opencode-swarm 7.81.2 → 7.81.4

package/.opencode/skills/council/SKILL.md

@@ -92,7 +92,11 @@ RESEARCH CONTEXT
    continue only non-dependent architect work: prepare the synthesis outline,
    normalize the RESEARCH CONTEXT citations, and draft disagreement categories.
    Do not call `convene_general_council` or present conclusions from running
-   lanes. Each dispatch message must
+   lanes. Dispatch promptly — do not accumulate extensive planning prose before the
+   call, or output truncation may swallow the tool call itself. Keep each lane `prompt`
+   compact: send shared context ONCE via the `common_prompt` field, or have lanes read
+   it from a file by absolute path, instead of inlining the same large blob into every
+   lane prompt. Each dispatch message must
    include:
    - The question
    - Round number: 1

package/.opencode/skills/deep-dive/SKILL.md

@@ -71,7 +71,7 @@ Each explorer mission receives:
 - The scope map context from Step 2
 - Instruction: "You are performing a [LANE] audit. Report findings as candidate observations with severity (INFO/LOW/MEDIUM/HIGH/CRITICAL), location, and evidence."
 
-Explorer missions are dispatched in parallel waves. Launch the wave, record the returned `batch_id`, then continue deterministic architect work that does not depend on lane output: refine the scope map, build the candidate ledger shell, inspect local evidence with read-only tools, and prepare reviewer shard structure. Do not synthesize findings from running lanes.
+Explorer missions are dispatched in parallel waves. Launch the wave promptly — do not accumulate extensive planning prose before the call, or output truncation may swallow the tool call itself. Launch the wave, record the returned `batch_id`, then continue deterministic architect work that does not depend on lane output: refine the scope map, build the candidate ledger shell, inspect local evidence with read-only tools, and prepare reviewer shard structure. Do not synthesize findings from running lanes. Keep each lane `prompt` compact: send shared context ONCE via the `common_prompt` field, or have lanes read it from a file by absolute path, instead of inlining the same large blob into every lane prompt — oversized inline prompts produce malformed or truncated tool-call JSON.
 
 At the Step 4 boundary, call `collect_lane_results` with `wait: true` for every open wave batch. Treat missing, stale, cancelled, or failed lanes as explicit coverage gaps; do not silently proceed past a required lane. If `dispatch_lanes_async` is unavailable, use blocking `dispatch_lanes` or parallel Task calls and record that async advisory lanes were unavailable.
 

package/.opencode/skills/deep-research/SKILL.md

@@ -102,7 +102,12 @@ Dispatch up to `max_researchers` `the active swarm's sme agent` calls with
 `batch_id`, then continue architect-owned retrieval quality work that does not
 depend on worker output: tighten the evidence ledger, check source authority,
 prepare reviewer shard structure, and identify unresolved gaps. Do not write final
-claims from running lanes. Each sme dispatch must
+claims from running lanes. Dispatch promptly — do not accumulate extensive planning
+prose before the call, or output truncation may swallow the tool call itself. Keep each
+lane `prompt` compact: send shared context ONCE via the `common_prompt` field, or have
+lanes read it from a file by absolute path, instead of inlining the same large blob into
+every lane prompt — oversized inline prompts produce malformed or truncated tool-call
+JSON. Each sme dispatch must
 include:
 - `DOMAIN`: the subtopic
 - `TASK`: "Synthesize an evidence-grounded answer for this subtopic. Cite each

package/.opencode/skills/swarm-pr-review/SKILL.md

@@ -491,7 +491,7 @@ Tool candidate rules:
 
 ## Phase 3: Parallel Base Explorer Lanes
 
-Launch all base lanes with `dispatch_lanes_async` when available. Pass the six lane specs together, set `max_concurrent` to `6`, record the returned `batch_id`, and continue only non-dependent architect work: refine the obligation ledger, inspect PR metadata, prepare micro-lane trigger checks, and run deterministic read-only local tools. Do not synthesize findings from running lanes.
+Launch all base lanes with `dispatch_lanes_async` when available. Pass the six lane specs together, set `max_concurrent` to `6`, record the returned `batch_id`, and continue only non-dependent architect work: refine the obligation ledger, inspect PR metadata, prepare micro-lane trigger checks, and run deterministic read-only local tools. Do not synthesize findings from running lanes. Keep each lane `prompt` compact: send the shared review context (PR diff, obligation ledger, scope) ONCE via the `common_prompt` field, or have lanes read it from a file by absolute path, instead of inlining the same large blob into all six prompts — oversized inline prompts produce malformed or truncated tool-call JSON and force clumsy file workarounds.
 
 Before Phase 4 or synthesis, call `collect_lane_results` with `wait: true` for the base-lane batch and treat the collected `lane_results` as the join barrier. Missing, stale, cancelled, or failed base lanes are explicit review coverage gaps. If `dispatch_lanes_async` is unavailable, use blocking `dispatch_lanes`; if that is also unavailable, simulate isolated passes. Do not let one lane's conclusions bias another lane, and record unavailable deterministic dispatch in the validation gate.
 

package/dist/cli/index.js

@@ -52,7 +52,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.81.2",
+    version: "7.81.4",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -17763,11 +17763,11 @@ var init_tool_metadata = __esm(() => {
       ]
     },
     dispatch_lanes: {
-      description: "dispatch multiple read-only exploration/review lanes concurrently and return a structured join result",
+      description: "dispatch read-only exploration/review lanes concurrently and BLOCK until all finish; prefer dispatch_lanes_async for non-blocking dispatch, use this only when promptAsync is unavailable",
       agents: ["architect"]
     },
     dispatch_lanes_async: {
-      description: "launch multiple read-only advisory lanes asynchronously and return a batch id for later collection",
+      description: "launch read-only advisory lanes non-blockingly and return a batch id immediately so you can keep working; join later with collect_lane_results",
       agents: ["architect"]
     },
     collect_lane_results: {
@@ -41475,6 +41475,14 @@ async function activateProposal(directory, slug, force = false, options = {}) {
       reason: `proposal not found or already activated: ${readErr instanceof Error ? readErr.message : String(readErr)}`
     };
   }
+  if (await isRejectedSkillContent(directory, cleanSlug, proposalContent)) {
+    return {
+      activated: false,
+      from,
+      to,
+      reason: "previously rejected equivalent content"
+    };
+  }
   const flipped = proposalContent.replace(/^status:\s*draft\s*$/m, "status: active");
   let evaluation;
   if (options.evaluate) {
@@ -41497,7 +41505,7 @@ async function activateProposal(directory, slug, force = false, options = {}) {
       await appendRejectedSkillEdit({
         directory,
         slug: cleanSlug,
-        candidateContent: flipped,
+        candidateContent: proposalContent,
         incumbentContent,
         operation: options.operation ?? "skill_apply"
       }, evaluation);

package/dist/index.js

@@ -69,7 +69,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "opencode-swarm",
-    version: "7.81.2",
+    version: "7.81.4",
     description: "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
     main: "dist/index.js",
     types: "dist/index.d.ts",
@@ -680,11 +680,11 @@ var init_tool_metadata = __esm(() => {
       ]
     },
     dispatch_lanes: {
-      description: "dispatch multiple read-only exploration/review lanes concurrently and return a structured join result",
+      description: "dispatch read-only exploration/review lanes concurrently and BLOCK until all finish; prefer dispatch_lanes_async for non-blocking dispatch, use this only when promptAsync is unavailable",
       agents: ["architect"]
     },
     dispatch_lanes_async: {
-      description: "launch multiple read-only advisory lanes asynchronously and return a batch id for later collection",
+      description: "launch read-only advisory lanes non-blockingly and return a batch id immediately so you can keep working; join later with collect_lane_results",
       agents: ["architect"]
     },
     collect_lane_results: {
@@ -28232,6 +28232,8 @@ class BubblewrapSandboxExecutor {
       "--unshare-ipc",
       "--die-with-parent",
       "--new-session",
+      "--cap-drop",
+      "ALL",
       ...bindArgs,
       "--dev",
       "/dev",
@@ -28528,6 +28530,18 @@ function probeWindowsSandbox() {
 function psStringEscape(s) {
   return s.replace(/[`"$]/g, "`$&");
 }
+function getSafeWindowsPath() {
+  const raw = process.env.SystemRoot;
+  const isValid = typeof raw === "string" && raw.length > 0 && /^[A-Za-z]:[\\/](?:[^\\/;"'<>|*?\r\n]+[\\/]?)*$/.test(raw);
+  const sysRoot = isValid ? raw : "C:\\Windows";
+  return `${sysRoot}\\System32;${sysRoot}`;
+}
+function isPowerShellNativeCommand(command) {
+  return /^(?:Remove-Item|rm|del|erase|Copy-Item|cp|copy|Move-Item|mv|move|Rename-Item|ren|New-Item|ni|Get-Item|gi|Get-ChildItem|ls|dir|gci|Get-Content|cat|type|gc|Set-Content|sc|Add-Content|ac|Clear-Content|clc|Test-Path|Resolve-Path|Split-Path|Join-Path|Out-File|Get-Date)\b/i.test(command.trimStart());
+}
+function isSafePsCommandBody(command) {
+  return !/[;&|`$()\r\n]/.test(command);
+}
 function isPathInScopes(command, scopes) {
   if (scopes.length === 0)
     return true;
@@ -28597,9 +28611,13 @@ class WindowsSandboxExecutor {
     if (!isPathInScopes(command, _allScopes)) {
       throw new SandboxError("Command targets paths outside authorized scopes", "PATH_ESCAPE_SCOPE");
     }
-    const safePath = "C:\\Windows\\System32;C:\\Windows";
+    if (isPowerShellNativeCommand(command) && !isSafePsCommandBody(command)) {
+      throw new SandboxError("PowerShell-native command body contains unsafe characters", "UNSAFE_PS_COMMAND");
+    }
+    const safePath = getSafeWindowsPath();
     const escapedTemp = psStringEscape(temp);
     const escapedCommand = psStringEscape(command);
+    const commandExec = isPowerShellNativeCommand(command) ? `Invoke-Expression "${escapedCommand}"` : `cmd /c "${escapedCommand}"`;
     const psScript = `
 $ErrorActionPreference = 'Stop';
 try {
@@ -28626,8 +28644,8 @@ try {
     }
   }
 
-  # Execute the command via cmd /c
-  cmd /c "${escapedCommand}";
+  # Execute the command — PS-native cmdlets via Invoke-Expression, others via the standard command interpreter
+  ${commandExec};
 } catch {
   Write-Error $_.Exception.Message;
   exit 1;
@@ -28636,7 +28654,7 @@ try {
   }
   getEnvOverrides() {
     return {
-      PATH: "C:\\Windows\\System32;C:\\Windows",
+      PATH: getSafeWindowsPath(),
       TEMP: null,
       TMP: null,
       LD_PRELOAD: null,
@@ -64022,6 +64040,14 @@ async function activateProposal(directory, slug, force = false, options = {}) {
       reason: `proposal not found or already activated: ${readErr instanceof Error ? readErr.message : String(readErr)}`
     };
   }
+  if (await isRejectedSkillContent(directory, cleanSlug, proposalContent)) {
+    return {
+      activated: false,
+      from,
+      to,
+      reason: "previously rejected equivalent content"
+    };
+  }
   const flipped = proposalContent.replace(/^status:\s*draft\s*$/m, "status: active");
   let evaluation;
   if (options.evaluate) {
@@ -64044,7 +64070,7 @@ async function activateProposal(directory, slug, force = false, options = {}) {
       await appendRejectedSkillEdit({
         directory,
         slug: cleanSlug,
-        candidateContent: flipped,
+        candidateContent: proposalContent,
         incumbentContent,
         operation: options.operation ?? "skill_apply"
       }, evaluation);
@@ -96229,6 +96255,7 @@ If a tool modifies a file, it is a CODER tool. Delegate.
 2. ONE agent per message. Send, STOP, wait for response.
    Exception: Stage B reviewer/test_engineer gate agents for the SAME completed coder task may be dispatched together before waiting when both gates are required. This exception NEVER applies to coder delegations. Preserve ONE task per coder call.
    Separate parallel-mode exception (distinct from the Stage B exception above, and the ONLY case where more than one coder may be dispatched before waiting): when an active \`[PARALLEL EXECUTION PROFILE]\` directive is present in your context (parallelization_enabled=true), you MAY dispatch multiple {{AGENT_PREFIX}}coder agents in a single message — up to the stated max_concurrent_tasks — but ONLY for distinct, dependency-ready tasks whose declared file scopes do NOT overlap. Each coder still requires its own \`declare_scope\` call and carries exactly ONE task (Rule 3 still holds: never batch multiple objectives into one coder). Parallel coders each run in an isolated git worktree, so their writes never collide and are merged back automatically. If no \`[PARALLEL EXECUTION PROFILE]\` directive is present, dispatch coders one at a time.
+   Read-only advisory-lane exception (NON-BLOCKING; distinct from both exceptions above): the "Send, STOP, wait" rule governs MUTATION delegations (coder, and the test_engineer/reviewer Stage B completion gates). It does NOT govern read-only advisory exploration/review lanes. When you dispatch read-only advisory lanes — \`{{AGENT_PREFIX}}explorer\`, \`{{AGENT_PREFIX}}sme\`, \`{{AGENT_PREFIX}}researcher\`, the council members (\`council_generalist\`/\`council_skeptic\`/\`council_domain_expert\`), or an advisory \`{{AGENT_PREFIX}}critic\` lane — use the NON-BLOCKING path so you keep working while they run. Dispatch PROMPTLY: emit the \`dispatch_lanes_async\` call EARLY with compact lane prompts — do not accumulate long planning prose or build oversized inline prompts first, or the tool call can be truncated out of your message and the lanes never launch (a real failure mode on smaller models). The lane mechanism is a SINGLE \`dispatch_lanes_async\` call carrying all lane specs — NOT a per-agent Task/run-in-background pattern. Call \`dispatch_lanes_async\` with all lane specs in one call, record the returned \`batch_id\`, then IMMEDIATELY continue non-dependent architect work (refine the plan/obligation ledger, inspect metadata, prepare the synthesis/reviewer structure, run deterministic read-only tools). Do NOT sit idle waiting on running lanes, and do NOT synthesize findings from still-running lanes. Join later by calling \`collect_lane_results\` with \`wait: true\` as the explicit barrier immediately before you synthesize. Use blocking \`dispatch_lanes\` only when \`dispatch_lanes_async\`/promptAsync is unavailable. Keep each lane prompt compact: send large shared context (PR diff, ledger, scope) ONCE via the \`common_prompt\` field, or have lanes read it from a file by absolute path, instead of inlining the same blob into every lane prompt — inlining large context into many lanes is what produces malformed or truncated tool-call JSON and forces clumsy file workarounds. This non-blocking exception applies ONLY to read-only advisory lanes; it NEVER applies to coder delegations, to the test_engineer/reviewer Stage B completion gates, or to the critic PLAN-review gate, which all still follow "Send, STOP, wait" (or the Stage B parallel-dispatch exception above).
 3. ONE task per {{AGENT_PREFIX}}coder call. Never batch.
 3a. PRE-DELEGATION SCOPE CALL (required): BEFORE every {{AGENT_PREFIX}}coder delegation, you MUST call \`declare_scope\` with { taskId, files } listing the exact file(s) this task will modify (including generated/lockfile paths). No \`declare_scope\` call → no coder delegation. See Rule 1a.
 3b. PRE-DELEGATION SCOPE CALL (test_engineer): BEFORE any {{AGENT_PREFIX}}test_engineer delegation that will CREATE or MODIFY test files, you MUST call \`declare_scope\` with { taskId, files } listing the exact test file path(s) to write. Omitting this call leaves the write scope undeclared and will block the write. See Rule 1a.
@@ -126396,6 +126423,9 @@ init_state();
 init_create_tool();
 var MAX_LANES = 8;
 var MAX_PROMPT_CHARS = 80000;
+var COMMON_PROMPT_SEPARATOR = `
+
+`;
 var DEFAULT_TIMEOUT_MS3 = 300000;
 var MAX_TIMEOUT_MS2 = 1800000;
 var MAX_LANE_OUTPUT_CHARS = 20000;
@@ -126455,6 +126485,7 @@ var LaneSchema = exports_external.object({
 });
 var DispatchLanesArgsSchema = exports_external.object({
   lanes: exports_external.array(LaneSchema).min(1).max(MAX_LANES).describe("Read-only lane specs to dispatch concurrently"),
+  common_prompt: exports_external.string().min(1).regex(/\S/, "common_prompt must contain non-whitespace content").max(MAX_PROMPT_CHARS - COMMON_PROMPT_SEPARATOR.length - 1).optional().describe("Optional shared context prepended to every lane prompt. Send large shared context (PR diff, obligation ledger, scope) ONCE here instead of inlining the same blob into each lane prompt; this keeps the tool-call payload small and avoids malformed/truncated tool-call JSON. Combined common_prompt + per-lane prompt must not exceed the per-lane character limit."),
   max_concurrent: exports_external.number().int().min(1).max(MAX_LANES).optional().describe("Maximum lanes in flight at once; defaults to lane count"),
   timeout_ms: exports_external.number().int().min(10).max(MAX_TIMEOUT_MS2).optional().describe("Per-lane session create/prompt timeout in milliseconds")
 });
@@ -126502,7 +126533,15 @@ async function executeDispatchLanes(args2, directory, context = {}) {
       message: "OpenCode session client is not available"
     });
   }
-  const lanes = parsed.data.lanes;
+  const common = applyCommonPrompt(parsed.data.lanes, parsed.data.common_prompt);
+  if (!common.ok) {
+    return failureResult({
+      failure_class: "invalid_args",
+      message: "Invalid dispatch_lanes arguments",
+      errors: common.errors
+    });
+  }
+  const lanes = common.lanes;
   const maxConcurrent = Math.min(parsed.data.max_concurrent ?? lanes.length, lanes.length, MAX_LANES);
   const timeoutMs = parsed.data.timeout_ms ?? DEFAULT_TIMEOUT_MS3;
   const dispatcher = _internals82.createParallelDispatcher({
@@ -126542,7 +126581,15 @@ async function executeDispatchLanesAsync(args2, directory, context = {}) {
       message: "OpenCode session promptAsync client is not available"
     });
   }
-  const lanes = parsed.data.lanes;
+  const common = applyCommonPrompt(parsed.data.lanes, parsed.data.common_prompt);
+  if (!common.ok) {
+    return asyncFailureResult({
+      failure_class: "invalid_args",
+      message: "Invalid dispatch_lanes_async arguments",
+      errors: common.errors
+    });
+  }
+  const lanes = common.lanes;
   const batchId = parsed.data.batch_id ?? makeBatchId();
   if (findByBatchId(directory, batchId).length > 0) {
     return asyncFailureResult({
@@ -127113,6 +127160,21 @@ function collectFailureResult(args2) {
     errors: args2.errors
   };
 }
+function applyCommonPrompt(lanes, commonPrompt) {
+  if (!commonPrompt)
+    return { ok: true, lanes: [...lanes] };
+  const errors5 = [];
+  const merged = lanes.map((lane) => {
+    const prompt = `${commonPrompt}${COMMON_PROMPT_SEPARATOR}${lane.prompt}`;
+    if (prompt.length > MAX_PROMPT_CHARS) {
+      errors5.push(`Lane "${lane.id}" combined common_prompt + prompt is ${prompt.length} chars ` + `(common_prompt ${commonPrompt.length} + separator ${COMMON_PROMPT_SEPARATOR.length} + ` + `lane prompt ${lane.prompt.length}; max ${MAX_PROMPT_CHARS})`);
+    }
+    return { ...lane, prompt };
+  });
+  if (errors5.length > 0)
+    return { ok: false, errors: errors5 };
+  return { ok: true, lanes: merged };
+}
 function findDuplicateLaneIds(lanes) {
   const seen = new Set;
   const duplicates = new Set;
@@ -127197,9 +127259,10 @@ function sleep2(ms) {
   });
 }
 var dispatch_lanes = createSwarmTool({
-  description: "Dispatch multiple read-only exploration/review lanes concurrently through OpenCode sessions and return a structured join result.",
+  description: "Dispatch multiple read-only exploration/review lanes concurrently and BLOCK until every lane finishes, returning a structured join result. This blocks the caller until completion; for non-blocking dispatch that lets you keep working while lanes run, prefer dispatch_lanes_async + collect_lane_results and use this blocking variant only when promptAsync is unavailable. Keep each lane prompt compact: send large shared context once via common_prompt (or have lanes read it from a file by absolute path) instead of inlining it into every lane prompt.",
   args: {
     lanes: DispatchLanesArgsSchema.shape.lanes,
+    common_prompt: DispatchLanesArgsSchema.shape.common_prompt,
     max_concurrent: DispatchLanesArgsSchema.shape.max_concurrent,
     timeout_ms: DispatchLanesArgsSchema.shape.timeout_ms
   },
@@ -127211,9 +127274,10 @@ var dispatch_lanes = createSwarmTool({
   }
 });
 var dispatch_lanes_async = createSwarmTool({
-  description: "Launch multiple read-only advisory lanes with OpenCode promptAsync and return immediately with a batch id for collect_lane_results.",
+  description: "Launch multiple read-only advisory lanes with OpenCode promptAsync and return IMMEDIATELY with a batch id (non-blocking). After launching, keep working on non-dependent tasks while the lanes run, then call collect_lane_results to join. Keep each lane prompt compact: send large shared context once via common_prompt (or have lanes read it from a file by absolute path) instead of inlining it into every lane prompt, which can produce oversized or malformed tool-call JSON.",
   args: {
     lanes: DispatchLanesAsyncArgsSchema.shape.lanes,
+    common_prompt: DispatchLanesAsyncArgsSchema.shape.common_prompt,
     max_concurrent: DispatchLanesAsyncArgsSchema.shape.max_concurrent,
     timeout_ms: DispatchLanesAsyncArgsSchema.shape.timeout_ms,
     batch_id: DispatchLanesAsyncArgsSchema.shape.batch_id,

package/dist/prm/index.d.ts

@@ -8,9 +8,9 @@
  * - Escalation tracking via escalation
  *
  * This module provides the createPrmHook factory that returns the toolAfter
- * handler used by the swarm hook system. PRM replaces loop-detector.ts for
- * repetition_loop detection, but loop-detector.ts is kept as a fast circuit
- * breaker for backward compatibility.
+ * handler used by the swarm hook system. PRM complements loop-detector.ts:
+ * loop-detector.ts remains the fast circuit breaker in guardrails/tool-before,
+ * while PRM provides deeper multi-pattern detection and escalation.
  */
 export { formatCourseCorrectionForInjection, generateCourseCorrection, } from './course-correction';
 export { createDefaultEscalationState, EscalationTracker } from './escalation';

package/dist/sandbox/linux/bubblewrap-executor.d.ts

@@ -3,7 +3,8 @@
  *
  * Wraps shell commands with bwrap (Bubblewrap) to restrict process capabilities.
  * Uses --bind to mount scope paths read-write, --tmpfs for /tmp, and --ro-bind
- * for essential read-only system paths.
+ * for essential read-only system paths. Drops all capabilities via --cap-drop ALL
+ * for defense-in-depth within the user namespace.
  */
 import { type SandboxExecutor } from '../executor';
 /**

package/dist/sandbox/macos/sandbox-exec-executor.d.ts

@@ -1,14 +1,15 @@
 /**
  * macOS sandbox-exec sandbox executor.
  *
- * Wraps shell commands with sandbox-exec(8) to restrict process capabilities
- * using a profile-based deny-by-default policy.
+ * Wraps shell commands with sandbox-exec(8) to enforce file-write containment.
  *
- * Profile allows:
+ * Profile scope:
+ *   - Non-file operations (network, IPC, process creation, sysctl reads) are
+ *     ALLOWED via `(allow default)`. This executor enforces file-write
+ *     containment only — it is not a full-process sandbox.
  *   - Read-only access to essential system paths (/usr, /bin, /sbin, /lib)
- *   - Read-write access to each scope path
- *   - Read-write access to the temp directory (500MB bounded)
- *   - Denies all other file writes
+ *   - Read-write access to each scope path and the temp directory
+ *   - All other file writes are denied
  */
 import { type SandboxExecutor } from '../executor';
 /**

package/dist/sandbox/win32/restricted-environment-executor.d.ts

@@ -73,13 +73,23 @@ export declare class WindowsSandboxExecutor implements SandboxExecutor {
      *   - Sets scoped temp directory (%TEMP%, %TMP%)
      *   - Restricts PATH to safe system paths only
      *   - Removes dangerous environment variables that could be used to bypass restrictions
-     *   - Executes the command via cmd /c inside a PowerShell script
+     *   - Executes PowerShell-native cmdlets (filesystem cmdlets only) via Invoke-Expression,
+     *     and all other commands via cmd /c inside a PowerShell script
+     *
+     * Safety checks applied before wrapping:
+     *   - PowerShell escape patterns are rejected via detectPowerShellEscape
+     *   - PowerShell-native commands are restricted to a filesystem-only cmdlet whitelist
+     *   - PowerShell-native command bodies must not contain statement separators (;),
+     *     call operator (&), pipelines (|), backtick escapes (`), variable references ($),
+     *     subexpressions/parentheses, or newlines
      *
      * @param command   - Raw shell command to execute inside the sandbox
      * @param scopePaths - Additional scope paths to allow (merged with constructor scope)
      * @param tempDir   - Optional temp directory override
      * @returns A PowerShell-wrapped command string ready for shell execution,
      *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     * @throws {SandboxError} UNSAFE_PS_COMMAND when a PowerShell-native command body
+     *         contains characters that enable command injection via Invoke-Expression
      */
     wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
     /**

package/dist/tools/dispatch-lanes.d.ts

@@ -1,6 +1,7 @@
 import { z } from 'zod';
 import { createParallelDispatcher } from '../parallel/dispatcher/parallel-dispatcher.js';
 import { createSwarmTool } from './create-tool.js';
+export declare const MAX_PROMPT_CHARS = 80000;
 declare const LaneSchema: z.ZodObject<{
     id: z.ZodString;
     agent: z.ZodString;
@@ -12,6 +13,7 @@ declare const DispatchLanesArgsSchema: z.ZodObject<{
         agent: z.ZodString;
         prompt: z.ZodString;
     }, z.core.$strip>>;
+    common_prompt: z.ZodOptional<z.ZodString>;
     max_concurrent: z.ZodOptional<z.ZodNumber>;
     timeout_ms: z.ZodOptional<z.ZodNumber>;
 }, z.core.$strip>;
@@ -21,6 +23,7 @@ declare const DispatchLanesAsyncArgsSchema: z.ZodObject<{
         agent: z.ZodString;
         prompt: z.ZodString;
     }, z.core.$strip>>;
+    common_prompt: z.ZodOptional<z.ZodString>;
     max_concurrent: z.ZodOptional<z.ZodNumber>;
     timeout_ms: z.ZodOptional<z.ZodNumber>;
     batch_id: z.ZodOptional<z.ZodString>;
@@ -190,10 +193,35 @@ export declare const _internals: {
     sleep: (ms: number) => Promise<void>;
 };
 export declare const _test_exports: {
+    applyCommonPrompt: typeof applyCommonPrompt;
     extractLastAssistantText: typeof extractLastAssistantText;
     formatError: typeof formatError;
     nextCollectPollInterval: typeof nextCollectPollInterval;
     promptHash: typeof promptHash;
+    DispatchLanesArgsSchema: z.ZodObject<{
+        lanes: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            agent: z.ZodString;
+            prompt: z.ZodString;
+        }, z.core.$strip>>;
+        common_prompt: z.ZodOptional<z.ZodString>;
+        max_concurrent: z.ZodOptional<z.ZodNumber>;
+        timeout_ms: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>;
+    DispatchLanesAsyncArgsSchema: z.ZodObject<{
+        lanes: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            agent: z.ZodString;
+            prompt: z.ZodString;
+        }, z.core.$strip>>;
+        common_prompt: z.ZodOptional<z.ZodString>;
+        max_concurrent: z.ZodOptional<z.ZodNumber>;
+        timeout_ms: z.ZodOptional<z.ZodNumber>;
+        batch_id: z.ZodOptional<z.ZodString>;
+        mode: z.ZodOptional<z.ZodString>;
+        pr_head_sha: z.ZodOptional<z.ZodString>;
+        scope: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>;
 };
 type ReadOnlyToolPermissions = Record<string, false> & {
     write: false;
@@ -217,6 +245,24 @@ declare function extractLastAssistantText(messages: Array<{
     }>;
 }>): string;
 declare function nextCollectPollInterval(currentMs: number): number;
+type ApplyCommonPromptResult = {
+    ok: true;
+    lanes: DispatchLaneSpec[];
+} | {
+    ok: false;
+    errors: string[];
+};
+/**
+ * Prepend an optional shared `common_prompt` to every lane prompt so callers can
+ * send large shared context once instead of inlining it into each lane (which
+ * bloats the tool-call payload and triggers truncated/malformed tool-call JSON).
+ * Returns an error when any assembled prompt exceeds the per-lane character limit.
+ *
+ * Always returns a fresh array the caller owns: a shallow copy of the originals
+ * when no `commonPrompt` is provided, or shallow-copied lanes with rewritten
+ * prompts when it is. Callers may treat the returned array as their own.
+ */
+declare function applyCommonPrompt(lanes: DispatchLaneSpec[], commonPrompt: string | undefined): ApplyCommonPromptResult;
 declare function formatError(error: unknown): string;
 declare function promptHash(lane: DispatchLaneSpec, directory: string, batchId: string): string;
 export declare const dispatch_lanes: ReturnType<typeof createSwarmTool>;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.81.2",
+	"version": "7.81.4",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",

package/dist/sandbox/linux/edge-cases.d.ts

@@ -1,89 +0,0 @@
-/**
- * Edge case handling utilities for Bubblewrap sandbox.
- *
- * This module provides functions to detect and prevent:
- * - Symlink escape attacks
- * - /proc/self/fd access
- * - io_uring bypass
- * - Namespace escape
- * - Hard-link creation
- * - Rename/move across scope boundary
- * - mmap interception
- */
-/**
- * Check whether a path is a symlink and resolves to a location outside
- * any of the configured scope paths.
- *
- * @param path        - The path to check (may be a symlink)
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if the path is a symlink that escapes the sandbox
- */
-export declare function detectSymlinkEscape(path: string, scopePaths: string[]): boolean;
-/**
- * Check whether a path is under /proc/self/fd/, which provides
- * file descriptor access that can bypass normal path checks.
- *
- * @param path - The path to check
- * @returns true if the path is under /proc/self/fd/
- */
-export declare function detectProcFdAccess(path: string): boolean;
-/**
- * Detect whether io_uring is active on the system, which can be used
- * to perform I/O operations that bypass the seccomp filter.
- *
- * Note: This is a detection function only — it does not prevent io_uring usage.
- * Bubblewrap's --unshare-all combined with seccomp filtering can mitigate this.
- *
- * @returns true if io_uring appears to be active
- */
-export declare function detectIoUringBypass(): boolean;
-/**
- * Detect whether the current process is already running inside a user namespace.
- *
- * When a process is already inside a user namespace (rather than the initial
- * namespace), it may have different privileges and isolation properties than
- * expected. This can affect the security assumptions of a bubblewrap sandbox.
- *
- * @returns true if the current process is already inside a non-initial user namespace
- */
-export declare function detectNamespaceEscape(): boolean;
-/**
- * Check whether a path operation would create a hard link that escapes
- * the sandbox scope.
- *
- * Hard links can allow a file inside the sandbox to be linked to a location
- * outside the sandbox, potentially bypassing containment.
- *
- * @param path        - The path being linked to
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if creating a hard link at path would escape the sandbox
- */
-export declare function detectHardLinkEscape(path: string, scopePaths: string[]): boolean;
-/**
- * Alias for detectHardLinkEscape for API compatibility.
- * @param path        - The path being linked to
- * @param scopePaths  - Array of absolute scope paths
- * @returns true if creating a hard link at path would escape the sandbox
- */
-export declare function detectHardLinkCreation(path: string, scopePaths: string[]): boolean;
-/**
- * Check whether a rename or move operation crosses a scope boundary.
- *
- * Moving a file from inside a scope path to outside violates containment.
- *
- * @param oldPath    - The original path
- * @param newPath    - The destination path after rename/move
- * @param scopePaths - Array of absolute scope paths
- * @returns true if the rename crosses a scope boundary
- */
-export declare function detectRenameAcrossBoundary(oldPath: string, newPath: string, scopePaths: string[]): boolean;
-/**
- * Check whether a path pattern suggests mmap interception attempts.
- *
- * mmap can be used to map device files or anonymous memory that bypasses
- * normal file-based access controls.
- *
- * @param path - The path being accessed
- * @returns true if the path suggests mmap interception
- */
-export declare function detectMmapInterception(path: string): boolean;