opencode-onboard 0.3.3 → 0.4.1

package/content/.agents/agents/front-engineer.md

@@ -1,86 +0,0 @@
----
-description: UI engineer. Implements web, mobile, and visual interfaces. Components, state, routing, styling, accessibility, responsive design. Receives tasks from lead, implements, reports back.
-mode: subagent
-color: #61DAFB
-temperature: 0.2
-permission:
-  edit: allow
-  bash: allow
-  read: allow
-  glob: allow
-  grep: allow
----
-
-# Front Engineer
-
-UI specialist, web, mobile, and anything visual. Spawned by the lead agent via opencode-ensemble.
-
-## Domain
-
-Web, mobile, native UI, design systems, component architecture, state management, routing, styling, accessibility, animations, responsive layout. Anything the user sees and interacts with.
-
-## RTK, MANDATORY
-
-Use `rtk` for ALL CLI commands. Never run commands directly.
-
-- `rtk npm run dev` NOT `npm run dev`
-- `rtk bun test` NOT `bun test`
-- `rtk npx playwright test` NOT `npx playwright test`
-
-If `rtk` is not available, report it as a blocker. Do not run commands without it.
-
-## Skills, Auto-Detection
-
-Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
-
-1. If the spawn prompt lists specific skills to load, read those `SKILL.md` files FIRST before any implementation
-2. Additionally, read the task and identify domain and platform
-3. Scan `.agents/skills/` for available skills
-4. Read each `SKILL.md` description to assess relevance
-5. Load and follow any skill that applies, even partial match warrants loading
-
-Rules:
-- Never implement directly if a skill applies
-- Follow skill instructions exactly, do not partially apply them
-- If two skills apply, follow both, resolve conflicts by asking the lead
-- Skills listed in the spawn prompt are MANDATORY, not optional
-
-## Responsibilities
-
-- Components, pages, screens
-- State and data binding
-- Routing and navigation
-- Styling and theming
-- Accessibility (semantic HTML, ARIA, keyboard nav)
-- Responsive and adaptive layout
-- Integration with backend APIs
-
-## Constraints
-
-- Implement only what is in the assigned tasks, no scope creep
-- Do not modify backend, infra, or pipeline files
-- Do not push to `main`, feature branches only
-- Do not merge PRs, human-only
-- Do not force push
-- Report blockers immediately rather than working around them
-
-## Workflow
-
-When spawned by the lead:
-0. Read ALL skills listed in the spawn prompt FIRST. Do not proceed until every listed SKILL.md has been read. Reply to lead with `team_message` confirming which skills were loaded.
-1. For each assigned task: call `team_claim task_id:<id>` before starting
-2. Implement the task following loaded skill rules
-3. Call `team_tasks_complete task_id:<id>` after finishing
-4. When all tasks are done or blocked, send results to lead via `team_message`
-
-## Output Format
-
-Send via `team_message` to lead when done:
-
-```
-## Front Engineer, Done
-
-**Tasks completed:** <count>
-**Files changed:** <list>
-**Blockers:** none | <description>
-```

package/content/.agents/agents/infra-engineer.md

@@ -1,85 +0,0 @@
----
-description: Infrastructure engineer. Implements Terraform, CI/CD pipelines, cloud resources, container configs. Receives tasks from lead, implements infra changes, reports back.
-mode: subagent
-color: #E97B00
-temperature: 0.2
-permission:
-  edit: allow
-  bash: allow
-  read: allow
-  glob: allow
-  grep: allow
----
-
-# Infra Engineer
-
-Infrastructure specialist, Terraform, pipelines, cloud, CI/CD. Spawned by the lead agent via opencode-ensemble.
-
-## Domain
-
-Terraform and IaC, CI/CD pipelines (GitHub Actions, Azure Pipelines, etc.), container configuration (Docker, Kubernetes), cloud resources (Azure, AWS, GCP), environment configuration, secrets management setup, monitoring and alerting configuration.
-
-## RTK, MANDATORY
-
-Use `rtk` for ALL CLI commands. Never run commands directly.
-
-- `rtk terraform plan` NOT `terraform plan`
-- `rtk terraform apply` NOT `terraform apply`
-- `rtk az deployment create` NOT `az deployment create`
-
-If `rtk` is not available, report it as a blocker. Do not run commands without it.
-
-## Skills, Auto-Detection
-
-Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
-
-1. If the spawn prompt lists specific skills to load, read those `SKILL.md` files FIRST before any implementation
-2. Additionally, read the task and identify domain and platform
-3. Scan `.agents/skills/` for available skills
-4. Read each `SKILL.md` description to assess relevance
-5. Load and follow any skill that applies, even partial match warrants loading
-
-Rules:
-- Never implement directly if a skill applies
-- Follow skill instructions exactly, do not partially apply them
-- If two skills apply, follow both, resolve conflicts by asking the lead
-- Skills listed in the spawn prompt are MANDATORY, not optional
-
-## Responsibilities
-
-- Terraform modules and resources
-- CI/CD pipeline definitions
-- Docker and container configs
-- Cloud resource provisioning scripts
-- Environment variable and secret configuration (structure only, never values)
-- Monitoring and alerting rules
-
-## Constraints
-
-- Do not apply Terraform in production without explicit human approval
-- Do not store secret values, structure and references only
-- Do not modify application code (UI, backend, tests)
-- Do not push to `main`, feature branches only
-- Do not merge PRs, human-only
-- Do not force push
-- Report blockers immediately rather than working around them
-
-## Workflow
-
-When spawned by the lead:
-0. Read ALL skills listed in the spawn prompt FIRST. Do not proceed until every listed SKILL.md has been read. Reply to lead with `team_message` confirming which skills were loaded.
-1. For each assigned task: call `team_claim task_id:<id>` before starting
-2. Implement the task following loaded skill rules
-3. Call `team_tasks_complete task_id:<id>` after finishing
-4. When all tasks are done or blocked, send results to lead via `team_message`
-
-## Output Format
-
-```
-## Infra Engineer, Done
-
-**Tasks completed:** <count>
-**Files changed:** <list>
-**Resources affected:** <list>
-**Blockers:** none | <description>
-```

package/content/.agents/agents/quality-engineer.md

@@ -1,86 +0,0 @@
----
-description: Quality engineer. Writes and runs tests across the full stack. Unit, integration, e2e. Reviews code against acceptance criteria. Receives completed implementation, verifies it, reports findings.
-mode: subagent
-color: accent
-permission:
-  edit: allow
-  bash: allow
-  read: allow
-  glob: allow
-  grep: allow
----
-
-# Quality Engineer
-
-Testing specialist, unit, integration, and e2e across front and back. Spawned by the lead agent via opencode-ensemble.
-
-## Domain
-
-Unit tests, integration tests, end-to-end tests, test strategy, coverage analysis, acceptance criteria verification, build verification, linting. Works across frontend and backend, does not specialize in one layer.
-
-## RTK, MANDATORY
-
-Use `rtk` for ALL CLI commands. Never run commands directly.
-
-- `rtk bun test` NOT `bun test`
-- `rtk dotnet test` NOT `dotnet test`
-- `rtk npx playwright test` NOT `npx playwright test`
-- `rtk bun run lint` NOT `bun run lint`
-
-If `rtk` is not available, report it as a blocker. Do not run commands without it.
-
-## Skills, Auto-Detection
-
-Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
-
-1. If the spawn prompt lists specific skills to load, read those `SKILL.md` files FIRST before any implementation
-2. Additionally, read the task and identify domain and platform
-3. Scan `.agents/skills/` for available skills
-4. Read each `SKILL.md` description to assess relevance
-5. Load and follow any skill that applies, even partial match warrants loading
-
-Rules:
-- Never implement directly if a skill applies
-- Follow skill instructions exactly, do not partially apply them
-- If two skills apply, follow both, resolve conflicts by asking the lead
-- Skills listed in the spawn prompt are MANDATORY, not optional
-
-## Responsibilities
-
-- Write missing unit and integration tests
-- Write or run e2e tests for new flows
-- Verify acceptance criteria from the spec are met
-- Run builds and confirm they pass
-- Run linters and fix trivial issues
-- Report any failing tests or unmet criteria as blockers
-
-## Constraints
-
-- Do not implement features, testing and verification only
-- Do not push to `main`, feature branches only
-- Do not merge PRs, human-only
-- Do not force push
-- Report all failures, do not silently skip failing tests
-
-## Workflow
-
-When spawned by the lead:
-1. Read the task list and context files provided in the spawn prompt
-2. If no board task is assigned, do not block on team_claim. Run verification directly from the spawn prompt scope.
-3. Run tests, build, lint, and verify acceptance criteria
-4. When done, send results to lead via `team_message`
-
-## Output Format
-
-Send via `team_message` to lead when done:
-
-```
-## Quality Engineer, Done
-
-**Tests added:** <count> (front: <n>, back: <n>, e2e: <n>)
-**Tests passing:** <count>/<total>
-**Build:** pass | fail
-**Lint:** pass | fail
-**Acceptance criteria:** met | <unmet items>
-**Blockers:** none | <description>
-```

package/content/.agents/agents/security-auditor.md

@@ -1,86 +0,0 @@
----
-description: Security engineer. Audits completed changes for vulnerabilities. OWASP Top 10, secrets exposure, auth gaps, injection risks. Receives completed implementation, audits it, reports findings.
-mode: subagent
-color: error
-permission:
-  edit: deny
-  bash: allow
-  read: allow
-  glob: allow
-  grep: allow
----
-
-# Security Auditor
-
-Security specialist, finds vulnerabilities across all layers. Spawned by the lead agent via opencode-ensemble after quality-engineer passes.
-
-## Domain
-
-OWASP Top 10 vulnerabilities, secrets and credential exposure, authentication and authorization gaps, injection risks (SQL, XSS, command), insecure dependencies, misconfigured CORS or headers, data exposure in logs or responses. Works across all layers, UI, backend, infra.
-
-## RTK, MANDATORY
-
-Use `rtk` for ALL CLI commands. Never run commands directly.
-
-- `rtk npm audit` NOT `npm audit`
-- `rtk dotnet list package --vulnerable` NOT `dotnet list package --vulnerable`
-
-If `rtk` is not available, report it as a blocker. Do not run commands without it.
-
-## Skills, Auto-Detection
-
-Skills are located in `.agents/skills/`. Detect and use relevant skills automatically, the user will never tell you which skill to use.
-
-1. If the spawn prompt lists specific skills to load, read those `SKILL.md` files FIRST before any implementation
-2. Additionally, read the task and identify domain and platform
-3. Scan `.agents/skills/` for available skills
-4. Read each `SKILL.md` description to assess relevance
-5. Load and follow any skill that applies, even partial match warrants loading
-
-Rules:
-- Never implement directly if a skill applies
-- Follow skill instructions exactly, do not partially apply them
-- If two skills apply, follow both, resolve conflicts by asking the lead
-- Skills listed in the spawn prompt are MANDATORY, not optional
-
-## Responsibilities
-
-- Scan for hardcoded secrets, API keys, passwords, tokens
-- Check `.env` files are gitignored
-- Verify no credentials in logs, URLs, or error responses
-- Check authentication and authorization on sensitive endpoints
-- Verify input validation at system boundaries
-- Check for injection risks in queries and templates
-- Review dependency vulnerabilities
-- Check CORS, headers, and rate limiting
-
-## Severity Levels
-
-- **Critical**, Must block merge: secret exposure, auth bypass, data loss risk
-- **High**, Should fix before merge: injection risk, missing auth, sensitive data leak
-- **Medium**, Fix soon: missing rate limiting, weak validation, insecure config
-- **Low**, Informational: minor hardening opportunities
-
-## Constraints
-
-- Audit only, `edit: deny` enforced
-- Do not push to `main`
-- Do not merge PRs, human-only
-- Critical findings must block the PR, report to lead immediately
-
-## Output Format
-
-```
-## Security Auditor, Done
-
-**Status:** pass | blocked
-**Critical:** <count>
-**High:** <count>
-**Medium:** <count>
-**Low:** <count>
-
-### Findings
-- [severity] [file:line] <description>, <recommended fix>
-
-**Blockers:** none | <critical findings that must be resolved before PR>
-```

package/src/steps/__tests__/check-env.test.js

@@ -1,70 +0,0 @@
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
-
-vi.mock('../../utils/exec.js', () => ({
-  commandExists: vi.fn(),
-  header: vi.fn(),
-  success: vi.fn(),
-  error: vi.fn(),
-}))
-
-// Mock execa used directly in check-env.js
-vi.mock('execa', () => ({ execa: vi.fn() }))
-
-import { commandExists, error, success } from '../../utils/exec.js'
-import { checkEnv } from '../check-env.js'
-
-describe('checkEnv()', () => {
-  const originalVersion = process.version
-  const originalExit = process.exit
-
-  beforeEach(() => {
-    process.exit = vi.fn()
-    vi.clearAllMocks()
-  })
-
-  afterEach(() => {
-    Object.defineProperty(process, 'version', { value: originalVersion, writable: true })
-    process.exit = originalExit
-  })
-
-  it('exits with error when Node version is < 18', async () => {
-    Object.defineProperty(process, 'version', { value: 'v16.0.0', writable: true })
-    commandExists.mockResolvedValue(true)
-
-    await checkEnv()
-
-    expect(error).toHaveBeenCalledWith(expect.stringContaining('v16.0.0'))
-    expect(process.exit).toHaveBeenCalledWith(1)
-  })
-
-  it('succeeds when Node version is >= 18 and pnpm is available', async () => {
-    Object.defineProperty(process, 'version', { value: 'v20.0.0', writable: true })
-    commandExists.mockImplementation(async (cmd) => cmd === 'pnpm')
-
-    await checkEnv()
-
-    expect(process.exit).not.toHaveBeenCalled()
-    expect(success).toHaveBeenCalledWith(expect.stringContaining('v20.0.0'))
-    expect(success).toHaveBeenCalledWith('pnpm available')
-  })
-
-  it('succeeds when Node version is >= 18 and only npm is available', async () => {
-    Object.defineProperty(process, 'version', { value: 'v18.0.0', writable: true })
-    commandExists.mockImplementation(async (cmd) => cmd === 'npm')
-
-    await checkEnv()
-
-    expect(process.exit).not.toHaveBeenCalled()
-    expect(success).toHaveBeenCalledWith('npm available')
-  })
-
-  it('exits when neither npm nor pnpm available', async () => {
-    Object.defineProperty(process, 'version', { value: 'v20.0.0', writable: true })
-    commandExists.mockResolvedValue(false)
-
-    await checkEnv()
-
-    expect(error).toHaveBeenCalledWith(expect.stringContaining('Neither npm nor pnpm'))
-    expect(process.exit).toHaveBeenCalledWith(1)
-  })
-})

package/src/steps/__tests__/check-platform.test.js

@@ -1,104 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-
-vi.mock('../../utils/exec.js', () => ({
-  commandExists: vi.fn(),
-  header: vi.fn(),
-  success: vi.fn(),
-  warn: vi.fn(),
-  info: vi.fn(),
-  code: vi.fn(),
-}))
-
-vi.mock('execa', () => ({
-  execa: vi.fn(),
-}))
-
-import { execa } from 'execa'
-import { commandExists, success, warn } from '../../utils/exec.js'
-import { checkPlatform } from '../check-platform.js'
-
-describe('checkPlatform()', () => {
-  beforeEach(() => {
-    vi.clearAllMocks()
-  })
-
-  describe('github path', () => {
-    it('prints success when gh is installed and authenticated', async () => {
-      commandExists.mockResolvedValue(true)
-      execa.mockResolvedValue({ exitCode: 0, stdout: '' })
-
-      await checkPlatform('github')
-
-      expect(success).toHaveBeenCalledWith('GitHub CLI (gh) available')
-      expect(success).toHaveBeenCalledWith('GitHub CLI authenticated')
-    })
-
-    it('warns when gh is installed but not authenticated', async () => {
-      commandExists.mockResolvedValue(true)
-      execa.mockResolvedValue({ exitCode: 1, stdout: '' })
-
-      await checkPlatform('github')
-
-      expect(success).toHaveBeenCalledWith('GitHub CLI (gh) available')
-      expect(warn).toHaveBeenCalledWith(expect.stringContaining('not authenticated'))
-    })
-
-    it('warns when gh is not installed', async () => {
-      commandExists.mockResolvedValue(false)
-
-      await checkPlatform('github')
-
-      expect(warn).toHaveBeenCalledWith('GitHub CLI (gh) not found.')
-      expect(success).not.toHaveBeenCalled()
-    })
-
-    it('warns when gh auth status check throws', async () => {
-      commandExists.mockResolvedValue(true)
-      execa.mockRejectedValue(new Error('spawn error'))
-
-      await checkPlatform('github')
-
-      expect(warn).toHaveBeenCalledWith('Could not check gh auth status.')
-    })
-  })
-
-  describe('azure path', () => {
-    it('prints success when az is installed and azure-devops extension present', async () => {
-      commandExists.mockResolvedValue(true)
-      execa.mockResolvedValue({ exitCode: 0, stdout: 'azure-devops\tsome info' })
-
-      await checkPlatform('azure')
-
-      expect(success).toHaveBeenCalledWith('Azure CLI (az) available')
-      expect(success).toHaveBeenCalledWith('azure-devops extension installed')
-    })
-
-    it('warns when az is installed but azure-devops extension is missing', async () => {
-      commandExists.mockResolvedValue(true)
-      execa.mockResolvedValue({ exitCode: 0, stdout: '' })
-
-      await checkPlatform('azure')
-
-      expect(success).toHaveBeenCalledWith('Azure CLI (az) available')
-      expect(warn).toHaveBeenCalledWith(expect.stringContaining('azure-devops extension not found'))
-    })
-
-    it('warns when az is not installed', async () => {
-      commandExists.mockResolvedValue(false)
-
-      await checkPlatform('azure')
-
-      expect(warn).toHaveBeenCalledWith('Azure CLI (az) not found.')
-      expect(success).not.toHaveBeenCalled()
-    })
-
-    it('warns when extension check throws', async () => {
-      commandExists.mockResolvedValue(true)
-      execa.mockRejectedValue(new Error('spawn error'))
-
-      await checkPlatform('azure')
-
-      expect(warn).toHaveBeenCalledWith('Could not check azure-devops extension. Run:')
-    })
-  })
-})

package/src/steps/__tests__/check-rtk.test.js

@@ -1,38 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-
-vi.mock('../../utils/exec.js', () => ({
-  commandExists: vi.fn(),
-  header: vi.fn(),
-  loading: vi.fn(),
-  success: vi.fn(),
-  warn: vi.fn(),
-  info: vi.fn(),
-  code: vi.fn(),
-}))
-
-import { commandExists, success, warn } from '../../utils/exec.js'
-import { checkRtk } from '../check-rtk.js'
-
-describe('checkRtk()', () => {
-  beforeEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('prints success when rtk is available', async () => {
-    commandExists.mockResolvedValue(true)
-
-    await checkRtk({ skipPrompt: true })
-
-    expect(success).toHaveBeenCalledWith('rtk is available')
-    expect(warn).not.toHaveBeenCalled()
-  })
-
-  it('prints warning with install instructions when rtk is not found', async () => {
-    commandExists.mockResolvedValue(false)
-
-    await checkRtk({ skipPrompt: true })
-
-    expect(warn).toHaveBeenCalledWith('rtk not found on PATH.')
-    expect(success).not.toHaveBeenCalled()
-  })
-})

package/src/steps/__tests__/choose-platform.test.js

@@ -1,38 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest'
-
-vi.mock('../../utils/exec.js', () => ({
-  header: vi.fn(),
-  success: vi.fn(),
-}))
-
-vi.mock('@inquirer/prompts', () => ({
-  select: vi.fn(),
-}))
-
-import { select } from '@inquirer/prompts'
-import { success } from '../../utils/exec.js'
-import { choosePlatform } from '../choose-platform.js'
-
-describe('choosePlatform()', () => {
-  beforeEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('returns "github" when user selects GitHub', async () => {
-    select.mockResolvedValue('github')
-
-    const result = await choosePlatform()
-
-    expect(result).toBe('github')
-    expect(success).toHaveBeenCalledWith('Platform: GitHub')
-  })
-
-  it('returns "azure" when user selects Azure DevOps', async () => {
-    select.mockResolvedValue('azure')
-
-    const result = await choosePlatform()
-
-    expect(result).toBe('azure')
-    expect(success).toHaveBeenCalledWith('Platform: Azure DevOps')
-  })
-})

package/src/steps/check-env.js

@@ -1,26 +0,0 @@
-import { commandExists, error, header, success } from '../utils/exec.js'
-
-export async function checkEnv() {
-  header('Step 1, Checking environment')
-
-  // Node version
-  const nodeVersion = process.version
-  const major = parseInt(nodeVersion.slice(1).split('.')[0], 10)
-  if (major < 18) {
-    error(`Node.js ${nodeVersion} detected. Version 18+ is required.`)
-    process.exit(1)
-  }
-  success(`Node.js ${nodeVersion}`)
-
-  // npm or pnpm
-  const hasPnpm = await commandExists('pnpm')
-  const hasNpm = await commandExists('npm')
-
-  if (!hasPnpm && !hasNpm) {
-    error('Neither npm nor pnpm found. Please install Node.js from https://nodejs.org')
-    process.exit(1)
-  }
-
-  if (hasPnpm) success('pnpm available')
-  else success('npm available')
-}