OpenCode · Plugin 02

OpenCode plugin

From blank repo to bonded agent, inside OpenCode.

A native OpenCode plugin that scaffolds, wraps, and ships bonded agents without leaving the TUI. Open a scratch directory, call chio_init, and walk out four minutes later with a signed MCP server, a policy under version control, and receipts on every tool call.

surface: OpenCode 1.14+
runtime: chio 0.1.0 · bridge 0.2.1
install: opencode.json: "plugin": ["@chio-protocol/opencode-plugin"]
source: backbay-labs/chio-open-code-plugin
OpenCode · status prefix: bonded · 18 guards
tool · chio_init {dir: ".", preset: "tool-agent", name: "support-desk"}
scaffolded policy.yaml, agent.md, guards/, receipts.db
bonded capability cap_support · ttl 4h · budget $80.00
tool · chio_wrap {cmd: "npx @mcp/zendesk --api-key env:ZD"}
attenuating tools 14 / 14
mounted mcp/zendesk · 9 tools allowed, 5 denied by policy
tool title prefix: ◉ BONDED · $0.00/$80.00 · 18 guards · 0/0 allow/block · receipts → ./receipts.db
Receipt 0xbea1…7fd3 · ed25519 ✓
01 Install

One plug. Every tool call, bonded.

The plugin registers a suite of chio_* custom tools and prefixes every mediated tool's result title with a live BONDED status line — the nearest OpenCode equivalent to a status bar.

01

Install the chio runtime

chio ships as a single static binary; it is needed only on the machine running OpenCode.

$ curl -fsSL https://www.chio.world/install.sh | sh
02

Register the plugin

Add @chio-protocol/opencode-plugin to opencode.json.

# opencode.json
{ "plugin": ["@chio-protocol/opencode-plugin"] }
03

Init a workspace

The chio_init tool generates a deny-by-default policy, a receipts store, and a guards directory tied to your repo.

$ # from the TUI tool picker: chio_init
scaffold · policy.yaml · agent.md · guards/ · receipts.db
# generated by chio_init · HushSpec 0.1.0
hushspec: "0.1.0"
name: support-desk
extends: chio://preset/support-agent

rules:
  path_allowlist:
    read: ["./tickets/**"]
  tool_access:
    default: block
    allow: [ticket.read, ticket.reply, kb.search]
  velocity:
    budget_usd: 80
    max_invocations: 200
    window_seconds: 86400
  human_in_loop:
    approve_above_usd: 100
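
How rules of this shape can be evaluated, as an added sketch that is not Chio's evaluator or code from the plugin. The key names and values come from the policy above; the check order (allowlist, approval gate, velocity window), the `decide` and `runSession` helpers, the `refund.create` allow entry, the `shell.exec` tool name and the sample calls are assumptions constructed for illustration.

```javascript
// Constructed policy object: the rule values from the generated policy.yaml,
// already parsed. "refund.create" is an ASSUMED addition to the allow list.
const policy = {
  tool_access: { default: "block", allow: ["ticket.read", "ticket.reply", "kb.search", "refund.create"] },
  velocity: { budget_usd: 80, max_invocations: 200, window_seconds: 86400 },
  human_in_loop: { approve_above_usd: 100 },
};

// Hypothetical evaluator. `ledger` holds prior allowed calls as {ts, cost_usd}.
// Assumed check order: allowlist, human approval gate, then velocity window.
function decide(policy, ledger, call) {
  const { tool_access: ta, velocity: v, human_in_loop: hil } = policy;
  // Fail closed: any default other than an explicit "allow" is treated as block.
  if (!ta.allow.includes(call.tool) && ta.default !== "allow") {
    return { verdict: "deny", reason: "tool_access" };
  }
  // Calls above the approval threshold are parked, not executed.
  if (call.cost_usd > hil.approve_above_usd) {
    return { verdict: "cancel", reason: "human_in_loop" };
  }
  // Only allowed calls inside the sliding window count against the limits.
  const recent = ledger.filter((r) => call.ts - r.ts < v.window_seconds);
  const spent = recent.reduce((sum, r) => sum + r.cost_usd, 0);
  if (recent.length + 1 > v.max_invocations) return { verdict: "deny", reason: "max_invocations" };
  if (spent + call.cost_usd > v.budget_usd) return { verdict: "deny", reason: "budget_usd" };
  ledger.push({ ts: call.ts, cost_usd: call.cost_usd });
  return { verdict: "allow", reason: "ok" };
}

// Evaluate a batch against a fresh ledger and return "verdict:tool" strings.
function runSession(calls) {
  const ledger = [];
  return calls.map((c) => `${decide(policy, ledger, c).verdict}:${c.tool}`);
}

// Constructed sample calls (timestamps in seconds, costs in USD).
const sample = [
  { tool: "ticket.read", cost_usd: 0, ts: 0 },
  { tool: "refund.create", cost_usd: 118, ts: 10 },   // above approve_above_usd
  { tool: "shell.exec", cost_usd: 0, ts: 20 },        // not in the allow list
  { tool: "refund.create", cost_usd: 60, ts: 30 },
  { tool: "refund.create", cost_usd: 30, ts: 40 },    // 60 + 30 exceeds budget_usd
  { tool: "refund.create", cost_usd: 30, ts: 86440 }, // earlier spend has left the window
];
console.log(runSession(sample));
```

Denied and cancelled calls are not added to the ledger in this sketch, so only executed calls consume the budget.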
02 Flow

Four files. One bonded agent.

The scaffold is opinionated. Every file is plain text, committed next to your code, reviewable by humans and CI.

01 · Scaffold

policy.yaml · the ruleset.

Rules, velocity, HITL, and egress under version control. Extend a preset; override what you care about.

preset: tool-agent
02 · Profile

agent.md · the brief.

A human-readable instruction manifest. OpenCode feeds it to the model; Chio lints it against the policy.

role · tools · guardrails
03 · Guards

guards/ · the custom logic.

Fuel-metered deny predicates, written in Rust and compiled to WASM. Scaffolded, tested, and swapped without restarting the host.

cargo check · chio guard test
04 · Receipts

receipts.db · the evidence.

A local SQLite ledger of every allow, deny, cancel, and incomplete. Streams to any SIEM you mount.

sqlite · s3 · splunk · datadog
03 Features

Agent construction kit. Wired into the TUI.

Every mutation is reviewable, every diff signable, every deploy receipt-backed.

Tool-result bond prefix

tool.execute.after prepends a live ◉ BONDED · budget · guards line to every mediated tool result. Nearest OpenCode equivalent to a status bar.

tui

Scaffold presets

tool-agent, code-agent, research-agent, support-agent, trader, release-engineer. Each a deny-closed starting point.

presets

Guard REPL

Write a deny predicate, call chio_guard_add, see it graded against every receipt in the last hour.

wasm · fuel-metered

Session replay

chio_replay scrubs any past session; replay is deterministic because every call was mediated.

replay

Policy lint

chio_policy_lint: dead capabilities, shadowing, implied egress leaks. CI-ready JSON output.

lint · ci

One-shot deploy

chio_deploy packs guards and runs chio certify: staging first, then prod, auto rollback on guard-fail.

deploy
04 Starter kits

Six scaffolds. All revocable.

Every kit is a chio_init preset away. The plugin drops policy.yaml, agent.md, and guards/ scaffolds, bonds a capability, and opens the relevant buffer.

tool-agent | Wrap an existing MCP server with deny-by-default rules. Write policy, bond, run. | tool_access · egress · velocity | ~2 min
code-agent | Hand Claude or Codex a repo with forbidden_paths, shell validation, and patch integrity pre-wired. | fs · shell · patch · egress | ~3 min
research-agent | Read-only fetch with domain allowlist, rate limiting, and a writeup target in Notion. | fs-read · egress-list · velocity | ~2 min
support-agent | Paid-tier inbox with human-in-loop above $100 refunds and full receipt export for billing. | refund-gate · ticket-scope | ~4 min
trader | Paper-trade or live-trade with explicit budget, market-hours guard, ed25519-signed orders. | budget · market-hours · egress | ~5 min
release-engineer | Wrap kubectl + argocd with human approvals on production namespaces and automatic rollback on deny. | k8s-ns · human-in-loop · rollback | ~6 min
05 Proof

Every scaffold is reviewable before it runs.

allow | ticket.read · #18421 · tier:paid | 09:02:14
allow | kb.search · "refund policy" | 09:02:16
allow | ticket.reply · #18421 · 142 tokens · auto-close | 09:02:19
cancel | refund.create · $118 · awaits human approval | 09:02:31
deny | ticket.read · #9003 · out-of-scope org · guard=tenant_iso | 09:02:44

Policy, guards, and receipts are ordinary files in your tree. No hidden state, no hidden daemons. Visible in a buffer, diffable in git, signed end to end.

agent: did:chio:4a7e091c2b3d4e5f60718293a4b5c6d7e8f9001112223334445556667778889a
policy: support-desk@0.4.1
count: 26 receipts · 23 allow · 2 deny · 1 cancel
hash: 0xbea1…7fd3

Blank repo. Bonded agent. Two tool calls.

The plugin belongs in every OpenCode install the way a linter does. Free, open source, makes every buffer defensible.