npm - opencode-ultra - Versions diffs - 0.6.4 → 0.7.0 - Mend

opencode-ultra 0.6.4 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +96 -31
package/package.json +16 -1

package/dist/index.js CHANGED Viewed

@@ -27570,6 +27570,7 @@ function sanitizeSpawnResult(result) {
 ` + text;
 }
 // src/safety/trust-score.ts
+var MAX_TRUST_SCORE = 108;
 var KNOWN_SCOPES = [
   "@opencode-ai/",
   "opencode-",
@@ -27588,13 +27589,17 @@ var TYPOSQUAT_PATTERNS = [
   /^opencode-.{1,3}$/i
 ];
 function computeTrustScore(meta3) {
-  const factors = [];
-  factors.push(scoreRecency(meta3));
-  factors.push(scorePopularity(meta3));
-  factors.push(scoreQuality(meta3));
-  factors.push(scoreRepository(meta3));
-  factors.push(scoreSafety(meta3));
-  const totalScore = Math.min(100, factors.reduce((sum, f) => sum + f.score, 0));
+  const factors = [
+    scoreRecency(meta3),
+    scorePopularity(meta3),
+    scoreQuality(meta3),
+    scoreRepository(meta3),
+    scoreSafety(meta3),
+    scoreProvenance(meta3),
+    scoreDependencyRisk(meta3)
+  ];
+  const raw = factors.reduce((sum, f) => sum + f.score, 0);
+  const totalScore = clamp(raw, 0, MAX_TRUST_SCORE);
   const level = classifyLevel(totalScore);
   const summary = buildSummary(meta3.name, totalScore, level, factors);
   log("Trust score computed", { package: meta3.name, score: totalScore, level });
@@ -27701,49 +27706,107 @@ function scoreRepository(meta3) {
 }
 function scoreSafety(meta3) {
   const maxScore = 15;
-  let score = 15;
+  let score = 13;
   const details = [];
   if (isTyposquatSuspect(meta3.name)) {
-    score -= 15;
+    score = 0;
     details.push("TYPOSQUAT SUSPECT");
   } else {
     details.push("Name OK");
+    if (KNOWN_SCOPES.some((s) => meta3.name.startsWith(s))) {
+      score = Math.min(maxScore, score + 2);
+      details.push("Known scope");
+    }
   }
-  if (KNOWN_SCOPES.some((s) => meta3.name.startsWith(s))) {
-    score = Math.min(maxScore, score + 3);
-    details.push("Known scope");
+  return { name: "safety", score: Math.max(0, score), maxScore, detail: details.join(", ") };
+}
+function scoreProvenance(meta3) {
+  const maxScore = 8;
+  if (meta3.hasProvenance) {
+    return { name: "provenance", score: 8, maxScore, detail: "Has npm provenance/attestation" };
   }
-  const deps = meta3.dependencyCount ?? 0;
-  if (deps > 50) {
-    score = Math.max(0, score - 5);
-    details.push(`${deps} deps \u2014 heavy`);
-  } else if (deps > 20) {
-    score = Math.max(0, score - 2);
-    details.push(`${deps} deps`);
+  return { name: "provenance", score: 0, maxScore, detail: "No npm provenance" };
+}
+function scoreDependencyRisk(meta3) {
+  const maxScore = 5;
+  const deps = meta3.dependencyCount;
+  if (deps === undefined) {
+    return { name: "dependency_risk", score: 0, maxScore, detail: "No dependency info" };
   }
-  return { name: "safety", score: Math.max(0, score), maxScore, detail: details.join(", ") };
+  if (deps > 20) {
+    return { name: "dependency_risk", score: -5, maxScore, detail: `${deps} deps > 20 \u2014 supply-chain risk` };
+  }
+  return { name: "dependency_risk", score: 0, maxScore, detail: `${deps} deps` };
 }
 function isTyposquatSuspect(name) {
-  return TYPOSQUAT_PATTERNS.some((p) => p.test(name));
+  if (TYPOSQUAT_PATTERNS.some((p) => p.test(name)))
+    return true;
+  const base = unscopedName(name).toLowerCase();
+  const target = "opencode-ultra";
+  if (base && base !== target && levenshteinDistance(base, target) <= 2)
+    return true;
+  return false;
+}
+function isHighPrivilege(name) {
+  return /\b(pty|exec|shell|sudo)\b/i.test(name);
+}
+function unscopedName(name) {
+  if (!name)
+    return "";
+  if (name.startsWith("@")) {
+    const parts = name.split("/");
+    return parts[1] ?? name;
+  }
+  return name;
+}
+function levenshteinDistance(a, b) {
+  if (a === b)
+    return 0;
+  if (a.length === 0)
+    return b.length;
+  if (b.length === 0)
+    return a.length;
+  const m = a.length;
+  const n = b.length;
+  const dp = new Array(n + 1);
+  for (let j = 0;j <= n; j++)
+    dp[j] = j;
+  for (let i = 1;i <= m; i++) {
+    let prev = dp[0];
+    dp[0] = i;
+    for (let j = 1;j <= n; j++) {
+      const tmp = dp[j];
+      const cost = a.charCodeAt(i - 1) === b.charCodeAt(j - 1) ? 0 : 1;
+      dp[j] = Math.min(dp[j] + 1, dp[j - 1] + 1, prev + cost);
+      prev = tmp;
+    }
+  }
+  return dp[n];
 }
 function classifyLevel(score) {
-  if (score >= 90)
+  const pct = score / MAX_TRUST_SCORE;
+  if (pct >= 0.9)
     return "high";
-  if (score >= 70)
+  if (pct >= 0.7)
     return "medium";
-  if (score >= 40)
+  if (pct >= 0.4)
     return "low";
   return "risky";
 }
 function daysSince(isoDate) {
   const then = new Date(isoDate).getTime();
+  if (!Number.isFinite(then))
+    return 9999;
   const now = Date.now();
-  return Math.floor((now - then) / (1000 * 60 * 60 * 24));
+  return Math.max(0, Math.floor((now - then) / (1000 * 60 * 60 * 24)));
+}
+function clamp(n, min, max) {
+  return Math.max(min, Math.min(max, n));
 }
 function buildSummary(name, score, level, factors) {
   const icon = level === "high" ? "V" : level === "medium" ? "~" : level === "low" ? "!" : "X";
   const weakest = [...factors].sort((a, b) => a.score / a.maxScore - b.score / b.maxScore)[0];
-  return `[${icon}] ${name}: ${score}/100 (${level}) \u2014 weakest: ${weakest.name} (${weakest.score}/${weakest.maxScore}: ${weakest.detail})`;
+  return `[${icon}] ${name}: ${score}/${MAX_TRUST_SCORE} (${level}) \u2014 weakest: ${weakest.name} (${weakest.score}/${weakest.maxScore}: ${weakest.detail})`;
 }
 // src/tools/spawn-agent.ts
 var DEFAULT_MAX_TOTAL_SPAWNED = 15;
@@ -28444,17 +28507,19 @@ evolve_apply({
         }
         const meta3 = rec.metadata ?? { name: rec.name };
         const trustResult = computeTrustScore(meta3);
-        const scoreTag = `[${trustResult.score}/100 ${trustResult.level}]`;
-        trustLines.push(`  ${scoreTag} ${rec.name} \u2014 ${rec.reason}`);
+        const effectiveMinScore = isHighPrivilege(rec.name) ? minScore + 20 : minScore;
+        const highPrivTag = isHighPrivilege(rec.name) ? " [HIGH-PRIV +20]" : "";
+        const scoreTag = `[${trustResult.score}/108 ${trustResult.level}]`;
+        trustLines.push(`  ${scoreTag} ${rec.name}${highPrivTag} \u2014 ${rec.reason}`);
         for (const f of trustResult.factors) {
           trustLines.push(`    ${f.name}: ${f.score}/${f.maxScore} (${f.detail})`);
         }
-        if (trustResult.score < minScore) {
+        if (trustResult.score < effectiveMinScore) {
           skipped.push({
             name: rec.name,
-            reason: `Trust score ${trustResult.score} < ${minScore} (${trustResult.level})`
+            reason: `Trust score ${trustResult.score} < ${effectiveMinScore} (${trustResult.level})${highPrivTag}`
           });
-          trustLines.push(`    -> REJECTED (below threshold ${minScore})`);
+          trustLines.push(`    -> REJECTED (below threshold ${effectiveMinScore})`);
           continue;
         }
         added.push(rec.name);

package/package.json CHANGED Viewed

@@ -1,7 +1,22 @@
 {
   "name": "opencode-ultra",
-  "version": "0.6.4",
+  "version": "0.7.0",
   "description": "Lightweight OpenCode 1.2.x plugin — ultrawork mode, multi-agent orchestration, rules injection",
+  "keywords": [
+    "opencode",
+    "plugin",
+    "orchestration",
+    "multi-agent",
+    "ultrawork"
+  ],
+  "homepage": "https://github.com/outxci/opencode-ultra#readme",
+  "bugs": {
+    "url": "https://github.com/outxci/opencode-ultra/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/outxci/opencode-ultra.git"
+  },
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "type": "module",