opencode-swarm 6.66.0 → 6.67.1

package/dist/cli/index.js

@@ -18535,9 +18535,9 @@ var AGENT_TOOL_MAP = {
     "checkpoint",
     "check_gate_status",
     "completion_verify",
+    "complexity_hotspots",
     "convene_council",
     "declare_council_criteria",
-    "complexity_hotspots",
     "detect_domains",
     "evidence_check",
     "extract_code_blocks",
@@ -37050,7 +37050,7 @@ function checkAgentToolMapAlignment(registeredKeys) {
           id: `agent-tool-map-mismatch-${agentName}-${toolName}`,
           title: "AGENT_TOOL_MAP alignment gap",
           description: `Tool "${toolName}" is assigned to agent "${agentName}" in AGENT_TOOL_MAP but is not registered in the plugin's tool: {} block. The agent will not be able to use this tool.`,
-          severity: "warn",
+          severity: "error",
           path: `AGENT_TOOL_MAP.${agentName}`,
           currentValue: toolName,
           autoFixable: false
@@ -37159,6 +37159,11 @@ function formatToolDoctorMarkdown(result) {
       }
       lines.push("");
     }
+    if (result.summary.error > 0) {
+      lines.push("---", "");
+      lines.push(`**BLOCKING**: ${result.summary.error} error-severity finding(s) must be resolved before release. ` + `AGENT_TOOL_MAP alignment errors mean an agent's system prompt instructs the model to call a tool that opencode has not registered \u2014 the agent's workflow will silently fail at runtime.`);
+      lines.push("");
+    }
   }
   return lines.join(`
 `);

package/dist/commands/doctor.d.ts

@@ -1,3 +1,10 @@
+import { type ConfigDoctorResult } from '../services/config-doctor';
+/**
+ * Format tool doctor result as markdown for command output.
+ *
+ * Exported for unit testing of the BLOCKING footer enforcement path.
+ */
+export declare function formatToolDoctorMarkdown(result: ConfigDoctorResult): string;
 /**
  * Handle /swarm config doctor command.
  * Maps to: config doctor service (runConfigDoctor)

package/dist/council/__tests__/council-evidence-writer.adversarial.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Adversarial security tests for safeAssignOwnProps.
+ * Tests prototype pollution attacks, constructor pollution, array smuggling,
+ * and boundary violations.
+ */
+export {};

package/dist/council/types.d.ts

@@ -48,6 +48,8 @@ export interface CouncilSynthesis {
     /** 1-indexed */
     roundNumber: number;
     allCriteriaMet: boolean;
+    /** true when called with an empty verdicts array — the APPROVE is vacuous */
+    emptyVerdictsWarning?: boolean;
 }
 export interface CouncilCriteriaItem {
     id: string;
@@ -71,7 +73,14 @@ export interface CouncilConfig {
     vetoPriority: boolean;
     /** Default false — when true, convene_council rejects unless all 5 member verdicts are provided */
     requireAllMembers: boolean;
-    /** Optional webhook URL or handler name invoked when maxRounds is reached without APPROVE. Declared for forward compatibility; no behavior is implemented yet. */
+    /**
+     * Optional webhook URL or handler name for auto-escalation when maxRounds is
+     * reached without APPROVE. Reserved for forward compatibility — NOT yet
+     * implemented. Currently, maxRounds exhaustion surfaces a user-facing message
+     * via `buildUnifiedFeedbackMd` in council-service.ts (see the "Escalate to
+     * user" block), and the architect must relay it to the user. Future wiring
+     * options: critic_oversight agent, HTTP webhook, or configurable handler.
+     */
     escalateOnMaxRounds?: string;
 }
 export declare const COUNCIL_DEFAULTS: CouncilConfig;

package/dist/index.js

@@ -175,9 +175,9 @@ var init_constants = __esm(() => {
       "checkpoint",
       "check_gate_status",
       "completion_verify",
+      "complexity_hotspots",
       "convene_council",
       "declare_council_criteria",
-      "complexity_hotspots",
       "detect_domains",
       "evidence_check",
       "extract_code_blocks",
@@ -35284,7 +35284,7 @@ function checkAgentToolMapAlignment(registeredKeys) {
           id: `agent-tool-map-mismatch-${agentName}-${toolName}`,
           title: "AGENT_TOOL_MAP alignment gap",
           description: `Tool "${toolName}" is assigned to agent "${agentName}" in AGENT_TOOL_MAP but is not registered in the plugin's tool: {} block. The agent will not be able to use this tool.`,
-          severity: "warn",
+          severity: "error",
           path: `AGENT_TOOL_MAP.${agentName}`,
           currentValue: toolName,
           autoFixable: false
@@ -50015,6 +50015,11 @@ function formatToolDoctorMarkdown(result) {
       }
       lines.push("");
     }
+    if (result.summary.error > 0) {
+      lines.push("---", "");
+      lines.push(`**BLOCKING**: ${result.summary.error} error-severity finding(s) must be resolved before release. ` + `AGENT_TOOL_MAP alignment errors mean an agent's system prompt instructs the model to call a tool that opencode has not registered \u2014 the agent's workflow will silently fail at runtime.`);
+      lines.push("");
+    }
   }
   return lines.join(`
 `);
@@ -54733,16 +54738,17 @@ ${customAppendPrompt}`;
   }
   prompt = prompt?.replace("{{YOUR_TOOLS}}", buildYourToolsList())?.replace("{{AVAILABLE_TOOLS}}", buildAvailableToolsList())?.replace("{{SLASH_COMMANDS}}", buildSlashCommandsList());
   const councilBlock = buildCouncilWorkflow(council);
+  const hasPlaceholder = prompt?.includes("{{COUNCIL_WORKFLOW}}") === true;
   if (councilBlock === "") {
-    prompt = prompt?.replace(`
-
-{{COUNCIL_WORKFLOW}}
-
-`, `
+    prompt = prompt?.replace(/\n\n\{\{COUNCIL_WORKFLOW\}\}\n\n/g, `
 
 `);
+  } else if (hasPlaceholder) {
+    prompt = prompt?.replace(/\{\{COUNCIL_WORKFLOW\}\}/g, councilBlock);
   } else {
-    prompt = prompt?.replace("{{COUNCIL_WORKFLOW}}", councilBlock);
+    prompt = `${prompt ?? ""}
+
+${councilBlock}`;
   }
   const advEnabled = adversarialTesting?.enabled ?? true;
   const advScope = adversarialTesting?.scope ?? "all";
@@ -56494,6 +56500,13 @@ function getAgentConfigs(config3, directory, sessionId) {
     } else {
       allowedTools = AGENT_TOOL_MAP[baseAgentName];
     }
+    if (baseAgentName === "architect" && config3?.council?.enabled === true && override !== undefined) {
+      const required3 = ["declare_council_criteria", "convene_council"];
+      const missing = required3.filter((t) => !override.includes(t));
+      if (missing.length > 0) {
+        throw new Error(`[opencode-swarm] Conflicting config: council.enabled=true but tool_filter.overrides.architect omits ${missing.join(", ")}. ` + `Either set council.enabled=false, remove the architect override entirely to fall back on AGENT_TOOL_MAP, or add the missing council tools to the override. ` + `Refusing to silently override your explicit tool_filter.overrides.architect.`);
+      }
+    }
     if (!allowedTools && !Object.hasOwn(toolFilterOverrides, baseAgentName)) {
       if (!warnedMissingWhitelist.has(baseAgentName)) {
         console.warn(`[getAgentConfigs] Unknown agent '${baseAgentName}', defaulting to minimal toolset.`);
@@ -68371,7 +68384,13 @@ ${body2}`);
 }
 
 // src/council/council-evidence-writer.ts
-import { existsSync as existsSync36, mkdirSync as mkdirSync16, readFileSync as readFileSync35, writeFileSync as writeFileSync11 } from "fs";
+import {
+  appendFileSync as appendFileSync7,
+  existsSync as existsSync36,
+  mkdirSync as mkdirSync16,
+  readFileSync as readFileSync35,
+  writeFileSync as writeFileSync11
+} from "fs";
 import { join as join59 } from "path";
 var EVIDENCE_DIR2 = ".swarm/evidence";
 var VALID_TASK_ID = /^\d+\.\d+(\.\d+)*$/;
@@ -68382,7 +68401,23 @@ function safeAssignOwnProps(target, source) {
   for (const key of Object.keys(source)) {
     if (FORBIDDEN_KEYS.has(key))
       continue;
-    target[key] = source[key];
+    const value = source[key];
+    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
+      const nested = Object.create(null);
+      safeAssignOwnProps(nested, value);
+      target[key] = nested;
+    } else if (Array.isArray(value)) {
+      target[key] = value.map((item) => {
+        if (item !== null && typeof item === "object" && !Array.isArray(item)) {
+          const nested = Object.create(null);
+          safeAssignOwnProps(nested, item);
+          return nested;
+        }
+        return item;
+      });
+    } else {
+      target[key] = value;
+    }
   }
   return target;
 }
@@ -68420,6 +68455,20 @@ function writeCouncilEvidence(workingDir, synthesis) {
   safeAssignOwnProps(updated, existingRoot);
   updated.gates = mergedGates;
   writeFileSync11(filePath, JSON.stringify(updated, null, 2));
+  try {
+    const councilDir = join59(workingDir, ".swarm", "council");
+    mkdirSync16(councilDir, { recursive: true });
+    const auditLine = JSON.stringify({
+      round: synthesis.roundNumber,
+      verdict: synthesis.overallVerdict,
+      timestamp: synthesis.timestamp,
+      vetoedBy: synthesis.vetoedBy
+    });
+    appendFileSync7(join59(councilDir, `${synthesis.taskId}.rounds.jsonl`), `${auditLine}
+`);
+  } catch (auditError) {
+    console.warn(`writeCouncilEvidence: failed to append round-history audit log: ${auditError instanceof Error ? auditError.message : String(auditError)}`);
+  }
 }
 
 // src/council/types.ts
@@ -68469,7 +68518,8 @@ function synthesizeCouncilVerdicts(taskId, swarmId, verdicts, criteria, roundNum
     advisoryFindings,
     unifiedFeedbackMd,
     roundNumber,
-    allCriteriaMet
+    allCriteriaMet,
+    ...verdicts.length === 0 && { emptyVerdictsWarning: true }
   };
 }
 function detectConflicts(verdicts) {
@@ -80030,7 +80080,9 @@ var OpenCodeSwarm = async (ctx) => {
       checkpoint,
       completion_verify,
       complexity_hotspots,
+      convene_council,
       curator_analyze,
+      declare_council_criteria,
       knowledge_add,
       knowledge_recall,
       knowledge_remove,
@@ -80045,6 +80097,7 @@ var OpenCodeSwarm = async (ctx) => {
       imports,
       knowledge_query,
       lint,
+      lint_spec,
       diff,
       pkg_audit,
       placeholder_scan,
@@ -80052,6 +80105,7 @@ var OpenCodeSwarm = async (ctx) => {
       pre_check_batch,
       quality_budget,
       repo_map,
+      req_coverage,
       retrieve_summary,
       save_plan,
       sast_scan,

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.66.0",
+	"version": "6.67.1",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",