fix(opencode): add OPENCODE_CONFIG_EXTRA to passthrough allowlist

[Yambr]

Summary

• Adds OPENCODE_CONFIG_EXTRA to OPENCODE_PASSTHROUGH_ENVS in computer-use-server/docker_manager.py so the operator override actually crosses the orchestrator → workspace-sandbox boundary.
• Without this, the documented "OpenCode — custom OpenAI-compat provider" recipe in docs/cli-config-templates.md cannot work in v0.9.2.2: the var is set on the host, but _create_container filters it out, so the entrypoint heredoc inside the sandbox falls through to the canonical 3-provider default and dials https://openrouter.ai/api/v1 directly.
• Closes [v0.9.2.2] OPENCODE_CONFIG_EXTRA missing from OPENCODE_PASSTHROUGH_ENVS — proxy-only routing impossible without local patch #77 (full reproducer + root cause analysis there).

Why

Self-hosted deployments with a proxy-only invariant (LiteLLM, OpenLLM, etc.) for spend attribution / budget enforcement / no-direct-egress can't route opencode sub-agent traffic through their gateway without forking. This unblocks the documented configuration path.

Test plan

• Build image from this branch
• On host: set SUBAGENT_CLI=opencode, OPENAI_API_KEY=<gateway-key>, OPENCODE_CONFIG_EXTRA='{ "provider": { "litellm": { ... "options": { "baseURL": "http://litellm:4000/v1" } } }, "model": "litellm/<model>" }', OPENCODE_SUB_AGENT_DEFAULT_MODEL=litellm/<model>
• docker compose up -d --force-recreate computer-use-server
• Trigger any sub-agent invocation
• Inside the spawned sandbox: printenv | grep OPENCODE_CONFIG_EXTRA returns the JSON (was empty before this PR)
• cat /tmp/opencode.json renders the operator's litellm provider (was canonical 3-provider default before this PR)
• Gateway logs show the sub-agent traffic (was bypassed before this PR)

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features
  • OpenCode configuration overrides are now properly propagated to containerized sandbox environments, allowing operators to apply custom configurations during deployment.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5867c94b-31b8-44c3-b15e-546da5495cbc

📥 Commits

Reviewing files that changed from the base of the PR and between 141756c and 915ac72.

📒 Files selected for processing (1)

• computer-use-server/docker_manager.py

---

📝 Walkthrough

Walkthrough

The OPENCODE_PASSTHROUGH_ENVS allowlist in docker_manager.py is extended to include OPENCODE_CONFIG_EXTRA, allowing operator-supplied OpenCode configuration overrides to propagate into spawned workspace containers when SUBAGENT_CLI=opencode.

Changes

Environment Variable Allowlist Extension

Layer / File(s)	Summary
Configuration Passthrough computer-use-server/docker_manager.py	OPENCODE_PASSTHROUGH_ENVS tuple adds ("OPENCODE_CONFIG_EXTRA", os.getenv("OPENCODE_CONFIG_EXTRA", "")) entry to permit operator-supplied OpenCode config overrides across the orchestrator → sandbox boundary.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hops through Docker's gate,
With config now that won't be late—
One tuple entry, simple, bright,
Sends OpenCode through proxies right! 🐰✨
No more escaping through the night.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding OPENCODE_CONFIG_EXTRA to the passthrough allowlist in the OpenCode module.
Linked Issues check	✅ Passed	The PR directly implements the exact fix recommended in issue #77: adding OPENCODE_CONFIG_EXTRA tuple entry to OPENCODE_PASSTHROUGH_ENVS, fully satisfying all coding requirements.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing issue #77; only the minimal required modification to OPENCODE_PASSTHROUGH_ENVS was made with no extraneous changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/opencode-config-extra-passthrough

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Yambr]

Superseded by #87, which extends the same fix with CODEX_CONFIG_EXTRA parity and a regression test in tests/orchestrator/test_passthrough_isolation.py to lock in the per-CLI isolation contract (Pitfall 1).