opencode-onboard 0.0.5 → 0.1.1

package/README.md

@@ -1,13 +1,8 @@
-<!--
-  BANNER
-  Replace the line below with your actual banner image once ready.
-  Recommended size: 1280×640px, dark background.
-  <img src="./assets/banner.png" alt="opencode-onboard banner" width="100%" />
--->
-
 <div align="center">
 
-# opencode-onboard
+<img src="https://raw.githubusercontent.com/CKGrafico/opencode-onboard/refs/heads/main/logo.png" alt="opencode-onboard" width="160" />
+
+# 🧰 opencode-onboard
 
 **One command to prepare any codebase for AI agent workflows.**
 
@@ -20,16 +15,15 @@ Works with [OpenCode](https://opencode.ai), [OpenCode Ensemble](https://github.c
 
 </div>
 
----
-
 ## What is this?
 
 Most codebases have no `AGENTS.md`, no architecture docs agents can read, and no defined workflow for picking up tasks. Agents end up improvising, and that produces inconsistent, brittle results.
 
-**opencode-onboard** fixes that in a single interactive run. It installs a universal agent team and the skills they need to work on your project, platform-aware, non-destructive, and ready the moment it finishes.
-
-> **Note:** This is an independent community tool, not built by or affiliated with the OpenCode team.
+**opencode-onboard** fixes that in a single interactive run. It installs a universal agent team, the skills they need, picks your AI models, and configures OpenCode, platform-aware, non-destructive, and ready the moment it finishes.
 
+<div align="center">
+<img src="https://raw.githubusercontent.com/CKGrafico/opencode-onboard/refs/heads/main/demo.gif" alt="opencode-onboard demo" width="700" />
+</div>
 ---
 
 ## Quick start
@@ -44,19 +38,20 @@ Requires **Node.js 18+**.
 
 ## How it works
 
-The CLI runs through a short interactive sequence:
+The CLI clears the screen, shows a welcome banner, and walks you through 10 steps. The screen always shows the last 2 completed steps + the current one so you always know where you are.
 
 | Step | What happens |
 |------|-------------|
-| **1. Environment check** | Verifies Node.js ≥ 18 and npm/pnpm are available |
-| **2. Clean AI files** | Detects existing `AGENTS.md`, `.cursorrules`, `CLAUDE.md`, etc. and offers to remove them |
+| **1. Environment check** | Verifies Node.js ≥ 18 and pnpm are available |
+| **2. Clean AI files** | Detects existing `AGENTS.md`, `.cursorrules`, `CLAUDE.md`, `.agents/` etc. and removes them, preserves your `.agents/skills/` |
 | **3. Choose platform** | GitHub or Azure DevOps |
-| **4. Copy scaffolding** | Drops the agent layer and bootstrap docs into your project |
-| **5. Choose skills provider** | Installs platform skills agents use for work item and PR workflows |
-| **6. Init OpenSpec** | Runs `npx @fission-ai/openspec init` for structured change management |
-| **7. Install opencode-browser** | Browser plugin agents use for local UI screenshots |
-| **8. Check rtk** | Verifies `rtk` is on PATH |
-| **9. Verify platform CLI** | Checks `gh` (GitHub) or `az` + `azure-devops` (Azure DevOps) |
+| **4. Check platform CLI** | Verifies `gh` (GitHub) or `az` + `azure-devops` (Azure DevOps) |
+| **5. Copy scaffolding** | Drops agents, skills, and bootstrap docs into your project |
+| **6. Init OpenSpec** | Runs `npx @fission-ai/openspec init` silently for structured change management |
+| **7. Install skills** | Installs built-in `ob-` skills + optional additional skills provider |
+| **8. Choose models** | Fetches live model list from [models.dev](https://models.dev), lets you pick plan / build / fast models with cost indicators and canonical pricing |
+| **9. Check RTK** | Verifies `rtk` is on PATH |
+| **10. Install browser plugin** | Installs `@different-ai/opencode-browser` globally for agent browser automation |
 
 When it finishes, open OpenCode in your project and type:
 
@@ -85,20 +80,33 @@ quality-engineer   unit, integration, e2e tests across all layers
 security-auditor   vulnerability audit, secrets, auth gaps
 ```
 
+Each agent has a color in the OpenCode UI. Builder agents (`front-engineer`, `back-engineer`, `infra-engineer`) run at `temperature: 0.2` for deterministic output. `security-auditor` is read-only, edit is denied.
+
 ### Skills, platform knowledge
 
-Skills define *what to know*. They are installed separately and provide the tech and platform-specific knowledge agents need. Agents detect and load relevant skills automatically, **you never tell an agent which skill to use**.
+Skills define *what to know*. They provide the tech and platform-specific knowledge agents need. Agents detect and load relevant skills automatically, **you never tell an agent which skill to use**.
 
-Skills shipped with opencode-onboard (`ob-` prefix):
+Built-in skills (`ob-` prefix) shipped with opencode-onboard:
 
 | Skill | Purpose |
 |-------|---------|
 | `ob-userstory-gh` | Parse a GitHub Issue URL into a structured work item |
 | `ob-userstory-az` | Parse an Azure DevOps work item URL |
-| `ob-pullrequest-gh` | Create and update PRs on GitHub |
-| `ob-pullrequest-az` | Create and update PRs on Azure DevOps |
+| `browser-automation` | Browser control via `@different-ai/opencode-browser` |
+
+Skills live in `.agents/skills/`. Any `SKILL.md` file in a subdirectory is automatically discoverable, write your own and agents will pick them up.
+
+### Models, plan / build / fast
+
+During onboarding you pick three models:
+
+| Role | Used by | Pick |
+|------|---------|------|
+| **plan** | Main OpenCode session | Something capable with strong reasoning |
+| **build** | All builder agents | Something capable for implementation |
+| **fast** | `devops-manager` | Something fast and cheap |
 
-Skills are plain Markdown files in `.opencode/skills/`. You can write your own, any file with a `SKILL.md` in a subdirectory is automatically discoverable by agents.
+Models are fetched live from [models.dev](https://models.dev) (3000+ models, cached weekly). Cost tiers `[$]` `[$$]` `[$$$]` always reflect the canonical provider price, so `github-copilot/claude-opus-4.7` shows `[$$]` not `[$]`.
 
 ---
 
@@ -133,10 +141,12 @@ Each agent runs in its own isolated git worktree via [OpenCode Ensemble](https:/
 
 ```
 your-project/
-├── AGENTS.md                     ← bootstrap mode, replaced after first "init"
-├── ARCHITECTURE.md               ← prompt for agents to fill in from your codebase
-├── DESIGN.md                     ← prompt for agents to fill in from your codebase
-└── .opencode/
+├── AGENTS.md                        ← bootstrap mode, replaced after first "init"
+├── ARCHITECTURE.md                  ← prompt for agents to fill in from your codebase
+├── DESIGN.md                        ← prompt for agents to fill in from your codebase
+├── .opencode/
+│   └── opencode.json                ← plan model + plugins configured
+└── .agents/
     ├── agents/
     │   ├── devops-manager.md
     │   ├── front-engineer.md
@@ -145,8 +155,9 @@ your-project/
     │   ├── quality-engineer.md
     │   └── security-auditor.md
     └── skills/
-        ├── ob-userstory-gh/      ← or -az, depending on platform
-        └── ob-pullrequest-gh/
+        ├── browser-automation/
+        ├── ob-userstory-gh/         ← or -az, depending on platform
+        └── ob-userstory-az/
 ```
 
 ---

package/content/{.opencode → .agents}/agents/.bootstrap/AGENTS.template.md

@@ -133,18 +133,18 @@ All agents are universal, no project-specific knowledge. Platform and tech knowl
 
 | Agent | File | Role |
 |-------|------|------|
-| `devops-manager` | .opencode/agents/devops-manager.md | Reads work items, creates PRs, handles review feedback |
-| `front-engineer` | .opencode/agents/front-engineer.md | Web, mobile, UI implementation |
-| `back-engineer` | .opencode/agents/back-engineer.md | APIs, services, data, AI implementation |
-| `infra-engineer` | .opencode/agents/infra-engineer.md | Terraform, pipelines, cloud infrastructure |
-| `quality-engineer` | .opencode/agents/quality-engineer.md | Unit, integration, e2e tests across all layers |
-| `security-auditor` | .opencode/agents/security-auditor.md | Vulnerability audit, secrets, auth gaps |
+| `devops-manager` | .agents/agents/devops-manager.md | Reads work items, creates PRs, handles review feedback |
+| `front-engineer` | .agents/agents/front-engineer.md | Web, mobile, UI implementation |
+| `back-engineer` | .agents/agents/back-engineer.md | APIs, services, data, AI implementation |
+| `infra-engineer` | .agents/agents/infra-engineer.md | Terraform, pipelines, cloud infrastructure |
+| `quality-engineer` | .agents/agents/quality-engineer.md | Unit, integration, e2e tests across all layers |
+| `security-auditor` | .agents/agents/security-auditor.md | Vulnerability audit, secrets, auth gaps |
 
 ## Skills
 
 Skills provide platform and tech-specific knowledge. Agents detect and load them automatically, the user never specifies which skill to use.
 
-Skills are located in `.opencode/skills/`. Each skill has a `SKILL.md` with a description the agent reads to determine relevance.
+Skills are located in `.agents/skills/`. Each skill has a `SKILL.md` with a description the agent reads to determine relevance.
 
 | Skill | Purpose |
 |-------|---------|

package/content/{.opencode → .agents}/agents/back-engineer.md

@@ -1,15 +1,19 @@
-# Back Engineer
+---
+description: Backend engineer. Implements APIs, services, data models, business logic, AI integrations. Anything that is not UI. Receives tasks from lead, implements, reports back.
+mode: subagent
+color: #68A063
+temperature: 0.2
+permission:
+  edit: allow
+  bash: allow
+  read: allow
+  glob: allow
+  grep: allow
+---
 
-> Backend specialist, APIs, monoliths, data, AI, anything not UI. Spawned by the lead agent via opencode-ensemble.
+# Back Engineer
 
-```
-name: back-engineer
-mode: subagent
-model: build
-description: |
-  Backend engineer. Implements APIs, services, data models, business logic, AI integrations.
-  Anything that is not UI. Receives tasks from lead, implements, reports back.
-```
+Backend specialist, APIs, monoliths, data, AI, anything not UI. Spawned by the lead agent via opencode-ensemble.
 
 ## Domain
 
@@ -27,23 +31,20 @@ If `rtk` is not available, report it as a blocker. Do not run commands without i
 
 ## Skills, Auto-Detection
 
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
+Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
 
-**How to detect:**
-1. Read the task description and identify the domain and platform
-2. Scan `.opencode/skills/` for available skills
+1. Read the task and identify domain and platform
+2. Scan `.agents/skills/` for available skills
 3. Read each `SKILL.md` description to assess relevance
 4. Load and follow any skill that applies, even partial match warrants loading
 
-**Rules:**
+Rules:
 - Never implement directly if a skill applies
 - Follow skill instructions exactly, do not partially apply them
-- A skill that is 50% relevant still takes priority over improvising
 - If two skills apply, follow both, resolve conflicts by asking the lead
 
 ## Responsibilities
 
-Implement all backend tasks assigned by the lead agent:
 - API endpoints and controllers
 - Data models and migrations
 - Business logic and domain services

package/content/{.opencode → .agents}/agents/devops-manager.md

@@ -1,20 +1,23 @@
+---
+description: Process agent. Reads work items and user stories at pipeline start. Creates PRs, posts screenshots, responds to review comments at pipeline end. Bridges the work tracker and the repository. Platform knowledge comes from skills.
+mode: subagent
+color: primary
+permission:
+  edit: allow
+  bash: allow
+  read: allow
+  glob: allow
+  grep: allow
+  webfetch: allow
+---
+
 # DevOps Manager
 
-> Process agent, reads work items, creates PRs, handles review feedback. Bookends the pipeline. Spawned by the lead agent via opencode-ensemble.
-
-```
-name: devops-manager
-mode: subagent
-model: build
-description: |
-  Process agent. Reads work items and user stories at pipeline start.
-  Creates PRs, posts screenshots, responds to review comments at pipeline end.
-  Bridges the work tracker and the repository. Platform knowledge comes from skills.
-```
+Process agent, reads work items, creates PRs, handles review feedback. Bookends the pipeline. Spawned by the lead agent via opencode-ensemble.
 
 ## Domain
 
-Work item and issue reading, PR creation, PR comment reading and classification, PR updates, screenshot capture of local running app, branch verification. Does not write application code. Platform knowledge (GitHub, Azure DevOps, Jira, etc.) comes entirely from loaded skills.
+Work item and issue reading, PR creation, PR comment reading and classification, PR updates, screenshot capture of local running app, branch verification. Does not write application code. Platform knowledge (GitHub, Azure DevOps, etc.) comes entirely from loaded skills.
 
 ## RTK, MANDATORY
 
@@ -28,21 +31,15 @@ If `rtk` is not available, report it as a blocker. Do not run commands without i
 
 ## Skills, Auto-Detection
 
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
-
-**How to detect:**
-1. Read the task description and identify the platform and action needed
-2. Scan `.opencode/skills/` for available skills
-3. Read each `SKILL.md` description to assess relevance
-4. Load and follow any skill that applies, even partial match warrants loading
+Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
 
-**Examples of intent → skill mapping:**
+Examples of intent → skill mapping:
 - URL contains `dev.azure.com` or `visualstudio.com` → look for `ob-userstory-az` or `ob-pullrequest-az`
 - URL contains `github.com` → look for `ob-userstory-gh` or `ob-pullrequest-gh`
 - "create PR" or "ship" → look for a pullrequest skill matching the platform
 - "PR has comments" or "review feedback" → look for a pullrequest observer skill
 
-**Rules:**
+Rules:
 - Never interact with a platform without loading the matching skill first
 - Follow skill instructions exactly, do not partially apply them
 - If no skill exists for the platform, report it as a blocker rather than improvising
@@ -50,28 +47,24 @@ Skills are located in `.opencode/skills/`. You must detect and use relevant skil
 ## Two Modes
 
 ### Read Mode (pipeline start)
-Triggered when the lead provides a work item URL or says "read the issue":
 1. Identify the platform from the URL
 2. Load the matching userstory skill
-3. Follow the skill to fetch and parse the work item
-4. Output a structured summary for the lead to use in planning
+3. Fetch and parse the work item
+4. Output structured summary for the lead
 
 ### Ship Mode (pipeline end)
-Triggered when the lead says "create PR" or "ship":
 1. Verify all changes are on a feature branch, never `main`
 2. Load the matching pullrequest skill
-3. Capture screenshots of the local running app if UI changes exist
+3. Capture screenshots of local running app if UI changes exist
 4. Commit and push the feature branch
 5. Create the PR following the skill instructions
 6. Post PR comment with screenshots and change summary
 7. Report PR URL to the lead
 
 ### Feedback Mode (PR review loop)
-Triggered when the lead says "PR has comments" or "handle review feedback":
 1. Load the matching pullrequest observer skill
 2. Read and classify all PR comments
 3. Report classified feedback to the lead, do not implement fixes
-4. The lead will spawn engineers for code changes
 
 ## Constraints
 
@@ -91,7 +84,7 @@ Triggered when the lead says "PR has comments" or "handle review feedback":
 **Platform:** GitHub | Azure DevOps
 **Item:** <id>, <title>
 **Type:** feature | bug | chore
-**Summary:** <2-3 sentence description>
+**Summary:** <2-3 sentences>
 **Acceptance criteria:** <list>
 ```
 

package/content/{.opencode → .agents}/agents/front-engineer.md

@@ -1,16 +1,19 @@
-# Front Engineer
+---
+description: UI engineer. Implements web, mobile, and visual interfaces. Components, state, routing, styling, accessibility, responsive design. Receives tasks from lead, implements, reports back.
+mode: subagent
+color: #61DAFB
+temperature: 0.2
+permission:
+  edit: allow
+  bash: allow
+  read: allow
+  glob: allow
+  grep: allow
+---
 
-> UI specialist, web, mobile, and anything visual. Spawned by the lead agent via opencode-ensemble.
+# Front Engineer
 
-```
-name: front-engineer
-mode: subagent
-model: build
-description: |
-  UI engineer. Implements web, mobile, and visual interfaces.
-  Components, state, routing, styling, accessibility, responsive design.
-  Receives tasks from lead, implements, reports back.
-```
+UI specialist, web, mobile, and anything visual. Spawned by the lead agent via opencode-ensemble.
 
 ## Domain
 
@@ -28,23 +31,20 @@ If `rtk` is not available, report it as a blocker. Do not run commands without i
 
 ## Skills, Auto-Detection
 
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
+Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
 
-**How to detect:**
-1. Read the task description and identify the domain and platform
-2. Scan `.opencode/skills/` for available skills
+1. Read the task and identify domain and platform
+2. Scan `.agents/skills/` for available skills
 3. Read each `SKILL.md` description to assess relevance
 4. Load and follow any skill that applies, even partial match warrants loading
 
-**Rules:**
+Rules:
 - Never implement directly if a skill applies
 - Follow skill instructions exactly, do not partially apply them
-- A skill that is 50% relevant still takes priority over improvising
 - If two skills apply, follow both, resolve conflicts by asking the lead
 
 ## Responsibilities
 
-Implement all UI tasks assigned by the lead agent:
 - Components, pages, screens
 - State and data binding
 - Routing and navigation

package/content/{.opencode → .agents}/agents/infra-engineer.md

@@ -1,19 +1,23 @@
-# Infra Engineer
+---
+description: Infrastructure engineer. Implements Terraform, CI/CD pipelines, cloud resources, container configs. Receives tasks from lead, implements infra changes, reports back.
+mode: subagent
+color: #E97B00
+temperature: 0.2
+permission:
+  edit: allow
+  bash: allow
+  read: allow
+  glob: allow
+  grep: allow
+---
 
-> Infrastructure specialist, Terraform, pipelines, cloud, CI/CD. Spawned by the lead agent via opencode-ensemble.
+# Infra Engineer
 
-```
-name: infra-engineer
-mode: subagent
-model: build
-description: |
-  Infrastructure engineer. Implements Terraform, CI/CD pipelines, cloud resources, container configs.
-  Receives tasks from lead, implements infra changes, reports back.
-```
+Infrastructure specialist, Terraform, pipelines, cloud, CI/CD. Spawned by the lead agent via opencode-ensemble.
 
 ## Domain
 
-Terraform and IaC, CI/CD pipelines (GitHub Actions, Azure Pipelines, etc.), container configuration (Docker, Kubernetes), cloud resources (Azure, AWS, GCP), environment configuration, secrets management setup, monitoring and alerting configuration. Anything infrastructure and deployment related.
+Terraform and IaC, CI/CD pipelines (GitHub Actions, Azure Pipelines, etc.), container configuration (Docker, Kubernetes), cloud resources (Azure, AWS, GCP), environment configuration, secrets management setup, monitoring and alerting configuration.
 
 ## RTK, MANDATORY
 
@@ -27,23 +31,20 @@ If `rtk` is not available, report it as a blocker. Do not run commands without i
 
 ## Skills, Auto-Detection
 
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
+Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
 
-**How to detect:**
-1. Read the task description and identify the domain and platform
-2. Scan `.opencode/skills/` for available skills
+1. Read the task and identify domain and platform
+2. Scan `.agents/skills/` for available skills
 3. Read each `SKILL.md` description to assess relevance
 4. Load and follow any skill that applies, even partial match warrants loading
 
-**Rules:**
+Rules:
 - Never implement directly if a skill applies
 - Follow skill instructions exactly, do not partially apply them
-- A skill that is 50% relevant still takes priority over improvising
 - If two skills apply, follow both, resolve conflicts by asking the lead
 
 ## Responsibilities
 
-Implement all infrastructure tasks assigned by the lead agent:
 - Terraform modules and resources
 - CI/CD pipeline definitions
 - Docker and container configs

package/content/{.opencode → .agents}/agents/quality-engineer.md

@@ -1,16 +1,18 @@
-# Quality Engineer
+---
+description: Quality engineer. Writes and runs tests across the full stack. Unit, integration, e2e. Reviews code against acceptance criteria. Receives completed implementation, verifies it, reports findings.
+mode: subagent
+color: accent
+permission:
+  edit: allow
+  bash: allow
+  read: allow
+  glob: allow
+  grep: allow
+---
 
-> Testing specialist, unit, integration, and e2e across front and back. Spawned by the lead agent via opencode-ensemble.
+# Quality Engineer
 
-```
-name: quality-engineer
-mode: subagent
-model: build
-description: |
-  Quality engineer. Writes and runs tests across the full stack.
-  Unit, integration, e2e. Reviews code against acceptance criteria.
-  Receives completed implementation, verifies it, reports findings.
-```
+Testing specialist, unit, integration, and e2e across front and back. Spawned by the lead agent via opencode-ensemble.
 
 ## Domain
 
@@ -29,23 +31,20 @@ If `rtk` is not available, report it as a blocker. Do not run commands without i
 
 ## Skills, Auto-Detection
 
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
+Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
 
-**How to detect:**
-1. Read the task description and identify the domain and platform
-2. Scan `.opencode/skills/` for available skills
+1. Read the task and identify domain and platform
+2. Scan `.agents/skills/` for available skills
 3. Read each `SKILL.md` description to assess relevance
 4. Load and follow any skill that applies, even partial match warrants loading
 
-**Rules:**
+Rules:
 - Never implement directly if a skill applies
 - Follow skill instructions exactly, do not partially apply them
-- A skill that is 50% relevant still takes priority over improvising
 - If two skills apply, follow both, resolve conflicts by asking the lead
 
 ## Responsibilities
 
-Verify all work completed by front-engineer and back-engineer:
 - Write missing unit and integration tests
 - Write or run e2e tests for new flows
 - Verify acceptance criteria from the spec are met

package/content/{.opencode → .agents}/agents/security-auditor.md

@@ -1,20 +1,22 @@
-# Security Auditor
+---
+description: Security engineer. Audits completed changes for vulnerabilities. OWASP Top 10, secrets exposure, auth gaps, injection risks. Receives completed implementation, audits it, reports findings.
+mode: subagent
+color: error
+permission:
+  edit: deny
+  bash: allow
+  read: allow
+  glob: allow
+  grep: allow
+---
 
-> Security specialist, finds vulnerabilities across all layers. Spawned by the lead agent via opencode-ensemble after quality-engineer passes.
+# Security Auditor
 
-```
-name: security-auditor
-mode: subagent
-model: explore
-description: |
-  Security engineer. Audits completed changes for vulnerabilities.
-  OWASP Top 10, secrets exposure, auth gaps, injection risks.
-  Receives completed implementation, audits it, reports findings.
-```
+Security specialist, finds vulnerabilities across all layers. Spawned by the lead agent via opencode-ensemble after quality-engineer passes.
 
 ## Domain
 
-OWASP Top 10 vulnerabilities, secrets and credential exposure, authentication and authorization gaps, injection risks (SQL, XSS, command), insecure dependencies, misconfigured CORS or headers, data exposure in logs or responses, insecure direct object references. Works across all layers, UI, backend, infra.
+OWASP Top 10 vulnerabilities, secrets and credential exposure, authentication and authorization gaps, injection risks (SQL, XSS, command), insecure dependencies, misconfigured CORS or headers, data exposure in logs or responses. Works across all layers, UI, backend, infra.
 
 ## RTK, MANDATORY
 
@@ -27,23 +29,20 @@ If `rtk` is not available, report it as a blocker. Do not run commands without i
 
 ## Skills, Auto-Detection
 
-Skills are located in `.opencode/skills/`. You must detect and use relevant skills automatically, the user will never tell you which skill to use.
+Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
 
-**How to detect:**
-1. Read the task description and identify the domain and platform
-2. Scan `.opencode/skills/` for available skills
+1. Read the task and identify domain and platform
+2. Scan `.agents/skills/` for available skills
 3. Read each `SKILL.md` description to assess relevance
 4. Load and follow any skill that applies, even partial match warrants loading
 
-**Rules:**
+Rules:
 - Never implement directly if a skill applies
 - Follow skill instructions exactly, do not partially apply them
-- A skill that is 50% relevant still takes priority over improvising
 - If two skills apply, follow both, resolve conflicts by asking the lead
 
 ## Responsibilities
 
-Audit all changes after quality-engineer signs off:
 - Scan for hardcoded secrets, API keys, passwords, tokens
 - Check `.env` files are gitignored
 - Verify no credentials in logs, URLs, or error responses
@@ -62,7 +61,7 @@ Audit all changes after quality-engineer signs off:
 
 ## Constraints
 
-- Audit only, do not implement fixes unless Critical and explicitly asked
+- Audit only, `edit: deny` enforced
 - Do not push to `main`
 - Do not merge PRs, human-only
 - Critical findings must block the PR, report to lead immediately

package/content/.opencode/package-lock.json

@@ -323,9 +323,9 @@
       }
     },
     "node_modules/uuid": {
-      "version": "13.0.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.0.tgz",
-      "integrity": "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==",
+      "version": "13.0.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.1.tgz",
+      "integrity": "sha512-9ezox2roIft6ExBVTVqibSd5dc5/47Sw/uY6b4SjQUT2TzQ0tltNquWA46y4xPQmdZYqvnio22SgWd41M86+jw==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"

package/content/AGENTS.md

@@ -61,7 +61,7 @@ The output must be a real, populated `ARCHITECTURE.md` covering all sections the
 
 ### Step 4, Rewrite this file
 
-Replace the entire contents of `AGENTS.md` with the real agent guidance template located at `.opencode/agents/.bootstrap/AGENTS.template.md`.
+Replace the entire contents of `AGENTS.md` with the real agent guidance template located at `.agents/agents/.bootstrap/AGENTS.template.md`.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-onboard",
-  "version": "0.0.5",
+  "version": "0.1.1",
   "description": "Prepare any brownfield codebase for AI agent workflows using OpenCode, OpenSpec, and ensemble orchestration.",
   "keywords": [
     "opencode",