opencodekit 0.18.18 → 0.18.20

package/dist/index.js

@@ -20,7 +20,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.18.18";
+var version = "0.18.20";
 
 //#endregion
 //#region src/utils/license.ts

package/dist/template/.opencode/plugin/copilot-auth.ts

@@ -67,6 +67,15 @@ const RESPONSES_API_ALTERNATE_INPUT_TYPES = [
 	"reasoning",
 ];
 
+// Expected ID prefixes per Responses API item type.
+// The OpenAI Responses API validates that item IDs start with specific prefixes.
+// GitHub Copilot's backend (especially GPT models) returns non-standard prefixes
+// (e.g., "h_" instead of "fc_") that the API then rejects on replay.
+const RESPONSES_API_EXPECTED_PREFIXES: Record<string, string> = {
+	function_call: "fc_",
+	// function_call_output.call_id prefix is validated directly in sanitizeResponseInputIds
+};
+
 function normalizeDomain(url: string): string {
 	return url.replace(/^https?:\/\//, "").replace(/\/$/, "");
 }
@@ -351,54 +360,161 @@ function swapModelInBody(
 
 // Maximum length for item IDs in the OpenAI Responses API
 const MAX_RESPONSE_API_ID_LENGTH = 64;
+// OpenAI Responses API only allows: letters, numbers, underscores, dashes
+const INVALID_ID_CHARS = /[^a-zA-Z0-9_-]/g;
+
+/** Check if an ID contains characters not allowed by the Responses API */
+function hasInvalidIdChars(id: string): boolean {
+	// Use a non-global regex for .test() to avoid lastIndex state bug
+	return /[^a-zA-Z0-9_-]/.test(id);
+}
+
 /**
- * Sanitize an ID to fit within the Responses API 64-char limit.
- * GitHub Copilot returns proprietary long IDs (400+ chars) that violate
- * the OpenAI spec. We hash them to a deterministic 64-char string.
- * Preserves the original prefix (e.g., "fc_", "msg_", "call_") so that
- * OpenAI's prefix validation passes.
+ * Sanitize an ID for the Responses API.
+ * Handles three issues from GitHub Copilot:
+ * 1. Invalid characters — Copilot IDs contain +, |, /, = (base64-like encoding)
+ * 2. Wrong prefix — GPT models return "h_" instead of "fc_" for function_call items
+ * 3. Excessive length — Copilot returns 400+ char IDs (max is 64)
+ *
+ * Approach matches anomalyco/opencode: replace invalid chars with "_", preserve prefix,
+ * truncate to 64 chars, strip trailing underscores.
+ *
+ * @param id - The original ID to sanitize
+ * @param forcedPrefix - If provided, use this prefix instead of the detected one.
  * See: https://github.com/vercel/ai/issues/5171
  */
-function sanitizeResponseId(id: string): string {
-	if (!id || id.length <= MAX_RESPONSE_API_ID_LENGTH) return id;
-	// Detect and preserve the original prefix (e.g., "fc_", "msg_", "call_", "resp_")
-	// The OpenAI Responses API validates that IDs start with specific prefixes
+function sanitizeResponseId(id: string, forcedPrefix?: string): string {
+	if (!id) return id;
+
+	// Detect the original prefix (e.g., "fc_", "msg_", "call_", "resp_", "h_")
 	const prefixMatch = id.match(/^([a-z]+_)/);
-	const prefix = prefixMatch ? prefixMatch[1] : "";
-	// Hash the full ID for deterministic uniqueness
+	const detectedPrefix = prefixMatch ? prefixMatch[1] : "";
+	const prefix = forcedPrefix ?? detectedPrefix;
+
+	// Strip the original prefix to get the core ID
+	const rawCore = id.slice(detectedPrefix.length);
+	// Replace invalid characters with underscores (same as anomalyco/opencode)
+	const cleanCore = rawCore.replace(INVALID_ID_CHARS, "_").replace(/_+$/g, "");
+
+	// Check if any sanitization is actually needed
+	const needsSanitization = forcedPrefix || hasInvalidIdChars(rawCore) ||
+		id.length > MAX_RESPONSE_API_ID_LENGTH;
+
+	if (!needsSanitization) return id;
+
+	// If result fits within length and core is non-empty, use cleaned core directly
+	if (cleanCore.length > 0 && (prefix.length + cleanCore.length) <= MAX_RESPONSE_API_ID_LENGTH) {
+		return `${prefix}${cleanCore}`;
+	}
+
+	// Hash the full original ID for deterministic uniqueness when truncating
 	let hash = 0;
 	for (let i = 0; i < id.length; i++) {
 		hash = ((hash << 5) - hash + id.charCodeAt(i)) | 0;
 	}
 	const hashStr = Math.abs(hash).toString(36);
-	// Take some chars from after the prefix for additional uniqueness
-	const afterPrefix = id.slice(prefix.length);
 	const maxMiddleLen =
 		MAX_RESPONSE_API_ID_LENGTH - prefix.length - hashStr.length - 1;
-	const middle = afterPrefix.slice(0, Math.max(0, maxMiddleLen));
+	const middle = cleanCore.slice(0, Math.max(0, maxMiddleLen));
 	// Format: prefix + middle + "_" + hash (ensure total <= 64)
-	return `${prefix}${middle}_${hashStr}`.slice(0, MAX_RESPONSE_API_ID_LENGTH);
+	const result = `${prefix}${middle}_${hashStr}`.slice(0, MAX_RESPONSE_API_ID_LENGTH);
+	// Strip trailing underscores from truncation
+	return result.replace(/_+$/, "");
+}
+
+/**
+ * Check if an ID has the expected prefix for its item type.
+ * Returns the expected prefix if the ID is wrong, or null if it's fine.
+ */
+function getExpectedPrefix(item: any): string | null {
+	if (!item || typeof item !== "object" || !item.type) return null;
+	const expected = RESPONSES_API_EXPECTED_PREFIXES[item.type];
+	if (!expected) return null;
+	if (typeof item.id === "string" && !item.id.startsWith(expected)) {
+		return expected;
+	}
+	return null;
+}
+
+/** Check if a string ID needs sanitization (invalid chars or too long) */
+function idNeedsSanitization(id: string): boolean {
+	return id.length > MAX_RESPONSE_API_ID_LENGTH || hasInvalidIdChars(id);
 }
 
 /**
  * Sanitize all IDs in a Responses API input array.
- * Recursively checks `id` and `call_id` fields on each input item.
+ *
+ * Handles THREE classes of invalid IDs:
+ * 1. Invalid characters — Copilot IDs contain +, |, /, = (only [a-zA-Z0-9_-] allowed)
+ * 2. Wrong prefix — Copilot GPT models return IDs like "h_xxx" instead of "fc_xxx"
+ * 3. Excessive length — Copilot returns 400+ char IDs that exceed the 64-char limit.
+ *
+ * Uses a two-pass approach:
+ * - Pass 1: Build an ID remap for all invalid IDs
+ * - Pass 2: Apply the remap to both `id` and `call_id` fields consistently,
+ *   so function_call_output.call_id stays in sync with function_call.id
  */
 function sanitizeResponseInputIds(input: any[]): any[] {
-	return input.map((item: any) => {
-		if (!item || typeof item !== "object") return item;
-		const sanitized = { ...item };
+	// Pass 1: Build ID remapping
+	const idRemap = new Map<string, string>();
+
+	for (const item of input) {
+		if (!item || typeof item !== "object") continue;
+
+		// Check for wrong prefix (e.g., function_call with "h_" instead of "fc_")
+		const expectedPrefix = getExpectedPrefix(item);
+		if (expectedPrefix && typeof item.id === "string" && !idRemap.has(item.id)) {
+			const newId = sanitizeResponseId(item.id, expectedPrefix);
+			if (newId !== item.id) {
+				idRemap.set(item.id, newId);
+			}
+		}
+
+		// Check for invalid chars or excessive length on id
+		if (
+			typeof item.id === "string" &&
+			idNeedsSanitization(item.id) &&
+			!idRemap.has(item.id)
+		) {
+			idRemap.set(item.id, sanitizeResponseId(item.id));
+		}
+
+		// Check for wrong prefix on call_id (defensive: handles truncated conversations
+		// where function_call_output appears without its corresponding function_call)
 		if (
-			typeof sanitized.id === "string" &&
-			sanitized.id.length > MAX_RESPONSE_API_ID_LENGTH
+			item.type === "function_call_output" &&
+			typeof item.call_id === "string" &&
+			!item.call_id.startsWith("fc_") &&
+			!idRemap.has(item.call_id)
 		) {
-			sanitized.id = sanitizeResponseId(sanitized.id);
+			const newCallId = sanitizeResponseId(item.call_id, "fc_");
+			if (newCallId !== item.call_id) {
+				idRemap.set(item.call_id, newCallId);
+			}
 		}
+
+		// Check for invalid chars or excessive length on call_id
 		if (
-			typeof sanitized.call_id === "string" &&
-			sanitized.call_id.length > MAX_RESPONSE_API_ID_LENGTH
+			typeof item.call_id === "string" &&
+			idNeedsSanitization(item.call_id) &&
+			!idRemap.has(item.call_id)
 		) {
-			sanitized.call_id = sanitizeResponseId(sanitized.call_id);
+			idRemap.set(item.call_id, sanitizeResponseId(item.call_id));
+		}
+	}
+
+	// No changes needed
+	if (idRemap.size === 0) return input;
+
+	// Pass 2: Apply remapping to both id and call_id fields
+	return input.map((item: any) => {
+		if (!item || typeof item !== "object") return item;
+		const sanitized = { ...item };
+		if (typeof sanitized.id === "string" && idRemap.has(sanitized.id)) {
+			sanitized.id = idRemap.get(sanitized.id);
+		}
+		if (typeof sanitized.call_id === "string" && idRemap.has(sanitized.call_id)) {
+			sanitized.call_id = idRemap.get(sanitized.call_id);
 		}
 		return sanitized;
 	});
@@ -600,21 +716,22 @@ export const CopilotAuthPlugin: Plugin = async ({ client: sdk }) => {
 
 							// Responses API
 							if (body?.input) {
-								// Sanitize long IDs from Copilot backend (can be 400+ chars)
-								// OpenAI Responses API enforces a 64-char max on item IDs
+								// Sanitize IDs from Copilot backend:
+								// 1. Wrong prefix — GPT models return "h_xxx" instead of "fc_xxx"
+								// 2. Excessive length — Copilot returns 400+ char IDs (max is 64)
 								const sanitizedInput = sanitizeResponseInputIds(body.input);
 								const inputWasSanitized =
 									sanitizedInput !== body.input &&
 									JSON.stringify(sanitizedInput) !== JSON.stringify(body.input);
 
 								if (inputWasSanitized) {
-									log("info", "Sanitized long IDs in Responses API input", {
-										original_count: body.input.filter(
-											(item: any) =>
-												(typeof item?.id === "string" &&
-													item.id.length > MAX_RESPONSE_API_ID_LENGTH) ||
-												(typeof item?.call_id === "string" &&
-													item.call_id.length > MAX_RESPONSE_API_ID_LENGTH),
+									log("info", "Sanitized IDs in Responses API input (prefix or length)", {
+										items_fixed: body.input.filter(
+											(item: any, i: number) =>
+												item && sanitizedInput[i] && (
+													item.id !== sanitizedInput[i].id ||
+													item.call_id !== sanitizedInput[i].call_id
+												),
 										).length,
 									});
 									modifiedBody = {

package/dist/template/.opencode/plugin/lib/notify.ts

@@ -29,13 +29,17 @@ export function isWSL(): boolean {
  */
 export async function notify($: any, title: string, message: string): Promise<void> {
   const platform = process.platform;
-  const safeTitle = title || "OpenCode";
-  const safeMessage = message || "";
 
   try {
     if (platform === "darwin") {
+      // Escape backslashes and double quotes for AppleScript string literals
+      const escapeAS = (s: string) => (s || "").replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+      const safeTitle = escapeAS(title || "OpenCode");
+      const safeMessage = escapeAS(message || "");
       await $`osascript -e ${`display notification "${safeMessage}" with title "${safeTitle}"`}`;
     } else if (platform === "linux") {
+      const safeTitle = title || "OpenCode";
+      const safeMessage = message || "";
       if (isWSL()) {
         // WSL: try notify-send, fail silently
         await $`notify-send ${safeTitle} ${safeMessage}`.catch(() => {});
@@ -43,6 +47,10 @@ export async function notify($: any, title: string, message: string): Promise<vo
         await $`notify-send ${safeTitle} ${safeMessage}`;
       }
     } else if (platform === "win32") {
+      // Escape single quotes for PowerShell string literals
+      const escapePS = (s: string) => (s || "").replace(/'/g, "''");
+      const safeTitle = escapePS(title || "OpenCode");
+      const safeMessage = escapePS(message || "");
       // Windows: PowerShell toast (fire and forget)
       await $`powershell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('${safeMessage}', '${safeTitle}')"`.catch(
         () => {},

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencodekit",
-	"version": "0.18.18",
+	"version": "0.18.20",
 	"description": "CLI tool for bootstrapping and managing OpenCodeKit projects",
 	"keywords": [
 		"agents",