opencode-swarm 5.1.8 → 6.0.1

package/README.md

@@ -1,9 +1,9 @@
 <p align="center">
-  <img src="https://img.shields.io/badge/version-5.1.5-blue" alt="Version">
+  <img src="https://img.shields.io/badge/version-6.0.0-blue" alt="Version">
   <img src="https://img.shields.io/badge/license-MIT-green" alt="License">
   <img src="https://img.shields.io/badge/opencode-plugin-purple" alt="OpenCode Plugin">
   <img src="https://img.shields.io/badge/agents-7-orange" alt="Agents">
-  <img src="https://img.shields.io/badge/tests-1034-brightgreen" alt="Tests">
+  <img src="https://img.shields.io/badge/tests-1188-brightgreen" alt="Tests">
 </p>
 
 <h1 align="center">🐝 OpenCode Swarm</h1>
@@ -138,15 +138,24 @@ OpenCode Swarm:
 ┌─────────────────────────────────────────────────────────────────────────┐
 │  PHASE 5: Execute (per task)                                            │
 │                                                                         │
-│   ┌─────────┐    ┌────────────┐    ┌──────────────┐                    │
-│   │ @coder  │ →  │ @reviewer  │ →  │    @test     │                    │
-│   │ 1 task  │    │ check all  │    │ write + run  │                    │
-│   └─────────┘    └────────────┘    └──────────────┘                    │
-│        │               │                   │                            │
-│        │     If REJECTED: retry    If FAIL: fix + retest               │
-│        └───────────────┘                                                │
+│   ┌─────────┐    ┌───────┐    ┌────────────┐    ┌──────────────┐       │
+│   │ @coder  │ →  │ diff  │ →  │ @reviewer  │ →  │    @test     │       │
+│   │ 1 task  │    │ tool  │    │ check all  │    │ write + run  │       │
+│   └─────────┘    └───────┘    └────────────┘    └──────────────┘       │
+│        │              │             │                   │               │
+│        │    Contract   │   If REJECTED:        If FAIL: fix            │
+│        │    changes?   │   retry from coder    + retest                │
+│        │       │       │             │                                  │
+│        │       ▼       │             ▼                                  │
+│        │  ┌─────────┐  │   ┌──────────────┐    ┌──────────────┐       │
+│        │  │@explorer│  │   │  @reviewer   │ →  │    @test     │       │
+│        │  │ impact  │  │   │ security-only│    │ adversarial  │       │
+│        │  │analysis │  │   │   (if match) │    │   (attacks)  │       │
+│        │  └─────────┘  │   └──────────────┘    └──────────────┘       │
+│        │               │                                               │
+│        └───────────────┘                                               │
 │                                                                         │
-│   Update plan.md: [x] Task complete (only if PASS)                      │
+│   Update plan.md: [x] Task complete (only after ALL gates pass)        │
 │   Next task...                                                          │
 └─────────────────────────────────────────────────────────────────────────┘
                                     │
@@ -334,6 +343,19 @@ bunx opencode-swarm uninstall --clean
 
 ## What's New
 
+### v6.0.0 — Core QA & Security Gates
+- **Dual-pass security reviewer** — After the general reviewer APPROVES, the architect automatically triggers a second security-only review pass when the changed file matches security-sensitive paths (`auth`, `crypto`, `session`, `token`, `middleware`, `api`, `security`) or the coder's output contains security keywords. Configurable via `review_passes` config.
+- **Adversarial testing** — After verification tests PASS, the test engineer is re-delegated with adversarial-only framing: attack vectors, boundary violations, and injection attempts. Pure prompt engineering, no new infrastructure.
+- **Integration impact analysis** — After the coder completes, the `diff` tool detects contract changes (exported functions, interfaces, types). If found, the explorer runs impact analysis across dependents before review begins.
+- **`diff` tool** — New agent-accessible tool providing structured git diff with numstat parsing, contract change detection, configurable base ref (`HEAD`/staged/unstaged), path filtering, and 500-line truncation.
+- **87 new tests** — 1188 total tests across 53+ files (up from 1101 in v5.2.0).
+
+### v5.2.0 — Per-Invocation Guardrails
+- **Per-invocation budget isolation** — Guardrail limits (tool calls, duration, errors) now reset with each agent delegation. Second invocation of the same agent gets a fresh budget, preventing false circuit breaker trips in long-running projects.
+- **Architect protocol enforcement** — New mandatory QA gate rules: every coder task must go through reviewer approval + test_engineer verification before the next coder task. Protocol violations detected at runtime with warning injection.
+- **Invocation window observability** — Circuit breaker logs now include `invocationId` and `windowKey` for precise debugging of which specific agent invocation hit limits.
+- **67 new tests** — 1101 total tests across 48 files (up from 1034 in v5.1.x).
+
 ### v5.0.0 — Verifiable Execution
 - **Canonical plan schema** — Machine-readable `plan.json` with Zod-validated `PlanSchema`/`TaskSchema`/`PhaseSchema`. Automatic migration from legacy `plan.md` format. Structured status tracking (`pending`, `in_progress`, `completed`, `blocked`).
 - **Evidence bundles** — Per-task execution evidence persisted to `.swarm/evidence/`. Five evidence types: `review`, `test`, `diff`, `approval`, `note`. Sanitized task IDs, atomic writes, configurable size limits. `/swarm evidence` to view, `/swarm archive` to manage retention.
@@ -403,7 +425,7 @@ All features are opt-in via configuration. See [Installation Guide](docs/install
 ### ✅ Quality Assurance
 | Agent | Role |
 |-------|------|
-| `reviewer` | Combined correctness + security review. The architect specifies CHECK dimensions (security, correctness, edge-cases, performance, etc.) per call. |
+| `reviewer` | Dual-pass review: correctness review first, then automatic security-only pass for security-sensitive files. The architect specifies CHECK dimensions per call. OWASP Top 10 categories built in. |
 | `critic` | Plan review gate. Reviews the architect's plan BEFORE implementation — checks completeness, feasibility, scope, dependencies, and flags AI-slop. |
 
 ---
@@ -510,8 +532,52 @@ Override limits for specific agents that need more (or less) room:
 
 Profiles merge with base config — only specified fields are overridden.
 
+### Review Passes
+
+Control the dual-pass security review behavior:
+
+```jsonc
+{
+  "review_passes": {
+    "always_security_review": false,  // default: false (only on security-sensitive files)
+    "security_globs": [               // default patterns:
+      "**/*auth*", "**/*crypto*",
+      "**/*session*", "**/*token*",
+      "**/*middleware*", "**/*api*",
+      "**/*security*"
+    ]
+  }
+}
+```
+
+Set `always_security_review: true` to run the security pass on every task, regardless of file path.
+
+### Integration Analysis
+
+Control whether contract change detection triggers impact analysis:
+
+```jsonc
+{
+  "integration_analysis": {
+    "enabled": true  // default: true
+  }
+}
+```
+
 > **Architect is exempt/unlimited by default:** The architect agent has no guardrail limits by default. To override, add a `profiles.architect` entry in your guardrails config.
 
+### Per-Invocation Budgets
+
+Guardrail limits are enforced **per-invocation**, not per-session. Each time the architect delegates to an agent, that agent gets a fresh budget of tool calls, duration, and error tolerance.
+
+**Example**: If `max_tool_calls: 200`, then:
+- Architect → Coder (task 1) → 200 calls available
+- Coder finishes → Architect → Coder (task 2) → 200 calls available again
+
+This prevents long-running projects from accumulating session-wide counters that incorrectly trip the circuit breaker on later tasks.
+
+> **Architect is unlimited**: The architect never creates invocation windows and has no guardrail limits by default.
+
 ### Disable Guardrails
 
 ```json
@@ -531,7 +597,7 @@ Profiles merge with base config — only specified fields are overridden.
 | Execution | Serial (predictable) | Parallel (chaotic) | Parallel | Configurable |
 | Planning | Phased with acceptance criteria | Ad-hoc | Role-based | Graph-based |
 | Memory | Persistent `.swarm/` files | Session only | Session only | Checkpoints |
-| QA | Per-task (unified review) | Optional | Optional | Manual |
+| QA | Dual-pass per-task (review + security + adversarial) | Optional | Optional | Manual |
 | Model mixing | Per-agent configuration | Limited | Limited | Manual |
 | Resume projects | ✅ Native | ❌ | ❌ | Partial |
 | SME domains | Open-domain (any) | Generic | Generic | Generic |
@@ -543,7 +609,7 @@ Profiles merge with base config — only specified fields are overridden.
 
 1. **Plan before code** - Documented phases with acceptance criteria
 2. **One task at a time** - Focused work, quality output
-3. **Review everything immediately** - Correctness + security review per task, not per project
+3. **Review everything immediately** - Dual-pass review (correctness + security) with adversarial testing per task
 4. **Cache SME knowledge** - Don't re-ask answered questions
 5. **Persistent memory** - `.swarm/` files survive sessions
 6. **Serial execution** - Predictable, debuggable, no race conditions
@@ -564,7 +630,7 @@ bun test
 bun test tests/unit/config/schema.test.ts
 ```
 
-1034 tests across 45 files covering config, tools, agents, hooks, commands, state, guardrails, evidence, plan schemas, and circuit breaker race conditions. Uses Bun's built-in test runner — zero additional test dependencies.
+1188 tests across 53+ files covering config, tools, agents, hooks, commands, state, guardrails, evidence, plan schemas, circuit breaker race conditions, invocation windows, multi-invocation isolation, security categories, review/integration schemas, and diff tool. Uses Bun's built-in test runner — zero additional test dependencies.
 
 ## Troubleshooting
 

package/dist/agents/index.d.ts

@@ -20,6 +20,6 @@ export { createArchitectAgent } from './architect';
 export { createCoderAgent } from './coder';
 export { createCriticAgent } from './critic';
 export { createExplorerAgent } from './explorer';
-export { createReviewerAgent } from './reviewer';
+export { createReviewerAgent, SECURITY_CATEGORIES, type SecurityCategory, } from './reviewer';
 export { createSMEAgent } from './sme';
 export { createTestEngineerAgent } from './test-engineer';

package/dist/agents/reviewer.d.ts

@@ -1,2 +1,5 @@
 import type { AgentDefinition } from './architect';
+/** OWASP Top 10 2021 categories for security-focused review passes */
+export declare const SECURITY_CATEGORIES: readonly ["broken-access-control", "cryptographic-failures", "injection", "insecure-design", "security-misconfiguration", "vulnerable-components", "auth-failures", "data-integrity-failures", "logging-monitoring-failures", "ssrf"];
+export type SecurityCategory = (typeof SECURITY_CATEGORIES)[number];
 export declare function createReviewerAgent(model: string, customPrompt?: string, customAppendPrompt?: string): AgentDefinition;

package/dist/config/loader.d.ts

@@ -13,6 +13,8 @@ export declare function deepMerge<T extends Record<string, unknown>>(base?: T, o
  * 2. Project config: <directory>/.opencode/opencode-swarm.json
  *
  * Project config takes precedence. Nested objects are deep-merged.
+ * IMPORTANT: Raw configs are merged BEFORE Zod parsing so that
+ * Zod defaults don't override explicit user values.
  */
 export declare function loadPluginConfig(directory: string): PluginConfig;
 /**

package/dist/config/schema.d.ts

@@ -128,6 +128,15 @@ export declare const SummaryConfigSchema: z.ZodObject<{
     retention_days: z.ZodDefault<z.ZodNumber>;
 }, z.core.$strip>;
 export type SummaryConfig = z.infer<typeof SummaryConfigSchema>;
+export declare const ReviewPassesConfigSchema: z.ZodObject<{
+    always_security_review: z.ZodDefault<z.ZodBoolean>;
+    security_globs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export type ReviewPassesConfig = z.infer<typeof ReviewPassesConfigSchema>;
+export declare const IntegrationAnalysisConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export type IntegrationAnalysisConfig = z.infer<typeof IntegrationAnalysisConfigSchema>;
 export declare const GuardrailsProfileSchema: z.ZodObject<{
     max_tool_calls: z.ZodOptional<z.ZodNumber>;
     max_duration_minutes: z.ZodOptional<z.ZodNumber>;
@@ -282,6 +291,14 @@ export declare const PluginConfigSchema: z.ZodObject<{
         max_stored_bytes: z.ZodDefault<z.ZodNumber>;
         retention_days: z.ZodDefault<z.ZodNumber>;
     }, z.core.$strip>>;
+    review_passes: z.ZodOptional<z.ZodObject<{
+        always_security_review: z.ZodDefault<z.ZodBoolean>;
+        security_globs: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
+    integration_analysis: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    _loadedFromFile: z.ZodDefault<z.ZodBoolean>;
 }, z.core.$strip>;
 export type PluginConfig = z.infer<typeof PluginConfigSchema>;
 export type { AgentName, PipelineAgentName, QAAgentName, } from './constants';

package/dist/hooks/delegation-tracker.d.ts

@@ -8,7 +8,7 @@ import type { PluginConfig } from '../config/schema';
 /**
  * Creates the chat.message hook for delegation tracking.
  */
-export declare function createDelegationTrackerHook(config: PluginConfig): (input: {
+export declare function createDelegationTrackerHook(config: PluginConfig, guardrailsEnabled?: boolean): (input: {
     sessionID: string;
     agent?: string;
 }, output: Record<string, unknown>) => Promise<void>;

package/dist/index.js

@@ -13630,6 +13630,21 @@ var SummaryConfigSchema = exports_external.object({
   max_stored_bytes: exports_external.number().min(10240).max(104857600).default(10485760),
   retention_days: exports_external.number().min(1).max(365).default(7)
 });
+var ReviewPassesConfigSchema = exports_external.object({
+  always_security_review: exports_external.boolean().default(false),
+  security_globs: exports_external.array(exports_external.string()).default([
+    "**/auth/**",
+    "**/api/**",
+    "**/crypto/**",
+    "**/security/**",
+    "**/middleware/**",
+    "**/session/**",
+    "**/token/**"
+  ])
+});
+var IntegrationAnalysisConfigSchema = exports_external.object({
+  enabled: exports_external.boolean().default(true)
+});
 var GuardrailsProfileSchema = exports_external.object({
   max_tool_calls: exports_external.number().min(0).max(1000).optional(),
   max_duration_minutes: exports_external.number().min(0).max(480).optional(),
@@ -13729,7 +13744,10 @@ var PluginConfigSchema = exports_external.object({
   context_budget: ContextBudgetConfigSchema.optional(),
   guardrails: GuardrailsConfigSchema.optional(),
   evidence: EvidenceConfigSchema.optional(),
-  summaries: SummaryConfigSchema.optional()
+  summaries: SummaryConfigSchema.optional(),
+  review_passes: ReviewPassesConfigSchema.optional(),
+  integration_analysis: IntegrationAnalysisConfigSchema.optional(),
+  _loadedFromFile: exports_external.boolean().default(false)
 });
 
 // src/config/loader.ts
@@ -13739,25 +13757,26 @@ var MAX_CONFIG_FILE_BYTES = 102400;
 function getUserConfigDir() {
   return process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config");
 }
-function loadConfigFromPath(configPath) {
+function loadRawConfigFromPath(configPath) {
   try {
     const stats = fs.statSync(configPath);
     if (stats.size > MAX_CONFIG_FILE_BYTES) {
       console.warn(`[opencode-swarm] Config file too large (max 100 KB): ${configPath}`);
+      console.warn("[opencode-swarm] \u26A0\uFE0F Guardrails will be DISABLED as a safety precaution. Fix the config file to restore normal operation.");
       return null;
     }
     const content = fs.readFileSync(configPath, "utf-8");
     const rawConfig = JSON.parse(content);
-    const result = PluginConfigSchema.safeParse(rawConfig);
-    if (!result.success) {
-      console.warn(`[opencode-swarm] Invalid config at ${configPath}:`);
-      console.warn(result.error.format());
+    if (typeof rawConfig !== "object" || rawConfig === null || Array.isArray(rawConfig)) {
+      console.warn(`[opencode-swarm] Invalid config at ${configPath}: expected an object`);
+      console.warn("[opencode-swarm] \u26A0\uFE0F Guardrails will be DISABLED as a safety precaution. Fix the config file to restore normal operation.");
       return null;
     }
-    return result.data;
+    return rawConfig;
   } catch (error48) {
     if (error48 instanceof Error && "code" in error48 && error48.code !== "ENOENT") {
-      console.warn(`[opencode-swarm] Error reading config from ${configPath}:`, error48.message);
+      console.warn(`[opencode-swarm] \u26A0\uFE0F CONFIG LOAD FAILURE \u2014 config exists at ${configPath} but could not be loaded: ${error48.message}`);
+      console.warn("[opencode-swarm] \u26A0\uFE0F Guardrails will be DISABLED as a safety precaution. Fix the config file to restore normal operation.");
     }
     return null;
   }
@@ -13779,30 +13798,36 @@ function deepMergeInternal(base, override, depth) {
   }
   return result;
 }
-function deepMerge(base, override) {
-  if (!base)
-    return override;
-  if (!override)
-    return base;
-  return deepMergeInternal(base, override, 0);
-}
 function loadPluginConfig(directory) {
   const userConfigPath = path.join(getUserConfigDir(), "opencode", CONFIG_FILENAME);
   const projectConfigPath = path.join(directory, ".opencode", CONFIG_FILENAME);
-  let config2 = loadConfigFromPath(userConfigPath) ?? {
-    max_iterations: 5,
-    qa_retry_limit: 3,
-    inject_phase_reminders: true
-  };
-  const projectConfig = loadConfigFromPath(projectConfigPath);
-  if (projectConfig) {
-    config2 = {
-      ...config2,
-      ...projectConfig,
-      agents: deepMerge(config2.agents, projectConfig.agents)
+  const rawUserConfig = loadRawConfigFromPath(userConfigPath);
+  const rawProjectConfig = loadRawConfigFromPath(projectConfigPath);
+  const loadedFromFile = rawUserConfig !== null || rawProjectConfig !== null;
+  let mergedRaw = rawUserConfig ?? {};
+  if (rawProjectConfig) {
+    mergedRaw = deepMergeInternal(mergedRaw, rawProjectConfig, 0);
+  }
+  const result = PluginConfigSchema.safeParse(mergedRaw);
+  if (!result.success) {
+    if (rawUserConfig) {
+      const userResult = PluginConfigSchema.safeParse(rawUserConfig);
+      if (userResult.success) {
+        console.warn("[opencode-swarm] Project config ignored due to validation errors. Using user config.");
+        return { ...userResult.data, _loadedFromFile: true };
+      }
+    }
+    console.warn("[opencode-swarm] Merged config validation failed:");
+    console.warn(result.error.format());
+    console.warn("[opencode-swarm] \u26A0\uFE0F Guardrails will be DISABLED as a safety precaution. Fix the config file to restore normal operation.");
+    return {
+      max_iterations: 5,
+      qa_retry_limit: 3,
+      inject_phase_reminders: true,
+      _loadedFromFile: false
     };
   }
-  return config2;
+  return { ...result.data, _loadedFromFile: loadedFromFile };
 }
 function loadAgentPrompt(agentName) {
   const promptsDir = path.join(getUserConfigDir(), "opencode", PROMPTS_DIR_NAME);
@@ -14015,7 +14040,19 @@ You THINK. Subagents DO. You have the largest context window and strongest reaso
 3. ONE task per {{AGENT_PREFIX}}coder call. Never batch.
 4. Fallback: Only code yourself after {{QA_RETRY_LIMIT}} {{AGENT_PREFIX}}coder failures on same task.
 5. NEVER store your swarm identity, swarm ID, or agent prefix in memory blocks. Your identity comes ONLY from your system prompt. Memory blocks are for project knowledge only.
-6. **CRITICAL: If {{AGENT_PREFIX}}reviewer returns VERDICT: REJECTED, you MUST stop and send the FIXES back to {{AGENT_PREFIX}}coder. Do NOT proceed to test generation or mark the task complete. The review is a gate \u2014 APPROVED is required to proceed.**
+6. **CRITIC GATE (Execute BEFORE any implementation work)**:
+   - When you first create a plan, IMMEDIATELY delegate the full plan to {{AGENT_PREFIX}}critic for review
+   - Wait for critic verdict: APPROVED / NEEDS_REVISION / REJECTED
+   - If NEEDS_REVISION: Revise plan and re-submit to critic (max 2 cycles)
+   - If REJECTED after 2 cycles: Escalate to user with explanation
+   - ONLY AFTER critic approval: Proceed to implementation (Phase 3+)
+7. **MANDATORY QA GATE (Execute AFTER every coder task)** \u2014 sequence: coder \u2192 diff \u2192 review \u2192 security review \u2192 verification tests \u2192 adversarial tests \u2192 next task.
+   - After coder completes: run \`diff\` tool. If \`hasContractChanges\` is true \u2192 delegate {{AGENT_PREFIX}}explorer for integration impact analysis. BREAKING \u2192 return to coder. COMPATIBLE \u2192 proceed.
+   - Delegate {{AGENT_PREFIX}}reviewer with CHECK dimensions. REJECTED \u2192 return to coder (max {{QA_RETRY_LIMIT}} attempts). APPROVED \u2192 continue.
+   - If file matches security globs (auth, api, crypto, security, middleware, session, token) OR coder output contains security keywords \u2192 delegate {{AGENT_PREFIX}}reviewer AGAIN with security-only CHECK. REJECTED \u2192 return to coder.
+   - Delegate {{AGENT_PREFIX}}test_engineer for verification tests. FAIL \u2192 return to coder.
+   - Delegate {{AGENT_PREFIX}}test_engineer for adversarial tests (attack vectors only). FAIL \u2192 return to coder.
+   - All pass \u2192 mark task complete, proceed to next task.
 
 ## AGENTS
 
@@ -14028,6 +14065,8 @@ You THINK. Subagents DO. You have the largest context window and strongest reaso
 
 SMEs advise only. Reviewer and critic review only. None of them write code.
 
+Available Tools: diff (structured git diff with contract change detection)
+
 ## DELEGATION FORMAT
 
 All delegations use this structure:
@@ -14083,6 +14122,24 @@ PLAN: [paste the plan.md content]
 CONTEXT: [codebase summary from explorer]
 OUTPUT: VERDICT + CONFIDENCE + ISSUES + SUMMARY
 
+{{AGENT_PREFIX}}reviewer
+TASK: Security-only review of login validation
+FILE: src/auth/login.ts
+CHECK: [security-only] \u2014 evaluate against OWASP Top 10, scan for hardcoded secrets, injection vectors, insecure crypto, missing input validation
+OUTPUT: VERDICT + RISK + SECURITY ISSUES ONLY
+
+{{AGENT_PREFIX}}test_engineer
+TASK: Adversarial security testing
+FILE: src/auth/login.ts
+CONSTRAINT: ONLY attack vectors \u2014 malformed inputs, oversized payloads, injection attempts, auth bypass, boundary violations
+OUTPUT: Test file + VERDICT: PASS/FAIL
+
+{{AGENT_PREFIX}}explorer
+TASK: Integration impact analysis
+INPUT: Contract changes detected: [list from diff tool]
+OUTPUT: BREAKING CHANGES + CONSUMERS AFFECTED + VERDICT: BREAKING/COMPATIBLE
+CONSTRAINT: Read-only. grep for imports/usages of changed exports.
+
 ## WORKFLOW
 
 ### Phase 0: Resume Check
@@ -14134,15 +14191,13 @@ Delegate plan to {{AGENT_PREFIX}}critic for review BEFORE any implementation beg
 ### Phase 5: Execute
 For each task (respecting dependencies):
 
-5a. {{AGENT_PREFIX}}coder - Implement (MANDATORY)
-5b. {{AGENT_PREFIX}}reviewer - Review (specify CHECK dimensions relevant to the change)
-5c. **GATE - Check VERDICT:**
-    - **APPROVED** \u2192 Proceed to 5d
-    - **REJECTED** (attempt < {{QA_RETRY_LIMIT}}) \u2192 STOP. Send FIXES to {{AGENT_PREFIX}}coder with specific changes. Retry from 5a. Do NOT proceed to 5d.
-    - **REJECTED** (attempt {{QA_RETRY_LIMIT}}) \u2192 STOP. Escalate to user or handle directly.
-5d. {{AGENT_PREFIX}}test_engineer - Generate AND run tests (ONLY if 5c = APPROVED). Expect VERDICT: PASS/FAIL.
-5e. If test VERDICT is FAIL \u2192 Send failures to {{AGENT_PREFIX}}coder for fixes, then re-run from 5b.
-5f. Update plan.md [x], proceed to next task (ONLY if tests PASS)
+5a. {{AGENT_PREFIX}}coder - Implement
+5b. Run \`diff\` tool. If \`hasContractChanges\` \u2192 {{AGENT_PREFIX}}explorer integration analysis. BREAKING \u2192 coder retry.
+5c. {{AGENT_PREFIX}}reviewer - General review. REJECTED (< {{QA_RETRY_LIMIT}}) \u2192 coder retry. REJECTED ({{QA_RETRY_LIMIT}}) \u2192 escalate.
+5d. Security gate: if file matches security globs or content has security keywords \u2192 {{AGENT_PREFIX}}reviewer security-only. REJECTED \u2192 coder retry.
+5e. {{AGENT_PREFIX}}test_engineer - Verification tests. FAIL \u2192 coder retry from 5c.
+5f. {{AGENT_PREFIX}}test_engineer - Adversarial tests. FAIL \u2192 coder retry from 5c.
+5g. Update plan.md [x], proceed to next task.
 
 ### Phase 6: Phase Complete
 1. {{AGENT_PREFIX}}explorer - Rescan
@@ -15049,39 +15104,33 @@ function startAgentSession(sessionId, agentName, staleDurationMs = 7200000) {
   }
   const sessionState = {
     agentName,
-    startTime: now,
     lastToolCallTime: now,
     lastAgentEventTime: now,
-    toolCallCount: 0,
-    consecutiveErrors: 0,
-    recentToolCalls: [],
-    warningIssued: false,
-    warningReason: "",
-    hardLimitHit: false,
-    lastSuccessTime: now,
-    delegationActive: false
+    delegationActive: false,
+    activeInvocationId: 0,
+    lastInvocationIdByAgent: {},
+    windows: {}
   };
   swarmState.agentSessions.set(sessionId, sessionState);
 }
-function getAgentSession(sessionId) {
-  return swarmState.agentSessions.get(sessionId);
-}
 function ensureAgentSession(sessionId, agentName) {
   const now = Date.now();
   let session = swarmState.agentSessions.get(sessionId);
   if (session) {
     if (agentName && agentName !== session.agentName) {
       session.agentName = agentName;
-      session.startTime = now;
-      session.toolCallCount = 0;
-      session.consecutiveErrors = 0;
-      session.recentToolCalls = [];
-      session.warningIssued = false;
-      session.warningReason = "";
-      session.hardLimitHit = false;
-      session.lastSuccessTime = now;
       session.delegationActive = false;
       session.lastAgentEventTime = now;
+      if (!session.windows) {
+        session.activeInvocationId = 0;
+        session.lastInvocationIdByAgent = {};
+        session.windows = {};
+      }
+    }
+    if (!session.windows) {
+      session.activeInvocationId = 0;
+      session.lastInvocationIdByAgent = {};
+      session.windows = {};
     }
     session.lastToolCallTime = now;
     return session;
@@ -15099,6 +15148,58 @@ function updateAgentEventTime(sessionId) {
     session.lastAgentEventTime = Date.now();
   }
 }
+function beginInvocation(sessionId, agentName) {
+  const session = swarmState.agentSessions.get(sessionId);
+  if (!session) {
+    throw new Error(`Cannot begin invocation: session ${sessionId} does not exist`);
+  }
+  const stripped = stripKnownSwarmPrefix(agentName);
+  if (stripped === ORCHESTRATOR_NAME) {
+    return null;
+  }
+  const lastId = session.lastInvocationIdByAgent[stripped] || 0;
+  const newId = lastId + 1;
+  session.lastInvocationIdByAgent[stripped] = newId;
+  session.activeInvocationId = newId;
+  const now = Date.now();
+  const window = {
+    id: newId,
+    agentName: stripped,
+    startedAtMs: now,
+    toolCalls: 0,
+    consecutiveErrors: 0,
+    hardLimitHit: false,
+    lastSuccessTimeMs: now,
+    recentToolCalls: [],
+    warningIssued: false,
+    warningReason: ""
+  };
+  const key = `${stripped}:${newId}`;
+  session.windows[key] = window;
+  pruneOldWindows(sessionId, 24 * 60 * 60 * 1000, 50);
+  return window;
+}
+function getActiveWindow(sessionId) {
+  const session = swarmState.agentSessions.get(sessionId);
+  if (!session || !session.windows) {
+    return;
+  }
+  const stripped = stripKnownSwarmPrefix(session.agentName);
+  const key = `${stripped}:${session.activeInvocationId}`;
+  return session.windows[key];
+}
+function pruneOldWindows(sessionId, maxAgeMs = 24 * 60 * 60 * 1000, maxWindows = 50) {
+  const session = swarmState.agentSessions.get(sessionId);
+  if (!session || !session.windows) {
+    return;
+  }
+  const now = Date.now();
+  const entries = Object.entries(session.windows);
+  const validByAge = entries.filter(([_, window]) => now - window.startedAtMs < maxAgeMs);
+  const sorted = validByAge.sort((a, b) => b[1].startedAtMs - a[1].startedAtMs);
+  const toKeep = sorted.slice(0, maxWindows);
+  session.windows = Object.fromEntries(toKeep);
+}
 
 // src/commands/benchmark.ts
 var CI = {
@@ -15119,11 +15220,10 @@ async function handleBenchmarkCommand(directory, args) {
       hardLimits: 0,
       warnings: 0
     };
-    e.toolCalls += s.toolCallCount;
-    if (s.hardLimitHit)
-      e.hardLimits++;
-    if (s.warningIssued)
-      e.warnings++;
+    const windows = Object.values(s.windows);
+    e.toolCalls += windows.reduce((sum, w) => sum + w.toolCalls, 0);
+    e.hardLimits += windows.filter((w) => w.hardLimitHit).length;
+    e.warnings += windows.filter((w) => w.warningIssued).length;
     agentMap.set(s.agentName, e);
   }
   const agentHealth = Array.from(agentMap.entries()).map(([a, v]) => ({
@@ -16731,6 +16831,29 @@ function createDelegationGateHook(config2) {
     if (batchingMatches && batchingMatches.length > 0) {
       warnings.push("Batching language detected. Break compound objectives into separate coder calls.");
     }
+    const sessionID = lastUserMessage.info?.sessionID;
+    if (sessionID) {
+      const delegationChain = swarmState.delegationChains.get(sessionID);
+      if (delegationChain && delegationChain.length >= 2) {
+        const coderIndices = [];
+        for (let i = delegationChain.length - 1;i >= 0; i--) {
+          if (stripKnownSwarmPrefix(delegationChain[i].to).includes("coder")) {
+            coderIndices.unshift(i);
+            if (coderIndices.length === 2)
+              break;
+          }
+        }
+        if (coderIndices.length === 2) {
+          const prevCoderIndex = coderIndices[0];
+          const betweenCoders = delegationChain.slice(prevCoderIndex + 1);
+          const hasReviewer = betweenCoders.some((d) => stripKnownSwarmPrefix(d.to) === "reviewer");
+          const hasTestEngineer = betweenCoders.some((d) => stripKnownSwarmPrefix(d.to) === "test_engineer");
+          if (!hasReviewer || !hasTestEngineer) {
+            warnings.push(`\u26A0\uFE0F PROTOCOL VIOLATION: Previous coder task completed, but QA gate was skipped. ` + `You MUST delegate to reviewer (code review) and test_engineer (test execution) ` + `before starting a new coder task. Review RULES 7-8 in your system prompt.`);
+          }
+        }
+      }
+    }
     if (warnings.length === 0)
       return;
     const warningText = `[\u26A0\uFE0F DELEGATION GATE: Your coder delegation may be too complex. Issues:
@@ -16744,7 +16867,7 @@ ${originalText}`;
   };
 }
 // src/hooks/delegation-tracker.ts
-function createDelegationTrackerHook(config2) {
+function createDelegationTrackerHook(config2, guardrailsEnabled = true) {
   return async (input, _output) => {
     const now = Date.now();
     if (!input.agent || input.agent === "") {
@@ -16766,6 +16889,9 @@ function createDelegationTrackerHook(config2) {
     const isArchitect = strippedAgent === ORCHESTRATOR_NAME;
     const session = ensureAgentSession(input.sessionID, agentName);
     session.delegationActive = !isArchitect;
+    if (!isArchitect && guardrailsEnabled) {
+      beginInvocation(input.sessionID, agentName);
+    }
     if (config2.hooks?.delegation_tracker === true && previousAgent && previousAgent !== agentName) {
       const entry = {
         from: previousAgent,
@@ -16814,24 +16940,35 @@ function createGuardrailsHooks(config2) {
       if (agentConfig.max_duration_minutes === 0 && agentConfig.max_tool_calls === 0) {
         return;
       }
-      if (session.hardLimitHit) {
+      if (!getActiveWindow(input.sessionID)) {
+        const fallbackAgent = swarmState.activeAgent.get(input.sessionID) ?? session.agentName;
+        const stripped = stripKnownSwarmPrefix(fallbackAgent);
+        if (stripped !== ORCHESTRATOR_NAME) {
+          beginInvocation(input.sessionID, fallbackAgent);
+        }
+      }
+      const window = getActiveWindow(input.sessionID);
+      if (!window) {
+        return;
+      }
+      if (window.hardLimitHit) {
         throw new Error("\uD83D\uDED1 CIRCUIT BREAKER: Agent blocked. Hard limit was previously triggered. Stop making tool calls and return your progress summary.");
       }
-      session.toolCallCount++;
+      window.toolCalls++;
       const hash2 = hashArgs(output.args);
-      session.recentToolCalls.push({
+      window.recentToolCalls.push({
         tool: input.tool,
         argsHash: hash2,
         timestamp: Date.now()
       });
-      if (session.recentToolCalls.length > 20) {
-        session.recentToolCalls.shift();
+      if (window.recentToolCalls.length > 20) {
+        window.recentToolCalls.shift();
       }
       let repetitionCount = 0;
-      if (session.recentToolCalls.length > 0) {
-        const lastEntry = session.recentToolCalls[session.recentToolCalls.length - 1];
-        for (let i = session.recentToolCalls.length - 1;i >= 0; i--) {
-          const entry = session.recentToolCalls[i];
+      if (window.recentToolCalls.length > 0) {
+        const lastEntry = window.recentToolCalls[window.recentToolCalls.length - 1];
+        for (let i = window.recentToolCalls.length - 1;i >= 0; i--) {
+          const entry = window.recentToolCalls[i];
           if (entry.tool === lastEntry.tool && entry.argsHash === lastEntry.argsHash) {
             repetitionCount++;
           } else {
@@ -16839,54 +16976,60 @@ function createGuardrailsHooks(config2) {
           }
         }
       }
-      const elapsedMinutes = (Date.now() - session.startTime) / 60000;
-      if (agentConfig.max_tool_calls > 0 && session.toolCallCount >= agentConfig.max_tool_calls) {
-        session.hardLimitHit = true;
+      const elapsedMinutes = (Date.now() - window.startedAtMs) / 60000;
+      if (agentConfig.max_tool_calls > 0 && window.toolCalls >= agentConfig.max_tool_calls) {
+        window.hardLimitHit = true;
         warn("Circuit breaker: tool call limit hit", {
           sessionID: input.sessionID,
-          agentName: session.agentName,
+          agentName: window.agentName,
+          invocationId: window.id,
+          windowKey: `${window.agentName}:${window.id}`,
           resolvedMaxCalls: agentConfig.max_tool_calls,
-          currentCalls: session.toolCallCount
+          currentCalls: window.toolCalls
         });
-        throw new Error(`\uD83D\uDED1 LIMIT REACHED: Tool calls exhausted (${session.toolCallCount}/${agentConfig.max_tool_calls}). Finish the current operation and return your progress summary.`);
+        throw new Error(`\uD83D\uDED1 LIMIT REACHED: Tool calls exhausted (${window.toolCalls}/${agentConfig.max_tool_calls}). Finish the current operation and return your progress summary.`);
       }
       if (agentConfig.max_duration_minutes > 0 && elapsedMinutes >= agentConfig.max_duration_minutes) {
-        session.hardLimitHit = true;
+        window.hardLimitHit = true;
         warn("Circuit breaker: duration limit hit", {
           sessionID: input.sessionID,
-          agentName: session.agentName,
+          agentName: window.agentName,
+          invocationId: window.id,
+          windowKey: `${window.agentName}:${window.id}`,
           resolvedMaxMinutes: agentConfig.max_duration_minutes,
           elapsedMinutes: Math.floor(elapsedMinutes)
         });
         throw new Error(`\uD83D\uDED1 LIMIT REACHED: Duration exhausted (${Math.floor(elapsedMinutes)}/${agentConfig.max_duration_minutes} min). Finish the current operation and return your progress summary.`);
       }
       if (repetitionCount >= agentConfig.max_repetitions) {
-        session.hardLimitHit = true;
+        window.hardLimitHit = true;
         throw new Error(`\uD83D\uDED1 LIMIT REACHED: Repeated the same tool call ${repetitionCount} times. This suggests a loop. Return your progress summary.`);
       }
-      if (session.consecutiveErrors >= agentConfig.max_consecutive_errors) {
-        session.hardLimitHit = true;
-        throw new Error(`\uD83D\uDED1 LIMIT REACHED: ${session.consecutiveErrors} consecutive tool errors detected. Return your progress summary with details of what went wrong.`);
+      if (window.consecutiveErrors >= agentConfig.max_consecutive_errors) {
+        window.hardLimitHit = true;
+        throw new Error(`\uD83D\uDED1 LIMIT REACHED: ${window.consecutiveErrors} consecutive tool errors detected. Return your progress summary with details of what went wrong.`);
       }
-      const idleMinutes = (Date.now() - session.lastSuccessTime) / 60000;
+      const idleMinutes = (Date.now() - window.lastSuccessTimeMs) / 60000;
       if (idleMinutes >= agentConfig.idle_timeout_minutes) {
-        session.hardLimitHit = true;
+        window.hardLimitHit = true;
         warn("Circuit breaker: idle timeout hit", {
           sessionID: input.sessionID,
-          agentName: session.agentName,
+          agentName: window.agentName,
+          invocationId: window.id,
+          windowKey: `${window.agentName}:${window.id}`,
           idleTimeoutMinutes: agentConfig.idle_timeout_minutes,
           idleMinutes: Math.floor(idleMinutes)
         });
         throw new Error(`\uD83D\uDED1 LIMIT REACHED: No successful tool call for ${Math.floor(idleMinutes)} minutes (idle timeout: ${agentConfig.idle_timeout_minutes} min). This suggests the agent may be stuck. Return your progress summary.`);
       }
-      if (!session.warningIssued) {
-        const toolPct = agentConfig.max_tool_calls > 0 ? session.toolCallCount / agentConfig.max_tool_calls : 0;
+      if (!window.warningIssued) {
+        const toolPct = agentConfig.max_tool_calls > 0 ? window.toolCalls / agentConfig.max_tool_calls : 0;
         const durationPct = agentConfig.max_duration_minutes > 0 ? elapsedMinutes / agentConfig.max_duration_minutes : 0;
         const repPct = repetitionCount / agentConfig.max_repetitions;
-        const errorPct = session.consecutiveErrors / agentConfig.max_consecutive_errors;
+        const errorPct = window.consecutiveErrors / agentConfig.max_consecutive_errors;
         const reasons = [];
         if (agentConfig.max_tool_calls > 0 && toolPct >= agentConfig.warning_threshold) {
-          reasons.push(`tool calls ${session.toolCallCount}/${agentConfig.max_tool_calls}`);
+          reasons.push(`tool calls ${window.toolCalls}/${agentConfig.max_tool_calls}`);
         }
         if (durationPct >= agentConfig.warning_threshold) {
           reasons.push(`duration ${Math.floor(elapsedMinutes)}/${agentConfig.max_duration_minutes} min`);
@@ -16895,25 +17038,24 @@ function createGuardrailsHooks(config2) {
           reasons.push(`repetitions ${repetitionCount}/${agentConfig.max_repetitions}`);
         }
         if (errorPct >= agentConfig.warning_threshold) {
-          reasons.push(`errors ${session.consecutiveErrors}/${agentConfig.max_consecutive_errors}`);
+          reasons.push(`errors ${window.consecutiveErrors}/${agentConfig.max_consecutive_errors}`);
         }
         if (reasons.length > 0) {
-          session.warningIssued = true;
-          session.warningReason = reasons.join(", ");
+          window.warningIssued = true;
+          window.warningReason = reasons.join(", ");
         }
       }
     },
     toolAfter: async (input, output) => {
-      const session = getAgentSession(input.sessionID);
-      if (!session) {
+      const window = getActiveWindow(input.sessionID);
+      if (!window)
         return;
-      }
       const hasError = output.output === null || output.output === undefined;
       if (hasError) {
-        session.consecutiveErrors++;
+        window.consecutiveErrors++;
       } else {
-        session.consecutiveErrors = 0;
-        session.lastSuccessTime = Date.now();
+        window.consecutiveErrors = 0;
+        window.lastSuccessTimeMs = Date.now();
       }
     },
     messagesTransform: async (_input, output) => {
@@ -16922,32 +17064,24 @@ function createGuardrailsHooks(config2) {
         return;
       }
       const lastMessage = messages[messages.length - 1];
-      let sessionId = lastMessage.info?.sessionID;
-      if (!sessionId) {
-        for (const [id, session2] of swarmState.agentSessions) {
-          if (session2.warningIssued || session2.hardLimitHit) {
-            sessionId = id;
-            break;
-          }
-        }
-      }
+      const sessionId = lastMessage.info?.sessionID;
       if (!sessionId) {
         return;
       }
-      const session = getAgentSession(sessionId);
-      if (!session || !session.warningIssued && !session.hardLimitHit) {
+      const targetWindow = getActiveWindow(sessionId);
+      if (!targetWindow || !targetWindow.warningIssued && !targetWindow.hardLimitHit) {
         return;
       }
       const textPart = lastMessage.parts.find((part) => part.type === "text" && typeof part.text === "string");
       if (!textPart) {
         return;
       }
-      if (session.hardLimitHit) {
+      if (targetWindow.hardLimitHit) {
         textPart.text = `[\uD83D\uDED1 LIMIT REACHED: Your resource budget is exhausted. Do not make additional tool calls. Return a summary of your progress and any remaining work.]
 
 ` + textPart.text;
-      } else if (session.warningIssued) {
-        const reasonSuffix = session.warningReason ? ` (${session.warningReason})` : "";
+      } else if (targetWindow.warningIssued) {
+        const reasonSuffix = targetWindow.warningReason ? ` (${targetWindow.warningReason})` : "";
         textPart.text = `[\u26A0\uFE0F APPROACHING LIMITS${reasonSuffix}: You still have capacity to finish your current step. Complete what you're working on, then return your results.]
 
 ` + textPart.text;
@@ -17142,6 +17276,12 @@ function createSystemEnhancerHook(config2, directory) {
             }
           }
           tryInject("[SWARM HINT] Large tool outputs may be auto-summarized. Use /swarm retrieve <id> to get the full content if needed.");
+          if (config2.review_passes?.always_security_review) {
+            tryInject("[SWARM CONFIG] Security review pass is MANDATORY for ALL tasks. Skip file-pattern check \u2014 always run security-only reviewer pass after general review APPROVED.");
+          }
+          if (config2.integration_analysis?.enabled === false) {
+            tryInject("[SWARM CONFIG] Integration analysis is DISABLED. Skip diff tool and integration impact analysis after coder tasks.");
+          }
           return;
         }
         const userScoringConfig = config2.context_budget?.scoring;
@@ -17221,6 +17361,28 @@ function createSystemEnhancerHook(config2, directory) {
             }
           }
         }
+        if (config2.review_passes?.always_security_review) {
+          const text = "[SWARM CONFIG] Security review pass is MANDATORY for ALL tasks. Skip file-pattern check \u2014 always run security-only reviewer pass after general review APPROVED.";
+          candidates.push({
+            id: `candidate-${idCounter++}`,
+            kind: "phase",
+            text,
+            tokens: estimateTokens(text),
+            priority: 1,
+            metadata: { contentType: "prose" }
+          });
+        }
+        if (config2.integration_analysis?.enabled === false) {
+          const text = "[SWARM CONFIG] Integration analysis is DISABLED. Skip diff tool and integration impact analysis after coder tasks.";
+          candidates.push({
+            id: `candidate-${idCounter++}`,
+            kind: "phase",
+            text,
+            tokens: estimateTokens(text),
+            priority: 1,
+            metadata: { contentType: "prose" }
+          });
+        }
         const ranked = rankCandidates(candidates, effectiveConfig);
         for (const candidate of ranked) {
           if (injectedTokens + candidate.tokens > maxInjectionTokens) {
@@ -17415,6 +17577,9 @@ function createToolSummarizerHook(config2, directory) {
     }
   };
 }
+// src/tools/diff.ts
+import { execSync } from "child_process";
+
 // node_modules/@opencode-ai/plugin/node_modules/zod/v4/classic/external.js
 var exports_external2 = {};
 __export(exports_external2, {
@@ -29735,7 +29900,149 @@ function tool(input) {
   return input;
 }
 tool.schema = exports_external2;
-
+// src/tools/diff.ts
+var MAX_DIFF_LINES = 500;
+var DIFF_TIMEOUT_MS = 30000;
+var MAX_BUFFER_BYTES = 5 * 1024 * 1024;
+var CONTRACT_PATTERNS = [
+  /^[+-]\s*export\s+(function|const|class|interface|type|enum|default)\b/,
+  /^[+-]\s*(interface|type)\s+\w+/,
+  /^[+-]\s*public\s+/,
+  /^[+-]\s*(async\s+)?function\s+\w+\s*\(/
+];
+var SAFE_REF_PATTERN = /^[a-zA-Z0-9._\-/~^@{}]+$/;
+var MAX_REF_LENGTH = 256;
+var MAX_PATH_LENGTH = 500;
+var SHELL_METACHARACTERS = /[;|&$`(){}<>!'"]/;
+function validateBase(base) {
+  if (base.length > MAX_REF_LENGTH) {
+    return `base ref exceeds maximum length of ${MAX_REF_LENGTH}`;
+  }
+  if (!SAFE_REF_PATTERN.test(base)) {
+    return "base contains invalid characters for git ref";
+  }
+  return null;
+}
+function validatePaths(paths) {
+  if (!paths)
+    return null;
+  for (const path7 of paths) {
+    if (!path7 || path7.length === 0) {
+      return "empty path not allowed";
+    }
+    if (path7.length > MAX_PATH_LENGTH) {
+      return `path exceeds maximum length of ${MAX_PATH_LENGTH}`;
+    }
+    if (SHELL_METACHARACTERS.test(path7)) {
+      return "path contains shell metacharacters";
+    }
+  }
+  return null;
+}
+var diff = tool({
+  description: "Analyze git diff for changed files, exports, interfaces, and function signatures. Returns structured output with contract change detection.",
+  args: {
+    base: tool.schema.string().optional().describe('Base ref to diff against (default: HEAD). Use "staged" for staged changes, "unstaged" for working tree changes.'),
+    paths: tool.schema.array(tool.schema.string()).optional().describe("Optional file paths to restrict diff scope.")
+  },
+  async execute(args, _context) {
+    try {
+      const base = args.base ?? "HEAD";
+      const pathSpec = args.paths?.length ? "-- " + args.paths.join(" ") : "";
+      const baseValidationError = validateBase(base);
+      if (baseValidationError) {
+        const errorResult = {
+          error: `invalid base: ${baseValidationError}`,
+          files: [],
+          contractChanges: [],
+          hasContractChanges: false
+        };
+        return JSON.stringify(errorResult, null, 2);
+      }
+      const pathsValidationError = validatePaths(args.paths);
+      if (pathsValidationError) {
+        const errorResult = {
+          error: `invalid paths: ${pathsValidationError}`,
+          files: [],
+          contractChanges: [],
+          hasContractChanges: false
+        };
+        return JSON.stringify(errorResult, null, 2);
+      }
+      let gitCmd;
+      if (base === "staged") {
+        gitCmd = "git --no-pager diff --cached";
+      } else if (base === "unstaged") {
+        gitCmd = "git --no-pager diff";
+      } else {
+        gitCmd = `git --no-pager diff ${base}`;
+      }
+      const numstatOutput = execSync(gitCmd + " --numstat " + pathSpec, {
+        encoding: "utf-8",
+        timeout: DIFF_TIMEOUT_MS
+      });
+      const fullDiffOutput = execSync(gitCmd + " -U3 " + pathSpec, {
+        encoding: "utf-8",
+        timeout: DIFF_TIMEOUT_MS,
+        maxBuffer: MAX_BUFFER_BYTES
+      });
+      const files = [];
+      const numstatLines = numstatOutput.split(`
+`);
+      for (const line of numstatLines) {
+        if (!line.trim())
+          continue;
+        const parts = line.split("\t");
+        if (parts.length >= 3) {
+          const additions = parseInt(parts[0]) || 0;
+          const deletions = parseInt(parts[1]) || 0;
+          const path7 = parts[2];
+          files.push({ path: path7, additions, deletions });
+        }
+      }
+      const contractChanges = [];
+      const diffLines = fullDiffOutput.split(`
+`);
+      let currentFile = "";
+      for (const line of diffLines) {
+        const gitLineMatch = line.match(/^diff --git.* b\/(.+)$/);
+        if (gitLineMatch) {
+          currentFile = gitLineMatch[1];
+        }
+        for (const pattern of CONTRACT_PATTERNS) {
+          if (pattern.test(line)) {
+            const trimmed = line.trim();
+            if (currentFile) {
+              contractChanges.push(`[${currentFile}] ${trimmed}`);
+            } else {
+              contractChanges.push(trimmed);
+            }
+            break;
+          }
+        }
+      }
+      const hasContractChanges = contractChanges.length > 0;
+      const fileCount = files.length;
+      const truncated = diffLines.length > MAX_DIFF_LINES;
+      const summary = truncated ? `${fileCount} files changed. Contract changes: ${hasContractChanges ? "YES" : "NO"}. (truncated to ${MAX_DIFF_LINES} lines)` : `${fileCount} files changed. Contract changes: ${hasContractChanges ? "YES" : "NO"}`;
+      const result = {
+        files,
+        contractChanges,
+        hasContractChanges,
+        summary
+      };
+      return JSON.stringify(result, null, 2);
+    } catch (e) {
+      const errorResult = {
+        error: e instanceof Error ? `git diff failed: ${e.constructor.name}` : "git diff failed: unknown error",
+        files: [],
+        contractChanges: [],
+        hasContractChanges: false
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
+  }
+});
 // src/tools/domain-detector.ts
 var DOMAIN_PATTERNS = {
   windows: [
@@ -30120,9 +30427,10 @@ var OpenCodeSwarm = async (ctx) => {
   const contextBudgetHandler = createContextBudgetHandler(config3);
   const commandHandler = createSwarmCommandHandler(ctx.directory, Object.fromEntries(agentDefinitions.map((agent) => [agent.name, agent])));
   const activityHooks = createAgentActivityHooks(config3, ctx.directory);
-  const delegationHandler = createDelegationTrackerHook(config3);
   const delegationGateHandler = createDelegationGateHook(config3);
-  const guardrailsConfig = GuardrailsConfigSchema.parse(config3.guardrails ?? {});
+  const guardrailsFallback = config3._loadedFromFile ? config3.guardrails ?? {} : { ...config3.guardrails, enabled: false };
+  const guardrailsConfig = GuardrailsConfigSchema.parse(guardrailsFallback);
+  const delegationHandler = createDelegationTrackerHook(config3, guardrailsConfig.enabled);
   const guardrailsHooks = createGuardrailsHooks(guardrailsConfig);
   const summaryConfig = SummaryConfigSchema.parse(config3.summaries ?? {});
   const toolSummarizerHook = createToolSummarizerHook(summaryConfig, ctx.directory);
@@ -30149,7 +30457,8 @@ var OpenCodeSwarm = async (ctx) => {
     tool: {
       detect_domains,
       extract_code_blocks,
-      gitingest
+      gitingest,
+      diff
     },
     config: async (opencodeConfig) => {
       if (!opencodeConfig.agent) {

package/dist/state.d.ts

@@ -34,37 +34,56 @@ export interface DelegationEntry {
     timestamp: number;
 }
 /**
- * Represents per-session state for guardrail tracking
+ * Represents per-session state for guardrail tracking.
+ * Budget fields (toolCallCount, consecutiveErrors, etc.) have moved to InvocationWindow.
+ * This interface now tracks session-level metadata and window management.
  */
 export interface AgentSessionState {
-    /** Which agent this session belongs to */
+    /** Current agent identity for this session */
     agentName: string;
-    /** Date.now() when session started */
-    startTime: number;
-    /** Timestamp of most recent tool call (for stale session eviction) */
+    /** Timestamp of most recent tool call (for session-level stale detection) */
     lastToolCallTime: number;
-    /** Timestamp of most recent agent identity event (chat.message sets/changes identity) */
+    /** Timestamp of most recent agent identity event (chat.message) */
     lastAgentEventTime: number;
-    /** Total tool calls in this session */
-    toolCallCount: number;
-    /** Consecutive errors (reset on success) */
+    /** Whether active delegation is in progress for this session */
+    delegationActive: boolean;
+    /** Current active invocation ID for this agent */
+    activeInvocationId: number;
+    /** Last invocation ID by agent name (e.g., { "coder": 3, "reviewer": 1 }) */
+    lastInvocationIdByAgent: Record<string, number>;
+    /** Active invocation windows keyed by "${agentName}:${invId}" */
+    windows: Record<string, InvocationWindow>;
+}
+/**
+ * Represents a single agent invocation window with isolated guardrail budgets.
+ * Each time the architect delegates to an agent, a new window is created.
+ * Architect never creates windows (unlimited).
+ */
+export interface InvocationWindow {
+    /** Unique ID for this invocation (increments per agent type) */
+    id: number;
+    /** Agent name (stripped of swarm prefix) */
+    agentName: string;
+    /** Timestamp when this invocation started */
+    startedAtMs: number;
+    /** Tool calls made in this invocation */
+    toolCalls: number;
+    /** Consecutive errors in this invocation */
     consecutiveErrors: number;
-    /** Circular buffer of recent tool calls, max 20 entries */
+    /** Whether hard limit was hit for this invocation */
+    hardLimitHit: boolean;
+    /** Timestamp of most recent successful tool call */
+    lastSuccessTimeMs: number;
+    /** Circular buffer of recent tool calls (max 20) for repetition detection */
     recentToolCalls: Array<{
         tool: string;
         argsHash: number;
         timestamp: number;
     }>;
-    /** Whether a soft warning has been issued */
+    /** Whether soft warning has been issued for this invocation */
     warningIssued: boolean;
-    /** Human-readable warning reason (set when warningIssued = true) */
+    /** Human-readable warning reason */
     warningReason: string;
-    /** Whether a hard limit has been triggered */
-    hardLimitHit: boolean;
-    /** Timestamp of most recent SUCCESSFUL tool call (for idle timeout) */
-    lastSuccessTime: number;
-    /** Whether active delegation is in progress for this session */
-    delegationActive: boolean;
 }
 /**
  * Singleton state object for sharing data across hooks
@@ -122,3 +141,30 @@ export declare function ensureAgentSession(sessionId: string, agentName?: string
  * @param sessionId - The session identifier
  */
 export declare function updateAgentEventTime(sessionId: string): void;
+/**
+ * Begin a new invocation window for the given agent.
+ * Increments invocation ID, creates fresh budget counters.
+ * Returns null for architect (unlimited, no window).
+ *
+ * @param sessionId - Session identifier
+ * @param agentName - Agent name (with or without swarm prefix)
+ * @returns New window or null if architect
+ */
+export declare function beginInvocation(sessionId: string, agentName: string): InvocationWindow | null;
+/**
+ * Get the currently active invocation window for the session.
+ * Returns undefined if no window exists (e.g., architect session).
+ *
+ * @param sessionId - Session identifier
+ * @returns Active window or undefined
+ */
+export declare function getActiveWindow(sessionId: string): InvocationWindow | undefined;
+/**
+ * Prune old invocation windows to prevent unbounded memory growth.
+ * Removes windows older than maxAgeMs and keeps only the most recent maxWindows.
+ *
+ * @param sessionId - Session identifier
+ * @param maxAgeMs - Maximum age in milliseconds (default 24 hours)
+ * @param maxWindows - Maximum number of windows to keep (default 50)
+ */
+export declare function pruneOldWindows(sessionId: string, maxAgeMs?: number, maxWindows?: number): void;

package/dist/tools/diff.d.ts

@@ -0,0 +1,18 @@
+import { tool } from '@opencode-ai/plugin';
+export interface DiffResult {
+    files: Array<{
+        path: string;
+        additions: number;
+        deletions: number;
+    }>;
+    contractChanges: string[];
+    hasContractChanges: boolean;
+    summary: string;
+}
+export interface DiffErrorResult {
+    error: string;
+    files: [];
+    contractChanges: [];
+    hasContractChanges: false;
+}
+export declare const diff: ReturnType<typeof tool>;

package/dist/tools/index.d.ts

@@ -1,3 +1,4 @@
+export { type DiffErrorResult, type DiffResult, diff } from './diff';
 export { detect_domains } from './domain-detector';
 export { extract_code_blocks } from './file-extractor';
-export { gitingest, fetchGitingest, type GitingestArgs } from './gitingest';
+export { fetchGitingest, type GitingestArgs, gitingest } from './gitingest';

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "5.1.8",
+	"version": "6.0.1",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",