harald/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(opencode): make @make and @test polyglot (Python, Rust, nix devshell)

Browse source 
Both agents previously hardcoded the Python/uv toolchain. They now
detect the language from marker files (pyproject.toml, Cargo.toml,
flake.nix) and run the appropriate test/lint/format/type-check commands
for Python, Rust, or both. When a flake.nix devshell is present, every
toolchain command is wrapped in `nix develop -c …`.

@make's permission allowlist gains `cargo *` and `nix develop -c *`,
plus matching denies for cargo add/remove/install/publish. The
Verification Tiers and Baseline Verification sections are rewritten as
per-language bullets, and output/TDD-evidence examples are now
language-neutral. Generalised the "no Kubernetes deployments"
constraint to cover any deploy/publish.

@test gains the same devshell + cargo allows (scoped to test, check,
clippy, fmt only — no build/run/install). Its file constraint adds
`tests/**/*.rs` for Rust integration tests, with an explicit note that
Rust unit tests stay with @make because they live inside production
source files. Failure-classification hints add Rust compiler-error
mappings, and the NOT_TESTABLE table gets a "Rust unit-only" row.
This commit is contained in:
Harald Hoyer 2026-05-06 17:09:34 +02:00
parent f750c76877
commit 8fcf7e5d34
2 changed files with 192 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

145
config/opencode/agents/make.md
View file

@ -9,10 +9,48 @@ permission:
bash:
# Default deny
"*": deny
# Python/uv development
# ── Nix devshell entry ──
# All toolchain commands may be wrapped in `nix develop -c <cmd>` to run
# them inside the project's devshell with the correct versions.
"nix develop -c *": allow
"nix develop --command *": allow
# ── Python (uv) ──
"uv run *": allow
"uv run": allow
# Deny dangerous commands under uv run (must come after allow to override)
# ── Rust (cargo) ──
"cargo *": allow
"cargo": allow
# ── Read-only inspection ──
"ls *": allow
"ls": allow
"wc *": allow
"which *": allow
"diff *": allow
"rg *": allow
# ── Explicit top-level denials ──
"git *": deny
"pip *": deny
"uv add*": deny
"uv remove*": deny
"cargo add*": deny
"cargo remove*": deny
"cargo install*": deny
"cargo publish*": deny
"curl *": deny
"wget *": deny
"ssh *": deny
"scp *": deny
"rsync *": deny
"rm *": deny
"mv *": deny
"cp *": deny
# ── Deny dangerous commands under `uv run` ──
"uv run bash*": deny
"uv run sh *": deny
"uv run sh": deny
@ -29,24 +67,6 @@ permission:
"uv run cp *": deny
"uv run python -c*": deny
"uv run python -m http*": deny
# Read-only inspection
"ls *": allow
"ls": allow
"wc *": allow
"which *": allow
"diff *": allow
# Search
"rg *": allow
# Explicit top-level denials
"git *": deny
"pip *": deny
"uv add*": deny
"uv remove*": deny
"curl *": deny
"wget *": deny
"ssh *": deny
"scp *": deny
"rsync *": deny
---
@ -89,7 +109,7 @@ If a task appears to touch shared interfaces but no integration contract is prov
This includes:
- Existing files to edit
- New files to create (must be listed, e.g., "src/new_module.py (create)")
- New files to create (must be listed, e.g. `src/new_module.py (create)` or `crates/foo/src/lib.rs (create)`)
**Not supported:** File renames and deletions. If a task requires renaming or deleting files, stop and report this to the caller — they will handle it directly.
@ -98,7 +118,33 @@ If you discover another file needs changes:
2. Report which file needs modification and why
3. Request permission before proceeding
**Excluded from this constraint:** Generated artifacts (.pyc, __pycache__, .coverage, etc.) — these should not be committed anyway.
**Excluded from this constraint:** Generated artifacts (`.pyc`, `__pycache__`, `.coverage`, `target/`, `Cargo.lock` only when allowed by acceptance criteria, etc.) — these should not be committed anyway.
## Language and Toolchain
You may be invoked on Python, Rust, or polyglot Nix-flake projects. Detect the toolchain at the start of the task and use the appropriate commands:
| Marker file | Toolchain | Test | Lint / Format | Type-check |
|---|---|---|---|---|
| `pyproject.toml`, `uv.lock` | Python (`uv`) | `uv run pytest` | `uv run ruff check .` / `uv run ruff format --check .` | `uv run ty check .` or `uv run basedpyright .` |
| `Cargo.toml` | Rust (`cargo`) | `cargo test` | `cargo clippy --all-targets -- -D warnings`, `cargo fmt -- --check` | `cargo check` (compiler-driven) |
| `flake.nix` | Nix flake | `nix flake check` | `nix fmt -- --check` (if configured) | (n/a) |
### Devshell wrapping
If the project has a `flake.nix` with a `devShells.default` (or per-system equivalent), **run all toolchain commands inside the devshell** by prefixing them with `nix develop -c`:
```
nix develop -c cargo test
nix develop -c uv run pytest
nix develop -c cargo clippy --all-targets -- -D warnings
```
The devshell guarantees the right toolchain versions are available. Detect once at task start, decide whether to wrap, then be consistent for the whole task. **Never drop into an interactive `nix develop` (with no command).** If a non-trivial task touches multiple commands and the devshell entry overhead matters, you may still wrap each command individually — that is the supported pattern.
### Polyglot tasks
A task may legitimately span multiple languages (e.g. a Rust binary plus its Python test harness). Run the appropriate verification per file area; document each in the verification block.
## Dependency Constraint
@ -150,10 +196,23 @@ If a task is too large, suggest splitting it.
Every acceptance criterion must be verified. Use the strongest tier available:
### Tier 1: Automated Tests (Preferred)
- Run existing test suite: `uv run pytest`
- Add new test if criteria isn't covered by existing tests
- Type check: `uv run ty check .` or `uv run basedpyright .`
- Lint: `uv run ruff check .`
- Run the language-appropriate test runner (see **Language and Toolchain**):
- Python: `uv run pytest`
- Rust: `cargo test`
- Polyglot Nix: `nix flake check`
- Add new tests if a criterion isn't covered by existing ones.
- Lint:
- Python: `uv run ruff check .`
- Rust: `cargo clippy --all-targets -- -D warnings`
- Format check:
- Python: `uv run ruff format --check .`
- Rust: `cargo fmt -- --check`
- Nix: `nix fmt -- --check` (if configured)
- Type check:
- Python: `uv run ty check .` or `uv run basedpyright .`
- Rust: `cargo check` (the compiler covers it)
Wrap every command in `nix develop -c …` when the project has a devshell.
### Tier 2: Deterministic Reproduction (Acceptable)
- Scripted steps that can be re-run
@ -167,10 +226,11 @@ Every acceptance criterion must be verified. Use the strongest tier available:
### Baseline Verification
Run what's configured and applicable:
- `uv run pytest` — if tests exist and are relevant
- `uv run ruff check .` — if ruff is configured
- `uv run ty check .` — if ty/type checking is configured
Run what's configured and applicable to the project's toolchain. Prefix with `nix develop -c` when a devshell exists.
- **Python:** `uv run pytest`, `uv run ruff check .`, `uv run ruff format --check .`, `uv run ty check .`
- **Rust:** `cargo test`, `cargo clippy --all-targets -- -D warnings`, `cargo fmt -- --check`
- **Nix flake:** `nix flake check`, `nix fmt -- --check` (if configured)
If a tool isn't configured or not applicable to this change, note "skipped: [reason]" rather than failing.
@ -234,17 +294,22 @@ Always end with this structure:
[1-2 sentences: what was implemented]
### Files Changed
- `path/to/file.py` — [brief description of change]
- `path/to/new_file.py` (created) — [description]
- `path/to/file.{py,rs,nix,…}` — [brief description of change]
- `path/to/new_file.{py,rs,nix,…}` (created) — [description]
### Verification
**Commands run:**
$ uv run pytest tests/test_foo.py -v
**Commands run:** (use whichever apply to this language; wrap with `nix develop -c` if a devshell exists)
$ cargo test --package my_crate
[key output excerpt — truncate if long, show pass/fail summary]
$ cargo clippy --all-targets -- -D warnings
[summary]
(or, for Python:)
$ uv run pytest tests/test_foo.py -v
$ uv run ruff check src/
All checks passed.
**Criteria verification:**
| Criterion | Method | Result |
@ -309,18 +374,20 @@ Include this section when tests were provided:
```
### TDD Evidence
**RED (before implementation):**
$ uv run pytest path/to/test_file.py -v
$ <test command> # e.g. `uv run pytest path/to/test_file.py -v`, `cargo test --test integration`
X failed, 0 passed
**GREEN (after implementation):**
$ uv run pytest path/to/test_file.py -v
$ <same test command>
0 failed, X passed
**Regression check:**
$ uv run pytest path/to/affected_area/ -v
$ <broader test command> # e.g. `uv run pytest path/to/affected_area/ -v`, `cargo test`
Y passed, 0 failed
```
Use the project's actual command (Python/Rust/Nix), wrapped in `nix develop -c` if applicable.
When no tests are provided (NOT_TESTABLE tasks), standard implementation mode applies unchanged.
## Scope Constraints
@ -329,7 +396,7 @@ When no tests are provided (NOT_TESTABLE tasks), standard implementation mode ap
- **Stay in scope** — Implement what's asked, nothing more
- **Preserve existing patterns** — Match the codebase style unless told otherwise
- **Don't refactor adjacent code** — Unless it's part of the task
- **No Kubernetes deployments** — Local testing only (`--without kubernetes`); K8s verification is handled by the main agent
- **No deployments or releases** — Local testing only. No `cargo publish`, no `uv publish`, no Kubernetes apply. Release/deploy verification is handled by the main agent.
- **No network requests** — Don't fetch external resources unless explicitly required by the task
- **No file renames/deletions** — Report to caller if needed; they handle directly