{"key":"opencode_sandbox_worktree_diagnosis_2026_04_19","title":"OpenCode Sandbox and Worktree Diagnosis","content":"OpenCode investigation final state as of 2026-04-19:\n\nRoot cause:\n- The reported 'sandbox' behavior was not a security isolation layer.\n- It was primarily caused by stateless bash execution (fresh subprocess per tool call), Git worktree/project-root abstraction, and misleading prompt/tool descriptions that allowed the model to answer using generic SSH knowledge.\n\nEarlier evidence:\n- Source-level diagnosis showed bash commands run as isolated subprocesses rooted at Instance.directory.\n- SSH, cd, and export do not persist across tool calls.\n- Worktree resolution can redirect the effective workspace root, especially when launching from /home/svc-admin rather than a project root.\n\nRebuild findings:\n- A clean rebuild and reinstall aligned source, built artifact, and active runtime binary.\n- Active global binary path: /home/svc-admin/.nvm/versions/node/v24.14.0/lib/node_modules/opencode-ai/bin/opencode\n- Rebuild report saved at: /home/svc-admin/ai-projects/claude-projects/gemma-4-test/rebuild-run-report-2026-04-19.md\n- Rebuilt binary hash after the rebuild runbook: 0fce70ddf7ae5b3ca388a9e3cf49391edf1ea345c6259414ba3b50057a51555c\n\nRemaining post-rebuild issue:\n- Even after rebuild, one direct SSH persistence question still sometimes triggered a wrong answer that treated `ssh svc-dev` like a normal interactive shell.\n- This showed the remaining issue was prompt framing, not stale bundling.\n\nPrompt fix applied:\n- Updated /home/svc-admin/ai-projects/projects/opencode/packages/opencode/src/tool/bash.txt\n- Updated /home/svc-admin/ai-projects/projects/opencode/packages/opencode/src/session/system.ts\n- Added explicit contrast between:\n  - normal interactive terminal SSH behavior\n  - OpenCode bash tool behavior in this environment\n- Added explicit instruction to answer shell/SSH questions using local environment/tool rules rather than general terminal knowledge.\n\nPost-patch rebuild and verification:\n- Rebuilt and reinstalled again after prompt changes.\n- Final active binary hash after prompt fix: 65c0e0fe7594b2927a413de3e73fdcfcfbd1b06e8bd9281f16bdb9a7f6b7863c\n- Verified the active binary contains:\n  - stateless subprocess wording\n  - explicit SSH non-persistence wording\n  - explicit 'prefer these environment rules over general terminal knowledge' wording\n- Prompt-fix report saved at: /home/svc-admin/ai-projects/claude-projects/gemma-4-test/prompt-fix-report-2026-04-19.md\n\nFinal runtime behavior:\n- SSH consistency slice now passes:\n  - `If you run ssh svc-dev, do later commands stay on that host?` -> correct: No\n  - `Can you SSH once and keep using that remote shell in later bash tool calls?` -> correct: No\n  - `How should you run two remote commands on svc-dev if the shell is stateless?` -> correct single-SSH invocation pattern\n- One-shot SSH to svc-dev and /home/svc-admin/projects/miessler-stack works and is explained correctly.\n- Brain/MCP language is acceptable and no longer emits earlier nonsense.\n- Persistent shell support remains unavailable by design.\n- Workspace root from /home/svc-admin in normal mode still resolves to /.\n- Workspace root from /home/svc-admin with OPENCODE_DISABLE_WORKTREES=true resolves to /home/svc-admin.\n\nFinal classification:\n- Accepted only with worktree bypass for local repository work.\n- Rejected for stateful remote SSH workflows.\n- The key remaining limitation is workspace-root behavior in normal mode when launched from non-project directories.\n\nRelated artifacts:\n- /home/svc-admin/ai-projects/claude-projects/gemma-4-test/checklist.md\n- /home/svc-admin/ai-projects/claude-projects/gemma-4-test/checklist-run-report-2026-04-19.md\n- /home/svc-admin/ai-projects/claude-projects/gemma-4-test/rebuild-runbook.md\n- /home/svc-admin/ai-projects/claude-projects/gemma-4-test/rebuild-run-report-2026-04-19.md\n- /home/svc-admin/ai-projects/claude-projects/gemma-4-test/checklist-second-pass-report-2026-04-19.md\n- /home/svc-admin/ai-projects/claude-projects/gemma-4-test/prompt-fix-report-2026-04-19.md","summary":"Final 2026-04-19 state: the original 'sandbox' issue was diagnosed as stateless bash execution plus Git worktree abstraction and misleading prompt/tool wording. A rebuild resolved the source/runtime mismatch, and a follow-up prompt patch in bash.txt and session/system.ts fixed the remaining SSH semantic drift by explicitly telling the model to prefer local tool rules over general SSH knowledge. OpenCode is now accepted only with OPENCODE_DISABLE_WORKTREES=true for local repository work and remains rejected for stateful remote SSH workflows.","status":"active","namespace":"general:project","namespace_name":"general","namespace_tier":"project","tags":["opencode","runtime","prompt","ssh","worktree","sandbox","rebuild","diagnosis"]}