feat(lib): preinstall opencode + oh-my-opencode

Author: skulidropek

packages/lib/src/core/templates-entrypoint.ts

@@ -19,6 +19,7 @@ import {
 } from "./templates-entrypoint/codex.js"
 import { renderEntrypointGitConfig, renderEntrypointGitHooks } from "./templates-entrypoint/git.js"
 import { renderEntrypointDockerGitBootstrap } from "./templates-entrypoint/nested-docker-git.js"
+import { renderEntrypointOpenCodeConfig } from "./templates-entrypoint/opencode.js"
 import { renderEntrypointBackgroundTasks } from "./templates-entrypoint/tasks.js"
 import {
   renderEntrypointBashCompletion,
@@ -33,6 +34,7 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
     renderEntrypointAuthorizedKeys(config),
     renderEntrypointCodexHome(config),
     renderEntrypointCodexSharedAuth(config),
+    renderEntrypointOpenCodeConfig(config),
     renderEntrypointDockerGitBootstrap(config),
     renderEntrypointMcpPlaywright(config),
     renderEntrypointZshShell(config),

packages/lib/src/core/templates-entrypoint/codex.ts

@@ -182,7 +182,7 @@ $MANAGED_END
 EOF
 )"
   cat <<EOF > "$AGENTS_PATH"
-Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, opencode, oh-my-opencode, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
 $MANAGED_BLOCK
 Если ты видишь файлы AGENTS.md внутри проекта, ты обязан их читать и соблюдать инструкции.
 EOF

packages/lib/src/core/templates-entrypoint/opencode.ts

@@ -0,0 +1,87 @@
+import type { TemplateConfig } from "../domain.js"
+
+// CHANGE: bootstrap OpenCode config (permissions + plugins) and share OpenCode auth.json across projects
+// WHY: make OpenCode usable out-of-the-box inside disposable docker-git containers
+// QUOTE(ТЗ): "Preinstall OpenCode and oh-my-opencode with full authorization of existing tools"
+// REF: issue-34
+// SOURCE: n/a
+// FORMAT THEOREM: forall s: start(s) -> config_exists(s)
+// PURITY: CORE
+// INVARIANT: never overwrites an existing opencode.json/opencode.jsonc
+// COMPLEXITY: O(1)
+export const renderEntrypointOpenCodeConfig = (config: TemplateConfig): string =>
+  `# OpenCode: share auth.json across projects (so /connect is one-time)
+OPENCODE_SHARE_AUTH="\${OPENCODE_SHARE_AUTH:-1}"
+if [[ "$OPENCODE_SHARE_AUTH" == "1" ]]; then
+  OPENCODE_DATA_DIR="/home/${config.sshUser}/.local/share/opencode"
+  OPENCODE_AUTH_FILE="$OPENCODE_DATA_DIR/auth.json"
+
+  # Store in the shared auth volume to persist across projects/containers.
+  OPENCODE_SHARED_HOME="${config.codexHome}-shared/opencode"
+  OPENCODE_SHARED_AUTH_FILE="$OPENCODE_SHARED_HOME/auth.json"
+
+  mkdir -p "$OPENCODE_DATA_DIR" "$OPENCODE_SHARED_HOME"
+  chown -R 1000:1000 "$OPENCODE_DATA_DIR" "$OPENCODE_SHARED_HOME" || true
+
+  # Guard against a bad bind mount creating a directory at auth.json.
+  if [[ -d "$OPENCODE_AUTH_FILE" ]]; then
+    mv "$OPENCODE_AUTH_FILE" "$OPENCODE_AUTH_FILE.bak-$(date +%s)" || true
+  fi
+
+  # Migrate existing per-project auth into the shared location once.
+  if [[ -f "$OPENCODE_AUTH_FILE" && ! -L "$OPENCODE_AUTH_FILE" ]]; then
+    if [[ -f "$OPENCODE_SHARED_AUTH_FILE" ]]; then
+      LOCAL_AUTH="$OPENCODE_AUTH_FILE" SHARED_AUTH="$OPENCODE_SHARED_AUTH_FILE" node - <<'NODE'
+const fs = require("fs")
+const localPath = process.env.LOCAL_AUTH
+const sharedPath = process.env.SHARED_AUTH
+const readJson = (p) => {
+  try {
+    return JSON.parse(fs.readFileSync(p, "utf8"))
+  } catch {
+    return {}
+  }
+}
+const local = readJson(localPath)
+const shared = readJson(sharedPath)
+const merged = { ...local, ...shared } // shared wins on conflicts
+fs.writeFileSync(sharedPath, JSON.stringify(merged, null, 2), { mode: 0o600 })
+NODE
+    else
+      cp "$OPENCODE_AUTH_FILE" "$OPENCODE_SHARED_AUTH_FILE" || true
+      chmod 600 "$OPENCODE_SHARED_AUTH_FILE" || true
+    fi
+    chown 1000:1000 "$OPENCODE_SHARED_AUTH_FILE" || true
+    rm -f "$OPENCODE_AUTH_FILE" || true
+  fi
+
+  ln -sf "$OPENCODE_SHARED_AUTH_FILE" "$OPENCODE_AUTH_FILE"
+fi
+
+# OpenCode: ensure global config exists (plugins + permissions)
+OPENCODE_CONFIG_DIR="/home/${config.sshUser}/.config/opencode"
+OPENCODE_CONFIG_JSON="$OPENCODE_CONFIG_DIR/opencode.json"
+OPENCODE_CONFIG_JSONC="$OPENCODE_CONFIG_DIR/opencode.jsonc"
+
+mkdir -p "$OPENCODE_CONFIG_DIR"
+chown -R 1000:1000 "$OPENCODE_CONFIG_DIR" || true
+
+if [[ ! -f "$OPENCODE_CONFIG_JSON" && ! -f "$OPENCODE_CONFIG_JSONC" ]]; then
+  cat <<'EOF' > "$OPENCODE_CONFIG_JSON"
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["oh-my-opencode"],
+  "permission": {
+    "doom_loop": "allow",
+    "external_directory": "allow",
+    "read": {
+      "*": "allow",
+      "*.env": "allow",
+      "*.env.*": "allow",
+      "*.env.example": "allow"
+    }
+  }
+}
+EOF
+  chown 1000:1000 "$OPENCODE_CONFIG_JSON" || true
+fi`

packages/lib/src/core/templates/dockerfile.ts

@@ -31,15 +31,22 @@ RUN printf "export NVM_DIR=/usr/local/nvm\\n[ -s /usr/local/nvm/nvm.sh ] && . /u
   > /etc/profile.d/nvm.sh && chmod 0644 /etc/profile.d/nvm.sh`
 
 const renderDockerfileBunPrelude = (config: TemplateConfig): string =>
-  `# Tooling: pnpm + Codex CLI (bun)
+  `# Tooling: pnpm + Codex CLI + oh-my-opencode (bun)
 RUN corepack enable && corepack prepare pnpm@${config.pnpmVersion} --activate
 ENV BUN_INSTALL=/usr/local/bun
 ENV TERM=xterm-256color
 ENV PATH="/usr/local/bun/bin:$PATH"
 RUN curl -fsSL https://bun.sh/install | bash
 RUN ln -sf /usr/local/bun/bin/bun /usr/local/bin/bun
-RUN script -q -e -c "bun add -g @openai/codex@latest" /dev/null
-RUN ln -sf /usr/local/bun/bin/codex /usr/local/bin/codex`
+RUN script -q -e -c "bun add -g @openai/codex@latest oh-my-opencode@latest" /dev/null
+RUN ln -sf /usr/local/bun/bin/codex /usr/local/bin/codex
+RUN ln -sf /usr/local/bun/bin/oh-my-opencode /usr/local/bin/oh-my-opencode`
+
+const renderDockerfileOpenCode = (): string =>
+  `# Tooling: OpenCode (binary)
+RUN HOME=/usr/local curl -fsSL https://opencode.ai/install | bash -s -- --no-modify-path
+RUN ln -sf /usr/local/.opencode/bin/opencode /usr/local/bin/opencode
+RUN opencode --version`
 
 const dockerfilePlaywrightMcpBlock = String.raw`RUN npm install -g @playwright/mcp@latest
 
@@ -151,6 +158,7 @@ export const renderDockerfile = (config: TemplateConfig): string =>
     renderDockerfilePrompt(),
     renderDockerfileNode(),
     renderDockerfileBun(config),
+    renderDockerfileOpenCode(),
     renderDockerfileUsers(config),
     renderDockerfileWorkspace(config)
   ].join("\n\n")

packages/lib/tests/usecases/prepare-files.test.ts

@@ -107,6 +107,10 @@ describe("prepareProjectFiles", () => {
         expect(dockerfile).toContain("docker-compose-v2")
         expect(entrypoint).toContain('DOCKER_GIT_HOME="/home/dev/.docker-git"')
         expect(entrypoint).toContain('SOURCE_SHARED_AUTH="/home/dev/.codex-shared/auth.json"')
+        expect(entrypoint).toContain('OPENCODE_DATA_DIR="/home/dev/.local/share/opencode"')
+        expect(entrypoint).toContain('OPENCODE_SHARED_HOME="/home/dev/.codex-shared/opencode"')
+        expect(entrypoint).toContain('OPENCODE_CONFIG_DIR="/home/dev/.config/opencode"')
+        expect(entrypoint).toContain('"plugin": ["oh-my-opencode"]')
         expect(composeBefore).toContain(":/home/dev/.docker-git")
         expect(composeBefore).not.toContain("dg-test-browser")