opencode-swarm 6.32.1 → 6.32.3

package/dist/cli/index.js

@@ -31619,8 +31619,11 @@ async function rewriteKnowledge(filePath, entries) {
 ` : "");
     await writeFile(filePath, content, "utf-8");
   } finally {
-    if (release)
-      await release();
+    if (release) {
+      try {
+        await release();
+      } catch {}
+    }
   }
 }
 function normalize2(text) {
@@ -33624,6 +33627,7 @@ async function handleExportCommand(directory, _args) {
 }
 // src/commands/handoff.ts
 init_utils2();
+import crypto3 from "crypto";
 import { renameSync as renameSync5 } from "fs";
 
 // src/services/handoff-service.ts
@@ -34019,7 +34023,7 @@ async function handleHandoffCommand(directory, _args) {
   const handoffData = await getHandoffData(directory);
   const markdown = formatHandoffMarkdown(handoffData);
   const resolvedPath = validateSwarmPath(directory, "handoff.md");
-  const tempPath = `${resolvedPath}.tmp.${Date.now()}.${Math.random().toString(36).slice(2)}`;
+  const tempPath = `${resolvedPath}.tmp.${crypto3.randomUUID()}`;
   await Bun.write(tempPath, markdown);
   renameSync5(tempPath, resolvedPath);
   await writeSnapshot(directory, swarmState);

package/dist/hooks/adversarial-detector.d.ts

@@ -32,3 +32,10 @@ export declare function detectAdversarialPatterns(text: string): AdversarialPatt
  * Format a precedent manipulation detection event for JSONL emission.
  */
 export declare function formatPrecedentManipulationEvent(match: AdversarialPatternMatch, agentName: string, phase: number): string;
+export declare function formatDebuggingSpiralEvent(match: AdversarialPatternMatch, taskId: string): string;
+export declare function handleDebuggingSpiral(match: AdversarialPatternMatch, taskId: string, directory: string): Promise<{
+    eventLogged: boolean;
+    checkpointCreated: boolean;
+    message: string;
+}>;
+export declare function detectDebuggingSpiral(_directory: string): Promise<AdversarialPatternMatch | null>;

package/dist/hooks/delegation-gate.d.ts

@@ -11,7 +11,7 @@ import type { DelegationEnvelope, EnvelopeValidationResult } from '../types/dele
  * Returns null if no valid envelope is found.
  * Never throws - all errors are caught and result in null.
  */
-export declare function parseDelegationEnvelope(content: string): DelegationEnvelope | null;
+export declare function parseDelegationEnvelope(content: string, directory?: string): DelegationEnvelope | null;
 interface ValidationContext {
     planTasks: string[];
     validAgents: string[];

package/dist/hooks/guardrails.d.ts

@@ -7,6 +7,7 @@
  * - Layer 2 (Hard Block @ 100%): Throws error in toolBefore to block further calls, injects STOP message
  */
 import { type GuardrailsConfig } from '../config/schema';
+import { type FileZone } from '../context/zone-classifier';
 /**
  * Retrieves stored input args for a given callID.
  * Used by other hooks (e.g., delegation-gate) to access tool input args.
@@ -72,3 +73,43 @@ export declare function createGuardrailsHooks(directory: string, directoryOrConf
  * @returns Numeric hash (0 if hashing fails)
  */
 export declare function hashArgs(args: unknown): number;
+/** A record of an agent attesting to (resolving/suppressing/deferring) a finding. */
+export interface AttestationRecord {
+    findingId: string;
+    agent: string;
+    attestation: string;
+    action: 'resolve' | 'suppress' | 'defer';
+    timestamp: string;
+}
+/**
+ * Validates that an attestation string meets the minimum length requirement.
+ */
+export declare function validateAttestation(attestation: string, _findingId: string, _agent: string, _action: 'resolve' | 'suppress' | 'defer'): {
+    valid: true;
+} | {
+    valid: false;
+    reason: string;
+};
+/**
+ * Appends an attestation record to `.swarm/evidence/attestations.jsonl`.
+ */
+export declare function recordAttestation(dir: string, record: AttestationRecord): Promise<void>;
+/**
+ * Validates an attestation and, on success, records it; on failure, logs a rejection event.
+ */
+export declare function validateAndRecordAttestation(dir: string, findingId: string, agent: string, attestation: string, action: 'resolve' | 'suppress' | 'defer'): Promise<{
+    valid: true;
+} | {
+    valid: false;
+    reason: string;
+}>;
+/**
+ * Checks whether the given agent is authorised to write to the given file path.
+ */
+export declare function checkFileAuthority(agentName: string, filePath: string, _cwd: string): {
+    allowed: true;
+} | {
+    allowed: false;
+    reason: string;
+    zone?: FileZone;
+};

package/dist/hooks/knowledge-migrator.d.ts

@@ -5,6 +5,7 @@ export interface MigrationResult {
     entriesMigrated: number;
     entriesDropped: number;
     entriesTotal: number;
-    skippedReason?: 'sentinel-exists' | 'no-context-file' | 'empty-context';
+    skippedReason?: 'sentinel-exists' | 'no-context-file' | 'empty-context' | 'external-sentinel-exists';
 }
+export declare function migrateKnowledgeToExternal(_directory: string, _config: KnowledgeConfig): Promise<MigrationResult>;
 export declare function migrateContextToKnowledge(directory: string, config: KnowledgeConfig): Promise<MigrationResult>;

package/dist/index.js

@@ -29876,6 +29876,285 @@ var init_create_tool = __esm(() => {
   init_dist();
 });
 
+// src/tools/checkpoint.ts
+import { spawnSync } from "child_process";
+import * as fs6 from "fs";
+import * as path9 from "path";
+function containsNonAsciiChars(label) {
+  for (let i2 = 0;i2 < label.length; i2++) {
+    const charCode = label.charCodeAt(i2);
+    if (charCode < 32 || charCode > 126) {
+      return true;
+    }
+  }
+  return false;
+}
+function validateLabel(label) {
+  if (!label || label.length === 0) {
+    return "label is required";
+  }
+  if (label.length > MAX_LABEL_LENGTH) {
+    return `label exceeds maximum length of ${MAX_LABEL_LENGTH}`;
+  }
+  if (label.startsWith("--")) {
+    return 'label cannot start with "--" (git flag pattern)';
+  }
+  if (CONTROL_CHAR_PATTERN.test(label)) {
+    return "label contains control characters";
+  }
+  if (NON_ASCII_PATTERN.test(label)) {
+    return "label contains non-ASCII or invalid characters";
+  }
+  if (containsNonAsciiChars(label)) {
+    return "label contains non-ASCII characters (must be printable ASCII only)";
+  }
+  if (SHELL_METACHARACTERS.test(label)) {
+    return "label contains shell metacharacters";
+  }
+  if (!SAFE_LABEL_PATTERN.test(label)) {
+    return "label contains invalid characters (use alphanumeric, hyphen, underscore, space)";
+  }
+  if (!/[a-zA-Z0-9_]/.test(label)) {
+    return "label cannot be whitespace-only";
+  }
+  if (label.includes("..") || label.includes("/") || label.includes("\\")) {
+    return "label contains path traversal sequence";
+  }
+  return null;
+}
+function getCheckpointLogPath(directory) {
+  return path9.join(directory, CHECKPOINT_LOG_PATH);
+}
+function readCheckpointLog(directory) {
+  const logPath = getCheckpointLogPath(directory);
+  try {
+    if (fs6.existsSync(logPath)) {
+      const content = fs6.readFileSync(logPath, "utf-8");
+      const parsed = JSON.parse(content);
+      if (!parsed.checkpoints || !Array.isArray(parsed.checkpoints)) {
+        return { version: 1, checkpoints: [] };
+      }
+      return parsed;
+    }
+  } catch {}
+  return { version: 1, checkpoints: [] };
+}
+function writeCheckpointLog(log2, directory) {
+  const logPath = getCheckpointLogPath(directory);
+  const dir = path9.dirname(logPath);
+  if (!fs6.existsSync(dir)) {
+    fs6.mkdirSync(dir, { recursive: true });
+  }
+  const tempPath = `${logPath}.tmp`;
+  fs6.writeFileSync(tempPath, JSON.stringify(log2, null, 2), "utf-8");
+  fs6.renameSync(tempPath, logPath);
+}
+function gitExec(args2) {
+  const result = spawnSync("git", args2, {
+    encoding: "utf-8",
+    timeout: GIT_TIMEOUT_MS,
+    stdio: ["pipe", "pipe", "pipe"]
+  });
+  if (result.status !== 0) {
+    const err2 = new Error(result.stderr?.trim() || `git exited with code ${result.status}`);
+    throw err2;
+  }
+  return result.stdout;
+}
+function getCurrentSha() {
+  const output = gitExec(["rev-parse", "HEAD"]);
+  return output.trim();
+}
+function isGitRepo() {
+  try {
+    gitExec(["rev-parse", "--git-dir"]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function handleSave(label, directory) {
+  try {
+    const log2 = readCheckpointLog(directory);
+    const existingCheckpoint = log2.checkpoints.find((c) => c.label === label);
+    if (existingCheckpoint) {
+      return JSON.stringify({
+        action: "save",
+        success: false,
+        error: `duplicate label: "${label}" already exists. Use a different label or delete the existing checkpoint first.`
+      }, null, 2);
+    }
+    const _sha = getCurrentSha();
+    const timestamp = new Date().toISOString();
+    gitExec(["commit", "--allow-empty", "-m", `checkpoint: ${label}`]);
+    const newSha = getCurrentSha();
+    log2.checkpoints.push({
+      label,
+      sha: newSha,
+      timestamp
+    });
+    writeCheckpointLog(log2, directory);
+    return JSON.stringify({
+      action: "save",
+      success: true,
+      label,
+      sha: newSha,
+      message: `Checkpoint saved: "${label}"`
+    }, null, 2);
+  } catch (e) {
+    const errorMessage = e instanceof Error ? `save failed: ${e.message}` : "save failed: unknown error";
+    return JSON.stringify({
+      action: "save",
+      success: false,
+      error: errorMessage
+    }, null, 2);
+  }
+}
+function handleRestore(label, directory) {
+  try {
+    const log2 = readCheckpointLog(directory);
+    const checkpoint = log2.checkpoints.find((c) => c.label === label);
+    if (!checkpoint) {
+      return JSON.stringify({
+        action: "restore",
+        success: false,
+        error: `checkpoint not found: "${label}"`
+      }, null, 2);
+    }
+    gitExec(["reset", "--soft", checkpoint.sha]);
+    return JSON.stringify({
+      action: "restore",
+      success: true,
+      label,
+      sha: checkpoint.sha,
+      message: `Restored to checkpoint: "${label}" (soft reset)`
+    }, null, 2);
+  } catch (e) {
+    const errorMessage = e instanceof Error ? `restore failed: ${e.message}` : "restore failed: unknown error";
+    return JSON.stringify({
+      action: "restore",
+      success: false,
+      error: errorMessage
+    }, null, 2);
+  }
+}
+function handleList(directory) {
+  const log2 = readCheckpointLog(directory);
+  const sorted = [...log2.checkpoints].sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+  return JSON.stringify({
+    action: "list",
+    success: true,
+    count: sorted.length,
+    checkpoints: sorted
+  }, null, 2);
+}
+function handleDelete(label, directory) {
+  try {
+    const log2 = readCheckpointLog(directory);
+    const initialLength = log2.checkpoints.length;
+    log2.checkpoints = log2.checkpoints.filter((c) => c.label !== label);
+    if (log2.checkpoints.length === initialLength) {
+      return JSON.stringify({
+        action: "delete",
+        success: false,
+        error: `checkpoint not found: "${label}"`
+      }, null, 2);
+    }
+    writeCheckpointLog(log2, directory);
+    return JSON.stringify({
+      action: "delete",
+      success: true,
+      label,
+      message: `Checkpoint deleted: "${label}" (git commit preserved)`
+    }, null, 2);
+  } catch (e) {
+    const errorMessage = e instanceof Error ? `delete failed: ${e.message}` : "delete failed: unknown error";
+    return JSON.stringify({
+      action: "delete",
+      success: false,
+      error: errorMessage
+    }, null, 2);
+  }
+}
+var CHECKPOINT_LOG_PATH = ".swarm/checkpoints.json", MAX_LABEL_LENGTH = 100, GIT_TIMEOUT_MS = 30000, SHELL_METACHARACTERS, SAFE_LABEL_PATTERN, CONTROL_CHAR_PATTERN, NON_ASCII_PATTERN, checkpoint;
+var init_checkpoint = __esm(() => {
+  init_tool();
+  init_create_tool();
+  SHELL_METACHARACTERS = /[;|&$`(){}<>!'"]/;
+  SAFE_LABEL_PATTERN = /^[a-zA-Z0-9_ -]+$/;
+  CONTROL_CHAR_PATTERN = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
+  NON_ASCII_PATTERN = /[^\x20-\x7E]/;
+  checkpoint = createSwarmTool({
+    description: "Save, restore, list, and delete git checkpoints. " + "Use save to create a named snapshot, restore to return to a checkpoint (soft reset), " + "list to see all checkpoints, and delete to remove a checkpoint from the log. " + "Git commits are preserved on delete.",
+    args: {
+      action: tool.schema.string().describe("Action to perform: save, restore, list, or delete"),
+      label: tool.schema.string().optional().describe("Checkpoint label (required for save, restore, delete)")
+    },
+    execute: async (args2, directory) => {
+      if (!isGitRepo()) {
+        return JSON.stringify({
+          action: "unknown",
+          success: false,
+          error: "not a git repository"
+        }, null, 2);
+      }
+      let action;
+      let label;
+      try {
+        action = String(args2.action);
+        label = args2.label !== undefined ? String(args2.label) : undefined;
+      } catch {
+        return JSON.stringify({
+          action: "unknown",
+          success: false,
+          error: "invalid arguments"
+        }, null, 2);
+      }
+      const validActions = ["save", "restore", "list", "delete"];
+      if (!validActions.includes(action)) {
+        return JSON.stringify({
+          action,
+          success: false,
+          error: `invalid action: "${action}". Valid actions: ${validActions.join(", ")}`
+        }, null, 2);
+      }
+      if (["save", "restore", "delete"].includes(action)) {
+        if (!label) {
+          return JSON.stringify({
+            action,
+            success: false,
+            error: `label is required for ${action} action`
+          }, null, 2);
+        }
+        const labelError = validateLabel(label);
+        if (labelError) {
+          return JSON.stringify({
+            action,
+            success: false,
+            error: `invalid label: ${labelError}`
+          }, null, 2);
+        }
+      }
+      switch (action) {
+        case "save":
+          return handleSave(label, directory);
+        case "restore":
+          return handleRestore(label, directory);
+        case "list":
+          return handleList(directory);
+        case "delete":
+          return handleDelete(label, directory);
+        default:
+          return JSON.stringify({
+            action,
+            success: false,
+            error: "unreachable"
+          }, null, 2);
+      }
+    }
+  });
+});
+
 // node_modules/graceful-fs/polyfills.js
 var require_polyfills = __commonJS((exports, module2) => {
   var constants = __require("constants");
@@ -43511,286 +43790,8 @@ async function handleBenchmarkCommand(directory, args2) {
 `);
 }
 
-// src/tools/checkpoint.ts
-init_tool();
-init_create_tool();
-import { spawnSync } from "child_process";
-import * as fs6 from "fs";
-import * as path9 from "path";
-var CHECKPOINT_LOG_PATH = ".swarm/checkpoints.json";
-var MAX_LABEL_LENGTH = 100;
-var GIT_TIMEOUT_MS = 30000;
-var SHELL_METACHARACTERS = /[;|&$`(){}<>!'"]/;
-var SAFE_LABEL_PATTERN = /^[a-zA-Z0-9_ -]+$/;
-var CONTROL_CHAR_PATTERN = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
-var NON_ASCII_PATTERN = /[^\x20-\x7E]/;
-function containsNonAsciiChars(label) {
-  for (let i2 = 0;i2 < label.length; i2++) {
-    const charCode = label.charCodeAt(i2);
-    if (charCode < 32 || charCode > 126) {
-      return true;
-    }
-  }
-  return false;
-}
-function validateLabel(label) {
-  if (!label || label.length === 0) {
-    return "label is required";
-  }
-  if (label.length > MAX_LABEL_LENGTH) {
-    return `label exceeds maximum length of ${MAX_LABEL_LENGTH}`;
-  }
-  if (label.startsWith("--")) {
-    return 'label cannot start with "--" (git flag pattern)';
-  }
-  if (CONTROL_CHAR_PATTERN.test(label)) {
-    return "label contains control characters";
-  }
-  if (NON_ASCII_PATTERN.test(label)) {
-    return "label contains non-ASCII or invalid characters";
-  }
-  if (containsNonAsciiChars(label)) {
-    return "label contains non-ASCII characters (must be printable ASCII only)";
-  }
-  if (SHELL_METACHARACTERS.test(label)) {
-    return "label contains shell metacharacters";
-  }
-  if (!SAFE_LABEL_PATTERN.test(label)) {
-    return "label contains invalid characters (use alphanumeric, hyphen, underscore, space)";
-  }
-  if (!/[a-zA-Z0-9_]/.test(label)) {
-    return "label cannot be whitespace-only";
-  }
-  if (label.includes("..") || label.includes("/") || label.includes("\\")) {
-    return "label contains path traversal sequence";
-  }
-  return null;
-}
-function getCheckpointLogPath(directory) {
-  return path9.join(directory, CHECKPOINT_LOG_PATH);
-}
-function readCheckpointLog(directory) {
-  const logPath = getCheckpointLogPath(directory);
-  try {
-    if (fs6.existsSync(logPath)) {
-      const content = fs6.readFileSync(logPath, "utf-8");
-      const parsed = JSON.parse(content);
-      if (!parsed.checkpoints || !Array.isArray(parsed.checkpoints)) {
-        return { version: 1, checkpoints: [] };
-      }
-      return parsed;
-    }
-  } catch {}
-  return { version: 1, checkpoints: [] };
-}
-function writeCheckpointLog(log2, directory) {
-  const logPath = getCheckpointLogPath(directory);
-  const dir = path9.dirname(logPath);
-  if (!fs6.existsSync(dir)) {
-    fs6.mkdirSync(dir, { recursive: true });
-  }
-  const tempPath = `${logPath}.tmp`;
-  fs6.writeFileSync(tempPath, JSON.stringify(log2, null, 2), "utf-8");
-  fs6.renameSync(tempPath, logPath);
-}
-function gitExec(args2) {
-  const result = spawnSync("git", args2, {
-    encoding: "utf-8",
-    timeout: GIT_TIMEOUT_MS,
-    stdio: ["pipe", "pipe", "pipe"]
-  });
-  if (result.status !== 0) {
-    const err2 = new Error(result.stderr?.trim() || `git exited with code ${result.status}`);
-    throw err2;
-  }
-  return result.stdout;
-}
-function getCurrentSha() {
-  const output = gitExec(["rev-parse", "HEAD"]);
-  return output.trim();
-}
-function isGitRepo() {
-  try {
-    gitExec(["rev-parse", "--git-dir"]);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function handleSave(label, directory) {
-  try {
-    const log2 = readCheckpointLog(directory);
-    const existingCheckpoint = log2.checkpoints.find((c) => c.label === label);
-    if (existingCheckpoint) {
-      return JSON.stringify({
-        action: "save",
-        success: false,
-        error: `duplicate label: "${label}" already exists. Use a different label or delete the existing checkpoint first.`
-      }, null, 2);
-    }
-    const _sha = getCurrentSha();
-    const timestamp = new Date().toISOString();
-    gitExec(["commit", "--allow-empty", "-m", `checkpoint: ${label}`]);
-    const newSha = getCurrentSha();
-    log2.checkpoints.push({
-      label,
-      sha: newSha,
-      timestamp
-    });
-    writeCheckpointLog(log2, directory);
-    return JSON.stringify({
-      action: "save",
-      success: true,
-      label,
-      sha: newSha,
-      message: `Checkpoint saved: "${label}"`
-    }, null, 2);
-  } catch (e) {
-    const errorMessage = e instanceof Error ? `save failed: ${e.message}` : "save failed: unknown error";
-    return JSON.stringify({
-      action: "save",
-      success: false,
-      error: errorMessage
-    }, null, 2);
-  }
-}
-function handleRestore(label, directory) {
-  try {
-    const log2 = readCheckpointLog(directory);
-    const checkpoint = log2.checkpoints.find((c) => c.label === label);
-    if (!checkpoint) {
-      return JSON.stringify({
-        action: "restore",
-        success: false,
-        error: `checkpoint not found: "${label}"`
-      }, null, 2);
-    }
-    gitExec(["reset", "--soft", checkpoint.sha]);
-    return JSON.stringify({
-      action: "restore",
-      success: true,
-      label,
-      sha: checkpoint.sha,
-      message: `Restored to checkpoint: "${label}" (soft reset)`
-    }, null, 2);
-  } catch (e) {
-    const errorMessage = e instanceof Error ? `restore failed: ${e.message}` : "restore failed: unknown error";
-    return JSON.stringify({
-      action: "restore",
-      success: false,
-      error: errorMessage
-    }, null, 2);
-  }
-}
-function handleList(directory) {
-  const log2 = readCheckpointLog(directory);
-  const sorted = [...log2.checkpoints].sort((a, b) => b.timestamp.localeCompare(a.timestamp));
-  return JSON.stringify({
-    action: "list",
-    success: true,
-    count: sorted.length,
-    checkpoints: sorted
-  }, null, 2);
-}
-function handleDelete(label, directory) {
-  try {
-    const log2 = readCheckpointLog(directory);
-    const initialLength = log2.checkpoints.length;
-    log2.checkpoints = log2.checkpoints.filter((c) => c.label !== label);
-    if (log2.checkpoints.length === initialLength) {
-      return JSON.stringify({
-        action: "delete",
-        success: false,
-        error: `checkpoint not found: "${label}"`
-      }, null, 2);
-    }
-    writeCheckpointLog(log2, directory);
-    return JSON.stringify({
-      action: "delete",
-      success: true,
-      label,
-      message: `Checkpoint deleted: "${label}" (git commit preserved)`
-    }, null, 2);
-  } catch (e) {
-    const errorMessage = e instanceof Error ? `delete failed: ${e.message}` : "delete failed: unknown error";
-    return JSON.stringify({
-      action: "delete",
-      success: false,
-      error: errorMessage
-    }, null, 2);
-  }
-}
-var checkpoint = createSwarmTool({
-  description: "Save, restore, list, and delete git checkpoints. " + "Use save to create a named snapshot, restore to return to a checkpoint (soft reset), " + "list to see all checkpoints, and delete to remove a checkpoint from the log. " + "Git commits are preserved on delete.",
-  args: {
-    action: tool.schema.string().describe("Action to perform: save, restore, list, or delete"),
-    label: tool.schema.string().optional().describe("Checkpoint label (required for save, restore, delete)")
-  },
-  execute: async (args2, directory) => {
-    if (!isGitRepo()) {
-      return JSON.stringify({
-        action: "unknown",
-        success: false,
-        error: "not a git repository"
-      }, null, 2);
-    }
-    let action;
-    let label;
-    try {
-      action = String(args2.action);
-      label = args2.label !== undefined ? String(args2.label) : undefined;
-    } catch {
-      return JSON.stringify({
-        action: "unknown",
-        success: false,
-        error: "invalid arguments"
-      }, null, 2);
-    }
-    const validActions = ["save", "restore", "list", "delete"];
-    if (!validActions.includes(action)) {
-      return JSON.stringify({
-        action,
-        success: false,
-        error: `invalid action: "${action}". Valid actions: ${validActions.join(", ")}`
-      }, null, 2);
-    }
-    if (["save", "restore", "delete"].includes(action)) {
-      if (!label) {
-        return JSON.stringify({
-          action,
-          success: false,
-          error: `label is required for ${action} action`
-        }, null, 2);
-      }
-      const labelError = validateLabel(label);
-      if (labelError) {
-        return JSON.stringify({
-          action,
-          success: false,
-          error: `invalid label: ${labelError}`
-        }, null, 2);
-      }
-    }
-    switch (action) {
-      case "save":
-        return handleSave(label, directory);
-      case "restore":
-        return handleRestore(label, directory);
-      case "list":
-        return handleList(directory);
-      case "delete":
-        return handleDelete(label, directory);
-      default:
-        return JSON.stringify({
-          action,
-          success: false,
-          error: "unreachable"
-        }, null, 2);
-    }
-  }
-});
-
 // src/commands/checkpoint.ts
+init_checkpoint();
 async function handleCheckpointCommand(directory, args2) {
   const subcommand = args2[0] || "list";
   const label = args2[1];
@@ -44008,8 +44009,11 @@ async function rewriteKnowledge(filePath, entries) {
 ` : "");
     await writeFile(filePath, content, "utf-8");
   } finally {
-    if (release)
-      await release();
+    if (release) {
+      try {
+        await release();
+      } catch {}
+    }
   }
 }
 async function appendRejectedLesson(directory, lesson) {
@@ -46466,6 +46470,7 @@ async function handleExportCommand(directory, _args) {
 }
 // src/commands/handoff.ts
 init_utils2();
+import crypto3 from "crypto";
 import { renameSync as renameSync5 } from "fs";
 
 // src/services/handoff-service.ts
@@ -46868,7 +46873,7 @@ async function handleHandoffCommand(directory, _args) {
   const handoffData = await getHandoffData(directory);
   const markdown = formatHandoffMarkdown(handoffData);
   const resolvedPath = validateSwarmPath(directory, "handoff.md");
-  const tempPath = `${resolvedPath}.tmp.${Date.now()}.${Math.random().toString(36).slice(2)}`;
+  const tempPath = `${resolvedPath}.tmp.${crypto3.randomUUID()}`;
   await Bun.write(tempPath, markdown);
   renameSync5(tempPath, resolvedPath);
   await writeSnapshot(directory, swarmState);
@@ -49749,8 +49754,8 @@ import * as path31 from "path";
 // src/hooks/guardrails.ts
 init_constants();
 init_schema();
-init_manager2();
 import * as path29 from "path";
+init_manager2();
 init_utils();
 
 // src/hooks/loop-detector.ts
@@ -49932,6 +49937,7 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
   } else {
     guardrailsConfig = config3;
   }
+  const effectiveDirectory = typeof directory === "string" ? directory : process.cwd();
   if (guardrailsConfig?.enabled === false) {
     return {
       toolBefore: async () => {},
@@ -50025,9 +50031,9 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
         const args2 = output.args;
         const targetPath = args2?.filePath ?? args2?.path ?? args2?.file ?? args2?.target;
         if (typeof targetPath === "string" && targetPath.length > 0) {
-          const resolvedTarget = path29.resolve(directory, targetPath).toLowerCase();
-          const planMdPath = path29.resolve(directory, ".swarm", "plan.md").toLowerCase();
-          const planJsonPath = path29.resolve(directory, ".swarm", "plan.json").toLowerCase();
+          const resolvedTarget = path29.resolve(effectiveDirectory, targetPath).toLowerCase();
+          const planMdPath = path29.resolve(effectiveDirectory, ".swarm", "plan.md").toLowerCase();
+          const planJsonPath = path29.resolve(effectiveDirectory, ".swarm", "plan.json").toLowerCase();
           if (resolvedTarget === planMdPath || resolvedTarget === planJsonPath) {
             throw new Error("PLAN STATE VIOLATION: Direct writes to .swarm/plan.md and .swarm/plan.json are blocked. " + "plan.md is auto-regenerated from plan.json by PlanSyncWorker. " + "Use update_task_status() to mark tasks complete, " + "phase_complete() for phase transitions, or " + "save_plan to create/restructure plans.");
           }
@@ -50076,13 +50082,13 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
               }
             }
             for (const p of paths) {
-              const resolvedP = path29.resolve(directory, p);
-              const planMdPath = path29.resolve(directory, ".swarm", "plan.md").toLowerCase();
-              const planJsonPath = path29.resolve(directory, ".swarm", "plan.json").toLowerCase();
+              const resolvedP = path29.resolve(effectiveDirectory, p);
+              const planMdPath = path29.resolve(effectiveDirectory, ".swarm", "plan.md").toLowerCase();
+              const planJsonPath = path29.resolve(effectiveDirectory, ".swarm", "plan.json").toLowerCase();
               if (resolvedP.toLowerCase() === planMdPath || resolvedP.toLowerCase() === planJsonPath) {
                 throw new Error("PLAN STATE VIOLATION: Direct writes to .swarm/plan.md and .swarm/plan.json are blocked. " + "plan.md is auto-regenerated from plan.json by PlanSyncWorker. " + "Use update_task_status() to mark tasks complete, " + "phase_complete() for phase transitions, or " + "save_plan to create/restructure plans.");
               }
-              if (isOutsideSwarmDir(p, directory) && (isSourceCodePath(p) || hasTraversalSegments(p))) {
+              if (isOutsideSwarmDir(p, effectiveDirectory) && (isSourceCodePath(p) || hasTraversalSegments(p))) {
                 const session2 = swarmState.agentSessions.get(input.sessionID);
                 if (session2) {
                   session2.architectWriteCount++;
@@ -50098,7 +50104,7 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
             }
           }
         }
-        if (typeof targetPath === "string" && targetPath.length > 0 && isOutsideSwarmDir(targetPath, directory) && isSourceCodePath(path29.relative(directory, path29.resolve(directory, targetPath)))) {
+        if (typeof targetPath === "string" && targetPath.length > 0 && isOutsideSwarmDir(targetPath, effectiveDirectory) && isSourceCodePath(path29.relative(effectiveDirectory, path29.resolve(effectiveDirectory, targetPath)))) {
           const session2 = swarmState.agentSessions.get(input.sessionID);
           if (session2) {
             session2.architectWriteCount++;
@@ -50297,7 +50303,7 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
         if (delegation.isDelegation && (delegation.targetAgent === "reviewer" || delegation.targetAgent === "test_engineer")) {
           let currentPhase = 1;
           try {
-            const plan = await loadPlan(directory);
+            const plan = await loadPlan(effectiveDirectory);
             if (plan) {
               const phaseString = extractCurrentPhaseFromPlan2(plan);
               currentPhase = extractPhaseNumber(phaseString);
@@ -50470,7 +50476,7 @@ ${textPart2.text}`;
           }
           let currentPhaseForCheck = 1;
           try {
-            const plan = await loadPlan(directory);
+            const plan = await loadPlan(effectiveDirectory);
             if (plan) {
               const phaseString = extractCurrentPhaseFromPlan2(plan);
               currentPhaseForCheck = extractPhaseNumber(phaseString);
@@ -50534,7 +50540,7 @@ ${textPart2.text}`;
       }
       if (isArchitectSessionForGates && session && session.catastrophicPhaseWarnings && requireReviewerAndTestEngineer) {
         try {
-          const plan = await loadPlan(directory);
+          const plan = await loadPlan(effectiveDirectory);
           if (plan?.phases) {
             for (const phase of plan.phases) {
               if (phase.status === "complete") {
@@ -50604,6 +50610,7 @@ function hashArgs(args2) {
 }
 
 // src/hooks/delegation-gate.ts
+init_utils2();
 function extractTaskLine(text) {
   const match = text.match(/TASK:\s*(.+?)(?:\n|$)/i);
   return match ? match[1].trim() : null;
@@ -55131,6 +55138,10 @@ var check_gate_status = createSwarmTool({
     return JSON.stringify(result, null, 2);
   }
 });
+
+// src/tools/index.ts
+init_checkpoint();
+
 // src/tools/complexity-hotspots.ts
 init_dist();
 init_create_tool();
@@ -57378,10 +57389,11 @@ async function executePhaseComplete(args2, workingDirectory, directory) {
   const phase = Number(args2.phase);
   const summary = args2.summary;
   const sessionID = args2.sessionID;
-  if (Number.isNaN(phase) || phase < 1) {
+  if (Number.isNaN(phase) || phase < 1 || !Number.isFinite(phase) || !Number.isInteger(phase)) {
     return JSON.stringify({
       success: false,
       phase,
+      status: "blocked",
       message: "Invalid phase number",
       agentsDispatched: [],
       warnings: ["Phase must be a positive number"]
@@ -57449,7 +57461,7 @@ async function executePhaseComplete(args2, workingDirectory, directory) {
   }
   if (!retroFound) {
     const allTaskIds = await listEvidenceTaskIds(dir);
-    const retroTaskIds = allTaskIds.filter((id) => id.startsWith("retro-"));
+    const retroTaskIds = allTaskIds.filter((id) => id.startsWith("retro-") && /^retro-\d+$/.test(id));
     for (const taskId of retroTaskIds) {
       const bundleResult = await loadEvidence(dir, taskId);
       if (bundleResult.status !== "found") {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.32.1",
+	"version": "6.32.3",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",