vgxness 0.1.0

package/dist/orchestrator/natural-language-planner.js

@@ -0,0 +1,191 @@
+const stopWords = new Set(['a', 'an', 'the', 'to', 'for', 'of', 'and', 'or', 'with', 'we', 'before', 'new']);
+const signalRules = [
+    { signal: 'diagnostic-request', terms: [/\bdiagnos(e|tic|tics)\b/, /\bfail(ing|ure|ed)?\b/, /\bcrash(es|ing)?\b/, /\berrors?\b/, /\btests?\b/, /\bstatus\b/, /\bhealth\b/, /\blogs?\b/, /\bsetup\b/, /\bdoctor\b/] },
+    { signal: 'planning-request', terms: [/\bplan\b/, /\bpreview\b/, /\breview\b/, /\bdry[- ]run\b/] },
+    { signal: 'answer-only', terms: [/\bexplain\b/, /\bwhat\b/, /\bhow\b/, /\bwhy\b/, /\bdescribe\b/, /\bunderstand\b/, /\binvestigat(e|ion)\b/, /\binspect\b/, /\bread[- ]only\b/] },
+    { signal: 'new-capability', terms: [/\bbuild\b/, /\badd\b/, /\bcreate\b/, /\bnew\b/, /\bcapabilit(y|ies)\b/, /\bfeature\b/] },
+    { signal: 'architecture-change', terms: [/\barchitecture\b/, /\barchitectural\b/, /\brefactor\b/, /\bboundar(y|ies)\b/] },
+    { signal: 'workflow-change', terms: [/\bworkflow\b/, /\borchestrat(e|ion|or)\b/, /\bsdd\b/, /\bphase\b/] },
+    { signal: 'persistence-change', terms: [/\bpersist(ent|ence)?\b/, /\bstorage\b/, /\bsqlite\b/, /\bdatabase\b/, /\bmemory\b/, /\bmigration\b/] },
+    { signal: 'security-sensitive', terms: [/\bsecurity\b/, /\bauth\b/, /\btoken\b/, /\bsecret\b/, /\bpermission\b/] },
+    { signal: 'broad-change', terms: [/\bmulti[- ]file\b/, /\bacross\b/, /\bend[- ]to[- ]end\b/, /\bsystem\b/] },
+    { signal: 'execution-request', terms: [/\brun\b/, /\bexecute\b/, /\bapply\b/, /\bstart\b/, /\binstall\b/, /\bpush\b/] },
+    { signal: 'provider-execution', terms: [/\bprovider\b/, /\bopencode\b/, /\bclaude\b/, /\bmodel\b/, /\bllm\b/] },
+    { signal: 'file-edit-request', terms: [/\bedit\b/, /\bwrite\b/, /\bmodify\b/, /\bpatch\b/] },
+    { signal: 'provider-config-write', terms: [/\bconfig\b/, /\.opencode\b/, /\.claude\b/, /\bglobal\b/] },
+    { signal: 'run-recording', terms: [/\brun record\b/, /\brecord a run\b/, /\bcheckpoint\b/] },
+    { signal: 'destructive', terms: [/\bdelete\b/, /\bremove\b/, /\bdestroy\b/, /\bdrop\b/, /\breset\b/] },
+    { signal: 'external', terms: [/\bnetwork\b/, /\bexternal\b/, /\bdownload\b/, /\bapi\b/] },
+    { signal: 'privileged', terms: [/\bsudo\b/, /\badmin\b/, /\bprivileged\b/] },
+];
+export function createNaturalLanguagePlan(input) {
+    const normalizedIntent = normalizeText(input.intent);
+    const signals = extractSignals(normalizedIntent);
+    const ambiguous = isAmbiguous(normalizedIntent);
+    if (ambiguous)
+        addSignal(signals, 'ambiguous');
+    const flow = chooseFlow(signals);
+    const workflow = workflowFor(flow);
+    const needsClarification = ambiguous;
+    const suggestedChangeId = suggestedChangeFor(input, flow);
+    const safety = buildSafety(signals);
+    const actionInput = {
+        project: input.project,
+        intent: input.intent,
+        ...(suggestedChangeId !== undefined ? { change: suggestedChangeId } : {}),
+        ...(input.sdd !== undefined ? { sdd: input.sdd } : {}),
+    };
+    const previewActions = buildPreviewActions(actionInput, flow, needsClarification);
+    return {
+        version: 1,
+        project: input.project,
+        intent: input.intent,
+        flow,
+        workflow,
+        confidence: confidenceFor(flow, signals, needsClarification),
+        reason: reasonFor(flow, signals, needsClarification),
+        signals,
+        needsClarification,
+        ...(needsClarification ? { clarifyingQuestion: 'What target should this change inspect or modify, and what outcome do you want?' } : {}),
+        ...(suggestedChangeId !== undefined ? { suggestedChangeId } : {}),
+        previewActions,
+        safety,
+        ...(input.sdd !== undefined ? { sdd: input.sdd } : {}),
+    };
+}
+function normalizeText(value) {
+    return value.toLowerCase().replace(/[^a-z0-9._/ -]+/g, ' ').replace(/\s+/g, ' ').trim();
+}
+function extractSignals(intent) {
+    const signals = [];
+    for (const rule of signalRules) {
+        if (rule.terms.some((term) => term.test(intent)))
+            addSignal(signals, rule.signal);
+    }
+    if (signals.length === 0 || (/\b(change|fix|update)\b/.test(intent) && !signals.some((signal) => sddSignals.has(signal))))
+        addSignal(signals, 'small-local-change');
+    return signals;
+}
+function addSignal(signals, signal) {
+    if (!signals.includes(signal))
+        signals.push(signal);
+}
+const sddSignals = new Set(['architecture-change', 'workflow-change', 'persistence-change', 'security-sensitive', 'broad-change']);
+const unsafeSignals = new Set(['execution-request', 'provider-execution', 'file-edit-request', 'provider-config-write', 'run-recording', 'destructive', 'external', 'privileged']);
+const strongSddSignals = new Set(['architecture-change', 'workflow-change', 'persistence-change', 'security-sensitive', 'broad-change']);
+const strongUnsafeSignals = new Set(['execution-request', 'provider-execution', 'provider-config-write', 'run-recording', 'destructive', 'external', 'privileged']);
+function isAmbiguous(intent) {
+    const words = intent.split(' ').filter(Boolean);
+    if (words.length <= 2)
+        return true;
+    return /^(fix|update|change|do|handle) (it|this|that)$/.test(intent);
+}
+function chooseFlow(signals) {
+    if (signals.includes('answer-only') && !signals.includes('diagnostic-request') && !signals.includes('new-capability') && !signals.includes('planning-request') && !signals.some((signal) => unsafeSignals.has(signal)))
+        return 'explore';
+    if (signals.some((signal) => strongSddSignals.has(signal) || strongUnsafeSignals.has(signal)))
+        return 'sdd';
+    if (signals.includes('diagnostic-request'))
+        return 'debug';
+    if (signals.includes('answer-only') && !signals.includes('new-capability') && !signals.some((signal) => unsafeSignals.has(signal)))
+        return 'explore';
+    if (signals.includes('planning-request') && !signals.some((signal) => strongSddSignals.has(signal) || strongUnsafeSignals.has(signal)))
+        return 'plan';
+    if (signals.some((signal) => sddSignals.has(signal)) || signals.some((signal) => unsafeSignals.has(signal)))
+        return 'sdd';
+    if (signals.includes('planning-request'))
+        return 'plan';
+    if (signals.includes('new-capability'))
+        return 'build';
+    if (signals.includes('small-local-change') || signals.includes('file-edit-request'))
+        return 'quickfix';
+    return 'explore';
+}
+function workflowFor(flow) {
+    if (flow === 'direct')
+        return 'explore';
+    if (flow === 'diagnose')
+        return 'debug';
+    return flow;
+}
+function confidenceFor(flow, signals, needsClarification) {
+    if (needsClarification)
+        return 0.48;
+    if (flow === 'sdd' && signals.filter((signal) => sddSignals.has(signal) || unsafeSignals.has(signal)).length >= 2)
+        return 0.86;
+    if (flow === 'debug' || flow === 'diagnose')
+        return 0.82;
+    if (flow === 'plan')
+        return 0.74;
+    if (flow === 'build')
+        return 0.7;
+    if (flow === 'quickfix')
+        return 0.72;
+    return 0.72;
+}
+function reasonFor(flow, signals, needsClarification) {
+    if (needsClarification)
+        return 'The request is missing enough target or goal context, so the planner needs clarification before previewing write actions.';
+    if (flow === 'debug' || flow === 'diagnose')
+        return 'The request asks for inspection or failure/status diagnosis, so the preview stays read-only.';
+    if (flow === 'sdd')
+        return 'The request includes capability, architecture, workflow, persistence, safety, or execution risk signals, so SDD is the safest preview path.';
+    if (flow === 'plan')
+        return 'The request asks for planning or review without immediate mutation, so SDD is not required for this preview.';
+    if (flow === 'build')
+        return 'The request asks for a clear implementation that does not show formal SDD risk signals.';
+    if (flow === 'quickfix')
+        return 'The request appears to be a small localized fix, so a lightweight quickfix workflow is sufficient.';
+    if (signals.includes('answer-only'))
+        return 'The request is answer-only or narrow, so SDD is not required.';
+    return 'The request appears narrow and low-risk, so SDD is not required.';
+}
+function suggestedChangeFor(input, flow) {
+    if (input.change !== undefined && input.change.trim().length > 0)
+        return input.change;
+    if (flow !== 'sdd')
+        return undefined;
+    const words = normalizeText(input.intent)
+        .split(' ')
+        .map((word) => word.replace(/[^a-z0-9-]/g, ''))
+        .filter((word) => word.length > 1 && !stopWords.has(word));
+    return words.slice(0, 7).join('-') || undefined;
+}
+function buildSafety(signals) {
+    const notes = ['Preview only: this preview only classifies intent; no providers are called, no files are edited, no provider config is written, and no run is recorded.'];
+    if (signals.includes('execution-request') || signals.includes('provider-execution') || signals.includes('file-edit-request')) {
+        notes.push('Execution was requested but refused in this preview flow; continue manually or through an approved SDD apply phase.');
+    }
+    if (signals.includes('destructive'))
+        notes.push('Destructive impact was detected; review and approval are required before any real operation.');
+    if (signals.includes('provider-config-write'))
+        notes.push('Provider configuration impact was detected; this preview will not write provider config.');
+    if (signals.includes('persistence-change'))
+        notes.push('Persistent behavior or storage impact was detected; SDD review is recommended.');
+    if (signals.includes('external'))
+        notes.push('External or network impact was detected; this preview does not perform external calls.');
+    if (signals.includes('privileged'))
+        notes.push('Privileged impact was detected; this preview does not request elevated access.');
+    return { executed: false, callsProvider: false, editsFiles: false, writesProviderConfig: false, recordsRuns: false, notes };
+}
+function buildPreviewActions(input, flow, needsClarification) {
+    if (needsClarification)
+        return [{ kind: 'clarification', description: 'Ask for the missing target and desired outcome before previewing write actions.' }];
+    if (flow === 'debug' || flow === 'diagnose')
+        return [{ kind: 'diagnostic-preview', description: 'Preview read-only diagnostic commands such as status, doctor, logs, or SDD next checks.' }];
+    if (flow === 'plan')
+        return [{ kind: 'manual-plan', description: 'Draft a manual implementation plan without executing providers or editing files.' }];
+    if (flow === 'explore' || flow === 'direct')
+        return [{ kind: 'answer', description: 'Explore or answer directly without entering SDD.' }];
+    if (flow === 'quickfix')
+        return [{ kind: 'workflow-preview', description: 'Preview a small localized quickfix; no execution occurs in this planner response.' }];
+    if (flow === 'build')
+        return [{ kind: 'workflow-preview', description: 'Preview a scoped build workflow; no execution occurs in this planner response.' }];
+    const change = input.change;
+    const command = change === undefined ? undefined : `npm run cli -- sdd next --project ${input.project} --change ${change}`;
+    return [{
+            kind: 'sdd-preview',
+            description: input.sdd?.next?.recommendedAction ?? 'Preview the SDD handoff for this substantial or risky request; do not execute it here.',
+            ...(command !== undefined ? { command } : {}),
+        }];
+}

package/dist/orchestrator/schema.js

@@ -0,0 +1 @@
+export {};

package/dist/permissions/index.js

@@ -0,0 +1,2 @@
+export * from './schema.js';
+export * from './policy-evaluator.js';

package/dist/permissions/policy-evaluator.js

@@ -0,0 +1,109 @@
+import { existsSync, realpathSync } from 'node:fs';
+import { dirname, isAbsolute, resolve, sep } from 'node:path';
+export const permissionCategories = ['read', 'edit', 'shell', 'network', 'git', 'memory', 'external-directory', 'provider-tool', 'secrets'];
+export const permissionDecisions = ['allow', 'ask', 'deny'];
+export const defaultPermissionPolicy = {
+    rules: [
+        { category: 'read', decision: 'allow', reason: 'Read-only workspace operations are allowed by default.' },
+        { category: 'edit', decision: 'ask', reason: 'File mutation requires approval until enforcement is deeper.' },
+        { category: 'shell', decision: 'ask', reason: 'Shell execution can escape intent and requires approval by default.' },
+        { category: 'network', decision: 'ask', reason: 'Network access is external and requires approval by default.' },
+        { category: 'git', decision: 'ask', reason: 'Git operations can affect review state or remotes.' },
+        { category: 'memory', decision: 'ask', reason: 'Memory changes are durable and should be explicit.' },
+        { category: 'external-directory', decision: 'deny', reason: 'External directory access is denied unless a future sandbox grants it explicitly.' },
+        { category: 'provider-tool', decision: 'ask', reason: 'Provider-specific tools stay opaque and require approval by default.' },
+        { category: 'secrets', decision: 'deny', reason: 'Secret access is privileged and denied by default.' },
+    ],
+};
+const filesystemCategories = new Set(['read', 'edit', 'external-directory']);
+export function evaluatePermission(request, policy = defaultPermissionPolicy) {
+    if (request.category === 'secrets')
+        return result(request, 'deny', 'secret_access', 'Secret access is denied by default.');
+    const boundary = workspaceBoundaryDecision(request);
+    if (boundary !== undefined)
+        return boundary;
+    const agentDecision = request.agent?.permissions[request.category];
+    const baseRule = policy.rules.find((rule) => rule.category === request.category);
+    const baseDecision = agentDecision ?? baseRule?.decision ?? 'ask';
+    const baseReason = agentDecision !== undefined ? 'agent_policy' : 'default_policy';
+    const baseMessage = agentDecision !== undefined
+        ? `${request.agent?.mode ?? 'agent'} ${request.agent?.name ?? request.agent?.id ?? 'unknown'} sets ${request.category} to ${agentDecision}.`
+        : baseRule?.reason ?? `No explicit rule exists for ${request.category}; ask by default.`;
+    const risk = riskDecision(request);
+    if (risk !== undefined && isLessRestrictive(baseDecision, risk.decision)) {
+        return result(request, risk.decision, risk.reason, risk.message);
+    }
+    return result(request, baseDecision, baseReason, baseMessage);
+}
+export function isPathInsideWorkspace(workspaceRoot, targetPath) {
+    const root = resolve(workspaceRoot);
+    const target = resolve(root, targetPath);
+    return target === root || target.startsWith(`${root}${sep}`);
+}
+export function resolveWorkspaceContainedPath(workspaceRoot, targetPath) {
+    const root = canonicalExistingPath(workspaceRoot);
+    if (root === undefined)
+        return { ok: false, reason: `Workspace root does not exist: ${workspaceRoot}` };
+    const requested = isAbsolute(targetPath) ? resolve(targetPath) : resolve(root, targetPath);
+    const parent = canonicalExistingPath(existingAncestor(requested));
+    if (parent === undefined)
+        return { ok: false, reason: `Target parent cannot be resolved: ${targetPath}` };
+    const canonicalTarget = existsSync(requested) ? realpathSync.native(requested) : resolve(parent, requested.slice(existingAncestor(requested).length + 1));
+    if (canonicalTarget !== root && !canonicalTarget.startsWith(`${root}${sep}`)) {
+        return { ok: false, reason: `Path escapes workspace boundary: ${targetPath}` };
+    }
+    return { ok: true, workspaceRoot: root, targetPath: canonicalTarget };
+}
+function existingAncestor(targetPath) {
+    let current = targetPath;
+    while (!existsSync(current)) {
+        const parent = dirname(current);
+        if (parent === current)
+            return current;
+        current = parent;
+    }
+    return current;
+}
+function canonicalExistingPath(targetPath) {
+    if (!existsSync(targetPath))
+        return undefined;
+    return realpathSync.native(targetPath);
+}
+function workspaceBoundaryDecision(request) {
+    if (!filesystemCategories.has(request.category))
+        return undefined;
+    if (request.category === 'external-directory') {
+        return result(request, 'deny', 'workspace_boundary', 'External directory access is denied by the foundation policy.');
+    }
+    if (request.workspaceRoot === undefined || request.targetPath === undefined) {
+        return result(request, 'ask', 'ambiguous_operation', 'Filesystem operation needs workspaceRoot and targetPath before it can be safely decided.');
+    }
+    if (!isPathInsideWorkspace(request.workspaceRoot, request.targetPath)) {
+        return result(request, 'deny', 'workspace_boundary', `Path escapes workspace boundary: ${request.targetPath}`);
+    }
+    return undefined;
+}
+function riskDecision(request) {
+    if (request.destructive === true)
+        return { decision: 'ask', reason: 'destructive_operation', message: 'Destructive operations require human approval.' };
+    if (request.external === true)
+        return { decision: 'ask', reason: 'external_operation', message: 'External operations require human approval.' };
+    if (request.privileged === true)
+        return { decision: 'ask', reason: 'privileged_operation', message: 'Privileged operations require human approval.' };
+    if (request.ambiguous === true)
+        return { decision: 'ask', reason: 'ambiguous_operation', message: 'Ambiguous operations require human approval.' };
+    return undefined;
+}
+function isLessRestrictive(candidate, floor) {
+    return rank(candidate) < rank(floor);
+}
+function rank(decision) {
+    if (decision === 'allow')
+        return 0;
+    if (decision === 'ask')
+        return 1;
+    return 2;
+}
+function result(request, decision, reason, message) {
+    return { decision, category: request.category, operation: request.operation, reason, message };
+}

package/dist/permissions/schema.js

@@ -0,0 +1 @@
+export {};

package/dist/providers/opencode/injection-preview.js

@@ -0,0 +1,134 @@
+import { getProviderRenderer } from '../../agents/renderers/index.js';
+const opencodeProvider = 'opencode';
+export class OpenCodeInjectionPreviewService {
+    dependencies;
+    constructor(dependencies) {
+        this.dependencies = dependencies;
+    }
+    preview(input) {
+        const selectors = validateInput(input);
+        if (!selectors.ok)
+            return selectors;
+        const sddStatus = this.dependencies.sdd.getStatus({ project: selectors.value.project, change: selectors.value.change });
+        if (!sddStatus.ok)
+            return sddStatus;
+        const readiness = this.dependencies.sdd.getReady({ project: selectors.value.project, change: selectors.value.change, phase: selectors.value.phase });
+        if (!readiness.ok)
+            return readiness;
+        const agent = this.resolveAgent(selectors.value);
+        if (!agent.ok)
+            return agent;
+        const subagents = this.resolveSubagents(agent.value.id);
+        if (!subagents.ok)
+            return subagents;
+        const renderer = getProviderRenderer(opencodeProvider);
+        if (!renderer.ok)
+            return renderer;
+        const rendered = renderer.value.render({ agent: agent.value, subagents: subagents.value });
+        if (!rendered.ok)
+            return rendered;
+        const payloadOptions = input.workspaceRoot === undefined ? {} : { workspaceRoot: input.workspaceRoot };
+        const skillPayload = this.dependencies.skills.buildSkillPayload({
+            project: selectors.value.project,
+            scope: agent.value.scope,
+            agentId: agent.value.id,
+            workflow: 'sdd',
+            phase: selectors.value.phase,
+            providerAdapter: opencodeProvider,
+        }, payloadOptions);
+        if (!skillPayload.ok)
+            return skillPayload;
+        return ok({
+            version: 1,
+            provider: opencodeProvider,
+            installable: false,
+            readOnly: true,
+            context: {
+                project: selectors.value.project,
+                change: selectors.value.change,
+                workflow: 'sdd',
+                phase: selectors.value.phase,
+                provider: opencodeProvider,
+                agent: { id: agent.value.id, name: agent.value.name, scope: agent.value.scope, mode: agent.value.mode },
+            },
+            providerArtifacts: rendered.value,
+            skillPayload: skillPayload.value,
+            sdd: { status: sddStatus.value, readiness: readiness.value },
+            safety: {
+                installable: false,
+                readOnly: true,
+                executesProvider: false,
+                writesProviderConfig: false,
+                recordsRuns: false,
+                recordsSkillUsage: false,
+            },
+            warnings: [
+                'OpenCode injection preview is preview-only and installable=false.',
+                'This preview does not execute OpenCode, install hooks, create MCP servers, or create runs.',
+                'This preview does not write provider config, .opencode/, .claude/, or user/global provider files.',
+                ...rendered.value.warnings,
+                ...skillPayload.value.warnings,
+            ],
+        });
+    }
+    resolveAgent(input) {
+        if (input.agentId === undefined && input.agentName === 'vgxness-manager' && this.dependencies.managerProfiles !== undefined) {
+            const effective = this.dependencies.managerProfiles.resolveEffectiveManager({ project: input.project, scope: input.scope, managerName: input.agentName });
+            return effective.ok ? ok(effective.value.manager) : effective;
+        }
+        const resolved = input.agentId !== undefined
+            ? this.dependencies.agents.getAgent(input.agentId)
+            : this.dependencies.agents.getAgentByName(input.project, input.scope, input.agentName);
+        if (!resolved.ok && resolved.error.code === 'not_found')
+            return validationFailure(resolved.error.message);
+        return resolved;
+    }
+    resolveSubagents(agentId) {
+        const summaries = this.dependencies.agents.listSubagents(agentId);
+        if (!summaries.ok)
+            return summaries;
+        const subagents = [];
+        for (const summary of summaries.value) {
+            const subagent = this.dependencies.agents.getAgent(summary.id);
+            if (!subagent.ok)
+                return subagent;
+            subagents.push(subagent.value);
+        }
+        return ok(subagents);
+    }
+}
+function validateInput(input) {
+    if (input.provider === undefined || input.provider.trim().length === 0)
+        return validationFailure('Provider is required');
+    const provider = input.provider.trim().toLowerCase();
+    if (provider !== opencodeProvider)
+        return validationFailure(`Unsupported provider: ${input.provider}`);
+    if (input.project === undefined || input.project.trim().length === 0)
+        return validationFailure('Project is required');
+    if (input.change === undefined || input.change.trim().length === 0)
+        return validationFailure('Change is required');
+    if (input.phase === undefined || input.phase.trim().length === 0)
+        return validationFailure('Phase is required');
+    const agentId = trimOptional(input.agentId);
+    const agentName = trimOptional(input.agentName);
+    if ((agentId === undefined) === (agentName === undefined)) {
+        return validationFailure('Provide exactly one of agentId or agentName');
+    }
+    const validated = {
+        provider: opencodeProvider,
+        project: input.project.trim(),
+        change: input.change.trim(),
+        phase: input.phase.trim(),
+        scope: input.scope ?? 'project',
+        agentName: agentName ?? '',
+    };
+    if (agentId !== undefined)
+        validated.agentId = agentId;
+    return ok(validated);
+}
+function trimOptional(value) {
+    const trimmed = value?.trim();
+    return trimmed === undefined || trimmed.length === 0 ? undefined : trimmed;
+}
+function ok(value) { return { ok: true, value }; }
+function validationFailure(message) { return { ok: false, error: { code: 'validation_failed', message } }; }

package/dist/providers/opencode/manager-payload.js

@@ -0,0 +1,129 @@
+import { getProviderRenderer } from '../../agents/renderers/index.js';
+const opencodeProvider = 'opencode';
+const defaultManagerAgentName = 'vgxness-manager';
+export class OpenCodeManagerPayloadService {
+    dependencies;
+    constructor(dependencies) {
+        this.dependencies = dependencies;
+    }
+    build(input) {
+        const validated = validateInput(input);
+        if (!validated.ok)
+            return validated;
+        const agent = this.resolveAgent(validated.value);
+        if (!agent.ok)
+            return agent;
+        if (agent.value.mode !== 'agent')
+            return validationFailure('OpenCode manager payload requires a top-level agent');
+        const subagents = this.resolveSubagents(agent.value.id);
+        if (!subagents.ok)
+            return subagents;
+        const renderer = getProviderRenderer(opencodeProvider);
+        if (!renderer.ok)
+            return renderer;
+        const rendered = renderer.value.render({ agent: agent.value, subagents: subagents.value });
+        if (!rendered.ok)
+            return rendered;
+        const skillPayload = this.buildSkillPayload(validated.value, agent.value);
+        if (!skillPayload.ok)
+            return skillPayload;
+        return ok({
+            version: 1,
+            provider: opencodeProvider,
+            installable: false,
+            selection: {
+                requested: requestedSelector(validated.value),
+                agent: { id: agent.value.id, name: agent.value.name, scope: agent.value.scope, mode: 'agent' },
+            },
+            providerArtifacts: rendered.value,
+            ...(skillPayload.value !== undefined ? { skillPayload: skillPayload.value } : {}),
+            safety: {
+                installable: false,
+                writesProviderConfig: false,
+                executesProvider: false,
+                readOnly: true,
+                recordsSkillUsage: false,
+                loadsSeeds: false,
+            },
+            warnings: [
+                'OpenCode manager payload is preview-only and installable=false.',
+                'This payload does not execute OpenCode, load seeds, record skill usage, or write provider configuration.',
+                ...rendered.value.warnings,
+                ...(skillPayload.value?.warnings ?? []),
+            ],
+        });
+    }
+    resolveAgent(input) {
+        if (input.agentId !== undefined) {
+            const byId = this.dependencies.agents.getAgent(input.agentId);
+            if (!byId.ok)
+                return byId;
+            if (input.agentName !== undefined && byId.value.name !== input.agentName) {
+                return validationFailure(`agentId resolves to ${byId.value.name}, not ${input.agentName}`);
+            }
+            return byId;
+        }
+        const name = input.agentName ?? defaultManagerAgentName;
+        if (input.agentName === undefined && input.useManagerOverlay === true && this.dependencies.managerProfiles !== undefined) {
+            const effective = this.dependencies.managerProfiles.resolveEffectiveManager({ project: input.project, scope: input.scope, managerName: name });
+            return effective.ok ? ok(effective.value.manager) : effective;
+        }
+        return this.dependencies.agents.getAgentByName(input.project, input.scope, name);
+    }
+    resolveSubagents(agentId) {
+        const summaries = this.dependencies.agents.listSubagents(agentId);
+        if (!summaries.ok)
+            return summaries;
+        const subagents = [];
+        for (const summary of summaries.value) {
+            const subagent = this.dependencies.agents.getAgent(summary.id);
+            if (!subagent.ok)
+                return subagent;
+            subagents.push(subagent.value);
+        }
+        return ok(subagents);
+    }
+    buildSkillPayload(input, agent) {
+        const options = {};
+        if (input.workspaceRoot !== undefined)
+            options.workspaceRoot = input.workspaceRoot;
+        if (input.maxSourceBytes !== undefined)
+            options.maxSourceBytes = input.maxSourceBytes;
+        const payload = this.dependencies.skills.buildSkillPayload({
+            project: input.project,
+            scope: agent.scope,
+            agentId: agent.id,
+            providerAdapter: opencodeProvider,
+        }, options);
+        return payload.ok ? ok(payload.value) : payload;
+    }
+}
+function validateInput(input) {
+    if (input.project.trim().length === 0)
+        return validationFailure('Project is required');
+    if (input.agentId !== undefined && input.agentId.trim().length === 0)
+        return validationFailure('agentId must not be empty');
+    if (input.agentName !== undefined && input.agentName.trim().length === 0)
+        return validationFailure('agentName must not be empty');
+    const validated = { project: input.project.trim(), scope: input.scope ?? 'project' };
+    if (input.agentId !== undefined)
+        validated.agentId = input.agentId.trim();
+    if (input.agentName !== undefined)
+        validated.agentName = input.agentName.trim();
+    if (input.useManagerOverlay !== undefined)
+        validated.useManagerOverlay = input.useManagerOverlay;
+    if (input.workspaceRoot !== undefined)
+        validated.workspaceRoot = input.workspaceRoot;
+    if (input.maxSourceBytes !== undefined)
+        validated.maxSourceBytes = input.maxSourceBytes;
+    return ok(validated);
+}
+function requestedSelector(input) {
+    if (input.agentId !== undefined)
+        return 'agentId';
+    if (input.agentName !== undefined && input.agentName !== defaultManagerAgentName)
+        return 'agentName';
+    return 'default-manager';
+}
+function ok(value) { return { ok: true, value }; }
+function validationFailure(message) { return { ok: false, error: { code: 'validation_failed', message } }; }