// Package opencode implements the opencode (sst/opencode) agent adapter: // launching new TUI sessions, resuming sessions by native id, installing a // workspace-local activity plugin, and reading plugin-derived session info. // // opencode differs from Claude Code and Codex in two ways AO has to bridge: // - It has no native command-hook config (no settings.local.json / hooks.json // equivalent). Its only lifecycle-extensibility surface is a JS/TS plugin // loaded from .opencode/plugins/, so GetAgentHooks installs an AO-owned // plugin file (see hooks.go) instead of merging JSON. // - Its CLI exposes only one approval flag (--dangerously-skip-permissions) // and no system-prompt flag, so the graduated permission modes and the // system prompt are deferred to opencode's own config. // // AO-managed sessions derive native session identity and display metadata from // the opencode plugin's reported events, mirroring the Codex adapter. package opencode import ( "context" "database/sql" "encoding/json" "fmt" "os" "os/exec" "path/filepath" "runtime" "strings" "sync" "time" "github.com/aoagents/agent-orchestrator/backend/internal/adapters" "github.com/aoagents/agent-orchestrator/backend/internal/adapters/agent/agentbase" "github.com/aoagents/agent-orchestrator/backend/internal/adapters/agent/hookutil" "github.com/aoagents/agent-orchestrator/backend/internal/ports" _ "modernc.org/sqlite" // register sqlite driver for opencode session metadata probes ) const ( // adapterID is the registry id and the value users pass to // `ao spawn --agent`. It matches domain.HarnessOpenCode. adapterID = "opencode" // opencodeAgentSessionIDMetadataKey is the session-metadata key the opencode // plugin persists the native session id under. GetRestoreCommand reads it back // to resume an existing session. SessionInfo delegates to // agentbase.StandardSessionInfo which reads ports.MetadataKeyAgentSessionID // (same value), but GetRestoreCommand reads it directly, so the const stays. opencodeAgentSessionIDMetadataKey = "agentSessionId" ) // Plugin is the opencode agent adapter. It is safe for concurrent use; the // binary path is resolved once and cached under binaryMu. type Plugin struct { agentbase.Base binaryMu sync.Mutex resolvedBinary string } // New returns a ready-to-register opencode adapter. func New() *Plugin { return &Plugin{} } var _ adapters.Adapter = (*Plugin)(nil) var _ ports.Agent = (*Plugin)(nil) var _ ports.AgentAuthChecker = (*Plugin)(nil) // Manifest returns the adapter's static self-description. func (p *Plugin) Manifest() adapters.Manifest { return adapters.Manifest{ ID: adapterID, Name: "opencode", Description: "Run opencode worker sessions.", Version: "0.0.1", Capabilities: []adapters.Capability{ adapters.CapabilityAgent, }, } } // GetLaunchCommand builds the argv to start a new interactive opencode session. // Shape: // // opencode [--dangerously-skip-permissions] [--prompt ] // // The session runs in the worktree (cwd is set by the runtime, as for Claude // Code and Codex). opencode has no CLI flag to set a system prompt, so // cfg.SystemPrompt / SystemPromptFile are intentionally ignored here — opencode // resolves instructions from its own config and AGENTS.md rules. The initial // task prompt is delivered via --prompt (its argument, so a leading "-" is not // read as a flag). func (p *Plugin) GetLaunchCommand(ctx context.Context, cfg ports.LaunchConfig) (cmd []string, err error) { binary, err := p.opencodeBinary(ctx) if err != nil { return nil, err } cmd = []string{binary} appendPermissionFlags(&cmd, cfg.Permissions) if cfg.Prompt != "" { cmd = append(cmd, "--prompt", cfg.Prompt) } return cmd, nil } // GetRestoreCommand rebuilds the argv that continues an existing opencode // session: `opencode [--dangerously-skip-permissions] --session `. // It re-applies the permission flag (resume otherwise reverts to the configured // default) but not the prompt, which the session already carries. ok is false // when the plugin-derived native session id has not landed yet, so callers fall // back to fresh launch behavior — mirroring the Codex adapter. func (p *Plugin) GetRestoreCommand(ctx context.Context, cfg ports.RestoreConfig) (cmd []string, ok bool, err error) { if err := ctx.Err(); err != nil { return nil, false, err } agentSessionID := strings.TrimSpace(cfg.Session.Metadata[opencodeAgentSessionIDMetadataKey]) if agentSessionID == "" { return nil, false, nil } binary, err := p.opencodeBinary(ctx) if err != nil { return nil, false, err } cmd = make([]string, 0, 4) cmd = append(cmd, binary) appendPermissionFlags(&cmd, cfg.Permissions) cmd = append(cmd, "--session", agentSessionID) return cmd, true, nil } // SessionInfo surfaces opencode plugin-derived metadata. Metadata is // intentionally nil for opencode: callers get the normalized fields directly, // matching the Codex adapter. func (p *Plugin) SessionInfo(ctx context.Context, session ports.SessionRef) (ports.SessionInfo, bool, error) { if err := ctx.Err(); err != nil { return ports.SessionInfo{}, false, err } info, ok := agentbase.StandardSessionInfo(session) return info, ok, nil } // AuthStatus checks whether opencode has at least one configured provider // credential. func (p *Plugin) AuthStatus(ctx context.Context) (ports.AgentAuthStatus, error) { binary, err := p.opencodeBinary(ctx) if err != nil { return ports.AgentAuthStatusUnknown, err } if status, ok, err := opencodeLocalAuthStatus(ctx); err != nil { return ports.AgentAuthStatusUnknown, err } else if ok { return status, nil } probeCtx, cancel := context.WithTimeout(ctx, 3*time.Second) defer cancel() out, err := exec.CommandContext(probeCtx, binary, "auth", "list").CombinedOutput() if probeCtx.Err() != nil { return ports.AgentAuthStatusUnknown, probeCtx.Err() } text := strings.ToLower(string(out)) if strings.Contains(text, "0 credentials") { return ports.AgentAuthStatusUnauthorized, nil } if strings.Contains(text, "credential") && err == nil { return ports.AgentAuthStatusAuthorized, nil } if err != nil { return ports.AgentAuthStatusUnknown, nil } return ports.AgentAuthStatusUnknown, nil } var opencodeAPIKeyEnvVars = []string{ "OPENCODE_API_KEY", "OPENAI_API_KEY", "ANTHROPIC_API_KEY", "GEMINI_API_KEY", "GOOGLE_API_KEY", "OPENROUTER_API_KEY", "DEEPSEEK_API_KEY", "GROQ_API_KEY", "XAI_API_KEY", "MISTRAL_API_KEY", "COHERE_API_KEY", } func opencodeLocalAuthStatus(ctx context.Context) (ports.AgentAuthStatus, bool, error) { if err := ctx.Err(); err != nil { return ports.AgentAuthStatusUnknown, false, err } for _, name := range opencodeAPIKeyEnvVars { if strings.TrimSpace(os.Getenv(name)) != "" { return ports.AgentAuthStatusAuthorized, true, nil } } dataDir, ok := opencodeDataDir() if !ok { return ports.AgentAuthStatusUnknown, false, nil } jsonStatus, jsonOK, err := opencodeAuthJSONStatus(filepath.Join(dataDir, "auth.json")) if err != nil { return ports.AgentAuthStatusUnknown, false, err } if jsonOK && jsonStatus == ports.AgentAuthStatusAuthorized { return jsonStatus, true, nil } if status, ok, err := opencodeDBAuthStatus(ctx, filepath.Join(dataDir, "opencode.db")); err != nil || ok { return status, ok, err } if jsonOK { return jsonStatus, true, nil } return ports.AgentAuthStatusUnknown, false, nil } func opencodeDataDir() (string, bool) { if dataDir := strings.TrimSpace(os.Getenv("OPENCODE_DATA_DIR")); dataDir != "" { return dataDir, true } if dataHome := strings.TrimSpace(os.Getenv("XDG_DATA_HOME")); dataHome != "" { return filepath.Join(dataHome, "opencode"), true } home, err := os.UserHomeDir() if err != nil || home == "" { return "", false } return filepath.Join(home, ".local", "share", "opencode"), true } func opencodeAuthJSONStatus(path string) (ports.AgentAuthStatus, bool, error) { data, err := os.ReadFile(path) if os.IsNotExist(err) { return ports.AgentAuthStatusUnknown, false, nil } if err != nil { return ports.AgentAuthStatusUnknown, false, err } if strings.TrimSpace(string(data)) == "" { return ports.AgentAuthStatusUnauthorized, true, nil } var entries map[string]json.RawMessage if err := json.Unmarshal(data, &entries); err != nil { return ports.AgentAuthStatusUnknown, false, err } if len(entries) == 0 { return ports.AgentAuthStatusUnauthorized, true, nil } for key, value := range entries { if strings.TrimSpace(key) == "" { continue } trimmed := strings.TrimSpace(string(value)) if trimmed != "" && trimmed != "null" && trimmed != "{}" { return ports.AgentAuthStatusAuthorized, true, nil } } return ports.AgentAuthStatusUnauthorized, true, nil } func opencodeDBAuthStatus(ctx context.Context, path string) (ports.AgentAuthStatus, bool, error) { if err := ctx.Err(); err != nil { return ports.AgentAuthStatusUnknown, false, err } if _, err := os.Stat(path); os.IsNotExist(err) { return ports.AgentAuthStatusUnknown, false, nil } else if err != nil { return ports.AgentAuthStatusUnknown, false, err } db, err := sql.Open("sqlite", "file:"+filepath.ToSlash(path)+"?mode=ro&_pragma=busy_timeout(1000)") if err != nil { return ports.AgentAuthStatusUnknown, false, err } defer func() { _ = db.Close() }() authorized, known, err := opencodeDBHasAuthorizedAccount(ctx, db) if err != nil { return ports.AgentAuthStatusUnknown, false, err } if !known { return ports.AgentAuthStatusUnknown, false, nil } if authorized { return ports.AgentAuthStatusAuthorized, true, nil } return ports.AgentAuthStatusUnauthorized, true, nil } func opencodeDBHasAuthorizedAccount(ctx context.Context, db *sql.DB) (authorized, known bool, err error) { for _, query := range []string{ `SELECT COUNT(*) FROM account_state WHERE active_account_id IS NOT NULL AND trim(active_account_id) != ''`, `SELECT COUNT(*) FROM account WHERE trim(access_token) != ''`, `SELECT COUNT(*) FROM control_account WHERE active = 1 AND trim(access_token) != ''`, } { count, err := opencodeDBCount(ctx, db, query) if err != nil { if strings.Contains(strings.ToLower(err.Error()), "no such table") { continue } return false, false, err } known = true if count > 0 { return true, true, nil } } return false, known, nil } func opencodeDBCount(ctx context.Context, db *sql.DB, query string) (int, error) { var count int if err := db.QueryRowContext(ctx, query).Scan(&count); err != nil { return 0, err } return count, nil } // appendPermissionFlags maps AO's permission modes onto opencode's single // approval flag. opencode exposes only --dangerously-skip-permissions (no // graduated accept-edits/auto modes), so: // - bypass-permissions → --dangerously-skip-permissions // - default / accept-edits / auto → no flag. opencode resolves approvals from // its own `permission` config exactly as a normal launch. func appendPermissionFlags(cmd *[]string, permissions ports.PermissionMode) { if ports.NormalizePermissionMode(permissions) == ports.PermissionModeBypassPermissions { *cmd = append(*cmd, "--dangerously-skip-permissions") } } // ResolveOpenCodeBinary returns the path to the opencode binary on this machine, // searching PATH then a handful of well-known install locations (the install // script's ~/.opencode/bin, Homebrew, npm global). func ResolveOpenCodeBinary(ctx context.Context) (string, error) { if err := ctx.Err(); err != nil { return "", err } if runtime.GOOS == "windows" { for _, name := range []string{"opencode.cmd", "opencode.exe", "opencode"} { if path, err := exec.LookPath(name); err == nil && path != "" { return path, nil } } candidates := []string{} if appData := os.Getenv("APPDATA"); appData != "" { candidates = append(candidates, filepath.Join(appData, "npm", "opencode.cmd"), filepath.Join(appData, "npm", "opencode.exe"), ) } for _, candidate := range candidates { if hookutil.FileExists(candidate) { return candidate, nil } } return "", fmt.Errorf("opencode: %w", ports.ErrAgentBinaryNotFound) } if path, err := exec.LookPath("opencode"); err == nil && path != "" { return path, nil } candidates := []string{ "/usr/local/bin/opencode", "/opt/homebrew/bin/opencode", } if home, err := os.UserHomeDir(); err == nil { candidates = append(candidates, filepath.Join(home, ".opencode", "bin", "opencode"), filepath.Join(home, ".npm", "bin", "opencode"), ) } for _, candidate := range candidates { if hookutil.FileExists(candidate) { return candidate, nil } if err := ctx.Err(); err != nil { return "", err } } return "", fmt.Errorf("opencode: %w", ports.ErrAgentBinaryNotFound) } func (p *Plugin) opencodeBinary(ctx context.Context) (string, error) { p.binaryMu.Lock() defer p.binaryMu.Unlock() if p.resolvedBinary != "" { return p.resolvedBinary, nil } binary, err := ResolveOpenCodeBinary(ctx) if err != nil { return "", err } p.resolvedBinary = binary return binary, nil }