opencode-swarm 6.41.0 → 6.41.2

package/dist/cli/index.js

@@ -32643,7 +32643,7 @@ async function executeWriteRetro(args, directory) {
 var write_retro = createSwarmTool({
   description: "Write a retrospective evidence bundle for a completed phase. " + "Accepts flat retro fields and writes a correctly-wrapped EvidenceBundle to " + ".swarm/evidence/retro-{phase}/evidence.json. " + "Use this instead of manually writing retro JSON to avoid schema validation failures in phase_complete.",
   args: {
-    phase: tool.schema.number().int().positive().max(99).describe("The phase number being completed (e.g., 1, 2, 3)"),
+    phase: tool.schema.number().int().min(1).max(99).describe("The phase number being completed (e.g., 1, 2, 3)"),
     summary: tool.schema.string().describe("Human-readable summary of the phase"),
     task_count: tool.schema.number().int().min(1).max(9999).describe("Count of tasks completed in this phase"),
     task_complexity: tool.schema.enum(["trivial", "simple", "moderate", "complex"]).describe("Complexity level of the completed tasks"),

package/dist/hooks/guardrails.d.ts

@@ -106,7 +106,7 @@ export declare function validateAndRecordAttestation(dir: string, findingId: str
 /**
  * Checks whether the given agent is authorised to write to the given file path.
  */
-export declare function checkFileAuthority(agentName: string, filePath: string, _cwd: string): {
+export declare function checkFileAuthority(agentName: string, filePath: string, cwd: string): {
     allowed: true;
 } | {
     allowed: false;

package/dist/index.js

@@ -41431,6 +41431,9 @@ function isValidTaskId(taskId) {
   if (taskId === null || taskId === undefined) {
     return false;
   }
+  if (typeof taskId !== "string") {
+    return false;
+  }
   const trimmed = taskId.trim();
   return trimmed.length > 0;
 }
@@ -47071,7 +47074,7 @@ async function executeWriteRetro(args2, directory) {
 var write_retro = createSwarmTool({
   description: "Write a retrospective evidence bundle for a completed phase. " + "Accepts flat retro fields and writes a correctly-wrapped EvidenceBundle to " + ".swarm/evidence/retro-{phase}/evidence.json. " + "Use this instead of manually writing retro JSON to avoid schema validation failures in phase_complete.",
   args: {
-    phase: tool.schema.number().int().positive().max(99).describe("The phase number being completed (e.g., 1, 2, 3)"),
+    phase: tool.schema.number().int().min(1).max(99).describe("The phase number being completed (e.g., 1, 2, 3)"),
     summary: tool.schema.string().describe("Human-readable summary of the phase"),
     task_count: tool.schema.number().int().min(1).max(9999).describe("Count of tasks completed in this phase"),
     task_complexity: tool.schema.enum(["trivial", "simple", "moderate", "complex"]).describe("Complexity level of the completed tasks"),
@@ -52386,10 +52389,11 @@ function getCurrentTaskId(sessionId) {
   const session = swarmState.agentSessions.get(sessionId);
   return session?.currentTaskId ?? `${sessionId}:unknown`;
 }
-function isInDeclaredScope(filePath, scopeEntries) {
-  const resolvedFile = path32.resolve(filePath);
+function isInDeclaredScope(filePath, scopeEntries, cwd) {
+  const dir = cwd ?? process.cwd();
+  const resolvedFile = path32.resolve(dir, filePath);
   return scopeEntries.some((scope) => {
-    const resolvedScope = path32.resolve(scope);
+    const resolvedScope = path32.resolve(dir, scope);
     if (resolvedFile === resolvedScope)
       return true;
     const rel = path32.relative(resolvedScope, resolvedFile);
@@ -52847,7 +52851,7 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
           }
           session.partialGateWarningsIssuedForTask?.delete(session.currentTaskId);
           if (session.declaredCoderScope !== null) {
-            const undeclaredFiles = session.modifiedFilesThisCoderTask.map((f) => f.replace(/[\r\n\t]/g, "_")).filter((f) => !isInDeclaredScope(f, session.declaredCoderScope));
+            const undeclaredFiles = session.modifiedFilesThisCoderTask.map((f) => f.replace(/[\r\n\t]/g, "_")).filter((f) => !isInDeclaredScope(f, session.declaredCoderScope, directory));
             if (undeclaredFiles.length >= 1) {
               const safeTaskId = String(session.currentTaskId ?? "").replace(/[\r\n\t]/g, "_");
               session.lastScopeViolation = `Scope violation for task ${safeTaskId}: ` + `${undeclaredFiles.length} undeclared files modified: ` + undeclaredFiles.join(", ");
@@ -53290,9 +53294,11 @@ var AGENT_AUTHORITY_RULES = {
     blockedZones: ["generated"]
   }
 };
-function checkFileAuthority(agentName, filePath, _cwd) {
+function checkFileAuthority(agentName, filePath, cwd) {
   const normalizedAgent = agentName.toLowerCase();
-  const normalizedPath = filePath.replace(/\\/g, "/");
+  const dir = cwd || process.cwd();
+  const resolved = path32.resolve(dir, filePath);
+  const normalizedPath = path32.relative(dir, resolved).replace(/\\/g, "/");
   const rules = AGENT_AUTHORITY_RULES[normalizedAgent];
   if (!rules) {
     return { allowed: false, reason: `Unknown agent: ${agentName}` };
@@ -57670,6 +57676,19 @@ function parseFilePaths(description, filesTouched) {
   }
   return filePaths;
 }
+function buildVerifySummary(tasksChecked, tasksSkipped, tasksBlocked) {
+  if (tasksBlocked > 0) {
+    return `Blocked: ${tasksBlocked} task(s) with missing identifiers`;
+  }
+  const verified = tasksChecked - tasksSkipped;
+  if (tasksSkipped === tasksChecked) {
+    return `All ${tasksChecked} completed task(s) skipped \u2014 research/inventory tasks`;
+  }
+  if (tasksSkipped > 0) {
+    return `${verified} task(s) verified, ${tasksSkipped} skipped (research tasks)`;
+  }
+  return `All ${tasksChecked} completed tasks verified successfully`;
+}
 async function executeCompletionVerify(args2, directory) {
   const phase = Number(args2.phase);
   if (Number.isNaN(phase) || phase < 1 || !Number.isFinite(phase)) {
@@ -57731,7 +57750,7 @@ async function executeCompletionVerify(args2, directory) {
     return JSON.stringify(result2, null, 2);
   }
   let tasksChecked = 0;
-  const tasksSkipped = 0;
+  let tasksSkipped = 0;
   let tasksBlocked = 0;
   const blockedTasks = [];
   for (const task of targetPhase.tasks) {
@@ -57742,13 +57761,7 @@ async function executeCompletionVerify(args2, directory) {
     const fileTargets = parseFilePaths(task.description, task.files_touched);
     const identifiers = parseIdentifiers(task.description);
     if (fileTargets.length === 0) {
-      blockedTasks.push({
-        task_id: task.id,
-        identifier: "",
-        file_path: "",
-        reason: "No file targets \u2014 cannot verify completion without files_touched"
-      });
-      tasksBlocked++;
+      tasksSkipped++;
       continue;
     }
     if (identifiers.length === 0) {
@@ -57766,6 +57779,19 @@ async function executeCompletionVerify(args2, directory) {
     for (const filePath of fileTargets) {
       const normalizedPath = filePath.replace(/\\/g, "/");
       const resolvedPath = path45.resolve(directory, normalizedPath);
+      const projectRoot = path45.resolve(directory);
+      const relative6 = path45.relative(projectRoot, resolvedPath);
+      const withinProject = relative6 === "" || !relative6.startsWith("..") && !path45.isAbsolute(relative6);
+      if (!withinProject) {
+        blockedTasks.push({
+          task_id: task.id,
+          identifier: "",
+          file_path: filePath,
+          reason: `File path '${filePath}' escapes the project directory \u2014 cannot verify completion`
+        });
+        hasFileReadFailure = true;
+        continue;
+      }
       let fileContent;
       try {
         fileContent = fs33.readFileSync(resolvedPath, "utf-8");
@@ -57824,7 +57850,7 @@ async function executeCompletionVerify(args2, directory) {
           timestamp: now,
           agent: "completion_verify",
           verdict: tasksBlocked === 0 ? "pass" : "fail",
-          summary: tasksBlocked === 0 ? `All ${tasksChecked} completed tasks verified successfully` : `Blocked: ${tasksBlocked} task(s) with missing identifiers`,
+          summary: buildVerifySummary(tasksChecked, tasksSkipped, tasksBlocked),
           phase,
           tasks_checked: tasksChecked,
           tasks_skipped: tasksSkipped,
@@ -58966,7 +58992,29 @@ async function executeDeclareScope(args2, fallbackDir) {
       };
     }
   }
-  const mergedFiles = [...args2.files, ...args2.whitelist ?? []];
+  const rawMergedFiles = [...args2.files, ...args2.whitelist ?? []];
+  const warnings = [];
+  const normalizeErrors = [];
+  const dir = normalizedDir || fallbackDir || process.cwd();
+  const mergedFiles = rawMergedFiles.map((file3) => {
+    if (path48.isAbsolute(file3)) {
+      const relativePath = path48.relative(dir, file3).replace(/\\/g, "/");
+      if (relativePath.startsWith("..")) {
+        normalizeErrors.push(`Path '${file3}' resolves outside the project directory`);
+        return file3;
+      }
+      warnings.push(`Absolute path normalized to relative: '${relativePath}' (was '${file3}')`);
+      return relativePath;
+    }
+    return file3;
+  });
+  if (normalizeErrors.length > 0) {
+    return {
+      success: false,
+      message: "Validation failed",
+      errors: normalizeErrors
+    };
+  }
   for (const [_sessionId, session] of swarmState.agentSessions) {
     session.declaredCoderScope = mergedFiles;
     session.lastScopeViolation = null;
@@ -58975,7 +59023,8 @@ async function executeDeclareScope(args2, fallbackDir) {
     success: true,
     message: "Scope declared successfully",
     taskId: args2.taskId,
-    fileCount: mergedFiles.length
+    fileCount: mergedFiles.length,
+    ...warnings.length > 0 ? { warnings } : {}
   };
 }
 var declare_scope = createSwarmTool({
@@ -61480,7 +61529,7 @@ async function executePhaseComplete(args2, workingDirectory, directory) {
 var phase_complete = createSwarmTool({
   description: "Mark a phase as complete and track which agents were dispatched. Used for phase completion gating and tracking. Accepts phase number and optional summary. Returns list of agents that were dispatched.",
   args: {
-    phase: tool.schema.number().describe("The phase number being completed (e.g., 1, 2, 3)"),
+    phase: tool.schema.number().int().min(1).describe("The phase number being completed \u2014 a positive integer (e.g., 1, 2, 3)"),
     summary: tool.schema.string().optional().describe("Optional summary of what was accomplished in this phase"),
     sessionID: tool.schema.string().optional().describe("Session ID for tracking state (auto-provided by plugin context)")
   },
@@ -64018,13 +64067,13 @@ function validatePath(inputPath, baseDir, workspaceDir) {
     resolved = path56.resolve(baseDir, inputPath);
   }
   const workspaceResolved = path56.resolve(workspaceDir);
-  let relative6;
+  let relative8;
   if (isWinAbs) {
-    relative6 = path56.win32.relative(workspaceResolved, resolved);
+    relative8 = path56.win32.relative(workspaceResolved, resolved);
   } else {
-    relative6 = path56.relative(workspaceResolved, resolved);
+    relative8 = path56.relative(workspaceResolved, resolved);
   }
-  if (relative6.startsWith("..")) {
+  if (relative8.startsWith("..")) {
     return "path traversal detected";
   }
   return null;
@@ -64933,7 +64982,7 @@ async function executeSavePlan(args2, fallbackDir) {
       success: false,
       message: "Plan rejected: invalid phase or task IDs",
       errors: validationErrors,
-      recovery_guidance: "Use save_plan with corrected inputs to create or restructure plans. Never write .swarm/plan.json or .swarm/plan.md directly."
+      recovery_guidance: "Phase IDs must be positive integers: 1, 2, 3 (not 0, -1, or decimals). " + 'Task IDs must use N.M format: "1.1", "2.3", "3.1". ' + "Call save_plan again with corrected ids. " + "Never write .swarm/plan.json or .swarm/plan.md directly."
     };
   }
   const placeholderIssues = detectPlaceholderContent(args2);
@@ -65046,7 +65095,7 @@ var save_plan = createSwarmTool({
     title: tool.schema.string().min(1).describe("Plan title \u2014 the REAL project name from the spec. NOT a placeholder like [Project]."),
     swarm_id: tool.schema.string().min(1).describe('Swarm identifier (e.g. "mega")'),
     phases: tool.schema.array(tool.schema.object({
-      id: tool.schema.number().int().positive().describe("Phase number, starting at 1"),
+      id: tool.schema.number().int().min(1).describe("Phase number \u2014 a positive integer starting at 1. Use 1, 2, 3, etc."),
       name: tool.schema.string().min(1).describe("Descriptive phase name derived from the spec"),
       tasks: tool.schema.array(tool.schema.object({
         id: tool.schema.string().min(1).regex(/^\d+\.\d+(\.\d+)*$/, 'Task ID must be in N.M format, e.g. "1.1"').describe('Task ID in N.M format, e.g. "1.1", "2.3"'),
@@ -67629,7 +67678,7 @@ async function executeWriteDriftEvidence(args2, directory) {
 var write_drift_evidence = createSwarmTool({
   description: "Write drift verification evidence for a completed phase. " + "Normalizes verdict (APPROVED->approved, NEEDS_REVISION->rejected) and writes " + "a gate-contract formatted EvidenceBundle to .swarm/evidence/{phase}/drift-verifier.json. " + "Use this after critic_drift_verifier delegation to persist the verification result.",
   args: {
-    phase: tool.schema.number().int().positive().describe("The phase number for the drift verification"),
+    phase: tool.schema.number().int().min(1).describe("The phase number for the drift verification (e.g., 1, 2, 3)"),
     verdict: tool.schema.enum(["APPROVED", "NEEDS_REVISION"]).describe("Verdict of the drift verification: 'APPROVED' or 'NEEDS_REVISION'"),
     summary: tool.schema.string().describe("Human-readable summary of the drift verification")
   },

package/dist/tools/declare-scope.d.ts

@@ -22,6 +22,7 @@ export interface DeclareScopeResult {
     taskId?: string;
     fileCount?: number;
     errors?: string[];
+    warnings?: string[];
 }
 /**
  * Validate that taskId matches the required format (N.M or N.M.P).

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.41.0",
+	"version": "6.41.2",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",