-
Notifications
You must be signed in to change notification settings - Fork 131
feat: [v1.17.9] bridge merge upstream OpenCode v1.4.0 → v1.17.9 #964
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
anandgupta42
wants to merge
165
commits into
main
Choose a base branch
from
upstream/merge-v1.17.9
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
165 commits
Select commit
Hold shift + click to select a range
c985718
wip: bridge upstream v1.17.9 overlay + install/structure reconciliati…
anandgupta42 eb2b92d
wip: v1.17.9 reconciliation — Log shim, import repoints, impact playb…
anandgupta42 9e43563
wip: v1.17.9 reconciliation — Effect-API compat wrappers + config-sch…
anandgupta42 4294cc9
wip: v1.17.9 reconciliation — altimate/ Tool-API surface green (check…
anandgupta42 2a22e6b
wip: v1.17.9 reconciliation — §4 re-home TUI customizations into pack…
anandgupta42 34c1f36
wip: v1.17.9 reconciliation — §4 re-home TUI batch 2 + line-streaming…
anandgupta42 96f6138
wip: v1.17.9 reconciliation — §4 app.tsx + UpgradeIndicator port (che…
anandgupta42 cc4502f
wip: v1.17.9 reconciliation — delete dead old-TUI tree (§3.4 part 1) …
anandgupta42 6e6b6d9
wip: v1.17.9 reconciliation — restore dropped hono dep (checkpoint 9)
anandgupta42 99ab746
wip: v1.17.9 reconciliation — moved-to-core util re-export shims (che…
anandgupta42 1b8fd97
feat: [v1.17.9] fork TUI features as host-registered plugins — ADR + …
anandgupta42 74f73fa
feat: [v1.17.9] port 4 fork TUI features to host-registered plugins (…
anandgupta42 1b691bd
feat: [v1.17.9] fully restore prompt-enhance via api.prompt.active() …
anandgupta42 2461250
wip: v1.17.9 reconciliation — 3 more moved-to-core util shims (checkp…
anandgupta42 3dd9e49
wip: v1.17.9 reconciliation — restore Auth/Env Promise wrappers (chec…
anandgupta42 a1085ba
fix: [v1.17.9] Env wrappers must be synchronous (checkpoint 16)
anandgupta42 8f39fda
wip: v1.17.9 reconciliation — Installation.VERSION re-export shim (ch…
anandgupta42 f8cc2f3
wip: v1.17.9 reconciliation — restore util/fn + repoint dropped @open…
anandgupta42 de952af
wip: v1.17.9 reconciliation — restore util/{context,abort,lock} + she…
anandgupta42 2f910be
wip: v1.17.9 reconciliation — restore bus/index.ts Bus namespace (che…
anandgupta42 38dd432
wip: v1.17.9 reconciliation — util/schema shim + branded-type make() …
anandgupta42 3a20a97
wip: v1.17.9 reconciliation — permission/project/filesystem/npm core …
anandgupta42 296ed79
wip: v1.17.9 reconciliation — delete stale old-TUI tests (checkpoint 23)
anandgupta42 5c96c2a
wip: v1.17.9 reconciliation — repoint moved .sql table-def imports to…
anandgupta42 41b969f
wip: v1.17.9 reconciliation — fix provider/session/server core files …
anandgupta42 6a8796d
wip: v1.17.9 reconciliation — 11 survivor files via 5-agent batch (ch…
anandgupta42 c7b7e23
wip: v1.17.9 reconciliation — server routes + tool/mcp/skill batch (c…
anandgupta42 205d76c
wip: v1.17.9 reconciliation — Service facades: Project/ShareNext/Sess…
anandgupta42 8aea81e
wip: v1.17.9 reconciliation — Service facades: Provider/Plugin/LLM/To…
anandgupta42 b0e3e66
wip: v1.17.9 reconciliation — long-tail survivor batch, src 248->52 (…
anandgupta42 16e6cff
wip: v1.17.9 reconciliation — packages/opencode/src is GREEN (checkpo…
anandgupta42 641e616
wip: v1.17.9 reconciliation — opencode TYPECHECK GREEN (0 errors) (ch…
anandgupta42 27fb94c
wip: v1.17.9 — start runtime circular-init fix (Layer.suspend) (check…
anandgupta42 45b2262
fix: [v1.17.9] resolve runtime circular-init via lazy LayerNode deps …
anandgupta42 b23baec
wip: v1.17.9 — broad Layer.suspend sweep (typecheck+TDZ green, KNOWN …
anandgupta42 9e5d731
fix: [v1.17.9] resolve bootstrap deadlock — agent runs end-to-end (ch…
anandgupta42 b2e0ad1
test: [v1.17.9] triage wave 1 — provider/plugin/install/branding/rele…
anandgupta42 cdfe5e0
fix+test: [v1.17.9] DB split-brain fix + wave-2 triage; revert ec36 c…
anandgupta42 3dd78c5
test: [v1.17.9] triage wave-1 complete — upstream/session/server/smal…
anandgupta42 e3f2514
docs+test: [v1.17.9] session behavioral triage + e2e harness (ckpt40)
anandgupta42 998bed0
docs: [v1.17.9] ship-readiness report (ckpt41)
anandgupta42 19c0eb1
test+docs: [v1.17.9] fork carry-forward guards (40 tests, 0 dropped) …
anandgupta42 4e8c4e6
test: [v1.17.9] 50 upstream-adversarial tests (UPI risks) + 2 minor b…
anandgupta42 34508c9
docs: [v1.17.9] finalize ship report + draft PR body (ckpt44 FINAL)
anandgupta42 70decf7
docs+test: [v1.17.9] per-case session-delta review (ckpt45)
anandgupta42 699a369
docs: [v1.17.9] finalize — session review + 132-run e2e (89%, ~95% tr…
anandgupta42 01d0aac
fix: [v1.17.9] fix-everything batch 1 — server v2-location, Account d…
anandgupta42 243ee69
docs: [v1.17.9] fix-everything outcome — server/account/bug fixed, sd…
anandgupta42 00a7035
docs: [v1.17.9] FINAL — suite 868->1, fix-everything complete (ckpt49)
anandgupta42 22e7513
docs: [v1.17.9] differential confidence audit (carry-forward / upstre…
anandgupta42 1f83919
chore+docs: [v1.17.9] marker hygiene (25 files) + autonomous accept-v…
anandgupta42 95d1680
fix: [v1.17.9] restore 8 dropped v1.17.9 session behaviors (autonomou…
anandgupta42 b80f2cb
docs: [v1.17.9] plan to cover the 46 remaining session todos (injecta…
anandgupta42 bdb3cef
docs: [v1.17.9] codex audit results + refreshed PR body (pre-PR)
anandgupta42 6beae93
fix: [v1.17.9] audit follow-ups — partial branding (215->198) + TaskT…
anandgupta42 2999398
fix: [v1.17.9] build.ts stale TUI worker entry path (cli/cmd/tui -> c…
anandgupta42 e92adcf
docs: [v1.17.9] overnight TUI inspection mandate plan
anandgupta42 2c3d2ed
fix: [v1.17.9] TUI /api routing flood + branding 198->0 + require-mar…
anandgupta42 117b6b0
fix: bump CI bun-version 1.3.10 -> 1.3.14 to match merged runtime req…
anandgupta42 86be045
fix: [v1.17.9] eliminate test-suite DB migration race (table `project…
anandgupta42 95ab133
fix: rebrand residual OpenCode leaks surfaced by TUI visual inspection
anandgupta42 600bf8b
docs: [v1.17.9] night-2 validation artifacts (DB-race fix, TUI visual…
anandgupta42 3a583c3
test: [v1.17.9] isolate Google Vertex ADC in preload (deterministic h…
anandgupta42 c2a7fa5
fix: [v1.17.9] lazy-load playwright-core so trace-viewer e2e skips cl…
anandgupta42 b3bee8c
docs: [v1.17.9] WS4 command + WS5 trace verification reports + second…
anandgupta42 761a660
fix: [v1.17.9] restore session tracing — read tracing config via serv…
anandgupta42 af23602
docs: [v1.17.9] mark tracing FIXED in secondary-findings; skill-list …
anandgupta42 14143ab
fix: [v1.17.9] restore `skill list` (read via server) + tracing/skill…
anandgupta42 cb9529a
docs: [v1.17.9] mark skill-list FIXED + record dispositions for remai…
anandgupta42 c905d0f
docs: [v1.17.9] PR body — add CLI instance-context (tracing + skill l…
anandgupta42 a3dc9f0
fix: [v1.17.9] align server auth default username to "opencode" (code…
anandgupta42 591e711
fix: [v1.17.9] root-fix InstanceRef ALS split — bootstrap provides on…
anandgupta42 1ab8421
test+fix: [v1.17.9] migration schema-fingerprint drift guard + close …
anandgupta42 87af8b3
test: [v1.17.9] derive resetDatabase tables from live schema + record…
anandgupta42 55b23f1
fix: [v1.17.9] name WorkspaceContext ALS "workspace" not "instance"
anandgupta42 d074d0f
fix: [v1.17.9] address codex PR #964 review comments (active-path sub…
anandgupta42 ad005a7
fix: [v1.17.9] stop log shim from flooding the TUI (quiet by default,…
anandgupta42 aa22364
test+docs: [v1.17.9] artifact-level detection for the missed-bug clas…
anandgupta42 f513e9d
docs: [v1.17.9] tracing RCA — rule out flushSync, point at Bun-worker…
anandgupta42 7a911be
docs: [v1.17.9] ship-readiness E2E + TUI-inspection playbook (the /go…
anandgupta42 50b295d
fix: [v1.17.9] restore TUI session tracing — sync finalize on the qui…
anandgupta42 34a7b9b
test: [v1.17.9] de-flake TraceConsumer session.deleted re-create test…
anandgupta42 630a4b2
fix: [v1.17.9] lowercase TUI wordmark ("altimate code", not "ALTIMATE…
anandgupta42 a43d9a5
test: [v1.17.9] de-flake M2 trace rename-race test (fixed-wait → poll…
anandgupta42 f5ecdd8
fix: [v1.17.9] finalizeSync applies maxFiles pruning on the sync shut…
anandgupta42 4c46533
fix: address Kilo review findings on PR #964 (v2-core security + migr…
anandgupta42 f647f6e
fix: three TUI/runtime issues from the Altimate Code Issues report
anandgupta42 0ae4c7a
fix: systemic TUI log-hygiene guard so logging stops regressing on up…
anandgupta42 d524947
fix: prune trace files by mtime, not filename — TUI session traces we…
anandgupta42 c60eb12
fix: worker console guard also intercepts console.* (Bun bypasses pro…
anandgupta42 70436fc
fix: revert TUI wordmark to the clean uppercase ALTIMATE CODE block font
anandgupta42 f6e79a4
fix: address codex deep-review findings (grep containment robustness,…
anandgupta42 056d375
fix: de-flake CI subprocess tests via prebuilt test CLI + larger spaw…
anandgupta42 b63660f
fix: address codex pass-2 findings (grep symlink-FILE bypass + publis…
anandgupta42 9fbe4d0
fix: CI de-flake — OPENCODE_TEST_CLI must be absolute (CI passed rela…
anandgupta42 b821039
fix: revert the v2-httpapi upgrade guard (broke its happy-path test; …
anandgupta42 65344da
fix: restore symlink-aware project boundary the v1.17.9 merge dropped…
anandgupta42 baa8ca9
fix: restore #209 sensitive-write guard dropped by the merge (shipped…
anandgupta42 ab7c8f5
test+docs: restore dropped path-traversal security tests + release-co…
anandgupta42 6e33598
fix: load builtin DE skills into the live registry (merge dropped the…
anandgupta42 fe9f996
fix: restore dropped --trace fork-fix + revert prebuilt-binary test d…
anandgupta42 3501636
fix: skip background @opencode-ai/plugin install under OPENCODE_PURE …
anandgupta42 7d664a7
fix(mcp): restore dropped MCP.remove + bunRun harness opt for error-p…
anandgupta42 e256ddf
fix(ci): run subprocess tests in a dedicated bounded pass (kill load-…
anandgupta42 89ded86
fix(ci): run subprocess tests via `bun run src` (not the binary) in t…
anandgupta42 09b068b
chore(acp): TEMP diagnostic — surface the cause behind the -32603 "di…
anandgupta42 59b27ad
fix(test): disable embedded web UI in subprocess test env (real root …
anandgupta42 7c0d7e2
chore: TEMP diagnostics — ubuntu-CI provider registration + acp cause
anandgupta42 1db1181
fix(test): use ripgrep (OPENCODE_DISABLE_FFF) in subprocess tests — r…
anandgupta42 1b98aca
test: guard MCP.remove presence + datamate wiring (regression for the…
anandgupta42 732a20d
fix: restore fork behaviors silently dropped by the v1.17.9 overlay m…
anandgupta42 34a11d7
fix(test): mcp-add asserts the altimate-code global config dir
anandgupta42 57584ed
fix: [storage] adopt core-owned schema on fresh installs (fresh-DB sh…
anandgupta42 8235149
chore: [release] remove internal merge/night-run scratch from the PR
anandgupta42 c44e0a9
fix: [merge] address two shipped-path review findings from the v1.17.…
anandgupta42 e29c065
fix: [merge] prevent fff SIGTRAP crash when TUI is launched from ~ or /
anandgupta42 284ff0f
docs: [merge] correct global config dir + complete the MCP CLI reference
anandgupta42 c224354
fix: [merge] load project tools from .altimate-code/tools, not only .…
anandgupta42 2f12ae3
docs: [merge] document .altimate-code/tools as the preferred custom-t…
anandgupta42 ea55ba9
fix: [merge] stop models echoing the date — carry it in <env>, not th…
anandgupta42 e695b53
fix: [merge] default thinking to hidden for upgraders too (not just f…
anandgupta42 fbf3976
test: [merge] re-enable 137 fork security/behavior tests disabled by …
anandgupta42 2df6c8f
fix: [merge] CRITICAL — `skill remove customize-opencode` could rm -r…
anandgupta42 b5715e7
fix: [merge] restore session-level diff so the modified-files sidebar…
anandgupta42 c87d59d
fix: [merge] restore read-only guard on `db <query>` (was able to DEL…
anandgupta42 ded1893
fix: [merge] MCP hardening — stderr-drain hang, OAuth-state leak, sil…
anandgupta42 6b11abd
test: [merge] make MCP discover/lifecycle tests hermetic (isolate hom…
anandgupta42 89eaf01
fix: [merge] restore ACP altimate-backend default-model preference
anandgupta42 cf62f1f
fix: [merge] idempotent DB migration adopt — stop "duplicate column" …
anandgupta42 c7c7f5e
fix: [merge] restore file diffs in shared sessions
anandgupta42 c75f793
fix: [merge] restore config env-interpolation telemetry
anandgupta42 555ac7f
fix: [merge] route /experimental/workspace to the HttpApi (was 500 vi…
anandgupta42 ab83ed5
fix: [#978] make reviewer mode usable — external reads prompt, bash a…
anandgupta42 a30e477
fix: [#973][#975] restore Ctrl+A/Ctrl+E in prompt + history recall fr…
anandgupta42 c4a474f
fix: [#971][#972][#974] dedupe /mcps autocomplete, surface MCP auth c…
anandgupta42 1794048
fix: [#976] clicking a truncated URL now opens the full URL
anandgupta42 98933b3
fix: restore `codesearch` for explore agent + gather `prompt.skills` …
anandgupta42 acb7a59
chore: extend altimate_change marker to cover move() signature (marke…
anandgupta42 01833e8
fix: close unclosed marker in db.ts + update reviewer pin tests to th…
anandgupta42 ae16338
feat: restore three fork behaviors deferred during the v1.17.9 re-hom…
anandgupta42 27c4905
fix: [upgrade] make migration-journal marking idempotent (stop per-la…
anandgupta42 972df32
test: add real-binary TUI journey suite (opt-in gate for interaction …
anandgupta42 00dde08
fix: [merge] restore dropped upstream behavioral refinements (audit f…
anandgupta42 7232b34
fix: [merge] restore fork-wanted refinements + branding (audit judgme…
anandgupta42 386e653
fix: [release] bump release.yml Bun 1.3.10 -> 1.3.14 (was release-blo…
anandgupta42 b0ade91
fix: [merge] restore 5 dropped upstream fixes + 3 unwired auth plugin…
anandgupta42 8c74589
fix: [security] make the #209 sensitive-write guard actually fire
anandgupta42 14a72bc
fix: [merge] preserve provider-executed flag on tool part metadata
anandgupta42 e3a160a
docs: [board] record E integration-seam findings + final disposition
anandgupta42 c357612
fix: [release] derive release version from the fork package, not upst…
anandgupta42 b7f5a61
feat: [release] enable safe beta releases (channel-from-tag + prerele…
anandgupta42 3b16acc
feat: add /release-beta skill — cut a beta to the npm beta channel (l…
anandgupta42 b57aa69
fix: [merge] 4 shipped-path bugs from PR review (fresh-install, data-…
anandgupta42 383eaf1
fix: [merge] 15 shipped-path bugs from proactive codex review (round 1)
anandgupta42 def7a55
fix: [merge] 8 shipped-path bugs from proactive codex review (round 2…
anandgupta42 e7ec6a9
fix: [security] MCP tools were executing with NO permission check
anandgupta42 3d48a58
fix: [merge] bot-review findings — config jsonc/cache, tui server-con…
anandgupta42 5e287ce
fix: [merge] round-3 findings — env-flag regressions + cli debug/impo…
anandgupta42 a26f586
fix: [merge] round-4 regression review — complete jsonc support + loc…
anandgupta42 6765d87
fix: [merge] upstream_fix: don't blank unresolved ${VAR} — fixes bedr…
anandgupta42 37864cd
fix: [release] unblock release workflow — full-typecheck deps + Verda…
anandgupta42 37e6fd0
fix: [release] de-dupe platform binary (npm E413) + restore pre-relea…
anandgupta42 932d002
docs: [release-beta] add the local pre-tag gates the skill was missing
anandgupta42 bcb0f8a
fix: [release] smoke-test the shipped binary (altimate-code) after de…
anandgupta42 d009fd9
fix: [release] pre-publish smoke test also targets altimate-code
anandgupta42 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,180 @@ | ||
| --- | ||
| description: Cut a BETA (prerelease) of altimate-code to the npm `beta` channel. Existing `latest` users are NOT auto-upgraded — only opt-in beta testers get it. Use to soak a risky change (e.g. a big upstream merge) before promoting to `latest` with /release. | ||
| --- | ||
|
|
||
| # Release altimate-code BETA | ||
|
|
||
| Cut a prerelease to the **`beta`** npm dist-tag. The whole point: **existing | ||
| stable (`latest`) users are never touched.** Only people who opted into the | ||
| beta channel (`npm i -g @altimateai/altimate-code@beta`, or a beta install) | ||
| receive it. Use this to dogfood a risky release before promoting it to | ||
| `latest` with `/release`. | ||
|
|
||
| ## Why this is a separate skill (read once) | ||
|
|
||
| - `/release` tags a plain `vX.Y.Z` → the workflow publishes to **`latest`** → | ||
| **every existing user auto-upgrades on next launch.** For a big/risky change | ||
| that is exactly the "brick everyone if there's a bug" risk. | ||
| - A beta tag has a `-` suffix (`vX.Y.Z-beta.N`). `.github/workflows/release.yml` | ||
| derives `OPENCODE_CHANNEL` from the tag: a `-` → the **`beta`** channel → | ||
| `npm publish --tag beta`. The `latest` dist-tag is left pointing at the old | ||
| stable, so `latest` users do not move. | ||
| - The upgrade check (`cli/upgrade.ts`) is fail-safe and orders prerelease | ||
| identifiers, so a beta tester on `beta.1` auto-upgrades to `beta.2`, and any | ||
| beta upgrades to the eventual stable. This is verified by the round-trip below. | ||
|
|
||
| ## Input | ||
|
|
||
| `$ARGUMENTS` = the target STABLE version this beta leads to (`patch` | `minor` | | ||
| `major`, or an explicit `X.Y.Z`). Default `minor` — a big upstream merge is not | ||
| a patch. The beta tag becomes `vX.Y.Z-beta.N`. | ||
|
|
||
| --- | ||
|
|
||
| ## Step 1 — Determine the beta version | ||
|
|
||
| ```bash | ||
| # current published STABLE (the latest dist-tag) | ||
| npm view @altimateai/altimate-code dist-tags --json | ||
| ``` | ||
|
|
||
| - Base stable `X.Y.Z` from `$ARGUMENTS`: | ||
| - `patch`/empty → not typical for a beta; prefer `minor`. | ||
| - `minor` → bump minor of the current stable (0.8.10 → **0.9.0**). | ||
| - `major` → 0.8.10 → **1.0.0**. | ||
| - explicit `X.Y.Z` → use it. | ||
| - Find the next `-beta.N`: look at the current `beta` dist-tag. If it is already | ||
| `X.Y.Z-beta.M`, next is `beta.(M+1)`; otherwise start at `beta.1`. | ||
|
|
||
| ```bash | ||
| # does a beta for this base already exist? | ||
| npm view @altimateai/altimate-code@beta version 2>/dev/null || echo "no beta yet" | ||
| ``` | ||
|
|
||
| Confirm with the user: **"Cutting beta `vX.Y.Z-beta.N`. This publishes to the | ||
| `beta` channel only — `latest` stays at `<current stable>`, so existing users | ||
| are NOT auto-upgraded. Proceed?"** Wait for an explicit yes. | ||
|
|
||
| ## Step 2 — Ensure clean, correct base | ||
|
|
||
| ```bash | ||
| git branch --show-current # expect main (or the branch you're betaing) | ||
| git status --short # must be clean | ||
| git fetch origin | ||
| git log HEAD..origin/$(git branch --show-current) --oneline # must be up to date | ||
| ``` | ||
| Stop if dirty, behind, or on an unexpected branch. | ||
|
|
||
| ## Step 3 — Pre-tag gates (run the SAME local gates as /release — non-negotiable) | ||
|
|
||
| The npm publish + Verdaccio + size checks only run in the release workflow AFTER | ||
| the tag, and the tag→publish is irreversible. So you MUST reproduce those gates | ||
| LOCALLY before tagging. A green PR check is NOT sufficient — `ci.yml` uses | ||
| `dorny/paths-filter` and only typechecks CHANGED packages, so it misses whole-repo | ||
| issues the release workflow (full `bun turbo typecheck` + Verdaccio + npm publish) | ||
| will hit. Do NOT skip any of these: | ||
|
|
||
| ```bash | ||
| # 1. FULL monorepo typecheck (what the release workflow runs — clean install to match CI) | ||
| rm -rf node_modules && bun install --frozen-lockfile | ||
| bun turbo typecheck --force # all packages, not just changed ones | ||
|
|
||
| # 2. Mandatory pre-release sanity (restored gate; builds a binary that starts) | ||
| (cd packages/opencode && bun run pre-release) | ||
|
|
||
| # 3. Package SIZE check — npm rejects platform tarballs over ~200MB compressed (E413). | ||
| # Build one platform, measure the packed size BEFORE tagging. | ||
| (cd packages/opencode && bun run build:local) | ||
| DIST=$(find packages/opencode/dist -type d -name '*'"$(uname -m | sed s/arm64/arm64/)"'*' | head -1) | ||
| (cd "$DIST" && npm pack --dry-run --json | python3 -c "import sys,json;d=json.load(sys.stdin)[0];mb=d['size']/1048576;print(f'compressed {mb:.0f}MB', 'OK' if mb<190 else 'TOO BIG — will 413')") | ||
|
|
||
| # 4. marker guard | ||
| bun run script/upstream/analyze.ts --markers --base main --strict | ||
|
|
||
| # 5. Local Verdaccio sanity IF docker + a native-platform build are available | ||
| # (the docker image is linux; on a mac you cannot cross-build the linux NAPI dist, | ||
| # so this validates the current platform only — CI covers the rest): | ||
| # (cd packages/dbt-tools && bun run build) && docker compose \ | ||
| # -f test/sanity/docker-compose.verdaccio.yml up --build --abort-on-container-exit --exit-code-from sanity | ||
| ``` | ||
|
|
||
| If ANY gate is red, stop and fix BEFORE tagging. The whole point of these local | ||
| gates is that a release-workflow failure after the tag is irreversible-adjacent | ||
| (partial npm publishes, orphan sub-packages that block a same-version retry). | ||
|
|
||
| ## Step 4 — Tag and push the beta | ||
|
|
||
| The `-beta.N` suffix is what routes to the beta channel. Do NOT omit it. | ||
|
|
||
| ```bash | ||
| BETA_TAG="vX.Y.Z-beta.N" | ||
| git tag "$BETA_TAG" | ||
| git push origin "$BETA_TAG" # push the TAG (not necessarily main) | ||
| ``` | ||
|
|
||
| Note: unlike `/release`, do not `git push origin main` unless main already | ||
| contains this commit. A beta can be tagged on a branch or on main; the tag is | ||
| what triggers the workflow. | ||
|
|
||
| ## Step 5 — Monitor the release workflow | ||
|
|
||
| ```bash | ||
| gh run list --workflow=release.yml --repo AltimateAI/altimate-code --limit 1 | ||
| gh run watch --repo AltimateAI/altimate-code | ||
| ``` | ||
| The workflow's native linux-x64 smoke + pre-publish smoke are the last gates. | ||
| If it fails, do NOT delete the tag — investigate (`gh run view --log-failed`). | ||
|
|
||
| ## Step 6 — CRITICAL post-publish guard: confirm `latest` did NOT move | ||
|
|
||
| This is the safety assertion. After publish: | ||
|
|
||
| ```bash | ||
| npm view @altimateai/altimate-code dist-tags --json | ||
| ``` | ||
|
|
||
| - `beta` MUST now be `X.Y.Z-beta.N`. | ||
| - `latest` MUST be UNCHANGED (still the previous stable, e.g. 0.8.10). | ||
|
|
||
| If `latest` moved to the beta version, **the beta leaked to all users** — treat | ||
| as an incident: publish a corrected `latest` dist-tag back to the last-good | ||
| stable immediately (`npm dist-tag add @altimateai/altimate-code@<good> latest`) | ||
| and investigate the channel derivation in release.yml. | ||
|
|
||
| ## Step 7 — Verify the beta works AND can upgrade out (round-trip) | ||
|
|
||
| The whole reason for a beta is to prove the new codebase is safe — including | ||
| its own auto-upgrade — before stable users touch it. | ||
|
|
||
| ```bash | ||
| # install the beta hermetically (does not touch your normal install if you use a temp prefix) | ||
| npm i -g @altimateai/altimate-code@beta # or an isolated prefix | ||
| altimate --version # reports X.Y.Z-beta.N | ||
| altimate agent list; altimate skill list # fork surfaces load | ||
| ``` | ||
|
|
||
| Dogfood real workflows on the beta. Then prove the **round-trip**: when you cut | ||
| `vX.Y.Z-beta.(N+1)`, a machine already on `beta.N` must auto-upgrade to it on | ||
| next launch (compareVersions orders betas). If it does, the updater on the new | ||
| codebase is proven — stable users can safely be promoted onto it. | ||
|
|
||
| ## Step 8 — Promote to `latest` (separate, deliberate step) | ||
|
|
||
| Only after the beta has soaked and the round-trip is proven: | ||
|
|
||
| - Run **`/release {same bump}`** to cut the stable `vX.Y.Z` → `latest`. That is | ||
| the step that auto-upgrades existing users — and by then you've proven the | ||
| exact code and its updater on the beta channel. | ||
| - Do NOT move `latest` to a `-beta` version by hand; ship a clean stable tag. | ||
|
|
||
| --- | ||
|
|
||
| ## Hard rules | ||
|
|
||
| - The tag MUST contain `-beta.N`. A plain `vX.Y.Z` from this skill would hit | ||
| `latest` — never do that here. | ||
| - Never skip Step 6 (the `latest`-didn't-move assertion). It is the one check | ||
| that catches a channel-routing regression before it bricks everyone. | ||
| - npm publishes are effectively irreversible — get the explicit user yes at | ||
| Step 1 before tagging, and never publish credentials or move `latest` without | ||
| intent. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| .git | ||
| .opencode | ||
| .sst | ||
| .turbo | ||
| .wrangler | ||
| node_modules | ||
| **/node_modules | ||
| **/.output | ||
| **/dist | ||
| **/.turbo | ||
| **/.vite | ||
| **/coverage | ||
| # altimate_change: the exclusions above speed up app image builds, but the Verdaccio sanity | ||
| # Dockerfile (test/sanity/Dockerfile.verdaccio) COPYs packages/opencode/dist, packages/dbt-tools/dist, | ||
| # and .opencode/skills from this same repo-root context. Re-include exactly those so the sanity build | ||
| # context has them (without this the release "Sanity (Verdaccio)" job fails: "<path>: not found"). | ||
| !.opencode/skills | ||
| !.opencode/skills/** | ||
| !packages/opencode/dist | ||
| !packages/opencode/dist/** | ||
| !packages/dbt-tools/dist | ||
| !packages/dbt-tools/dist/** | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| packages/core/migration/**/snapshot.json linguist-generated | ||
| packages/core/src/database/migration.gen.ts linguist-generated |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,17 @@ | ||
| aidtya | ||
| aloks98 | ||
| altimateanas | ||
| anandgupta42 | ||
| ankitksharma | ||
| anusha-sharma | ||
| arora-saurabh448 | ||
| dvanaken | ||
| frasermarlow | ||
| gaurpulkit | ||
| govindpawa | ||
| jontsai | ||
| kulvirgit | ||
| mdesmet | ||
| mhallida | ||
| ppradnesh | ||
| rakendd | ||
| ralphstodomingo | ||
| ravik-aai | ||
| robertmaybin | ||
| sahrizvi | ||
| sanjaykr5 | ||
| saravmajestic | ||
| sgvarsh | ||
| shreyastelkar | ||
| sourabhchrs93 | ||
| suryaiyer95 | ||
| tshreyas | ||
| vivekvenkatareddy | ||
| yukthagv | ||
| adamdotdevin | ||
| Brendonovich | ||
| fwang | ||
| Hona | ||
| iamdavidhill | ||
| jayair | ||
| jlongster | ||
| kitlangton | ||
| kommander | ||
| MrMushrooooom | ||
| nexxeln | ||
| R44VC0RP | ||
| rekram1-node | ||
| thdxr | ||
| simonklee | ||
| vimtor | ||
| starptech |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # Comprehensive merge validation — upstream v1.4.0→v1.17.9 bridge (PR #964) | ||
|
|
||
| Method: not spot-checks. The merge surface (3,254 upstream commits) reduces to a BOUNDED, | ||
| enumerable set validated by three contracts, each covered exhaustively. | ||
|
|
||
| ## Surface (measured) | ||
| - 226 upstream-shared source files modified by the merge (exist in both v1.17.9 and HEAD) | ||
| - 293 fork-only source files | ||
| - 106 fork "altimate_change" behaviors present on main whose marker text wasn't found verbatim on HEAD | ||
|
|
||
| ## Coverage matrix | ||
|
|
||
| | Contract | Question | Method | Result | | ||
| |---|---|---|---| | ||
| | C1: no dropped upstream code | did conflict-resolution revert upstream fixes? | 226 files reviewed by 11 subsystem agents; diff v1.17.9↔HEAD each | No ship-blocker. ~6 real MED/LOW refinement drops (below). High-value upstream fixes (Plan-Mode security, models-cache recovery, session-metadata migration identity, corrupt-message handler) present VERBATIM. | | ||
| | C2: no fork-feature loss | did fork customizations survive? | 106 candidate behaviors verified present-on-HEAD or dropped | Most false (path-restructure moved cli/cmd/tui→tui/src + reworded). Real drops: beginner-tips onboarding, internal-url inconsistency, minor branding. | | ||
| | C3: behavior | does the artifact work? | full suite + schema + upgrade + journey + real binary + CI | 10,555 tests pass (2 flaky, pass isolated); 19/19 schema tables parity; upgrade 16/16; journey 10 green; CI functional gates green. | | ||
|
|
||
| ## REAL findings (all MED/LOW — none block ship), fork-wanted, verified by lead | ||
|
|
||
| | # | file | issue | sev | fix | | ||
| |---|------|-------|-----|-----| | ||
| | 1 | session/compaction.ts | tail-preserving compaction dead: consumers read `tail_start_id` (session.ts:775, message-v2.ts:1016) but no writer sets it on new compaction parts | MED | restore the writer that stamps `tail_start_id` when creating the compaction part | | ||
| | 2 | share/share-next.ts:152 | dropped `Effect.catchCause` on fullSync+flush → unhandled rejection on share-sync failure | MED | wrap fullSync/flush failures (log, don't throw) | | ||
| | 3 | session/llm.ts:214 | Copilot billing split-brain: `includeRawChunks` absent from streamText, but `copilotTotalNanoAiu`/`totalNanoAiu` consumers depend on it → Copilot billing metadata never populates | MED | pass `includeRawChunks: true` for the Copilot provider path | | ||
| | 4 | tui first-run (tips) | fork onboarding UX dropped: main had `BEGINNER_TIPS`/`isFirstTime`; HEAD has zero refs | MED | restore beginner-tips/first-time hint | | ||
| | 5 | util/filesystem.ts:131 | Windows path conversion lost: HEAD does only `realpathSync.native`; upstream also did `windowsPath()` (cygwin/gitbash/WSL) | LOW | restore windowsPath() normalization for win32 | | ||
| | 6 | session/retry.ts:71 | drops upstream's extra "retry 5xx even if SDK says non-retryable" guard | LOW | re-add the status-code 5xx retry guard | | ||
| | 7 | cli/cmd/mcp.ts:419 | CLI MCP installs default to opencode.json not altimate-code.json (both still discovered) | LOW | prefer altimate-code.json in CONFIG_FILENAMES | | ||
| | 8 | tui.ts:166 / runtime.ts:737 | internal worker url `opencode.internal` inconsistent with `altimate-code.internal` elsewhere (internal routing key, not user-visible) | LOW | unify the virtual-host string | | ||
| | — | footer/uninstall/upgrade/initialize.txt | unmarked fork branding + 1-2 "OpenCode config" strings | LOW | marker hygiene + branding fix | | ||
|
|
||
| ## INTENTIONAL divergences (verified NOT bugs — fork deliberately differs) | ||
| - task.ts background subagents — marker: "hides disabled background mode" | ||
| - providers Alibaba/Venice/Azure-workflow/GitLab-Duo — moved to packages/core/src/plugin/provider/* or not shipped | ||
| - run.ts interactive/replay/demo — fork ships its own run command (executive/analyst modes, max-turns, tracing) | ||
| - plugin/index.ts loader + omitted upstream provider plugins — fork ships its own provider set | ||
| - server.ts move-session — actually PRESENT via httpapi control-plane group (false positive) | ||
|
|
||
| ## FALSE positives (verified) | ||
| - agent.ts:524 safety-denial re-append — intended fail-safe (marker documents it) | ||
|
|
||
| ## Verdict | ||
| Comprehensive review of the ENTIRE merge surface found NO ship-blocker (no crash, data-loss, or | ||
| security regression). ~6 medium + a few low fork-wanted refinements to restore. The merge correctly | ||
| adopted upstream v1.17.9 (fixes present verbatim, schema parity, upgrade path clean) and preserved | ||
| the fork (registries, agents, tools, DE features intact). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # Release-Evaluation Board — final pre-release analysis (PR #964, v1.17.9 bridge) | ||
| 7 independent perspectives (3 codex / 3 sonnet / 1 haiku) + Fable runtime probe + synthesis. | ||
| GOAL: dual preservation — don't lose FORK work, don't lose UPSTREAM work. | ||
|
|
||
| ## Scorecard | ||
|
|
||
| | Perspective | Verdict | Findings | | ||
| |---|---|---| | ||
| | D Fork-feature preservation | **PASS** | All tools (101→102 superset), 9 agents, 13 warehouse drivers, 7 builtin skills, 8 commands, memory/tracing/telemetry/PII — present + WIRED. 0 new fork drops. | | ||
| | F Safety/security regression | **PASS** | All 5 shipped safety properties INTACT: DDL non-overridable, subagent deny-inheritance (#26597), sensitive-write #209 guard (edit.ts+write.ts), secret redaction, basic-auth username. No regression. | | ||
| | A Upstream-fix adoption (73 sampled) | 5 dropped | 1 HIGH-ish (processor providerExecuted), 4 MED/LOW upstream fixes reverted. | | ||
| | B Upgrade/format compat | 2 real | managed-TUI-config load dropped (MED), .json/.jsonc precedence inverted (LOW). Auth-username & thinking-default changes INTENTIONAL. DB/auth/session/cache formats back-compatible. | | ||
| | C Build/packaging/distribution | **1 HIGH ship-blocker** | release.yml pinned Bun 1.3.10 but build scripts require ^1.3.14 → tag releases fail. FIXED. | | ||
| | E Integration seams | 1 real | Azure/DigitalOcean/xAI upstream auth plugins in-tree but unwired in INTERNAL_PLUGINS (MED). Codex plugin = intentional fork keep. | | ||
| | G Branding | LOW polish | `.opencode/` paths in warehouse-list/skill-ops messages + `opencode.json` in provider dialogs should say altimate-code. Provider labels & auth-username default = intentional. | | ||
| | Fable runtime probe | **PASS** | Compiled binary: palette, agent-switch, shell-mode EXECUTE, /skills list, prompt round-trip all work — empirically confirms the resolved V2-premise review comments don't affect the shipped product. | | ||
|
|
||
| ## Actions taken (all upstream-fix restorations, marked + tested) | ||
| - FIXED (HIGH ship-blocker): release.yml Bun 1.3.10 → 1.3.14 (all 4 pins). | ||
| - FIXED (Fable): run.ts in-process auth header (local run 401'd when OPENCODE_SERVER_PASSWORD set). | ||
| - FIXED (delegated): provider.ts Cloudflare unified apiKey; transform.ts Devstral toLowerCase; project.ts session-migration time_updated preservation (3 sites); config/tui.ts managed-config load + paths.ts json/jsonc precedence; plugin/index.ts wire Azure/DigitalOcean/xAI auth plugins. | ||
|
|
||
| ## Flagged follow-up (NOT fixed — deliberate) | ||
| - processor.ts `providerExecuted` handling: shipped session doesn't use the provider-executed-tool flag (adapters capture it). MED — server-side provider tools (e.g. web search) not handled optimally. NOT fixed pre-release: the upstream change is entangled with GitLab-Duo approval code the fork doesn't ship; porting it blind risks core session processing. Needs a scoped follow-up. | ||
| - Branding LOW polish: optional, non-blocking. | ||
|
|
||
| ## Dual-preservation verdict | ||
| - FORK preservation: CLEAN (D + F pass; nothing we built is lost or weakened). | ||
| - UPSTREAM preservation: the gaps were HERE — 5 dropped fixes + 3 unwired auth plugins + managed-config, now restored. This is the class my earlier fork-focused passes missed; the board's upstream-adoption + seam lenses caught them. | ||
|
|
||
| ## Addendum — E (integration seams) full report | ||
| Enumerated the seam surface: 587 `@opencode-ai/*` import sites across 216 files in packages/opencode/src + 37 in packages/tui/src; 6 subsystem scopes audited. | ||
| - **Azure/DigitalOcean/xAI auth plugins unwired** (MED-HIGH) — FIXED (board commit b0ade919c7). | ||
| - **`openai/codex.ts` orphaned** (MED) — DOCUMENTED, not fixed. 0 consumers; fork deliberately uses its own `./codex` (BUILTIN). Harmless dead code; deleting an upstream file risks future-merge friction. Adopting its WebSocket/allowlist/dispose capabilities is a product decision, not a merge fix. | ||
| - **Dual-`Session`-module `getUsage` divergence** (MED-latent / LOW-active) — DOCUMENTED, not fixed. Live path is `processor.ts:326 → session/index.ts:830` (carries the OpenRouter cost fix); `session.ts:387` is the caller-less V2-migration copy. Not a live bug; session.ts is the not-shipped V2 surface. | ||
| - **OVERTURNED false-positive HIGH**: an earlier subagent claimed `fromPlugin` permission-gate bypass (ctx.ask became Effect → `await` no-ops). E traced the `legacyToInit`→bridged-`legacyCtx` layer (tool-zod-compat.ts:221) that makes ask Promise-based before the plugin runs — the gate runs correctly. Safety surface confirmed clean. | ||
| - Server / cli / effect / config / storage seam scopes: clean. Signature-skew class (`Adaptor.target()`) already fixed; 192 tracked `upstream_fix` markers + green typecheck catch compile-level skew. | ||
|
|
||
| ## Final board disposition | ||
| - Ship-blocker: 1 (release.yml) — FIXED. | ||
| - Real dropped-upstream fixes/features: 6 + 3 auth plugins + run-auth — FIXED. | ||
| - Security (pre-existing): sensitive-write guard neutralization — FIXED. | ||
| - provider-executed metadata — FIXED (execution was already correct); settlement-telemetry field = scoped follow-up. | ||
| - Latent/dead-code in the not-shipped V2 surface (codex orphan, getUsage copy) — DOCUMENTED, deliberately not chased. | ||
| - Fork preservation + safety surface: PASS (nothing lost or weakened). |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WARNING:
!.opencode/skillswon't re-include the directory — its parent.opencodeis excluded on line 2.Docker's
.dockerignoredoes not descend into excluded directories, so a!exception is a no-op when a parent directory of the target is already excluded. Thedistnegations below work only becausepackages/...isn't excluded;.opencodeis excluded directly on line 2, soCOPY .opencode/skills/intest/sanity/Dockerfile.verdacciowill still fail with "not found" — the exact failure this change is meant to fix.Fix: change line 2 from
.opencodeto.opencode/*so the directory itself isn't excluded and the skills exception can take effect.Reply with
@kilocode-bot fix itto have Kilo Code address this issue.