sync: merge upstream v1.1.28 into shuvcode-dev (#319)

Author: shuv1337

.github/workflows/test.yml

@@ -9,7 +9,29 @@ on:
   workflow_dispatch:
 jobs:
   test:
-    runs-on: blacksmith-4vcpu-ubuntu-2404
+    name: test (${{ matrix.settings.name }})
+    strategy:
+      fail-fast: false
+      matrix:
+        settings:
+          - name: linux
+            host: blacksmith-4vcpu-ubuntu-2404
+            playwright: bunx playwright install --with-deps
+            workdir: .
+            command: |
+              git config --global user.email "bot@opencode.ai"
+              git config --global user.name "opencode"
+              bun turbo typecheck
+              bun turbo test
+          - name: windows
+            host: windows-latest
+            playwright: bunx playwright install
+            workdir: packages/app
+            command: bun test:e2e
+    runs-on: ${{ matrix.settings.host }}
+    defaults:
+      run:
+        shell: bash
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -21,42 +43,63 @@ jobs:
 
       - name: Install Playwright browsers
         working-directory: packages/app
-        run: bunx playwright install --with-deps
+        run: ${{ matrix.settings.playwright }}
+
+      - name: Set OS-specific paths
+        run: |
+          if [ "${{ runner.os }}" = "Windows" ]; then
+            printf '%s\n' "OPENCODE_E2E_ROOT=${{ runner.temp }}\\opencode-e2e" >> "$GITHUB_ENV"
+            printf '%s\n' "OPENCODE_TEST_HOME=${{ runner.temp }}\\opencode-e2e\\home" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_DATA_HOME=${{ runner.temp }}\\opencode-e2e\\share" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_CACHE_HOME=${{ runner.temp }}\\opencode-e2e\\cache" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_CONFIG_HOME=${{ runner.temp }}\\opencode-e2e\\config" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_STATE_HOME=${{ runner.temp }}\\opencode-e2e\\state" >> "$GITHUB_ENV"
+            printf '%s\n' "MODELS_DEV_API_JSON=${{ github.workspace }}\\packages\\opencode\\test\\tool\\fixtures\\models-api.json" >> "$GITHUB_ENV"
+          else
+            printf '%s\n' "OPENCODE_E2E_ROOT=${{ runner.temp }}/opencode-e2e" >> "$GITHUB_ENV"
+            printf '%s\n' "OPENCODE_TEST_HOME=${{ runner.temp }}/opencode-e2e/home" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_DATA_HOME=${{ runner.temp }}/opencode-e2e/share" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_CACHE_HOME=${{ runner.temp }}/opencode-e2e/cache" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_CONFIG_HOME=${{ runner.temp }}/opencode-e2e/config" >> "$GITHUB_ENV"
+            printf '%s\n' "XDG_STATE_HOME=${{ runner.temp }}/opencode-e2e/state" >> "$GITHUB_ENV"
+            printf '%s\n' "MODELS_DEV_API_JSON=${{ github.workspace }}/packages/opencode/test/tool/fixtures/models-api.json" >> "$GITHUB_ENV"
+          fi
 
       - name: Seed opencode data
         working-directory: packages/opencode
         run: bun script/seed-e2e.ts
         env:
-          MODELS_DEV_API_JSON: ${{ github.workspace }}/packages/opencode/test/tool/fixtures/models-api.json
+          MODELS_DEV_API_JSON: ${{ env.MODELS_DEV_API_JSON }}
           OPENCODE_DISABLE_MODELS_FETCH: "true"
           OPENCODE_DISABLE_SHARE: "true"
           OPENCODE_DISABLE_LSP_DOWNLOAD: "true"
           OPENCODE_DISABLE_DEFAULT_PLUGINS: "true"
           OPENCODE_EXPERIMENTAL_DISABLE_FILEWATCHER: "true"
-          OPENCODE_TEST_HOME: ${{ runner.temp }}/opencode-e2e/home
-          XDG_DATA_HOME: ${{ runner.temp }}/opencode-e2e/share
-          XDG_CACHE_HOME: ${{ runner.temp }}/opencode-e2e/cache
-          XDG_CONFIG_HOME: ${{ runner.temp }}/opencode-e2e/config
-          XDG_STATE_HOME: ${{ runner.temp }}/opencode-e2e/state
+          OPENCODE_TEST_HOME: ${{ env.OPENCODE_TEST_HOME }}
+          XDG_DATA_HOME: ${{ env.XDG_DATA_HOME }}
+          XDG_CACHE_HOME: ${{ env.XDG_CACHE_HOME }}
+          XDG_CONFIG_HOME: ${{ env.XDG_CONFIG_HOME }}
+          XDG_STATE_HOME: ${{ env.XDG_STATE_HOME }}
           OPENCODE_E2E_PROJECT_DIR: ${{ github.workspace }}
           OPENCODE_E2E_SESSION_TITLE: "E2E Session"
           OPENCODE_E2E_MESSAGE: "Seeded for UI e2e"
           OPENCODE_E2E_MODEL: "opencode/gpt-5-nano"
 
       - name: Run opencode server
-        run: bun run dev -- --print-logs --log-level WARN serve --port 4096 --hostname 0.0.0.0 &
+        working-directory: packages/opencode
+        run: bun dev -- --print-logs --log-level WARN serve --port 4096 --hostname 0.0.0.0 &
         env:
-          MODELS_DEV_API_JSON: ${{ github.workspace }}/packages/opencode/test/tool/fixtures/models-api.json
+          MODELS_DEV_API_JSON: ${{ env.MODELS_DEV_API_JSON }}
           OPENCODE_DISABLE_MODELS_FETCH: "true"
           OPENCODE_DISABLE_SHARE: "true"
           OPENCODE_DISABLE_LSP_DOWNLOAD: "true"
           OPENCODE_DISABLE_DEFAULT_PLUGINS: "true"
           OPENCODE_EXPERIMENTAL_DISABLE_FILEWATCHER: "true"
-          OPENCODE_TEST_HOME: ${{ runner.temp }}/opencode-e2e/home
-          XDG_DATA_HOME: ${{ runner.temp }}/opencode-e2e/share
-          XDG_CACHE_HOME: ${{ runner.temp }}/opencode-e2e/cache
-          XDG_CONFIG_HOME: ${{ runner.temp }}/opencode-e2e/config
-          XDG_STATE_HOME: ${{ runner.temp }}/opencode-e2e/state
+          OPENCODE_TEST_HOME: ${{ env.OPENCODE_TEST_HOME }}
+          XDG_DATA_HOME: ${{ env.XDG_DATA_HOME }}
+          XDG_CACHE_HOME: ${{ env.XDG_CACHE_HOME }}
+          XDG_CONFIG_HOME: ${{ env.XDG_CONFIG_HOME }}
+          XDG_STATE_HOME: ${{ env.XDG_STATE_HOME }}
           OPENCODE_CLIENT: "app"
 
       - name: Wait for opencode server
@@ -68,24 +111,21 @@ jobs:
           exit 1
 
       - name: run
-        run: |
-          git config --global user.email "bot@opencode.ai"
-          git config --global user.name "opencode"
-          bun turbo typecheck
-          bun turbo test
+        working-directory: ${{ matrix.settings.workdir }}
+        run: ${{ matrix.settings.command }}
         env:
           CI: true
-          MODELS_DEV_API_JSON: ${{ github.workspace }}/packages/opencode/test/tool/fixtures/models-api.json
+          MODELS_DEV_API_JSON: ${{ env.MODELS_DEV_API_JSON }}
           OPENCODE_DISABLE_MODELS_FETCH: "true"
           OPENCODE_DISABLE_SHARE: "true"
           OPENCODE_DISABLE_LSP_DOWNLOAD: "true"
           OPENCODE_DISABLE_DEFAULT_PLUGINS: "true"
           OPENCODE_EXPERIMENTAL_DISABLE_FILEWATCHER: "true"
-          OPENCODE_TEST_HOME: ${{ runner.temp }}/opencode-e2e/home
-          XDG_DATA_HOME: ${{ runner.temp }}/opencode-e2e/share
-          XDG_CACHE_HOME: ${{ runner.temp }}/opencode-e2e/cache
-          XDG_CONFIG_HOME: ${{ runner.temp }}/opencode-e2e/config
-          XDG_STATE_HOME: ${{ runner.temp }}/opencode-e2e/state
+          OPENCODE_TEST_HOME: ${{ env.OPENCODE_TEST_HOME }}
+          XDG_DATA_HOME: ${{ env.XDG_DATA_HOME }}
+          XDG_CACHE_HOME: ${{ env.XDG_CACHE_HOME }}
+          XDG_CONFIG_HOME: ${{ env.XDG_CONFIG_HOME }}
+          XDG_STATE_HOME: ${{ env.XDG_STATE_HOME }}
           PLAYWRIGHT_SERVER_HOST: "localhost"
           PLAYWRIGHT_SERVER_PORT: "4096"
           VITE_OPENCODE_SERVER_HOST: "localhost"

.github/workflows/update-nix-hashes.yml

@@ -0,0 +1,138 @@
+name: Update Nix Hashes
+
+permissions:
+  contents: write
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "bun.lock"
+      - "package.json"
+      - "packages/*/package.json"
+      - "flake.lock"
+      - ".github/workflows/update-nix-hashes.yml"
+  pull_request:
+    paths:
+      - "bun.lock"
+      - "package.json"
+      - "packages/*/package.json"
+      - "flake.lock"
+      - ".github/workflows/update-nix-hashes.yml"
+
+jobs:
+  update-node-modules-hashes:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    env:
+      TITLE: node_modules hashes
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+          ref: ${{ github.head_ref || github.ref_name }}
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+
+      - name: Setup Nix
+        uses: nixbuild/nix-quick-install-action@v34
+
+      - name: Configure git
+        run: |
+          git config --global user.email "action@github.com"
+          git config --global user.name "Github Action"
+
+      - name: Pull latest changes
+        env:
+          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: |
+          BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
+          git pull --rebase --autostash origin "$BRANCH"
+
+      - name: Compute all node_modules hashes
+        run: |
+          set -euo pipefail
+
+          HASH_FILE="nix/hashes.json"
+          SYSTEMS="x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin"
+
+          if [ ! -f "$HASH_FILE" ]; then
+            mkdir -p "$(dirname "$HASH_FILE")"
+            echo '{"nodeModules":{}}' > "$HASH_FILE"
+          fi
+
+          for SYSTEM in $SYSTEMS; do
+            echo "Computing hash for ${SYSTEM}..."
+            BUILD_LOG=$(mktemp)
+            trap 'rm -f "$BUILD_LOG"' EXIT
+
+            # The updater derivations use fakeHash, so they will fail and reveal the correct hash
+            UPDATER_ATTR=".#packages.x86_64-linux.${SYSTEM}_node_modules"
+
+            nix build "$UPDATER_ATTR" --no-link 2>&1 | tee "$BUILD_LOG" || true
+
+            CORRECT_HASH="$(grep -E 'got:\s+sha256-[A-Za-z0-9+/=]+' "$BUILD_LOG" | awk '{print $2}' | head -n1 || true)"
+
+            if [ -z "$CORRECT_HASH" ]; then
+              CORRECT_HASH="$(grep -A2 'hash mismatch' "$BUILD_LOG" | grep 'got:' | awk '{print $2}' | sed 's/sha256:/sha256-/' || true)"
+            fi
+
+            if [ -z "$CORRECT_HASH" ]; then
+              echo "Failed to determine correct node_modules hash for ${SYSTEM}."
+              cat "$BUILD_LOG"
+              exit 1
+            fi
+
+            echo "  ${SYSTEM}: ${CORRECT_HASH}"
+            jq --arg sys "$SYSTEM" --arg h "$CORRECT_HASH" \
+              '.nodeModules[$sys] = $h' "$HASH_FILE" > "${HASH_FILE}.tmp"
+            mv "${HASH_FILE}.tmp" "$HASH_FILE"
+          done
+
+          echo "All hashes computed:"
+          cat "$HASH_FILE"
+
+      - name: Commit ${{ env.TITLE }} changes
+        env:
+          TARGET_BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          HASH_FILE="nix/hashes.json"
+          echo "Checking for changes..."
+
+          summarize() {
+            local status="$1"
+            {
+              echo "### Nix $TITLE"
+              echo ""
+              echo "- ref: ${GITHUB_REF_NAME}"
+              echo "- status: ${status}"
+            } >> "$GITHUB_STEP_SUMMARY"
+            if [ -n "${GITHUB_SERVER_URL:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ] && [ -n "${GITHUB_RUN_ID:-}" ]; then
+              echo "- run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" >> "$GITHUB_STEP_SUMMARY"
+            fi
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+          }
+
+          FILES=("$HASH_FILE")
+          STATUS="$(git status --short -- "${FILES[@]}" || true)"
+          if [ -z "$STATUS" ]; then
+            echo "No changes detected."
+            summarize "no changes"
+            exit 0
+          fi
+
+          echo "Changes detected:"
+          echo "$STATUS"
+          git add "${FILES[@]}"
+          git commit -m "chore: update nix node_modules hashes"
+
+          BRANCH="${TARGET_BRANCH:-${GITHUB_REF_NAME}}"
+          git pull --rebase --autostash origin "$BRANCH"
+          git push origin HEAD:"$BRANCH"
+          echo "Changes pushed successfully"
+
+          summarize "committed $(git rev-parse --short HEAD)"

.opencode/skill/bun-file-io/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: bun-file-io
+description: Use this when you are working on file operations like reading, writing, scanning, or deleting files. It summarizes the preferred file APIs and patterns used in this repo. It also notes when to use filesystem helpers for directories.
+---
+
+## Use this when
+
+- Editing file I/O or scans in `packages/opencode`
+- Handling directory operations or external tools
+
+## Bun file APIs (from Bun docs)
+
+- `Bun.file(path)` is lazy; call `text`, `json`, `stream`, `arrayBuffer`, `bytes`, `exists` to read.
+- Metadata: `file.size`, `file.type`, `file.name`.
+- `Bun.write(dest, input)` writes strings, buffers, Blobs, Responses, or files.
+- `Bun.file(...).delete()` deletes a file.
+- `file.writer()` returns a FileSink for incremental writes.
+- `Bun.Glob` + `Array.fromAsync(glob.scan({ cwd, absolute, onlyFiles, dot }))` for scans.
+- Use `Bun.which` to find a binary, then `Bun.spawn` to run it.
+- `Bun.readableStreamToText/Bytes/JSON` for stream output.
+
+## When to use node:fs
+
+- Use `node:fs/promises` for directories (`mkdir`, `readdir`, recursive operations).
+
+## Repo patterns
+
+- Prefer Bun APIs over Node `fs` for file access.
+- Check `Bun.file(...).exists()` before reading.
+- For binary/large files use `arrayBuffer()` and MIME checks via `file.type`.
+- Use `Bun.Glob` + `Array.fromAsync` for scans.
+- Decode tool stderr with `Bun.readableStreamToText`.
+- For large writes, use `Bun.write(Bun.file(path), text)`.
+
+## Quick checklist
+
+- Use Bun APIs first.
+- Use `path.join`/`path.resolve` for paths.
+- Prefer promise `.catch(...)` over `try/catch` when possible.

.opencode/skill/test-skill/SKILL.md

@@ -24,6 +24,7 @@ Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to requ
 | **Sandbox escapes**             | The permission system is not a sandbox (see above)                      |
 | **LLM provider data handling**  | Data sent to your configured LLM provider is governed by their policies |
 | **MCP server behavior**         | External MCP servers you configure are outside our trust boundary       |
+| **Malicious config files**      | Users control their own config; modifying it is not an attack vector    |
 
 ---