opencode-swarm 7.63.0 → 7.64.0

package/dist/memory/schema.d.ts

@@ -213,9 +213,9 @@ export declare const MemoryProposalSchema: z.ZodObject<{
     rationale: z.ZodString;
     evidenceRefs: z.ZodArray<z.ZodString>;
     status: z.ZodEnum<{
-        approved: "approved";
-        rejected: "rejected";
         pending: "pending";
+        rejected: "rejected";
+        approved: "approved";
         applied: "applied";
         superseded: "superseded";
     }>;

package/dist/services/external-skill-store.d.ts

@@ -0,0 +1,96 @@
+/**
+ * External skill candidate quarantine store.
+ *
+ * Manages external skill candidates persisted as individual JSON files under
+ * `.swarm/skills/candidates/<uuid>.json`.  Each candidate goes through a
+ * quarantine lifecycle (pending → in_review → quarantined → passed/rejected →
+ * promoted/revoked) before it can be activated as a generated skill.
+ *
+ * All writes are atomic (temp-file + rename) via `atomicWriteFile` from the
+ * evidence subsystem.  File-system I/O is funnelled through `_internals` so
+ * that tests can replace individual operations without cross-module mock
+ * leakage (Bun's `mock.module` is intentionally avoided for I/O seams).
+ *
+ * Invariants:
+ *   - Candidate IDs are UUID v4 (cryptographically random), never derived from
+ *     user input, to prevent path-traversal attacks.
+ *   - `passed`, `promoted`, and `revoked` candidates are NEVER evicted.
+ *   - The store directory is derived from the injected `directory` parameter
+ *     (typically `ctx.directory`); no `process.cwd()` calls.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs/promises';
+import type { ExternalSkillCandidate, ExternalSkillCandidateEvaluationVerdict } from '../config/schema';
+import { atomicWriteFile } from '../evidence/task-file';
+/** Configuration for the store. */
+export interface ExternalSkillStoreConfig {
+    /** Maximum number of candidates before FIFO eviction kicks in. */
+    max_candidates: number;
+}
+/** Optional filters for listing candidates. */
+export interface ExternalSkillListFilter {
+    /** Restrict to candidates with this evaluation verdict. */
+    verdict?: ExternalSkillCandidateEvaluationVerdict;
+    /** Restrict to candidates from this source type (e.g. 'github'). */
+    source_type?: string;
+    /** Restrict to candidates with this exact source URL. */
+    source_url?: string;
+    /** ISO datetime — only return candidates fetched at or after this time. */
+    since?: string;
+}
+/** Patch fields accepted by `update`. */
+export type ExternalSkillCandidatePatch = Partial<Pick<ExternalSkillCandidate, 'evaluation_verdict' | 'risk_flags' | 'evaluation_history' | 'skill_name' | 'skill_description'>>;
+/**
+ * Public interface returned by the factory function.
+ *
+ * Every method is scoped to the store directory derived at creation time.
+ */
+export interface ExternalSkillStore {
+    /** Create a new candidate and persist it atomically. */
+    add(candidate: Omit<ExternalSkillCandidate, 'id'>): Promise<ExternalSkillCandidate>;
+    /** Read a single candidate by UUID. Returns `null` if not found. */
+    get(id: string): Promise<ExternalSkillCandidate | null>;
+    /** List candidates with optional filters, sorted by `fetched_at` descending. */
+    list(filter?: ExternalSkillListFilter): Promise<ExternalSkillCandidate[]>;
+    /** Patch an existing candidate (read-modify-write). Appends to `evaluation_history`. */
+    update(id: string, patch: ExternalSkillCandidatePatch): Promise<ExternalSkillCandidate | null>;
+    /** Remove a candidate file. Returns `true` if the file existed and was deleted. */
+    delete(id: string): Promise<boolean>;
+    /**
+     * Evict the oldest `pending` or `rejected` candidates when the store
+     * exceeds `max_candidates`.  Never evicts `passed`, `promoted`, or
+     * `revoked` candidates.  Returns the number of evicted files.
+     */
+    evictIfNeeded(): Promise<number>;
+}
+/**
+ * Dependency-injection seam for testing.
+ *
+ * Tests can temporarily replace individual entries to exercise failure paths
+ * (e.g. file-not-found, permission errors) without `mock.module` leakage.
+ * Restore each entry in `afterEach` via the saved original reference.
+ */
+export declare const _internals: {
+    /** UUID generator — default is `crypto.randomUUID()`. */
+    randomUUID: typeof crypto.randomUUID;
+    /** Async filesystem operations. */
+    fs: {
+        mkdir: typeof fs.mkdir;
+        readFile: typeof fs.readFile;
+        readdir: typeof fs.readdir;
+        unlink: typeof fs.unlink;
+    };
+    /** Atomic write primitive (temp-file + rename). */
+    atomicWriteFile: typeof atomicWriteFile;
+};
+/**
+ * Create an `ExternalSkillStore` scoped to the given project root directory.
+ *
+ * The store persists candidate files under
+ * `<directory>/.swarm/skills/candidates/<uuid>.json`.
+ *
+ * @param directory — Project root (typically `ctx.directory`). Must NOT contain
+ *                   user-controlled path components.
+ * @param config   — Store configuration including capacity limits.
+ */
+export declare function createExternalSkillStore(directory: string, config: ExternalSkillStoreConfig): ExternalSkillStore;

package/dist/services/external-skill-validator.d.ts

@@ -0,0 +1,160 @@
+/**
+ * Validation gates for external skill candidates.
+ *
+ * Provides shared types and individual gate functions that scan candidate
+ * fields for security threats (prompt injection, unsafe instructions,
+ * provenance integrity).  Each gate returns a structured `ValidationGateResult`
+ * that the curation pipeline can use to block, warn, or pass a candidate.
+ *
+ * Gate 1 — `scanPromptInjection`: static regex-based detection of prompt-
+ * injection patterns, prototype pollution, script injection, and obfuscated
+ * content in candidate fields.  Severity is modulated by the candidate's trust
+ * level (FR-004).
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillCandidate } from '../config/schema';
+/** Result from a single validation gate scan. */
+export interface ValidationGateResult {
+    /** Which gate produced this result. */
+    gate: 'prompt_injection' | 'unsafe_instructions' | 'provenance_integrity';
+    /** Overall pass/fail/warn verdict. */
+    verdict: 'pass' | 'fail' | 'warn';
+    /** Individual findings from the scan. */
+    findings: ValidationFinding[];
+    /** The candidate fields that were scanned. */
+    fields_scanned: string[];
+}
+/** A single finding from a validation gate. */
+export interface ValidationFinding {
+    /** What was detected. */
+    pattern: string;
+    /** Which candidate field triggered the finding. */
+    field: string;
+    /** Human-readable description. */
+    description: string;
+    /**
+     * Severity: 'error' blocks promotion, 'warning' is advisory
+     * (unless trust_level=low).
+     */
+    severity: 'error' | 'warning';
+    /** The matched text snippet (truncated to 100 chars for safety). */
+    match: string;
+}
+/** Result of running all validation gates against a candidate. */
+export interface CandidateEvaluationResult {
+    /** Individual gate results. */
+    gate_results: ValidationGateResult[];
+    /** Aggregated verdict across all gates. */
+    overall_verdict: 'passed' | 'quarantined';
+    /** All findings from all gates combined. */
+    all_findings: ValidationFinding[];
+    /** Risk flags derived from findings (unique pattern names). */
+    risk_flags: string[];
+}
+/** Describes a single detection pattern used by the prompt-injection gate. */
+export interface PromptInjectionPattern {
+    /** Regex to test against field text. */
+    pattern: RegExp;
+    /** Human-readable name for the pattern. */
+    name: string;
+    /** Description shown in findings. */
+    description: string;
+    /** Base severity before trust-level modulation. */
+    severity: 'error' | 'warning';
+}
+/**
+ * Static regex patterns for the prompt-injection gate (FR-004).
+ *
+ * ERROR-severity patterns always block promotion.  WARNING-severity patterns
+ * are modulated by the candidate's trust level:
+ *   - trust_level='low'  → warnings promoted to errors
+ *   - trust_level='medium'/'high' → warnings stay warnings
+ */
+export declare const PROMPT_INJECTION_PATTERNS: PromptInjectionPattern[];
+/** Describes a single detection pattern used by the unsafe-instruction gate. */
+export interface UnsafeInstructionPattern {
+    /** Regex to test against field text. */
+    pattern: RegExp;
+    /** Human-readable name for the pattern. */
+    name: string;
+    /** Description shown in findings. */
+    description: string;
+    /** Base severity before trust-level modulation. */
+    severity: 'error' | 'warning';
+}
+/**
+ * Static regex patterns for the unsafe-instruction gate.
+ *
+ * Extends the DANGEROUS_COMMAND_PATTERNS and SECURITY_DEGRADING_PATTERNS from
+ * knowledge-validator.ts with additional destructive command, privilege
+ * escalation, shell execution, security bypass, and data exfiltration patterns.
+ *
+ * ERROR-severity patterns always block promotion.  WARNING-severity patterns
+ * are modulated by the candidate's trust level:
+ *   - trust_level='low'  → warnings promoted to errors
+ *   - trust_level='medium'/'high' → warnings stay warnings
+ */
+export declare const UNSAFE_INSTRUCTION_PATTERNS: UnsafeInstructionPattern[];
+/** Rate limit defaults for validation operations (FR-007). */
+export declare const VALIDATION_RATE_LIMITS: {
+    /** Maximum candidates per discovery invocation. */
+    readonly max_candidates_per_discovery: 50;
+    /** Maximum concurrent fetch operations. */
+    readonly max_concurrent_fetches: 5;
+    /** Timeout for individual fetch operations in milliseconds. */
+    readonly fetch_timeout_ms: 30000;
+};
+/**
+ * Scan an external skill candidate for prompt-injection patterns.
+ *
+ * Returns a `ValidationGateResult` with gate=`'prompt_injection'`.
+ * The verdict is modulated by `trustLevel`:
+ *   - `'low'`: warnings promoted to errors → verdict is `'fail'` if any finding.
+ *   - `'medium'`/`'high'`: warnings stay warnings → verdict is `'warn'` if only
+ *     warnings, `'fail'` if any error-severity finding.
+ */
+export declare function scanPromptInjection(candidate: ExternalSkillCandidate, trustLevel?: 'low' | 'medium' | 'high'): ValidationGateResult;
+/**
+ * Scan an external skill candidate for unsafe instruction patterns.
+ *
+ * Covers destructive commands, privilege escalation, shell execution
+ * vectors, security bypass instructions, and data exfiltration indicators.
+ *
+ * Returns a `ValidationGateResult` with gate=`'unsafe_instructions'`.
+ * The verdict is modulated by `trustLevel`:
+ *   - `'low'`: warnings promoted to errors → verdict is `'fail'` if any finding.
+ *   - `'medium'`/`'high'`: warnings stay warnings → verdict is `'warn'` if only
+ *     warnings, `'fail'` if any error-severity finding.
+ */
+export declare function scanUnsafeInstructions(candidate: ExternalSkillCandidate, trustLevel?: 'low' | 'medium' | 'high'): ValidationGateResult;
+/**
+ * Scan an external skill candidate for provenance field integrity.
+ *
+ * Validates SHA-256 hash format, fetched_at timing (not in future, not stale),
+ * source_url validity, publisher presence, and content-hash verification.
+ *
+ * Returns a `ValidationGateResult` with gate=`'provenance_integrity'`.
+ * The verdict is modulated by `trustLevel`:
+ *   - `'low'`: warnings promoted to errors → verdict is `'fail'` if any finding.
+ *   - `'medium'`/`'high'`: warnings stay warnings → verdict is `'warn'` if only
+ *     warnings, `'fail'` if any error-severity finding.
+ */
+export declare function scanProvenanceIntegrity(candidate: ExternalSkillCandidate, trustLevel?: 'low' | 'medium' | 'high', ttlDays?: number): ValidationGateResult;
+/**
+ * Run all three validation gates against a candidate and produce an
+ * aggregated evaluation result (FR-004, FR-007).
+ *
+ * Gates are run sequentially: prompt-injection → unsafe-instructions →
+ * provenance-integrity.  Any gate that returns `'fail'` causes the overall
+ * verdict to be `'quarantined'`.  Warnings are advisory unless trust_level
+ * is `'low'` (which promotes them to errors inside each gate).
+ */
+export declare function evaluateCandidate(candidate: ExternalSkillCandidate, options?: {
+    trust_level?: 'low' | 'medium' | 'high';
+    ttl_days?: number;
+}): CandidateEvaluationResult;
+export declare const _internals: {
+    getTimestamp: () => string;
+    computeSha256: (content: string) => string;
+};

package/dist/tools/external-skill-delete.d.ts

@@ -0,0 +1,16 @@
+/**
+ * external_skill_delete — Delete an external skill candidate from the quarantine store.
+ *
+ * Removes a candidate by ID.  If the candidate was previously promoted, the
+ * promoted skill in `.opencode/skills/generated/` is NOT affected — it must be
+ * separately retired or revoked.  Returns a disabled message when
+ * external_skills.curation_enabled is false.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+};
+export declare const external_skill_delete: ReturnType<typeof createSwarmTool>;

package/dist/tools/external-skill-discover.d.ts

@@ -0,0 +1,21 @@
+/**
+ * external_skill_discover — Discover external skill candidates from configured sources.
+ *
+ * Fetches skill content from URLs or accepts manual imports, validates them
+ * through the security gates (prompt-injection, unsafe-instructions,
+ * provenance-integrity), and stores them as quarantined candidates in the
+ * external skill store.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    fetchContent: (_url: string, _timeoutMs: number) => Promise<{
+        content: string;
+        finalUrl: string;
+    }>;
+    getTimestamp: () => string;
+    computeSha256: (content: string) => string;
+    uuid: () => string;
+};
+export declare const external_skill_discover: ReturnType<typeof createSwarmTool>;

package/dist/tools/external-skill-inspect.d.ts

@@ -0,0 +1,15 @@
+/**
+ * external_skill_inspect — Inspect a specific external skill candidate by ID.
+ *
+ * Read-only tool that returns the full candidate record including provenance,
+ * skill_body, and evaluation_history.  Returns a disabled message when
+ * external_skills.curation_enabled is false.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+};
+export declare const external_skill_inspect: ReturnType<typeof createSwarmTool>;

package/dist/tools/external-skill-list.d.ts

@@ -0,0 +1,15 @@
+/**
+ * external_skill_list — List external skill candidates in the quarantine store.
+ *
+ * Read-only tool that returns candidate summaries filtered by evaluation verdict,
+ * source type, or date range.  Returns a disabled message when
+ * external_skills.curation_enabled is false.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+};
+export declare const external_skill_list: ReturnType<typeof createSwarmTool>;

package/dist/tools/external-skill-promote.d.ts

@@ -0,0 +1,20 @@
+/**
+ * external_skill_promote — Promote a validated external skill candidate to an
+ * active generated skill.
+ *
+ * Re-runs all three validation gates (TOCTOU re-validation).  Requires explicit
+ * user approval (`approver='user'`).  Writes SKILL.md to
+ * `.opencode/skills/generated/<slug>/` with provenance frontmatter.  Stamps the
+ * candidate as promoted and creates an audit record.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+    getTimestamp: () => string;
+    fileExists: (filePath: string) => Promise<boolean>;
+    writeSkillFile: (filePath: string, content: string) => Promise<void>;
+};
+export declare const external_skill_promote: ReturnType<typeof createSwarmTool>;

package/dist/tools/external-skill-reject.d.ts

@@ -0,0 +1,15 @@
+/**
+ * external_skill_reject — Reject an external skill candidate after evaluation.
+ *
+ * Marks a candidate as rejected with a user-provided reason.  Records the
+ * state transition in evaluation_history with timestamp, actor, and reason.
+ * Returns a disabled message when external_skills.curation_enabled is false.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+};
+export declare const external_skill_reject: ReturnType<typeof createSwarmTool>;

package/dist/tools/external-skill-revoke.d.ts

@@ -0,0 +1,17 @@
+/**
+ * external_skill_revoke — Revoke a previously promoted external skill.
+ *
+ * Atomically retires the SKILL.md from `.opencode/skills/generated/<slug>/`
+ * and stamps the candidate with evaluation_verdict: 'revoked'.  The candidate
+ * stays in quarantine for forensic audit.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+    getTimestamp: () => string;
+    retireSkillFile: (filePath: string) => Promise<boolean>;
+};
+export declare const external_skill_revoke: ReturnType<typeof createSwarmTool>;

package/dist/tools/index.d.ts

@@ -18,6 +18,13 @@ export { diff_summary } from './diff-summary';
 export { doc_extract, doc_scan } from './doc-scan';
 export { detect_domains } from './domain-detector';
 export { evidence_check } from './evidence-check';
+export { external_skill_delete } from './external-skill-delete';
+export { external_skill_discover } from './external-skill-discover';
+export { external_skill_inspect } from './external-skill-inspect';
+export { external_skill_list } from './external-skill-list';
+export { external_skill_promote } from './external-skill-promote';
+export { external_skill_reject } from './external-skill-reject';
+export { external_skill_revoke } from './external-skill-revoke';
 export { extract_code_blocks } from './file-extractor';
 export { get_approved_plan } from './get-approved-plan';
 export { get_qa_gate_profile } from './get-qa-gate-profile';

package/dist/tools/manifest.d.ts

@@ -108,4 +108,11 @@ export declare const TOOL_MANIFEST: {
     lean_turbo_run_phase: () => ToolDefinition;
     lean_turbo_status: () => ToolDefinition;
     apply_patch: () => ToolDefinition;
+    external_skill_discover: () => ToolDefinition;
+    external_skill_list: () => ToolDefinition;
+    external_skill_inspect: () => ToolDefinition;
+    external_skill_promote: () => ToolDefinition;
+    external_skill_reject: () => ToolDefinition;
+    external_skill_delete: () => ToolDefinition;
+    external_skill_revoke: () => ToolDefinition;
 };

package/dist/tools/tool-metadata.d.ts

@@ -363,6 +363,34 @@ export declare const TOOL_METADATA: {
         description: string;
         agents: "coder"[];
     };
+    external_skill_discover: {
+        description: string;
+        agents: never[];
+    };
+    external_skill_list: {
+        description: string;
+        agents: never[];
+    };
+    external_skill_inspect: {
+        description: string;
+        agents: never[];
+    };
+    external_skill_promote: {
+        description: string;
+        agents: never[];
+    };
+    external_skill_reject: {
+        description: string;
+        agents: never[];
+    };
+    external_skill_delete: {
+        description: string;
+        agents: never[];
+    };
+    external_skill_revoke: {
+        description: string;
+        agents: never[];
+    };
 };
 /** Union type of all valid tool names (the metadata keys). */
 export type ToolName = keyof typeof TOOL_METADATA;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.63.0",
+	"version": "7.64.0",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",