// Package opencode implements the opencode (sst/opencode) agent adapter: // launching new TUI sessions, resuming sessions by native id, installing a // workspace-local activity plugin, and reading plugin-derived session info. // // opencode differs from Claude Code and Codex in two ways AO has to bridge: // - It has no native command-hook config (no settings.local.json / hooks.json // equivalent). Its only lifecycle-extensibility surface is a JS/TS plugin // loaded from .opencode/plugins/, so GetAgentHooks installs an AO-owned // plugin file (see hooks.go) instead of merging JSON. // - Its CLI exposes only one approval flag (--dangerously-skip-permissions) // and no system-prompt flag, so AO injects standing instructions by writing // an AO-owned per-session config and selecting the generated agent. // // AO-managed sessions derive native session identity and display metadata from // the opencode plugin's reported events, mirroring the Codex adapter. package opencode import ( "context" "database/sql" "encoding/json" "fmt" "os" "os/exec" "path/filepath" "runtime" "strings" "sync" "time" "github.com/aoagents/agent-orchestrator/backend/internal/adapters" "github.com/aoagents/agent-orchestrator/backend/internal/adapters/agent/agentbase" "github.com/aoagents/agent-orchestrator/backend/internal/adapters/agent/hookutil" "github.com/aoagents/agent-orchestrator/backend/internal/ports" _ "modernc.org/sqlite" // register sqlite driver for opencode session metadata probes ) const ( // adapterID is the registry id and the value users pass to // `ao spawn --agent`. It matches domain.HarnessOpenCode. adapterID = "opencode" // opencodeAgentSessionIDMetadataKey is the session-metadata key the opencode // plugin persists the native session id under. GetRestoreCommand reads it back // to resume an existing session. SessionInfo delegates to // agentbase.StandardSessionInfo which reads ports.MetadataKeyAgentSessionID // (same value), but GetRestoreCommand reads it directly, so the const stays. opencodeAgentSessionIDMetadataKey = "agentSessionId" ) // Plugin is the opencode agent adapter. It is safe for concurrent use; the // binary path is resolved once and cached under binaryMu. type Plugin struct { agentbase.Base binaryMu sync.Mutex resolvedBinary string } // New returns a ready-to-register opencode adapter. func New() *Plugin { return &Plugin{} } var _ adapters.Adapter = (*Plugin)(nil) var _ ports.Agent = (*Plugin)(nil) var _ ports.AgentAuthChecker = (*Plugin)(nil) // Manifest returns the adapter's static self-description. func (p *Plugin) Manifest() adapters.Manifest { return adapters.Manifest{ ID: adapterID, Name: "opencode", Description: "Run opencode worker sessions.", Version: "0.0.1", Capabilities: []adapters.Capability{ adapters.CapabilityAgent, }, } } // GetLaunchCommand builds the argv to start a new interactive opencode session. // Shape: // // [env OPENCODE_CONFIG=] opencode [--dangerously-skip-permissions] [--agent ] [--prompt ] // // The session runs in the worktree (cwd is set by the runtime, as for Claude // Code and Codex). opencode has no CLI flag to set a system prompt, so AO writes // an opencode config into the AO prompt artifact directory, points OPENCODE_CONFIG // at it, and selects the generated agent with --agent. The initial task prompt // is delivered via --prompt (its argument, so a leading "-" is not read as a flag). func (p *Plugin) GetLaunchCommand(ctx context.Context, cfg ports.LaunchConfig) (cmd []string, err error) { binary, err := p.opencodeBinary(ctx) if err != nil { return nil, err } envPrefix, agentName, err := opencodeConfigEnvPrefix(cfg.SystemPrompt, cfg.SystemPromptFile, cfg.SessionID) if err != nil { return nil, err } cmd = envPrefix cmd = append(cmd, binary) appendPermissionFlags(&cmd, cfg.Permissions) if agentName != "" { cmd = append(cmd, "--agent", agentName) } if cfg.Prompt != "" { cmd = append(cmd, "--prompt", cfg.Prompt) } return cmd, nil } // GetRestoreCommand rebuilds the argv that continues an existing opencode // session: `[env OPENCODE_CONFIG=] opencode [--dangerously-skip-permissions] [--agent ] --session `. // It re-applies the permission flag and the generated AO agent config (resume // otherwise reverts to configured defaults). ok is false when the plugin-derived // native session id has not landed yet, so callers fall back to fresh launch // behavior — mirroring the Codex adapter. func (p *Plugin) GetRestoreCommand(ctx context.Context, cfg ports.RestoreConfig) (cmd []string, ok bool, err error) { if err := ctx.Err(); err != nil { return nil, false, err } agentSessionID := strings.TrimSpace(cfg.Session.Metadata[opencodeAgentSessionIDMetadataKey]) if agentSessionID == "" { return nil, false, nil } binary, err := p.opencodeBinary(ctx) if err != nil { return nil, false, err } envPrefix, agentName, err := opencodeConfigEnvPrefix(cfg.SystemPrompt, cfg.SystemPromptFile, cfg.Session.ID) if err != nil { return nil, false, err } cmd = envPrefix cmd = append(cmd, binary) appendPermissionFlags(&cmd, cfg.Permissions) if agentName != "" { cmd = append(cmd, "--agent", agentName) } cmd = append(cmd, "--session", agentSessionID) return cmd, true, nil } // SessionInfo surfaces opencode plugin-derived metadata. Metadata is // intentionally nil for opencode: callers get the normalized fields directly, // matching the Codex adapter. func (p *Plugin) SessionInfo(ctx context.Context, session ports.SessionRef) (ports.SessionInfo, bool, error) { if err := ctx.Err(); err != nil { return ports.SessionInfo{}, false, err } info, ok := agentbase.StandardSessionInfo(session) return info, ok, nil } // AuthStatus checks whether opencode has at least one configured provider // credential. func (p *Plugin) AuthStatus(ctx context.Context) (ports.AgentAuthStatus, error) { binary, err := p.opencodeBinary(ctx) if err != nil { return ports.AgentAuthStatusUnknown, err } if status, ok, err := opencodeLocalAuthStatus(ctx); err != nil { return ports.AgentAuthStatusUnknown, err } else if ok { return status, nil } probeCtx, cancel := context.WithTimeout(ctx, 3*time.Second) defer cancel() out, err := exec.CommandContext(probeCtx, binary, "auth", "list").CombinedOutput() if probeCtx.Err() != nil { return ports.AgentAuthStatusUnknown, probeCtx.Err() } text := strings.ToLower(string(out)) if strings.Contains(text, "0 credentials") { return ports.AgentAuthStatusUnauthorized, nil } if strings.Contains(text, "credential") && err == nil { return ports.AgentAuthStatusAuthorized, nil } if err != nil { return ports.AgentAuthStatusUnknown, nil } return ports.AgentAuthStatusUnknown, nil } var opencodeAPIKeyEnvVars = []string{ "OPENCODE_API_KEY", "OPENAI_API_KEY", "ANTHROPIC_API_KEY", "GEMINI_API_KEY", "GOOGLE_API_KEY", "OPENROUTER_API_KEY", "DEEPSEEK_API_KEY", "GROQ_API_KEY", "XAI_API_KEY", "MISTRAL_API_KEY", "COHERE_API_KEY", } func opencodeLocalAuthStatus(ctx context.Context) (ports.AgentAuthStatus, bool, error) { if err := ctx.Err(); err != nil { return ports.AgentAuthStatusUnknown, false, err } for _, name := range opencodeAPIKeyEnvVars { if strings.TrimSpace(os.Getenv(name)) != "" { return ports.AgentAuthStatusAuthorized, true, nil } } dataDir, ok := opencodeDataDir() if !ok { return ports.AgentAuthStatusUnknown, false, nil } jsonStatus, jsonOK, err := opencodeAuthJSONStatus(filepath.Join(dataDir, "auth.json")) if err != nil { return ports.AgentAuthStatusUnknown, false, err } if jsonOK && jsonStatus == ports.AgentAuthStatusAuthorized { return jsonStatus, true, nil } if status, ok, err := opencodeDBAuthStatus(ctx, filepath.Join(dataDir, "opencode.db")); err != nil || ok { return status, ok, err } if jsonOK { return jsonStatus, true, nil } return ports.AgentAuthStatusUnknown, false, nil } func opencodeDataDir() (string, bool) { if dataDir := strings.TrimSpace(os.Getenv("OPENCODE_DATA_DIR")); dataDir != "" { return dataDir, true } if dataHome := strings.TrimSpace(os.Getenv("XDG_DATA_HOME")); dataHome != "" { return filepath.Join(dataHome, "opencode"), true } home, err := os.UserHomeDir() if err != nil || home == "" { return "", false } return filepath.Join(home, ".local", "share", "opencode"), true } func opencodeAuthJSONStatus(path string) (ports.AgentAuthStatus, bool, error) { data, err := os.ReadFile(path) if os.IsNotExist(err) { return ports.AgentAuthStatusUnknown, false, nil } if err != nil { return ports.AgentAuthStatusUnknown, false, err } if strings.TrimSpace(string(data)) == "" { return ports.AgentAuthStatusUnauthorized, true, nil } var entries map[string]json.RawMessage if err := json.Unmarshal(data, &entries); err != nil { return ports.AgentAuthStatusUnknown, false, err } if len(entries) == 0 { return ports.AgentAuthStatusUnauthorized, true, nil } for key, value := range entries { if strings.TrimSpace(key) == "" { continue } trimmed := strings.TrimSpace(string(value)) if trimmed != "" && trimmed != "null" && trimmed != "{}" { return ports.AgentAuthStatusAuthorized, true, nil } } return ports.AgentAuthStatusUnauthorized, true, nil } func opencodeDBAuthStatus(ctx context.Context, path string) (ports.AgentAuthStatus, bool, error) { if err := ctx.Err(); err != nil { return ports.AgentAuthStatusUnknown, false, err } if _, err := os.Stat(path); os.IsNotExist(err) { return ports.AgentAuthStatusUnknown, false, nil } else if err != nil { return ports.AgentAuthStatusUnknown, false, err } db, err := sql.Open("sqlite", "file:"+filepath.ToSlash(path)+"?mode=ro&_pragma=busy_timeout(1000)") if err != nil { return ports.AgentAuthStatusUnknown, false, err } defer func() { _ = db.Close() }() authorized, known, err := opencodeDBHasAuthorizedAccount(ctx, db) if err != nil { return ports.AgentAuthStatusUnknown, false, err } if !known { return ports.AgentAuthStatusUnknown, false, nil } if authorized { return ports.AgentAuthStatusAuthorized, true, nil } return ports.AgentAuthStatusUnauthorized, true, nil } func opencodeDBHasAuthorizedAccount(ctx context.Context, db *sql.DB) (authorized, known bool, err error) { for _, query := range []string{ `SELECT COUNT(*) FROM account_state WHERE active_account_id IS NOT NULL AND trim(active_account_id) != ''`, `SELECT COUNT(*) FROM account WHERE trim(access_token) != ''`, `SELECT COUNT(*) FROM control_account WHERE active = 1 AND trim(access_token) != ''`, } { count, err := opencodeDBCount(ctx, db, query) if err != nil { if strings.Contains(strings.ToLower(err.Error()), "no such table") { continue } return false, false, err } known = true if count > 0 { return true, true, nil } } return false, known, nil } func opencodeDBCount(ctx context.Context, db *sql.DB, query string) (int, error) { var count int if err := db.QueryRowContext(ctx, query).Scan(&count); err != nil { return 0, err } return count, nil } // appendPermissionFlags maps AO's permission modes onto opencode's single // approval flag. opencode exposes only --dangerously-skip-permissions (no // graduated accept-edits/auto modes), so: // - bypass-permissions → --dangerously-skip-permissions // - default / accept-edits / auto → no flag. opencode resolves approvals from // its own `permission` config exactly as a normal launch. func appendPermissionFlags(cmd *[]string, permissions ports.PermissionMode) { if ports.NormalizePermissionMode(permissions) == ports.PermissionModeBypassPermissions { *cmd = append(*cmd, "--dangerously-skip-permissions") } } const opencodeConfigEnvVar = "OPENCODE_CONFIG" type opencodeInlineConfig struct { Schema string `json:"$schema,omitempty"` Agent map[string]opencodeAgentSettings `json:"agent,omitempty"` } type opencodeAgentSettings struct { Mode string `json:"mode,omitempty"` Prompt string `json:"prompt,omitempty"` } func opencodeConfigEnvPrefix(inlinePrompt, promptFile, sessionID string) ([]string, string, error) { if inlinePrompt == "" && promptFile == "" { return nil, "", nil } if promptFile == "" { return nil, "", fmt.Errorf("opencode: system prompt file required to build agent config") } agentName := opencodeAOAgentName(sessionID) prompt := inlinePrompt if prompt == "" { prompt = "{file:./" + filepath.Base(promptFile) + "}" } dir := filepath.Dir(promptFile) configPath := filepath.Join(dir, "opencode.json") config := opencodeInlineConfig{ Schema: "https://opencode.ai/config.json", Agent: map[string]opencodeAgentSettings{ agentName: { Mode: "primary", Prompt: prompt, }, }, } data, err := json.MarshalIndent(config, "", " ") if err != nil { return nil, "", err } data = append(data, '\n') if err := os.MkdirAll(dir, 0o700); err != nil { return nil, "", fmt.Errorf("opencode: create prompt config dir: %w", err) } if err := hookutil.AtomicWriteFile(configPath, data, 0o600); err != nil { return nil, "", fmt.Errorf("opencode: write prompt config: %w", err) } return []string{"env", opencodeConfigEnvVar + "=" + configPath}, agentName, nil } func opencodeAOAgentName(sessionID string) string { const fallback = "ao-system-prompt" trimmed := strings.TrimSpace(sessionID) if trimmed == "" { return fallback } var b strings.Builder for _, r := range trimmed { switch { case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_': b.WriteRune(r) default: b.WriteByte('-') } } name := strings.Trim(b.String(), "-_") if name == "" { return fallback } return "ao-" + name } // ResolveOpenCodeBinary returns the path to the opencode binary on this machine, // searching PATH then a handful of well-known install locations (the install // script's ~/.opencode/bin, Homebrew, npm global). func ResolveOpenCodeBinary(ctx context.Context) (string, error) { if err := ctx.Err(); err != nil { return "", err } if runtime.GOOS == "windows" { for _, name := range []string{"opencode.cmd", "opencode.exe", "opencode"} { if path, err := exec.LookPath(name); err == nil && path != "" { return path, nil } } candidates := []string{} if appData := os.Getenv("APPDATA"); appData != "" { candidates = append(candidates, filepath.Join(appData, "npm", "opencode.cmd"), filepath.Join(appData, "npm", "opencode.exe"), ) } for _, candidate := range candidates { if hookutil.FileExists(candidate) { return candidate, nil } } return "", fmt.Errorf("opencode: %w", ports.ErrAgentBinaryNotFound) } if path, err := exec.LookPath("opencode"); err == nil && path != "" { return path, nil } candidates := []string{ "/usr/local/bin/opencode", "/opt/homebrew/bin/opencode", } if home, err := os.UserHomeDir(); err == nil { candidates = append(candidates, filepath.Join(home, ".opencode", "bin", "opencode"), filepath.Join(home, ".npm", "bin", "opencode"), ) } for _, candidate := range candidates { if hookutil.FileExists(candidate) { return candidate, nil } if err := ctx.Err(); err != nil { return "", err } } return "", fmt.Errorf("opencode: %w", ports.ErrAgentBinaryNotFound) } func (p *Plugin) opencodeBinary(ctx context.Context) (string, error) { p.binaryMu.Lock() defer p.binaryMu.Unlock() if p.resolvedBinary != "" { return p.resolvedBinary, nil } binary, err := ResolveOpenCodeBinary(ctx) if err != nil { return "", err } p.resolvedBinary = binary return binary, nil }