ci(guardrails): enforce opencode boundary checks on pointer updates

Author: pRizz

.githooks/pre-push

@@ -1,4 +1,38 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-./scripts/check-opencode-submodule-published.sh
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+ZERO_SHA="0000000000000000000000000000000000000000"
+
+"$REPO_ROOT"/scripts/check-opencode-submodule-published.sh
+
+needs_guardrails=0
+
+while read -r local_ref local_sha remote_ref remote_sha; do
+    [ -z "${local_ref:-}" ] && continue
+    [ "${local_sha:-$ZERO_SHA}" = "$ZERO_SHA" ] && continue
+
+    if [ "${remote_sha:-$ZERO_SHA}" = "$ZERO_SHA" ]; then
+        revs="$(git -C "$REPO_ROOT" rev-list "$local_sha" --not --all)"
+    else
+        if git -C "$REPO_ROOT" cat-file -e "${remote_sha}^{commit}" 2>/dev/null; then
+            revs="$(git -C "$REPO_ROOT" rev-list "${remote_sha}..${local_sha}")"
+        else
+            echo "Remote base commit ${remote_sha} is not available locally; running strict opencode guardrails conservatively..."
+            needs_guardrails=1
+            break
+        fi
+    fi
+
+    [ -z "$revs" ] && continue
+
+    if git -C "$REPO_ROOT" diff-tree --stdin --no-commit-id --name-only -r <<<"$revs" | rg -q '^packages/opencode$'; then
+        needs_guardrails=1
+        break
+    fi
+done
+
+if [ "$needs_guardrails" -eq 1 ]; then
+    echo "Detected outgoing packages/opencode pointer update; running strict opencode guardrails..."
+    (cd "$REPO_ROOT" && just check-opencode-guardrails)
+fi

AGENTS.md

@@ -10,6 +10,8 @@ Only proceed with the commit if it passes. If it fails, fix the issues first.
 
 `just pre-commit` intentionally runs generation and formatting steps that may modify files you did not edit directly (including markdown). Treat these diffs as expected outputs of the check pipeline.
 
+`just pre-commit` also runs `just check-opencode-guardrails-autofix`, which may auto-sync fork-boundary manifest drift in `packages/opencode/docs/upstream-sync/fork-boundary-manifest.json` when drift is the only issue.
+
 If those diffs are mechanical (generation/format/lint output only), they should be committed with the related change. Do not treat them as noise and do not leave them uncommitted.
 
 Common expected examples (non-exhaustive):
@@ -79,7 +81,7 @@ Setup reference:
 This repo uses git hooks (wired via `git config core.hooksPath .githooks`, set up by `just setup`):
 
 - **pre-commit** — Syncs README to npm packages, guards against unpublished submodule pins, runs cfn-lint on CloudFormation changes.
-- **pre-push** — Validates the opencode submodule commit is published.
+- **pre-push** — Validates the opencode submodule commit is published. When outgoing commits update the `packages/opencode` gitlink, it also runs strict opencode guardrails (`just check-opencode-guardrails`) before push.
 - **post-merge** — After every `git pull`, automatically syncs the submodule and runs `bun install`. No manual action needed.
 
 ## README Badge Sync
@@ -159,6 +161,16 @@ The submodule should always be detached at the superproject-pinned commit. If `g
 git submodule update --recursive
 ```
 
+### Fork Boundary Checks in Detached Submodules
+
+`packages/opencode/script/check-fork-boundary.ts` and `packages/opencode/script/sync-fork-boundary-manifest.ts` resolve target refs as:
+
+1. `FORK_BOUNDARY_TARGET_REF` (when explicitly set)
+2. Current symbolic branch name
+3. `HEAD` fallback when detached
+
+This branch-or-HEAD behavior prevents false passes from stale local `dev` refs in detached submodule states.
+
 ### Fixing stale `core.worktree` errors
 
 If you see errors like "cannot be used without a working tree" or submodule commands fail mysteriously, the submodule's `core.worktree` config is pointing to a wrong or deleted worktree path. Fix from the affected worktree:

CLAUDE.md

@@ -10,6 +10,8 @@ Only proceed with the commit if it passes. If it fails, fix the issues first.
 
 `just pre-commit` intentionally runs generation and formatting steps that may modify files you did not edit directly (including markdown). Treat these diffs as expected outputs of the check pipeline.
 
+`just pre-commit` also runs `just check-opencode-guardrails-autofix`, which may auto-sync fork-boundary manifest drift in `packages/opencode/docs/upstream-sync/fork-boundary-manifest.json` when drift is the only issue.
+
 If those diffs are mechanical (generation/format/lint output only), they should be committed with the related change. Do not treat them as noise and do not leave them uncommitted.
 
 Common expected examples (non-exhaustive):
@@ -79,7 +81,7 @@ Setup reference:
 This repo uses git hooks (wired via `git config core.hooksPath .githooks`, set up by `just setup`):
 
 - **pre-commit** — Syncs README to npm packages, guards against unpublished submodule pins, runs cfn-lint on CloudFormation changes.
-- **pre-push** — Validates the opencode submodule commit is published.
+- **pre-push** — Validates the opencode submodule commit is published. When outgoing commits update the `packages/opencode` gitlink, it also runs strict opencode guardrails (`just check-opencode-guardrails`) before push.
 - **post-merge** — After every `git pull`, automatically syncs the submodule and runs `bun install`. No manual action needed.
 
 ## README Badge Sync
@@ -159,6 +161,16 @@ The submodule should always be detached at the superproject-pinned commit. If `g
 git submodule update --recursive
 ```
 
+### Fork Boundary Checks in Detached Submodules
+
+`packages/opencode/script/check-fork-boundary.ts` and `packages/opencode/script/sync-fork-boundary-manifest.ts` resolve target refs as:
+
+1. `FORK_BOUNDARY_TARGET_REF` (when explicitly set)
+2. Current symbolic branch name
+3. `HEAD` fallback when detached
+
+This branch-or-HEAD behavior prevents false passes from stale local `dev` refs in detached submodule states.
+
 ### Fixing stale `core.worktree` errors
 
 If you see errors like "cannot be used without a working tree" or submodule commands fail mysteriously, the submodule's `core.worktree` config is pointing to a wrong or deleted worktree path. Fix from the affected worktree:

justfile

@@ -118,6 +118,13 @@ check-opencode-guardrails: opencode-install-if-needed
     bun run --cwd packages/opencode sdk:parity:check
     bun run --cwd packages/opencode fork:boundary:check
 
+# Run opencode guardrails with safe local autofix for boundary manifest drift.
+# Intended for local pre-commit paths only; CI/pre-push must stay strict.
+check-opencode-guardrails-autofix: opencode-install-if-needed
+    bun run --cwd packages/opencode rules:parity:check
+    bun run --cwd packages/opencode sdk:parity:check
+    FORK_BOUNDARY_AUTOFIX=1 bun run --cwd packages/opencode fork:boundary:check
+
 # Typecheck opencode workspace
 # Keep scripts.typecheck defined in each fork-* package so Turbo executes its task.
 lint-opencode: opencode-install-if-needed check-fork-typecheck-wiring
@@ -361,7 +368,7 @@ do-marketplace-build:
 
 # Pre-commit checks with conditional Docker stage build for Docker-risk changes.
 # This keeps routine commits fast while still catching Docker context regressions.
-pre-commit: check-opencode-submodule-published sync-opencode-sdk check-opencode-guardrails fmt lint build test-all-fast
+pre-commit: check-opencode-submodule-published sync-opencode-sdk check-opencode-guardrails-autofix fmt lint build test-all-fast
     @PLAYWRIGHT_WORKERS="${PLAYWRIGHT_WORKERS:-1}" \
     OPENCODE_E2E_CLEAN_SESSION_STATE="${OPENCODE_E2E_CLEAN_SESSION_STATE:-0}" \
     just e2e
@@ -373,7 +380,7 @@ pre-commit: check-opencode-submodule-published sync-opencode-sdk check-opencode-
     fi
 
 # Pre-commit checks including Docker build (requires Docker)
-pre-commit-full: check-opencode-submodule-published sync-opencode-sdk check-opencode-guardrails fmt lint build test-all-fast build-docker
+pre-commit-full: check-opencode-submodule-published sync-opencode-sdk check-opencode-guardrails-autofix fmt lint build test-all-fast build-docker
     @PLAYWRIGHT_WORKERS="${PLAYWRIGHT_WORKERS:-1}" \
     OPENCODE_E2E_CLEAN_SESSION_STATE="${OPENCODE_E2E_CLEAN_SESSION_STATE:-0}" \
     just e2e

packages/core/src/docker/Dockerfile

@@ -556,7 +556,7 @@ COPY --chown=opencoder:opencoder packages/opencode /tmp/opencode-local
 # Update it by running: ./scripts/update-opencode-commit.sh
 RUN set -eux; \
     OPENCODE_COMMIT_OVERRIDE="${OPENCODE_COMMIT:-}"; \
-    OPENCODE_COMMIT="65d53d330955a759cca6bac50039a2a923da7fb9"; \
+    OPENCODE_COMMIT="d5432b5dbce9bf11d422cc2516119260ab156859"; \
     if [ -n "${OPENCODE_COMMIT_OVERRIDE}" ]; then OPENCODE_COMMIT="${OPENCODE_COMMIT_OVERRIDE}"; fi; \
     rm -rf /tmp/opencode-repo; \
     if [ "${OPENCODE_SOURCE}" = "local" ]; then \