@swarmclawai/swarmclaw 1.5.33 → 1.5.34

package/README.md

@@ -39,6 +39,10 @@ Extension tutorial: https://swarmclaw.ai/docs/extension-tutorial
   <td align="center"><img src="doc/assets/logos/codex.svg" width="32" alt="Codex"><br><sub>Codex</sub></td>
   <td align="center"><img src="doc/assets/logos/gemini-cli.svg" width="32" alt="Gemini CLI"><br><sub>Gemini CLI</sub></td>
   <td align="center"><img src="doc/assets/logos/opencode.svg" width="32" alt="OpenCode"><br><sub>OpenCode</sub></td>
+  <td align="center"><img src="doc/assets/logos/copilot-cli.svg" width="32" alt="Copilot CLI"><br><sub>Copilot</sub></td>
+  <td align="center"><img src="doc/assets/logos/cursor-cli.svg" width="32" alt="Cursor Agent CLI"><br><sub>Cursor</sub></td>
+  <td align="center"><img src="doc/assets/logos/qwen-code-cli.svg" width="32" alt="Qwen Code CLI"><br><sub>Qwen Code</sub></td>
+  <td align="center"><img src="doc/assets/logos/goose.svg" width="32" alt="Goose"><br><sub>Goose</sub></td>
   <td align="center"><img src="doc/assets/logos/anthropic.svg" width="32" alt="Anthropic"><br><sub>Anthropic</sub></td>
   <td align="center"><img src="doc/assets/logos/openai.svg" width="32" alt="OpenAI"><br><sub>OpenAI</sub></td>
   <td align="center"><img src="public/provider-logos/openrouter.png" width="32" alt="OpenRouter"><br><sub>OpenRouter</sub></td>
@@ -61,7 +65,7 @@ Extension tutorial: https://swarmclaw.ai/docs/extension-tutorial
 - Node.js 22.6+ (`nvm use` will pick up the repo's `.nvmrc`, which matches CI)
 - npm 10+ or another supported package manager
 - Docker Desktop is recommended for sandbox browser execution
-- Optional provider CLIs if you want delegated CLI backends such as Claude Code, Codex, OpenCode, or Gemini
+- Optional provider CLIs if you want delegated CLI backends such as Claude Code, Codex, OpenCode, Gemini, Copilot, Cursor Agent, Qwen Code, or Goose
 
 ## Quick Start
 
@@ -147,10 +151,10 @@ Full hosted deployment guides live at https://swarmclaw.ai/docs/deployment
 
 ## Core Capabilities
 
-- **Providers**: OpenClaw, OpenAI, OpenRouter, Anthropic, Ollama, Hermes Agent, Google, DeepSeek, Groq, Together, Mistral, xAI, Fireworks, Nebius, DeepInfra, plus compatible custom endpoints.
+- **Providers**: 23 built-in — Claude Code CLI, Codex CLI, OpenCode CLI, Gemini CLI, Copilot CLI, Cursor Agent CLI, Qwen Code CLI, Goose, Anthropic, OpenAI, OpenRouter, Google Gemini, DeepSeek, Groq, Together, Mistral, xAI, Fireworks, Nebius, DeepInfra, Ollama, OpenClaw, and Hermes Agent, plus compatible custom endpoints.
 - **OpenRouter**: <img src="public/provider-logos/openrouter.png" alt="OpenRouter logo" width="20" height="20" /> Use OpenRouter as a first-class built-in provider with its standard OpenAI-compatible endpoint and routed model IDs such as `openai/gpt-4.1-mini`.
 - **Hermes Agent**: <img src="public/provider-logos/hermes-agent.png" alt="Hermes Agent logo" width="20" height="20" /> Connect Hermes through its OpenAI-compatible API server, locally or through a reachable remote `/v1` endpoint.
-- **Delegation**: built-in delegation to Claude Code, Codex CLI, OpenCode CLI, Gemini CLI, and native SwarmClaw subagents.
+- **Delegation**: built-in delegation to Claude Code, Codex CLI, OpenCode CLI, Gemini CLI, Cursor Agent CLI, Qwen Code CLI, and native SwarmClaw subagents.
 - **Autonomy**: heartbeat loops, schedules, background jobs, task execution, supervisor recovery, and agent wakeups.
 - **Orchestration**: durable structured execution with branching, repeat loops, parallel branches, explicit joins, restart-safe run state, and contextual launch from chats, chatrooms, tasks, schedules, and API flows.
 - **Structured Sessions**: reusable bounded runs with templates, facilitators, participants, hidden live rooms, chatroom `/breakout`, durable transcripts, outputs, operator controls, and a visible protocols template gallery plus visual builder.
@@ -371,6 +375,12 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.34 Highlights
+
+- **Ollama Cloud auth fix**: SwarmClaw now normalizes `api.ollama.com` and `www.ollama.com` to `ollama.com` before making authenticated requests, avoiding the redirect that was dropping authorization headers and causing false provider-health/runtime failures.
+- **Chat execution context hardening**: tool invocation now resolves names case-insensitively, oversized tool results are truncated before they are fed back into the model, and proactive grounding/heartbeat prompts stay smaller under pressure to reduce avoidable context blowouts.
+- **API compatibility fixes**: OpenAI-compatible streaming now captures reasoning deltas from providers that emit them outside `delta.content`, and A2A endpoints are exempt from the main proxy access-key gate so they can rely on their own auth scheme.
+
 ### v1.5.33 Highlights
 
 - **CLI global flag compatibility**: legacy-routed commands now honor the documented `--access-key` and `--base-url` aliases even when they appear after the subcommand, so authenticated CLI automation works the same across binary entry points.
@@ -380,6 +390,13 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 - **Fix Docker first-run crash**: resolved `EISDIR: illegal operation on a directory, read` error when running `docker compose up` without a pre-existing `.env.local` file. Docker was creating a directory mount instead of a file, which crashed Next.js on startup. Replaced the file bind mount with `env_file` directive using `required: false`.
 
+### v1.5.4 Highlights
+
+- **Cursor Agent CLI built-in provider**: Cursor Agent CLI is now a first-class worker provider with session continuity, headless execution, and delegation support.
+- **Qwen Code CLI built-in provider**: Qwen Code CLI is now available as a built-in worker provider and delegation backend with structured headless execution support.
+- **Goose built-in provider**: Goose is now supported as a runtime-managed worker provider, using its own local auth and provider configuration while preserving SwarmClaw session continuity.
+- **CLI setup and health parity**: setup flows, provider checks, setup doctor, and provider-facing UI now recognize Cursor, Qwen Code, and Goose alongside the existing CLI-backed providers.
+
 ### v1.5.3 Highlights
 
 - **Copilot CLI v1.x compatibility**: the `copilot-cli` provider now handles the current event format (`assistant.message_delta`, `assistant.message`, updated `result` payload) while keeping backward compatibility with the legacy format. Also fixes `--resume` flag syntax. (Community contribution by [@borislavnnikolov](https://github.com/borislavnnikolov) -- PR #36)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.33",
+  "version": "1.5.34",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "license": "MIT",
   "publishConfig": {
@@ -74,7 +74,7 @@
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs scripts/run-next-build.test.mjs scripts/run-next-typegen.test.mjs",
     "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts src/lib/setup-defaults.test.ts src/lib/server/storage-auth.test.ts src/lib/server/storage-auth-docker.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/connectors/swarmdock.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/session-tools/swarmdock.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/providers/openclaw-exports.test.ts src/app/api/openclaw/dashboard-url/route.test.ts",
-    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
+    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/chat-execution/iteration-timers.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/agents/agents-route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
     "test:builder": "tsx --test src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts",
     "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",

package/src/app/api/secrets/[id]/route.ts

@@ -12,7 +12,8 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
   const secret = secrets[id]
   if (!secret) return notFound()
   // Never expose the encrypted value
-  const { encryptedValue, ...safe } = secret as Record<string, unknown>
+  const safe = { ...(secret as Record<string, unknown>) }
+  delete safe.encryptedValue
   return NextResponse.json(safe)
 }
 
@@ -36,6 +37,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
     return secret
   })
   if (!result) return notFound()
-  const { encryptedValue, ...safe } = result as Record<string, unknown>
+  const safe = { ...(result as Record<string, unknown>) }
+  delete safe.encryptedValue
   return NextResponse.json(safe)
 }

package/src/lib/ollama-mode.test.ts

@@ -1,6 +1,6 @@
 import assert from 'node:assert/strict'
 import test from 'node:test'
-import { isOllamaCloudEndpoint, normalizeOllamaMode, resolveStoredOllamaMode } from './ollama-mode'
+import { isOllamaCloudEndpoint, normalizeOllamaCloudEndpoint, normalizeOllamaMode, resolveStoredOllamaMode } from './ollama-mode'
 
 test('normalizeOllamaMode only accepts explicit local and cloud values', () => {
   assert.equal(normalizeOllamaMode('local'), 'local')
@@ -31,3 +31,20 @@ test('resolveStoredOllamaMode falls back to endpoint only for legacy records', (
   assert.equal(resolveStoredOllamaMode({ apiEndpoint: 'http://localhost:11434' }), 'local')
   assert.equal(resolveStoredOllamaMode({}), 'local')
 })
+
+test('normalizeOllamaCloudEndpoint rewrites api.ollama.com to ollama.com', () => {
+  assert.equal(normalizeOllamaCloudEndpoint('https://api.ollama.com'), 'https://ollama.com')
+  assert.equal(normalizeOllamaCloudEndpoint('https://api.ollama.com/v1'), 'https://ollama.com/v1')
+  assert.equal(normalizeOllamaCloudEndpoint('http://api.ollama.com'), 'http://ollama.com')
+  assert.equal(normalizeOllamaCloudEndpoint('https://www.ollama.com'), 'https://ollama.com')
+})
+
+test('normalizeOllamaCloudEndpoint preserves correct ollama.com URLs', () => {
+  assert.equal(normalizeOllamaCloudEndpoint('https://ollama.com'), 'https://ollama.com')
+  assert.equal(normalizeOllamaCloudEndpoint('https://ollama.com/v1'), 'https://ollama.com/v1')
+})
+
+test('normalizeOllamaCloudEndpoint does not mangle non-Ollama endpoints', () => {
+  assert.equal(normalizeOllamaCloudEndpoint('http://localhost:11434'), 'http://localhost:11434')
+  assert.equal(normalizeOllamaCloudEndpoint('https://api.openai.com/v1'), 'https://api.openai.com/v1')
+})

package/src/lib/ollama-mode.ts

@@ -18,6 +18,14 @@ export function isOllamaCloudEndpoint(endpoint: string | null | undefined): bool
   return /^https?:\/\/(?:www\.|api\.)?ollama\.com(?:\/|$)/i.test(normalized)
 }
 
+/**
+ * Normalize an Ollama Cloud endpoint to avoid the api.ollama.com -> ollama.com
+ * 301 redirect which drops the Authorization header.
+ */
+export function normalizeOllamaCloudEndpoint(endpoint: string): string {
+  return endpoint.replace(/^(https?:\/\/)(?:www\.|api\.)?ollama\.com/i, '$1ollama.com')
+}
+
 export function resolveStoredOllamaMode(input: {
   ollamaMode?: string | null
   apiEndpoint?: string | null

package/src/lib/providers/openai.ts

@@ -165,7 +165,11 @@ export function streamOpenAiChat({ session, message, imagePath, imageUrl, apiKey
               if (data === '[DONE]') continue
               try {
                 const parsed = JSON.parse(data)
-                const delta = parsed.choices?.[0]?.delta?.content
+                const choice = parsed.choices?.[0]?.delta
+                const delta = choice?.content
+                  // Thinking/reasoning models (kimi-k2, etc.) put output in reasoning fields
+                  || choice?.reasoning_content
+                  || choice?.reasoning
                 if (delta) {
                   fullResponse += delta
                   writeSSE(write, 'd', delta)

package/src/lib/server/chat-execution/chat-turn-tool-routing.ts

@@ -453,12 +453,13 @@ async function invokeSessionTool(
   })
 
   try {
-    const directTool = tools.find((t) => t?.name === toolName) as StructuredToolInterface | undefined
+    const lowerName = toolName.toLowerCase()
+    const directTool = tools.find((t) => t?.name === toolName || t?.name?.toLowerCase() === lowerName) as StructuredToolInterface | undefined
     const availableToolNames = tools.map((candidate) => candidate?.name).filter(Boolean)
     const translated = directTool
-      ? { toolName, args }
+      ? { toolName: directTool.name, args }
       : translateRequestedToolInvocation(toolName, args, ctx.message, availableToolNames)
-    const selectedTool = directTool || tools.find((t) => t?.name === translated.toolName) as StructuredToolInterface | undefined
+    const selectedTool = directTool || tools.find((t) => t?.name === translated.toolName || t?.name?.toLowerCase() === translated.toolName.toLowerCase()) as StructuredToolInterface | undefined
     if (!selectedTool?.invoke) {
       const resolvedName = translated.toolName !== toolName ? translated.toolName : null
       const unavailableReason = resolvedName === 'delegate'
@@ -469,18 +470,19 @@ async function invokeSessionTool(
       return { invoked: false, responseOverride: null, unavailableReason }
     }
 
+    const resolvedToolName = selectedTool.name
     const toolCallId = genId()
-    ctx.emit({ t: 'tool_call', toolName, toolInput: JSON.stringify(translated.args), toolCallId })
+    ctx.emit({ t: 'tool_call', toolName: resolvedToolName, toolInput: JSON.stringify(translated.args), toolCallId })
     const toolOutput = await selectedTool.invoke(translated.args)
     const outputText = typeof toolOutput === 'string' ? toolOutput : JSON.stringify(toolOutput)
-    ctx.emit({ t: 'tool_result', toolName, toolOutput: outputText, toolCallId })
+    ctx.emit({ t: 'tool_result', toolName: resolvedToolName, toolOutput: outputText, toolCallId })
 
     const delegateResponse = (
-      toolName === 'delegate'
-      || toolName.startsWith('delegate_to_')
+      resolvedToolName === 'delegate'
+      || resolvedToolName.startsWith('delegate_to_')
     ) ? extractDelegateResponse(outputText) : null
 
-    calledNames.add(toolName)
+    calledNames.add(resolvedToolName)
 
     if (delegateResponse) {
       return { invoked: true, responseOverride: delegateResponse, toolOutputText: outputText }

package/src/lib/server/chat-execution/prompt-sections.ts

@@ -475,7 +475,7 @@ export async function buildProactiveMemorySection(
       )
       sections.push(`## Recalled Context\nRelevant memories from previous interactions:\n${recalledLines.join('\n')}`)
       if (knowledgeTrace?.hits.length) {
-        const groundingLines = knowledgeTrace.hits.map((hit) =>
+        const groundingLines = knowledgeTrace.hits.slice(0, 10).map((hit) =>
           `- [${hit.chunkIndex + 1}/${hit.chunkCount}] ${hit.sourceTitle}: ${hit.snippet}`,
         )
         sections.push(`## Source Grounding\nSource-backed knowledge retrieved for this turn:\n${groundingLines.join('\n')}`)
@@ -488,7 +488,7 @@ export async function buildProactiveMemorySection(
     }
 
     if (knowledgeTrace?.hits.length) {
-      const groundingLines = knowledgeTrace.hits.map((hit) =>
+      const groundingLines = knowledgeTrace.hits.slice(0, 10).map((hit) =>
         `- [${hit.chunkIndex + 1}/${hit.chunkCount}] ${hit.sourceTitle}: ${hit.snippet}`,
       )
       return {

package/src/lib/server/chat-execution/stream-agent-chat.ts

@@ -695,7 +695,7 @@ async function streamAgentChatCore(opts: StreamAgentChatOpts): Promise<StreamAge
         (result.summaryAdded ? ' (LLM summary)' : ' (sliding window fallback)'),
       )
     }
-  } catch { /* non-critical */ }
+  } catch (compactErr) { log.warn(TAG, `Auto-compaction failed for ${session.id}:`, compactErr) }
 
   // Truncate oversized assistant messages in history to prevent context blowout
   const HISTORY_MSG_MAX_CHARS = 8_000
@@ -787,7 +787,7 @@ async function streamAgentChatCore(opts: StreamAgentChatOpts): Promise<StreamAge
     if (warning) {
       prompt = joinPromptSegments(warning, prompt)
     }
-  } catch { /* non-critical */ }
+  } catch (degradeErr) { log.warn(TAG, `Context degradation check failed for ${session.id}:`, degradeErr) }
 
   await runCapabilityHook(
     'llmInput',

package/src/lib/server/ollama-runtime.ts

@@ -1,5 +1,5 @@
 import { stripOllamaCloudModelSuffix } from '@/lib/ollama-model'
-import { isOllamaCloudEndpoint, resolveStoredOllamaMode } from '@/lib/ollama-mode'
+import { isOllamaCloudEndpoint, normalizeOllamaCloudEndpoint, resolveStoredOllamaMode } from '@/lib/ollama-mode'
 import { PROVIDER_DEFAULTS } from '@/lib/providers/provider-defaults'
 
 const OLLAMA_CLOUD_KEY_ENV_VARS = ['OLLAMA_API_KEY', 'OLLAMA_CLOUD_API_KEY'] as const
@@ -41,7 +41,7 @@ export function resolveOllamaRuntimeConfig(input: {
   const cloudApiKey = resolveOllamaCloudApiKey(explicitApiKey)
   const useCloud = ollamaMode === 'cloud'
   const endpoint = useCloud
-    ? (isOllamaCloudEndpoint(explicitEndpoint) ? explicitEndpoint! : PROVIDER_DEFAULTS.ollamaCloud)
+    ? normalizeOllamaCloudEndpoint(isOllamaCloudEndpoint(explicitEndpoint) ? explicitEndpoint! : PROVIDER_DEFAULTS.ollamaCloud)
     : (explicitEndpoint && !isOllamaCloudEndpoint(explicitEndpoint) ? explicitEndpoint : PROVIDER_DEFAULTS.ollama)
 
   return {

package/src/lib/server/provider-health.ts

@@ -305,8 +305,10 @@ export async function pingAnthropic(apiKey: string): Promise<{ ok: boolean; mess
 }
 
 export async function pingOllama(endpoint: string, apiKey?: string): Promise<{ ok: boolean; message: string }> {
-  const normalizedEndpoint = (endpoint || 'http://localhost:11434').replace(/\/+$/, '')
+  let normalizedEndpoint = (endpoint || 'http://localhost:11434').replace(/\/+$/, '')
   const useCloud = isOllamaCloudEndpoint(normalizedEndpoint)
+  // Normalize api.ollama.com -> ollama.com to avoid 301 redirect that drops auth
+  if (useCloud) normalizedEndpoint = normalizedEndpoint.replace(/^(https?:\/\/)(?:www\.|api\.)?ollama\.com/i, '$1ollama.com')
   if (useCloud && !apiKey) {
     return { ok: false, message: 'Ollama Cloud requires an API key.' }
   }

package/src/lib/server/runtime/heartbeat-service.ts

@@ -319,10 +319,11 @@ export function buildAgentHeartbeatPrompt(
   agent: HeartbeatPromptAgent | null | undefined,
   fallbackPrompt: string,
   heartbeatFileContent: string,
-  opts?: { approvals?: Record<string, ApprovalRequest>; chatrooms?: Record<string, Chatroom> },
+  opts?: { approvals?: Record<string, ApprovalRequest>; chatrooms?: Record<string, Chatroom>; lightContext?: boolean },
 ): string {
   if (!agent) return fallbackPrompt
 
+  const light = opts?.lightContext === true
   const sections: string[] = []
 
   // ── Phase 1: Identity context ──
@@ -331,11 +332,11 @@ export function buildAgentHeartbeatPrompt(
   const identityContext = buildIdentityContext(session, agent)
   const continuityContext = buildIdentityContinuityContext(session, agent)
   if (identityContext) sections.push(identityContext)
-  if (continuityContext) sections.push(continuityContext)
+  if (!light && continuityContext) sections.push(continuityContext)
   const description = agent.description || ''
   const soul = agent.soul || ''
   if (description) sections.push(`Description: ${description}`)
-  if (soul) sections.push(`Persona: ${soul.slice(0, 300)}`)
+  if (!light && soul) sections.push(`Persona: ${soul.slice(0, 300)}`)
 
   // ── Phase 2: Pending approvals ──
   const agentId = agent.id || session.agentId || ''
@@ -346,7 +347,7 @@ export function buildAgentHeartbeatPrompt(
         (a) => a.status === 'pending' && a.agentId === agentId,
       )
       if (pending.length > 0) {
-        const approvalLines = pending.slice(0, 5).map(
+        const approvalLines = pending.slice(0, light ? 2 : 5).map(
           (a) => `- [${a.category}] ${a.title}${a.description ? `: ${a.description.slice(0, 100)}` : ''}`,
         )
         sections.push(`### Pending Approvals (${pending.length})\n${approvalLines.join('\n')}`)
@@ -366,7 +367,7 @@ export function buildAgentHeartbeatPrompt(
   const dynamicGoal = agent.heartbeatGoal || ''
   const dynamicNextAction = agent.heartbeatNextAction || ''
   const systemPrompt = agent.systemPrompt || ''
-  const goalSummary = systemPrompt.slice(0, 500)
+  const goalSummary = systemPrompt.slice(0, light ? 200 : 500)
 
   if (dynamicGoal) {
     sections.push(`Current goal (self-set): ${dynamicGoal}`)
@@ -377,12 +378,13 @@ export function buildAgentHeartbeatPrompt(
 
   const strippedContent = stripBlockedItems(heartbeatFileContent)
   const effectiveFileContent = isHeartbeatContentEffectivelyEmpty(strippedContent) ? '' : strippedContent
-  if (effectiveFileContent) sections.push(`\nHEARTBEAT.md contents:\n${effectiveFileContent.slice(0, 2000)}`)
+  if (effectiveFileContent) sections.push(`\nHEARTBEAT.md contents:\n${effectiveFileContent.slice(0, light ? 500 : 2000)}`)
 
+  const messageCount = light ? 2 : 5
   const recentMessages = (
     Array.isArray(session.messages)
-      ? session.messages.slice(-5)
-      : (session.id ? getRecentMessages(session.id, 5) : [])
+      ? session.messages.slice(-messageCount)
+      : (session.id ? getRecentMessages(session.id, messageCount) : [])
   ) as HeartbeatPromptMessage[]
   const recentContext = recentMessages
     .map((m) => {
@@ -395,8 +397,8 @@ export function buildAgentHeartbeatPrompt(
     .join('\n')
   if (recentContext) sections.push(`Recent conversation:\n${recentContext}`)
 
-  // ── Phase 4b: Chatroom mentions since last heartbeat ──
-  try {
+  // ── Phase 4b: Chatroom mentions since last heartbeat (skip in light mode) ──
+  if (!light) try {
     const chatrooms = Object.values(opts?.chatrooms ?? loadChatrooms()) as Chatroom[]
     const myChatrooms = chatrooms.filter((c) => !c.archivedAt && c.agentIds?.includes(agentId))
     if (myChatrooms.length > 0) {
@@ -718,6 +720,7 @@ export async function tickHeartbeats() {
     const baseHeartbeatMessage = buildAgentHeartbeatPrompt(session, agent, cfg.prompt, heartbeatFileContent, {
       approvals: sharedApprovals,
       chatrooms: sharedChatrooms,
+      lightContext: cfg.lightContext,
     })
     let heartbeatMessage = isMainSession(session)
       ? buildMainLoopHeartbeatPrompt(session, baseHeartbeatMessage)

package/src/lib/server/session-tools/index.ts

@@ -6,6 +6,8 @@ import { loadSettings, loadSession, loadAgent, loadMcpServers, patchAgent, patch
 import { loadRuntimeSettings } from '@/lib/server/runtime/runtime-settings'
 import { log } from '../logger'
 import { resolveSessionToolPolicy } from '../tool-capability-policy'
+import { truncateToolResultText, calculateMaxToolResultChars } from '../chat-execution/tool-result-guard'
+import { getContextWindowSize } from '../context-manager'
 import { expandExtensionIds } from '../tool-aliases'
 import type { ToolContext, SessionToolsResult, ToolBuildContext, AbortSignalRef } from './context'
 
@@ -455,9 +457,17 @@ export async function buildSessionTools(cwd: string, enabledExtensions: string[]
             }
             const effectiveArgs = hookResult.input ?? guardedArgs
             const result = await candidate.invoke(effectiveArgs ?? {})
-            const outputText = typeof result === 'string' ? result : JSON.stringify(result)
+            const rawOutput = typeof result === 'string' ? result : JSON.stringify(result)
+            // Truncate oversized tool outputs before LangGraph feeds them back to
+            // the LLM.  Without this, a single large tool result (e.g. shell dump,
+            // large web fetch) can blow out the context window inside LangGraph's
+            // internal state, which the auto-compaction system cannot observe.
+            const currentSession = resolveCurrentSession()
+            const maxChars = calculateMaxToolResultChars(getContextWindowSize(currentSession?.provider || '', currentSession?.model || ''))
+            const outputText = truncateToolResultText(rawOutput, maxChars)
             setSpanAttributes(span, {
               'swarmclaw.tool.output_bytes': Buffer.byteLength(outputText, 'utf-8'),
+              ...(rawOutput.length !== outputText.length ? { 'swarmclaw.tool.truncated_from': rawOutput.length } : {}),
             })
             await runCapabilityHook(
               'afterToolExec',

package/src/proxy.ts

@@ -87,13 +87,19 @@ export function proxy(request: NextRequest) {
     })
   }
 
-  // Only protect API routes (not auth or inbound webhooks)
+  // A2A endpoints use their own authentication (Authorization: Bearer / x-a2a-access-key)
+  const isA2ARoute = pathname === '/api/a2a'
+    || pathname.startsWith('/api/a2a/')
+    || pathname === '/api/.well-known/agent-card'
+
+  // Only protect API routes (not auth, inbound webhooks, or A2A)
   if (
     !pathname.startsWith('/api/')
     || pathname === '/api/auth'
     || pathname === '/api/healthz'
     || isWebhookTrigger
     || isConnectorWebhook
+    || isA2ARoute
   ) {
     return NextResponse.next()
   }