@defend-tech/opencode-optima 0.1.71 → 0.1.73

@@ -26,8 +26,9 @@
26
26
  - Human approval assignment is prohibited except for the strict allowlist: parent `plan` with clear questions already posted in ClickUp comments; `in progress` blocked by missing credentials, permissions, external tools, or access; or parent `validation` with a functional preview URL such as `https://<taskid>-preview.defend.tech`. Do not assign `CTO`/`PO` for generic handoff, routine validation, cleanup, subtask planning/validation, or partial-phase stops.
27
27
  - Store ClickUp `agent_metadata` JSON with session IDs per agent/type/task/subtask; keep `Definition` as the plan contract and final Documentation as delivered behavior docs.
28
28
  - `workflow_product_manager` is registered only when explicit ClickUp webhook mode is configured and the local webhook subscription state is active/valid.
29
- - Webhook mode is opt-in: Optima validates signed `X-Signature` HMAC SHA-256 requests, routes status/assignee events only for Product Manager-assigned non-terminal tasks, routes comments only when they mention `@Defend Tech Product Manager`, stores new `ses_...` ids in ClickUp `agent_metadata`, and reports stale/missing sessions to ClickUp without creating replacements.
30
- - The listener is a gated in-process HTTP listener for local runtime use; deployments still need a stable public URL/tunnel and local `.optima/.config/runtime/` state containing the ClickUp webhook id/secret. When a ClickUp client exposes webhook validation, Optima validates remote state; otherwise local-only validation is limited to ignored runtime state with matching URL/events and present id/secret.
29
+ - Webhook mode is opt-in: Optima validates signed `X-Signature` HMAC SHA-256 ClickUp requests, routes status/assignee events only for Product Manager-assigned non-terminal tasks, routes comments only when they mention `@Defend Tech Product Manager`, and stores new `ses_...` ids in ClickUp `agent_metadata`. Runtime/process failures stay in local logs and must not create ClickUp comments or tags.
30
+ - The same gated in-process listener can also accept signed GitHub `X-Hub-Signature-256` PR/review/comment events at `/optima/github/webhook` when `clickup.github.webhook` is enabled. GitHub events resolve the ClickUp task from the PR source branch, update only `agent_metadata.task.github`, and steer the existing `workflow_product_manager` session; they do not create replacement sessions or ClickUp runtime comments.
31
+ - Deployments still need a stable public URL/tunnel and local `.optima/.config/runtime/` state containing the ClickUp webhook id/secret. When a ClickUp client exposes webhook validation, Optima validates remote state; otherwise local-only validation is limited to ignored runtime state with matching URL/events and present id/secret.
31
32
 
32
33
  ## Shared Worktree And Git
33
34
 
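Review bot: The new GitHub bullet (new line 30) says `/optima/github/webhook` validates `X-Hub-Signature-256`, but the deployment bullet on new line 31 still lists only the ClickUp webhook id/secret under `.optima/.config/runtime/`; say where the GitHub webhook secret is stored and that it is kept in ignored runtime state like the ClickUp one. The rewritten line 29 also drops the earlier statement that stale/missing sessions are reported "without creating replacements" for ClickUp events. The no-replacement guarantee now appears only in the GitHub bullet, so restate it for ClickUp or say that the behaviour changed. Since the ClickUp task is resolved from the PR source branch, it is also worth stating what happens when the branch name does not match a known task.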
@@ -19,8 +19,8 @@
19
19
  - Git rules: principal workspace stays on `dev`, never `main`; parent branches use `<type>/<parent-id>`; subtask branches use non-nested `<type>/<parent-id>-subtask-<subtask-id>` and pending subtasks use `<type>/<parent-id>-pending-<title-slug>`; parent task pulls remote once at start; subtasks start from and PR to the parent local branch, bootstrapping the parent from `dev`/`origin/dev` first when missing; PoC branches stay `poc/<clickup-task-id>`; parents PR to `dev`, releases PR `dev` -> `main`; failed/conflicted subtask or parent merges return the affected item to `in progress` for the coding owner; no direct `main` pushes.
20
20
  - Store `agent_metadata` session JSON; `Definition` is the plan contract, final Documentation is delivered behavior docs.
21
21
  - `workflow_product_manager` is registered only when opt-in ClickUp webhook mode is complete and active/valid.
22
- - Webhook mode validates `X-Signature` HMAC SHA-256, routes only PM-assigned non-terminal status/assignee events, routes comments only on `@Defend Tech Product Manager`, writes new `ses_...` ids to `agent_metadata`, and reports stale/missing sessions to ClickUp without replacement.
23
- - The listener is gated in-process local runtime; production needs a stable public URL/tunnel and ignored `.optima/.config/runtime/` webhook state. Remote webhook validation is used when the injected ClickUp client supports it; otherwise local-only validation is limited to matching id/secret/URL/events state.
22
+ - Webhook mode validates ClickUp `X-Signature` HMAC SHA-256, routes only PM-assigned non-terminal status/assignee events, routes comments only on `@Defend Tech Product Manager`, writes new `ses_...` ids to `agent_metadata`, and keeps runtime/process failures in local logs, never ClickUp comments/tags.
23
+ - The listener is gated in-process local runtime; production needs a stable public URL/tunnel and ignored `.optima/.config/runtime/` webhook state. It can also accept GitHub `X-Hub-Signature-256` PR/review/comment webhooks at `/optima/github/webhook`; these update only `agent_metadata.task.github` and steer the existing WPM session resolved from the PR source branch.
24
24
  - Communication: questions, blockers, reviews, dependencies, and escalation go through PMA. Tech Lead reviews architecture/code/PR/standards/repo skills; Validator/QA verifies tests/regression/coverage/evidence/docs.
25
25
  - Reopen same-scope discrepancies by reactivating the same task file, adding `Reopen History`, and reusing existing Task/Workflow Runner session IDs when possible.
26
26
  - Blockers move to `.optima/tasks/blocked/` with a clear blocker report and PO-facing resolution need.
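Review bot: The condensed GitHub sentence on new line 23 omits that the endpoint is active only when `clickup.github.webhook` is enabled, which the longer policy text in this same diff states, so a reader of this file alone would take the GitHub route as always on; add the gating condition. This rewrite also removes the sentence on remote versus local-only webhook validation that the old line 23 carried and the longer text keeps, and it introduces `WPM` without expansion where the surrounding lines spell out `workflow_product_manager`.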
@@ -61,3 +61,14 @@ Use shared policies and additive agent files by default. Do not create or popula
61
61
  - PMA links the task to an approved SCR.
62
62
  - Architect helps decompose the work into slice-based subtasks.
63
63
  - `workflow_runner` executes the end-to-end delivery cycle through specialist delegation while PMA waits for completion notification.
64
+
65
+ ## ClickUp-First PR And Preproduction Gate
66
+
67
+ For ClickUp-first delivery, Validation is a GitHub PR state, not a comment-only handoff.
68
+
69
+ - Subtasks open/update a PR from the subtask branch into the parent task branch before entering Validation.
70
+ - Parent tasks open/update a PR from the task branch into `dev` before entering Validation.
71
+ - GitHub review/comment webhooks wake the workflow owner. The agent replies in GitHub; if a comment requires a change, it moves ClickUp back to `in progress`, fixes/pushes the same branch, returns ClickUp to `validation`, updates the PR, and replies again with the result.
72
+ - The configured final approver/CTO approving the parent PR is the merge trigger. After merge to `dev`, Vercel preproduction must deploy automatically and pass a small smoke/regression check before cleanup and ClickUp `completed`.
73
+ - If merge, Vercel deployment, or regression fails, create Bug subtasks under the parent and return the parent to `in progress`.
74
+ - Worktrees/branches may be deleted only after the merge and preproduction gate pass. OpenCode session ids remain in ClickUp `agent_metadata` so a reopened task can recreate the worktree and resume context.
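Review bot: The webhook bullet on new line 71 lets any GitHub review or comment move the task back to `in progress` and have the agent push to the branch, without saying whose comments count; limit change requests to the configured reviewers or final approver and treat other comments as reply-only. On line 72, state that the approval must cover the current head of the PR, since line 71 allows the agent to push to the same branch after a review, and define what the "small smoke/regression check" must include so the gate is testable.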
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@defend-tech/opencode-optima",
3
- "version": "0.1.71",
3
+ "version": "0.1.73",
4
4
  "repository": {
5
5
  "type": "git",
6
6
  "url": "git+ssh://git@github.com/defend-tech/opencode-optima.git"
@@ -67,5 +67,24 @@ workflow:
67
67
  subtask: parent_branch
68
68
  parent: dev
69
69
  release: main
70
+ validation_requires_pull_request: true # A task/subtask cannot enter Validation without an open GitHub PR
71
+ review_webhooks:
72
+ enabled: true
73
+ events:
74
+ - pull_request_review
75
+ - pull_request_review_comment
76
+ - issue_comment
77
+ - pull_request
78
+ comment_policy: reply_before_change_and_after_change
79
+ change_request_status: in progress
80
+ after_fix_status: validation
81
+ accepted_by: CTO
82
+ vercel:
83
+ preproduction:
84
+ required_for_parent_tasks: true
85
+ environment: preproduction
86
+ verify_deployment_after_merge: true
87
+ smoke_regression_required: true
88
+ on_failure: create_bug_subtasks_and_return_parent_to_in_progress
70
89
 
71
90
  agents:
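Review bot: `issue_comment` in the `review_webhooks` event list (new line 76) is delivered by GitHub for comments on plain issues as well as on pull requests, so the handler has to drop deliveries that are not attached to a PR; note that requirement next to the event list. `accepted_by: CTO` on line 81 names a role rather than a GitHub account, and nothing in this hunk shows how the role maps to the login whose approval triggers the merge; reference the setting that holds that mapping. `enabled: true` on line 72 also ships the review webhooks switched on in this file, while the policy text describes webhook mode as opt-in, so confirm the intended default.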