opencode-swarm 6.22.21 → 6.23.1

package/dist/cli/index.js

@@ -33333,8 +33333,9 @@ function isHighEntropyString(str) {
 function containsPathTraversal(str) {
   if (/\.\.[/\\]/.test(str))
     return true;
-  const normalized = path12.normalize(str);
-  if (/\.\.[/\\]/.test(normalized))
+  if (/[/\\]\.\.$/.test(str) || str === "..")
+    return true;
+  if (/\.\.[/\\]/.test(path12.normalize(str.replace(/\*/g, "x"))))
     return true;
   if (str.includes("%2e%2e") || str.includes("%2E%2E"))
     return true;
@@ -33342,6 +33343,58 @@ function containsPathTraversal(str) {
     return true;
   return false;
 }
+function validateExcludePattern(exc) {
+  if (exc.length === 0)
+    return null;
+  if (exc.length > MAX_FILE_PATH_LENGTH) {
+    return `invalid exclude path: exceeds maximum length of ${MAX_FILE_PATH_LENGTH}`;
+  }
+  if (containsControlChars(exc)) {
+    return "invalid exclude path: contains path traversal or control characters";
+  }
+  if (containsPathTraversal(exc)) {
+    return "invalid exclude path: contains path traversal or control characters";
+  }
+  if (exc.startsWith("!")) {
+    return "invalid exclude path: negation patterns are not supported";
+  }
+  if (exc.startsWith("/") || exc.startsWith("\\")) {
+    return "invalid exclude path: absolute paths are not supported";
+  }
+  return null;
+}
+function isGlobOrPathPattern(pattern) {
+  return pattern.includes("/") || pattern.includes("\\") || /[*?[\]{}]/.test(pattern);
+}
+function loadSecretScanIgnore(scanDir) {
+  const ignorePath = path12.join(scanDir, ".secretscanignore");
+  try {
+    if (!fs4.existsSync(ignorePath))
+      return [];
+    const content = fs4.readFileSync(ignorePath, "utf8");
+    const patterns = [];
+    for (const rawLine of content.split(/\r?\n/)) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith("#"))
+        continue;
+      if (validateExcludePattern(line) === null) {
+        patterns.push(line);
+      }
+    }
+    return patterns;
+  } catch {
+    return [];
+  }
+}
+function isExcluded(entry, relPath, exactNames, globPatterns) {
+  if (exactNames.has(entry))
+    return true;
+  for (const pattern of globPatterns) {
+    if (path12.matchesGlob(relPath, pattern))
+      return true;
+  }
+  return false;
+}
 function containsControlChars(str) {
   return /[\0\r]/.test(str);
 }
@@ -33502,7 +33555,7 @@ function isPathWithinScope(realPath, scanDir) {
   const resolvedRealPath = path12.resolve(realPath);
   return resolvedRealPath === resolvedScanDir || resolvedRealPath.startsWith(resolvedScanDir + path12.sep) || resolvedRealPath.startsWith(`${resolvedScanDir}/`) || resolvedRealPath.startsWith(`${resolvedScanDir}\\`);
 }
-function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
+function findScannableFiles(dir, excludeExact, excludeGlobs, scanDir, visited, stats = {
   skippedDirs: 0,
   skippedFiles: 0,
   fileErrors: 0,
@@ -33526,11 +33579,12 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
     return a.localeCompare(b);
   });
   for (const entry of entries) {
-    if (excludeDirs.has(entry)) {
+    const fullPath = path12.join(dir, entry);
+    const relPath = path12.relative(scanDir, fullPath).replace(/\\/g, "/");
+    if (isExcluded(entry, relPath, excludeExact, excludeGlobs)) {
       stats.skippedDirs++;
       continue;
     }
-    const fullPath = path12.join(dir, entry);
     let lstat;
     try {
       lstat = fs4.lstatSync(fullPath);
@@ -33558,7 +33612,7 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
         stats.symlinkSkipped++;
         continue;
       }
-      const subFiles = findScannableFiles(fullPath, excludeDirs, scanDir, visited, stats);
+      const subFiles = findScannableFiles(fullPath, excludeExact, excludeGlobs, scanDir, visited, stats);
       files.push(...subFiles);
     } else if (lstat.isFile()) {
       const ext = path12.extname(fullPath).toLowerCase();
@@ -33572,10 +33626,10 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
   return files;
 }
 var secretscan = tool({
-  description: "Scan directory for potential secrets (API keys, tokens, passwords) using regex patterns and entropy heuristics. Returns metadata-only findings with redacted previews - NEVER returns raw secrets. Excludes common directories (node_modules, .git, dist, etc.) by default.",
+  description: "Scan directory for potential secrets (API keys, tokens, passwords) using regex patterns and entropy heuristics. Returns metadata-only findings with redacted previews - NEVER returns raw secrets. Excludes common directories (node_modules, .git, dist, etc.) by default. Supports glob patterns (e.g. **/.svelte-kit/**, **/*.test.ts) and reads .secretscanignore at the scan root.",
   args: {
     directory: tool.schema.string().describe('Directory to scan for secrets (e.g., "." or "./src")'),
-    exclude: tool.schema.array(tool.schema.string()).optional().describe("Additional directories to exclude (added to default exclusions like node_modules, .git, dist)")
+    exclude: tool.schema.array(tool.schema.string()).optional().describe("Patterns to exclude: plain directory names (e.g. node_modules), relative paths, or globs (e.g. **/.svelte-kit/**, **/*.test.ts). Added to default exclusions.")
   },
   async execute(args, _context) {
     let directory;
@@ -33611,20 +33665,10 @@ var secretscan = tool({
     }
     if (exclude) {
       for (const exc of exclude) {
-        if (exc.length > MAX_FILE_PATH_LENGTH) {
-          const errorResult = {
-            error: `invalid exclude path: exceeds maximum length of ${MAX_FILE_PATH_LENGTH}`,
-            scan_dir: directory,
-            findings: [],
-            count: 0,
-            files_scanned: 0,
-            skipped_files: 0
-          };
-          return JSON.stringify(errorResult, null, 2);
-        }
-        if (containsPathTraversal(exc) || containsControlChars(exc)) {
+        const err = validateExcludePattern(exc);
+        if (err) {
           const errorResult = {
-            error: `invalid exclude path: contains path traversal or control characters`,
+            error: err,
             scan_dir: directory,
             findings: [],
             count: 0,
@@ -33660,10 +33704,20 @@ var secretscan = tool({
         };
         return JSON.stringify(errorResult, null, 2);
       }
-      const excludeDirs = new Set(DEFAULT_EXCLUDE_DIRS);
-      if (exclude) {
-        for (const exc of exclude) {
-          excludeDirs.add(exc);
+      const excludeExact = new Set(DEFAULT_EXCLUDE_DIRS);
+      const excludeGlobs = [];
+      const ignoreFilePatterns = loadSecretScanIgnore(scanDir);
+      const allUserPatterns = [
+        ...exclude ?? [],
+        ...ignoreFilePatterns
+      ];
+      for (const exc of allUserPatterns) {
+        if (exc.length === 0)
+          continue;
+        if (isGlobOrPathPattern(exc)) {
+          excludeGlobs.push(exc);
+        } else {
+          excludeExact.add(exc);
         }
       }
       const stats = {
@@ -33673,7 +33727,7 @@ var secretscan = tool({
         symlinkSkipped: 0
       };
       const visited = new Set;
-      const files = findScannableFiles(scanDir, excludeDirs, scanDir, visited, stats);
+      const files = findScannableFiles(scanDir, excludeExact, excludeGlobs, scanDir, visited, stats);
       files.sort((a, b) => {
         const aLower = a.toLowerCase();
         const bLower = b.toLowerCase();

package/dist/index.js

@@ -33574,8 +33574,9 @@ function isHighEntropyString(str) {
 function containsPathTraversal(str) {
   if (/\.\.[/\\]/.test(str))
     return true;
-  const normalized = path21.normalize(str);
-  if (/\.\.[/\\]/.test(normalized))
+  if (/[/\\]\.\.$/.test(str) || str === "..")
+    return true;
+  if (/\.\.[/\\]/.test(path21.normalize(str.replace(/\*/g, "x"))))
     return true;
   if (str.includes("%2e%2e") || str.includes("%2E%2E"))
     return true;
@@ -33583,6 +33584,58 @@ function containsPathTraversal(str) {
     return true;
   return false;
 }
+function validateExcludePattern(exc) {
+  if (exc.length === 0)
+    return null;
+  if (exc.length > MAX_FILE_PATH_LENGTH) {
+    return `invalid exclude path: exceeds maximum length of ${MAX_FILE_PATH_LENGTH}`;
+  }
+  if (containsControlChars(exc)) {
+    return "invalid exclude path: contains path traversal or control characters";
+  }
+  if (containsPathTraversal(exc)) {
+    return "invalid exclude path: contains path traversal or control characters";
+  }
+  if (exc.startsWith("!")) {
+    return "invalid exclude path: negation patterns are not supported";
+  }
+  if (exc.startsWith("/") || exc.startsWith("\\")) {
+    return "invalid exclude path: absolute paths are not supported";
+  }
+  return null;
+}
+function isGlobOrPathPattern(pattern) {
+  return pattern.includes("/") || pattern.includes("\\") || /[*?[\]{}]/.test(pattern);
+}
+function loadSecretScanIgnore(scanDir) {
+  const ignorePath = path21.join(scanDir, ".secretscanignore");
+  try {
+    if (!fs9.existsSync(ignorePath))
+      return [];
+    const content = fs9.readFileSync(ignorePath, "utf8");
+    const patterns = [];
+    for (const rawLine of content.split(/\r?\n/)) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith("#"))
+        continue;
+      if (validateExcludePattern(line) === null) {
+        patterns.push(line);
+      }
+    }
+    return patterns;
+  } catch {
+    return [];
+  }
+}
+function isExcluded(entry, relPath, exactNames, globPatterns) {
+  if (exactNames.has(entry))
+    return true;
+  for (const pattern of globPatterns) {
+    if (path21.matchesGlob(relPath, pattern))
+      return true;
+  }
+  return false;
+}
 function containsControlChars(str) {
   return /[\0\r]/.test(str);
 }
@@ -33742,7 +33795,7 @@ function isPathWithinScope(realPath, scanDir) {
   const resolvedRealPath = path21.resolve(realPath);
   return resolvedRealPath === resolvedScanDir || resolvedRealPath.startsWith(resolvedScanDir + path21.sep) || resolvedRealPath.startsWith(`${resolvedScanDir}/`) || resolvedRealPath.startsWith(`${resolvedScanDir}\\`);
 }
-function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
+function findScannableFiles(dir, excludeExact, excludeGlobs, scanDir, visited, stats = {
   skippedDirs: 0,
   skippedFiles: 0,
   fileErrors: 0,
@@ -33766,11 +33819,12 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
     return a.localeCompare(b);
   });
   for (const entry of entries) {
-    if (excludeDirs.has(entry)) {
+    const fullPath = path21.join(dir, entry);
+    const relPath = path21.relative(scanDir, fullPath).replace(/\\/g, "/");
+    if (isExcluded(entry, relPath, excludeExact, excludeGlobs)) {
       stats.skippedDirs++;
       continue;
     }
-    const fullPath = path21.join(dir, entry);
     let lstat;
     try {
       lstat = fs9.lstatSync(fullPath);
@@ -33798,7 +33852,7 @@ function findScannableFiles(dir, excludeDirs, scanDir, visited, stats = {
         stats.symlinkSkipped++;
         continue;
       }
-      const subFiles = findScannableFiles(fullPath, excludeDirs, scanDir, visited, stats);
+      const subFiles = findScannableFiles(fullPath, excludeExact, excludeGlobs, scanDir, visited, stats);
       files.push(...subFiles);
     } else if (lstat.isFile()) {
       const ext = path21.extname(fullPath).toLowerCase();
@@ -34003,10 +34057,10 @@ var init_secretscan = __esm(() => {
   ];
   O_NOFOLLOW = process.platform !== "win32" ? fs9.constants.O_NOFOLLOW : undefined;
   secretscan = tool({
-    description: "Scan directory for potential secrets (API keys, tokens, passwords) using regex patterns and entropy heuristics. Returns metadata-only findings with redacted previews - NEVER returns raw secrets. Excludes common directories (node_modules, .git, dist, etc.) by default.",
+    description: "Scan directory for potential secrets (API keys, tokens, passwords) using regex patterns and entropy heuristics. Returns metadata-only findings with redacted previews - NEVER returns raw secrets. Excludes common directories (node_modules, .git, dist, etc.) by default. Supports glob patterns (e.g. **/.svelte-kit/**, **/*.test.ts) and reads .secretscanignore at the scan root.",
     args: {
       directory: tool.schema.string().describe('Directory to scan for secrets (e.g., "." or "./src")'),
-      exclude: tool.schema.array(tool.schema.string()).optional().describe("Additional directories to exclude (added to default exclusions like node_modules, .git, dist)")
+      exclude: tool.schema.array(tool.schema.string()).optional().describe("Patterns to exclude: plain directory names (e.g. node_modules), relative paths, or globs (e.g. **/.svelte-kit/**, **/*.test.ts). Added to default exclusions.")
     },
     async execute(args2, _context) {
       let directory;
@@ -34042,20 +34096,10 @@ var init_secretscan = __esm(() => {
       }
       if (exclude) {
         for (const exc of exclude) {
-          if (exc.length > MAX_FILE_PATH_LENGTH) {
-            const errorResult = {
-              error: `invalid exclude path: exceeds maximum length of ${MAX_FILE_PATH_LENGTH}`,
-              scan_dir: directory,
-              findings: [],
-              count: 0,
-              files_scanned: 0,
-              skipped_files: 0
-            };
-            return JSON.stringify(errorResult, null, 2);
-          }
-          if (containsPathTraversal(exc) || containsControlChars(exc)) {
+          const err2 = validateExcludePattern(exc);
+          if (err2) {
             const errorResult = {
-              error: `invalid exclude path: contains path traversal or control characters`,
+              error: err2,
               scan_dir: directory,
               findings: [],
               count: 0,
@@ -34091,10 +34135,20 @@ var init_secretscan = __esm(() => {
           };
           return JSON.stringify(errorResult, null, 2);
         }
-        const excludeDirs = new Set(DEFAULT_EXCLUDE_DIRS);
-        if (exclude) {
-          for (const exc of exclude) {
-            excludeDirs.add(exc);
+        const excludeExact = new Set(DEFAULT_EXCLUDE_DIRS);
+        const excludeGlobs = [];
+        const ignoreFilePatterns = loadSecretScanIgnore(scanDir);
+        const allUserPatterns = [
+          ...exclude ?? [],
+          ...ignoreFilePatterns
+        ];
+        for (const exc of allUserPatterns) {
+          if (exc.length === 0)
+            continue;
+          if (isGlobOrPathPattern(exc)) {
+            excludeGlobs.push(exc);
+          } else {
+            excludeExact.add(exc);
           }
         }
         const stats = {
@@ -34104,7 +34158,7 @@ var init_secretscan = __esm(() => {
           symlinkSkipped: 0
         };
         const visited = new Set;
-        const files = findScannableFiles(scanDir, excludeDirs, scanDir, visited, stats);
+        const files = findScannableFiles(scanDir, excludeExact, excludeGlobs, scanDir, visited, stats);
         files.sort((a, b) => {
           const aLower = a.toLowerCase();
           const bLower = b.toLowerCase();
@@ -47948,8 +48002,8 @@ function isOutsideSwarmDir(filePath, directory) {
     return false;
   const swarmDir = path26.resolve(directory, ".swarm");
   const resolved = path26.resolve(directory, filePath);
-  const relative3 = path26.relative(swarmDir, resolved);
-  return relative3.startsWith("..") || path26.isAbsolute(relative3);
+  const relative4 = path26.relative(swarmDir, resolved);
+  return relative4.startsWith("..") || path26.isAbsolute(relative4);
 }
 function isSourceCodePath(filePath) {
   if (!filePath)
@@ -48734,10 +48788,8 @@ function createDelegationGateHook(config3) {
               break;
             }
           }
-          if (lastCoderIndex === -1) {
-            return;
-          }
-          const afterCoder = delegationChain.slice(lastCoderIndex);
+          const searchStart = lastCoderIndex === -1 ? 0 : lastCoderIndex;
+          const afterCoder = delegationChain.slice(searchStart);
           for (const delegation of afterCoder) {
             const target = stripKnownSwarmPrefix(delegation.to);
             if (target === "reviewer")
@@ -48745,7 +48797,7 @@ function createDelegationGateHook(config3) {
             if (target === "test_engineer")
               hasTestEngineer = true;
           }
-          if (hasReviewer && hasTestEngineer) {
+          if (lastCoderIndex !== -1 && hasReviewer && hasTestEngineer) {
             session.qaSkipCount = 0;
             session.qaSkipTaskIds = [];
           }
@@ -58085,13 +58137,13 @@ function validatePath(inputPath, baseDir, workspaceDir) {
     resolved = path41.resolve(baseDir, inputPath);
   }
   const workspaceResolved = path41.resolve(workspaceDir);
-  let relative4;
+  let relative5;
   if (isWinAbs) {
-    relative4 = path41.win32.relative(workspaceResolved, resolved);
+    relative5 = path41.win32.relative(workspaceResolved, resolved);
   } else {
-    relative4 = path41.relative(workspaceResolved, resolved);
+    relative5 = path41.relative(workspaceResolved, resolved);
   }
-  if (relative4.startsWith("..")) {
+  if (relative5.startsWith("..")) {
     return "path traversal detected";
   }
   return null;
@@ -60900,6 +60952,7 @@ var todo_extract = createSwarmTool({
 });
 // src/tools/update-task-status.ts
 init_tool();
+init_schema();
 init_manager2();
 import * as fs35 from "fs";
 import * as path47 from "path";
@@ -60949,10 +61002,6 @@ function checkReviewerGate(taskId, workingDirectory) {
       const state = getTaskState(session, taskId);
       stateEntries.push(`${sessionId}: ${state}`);
     }
-    const allIdle = stateEntries.length > 0 && stateEntries.every((e) => e.endsWith(": idle"));
-    if (allIdle) {
-      return { blocked: false, reason: "" };
-    }
     try {
       const resolvedDir = workingDirectory ?? process.cwd();
       const planPath = path47.join(resolvedDir, ".swarm", "plan.json");
@@ -60975,6 +61024,49 @@ function checkReviewerGate(taskId, workingDirectory) {
     return { blocked: false, reason: "" };
   }
 }
+function recoverTaskStateFromDelegations(taskId) {
+  let hasReviewer = false;
+  let hasTestEngineer = false;
+  for (const [, chain] of swarmState.delegationChains) {
+    for (const delegation of chain) {
+      const target = stripKnownSwarmPrefix(delegation.to);
+      if (target === "reviewer")
+        hasReviewer = true;
+      if (target === "test_engineer")
+        hasTestEngineer = true;
+    }
+  }
+  if (!hasReviewer && !hasTestEngineer)
+    return;
+  for (const [, session] of swarmState.agentSessions) {
+    if (!(session.taskWorkflowStates instanceof Map))
+      continue;
+    const currentState = getTaskState(session, taskId);
+    if (currentState === "tests_run" || currentState === "complete")
+      continue;
+    if (hasReviewer && currentState === "idle") {
+      try {
+        advanceTaskState(session, taskId, "coder_delegated");
+      } catch {}
+    }
+    if (hasReviewer) {
+      const stateNow = getTaskState(session, taskId);
+      if (stateNow === "coder_delegated" || stateNow === "pre_check_passed") {
+        try {
+          advanceTaskState(session, taskId, "reviewer_run");
+        } catch {}
+      }
+    }
+    if (hasTestEngineer) {
+      const stateNow = getTaskState(session, taskId);
+      if (stateNow === "reviewer_run") {
+        try {
+          advanceTaskState(session, taskId, "tests_run");
+        } catch {}
+      }
+    }
+  }
+}
 async function executeUpdateTaskStatus(args2, fallbackDir) {
   const statusError = validateStatus(args2.status);
   if (statusError) {
@@ -61058,6 +61150,7 @@ async function executeUpdateTaskStatus(args2, fallbackDir) {
     directory = fallbackDir ?? process.cwd();
   }
   if (args2.status === "completed") {
+    recoverTaskStateFromDelegations(args2.task_id);
     const reviewerCheck = checkReviewerGate(args2.task_id, directory);
     if (reviewerCheck.blocked) {
       return {

package/dist/tools/update-task-status.d.ts

@@ -50,6 +50,17 @@ export interface ReviewerGateResult {
  * @returns ReviewerGateResult indicating whether the gate is blocked
  */
 export declare function checkReviewerGate(taskId: string, workingDirectory?: string): ReviewerGateResult;
+/**
+ * Recovery mechanism: reconcile task state with delegation history.
+ * When reviewer/test_engineer delegations occurred but the state machine
+ * was not advanced (e.g., toolAfter didn't fire, subagent_type missing,
+ * cross-session gaps, or pure verification tasks without coder delegation),
+ * this function walks all delegation chains and advances the task state
+ * so that checkReviewerGate can make an accurate decision.
+ *
+ * @param taskId - The task ID to recover state for
+ */
+export declare function recoverTaskStateFromDelegations(taskId: string): void;
 /**
  * Execute the update_task_status tool.
  * Validates the task_id and status, then updates the task status in the plan.

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.22.21",
+	"version": "6.23.1",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",