opencode-swarm 7.73.2 → 7.74.0
- package/.opencode/skills/swarm-pr-feedback/SKILL.md +19 -0
- package/dist/cli/index.js +194 -195
- package/dist/commands/_shared/url-security.d.ts +44 -0
- package/dist/commands/issue.d.ts +1 -1
- package/dist/commands/pr-ref.d.ts +2 -45
- package/dist/hooks/skill-usage-log.d.ts +13 -1
- package/dist/index.js +226 -205
- package/package.json +1 -1
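--- a/package/dist/commands/pr-ref.d.ts
+++ b/package/dist/commands/pr-ref.d.ts
@@ -10,20 +10,8 @@
 * fragments, and embedded credentials are stripped before the value is ever
 * placed back into a signal string.
 */
-import {
-
-* File-scoped indirection seam for the subprocess call. Tests override
-* `_internals.execSync` (no `mock.module`) to assert the working directory is
-* threaded through and to simulate a missing `origin` remote.
-*/
-export declare const _internals: {
-execSync: typeof execSync;
-};
-/**
-* Strip query strings, fragments, injected MODE headers, and credentials from
-* a URL string.
-*/
-export declare function sanitizeUrl(raw: string): string;
+import { _internals, detectGitRemote, parseGitRemoteUrl, sanitizeUrl, type ValidationResult } from './_shared/url-security.js';
+export { _internals, detectGitRemote, parseGitRemoteUrl, sanitizeUrl };
 /**
 * Sanitize free-text instructions so they cannot forge a competing MODE
 * header, inject control sequences, or break out of the signal line.
@@ -31,19 +19,6 @@ export declare function sanitizeUrl(raw: string): string;
 * headers, and truncates to a bounded length.
 */
 export declare function sanitizeInstructions(raw: string): string;
-/**
-* Blocklist of private/localhost hostnames and IP ranges.
-*/
-export declare function isPrivateHost(url: URL): boolean;
-/**
-* Validate and sanitize a GitHub PR URL.
-* Returns the sanitized URL on success, or an error message on failure.
-*/
-export type ValidationResult = {
-sanitized: string;
-} | {
-error: string;
-};
 export declare function validateAndSanitizeUrl(rawUrl: string): ValidationResult;
 export interface ParsedPr {
 owner: string;
@@ -57,24 +32,6 @@ export interface ParsedPr {
 * 3. Bare number: N (resolved against the `origin` git remote in `cwd`)
 */
 export declare function parsePrRef(input: string, cwd?: string): ParsedPr | null;
-/**
-* Detect the `origin` remote URL from git config.
-*
-* `cwd` should be the project directory the command was invoked for. Without it
-* the lookup runs in `process.cwd()`, which in a plugin host is frequently not
-* the repository root — so bare-number PR resolution would silently fail or
-* resolve against the wrong repo (invariant #3: subprocesses run in an explicit
-* working directory).
-*/
-export declare function detectGitRemote(cwd?: string): string | null;
-/**
-* Parse owner/repo from a git remote URL.
-* Supports HTTPS (https://github.com/owner/repo.git) and SSH (git@github.com:owner/repo.git).
-*/
-export declare function parseGitRemoteUrl(remoteUrl: string): {
-owner: string;
-repo: string;
-} | null;
 /**
 * Whether a token is *shaped* like a PR reference — a full `http(s)` URL, an
 * `owner/repo#N` shorthand, or a bare number. This is intent detection, not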
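Review bot: The re-export on new line 14 covers `_internals`, `detectGitRemote`, `parseGitRemoteUrl` and `sanitizeUrl`, but not `isPrivateHost` or the `ValidationResult` type, which the second hunk removes from this file. Anything that imported either of them from `pr-ref` stops compiling on what is labelled a minor release, and `validateAndSanitizeUrl` still returns `ValidationResult`, a type callers can now name only by importing from `_shared/url-security`. If url-security.js exports both (its declarations are not shown here), I would extend the line to `export { _internals, detectGitRemote, isPrivateHost, parseGitRemoteUrl, sanitizeUrl, type ValidationResult };`. The doc comment that described `validateAndSanitizeUrl` was removed together with the type, so the function is left undocumented in this file. The re-exported `_internals` also lost its comment here, and since it presumably still carries the writable `execSync` seam, a one-line `/** Test-only seam; do not use or reassign in production code. */` above the export would keep that intent visible.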
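--- a/package/dist/hooks/skill-usage-log.d.ts
+++ b/package/dist/hooks/skill-usage-log.d.ts
@@ -17,7 +17,9 @@ export interface SkillUsageEntry {
 taskID: string;
 /** ISO 8601 timestamp of the event. */
 timestamp: string;
-/** Compliance outcome — 'compliant' | '
+/** Compliance outcome — 'compliant' | 'partial' | 'violated' | 'not_checked' | custom.
+* Legacy on-disk entries may carry the pre-fix spelling 'violation'; these are
+* normalized to 'violated' on the read path (see normalizeComplianceVerdict). */
 complianceVerdict: string;
 /** Optional free-text notes from the reviewer. */
 reviewerNotes?: string;
@@ -51,6 +53,16 @@ export interface PruneResult {
 /** Error message when the write/rename step fails; absent on success. */
 error?: string;
 }
+/**
+* Normalize a compliance verdict to the canonical spelling.
+* The sole producer (`skill-propagation-gate.ts`) lowercases the regex
+* capture, yielding 'violated'. Pre-fix on-disk entries may carry the
+* legacy spelling 'violation'; this maps them to the canonical form so
+* that every downstream comparison can use a single string.
+*
+* Exported for unit-testing.
+*/
+export declare function normalizeComplianceVerdict(verdict: string): string;
 /**
 * Test-only dependency-injection seam. Tests override these without
 * `mock.module` (which leaks across files in Bun's shared test-runner).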
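Review bot: The new comment on `complianceVerdict` says legacy 'violation' entries are normalized only on the read path, so a comparison against 'violated' on a raw entry that has not passed through `normalizeComplianceVerdict` would not count a legacy violation. The doc comment on the function in the second hunk also leaves open what is returned for custom values, different casing or surrounding whitespace, which matters because the field stays typed `string`. I would add a line such as `Values other than 'violation' are returned unchanged; always compare the normalized result, never the raw field.`, provided that matches the implementation, which is not visible in this declaration file.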