chore(upstream): three-layer regression backstop for bridge merges

Root cause of the v1.4.0 audit findings (16 regressions across 30 files):
many altimate customizations were never wrapped in `altimate_change`
markers, so the bridge merge tool — working as designed — overwrote
them with upstream's version. The marker discipline relies on humans
remembering to wrap; the tooling didn't catch the gap. This commit
closes that gap with three layers of defense:

1. Broaden the branding scan
   `script/upstream/analyze.ts` LEAK_PATTERNS now catches bare
   `opencode` strings in user-visible contexts: yargs `describe` text,
   console/UI output, MCP `clientInfo.name`, User-Agent headers, OIDC
   audiences, GitHub workflow YAML, infrastructure identifiers, spawn
   binary names, etc. Reproductive testing: scanning the pre-fix
   v1.4.0 state, the broadened patterns flagged 13 of the 16
   regressions. Runs in CI on every PR (`Branding leak audit` step).
   Also: scanner skips lines inside `altimate_change` blocks (so
   intentional explanatory comments don't false-positive).

2. requireMarkers allowlist for behavior-patched files
   New `MergeConfig.requireMarkers` field in
   `script/upstream/utils/config.ts` lists 38 files known to hold
   altimate behavioral patches (UA strings, retry loops, OAuth skew
   buffers, hour-aligned cleanup tasks, custom theme tweaks, etc.).
   - `analyze.ts --require-markers --strict` verifies each file in
     the list has at least one altimate_change block. Runs in CI.
   - `bridge-merge.ts` treats them as keepOurs: never overlays
     upstream content on these files, even if they have no markers.
     Hard-aborts the merge if any file in the list is missing
     markers (would mean we lost the patches before the merge ran).
   Three new categories now in the merge plan: requireMarkers,
   requireMarkersMissing, plus a "must merge upstream changes
   manually" line in the report.

3. Retroactive marker sweep
   Added altimate_change markers to 14 previously-unmarked files that
   held altimate brand strings or behavioral patches:
   - `cli/cmd/upgrade.ts`, `tui/attach.ts`, `tui/thread.ts`,
     `tui/component/upgrade-indicator.tsx`, `cli/cmd/import.ts`,
     `cli/cmd/plug.ts`, `cli/network.ts`, `cli/cmd/pr.ts` (was a
     pre-existing regression — `spawn("opencode")` would fail since
     the binary is `altimate-code`)
   - `mcp/config.ts`, `mcp/oauth-provider.ts`,
     `config/migrate-tui-config.ts`, `config/tui-migrate.ts`,
     `plugin/copilot.ts`, `plugin/github-copilot/copilot.ts`
   Plus `provider/provider.ts` + `session/llm.ts` UA brand fixes that
   the broadened scan caught.

   Catppuccin theme JSON files (`textMuted` brightness tweak) added
   to `keepOurs` glob — JSON can't carry inline markers, so the
   bridge merge tool just preserves them wholesale.

   Memory tools (`packages/opencode/src/memory/**`) added to
   `keepOurs` — they're a net-new altimate feature family
   (altimate_memory_* tools) not in upstream.

Internal scripts (`script/beta.ts`, `script/raw-changelog.ts`,
`packages/script/src/index.ts`) — wrapped legitimate references to
upstream's bot identity / model IDs in `altimate_change` markers and
flipped the model spawn command from `opencode run` to
`altimate-code run` (the scripts were broken before — would call a
binary that isn't installed).

CI integration
`.github/workflows/ci.yml` now runs both `--branding` and
`--require-markers --strict` on every PR. Existing `--markers` check
remains.

Verified
- bun turbo typecheck — 5/5 packages clean
- bun test test/upstream test/util/error.test.ts test/permission test/server — 553 pass / 0 fail
- bun run script/upstream/analyze.ts --branding — 0 leaks
- bun run script/upstream/analyze.ts --require-markers --strict — 38/38 files have markers
- 0 unmarked altimate-touched files outside the safety nets (verified by tree sweep)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: anandgupta42

.github/workflows/ci.yml

@@ -449,3 +449,17 @@ jobs:
           else
             bun run script/upstream/analyze.ts --markers --base ${{ github.event.pull_request.base.ref }} --strict
           fi
+
+      - name: Branding leak audit (broadened scan, see analyze.ts LEAK_PATTERNS)
+        # Catches user-visible bare "opencode" strings that markers alone miss —
+        # yargs describe text, console output, MCP client identity, workflow YAML,
+        # User-Agent strings, OIDC audience, infrastructure identifiers.
+        # Caught 13 of 16 v1.4.0 bridge merge regressions in retrospective testing.
+        run: bun run script/upstream/analyze.ts --branding
+
+      - name: Require-markers regression backstop
+        # Verifies every file in config.requireMarkers (38 files known to hold
+        # altimate behavioral patches) has at least one altimate_change block.
+        # If any patches were silently lost (refactor, accidental delete, bridge
+        # merge oversight), CI fails here BEFORE the bug reaches production.
+        run: bun run script/upstream/analyze.ts --require-markers --strict

packages/opencode/src/cli/cmd/import.ts

@@ -19,7 +19,9 @@ export type ShareData =
   | { type: "session_diff"; data: unknown }
   | { type: "model"; data: unknown }
 
+// altimate_change start — share URLs use altimate.ai (was opencode.ai)
 /** Extract share ID from a share URL like https://altimate.ai/share/abc123 */
+// altimate_change end
 export function parseShareUrl(url: string): string | null {
   const match = url.match(/^https?:\/\/[^/]+\/share\/([a-zA-Z0-9_-]+)$/)
   return match ? match[1] : null

packages/opencode/src/cli/cmd/plug.ts

@@ -28,7 +28,9 @@ export type PlugDeps = {
   readText: (file: string) => Promise<string>
   write: (file: string, text: string) => Promise<void>
   exists: (file: string) => Promise<boolean>
+  // altimate_change start — accept altimate-code in addition to opencode/tui
   files: (dir: string, name: "altimate-code" | "opencode" | "tui") => string[]
+  // altimate_change end
   global: string
 }
 

packages/opencode/src/cli/cmd/pr.ts

@@ -6,7 +6,9 @@ import { Process } from "@/util/process"
 
 export const PrCommand = cmd({
   command: "pr <number>",
-  describe: "fetch and checkout a GitHub PR branch, then run opencode",
+  // altimate_change start — upstream_fix: branding regression in describe
+  describe: "fetch and checkout a GitHub PR branch, then run altimate-code",
+  // altimate_change end
   builder: (yargs) =>
     yargs.positional("number", {
       type: "number",
@@ -87,10 +89,12 @@ export const PrCommand = cmd({
               const sessionMatch = prInfo.body.match(/https:\/\/opncd\.ai\/s\/([a-zA-Z0-9_-]+)/)
               if (sessionMatch) {
                 const sessionUrl = sessionMatch[0]
-                UI.println(`Found opencode session: ${sessionUrl}`)
+                // altimate_change start — upstream_fix: branding + spawn the right binary
+                UI.println(`Found altimate-code session: ${sessionUrl}`)
                 UI.println(`Importing session...`)
 
-                const importResult = await Process.text(["opencode", "import", sessionUrl], {
+                const importResult = await Process.text(["altimate-code", "import", sessionUrl], {
+                  // altimate_change end
                   nothrow: true,
                 })
                 if (importResult.code === 0) {
@@ -109,18 +113,22 @@ export const PrCommand = cmd({
 
         UI.println(`Successfully checked out PR #${prNumber} as branch '${localBranchName}'`)
         UI.println()
-        UI.println("Starting opencode...")
+        // altimate_change start — upstream_fix: branding + spawn the right binary
+        // (we ship `altimate-code`, not `opencode`). Original spawn would fail with
+        // ENOENT for users who don't have upstream's CLI installed alongside.
+        UI.println("Starting altimate-code...")
         UI.println()
 
         const opencodeArgs = sessionId ? ["-s", sessionId] : []
-        const opencodeProcess = Process.spawn(["opencode", ...opencodeArgs], {
+        const opencodeProcess = Process.spawn(["altimate-code", ...opencodeArgs], {
           stdin: "inherit",
           stdout: "inherit",
           stderr: "inherit",
           cwd: process.cwd(),
         })
         const code = await opencodeProcess.exited
-        if (code !== 0) throw new Error(`opencode exited with code ${code}`)
+        if (code !== 0) throw new Error(`altimate-code exited with code ${code}`)
+        // altimate_change end
       },
     })
   },

packages/opencode/src/cli/cmd/tui/attach.ts

@@ -8,7 +8,9 @@ import { existsSync } from "fs"
 
 export const AttachCommand = cmd({
   command: "attach <url>",
+  // altimate_change start — branding (was "opencode" in upstream)
   describe: "attach to a running altimate-code server",
+  // altimate_change end
   builder: (yargs) =>
     yargs
       .positional("url", {
@@ -63,7 +65,11 @@ export const AttachCommand = cmd({
       const headers = (() => {
         const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
         if (!password) return undefined
+        // altimate_change start — Basic-auth username must match the server's
+        // expected username ("altimate"). Upstream's was "opencode"; restoring
+        // it would break the attach handshake against altimate-code servers.
         const auth = `Basic ${Buffer.from(`altimate:${password}`).toString("base64")}`
+        // altimate_change end
         return { Authorization: auth }
       })()
       const config = await Instance.provide({

packages/opencode/src/cli/cmd/tui/component/upgrade-indicator.tsx

@@ -21,7 +21,9 @@ export function UpgradeIndicator(props: { fallback?: JSX.Element }) {
           <Show when={!isCompact()}>
             <text fg={theme.textMuted}>update available ·</text>
           </Show>
+          {/* altimate_change start — upgrade hint shows the altimate-code CLI command */}
           <text fg={theme.textMuted}>altimate upgrade</text>
+          {/* altimate_change end */}
         </box>
       )}
     </Show>

packages/opencode/src/cli/cmd/tui/thread.ts

@@ -64,13 +64,17 @@ async function input(value?: string) {
 
 export const TuiThreadCommand = cmd({
   command: "$0 [project]",
+  // altimate_change start — branding (describe text was "opencode" upstream)
   describe: "start altimate-code tui",
+  // altimate_change end
   builder: (yargs) =>
     withNetworkOptions(yargs)
+      // altimate_change start — branding (positional describe was "opencode" upstream)
       .positional("project", {
         type: "string",
         describe: "path to start altimate-code in",
       })
+      // altimate_change end
       .option("model", {
         type: "string",
         alias: ["m"],
@@ -189,7 +193,9 @@ export const TuiThreadCommand = cmd({
             events: undefined,
           }
         : {
+            // altimate_change start — internal worker URL (was opencode.internal)
             url: "http://altimate-code.internal",
+            // altimate_change end
             fetch: createWorkerFetch(client),
             events: createEventSource(client),
           }

packages/opencode/src/cli/cmd/upgrade.ts

@@ -6,7 +6,9 @@ import { extractChangelog } from "../changelog"
 
 export const UpgradeCommand = {
   command: "upgrade [target]",
+  // altimate_change start — branding (was "opencode" in upstream)
   describe: "upgrade altimate to the latest or a specific version",
+  // altimate_change end
   builder: (yargs: Argv) => {
     return yargs
       .positional("target", {
@@ -28,7 +30,9 @@ export const UpgradeCommand = {
     const detectedMethod = await Installation.method()
     const method = (args.method as Installation.Method) ?? detectedMethod
     if (method === "unknown") {
+      // altimate_change start — branding
       prompts.log.error(`altimate is installed to ${process.execPath} and may be managed by a package manager`)
+      // altimate_change end
       const install = await prompts.select({
         message: "Install anyways?",
         options: [
@@ -46,7 +50,9 @@ export const UpgradeCommand = {
     const target = args.target ? args.target.replace(/^v/, "") : await Installation.latest()
 
     if (Installation.VERSION === target) {
+      // altimate_change start — branding
       prompts.log.warn(`altimate upgrade skipped: ${target} is already installed`)
+      // altimate_change end
       prompts.outro("Done")
       return
     }

packages/opencode/src/cli/network.ts

@@ -17,11 +17,15 @@ const options = {
     describe: "enable mDNS service discovery (defaults hostname to 0.0.0.0)",
     default: false,
   },
+  // altimate_change start — upstream_fix: mDNS service identifier shipped to the
+  // local network. Brand to altimate-code so users see "altimate-code.local"
+  // instead of "opencode.local" in Bonjour/Avahi browsers.
   "mdns-domain": {
     type: "string" as const,
-    describe: "custom domain name for mDNS service (default: opencode.local)",
-    default: "opencode.local",
+    describe: "custom domain name for mDNS service (default: altimate-code.local)",
+    default: "altimate-code.local",
   },
+  // altimate_change end
   cors: {
     type: "string" as const,
     array: true,

packages/opencode/src/config/migrate-tui-config.ts

@@ -12,7 +12,9 @@ import { Global } from "@/global"
 
 const log = Log.create({ service: "tui.migrate" })
 
+// altimate_change start — schema URL points to altimate.ai (was opencode.ai)
 const TUI_SCHEMA_URL = "https://altimate.ai/tui.json"
+// altimate_change end
 
 const LegacyTheme = TuiInfo.shape.theme.optional()
 const LegacyRecord = z.record(z.string(), z.unknown()).optional()