npm - opencode-swarm - Versions diffs - 7.52.2 → 7.53.0 - Mend

opencode-swarm 7.52.2 → 7.53.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +52 -31
package/dist/cli/index.js +205 -105
package/dist/commands/pr-feedback.d.ts +23 -0
package/dist/commands/pr-ref.d.ts +106 -0
package/dist/commands/pr-review.d.ts +8 -2
package/dist/commands/registry.d.ts +7 -0
package/dist/index.js +481 -329
package/dist/state.d.ts +16 -0
package/package.json +1 -1

package/dist/commands/pr-feedback.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Handle /swarm pr-feedback command.
+ *
+ * Triggers the architect to enter MODE: PR_FEEDBACK — the swarm workflow for
+ * ingesting and closing KNOWN pull-request feedback (review comments, requested
+ * changes, CI failures, merge conflicts, stale branches, pasted notes). This is
+ * distinct from /swarm pr-review, which discovers NEW findings.
+ *
+ * Input contract (PR reference is optional):
+ *   /swarm pr-feedback 155                         → feedback pass on PR 155
+ *   /swarm pr-feedback 155 also fix the lint errors → PR 155 + extra instructions
+ *   /swarm pr-feedback owner/repo#155               → shorthand
+ *   /swarm pr-feedback https://github.com/.../pull/155
+ *   /swarm pr-feedback                              → bare signal; architect builds
+ *                                                     the ledger from current PR/branch
+ *   /swarm pr-feedback address the review notes about error handling
+ *                                                   → no parseable PR ref ⇒ the whole
+ *                                                     input is forwarded as instructions
+ *
+ * PR-reference parsing and injection-hardening are shared with /swarm pr-review
+ * via ./pr-ref.ts.
+ */
+export declare function handlePrFeedbackCommand(directory: string, args: string[]): string;

package/dist/commands/pr-ref.d.ts ADDED Viewed

@@ -0,0 +1,106 @@
+/**
+ * Shared GitHub PR-reference parsing and sanitization for the
+ * `/swarm pr-review` and `/swarm pr-feedback` commands.
+ *
+ * Both commands accept a PR reference in three formats (full URL,
+ * `owner/repo#N`, or a bare PR number resolved against the `origin` remote)
+ * and may be followed by free-text instructions that are forwarded to the
+ * architect in the emitted `[MODE: ...]` signal. All parsing here is hardened
+ * against prompt injection: rival `[MODE: ...]` headers, query strings,
+ * fragments, and embedded credentials are stripped before the value is ever
+ * placed back into a signal string.
+ */
+import { execSync } from 'node:child_process';
+/**
+ * File-scoped indirection seam for the subprocess call. Tests override
+ * `_internals.execSync` (no `mock.module`) to assert the working directory is
+ * threaded through and to simulate a missing `origin` remote.
+ */
+export declare const _internals: {
+    execSync: typeof execSync;
+};
+/**
+ * Strip query strings, fragments, injected MODE headers, and credentials from
+ * a URL string.
+ */
+export declare function sanitizeUrl(raw: string): string;
+/**
+ * Sanitize free-text instructions so they cannot forge a competing MODE
+ * header, inject control sequences, or break out of the signal line.
+ * Collapses whitespace (including newlines), strips bracketed `[MODE: ...]`
+ * headers, and truncates to a bounded length.
+ */
+export declare function sanitizeInstructions(raw: string): string;
+/**
+ * Blocklist of private/localhost hostnames and IP ranges.
+ */
+export declare function isPrivateHost(url: URL): boolean;
+/**
+ * Validate and sanitize a GitHub PR URL.
+ * Returns the sanitized URL on success, or an error message on failure.
+ */
+export type ValidationResult = {
+    sanitized: string;
+} | {
+    error: string;
+};
+export declare function validateAndSanitizeUrl(rawUrl: string): ValidationResult;
+export interface ParsedPr {
+    owner: string;
+    repo: string;
+    number: number;
+}
+/**
+ * Parse a PR reference from three formats:
+ * 1. Full URL: https://github.com/owner/repo/pull/N
+ * 2. Shorthand: owner/repo#N
+ * 3. Bare number: N (resolved against the `origin` git remote in `cwd`)
+ */
+export declare function parsePrRef(input: string, cwd?: string): ParsedPr | null;
+/**
+ * Detect the `origin` remote URL from git config.
+ *
+ * `cwd` should be the project directory the command was invoked for. Without it
+ * the lookup runs in `process.cwd()`, which in a plugin host is frequently not
+ * the repository root — so bare-number PR resolution would silently fail or
+ * resolve against the wrong repo (invariant #3: subprocesses run in an explicit
+ * working directory).
+ */
+export declare function detectGitRemote(cwd?: string): string | null;
+/**
+ * Parse owner/repo from a git remote URL.
+ * Supports HTTPS (https://github.com/owner/repo.git) and SSH (git@github.com:owner/repo.git).
+ */
+export declare function parseGitRemoteUrl(remoteUrl: string): {
+    owner: string;
+    repo: string;
+} | null;
+/**
+ * Whether a token is *shaped* like a PR reference — a full `http(s)` URL, an
+ * `owner/repo#N` shorthand, or a bare number. This is intent detection, not
+ * validation: a token can look like a PR ref yet still fail to resolve (e.g. a
+ * bare number when no `origin` remote exists, or a non-GitHub URL). Callers that
+ * accept free-text fallbacks (pr-feedback) use this to tell "the user meant a PR
+ * reference but it didn't resolve" (surface an error) from "the user typed
+ * instructions" (forward them).
+ */
+export declare function looksLikePrRef(token: string): boolean;
+/**
+ * Resolve the leading token of a PR command's positional args into a validated
+ * GitHub PR URL, and collect any trailing tokens as free-text instructions.
+ *
+ * `rest` is the positional token list AFTER flag parsing (e.g. `--council`
+ * already removed). The first token is the PR reference; everything after it
+ * is sanitized and returned as `instructions` for forwarding in the MODE
+ * signal. `cwd` is the project directory used to resolve a bare PR number
+ * against the `origin` remote.
+ *
+ * Returns `null` when there are no positional tokens (caller shows usage).
+ */
+export type PrCommandInput = {
+    prUrl: string;
+    instructions: string;
+} | {
+    error: string;
+};
+export declare function resolvePrCommandInput(rest: string[], cwd?: string): PrCommandInput | null;

package/dist/commands/pr-review.d.ts CHANGED Viewed

@@ -2,10 +2,16 @@
  * Handle /swarm pr-review command.
  *
  * Triggers the architect to enter MODE: PR_REVIEW — the swarm PR review workflow.
- * Accepts PR URL in multiple formats and sanitizes inputs against injection.
+ * Accepts a PR reference in multiple formats (full URL, owner/repo#N, or a bare
+ * PR number resolved against the origin remote) optionally followed by
+ * free-text instructions, and sanitizes all inputs against injection.
  *
  * Flag parsing:
  *   --council       → appends council=true to emitted signal
+ *   <ref> <text...> → trailing text becomes forwarded instructions
  *   no args         → returns usage string (no throw)
+ *
+ * PR-reference parsing and sanitization are shared with /swarm pr-feedback via
+ * ./pr-ref.ts.
  */
-export declare function handlePrReviewCommand(_directory: string, args: string[]): string;
+export declare function handlePrReviewCommand(directory: string, args: string[]): string;

package/dist/commands/registry.d.ts CHANGED Viewed

@@ -308,6 +308,13 @@ export declare const COMMAND_REGISTRY: {
         readonly details: "Launches a structured PR review: reconstructs PR intent via obligation extraction cascade, runs 6 parallel explorer lanes (correctness, security, dependencies, docs-intent-vs-actual, tests, performance-architecture), validates findings through independent reviewer confirmation, applies critic challenge to HIGH/CRITICAL findings, synthesizes structured report. --council variant fires adversarial multi-model review. Supports full GitHub URL, owner/repo#N shorthand, or bare PR number (resolves against origin remote).";
         readonly category: "agent";
     };
+    readonly 'pr-feedback': {
+        readonly handler: (ctx: CommandContext) => Promise<string>;
+        readonly description: "Ingest and close known PR feedback (review comments, CI failures, conflicts) [pr] [instructions]";
+        readonly args: "[url|owner/repo#N|N] [instructions...]";
+        readonly details: "Triggers MODE: PR_FEEDBACK — ingests existing pull-request feedback (review threads, requested changes, CI/check failures, merge conflicts, stale branch state, pasted notes), verifies every claim against source, clusters related problems, fixes confirmed items, validates the branch, and reports closure status for every ledger item. Distinct from /swarm pr-review, which discovers new findings. The PR reference is optional: with none, the architect builds the ledger from the current PR/branch; text after the reference is forwarded as extra instructions. Supports full GitHub URL, owner/repo#N shorthand, or bare PR number (resolved against origin).";
+        readonly category: "agent";
+    };
     readonly 'deep-dive': {
         readonly handler: (ctx: CommandContext) => Promise<string>;
         readonly description: "Launch deep codebase audit with parallel explorer waves, dual reviewers, and critic challenge [scope]";