opencode-swarm 7.74.2 → 7.75.0

package/dist/commands/command-dispatch.d.ts

@@ -19,15 +19,12 @@ export declare function normalizeSwarmCommandInput(command: string, argumentText
 };
 export declare function canonicalCommandKey(resolved: ResolvedSwarmCommand): string;
 export declare function formatCommandNotFound(tokens: string[]): string;
-export declare function maybeMarkFirstRun(directory: string): boolean;
-export declare function prependWelcome(text: string): string;
 export declare function executeSwarmCommand(args: {
     directory: string;
     agents: Record<string, AgentDefinition>;
     sessionID: string;
     tokens: string[];
     packageRoot?: string;
-    includeWelcome?: boolean;
     buildHelpText?: () => string;
     policy?: SwarmCommandPolicy;
 }): Promise<SwarmCommandExecutionResult>;

package/dist/commands/full-auto.d.ts

@@ -1,12 +1,24 @@
 /**
  * Handles the /swarm full-auto command.
- * Toggles Full-Auto Mode on or off for the active session.
+ * First-class session toggle for Full-Auto Mode: on / off / status / bare toggle.
+ *
+ * Full-Auto no longer requires `full_auto.enabled: true` in the plugin config —
+ * the v2 hooks are always armed and gated at runtime by the durable per-session
+ * run state, so activation is a pure runtime decision (like switching permission
+ * modes in other agent CLIs). Administrators can set `full_auto.locked: true`
+ * to refuse runtime activation entirely.
+ *
+ * `on` accepts an optional mode argument (`assisted` | `supervised` | `strict`)
+ * that overrides `full_auto.mode` for this run. In every mode the critic
+ * reviews escalations on the user's behalf; `strict` routes ALL plan mutations
+ * through the critic, `supervised` (default) routes risky/high-impact actions,
+ * `assisted` only consults the critic when the deterministic policy escalates.
  *
  * In Full-Auto v2 this also creates a durable run-state record under
  * .swarm/full-auto-state.json so the permission/oversight infrastructure can
  * fail-closed across hooks and across process restarts.
  *
- * H2 fix: durable write happens BEFORE flipping the legacy
+ * H2 fix (preserved): durable write happens BEFORE flipping the legacy
  * `session.fullAutoMode` flag. If the durable write fails, the command
  * surfaces the error in its return string and does NOT enable the legacy
  * reactive intercept — preventing a silent fail-open where reactive checks
@@ -14,7 +26,7 @@
  * durable run.
  *
  * @param directory - Project directory (used to persist Full-Auto run state)
- * @param args - Optional argument: "on" | "off" | undefined (toggle behavior)
+ * @param args - "on [mode]" | "off" | "status" | undefined (toggle behavior)
  * @param sessionID - Session ID for accessing active session state
  * @returns Feedback message about Full-Auto Mode state
  */

package/dist/commands/registry.d.ts

@@ -501,9 +501,9 @@ export declare const COMMAND_REGISTRY: {
     };
     readonly 'full-auto': {
         readonly handler: (ctx: CommandContext) => Promise<string>;
-        readonly description: "Toggle Full-Auto Mode for the active session [on|off]";
-        readonly args: "on, off";
-        readonly details: "Toggles Full-Auto Mode which enables autonomous execution without confirmation prompts. When enabled, the architect proceeds through implementation steps automatically. Session-scoped — resets on new session. Use \"on\" or \"off\" to set explicitly, or toggle with no argument.";
+        readonly description: "Toggle Full-Auto Mode for the active session [on [mode]|off|status]";
+        readonly args: "on [assisted|supervised|strict], off, status";
+        readonly details: string;
         readonly category: "utility";
     };
     readonly 'auto-proceed': {

package/dist/config/loader.d.ts

@@ -1,17 +1,6 @@
 import { type PluginConfig } from './schema';
 export declare const MAX_CONFIG_FILE_BYTES = 102400;
 export { deepMerge, MAX_MERGE_DEPTH } from '../utils/merge';
-/**
- * Load plugin configuration from user and project config files.
- *
- * Config locations:
- * 1. User config: ~/.config/opencode/opencode-swarm.json
- * 2. Project config: <directory>/.opencode/opencode-swarm.json
- *
- * Project config takes precedence. Nested objects are deep-merged.
- * IMPORTANT: Raw configs are merged BEFORE Zod parsing so that
- * Zod defaults don't override explicit user values.
- */
 export declare function loadPluginConfig(directory: string): PluginConfig;
 /**
  * Internal variant of loadPluginConfig that also returns loader metadata.
@@ -21,6 +10,11 @@ export declare function loadPluginConfig(directory: string): PluginConfig;
 export declare function loadPluginConfigWithMeta(directory: string): {
     config: PluginConfig;
     loadedFromFile: boolean;
+    /** True when a config file existed but could not be loaded (corrupt JSON,
+     *  oversized, permission error). Consumers with fail-closed semantics —
+     *  e.g. the Full-Auto `locked` activation guard — must treat this as
+     *  "config unknown", not "config defaults". */
+    configHadErrors: boolean;
 };
 /**
  * Async variant of `loadPluginConfigWithMeta`. Used by the plugin entry
@@ -29,6 +23,7 @@ export declare function loadPluginConfigWithMeta(directory: string): {
 export declare function loadPluginConfigWithMetaAsync(directory: string): Promise<{
     config: PluginConfig;
     loadedFromFile: boolean;
+    configHadErrors: boolean;
 }>;
 /**
  * Load custom prompt for an agent from the prompts directory.

package/dist/config/schema.d.ts

@@ -333,6 +333,17 @@ export declare const ReviewPassesConfigSchema: z.ZodObject<{
     security_globs: z.ZodDefault<z.ZodArray<z.ZodString>>;
 }, z.core.$strip>;
 export type ReviewPassesConfig = z.infer<typeof ReviewPassesConfigSchema>;
+export declare const AutoReviewConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    trigger: z.ZodDefault<z.ZodEnum<{
+        task_completion: "task_completion";
+        phase_boundary: "phase_boundary";
+        both: "both";
+    }>>;
+    timeout_ms: z.ZodDefault<z.ZodNumber>;
+    max_diff_kb: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+export type AutoReviewConfig = z.infer<typeof AutoReviewConfigSchema>;
 export declare const AdversarialDetectionConfigSchema: z.ZodObject<{
     enabled: z.ZodDefault<z.ZodBoolean>;
     policy: z.ZodDefault<z.ZodEnum<{
@@ -1392,6 +1403,16 @@ export declare const PluginConfigSchema: z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;
         skip_in_turbo: z.ZodDefault<z.ZodBoolean>;
     }, z.core.$strip>>;
+    auto_review: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        trigger: z.ZodDefault<z.ZodEnum<{
+            task_completion: "task_completion";
+            phase_boundary: "phase_boundary";
+            both: "both";
+        }>>;
+        timeout_ms: z.ZodDefault<z.ZodNumber>;
+        max_diff_kb: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
     tool_filter: z.ZodOptional<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;
         overrides: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>>;
@@ -1858,6 +1879,7 @@ export declare const PluginConfigSchema: z.ZodObject<{
     version_check: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
     full_auto: z.ZodDefault<z.ZodOptional<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;
+        locked: z.ZodDefault<z.ZodBoolean>;
         critic_model: z.ZodOptional<z.ZodString>;
         max_interactions_per_phase: z.ZodDefault<z.ZodNumber>;
         deadlock_threshold: z.ZodDefault<z.ZodNumber>;

package/dist/full-auto/state.d.ts

@@ -88,6 +88,18 @@ export declare function startFullAutoRun(directory: string, sessionID: string, c
     taskID?: string;
 }): FullAutoRunState;
 export declare function pauseFullAutoRun(directory: string, sessionID: string, reason: string): FullAutoRunState | undefined;
+/**
+ * Disarm a Full-Auto run in response to an explicit user `off`.
+ *
+ * Unlike `pauseFullAutoRun` / `terminateFullAutoRun` (system-initiated halts
+ * that fail-closed-block non-read-only tools until the user re-enables),
+ * disarming returns the session to normal interactive operation: the record
+ * transitions to `'idle'`, which every enforcement path treats as
+ * "no active Full-Auto run". Counters and denial history are preserved for
+ * audit. (Adversarial review F3: `off` must not be a one-way door into a
+ * write-blocked session.)
+ */
+export declare function disarmFullAutoRun(directory: string, sessionID: string, reason: string): FullAutoRunState | undefined;
 export declare function terminateFullAutoRun(directory: string, sessionID: string, reason: string): FullAutoRunState | undefined;
 export declare function isFullAutoRunActive(directory: string, sessionID: string): boolean;
 export type FullAutoCounterKey = keyof FullAutoCounters;

package/dist/hooks/auto-review.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Auto-review hook (auto-review machinery, piece B) — opt-in.
+ *
+ * When `auto_review.enabled` is true, completing a task
+ * (`update_task_status` → status 'completed') and/or a phase
+ * (`phase_complete`) automatically dispatches the registered reviewer agent
+ * over a fresh ephemeral session to review the current execution diff —
+ * the same "second model reviews the work in a clean context" pattern used
+ * by Claude Code's auto-review and Codex's review model. The reviewer agent
+ * carries its own configured model (`agents.reviewer.model`), so the review
+ * model is independently configurable from the coder/architect models.
+ *
+ * The pass is ADVISORY and fully fail-open:
+ *   - fire-and-forget from `tool.execute.after` (never blocks the tool)
+ *   - verdicts are persisted as durable review receipts
+ *     (`.swarm/review-receipts/`, scope-fingerprinted over the diff) and an
+ *     `auto_review` event is appended to `.swarm/events.jsonl`
+ *   - a REJECTED or unparseable verdict injects a `[AUTO-REVIEW]` advisory
+ *     into the architect's next prompt; APPROVED stays silent
+ *
+ * Bounds (AGENTS.md invariants 3 and 8): the diff subprocess uses execFile
+ * with cwd/timeout/maxBuffer and ignored stdin; dispatches are guarded by a
+ * per-session in-flight set plus a 60s cooldown in a bounded FIFO map.
+ */
+import { type AutoReviewConfig } from '../config/schema.js';
+/** Test-only: clear module-level dispatch tracking. */
+export declare function resetAutoReviewTracking(): void;
+export type ExecutionDiffResult = {
+    status: 'ok';
+    diff: string;
+} | {
+    status: 'clean';
+} | {
+    status: 'error';
+    reason: string;
+};
+/**
+ * Collect the execution diff for review: `git diff HEAD` (tracked changes)
+ * plus a porcelain summary of untracked files. Distinguishes a clean working
+ * tree from collection failures (git missing, timeout, diff exceeding the
+ * 2× maxBuffer cap) so events report honestly. Output is truncated to
+ * `maxBytes`.
+ */
+declare function computeExecutionDiff(directory: string, maxBytes: number): Promise<ExecutionDiffResult>;
+declare function dispatchReviewer(directory: string, prompt: string, agentName: string, timeoutMs: number): Promise<string>;
+export interface AutoReviewRunInput {
+    directory: string;
+    sessionID: string;
+    trigger: 'task_completion' | 'phase_boundary';
+    taskId?: string;
+    phase?: number;
+    config: Required<Pick<AutoReviewConfig, 'timeout_ms' | 'max_diff_kb'>>;
+    injectAdvisory: (sessionId: string, message: string) => void;
+}
+/**
+ * Execute one auto-review pass: collect diff → dispatch reviewer over an
+ * ephemeral session → persist receipt + event → advisory on REJECTED or
+ * unparseable output. Fully fail-open; never throws.
+ */
+export declare function runAutoReview(input: AutoReviewRunInput): Promise<void>;
+export interface AutoReviewHookOptions {
+    config: AutoReviewConfig;
+    directory: string;
+    injectAdvisory: (sessionId: string, message: string) => void;
+}
+export declare function createAutoReviewHook(options: AutoReviewHookOptions): {
+    toolAfter: (input: {
+        tool: string;
+        sessionID: string;
+        callID?: string;
+    }, output: {
+        args?: unknown;
+        output?: unknown;
+    }) => Promise<void>;
+};
+export declare const _internals: {
+    computeExecutionDiff: typeof computeExecutionDiff;
+    dispatchReviewer: typeof dispatchReviewer;
+    runAutoReview: typeof runAutoReview;
+    now: () => number;
+};
+export {};

package/dist/hooks/review-receipt-collector.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Reviewer receipt collector (auto-review machinery, piece A).
+ *
+ * Parses the mandated reviewer OUTPUT FORMAT (`VERDICT:` / `RISK:` /
+ * `ISSUES:` / `FIXES:`) from a returning reviewer Task delegation and
+ * persists it as a durable review receipt under `.swarm/review-receipts/`
+ * via the existing receipt store (scope-fingerprinted over the delegation
+ * prompt, which defines the reviewed scope).
+ *
+ * Before this collector, reviewer verdicts existed only as free text inside
+ * the architect's context — re-reviews and drift verification had no durable
+ * machine-readable record of what the reviewer decided. Knowledge-directive
+ * lines (`DIRECTIVE_COMPLIANCE`) are handled separately by
+ * `reviewer-verdict-parser.ts`; this module covers the main verdict block.
+ *
+ * Fail-open: parsing or persistence failures never block tool execution.
+ */
+export type ParsedReviewSeverity = 'critical' | 'high' | 'medium';
+export interface ParsedReviewIssue {
+    /** Raw issue line (trimmed, bullet stripped) */
+    text: string;
+    /** Severity inferred from a CRITICAL/HIGH/MEDIUM/LOW/INFO tag, default medium */
+    severity: ParsedReviewSeverity;
+    /** `path:line` reference when one appears in the line */
+    location?: string;
+}
+export interface ParsedReviewerOutput {
+    verdict: 'approved' | 'rejected';
+    /** RISK: LOW | MEDIUM | HIGH | CRITICAL (uppercased), when present */
+    risk?: string;
+    /** Blocking/non-blocking issue lines from the ISSUES section */
+    issues: ParsedReviewIssue[];
+    /** Required-change lines from the FIXES section */
+    fixes: string[];
+}
+/**
+ * Parse the reviewer agent's mandated output block. Returns null when no
+ * unambiguous line-anchored `VERDICT: APPROVED|REJECTED` is present —
+ * including when multiple anchored verdict lines DISAGREE (ambiguous output
+ * fails toward "no machine-readable verdict", never toward approval).
+ */
+export declare function parseReviewerOutput(text: string): ParsedReviewerOutput | null;
+export interface ReviewerReceiptInput {
+    tool: unknown;
+    args?: unknown;
+    sessionID?: unknown;
+}
+export interface ReviewerReceiptOutput {
+    output?: unknown;
+}
+/**
+ * `tool.execute.after` collector. When a reviewer Task returns, parse its
+ * verdict block and persist a durable review receipt. No-op for non-reviewer
+ * delegations, missing prompts/outputs, or unparseable verdicts. Never throws.
+ *
+ * Returns the persisted receipt path (for tests/telemetry) or null.
+ */
+export declare function collectReviewerReceiptAfter(directory: string, input: ReviewerReceiptInput, output: ReviewerReceiptOutput): Promise<string | null>;

package/dist/hooks/review-receipt.d.ts

@@ -20,6 +20,13 @@
  *
  * Critic drift verification can consume prior receipts as supporting context
  * but MUST NOT blindly trust them — staleness check is mandatory.
+ *
+ * Scope-description heterogeneity: receipts in one index may be fingerprinted
+ * over different canonical contents (e.g. 'reviewer-task-prompt' hashes the
+ * delegation prompt; 'auto-review-*-diff' hashes the reviewed diff). A prompt
+ * fingerprint does NOT change when the worktree changes, so consumers MUST
+ * filter by `scope_fingerprint.scope_description` (or compare like-for-like
+ * content) before treating an approved receipt as fresh via isScopeStale().
  */
 export type ReceiptVerdict = 'rejected' | 'approved';
 /** Identity of the reviewer/curator that produced the receipt. */