@swarmclawai/swarmclaw 1.5.49 → 1.5.50

package/README.md

@@ -396,6 +396,10 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.50 Highlights
+
+- **Fix: opencode-web remote instances no longer fail with `EACCES`**: SwarmClaw used to send the local workspace path (e.g. `/root/.swarmclaw/workspace`) as a `directory=` query parameter on every opencode-web request. Remote opencode-web instances tried to `lstat` that path and rejected the call. The provider now auto-detects local vs. remote from the endpoint hostname (`localhost`, `127.0.0.1`, `::1`, `0.0.0.0`) and only sends `directory=` when the endpoint is local. Thanks to [@SteamedFish](https://github.com/SteamedFish) for the detailed root-cause writeup in [#45](https://github.com/swarmclawai/swarmclaw/issues/45).
+
 ### v1.5.49 Highlights
 
 - **Autonomous Missions**: a new first-class concept for long-running, goal-driven agent work. Hand your agent team a goal on Friday, come back Monday to see what they shipped. Each mission carries a title, a natural-language objective, bulleted success criteria, hard budgets (USD, tokens, turns, wallclock), periodic markdown reports, and a full milestone timeline. Missions drive any session through the existing heartbeat pipeline, so delegation to Claude Code, Codex, OpenCode, Cursor, Droid, Goose, Qwen, or native SwarmClaw agents all work without changes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.49",
+  "version": "1.5.50",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "main": "electron-dist/main.js",
   "license": "MIT",

package/src/lib/providers/opencode-web.test.ts

@@ -6,6 +6,8 @@ import {
   parseModelId,
   joinUrl,
   SseLineParser,
+  isLocalEndpoint,
+  buildDirectoryQuery,
 } from '@/lib/providers/opencode-web'
 
 describe('opencode-web parseBasicAuth', () => {
@@ -77,6 +79,49 @@ describe('opencode-web joinUrl', () => {
   })
 })
 
+describe('opencode-web isLocalEndpoint', () => {
+  it('returns true for loopback hostnames', () => {
+    assert.equal(isLocalEndpoint('http://localhost:4096'), true)
+    assert.equal(isLocalEndpoint('http://127.0.0.1:4096'), true)
+    assert.equal(isLocalEndpoint('http://[::1]:4096'), true)
+    assert.equal(isLocalEndpoint('http://0.0.0.0:4096'), true)
+  })
+
+  it('honours https and no-port variants', () => {
+    assert.equal(isLocalEndpoint('https://localhost'), true)
+    assert.equal(isLocalEndpoint('https://127.0.0.1/'), true)
+  })
+
+  it('is case-insensitive on hostname', () => {
+    assert.equal(isLocalEndpoint('http://LOCALHOST:4096'), true)
+  })
+
+  it('returns false for public hostnames and LAN addresses', () => {
+    assert.equal(isLocalEndpoint('http://example.com'), false)
+    assert.equal(isLocalEndpoint('https://opencode.example.internal'), false)
+    assert.equal(isLocalEndpoint('http://192.168.1.100:4096'), false)
+    assert.equal(isLocalEndpoint('http://10.0.0.5:4096'), false)
+  })
+
+  it('fails safe (remote) on malformed input', () => {
+    assert.equal(isLocalEndpoint('not-a-url'), false)
+    assert.equal(isLocalEndpoint(''), false)
+  })
+})
+
+describe('opencode-web buildDirectoryQuery', () => {
+  it('returns an empty string when cwd is null / undefined / empty', () => {
+    assert.equal(buildDirectoryQuery(null), '')
+    assert.equal(buildDirectoryQuery(undefined), '')
+    assert.equal(buildDirectoryQuery(''), '')
+  })
+
+  it('returns a URL-encoded directory query when cwd is set', () => {
+    assert.equal(buildDirectoryQuery('/root/.swarmclaw/workspace'), '?directory=%2Froot%2F.swarmclaw%2Fworkspace')
+    assert.equal(buildDirectoryQuery('/tmp/has space'), '?directory=%2Ftmp%2Fhas%20space')
+  })
+})
+
 describe('opencode-web SseLineParser', () => {
   it('emits one event per data: line and ignores comments / event: / id:', () => {
     const events: unknown[] = []

package/src/lib/providers/opencode-web.ts

@@ -60,6 +60,35 @@ export function joinUrl(baseUrl: string, path: string): string {
   return `${base}${suffix}`
 }
 
+const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1', '0.0.0.0'])
+
+/**
+ * Returns true when the endpoint points at an opencode-web instance on the
+ * same machine as swarmclaw. Only local instances share swarmclaw's filesystem,
+ * so the `directory=` query parameter (which names a local workspace path) is
+ * only meaningful there. Remote instances get an `EACCES` when they try to
+ * `lstat` a path that exists only on the swarmclaw host (issue #45).
+ *
+ * Malformed URLs are treated as remote. That is the safe default: better to
+ * omit the directory hint than to leak a local path to an unknown host.
+ */
+export function isLocalEndpoint(endpoint: string): boolean {
+  try {
+    let hostname = new URL(endpoint).hostname
+    if (hostname.startsWith('[') && hostname.endsWith(']')) {
+      hostname = hostname.slice(1, -1)
+    }
+    return LOCAL_HOSTNAMES.has(hostname.toLowerCase())
+  } catch {
+    return false
+  }
+}
+
+export function buildDirectoryQuery(cwd: string | null | undefined): string {
+  if (!cwd) return ''
+  return `?directory=${encodeURIComponent(cwd)}`
+}
+
 /**
  * Stateful SSE line parser. Buffers across chunk boundaries and emits
  * one parsed JSON object per `data:` line. Lines that do not start with
@@ -125,11 +154,11 @@ interface CreateSessionResponse { id?: string; sessionID?: string; sessionId?: s
 
 async function createSession(opts: {
   endpoint: string
-  cwd: string
+  cwd: string | null
   authHeader: string | undefined
   signal: AbortSignal
 }): Promise<string> {
-  const url = `${joinUrl(opts.endpoint, '/session')}?directory=${encodeURIComponent(opts.cwd)}`
+  const url = `${joinUrl(opts.endpoint, '/session')}${buildDirectoryQuery(opts.cwd)}`
   const res = await fetch(url, {
     method: 'POST',
     headers: {
@@ -157,14 +186,14 @@ async function createSession(opts: {
 async function postPrompt(opts: {
   endpoint: string
   sessionId: string
-  cwd: string
+  cwd: string | null
   prompt: string
   providerID: string
   modelID: string
   authHeader: string | undefined
   signal: AbortSignal
 }): Promise<{ status: number }> {
-  const url = `${joinUrl(opts.endpoint, `/session/${encodeURIComponent(opts.sessionId)}/prompt_async`)}?directory=${encodeURIComponent(opts.cwd)}`
+  const url = `${joinUrl(opts.endpoint, `/session/${encodeURIComponent(opts.sessionId)}/prompt_async`)}${buildDirectoryQuery(opts.cwd)}`
   const res = await fetch(url, {
     method: 'POST',
     headers: {
@@ -209,7 +238,9 @@ export function streamOpenCodeWebChat(opts: StreamChatOptions): Promise<string>
   const { session, message, systemPrompt, apiKey, write, active, signal } = opts
 
   const endpoint = (session.apiEndpoint as string | undefined) || DEFAULT_ENDPOINT
-  const cwd = (session.cwd as string | undefined) || process.cwd()
+  const cwd = isLocalEndpoint(endpoint)
+    ? ((session.cwd as string | undefined) || process.cwd())
+    : null
   const auth = parseBasicAuth(apiKey)
   const authHeader = buildAuthHeader(auth)
   const { providerID, modelID } = parseModelId(session.model as string | undefined)