Initial public commit

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bb-connor

.github/workflows/ci.yml

@@ -0,0 +1,93 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout plugin
+        uses: actions/checkout@v4
+        with:
+          path: chio-open-code-plugin
+
+      - name: Checkout chio-bridge
+        uses: actions/checkout@v4
+        with:
+          repository: owner/chio-bridge
+          path: chio-bridge
+          ref: main
+
+      - name: Checkout chio-test-harness
+        uses: actions/checkout@v4
+        with:
+          repository: owner/chio-test-harness
+          path: chio-test-harness
+          ref: main
+
+      - name: Checkout arc (chio source)
+        uses: actions/checkout@v4
+        with:
+          repository: owner/arc
+          path: arc
+          ref: main
+
+      - name: Setup chio
+        uses: owner/chio-ci-actions/setup-chio@v0.1.0
+        with:
+          mode: build
+          arc-path: arc
+
+      - name: Build chio-bridge
+        working-directory: chio-bridge
+        run: |
+          bun install --frozen-lockfile
+          bun run build
+
+      - name: Install plugin deps
+        working-directory: chio-open-code-plugin
+        run: bun install --frozen-lockfile
+
+      - name: Typecheck
+        working-directory: chio-open-code-plugin
+        run: bun run typecheck || echo "typecheck non-blocking in Wave 5.1"
+
+      - name: Build plugin
+        working-directory: chio-open-code-plugin
+        run: bun run build
+
+      - name: Unit tests
+        working-directory: chio-open-code-plugin
+        run: bun run test
+
+      - name: Install hello-mcp deps (for harness)
+        working-directory: chio-test-harness/hello-mcp
+        run: bun install --frozen-lockfile
+
+      - name: Smoke (direct-plugin-invocation mode — no host required)
+        working-directory: chio-open-code-plugin
+        env:
+          CHIO_SMOKE_HARNESS_SRC: ${{ github.workspace }}/chio-test-harness
+        run: |
+          if [[ -x ./smoke.sh ]]; then
+            ./smoke.sh || {
+              code=$?
+              echo "::warning::smoke.sh exited ${code} (direct-invocation smoke is WIP in CI)"
+              exit 0
+            }
+          else
+            echo "no smoke.sh"
+          fi
+
+      - name: Upload smoke results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: smoke-results
+          path: chio-open-code-plugin/smoke-results
+          if-no-files-found: ignore

.github/workflows/release.yml

@@ -0,0 +1,71 @@
+name: release
+
+# SLSA L3 + Sigstore provenance + reproducible build for @chio/opencode-plugin.
+#
+# Secrets referenced:
+#   NPM_TOKEN  — npm publish auth (skip if using npm Trusted Publishers).
+#
+# Placeholders:
+#   owner/chio-ci-actions — swap to your GH org before pushing.
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        required: false
+        default: "v0.0.0-dev"
+      dry-run:
+        required: false
+        default: "true"
+
+permissions:
+  contents: read
+  id-token: write
+  attestations: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      artifact-name: ${{ steps.hash.outputs.artifact-name }}
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build + pack + publish
+        id: publish
+        uses: owner/chio-ci-actions/publish-chio@v0.1.0
+        with:
+          artifact-type: npm
+          package-name: "@chio/opencode-plugin"
+          tag: ${{ github.event.inputs.tag || github.ref_name }}
+          dry-run: ${{ github.event.inputs.dry-run || 'false' }}
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Compute subjects
+        id: hash
+        run: |
+          set -euo pipefail
+          name="$(basename "${{ steps.publish.outputs.artifact-path }}")"
+          sha="${{ steps.publish.outputs.artifact-sha256 }}"
+          echo "hashes=$(printf '%s  %s\n' "$sha" "$name" | base64 -w0)" >> "$GITHUB_OUTPUT"
+          echo "artifact-name=$name" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [build]
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: ${{ needs.build.outputs.hashes }}
+      upload-assets: true
+      provenance-name: "${{ needs.build.outputs.artifact-name }}.intoto.jsonl"

.gitignore

@@ -0,0 +1,16 @@
+node_modules/
+dist/
+*.tsbuildinfo
+.DS_Store
+*.log
+.env
+.env.*
+!.env.example
+
+# Scaffold outputs during local testing
+/playground/
+/receipts.db
+/receipts.db-*
+
+# Smoke test artifacts
+/smoke-results/

COMMITS.md

@@ -0,0 +1,120 @@
+# COMMITS.md — chio-open-code-plugin
+
+Native OpenCode plugin (`@<NPM_SCOPE>/opencode-plugin`). Scaffolds,
+wraps, and ships bonded agents without leaving the TUI. OpenCode's
+plugin API has no slash-command surface — commands surface as
+first-class custom tools. Target first ship tag: `v0.2.0`.
+
+---
+
+## 1. chore: scaffold OpenCode plugin package
+
+**Body.** `package.json` (`@chio/opencode-plugin`, exports the
+`ChioPlugin` default), `tsconfig.json`, `LICENSE`, `.gitignore`,
+`bun.lock`. Depends on `@chio/bridge` via workspace and
+`@opencode-ai/plugin` as the plugin API peer. Wave 1.
+
+**Files.**
+
+- `package.json`, `bun.lock`
+- `tsconfig.json`
+- `LICENSE`, `.gitignore`
+
+---
+
+## 2. feat: eight custom tools backed by ChioBridge
+
+**Body.** Exposes eight `chio_*` tools via the OpenCode custom-tool
+API: `chio_init`, `chio_wrap` (wraps an MCP server via
+`chio mcp serve-http -- <cmd>`), `chio_guard_add`, `chio_policy_lint`,
+`chio_replay`, `chio_deploy`, `chio_doctor`, `chio_status`. Each
+maps to a real `ChioBridge` call or a real `chio` subprocess.
+`tool.execute.before` intercepts every tool invocation and calls
+`ChioBridge.check` — deny stamps args + surfaces through
+`tool.execute.after`. Bond status is prefixed into every mediated
+tool result's `title` (OpenCode's plugin API exposes no status-bar
+primitive). Wave 1 rewrite against the host schema.
+
+**Files.**
+
+- `src/index.ts` — plugin entry + lifecycle hooks.
+- `src/tools/*.ts` — one file per custom tool.
+- `src/hooks/*.ts` — `tool.execute.before`, `tool.execute.after`,
+  `session.autobond`.
+- `src/lib/*.ts` — bridge construction, status-line renderer,
+  receipts.db helper.
+- `templates/` — six preset policies (`tool-agent`, `code-agent`,
+  `research-agent`, `support-agent`, `trader`, `release-engineer`).
+
+---
+
+## 3. test: unit coverage and chio-backed smoke
+
+**Body.** Unit tests cover each tool's argument parsing, the
+`tool.execute.before` fail-closed path, status-line rendering, and
+preset-policy HushSpec parse. `smoke.sh` registers the plugin with
+a local `opencode.json`, bonds a session, drives `chio_init` →
+`chio_wrap` → `chio_replay` end-to-end against `chio-test-harness`.
+Wave 1 + ST.2.x.
+
+**Files.**
+
+- `test/*.test.ts`
+- `smoke/` — manual smoke fixtures.
+- `smoke.sh`
+- `SMOKE.md`
+
+---
+
+## 4. feat: chio rename, CHIO_MODE env, extensions.chio presets
+
+**Body.** Imports + bridge construction switch to `ChioBridge` /
+`ChioClient`. Env var ladder `CHIO_MODE=daemon|cli` +
+`CHIO_MCP_EDGE_URL` + `CHIO_TRUST_URL` + `CHIO_TRUST_TOKEN`.
+Preset policies move `velocity`, `human_in_loop`, `market_hours`,
+`signing`, `k8s_namespaces`, `rollback`, `capability`, `budget`
+under `extensions.chio.*` until upstream chio accepts them as
+first-class rule keys (see `ARC_UPSTREAM_PROPOSAL.md`). Wave 5.0.
+
+**Files.**
+
+- `src/index.ts`, `src/lib/*.ts` — bridge construction rename.
+- `templates/*.yaml` — preset migration.
+
+---
+
+## 5. ci: lint, typecheck, and chio-backed smoke
+
+**Body.** GitHub Actions workflow parallel to the other plugins'
+ci.yml. Wave 5.1.
+
+**Files.**
+
+- `.github/workflows/ci.yml`
+
+---
+
+## 6. ci: add SLSA L3 release workflow
+
+**Body.** Tag-triggered `npm publish --provenance` to
+`@<NPM_SCOPE>/opencode-plugin` with SLSA L3 attestation via the
+`publish-chio` composite. Wave 5.5.
+
+**Files.**
+
+- `.github/workflows/release.yml`
+
+---
+
+## 7. docs: README with plugin contract, custom-tool table, preset map
+
+**Body.** Documents the install flow (`cargo install --path
+crates/chio-cli` or `brew install chio-protocol/tap/chio` once the
+tap ships), the custom-tool table, the six presets, the status-line
+convention, and the real `Plugin` contract against
+`@opencode-ai/plugin@1.14.19`. Wave 5.2.
+
+**Files.**
+
+- `README.md`
+- `VERIFY.md`

LICENSE

@@ -0,0 +1,19 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   Copyright 2026 Backbay Industries
+
+   Full license text: https://www.apache.org/licenses/LICENSE-2.0.txt