@desplega.ai/agent-swarm 1.94.0 → 1.95.0

package/src/tests/credential-check.test.ts

@@ -136,63 +136,98 @@ describe("checkCodexCredentials", () => {
 
 // ─── pi-mono ─────────────────────────────────────────────────────────────────
 
+/**
+ * Stub probes for Bedrock tests. These replace the real @aws-sdk/client-bedrock
+ * ListFoundationModels call so unit tests never hit AWS.
+ */
+const bedrockProbeSuccess = async () => {};
+const bedrockProbeAuthFail = async () => {
+  throw new Error("ExpiredTokenException: The security token included in the request is expired");
+};
+const bedrockProbeAccessFail = async () => {
+  throw new Error("AccessDeniedException: not authorized to perform: bedrock:ListFoundationModels");
+};
+const bedrockProbeRegionFail = async () => {
+  throw new Error(
+    "ValidationException: Provided region us-west-99 is not supported by Amazon Bedrock",
+  );
+};
+
 describe("checkPiMonoCredentials", () => {
   const HOME = "/home/worker";
   const AUTH = `${HOME}/.pi/agent/auth.json`;
 
-  test("ready (file) when ~/.pi/agent/auth.json exists", () => {
-    const status = checkPiMonoCredentials({}, { homeDir: HOME, fs: fsWith(new Set([AUTH])) });
+  test("ready (file) when ~/.pi/agent/auth.json exists", async () => {
+    const status = await checkPiMonoCredentials({}, { homeDir: HOME, fs: fsWith(new Set([AUTH])) });
     expect(status.ready).toBe(true);
     expect(status.satisfiedBy).toBe("file");
   });
 
-  test("permissive: ready when MODEL_OVERRIDE unset and any one supported key is present", () => {
+  test("permissive: ready when MODEL_OVERRIDE unset and any one supported key is present", async () => {
     expect(
-      checkPiMonoCredentials({ ANTHROPIC_API_KEY: "x" }, { homeDir: HOME, fs: noFiles }).ready,
+      (await checkPiMonoCredentials({ ANTHROPIC_API_KEY: "x" }, { homeDir: HOME, fs: noFiles }))
+        .ready,
     ).toBe(true);
     expect(
-      checkPiMonoCredentials({ OPENROUTER_API_KEY: "x" }, { homeDir: HOME, fs: noFiles }).ready,
+      (await checkPiMonoCredentials({ OPENROUTER_API_KEY: "x" }, { homeDir: HOME, fs: noFiles }))
+        .ready,
     ).toBe(true);
     expect(
-      checkPiMonoCredentials({ OPENAI_API_KEY: "x" }, { homeDir: HOME, fs: noFiles }).ready,
+      (await checkPiMonoCredentials({ OPENAI_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })).ready,
     ).toBe(true);
   });
 
-  test("permissive: not ready when MODEL_OVERRIDE unset and no keys are set", () => {
-    const status = checkPiMonoCredentials({}, { homeDir: HOME, fs: noFiles });
+  test("permissive: not ready when MODEL_OVERRIDE unset and no keys are set", async () => {
+    const status = await checkPiMonoCredentials({}, { homeDir: HOME, fs: noFiles });
     expect(status.ready).toBe(false);
     expect(status.missing).toContain("ANTHROPIC_API_KEY");
     expect(status.missing).toContain("OPENROUTER_API_KEY");
     expect(status.missing).toContain("OPENAI_API_KEY");
   });
 
-  test("strict: MODEL_OVERRIDE=anthropic/... requires ANTHROPIC_API_KEY", () => {
+  test("strict: MODEL_OVERRIDE=anthropic/... requires ANTHROPIC_API_KEY", async () => {
     const env = { MODEL_OVERRIDE: "anthropic/claude-sonnet-4" };
-    expect(checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles }).ready).toBe(false);
+    expect((await checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles })).ready).toBe(false);
     expect(
-      checkPiMonoCredentials({ ...env, ANTHROPIC_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-        .ready,
+      (
+        await checkPiMonoCredentials(
+          { ...env, ANTHROPIC_API_KEY: "x" },
+          { homeDir: HOME, fs: noFiles },
+        )
+      ).ready,
     ).toBe(true);
     // OPENROUTER_API_KEY does NOT satisfy an anthropic-prefixed model
     expect(
-      checkPiMonoCredentials({ ...env, OPENROUTER_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-        .ready,
+      (
+        await checkPiMonoCredentials(
+          { ...env, OPENROUTER_API_KEY: "x" },
+          { homeDir: HOME, fs: noFiles },
+        )
+      ).ready,
     ).toBe(false);
   });
 
-  test("strict: MODEL_OVERRIDE=openrouter/... requires OPENROUTER_API_KEY", () => {
+  test("strict: MODEL_OVERRIDE=openrouter/... requires OPENROUTER_API_KEY", async () => {
     const env = { MODEL_OVERRIDE: "openrouter/google/gemini-2.5-flash-lite" };
     expect(
-      checkPiMonoCredentials({ ...env, OPENROUTER_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-        .ready,
+      (
+        await checkPiMonoCredentials(
+          { ...env, OPENROUTER_API_KEY: "x" },
+          { homeDir: HOME, fs: noFiles },
+        )
+      ).ready,
     ).toBe(true);
     expect(
-      checkPiMonoCredentials({ ...env, ANTHROPIC_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-        .ready,
+      (
+        await checkPiMonoCredentials(
+          { ...env, ANTHROPIC_API_KEY: "x" },
+          { homeDir: HOME, fs: noFiles },
+        )
+      ).ready,
     ).toBe(false);
   });
 
-  test("shortname `sonnet` accepts ANTHROPIC_API_KEY *or* OPENROUTER_API_KEY", () => {
+  test("shortname `sonnet` accepts ANTHROPIC_API_KEY *or* OPENROUTER_API_KEY", async () => {
     // Anthropic-shortname models (sonnet/haiku/opus) prefer the native
     // ANTHROPIC_* credential, but pi-mono-adapter reroutes through the
     // OpenRouter mirror when only OPENROUTER_API_KEY is available — so the
@@ -201,76 +236,180 @@ describe("checkPiMonoCredentials", () => {
     // tracked in HEARTBEAT.md (2026-04-13 → 2026-05-11).
     const env = { MODEL_OVERRIDE: "sonnet" };
     expect(
-      checkPiMonoCredentials({ ...env, ANTHROPIC_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-        .ready,
+      (
+        await checkPiMonoCredentials(
+          { ...env, ANTHROPIC_API_KEY: "x" },
+          { homeDir: HOME, fs: noFiles },
+        )
+      ).ready,
     ).toBe(true);
     expect(
-      checkPiMonoCredentials({ ...env, OPENROUTER_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-        .ready,
+      (
+        await checkPiMonoCredentials(
+          { ...env, OPENROUTER_API_KEY: "x" },
+          { homeDir: HOME, fs: noFiles },
+        )
+      ).ready,
     ).toBe(true);
     // Neither key set → still not ready, and missing includes both options.
-    const empty = checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
+    const empty = await checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
     expect(empty.ready).toBe(false);
     expect(empty.missing).toContain("ANTHROPIC_API_KEY");
     expect(empty.missing).toContain("OPENROUTER_API_KEY");
   });
 
-  test("haiku and opus shortnames also accept OPENROUTER_API_KEY", () => {
+  test("haiku and opus shortnames also accept OPENROUTER_API_KEY", async () => {
     for (const model of ["haiku", "opus"]) {
       const env = { MODEL_OVERRIDE: model };
       expect(
-        checkPiMonoCredentials({ ...env, OPENROUTER_API_KEY: "x" }, { homeDir: HOME, fs: noFiles })
-          .ready,
+        (
+          await checkPiMonoCredentials(
+            { ...env, OPENROUTER_API_KEY: "x" },
+            { homeDir: HOME, fs: noFiles },
+          )
+        ).ready,
       ).toBe(true);
     }
   });
 
-  // ─── amazon-bedrock: AWS SDK delegates credential resolution ───────────────
-  // When MODEL_OVERRIDE selects amazon-bedrock, pi-mono routes through the AWS
-  // SDK's default credential chain (env, ~/.aws/*, SSO, IMDS, assume-role,
-  // web-identity, …). agent-swarm does no presence check beyond detecting the
-  // `amazon-bedrock/` prefix — the SDK validates at first inference call.
-  // Mirrors the codex auth.json "presence-only" pattern.
+  // ─── amazon-bedrock prefix inference: probe triggered, result depends on creds ─
+  // When BEDROCK_AUTH_MODE is absent and MODEL_OVERRIDE starts with
+  // "amazon-bedrock/", the probe runs. Tests inject a stub to avoid hitting AWS.
 
-  test("amazon-bedrock: ready (sdk-delegated) with no env vars and no auth.json", () => {
+  test("amazon-bedrock: probe success → ready (sdk-delegated)", async () => {
     const env = { MODEL_OVERRIDE: "amazon-bedrock/anthropic.claude-sonnet-4-20250514-v1:0" };
-    const status = checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeSuccess,
+    });
     expect(status.ready).toBe(true);
     expect(status.satisfiedBy).toBe("sdk-delegated");
     expect(status.missing).toEqual([]);
   });
 
-  test("amazon-bedrock: stays sdk-delegated even when ANTHROPIC_API_KEY is also set", () => {
-    // The Anthropic-shape key is irrelevant here — the model is routed through
-    // AWS Bedrock, not Anthropic. Reporting satisfiedBy="env" would mislead.
+  test("amazon-bedrock: probe success even when ANTHROPIC_API_KEY also set (Bedrock wins)", async () => {
+    // The Anthropic-shape key is irrelevant — model is routed through AWS Bedrock.
     const env = {
       MODEL_OVERRIDE: "amazon-bedrock/anthropic.claude-sonnet-4-20250514-v1:0",
       ANTHROPIC_API_KEY: "x",
     };
-    const status = checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeSuccess,
+    });
     expect(status.ready).toBe(true);
     expect(status.satisfiedBy).toBe("sdk-delegated");
   });
 
-  test("amazon-bedrock: stays sdk-delegated even when auth.json exists", () => {
+  test("amazon-bedrock: probe success even when auth.json exists (Bedrock wins over file)", async () => {
     // auth.json holds Anthropic/OpenRouter/OpenAI creds — none used by Bedrock.
-    // Bedrock branch must win over the file probe.
     const env = { MODEL_OVERRIDE: "amazon-bedrock/anthropic.claude-sonnet-4-20250514-v1:0" };
-    const status = checkPiMonoCredentials(env, {
+    const status = await checkPiMonoCredentials(env, {
       homeDir: HOME,
       fs: fsWith(new Set([AUTH])),
+      bedrockProbe: bedrockProbeSuccess,
     });
     expect(status.ready).toBe(true);
     expect(status.satisfiedBy).toBe("sdk-delegated");
   });
 
-  test("amazon-bedrock: provider-prefix match is case-insensitive", () => {
-    // Mirrors modelToCredKeys' .toLowerCase() at line 54 of pi-mono-adapter.
+  test("amazon-bedrock: provider-prefix match is case-insensitive", async () => {
     const env = { MODEL_OVERRIDE: "Amazon-Bedrock/anthropic.claude-sonnet-4-20250514-v1:0" };
-    const status = checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeSuccess,
+    });
     expect(status.ready).toBe(true);
     expect(status.satisfiedBy).toBe("sdk-delegated");
   });
+
+  test("amazon-bedrock: probe auth failure → ready:false with aws-auth hint", async () => {
+    const env = { MODEL_OVERRIDE: "amazon-bedrock/anthropic.claude-sonnet-4-20250514-v1:0" };
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeAuthFail,
+    });
+    expect(status.ready).toBe(false);
+    expect(status.hint).toContain("aws sso login");
+  });
+
+  test("amazon-bedrock: probe access failure → ready:false with aws-access hint", async () => {
+    const env = { MODEL_OVERRIDE: "amazon-bedrock/anthropic.claude-sonnet-4-20250514-v1:0" };
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeAccessFail,
+    });
+    expect(status.ready).toBe(false);
+    expect(status.hint).toContain("bedrock:InvokeModel");
+  });
+
+  test("amazon-bedrock: probe region failure → ready:false (unclassified hint)", async () => {
+    const env = { MODEL_OVERRIDE: "amazon-bedrock/anthropic.claude-sonnet-4-20250514-v1:0" };
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeRegionFail,
+    });
+    expect(status.ready).toBe(false);
+    // Not matching a known AWS category → raw probe error surfaced in hint
+    expect(status.hint).toBeDefined();
+  });
+
+  // ─── BEDROCK_AUTH_MODE=sdk: explicit mode, decoupled from MODEL_OVERRIDE ────
+
+  test("BEDROCK_AUTH_MODE=sdk: probe triggered even without amazon-bedrock/ prefix", async () => {
+    // Explicit mode — MODEL_OVERRIDE can be anything (or absent); the Bedrock
+    // path is taken because the operator explicitly declared BEDROCK_AUTH_MODE=sdk.
+    const env = { BEDROCK_AUTH_MODE: "sdk", MODEL_OVERRIDE: "some-other-model" };
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeSuccess,
+    });
+    expect(status.ready).toBe(true);
+    expect(status.satisfiedBy).toBe("sdk-delegated");
+  });
+
+  test("BEDROCK_AUTH_MODE=sdk: probe failure → ready:false", async () => {
+    const env = { BEDROCK_AUTH_MODE: "sdk" };
+    const status = await checkPiMonoCredentials(env, {
+      homeDir: HOME,
+      fs: noFiles,
+      bedrockProbe: bedrockProbeAuthFail,
+    });
+    expect(status.ready).toBe(false);
+  });
+
+  test("BEDROCK_AUTH_MODE=bearer: does NOT trigger the sdk probe (falls through)", async () => {
+    // The bearer path is declared/validated but the full implementation is
+    // out of scope for PR1. With no other credentials set it should be not-ready
+    // via the standard permissive check, not via the sdk probe.
+    const env = { BEDROCK_AUTH_MODE: "bearer" };
+    // No other keys set, no auth.json → not-ready from the permissive path.
+    const status = await checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
+    expect(status.ready).toBe(false);
+    // Satisfying via any standard key still works for the bearer mode (PR1 scope).
+    const withKey = await checkPiMonoCredentials(
+      { BEDROCK_AUTH_MODE: "bearer", ANTHROPIC_API_KEY: "x" },
+      { homeDir: HOME, fs: noFiles },
+    );
+    expect(withKey.ready).toBe(true);
+    expect(withKey.satisfiedBy).toBe("env");
+  });
+
+  test("BEDROCK_AUTH_MODE absent + no MODEL_OVERRIDE=amazon-bedrock: no probe", async () => {
+    // Fallback inference: neither BEDROCK_AUTH_MODE nor an amazon-bedrock MODEL_OVERRIDE
+    // → standard permissive path, no AWS call.
+    const env = { ANTHROPIC_API_KEY: "x" };
+    const status = await checkPiMonoCredentials(env, { homeDir: HOME, fs: noFiles });
+    expect(status.ready).toBe(true);
+    expect(status.satisfiedBy).toBe("env");
+  });
 });
 
 // ─── opencode ────────────────────────────────────────────────────────────────

package/src/tests/harness-provider-resolution.test.ts

@@ -171,6 +171,29 @@ describe("validateConfigValue", () => {
     );
     expect(validateConfigValue("SWARM_USE_CLAUDE_BRIDGE", true)).toMatch(/SWARM_USE_CLAUDE_BRIDGE/);
   });
+
+  test("accepts valid BEDROCK_AUTH_MODE values: sdk, bearer", () => {
+    expect(validateConfigValue("BEDROCK_AUTH_MODE", "sdk")).toBeNull();
+    expect(validateConfigValue("BEDROCK_AUTH_MODE", "bearer")).toBeNull();
+    // key lookup is case-insensitive
+    expect(validateConfigValue("bedrock_auth_mode", "sdk")).toBeNull();
+  });
+
+  test("rejects invalid BEDROCK_AUTH_MODE values with a helpful error", () => {
+    const badValues = ["Sdk", "SDK", "BEARER", "iam", "sso", "basic", "", " sdk"];
+    for (const bad of badValues) {
+      const err = validateConfigValue("BEDROCK_AUTH_MODE", bad);
+      expect(err).not.toBeNull();
+      expect(err).toMatch(/BEDROCK_AUTH_MODE/);
+      expect(err).toMatch(/sdk/);
+      expect(err).toMatch(/bearer/);
+    }
+  });
+
+  test("BEDROCK_AUTH_MODE is optional — absent key is not validated (returns null)", () => {
+    // Undefined / unset key → no validator → null (no error)
+    expect(validateConfigValue("OTHER_KEY", "sdk")).toBeNull();
+  });
 });
 
 // ─── getResolvedConfig — scope precedence for HARNESS_PROVIDER ───────────────

package/src/tests/mcp-oauth-queries.test.ts

@@ -1,6 +1,13 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { unlink } from "node:fs/promises";
-import { closeDb, createMcpServer, createUser, initDb } from "../be/db";
+import {
+  closeDb,
+  createMcpServer,
+  createUser,
+  getMcpServerById,
+  initDb,
+  updateMcpServer,
+} from "../be/db";
 import {
   consumeMcpOAuthPending,
   deleteMcpOAuthToken,
@@ -221,6 +228,69 @@ describe("mcp_oauth_pending (state PK)", () => {
   });
 });
 
+describe("mcp_servers.extraAuthorizeParams round-trip", () => {
+  test("createMcpServer persists extraAuthorizeParams", () => {
+    const server = createMcpServer({
+      name: "bigquery-mcp",
+      transport: "http",
+      url: "https://bigquery.googleapis.com/",
+      scope: "swarm",
+      extraAuthorizeParams: '{"access_type":"offline","prompt":"consent"}',
+    });
+    expect(server.extraAuthorizeParams).toBe('{"access_type":"offline","prompt":"consent"}');
+
+    const fetched = getMcpServerById(server.id);
+    expect(fetched).not.toBeNull();
+    expect(fetched!.extraAuthorizeParams).toBe('{"access_type":"offline","prompt":"consent"}');
+  });
+
+  test("createMcpServer with no extraAuthorizeParams defaults to null", () => {
+    const server = createMcpServer({
+      name: "hubspot-mcp",
+      transport: "http",
+      url: "https://api.hubspot.com/",
+      scope: "swarm",
+    });
+    expect(server.extraAuthorizeParams).toBeNull();
+  });
+
+  test("updateMcpServer persists extraAuthorizeParams and bumps version", () => {
+    const server = createMcpServer({
+      name: "gdrive-mcp",
+      transport: "http",
+      url: "https://www.googleapis.com/drive/v3/",
+      scope: "swarm",
+    });
+    const versionBefore = server.version;
+
+    const updated = updateMcpServer(server.id, {
+      extraAuthorizeParams: '{"access_type":"offline","prompt":"consent"}',
+    });
+    expect(updated).not.toBeNull();
+    expect(updated!.extraAuthorizeParams).toBe('{"access_type":"offline","prompt":"consent"}');
+    expect(updated!.version).toBe(versionBefore + 1);
+  });
+
+  test("updateMcpServer can clear extraAuthorizeParams to null without bumping version twice", () => {
+    const server = createMcpServer({
+      name: "sheets-mcp",
+      transport: "http",
+      url: "https://sheets.googleapis.com/",
+      scope: "swarm",
+      extraAuthorizeParams: '{"access_type":"offline"}',
+    });
+
+    const cleared = updateMcpServer(server.id, { extraAuthorizeParams: undefined });
+    // No extraAuthorizeParams key → no version bump, field untouched
+    expect(cleared!.extraAuthorizeParams).toBe('{"access_type":"offline"}');
+    expect(cleared!.version).toBe(server.version);
+
+    const nulled = updateMcpServer(server.id, { extraAuthorizeParams: null as unknown as string });
+    expect(nulled!.extraAuthorizeParams).toBeNull();
+    expect(nulled!.version).toBe(server.version + 1);
+  });
+});
+
 describe("mcp_servers.authMethod accessor", () => {
   test("default is 'static' for newly created servers", () => {
     const server = makeServer("mcp-auth-default");

package/src/tests/mcp-oauth-wrapper.test.ts

@@ -137,6 +137,115 @@ describe("buildAuthorizeUrl (PKCE S256, RFC 8707)", () => {
     });
     expect(new URL(result.url).searchParams.has("scope")).toBe(false);
   });
+
+  test("extraParams are appended to the authorize URL (e.g. BigQuery offline access)", async () => {
+    const result = await buildAuthorizeUrl({
+      authorizeUrl: "https://as.example.com/authorize",
+      tokenUrl: "https://as.example.com/token",
+      clientId: "bq-client",
+      redirectUri: "https://swarm.example.com/callback",
+      scopes: ["https://www.googleapis.com/auth/bigquery"],
+      resource: "https://bigquery.googleapis.com/",
+      extraParams: { access_type: "offline", prompt: "consent" },
+    });
+
+    const u = new URL(result.url);
+    expect(u.searchParams.get("access_type")).toBe("offline");
+    expect(u.searchParams.get("prompt")).toBe("consent");
+  });
+
+  test("extraParams cannot override reserved OAuth params (redirect_uri, state, etc.)", async () => {
+    const result = await buildAuthorizeUrl({
+      authorizeUrl: "https://as.example.com/authorize",
+      tokenUrl: "https://as.example.com/token",
+      clientId: "c",
+      redirectUri: "https://swarm.example.com/cb",
+      scopes: ["read"],
+      resource: "https://mcp.example.com/",
+      state: "safe-state",
+      extraParams: {
+        redirect_uri: "https://evil.com",
+        state: "injected",
+        code_challenge: "malicious",
+        code_challenge_method: "plain",
+        response_type: "token",
+        client_id: "attacker",
+        scope: "admin",
+        resource: "https://evil.com/",
+      },
+    });
+    const u = new URL(result.url);
+    expect(u.searchParams.get("redirect_uri")).toBe("https://swarm.example.com/cb");
+    expect(u.searchParams.get("state")).toBe("safe-state");
+    expect(u.searchParams.get("code_challenge_method")).toBe("S256");
+    expect(u.searchParams.get("response_type")).toBe("code");
+    expect(u.searchParams.get("client_id")).toBe("c");
+    expect(u.searchParams.get("resource")).toBe("https://mcp.example.com/");
+    // Attacker values must not have landed
+    const challenge = u.searchParams.get("code_challenge");
+    expect(challenge).not.toBeNull();
+    expect(challenge).not.toBe("malicious");
+    expect(u.searchParams.get("scope")).toBe("read");
+  });
+
+  test("mixed-case reserved keys in extraParams are rejected (case-insensitive guard)", async () => {
+    const result = await buildAuthorizeUrl({
+      authorizeUrl: "https://as.example.com/authorize",
+      tokenUrl: "https://as.example.com/token",
+      clientId: "c",
+      redirectUri: "https://swarm.example.com/cb",
+      scopes: ["read"],
+      resource: "https://mcp.example.com/",
+      state: "safe-state",
+      extraParams: {
+        Redirect_Uri: "https://evil.example",
+        STATE: "evil-state",
+        Code_Challenge: "malicious-challenge",
+        SCOPE: "admin",
+      },
+    });
+    const u = new URL(result.url);
+    // Attacker mixed-case keys must NOT appear in the URL
+    expect(u.searchParams.get("Redirect_Uri")).toBeNull();
+    expect(u.searchParams.get("STATE")).toBeNull();
+    expect(u.searchParams.get("Code_Challenge")).toBeNull();
+    expect(u.searchParams.get("SCOPE")).toBeNull();
+    // Core params must retain their original legitimate values
+    expect(u.searchParams.get("redirect_uri")).toBe("https://swarm.example.com/cb");
+    expect(u.searchParams.get("state")).toBe("safe-state");
+    expect(u.searchParams.get("scope")).toBe("read");
+  });
+
+  test("null/undefined extraParams leaves URL unchanged (no blast radius for existing servers)", async () => {
+    const withExtra = await buildAuthorizeUrl({
+      authorizeUrl: "https://as.example.com/authorize",
+      tokenUrl: "https://as.example.com/token",
+      clientId: "c",
+      redirectUri: "https://swarm.example.com/cb",
+      scopes: ["read"],
+      resource: "https://mcp.example.com/",
+      extraParams: { access_type: "offline" },
+      state: "fixed-state",
+    });
+
+    const withoutExtra = await buildAuthorizeUrl({
+      authorizeUrl: "https://as.example.com/authorize",
+      tokenUrl: "https://as.example.com/token",
+      clientId: "c",
+      redirectUri: "https://swarm.example.com/cb",
+      scopes: ["read"],
+      resource: "https://mcp.example.com/",
+      state: "fixed-state",
+    });
+
+    const uWith = new URL(withExtra.url);
+    const uWithout = new URL(withoutExtra.url);
+    expect(uWith.searchParams.has("access_type")).toBe(true);
+    expect(uWithout.searchParams.has("access_type")).toBe(false);
+    // Core params are identical
+    expect(uWith.searchParams.get("client_id")).toBe(uWithout.searchParams.get("client_id"));
+    expect(uWith.searchParams.get("state")).toBe(uWithout.searchParams.get("state"));
+  });
 });
 
 // ─── Discovery (PRMD + AS metadata) ──────────────────────────────────────────

package/src/tests/opencode-adapter.test.ts

@@ -7,7 +7,7 @@
  */
 
 import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-import { writeFileSync } from "node:fs";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import type { Event as OpencodeEvent } from "@opencode-ai/sdk";
 import type { ProviderEvent, ProviderResult, ProviderSessionConfig } from "../providers/types";
@@ -614,16 +614,22 @@ describe("OpencodeSession — context_usage emission (phase 9 fix)", () => {
 // ── DES-300: per-task isolation ────────────────────────────────────────────────
 
 describe("OpencodeAdapter — per-task isolation (DES-300)", () => {
+  let prevOpencodeSkillsDir: string | undefined;
+
   beforeEach(() => {
+    prevOpencodeSkillsDir = process.env.OPENCODE_SKILLS_DIR;
     lastPromptArgs = undefined;
     lastCreateOpencodeConfig = undefined;
     mock.restore();
   });
 
   afterEach(() => {
+    if (prevOpencodeSkillsDir === undefined) delete process.env.OPENCODE_SKILLS_DIR;
+    else process.env.OPENCODE_SKILLS_DIR = prevOpencodeSkillsDir;
     // Clean up any written files from tests
     Bun.$`rm -rf /tmp/opencode-task-1.json /tmp/opencode-data-task-1`.quiet().nothrow();
     Bun.$`rm -rf /tmp/test/.opencode`.quiet().nothrow();
+    rmSync("/tmp/opencode-skills-test", { recursive: true, force: true });
   });
 
   test("session.prompt receives agent=swarm-<taskId>", async () => {
@@ -638,6 +644,28 @@ describe("OpencodeAdapter — per-task isolation (DES-300)", () => {
     expect(args.body?.agent).toBe("swarm-task-1");
   });
 
+  test("inlines a leading slash skill before sending prompt", async () => {
+    const skillDir = "/tmp/opencode-skills-test/work-on-task";
+    mkdirSync(skillDir, { recursive: true });
+    writeFileSync(join(skillDir, "SKILL.md"), "Use the task worker procedure.");
+    process.env.OPENCODE_SKILLS_DIR = "/tmp/opencode-skills-test";
+
+    const events: OpencodeEvent[] = [
+      { type: "session.idle", properties: { sessionID: "sess-abc-123" } },
+    ];
+    const cfg = testConfig({
+      taskId: "task-1",
+      prompt: "/work-on-task task-123\n\nTask body.",
+    });
+    await driveSession(events, cfg);
+
+    const args = lastPromptArgs as { body?: { parts?: Array<{ type: string; text: string }> } };
+    const text = args.body?.parts?.[0]?.text ?? "";
+    expect(text).toStartWith("Use the task worker procedure.");
+    expect(text).toContain("User request: task-123\n\nTask body.");
+    expect(text).not.toContain("/work-on-task task-123");
+  });
+
   test("createOpencode receives config with model, mcp.swarm, and permission", async () => {
     const events: OpencodeEvent[] = [
       { type: "session.idle", properties: { sessionID: "sess-abc-123" } },

package/src/tests/provider-command-format.test.ts

@@ -2,12 +2,14 @@ import { describe, expect, test } from "bun:test";
 import { ClaudeAdapter } from "../providers/claude-adapter";
 import { CodexAdapter } from "../providers/codex-adapter";
 import { createProviderAdapter } from "../providers/index";
+import { OpencodeAdapter } from "../providers/opencode-adapter";
 import { PiMonoAdapter } from "../providers/pi-mono-adapter";
 
 describe("ProviderAdapter.formatCommand", () => {
   const claude = new ClaudeAdapter();
   const pi = new PiMonoAdapter();
   const codex = new CodexAdapter();
+  const opencode = new OpencodeAdapter();
 
   test("claude formats commands with / prefix", () => {
     expect(claude.formatCommand("work-on-task")).toBe("/work-on-task");
@@ -31,22 +33,32 @@ describe("ProviderAdapter.formatCommand", () => {
     expect(codex.formatCommand("swarm-chat")).toBe("/swarm-chat");
   });
 
+  test("opencode formats commands with / prefix (skill resolver inlines SKILL.md at runtime)", () => {
+    expect(opencode.formatCommand("work-on-task")).toBe("/work-on-task");
+    expect(opencode.formatCommand("review-offered-task")).toBe("/review-offered-task");
+    expect(opencode.formatCommand("swarm-chat")).toBe("/swarm-chat");
+  });
+
   test("adapter name matches expected provider", () => {
     expect(claude.name).toBe("claude");
     expect(pi.name).toBe("pi");
     expect(codex.name).toBe("codex");
+    expect(opencode.name).toBe("opencode");
   });
 
   test("createProviderAdapter returns adapters that implement formatCommand", async () => {
     const claudeAdapter = await createProviderAdapter("claude");
     const piAdapter = await createProviderAdapter("pi");
     const codexAdapter = await createProviderAdapter("codex");
+    const opencodeAdapter = await createProviderAdapter("opencode");
     expect(typeof claudeAdapter.formatCommand).toBe("function");
     expect(typeof piAdapter.formatCommand).toBe("function");
     expect(typeof codexAdapter.formatCommand).toBe("function");
+    expect(typeof opencodeAdapter.formatCommand).toBe("function");
     expect(claudeAdapter.formatCommand("work-on-task")).toBe("/work-on-task");
     expect(piAdapter.formatCommand("work-on-task")).toBe("/skill:work-on-task");
     expect(codexAdapter.formatCommand("work-on-task")).toBe("/work-on-task");
+    expect(opencodeAdapter.formatCommand("work-on-task")).toBe("/work-on-task");
   });
 });