opencode-swarm 7.83.0 → 7.85.0

package/dist/cli/index-hz59hg4h.js

@@ -0,0 +1,452 @@
+// @bun
+import {
+  init_logger,
+  warn
+} from "./index-yx44zd0p.js";
+import {
+  __esm,
+  __export,
+  __toCommonJS
+} from "./index-a76rekgs.js";
+
+// src/sandbox/win32/runner-client.ts
+var exports_runner_client = {};
+__export(exports_runner_client, {
+  probe: () => probe,
+  execute: () => execute,
+  buildDefaultPolicy: () => buildDefaultPolicy,
+  _resetProbeCache: () => _resetProbeCache,
+  _internals: () => _internals,
+  RUNNER_EXIT_CODES: () => RUNNER_EXIT_CODES
+});
+import { spawn, spawnSync } from "child_process";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { fileURLToPath } from "url";
+function findRunnerBinary() {
+  const arch = process.arch === "x64" ? "x64" : "arm64";
+  const platform = "win32";
+  const packagePaths = [
+    path.resolve(_runtimeDir, "..", "..", "..", "binaries", `${platform}-${arch}`, "swarm-sandbox-runner.exe"),
+    path.resolve(_runtimeDir, "..", "..", "..", "..", "binaries", `${platform}-${arch}`, "swarm-sandbox-runner.exe")
+  ];
+  for (const p of packagePaths) {
+    try {
+      if (fs.existsSync(p)) {
+        return p;
+      }
+    } catch {}
+  }
+  try {
+    const result = spawnSync("where", ["swarm-sandbox-runner.exe"], {
+      windowsHide: true,
+      encoding: "utf-8",
+      timeout: 2000,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    if (result.status === 0 && result.stdout?.trim()) {
+      return result.stdout.trim().split(`
+`)[0]?.trim() ?? null;
+    }
+  } catch {}
+  return null;
+}
+function probe() {
+  if (_cachedProbe !== undefined) {
+    return _cachedProbe;
+  }
+  if (process.platform !== "win32") {
+    _cachedProbe = {
+      available: false,
+      mode: "none",
+      capabilities: null,
+      error: "not Windows"
+    };
+    return _cachedProbe;
+  }
+  const binary = _internals.findRunnerBinary();
+  if (!binary) {
+    _cachedProbe = {
+      available: false,
+      mode: "none",
+      capabilities: null,
+      error: "runner binary not found"
+    };
+    warn("Sandbox runner binary not found \u2014 degrading to weak sandbox");
+    return _cachedProbe;
+  }
+  try {
+    const result = _internals.spawnRunner(binary, ["--probe"], {
+      windowsHide: true,
+      encoding: "utf-8",
+      timeout: 2000,
+      stdio: ["ignore", "pipe", "pipe"],
+      cwd: os.tmpdir()
+    });
+    if (result.error) {
+      _cachedProbe = {
+        available: false,
+        mode: "none",
+        capabilities: null,
+        error: `probe spawn error: ${result.error.code ?? result.error.message}`
+      };
+      warn(`Sandbox runner probe failed: ${_cachedProbe.error}`);
+      return _cachedProbe;
+    }
+    if (result.status !== 0) {
+      _cachedProbe = {
+        available: false,
+        mode: "none",
+        capabilities: null,
+        error: `probe exited with code ${result.status}`
+      };
+      warn(`Sandbox runner probe failed: ${_cachedProbe.error}`);
+      return _cachedProbe;
+    }
+    const capabilities = JSON.parse(result.stdout?.trim() ?? "{}");
+    let mode = "none";
+    if (capabilities.app_container_available) {
+      mode = "app-container";
+    } else if (capabilities.restricted_token_available) {
+      mode = "restricted-token";
+    }
+    _cachedProbe = {
+      available: mode !== "none",
+      mode,
+      capabilities
+    };
+    return _cachedProbe;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    _cachedProbe = {
+      available: false,
+      mode: "none",
+      capabilities: null,
+      error: `probe threw: ${msg}`
+    };
+    warn(`Sandbox runner probe threw: ${msg}`);
+    return _cachedProbe;
+  }
+}
+async function execute(command, policy, mode = "auto") {
+  const binary = _internals.findRunnerBinary();
+  if (!binary) {
+    throw new Error("runner binary not found");
+  }
+  const policyJson = JSON.stringify(policy);
+  const args = ["--policy-stdin", "--mode", mode, "--", ...command];
+  return new Promise((resolve2, reject) => {
+    let proc;
+    const timeout = setTimeout(() => {
+      proc?.kill();
+      reject(new Error("runner execution timeout"));
+    }, policy.wall_clock_timeout_ms + 5000);
+    const unref = timeout.unref;
+    if (typeof unref === "function") {
+      unref.call(timeout);
+    }
+    try {
+      proc = _internals.spawnAsync(binary, args, {
+        windowsHide: true,
+        stdio: ["pipe", "pipe", "pipe"],
+        cwd: policy.workspace_roots[0] ?? os.tmpdir()
+      });
+    } catch (err) {
+      clearTimeout(timeout);
+      reject(err);
+      return;
+    }
+    proc.stdin?.write(policyJson);
+    proc.stdin?.end();
+    let stdout = "";
+    let stderr = "";
+    const events = [];
+    proc.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    proc.stderr?.on("data", (chunk) => {
+      const lines = chunk.toString().split(`
+`);
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed)
+          continue;
+        try {
+          const event = JSON.parse(trimmed);
+          if (event.type) {
+            events.push(event);
+            continue;
+          }
+        } catch {}
+        stderr += `${trimmed}
+`;
+      }
+    });
+    proc.on("error", (err) => {
+      clearTimeout(timeout);
+      reject(err);
+    });
+    proc.on("close", (code) => {
+      clearTimeout(timeout);
+      const startEvent = events.find((e) => e.type === "start");
+      const runnerMode = startEvent?.mode ?? mode;
+      resolve2({
+        exitCode: code ?? 1,
+        stdout,
+        stderr,
+        events,
+        mode: runnerMode
+      });
+    });
+  });
+}
+function _resetProbeCache() {
+  _cachedProbe = undefined;
+}
+function buildDefaultPolicy(workspaceRoot, runId) {
+  const id = runId ?? `swarm-${crypto.randomUUID?.() ?? Date.now()}`;
+  const appData = process.env.LOCALAPPDATA ?? path.join(os.homedir(), "AppData", "Local");
+  const tempRoot = path.join(appData, "opencode-swarm", "sandbox", id, "temp");
+  return {
+    schema_version: 1,
+    run_id: id,
+    workspace_roots: [workspaceRoot],
+    writable_roots: [workspaceRoot],
+    read_only_subpaths: [".git", ".codex", ".agents", ".swarm"],
+    temp_root: tempRoot,
+    temp_cap_bytes: 524288000,
+    memory_cap_bytes: 2147483648,
+    child_process_cap: 16,
+    wall_clock_timeout_ms: 600000,
+    network_mode: "off",
+    env_allowlist: ["PATH", "TEMP", "TMP", "USERPROFILE", "SYSTEMROOT"],
+    env_overrides: {
+      HTTP_PROXY: "http://127.0.0.1:1",
+      HTTPS_PROXY: "http://127.0.0.1:1"
+    },
+    path_stubs: ["ssh.exe", "curl.exe", "wget.exe", "scp.exe", "sftp.exe"],
+    private_desktop: true,
+    deny_alternate_data_streams: true,
+    deny_unc_paths: true,
+    deny_device_paths: true,
+    deny_symlink_egress: true
+  };
+}
+var _runtimeDir, RUNNER_EXIT_CODES, _cachedProbe, _internals;
+var init_runner_client = __esm(() => {
+  init_logger();
+  _runtimeDir = fileURLToPath(new URL(".", import.meta.url));
+  RUNNER_EXIT_CODES = {
+    SUCCESS: 0,
+    CHILD_NON_ZERO: 1,
+    POLICY_VIOLATION: 64,
+    QUOTA_EXCEEDED: 65,
+    WALL_CLOCK_TIMEOUT: 66,
+    LAUNCHER_MISCONFIG: 67,
+    OS_API_FAILURE: 68,
+    PROBE_FAILED: 69
+  };
+  _internals = {
+    findRunnerBinary,
+    spawnRunner: spawnSync,
+    spawnAsync: spawn
+  };
+});
+
+// src/sandbox/capability-probe.ts
+import { execFile, spawnSync as spawnSync2 } from "child_process";
+import * as os2 from "os";
+function withProbeTimeout(cmd, args, ms) {
+  return new Promise((resolve2, reject) => {
+    const controller = new AbortController;
+    const timer = setTimeout(() => {
+      controller.abort();
+      proc?.kill();
+    }, ms);
+    const unref = timer.unref;
+    if (typeof unref === "function") {
+      unref.call(timer);
+    }
+    let proc;
+    try {
+      proc = execFile(cmd, args, {
+        signal: controller.signal,
+        timeout: ms,
+        windowsHide: true,
+        cwd: os2.tmpdir()
+      }, (error, stdout, _stderr) => {
+        clearTimeout(timer);
+        if (error) {
+          const exc = error;
+          if (exc.code === "ENOENT" || exc.code === "ENOTFOUND") {
+            reject(new Error("binary not found"));
+          } else {
+            reject(error);
+          }
+          return;
+        }
+        resolve2(stdout?.trim() ?? "");
+      });
+    } catch (spawnError) {
+      clearTimeout(timer);
+      reject(spawnError);
+    }
+  });
+}
+async function probeLinux() {
+  try {
+    const output = await withProbeTimeout("bwrap", ["--version"], 2000);
+    if (output.length > 0) {
+      return {
+        status: "enabled",
+        mechanism: "Bubblewrap",
+        platform: "linux"
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "Bubblewrap",
+      platform: "linux",
+      error: "binary returned empty version"
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg === "binary not found") {
+      return {
+        status: "unsupported",
+        mechanism: "Bubblewrap",
+        platform: "linux",
+        error: msg
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "Bubblewrap",
+      platform: "linux",
+      error: msg
+    };
+  }
+}
+async function probeMacOS() {
+  try {
+    const output = await withProbeTimeout("sandbox-exec", ["--version"], 2000);
+    if (output.length > 0) {
+      return {
+        status: "enabled",
+        mechanism: "sandbox-exec",
+        platform: "darwin"
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "sandbox-exec",
+      platform: "darwin",
+      error: "binary returned empty version"
+    };
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (msg === "binary not found") {
+      return {
+        status: "unsupported",
+        mechanism: "sandbox-exec",
+        platform: "darwin",
+        error: msg
+      };
+    }
+    return {
+      status: "disabled",
+      mechanism: "sandbox-exec",
+      platform: "darwin",
+      error: msg
+    };
+  }
+}
+function probeWindows() {
+  try {
+    const { probe: runnerProbe } = (init_runner_client(), __toCommonJS(exports_runner_client));
+    const result = runnerProbe();
+    if (result.available) {
+      return {
+        status: "enabled",
+        platform: "win32",
+        mechanism: `native-runner/${result.mode}`
+      };
+    }
+  } catch {}
+  try {
+    const result = spawnSync2("cmd", ["/c", "echo", "ok"], {
+      windowsHide: true,
+      encoding: "utf-8",
+      timeout: 5000,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    if (result.error) {
+      return {
+        status: "disabled",
+        platform: "win32",
+        mechanism: "PowerShell wrapper",
+        error: `cmd.exe probe failed: ${result.error.code}`
+      };
+    }
+    return result.status === 0 ? {
+      status: "enabled",
+      platform: "win32",
+      mechanism: "PowerShell wrapper"
+    } : {
+      status: "disabled",
+      platform: "win32",
+      mechanism: "PowerShell wrapper",
+      error: "cmd.exe probe returned non-zero"
+    };
+  } catch (err) {
+    return {
+      status: "disabled",
+      platform: "win32",
+      mechanism: "PowerShell wrapper",
+      error: String(err)
+    };
+  }
+}
+function isBubblewrapAvailable() {
+  return _cached?.status === "enabled" && _cached?.platform === "linux";
+}
+function isSandboxExecAvailable() {
+  return _cached?.status === "enabled" && _cached?.platform === "darwin";
+}
+function isWindowsSandboxAvailable() {
+  return _cached?.status === "enabled" && _cached?.platform === "win32";
+}
+
+class SandboxCapabilityProbe {
+  async detect() {
+    if (_cached !== undefined) {
+      return _cached;
+    }
+    const platform = process.platform;
+    switch (platform) {
+      case "linux":
+        _cached = await probeLinux();
+        break;
+      case "darwin":
+        _cached = await probeMacOS();
+        break;
+      case "win32":
+        _cached = probeWindows();
+        break;
+      default: {
+        _cached = {
+          status: "unsupported",
+          mechanism: "unknown",
+          platform,
+          error: `unsupported platform: ${platform}`
+        };
+      }
+    }
+    return _cached;
+  }
+}
+var _cached;
+var init_capability_probe = () => {};
+
+export { _internals, probe, execute, buildDefaultPolicy, init_runner_client, isBubblewrapAvailable, isSandboxExecAvailable, isWindowsSandboxAvailable, SandboxCapabilityProbe, init_capability_probe };

package/dist/cli/index-jtqkh8jf.js

@@ -0,0 +1,119 @@
+// @bun
+// src/utils/swarm-artifact-cache.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+var MAX_CACHE_ENTRIES = 128;
+var textCache = new Map;
+var parsedCache = new Map;
+var stats = {
+  textReadCount: 0,
+  textCacheHitCount: 0,
+  textCacheMissCount: 0,
+  parsedReadCount: 0,
+  parseCount: 0,
+  parsedCacheHitCount: 0,
+  parsedCacheMissCount: 0,
+  statFailureCount: 0,
+  evictionCount: 0,
+  textEvictionCount: 0,
+  parsedEvictionCount: 0,
+  cloneFallbackCount: 0,
+  textEntryCount: 0,
+  parsedEntryCount: 0
+};
+function sameStamp(a, b) {
+  return a.mtimeMs === b.mtimeMs && a.ctimeMs === b.ctimeMs && a.size === b.size;
+}
+async function getStamp(filePath) {
+  try {
+    const stat2 = await fs.stat(filePath);
+    if (!stat2.isFile())
+      return null;
+    return { mtimeMs: stat2.mtimeMs, ctimeMs: stat2.ctimeMs, size: stat2.size };
+  } catch {
+    stats.statFailureCount++;
+    return null;
+  }
+}
+function canStoreRead(before, after) {
+  return after !== null && sameStamp(before, after);
+}
+function setBounded(cache, key, value, cacheKind) {
+  cache.set(key, value);
+  while (cache.size > MAX_CACHE_ENTRIES) {
+    const oldest = cache.keys().next().value;
+    if (oldest === undefined)
+      break;
+    cache.delete(oldest);
+    stats.evictionCount++;
+    if (cacheKind === "text") {
+      stats.textEvictionCount++;
+    } else {
+      stats.parsedEvictionCount++;
+    }
+  }
+  stats.textEntryCount = textCache.size;
+  stats.parsedEntryCount = parsedCache.size;
+}
+function cloneCachedValue(value) {
+  if (value === null || typeof value !== "object")
+    return value;
+  if (typeof structuredClone === "function") {
+    return structuredClone(value);
+  }
+  stats.cloneFallbackCount++;
+  return JSON.parse(JSON.stringify(value));
+}
+async function readCachedTextFile(filePath, directRead) {
+  const cacheKey = path.resolve(filePath);
+  const stamp = await getStamp(cacheKey);
+  if (!stamp) {
+    stats.textReadCount++;
+    return directRead();
+  }
+  const cached = textCache.get(cacheKey);
+  if (cached && sameStamp(cached, stamp)) {
+    stats.textCacheHitCount++;
+    return cached.value;
+  }
+  stats.textCacheMissCount++;
+  stats.textReadCount++;
+  const value = await directRead();
+  const afterReadStamp = await getStamp(cacheKey);
+  if (value !== null && canStoreRead(stamp, afterReadStamp)) {
+    setBounded(textCache, cacheKey, { ...afterReadStamp, value }, "text");
+  }
+  return value;
+}
+async function readCachedParsedFile(filePath, namespace, readText, parse) {
+  const resolvedPath = path.resolve(filePath);
+  const cacheKey = `${resolvedPath}\x00${namespace}`;
+  const stamp = await getStamp(resolvedPath);
+  if (!stamp) {
+    stats.parsedReadCount++;
+    const content2 = await readText();
+    if (content2 === null)
+      return null;
+    stats.parseCount++;
+    return parse(content2);
+  }
+  const cached = parsedCache.get(cacheKey);
+  if (cached && sameStamp(cached, stamp)) {
+    stats.parsedCacheHitCount++;
+    return cloneCachedValue(cached.value);
+  }
+  stats.parsedCacheMissCount++;
+  stats.parsedReadCount++;
+  const content = await readText();
+  if (content === null)
+    return null;
+  stats.parseCount++;
+  const value = parse(content);
+  const afterReadStamp = await getStamp(resolvedPath);
+  if (canStoreRead(stamp, afterReadStamp)) {
+    setBounded(parsedCache, cacheKey, { ...afterReadStamp, value }, "parsed");
+  }
+  return cloneCachedValue(value);
+}
+
+export { readCachedTextFile, readCachedParsedFile };

package/dist/cli/index-p0arc26j.js

@@ -0,0 +1,28 @@
+// @bun
+// src/utils/merge.ts
+var MAX_MERGE_DEPTH = 10;
+function deepMergeInternal(base, override, depth) {
+  if (depth >= MAX_MERGE_DEPTH) {
+    throw new Error(`deepMerge exceeded maximum depth of ${MAX_MERGE_DEPTH}`);
+  }
+  const result = { ...base };
+  for (const key of Object.keys(override)) {
+    const baseVal = base[key];
+    const overrideVal = override[key];
+    if (typeof baseVal === "object" && baseVal !== null && typeof overrideVal === "object" && overrideVal !== null && !Array.isArray(baseVal) && !Array.isArray(overrideVal)) {
+      result[key] = deepMergeInternal(baseVal, overrideVal, depth + 1);
+    } else {
+      result[key] = overrideVal;
+    }
+  }
+  return result;
+}
+function deepMerge(base, override) {
+  if (!base)
+    return override;
+  if (!override)
+    return base;
+  return deepMergeInternal(base, override, 0);
+}
+
+export { deepMerge };