v1.2.0 — read-only /kimi:swarm parallel review fan-out
A new command that fans a read-only review out across subagents using kimi-code 0.12.0's AgentSwarm tool, then consolidates their findings into one markdown report. Built on the v1.1.1-certified 0.12.0 surface — no upstream compatibility change.
What it does
/kimi:swarm [--budget <30m|1h>] [--cap <N>] [-m <model>] <what to review> — Kimi launches one subagent per target (file / module / question), each inspecting the workspace with read tools only, and the coordinator consolidates the results.
Safety
The whole feature rests on one new primitive: a PreToolUse hook label swarm that allows the read-only tool set plus the exact tool name AgentSwarm, deny-by-default. Because kimi-code builds an identical permission stack for sub- and main agents — PreToolCallHookPermissionPolicy at policy index 0 (the deny-all policy is the startBtw side-question path, not the swarm path) — every spawned subagent inherits the swarm label and fires the same hook, so a subagent's Write/Edit/Bash is denied exactly like a single-turn review's. Read-only swarm opens zero new write surface.
- The coordinator must be allowed to call AgentSwarm or the swarm never launches; the singular Agent tool stays denied.
- Unlike single-turn review (which only warns on a missing hook), swarm refuses without the hook — a fan-out with no enforcement is an N-fold blast radius (KIMI_PLUGIN_CC_SKIP_HOOK_CHECK=1 still opts out).
- Bounded by a mandatory finite --budget wall-clock AbortController (default 30m); --cap is a soft prompt-injected subagent-count hint (the hook is stateless).
- Defense-in-depth: the coordinator prompt steers subagents to the read-only explore profile, whose tool loadout has no file-editing tools at all — a second layer beneath the hook.
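
The deny-by-default label rule and the fail-closed preflight described above, as an added JavaScript example (not the plugin's own code). The read-tool names, the decide/preflight/parseBudget helpers and the shape of the returned decision object are assumptions for illustration; kimi-code's real hook payload format is not shown on this page.

```javascript
// Added illustration, not the plugin's source.
// ASSUMPTION: the read-only tool names below are placeholders.
const READ_ONLY = ["Read", "Grep", "Glob"];

// One allowlist per hook label. A Map avoids prototype-key surprises
// (a label such as "__proto__" simply has no entry and is denied).
const ALLOW = new Map([
  ["review", new Set(READ_ONLY)],
  ["swarm", new Set([...READ_ONLY, "AgentSwarm"])], // exact name only
]);

// Stateless PreToolUse decision: deny unless the label is known and the
// tool name matches an entry exactly (no prefix match, no case folding).
// Subagents carry the same label, so they get the same answer.
function decide(label, toolName) {
  const allowed = ALLOW.get(label);
  if (allowed && typeof toolName === "string" && allowed.has(toolName)) {
    return { decision: "allow" };
  }
  return {
    decision: "deny",
    reason: `${JSON.stringify(toolName)} is not allowed under label ${JSON.stringify(label)}`,
  };
}

// Preflight: single-turn review only warns when the hook is missing;
// swarm refuses unless the documented opt-out variable is set to 1.
function preflight(mode, hookInstalled, env = {}) {
  if (hookInstalled) return { run: true, warning: null };
  if (mode !== "swarm") return { run: true, warning: "PreToolUse hook missing" };
  if (env.KIMI_PLUGIN_CC_SKIP_HOOK_CHECK === "1") {
    return { run: true, warning: "hook check skipped; fan-out is unenforced" };
  }
  return { run: false, warning: "PreToolUse hook missing; refusing fan-out" };
}

// --budget must be finite and non-zero: forms like 30m or 1h, default 30m.
function parseBudget(text = "30m") {
  const m = /^(\d+)([mh])$/.exec(text);
  if (!m || Number(m[1]) === 0) throw new Error(`invalid --budget: ${text}`);
  return Number(m[1]) * (m[2] === "h" ? 3600000 : 60000);
}

// The wall-clock bound: abort the whole fan-out when the budget elapses.
function startBudget(text) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), parseBudget(text));
  return { signal: controller.signal, cancel: () => clearTimeout(timer) };
}
```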
Verification
Reviewed clean by an in-process code-reviewer and a cross-model Codex adversarial pass (both SAFE). The central claim — a spawned swarm subagent's write is hook-denied — is locked by a new real-binary smoke (bun run smoke:real), verified green against the installed 0.12.0 binary: no file landed across the fan-out, the hook deny marker was present, ~183s natural completion.
Limitations
- Foreground-only (no --background yet).
- No --write mode — a write-capable swarm needs per-subagent worktree isolation to be safe; deferred.
- Requires kimi-code >= 0.12.0 (the AgentSwarm tool) and the /kimi:setup PreToolUse hook.
See docs/safety.md § "Read-only swarm".