@swarmclawai/swarmclaw 1.5.49 → 1.5.51

package/README.md

@@ -81,8 +81,11 @@ Extension tutorial: https://swarmclaw.ai/docs/extension-tutorial
 Download the one-click installer from [swarmclaw.ai/downloads](https://swarmclaw.ai/downloads).
 Available for macOS (Apple Silicon & Intel), Windows, and Linux (AppImage + .deb).
 
-Current builds are unsigned, so on first launch:
-- **macOS:** right-click the app in Finder → **Open** → **Open** to bypass Gatekeeper.
+Current builds are ad-hoc signed but not notarized, so on first launch:
+- **macOS:** right-click the app in Finder → **Open** → **Open** to bypass Gatekeeper. If macOS instead reports *"SwarmClaw is damaged and can't be opened"* (common on Apple Silicon when the dmg was quarantined by Safari), strip the quarantine attribute and relaunch:
+  ```bash
+  xattr -dr com.apple.quarantine /Applications/SwarmClaw.app
+  ```
 - **Windows:** if SmartScreen appears, click **More info** → **Run anyway**.
 - **Linux (AppImage):** `chmod +x` the downloaded file, then run it.
 
@@ -396,6 +399,22 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.5.51 Highlights
+
+- **Desktop app now actually opens and renders on macOS**: packaged builds were broken in v1.5.50 by a stack of independent issues that each masked the next. This release unblocks the cold-boot path end to end. Measured cold-boot time on a populated install: ~1 second to first `/api/healthz` response, down from a hard 60-second timeout.
+  - Ad-hoc code signing (`identity: '-'`) via a new `scripts/electron-after-pack.cjs` hook that runs `codesign --sign - --force --deep` after electron-builder packages the bundle. The bundle identifier is now sealed as `ai.swarmclaw.desktop` with all 74k resources sealed, so quarantined dmgs surface as "unidentified developer" (right-click → Open) instead of the more confusing "damaged" error.
+  - Per-architecture native module sync: the afterPack hook copies `better-sqlite3`, `@mongodb-js/zstd`, `node-liblzma`, and `utf-8-validate` `.node` binaries from the electron-builder-rebuilt root `node_modules` into the packaged `.next/standalone/node_modules`. Without this, the standalone server hit `ERR_DLOPEN_FAILED: NODE_MODULE_VERSION 137` on launch because Next.js's output-tracing copied the Node-ABI build of better-sqlite3 into standalone while electron-builder only rebuilt the root tree for Electron's ABI.
+  - `scripts/run-next-build.mjs` now copies `mdn-data` (used by `css-tree` via `jsdom`) into standalone alongside the existing `css-tree/data` patch, so pages that depend on it don't 500 with `Cannot find module 'mdn-data/css/at-rules.json'`.
+  - `isomorphic-dompurify` replaced by the browser-only `dompurify` in `agent-avatar.tsx`. The isomorphic wrapper was pulling `jsdom`'s ESM-only `@exodus/bytes` dep into every server bundle the avatar was referenced from, which blew up SSR under Electron 33 (Node 20.18) with `ERR_REQUIRE_ESM` on every page.
+  - Session-consolidation migrations, `initWsServer`, and `ensureDaemonStarted` moved into a `setImmediate` deferred block in `src/instrumentation.ts` so Next.js can bind the HTTP listener before per-install work runs.
+- **App icon fixed**: the Dock no longer shows Electron's default `exec` placeholder. `scripts/gen-icons.mjs` generates `resources/icon.icns`, `resources/icon.ico`, and `resources/icon.png` from `public/branding/swarmclaw-org-avatar.png`; the main process sets the Dock icon at launch and passes it to every `BrowserWindow`.
+- **Embedded server log file + improved failure dialog**: the Electron wrapper now tees the child Next.js server's stdout/stderr into `<userData>/logs/server.log` (`~/Library/Application Support/@swarmclawai/swarmclaw/logs/server.log` on macOS, 1 MB rotation). If startup fails or the server exits, the error dialog shows the tail of the log inline and exposes an **Open Logs Folder** button that jumps Finder straight to the file. This is what made root-cause debugging possible in the first place — if you hit any kind of regression here, grab that log and open an issue.
+- **Embedded server timeout raised from 60s to 5 minutes**: a safety net. On a healthy install the server is up in about a second; 300 seconds is there for pathological cold boots (very large data dirs, contested Apple Silicon Gatekeeper verification on unsigned binaries, etc.) and should never be hit in normal use.
+
+### v1.5.50 Highlights
+
+- **Fix: opencode-web remote instances no longer fail with `EACCES`**: SwarmClaw used to send the local workspace path (e.g. `/root/.swarmclaw/workspace`) as a `directory=` query parameter on every opencode-web request. Remote opencode-web instances tried to `lstat` that path and rejected the call. The provider now auto-detects local vs. remote from the endpoint hostname (`localhost`, `127.0.0.1`, `::1`, `0.0.0.0`) and only sends `directory=` when the endpoint is local. Thanks to [@SteamedFish](https://github.com/SteamedFish) for the detailed root-cause writeup in [#45](https://github.com/swarmclawai/swarmclaw/issues/45).
+
 ### v1.5.49 Highlights
 
 - **Autonomous Missions**: a new first-class concept for long-running, goal-driven agent work. Hand your agent team a goal on Friday, come back Monday to see what they shipped. Each mission carries a title, a natural-language objective, bulleted success criteria, hard budgets (USD, tokens, turns, wallclock), periodic markdown reports, and a full milestone timeline. Missions drive any session through the existing heartbeat pipeline, so delegation to Claude Code, Codex, OpenCode, Cursor, Droid, Goose, Qwen, or native SwarmClaw agents all work without changes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.5.49",
+  "version": "1.5.51",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "main": "electron-dist/main.js",
   "license": "MIT",
@@ -101,10 +101,10 @@
     "@langchain/langgraph": "^1.2.2",
     "@langchain/openai": "^1.2.8",
     "@modelcontextprotocol/sdk": "^1.27.1",
+    "@multiavatar/multiavatar": "^1.0.7",
     "@opentelemetry/api": "^1.9.1",
     "@opentelemetry/exporter-trace-otlp-http": "^0.214.0",
     "@opentelemetry/sdk-node": "^0.214.0",
-    "@multiavatar/multiavatar": "^1.0.7",
     "@playwright/mcp": "^0.0.68",
     "@slack/bolt": "^4.6.0",
     "@swarmdock/sdk": "^0.5.3",
@@ -127,17 +127,17 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "commander": "^13.1.0",
-    "electron-updater": "^6.3.9",
     "cron-parser": "^5.5.0",
     "cronstrue": "^3.12.0",
     "dagre": "^0.8.5",
     "discord.js": "^14.25.1",
+    "electron-updater": "^6.3.9",
     "ethers": "^6.16.0",
     "exceljs": "^4.4.0",
     "grammy": "^1.40.0",
     "highlight.js": "^11.11.1",
+    "dompurify": "^3.3.3",
     "imapflow": "^1.2.11",
-    "isomorphic-dompurify": "^3.7.1",
     "just-bash": "^2.14.0",
     "langchain": "^1.2.30",
     "lucide-react": "^0.574.0",
@@ -175,7 +175,8 @@
     "electron": "^33.3.0",
     "electron-builder": "^25.1.8",
     "eslint": "^9",
-    "eslint-config-next": "16.1.7"
+    "eslint-config-next": "16.1.7",
+    "png-to-ico": "^3.0.1"
   },
   "optionalDependencies": {
     "botbuilder": "^4.23.3",

package/scripts/run-next-build.mjs

@@ -164,14 +164,27 @@ export function repairStandaloneCssTreeData(cwd = process.cwd()) {
   const standaloneDir = path.join(cwd, '.next', 'standalone')
   if (!fs.existsSync(standaloneDir)) return false
 
-  const dataDst = path.join(standaloneDir, 'node_modules', 'css-tree', 'data')
-  if (fs.existsSync(dataDst)) return false
+  let repaired = false
 
-  const dataSrc = path.join(cwd, 'node_modules', 'css-tree', 'data')
-  if (!fs.existsSync(dataSrc)) return false
+  const cssTreeDst = path.join(standaloneDir, 'node_modules', 'css-tree', 'data')
+  const cssTreeSrc = path.join(cwd, 'node_modules', 'css-tree', 'data')
+  if (!fs.existsSync(cssTreeDst) && fs.existsSync(cssTreeSrc)) {
+    fs.cpSync(cssTreeSrc, cssTreeDst, { recursive: true, force: true })
+    repaired = true
+  }
 
-  fs.cpSync(dataSrc, dataDst, { recursive: true, force: true })
-  return true
+  // css-tree's CJS entry calls require('mdn-data/css/*.json') at load time,
+  // and Next's output-tracing does not pull the raw JSON data files into the
+  // standalone tree. Copy them in so jsdom (via css-tree) loads correctly
+  // under the packaged app.
+  const mdnDataDst = path.join(standaloneDir, 'node_modules', 'mdn-data')
+  const mdnDataSrc = path.join(cwd, 'node_modules', 'mdn-data')
+  if (!fs.existsSync(mdnDataDst) && fs.existsSync(mdnDataSrc)) {
+    fs.cpSync(mdnDataSrc, mdnDataDst, { recursive: true, force: true })
+    repaired = true
+  }
+
+  return repaired
 }
 
 export function repairStandaloneNextMetadata(cwd = process.cwd()) {

package/src/components/agents/agent-avatar.tsx

@@ -2,9 +2,15 @@
 
 import { useMemo } from 'react'
 import multiavatar from '@multiavatar/multiavatar'
-import DOMPurify from 'isomorphic-dompurify'
+import DOMPurify from 'dompurify'
 
+// The browser DOMPurify package runs client-side only; this component is a
+// 'use client' boundary so sanitizeSvg only executes after hydration where
+// `window` is available. We previously used isomorphic-dompurify, but that
+// pulls jsdom (and its @exodus/bytes ESM deps) into every server bundle the
+// component is referenced from, which breaks SSR under Electron 33's Node 20.
 function sanitizeSvg(svg: string): string {
+  if (typeof window === 'undefined') return svg
   return DOMPurify.sanitize(svg, { USE_PROFILES: { svg: true, svgFilters: true } })
 }
 

package/src/instrumentation.ts

@@ -10,25 +10,29 @@ export async function register() {
     const { initWsServer, closeWsServer } = await import('./lib/server/ws-hub')
     const { ensureDaemonStarted } = await import('@/lib/server/runtime/daemon-state')
     await ensureOpenTelemetryStarted()
-    
-    // One-time migration: backfill allKnownPeerIds on existing connector sessions
-    try {
-      const { backfillAllKnownPeerIds, pruneThreadConnectorMirrors } = await import('@/lib/server/connectors/session-consolidation')
-      backfillAllKnownPeerIds()
-      pruneThreadConnectorMirrors()
-    } catch (err) {
-      log.error(TAG, 'connector session consolidation failed:', err)
-    }
 
-    // In worker-only mode, we FORCE the daemon to start, but skip the WebSocket listener
-    if (isWorkerOnly) {
-      log.info(TAG, 'Booting in WORKER ONLY mode')
-      ensureDaemonStarted('worker-boot')
-    } else {
-      // In normal mode, we start the WS server, and conditionally start the daemon if autostart allows
-      initWsServer()
-      ensureDaemonStarted('instrumentation')
-    }
+    // Defer migrations, WS init, and daemon startup so the HTTP listener can bind
+    // and /api/healthz can respond immediately. Heavy per-install work (session
+    // migrations on large data dirs, daemon recovery) no longer gates first boot.
+    setImmediate(() => {
+      void (async () => {
+        try {
+          const { backfillAllKnownPeerIds, pruneThreadConnectorMirrors } = await import('@/lib/server/connectors/session-consolidation')
+          backfillAllKnownPeerIds()
+          pruneThreadConnectorMirrors()
+        } catch (err) {
+          log.error(TAG, 'connector session consolidation failed:', err)
+        }
+
+        if (isWorkerOnly) {
+          log.info(TAG, 'Booting in WORKER ONLY mode')
+          ensureDaemonStarted('worker-boot')
+        } else {
+          initWsServer()
+          ensureDaemonStarted('instrumentation')
+        }
+      })()
+    })
 
     // Graceful shutdown: stop background services and close WS connections
     const shutdownState = hmrSingleton('__swarmclaw_shutdown_state__', () => ({

package/src/lib/providers/opencode-web.test.ts

@@ -6,6 +6,8 @@ import {
   parseModelId,
   joinUrl,
   SseLineParser,
+  isLocalEndpoint,
+  buildDirectoryQuery,
 } from '@/lib/providers/opencode-web'
 
 describe('opencode-web parseBasicAuth', () => {
@@ -77,6 +79,49 @@ describe('opencode-web joinUrl', () => {
   })
 })
 
+describe('opencode-web isLocalEndpoint', () => {
+  it('returns true for loopback hostnames', () => {
+    assert.equal(isLocalEndpoint('http://localhost:4096'), true)
+    assert.equal(isLocalEndpoint('http://127.0.0.1:4096'), true)
+    assert.equal(isLocalEndpoint('http://[::1]:4096'), true)
+    assert.equal(isLocalEndpoint('http://0.0.0.0:4096'), true)
+  })
+
+  it('honours https and no-port variants', () => {
+    assert.equal(isLocalEndpoint('https://localhost'), true)
+    assert.equal(isLocalEndpoint('https://127.0.0.1/'), true)
+  })
+
+  it('is case-insensitive on hostname', () => {
+    assert.equal(isLocalEndpoint('http://LOCALHOST:4096'), true)
+  })
+
+  it('returns false for public hostnames and LAN addresses', () => {
+    assert.equal(isLocalEndpoint('http://example.com'), false)
+    assert.equal(isLocalEndpoint('https://opencode.example.internal'), false)
+    assert.equal(isLocalEndpoint('http://192.168.1.100:4096'), false)
+    assert.equal(isLocalEndpoint('http://10.0.0.5:4096'), false)
+  })
+
+  it('fails safe (remote) on malformed input', () => {
+    assert.equal(isLocalEndpoint('not-a-url'), false)
+    assert.equal(isLocalEndpoint(''), false)
+  })
+})
+
+describe('opencode-web buildDirectoryQuery', () => {
+  it('returns an empty string when cwd is null / undefined / empty', () => {
+    assert.equal(buildDirectoryQuery(null), '')
+    assert.equal(buildDirectoryQuery(undefined), '')
+    assert.equal(buildDirectoryQuery(''), '')
+  })
+
+  it('returns a URL-encoded directory query when cwd is set', () => {
+    assert.equal(buildDirectoryQuery('/root/.swarmclaw/workspace'), '?directory=%2Froot%2F.swarmclaw%2Fworkspace')
+    assert.equal(buildDirectoryQuery('/tmp/has space'), '?directory=%2Ftmp%2Fhas%20space')
+  })
+})
+
 describe('opencode-web SseLineParser', () => {
   it('emits one event per data: line and ignores comments / event: / id:', () => {
     const events: unknown[] = []

package/src/lib/providers/opencode-web.ts

@@ -60,6 +60,35 @@ export function joinUrl(baseUrl: string, path: string): string {
   return `${base}${suffix}`
 }
 
+const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1', '0.0.0.0'])
+
+/**
+ * Returns true when the endpoint points at an opencode-web instance on the
+ * same machine as swarmclaw. Only local instances share swarmclaw's filesystem,
+ * so the `directory=` query parameter (which names a local workspace path) is
+ * only meaningful there. Remote instances get an `EACCES` when they try to
+ * `lstat` a path that exists only on the swarmclaw host (issue #45).
+ *
+ * Malformed URLs are treated as remote. That is the safe default: better to
+ * omit the directory hint than to leak a local path to an unknown host.
+ */
+export function isLocalEndpoint(endpoint: string): boolean {
+  try {
+    let hostname = new URL(endpoint).hostname
+    if (hostname.startsWith('[') && hostname.endsWith(']')) {
+      hostname = hostname.slice(1, -1)
+    }
+    return LOCAL_HOSTNAMES.has(hostname.toLowerCase())
+  } catch {
+    return false
+  }
+}
+
+export function buildDirectoryQuery(cwd: string | null | undefined): string {
+  if (!cwd) return ''
+  return `?directory=${encodeURIComponent(cwd)}`
+}
+
 /**
  * Stateful SSE line parser. Buffers across chunk boundaries and emits
  * one parsed JSON object per `data:` line. Lines that do not start with
@@ -125,11 +154,11 @@ interface CreateSessionResponse { id?: string; sessionID?: string; sessionId?: s
 
 async function createSession(opts: {
   endpoint: string
-  cwd: string
+  cwd: string | null
   authHeader: string | undefined
   signal: AbortSignal
 }): Promise<string> {
-  const url = `${joinUrl(opts.endpoint, '/session')}?directory=${encodeURIComponent(opts.cwd)}`
+  const url = `${joinUrl(opts.endpoint, '/session')}${buildDirectoryQuery(opts.cwd)}`
   const res = await fetch(url, {
     method: 'POST',
     headers: {
@@ -157,14 +186,14 @@ async function createSession(opts: {
 async function postPrompt(opts: {
   endpoint: string
   sessionId: string
-  cwd: string
+  cwd: string | null
   prompt: string
   providerID: string
   modelID: string
   authHeader: string | undefined
   signal: AbortSignal
 }): Promise<{ status: number }> {
-  const url = `${joinUrl(opts.endpoint, `/session/${encodeURIComponent(opts.sessionId)}/prompt_async`)}?directory=${encodeURIComponent(opts.cwd)}`
+  const url = `${joinUrl(opts.endpoint, `/session/${encodeURIComponent(opts.sessionId)}/prompt_async`)}${buildDirectoryQuery(opts.cwd)}`
   const res = await fetch(url, {
     method: 'POST',
     headers: {
@@ -209,7 +238,9 @@ export function streamOpenCodeWebChat(opts: StreamChatOptions): Promise<string>
   const { session, message, systemPrompt, apiKey, write, active, signal } = opts
 
   const endpoint = (session.apiEndpoint as string | undefined) || DEFAULT_ENDPOINT
-  const cwd = (session.cwd as string | undefined) || process.cwd()
+  const cwd = isLocalEndpoint(endpoint)
+    ? ((session.cwd as string | undefined) || process.cwd())
+    : null
   const auth = parseBasicAuth(apiKey)
   const authHeader = buildAuthHeader(auth)
   const { providerID, modelID } = parseModelId(session.model as string | undefined)