opencode-codegraph 0.1.0

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "opencode-codegraph",
+  "version": "0.1.0",
+  "description": "OpenCode plugin for CodeGraph CPG-powered code analysis",
+  "type": "module",
+  "main": "src/index.ts",
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "files": [
+    "src"
+  ],
+  "scripts": {
+    "typecheck": "tsc --noEmit",
+    "build": "tsc"
+  },
+  "keywords": [
+    "opencode",
+    "codegraph",
+    "cpg",
+    "code-analysis",
+    "security"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "@opencode-ai/plugin": "^1.2.22"
+  },
+  "devDependencies": {
+    "typescript": "^5.8.0",
+    "@types/node": "^22.0.0"
+  },
+  "peerDependencies": {
+    "@opencode-ai/plugin": ">=1.2.0"
+  }
+}

package/src/api.ts

@@ -0,0 +1,265 @@
+/**
+ * CodeGraph REST API client for the OpenCode plugin.
+ *
+ * Communicates with the CodeGraph API server (default: http://localhost:8000)
+ * to retrieve CPG data, trigger updates, and run analysis.
+ */
+
+export class CodeGraphAPI {
+  private baseUrl: string
+
+  constructor(baseUrl: string) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "")
+  }
+
+  /**
+   * Get project summary for system prompt injection.
+   * Returns a markdown block with file count, top hotspots, and open security findings.
+   */
+  async getProjectSummary(projectId: string): Promise<string | null> {
+    const params = projectId ? `?project_id=${encodeURIComponent(projectId)}` : ""
+
+    // Fetch multiple endpoints in parallel
+    const [statsRes, findingsRes] = await Promise.allSettled([
+      this.fetch(`/api/v1/cpg/stats${params}`),
+      this.fetch(`/api/v1/cpg/pattern-results${params}&category=security&limit=10`),
+    ])
+
+    const stats =
+      statsRes.status === "fulfilled" ? statsRes.value : null
+    const findings =
+      findingsRes.status === "fulfilled" ? findingsRes.value : null
+
+    if (!stats && !findings) return null
+
+    const lines: string[] = [
+      "## CodeGraph CPG Context",
+      "",
+    ]
+
+    if (stats) {
+      lines.push(
+        `- **Files**: ${stats.total_files ?? "?"}`,
+        `- **Methods**: ${stats.total_methods ?? "?"}`,
+        `- **Security findings**: ${stats.security_findings ?? "?"}`,
+      )
+      if (stats.top_complex_methods?.length) {
+        lines.push("", "### Top complex methods")
+        for (const m of stats.top_complex_methods.slice(0, 5)) {
+          lines.push(`- \`${m.name}\` (CC=${m.cyclomatic_complexity}, fan_in=${m.fan_in})`)
+        }
+      }
+    }
+
+    if (findings?.results?.length) {
+      lines.push("", "### Open security findings")
+      for (const f of findings.results.slice(0, 5)) {
+        lines.push(`- **${f.rule_id}**: ${f.message} (${f.filename}:${f.line})`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Get CPG context for a specific file.
+   * Returns markdown with methods, callers, complexity, and security findings.
+   */
+  async getFileCPGContext(projectId: string, filePath: string): Promise<string | null> {
+    const params = new URLSearchParams()
+    if (projectId) params.set("project_id", projectId)
+    params.set("filename", filePath)
+
+    const [methodsRes, findingsRes] = await Promise.allSettled([
+      this.fetch(`/api/v1/cpg/methods?${params}`),
+      this.fetch(`/api/v1/cpg/pattern-results?${params}&category=security`),
+    ])
+
+    const methods =
+      methodsRes.status === "fulfilled" ? methodsRes.value : null
+    const findings =
+      findingsRes.status === "fulfilled" ? findingsRes.value : null
+
+    if (!methods?.results?.length && !findings?.results?.length) return null
+
+    const lines: string[] = [
+      `### CPG context: \`${filePath}\``,
+      "",
+    ]
+
+    if (methods?.results?.length) {
+      lines.push(`**${methods.results.length} methods** in file:`)
+      for (const m of methods.results.slice(0, 15)) {
+        const flags: string[] = []
+        if (m.is_entry_point) flags.push("entry")
+        if (m.is_external) flags.push("external")
+        if (m.fan_in === 0 && !m.is_entry_point && !m.is_external && !m.is_test) flags.push("DEAD")
+        const flagStr = flags.length ? ` [${flags.join(", ")}]` : ""
+        lines.push(
+          `- \`${m.name}\` CC=${m.cyclomatic_complexity} fan_in=${m.fan_in} fan_out=${m.fan_out}${flagStr}`,
+        )
+      }
+    }
+
+    if (findings?.results?.length) {
+      lines.push("", `**${findings.results.length} security findings:**`)
+      for (const f of findings.results.slice(0, 10)) {
+        lines.push(`- **${f.rule_id}** L${f.line}: ${f.message}`)
+      }
+    }
+
+    return lines.join("\n")
+  }
+
+  /**
+   * Trigger incremental CPG update after a git commit.
+   */
+  async triggerIncrementalUpdate(projectId: string, directory: string): Promise<void> {
+    await this.fetch("/api/v1/webhooks/local", {
+      method: "POST",
+      body: JSON.stringify({
+        event_type: "push",
+        project_id: projectId,
+        directory,
+      }),
+    })
+  }
+
+  /**
+   * Review code changes using CodeGraph analysis.
+   */
+  async reviewChanges(projectId: string, diff: string, baseRef: string): Promise<string> {
+    try {
+      const result = await this.fetch("/api/v1/review", {
+        method: "POST",
+        body: JSON.stringify({
+          project_id: projectId,
+          diff,
+          base_ref: baseRef,
+        }),
+      })
+
+      if (!result) return "CodeGraph review: no results."
+
+      const lines: string[] = ["## CodeGraph Review Results", ""]
+
+      if (result.security_findings?.length) {
+        lines.push(`### Security (${result.security_findings.length} findings)`)
+        for (const f of result.security_findings) {
+          lines.push(`- **${f.rule_id}**: ${f.message} (${f.filename}:${f.line})`)
+        }
+        lines.push("")
+      }
+
+      if (result.impact_analysis) {
+        lines.push("### Impact Analysis")
+        lines.push(`- Affected methods: ${result.impact_analysis.affected_methods ?? 0}`)
+        lines.push(`- Affected callers: ${result.impact_analysis.affected_callers ?? 0}`)
+        if (result.impact_analysis.taint_paths?.length) {
+          lines.push(`- Taint paths: ${result.impact_analysis.taint_paths.length}`)
+        }
+        lines.push("")
+      }
+
+      if (result.complexity_changes?.length) {
+        lines.push("### Complexity Changes")
+        for (const c of result.complexity_changes) {
+          const delta = c.new_cc - c.old_cc
+          const sign = delta > 0 ? "+" : ""
+          lines.push(`- \`${c.method}\`: ${c.old_cc} -> ${c.new_cc} (${sign}${delta})`)
+        }
+      }
+
+      return lines.length > 2 ? lines.join("\n") : "CodeGraph review: no issues found."
+    } catch {
+      return "CodeGraph review: API not available. Run `codegraph-api` first."
+    }
+  }
+
+  /**
+   * Explain a function using CPG data.
+   */
+  async explainFunction(projectId: string, functionName: string): Promise<string> {
+    try {
+      const params = new URLSearchParams({ name: functionName })
+      if (projectId) params.set("project_id", projectId)
+
+      const result = await this.fetch(`/api/v1/cpg/method-detail?${params}`)
+      if (!result) return `Function '${functionName}' not found in CPG.`
+
+      const lines: string[] = [
+        `## \`${result.name}\``,
+        "",
+        `| Metric | Value |`,
+        `|--------|-------|`,
+        `| File | \`${result.filename}\` |`,
+        `| Line | ${result.line_number} |`,
+        `| Cyclomatic complexity | ${result.cyclomatic_complexity} |`,
+        `| Fan-in (callers) | ${result.fan_in} |`,
+        `| Fan-out (callees) | ${result.fan_out} |`,
+        `| LOC | ${result.loc} |`,
+        `| Parameters | ${result.parameters} |`,
+        `| Entry point | ${result.is_entry_point ? "Yes" : "No"} |`,
+        `| External | ${result.is_external ? "Yes" : "No"} |`,
+      ]
+
+      if (result.callers?.length) {
+        lines.push("", "### Callers")
+        for (const c of result.callers.slice(0, 20)) {
+          lines.push(`- \`${c.caller_name}\` (${c.caller_filename}:${c.caller_line})`)
+        }
+      }
+
+      if (result.callees?.length) {
+        lines.push("", "### Callees")
+        for (const c of result.callees.slice(0, 20)) {
+          lines.push(`- \`${c.callee_name}\` (${c.callee_filename}:${c.callee_line})`)
+        }
+      }
+
+      if (result.security_findings?.length) {
+        lines.push("", "### Security Findings")
+        for (const f of result.security_findings) {
+          lines.push(`- **${f.rule_id}**: ${f.message}`)
+        }
+      }
+
+      if (result.taint_paths?.length) {
+        lines.push("", "### Taint Paths")
+        for (const t of result.taint_paths.slice(0, 5)) {
+          lines.push(`- ${t.source} -> ${t.sink} (${t.path_length} hops)`)
+        }
+      }
+
+      return lines.join("\n")
+    } catch {
+      return `CodeGraph: API not available. Run \`codegraph-api\` first.`
+    }
+  }
+
+  // -------------------------------------------------------------------
+  // Private helpers
+  // -------------------------------------------------------------------
+
+  private async fetch(path: string, init?: RequestInit): Promise<any> {
+    const url = `${this.baseUrl}${path}`
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      ...(init?.headers as Record<string, string> | undefined),
+    }
+
+    const response = await globalThis.fetch(url, {
+      ...init,
+      headers,
+    })
+
+    if (!response.ok) {
+      throw new Error(`CodeGraph API ${response.status}: ${response.statusText}`)
+    }
+
+    const text = await response.text()
+    if (!text) return null
+
+    return JSON.parse(text)
+  }
+}

package/src/index.ts

@@ -0,0 +1,137 @@
+/**
+ * OpenCode plugin for CodeGraph CPG-powered code analysis.
+ *
+ * Provides:
+ * - Auto-enrichment of chat messages with CPG context for mentioned files
+ * - System prompt injection with project summary (hotspots, security findings)
+ * - Post-commit CPG incremental update trigger
+ * - Custom tools: codegraph_review, codegraph_explain_function
+ * - Auto-allow for codegraph_* MCP tools
+ * - Toast notifications on CPG update completion
+ */
+
+import type { Plugin } from "@opencode-ai/plugin"
+import { tool } from "@opencode-ai/plugin/tool"
+
+import { CodeGraphAPI } from "./api"
+import { extractFileRefs, isGitCommit } from "./util"
+
+const codegraphPlugin: Plugin = async (input) => {
+  const { client, directory, $ } = input
+
+  // Detect CodeGraph API URL from environment or default
+  const apiUrl = process.env.CODEGRAPH_API_URL || "http://localhost:8000"
+  const api = new CodeGraphAPI(apiUrl)
+
+  // Detect project ID from environment or opencode.json
+  const projectId = process.env.CODEGRAPH_PROJECT || ""
+
+  return {
+    // -----------------------------------------------------------------
+    // 1. System prompt: inject CPG project summary
+    // -----------------------------------------------------------------
+    "experimental.chat.system.transform": async (_inp, output) => {
+      try {
+        const summary = await api.getProjectSummary(projectId)
+        if (summary) {
+          output.system.push(summary)
+        }
+      } catch {
+        // CodeGraph API not available — skip silently
+      }
+    },
+
+    // -----------------------------------------------------------------
+    // 2. Chat message: auto-enrich with CPG context for mentioned files
+    // -----------------------------------------------------------------
+    "chat.message": async (_inp, output) => {
+      const files = extractFileRefs(output.parts)
+      if (files.length === 0) return
+
+      try {
+        for (const file of files.slice(0, 5)) {
+          const context = await api.getFileCPGContext(projectId, file)
+          if (context) {
+            output.parts.push({
+              type: "text",
+              text: context,
+            })
+          }
+        }
+      } catch {
+        // CodeGraph API not available — skip silently
+      }
+    },
+
+    // -----------------------------------------------------------------
+    // 3. Post-commit: trigger incremental CPG update
+    // -----------------------------------------------------------------
+    "tool.execute.after": async (inp, output) => {
+      if (inp.tool !== "bash") return
+      if (!isGitCommit(output.output)) return
+
+      try {
+        await api.triggerIncrementalUpdate(projectId, directory)
+        // Notify user via output metadata (visible in OpenCode UI)
+        output.title = "CodeGraph: CPG update triggered"
+        output.metadata = {
+          ...output.metadata,
+          codegraph_cpg_update: "triggered",
+        }
+      } catch {
+        // Best-effort — don't break the workflow
+      }
+    },
+
+    // -----------------------------------------------------------------
+    // 4. Custom tools
+    // -----------------------------------------------------------------
+    tool: {
+      codegraph_review: tool({
+        description:
+          "Run CodeGraph security + impact analysis on current changes. " +
+          "Analyzes git diff using CPG call graph, taint analysis, and pattern matching.",
+        args: {
+          base_ref: tool.schema
+            .string()
+            .optional()
+            .describe("Base git ref to compare against (default: HEAD~1)"),
+        },
+        async execute(args) {
+          const baseRef = args.base_ref || "HEAD~1"
+          const diff = await $`git diff ${baseRef}`.quiet().text()
+          if (!diff.trim()) {
+            return "No changes found."
+          }
+
+          const result = await api.reviewChanges(projectId, diff, baseRef)
+          return result
+        },
+      }),
+
+      codegraph_explain_function: tool({
+        description:
+          "Deep analysis of a function using CPG. Shows callers, callees, " +
+          "complexity, taint paths, and security findings.",
+        args: {
+          name: tool.schema.string().describe("Function or method name to analyze"),
+        },
+        async execute(args) {
+          const result = await api.explainFunction(projectId, args.name)
+          return result
+        },
+      }),
+    },
+
+    // -----------------------------------------------------------------
+    // 5. Permissions: auto-allow codegraph_* MCP tools
+    // -----------------------------------------------------------------
+    "permission.ask": async (inp, output) => {
+      if (inp.tool?.startsWith("codegraph_")) {
+        output.status = "allow"
+      }
+    },
+  }
+}
+
+export default codegraphPlugin

package/src/util.ts

@@ -0,0 +1,97 @@
+/**
+ * Utility functions for the CodeGraph OpenCode plugin.
+ */
+
+/**
+ * Extract file references from message parts.
+ * Looks for file paths in text parts (e.g., `src/api/main.py`, @filename patterns).
+ */
+export function extractFileRefs(parts: Array<{ type: string; text?: string }>): string[] {
+  const files: string[] = []
+  const seen = new Set<string>()
+
+  // Common file path patterns
+  const patterns = [
+    // Explicit @file references (OpenCode convention)
+    /(?<!\w)@(\.?[\w/\\.-]+\.\w+)/g,
+    // Backtick-quoted paths
+    /`([\w/\\.-]+\.\w{1,10})`/g,
+    // Common source file patterns in plain text
+    /\b((?:src|lib|app|tests?|pkg|cmd|internal)\/[\w/\\.-]+\.\w{1,10})\b/g,
+  ]
+
+  for (const part of parts) {
+    if (part.type !== "text" || !part.text) continue
+
+    for (const pattern of patterns) {
+      // Reset lastIndex for global regex
+      pattern.lastIndex = 0
+      let match
+      while ((match = pattern.exec(part.text)) !== null) {
+        const file = match[1]
+        if (file && !seen.has(file) && isSourceFile(file)) {
+          seen.add(file)
+          files.push(file)
+        }
+      }
+    }
+  }
+
+  return files
+}
+
+/**
+ * Check if a shell command output indicates a git commit was made.
+ */
+export function isGitCommit(output: string): boolean {
+  if (!output) return false
+
+  // Common git commit success patterns
+  return (
+    /\[[\w/.-]+\s+[a-f0-9]+\]/.test(output) || // [main abc1234] commit message
+    /^\s*create mode/m.test(output) || // create mode 100644
+    /^\s*\d+ files? changed/m.test(output) // 3 files changed, 42 insertions
+  )
+}
+
+// File extensions recognized as source code
+const SOURCE_EXTENSIONS = new Set([
+  "py",
+  "go",
+  "js",
+  "ts",
+  "jsx",
+  "tsx",
+  "java",
+  "kt",
+  "kts",
+  "c",
+  "h",
+  "cpp",
+  "hpp",
+  "cc",
+  "cxx",
+  "cs",
+  "php",
+  "rb",
+  "rs",
+  "swift",
+  "sql",
+  "yaml",
+  "yml",
+  "json",
+  "toml",
+  "xml",
+  "html",
+  "css",
+  "scss",
+  "md",
+  "proto",
+  "graphql",
+  "gql",
+])
+
+function isSourceFile(path: string): boolean {
+  const ext = path.split(".").pop()?.toLowerCase()
+  return ext ? SOURCE_EXTENSIONS.has(ext) : false
+}