#129
yep yep yep
BugOpenSwamp Clubswampadmin1d ago
#128
Support named argument syntax for model method run (e.g. --arg key=value)
BugOpenSwamp Clubswampadminks1d ago
#127
env var overrides for globalArguments silently change which environment a model targets
FeatureOpenSwamp Clubswampadmin6d ago
#126
deno lint no-import-prefix conflicts with swamp's required npm:/jsr: inline specifiers
FeatureOpenSwamp Clubswampadmin8d ago
#125
AI agents should search community extensions before offering to create custom models
FeatureOpenSwamp Clubswampadmin11d ago
#124
feat: add --content-type filter to extension search
FeatureOpenSwamp Clubswampadmin14d ago
#123
Add a 'reports' feature
FeatureOpenSwamp Clubswampadmin18d ago
#122
Port remaining CLI commands to libswamp + renderer pattern
FeatureOpenSwamp Clubswampadmin22d ago
#121
Persistent runner / server mode to eliminate per-invocation CLI startup overhead
BugOpenSwamp Clubswampadmin26d ago
#120
AI agent should prefer fan-out model methods over shell loops for fleet operations
FeatureOpenSwamp Clubswampadmin1mo ago
#119
Support unbundled helper scripts in extension packages
FeatureOpenSwamp Clubswampadmin1mo ago
#118
Add progress indicator for long-running model methods
FeatureOpenSwamp Clubswampadmin1mo ago
#117
Built-in structured output parser for CLI commands
FeatureOpenSwamp Clubswampadmin1mo ago
#116
Automatic trace context propagation across workflow steps
FeatureOpenSwamp Clubswampadmin1mo ago
#115
Native OpenTelemetry tracing for swamp CLI internals
FeatureOpenSwamp Clubswampadmin1mo ago
#114
Claude Code should prefer extending swamp extensions over using external CLI tools
BugOpenSwamp Clubswampadmin1mo ago
#113
Framework log lines written to stdout pollute model method output
FeatureOpenSwamp Clubswampadmin2mo ago
#112
Swamp skill should guide AI agents to create extension models instead of inline shell scripts
BugOpenSwamp Clubswampadmin2mo ago
#111
Shared team collectives for collaborative extension publishing
FeatureOpenSwamp Clubswampadmin2mo ago
#110
Delete methods should return last known state data
FeatureOpenSwamp Clubswampadmin2mo ago
#109
Add smoke-test skill for extension models
FeatureOpenSwamp Clubswampadmin2mo ago
#108
Workflow run output is unreadable — resource data and errors are buried in log noise
FeatureOpenSwamp Clubswampadmin2mo ago
#107
Recommend or manage lockfile strategy for extension model npm dependencies
FeatureOpenSwamp Clubswampadmin3mo ago
#106
Output of running a method is not the actual output
FeatureOpenSwamp Clubswampadmin3mo ago
#105
Add macOS Keychain vault type
FeatureOpenSwamp Clubswampadmin3mo ago
#104
bug: Vault secret shell escaping incomplete — $(), semicolons, and pipes are interpreted
BugOpenSwamp Clubswampadmin3mo ago
#103
Swamp should support "Scheduled"-type status for execution
FeatureOpenSwamp Clubswampadmin4mo ago
#102
feat: add support for Nix via a flake
FeatureOpenSwamp Clubswampadmin4mo ago
#101
ModelType.normalize replaces all dots with slashes, corrupting dotted type names
BugOpenSwamp Clubswampadmin4mo ago
#100
fix: collective validator error message omits drivers and datastores
FeatureClosedSwamp Clubswampadmin4mo ago
#99
Skill docs: document configSchema inline requirement and .describe() constraints for vault extensions
FeatureClosedSwamp Clubswampadmin4mo ago
#98
It takes 42 seconds to run swamp --help
BugClosedSwamp Clubswampadmin4mo ago
#97
After today upgrade
BugClosedSwamp Clubswampadmin5mo ago
#96
Auto-resolver fails when extensions/models/ directory does not exist for vault-only extensions
BugClosedSwamp Clubswampadmin5mo ago
#95
Azure Key Vault extension vault bundle fails to load in compiled binary
BugClosedSwamp Clubswampadmin5mo ago
#94
RangeError: Maximum call stack size exceeded when loading extension models with npm dependencies after upgrade to 20260317
BugClosedSwamp Clubswampadmin5mo ago
#93
Extension Zod schema incompatibility after upgrade to 20260312
BugClosedSwamp Clubswampadmin5mo ago
#92
Data garbage collection never fully removes expired data from disk
BugClosedSwamp Clubswampadmin5mo ago
#91
extension push --dry-run requires authentication unnecessarily
FeatureClosedSwamp Clubswampadmin5mo ago
#90
Typed context APIs to eliminate no-explicit-any in extension models
FeatureClosedSwamp Clubswampadmin6mo ago
#89
AWS extensions fail to load: missing _lib/aws.ts shared dependency
BugClosedSwamp Clubswampadmin6mo ago
#88
getContent() should resolve vault expressions for sensitive fields
FeatureClosedSwamp Clubswampadmin6mo ago
#87
getContent() should return parsed objects, not raw Uint8Array
FeatureClosedSwamp Clubswampadmin6mo ago
#86
Add context.readResource() to MethodContext for user extension models
FeatureClosedSwamp Clubswampadmin6mo ago
#85
Datastore lock: allow concurrent reads across different models
FeatureClosedSwamp Clubswampadmin6mo ago
#84
extension install should be an alias of extension pull
BugClosedSwamp Clubswampadmin6mo ago
#83
feat: Execution Driver Abstraction — Pluggable Isolation for Model Execution
FeatureClosedSwamp Clubswampadmin6mo ago
#82
Support --global-arg on model create
FeatureClosedSwamp Clubswampadmin7mo ago
#81
consider a libswamp
FeatureClosedSwamp Clubswampadmin7mo ago
#80
Running workflow should not block read-only operations
FeatureClosedSwamp Clubswampadmin7mo ago
#79
Update from 20260227 to 20260311 breaks existing model definitions (symlink + path-based type)
BugClosedSwamp Clubswampadmin7mo ago
#78
loadUserModels ignores --repo-dir, uses cwd instead
BugClosedSwamp Clubswampadmin7mo ago
#77
datastore lock release --force deadlocks on the stale lock it's trying to release
BugClosedSwamp Clubswampadmin7mo ago
#76
Datastore lock not released when interactive command fails in non-TTY context
BugClosedSwamp Clubswampadmin7mo ago
#75
vault put to 1Password stores empty password field
BugClosedSwamp Clubswampadmin8mo ago
#74
Leaderboard shows 0-event users whose profiles 404
FeatureClosedSwamp Clubswampadmin8mo ago
#73
Move AWS, Azure, and 1Password vault providers to extensions
FeatureClosedSwamp Clubswampadmin8mo ago
#72
Data instance name uniqueness is global across specs instead of per-spec
BugClosedSwamp Clubswampadmin8mo ago
#71
Audit timeline misses today's entries in UTC+ timezones
BugClosedSwamp Clubswampadmin8mo ago
#70
AI agent discoverability: reduce trial-and-error for CLI syntax
BugClosedSwamp Clubswampadmin8mo ago
#69
GlobalArguments CEL expressions fail when factory inputs are omitted — selective evaluation not working
BugClosedSwamp Clubswampadmin8mo ago
#68
Document factory pattern for model reuse in skills
FeatureClosedSwamp Clubswampadmin8mo ago
#67
Delete method uses identifier as data name instead of instance name
BugClosedSwamp Clubswampadmin9mo ago
#66
CLI method run ignores required arguments without .default()
BugClosedSwamp Clubswampadmin9mo ago
#65
Workflow run output mixes data, errors, and logs without clear separation — hard to find what actually executed
FeatureClosedSwamp Clubswampadmin9mo ago
#64
data.latest() in workflow step inputs resolved at workflow start, not at step execution time
BugClosedSwamp Clubswampadmin9mo ago
#63
Update method fails when globalArguments contain cross-model CEL expressions
BugClosedSwamp Clubswampadmin9mo ago
#62
Track resource deletion in local data model
FeatureClosedSwamp Clubswampadmin9mo ago
#61
fix: extension npm packages fail to resolve in compiled binary
BugClosedSwamp Clubswampadmin9mo ago
#60
swamp repo upgrade replaces entire CLAUDE.md with generic template instead of merging
BugClosedSwamp Clubswampadmin10mo ago
#59
Add drift detection to reconcile stored state against live cloud resources
FeatureClosedSwamp Clubswampadmin10mo ago
#58
Model inputs schema validated on all methods — delete fails requiring create-time inputs
BugClosedSwamp Clubswampadmin10mo ago
#57
Support wait-until-ready semantics for async resource provisioning
FeatureClosedSwamp Clubswampadmin10mo ago
#56
support pushing to organizations
FeatureClosedSwamp Clubswampadmin10mo ago
#55
Add data rename/move command for non-destructive refactoring
FeatureClosedSwamp Clubswampadmin10mo ago
#54
Schema mismatch warnings lack model context and misrepresent API response shapes
BugClosedSwamp Clubswampadmin10mo ago
#53
Support pre-flight validate method on models before method execution
FeatureClosedSwamp Clubswampadmin10mo ago
#52
Extension models need built-in support for idempotent create operations
FeatureClosedSwamp Clubswampadmin11mo ago
#51
Workflow reports succeeded when step outputs indicate failure
BugClosedSwamp Clubswampadmin11mo ago
#50
Swamp skills don't prevent AI agents from manually generating UUIDs for workflows
BugClosedSwamp Clubswampadmin11mo ago
#49
Bundler breaks tslib CJS/ESM interop for @aws-sdk/client-s3 dynamic imports
BugClosedSwamp Clubswampadmin11mo ago
#48
Support both US and UK English spellings (-ize/-ise)
BugClosedSwamp Clubswampadmin11mo ago
#47
swamp extensions aren't rebundled all the time
BugClosedSwamp Clubswampadmin11mo ago
#46
forEach with object items and static step name causes spurious cyclic dependency error
BugClosedSwamp Clubswampadmin11mo ago
#45
Validate extension content namespaces match package namespace during push
FeatureClosedSwamp Clubswampadmin12mo ago
#44
Extension metadata should align with usage and show all information
FeatureClosedSwamp Clubswampadmin12mo ago
#43
Enforce deno fmt and deno lint before publishing extensions
FeatureClosedSwamp Clubswampadmin12mo ago
#42
Swamp repo upgrade process after swamp update
FeatureClosedSwamp Clubswampadmin12mo ago
#41
Swamp hooks not formatted properly for Kiro, Kiro doesn't pipe and details into it's PostToolUse hook
BugClosedSwamp Clubswampadmin12mo ago
#40
change to x-api-key
FeatureClosedSwamp Clubswampadmin12mo ago
#39
feat: send content metadata from CLI during extension push
FeatureClosedSwamp Clubswampadmin12mo ago
#38
Add `swamp extension yank` command
FeatureClosedSwamp Clubswampadmin12mo ago
#37
Add api key management to swamp
FeatureClosedSwamp Clubswampadmin13mo ago
#36
Add per-version changelog/patch notes to extension push
FeatureClosedSwamp Clubswampadmin13mo ago
#35
Feature request: Kiro Support
FeatureClosedSwamp Clubswampadmin13mo ago
#34
swamp update appears to stall with no progress feedback
FeatureClosedSwamp Clubswampadmin13mo ago
#33
Show data retrieval commands after workflow run completes
FeatureClosedSwamp Clubswampadmin13mo ago
#32
Extension registry should support a git URL field for source code links
FeatureClosedSwamp Clubswampadmin13mo ago
#31
Preserve Unicode box-drawing characters in method stdout
BugClosedSwamp Clubswampadmin13mo ago
#30
Support --help flag on custom extension model methods
FeatureClosedSwamp Clubswampadmin14mo ago
#29
vault put: support reading secret values from a file instead of CLI args
FeatureClosedSwamp Clubswampadmin14mo ago
#28
Workflow inputs not resolved - modelIdOrName receives literal expression string
BugClosedSwamp Clubswampadmin14mo ago
#27
Check community extensions before building custom models
FeatureClosedSwamp Clubswampadmin14mo ago
#26
Use AWS_REGION instead of force to us-east-1
BugClosedSwamp Clubswampadmin14mo ago
#25
Add allowFailure flag on workflow steps
FeatureClosedSwamp Clubswampadmin14mo ago
#24
user.get returns 404 — wrong API URL path
BugClosedSwamp Clubswampadmin14mo ago
#23
Body already consumed error on logConfig.get and device.getPosture
BugClosedSwamp Clubswampadmin14mo ago
#22
model evaluate does not persist evaluated definitions for all models
BugClosedSwamp Clubswampadmin15mo ago
#21
workflow run does not evaluate expressions or pass task.inputs without --last-evaluated
BugClosedSwamp Clubswampadmin15mo ago
#20
Security: CLI login lacks user-visible device verification code
BugClosedSwamp Clubswampadmin15mo ago
#19
fix: detectConflicts uses basename for bundles, missing nested directory structure
BugClosedSwamp Clubswampadmin15mo ago
#18
Add repository field to extension manifest schema
FeatureClosedSwamp Clubswampadmin15mo ago
#17
Add extension list command
FeatureClosedSwamp Clubswampadmin15mo ago
#16
feat: implement `extension rm` command
FeatureClosedSwamp Clubswampadmin15mo ago
#15
Track extracted files in upstream_extensions.json during extension pull
FeatureClosedSwamp Clubswampadmin16mo ago
#14
Extension push includes macOS ._* resource fork files in archive
BugClosedSwamp Clubswampadmin16mo ago
#13
extension push ignores modelsDir setting in .swamp.yaml
BugClosedSwamp Clubswampadmin16mo ago
#12
Populate .gitattributes with linguist-generated markers during repo init
FeatureClosedSwamp Clubswampadmin16mo ago
#11
MaxListenersExceededWarning shown after repeated CLI commands
BugClosedSwamp Clubswampadmin16mo ago
#10
Extension push should follow symlinks in workflows/ directory
BugClosedSwamp Clubswampadmin16mo ago
#9
Workflow step task.inputs not forwarded as method arguments at runtime
BugClosedSwamp Clubswampadmin16mo ago
#8
forEach with data.findBySpec() expands duplicate steps causing cyclic dependency error
BugClosedSwamp Clubswampadmin16mo ago
#7
Add extensions/workflows support for 3rd-party workflow discovery and execution
FeatureClosedSwamp Clubswampadmin17mo ago
#6
Proactive update notification via post-run async check
FeatureClosedSwamp Clubswampadmin17mo ago
#5
Include models/ and vaults/ symlink dirs in managed .gitignore section
FeatureClosedSwamp Clubswampadmin17mo ago
#4
Provide guidance on deno.lock file management
BugClosedSwamp Clubswampadmin17mo ago
#3
Race condition: repo index concurrent with vault put crashes with ENOTEMPTY
BugClosedSwamp Clubswampadmin17mo ago
#2
Race condition in concurrent vault put: refreshSecretsIndex ENOTEMPTY
FeatureClosedSwamp Clubswampadmin17mo ago
#1
Add contract tests, property-based tests, and architectural fitness tests
FeatureClosedSwamp Clubswampadmin17mo ago
← Back to list
01Issue
BugClosedSwamp Club
AssigneesNone
Security: CLI login lacks user-visible device verification code
Opened by swampadmin · 1/4/2025
Summary
The CLI browser-based login flow (swamp auth login) does not display a user-visible verification code that the user can cross-check between the CLI and the web UI. This means a user has no way to confirm that the browser session they are authenticating actually corresponds to the CLI session that initiated the request.
Current Behavior
- CLI generates a random
stateUUID and opens the browser to/login?cli_callback=...&state=... - User authenticates in the browser
- Browser redirects back to the CLI's localhost callback server with a session token
- CLI validates the
stateparameter matches (CSRF protection only)
The state parameter is a machine-level CSRF nonce — it is never shown to the user and cannot be visually verified.
Problem
Without a user-visible verification code, the flow is vulnerable to session fixation / phishing-adjacent attacks:
- An attacker could trick a user into authenticating a CLI session the attacker controls (e.g. by sending them a crafted login URL)
- The user has no way to verify that the browser login page corresponds to their CLI instance
- This is a known gap addressed by standards like OAuth 2.0 Device Authorization Grant (RFC 8628), which requires a
user_codeto be displayed on both the device and the browser for cross-verification
Proposed Solution
Implement a user-visible verification code similar to the OAuth device flow:
- CLI displays a short code (e.g.
ABCD-1234) in the terminal when initiating login - Web UI displays the same code on the authorization page
- User confirms the codes match before approving the login (or types the code into the web UI)
This ensures the user can verify that the browser session they are about to authorize actually belongs to the CLI session in front of them.
References
- RFC 8628 - OAuth 2.0 Device Authorization Grant — standard pattern for device-to-browser verification codes
- GitHub CLI (
gh auth login) and other CLIs use similar verification code patterns
02Bog Flow
Closed
No activity in this phase yet.
03Sludge Pulse
Sign in to post a ripple.