openhermes 1.2.2

package/harness/skills/verification-loop/SKILL.md

@@ -0,0 +1,126 @@
+---
+name: verification-loop
+description: "A comprehensive verification system for Claude Code sessions."
+origin: ECC
+---
+
+# Verification Loop Skill
+
+A comprehensive verification system for Claude Code sessions.
+
+## When to Use
+
+Invoke this skill:
+- After completing a feature or significant code change
+- Before creating a PR
+- When you want to ensure quality gates pass
+- After refactoring
+
+## Verification Phases
+
+### Phase 1: Build Verification
+```bash
+# Check if project builds
+npm run build 2>&1 | tail -20
+# OR
+pnpm build 2>&1 | tail -20
+```
+
+If build fails, STOP and fix before continuing.
+
+### Phase 2: Type Check
+```bash
+# TypeScript projects
+npx tsc --noEmit 2>&1 | head -30
+
+# Python projects
+pyright . 2>&1 | head -30
+```
+
+Report all type errors. Fix critical ones before continuing.
+
+### Phase 3: Lint Check
+```bash
+# JavaScript/TypeScript
+npm run lint 2>&1 | head -30
+
+# Python
+ruff check . 2>&1 | head -30
+```
+
+### Phase 4: Test Suite
+```bash
+# Run tests with coverage
+npm run test -- --coverage 2>&1 | tail -50
+
+# Check coverage threshold
+# Target: 80% minimum
+```
+
+Report:
+- Total tests: X
+- Passed: X
+- Failed: X
+- Coverage: X%
+
+### Phase 5: Security Scan
+```bash
+# Check for secrets
+grep -rn "sk-" --include="*.ts" --include="*.js" . 2>/dev/null | head -10
+grep -rn "api_key" --include="*.ts" --include="*.js" . 2>/dev/null | head -10
+
+# Check for console.log
+grep -rn "console.log" --include="*.ts" --include="*.tsx" src/ 2>/dev/null | head -10
+```
+
+### Phase 6: Diff Review
+```bash
+# Show what changed
+git diff --stat
+git diff HEAD~1 --name-only
+```
+
+Review each changed file for:
+- Unintended changes
+- Missing error handling
+- Potential edge cases
+
+## Output Format
+
+After running all phases, produce a verification report:
+
+```
+VERIFICATION REPORT
+==================
+
+Build:     [PASS/FAIL]
+Types:     [PASS/FAIL] (X errors)
+Lint:      [PASS/FAIL] (X warnings)
+Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)
+Security:  [PASS/FAIL] (X issues)
+Diff:      [X files changed]
+
+Overall:   [READY/NOT READY] for PR
+
+Issues to Fix:
+1. ...
+2. ...
+```
+
+## Continuous Mode
+
+For long sessions, run verification every 15 minutes or after major changes:
+
+```markdown
+Set a mental checkpoint:
+- After completing each function
+- After finishing a component
+- Before moving to next task
+
+Run: /verify
+```
+
+## Integration with Hooks
+
+This skill complements PostToolUse hooks but provides deeper verification.
+Hooks catch issues immediately; this skill provides comprehensive review.

package/index.mjs

@@ -0,0 +1,5 @@
+export { AutorecallPlugin } from "./autorecall.mjs"
+export { CuratorPlugin } from "./curator.mjs"
+export { SkillBuilderPlugin } from "./skill-builder.mjs"
+export { BootstrapPlugin } from "./bootstrap.mjs"
+export { MemoryToolsPlugin } from "./lib/memory-tools-plugin.mjs"

package/lib/hardening.mjs

@@ -0,0 +1,113 @@
+import crypto from "node:crypto"
+import fs from "node:fs"
+import os from "node:os"
+import path from "node:path"
+
+const SECRET_KEY_PATTERN = /(token|secret|password|passwd|passphrase|api[-_ ]?key|access[-_ ]?key|refresh[-_ ]?token|authorization|cookie|bearer)/i
+const TEXT_REDACTIONS = [
+  [/\bsk-[A-Za-z0-9]{16,}\b/g, "[REDACTED]"],
+  [/\bgh[pousr]_[A-Za-z0-9_]{20,}\b/g, "[REDACTED]"],
+  [/\bxox[baprs]-[A-Za-z0-9-]+\b/g, "[REDACTED]"],
+  [/\bBearer\s+[A-Za-z0-9._~+/=-]{8,}\b/gi, "Bearer [REDACTED]"],
+  [/\b[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\b/g, "[REDACTED]"],
+]
+
+function isPlainObject(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value)
+}
+
+function truncateText(text, limit = 12000) {
+  const value = String(text ?? "")
+  if (limit <= 0 || value.length <= limit) return value
+  const suffix = "...[truncated]"
+  const sliceLength = Math.max(0, limit - suffix.length)
+  return value.slice(0, sliceLength) + suffix
+}
+
+function redactSensitiveText(text) {
+  let output = String(text ?? "")
+  for (const [pattern, replacement] of TEXT_REDACTIONS) {
+    output = output.replace(pattern, replacement)
+  }
+  return output
+}
+
+function sanitizeValue(value, key = "", options = {}) {
+  const maxStringLength = Number.isFinite(options.maxStringLength) ? options.maxStringLength : 12000
+  if (value === null || value === undefined) return value
+  if (typeof value === "string") return truncateText(redactSensitiveText(value), maxStringLength)
+  if (typeof value === "number" || typeof value === "boolean") return value
+  if (Array.isArray(value)) return value.map(item => sanitizeValue(item, key, options))
+  if (isPlainObject(value)) {
+    const redacted = {}
+    for (const [childKey, childValue] of Object.entries(value)) {
+      redacted[childKey] = SECRET_KEY_PATTERN.test(childKey)
+        ? "[REDACTED]"
+        : sanitizeValue(childValue, childKey, options)
+    }
+    return redacted
+  }
+  return truncateText(redactSensitiveText(String(value)), maxStringLength)
+}
+
+function sanitizeRecord(record, options = {}) {
+  return sanitizeValue(record, "", options)
+}
+
+function fingerprintEnvironment(input = {}) {
+  const fingerprint = {
+    cwd: path.resolve(input.cwd || process.cwd()),
+    harness_root: input.harnessRoot ? path.resolve(input.harnessRoot) : null,
+    project_root: input.projectRoot ? path.resolve(input.projectRoot) : null,
+    project: input.project || null,
+    session_id: input.sessionId || null,
+    os: process.platform,
+    release: os.release(),
+    arch: process.arch,
+    shell: process.env.ComSpec || process.env.COMSPEC || "cmd.exe",
+    provider: process.env.OPENCODE_PROVIDER || "lmstudio",
+    model: process.env.OPENCODE_MODEL || null,
+  }
+  const sha256 = crypto.createHash("sha256").update(JSON.stringify(fingerprint)).digest("hex")
+  return { ...fingerprint, sha256 }
+}
+
+function fingerprintFile(filePath) {
+  try {
+    const stat = fs.statSync(filePath)
+    const content = fs.readFileSync(filePath)
+    return {
+      path: path.normalize(filePath),
+      mtime: stat.mtime.toISOString(),
+      size: stat.size,
+      sha256: crypto.createHash("sha256").update(content).digest("hex"),
+    }
+  } catch {
+    return null
+  }
+}
+
+function atomicWriteJson(filePath, data) {
+  const dir = path.dirname(filePath)
+  fs.mkdirSync(dir, { recursive: true })
+  const tmpPath = path.join(dir, `.${path.basename(filePath)}.${process.pid}.${Date.now()}.tmp`)
+  const payload = `${JSON.stringify(data, null, 2)}\n`
+  fs.writeFileSync(tmpPath, payload, "utf8")
+  try {
+    fs.renameSync(tmpPath, filePath)
+  } catch (err) {
+    try { if (fs.existsSync(filePath)) fs.rmSync(filePath, { force: true }) } catch {}
+    try {
+      fs.renameSync(tmpPath, filePath)
+    } catch (retryErr) {
+      try { fs.rmSync(tmpPath, { force: true }) } catch {}
+      throw retryErr
+    }
+  }
+}
+
+function isTruthy(value) {
+  return /^(1|true|yes|on)$/i.test(String(value || ""))
+}
+
+export { atomicWriteJson, fingerprintEnvironment, fingerprintFile, isTruthy, redactSensitiveText, sanitizeRecord, truncateText }

package/lib/memory-tools-plugin.mjs

@@ -0,0 +1,265 @@
+import { tool } from "@opencode-ai/plugin"
+import { fileURLToPath } from "url"
+import path from "path"
+import fs from "fs"
+import os from "os"
+
+import { atomicWriteJson, fingerprintEnvironment, sanitizeRecord, truncateText } from "./hardening.mjs"
+import { findUnsupportedSchemaKeywords, validateSchema } from "./schema-validator.mjs"
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+const PACKAGE_SCHEMAS = path.resolve(__dirname, "..", "schemas")
+const ROOT = path.join(os.homedir(), ".config", "opencode", "openhermes")
+const MEMORY_DIR = path.join(ROOT, "memory")
+
+const CLASSES = ["audit", "checkpoint", "mistake", "instinct", "decision", "constraint", "backlog", "verification_receipt"]
+const PLURALS = { audit: "audits", checkpoint: "checkpoints", mistake: "mistakes", instinct: "instincts", decision: "decisions", constraint: "constraints", backlog: "backlog", verification_receipt: "verification_receipts" }
+
+function isPlainObject(v) { return !!v && typeof v === "object" && !Array.isArray(v) }
+
+function classDir(cls) { return path.join(MEMORY_DIR, PLURALS[cls]) }
+
+function stableStringify(v, space = 0) {
+  function sort(o) {
+    if (Array.isArray(o)) return o.map(sort)
+    if (!isPlainObject(o)) return o
+    const r = {}
+    for (const k of Object.keys(o).sort()) r[k] = sort(o[k])
+    return r
+  }
+  return JSON.stringify(sort(v), null, space)
+}
+
+function buildEntry(cls, r) {
+  const e = { id: r.id, summary: r.summary, status: r.status, updated_at: r.updated_at ?? r.created_at, path: path.join("openhermes", "memory", PLURALS[cls], `${r.id}.json`), scope: r.scope ?? null, project: r.project ?? null }
+  if (cls === "audit") { e.target = r.target; e.overall_score = r.overall_score }
+  if (cls === "backlog") { e.priority = r.priority; e.trigger = r.trigger }
+  return e
+}
+
+function hasExpired(r) {
+  if (r?.status === "expired" || r?.status === "decayed") return true
+  if (r?.decay_at && Date.parse(r.decay_at) < Date.now()) return true
+  if (r?.expires_at && Date.parse(r.expires_at) < Date.now()) return true
+  return false
+}
+
+function readJSON(fp, fallback) {
+  try { return JSON.parse(fs.readFileSync(fp, "utf8")) } catch { return fallback }
+}
+
+function readJSONL(fp) {
+  try {
+    return fs.readFileSync(fp, "utf8").split(/\r?\n/).map(l => l.trim()).filter(Boolean).map(l => JSON.parse(l))
+  } catch { return [] }
+}
+
+function sortRecent(entries) {
+  function ts(e) { return e?.updated_at ?? e?.created_at ?? "" }
+  return [...entries].sort((a, b) => {
+    const at = Date.parse(ts(a)), bt = Date.parse(ts(b))
+    if (!Number.isNaN(at) && !Number.isNaN(bt) && at !== bt) return bt - at
+    return String(ts(b)).localeCompare(String(ts(a)))
+  })
+}
+
+function filterActive(entries) { return entries.filter(e => !hasExpired(e)) }
+
+function writeObject(cls, record) {
+  const dir = classDir(cls)
+  fs.mkdirSync(dir, { recursive: true })
+  const fp = path.join(dir, `${record.id}.json`)
+  atomicWriteJson(fp, record)
+  const indexPath = path.join(dir, "index.json")
+  let index = readJSON(indexPath, [])
+  if (!Array.isArray(index)) index = []
+  const idx = index.findIndex(e => e?.id === record.id)
+  const entry = buildEntry(cls, record)
+  if (idx >= 0) index[idx] = entry; else index.push(entry)
+  atomicWriteJson(indexPath, index)
+}
+
+function upsertMistake(record) {
+  const dir = classDir("mistake")
+  fs.mkdirSync(dir, { recursive: true })
+  const fp = path.join(dir, "mistakes.jsonl")
+  let entries = readJSONL(fp)
+  const idx = entries.findIndex(e => e?.id === record.id)
+  if (idx >= 0) entries[idx] = record; else entries.push(record)
+  const text = entries.map(e => stableStringify(e)).join("\n")
+  fs.writeFileSync(fp, text ? `${text}\n` : "", "utf8")
+}
+
+function queryList(cls, limit = 10) {
+  if (cls === "mistake") {
+    return sortRecent(filterActive(readJSONL(path.join(classDir(cls), "mistakes.jsonl")))).slice(0, limit)
+  }
+  const dir = classDir(cls)
+  let files = []
+  try { files = fs.readdirSync(dir).filter(f => f.endsWith(".json") && f !== "index.json").map(f => path.join(dir, f)) } catch { return [] }
+  const entries = files.map(f => readJSON(f, null)).filter(Boolean).map(r => buildEntry(cls, r))
+  return sortRecent(filterActive(entries)).slice(0, limit)
+}
+
+function queryGet(cls, id) {
+  if (cls === "mistake") return readJSONL(path.join(classDir(cls), "mistakes.jsonl")).find(e => e?.id === id) ?? null
+  return readJSON(path.join(classDir(cls), `${id}.json`), null)
+}
+
+function scoreRelevance(r, query, project) {
+  const q = query.toLowerCase()
+  let score = 0
+  const fields = [r.summary, r.id, r.description, r.mission, r.current_state, r.failure, r.root_cause, r.fix, r.prevention, r.command, r.project, r.scope, ...(Array.isArray(r.tags) ? r.tags : []), ...(Array.isArray(r.next_actions) ? r.next_actions : []), ...(Array.isArray(r.refs) ? r.refs : [])].filter(Boolean)
+  for (const f of fields) {
+    const str = String(f).toLowerCase()
+    let idx = 0; let count = 0
+    while ((idx = str.indexOf(q, idx)) !== -1) { count++; idx += q.length }
+    score += count * 10
+    if (str.startsWith(q)) score += 5
+    if (str.includes(q)) score += 2
+  }
+  if (r.project && r.project.toLowerCase() === (project || "").toLowerCase()) score += 20
+  if (r.project && project && r.project.toLowerCase().includes(project.toLowerCase())) score += 10
+  const age = Date.now() - Date.parse(r.updated_at || r.created_at || 0)
+  if (!Number.isNaN(age)) score += Math.max(0, 10 - age / 604800000)
+  if (r.status === "active") score += 3
+  if (r.status === "closed") score -= 2
+  return score
+}
+
+function enforceAuditEvidence(record) {
+  const prov = isPlainObject(record.provenance) ? record.provenance : {}
+  return ["db_refs", "file_refs", "log_refs"].some(k => Array.isArray(prov[k]) && prov[k].some(i => typeof i === "string" && i.trim()))
+}
+
+function handlePut(cls, id, dataStr) {
+  let parsed
+  try { parsed = JSON.parse(dataStr) } catch (e) { return `data must be valid JSON: ${e.message}` }
+  if (!isPlainObject(parsed)) return "data must be a JSON object"
+  if (!id?.trim()) return "non-blank id is required"
+
+  const now = new Date().toISOString()
+  const record = { ...parsed, id, class: cls, source: parsed.source ?? "agent", status: parsed.status ?? "active", created_at: parsed.created_at ?? now, updated_at: now }
+
+  const schema = readJSON(path.join(PACKAGE_SCHEMAS, `${cls}.schema.json`), null)
+  if (schema) {
+    const unsupported = findUnsupportedSchemaKeywords(schema)
+    if (unsupported.length) return `Unsupported schema keywords: ${unsupported.join(", ")}`
+    const errs = validateSchema(schema, record, "$")
+    if (cls === "audit" && !enforceAuditEvidence(record)) errs.push("$.provenance must include at least one non-empty evidence ref")
+    if (errs.length) return `Validation errors: ${errs.join("; ")}`
+  }
+
+  if (cls === "mistake") upsertMistake(record)
+  else writeObject(cls, record)
+
+  return stableStringify({ ok: true, id })
+}
+
+function handleGet(cls, id) {
+  if (!id?.trim()) return "non-blank id is required"
+  const record = queryGet(cls, id.trim())
+  if (!record) return stableStringify({ ok: false, found: false })
+  return stableStringify({ ok: true, record })
+}
+
+function handleList(cls, limit = 10) {
+  const entries = queryList(cls, Math.min(limit, 100))
+  return stableStringify({ ok: true, count: entries.length, entries })
+}
+
+function handleLatest(cls) {
+  const list = queryList(cls, 100)
+  const active = filterActive(list)
+  if (!active[0]?.id) return stableStringify({ ok: false, found: false })
+  const record = queryGet(cls, active[0].id)
+  if (!record) return stableStringify({ ok: false, found: false })
+  return stableStringify({ ok: true, record })
+}
+
+function handleSearch(query, scope, classes, project, limit) {
+  const q = (query || "").trim()
+  if (!q) return "non-blank query is required"
+  const clsList = Array.isArray(classes) && classes.length ? classes : CLASSES
+  const lim = Math.min(limit ?? 10, 50)
+  let records = []
+  for (const cls of clsList) {
+    if (cls === "mistake") {
+      for (const m of readJSONL(path.join(classDir(cls), "mistakes.jsonl"))) {
+        if (!hasExpired(m)) records.push(m)
+      }
+    } else {
+      const dir = classDir(cls)
+      let files = []
+      try { files = fs.readdirSync(dir).filter(f => f.endsWith(".json") && f !== "index.json") } catch { continue }
+      for (const f of files) {
+        const r = readJSON(path.join(dir, f), null)
+        if (r && !hasExpired(r)) records.push(r)
+      }
+    }
+  }
+  if (scope === "global") records = records.filter(r => r.scope === "global" || !r.scope)
+  else if (scope === "local") records = records.filter(r => r.scope === "project" || r.scope === "session")
+  const scored = records.map(r => ({ ...buildEntry(r.class || "verification_receipt", r), score: scoreRelevance(r, q, project || "") }))
+    .filter(e => e.score > 0)
+    .sort((a, b) => b.score - a.score)
+    .slice(0, lim)
+  return stableStringify({ ok: true, count: scored.length, query: q, results: scored })
+}
+
+export const MemoryToolsPlugin = async () => {
+  fs.mkdirSync(MEMORY_DIR, { recursive: true })
+  fs.mkdirSync(path.join(ROOT, "runtime"), { recursive: true })
+
+  return {
+    tool: {
+      hm_put: tool({
+        description: "Create or update an OpenHermes memory record",
+        args: {
+          class: tool.schema.enum(CLASSES),
+          id: tool.schema.string(),
+          data: tool.schema.string(),
+        },
+        async execute(args) { return handlePut(args.class, args.id, args.data) },
+      }),
+
+      hm_get: tool({
+        description: "Get a specific OpenHermes memory record by ID",
+        args: {
+          class: tool.schema.enum(CLASSES).describe("Memory class"),
+          id: tool.schema.string().describe("Record ID"),
+        },
+        async execute(args) { return handleGet(args.class, args.id) },
+      }),
+
+      hm_list: tool({
+        description: "List OpenHermes memory records by class, sorted by recency",
+        args: {
+          class: tool.schema.enum(CLASSES).describe("Memory class"),
+          limit: tool.schema.number().optional().default(10).describe("Max results (max 100)"),
+        },
+        async execute(args) { return handleList(args.class, args.limit) },
+      }),
+
+      hm_latest: tool({
+        description: "Get the latest active OpenHermes memory record by class",
+        args: {
+          class: tool.schema.enum(CLASSES).describe("Memory class"),
+        },
+        async execute(args) { return handleLatest(args.class) },
+      }),
+
+      hm_search: tool({
+        description: "Search OpenHermes memory records with keyword matching and relevance ranking",
+        args: {
+          query: tool.schema.string().describe("Search query string"),
+          scope: tool.schema.enum(["global", "local", "auto"]).optional().default("auto").describe("Search scope"),
+          classes: tool.schema.array(tool.schema.enum(CLASSES)).optional().describe("Memory classes to search (default: all)"),
+          project: tool.schema.string().optional().describe("Project filter"),
+          limit: tool.schema.number().optional().default(10).describe("Max results (max 50)"),
+        },
+        async execute(args) { return handleSearch(args.query, args.scope, args.classes, args.project, args.limit) },
+      }),
+    },
+  }
+}

package/lib/schema-validator.mjs

@@ -0,0 +1,77 @@
+const SUPPORTED_SCHEMA_KEYS = new Set(["type", "const", "enum", "format", "minimum", "maximum", "required", "properties", "items"])
+const SCHEMA_METADATA_KEYS = new Set(["$schema", "title", "description", "default"])
+
+function isPlainObject(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value)
+}
+
+function matchesType(type, value) {
+  if (type === "null") return value === null
+  if (type === "array") return Array.isArray(value)
+  if (type === "object") return isPlainObject(value)
+  if (type === "integer") return Number.isInteger(value)
+  if (type === "number") return typeof value === "number" && Number.isFinite(value)
+  return typeof value === type
+}
+
+function validateNode(schema, value, at, errors) {
+  if (!isPlainObject(schema) || value === undefined) return
+  if (schema.const !== undefined && JSON.stringify(value) !== JSON.stringify(schema.const)) errors.push(`${at} must equal ${JSON.stringify(schema.const)}`)
+  if (Array.isArray(schema.enum) && !schema.enum.some(option => JSON.stringify(option) === JSON.stringify(value))) errors.push(`${at} must be one of ${schema.enum.map(option => JSON.stringify(option)).join(", ")}`)
+
+  const types = Array.isArray(schema.type) ? schema.type : (schema.type ? [schema.type] : [])
+  if (types.length && !types.some(type => matchesType(type, value))) {
+    errors.push(`${at} must be ${types.join(" or ")}`)
+    return
+  }
+
+  if (typeof value === "string" && schema.format === "date-time" && Number.isNaN(Date.parse(value))) errors.push(`${at} must be a valid date-time string`)
+  if (typeof value === "number" || Number.isInteger(value)) {
+    if (schema.minimum !== undefined && value < schema.minimum) errors.push(`${at} must be >= ${schema.minimum}`)
+    if (schema.maximum !== undefined && value > schema.maximum) errors.push(`${at} must be <= ${schema.maximum}`)
+  }
+
+  if (Array.isArray(value)) {
+    value.forEach((item, index) => validateNode(schema.items, item, `${at}[${index}]`, errors))
+    return
+  }
+
+  if (isPlainObject(value)) {
+    for (const key of Array.isArray(schema.required) ? schema.required : []) {
+      if (value[key] === undefined) errors.push(`${at}.${key} is required`)
+    }
+    for (const [key, child] of Object.entries(isPlainObject(schema.properties) ? schema.properties : {})) {
+      if (value[key] !== undefined) validateNode(child, value[key], `${at}.${key}`, errors)
+    }
+  }
+}
+
+function validateSchema(schema, value, at = "$") {
+  const errors = []
+  validateNode(schema, value, at, errors)
+  return errors
+}
+
+function visitSchemaNode(schema, at, unsupported) {
+  if (!isPlainObject(schema)) return
+  for (const [key, value] of Object.entries(schema)) {
+    if (key === "properties") {
+      if (!isPlainObject(value)) unsupported.push(`${at}.properties must be an object`)
+      else for (const [propertyName, propertySchema] of Object.entries(value)) visitSchemaNode(propertySchema, `${at}.properties.${propertyName}`, unsupported)
+      continue
+    }
+    if (key === "items") {
+      visitSchemaNode(value, `${at}.items`, unsupported)
+      continue
+    }
+    if (!SUPPORTED_SCHEMA_KEYS.has(key) && !SCHEMA_METADATA_KEYS.has(key)) unsupported.push(`${at} uses unsupported schema keyword "${key}"`)
+  }
+}
+
+function findUnsupportedSchemaKeywords(schema) {
+  const unsupported = []
+  visitSchemaNode(schema, "$", unsupported)
+  return unsupported
+}
+
+export { findUnsupportedSchemaKeywords, isPlainObject, validateSchema }