@shuv1337 shuv1337 commented Dec 27, 2025

Summary

  • Sync upstream v1.0.204 into shuvcode-dev
  • Fix TypeScript deep type instantiation error in OpenAPI generation
  • Add dev-dist/ to .gitignore

Changes

  • fix: Resolve TS2589 error caused by fork's additional routes pushing Hono's type depth over TypeScript's limit
  • sync: Merge upstream v1.0.204 with latest features and fixes
  • chore: Add dev-dist/ to packages/app/.gitignore

Commits included

  • Upstream sync (v1.0.204)
  • Desktop permissions
  • Sidebar reorder with collapsible sections
  • Path traversal protection
  • Compaction config improvements
  • mDNS service discovery
  • Various bug fixes and improvements

Greptile Summary

Syncs upstream v1.0.204 into the shuvcode fork and applies a TypeScript fix to resolve the TS2589 deep type instantiation error caused by additional routes in the fork.

Key Changes:

  • TypeScript Fix: Added as any type assertion in openapi() function to prevent Hono's route type depth from exceeding TypeScript's limit
  • Security: Added path traversal protection using Filesystem.contains() checks in File.read() and File.list() with comprehensive test coverage
  • Configuration: Migrated compaction settings from environment flags (OPENCODE_DISABLE_AUTOCOMPACT, OPENCODE_DISABLE_PRUNE) to config-based system (compaction.auto, compaction.prune)
  • mDNS Support: New service discovery module for network advertisement (only publishes on non-loopback hostnames)
  • Server Improvements: Enhanced port binding logic with fallback (tries 4096 first, then random port), added cleanup for mDNS on shutdown
  • API: New GET /permission endpoint to list pending permissions across all sessions
  • UX: Reorganized TUI sidebar with reordered sections (Context → Subagents → MCP → LSP → Changed Files), all sections now collapsible, removed todo section
  • Build: Added dev-dist/ to .gitignore

Notable Implementation Details:

  • Path traversal protection is lexical-only (doesn't resolve symlinks, may have Windows cross-drive issues per TODOs)
  • Session revert cleanup added to compaction endpoint (lines 1140-1141)
  • mDNS service automatically unpublishes on server stop via wrapped stop function

Confidence Score: 4/5

  • This PR is safe to merge with minor considerations for the path traversal protection limitations
  • The PR includes well-tested security improvements (path traversal protection with comprehensive tests), a valid TypeScript workaround for a type depth issue, and sensible architectural improvements (config-based settings, mDNS support). The TypeScript as any cast is appropriately scoped to the OpenAPI generation, and all major changes have corresponding tests. The documented TODOs about symlinks and Windows paths in the security checks are acceptable given the lexical protection is still a significant improvement. Score of 4 (not 5) reflects the type assertion workaround and the known limitations in path traversal protection that should be addressed in future work.
  • Pay attention to packages/opencode/src/file/index.ts - ensure the path traversal TODOs are tracked for future symlink and Windows path resolution

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/opencode/src/server/server.ts | Fixed TypeScript TS2589 error with type assertion, added permission list endpoint, added mDNS support, and improved server port binding logic |
| packages/opencode/src/file/index.ts | Added path traversal protection to File.read() and File.list() using Filesystem.contains check with documented limitations |
| packages/opencode/test/file/path-traversal.test.ts | New comprehensive test suite verifying path traversal protection works correctly for both Filesystem.contains and File API integration |
| packages/opencode/src/session/compaction.ts | Migrated from Flag-based to Config-based compaction settings (compaction.auto and compaction.prune) |
| packages/opencode/src/server/mdns.ts | New mDNS service discovery module using bonjour-service for network service advertisement |
| packages/opencode/src/cli/cmd/tui/routes/session/sidebar.tsx | Reorganized sidebar sections with collapsible UI, removed todo section, moved subagents before MCP, made all sections collapsible |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Server
    participant MDNS
    participant FileAPI
    participant Filesystem
    participant Permission
    participant Config
    participant Compaction

    Note over Client,Server: Server Initialization
    Client->>Server: listen({port, hostname, mdns: true})
    Server->>Server: tryServe(4096) or tryServe(0)
    alt mDNS enabled and non-loopback
        Server->>MDNS: publish(port)
        MDNS-->>Server: service published
    else loopback hostname
        Server->>Server: warn("skipping mDNS publish")
    end
    Server-->>Client: server instance

    Note over Client,FileAPI: File Access with Path Traversal Protection
    Client->>Server: GET /file/content?path=../../../etc/passwd
    Server->>FileAPI: File.read("../../../etc/passwd")
    FileAPI->>Filesystem: contains(projectDir, fullPath)
    Filesystem-->>FileAPI: false (path escapes)
    FileAPI-->>Server: throw "Access denied"
    Server-->>Client: 500 Error

    Client->>Server: GET /file/content?path=valid.txt
    Server->>FileAPI: File.read("valid.txt")
    FileAPI->>Filesystem: contains(projectDir, fullPath)
    Filesystem-->>FileAPI: true
    FileAPI-->>Server: file contents
    Server-->>Client: 200 OK

    Note over Client,Permission: Permission Management
    Client->>Server: GET /permission
    Server->>Permission: list()
    Permission-->>Server: pending permissions array
    Server-->>Client: permissions JSON

    Note over Client,Compaction: Session Compaction
    Client->>Server: Agent completes turn
    Server->>Compaction: isOverflow({tokens, model})
    Compaction->>Config: get()
    Config-->>Compaction: {compaction: {auto: true}}
    Compaction-->>Server: true/false
    alt overflow detected
        Server->>Compaction: prune({sessionID})
        Compaction->>Config: get()
        Config-->>Compaction: {compaction: {prune: true}}
        Compaction->>Compaction: remove old tool calls
    end

    Note over Server,MDNS: Server Shutdown
    Client->>Server: server.stop()
    Server->>MDNS: unpublish()
    MDNS-->>Server: service unpublished
    Server-->>Client: shutdown complete
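
The two limitations the review notes for the lexical path check (symlinks are not resolved, Windows cross-drive paths), shown as an added example that is not code from this PR or from the project. `containsLexical` is an assumed stand-in for the `Filesystem.contains()` check described above, `containsResolved` is one possible hardening, and the temp directory tree is constructed for the demonstration.

```javascript
// Added example, not opencode's code. containsLexical is an ASSUMED stand-in
// for a purely lexical containment check; all file names are constructed.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Lexical check: compares path strings only and never touches the disk.
// `p` selects the path flavour so Windows semantics can be shown on any host.
function containsLexical(parent, child, p = path) {
  return !p.relative(parent, child).startsWith("..");
}

// Hardened variant: resolve symlinks on both sides, then reject ".." escapes
// and absolute results. realpathSync throws if either path does not exist.
function containsResolved(parent, child) {
  const rel = path.relative(fs.realpathSync(parent), fs.realpathSync(child));
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  return !escapes && !path.isAbsolute(rel);
}

// Builds project/ and outside/ in a temp dir, with project/link -> outside.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "contains-demo-"));
  try {
    const project = path.join(root, "project");
    const outside = path.join(root, "outside");
    fs.mkdirSync(project);
    fs.mkdirSync(outside);
    fs.writeFileSync(path.join(project, "valid.txt"), "constructed sample");
    fs.writeFileSync(path.join(outside, "secret.txt"), "constructed sample");
    fs.symlinkSync(outside, path.join(project, "link"), "dir");

    const valid = path.join(project, "valid.txt");
    const dotdot = path.resolve(project, "../outside/secret.txt");
    const viaLink = path.join(project, "link", "secret.txt");
    return {
      validLexical: containsLexical(project, valid),
      validResolved: containsResolved(project, valid),
      dotdotLexical: containsLexical(project, dotdot),     // "../" is caught
      symlinkLexical: containsLexical(project, viaLink),   // symlink is missed
      symlinkResolved: containsResolved(project, viaLink), // symlink is caught
      // win32.relative() across drives returns the absolute target, no "..".
      crossDriveLexical: containsLexical("C:\\proj", "D:\\data\\x.txt", path.win32),
    };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

console.log(demo());
```

The resolved check only works for paths that already exist, so a write path for new files would need to resolve the parent directory instead.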

JackNorris and others added 30 commits December 25, 2025 22:24
Co-authored-by: Github Action <action@github.com>
Co-authored-by: Adam <2363879+adamdotdevin@users.noreply.github.com>
adamdotdevin and others added 25 commits December 26, 2025 14:47
…auto-compaction and pruning via config instead of flags
- Reorder sections: Context, Subagents, MCP, LSP, Changed Files
- Make Context section collapsible with token count summary
- Add collapse indicators to all sections (remove threshold logic)
- Show summaries when collapsed (counts, status info)
- Rename 'Modified Files' to 'Changed Files'
- Remove unused Todo section from sidebar
Merged upstream changes while preserving fork features:
- AskQuestion wizard tool
- Better styling for small screens (tall()/wide() responsive layout)
- Draggable sidebar resize
- Search in messages
- Bash output with ANSI
- Double Ctrl+C to exit
- Live token usage
- Subagents sidebar
- Desktop slash commands, theme/font pickers
- Shuvcode branding and shuv.ai infrastructure

Added from upstream:
- animations_enabled toggle for spinner
- Compaction config (auto/prune options)
- MDNS import for server
- PermissionList types
- Permission toast and sorting
- MCP/LSP status indicators
- New permission-parts styles
…ration

The fork's additional routes pushed Hono's type depth over TypeScript's limit.
Added type cast to break the chain in generateSpecs() call.
@shuv1337
Collaborator Author

@greptileai review

@shuv1337 shuv1337 merged commit 4c43664 into integration Dec 27, 2025
3 checks passed