npm - @opencode_weave/weave - Versions diffs - 0.5.0 → 0.5.1 - Mend

@opencode_weave/weave 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -35,6 +35,7 @@ Weave is a lean OpenCode plugin with multi-agent orchestration. It provides a co
   - [Background Agents](#background-agents)
   - [Tool Permissions](#tool-permissions)
 - [Development](#development)
+- [Acknowledgments](#acknowledgments)
 - [License](#license)
 ## Overview
@@ -312,6 +313,10 @@ Tool access is controlled per-agent to ensure safety and specialized focus. For
 - **Typecheck**: `bun run typecheck`
 - **Clean**: `bun run clean`
+## Acknowledgments
+Weave was inspired by [Oh My OpenCode](https://github.com/code-yeongyu/oh-my-opencode) by [@code-yeongyu](https://github.com/code-yeongyu) — a pioneering OpenCode plugin that proved multi-agent orchestration, discipline agents, and structured plan-execute workflows could radically improve the developer experience. Many of Weave's core ideas — from category-based task dispatch to background agent parallelism — trace their roots to patterns Oh My OpenCode established. We're grateful for the trailblazing work and the vibrant community around it.
 ## License
 MIT

package/dist/index.js CHANGED Viewed

@@ -525,7 +525,7 @@ FORMAT RULES:
 - Use /start-work to hand off to Tapestry for todo-list driven execution of multi-step plans
 - Use shuttle for category-specific specialized work
 - Use Weft for reviewing completed work or validating plans before execution
-- Use Warp for security audits when changes touch auth, crypto, tokens, or input validation
+- MUST use Warp for security audits when changes touch auth, crypto, certificates, tokens, signatures, or input validation — not optional
 - Delegate aggressively to keep your context lean
 </Delegation>
@@ -568,6 +568,7 @@ For complex tasks that benefit from structured planning before execution:
    - SKIP ONLY IF: User explicitly says "skip review"
    - Weft reads the plan, verifies file references, checks executability
    - If Weft rejects, send issues back to Pattern for revision
+   - MANDATORY: If the plan touches security-relevant areas (crypto, auth, certificates, tokens, signatures, or input validation) → also run Warp on the plan
 3. EXECUTE: Tell the user to run \`/start-work\` to begin execution
    - /start-work loads the plan, creates work state at \`.weave/state.json\`, and switches to Tapestry
    - Tapestry reads the plan and works through tasks, marking checkboxes as it goes
@@ -596,11 +597,12 @@ When to skip Weft:
 - User explicitly says "skip review"
 - Simple question-answering (no code changes)
-For security-relevant changes, also delegate to Warp:
+MANDATORY — If ANY changed file touches crypto, auth, certificates, tokens, signatures, or input validation:
+→ MUST run Warp in parallel with Weft. This is NOT optional.
+→ Failure to invoke Warp for security-relevant changes is a workflow violation.
 - Warp is read-only and skeptical-biased — it rejects when security is at risk
 - Warp self-triages: if no security-relevant changes, it fast-exits with APPROVE
 - If Warp rejects: address the specific security issues before shipping
-- Run Warp in parallel with Weft for comprehensive coverage
 </ReviewWorkflow>
 <Style>
@@ -1879,13 +1881,13 @@ function getPlanName(planPath) {
 }
 // src/features/work-state/validation.ts
 import { readFileSync as readFileSync5, existsSync as existsSync6 } from "fs";
-import { resolve as resolve2 } from "path";
+import { resolve as resolve2, sep } from "path";
 function validatePlan(planPath, projectDir) {
   const errors = [];
   const warnings = [];
   const resolvedPlanPath = resolve2(planPath);
   const allowedDir = resolve2(projectDir, PLANS_DIR);
-  if (!resolvedPlanPath.startsWith(allowedDir + "/") && resolvedPlanPath !== allowedDir) {
+  if (!resolvedPlanPath.startsWith(allowedDir + sep) && resolvedPlanPath !== allowedDir) {
     errors.push({
       severity: "error",
       category: "structure",
@@ -2065,7 +2067,7 @@ function validateFileReferences(content, projectDir, warnings) {
       }
       const resolvedProject = resolve2(projectDir);
       const absolutePath = resolve2(projectDir, filePath);
-      if (!absolutePath.startsWith(resolvedProject + "/") && absolutePath !== resolvedProject) {
+      if (!absolutePath.startsWith(resolvedProject + sep) && absolutePath !== resolvedProject) {
         warnings.push({
           severity: "warning",
           category: "file-references",
@@ -2433,7 +2435,7 @@ Before marking this task complete, verify the work:
 If uncertain about quality, delegate to \`weft\` agent for a formal review:
 \`call_weave_agent(agent="weft", prompt="Review the changes for [task description]")\`
-If changes touch auth, crypto, tokens, or input validation, delegate to \`warp\` agent for a security audit:
+MANDATORY: If changes touch auth, crypto, certificates, tokens, signatures, or input validation, you MUST delegate to \`warp\` agent for a security audit — this is NOT optional:
 \`call_weave_agent(agent="warp", prompt="Security audit the changes for [task description]")\`
 Only mark complete when ALL checks pass.`

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opencode_weave/weave",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Weave — lean OpenCode plugin with multi-agent orchestration",
   "author": "Weave",
   "license": "MIT",