npm - @ax0l0tl/agent-governance-opencode - Versions diffs - 4.0.0 - Mend

@ax0l0tl/agent-governance-opencode 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +142 -0
package/bin/agt-node +6 -0
package/bin/agt-node.cmd +5 -0
package/config/default-policy.json +172 -0
package/lib/audit.mjs +115 -0
package/lib/poisoning.mjs +37 -0
package/lib/policy.mjs +1363 -0
package/package.json +53 -0
package/server/agt-mcp.mjs +233 -0
package/src/index.mjs +212 -0

package/package.json ADDED Viewed

@@ -0,0 +1,53 @@
+{
+  "name": "@ax0l0tl/agent-governance-opencode",
+  "version": "4.0.0",
+  "description": "Public Preview — OpenCode CLI governance plugin for Agent Governance Toolkit developer protection policies (fork with OpenCode contract fixes)",
+  "type": "module",
+  "main": "src/index.mjs",
+  "exports": {
+    ".": "./src/index.mjs",
+    "./policy": "./lib/policy.mjs",
+    "./mcp-server": "./server/agt-mcp.mjs"
+  },
+  "files": [
+    "bin/",
+    "config/",
+    "lib/",
+    "server/",
+    "src/",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "npm run check",
+    "check": "node --check ./src/index.mjs && node --check ./lib/audit.mjs && node --check ./lib/poisoning.mjs && node --check ./lib/policy.mjs && node --check ./server/agt-mcp.mjs && node --test ./test/*.test.mjs",
+    "test": "node --test ./test/*.test.mjs"
+  },
+  "keywords": [
+    "opencode",
+    "agent",
+    "governance",
+    "security",
+    "policy",
+    "mcp"
+  ],
+  "author": {
+    "name": "Microsoft Corporation",
+    "email": "agentgovtoolkit@microsoft.com"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/microsoft/agent-governance-toolkit.git",
+    "directory": "agent-governance-opencode"
+  },
+  "homepage": "https://github.com/microsoft/agent-governance-toolkit/tree/main/agent-governance-opencode",
+  "dependencies": {
+    "@microsoft/agent-governance-sdk": "3.7.0"
+  },
+  "devDependencies": {
+    "@opencode-ai/plugin": "^1.17.1"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  }
+}

package/server/agt-mcp.mjs ADDED Viewed

@@ -0,0 +1,233 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { fileURLToPath } from "node:url";
+import path from "node:path";
+import { checkArbitraryText, getPolicyStatus, loadPolicy } from "../lib/policy.mjs";
+const VERSION = "3.6.0";
+const PROTOCOL_VERSION = "2024-11-05";
+const TOOL_DEFINITIONS = [
+  {
+    name: "agt_policy_status",
+    description: "Return the active AGT OpenCode governance policy status and source.",
+    inputSchema: {
+      type: "object",
+      properties: {},
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "agt_policy_check_text",
+    description: "Check text against AGT prompt, context-poisoning, and MCP-style threat detectors.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        text: {
+          type: "string",
+          description: "Text to inspect.",
+        },
+      },
+      required: ["text"],
+      additionalProperties: false,
+    },
+  },
+];
+export async function handleJsonRpcRequest(state, request) {
+  if (!request || typeof request !== "object" || request.jsonrpc !== "2.0") {
+    return jsonRpcError(null, -32600, "Invalid Request");
+  }
+  const { id = null, method, params = {} } = request;
+  if (typeof method !== "string") {
+    return jsonRpcError(id, -32600, "Invalid Request");
+  }
+  if (method === "initialize") {
+    const protocolVersion =
+      typeof params.protocolVersion === "string" ? params.protocolVersion : PROTOCOL_VERSION;
+    return jsonRpcResult(id, {
+      protocolVersion,
+      capabilities: {
+        tools: {},
+      },
+      serverInfo: {
+        name: "agt-governance",
+        version: VERSION,
+      },
+    });
+  }
+  if (method === "notifications/initialized") {
+    return null;
+  }
+  if (method === "ping") {
+    return jsonRpcResult(id, {});
+  }
+  if (method === "tools/list") {
+    return jsonRpcResult(id, { tools: TOOL_DEFINITIONS });
+  }
+  if (method === "tools/call") {
+    return jsonRpcResult(id, await callTool(state, params));
+  }
+  return jsonRpcError(id, -32601, `Method not found: ${method}`);
+}
+export function encodeJsonRpcMessage(message) {
+  const body = JSON.stringify(message);
+  return `Content-Length: ${Buffer.byteLength(body, "utf8")}\r\n\r\n${body}`;
+}
+async function callTool(state, params) {
+  const name = params?.name;
+  const args = params?.arguments ?? {};
+  if (name === "agt_policy_status") {
+    return asJsonContent(await getPolicyStatus(state));
+  }
+  if (name === "agt_policy_check_text") {
+    if (typeof args.text !== "string") {
+      return asJsonError("agt_policy_check_text requires a string 'text' argument.");
+    }
+    return asJsonContent(checkArbitraryText(state, args.text, "mcp-check"));
+  }
+  return asJsonError(`Unknown tool: ${String(name)}`);
+}
+function asJsonContent(value) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify(value, null, 2),
+      },
+    ],
+  };
+}
+function asJsonError(message) {
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify({ error: message }, null, 2),
+      },
+    ],
+    isError: true,
+  };
+}
+function jsonRpcResult(id, result) {
+  return {
+    jsonrpc: "2.0",
+    id,
+    result,
+  };
+}
+function jsonRpcError(id, code, message) {
+  return {
+    jsonrpc: "2.0",
+    id,
+    error: {
+      code,
+      message,
+    },
+  };
+}
+async function startServer() {
+  const state = await loadPolicy();
+  let buffer = "";
+  process.stdin.setEncoding("utf8");
+  process.stdin.on("data", async (chunk) => {
+    buffer += chunk;
+    try {
+      buffer = await drainBuffer(state, buffer);
+    } catch (error) {
+      const response = jsonRpcError(null, -32603, error instanceof Error ? error.message : String(error));
+      process.stdout.write(encodeJsonRpcMessage(response));
+      buffer = "";
+    }
+  });
+}
+async function drainBuffer(state, buffer) {
+  let remaining = buffer;
+  while (remaining.length > 0) {
+    const headerEnd = remaining.indexOf("\r\n\r\n");
+    if (headerEnd >= 0) {
+      const headerBlock = remaining.slice(0, headerEnd);
+      const lengthMatch = /Content-Length:\s*(\d+)/i.exec(headerBlock);
+      if (!lengthMatch) {
+        throw new Error("Missing Content-Length header");
+      }
+      const bodyStart = headerEnd + 4;
+      const bodyLength = Number(lengthMatch[1]);
+      if (remaining.length < bodyStart + bodyLength) {
+        return remaining;
+      }
+      const body = remaining.slice(bodyStart, bodyStart + bodyLength);
+      remaining = remaining.slice(bodyStart + bodyLength);
+      await respondToBody(state, body);
+      continue;
+    }
+    const newlineIndex = remaining.indexOf("\n");
+    if (newlineIndex < 0) {
+      return remaining;
+    }
+    const line = remaining.slice(0, newlineIndex).trim();
+    remaining = remaining.slice(newlineIndex + 1);
+    if (line.length === 0) {
+      continue;
+    }
+    await respondToBody(state, line);
+  }
+  return remaining;
+}
+async function respondToBody(state, body) {
+  let request;
+  try {
+    request = JSON.parse(body);
+  } catch {
+    process.stdout.write(encodeJsonRpcMessage(jsonRpcError(null, -32700, "Parse error")));
+    return;
+  }
+  const response = await handleJsonRpcRequest(state, request);
+  if (response) {
+    process.stdout.write(encodeJsonRpcMessage(response));
+  }
+}
+if (isMainModule(import.meta.url)) {
+  await startServer();
+}
+function isMainModule(moduleUrl) {
+  if (!process.argv[1]) {
+    return false;
+  }
+  return fileURLToPath(moduleUrl) === path.resolve(process.argv[1]);
+}

package/src/index.mjs ADDED Viewed

@@ -0,0 +1,212 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { tool } from "@opencode-ai/plugin";
+import {
+  checkArbitraryText,
+  evaluateOpenCodePrompt,
+  evaluateOpenCodeTool,
+  evaluateOpenCodeToolOutput,
+  getPolicyStatus,
+  loadPolicy,
+} from "../lib/policy.mjs";
+/**
+ * AGT governance plugin for OpenCode.
+ *
+ * Loads the AGT policy once per OpenCode process and wires it into the
+ * OpenCode plugin contract:
+ *
+ *  - session.created              — inject AGT governance context for the run
+ *  - event (chat.params/start) — scan submitted prompts; throw to block
+ *  - tool.execute.before       — enforce policy; throw to deny, mark args
+ *                                for OpenCode's permission prompt on review
+ *  - tool.execute.after        — scan tool output for known secret patterns
+ *                                and redact in enforce mode
+ *  - tool.agt_policy_status    — return current policy snapshot
+ *  - tool.agt_policy_check_text — inspect arbitrary text for poisoning
+ *
+ * The plugin fails closed: if AGT cannot evaluate a request and the active
+ * policy has `denyOnPolicyError: true` (the default), the request is denied.
+ *
+ * @typedef {(context: object) => Promise<object>} Plugin
+ * @type {Plugin}
+ */
+export const AgtGovernance = async (ctx) => {
+  // OpenCode loads plugins once per process. Cache the compiled policy so we
+  // don't re-read it on every hook invocation.
+  let stateCache;
+  let stateError;
+  async function getState() {
+    if (stateCache) {
+      return stateCache;
+    }
+    if (stateError) {
+      throw stateError;
+    }
+    try {
+      stateCache = await loadPolicy();
+      return stateCache;
+    } catch (error) {
+      stateError = error instanceof Error ? error : new Error(String(error));
+      throw stateError;
+    }
+  }
+  return {
+    // Bug 1 fixed: session.start is not a valid OpenCode hook; use session.created.
+    // The additionalContext return value is also not part of the OpenCode contract.
+    "session.created": async () => {
+      try {
+        const state = await getState();
+        const status = await getPolicyStatus(state);
+        if (typeof ctx?.client?.app?.log === "function") {
+          await ctx.client.app.log({
+            body: {
+              service: "agt-governance",
+              level: "info",
+              message:
+                `[AGT] OpenCode governance active — mode=${status.mode} source=${status.source} ` +
+                `promptDefense=${status.promptDefenseGrade} audit=${status.auditEntries}`,
+            },
+          });
+        }
+      } catch {
+        // best-effort — do not block session creation
+      }
+    },
+    event: async ({ event } = {}) => {
+      // OpenCode emits a wide range of events. Only inspect prompt-bearing
+      // events; ignore the rest cheaply.
+      const prompt = extractPromptFromEvent(event);
+      if (!prompt) {
+        return;
+      }
+      const state = await getState();
+      const result = await evaluateOpenCodePrompt(state, {
+        prompt,
+        sessionId: event?.properties?.sessionID ?? event?.properties?.sessionId,
+      });
+      if (result.effect === "deny") {
+        throw new Error(result.reason || "AGT governance blocked the submitted prompt.");
+      }
+    },
+    // Bug 2 fixed: OpenCode expects flat string keys, not nested objects.
+    "tool.execute.before": async (input, output) => {
+      const state = await getState();
+      const result = await evaluateOpenCodeTool(state, {
+        tool: input?.tool,
+        args: output?.args,
+        cwd: ctx?.directory ?? ctx?.worktree,
+        sessionId: input?.sessionID,
+      });
+      if (result.effect === "deny") {
+        throw new Error(result.reason || `AGT policy denied tool '${input?.tool}'.`);
+      }
+      if (result.effect === "review") {
+        // OpenCode does not currently expose a server-side "ask"
+        // permission decision from inside a plugin hook. We mark the
+        // request as requiring review by appending a hint to the args
+        // so downstream permission integrations can pick it up, and we
+        // still record the audit entry. Operators who want hard-deny
+        // behaviour on review should switch the policy mode or set
+        // `defaultEffect` to `deny`.
+        if (output && typeof output === "object" && output.args && typeof output.args === "object") {
+          output.args.__agt_review_reason = result.reason || "AGT review required.";
+        }
+      }
+    },
+    "tool.execute.after": async (input, output) => {
+      if (!output || typeof output !== "object") {
+        return;
+      }
+      const state = await getState();
+      const text = typeof output.output === "string" ? output.output : "";
+      const result = await evaluateOpenCodeToolOutput(state, {
+        tool: input?.tool,
+        output: text,
+        sessionId: input?.sessionID,
+      });
+      if (result.redact && typeof result.redactedOutput === "string") {
+        output.output = result.redactedOutput;
+        if (typeof output.metadata === "object" && output.metadata !== null) {
+          output.metadata.agtRedacted = true;
+          output.metadata.agtRedactionReason = result.reason;
+        }
+      }
+    },
+    // Bug 3 fixed: `tool` (singular) with `args` (not `tools` with `parameters`).
+    // Bug 4 fixed: execute returns a plain string, not an MCP { content: [...] } envelope.
+    // tool.schema (Zod) is provided by @opencode-ai/plugin (devDependency), which OpenCode
+    // always makes available in its plugin runtime environment.
+    tool: {
+      agt_policy_status: {
+        description: "Return the active AGT OpenCode governance policy status and source.",
+        args: {},
+        async execute() {
+          const state = await getState();
+          return JSON.stringify(await getPolicyStatus(state), null, 2);
+        },
+      },
+      agt_policy_check_text: {
+        description:
+          "Check text against AGT prompt, context-poisoning, and MCP-style threat detectors.",
+        args: {
+          text: tool.schema.string().describe("Text to inspect."),
+        },
+        async execute(args) {
+          const state = await getState();
+          const text = typeof args?.text === "string" ? args.text : "";
+          return JSON.stringify(checkArbitraryText(state, text, "opencode-check"), null, 2);
+        },
+      },
+    },
+  };
+};
+export default AgtGovernance;
+function extractPromptFromEvent(event) {
+  if (!event || typeof event !== "object") {
+    return "";
+  }
+  const type = String(event.type ?? "");
+  if (!type) {
+    return "";
+  }
+  // OpenCode emits chat.* events when the user sends a message. Different
+  // versions may key the prompt under different paths; check the common ones.
+  if (!/^(chat|message|prompt|user)\b/.test(type)) {
+    return "";
+  }
+  const props = event.properties ?? event.data ?? {};
+  const candidates = [
+    props.prompt,
+    props.message,
+    props.text,
+    props.content,
+    typeof props.message === "object" ? props.message?.content : undefined,
+  ];
+  for (const candidate of candidates) {
+    if (typeof candidate === "string" && candidate.trim()) {
+      return candidate;
+    }
+    if (Array.isArray(candidate)) {
+      const joined = candidate
+        .map((part) => (typeof part === "string" ? part : part?.text ?? ""))
+        .filter(Boolean)
+        .join("\n");
+      if (joined.trim()) {
+        return joined;
+      }
+    }
+  }
+  return "";
+}