opencode-swarm-plugin 0.12.4 → 0.12.6

package/src/beads.ts

@@ -55,6 +55,10 @@ export class BeadValidationError extends Error {
 
 /**
  * Build a bd create command from args
+ *
+ * Note: Bun's `$` template literal properly escapes arguments when passed as array.
+ * Each array element is treated as a separate argument, preventing shell injection.
+ * Example: ["bd", "create", "; rm -rf /"] becomes: bd create "; rm -rf /"
  */
 function buildCreateCommand(args: BeadCreateArgs): string[] {
   const parts = ["bd", "create", args.title];
@@ -250,25 +254,40 @@ export const beads_create_epic = tool({
 
       return JSON.stringify(result, null, 2);
     } catch (error) {
-      // Partial failure - return what was created with rollback hint
-      const rollbackHint = created
-        .map((b) => `bd close ${b.id} --reason "Rollback partial epic"`)
-        .join("\n");
+      // Partial failure - execute rollback automatically
+      const rollbackCommands: string[] = [];
+
+      for (const bead of created) {
+        try {
+          const closeCmd = [
+            "bd",
+            "close",
+            bead.id,
+            "--reason",
+            "Rollback partial epic",
+            "--json",
+          ];
+          await Bun.$`${closeCmd}`.quiet().nothrow();
+          rollbackCommands.push(
+            `bd close ${bead.id} --reason "Rollback partial epic"`,
+          );
+        } catch (rollbackError) {
+          // Log rollback failure but continue
+          console.error(`Failed to rollback bead ${bead.id}:`, rollbackError);
+        }
+      }
 
-      const result: EpicCreateResult = {
-        success: false,
-        epic: created[0] || ({} as Bead),
-        subtasks: created.slice(1),
-        rollback_hint: rollbackHint,
-      };
+      // Throw error with rollback info
+      const errorMsg = error instanceof Error ? error.message : String(error);
+      const rollbackInfo =
+        rollbackCommands.length > 0
+          ? `\n\nRolled back ${rollbackCommands.length} bead(s):\n${rollbackCommands.join("\n")}`
+          : "\n\nNo beads to rollback.";
 
-      return JSON.stringify(
-        {
-          ...result,
-          error: error instanceof Error ? error.message : String(error),
-        },
-        null,
-        2,
+      throw new BeadError(
+        `Epic creation failed: ${errorMsg}${rollbackInfo}`,
+        "beads_create_epic",
+        1,
       );
     }
   },
@@ -487,10 +506,38 @@ export const beads_sync = tool({
   },
   async execute(args, ctx) {
     const autoPull = args.auto_pull ?? true;
+    const TIMEOUT_MS = 30000; // 30 seconds
+
+    /**
+     * Helper to run a command with timeout
+     */
+    const withTimeout = async <T>(
+      promise: Promise<T>,
+      timeoutMs: number,
+      operation: string,
+    ): Promise<T> => {
+      const timeoutPromise = new Promise<never>((_, reject) =>
+        setTimeout(
+          () =>
+            reject(
+              new BeadError(
+                `Operation timed out after ${timeoutMs}ms`,
+                operation,
+              ),
+            ),
+          timeoutMs,
+        ),
+      );
+      return Promise.race([promise, timeoutPromise]);
+    };
 
     // 1. Pull if requested
     if (autoPull) {
-      const pullResult = await Bun.$`git pull --rebase`.quiet().nothrow();
+      const pullResult = await withTimeout(
+        Bun.$`git pull --rebase`.quiet().nothrow(),
+        TIMEOUT_MS,
+        "git pull --rebase",
+      );
       if (pullResult.exitCode !== 0) {
         throw new BeadError(
           `Failed to pull: ${pullResult.stderr.toString()}`,
@@ -501,7 +548,11 @@ export const beads_sync = tool({
     }
 
     // 2. Sync beads
-    const syncResult = await Bun.$`bd sync`.quiet().nothrow();
+    const syncResult = await withTimeout(
+      Bun.$`bd sync`.quiet().nothrow(),
+      TIMEOUT_MS,
+      "bd sync",
+    );
     if (syncResult.exitCode !== 0) {
       throw new BeadError(
         `Failed to sync beads: ${syncResult.stderr.toString()}`,
@@ -511,7 +562,11 @@ export const beads_sync = tool({
     }
 
     // 3. Push
-    const pushResult = await Bun.$`git push`.quiet().nothrow();
+    const pushResult = await withTimeout(
+      Bun.$`git push`.quiet().nothrow(),
+      TIMEOUT_MS,
+      "git push",
+    );
     if (pushResult.exitCode !== 0) {
       throw new BeadError(
         `Failed to push: ${pushResult.stderr.toString()}`,

package/src/rate-limiter.ts

@@ -122,9 +122,15 @@ export function getLimitsForEndpoint(endpoint: string): EndpointLimits {
   const perHourEnv =
     process.env[`OPENCODE_RATE_LIMIT_${upperEndpoint}_PER_HOUR`];
 
+  // Parse and validate env vars, fall back to defaults on NaN
+  const parsedPerMinute = perMinuteEnv ? parseInt(perMinuteEnv, 10) : NaN;
+  const parsedPerHour = perHourEnv ? parseInt(perHourEnv, 10) : NaN;
+
   return {
-    perMinute: perMinuteEnv ? parseInt(perMinuteEnv, 10) : defaults.perMinute,
-    perHour: perHourEnv ? parseInt(perHourEnv, 10) : defaults.perHour,
+    perMinute: Number.isNaN(parsedPerMinute)
+      ? defaults.perMinute
+      : parsedPerMinute,
+    perHour: Number.isNaN(parsedPerHour) ? defaults.perHour : parsedPerHour,
   };
 }
 
@@ -211,10 +217,11 @@ export class RedisRateLimiter implements RateLimiter {
     const windowDuration = this.getWindowDuration(window);
     const windowStart = now - windowDuration;
 
-    // Remove expired entries and count current ones in a pipeline
+    // Remove expired entries, count current ones, and fetch oldest in a single pipeline
     const pipeline = this.redis.pipeline();
     pipeline.zremrangebyscore(key, 0, windowStart);
     pipeline.zcard(key);
+    pipeline.zrange(key, 0, 0, "WITHSCORES"); // Fetch oldest entry atomically
 
     const results = await pipeline.exec();
     if (!results) {
@@ -225,11 +232,10 @@ export class RedisRateLimiter implements RateLimiter {
     const remaining = Math.max(0, limit - count);
     const allowed = count < limit;
 
-    // Calculate reset time based on oldest entry in window
+    // Calculate reset time based on oldest entry in window (fetched atomically)
     let resetAt = now + windowDuration;
     if (!allowed) {
-      // Get the oldest entry's timestamp to calculate precise reset
-      const oldest = await this.redis.zrange(key, 0, 0, "WITHSCORES");
+      const oldest = (results[2]?.[1] as string[]) || [];
       if (oldest.length >= 2) {
         const oldestTimestamp = parseInt(oldest[1], 10);
         resetAt = oldestTimestamp + windowDuration;

package/src/schemas/bead.ts

@@ -42,15 +42,15 @@ export type BeadDependency = z.infer<typeof BeadDependencySchema>;
 export const BeadSchema = z.object({
   id: z
     .string()
-    .regex(/^[a-z0-9-]+-[a-z0-9]+(\.\d+)?$/, "Invalid bead ID format"),
+    .regex(/^[a-z0-9]+(-[a-z0-9]+)+(\.\d+)?$/, "Invalid bead ID format"),
   title: z.string().min(1, "Title required"),
   description: z.string().optional().default(""),
   status: BeadStatusSchema.default("open"),
   priority: z.number().int().min(0).max(3).default(2),
   issue_type: BeadTypeSchema.default("task"),
-  created_at: z.string(), // ISO-8601
-  updated_at: z.string().optional(),
-  closed_at: z.string().optional(),
+  created_at: z.string().datetime({ offset: true }), // ISO-8601 with timezone offset
+  updated_at: z.string().datetime({ offset: true }).optional(),
+  closed_at: z.string().datetime({ offset: true }).optional(),
   parent_id: z.string().optional(),
   dependencies: z.array(BeadDependencySchema).optional().default([]),
   metadata: z.record(z.string(), z.unknown()).optional(),

package/src/schemas/evaluation.ts

@@ -53,7 +53,7 @@ export const EvaluationSchema = z.object({
   criteria: z.record(z.string(), CriterionEvaluationSchema),
   overall_feedback: z.string(),
   retry_suggestion: z.string().nullable(),
-  timestamp: z.string().optional(), // ISO-8601
+  timestamp: z.string().datetime({ offset: true }).optional(), // ISO-8601 with timezone
 });
 export type Evaluation = z.infer<typeof EvaluationSchema>;
 
@@ -91,7 +91,7 @@ export const WeightedEvaluationSchema = z.object({
   criteria: z.record(z.string(), WeightedCriterionEvaluationSchema),
   overall_feedback: z.string(),
   retry_suggestion: z.string().nullable(),
-  timestamp: z.string().optional(), // ISO-8601
+  timestamp: z.string().datetime({ offset: true }).optional(), // ISO-8601 with timezone
   /** Average weight across all criteria (indicates overall confidence) */
   average_weight: z.number().min(0).max(1).optional(),
   /** Raw score before weighting */

package/src/schemas/task.ts

@@ -94,7 +94,7 @@ export const SwarmSpawnResultSchema = z.object({
   coordinator_name: z.string(), // Agent Mail name of coordinator
   thread_id: z.string(), // Agent Mail thread for this swarm
   agents: z.array(SpawnedAgentSchema),
-  started_at: z.string(), // ISO-8601
+  started_at: z.string().datetime({ offset: true }), // ISO-8601 with timezone
 });
 export type SwarmSpawnResult = z.infer<typeof SwarmSpawnResultSchema>;
 
@@ -109,7 +109,7 @@ export const AgentProgressSchema = z.object({
   message: z.string().optional(),
   files_touched: z.array(z.string()).optional(),
   blockers: z.array(z.string()).optional(),
-  timestamp: z.string(), // ISO-8601
+  timestamp: z.string().datetime({ offset: true }), // ISO-8601 with timezone
 });
 export type AgentProgress = z.infer<typeof AgentProgressSchema>;
 
@@ -124,6 +124,6 @@ export const SwarmStatusSchema = z.object({
   failed: z.number().int().min(0),
   blocked: z.number().int().min(0),
   agents: z.array(SpawnedAgentSchema),
-  last_update: z.string(), // ISO-8601
+  last_update: z.string().datetime({ offset: true }), // ISO-8601 with timezone
 });
 export type SwarmStatus = z.infer<typeof SwarmStatusSchema>;

package/src/storage.ts

@@ -73,20 +73,35 @@ async function resolveSemanticMemoryCommand(): Promise<string[]> {
 async function execSemanticMemory(
   args: string[],
 ): Promise<{ exitCode: number; stdout: Buffer; stderr: Buffer }> {
-  const cmd = await resolveSemanticMemoryCommand();
-  const fullCmd = [...cmd, ...args];
-
-  // Use Bun.spawn for dynamic command arrays
-  const proc = Bun.spawn(fullCmd, {
-    stdout: "pipe",
-    stderr: "pipe",
-  });
+  try {
+    const cmd = await resolveSemanticMemoryCommand();
+    const fullCmd = [...cmd, ...args];
 
-  const stdout = Buffer.from(await new Response(proc.stdout).arrayBuffer());
-  const stderr = Buffer.from(await new Response(proc.stderr).arrayBuffer());
-  const exitCode = await proc.exited;
+    // Use Bun.spawn for dynamic command arrays
+    const proc = Bun.spawn(fullCmd, {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
 
-  return { exitCode, stdout, stderr };
+    try {
+      const stdout = Buffer.from(await new Response(proc.stdout).arrayBuffer());
+      const stderr = Buffer.from(await new Response(proc.stderr).arrayBuffer());
+      const exitCode = await proc.exited;
+
+      return { exitCode, stdout, stderr };
+    } finally {
+      // Ensure process cleanup
+      proc.kill();
+    }
+  } catch (error) {
+    // Return structured error result on exceptions
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    return {
+      exitCode: 1,
+      stdout: Buffer.from(""),
+      stderr: Buffer.from(`Error executing semantic-memory: ${errorMessage}`),
+    };
+  }
 }
 
 /**
@@ -646,17 +661,22 @@ export async function createStorageWithFallback(
 // ============================================================================
 
 let globalStorage: LearningStorage | null = null;
+let globalStoragePromise: Promise<LearningStorage> | null = null;
 
 /**
  * Get or create the global storage instance
  *
  * Uses semantic-memory by default, with automatic fallback to in-memory.
+ * Prevents race conditions by storing the initialization promise.
  */
 export async function getStorage(): Promise<LearningStorage> {
-  if (!globalStorage) {
-    globalStorage = await createStorageWithFallback();
+  if (!globalStoragePromise) {
+    globalStoragePromise = createStorageWithFallback().then((storage) => {
+      globalStorage = storage;
+      return storage;
+    });
   }
-  return globalStorage;
+  return globalStoragePromise;
 }
 
 /**
@@ -666,6 +686,7 @@ export async function getStorage(): Promise<LearningStorage> {
  */
 export function setStorage(storage: LearningStorage): void {
   globalStorage = storage;
+  globalStoragePromise = Promise.resolve(storage);
 }
 
 /**
@@ -676,4 +697,5 @@ export async function resetStorage(): Promise<void> {
     await globalStorage.close();
     globalStorage = null;
   }
+  globalStoragePromise = null;
 }

package/src/swarm.ts

@@ -1343,6 +1343,19 @@ export const swarm_validate_decomposition = tool({
       for (let i = 0; i < validated.subtasks.length; i++) {
         const deps = validated.subtasks[i].dependencies;
         for (const dep of deps) {
+          // Check bounds first
+          if (dep < 0 || dep >= validated.subtasks.length) {
+            return JSON.stringify(
+              {
+                valid: false,
+                error: `Invalid dependency: subtask ${i} depends on ${dep}, but only ${validated.subtasks.length} subtasks exist (indices 0-${validated.subtasks.length - 1})`,
+                hint: "Dependency index is out of bounds",
+              },
+              null,
+              2,
+            );
+          }
+          // Check forward references
           if (dep >= i) {
             return JSON.stringify(
               {

package/examples/agents/swarm-planner.md

@@ -1,138 +0,0 @@
----
-name: swarm-planner
-description: Strategic task decomposition for swarm coordination
-model: claude-sonnet-4-5
----
-
-You are a swarm planner. Your job is to decompose complex tasks into optimal parallel subtasks.
-
-## Your Role
-
-You analyze tasks and create decomposition plans that:
-
-- Maximize parallelization (agents work independently)
-- Minimize conflicts (no file overlap between subtasks)
-- Follow the best strategy for the task type
-
-## Workflow
-
-1. **Analyze** - Call `swarm_select_strategy` to understand the task
-2. **Plan** - Call `swarm_plan_prompt` to get strategy-specific guidance
-3. **Decompose** - Create a BeadTree following the guidelines
-4. **Validate** - Ensure no file conflicts or circular dependencies
-
-## Strategy Selection
-
-The plugin auto-selects strategies based on task keywords:
-
-| Strategy          | Best For                                     | Keywords                               |
-| ----------------- | -------------------------------------------- | -------------------------------------- |
-| **file-based**    | Refactoring, migrations, pattern changes     | refactor, migrate, rename, update all  |
-| **feature-based** | New features, adding functionality           | add, implement, build, create, feature |
-| **risk-based**    | Bug fixes, security issues, critical changes | fix, bug, security, critical, urgent   |
-
-You can override with explicit strategy if the auto-detection is wrong.
-
-## Output Format
-
-Return ONLY valid JSON matching the BeadTree schema:
-
-```json
-{
-  "epic": {
-    "title": "Epic title for beads tracker",
-    "description": "Brief description of the overall goal"
-  },
-  "subtasks": [
-    {
-      "title": "What this subtask accomplishes",
-      "description": "Detailed instructions for the agent",
-      "files": ["src/path/to/file.ts", "src/path/to/file.test.ts"],
-      "dependencies": [],
-      "estimated_complexity": 2
-    }
-  ]
-}
-```
-
-**CRITICAL**: Return ONLY the JSON. No markdown, no explanation, no code blocks.
-
-## Decomposition Rules
-
-1. **2-7 subtasks** - Too few = not parallel, too many = coordination overhead
-2. **No file overlap** - Each file appears in exactly one subtask
-3. **Include tests** - Put test files with the code they test
-4. **Order by dependency** - If B needs A's output, A comes first (lower index)
-5. **Estimate complexity** - 1 (trivial) to 5 (complex)
-
-## Anti-Patterns to Avoid
-
-- Don't split tightly coupled files across subtasks
-- Don't create subtasks that can't be tested independently
-- Don't forget shared types/utilities that multiple files depend on
-- Don't make one subtask do everything while others are trivial
-
-## Example Decomposition
-
-**Task**: "Add user authentication with OAuth"
-
-**Strategy**: feature-based (detected from "add" keyword)
-
-**Result**:
-
-```json
-{
-  "epic": {
-    "title": "Add user authentication with OAuth",
-    "description": "Implement OAuth-based authentication flow with session management"
-  },
-  "subtasks": [
-    {
-      "title": "Set up OAuth provider configuration",
-      "description": "Configure OAuth provider (Google/GitHub), add environment variables, create auth config",
-      "files": ["src/auth/config.ts", "src/auth/providers.ts", ".env.example"],
-      "dependencies": [],
-      "estimated_complexity": 2
-    },
-    {
-      "title": "Implement session management",
-      "description": "Create session store, JWT handling, cookie management",
-      "files": [
-        "src/auth/session.ts",
-        "src/auth/jwt.ts",
-        "src/middleware/auth.ts"
-      ],
-      "dependencies": [0],
-      "estimated_complexity": 3
-    },
-    {
-      "title": "Add protected route wrapper",
-      "description": "Create HOC/middleware for protecting routes, redirect logic",
-      "files": ["src/components/ProtectedRoute.tsx", "src/hooks/useAuth.ts"],
-      "dependencies": [1],
-      "estimated_complexity": 2
-    },
-    {
-      "title": "Create login/logout UI",
-      "description": "Login page, logout button, auth state display",
-      "files": ["src/app/login/page.tsx", "src/components/AuthButton.tsx"],
-      "dependencies": [0],
-      "estimated_complexity": 2
-    }
-  ]
-}
-```
-
-## Usage
-
-The coordinator invokes you like this:
-
-```
-@swarm-planner "Add user authentication with OAuth"
-```
-
-You respond with the BeadTree JSON. The coordinator then:
-
-1. Validates with `swarm_validate_decomposition`
-2. Creates beads with `beads_create_epic`
-3. Spawns worker agents for each subtask