Root bug tracker. Do not create per-package BUGS.md files.
| ID | Severity | Issue | Location | Status | Next action |
|---|---|---|---|---|---|
| S3 | High | Untrusted .opencode/ autoloading for MCP/plugins |
packages/opencode/src/mcp, packages/opencode/src/plugin |
Mitigated with warning, not fully fixed | Design and implement workspace trust prompt before loading local MCP/plugin config |
No confirmed open runtime bugs.
If a test, typecheck, lint, or runtime failure appears during upstream backports, either fix it in the same PR or add it here with enough detail for a fresh session to reproduce.
No confirmed open test failures. A sandboxed focused run failed on 2026-06-06 because local Bun test servers could not bind port 0; the relevant tests passed after user-approved unsandboxed execution. A pre-existing MCP OAuth browser timeout appeared during a full package run and was fixed in the provider/TUI bundle. PR #41 CI exposed a root Turbo typecheck ordering race between app declaration emission and desktop typecheck, and the provider/TUI bundle fixed it by making typecheck depend on ^typecheck. The latest user-approved unsandboxed full-suite rerun passed with 1579 pass, 8 skip, 0 fail; the latest forced root typecheck passed with 13 successful, 0 cached, 0 fail.
| ID | Severity | Issue | Location | Status | Next action |
|---|---|---|---|---|---|
| E1 | Low | sweep() clock skew when turnWhenSet > currentTurn |
packages/opencode/src/context-edit/index.ts |
Deferred | Fix only if upstream/session turn ordering changes make this reachable |
| ID | Severity | Issue | Location | Status | Next action |
|---|---|---|---|---|---|
| Q1 | Low | Empty .catch(() => {}) blocks can hide real failures |
Various | Deferred | Audit only files touched by current PR; keep intentional benign cleanup comments local |
| Q2 | Low | TODO/FIXME/HACK comments remain | Various | Deferred | Clean when touching affected code |
| Q4 | Medium | Copilot SDK chunk type safety is weak | packages/opencode/src/provider/sdk/copilot/chat/openai-compatible-chat-language-model.ts |
Deferred | Replace boundary casts with explicit chunk types when touching Copilot provider |
| Q5 | Low | Direct process.env usage instead of Env.set |
packages/opencode/src/provider/provider.ts |
Deferred | Revisit during provider/runtime cleanup |
These were not confirmed Frankencode bugs yet. PR 1 and the portable PR 2 reliability items were ported, confirmed present, skipped, or deferred with reasons in PLAN.md.
| SHA | Area | Risk if missing |
|---|---|---|
e76cf967e |
Session | Interrupted assistant messages may not finalize cleanly |
ca28dd02e |
Compaction | Tail turns may be lost after summarization |
The upstream shell truncation stream cleanup e26abd8da was skipped because Frankencode did not have upstream's src/tool/shell.ts truncation stream architecture.
- PR 1 June upstream sync: prompt tool enables already present,
context_length_exceededoverflow parsing already present, compaction transforms already present, LiteLLM_noopdiscouragement, subagenttodowritepermissions, BunZlibErrorretryability, configuredmodel.limit.input,Tool.define()wrapper mutation, read permission relative paths, and Plan Mode subagent deny inheritance. - PR 2 June upstream sync, merged as #39: TypeScript LSP native
tsserverargs, MCP cleanup on failed connection/tool listing/refresh, MCP tolerant tool listing for invalidoutputSchema, and webfetch timeout cleanup already present. - Phase 3 CLI/plugin sync: non-interactive
mcp add, searchable/provider-nameauth logout, and plugindisposehook. - Provider/TUI bundle: provider
headerTimeout, Snowflake Cortex, NVIDIA invoke-origin headers, wide-character paste safety, wrapped inline tool rows, API auth metadata, generated SDK type updates, deterministic MCP OAuth browser callback test completion, and Turbo typecheck ordering for app declarations before desktop typecheck. - Security fixed: S1 symlink containment bypass, S2 command injection in GitHub open flow, S4 unauthenticated non-loopback server, S5 sensitive
.envread exposure. - QA fixed: B53-B64, including CAS transaction/reference safety, edit graph transactions, synthetic ID collisions, plugin trigger errors, objective prompt escaping, MCP add return shape, text timing preservation, ripgrep JSON parse handling, and untracked line counts.
- Earlier fixed bugs: PRs #10-#33 in git history.
| ID | Severity | Issue | Location | Status |
|---|---|---|---|---|
| B51 | Low | ID generator counter is not atomic | packages/opencode/src/id/id.ts |
Acceptable while runtime is single-threaded; revisit if worker threads are added |
- Do not copy old false-positive lists back into active docs; they are historical and should be recovered from git history only if needed.
- Track only confirmed bugs here. Use
PLAN.mdandDO_NEXT.mdfor upstream candidates until reproduced or ported. - If a pre-existing failure is too large to fix during a backport, add a precise reproduction command, observed output summary, and affected files here.