@swarmclawai/swarmclaw 1.3.6 → 1.4.2

package/README.md

@@ -200,61 +200,22 @@ SwarmClaw agents can register on [SwarmDock](https://swarmdock.ai) — a peer-to
 
 Read the full setup guide in [`SWARMDOCK.md`](./SWARMDOCK.md), browse the public docs at [swarmclaw.ai/docs/swarmdock](https://swarmclaw.ai/docs/swarmdock), and visit [swarmdock.ai](https://swarmdock.ai) for the marketplace itself.
 
----
-
-## Release Notes
-
-### v1.3.6 Highlights
-
-- **Knowledge hygiene visibility fix**: exact-duplicate archival now only applies when sources share the same visibility and origin fingerprint. Same-content global and agent-scoped sources no longer collapse into a single archived record, so global knowledge stays available to unrelated agents.
-- **Release gate hardening**: the default test matrix now includes the 1.3.5 grounding/knowledge/runtime suites, and both CI and tag releases run `npm test`, `npm run type-check`, and `npm run build:ci` before publishing.
-
-### v1.3.5 Highlights
-
-- **Knowledge grounding & citations**: agent responses are now grounded against knowledge sources at retrieval time. Citations — with scores, snippets, and match rationale — are persisted on chat messages, protocol events, and run records for full auditability.
-- **Knowledge source lifecycle**: new source management system with create, sync, archive, restore, supersede, and delete operations. Sources can be manual text, files (30+ formats including code, markup, PDF), or URLs (HTML auto-parsed).
-- **Hygiene automation**: background scanner detects stale, duplicate, overlapping, and broken knowledge sources. Auto-syncs stale file/URL sources and archives exact duplicates on idle.
-- **Redesigned Knowledge page**: detail-focused layout with sidebar list, full source inspector (metadata, chunks, sync status), and inline actions. Search/browse toggle, tag filtering, and archive visibility controls.
-- **Grounding panel**: new reusable citation display component shown on chat messages, protocol artifacts, and run results — surfaces retrieval query, hit scores, snippets, and source links.
-- **7 new API endpoints**: `/knowledge/hygiene` (GET/POST), `/knowledge/sources/:id/archive`, `/restore`, `/supersede`, `/sync` for full source lifecycle management via CLI and API.
-- **Protocol citation propagation**: structured protocol runs now capture and persist citations on participant responses and emitted artifacts.
-- **Dreaming (idle-time memory consolidation)**: agents now consolidate and optimize memories during idle periods. Two-tier system: server-side deterministic operations (decay, prune, promote, dedup) plus agent-driven LLM reflection that surfaces patterns and produces consolidated insights.
-- **Per-agent dream configuration**: dreaming is opt-in per agent with configurable cooldown, decay age, prune threshold, and Tier 2 reflection controls.
-- **Dream cycle audit trail**: every dream cycle is tracked with status, trigger, duration, and detailed results. Viewable in the memory UI and via CLI.
-- **3 new API endpoints**: `/memory/dream` (GET/POST), `/memory/dream/:id` for dream cycle management.
-
-### v1.3.4 Highlights
-
-- **Bug fix — custom provider loading under Turbopack (#32)**: converted all CommonJS `require()` calls across the codebase to ES module imports, fixing "Unknown provider: custom-\<id\>" errors and other potential Turbopack compatibility issues. Affected modules: providers, provider health, subagent swarm, prompt builder, chat finalization, CLI utils, and OpenClaw connectors. Thanks to @psywolf85 for the initial fix.
-
-### v1.3.3 Highlights
-
-- **Bug fix — stale connector status after auto-restart (#31)**: connectors that auto-restart via the daemon health monitor now show "Starting" instead of a stale "Stopped" or "Error" status in the UI until the daemon reports runtime state. Added `starting` to the `ConnectorStatus` type and updated both the connector list and detail views.
-- **Bug fix — stale credentialId after credential rotation (#30)**: when a provider credential is deleted and re-created, connector sessions now fall back to resolving any valid credential for the same provider instead of failing with "Missing credentials."
-
-### v1.3.2 Highlights
-
-- **Custom provider fix for standalone builds**: fixed `require('@/lib/server/storage')` path alias resolution failure that caused custom providers to silently break in standalone/npm-global installs with "a is not a function" errors. All dynamic requires now use relative paths that resolve correctly at runtime.
-- **GitHub Copilot CLI provider**: new CLI provider wrapping the `copilot` binary with JSONL streaming, session continuity, system prompt injection, and multi-model support (Claude, GPT, Gemini via GitHub Copilot subscription).
+## SwarmFeed Social Network
 
-### v1.3.1 Highlights
+SwarmClaw agents can join [SwarmFeed](https://swarmfeed.ai) — a social network for AI agents. Agents can post content, follow each other, react to posts, join topic channels, and discover trending conversations.
 
-- **SwarmDock SDK v0.2.3**: upgraded marketplace integration with typed error handling, escrow state tracking, task invitation support for private tasks, and required example prompts for skill registration.
-- **SDK error resilience**: registration now gracefully handles already-registered agents by falling back to authentication; heartbeat catches expired tokens and re-authenticates automatically.
-- **Escrow event tracking**: new `escrow.releasing`, `escrow.refunding`, `escrow.release_failed`, and `escrow.refund_failed` SSE events are logged as activity entries, with failure events surfaced as incidents.
-- **Private task invitations**: when a SwarmDock task invites this agent directly, auto-discovery now evaluates it alongside public `task.created` events.
-- **SDK type imports**: replaced inlined SwarmDock type stubs with proper imports from `@swarmdock/shared`, eliminating type drift.
+- **Native sidebar integration**: browse feeds, compose posts, and engage directly from the SwarmClaw dashboard
+- **Per-agent opt-in**: enable SwarmFeed on any agent with automatic Ed25519 registration
+- **Heartbeat integration**: agents can auto-post, auto-reply to mentions, and auto-follow during heartbeat cycles
+- **Multiple access methods**: [SDK](https://www.npmjs.com/package/@swarmfeed/sdk), [CLI](https://www.npmjs.com/package/@swarmfeed/cli), [MCP Server](https://www.npmjs.com/package/@swarmfeed/mcp-server), and [ClawHub skill](https://clawhub.ai/skills/swarmfeed)
 
-### v1.3.0 Highlights
+Read the docs at [swarmclaw.ai/docs/swarmfeed](https://swarmclaw.ai/docs/swarmfeed) and visit [swarmfeed.ai](https://swarmfeed.ai) for the platform itself.
 
-- **SwarmDock SDK v0.2.0**: upgraded marketplace integration to handle the new task lifecycle — `review` and `disputed` states are now tracked on board tasks, skill registration supports `inputModes`/`outputModes`, task submission accepts `notes`, and connector config supports `paymentPrivateKey` for on-chain payment signing.
-- **Comprehensive audit logging**: activity log now covers approval decisions, settings changes, budget modifications, and credential operations, with SQL-indexed paginated queries replacing the in-memory full-collection scan.
-- **Push-based cost rollups**: agent spend fields (`spentHourlyCents`, `spentDailyCents`, `spentMonthlyCents`) update atomically on every usage event, with automatic budget warning/exceeded activity entries and window reset detection — replacing the pull-based full-scan approach.
-- **Goal hierarchy**: new goals system with organization → team → project → agent → task levels, parent-child chains, and automatic injection of the "why chain" into agent execution briefs. Full CRUD API and CLI support.
-- **Extended approval workflows**: new `agent_create`, `budget_change`, and `delegation_enable` approval categories with configurable policies in settings. When enabled, agent creation returns a pending approval instead of creating the agent directly.
-- **Shared validation schemas**: Zod schemas in `src/lib/validation/schemas.ts` are now safe for client-side import (server-only DAG validation moved to `server-schemas.ts`), enabling form-level pre-validation.
+## Releases
 
-*For older release notes (v1.2.x and earlier), see [swarmclaw.ai/docs/release-notes](https://swarmclaw.ai/docs/release-notes).*
+- GitHub releases: https://github.com/swarmclawai/swarmclaw/releases
+- npm package: https://www.npmjs.com/package/@swarmclawai/swarmclaw
+- Historical release notes: https://swarmclaw.ai/docs/release-notes
 
 
 ## What SwarmClaw Focuses On
@@ -310,6 +271,7 @@ Running `swarmclaw` starts the server on `http://localhost:3456`.
 ```bash
 git clone https://github.com/swarmclawai/swarmclaw.git
 cd swarmclaw
+nvm use
 npm run quickstart
 ```
 
@@ -347,12 +309,12 @@ Then open `http://localhost:3456`.
 - **Structured Sessions**: reusable bounded runs with templates, facilitators, participants, hidden live rooms, chatroom `/breakout`, durable transcripts, outputs, and operator controls.
 - **Memory**: hybrid recall, graph traversal, journaling, durable documents, project-scoped context, automatic reflection memory, communication preferences, profile and boundary memory, significant events, and open follow-up loops.
 - **Wallets**: linked Base wallet generation, address management, approval-oriented limits, and agent payout identity.
-- **Connectors**: Discord, Slack, Telegram, WhatsApp, Teams, Matrix, OpenClaw, SwarmDock, and more.
+- **Connectors**: Discord, Slack, Telegram, WhatsApp, Teams, Matrix, OpenClaw, SwarmDock, SwarmFeed, and more.
 - **Extensions**: external tool extensions, UI modules, hooks, and install/update flows.
 
 ## Requirements
 
-- Node.js 22.6+
+- Node.js 22.6+ (`nvm use` will pick up the repo's `.nvmrc`, which matches CI)
 - npm 10+ or another supported package manager
 - Docker Desktop is recommended for sandbox browser execution
 - Optional provider CLIs if you want delegated CLI backends such as Claude Code, Codex, OpenCode, or Gemini
@@ -372,5 +334,7 @@ Then open `http://localhost:3456`.
 - Connectors: https://swarmclaw.ai/docs/connectors
 - SwarmDock: https://swarmclaw.ai/docs/swarmdock
 - SwarmDock marketplace: https://swarmdock.ai
+- SwarmFeed: https://swarmclaw.ai/docs/swarmfeed
+- SwarmFeed platform: https://swarmfeed.ai
 - Extensions: https://swarmclaw.ai/docs/extensions
 - CLI reference: https://swarmclaw.ai/docs/cli

package/next.config.ts

@@ -6,6 +6,10 @@ import path from "path";
 import { fileURLToPath } from "url";
 
 const PROJECT_ROOT = path.dirname(fileURLToPath(import.meta.url))
+const RUNTIME_STATE_GLOBS = [
+  'data/**/*',
+  '.tmp-swarmclaw-build/**/*',
+]
 
 function getGitSha(): string {
   try {
@@ -46,10 +50,11 @@ function getAllowedDevOrigins(): string[] {
 const nextConfig: NextConfig = {
   output: 'standalone',
   outputFileTracingExcludes: {
-    '/api/**': ['data/browser-profiles/**/*', 'data/browser-profiles-regression/**/*'],
-    instrumentation: ['data/browser-profiles/**/*', 'data/browser-profiles-regression/**/*'],
-    '/instrumentation': ['data/browser-profiles/**/*', 'data/browser-profiles-regression/**/*'],
-    'next-server': ['data/browser-profiles/**/*', 'data/browser-profiles-regression/**/*'],
+    '/*': RUNTIME_STATE_GLOBS,
+    '/api/**': RUNTIME_STATE_GLOBS,
+    instrumentation: RUNTIME_STATE_GLOBS,
+    '/instrumentation': RUNTIME_STATE_GLOBS,
+    'next-server': RUNTIME_STATE_GLOBS,
   },
   turbopack: {
     // Pin workspace root to the project directory so a stale lockfile

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.3.6",
+  "version": "1.4.2",
   "description": "Self-hosted AI runtime for OpenClaw, delegation, autonomy, runtime skills, crypto wallets, and chat platform connectors.",
   "license": "MIT",
   "publishConfig": {
@@ -38,6 +38,9 @@
     "scripts/easy-update.mjs",
     "scripts/ensure-sandbox-browser-image.mjs",
     "scripts/postinstall.mjs",
+    "scripts/build-bootstrap-env.mjs",
+    "scripts/run-next-build.mjs",
+    "scripts/run-next-typegen.mjs",
     "scripts/sandbox-browser-entrypoint.sh",
     "next.config.ts",
     "tsconfig.json",
@@ -52,27 +55,27 @@
     "dev": "next dev --turbopack --hostname 0.0.0.0 -p 3456",
     "dev:webpack": "next dev --webpack --hostname 0.0.0.0 -p 3456",
     "dev:clean": "rm -rf .next && next dev --turbopack --hostname 0.0.0.0 -p 3456",
-    "build": "next build --webpack",
-    "build:ci": "NEXT_DISABLE_ESLINT=1 next build --webpack",
+    "typegen": "node ./scripts/run-next-typegen.mjs",
+    "build": "node ./scripts/run-next-build.mjs",
+    "build:ci": "NEXT_DISABLE_ESLINT=1 node ./scripts/run-next-build.mjs",
     "start": "node .next/standalone/server.js",
     "start:standalone": "node .next/standalone/server.js",
-    "smoke:browser": "node ./scripts/browser-route-smoke.mjs",
-    "smoke:browser:workbench": "node ./scripts/browser-workbench-smoke.mjs",
     "sandbox:build:browser": "docker build -f Dockerfile.sandbox-browser -t swarmclaw-sandbox-browser:bookworm-slim .",
     "benchmark:autonomy": "node ./scripts/benchmark-autonomy-harness.mjs",
     "benchmark:agent-regression": "node --import tsx ./scripts/run-agent-regression-suite.ts",
-    "type-check": "tsc --noEmit",
-    "test": "npm run test:cli && npm run test:setup && npm run test:openclaw && npm run test:runtime",
+    "type-check": "npm run typegen && tsc --noEmit --incremental false",
+    "test": "npm run test:cli && npm run test:setup && npm run test:openclaw && npm run test:runtime && npm run test:builder",
     "format": "eslint --fix",
     "lint": "eslint",
     "lint:fix": "eslint --fix",
     "lint:baseline": "node ./scripts/lint-baseline.mjs check",
     "lint:baseline:update": "node ./scripts/lint-baseline.mjs update",
     "cli": "node ./bin/swarmclaw.js",
-    "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs",
+    "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs scripts/run-next-build.test.mjs scripts/run-next-typegen.test.mjs",
     "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts src/lib/setup-defaults.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/providers/openclaw-exports.test.ts src/app/api/openclaw/dashboard-url/route.test.ts",
-    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts",
+    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
+    "test:builder": "tsx --test src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts",
     "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",
     "prepack": "npm run build:ci",
@@ -88,7 +91,7 @@
     "@multiavatar/multiavatar": "^1.0.7",
     "@playwright/mcp": "^0.0.68",
     "@slack/bolt": "^4.6.0",
-    "@swarmdock/sdk": "^0.2.3",
+    "@swarmdock/sdk": "^0.4.1",
     "@tailwindcss/postcss": "^4",
     "@tanstack/react-query": "^5.91.0",
     "@types/better-sqlite3": "^7.6.13",
@@ -100,6 +103,8 @@
     "@types/react-dom": "^19",
     "@types/ws": "^8.18.1",
     "@whiskeysockets/baileys": "^7.0.0-rc.9",
+    "@xyflow/react": "^12.10.2",
+    "@xyflow/system": "^0.0.76",
     "better-sqlite3": "^12.6.2",
     "bs58": "^5.0.0",
     "cheerio": "^1.2.0",
@@ -108,12 +113,14 @@
     "commander": "^13.1.0",
     "cron-parser": "^5.5.0",
     "cronstrue": "^3.12.0",
+    "dagre": "^0.8.5",
     "discord.js": "^14.25.1",
     "ethers": "^6.16.0",
     "exceljs": "^4.4.0",
     "grammy": "^1.40.0",
     "highlight.js": "^11.11.1",
     "imapflow": "^1.2.11",
+    "isomorphic-dompurify": "^3.7.1",
     "just-bash": "^2.14.0",
     "langchain": "^1.2.30",
     "lucide-react": "^0.574.0",
@@ -146,6 +153,7 @@
     "zustand": "^5.0.11"
   },
   "devDependencies": {
+    "@types/dagre": "^0.7.54",
     "eslint": "^9",
     "eslint-config-next": "16.1.7"
   },

package/scripts/build-bootstrap-env.mjs

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+
+import fs from 'node:fs'
+import path from 'node:path'
+
+export const BUILD_BOOTSTRAP_ROOT_NAME = '.tmp-swarmclaw-build'
+
+export function resolveBuildBootstrapPaths(cwd = process.cwd()) {
+  const rootDir = path.join(cwd, BUILD_BOOTSTRAP_ROOT_NAME)
+  return {
+    rootDir,
+    dataDir: path.join(rootDir, 'data'),
+    workspaceDir: path.join(rootDir, 'workspace'),
+    browserProfilesDir: path.join(rootDir, 'browser-profiles'),
+  }
+}
+
+export function ensureBuildBootstrapPaths(cwd = process.cwd()) {
+  const paths = resolveBuildBootstrapPaths(cwd)
+  for (const dir of [paths.rootDir, paths.dataDir, paths.workspaceDir, paths.browserProfilesDir]) {
+    fs.mkdirSync(dir, { recursive: true })
+  }
+  return paths
+}

package/scripts/run-next-build.mjs

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process'
+import { createRequire } from 'node:module'
+import { pathToFileURL } from 'node:url'
+
+import { ensureBuildBootstrapPaths } from './build-bootstrap-env.mjs'
+
+const require = createRequire(import.meta.url)
+
+export const DEFAULT_MAX_OLD_SPACE_SIZE_MB = '8192'
+export const TRACE_COPY_WARNING = 'Failed to copy traced files'
+
+export function mergeNodeOptions(nodeOptions = '', maxOldSpaceSizeMb = DEFAULT_MAX_OLD_SPACE_SIZE_MB) {
+  const trimmed = nodeOptions.trim()
+  if (/(^|\s)--max-old-space-size(?:=|\s|$)/.test(trimmed)) return trimmed
+  return trimmed
+    ? `${trimmed} --max-old-space-size=${maxOldSpaceSizeMb}`
+    : `--max-old-space-size=${maxOldSpaceSizeMb}`
+}
+
+export function buildNextBuildEnv(
+  env = process.env,
+  maxOldSpaceSizeMb = DEFAULT_MAX_OLD_SPACE_SIZE_MB,
+  cwd = process.cwd(),
+) {
+  const bootstrapPaths = ensureBuildBootstrapPaths(cwd)
+  return {
+    ...env,
+    DATA_DIR: bootstrapPaths.dataDir,
+    WORKSPACE_DIR: bootstrapPaths.workspaceDir,
+    BROWSER_PROFILES_DIR: bootstrapPaths.browserProfilesDir,
+    NODE_OPTIONS: mergeNodeOptions(env.NODE_OPTIONS || '', maxOldSpaceSizeMb),
+    SWARMCLAW_BUILD_MODE: env.SWARMCLAW_BUILD_MODE || '1',
+  }
+}
+
+export function hasTraceCopyWarning(output = '') {
+  return output.includes(TRACE_COPY_WARNING)
+}
+
+export function runNextBuild(args = process.argv.slice(2), env = process.env, cwd = process.cwd()) {
+  const nextBin = require.resolve('next/dist/bin/next')
+  return spawnSync(process.execPath, [nextBin, 'build', '--webpack', ...args], {
+    stdio: 'pipe',
+    encoding: 'utf-8',
+    env: buildNextBuildEnv(env, DEFAULT_MAX_OLD_SPACE_SIZE_MB, cwd),
+    cwd,
+  })
+}
+
+function main() {
+  const result = runNextBuild()
+  if (result.stdout) process.stdout.write(result.stdout)
+  if (result.stderr) process.stderr.write(result.stderr)
+  if (result.error) throw result.error
+  const combinedOutput = `${result.stdout || ''}\n${result.stderr || ''}`
+  if ((result.status ?? 1) === 0 && hasTraceCopyWarning(combinedOutput)) {
+    console.error('Build emitted standalone trace copy warnings; failing to keep CI deterministic.')
+    process.exit(1)
+  }
+  if (typeof result.status === 'number') {
+    process.exit(result.status)
+  }
+  if (result.signal) {
+    process.kill(process.pid, result.signal)
+    return
+  }
+  process.exit(1)
+}
+
+if (process.argv[1] && pathToFileURL(process.argv[1]).href === import.meta.url) {
+  main()
+}

package/scripts/run-next-typegen.mjs

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+
+import fs from 'node:fs'
+import path from 'node:path'
+import { spawnSync } from 'node:child_process'
+import { createRequire } from 'node:module'
+import { pathToFileURL } from 'node:url'
+
+import { ensureBuildBootstrapPaths } from './build-bootstrap-env.mjs'
+
+const require = createRequire(import.meta.url)
+
+export const TYPEGEN_ARTIFACT_PATHS = [
+  '.next/types',
+  '.next/dev/types',
+  'tsconfig.tsbuildinfo',
+]
+
+export function cleanupTypegenArtifacts(cwd = process.cwd()) {
+  for (const relativePath of TYPEGEN_ARTIFACT_PATHS) {
+    fs.rmSync(path.join(cwd, relativePath), { recursive: true, force: true })
+  }
+}
+
+export function buildNextTypegenEnv(env = process.env, cwd = process.cwd()) {
+  const bootstrapPaths = ensureBuildBootstrapPaths(cwd)
+  return {
+    ...env,
+    DATA_DIR: bootstrapPaths.dataDir,
+    WORKSPACE_DIR: bootstrapPaths.workspaceDir,
+    BROWSER_PROFILES_DIR: bootstrapPaths.browserProfilesDir,
+    SWARMCLAW_BUILD_MODE: env.SWARMCLAW_BUILD_MODE || '1',
+  }
+}
+
+export function runNextTypegen(args = process.argv.slice(2), env = process.env, cwd = process.cwd()) {
+  cleanupTypegenArtifacts(cwd)
+  const nextBin = require.resolve('next/dist/bin/next')
+  return spawnSync(process.execPath, [nextBin, 'typegen', ...args], {
+    stdio: 'inherit',
+    env: buildNextTypegenEnv(env, cwd),
+    cwd,
+  })
+}
+
+function main() {
+  const result = runNextTypegen()
+  if (result.error) throw result.error
+  if (typeof result.status === 'number') {
+    process.exit(result.status)
+  }
+  if (result.signal) {
+    process.kill(process.pid, result.signal)
+    return
+  }
+  process.exit(1)
+}
+
+if (process.argv[1] && pathToFileURL(process.argv[1]).href === import.meta.url) {
+  main()
+}

package/src/app/api/.well-known/agent-card/route.ts

@@ -0,0 +1,46 @@
+import { NextResponse } from 'next/server'
+import { getAgent, listAgents } from '@/lib/server/agents/agent-repository'
+import { generateAgentCard } from '@/lib/a2a/agent-card'
+
+export const dynamic = 'force-dynamic'
+
+/**
+ * GET /.well-known/agent-card.json?agentId=xxx
+ *
+ * A2A Agent Card discovery endpoint.
+ * If agentId is provided, returns the full card for that agent.
+ * Otherwise, returns a directory of all non-disabled agents.
+ *
+ * Publicly accessible per A2A spec — no auth required for discovery.
+ */
+export async function GET(req: Request) {
+  const { searchParams } = new URL(req.url)
+  const agentId = searchParams.get('agentId')
+  const baseUrl = `${new URL(req.url).origin}`
+
+  if (agentId) {
+    const agent = getAgent(agentId)
+    if (!agent) {
+      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
+    }
+    if (agent.disabled) {
+      return NextResponse.json({ error: 'Agent is disabled' }, { status: 404 })
+    }
+    const card = generateAgentCard(agent, baseUrl)
+    return NextResponse.json(card)
+  }
+
+  // Return directory of all active agents
+  const agents = listAgents()
+  const directory = Object.values(agents)
+    .filter(a => !a.disabled)
+    .map(a => ({
+      name: a.name,
+      description: a.description || `SwarmClaw agent: ${a.name}`,
+      agentId: a.id,
+      apiEndpoint: `${baseUrl}/api/a2a`,
+      cardUrl: `${baseUrl}/api/.well-known/agent-card?agentId=${a.id}`,
+    }))
+
+  return NextResponse.json({ agents: directory, protocolVersion: '0.3.0' })
+}

package/src/app/api/a2a/route.ts

@@ -0,0 +1,56 @@
+import { NextResponse } from 'next/server'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
+import { validateA2ARequest, extractA2AHeaders } from '@/lib/a2a/auth'
+import { JsonRpcRequestSchema, JSON_RPC_ERRORS } from '@/lib/a2a/types'
+import type { A2AContext } from '@/lib/a2a/types'
+import { a2aRouter } from '@/lib/a2a/json-rpc-router'
+import { log } from '@/lib/server/logger'
+
+// Ensure handlers are registered
+import '@/lib/a2a/handlers'
+
+export const dynamic = 'force-dynamic'
+
+/**
+ * POST /api/a2a
+ *
+ * Main A2A JSON-RPC 2.0 endpoint.
+ * Accepts JSON-RPC requests and routes them to registered handlers.
+ */
+export async function POST(req: Request) {
+  // Authenticate
+  const auth = validateA2ARequest(req)
+  if (!auth.valid) {
+    return NextResponse.json({
+      jsonrpc: '2.0',
+      error: { code: JSON_RPC_ERRORS.AUTH_FAILED, message: auth.error ?? 'Authentication failed' },
+    }, { status: 401 })
+  }
+
+  // Parse body
+  const { data: body, error: parseError } = await safeParseBody(req)
+  if (parseError) return parseError
+
+  // Validate JSON-RPC envelope
+  const validation = JsonRpcRequestSchema.safeParse(body)
+  if (!validation.success) {
+    return NextResponse.json({
+      jsonrpc: '2.0',
+      error: { code: JSON_RPC_ERRORS.PARSE_ERROR, message: 'Invalid JSON-RPC request', data: validation.error.issues },
+    }, { status: 400 })
+  }
+
+  const rpcRequest = validation.data
+  const headers = extractA2AHeaders(req)
+
+  const context: A2AContext = {
+    agentId: headers.targetAgentId ?? '',
+    requesterId: headers.requesterAgentId ?? auth.agentId ?? 'unknown',
+    timestamp: new Date(),
+  }
+
+  log.info('a2a', `JSON-RPC ${rpcRequest.method}`, { agentId: context.agentId, requesterId: context.requesterId })
+
+  const response = await a2aRouter.route(rpcRequest, context)
+  return NextResponse.json(response)
+}

package/src/app/api/a2a/tasks/[taskId]/status/route.ts

@@ -0,0 +1,49 @@
+import { NextResponse } from 'next/server'
+import { validateA2ARequest } from '@/lib/a2a/auth'
+import { loadTask } from '@/lib/server/tasks/task-repository'
+import type { A2ATaskStatus } from '@/lib/a2a/types'
+import type { BoardTaskStatus } from '@/types/task'
+
+export const dynamic = 'force-dynamic'
+
+function mapTaskStatus(status: BoardTaskStatus): A2ATaskStatus {
+  switch (status) {
+    case 'queued': case 'backlog': return 'submitted'
+    case 'running': return 'working'
+    case 'completed': return 'completed'
+    case 'failed': return 'failed'
+    case 'cancelled': case 'archived': case 'deferred': return 'cancelled'
+    default: return 'submitted'
+  }
+}
+
+/**
+ * GET /api/a2a/tasks/:taskId/status
+ *
+ * Poll the status of an A2A task.
+ */
+export async function GET(
+  req: Request,
+  { params }: { params: Promise<{ taskId: string }> },
+) {
+  const auth = validateA2ARequest(req)
+  if (!auth.valid) {
+    return NextResponse.json({ error: auth.error }, { status: 401 })
+  }
+
+  const { taskId } = await params
+  const task = loadTask(taskId)
+
+  if (!task) {
+    return NextResponse.json({ error: 'Task not found' }, { status: 404 })
+  }
+
+  return NextResponse.json({
+    taskId: task.id,
+    status: mapTaskStatus(task.status),
+    title: task.title,
+    result: task.status === 'completed' ? (task.result ?? null) : null,
+    error: task.status === 'failed' ? (task.error ?? null) : null,
+    updatedAt: task.updatedAt,
+  })
+}

package/src/app/api/approvals/route.test.ts

@@ -47,7 +47,7 @@ test('GET and POST /api/approvals handle human-loop approvals only', () => {
       data: { question: 'Deploy now?' },
     })
 
-    const pendingBefore = await route.GET()
+    const pendingBefore = await route.GET(new Request('http://local/api/approvals'))
     const pendingBeforeJson = await pendingBefore.json()
 
     const approveResponse = await route.POST(new Request('http://local/api/approvals', {
@@ -57,7 +57,7 @@ test('GET and POST /api/approvals handle human-loop approvals only', () => {
     }))
     const approvePayload = await approveResponse.json()
 
-    const pendingAfter = await route.GET()
+    const pendingAfter = await route.GET(new Request('http://local/api/approvals'))
     const pendingAfterJson = await pendingAfter.json()
 
     const storedApproval = storage.loadApprovals()[humanApproval.id]
@@ -102,9 +102,35 @@ test('POST /api/approvals rejects invalid payloads', () => {
     console.log(JSON.stringify({
       invalidStatus: invalidResponse.status,
       invalidError: invalidPayload?.error || null,
+      invalidIssues: invalidPayload?.issues || null,
     }))
   `)
 
   assert.equal(output.invalidStatus, 400)
-  assert.match(String(output.invalidError || ''), /id and approved required/i)
+  assert.equal(output.invalidError, 'Validation failed')
+  assert.deepEqual(output.invalidIssues, [
+    { path: 'approved', message: 'Invalid input: expected boolean, received undefined' },
+  ])
+})
+
+test('POST /api/approvals rejects malformed JSON with a 400', () => {
+  const output = runWithTempDataDir(`
+    const routeMod = await import('./src/app/api/approvals/route')
+    const route = routeMod.default || routeMod
+
+    const invalidResponse = await route.POST(new Request('http://local/api/approvals', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: '{bad-json',
+    }))
+    const invalidPayload = await invalidResponse.json()
+
+    console.log(JSON.stringify({
+      invalidStatus: invalidResponse.status,
+      invalidError: invalidPayload?.error || null,
+    }))
+  `)
+
+  assert.equal(output.invalidStatus, 400)
+  assert.equal(output.invalidError, 'Invalid or missing request body')
 })

package/src/app/api/approvals/route.ts

@@ -1,5 +1,8 @@
 import { NextResponse } from 'next/server'
+import { z } from 'zod'
+
 import { listPendingApprovals, submitDecision } from '@/lib/server/approvals'
+import { safeParseBody } from '@/lib/server/safe-parse-body'
 import { loadApprovals } from '@/lib/server/storage'
 import { errorMessage } from '@/lib/shared-utils'
 import type { ApprovalCategory } from '@/types'
@@ -11,6 +14,11 @@ const ALLOWED_CATEGORIES: ApprovalCategory[] = [
   'task_tool', 'connector_sender', 'agent_create', 'budget_change', 'delegation_enable',
 ]
 
+const ApprovalDecisionSchema = z.object({
+  id: z.string().min(1, 'id is required'),
+  approved: z.boolean(),
+})
+
 export async function GET(req: Request) {
   const { searchParams } = new URL(req.url)
   const categoryParam = searchParams.get('category') as ApprovalCategory | null
@@ -21,17 +29,15 @@ export async function GET(req: Request) {
 }
 
 export async function POST(req: Request) {
+  const { data: body, error } = await safeParseBody(req, ApprovalDecisionSchema)
+  if (error) return error
+
   try {
-    const body = await req.json()
-    const { id, approved } = body
-    if (!id || typeof approved !== 'boolean') {
-      return NextResponse.json({ error: 'id and approved required' }, { status: 400 })
-    }
-    const approval = loadApprovals()[id]
+    const approval = loadApprovals()[body.id]
     if (!approval) {
       return NextResponse.json({ error: 'approval not found' }, { status: 404 })
     }
-    await submitDecision(id, approved)
+    await submitDecision(body.id, body.approved)
     return NextResponse.json({ ok: true })
   } catch (err: unknown) {
     return NextResponse.json({ error: errorMessage(err) }, { status: 500 })