teamcopilot 0.0.3 → 0.1.1

package/dist/workspace_files/.opencode/plugins/listAvailableWorkflows.ts

@@ -18,6 +18,14 @@ interface WorkflowSummary {
   can_edit: boolean
 }
 
+interface SessionLookupResponse {
+  error?: unknown
+  data?: {
+    id?: string
+    parentID?: string
+  }
+}
+
 async function readErrorMessageFromResponse(
   response: Response,
   fallbackMessage: string
@@ -40,7 +48,29 @@ async function readErrorMessageFromResponse(
   }
 }
 
-export const ListAvailableWorkflowsPlugin: Plugin = async (_ctx) => {
+export const ListAvailableWorkflowsPlugin: Plugin = async ({ client }) => {
+  async function resolveRootSessionID(sessionID: string): Promise<string> {
+    let currentSessionID = sessionID
+
+    while (true) {
+      const response = (await client.session.get({
+        path: {
+          id: currentSessionID,
+        },
+      })) as SessionLookupResponse
+      if (response.error) {
+        throw new Error(`Failed to resolve root session for ${currentSessionID}`)
+      }
+
+      const parentID = response.data?.parentID
+      if (!parentID) {
+        return currentSessionID
+      }
+
+      currentSessionID = parentID
+    }
+  }
+
   return {
     tool: {
       listAvailableWorkflows: tool({
@@ -49,10 +79,11 @@ export const ListAvailableWorkflowsPlugin: Plugin = async (_ctx) => {
         args: {},
         async execute(_args, context) {
           const { sessionID } = context
+          const authSessionID = await resolveRootSessionID(sessionID)
 
           const response = await fetch(`${getApiBaseUrl()}/api/workflows`, {
             headers: {
-              Authorization: `Bearer ${sessionID}`,
+              Authorization: `Bearer ${authSessionID}`,
             },
           })
 

package/dist/workspace_files/.opencode/plugins/runWorkflow.ts

@@ -64,7 +64,37 @@ function sleep(ms: number): Promise<void> {
   return new Promise((resolve) => setTimeout(resolve, ms))
 }
 
-export const RunWorkflowPlugin: Plugin = async (_ctx) => {
+interface SessionLookupResponse {
+  error?: unknown
+  data?: {
+    id?: string
+    parentID?: string
+  }
+}
+
+export const RunWorkflowPlugin: Plugin = async ({ client }) => {
+  async function resolveRootSessionID(sessionID: string): Promise<string> {
+    let currentSessionID = sessionID
+
+    while (true) {
+      const response = (await client.session.get({
+        path: {
+          id: currentSessionID,
+        },
+      })) as SessionLookupResponse
+      if (response.error) {
+        throw new Error(`Failed to resolve root session for ${currentSessionID}`)
+      }
+
+      const parentID = response.data?.parentID
+      if (!parentID) {
+        return currentSessionID
+      }
+
+      currentSessionID = parentID
+    }
+  }
+
   return {
     tool: {
       runWorkflow: tool({
@@ -86,6 +116,7 @@ export const RunWorkflowPlugin: Plugin = async (_ctx) => {
         },
         async execute(args, context) {
           const { sessionID } = context
+          const authSessionID = await resolveRootSessionID(sessionID)
           const { slug, inputs = {} } = args
           const messageId = extractMessageId(context)
           const callId = extractCallId(context)
@@ -102,7 +133,7 @@ export const RunWorkflowPlugin: Plugin = async (_ctx) => {
             method: "POST",
             headers: {
               "Content-Type": "application/json",
-              Authorization: `Bearer ${sessionID}`,
+              Authorization: `Bearer ${authSessionID}`,
             },
             body: JSON.stringify({
               slug,
@@ -134,7 +165,7 @@ export const RunWorkflowPlugin: Plugin = async (_ctx) => {
               {
                 method: "GET",
                 headers: {
-                  Authorization: `Bearer ${sessionID}`,
+                  Authorization: `Bearer ${authSessionID}`,
                 },
               }
             )

package/dist/workspace_files/.opencode/plugins/skill-command-guard.ts

@@ -0,0 +1,138 @@
+import type { Plugin } from "@opencode-ai/plugin"
+
+function getApiBaseUrl(): string {
+  const port = process.env.TEAMCOPILOT_PORT?.trim()
+  if (!port) {
+    throw new Error("TEAMCOPILOT_PORT must be set.")
+  }
+  return `http://localhost:${port}`
+}
+
+interface SkillDetailsResponse {
+  skill?: {
+    is_approved?: boolean
+  }
+}
+
+async function readErrorMessageFromResponse(
+  response: Response,
+  fallbackMessage: string
+): Promise<string> {
+  try {
+    const text = await response.text()
+    if (!text) return fallbackMessage
+    try {
+      const parsed: unknown = JSON.parse(text)
+      if (parsed && typeof parsed === "object" && "message" in parsed) {
+        const msg = (parsed as { message?: unknown }).message
+        if (typeof msg === "string" && msg.trim().length > 0) return msg
+      }
+    } catch {
+      // fall back to plain text
+    }
+    return text.trim().length > 0 ? text : fallbackMessage
+  } catch {
+    return fallbackMessage
+  }
+}
+
+export function normalizeCommandSlug(command: unknown): string {
+  if (typeof command !== "string") {
+    return ""
+  }
+  const trimmed = command.trim()
+  const match = trimmed.match(/^\/+([^\s]+)/)
+  return match?.[1] ?? ""
+}
+
+function getTaskCommand(args: unknown): string | null {
+  if (!args || typeof args !== "object" || !("command" in args)) {
+    return null
+  }
+
+  const command = (args as { command?: unknown }).command
+  const normalized = normalizeCommandSlug(command)
+  return normalized.length > 0 ? normalized : null
+}
+
+interface SessionLookupResponse {
+  error?: unknown
+  data?: {
+    id?: string
+    parentID?: string
+  }
+}
+
+export const SkillCommandGuard: Plugin = async ({ client }) => {
+  async function resolveRootSessionID(sessionID: string): Promise<string> {
+    let currentSessionID = sessionID
+
+    while (true) {
+      const response = (await client.session.get({
+        path: {
+          id: currentSessionID,
+        },
+      })) as SessionLookupResponse
+      if (response.error) {
+        throw new Error(`Failed to resolve root session for ${currentSessionID}`)
+      }
+      const parentID = response.data?.parentID
+      if (!parentID) {
+        return currentSessionID
+      }
+      currentSessionID = parentID
+    }
+  }
+
+  async function assertAuthorizedSkillCommand(sessionID: string, slug: string): Promise<void> {
+    const rootSessionID = await resolveRootSessionID(sessionID)
+    const skillDetailsResponse = await fetch(
+      `${getApiBaseUrl()}/api/skills/${encodeURIComponent(slug)}`,
+      {
+        headers: {
+          Authorization: `Bearer ${rootSessionID}`,
+        },
+      }
+    )
+
+    if (skillDetailsResponse.status === 404) {
+      return
+    }
+
+    if (!skillDetailsResponse.ok) {
+      const errorMessage = await readErrorMessageFromResponse(
+        skillDetailsResponse,
+        `Failed to fetch skill metadata for ${slug} (HTTP ${skillDetailsResponse.status})`
+      )
+      throw new Error(errorMessage)
+    }
+
+    const skillDetailsPayload =
+      (await skillDetailsResponse.json()) as SkillDetailsResponse
+    const isApproved = skillDetailsPayload.skill?.is_approved === true
+
+    if (!isApproved) {
+      throw new Error(
+        `Skill "${slug}" is not approved yet. Only approved skills can be used.`
+      )
+    }
+  }
+
+  return {
+    "tool.execute.before": async (input, output) => {
+      if (input.tool !== "task") {
+        return
+      }
+
+      const sessionID = typeof input.sessionID === "string" ? input.sessionID.trim() : ""
+      const slug = getTaskCommand(output.args)
+      if (!sessionID || !slug) {
+        return
+      }
+
+      await assertAuthorizedSkillCommand(sessionID, slug)
+    },
+  }
+}
+
+export default SkillCommandGuard

package/dist/workspace_files/AGENTS.md

@@ -76,7 +76,7 @@ Before implementing custom instructions or creating new workflow logic, you MUST
 
 ### What is a Custom Skill?
 
-A **custom skill** is a reusable instruction package for the agent that lives in `custom-skills/<slug>/`.
+A **custom skill** is a reusable instruction package for the agent that lives in `.agents/skills/<slug>/`.
 Each custom skill:
 - Has a unique slug (lowercase, hyphenated, e.g., `triage-support-ticket`)
 - Uses `SKILL.md` as the canonical manifest/instruction file
@@ -375,7 +375,7 @@ These rules exist to prevent data loss, secret leakage, and unsafe behavior. Vio
 
 ### Never delete custom skills
 
-- You must **NEVER delete a custom skill** (folders or files under `custom-skills/<slug>/`).
+- You must **NEVER delete a custom skill** (folders or files under `.agents/skills/<slug>/`).
 - Custom skill deletions are only supposed to happen via the **UI**.
 - If cleanup is requested, prefer **deprecating** or updating skill instructions rather than deleting anything.
 
@@ -398,7 +398,7 @@ These rules exist to prevent data loss, secret leakage, and unsafe behavior. Vio
 
 - You MAY read files outside managed workspace areas when needed to understand user requirements, gather context, or answer questions.
 - Keep any cloned repos, downloaded assets, fixtures, or vendored code **inside** `workflows/<slug>/` only.
-- Keep skill artifacts and instruction files inside `custom-skills/<slug>/` only.
+- Keep skill artifacts and instruction files inside `.agents/skills/<slug>/` only.
 
 ### No destructive shell actions
 

package/dist/workspace_files/package-lock.json

@@ -6,7 +6,8 @@
     "": {
       "dependencies": {
         "opencode-ai": "1.1.65"
-      }
+      },
+      "devDependencies": {}
     },
     "node_modules/opencode-ai": {
       "version": "1.1.65",

package/dist/workspace_files/package.json

@@ -1,5 +1,7 @@
 {
   "dependencies": {
     "opencode-ai": "1.1.65"
-  }
+  },
+  "devDependencies": {},
+  "scripts": {}
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "teamcopilot",
-  "version": "0.0.3",
+  "version": "0.1.1",
   "description": "A shared AI Agent for Teams",
   "homepage": "https://teamcopilot.ai",
   "repository": {