brin
integrations

OpenCode

Add brin to OpenCode with a PreToolUse hook. Gate shell tools and block dangerous packages before they install.

OpenCode's hooks system lets you intercept tool calls before they execute. use a PreToolUse hook to check brin before any package install command runs.

##setup

1. Create .opencode/hooks/brin-check.sh:

Bash
#!/bin/bash
input=$(cat)
cmd=$(echo "$input" | jq -r '.tool_input.command // empty')
 
# Match install commands
if [[ "$cmd" =~ ^(npm\ (i|install|add)|yarn\ add|pnpm\ (add|i)|bun\ (add|i)|pip\ install|cargo\ add)\ (.+)$ ]]; then
  pkg="${BASH_REMATCH[4]}"
 
  # Detect origin
  if [[ "$cmd" =~ ^pip ]]; then origin="pypi"
  elif [[ "$cmd" =~ ^cargo ]]; then origin="crate"
  else origin="npm"
  fi
 
  # Check brin using response headers for speed
  verdict=$(curl -sf -o /dev/null -w "%header{x-brin-verdict}" "https://api.brin.sh/${origin}/${pkg}")
 
  if [[ "$verdict" == "dangerous" || "$verdict" == "suspicious" ]]; then
    score=$(curl -sf -o /dev/null -w "%header{x-brin-score}" "https://api.brin.sh/${origin}/${pkg}")
    jq -n --arg v "$verdict" --arg s "$score" --arg p "$pkg" \
      '{decision:"block", reason:"brin: \($p) is \($v) (score: \($s)). Do not install."}'
  else
    echo '{"decision":"allow"}'
  fi
else
  echo '{"decision":"allow"}'
fi

2. Register the hook in opencode.json:

JSON
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "bash",
        "command": ".opencode/hooks/brin-check.sh"
      }
    ]
  }
}

3. Make it executable:

Bash
chmod +x .opencode/hooks/brin-check.sh

##how it works

the hook reads x-brin-verdict and x-brin-score from curl response headers for a fast, lightweight check. if the verdict is suspicious or dangerous, the command is blocked. if brin is unreachable, the hook allows the command through.

##global configuration

to apply to all projects, place the config in ~/.config/opencode/opencode.json and the script at ~/.config/opencode/hooks/brin-check.sh.