opencode-goal-mode 0.1.0

package/plugins/goal-guard.js

@@ -0,0 +1,426 @@
+import { createHash } from "node:crypto";
+
+const WRITE_TOOLS = new Set(["edit", "write", "apply_patch"]);
+
+const MUTATING_BASH_PATTERNS = [
+  /(^|&&|;|\|\|)\s*(sudo\s+)?(rm|mv|cp|mkdir|rmdir|touch|ln)\b/i,
+  /(^|&&|;|\|\|)\s*(sudo\s+)?(tee|xargs\s+(rm|mv|cp))\b/i,
+  /(^|&&|;|\|\|)\s*[^|]*\s(>|>>)\s*(?!\/dev\/null\b)\S+/i,
+  /(^|&&|;|\|\|)\s*(perl\s+-pi|sed\s+-i)\b/i,
+  /(^|&&|;|\|\|)\s*(npm|pnpm|yarn|bun)\s+(install|ci|add|remove|update)\b/i,
+  /(^|&&|;|\|\|)\s*(npm|pnpm|yarn|bun)\s+(run\s+)?(format|fix|lint:fix)\b/i,
+  /\b((npx|pnpm\s+exec|yarn)\s+)?(prettier|eslint)\b.*\s(--write|--fix)\b/i,
+  /\b(node|python3?)\b.*\b(writeFile|appendFile|copyFile|rename|unlink|rmSync|mkdir|rmdir|openSync)\b/i,
+];
+
+const REVIEW_AGENTS = new Set([
+  "goal-reviewer",
+  "goal-prompt-auditor",
+  "goal-diff-reviewer",
+  "goal-verifier",
+  "goal-test-reviewer",
+  "goal-security-reviewer",
+  "goal-ux-reviewer",
+  "goal-ops-reviewer",
+  "goal-doc-reviewer",
+  "goal-final-auditor",
+  "goal-api-reviewer",
+  "goal-data-reviewer",
+  "goal-perf-reviewer",
+  "goal-quality-gate",
+]);
+
+const GOAL_AGENTS = new Set([
+  "goal",
+  "goal-implementer",
+  "goal-reviewer",
+  "goal-prompt-auditor",
+  "goal-diff-reviewer",
+  "goal-verifier",
+  "goal-test-reviewer",
+  "goal-security-reviewer",
+  "goal-ux-reviewer",
+  "goal-ops-reviewer",
+  "goal-doc-reviewer",
+  "goal-final-auditor",
+  "goal-deep-researcher",
+  "goal-web-researcher",
+  "goal-architect",
+  "goal-mapper",
+  "goal-planner",
+  "goal-coordinator",
+  "goal-doc-writer",
+  "goal-commentator",
+  "goal-api-reviewer",
+  "goal-data-reviewer",
+  "goal-perf-reviewer",
+  "goal-quality-gate",
+]);
+
+function normalizedAgent(input) {
+  if (!input) return undefined;
+  const agent = String(input.agent || input.args?.subagent_type || "").trim();
+  return agent || undefined;
+}
+
+function createState() {
+  return {
+    active: false,
+    dirty: false,
+    dirtyReasons: [],
+    reviewCycles: 0,
+    lastReviewAt: null,
+    lastEditAt: null,
+    lastVerificationAt: null,
+    verdicts: [],
+    latestVerdict: {},
+    currentAgent: undefined,
+    completedBlocked: 0,
+    verificationSeen: false,
+    lastCompletionRejectAt: null,
+  };
+}
+
+const sessions = new Map();
+const MAX_SESSIONS = 200;
+
+function evictOldestSession() {
+  if (sessions.size < MAX_SESSIONS) return;
+  let oldestKey = null;
+  let oldestTime = Infinity;
+  for (const [key, state] of sessions) {
+    const t = new Date(state.lastEditAt || state.lastReviewAt || 0).getTime();
+    if (t < oldestTime) {
+      oldestTime = t;
+      oldestKey = key;
+    }
+  }
+  if (oldestKey) sessions.delete(oldestKey);
+}
+
+function stateFor(sessionID) {
+  const key = String(sessionID || "default").trim() || "default";
+  if (!sessions.has(key)) {
+    while (sessions.size >= MAX_SESSIONS) evictOldestSession();
+    sessions.set(key, createState());
+  }
+  return sessions.get(key);
+}
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function textOf(output) {
+  const raw = output?.output || output?.text || output?.message || "";
+  if (typeof raw === "string") return raw;
+  if (typeof raw === "object" && raw?.output) return String(raw.output);
+  if (typeof raw === "object" && raw?.text) return String(raw.text);
+  return JSON.stringify(raw || "");
+}
+
+function isPass(text) {
+  return /Verdict:\s*PASS\b/i.test(text);
+}
+
+function isFail(text) {
+  return /Verdict:\s*FAIL\b/i.test(text);
+}
+
+function isVerification(command) {
+  const normalized = String(command || "").trim();
+  return [
+    /\bnpm\s+test\b/,
+    /\bnpm\s+run\s+test\b/,
+    /\bnpm\s+run\s+validate\b/,
+    /\bnpm\s+run\s+check\b/,
+    /\bnpm\s+run\s+lint\b/,
+    /\bnpm\s+run\s+typecheck\b/,
+    /\bnpm\s+run\s+build\b/,
+    /\bnpm\s+run\s+unit\b/,
+    /\bnpm\s+run\s+integration\b/,
+    /\bjest\b/,
+    /\bmocha\b/,
+    /\bvite\s+test\b/,
+    /\bvitest\b/,
+    /\bpnpm\s+test\b/,
+    /\byarn\s+test\b/,
+    /\bbun\s+test\b/,
+    /\bgo\s+test\b/,
+    /\bcargo\s+test\b/,
+    /\bpytest\b/,
+    /\bpython\s+-m\s+pytest\b/,
+    /\bpython\s+-m\s+unittest\b/,
+    /\bphpunit\b/,
+    /\bmake\s+test\b/,
+    /\bmake\s+check\b/,
+    /\bmake\s+validate\b/,
+  ].some((pattern) => pattern.test(normalized));
+}
+
+function looksLikeDestructiveBash(command) {
+  const normalized = String(command || "").trim();
+  return [
+    /(^|&&|;|\|\|)\s*(sudo\s+)?rm\s+-[a-zA-Z]*[rR][a-zA-Z]*[rfRF]?\b/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?rm\s+(--recursive|--force|--recursive\s+--force|-rf|-fr|-r)\b/,
+    /(^|&&|;|\|\|)\s*git\s+reset\b/,
+    /(^|&&|;|\|\|)\s*git\s+clean\b/,
+    /(^|&&|;|\|\|)\s*git\s+checkout\b/,
+    /(^|&&|;|\|\|)\s*git\s+restore\b/,
+    /(^|&&|;|\|\|)\s*git\s+switch\b/,
+    /(^|&&|;|\|\|)\s*git\s+push\b/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?find\b.*\s-delete\b/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?find\b.*\s-exec\s+rm\b/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?dd\b.*\bof=\/dev\//,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?mkfs(\.|\s|$)/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?shred\b/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?truncate\b/,
+    /(^|&&|;|\|\|)\s*(sudo\s+)?chmod\s+-[a-zA-Z]*[rR][a-zA-Z]*[wW][a-zA-Z]*[xX][a-zA-Z]*\s+\/\b/,
+  ].some((pattern) => pattern.test(normalized));
+}
+
+function looksLikeMutatingBash(command) {
+  const normalized = String(command || "").trim();
+  if (!normalized) return false;
+  if (looksLikeDestructiveBash(normalized)) return true;
+  return MUTATING_BASH_PATTERNS.some((pattern) => pattern.test(normalized));
+}
+
+function commandFingerprint(command) {
+  return createHash("sha256").update(String(command || "")).digest("hex").slice(0, 12);
+}
+
+function latestVerdictFor(state, agent) {
+  const entries = state.verdicts.filter((entry) => entry.agent === agent);
+  if (!entries.length) return null;
+  return entries.sort((a, b) => (a.at < b.at ? 1 : a.at > b.at ? -1 : 0))[0];
+}
+
+function recordReviewVerdict(state, agent, verdict, at) {
+  state.verdicts.push({ agent, verdict, at });
+  state.latestVerdict[agent] = { verdict, at };
+  state.lastReviewAt = at;
+  if (agent === "goal-final-auditor") {
+    state.reviewCycles += 1;
+  }
+}
+
+function verdictAfter(state, agent, since) {
+  const latest = latestVerdictFor(state, agent);
+  if (!latest) return false;
+  if (latest.verdict !== "PASS") return false;
+  if (!since) return true;
+  return latest.at >= since;
+}
+
+const BASE_GATES = [
+  "goal-prompt-auditor",
+  "goal-reviewer",
+  "goal-diff-reviewer",
+  "goal-verifier",
+  "goal-final-auditor",
+];
+
+const CONTEXTUAL_GATES = {
+  security: "goal-security-reviewer",
+  permissions: "goal-security-reviewer",
+  auth: "goal-security-reviewer",
+  shell: "goal-security-reviewer",
+  test: "goal-test-reviewer",
+  coverage: "goal-test-reviewer",
+  ops: "goal-ops-reviewer",
+  restart: "goal-ops-reviewer",
+  install: "goal-ops-reviewer",
+  api: "goal-api-reviewer",
+  endpoint: "goal-api-reviewer",
+  schema: "goal-api-reviewer",
+  data: "goal-data-reviewer",
+  database: "goal-data-reviewer",
+  migration: "goal-data-reviewer",
+  performance: "goal-perf-reviewer",
+  latency: "goal-perf-reviewer",
+  quality: "goal-quality-gate",
+  standard: "goal-quality-gate",
+};
+
+function requiredGates(state, promptText, changedFilesText) {
+  const since = [state.lastEditAt, state.lastVerificationAt].filter(Boolean).sort().at(-1);
+  const text = `${promptText || ""} ${(changedFilesText || state.dirtyReasons.join(" ") || "")}`.toLowerCase();
+  const gates = [...BASE_GATES];
+  for (const [keyword, agent] of Object.entries(CONTEXTUAL_GATES)) {
+    if (text.includes(keyword) && !gates.includes(agent)) gates.push(agent);
+  }
+  return { since, gates };
+}
+
+function missingGates(state) {
+  const { since, gates } = requiredGates(state);
+  return gates.filter((agent) => !verdictAfter(state, agent, since));
+}
+
+function completionAllowed(state) {
+  return state.active && missingGates(state).length === 0;
+}
+
+function summarizeState(state) {
+  const verdictSummary = state.verdicts.slice(-8).map((v) => `${v.agent}:${v.verdict}`).join(", ") || "none";
+  return [
+    `dirty=${state.dirty}`,
+    `reviewCycles=${state.reviewCycles}`,
+    `lastEditAt=${state.lastEditAt || "none"}`,
+    `lastReviewAt=${state.lastReviewAt || "none"}`,
+    `recentVerdicts=${verdictSummary}`,
+    `dirtyReasons=${state.dirtyReasons.slice(-5).join(" | ") || "none"}`,
+  ].join("; ");
+}
+
+export async function GoalGuardPlugin({ client }) {
+  return {
+    async "chat.params"(input) {
+      if (!input?.sessionID || typeof input.sessionID !== "string") return;
+      const normalized = input.sessionID.trim();
+      if (!normalized) return;
+      const state = stateFor(normalized);
+      state.currentAgent = input.agent;
+      if (GOAL_AGENTS.has(input.agent)) state.active = true;
+    },
+
+    async "tool.execute.before"(input, output) {
+      const state = stateFor(input.sessionID);
+      const command = output?.args?.command || input?.args?.command;
+      if (input.tool === "bash" && looksLikeDestructiveBash(command)) {
+        state.active = true;
+        state.dirtyReasons.push(`blocked risky bash fingerprint:${commandFingerprint(command)}`);
+        throw new Error(
+          "Goal Guard blocked a destructive or high-risk bash command. Ask the user or use a safer command."
+        );
+      }
+      if (input.tool === "write" || input.tool === "edit" || input.tool === "apply_patch") {
+        state.dirty = true;
+        state.lastEditAt = nowIso();
+        state.dirtyReasons.push(`${input.tool} at ${state.lastEditAt}`);
+      }
+    },
+
+    async "tool.execute.after"(input, output) {
+      const state = stateFor(input.sessionID);
+      const agent = state.currentAgent;
+      const invokedReviewAgent = normalizedAgent(input);
+      const at = nowIso();
+      let recordedReviewAgent = null;
+
+      if (agent && GOAL_AGENTS.has(agent)) state.active = true;
+
+      if (WRITE_TOOLS.has(input.tool)) {
+        state.dirty = true;
+        state.lastEditAt = at;
+        state.dirtyReasons.push(`${input.tool} at ${at}`);
+      }
+
+      const isReviewing = REVIEW_AGENTS.has(state.currentAgent);
+      if (input.tool === "bash") {
+        const command = String(input?.args?.command || "");
+        if (isVerification(command) && !isReviewing) {
+          state.verificationSeen = true;
+          state.lastVerificationAt = at;
+        }
+        if (!looksLikeDestructiveBash(command) && looksLikeMutatingBash(command) && !isReviewing) {
+          state.dirty = true;
+          state.lastEditAt = at;
+          state.dirtyReasons.push(`bash mutation fingerprint:${commandFingerprint(command)}`);
+        }
+      }
+
+      if (input.tool === "task" && REVIEW_AGENTS.has(invokedReviewAgent)) {
+        const out = textOf(output);
+        const failFirst = isFail(out);
+        const passAfter = isPass(out) && !failFirst;
+        if (!failFirst && !passAfter) return;
+        const verdict = passAfter ? "PASS" : "FAIL";
+        recordReviewVerdict(state, invokedReviewAgent, verdict, at);
+        recordedReviewAgent = invokedReviewAgent;
+      }
+
+      if (agent && REVIEW_AGENTS.has(agent)) {
+        const out = textOf(output);
+        if (/Verdict:\s*(PASS|FAIL)\b/i.test(out)) {
+          const failFirst = isFail(out);
+          const passAfter = isPass(out) && !failFirst;
+          if (!failFirst && !passAfter) return;
+          const verdict = passAfter ? "PASS" : "FAIL";
+          recordReviewVerdict(state, agent, verdict, at);
+          recordedReviewAgent = agent;
+        }
+      }
+
+      if (
+        recordedReviewAgent === "goal-final-auditor" &&
+        latestVerdictFor(state, recordedReviewAgent)?.verdict === "PASS" &&
+        completionAllowed(state)
+      ) {
+        state.dirty = false;
+        state.dirtyReasons = [];
+      }
+    },
+
+    async "experimental.session.compacting"(input, output) {
+      const state = stateFor(input.sessionID);
+      output.context.push(`Goal Guard state: ${summarizeState(state)}. Preserve Goal Contract, Verification Ledger, Review Ledger, review cycle count, dirty state, and open findings across compaction.`);
+    },
+
+    async "experimental.text.complete"(input, output) {
+      const state = stateFor(input.sessionID);
+      const text = output.text || "";
+      const claimsCompletion = /Goal Completed/i.test(text);
+      const completedMatch = text.match(/Review cycles:\s*(\d+)/i);
+      const claimedCycles = completedMatch ? parseInt(completedMatch[1], 10) : -1;
+
+      if (!claimsCompletion) return;
+
+      if (claimedCycles < 0) {
+        state.completedBlocked += 1;
+        output.text = text.replace(/Goal Completed/i, "Goal Not Completed");
+        output.text += `\n\nGoal Guard blocked completion: missing required Review cycles line. State: ${summarizeState(state)}`;
+      } else if (state.reviewCycles === 0) {
+        state.completedBlocked += 1;
+        output.text = text.replace(/Goal Completed/i, "Goal Not Completed");
+        output.text += `\n\nGoal Guard blocked completion: no review cycles recorded. State: ${summarizeState(state)}`;
+      } else if (claimedCycles !== state.reviewCycles) {
+        state.completedBlocked += 1;
+        output.text = text.replace(/Goal Completed/i, "Goal Not Completed");
+        output.text += `\n\nGoal Guard blocked completion: claimed review cycles (${claimedCycles}) do not match recorded review cycles (${state.reviewCycles}). State: ${summarizeState(state)}`;
+      } else if (!completionAllowed(state)) {
+        state.completedBlocked += 1;
+        output.text = text.replace(/Goal Completed/i, "Goal Not Completed");
+        output.text += `\n\nGoal Guard blocked completion: required review gates are missing or stale (${missingGates(state).join(", ") || "goal session not active"}). State: ${summarizeState(state)}`;
+      }
+    },
+
+    async event({ event }) {
+      if (event?.type === "session.idle" && event?.properties?.sessionID) {
+        const state = stateFor(event.properties.sessionID);
+        if (state.dirty) {
+          await client.app.log({
+            body: {
+              service: "goal-guard",
+              level: "warn",
+              message: "Goal session idle while dirty or review-stale",
+              extra: { state: summarizeState(state) },
+            },
+          });
+        }
+      }
+    },
+  };
+}
+
+export default GoalGuardPlugin;
+export const __test = {
+  createState,
+  stateFor,
+  sessions,
+  looksLikeDestructiveBash,
+  looksLikeMutatingBash,
+  isVerification,
+  summarizeState,
+};

package/scripts/check-npm-publish-ready.mjs

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { parseArgs } from "node:util";
+
+const { values } = parseArgs({
+  options: {
+    "skip-registry": { type: "boolean", default: false },
+    "skip-tag": { type: "boolean", default: false },
+  },
+  allowPositionals: false,
+});
+
+const root = fileURLToPath(new URL("..", import.meta.url));
+const pkg = JSON.parse(readFileSync(join(root, "package.json"), "utf8"));
+
+if (!pkg.name) throw new Error("package.json missing package name");
+if (!pkg.version) throw new Error("package.json missing package version");
+if (pkg.private) throw new Error("Refusing to publish a private package");
+if (pkg.publishConfig?.access !== "public") throw new Error("publishConfig.access must be public");
+if (pkg.publishConfig?.registry !== "https://registry.npmjs.org/") {
+  throw new Error("publishConfig.registry must be https://registry.npmjs.org/");
+}
+
+const releaseTag = process.env.GITHUB_REF_TYPE === "tag" ? process.env.GITHUB_REF_NAME : "";
+if (!values["skip-tag"] && releaseTag) {
+  const normalizedTag = releaseTag.startsWith("v") ? releaseTag.slice(1) : releaseTag;
+  if (normalizedTag !== pkg.version) {
+    throw new Error(`Release tag ${releaseTag} does not match package version ${pkg.version}`);
+  }
+}
+
+function packageMetadataUrl(name) {
+  const registry = pkg.publishConfig.registry.replace(/\/$/, "");
+  return `${registry}/${encodeURIComponent(name)}`;
+}
+
+if (!values["skip-registry"]) {
+  const response = await fetch(packageMetadataUrl(pkg.name), {
+    headers: { accept: "application/vnd.npm.install-v1+json" },
+  });
+
+  if (response.status !== 404) {
+    if (!response.ok) throw new Error(`npm registry check failed with HTTP ${response.status}`);
+    const metadata = await response.json();
+    if (metadata?.versions?.[pkg.version]) {
+      throw new Error(`${pkg.name}@${pkg.version} already exists on npm`);
+    }
+  }
+}
+
+console.log(`${pkg.name}@${pkg.version} is ready for npm publishing`);

package/scripts/install.mjs

@@ -0,0 +1,108 @@
+#!/usr/bin/env node
+
+import { mkdirSync, copyFileSync, readdirSync, statSync, existsSync, readFileSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { createHash } from "node:crypto";
+import { parseArgs } from "node:util";
+
+const { values } = parseArgs({
+  options: {
+    global: { type: "boolean", default: false },
+    force: { type: "boolean", default: false },
+    "dry-run": { type: "boolean", default: false },
+    target: { type: "string" },
+    help: { type: "boolean", short: "h", default: false },
+  },
+  allowPositionals: false,
+});
+
+const root = resolve(fileURLToPath(new URL("..", import.meta.url)));
+
+if (values.help) {
+  console.log(`Install OpenCode Goal Mode components.
+
+Usage:
+  node scripts/install.mjs [--global | --target <dir>] [--force] [--dry-run]
+
+Options:
+  --global       Install into ~/.config/opencode.
+  --target DIR   Install into a specific OpenCode config directory.
+  --force        Replace changed destination files.
+  --dry-run      Show planned copies without writing files.
+  -h, --help     Show this help text.`);
+  process.exit(0);
+}
+
+if (values.global && values.target) {
+  throw new Error("Use either --global or --target, not both");
+}
+
+function resolveTarget() {
+  if (values.target) return resolve(String(values.target));
+  if (values.global) {
+    const home = process.env.HOME;
+    if (!home) throw new Error("Cannot resolve HOME for --global install");
+    return join(home, ".config", "opencode");
+  }
+  return resolve(process.cwd(), ".opencode");
+}
+
+function fileHash(path) {
+  const data = readFileSync(path);
+  return createHash("sha256").update(data).digest("hex").slice(0, 16);
+}
+
+function copyDirFiles(from, to, summary) {
+  if (!values["dry-run"]) mkdirSync(to, { recursive: true });
+  for (const entry of readdirSync(from)) {
+    const source = join(from, entry);
+    const dest = join(to, entry);
+    if (!statSync(source).isFile()) continue;
+    if (existsSync(dest) && !statSync(dest).isFile()) {
+      summary.conflicts.push(`${dest} exists but is not a file`);
+      continue;
+    }
+    if (values.force) {
+      if (!values["dry-run"]) copyFileSync(source, dest);
+      summary.copied.push(dest);
+      continue;
+    }
+    if (existsSync(dest)) {
+      const srcHash = fileHash(source);
+      const dstHash = fileHash(dest);
+      if (srcHash === dstHash) {
+        summary.unchanged.push(dest);
+        continue;
+      }
+      summary.conflicts.push(`${dest} differs from packaged ${entry}`);
+      continue;
+    }
+    if (!values["dry-run"]) {
+      copyFileSync(source, dest);
+    }
+    summary.copied.push(dest);
+  }
+}
+
+const target = resolveTarget();
+const summary = { copied: [], unchanged: [], conflicts: [] };
+
+copyDirFiles(join(root, "agents"), join(target, "agents"), summary);
+copyDirFiles(join(root, "commands"), join(target, "commands"), summary);
+copyDirFiles(join(root, "plugins"), join(target, "plugins"), summary);
+
+if (summary.conflicts.length) {
+  throw new Error(
+    [
+      "Refusing to overwrite changed OpenCode component files.",
+      ...summary.conflicts.map((conflict) => `- ${conflict}`),
+      "Use --force to replace them or remove the conflicting files manually.",
+    ].join("\n")
+  );
+}
+
+const verb = values["dry-run"] ? "Would install" : "Installed";
+console.log(`${verb} OpenCode Goal Mode into ${target}`);
+console.log(`Files copied: ${summary.copied.length}; unchanged: ${summary.unchanged.length}`);
+console.log("Restart OpenCode for agents, commands, and plugins to load.");

package/scripts/validate-opencode-config.mjs

@@ -0,0 +1,82 @@
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const root = fileURLToPath(new URL("..", import.meta.url));
+const pkg = JSON.parse(readFileSync(join(root, "package.json"), "utf8"));
+
+if (!pkg.type || pkg.type !== "module") throw new Error("package.json must use ESM type module");
+if (pkg.private) throw new Error("package.json must not be private when npm publishing is enabled");
+if (!pkg.engines?.node) throw new Error("package.json missing Node engine requirement");
+if (!pkg.bin?.["opencode-goal-mode-install"]) throw new Error("package.json missing installer bin");
+if (pkg.publishConfig?.access !== "public") throw new Error("package.json publishConfig.access must be public");
+if (pkg.publishConfig?.registry !== "https://registry.npmjs.org/") {
+  throw new Error("package.json publishConfig.registry must target npmjs.org");
+}
+if (!pkg.files?.includes("agents/") || !pkg.files?.includes("commands/") || !pkg.files?.includes("plugins/")) {
+  throw new Error("package.json files must include installable OpenCode component directories");
+}
+for (const script of [
+  "test",
+  "validate",
+  "ci",
+  "prepublishOnly",
+  "install:local",
+  "install:global",
+  "pack:check",
+  "publish:check",
+  "audit",
+]) {
+  if (!pkg.scripts?.[script]) throw new Error(`package.json missing ${script} script`);
+}
+for (const file of ["README.md", "LICENSE", ".npmignore", ".nvmrc"]) {
+  if (!existsSync(join(root, file))) throw new Error(`${file} missing`);
+}
+
+const agentFiles = readdirSync(join(root, "agents")).filter((file) => file.endsWith(".md"));
+const commandFiles = readdirSync(join(root, "commands")).filter((file) => file.endsWith(".md"));
+const pluginFiles = readdirSync(join(root, "plugins")).filter((file) => file.endsWith(".js"));
+
+if (!agentFiles.includes("goal.md")) throw new Error("primary goal agent missing");
+if (!commandFiles.includes("goal.md")) throw new Error("primary goal command missing");
+if (!pluginFiles.includes("goal-guard.js")) throw new Error("goal guard plugin missing");
+
+const forbiddenComponentName = /(auth|session|token|secret|preauth|failures|hosts\.ya?ml)/i;
+for (const dir of ["agents", "commands", "plugins"]) {
+  for (const file of readdirSync(join(root, dir))) {
+    const path = join(root, dir, file);
+    if (!statSync(path).isFile()) continue;
+    if (forbiddenComponentName.test(file)) throw new Error(`forbidden component filename: ${dir}/${file}`);
+  }
+}
+
+for (const file of agentFiles) {
+  const text = readFileSync(join(root, "agents", file), "utf8");
+  if (!text.startsWith("---\n")) throw new Error(`${file} missing frontmatter`);
+  if (!/^description:/m.test(text)) throw new Error(`${file} missing description`);
+  if (!/^mode:\s+(primary|subagent|all)$/m.test(text)) throw new Error(`${file} has invalid mode`);
+  if (!/^permission:/m.test(text)) throw new Error(`${file} missing permission`);
+}
+
+for (const file of commandFiles) {
+  const text = readFileSync(join(root, "commands", file), "utf8");
+  if (!text.startsWith("---\n")) throw new Error(`${file} missing frontmatter`);
+  if (!/^description:/m.test(text)) throw new Error(`${file} missing description`);
+  if (!/^agent:/m.test(text)) throw new Error(`${file} missing agent`);
+}
+
+const plugin = await import(join(root, "plugins", "goal-guard.js"));
+if (typeof plugin.default !== "function") throw new Error("goal-guard plugin must default-export a function");
+const hooks = await plugin.default({ client: { app: { log: async () => undefined } } });
+for (const hook of [
+  "chat.params",
+  "tool.execute.before",
+  "tool.execute.after",
+  "experimental.session.compacting",
+  "experimental.text.complete",
+  "event",
+]) {
+  if (typeof hooks?.[hook] !== "function") throw new Error(`goal-guard plugin missing ${hook} hook`);
+}
+
+console.log("OpenCode Goal Mode package validation passed");