opencode-ultra 0.5.0 → 0.5.1

package/dist/index.js

@@ -14465,7 +14465,11 @@ var PluginConfigSchema = exports_external.object({
   todo_enforcer: exports_external.object({
     maxEnforcements: exports_external.number().min(0).optional()
   }).optional(),
-  mcp_api_keys: exports_external.record(exports_external.string(), exports_external.string()).optional()
+  mcp_api_keys: exports_external.record(exports_external.string(), exports_external.string()).optional(),
+  safety: exports_external.object({
+    maxTotalSpawned: exports_external.number().min(1).optional(),
+    agentTimeoutMs: exports_external.number().min(1000).optional()
+  }).optional()
 }).passthrough();
 function parsePluginConfig(raw) {
   const result = PluginConfigSchema.safeParse(raw);
@@ -27426,16 +27430,89 @@ function resolveCategory(categoryName, configCategories) {
   return { ...builtin, ...override };
 }
 
+// src/safety/sanitizer.ts
+var INJECTION_PATTERNS = [
+  { pattern: /ignore\s+(?:all\s+)?(?:previous\s+|prior\s+|above\s+)?instructions/i, label: "instruction-override" },
+  { pattern: /disregard\s+(?:all\s+)?(?:previous\s+|prior\s+)?(?:instructions|rules|guidelines)/i, label: "instruction-override" },
+  { pattern: /forget\s+(?:all\s+)?(?:previous\s+|prior\s+)?(?:instructions|context|rules)/i, label: "instruction-override" },
+  { pattern: /override\s+(?:all\s+)?(?:previous\s+|prior\s+)?(?:instructions|rules|system)/i, label: "instruction-override" },
+  { pattern: /you\s+are\s+now\s+(?:a\s+|an\s+|in\s+)?/i, label: "role-hijack" },
+  { pattern: /pretend\s+(?:you\s+are|to\s+be|you're)\s+/i, label: "role-hijack" },
+  { pattern: /act\s+as\s+(?:if\s+)?(?:you\s+(?:are|were)\s+)?/i, label: "role-hijack" },
+  { pattern: /role[\s-]?play\s+as/i, label: "role-hijack" },
+  { pattern: /switch\s+(?:to\s+)?(?:your\s+)?(?:new\s+)?(?:role|persona|identity)/i, label: "role-hijack" },
+  { pattern: /<\/?system(?:\s[^>]*)?>/, label: "fake-tag" },
+  { pattern: /<\/?instructions?(?:\s[^>]*)?>/, label: "fake-tag" },
+  { pattern: /<\/?prompt(?:\s[^>]*)?>/, label: "fake-tag" },
+  { pattern: /<\/?assistant(?:\s[^>]*)?>/, label: "fake-tag" },
+  { pattern: /<\/?human(?:\s[^>]*)?>/, label: "fake-tag" },
+  { pattern: /\[SYSTEM\](?:\s*:)?/i, label: "fake-tag" },
+  { pattern: /\[INST\]|\[\/INST\]/i, label: "fake-tag" },
+  { pattern: /new\s+(?:system\s+)?instructions?\s*:/i, label: "new-instructions" },
+  { pattern: /updated?\s+(?:system\s+)?instructions?\s*:/i, label: "new-instructions" },
+  { pattern: /revised?\s+(?:system\s+)?instructions?\s*:/i, label: "new-instructions" },
+  { pattern: /(?:run|execute|eval)\s*\(\s*['"`].*(?:rm\s+-rf|curl\s+.*\|\s*(?:sh|bash)|wget\s+.*\|\s*(?:sh|bash))/i, label: "dangerous-command" },
+  { pattern: /\brm\s+-rf\s+[\/~]/i, label: "dangerous-command" },
+  { pattern: /(?:\u5168\u3066\u306E|\u3059\u3079\u3066\u306E)?(?:\u524D\u306E|\u4EE5\u524D\u306E)?\u6307\u793A\u3092(?:\u7121\u8996|\u5FD8\u308C|\u53D6\u308A\u6D88)/i, label: "instruction-override-ja" },
+  { pattern: /(?:\u65B0\u3057\u3044|\u66F4\u65B0\u3055\u308C\u305F)\u6307\u793A\s*[:\uFF1A]/i, label: "new-instructions-ja" }
+];
+var SUSPICIOUS_UNICODE = /[\u200B-\u200F\u202A-\u202E\u2060-\u2069\uFEFF\u00AD]/g;
+function sanitizeAgentOutput(text) {
+  const warnings = [];
+  const invisibleCount = (text.match(SUSPICIOUS_UNICODE) || []).length;
+  if (invisibleCount > 0) {
+    warnings.push(`Stripped ${invisibleCount} suspicious Unicode characters`);
+    text = text.replace(SUSPICIOUS_UNICODE, "");
+  }
+  for (const { pattern, label } of INJECTION_PATTERNS) {
+    if (pattern.test(text)) {
+      warnings.push(`Injection pattern detected: ${label}`);
+      text = text.replace(pattern, (match) => `[SANITIZED:${label}]`);
+    }
+  }
+  const flagged = warnings.length > 0;
+  if (flagged) {
+    log("Sanitizer flagged content", { warnings });
+  }
+  return { text, flagged, warnings };
+}
+function sanitizeSpawnResult(result) {
+  const { text, flagged, warnings } = sanitizeAgentOutput(result);
+  if (!flagged)
+    return text;
+  const banner = `
+
+> **[Safety] Potential prompt injection detected in agent output.**
+> Patterns: ${warnings.join(", ")}
+> The flagged content has been neutralized.
+`;
+  return banner + `
+` + text;
+}
 // src/tools/spawn-agent.ts
+var DEFAULT_MAX_TOTAL_SPAWNED = 15;
+var DEFAULT_AGENT_TIMEOUT_MS = 180000;
 function showToast(ctx, title, message, variant = "info") {
   const client = ctx.client;
   client.tui?.showToast?.({
     body: { title, message, variant, duration: 2000 }
   })?.catch?.(() => {});
 }
+async function withTimeout(promise3, ms, label) {
+  let timer;
+  const timeout = new Promise((_, reject) => {
+    timer = setTimeout(() => reject(new Error(`Timeout: ${label} exceeded ${ms}ms`)), ms);
+  });
+  try {
+    return await Promise.race([promise3, timeout]);
+  } finally {
+    clearTimeout(timer);
+  }
+}
 async function runAgent(ctx, task, toolCtx, internalSessions, deps, progress) {
   const { agent, prompt, description } = task;
   const t0 = Date.now();
+  const timeoutMs = deps.agentTimeoutMs ?? DEFAULT_AGENT_TIMEOUT_MS;
   const elapsed = () => ((Date.now() - (progress?.startTime ?? t0)) / 1000).toFixed(0);
   const updateTitle = (status) => {
     toolCtx.metadata({ title: status });
@@ -27461,26 +27538,27 @@ async function runAgent(ctx, task, toolCtx, internalSessions, deps, progress) {
 **Error**: Failed to create session`;
     }
     internalSessions.add(sessionID);
-    await ctx.client.session.prompt({
+    await withTimeout(ctx.client.session.prompt({
       path: { id: sessionID },
       body: {
         parts: [{ type: "text", text: prompt }],
         agent
       },
       query: { directory: ctx.directory }
-    });
+    }), timeoutMs, `${agent} (${description})`);
     const messagesResp = await ctx.client.session.messages({
       path: { id: sessionID },
       query: { directory: ctx.directory }
     });
     const messages = messagesResp.data ?? [];
     const lastAssistant = messages.filter((m) => m.info?.role === "assistant").pop();
-    const result = lastAssistant?.parts?.filter((p) => p.type === "text" && p.text).map((p) => p.text).join(`
+    const rawResult = lastAssistant?.parts?.filter((p) => p.type === "text" && p.text).map((p) => p.text).join(`
 `) ?? "(No response from agent)";
     internalSessions.delete(sessionID);
     await ctx.client.session.delete({ path: { id: sessionID }, query: { directory: ctx.directory } }).catch(() => {});
     const agentTime = ((Date.now() - t0) / 1000).toFixed(1);
     log(`spawn_agent: ${agent} done`, { seconds: agentTime, description });
+    const result = sanitizeSpawnResult(rawResult);
     return `## ${description} (${agentTime}s)
 
 **Agent**: ${agent}
@@ -27494,7 +27572,14 @@ ${result}`;
       await ctx.client.session.delete({ path: { id: sessionID }, query: { directory: ctx.directory } }).catch(() => {});
     }
     const msg = error92 instanceof Error ? error92.message : String(error92);
-    log(`spawn_agent: ${agent} error`, { error: msg });
+    const isTimeout = msg.startsWith("Timeout:");
+    log(`spawn_agent: ${agent} ${isTimeout ? "timeout" : "error"}`, { error: msg });
+    if (isTimeout) {
+      return `## ${description}
+
+**Agent**: ${agent}
+**Timeout**: Agent did not complete within ${(timeoutMs / 1000).toFixed(0)}s`;
+    }
     return `## ${description}
 
 **Agent**: ${agent}
@@ -27502,6 +27587,7 @@ ${result}`;
   }
 }
 function createSpawnAgentTool(ctx, internalSessions, deps = {}) {
+  const maxTotalSpawned = deps.maxTotalSpawned ?? DEFAULT_MAX_TOTAL_SPAWNED;
   return tool({
     description: `Spawn subagents to execute tasks in PARALLEL.
 All agents in the array run concurrently (respecting concurrency limits if configured).
@@ -27546,6 +27632,11 @@ spawn_agent({
           return `Error: agents[${i}].description is required`;
         }
       }
+      const currentActive = internalSessions.size;
+      if (currentActive + agents.length > maxTotalSpawned) {
+        log("spawn_agent: BLOCKED by spawn limit", { currentActive, requested: agents.length, max: maxTotalSpawned });
+        return `Error: Too many concurrent spawned agents. Active: ${currentActive}, requested: ${agents.length}, max: ${maxTotalSpawned}. Wait for active agents to complete or increase safety.maxTotalSpawned.`;
+      }
       const agentNames = agents.map((a) => a.agent);
       log("spawn_agent", { count: agents.length, agents: agentNames });
       showToast(ctx, "spawn_agent", `${agents.length} agents: ${agentNames.join(", ")}`);
@@ -27622,8 +27713,21 @@ function resolveTaskModel(task, deps) {
 // src/tools/ralph-loop.ts
 var COMPLETION_MARKER = "<promise>DONE</promise>";
 var DEFAULT_MAX_ITERATIONS = 10;
+var DEFAULT_ITERATION_TIMEOUT_MS = 180000;
 var activeLoops = new Map;
-function createRalphLoopTools(ctx, internalSessions) {
+async function withTimeout2(promise3, ms, label) {
+  let timer;
+  const timeout = new Promise((_, reject) => {
+    timer = setTimeout(() => reject(new Error(`Timeout: ${label} exceeded ${ms}ms`)), ms);
+  });
+  try {
+    return await Promise.race([promise3, timeout]);
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function createRalphLoopTools(ctx, internalSessions, deps = {}) {
+  const iterationTimeoutMs = deps.iterationTimeoutMs ?? DEFAULT_ITERATION_TIMEOUT_MS;
   const ralph_loop = tool({
     description: `Start autonomous loop. Agent keeps working until it outputs ${COMPLETION_MARKER} or max iterations reached.
 Use this for tasks that require multiple rounds of autonomous work (implementation, refactoring, migration).
@@ -27651,29 +27755,43 @@ The agent will be prompted to continue from where it left off each iteration.`,
         sessionID
       };
       activeLoops.set(sessionID, state);
-      log(`Ralph Loop started: ${agentName}, max ${maxIter} iterations`);
+      log(`Ralph Loop started: ${agentName}, max ${maxIter} iterations, timeout ${iterationTimeoutMs}ms/iter`);
       try {
         for (let i = 0;i < maxIter && state.active; i++) {
           state.iteration = i + 1;
           toolCtx.metadata({ title: `Ralph Loop [${i + 1}/${maxIter}] \u2014 ${agentName}` });
           const prompt = i === 0 ? args.prompt : buildContinuationPrompt(args.prompt, i + 1);
-          await ctx.client.session.prompt({
-            path: { id: sessionID },
-            body: {
-              parts: [{ type: "text", text: prompt }],
-              agent: agentName
-            },
-            query: { directory: ctx.directory }
-          });
+          try {
+            await withTimeout2(ctx.client.session.prompt({
+              path: { id: sessionID },
+              body: {
+                parts: [{ type: "text", text: prompt }],
+                agent: agentName
+              },
+              query: { directory: ctx.directory }
+            }), iterationTimeoutMs, `Ralph Loop iteration ${i + 1}`);
+          } catch (iterError) {
+            const msg = iterError instanceof Error ? iterError.message : String(iterError);
+            if (msg.startsWith("Timeout:")) {
+              log(`Ralph Loop iteration ${i + 1} timed out`);
+              toolCtx.metadata({ title: `Ralph Loop TIMEOUT [${i + 1}/${maxIter}]` });
+              return `## Ralph Loop Timeout (iteration ${i + 1}/${maxIter})
+
+**Agent**: ${agentName}
+**Timeout**: Iteration did not complete within ${(iterationTimeoutMs / 1000).toFixed(0)}s`;
+            }
+            throw iterError;
+          }
           const messagesResp = await ctx.client.session.messages({
             path: { id: sessionID },
             query: { directory: ctx.directory }
           });
           const messages = messagesResp.data ?? [];
           const lastAssistant = messages.filter((m) => m.info?.role === "assistant").pop();
-          const resultText = lastAssistant?.parts?.filter((p) => p.type === "text" && p.text).map((p) => p.text).join(`
+          const rawResult = lastAssistant?.parts?.filter((p) => p.type === "text" && p.text).map((p) => p.text).join(`
 `) ?? "";
-          if (resultText.includes(COMPLETION_MARKER)) {
+          const resultText = sanitizeSpawnResult(rawResult);
+          if (rawResult.includes(COMPLETION_MARKER)) {
             toolCtx.metadata({ title: `Ralph Loop DONE [${i + 1}/${maxIter}]` });
             log(`Ralph Loop completed at iteration ${i + 1}`);
             const cleaned = resultText.replace(COMPLETION_MARKER, "").trim();
@@ -28421,12 +28539,17 @@ var OpenCodeUltra = async (ctx) => {
   const resolveAgentModel = (agent) => {
     return agents[agent]?.model;
   };
+  const safetyConfig = pluginConfig.safety ?? {};
   const spawnAgent = createSpawnAgentTool(ctx, internalSessions, {
     pool,
     categories: pluginConfig.categories,
-    resolveAgentModel
+    resolveAgentModel,
+    maxTotalSpawned: safetyConfig.maxTotalSpawned,
+    agentTimeoutMs: safetyConfig.agentTimeoutMs
+  });
+  const ralphTools = createRalphLoopTools(ctx, internalSessions, {
+    iterationTimeoutMs: safetyConfig.agentTimeoutMs
   });
-  const ralphTools = createRalphLoopTools(ctx, internalSessions);
   const batchRead = createBatchReadTool(ctx);
   const ledgerSave = createLedgerSaveTool(ctx);
   const ledgerLoad = createLedgerLoadTool(ctx);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-ultra",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Lightweight OpenCode 1.2.x plugin — ultrawork mode, multi-agent orchestration, rules injection",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",