@desplega.ai/agent-swarm 1.94.0 → 1.96.0

package/src/be/skill-sync.ts

@@ -1,9 +1,8 @@
 /**
  * Filesystem sync for skills.
  *
- * Writes installed skills to ~/.claude/skills/<name>/SKILL.md,
- * ~/.pi/agent/skills/<name>/SKILL.md, and ~/.codex/skills/<name>/SKILL.md
- * so Claude Code, Pi, and Codex discover them natively.
+ * Writes installed skills to every local harness skill tree so Claude Code,
+ * Pi, Codex, OpenCode, and AGENTS.md-compatible adapters can discover them.
  *
  * This runs on the API side — workers call it via POST /api/skills/sync-filesystem.
  * The actual FS write logic lives in the worker-safe src/utils/skill-fs-writer.ts
@@ -13,6 +12,7 @@
 import { homedir } from "node:os";
 import {
   type SkillFsEntry,
+  type SkillHarnessTarget,
   type SkillSyncResult,
   writeSkillsToFilesystem,
 } from "../utils/skill-fs-writer";
@@ -32,7 +32,7 @@ export type { SkillSyncResult };
  */
 export function syncSkillsToFilesystem(
   agentId: string,
-  harnessType: "claude" | "pi" | "codex" | "all" = "all",
+  harnessType: SkillHarnessTarget = "all",
   homeOverride?: string,
 ): SkillSyncResult {
   const skills = getAgentSkills(agentId);

package/src/be/swarm-config-guard.ts

@@ -58,6 +58,14 @@ const VALIDATED_KEYS: Record<string, (value: unknown) => string | null> = {
     if (["true", "false", "1", "0"].includes(normalized)) return null;
     return "Invalid SWARM_USE_CLAUDE_BRIDGE value (must be one of: true, false, 1, 0)";
   },
+  // AWS credential mode for the Bedrock path on the pi harness.
+  //   sdk    — AWS SDK default credential chain (env, ~/.aws/*, SSO, IMDS, …)
+  //   bearer — explicit bearer token via AWS_BEARER_TOKEN_BEDROCK (future/Mantle)
+  // When absent the worker infers the mode from MODEL_OVERRIDE (sdk semantics).
+  BEDROCK_AUTH_MODE: (value) => {
+    if (value === "sdk" || value === "bearer") return null;
+    return "Invalid BEDROCK_AUTH_MODE value (must be one of: sdk, bearer)";
+  },
 };
 
 export function validateConfigValue(key: string, value: unknown): string | null {

package/src/commands/provider-credentials.ts

@@ -29,6 +29,21 @@ import { scrubSecrets } from "../utils/secret-scrubber";
 
 export type SupportedProvider = "claude" | "claude-managed" | "codex" | "devin" | "opencode" | "pi";
 
+/**
+ * True when the pi harness should use the AWS SDK Bedrock path: either an
+ * explicit `BEDROCK_AUTH_MODE=sdk`, or — preserving prefix-inference semantics —
+ * `BEDROCK_AUTH_MODE` absent with a `MODEL_OVERRIDE=amazon-bedrock/*` selection.
+ * Single source of truth for the gate so the live-test arm and the worker
+ * reconcile loop agree with `checkPiMonoCredentials`.
+ */
+export function isBedrockSdkMode(env: Record<string, string | undefined>): boolean {
+  const mode = env.BEDROCK_AUTH_MODE?.toLowerCase();
+  return (
+    mode === "sdk" ||
+    (mode === undefined && Boolean(env.MODEL_OVERRIDE?.toLowerCase().startsWith("amazon-bedrock/")))
+  );
+}
+
 /**
  * Static documentation of which env vars each provider considers when running
  * `checkCredentials`. Used by the dashboard to render hints before any worker
@@ -243,7 +258,7 @@ function parseCodexOAuthAccess(blob: string | undefined): string | null {
  * | `codex`          | `~/.codex/auth.json` (file) → `CODEX_OAUTH` (env OAuth) → `OPENAI_API_KEY` | OpenAI `/v1/models` (api-key path only) |
  * | `opencode`       | `OPENROUTER_API_KEY` → `ANTHROPIC_API_KEY` → `OPENAI_API_KEY` (pi-style) | matching provider's `/v1/models` |
  * | `pi`             | `OPENROUTER_API_KEY` → `ANTHROPIC_API_KEY` → `OPENAI_API_KEY`           | matching provider's `/v1/models` |
- * | `pi` (bedrock)   | `MODEL_OVERRIDE=amazon-bedrock/*` → AWS SDK default credential chain    | presence-only (validated at first inference call) |
+ * | `pi` (bedrock)   | `MODEL_OVERRIDE=amazon-bedrock/*` → AWS SDK default credential chain    | presence-only (real check is the worker-side Bedrock enumeration) |
  * | `devin`          | `DEVIN_API_KEY` (+ `DEVIN_API_BASE_URL` override)                       | `${baseUrl}/v1/sessions?limit=1` |
  *
  * Returns `{ok: true, latency_ms}` on 2xx, `{ok: false, error, latency_ms}`
@@ -302,14 +317,14 @@ export async function validateProviderCredentials(provider: string): Promise<Liv
       }
       case "pi":
       case "opencode": {
-        // pi-mono with MODEL_OVERRIDE=amazon-bedrock/* delegates credential
-        // resolution to the AWS SDK default chain (env, ~/.aws/*, SSO, IMDS,
-        // assume-role, …). pi-ai exposes no Bedrock-specific check we could
-        // call here, and the SDK chain may issue slow IMDS network calls on
-        // non-EC2 hosts — so the live test is a presence check, mirroring the
-        // codex-OAuth pattern above. Real validation happens at the first
-        // Bedrock inference call.
-        if (provider === "pi" && env.MODEL_OVERRIDE?.toLowerCase().startsWith("amazon-bedrock/")) {
+        // For the pi Bedrock path, the real credential check is the AWS SDK
+        // enumeration (`ListFoundationModels` + `ListInferenceProfiles`) that
+        // `checkProviderCredentials` (the `pi` dynamic-import arm) already ran.
+        // That result is already in `buildCredStatusReport` — the live-test is a
+        // pass-through / no-op so we never issue a second AWS SDK call here
+        // (which would drag the SDK into the wrong binary or make slow IMDS
+        // calls on non-EC2 hosts).
+        if (provider === "pi" && isBedrockSdkMode(env)) {
           return presenceCheckOk();
         }
         // Both pi-mono and opencode resolve credentials in the same order:
@@ -402,6 +417,18 @@ export async function buildCredStatusReport(
       testedAt: Date.now(),
     };
   }
+  // Include the Bedrock enumeration block when the pi probe ran in Bedrock SDK
+  // mode (bedrockRegion is only set by checkPiMonoCredentials in that branch).
+  const bedrock: AgentCredStatus["bedrock"] =
+    presence.bedrockRegion !== undefined
+      ? {
+          region: presence.bedrockRegion,
+          probedAt: Date.now(),
+          ready: presence.ready,
+          models: presence.bedrockModels ?? [],
+          error: presence.ready ? undefined : (presence.hint ?? undefined),
+        }
+      : null;
   return {
     ready: presence.ready,
     missing: presence.missing ?? [],
@@ -411,6 +438,7 @@ export async function buildCredStatusReport(
     latestModel: null,
     reportedAt: Date.now(),
     reportKind: kind,
+    bedrock,
   };
 }
 

package/src/commands/runner.ts

@@ -60,6 +60,7 @@ import { resolveClaudeMdPath, syncProfileFilesToServer } from "./profile-sync.ts
 import {
   buildCredStatusReport,
   buildLatestModelReport,
+  isBedrockSdkMode,
   isCredCheckDisabled,
   reportCredStatus,
   reportLatestModel,
@@ -436,6 +437,7 @@ const RELOADABLE_ENV_KEYS: ReadonlySet<string> = new Set([
   "MODEL_OVERRIDE",
   "AGENT_FS_SHARED_ORG_ID",
   "SWARM_USE_CLAUDE_BRIDGE",
+  "BEDROCK_AUTH_MODE",
 ]);
 
 /**
@@ -3847,6 +3849,16 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
   let lastHarnessReconcileAt = 0;
   const HARNESS_RECONCILE_INTERVAL_MS = 10_000;
 
+  // Throttle for the periodic Bedrock model-enumeration refresh. The credential
+  // report below only re-runs on a harness_provider change (boot + provider
+  // swap), so enabling Bedrock access after boot would otherwise never reach the
+  // picker. This timer re-runs the enumeration on a fixed interval, decoupled
+  // from the harness-change gate, so the UI stays accurate. 5 minutes keeps it
+  // cheap (one bounded AWS enumeration per tick) while still surfacing newly
+  // granted access within a few minutes.
+  let lastBedrockRefreshAt = 0;
+  const BEDROCK_REFRESH_INTERVAL_MS = 5 * 60 * 1000;
+
   // Create API config for ping/close
   const apiConfig: ApiConfig = { apiUrl, apiKey, agentId };
 
@@ -4571,6 +4583,22 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
           .catch((err) =>
             console.warn(`[${role}] cred_status post_task report failed (non-fatal): ${err}`),
           );
+      } else if (
+        currentHarness === "pi" &&
+        isBedrockSdkMode(process.env) &&
+        Date.now() - lastBedrockRefreshAt > BEDROCK_REFRESH_INTERVAL_MS
+      ) {
+        // Bedrock enumeration drifts independently of the harness_provider:
+        // access granted (or revoked) in the AWS console after boot won't flip
+        // the provider, so the harness-change gate above never fires. Re-run the
+        // enumeration on the throttled interval so the picker reflects the live
+        // account state. One bounded AWS round-trip per tick.
+        lastBedrockRefreshAt = Date.now();
+        buildCredStatusReport(currentHarness, process.env, {}, "post_task")
+          .then((snap) => reportCredStatus(apiUrl, apiKey, agentId, snap))
+          .catch((err) =>
+            console.warn(`[${role}] bedrock enumeration refresh failed (non-fatal): ${err}`),
+          );
       }
     }
 

package/src/http/agents.ts

@@ -615,6 +615,7 @@ export async function handleAgentsRest(
         latestModel: null,
         reportedAt: parsed.body.latest_model.reportedAt,
         reportKind: "post_task" as const,
+        bedrock: null,
       };
       finalAgent =
         updateAgentCredStatus(parsed.params.id, {

package/src/http/config.ts

@@ -14,6 +14,7 @@ import {
   reservedKeyError,
   validateConfigValue,
 } from "../be/swarm-config-guard";
+import { registerVolatileSecret } from "../utils/secret-scrubber";
 import { reloadGlobalConfigsAndIntegrations, scheduleIntegrationsReload } from "./core";
 import { route } from "./route-def";
 import { json, jsonError } from "./utils";
@@ -152,7 +153,15 @@ export async function handleConfig(
       parsed.query.agentId || undefined,
       parsed.query.repoId || undefined,
     );
-    json(res, { configs: includeSecrets ? configs : maskSecrets(configs) });
+    const result = includeSecrets ? configs : maskSecrets(configs);
+    if (includeSecrets) {
+      for (const c of result) {
+        if (c.isSecret && c.value) {
+          registerVolatileSecret(c.value, `config:${c.key}`);
+        }
+      }
+    }
+    json(res, { configs: result });
     return true;
   }
 
@@ -199,8 +208,11 @@ export async function handleConfig(
       jsonError(res, "Config not found", 404);
       return true;
     }
-    const result = includeSecrets ? config : maskSecrets([config])[0];
-    json(res, result);
+    const singleResult = includeSecrets ? config : maskSecrets([config])[0]!;
+    if (includeSecrets && singleResult.isSecret && singleResult.value) {
+      registerVolatileSecret(singleResult.value, `config:${singleResult.key}`);
+    }
+    json(res, singleResult);
     return true;
   }
 
@@ -212,7 +224,15 @@ export async function handleConfig(
       scope: parsed.query.scope || undefined,
       scopeId: parsed.query.scopeId || undefined,
     });
-    json(res, { configs: includeSecrets ? configs : maskSecrets(configs) });
+    const listResult = includeSecrets ? configs : maskSecrets(configs);
+    if (includeSecrets) {
+      for (const c of listResult) {
+        if (c.isSecret && c.value) {
+          registerVolatileSecret(c.value, `config:${c.key}`);
+        }
+      }
+    }
+    json(res, { configs: listResult });
     return true;
   }
 

package/src/http/index.ts

@@ -576,6 +576,15 @@ httpServer
       .catch((err) => {
         console.error("[boot-reembed-scripts] startup backfill failed (non-fatal):", err);
       });
+
+    // One-time scrub: retroactively redact any session_logs rows containing
+    // sensitive patterns that pre-date the defense-in-depth scrub layer.
+    // Idempotent, tracked via seed_state.
+    import("../be/boot-scrub-logs")
+      .then(({ runBootScrubLogs }) => runBootScrubLogs())
+      .catch((err) => {
+        console.error("[boot-scrub-logs] startup scrub failed (non-fatal):", err);
+      });
   })
   .on("error", (err) => {
     console.error("HTTP Server Error:", err);

package/src/http/mcp-oauth.ts

@@ -362,6 +362,19 @@ async function prepareAuthorizeFlow(
 
   const scopes = q.scopes ? splitScopes(q.scopes) : client.scopes;
 
+  let extraParams: Record<string, string> | undefined;
+  if (server.extraAuthorizeParams) {
+    try {
+      const parsed = JSON.parse(server.extraAuthorizeParams);
+      if (parsed && typeof parsed === "object") {
+        extraParams = Object.fromEntries(Object.entries(parsed).map(([k, v]) => [k, String(v)]));
+      }
+    } catch {
+      // Malformed config must never break the authorize flow — log + ignore.
+      console.warn(`[mcp-oauth] Ignoring malformed extraAuthorizeParams for server ${mcpServerId}`);
+    }
+  }
+
   const built = await buildAuthorizeUrl({
     authorizeUrl: client.authorizeUrl,
     tokenUrl: client.tokenUrl,
@@ -369,6 +382,7 @@ async function prepareAuthorizeFlow(
     redirectUri: callbackRedirectUri(),
     scopes,
     resource: client.resourceUrl,
+    extraParams,
   });
 
   insertMcpOAuthPending({

package/src/oauth/mcp-wrapper.ts

@@ -287,7 +287,21 @@ export async function buildAuthorizeUrl(input: BuildAuthorizeInput): Promise<Bui
   url.searchParams.set("resource", input.resource);
 
   if (input.extraParams) {
+    const RESERVED = new Set([
+      "response_type",
+      "client_id",
+      "redirect_uri",
+      "scope",
+      "state",
+      "code_challenge",
+      "code_challenge_method",
+      "resource",
+    ]);
     for (const [k, v] of Object.entries(input.extraParams)) {
+      if (RESERVED.has(k.toLowerCase())) {
+        console.warn(`[mcp-oauth] extraParams key "${k}" is reserved and skipped`);
+        continue;
+      }
       url.searchParams.set(k, v);
     }
   }

package/src/prompts/session-templates.ts

@@ -158,6 +158,27 @@ When you finish a task:
 - **Failure**: Use \`store-progress\` with status: "failed" and failureReason: "<what went wrong>"
 
 Always include meaningful output - the lead agent reviews your work.
+
+#### Credential Hygiene
+
+When you retrieve secrets via \`get-config\` (with \`includeSecrets: true\`), **never pass secret values directly on a command line or embed them in tool output**. Command arguments are logged.
+
+**Safe pattern:** Write the secret to a temporary \`.env\` file, then source it:
+\`\`\`bash
+# Write to temp file (not logged)
+echo "MY_TOKEN=<value>" > /tmp/.task-env && source /tmp/.task-env
+# Use the variable (value stays out of logs)
+curl -H "Authorization: Bearer $MY_TOKEN" https://api.example.com
+rm /tmp/.task-env
+\`\`\`
+
+**Unsafe pattern (NEVER do this):**
+\`\`\`bash
+# The literal secret appears in the logged command
+curl -H "Authorization: Bearer lin_oauth_abc123..." https://api.example.com
+\`\`\`
+
+The same applies to \`store-progress\` output — never include raw secret values in progress text, output, or failure reasons.
 `,
   variables: [],
   category: "system",

package/src/providers/codex-skill-resolver.ts

@@ -63,6 +63,21 @@ export async function resolveCodexPrompt(
   prompt: string,
   skillsDir?: string,
   emit?: (event: ProviderEvent) => void,
+): Promise<string> {
+  return resolveSlashSkillPrompt(prompt, {
+    providerLabel: "codex",
+    skillsDir: skillsDir ?? defaultSkillsDir(),
+    emit,
+  });
+}
+
+export async function resolveSlashSkillPrompt(
+  prompt: string,
+  opts: {
+    providerLabel: string;
+    skillsDir: string;
+    emit?: (event: ProviderEvent) => void;
+  },
 ): Promise<string> {
   if (!prompt) {
     return prompt;
@@ -81,15 +96,14 @@ export async function resolveCodexPrompt(
 
   const commandName: string = match[1];
   const trailingArgs: string = match[2] ?? "";
-  const dir = skillsDir ?? defaultSkillsDir();
-  const skillPath = join(dir, commandName, "SKILL.md");
+  const skillPath = join(opts.skillsDir, commandName, "SKILL.md");
 
   const file = Bun.file(skillPath);
   const exists = await file.exists();
   if (!exists) {
-    emit?.({
+    opts.emit?.({
       type: "raw_stderr",
-      content: `[codex] skill resolver: SKILL.md not found for /${commandName} (looked in ${skillPath})\n`,
+      content: `[${opts.providerLabel}] skill resolver: SKILL.md not found for /${commandName} (looked in ${skillPath})\n`,
     });
     return prompt;
   }
@@ -99,17 +113,17 @@ export async function resolveCodexPrompt(
     skillContent = await file.text();
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    emit?.({
+    opts.emit?.({
       type: "raw_stderr",
-      content: `[codex] skill resolver: failed to read SKILL.md for /${commandName}: ${message}\n`,
+      content: `[${opts.providerLabel}] skill resolver: failed to read SKILL.md for /${commandName}: ${message}\n`,
     });
     return prompt;
   }
 
   if (skillContent.length > MAX_SKILL_CHARS) {
-    emit?.({
+    opts.emit?.({
       type: "raw_stderr",
-      content: `[codex] skill resolver: SKILL.md for /${commandName} exceeds ${MAX_SKILL_CHARS} chars (${skillContent.length}), truncating\n`,
+      content: `[${opts.providerLabel}] skill resolver: SKILL.md for /${commandName} exceeds ${MAX_SKILL_CHARS} chars (${skillContent.length}), truncating\n`,
     });
     skillContent = skillContent.slice(0, MAX_SKILL_CHARS);
   }

package/src/providers/opencode-adapter.ts

@@ -20,6 +20,7 @@ import {
 import { validateOpencodeCredentials } from "../utils/credentials";
 import { fetchInstalledMcpServers } from "../utils/mcp-server-fetcher";
 import { scrubSecrets } from "../utils/secret-scrubber";
+import { resolveSlashSkillPrompt } from "./codex-skill-resolver";
 import { CTX_MODE_NUDGE_EVERY } from "./ctx-mode-env";
 import { readPkgVersion } from "./harness-version";
 import type {
@@ -102,6 +103,13 @@ function isAssistantMessage(msg: unknown): msg is AssistantMessage {
 }
 
 const DOCKER_PLUGIN_PATH = "/home/worker/.config/opencode/plugins/agent-swarm.ts";
+
+function defaultOpencodeSkillsDir(): string {
+  if (process.env.OPENCODE_SKILLS_DIR) {
+    return process.env.OPENCODE_SKILLS_DIR;
+  }
+  return join(process.env.HOME ?? "/home/worker", ".opencode", "skills");
+}
 const MODEL_CACHE_REFRESH_TIMEOUT_MS = 15_000;
 
 function isOpenRouterModel(model: string | undefined): boolean {
@@ -291,6 +299,10 @@ export class OpencodeSession implements ProviderSession {
     });
   }
 
+  emitProviderEvent(event: ProviderEvent): void {
+    this.emit(event);
+  }
+
   onEvent(listener: (event: ProviderEvent) => void): void {
     const wasEmpty = this.listeners.length === 0;
     this.listeners.push(listener);
@@ -738,13 +750,19 @@ export class OpencodeAdapter implements ProviderAdapter {
 
     let promptRefreshAttempted = false;
     let promptRefreshPromise: Promise<boolean> | undefined;
+    let session: OpencodeSession | undefined;
     const sendPrompt = async () => {
+      const resolvedPrompt = await resolveSlashSkillPrompt(config.prompt, {
+        providerLabel: "opencode",
+        skillsDir: defaultOpencodeSkillsDir(),
+        emit: (event) => session?.emitProviderEvent(event),
+      });
       await client.session.prompt({
         path: { id: sessionId },
         query: { directory: config.cwd },
         body: {
           agent: agentName,
-          parts: [{ type: "text", text: config.prompt }],
+          parts: [{ type: "text", text: resolvedPrompt }],
         },
       });
     };
@@ -760,7 +778,7 @@ export class OpencodeAdapter implements ProviderAdapter {
       return await promptRefreshPromise;
     };
 
-    const session = new OpencodeSession(
+    session = new OpencodeSession(
       sessionId,
       server,
       config.model,