This package is the production package surface for Agent Governance Toolkit on OpenCode.
It ships an OpenCode plugin that uses:
- OpenCode's in-process plugin hooks for deterministic session, prompt, tool, and output governance
- a bundled stdio MCP server (`server/agt-mcp.mjs`) for operator-facing AGT inspection tools
- the AGT TypeScript SDK for policy evaluation, prompt defense, and MCP threat scanning

Public Preview — APIs and policy schema may change.

What this is:
- a first-party OpenCode plugin package
- a parity layer for the existing Antigravity and Claude Code governance packages, adapted to OpenCode's richer in-process hook contract
- a publishable npm package (`@microsoft/agent-governance-opencode`) that can also be loaded locally from a workspace `.opencode/plugins/` directory

What this is not:
- a Copilot-style extension
- a universal governance layer for every IDE surface
- a guarantee of full Copilot CLI feature parity

Unlike Claude Code (subprocess hooks) and Antigravity (subprocess hooks), OpenCode loads plugins in-process as async TypeScript/JavaScript functions. That means this package can:
- enforce policy on `tool.execute.before` without an extra subprocess round trip
- redact secrets from `tool.execute.after` output before the model sees it (a parity win over Claude Code, which cannot rewrite tool output)
- expose custom tools like `agt_policy_status` directly to the model without needing a separate MCP server

The stdio MCP server is still shipped for operators who want to invoke governance tools from external workflows.
This initial package enforces:
- `session.start` — injects AGT governance context into the session
- `event` (chat-style) — scans submitted prompts; throws to block
- `tool.execute.before` — allow / review / deny tool calls
- `tool.execute.after` — scans tool output and redacts known secret patterns (AWS, GitHub PAT, OpenAI, JWT, PEM private keys, Azure storage keys)
- `tool.execute.error` — records audit entry for failed tool calls

It also exposes two custom tools (in-process and via the stdio MCP server):
- `agt_policy_status` — return the active AGT policy snapshot
- `agt_policy_check_text` — inspect arbitrary text for prompt-injection and context-poisoning findings

Run these commands from the package directory:
```sh
cd agent-governance-opencode
npm install
npm run check
```

OpenCode loads plugins from:
- `opencode.json` `plugin` entries (npm specifiers)
- `~/.config/opencode/plugins/*.{ts,js,mjs}` (user-global)
- `.opencode/plugins/*.{ts,js,mjs}` (workspace-local)

```json
{
  "$schema": "https://opencode.ai/config.json",
  "plugin": ["@microsoft/agent-governance-opencode"]
}
```

Create `.opencode/plugins/agt.mjs`:

```js
export { default } from "../../agent-governance-opencode/src/index.mjs";
```

In `opencode.json`:

```json
{
  "$schema": "https://opencode.ai/config.json",
  "mcp": {
    "agt-governance": {
      "type": "local",
      "command": [
        "node",
        "./node_modules/@microsoft/agent-governance-opencode/server/agt-mcp.mjs"
      ]
    }
  }
}
```

The plugin loads policy from (in order):
1. `AGT_OPENCODE_POLICY_PATH` environment variable
2. `./.agt/policy.json` in the working directory
3. `~/.config/opencode/agt/policy.json`
4. The bundled `config/default-policy.json` (enforce mode, fail-closed)

Audit log path defaults to `~/.config/opencode/agt/audit.json` and can be
overridden via `AGT_OPENCODE_AUDIT_PATH`.

- OpenCode's in-process plugin contract does not currently expose a server-side
  "ask the user" decision from inside `tool.execute.before`. When AGT decides
  `review`, this plugin marks the args with `__agt_review_reason` and lets
  OpenCode's normal permission flow run. Operators who want hard-deny behaviour
  on review should set `toolPolicies.defaultEffect: "deny"` in their policy.
- Output redaction is conservative: only well-known credential patterns are
  redacted. The audit entry records that a redaction occurred but never the
  redacted value.
- AGT fails closed by default. If the policy file is corrupt or evaluation
  throws, requests are denied. Set `denyOnPolicyError: false` in policy to opt
  into advisory mode.
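
The output-redaction behaviour described above (redact well-known credential patterns in tool output, audit that a redaction happened but never the value), sketched as an added example that is not the plugin's own code. The function name `redactToolOutput`, the regexes, the pattern names, and the audit entry fields are all assumptions made for illustration.

```javascript
// Added example: pattern names and regexes below are illustrative assumptions,
// not the patterns shipped in the AGT plugin.
const SECRET_PATTERNS = [
  { kind: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { kind: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { kind: "jwt", re: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  { kind: "pem-private-key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
];

// Redact tool output before it is returned to the model. The audit entry
// carries pattern kinds and match counts only, never the matched text.
function redactToolOutput(toolName, output) {
  const findings = {};
  let redacted = String(output);
  for (const { kind, re } of SECRET_PATTERNS) {
    redacted = redacted.replace(re, () => {
      findings[kind] = (findings[kind] || 0) + 1;
      return `[REDACTED:${kind}]`;
    });
  }
  const audit = {
    event: "tool.execute.after", // hook name from the page; field names are assumed
    tool: toolName,
    redacted: Object.keys(findings).length > 0,
    findings,
  };
  return { output: redacted, audit };
}

// Constructed sample tool output (placeholder values, not real credentials).
const sample = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "token: ghp_" + "a".repeat(36),
  "-----BEGIN RSA PRIVATE KEY-----\nMIIB" + "x".repeat(20) + "\n-----END RSA PRIVATE KEY-----",
  "build finished in 3.2s",
].join("\n");

const result = redactToolOutput("bash", sample);
console.log(result.output);
console.log(JSON.stringify(result.audit));
```

Because the replacement callback ignores its match argument, the secret text never reaches the audit object, so the audit log cannot become a second copy of the leaked credential.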