opencode-swarm 6.40.4 → 6.40.5

package/dist/index.js

@@ -42001,8 +42001,9 @@ All other gates: failure \u2192 return to coder. No self-fixes. No workarounds.
     - quality_budget (maintainability metrics)
     \u2192 Returns { gates_passed, lint, secretscan, sast_scan, quality_budget, total_duration_ms }
     \u2192 If gates_passed === false: read individual tool results, identify which tool(s) failed, return structured rejection to {{AGENT_PREFIX}}coder with specific tool failures. Do NOT call {{AGENT_PREFIX}}reviewer.
-    \u2192 If gates_passed === true: proceed to {{AGENT_PREFIX}}reviewer.
-    \u2192 REQUIRED: Print "pre_check_batch: [PASS \u2014 all gates passed | FAIL \u2014 [gate]: [details]]"
+    \u2192 If gates_passed === true AND sast_preexisting_findings is present: proceed to {{AGENT_PREFIX}}reviewer. Include the pre-existing SAST findings in the reviewer delegation context with instruction: "SAST TRIAGE REQUIRED: The following HIGH/CRITICAL SAST findings exist on unchanged lines in this changeset. Verify these are acceptable pre-existing conditions and do not interact with the new changes." Do NOT return to coder for pre-existing findings on unchanged code.
+    \u2192 If gates_passed === true (no sast_preexisting_findings): proceed to {{AGENT_PREFIX}}reviewer.
+    \u2192 REQUIRED: Print "pre_check_batch: [PASS \u2014 all gates passed | PASS \u2014 pre-existing SAST findings on unchanged lines (N findings, reviewer triage) | FAIL \u2014 [gate]: [details]]"
 
 \u26A0\uFE0F pre_check_batch SCOPE BOUNDARY:
 pre_check_batch runs FOUR automated tools: lint:check, secretscan, sast_scan, quality_budget.
@@ -64125,6 +64126,99 @@ async function runQualityBudgetWrapped(changedFiles, directory, _config) {
     };
   }
 }
+var GATE_SEVERITIES = new Set(["high", "critical"]);
+async function runGitDiff(args2, directory) {
+  try {
+    const proc = Bun.spawn(["git", "diff", ...args2], {
+      cwd: directory,
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const [exitCode, stdout] = await Promise.all([
+      proc.exited,
+      new Response(proc.stdout).text()
+    ]);
+    if (exitCode !== 0)
+      return null;
+    const trimmed = stdout.trim();
+    return trimmed.length > 0 ? trimmed : null;
+  } catch {
+    return null;
+  }
+}
+function parseDiffLineRanges(diffOutput) {
+  const result = new Map;
+  let currentFile = null;
+  for (const line of diffOutput.split(`
+`)) {
+    if (line.startsWith("+++ b/")) {
+      currentFile = line.slice(6).trim();
+      if (!result.has(currentFile)) {
+        result.set(currentFile, new Set);
+      }
+      continue;
+    }
+    if (line.startsWith("@@") && currentFile) {
+      const match = line.match(/^@@ [^+]*\+(\d+)(?:,(\d+))? @@/);
+      if (match) {
+        const start2 = parseInt(match[1], 10);
+        const count = match[2] !== undefined ? parseInt(match[2], 10) : 1;
+        const lines = result.get(currentFile);
+        for (let i2 = start2;i2 < start2 + count; i2++) {
+          lines.add(i2);
+        }
+      }
+    }
+  }
+  return result;
+}
+async function getChangedLineRanges(directory) {
+  try {
+    for (const baseBranch of ["origin/main", "origin/master", "main", "master"]) {
+      const mergeBaseProc = Bun.spawn(["git", "merge-base", baseBranch, "HEAD"], { cwd: directory, stdout: "pipe", stderr: "pipe" });
+      const [mbExit, mbOut] = await Promise.all([
+        mergeBaseProc.exited,
+        new Response(mergeBaseProc.stdout).text()
+      ]);
+      if (mbExit === 0 && mbOut.trim()) {
+        const mergeBase = mbOut.trim();
+        const diffOut = await runGitDiff(["-U0", `${mergeBase}..HEAD`], directory);
+        if (diffOut) {
+          return parseDiffLineRanges(diffOut);
+        }
+      }
+    }
+    const diffHead1 = await runGitDiff(["-U0", "HEAD~1"], directory);
+    if (diffHead1) {
+      return parseDiffLineRanges(diffHead1);
+    }
+    const diffHead = await runGitDiff(["-U0", "HEAD"], directory);
+    if (diffHead) {
+      return parseDiffLineRanges(diffHead);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function classifySastFindings(findings, changedLineRanges, directory) {
+  if (!changedLineRanges || changedLineRanges.size === 0) {
+    return { newFindings: findings, preexistingFindings: [] };
+  }
+  const newFindings = [];
+  const preexistingFindings = [];
+  for (const finding of findings) {
+    const filePath = finding.location.file;
+    const normalised = path53.relative(directory, filePath).replace(/\\/g, "/");
+    const changedLines = changedLineRanges.get(normalised);
+    if (changedLines && changedLines.has(finding.location.line)) {
+      newFindings.push(finding);
+    } else {
+      preexistingFindings.push(finding);
+    }
+  }
+  return { newFindings, preexistingFindings };
+}
 async function runPreCheckBatch(input, workspaceDir, contextDir) {
   const effectiveWorkspaceDir = workspaceDir || input.directory || contextDir;
   const { files, directory, sast_threshold = "medium", config: config3 } = input;
@@ -64233,10 +64327,24 @@ async function runPreCheckBatch(input, workspaceDir, contextDir) {
       warn(`Failed to persist secretscan evidence: ${e instanceof Error ? e.message : String(e)}`);
     }
   }
+  let sastPreexistingFindings;
   if (sastScanResult.ran && sastScanResult.result) {
     if (sastScanResult.result.verdict === "fail") {
-      gatesPassed = false;
-      warn("pre_check_batch: SAST scan found vulnerabilities - GATE FAILED");
+      const gateFindings = sastScanResult.result.findings.filter((f) => GATE_SEVERITIES.has(f.severity));
+      if (gateFindings.length > 0) {
+        const changedLineRanges = await getChangedLineRanges(directory);
+        const { newFindings, preexistingFindings } = classifySastFindings(gateFindings, changedLineRanges, directory);
+        if (newFindings.length > 0) {
+          gatesPassed = false;
+          warn(`pre_check_batch: SAST scan found ${newFindings.length} new HIGH/CRITICAL finding(s) on changed lines - GATE FAILED`);
+        } else if (preexistingFindings.length > 0) {
+          sastPreexistingFindings = preexistingFindings;
+          warn(`pre_check_batch: SAST scan found ${preexistingFindings.length} pre-existing HIGH/CRITICAL finding(s) on unchanged lines - passing to reviewer for triage`);
+        }
+      } else {
+        gatesPassed = false;
+        warn("pre_check_batch: SAST scan found vulnerabilities - GATE FAILED");
+      }
     }
   } else if (sastScanResult.error) {
     gatesPassed = false;
@@ -64255,7 +64363,10 @@ async function runPreCheckBatch(input, workspaceDir, contextDir) {
     secretscan: secretscanResult,
     sast_scan: sastScanResult,
     quality_budget: qualityBudgetResult,
-    total_duration_ms: Math.round(totalDuration)
+    total_duration_ms: Math.round(totalDuration),
+    ...sastPreexistingFindings && sastPreexistingFindings.length > 0 && {
+      sast_preexisting_findings: sastPreexistingFindings
+    }
   };
   const outputSize = JSON.stringify(result).length;
   if (outputSize > MAX_COMBINED_BYTES) {

package/dist/tools/pre-check-batch.d.ts

@@ -7,7 +7,7 @@ import { tool } from '@opencode-ai/plugin';
 import type { PluginConfig } from '../config';
 import type { LintResult } from './lint';
 import type { QualityBudgetResult } from './quality-budget';
-import type { SastScanResult } from './sast-scan';
+import type { SastScanFinding, SastScanResult } from './sast-scan';
 import type { SecretscanErrorResult, SecretscanResult } from './secretscan';
 export interface PreCheckBatchInput {
     /** List of specific files to check (optional) */
@@ -42,7 +42,32 @@ export interface PreCheckBatchResult {
     quality_budget: ToolResult<QualityBudgetResult>;
     /** Total duration in milliseconds */
     total_duration_ms: number;
+    /** Pre-existing SAST findings on unchanged lines, requiring reviewer triage */
+    sast_preexisting_findings?: SastScanFinding[];
 }
+/**
+ * Parse unified diff output (with -U0) to extract added/modified line numbers per file.
+ * Returns a Map from normalised file path → Set of changed line numbers.
+ */
+export declare function parseDiffLineRanges(diffOutput: string): Map<string, Set<number>>;
+/**
+ * Get changed line ranges for the current branch vs its base.
+ * Tries three strategies in order:
+ * 1. merge-base diff against main/master (captures all branch changes, works after commit)
+ * 2. HEAD~1 (single-commit diff, works after commit)
+ * 3. HEAD (unstaged/staged changes, works before commit)
+ * Returns null if git is unavailable or no changes found.
+ */
+export declare function getChangedLineRanges(directory: string): Promise<Map<string, Set<number>> | null>;
+/**
+ * Classify SAST findings as "new" (on changed lines) or "pre-existing" (unchanged lines).
+ * A finding is "new" if its file+line intersects the changed line ranges from git diff.
+ * If line ranges cannot be determined (git unavailable), all findings are treated as new (fail-closed).
+ */
+export declare function classifySastFindings(findings: SastScanFinding[], changedLineRanges: Map<string, Set<number>> | null, directory: string): {
+    newFindings: SastScanFinding[];
+    preexistingFindings: SastScanFinding[];
+};
 /**
  * Run all 4 pre-check tools in parallel with concurrency limit
  * @param input - The pre-check batch input

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.40.4",
+	"version": "6.40.5",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",