ππ€ Autonomy-first (web-oriented) OpenCode starter for real autonomy β with MCP-first tooling, quality gates, and a pragmatic validation flow ππ§ͺ
If youβve ever tried agentic coding and ended up with:
- βDONE β β without running anything,
- random refactors you never asked for,
- UI regressions that only show up after deploy,
- or token-burning context dumpsβ¦
This repo is the missing scaffolding: a clean set of rules + memory + validation gates so OpenCode behaves like a solid teammate from day one.
This template is designed to be as safe as reasonably possible while keeping the agent highly autonomous β in a setup where OpenCode runs directly on your host (no container/VM sandbox by default).
What that means in practice:
- β You get tight workflow boundaries (rules + MCP-first policy + token budgets + validation gates).
- β You reduce the chance of accidental βbig mistakesβ (by forcing real validation and avoiding huge data pulls).
- β You can keep secrets out of the repo (via env-based config).
But also:
β οΈ OpenCode can still run with powerful capabilities. With broad permissions, mistakes can be destructive.β οΈ There is always a small residual risk (tool quirks, edge cases, unexpected prompts, human error).- β The goal here is pragmatic safety (reduce risk a lot) while keeping the workflow fast and autonomous β not βperfect isolationβ.
If you want near-zero blast radius: run in a container/VM. If you want maximum speed on your main machine: this repo helps you do it responsibly.
- β TODO-driven loop: pick a task β implement β validate β retry β escalate when blocked
- π§ͺ Quality gates: no βlooks goodβ DONE β the agent must prove it works
- π§° MCP-first tool policy: filesystem / browser / DB / docker / API client before random bash/web hacks
- βοΈ Token-budget rules: DB + API context stays small and relevant
Default assumptions (easy to swap):
- π UI exists and can be validated in a real browser
- ποΈ DB is MariaDB/MySQL
- π³ Services may run in Docker
- π API smoke tests can be run via an HTTP client (Postmancer)
Non-web project? Different stack? Still usable β youβll just adapt the MCP config + QUALITY gates.
MCP servers give the agent purpose-built tools with clearer boundaries than βdo everything with bashβ:
- filesystem MCP: safer, scoped file access (no wandering outside your project)
- chrome-devtools MCP: validates UI behavior where it actually matters (real browser, real console)
- mysql/mariadb MCP: schema-first + targeted reads (no table dumps)
- docker MCP: inspect logs/status/exec without ad-hoc scripts
- postmancer: quick, repeatable API smoke checks without reinventing curl flows
Net effect: fewer hallucinated validations, fewer accidental dumps, more reliable βDONEβ.
Lara : OK, je te refais la section Project layout en incluant tes dossiers 01_generated, agent, command, memory, plugin, rules, skills, tools, et je marque clairement quand cβest optionnel / souvent vide avec un petit commentaire utile. π
.
ββ AGENTS.md # agent behavior + language & tone policy (source of truth)
ββ TODO.md # task list (can be in any language)
ββ .opencode/
ββ 01_generated/ # optional generated artifacts (templates, exports, snapshots) β safe to delete/rebuild
β (often empty; useful for reproducible outputs without polluting the repo)
ββ agent/ # optional agent profiles / modes / persona presets
β (often empty; useful when you want multiple agent behaviors per repo)
ββ command/ # optional command presets / shortcuts / repeatable workflows
β (often empty; useful to standardize common actions like "run checks" / "smoke test")
ββ memory/ # project memory the agent should rely on (keep updated)
β ββ STATE.md # project context: stack, ports, constraints, URLs
β ββ DISCOVERY.md # entrypoints + useful pointers (where to start, key modules)
β ββ QUALITY.md # validation commands + gates (incl. UI gate / Chrome MCP)
β ββ CHANGELOG_DEV.md # optional structured dev notes (often empty)
ββ plugin/ # optional custom extensions / integrations for your workflow
β (often empty; keep only if you maintain a plugin layer)
ββ rules/ # hard rules the agent must follow (behavioral guardrails)
β ββ 00-core.md # tool policy, conventions, defaults
β ββ 10-safety-guard.md # safety rails (no secrets, no destructive ops, etc.)
β ββ 20-git-guard.md # git policy (often βno git unless askedβ)
β ββ ... # add more rules as your playbook grows
ββ skills/ # optional playbooks for repeatable tasks (debugging, refactors, migrations)
β (often empty; useful when you want consistent βhow toβ procedures)
ββ tools/ # optional tool wrappers / helpers / small scripts used by the agent
(often empty; useful if you standardize local tooling without bloating the main repo)This template expects UI-impacting changes to be validated using Chrome DevTools MCP β not just API calls. Thatβs how you avoid false βDONEβ on:
- routing/hydration issues
- auth flows
- layout regressions
- error rendering
- βworks in API but breaks in UIβ
Install & docs:
If your project has no UI, replace the UI gate in .opencode/memory/QUALITY.md with an equivalent (CLI integration tests, snapshots, etc.).
-
Copy this starter into your project:
.opencode/AGENTS.mdTODO.md
-
Configure MCP servers (paths/ports/hosts):
- filesystem MCP root β your project directory
- DB MCP β your DB (MariaDB/MySQL by default)
- Docker MCP β your Docker daemon (if using containers)
- Chrome DevTools MCP β installed + able to connect to Chrome
- Postmancer β optional, but great for API smoke tests
-
Update memory:
.opencode/memory/STATE.mdβ architecture, ports, URLs, constraints or keep it "as-is"..opencode/memory/QUALITY.mdβ real lint/test/build commands + UI flows or keep it "as-is".
-
Write a good TODO and run OpenCode.
This repo ships with a βknown goodβ MCP toolbox. Youβll typically adapt:
- Change the root path to your project directory
- Keep it scoped to avoid accidental reads/writes outside the repo
- Update host/port/user/db name for your environment
- Prefer env vars (e.g.
{env:OPENCODE_DB_PASS}) instead of hardcoding secrets
If youβre not on MariaDB/MySQL:
- Postgres β swap the MySQL MCP server for a Postgres MCP server
- SQLite β use a SQLite MCP server (or keep DB ops minimal)
- No DB β disable DB MCP and remove DB gates from QUALITY
- Ensure Chrome is installed and reachable by the MCP server
- Keep this enabled if your changes can affect UI behavior
- Enable if your services run in containers (status/logs/exec)
- Disable if you donβt use Docker (and remove Docker references in QUALITY)
- Useful for repeatable API smoke tests (especially when UI is not the best probe)
A TODO should be executable without guesswork.
A good TODO contains:
- expected behavior (observable)
- scope (files/areas)
- exact validation commands
- UI flow to validate (if UI impact)
- βDONE WHENβ criteria
Example:
- [ ] T42: Fix redirect after token refresh
Expected: after refresh, user stays on original route
Scope: frontend auth composable + backend refresh endpoint
Validate:
- npm run lint
- npm test
- npm run build
- UI: open /account, refresh page, verify still on /account (Chrome MCP)
DONE WHEN: all validations PASS and no console errors- filesystem MCP: default for file ops
- chrome-devtools MCP: default for UI checks + console
- DB MCP: schema-first + small samples (LIMIT 4), never dump tables
- postmancer: default for API smoke tests
- docker MCP: default for status/logs/exec
- webfetch/websearch: external docs only (not for testing your app)
-
Never dump tables or giant JSON blobs.
-
Prefer schema introspection first (tables, columns, constraints).
-
For data shape, sample 3β4 rows max (LIMIT 4).
-
For big API responses, keep only:
- first ~450 chars or
- first 3 objects whichever best represents structure.
- All files (code, comments, docs) are written in English.
- User interaction (chat) follows the userβs language.
TODO.mdcan be written in any language.
- Review diffs. Commit early. Commit often.
- Keep backups/snapshots.
- Start restrictive on permissions, loosen gradually.
- Donβt store secrets in the repo.
MIT