feat: complete OpenCode plugin support with hooks, tools, and commands

Major OpenCode integration overhaul:

- llms.txt: Comprehensive OpenCode documentation for LLMs (642 lines)
- .opencode/plugins/ecc-hooks.ts: All Claude Code hooks translated to OpenCode's plugin system
- .opencode/tools/*.ts: 3 custom tools (run-tests, check-coverage, security-audit)
- .opencode/commands/*.md: All 24 commands in OpenCode format
- .opencode/package.json: npm package structure for opencode-ecc
- .opencode/index.ts: Main plugin entry point

- Delete incorrect LIMITATIONS.md (hooks ARE supported via plugins)
- Rewrite MIGRATION.md with correct hook event mapping
- Update README.md OpenCode section to show full feature parity

OpenCode has 20+ events vs Claude Code's 3 phases:
- PreToolUse → tool.execute.before
- PostToolUse → tool.execute.after
- Stop → session.idle
- SessionStart → session.created
- SessionEnd → session.deleted
- Plus: file.edited, file.watcher.updated, permission.asked, todo.updated

- 12 agents: Full parity
- 24 commands: Full parity (+1 from original 23)
- 16 skills: Full parity
- Hooks: OpenCode has MORE (20+ events vs 3 phases)
- Custom Tools: 3 native OpenCode tools

The OpenCode configuration can now be:
1. Used directly: cd everything-claude-code && opencode
2. Installed via npm: npm install opencode-ecc

.opencode/commands/security.md

@@ -0,0 +1,89 @@
+---
+description: Run comprehensive security review
+agent: security-reviewer
+subtask: true
+---
+
+# Security Review Command
+
+Conduct a comprehensive security review: $ARGUMENTS
+
+## Your Task
+
+Analyze the specified code for security vulnerabilities following OWASP guidelines and security best practices.
+
+## Security Checklist
+
+### OWASP Top 10
+
+1. **Injection** (SQL, NoSQL, OS command, LDAP)
+   - Check for parameterized queries
+   - Verify input sanitization
+   - Review dynamic query construction
+
+2. **Broken Authentication**
+   - Password storage (bcrypt, argon2)
+   - Session management
+   - Multi-factor authentication
+   - Password reset flows
+
+3. **Sensitive Data Exposure**
+   - Encryption at rest and in transit
+   - Proper key management
+   - PII handling
+
+4. **XML External Entities (XXE)**
+   - Disable DTD processing
+   - Input validation for XML
+
+5. **Broken Access Control**
+   - Authorization checks on every endpoint
+   - Role-based access control
+   - Resource ownership validation
+
+6. **Security Misconfiguration**
+   - Default credentials removed
+   - Error handling doesn't leak info
+   - Security headers configured
+
+7. **Cross-Site Scripting (XSS)**
+   - Output encoding
+   - Content Security Policy
+   - Input sanitization
+
+8. **Insecure Deserialization**
+   - Validate serialized data
+   - Implement integrity checks
+
+9. **Using Components with Known Vulnerabilities**
+   - Run `npm audit`
+   - Check for outdated dependencies
+
+10. **Insufficient Logging & Monitoring**
+    - Security events logged
+    - No sensitive data in logs
+    - Alerting configured
+
+### Additional Checks
+
+- [ ] Secrets in code (API keys, passwords)
+- [ ] Environment variable handling
+- [ ] CORS configuration
+- [ ] Rate limiting
+- [ ] CSRF protection
+- [ ] Secure cookie flags
+
+## Report Format
+
+### Critical Issues
+[Issues that must be fixed immediately]
+
+### High Priority
+[Issues that should be fixed before release]
+
+### Recommendations
+[Security improvements to consider]
+
+---
+
+**IMPORTANT**: Security issues are blockers. Do not proceed until critical issues are resolved.