src/lib/server/tool-planning.ts

@@ -13,8 +13,6 @@ export const TOOL_CAPABILITY = {
   deliveryMessage: 'delivery.message',
   deliveryMedia: 'delivery.media',
   deliveryVoiceNote: 'delivery.voice_note',
-  walletInspect: 'wallet.inspect',
-  walletExecute: 'wallet.execute',
 } as const
 
 export interface ToolPlanningEntry {
@@ -58,6 +56,17 @@ const CORE_TOOL_PLANNING: Record<string, LegacyToolPlanningEntry[]> = {
       requestMatchers: [],
     },
   ],
+  execute: [
+    {
+      toolName: 'execute',
+      capabilities: ['runtime.execute'],
+      disciplineGuidance: [
+        'For `execute`, pass the full bash script in `{"code":"..."}`. Use it for sandboxed command execution, curl-based fetches, and one-shot scripts.',
+        'Use `persistent=true` only when the agent is explicitly configured for host execution. Otherwise use `files` for persistent writes.',
+      ],
+      requestMatchers: [],
+    },
+  ],
   web: [
     {
       toolName: 'web_search',
@@ -362,16 +371,6 @@ const CORE_TOOL_PLANNING: Record<string, LegacyToolPlanningEntry[]> = {
       requestMatchers: [],
     },
   ],
-  wallet: [
-    {
-      toolName: 'wallet_tool',
-      capabilities: [TOOL_CAPABILITY.walletInspect, TOOL_CAPABILITY.walletExecute],
-      disciplineGuidance: [
-        'Inspect wallet state once, then act. Use `simulate_transaction` to validate before executing. Do not re-inspect balances between each operation unless the operation changes them.',
-      ],
-      requestMatchers: [],
-    },
-  ],
   image_gen: [
     {
       toolName: 'generate_image',

package/src/lib/server/universal-tool-access.ts

@@ -22,7 +22,6 @@ const UNIVERSAL_CORE_EXTENSION_IDS = [
   'manage_secrets',
   'manage_chatrooms',
   'spawn_subagent',
-  'canvas',
   'http_request',
   'wallet',
   'monitor',

package/src/lib/server/wallets/wallet-crypto.ts

@@ -0,0 +1,33 @@
+import { encryptKey, decryptKey } from '@/lib/server/storage'
+
+/**
+ * Generate a new Ethereum wallet (Base L2 compatible) with an encrypted private key.
+ * Uses ethers v6 for keypair generation and the existing AES-256-GCM encryption
+ * from storage.ts (CREDENTIAL_SECRET env var).
+ */
+export async function generateEthereumWallet(): Promise<{ address: string; encryptedPrivateKey: string }> {
+  const { Wallet } = await import('ethers')
+  const wallet = Wallet.createRandom()
+  const encryptedPrivateKey = encryptKey(wallet.privateKey)
+  return {
+    address: wallet.address,
+    encryptedPrivateKey,
+  }
+}
+
+export async function normalizeEthereumAddress(address: string): Promise<string | null> {
+  const { getAddress } = await import('ethers')
+  try {
+    return getAddress(address.trim())
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Decrypt a wallet's private key for server-side use only.
+ * Never expose the result to API responses or the frontend.
+ */
+export function decryptWalletPrivateKey(encrypted: string): string {
+  return decryptKey(encrypted)
+}

package/src/lib/server/wallets/wallet-repository.ts

@@ -0,0 +1,24 @@
+import {
+  loadWallets as loadWalletsStore,
+  saveWallets as saveWalletsStore,
+  loadWallet as loadWalletItem,
+  upsertWallet,
+  deleteWalletItem,
+} from '@/lib/server/storage'
+import type { AgentWallet } from '@/types/swarmdock'
+
+export function loadWallets(): Record<string, AgentWallet> {
+  return loadWalletsStore() as Record<string, AgentWallet>
+}
+
+export function loadWallet(id: string): AgentWallet | null {
+  return loadWalletItem(id) as AgentWallet | null
+}
+
+export function saveWallet(id: string, wallet: AgentWallet): void {
+  upsertWallet(id, wallet)
+}
+
+export function deleteWallet(id: string): void {
+  deleteWalletItem(id)
+}