opencode-onboard 0.1.5 → 0.1.10

package/content/.agents/agents/back-engineer.md

@@ -72,10 +72,3 @@ Rules:
 **Files changed:** <list>
 **Blockers:** none | <description>
 ```
-
-## Session Log
-
-Append to `.agents/session-log.md` (create with header if missing, skip if `session-logging: disabled` in AGENTS.md):
-- On start: `| {ISO timestamp} | back-engineer | started | {task summary} |`
-- On skill load: `| {ISO timestamp} | back-engineer | skill-loaded | {skill-name} |`
-- On done: `| {ISO timestamp} | back-engineer | completed | {files changed count} files |`

package/content/.agents/agents/devops-manager.md

@@ -56,7 +56,7 @@ Rules:
 1. Verify all changes are on a feature branch, never `main`
 2. Load the matching pullrequest skill
 3. Capture screenshots of local running app if UI changes exist
-4. Read `.agents/session-log.md` if it exists — include a "Session Activity" section in the PR description with agent names, task counts, and total duration
+4. Read `.agents/session-log.json` if it exists, parse the JSON array and include a "Session Activity" section in the PR description with agent names, task counts, and skills used
 5. Commit and push the feature branch
 6. Create the PR following the skill instructions
 7. Post PR comment with screenshots and change summary
@@ -74,6 +74,7 @@ Rules:
 - Does not merge PRs, human-only
 - Does not approve PRs, human-only
 - Does not force push
+- ALL GitHub and Azure DevOps data MUST come from `gh` or `az` CLI, NEVER use webfetch or HTTP requests to fetch platform URLs, even as a fallback. If CLI is unavailable, report as a blocker.
 - Browser MCP tools permitted only for screenshots of local app on `localhost` URLs, never for navigating GitHub or Azure DevOps
 
 ## Output Format
@@ -107,10 +108,3 @@ Rules:
 **Questions for human:** <count>, <list>
 **Acknowledged only:** <count>
 ```
-
-## Session Log
-
-Append to `.agents/session-log.md` (create with header if missing, skip if `session-logging: disabled` in AGENTS.md):
-- On start: `| {ISO timestamp} | devops-manager | started | {mode} mode |`
-- On skill load: `| {ISO timestamp} | devops-manager | skill-loaded | {skill-name} |`
-- On done: `| {ISO timestamp} | devops-manager | completed | {summary} |`

package/content/.agents/agents/front-engineer.md

@@ -71,10 +71,3 @@ Rules:
 **Files changed:** <list>
 **Blockers:** none | <description>
 ```
-
-## Session Log
-
-Append to `.agents/session-log.md` (create with header if missing, skip if `session-logging: disabled` in AGENTS.md):
-- On start: `| {ISO timestamp} | front-engineer | started | {task summary} |`
-- On skill load: `| {ISO timestamp} | front-engineer | skill-loaded | {skill-name} |`
-- On done: `| {ISO timestamp} | front-engineer | completed | {files changed count} files |`

package/content/.agents/agents/infra-engineer.md

@@ -72,10 +72,3 @@ Rules:
 **Resources affected:** <list>
 **Blockers:** none | <description>
 ```
-
-## Session Log
-
-Append to `.agents/session-log.md` (create with header if missing, skip if `session-logging: disabled` in AGENTS.md):
-- On start: `| {ISO timestamp} | infra-engineer | started | {task summary} |`
-- On skill load: `| {ISO timestamp} | infra-engineer | skill-loaded | {skill-name} |`
-- On done: `| {ISO timestamp} | infra-engineer | completed | {files changed count} files |`

package/content/.agents/agents/quality-engineer.md

@@ -72,10 +72,3 @@ Rules:
 **Acceptance criteria:** met | <unmet items>
 **Blockers:** none | <description>
 ```
-
-## Session Log
-
-Append to `.agents/session-log.md` (create with header if missing, skip if `session-logging: disabled` in AGENTS.md):
-- On start: `| {ISO timestamp} | quality-engineer | started | {task summary} |`
-- On skill load: `| {ISO timestamp} | quality-engineer | skill-loaded | {skill-name} |`
-- On done: `| {ISO timestamp} | quality-engineer | completed | {tests added count} tests |`

package/content/.agents/agents/security-auditor.md

@@ -82,10 +82,3 @@ Rules:
 
 **Blockers:** none | <critical findings that must be resolved before PR>
 ```
-
-## Session Log
-
-Append to `.agents/session-log.md` (create with header if missing, skip if `session-logging: disabled` in AGENTS.md):
-- On start: `| {ISO timestamp} | security-auditor | started | {task summary} |`
-- On skill load: `| {ISO timestamp} | security-auditor | skill-loaded | {skill-name} |`
-- On done: `| {ISO timestamp} | security-auditor | completed | {findings count} findings |`

package/content/.agents/skills/browser-automation/SKILL.md

@@ -74,6 +74,6 @@ Browser MCP tools are permitted ONLY for interactions with the LOCAL running app
 
 - ✅ Screenshots of locally running app on `localhost` URLs
 - ✅ Click, type, scroll, query on `localhost` pages
-- ❌ Navigate to external services (github.com, dev.azure.com, npmjs.com, etc.) — FORBIDDEN
-- ❌ Use browser tools for any DevOps or GitHub operations — FORBIDDEN
-- ❌ Use browser tools to read or modify production systems — FORBIDDEN
+- ❌ Navigate to external services (github.com, dev.azure.com, npmjs.com, etc.), FORBIDDEN
+- ❌ Use browser tools for any DevOps or GitHub operations, FORBIDDEN
+- ❌ Use browser tools to read or modify production systems, FORBIDDEN

package/content/.agents/skills/ob-pullrequest-az/SKILL.md

@@ -64,7 +64,7 @@ rtk az repos pr create \
   --description "{description}"
 ```
 
-### Step 5: Link work item (MANDATORY, run sequentially — not in parallel)
+### Step 5: Link work item (MANDATORY, run sequentially, not in parallel)
 
 ```bash
 rtk az repos pr work-item add --id {pr-id} --work-items {workitem-id}
@@ -151,7 +151,7 @@ rtk az devops invoke \
 {
   "comments": [{
     "parentCommentId": 1,
-    "content": "Acknowledged — applying this change now.",
+    "content": "Acknowledged, applying this change now.",
     "commentType": 1
   }]
 }
@@ -164,7 +164,7 @@ rtk az devops invoke \
 - ✅ Commit and push to feature branches only
 - ✅ Create and comment on PRs via az CLI
 - ✅ Screenshots of localhost only via browser_screenshot
-- ❌ Commit or push to `main` — FORBIDDEN
-- ❌ Force push — FORBIDDEN
-- ❌ Merge or approve PRs — human-only
-- ❌ Navigate browser to dev.azure.com — FORBIDDEN
+- ❌ Commit or push to `main`, FORBIDDEN
+- ❌ Force push, FORBIDDEN
+- ❌ Merge or approve PRs, human-only
+- ❌ Navigate browser to dev.azure.com, FORBIDDEN

package/content/.agents/skills/ob-pullrequest-gh/SKILL.md

@@ -18,8 +18,8 @@ Use `rtk` wrapper for ALL CLI commands:
 - `rtk gh pr comment` NOT `gh pr comment`
 - `rtk gh api` NOT `gh api`
 
-**Browser MCP tools are FORBIDDEN for all GitHub operations.**
-Browser tools are ONLY permitted for screenshots of the LOCAL running app on `localhost` URLs.
+**ALL GitHub data MUST come from `gh` CLI. NEVER use webfetch, HTTP requests, or browser MCP tools for GitHub operations, even if gh CLI fails. If `gh` is unavailable, report as a blocker.**
+Always pass `--repo {owner}/{repo}` explicitly, never rely on git context to resolve the repo.
 
 ---
 
@@ -85,13 +85,13 @@ Triggered when user says "I've added comments to the PR" or "check PR feedback".
 
 If PR link provided, extract number from URL. Otherwise:
 ```bash
-rtk gh pr list --state open --limit 1
+rtk gh pr list --repo {owner}/{repo} --state open --limit 1
 ```
 
 ### Step 2: Read comment threads
 
 ```bash
-rtk gh pr view {pr-number} --comments
+rtk gh pr view {pr-number} --repo {owner}/{repo} --comments
 # Or structured output:
 rtk gh api repos/{owner}/{repo}/pulls/{pr-number}/comments
 rtk gh api repos/{owner}/{repo}/pulls/{pr-number}/reviews
@@ -121,7 +121,7 @@ Update: `openspec/changes/{change}/proposal.md`, `design.md`, or `tasks.md` as a
 # Reply to a review comment
 rtk gh api repos/{owner}/{repo}/pulls/{pr-number}/comments/{comment-id}/replies \
   --method POST \
-  --field body="Acknowledged — applying this change now."
+  --field body="Acknowledged, applying this change now."
 
 # Or post a general PR comment
 rtk gh pr comment {pr-number} --body "Updated design.md to reflect feedback."
@@ -132,9 +132,10 @@ rtk gh pr comment {pr-number} --body "Updated design.md to reflect feedback."
 ## Guardrails
 
 - ✅ Commit and push to feature branches only
-- ✅ Create and comment on PRs via gh CLI
+- ✅ Create and comment on PRs via gh CLI with explicit `--repo {owner}/{repo}`
 - ✅ Screenshots of localhost only via browser_screenshot
-- ❌ Commit or push to `main` — FORBIDDEN
-- ❌ Force push — FORBIDDEN
-- ❌ Merge or approve PRs — human-only
-- ❌ Navigate browser to github.com — FORBIDDEN
+- ❌ Commit or push to `main`, FORBIDDEN
+- ❌ Force push, FORBIDDEN
+- ❌ Merge or approve PRs, human-only
+- ❌ Navigate browser to github.com, FORBIDDEN
+- ❌ webfetch or HTTP requests to GitHub URLs, FORBIDDEN

package/content/.agents/skills/ob-userstory-az/SKILL.md

@@ -156,17 +156,17 @@ https://dev.azure.com/{org}/{project}/_git/{repo}/pullrequest/{pr-id}
 **State:** {state}
 
 **Change Created:** us-{id}-{slug}
-
-### Next Steps
-1. Review the proposal
-2. Say "implement the plan" to start implementation
 ```
 
+After outputting the above, the lead MUST run `/opsx-propose` to generate the proposal, specs, and tasks. After `/opsx-propose` completes, STOP and ask the user: **"Ready to implement? (yes/no)"**, do NOT proceed to `/opsx-apply` until confirmed.
+
 ---
 
 ## Guardrails
 
 - ✅ Parse Azure DevOps URL and create OpenSpec change
 - ✅ Use `rtk` for all Azure CLI operations
-- ❌ Browser MCP tools for Azure DevOps operations — FORBIDDEN
-- ❌ Implementation — this skill only parses and proposes
+- ✅ Always run `/opsx-propose` after parsing, never skip to implementation
+- ✅ Always stop and confirm with user after propose, before running `/opsx-apply`
+- ❌ Browser MCP tools for Azure DevOps operations, FORBIDDEN
+- ❌ Jump to implementation without user confirmation, FORBIDDEN

package/content/.agents/skills/ob-userstory-gh/SKILL.md

@@ -16,7 +16,7 @@ Use `rtk` wrapper for ALL CLI commands:
 - `rtk gh issue edit` NOT `gh issue edit`
 - `rtk openspec new change` NOT `openspec new change`
 
-**Browser MCP tools are FORBIDDEN for all GitHub operations.**
+**ALL GitHub data MUST come from `gh` CLI. NEVER use webfetch, HTTP requests, or browser MCP tools to fetch GitHub URLs, even if gh CLI fails. If `gh` is unavailable, report it as a blocker.**
 
 ---
 
@@ -36,13 +36,14 @@ gh auth status
 
 ## Steps
 
-1. **Extract Issue Number** from URL
-   - `https://github.com/{owner}/{repo}/issues/42` → number: 42
+1. **Extract owner, repo, and issue number** from URL
+   - `https://github.com/{owner}/{repo}/issues/42` → owner: `{owner}`, repo: `{repo}`, number: `42`
 
-2. **Fetch Issue**
+2. **Fetch Issue**, always pass `--repo` explicitly, never rely on git context:
    ```bash
-   rtk gh issue view 42 --json number,title,body,labels,milestone,state
+   rtk gh issue view 42 --repo {owner}/{repo} --json number,title,body,labels,milestone,state
    ```
+   If this returns an auth error or 404, report as a blocker, do NOT fall back to webfetch or web search.
 
 3. **Extract Key Fields** from JSON response:
    - `number` → Issue number
@@ -61,18 +62,18 @@ gh auth status
 
 ## Full GitHub CLI Reference
 
-Use these for ALL GitHub operations, browser MCP is FORBIDDEN.
+Use these for ALL GitHub operations, browser MCP and webfetch are FORBIDDEN. Always pass `--repo {owner}/{repo}`, never rely on git context.
 
 ### Issues
 ```bash
 # Read issue
-rtk gh issue view <number>
+rtk gh issue view <number> --repo {owner}/{repo}
 
 # List open issues
-rtk gh issue list --state open --limit 10
+rtk gh issue list --repo {owner}/{repo} --state open --limit 10
 
 # Update issue
-rtk gh issue edit <number> --add-label "in-progress"
+rtk gh issue edit <number> --repo {owner}/{repo} --add-label "in-progress"
 ```
 
 ---
@@ -119,17 +120,18 @@ https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{path}
 **Milestone:** {milestone}
 
 **Change Created:** gh-{number}-{slug}
-
-### Next Steps
-1. Review the proposal
-2. Say "implement the plan" to start implementation
 ```
 
+After outputting the above, the lead MUST run `/opsx-propose` to generate the proposal, specs, and tasks. After `/opsx-propose` completes, STOP and ask the user: **"Ready to implement? (yes/no)"**, do NOT proceed to `/opsx-apply` until confirmed.
+
 ---
 
 ## Guardrails
 
 - ✅ Parse GitHub Issue URL and create OpenSpec change
 - ✅ Use `rtk gh` for all GitHub CLI operations
-- ❌ Browser MCP tools for GitHub operations — FORBIDDEN
-- ❌ Implementation — this skill only parses and proposes
+- ✅ Always run `/opsx-propose` after parsing, never skip to implementation
+- ✅ Always stop and confirm with user after propose, before running `/opsx-apply`
+- ❌ `webfetch` or HTTP requests to GitHub URLs, FORBIDDEN, use `gh` CLI only
+- ❌ Browser MCP tools for GitHub operations, FORBIDDEN
+- ❌ Jump to implementation without user confirmation, FORBIDDEN

package/content/.opencode/ensemble.json

@@ -3,10 +3,6 @@
   "mergeOnCleanup": true,
   "timeoutMs": 1800000,
   "stallThresholdMs": 300000,
-  "defaultModel": "anthropic/claude-sonnet-4-6",
-  "modelsByAgent": {
-    "build": "anthropic/claude-sonnet-4-6",
-    "explore": "anthropic/claude-haiku-4.5"
-  },
+  "modelsByAgent": {},
   "modelAssignment": "default"
 }

package/content/.opencode/opencode.json

@@ -3,6 +3,6 @@
   "plugin": [
     "opencode-plugin-openspec",
     "@different-ai/opencode-browser",
-    "@hueyexe/opencode-ensemble@0.13.1"
+    "@hueyexe/opencode-ensemble@0.13.2"
   ]
-}
+}

package/content/.opencode/plugins/session-log.js

@@ -0,0 +1,91 @@
+import fs from "node:fs"
+import path from "node:path"
+
+const LOG_FILE = ".agents/session-log.json"
+
+// Per-session state: editCount and skills loaded
+const sessionState = new Map()
+
+function ts() {
+  return new Date().toISOString()
+}
+
+function appendEntry(directory, entry) {
+  const logPath = path.join(directory, LOG_FILE)
+  const dir = path.dirname(logPath)
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })
+
+  let entries = []
+  if (fs.existsSync(logPath)) {
+    try { entries = JSON.parse(fs.readFileSync(logPath, "utf8")) } catch (_) {}
+  }
+  entries.push(entry)
+  fs.writeFileSync(logPath, JSON.stringify(entries, null, 2), "utf8")
+}
+
+function resolveAgentName(session) {
+  const agentPath = session?.agent
+  if (agentPath) {
+    const base = path.basename(agentPath, ".md")
+    if (base) return base
+  }
+  return "lead"
+}
+
+export const SessionLogPlugin = async ({ client, directory }) => {
+  return {
+    event: async ({ event }) => {
+      try {
+        if (event?.type === "session.created") {
+          const sessionId = event.properties?.id ?? event.properties?.sessionID
+          if (!sessionId) return
+
+          const res = await client.session.get({ path: { id: sessionId } })
+          const session = res?.data
+          const agentName = resolveAgentName(session)
+
+          sessionState.set(sessionId, { agentName, editCount: 0, skills: [] })
+          appendEntry(directory, { ts: ts(), agent: agentName, action: "started", sessionId })
+        }
+
+        if (event?.type === "file.edited") {
+          const sessionId = event.properties?.sessionID ?? event.properties?.id
+          if (!sessionId) return
+          const state = sessionState.get(sessionId)
+          if (state) state.editCount++
+        }
+
+        if (event?.type === "session.idle") {
+          const sessionId = event.properties?.id ?? event.properties?.sessionID
+          if (!sessionId) return
+          const state = sessionState.get(sessionId)
+          if (!state) return
+
+          const { agentName, editCount, skills } = state
+          appendEntry(directory, { ts: ts(), agent: agentName, action: "completed", filesEdited: editCount, skills })
+          sessionState.delete(sessionId)
+        }
+      } catch (_) {}
+    },
+
+    "tool.execute.after": async (input, output) => {
+      try {
+        const sessionId = input?.sessionID ?? input?.session_id
+        if (!sessionId) return
+
+        const state = sessionState.get(sessionId)
+        if (!state) return
+
+        if (input?.tool === "read") {
+          const filePath = input?.args?.filePath ?? ""
+          const match = filePath.match(/[/\\]skills[/\\]([^/\\]+)[/\\]SKILL\.md$/i)
+          if (match) {
+            const skillName = match[1]
+            if (!state.skills.includes(skillName)) state.skills.push(skillName)
+            appendEntry(directory, { ts: ts(), agent: state.agentName, action: "skill-loaded", skill: skillName })
+          }
+        }
+      } catch (_) {}
+    },
+  }
+}

package/content/AGENTS.md

@@ -35,99 +35,35 @@ openspec archive "project-history"
 
 ### Step 2, Generate DESIGN.md
 
-Read the current contents of `DESIGN.md`. It contains a prompt/command. Do the following:
+`DESIGN.md` contains a prompt. You MUST follow this exact sequence, do not skip or reorder steps:
 
-1. Copy the prompt text from `DESIGN.md` into memory
-2. Wipe `DESIGN.md` completely (write empty file)
-3. Execute the copied prompt against this codebase, analyze the design system, visual tokens, typography, colors, spacing, and UI patterns
-4. Write the result back into `DESIGN.md` following the format described in the prompt
+1. **Read `DESIGN.md` now** using a file read tool. The file contains a prompt with instructions and an output format.
+2. **Store the full prompt text** in your context.
+3. **Overwrite `DESIGN.md` with an empty string** (zero bytes). Do this before generating any content.
+4. **Analyze the actual codebase**: read CSS files, Tailwind config, component files, token definitions. Do not rely on prior knowledge, read the files.
+5. **Write the result into `DESIGN.md`** following exactly the format and sections described in the stored prompt.
 
-The output must be a real, populated `DESIGN.md`, not the prompt itself.
+The output must be a real, populated `DESIGN.md` based on what you found in the codebase, not from memory or assumptions.
 
 ---
 
 ### Step 3, Generate ARCHITECTURE.md
 
-Read the current contents of `ARCHITECTURE.md`. It contains a prompt/command. Do the following:
+`ARCHITECTURE.md` contains a prompt. You MUST follow this exact sequence, do not skip or reorder steps:
 
-1. Copy the prompt text from `ARCHITECTURE.md` into memory
-2. Wipe `ARCHITECTURE.md` completely (write empty file)
-3. Execute the copied prompt against this codebase, analyze the full architecture, structure, components, data flows, integrations, and tech stack
-4. Write the result back into `ARCHITECTURE.md` following the structure described in the prompt
+1. **Read `ARCHITECTURE.md` now** using a file read tool. The file contains a prompt with instructions and an output format.
+2. **Store the full prompt text** in your context.
+3. **Overwrite `ARCHITECTURE.md` with an empty string** (zero bytes). Do this before generating any content.
+4. **Analyze the actual codebase**: read folder structure, config files, route definitions, data models, integration points. Do not rely on prior knowledge, read the files.
+5. **Write the result into `ARCHITECTURE.md`** following exactly the format and sections described in the stored prompt.
 
-The output must be a real, populated `ARCHITECTURE.md` covering all sections the prompt describes, not the prompt itself.
+The output must be a real, populated `ARCHITECTURE.md` based on what you found in the codebase, covering all sections the prompt describes.
 
 ---
 
 ### Step 4, Rewrite this file
 
-Replace the entire contents of this file (`AGENTS.md`) with everything below the line `<!-- AGENTS-TEMPLATE-START -->` in this same file. Delete the bootstrap section and the template marker — the file should contain only the template content when done.
-
----
-
-### Step 4b, Patch opsx-apply for ensemble
-
-Read `.opencode/commands/opsx-apply.md`. Find the step that instructs the agent to **implement tasks directly** — it will contain phrases like "make the code changes", "implement tasks", "loop until done or blocked". This step tells the agent to write code itself.
-
-**Replace that step and everything after it** (completion output, pause output, guardrails, fluid workflow) with the following:
-
-```markdown
-6. **Implement via ensemble team**
-
-   NEVER implement tasks directly. Always delegate to specialists via ensemble.
-
-   a. Create feature branch if not already on one: `feature/{id}-{slug}`
-   b. Create team:
-      ```
-      team_create "<change-name>"
-      ```
-      Announce: "Team running. Monitor at http://localhost:4747/"
-
-   c. Spawn only what the tasks require (in parallel):
-      ```
-      team_spawn name:front   agent:front-engineer  → UI/frontend tasks
-      team_spawn name:back    agent:back-engineer   → backend/API tasks
-      team_spawn name:infra   agent:infra-engineer  → infra/pipeline tasks
-      ```
-      Pass each specialist: their relevant tasks + all context file paths from step above.
-      Log each spawn to `.agents/session-log.md` (see Session Log section).
-
-   d. Wait for all → `team_results` → `team_shutdown` + `team_merge`
-
-7. **Quality check**
-
-   ```
-   team_spawn name:quality agent:quality-engineer
-   ```
-   Wait → `team_results` → fix blockers → `team_shutdown`
-
-8. **Mark tasks complete in openspec**
-
-   After specialists finish, update the tasks file: `- [ ]` → `- [x]` for each completed task.
-   Run `openspec status --change "<name>" --json` to confirm progress.
-
-9. **On completion or pause, show status**
-
-   Display:
-   - Tasks completed this session
-   - Overall progress: "N/M tasks complete"
-   - If all done: suggest archive with `/opsx-archive`
-   - If paused: explain why and wait for guidance
-
-   Then run `team_cleanup`.
-
-**Guardrails**
-- NEVER implement tasks directly — always use `team_create` + `team_spawn`
-- Always read context files before spawning (from the apply instructions output)
-- Always pass context file paths and task list to spawned specialists
-- Mark tasks complete in openspec AFTER specialists finish, not before
-- If task is ambiguous, pause and ask before spawning
-- If implementation reveals issues, pause and suggest artifact updates
-- Pause on errors, blockers, or unclear requirements — don't guess
-- Use contextFiles from CLI output, don't assume specific file names
-```
-
-Keep all steps before the implementation step unchanged — they are openspec's domain (select change, check status, get instructions, read context, show progress).
+Replace the entire contents of this file (`AGENTS.md`) with everything below the line `<!-- AGENTS-TEMPLATE-START -->` in this same file. Delete the bootstrap section and the template marker, the file should contain only the template content when done.
 
 ---
 
@@ -153,6 +89,7 @@ You're ready to work.
 - Do NOT implement any features
 - Do NOT create branches or PRs
 - Do NOT modify any project source files
+- Do NOT create RTK files, scripts, or wrappers, RTK is already defined in AGENTS.md and agent files
 - Only read source files for analysis, write only to ARCHITECTURE.md, DESIGN.md, AGENTS.md, and openspec/
 
 <!-- AGENTS-TEMPLATE-START -->
@@ -179,7 +116,7 @@ Trigger patterns:
 - `implement the plan` → run `/opsx-apply` (ensemble orchestration is built into the command) → ship
 - `I've added comments to the PR` → spawn `devops-manager` in feedback mode → fix → update PR
 
-**Never delegate without a plan. Never write implementation code directly, always spawn specialists.**
+**Never delegate without a plan. Never write implementation code directly, always spawn specialists, no exceptions. "Small feature", "faster to do it directly", or "environment issues" are not valid reasons to skip ensemble.**
 
 ## Multi-Agent Execution, opencode-ensemble
 
@@ -233,15 +170,13 @@ devops-manager (ship mode)
 2. Load skill: openspec-propose → generate proposal.md, specs/, tasks.md
    - team_create → spawn design + specs in parallel → merge → write tasks.md
 3. Show the plan: change name, schema, total tasks, task list summary
-4. STOP. Ask user: "Ready to implement? (yes/no)" — DO NOT proceed until confirmed.
+4. STOP. Ask user: "Ready to implement? (yes/no)", DO NOT proceed until confirmed.
 ```
 
 ### Phase 2, Implement
 
 ```
-1. Run /opsx-apply (or load skill openspec-apply-change)
-   The command handles context reading, ensemble orchestration, and task marking automatically.
-   DO NOT implement tasks directly — the command spawns specialists via ensemble.
+1. Run /opsx-apply, handles context reading, ensemble orchestration, and task marking.
 2. After /opsx-apply completes, proceed to quality check.
 ```
 
@@ -309,7 +244,7 @@ Skills are located in `.agents/skills/`. Each skill has a `SKILL.md` with a desc
 | `openspec-propose` | Propose change artifacts (proposal, specs, tasks) |
 | `openspec-apply-change` | Implement change with agent team |
 | `openspec-archive-change` | Archive completed change |
-| `browser-automation` | Browser automation for localhost UI — screenshots, clicks, queries |
+| `browser-automation` | Browser automation for localhost UI, screenshots, clicks, queries |
 
 ---
 
@@ -339,37 +274,6 @@ Example: `feature/42-add-user-auth`
 
 ---
 
-## Session Log
-
-<!-- session-logging: enabled -->
-
-All agents MUST log their activity to `.agents/session-log.md`. This file is gitignored and temporary.
-
-**Check before logging:** Read the `session-logging` comment above. If it says `disabled`, skip all logging.
-
-**On first write per session**, create the file with the header:
-```markdown
-# Session Log
-
-| Timestamp | Agent | Action | Detail |
-|-----------|-------|--------|--------|
-```
-
-**Log these events** by appending a row:
-- Lead spawns an agent → `| {ISO timestamp} | lead | spawned | {agent-name} for {purpose} |`
-- Agent starts → `| {ISO timestamp} | {agent-name} | started | {task summary} |`
-- Agent loads a skill → `| {ISO timestamp} | {agent-name} | skill-loaded | {skill-name} |`
-- Agent completes → `| {ISO timestamp} | {agent-name} | completed | {files changed count} files |`
-- Agent blocked → `| {ISO timestamp} | {agent-name} | blocked | {reason} |`
-
-**Rules:**
-- Append only, never overwrite previous entries
-- One row per event, keep detail column short
-- Use ISO 8601 timestamps
-- The file is gitignored — never commit it
-
----
-
 ## RTK
 
 Use `rtk` wrapper for ALL CLI commands. Never run git, az, gh, or openspec commands directly.
@@ -401,7 +305,7 @@ Agents CANNOT:
 
 ### Platform CLI
 
-ALL platform interactions via CLI only. Browser MCP FORBIDDEN for any DevOps or GitHub operation.
+ALL platform interactions via CLI only. Browser MCP and webfetch FORBIDDEN for any DevOps or GitHub operation, use `gh` or `az` CLI exclusively, never fall back to HTTP requests.
 
 | Operation | Azure DevOps | GitHub |
 |-----------|-------------|--------|

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-onboard",
-  "version": "0.1.5",
+  "version": "0.1.10",
   "description": "Prepare any brownfield codebase for AI agent workflows using OpenCode, OpenSpec, and ensemble orchestration.",
   "keywords": [
     "opencode",

package/src/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import chalk from 'chalk'
+import { createRequire } from 'node:module'
 import { checkEnv } from './steps/check-env.js'
 import { checkPlatform } from './steps/check-platform.js'
 import { checkRtk } from './steps/check-rtk.js'
@@ -13,22 +14,24 @@ import { installBrowser } from './steps/install-browser.js'
 
 if (process.stdout.isTTY) console.clear()
 console.log()
+const require = createRequire(import.meta.url)
+const { version } = require('../package.json')
 const logo = chalk.hex('#fe3d57')
 const bannerLines = [
-  logo('        ▒▒▒▒▒▒▒          '),
+  logo('                             '),
   logo('        ▒▒▒▒▒▒▒▒▒▒▒▒▒        '),
   logo('        ▒▒▓       ▓▒▓        '),
   logo('   ▒▒▒▒▒▒▓▒▒▒▒▒▒▒▒▒▓▓▒▒▒▒▒   '),
   logo('  ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓  '),
   logo(' ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓▓ '),
-  logo(' ▓▒▒▒▒▒░░▒▒▒▒▒▒▒▒▒▒▒░░▒▒▒▒▓▓ '),
+  logo(' ▓▒▒▒▒░░░▒▒▒▒▒▒▒▒▒▒▒░░░▒▒▒▓▓ '),
   logo('  ▓▓▓▓▒▒▒▓▓▓▓▓▓▓▓▓▓▓▒▒▒▓▓▓▓  '),
-  logo('  ▓▒▒▒▒▒▒▒░▒▒▒▒▒▒▒░▒▒▒▒▒▒▓▓  '),
-  logo('  ▓▒▒▒▒▒▒░▓▒▒▓▒▓▒▒▒▒▒▒▒▒▒▓▓  '),
+  logo('  ▓▓▒▒▒▒▒▒░▒▒▒▒▒▒▒░▒▒▒▒▒▒▓▓  '),
   logo('  ▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓   '),
-  logo('   ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ '),
+  logo('  ▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓   '),
+  logo('   ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓    '),
   '',
-  chalk.bold('        🧰 opencode-onboard'),
+  chalk.bold('        🧰 opencode-onboard') + chalk.dim(` v${version}`),
   chalk.dim('        Prepare your codebase for AI agents'),
 ]
 
@@ -51,7 +54,7 @@ if (process.stdin.isTTY) {
   })
 }
 
-try {
+try {
   // 1. Check Node + pnpm
   await checkEnv()
 

package/src/steps/choose-models.js

@@ -132,7 +132,22 @@ export async function chooseModels() {
     const config = await fse.readJson(opencodeJsonPath)
     config.model = planModel
     await fse.writeJson(opencodeJsonPath, config, { spaces: 2 })
-    success(`plan model → ${planModel} (written to .opencode/opencode.json)`)
+    success(`plan model -> ${planModel} (written to .opencode/opencode.json)`)
+  }
+
+  // Write build and fast models to ensemble.json
+  const ensembleJsonPath = path.join(process.cwd(), '.opencode', 'ensemble.json')
+  if (await fse.pathExists(ensembleJsonPath)) {
+    const ensemble = await fse.readJson(ensembleJsonPath)
+    delete ensemble.defaultModel
+    ensemble.modelsByAgent = {
+      ...ensemble.modelsByAgent,
+      build: buildModel,
+      explore: fastModel,
+    }
+    await fse.writeJson(ensembleJsonPath, ensemble, { spaces: 2 })
+    success(`build model -> ${buildModel} (written to .opencode/ensemble.json)`)
+    success(`fast model -> ${fastModel} (written to .opencode/ensemble.json)`)
   }
 
   console.log()

package/src/steps/clean-ai-files.js

@@ -3,25 +3,45 @@ import path from 'path'
 import { findAiFiles } from '../utils/copy.js'
 import { header, info, prompt, success, warn } from '../utils/exec.js'
 
+/**
+ * Enumerate immediate children of a directory, returning their absolute paths.
+ * Skips any entry named 'skills' at any level to preserve user-installed skills.
+ */
+async function childrenExcludingSkills(dir) {
+  const results = []
+  if (!await fse.pathExists(dir)) return results
+  const entries = await fse.readdir(dir)
+  for (const entry of entries) {
+    if (entry === 'skills') continue
+    results.push(path.join(dir, entry))
+  }
+  return results
+}
+
 export async function cleanAiFiles() {
   header('Step 2, Existing AI config files')
 
   const cwd = process.cwd()
-  const found = await findAiFiles(cwd)
-
-  // Also find .agents contents except skills/ (preserve user skills)
-  const agentsDir = path.join(cwd, '.agents')
-  const agentsEntries = []
-  if (await fse.pathExists(agentsDir)) {
-    const entries = await fse.readdir(agentsDir)
-    for (const entry of entries) {
-      if (entry !== 'skills') {
-        agentsEntries.push(path.join(agentsDir, entry))
-      }
-    }
+
+  // Flat AI config files (not directories)
+  const flatFiles = await findAiFiles(cwd)
+
+  // For directory targets (.opencode, .agents), enumerate children and skip skills/
+  const dirTargets = ['.opencode', '.agents']
+  const dirEntries = []
+  for (const dirName of dirTargets) {
+    const dirPath = path.join(cwd, dirName)
+    const children = await childrenExcludingSkills(dirPath)
+    dirEntries.push(...children)
   }
 
-  const allFiles = [...found, ...agentsEntries]
+  // Remove the directory targets themselves from flat list (we handle them via children)
+  const filteredFlat = flatFiles.filter(f => {
+    const rel = path.relative(cwd, f)
+    return !dirTargets.includes(rel)
+  })
+
+  const allFiles = [...filteredFlat, ...dirEntries]
 
   if (allFiles.length === 0) {
     success('No existing AI config files found')
@@ -33,7 +53,7 @@ export async function cleanAiFiles() {
     info(f.replace(cwd, '.'))
   }
   console.log()
-  prompt('Press Enter to remove them all (your .agents/skills/ will be kept)')
+  prompt('Press Enter to remove them all (skills/ folders will be kept)')
   console.log()
 
   await new Promise(resolve => {

package/src/steps/init-openspec.js

@@ -1,6 +1,114 @@
 import { execa } from 'execa'
+import fs from 'node:fs'
+import path from 'node:path'
 import { error, header, success, warn } from '../utils/exec.js'
 
+const ENSEMBLE_PATCH = `6. **Implement via ensemble team**
+
+   NEVER implement tasks directly. Always delegate to specialists via ensemble.
+   Do NOT touch any source files before the team is running, not even a single edit.
+
+   a. Create feature branch if not already on one: \`feature/{id}-{slug}\`
+
+   b. Clean up any stale team state, then create the team:
+      \`\`\`
+      team_cleanup force:true acknowledge_uncommitted:true   (ignore "not in a team" errors)
+      team_create "<change-name>"
+      \`\`\`
+      Announce: "Team running. Monitor at http://localhost:4747/"
+
+   c. Add all tasks to the shared board so progress is visible in the dashboard.
+      Tasks take { content, priority } only, no assignee field:
+      \`\`\`
+      team_tasks_add tasks:[
+        { content: "1.1 <task description>", priority: "high" },
+        { content: "1.2 <task description>", priority: "high" },
+        ...one entry per task from the tasks.md checklist...
+      ]
+      \`\`\`
+      team_tasks_add returns the task IDs, save them to pass to each agent.
+
+   d. Spawn specialists one at a time (wait for each team_spawn result before calling the next,
+      this avoids git worktree contention). Include the FULL task list,
+      ALL context file paths, and the task IDs for their assigned tasks directly in each spawn prompt.
+      Agents must call team_claim on each task ID before starting it, then team_tasks_complete when done:
+      \`\`\`
+      team_spawn name:back   agent:back-engineer   prompt:"<full task list + context file paths + architecture notes + task IDs for your tasks + call team_claim before each task, team_tasks_complete after + report back when done or blocked>"
+      team_spawn name:front  agent:front-engineer  prompt:"<full task list + context file paths + architecture notes + task IDs for your tasks + call team_claim before each task, team_tasks_complete after + report back when done or blocked>"
+      team_spawn name:infra  agent:infra-engineer  prompt:"<full task list + context file paths + architecture notes + task IDs for your tasks + call team_claim before each task, team_tasks_complete after + report back when done or blocked>"
+      \`\`\`
+
+   e. Wait for all → \`team_results\` → \`team_shutdown\` + \`team_merge\`
+
+7. **Quality check**
+
+   \`\`\`
+   team_spawn name:quality agent:quality-engineer prompt:"<task list, context files, run tests + build + lint + verify acceptance criteria, call team_claim before each task, team_tasks_complete after, report back when done>"
+   \`\`\`
+   Wait → \`team_results\` → fix blockers → \`team_shutdown\`
+
+8. **Mark tasks complete in openspec**
+
+   After specialists finish, update the tasks file: \`- [ ]\` → \`- [x]\` for each completed task.
+   Run \`openspec status --change "<name>" --json\` to confirm progress.
+
+9. **On completion or pause, show status**
+
+   Display:
+   - Tasks completed this session
+   - Overall progress: "N/M tasks complete"
+   - If all done: suggest archive with \`/opsx-archive\`
+   - If paused: explain why and wait for guidance
+
+   Then run \`team_cleanup\`.
+
+**Guardrails**
+- NEVER implement tasks directly. Always use \`team_create\` + \`team_spawn\`, no exceptions
+- NEVER touch source files before \`team_create\` is called, not even one edit
+- ALWAYS run \`team_cleanup force:true\` before \`team_create\` to clear stale state from previous runs
+- ALWAYS add tasks to the board with \`team_tasks_add tasks:[{content, priority}]\` before spawning. No assignee field exists.
+- ALWAYS pass the task IDs returned by team_tasks_add to each agent in their spawn prompt so they can call team_claim
+- NEVER claim or complete tasks yourself as lead. Only subagents call team_claim and team_tasks_complete
+- Spawn teammates ONE AT A TIME, waiting for each team_spawn result before calling the next (avoids git worktree contention)
+- "Small feature", "faster to do it directly", "environment issues", "teammates not responding" are NOT valid reasons to implement directly. If teammates are stuck, use \`team_message\` to resend tasks, then wait
+- Always read context files before spawning (from the apply instructions output)
+- Mark tasks complete in openspec AFTER specialists finish, not before
+- If task is ambiguous, pause and ask before spawning
+- If implementation reveals issues, pause and suggest artifact updates
+- Pause on errors, blockers, or unclear requirements. Do not guess
+- Use contextFiles from CLI output, do not assume specific file names
+`
+
+// Patterns that identify the solo implementation step in openspec-generated files
+const SOLO_IMPL_PATTERNS = [
+  /^#{1,3}\s+\d+\..*(implement|loop until|make the code changes|for each (pending )?task)/im,
+  /\*\*Implement tasks.*loop until/im,
+  /^6\.\s+\*\*Implement tasks/im,
+]
+
+function patchOpensxApply(filePath) {
+  if (!fs.existsSync(filePath)) return false
+
+  const content = fs.readFileSync(filePath, 'utf8')
+  const lines = content.split('\n')
+
+  // Find the line index where the solo implementation step starts
+  let cutLine = -1
+  for (let i = 0; i < lines.length; i++) {
+    if (SOLO_IMPL_PATTERNS.some(p => p.test(lines[i]))) {
+      cutLine = i
+      break
+    }
+  }
+
+  if (cutLine === -1) return false // Pattern not found, skip
+
+  const preamble = lines.slice(0, cutLine).join('\n').trimEnd()
+  const patched = preamble + '\n\n' + ENSEMBLE_PATCH
+  fs.writeFileSync(filePath, patched, 'utf8')
+  return true
+}
+
 export async function initOpenspec() {
   header('Step 6, Initializing OpenSpec')
 
@@ -19,4 +127,20 @@ export async function initOpenspec() {
   } catch (err) {
     error(`Failed to run openspec init: ${err.message}`)
   }
+
+  // Patch opsx-apply.md to use ensemble orchestration instead of solo implementation
+  const targets = [
+    path.join(process.cwd(), '.opencode', 'commands', 'opsx-apply.md'),
+    path.join(process.cwd(), '.opencode', 'skills', 'openspec-apply-change', 'SKILL.md'),
+  ]
+
+  for (const target of targets) {
+    try {
+      const patched = patchOpensxApply(target)
+      if (patched) success(`Patched ${path.relative(process.cwd(), target)} for ensemble`)
+    } catch (err) {
+      warn(`Could not patch ${path.relative(process.cwd(), target)}: ${err.message}`)
+    }
+  }
 }
+

package/src/utils/copy.js

@@ -2,7 +2,7 @@ import fse from 'fs-extra'
 import path from 'path'
 
 // Folders never copied (skills handled separately by chooseSkillsProvider, .bootstrap is internal tooling)
-const ALWAYS_EXCLUDE = ['.bootstrap', 'skills']
+const ALWAYS_EXCLUDE = ['.bootstrap', 'skills', 'node_modules']
 
 /**
  * Copy content/ directory to destination, excluding skills (handled separately by chooseSkillsProvider)
@@ -40,6 +40,8 @@ const AI_FILES = [
   'copilot-instructions.md',
   '.aider.conf.yml',
   '.aider',
+  '.opencode',
+  '.agents'
 ]
 
 export async function findAiFiles(dir) {