@swarmclawai/swarmclaw 1.9.32 → 1.9.33

package/README.md

@@ -151,6 +151,16 @@ openclaw skills install swarmclaw
 
 [Browse on ClawHub](https://clawhub.ai/waydelyle/swarmclaw)
 
+## v1.9.33 Highlights
+
+Issue and PR validation release for credential durability, delegated task dispatch, connector output hygiene, and OpenClaw gateway protocol compatibility.
+
+- **Credential durability.** Execute-tool credential injection now reads the persisted `encryptedKey` field, and `CREDENTIAL_SECRET` now resolves in a stable order: explicit environment value, `DATA_DIR/credential-secret`, legacy env files, then generated fallback.
+- **Delegated task dispatch.** Agent-created tasks delegated to another agent auto-queue when no explicit status is supplied, and failed dead-lettered tasks can be requeued through `POST /api/tasks/:id/retry`.
+- **Connector output hygiene.** Connector replies now reuse the internal metadata scrubber before delivery and persistence, while successful non-connector delivery tool output is no longer overwritten as an unconfirmed send.
+- **Agent and gateway compatibility.** Agent updates preserve workspace filesystem settings, and OpenClaw gateway routes now use protocol version 4.
+- **Regression coverage.** Added tests for credential env injection, secret precedence, delegated queueing, failed-task retry, connector sanitization, agent workspace settings, and OpenClaw gateway protocol exports.
+
 ## v1.9.32 Highlights
 
 PR integration release for background model routing, reflection memory controls, and current ClawHub install guidance.
@@ -435,6 +445,16 @@ Operational docs: https://swarmclaw.ai/docs/observability
 
 ## Releases
 
+### v1.9.33 Highlights
+
+Issue and PR validation release for credential durability, delegated task dispatch, connector output hygiene, and OpenClaw gateway protocol compatibility.
+
+- **Credential durability.** Execute-tool credential injection now reads the persisted `encryptedKey` field, and `CREDENTIAL_SECRET` now resolves in a stable order: explicit environment value, `DATA_DIR/credential-secret`, legacy env files, then generated fallback.
+- **Delegated task dispatch.** Agent-created tasks delegated to another agent auto-queue when no explicit status is supplied, and failed dead-lettered tasks can be requeued through `POST /api/tasks/:id/retry`.
+- **Connector output hygiene.** Connector replies now reuse the internal metadata scrubber before delivery and persistence, while successful non-connector delivery tool output is no longer overwritten as an unconfirmed send.
+- **Agent and gateway compatibility.** Agent updates preserve workspace filesystem settings, and OpenClaw gateway routes now use protocol version 4.
+- **Regression coverage.** Added tests for credential env injection, secret precedence, delegated queueing, failed-task retry, connector sanitization, agent workspace settings, and OpenClaw gateway protocol exports.
+
 ### v1.9.32 Highlights
 
 PR integration release for background model routing, reflection memory controls, and current ClawHub install guidance.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarmclawai/swarmclaw",
-  "version": "1.9.32",
+  "version": "1.9.33",
   "description": "Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.",
   "main": "electron-dist/main.js",
   "license": "MIT",
@@ -154,7 +154,7 @@
     "next": "16.2.4",
     "next-themes": "^0.4.6",
     "nodemailer": "^8.0.1",
-    "openclaw": "^2026.4.22",
+    "openclaw": "^2026.5.12",
     "pdf-parse": "^2.4.5",
     "qrcode": "^1.5.4",
     "radix-ui": "^1.4.3",

package/src/app/api/agents/agents-route.test.ts

@@ -206,6 +206,42 @@ test('PUT /api/agents/:id updates planning mode without clobbering other fields'
   assert.equal(body.proactiveMemory, false)
 })
 
+test('PUT /api/agents/:id persists workspace filesystem settings', async () => {
+  seedAgent('agent-workspace-settings', {
+    name: 'Workspace Agent',
+    workspace: null,
+    filesystemScope: null,
+    fileAccessPolicy: null,
+  })
+
+  const response = await putAgent(new Request('http://local/api/agents/agent-workspace-settings', {
+    method: 'PUT',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({
+      workspace: '/tmp/swarmclaw-agent-workspace',
+      filesystemScope: 'workspace',
+      fileAccessPolicy: {
+        allowedPaths: ['/tmp/swarmclaw-agent-workspace'],
+        blockedPaths: ['/tmp/swarmclaw-agent-workspace/private'],
+      },
+    }),
+  }), routeParams('agent-workspace-settings'))
+
+  assert.equal(response.status, 200)
+  const body = await response.json()
+  assert.equal(body.workspace, '/tmp/swarmclaw-agent-workspace')
+  assert.equal(body.filesystemScope, 'workspace')
+  assert.deepEqual(body.fileAccessPolicy, {
+    allowedPaths: ['/tmp/swarmclaw-agent-workspace'],
+    blockedPaths: ['/tmp/swarmclaw-agent-workspace/private'],
+  })
+
+  const stored = loadAgents()['agent-workspace-settings']
+  assert.equal(stored.workspace, '/tmp/swarmclaw-agent-workspace')
+  assert.equal(stored.filesystemScope, 'workspace')
+  assert.deepEqual(stored.fileAccessPolicy, body.fileAccessPolicy)
+})
+
 test('PUT /api/agents/:id rejects non-string name', async () => {
   seedAgent('agent-bad-name', { name: 'Good' })
 

package/src/app/api/tasks/[id]/retry/route.ts

@@ -0,0 +1,12 @@
+import { NextResponse } from 'next/server'
+import { notFound } from '@/lib/server/collection-helpers'
+import { retryTaskFromRoute } from '@/lib/server/tasks/task-route-service'
+
+export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params
+  const result = retryTaskFromRoute(id)
+  if (!result.ok && result.status === 404) return notFound()
+  return result.ok
+    ? NextResponse.json(result.payload)
+    : NextResponse.json(result.payload, { status: result.status })
+}

package/src/app/api/tasks/task-workspace-route.test.ts

@@ -19,6 +19,7 @@ let getTaskHandoff: typeof import('./[id]/handoff/route')['GET']
 let postTaskHandoff: typeof import('./[id]/handoff/route')['POST']
 let getTaskExecutionPolicy: typeof import('./[id]/execution-policy/route')['GET']
 let postTaskExecutionPolicy: typeof import('./[id]/execution-policy/route')['POST']
+let postTaskRetry: typeof import('./[id]/retry/route')['POST']
 let getTaskHandoffs: typeof import('./handoffs/route')['GET']
 let getTasks: typeof import('./route')['GET']
 let storage: typeof import('@/lib/server/storage')
@@ -57,6 +58,7 @@ before(async () => {
   const policyRoute = await import('./[id]/execution-policy/route')
   getTaskExecutionPolicy = policyRoute.GET
   postTaskExecutionPolicy = policyRoute.POST
+  postTaskRetry = (await import('./[id]/retry/route')).POST
   getTaskHandoffs = (await import('./handoffs/route')).GET
   getTasks = (await import('./route')).GET
 })
@@ -255,6 +257,66 @@ test('GET /api/tasks/:id/execution-policy returns policy summary', async () => {
   assert.equal(body.summary.status, 'waiting')
 })
 
+test('POST /api/tasks/:id/retry requeues a dead-lettered failed task', async () => {
+  seedTask('task-dead-letter-retry', {
+    title: 'Dead Letter Retry',
+    status: 'failed',
+    attempts: 3,
+    maxAttempts: 3,
+    retryScheduledAt: Date.now() + 60_000,
+    deadLetteredAt: Date.now(),
+    checkoutRunId: 'run-failed',
+    error: 'Dead-lettered after 3/3 attempts: timeout',
+    validation: { ok: false, reasons: ['No result'], checkedAt: Date.now() },
+  })
+
+  const response = await postTaskRetry(
+    new Request('http://local/api/tasks/task-dead-letter-retry/retry', { method: 'POST' }),
+    routeParams('task-dead-letter-retry'),
+  )
+
+  assert.equal(response.status, 200)
+  const body = await response.json() as BoardTask
+  assert.equal(body.status, 'queued')
+  assert.equal(body.attempts, 0)
+  assert.equal(body.retryScheduledAt, null)
+  assert.equal(body.deadLetteredAt, null)
+  assert.equal(body.checkoutRunId, null)
+  assert.equal(body.error, null)
+  assert.equal(body.validation, null)
+  assert.equal(storage.loadQueue().includes('task-dead-letter-retry'), true)
+  assert.equal(body.comments?.some((comment) => comment.text.includes('retry requested')), true)
+})
+
+test('POST /api/tasks/:id/retry rejects tasks still blocked by dependencies', async () => {
+  seedTask('task-blocked-retry', {
+    title: 'Blocked Retry',
+    status: 'failed',
+    blockedBy: ['retry-dep'],
+    deadLetteredAt: Date.now(),
+  })
+  const tasks = storage.loadTasks()
+  tasks['retry-dep'] = {
+    id: 'retry-dep',
+    title: 'Retry Dependency',
+    description: '',
+    status: 'running',
+    agentId: 'agent-1',
+    createdAt: Date.now(),
+    updatedAt: Date.now(),
+  } as BoardTask
+  storage.saveTasks(tasks)
+
+  const response = await postTaskRetry(
+    new Request('http://local/api/tasks/task-blocked-retry/retry', { method: 'POST' }),
+    routeParams('task-blocked-retry'),
+  )
+
+  assert.equal(response.status, 409)
+  assert.equal(storage.loadTasks()['task-blocked-retry']?.status, 'failed')
+  assert.equal(storage.loadQueue().includes('task-blocked-retry'), false)
+})
+
 test('POST /api/tasks/:id/handoff saves markdown and JSON snapshots into the workspace', async () => {
   seedTask('task-handoff-save', {
     title: 'Saved Handoff Task',

package/src/cli/index.js

@@ -761,6 +761,7 @@ const COMMAND_GROUPS = [
       cmd('handoffs', 'GET', '/tasks/handoffs', 'List task handoff readiness packets'),
       cmd('execution-policy', 'GET', '/tasks/:id/execution-policy', 'Get task execution policy state'),
       cmd('execution-policy-decision', 'POST', '/tasks/:id/execution-policy', 'Approve, request changes, or reset a task policy stage', { expectsJsonBody: true }),
+      cmd('retry', 'POST', '/tasks/:id/retry', 'Retry a failed task and requeue it'),
       cmd('create', 'POST', '/tasks', 'Create task', { expectsJsonBody: true }),
       cmd('bulk', 'POST', '/tasks/bulk', 'Bulk update tasks (status/agent/project)', { expectsJsonBody: true }),
       cmd('update', 'PUT', '/tasks/:id', 'Update task', { expectsJsonBody: true }),

package/src/cli/index.test.js

@@ -225,6 +225,36 @@ test('tasks execution-policy-decision posts policy decisions', async () => {
   assert.equal(stderr.toString(), '')
 })
 
+test('tasks retry posts to the failed-task retry endpoint', async () => {
+  const stdout = makeWritable()
+  const stderr = makeWritable()
+  const calls = []
+
+  const fetchImpl = async (url, init) => {
+    calls.push({ url: String(url), init })
+    return jsonResponse({ id: 'task-1', status: 'queued' })
+  }
+
+  const exitCode = await runCli(
+    ['tasks', 'retry', 'task-1', '--json'],
+    {
+      fetchImpl,
+      stdout,
+      stderr,
+      env: {},
+      cwd: process.cwd(),
+    }
+  )
+
+  assert.equal(exitCode, 0)
+  assert.equal(calls.length, 1)
+  assert.match(calls[0].url, /\/api\/tasks\/task-1\/retry$/)
+  assert.equal(calls[0].init.method, 'POST')
+  assert.equal(calls[0].init.body, undefined)
+  assert.match(stdout.toString(), /"queued"/)
+  assert.equal(stderr.toString(), '')
+})
+
 test('gateways drain command posts a lifecycle control action', async () => {
   const stdout = makeWritable()
   const stderr = makeWritable()

package/src/cli/spec.js

@@ -541,6 +541,7 @@ const COMMAND_GROUPS = {
       handoffs: { description: 'List task handoff readiness packets', method: 'GET', path: '/tasks/handoffs' },
       'execution-policy': { description: 'Get task execution policy state', method: 'GET', path: '/tasks/:id/execution-policy', params: ['id'] },
       'execution-policy-decision': { description: 'Approve, request changes, or reset a task policy stage', method: 'POST', path: '/tasks/:id/execution-policy', params: ['id'] },
+      retry: { description: 'Retry a failed task and requeue it', method: 'POST', path: '/tasks/:id/retry', params: ['id'] },
       create: { description: 'Create task', method: 'POST', path: '/tasks' },
       bulk: { description: 'Bulk update tasks (status/agent/project)', method: 'POST', path: '/tasks/bulk' },
       update: { description: 'Update task', method: 'PUT', path: '/tasks/:id', params: ['id'] },

package/src/lib/providers/openclaw.test.ts

@@ -1,7 +1,7 @@
 import assert from 'node:assert/strict'
 import { afterEach, test } from 'node:test'
 
-import { buildOpenClawSessionKey, resolveGatewayAgentId } from './openclaw'
+import { buildOpenClawConnectParams, buildOpenClawSessionKey, resolveGatewayAgentId } from './openclaw'
 import { loadAgents, saveAgents } from '../server/storage'
 import type { Agent } from '@/types'
 
@@ -72,3 +72,10 @@ test('buildOpenClawSessionKey honors explicit OpenClaw session keys when provide
 
   assert.equal(sessionKey, 'agent:ops:benchmark:fixed-key')
 })
+
+test('buildOpenClawConnectParams advertises the current gateway protocol', () => {
+  const params = buildOpenClawConnectParams('test-token', 'test-nonce')
+
+  assert.equal(params.minProtocol, 4)
+  assert.equal(params.maxProtocol, 4)
+})

package/src/lib/providers/openclaw.ts

@@ -113,6 +113,8 @@ export function getDeviceId(): string {
 
 // --- Protocol helpers ---
 
+export const OPENCLAW_GATEWAY_PROTOCOL_VERSION = 4
+
 /**
  * Build connect params for the OpenClaw gateway protocol.
  *
@@ -132,8 +134,8 @@ export function buildOpenClawConnectParams(
   const scopes = ['operator.admin']
 
   const params: Record<string, unknown> = {
-    minProtocol: 3,
-    maxProtocol: 3,
+    minProtocol: OPENCLAW_GATEWAY_PROTOCOL_VERSION,
+    maxProtocol: OPENCLAW_GATEWAY_PROTOCOL_VERSION,
     auth: token ? { token } : undefined,
     client: {
       id: clientId,

package/src/lib/server/chat-execution/chat-execution-connector-delivery.ts

@@ -1,5 +1,6 @@
 import type { MessageToolEvent } from '@/types'
 import { dedupeConsecutiveToolEvents } from '@/lib/server/chat-execution/chat-execution-tool-events'
+import { stripAllInternalMetadata } from '@/lib/strip-internal-metadata'
 
 function parseToolJsonObject(raw: string): Record<string, unknown> | null {
   const trimmed = raw.trim()
@@ -65,12 +66,23 @@ export function looksLikePositiveConnectorDeliveryText(
 
 export function reconcileConnectorDeliveryText(text: string, events: MessageToolEvent[]): string {
   const trimmed = text.trim()
-  const connectorEvents = dedupeConsecutiveToolEvents(events).filter((event) => event.name === 'connector_message_tool')
+  const dedupedEvents = dedupeConsecutiveToolEvents(events)
+  const connectorEvents = dedupedEvents.filter((event) => event.name === 'connector_message_tool')
   if (!looksLikePositiveConnectorDeliveryText(trimmed, {
     requireConnectorContext: connectorEvents.length === 0,
   })) return text
   if (connectorEvents.some((event) => connectorToolEventSucceeded(event))) return text
   if (connectorEvents.length === 0) {
+    // No connector_message_tool event was recorded for this turn, but the
+    // agent may have legitimately delivered the message through another tool
+    // — typically `execute` running nodemailer / smtp / curl against an
+    // outbound HTTP endpoint, or a future connector that doesn't route
+    // through connector_message_tool. If *any* tool ran this turn, the agent
+    // did real work; trust them rather than overwriting their response with
+    // a false-negative. Only reconcile (with the overwrite below) when there
+    // is genuine evidence of a failed send — i.e., a connector_message_tool
+    // event exists but didn't succeed.
+    if (dedupedEvents.length > 0) return text
     return `I couldn't confirm that the configured connector actually sent anything. No connector delivery tool call was recorded for this response.`
   }
 
@@ -84,3 +96,7 @@ export function reconcileConnectorDeliveryText(text: string, events: MessageTool
 
   return `I couldn't send that through the configured connector. ${failureSummary}`.trim()
 }
+
+export function sanitizeConnectorDeliveryText(text: string, events: MessageToolEvent[]): string {
+  return reconcileConnectorDeliveryText(stripAllInternalMetadata(text), events).trim()
+}

package/src/lib/server/chat-execution/chat-turn-finalization.ts

@@ -12,7 +12,7 @@ import { stripMainLoopMetaForPersistence } from '@/lib/server/agents/main-agent-
 import { shouldSuppressHiddenControlText, stripHiddenControlTokens } from '@/lib/server/agents/assistant-control'
 import { pruneStreamingAssistantArtifacts } from '@/lib/chat/chat-streaming-state'
 import { pruneIncompleteToolEvents } from '@/lib/server/chat-execution/chat-streaming-utils'
-import { reconcileConnectorDeliveryText } from '@/lib/server/chat-execution/chat-execution-connector-delivery'
+import { sanitizeConnectorDeliveryText } from '@/lib/server/chat-execution/chat-execution-connector-delivery'
 import {
   classifyHeartbeatResponse,
   estimateConversationTone,
@@ -347,7 +347,7 @@ export async function finalizeChatTurn(params: {
       // Outbound transforms are non-critical.
     }
   }
-  finalText = reconcileConnectorDeliveryText(finalText, persistedToolEvents)
+  finalText = sanitizeConnectorDeliveryText(finalText, persistedToolEvents)
   finalText = normalizeAssistantArtifactLinks(finalText, session.cwd)
   finalText = applyExactOutputContract({
     contract: await resolveExactOutputContractWithTimeout({

package/src/lib/server/chat-execution/post-stream-finalization.test.ts

@@ -2,6 +2,7 @@ import assert from 'node:assert/strict'
 import { describe, it } from 'node:test'
 
 import { stripLeakedClassificationJson } from './post-stream-finalization'
+import { sanitizeConnectorDeliveryText } from './chat-execution-connector-delivery'
 
 // A fully-valid MessageClassification serialized by the model. Mirrors the
 // real output we observed during a live delegation turn.
@@ -105,3 +106,26 @@ describe('stripLeakedClassificationJson', () => {
     assert.equal(cleaned, input)
   })
 })
+
+describe('sanitizeConnectorDeliveryText', () => {
+  it('strips internal metadata before connector delivery reconciliation', () => {
+    const input = [
+      '{ "isDeliverableTask": true, "confidence": 0.9 }',
+      'I sent the message via the endpoint. Message ID: abc123.',
+    ].join('\n')
+    const result = sanitizeConnectorDeliveryText(input, [
+      {
+        name: 'execute',
+        input: '{"code":"curl -X POST https://example.invalid/send"}',
+        output: 'ok',
+      },
+    ])
+
+    assert.equal(result, 'I sent the message via the endpoint. Message ID: abc123.')
+  })
+
+  it('preserves benign user JSON in non-delivery text', () => {
+    const input = 'The payload example is { "port": 3000 }.'
+    assert.equal(sanitizeConnectorDeliveryText(input, []), input)
+  })
+})

package/src/lib/server/connectors/connector-inbound.ts

@@ -92,7 +92,8 @@ import {
   resolveSenderPreferencePolicy,
 } from './contact-preferences'
 import { prepareConnectorVoiceNotePayload } from './voice-note'
-import { reconcileConnectorDeliveryText } from '@/lib/server/chat-execution/chat-execution-connector-delivery'
+import { sanitizeConnectorDeliveryText } from '@/lib/server/chat-execution/chat-execution-connector-delivery'
+import { stripAllInternalMetadata } from '@/lib/strip-internal-metadata'
 import { pruneIncompleteToolEvents, updateStreamedToolEvents } from '@/lib/server/chat-execution/chat-streaming-utils'
 import { guardUntrustedText, getUntrustedContentGuardMode } from '@/lib/server/untrusted-content'
 import {
@@ -432,7 +433,7 @@ export async function deliverQueuedConnectorRunResult(params: {
     session,
     toolEvents: params.result.toolEvents || [],
   })
-  fullText = reconcileConnectorDeliveryText(fullText, params.result.toolEvents || []).trim()
+  fullText = sanitizeConnectorDeliveryText(stripHiddenControlTokens(fullText), params.result.toolEvents || [])
 
   if (!fullText && !currentChannelDelivery) {
     await maybeSendStatusReaction(params.connector, params.msg, 'silent')
@@ -729,7 +730,7 @@ async function routeMessageToChatroom(connector: Connector, msg: InboundMessage)
         history,
       })
 
-      const responseText = stripHiddenControlTokens(result.finalResponse || result.fullText)
+      const responseText = stripAllInternalMetadata(stripHiddenControlTokens(result.finalResponse || result.fullText))
       if (responseText.trim() && !isNoMessage(responseText)) {
         // Persist agent response to chatroom
         const agentSource: MessageSource = {
@@ -1332,12 +1333,11 @@ If media sending fails, report the exact error and retry with a corrected path/t
   }
 
   const suppressHiddenResponse = shouldSuppressHiddenControlText(fullText)
-  fullText = stripHiddenControlTokens(fullText)
-  fullText = reconcileConnectorDeliveryText(fullText, settledConnectorToolEvents).trim()
+  fullText = sanitizeConnectorDeliveryText(stripHiddenControlTokens(fullText), settledConnectorToolEvents)
 
   // If the agent chose NO_MESSAGE, skip saving it to history — the user's message
   // is already recorded, and saving the sentinel would pollute the LLM's context
-  if (suppressHiddenResponse || isNoMessage(fullText)) {
+  if (suppressHiddenResponse || isNoMessage(fullText) || !fullText.trim()) {
     if (currentChannelDeliveryRef.current) {
       persistConnectorDeliveryMarker({
         session,

package/src/lib/server/connectors/openclaw.test.ts

@@ -66,6 +66,10 @@ function findReqAt(ws: MockWebSocket, method: string, index: number): WsFrame |
   return matches[index]
 }
 
+function frameParams<T extends Record<string, unknown>>(frame: WsFrame): T {
+  return (frame.params && typeof frame.params === 'object' ? frame.params : {}) as T
+}
+
 async function waitFor<T>(
   getValue: () => T | null | undefined,
   timeoutMs = 2_000,
@@ -114,13 +118,16 @@ async function bootstrapConnector(params?: {
 async function performHandshake(ws: MockWebSocket, helloPayload?: WsFrame) {
   ws.emit({ type: 'event', event: 'connect.challenge', payload: { nonce: 'test-nonce' } })
   const connectReq = await waitFor(() => findReq(ws, 'connect'), 1_500)
+  const connectParams = frameParams<{ minProtocol?: unknown; maxProtocol?: unknown }>(connectReq)
+  assert.equal(connectParams.minProtocol, 4)
+  assert.equal(connectParams.maxProtocol, 4)
   ws.emit({
     type: 'res',
     id: connectReq.id as string,
     ok: true,
     payload: helloPayload || {
       type: 'hello-ok',
-      protocol: 3,
+      protocol: 4,
       auth: { deviceToken: 'device-token-test' },
       policy: { tickIntervalMs: 15_000 },
     },
@@ -362,7 +369,7 @@ test('openclaw connector reconnects when tick watchdog detects stale connection'
   try {
     await performHandshake(ws, {
       type: 'hello-ok',
-      protocol: 3,
+      protocol: 4,
       policy: { tickIntervalMs: 200 },
     })
 

package/src/lib/server/connectors/openclaw.ts

@@ -25,7 +25,7 @@ const TAG = 'openclaw'
  * - chat traffic is event `chat` and RPC method `chat.send`
  */
 
-const PROTOCOL_VERSION = 3
+const PROTOCOL_VERSION = 4
 const RECONNECT_BASE_MS = 2_000
 const RECONNECT_MAX_MS = 30_000
 const RPC_TIMEOUT_MS = 25_000

package/src/lib/server/session-tools/credential-env.ts

@@ -36,7 +36,7 @@ export function buildCredentialEnv(credentialIds: string[]): CredentialEnv {
   const env: Record<string, string> = {}
   const secrets: string[] = []
 
-  const allCredentials = loadCredentials() as Record<string, Credential & { encrypted?: string }>
+  const allCredentials = loadCredentials() as Record<string, Credential & { encryptedKey?: string }>
 
   for (const credId of credentialIds) {
     const cred = allCredentials[credId]
@@ -45,8 +45,9 @@ export function buildCredentialEnv(credentialIds: string[]): CredentialEnv {
       continue
     }
 
-    // Decrypt the stored key
-    const encrypted = cred.encrypted
+    // Credentials persist ciphertext under `encryptedKey`; older reads of
+    // `cred.encrypted` silently skipped injection for execute tool calls.
+    const encrypted = cred.encryptedKey
     if (!encrypted || typeof encrypted !== 'string') {
       log.warn(TAG, `Credential has no encrypted value: ${credId}`)
       continue

package/src/lib/server/session-tools/crud.ts

@@ -603,6 +603,9 @@ export function buildCrudTools(bctx: ToolBuildContext): StructuredToolInterface[
               const raw = buildCrudPayload(normalized, action, data)
               const defaults = RESOURCE_DEFAULTS[toolKey]
               const parsed = defaults ? defaults(raw) : raw
+              if (toolKey === 'manage_tasks' && !Object.prototype.hasOwnProperty.call(raw, 'status')) {
+                delete (parsed as Record<string, unknown>).status
+              }
               if (parsed && typeof parsed === 'object' && 'id' in parsed) {
                 delete (parsed as Record<string, unknown>).id
               }
@@ -696,6 +699,8 @@ export function buildCrudTools(bctx: ToolBuildContext): StructuredToolInterface[
                   now,
                   settings: loadSettings(),
                   fallbackAgentId: ctx?.agentId || null,
+                  creatorAgentId: ctx?.agentId || null,
+                  autoQueueDelegatedTasks: true,
                   defaultCwd: cwd,
                   deriveTitleFromDescription: true,
                   requireMeaningfulTitle: true,

package/src/lib/server/session-tools/execute.test.ts

@@ -87,6 +87,35 @@ describe('credential-env', () => {
       const result = buildCredentialEnv(['nonexistent-id'])
       assert.deepEqual(result, { env: {}, secrets: [] })
     })
+
+    it('injects credentials stored under encryptedKey', () => {
+      const output = runWithTempDataDir<{
+        env: Record<string, string>
+        secrets: string[]
+      }>(`
+        process.env.CREDENTIAL_SECRET = 'a'.repeat(64)
+        const storageMod = await import('@/lib/server/storage')
+        const credentialEnvMod = await import('@/lib/server/session-tools/credential-env')
+        const storage = storageMod.default || storageMod
+        const credentialEnv = credentialEnvMod.default || credentialEnvMod
+        const encryptedKey = storage.encryptKey('github_pat_execute_tool')
+        storage.saveCredentials({
+          'cred-github': {
+            id: 'cred-github',
+            provider: 'github',
+            name: 'token',
+            encryptedKey,
+            createdAt: Date.now(),
+            updatedAt: Date.now(),
+          },
+        })
+        const result = credentialEnv.buildCredentialEnv(['cred-github'])
+        console.log(JSON.stringify(result))
+      `)
+
+      assert.equal(output.env.GITHUB_TOKEN, 'github_pat_execute_tool')
+      assert.deepEqual(output.secrets, ['github_pat_execute_tool'])
+    })
   })
 })
 

package/src/lib/server/session-tools/manage-tasks.test.ts

@@ -192,6 +192,61 @@ describe('manage_tasks tool', () => {
     assert.equal(output.stored.workflowStateId, 'in_progress')
   })
 
+  it('queues agent-delegated tasks when no explicit status is provided', () => {
+    const output = runWithTempDataDir(`
+      const storageMod = await import('./src/lib/server/storage')
+      const crudMod = await import('./src/lib/server/session-tools/crud')
+      const storage = storageMod.default || storageMod
+      const crud = crudMod.default || crudMod
+
+      const now = Date.now()
+      storage.saveAgents({
+        coordinator: {
+          id: 'coordinator',
+          name: 'Coordinator',
+          description: '',
+          systemPrompt: '',
+          provider: 'openai',
+          model: 'gpt-test',
+          createdAt: now,
+          updatedAt: now,
+        },
+        worker: {
+          id: 'worker',
+          name: 'Worker',
+          description: '',
+          systemPrompt: '',
+          provider: 'openai',
+          model: 'gpt-test',
+          createdAt: now,
+          updatedAt: now,
+        },
+      })
+
+      const tools = crud.buildCrudTools({
+        cwd: process.env.WORKSPACE_DIR,
+        ctx: { sessionId: 'session-delegate', agentId: 'coordinator', delegationEnabled: true, delegationTargetMode: 'all', delegationTargetAgentIds: [] },
+        hasExtension: (name) => name === 'manage_tasks',
+      })
+      const tool = tools.find((entry) => entry.name === 'manage_tasks')
+      const raw = await tool.invoke({
+        action: 'create',
+        title: 'Worker follow-up',
+        description: 'Please take this delegated implementation task.',
+        agentId: 'worker',
+      })
+      const response = JSON.parse(raw)
+      const stored = storage.loadTasks()[response.id]
+      const queue = storage.loadQueue()
+      console.log(JSON.stringify({ response, stored, queue }))
+    `)
+
+    assert.equal(output.response.status, 'queued')
+    assert.equal(output.stored.status, 'queued')
+    assert.equal(output.stored.agentId, 'worker')
+    assert.deepEqual(output.queue, [output.response.id])
+  })
+
   it('keeps an explicit assignee but returns delegation advisory when another teammate is a better fit', () => {
     const output = runWithTempDataDir(`
       const storageMod = await import('./src/lib/server/storage')

package/src/lib/server/storage-auth.test.ts

@@ -3,6 +3,71 @@ import { describe, it, beforeEach, afterEach } from 'node:test'
 import fs from 'node:fs'
 import path from 'node:path'
 import os from 'node:os'
+import { spawnSync } from 'node:child_process'
+
+const repoRoot = path.resolve(path.dirname(new URL(import.meta.url).pathname), '../../..')
+
+function runStorageAuthImport(options: {
+  envLocal?: string
+  generatedEnv?: string
+  credentialSecretFile?: string
+  externalCredentialSecret?: string
+}) {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'storage-auth-import-'))
+  const dataDir = path.join(tmpDir, 'data')
+  const cwd = path.join(tmpDir, 'cwd')
+  fs.mkdirSync(dataDir, { recursive: true })
+  fs.mkdirSync(cwd, { recursive: true })
+  try {
+    if (options.envLocal !== undefined) {
+      fs.writeFileSync(path.join(cwd, '.env.local'), options.envLocal, 'utf8')
+    }
+    if (options.generatedEnv !== undefined) {
+      fs.writeFileSync(path.join(dataDir, '.env.generated'), options.generatedEnv, 'utf8')
+    }
+    if (options.credentialSecretFile !== undefined) {
+      fs.writeFileSync(path.join(dataDir, 'credential-secret'), options.credentialSecretFile, { encoding: 'utf8', mode: 0o600 })
+    }
+    const env: NodeJS.ProcessEnv = {
+      ...process.env,
+      DATA_DIR: dataDir,
+      WORKSPACE_DIR: path.join(tmpDir, 'workspace'),
+      SWARMCLAW_DAEMON_AUTOSTART: '0',
+    }
+    delete env.ACCESS_KEY
+    delete env.CREDENTIAL_SECRET
+    delete env.SWARMCLAW_BUILD_MODE
+    if (options.externalCredentialSecret !== undefined) {
+      env.CREDENTIAL_SECRET = options.externalCredentialSecret
+    }
+    const script = `
+      import fs from 'node:fs'
+      import path from 'node:path'
+      import { pathToFileURL } from 'node:url'
+      process.chdir(${JSON.stringify(cwd)})
+      await import(pathToFileURL(${JSON.stringify(path.join(repoRoot, 'src/lib/server/storage-auth.ts'))}).href)
+      const secretPath = path.join(process.env.DATA_DIR, 'credential-secret')
+      const fileSecret = fs.existsSync(secretPath) ? fs.readFileSync(secretPath, 'utf8').trim() : ''
+      const mode = fs.existsSync(secretPath) ? (fs.statSync(secretPath).mode & 0o777).toString(8) : ''
+      console.log(JSON.stringify({
+        credentialSecret: process.env.CREDENTIAL_SECRET || '',
+        fileSecret,
+        mode,
+      }))
+    `
+    const result = spawnSync(process.execPath, ['--import', 'tsx', '--input-type=module', '--eval', script], {
+      cwd: repoRoot,
+      env,
+      encoding: 'utf8',
+      timeout: 15_000,
+    })
+    assert.equal(result.status, 0, result.stderr || result.stdout || 'storage-auth subprocess failed')
+    const jsonLine = (result.stdout || '').trim().split('\n').reverse().find((line) => line.trim().startsWith('{'))
+    return JSON.parse(jsonLine || '{}') as { credentialSecret: string; fileSecret: string; mode: string }
+  } finally {
+    fs.rmSync(tmpDir, { recursive: true, force: true })
+  }
+}
 
 /**
  * Tests for storage-auth helpers.
@@ -148,3 +213,40 @@ describe('Docker key persistence fallback', () => {
     assert.equal(vars.ACCESS_KEY, 'original')
   })
 })
+
+describe('credential secret persistence precedence', () => {
+  it('migrates a legacy .env.local credential secret into DATA_DIR', () => {
+    const legacySecret = 'a'.repeat(64)
+    const output = runStorageAuthImport({
+      envLocal: `CREDENTIAL_SECRET=${legacySecret}\n`,
+    })
+
+    assert.equal(output.credentialSecret, legacySecret)
+    assert.equal(output.fileSecret, legacySecret)
+    assert.equal(output.mode, '600')
+  })
+
+  it('uses the DATA_DIR credential secret before legacy env files', () => {
+    const fileSecret = 'b'.repeat(64)
+    const legacySecret = 'a'.repeat(64)
+    const output = runStorageAuthImport({
+      credentialSecretFile: fileSecret,
+      envLocal: `CREDENTIAL_SECRET=${legacySecret}\n`,
+    })
+
+    assert.equal(output.credentialSecret, fileSecret)
+    assert.equal(output.fileSecret, fileSecret)
+  })
+
+  it('lets an explicitly supplied environment credential secret override the file', () => {
+    const externalSecret = 'c'.repeat(64)
+    const fileSecret = 'b'.repeat(64)
+    const output = runStorageAuthImport({
+      externalCredentialSecret: externalSecret,
+      credentialSecretFile: fileSecret,
+    })
+
+    assert.equal(output.credentialSecret, externalSecret)
+    assert.equal(output.fileSecret, fileSecret)
+  })
+})

package/src/lib/server/storage-auth.ts

@@ -11,24 +11,52 @@ const TAG = 'storage-auth'
 // because DATA_DIR is volume-mounted, unlike process.cwd()/.env.local.
 const GENERATED_ENV_PATH = path.join(DATA_DIR, '.env.generated')
 
+// Dedicated single-purpose file for the credential-encryption secret. Lives in
+// DATA_DIR so it survives both Docker volume mounts AND npm-global upgrades
+// (the latter changes process.cwd() per version, which made .env.local-only
+// persistence regenerate the secret every upgrade and orphan every credential
+// encrypted under the old value).
+const CREDENTIAL_SECRET_FILE = path.join(DATA_DIR, 'credential-secret')
+
 // --- .env loading ---
-function loadEnvFile(filePath: string): void {
-  if (!fs.existsSync(filePath)) return
+type LoadedEnvFile = Record<string, string>
+
+function loadEnvFile(filePath: string): LoadedEnvFile {
+  const loaded: LoadedEnvFile = {}
+  if (!fs.existsSync(filePath)) return loaded
   fs.readFileSync(filePath, 'utf8').split(/\r?\n/).forEach(line => {
     const [k, ...v] = line.split('=')
-    if (k && v.length) process.env[k.trim()] = v.join('=').trim()
+    if (k && v.length) loaded[k.trim()] = v.join('=').trim()
   })
+  return loaded
 }
 
-function loadEnv() {
-  // Load fallback first so that .env.local values take precedence.
-  // .env.generated is auto-created in Docker where .env.local isn't writable.
-  loadEnvFile(GENERATED_ENV_PATH)
-  loadEnvFile(path.join(process.cwd(), '.env.local'))
+function applyLoadedEnv(loaded: LoadedEnvFile, externalKeys: Set<string>, options?: { overwriteLoaded?: boolean }) {
+  for (const [key, value] of Object.entries(loaded)) {
+    if (externalKeys.has(key)) continue
+    if (options?.overwriteLoaded || process.env[key] === undefined || process.env[key] === '') {
+      process.env[key] = value
+    }
+  }
 }
-if (!IS_BUILD_BOOTSTRAP) {
-  loadEnv()
+
+function loadEnv(): { generated: LoadedEnvFile; local: LoadedEnvFile } {
+  const externalKeys = new Set(
+    Object.entries(process.env)
+      .filter(([, value]) => typeof value === 'string' && value.length > 0)
+      .map(([key]) => key),
+  )
+  const generated = loadEnvFile(GENERATED_ENV_PATH)
+  const local = loadEnvFile(path.join(process.cwd(), '.env.local'))
+
+  applyLoadedEnv(generated, externalKeys)
+  applyLoadedEnv(local, externalKeys, { overwriteLoaded: true })
+  return { generated, local }
 }
+const externalCredentialSecret = process.env.CREDENTIAL_SECRET?.trim() || ''
+const loadedEnv: { generated: LoadedEnvFile; local: LoadedEnvFile } = !IS_BUILD_BOOTSTRAP
+  ? loadEnv()
+  : { generated: {}, local: {} }
 
 /** Append a key=value to a file only if the key doesn't already exist in it. */
 function appendEnvKeyIfMissing(envPath: string, key: string, value: string): void {
@@ -59,12 +87,72 @@ function persistEnvKey(key: string, value: string): void {
   }
 }
 
-// Auto-generate CREDENTIAL_SECRET if missing
-if (!IS_BUILD_BOOTSTRAP && !process.env.CREDENTIAL_SECRET) {
-  const secret = crypto.randomBytes(32).toString('hex')
-  process.env.CREDENTIAL_SECRET = secret
-  persistEnvKey('CREDENTIAL_SECRET', secret)
-  log.info(TAG, 'Generated CREDENTIAL_SECRET')
+/** Read CREDENTIAL_SECRET from the dedicated file in DATA_DIR.
+ *  Returns the trimmed contents, or empty string if absent / unreadable. */
+function readCredentialSecretFile(): string {
+  try {
+    if (!fs.existsSync(CREDENTIAL_SECRET_FILE)) return ''
+    return fs.readFileSync(CREDENTIAL_SECRET_FILE, 'utf-8').trim()
+  } catch (err) {
+    log.warn(TAG, `Could not read CREDENTIAL_SECRET from ${CREDENTIAL_SECRET_FILE}`, {
+      error: err instanceof Error ? err.message : String(err),
+    })
+    return ''
+  }
+}
+
+/** Write CREDENTIAL_SECRET to the dedicated file with restrictive permissions. */
+function writeCredentialSecretFile(secret: string): boolean {
+  try {
+    fs.mkdirSync(path.dirname(CREDENTIAL_SECRET_FILE), { recursive: true })
+    fs.writeFileSync(CREDENTIAL_SECRET_FILE, secret, { encoding: 'utf-8', mode: 0o600 })
+    return true
+  } catch (err) {
+    log.warn(TAG, `Could not persist CREDENTIAL_SECRET to ${CREDENTIAL_SECRET_FILE}`, {
+      error: err instanceof Error ? err.message : String(err),
+    })
+    return false
+  }
+}
+
+// Resolve CREDENTIAL_SECRET in this precedence order:
+//   1. process.env (already set externally, e.g. by orchestrator)
+//   2. DATA_DIR/credential-secret (the stable home — survives upgrades)
+//   3. .env files (legacy — values loaded into process.env by loadEnv() above)
+//   4. Generate new secret + persist to DATA_DIR/credential-secret
+//
+// Step 2 is the key change: previously the secret only lived in a per-version
+// .env.local (cwd changes on npm-global upgrade), so each upgrade
+// silently regenerated it and orphaned every encrypted credential.
+if (!IS_BUILD_BOOTSTRAP) {
+  const legacyEnvSecret = loadedEnv.local.CREDENTIAL_SECRET?.trim()
+    || loadedEnv.generated.CREDENTIAL_SECRET?.trim()
+    || ''
+  const fileSecret = readCredentialSecretFile()
+  if (externalCredentialSecret) {
+    process.env.CREDENTIAL_SECRET = externalCredentialSecret
+    if (fileSecret && fileSecret !== externalCredentialSecret) {
+      log.warn(TAG, `CREDENTIAL_SECRET is set by the environment and differs from ${CREDENTIAL_SECRET_FILE}; using the environment value.`)
+    }
+  } else if (fileSecret) {
+    process.env.CREDENTIAL_SECRET = fileSecret
+    if (legacyEnvSecret && legacyEnvSecret !== fileSecret) {
+      // Both persisted locations exist and disagree. Trust DATA_DIR because it
+      // survives npm-global upgrades and Docker restarts.
+      log.warn(TAG, `CREDENTIAL_SECRET mismatch between legacy env files and ${CREDENTIAL_SECRET_FILE}; using the file value.`)
+    }
+  } else if (legacyEnvSecret) {
+    process.env.CREDENTIAL_SECRET = legacyEnvSecret
+    if (writeCredentialSecretFile(legacyEnvSecret)) {
+      log.info(TAG, `Migrated CREDENTIAL_SECRET from .env to ${CREDENTIAL_SECRET_FILE}`)
+    }
+  } else {
+    // First-ever launch on this DATA_DIR. Generate.
+    const secret = crypto.randomBytes(32).toString('hex')
+    process.env.CREDENTIAL_SECRET = secret
+    writeCredentialSecretFile(secret)
+    log.info(TAG, `Generated CREDENTIAL_SECRET and persisted to ${CREDENTIAL_SECRET_FILE}`)
+  }
 }
 
 // Auto-generate ACCESS_KEY if missing (used for simple auth)

package/src/lib/server/tasks/task-route-service.ts

@@ -290,6 +290,52 @@ export function updateTaskFromRoute(id: string, body: Record<string, unknown>):
   return serviceOk(tasks[id])
 }
 
+export function retryTaskFromRoute(id: string): ServiceResult<BoardTask> {
+  const tasks = loadTasks()
+  const task = tasks[id]
+  if (!task) return serviceFail(404, 'Task not found')
+  if (task.status !== 'failed') {
+    return serviceFail(409, 'Only failed tasks can be retried.')
+  }
+
+  const blockers = Array.isArray(task.blockedBy) ? task.blockedBy : []
+  const incompleteBlocker = blockers.find((bid: string) => tasks[bid] && tasks[bid].status !== 'completed')
+  if (incompleteBlocker) {
+    return serviceFail(409, 'Cannot retry: blocked by incomplete tasks')
+  }
+
+  const now = Date.now()
+  if (!task.comments) task.comments = []
+  task.comments.push({
+    id: genId(),
+    author: 'System',
+    text: 'Task retry requested by operator.',
+    createdAt: now,
+  })
+  task.status = 'queued'
+  task.attempts = 0
+  task.deadLetteredAt = null
+  task.retryScheduledAt = null
+  task.checkoutRunId = null
+  task.error = null
+  task.validation = null
+  task.startedAt = null
+  task.completedAt = null
+  task.queuedAt = now
+  task.updatedAt = now
+  task.liveness = computeTaskLiveness(task, tasks, { now })
+
+  saveTask(id, task)
+  enqueueTask(id)
+  logActivity({ entityType: 'task', entityId: id, action: 'queued', actor: 'user', summary: `Task retried: "${task.title}"` })
+  pushMainLoopEventToMainSessions({
+    type: 'task_queued',
+    text: `Task retried and queued: "${task.title}" (${id}).`,
+  })
+  notify('tasks')
+  return serviceOk(loadTask(id) || task)
+}
+
 export function decideTaskExecutionPolicyFromRoute(
   id: string,
   body: Record<string, unknown>,

package/src/lib/server/tasks/task-service.test.ts

@@ -154,6 +154,56 @@ describe('task-service assignment workflow transitions', () => {
     }
   })
 
+  it('auto-queues agent-created tasks delegated to a different agent', () => {
+    const prepared = prepareTaskCreation({
+      input: {
+        title: 'Build delegated client',
+        description: 'Hand this work to the builder.',
+        agentId: 'builder',
+      },
+      tasks: {},
+      now: 210,
+      creatorAgentId: 'coordinator',
+      autoQueueDelegatedTasks: true,
+    })
+
+    assert.equal(prepared.ok, true)
+    if (!prepared.ok) return
+    assert.equal(prepared.task.status, 'queued')
+    assert.equal(prepared.task.agentId, 'builder')
+  })
+
+  it('does not auto-queue self-assigned or explicitly backlogged tasks', () => {
+    const selfAssigned = prepareTaskCreation({
+      input: {
+        title: 'Self task',
+        description: '',
+        agentId: 'coordinator',
+      },
+      tasks: {},
+      now: 220,
+      creatorAgentId: 'coordinator',
+      autoQueueDelegatedTasks: true,
+    })
+    assert.equal(selfAssigned.ok, true)
+    if (selfAssigned.ok) assert.equal(selfAssigned.task.status, 'backlog')
+
+    const explicitBacklog = prepareTaskCreation({
+      input: {
+        title: 'Explicit backlog',
+        description: '',
+        agentId: 'builder',
+        status: 'backlog',
+      },
+      tasks: {},
+      now: 230,
+      creatorAgentId: 'coordinator',
+      autoQueueDelegatedTasks: true,
+    })
+    assert.equal(explicitBacklog.ok, true)
+    if (explicitBacklog.ok) assert.equal(explicitBacklog.task.status, 'backlog')
+  })
+
   it('leaves already-started workflow states alone', () => {
     const next = resolveAssignmentWorkflowStateTransition({
       previousAgentId: '',

package/src/lib/server/tasks/task-service.ts

@@ -171,6 +171,8 @@ export interface PrepareTaskCreationOptions {
   now: number
   settings?: AppSettings | Record<string, unknown> | null
   fallbackAgentId?: string | null
+  creatorAgentId?: string | null
+  autoQueueDelegatedTasks?: boolean
   defaultCwd?: string | null
   deriveTitleFromDescription?: boolean
   requireMeaningfulTitle?: boolean
@@ -194,11 +196,22 @@ export function prepareTaskCreation(options: PrepareTaskCreationOptions): Prepar
     return { ok: false, error: 'Error: manage_tasks create requires a specific title or a meaningful description.' }
   }
 
-  const normalizedStatus = normalizeTaskStatusInput(options.input.status) || 'backlog'
   const description = typeof options.input.description === 'string' ? options.input.description : ''
   const agentId = typeof options.input.agentId === 'string'
-    ? options.input.agentId
-    : (typeof options.fallbackAgentId === 'string' ? options.fallbackAgentId : '')
+    ? options.input.agentId.trim()
+    : (typeof options.fallbackAgentId === 'string' ? options.fallbackAgentId.trim() : '')
+  const explicitStatus = Object.prototype.hasOwnProperty.call(options.input, 'status')
+  let normalizedStatus = normalizeTaskStatusInput(options.input.status) || 'backlog'
+  const creatorAgentId = typeof options.creatorAgentId === 'string' ? options.creatorAgentId.trim() : ''
+  if (
+    !explicitStatus
+    && options.autoQueueDelegatedTasks === true
+    && creatorAgentId
+    && agentId
+    && agentId !== creatorAgentId
+  ) {
+    normalizedStatus = 'queued'
+  }
   const qualityGate = Object.prototype.hasOwnProperty.call(options.input, 'qualityGate')
     ? (options.input.qualityGate
       ? normalizeTaskQualityGate(options.input.qualityGate, options.settings || null)

package/src/lib/validation/schemas.ts

@@ -140,6 +140,18 @@ export const AgentCreateSchema = z.object({
   projectId: z.string().optional(),
   avatarSeed: z.string().optional(),
   avatarUrl: z.string().nullable().optional().default(null),
+  /** Per-agent working directory. Used as the cwd for execute tool calls and
+   *  as the root for workspace-scoped file operations. */
+  workspace: z.string().nullable().optional().default(null),
+  /** When 'workspace', the structured file tool's reads/writes are confined to
+   *  the agent's workspace directory; 'machine' allows the whole host. */
+  filesystemScope: z.enum(['workspace', 'machine']).nullable().optional().default(null),
+  /** Per-agent filesystem allow/block lists enforced by the file tool. Globs
+   *  are matched against fully-resolved absolute paths. */
+  fileAccessPolicy: z.object({
+    allowedPaths: z.array(z.string()).optional(),
+    blockedPaths: z.array(z.string()).optional(),
+  }).nullable().optional().default(null),
   sandboxConfig: AgentSandboxConfigSchema,
   executeConfig: AgentExecuteConfigSchema,
   autoRecovery: z.boolean().optional().default(false),

package/src/types/agent.ts

@@ -142,6 +142,7 @@ export interface Agent {
    */
   planningMode?: 'off' | 'strict' | null
   /** Controls whether file operations are confined to the workspace or allowed anywhere on the host. Default: 'workspace'. */
+  workspace?: string | null
   filesystemScope?: 'workspace' | 'machine' | null
   /** Per-agent filesystem restrictions. Globs matched against resolved paths. */
   fileAccessPolicy?: {