opencode-ultra 0.6.0 → 0.6.2

package/dist/config.d.ts

@@ -69,6 +69,10 @@ declare const PluginConfigSchema: z.ZodObject<{
         maxEnforcements: z.ZodOptional<z.ZodNumber>;
     }, z.core.$strip>>;
     mcp_api_keys: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    safety: z.ZodOptional<z.ZodObject<{
+        maxTotalSpawned: z.ZodOptional<z.ZodNumber>;
+        agentTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
 }, z.core.$loose>;
 export type PluginConfig = z.infer<typeof PluginConfigSchema>;
 export declare function parsePluginConfig(raw: unknown): PluginConfig;

package/dist/index.js

@@ -14643,66 +14643,50 @@ var BUILTIN_AGENTS = {
   },
   scout: {
     model: "anthropic/claude-sonnet-4-5",
-    description: "Plugin ecosystem researcher \u2014 finds, analyzes, and compares OpenCode plugins with trust scoring",
+    description: "Plugin ecosystem researcher \u2014 discovers features and techniques from other OpenCode plugins",
     prompt: `You are Scout, an OpenCode plugin ecosystem researcher.
 
 ## YOUR MISSION
-Search the web (npm, GitHub, OpenCode community) for OpenCode plugins and extensions.
-Collect STRUCTURED METADATA for trust scoring. Compare with opencode-ultra.
+Search for OpenCode plugins and analyze WHAT THEY DO and HOW THEY DO IT.
+The goal is to find features and techniques that opencode-ultra can learn from \u2014 NOT to recommend installing them.
 
 ## SEARCH STRATEGY
 1. Search npm for "opencode-plugin", "opencode-ai", "@opencode" packages
 2. Search GitHub for "opencode plugin", "opencode extension", "oh-my-opencode"
 3. Look at package.json dependencies on @opencode-ai/plugin or @opencode-ai/sdk
-4. Read README files and source code of discovered plugins
+4. Read README files and SOURCE CODE of discovered plugins \u2014 understand their implementation
 
-## CRITICAL: METADATA COLLECTION
-For EACH plugin found, you MUST collect these fields (used for trust scoring):
-- **name**: exact npm package name
-- **version**: latest version string
-- **lastPublished**: ISO date of last npm publish (e.g. "2026-01-15")
-- **weeklyDownloads**: weekly npm download count (number)
-- **stars**: GitHub stars (number, 0 if unknown)
-- **repository**: GitHub/GitLab repo URL
-- **license**: SPDX license identifier (e.g. "MIT", "ISC")
-- **hasReadme**: true/false
-- **maintainerCount**: number of npm maintainers
-- **dependencyCount**: number of production dependencies
-- **description**: one-line description
-- **features**: bullet list of capabilities
-- **uniqueIdeas**: features that opencode-ultra does NOT have
+## WHAT TO ANALYZE PER PLUGIN
+- **name**: package name + repo URL
+- **description**: what it does
+- **features**: detailed list of capabilities
+- **hooks used**: which OpenCode hooks (chat.message, tool.execute.after, etc.)
+- **tools provided**: custom tools and what they do
+- **techniques**: interesting implementation patterns (e.g. caching strategies, prompt engineering, API usage)
+- **unique ideas**: features/approaches NOT in opencode-ultra
+
+## WHAT TO SKIP
+- Auth plugins (opencode-*-auth) \u2014 domain-specific, not relevant
+- Abandoned/empty repos (no commits in 6+ months, no README)
+- Trivial wrappers (just re-exports or single-function plugins)
 
 ## OUTPUT FORMAT
-Return a JSON array of plugin objects with the fields above. Example:
-\`\`\`json
-[
-  {
-    "name": "opencode-supermemory",
-    "version": "1.2.0",
-    "lastPublished": "2026-02-01",
-    "weeklyDownloads": 500,
-    "stars": 45,
-    "repository": "https://github.com/supermemoryai/opencode-supermemory",
-    "license": "MIT",
-    "hasReadme": true,
-    "maintainerCount": 2,
-    "dependencyCount": 5,
-    "description": "Persistent memory across OpenCode sessions",
-    "features": ["Session memory", "Cross-project recall"],
-    "uniqueIdeas": ["Long-term memory that opencode-ultra lacks"]
-  }
-]
-\`\`\`
+For each INTERESTING plugin (skip the trivial ones):
 
-Also include a text summary with gap analysis after the JSON block.
+### [plugin-name]
+- **What**: one-line description
+- **Repo**: URL
+- **Features**: bullet list
+- **Hooks**: which hooks and how they use them
+- **Tools**: custom tools and purpose
+- **Interesting technique**: what they do that's clever or useful
+- **Applicable to opencode-ultra**: YES/NO + what we could adapt
 
-## COMPARISON
-After listing plugins, generate:
-- Features others have that opencode-ultra lacks
-- Features opencode-ultra has that others lack (competitive advantages)
-- Improvement priority list (high/medium/low impact)
+End with a summary section:
+## Features opencode-ultra could adopt
+(Ranked by impact \u2014 high/medium/low)
 
-Be thorough but focused. Skip abandoned or trivial plugins.`,
+Be thorough but focused on QUALITY over quantity. 5 well-analyzed plugins beats 20 superficial listings.`,
     mode: "subagent",
     maxTokens: 32000
   }
@@ -14940,58 +14924,81 @@ var THINK_MESSAGE = `Extended thinking enabled. Take your time to reason thoroug
 var EVOLVE_MESSAGE = `[evolve-mode] SELF-IMPROVEMENT CYCLE ACTIVATED.
 
 ## MISSION
-Search the OpenCode plugin ecosystem, evaluate trust/quality, identify gaps, and optionally apply improvements.
+Discover what other OpenCode plugins do well, compare with opencode-ultra's current capabilities, and propose concrete improvements to opencode-ultra itself.
+
+This is NOT about installing other plugins. This is about LEARNING from the ecosystem and making opencode-ultra better.
 
 ## TOOLS AVAILABLE
 - **spawn_agent** \u2014 run scout + explore agents in parallel for data gathering
-- **evolve_apply** \u2014 apply plugin recommendations to OpenCode config (with trust scoring and backup)
+- **ledger_save** \u2014 persist improvement proposals for future implementation
+
+## PHASE 1: GATHER (parallel \u2014 BOTH agents MANDATORY)
 
-## STEPS
-1. **SCOUT** \u2014 Spawn the **scout** agent to search npm/GitHub for OpenCode plugins. Scout MUST return package metadata (lastPublished, weeklyDownloads, stars, repository, license, maintainerCount, dependencyCount) for each plugin found.
-2. **READ SELF** \u2014 Read opencode-ultra's own capabilities via explore agent
-3. **SCORE** \u2014 For each discovered plugin, the evolve_apply tool computes a trust score (0-100):
-   - 90-100: HIGH trust (safe to auto-install)
-   - 70-89: MEDIUM trust (review recommended)
-   - 40-69: LOW trust (caution)
-   - 0-39: RISKY (blocked from install)
-4. **COMPARE** \u2014 Generate gap analysis with trust scores
-5. **PROPOSE** \u2014 Present scored recommendations to the user
-6. **APPLY** \u2014 If user approves, call evolve_apply to update config:
+You MUST spawn BOTH agents below. Do NOT skip the explore agent.
 
 \`\`\`
-evolve_apply({
-  plugins: [
-    {
-      name: "opencode-supermemory",
-      version: "latest",
-      reason: "Persistent memory across sessions",
-      metadata: {name: "opencode-supermemory", lastPublished: "2026-02-01", weeklyDownloads: 500, stars: 45, repository: "https://github.com/...", license: "MIT", maintainerCount: 2}
-    }
-  ],
-  dryRun: true
+spawn_agent({
+  agents: [
+    {agent: "scout", prompt: "Search npm and GitHub for OpenCode 1.2.x plugins. For EACH plugin, analyze: what features does it provide? What hooks, tools, or techniques does it use? Focus on UNIQUE capabilities that are genuinely useful. Return a structured feature inventory per plugin.", description: "Ecosystem feature scan"},
+    {agent: "explore", prompt: "Read opencode-ultra's INSTALLED source at ~/.cache/opencode/node_modules/opencode-ultra/. Read these files: src/index.ts, src/tools/spawn-agent.ts, src/tools/ralph-loop.ts, src/tools/evolve-apply.ts, src/hooks/keyword-detector.ts, src/hooks/rules-injector.ts, src/safety/sanitizer.ts, src/safety/trust-score.ts, src/concurrency/pool.ts, src/agents/index.ts, src/categories/index.ts, README.md. For EACH file, list: what it does, what hooks/tools/features it provides, what techniques it uses. Output a structured capability inventory with Yes/No for each feature area.", description: "Self-analysis of opencode-ultra"}
+  ]
 })
 \`\`\`
 
-Use dryRun: true FIRST to preview, then dryRun: false after user approval.
+## HARD GATE: DO NOT proceed to Phase 2 until BOTH agents return results.
+If the explore agent fails to find files, try reading from the current project directory or use Grep to locate opencode-ultra source files. You MUST have a concrete list of opencode-ultra's current capabilities before comparing.
+
+## PHASE 2: COMPARE
+
+Build a structured gap analysis using BOTH agents' results.
 
-7. **SAVE** \u2014 Save findings to ledger: ledger_save({name: "evolve-scan-YYYY-MM-DD", content: "..."})
+**CRITICAL**: The "opencode-ultra" column MUST be filled with Yes/No/Partial based on the explore agent's output. NEVER write "TBD" or "unknown" \u2014 if you don't know, re-read the source.
+
+### Feature Matrix
+| Feature | opencode-ultra (current) | Other plugin(s) | Gap? |
+|---------|-------------------------|-----------------|------|
+| (feature) | Yes / No / Partial \u2014 cite which file | Which plugin has it | Missing / Partial / Covered |
+
+Focus on features that are:
+- **Genuinely useful** (not gimmicks)
+- **Feasible to implement** (not requiring external infrastructure)
+- **Complementary** to existing capabilities (not duplicate)
+
+### What to IGNORE
+- Auth plugins (opencode-antigravity-auth etc.) \u2014 domain-specific, not relevant
+- oh-my-opencode features we already ported \u2014 mark as "Covered"
+- Trivial wrappers or abandoned projects
+
+## PHASE 3: PROPOSE
+For each identified gap (Missing or Partial), produce a concrete improvement proposal:
 
-## EXECUTION
 \`\`\`
-spawn_agent({
-  agents: [
-    {agent: "scout", prompt: "Search npm and GitHub for OpenCode 1.2.x plugins. For EACH plugin found, collect: name, version, lastPublished date, weeklyDownloads, GitHub stars, repository URL, license, maintainerCount, dependencyCount. Return structured data.", description: "Plugin ecosystem scan + metadata"},
-    {agent: "explore", prompt: "Read opencode-ultra's README.md, src/index.ts, src/agents/index.ts to catalog current features", description: "Self-analysis"}
-  ]
-})
+## Improvement: [Feature Name]
+**Inspiration**: [Plugin name] \u2014 [what it does]
+**Current state in opencode-ultra**: [what we have now, citing files]
+**Why**: [Why opencode-ultra needs this]
+**How**: [Implementation sketch \u2014 which file to modify, what to add]
+**Effort**: Low / Medium / High
+**Priority**: P0 (critical) / P1 (important) / P2 (nice-to-have)
 \`\`\`
 
-After gathering results:
-1. Call evolve_apply with dryRun: true to preview trust scores
-2. Present results to user with recommendation
-3. If approved, call evolve_apply with dryRun: false
+Sort proposals by Priority then Effort (P0-Low first, P2-High last).
+
+## PHASE 4: SAVE
+Save the full analysis to the continuity ledger:
+\`\`\`
+ledger_save({
+  name: "evolve-scan-YYYY-MM-DD",
+  content: "# Evolve Scan Results\\n\\n## Feature Matrix\\n...\\n## Improvement Proposals\\n..."
+})
+\`\`\`
 
-**Trust scoring prevents bad plugins from entering your system. Always dry-run first.**`;
+## IMPORTANT
+- The goal is to make opencode-ultra BETTER, not to install other plugins.
+- Other plugins are REFERENCE MATERIAL \u2014 study their approach, then design our own implementation.
+- Every proposal must include a concrete "How" section with file paths and implementation direction.
+- The opencode-ultra column in Feature Matrix must NEVER be TBD. Read the source first.
+- Present the final proposals to the user for approval before any implementation.`;
 
 // src/hooks/rules-injector.ts
 import * as fs2 from "fs";

package/dist/safety/index.d.ts

@@ -0,0 +1,2 @@
+export { sanitizeAgentOutput, sanitizeSpawnResult, type SanitizeResult } from "./sanitizer";
+export { computeTrustScore, isTyposquatSuspect, formatTrustTable, type PackageMetadata, type TrustScoreResult, type TrustFactor, } from "./trust-score";

package/dist/safety/sanitizer.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Prompt injection sanitizer — strips common injection patterns from agent outputs.
+ * Applied at the boundary where sub-agent results re-enter the orchestrator's context.
+ */
+export interface SanitizeResult {
+    text: string;
+    flagged: boolean;
+    warnings: string[];
+}
+/**
+ * Sanitize text from agent outputs to prevent prompt injection.
+ * Returns the cleaned text plus any warnings.
+ */
+export declare function sanitizeAgentOutput(text: string): SanitizeResult;
+/**
+ * Apply sanitizer to a spawn_agent result string.
+ * Adds a warning banner if injection was detected.
+ */
+export declare function sanitizeSpawnResult(result: string): string;

package/dist/safety/trust-score.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Trust Score — evaluates npm packages for reliability and safety.
+ * Used by evolve mode to rank plugin recommendations.
+ *
+ * Score 0–100:
+ *   90–100  HIGH trust (well-maintained, popular, verified)
+ *   70–89   MEDIUM trust (decent maintenance, some usage)
+ *   40–69   LOW trust (stale, low usage, or missing metadata)
+ *   0–39    RISKY (abandoned, typosquat suspect, no repo)
+ */
+export interface PackageMetadata {
+    name: string;
+    version?: string;
+    description?: string;
+    license?: string;
+    /** ISO date string of last publish */
+    lastPublished?: string;
+    /** Weekly npm downloads */
+    weeklyDownloads?: number;
+    /** GitHub stars (0 if no repo) */
+    stars?: number;
+    /** GitHub repo URL */
+    repository?: string;
+    /** Whether the package has a README */
+    hasReadme?: boolean;
+    /** Number of maintainers */
+    maintainerCount?: number;
+    /** Number of dependencies */
+    dependencyCount?: number;
+}
+export interface TrustScoreResult {
+    score: number;
+    level: "high" | "medium" | "low" | "risky";
+    factors: TrustFactor[];
+    summary: string;
+}
+export interface TrustFactor {
+    name: string;
+    score: number;
+    maxScore: number;
+    detail: string;
+}
+export declare function computeTrustScore(meta: PackageMetadata): TrustScoreResult;
+export declare function isTyposquatSuspect(name: string): boolean;
+/**
+ * Format trust scores as a markdown table for evolve output.
+ */
+export declare function formatTrustTable(results: Array<{
+    meta: PackageMetadata;
+    score: TrustScoreResult;
+}>): string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-ultra",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "description": "Lightweight OpenCode 1.2.x plugin — ultrawork mode, multi-agent orchestration, rules injection",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",