opencode-ultra 0.6.1 → 0.6.3

package/dist/config.d.ts

@@ -69,6 +69,10 @@ declare const PluginConfigSchema: z.ZodObject<{
         maxEnforcements: z.ZodOptional<z.ZodNumber>;
     }, z.core.$strip>>;
     mcp_api_keys: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    safety: z.ZodOptional<z.ZodObject<{
+        maxTotalSpawned: z.ZodOptional<z.ZodNumber>;
+        agentTimeoutMs: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>>;
 }, z.core.$loose>;
 export type PluginConfig = z.infer<typeof PluginConfigSchema>;
 export declare function parsePluginConfig(raw: unknown): PluginConfig;

package/dist/index.js

@@ -14923,71 +14923,86 @@ SYNTHESIZE findings before proceeding.`;
 var THINK_MESSAGE = `Extended thinking enabled. Take your time to reason thoroughly.`;
 var EVOLVE_MESSAGE = `[evolve-mode] SELF-IMPROVEMENT CYCLE ACTIVATED.
 
+## CRITICAL PATH: opencode-ultra source location
+opencode-ultra is INSTALLED as a plugin. Its source is at:
+  **~/.cache/opencode/node_modules/opencode-ultra/**
+NOT in the working directory. You must read from this path.
+
 ## MISSION
-Discover what other OpenCode plugins do well, compare with opencode-ultra's current capabilities, and propose concrete improvements to opencode-ultra itself.
+Compare opencode-ultra's ACTUAL current capabilities (read from source) with other OpenCode plugins, then propose concrete improvements.
 
 This is NOT about installing other plugins. This is about LEARNING from the ecosystem and making opencode-ultra better.
 
-## TOOLS AVAILABLE
-- **spawn_agent** \u2014 run scout + explore agents in parallel for data gathering
-- **ledger_save** \u2014 persist improvement proposals for future implementation
+## PHASE 1: SELF-ANALYSIS (DO THIS FIRST \u2014 before anything else)
+
+Before researching other plugins, you MUST understand what opencode-ultra already has.
+Read these files yourself using Read/Grep/Glob (do NOT spawn an agent for this \u2014 you can read directly):
+
+1. ~/.cache/opencode/node_modules/opencode-ultra/README.md
+2. ~/.cache/opencode/node_modules/opencode-ultra/dist/index.js (search for tool names, hook names)
+
+Or use Glob to list: ~/.cache/opencode/node_modules/opencode-ultra/**/*.ts
+
+From the README and source, build this inventory:
+- Tools provided: (list each tool name and what it does)
+- Hooks used: (list each hook and its purpose)
+- Agents defined: (list each agent, its model, its role)
+- Safety features: (sanitizer, trust score, spawn limits, etc.)
+- Other features: (concurrency, categories, keyword detection, etc.)
+
+**STOP and verify**: You must have a concrete capability list before proceeding. If you cannot read the files, try: ls ~/.cache/opencode/node_modules/opencode-ultra/
+
+## PHASE 2: ECOSYSTEM RESEARCH (parallel with spawn_agent)
 
-## PHASE 1: GATHER (parallel)
+Now research what other plugins offer:
 \`\`\`
 spawn_agent({
   agents: [
-    {agent: "scout", prompt: "Search npm and GitHub for OpenCode 1.2.x plugins. For EACH plugin, analyze: what features does it provide? What hooks, tools, or techniques does it use? Focus on UNIQUE capabilities that are genuinely useful. Return a structured feature inventory per plugin.", description: "Ecosystem feature scan"},
-    {agent: "explore", prompt: "Read opencode-ultra's source: src/index.ts, src/tools/*.ts, src/hooks/*.ts, src/safety/*.ts, src/agents/index.ts, README.md. Catalog every feature, tool, hook, and capability. Be exhaustive.", description: "Self-analysis"}
+    {agent: "scout", prompt: "Search npm and GitHub for OpenCode 1.2.x plugins. For EACH interesting plugin: what features does it provide? What hooks, tools, or techniques does it use? Focus on UNIQUE capabilities. Return a structured feature inventory per plugin.", description: "Ecosystem scan"},
+    {agent: "librarian", prompt: "Search for OpenCode plugin best practices, architectural patterns, and advanced techniques. Look at oh-my-opencode, opencode-supermemory, opencode-dcp, opencode-rate-limit-fallback, opencode-worktree, opencode-mad. What patterns do they share? What's unique?", description: "Plugin patterns research"}
   ]
 })
 \`\`\`
 
-## PHASE 2: COMPARE
-After gathering results, build a structured gap analysis:
+## PHASE 3: COMPARE
+
+Build a Feature Matrix using YOUR self-analysis (Phase 1) and agent results (Phase 2).
+
+**RULE**: The "opencode-ultra" column MUST contain Yes/No/Partial with the specific file or feature name. NEVER write "TBD", "unknown", or "\u4E0D\u660E". You read the source yourself \u2014 you know the answer.
 
-### Feature Matrix
 | Feature | opencode-ultra | Other plugin(s) | Gap? |
 |---------|---------------|-----------------|------|
-| (feature) | Yes/No | Which plugin has it | Missing / Partial / Covered |
-
-Focus on features that are:
-- **Genuinely useful** (not gimmicks)
-- **Feasible to implement** (not requiring external infrastructure)
-- **Complementary** to existing capabilities (not duplicate)
+| Multi-agent orchestration | Yes \u2014 spawn_agent tool | oh-my-opencode, MAD | Covered |
+| (example) | No | opencode-dcp | Missing |
+| (example) | Partial \u2014 basic in sanitizer.ts | envsitter-guard | Partial |
 
-### What to IGNORE
-- Auth plugins (opencode-antigravity-auth etc.) \u2014 domain-specific, not relevant
-- oh-my-opencode features we already ported \u2014 mark as "Covered"
-- Trivial wrappers or abandoned projects
+## PHASE 4: PROPOSE
 
-## PHASE 3: PROPOSE
-For each identified gap, produce a concrete improvement proposal:
+For each Missing or Partial gap, propose a concrete improvement:
 
-\`\`\`
 ## Improvement: [Feature Name]
 **Inspiration**: [Plugin name] \u2014 [what it does]
-**Why**: [Why opencode-ultra needs this]
-**How**: [Implementation sketch \u2014 which file to modify, what to add]
+**Current state**: [what opencode-ultra has now, citing specific files/tools]
+**Why**: [concrete benefit]
+**How**: [which file to modify, what to add \u2014 be specific]
 **Effort**: Low / Medium / High
-**Priority**: P0 (critical) / P1 (important) / P2 (nice-to-have)
-\`\`\`
+**Priority**: P0 / P1 / P2
 
-Sort proposals by Priority then Effort (P0-Low first, P2-High last).
+Sort by Priority then Effort.
 
-## PHASE 4: SAVE
-Save the full analysis to the continuity ledger:
+## PHASE 5: SAVE
 \`\`\`
 ledger_save({
   name: "evolve-scan-YYYY-MM-DD",
-  content: "# Evolve Scan Results\\n\\n## Feature Matrix\\n...\\n## Improvement Proposals\\n..."
+  content: "# Evolve Scan Results\\n\\n## Current Capabilities\\n...\\n## Feature Matrix\\n...\\n## Proposals\\n..."
 })
 \`\`\`
 
-## IMPORTANT
-- The goal is to make opencode-ultra BETTER, not to install other plugins.
-- Other plugins are REFERENCE MATERIAL \u2014 study their approach, then design our own implementation.
-- Every proposal must include a concrete "How" section with file paths and implementation direction.
-- Present the final proposals to the user for approval before any implementation.`;
+## RULES
+- Read opencode-ultra source YOURSELF first. Do not delegate self-analysis to a sub-agent.
+- The Feature Matrix must reflect what you actually read. No guessing.
+- Proposals must cite specific opencode-ultra files for the "How" section.
+- Present proposals to user for approval before implementation.`;
 
 // src/hooks/rules-injector.ts
 import * as fs2 from "fs";

package/dist/safety/index.d.ts

@@ -0,0 +1,2 @@
+export { sanitizeAgentOutput, sanitizeSpawnResult, type SanitizeResult } from "./sanitizer";
+export { computeTrustScore, isTyposquatSuspect, formatTrustTable, type PackageMetadata, type TrustScoreResult, type TrustFactor, } from "./trust-score";

package/dist/safety/sanitizer.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Prompt injection sanitizer — strips common injection patterns from agent outputs.
+ * Applied at the boundary where sub-agent results re-enter the orchestrator's context.
+ */
+export interface SanitizeResult {
+    text: string;
+    flagged: boolean;
+    warnings: string[];
+}
+/**
+ * Sanitize text from agent outputs to prevent prompt injection.
+ * Returns the cleaned text plus any warnings.
+ */
+export declare function sanitizeAgentOutput(text: string): SanitizeResult;
+/**
+ * Apply sanitizer to a spawn_agent result string.
+ * Adds a warning banner if injection was detected.
+ */
+export declare function sanitizeSpawnResult(result: string): string;

package/dist/safety/trust-score.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Trust Score — evaluates npm packages for reliability and safety.
+ * Used by evolve mode to rank plugin recommendations.
+ *
+ * Score 0–100:
+ *   90–100  HIGH trust (well-maintained, popular, verified)
+ *   70–89   MEDIUM trust (decent maintenance, some usage)
+ *   40–69   LOW trust (stale, low usage, or missing metadata)
+ *   0–39    RISKY (abandoned, typosquat suspect, no repo)
+ */
+export interface PackageMetadata {
+    name: string;
+    version?: string;
+    description?: string;
+    license?: string;
+    /** ISO date string of last publish */
+    lastPublished?: string;
+    /** Weekly npm downloads */
+    weeklyDownloads?: number;
+    /** GitHub stars (0 if no repo) */
+    stars?: number;
+    /** GitHub repo URL */
+    repository?: string;
+    /** Whether the package has a README */
+    hasReadme?: boolean;
+    /** Number of maintainers */
+    maintainerCount?: number;
+    /** Number of dependencies */
+    dependencyCount?: number;
+}
+export interface TrustScoreResult {
+    score: number;
+    level: "high" | "medium" | "low" | "risky";
+    factors: TrustFactor[];
+    summary: string;
+}
+export interface TrustFactor {
+    name: string;
+    score: number;
+    maxScore: number;
+    detail: string;
+}
+export declare function computeTrustScore(meta: PackageMetadata): TrustScoreResult;
+export declare function isTyposquatSuspect(name: string): boolean;
+/**
+ * Format trust scores as a markdown table for evolve output.
+ */
+export declare function formatTrustTable(results: Array<{
+    meta: PackageMetadata;
+    score: TrustScoreResult;
+}>): string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-ultra",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "description": "Lightweight OpenCode 1.2.x plugin — ultrawork mode, multi-agent orchestration, rules injection",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",