opencode-swarm 6.22.17 → 6.22.18

package/dist/cli/index.js

@@ -14200,6 +14200,15 @@ var init_logger = __esm(() => {
   DEBUG = process.env.OPENCODE_SWARM_DEBUG === "1";
 });
 
+// src/utils/regex.ts
+function escapeRegex2(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function simpleGlobToRegex(pattern, flags = "i") {
+  const escaped = pattern.split("*").map((starSegment) => starSegment.split("?").map(escapeRegex2).join(".")).join(".*");
+  return new RegExp(`^${escaped}$`, flags);
+}
+
 // src/utils/index.ts
 var init_utils = __esm(() => {
   init_errors3();
@@ -18522,7 +18531,7 @@ __export(exports_util2, {
   floatSafeRemainder: () => floatSafeRemainder2,
   finalizeIssue: () => finalizeIssue2,
   extend: () => extend2,
-  escapeRegex: () => escapeRegex2,
+  escapeRegex: () => escapeRegex3,
   esc: () => esc2,
   defineLazy: () => defineLazy2,
   createTransparentProxy: () => createTransparentProxy2,
@@ -18769,7 +18778,7 @@ var getParsedType2 = (data) => {
 };
 var propertyKeyTypes2 = new Set(["string", "number", "symbol"]);
 var primitiveTypes2 = new Set(["string", "number", "bigint", "boolean", "symbol", "undefined"]);
-function escapeRegex2(str) {
+function escapeRegex3(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function clone2(inst, def, params) {
@@ -19922,7 +19931,7 @@ var $ZodCheckUpperCase2 = /* @__PURE__ */ $constructor2("$ZodCheckUpperCase", (i
 });
 var $ZodCheckIncludes2 = /* @__PURE__ */ $constructor2("$ZodCheckIncludes", (inst, def) => {
   $ZodCheck2.init(inst, def);
-  const escapedRegex = escapeRegex2(def.includes);
+  const escapedRegex = escapeRegex3(def.includes);
   const pattern = new RegExp(typeof def.position === "number" ? `^.{${def.position}}${escapedRegex}` : escapedRegex);
   def.pattern = pattern;
   inst._zod.onattach.push((inst2) => {
@@ -19946,7 +19955,7 @@ var $ZodCheckIncludes2 = /* @__PURE__ */ $constructor2("$ZodCheckIncludes", (ins
 });
 var $ZodCheckStartsWith2 = /* @__PURE__ */ $constructor2("$ZodCheckStartsWith", (inst, def) => {
   $ZodCheck2.init(inst, def);
-  const pattern = new RegExp(`^${escapeRegex2(def.prefix)}.*`);
+  const pattern = new RegExp(`^${escapeRegex3(def.prefix)}.*`);
   def.pattern ?? (def.pattern = pattern);
   inst._zod.onattach.push((inst2) => {
     const bag = inst2._zod.bag;
@@ -19969,7 +19978,7 @@ var $ZodCheckStartsWith2 = /* @__PURE__ */ $constructor2("$ZodCheckStartsWith",
 });
 var $ZodCheckEndsWith2 = /* @__PURE__ */ $constructor2("$ZodCheckEndsWith", (inst, def) => {
   $ZodCheck2.init(inst, def);
-  const pattern = new RegExp(`.*${escapeRegex2(def.suffix)}$`);
+  const pattern = new RegExp(`.*${escapeRegex3(def.suffix)}$`);
   def.pattern ?? (def.pattern = pattern);
   inst._zod.onattach.push((inst2) => {
     const bag = inst2._zod.bag;
@@ -21378,7 +21387,7 @@ var $ZodEnum2 = /* @__PURE__ */ $constructor2("$ZodEnum", (inst, def) => {
   const values = getEnumValues2(def.entries);
   const valuesSet = new Set(values);
   inst._zod.values = valuesSet;
-  inst._zod.pattern = new RegExp(`^(${values.filter((k) => propertyKeyTypes2.has(typeof k)).map((o) => typeof o === "string" ? escapeRegex2(o) : o.toString()).join("|")})$`);
+  inst._zod.pattern = new RegExp(`^(${values.filter((k) => propertyKeyTypes2.has(typeof k)).map((o) => typeof o === "string" ? escapeRegex3(o) : o.toString()).join("|")})$`);
   inst._zod.parse = (payload, _ctx) => {
     const input = payload.value;
     if (valuesSet.has(input)) {
@@ -21399,7 +21408,7 @@ var $ZodLiteral2 = /* @__PURE__ */ $constructor2("$ZodLiteral", (inst, def) => {
     throw new Error("Cannot create literal schema with no valid values");
   }
   inst._zod.values = new Set(def.values);
-  inst._zod.pattern = new RegExp(`^(${def.values.map((o) => typeof o === "string" ? escapeRegex2(o) : o ? escapeRegex2(o.toString()) : String(o)).join("|")})$`);
+  inst._zod.pattern = new RegExp(`^(${def.values.map((o) => typeof o === "string" ? escapeRegex3(o) : o ? escapeRegex3(o.toString()) : String(o)).join("|")})$`);
   inst._zod.parse = (payload, _ctx) => {
     const input = payload.value;
     if (inst._zod.values.has(input)) {
@@ -21747,7 +21756,7 @@ var $ZodTemplateLiteral2 = /* @__PURE__ */ $constructor2("$ZodTemplateLiteral",
       const end = source.endsWith("$") ? source.length - 1 : source.length;
       regexParts.push(source.slice(start, end));
     } else if (part === null || primitiveTypes2.has(typeof part)) {
-      regexParts.push(escapeRegex2(`${part}`));
+      regexParts.push(escapeRegex3(`${part}`));
     } else {
       throw new Error(`Invalid template literal part: ${part}`);
     }
@@ -32567,10 +32576,8 @@ function findBuildFiles(workingDir, patterns) {
       const dir = workingDir;
       try {
         const files = fs2.readdirSync(dir);
-        const matches = files.filter((f) => {
-          const regex = new RegExp(`^${pattern.replace(/\*/g, ".*")}$`);
-          return regex.test(f);
-        });
+        const regex = simpleGlobToRegex(pattern);
+        const matches = files.filter((f) => regex.test(f));
         if (matches.length > 0) {
           return path10.join(dir, matches[0]);
         }
@@ -32623,7 +32630,7 @@ function findAllBuildFiles(workingDir) {
   for (const ecosystem of ECOSYSTEMS) {
     for (const pattern of ecosystem.buildFiles) {
       if (pattern.includes("*")) {
-        const regex = new RegExp(`^${pattern.replace(/\*/g, ".*")}$`);
+        const regex = simpleGlobToRegex(pattern);
         findFilesRecursive(workingDir, regex, allBuildFiles);
       } else {
         const filePath = path10.join(workingDir, pattern);

package/dist/index.js

@@ -15186,6 +15186,15 @@ var init_logger = __esm(() => {
   DEBUG = process.env.OPENCODE_SWARM_DEBUG === "1";
 });
 
+// src/utils/regex.ts
+function escapeRegex2(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function simpleGlobToRegex(pattern, flags2 = "i") {
+  const escaped = pattern.split("*").map((starSegment) => starSegment.split("?").map(escapeRegex2).join(".")).join(".*");
+  return new RegExp(`^${escaped}$`, flags2);
+}
+
 // src/utils/index.ts
 var init_utils = __esm(() => {
   init_errors3();
@@ -18711,7 +18720,7 @@ __export(exports_util2, {
   floatSafeRemainder: () => floatSafeRemainder2,
   finalizeIssue: () => finalizeIssue2,
   extend: () => extend2,
-  escapeRegex: () => escapeRegex2,
+  escapeRegex: () => escapeRegex3,
   esc: () => esc2,
   defineLazy: () => defineLazy2,
   createTransparentProxy: () => createTransparentProxy2,
@@ -18898,7 +18907,7 @@ function numKeys2(data) {
   }
   return keyCount;
 }
-function escapeRegex2(str) {
+function escapeRegex3(str) {
   return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function clone2(inst, def, params) {
@@ -20121,7 +20130,7 @@ var init_checks3 = __esm(() => {
   });
   $ZodCheckIncludes2 = /* @__PURE__ */ $constructor2("$ZodCheckIncludes", (inst, def) => {
     $ZodCheck2.init(inst, def);
-    const escapedRegex = escapeRegex2(def.includes);
+    const escapedRegex = escapeRegex3(def.includes);
     const pattern = new RegExp(typeof def.position === "number" ? `^.{${def.position}}${escapedRegex}` : escapedRegex);
     def.pattern = pattern;
     inst._zod.onattach.push((inst2) => {
@@ -20145,7 +20154,7 @@ var init_checks3 = __esm(() => {
   });
   $ZodCheckStartsWith2 = /* @__PURE__ */ $constructor2("$ZodCheckStartsWith", (inst, def) => {
     $ZodCheck2.init(inst, def);
-    const pattern = new RegExp(`^${escapeRegex2(def.prefix)}.*`);
+    const pattern = new RegExp(`^${escapeRegex3(def.prefix)}.*`);
     def.pattern ?? (def.pattern = pattern);
     inst._zod.onattach.push((inst2) => {
       const bag = inst2._zod.bag;
@@ -20168,7 +20177,7 @@ var init_checks3 = __esm(() => {
   });
   $ZodCheckEndsWith2 = /* @__PURE__ */ $constructor2("$ZodCheckEndsWith", (inst, def) => {
     $ZodCheck2.init(inst, def);
-    const pattern = new RegExp(`.*${escapeRegex2(def.suffix)}$`);
+    const pattern = new RegExp(`.*${escapeRegex3(def.suffix)}$`);
     def.pattern ?? (def.pattern = pattern);
     inst._zod.onattach.push((inst2) => {
       const bag = inst2._zod.bag;
@@ -21660,7 +21669,7 @@ var init_schemas3 = __esm(() => {
     const values = getEnumValues2(def.entries);
     const valuesSet = new Set(values);
     inst._zod.values = valuesSet;
-    inst._zod.pattern = new RegExp(`^(${values.filter((k) => propertyKeyTypes2.has(typeof k)).map((o) => typeof o === "string" ? escapeRegex2(o) : o.toString()).join("|")})$`);
+    inst._zod.pattern = new RegExp(`^(${values.filter((k) => propertyKeyTypes2.has(typeof k)).map((o) => typeof o === "string" ? escapeRegex3(o) : o.toString()).join("|")})$`);
     inst._zod.parse = (payload, _ctx) => {
       const input = payload.value;
       if (valuesSet.has(input)) {
@@ -21681,7 +21690,7 @@ var init_schemas3 = __esm(() => {
       throw new Error("Cannot create literal schema with no valid values");
     }
     inst._zod.values = new Set(def.values);
-    inst._zod.pattern = new RegExp(`^(${def.values.map((o) => typeof o === "string" ? escapeRegex2(o) : o ? escapeRegex2(o.toString()) : String(o)).join("|")})$`);
+    inst._zod.pattern = new RegExp(`^(${def.values.map((o) => typeof o === "string" ? escapeRegex3(o) : o ? escapeRegex3(o.toString()) : String(o)).join("|")})$`);
     inst._zod.parse = (payload, _ctx) => {
       const input = payload.value;
       if (inst._zod.values.has(input)) {
@@ -21968,7 +21977,7 @@ var init_schemas3 = __esm(() => {
         const end = source.endsWith("$") ? source.length - 1 : source.length;
         regexParts.push(source.slice(start2, end));
       } else if (part === null || primitiveTypes2.has(typeof part)) {
-        regexParts.push(escapeRegex2(`${part}`));
+        regexParts.push(escapeRegex3(`${part}`));
       } else {
         throw new Error(`Invalid template literal part: ${part}`);
       }
@@ -32859,10 +32868,8 @@ function findBuildFiles(workingDir, patterns) {
       const dir = workingDir;
       try {
         const files = fs7.readdirSync(dir);
-        const matches = files.filter((f) => {
-          const regex = new RegExp(`^${pattern.replace(/\*/g, ".*")}$`);
-          return regex.test(f);
-        });
+        const regex = simpleGlobToRegex(pattern);
+        const matches = files.filter((f) => regex.test(f));
         if (matches.length > 0) {
           return path19.join(dir, matches[0]);
         }
@@ -32915,7 +32922,7 @@ function findAllBuildFiles(workingDir) {
   for (const ecosystem of ECOSYSTEMS) {
     for (const pattern of ecosystem.buildFiles) {
       if (pattern.includes("*")) {
-        const regex = new RegExp(`^${pattern.replace(/\*/g, ".*")}$`);
+        const regex = simpleGlobToRegex(pattern);
         findFilesRecursive(workingDir, regex, allBuildFiles);
       } else {
         const filePath = path19.join(workingDir, pattern);
@@ -54835,7 +54842,7 @@ async function executePhaseComplete(args2, workingDirectory) {
       const phaseObj = plan.phases.find((p) => p.id === phase);
       if (phaseObj) {
         phaseObj.status = "completed";
-        fs25.writeFileSync(planPath, JSON.stringify(plan, null, 2) + `
+        fs25.writeFileSync(planPath, `${JSON.stringify(plan, null, 2)}
 `, "utf-8");
       }
     } catch (error93) {
@@ -55966,6 +55973,7 @@ function getLanguageForExtension(extension) {
 }
 
 // src/tools/placeholder-scan.ts
+init_utils();
 var MAX_FILE_SIZE = 1024 * 1024;
 var SUPPORTED_PARSER_EXTENSIONS = new Set([
   ".js",
@@ -56524,7 +56532,7 @@ function matchesGlobSegment(path40, glob) {
   }
   return matchGlobSegment(globSegments, pathSegments);
 }
-function simpleGlobToRegex(glob) {
+function simpleGlobToRegex2(glob) {
   if (!glob) {
     return /.*/;
   }
@@ -56552,7 +56560,7 @@ function globMatches(path40, glob) {
   if (hasGlobstar(normalizedGlob)) {
     return matchesGlobSegment(normalizedPath, normalizedGlob);
   }
-  const regex = simpleGlobToRegex(normalizedGlob);
+  const regex = simpleGlobToRegex2(normalizedGlob);
   return regex.test(normalizedPath);
 }
 function shouldExcludeFile(filePath, excludeGlobs) {
@@ -58862,6 +58870,9 @@ init_manager();
 import * as fs31 from "fs";
 import * as path43 from "path";
 
+// src/sbom/detectors/index.ts
+init_utils();
+
 // src/sbom/detectors/dart.ts
 function parsePubspecLock(content) {
   const components = [];
@@ -59628,10 +59639,7 @@ var allDetectors = [
 ];
 function findDetectorsForFile(filePath) {
   const fileName = filePath.split(/[/\\]/).pop() || "";
-  return allDetectors.filter((detector) => detector.patterns.some((pattern) => {
-    const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
-    return new RegExp(regex, "i").test(fileName);
-  }));
+  return allDetectors.filter((detector) => detector.patterns.some((pattern) => simpleGlobToRegex(pattern).test(fileName)));
 }
 function detectComponents(filePath, content) {
   const detectors = findDetectorsForFile(filePath);
@@ -59698,6 +59706,7 @@ function serializeCycloneDX(bom) {
 }
 
 // src/tools/sbom-generate.ts
+init_utils();
 init_create_tool();
 var DEFAULT_OUTPUT_DIR = ".swarm/evidence/sbom";
 function findManifestFiles(rootDir) {
@@ -59715,8 +59724,7 @@ function findManifestFiles(rootDir) {
           searchDir(fullPath);
         } else if (entry.isFile()) {
           for (const pattern of patterns) {
-            const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
-            if (new RegExp(regex, "i").test(entry.name)) {
+            if (simpleGlobToRegex(pattern).test(entry.name)) {
               manifestFiles.push(path43.relative(rootDir, fullPath));
               break;
             }
@@ -59738,8 +59746,7 @@ function findManifestFilesInDirs(directories, workingDir) {
         const fullPath = path43.join(dir, entry.name);
         if (entry.isFile()) {
           for (const pattern of patterns) {
-            const regex = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
-            if (new RegExp(regex, "i").test(entry.name)) {
+            if (simpleGlobToRegex(pattern).test(entry.name)) {
               found.push(path43.relative(workingDir, fullPath));
               break;
             }
@@ -60593,6 +60600,7 @@ init_test_runner();
 
 // src/tools/todo-extract.ts
 init_dist();
+init_utils();
 init_create_tool();
 import * as fs34 from "fs";
 import * as path46 from "path";
@@ -60720,7 +60728,7 @@ function parseTodoComments(content, filePath, tagsSet) {
   const entries = [];
   const lines = content.split(`
 `);
-  const tagPattern = Array.from(tagsSet).join("|");
+  const tagPattern = Array.from(tagsSet).map(escapeRegex2).join("|");
   const regex = new RegExp(`\\b(${tagPattern})\\b[:\\s]?`, "i");
   for (let i2 = 0;i2 < lines.length; i2++) {
     const line = lines[i2];

package/dist/utils/index.d.ts

@@ -1,3 +1,4 @@
 export { CLIError, ConfigError, HookError, SwarmError, ToolError, } from './errors';
 export { error, log, warn } from './logger';
 export { deepMerge, MAX_MERGE_DEPTH } from './merge';
+export { escapeRegex, simpleGlobToRegex } from './regex';

package/dist/utils/regex.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Centralized regex safety utilities.
+ *
+ * Every call-site that builds a RegExp from runtime strings
+ * (user config, glob patterns, tool input) MUST go through one of
+ * these helpers to prevent ReDoS and broken matching.
+ */
+/**
+ * Escape all regex metacharacters in a string so it can be
+ * safely interpolated into a `new RegExp(...)` call.
+ *
+ * Covers the full set: . * + ? ^ $ { } ( ) | [ ] \
+ */
+export declare function escapeRegex(s: string): string;
+/**
+ * Convert a simple glob pattern (supports `*` and `?` wildcards)
+ * into an anchored, case-insensitive RegExp.
+ *
+ * All other regex metacharacters in the pattern are escaped first,
+ * so filenames containing `.`, `(`, `[`, etc. match literally.
+ *
+ * Semantics:
+ *   `*`  → `.*`   (zero or more of any character)
+ *   `?`  → `.`    (exactly one character)
+ *
+ * This is intentionally simple — it does NOT handle `**` / globstar.
+ * For globstar support see `quality/metrics.ts` which has its own
+ * path-aware implementation.
+ */
+export declare function simpleGlobToRegex(pattern: string, flags?: string): RegExp;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.22.17",
+	"version": "6.22.18",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",