b835d53d83
* cherry-pick updated /anneal command from billing branch + add as Claude Code slash command mirrors origin/billing:.cursor/commands/anneal.md (commit 4f389a8f) into both .cursor/commands/ and .claude/commands/ so the parallel-lens annealing prompt is available in both editors. content is identical between the two files. * anneal: drop REVIEW.md pointer, surface-agnostic dispatch wording, fix modes.ts self-review contradictions Anneal pass over the /anneal slash command and the Build-mode self-review step: - Drop REVIEW.md references in both anneal.md copies. The file does not exist on the Claude Code surface (only .cursor/commands/), and its contents (correctness/security/impact framing) directly contradict the prescribed single-lens, no-pre-shaping discipline. - Replace "Task tool calls" with surface-agnostic "parallel subagent calls" so the meta-prompt does not couple to either CLI's tool naming. - Hedge the "verify via web search" instruction to acknowledge subagents may not have web search available. - modes.ts: drop "and the changed files" — the same step's don't-list forbids handing subagents a curated reading list (in-file contradiction). - modes.ts: restore the "skim only, don't pre-review" warning that the long-form treats as load-bearing. - modes.ts: drop "NO MCP tools" — overbroad; the actual safety property is captured by "no writes, no shell commands, no side effects". Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal: two-round self-anneal of /anneal + modes.ts self-review Expand the multi-lens parallel-review protocol with fixes surfaced by running /anneal on this branch twice. Material additions: /anneal canonical (.claude/commands/anneal.md + .cursor mirror): - promote orientation-vs-defect-hunting distinction to a load-bearing framing in the opening paragraphs - add an empty-target early exit ("nothing to anneal" stop) at §1 - spell out the read-only constraint with the no-op-if-reverted test, and forbid recursive subagent dispatch (incl. agentic MCP tools) - add cleanup-and-debt sub-categories (env vars, feature flags, dangling symbols), supply-chain, test-integrity lenses to the catalog - §1 lens-count rule: explicit trivial/typical/high-risk tiers; "treat as typical" tiebreaker for the unsure case - §2 example uses bare `git diff <primary-branch>` to capture uncommitted edits (three-dot syntax is committed-only) - §5 targeted-follow-up cross-references the fresh-eyes carve-out in Delegation discipline - final-message format spells out coverage shape, findings-table shape, dry-run fix-plan branch, and plan/doc summary branch - stopping criteria distinguish "trivial" from "small / low-risk" action/modes.ts Build mode step 4 (self-review one-pass anneal): - empty-diff early exit; "step 4 mandatory whenever there is a diff" resolves the prior contradiction with the always-runs assertion - lens count by risk (2-3 typical / 4 high-risk single-round-cap / exactly 1 trivial) with separate Tiebreaker - expand swap-in lens menu (research-validated assumptions, security, user-journey, ops, integration, test integrity, supply chain, performance, holistic) so the catalog is a starting menu, not a closed set - rename `cleanup & scope` to `diff hygiene` to avoid colliding with the canonical's broader `cleanup & debt` - delegation discipline bulletized (don't lens-review yourself, don't summarize, don't curate, don't pre-shape, don't mention other lenses); independence rationale stated inline - explicit research-discipline reminder for any lens that touches external contracts (web search, quote URLs) - comment block enumerates deliberate omissions vs the canonical (dry-run, severity categorization, read-only shell) and the deliberate scope decision (sibling diff-producing modes stay solo) action/modes.ts Review + IncrementalReview subagent-dispatch wording: - propagate the no-recursive-dispatch rule (was missing) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * add set_plan/get_plan + restructure Review/IncrementalReview as parallel-subagent orchestrators Build mode's self-review and Review/IncrementalReview now follow the multi-lens parallel-subagent fan-out pattern from the canonical /anneal protocol. New set_plan/get_plan MCP tools (orchestrator-only) persist the implementation plan in tool state so the self-review's plan-adherence lens can verify the diff against the original intent rather than reconstructing it post-hoc. Subagent "read-only / no further dispatch" is currently enforced via prompt prose only — neither claude-code's --disallowedTools nor opencode's per-agent tools allowlist is configured to scope subagent MCP access. Documented as a deferred ~30-50 LOC follow-up in the modes.ts header comment. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * revert Review/IncrementalReview mode prompts to main; keep Build self-review changes E2e testing on this branch only exercised the trivial-1-lens path for Review (preview repo had only docs PRs). Multi-lens Review fan-out was never directly validated against a real code PR. Splitting the Review/IncrementalReview restructure to its own branch (review-mode-orchestrator, draft PR #555) pending focused validation. Keep on this branch: - set_plan/get_plan MCP tools - Build mode multi-lens self-review (Test 3 directly validated 2-subagent parallel fan-out on a 2-file diff) - /anneal command updates (.claude/ and .cursor/ mirrors) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * require plan parameter when selecting Build mode Adds an arktype .narrow on SelectModeParams that rejects select_mode({mode:"Build"}) unless a non-empty 'plan' string is also provided. When valid, the plan is stored into ctx.toolState.plan at mode-selection time, so step 4's plan-adherence lens always has a comparison target. This closes the e2e finding that agents never reached for set_plan on their own (5 of 6 runs in production). Build mode prompt updated to reflect that plan is already populated at mode selection; set_plan remains as the mid-task replan tool. Other modes are unaffected. Validation surfaces the error to the agent with a descriptive message including the path ('plan') and recovery instructions, so a failing call is recoverable on the next turn rather than a hard fail. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * move Build-mode plan-required check from arktype .narrow to execute() arktype .narrow predicates aren't JSON-Schema serializable — FastMCP's toJsonSchema() emitted a {code: "predicate", predicate: Function} object instead of a serialized schema. Effect: agents couldn't see select_mode in their tool list (verified by 5 consecutive runs across two models silently bypassing select_mode entirely after the prior commit). Fix: keep the param schema clean (.narrow removed) and check selectedMode.name === "Build" && !params.plan in the execute() body, returning a structured error response. The agent now sees select_mode normally, gets a clear actionable error if it forgets the plan, and can recover on the next turn by retrying with the plan included. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * flip lens architecture: Build = single fresh-eyes subagent, Review/IncrementalReview = multi-lens Build mode self-review previously fanned out 1-4 lenses on the agent's own diff. The bias-mitigation argument for fan-out is weaker for self-review than for reviewing someone else's PR — the orchestrator just wrote the code, so what matters is one fresh-eyes subagent that doesn't share the implementation context, not breadth across parallel angles. Build now dispatches exactly one subagent that gets the original user request and the diff and evaluates whether the diff fulfills the request. Review and IncrementalReview now use the multi-lens orchestrator pattern (triage → parallel read-only fan-out → aggregate → draft comments → submit). For someone else's PR, parallel lenses (correctness, security, research-validated, user-journey, etc.) provide breadth that a single subagent can't carry coherently. Was previously parked on the review-mode-orchestrator branch (PR #555). Removes set_plan/get_plan MCP tools, ToolState.plan field, and the plan parameter on select_mode. Validated end-to-end that those didn't cause agents to actually use plan tracking (5 of 6 e2e runs skipped them); the original user request from the prompt body is the source of truth and the orchestrator already has it. Drops timeout test plan-param workaround that was added for the prior validation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * split Review/IncrementalReview multi-lens back out to review-mode-orchestrator branch The multi-lens orchestrator restructure for Review/IncrementalReview was bundled into this branch in commit e964ae0c, but it hasn't been validated against a real code-heavy PR (the e2e exercised it only on docs PRs). Splitting it back out keeps this branch focused on the validated half — Build → single fresh-eyes subagent — and lets the Review changes ship in a focused PR (#555 reopened). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal: fix Build prompt contract bugs found by 3-lens review Major fixes: - checkout_pr returns the field as `base`, not `baseRef` (per checkout.ts:611-616). The prompt was telling agents to read `result.baseRef` which would be undefined. - The base-ref fallback "after fetching" is unreachable via the `git` MCP tool (it blocks `fetch` per AUTH_REQUIRED_REDIRECT). Now names `git_fetch` explicitly. - Boundary-tag wrapping for the user request had no escape rule for input that contains the literal close marker, and no fallback for an empty request. Both are now documented with a nonce-suffix mitigation. - PR reference updated #555 → #557 (the active PR for the multi-lens review-mode-orchestrator branch; #555 was closed after the rebase). Minor fixes: - Retry predicate tightened: "errors out (tool error) or returns an empty body", not "returns nothing usable" (which is unfalsifiable and lets an orchestrator declare any output not-usable to skip review). - Subagent read-only constraints rephrased as prescriptive ("MUST NOT call") rather than descriptive ("you have only"), since on inheriting runtimes the subagent does in fact have access to write tools and the constraint is prompt-only. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal round 2: tighten Build prompt edge cases (workflow_dispatch, base-ref, footer-strip, skip marker) Cross-lens findings from holistic + user-journey + research-validated lenses: - workflow_dispatch + empty diff: report_progress silently no-ops when there's no parent issue/PR. Now also call set_output with a "no-op" summary so the user gets surfacable feedback. - base-ref resolution: clarified `base` from checkout_pr is a bare ref name, added explicit `git remote show origin` path for repos whose primary is not `main` (master, trunk, etc.). - bare `git diff` description: tightened from "shows working tree" to "shows unstaged working-tree changes" — bare diff misses staged changes too, not just committed ones. - prompt-body stripping: explicitly call out the leading `> ` blockquote prefix (added by the *YOUR TASK* section formatting) and the entire Pullfrog footer block, not just one example link. - boundary-tag nonce: always-on now, not conditional on detecting a close marker. Cost is one random short string; failure mode (prompt injection if input contains literal close marker) is silent. - subagent-skip marker: structured `Self-review: SKIPPED (subagent error: ...)` on its own commit-message line, so the gap is greppable. Header comment also documents: - AddressReviews/Fix/Task asymmetry (deliberately deferred) - Subagent-runtime-fence deferred fix must explicitly deny Skill / agentic MCP tools, not just destructive tools (claude-code blocks recursive Task spawn but not alternative dispatch paths). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal round 3: targeted re-review of round-2 changes catches real regressions Round 2's "fixes" introduced two real bugs that round 3's targeted correctness re-review caught: CRITICAL (fixed): tier-3 base-ref resolution used `git remote show origin`, which requires network auth — the MCP `git` tool runs commands through plain spawn() without auth, so this hangs on private repos. Replaced with `git symbolic-ref refs/remotes/origin/HEAD` (local symref, no network), which actions/checkout populates. MAJOR (fixed): the eventInstructions fallback was incoherent — the agent has no separately-addressable eventInstructions field; whatever it received in *YOUR TASK* is its only input. Removed the misleading reference. MAJOR (fixed): per-line `> ` strip was ambiguous, could destructively flatten user-pasted markdown blockquotes. Now: "strip exactly one leading `> ` per line". MAJOR (fixed): tier-1 base-ref preferred bare `<base>` over `origin/<base>`, which fails on the rare alreadyOnBranch path in checkout_pr where the local ref isn't re-created. Now prefers `origin/<base>` (always populated post-fetch). MINOR (fixed): footer-strip anchor was `<sup>`/`<picture>`, both of which appear in legitimate user content (footnotes, etc.). Switched to the PULLFROG_DIVIDER sentinel which is purpose-built for this. MAJOR (acknowledged, partial fix): 4-hex nonce is theatrical security; bumped to 8 hex and explicitly noted it's a typo-guard, not a security boundary, and that the structural fix (separate task() argument) is the real solution. REJECTED (verified false positive): subagent claimed `set_output` is not registered for workflow_dispatch. Verified at action/utils/payload.ts:118 — workflow_dispatch from `gh workflow run` resolves to trigger:"unknown", which IS standalone, which IS registered with set_output. E2e logs from prior tests confirm agents successfully call pullfrog_set_output on workflow_dispatch runs. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal round 4: drop broken symbolic-ref tier, simplify base-ref resolution Round 3's tier-2 (`git symbolic-ref refs/remotes/origin/HEAD`) is empirically broken: actions/checkout doesn't populate origin/HEAD on shallow clones (fetch-depth: 1, used by pullfrog.yml), and Git 2.50+ no longer auto-sets it on full clones either (actions/checkout#2219). New scheme: PR context uses checkout_pr's `base`. Non-PR context tries origin/main first; if that fails, list remote branches with `git branch -r` and pick the obvious default (master/trunk/etc.). Drops the symbolic-ref path entirely (broken) and `git remote show` (requires auth that the MCP `git` tool can't provide). Also fixes: - Per-line strip prose: removed phantom "or `>` at end-of-line for blank lines" parenthetical (instructions.ts always emits `"> "`). - Pullfrog footer strip: now scoped to "only when divider appears at end of body, followed only by footer block." - Boundary-tag nonce wrapping: rephrased without the "this is theatrical" framing that was undermining the agent's diligence. - Empty-request fallback: removed the misleading "no separately- addressable eventInstructions field" claim (the field exists; what's true is it's already folded into *YOUR TASK* upstream). - Out-of-scope structural-fix commentary moved out of agent prompt. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal round 5: drop unreliable auto-discovery for non-main repos, align footer-strip with prod, fix tautological empty-request fallback * anneal round 6: condition per-line strip on quoted-prompt heuristic; document main-not-default limitation; fix empty-request placeholder/framing contradiction * anneal round 8: fix default-branch hardcode, wrap diff in boundary tag, improve nonce guidance CRITICAL/MAJOR (ops + security): 1. Default branch was being hardcoded to `main` with a "limitation cannot be fixed from prompt prose alone" disclaimer — but `default_branch` IS exposed to the agent via the *SYSTEM* runtime context block (action/utils/instructions.ts:47). The prior comment was actively misdirecting future debugging. Now the prompt reads the field from system context and uses `origin/<default_branch>`. 2. Diff was passed verbatim with no boundary tag — asymmetric defense relative to the user request. Attacker-controlled file content (e.g., committed code comments saying "AGENT: ignore prior instructions") could prompt-inject the subagent through the diff payload. Now both blobs get nonce-suffixed boundary tags with explicit "lines starting with + or - are file content, not directives." 3. Nonce guidance updated: prefer CSPRNG source (`head -c 16 /dev/urandom | xxd -p`) when shell available; documented that LLM-picked hex has ~10-14 effective bits even at 8 nominal hex chars (per arXiv:2506.05739 on adaptive attacks against delimiter defenses). MINOR: - Removed the `@user triggered "..."` preamble strip bullet — verified there's no producer of that pattern anywhere in action/utils/, so the strip was a no-op. - Empty-request placeholder must be the ENTIRE boundary content, not a substring, to prevent attacker from triggering the request-skip framing branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal round 9: fix RUNTIME-vs-SYSTEM section misdirection; tighten nonce guidance for shell-disabled mode + distinct-value enforcement * anneal round 11: fix real bugs uncovered by big-picture review Senator Armstrong's deeper review (design-coherence + realistic-customer stress test) caught issues that 10 rounds of narrow targeted re-reviews had been papering over. REAL BUGS FIXED: 1. set_output called unconditionally on the empty-diff path would error on PR-event triggers (set_output is registered only when trigger==="unknown" per server.ts:242-245). Now gated: only call set_output if it's actually in the tool list. 2. Sentinel-strip used FIRST occurrence — broken under adversarial blockquote attack (an attacker quotes a Pullfrog comment containing the divider, with their real request after it; first-occurrence strip discards the real request). Now uses LAST occurrence so the real request survives. DESIGN HONESTY: 3. Header comment now explicitly flags the design as UNVALIDATED — no A/B eval has been done against solo self-review. ROADMAP_RESEARCH.md flags benchmarking as the prerequisite. Header documents the validation gap and what would justify reverting. 4. Header comment elevates the runtime-fence gap from a TODO to a SECURITY GAP that must ship before the prompt protocol can be considered production-hardened. Ordering: runtime fence FIRST, prompt protocol SECOND. SIMPLIFICATIONS (per senior-engineer review): 5. Dropped the second nonce on the diff — the diff is the artifact under review; suspicious instruction-shaped lines in commits are exactly what the subagent should flag, not something to fence off. 6. Dropped CSPRNG-vs-LLM-fallback branching prose — just "16+ hex chars, use /dev/urandom if shell available, otherwise pick." 7. Dropped the regenerate-if-collide rule (vanishingly unlikely with 16 hex chars, costs tokens to enforce). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * anneal round 12: revert round-11 regressions (sentinel-strip, set_output gate, diff nonce) Round 12's sharper review caught three regressions round 11 introduced: 1. Sentinel-strip last-occurrence was strictly worse than first-occurrence for the common "user references a prior Pullfrog comment" case. The adversarial-quote scenario it was defending against is contrived (an attacker can put hostile payload anywhere; strip discipline doesn't change attack surface). Reverted to first-occurrence to align with canonical stripExistingFooter() and avoid silently swallowing user reference context. 2. set_output "gate" via "if it's in your tool list" relied on tool introspection that LLMs cannot reliably perform. Replaced with: just call report_progress; document the workflow_dispatch limitation as acceptable (job log is feedback-of-last-resort) rather than asking the agent to conditional-call a tool that may not exist. 3. Diff was de-nonced in round 11 on the assumption runtime fence ships first, but until that runtime fence lands the plain label is forgeable (committed file content can include "--- END DIFF ---" + injection). Restored nonce wrapping. The cost is one extra hex string; the benefit is real until runtime fence ships. Also added explicit caveat on the self-attested skip marker: the proper fix is MCP-layer dispatch-counting, not commit-message annotation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * ruthless cut: revert Build self-review elaboration to compact form main already had subagent dispatch (4 compact lines). This branch added 70+ lines of elaboration — header warnings, base-ref dance, footer-strip rules, nonce- suffixed boundary tags, retry-once skip markers, delegation-discipline list — all predicated on a runtime fence that doesn't exist and validation that never ran. Senior-engineer review (round 11) explicitly recommended cutting; ROADMAP_RESEARCH flags A/B benchmarking as the prerequisite for this design. Net change vs main now matches what the user actually asked for: - drop the optional plan step (and its "follow the plan" / Notes references) - subagent receives the original user request alongside the diff, evaluated against base ref, with explicit no-further-dispatch constraint Everything else reverts to main's prose. ~10 lines net change instead of 70+. * anneal round 13: tighten self-review prompt inputs to runtime-resolvable values Two underspecified inputs flagged by parallel holistic + mechanics review: 1. "the original user request" is empty for non-@pullfrog-tagged auto-triggers (sync, check_suite, opened, etc.); only YOUR TASK is reliably present in the assembled prompt across all event types. Replace. 2. "base ref (PR base or repo default branch)" requires the agent to resolve and fetch the default branch on non-PR runs (origin/<default> typically not fetched). Drop the elaboration — bare git diff captures all changes at step-3 time since step 2 doesn't commit. Aligns with 3ed2c55a's ruthless-cut philosophy: less elaboration, not more. Verified in round 14: YOUR TASK is the literal section header in instructions.ts (buildTaskSection); bare git diff scope is correct. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * restore plan step to Build mode prompt The plan step was removed alongside the MCP-contract plan-required work, but the user only wanted it gone from the MCP contract, not from the prompt itself. Restores step 1 (plan), the "follow the plan" build sub-bullet, the trailing Notes section, and renumbers learningsStep back to 6. Made-with: Cursor * add pullfrog-reviewer named subagent; standardize review fence to non-mutative+non-recursive Defines a constrained `pullfrog-reviewer` named subagent for the Build mode self-review and /anneal lens dispatch, with a single source of truth in action/agents/reviewer.ts (allowed tools, denied mutating MCP tools, system prompt). Enforcement: - opencode: real fence via agent.pullfrog-reviewer block in buildSecurityConfig — denies edit/bash/task and globs each mutating pullfrog_* MCP tool to false. - claude-code: forward-looking only. Per-agent disallowedTools is upstream-broken (anthropics/claude-agent-sdk-typescript#172, open as of latest update Mar 2026 — subagent child processes still see and can call disallowed tools, including Task). The --agents JSON is defined anyway so the fence becomes real when upstream fixes #172; until then the prompt prose constraint is the actual fence. The PreToolUse hook workaround that does enforce is out of scope. Read-only MCP tools (get_*, list_*) intentionally remain enabled so the reviewer can pull PR/issue/check context without dispatching state changes. Both modes.ts Build self-review and the two anneal.md files now share the same "non-mutative + non-recursive" framing — file reads, grep, search, web search/fetch, read-only shell, and read-only MCP queries allowed; writes, state-changing MCP, and nested subagent dispatch denied. Resolves the previous inconsistency where /anneal allowed read-only shell and Build self-review banned all shell. Made-with: Cursor * Build self-review: pass build-phase failure summary to reviewer subagent Adds an instruction in step 4's dispatch: along with YOUR TASK and git diff, pass a tight plain-text summary of any lint/typecheck/test failures fixed during build (what broke, root cause, the fix) — or "no build-phase failures" if clean. Goal: let the reviewer check that fixes addressed root causes rather than suppressed symptoms (e.g., editing a test to make it pass instead of fixing the bug). Implemented as agent self-summarization rather than piping raw build output to avoid context flooding — typecheck/test output can be hundreds to thousands of lines per failure. The agent has the failure trail in its own conversation history and summarizes from memory; the reviewer sees a few lines per failure, not raw stderr. Caveat: this is a plausible-but-unvalidated quality improvement. The mechanical justification (signal already produced, currently not passed on) is real; "this catches more bugs" is a hypothesis that will need actual run data to confirm. Downside is bounded (reviewer gets slightly more context, no behavior change if the summary is empty or ignored). Made-with: Cursor * Build self-review: distill /anneal delegation + research discipline into dispatch instructions Lifts the codified learnings from /anneal's "Delegation discipline" and "Research discipline" sections into Build mode step 4. These rules are about how-to-prompt the reviewer (not about parallelism), so they transfer losslessly to single-agent dispatch and address bias modes the prior prompt was silent on: - Don't summarize what you implemented (biases toward shape-validation) - Don't curate a reading list (your curation is itself a lens) - Don't pre-shape output with severity/category (leaks hypotheses) - Don't defect-hunt in parallel (reintroduces the implementation bias the subagent is meant to mitigate) - For diffs touching third-party API contracts / SDK semantics / framework directives / DB engine specifics, instruct the reviewer to verify load-bearing claims via web search and quote URLs rather than trust training data Restructures step 4 from one paragraph into three (constraints, inputs, discipline) plus a final review-and-commit paragraph for readability. These are validated learnings from many anneal rounds, not theoretical best practices — they're the single substantive piece this branch was missing. Made-with: Cursor * pullfrog-reviewer: drop MCP deny-list, rely on prose constraint Per-PR-review feedback: hand-maintaining MUTATING_MCP_TOOLS against action/mcp/server.ts was fragile — a future mutating tool added to the MCP server without updating this list would silently grant write access to the reviewer. Inverting to an allowlist or adding a structural test both keep the drift problem. Drop the list and all per-agent runtime denies (claude disallowedTools, opencode tools/permission map). Strengthen REVIEWER_SYSTEM_PROMPT to spell out the categories of state-changing MCP tools by example and explicitly tell the model to apply the no-op-if-reverted invariant to tools added after the prompt was written — the rule is the invariant, not the enumeration. Keep the named subagent so the prompt is reliably injected. Update modes.ts and both anneal.md copies to drop the runtime-enforces-where-supported claim. Co-authored-by: Cursor <cursoragent@cursor.com> * pullfrog-reviewer: fix description to allow read-only shell The description field was overstating the constraint as 'must not shell', but the system prompt explicitly allows read-only commands like git diff, git log, cat, ls. Align description with the actual contract. Co-authored-by: Cursor <cursoragent@cursor.com> * restructure Review/IncrementalReview as multi-lens parallel-subagent orchestrators For someone else's PR, parallel lenses (correctness, security, research-validated claims, user-journey, etc.) provide breadth across angles that a single subagent can't carry coherently. The orchestrator does triage → parallel read-only subagent fan-out → aggregate → draft comments → submit. Lens count by risk: 1 lens for trivial PRs, 2-3 for typical, 4 for high-risk surfaces (billing, auth, migrations). This branch contains ONLY the Review/IncrementalReview multi-lens prompts. Build mode keeps its single-fresh-eyes-subagent shape (different problem — orchestrator just wrote the code; bias-mitigation comes from one subagent that doesn't share the implementation context). The Build changes ship in a separate PR (self-review-subagents → main). Pending validation against a real code-heavy PR before merge — e2e on a docs-only preview repo only exercised the trivial-1-lens path. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Review/IncrementalReview: dispatch fan-out via reviewfrog named subagent The fan-out steps previously said "launch one read-only subagent per lens" without naming the subagent. That bypassed the only enforcement layer the named subagent provides: a baked-in system prompt that restates the non-mutative + non-recursive contract regardless of what the orchestrator sends. Both modes now dispatch via REVIEWER_AGENT_NAME (matching Build mode's self-review wiring) and restate the constraint inline so the rule is present twice. * rename pullfrog-reviewer → reviewfrog Mechanical rename of the named subagent. Constant names (REVIEWER_AGENT_NAME, REVIEWER_SYSTEM_PROMPT) and file paths (action/agents/reviewer.ts) stay as-is — only the agent identifier string and prose references in anneal.md and code comments change. * modes/anneal: trivial PRs skip review entirely; lens count is judgment, not table; allow subsystem lenses Three coupled changes to Review/IncrementalReview/Build self-review and the canonical /anneal command: 1. Trivial-skip: trivial diffs (single-line, formatting/comment-only, doc typo, low-risk dep bump, no behavior change) skip the fan-out / self-review entirely. Build mode skips its self-review subagent; Review submits a bare "Reviewed — no issues found." without dispatching lenses; IncrementalReview takes the existing non-substantive submit path. Tiebreaker on uncertainty: treat as non-trivial. 2. Drop prescriptive lens counts. Replaces "2-3 typical / 4 high-risk cap / 1 trivial" with judgment-based guidance: pick as many lenses as the target has distinct surfaces of risk worth investigating independently; one is sometimes enough; bias toward more (and toward follow-up rounds in /anneal) for high-stakes subsystems; 5+ is a smell that lenses are overlapping rather than covering distinct ground. 3. Subsystem lenses. Adds an explicit second flavor of lens — domain-scoped frames like "the auth lens", "the billing lens", "the schema-migration lens" — alongside the existing themed lenses (correctness, security, user-journey, etc.). Stack themed + subsystem freely. modes.ts and anneal.md (.cursor/ + .claude/, kept byte-identical) move together so the canonical pattern doc and the orchestrator prompt agree on the protocol. * add SessionLabeler so parallel subagent log lines are differentiable When the orchestrator dispatches multiple `reviewfrog` subagents in a single assistant turn (the parallel fan-out the multi-lens prompt now requires), their tool_use / tool_result / text events arrive on opencode's NDJSON stream tagged with distinct `sessionID`s but go through a single `[Pullfrog]` log prefix. Result: log readers can't attribute which lens issued which tool call, making CI logs unreadable for any review with 2+ lenses. SessionLabeler: - Binds the first-seen sessionID to "orchestrator" and subsequent new sessionIDs to FIFO-popped lens labels seeded from task tool_use inputs. - Derives labels from `lens: <name>` markers in the dispatch prompt, the Task `description` field, the `subagent_type`, or `subagent#N` fallback. - Keeps state local to a single runOpenCode invocation. Wiring: - opencode.ts: every event handler (init, message, text, tool_use, tool_result) now looks up the per-event label and prefixes log output via formatWithLabel(). Subagent finalOutput/token-reset paths gated on ORCHESTRATOR_LABEL so child sessions can't clobber parent state. - claude.ts: claude rolls subagent activity into a single tool_result block (no per-event session_id), so it gets a minimal "» dispatching subagent: <label>" log line on Task tool_use as the only attribution. - modes.ts (Review + IncrementalReview): orchestrator instructed to set the Task `description` to the lens name, since that's what the labeler reads when no explicit `lens:` marker is in the prompt. Tests: 18 unit tests covering label derivation, FIFO binding, interleaved sessions, fallback paths, and a realistic four-lens parallel fan-out simulation. Full action test suite stays green (400 passing). This is the pre-flight instrumentation that the multi-lens validation runs depend on — without it, post-hoc log analysis can't tell two subagents apart. * log subagent dispatch + finish at info level for per-lens visibility OpenCode's runtime currently encapsulates subagent execution inside the `task` tool — subagent-internal tool_use/tool_result events do not surface on the parent's NDJSON stream. The SessionLabeler I added in 0c4647f4 therefore can't actually differentiate concurrent subagent log lines (there are no concurrent log lines on the parent stream to differentiate). What CAN be observed on the parent stream is the dispatch and the result of each `task` tool call. This patch surfaces both at info level: » dispatching subagent: lens:security (subagent_type=reviewfrog) ... » subagent finished: lens:security (15.3s, status=completed) — ... Without this, a 4-lens parallel fan-out looks like 4 dispatches in close succession followed by a long quiet gap and then an aggregation turn — you can't see when each lens finished or how the durations overlapped. With it, parallel execution is visible from the timestamps on the "finished" lines. The dispatched label comes from SessionLabeler.recordTaskDispatch (so both lines share the same lens identity). taskDispatchInfo maps callID to {label, startedAt} so the matching tool_result can compute duration and emit the finished line. Also added a defensive comment on the SessionLabeler instantiation documenting that the per-event session-prefix path is currently dormant in the opencode runtime, but kept in place so attribution flips on automatically if/when opencode begins streaming subagent sessions. * fix subagent-finished log: hybrid exact+FIFO callID matching opencode does not consistently surface a tool_result callID matching the originating tool_use callID for the `task` tool, so the previous exact-match-only finish line never fired. Now we: - Dual-index task dispatches by callID AND in a FIFO queue. - Track non-task callIDs so we can identify "unrecognised callID" results as likely-task-with-mismatched-id. - On tool_result, exact-match first; fall back to FIFO when the output looks like a subagent reply (>300 chars) and the callID is unknown. - Flush leftover dispatches at run end with an "(inferred at run-end)" suffix so the gap is visible if subagent results arrive entirely off the tool_result event path (e.g. inlined into the next assistant message). * fix subagent-finished log: move run-end flush to post-subprocess block Investigation on T3 + finish-log-validation runs revealed two real issues with my prior attempt: 1. The `result` event handler is dead — opencode never emits a `result`-typed event over its NDJSON stream, so the inferred-at-run-end flush I had placed there never fired. Move the flush to right after `runSubprocess` returns where it actually executes. 2. The FIFO heuristic was too strict — the >300-char output check excluded short or empty outputs that opencode's `task` tool_result appears to carry (the subagent's full reply seems to arrive via a separate channel, not the result event itself). Drop the size check; rely solely on `knownNonTaskCallIDs` to keep genuinely-non-task tool_results from popping a pending task. Net effect: every `task` tool dispatch gets a matching `» subagent finished` line in the logs, either from the FIFO fallback during the run or from the run-end flush as a backstop. * modes/anneal: anchor lens calibration in worked examples The prior trivial-skip definition ("single-line fix, formatting-only, …") was anchored on diff size, but real-world risk is anchored on diff *shape*: a 5000-line lockfile regen IS trivial, and a 1-line SQL operator flip in a billing path is NOT. The prior lens-count guidance ("there's no fixed count, bias toward more for high-stakes subsystems") gave the agent no concrete shapes to anchor against, so runs varied between under-pick (4 generic lenses on a billing PR) and over-pick (5 overlapping themed lenses on a refactor). This commit hardens both: - Trivial definition gets explicit "looks trivial but isn't" anti-patterns: SQL operator flips, money/tax/timeout constants, feature-flag defaults, comparison operator changes, semantic 1-liners buried in whitespace, public-API renames, new direct deps. Skip lists get explicit "size doesn't matter" calibration for lockfile regens and mechanical renames. - Lens count gets a worked-example ladder: 1 lens (refactor / new test file / isolated fix), 2-3 lenses (typical features), 4-5 lenses (high-stakes subsystem touches), 6+ is a smell. - Subsystem lenses get an explicit recommendation to lead over generic themed equivalents for high-stakes domains, with the reasoning: domain framing primes the subagent for domain-specific failure modes (double-charges, refund races, dispute flows) the generic lens misses. Mirrored byte-identical into both anneal.md copies; modes.ts updates all three review surfaces (Build self-review, Review triage, IncrementalReview triage). * fix harness false-failure when Review submits without todowrite Review and IncrementalReview prompts explicitly forbid calling report_progress (the review IS the durable record). The post-run harness in action/utils/run.ts errors with "agent completed without reporting progress" when toolState.wasUpdated is false at exit. Until now, the only path that set wasUpdated for these modes was the todoTracker's debounced publish — which only fires if the agent happens to call todowrite during the run. Adversarial run on PR #16 (misleading-trivial billing tweak) hit exactly this case: agent went straight from triage → fan-out → review submission with no todowrite calls, and the harness reported failure even though the substantive review was successfully submitted with two inline comments. Fix: create_pull_request_review now marks wasUpdated=true (and finalSummaryWritten=true) on every terminal path — successful submit, empty-content skip, and all-comments-dropped skip. Submitting a review is unambiguously a "done" signal in these modes. Found via adversarial testing of the multi-lens orchestrator on a 1-line tax constant change. Logged in /tmp/pullfrog-validation/v3/. * fix harness false-failure when Review submits without todowrite (correctly) Replaces the prior fix (acc2bd65) which set wasUpdated=true inside create_pull_request_review. That approach worked for the harness check but broke the orphan-comment cleanup: with wasUpdated=true and finalSummaryWritten=true, the (!wasUpdated || trackerWasLastWriter) condition in main.ts evaluated false and the "Leaping into action" progress comment was left behind on every Review run — the exact behavior the cleanup logic was designed to prevent (see plans/review_progress_comment_cleanup_b0120f6c.plan.md). Correct fix: change the harness check in action/utils/run.ts to recognize a submitted PR review as an alternate completion signal alongside wasUpdated. wasUpdated stays false on purpose so cleanup deletes the orphan, but the run no longer false-fails when the agent followed the Review-mode contract (submit a review, never call report_progress). The bug was discovered during adversarial testing of PR #16 (misleading-trivial billing tweak) where the agent went straight from triage → fan-out → review submission without using todowrite, causing the harness to error even though the substantive review (a CAUTION blocking review with two inline comments catching a 10x tax cut) was successfully posted. * fix harness false-failure for Review modes (mode-based carve-out) Replaces the prior carve-out (4c0f69aa) which gated on toolState.review.id. That worked for runs where the review tool actually populated the toolState (validation-2 succeeded), but failed for runs that took a slightly different path where the assignment didn't propagate visibly to handleAgentResult — even when the review verifiably posted to GitHub. Found this empirically: PR #19 (pure mechanical rename across 20 files) opened with the prior fix in place, the agent picked exactly one impact lens (correct calibration!), confirmed no stale references, submitted "Reviewed — no issues found." successfully (visible in GitHub API), and the harness STILL errored with "agent completed without reporting progress." Same SHA, same branch, same code as validation-2 which passed. The toolState.review.id check turns out not to be reliably visible from the run.ts handler in all paths. Better fix: gate on toolState.selectedMode. Review and IncrementalReview modes are designed to never call report_progress (the review is the durable record, and IncrementalReview's non-substantive path produces no artifact at all by design). The harness completion check makes no sense for these modes — skip it entirely. The agent's clean subprocess exit is the completion signal. This also handles edge cases the previous fix missed: IncrementalReview's non-substantive path (no review submitted by design) and any future Review-flow shape that doesn't end at create_pull_request_review. * ci: trigger Test run to validate models-live timeout/concurrency changes * ci: prune passthrough models from live smoke matrix openrouter/* aliases and keyed opencode/* aliases are routing-layer wrappers around models we already smoke-test directly. running every passthrough burns CI minutes (~30 min/run) without catching anything the direct smoke doesn't — slug drift is already covered by the models-catalog job. keep one canary per routing layer (openrouter/claude-sonnet, opencode/claude-sonnet) to validate auth + tool-call translation. free opencode models stay in the matrix since they're unique to the provider. INCLUDE_ALL_PASSTHROUGHS=1 bypasses the prune for full validation. matrix size: 37 → 20 jobs. * fix isRateLimited false-positive on UUIDs/timestamps containing 429 The bare "429" substring pattern was matching MCP session IDs (e.g. `...-4429-...`) and microsecond timestamps in agent stdout, sending transient failures down the 60s rate-limit retry path. With the new 4-minute per-step CI timeout, that backoff plus a slow retry pushed the step past its budget and timed out. Switch to regex patterns and gate the numeric code on `\b429\b` so word boundaries prevent the substring false-match. Verified locally that the UUID `97287d2f-ae1d-4429-8627-73e2454e80ca` and timestamp `02:04:50.9429654` no longer match while real `HTTP 429` / `"status":429` strings still do. --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Colin McDonnell <colinmcd94@gmail.com> Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
944 lines
35 KiB
TypeScript
944 lines
35 KiB
TypeScript
/**
|
||
* OpenCode agent — secure harness around OpenCode CLI.
|
||
*
|
||
* transparently wraps OpenCode with a security layer:
|
||
* - bash: "deny" via OPENCODE_CONFIG_CONTENT (agent cannot shell out)
|
||
* - OPENCODE_PERMISSION: filesystem sandbox — deny all external paths except /tmp
|
||
* - MCP ShellTool provides restricted shell (filtered env, no secrets)
|
||
* - MCP server injected alongside project config (not replacing)
|
||
* - ASKPASS handles git auth separately (token never in subprocess env)
|
||
*
|
||
* the agent process itself gets full env (needs LLM API keys, PATH, etc.).
|
||
* security is enforced at the tool layer, not the process layer.
|
||
*/
|
||
import { execFileSync } from "node:child_process";
|
||
import { mkdirSync } from "node:fs";
|
||
import { join } from "node:path";
|
||
import { performance } from "node:perf_hooks";
|
||
import { pullfrogMcpName } from "../external.ts";
|
||
import { modelAliases } from "../models.ts";
|
||
import { getIdleMs, markActivity } from "../utils/activity.ts";
|
||
import { formatJsonValue, log } from "../utils/cli.ts";
|
||
import { installFromNpmTarball } from "../utils/install.ts";
|
||
import { detectProviderError } from "../utils/providerErrors.ts";
|
||
import { addSkill, installBundledSkills } from "../utils/skills.ts";
|
||
import { SPAWN_ACTIVITY_TIMEOUT_CODE, SpawnTimeoutError, spawn } from "../utils/subprocess.ts";
|
||
import { ThinkingTimer } from "../utils/timer.ts";
|
||
import type { TodoTracker } from "../utils/todoTracking.ts";
|
||
import { getDevDependencyVersion } from "../utils/version.ts";
|
||
import { buildLearningsReflectionPrompt, runPostRunRetryLoop } from "./postRun.ts";
|
||
import { REVIEWER_AGENT_NAME, REVIEWER_SYSTEM_PROMPT } from "./reviewer.ts";
|
||
import { formatWithLabel, ORCHESTRATOR_LABEL, SessionLabeler } from "./sessionLabeler.ts";
|
||
import {
|
||
type AgentResult,
|
||
type AgentRunContext,
|
||
type AgentUsage,
|
||
agent,
|
||
logTokenTable,
|
||
MAX_STDERR_LINES,
|
||
} from "./shared.ts";
|
||
|
||
async function installOpencodeCli(): Promise<string> {
|
||
return await installFromNpmTarball({
|
||
packageName: "opencode-ai",
|
||
version: getDevDependencyVersion("opencode-ai"),
|
||
executablePath: "bin/opencode",
|
||
installDependencies: true,
|
||
});
|
||
}
|
||
|
||
// ── config ─────────────────────────────────────────────────────────────────────
|
||
|
||
type OpenCodeConfig = {
|
||
mcp?: Record<string, unknown>;
|
||
permission?: Record<string, unknown>;
|
||
provider?: Record<string, unknown>;
|
||
agent?: Record<string, unknown>;
|
||
model?: string;
|
||
enabled_providers?: string[];
|
||
[key: string]: unknown;
|
||
};
|
||
|
||
function buildSecurityConfig(ctx: AgentRunContext, model: string | undefined): string {
|
||
const config: OpenCodeConfig = {
|
||
permission: {
|
||
bash: "deny",
|
||
edit: "allow",
|
||
read: "allow",
|
||
webfetch: "allow",
|
||
external_directory: "allow",
|
||
skill: "allow",
|
||
},
|
||
mcp: {
|
||
[pullfrogMcpName]: { type: "remote", url: ctx.mcpServerUrl },
|
||
},
|
||
agent: buildReviewerAgentConfig(),
|
||
};
|
||
|
||
if (model) {
|
||
config.model = model;
|
||
|
||
const slashIndex = model.indexOf("/");
|
||
if (slashIndex > 0) {
|
||
config.enabled_providers = [model.slice(0, slashIndex).toLowerCase()];
|
||
}
|
||
}
|
||
|
||
return JSON.stringify(config);
|
||
}
|
||
|
||
/**
|
||
* Read-only subagent for self-review and /anneal lens dispatch. The
|
||
* non-mutative + non-recursive contract is enforced by the prose system
|
||
* prompt — see action/agents/reviewer.ts for why we no longer wire per-agent
|
||
* tool/permission denies here.
|
||
*/
|
||
function buildReviewerAgentConfig(): Record<string, unknown> {
|
||
return {
|
||
[REVIEWER_AGENT_NAME]: {
|
||
description:
|
||
"Read-only review subagent for self-review and lens-based code review. " +
|
||
"Reads only — no writes, no state-changing shell or MCP calls, no nested subagent dispatch.",
|
||
mode: "subagent",
|
||
prompt: REVIEWER_SYSTEM_PROMPT,
|
||
},
|
||
};
|
||
}
|
||
|
||
// ── model auto-select fallback ──────────────────────────────────────────────────
|
||
//
|
||
// steps 1–2 of model resolution (PULLFROG_MODEL env, slug resolution) are handled
|
||
// by resolveModel() in utils/agent.ts before the agent runs. this fallback only
|
||
// handles step 3: auto-select via `opencode models`.
|
||
|
||
function getOpenCodeModels(cliPath: string): string[] {
|
||
try {
|
||
const output = execFileSync(cliPath, ["models"], {
|
||
encoding: "utf-8",
|
||
timeout: 30_000,
|
||
env: process.env,
|
||
});
|
||
return output
|
||
.split("\n")
|
||
.map((line) => line.trim())
|
||
.filter(Boolean);
|
||
} catch (error) {
|
||
log.debug(
|
||
`» failed to run \`opencode models\`: ${error instanceof Error ? error.message : String(error)}`
|
||
);
|
||
return [];
|
||
}
|
||
}
|
||
|
||
const AUTO_SELECT_WARNING =
|
||
"select a model explicitly in the Pullfrog console (https://pullfrog.com/console) to avoid this.";
|
||
|
||
function autoSelectModel(cliPath: string): string | undefined {
|
||
const availableModels = getOpenCodeModels(cliPath);
|
||
const availableSet = new Set(availableModels);
|
||
if (availableSet.size > 0) {
|
||
log.debug(`» opencode models (${availableSet.size}): ${availableModels.join(", ")}`);
|
||
const match =
|
||
modelAliases.find((a) => a.preferred && availableSet.has(a.resolve)) ??
|
||
modelAliases.find((a) => availableSet.has(a.resolve));
|
||
if (match) {
|
||
log.info(
|
||
`» model: ${match.resolve} (auto-selected${match.preferred ? " — preferred" : ""} curated match)`
|
||
);
|
||
log.warning(`» model auto-selected. ${AUTO_SELECT_WARNING}`);
|
||
return match.resolve;
|
||
}
|
||
log.info(
|
||
`» opencode has ${availableSet.size} models but none match curated aliases — letting OpenCode auto-select`
|
||
);
|
||
}
|
||
|
||
log.warning(`» no model resolved. letting OpenCode auto-select. ${AUTO_SELECT_WARNING}`);
|
||
return undefined;
|
||
}
|
||
|
||
// ── NDJSON event types ─────────────────────────────────────────────────────────
|
||
|
||
interface OpenCodeInitEvent {
|
||
type: "init";
|
||
timestamp?: string;
|
||
session_id?: string;
|
||
model?: string;
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeMessageEvent {
|
||
type: "message";
|
||
timestamp?: string;
|
||
role?: "user" | "assistant";
|
||
content?: string;
|
||
delta?: boolean;
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeTextEvent {
|
||
type: "text";
|
||
timestamp?: string;
|
||
sessionID?: string;
|
||
part?: { id?: string; type?: string; text?: string; [key: string]: unknown };
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeStepStartEvent {
|
||
type: "step_start";
|
||
timestamp?: string;
|
||
sessionID?: string;
|
||
part?: { id?: string; type?: string; [key: string]: unknown };
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeStepFinishEvent {
|
||
type: "step_finish";
|
||
timestamp?: string;
|
||
sessionID?: string;
|
||
part?: {
|
||
id?: string;
|
||
type?: string;
|
||
reason?: string;
|
||
cost?: number;
|
||
tokens?: {
|
||
input?: number;
|
||
output?: number;
|
||
reasoning?: number;
|
||
cache?: { read?: number; write?: number };
|
||
};
|
||
[key: string]: unknown;
|
||
};
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeToolUseEvent {
|
||
type: "tool_use";
|
||
timestamp?: number;
|
||
sessionID?: string;
|
||
part?: {
|
||
id?: string;
|
||
callID?: string;
|
||
tool?: string;
|
||
state?: { status?: string; input?: unknown; output?: string };
|
||
};
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeToolResultEvent {
|
||
type: "tool_result";
|
||
timestamp?: number;
|
||
sessionID?: string;
|
||
part?: { callID?: string; state?: { status?: string; output?: string } };
|
||
tool_id?: string;
|
||
status?: "success" | "error";
|
||
output?: string;
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeResultEvent {
|
||
type: "result";
|
||
timestamp?: string;
|
||
status?: "success" | "error";
|
||
stats?: {
|
||
total_tokens?: number;
|
||
input_tokens?: number;
|
||
output_tokens?: number;
|
||
duration_ms?: number;
|
||
tool_calls?: number;
|
||
};
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
interface OpenCodeErrorEvent {
|
||
type: "error";
|
||
timestamp?: string;
|
||
sessionID?: string;
|
||
error?: { name?: string; message?: string; data?: unknown; [key: string]: unknown };
|
||
[key: string]: unknown;
|
||
}
|
||
|
||
type OpenCodeEvent =
|
||
| OpenCodeInitEvent
|
||
| OpenCodeMessageEvent
|
||
| OpenCodeTextEvent
|
||
| OpenCodeStepStartEvent
|
||
| OpenCodeStepFinishEvent
|
||
| OpenCodeToolUseEvent
|
||
| OpenCodeToolResultEvent
|
||
| OpenCodeResultEvent
|
||
| OpenCodeErrorEvent;
|
||
|
||
// ── runner ──────────────────────────────────────────────────────────────────────
|
||
|
||
type RunParams = {
|
||
label: string;
|
||
cliPath: string;
|
||
args: string[];
|
||
cwd: string;
|
||
env: Record<string, string | undefined>;
|
||
todoTracker?: TodoTracker | undefined;
|
||
onActivityTimeout?: (() => void) | undefined;
|
||
onToolUse?: ((event: { toolName: string; input: unknown }) => void) | undefined;
|
||
};
|
||
|
||
async function runOpenCode(params: RunParams): Promise<AgentResult> {
|
||
const startTime = performance.now();
|
||
let eventCount = 0;
|
||
const thinkingTimer = new ThinkingTimer();
|
||
|
||
let finalOutput = "";
|
||
let accumulatedTokens = { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 };
|
||
// per-step `part.cost` sums across the whole session. sourced from models.dev
|
||
// inside opencode — present for every supported provider (Anthropic, OpenAI,
|
||
// Google, xAI, DeepSeek, Moonshot, OpenRouter sub-providers, etc.).
|
||
let accumulatedCostUsd = 0;
|
||
let tokensLogged = false;
|
||
const toolCallTimings = new Map<string, number>();
|
||
let currentStepId: string | null = null;
|
||
let currentStepType: string | null = null;
|
||
let stepHistory: Array<{ stepId: string; stepType: string; toolCalls: string[] }> = [];
|
||
|
||
// per-session labeler so parallel subagent log lines can be differentiated.
|
||
// the orchestrator's task tool_use events seed the labeler; the next
|
||
// previously-unseen sessionID consumes the head of the pending-label queue.
|
||
// NB: opencode's runtime currently encapsulates subagent execution inside
|
||
// the `task` tool — subagent-internal tool_use/tool_result events do not
|
||
// surface on the parent's NDJSON stream. The labeler is therefore mostly
|
||
// dormant in practice for opencode (no per-event session differentiation
|
||
// is needed because there are no per-subagent events). The orchestrator's
|
||
// `task` dispatch log (with `description: <lens>`) and the per-task
|
||
// duration log below are the actual attribution surface available today.
|
||
// The labeler is kept in place defensively so that if/when opencode begins
|
||
// streaming subagent sessions, attribution flips on with no further work.
|
||
const labeler = new SessionLabeler();
|
||
function eventLabel(event: Record<string, unknown>): string {
|
||
const sid = event.sessionID ?? event.session_id;
|
||
return labeler.labelFor(typeof sid === "string" ? sid : null);
|
||
}
|
||
function withLabel(label: string, message: string): string {
|
||
return label === ORCHESTRATOR_LABEL ? message : formatWithLabel(label, message);
|
||
}
|
||
|
||
// tracks per-task dispatch metadata so the matching tool_result can log a
|
||
// labeled "» subagent finished: lens=X duration=Ys" line. this is the most
|
||
// useful per-lens observability available given that subagent-internal
|
||
// events aren't streamed.
|
||
//
|
||
// matching strategy is hybrid because opencode does NOT reliably emit a
|
||
// tool_result with a callID equal to the originating tool_use.callID for
|
||
// the `task` tool (verified empirically in T3 — 5 task dispatches recorded
|
||
// here, 0 finish lines fired, yet aggregation succeeded so results did
|
||
// arrive on the stream). we keep an exact-match Map for the fast path, and
|
||
// also a FIFO queue for the fallback path where the callID mismatches.
|
||
// the queue + map share entries by reference so popping one removes both.
|
||
interface TaskDispatch {
|
||
label: string;
|
||
startedAt: number;
|
||
toolUseCallID: string;
|
||
}
|
||
const taskDispatchByCallID = new Map<string, TaskDispatch>();
|
||
const pendingTaskDispatches: TaskDispatch[] = [];
|
||
// every non-task tool_use callID we've observed. lets us tell, on a
|
||
// tool_result, whether its callID belongs to a known non-task tool (in
|
||
// which case we never fall back to FIFO) or is unrecognised (in which case
|
||
// a long-output result is a strong "this is probably a task result with a
|
||
// mismatched callID" signal).
|
||
const knownNonTaskCallIDs = new Set<string>();
|
||
|
||
function emitSubagentFinished(
|
||
dispatch: TaskDispatch,
|
||
status: string,
|
||
output: unknown,
|
||
matchKind: "exact" | "fifo"
|
||
) {
|
||
const subagentDuration = performance.now() - dispatch.startedAt;
|
||
const outputStr = typeof output === "string" ? output : "";
|
||
const outputPreview = outputStr.length > 120 ? `${outputStr.slice(0, 120)}…` : outputStr;
|
||
const matchSuffix = matchKind === "fifo" ? " [fifo-matched]" : "";
|
||
log.info(
|
||
`» subagent finished: ${dispatch.label} (${(subagentDuration / 1000).toFixed(1)}s, status=${status})${matchSuffix}` +
|
||
(outputPreview ? ` — ${outputPreview.replace(/\n/g, " ")}` : "")
|
||
);
|
||
taskDispatchByCallID.delete(dispatch.toolUseCallID);
|
||
const idx = pendingTaskDispatches.indexOf(dispatch);
|
||
if (idx >= 0) pendingTaskDispatches.splice(idx, 1);
|
||
}
|
||
|
||
function buildUsage(): AgentUsage | undefined {
|
||
const totalInput =
|
||
accumulatedTokens.input + accumulatedTokens.cacheRead + accumulatedTokens.cacheWrite;
|
||
return totalInput > 0 || accumulatedTokens.output > 0
|
||
? {
|
||
agent: "pullfrog",
|
||
inputTokens: totalInput,
|
||
outputTokens: accumulatedTokens.output,
|
||
cacheReadTokens: accumulatedTokens.cacheRead || undefined,
|
||
cacheWriteTokens: accumulatedTokens.cacheWrite || undefined,
|
||
costUsd: accumulatedCostUsd > 0 ? accumulatedCostUsd : undefined,
|
||
}
|
||
: undefined;
|
||
}
|
||
|
||
const handlers = {
|
||
init: (event: OpenCodeInitEvent) => {
|
||
// bind this sessionID to a label so subsequent events (tool_use,
|
||
// tool_result, text, message) route to the right prefix. for the
|
||
// first session this is "orchestrator"; for subagents it pops from
|
||
// the pending-dispatch queue.
|
||
const label = labeler.labelFor(event.session_id ?? null);
|
||
log.debug(
|
||
withLabel(
|
||
label,
|
||
`» ${params.label} init: session_id=${event.session_id || "unknown"}, model=${event.model || "unknown"}`
|
||
)
|
||
);
|
||
log.debug(withLabel(label, `» ${params.label} init event (full): ${JSON.stringify(event)}`));
|
||
// only reset run-wide state on the orchestrator's init — child sessions
|
||
// emit their own init events and we don't want them to clobber the
|
||
// parent's accumulated counters.
|
||
if (label === ORCHESTRATOR_LABEL) {
|
||
finalOutput = "";
|
||
accumulatedTokens = { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 };
|
||
accumulatedCostUsd = 0;
|
||
tokensLogged = false;
|
||
} else {
|
||
log.info(`» ${params.label} subagent init: ${label} (session ${event.session_id || "?"})`);
|
||
}
|
||
},
|
||
message: (event: OpenCodeMessageEvent) => {
|
||
const label = eventLabel(event);
|
||
if (event.role === "assistant" && event.content?.trim()) {
|
||
const message = event.content.trim();
|
||
if (event.delta) {
|
||
log.debug(
|
||
withLabel(
|
||
label,
|
||
`» ${params.label} thinking: ${message.substring(0, 300)}${message.length > 300 ? "..." : ""}`
|
||
)
|
||
);
|
||
} else {
|
||
log.debug(
|
||
withLabel(
|
||
label,
|
||
`» ${params.label} message (${event.role}): ${message.substring(0, 100)}${message.length > 100 ? "..." : ""}`
|
||
)
|
||
);
|
||
// same reasoning as `text` handler — only orchestrator's non-delta
|
||
// assistant message is the run output; subagent reports stay scoped
|
||
// to the box / debug log.
|
||
if (label === ORCHESTRATOR_LABEL) {
|
||
finalOutput = message;
|
||
}
|
||
}
|
||
} else if (event.role === "user") {
|
||
log.debug(
|
||
withLabel(
|
||
label,
|
||
`» ${params.label} message (${event.role}): ${event.content?.substring(0, 100) || ""}${event.content && event.content.length > 100 ? "..." : ""}`
|
||
)
|
||
);
|
||
}
|
||
},
|
||
text: (event: OpenCodeTextEvent) => {
|
||
if (event.part?.text?.trim()) {
|
||
const message = event.part.text.trim();
|
||
const label = eventLabel(event);
|
||
const boxTitle = label === ORCHESTRATOR_LABEL ? params.label : `${params.label} [${label}]`;
|
||
log.box(message, { title: boxTitle });
|
||
// only the orchestrator's final text is the run's "output" — children
|
||
// emit their own text on report-back, which would clobber the parent's
|
||
// final answer if we accepted any text into finalOutput.
|
||
if (label === ORCHESTRATOR_LABEL) {
|
||
finalOutput = message;
|
||
}
|
||
}
|
||
},
|
||
step_start: (event: OpenCodeStepStartEvent) => {
|
||
const stepType = event.part?.type || "unknown";
|
||
const stepId = event.part?.id || "unknown";
|
||
currentStepId = stepId;
|
||
currentStepType = stepType;
|
||
stepHistory.push({ stepId, stepType, toolCalls: [] });
|
||
},
|
||
step_finish: async (event: OpenCodeStepFinishEvent) => {
|
||
const stepId = event.part?.id || "unknown";
|
||
const eventTokens = event.part?.tokens;
|
||
if (eventTokens) {
|
||
accumulatedTokens.input += eventTokens.input || 0;
|
||
accumulatedTokens.output += eventTokens.output || 0;
|
||
accumulatedTokens.cacheRead += eventTokens.cache?.read || 0;
|
||
accumulatedTokens.cacheWrite += eventTokens.cache?.write || 0;
|
||
}
|
||
// step_finish.part.cost is a per-step delta (not a running total) —
|
||
// OpenCode emits varying per-event values that sum to the session cost.
|
||
// verified empirically across Anthropic, OpenAI, Gemini, xAI, DeepSeek,
|
||
// Moonshot, and OpenRouter (see pullfrog-baseline/opencode-*.log).
|
||
// guard against NaN/Infinity — a single poison value would make the
|
||
// running total un-recoverable for the rest of the session.
|
||
if (typeof event.part?.cost === "number" && Number.isFinite(event.part.cost)) {
|
||
accumulatedCostUsd += event.part.cost;
|
||
}
|
||
if (currentStepId === stepId) {
|
||
currentStepId = null;
|
||
currentStepType = null;
|
||
}
|
||
},
|
||
tool_use: (event: OpenCodeToolUseEvent) => {
|
||
const toolName = event.part?.tool;
|
||
const toolId = event.part?.callID;
|
||
if (!toolName || !toolId) {
|
||
log.info(
|
||
`» tool_use event missing toolName or toolId: ${JSON.stringify(event).substring(0, 500)}`
|
||
);
|
||
return;
|
||
}
|
||
|
||
// when the orchestrator dispatches a subagent via the `task` tool, push
|
||
// a label for the upcoming child session so its events are attributable.
|
||
// record BEFORE label lookup: this event's session is the parent (whose
|
||
// label is already bound); the dispatch label is for the next new
|
||
// sessionID that appears.
|
||
if (toolName === "task") {
|
||
const taskInput = (event.part?.state?.input ?? {}) as {
|
||
description?: string;
|
||
subagent_type?: string;
|
||
prompt?: string;
|
||
};
|
||
const dispatchedLabel = labeler.recordTaskDispatch(taskInput);
|
||
// dual-index by callID (fast path) AND in a FIFO queue (fallback path
|
||
// for when opencode's task tool_result carries a different callID).
|
||
const dispatch: TaskDispatch = {
|
||
label: dispatchedLabel,
|
||
startedAt: performance.now(),
|
||
toolUseCallID: toolId,
|
||
};
|
||
taskDispatchByCallID.set(toolId, dispatch);
|
||
pendingTaskDispatches.push(dispatch);
|
||
log.info(
|
||
`» dispatching subagent: ${dispatchedLabel}` +
|
||
(taskInput.subagent_type ? ` (subagent_type=${taskInput.subagent_type})` : "")
|
||
);
|
||
} else {
|
||
// remember non-task callIDs so a later tool_result with that callID
|
||
// is correctly identified as not-a-task (and we don't FIFO-pop a
|
||
// pending task by mistake).
|
||
knownNonTaskCallIDs.add(toolId);
|
||
}
|
||
|
||
const label = eventLabel(event);
|
||
|
||
if (stepHistory.length > 0) {
|
||
stepHistory[stepHistory.length - 1]!.toolCalls.push(toolName);
|
||
}
|
||
|
||
if (params.onToolUse) {
|
||
params.onToolUse({
|
||
toolName,
|
||
input: event.part?.state?.input,
|
||
});
|
||
}
|
||
|
||
thinkingTimer.markToolCall();
|
||
const inputFormatted = formatJsonValue(event.part?.state?.input || {});
|
||
const toolCallLine =
|
||
inputFormatted !== "{}" ? `» ${toolName}(${inputFormatted})` : `» ${toolName}()`;
|
||
log.info(withLabel(label, toolCallLine));
|
||
|
||
if (event.part?.state?.status === "completed" && event.part.state.output) {
|
||
log.debug(withLabel(label, ` output: ${event.part.state.output}`));
|
||
}
|
||
|
||
// agent's explicit MCP report_progress takes priority over todo tracking
|
||
if (toolName.includes("report_progress") && params.todoTracker) {
|
||
log.debug("» report_progress detected, disabling todo tracking");
|
||
params.todoTracker.cancel();
|
||
}
|
||
|
||
// parse todowrite events for live progress tracking
|
||
if (toolName === "todowrite" && params.todoTracker?.enabled) {
|
||
params.todoTracker.update(event.part?.state?.input);
|
||
}
|
||
},
|
||
tool_result: (event: OpenCodeToolResultEvent) => {
|
||
const toolId = event.part?.callID || event.tool_id;
|
||
const status = event.part?.state?.status || event.status || "unknown";
|
||
const output = event.part?.state?.output || event.output;
|
||
const label = eventLabel(event);
|
||
|
||
thinkingTimer.markToolResult();
|
||
|
||
// surface subagent completion at info level — opencode otherwise hides
|
||
// per-task timing in debug-only logs, so a parallel multi-lens fan-out
|
||
// looks like N dispatches followed by a long quiet gap then a single
|
||
// assistant turn. with this line you can see each lens finishing.
|
||
//
|
||
// matching is hybrid: exact callID first; FIFO fallback when the
|
||
// tool_result's callID is unrecognised. opencode does not consistently
|
||
// surface matching callIDs for the `task` tool, so the FIFO path is the
|
||
// one that fires in practice. we only fall through to FIFO when the
|
||
// callID is brand-new (not in `knownNonTaskCallIDs`) so genuinely
|
||
// non-task tool_results never accidentally pop a pending task.
|
||
if (taskDispatchByCallID.size > 0 || pendingTaskDispatches.length > 0) {
|
||
if (toolId && taskDispatchByCallID.has(toolId)) {
|
||
const dispatch = taskDispatchByCallID.get(toolId);
|
||
if (dispatch) emitSubagentFinished(dispatch, status, output, "exact");
|
||
} else {
|
||
const callIDIsKnownNonTask = toolId ? knownNonTaskCallIDs.has(toolId) : false;
|
||
if (!callIDIsKnownNonTask && pendingTaskDispatches.length > 0) {
|
||
const dispatch = pendingTaskDispatches[0]!;
|
||
emitSubagentFinished(dispatch, status, output, "fifo");
|
||
}
|
||
}
|
||
}
|
||
|
||
if (toolId) {
|
||
const toolStartTime = toolCallTimings.get(toolId);
|
||
if (toolStartTime) {
|
||
const toolDuration = performance.now() - toolStartTime;
|
||
toolCallTimings.delete(toolId);
|
||
const stepContext = currentStepId ? ` (step=${currentStepType || "unknown"})` : "";
|
||
log.debug(
|
||
withLabel(
|
||
label,
|
||
`» ${params.label} tool_result${stepContext}: id=${toolId}, status=${status}, duration=${Math.round(toolDuration)}ms`
|
||
)
|
||
);
|
||
if (output) {
|
||
log.debug(
|
||
withLabel(
|
||
label,
|
||
` output: ${typeof output === "string" ? output : JSON.stringify(output)}`
|
||
)
|
||
);
|
||
}
|
||
if (toolDuration > 5000) {
|
||
log.info(
|
||
withLabel(
|
||
label,
|
||
`» tool call took ${(toolDuration / 1000).toFixed(1)}s - may indicate network latency`
|
||
)
|
||
);
|
||
}
|
||
}
|
||
}
|
||
if (status === "error") {
|
||
const errorMsg = typeof output === "string" ? output : JSON.stringify(output);
|
||
log.info(withLabel(label, `» tool call failed: ${errorMsg}`));
|
||
} else if (output) {
|
||
const outputStr = typeof output === "string" ? output : JSON.stringify(output);
|
||
log.debug(withLabel(label, `tool output: ${outputStr}`));
|
||
}
|
||
},
|
||
result: async (event: OpenCodeResultEvent) => {
|
||
const status = event.status || "unknown";
|
||
const duration = event.stats?.duration_ms || 0;
|
||
const toolCalls = event.stats?.tool_calls || 0;
|
||
log.info(
|
||
`» ${params.label} result: status=${status}, duration=${duration}ms, tool_calls=${toolCalls}`
|
||
);
|
||
|
||
if (event.status === "error") {
|
||
log.info(`» ${params.label} failed: ${JSON.stringify(event)}`);
|
||
} else {
|
||
// the final `result` event only carries input_tokens/output_tokens and
|
||
// no cache breakdown — accumulatedTokens (summed across step_finish
|
||
// events) is strictly more accurate, so we prefer it unconditionally.
|
||
log.info(`» run complete: tool_calls=${toolCalls}, duration=${duration}ms`);
|
||
|
||
if (
|
||
(accumulatedTokens.input > 0 ||
|
||
accumulatedTokens.output > 0 ||
|
||
accumulatedTokens.cacheRead > 0 ||
|
||
accumulatedTokens.cacheWrite > 0) &&
|
||
!tokensLogged
|
||
) {
|
||
logTokenTable({ ...accumulatedTokens, costUsd: accumulatedCostUsd });
|
||
tokensLogged = true;
|
||
}
|
||
}
|
||
},
|
||
};
|
||
|
||
const recentStderr: string[] = [];
|
||
|
||
let lastProviderError: string | null = null;
|
||
|
||
let output = "";
|
||
let stdoutBuffer = "";
|
||
|
||
try {
|
||
const result = await spawn({
|
||
cmd: params.cliPath,
|
||
args: params.args,
|
||
cwd: params.cwd,
|
||
env: params.env,
|
||
activityTimeout: 300_000,
|
||
onActivityTimeout: params.onActivityTimeout,
|
||
stdio: ["ignore", "pipe", "pipe"],
|
||
onStdout: async (chunk) => {
|
||
const text = chunk.toString();
|
||
output += text;
|
||
markActivity();
|
||
|
||
stdoutBuffer += text;
|
||
const lines = stdoutBuffer.split("\n");
|
||
stdoutBuffer = lines.pop() || "";
|
||
|
||
for (const line of lines) {
|
||
const trimmed = line.trim();
|
||
if (!trimmed) continue;
|
||
|
||
let event: OpenCodeEvent;
|
||
try {
|
||
event = JSON.parse(trimmed) as OpenCodeEvent;
|
||
} catch {
|
||
log.debug(`» non-JSON stdout line: ${trimmed.substring(0, 200)}`);
|
||
continue;
|
||
}
|
||
|
||
eventCount++;
|
||
log.debug(JSON.stringify(event, null, 2));
|
||
|
||
const timeSinceLastActivity = getIdleMs();
|
||
if (timeSinceLastActivity > 10000) {
|
||
const activeToolCalls = toolCallTimings.size;
|
||
const toolCallInfo =
|
||
activeToolCalls > 0
|
||
? ` (waiting for ${activeToolCalls} tool call${activeToolCalls > 1 ? "s" : ""})`
|
||
: ` (${params.label} may be processing internally - LLM calls, planning, etc.)`;
|
||
log.info(
|
||
`» no activity for ${(timeSinceLastActivity / 1000).toFixed(1)}s${toolCallInfo} (${eventCount} events processed so far)`
|
||
);
|
||
}
|
||
markActivity();
|
||
|
||
const handler = handlers[event.type as keyof typeof handlers];
|
||
if (!handler) {
|
||
log.info(
|
||
`» ${params.label} event (unhandled): type=${event.type}, data=${JSON.stringify(event).substring(0, 500)}`
|
||
);
|
||
continue;
|
||
}
|
||
try {
|
||
await handler(event as never);
|
||
} catch (err) {
|
||
log.info(
|
||
`» ${params.label} handler for type=${event.type} threw: ${err instanceof Error ? err.message : String(err)}`
|
||
);
|
||
}
|
||
}
|
||
},
|
||
onStderr: (chunk) => {
|
||
const trimmed = chunk.trim();
|
||
if (!trimmed) return;
|
||
|
||
recentStderr.push(trimmed);
|
||
if (recentStderr.length > MAX_STDERR_LINES) recentStderr.shift();
|
||
|
||
const providerError = detectProviderError(trimmed);
|
||
if (providerError) {
|
||
lastProviderError = providerError;
|
||
log.info(`» provider error detected (${providerError}): ${trimmed.substring(0, 500)}`);
|
||
} else {
|
||
log.debug(trimmed);
|
||
}
|
||
},
|
||
});
|
||
|
||
if (result.exitCode === 0) {
|
||
await params.todoTracker?.flush();
|
||
} else {
|
||
params.todoTracker?.cancel();
|
||
}
|
||
|
||
// any pending task dispatches that never got a matching tool_result are
|
||
// surfaced here so the gap is visible rather than silently swallowed.
|
||
// this happens when opencode delivers the subagent's reply through a
|
||
// path other than tool_result (e.g. inlined into the next assistant
|
||
// message). flushing here is best-effort attribution — the durations
|
||
// reported are upper bounds (the subagent could have finished any time
|
||
// between dispatch and run-end), but the labels and ordering are exact.
|
||
//
|
||
// NB: the `result` event handler is dead in opencode (opencode never
|
||
// emits a `result`-typed event), which is why this flush lives here in
|
||
// the post-subprocess block instead.
|
||
if (pendingTaskDispatches.length > 0) {
|
||
for (const dispatch of [...pendingTaskDispatches]) {
|
||
const elapsed = performance.now() - dispatch.startedAt;
|
||
log.info(
|
||
`» subagent finished (inferred at run-end): ${dispatch.label} (≤${(elapsed / 1000).toFixed(1)}s) — no matching tool_result observed; subagent reply likely arrived via assistant message`
|
||
);
|
||
}
|
||
pendingTaskDispatches.length = 0;
|
||
taskDispatchByCallID.clear();
|
||
}
|
||
|
||
const duration = performance.now() - startTime;
|
||
log.info(
|
||
`» ${params.label} completed in ${Math.round(duration)}ms with exit code ${result.exitCode}`
|
||
);
|
||
|
||
if (eventCount === 0) {
|
||
const stderrContext = recentStderr.join("\n");
|
||
const diagnosis = lastProviderError
|
||
? `provider error: ${lastProviderError}`
|
||
: "unknown cause (no stdout events received)";
|
||
log.info(`» ${params.label} produced 0 events (${diagnosis})`);
|
||
if (stderrContext) log.info(`» last stderr output:\n${stderrContext}`);
|
||
}
|
||
|
||
if (
|
||
!tokensLogged &&
|
||
(accumulatedTokens.input > 0 ||
|
||
accumulatedTokens.output > 0 ||
|
||
accumulatedTokens.cacheRead > 0 ||
|
||
accumulatedTokens.cacheWrite > 0)
|
||
) {
|
||
logTokenTable({ ...accumulatedTokens, costUsd: accumulatedCostUsd });
|
||
tokensLogged = true;
|
||
}
|
||
|
||
const usage = buildUsage();
|
||
|
||
if (result.exitCode !== 0) {
|
||
const errorContext = lastProviderError ? ` (${lastProviderError})` : "";
|
||
const errorMessage =
|
||
result.stderr ||
|
||
result.stdout ||
|
||
`unknown error - no output from OpenCode CLI${errorContext}`;
|
||
log.error(
|
||
`${params.label} exited with code ${result.exitCode}${errorContext}: ${errorMessage}`
|
||
);
|
||
log.debug(`stdout: ${result.stdout?.substring(0, 500)}`);
|
||
log.debug(`stderr: ${result.stderr?.substring(0, 500)}`);
|
||
return { success: false, output: finalOutput || output, error: errorMessage, usage };
|
||
}
|
||
|
||
if (eventCount === 0 && lastProviderError) {
|
||
return {
|
||
success: false,
|
||
output: finalOutput || output,
|
||
error: `provider error: ${lastProviderError}`,
|
||
usage,
|
||
};
|
||
}
|
||
|
||
return { success: true, output: finalOutput || output, usage };
|
||
} catch (error) {
|
||
params.todoTracker?.cancel();
|
||
const duration = performance.now() - startTime;
|
||
const errorMessage = error instanceof Error ? error.message : String(error);
|
||
const isActivityTimeout =
|
||
error instanceof SpawnTimeoutError && error.code === SPAWN_ACTIVITY_TIMEOUT_CODE;
|
||
|
||
const stderrContext = recentStderr.slice(-10).join("\n");
|
||
const diagnosis = lastProviderError
|
||
? `likely cause: ${lastProviderError}`
|
||
: eventCount === 0
|
||
? "OpenCode produced 0 stdout events - check if the model provider is reachable"
|
||
: `${eventCount} events were processed before the hang`;
|
||
|
||
log.info(
|
||
`» ${params.label} ${isActivityTimeout ? "hung" : "failed"} after ${(duration / 1000).toFixed(1)}s: ${errorMessage}`
|
||
);
|
||
log.info(`» diagnosis: ${diagnosis}`);
|
||
if (stderrContext)
|
||
log.info(
|
||
`» recent stderr (last ${Math.min(recentStderr.length, 10)} lines):\n${stderrContext}`
|
||
);
|
||
|
||
return {
|
||
success: false,
|
||
output: finalOutput || output,
|
||
error: `${errorMessage} [${diagnosis}]`,
|
||
usage: buildUsage(),
|
||
};
|
||
}
|
||
}
|
||
|
||
// ── agent ───────────────────────────────────────────────────────────────────────
|
||
|
||
export const opencode = agent({
|
||
name: "opencode",
|
||
install: installOpencodeCli,
|
||
run: async (ctx) => {
|
||
const cliPath = await installOpencodeCli();
|
||
|
||
const model = ctx.payload.proxyModel ?? ctx.resolvedModel ?? autoSelectModel(cliPath);
|
||
|
||
const homeEnv = {
|
||
HOME: ctx.tmpdir,
|
||
XDG_CONFIG_HOME: join(ctx.tmpdir, ".config"),
|
||
};
|
||
|
||
mkdirSync(join(homeEnv.XDG_CONFIG_HOME, "opencode"), { recursive: true });
|
||
|
||
const agentBrowserVersion = getDevDependencyVersion("agent-browser");
|
||
addSkill({
|
||
ref: `vercel-labs/agent-browser@v${agentBrowserVersion}`,
|
||
skill: "agent-browser",
|
||
env: homeEnv,
|
||
agent: "opencode",
|
||
});
|
||
|
||
installBundledSkills({ home: homeEnv.HOME });
|
||
|
||
// base args shared between initial run and continue runs
|
||
const baseArgs = ["run", "--format", "json", "--print-logs"];
|
||
|
||
// OPENCODE_PERMISSION has absolute highest precedence (merged after managed/MDM configs).
|
||
// external_directory gates ALL native filesystem tools (Read, Write, Edit, Glob, Grep, etc.)
|
||
// for paths outside the project root. last-match-wins: deny everything, then allow /tmp.
|
||
const permissionOverride = JSON.stringify({
|
||
external_directory: { "*": "deny", "/tmp/*": "allow" },
|
||
});
|
||
|
||
const env: Record<string, string | undefined> = {
|
||
...process.env,
|
||
...homeEnv,
|
||
OPENCODE_CONFIG_CONTENT: buildSecurityConfig(ctx, model),
|
||
OPENCODE_PERMISSION: permissionOverride,
|
||
GOOGLE_GENERATIVE_AI_API_KEY:
|
||
process.env.GOOGLE_GENERATIVE_AI_API_KEY || process.env.GEMINI_API_KEY,
|
||
};
|
||
|
||
const repoDir = process.cwd();
|
||
|
||
log.debug(`» starting Pullfrog (OpenCode): ${cliPath} ${baseArgs.join(" ")}`);
|
||
log.debug(`» working directory: ${repoDir}`);
|
||
|
||
const runParams = {
|
||
label: "Pullfrog",
|
||
cliPath,
|
||
cwd: repoDir,
|
||
env,
|
||
todoTracker: ctx.todoTracker,
|
||
onActivityTimeout: ctx.onActivityTimeout,
|
||
onToolUse: ctx.onToolUse,
|
||
};
|
||
|
||
const result = await runOpenCode({
|
||
...runParams,
|
||
args: [...baseArgs, ctx.instructions.full],
|
||
});
|
||
|
||
// post-run retry loop aggregates usage across the initial run + every
|
||
// resume, so the caller sees the whole session — not just the final
|
||
// slice. opencode always accepts `--continue`, so no canResume guard.
|
||
// the reflection prompt fires once after gates go clean, as a dedicated
|
||
// turn that nudges the agent to persist learnings.
|
||
return runPostRunRetryLoop({
|
||
initialResult: result,
|
||
initialUsage: result.usage,
|
||
stopScript: ctx.stopScript,
|
||
reflectionPrompt: buildLearningsReflectionPrompt("opencode"),
|
||
resume: async (c) =>
|
||
runOpenCode({
|
||
...runParams,
|
||
args: [...baseArgs, "--continue", c.prompt],
|
||
}),
|
||
});
|
||
},
|
||
});
|