npm - @aryaminus/controlkeel-opencode - Versions diffs - 0.2.46 → 0.2.49 - Mend

@aryaminus/controlkeel-opencode 0.2.46 → 0.2.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.opencode/agents/controlkeel-operator.md +1 -0
package/.opencode/plugins/controlkeel-governance.ts +8 -5
package/.opencode/skills/controlkeel-governance/SKILL.md +14 -10
package/AGENTS.md +3 -2
package/index.js +8 -5
package/package.json +1 -1

package/.opencode/agents/controlkeel-operator.md CHANGED Viewed

@@ -22,6 +22,7 @@ and validate them against the project's security, budget, and compliance policie
 - `ck_context` — Load mission, findings, budget, and proof context
 - `ck_validate` — Run full governance validation
+- `ck_execute_code` — Run generated code only through CK's guarded Docker sandbox; use `dry_run` first and do not request network/secrets/shell/deploy
 - `ck_finding` — Record a governed finding when you detect a missed issue
 - `ck_review_submit` — Submit review material for human approval
 - `ck_review_status` — Check review status before execution

package/.opencode/plugins/controlkeel-governance.ts CHANGED Viewed

@@ -360,24 +360,27 @@ export const ControlKeelGovernance: Plugin = async ({ project, client, $, direct
       const openError = typeof openPayload?.open_error === "string" ? openPayload.open_error.trim() : ""
       const openFailure = typeof openPayload?.error === "string" ? openPayload.error.trim() : ""
       const browserNotOpened = openPayload?.opened !== true
+      const serverUnavailable = openPayload?.server_serving === false
       const remoteLocalhostMismatch =
         typeof browserUrl === "string" &&
         browserUrl.includes("localhost") &&
         openPayload?.remote === true
-      if (!browserUrl || openError || openFailure || remoteLocalhostMismatch || browserNotOpened) {
+      if (!browserUrl || serverUnavailable || openError || openFailure || remoteLocalhostMismatch || browserNotOpened) {
         return buildPlanResult({
           waitSkipped: true,
           manualApprovalRequired: true,
           reason:
             !browserUrl
               ? "browser_url_unavailable"
-              : browserNotOpened
-                ? "browser_not_opened"
-                : "browser_unreachable",
+              : serverUnavailable
+                ? "review_server_unavailable"
+                : browserNotOpened
+                  ? "browser_not_opened"
+                  : "browser_unreachable",
           guidance:
-            "Browser review is unavailable from this environment or did not actually open. Ask the user for explicit approval in chat, then record it with `controlkeel review plan respond --id <review_id> --decision approved --feedback-notes \"User approved in chat; browser unavailable\" --json` or `ck_review_feedback`.",
+            "Browser review is unavailable, the CK review server is not reachable, or the browser did not actually open. Ask the user for explicit approval in chat, then record it with `controlkeel review plan respond --id <review_id> --decision approved --feedback-notes \"User approved in chat; browser/review server unavailable\" --json` or `ck_review_feedback`.",
         })
       }

package/.opencode/skills/controlkeel-governance/SKILL.md CHANGED Viewed

@@ -13,6 +13,7 @@ compatibility:
   - open-standard
 allowed-tools:
   - ck_validate
+  - ck_execute_code
   - ck_context
   - ck_finding
   - ck_memory_search
@@ -32,6 +33,7 @@ metadata:
   category: governance
   ck_mcp_tools:
     - ck_validate
+    - ck_execute_code
     - ck_context
     - ck_finding
     - ck_memory_search
@@ -53,16 +55,17 @@ You are operating inside a **ControlKeel-governed session**. Start here whenever
 1. Call `ck_context` at task start to load mission, risk, budget, proof, active findings, workspace context, context reacquisition, instruction hierarchy, and recent transcript state.
 2. Call `ck_validate` before writing code, config, shell, or deploy text, and pass trust-boundary metadata when the source content came from the web, tools, skills, or mixed provenance.
-3. If you discover a problem the scanner did not raise, call `ck_finding`.
-4. Use `ck_memory_search` when you need explicit recall of prior decisions, checkpoints, or findings rather than relying only on the default context packet.
-5. Use `ck_memory_record` to persist important decisions, assumptions, and operator guidance that future agents should recover.
-6. Use `ck_memory_archive` to retire stale or superseded guidance before it keeps contaminating retrieval.
-7. Call `ck_budget` and `ck_cost_optimizer` before expensive model or bulk operations.
-8. Call `ck_route` before delegating sub-work to another agent.
-9. Use `ck_deployment_advisor` to analyze stack and generate deployment templates when checking ship readiness.
-10. Use `ck_regression_result` to record external browser or QA evidence before claiming deploy readiness.
-11. Use `ck_outcome_tracker` to track success/failure outcomes for continuous learning.
-12. Use `ck_skill_list` and `ck_skill_load` to activate more specific CK workflows.
+3. Use `ck_execute_code` only for generated code that should run inside CK's guarded Docker sandbox; prefer `dry_run` first, and never treat it as local shell access or a network/secrets grant.
+4. If you discover a problem the scanner did not raise, call `ck_finding`.
+5. Use `ck_memory_search` when you need explicit recall of prior decisions, checkpoints, or findings rather than relying only on the default context packet.
+6. Use `ck_memory_record` to persist important decisions, assumptions, and operator guidance that future agents should recover.
+7. Use `ck_memory_archive` to retire stale or superseded guidance before it keeps contaminating retrieval.
+8. Call `ck_budget` and `ck_cost_optimizer` before expensive model or bulk operations.
+9. Call `ck_route` before delegating sub-work to another agent.
+10. Use `ck_deployment_advisor` to analyze stack and generate deployment templates when checking ship readiness.
+11. Use `ck_regression_result` to record external browser or QA evidence before claiming deploy readiness.
+12. Use `ck_outcome_tracker` to track success/failure outcomes for continuous learning.
+13. Use `ck_skill_list` and `ck_skill_load` to activate more specific CK workflows.
 ## Non-negotiable rules
@@ -81,6 +84,7 @@ You are operating inside a **ControlKeel-governed session**. Start here whenever
 - `ck_context` — mission, task, budget, proof, memory, workspace snapshot, transcript summary, resume context
 - `ck_validate` — governed preflight scan with trust-boundary checks
+- `ck_execute_code` — guarded generated-code execution; Docker sandbox only, local/network/secrets/shell/deploy denied, `dry_run` recommended first
 - `ck_finding` — persist manual findings
 - `ck_memory_search`, `ck_memory_record`, `ck_memory_archive` — explicit typed-memory retrieval and hygiene
 - `ck_regression_result` — import external regression evidence into proof state

package/AGENTS.md CHANGED Viewed

@@ -11,8 +11,9 @@ Required workflow:
 2. Call `ck_validate` before writing code, config, shell, or deploy content.
 3. Submit plans or approval packets with `ck_review_submit` and check `ck_review_status` before execution.
 4. Record any human-review issue with `ck_finding`.
-5. Check `ck_budget` before expensive model or multi-agent work.
-6. Use `ck_route`, `ck_skill_list`, and `ck_skill_load` to delegate or activate specialized CK workflows.
+5. Check `ck_budget` before expensive model or multi-agent work, and keep `ck_context` compact unless full raw context is needed.
+6. Before AFK or delegated implementation, split large work into human-approved vertical slices with explicit dependencies; prefer durable behavior-first issues, stable deep-module interfaces, and branch-level automated review plus human QA before merge.
+7. Use `ck_route`, `ck_skill_list`, and `ck_skill_load` to delegate or activate specialized CK workflows.
 Install ControlKeel:
 - Homebrew: `brew tap aryaminus/controlkeel && brew install controlkeel`

package/index.js CHANGED Viewed

@@ -343,24 +343,27 @@ export const ControlKeelGovernance = async ({ $, directory }) => {
       const openError = typeof openPayload?.open_error === "string" ? openPayload.open_error.trim() : ""
       const openFailure = typeof openPayload?.error === "string" ? openPayload.error.trim() : ""
       const browserNotOpened = openPayload?.opened !== true
+      const serverUnavailable = openPayload?.server_serving === false
       const remoteLocalhostMismatch =
         typeof browserUrl === "string" &&
         browserUrl.includes("localhost") &&
         openPayload?.remote === true
-      if (!browserUrl || openError || openFailure || remoteLocalhostMismatch || browserNotOpened) {
+      if (!browserUrl || serverUnavailable || openError || openFailure || remoteLocalhostMismatch || browserNotOpened) {
         return buildPlanResult({
           waitSkipped: true,
           manualApprovalRequired: true,
           reason:
             !browserUrl
               ? "browser_url_unavailable"
-              : browserNotOpened
-                ? "browser_not_opened"
-                : "browser_unreachable",
+              : serverUnavailable
+                ? "review_server_unavailable"
+                : browserNotOpened
+                  ? "browser_not_opened"
+                  : "browser_unreachable",
           guidance:
-            "Browser review is unavailable from this environment or did not actually open. Ask the user for explicit approval in chat, then record it with `controlkeel review plan respond --id <review_id> --decision approved --feedback-notes \"User approved in chat; browser unavailable\" --json` or `ck_review_feedback`.",
+            "Browser review is unavailable, the CK review server is not reachable, or the browser did not actually open. Ask the user for explicit approval in chat, then record it with `controlkeel review plan respond --id <review_id> --decision approved --feedback-notes \"User approved in chat; browser/review server unavailable\" --json` or `ck_review_feedback`.",
         })
       }

package/package.json CHANGED Viewed

@@ -35,5 +35,5 @@
     "url": "git+https://github.com/aryaminus/controlkeel.git"
   },
   "type": "module",
-  "version": "0.2.46"
+  "version": "0.2.49"
 }