opencode-swarm 7.74.1 → 7.74.2

package/dist/cli/index.js

@@ -52,7 +52,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.74.1",
+    version: "7.74.2",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",

package/dist/index.js

@@ -69,7 +69,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.74.1",
+    version: "7.74.2",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -124899,6 +124899,102 @@ var git_blame = createSwarmTool({
 
 // src/tools/gitingest.ts
 init_zod();
+
+// src/services/external-content-scanner.ts
+init_knowledge_validator();
+function scanInvisibleFormatChars2(text) {
+  const findings = [];
+  const matches = text.match(INVISIBLE_FORMAT_CHARS);
+  if (matches !== null && matches.length > 0) {
+    for (const match of matches) {
+      findings.push({
+        pattern: "invisible_format_chars",
+        field: "external_content",
+        description: `Invisible format characters detected (${matches.length} occurrence(s))`,
+        severity: "error",
+        match: match.slice(0, 100)
+      });
+    }
+  }
+  return findings;
+}
+function neutralizeThreatPatterns(text, findings) {
+  if (findings.length === 0) {
+    return text;
+  }
+  let result = text;
+  for (const finding of findings.filter((f) => f.severity === "error")) {
+    const escapedMatch = finding.match.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const pattern = new RegExp(escapedMatch, "g");
+    result = result.replace(pattern, () => `[EXTERNAL_CONTENT_THREAT: ${finding.pattern}] ${finding.match} [/EXTERNAL_CONTENT_THREAT]`);
+  }
+  return result;
+}
+function scanExternalContent(text, options) {
+  const trustLevel = options?.trustLevel ?? "low";
+  const maxLength = options?.maxLength ?? 50000;
+  if (text == null) {
+    text = "";
+  }
+  const originalLength = text.length;
+  const findings = [];
+  if (text.length > maxLength) {
+    findings.push({
+      pattern: "oversized_content",
+      field: "external_content",
+      description: `External content exceeds safe size threshold (${text.length} > ${maxLength} bytes)`,
+      severity: "error",
+      match: `${text.length} bytes`
+    });
+  }
+  findings.push(...scanInvisibleFormatChars2(text));
+  for (const entry of PROMPT_INJECTION_PATTERNS) {
+    const match = entry.pattern.exec(text);
+    if (match !== null) {
+      findings.push({
+        pattern: entry.name,
+        field: "external_content",
+        description: entry.description,
+        severity: entry.severity,
+        match: match[0]
+      });
+    }
+  }
+  for (const entry of UNSAFE_INSTRUCTION_PATTERNS) {
+    const match = entry.pattern.exec(text);
+    if (match !== null) {
+      findings.push({
+        pattern: entry.name,
+        field: "external_content",
+        description: entry.description,
+        severity: entry.severity,
+        match: match[0]
+      });
+    }
+  }
+  const promoteWarnings = trustLevel === "low";
+  const modulatedFindings = findings.map((f) => promoteWarnings && f.severity === "warning" ? { ...f, severity: "error" } : f);
+  const hasErrors = modulatedFindings.some((f) => f.severity === "error");
+  const hasWarnings = modulatedFindings.some((f) => f.severity === "warning");
+  let threatLevel;
+  if (hasErrors) {
+    threatLevel = "error";
+  } else if (hasWarnings) {
+    threatLevel = "warning";
+  } else {
+    threatLevel = "none";
+  }
+  const neutralized = neutralizeThreatPatterns(text, modulatedFindings.filter((f) => f.severity === "error"));
+  return {
+    clean: threatLevel === "none",
+    findings: modulatedFindings,
+    threatLevel,
+    originalLength,
+    neutralized
+  };
+}
+
+// src/tools/gitingest.ts
 init_create_tool();
 var GITINGEST_TIMEOUT_MS = 1e4;
 var GITINGEST_MAX_RESPONSE_BYTES = 5242880;
@@ -124936,7 +125032,31 @@ async function fetchGitingest(args2) {
       if (Number.isFinite(contentLength) && contentLength > GITINGEST_MAX_RESPONSE_BYTES) {
         throw new Error("gitingest response too large");
       }
-      const text = await response.text();
+      let text;
+      const reader = response.body?.getReader();
+      if (reader) {
+        let buffer = "";
+        const decoder = new TextDecoder;
+        let totalBytes = 0;
+        try {
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+              break;
+            totalBytes += value.byteLength;
+            if (totalBytes > GITINGEST_MAX_RESPONSE_BYTES) {
+              throw new Error("gitingest response too large");
+            }
+            buffer += decoder.decode(value, { stream: true });
+          }
+          buffer += decoder.decode();
+          text = buffer;
+        } finally {
+          reader.cancel().catch(() => {});
+        }
+      } else {
+        text = await response.text();
+      }
       if (Buffer.byteLength(text) > GITINGEST_MAX_RESPONSE_BYTES) {
         throw new Error("gitingest response too large");
       }
@@ -124946,11 +125066,24 @@ async function fetchGitingest(args2) {
       } catch {
         throw new Error(`gitingest API returned non-JSON response (${text.length} chars, starts: ${text.slice(0, 80)})`);
       }
-      return `${data.summary}
+      const combined = `${data.summary}
 
 ${data.tree}
 
 ${data.content}`;
+      const scanResult = scanExternalContent(combined, { trustLevel: "low" });
+      let result = combined;
+      if (!scanResult.clean) {
+        const threatSummary = scanResult.findings.filter((f) => f.severity === "error").map((f) => `- ${f.pattern}: ${f.description}`).join(`
+`);
+        result = `[GITINGEST SECURITY NOTE: External repository content scanned and contains potential threat patterns]
+${threatSummary}
+
+[Content follows with threats marked for LLM awareness]
+
+${scanResult.neutralized}`;
+      }
+      return result;
     } catch (error93) {
       if (error93 instanceof DOMException && (error93.name === "TimeoutError" || error93.name === "AbortError")) {
         if (attempt >= GITINGEST_MAX_RETRIES) {
@@ -142322,6 +142455,20 @@ var web_search = createSwarmTool({
         freshness
       });
       const evidence = await captureSearchEvidence(dirResult.directory, policy.query, results);
+      const scannedResults = results.map(({ title, url: url3, snippet }) => {
+        const titleScan = scanExternalContent(title, { trustLevel: "low" });
+        const snippetScan = scanExternalContent(snippet, {
+          trustLevel: "low"
+        });
+        const threatLevel = titleScan.threatLevel === "error" || snippetScan.threatLevel === "error" ? "error" : titleScan.threatLevel === "warning" || snippetScan.threatLevel === "warning" ? "warning" : "none";
+        return {
+          title: titleScan.clean ? title : titleScan.neutralized,
+          url: url3,
+          snippet: snippetScan.clean ? snippet : snippetScan.neutralized,
+          evidenceRef: evidence.refByUrl.get(url3),
+          threatLevel
+        };
+      });
       const ok2 = {
         success: true,
         query: policy.query,
@@ -142330,12 +142477,7 @@ var web_search = createSwarmTool({
         freshness,
         removedStaleYears: policy.removedStaleYears,
         totalResults: results.length,
-        results: results.map(({ title, url: url3, snippet }) => ({
-          title,
-          url: url3,
-          snippet,
-          evidenceRef: evidence.refByUrl.get(url3)
-        })),
+        results: scannedResults,
         evidence: {
           stored: evidence.stored,
           path: evidence.path,

package/dist/services/external-content-scanner.d.ts

@@ -0,0 +1,67 @@
+/**
+ * External content scanner — shared ingress point for arbitrary external text.
+ *
+ * Reuses the prompt-injection and unsafe-instruction patterns from
+ * external-skill-validator.ts to scan network-fetched content (gitingest,
+ * web_search, future network tools) before it enters the LLM context.
+ *
+ * Provides a single shared interface: `scanExternalContent(text, options?)`.
+ * This ensures consistent threat detection across all external sources
+ * and closes the asymmetry documented in issue #1278.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import { type ValidationFinding } from './external-skill-validator';
+/** Result from scanning external content for injection and unsafe instructions. */
+export interface ExternalContentScanResult {
+    /** Whether threats were detected. */
+    clean: boolean;
+    /** Individual findings from the scan. */
+    findings: ValidationFinding[];
+    /** Threats found: 'none', 'warning', or 'error'. */
+    threatLevel: 'none' | 'warning' | 'error';
+    /** The original text (for comparison). */
+    originalLength: number;
+    /** The neutralized text with threat markers wrapped. */
+    neutralized: string;
+}
+/**
+ * Apply invisible-format-character detection to raw text.
+ *
+ * Unlike the other patterns, invisible format chars are detected by counting
+ * occurrences in the raw string (not via regex .test), because we need the
+ * match string and they are multi-codepoint.
+ *
+ * Returns an array of findings (empty if none found).
+ * Each finding includes the individual match string (not concatenated),
+ * so callers can neutralize each occurrence at its original position.
+ */
+declare function scanInvisibleFormatChars(text: string): ValidationFinding[];
+/**
+ * Neutralize threat patterns in text by wrapping them with delimiters.
+ * This makes them visible to the LLM as data, not instructions.
+ */
+declare function neutralizeThreatPatterns(text: string, findings: ValidationFinding[]): string;
+/**
+ * Scan arbitrary external content for prompt-injection and unsafe-instruction threats.
+ *
+ * Returns a structured result with:
+ * - `clean`: boolean indicating no error-severity findings
+ * - `findings`: all detected findings
+ * - `threatLevel`: aggregated threat assessment
+ * - `neutralized`: the text with threat patterns wrapped for safety
+ *
+ * @param text - The external content to scan (arbitrary length, typically from API)
+ * @param options - Optional: { trustLevel = 'low' }
+ *   - 'low': warnings are treated as errors
+ *   - 'medium'/'high': warnings stay warnings
+ */
+export declare function scanExternalContent(text: string, options?: {
+    trustLevel?: 'low' | 'medium' | 'high';
+    maxLength?: number;
+}): ExternalContentScanResult;
+export declare const _internals: {
+    scanInvisibleFormatChars: typeof scanInvisibleFormatChars;
+    neutralizeThreatPatterns: typeof neutralizeThreatPatterns;
+};
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.74.1",
+	"version": "7.74.2",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",