opencodekit 0.16.1 → 0.16.3

package/dist/index.js

@@ -750,9 +750,16 @@ var cac = (name = "") => new CAC(name);
 // package.json
 var package_default = {
   name: "opencodekit",
-  version: "0.16.1",
+  version: "0.16.3",
   description: "CLI tool for bootstrapping and managing OpenCodeKit projects",
-  keywords: ["agents", "cli", "mcp", "opencode", "opencodekit", "template"],
+  keywords: [
+    "agents",
+    "cli",
+    "mcp",
+    "opencode",
+    "opencodekit",
+    "template"
+  ],
   license: "MIT",
   author: "OpenCodeKit",
   repository: {
@@ -762,7 +769,10 @@ var package_default = {
   bin: {
     ock: "dist/index.js"
   },
-  files: ["dist", "README.md"],
+  files: [
+    "dist",
+    "README.md"
+  ],
   type: "module",
   publishConfig: {
     access: "public",
@@ -808,7 +818,9 @@ var package_default = {
   engines: {
     bun: ">=1.3.2"
   },
-  trustedDependencies: ["@beads/bd"]
+  trustedDependencies: [
+    "@beads/bd"
+  ]
 };
 
 // src/commands/agent.ts

package/dist/template/.opencode/AGENTS.md

@@ -16,6 +16,27 @@ Everything else is guidelines, not laws.
 
 ---
 
+## Trust Hierarchy
+
+**DO NOT search when instructions already exist.** Searching is expensive. Follow this order:
+
+1. **AGENTS.md** - Project-specific rules (this file or `./AGENTS.md`)
+2. **Memory** - Past decisions, patterns, gotchas (`memory-search`)
+3. **Project files** - `.opencode/memory/project/` (commands, conventions, tech-stack)
+4. **Codebase search** - Only if above sources are incomplete or wrong
+
+If instructions are incomplete or wrong, **update them** after finding the truth. Don't just use the correct info once—fix the source so future work benefits.
+
+### Atomic Version
+
+```
+DO NOT search when instructions exist.
+TRUST: AGENTS.md → memory → project files → search
+UPDATE instructions when you find errors.
+```
+
+---
+
 ## Skills vs Commands
 
 - Use **commands** for user-facing entrypoints (workflows and intent).
@@ -423,7 +444,25 @@ Before you start implementing, verify the requirements are clear. If interpretat
 
 Before you claim completion, verify these things:
 
-1. **Run review agent** on any significant code changes:
+1. **Run validation commands** (in order):
+
+   ```bash
+   # Type check (REQUIRED if TypeScript/JavaScript)
+   npm run typecheck  # or: bun run typecheck, tsc --noEmit
+
+   # Build (REQUIRED)
+   npm run build  # or: bun run build, cargo build, go build
+
+   # Test (REQUIRED if tests exist)
+   npm test  # or: bun test, cargo test, go test, pytest
+
+   # Lint (REQUIRED if linter configured)
+   npm run lint  # or: bun run lint, cargo clippy, golangci-lint
+   ```
+
+   Skip only if project lacks that script. Document missing scripts in `project/gotchas.md`.
+
+2. **Run review agent** on any significant code changes:
 
    ```typescript
    Task({
@@ -435,11 +474,12 @@ Before you claim completion, verify these things:
 
    If review suggests simplification, implement it before proceeding.
 
-2. You ran `bd close <id>` with a meaningful reason
-3. You ran `bd sync` to push changes
-4. There are no pending LSP nudges
-5. You saved observations for any important decisions or patterns
+3. You ran `bd close <id>` with a meaningful reason
+4. You ran `bd sync` to push changes
+5. There are no pending LSP nudges
+6. You saved observations for any important decisions or patterns
 
+**DO NOT skip validation commands.** Failed builds/tests after merge waste everyone's time.
 **DO NOT skip the Oracle critique for non-trivial changes.** This prevents bloated, overcomplicated solutions that could be 10x simpler.
 
 ---

package/dist/template/.opencode/agent/scout.md

@@ -130,15 +130,61 @@ To construct a permalink: use `grepsearch` to find code, then build the URL from
 | Priority | Tool          | Use Case                                  | Speed   |
 | -------- | ------------- | ----------------------------------------- | ------- |
 | 1        | memory-search | Past research findings                    | Instant |
-| 2        | context7      | Official library docs                     | Fast    |
-| 3        | codesearch    | Exa Code API for SDK/library patterns     | Fast    |
-| 4        | grepsearch    | Cross-repo GitHub code search (1M+ repos) | Medium  |
-| 5        | webfetch      | Specific doc URLs, READMEs, changelogs    | Medium  |
-| 6        | opensrc + LSP | Clone & analyze source code               | Slow    |
-| 7        | websearch     | Tutorials, blog posts, recent news        | Slow    |
+| 2        | v1-run        | npm package health, vulns, comparisons    | Fast    |
+| 3        | context7      | Official library docs                     | Fast    |
+| 4        | codesearch    | Exa Code API for SDK/library patterns     | Fast    |
+| 5        | grepsearch    | Cross-repo GitHub code search (1M+ repos) | Medium  |
+| 6        | webfetch      | Specific doc URLs, READMEs, changelogs    | Medium  |
+| 7        | opensrc + LSP | Clone & analyze source code               | Slow    |
+| 8        | websearch     | Tutorials, blog posts, recent news        | Slow    |
 
 **Rule:** Exhaust faster tools before slower ones. Run tools in parallel when independent.
 
+## v1-run MCP (npm Package Intelligence)
+
+Use for npm package evaluation before adding dependencies. Load the skill first:
+
+```typescript
+skill({ name: "v1-run" });
+```
+
+### Primary Tool: get_package_health
+
+```typescript
+// Comprehensive health check (use this first)
+skill_mcp({ skill_name: "v1-run", tool_name: "get_package_health", arguments: '{"name": "zod"}' });
+```
+
+Returns: version, vulnerabilities, health score (0-100), downloads, TypeScript support, maintenance status, AI recommendation.
+
+### Compare Packages
+
+```typescript
+// Side-by-side comparison (2-5 packages)
+skill_mcp({
+  skill_name: "v1-run",
+  tool_name: "compare_packages",
+  arguments: '{"packages": ["zod", "yup", "joi"]}',
+});
+```
+
+### Other Tools
+
+| Tool                    | Use Case                              |
+| ----------------------- | ------------------------------------- |
+| `check_vulnerabilities` | Security audit for specific version   |
+| `check_deprecated`      | Check if package is deprecated        |
+| `find_alternatives`     | Discover better options for a package |
+| `check_types`           | Verify TypeScript support             |
+| `get_package_version`   | Get latest version only               |
+
+**When to use v1-run:**
+
+- Choosing between npm packages → `compare_packages`
+- Before adding a dependency → `get_package_health`
+- Security audit → `check_vulnerabilities`
+- Package seems abandoned → `find_alternatives`
+
 ## context7 Tools
 
 Use to access up-to-date library documentation (37.6k+ libraries).

package/dist/template/.opencode/command/create.md

@@ -1,8 +1,7 @@
 ---
 description: Create a specification for a bead using templates
 argument-hint: "<bead-id> [--prd] [--proposal]"
-agent: plan
-subtask: true
+agent: build
 ---
 
 # Create: $ARGUMENTS
@@ -108,7 +107,8 @@ question({
     },
     {
       header: "Users",
-      question: "Who will use this? (developers, end users, API consumers, etc.)",
+      question:
+        "Who will use this? (developers, end users, API consumers, etc.)",
       options: [
         { label: "Developers", description: "Internal tooling or API" },
         { label: "End users", description: "Customer-facing feature" },

package/dist/template/.opencode/command/research.md

@@ -23,6 +23,9 @@ if (thorough) {
   skill({ name: "deep-research" });
 }
 
+// For npm package evaluation
+skill({ name: "v1-run" });
+
 // For source code analysis
 skill({ name: "source-code-research" });
 
@@ -149,10 +152,11 @@ If memory search fails (Ollama not running), continue to external sources.
 
 1. **Codebase patterns** (highest trust) - Delegate to @explore for LSP analysis
 2. **Official docs** (high trust) - What does the library documentation say?
-3. **Context7** (high trust) - API usage and examples
-4. **Source code** (high trust) - Library implementation (use `source-code-research` skill)
-5. **GitHub examples** (medium trust) - Real-world patterns via codesearch/grepsearch
-6. **Web search** (lower trust) - Only if tiers 1-5 don't answer
+3. **v1-run** (high trust) - npm package health, vulnerabilities, comparisons
+4. **Context7** (high trust) - API usage and examples
+5. **Source code** (high trust) - Library implementation (use `source-code-research` skill)
+6. **GitHub examples** (medium trust) - Real-world patterns via codesearch/grepsearch
+7. **Web search** (lower trust) - Only if tiers 1-6 don't answer
 
 ## Research
 

package/dist/template/.opencode/dcp.jsonc

@@ -1,72 +1,81 @@
 {
-  "$schema": "https://unpkg.com/@anthropic/dynamic-context-protocol@1.2.7/schema.json",
-  "enabled": true,
-  "debug": false,
-  // "minimal" shows prune activity without noise; "detailed" shows token counts
-  "pruneNotification": "off",
-  "turnProtection": {
-    "enabled": true,
-    // 3 turns = faster cleanup while still protecting recent context
-    "turns": 3,
-  },
-  // Protected file patterns - never auto-prune reads of these files (v1.1.5+)
-  "protectedFilePatterns": [
-    "**/.env*",
-    "**/AGENTS.md",
-    "**/.opencode/**",
-    "**/.beads/**",
-    "**/package.json",
-    "**/tsconfig.json",
-    "**/biome.json",
-  ],
-  "tools": {
-    "settings": {
-      "nudgeEnabled": true,
-      // Nudge every 8 tool calls (slightly more aggressive than default 10)
-      "nudgeFrequency": 8,
-      // Protect state-modifying and critical workflow tools
-      "protectedTools": [
-        "write",
-        "edit",
-        "memory-update",
-        "skill",
-        "skill_mcp",
-        "task",
-        "batch",
-        "todowrite",
-        "todoread",
-        "lsp",
-        "lsp_lsp_rename",
-        "lsp_lsp_find_references",
-        "lsp_lsp_goto_definition",
-        "lsp_lsp_code_actions",
-        "lsp_lsp_code_action_apply",
-        "lsp_lsp_organize_imports",
-      ],
-    },
-    "discard": {
-      "enabled": true,
-    },
-    "extract": {
-      "enabled": true,
-      "showDistillation": false,
-    },
-  },
-  "strategies": {
-    // Dedup = zero LLM cost, high impact - always enable
-    "deduplication": {
-      "enabled": true,
-      "protectedTools": [],
-    },
-    // Supersede writes = zero cost, removes redundant write inputs after read
-    "supersedeWrites": {
-      "enabled": true,
-    },
-    // Purge error inputs after 3 turns
-    "purgeErrors": {
-      "enabled": true,
-      "turns": 3,
-      "protectedTools": [],
-    },
-  },
+	"$schema": "https://raw.githubusercontent.com/Opencode-DCP/opencode-dynamic-context-pruning/dev/dcp.schema.json",
+	"enabled": true,
+	"debug": false,
+	// "minimal" shows prune activity without noise; "detailed" shows token counts
+	"pruneNotification": "off",
+	// "chat" (in-conversation) or "toast" (system notification) - beta feature
+	"pruneNotificationType": "chat",
+	// Commands: /dcp context, /dcp stats, /dcp sweep
+	"commands": {
+		"enabled": true,
+		// Protect these from /dcp sweep
+		"protectedTools": ["observation", "memory-update", "memory-search"]
+	},
+	"turnProtection": {
+		"enabled": true,
+		"turns": 4
+	},
+	// Protected file patterns - never auto-prune reads of these files
+	"protectedFilePatterns": [
+		"**/.env*",
+		"**/AGENTS.md",
+		"**/.opencode/**",
+		"**/.beads/**",
+		"**/package.json",
+		"**/tsconfig.json",
+		"**/biome.json"
+	],
+	"tools": {
+		"settings": {
+			"nudgeEnabled": true,
+			"nudgeFrequency": 10,
+			// Protect state-modifying and critical workflow tools
+			// LSP excluded: ephemeral exploration, prune after understanding
+			"protectedTools": [
+				"write",
+				"edit",
+				"memory-update",
+				"observation",
+				"skill",
+				"skill_mcp",
+				"task",
+				"batch",
+				"todowrite",
+				"todoread"
+			]
+		},
+		// Beta: renamed from "discard" - removes tool content without preservation
+		"prune": {
+			"enabled": true
+		},
+		// Beta: renamed from "extract" - distills key findings before removing
+		"distill": {
+			"enabled": true,
+			"showDistillation": false
+		},
+		// Beta: NEW - collapses range of messages + tools into single summary
+		"compress": {
+			"enabled": true,
+			"showCompression": true
+		}
+	},
+	"strategies": {
+		// Dedup = zero LLM cost, high impact - always enable
+		"deduplication": {
+			"enabled": true,
+			"protectedTools": []
+		},
+		// Supersede writes = zero cost, removes redundant write inputs after read
+		// Note: default changed to false in beta, we explicitly enable
+		"supersedeWrites": {
+			"enabled": true
+		},
+		// Purge error inputs after N turns
+		"purgeErrors": {
+			"enabled": true,
+			"turns": 4,
+			"protectedTools": []
+		}
+	}
 }

package/dist/template/.opencode/opencode.json

@@ -155,7 +155,7 @@
 		}
 	},
 	"plugin": [
-		"@tarquinen/opencode-dcp@latest",
+		"@tarquinen/opencode-dcp@beta",
 		"@franlol/opencode-md-table-formatter@0.0.3"
 	],
 	"provider": {

package/dist/template/.opencode/package.json

@@ -11,7 +11,7 @@
     "type-check": "tsc --noEmit"
   },
   "dependencies": {
-    "@opencode-ai/plugin": "1.1.48"
+    "@opencode-ai/plugin": "1.1.49"
   },
   "devDependencies": {
     "@types/node": "^25.1.0",

package/dist/template/.opencode/plugin/sdk/copilot/chat/convert-to-openai-compatible-chat-messages.ts

@@ -20,14 +20,11 @@ export function convertToOpenAICompatibleChatMessages(
 		const metadata = getOpenAIMetadata({ ...message });
 		switch (role) {
 			case "system": {
+				// v1.1.49 fix: Copilot API expects system message content as plain string,
+				// not array format. Array format causes AGENTS.md to be silently ignored.
 				messages.push({
 					role: "system",
-					content: [
-						{
-							type: "text",
-							text: content,
-						},
-					],
+					content: content,
 					...metadata,
 				});
 				break;

package/dist/template/.opencode/skill/v1-run/SKILL.md

@@ -0,0 +1,165 @@
+---
+name: v1-run
+description: npm package intelligence via MCP. Real-time versions, vulnerability data, health scores, and package comparisons. Use when selecting npm packages, checking for vulnerabilities, or comparing alternatives.
+---
+
+# v1.run MCP
+
+Fast, accurate npm package intelligence for AI agents via Model Context Protocol.
+
+## Overview
+
+v1.run is an MCP-first npm registry by Midday.ai that provides:
+
+- **Real-time version data** - No hallucinated packages
+- **Security vulnerabilities** - From OSV database
+- **Health scores** - Automated 0-100 scoring
+- **Package comparisons** - 50+ pre-built categories
+
+## MCP Endpoint
+
+**URL**: `https://api.v1.run/mcp`
+
+**Authentication**: None required (public API)
+
+## Configuration
+
+v1.run MCP is pre-configured as a skill. Load it with:
+
+```typescript
+skill({ name: "v1-run" });
+```
+
+### Manual Setup (if needed)
+
+```json
+{
+  "mcpServers": {
+    "v1": {
+      "url": "https://api.v1.run/mcp"
+    }
+  }
+}
+```
+
+## Available Tools
+
+| Tool                    | Description                                                                                                       |
+| ----------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| `get_package_health`    | Comprehensive health assessment (primary tool) - version, vulns, score, downloads, TS support, AI recommendations |
+| `get_package_version`   | Get latest version of a package                                                                                   |
+| `check_deprecated`      | Check if package is deprecated + get alternatives                                                                 |
+| `check_types`           | Check TypeScript support (bundled or @types)                                                                      |
+| `check_vulnerabilities` | Security vulnerabilities from OSV database                                                                        |
+| `find_alternatives`     | Find alternative packages with recommendations                                                                    |
+| `compare_packages`      | Side-by-side comparison (2-5 packages)                                                                            |
+
+## Health Score System
+
+Packages are scored 0-100 based on:
+
+| Factor      | Weight | Measures                                |
+| ----------- | ------ | --------------------------------------- |
+| Downloads   | 20%    | Weekly downloads + trend direction      |
+| Bundle Size | 20%    | Smaller gzip = higher score             |
+| Freshness   | 25%    | Recent commits and releases             |
+| Community   | 10%    | Stars, contributors                     |
+| Quality     | 25%    | TypeScript, ESM, security, tree-shaking |
+
+## Usage Examples
+
+### Check Package Health
+
+```typescript
+// Get comprehensive health info for a package (primary tool)
+skill_mcp({ skill_name: "v1-run", tool_name: "get_package_health", arguments: '{"name": "zod"}' });
+```
+
+Response includes:
+
+- Latest version
+- Known vulnerabilities (CVEs)
+- Health score (0-100) with grade
+- Weekly downloads + trend
+- TypeScript support
+- Maintenance status
+- AI recommendation
+
+### Check for Deprecation
+
+```typescript
+// Check if package is deprecated and get alternatives
+skill_mcp({
+  skill_name: "v1-run",
+  tool_name: "check_deprecated",
+  arguments: '{"name": "request"}',
+});
+```
+
+### Check Vulnerabilities
+
+```typescript
+// Check specific version for security issues
+skill_mcp({
+  skill_name: "v1-run",
+  tool_name: "check_vulnerabilities",
+  arguments: '{"name": "lodash", "version": "4.17.20"}',
+});
+```
+
+### Find Alternatives
+
+```typescript
+// Find alternative packages
+skill_mcp({
+  skill_name: "v1-run",
+  tool_name: "find_alternatives",
+  arguments: '{"name": "moment"}',
+});
+```
+
+### Compare Packages
+
+```typescript
+// Compare similar packages (2-5 packages)
+skill_mcp({
+  skill_name: "v1-run",
+  tool_name: "compare_packages",
+  arguments: '{"packages": ["zod", "yup", "joi", "valibot"]}',
+});
+```
+
+## Pre-built Categories (50+)
+
+v1.run includes comparisons for popular package categories:
+
+- **HTTP clients**: axios, got, ky, node-fetch
+- **Date libraries**: moment, date-fns, dayjs, luxon
+- **Validation**: zod, yup, joi, ajv, valibot
+- **State management**: redux, zustand, jotai, recoil
+- **ORM**: prisma, drizzle, typeorm, sequelize
+- **Testing**: vitest, jest, mocha, ava
+- **Bundlers**: vite, esbuild, webpack, rollup
+- **Logging**: pino, winston, bunyan
+
+## When to Use
+
+Use v1.run MCP when:
+
+1. **Choosing between packages** - Get objective comparisons
+2. **Checking for vulnerabilities** - Before adding dependencies
+3. **Evaluating maintenance** - Is the package actively maintained?
+4. **Finding alternatives** - Discover better options for a package
+
+## Best Practices
+
+1. **Always check health** before adding new dependencies
+2. **Compare alternatives** when multiple packages solve the same problem
+3. **Verify TypeScript support** for TypeScript projects
+4. **Check bundle size** for frontend applications
+
+## Documentation
+
+- [v1.run](https://v1.run)
+- [GitHub: midday-ai/v1](https://github.com/midday-ai/v1)
+- [MCP Documentation](https://modelcontextprotocol.io)

package/dist/template/.opencode/skill/v1-run/mcp.json

@@ -0,0 +1,6 @@
+{
+	"v1": {
+		"command": "npx",
+		"args": ["-y", "mcp-remote", "https://api.v1.run/mcp"]
+	}
+}

package/package.json

@@ -1,8 +1,15 @@
 {
 	"name": "opencodekit",
-	"version": "0.16.1",
+	"version": "0.16.3",
 	"description": "CLI tool for bootstrapping and managing OpenCodeKit projects",
-	"keywords": ["agents", "cli", "mcp", "opencode", "opencodekit", "template"],
+	"keywords": [
+		"agents",
+		"cli",
+		"mcp",
+		"opencode",
+		"opencodekit",
+		"template"
+	],
 	"license": "MIT",
 	"author": "OpenCodeKit",
 	"repository": {
@@ -12,7 +19,10 @@
 	"bin": {
 		"ock": "dist/index.js"
 	},
-	"files": ["dist", "README.md"],
+	"files": [
+		"dist",
+		"README.md"
+	],
 	"type": "module",
 	"publishConfig": {
 		"access": "public",
@@ -58,5 +68,7 @@
 	"engines": {
 		"bun": ">=1.3.2"
 	},
-	"trustedDependencies": ["@beads/bd"]
+	"trustedDependencies": [
+		"@beads/bd"
+	]
 }