opencode-goal-mode 0.2.2 → 0.3.0

package/plugins/goal-guard/system.js

@@ -33,6 +33,9 @@ export function buildSystemInjection(state, config) {
   lines.push(`- Verification observed: ${r.verificationSeen ? "yes" : "no"}.`);
   lines.push(`- Required review gates: ${bullet(r.requiredGates)}.`);
   lines.push(`- Gates still missing or stale: ${bullet(r.missingGates)}.`);
+  if (r.reviewerMemory.open.length) {
+    lines.push(`- Open Reviewer Memory: ${r.reviewerMemory.open.map((m) => `${m.agent}: ${m.finding}`).join(" | ")}.`);
+  }
   lines.push(
     `- Completion is currently ${r.completionAllowed ? "ALLOWED" : "BLOCKED"}. ` +
       (r.completionAllowed

package/plugins/goal-guard/tools.js

@@ -12,7 +12,7 @@
  */
 
 import { tool } from "@opencode-ai/plugin";
-import { statusReport } from "./summary.js";
+import { evidenceMapReport, reviewerMemoryReport, statusReport } from "./summary.js";
 import { recordEvidence } from "./events.js";
 import { refreshStickyGates } from "./gates.js";
 import { createState } from "./state.js";
@@ -38,10 +38,50 @@ export function createGoalTools({ store, config, persist }) {
       async execute(_args, ctx) {
         const state = store.stateFor(ctx.sessionID);
         const report = statusReport(state, config);
+        const goal = report.goal ? `“${report.goal}” — ` : "";
         return {
-          title: `Goal status: completion ${report.completionAllowed ? "allowed" : "blocked"}`,
+          title: `Goal status: ${goal}completion ${report.completionAllowed ? "allowed" : "blocked"}`,
           output: JSON.stringify(report, null, 2),
-          metadata: { completionAllowed: report.completionAllowed, reviewCycles: report.reviewCycles },
+          metadata: {
+            goal: report.goal,
+            completionAllowed: report.completionAllowed,
+            reviewCycles: report.reviewCycles,
+            missingGates: report.missingGates,
+          },
+        };
+      },
+    }),
+
+    goal_evidence_map: tool({
+      description:
+        "Return an authoritative read-only evidence map for this session: each acceptance " +
+        "criterion, matching recorded evidence, required reviewer gate status, coverage status, " +
+        "gaps, and next action.",
+      args: {},
+      async execute(_args, ctx) {
+        const state = store.stateFor(ctx.sessionID);
+        const report = evidenceMapReport(state, config);
+        const covered = report.criteria.filter((item) => item.status === "covered").length;
+        return {
+          title: `Evidence map: ${covered}/${report.criteria.length} criteria covered`,
+          output: JSON.stringify(report, null, 2),
+          metadata: { criteriaCount: report.criteria.length, coveredCount: covered, missingGates: report.missingGates },
+        };
+      },
+    }),
+
+    goal_reviewer_memory: tool({
+      description:
+        "Return durable Reviewer Memory for this session: unresolved and recently resolved " +
+        "reviewer findings carried across cycles. Read-only.",
+      args: {},
+      async execute(_args, ctx) {
+        const state = store.stateFor(ctx.sessionID);
+        const report = reviewerMemoryReport(state);
+        return {
+          title: `Reviewer Memory: ${report.open.length} open findings`,
+          output: JSON.stringify(report, null, 2),
+          metadata: { openCount: report.open.length, total: report.total },
         };
       },
     }),

package/plugins/goal-guard/verdicts.js

@@ -68,17 +68,54 @@ export function latestVerdictFor(state, agent) {
   return state.latestVerdict[agent] || null;
 }
 
+function summarizeFinding(text) {
+  const headingRe = /^(blocking findings?|findings?|non-blocking findings?|open questions?|summary|verdict|blocking|issues?)[:\s]*$/i;
+  const lines = String(text || "")
+    .split(/\r?\n/)
+    .map((line) => line.replace(/^[\s>*_-]+/, "").trim())
+    .filter(Boolean)
+    .filter((line) => !headingRe.test(line))
+    .filter((line) => !/^verdict:?\s*(pass|fail)\b/i.test(line));
+  const blocking = lines.find((line) => /block|fail|finding|risk|missing|gap|regression/i.test(line));
+  return String(blocking || lines[0] || "Reviewer reported a blocking finding.").slice(0, 240);
+}
+
+function updateReviewerMemory(state, agent, verdict, at, seq, text) {
+  state.reviewerMemory ||= [];
+  if (verdict === "PASS") {
+    for (const item of state.reviewerMemory) {
+      if (item.agent === agent && item.status === "open") {
+        item.status = "resolved";
+        item.resolvedAt = at;
+        item.resolvedSeq = seq;
+      }
+    }
+    return;
+  }
+  const finding = summarizeFinding(text);
+  const open = state.reviewerMemory.find((item) => item.agent === agent && item.status === "open" && item.finding === finding);
+  if (open) {
+    open.lastAt = at;
+    open.lastSeq = seq;
+    open.count += 1;
+  } else {
+    state.reviewerMemory.push({ agent, finding, severity: "blocking", status: "open", firstAt: at, firstSeq: seq, lastAt: at, lastSeq: seq, count: 1 });
+  }
+  if (state.reviewerMemory.length > 100) state.reviewerMemory.splice(0, state.reviewerMemory.length - 100);
+}
+
 /**
  * Record a review verdict for `agent`, stamping it with the next monotonic seq.
  * Increments the review-cycle count when the cycle-closing agent reports.
  */
-export function recordVerdict(store, state, agent, verdict) {
+export function recordVerdict(store, state, agent, verdict, text = "") {
   const at = store.nowIso();
   const seq = store.nextSeq();
   const entry = { agent, verdict, at, seq };
   state.verdicts.push(entry);
   if (state.verdicts.length > 200) state.verdicts.splice(0, state.verdicts.length - 200);
   state.latestVerdict[agent] = { verdict, at, seq };
+  updateReviewerMemory(state, agent, verdict, at, seq, text);
   state.lastReviewAt = at;
   state.lastReviewSeq = seq;
   state.updatedAt = at;

package/plugins/goal-guard.js

@@ -179,27 +179,42 @@ export function createGuard(input = {}, options = {}, overrides = {}) {
         // records against that same session (never another), so it can neither
         // mis-credit a sibling session nor break the parent goal, which the task
         // path already covers. Split by tool type so the two never double-count.
+        const wasAllowed = completionAllowed(state, config);
         let recordedAgent = null;
+        let recordedVerdict = null;
         if (tool === "task") {
           const sub = normalizedSubagent(inp);
           if (isReviewAgent(sub)) {
-            const verdict = parseVerdict(textOf(out));
+            const text = textOf(out);
+            const verdict = parseVerdict(text);
             if (verdict) {
-              recordVerdict(store, state, sub, verdict);
+              recordVerdict(store, state, sub, verdict, text);
               recordedAgent = sub;
+              recordedVerdict = verdict;
             }
           }
         } else if (isReviewAgent(state.currentAgent)) {
-          const verdict = parseVerdict(textOf(out));
+          const text = textOf(out);
+          const verdict = parseVerdict(text);
           if (verdict) {
-            recordVerdict(store, state, state.currentAgent, verdict);
+            recordVerdict(store, state, state.currentAgent, verdict, text);
             recordedAgent = state.currentAgent;
+            recordedVerdict = verdict;
           }
         }
 
         if (recordedAgent === CYCLE_CLOSING_AGENT) {
           maybeClearDirtyOnFinalPass(state, config);
         }
+
+        // Surface review progress in the TUI: a toast per recorded verdict, and a
+        // single celebratory toast the moment the last required gate clears.
+        if (recordedAgent && recordedVerdict && config.toastOnReview) {
+          logger.toast(`Goal Guard: ${recordedAgent} → ${recordedVerdict}`, recordedVerdict === "PASS" ? "success" : "warning");
+          if (!wasAllowed && completionAllowed(state, config)) {
+            logger.toast("Goal Guard: all required gates passed — completion unlocked", "success");
+          }
+        }
         persist();
       } catch {
         /* never break a turn */
@@ -231,7 +246,7 @@ export function createGuard(input = {}, options = {}, overrides = {}) {
         const state = store.stateFor(inp.sessionID);
         out.context.push(
           `Goal Guard state: ${summarizeState(state, config)}. Preserve Goal Contract, Verification Ledger, ` +
-            `Review Ledger, review cycle count, dirty state, and open findings across compaction.`,
+            `Review Ledger, Reviewer Memory, review cycle count, dirty state, and open findings across compaction.`,
         );
       } catch {
         /* ignore */

package/plugins/goal-sidebar.js

@@ -0,0 +1,141 @@
+/** @jsxImportSource @opentui/solid */
+/**
+ * Goal Mode — experimental TUI sidebar banner.
+ *
+ * EXPERIMENTAL. This is a TUI plugin module (the companion to the server-side
+ * goal-guard plugin). It renders the current goal as a short, shining-yellow
+ * banner in the OpenCode sidebar, with a compact `passing/total gates ·
+ * dirty/ready` status line, and updates as reviews land.
+ *
+ * It only does anything inside a TUI-plugin-capable OpenCode (one exposing
+ * `api.slots.register`). On any older runtime, missing API, or render error it
+ * silently no-ops — it can never break your TUI.
+ *
+ * Pairing: it reads the SAME on-disk snapshot the goal-guard server plugin
+ * writes (see goal-guard/persistence.js), so the two stay in sync with no extra
+ * IPC. The pure projection (`summary.sidebarView`) is shared with the server
+ * plugin and unit-tested via goal-guard/sidebar-data.js; only the file read and
+ * state-path computation are reimplemented here.
+ *
+ * Runtime constraints (mirrored from working OpenCode TUI plugins):
+ *  - TUI plugin modules export `export default { id, tui }`.
+ *  - The Bun TUI plugin runtime does NOT support top-level ESM imports of Node
+ *    built-ins, so `node:fs`/`node:path`/`node:os`/`node:crypto` are `require()`d
+ *    lazily inside functions. Top-level imports of regular packages (solid-js)
+ *    and of our Node-built-in-free local modules are fine.
+ *  - This file uses Solid/opentui JSX and is loaded only by OpenCode's (Bun) TUI
+ *    runtime, which transpiles it; it is never imported by the Node test suite.
+ */
+
+import { createSignal, onCleanup, Show } from "solid-js";
+import { sidebarView } from "./goal-guard/summary.js";
+import { DEFAULT_CONFIG } from "./goal-guard/config.js";
+
+const DEFAULT_COLOR = "#FFD700"; // shining yellow
+const POLL_MS = 1500;
+
+function resolveOptions(options, env) {
+  const e = env || {};
+  const enabledOpt = options?.sidebarBanner;
+  const enabledEnv = e.GOAL_GUARD_SIDEBAR_BANNER;
+  const disabled =
+    enabledOpt === false || enabledEnv === "0" || enabledEnv === "false" || enabledEnv === "off";
+  const color = options?.sidebarColor || e.GOAL_GUARD_SIDEBAR_COLOR || DEFAULT_COLOR;
+  return { enabled: !disabled, color };
+}
+
+/**
+ * Read the guard's persisted snapshot for a worktree. The state-path logic is
+ * kept identical to goal-guard/persistence.js (stateBaseDir + projectKey); node
+ * built-ins are required lazily to satisfy the TUI runtime.
+ */
+function readSnapshot(worktree) {
+  try {
+    const fs = require("node:fs");
+    const path = require("node:path");
+    const os = require("node:os");
+    const crypto = require("node:crypto");
+    const xdg = process.env.XDG_STATE_HOME && process.env.XDG_STATE_HOME.trim();
+    const base = xdg || path.join(os.homedir(), ".local", "state");
+    const key = crypto.createHash("sha256").update(String(worktree || "default")).digest("hex").slice(0, 16);
+    const file = path.join(base, "opencode", "goal-guard", `${key}.json`);
+    return JSON.parse(fs.readFileSync(file, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+/** Most-recently-touched active session, preferring an explicit active sessionId. */
+function pickSession(snapshot, sessionId) {
+  if (!snapshot || !Array.isArray(snapshot.sessions)) return null;
+  const records = snapshot.sessions
+    .filter((e) => Array.isArray(e) && e.length === 2)
+    .map(([key, st]) => [key, st && typeof st === "object" ? st : {}]);
+  if (sessionId) {
+    const direct = records.find(([key, st]) => key === sessionId && st.active);
+    if (direct) return direct[1];
+  }
+  const active = records.filter(([, st]) => st.active);
+  if (active.length === 0) return null;
+  active.sort((a, b) => (b[1].touchedAt || 0) - (a[1].touchedAt || 0));
+  return active[0][1];
+}
+
+function readModel(worktree, sessionId) {
+  const snapshot = readSnapshot(worktree);
+  if (!snapshot) return null;
+  const record = pickSession(snapshot, sessionId);
+  if (!record) return null;
+  try {
+    return sidebarView(record, DEFAULT_CONFIG);
+  } catch {
+    return null;
+  }
+}
+
+export const id = "goal-mode-sidebar";
+
+/** @type {import("@opencode-ai/plugin/tui").TuiPlugin} */
+export const tui = async (api, options) => {
+  try {
+    const { enabled, color } = resolveOptions(options, typeof process !== "undefined" ? process.env : {});
+    if (!enabled) return;
+    if (!api?.slots?.register) return; // runtime without the slot API → no-op.
+
+    const worktree = api.state?.path?.worktree || api.state?.path?.directory;
+
+    api.slots.register({
+      order: 50,
+      slots: {
+        sidebar_content(_ctx, props) {
+          const read = () => {
+            try {
+              return readModel(worktree, props?.session_id);
+            } catch {
+              return null;
+            }
+          };
+          const [model, setModel] = createSignal(read());
+          const timer = setInterval(() => setModel(read()), POLL_MS);
+          onCleanup(() => clearInterval(timer));
+          return (
+            <Show when={model()}>
+              <box flexDirection="column">
+                <text fg={color}>
+                  {"◆ "}
+                  <b>GOAL</b>
+                  {`  ${model().goal}`}
+                </text>
+                <text fg={color}>{model().status}</text>
+              </box>
+            </Show>
+          );
+        },
+      },
+    });
+  } catch {
+    /* TUI runtime missing or API drift — render nothing rather than crash. */
+  }
+};
+
+export default { id, tui };

package/research/README.md

@@ -10,7 +10,7 @@ links resolve in the npm package, but they are not runtime files.
 | [opencode-plugin-platform.md](opencode-plugin-platform.md) | Verified OpenCode plugin-runtime facts (hooks, discovery, permissions, tools) from `@opencode-ai/plugin@1.15.13` source. The pinned runtime reference the plugin is built against. |
 | [goal-mode-comparison.md](goal-mode-comparison.md) | How Goal Mode's mechanical enforcement compares to Claude Code and OpenAI Codex, with citations and honest caveats. |
 | [shell-hardening.md](shell-hardening.md) | The shell-analyzer threat model: the bypass classes the old regex guard missed and how the tokenizer closes each. |
-| [benchmarks.md](benchmarks.md) | Benchmark methodology and results (detection rate, false positives, latency). Reproduce with `npm run bench`. |
+| [benchmarks.md](benchmarks.md) | Benchmark methodology and results (shell guard accuracy plus completion truthfulness). Reproduce charts with `npm run bench` and JSON with `npm run bench:truthfulness`. |
 
 Every non-obvious platform claim in these documents was verified against the
 installed `@opencode-ai/plugin` type definitions and/or the `sst/opencode`

package/research/benchmarks.md

@@ -4,60 +4,87 @@ Reproducible measurement of the destructive-command guard from a repository
 checkout. Run:
 
 ```bash
-npm run bench          # detection / false-positive / latency benchmark
-npm run bench:compare  # regenerate the capability-comparison chart
+npm run bench                # external + fixture benchmarks → results.json + charts
+node benchmarks/external.mjs # external benchmark only (add --json for full detail)
+npm run bench:truthfulness   # print the completion-enforcement fixture JSON
+npm run bench:compare        # regenerate the capability-comparison chart
 ```
 
 `npm run bench` writes `docs/benchmarks/results.json` and the SVG charts the
 README embeds.
 
-## Methodology
-
-- **Corpus** (`benchmarks/corpus.mjs`): 71 real shell commands a coding agent
-  might emit, each labeled `destructive` (a guard must block) or `safe` (a guard
-  must not block). Split into families: *classic* (plain `rm -rf`, `git reset
-  --hard`), *obfuscated* (the bypass corpus — substitutions, wrappers, `bash -c`,
-  interpreters, weaponized git), *remote-exec* (`curl | sh`), and *safe*
-  (read-only and quoted-text commands, including ones the old guard
-  false-positived).
-- **Baseline** (`benchmarks/legacy-analyzer.mjs`): the original regex classifier,
-  preserved **verbatim** from the first published release (commit `130956d`), so
-  the comparison is apples-to-apples against the same code that shipped.
-- **A command counts as "blocked"** when the analyzer flags it `destructive` or
-  `networkExec` (the two signals `tool.execute.before` throws on). `mutating`
-  marks the session dirty but does not block, so it is not counted here.
-- **Metrics**: detection rate (recall over destructive commands),
-  false-positive rate (safe commands wrongly blocked), and per-command latency.
+## Why this was rewritten
+
+The previous benchmark reported "20.8% → 100% detection, 21.7% → 0% false
+positives" on a **71-command corpus the analyzer's author wrote**. The analyzer
+was, in effect, the specification of that corpus, so 100%/0% mostly restated
+"my code passes my own examples." Those numbers are still produced — but they are
+now labeled as *regression fixtures*, and the headline figure comes from an
+**external corpus the analyzer was never fitted to**.
+
+## Headline: external corpus
 
-## Results
+- **Source**: real example commands from
+  [tldr-pages](https://github.com/tldr-pages/tldr) (`common`, `linux`, `osx`
+  English pages), pinned by commit in `benchmarks/external-corpus.json`. These
+  are written by hundreds of contributors with no knowledge of this analyzer, so
+  it cannot have been tuned to them. `tldr` `{{placeholder}}` tokens and
+  `[-f|--force]` alternative-flag notation are canonicalized into literal
+  commands by `benchmarks/build-external-corpus.mjs`.
+- **Ground-truth labels** come from `labelDestructive()` in that builder: a
+  deliberately simple, transparent rule (primary utility ∈ a fixed irreversible
+  set; specific destructive `git` subcommands; `curl|wget … | sh`). It is
+  intentionally **independent of the analyzer's own logic**. No automatic labeler
+  is perfect, so the benchmark prints every disagreement for audit rather than
+  hiding them.
+- **Sampling**: all destructive examples found are kept (they are rare in real
+  docs); safe examples are stride-sampled to a cap. This imbalance is recorded in
+  the corpus `totals` and disclosed here so it is not mistaken for a base rate.
 
-Representative run (Node 22, single-threaded; latency varies by machine, the
-accuracy figures do not):
+Representative run (sample of 704 commands: 104 destructive, 600 safe):
 
-| Metric | Legacy regex guard | Goal Mode analyzer |
+| On real third-party commands | Legacy regex guard | Goal Mode analyzer |
 | --- | --- | --- |
-| Detection rate | **20.8%** (10/48) | **100%** (48/48) |
-| False-positive rate | **21.7%** (5/23) | **0%** (0/23) |
-| Detection — classic | 100% | 100% |
-| Detection — obfuscated | 0% (0/35) | 100% (35/35) |
-| Detection — remote-exec | 0% (0/3) | 100% (3/3) |
-| Latency per command | ~2.3 µs | ~3.8 µs |
-
-The legacy guard catches only the *classic* family and misses every obfuscated
-and remote-execution command, while wrongly blocking 1-in-5 benign commands. The
-tokenizer catches the entire corpus with zero false positives, for an extra
-~1.5 µs per command on this run — negligible for a per-tool-call guard (still
-hundreds of thousands of classifications per second).
+| Detection rate | 53.8% | **93.3%** |
+| False-positive rate | 0.2% | 0.2% |
+
+Reading the result honestly:
+
+- The remaining Goal Mode misses are almost entirely un-flagged single-target
+  `rm <file>` (and `rm -i`/`-v`/`-d`), which the guard **intentionally permits**:
+  it blocks `rm -r`/`rm -f`, command-substitution/`bash -c`/interpreter deletes,
+  and remote exec, but not a plain single-file `rm`. Under the strict
+  every-`rm`-is-destructive labeler these are counted as misses.
+- The one counted false positive (`git filter-repo …`) genuinely rewrites
+  history, so the real-world false-positive rate is effectively zero. Run
+  `node benchmarks/external.mjs --json` to see the full miss / false-positive
+  lists.
+- This benchmark directly drove real fixes: `mkfs.<fstype>` variants, `srm`, and
+  `mkswap` were missing from the analyzer and were added after the external run
+  exposed them.
+
+## Curated regression fixtures (a spec, not a survey)
+
+`benchmarks/corpus.mjs` (71 commands) and `benchmarks/completion-corpus.mjs`
+(9 completion-claim cases) define the patterns the analyzer must catch and the
+completion-policy decisions it must make. They pass **by construction** and exist
+to prevent regressions. The 100%/0% / "all cases pass" numbers there are not
+measured accuracy — treat them as a checklist the code is required to satisfy.
+
+- **Baseline** for the fixture comparison (`benchmarks/legacy-analyzer.mjs`) is
+  the original regex classifier, preserved **verbatim** from the first published
+  release (commit `130956d`), so it is the author's own prior code, not a
+  strawman built to lose.
+- **A command counts as "blocked"** when the analyzer flags it `destructive` or
+  `networkExec` (the signals `tool.execute.before` throws on). `mutating` marks
+  the session dirty but does not block, so it is not counted.
 
 ## Honesty notes
 
-- The corpus is hand-built to exercise the known bypass classes; it is a
-  capability benchmark, not a claim of catching *every* possible obfuscation
-  (the analyzer fails open on un-analyzable dynamic commands — see
-  [shell-hardening.md](shell-hardening.md)).
-- The latency comparison is intentionally shown even though the new analyzer is
-  slower: the win is accuracy, and the parse cost is still only a few
-  microseconds per tool-call candidate.
-- "100% on this corpus" means 100% of the labeled set; new bypass classes that
-  are discovered get added to the corpus and fixed (that is how the second-wave
-  findings — `sudo -u`, `pnpm dlx`, interpreter shell-out — entered it).
+- The analyzer fails **open** on un-analyzable dynamic commands (deferring to the
+  host's permission rules); it is defense-in-depth, not a jail — see
+  [shell-hardening.md](shell-hardening.md).
+- The latency comparison is shown even though the tokenizer is slower than a
+  regex: the win is accuracy, and the parse cost is ~1µs per candidate.
+- The completion-enforcement fixtures verify mechanical completion-claim policy,
+  not that an LLM's prose is semantically true in every domain.