test: upstream-sync fork hardening and local deployment E2E plan

[terisuke]

Context

dev has been synced with upstream/dev on 2026-04-29. The fork keeps substantial custom guardrails/team behavior on top of upstream, so validation needs to prove both upstream regressions and fork-only automation paths.

Current sync baseline:

• upstream: anomalyco/opencode dev
• fork: Cor-Incorporated/opencode dev
• local merge commit: cd1dda6bc (Merge remote-tracking branch 'upstream/dev' into dev)
• push target: origin/dev

Closed issue risk signals reviewed

Fork-side closed issues show recurring risk in these areas:

• team/background workers can deadlock, stop before edits, or recurse through default worker limits (team/background workers deadlock or stop before edits #185, bug: agent worktrees created as empty git init — team/subagent delegation non-functional #144, fix: Team plugin yard() creates directories in parent directory instead of project-scoped location #155, Fix team worktree setup failure reporting #183, fix(team): prevent default limit and worker recursion deadlocks #184)
• guardrails can be bypassed or over-block legitimate reads/commands (fix(guardrails): apply_patch bypasses tool.execute.before preflight checks #140, fix(guardrails): tighten bash mut regex to reduce false review_state resets #141, bug(guardrails): .env.example reads blocked despite opencode.json explicitly allowing them #142, fix(guardrails): push block regex bypassed by flags between push and remote #104, fix(guardrails): security-engineer grep:allow bypasses read deny for .env files #105, fix(guardrails): incident-responder curl rule ordering allows pipe-to-shell #106)
• review and merge gates can desynchronize from actual review state (feat(guardrails): dual AI review gate — require LGTM from both Codex and GLM 5.1 before merge #143, refactor(guardrails): guardrail.ts 1850行 → モジュール分割 (800行制限超過) #150, feat(guardrails): delegation enforcement in plan mode — structural gap from dogfooding #159)
• CI and local runner behavior has been flaky or environment-sensitive (fix(ci): flaky unit tests — prompt-during-run and hook timeout #121, fix(ci): check-duplicates job crashes — session.data undefined #122, chore: local stop-test-gate hook timeout (exit=143) #123, fix(ci): test failures caused by runner downgrade — blacksmith-4vcpu vs ubuntu-latest #129, bug: bun 1.3.12 bun build --compile produces broken arm64 binaries (exit 137) #162, bug: persistent e2e flaky tests in packages/app (workspace, settings, status-popover) #166)
• fork CI and upstream sync workflows have repeatedly required fixes (chore(ci): prune upstream workflows and add upstream sync for fork #60, infra: configure GitHub Actions runners for fork CI #62, chore: upstream sync to v1.3.15 — fix auto-update incompatibility #66, fix(ci): Blacksmith runners cause permanent queue on fork #77, chore: sync upstream v1.3.16 #93, chore: upstream sync v1.3.16 #95)

Upstream closed issues around the synced range show recurring risk in these areas:

• HTTP API/OpenAPI/SDK parity and request/response shape drift
• provider transform compatibility, especially thinking/reasoning payloads and GitHub Copilot variants
• TUI/OpenTUI rendering, paste, theme, Zed selection, and Windows behavior
• session lifecycle, auto-resume, compaction, question/permission propagation, and background agents
• desktop/web workspace and project icon persistence
• performance with large DBs, prompt cache preservation, startup blocking, and install/runtime dependency chains

Local deployment target

Validate against the local deployed binary/server from this checkout, not only unit tests. The local deployment should use isolated temp state so it cannot pass because of existing user data.

Required isolation:

• temp OPENCODE_CONFIG_DIR
• temp data/storage directory if supported by this checkout
• temp project workspace with git and non-git variants
• no reliance on repo-root test execution
• package-level commands only, especially from packages/opencode

Test plan

1. Sync and build integrity

• Confirm origin/dev includes upstream merge and is no longer behind upstream/dev.
• Run package-level typecheck from packages/opencode: bun typecheck.
• Run package-level focused tests for the touched surfaces:
  • HTTP API bridge/parity/provider/session tests
  • provider transform tests
  • TUI sync/editor tests
  • guardrail plugin/team tests
• Regenerate SDK only if API/generated files drift: ./packages/sdk/js/script/build.ts.
• Verify git status is clean after generation and tests.

2. Local deployment smoke

• Build or run local package binary from packages/opencode.
• Verify opencode --version and command help exit cleanly with EOL.
• Start local server with isolated config and verify readiness.
• Exercise health/instance/session endpoints with auth enabled and disabled.
• Confirm server startup does not block on missing remote project, missing well-known URLs, or empty/non-git projects.

3. Session lifecycle E2E

• Create session in a git project and non-git project.
• Send a basic prompt and confirm progress/result/log events are visible.
• Verify user messages are not duplicated under concurrent prompt submission.
• Verify session title generation does not fail silently for Copilot-compatible provider metadata.
• Resume session and confirm no stale compaction tail_start_id or context overflow.
• Move/list/filter sessions by path and confirm relative path storage migration works.

4. Provider compatibility matrix

• Validate request shaping for OpenAI-compatible, Copilot, OpenRouter, DeepSeek/Qwen thinking/reasoning, and Moonshot sanitization paths using local test doubles where possible.
• Confirm thinking/reasoning payloads are preserved across multi-turn requests where required.
• Confirm unsupported extra tool fields such as eager_input_streaming are removed before provider calls.
• Confirm small/background model selection honors configured provider/model and does not silently force GPT-5 Nano.

5. TUI and editor behavior

• Start TUI in a controlled PTY and verify no crash on startup.
• Verify spinner/rendering does not regress after fork spinner fixes.
• Verify paste path, question dock, status popover, theme loading, and invalid custom theme handling.
• Verify Zed selection byte offsets with non-ASCII text.
• Verify session list filtering by path and workspace state sync.

6. Guardrails and team plugin E2E

• Run /plan -> /auto style workflow with isolated worktrees.
• Confirm team workers clone/setup from the actual repo and do not create empty git init worktrees.
• Confirm workers persist run state before preflight waits and keep operating after parent abort.
• Confirm permission/question propagation does not deadlock nested agents.
• Confirm guardrails block merge/push/rebase bypass patterns and apply_patch bypasses.
• Confirm guardrails still allow explicitly permitted .env.example and safe read cases.
• Confirm secret masking covers bash output and logs.
• Confirm dual-review/merge gates observe the real review completion state.

7. Web/Desktop/App smoke

• Run app package tests for workspace/settings/status-popover regressions.
• Verify project icon override persists through restart/localStorage sync.
• Verify directory/file distinction in git changes UI.
• Verify desktop/web can open a non-git project and recover when a remote folder is missing.

8. Security and adversarial checks

• Try command variants intended to bypass guardrail regexes: reordered git push flags, shell pipes, command substitution, apply_patch mutation, and mixed stdout/stderr secret output.
• Verify no secrets appear in logs, tool results, issue/PR output, or test artifacts.
• Verify symlink/process-tree checks on Linux-sensitive notification logic remain covered by tests even when run on macOS locally.

9. Performance and stability

• Run a startup probe with a seeded large session DB fixture or synthetic session list.
• Confirm startup and session listing stay responsive.
• Confirm tool-call prompt loop does not reload static prompt data unnecessarily.
• Run repeated session prompt/abort/resume cycles to catch hangs.

10. Acceptance criteria

• origin/dev contains upstream sync and local fork custom behavior.
• Package-level bun typecheck passes from packages/opencode.
• Focused tests pass from package directories.
• Local deployed binary/server passes smoke, session, provider, TUI, guardrail/team, and adversarial scenarios.
• Every failure found during this plan gets either a fixing commit or a linked follow-up with reproduction and severity.
• A fork PR is opened only after local deployment validation is complete.

[github-actions]

This issue has been automatically closed.

[terisuke]

Validation update from local sync/hardening pass:

• Synced origin/dev with upstream/dev; merge commit cd1dda6bc pushed to fork.
• Created follow-up fix commit 47f820654 for a real local-deploy issue found during binary smoke: OPENCODE_CONFIG_DIR could be missing, and config bootstrap attempted to write .gitignore before creating the directory, causing /file/content to return 500 in a compiled binary server.
• Fix: create the config directory before writing .gitignore.
• Added regression test: creates missing OPENCODE_CONFIG_DIR before writing gitignore.

Verification completed:

• packages/opencode: bun typecheck passed.
• packages/opencode: focused HTTP API/provider/TUI/guardrails/team/session tests passed, 270 pass / 0 fail.
• packages/opencode: full bun test --timeout 30000 passed, 2252 pass / 11 skip / 1 todo / 0 fail.
• packages/app: bun typecheck passed.
• packages/app: bun run test:unit passed, 307 pass / 0 fail.
• packages/app: PLAYWRIGHT_SERVER_PORT=4096 bun run test:e2e completed; current suite contains one fixme, so result is 1 skipped.
• Local source server smoke passed under isolated temp state on 127.0.0.1:4096 with auth, git project, non-git project, file read, session create/list/status, project current, file status, and find-file checks.
• Native single binary build passed: bun run build --single --skip-install --skip-embed-web-ui.
• Rebuilt compiled binary server smoke passed on 127.0.0.1:4097, including the formerly failing missing-OPENCODE_CONFIG_DIR file read path.

Note: local listen commands require running outside the Codex sandbox on this machine; minimal Bun.serve fails inside sandbox with EADDRINUSE but succeeds outside sandbox.

[terisuke]

追加検証として、team/background 系の弱かった非同期シナリオをテストで固定しました。

追加したテスト:

• background continues after returning, notifies parent, and team_status reconciles completion
  • background tool が親に running を返した後も実行を継続すること
  • 後続完了時に親セッションへ通知すること
  • team_status が同じ run_id の完了状態と出力を復元できること
• background failure with notify false is persisted without sending parent prompt
  • permission block による background 失敗が failure_stage=blocked として永続化されること
  • notify: false の場合に親セッションへ通知しないこと
  • 後から team_status で失敗状態を確認できること

検証結果:

• packages/opencode: bun test --timeout 30000 test/plugin/team.test.ts passed: 42 pass / 0 fail
• packages/opencode: bun typecheck passed
• packages/opencode: bun test --timeout 30000 passed: 2255 pass / 11 skip / 1 todo / 0 fail, 2267 tests across 186 files
• push hook: root bun turbo typecheck passed on push to origin/dev

関連コミット:

• 47f8206 fix(config): create custom config directory before gitignore
• bd7fa2d test(team): cover background completion and notification

絶対に将来問題が起きないことは保証できませんが、今回の指摘対象だった「独自実装の team/tool/background が通常・失敗・非同期完了シナリオで破綻しないか」という観点では、確認できた実装上の穴を修正し、回帰テストとして固定しました。