terramend 0.2.0

package/src/agents/opencodePlugin.ts

@@ -0,0 +1,222 @@
+/**
+ * Source for the opencode plugin we drop into the per-run tmpdir at
+ * `<XDG_CONFIG_HOME>/opencode/plugin/terramend-events.ts`. The harness already
+ * redirects `XDG_CONFIG_HOME` to `ctx.tmpdir/.config` (see `opencode.ts`
+ * `homeEnv`), so opencode's auto-discovery scans the tmpdir, never the user's
+ * working tree. opencode's `Global.Path.config` resolves to
+ * `path.join(xdgConfig, "opencode")` and the config layer auto-discovers
+ * plugins from every directory in its scan list — including
+ * `Global.Path.config` — by globbing `{plugin,plugins}/*.{ts,js}` via
+ * `ConfigPlugin.load(dir)`.
+ *
+ * We MUST NOT write into the user's repo working tree. The repo is a checkout
+ * the agent operates on; only the agent's own tools (gated by
+ * `OPENCODE_PERMISSION`) may modify it. The whole reason we redirect HOME and
+ * XDG_CONFIG_HOME is so harness-side files (config, plugins, scratch state)
+ * land in the tmpdir.
+ *
+ * Why the events plugin exists: opencode's `task` tool runs subagents
+ * in-process and the CLI's `cli/cmd/run.ts` event loop filters
+ * `part.sessionID !== sessionID`, so subagent-internal `message.part.updated`
+ * events are silently discarded before reaching our parent NDJSON stream.
+ * plugins, by contrast, receive EVERY bus event via `bus.subscribeAll()`
+ * regardless of session.
+ *
+ * The events plugin re-emits every relevant bus event onto opencode's stdout
+ * as a single JSON line wrapped in a sentinel envelope. our `runOpenCode`
+ * parser recognises the envelope, unpacks it, and routes the inner part
+ * through the existing handlers with a per-session label from `SessionLabeler`
+ * so each subagent's tool calls / text appear inline alongside the
+ * orchestrator's.
+ *
+ * The subagent gate (the `tool.execute.before` hook that hard-blocks
+ * state-mutating MCP tool calls from a subagent session) lives in a SEPARATE
+ * plugin — `TERRAMEND_OPENCODE_GATE_PLUGIN_SOURCE` below — because it's the
+ * load-bearing security fence and must ship into the opencode harness,
+ * whereas this events re-emitter was only needed by the legacy CLI-parsing
+ * path (the active `opencode.ts` reads subagent events directly off the SDK
+ * event stream, so it installs ONLY the gate plugin). Deny-list source of
+ * truth: `src/agents/subagentToolGates.ts`.
+ *
+ * Dumb plugin / smart parent split: the events plugin emits every part for
+ * every session. the parent dedupes against the orchestrator's own session id
+ * (which it already knows from the `init` event). this keeps the plugin trivial
+ * and keeps the per-session attribution logic on the parent side where the
+ * SessionLabeler already lives.
+ *
+ * Event-name prefixing: the wrapped event-type sentinel is
+ * `terramend_bus_event` — picked to be unmistakably ours so a future opencode
+ * release that introduces a coincidentally-named event type won't collide.
+ */
+
+import { SUBAGENT_DENIED_TOOLS } from "#app/agents/subagentToolGates";
+
+export const TERRAMEND_BUS_EVENT_TYPE = "terramend_bus_event" as const;
+
+export const TERRAMEND_OPENCODE_PLUGIN_FILENAME = "terramend-events.ts" as const;
+
+export const TERRAMEND_OPENCODE_GATE_PLUGIN_FILENAME = "terramend-subagent-gate.ts" as const;
+
+/**
+ * Source written verbatim to `<XDG_CONFIG_HOME>/opencode/plugin/terramend-events.ts`.
+ *
+ * - Structural typing only (no runtime import of `@opencode-ai/plugin`):
+ *   opencode installs that dep into the directory containing the plugin
+ *   alongside discovery, but a) the dep isn't required for the structural
+ *   shape we use, and b) keeping zero imports avoids any module-resolution
+ *   coupling to opencode's plugin-loader internals across versions.
+ * - default export is the plugin factory (opencode's plugin loader accepts
+ *   default exports as the server entrypoint).
+ * - we only forward `message.part.updated`. that's where the user-visible
+ *   subagent activity (tool calls, text, step transitions) lives. add more
+ *   event types here if the parent needs them.
+ * - JSON.stringify+single write keeps the line atomic up to PIPE_BUF (4KB on
+ *   Linux). longer parts may interleave with concurrent stdout writers; the
+ *   parser tolerates non-JSON lines (logs them at debug) so a torn line is a
+ *   missed event, not a crash.
+ */
+export const TERRAMEND_OPENCODE_PLUGIN_SOURCE = `// AUTOGENERATED by Terramend. do not edit; it'll be overwritten on the next run.
+// surfaces opencode subagent activity that the CLI's run-loop discards. see
+// action/agents/opencodePlugin.ts in terramend/app for why this exists. lives
+// inside the per-run tmpdir (XDG_CONFIG_HOME/opencode/plugin/), never inside
+// the user's working tree. the subagent gate ships as a separate plugin
+// (terramend-subagent-gate.ts).
+
+const TERRAMEND_BUS_EVENT_TYPE = ${JSON.stringify(TERRAMEND_BUS_EVENT_TYPE)};
+
+// orchestratorSessionID locks to the first sessionID we observe on the bus
+// (\`message.part.updated\`). opencode's run command creates exactly one
+// top-level session before any subagent is dispatched, and the orchestrator
+// emits at least one event before any subagent does — so first-seen-wins
+// captures the orchestrator; every subagent part has a non-matching
+// sessionID.
+let orchestratorSessionID: string | undefined;
+
+function isOrchestratorTaskDispatch(part: {
+  type?: string;
+  tool?: string;
+  state?: { status?: string };
+} | undefined): boolean {
+  if (!part || part.type !== "tool") return false;
+  if (part.tool !== "task") return false;
+  // only forward at status="running" (not "pending"). at pending the
+  // state.input is still {} — the orchestrator has emitted the part shell
+  // but the LLM hasn't filled in description/subagent_type/prompt yet. by
+  // running, input is populated and recordTaskDispatch can derive the lens
+  // label correctly.
+  return part.state?.status === "running";
+}
+
+export default async function terramendEventsPlugin() {
+  return {
+    event: async (input: {
+      event: {
+        type: string;
+        properties?: {
+          part?: {
+            sessionID?: string;
+            type?: string;
+            tool?: string;
+            state?: { status?: string };
+          };
+        };
+      };
+    }) => {
+      const event = input?.event;
+      if (!event || typeof event !== "object") return;
+      if (event.type !== "message.part.updated") return;
+      const part = event.properties?.part;
+      const sessionID = part?.sessionID;
+      if (typeof sessionID !== "string" || sessionID.length === 0) return;
+      if (orchestratorSessionID === undefined) orchestratorSessionID = sessionID;
+
+      if (sessionID === orchestratorSessionID) {
+        // skip orchestrator events EXCEPT early task dispatches.
+        if (!isOrchestratorTaskDispatch(part)) return;
+      }
+
+      try {
+        const line = JSON.stringify({
+          type: TERRAMEND_BUS_EVENT_TYPE,
+          bus_event: event,
+        });
+        process.stdout.write(line + "\\n");
+      } catch {
+        // a circular reference or BigInt etc. would throw; swallow rather
+        // than letting a single bad event take down the plugin.
+      }
+    },
+  };
+}
+`;
+
+/**
+ * Standalone subagent gate plugin written to
+ * `<XDG_CONFIG_HOME>/opencode/plugin/terramend-subagent-gate.ts`. Installed by
+ * the in-process `opencode.ts` harness — the gate is the load-bearing security
+ * fence, so it ships independently of the events re-emitter above (which the
+ * in-process harness doesn't need).
+ *
+ * Hard-blocks state-mutating MCP tool calls originating from a subagent
+ * session via `tool.execute.before`, complementing the runtime backstops from
+ * PR #796 (action/mcp/checkout.ts, action/mcp/git.ts). Deny-list source of
+ * truth: `action/agents/subagentToolGates.ts`.
+ */
+export const TERRAMEND_OPENCODE_GATE_PLUGIN_SOURCE = `// AUTOGENERATED by Terramend. do not edit; it'll be overwritten on the next run.
+// hard-blocks state-mutating MCP tool calls from opencode subagents (PR
+// following terramend/app#796 — see action/agents/subagentToolGates.ts). see
+// action/agents/opencodePlugin.ts in terramend/app for why this exists. lives
+// inside the per-run tmpdir (XDG_CONFIG_HOME/opencode/plugin/), never inside
+// the user's working tree.
+
+// embedded at template-render time so the plugin source has no imports.
+// kept in sync with action/agents/subagentToolGates.ts via a single re-export.
+const SUBAGENT_DENIED_TOOLS = new Set(${JSON.stringify(SUBAGENT_DENIED_TOOLS)});
+
+// opencode presents MCP tools as \`terramend_<bare>\`; strip that to compare
+// against the canonical bare names in SUBAGENT_DENIED_TOOLS. native tools
+// (read, write, bash, task, etc.) lack the prefix and never match the deny
+// list anyway.
+function stripTerramendPrefix(toolName: string): string {
+  if (toolName.startsWith("terramend_")) return toolName.slice("terramend_".length);
+  return toolName;
+}
+
+// orchestratorSessionID locks to the first sessionID we observe on
+// \`tool.execute.before\`. the orchestrator must invoke a tool (e.g. its
+// \`task\` dispatch) before any subagent session exists, so first-seen-wins
+// always captures the orchestrator; every subagent call therefore has a
+// non-matching sessionID and is subject to the deny check.
+let orchestratorSessionID: string | undefined;
+
+export default async function terramendSubagentGatePlugin() {
+  return {
+    "tool.execute.before": async (
+      input: { tool?: string; sessionID?: string; callID?: string },
+      _output: { args?: Record<string, unknown> }
+    ) => {
+      // input: { tool, sessionID, callID } — confirmed against
+      // anomalyco/opencode packages/opencode/src/session/tools.ts which
+      // calls plugin.trigger("tool.execute.before", { tool, sessionID,
+      // callID }, { args }). throwing here surfaces as a tool error to the
+      // model (Effect's run.promise propagates the rejection through the
+      // AI SDK's tool-runtime), so the subagent sees a denial and can
+      // pick a different action.
+      const sessionID = typeof input?.sessionID === "string" ? input.sessionID : "";
+      const tool = typeof input?.tool === "string" ? input.tool : "";
+      if (!sessionID || !tool) return;
+      if (orchestratorSessionID === undefined) orchestratorSessionID = sessionID;
+      if (sessionID === orchestratorSessionID) return;
+      const bare = stripTerramendPrefix(tool);
+      if (!SUBAGENT_DENIED_TOOLS.has(bare)) return;
+      throw new Error(
+        "subagent attempted to call denied tool '" + bare + "'. " +
+        "subagents share the orchestrator's in-process working tree and toolState; " +
+        "state-changing MCP tools (checkout_pr, push_branch, create_pull_request_review, " +
+        "report_progress, etc.) are reserved for the orchestrator. " +
+        "report findings back to the orchestrator and let it perform the mutation."
+      );
+    },
+  };
+}
+`;

package/src/agents/opencodeShared.test.ts

@@ -0,0 +1,34 @@
+import { describe, expect, it } from "vitest";
+import { geminiHighThinkingOverrides } from "#app/agents/opencodeShared";
+import { modelAliases } from "#app/models";
+
+describe("geminiHighThinkingOverrides", () => {
+  // Expected truth pulled the same way the helper does — both must derive from
+  // the registry so the test exercises the wiring, not a hand-maintained list.
+  const expectedApiIds = modelAliases
+    .filter((a) => a.provider === "google")
+    .map((a) => a.resolve.replace(/^google\//, ""));
+  const overrides = geminiHighThinkingOverrides();
+
+  it("covers every direct-Google alias in the registry", () => {
+    expect(Object.keys(overrides).sort()).toEqual([...expectedApiIds].sort());
+  });
+
+  it("is non-empty (catches accidental whole-provider removal)", () => {
+    expect(Object.keys(overrides).length).toBeGreaterThan(0);
+  });
+
+  it("strips the `google/` prefix from each resolve to get the bare API id", () => {
+    for (const id of Object.keys(overrides)) {
+      expect(id).not.toMatch(/^google\//);
+    }
+  });
+
+  it("pins every entry to thinkingLevel: high", () => {
+    for (const [id, value] of Object.entries(overrides)) {
+      expect(value, `entry for ${id}`).toEqual({
+        options: { thinkingConfig: { thinkingLevel: "high" } },
+      });
+    }
+  });
+});

package/src/agents/opencodeShared.ts

@@ -0,0 +1,121 @@
+// Shared helpers for the OpenCode agent harness (`./opencode.ts`). Pure config
+// / model-registry / install glue — nothing here touches the SDK event loop.
+// Kept as a separate module so this config surface stays unit-testable in
+// isolation (see `./opencodeShared.test.ts`).
+
+import { REVIEWER_AGENT_NAME, REVIEWER_SYSTEM_PROMPT } from "#app/agents/reviewer";
+import { deriveSubagentModels } from "#app/agents/subagentModels";
+import { modelAliases } from "#app/models";
+import { log } from "#app/utils/cli";
+import { installFromNpmTarball } from "#app/utils/install";
+import { getAuthorizedModels } from "#app/utils/openCodeModels";
+import { getDevDependencyVersion } from "#app/utils/version";
+
+// ── config ─────────────────────────────────────────────────────────────────────
+
+export type OpenCodeConfig = {
+  mcp?: Record<string, unknown>;
+  permission?: Record<string, unknown>;
+  provider?: Record<string, unknown>;
+  agent?: Record<string, unknown>;
+  experimental?: Record<string, unknown>;
+  model?: string;
+  enabled_providers?: string[];
+  [key: string]: unknown;
+};
+
+/**
+ * Build the `provider.google.models[id].options` map that pins every direct-Google
+ * Gemini alias to `thinkingLevel: "high"`. Sourced from the model registry so
+ * adding/renaming a Google alias in `action/models.ts` flows through automatically.
+ */
+export function geminiHighThinkingOverrides(): Record<string, { options: object }> {
+  return Object.fromEntries(
+    modelAliases
+      .filter((a) => a.provider === "google")
+      .map((a) => [
+        a.resolve.replace(/^google\//, ""),
+        { options: { thinkingConfig: { thinkingLevel: "high" } } },
+      ]),
+  );
+}
+
+/**
+ * Read-only `reviewfrog` subagent for lens-based review. Non-mutative +
+ * non-recursive — enforced by the system prompt in reviewer.ts.
+ *
+ * Per-subagent `model:` override is driven by the registry in
+ * `action/models.ts` via each alias's `subagentModel` field. Currently wired:
+ * Anthropic opus → sonnet, OpenAI gpt-pro → gpt and gpt → gpt-5.4, Google
+ * gemini-pro → gemini-flash. Other providers inherit (no override).
+ */
+export function buildReviewerAgentConfig(
+  orchestratorModel: string | undefined,
+): Record<string, unknown> {
+  const overrides = deriveSubagentModels(orchestratorModel);
+  return {
+    [REVIEWER_AGENT_NAME]: {
+      description:
+        "Read-only review subagent for lens-based code review (correctness, security, billing-subsystem, etc.). " +
+        "Reads only — no writes, no state-changing shell or MCP calls, no nested subagent dispatch.",
+      mode: "subagent",
+      prompt: REVIEWER_SYSTEM_PROMPT,
+      ...(overrides.reviewer !== undefined ? { model: overrides.reviewer } : {}),
+    },
+  };
+}
+
+// ── install ────────────────────────────────────────────────────────────────────
+
+/**
+ * Install the opencode-ai npm tarball and return the path to the executable.
+ *
+ * The bin path differs by version: v1.4.x and earlier shipped `bin/opencode`;
+ * v1.14+ renames the platform-specific binary to `bin/opencode.exe` for every
+ * OS via the postinstall script. Callers pass the binPath that matches their
+ * pinned version so a v1↔v2 swap can't silently install the wrong file.
+ */
+export async function installOpencodeCli(params: { binPath: string }): Promise<string> {
+  return await installFromNpmTarball({
+    packageName: "opencode-ai",
+    version: getDevDependencyVersion("opencode-ai"),
+    executablePath: params.binPath,
+    installDependencies: true,
+  });
+}
+
+// ── model auto-select fallback ──────────────────────────────────────────────────
+//
+// steps 1–2 of model resolution (TERRAMEND_MODEL env, slug resolution) happen
+// in resolveModel() in utils/agent.ts before the agent runs. this is step 3:
+// auto-select using the authorized model set captured in main.ts via
+// `opencode models` introspection.
+
+const AUTO_SELECT_WARNING =
+  "select a model explicitly in the Terramend console (https://terramend.com/console) to avoid this.";
+
+export function autoSelectModel(): string | undefined {
+  const authorized = getAuthorizedModels();
+  if (authorized.size > 0) {
+    // skip hidden aliases (internal subagent-tier targets like
+    // opencode/gpt-5.4) — they should never surface as a user-facing
+    // orchestrator pick. mirrors the selectable-list filter in
+    // components/ModelSelector.tsx.
+    const match =
+      modelAliases.find((a) => !a.hidden && a.preferred && authorized.has(a.resolve)) ??
+      modelAliases.find((a) => !a.hidden && authorized.has(a.resolve));
+    if (match) {
+      log.info(
+        `» model: ${match.resolve} (auto-selected${match.preferred ? " — preferred" : ""} curated match)`,
+      );
+      log.warning(`» model auto-selected. ${AUTO_SELECT_WARNING}`);
+      return match.resolve;
+    }
+    log.info(
+      `» opencode has ${authorized.size} models but none match curated aliases — letting OpenCode auto-select`,
+    );
+  }
+
+  log.warning(`» no model resolved. letting OpenCode auto-select. ${AUTO_SELECT_WARNING}`);
+  return undefined;
+}