opencode-swarm 7.83.0 → 7.84.0

package/dist/cli/index-fjwwrwr5.js

@@ -0,0 +1,37 @@
+// @bun
+import {
+  withEvidenceLock
+} from "./index-bcp79s17.js";
+import {
+  bunWrite
+} from "./index-b9v501fr.js";
+
+// src/evidence/task-file.ts
+import { renameSync, unlinkSync } from "fs";
+import * as path from "path";
+function taskEvidenceRelPath(taskId) {
+  return path.join("evidence", `${taskId}.json`);
+}
+function taskEvidencePath(directory, taskId) {
+  return path.join(directory, ".swarm", taskEvidenceRelPath(taskId));
+}
+var _internals = {
+  renameSync,
+  unlinkSync
+};
+async function atomicWriteFile(targetPath, content) {
+  const tempPath = `${targetPath}.tmp.${Date.now()}.${Math.floor(Math.random() * 1e9)}`;
+  try {
+    await bunWrite(tempPath, content);
+    _internals.renameSync(tempPath, targetPath);
+  } finally {
+    try {
+      _internals.unlinkSync(tempPath);
+    } catch {}
+  }
+}
+function withTaskEvidenceLock(directory, taskId, agent, fn) {
+  return withEvidenceLock(directory, taskEvidenceRelPath(taskId), agent, taskId, fn);
+}
+
+export { taskEvidencePath, atomicWriteFile, withTaskEvidenceLock };

package/dist/cli/index-hz59hg4h.js

@@ -0,0 +1,452 @@
+// @bun
+import {
+  init_logger,
+  warn
+} from "./index-yx44zd0p.js";
+import {
+  __esm,
+  __export,
+  __toCommonJS
+} from "./index-a76rekgs.js";
+
+// src/sandbox/win32/runner-client.ts
+var exports_runner_client = {};
+__export(exports_runner_client, {
+  probe: () => probe,
+  execute: () => execute,
+  buildDefaultPolicy: () => buildDefaultPolicy,
+  _resetProbeCache: () => _resetProbeCache,
+  _internals: () => _internals,
+  RUNNER_EXIT_CODES: () => RUNNER_EXIT_CODES
+});
+import { spawn, spawnSync } from "child_process";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { fileURLToPath } from "url";
+function findRunnerBinary() {
+  const arch = process.arch === "x64" ? "x64" : "arm64";
+  const platform = "win32";
+  const packagePaths = [
+    path.resolve(_runtimeDir, "..", "..", "..", "binaries", `${platform}-${arch}`, "swarm-sandbox-runner.exe"),
+    path.resolve(_runtimeDir, "..", "..", "..", "..", "binaries", `${platform}-${arch}`, "swarm-sandbox-runner.exe")
+  ];
+  for (const p of packagePaths) {
+    try {
+      if (fs.existsSync(p)) {
+        return p;
+      }
+    } catch {}
+  }
+  try {
+    const result = spawnSync("where", ["swarm-sandbox-runner.exe"], {
+      windowsHide: true,
+      encoding: "utf-8",
+      timeout: 2000,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    if (result.status === 0 && result.stdout?.trim()) {
+      return result.stdout.trim().split(`
+`)[0]?.trim() ?? null;
+    }
+  } catch {}
+  return null;
+}
+function probe() {
+  if (_cachedProbe !== undefined) {
+    return _cachedProbe;
+  }
+  if (process.platform !== "win32") {
+    _cachedProbe = {
+      available: false,
+      mode: "none",
+      capabilities: null,
+      error: "not Windows"
+    };
+    return _cachedProbe;
+  }
+  const binary = _internals.findRunnerBinary();
+  if (!binary) {
+    _cachedProbe = {
+      available: false,
+      mode: "none",
+      capabilities: null,
+      error: "runner binary not found"
+    };
+    warn("Sandbox runner binary not found \u2014 degrading to weak sandbox");
+    return _cachedProbe;
+  }
+  try {
+    const result = _internals.spawnRunner(binary, ["--probe"], {
+      windowsHide: true,
+      encoding: "utf-8",
+      timeout: 2000,
+      stdio: ["ignore", "pipe", "pipe"],
+      cwd: os.tmpdir()
+    });
+    if (result.error) {
+      _cachedProbe = {
+        available: false,
+        mode: "none",
+        capabilities: null,
+        error: `probe spawn error: ${result.error.code ?? result.error.message}`
+      };
+      warn(`Sandbox runner probe failed: ${_cachedProbe.error}`);
+      return _cachedProbe;
+    }
+    if (result.status !== 0) {
+      _cachedProbe = {
+        available: false,
+        mode: "none",
+        capabilities: null,
+        error: `probe exited with code ${result.status}`
+      };
+      warn(`Sandbox runner probe failed: ${_cachedProbe.error}`);
+      return _cachedProbe;
+    }
+    const capabilities = JSON.parse(result.stdout?.trim() ?? "{}");
+    let mode = "none";
+    if (capabilities.app_container_available) {
+      mode = "app-container";
+    } else if (capabilities.restricted_token_available) {
+      mode = "restricted-token";
+    }
+    _cachedProbe = {
+      available: mode !== "none",
+      mode,
+      capabilities
+    };
+    return _cachedProbe;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    _cachedProbe = {
+      available: false,
+      mode: "none",
+      capabilities: null,
+      error: `probe threw: ${msg}`
+    };
+    warn(`Sandbox runner probe threw: ${msg}`);
+    return _cachedProbe;
+  }
+}
+async function execute(command, policy, mode = "auto") {
+  const binary = _internals.findRunnerBinary();
+  if (!binary) {
+    throw new Error("runner binary not found");
+  }
+  const policyJson = JSON.stringify(policy);
+  const args = ["--policy-stdin", "--mode", mode, "--", ...command];
+  return new Promise((resolve2, reject) => {
+    let proc;
+    const timeout = setTimeout(() => {
+      proc?.kill();
+      reject(new Error("runner execution timeout"));
+    }, policy.wall_clock_timeout_ms + 5000);
+    const unref = timeout.unref;
+    if (typeof unref === "function") {
+      unref.call(timeout);
+    }
+    try {
+      proc = _internals.spawnAsync(binary, args, {
+        windowsHide: true,
+        stdio: ["pipe", "pipe", "pipe"],
+        cwd: policy.workspace_roots[0] ?? os.tmpdir()
+      });
+    } catch (err) {
+      clearTimeout(timeout);
+      reject(err);
+      return;
+    }
+    proc.stdin?.write(policyJson);
+    proc.stdin?.end();
+    let stdout = "";
+    let stderr = "";
+    const events = [];
+    proc.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    proc.stderr?.on("data", (chunk) => {
+      const lines = chunk.toString().split(`
+`);
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed)
+          continue;
+        try {
+          const event = JSON.parse(trimmed);
+          if (event.type) {
+            events.push(event);
+            continue;
+          }
+        } catch {}
+        stderr += `${trimmed}
+`;
+      }
+    });
+    proc.on("error", (err) => {
+      clearTimeout(timeout);
+      reject(err);
+    });
+    proc.on("close", (code) => {
+      clearTimeout(timeout);
+      const startEvent = events.find((e) => e.type === "start");
+      const runnerMode = startEvent?.mode ?? mode;
+      resolve2({
+        exitCode: code ?? 1,
+        stdout,
+        stderr,
+        events,
+        mode: runnerMode
+      });
+    });
+  });
+}
+function _resetProbeCache() {
+  _cachedProbe = undefined;
+}
+function buildDefaultPolicy(workspaceRoot, runId) {
+  const id = runId ?? `swarm-${crypto.randomUUID?.() ?? Date.now()}`;
+  const appData = process.env.LOCALAPPDATA ?? path.join(os.homedir(), "AppData", "Local");
+  const tempRoot = path.join(appData, "opencode-swarm", "sandbox", id, "temp");
+  return {
+    schema_version: 1,
+    run_id: id,
+    workspace_roots: [workspaceRoot],
+    writable_roots: [workspaceRoot],
+    read_only_subpaths: [".git", ".codex", ".agents", ".swarm"],
+    temp_root: tempRoot,
+    temp_cap_bytes: 524288000,
+    memory_cap_bytes: 2147483648,
+    child_process_cap: 16,
+    wall_clock_timeout_ms: 600000,
+    network_mode: "off",
+    env_allowlist: ["PATH", "TEMP", "TMP", "USERPROFILE", "SYSTEMROOT"],
+    env_overrides: {
+      HTTP_PROXY: "http://127.0.0.1:1",
+      HTTPS_PROXY: "http://127.0.0.1:1"
+    },
+    path_stubs: ["ssh.exe", "curl.exe", "wget.exe", "scp.exe", "sftp.exe"],
+    private_desktop: true,
+    deny_alternate_data_streams: true,
+    deny_unc_paths: true,
+    deny_device_paths: true,
+    deny_symlink_egress: true
+  };
+}
+var _runtimeDir, RUNNER_EXIT_CODES, _cachedProbe, _internals;
+var init_runner_client = __esm(() => {
+  init_logger();
+  _runtimeDir = fileURLToPath(new URL(".", import.meta.url));
+  RUNNER_EXIT_CODES = {
+    SUCCESS: 0,
+    CHILD_NON_ZERO: 1,
+    POLICY_VIOLATION: 64,
+    QUOTA_EXCEEDED: 65,
+    WALL_CLOCK_TIMEOUT: 66,
+    LAUNCHER_MISCONFIG: 67,
+    OS_API_FAILURE: 68,
+    PROBE_FAILED: 69
+  };
+  _internals = {
+    findRunnerBinary,
+    spawnRunner: spawnSync,
+    spawnAsync: spawn
+  };
+});
+
+// src/sandbox/capability-probe.ts
+import { execFile, spawnSync as spawnSync2 } from "child_process";
+import * as os2 from "os";
+function withProbeTimeout(cmd, args, ms) {
+  return new Promise((resolve2, reject) => {
+    const controller = new AbortController;
+    const timer = setTimeout(() => {
+      controller.abort();
+      proc?.kill();
+    }, ms);
+    const unref = timer.unref;
+    if (typeof unref === "function") {
+      unref.call(timer);
+    }
+    let proc;
+    try {
+      proc = execFile(cmd, args, {
+        signal: controller.signal,
+        timeout: ms,
+        windowsHide: true,
+        cwd: os2.tmpdir()
+      }, (error, stdout, _stderr) => {
+        clearTimeout(timer);
+        if (error) {
+          const exc = error;
+          if (exc.code === "ENOENT" || exc.code === "ENOTFOUND") {
+            reject(new Error("binary not found"));
+          } else {
+            reject(error);
+          }
+          return;
+        }
+        resolve2(stdout?.trim() ?? "");
+      });
+    } catch (spawnError) {
+      clearTimeout(timer);
+      reject(spawnError);
+    }
+  });
+}
+async function probeLinux() {
+  try {
+    const output = await withProbeTimeout("bwrap", ["--version"], 2000);
+    if (output.length > 0) {
+      return {
+        status: "enabled",
+        mechanism: "Bubblewrap",
+        platform: "linux"
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "Bubblewrap",
+      platform: "linux",
+      error: "binary returned empty version"
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg === "binary not found") {
+      return {
+        status: "unsupported",
+        mechanism: "Bubblewrap",
+        platform: "linux",
+        error: msg
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "Bubblewrap",
+      platform: "linux",
+      error: msg
+    };
+  }
+}
+async function probeMacOS() {
+  try {
+    const output = await withProbeTimeout("sandbox-exec", ["--version"], 2000);
+    if (output.length > 0) {
+      return {
+        status: "enabled",
+        mechanism: "sandbox-exec",
+        platform: "darwin"
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "sandbox-exec",
+      platform: "darwin",
+      error: "binary returned empty version"
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg === "binary not found") {
+      return {
+        status: "unsupported",
+        mechanism: "sandbox-exec",
+        platform: "darwin",
+        error: msg
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "sandbox-exec",
+      platform: "darwin",
+      error: msg
+    };
+  }
+}
+function probeWindows() {
+  try {
+    const { probe: runnerProbe } = (init_runner_client(), __toCommonJS(exports_runner_client));
+    const result = runnerProbe();
+    if (result.available) {
+      return {
+        status: "enabled",
+        platform: "win32",
+        mechanism: `native-runner/${result.mode}`
+      };
+    }
+  } catch {}
+  try {
+    const result = spawnSync2("cmd", ["/c", "echo", "ok"], {
+      windowsHide: true,
+      encoding: "utf-8",
+      timeout: 5000,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    if (result.error) {
+      return {
+        status: "disabled",
+        platform: "win32",
+        mechanism: "PowerShell wrapper",
+        error: `cmd.exe probe failed: ${result.error.code}`
+      };
+    }
+    return result.status === 0 ? {
+      status: "enabled",
+      platform: "win32",
+      mechanism: "PowerShell wrapper"
+    } : {
+      status: "disabled",
+      platform: "win32",
+      mechanism: "PowerShell wrapper",
+      error: "cmd.exe probe returned non-zero"
+    };
+  } catch (err) {
+    return {
+      status: "disabled",
+      platform: "win32",
+      mechanism: "PowerShell wrapper",
+      error: String(err)
+    };
+  }
+}
+function isBubblewrapAvailable() {
+  return _cached?.status === "enabled" && _cached?.platform === "linux";
+}
+function isSandboxExecAvailable() {
+  return _cached?.status === "enabled" && _cached?.platform === "darwin";
+}
+function isWindowsSandboxAvailable() {
+  return _cached?.status === "enabled" && _cached?.platform === "win32";
+}
+
+class SandboxCapabilityProbe {
+  async detect() {
+    if (_cached !== undefined) {
+      return _cached;
+    }
+    const platform = process.platform;
+    switch (platform) {
+      case "linux":
+        _cached = await probeLinux();
+        break;
+      case "darwin":
+        _cached = await probeMacOS();
+        break;
+      case "win32":
+        _cached = probeWindows();
+        break;
+      default: {
+        _cached = {
+          status: "unsupported",
+          mechanism: "unknown",
+          platform,
+          error: `unsupported platform: ${platform}`
+        };
+      }
+    }
+    return _cached;
+  }
+}
+var _cached;
+var init_capability_probe = () => {};
+
+export { _internals, probe, execute, buildDefaultPolicy, init_runner_client, isBubblewrapAvailable, isSandboxExecAvailable, isWindowsSandboxAvailable, SandboxCapabilityProbe, init_capability_probe };