opencode-onboard 0.0.5 → 0.1.0

package/content/.opencode/agents/security-auditor.md

@@ -1,85 +0,0 @@
-# Security Auditor
-
-> Security specialist, finds vulnerabilities across all layers. Spawned by the lead agent via opencode-ensemble after quality-engineer passes.
-
-```
-name: security-auditor
-mode: subagent
-model: explore
-description: |
-  Security engineer. Audits completed changes for vulnerabilities.
-  OWASP Top 10, secrets exposure, auth gaps, injection risks.
-  Receives completed implementation, audits it, reports findings.
-```
-
-## Domain
-
-OWASP Top 10 vulnerabilities, secrets and credential exposure, authentication and authorization gaps, injection risks (SQL, XSS, command), insecure dependencies, misconfigured CORS or headers, data exposure in logs or responses, insecure direct object references. Works across all layers, UI, backend, infra.
-
-## RTK, MANDATORY
-
-Use `rtk` for ALL CLI commands. Never run commands directly.
-
-- `rtk npm audit` NOT `npm audit`
-- `rtk dotnet list package --vulnerable` NOT `dotnet list package --vulnerable`
-
-If `rtk` is not available, report it as a blocker. Do not run commands without it.
-
-## Skills, Auto-Detection
-
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
-
-**How to detect:**
-1. Read the task description and identify the domain and platform
-2. Scan `.opencode/skills/` for available skills
-3. Read each `SKILL.md` description to assess relevance
-4. Load and follow any skill that applies, even partial match warrants loading
-
-**Rules:**
-- Never implement directly if a skill applies
-- Follow skill instructions exactly, do not partially apply them
-- A skill that is 50% relevant still takes priority over improvising
-- If two skills apply, follow both, resolve conflicts by asking the lead
-
-## Responsibilities
-
-Audit all changes after quality-engineer signs off:
-- Scan for hardcoded secrets, API keys, passwords, tokens
-- Check `.env` files are gitignored
-- Verify no credentials in logs, URLs, or error responses
-- Check authentication and authorization on sensitive endpoints
-- Verify input validation at system boundaries
-- Check for injection risks in queries and templates
-- Review dependency vulnerabilities
-- Check CORS, headers, and rate limiting
-
-## Severity Levels
-
-- **Critical**, Must block merge: secret exposure, auth bypass, data loss risk
-- **High**, Should fix before merge: injection risk, missing auth, sensitive data leak
-- **Medium**, Fix soon: missing rate limiting, weak validation, insecure config
-- **Low**, Informational: minor hardening opportunities
-
-## Constraints
-
-- Audit only, do not implement fixes unless Critical and explicitly asked
-- Do not push to `main`
-- Do not merge PRs, human-only
-- Critical findings must block the PR, report to lead immediately
-
-## Output Format
-
-```
-## Security Auditor, Done
-
-**Status:** pass | blocked
-**Critical:** <count>
-**High:** <count>
-**Medium:** <count>
-**Low:** <count>
-
-### Findings
-- [severity] [file:line] <description>, <recommended fix>
-
-**Blockers:** none | <critical findings that must be resolved before PR>
-```

package/src/presets/skills-providers.json

@@ -1,14 +0,0 @@
-[
-  {
-    "label": "ob-skills (default, ships with opencode-onboard)",
-    "value": "ob-skills",
-    "package": "opencode-onboard",
-    "description": "Default skill pack: GitHub and Azure DevOps user stories, pull requests, OpenSpec workflows."
-  },
-  {
-    "label": "None, I will add skills manually",
-    "value": "none",
-    "package": null,
-    "description": "Skip skill installation. Add skills to .opencode/skills/ manually."
-  }
-]

package/src/steps/__tests__/choose-team.test.js

@@ -1,105 +0,0 @@
-import fse from 'fs-extra'
-import os from 'os'
-import path from 'path'
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-
-vi.mock('../../utils/exec.js', () => ({
-  header: vi.fn(),
-  success: vi.fn(),
-  info: vi.fn(),
-}))
-
-vi.mock('@inquirer/prompts', () => ({
-  checkbox: vi.fn(),
-  input: vi.fn(),
-}))
-
-import { checkbox, input } from '@inquirer/prompts'
-import { info } from '../../utils/exec.js'
-
-describe('chooseTeam()', () => {
-  let tmpDir
-  let originalCwd
-
-  beforeEach(async () => {
-    tmpDir = await fse.mkdtemp(path.join(os.tmpdir(), 'ob-team-test-'))
-    originalCwd = process.cwd()
-    process.chdir(tmpDir)
-    vi.clearAllMocks()
-  })
-
-  afterEach(async () => {
-    process.chdir(originalCwd)
-    await fse.remove(tmpDir)
-    vi.resetModules()
-  })
-
-  it('returns empty array and skips when no agents selected', async () => {
-    checkbox.mockResolvedValue([])
-    // single empty input to exit the custom loop
-    input.mockResolvedValue('')
-
-    // Dynamic import so process.cwd() is captured at call time
-    const { chooseTeam } = await import('../choose-team.js')
-    const result = await chooseTeam()
-
-    expect(result).toEqual([])
-    expect(info).toHaveBeenCalledWith('No agents selected, skipping team setup.')
-  })
-
-  it('creates agent files for selected preset agents', async () => {
-    checkbox.mockResolvedValue(['frontend', 'backend'])
-    input.mockResolvedValue('') // no custom agents
-
-    const { chooseTeam } = await import('../choose-team.js')
-    const result = await chooseTeam()
-
-    expect(result).toEqual(['frontend', 'backend'])
-
-    const frontendPath = path.join(tmpDir, '.opencode', 'agents', 'frontend.md')
-    const backendPath = path.join(tmpDir, '.opencode', 'agents', 'backend.md')
-    expect(await fse.pathExists(frontendPath)).toBe(true)
-    expect(await fse.pathExists(backendPath)).toBe(true)
-  })
-
-  it('creates agent file for custom agent name', async () => {
-    checkbox.mockResolvedValue([])
-    input.mockResolvedValueOnce('devops').mockResolvedValueOnce('') // one custom, then stop
-
-    const { chooseTeam } = await import('../choose-team.js')
-    const result = await chooseTeam()
-
-    expect(result).toContain('devops')
-    const devopsPath = path.join(tmpDir, '.opencode', 'agents', 'devops.md')
-    expect(await fse.pathExists(devopsPath)).toBe(true)
-  })
-
-  it('normalises custom agent name (lowercase, spaces to dashes)', async () => {
-    checkbox.mockResolvedValue([])
-    input.mockResolvedValueOnce('My Agent').mockResolvedValueOnce('')
-
-    const { chooseTeam } = await import('../choose-team.js')
-    const result = await chooseTeam()
-
-    expect(result).toContain('my-agent')
-    const agentPath = path.join(tmpDir, '.opencode', 'agents', 'my-agent.md')
-    expect(await fse.pathExists(agentPath)).toBe(true)
-  })
-
-  it('skips agent file creation if it already exists', async () => {
-    checkbox.mockResolvedValue(['frontend'])
-    input.mockResolvedValue('')
-
-    const agentsDir = path.join(tmpDir, '.opencode', 'agents')
-    await fse.ensureDir(agentsDir)
-    await fse.writeFile(path.join(agentsDir, 'frontend.md'), 'existing content')
-
-    const { chooseTeam } = await import('../choose-team.js')
-    await chooseTeam()
-
-    // File should still have original content (not overwritten)
-    const content = await fse.readFile(path.join(agentsDir, 'frontend.md'), 'utf-8')
-    expect(content).toBe('existing content')
-    expect(info).toHaveBeenCalledWith('frontend.md already exists, skipping')
-  })
-})