Audit/opencode system updates #18
Merged
…bpaths (AUD-P0-001, AUD-P0-002)
Replace blanket '.opencode' EXCLUDE_DIRS with targeted subpath excludes (.opencode/agents, commands, skills, documentation, benchmarks), leaving .opencode/run-logs/ scannable by the secret scanner.
Also replace legacy .chatgpt-context-pack* excludes with .context-pack/.
…ke test (AUD-P0-003, AUD-P1-001)
AUD-P0-003: Create canonical context-pack generator (scripts/dev/generate-context-pack.sh)
- Uses git ls-files to respect .gitignore (root cause fix)
- Purges .opencode/run-logs/* before every generation (pre-export hook)
- Replaces two external unsafe generators with one source-controlled script
- Updated .gitignore: /.chatgpt-context-pack* -> /.context-pack/
AUD-P1-001: Build ADR-0008 smoke test (scripts/security/check-opencode-config.sh)
- 11 assertions against opencode.jsonc, all passing
- Wired into CI (check-all.sh) and pre-push hook
- ADR-0008 updated: default_agent plan->delivery (post-decision annotation)
…P2-004)
AUD-P2-003: Create docs/workflows/repository-audit-workflow.md
- Documents the repo-auditor -> AGENT_HANDOFF.md -> repo-repair cycle
- Mirrors the documentation workflow doc structure
AUD-P2-004: Extract generic audit template
- templates/repo-audits/opencode-system-audit-template.md from repo-auditor.md
- All 11 schema sections preserved
- repo-auditor.md updated with canonical template reference
- Audit report filed under audits/ as first worked example
…scan (AUD-P2-001, P2-005, P2-006, P1-002, P3-001)
AUD-P2-001: Add /quality-check slash command for git-quality agent
AUD-P2-005: Create .opencode/REGISTRY.md (25 agents, 28 commands, 12 skills)
CI assertion validates counts vs. REGISTRY.md and README.md
AUD-P2-006: Permission-block regression test across 7 agents
(check-agent-permissions.sh verifies 12 secret-path deny patterns)
AUD-P1-002: Dev-dependency advisory scan added to check-dependencies.sh
(informational only, non-blocking per user decision)
AUD-P3-001: Bash deny-list asymmetry documented in REGISTRY.md §Notes
README.md: 27->28 commands (new /quality-check)
…ll phases)
Phase A: Stop the bleeding (AUD-P0-001, AUD-P0-002)
Phase B: Close structural gap (AUD-P0-003, AUD-P1-001)
Phase C: Fill documented gap (AUD-P2-003, AUD-P2-004)
Phase D: Polish (AUD-P2-001/005/006, P1-002, P3-001)
Includes AGENT_HANDOFF_OPENCODE_SYSTEM.md delivery handoff and Phase B execution plan with pre-execution discoveries.
…on and run records
- Align table formatting in REGISTRY.md, AGENT_HANDOFF, audit report, workflow doc
- Add spacing/readability improvements across all Phase A-D run records
- Consistent italic formatting and structural cleanup in PHASE-B execution plan
- No functional or code changes
- P0: update check-opencode-config.sh check 10 to assert git push* as "ask" (split out from deny list; new check 10a verifies ask policy)
- P1: fix broken ADR link in repository-audit-workflow.md (0008-opencode-config-consolidation → 0008-canonical-opencode-project-configuration)
- P2: clarify check-dependencies.sh header comment (production audit blocks; dev audit is informational only)
- P2: remove dead pnpm-lock.yaml from context-pack allowlist (excluded by Python filter as "huge, not useful for context")
- P0: add output-path safety checks to generate-context-pack.sh (blocks unsafe paths like ".", "/", empty, or non-hidden dirs)
- P1: remove hard-coded line numbers from audit template header (prevents drift when repo-auditor.md changes)
- P1: extend check-agent-permissions.sh to validate edit: denies (was only checking read:; now checks both read + edit)
- P1: add missing edit: secret-path denies to qa, reviewer, repository-docs, and security agent configs
- P2: replace grep -oP with portable grep -oE in check-registry-counts.sh (PCRE not available on BSD/macOS grep)
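The output-path safety check named in the last commit message, sketched as an added example; it is not the PR's generate-context-pack.sh, whose code does not appear on this page. `validate_output_dir` and the sample paths are hypothetical, and rejecting `..` components goes beyond the cases the commit lists.

```shell
#!/usr/bin/env bash
# Added example: path guard for a generator that clears and rewrites its
# output directory. validate_output_dir is a hypothetical name.

validate_output_dir() {
  local dir="${1-}" base
  # Empty or unset argument: nothing safe to default to.
  if [ -z "$dir" ]; then
    echo "refusing: empty output path" >&2
    return 1
  fi
  # Drop trailing slashes so "./" and "//" are seen as "." and "/".
  while [ "${#dir}" -gt 1 ] && [ "${dir%/}" != "$dir" ]; do
    dir="${dir%/}"
  done
  # The working directory, its parent, or the filesystem root.
  case "$dir" in
    .|..|/)
      echo "refusing: '$dir' is not a dedicated output directory" >&2
      return 1 ;;
  esac
  # Assumption beyond the commit message: no ".." component anywhere.
  case "/$dir/" in
    */../*)
      echo "refusing: '$dir' contains a '..' component" >&2
      return 1 ;;
  esac
  # Final component must be a hidden directory such as .context-pack.
  base="${dir##*/}"
  case "$base" in
    .?*) return 0 ;;
  esac
  echo "refusing: '$base' is not a hidden directory" >&2
  return 1
}

# Constructed sample paths; each verdict is printed, nothing is deleted.
for candidate in ".context-pack" ".context-pack/" "" "." "./" "/" "//" "out" "../.pack"; do
  if validate_output_dir "$candidate" 2>/dev/null; then
    echo "ok      '$candidate'"
  else
    echo "blocked '$candidate'"
  fi
done
```

Calling the guard before any purge or write step means a mistyped argument fails closed instead of clearing the repository root.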
No description provided.