opencode-ultra 0.6.1 → 0.6.2

package/dist/config.d.ts

@@ -69,6 +69,10 @@ declare const PluginConfigSchema: z.ZodObject<{
         maxEnforcements: z.ZodOptional<z.ZodNumber>;
     }, z.core.$strip>>;
     mcp_api_keys: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    safety: z.ZodOptional<z.ZodObject<{
+        maxTotalSpawned: z.ZodOptional<z.ZodNumber>;
+        agentTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
 }, z.core.$loose>;
 export type PluginConfig = z.infer<typeof PluginConfigSchema>;
 export declare function parsePluginConfig(raw: unknown): PluginConfig;

package/dist/index.js

@@ -14932,23 +14932,32 @@ This is NOT about installing other plugins. This is about LEARNING from the ecos
 - **spawn_agent** \u2014 run scout + explore agents in parallel for data gathering
 - **ledger_save** \u2014 persist improvement proposals for future implementation
 
-## PHASE 1: GATHER (parallel)
+## PHASE 1: GATHER (parallel \u2014 BOTH agents MANDATORY)
+
+You MUST spawn BOTH agents below. Do NOT skip the explore agent.
+
 \`\`\`
 spawn_agent({
   agents: [
     {agent: "scout", prompt: "Search npm and GitHub for OpenCode 1.2.x plugins. For EACH plugin, analyze: what features does it provide? What hooks, tools, or techniques does it use? Focus on UNIQUE capabilities that are genuinely useful. Return a structured feature inventory per plugin.", description: "Ecosystem feature scan"},
-    {agent: "explore", prompt: "Read opencode-ultra's source: src/index.ts, src/tools/*.ts, src/hooks/*.ts, src/safety/*.ts, src/agents/index.ts, README.md. Catalog every feature, tool, hook, and capability. Be exhaustive.", description: "Self-analysis"}
+    {agent: "explore", prompt: "Read opencode-ultra's INSTALLED source at ~/.cache/opencode/node_modules/opencode-ultra/. Read these files: src/index.ts, src/tools/spawn-agent.ts, src/tools/ralph-loop.ts, src/tools/evolve-apply.ts, src/hooks/keyword-detector.ts, src/hooks/rules-injector.ts, src/safety/sanitizer.ts, src/safety/trust-score.ts, src/concurrency/pool.ts, src/agents/index.ts, src/categories/index.ts, README.md. For EACH file, list: what it does, what hooks/tools/features it provides, what techniques it uses. Output a structured capability inventory with Yes/No for each feature area.", description: "Self-analysis of opencode-ultra"}
   ]
 })
 \`\`\`
 
+## HARD GATE: DO NOT proceed to Phase 2 until BOTH agents return results.
+If the explore agent fails to find files, try reading from the current project directory or use Grep to locate opencode-ultra source files. You MUST have a concrete list of opencode-ultra's current capabilities before comparing.
+
 ## PHASE 2: COMPARE
-After gathering results, build a structured gap analysis:
+
+Build a structured gap analysis using BOTH agents' results.
+
+**CRITICAL**: The "opencode-ultra" column MUST be filled with Yes/No/Partial based on the explore agent's output. NEVER write "TBD" or "unknown" \u2014 if you don't know, re-read the source.
 
 ### Feature Matrix
-| Feature | opencode-ultra | Other plugin(s) | Gap? |
-|---------|---------------|-----------------|------|
-| (feature) | Yes/No | Which plugin has it | Missing / Partial / Covered |
+| Feature | opencode-ultra (current) | Other plugin(s) | Gap? |
+|---------|-------------------------|-----------------|------|
+| (feature) | Yes / No / Partial \u2014 cite which file | Which plugin has it | Missing / Partial / Covered |
 
 Focus on features that are:
 - **Genuinely useful** (not gimmicks)
@@ -14961,11 +14970,12 @@ Focus on features that are:
 - Trivial wrappers or abandoned projects
 
 ## PHASE 3: PROPOSE
-For each identified gap, produce a concrete improvement proposal:
+For each identified gap (Missing or Partial), produce a concrete improvement proposal:
 
 \`\`\`
 ## Improvement: [Feature Name]
 **Inspiration**: [Plugin name] \u2014 [what it does]
+**Current state in opencode-ultra**: [what we have now, citing files]
 **Why**: [Why opencode-ultra needs this]
 **How**: [Implementation sketch \u2014 which file to modify, what to add]
 **Effort**: Low / Medium / High
@@ -14987,6 +14997,7 @@ ledger_save({
 - The goal is to make opencode-ultra BETTER, not to install other plugins.
 - Other plugins are REFERENCE MATERIAL \u2014 study their approach, then design our own implementation.
 - Every proposal must include a concrete "How" section with file paths and implementation direction.
+- The opencode-ultra column in Feature Matrix must NEVER be TBD. Read the source first.
 - Present the final proposals to the user for approval before any implementation.`;
 
 // src/hooks/rules-injector.ts

package/dist/safety/index.d.ts

@@ -0,0 +1,2 @@
+export { sanitizeAgentOutput, sanitizeSpawnResult, type SanitizeResult } from "./sanitizer";
+export { computeTrustScore, isTyposquatSuspect, formatTrustTable, type PackageMetadata, type TrustScoreResult, type TrustFactor, } from "./trust-score";

package/dist/safety/sanitizer.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Prompt injection sanitizer — strips common injection patterns from agent outputs.
+ * Applied at the boundary where sub-agent results re-enter the orchestrator's context.
+ */
+export interface SanitizeResult {
+    text: string;
+    flagged: boolean;
+    warnings: string[];
+}
+/**
+ * Sanitize text from agent outputs to prevent prompt injection.
+ * Returns the cleaned text plus any warnings.
+ */
+export declare function sanitizeAgentOutput(text: string): SanitizeResult;
+/**
+ * Apply sanitizer to a spawn_agent result string.
+ * Adds a warning banner if injection was detected.
+ */
+export declare function sanitizeSpawnResult(result: string): string;

package/dist/safety/trust-score.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Trust Score — evaluates npm packages for reliability and safety.
+ * Used by evolve mode to rank plugin recommendations.
+ *
+ * Score 0–100:
+ *   90–100  HIGH trust (well-maintained, popular, verified)
+ *   70–89   MEDIUM trust (decent maintenance, some usage)
+ *   40–69   LOW trust (stale, low usage, or missing metadata)
+ *   0–39    RISKY (abandoned, typosquat suspect, no repo)
+ */
+export interface PackageMetadata {
+    name: string;
+    version?: string;
+    description?: string;
+    license?: string;
+    /** ISO date string of last publish */
+    lastPublished?: string;
+    /** Weekly npm downloads */
+    weeklyDownloads?: number;
+    /** GitHub stars (0 if no repo) */
+    stars?: number;
+    /** GitHub repo URL */
+    repository?: string;
+    /** Whether the package has a README */
+    hasReadme?: boolean;
+    /** Number of maintainers */
+    maintainerCount?: number;
+    /** Number of dependencies */
+    dependencyCount?: number;
+}
+export interface TrustScoreResult {
+    score: number;
+    level: "high" | "medium" | "low" | "risky";
+    factors: TrustFactor[];
+    summary: string;
+}
+export interface TrustFactor {
+    name: string;
+    score: number;
+    maxScore: number;
+    detail: string;
+}
+export declare function computeTrustScore(meta: PackageMetadata): TrustScoreResult;
+export declare function isTyposquatSuspect(name: string): boolean;
+/**
+ * Format trust scores as a markdown table for evolve output.
+ */
+export declare function formatTrustTable(results: Array<{
+    meta: PackageMetadata;
+    score: TrustScoreResult;
+}>): string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-ultra",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "description": "Lightweight OpenCode 1.2.x plugin — ultrawork mode, multi-agent orchestration, rules injection",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",