opencode-autoresearch 3.3.1 → 3.4.1
- package/.opencode/INSTALL.md +85 -0
- package/.opencode-plugin/plugin.json +2 -2
- package/AGENTS.md +44 -0
- package/INSTALL.md +275 -0
- package/README.md +122 -34
- package/VERSION +1 -1
- package/dist/constants.d.ts +1 -1
- package/dist/constants.js +1 -1
- package/dist/index.d.ts +18 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +46 -1
- package/dist/index.js.map +1 -1
- package/dist/wizard.d.ts.map +1 -1
- package/dist/wizard.js +4 -3
- package/dist/wizard.js.map +1 -1
- package/docs/ARCHITECTURE.md +53 -9
- package/docs/OPENCODE_INSTALL.md +80 -19
- package/docs/QUICKSTART.md +42 -0
- package/docs/RELEASE.md +16 -15
- package/hooks/status.sh +14 -12
- package/hooks/stop.sh +47 -13
- package/hooks/verify-package.sh +36 -3
- package/package.json +24 -5
- package/plugins/autoresearch.ts +2 -8
- package/skills/hermes/INTEGRATION.md +156 -0
- package/skills/hermes/README.md +159 -0
- package/skills/hermes/autoresearch-prompt.md +270 -0
- package/docs/superpowers/plans/2026-05-03-install-release-security.md +0 -855
- package/docs/superpowers/specs/2026-05-03-install-release-security-design.md +0 -80
|
@@ -1,80 +0,0 @@
|
|
|
1
|
-
# Install, Release, and Security Update Design
|
|
2
|
-
|
|
3
|
-
## Goal
|
|
4
|
-
|
|
5
|
-
Prepare Auto Research for the next patch release by adding a native OpenCode install guide, aligning release/package documentation, and fixing security issues found during the audit.
|
|
6
|
-
|
|
7
|
-
## Current Context
|
|
8
|
-
|
|
9
|
-
Auto Research is distributed as the `opencode-autoresearch` npm package and exposes an OpenCode plugin surface through `.opencode-plugin/plugin.json`, `plugins/autoresearch.ts`, `commands/`, `skills/`, and `hooks/`. The repo already documents npm global installation, but it does not provide a repo-level `.opencode/INSTALL.md` like the Superpowers OpenCode guide.
|
|
10
|
-
|
|
11
|
-
The audit found these release-readiness issues:
|
|
12
|
-
|
|
13
|
-
- `AGENTS.md` is ignored and absent, but package metadata and release docs reference it.
|
|
14
|
-
- `docs/ARCHITECTURE.md` still says the current reference is v3.3.0 while released metadata is v3.3.1.
|
|
15
|
-
- `docs/RELEASE.md` says CI runs tests, but `.github/workflows/release.yml` currently runs build, typecheck, and package verification only.
|
|
16
|
-
- `hooks/status.sh` and `hooks/stop.sh` interpolate `AUTORESEARCH_STATE` directly into inline JavaScript, which can break the JavaScript string if the environment variable contains quotes.
|
|
17
|
-
- Dependencies are clean: `npm audit --audit-level=moderate` found 0 vulnerabilities and `npm outdated` reported no outdated packages.
|
|
18
|
-
|
|
19
|
-
## Approach
|
|
20
|
-
|
|
21
|
-
Use both supported install paths:
|
|
22
|
-
|
|
23
|
-
- Primary: OpenCode native plugin install through `opencode.json` using the npm package name.
|
|
24
|
-
- Alternative: npm global CLI install for users who want the `autoresearch` and `opencode-autoresearch` commands on `PATH`.
|
|
25
|
-
|
|
26
|
-
This matches current OpenCode plugin documentation, which supports npm package entries in the `plugin` array and automatically installs them at startup. It also keeps the current npm CLI distribution intact.
|
|
27
|
-
|
|
28
|
-
## Files and Responsibilities
|
|
29
|
-
|
|
30
|
-
- `.opencode/INSTALL.md`: New concise OpenCode install guide modeled after the Superpowers install guide.
|
|
31
|
-
- `README.md`: Main install section should show the OpenCode plugin path first and npm global CLI path second.
|
|
32
|
-
- `docs/OPENCODE_INSTALL.md`: Full install guide should mirror the new install flow and include verification/troubleshooting.
|
|
33
|
-
- `wiki/Installation.md`: Wiki install page should point users to the native plugin path and CLI alternative.
|
|
34
|
-
- `AGENTS.md`: New tracked agent guide with repository-specific working, validation, security, and release rules.
|
|
35
|
-
- `.gitignore`: Stop ignoring tracked `AGENTS.md` while continuing to ignore private local instruction files that should not ship.
|
|
36
|
-
- `package.json`: Include `.opencode/INSTALL.md` in package contents and bump the patch version.
|
|
37
|
-
- `package-lock.json`: Keep npm lock metadata aligned with `package.json`.
|
|
38
|
-
- `.opencode-plugin/plugin.json`: Bump plugin manifest version.
|
|
39
|
-
- `src/constants.ts`: Bump runtime version constant.
|
|
40
|
-
- `VERSION`: Bump canonical version marker.
|
|
41
|
-
- `CHANGELOG.md`: Add the new release entry.
|
|
42
|
-
- `docs/ARCHITECTURE.md`: Align current version and package layout references.
|
|
43
|
-
- `docs/RELEASE.md`: Align release docs with current version surfaces and trusted npm publishing workflow.
|
|
44
|
-
- `.github/workflows/release.yml`: Add `npm test` to match documented release gates.
|
|
45
|
-
- `hooks/status.sh`: Pass state path safely to Node without JavaScript string interpolation.
|
|
46
|
-
- `hooks/stop.sh`: Pass state path safely to Node without JavaScript string interpolation.
|
|
47
|
-
- `hooks/verify-package.sh`: Allow and require `.opencode/INSTALL.md`; keep package allowlist explicit.
|
|
48
|
-
|
|
49
|
-
## Security Design
|
|
50
|
-
|
|
51
|
-
The hook hardening should pass `STATUS_FILE` through Node's `process.env` instead of embedding it in JavaScript source. This prevents an environment value from changing the JavaScript program text and keeps shell quoting simple.
|
|
52
|
-
|
|
53
|
-
The install docs must avoid `curl | sh` and destructive migration commands. They should show an explicit `opencode.json` plugin entry and a separate npm global CLI path.
|
|
54
|
-
|
|
55
|
-
The package verifier remains allowlist-based. Adding `.opencode/INSTALL.md` must be explicit so unexpected files still fail `npm run verify:pack`.
|
|
56
|
-
|
|
57
|
-
## Versioning
|
|
58
|
-
|
|
59
|
-
This is a patch release because it adds install documentation, fixes release packaging metadata, and hardens hooks without changing the command surface or runtime data format.
|
|
60
|
-
|
|
61
|
-
Target version: `3.3.2`.
|
|
62
|
-
|
|
63
|
-
## Verification
|
|
64
|
-
|
|
65
|
-
Run these gates before claiming release readiness:
|
|
66
|
-
|
|
67
|
-
```bash
|
|
68
|
-
npm audit --audit-level=moderate
|
|
69
|
-
npm run typecheck
|
|
70
|
-
npm run build
|
|
71
|
-
npm run verify:pack
|
|
72
|
-
npm test
|
|
73
|
-
npm pack --dry-run
|
|
74
|
-
```
|
|
75
|
-
|
|
76
|
-
Also inspect the package dry-run output enough to confirm `.opencode/INSTALL.md`, `AGENTS.md`, `README.md`, `VERSION`, `.opencode-plugin/plugin.json`, `commands/`, `skills/`, `hooks/`, `plugins/`, and `docs/` are present while `.autoresearch/` and local context files are absent.
|
|
77
|
-
|
|
78
|
-
## Release Boundary
|
|
79
|
-
|
|
80
|
-
This work prepares the repository for release. Creating the git commit, tag, push, GitHub release, or npm publish requires explicit user approval after verification passes.
|
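Review bot: Deleting this spec drops the only written rationale visible here for the hook hardening (the "Security Design" section, old lines 49-55): that `hooks/status.sh` and `hooks/stop.sh` must pass the state path through Node's `process.env` rather than interpolate `AUTORESEARCH_STATE` into inline JavaScript, and that the package verifier stays allowlist-based. Before removing it, confirm that rationale is carried in a file that still ships, such as `AGENTS.md` or `docs/ARCHITECTURE.md`, or as comments in the hooks themselves, so a later edit does not reintroduce the interpolation. Since the verification section (old line 76) expects `docs/` to be present in the package, it is also worth checking that the allowlist in `hooks/verify-package.sh` does not admit `docs/superpowers/` again, so planning documents stay out of the published tarball.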