
fix(audit): consolidate OpenCode project configuration#11

Merged: MerverliPy merged 1 commit into main from audit/REPO-AUDIT-F-004-consolidate-opencode-config on Jun 18, 2026

Conversation

@MerverliPy (Owner)

Summary

Remediates REPO-AUDIT-F-004 by replacing two conflicting root OpenCode configurations with one canonical, reviewable policy.

Changes

  • removes opencode.json
  • establishes opencode.jsonc as the sole root OpenCode configuration
  • retains the plan default agent and stricter permission baseline
  • preserves required project instruction files and explicit read-only tool allowances
  • pins opencode-ai to exact version 1.17.7
  • adds the corresponding minimal lockfile entries without unrelated lockfile reserialization
  • records the decision in ADR-0008

Validation

  • isolated resolved-configuration validation passed
  • exactly one root OpenCode configuration remains
  • resolved default agent is plan
  • sharing remains disabled
  • required instruction files are loaded
  • protected read/edit rules and destructive-command denials are preserved
  • task, skill, and external-directory access remain denied
  • local OpenCode binary reports version 1.17.7
  • published package integrity matched registry metadata
  • frozen pnpm install accepted the minimal lockfile without rewriting it
  • changed formatter-supported files pass Prettier
  • lint passed
  • repository status validation passed
  • typecheck passed
  • unit tests passed
  • build passed
  • secret scan passed
  • dependency vulnerability scan passed
  • git diff --check passed

Baseline note

The repository-wide formatting command also checks pnpm-lock.yaml. The lockfile at main already fails Prettier formatting, so that existing baseline defect was not expanded into this remediation. The new lockfile entries were kept to the minimal semantic delta accepted by pnpm install --frozen-lockfile.

Finding

REPO-AUDIT-F-004 — Two root OpenCode configurations conflict and produce an undocumented effective policy.
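Two of the validation claims in this description (exactly one root OpenCode configuration remains; opencode-ai is pinned to the exact version 1.17.7) can be turned into a reproducible check that a reviewer can run against any checkout. The script below is an added example, not code from the PR or the project. It assumes the two root configuration file names the description mentions (opencode.json and opencode.jsonc) and that package.json declares one dependency per line, as pnpm and npm write it; the fixture repositories it creates are constructed placeholders, not the repository's real files.

```sh
#!/bin/sh
# Added example, not code from the PR or the project: a reproducible check for
# two of the validation claims above (exactly one root OpenCode configuration
# remains; opencode-ai is pinned to an exact version). Assumptions: root
# configs are named opencode.json / opencode.jsonc, and package.json lists
# one dependency per line as pnpm/npm write it.
set -eu

# Count the root OpenCode configuration files present in DIR.
count_opencode_configs() {
  n=0
  for f in "$1/opencode.json" "$1/opencode.jsonc"; do
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Succeed only when DIR holds exactly one root OpenCode configuration.
single_opencode_config() {
  [ "$(count_opencode_configs "$1")" -eq 1 ]
}

# Print the version spec declared for package NAME in PACKAGE_JSON (empty if absent).
dependency_spec() {
  sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed only when NAME is pinned to exactly VERSION: a bare x.y.z with no
# ^, ~, range or dist-tag, so a frozen lockfile install cannot drift.
pinned_exactly() {
  spec=$(dependency_spec "$1" "$2")
  [ "$spec" = "$3" ] && printf '%s\n' "$spec" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Constructed fixture repositories (placeholder contents, not the real files):
# "good" matches the state the PR leaves behind, "bad" the state it remediates.
make_fixture() {
  root=$(mktemp -d)
  mkdir "$root/good" "$root/bad"
  printf '// constructed placeholder\n{}\n' > "$root/good/opencode.jsonc"
  printf '{\n  "devDependencies": {\n    "opencode-ai": "1.17.7"\n  }\n}\n' > "$root/good/package.json"
  printf '{}\n' > "$root/bad/opencode.json"
  printf '// constructed placeholder\n{}\n' > "$root/bad/opencode.jsonc"
  printf '{\n  "devDependencies": {\n    "opencode-ai": "^1.17.7"\n  }\n}\n' > "$root/bad/package.json"
  echo "$root"
}

# Run both checks against a directory and report; returns 1 if either fails.
audit_dir() {
  rc=0
  if single_opencode_config "$1"; then
    echo "$1: exactly one root OpenCode configuration"
  else
    echo "$1: $(count_opencode_configs "$1") root OpenCode configurations"; rc=1
  fi
  if pinned_exactly "$1/package.json" opencode-ai 1.17.7; then
    echo "$1: opencode-ai pinned to 1.17.7"
  else
    echo "$1: opencode-ai spec '$(dependency_spec "$1/package.json" opencode-ai)' is not an exact 1.17.7 pin"; rc=1
  fi
  return $rc
}

FIXTURE=$(make_fixture)
audit_dir "$FIXTURE/good" || true
audit_dir "$FIXTURE/bad" || true
```

Run `audit_dir .` from the repository root to apply the same two checks to a real checkout. The exact-pin test deliberately rejects `^` and `~` prefixes as well as ranges and dist-tags: a range resolved at install time is what makes a lockfile the only source of truth, whereas an exact pin keeps package.json and the lockfile in agreement, which is what `pnpm install --frozen-lockfile` in the validation list relies on.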

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 20c9c1a2fe

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread docs/adr/0008-canonical-opencode-project-configuration.md
@MerverliPy MerverliPy force-pushed the audit/REPO-AUDIT-F-004-consolidate-opencode-config branch from 20c9c1a to dda3612 Compare June 17, 2026 23:40
@MerverliPy (Owner, Author): @codex[agent]

@chatgpt-codex-connector (Bot):

To use Codex here, create an environment for this repo.

@MerverliPy MerverliPy merged commit 11c56fb into main Jun 18, 2026
3 checks passed
@MerverliPy MerverliPy deleted the audit/REPO-AUDIT-F-004-consolidate-opencode-config branch June 18, 2026 01:33
MerverliPy added a commit that referenced this pull request Jun 18, 2026
)

* security: prevent production development-auth bypass (#8)

* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* security: fail closed when upload scanning is unavailable (#9)

* security: fail closed when upload scanning is unavailable

* docs: anonymize F-002 run record

* security: enforce default-branch governance (#10)

* security: enforce default-branch governance

* docs: namespace repository audit finding record

* docs: disambiguate repository audit finding ID

* fix(audit): consolidate OpenCode project configuration (#11)
MerverliPy added a commit that referenced this pull request Jun 18, 2026
* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* Enhance security measures and documentation for production settings (#12)

* security: prevent production development-auth bypass (#8)

* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* security: fail closed when upload scanning is unavailable (#9)

* security: fail closed when upload scanning is unavailable

* docs: anonymize F-002 run record

* security: enforce default-branch governance (#10)

* security: enforce default-branch governance

* docs: namespace repository audit finding record

* docs: disambiguate repository audit finding ID

* fix(audit): consolidate OpenCode project configuration (#11)
MerverliPy added a commit that referenced this pull request Jun 20, 2026
* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* Enhance security measures and documentation for production settings (#12)

* security: prevent production development-auth bypass (#8)

* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* security: fail closed when upload scanning is unavailable (#9)

* security: fail closed when upload scanning is unavailable

* docs: anonymize F-002 run record

* security: enforce default-branch governance (#10)

* security: enforce default-branch governance

* docs: namespace repository audit finding record

* docs: disambiguate repository audit finding ID

* fix(audit): consolidate OpenCode project configuration (#11)