Skip to content

feat: Add Opencode Plugin#21

Merged
TommYDeeee merged 10 commits intoavast:mainfrom
FeiyouG:main
Mar 3, 2026
Merged

feat: Add Opencode Plugin#21
TommYDeeee merged 10 commits intoavast:mainfrom
FeiyouG:main

Conversation

@FeiyouG
Copy link
Contributor

@FeiyouG FeiyouG commented Feb 26, 2026

Summary

  • Integrates Sage guardrails into OpenCode tool calls via a new OpenCode plugin.
  • Aligns verdict handling with existing hooks: tool.execute.before and experimental.text.complete.
  • Adds OpenCode tools: sage_approve, sage_allowlist_add, and sage_allowlist_remove.

Tests

@FeiyouG
feat: Create Opencode plugin
a7ce4fd 
- Create opencode plugin for
  - Plugin scans on session starts
  - Tool evaluation on tool.execute.before
  - Temporarily allow tool execution via sage_approve
  - Permanently allow tool execution via sage_allowlist_add
- Create unit, integration, and e2e tests
@FeiyouG
fix(opencode): insert plugin scan result at text.complete
9dccfb6 
- insert plugin scan result at text.complete
- update walkPluginFiles to also handle the case when installPath is a
  file
@FeiyouG
update(d0c): Update instructions for install Opencode Plugin
05cf22f 
- Update instructions for install Opencode Plugin
- fix linting issues
@FeiyouG
Merge remote-tracking branch 'upstream/main'
a5070c5
@FeiyouG FeiyouG mentioned this pull request Feb 26, 2026
Open
TommYDeeee
TommYDeeee requested changes Feb 26, 2026
View reviewed changes
Copy link
Collaborator

@TommYDeeee TommYDeeee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this PR, really appreciate it! I have left few notes bellow. Once it is sorted it looks good!

Regarding the:

  • Added E2E tests for the plugin, but they currently cannot pass due to an unaddressed upstream OpenCode bug

Do you expect this to be resolved and addressed in other PR (or here?) once it can be? For now those tests probably can be marked to be skipped.

@FeiyouG
Copy link
Contributor Author

FeiyouG commented Feb 27, 2026

Thanks, @TommYDeeee. I’ve addressed all of the review comments.

I also found a workaround for the --command flag issue in OpenCode, and the E2E tests are now passing locally on my machine.

Please let me know if you have any further comments or suggestions.

@TommYDeeee TommYDeeee self-requested a review February 27, 2026 17:42
TommYDeeee
TommYDeeee previously approved these changes Feb 27, 2026
View reviewed changes
Copy link
Collaborator

@TommYDeeee TommYDeeee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks, now just the small typo (nitpick) and it can be merged.

@FeiyouG
Copy link
Contributor Author

FeiyouG commented Feb 27, 2026

Oh right my bad. It is now fixed.

@TommYDeeee TommYDeeee self-requested a review February 28, 2026 12:40
TommYDeeee
TommYDeeee previously approved these changes Feb 28, 2026
View reviewed changes
vaclavbelak
vaclavbelak requested changes Mar 2, 2026
View reviewed changes
Copy link
Collaborator

@vaclavbelak vaclavbelak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for your contribution! I have to ask you to address a few issues, two of which are major.

Major:

  • fragile handling of Sage's verdict via try/catch could lead to a security hole if the message changes
  • sage_approve is inferior to a proper ask which seems to be supported by OpenCode

Minor:

  • closing tag in the prompt/instructions

@FeiyouG
refactor(opencode): throw SageVerdictError for deny and ask verdict
4abdc08 
- Fix cache dir resolution on plugin-scan
- Refactor E2E test structure to parse opencode output as JSON
vaclavbelak
vaclavbelak previously approved these changes Mar 3, 2026
View reviewed changes
Copy link
Collaborator

@vaclavbelak vaclavbelak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thank you

@TommYDeeee TommYDeeee self-requested a review March 3, 2026 09:46
@TommYDeeee TommYDeeee merged commit ca03c44 into avast:main Mar 3, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TommYDeeee TommYDeeee TommYDeeee approved these changes

@vaclavbelak vaclavbelak vaclavbelak left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@FeiyouG @vaclavbelak @TommYDeeee