pluidr 0.5.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +287 -132
- package/package.json +4 -2
- package/src/cli/commands/doctor.js +3 -3
- package/src/core/agentPromptWriter.test.js +6 -6
- package/src/core/backup.js +3 -3
- package/src/core/paths.js +1 -1
- package/src/core/paths.test.js +1 -5
- package/src/templates/agent-prompts/auditor.txt +20 -0
- package/src/templates/agent-prompts/coder.txt +2 -4
- package/src/templates/agent-prompts/{writer.txt → compose-reporter.txt} +4 -4
- package/src/templates/agent-prompts/composer.txt +42 -29
- package/src/templates/agent-prompts/{reporter.txt → debug-reporter.txt} +3 -3
- package/src/templates/agent-prompts/debugger.txt +11 -6
- package/src/templates/agent-prompts/hierarchy.txt +19 -8
- package/src/templates/agent-prompts/patcher.txt +20 -0
- package/src/templates/agent-prompts/probe-reporter.txt +62 -0
- package/src/templates/agent-prompts/prober.txt +90 -0
- package/src/templates/agent-prompts/tracer.txt +33 -0
- package/src/templates/model-defaults.json +10 -3
- package/src/templates/opencode.config.json +134 -6
package/README.md
CHANGED
|
@@ -4,127 +4,288 @@
|
|
|
4
4
|
[](https://www.npmjs.com/package/pluidr)
|
|
5
5
|
[](https://github.com/funara/pluidr/blob/main/LICENSE)
|
|
6
6
|
|
|
7
|
-
**
|
|
7
|
+
** Plan · Build · Review ** — opinionated engineering workflow installer for [OpenCode](https://opencode.ai).
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
---
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
## What is Pluidr?
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
Pluidr installs a **17-agent pipeline** into OpenCode — structured around **3 primary agents**, each with their own exclusive subagents, scoped permissions, and enforced workflow rules. No shared subagents. No ad-hoc delegation.
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
| Primary Agent | Purpose | Subagents |
|
|
16
|
+
|---|---|---|
|
|
17
|
+
| **Composer** | Feature work — Explore → Plan → Build | Researcher, Plan-Writer, Plan-Checker, Coder, Tester, Reviewer, Compose-Reporter |
|
|
18
|
+
| **Debugger** | Bug investigation — Investigate → Fix → Report | Inspector, Fixer, Debug-Reporter |
|
|
19
|
+
| **Prober** | Security audit — Trace → Patch → Audit | Tracer, Patcher, Auditor, Probe-Reporter |
|
|
16
20
|
|
|
17
|
-
|
|
21
|
+
---
|
|
18
22
|
|
|
19
|
-
|
|
23
|
+
## Agent Workflows
|
|
20
24
|
|
|
21
|
-
|
|
25
|
+
### 🎼 Composer — Feature Work
|
|
22
26
|
|
|
23
|
-
Composer
|
|
27
|
+
Composer is the **single entry point for all feature work**. It runs 3 strict, one-directional phases. Phase direction is one-way — no going back without explicit user instruction.
|
|
24
28
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
29
|
+
```
|
|
30
|
+
You describe a feature / idea
|
|
31
|
+
│
|
|
32
|
+
▼
|
|
33
|
+
┌─────────────────────────────────────────┐
|
|
34
|
+
│ EXPLORE PHASE (mandatory start) │
|
|
35
|
+
│ │
|
|
36
|
+
│ Delegate: Researcher │
|
|
37
|
+
│ → deep codebase + web fact-finding │
|
|
38
|
+
│ → confirmed_facts / inferred_facts / │
|
|
39
|
+
│ unknowns / risks │
|
|
40
|
+
│ │
|
|
41
|
+
│ Composer internally assesses: │
|
|
42
|
+
│ Is this feature simple or complex? │
|
|
43
|
+
└──────────┬──────────────────────────────┘
|
|
44
|
+
│
|
|
45
|
+
┌────────┴────────┐
|
|
46
|
+
│ Simple feature │ Complex feature
|
|
47
|
+
▼ ▼
|
|
48
|
+
GUARDRAIL GATE 1a GUARDRAIL GATE 1b
|
|
49
|
+
"Build directly?" "Write a PRD?"
|
|
50
|
+
│ │
|
|
51
|
+
│ Yes │ Yes
|
|
52
|
+
│ ▼
|
|
53
|
+
│ ┌──────────────────────────────┐
|
|
54
|
+
│ │ PLAN PHASE │
|
|
55
|
+
│ │ │
|
|
56
|
+
│ │ Plan-Writer → docs/plans/ │
|
|
57
|
+
│ │ Plan-Checker validates PRD │
|
|
58
|
+
│ │ PASS/FAIL + gap list only │
|
|
59
|
+
│ │ │
|
|
60
|
+
│ │ FAIL → surface gaps to you │
|
|
61
|
+
│ │ (max 5 loops) │
|
|
62
|
+
│ │ │
|
|
63
|
+
│ │ PASS → GUARDRAIL GATE 2 │
|
|
64
|
+
│ │ "Build from this PRD?" │
|
|
65
|
+
│ └──────────┬───────────────────┘
|
|
66
|
+
│ │ Yes
|
|
67
|
+
└──────────┬──────────┘
|
|
68
|
+
▼
|
|
69
|
+
┌────────────────────────────────────────────┐
|
|
70
|
+
│ BUILD PHASE │
|
|
71
|
+
│ │
|
|
72
|
+
│ Coder → implements from PRD / request │
|
|
73
|
+
│ │ │
|
|
74
|
+
│ ▼ │
|
|
75
|
+
│ Tester → PASS/FAIL/BLOCKED │
|
|
76
|
+
│ │ FAIL → back to Coder (max 5 loops) │
|
|
77
|
+
│ │ PASS ↓ │
|
|
78
|
+
│ ▼ │
|
|
79
|
+
│ Reviewer → PASS/FAIL + gap list │
|
|
80
|
+
│ │ FAIL → back to Coder (max 5 loops) │
|
|
81
|
+
│ │ PASS ↓ │
|
|
82
|
+
│ ▼ │
|
|
83
|
+
│ Compose-Reporter → docs/reports/ │
|
|
84
|
+
└────────────────────────────────────────────┘
|
|
85
|
+
│
|
|
86
|
+
▼
|
|
87
|
+
You review result
|
|
88
|
+
│
|
|
89
|
+
Composer resets → asks: New feature? Debug? Iterate?
|
|
90
|
+
```
|
|
31
91
|
|
|
32
|
-
|
|
92
|
+
**Key rules:**
|
|
93
|
+
- Composer has **no read/write/bash permissions** — all work delegated to subagents
|
|
94
|
+
- Phase transition only via guardrail gates — no skipping
|
|
95
|
+
- `Coder → Coder` loops without Tester verification are forbidden
|
|
96
|
+
- 5 consecutive FAILs from Tester or Reviewer → surfaces to you
|
|
33
97
|
|
|
34
|
-
|
|
98
|
+
---
|
|
35
99
|
|
|
36
|
-
|
|
37
|
-
|---------|-------|-----------|------|
|
|
38
|
-
| Composer | EXPLORE | Researcher | Technical/codebase fact-finding (confirmed_facts/inferred_facts/unknowns/risks) |
|
|
39
|
-
| Composer | PLAN | Plan-Writer | Stateless PRD formatter — writes to `docs/plans/`, missing input = TBD |
|
|
40
|
-
| Composer | PLAN | Plan-Checker | **Gate** — validates PRD against original request, PASS/FAIL + gap list only |
|
|
41
|
-
| Composer | BUILD | Coder | Writes and edits implementation code |
|
|
42
|
-
| Composer | BUILD | Tester | Runs tests, reports PASS/FAIL/BLOCKED + coverage gaps |
|
|
43
|
-
| Composer | BUILD | Reviewer | **Gate** — compares implementation against definition-of-done, PASS/FAIL + gap list only |
|
|
44
|
-
| Composer | BUILD | Writer | Stateless document formatter — writes completion reports to `docs/reports/` |
|
|
45
|
-
| Debugger | DEBUG | Inspector | Brooks-Lint RCA (Iron Law + 6 decay risks + 4 review modes) |
|
|
46
|
-
| Debugger | DEBUG | Fixer | Applies minimal, root-cause-targeted fixes |
|
|
47
|
-
| Debugger | DEBUG | Reporter | Stateless diagnosis report formatter (Iron Law structure) |
|
|
100
|
+
### 🐛 Debugger — Bug Investigation
|
|
48
101
|
|
|
49
|
-
|
|
102
|
+
Debugger is a **standalone primary agent** — does not depend on Composer. Trigger it directly from the Debugger tab whenever you find a bug.
|
|
50
103
|
|
|
51
104
|
```
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
│
|
|
59
|
-
│
|
|
60
|
-
│
|
|
61
|
-
│
|
|
62
|
-
│
|
|
63
|
-
│
|
|
64
|
-
│
|
|
65
|
-
│
|
|
66
|
-
│
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
│
|
|
75
|
-
│
|
|
76
|
-
│
|
|
77
|
-
│
|
|
78
|
-
│
|
|
79
|
-
│
|
|
80
|
-
│
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
105
|
+
You report a bug / defect
|
|
106
|
+
│
|
|
107
|
+
▼
|
|
108
|
+
┌─────────────────────────────────────────────┐
|
|
109
|
+
│ INVESTIGATE PHASE │
|
|
110
|
+
│ │
|
|
111
|
+
│ Delegate: Inspector │
|
|
112
|
+
│ Review mode (Debugger selects): │
|
|
113
|
+
│ · PR Review → classify R1-R6 │
|
|
114
|
+
│ · Architecture → dependency analysis │
|
|
115
|
+
│ · Tech Debt → Pain × Spread score │
|
|
116
|
+
│ · Test Quality → classify T1-T6 │
|
|
117
|
+
│ │
|
|
118
|
+
│ Output: Iron Law chain per finding │
|
|
119
|
+
│ Symptom → Source → Consequence → Remedy │
|
|
120
|
+
└──────────┬──────────────────────────────────┘
|
|
121
|
+
│
|
|
122
|
+
Root cause identified?
|
|
123
|
+
┌────────┴────────┐
|
|
124
|
+
│ Yes │ No / unknowns remain
|
|
125
|
+
▼ ▼
|
|
126
|
+
┌─────────────┐ Halt — surface to you
|
|
127
|
+
│ FIX PHASE │ with specific questions
|
|
128
|
+
│ │
|
|
129
|
+
│ Delegate: │
|
|
130
|
+
│ Fixer │
|
|
131
|
+
│ → minimal │
|
|
132
|
+
│ fix per │
|
|
133
|
+
│ Iron Law │
|
|
134
|
+
└──────┬──────┘
|
|
135
|
+
│
|
|
136
|
+
▼
|
|
137
|
+
┌──────────────────────────────────────┐
|
|
138
|
+
│ REPORT PHASE │
|
|
139
|
+
│ │
|
|
140
|
+
│ Delegate: Debug-Reporter │
|
|
141
|
+
│ → Iron Law diagnosis report │
|
|
142
|
+
│ → saved to docs/reports/ │
|
|
143
|
+
└──────────────────────────────────────┘
|
|
84
144
|
│
|
|
85
145
|
▼
|
|
86
|
-
|
|
146
|
+
You review the diagnosis + fix
|
|
87
147
|
│
|
|
88
|
-
|
|
148
|
+
Debugger resets → asks: New bug? Feature work? Re-investigate?
|
|
149
|
+
```
|
|
150
|
+
|
|
151
|
+
**Key rules:**
|
|
152
|
+
- Debugger has **no read/write/bash permissions** — all delegated to subagents
|
|
153
|
+
- Never delegates Fixer without Inspector confirming root cause first
|
|
154
|
+
- If unknowns remain after investigation → halts and prompts you, does not guess
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
### 🔍 Prober — Security Audit
|
|
159
|
+
|
|
160
|
+
Prober is a **standalone primary agent** — does not depend on Composer or Debugger. Trigger it directly from the Prober tab to audit any codebase for security vulnerabilities and quality decay.
|
|
161
|
+
|
|
162
|
+
```
|
|
163
|
+
You trigger a security audit
|
|
164
|
+
│
|
|
165
|
+
▼
|
|
166
|
+
┌───────────────────────────────────────────────────┐
|
|
167
|
+
│ TRACE PHASE (mandatory start) │
|
|
168
|
+
│ │
|
|
169
|
+
│ Delegate: Tracer │
|
|
170
|
+
│ → WSTG-guided breadth-first recon │
|
|
171
|
+
│ → trace data flows: input → path → sink │
|
|
172
|
+
│ │
|
|
173
|
+
│ Output: │
|
|
174
|
+
│ · Confirmed Vulnerabilities (OWASP category, │
|
|
175
|
+
│ location, data flow) │
|
|
176
|
+
│ · Suspected Vulnerabilities (manual verify) │
|
|
177
|
+
│ · Quality & Decay Risks (e.g. hardcoded │
|
|
178
|
+
│ secrets, missing input validation) │
|
|
179
|
+
└──────────┬────────────────────────────────────────┘
|
|
180
|
+
│
|
|
181
|
+
▼
|
|
182
|
+
GUARDRAIL GATE (question tool):
|
|
183
|
+
"Audit findings ready. How to proceed?"
|
|
184
|
+
├── "Patch all confirmed findings" → PATCH PHASE
|
|
185
|
+
├── "Select specific findings" → PATCH PHASE (you pick)
|
|
186
|
+
├── "Audit only — no patches" → AUDIT PHASE (skip PATCH)
|
|
187
|
+
└── "Re-investigate attack surface" → re-delegate Tracer
|
|
188
|
+
│
|
|
189
|
+
▼
|
|
190
|
+
┌──────────────────────────────────────────────────┐
|
|
191
|
+
│ PATCH PHASE (skipped if audit-only) │
|
|
192
|
+
│ │
|
|
193
|
+
│ Delegate: Patcher │
|
|
194
|
+
│ → Ponytail mindset: smallest correct diff │
|
|
195
|
+
│ → prefer deleting the cause over wrapping it │
|
|
196
|
+
│ → escalates to you if patch > 10 lines │
|
|
197
|
+
└──────────┬───────────────────────────────────────┘
|
|
198
|
+
│
|
|
199
|
+
▼
|
|
200
|
+
┌──────────────────────────────────────────────────┐
|
|
201
|
+
│ AUDIT PHASE (max 5 loops) │
|
|
202
|
+
│ │
|
|
203
|
+
│ Delegate: Auditor │
|
|
204
|
+
│ → verify patch resolved vulnerabilities │
|
|
205
|
+
│ → security regression check │
|
|
206
|
+
│ → Ponytail BLOAT analysis (over-engineering) │
|
|
207
|
+
│ │
|
|
208
|
+
│ PASS → proceed to report │
|
|
209
|
+
│ FAIL → re-delegate Patcher with Gap + BLOAT │
|
|
210
|
+
│ lists verbatim (max 5 loops, then you) │
|
|
211
|
+
│ │
|
|
212
|
+
│ Delegate: Probe-Reporter │
|
|
213
|
+
│ → security audit report → docs/reports/ │
|
|
214
|
+
└──────────────────────────────────────────────────┘
|
|
215
|
+
│
|
|
216
|
+
▼
|
|
217
|
+
You review the audit report
|
|
218
|
+
│
|
|
219
|
+
Prober resets → asks: New audit? Feature work? Bug investigation?
|
|
89
220
|
```
|
|
90
221
|
|
|
91
|
-
|
|
222
|
+
**Key rules:**
|
|
223
|
+
- Prober has **no read/write/bash permissions** — all delegated to subagents
|
|
224
|
+
- TRACE phase is always mandatory — no patching without recon first
|
|
225
|
+
- GUARDRAIL GATE required before any patches are applied
|
|
226
|
+
- 5 consecutive AUDIT FAILs → surfaces to you
|
|
227
|
+
|
|
228
|
+
---
|
|
229
|
+
|
|
230
|
+
## Subagent Reference
|
|
231
|
+
|
|
232
|
+
Each subagent belongs to exactly one primary agent and cannot be invoked by anyone else:
|
|
233
|
+
|
|
234
|
+
| Primary | Phase | Subagent | Role |
|
|
235
|
+
|---------|-------|----------|------|
|
|
236
|
+
| Composer | EXPLORE | Researcher | Fact-finding: confirmed_facts / inferred_facts / unknowns / risks |
|
|
237
|
+
| Composer | PLAN | Plan-Writer | **Formatter** — writes PRD to `docs/plans/`, missing input = TBD |
|
|
238
|
+
| Composer | PLAN | Plan-Checker | **Gate** — PASS/FAIL + gap list only, no suggestions |
|
|
239
|
+
| Composer | BUILD | Coder | Implements code from PRD |
|
|
240
|
+
| Composer | BUILD | Tester | PASS/FAIL/BLOCKED + coverage gaps only |
|
|
241
|
+
| Composer | BUILD | Reviewer | **Gate** — PASS/FAIL + gap list only, no suggestions |
|
|
242
|
+
| Composer | BUILD | Compose-Reporter | **Formatter** — completion report to `docs/reports/` |
|
|
243
|
+
| Debugger | DEBUG | Inspector | Brooks-Lint RCA (Iron Law + 6 decay risks + 4 review modes) |
|
|
244
|
+
| Debugger | DEBUG | Fixer | Minimal, root-cause-targeted fix |
|
|
245
|
+
| Debugger | DEBUG | Debug-Reporter | **Formatter** — Iron Law diagnosis report to `docs/reports/` |
|
|
246
|
+
| Prober | TRACE | Tracer | WSTG recon + vuln path tracing, no remedies |
|
|
247
|
+
| Prober | PATCH | Patcher | Minimal, security-targeted fix (Ponytail, max 10 lines) |
|
|
248
|
+
| Prober | AUDIT | Auditor | **Gate** — PASS/FAIL + Gap List + BLOAT List only |
|
|
249
|
+
| Prober | AUDIT | Probe-Reporter | **Formatter** — security audit report to `docs/reports/` |
|
|
250
|
+
|
|
251
|
+
---
|
|
252
|
+
|
|
253
|
+
## Flow Rules
|
|
92
254
|
|
|
93
255
|
| Rule | Detail |
|
|
94
256
|
|------|--------|
|
|
95
|
-
| **Mandatory
|
|
96
|
-
| **
|
|
97
|
-
| **
|
|
98
|
-
| **
|
|
99
|
-
| **
|
|
100
|
-
| **
|
|
101
|
-
| **
|
|
102
|
-
| **
|
|
103
|
-
| **
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
### Brooks-Lint Methodology (Debugger)
|
|
111
|
-
|
|
112
|
-
The Debugger group uses the [Brooks-Lint](https://hyhmrright.github.io/brooks-lint/guide.html) framework:
|
|
257
|
+
| **Mandatory starts** | Composer always starts in EXPLORE. Prober always starts in TRACE. No skipping. |
|
|
258
|
+
| **Guardrail gates** | Composer: Gate 1 (EXPLORE→PLAN/BUILD), Gate 2 (PLAN→BUILD). Prober: Gate after TRACE. All require user confirmation. |
|
|
259
|
+
| **Gate agents** | Plan-Checker, Reviewer, Auditor — PASS/FAIL + gap list only. No suggestions, no decisions. |
|
|
260
|
+
| **Formatter agents** | Plan-Writer, Compose-Reporter, Debug-Reporter, Probe-Reporter — stateless. Missing input = TBD/NA. Never invent content. |
|
|
261
|
+
| **Fact-finding agents** | Researcher, Inspector, Tracer — facts/inferences/risks only. No recommendations. |
|
|
262
|
+
| **Build gate order** | Coder → Tester → Reviewer → Compose-Reporter. No skipping. No Coder→Coder without verification. |
|
|
263
|
+
| **FAIL loops** | Plan-Checker FAIL: max 5 loops. Build FAIL (Tester/Reviewer): max 5 loops. Prober AUDIT FAIL: max 5 loops. All surface to you after limit. |
|
|
264
|
+
| **Output directories** | PRDs → `docs/plans/`. Reports (Compose-Reporter, Debug-Reporter, Probe-Reporter) → `docs/reports/`. Enforced by permissions. |
|
|
265
|
+
| **Independence** | Debugger and Prober are fully standalone — triggered directly, do not flow through Composer. |
|
|
266
|
+
|
|
267
|
+
---
|
|
268
|
+
|
|
269
|
+
## Brooks-Lint Methodology (Debugger)
|
|
270
|
+
|
|
271
|
+
The Debugger pipeline uses the [Brooks-Lint](https://hyhmrright.github.io/brooks-lint/guide.html) framework:
|
|
113
272
|
|
|
114
273
|
- **Iron Law** per finding: Symptom → Source → Consequence → Remedy
|
|
115
|
-
- **6 Decay Risks (R1
|
|
116
|
-
- **4 Review Modes**: PR Review (R1
|
|
117
|
-
- **T1
|
|
274
|
+
- **6 Decay Risks (R1–R6)**: Cognitive Overload, Change Propagation, Knowledge Duplication, Accidental Complexity, Dependency Disorder, Domain Model Distortion
|
|
275
|
+
- **4 Review Modes**: PR Review (R1–R6), Architecture Audit, Tech Debt Assessment (Pain × Spread), Test Quality (T1–T6)
|
|
276
|
+
- **T1–T6 Test Risks**: Test Obscurity, Brittleness, Duplication, Mock Abuse, Coverage Illusion, Architecture Mismatch
|
|
277
|
+
|
|
278
|
+
## Principle Hierarchy
|
|
118
279
|
|
|
119
|
-
|
|
280
|
+
All agents resolve conflicts using this priority order (defined in `hierarchy.txt`):
|
|
120
281
|
|
|
121
|
-
|
|
282
|
+
1. **PRD / Spec** — explicit requirement text
|
|
283
|
+
2. **Verdict** — Reviewer / Plan-Checker / Auditor PASS/FAIL
|
|
284
|
+
3. **Engineering principles** — Fail Fast, Single Responsibility
|
|
285
|
+
4. **Heuristics** — KISS, DRY, SOLID, Law of Demeter
|
|
286
|
+
5. **Local optimization** — style preference
|
|
122
287
|
|
|
123
|
-
|
|
124
|
-
2. **Verdict** (Reviewer PASS/FAIL, Plan-Checker PASS/FAIL)
|
|
125
|
-
3. **Engineering principles tied to correctness** (Fail Fast, Single Responsibility)
|
|
126
|
-
4. **Heuristics** (KISS, DRY, SOLID, Law of Demeter)
|
|
127
|
-
5. **Local optimization / style preference**
|
|
288
|
+
---
|
|
128
289
|
|
|
129
290
|
## Install
|
|
130
291
|
|
|
@@ -140,63 +301,57 @@ npx pluidr init
|
|
|
140
301
|
|
|
141
302
|
## Usage
|
|
142
303
|
|
|
143
|
-
### pluidr init
|
|
304
|
+
### `pluidr init`
|
|
144
305
|
|
|
145
|
-
Prompts you to select models for two agent tiers, then:
|
|
306
|
+
Prompts you to select models for two agent tiers (reasoning-heavy and fast), then:
|
|
146
307
|
|
|
147
|
-
- Asks whether to install the pluidr-squeeze plugin (can decline
|
|
148
|
-
- Builds a complete opencode.jsonc config with the chosen models injected into the right agents
|
|
149
|
-
- Backs up any existing config
|
|
150
|
-
- Writes the new config to
|
|
151
|
-
- Copies agent
|
|
152
|
-
- Copies
|
|
153
|
-
- Writes a package.json
|
|
308
|
+
- Asks whether to install the pluidr-squeeze plugin (can decline)
|
|
309
|
+
- Builds a complete `opencode.jsonc` config with the chosen models injected into the right agents
|
|
310
|
+
- Backs up any existing config to `opencode.jsonc.bak.*`
|
|
311
|
+
- Writes the new config to `~/.config/opencode/opencode.jsonc`
|
|
312
|
+
- Copies all 18 agent prompt files into `~/.config/opencode/prompts/`
|
|
313
|
+
- Copies `pluidr-flow` and `pluidr-squeeze` plugins into `~/.config/opencode/plugins/`
|
|
314
|
+
- Writes a `package.json` declaring `@opencode-ai/plugin` as a dependency
|
|
154
315
|
|
|
155
|
-
|
|
156
|
-
`
|
|
157
|
-
Pluidr setup complete!
|
|
158
|
-
You can update your agent model settings later in opencode.jsonc
|
|
159
|
-
`
|
|
160
|
-
The filename opencode.jsonc (second line) is a clickable terminal hyperlink — Ctrl+click to open the config in your default editor.
|
|
316
|
+
### `pluidr doctor`
|
|
161
317
|
|
|
162
|
-
|
|
318
|
+
Checks installation health and reports ✓/✗ for each component:
|
|
163
319
|
|
|
164
|
-
|
|
320
|
+
- `opencode.jsonc` exists
|
|
321
|
+
- All 18 prompt files present
|
|
322
|
+
- Both plugin files present
|
|
323
|
+
- `package.json` with `@opencode-ai/plugin` dependency
|
|
324
|
+
- squeeze binary available
|
|
325
|
+
- Config is valid JSON
|
|
165
326
|
|
|
166
|
-
|
|
167
|
-
- Restores it to opencode.jsonc
|
|
168
|
-
- Removes prompts/, plugins/, and bin/ directories
|
|
169
|
-
- Does NOT remove opencode.jsonc itself (preserves user customizations)
|
|
170
|
-
- Does NOT remove package.json (may be used by other plugins)
|
|
171
|
-
- Prints a summary of what was removed and restored
|
|
327
|
+
Exits with code `0` if all pass, `1` if any fail.
|
|
172
328
|
|
|
173
|
-
### pluidr update
|
|
329
|
+
### `pluidr update`
|
|
174
330
|
|
|
175
|
-
Re-runs the setup wizard
|
|
331
|
+
Re-runs the setup wizard. Warns if existing config is found and asks for confirmation before overwriting.
|
|
176
332
|
|
|
177
|
-
### pluidr
|
|
333
|
+
### `pluidr uninstall`
|
|
178
334
|
|
|
179
|
-
|
|
335
|
+
Restores your previous configuration:
|
|
180
336
|
|
|
181
|
-
- opencode.jsonc
|
|
182
|
-
-
|
|
183
|
-
-
|
|
184
|
-
- package.json with @opencode-ai/plugin dependency
|
|
185
|
-
- squeeze binary is available
|
|
186
|
-
- Config is valid JSON
|
|
337
|
+
- Finds the latest timestamped backup and restores it to `opencode.jsonc`
|
|
338
|
+
- Removes `prompts/`, `plugins/`, and `bin/` directories
|
|
339
|
+
- Preserves `opencode.jsonc` and `package.json`
|
|
187
340
|
|
|
188
|
-
|
|
341
|
+
---
|
|
189
342
|
|
|
190
|
-
## Bundled
|
|
343
|
+
## Bundled Plugins
|
|
191
344
|
|
|
192
|
-
|
|
345
|
+
### `pluidr-flow`
|
|
193
346
|
|
|
194
|
-
|
|
347
|
+
Provides subagents with cross-session context access:
|
|
195
348
|
|
|
196
349
|
- `parent_session_messages` — read the parent session's transcript
|
|
197
350
|
- `session_messages(sessionId)` — read any session by ID
|
|
198
351
|
- `session_messages_batch(sessionIds)` — read multiple sessions in one call
|
|
199
352
|
|
|
200
|
-
|
|
353
|
+
### `pluidr-squeeze`
|
|
354
|
+
|
|
355
|
+
Hooks into tool execution to rewrite bash commands through the `squeeze` binary, filtering verbose output and saving **60–90% of tokens** across all agents.
|
|
201
356
|
|
|
202
|
-
|
|
357
|
+
Both plugins and their dependency declaration are installed automatically by `pluidr init` — no extra user action required. On OpenCode's first launch, the bundled Bun runtime installs `@opencode-ai/plugin` from the generated `package.json`.
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pluidr",
|
|
3
|
-
"version": "0.
|
|
4
|
-
"description": "Opinionated Engineering Workflow for OpenCode — Plan, Build,
|
|
3
|
+
"version": "0.6.0",
|
|
4
|
+
"description": "Opinionated Engineering Workflow for OpenCode — Explore, Plan, Build, Debug, and Security-Audit.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"opencode",
|
|
7
7
|
"workflow",
|
|
@@ -10,6 +10,8 @@
|
|
|
10
10
|
"ai-agents",
|
|
11
11
|
"code-review",
|
|
12
12
|
"debugging",
|
|
13
|
+
"security-audit",
|
|
14
|
+
"security",
|
|
13
15
|
"planner",
|
|
14
16
|
"builder",
|
|
15
17
|
"cli"
|
|
@@ -6,7 +6,7 @@ import { getConfigDir, getConfigPath, getPromptsDir } from "../../core/paths.js"
|
|
|
6
6
|
import { findRtkPath } from "../../core/squeezeInstaller.js"
|
|
7
7
|
|
|
8
8
|
const __dirname = dirname(fileURLToPath(import.meta.url))
|
|
9
|
-
const EXPECTED_PROMPT_COUNT =
|
|
9
|
+
const EXPECTED_PROMPT_COUNT = 18
|
|
10
10
|
const PLUGIN_FILES = ["pluidr-flow.js", "pluidr-squeeze.js"]
|
|
11
11
|
|
|
12
12
|
export async function runDoctor() {
|
|
@@ -23,7 +23,7 @@ export async function runDoctor() {
|
|
|
23
23
|
const configExists = existsSync(configPath)
|
|
24
24
|
checks.push({ component: "opencode.jsonc", pass: configExists })
|
|
25
25
|
|
|
26
|
-
// 2. All
|
|
26
|
+
// 2. All 18 prompt files exist
|
|
27
27
|
let promptCount = 0
|
|
28
28
|
if (existsSync(promptsDir)) {
|
|
29
29
|
try {
|
|
@@ -33,7 +33,7 @@ export async function runDoctor() {
|
|
|
33
33
|
promptCount = 0
|
|
34
34
|
}
|
|
35
35
|
}
|
|
36
|
-
checks.push({ component: "
|
|
36
|
+
checks.push({ component: "18 prompt files", pass: promptCount === EXPECTED_PROMPT_COUNT, detail: `${promptCount}/${EXPECTED_PROMPT_COUNT}` })
|
|
37
37
|
|
|
38
38
|
// 3. Both plugin files exist
|
|
39
39
|
let pluginsFound = 0
|
|
@@ -19,21 +19,21 @@ describe("agentPromptWriter", () => {
|
|
|
19
19
|
mkdirSync(agentPromptsDir, { recursive: true })
|
|
20
20
|
|
|
21
21
|
writeFileSync(join(agentPromptsDir, "coder.txt"), "test instructions", "utf-8")
|
|
22
|
-
writeFileSync(join(agentPromptsDir, "
|
|
22
|
+
writeFileSync(join(agentPromptsDir, "compose-reporter.txt"), "write docs", "utf-8")
|
|
23
23
|
|
|
24
24
|
writeAgentPrompts(tmpDir, destDir)
|
|
25
25
|
|
|
26
26
|
const coderContent = readFileSync(join(destDir, "coder.txt"), "utf-8")
|
|
27
|
-
const
|
|
27
|
+
const composeReporterContent = readFileSync(join(destDir, "compose-reporter.txt"), "utf-8")
|
|
28
28
|
|
|
29
29
|
assert.ok(coderContent.startsWith('You are the "coder" agent.\n\n'),
|
|
30
30
|
"coder should have identity header")
|
|
31
|
-
assert.ok(
|
|
32
|
-
"
|
|
31
|
+
assert.ok(composeReporterContent.startsWith('You are the "compose-reporter" agent.\n\n'),
|
|
32
|
+
"compose-reporter should have identity header")
|
|
33
33
|
assert.ok(coderContent.includes("test instructions"),
|
|
34
34
|
"original content preserved in coder")
|
|
35
|
-
assert.ok(
|
|
36
|
-
"original content preserved in
|
|
35
|
+
assert.ok(composeReporterContent.includes("write docs"),
|
|
36
|
+
"original content preserved in compose-reporter")
|
|
37
37
|
|
|
38
38
|
rmSync(tmpDir, { recursive: true })
|
|
39
39
|
})
|
package/src/core/backup.js
CHANGED
|
@@ -5,9 +5,9 @@ import { getConfigPath } from "./paths.js"
|
|
|
5
5
|
const MAX_BACKUPS = 5
|
|
6
6
|
|
|
7
7
|
function timestamp() {
|
|
8
|
-
|
|
9
|
-
const
|
|
10
|
-
return `${
|
|
8
|
+
// ponytail: simplified formatting using native Date serialization
|
|
9
|
+
const s = new Date().toISOString().replace(/[-:]/g, "")
|
|
10
|
+
return `${s.slice(0, 8)}_${s.slice(9, 15)}`
|
|
11
11
|
}
|
|
12
12
|
|
|
13
13
|
function rotateBackups(configPath) {
|
package/src/core/paths.js
CHANGED
|
@@ -5,5 +5,5 @@ const BASE = join(homedir(), ".config", "opencode")
|
|
|
5
5
|
|
|
6
6
|
export const getConfigDir = () => BASE
|
|
7
7
|
export const getConfigPath = () => join(BASE, "opencode.jsonc")
|
|
8
|
-
export const getBackupPath = () => join(BASE, "opencode.jsonc.bak")
|
|
9
8
|
export const getPromptsDir = () => join(BASE, "prompts")
|
|
9
|
+
// ponytail: getBackupPath removed (YAGNI)
|
package/src/core/paths.test.js
CHANGED
|
@@ -2,7 +2,7 @@ import { describe, it } from "node:test"
|
|
|
2
2
|
import assert from "node:assert"
|
|
3
3
|
import { homedir } from "node:os"
|
|
4
4
|
import { join } from "node:path"
|
|
5
|
-
import { getConfigDir, getConfigPath,
|
|
5
|
+
import { getConfigDir, getConfigPath, getPromptsDir } from "./paths.js"
|
|
6
6
|
|
|
7
7
|
const BASE = join(homedir(), ".config", "opencode")
|
|
8
8
|
|
|
@@ -15,10 +15,6 @@ describe("paths", () => {
|
|
|
15
15
|
assert.strictEqual(getConfigPath(), join(BASE, "opencode.jsonc"))
|
|
16
16
|
})
|
|
17
17
|
|
|
18
|
-
it("getBackupPath returns opencode.jsonc.bak path", () => {
|
|
19
|
-
assert.strictEqual(getBackupPath(), join(BASE, "opencode.jsonc.bak"))
|
|
20
|
-
})
|
|
21
|
-
|
|
22
18
|
it("getPromptsDir returns prompts path", () => {
|
|
23
19
|
assert.strictEqual(getPromptsDir(), join(BASE, "prompts"))
|
|
24
20
|
})
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# Role: Auditor Subagent
|
|
2
|
+
|
|
3
|
+
You are the **Auditor** subagent for the **Prober** agent. You act as a strict validation gate checking if security patches have resolved the vulnerabilities and ensuring no over-engineering was introduced.
|
|
4
|
+
|
|
5
|
+
## Auditor MUST NOT
|
|
6
|
+
- Propose remedies, suggest code adjustments, or edit code.
|
|
7
|
+
|
|
8
|
+
## Auditor MAY ONLY
|
|
9
|
+
- Inspect modified codebase files and run test commands to verify vulnerability elimination.
|
|
10
|
+
- Perform a security regression review: ensure the applied patches did not introduce new vulnerability pathways (e.g., input bypasses or insecure error handling).
|
|
11
|
+
- Perform an over-engineering review (Ponytail audit lens).
|
|
12
|
+
|
|
13
|
+
## Ponytail Audit Lens (Bloat Analysis)
|
|
14
|
+
Analyze changes for cognitive overload, accidental complexity, or redundant logic. Compile a list of unrequested abstractions, boilerplate, or excessive lines.
|
|
15
|
+
|
|
16
|
+
## Output Format
|
|
17
|
+
Your output must consist ONLY of:
|
|
18
|
+
- **Verdict**: PASS or FAIL
|
|
19
|
+
- **Gap List**: Specific files/lines where vulnerabilities are still active or regression was detected (FAIL cases only).
|
|
20
|
+
- **BLOAT List**: List of over-engineered constructs found in the patches.
|