
Audit/opencode system updates #18

Merged
MerverliPy merged 12 commits into main from audit/opencode-system-updates
Jun 20, 2026

@MerverliPy

Owner

No description provided.

…bpaths (AUD-P0-001, AUD-P0-002)

Replace blanket '.opencode' EXCLUDE_DIRS with targeted subpath excludes
(.opencode/agents, commands, skills, documentation, benchmarks), leaving
.opencode/run-logs/ scannable by the secret scanner.

Also replace legacy .chatgpt-context-pack* excludes with .context-pack/.

…ke test (AUD-P0-003, AUD-P1-001)

AUD-P0-003: Create canonical context-pack generator (scripts/dev/generate-context-pack.sh)
- Uses git ls-files to respect .gitignore (root cause fix)
- Purges .opencode/run-logs/* before every generation (pre-export hook)
- Replaces two external unsafe generators with one source-controlled script
- Updated .gitignore: /.chatgpt-context-pack* -> /.context-pack/

AUD-P1-001: Build ADR-0008 smoke test (scripts/security/check-opencode-config.sh)
- 11 assertions against opencode.jsonc, all passing
- Wired into CI (check-all.sh) and pre-push hook
- ADR-0008 updated: default_agent plan->delivery (post-decision annotation)

…P2-004)

AUD-P2-003: Create docs/workflows/repository-audit-workflow.md
- Documents the repo-auditor -> AGENT_HANDOFF.md -> repo-repair cycle
- Mirrors the documentation workflow doc structure

AUD-P2-004: Extract generic audit template
- templates/repo-audits/opencode-system-audit-template.md from repo-auditor.md
- All 11 schema sections preserved
- repo-auditor.md updated with canonical template reference
- Audit report filed under audits/ as first worked example

…scan (AUD-P2-001, P2-005, P2-006, P1-002, P3-001)

AUD-P2-001: Add /quality-check slash command for git-quality agent
AUD-P2-005: Create .opencode/REGISTRY.md (25 agents, 28 commands, 12 skills)
           CI assertion validates counts vs. REGISTRY.md and README.md
AUD-P2-006: Permission-block regression test across 7 agents
           (check-agent-permissions.sh verifies 12 secret-path deny patterns)
AUD-P1-002: Dev-dependency advisory scan added to check-dependencies.sh
           (informational only, non-blocking per user decision)
AUD-P3-001: Bash deny-list asymmetry documented in REGISTRY.md §Notes
README.md: 27->28 commands (new /quality-check)

…ll phases)

Phase A: Stop the bleeding (AUD-P0-001, AUD-P0-002)
Phase B: Close structural gap (AUD-P0-003, AUD-P1-001)
Phase C: Fill documented gap (AUD-P2-003, AUD-P2-004)
Phase D: Polish (AUD-P2-001/005/006, P1-002, P3-001)

Includes AGENT_HANDOFF_OPENCODE_SYSTEM.md delivery handoff and
Phase B execution plan with pre-execution discoveries.

…on and run records

- Align table formatting in REGISTRY.md, AGENT_HANDOFF, audit report, workflow doc
- Add spacing/readability improvements across all Phase A-D run records
- Consistent italic formatting and structural cleanup in PHASE-B execution plan
- No functional or code changes

- P0: update check-opencode-config.sh check 10 to assert git push* as "ask"
  (split out from deny list; new check 10a verifies ask policy)
- P1: fix broken ADR link in repository-audit-workflow.md
  (0008-opencode-config-consolidation → 0008-canonical-opencode-project-configuration)
- P2: clarify check-dependencies.sh header comment
  (production audit blocks; dev audit is informational only)
- P2: remove dead pnpm-lock.yaml from context-pack allowlist
  (excluded by Python filter as "huge, not useful for context")
- P0: add output-path safety checks to generate-context-pack.sh
  (blocks unsafe paths like ".", "/", empty, or non-hidden dirs)
- P1: remove hard-coded line numbers from audit template header
  (prevents drift when repo-auditor.md changes)
- P1: extend check-agent-permissions.sh to validate edit: denies
  (was only checking read:; now checks both read + edit)
- P1: add missing edit: secret-path denies to qa, reviewer,
  repository-docs, and security agent configs
- P2: replace grep -oP with portable grep -oE in check-registry-counts.sh
  (PCRE not available on BSD/macOS grep)
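
The output-path safety check named in the commit message above (blocking ".", "/", empty, or non-hidden directories), sketched as an added example; this is not the code from generate-context-pack.sh. The function name `check_output_dir`, the extra rejection of absolute paths and `..` components, and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not the project's script): validate an output directory
# before a generator purges or writes into it.

# Returns 0 if the path is acceptable, 1 (with a reason on stderr) otherwise.
check_output_dir() {
    out=$1
    # Empty or unset: a later "$out"/* would expand to /*.
    if [ -z "$out" ]; then
        echo "refusing: empty output path" >&2; return 1
    fi
    # Strip trailing slashes so "./" and ".context-pack/" normalise.
    while [ "${out%/}" != "$out" ]; do out=${out%/}; done
    # "/" and "//" are empty after stripping.
    if [ -z "$out" ]; then
        echo "refusing: filesystem root" >&2; return 1
    fi
    case $out in
        .|..)
            echo "refusing: current or parent directory" >&2; return 1 ;;
        /*)  # assumption: output must stay relative to the repo root
            echo "refusing: absolute path" >&2; return 1 ;;
        ../*|*/..|*/../*)  # assumption: no parent-directory traversal
            echo "refusing: '..' component" >&2; return 1 ;;
    esac
    # The final component must be a hidden directory (".name").
    base=${out##*/}
    case $base in
        .?*) return 0 ;;
        *)   echo "refusing: non-hidden directory '$base'" >&2; return 1 ;;
    esac
}

# Constructed sample inputs, not taken from the repository.
for p in ".context-pack" ".context-pack/" "" "." "/" "build" "../.context-pack"; do
    if check_output_dir "$p" 2>/dev/null; then
        echo "ok:      '$p'"
    else
        echo "blocked: '$p'"
    fi
done
```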
@MerverliPy merged commit c7d6a11 into main Jun 20, 2026
1 check passed