npm - opencode-swarm - Versions diffs - 6.73.0 → 6.74.0 - Mend

opencode-swarm 6.73.0 → 6.74.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/cli/index.js +17 -13
package/dist/config/evidence-schema.d.ts +115 -0
package/dist/index.js +715 -261
package/dist/tools/pre-check-batch.d.ts +8 -0
package/dist/tools/sast-baseline.d.ts +126 -0
package/dist/tools/sast-scan.d.ts +27 -0
package/dist/tools/save-plan.d.ts +7 -0
package/package.json +1 -1

package/dist/tools/pre-check-batch.d.ts CHANGED Viewed

@@ -18,6 +18,14 @@ export interface PreCheckBatchInput {
     sast_threshold?: 'low' | 'medium' | 'high' | 'critical';
     /** Optional plugin config */
     config?: PluginConfig;
+    /**
+     * Current phase number (positive integer >= 1).
+     * When provided, enables SAST baseline diffing: only findings absent from the
+     * phase-scoped baseline (.swarm/evidence/{phase}/sast-baseline.json) drive the
+     * fail verdict. Capture the baseline before first coder delegation via sast_scan
+     * with capture_baseline:true.
+     */
+    phase?: number;
 }
 export interface ToolResult<T> {
     /** Whether the tool was executed */

package/dist/tools/sast-baseline.d.ts ADDED Viewed

@@ -0,0 +1,126 @@
+/**
+ * SAST Baseline — phase-scoped snapshot of pre-existing security findings.
+ *
+ * Enables baseline diffing so only NEW findings (introduced since baseline capture)
+ * drive the fail verdict in subsequent sast_scan calls.
+ *
+ * Storage: .swarm/evidence/{phase}/sast-baseline.json
+ *   Mirrors the phase-scoped convention used by write-drift-evidence.ts and
+ *   write-hallucination-evidence.ts (path.join('evidence', String(phase), filename)
+ *   passed to validateSwarmPath).
+ *
+ * Fingerprint format (stable):
+ *   `${relFile}|${rule_id}|${sha256(3lineWindow).slice(0,16)}|#${occurrenceIndex}`
+ *
+ * Fingerprint format (unstable — file unreadable or path escapes workspace):
+ *   `${relFile}|${rule_id}|L${line}|UNSTABLE|#${occurrenceIndex}`
+ *   Unstable fingerprints are ALWAYS treated as NEW findings (fail-closed).
+ *
+ * Merge semantics:
+ *   On every capture for a set of files, ALL prior fingerprints for those files
+ *   are removed (full prune, engine-agnostic) before inserting current findings.
+ *   This prevents stale cross-engine fingerprints from causing false-pass verdicts.
+ */
+import type { SastScanFinding } from './sast-scan';
+export declare const BASELINE_SCHEMA_VERSION: "1.0.0";
+/** Maximum findings to store in baseline (heuristic — open for tuning). */
+export declare const MAX_BASELINE_FINDINGS = 2000;
+export interface SastBaselineFile {
+    schema_version: '1.0.0';
+    phase: number;
+    created_at: string;
+    updated_at: string;
+    engine: 'tier_a' | 'tier_a+tier_b';
+    /** Canonical relative paths of files indexed into this baseline. */
+    files_indexed: string[];
+    /** Fingerprint strings for all indexed findings. */
+    fingerprints: string[];
+    /** Full findings snapshot (for auditing / debugging). */
+    findings_snapshot: SastScanFinding[];
+    /** True if the snapshot was truncated at MAX_BASELINE_FINDINGS. */
+    truncated: boolean;
+}
+export type LoadBaselineResult = {
+    status: 'found';
+    fingerprints: Set<string>;
+    bundle: SastBaselineFile;
+} | {
+    status: 'not_found';
+} | {
+    status: 'invalid_schema';
+    errors: string[];
+};
+export interface FingerprintResult {
+    fingerprint: string;
+    /** False when the file was unreadable or the path escapes the workspace. */
+    stable: boolean;
+}
+export interface IndexedFinding {
+    finding: SastScanFinding;
+    index: number;
+    stable: boolean;
+    fingerprint: string;
+}
+export type CaptureResult = {
+    status: 'written';
+    path: string;
+    fingerprint_count: number;
+} | {
+    status: 'merged';
+    path: string;
+    fingerprint_count: number;
+} | {
+    status: 'error';
+    message: string;
+};
+/**
+ * Return the canonical relative path for a finding file.
+ * Mirrors the normalization in pre-check-batch.ts classifySastFindings.
+ */
+export declare function normalizeFindingPath(directory: string, file: string): string;
+/**
+ * Compute a stable or unstable fingerprint for a single finding.
+ *
+ * Stable uses a 3-line content window (N-1, N, N+1) so the fingerprint
+ * survives line-number shifts caused by insertions above the finding.
+ *
+ * Unstable is produced when the file cannot be read or the path escapes
+ * the workspace — such findings are always classified NEW (fail-closed).
+ */
+export declare function fingerprintFinding(finding: SastScanFinding, directory: string, occurrenceIndex: number): FingerprintResult;
+/**
+ * Assign occurrence indices to a batch of findings.
+ *
+ * Two findings that produce the same (relFile, rule_id, contentHash) tuple
+ * — e.g., copy-pasted vulnerable lines — receive different indices so they
+ * get distinct fingerprints and can be individually classified.
+ */
+export declare function assignOccurrenceIndices(findings: SastScanFinding[], directory: string): IndexedFinding[];
+/**
+ * Capture or merge SAST findings into the phase-scoped baseline.
+ *
+ * Merge semantics:
+ *   For every file in `scannedFiles`, ALL prior fingerprints for that file are
+ *   removed from the baseline before inserting the current scan's fingerprints.
+ *   This full-prune (engine-agnostic) prevents stale cross-engine entries from
+ *   causing false-pass verdicts on later full-engine diff scans.
+ *
+ * Severity threshold:
+ *   Callers MUST pass ALL findings regardless of severity threshold so the
+ *   baseline captures the full pre-existing surface. Threshold filtering is
+ *   the diff caller's responsibility.
+ *
+ * Idempotency:
+ *   Calling twice with identical inputs produces an identical baseline file.
+ *   Calling with a new file set adds/replaces only those files' fingerprints.
+ */
+export declare function captureOrMergeBaseline(directory: string, phase: number, findings: SastScanFinding[], engine: 'tier_a' | 'tier_a+tier_b', scannedFiles: string[], opts?: {
+    force?: boolean;
+}): Promise<CaptureResult>;
+/**
+ * Load the SAST baseline for a given phase.
+ *
+ * Returns 'not_found' when no baseline file exists (first run for phase).
+ * Returns 'invalid_schema' when the file is present but unparseable.
+ */
+export declare function loadBaseline(directory: string, phase: number): LoadBaselineResult;

package/dist/tools/sast-scan.d.ts CHANGED Viewed

@@ -10,6 +10,21 @@ export interface SastScanInput {
     changed_files: string[];
     /** Minimum severity that causes failure (default: 'medium') */
     severity_threshold?: 'low' | 'medium' | 'high' | 'critical';
+    /**
+     * When true, capture/merge a phase-scoped baseline snapshot and return
+     * status:'baseline_captured'. Subsequent scans with the same phase will
+     * diff against this baseline so only NEW findings drive the fail verdict.
+     *
+     * Capture mode ignores severity_threshold — all severities are recorded.
+     * Requires `phase` to be provided.
+     */
+    capture_baseline?: boolean;
+    /**
+     * Current phase number (positive integer, >= 1). Required when
+     * capture_baseline is true. When provided without capture_baseline, enables
+     * baseline diff mode: only findings absent from the phase baseline fail.
+     */
+    phase?: number;
 }
 export interface SastScanResult {
     /** Overall verdict: pass if no findings above threshold, fail otherwise */
@@ -32,6 +47,18 @@ export interface SastScanResult {
             low: number;
         };
     };
+    /** 'baseline_captured' when capture_baseline:true succeeded */
+    status?: 'baseline_captured' | 'baseline_merged';
+    /** Number of findings recorded in the baseline (capture mode only) */
+    finding_count?: number;
+    /** Findings NOT present in the baseline (diff mode only) */
+    new_findings?: SastScanFinding[];
+    /** Findings that match the baseline (diff mode only) */
+    pre_existing_findings?: SastScanFinding[];
+    /** True when a baseline was loaded and diff mode was active */
+    baseline_used?: boolean;
+    /** True when pre_existing_findings were truncated to fit result limits */
+    truncated_pre_existing?: boolean;
 }
 export interface SastScanFinding {
     rule_id: string;

package/dist/tools/save-plan.d.ts CHANGED Viewed

@@ -21,6 +21,13 @@ export interface SavePlanArgs {
         }>;
     }>;
     working_directory?: string;
+    /**
+     * When true, all task statuses are reset to 'pending' and existing completed
+     * statuses are NOT preserved.  Use this when creating a fresh revision of a
+     * plan where prior completion state should no longer apply (e.g., re-planning
+     * after a failed phase).  Defaults to false (existing statuses preserved).
+     */
+    reset_statuses?: boolean;
 }
 /**
  * Result from executing save_plan

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.73.0",
+	"version": "6.74.0",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",