TypeScript/Bun monorepo (Effect-based) — an opencode fork shipping the altimate CLI/TUI: deterministic SQL/dbt/lineage/FinOps tooling embeddable under any LLM agent, plus a GitHub Action for automated dbt PR review.
CI here enforces type-safety and marker presence, not runtime correctness of async/Effect flows, cross-platform behavior, or security-sensitive edges (permission checks, auth, path/HTML escaping). Focus review effort there.
bun turbo typecheck/tsc— pure type errors, unused type imports. If it compiles, don't relitigate types.- Marker Guard — presence/format of
altimate_changemarker comments is enforced by a dedicated CI job (marker-guardinci.yml, see #872, #904), not at compile time. Don't flag a missing marker as a guess; CI will fail the PR. Do still flag misuse (see Focus Areas below) since Marker Guard checks presence, not correctness. anti-slop.yml— advisory only (made non-blocking after #741 auto-closed legitimate PRs); don't treat its output as a merge gate.- PR title/standards (
pr-standards.yml) — conventional-commit-style title checks are automated; don't nitpick title format. - Pre-existing issues in code the diff doesn't touch.
- If a PR only touches
.claude/skills, docs, or trivial config, skip deep review — see Comment style.
Before flagging: trace the actual caller and the actual shipped surface. This repo carries a parallel, unshipped "V2" runtime (packages/server HttpApi, V2 projectors) alongside the shipped one (packages/opencode/src/server). Reviewers repeatedly had to correct findings that assumed V2 code was live. Always confirm which surface a change lands on before asserting impact.
- Critical: permission/auth bypass, unawaited Effect discarding a check, path/HTML injection, data loss on the shipped session/trace path, race conditions in shared session/worker state.
- Warning: env/config resolution edge cases, cache invalidation gaps, retry/timeout values not justified by evidence, cross-platform assumptions (macOS-only paths, bash
set -ucrashes), test isolation leaks. - Nit: naming, comment clarity, minor duplication, non-shipped-surface cosmetics.
-
Effect values awaited without running them (Critical).
ctx.ask(...)-style helpers return anEffect, not a Promise;await effectValueawaits the object, never executes it — this shipped a real permission-check bypass (fixed viaawait AppRuntime.runPromise(ctx.ask(...))). Flag when anEffect.promise/Effect.gen-returning function is passed directly toawait. Verify the function's return type first — Effect wrapping is easy to miss because it still type-checks. -
Race conditions in session/worker/tool lifecycle (Critical, ~12 fix commits). Concurrent access to shared state (session cancel/idle flags, worker/server stop, file writes, dispatcher registries) without ordering guarantees:
cancel()race + idle state on normal loop exit (#845), worker/serverstop()moved intofinallyso an invalid--sessionno longer leaks them, stale-file race + error misclassification (#611), DuckDB concurrent-access retry. Flag when new code mutates session/worker/cache state from more than one async path without a lock orfinally-guaranteed cleanup. Verify cleanup runs on both success and error/cancel paths. -
Env-var / config resolution correctness (Warning→Critical, 8 fix commits). MCP config
${VAR}interpolation needs full/recursive resolution, not single-pass; config-key normalization (mcpServers→mcp) and installer env injection have shipped broken more than once. Flag when a diff touches config loading or${VAR}interpolation. Verify resolution is applied everywhere the config is consumed, not just at one call site. -
Fork-merge hygiene:
altimate_changemarker misuse (Warning). Every line diverging from upstreamopencodemust sit inside analtimate_change start/endmarker (100% coverage is the current bar — 98 files/407 blocks). Marker Guard checks presence, not correctness. Flag: (a) redundant new markers nested inside an already-marked block (previously false-positived, #904); (b) upstream-only APIs (LanguageModelV3*,specificationVersion: "v3") leaking into code that intentionally stays on@ai-sdk/provider@2.0.1/LanguageModelV2*— should be reverted/bridged, not silently upgraded. -
Auth/permission surface confusion (V2 vs shipped) (Critical to flag correctly, Nit to over-flag). The shipped permission/OAuth routes live under
packages/opencode/src/server; a structurally similar but unshipped V2 HttpApi exists underpackages/server. Flag when a change weakens the shipped surface's check. Verify first which surface a route lives under — past "bugs" here were false positives against the dead V2 path. -
Telemetry/trace data loss across turns (Warning). Trace waterfall, summary prompt, and chat tab have each independently lost data after an agent turn (trace corruption #865/#867, diff totals not persisted to session summary). Flag when new trace/telemetry-read state isn't confirmed to be re-published after summarize/snapshot/restart.
-
dbt/warehouse connector correctness (Warning, dbt=15 + snowflake/databricks/clickhouse — largest keyword cluster). dbt YAML file-kind classification, surfacing real dbt errors instead of generic "Could not parse", and warehouse-specific SQL (BigQuery
INFORMATION_SCHEMA, Snowflake Cortex gating) have each shipped wrong. Flag when a diff edits a dbt file-kind regex or warehouse-specific SQL template. Verify file-kind matching handles.py/.md(not just.sql/.yml) and matches the most specific path segment, not the first match from root. -
SQL/HTML injection in generated strings (Critical, rare but severe). Hand-built SQL/HTML instead of parameterized binds/escaping: parameterized binds replaced
escapeSqlStringin finops/schema (#277); XSS fixed inoauth-callback.ts/plugin/codex.tsviaescapeHtml(); symlink escape inplugin/shared.tsfixed viaFilesystem.containsReal(resolves symlinks) instead of.contains. Flag any new SQL/HTML string interpolation of external input, or path-containment checks that don't resolve symlinks first. -
Schema/config cache invalidation (Warning).
Config.update()/updateGlobal()needed to explicitly invalidate the per-directoryScopedCache(disposal alone didn't clear it); webfetch 404s were cached too long. Flag new cached derived values from config/fetch without an explicit invalidation path. -
Cross-platform shell/path assumptions (Nit→Warning, dense in
.claude/skills/*review comments). Scripts hardcode macOS paths (Homebrew, Chrome.app,java_home), assume Bash ≥4.4 array expansion underset -u, or skip forcing UTF-8 locale. Flag.shedits usingset -uwith array expansions, single-OS hardcoded paths with no fallback, or legacyjava -versionparsing. -
Test isolation leaks under parallel CI (Warning).
mock.module/dispatcherreset()leaked state across test files (52 CI failures fixed via #460). Flag new tests using global mocks/dispatchers without confirmed teardown under parallelbun test.
- Effect (
effectv4 beta) is used pervasively;Effect.promise/Effect.sync-returning functions look like normal async functions but must be run viaAppRuntime.runPromise(or equivalent) — a bareawaitsilently no-ops the effect. - Ships two SDK generations:
LanguageModelV2*(@ai-sdk/provider@2.0.1, current) vsV3(upstream-only) — V3 types/fields must not appear in code on the shipped path. packages/opencode/src/serveris the shipped server;packages/serveris a not-yet-shipped V2 HttpApi — don't assume the latter affects users.- The binary ships as
altimate(npm exposes bothaltimateandaltimate-codeon PATH); dbt/dbt-tools and skills are bundled into the published binary, so unbundled-dependency regressions (e.g..nodebinaries,@altimateai/altimate-core) break the published artifact even whenbun runin dev works fine. - SQLite is the storage engine (
bun:sqlite, migrated offbetter-sqlite3); schema is core-owned — a fresh DB may lack columns the fork's queries assume (permission.datawas one such case).
@ts-expect-error/documentedas anycasts left in provider/TUI bridge code for known upstream SDK-shape mismatches during a bridge-merge PR (e.g. opentuitraits, markdownfgprop) — these are intentionally temporary and explained inline.- Tying cleanup lifecycles to
server.instance.disposedinstead of anEffectscope — reviewers explicitly declined this refactor as changing instance-bootstrap semantics for no correctness gain.
packages/opencode/src/server/** core routing, db.ts/storage migration code, install/install.ps1, .github/workflows/*.yml, patches/, bun.lock, packages/*/package.json version pins, anything under test/upstream/ (bridge-merge regression suite).
Exact-line comments, one finding each, most-severe first. Prefer a suggestion block over prose when the fix is a small diff. Skip deep review of doc-only, .claude/ skill, and CHANGELOG-only diffs — a clean diff gets lgtm.