opencode-swarm 7.81.1 → 7.81.3

package/dist/sandbox/linux/bubblewrap-executor.d.ts

@@ -3,7 +3,8 @@
  *
  * Wraps shell commands with bwrap (Bubblewrap) to restrict process capabilities.
  * Uses --bind to mount scope paths read-write, --tmpfs for /tmp, and --ro-bind
- * for essential read-only system paths.
+ * for essential read-only system paths. Drops all capabilities via --cap-drop ALL
+ * for defense-in-depth within the user namespace.
  */
 import { type SandboxExecutor } from '../executor';
 /**

package/dist/sandbox/macos/sandbox-exec-executor.d.ts

@@ -1,14 +1,15 @@
 /**
  * macOS sandbox-exec sandbox executor.
  *
- * Wraps shell commands with sandbox-exec(8) to restrict process capabilities
- * using a profile-based deny-by-default policy.
+ * Wraps shell commands with sandbox-exec(8) to enforce file-write containment.
  *
- * Profile allows:
+ * Profile scope:
+ *   - Non-file operations (network, IPC, process creation, sysctl reads) are
+ *     ALLOWED via `(allow default)`. This executor enforces file-write
+ *     containment only — it is not a full-process sandbox.
  *   - Read-only access to essential system paths (/usr, /bin, /sbin, /lib)
- *   - Read-write access to each scope path
- *   - Read-write access to the temp directory (500MB bounded)
- *   - Denies all other file writes
+ *   - Read-write access to each scope path and the temp directory
+ *   - All other file writes are denied
  */
 import { type SandboxExecutor } from '../executor';
 /**

package/dist/sandbox/win32/restricted-environment-executor.d.ts

@@ -73,13 +73,23 @@ export declare class WindowsSandboxExecutor implements SandboxExecutor {
      *   - Sets scoped temp directory (%TEMP%, %TMP%)
      *   - Restricts PATH to safe system paths only
      *   - Removes dangerous environment variables that could be used to bypass restrictions
-     *   - Executes the command via cmd /c inside a PowerShell script
+     *   - Executes PowerShell-native cmdlets (filesystem cmdlets only) via Invoke-Expression,
+     *     and all other commands via cmd /c inside a PowerShell script
+     *
+     * Safety checks applied before wrapping:
+     *   - PowerShell escape patterns are rejected via detectPowerShellEscape
+     *   - PowerShell-native commands are restricted to a filesystem-only cmdlet whitelist
+     *   - PowerShell-native command bodies must not contain statement separators (;),
+     *     call operator (&), pipelines (|), backtick escapes (`), variable references ($),
+     *     subexpressions/parentheses, or newlines
      *
      * @param command   - Raw shell command to execute inside the sandbox
      * @param scopePaths - Additional scope paths to allow (merged with constructor scope)
      * @param tempDir   - Optional temp directory override
      * @returns A PowerShell-wrapped command string ready for shell execution,
      *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     * @throws {SandboxError} UNSAFE_PS_COMMAND when a PowerShell-native command body
+     *         contains characters that enable command injection via Invoke-Expression
      */
     wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
     /**

package/dist/session/session-start-store.d.ts

@@ -0,0 +1,6 @@
+export declare function recordSessionStart(directory: string, startMs: number): void;
+export declare function readEarliestSessionStart(directory: string): string | null;
+export declare const _internals: {
+    recordSessionStart: typeof recordSessionStart;
+    readEarliestSessionStart: typeof readEarliestSessionStart;
+};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.81.1",
+	"version": "7.81.3",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",

package/dist/sandbox/linux/edge-cases.d.ts

@@ -1,89 +0,0 @@
-/**
- * Edge case handling utilities for Bubblewrap sandbox.
- *
- * This module provides functions to detect and prevent:
- * - Symlink escape attacks
- * - /proc/self/fd access
- * - io_uring bypass
- * - Namespace escape
- * - Hard-link creation
- * - Rename/move across scope boundary
- * - mmap interception
- */
-/**
- * Check whether a path is a symlink and resolves to a location outside
- * any of the configured scope paths.
- *
- * @param path        - The path to check (may be a symlink)
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if the path is a symlink that escapes the sandbox
- */
-export declare function detectSymlinkEscape(path: string, scopePaths: string[]): boolean;
-/**
- * Check whether a path is under /proc/self/fd/, which provides
- * file descriptor access that can bypass normal path checks.
- *
- * @param path - The path to check
- * @returns true if the path is under /proc/self/fd/
- */
-export declare function detectProcFdAccess(path: string): boolean;
-/**
- * Detect whether io_uring is active on the system, which can be used
- * to perform I/O operations that bypass the seccomp filter.
- *
- * Note: This is a detection function only — it does not prevent io_uring usage.
- * Bubblewrap's --unshare-all combined with seccomp filtering can mitigate this.
- *
- * @returns true if io_uring appears to be active
- */
-export declare function detectIoUringBypass(): boolean;
-/**
- * Detect whether the current process is already running inside a user namespace.
- *
- * When a process is already inside a user namespace (rather than the initial
- * namespace), it may have different privileges and isolation properties than
- * expected. This can affect the security assumptions of a bubblewrap sandbox.
- *
- * @returns true if the current process is already inside a non-initial user namespace
- */
-export declare function detectNamespaceEscape(): boolean;
-/**
- * Check whether a path operation would create a hard link that escapes
- * the sandbox scope.
- *
- * Hard links can allow a file inside the sandbox to be linked to a location
- * outside the sandbox, potentially bypassing containment.
- *
- * @param path        - The path being linked to
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if creating a hard link at path would escape the sandbox
- */
-export declare function detectHardLinkEscape(path: string, scopePaths: string[]): boolean;
-/**
- * Alias for detectHardLinkEscape for API compatibility.
- * @param path        - The path being linked to
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if creating a hard link at path would escape the sandbox
- */
-export declare function detectHardLinkCreation(path: string, scopePaths: string[]): boolean;
-/**
- * Check whether a rename or move operation crosses a scope boundary.
- *
- * Moving a file from inside a scope path to outside violates containment.
- *
- * @param oldPath    - The original path
- * @param newPath    - The destination path after rename/move
- * @param scopePaths - Array of absolute scope paths
- * @returns true if the rename crosses a scope boundary
- */
-export declare function detectRenameAcrossBoundary(oldPath: string, newPath: string, scopePaths: string[]): boolean;
-/**
- * Check whether a path pattern suggests mmap interception attempts.
- *
- * mmap can be used to map device files or anonymous memory that bypasses
- * normal file-based access controls.
- *
- * @param path - The path being accessed
- * @returns true if the path suggests mmap interception
- */
-export declare function detectMmapInterception(path: string): boolean;