opencode-swarm 7.44.1 → 7.46.0

package/dist/sandbox/executors/windows.d.ts

@@ -1 +1,2 @@
-export { WindowsSandboxExecutor } from '../win32/restricted-token-executor';
+export { NativeWindowsSandboxExecutor as WindowsSandboxExecutor } from '../win32/native-sandbox-executor';
+export { WindowsSandboxExecutor as LegacyWindowsSandboxExecutor } from '../win32/restricted-environment-executor';

package/dist/sandbox/win32/native-sandbox-executor.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Windows native sandbox executor.
+ *
+ * Prefers the native swarm-sandbox-runner binary for true OS-level isolation
+ * (AppContainer or restricted token). Falls back to the PowerShell-based
+ * environment executor when the runner binary is unavailable.
+ *
+ * The public API matches SandboxExecutor, but wrapCommand is not the primary
+ * execution path when the native runner is available — execute() provides
+ * the full sandbox lifecycle with NDJSON events.
+ */
+import type { SandboxExecutor } from '../executor';
+import { type RunnerExecuteResult, type RunnerProbeResult } from './runner-client';
+export type SandboxStrength = 'strong' | 'weak' | 'none';
+/**
+ * Native Windows sandbox executor with runner-first, PowerShell-fallback strategy.
+ */
+export declare class NativeWindowsSandboxExecutor implements SandboxExecutor {
+    readonly mechanism: string;
+    private readonly _probeResult;
+    private readonly _fallbackExecutor;
+    private readonly _strength;
+    private _disabled;
+    private _disabledReason;
+    constructor(scopePaths?: string[], tempDir?: string);
+    /** Sandbox strength: 'strong' (native runner), 'weak' (PowerShell), 'none'. */
+    get strength(): SandboxStrength;
+    isAvailable(): boolean;
+    disable(reason: string): void;
+    /**
+     * Wrap a command for execution.
+     *
+     * When the native runner is available, generates a command that pipes
+     * the policy JSON to the runner binary via a temp file. This keeps the
+     * existing guardrails flow (modify args.command → shell executes) while
+     * providing real OS-level sandboxing.
+     *
+     * When the runner is unavailable, falls back to the PowerShell wrapper.
+     */
+    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
+    private _wrapWithRunner;
+    getEnvOverrides(): Record<string, string | null>;
+    /**
+     * Execute a command in the native sandbox.
+     *
+     * Only available when strength is 'strong'. Falls back to wrapCommand
+     * for weak sandbox mode.
+     */
+    executeNative(command: string[], workspaceRoot: string, runId?: string): Promise<RunnerExecuteResult>;
+    /** Whether the native runner is available for direct execution. */
+    get hasNativeRunner(): boolean;
+    /** The reason the sandbox was disabled, or null if not disabled. */
+    get disabledReason(): string | null;
+    /** Probe result from the native runner. */
+    get probeResult(): RunnerProbeResult;
+}

package/dist/sandbox/win32/restricted-environment-executor.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Windows Restricted Environment sandbox executor (legacy fallback).
+ *
+ * Wraps shell commands with a PowerShell-based sandbox approach to restrict
+ * process capabilities on Windows. This is the "weak" sandbox used when the
+ * native swarm-sandbox-runner binary is not available.
+ *
+ * Windows does not have a native sandbox mechanism equivalent to Linux bwrap
+ * or macOS sandbox-exec that is accessible from Node.js without native bindings.
+ * This executor provides best-effort sandboxing via:
+ *   - Environment variable scrubbing (removing dangerous vars)
+ *   - PATH restriction to safe system paths only
+ *   - Scoped temp directory
+ *   - PowerShell wrapper for command execution
+ *
+ * For true OS-level sandboxing (AppContainer, Restricted Token, Low Integrity),
+ * native Windows APIs (CreateAppContainerToken, CreateRestrictedToken) are required.
+ */
+import type { SandboxExecutor } from '../executor';
+/**
+ * Check whether the Windows sandbox mechanism is present and functional.
+ * Uses spawnSync to probe synchronously without throwing.
+ *
+ * On Windows, this verifies that basic command execution works.
+ * A failure here indicates the sandbox cannot be initialized and should
+ * degrade gracefully to passthrough mode.
+ */
+declare function probeWindowsSandbox(): boolean;
+/**
+ * DI seam for testability. Exposes the probe function so tests can simulate
+ * unavailable sandbox conditions without requiring a real Windows environment.
+ */
+export declare const _internals: {
+    probeWindowsSandbox: typeof probeWindowsSandbox;
+};
+/**
+ * Windows Restricted Token sandbox executor.
+ *
+ * Provides best-effort process sandboxing via PowerShell environment restrictions.
+ * True OS-level sandboxing requires native Windows API bindings.
+ */
+export declare class WindowsSandboxExecutor implements SandboxExecutor {
+    /** Human-readable mechanism identifier */
+    readonly mechanism = "powershell-wrapper";
+    private readonly _scopePaths;
+    private readonly _tempDir;
+    private _available;
+    private _disabled;
+    private _disabledReason;
+    /**
+     * @param scopePaths - Absolute paths the sandboxed process may write to
+     * @param tempDir   - Optional temp directory path (defaults to system temp)
+     */
+    constructor(scopePaths?: string[], tempDir?: string);
+    /**
+     * Returns true when the Windows sandbox is available and has not been disabled.
+     */
+    isAvailable(): boolean;
+    /**
+     * Disable the sandbox with a reason. Allows external code to force
+     * fallback to unwrapped execution (e.g., for testing, explicit opt-out,
+     * or when initialization fails).
+     *
+     * After calling disable():
+     * - isAvailable() returns false
+     * - wrapCommand() returns the raw command unchanged (passthrough)
+     */
+    disable(reason: string): void;
+    /**
+     * Wrap a shell command string with PowerShell-based sandbox restrictions.
+     *
+     * The wrapper:
+     *   - Sets scoped temp directory (%TEMP%, %TMP%)
+     *   - Restricts PATH to safe system paths only
+     *   - Removes dangerous environment variables that could be used to bypass restrictions
+     *   - Executes the command via cmd /c inside a PowerShell script
+     *
+     * @param command   - Raw shell command to execute inside the sandbox
+     * @param scopePaths - Additional scope paths to allow (merged with constructor scope)
+     * @param tempDir   - Optional temp directory override
+     * @returns A PowerShell-wrapped command string ready for shell execution,
+     *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     */
+    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
+    /**
+     * Return environment variable overrides required for the Windows sandbox.
+     *
+     * Security measures:
+     *   - PATH is restricted to essential Windows system directories only
+     *   - TEMP/TMP are set to null (will be set to scoped temp at runtime via wrapCommand)
+     *   - Dangerous variables that don't apply to Windows are cleared for completeness
+     */
+    getEnvOverrides(): Record<string, string | null>;
+}
+export {};

package/dist/sandbox/win32/restricted-token-executor.d.ts

@@ -1,94 +1,9 @@
 /**
- * Windows Restricted Token sandbox executor.
+ * Backwards-compatibility re-export.
  *
- * Wraps shell commands with a PowerShell-based sandbox approach to restrict
- * process capabilities on Windows.
- *
- * Windows does not have a native sandbox mechanism equivalent to Linux bwrap
- * or macOS sandbox-exec that is accessible from Node.js without native bindings.
- * This executor provides best-effort sandboxing via:
- *   - Environment variable scrubbing (removing dangerous vars)
- *   - PATH restriction to safe system paths only
- *   - Scoped temp directory
- *   - PowerShell wrapper for command execution
- *
- * For true OS-level sandboxing (AppContainer, Restricted Token, Low Integrity),
- * native Windows APIs (CreateAppContainerToken, CreateRestrictedToken) are required.
- */
-import type { SandboxExecutor } from '../executor';
-/**
- * Check whether the Windows sandbox mechanism is present and functional.
- * Uses spawnSync to probe synchronously without throwing.
- *
- * On Windows, this verifies that basic command execution works.
- * A failure here indicates the sandbox cannot be initialized and should
- * degrade gracefully to passthrough mode.
- */
-declare function probeWindowsSandbox(): boolean;
-/**
- * DI seam for testability. Exposes the probe function so tests can simulate
- * unavailable sandbox conditions without requiring a real Windows environment.
- */
-export declare const _internals: {
-    probeWindowsSandbox: typeof probeWindowsSandbox;
-};
-/**
- * Windows Restricted Token sandbox executor.
- *
- * Provides best-effort process sandboxing via PowerShell environment restrictions.
- * True OS-level sandboxing requires native Windows API bindings.
+ * The implementation has moved to restricted-environment-executor.ts to
+ * clarify that this is environment scrubbing, not real token restriction.
+ * The native sandbox runner (swarm-sandbox-runner.exe) provides true
+ * OS-level isolation via runner-client.ts.
  */
-export declare class WindowsSandboxExecutor implements SandboxExecutor {
-    /** Human-readable mechanism identifier */
-    readonly mechanism = "powershell-wrapper";
-    private readonly _scopePaths;
-    private readonly _tempDir;
-    private _available;
-    private _disabled;
-    private _disabledReason;
-    /**
-     * @param scopePaths - Absolute paths the sandboxed process may write to
-     * @param tempDir   - Optional temp directory path (defaults to system temp)
-     */
-    constructor(scopePaths?: string[], tempDir?: string);
-    /**
-     * Returns true when the Windows sandbox is available and has not been disabled.
-     */
-    isAvailable(): boolean;
-    /**
-     * Disable the sandbox with a reason. Allows external code to force
-     * fallback to unwrapped execution (e.g., for testing, explicit opt-out,
-     * or when initialization fails).
-     *
-     * After calling disable():
-     * - isAvailable() returns false
-     * - wrapCommand() returns the raw command unchanged (passthrough)
-     */
-    disable(reason: string): void;
-    /**
-     * Wrap a shell command string with PowerShell-based sandbox restrictions.
-     *
-     * The wrapper:
-     *   - Sets scoped temp directory (%TEMP%, %TMP%)
-     *   - Restricts PATH to safe system paths only
-     *   - Removes dangerous environment variables that could be used to bypass restrictions
-     *   - Executes the command via cmd /c inside a PowerShell script
-     *
-     * @param command   - Raw shell command to execute inside the sandbox
-     * @param scopePaths - Additional scope paths to allow (merged with constructor scope)
-     * @param tempDir   - Optional temp directory override
-     * @returns A PowerShell-wrapped command string ready for shell execution,
-     *          or the raw command string when the sandbox is unavailable (passthrough mode)
-     */
-    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
-    /**
-     * Return environment variable overrides required for the Windows sandbox.
-     *
-     * Security measures:
-     *   - PATH is restricted to essential Windows system directories only
-     *   - TEMP/TMP are set to null (will be set to scoped temp at runtime via wrapCommand)
-     *   - Dangerous variables that don't apply to Windows are cleared for completeness
-     */
-    getEnvOverrides(): Record<string, string | null>;
-}
-export {};
+export { _internals, WindowsSandboxExecutor, } from './restricted-environment-executor';

package/dist/sandbox/win32/runner-client.d.ts

@@ -0,0 +1,120 @@
+/**
+ * TypeScript client for the swarm-sandbox-runner native Windows sandbox.
+ *
+ * Spawns the Rust binary as a bounded subprocess to execute commands under
+ * real OS-level isolation (AppContainer or restricted token). Communicates
+ * via JSON policy on stdin and NDJSON events on stderr.
+ *
+ * Invariant 1 compliance: probe() is bounded to 2s timeout and fails open.
+ * Invariant 3 compliance: all spawns use explicit cwd, stdin, timeout, and
+ * kill() in finally blocks.
+ */
+import { spawn, spawnSync } from 'node:child_process';
+/** Result of probing the runner binary for capabilities. */
+export interface RunnerProbeResult {
+    available: boolean;
+    mode: 'app-container' | 'restricted-token' | 'none';
+    capabilities: {
+        app_container_available: boolean;
+        lpac_available: boolean;
+        restricted_token_available: boolean;
+        private_desktop_creatable: boolean;
+        integrity_level: string;
+        is_admin: boolean;
+        os_version: string;
+        arch: string;
+    } | null;
+    error?: string;
+}
+/** NDJSON event emitted by the runner on stderr. */
+export interface RunnerEvent {
+    type: 'start' | 'denial' | 'quota_exceeded' | 'exit';
+    run_id?: string;
+    mode?: string;
+    pid?: number;
+    reason?: string;
+    path?: string;
+    kind?: string;
+    used_bytes?: number;
+    cap_bytes?: number;
+    elapsed_ms?: number;
+    cap_ms?: number;
+    exit_code?: number;
+    signal?: string | null;
+    ts?: string;
+}
+/** Result of executing a command in the sandbox. */
+export interface RunnerExecuteResult {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+    events: RunnerEvent[];
+    mode: string;
+}
+/** Exit codes from the runner binary (stable, do not renumber). */
+export declare const RUNNER_EXIT_CODES: {
+    readonly SUCCESS: 0;
+    readonly CHILD_NON_ZERO: 1;
+    readonly POLICY_VIOLATION: 64;
+    readonly QUOTA_EXCEEDED: 65;
+    readonly WALL_CLOCK_TIMEOUT: 66;
+    readonly LAUNCHER_MISCONFIG: 67;
+    readonly OS_API_FAILURE: 68;
+    readonly PROBE_FAILED: 69;
+};
+/** Sandbox policy passed to the runner via stdin. */
+export interface SandboxPolicy {
+    schema_version: 1;
+    run_id: string;
+    workspace_roots: string[];
+    writable_roots: string[];
+    read_only_subpaths: string[];
+    temp_root: string;
+    temp_cap_bytes: number;
+    memory_cap_bytes: number;
+    child_process_cap: number;
+    wall_clock_timeout_ms: number;
+    network_mode: 'off' | 'on';
+    env_allowlist: string[];
+    env_overrides: Record<string, string>;
+    path_stubs: string[];
+    private_desktop: boolean;
+    deny_alternate_data_streams: boolean;
+    deny_unc_paths: boolean;
+    deny_device_paths: boolean;
+    deny_symlink_egress: boolean;
+}
+/**
+ * DI seam for testability. Exposes internal functions so tests can simulate
+ * runner binary behavior without requiring the actual binary.
+ */
+export declare const _internals: {
+    findRunnerBinary: () => string | null;
+    spawnRunner: typeof spawnSync;
+    spawnAsync: typeof spawn;
+};
+/**
+ * Probe the runner binary for capabilities.
+ *
+ * Bounded to 2s timeout per Invariant 1 (fast, bounded, fail-open).
+ * Results are cached for the session lifetime.
+ */
+export declare function probe(): RunnerProbeResult;
+/**
+ * Execute a command inside the native sandbox.
+ *
+ * @param command - The command and arguments to run
+ * @param policy  - Sandbox policy configuration
+ * @param mode    - Sandbox mode (auto, app-container, restricted-token)
+ * @returns Execution result with exit code, output, and events
+ */
+export declare function execute(command: string[], policy: SandboxPolicy, mode?: 'auto' | 'app-container' | 'restricted-token'): Promise<RunnerExecuteResult>;
+/**
+ * Reset the cached probe result — useful for testing.
+ * @internal
+ */
+export declare function _resetProbeCache(): void;
+/**
+ * Build a default sandbox policy for a given workspace.
+ */
+export declare function buildDefaultPolicy(workspaceRoot: string, runId?: string): SandboxPolicy;

package/dist/tools/diff.d.ts

@@ -13,6 +13,10 @@ export interface DiffResult {
     astDiffs?: ASTDiffResult[];
     semanticSummary?: SemanticDiffSummary;
     markdownSummary?: string;
+    /**
+     * @deprecated This field is no longer computed and will be removed in a future version.
+     * It is retained for backward compatibility with existing consumers.
+     */
     astSkippedCount?: number;
 }
 export interface DiffErrorResult {

package/dist/tools/test-runner.d.ts

@@ -1,4 +1,5 @@
 import type { tool } from '@opencode-ai/plugin';
+import { getAllHistory, type TestRunRecord } from '../test-impact/history-store.js';
 export declare const MAX_OUTPUT_BYTES = 512000;
 export declare const MAX_COMMAND_LENGTH = 500;
 export declare const DEFAULT_TIMEOUT_MS = 60000;
@@ -127,4 +128,10 @@ export declare function isLanguageSpecificTestFile(basename: string): boolean;
  */
 export declare function getTestFilesFromConvention(sourceFiles: string[], workingDir?: string): string[];
 export declare function runTests(framework: TestFramework, scope: 'all' | 'convention' | 'graph' | 'impact', files: string[], coverage: boolean, timeout_ms: number, cwd: string): Promise<TestResult>;
+declare function selectHistoryForAnalysis(history: ReturnType<typeof getAllHistory>): TestRunRecord[];
 export declare const test_runner: ReturnType<typeof tool>;
+export declare const _internals: {
+    readonly selectHistoryForAnalysis: typeof selectHistoryForAnalysis;
+    readonly AGGREGATE_TEST_NAME: "(aggregate)";
+};
+export {};

package/dist/utils/git-binary-missing-error.d.ts

@@ -0,0 +1,9 @@
+export declare class GitBinaryMissingError extends Error {
+    readonly name = "GitBinaryMissingError";
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+export declare function isGitBinaryMissing(err: unknown): err is {
+    code?: string;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.44.1",
+	"version": "7.46.0",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",