@swarmclawai/swarmclaw 1.5.34 → 1.5.36

package/README.md

@@ -69,6 +69,19 @@ Extension tutorial: https://swarmclaw.ai/docs/extension-tutorial
 
 ## Quick Start
 
+### Desktop app (recommended for non-technical users)
+
+Download the one-click installer from [swarmclaw.ai/downloads](https://swarmclaw.ai/downloads).
+Available for macOS (Apple Silicon & Intel), Windows, and Linux (AppImage + .deb).
+
+Current builds are unsigned, so on first launch:
+- **macOS:** right-click the app in Finder → **Open** → **Open** to bypass Gatekeeper.
+- **Windows:** if SmartScreen appears, click **More info** → **Run anyway**.
+- **Linux (AppImage):** `chmod +x` the downloaded file, then run it.
+
+Data lives in your OS app-data directory (`~/Library/Application Support/SwarmClaw`,
+`%APPDATA%\SwarmClaw`, or `~/.config/SwarmClaw`), separate from any CLI or Docker install.
+
 ### Global install
 
 ```bash
@@ -375,6 +388,20 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.36 Highlights
+
+- **Desktop app (Electron)**: SwarmClaw now ships as a native desktop app for macOS (Apple Silicon + Intel), Windows, and Linux (AppImage + .deb). Download from [swarmclaw.ai/downloads](https://swarmclaw.ai/downloads). The app wraps the existing standalone server inside an Electron shell, stores data in the OS app-data directory, and auto-updates via GitHub Releases (notify-only on unsigned macOS builds).
+- **Desktop release CI**: new `desktop-release.yml` workflow builds and publishes installers for all three platforms to GitHub Releases on every version tag.
+- **UI cleanup**: removed sibling-product navigation links from the in-app sidebar rail and login gate so the open-source app focuses on SwarmClaw itself. Those links remain in the project README and on swarmclaw.ai.
+
+### v1.5.35 Highlights
+
+- **Update safety: prevent DB corruption on Linux**: `npm run update:easy`, `swarmclaw update`, and the in-app update endpoint now stop the running server (or checkpoint the SQLite WAL) before rebuilding native modules, preventing the WAL journal corruption that forced some Linux users back to the setup wizard.
+- **SQLite graceful shutdown**: the server now checkpoints and closes the database on SIGTERM/SIGINT, eliminating stale WAL state after any clean stop.
+- **Doctor: detect dangling gateway credentials**: the setup doctor now flags gateway profiles that reference deleted or missing credentials, explaining the "gateway token missing" connection errors.
+- **Gateway credential resolution logging**: when a gateway credential can't be resolved, the server now logs a clear warning identifying the missing credential ID.
+- **Credential decryption error logging**: when a stored credential can't be decrypted (e.g. after `CREDENTIAL_SECRET` changes), the server now logs the credential ID and provider so users know which key to re-add.
+
 ### v1.5.34 Highlights
 
 - **Ollama Cloud auth fix**: SwarmClaw now normalizes `api.ollama.com` and `www.ollama.com` to `ollama.com` before making authenticated requests, avoiding the redirect that was dropping authorization headers and causing false provider-health/runtime failures.

package/bin/update-cmd.js

@@ -98,6 +98,29 @@ function runRegistrySelfUpdate(
   return 0
 }
 
+function stopRunningServer(logger = { log, logError }) {
+  // Stop the server gracefully before updating to prevent SQLite WAL corruption.
+  try {
+    const serverCmd = path.join(PKG_ROOT, 'bin', 'swarmclaw.js')
+    const status = execFileSync(process.execPath, [serverCmd, 'status'], {
+      encoding: 'utf-8',
+      cwd: PKG_ROOT,
+      timeout: 10_000,
+    }).trim()
+    if (status.toLowerCase().includes('running')) {
+      logger.log('Stopping running server before update...')
+      execFileSync(process.execPath, [serverCmd, 'stop'], {
+        encoding: 'utf-8',
+        cwd: PKG_ROOT,
+        timeout: 15_000,
+      })
+      logger.log('Server stopped.')
+    }
+  } catch {
+    // Server may not be running or status command unavailable — continue.
+  }
+}
+
 function main(args = process.argv.slice(3)) {
   if (args.includes('-h') || args.includes('--help')) {
     console.log(`
@@ -112,9 +135,12 @@ If running from a registry install, update the global package with its owning pa
   try {
     run('git rev-parse --git-dir')
   } catch {
+    stopRunningServer()
     process.exit(runRegistrySelfUpdate())
   }
 
+  stopRunningServer()
+
   const beforeRef = run('git rev-parse HEAD')
   const beforeSha = run('git rev-parse --short HEAD')
 

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.34",
+  "version": "1.5.36",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
+  "main": "electron-dist/main.js",
   "license": "MIT",
   "publishConfig": {
     "access": "public",
@@ -78,6 +79,13 @@
     "test:builder": "tsx --test src/features/protocols/builder/utils/nodes-to-template.test.ts src/features/protocols/builder/utils/template-to-nodes.test.ts src/features/protocols/builder/validators/dag-validator.test.ts",
     "test:e2e": "tsx .workbench/browser-e2e/run.ts",
     "test:mcp:conformance": "node --import tsx ./scripts/mcp-conformance-check.ts",
+    "electron:compile": "tsc -p electron/tsconfig.json",
+    "electron:dev": "npm run electron:compile && electron electron-dist/main.js",
+    "electron:build": "node ./scripts/build-electron.mjs",
+    "electron:build:mac": "node ./scripts/build-electron.mjs --mac",
+    "electron:build:win": "node ./scripts/build-electron.mjs --win",
+    "electron:build:linux": "node ./scripts/build-electron.mjs --linux",
+    "electron:build:publish": "node ./scripts/build-electron.mjs --publish",
     "prepack": "npm run build:ci",
     "postinstall": "node ./scripts/postinstall.mjs"
   },
@@ -114,6 +122,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "commander": "^13.1.0",
+    "electron-updater": "^6.3.9",
     "cron-parser": "^5.5.0",
     "cronstrue": "^3.12.0",
     "dagre": "^0.8.5",
@@ -156,7 +165,10 @@
     "zustand": "^5.0.11"
   },
   "devDependencies": {
+    "@electron/rebuild": "^3.7.2",
     "@types/dagre": "^0.7.54",
+    "electron": "^33.3.0",
+    "electron-builder": "^25.1.8",
     "eslint": "^9",
     "eslint-config-next": "16.1.7"
   },

package/scripts/easy-update.mjs

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
 
+import fs from 'node:fs'
+import path from 'node:path'
 import { spawnSync } from 'node:child_process'
 
 const args = new Set(process.argv.slice(2))
@@ -68,12 +70,33 @@ function getLatestStableTag() {
   return tags.find((tag) => RELEASE_TAG_RE.test(tag)) || null
 }
 
+function stopRunningServer() {
+  // Try to stop the SwarmClaw server gracefully before updating.
+  // An unclean shutdown while npm rebuild replaces native modules
+  // can corrupt the SQLite WAL journal on Linux.
+  const cliPath = path.join(cwd, 'bin', 'swarmclaw.js')
+  if (!fs.existsSync(cliPath)) return
+
+  const status = run('node', [cliPath, 'status'])
+  if (!status.ok || !status.out.toLowerCase().includes('running')) return
+
+  log('Stopping running SwarmClaw server before update...')
+  const stop = run('node', [cliPath, 'stop'])
+  if (stop.ok) {
+    log('Server stopped.')
+  } else {
+    log('Could not stop the server automatically. Please stop it manually before updating.')
+  }
+}
+
 function main() {
   const gitCheck = run('git', ['rev-parse', '--is-inside-work-tree'])
   if (!gitCheck.ok) {
     fail('This folder is not a git repository. Automatic updates require git.')
   }
 
+  stopRunningServer()
+
   const dirty = run('git', ['status', '--porcelain'])
   const isDirty = !!dirty.out
   if (isDirty && !allowDirty) {

package/src/app/api/setup/doctor/route.ts

@@ -3,7 +3,7 @@ import path from 'node:path'
 import { spawnSync } from 'node:child_process'
 import { NextResponse } from 'next/server'
 import { DATA_DIR } from '@/lib/server/data-dir'
-import { loadAgents, loadCredentials, loadSettings } from '@/lib/server/storage'
+import { loadAgents, loadCredentials, loadSettings, loadCollection } from '@/lib/server/storage'
 import { dedup, errorMessage } from '@/lib/shared-utils'
 import { detectDocker } from '@/lib/server/sandbox/docker-detect'
 
@@ -160,6 +160,7 @@ export async function GET(req: Request) {
   }
 
   const credentials = Object.values(loadCredentials() || {})
+  const credentialIds = new Set(credentials.map((c) => (c as Record<string, unknown>).id as string).filter(Boolean))
   if (credentials.length > 0) {
     pushCheck(checks, 'credentials', 'Credentials', 'pass', `${credentials.length} credential(s) saved.`)
   } else {
@@ -167,6 +168,35 @@ export async function GET(req: Request) {
     actions.push('If using cloud providers, add an API key in the setup wizard or Settings → Providers.')
   }
 
+  // Check for undecryptable credentials (CREDENTIAL_SECRET may have changed)
+  if (credentials.length > 0) {
+    try {
+      const { resolveCredentialSecret } = await import('@/lib/server/credentials/credential-service')
+      let undecryptable = 0
+      for (const cred of credentials) {
+        const c = cred as Record<string, unknown>
+        if (c.encryptedKey && !resolveCredentialSecret(c.id as string)) undecryptable++
+      }
+      if (undecryptable > 0) {
+        pushCheck(checks, 'credential-decrypt', 'Credential decryption', 'fail',
+          `${undecryptable} of ${credentials.length} credential(s) cannot be decrypted. CREDENTIAL_SECRET may have changed since these keys were stored.`, true)
+        actions.push('Your CREDENTIAL_SECRET changed (possibly from a container restart). Re-add your API keys in Settings → Providers.')
+      }
+    } catch { /* best-effort */ }
+  }
+
+  // Check for dangling credential references in gateway profiles
+  try {
+    const gateways = Object.values(loadCollection('gateway_profiles') || {}) as Array<Record<string, unknown>>
+    const dangling = gateways.filter((gw) => gw.credentialId && !credentialIds.has(gw.credentialId as string))
+    if (dangling.length > 0) {
+      const names = dangling.map((gw) => gw.name || gw.id).join(', ')
+      pushCheck(checks, 'gateway-credentials', 'Gateway credential references', 'warn',
+        `${dangling.length} gateway profile(s) reference missing credentials: ${names}. This causes "gateway token missing" errors.`)
+      actions.push('Re-add the missing API key in Settings → Gateways, or update the gateway profile to use an existing credential.')
+    }
+  } catch { /* best-effort */ }
+
   const optionalBinaries: Array<{ id: string; label: string; command: string }> = [
     { id: 'claude-cli', label: 'Claude Code CLI', command: 'claude' },
     { id: 'codex-cli', label: 'OpenAI Codex CLI', command: 'codex' },

package/src/app/api/version/update/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { execSync } from 'child_process'
+import { getDb } from '@/lib/server/storage'
 
 const RELEASE_TAG_RE = /^v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/
 
@@ -7,6 +8,19 @@ function run(cmd: string): string {
   return execSync(cmd, { encoding: 'utf-8', cwd: process.cwd(), timeout: 60_000 }).trim()
 }
 
+/**
+ * Checkpoint the SQLite WAL before operations that replace native modules
+ * (npm install rebuilds better-sqlite3). Without this, an unclean WAL state
+ * combined with a replaced native binary can corrupt the database on Linux.
+ */
+function checkpointDatabase(): void {
+  try {
+    getDb().pragma('wal_checkpoint(TRUNCATE)')
+  } catch {
+    // Best-effort — the database may already be in a good state.
+  }
+}
+
 function getLatestStableTag(): string | null {
   const tags = run(`git tag --list 'v*' --sort=-v:refname`)
     .split('\n')
@@ -67,6 +81,9 @@ export async function POST() {
     try {
       const diff = run(`git diff --name-only ${beforeSha}..HEAD`)
       if (diff.includes('package-lock.json') || diff.includes('package.json')) {
+        // Checkpoint WAL before npm install — the postinstall hook rebuilds
+        // better-sqlite3's native module, which can corrupt an open WAL journal.
+        checkpointDatabase()
         run('npm install --omit=dev')
         installedDeps = true
       }

package/src/components/auth/access-key-gate.tsx

@@ -9,11 +9,6 @@ interface AccessKeyGateProps {
 }
 
 const AUTH_CHECK_TIMEOUT_MS = 8_000
-const NETWORK_LINKS = [
-  { href: 'https://www.swarmdock.ai', label: 'SwarmDock' },
-  { href: 'https://swarmrecall.ai', label: 'SwarmRecall' },
-  { href: 'https://swarmrelay.ai', label: 'SwarmRelay' },
-]
 
 function isExpectedAuthCheckError(err: unknown): boolean {
   return isAbortError(err) || isTimeoutError(err)
@@ -427,25 +422,6 @@ export function AccessKeyGate({ onAuthenticated }: AccessKeyGateProps) {
           </>
         )}
 
-        <div className="mt-10 border-t border-white/[0.06] pt-5" style={{ animation: 'fade-up 0.6s var(--ease-spring) 0.35s both' }}>
-          <p className="text-[10px] font-700 uppercase tracking-[0.18em] text-text-3/55">
-            Network
-          </p>
-          <div className="mt-3 flex flex-wrap items-center justify-center gap-2.5">
-            {NETWORK_LINKS.map((link) => (
-              <a
-                key={link.href}
-                href={link.href}
-                target="_blank"
-                rel="noopener noreferrer"
-                className="rounded-full border border-white/[0.08] bg-white/[0.03] px-3 py-1.5 text-[12px] text-text-3
-                  no-underline transition-all duration-200 hover:border-white/[0.14] hover:bg-white/[0.06] hover:text-text"
-              >
-                {link.label}
-              </a>
-            ))}
-          </div>
-        </div>
       </div>
     </div>
   )

package/src/components/layout/sidebar-rail.tsx

@@ -17,11 +17,6 @@ import type { AppView } from '@/types'
 const RAIL_EXPANDED_KEY = 'sc_rail_expanded'
 const GITHUB_REPO_URL = 'https://github.com/swarmclawai/swarmclaw'
 const DISCORD_URL = 'https://discord.gg/sbEavS8cPV'
-const NETWORK_LINKS = [
-  { href: 'https://www.swarmdock.ai', label: 'SwarmDock', abbr: 'DO' },
-  { href: 'https://swarmrecall.ai', label: 'SwarmRecall', abbr: 'RE' },
-  { href: 'https://swarmrelay.ai', label: 'SwarmRelay', abbr: 'RL' },
-]
 
 export function SidebarRail({
   onSwitchUser,
@@ -394,48 +389,6 @@ export function SidebarRail({
 
         {/* Bottom: Docs + Daemon + Settings + User */}
         <div className={`flex flex-col gap-1 ${railExpanded ? 'px-3' : 'items-center'}`}>
-          {railExpanded ? (
-            <div className="mb-1">
-              <div className="px-3 pb-1 text-[10px] font-700 uppercase tracking-[0.12em] text-text-3/45">Network</div>
-              <div className="flex flex-col gap-1">
-                {NETWORK_LINKS.map((link) => (
-                  <a
-                    key={link.href}
-                    href={link.href}
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    className="w-full flex items-center gap-2.5 px-3 py-2 rounded-[10px] text-[13px] font-500 cursor-pointer transition-all
-                      bg-transparent text-text-3 hover:text-text hover:bg-white/[0.04] no-underline"
-                    style={{ fontFamily: 'inherit' }}
-                  >
-                    <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-[6px] border border-white/[0.08] bg-white/[0.03] text-[10px] font-700 uppercase tracking-[0.08em] text-text-3/80">
-                      {link.abbr}
-                    </span>
-                    {link.label}
-                    <svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2.5" strokeLinecap="round" className="ml-auto opacity-40">
-                      <path d="M18 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6" /><polyline points="15 3 21 3 21 9" /><line x1="10" y1="14" x2="21" y2="3" />
-                    </svg>
-                  </a>
-                ))}
-              </div>
-            </div>
-          ) : (
-            <>
-              <div className="my-1 h-px w-6 bg-white/[0.06]" />
-              {NETWORK_LINKS.map((link) => (
-                <RailTooltip key={link.href} label={link.label} description="Open product site in a new tab">
-                  <a
-                    href={link.href}
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    className="rail-btn text-[10px] font-700 uppercase tracking-[0.08em] no-underline"
-                  >
-                    {link.abbr}
-                  </a>
-                </RailTooltip>
-              ))}
-            </>
-          )}
           {railExpanded ? (
             <a
               href="https://swarmclaw.ai/docs"

package/src/lib/server/credentials/credential-service.ts

@@ -9,6 +9,9 @@ import {
   loadCredentials,
   saveCredential,
 } from '@/lib/server/credentials/credential-repository'
+import { log } from '@/lib/server/logger'
+
+const TAG = 'credential-service'
 
 export type CredentialSummary = Pick<Credential, 'id' | 'provider' | 'name' | 'createdAt'>
 
@@ -55,7 +58,12 @@ export function resolveCredentialSecret(credentialId: string | null | undefined)
   if (!credential?.encryptedKey) return null
   try {
     return decryptKey(credential.encryptedKey)
-  } catch {
+  } catch (err) {
+    log.warn(TAG, `Failed to decrypt credential "${id}" — CREDENTIAL_SECRET may have changed since this key was stored. Re-add the API key to fix.`, {
+      credentialId: id,
+      provider: credential.provider,
+      error: err instanceof Error ? err.message : String(err),
+    })
     return null
   }
 }

package/src/lib/server/openclaw/gateway.ts

@@ -81,7 +81,14 @@ function normalizeWsUrl(raw: string): string {
 }
 
 function resolveTokenForCredential(credentialId?: string | null): string | undefined {
-  return resolveCredentialSecret(credentialId) || undefined
+  if (!credentialId) return undefined
+  const secret = resolveCredentialSecret(credentialId)
+  if (!secret) {
+    log.warn(TAG, `Credential "${credentialId}" is referenced but could not be resolved — gateway connection will lack a token`, {
+      credentialId,
+    })
+  }
+  return secret || undefined
 }
 
 export function resolveGatewayConfig(target?: {

package/src/lib/server/storage.ts

@@ -94,6 +94,21 @@ if (!IS_BUILD_BOOTSTRAP) {
 }
 db.pragma('foreign_keys = ON')
 
+// Graceful shutdown: checkpoint WAL and close the database to prevent
+// corruption when the process is killed (e.g. during npm run update:easy).
+if (!IS_BUILD_BOOTSTRAP) {
+  const shutdownDb = () => {
+    try {
+      db.pragma('wal_checkpoint(TRUNCATE)')
+      db.close()
+    } catch {
+      // Best-effort — process is exiting.
+    }
+  }
+  process.on('SIGTERM', shutdownDb)
+  process.on('SIGINT', shutdownDb)
+}
+
 /** Run a function inside an immediate SQLite transaction for atomicity. */
 export function withTransaction<T>(fn: () => T): T {
   const wrapped = db.transaction(fn)