npm - @opencode_weave/weave - Versions diffs - 0.5.0 → 0.5.2 - Mend

@opencode_weave/weave 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -21,9 +21,8 @@ Weave is a lean OpenCode plugin with multi-agent orchestration. It provides a co
   - [Quick Tasks (No Plan Needed)](#quick-tasks-no-plan-needed)
 - [Installation](#installation)
   - [Prerequisites](#prerequisites)
-  - [Step 1: Install](#step-1-install)
-  - [Step 2: Register in opencode.json](#step-2-register-in-opencodejson)
-  - [Step 3: Restart OpenCode](#step-3-restart-opencode)
+  - [Step 1: Add to opencode.json](#step-1-add-to-opencodejson)
+  - [Step 2: Restart OpenCode](#step-2-restart-opencode)
   - [Troubleshooting](#troubleshooting)
 - [Uninstalling](#uninstalling)
 - [Configuration](#configuration)
@@ -35,6 +34,7 @@ Weave is a lean OpenCode plugin with multi-agent orchestration. It provides a co
   - [Background Agents](#background-agents)
   - [Tool Permissions](#tool-permissions)
 - [Development](#development)
+- [Acknowledgments](#acknowledgments)
 - [License](#license)
 ## Overview
@@ -148,17 +148,8 @@ This package is published on [npm](https://www.npmjs.com/package/@opencode_weave
 ### Prerequisites
 - [OpenCode](https://opencode.ai)
-- Bun or Node.js
-### Step 1: Install
-```bash
-bun add @opencode_weave/weave
-# or
-npm install @opencode_weave/weave
-```
-### Step 2: Register in opencode.json
+### Step 1: Add to opencode.json
 Add the plugin to your `opencode.json` file:
@@ -168,9 +159,9 @@ Add the plugin to your `opencode.json` file:
 }
 ```
-### Step 3: Restart OpenCode
+### Step 2: Restart OpenCode
-The plugin loads automatically upon restart and works with zero configuration out of the box.
+OpenCode automatically installs npm plugins at startup — no manual `bun add` or `npm install` required. The plugin loads automatically upon restart and works with zero configuration out of the box.
 ### Troubleshooting
@@ -193,15 +184,7 @@ Delete the `@opencode_weave/weave` entry from the `plugin` array in your `openco
 }
 ```
-### Step 2: Uninstall the package
-```bash
-bun remove @opencode_weave/weave
-# or
-npm uninstall @opencode_weave/weave
-```
-### Step 3: Clean up project artifacts (optional)
+### Step 2: Clean up project artifacts (optional)
 Weave may have created plan and state files during usage. Remove them if no longer needed:
@@ -215,7 +198,7 @@ You can also remove any project-level configuration if present:
 rm -f .opencode/weave-opencode.jsonc .opencode/weave-opencode.json
 ```
-### Step 4: Clean up user-level configuration (optional)
+### Step 3: Clean up user-level configuration (optional)
 If you no longer use Weave in any project, remove the global configuration:
@@ -312,6 +295,10 @@ Tool access is controlled per-agent to ensure safety and specialized focus. For
 - **Typecheck**: `bun run typecheck`
 - **Clean**: `bun run clean`
+## Acknowledgments
+Weave was inspired by [Oh My OpenCode](https://github.com/code-yeongyu/oh-my-opencode) by [@code-yeongyu](https://github.com/code-yeongyu) — a pioneering OpenCode plugin that proved multi-agent orchestration, discipline agents, and structured plan-execute workflows could radically improve the developer experience. Many of Weave's core ideas — from category-based task dispatch to background agent parallelism — trace their roots to patterns Oh My OpenCode established. We're grateful for the trailblazing work and the vibrant community around it.
 ## License
 MIT

package/dist/index.js CHANGED Viewed

@@ -525,7 +525,7 @@ FORMAT RULES:
 - Use /start-work to hand off to Tapestry for todo-list driven execution of multi-step plans
 - Use shuttle for category-specific specialized work
 - Use Weft for reviewing completed work or validating plans before execution
-- Use Warp for security audits when changes touch auth, crypto, tokens, or input validation
+  - MUST use Warp for security audits when changes touch auth, crypto, certificates, tokens, signatures, input validation, secrets, passwords, sessions, CORS, CSP, .env files, or OAuth/OIDC/SAML flows — not optional. When in doubt, invoke Warp — false positives (fast APPROVE) are cheap.
 - Delegate aggressively to keep your context lean
 </Delegation>
@@ -568,10 +568,20 @@ For complex tasks that benefit from structured planning before execution:
    - SKIP ONLY IF: User explicitly says "skip review"
    - Weft reads the plan, verifies file references, checks executability
    - If Weft rejects, send issues back to Pattern for revision
+   - MANDATORY: If the plan touches security-relevant areas (crypto, auth, certificates, tokens, signatures, or input validation) → also run Warp on the plan
 3. EXECUTE: Tell the user to run \`/start-work\` to begin execution
    - /start-work loads the plan, creates work state at \`.weave/state.json\`, and switches to Tapestry
    - Tapestry reads the plan and works through tasks, marking checkboxes as it goes
 4. RESUME: If work was interrupted, \`/start-work\` resumes from the last unchecked task
+5. POST-EXECUTION REVIEW (MANDATORY — NO SKIP CONDITIONS):
+   After Tapestry reports all tasks complete, you MUST run this gate before reporting success to the user:
+   a. Run \`git diff --stat\` to identify all changed files
+   b. Delegate to Weft (quality review) AND Warp (security audit) in parallel
+   c. Warp self-triages: if no security-relevant changes, it fast-exits with APPROVE — so always invoke it
+   d. If Weft or Warp REJECT → address blocking issues, then re-run the rejecting reviewer
+   e. Only report success to the user after BOTH Weft and Warp APPROVE
+   - This step has NO skip conditions. Not for small changes, not for user request, not for time pressure.
+   - Skipping this step is a workflow violation.
 When to use this workflow vs. direct execution:
 - USE plan workflow: Large features, multi-file refactors, anything with 5+ steps or architectural decisions
@@ -579,28 +589,36 @@ When to use this workflow vs. direct execution:
 </PlanWorkflow>
 <ReviewWorkflow>
-After significant implementation work completes:
+Two review modes — different rules for each:
+**Post-Plan-Execution Review (after PlanWorkflow Step 5):**
+- ALWAYS mandatory. No skip conditions. See PlanWorkflow Step 5 for the full protocol.
+- ALWAYS delegate to BOTH Weft (quality) AND Warp (security) in parallel
+- Warp self-triages: fast-exits with APPROVE if no security-relevant changes detected
+- Both must APPROVE before reporting success to the user
+**Ad-Hoc Review (non-plan work):**
 - Delegate to Weft to review the changes
 - Weft is read-only and approval-biased — it rejects only for real problems
 - If Weft approves: proceed confidently
 - If Weft rejects: address the specific blocking issues, then re-review
-When to invoke Weft:
-- After completing a multi-step plan
+When to invoke ad-hoc Weft:
 - After any task that touches 3+ files
 - Before shipping to the user when quality matters
 - When you're unsure if work meets acceptance criteria
-When to skip Weft:
+When to skip ad-hoc Weft:
 - Single-file trivial changes
 - User explicitly says "skip review"
 - Simple question-answering (no code changes)
-For security-relevant changes, also delegate to Warp:
+MANDATORY — If ANY changed file touches crypto, auth, certificates, tokens, signatures, or input validation:
+→ MUST run Warp in parallel with Weft. This is NOT optional.
+→ Failure to invoke Warp for security-relevant changes is a workflow violation.
 - Warp is read-only and skeptical-biased — it rejects when security is at risk
 - Warp self-triages: if no security-relevant changes, it fast-exits with APPROVE
 - If Warp rejects: address the specific security issues before shipping
-- Run Warp in parallel with Weft for comprehensive coverage
 </ReviewWorkflow>
 <Style>
@@ -686,7 +704,8 @@ When activated by /start-work with a plan file:
    d. Mark complete: use Edit tool to change \`- [ ]\` to \`- [x]\` in the plan file
    e. Report: "Completed task N/M: [title]"
 4. CONTINUE to the next unchecked task
-5. When ALL checkboxes are checked, report final summary
+5. When ALL checkboxes are checked, report final summary and include:
+   "All tasks complete. **Post-execution review required** — Loom must run Weft and Warp before reporting success."
 NEVER stop mid-plan unless explicitly told to or completely blocked.
 </PlanExecution>
@@ -1879,13 +1898,13 @@ function getPlanName(planPath) {
 }
 // src/features/work-state/validation.ts
 import { readFileSync as readFileSync5, existsSync as existsSync6 } from "fs";
-import { resolve as resolve2 } from "path";
+import { resolve as resolve2, sep } from "path";
 function validatePlan(planPath, projectDir) {
   const errors = [];
   const warnings = [];
   const resolvedPlanPath = resolve2(planPath);
   const allowedDir = resolve2(projectDir, PLANS_DIR);
-  if (!resolvedPlanPath.startsWith(allowedDir + "/") && resolvedPlanPath !== allowedDir) {
+  if (!resolvedPlanPath.startsWith(allowedDir + sep) && resolvedPlanPath !== allowedDir) {
     errors.push({
       severity: "error",
       category: "structure",
@@ -2065,7 +2084,7 @@ function validateFileReferences(content, projectDir, warnings) {
       }
       const resolvedProject = resolve2(projectDir);
       const absolutePath = resolve2(projectDir, filePath);
-      if (!absolutePath.startsWith(resolvedProject + "/") && absolutePath !== resolvedProject) {
+      if (!absolutePath.startsWith(resolvedProject + sep) && absolutePath !== resolvedProject) {
         warnings.push({
           severity: "warning",
           category: "file-references",
@@ -2433,7 +2452,7 @@ Before marking this task complete, verify the work:
 If uncertain about quality, delegate to \`weft\` agent for a formal review:
 \`call_weave_agent(agent="weft", prompt="Review the changes for [task description]")\`
-If changes touch auth, crypto, tokens, or input validation, delegate to \`warp\` agent for a security audit:
+MANDATORY: If changes touch auth, crypto, certificates, tokens, signatures, or input validation, you MUST delegate to \`warp\` agent for a security audit — this is NOT optional:
 \`call_weave_agent(agent="warp", prompt="Security audit the changes for [task description]")\`
 Only mark complete when ALL checks pass.`

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opencode_weave/weave",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "Weave — lean OpenCode plugin with multi-agent orchestration",
   "author": "Weave",
   "license": "MIT",