@node9/proxy 1.24.3 → 1.26.0

package/dist/cli.mjs

@@ -2251,6 +2251,42 @@ var init_dist = __esm({
         regex: /\bAGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JNLH]{58}\b/,
         severity: "block",
         keywords: ["age-secret-key-"]
+      },
+      // ── Database connection strings ───────────────────────────────────────────
+      // Universal <scheme>://[user]:<password>@<host> shape. Covers the gap
+      // vendor-prefix patterns (AWS / GitHub / Stripe / …) leave open. Matches
+      // the whole URL so maskSecret produces `<scheme>...:****@...<host>` —
+      // the password value never appears in the redacted sample.
+      //
+      // Schemes covered: redis, rediss (TLS), postgres, postgresql,
+      // mongodb, mongodb+srv, mysql, mariadb, amqp, amqps, kafka,
+      // clickhouse, cassandra. HTTP(S) / FTP / SSH are intentionally
+      // excluded — they're not database URLs and adding them would
+      // create false positives on every basic-auth URL in the wild.
+      //
+      // Requires `:password@` (4+ char password) so user-only URLs like
+      // `redis://user@host` don't match. Stopwords ('your', '${', '<your',
+      // 'placeholder', 'changeme', etc.) keep doc/README scans clean.
+      {
+        name: "Database Connection String",
+        regex: /\b(redis|rediss|postgres|postgresql|mongodb|mongodb\+srv|mysql|mariadb|amqp|amqps|kafka|clickhouse|cassandra):\/\/[^:/\s@]*:[^@\s]{4,}@[^\s/]+/,
+        severity: "block",
+        keywords: [
+          "redis://",
+          "rediss://",
+          "postgres://",
+          "postgresql://",
+          "mongodb://",
+          "mongodb+srv://",
+          "mysql://",
+          "mariadb://",
+          "amqp://",
+          "amqps://",
+          "kafka://",
+          "clickhouse://",
+          "cassandra://"
+        ],
+        minEntropy: 3
       }
     ];
     DLP_PATTERNS_GLOBAL = DLP_PATTERNS.map(
@@ -2353,7 +2389,7 @@ var init_dist = __esm({
       },
       {
         // Mirrors the JSON shield's `.env` pattern (project-jail.json's
-        // review-read-env-any-tool) so the AST FS-op path catches the
+        // block-read-env-any-tool) so the AST FS-op path catches the
         // same set the regex shield does — including Next.js / Vite's
         // `.env.<env>.local` double-suffix overrides which are commonly
         // gitignored AND commonly contain real secrets.
@@ -3099,7 +3135,7 @@ var init_dist = __esm({
             {
               field: "command",
               op: "matches",
-              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.ssh[\\/\\\\]",
+              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*?\\.ssh[\\/\\\\]",
               flags: "i"
             }
           ],
@@ -3113,7 +3149,7 @@ var init_dist = __esm({
             {
               field: "command",
               op: "matches",
-              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*?\\.aws[\\/\\\\]",
+              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*?\\.aws[\\/\\\\]",
               flags: "i"
             }
           ],
@@ -3127,7 +3163,7 @@ var init_dist = __esm({
             {
               field: "command",
               op: "matches",
-              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*\\.env(\\.local|\\.production|\\.staging)?\\b",
+              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*?\\.env(\\.(local|production|staging|development|production\\.local|staging\\.local|development\\.local))?(?=\\s|$|[;&|>)<])",
               flags: "i"
             }
           ],
@@ -3141,7 +3177,7 @@ var init_dist = __esm({
             {
               field: "command",
               op: "matches",
-              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
+              value: "(cat|less|head|tail|bat|more|open|print|nano|vim|vi|emacs|code|type|grep|egrep|fgrep|rg|ag|ack|awk|gawk|sed|cut|tr|jq|yq|od|xxd|hexdump|strings|sort|uniq|tac|nl|dd)\\s+.*(credentials\\.json|\\.netrc|\\.npmrc|\\.docker[\\/\\\\]config\\.json|gcloud[\\/\\\\]credentials)",
               flags: "i"
             }
           ],
@@ -3177,7 +3213,7 @@ var init_dist = __esm({
           reason: "Reading AWS credentials is blocked by project-jail shield"
         },
         {
-          name: "shield:project-jail:review-read-env-any-tool",
+          name: "shield:project-jail:block-read-env-any-tool",
           tool: "*",
           conditions: [
             {
@@ -3187,8 +3223,8 @@ var init_dist = __esm({
               flags: "i"
             }
           ],
-          verdict: "review",
-          reason: "Reading .env files requires approval (project-jail shield)"
+          verdict: "block",
+          reason: "Reading .env files is blocked by project-jail shield"
         },
         {
           name: "shield:project-jail:review-read-credentials-any-tool",
@@ -3453,6 +3489,30 @@ function writeShieldOverride(shieldName, ruleName, verdict) {
   overrides[shieldName] = { ...overrides[shieldName] ?? {}, [ruleName]: verdict };
   writeShieldsFile({ ...current, overrides });
 }
+function migrateRenamedRuleKeys() {
+  const current = readShieldsFile();
+  if (!current.overrides || Object.keys(current.overrides).length === 0) return [];
+  const renameMap = new Map(RULE_KEY_MIGRATIONS);
+  const migrated = [];
+  const nextOverrides = {};
+  let anyChange = false;
+  for (const [shield, rules] of Object.entries(current.overrides)) {
+    const nextRules = {};
+    for (const [key, verdict] of Object.entries(rules)) {
+      const newKey = renameMap.get(key);
+      if (newKey) {
+        if (!(newKey in nextRules)) nextRules[newKey] = verdict;
+        migrated.push({ shield, oldKey: key, newKey });
+        anyChange = true;
+      } else {
+        nextRules[key] = verdict;
+      }
+    }
+    if (Object.keys(nextRules).length > 0) nextOverrides[shield] = nextRules;
+  }
+  if (anyChange) writeShieldsFile({ ...current, overrides: nextOverrides });
+  return migrated;
+}
 function clearShieldOverride(shieldName, ruleName) {
   const current = readShieldsFile();
   if (!current.overrides?.[shieldName]?.[ruleName]) return;
@@ -3501,7 +3561,7 @@ function installShield(name, shieldJson) {
   fs2.writeFileSync(tmp, JSON.stringify(shieldJson, null, 2), { mode: 384 });
   fs2.renameSync(tmp, filePath);
 }
-var USER_SHIELDS_DIR, SHIELDS, SHIELDS_STATE_FILE;
+var USER_SHIELDS_DIR, SHIELDS, SHIELDS_STATE_FILE, RULE_KEY_MIGRATIONS;
 var init_shields = __esm({
   "src/shields.ts"() {
     "use strict";
@@ -3510,6 +3570,14 @@ var init_shields = __esm({
     USER_SHIELDS_DIR = path2.join(os2.homedir(), ".node9", "shields");
     SHIELDS = buildSHIELDS();
     SHIELDS_STATE_FILE = path2.join(os2.homedir(), ".node9", "shields.json");
+    RULE_KEY_MIGRATIONS = [
+      // 2026-05-21 — project-jail .env reads promoted review → block. Renamed
+      // so the key honestly describes the verdict. Credential-file rules
+      // (.netrc, .npmrc, .docker, .kube, gcloud) deliberately stay at `review`
+      // — see the rationale in packages/policy-engine/src/shell/index.ts
+      // around the review-read-credentials rule.
+      ["shield:project-jail:review-read-env-any-tool", "shield:project-jail:block-read-env-any-tool"]
+    ];
   }
 });
 
@@ -6438,6 +6506,122 @@ var init_mcp_pin = __esm({
   }
 });
 
+// src/setup-opencode-shim.ts
+function renderOpencodeShim(input) {
+  const { node9Argv, version: version2 } = input;
+  return `// Auto-generated by \`node9 init\`. Do not edit \u2014 re-run init to upgrade.
+// NODE9_SHIM_VERSION = "${version2}"
+//
+// node9 protection shim for Opencode. Wires three hooks against the
+// agent's plugin API and shells out to the node9 CLI for verdicts.
+//
+// Block by throwing from a hook handler; Opencode's plugin trigger
+// (packages/opencode/src/plugin/index.ts:273) propagates the error and
+// halts the tool call.
+
+const { spawnSync } = require("node:child_process");
+
+// argv prefix for invoking the node9 CLI. argv[0] is the executable
+// (either the npm-installed wrapper script or the node binary); the
+// remaining entries (if any) are passed as the leading args before
+// the subcommand name (e.g. ["/path/to/dist/cli.js"] for dev mode).
+const NODE9_ARGV = ${JSON.stringify(node9Argv)};
+const HOOK_TIMEOUT_MS = 30000;
+const LOG_TIMEOUT_MS = 5000;
+
+function parseReason(stdout) {
+  // node9 check emits {decision, reason, message} JSON on stdout when
+  // blocking. Fall back to a generic string if anything goes wrong.
+  try {
+    const v = JSON.parse(stdout || "");
+    return v && (v.reason || v.message);
+  } catch (e) {
+    return null;
+  }
+}
+
+function extractPromptText(parts) {
+  // chat.message gives us parts: Part[]. We only DLP-scan text parts
+  // (image / tool_use parts can't contain pasted secrets in any form
+  // node9's scanner currently recognizes).
+  if (!Array.isArray(parts)) return "";
+  return parts
+    .filter((p) => p && p.type === "text")
+    .map((p) => (p && p.text) || "")
+    .join("\\n");
+}
+
+module.exports = {
+  id: "node9",
+  server: async (input) => ({
+    "tool.execute.before": async (ctx, mutable) => {
+      const payload = {
+        hook_event_name: "PreToolUse",
+        tool_name: ctx.tool,
+        tool_input: mutable.args,
+        session_id: ctx.sessionID,
+        cwd: input.directory,
+        meta: { agent: "Opencode" },
+      };
+      const r = spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "check"], {
+        input: JSON.stringify(payload),
+        encoding: "utf-8",
+        timeout: HOOK_TIMEOUT_MS,
+      });
+      if (r.status === 0) return;
+      const reason = parseReason(r.stdout) || "blocked by node9";
+      throw new Error("[node9] " + reason);
+    },
+
+    "tool.execute.after": async (ctx) => {
+      // Fire-and-forget audit log \u2014 failures here must NEVER throw,
+      // or we'd retroactively "block" a tool call that already ran.
+      const payload = {
+        hook_event_name: "PostToolUse",
+        tool_name: ctx.tool,
+        session_id: ctx.sessionID,
+        cwd: input.directory,
+        meta: { agent: "Opencode" },
+      };
+      try {
+        spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "log"], {
+          input: JSON.stringify(payload),
+          encoding: "utf-8",
+          timeout: LOG_TIMEOUT_MS,
+        });
+      } catch (e) {
+        // Swallow: audit log gaps are preferable to crashing the agent.
+      }
+    },
+
+    "chat.message": async (ctx, mutable) => {
+      const prompt = extractPromptText(mutable.parts);
+      if (!prompt) return;
+      const payload = {
+        hook_event_name: "UserPromptSubmit",
+        prompt,
+        session_id: ctx.sessionID,
+        meta: { agent: "Opencode" },
+      };
+      const r = spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "check"], {
+        input: JSON.stringify(payload),
+        encoding: "utf-8",
+        timeout: HOOK_TIMEOUT_MS,
+      });
+      if (r.status === 0) return;
+      const reason = parseReason(r.stdout) || "prompt blocked";
+      throw new Error("[node9] " + reason);
+    },
+  }),
+};
+`;
+}
+var init_setup_opencode_shim = __esm({
+  "src/setup-opencode-shim.ts"() {
+    "use strict";
+  }
+});
+
 // src/setup.ts
 import fs13 from "fs";
 import path15 from "path";
@@ -6900,6 +7084,18 @@ function claudeDesktopConfigPath(homeDir2 = os12.homedir()) {
   }
   return null;
 }
+function binaryInPath(binary) {
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(path15.delimiter)) {
+    if (!dir) continue;
+    try {
+      fs13.accessSync(path15.join(dir, binary), fs13.constants.X_OK);
+      return true;
+    } catch {
+    }
+  }
+  return false;
+}
 function detectAgents(homeDir2 = os12.homedir()) {
   const exists = (p) => {
     try {
@@ -6921,7 +7117,10 @@ function detectAgents(homeDir2 = os12.homedir()) {
     codex: exists(path15.join(homeDir2, ".codex")),
     windsurf: exists(path15.join(homeDir2, ".codeium", "windsurf")),
     vscode: exists(path15.join(homeDir2, ".vscode")),
-    claudeDesktop: desktopPath !== null && exists(path15.dirname(desktopPath))
+    claudeDesktop: desktopPath !== null && exists(path15.dirname(desktopPath)),
+    // Opencode creates ~/.config/opencode lazily on first launch — fall back
+    // to a PATH lookup so installed-but-never-launched CLIs are still wired.
+    opencode: exists(path15.join(homeDir2, ".config", "opencode")) || binaryInPath("opencode")
   };
 }
 async function setupCursor() {
@@ -7554,6 +7753,127 @@ function teardownClaudeDesktop() {
     console.log(chalk.blue("  \u2139\uFE0F  No Node9-wrapped MCP servers found in Claude Desktop config"));
   }
 }
+function node9ArgvForShim() {
+  if (process.env.NODE9_TESTING === "1") return ["node9"];
+  const nodeExec = process.execPath;
+  const cliScript = process.argv[1];
+  if (cliScript && cliScript.endsWith(".js")) return [nodeExec, cliScript];
+  return [cliScript];
+}
+function node9Version() {
+  try {
+    const pkg = JSON.parse(
+      fs13.readFileSync(path15.join(__dirname, "..", "package.json"), "utf-8")
+    );
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+async function setupOpencode() {
+  seedMcpPinsIfMissing();
+  const homeDir2 = os12.homedir();
+  const configDir = path15.join(homeDir2, ".config", "opencode");
+  const pluginsDir = path15.join(configDir, "plugins");
+  const configPath = path15.join(configDir, "opencode.json");
+  const pluginPath = path15.join(pluginsDir, OPENCODE_PLUGIN_NAME);
+  try {
+    fs13.mkdirSync(pluginsDir, { recursive: true });
+  } catch (err2) {
+    const code = err2.code;
+    if (code !== "EEXIST") {
+      console.log(chalk.yellow(`  \u26A0\uFE0F  Could not create ${pluginsDir}: ${code ?? String(err2)}`));
+      return;
+    }
+  }
+  const shimContent = renderOpencodeShim({
+    node9Argv: node9ArgvForShim(),
+    version: node9Version()
+  });
+  let pluginChanged = false;
+  const existingShim = (() => {
+    try {
+      return fs13.readFileSync(pluginPath, "utf-8");
+    } catch {
+      return null;
+    }
+  })();
+  if (existingShim !== shimContent) {
+    fs13.writeFileSync(pluginPath, shimContent);
+    pluginChanged = true;
+    if (existingShim) {
+      console.log(chalk.yellow("  \u{1F527} Opencode plugin shim updated to current version"));
+    } else {
+      console.log(
+        chalk.green("  \u2705 Opencode plugin installed \u2192 tool.execute.before / after, chat.message")
+      );
+    }
+  }
+  const config = readJson(configPath) ?? {};
+  const mcp = config.mcp ?? {};
+  let configChanged = false;
+  const desiredCommand = [...node9ArgvForShim(), "mcp-server"];
+  const desiredEntry = {
+    type: "local",
+    command: desiredCommand,
+    enabled: true
+  };
+  const existing = mcp["node9"];
+  const entryMatches = existing && existing.type === "local" && Array.isArray(existing.command) && existing.command.length === desiredCommand.length && existing.command.every((c, i) => c === desiredCommand[i]) && existing.enabled !== false;
+  if (!entryMatches) {
+    mcp["node9"] = desiredEntry;
+    config.mcp = mcp;
+    configChanged = true;
+    if (existing) {
+      console.log(chalk.yellow("  \u{1F527} Opencode MCP entry updated (node9)"));
+    } else {
+      console.log(chalk.green("  \u2705 node9 MCP server added   \u2192 node9 mcp-server"));
+    }
+  }
+  if (configChanged) writeJson(configPath, config);
+  if (pluginChanged || configChanged) {
+    console.log(chalk.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Opencode!"));
+    console.log(chalk.gray("    Restart Opencode for changes to take effect."));
+    printDaemonTip();
+  } else {
+    console.log(chalk.blue("  \u2139\uFE0F  Node9 is already fully configured for Opencode."));
+  }
+}
+function teardownOpencode() {
+  const homeDir2 = os12.homedir();
+  const configDir = path15.join(homeDir2, ".config", "opencode");
+  const pluginsDir = path15.join(configDir, "plugins");
+  const configPath = path15.join(configDir, "opencode.json");
+  const pluginPath = path15.join(pluginsDir, OPENCODE_PLUGIN_NAME);
+  try {
+    if (fs13.existsSync(pluginPath)) {
+      fs13.unlinkSync(pluginPath);
+      console.log(chalk.green("  \u2705 Removed node9 plugin from ~/.config/opencode/plugins/"));
+    }
+  } catch (err2) {
+    console.log(chalk.yellow(`  \u26A0\uFE0F  Could not remove ${pluginPath}: ${String(err2)}`));
+  }
+  const config = readJson(configPath);
+  if (!config) {
+    console.log(chalk.blue("  \u2139\uFE0F  ~/.config/opencode/opencode.json not found \u2014 nothing to remove"));
+    return;
+  }
+  const mcp = config.mcp ?? {};
+  let changed = false;
+  if (mcp["node9"]) {
+    delete mcp["node9"];
+    changed = true;
+    console.log(
+      chalk.green("  \u2705 Removed node9 MCP server entry from ~/.config/opencode/opencode.json")
+    );
+  }
+  if (changed) {
+    config.mcp = mcp;
+    writeJson(configPath, config);
+  } else {
+    console.log(chalk.blue("  \u2139\uFE0F  No node9 entries found in ~/.config/opencode/opencode.json"));
+  }
+}
 function getAgentsStatus(homeDir2 = os12.homedir()) {
   const detected = detectAgents(homeDir2);
   const claudeWired = (() => {
@@ -7636,16 +7956,38 @@ function getAgentsStatus(homeDir2 = os12.homedir()) {
         return !!(cfg?.mcpServers && hasNode9McpServer(cfg.mcpServers));
       })(),
       mode: detected.claudeDesktop ? "mcp" : null
+    },
+    {
+      name: "opencode",
+      label: "Opencode",
+      installed: detected.opencode,
+      wired: (() => {
+        const pluginPath = path15.join(
+          homeDir2,
+          ".config",
+          "opencode",
+          "plugins",
+          OPENCODE_PLUGIN_NAME
+        );
+        if (fs13.existsSync(pluginPath)) return true;
+        const cfg = readJson(
+          path15.join(homeDir2, ".config", "opencode", "opencode.json")
+        );
+        return !!cfg?.mcp?.["node9"];
+      })(),
+      mode: detected.opencode ? "hooks" : null
     }
   ];
 }
-var NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS;
+var NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS, OPENCODE_PLUGIN_NAME;
 var init_setup = __esm({
   "src/setup.ts"() {
     "use strict";
     init_mcp_pin();
+    init_setup_opencode_shim();
     NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
     CODEX_PRE_TOOL_MATCHERS = ["^Bash$", "^apply_patch$", "^mcp__.*"];
+    OPENCODE_PLUGIN_NAME = "node9.js";
   }
 });
 
@@ -15944,6 +16286,11 @@ function sanitize2(value) {
   return value.replace(/[\x00-\x1F\x7F]/g, "");
 }
 function detectAiAgent(payload) {
+  const meta = payload.meta;
+  if (meta && typeof meta === "object") {
+    const tagged = meta.agent;
+    if (typeof tagged === "string" && tagged.length > 0) return tagged;
+  }
   if (payload.turn_id !== void 0) {
     return "Codex";
   }
@@ -18451,14 +18798,18 @@ import path39 from "path";
 import os34 from "os";
 import https4 from "https";
 var DEFAULT_SHIELDS = ["bash-safe", "filesystem", "project-jail"];
-function fireTelemetryPing(agents) {
+function buildTelemetryPayload(agents, firstInstall) {
+  return {
+    event: "init_completed",
+    agents_detected: agents,
+    os: process.platform,
+    node9_version: node9Version(),
+    first_install: firstInstall
+  };
+}
+function fireTelemetryPing(agents, firstInstall) {
   try {
-    const body = JSON.stringify({
-      event: "init_completed",
-      agents_detected: agents,
-      os: process.platform,
-      node9_version: process.env.npm_package_version ?? "unknown"
-    });
+    const body = JSON.stringify(buildTelemetryPayload(agents, firstInstall));
     const req = https4.request(
       {
         hostname: "api.node9.ai",
@@ -18491,6 +18842,12 @@ function registerInitCommand(program2) {
   ).action(
     async (options) => {
       console.log(chalk16.cyan.bold("\n\u{1F6E1}\uFE0F  Node9 Init\n"));
+      {
+        const migrated = migrateRenamedRuleKeys();
+        for (const m of migrated) {
+          console.log(chalk16.dim(`  \u{1F527} Rule renamed: ${m.oldKey} \u2192 ${m.newKey}`));
+        }
+      }
       let chosenMode = options.mode.toLowerCase();
       if (!["standard", "strict", "audit", "observe"].includes(chosenMode)) {
         chosenMode = DEFAULT_CONFIG.settings.mode;
@@ -18525,6 +18882,7 @@ function registerInitCommand(program2) {
         console.log("");
       }
       const configPath = path39.join(os34.homedir(), ".node9", "config.json");
+      const isFirstInstall = !fs38.existsSync(configPath);
       if (fs38.existsSync(configPath) && !options.force) {
         try {
           const existing = JSON.parse(fs38.readFileSync(configPath, "utf-8"));
@@ -18582,6 +18940,7 @@ function registerInitCommand(program2) {
         else if (agent === "windsurf") await setupWindsurf();
         else if (agent === "vscode") await setupVSCode();
         else if (agent === "claudeDesktop") await setupClaudeDesktop();
+        else if (agent === "opencode") await setupOpencode();
         console.log("");
       }
       if ((process.platform === "darwin" || process.platform === "linux") && process.stdout.isTTY) {
@@ -18627,7 +18986,7 @@ function registerInitCommand(program2) {
           message: "Send anonymous usage stats to help improve node9? (no code, no args)",
           default: true
         });
-        if (sendTelemetry) fireTelemetryPing(found);
+        if (sendTelemetry) fireTelemetryPing(found, isFirstInstall);
         console.log("");
       }
       const agentList = found.join(", ");
@@ -20341,7 +20700,8 @@ var SETUP_FN = {
   codex: setupCodex,
   windsurf: setupWindsurf,
   vscode: setupVSCode,
-  claudeDesktop: setupClaudeDesktop
+  claudeDesktop: setupClaudeDesktop,
+  opencode: setupOpencode
 };
 var TEARDOWN_FN = {
   claude: teardownClaude,
@@ -20350,7 +20710,8 @@ var TEARDOWN_FN = {
   codex: teardownCodex,
   windsurf: teardownWindsurf,
   vscode: teardownVSCode,
-  claudeDesktop: teardownClaudeDesktop
+  claudeDesktop: teardownClaudeDesktop,
+  opencode: teardownOpencode
 };
 var AGENT_NAMES = Object.keys(SETUP_FN);
 function registerAgentsCommand(program2) {