opencode-autoresearch 3.1.0 → 3.3.1

package/docs/superpowers/plans/2026-05-03-install-release-security.md

@@ -0,0 +1,855 @@
+# Install Release Security Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Prepare Auto Research v3.3.2 with native OpenCode install documentation, aligned release packaging, and hardened shell hooks.
+
+**Architecture:** Keep npm as the distribution artifact and document OpenCode's native npm plugin install as the primary path. Keep the CLI global install as an optional path, and keep package contents guarded by an explicit allowlist.
+
+**Tech Stack:** TypeScript ESM, Jest with ts-jest, npm package distribution, POSIX shell hooks, GitHub Actions release workflow.
+
+---
+
+## File Structure
+
+- Create: `.opencode/INSTALL.md` as the repo-level OpenCode install guide.
+- Create: `AGENTS.md` as the tracked repository-specific agent guide.
+- Modify: `.gitignore` to stop ignoring the tracked `AGENTS.md`.
+- Modify: `README.md:97-133` to make native OpenCode plugin install primary and npm CLI install secondary.
+- Modify: `docs/OPENCODE_INSTALL.md` to mirror the new install flow with troubleshooting.
+- Modify: `wiki/Installation.md` to mirror the new install flow.
+- Modify: `hooks/status.sh` and `hooks/stop.sh` to pass state paths through environment variables into Node.
+- Modify: `hooks/verify-package.sh` to allow and require `.opencode/INSTALL.md` and `AGENTS.md` in package dry runs.
+- Modify: `package.json`, `package-lock.json`, `VERSION`, `src/constants.ts`, and `.opencode-plugin/plugin.json` for version `3.3.2` and packaged file coverage.
+- Modify: `.github/workflows/release.yml` to add the missing `npm test` release gate.
+- Modify: `CHANGELOG.md`, `docs/ARCHITECTURE.md`, and `docs/RELEASE.md` to align release docs.
+- Modify: `tests/test_package_structure.ts` and `tests/test_constants.ts` to make the release/install/security expectations executable.
+
+Do not commit, tag, push, create a GitHub release, or publish to npm unless the user explicitly approves those operations after verification.
+
+---
+
+### Task 1: Add Failing Release and Security Tests
+
+**Files:**
+- Modify: `tests/test_package_structure.ts`
+- Modify: `tests/test_constants.ts`
+
+- [ ] **Step 1: Add package, install, workflow, and hook assertions**
+
+Add these tests to `tests/test_package_structure.ts` in the nearest existing `describe` blocks, creating new `describe` blocks where needed:
+
+```ts
+describe("package.json", () => {
+  it("packages repo-level OpenCode install guide", () => {
+    const files = readJson(resolve(REPO_ROOT, "package.json")).files as string[];
+    expect(files).toContain(".opencode");
+    expect(files).toContain("AGENTS.md");
+  });
+});
+
+describe(".opencode/", () => {
+  it("has OpenCode install guide with plugin and npm paths", () => {
+    const content = readFileSync(resolve(REPO_ROOT, ".opencode/INSTALL.md"), "utf-8");
+    expect(content).toContain('"plugin": ["opencode-autoresearch"]');
+    expect(content).toContain("npm install -g opencode-autoresearch");
+    expect(content).toContain("opencode-autoresearch doctor");
+  });
+});
+
+describe("AGENTS.md", () => {
+  it("is tracked repository guidance, not local-only context", () => {
+    const content = readFileSync(resolve(REPO_ROOT, "AGENTS.md"), "utf-8");
+    expect(content).toContain("Auto Research");
+    expect(content).toContain("npm run verify:pack");
+  });
+});
+
+describe("release workflow", () => {
+  it("runs tests before publishing", () => {
+    const content = readFileSync(resolve(REPO_ROOT, ".github/workflows/release.yml"), "utf-8");
+    expect(content).toContain("npm test");
+    expect(content).toContain("npm publish --access public --provenance");
+  });
+});
+
+describe("hooks/", () => {
+  it("does not interpolate AUTORESEARCH_STATE into inline JavaScript", () => {
+    const status = readFileSync(resolve(REPO_ROOT, "hooks/status.sh"), "utf-8");
+    const stop = readFileSync(resolve(REPO_ROOT, "hooks/stop.sh"), "utf-8");
+
+    expect(status).toContain("process.env.AUTORESEARCH_STATUS_FILE");
+    expect(stop).toContain("process.env.AUTORESEARCH_STATUS_FILE");
+    expect(status).not.toContain("readFileSync('$STATUS_FILE'");
+    expect(stop).not.toContain("readFileSync('$STATUS_FILE'");
+  });
+});
+```
+
+Update the version assertion in `tests/test_constants.ts`:
+
+```ts
+expect(VERSION).toBe("3.3.2");
+```
+
+- [ ] **Step 2: Run focused tests and verify they fail**
+
+Run:
+
+```bash
+npm run build
+npm test -- tests/test_package_structure.ts tests/test_constants.ts
+```
+
+Expected: FAIL because `.opencode/INSTALL.md` and `AGENTS.md` do not exist yet, package files do not include `.opencode`, the release workflow does not run `npm test`, hooks still interpolate `$STATUS_FILE`, and the compiled version is still `3.3.1`.
+
+---
+
+### Task 2: Add Install Guide and Agent Guidance
+
+**Files:**
+- Create: `.opencode/INSTALL.md`
+- Create: `AGENTS.md`
+- Modify: `.gitignore`
+
+- [ ] **Step 1: Add `.opencode/INSTALL.md`**
+
+Create `.opencode/INSTALL.md` with this content:
+
+````md
+# Installing Auto Research for OpenCode
+
+## Prerequisites
+
+- [OpenCode.ai](https://opencode.ai) installed
+
+## Recommended: OpenCode Plugin Install
+
+Add Auto Research to the `plugin` array in your global or project-level `opencode.json`:
+
+```json
+{
+  "plugin": ["opencode-autoresearch"]
+}
+```
+
+Restart OpenCode. OpenCode installs npm plugins automatically and registers the Auto Research commands.
+
+Verify inside OpenCode by running:
+
+```text
+/autoresearch
+```
+
+## Optional: Global CLI Install
+
+Install the CLI globally if you also want `autoresearch` and `opencode-autoresearch` on your shell `PATH`:
+
+```bash
+npm install -g opencode-autoresearch
+opencode-autoresearch doctor
+```
+
+For one-time use without a global install:
+
+```bash
+npx opencode-autoresearch doctor
+```
+
+## Commands
+
+After installation, these commands are available in OpenCode:
+
+- `/autoresearch`
+- `/autoresearch:plan`
+- `/autoresearch:debug`
+- `/autoresearch:fix`
+- `/autoresearch:learn`
+- `/autoresearch:predict`
+- `/autoresearch:scenario`
+- `/autoresearch:security`
+- `/autoresearch:ship`
+
+## Updating
+
+OpenCode refreshes npm plugins when it starts. Restart OpenCode after changing `opencode.json` or after a new Auto Research package release is published.
+
+To pin a version:
+
+```json
+{
+  "plugin": ["opencode-autoresearch@3.3.2"]
+}
+```
+
+## Troubleshooting
+
+### Plugin not loading
+
+1. Verify the package name in `opencode.json` is `opencode-autoresearch`.
+2. Restart OpenCode after editing config.
+3. Check OpenCode logs with `opencode run --print-logs "hello"`.
+
+### CLI not found
+
+1. Run `npm install -g opencode-autoresearch`.
+2. Verify your npm global bin directory is on `PATH`.
+3. Run `opencode-autoresearch doctor`.
+
+## Getting Help
+
+- Issues: https://github.com/Maleick/AutoResearch/issues
+- Documentation: https://github.com/Maleick/AutoResearch#readme
+````
+
+- [ ] **Step 2: Add `AGENTS.md`**
+
+Create `AGENTS.md` with this content:
+
+````md
+# Auto Research Agent Guide
+
+## Project Purpose
+
+Auto Research is an OpenCode workflow bundle and npm package for structured autonomous improve-verify loops.
+
+## Source of Truth
+
+- Runtime source lives in `src/`.
+- OpenCode commands live in `commands/`.
+- The Auto Research skill bundle lives in `skills/autoresearch/`.
+- Shell hooks live in `hooks/`.
+- OpenCode package metadata lives in `.opencode-plugin/plugin.json`.
+- Installation, architecture, and release docs live in `docs/` and `wiki/`.
+
+## Development Rules
+
+- Build context from existing files before changing behavior.
+- Prefer the smallest correct change.
+- Do not commit, tag, push, create releases, or publish packages unless the user explicitly asks.
+- Do not commit runtime artifacts from `.autoresearch/` or generated result files.
+- Keep `VERSION`, `package.json`, `package-lock.json`, `src/constants.ts`, and `.opencode-plugin/plugin.json` aligned for releases.
+
+## Security Rules
+
+- Do not add install flows that pipe remote scripts into a shell.
+- Keep package contents guarded by `hooks/verify-package.sh`.
+- Do not hardcode secrets, tokens, credentials, or private paths.
+- Pass shell variables into inline scripts through environment variables or argv, not by interpolating into source code.
+
+## Verification
+
+Run the focused relevant checks before claiming work is complete. Release-prep changes should run:
+
+```bash
+npm audit --audit-level=moderate
+npm run typecheck
+npm run build
+npm run verify:pack
+npm test
+npm pack --dry-run
+```
+````
+
+- [ ] **Step 3: Stop ignoring tracked `AGENTS.md`**
+
+Change `.gitignore` from:
+
+```gitignore
+# Local session context (not shared)
+.claude/
+.wolf/
+.serena/
+CLAUDE.md
+AGENTS.md
+```
+
+to:
+
+```gitignore
+# Local session context (not shared)
+.claude/
+.wolf/
+.serena/
+CLAUDE.md
+```
+
+- [ ] **Step 4: Run focused tests for new files**
+
+Run:
+
+```bash
+npm test -- tests/test_package_structure.ts
+```
+
+Expected: still FAIL until package metadata, release workflow, and hooks are updated.
+
+---
+
+### Task 3: Update User-Facing Install Docs
+
+**Files:**
+- Modify: `README.md:97-133`
+- Modify: `docs/OPENCODE_INSTALL.md`
+- Modify: `wiki/Installation.md`
+
+- [ ] **Step 1: Replace README install and quick start flow**
+
+Replace `README.md` lines 97-133 with:
+
+````md
+## Installation
+
+Recommended: add Auto Research to the `plugin` array in your global or project-level `opencode.json`:
+
+```json
+{
+  "plugin": ["opencode-autoresearch"]
+}
+```
+
+Restart OpenCode, then run the setup wizard:
+
+```text
+/autoresearch
+```
+
+If you also want the CLI available on your shell `PATH`, install the npm package globally:
+
+```bash
+npm install -g opencode-autoresearch
+opencode-autoresearch doctor
+```
+
+For one-time CLI use without a global install:
+
+```bash
+npx opencode-autoresearch doctor
+```
+
+See [`.opencode/INSTALL.md`](.opencode/INSTALL.md) for detailed OpenCode install, update, and troubleshooting notes.
+
+## Quick Start
+
+```bash
+# 1. Add the plugin to opencode.json
+# { "plugin": ["opencode-autoresearch"] }
+
+# 2. Restart OpenCode
+
+# 3. Navigate to your project
+cd ~/Projects/my-project
+
+# 4. Start Auto Research in OpenCode
+/autoresearch
+```
+````
+
+- [ ] **Step 2: Replace `docs/OPENCODE_INSTALL.md`**
+
+Replace the file with content that includes the same primary plugin install, optional global CLI install, commands list, runtime artifacts table, update notes, and uninstall command:
+
+````md
+# OpenCode Install
+
+## Recommended: OpenCode Plugin Install
+
+Add Auto Research to the `plugin` array in your global or project-level `opencode.json`:
+
+```json
+{
+  "plugin": ["opencode-autoresearch"]
+}
+```
+
+Restart OpenCode. OpenCode installs npm plugins automatically at startup.
+
+## Verify Installation
+
+Start the setup wizard inside OpenCode:
+
+```text
+/autoresearch
+```
+
+## Optional: Global CLI Install
+
+
+```bash
+npm install -g opencode-autoresearch
+opencode-autoresearch doctor
+```
+
+For one-time CLI use:
+
+```bash
+npx opencode-autoresearch doctor
+```
+
+## OpenCode Commands
+
+| Command | Purpose |
+| --- | --- |
+| `/autoresearch` | Run the main improve-verify loop |
+| `/autoresearch:plan` | Planning workflow |
+| `/autoresearch:debug` | Debugging workflow |
+| `/autoresearch:fix` | Fix workflow |
+| `/autoresearch:learn` | Learning workflow |
+| `/autoresearch:predict` | Prediction workflow |
+| `/autoresearch:scenario` | Scenario expansion |
+| `/autoresearch:security` | Security review |
+| `/autoresearch:ship` | Ship-readiness workflow |
+
+## Runtime Artifacts
+
+Artifacts are stored under the working directory:
+
+| Artifact | Purpose |
+| --- | --- |
+| `.autoresearch/state.json` | Current run state |
+| `.autoresearch/launch.json` | Background launch manifest |
+| `autoresearch-results.tsv` | Iteration log |
+| `autoresearch-report.md` | End-of-run report |
+| `autoresearch-memory.md` | Reusable memory |
+
+## Updating
+
+Restart OpenCode after a new Auto Research package release is available. To pin a version:
+
+```json
+{
+  "plugin": ["opencode-autoresearch@3.3.2"]
+}
+```
+
+## Troubleshooting
+
+### Plugin not loading
+
+1. Verify `opencode.json` uses `"plugin": ["opencode-autoresearch"]`.
+2. Restart OpenCode after editing config.
+3. Check logs with `opencode run --print-logs "hello"`.
+
+### CLI not found
+
+1. Run `npm install -g opencode-autoresearch`.
+2. Verify your npm global bin directory is on `PATH`.
+3. Run `opencode-autoresearch doctor`.
+
+## Uninstall CLI
+
+```bash
+npm uninstall -g opencode-autoresearch
+```
+````
+
+- [ ] **Step 3: Replace `wiki/Installation.md`**
+
+Replace the file with a shorter mirror of the same flow:
+
+````md
+# Installation
+
+## Recommended: OpenCode Plugin Install
+
+Add Auto Research to the `plugin` array in your global or project-level `opencode.json`:
+
+```json
+{
+  "plugin": ["opencode-autoresearch"]
+}
+```
+
+Restart OpenCode, then run:
+
+```text
+/autoresearch
+```
+
+## Optional CLI Install
+
+```bash
+npm install -g opencode-autoresearch
+opencode-autoresearch doctor
+```
+
+## OpenCode Commands
+
+- `/autoresearch` — Default improve-verify loop
+- `/autoresearch:plan` — Planning workflow
+- `/autoresearch:debug` — Debugging workflow
+- `/autoresearch:fix` — Fix workflow
+- `/autoresearch:learn` — Learning workflow
+- `/autoresearch:predict` — Prediction workflow
+- `/autoresearch:scenario` — Scenario expansion
+- `/autoresearch:security` — Security review
+- `/autoresearch:ship` — Ship-readiness workflow
+
+## CLI Commands
+
+```bash
+autoresearch init --goal "Improve reliability" --metric failures --direction lower --verify "npm test"
+autoresearch status
+autoresearch stop
+autoresearch resume
+autoresearch complete
+```
+
+## Runtime Artifacts
+
+- `.autoresearch/state.json` — Current run state
+- `.autoresearch/launch.json` — Background launch manifest
+- `autoresearch-results.tsv` — Iteration log
+- `autoresearch-report.md` — End-of-run report
+- `autoresearch-memory.md` — Reusable memory
+
+See [docs/OPENCODE_INSTALL.md](docs/OPENCODE_INSTALL.md) and [`.opencode/INSTALL.md`](.opencode/INSTALL.md) for full install details.
+````
+
+- [ ] **Step 4: Run focused docs tests**
+
+Run:
+
+```bash
+npm test -- tests/test_package_structure.ts
+```
+
+Expected: still FAIL until package metadata, release workflow, and hooks are updated.
+
+---
+
+### Task 4: Harden Shell Hooks
+
+**Files:**
+- Modify: `hooks/status.sh`
+- Modify: `hooks/stop.sh`
+
+- [ ] **Step 1: Replace `hooks/status.sh` with env-safe Node input**
+
+Use this content:
+
+```sh
+#!/bin/sh
+# Status hook for Auto Research
+# Prints current run status from the state file.
+
+set -e
+
+STATUS_FILE="${AUTORESEARCH_STATE:-.autoresearch/state.json}"
+
+if [ -f "$STATUS_FILE" ]; then
+  AUTORESEARCH_STATUS_FILE="$STATUS_FILE" node --input-type=module -e '
+    import { readFileSync } from "fs";
+    const statusFile = process.env.AUTORESEARCH_STATUS_FILE;
+    if (!statusFile) throw new Error("Missing AUTORESEARCH_STATUS_FILE");
+    const s = JSON.parse(readFileSync(statusFile, "utf8"));
+    console.log("Auto Research run: " + s.run_id);
+    console.log("Status: " + s.status);
+    console.log("Mode: " + s.mode);
+    console.log("Goal: " + s.goal);
+    console.log("Iterations: " + s.stats.total_iterations);
+    console.log("Kept: " + s.stats.kept + " | Discarded: " + s.stats.discarded);
+    if (s.flags.needs_human) console.log("NEEDS HUMAN");
+    if (s.flags.stop_requested) console.log("STOP REQUESTED");
+  ' 2>/dev/null || echo "No active run."
+else
+  echo "No active run."
+fi
+```
+
+- [ ] **Step 2: Replace `hooks/stop.sh` with env-safe Node input**
+
+Use this content:
+
+```sh
+#!/bin/sh
+# Stop hook for Auto Research
+# Marks the background run as stopping if one is active.
+
+set -e
+
+STATUS_FILE="${AUTORESEARCH_STATE:-.autoresearch/state.json}"
+
+if [ -f "$STATUS_FILE" ]; then
+  mode=$(AUTORESEARCH_STATUS_FILE="$STATUS_FILE" node --input-type=module -e '
+    import { readFileSync } from "fs";
+    const statusFile = process.env.AUTORESEARCH_STATUS_FILE;
+    if (!statusFile) throw new Error("Missing AUTORESEARCH_STATUS_FILE");
+    const s = JSON.parse(readFileSync(statusFile, "utf8"));
+    console.log(s.mode || "");
+  ' 2>/dev/null || true)
+  if [ "$mode" = "background" ]; then
+    AUTORESEARCH_STATUS_FILE="$STATUS_FILE" node --input-type=module -e '
+      import { readFileSync, writeFileSync } from "fs";
+      const statusFile = process.env.AUTORESEARCH_STATUS_FILE;
+      if (!statusFile) throw new Error("Missing AUTORESEARCH_STATUS_FILE");
+      const s = JSON.parse(readFileSync(statusFile, "utf8"));
+      s.updated_at = new Date().toISOString();
+      s.flags.stop_requested = true;
+      s.flags.background_active = false;
+      s.status = "stopping";
+      writeFileSync(statusFile, JSON.stringify(s, null, 2) + "\n");
+      console.log("Stop requested for run: " + s.run_id);
+    ' 2>/dev/null || echo "Could not update state."
+  else
+    echo "Only background runs can be stopped."
+  fi
+else
+  echo "No active run."
+fi
+```
+
+- [ ] **Step 3: Run focused hook tests**
+
+Run:
+
+```bash
+npm test -- tests/test_package_structure.ts
+```
+
+Expected: hook interpolation assertion passes; remaining failures are package/version/release metadata.
+
+---
+
+### Task 5: Align Package, Version, Verifier, and Release Workflow
+
+**Files:**
+- Modify: `VERSION`
+- Modify: `package.json`
+- Modify: `package-lock.json`
+- Modify: `src/constants.ts`
+- Modify: `.opencode-plugin/plugin.json`
+- Modify: `hooks/verify-package.sh`
+- Modify: `.github/workflows/release.yml`
+
+- [ ] **Step 1: Bump npm metadata without tagging**
+
+Run:
+
+```bash
+npm version 3.3.2 --no-git-tag-version
+```
+
+Expected: `package.json` and `package-lock.json` versions become `3.3.2` with no git tag created.
+
+- [ ] **Step 2: Align manual version surfaces**
+
+Set `VERSION` to:
+
+```text
+3.3.2
+```
+
+Set `src/constants.ts` line 1 to:
+
+```ts
+export const VERSION = "3.3.2";
+```
+
+Set `.opencode-plugin/plugin.json` version to:
+
+```json
+"version": "3.3.2"
+```
+
+- [ ] **Step 3: Include `.opencode` in package files**
+
+Update `package.json` `files` to include `.opencode` near `.opencode-plugin`:
+
+```json
+  "files": [
+    "dist",
+    "hooks",
+    "commands",
+    "skills",
+    "plugins",
+    "docs",
+    ".opencode",
+    ".opencode-plugin",
+    "AGENTS.md",
+    "VERSION",
+    "README.md",
+    "LICENSE"
+  ]
+```
+
+- [ ] **Step 4: Update package verifier allowlist and required files**
+
+Change `hooks/verify-package.sh` allowlist and required files to:
+
+```js
+const allowedRoots = new Set(["dist", "hooks", "commands", "skills", "plugins", "docs", ".opencode", ".opencode-plugin"]);
+const allowedFiles = new Set(["package.json", "README.md", "LICENSE", "AGENTS.md", "VERSION"]);
+const requiredFiles = [
+  ".opencode/INSTALL.md",
+  ".opencode-plugin/plugin.json",
+  "AGENTS.md",
+  "hooks/init.sh",
+  "skills/autoresearch/SKILL.md",
+  "commands/autoresearch.md",
+];
+```
+
+- [ ] **Step 5: Add the release test gate**
+
+Add this step to `.github/workflows/release.yml` after package verification and before extracting the changelog:
+
+```yaml
+      - name: Test
+        run: npm test
+```
+
+- [ ] **Step 6: Rebuild and run focused tests**
+
+Run:
+
+```bash
+npm run build
+npm test -- tests/test_package_structure.ts tests/test_constants.ts
+```
+
+Expected: PASS.
+
+---
+
+### Task 6: Update Release and Architecture Documentation
+
+**Files:**
+- Modify: `CHANGELOG.md`
+- Modify: `docs/ARCHITECTURE.md`
+- Modify: `docs/RELEASE.md`
+
+- [ ] **Step 1: Add changelog entry**
+
+Insert this section above `## [3.3.1]` in `CHANGELOG.md`:
+
+```md
+## [3.3.2] - 2026-05-03
+
+### Added
+- **OpenCode install guide**: Added `.opencode/INSTALL.md` with native `opencode.json` plugin installation, CLI alternative, update notes, and troubleshooting.
+- **Agent guide**: Added tracked `AGENTS.md` with repository-specific development, security, and verification rules.
+
+### Changed
+- **Installation docs**: Updated README, docs, and wiki install instructions to recommend OpenCode's native npm plugin flow first.
+- **Release pipeline**: Added the missing `npm test` gate to the release workflow and aligned release docs with trusted npm publishing.
+- **Package verification**: Required `.opencode/INSTALL.md` and `AGENTS.md` in package dry-run validation.
+
+### Fixed
+- **Hook hardening**: Passed `AUTORESEARCH_STATE` into inline Node scripts through environment variables instead of interpolating it into JavaScript source.
+- **Version references**: Aligned architecture and release docs for v3.3.2.
+```
+
+- [ ] **Step 2: Update architecture version and package layout**
+
+In `docs/ARCHITECTURE.md`, change the current reference line to:
+
+```md
+> Current reference for v3.3.2.
+```
+
+In the package layout block, add:
+
+```text
+.opencode/INSTALL.md         # OpenCode native plugin install guide
+AGENTS.md                    # Repository-specific agent guide
+```
+
+- [ ] **Step 3: Update release process doc**
+
+In `docs/RELEASE.md`, align version examples to `3.3.2`, list `.opencode/INSTALL.md` in package contents, and make the version alignment sentence read:
+
+```md
+`VERSION`, `package.json`, `package-lock.json`, `src/constants.ts`, and `.opencode-plugin/plugin.json` must all stay aligned. The `VERSION` file is the canonical source of truth.
+```
+
+Update automated release bullets to include:
+
+```md
+1. Build and type-check
+2. Verify package contents
+3. Run tests
+4. Create a GitHub Release with the CHANGELOG section
+5. Publish to npm with provenance through trusted publishing
+```
+
+- [ ] **Step 4: Run docs-focused tests**
+
+Run:
+
+```bash
+npm test -- tests/test_package_structure.ts
+```
+
+Expected: PASS.
+
+---
+
+### Task 7: Full Verification and Release Readiness Report
+
+**Files:**
+- No edits unless a verification command exposes a real defect.
+
+- [ ] **Step 1: Run dependency audit**
+
+Run:
+
+```bash
+npm audit --audit-level=moderate
+```
+
+Expected: `found 0 vulnerabilities`.
+
+- [ ] **Step 2: Run typecheck**
+
+Run:
+
+```bash
+npm run typecheck
+```
+
+Expected: exit code 0.
+
+- [ ] **Step 3: Run build**
+
+Run:
+
+```bash
+npm run build
+```
+
+Expected: exit code 0 and `dist/` regenerated.
+
+- [ ] **Step 4: Run package verification**
+
+Run:
+
+```bash
+npm run verify:pack
+```
+
+Expected: `Package dry-run verified ... files` and no allowlist violations.
+
+- [ ] **Step 5: Run full test suite**
+
+Run:
+
+```bash
+npm test
+```
+
+Expected: all Jest suites pass.
+
+- [ ] **Step 6: Preview package contents**
+
+Run:
+
+```bash
+npm pack --dry-run
+```
+
+Expected: package contents include `.opencode/INSTALL.md`, `AGENTS.md`, `README.md`, `VERSION`, `.opencode-plugin/plugin.json`, `commands/`, `skills/`, `hooks/`, `plugins/`, and `docs/`; package contents do not include `.autoresearch/`, `.claude/`, `.wolf/`, `.serena/`, `CLAUDE.md`, or `node_modules/`.
+
+- [ ] **Step 7: Report release boundary**
+
+Report the changed files, verification results, and remaining release actions. State that commit, tag, push, GitHub release creation, and npm publish were not performed because they require explicit user approval.