# OpenCode

Give an OpenCode agent a real, routable, verifiable Whisper network identity.

> **Status: Staged — install from source, registry publish pending** — built and proven end-to-end locally; there is no one-command registry install yet. The real add-step below works today. The native MCP snippet works today (8 tools with a key, `/128` egress proven); the `@whisper/opencode` npm plugin is fixed and pending publish.

## Add it

OpenCode speaks MCP natively. Add the `whisper mcp` server directly to your `opencode.json` — the zero-config path that works today:

```json
{
  "mcp": {
    "whisper": { "type": "local", "command": ["whisper", "mcp"], "enabled": true }
  }
}
```

Once the `@whisper/opencode` plugin is published, adding `"plugin": ["@whisper/opencode"]` to `opencode.json` adds the same tools plus an egress lifecycle hook.

**Prerequisite:** the `whisper` CLI on your PATH — the adapter runs `whisper mcp` (the tool surface) and, for egress, `whisper connect`:

```bash
curl -fsSL https://get.whisper.online | sh
```

## Two tiers, auth optional

Like every Whisper integration, the adapter is two-tier by design — liberal in what it asks of you ([Postel's Law](/docs/integrations)):

- **No API key** — the keyless tools work for everyone: `whisper_verify` (is an address or hostname a real Whisper agent, and whose?) and `whisper_rdap` (its RDAP registration). Real value, zero setup.
- **With your key** (`WHISPER_API_KEY` in the client's environment, or a saved `whisper login`) — the full control plane unlocks (`whisper_register`, `whisper_list`, `whisper_policy`, `whisper_logs`, `whisper_revoke`, `whisper_egress_config`), and the session can **egress from its routable `/128`**.

## Verify without a key

```bash
# keyless — no account, no key
whisper verify 2a04:2a01:f3c6:4261:9887:4349:306a:52c8
# → verified Whisper agent (DANE-anchored)
#   fqdn a98874349306a52c8.botboss.app
```

In an agent chat, the same check is one tool call — ask the model to run `whisper_verify {target:"api.openai.com"}` and it comes back with `is_whisper_agent`, `dane_ok`, and `jws_ok`.

## Egress from your /128

Set your key in the client's launch environment, then let the agent mint its own identity and route through it:

```bash
export WHISPER_API_KEY=whisper_live_…   # set in the CLIENT's launch env
# in chat: whisper_register {name:"scout"}  → a routable /128 + DNS name
whisper ip                          # ✓ egress verified — source IP == the agent's /128
dig -x <that /128>                  # reverse-DNS → the agent's Whisper hostname
```

## Verify it worked

Restart the client and ask it, in chat, to run `whisper_verify` against any address. A true/false `is_whisper_agent` verdict back means the `whisper mcp` server is wired in correctly, end to end. With a key present, `whisper_list` returns your agents.

---

**Next:** [Hermes](/docs/agents-hermes) · [MCP server](/docs/mcp).
