@swarmclawai/swarmclaw 1.5.33 → 1.5.35

package/README.md

@@ -39,6 +39,10 @@ Extension tutorial: https://swarmclaw.ai/docs/extension-tutorial
   <td align="center"><img src="doc/assets/logos/codex.svg" width="32" alt="Codex"><br><sub>Codex</sub></td>
   <td align="center"><img src="doc/assets/logos/gemini-cli.svg" width="32" alt="Gemini CLI"><br><sub>Gemini CLI</sub></td>
   <td align="center"><img src="doc/assets/logos/opencode.svg" width="32" alt="OpenCode"><br><sub>OpenCode</sub></td>
+  <td align="center"><img src="doc/assets/logos/copilot-cli.svg" width="32" alt="Copilot CLI"><br><sub>Copilot</sub></td>
+  <td align="center"><img src="doc/assets/logos/cursor-cli.svg" width="32" alt="Cursor Agent CLI"><br><sub>Cursor</sub></td>
+  <td align="center"><img src="doc/assets/logos/qwen-code-cli.svg" width="32" alt="Qwen Code CLI"><br><sub>Qwen Code</sub></td>
+  <td align="center"><img src="doc/assets/logos/goose.svg" width="32" alt="Goose"><br><sub>Goose</sub></td>
   <td align="center"><img src="doc/assets/logos/anthropic.svg" width="32" alt="Anthropic"><br><sub>Anthropic</sub></td>
   <td align="center"><img src="doc/assets/logos/openai.svg" width="32" alt="OpenAI"><br><sub>OpenAI</sub></td>
   <td align="center"><img src="public/provider-logos/openrouter.png" width="32" alt="OpenRouter"><br><sub>OpenRouter</sub></td>
@@ -61,7 +65,7 @@ Extension tutorial: https://swarmclaw.ai/docs/extension-tutorial
 - Node.js 22.6+ (`nvm use` will pick up the repo's `.nvmrc`, which matches CI)
 - npm 10+ or another supported package manager
 - Docker Desktop is recommended for sandbox browser execution
-- Optional provider CLIs if you want delegated CLI backends such as Claude Code, Codex, OpenCode, or Gemini
+- Optional provider CLIs if you want delegated CLI backends such as Claude Code, Codex, OpenCode, Gemini, Copilot, Cursor Agent, Qwen Code, or Goose
 
 ## Quick Start
 
@@ -147,10 +151,10 @@ Full hosted deployment guides live at https://swarmclaw.ai/docs/deployment
 
 ## Core Capabilities
 
-- **Providers**: OpenClaw, OpenAI, OpenRouter, Anthropic, Ollama, Hermes Agent, Google, DeepSeek, Groq, Together, Mistral, xAI, Fireworks, Nebius, DeepInfra, plus compatible custom endpoints.
+- **Providers**: 23 built-in — Claude Code CLI, Codex CLI, OpenCode CLI, Gemini CLI, Copilot CLI, Cursor Agent CLI, Qwen Code CLI, Goose, Anthropic, OpenAI, OpenRouter, Google Gemini, DeepSeek, Groq, Together, Mistral, xAI, Fireworks, Nebius, DeepInfra, Ollama, OpenClaw, and Hermes Agent, plus compatible custom endpoints.
 - **OpenRouter**: <img src="public/provider-logos/openrouter.png" alt="OpenRouter logo" width="20" height="20" /> Use OpenRouter as a first-class built-in provider with its standard OpenAI-compatible endpoint and routed model IDs such as `openai/gpt-4.1-mini`.
 - **Hermes Agent**: <img src="public/provider-logos/hermes-agent.png" alt="Hermes Agent logo" width="20" height="20" /> Connect Hermes through its OpenAI-compatible API server, locally or through a reachable remote `/v1` endpoint.
-- **Delegation**: built-in delegation to Claude Code, Codex CLI, OpenCode CLI, Gemini CLI, and native SwarmClaw subagents.
+- **Delegation**: built-in delegation to Claude Code, Codex CLI, OpenCode CLI, Gemini CLI, Cursor Agent CLI, Qwen Code CLI, and native SwarmClaw subagents.
 - **Autonomy**: heartbeat loops, schedules, background jobs, task execution, supervisor recovery, and agent wakeups.
 - **Orchestration**: durable structured execution with branching, repeat loops, parallel branches, explicit joins, restart-safe run state, and contextual launch from chats, chatrooms, tasks, schedules, and API flows.
 - **Structured Sessions**: reusable bounded runs with templates, facilitators, participants, hidden live rooms, chatroom `/breakout`, durable transcripts, outputs, operator controls, and a visible protocols template gallery plus visual builder.
@@ -371,6 +375,20 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.35 Highlights
+
+- **Update safety: prevent DB corruption on Linux**: `npm run update:easy`, `swarmclaw update`, and the in-app update endpoint now stop the running server (or checkpoint the SQLite WAL) before rebuilding native modules, preventing the WAL journal corruption that forced some Linux users back to the setup wizard.
+- **SQLite graceful shutdown**: the server now checkpoints and closes the database on SIGTERM/SIGINT, eliminating stale WAL state after any clean stop.
+- **Doctor: detect dangling gateway credentials**: the setup doctor now flags gateway profiles that reference deleted or missing credentials, explaining the "gateway token missing" connection errors.
+- **Gateway credential resolution logging**: when a gateway credential can't be resolved, the server now logs a clear warning identifying the missing credential ID.
+- **Credential decryption error logging**: when a stored credential can't be decrypted (e.g. after `CREDENTIAL_SECRET` changes), the server now logs the credential ID and provider so users know which key to re-add.
+
+### v1.5.34 Highlights
+
+- **Ollama Cloud auth fix**: SwarmClaw now normalizes `api.ollama.com` and `www.ollama.com` to `ollama.com` before making authenticated requests, avoiding the redirect that was dropping authorization headers and causing false provider-health/runtime failures.
+- **Chat execution context hardening**: tool invocation now resolves names case-insensitively, oversized tool results are truncated before they are fed back into the model, and proactive grounding/heartbeat prompts stay smaller under pressure to reduce avoidable context blowouts.
+- **API compatibility fixes**: OpenAI-compatible streaming now captures reasoning deltas from providers that emit them outside `delta.content`, and A2A endpoints are exempt from the main proxy access-key gate so they can rely on their own auth scheme.
+
 ### v1.5.33 Highlights
 
 - **CLI global flag compatibility**: legacy-routed commands now honor the documented `--access-key` and `--base-url` aliases even when they appear after the subcommand, so authenticated CLI automation works the same across binary entry points.
@@ -380,6 +398,13 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 - **Fix Docker first-run crash**: resolved `EISDIR: illegal operation on a directory, read` error when running `docker compose up` without a pre-existing `.env.local` file. Docker was creating a directory mount instead of a file, which crashed Next.js on startup. Replaced the file bind mount with `env_file` directive using `required: false`.
 
+### v1.5.4 Highlights
+
+- **Cursor Agent CLI built-in provider**: Cursor Agent CLI is now a first-class worker provider with session continuity, headless execution, and delegation support.
+- **Qwen Code CLI built-in provider**: Qwen Code CLI is now available as a built-in worker provider and delegation backend with structured headless execution support.
+- **Goose built-in provider**: Goose is now supported as a runtime-managed worker provider, using its own local auth and provider configuration while preserving SwarmClaw session continuity.
+- **CLI setup and health parity**: setup flows, provider checks, setup doctor, and provider-facing UI now recognize Cursor, Qwen Code, and Goose alongside the existing CLI-backed providers.
+
 ### v1.5.3 Highlights
 
 - **Copilot CLI v1.x compatibility**: the `copilot-cli` provider now handles the current event format (`assistant.message_delta`, `assistant.message`, updated `result` payload) while keeping backward compatibility with the legacy format. Also fixes `--resume` flag syntax. (Community contribution by [@borislavnnikolov](https://github.com/borislavnnikolov) -- PR #36)

package/bin/update-cmd.js

@@ -98,6 +98,29 @@ function runRegistrySelfUpdate(
   return 0
 }
 
+function stopRunningServer(logger = { log, logError }) {
+  // Stop the server gracefully before updating to prevent SQLite WAL corruption.
+  try {
+    const serverCmd = path.join(PKG_ROOT, 'bin', 'swarmclaw.js')
+    const status = execFileSync(process.execPath, [serverCmd, 'status'], {
+      encoding: 'utf-8',
+      cwd: PKG_ROOT,
+      timeout: 10_000,
+    }).trim()
+    if (status.toLowerCase().includes('running')) {
+      logger.log('Stopping running server before update...')
+      execFileSync(process.execPath, [serverCmd, 'stop'], {
+        encoding: 'utf-8',
+        cwd: PKG_ROOT,
+        timeout: 15_000,
+      })
+      logger.log('Server stopped.')
+    }
+  } catch {
+    // Server may not be running or status command unavailable — continue.
+  }
+}
+
 function main(args = process.argv.slice(3)) {
   if (args.includes('-h') || args.includes('--help')) {
     console.log(`
@@ -112,9 +135,12 @@ If running from a registry install, update the global package with its owning pa
   try {
     run('git rev-parse --git-dir')
   } catch {
+    stopRunningServer()
     process.exit(runRegistrySelfUpdate())
   }
 
+  stopRunningServer()
+
   const beforeRef = run('git rev-parse HEAD')
   const beforeSha = run('git rev-parse --short HEAD')
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.33",
+  "version": "1.5.35",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "license": "MIT",
   "publishConfig": {
@@ -74,7 +74,7 @@
     "test:cli": "node --test src/cli/*.test.js bin/*.test.js scripts/postinstall.test.mjs scripts/run-next-build.test.mjs scripts/run-next-typegen.test.mjs",
     "test:setup": "tsx --test src/app/api/setup/check-provider/route.test.ts src/lib/server/provider-model-discovery.test.ts src/components/auth/setup-wizard/utils.test.ts src/components/auth/setup-wizard/types.test.ts src/hooks/setup-done-detection.test.ts src/lib/setup-defaults.test.ts src/lib/server/storage-auth.test.ts src/lib/server/storage-auth-docker.test.ts",
     "test:openclaw": "tsx --test src/lib/openclaw/openclaw-agent-id.test.ts src/lib/openclaw/openclaw-endpoint.test.ts src/lib/server/agents/agent-runtime-config.test.ts src/lib/server/build-llm.test.ts src/lib/server/connectors/connector-routing.test.ts src/lib/server/connectors/openclaw.test.ts src/lib/server/connectors/swarmdock.test.ts src/lib/server/gateway/protocol.test.ts src/lib/server/llm-response-cache.test.ts src/lib/server/mcp-conformance.test.ts src/lib/server/openclaw/agent-resolver.test.ts src/lib/server/openclaw/deploy.test.ts src/lib/server/openclaw/skills-normalize.test.ts src/lib/server/session-tools/openclaw-nodes.test.ts src/lib/server/session-tools/swarmdock.test.ts src/lib/server/tasks/task-quality-gate.test.ts src/lib/server/tasks/task-validation.test.ts src/lib/server/tool-capability-policy.test.ts src/lib/providers/openclaw-exports.test.ts src/app/api/openclaw/dashboard-url/route.test.ts",
-    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
+    "test:runtime": "tsx --test src/lib/server/knowledge-sources.test.ts src/lib/server/chat-execution/chat-execution-grounding.test.ts src/lib/server/chat-execution/iteration-timers.test.ts src/lib/server/protocols/protocol-service.test.ts src/lib/server/runtime/run-ledger.test.ts src/lib/server/observability/otel-config.test.ts src/lib/server/safe-parse-body.test.ts src/app/api/approvals/route.test.ts src/app/api/agents/agents-route.test.ts src/app/api/chats/chat-route.test.ts src/app/api/connectors/connector-doctor-route.test.ts src/app/api/healthz/route.test.ts src/app/api/logs/route.test.ts src/app/api/tts/route.test.ts",
     "test:builder": "tsx --test src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts",
     "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",

package/scripts/easy-update.mjs

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
 
+import fs from 'node:fs'
+import path from 'node:path'
 import { spawnSync } from 'node:child_process'
 
 const args = new Set(process.argv.slice(2))
@@ -68,12 +70,33 @@ function getLatestStableTag() {
   return tags.find((tag) => RELEASE_TAG_RE.test(tag)) || null
 }
 
+function stopRunningServer() {
+  // Try to stop the SwarmClaw server gracefully before updating.
+  // An unclean shutdown while npm rebuild replaces native modules
+  // can corrupt the SQLite WAL journal on Linux.
+  const cliPath = path.join(cwd, 'bin', 'swarmclaw.js')
+  if (!fs.existsSync(cliPath)) return
+
+  const status = run('node', [cliPath, 'status'])
+  if (!status.ok || !status.out.toLowerCase().includes('running')) return
+
+  log('Stopping running SwarmClaw server before update...')
+  const stop = run('node', [cliPath, 'stop'])
+  if (stop.ok) {
+    log('Server stopped.')
+  } else {
+    log('Could not stop the server automatically. Please stop it manually before updating.')
+  }
+}
+
 function main() {
   const gitCheck = run('git', ['rev-parse', '--is-inside-work-tree'])
   if (!gitCheck.ok) {
     fail('This folder is not a git repository. Automatic updates require git.')
   }
 
+  stopRunningServer()
+
   const dirty = run('git', ['status', '--porcelain'])
   const isDirty = !!dirty.out
   if (isDirty && !allowDirty) {

package/src/app/api/secrets/[id]/route.ts

@@ -12,7 +12,8 @@ export async function GET(_req: Request, { params }: { params: Promise<{ id: str
   const secret = secrets[id]
   if (!secret) return notFound()
   // Never expose the encrypted value
-  const { encryptedValue, ...safe } = secret as Record<string, unknown>
+  const safe = { ...(secret as Record<string, unknown>) }
+  delete safe.encryptedValue
   return NextResponse.json(safe)
 }
 
@@ -36,6 +37,7 @@ export async function PUT(req: Request, { params }: { params: Promise<{ id: stri
     return secret
   })
   if (!result) return notFound()
-  const { encryptedValue, ...safe } = result as Record<string, unknown>
+  const safe = { ...(result as Record<string, unknown>) }
+  delete safe.encryptedValue
   return NextResponse.json(safe)
 }

package/src/app/api/setup/doctor/route.ts

@@ -3,7 +3,7 @@ import path from 'node:path'
 import { spawnSync } from 'node:child_process'
 import { NextResponse } from 'next/server'
 import { DATA_DIR } from '@/lib/server/data-dir'
-import { loadAgents, loadCredentials, loadSettings } from '@/lib/server/storage'
+import { loadAgents, loadCredentials, loadSettings, loadCollection } from '@/lib/server/storage'
 import { dedup, errorMessage } from '@/lib/shared-utils'
 import { detectDocker } from '@/lib/server/sandbox/docker-detect'
 
@@ -160,6 +160,7 @@ export async function GET(req: Request) {
   }
 
   const credentials = Object.values(loadCredentials() || {})
+  const credentialIds = new Set(credentials.map((c) => (c as Record<string, unknown>).id as string).filter(Boolean))
   if (credentials.length > 0) {
     pushCheck(checks, 'credentials', 'Credentials', 'pass', `${credentials.length} credential(s) saved.`)
   } else {
@@ -167,6 +168,35 @@ export async function GET(req: Request) {
     actions.push('If using cloud providers, add an API key in the setup wizard or Settings → Providers.')
   }
 
+  // Check for undecryptable credentials (CREDENTIAL_SECRET may have changed)
+  if (credentials.length > 0) {
+    try {
+      const { resolveCredentialSecret } = await import('@/lib/server/credentials/credential-service')
+      let undecryptable = 0
+      for (const cred of credentials) {
+        const c = cred as Record<string, unknown>
+        if (c.encryptedKey && !resolveCredentialSecret(c.id as string)) undecryptable++
+      }
+      if (undecryptable > 0) {
+        pushCheck(checks, 'credential-decrypt', 'Credential decryption', 'fail',
+          `${undecryptable} of ${credentials.length} credential(s) cannot be decrypted. CREDENTIAL_SECRET may have changed since these keys were stored.`, true)
+        actions.push('Your CREDENTIAL_SECRET changed (possibly from a container restart). Re-add your API keys in Settings → Providers.')
+      }
+    } catch { /* best-effort */ }
+  }
+
+  // Check for dangling credential references in gateway profiles
+  try {
+    const gateways = Object.values(loadCollection('gateway_profiles') || {}) as Array<Record<string, unknown>>
+    const dangling = gateways.filter((gw) => gw.credentialId && !credentialIds.has(gw.credentialId as string))
+    if (dangling.length > 0) {
+      const names = dangling.map((gw) => gw.name || gw.id).join(', ')
+      pushCheck(checks, 'gateway-credentials', 'Gateway credential references', 'warn',
+        `${dangling.length} gateway profile(s) reference missing credentials: ${names}. This causes "gateway token missing" errors.`)
+      actions.push('Re-add the missing API key in Settings → Gateways, or update the gateway profile to use an existing credential.')
+    }
+  } catch { /* best-effort */ }
+
   const optionalBinaries: Array<{ id: string; label: string; command: string }> = [
     { id: 'claude-cli', label: 'Claude Code CLI', command: 'claude' },
     { id: 'codex-cli', label: 'OpenAI Codex CLI', command: 'codex' },

package/src/app/api/version/update/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { execSync } from 'child_process'
+import { getDb } from '@/lib/server/storage'
 
 const RELEASE_TAG_RE = /^v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/
 
@@ -7,6 +8,19 @@ function run(cmd: string): string {
   return execSync(cmd, { encoding: 'utf-8', cwd: process.cwd(), timeout: 60_000 }).trim()
 }
 
+/**
+ * Checkpoint the SQLite WAL before operations that replace native modules
+ * (npm install rebuilds better-sqlite3). Without this, an unclean WAL state
+ * combined with a replaced native binary can corrupt the database on Linux.
+ */
+function checkpointDatabase(): void {
+  try {
+    getDb().pragma('wal_checkpoint(TRUNCATE)')
+  } catch {
+    // Best-effort — the database may already be in a good state.
+  }
+}
+
 function getLatestStableTag(): string | null {
   const tags = run(`git tag --list 'v*' --sort=-v:refname`)
     .split('\n')
@@ -67,6 +81,9 @@ export async function POST() {
     try {
       const diff = run(`git diff --name-only ${beforeSha}..HEAD`)
       if (diff.includes('package-lock.json') || diff.includes('package.json')) {
+        // Checkpoint WAL before npm install — the postinstall hook rebuilds
+        // better-sqlite3's native module, which can corrupt an open WAL journal.
+        checkpointDatabase()
         run('npm install --omit=dev')
         installedDeps = true
       }

package/src/lib/ollama-mode.test.ts

@@ -1,6 +1,6 @@
 import assert from 'node:assert/strict'
 import test from 'node:test'
-import { isOllamaCloudEndpoint, normalizeOllamaMode, resolveStoredOllamaMode } from './ollama-mode'
+import { isOllamaCloudEndpoint, normalizeOllamaCloudEndpoint, normalizeOllamaMode, resolveStoredOllamaMode } from './ollama-mode'
 
 test('normalizeOllamaMode only accepts explicit local and cloud values', () => {
   assert.equal(normalizeOllamaMode('local'), 'local')
@@ -31,3 +31,20 @@ test('resolveStoredOllamaMode falls back to endpoint only for legacy records', (
   assert.equal(resolveStoredOllamaMode({ apiEndpoint: 'http://localhost:11434' }), 'local')
   assert.equal(resolveStoredOllamaMode({}), 'local')
 })
+
+test('normalizeOllamaCloudEndpoint rewrites api.ollama.com to ollama.com', () => {
+  assert.equal(normalizeOllamaCloudEndpoint('https://api.ollama.com'), 'https://ollama.com')
+  assert.equal(normalizeOllamaCloudEndpoint('https://api.ollama.com/v1'), 'https://ollama.com/v1')
+  assert.equal(normalizeOllamaCloudEndpoint('http://api.ollama.com'), 'http://ollama.com')
+  assert.equal(normalizeOllamaCloudEndpoint('https://www.ollama.com'), 'https://ollama.com')
+})
+
+test('normalizeOllamaCloudEndpoint preserves correct ollama.com URLs', () => {
+  assert.equal(normalizeOllamaCloudEndpoint('https://ollama.com'), 'https://ollama.com')
+  assert.equal(normalizeOllamaCloudEndpoint('https://ollama.com/v1'), 'https://ollama.com/v1')
+})
+
+test('normalizeOllamaCloudEndpoint does not mangle non-Ollama endpoints', () => {
+  assert.equal(normalizeOllamaCloudEndpoint('http://localhost:11434'), 'http://localhost:11434')
+  assert.equal(normalizeOllamaCloudEndpoint('https://api.openai.com/v1'), 'https://api.openai.com/v1')
+})

package/src/lib/ollama-mode.ts

@@ -18,6 +18,14 @@ export function isOllamaCloudEndpoint(endpoint: string | null | undefined): bool
   return /^https?:\/\/(?:www\.|api\.)?ollama\.com(?:\/|$)/i.test(normalized)
 }
 
+/**
+ * Normalize an Ollama Cloud endpoint to avoid the api.ollama.com -> ollama.com
+ * 301 redirect which drops the Authorization header.
+ */
+export function normalizeOllamaCloudEndpoint(endpoint: string): string {
+  return endpoint.replace(/^(https?:\/\/)(?:www\.|api\.)?ollama\.com/i, '$1ollama.com')
+}
+
 export function resolveStoredOllamaMode(input: {
   ollamaMode?: string | null
   apiEndpoint?: string | null

package/src/lib/providers/openai.ts

@@ -165,7 +165,11 @@ export function streamOpenAiChat({ session, message, imagePath, imageUrl, apiKey
               if (data === '[DONE]') continue
               try {
                 const parsed = JSON.parse(data)
-                const delta = parsed.choices?.[0]?.delta?.content
+                const choice = parsed.choices?.[0]?.delta
+                const delta = choice?.content
+                  // Thinking/reasoning models (kimi-k2, etc.) put output in reasoning fields
+                  || choice?.reasoning_content
+                  || choice?.reasoning
                 if (delta) {
                   fullResponse += delta
                   writeSSE(write, 'd', delta)

package/src/lib/server/chat-execution/chat-turn-tool-routing.ts

@@ -453,12 +453,13 @@ async function invokeSessionTool(
   })
 
   try {
-    const directTool = tools.find((t) => t?.name === toolName) as StructuredToolInterface | undefined
+    const lowerName = toolName.toLowerCase()
+    const directTool = tools.find((t) => t?.name === toolName || t?.name?.toLowerCase() === lowerName) as StructuredToolInterface | undefined
     const availableToolNames = tools.map((candidate) => candidate?.name).filter(Boolean)
     const translated = directTool
-      ? { toolName, args }
+      ? { toolName: directTool.name, args }
       : translateRequestedToolInvocation(toolName, args, ctx.message, availableToolNames)
-    const selectedTool = directTool || tools.find((t) => t?.name === translated.toolName) as StructuredToolInterface | undefined
+    const selectedTool = directTool || tools.find((t) => t?.name === translated.toolName || t?.name?.toLowerCase() === translated.toolName.toLowerCase()) as StructuredToolInterface | undefined
     if (!selectedTool?.invoke) {
       const resolvedName = translated.toolName !== toolName ? translated.toolName : null
       const unavailableReason = resolvedName === 'delegate'
@@ -469,18 +470,19 @@ async function invokeSessionTool(
       return { invoked: false, responseOverride: null, unavailableReason }
     }
 
+    const resolvedToolName = selectedTool.name
     const toolCallId = genId()
-    ctx.emit({ t: 'tool_call', toolName, toolInput: JSON.stringify(translated.args), toolCallId })
+    ctx.emit({ t: 'tool_call', toolName: resolvedToolName, toolInput: JSON.stringify(translated.args), toolCallId })
     const toolOutput = await selectedTool.invoke(translated.args)
     const outputText = typeof toolOutput === 'string' ? toolOutput : JSON.stringify(toolOutput)
-    ctx.emit({ t: 'tool_result', toolName, toolOutput: outputText, toolCallId })
+    ctx.emit({ t: 'tool_result', toolName: resolvedToolName, toolOutput: outputText, toolCallId })
 
     const delegateResponse = (
-      toolName === 'delegate'
-      || toolName.startsWith('delegate_to_')
+      resolvedToolName === 'delegate'
+      || resolvedToolName.startsWith('delegate_to_')
     ) ? extractDelegateResponse(outputText) : null
 
-    calledNames.add(toolName)
+    calledNames.add(resolvedToolName)
 
     if (delegateResponse) {
       return { invoked: true, responseOverride: delegateResponse, toolOutputText: outputText }

package/src/lib/server/chat-execution/prompt-sections.ts

@@ -475,7 +475,7 @@ export async function buildProactiveMemorySection(
       )
       sections.push(`## Recalled Context\nRelevant memories from previous interactions:\n${recalledLines.join('\n')}`)
       if (knowledgeTrace?.hits.length) {
-        const groundingLines = knowledgeTrace.hits.map((hit) =>
+        const groundingLines = knowledgeTrace.hits.slice(0, 10).map((hit) =>
           `- [${hit.chunkIndex + 1}/${hit.chunkCount}] ${hit.sourceTitle}: ${hit.snippet}`,
         )
         sections.push(`## Source Grounding\nSource-backed knowledge retrieved for this turn:\n${groundingLines.join('\n')}`)
@@ -488,7 +488,7 @@ export async function buildProactiveMemorySection(
     }
 
     if (knowledgeTrace?.hits.length) {
-      const groundingLines = knowledgeTrace.hits.map((hit) =>
+      const groundingLines = knowledgeTrace.hits.slice(0, 10).map((hit) =>
         `- [${hit.chunkIndex + 1}/${hit.chunkCount}] ${hit.sourceTitle}: ${hit.snippet}`,
       )
       return {

package/src/lib/server/chat-execution/stream-agent-chat.ts

@@ -695,7 +695,7 @@ async function streamAgentChatCore(opts: StreamAgentChatOpts): Promise<StreamAge
         (result.summaryAdded ? ' (LLM summary)' : ' (sliding window fallback)'),
       )
     }
-  } catch { /* non-critical */ }
+  } catch (compactErr) { log.warn(TAG, `Auto-compaction failed for ${session.id}:`, compactErr) }
 
   // Truncate oversized assistant messages in history to prevent context blowout
   const HISTORY_MSG_MAX_CHARS = 8_000
@@ -787,7 +787,7 @@ async function streamAgentChatCore(opts: StreamAgentChatOpts): Promise<StreamAge
     if (warning) {
       prompt = joinPromptSegments(warning, prompt)
     }
-  } catch { /* non-critical */ }
+  } catch (degradeErr) { log.warn(TAG, `Context degradation check failed for ${session.id}:`, degradeErr) }
 
   await runCapabilityHook(
     'llmInput',

package/src/lib/server/credentials/credential-service.ts

@@ -9,6 +9,9 @@ import {
   loadCredentials,
   saveCredential,
 } from '@/lib/server/credentials/credential-repository'
+import { log } from '@/lib/server/logger'
+
+const TAG = 'credential-service'
 
 export type CredentialSummary = Pick<Credential, 'id' | 'provider' | 'name' | 'createdAt'>
 
@@ -55,7 +58,12 @@ export function resolveCredentialSecret(credentialId: string | null | undefined)
   if (!credential?.encryptedKey) return null
   try {
     return decryptKey(credential.encryptedKey)
-  } catch {
+  } catch (err) {
+    log.warn(TAG, `Failed to decrypt credential "${id}" — CREDENTIAL_SECRET may have changed since this key was stored. Re-add the API key to fix.`, {
+      credentialId: id,
+      provider: credential.provider,
+      error: err instanceof Error ? err.message : String(err),
+    })
     return null
   }
 }

package/src/lib/server/ollama-runtime.ts

@@ -1,5 +1,5 @@
 import { stripOllamaCloudModelSuffix } from '@/lib/ollama-model'
-import { isOllamaCloudEndpoint, resolveStoredOllamaMode } from '@/lib/ollama-mode'
+import { isOllamaCloudEndpoint, normalizeOllamaCloudEndpoint, resolveStoredOllamaMode } from '@/lib/ollama-mode'
 import { PROVIDER_DEFAULTS } from '@/lib/providers/provider-defaults'
 
 const OLLAMA_CLOUD_KEY_ENV_VARS = ['OLLAMA_API_KEY', 'OLLAMA_CLOUD_API_KEY'] as const
@@ -41,7 +41,7 @@ export function resolveOllamaRuntimeConfig(input: {
   const cloudApiKey = resolveOllamaCloudApiKey(explicitApiKey)
   const useCloud = ollamaMode === 'cloud'
   const endpoint = useCloud
-    ? (isOllamaCloudEndpoint(explicitEndpoint) ? explicitEndpoint! : PROVIDER_DEFAULTS.ollamaCloud)
+    ? normalizeOllamaCloudEndpoint(isOllamaCloudEndpoint(explicitEndpoint) ? explicitEndpoint! : PROVIDER_DEFAULTS.ollamaCloud)
     : (explicitEndpoint && !isOllamaCloudEndpoint(explicitEndpoint) ? explicitEndpoint : PROVIDER_DEFAULTS.ollama)
 
   return {

package/src/lib/server/openclaw/gateway.ts

@@ -81,7 +81,14 @@ function normalizeWsUrl(raw: string): string {
 }
 
 function resolveTokenForCredential(credentialId?: string | null): string | undefined {
-  return resolveCredentialSecret(credentialId) || undefined
+  if (!credentialId) return undefined
+  const secret = resolveCredentialSecret(credentialId)
+  if (!secret) {
+    log.warn(TAG, `Credential "${credentialId}" is referenced but could not be resolved — gateway connection will lack a token`, {
+      credentialId,
+    })
+  }
+  return secret || undefined
 }
 
 export function resolveGatewayConfig(target?: {

package/src/lib/server/provider-health.ts

@@ -305,8 +305,10 @@ export async function pingAnthropic(apiKey: string): Promise<{ ok: boolean; mess
 }
 
 export async function pingOllama(endpoint: string, apiKey?: string): Promise<{ ok: boolean; message: string }> {
-  const normalizedEndpoint = (endpoint || 'http://localhost:11434').replace(/\/+$/, '')
+  let normalizedEndpoint = (endpoint || 'http://localhost:11434').replace(/\/+$/, '')
   const useCloud = isOllamaCloudEndpoint(normalizedEndpoint)
+  // Normalize api.ollama.com -> ollama.com to avoid 301 redirect that drops auth
+  if (useCloud) normalizedEndpoint = normalizedEndpoint.replace(/^(https?:\/\/)(?:www\.|api\.)?ollama\.com/i, '$1ollama.com')
   if (useCloud && !apiKey) {
     return { ok: false, message: 'Ollama Cloud requires an API key.' }
   }

package/src/lib/server/runtime/heartbeat-service.ts

@@ -319,10 +319,11 @@ export function buildAgentHeartbeatPrompt(
   agent: HeartbeatPromptAgent | null | undefined,
   fallbackPrompt: string,
   heartbeatFileContent: string,
-  opts?: { approvals?: Record<string, ApprovalRequest>; chatrooms?: Record<string, Chatroom> },
+  opts?: { approvals?: Record<string, ApprovalRequest>; chatrooms?: Record<string, Chatroom>; lightContext?: boolean },
 ): string {
   if (!agent) return fallbackPrompt
 
+  const light = opts?.lightContext === true
   const sections: string[] = []
 
   // ── Phase 1: Identity context ──
@@ -331,11 +332,11 @@ export function buildAgentHeartbeatPrompt(
   const identityContext = buildIdentityContext(session, agent)
   const continuityContext = buildIdentityContinuityContext(session, agent)
   if (identityContext) sections.push(identityContext)
-  if (continuityContext) sections.push(continuityContext)
+  if (!light && continuityContext) sections.push(continuityContext)
   const description = agent.description || ''
   const soul = agent.soul || ''
   if (description) sections.push(`Description: ${description}`)
-  if (soul) sections.push(`Persona: ${soul.slice(0, 300)}`)
+  if (!light && soul) sections.push(`Persona: ${soul.slice(0, 300)}`)
 
   // ── Phase 2: Pending approvals ──
   const agentId = agent.id || session.agentId || ''
@@ -346,7 +347,7 @@ export function buildAgentHeartbeatPrompt(
         (a) => a.status === 'pending' && a.agentId === agentId,
       )
       if (pending.length > 0) {
-        const approvalLines = pending.slice(0, 5).map(
+        const approvalLines = pending.slice(0, light ? 2 : 5).map(
           (a) => `- [${a.category}] ${a.title}${a.description ? `: ${a.description.slice(0, 100)}` : ''}`,
         )
         sections.push(`### Pending Approvals (${pending.length})\n${approvalLines.join('\n')}`)
@@ -366,7 +367,7 @@ export function buildAgentHeartbeatPrompt(
   const dynamicGoal = agent.heartbeatGoal || ''
   const dynamicNextAction = agent.heartbeatNextAction || ''
   const systemPrompt = agent.systemPrompt || ''
-  const goalSummary = systemPrompt.slice(0, 500)
+  const goalSummary = systemPrompt.slice(0, light ? 200 : 500)
 
   if (dynamicGoal) {
     sections.push(`Current goal (self-set): ${dynamicGoal}`)
@@ -377,12 +378,13 @@ export function buildAgentHeartbeatPrompt(
 
   const strippedContent = stripBlockedItems(heartbeatFileContent)
   const effectiveFileContent = isHeartbeatContentEffectivelyEmpty(strippedContent) ? '' : strippedContent
-  if (effectiveFileContent) sections.push(`\nHEARTBEAT.md contents:\n${effectiveFileContent.slice(0, 2000)}`)
+  if (effectiveFileContent) sections.push(`\nHEARTBEAT.md contents:\n${effectiveFileContent.slice(0, light ? 500 : 2000)}`)
 
+  const messageCount = light ? 2 : 5
   const recentMessages = (
     Array.isArray(session.messages)
-      ? session.messages.slice(-5)
-      : (session.id ? getRecentMessages(session.id, 5) : [])
+      ? session.messages.slice(-messageCount)
+      : (session.id ? getRecentMessages(session.id, messageCount) : [])
   ) as HeartbeatPromptMessage[]
   const recentContext = recentMessages
     .map((m) => {
@@ -395,8 +397,8 @@ export function buildAgentHeartbeatPrompt(
     .join('\n')
   if (recentContext) sections.push(`Recent conversation:\n${recentContext}`)
 
-  // ── Phase 4b: Chatroom mentions since last heartbeat ──
-  try {
+  // ── Phase 4b: Chatroom mentions since last heartbeat (skip in light mode) ──
+  if (!light) try {
     const chatrooms = Object.values(opts?.chatrooms ?? loadChatrooms()) as Chatroom[]
     const myChatrooms = chatrooms.filter((c) => !c.archivedAt && c.agentIds?.includes(agentId))
     if (myChatrooms.length > 0) {
@@ -718,6 +720,7 @@ export async function tickHeartbeats() {
     const baseHeartbeatMessage = buildAgentHeartbeatPrompt(session, agent, cfg.prompt, heartbeatFileContent, {
       approvals: sharedApprovals,
       chatrooms: sharedChatrooms,
+      lightContext: cfg.lightContext,
     })
     let heartbeatMessage = isMainSession(session)
       ? buildMainLoopHeartbeatPrompt(session, baseHeartbeatMessage)

package/src/lib/server/session-tools/index.ts

@@ -6,6 +6,8 @@ import { loadSettings, loadSession, loadAgent, loadMcpServers, patchAgent, patch
 import { loadRuntimeSettings } from '@/lib/server/runtime/runtime-settings'
 import { log } from '../logger'
 import { resolveSessionToolPolicy } from '../tool-capability-policy'
+import { truncateToolResultText, calculateMaxToolResultChars } from '../chat-execution/tool-result-guard'
+import { getContextWindowSize } from '../context-manager'
 import { expandExtensionIds } from '../tool-aliases'
 import type { ToolContext, SessionToolsResult, ToolBuildContext, AbortSignalRef } from './context'
 
@@ -455,9 +457,17 @@ export async function buildSessionTools(cwd: string, enabledExtensions: string[]
             }
             const effectiveArgs = hookResult.input ?? guardedArgs
             const result = await candidate.invoke(effectiveArgs ?? {})
-            const outputText = typeof result === 'string' ? result : JSON.stringify(result)
+            const rawOutput = typeof result === 'string' ? result : JSON.stringify(result)
+            // Truncate oversized tool outputs before LangGraph feeds them back to
+            // the LLM.  Without this, a single large tool result (e.g. shell dump,
+            // large web fetch) can blow out the context window inside LangGraph's
+            // internal state, which the auto-compaction system cannot observe.
+            const currentSession = resolveCurrentSession()
+            const maxChars = calculateMaxToolResultChars(getContextWindowSize(currentSession?.provider || '', currentSession?.model || ''))
+            const outputText = truncateToolResultText(rawOutput, maxChars)
             setSpanAttributes(span, {
               'swarmclaw.tool.output_bytes': Buffer.byteLength(outputText, 'utf-8'),
+              ...(rawOutput.length !== outputText.length ? { 'swarmclaw.tool.truncated_from': rawOutput.length } : {}),
             })
             await runCapabilityHook(
               'afterToolExec',

package/src/lib/server/storage.ts

@@ -94,6 +94,21 @@ if (!IS_BUILD_BOOTSTRAP) {
 }
 db.pragma('foreign_keys = ON')
 
+// Graceful shutdown: checkpoint WAL and close the database to prevent
+// corruption when the process is killed (e.g. during npm run update:easy).
+if (!IS_BUILD_BOOTSTRAP) {
+  const shutdownDb = () => {
+    try {
+      db.pragma('wal_checkpoint(TRUNCATE)')
+      db.close()
+    } catch {
+      // Best-effort — process is exiting.
+    }
+  }
+  process.on('SIGTERM', shutdownDb)
+  process.on('SIGINT', shutdownDb)
+}
+
 /** Run a function inside an immediate SQLite transaction for atomicity. */
 export function withTransaction<T>(fn: () => T): T {
   const wrapped = db.transaction(fn)

package/src/proxy.ts

@@ -87,13 +87,19 @@ export function proxy(request: NextRequest) {
     })
   }
 
-  // Only protect API routes (not auth or inbound webhooks)
+  // A2A endpoints use their own authentication (Authorization: Bearer / x-a2a-access-key)
+  const isA2ARoute = pathname === '/api/a2a'
+    || pathname.startsWith('/api/a2a/')
+    || pathname === '/api/.well-known/agent-card'
+
+  // Only protect API routes (not auth, inbound webhooks, or A2A)
   if (
     !pathname.startsWith('/api/')
     || pathname === '/api/auth'
     || pathname === '/api/healthz'
     || isWebhookTrigger
     || isConnectorWebhook
+    || isA2ARoute
   ) {
     return NextResponse.next()
   }