npm - opencode-swarm - Versions diffs - 7.81.2 → 7.81.3 - Mend

opencode-swarm 7.81.2 → 7.81.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cli/index.js +1 -1
package/dist/index.js +23 -5
package/dist/sandbox/linux/bubblewrap-executor.d.ts +2 -1
package/dist/sandbox/macos/sandbox-exec-executor.d.ts +7 -6
package/dist/sandbox/win32/restricted-environment-executor.d.ts +11 -1
package/package.json +1 -1
package/dist/sandbox/linux/edge-cases.d.ts +0 -89

package/dist/cli/index.js CHANGED Viewed

@@ -52,7 +52,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.81.2",
+    version: "7.81.3",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",

package/dist/index.js CHANGED Viewed

@@ -69,7 +69,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.81.2",
+    version: "7.81.3",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -28232,6 +28232,8 @@ class BubblewrapSandboxExecutor {
       "--unshare-ipc",
       "--die-with-parent",
       "--new-session",
+      "--cap-drop",
+      "ALL",
       ...bindArgs,
       "--dev",
       "/dev",
@@ -28528,6 +28530,18 @@ function probeWindowsSandbox() {
 function psStringEscape(s) {
   return s.replace(/[`"$]/g, "`$&");
 }
+function getSafeWindowsPath() {
+  const raw = process.env.SystemRoot;
+  const isValid = typeof raw === "string" && raw.length > 0 && /^[A-Za-z]:[\\/](?:[^\\/;"'<>|*?\r\n]+[\\/]?)*$/.test(raw);
+  const sysRoot = isValid ? raw : "C:\\Windows";
+  return `${sysRoot}\\System32;${sysRoot}`;
+}
+function isPowerShellNativeCommand(command) {
+  return /^(?:Remove-Item|rm|del|erase|Copy-Item|cp|copy|Move-Item|mv|move|Rename-Item|ren|New-Item|ni|Get-Item|gi|Get-ChildItem|ls|dir|gci|Get-Content|cat|type|gc|Set-Content|sc|Add-Content|ac|Clear-Content|clc|Test-Path|Resolve-Path|Split-Path|Join-Path|Out-File|Get-Date)\b/i.test(command.trimStart());
+}
+function isSafePsCommandBody(command) {
+  return !/[;&|`$()\r\n]/.test(command);
+}
 function isPathInScopes(command, scopes) {
   if (scopes.length === 0)
     return true;
@@ -28597,9 +28611,13 @@ class WindowsSandboxExecutor {
     if (!isPathInScopes(command, _allScopes)) {
       throw new SandboxError("Command targets paths outside authorized scopes", "PATH_ESCAPE_SCOPE");
     }
-    const safePath = "C:\\Windows\\System32;C:\\Windows";
+    if (isPowerShellNativeCommand(command) && !isSafePsCommandBody(command)) {
+      throw new SandboxError("PowerShell-native command body contains unsafe characters", "UNSAFE_PS_COMMAND");
+    }
+    const safePath = getSafeWindowsPath();
     const escapedTemp = psStringEscape(temp);
     const escapedCommand = psStringEscape(command);
+    const commandExec = isPowerShellNativeCommand(command) ? `Invoke-Expression "${escapedCommand}"` : `cmd /c "${escapedCommand}"`;
     const psScript = `
 $ErrorActionPreference = 'Stop';
 try {
@@ -28626,8 +28644,8 @@ try {
     }
   }
-  # Execute the command via cmd /c
-  cmd /c "${escapedCommand}";
+  # Execute the command — PS-native cmdlets via Invoke-Expression, others via the standard command interpreter
+  ${commandExec};
 } catch {
   Write-Error $_.Exception.Message;
   exit 1;
@@ -28636,7 +28654,7 @@ try {
   }
   getEnvOverrides() {
     return {
-      PATH: "C:\\Windows\\System32;C:\\Windows",
+      PATH: getSafeWindowsPath(),
       TEMP: null,
       TMP: null,
       LD_PRELOAD: null,

package/dist/sandbox/linux/bubblewrap-executor.d.ts CHANGED Viewed

@@ -3,7 +3,8 @@
  *
  * Wraps shell commands with bwrap (Bubblewrap) to restrict process capabilities.
  * Uses --bind to mount scope paths read-write, --tmpfs for /tmp, and --ro-bind
- * for essential read-only system paths.
+ * for essential read-only system paths. Drops all capabilities via --cap-drop ALL
+ * for defense-in-depth within the user namespace.
  */
 import { type SandboxExecutor } from '../executor';
 /**

package/dist/sandbox/macos/sandbox-exec-executor.d.ts CHANGED Viewed

@@ -1,14 +1,15 @@
 /**
  * macOS sandbox-exec sandbox executor.
  *
- * Wraps shell commands with sandbox-exec(8) to restrict process capabilities
- * using a profile-based deny-by-default policy.
+ * Wraps shell commands with sandbox-exec(8) to enforce file-write containment.
  *
- * Profile allows:
+ * Profile scope:
+ *   - Non-file operations (network, IPC, process creation, sysctl reads) are
+ *     ALLOWED via `(allow default)`. This executor enforces file-write
+ *     containment only — it is not a full-process sandbox.
  *   - Read-only access to essential system paths (/usr, /bin, /sbin, /lib)
- *   - Read-write access to each scope path
- *   - Read-write access to the temp directory (500MB bounded)
- *   - Denies all other file writes
+ *   - Read-write access to each scope path and the temp directory
+ *   - All other file writes are denied
  */
 import { type SandboxExecutor } from '../executor';
 /**

package/dist/sandbox/win32/restricted-environment-executor.d.ts CHANGED Viewed

@@ -73,13 +73,23 @@ export declare class WindowsSandboxExecutor implements SandboxExecutor {
      *   - Sets scoped temp directory (%TEMP%, %TMP%)
      *   - Restricts PATH to safe system paths only
      *   - Removes dangerous environment variables that could be used to bypass restrictions
-     *   - Executes the command via cmd /c inside a PowerShell script
+     *   - Executes PowerShell-native cmdlets (filesystem cmdlets only) via Invoke-Expression,
+     *     and all other commands via cmd /c inside a PowerShell script
+     *
+     * Safety checks applied before wrapping:
+     *   - PowerShell escape patterns are rejected via detectPowerShellEscape
+     *   - PowerShell-native commands are restricted to a filesystem-only cmdlet whitelist
+     *   - PowerShell-native command bodies must not contain statement separators (;),
+     *     call operator (&), pipelines (|), backtick escapes (`), variable references ($),
+     *     subexpressions/parentheses, or newlines
      *
      * @param command   - Raw shell command to execute inside the sandbox
      * @param scopePaths - Additional scope paths to allow (merged with constructor scope)
      * @param tempDir   - Optional temp directory override
      * @returns A PowerShell-wrapped command string ready for shell execution,
      *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     * @throws {SandboxError} UNSAFE_PS_COMMAND when a PowerShell-native command body
+     *         contains characters that enable command injection via Invoke-Expression
      */
     wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
     /**

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.81.2",
+	"version": "7.81.3",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",

package/dist/sandbox/linux/edge-cases.d.ts DELETED Viewed

@@ -1,89 +0,0 @@
-/**
- * Edge case handling utilities for Bubblewrap sandbox.
- *
- * This module provides functions to detect and prevent:
- * - Symlink escape attacks
- * - /proc/self/fd access
- * - io_uring bypass
- * - Namespace escape
- * - Hard-link creation
- * - Rename/move across scope boundary
- * - mmap interception
- */
-/**
- * Check whether a path is a symlink and resolves to a location outside
- * any of the configured scope paths.
- *
- * @param path        - The path to check (may be a symlink)
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if the path is a symlink that escapes the sandbox
- */
-export declare function detectSymlinkEscape(path: string, scopePaths: string[]): boolean;
-/**
- * Check whether a path is under /proc/self/fd/, which provides
- * file descriptor access that can bypass normal path checks.
- *
- * @param path - The path to check
- * @returns true if the path is under /proc/self/fd/
- */
-export declare function detectProcFdAccess(path: string): boolean;
-/**
- * Detect whether io_uring is active on the system, which can be used
- * to perform I/O operations that bypass the seccomp filter.
- *
- * Note: This is a detection function only — it does not prevent io_uring usage.
- * Bubblewrap's --unshare-all combined with seccomp filtering can mitigate this.
- *
- * @returns true if io_uring appears to be active
- */
-export declare function detectIoUringBypass(): boolean;
-/**
- * Detect whether the current process is already running inside a user namespace.
- *
- * When a process is already inside a user namespace (rather than the initial
- * namespace), it may have different privileges and isolation properties than
- * expected. This can affect the security assumptions of a bubblewrap sandbox.
- *
- * @returns true if the current process is already inside a non-initial user namespace
- */
-export declare function detectNamespaceEscape(): boolean;
-/**
- * Check whether a path operation would create a hard link that escapes
- * the sandbox scope.
- *
- * Hard links can allow a file inside the sandbox to be linked to a location
- * outside the sandbox, potentially bypassing containment.
- *
- * @param path        - The path being linked to
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if creating a hard link at path would escape the sandbox
- */
-export declare function detectHardLinkEscape(path: string, scopePaths: string[]): boolean;
-/**
- * Alias for detectHardLinkEscape for API compatibility.
- * @param path        - The path being linked to
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if creating a hard link at path would escape the sandbox
- */
-export declare function detectHardLinkCreation(path: string, scopePaths: string[]): boolean;
-/**
- * Check whether a rename or move operation crosses a scope boundary.
- *
- * Moving a file from inside a scope path to outside violates containment.
- *
- * @param oldPath    - The original path
- * @param newPath    - The destination path after rename/move
- * @param scopePaths - Array of absolute scope paths
- * @returns true if the rename crosses a scope boundary
- */
-export declare function detectRenameAcrossBoundary(oldPath: string, newPath: string, scopePaths: string[]): boolean;
-/**
- * Check whether a path pattern suggests mmap interception attempts.
- *
- * mmap can be used to map device files or anonymous memory that bypasses
- * normal file-based access controls.
- *
- * @param path - The path being accessed
- * @returns true if the path suggests mmap interception
- */
-export declare function detectMmapInterception(path: string): boolean;