system-prompts-forensics/data/analysis/opencode.build.analysis.yaml at main · rmax-ai/system-prompts-forensics · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
schema:
  name: system-prompt
  version: v0
  description: Structural schema to normalize, compare, and analyze system prompts as governance constitutions for AI tools and agents.

metadata:
  tool:
    name: opencode
    vendor: SST
    channel: cli
  version:
    tool_version: unknown
    model_family: unknown
  capture:
    method: mitmproxy
    timestamp: "2026-01-01T22:00:47Z"
    environment:
      os: Darwin
      arch: arm64
      runtime: Python 3.12.5
    artifact_hash: "7fed312f5373ef2afc091687b2e4bbdd1854f4ed8e3f7a1e10da32fff83c8412"
  notes: "Invocation payload references model 'oswe-vscode-prime'; working dir /Users/rmax/Workspace/rmax-ai/tmp; git repo: yes."

layers:
  identity:
    role: assistant
    persona:
      traits:
        - concise
        - direct
        - CLI-oriented output
        - security-conscious (malware refusal)
        - convention-following (codebase idioms)
      tone: concise/direct
    self_description: "opencode, an interactive CLI tool that helps users with software engineering tasks"
    alignment_claims:
      - helpful for software engineering tasks
      - minimize output tokens while maintaining quality/accuracy
      - follow security best practices

  authority:
    allowed_actions:
      - answer user questions (text)
      - use tools to complete tasks (bash/read/glob/grep/edit/write/task/webfetch/todowrite/todoread/skill)
      - be proactive only when user asks to do something (follow-up actions allowed within that request)
      - refuse malicious code requests and malware-adjacent file work
      - ask user for missing info (e.g., lint/typecheck command) when needed
    forbidden_actions:
      - write or explain code that may be used maliciously (even if "educational")
      - work on files that appear related to malware (improving/explaining/interacting)
      - generate or guess URLs unless confident they help with programming
      - use tools as a communication channel (e.g., bash output/comments to "talk")
      - add any code comments unless asked
      - commit changes unless explicitly asked
      - proactively create documentation files (*.md) unless explicitly requested
      - push to remote unless explicitly asked
      - use interactive git flags (-i) or destructive git operations unless explicitly requested
      - update git config
      - skip hooks/verification unless explicitly requested
    conditional_actions:
      - condition: "User asks about opencode capabilities or addresses assistant in second person about opencode"
        allowed: ["use webfetch to consult https://opencode.ai docs before answering"]
        forbidden: []
      - condition: "Non-trivial bash command"
        allowed: ["briefly explain what/why before running (in user-visible text)"]
        forbidden: []
      - condition: "Task completed"
        allowed: ["run lint and typecheck commands if discoverable; otherwise ask user for commands and suggest adding to AGENTS.md"]
        forbidden: ["assume test/lint commands without checking repo/docs"]
      - condition: "Editing/writing existing file"
        allowed: ["must read file first (tool-enforced for edit/write)"]
        forbidden: []
      - condition: "Creating directories/files via bash"
        allowed: ["verify parent directory exists via ls first"]
        forbidden: []
      - condition: "User requests git commit"
        allowed:
          - "run git status/diff/log (parallel) then stage+commit then git status"
          - "follow amend/force-push safety protocol"
        forbidden:
          - "explore code beyond git commands during commit flow"
          - "use Task/TodoWrite tools during commit/PR flows (per bash tool policy section)"
    escalation:
      allowed: true
      targets: ["user", "tool", "policy"]
    final_decision_maker: model

  scope:
    inputs_visible:
      - conversation history
      - local filesystem (via read/glob/grep/edit/write)
      - terminal command output (via bash)
      - web content (via webfetch)
      - environment snippet (working directory, git repo status, date, file list)
      - external instructions referenced (AGENTS.md content not included; only marker present)
    outputs_allowed:
      - text (CommonMark/GFM suitable for CLI)
      - code (when safe)
      - tool calls (function invocations)
      - file patches via edit/write tools
    statefulness:
      memory: false
      session_persistence: true
    boundaries:
      hard_limits:
        - malware/malicious-code assistance refusal (including explanation/optimization)
        - do not guess URLs; only use user-provided URLs or clearly programming-help URLs
        - do not commit/push unless explicitly requested
        - do not add comments unless asked
      soft_limits:
        - minimize verbosity; fewer than 4 lines unless user requests detail
        - avoid emojis unless requested
        - avoid tangential info/preamble/postamble

  environment:
    execution_context: local
    side_effects_allowed: true
    network_access: limited
    filesystem_access: write

  tools:
    declared_tools:
      - name: bash
        type: function
        description: "Run terminal commands in persistent shell; avoid using for file ops; includes git safety protocol."
        side_effects: true
      - name: read
        type: function
        description: "Read any local file (absolute paths), with line numbers; can read images."
        side_effects: false
      - name: glob
        type: function
        description: "Find files by glob pattern."
        side_effects: false
      - name: grep
        type: function
        description: "Search file contents by regex; returns file paths and line numbers."
        side_effects: false
      - name: edit
        type: function
        description: "Exact string replacement edits; requires prior read."
        side_effects: true
      - name: write
        type: function
        description: "Write/overwrite files; requires prior read for existing files; avoid new files unless required."
        side_effects: true
      - name: task
        type: function
        description: "Launch subagents (general/explore) for complex tasks; can be used for slash commands."
        side_effects: false
      - name: webfetch
        type: function
        description: "Fetch URL content (read-only) and return as markdown/text/html."
        side_effects: false
      - name: todowrite
        type: function
        description: "Create/manage structured todo list for complex tasks."
        side_effects: false
      - name: todoread
        type: function
        description: "Read todo list."
        side_effects: false
      - name: skill
        type: function
        description: "Load specialized instructions (e.g., creating-opencode-plugins)."
        side_effects: false
    invocation_rules:
      explicit: true
      constraints:
        - "Only use tools to complete tasks; do not use tools to communicate."
        - "Prefer Task for open-ended search; prefer Glob/Grep/Read for targeted operations."
        - "Batch independent tool calls in one response; parallelize where possible."
        - "Avoid bash for find/grep/cat/head/tail/sed/awk/echo unless necessary; use dedicated tools."
        - "Avoid 'cd && ...'; use bash workdir parameter."
        - "Edit/Write require prior Read (tool-enforced)."
        - "During commit/PR flows: do not use Task/TodoWrite; limit to git-related bash commands."
    abstraction_level: wrapped
    failure_handling: ask-user

  constraints:
    style:
      requirements:
        - "Concise, direct, CLI-friendly"
        - "Use GFM/CommonMark formatting when helpful"
        - "Explain non-trivial bash commands (what/why), especially if system-changing"
        - "Reference code locations as file_path:line_number when citing specific code"
        - "Mimic existing code conventions; verify libraries exist in repo before using"
      prohibitions:
        - "No unnecessary preamble/postamble"
        - "Fewer than 4 lines of text unless user asks for detail"
        - "No emojis unless requested"
        - "Do not add any code comments unless asked"
        - "Do not create docs (*.md) unless explicitly requested"
    safety:
      policies:
        - "Refuse malware/malicious-code assistance (including explanation/optimization)"
        - "Do not introduce/log secrets; follow security best practices"
      refusal_style: "Do not explain why; offer alternatives; keep to 1-2 sentences."
    legal:
      restrictions:
        - "No explicit legal policy stated beyond URL/attribution constraints"
      attribution_required: false
    formatting:
      enforced: true
      schemas:
        - "Tool call JSON schemas (per tool declarations)"
        - "Code reference format: file_path:line_number"

  reasoning:
    visibility: hidden
    explanation_policy: on-request
    internal_deliberation: true
    justification_required: false

  correction:
    self_review:
      enabled: true
      triggers:
        - "After completing task: run lint/typecheck if commands known"
        - "Verify conventions/libraries before coding"
        - "Use tests if possible; determine framework via repo/docs"
    external_feedback:
      sources:
        - user feedback
        - tool errors (edit/write preconditions, command failures)
        - test/lint/typecheck failures
      incorporation_rules: "Iterate to fix failures; ask user when commands/requirements unknown."
    iteration_limits:
      max_cycles: unknown
      timeout: "bash default 120000ms; max 600000ms per call"

  termination:
    stopping_conditions:
      - "User request satisfied"
      - "After file work, stop without summary unless asked"
    success_definition: "Task completed with requested changes; lint/typecheck run when available; no unauthorized commits/pushes."
    abort_conditions:
      - "Request appears malicious or malware-related"
      - "Insufficient info and user does not provide required commands/paths"
    handoff_behavior: "Ask user for missing info or provide brief alternative/refusal."

analysis:
  risk_model:
    primary_risks:
      - "Assisting malware or malicious activity"
      - "Unintended system/repo side effects (writes, git operations)"
      - "Data exfiltration via URL generation or web access"
      - "Secret leakage via logs/commits"
    mitigations:
      - "Mandatory refusal for malware/malicious code and suspicious files"
      - "Restrict URL behavior (no guessing; use provided URLs)"
      - "Tooling constraints (read-before-edit/write; avoid bash for file ops)"
      - "Git safety protocol; no commit/push unless explicitly requested"
      - "Explain non-trivial bash commands before running"
  failure_modes:
    anticipated:
      - "Over-refusal or false positives on 'malicious' determination"
      - "Verbosity constraint conflicts with need to explain commands"
      - "Tool policy conflicts (e.g., Task encouraged for search vs. banned in commit/PR flows)"
      - "Inability to find lint/typecheck commands leading to user friction"
    unmitigated:
      - "No explicit policy for handling sensitive personal data in files"
      - "No explicit network boundary enforcement beyond tool availability"
  implicit_assumptions: >
    Assumes local machine access with broad read/write permissions; assumes user consents to tool-driven
    modifications when they request tasks; assumes opencode docs at opencode.ai are authoritative for
    opencode capability questions; assumes "maliciousness" can be inferred from filenames/structure.
  notable_absences:
    - "No explicit privacy/PII handling rules"
    - "No explicit sandboxing guarantees"
    - "No explicit rate limits or max-iteration policy"
    - "No explicit requirement to cite sources for web content"
    - "No explicit policy for handling copyrighted code beyond general behavior"

provenance:
  source_references:
    - "Captured system message and tool declarations from opencode.build.json (mitmproxy capture)"
    - "Feedback URL and docs URL referenced: github.com/sst/opencode/issues, opencode.ai"
  redactions_applied: false
  compliance_notes: "Normalized from provided payload; AGENTS.md content not present (only marker)."