{"key":"opencode_sandbox_investigation_2026_04_19","title":"OpenCode Sandbox Investigation — Partially Fixed, Not Signed Off","content":"## Status: PARTIALLY FIXED — NOT SIGNED OFF\n\n## Root Cause (Confirmed)\nThree compounding issues — NOT a security sandbox:\n\n1. Stateless shell execution — bash.ts spawns a fresh subprocess per tool call. ssh, cd, export die when the call ends.\n2. Git worktree abstraction — OpenCode finds nearest .git and creates a worktree. Running from /home/svc-admin caused workspace root to show as / instead of the real cwd.\n3. Misleading prompt text — bash.txt said \"persistent shell session\" which was false. Models assumed ssh svc-dev created a continuing session. It did not.\n\n## Files Involved\n- packages/opencode/src/tool/bash.ts — spawns stateless subprocesses\n- packages/opencode/src/tool/bash.txt — patched by Gemini, but binary may not reflect it\n- packages/opencode/src/project/project.ts — patched with OPENCODE_DISABLE_WORKTREES bypass\n- packages/opencode/src/session/system.ts — assembles env block with workspace root\n\n## Fixes Applied by Gemini\n1. bash.txt patched — now says STATELESS, must use ssh host \"command\" pattern or workdir param\n2. project.ts patched — OPENCODE_DISABLE_WORKTREES=true env var added to skip worktree resolution\n3. Binary rebuilt and reinstalled at /home/svc-admin/.nvm/versions/node/v24.14.0/bin/opencode\n\n## Codex Verification Results\n\nPASSED:\n- Source patch exists for stateless bash guidance\n- Source patch exists for OPENCODE_DISABLE_WORKTREES\n- Worktree bypass changes workspace root from / to real cwd when launched from /home/svc-admin with the flag set\n- One-shot SSH commands work: ssh svc-dev \"pwd && hostname && hostname -I\"\n- Second-person questions no longer trigger docs fetch\n- Brain/MCP no longer says \"physical brain MCP server\"\n\nFAILED / STILL RISKY:\n- Normal mode from /home/svc-admin still reports workspace root /\n- Installed binary still contains old \"persistent shell session\" text per strings output\n- One prompt still gave misleading answer about SSH persistence\n- cd still does not persist between calls\n\n## Assessment (Codex, trusted)\n- Gemini diagnosed the architecture correctly\n- Gemini's conclusion \"that's all it needs\" was too optimistic\n- Codex tested live system behavior and found source/runtime mismatch\n- The live system result matters more than source patches\n- Status: partially fixed, not signed off\n\n## Outstanding Issue — Binary Packaging\nThe installed binary still contains old \"persistent shell session\" text despite source being patched.\nLikely cause: bun is embedding a cached/pre-compiled version of bash.txt at build time.\n\nFix to try before next rebuild:\n  cd /home/svc-admin/ai-projects/projects/opencode\n  bun pm cache rm\n  bun run build --no-cache  (in packages/opencode)\nThen verify: strings ~/.nvm/versions/node/v24.14.0/bin/opencode | grep \"persistent shell\"\nIf no output, binary is clean.\n\n## Premature Action Taken and Reverted\nOPENCODE_DISABLE_WORKTREES=true was added to .bashrc then removed.\nDo NOT make it permanent until binary is verified clean and behavior is validated.\nTest it session-by-session first: OPENCODE_DISABLE_WORKTREES=true opencode\n\n## Correct SSH Pattern for OpenCode\nONE-SHOT only — all commands in a single call:\n  ssh -i /home/svc-admin/.ssh/id_ed25519_homelab svc-admin@192.168.4.123 \"cd /path && command1 && command2\"\n\nNOT separate calls:\n  ssh svc-dev          <- connects then immediately exits\n  ls /some/path        <- runs locally, not on svc-dev\n\n## Practical Conclusion\n- Suitable for local repo work with explicit workdir parameter discipline\n- NOT suitable for stateful remote SSH workflows\n- Gemini CLI and Claude Code use persistent PTY sessions — better for remote SSH work\n","summary":"Root cause identified. Partially fixed. Binary still contains stale prompt text. Do not treat as resolved.","status":"active","namespace":"opencode","namespace_name":"opencode","namespace_tier":"shared","tags":["opencode","sandbox","bash","stateless","worktree","ssh","investigation","gemini","codex","partially-fixed"]}