opencode-swarm 6.20.0 → 6.20.2

package/README.md

@@ -852,7 +852,7 @@ This release adds runtime detection hooks to catch and warn about architect work
 - **Partial gate tracking**: Detects when QA gates are skipped
 - **Self-fix detection**: Warns when an agent fixes its own gate failure (should delegate to fresh agent)
 - **Batch detection**: Catches "implement X and add Y" batching in task requests
-- **Zero-delegation detection**: Warns when tasks complete without any coder delegation
+- **Zero-delegation detection**: Warns when tasks complete without any coder delegation; supports parsing delegation envelopes from JSON or KEY: VALUE text format for validation.
 
 These hooks are advisory (warnings only) and help maintain workflow discipline during long sessions.
 

package/dist/cli/index.js

@@ -14186,6 +14186,8 @@ function log(message, data) {
   }
 }
 function warn(message, data) {
+  if (!DEBUG)
+    return;
   const timestamp = new Date().toISOString();
   if (data !== undefined) {
     console.warn(`[opencode-swarm ${timestamp}] WARN: ${message}`, data);
@@ -32646,9 +32648,9 @@ function validateArgs(args) {
     return false;
   return true;
 }
-function getLinterCommand(linter, mode) {
+function getLinterCommand(linter, mode, projectDir) {
   const isWindows = process.platform === "win32";
-  const binDir = path11.join(process.cwd(), "node_modules", ".bin");
+  const binDir = path11.join(projectDir, "node_modules", ".bin");
   const biomeBin = isWindows ? path11.join(binDir, "biome.EXE") : path11.join(binDir, "biome");
   const eslintBin = isWindows ? path11.join(binDir, "eslint.cmd") : path11.join(binDir, "eslint");
   switch (linter) {
@@ -32825,8 +32827,8 @@ async function detectAvailableLinter() {
   } catch {}
   return null;
 }
-async function runLint(linter, mode) {
-  const command = getLinterCommand(linter, mode);
+async function runLint(linter, mode, directory) {
+  const command = getLinterCommand(linter, mode, directory);
   const commandStr = command.join(" ");
   if (commandStr.length > MAX_COMMAND_LENGTH) {
     return {
@@ -32840,7 +32842,8 @@ async function runLint(linter, mode) {
   try {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
-      stderr: "pipe"
+      stderr: "pipe",
+      cwd: directory
     });
     const [stdout, stderr] = await Promise.all([
       new Response(proc.stdout).text(),
@@ -32954,11 +32957,19 @@ var lint = createSwarmTool({
       };
       return JSON.stringify(errorResult2, null, 2);
     }
+    if (!directory || typeof directory !== "string" || directory.trim() === "") {
+      const errorResult2 = {
+        success: false,
+        mode: "check",
+        error: "project directory is required but was not provided"
+      };
+      return JSON.stringify(errorResult2, null, 2);
+    }
     const { mode } = args;
     const cwd = directory;
     const linter = await detectAvailableLinter();
     if (linter) {
-      const result = await runLint(linter, mode);
+      const result = await runLint(linter, mode, directory);
       return JSON.stringify(result, null, 2);
     }
     const additionalLinter = detectAdditionalLinter(cwd);

package/dist/hooks/delegation-gate.d.ts

@@ -5,13 +5,22 @@
  * Uses experimental.chat.messages.transform to provide non-blocking guidance.
  */
 import type { PluginConfig } from '../config';
-import type { DelegationEnvelope } from '../types/delegation.js';
+import type { DelegationEnvelope, EnvelopeValidationResult } from '../types/delegation.js';
 /**
  * Parses a string to extract a DelegationEnvelope.
  * Returns null if no valid envelope is found.
  * Never throws - all errors are caught and result in null.
  */
 export declare function parseDelegationEnvelope(content: string): DelegationEnvelope | null;
+interface ValidationContext {
+    planTasks: string[];
+    validAgents: string[];
+}
+/**
+ * Validates a DelegationEnvelope against the current plan and agent list.
+ * Returns { valid: true } on success, or { valid: false; reason: string } on failure.
+ */
+export declare function validateDelegationEnvelope(envelope: unknown, context: ValidationContext): EnvelopeValidationResult;
 interface MessageInfo {
     role: string;
     agent?: string;

package/dist/hooks/guardrails.d.ts

@@ -9,11 +9,11 @@
 import { type GuardrailsConfig } from '../config/schema';
 /**
  * Creates guardrails hooks for circuit breaker protection
- * @param directory Working directory (from plugin init context)
- * @param config Guardrails configuration
+ * @param directoryOrConfig Working directory (from plugin init context) OR legacy config object for backward compatibility
+ * @param config Guardrails configuration (optional if first arg is config)
  * @returns Tool before/after hooks and messages transform hook
  */
-export declare function createGuardrailsHooks(directory: string, config: GuardrailsConfig): {
+export declare function createGuardrailsHooks(directoryOrConfig?: string | GuardrailsConfig, config?: GuardrailsConfig): {
     toolBefore: (input: {
         tool: string;
         sessionID: string;

package/dist/index.js

@@ -14248,6 +14248,8 @@ function log(message, data) {
   }
 }
 function warn(message, data) {
+  if (!DEBUG)
+    return;
   const timestamp = new Date().toISOString();
   if (data !== undefined) {
     console.warn(`[opencode-swarm ${timestamp}] WARN: ${message}`, data);
@@ -32236,9 +32238,9 @@ function validateArgs(args2) {
     return false;
   return true;
 }
-function getLinterCommand(linter, mode) {
+function getLinterCommand(linter, mode, projectDir) {
   const isWindows = process.platform === "win32";
-  const binDir = path18.join(process.cwd(), "node_modules", ".bin");
+  const binDir = path18.join(projectDir, "node_modules", ".bin");
   const biomeBin = isWindows ? path18.join(binDir, "biome.EXE") : path18.join(binDir, "biome");
   const eslintBin = isWindows ? path18.join(binDir, "eslint.cmd") : path18.join(binDir, "eslint");
   switch (linter) {
@@ -32415,8 +32417,8 @@ async function detectAvailableLinter() {
   } catch {}
   return null;
 }
-async function runLint(linter, mode) {
-  const command = getLinterCommand(linter, mode);
+async function runLint(linter, mode, directory) {
+  const command = getLinterCommand(linter, mode, directory);
   const commandStr = command.join(" ");
   if (commandStr.length > MAX_COMMAND_LENGTH) {
     return {
@@ -32430,7 +32432,8 @@ async function runLint(linter, mode) {
   try {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
-      stderr: "pipe"
+      stderr: "pipe",
+      cwd: directory
     });
     const [stdout, stderr] = await Promise.all([
       new Response(proc.stdout).text(),
@@ -32550,11 +32553,19 @@ var init_lint = __esm(() => {
         };
         return JSON.stringify(errorResult2, null, 2);
       }
+      if (!directory || typeof directory !== "string" || directory.trim() === "") {
+        const errorResult2 = {
+          success: false,
+          mode: "check",
+          error: "project directory is required but was not provided"
+        };
+        return JSON.stringify(errorResult2, null, 2);
+      }
       const { mode } = args2;
       const cwd = directory;
       const linter = await detectAvailableLinter();
       if (linter) {
-        const result = await runLint(linter, mode);
+        const result = await runLint(linter, mode, directory);
         return JSON.stringify(result, null, 2);
       }
       const additionalLinter = detectAdditionalLinter(cwd);
@@ -34357,10 +34368,10 @@ async function runVersionCheck(dir, _timeoutMs) {
     };
   }
 }
-async function runLintCheck(_dir, linter, timeoutMs) {
+async function runLintCheck(dir, linter, timeoutMs) {
   const startTime = Date.now();
   try {
-    const lintPromise = runLint(linter, "check");
+    const lintPromise = runLint(linter, "check", dir);
     const timeoutPromise = new Promise((_, reject) => {
       setTimeout(() => {
         reject(new Error(`Lint check timed out after ${timeoutMs}ms`));
@@ -39092,6 +39103,8 @@ If you are about to edit a source file: STOP. You are violating protocol.
 writeCount > 0 on source files from the Architect is equivalent to GATE_DELEGATION_BYPASS.
 
 PLAN STATE PROTECTION
+WHY: plan.md is auto-regenerated by PlanSyncWorker from plan.json. Any direct write to plan.md will be silently overwritten within seconds. If you see plan.md reverting after your edit, this is the cause \u2014 the worker detected a plan.json change and regenerated plan.md from it.
+The correct tools: save_plan to create or restructure a plan (writes plan.json \u2192 triggers regeneration); update_task_status() for task completion status; phase_complete() for phase-level transitions.
 .swarm/plan.md and .swarm/plan.json are READABLE but NOT DIRECTLY WRITABLE for state transitions.
 Task-level status changes (marking individual tasks as "completed") must use update_task_status().
 Phase-level completion (marking an entire phase as done) must use phase_complete().
@@ -44993,7 +45006,7 @@ async function handleKnowledgeListCommand(directory, _args) {
       "|------|----------|------------|---------------------|"
     ];
     for (const entry of entries) {
-      const truncatedLesson = entry.lesson.length > 60 ? entry.lesson.slice(0, 57) + "..." : entry.lesson;
+      const truncatedLesson = entry.lesson.length > 60 ? `${entry.lesson.slice(0, 57)}...` : entry.lesson;
       const confidencePct = Math.round(entry.confidence * 100);
       lines.push(`| ${entry.id.slice(0, 8)}... | ${entry.category} | ${confidencePct}% | ${truncatedLesson} |`);
     }
@@ -45605,7 +45618,7 @@ async function handleRollbackCommand(directory, args2) {
 `);
   }
   const targetPhase = parseInt(phaseArg, 10);
-  if (isNaN(targetPhase) || targetPhase < 1) {
+  if (Number.isNaN(targetPhase) || targetPhase < 1) {
     return "Error: Phase number must be a positive integer.";
   }
   const manifestPath = validateSwarmPath(directory, "checkpoints/manifest.json");
@@ -45650,7 +45663,7 @@ async function handleRollbackCommand(directory, args2) {
     timestamp: new Date().toISOString()
   };
   try {
-    fs12.appendFileSync(eventsPath, JSON.stringify(rollbackEvent) + `
+    fs12.appendFileSync(eventsPath, `${JSON.stringify(rollbackEvent)}
 `);
   } catch (error93) {
     console.error("Failed to write rollback event:", error93);
@@ -47493,14 +47506,24 @@ function getCurrentTaskId(sessionId) {
   const session = swarmState.agentSessions.get(sessionId);
   return session?.currentTaskId ?? `${sessionId}:unknown`;
 }
-function createGuardrailsHooks(directory, config3) {
-  if (config3.enabled === false) {
+function createGuardrailsHooks(directoryOrConfig, config3) {
+  let directory;
+  let guardrailsConfig;
+  if (directoryOrConfig && typeof directoryOrConfig === "object" && "enabled" in directoryOrConfig) {
+    directory = process.cwd();
+    guardrailsConfig = directoryOrConfig;
+  } else {
+    directory = directoryOrConfig ?? process.cwd();
+    guardrailsConfig = config3;
+  }
+  if (guardrailsConfig?.enabled === false) {
     return {
       toolBefore: async () => {},
       toolAfter: async () => {},
       messagesTransform: async () => {}
     };
   }
+  const cfg = guardrailsConfig;
   const inputArgsByCallID = new Map;
   return {
     toolBefore: async (input, output) => {
@@ -47508,6 +47531,13 @@ function createGuardrailsHooks(directory, config3) {
       if (currentSession?.delegationActive) {} else if (isArchitect(input.sessionID) && isWriteTool(input.tool)) {
         const args2 = output.args;
         const targetPath = args2?.filePath ?? args2?.path ?? args2?.file ?? args2?.target;
+        if (typeof targetPath === "string" && targetPath.length > 0) {
+          const resolvedTarget = path25.resolve(directory, targetPath).toLowerCase();
+          const planMdPath = path25.resolve(directory, ".swarm", "plan.md").toLowerCase();
+          if (resolvedTarget === planMdPath) {
+            throw new Error("PLAN STATE VIOLATION: Direct writes to .swarm/plan.md are blocked. " + "plan.md is auto-regenerated from plan.json by PlanSyncWorker. " + "Use update_task_status() to mark tasks complete, " + "phase_complete() for phase transitions, or " + "save_plan to create/restructure plans.");
+          }
+        }
         if (!targetPath && (input.tool === "apply_patch" || input.tool === "patch")) {
           const patchText = args2?.input ?? args2?.patch ?? (Array.isArray(args2?.cmd) ? args2.cmd[1] : undefined);
           if (typeof patchText === "string") {
@@ -47523,6 +47553,11 @@ function createGuardrailsHooks(directory, config3) {
                 paths.add(p);
             }
             for (const p of paths) {
+              const resolvedP = path25.resolve(directory, p);
+              const planMdPath = path25.resolve(directory, ".swarm", "plan.md");
+              if (resolvedP.toLowerCase() === planMdPath.toLowerCase()) {
+                throw new Error("PLAN STATE VIOLATION: Direct writes to .swarm/plan.md are blocked. " + "plan.md is auto-regenerated from plan.json by PlanSyncWorker. " + "Use update_task_status() to mark tasks complete, " + "phase_complete() for phase transitions, or " + "save_plan to create/restructure plans.");
+              }
               if (isOutsideSwarmDir(p, directory) && (isSourceCodePath(p) || hasTraversalSegments(p))) {
                 const session2 = swarmState.agentSessions.get(input.sessionID);
                 if (session2) {
@@ -47581,7 +47616,7 @@ function createGuardrailsHooks(directory, config3) {
       if (resolvedName === ORCHESTRATOR_NAME) {
         return;
       }
-      const agentConfig = resolveGuardrailsConfig(config3, session.agentName);
+      const agentConfig = resolveGuardrailsConfig(cfg, session.agentName);
       if (agentConfig.max_duration_minutes === 0 && agentConfig.max_tool_calls === 0) {
         return;
       }
@@ -51240,7 +51275,7 @@ function validateExtensions(extensions) {
   }
   return { valid: true, value: extensions, error: null };
 }
-async function getGitChurn(days) {
+async function getGitChurn(days, directory) {
   const churnMap = new Map;
   const proc = Bun.spawn([
     "git",
@@ -51250,7 +51285,8 @@ async function getGitChurn(days) {
     "--pretty=format:"
   ], {
     stdout: "pipe",
-    stderr: "pipe"
+    stderr: "pipe",
+    cwd: directory
   });
   const stdout = await new Response(proc.stdout).text();
   await proc.exited;
@@ -51315,8 +51351,8 @@ function getComplexityForFile(filePath) {
     return null;
   }
 }
-async function analyzeHotspots(days, topN, extensions) {
-  const churnMap = await getGitChurn(days);
+async function analyzeHotspots(days, topN, extensions, directory) {
+  const churnMap = await getGitChurn(days, directory);
   const extSet = new Set(extensions.map((e) => e.startsWith(".") ? e : `.${e}`));
   const filteredChurn = new Map;
   for (const [file3, count] of churnMap) {
@@ -51326,7 +51362,7 @@ async function analyzeHotspots(days, topN, extensions) {
     }
   }
   const hotspots = [];
-  const cwd = process.cwd();
+  const cwd = directory;
   let analyzedFiles = 0;
   for (const [file3, churnCount] of filteredChurn) {
     let fullPath = file3;
@@ -51378,7 +51414,22 @@ var complexity_hotspots = createSwarmTool({
     top_n: tool.schema.number().optional().describe("Number of top hotspots to return (default: 20, valid range: 1-100)"),
     extensions: tool.schema.string().optional().describe('Comma-separated extensions to include (default: "ts,tsx,js,jsx,py,rs,ps1")')
   },
-  async execute(args2, _directory) {
+  async execute(args2, directory) {
+    if (!directory || typeof directory !== "string" || directory.trim() === "") {
+      const errorResult = {
+        error: "project directory is required but was not provided",
+        analyzedFiles: 0,
+        period: "0 days",
+        hotspots: [],
+        summary: {
+          fullGates: 0,
+          securityReview: 0,
+          enhancedReview: 0,
+          standard: 0
+        }
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
     let daysInput;
     let topNInput;
     let extensionsInput;
@@ -51442,7 +51493,7 @@ var complexity_hotspots = createSwarmTool({
     const topN = topNValidation.value;
     const extensions = extensionsValidation.value.split(",").map((e) => e.trim());
     try {
-      const result = await analyzeHotspots(days, topN, extensions);
+      const result = await analyzeHotspots(days, topN, extensions, directory);
       return JSON.stringify(result, null, 2);
     } catch (e) {
       const errorResult = {
@@ -51477,7 +51528,7 @@ var SAFE_REF_PATTERN = /^[a-zA-Z0-9._\-/~^@{}]+$/;
 var MAX_REF_LENGTH = 256;
 var MAX_PATH_LENGTH = 500;
 var SHELL_METACHARACTERS2 = /[;|&$`(){}<>!'"]/;
-var CONTROL_CHAR_PATTERN2 = new RegExp("[\\u0000-\\u001F\\u007F]");
+var CONTROL_CHAR_PATTERN2 = /[\u0000-\u001F\u007F]/;
 function validateBase(base) {
   if (base.length > MAX_REF_LENGTH) {
     return `base ref exceeds maximum length of ${MAX_REF_LENGTH}`;
@@ -51515,8 +51566,17 @@ var diff = tool({
     base: tool.schema.string().optional().describe('Base ref to diff against (default: HEAD). Use "staged" for staged changes, "unstaged" for working tree changes.'),
     paths: tool.schema.array(tool.schema.string()).optional().describe("Optional file paths to restrict diff scope.")
   },
-  async execute(args2, _context) {
+  async execute(args2, context) {
     try {
+      if (!context.directory || typeof context.directory !== "string" || context.directory.trim() === "") {
+        const errorResult = {
+          error: "project directory is required but was not provided",
+          files: [],
+          contractChanges: [],
+          hasContractChanges: false
+        };
+        return JSON.stringify(errorResult, null, 2);
+      }
       const base = args2.base ?? "HEAD";
       const baseValidationError = validateBase(base);
       if (baseValidationError) {
@@ -51555,12 +51615,14 @@ var diff = tool({
       const numstatOutput = execFileSync("git", numstatArgs, {
         encoding: "utf-8",
         timeout: DIFF_TIMEOUT_MS,
-        maxBuffer: MAX_BUFFER_BYTES
+        maxBuffer: MAX_BUFFER_BYTES,
+        cwd: context.directory
       });
       const fullDiffOutput = execFileSync("git", fullDiffArgs, {
         encoding: "utf-8",
         timeout: DIFF_TIMEOUT_MS,
-        maxBuffer: MAX_BUFFER_BYTES
+        maxBuffer: MAX_BUFFER_BYTES,
+        cwd: context.directory
       });
       const files = [];
       const numstatLines = numstatOutput.split(`
@@ -51610,7 +51672,7 @@ var diff = tool({
       return JSON.stringify(result, null, 2);
     } catch (e) {
       const errorResult = {
-        error: e instanceof Error ? `git diff failed: ${e.constructor.name}` : "git diff failed: unknown error",
+        error: e instanceof Error ? `git diff failed: ${e.message}` : "git diff failed: unknown error",
         files: [],
         contractChanges: [],
         hasContractChanges: false
@@ -52906,9 +52968,9 @@ function validateArgs3(args2) {
   }
   return true;
 }
-function detectEcosystems() {
+function detectEcosystems(directory) {
   const ecosystems = [];
-  const cwd = process.cwd();
+  const cwd = directory;
   if (fs23.existsSync(path34.join(cwd, "package.json"))) {
     ecosystems.push("npm");
   }
@@ -52935,13 +52997,13 @@ function detectEcosystems() {
   }
   return ecosystems;
 }
-async function runNpmAudit() {
+async function runNpmAudit(directory) {
   const command = ["npm", "audit", "--json"];
   try {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53058,13 +53120,13 @@ function mapNpmSeverity(severity) {
       return "info";
   }
 }
-async function runPipAudit() {
+async function runPipAudit(directory) {
   const command = ["pip-audit", "--format=json"];
   try {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53189,13 +53251,13 @@ async function runPipAudit() {
     };
   }
 }
-async function runCargoAudit() {
+async function runCargoAudit(directory) {
   const command = ["cargo", "audit", "--json"];
   try {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53303,7 +53365,7 @@ function mapCargoSeverity(cvss) {
     return "moderate";
   return "low";
 }
-async function runGoAudit() {
+async function runGoAudit(directory) {
   const command = ["govulncheck", "-json", "./..."];
   if (!isCommandAvailable("govulncheck")) {
     warn("[pkg-audit] govulncheck not found, skipping Go audit");
@@ -53322,7 +53384,7 @@ async function runGoAudit() {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53433,7 +53495,7 @@ async function runGoAudit() {
     };
   }
 }
-async function runDotnetAudit() {
+async function runDotnetAudit(directory) {
   const command = [
     "dotnet",
     "list",
@@ -53458,7 +53520,7 @@ async function runDotnetAudit() {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53557,7 +53619,7 @@ function mapDotnetSeverity(severity) {
       return "info";
   }
 }
-async function runBundleAudit() {
+async function runBundleAudit(directory) {
   const useBundleExec = !isCommandAvailable("bundle-audit") && isCommandAvailable("bundle");
   if (!isCommandAvailable("bundle-audit") && !isCommandAvailable("bundle")) {
     warn("[pkg-audit] bundle-audit not found, skipping Ruby audit");
@@ -53577,7 +53639,7 @@ async function runBundleAudit() {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53704,7 +53766,7 @@ function mapBundleSeverity(adv) {
     return "moderate";
   return "low";
 }
-async function runDartAudit() {
+async function runDartAudit(directory) {
   const dartBin = isCommandAvailable("dart") ? "dart" : isCommandAvailable("flutter") ? "flutter" : null;
   if (!dartBin) {
     warn("[pkg-audit] dart/flutter not found, skipping Dart audit");
@@ -53724,7 +53786,7 @@ async function runDartAudit() {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
       stderr: "pipe",
-      cwd: process.cwd()
+      cwd: directory
     });
     const timeoutPromise = new Promise((resolve12) => setTimeout(() => resolve12("timeout"), AUDIT_TIMEOUT_MS));
     const result = await Promise.race([
@@ -53823,8 +53885,8 @@ async function runDartAudit() {
     };
   }
 }
-async function runAutoAudit() {
-  const ecosystems = detectEcosystems();
+async function runAutoAudit(directory) {
+  const ecosystems = detectEcosystems(directory);
   if (ecosystems.length === 0) {
     return {
       ecosystems: [],
@@ -53839,25 +53901,25 @@ async function runAutoAudit() {
   for (const eco of ecosystems) {
     switch (eco) {
       case "npm":
-        results.push(await runNpmAudit());
+        results.push(await runNpmAudit(directory));
         break;
       case "pip":
-        results.push(await runPipAudit());
+        results.push(await runPipAudit(directory));
         break;
       case "cargo":
-        results.push(await runCargoAudit());
+        results.push(await runCargoAudit(directory));
         break;
       case "go":
-        results.push(await runGoAudit());
+        results.push(await runGoAudit(directory));
         break;
       case "dotnet":
-        results.push(await runDotnetAudit());
+        results.push(await runDotnetAudit(directory));
         break;
       case "ruby":
-        results.push(await runBundleAudit());
+        results.push(await runBundleAudit(directory));
         break;
       case "dart":
-        results.push(await runDartAudit());
+        results.push(await runDartAudit(directory));
         break;
     }
   }
@@ -53883,40 +53945,46 @@ var pkg_audit = createSwarmTool({
   args: {
     ecosystem: tool.schema.enum(["auto", "npm", "pip", "cargo", "go", "dotnet", "ruby", "dart"]).default("auto").describe('Package ecosystem to audit: "auto" (detect from project files), "npm", "pip", "cargo", "go" (govulncheck), "dotnet" (dotnet list package), "ruby" (bundle-audit), or "dart" (dart pub outdated)')
   },
-  async execute(args2, _directory) {
+  async execute(args2, directory) {
     if (!validateArgs3(args2)) {
       const errorResult = {
         error: 'Invalid arguments: ecosystem must be "auto", "npm", "pip", "cargo", "go", "dotnet", "ruby", or "dart"'
       };
       return JSON.stringify(errorResult, null, 2);
     }
+    if (!directory || typeof directory !== "string" || directory.trim() === "") {
+      const errorResult = {
+        error: "project directory is required but was not provided"
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
     const obj = args2;
     const ecosystem = obj.ecosystem || "auto";
     let result;
     switch (ecosystem) {
       case "auto":
-        result = await runAutoAudit();
+        result = await runAutoAudit(directory);
         break;
       case "npm":
-        result = await runNpmAudit();
+        result = await runNpmAudit(directory);
         break;
       case "pip":
-        result = await runPipAudit();
+        result = await runPipAudit(directory);
         break;
       case "cargo":
-        result = await runCargoAudit();
+        result = await runCargoAudit(directory);
         break;
       case "go":
-        result = await runGoAudit();
+        result = await runGoAudit(directory);
         break;
       case "dotnet":
-        result = await runDotnetAudit();
+        result = await runDotnetAudit(directory);
         break;
       case "ruby":
-        result = await runBundleAudit();
+        result = await runBundleAudit(directory);
         break;
       case "dart":
-        result = await runDartAudit();
+        result = await runDartAudit(directory);
         break;
     }
     return JSON.stringify(result, null, 2);
@@ -56088,7 +56156,7 @@ async function runLintWrapped(files, directory, _config) {
         duration_ms: Number(process.hrtime.bigint() - start2) / 1e6
       };
     }
-    const result = await runWithTimeout(runLint(linter, "check"), TOOL_TIMEOUT_MS);
+    const result = await runWithTimeout(runLint(linter, "check", directory), TOOL_TIMEOUT_MS);
     return {
       ran: true,
       result,
@@ -56104,7 +56172,7 @@ async function runLintWrapped(files, directory, _config) {
 }
 async function runLintOnFiles(linter, files, workspaceDir) {
   const isWindows = process.platform === "win32";
-  const binDir = path37.join(process.cwd(), "node_modules", ".bin");
+  const binDir = path37.join(workspaceDir, "node_modules", ".bin");
   const validatedFiles = [];
   for (const file3 of files) {
     if (typeof file3 !== "string") {
@@ -56137,7 +56205,8 @@ async function runLintOnFiles(linter, files, workspaceDir) {
   try {
     const proc = Bun.spawn(command, {
       stdout: "pipe",
-      stderr: "pipe"
+      stderr: "pipe",
+      cwd: workspaceDir
     });
     const [stdout, stderr] = await Promise.all([
       new Response(proc.stdout).text(),
@@ -56528,7 +56597,7 @@ var pre_check_batch = createSwarmTool({
     directory: tool.schema.string().describe('Directory to run checks in (e.g., "." or "./src")'),
     sast_threshold: tool.schema.enum(["low", "medium", "high", "critical"]).optional().describe("Minimum severity for SAST findings to cause failure (default: medium)")
   },
-  async execute(args2, _directory) {
+  async execute(args2, directory) {
     if (!args2 || typeof args2 !== "object") {
       const errorResult = {
         gates_passed: false,
@@ -56544,6 +56613,33 @@ var pre_check_batch = createSwarmTool({
       };
       return JSON.stringify(errorResult, null, 2);
     }
+    if (!directory || typeof directory !== "string" || directory.trim() === "") {
+      const errorResult = {
+        gates_passed: false,
+        lint: {
+          ran: false,
+          error: "project directory is required but was not provided",
+          duration_ms: 0
+        },
+        secretscan: {
+          ran: false,
+          error: "project directory is required but was not provided",
+          duration_ms: 0
+        },
+        sast_scan: {
+          ran: false,
+          error: "project directory is required but was not provided",
+          duration_ms: 0
+        },
+        quality_budget: {
+          ran: false,
+          error: "project directory is required but was not provided",
+          duration_ms: 0
+        },
+        total_duration_ms: 0
+      };
+      return JSON.stringify(errorResult, null, 2);
+    }
     const typedArgs = args2;
     if (!typedArgs.directory) {
       const errorResult = {

package/dist/tools/lint.d.ts

@@ -29,7 +29,7 @@ export declare function containsControlChars(str: string): boolean;
 export declare function validateArgs(args: unknown): args is {
     mode: 'fix' | 'check';
 };
-export declare function getLinterCommand(linter: SupportedLinter, mode: 'fix' | 'check'): string[];
+export declare function getLinterCommand(linter: SupportedLinter, mode: 'fix' | 'check', projectDir: string): string[];
 /**
  * Build the shell command for an additional (non-JS/TS) linter.
  * cppcheck has no --fix mode; csharp and some others behave differently.
@@ -41,7 +41,7 @@ export declare function getAdditionalLinterCommand(linter: AdditionalLinter, mod
  */
 export declare function detectAdditionalLinter(cwd: string): 'ruff' | 'clippy' | 'golangci-lint' | 'checkstyle' | 'ktlint' | 'dotnet-format' | 'cppcheck' | 'swiftlint' | 'dart-analyze' | 'rubocop' | null;
 export declare function detectAvailableLinter(): Promise<SupportedLinter | null>;
-export declare function runLint(linter: SupportedLinter, mode: 'fix' | 'check'): Promise<LintResult>;
+export declare function runLint(linter: SupportedLinter, mode: 'fix' | 'check', directory: string): Promise<LintResult>;
 /**
  * Run an additional (non-JS/TS) linter.
  * Follows the same structure as runLint() but uses getAdditionalLinterCommand().

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.20.0",
+	"version": "6.20.2",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",