opencode-swarm 7.21.4 → 7.22.0

package/dist/cli/index.js

@@ -34,7 +34,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.21.4",
+    version: "7.22.0",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -17378,7 +17378,8 @@ var init_schema = __esm(() => {
   AuthorityConfigSchema = exports_external.object({
     enabled: exports_external.boolean().default(true),
     rules: exports_external.record(exports_external.string(), AgentAuthorityRuleSchema).default({}),
-    universal_deny_prefixes: exports_external.array(exports_external.string().min(1)).default([])
+    universal_deny_prefixes: exports_external.array(exports_external.string().min(1)).default([]),
+    verifier_config_paths: exports_external.array(exports_external.string()).optional().describe("Additional glob patterns for verifier config files that are merged into the architect agent's blockedGlobs at plugin init. Writes to matching files are blocked by the authority layer.")
   });
   GeneralCouncilMemberConfigSchema = exports_external.object({
     memberId: exports_external.string().min(1),
@@ -17454,6 +17455,14 @@ var init_schema = __esm(() => {
       const trimmed = v.trim();
       return trimmed === "" ? undefined : trimmed;
     }),
+    auto_select_architect: exports_external.union([exports_external.boolean(), exports_external.string()]).optional().transform((v) => {
+      if (v === undefined)
+        return;
+      if (typeof v === "boolean")
+        return v;
+      const trimmed = v.trim();
+      return trimmed === "" ? false : trimmed;
+    }),
     swarms: exports_external.record(exports_external.string(), SwarmConfigSchema).optional(),
     max_iterations: exports_external.number().min(1).max(10).default(5),
     pipeline: PipelineConfigSchema.optional(),

package/dist/config/schema.d.ts

@@ -641,6 +641,7 @@ export declare const AuthorityConfigSchema: z.ZodObject<{
         allowedGlobs: z.ZodOptional<z.ZodArray<z.ZodString>>;
     }, z.core.$strip>>>;
     universal_deny_prefixes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    verifier_config_paths: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.core.$strip>;
 export type AuthorityConfig = z.infer<typeof AuthorityConfigSchema>;
 export declare const GeneralCouncilConfigSchema: z.ZodObject<{
@@ -827,6 +828,7 @@ export declare const PluginConfigSchema: z.ZodObject<{
         fallback_models: z.ZodOptional<z.ZodArray<z.ZodString>>;
     }, z.core.$strip>>>;
     default_agent: z.ZodPipe<z.ZodOptional<z.ZodString>, z.ZodTransform<string | undefined, string | undefined>>;
+    auto_select_architect: z.ZodPipe<z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodString]>>, z.ZodTransform<string | boolean | undefined, string | boolean | undefined>>;
     swarms: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         name: z.ZodOptional<z.ZodString>;
         agents: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
@@ -1005,6 +1007,7 @@ export declare const PluginConfigSchema: z.ZodObject<{
             allowedGlobs: z.ZodOptional<z.ZodArray<z.ZodString>>;
         }, z.core.$strip>>>;
         universal_deny_prefixes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        verifier_config_paths: z.ZodOptional<z.ZodArray<z.ZodString>>;
     }, z.core.$strip>>;
     plan_cursor: z.ZodOptional<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;

package/dist/index.js

@@ -33,7 +33,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.21.4",
+    version: "7.22.0",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -15591,7 +15591,8 @@ var init_schema = __esm(() => {
   AuthorityConfigSchema = exports_external.object({
     enabled: exports_external.boolean().default(true),
     rules: exports_external.record(exports_external.string(), AgentAuthorityRuleSchema).default({}),
-    universal_deny_prefixes: exports_external.array(exports_external.string().min(1)).default([])
+    universal_deny_prefixes: exports_external.array(exports_external.string().min(1)).default([]),
+    verifier_config_paths: exports_external.array(exports_external.string()).optional().describe("Additional glob patterns for verifier config files that are merged into the architect agent's blockedGlobs at plugin init. Writes to matching files are blocked by the authority layer.")
   });
   GeneralCouncilMemberConfigSchema = exports_external.object({
     memberId: exports_external.string().min(1),
@@ -15667,6 +15668,14 @@ var init_schema = __esm(() => {
       const trimmed = v.trim();
       return trimmed === "" ? undefined : trimmed;
     }),
+    auto_select_architect: exports_external.union([exports_external.boolean(), exports_external.string()]).optional().transform((v) => {
+      if (v === undefined)
+        return;
+      if (typeof v === "boolean")
+        return v;
+      const trimmed = v.trim();
+      return trimmed === "" ? false : trimmed;
+    }),
     swarms: exports_external.record(exports_external.string(), SwarmConfigSchema).optional(),
     max_iterations: exports_external.number().min(1).max(10).default(5),
     pipeline: PipelineConfigSchema.optional(),
@@ -24166,6 +24175,21 @@ var init_normalize_tool_name = __esm(() => {
 import * as fsSync2 from "node:fs";
 import * as fs8 from "node:fs/promises";
 import * as path10 from "node:path";
+function isConfigFilePath(filePath, cwd, extraGlobs) {
+  const normalized = path10.relative(path10.resolve(cwd), path10.resolve(cwd, filePath)).replace(/\\/g, "/");
+  const { zone } = classifyFile(normalized);
+  if (zone === "config") {
+    return true;
+  }
+  const allGlobs = extraGlobs && extraGlobs.length > 0 ? [...KNOWN_VERIFIER_CONFIG_GLOBS, ...extraGlobs] : KNOWN_VERIFIER_CONFIG_GLOBS;
+  for (const glob of allGlobs) {
+    const matcher = getGlobMatcher(glob);
+    if (matcher(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
 function enforceSpecDriftGate(directory, toolName) {
   if (!directory)
     return;
@@ -24713,6 +24737,17 @@ function createGuardrailsHooks(directory, directoryOrConfig, config2, authorityC
     };
   }
   const precomputedAuthorityRules = buildEffectiveRules(authorityConfig);
+  const verifierPaths = authorityConfig?.verifier_config_paths;
+  if (verifierPaths && verifierPaths.length > 0) {
+    const existingArchitect = precomputedAuthorityRules.architect ?? {};
+    precomputedAuthorityRules.architect = {
+      ...existingArchitect,
+      blockedGlobs: [
+        ...existingArchitect.blockedGlobs ?? [],
+        ...verifierPaths
+      ]
+    };
+  }
   const universalDenyPrefixes = authorityConfig?.universal_deny_prefixes ?? [];
   const cfg = guardrailsConfig;
   const requiredQaGates = cfg.qa_gates?.required_tools ?? [
@@ -25102,6 +25137,19 @@ function createGuardrailsHooks(directory, directoryOrConfig, config2, authorityC
           if (!authorityCheck.allowed) {
             throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${delegTargetPath}". Reason: ${authorityCheck.reason}`);
           }
+          if (isConfigFilePath(delegTargetPath, cwd, authorityConfig?.verifier_config_paths)) {
+            const normalizedPath = path10.relative(path10.resolve(cwd), path10.resolve(cwd, delegTargetPath)).replace(/\\/g, "/");
+            const logEntry = {
+              agent: agentName,
+              path: normalizedPath,
+              allowed: authorityCheck.allowed,
+              type: "delegated_write"
+            };
+            if (!authorityCheck.allowed && "reason" in authorityCheck) {
+              logEntry.reason = authorityCheck.reason;
+            }
+            warn("Config file write attempt", logEntry);
+          }
           if (!currentSession.modifiedFilesThisCoderTask.includes(delegTargetPath)) {
             currentSession.modifiedFilesThisCoderTask.push(delegTargetPath);
           }
@@ -25112,6 +25160,19 @@ function createGuardrailsHooks(directory, directoryOrConfig, config2, authorityC
         const cwd = effectiveDirectory;
         for (const p of extractPatchTargetPaths(tool, args2)) {
           const authorityCheck = checkFileAuthorityWithRules(agentName, p, cwd, precomputedAuthorityRules, { declaredScope: resolveDeclaredScope(sessionID) });
+          if (isConfigFilePath(p, cwd, authorityConfig?.verifier_config_paths)) {
+            const normalizedPath = path10.relative(path10.resolve(cwd), path10.resolve(cwd, p)).replace(/\\/g, "/");
+            const logEntry = {
+              agent: agentName,
+              path: normalizedPath,
+              allowed: authorityCheck.allowed,
+              type: "delegated_patch"
+            };
+            if (!authorityCheck.allowed && "reason" in authorityCheck) {
+              logEntry.reason = authorityCheck.reason;
+            }
+            warn("Config file write attempt", logEntry);
+          }
           if (!authorityCheck.allowed) {
             throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${p}" (via patch). Reason: ${authorityCheck.reason}`);
           }
@@ -25443,6 +25504,19 @@ function createGuardrailsHooks(directory, directoryOrConfig, config2, authorityC
           if (!authorityCheck.allowed) {
             throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${targetPath}". Reason: ${authorityCheck.reason}`);
           }
+          if (isConfigFilePath(targetPath, effectiveDirectory, authorityConfig?.verifier_config_paths)) {
+            const normalizedPath = path10.relative(path10.resolve(effectiveDirectory), path10.resolve(effectiveDirectory, targetPath)).replace(/\\/g, "/");
+            const logEntry = {
+              agent: agentName,
+              path: normalizedPath,
+              allowed: authorityCheck.allowed,
+              type: "direct_write"
+            };
+            if (!authorityCheck.allowed && "reason" in authorityCheck) {
+              logEntry.reason = authorityCheck.reason;
+            }
+            warn("Config file write attempt", logEntry);
+          }
         }
       }
       if (input.tool === "apply_patch" || input.tool === "patch") {
@@ -25468,6 +25542,19 @@ function createGuardrailsHooks(directory, directoryOrConfig, config2, authorityC
           if (!authorityCheck.allowed) {
             throw new Error(`WRITE BLOCKED: Agent "${patchAgentName}" is not authorised to write "${p}" (via patch). Reason: ${authorityCheck.reason}`);
           }
+          if (isConfigFilePath(p, effectiveDirectory, authorityConfig?.verifier_config_paths)) {
+            const normalizedPath = path10.relative(path10.resolve(effectiveDirectory), path10.resolve(effectiveDirectory, p)).replace(/\\/g, "/");
+            const logEntry = {
+              agent: patchAgentName,
+              path: normalizedPath,
+              allowed: authorityCheck.allowed,
+              type: "direct_patch"
+            };
+            if (!authorityCheck.allowed && "reason" in authorityCheck) {
+              logEntry.reason = authorityCheck.reason;
+            }
+            warn("Config file write attempt", logEntry);
+          }
         }
       }
       {
@@ -26170,11 +26257,11 @@ function checkWriteTargetForSymlink(targetPath, cwd) {
 }
 function buildEffectiveRules(authorityConfig) {
   if (authorityConfig?.enabled === false || !authorityConfig?.rules) {
-    return DEFAULT_AGENT_AUTHORITY_RULES;
+    return { ...DEFAULT_AGENT_AUTHORITY_RULES };
   }
   const entries = Object.entries(authorityConfig.rules);
   if (entries.length === 0) {
-    return DEFAULT_AGENT_AUTHORITY_RULES;
+    return { ...DEFAULT_AGENT_AUTHORITY_RULES };
   }
   const merged = {
     ...DEFAULT_AGENT_AUTHORITY_RULES
@@ -26312,7 +26399,7 @@ function checkFileAuthorityWithRules(agentName, filePath, cwd, effectiveRules, o
   }
   return { allowed: true };
 }
-var import_picomatch, _internals10, SPEC_DRIFT_BLOCKED_TOOLS, storedInputArgs, TRANSIENT_STATUS_CODES, TRANSIENT_MODEL_ERROR_PATTERN, TRANSIENT_PROVIDER_RECOVERY_TAG = "TRANSIENT PROVIDER RECOVERY", DEGRADED_ERROR_PATTERN, CONTENT_FILTER_PATTERN, toolCallsSinceLastWrite, noOpWarningIssued, consecutiveNoToolTurns, DC_MAX_UNWRAP_DEPTH = 5, DC_SAFE_TARGETS, DC_BLOCKED_ABSOLUTE_PREFIXES, DC_FS_ROOTS, DC_REMOTE_PREFIXES, pathNormalizationCache, globMatcherCache, DEFAULT_AGENT_AUTHORITY_RULES;
+var import_picomatch, KNOWN_VERIFIER_CONFIG_GLOBS, _internals10, SPEC_DRIFT_BLOCKED_TOOLS, storedInputArgs, TRANSIENT_STATUS_CODES, TRANSIENT_MODEL_ERROR_PATTERN, TRANSIENT_PROVIDER_RECOVERY_TAG = "TRANSIENT PROVIDER RECOVERY", DEGRADED_ERROR_PATTERN, CONTENT_FILTER_PATTERN, toolCallsSinceLastWrite, noOpWarningIssued, consecutiveNoToolTurns, DC_MAX_UNWRAP_DEPTH = 5, DC_SAFE_TARGETS, DC_BLOCKED_ABSOLUTE_PREFIXES, DC_FS_ROOTS, DC_REMOTE_PREFIXES, pathNormalizationCache, globMatcherCache, DEFAULT_AGENT_AUTHORITY_RULES;
 var init_guardrails = __esm(() => {
   init_quick_lru();
   init_agents2();
@@ -26332,6 +26419,17 @@ var init_guardrails = __esm(() => {
   init_model_limits();
   init_normalize_tool_name();
   import_picomatch = __toESM(require_picomatch2(), 1);
+  KNOWN_VERIFIER_CONFIG_GLOBS = [
+    "**/oxlintrc*",
+    "**/.oxlintrc*",
+    "**/.eslintrc*",
+    "**/eslint.config.*",
+    "**/.prettierrc*",
+    "**/prettier.config.*",
+    "**/biome.jsonc",
+    "**/.secretscanignore",
+    "**/.golangci*"
+  ];
   _internals10 = {
     getSwarmAgents,
     getMostRecentAssistantText,
@@ -26426,7 +26524,18 @@ var init_guardrails = __esm(() => {
     explore: {},
     architect: {
       blockedExact: [".swarm/plan.md", ".swarm/plan.json"],
-      blockedZones: ["generated"]
+      blockedZones: ["generated", "config"],
+      blockedGlobs: [
+        "**/oxlintrc*",
+        "**/.oxlintrc*",
+        "**/.eslintrc*",
+        "**/eslint.config.*",
+        "**/.prettierrc*",
+        "**/prettier.config.*",
+        "**/biome.jsonc",
+        "**/.secretscanignore",
+        "**/.golangci*"
+      ]
     },
     coder: {
       blockedPrefix: [".swarm/"],
@@ -65779,6 +65888,18 @@ DO (explicitly):
 - VERIFY platform compatibility: path.join() used for all paths, no hardcoded separators
 - For confirmed issues requiring a concrete fix: use suggest_patch to produce a structured patch artifact for the coder
 
+## CONFIG STRICTNESS VERIFICATION
+
+When the declared scope includes a verifier/linter config file (biome.json, biome.jsonc, oxlintrc, oxlintrc.json, .eslintrc, .eslintrc.json, eslint.config.*, .prettierrc, .prettierrc.json, prettier.config.*, biome.jsonc, .secretscanignore, golangci-lint configs, tsconfig.json, tsconfig.*.json, or any other linter/formatter/security-tool configuration):
+
+- Verify the change does NOT reduce strictness of any existing rule
+- Reject changes that downgrade "error" to "warn", remove rules, weaken validation thresholds, or narrow file/directory scopes
+- Allow changes that ADD new stricter rules, enable additional rule categories, fix syntax errors, or correct misconfigured paths
+- Document the specific config change and its impact on validation strictness in your review output
+- If a rule is changed from "error" to "warn" or a rule is removed: REJECT with STRICTNESS_REDUCTION: [rule name] — [original setting] → [new setting]
+
+This is a pre-review gate: if config strictness is reduced, reject immediately without proceeding to Tier review.
+
 ## REUSE RE-VERIFICATION (MANDATORY FOR NEW EXPORTS)
 
 When EXPORTS_ADDED is non-empty in the coder's completion report:
@@ -80616,7 +80737,9 @@ var DENY_SHELL_PATTERNS = [
   /\bbunx?\s+publish\b/i,
   /\bterraform\s+(?:apply|destroy)\b/i,
   /\bkubectl\s+(?:delete|apply\s+-f)/i,
-  /\bdrop\s+(?:database|table)\b/i
+  /\bdrop\s+(?:database|table)\b/i,
+  /\bsed\s+-i\b(?=[^\n]*\b(?:biome\.json|eslintrc|oxlintrc)\b)(?=[^\n]*\b(?:error|warn|off)\b)/i,
+  /\b(?:cat|tee)\b[^\n]*>\s*[^\n]*\b(biome\.json|eslintrc|oxlintrc)\b[^\n]*\b(error|warn|off)\b/i
 ];
 var ESCALATE_SHELL_PATTERNS = [
   /\bcurl\b/i,
@@ -80636,7 +80759,9 @@ var ESCALATE_SHELL_PATTERNS = [
   /\bgit\s+pull\b/i,
   /\bgit\s+rebase\b/i,
   /\bgit\s+merge\b/i,
-  /\bgit\s+commit\b/i
+  /\bgit\s+commit\b/i,
+  /\b(sed\s+-i|echo\s+|printf\s+)[^\n]*\b(biome\.jsonc?|eslintrc|eslint\.config|oxlintrc|prettierrc|secretscanignore|golangci|tsconfig\.json|tsconfig\.[^.]+\.json)\b/i,
+  /\b(?:cat|tee)\b[^\n]*>\s*[^\n]*\b(biome\.jsonc?|eslintrc|eslint\.config|oxlintrc|prettierrc|secretscanignore|golangci|tsconfig\.json|tsconfig\.[^.]+\.json)\b/i
 ];
 function isReadOnlyTool(toolName) {
   if (!toolName)
@@ -105206,11 +105331,65 @@ async function initializeOpenCodeSwarm(ctx) {
       swarm_command: createSwarmCommandTool(agentDefinitionMap)
     },
     config: async (opencodeConfig) => {
+      if (!opencodeConfig.agent || typeof opencodeConfig.agent !== "object") {
+        opencodeConfig.agent = {};
+      }
       if (!opencodeConfig.agent) {
         opencodeConfig.agent = { ...agents };
       } else {
         Object.assign(opencodeConfig.agent, agents);
       }
+      const autoSelect = config3?.auto_select_architect;
+      if (autoSelect) {
+        const hasArchitect = Object.keys(agents).some((name2) => stripKnownSwarmPrefix(name2) === "architect");
+        if (hasArchitect) {
+          for (const builtin of ["build", "plan"]) {
+            const existing = opencodeConfig.agent?.[builtin];
+            if (existing && typeof existing === "object" && existing.disable === true) {
+              continue;
+            }
+            opencodeConfig.agent[builtin] = {
+              ...existing && typeof existing === "object" ? existing : {},
+              disable: true
+            };
+          }
+          if (autoSelect === true) {
+            const primaryArchitects = Object.entries(agents).filter(([name2, cfg]) => stripKnownSwarmPrefix(name2) === "architect" && cfg.mode === "primary");
+            if (primaryArchitects.length > 1) {
+              const names = primaryArchitects.map(([n]) => n).join(", ");
+              addDeferredWarning(`[swarm] auto_select_architect is true but ${primaryArchitects.length} architect agents are primary (${names}). Consider setting auto_select_architect to a specific agent name.`);
+            }
+          }
+          if (typeof autoSelect === "string" && autoSelect !== "") {
+            const targetName = autoSelect;
+            const targetIsArchitect = Object.hasOwn(agents, targetName) && stripKnownSwarmPrefix(targetName) === "architect";
+            if (targetIsArchitect) {
+              for (const [name2, cfg] of Object.entries(agents)) {
+                if (stripKnownSwarmPrefix(name2) === "architect" && name2 !== targetName) {
+                  if (opencodeConfig.agent && typeof opencodeConfig.agent === "object") {
+                    opencodeConfig.agent[name2] = {
+                      ...cfg && typeof cfg === "object" ? cfg : {},
+                      mode: "subagent"
+                    };
+                  }
+                }
+              }
+              if (opencodeConfig.agent && typeof opencodeConfig.agent === "object") {
+                const targetExisting = opencodeConfig.agent[targetName];
+                opencodeConfig.agent[targetName] = {
+                  ...targetExisting && typeof targetExisting === "object" ? targetExisting : {},
+                  ...agents[targetName] && typeof agents[targetName] === "object" ? agents[targetName] : {},
+                  mode: "primary"
+                };
+              }
+            } else {
+              addDeferredWarning(`[swarm] auto_select_architect is set to "${targetName}" but that is not a known architect agent. No architect demotion applied.`);
+            }
+          }
+        } else {
+          addDeferredWarning("[swarm] auto_select_architect is enabled but no architect agents were found in the generated set. The option has no effect.");
+        }
+      }
       opencodeConfig.command = {
         ...opencodeConfig.command || {},
         swarm: {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.21.4",
+	"version": "7.22.0",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",