@neuralnomads/codenomad-dev 0.14.0-dev-20260422-e708c565 → 0.14.0-dev-20260427-0ba13713

package/dist/cli-upgrade.js

@@ -0,0 +1,53 @@
+import { spawn } from "child_process";
+const CODENOMAD_PACKAGE_NAME = "@neuralnomads/codenomad";
+function detectFromText(value) {
+    const lower = (value ?? "").toLowerCase();
+    if (!lower)
+        return null;
+    if (lower.includes("pnpm"))
+        return "pnpm";
+    if (lower.includes("bun"))
+        return "bun";
+    if (lower.includes("npm"))
+        return "npm";
+    return null;
+}
+export function detectPackageManager(env = process.env) {
+    return detectFromText(env.npm_config_user_agent) ?? detectFromText(env.npm_execpath) ?? "npm";
+}
+export function buildUpgradeCommand(version, packageManager = detectPackageManager()) {
+    const targetVersion = (version ?? "").trim() || "latest";
+    const packageSpec = `${CODENOMAD_PACKAGE_NAME}@${targetVersion}`;
+    const args = packageManager === "bun" ? ["add", "-g", packageSpec] : ["install", "-g", packageSpec];
+    return {
+        command: packageManager,
+        args,
+        packageSpec,
+    };
+}
+export function formatUpgradeCommand(command) {
+    return [command.command, ...command.args].join(" ");
+}
+export function runCliUpgrade(version, env = process.env) {
+    const upgrade = buildUpgradeCommand(version, detectPackageManager(env));
+    console.log(`Upgrading CodeNomad with: ${formatUpgradeCommand(upgrade)}`);
+    return new Promise((resolve) => {
+        const child = spawn(upgrade.command, upgrade.args, {
+            env,
+            shell: process.platform === "win32",
+            stdio: "inherit",
+        });
+        child.on("exit", (code, signal) => {
+            if (signal) {
+                console.error(`Upgrade command stopped by signal ${signal}`);
+                resolve(1);
+                return;
+            }
+            resolve(code ?? 0);
+        });
+        child.on("error", (error) => {
+            console.error("Failed to launch upgrade command", error);
+            resolve(1);
+        });
+    });
+}

package/dist/cli-upgrade.test.js

@@ -0,0 +1,31 @@
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { buildUpgradeCommand, detectPackageManager, formatUpgradeCommand } from "./cli-upgrade";
+describe("cli upgrade", () => {
+    it("defaults to npm when no package manager can be detected", () => {
+        assert.equal(detectPackageManager({}), "npm");
+    });
+    it("detects package managers from npm user agent", () => {
+        assert.equal(detectPackageManager({ npm_config_user_agent: "pnpm/9.0.0 node/v22" }), "pnpm");
+        assert.equal(detectPackageManager({ npm_config_user_agent: "bun/1.0.0" }), "bun");
+        assert.equal(detectPackageManager({ npm_config_user_agent: "npm/10.0.0 node/v22" }), "npm");
+    });
+    it("builds latest upgrade command by default", () => {
+        const command = buildUpgradeCommand(undefined, "npm");
+        assert.equal(command.packageSpec, "@neuralnomads/codenomad@latest");
+        assert.deepEqual(command.args, ["install", "-g", "@neuralnomads/codenomad@latest"]);
+        assert.equal(formatUpgradeCommand(command), "npm install -g @neuralnomads/codenomad@latest");
+    });
+    it("builds a versioned upgrade command", () => {
+        const command = buildUpgradeCommand("0.10.5", "pnpm");
+        assert.equal(command.packageSpec, "@neuralnomads/codenomad@0.10.5");
+        assert.deepEqual(command.args, ["install", "-g", "@neuralnomads/codenomad@0.10.5"]);
+        assert.equal(formatUpgradeCommand(command), "pnpm install -g @neuralnomads/codenomad@0.10.5");
+    });
+    it("uses bun add for Bun installs", () => {
+        const command = buildUpgradeCommand("0.10.5", "bun");
+        assert.equal(command.packageSpec, "@neuralnomads/codenomad@0.10.5");
+        assert.deepEqual(command.args, ["add", "-g", "@neuralnomads/codenomad@0.10.5"]);
+        assert.equal(formatUpgradeCommand(command), "bun add -g @neuralnomads/codenomad@0.10.5");
+    });
+});

package/dist/filesystem/browser.js

@@ -206,6 +206,17 @@ export class FileSystemBrowser {
         if (!input || input === "." || input === "./" || input === "/") {
             return ".";
         }
+        if (path.isAbsolute(input)) {
+            const resolved = path.resolve(input);
+            const relativeToRoot = path.relative(this.root, resolved);
+            if (relativeToRoot === "") {
+                return ".";
+            }
+            if (this.isOutsideRoot(relativeToRoot)) {
+                throw new Error("Access outside of root is not allowed");
+            }
+            return relativeToRoot.replace(/\\+/g, "/");
+        }
         let normalized = input.replace(/\\+/g, "/");
         if (normalized.startsWith("./")) {
             normalized = normalized.replace(/^\.\/+/, "");
@@ -232,11 +243,14 @@ export class FileSystemBrowser {
         const normalized = this.normalizeRelativePath(relativePath);
         const target = path.resolve(this.root, normalized);
         const relativeToRoot = path.relative(this.root, target);
-        if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot) && relativeToRoot !== "") {
+        if (this.isOutsideRoot(relativeToRoot)) {
             throw new Error("Access outside of root is not allowed");
         }
         return target;
     }
+    isOutsideRoot(relativeToRoot) {
+        return relativeToRoot === ".." || relativeToRoot.startsWith(`..${path.sep}`) || path.isAbsolute(relativeToRoot);
+    }
     resolveUnrestrictedPath(input) {
         if (!input || input === "." || input === "./") {
             return this.homeDir;

package/dist/index.js

@@ -28,12 +28,12 @@ import { SideCarManager } from "./sidecars/manager";
 import { ClientConnectionManager } from "./clients/connection-manager";
 import { PluginChannelManager } from "./plugins/channel";
 import { VoiceModeManager } from "./plugins/voice-mode";
-import { readServerPackageVersion, resolveServerPublicDir } from "./runtime-paths";
+import { runCliUpgrade } from "./cli-upgrade";
 const require = createRequire(import.meta.url);
-const packageJson = { version: readServerPackageVersion(import.meta.url) };
+const packageJson = require("../package.json");
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-const DEFAULT_UI_STATIC_DIR = resolveServerPublicDir(import.meta.url);
+const DEFAULT_UI_STATIC_DIR = path.resolve(__dirname, "../public");
 const DEFAULT_HOST = "127.0.0.1";
 const DEFAULT_CONFIG_PATH = "~/.config/codenomad/config.json";
 const DEFAULT_HTTPS_PORT = 9898;
@@ -76,9 +76,11 @@ function parseCliOptions(argv) {
         .default(false))
         .addOption(new Option("--dangerously-skip-auth", "Disable CodeNomad's internal auth. Use only behind a trusted perimeter (SSO/VPN/etc).")
         .env("CODENOMAD_SKIP_AUTH")
-        .default(false));
+        .default(false))
+        .addOption(new Option("--upgrade [version]", "Upgrade the global CodeNomad CLI server package and exit"));
     program.parse(argv, { from: "user" });
     const parsed = program.opts();
+    const upgrade = parsed.upgrade;
     const parseBooleanEnv = (value) => {
         const normalized = (value ?? "").trim().toLowerCase();
         return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "y" || normalized === "on";
@@ -89,7 +91,7 @@ function parseCliOptions(argv) {
     const uiAutoUpdate = autoUpdateString === "1" || autoUpdateString === "true" || autoUpdateString === "yes";
     const httpsEnabled = parseBooleanEnv(parsed.https);
     const httpEnabled = parseBooleanEnv(parsed.http);
-    if (!httpsEnabled && !httpEnabled) {
+    if (upgrade === undefined && !httpsEnabled && !httpEnabled) {
         throw new InvalidArgumentError("At least one listener must be enabled (--https or --http)");
     }
     return {
@@ -118,6 +120,7 @@ function parseCliOptions(argv) {
         authCookieName: parsed.authCookieName,
         generateToken: Boolean(parsed.generateToken),
         dangerouslySkipAuth: Boolean(parsed.dangerouslySkipAuth),
+        upgrade,
     };
 }
 function parsePort(input) {
@@ -144,6 +147,11 @@ function programHasArg(argv, flag) {
 }
 async function main() {
     const options = parseCliOptions(process.argv.slice(2));
+    if (options.upgrade !== undefined) {
+        const version = typeof options.upgrade === "string" ? options.upgrade : undefined;
+        process.exitCode = await runCliUpgrade(version);
+        return;
+    }
     const logger = createLogger({ level: options.logLevel, destination: options.logDestination, component: "app" });
     const workspaceLogger = logger.child({ component: "workspace" });
     const configLogger = logger.child({ component: "config" });
@@ -211,7 +219,10 @@ async function main() {
         getServerBaseUrl: () => serverMeta.localUrl,
         nodeExtraCaCertsPath,
     });
-    const fileSystemBrowser = new FileSystemBrowser({ rootDir: options.rootDir, unrestricted: options.unrestrictedRoot });
+    const fileSystemBrowser = new FileSystemBrowser({
+        rootDir: options.rootDir,
+        unrestricted: options.unrestrictedRoot,
+    });
     const instanceStore = new InstanceStore(configLocation.instancesDir);
     const speechService = new SpeechService(settings, logger.child({ component: "speech" }));
     const sidecarManager = new SideCarManager({

package/dist/opencode-config/package.json

@@ -4,6 +4,6 @@
   "private": true,
   "license": "MIT",
   "dependencies": {
-    "@opencode-ai/plugin": "1.14.19"
+    "@opencode-ai/plugin": "1.3.7"
   }
-}
+}

package/dist/opencode-config.js

@@ -1,9 +1,20 @@
 import { existsSync } from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
 import { createLogger } from "./logger";
-import { resolveOpencodeTemplateDir } from "./runtime-paths";
 const log = createLogger({ component: "opencode-config" });
-const templateDir = resolveOpencodeTemplateDir(import.meta.url);
-const isDevBuild = Boolean(process.env.CODENOMAD_DEV ?? process.env.CLI_UI_DEV_SERVER);
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const devTemplateDir = path.resolve(__dirname, "../../opencode-config");
+const resourcesPath = process.resourcesPath;
+const prodTemplateDirs = [
+    resourcesPath ? path.resolve(resourcesPath, "opencode-config") : undefined,
+    path.resolve(__dirname, "opencode-config"),
+].filter((dir) => Boolean(dir));
+const isDevBuild = Boolean(process.env.CODENOMAD_DEV ?? process.env.CLI_UI_DEV_SERVER) || existsSync(devTemplateDir);
+const templateDir = isDevBuild
+    ? devTemplateDir
+    : prodTemplateDirs.find((dir) => existsSync(dir)) ?? prodTemplateDirs[0];
 export function getOpencodeConfigDir() {
     if (!existsSync(templateDir)) {
         throw new Error(`CodeNomad Opencode config template missing at ${templateDir}`);

package/dist/server/http-server.js

@@ -5,8 +5,6 @@ import replyFrom from "@fastify/reply-from";
 import fs from "fs";
 import { connect as connectTcp } from "net";
 import path from "path";
-import { Readable } from "stream";
-import { pipeline } from "stream/promises";
 import { connect as connectTls } from "tls";
 import { fetch } from "undici";
 import { isValidWorktreeSlug } from "../workspaces/git-worktrees";
@@ -491,49 +489,47 @@ async function proxyWorkspaceRequest(args) {
     if (logger.isLevelEnabled("trace")) {
         logger.trace({ workspaceId, targetUrl, body: request.body }, "Instance proxy payload");
     }
-    const headers = buildWorkspaceInstanceProxyHeaders(request.headers, instanceAuthHeader, directory);
-    if (logger.isLevelEnabled("trace")) {
-        logger.trace({
-            workspaceId,
-            method: request.method,
-            targetUrl,
-            worktreeSlug,
-            directory,
-            contentType: request.headers["content-type"],
-            body: bodyToJson(request.body),
-            headers: redactProxyHeadersForLogs(headers),
-        }, "Proxy -> OpenCode request");
-    }
-    const init = {
-        method: request.method,
-        headers,
-        redirect: "manual",
-    };
-    if (request.method !== "GET" && request.method !== "HEAD") {
-        const body = toProxyRequestBody(request.body);
-        if (body !== undefined) {
-            init.body = body;
-            init.duplex = "half";
-        }
-    }
-    try {
-        const response = await fetch(targetUrl, init);
-        reply.code(response.status);
-        applyInstanceProxyResponseHeaders(reply, response);
-        if (!response.body || request.method === "HEAD") {
-            reply.send();
-            return;
-        }
-        reply.hijack();
-        reply.raw.writeHead(reply.statusCode, toOutgoingHeaders(reply.getHeaders()));
-        await pipeline(Readable.fromWeb(response.body), reply.raw);
-    }
-    catch (error) {
-        logger.error({ err: error, workspaceId, targetUrl }, "Failed to proxy workspace request");
-        if (!reply.sent) {
-            reply.code(502).send({ error: "Workspace instance proxy failed" });
-        }
-    }
+    return reply.from(targetUrl, {
+        rewriteRequestHeaders: (_originalRequest, headers) => {
+            if (instanceAuthHeader) {
+                headers.authorization = instanceAuthHeader;
+            }
+            // OpenCode expects the *full* path; we send it via header to avoid query tampering.
+            const isNonASCII = /[^\x00-\x7F]/.test(directory);
+            const encodedDirectory = isNonASCII ? encodeURIComponent(directory) : directory;
+            headers["x-opencode-directory"] = encodedDirectory;
+            if (logger.isLevelEnabled("trace")) {
+                const outgoing = {};
+                for (const [key, value] of Object.entries(headers)) {
+                    outgoing[key] = value;
+                }
+                // Redact sensitive headers.
+                for (const key of Object.keys(outgoing)) {
+                    const lower = key.toLowerCase();
+                    if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
+                        outgoing[key] = "<redacted>";
+                    }
+                }
+                logger.trace({
+                    workspaceId,
+                    method: request.method,
+                    targetUrl,
+                    worktreeSlug,
+                    directory,
+                    contentType: request.headers["content-type"],
+                    body: bodyToJson(request.body),
+                    headers: outgoing,
+                }, "Proxy -> OpenCode request");
+            }
+            return headers;
+        },
+        onError: (proxyReply, { error }) => {
+            logger.error({ err: error, workspaceId, targetUrl }, "Failed to proxy workspace request");
+            if (!proxyReply.sent) {
+                proxyReply.code(502).send({ error: "Workspace instance proxy failed" });
+            }
+        },
+    });
 }
 function extractOpencodeDirectoryOverride(pathSuffix) {
     if (!pathSuffix) {
@@ -696,78 +692,12 @@ function isApiRequest(rawUrl) {
 function buildProxyHeaders(headers) {
     const result = {};
     for (const [key, value] of Object.entries(headers ?? {})) {
-        const lower = key.toLowerCase();
-        if (!value || lower === "host" || isHopByHopHeader(lower))
+        if (!value || key.toLowerCase() === "host")
             continue;
         result[key] = Array.isArray(value) ? value.join(",") : value;
     }
     return result;
 }
-function toProxyRequestBody(body) {
-    if (body == null) {
-        return undefined;
-    }
-    if (typeof body.pipe === "function") {
-        return body;
-    }
-    if (typeof body[Symbol.asyncIterator] === "function") {
-        return body;
-    }
-    if (Buffer.isBuffer(body) || typeof body === "string" || body instanceof Uint8Array) {
-        return body;
-    }
-    return JSON.stringify(body);
-}
-function buildWorkspaceInstanceProxyHeaders(headers, instanceAuthHeader, directory) {
-    const next = buildProxyHeaders(headers);
-    if (instanceAuthHeader) {
-        next.authorization = instanceAuthHeader;
-    }
-    const isNonASCII = /[^\x00-\x7F]/.test(directory);
-    next["x-opencode-directory"] = isNonASCII ? encodeURIComponent(directory) : directory;
-    return next;
-}
-function redactProxyHeadersForLogs(headers) {
-    const outgoing = { ...headers };
-    for (const key of Object.keys(outgoing)) {
-        const lower = key.toLowerCase();
-        if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
-            outgoing[key] = "<redacted>";
-        }
-    }
-    return outgoing;
-}
-function applyInstanceProxyResponseHeaders(reply, response) {
-    response.headers.forEach((value, key) => {
-        const lower = key.toLowerCase();
-        if (isHopByHopHeader(lower) || lower === "content-length" || lower === "content-encoding") {
-            return;
-        }
-        reply.header(key, value);
-    });
-}
-function toOutgoingHeaders(headers) {
-    const next = {};
-    for (const [key, value] of Object.entries(headers)) {
-        if (value === undefined) {
-            continue;
-        }
-        next[key] = Array.isArray(value) ? value.map(String) : String(value);
-    }
-    return next;
-}
-function isHopByHopHeader(name) {
-    return new Set([
-        "connection",
-        "keep-alive",
-        "proxy-authenticate",
-        "proxy-authorization",
-        "te",
-        "trailer",
-        "transfer-encoding",
-        "upgrade",
-    ]).has(name);
-}
 async function proxySideCarRequest(args) {
     const sidecarId = args.request.params.id ?? "";
     const sidecar = await args.sidecarManager.get(sidecarId);

package/dist/server/routes/auth.js

@@ -1,7 +1,6 @@
 import fs from "fs";
 import { z } from "zod";
 import { isLoopbackAddress } from "../../auth/http-auth";
-import { resolveAuthTemplatePath } from "../../runtime-paths";
 const LoginSchema = z.object({
     username: z.string().min(1),
     password: z.string().min(1),
@@ -12,26 +11,26 @@ const TokenSchema = z.object({
 const PasswordSchema = z.object({
     password: z.string().min(8),
 });
-const LOGIN_TEMPLATE_PATH = resolveAuthTemplatePath(import.meta.url, "login.html");
-const TOKEN_TEMPLATE_PATH = resolveAuthTemplatePath(import.meta.url, "token.html");
+const LOGIN_TEMPLATE_URL = new URL("./auth-pages/login.html", import.meta.url);
+const TOKEN_TEMPLATE_URL = new URL("./auth-pages/token.html", import.meta.url);
 let cachedLoginTemplate = null;
 let cachedTokenTemplate = null;
-function readTemplate(filePath, cache) {
+function readTemplate(url, cache) {
     if (cache)
         return cache;
-    const content = fs.readFileSync(filePath, "utf-8");
+    const content = fs.readFileSync(url, "utf-8");
     return content;
 }
 function getLoginHtml(defaultUsername) {
     if (!cachedLoginTemplate) {
-        cachedLoginTemplate = readTemplate(LOGIN_TEMPLATE_PATH, null);
+        cachedLoginTemplate = readTemplate(LOGIN_TEMPLATE_URL, null);
     }
     const escapedUsername = escapeHtml(defaultUsername);
     return cachedLoginTemplate.replace(/\{\{DEFAULT_USERNAME\}\}/g, escapedUsername);
 }
 function getTokenHtml() {
     if (!cachedTokenTemplate) {
-        cachedTokenTemplate = readTemplate(TOKEN_TEMPLATE_PATH, null);
+        cachedTokenTemplate = readTemplate(TOKEN_TEMPLATE_URL, null);
     }
     return cachedTokenTemplate;
 }

package/dist/workspaces/__tests__/git-worktrees.test.js

@@ -0,0 +1,43 @@
+import assert from "node:assert/strict";
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import { describe, it } from "node:test";
+import { listWorktrees } from "../git-worktrees";
+describe("listWorktrees", () => {
+    it("uses the selected workspace folder for the root worktree directory", async () => {
+        const temp = mkdtempSync(path.join(tmpdir(), "codenomad-git-worktrees-"));
+        const binDir = path.join(temp, "bin");
+        const repoRoot = path.join(temp, "repo");
+        const workspaceFolder = path.join(repoRoot, "proj-1");
+        const originalPath = process.env.PATH;
+        try {
+            mkdirSync(binDir, { recursive: true });
+            mkdirSync(workspaceFolder, { recursive: true });
+            const gitPath = path.join(binDir, process.platform === "win32" ? "git.cmd" : "git");
+            const porcelain = [
+                `worktree ${repoRoot}`,
+                "HEAD 1111111",
+                "branch refs/heads/main",
+                "",
+            ].join("\n");
+            if (process.platform === "win32") {
+                writeFileSync(gitPath, `@echo off\r\nif "%1"=="worktree" if "%2"=="list" if "%3"=="--porcelain" (\r\necho ${porcelain.replace(/\n/g, "\r\necho ")}\r\nexit /b 0\r\n)\r\nexit /b 1\r\n`);
+            }
+            else {
+                writeFileSync(gitPath, `#!/bin/sh\nif [ "$1" = "worktree" ] && [ "$2" = "list" ] && [ "$3" = "--porcelain" ]; then\nprintf '%s\n' '${porcelain.replace(/'/g, "'\\''")}'\nexit 0\nfi\nexit 1\n`, { mode: 0o755 });
+            }
+            process.env.PATH = `${binDir}${path.delimiter}${originalPath ?? ""}`;
+            const worktrees = await listWorktrees({ repoRoot, workspaceFolder });
+            assert.equal(worktrees[0]?.slug, "root");
+            assert.equal(worktrees[0]?.directory, workspaceFolder);
+            assert.equal(worktrees[0]?.kind, "root");
+            assert.equal(worktrees[0]?.branch, "main");
+            assert.notEqual(worktrees[0]?.directory, repoRoot);
+        }
+        finally {
+            process.env.PATH = originalPath;
+            rmSync(temp, { recursive: true, force: true });
+        }
+    });
+});

package/dist/workspaces/git-worktrees.js

@@ -87,7 +87,7 @@ export async function listWorktrees(params) {
     const { repoRoot, workspaceFolder, logger } = params;
     const result = await runGit(["worktree", "list", "--porcelain"], workspaceFolder);
     if (!result.ok) {
-        const rootDescriptor = { slug: "root", directory: repoRoot, kind: "root" };
+        const rootDescriptor = { slug: "root", directory: workspaceFolder, kind: "root" };
         logger?.debug?.({ repoRoot, err: result.error }, "Failed to list git worktrees; returning root only");
         return [rootDescriptor];
     }
@@ -95,7 +95,7 @@ export async function listWorktrees(params) {
     const rootRecord = records.find((record) => path.resolve(record.worktree) === path.resolve(repoRoot));
     const rootDescriptor = {
         slug: "root",
-        directory: repoRoot,
+        directory: workspaceFolder,
         kind: "root",
         branch: rootRecord?.branch,
     };

package/dist/workspaces/manager.js

@@ -6,60 +6,8 @@ import { searchWorkspaceFiles } from "../filesystem/search";
 import { clearWorkspaceSearchCache } from "../filesystem/search-cache";
 import { WorkspaceRuntime } from "./runtime";
 import { getOpencodeConfigDir } from "../opencode-config.js";
-import { buildOpencodeBasicAuthHeader, DEFAULT_OPENCODE_USERNAME, generateOpencodeServerPassword, OPENCODE_SERVER_PASSWORD_ENV, OPENCODE_SERVER_USERNAME_ENV, } from "./opencode-auth";
+import { buildOpencodeBasicAuthHeader, OPENCODE_SERVER_PASSWORD_ENV, OPENCODE_SERVER_USERNAME_ENV, resolveOpencodeServerAuth, } from "./opencode-auth";
 const STARTUP_STABILITY_DELAY_MS = 1500;
-function defaultShellPath() {
-    const configured = process.env.SHELL?.trim();
-    if (configured) {
-        return configured;
-    }
-    return process.platform === "darwin" ? "/bin/zsh" : "/bin/bash";
-}
-function shellEscape(input) {
-    if (!input)
-        return "''";
-    return `'${input.replace(/'/g, `'\\''`)}'`;
-}
-function wrapCommandForShell(command, shellPath) {
-    const shellName = path.basename(shellPath).toLowerCase();
-    if (shellName.includes("bash")) {
-        return `if [ -f ~/.bashrc ]; then source ~/.bashrc >/dev/null 2>&1; fi; ${command}`;
-    }
-    if (shellName.includes("zsh")) {
-        return `if [ -f ~/.zshrc ]; then source ~/.zshrc >/dev/null 2>&1; fi; ${command}`;
-    }
-    return command;
-}
-function buildShellArgs(shellPath, command) {
-    const shellName = path.basename(shellPath).toLowerCase();
-    if (shellName.includes("zsh")) {
-        return ["-l", "-i", "-c", command];
-    }
-    return ["-l", "-c", command];
-}
-function resolveBinaryPathFromUserShell(identifier) {
-    if (process.platform === "win32") {
-        return null;
-    }
-    const shellPath = defaultShellPath();
-    const lookupCommand = wrapCommandForShell(`command -v ${shellEscape(identifier)}`, shellPath);
-    const result = spawnSync(shellPath, buildShellArgs(shellPath, lookupCommand), {
-        encoding: "utf8",
-        env: {
-            ...process.env,
-            npm_config_prefix: undefined,
-            NPM_CONFIG_PREFIX: undefined,
-        },
-    });
-    if (result.status !== 0) {
-        return null;
-    }
-    const resolved = String(result.stdout ?? "")
-        .split(/\r?\n/)
-        .map((line) => line.trim())
-        .find((line) => line.length > 0);
-    return resolved ?? null;
-}
 export class WorkspaceManager {
     constructor(options) {
         this.options = options;
@@ -129,8 +77,10 @@ export class WorkspaceManager {
         const serverConfig = this.options.settings.getOwner("config", "server");
         const envVars = serverConfig?.environmentVariables;
         const userEnvironment = envVars && typeof envVars === "object" && !Array.isArray(envVars) ? envVars : {};
-        const opencodeUsername = DEFAULT_OPENCODE_USERNAME;
-        const opencodePassword = generateOpencodeServerPassword();
+        const { username: opencodeUsername, password: opencodePassword } = resolveOpencodeServerAuth({
+            userEnvironment,
+            processEnv: process.env,
+        });
         const authorization = buildOpencodeBasicAuthHeader({ username: opencodeUsername, password: opencodePassword });
         if (!authorization) {
             throw new Error("Failed to build OpenCode auth header");
@@ -252,11 +202,6 @@ export class WorkspaceManager {
         catch (error) {
             this.options.logger.warn({ identifier, err: error }, "Failed to resolve binary path from system PATH");
         }
-        const shellResolved = resolveBinaryPathFromUserShell(identifier);
-        if (shellResolved) {
-            this.options.logger.debug({ identifier, resolved: shellResolved }, "Resolved binary path from user shell");
-            return shellResolved;
-        }
         return identifier;
     }
     pickBinaryCandidate(candidates) {

package/dist/workspaces/opencode-auth.js

@@ -5,6 +5,23 @@ export const DEFAULT_OPENCODE_USERNAME = "codenomad";
 export function generateOpencodeServerPassword() {
     return crypto.randomBytes(32).toString("base64url");
 }
+function readConfiguredValue(key, ...sources) {
+    for (const source of sources) {
+        const value = source?.[key];
+        if (typeof value === "string" && value.trim().length > 0) {
+            return value;
+        }
+    }
+    return undefined;
+}
+export function resolveOpencodeServerAuth(options = {}) {
+    const generatePassword = options.generatePassword ?? generateOpencodeServerPassword;
+    const username = readConfiguredValue(OPENCODE_SERVER_USERNAME_ENV, options.userEnvironment, options.processEnv) ??
+        DEFAULT_OPENCODE_USERNAME;
+    const password = readConfiguredValue(OPENCODE_SERVER_PASSWORD_ENV, options.userEnvironment, options.processEnv) ??
+        generatePassword();
+    return { username, password };
+}
 export function buildOpencodeBasicAuthHeader(params) {
     const username = params.username;
     const password = params.password;

package/dist/workspaces/opencode-auth.test.js

@@ -0,0 +1,34 @@
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { resolveOpencodeServerAuth } from "./opencode-auth";
+describe("resolveOpencodeServerAuth", () => {
+    it("uses configured OpenCode auth from workspace environment", () => {
+        const auth = resolveOpencodeServerAuth({
+            userEnvironment: {
+                OPENCODE_SERVER_USERNAME: "alice",
+                OPENCODE_SERVER_PASSWORD: "secret",
+            },
+            processEnv: {},
+            generatePassword: () => "generated",
+        });
+        assert.deepEqual(auth, { username: "alice", password: "secret" });
+    });
+    it("uses process environment when workspace environment does not provide credentials", () => {
+        const auth = resolveOpencodeServerAuth({
+            userEnvironment: {},
+            processEnv: {
+                OPENCODE_SERVER_PASSWORD: "process-secret",
+            },
+            generatePassword: () => "generated",
+        });
+        assert.deepEqual(auth, { username: "codenomad", password: "process-secret" });
+    });
+    it("falls back to generated credentials", () => {
+        const auth = resolveOpencodeServerAuth({
+            userEnvironment: {},
+            processEnv: {},
+            generatePassword: () => "generated",
+        });
+        assert.deepEqual(auth, { username: "codenomad", password: "generated" });
+    });
+});