Harden well-known remote_config fetch to enforce same-origin and reject credentials

[OpenCodeEngineer]

Implement backend security hardening in packages/opencode/src/config/config.ts:

• In well-known auth remote config substitution flow, keep env/template substitution behavior.
• Parse and normalize remote URL robustly.
• Enforce remote_config.url origin matches the well-known base origin from auth key URL (normalized, no trailing slash).
• Reject URLs containing username/password credentials.
• Throw explicit error on violation.

Tests in packages/opencode/test/config/config.test.ts:

• Keep templated header substitution test passing with same-origin URL.
• Add test that cross-origin remote_config is rejected with error.

Validation:

• cd packages/opencode && bun test test/config/config.test.ts
• cd packages/opencode && bun typecheck

[OpenCodeEngineer]

Started implementation for #199. I’m updating remote_config wellknown URL normalization and same-origin enforcement, plus adding tests for cross-origin rejection and existing templated header behavior.

[OpenCodeEngineer]

Completed implementation for #199.

Done

• Hardened wellknown remote_config.url parsing/normalization and validation.
• Enforced same-origin against the wellknown auth URL origin.
• Rejected credentialed URLs (username/password).
• Kept template/env substitution for URL and headers.
• Updated same-origin templated-headers test.
• Added cross-origin rejection test.

Validation

• cd packages/opencode && bun test test/config/config.test.ts ✅ (82 pass)
• cd packages/opencode && bun typecheck ✅

[OpenCodeEngineer]

Implemented security hardening for well-known remote_config fetch in packages/opencode/src/config/config.ts.

Completed:

• Preserve env/template substitution for remote_config.url and headers.
• Validate/normalize substituted URL.
• Reject empty/invalid URLs.
• Reject username/password credentials in URL.
• Enforce same-origin: remote_config.url origin must match well-known auth base origin.
• Throw explicit errors on violations.

Tests updated in packages/opencode/test/config/config.test.ts:

• Existing templated headers test now uses same-origin remote URL and still passes.
• Added cross-origin rejection test.

Validation run:

• cd packages/opencode && bun test test/config/config.test.ts (82 pass)
• cd packages/opencode && bun typecheck (pass)