sync: upstream v1.14.41 (fe594693a on dev)

[Alezander9]

Summary

Brings anomalyco/opencode up to v1.14.41 (fe594693a on dev). 70 upstream commits across v1.14.40 – v1.14.41.

Targeted v1.14.41 instead of latest (v1.14.48, 289 commits) because v1.14.42 lands three sweeping refactors that warrant separate review:

• PR #24712 — native LLM core foundation (5bb7b23)
• PR #24149 — scout agent for repo research (40d5ea1)
• OPENCODE_EXPERIMENTAL_WORKSPACES routing changes (workspace fence headers, fixed-id routing, claim detached sessions)

Splitting keeps each sync mechanical. The v1.14.42+ window jumps from 214 files touched to 649; that's the structural-refactor signature we agreed to flag instead of swallow whole.

Notable upstream changes pulled in

• PR #26054 remote_config — .well-known/opencode now supports an external remote_config URL with substitution + headers. Adopted upstream's new fetch-and-merge body in config/config.ts verbatim, kept our bcode.sh/config.json default $schema.
• Agent dir rename agent/ → agents/ (PR #14427) — adopted as .bcode/agents/ for consistency. Updated cli/cmd/agent.ts create-target path and feature-plugins/home/tips-view.tsx tip string. config/agent.ts:129 already accepted both glob patterns, so existing .bcode/agent/ setups keep working.
• Session not-found error typing (PR #25818), session schema tolerates legacy numeric data, scout scaffolding (no integration yet — files added under packages/core/).

Conflicts resolved

File	Resolution
README.{ar,bn,br,bs,da,de,es,fr,gr,it,ja,ko,no,pl,ru,th,tr,uk,vi,zh,zht}.md	re-deleted (21 translations purged at fork rebrand stay purged)
.github/workflows/deploy.yml	re-deleted per PR #14
README.md	kept our concise BrowserCode replacement, dropped upstream's reintroduced desktop-download table (we don't ship a desktop)
bun.lock	took theirs, regenerated via bun install
packages/opencode/package.json	kept @browser-use/browsercode-core, bumped to 1.14.41
packages/opencode/src/cli/cmd/agent.ts	took upstream's .opencode/agents rename, flipped to .bcode/agents
packages/opencode/src/config/config.ts	adopted new remote_config logic, kept bcode.sh schema URL

Yellow-zone audit

11 files touched upstream: core/src/global.ts, packages/opencode/src/agent/agent.ts, cli/cmd/{agent,run,serve,web}.ts, cli/cmd/tui/{app.tsx,routes/session/index.tsx}, config/config.ts, provider/provider.ts, session/session.ts.

Customizations preserved: app = "bcode", BC banner+title, BrowserCode GitHub link, bcode.sh HTTP-Referer/X-Title/X-Source across 8 providers, Cerebras X-Cerebras-3rd-Party-Integration: bcode, .bcode/plans, Skills import, BrowserExecute renderer.

Verification

• bun install: clean (lockfile regenerated)
• bun run typecheck: 6/6 passed in 8.7s

Next sync

Target v1.14.48 in a follow-up PR. v1.14.42 is the gate — needs design discussion on:

1. native LLM core foundation — adopt or leave dormant?
2. scout agent — same question; it's a new built-in agent.
3. workspace routing — flagged behind OPENCODE_EXPERIMENTAL_WORKSPACES, low risk if we leave the flag off, but the packages/core/src/workspace/* additions arrive either way.

[cubic-dev-ai]

5 issues found across 193 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="infra/app.ts">

<violation number="1" location="infra/app.ts:33">
P1: The new early return skips `SYNC_SERVER` binding setup for the `vimtor` stage, which breaks share endpoints that require this binding.</violation>
</file>

<file name="packages/desktop/src/main/apps.ts">

<violation number="1" location="packages/desktop/src/main/apps.ts:61">
P1: `resolveWindowsAppPath` is using `execFilePromise` without `await`, so it parses a Promise object string instead of `where` output and fails to resolve paths.</violation>
</file>

<file name="packages/console/app/src/routes/honeycomb/webhook.ts">

<violation number="1" location="packages/console/app/src/routes/honeycomb/webhook.ts:64">
P2: Handle malformed JSON bodies before schema validation; otherwise invalid JSON returns 500 instead of 400.</violation>

<violation number="2" location="packages/console/app/src/routes/honeycomb/webhook.ts:79">
P2: Catch webhook delivery exceptions so network failures return the intended 502 response instead of an unhandled 500.</violation>
</file>

<file name="packages/opencode/src/config/config.ts">

<violation number="1" location="packages/opencode/src/config/config.ts:552">
P2: Validate that fetched remote config JSON is an object before merging; currently non-object responses can break config loading at runtime.</violation>
</file>

_{Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed. cubic prioritizes the most important files to review.
On a pro plan you can use ultrareview for larger PRs.
Fix all with cubic}

[cubic-dev-ai]

P1: The new early return skips SYNC_SERVER binding setup for the vimtor stage, which breaks share endpoints that require this binding.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At infra/app.ts, line 33:

<comment>The new early return skips `SYNC_SERVER` binding setup for the `vimtor` stage, which breaks share endpoints that require this binding.</comment>

<file context>
@@ -30,6 +30,7 @@ export const api = new sst.cloudflare.Worker("Api", {
   transform: {
     worker: (args) => {
       args.logpush = true
+      if ($app.stage === "vimtor") return
       args.bindings = $resolve(args.bindings).apply((bindings) => [
         ...bindings,
</file context>

Suggested change

	if ($app.stage === "vimtor") return
	// Do not return early here; SYNC_SERVER bindings/migrations are required for API share routes.

[cubic-dev-ai]

P1: resolveWindowsAppPath is using execFilePromise without await, so it parses a Promise object string instead of where output and fails to resolve paths.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/desktop/src/main/apps.ts, line 61:

<comment>`resolveWindowsAppPath` is using `execFilePromise` without `await`, so it parses a Promise object string instead of `where` output and fails to resolve paths.</comment>

<file context>
@@ -32,26 +40,25 @@ export function wslPath(path: string, mode: "windows" | "linux" | null): string
   let output: string
   try {
-    output = execFileSync("where", [appName]).toString()
+    output = execFilePromise("where", [appName]).toString()
   } catch {
     return null
</file context>

Suggested change

	output = execFilePromise("where", [appName]).toString()
	output = (await execFilePromise("where", [appName])).stdout.toString()

[cubic-dev-ai]

P2: Catch webhook delivery exceptions so network failures return the intended 502 response instead of an unhandled 500.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/console/app/src/routes/honeycomb/webhook.ts, line 79:

<comment>Catch webhook delivery exceptions so network failures return the intended 502 response instead of an unhandled 500.</comment>

<file context>
@@ -0,0 +1,85 @@
+    return Response.json({ message: "ignored" }, { status: 200 })
+  }
+
+  const response = await postDiscordMessage(parsed.data)
+  if (!response.ok) {
+    return Response.json({ message: "discord webhook failed" }, { status: 502 })
</file context>

[cubic-dev-ai]

P2: Handle malformed JSON bodies before schema validation; otherwise invalid JSON returns 500 instead of 400.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/console/app/src/routes/honeycomb/webhook.ts, line 64:

<comment>Handle malformed JSON bodies before schema validation; otherwise invalid JSON returns 500 instead of 400.</comment>

<file context>
@@ -0,0 +1,85 @@
+    return Response.json({ message: "invalid token" }, { status: 401 })
+  }
+
+  const body = await input.request.json()
+  console.log(body, JSON.stringify(body, null, 2))
+
</file context>

[cubic-dev-ai]

P2: Validate that fetched remote config JSON is an object before merging; currently non-object responses can break config loading at runtime.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/opencode/src/config/config.ts, line 552:

<comment>Validate that fetched remote config JSON is an object before merging; currently non-object responses can break config loading at runtime.</comment>

<file context>
@@ -501,8 +531,28 @@ export const layer = Layer.effect(
+                  if (!response.ok)
+                    throw new Error(`failed to fetch remote config from ${remote.url}: ${response.status}`)
+                  const data = await response.json()
+                  return isRecord(data) && isRecord(data.config) ? data.config : data
+                })) as Record<string, unknown>)
+              : {}
</file context>

Suggested change

	return isRecord(data) && isRecord(data.config) ? data.config : data
	if (isRecord(data) && isRecord(data.config)) return data.config
	if (isRecord(data)) return data
	throw new Error(`invalid remote config payload from ${remote.url}: expected object JSON`)