fix(opencode): harden external runtime contract

README.md

@@ -93,6 +93,7 @@ Then add these values to `apps/sim/.env`:
 
 ```env
 NEXT_PUBLIC_OPENCODE_ENABLED=true
+OPENCODE_REPOSITORY_ROOT=/app/repos
 OPENCODE_SERVER_USERNAME=opencode
 OPENCODE_SERVER_PASSWORD=change-me
 OPENCODE_REPOS=https://github.com/octocat/Hello-World.git
@@ -134,6 +135,7 @@ Local vs production behavior:
 - `docker-compose.opencode.local.yml`
   - adds OpenCode locally without changing the base local compose file
   - publishes `OPENCODE_PORT` to the host so `next dev` on the host can talk to OpenCode
+  - defaults `OPENCODE_REPOSITORY_ROOT=/app/repos`
   - defaults `OPENCODE_SERVER_USERNAME=opencode`
   - defaults `OPENCODE_SERVER_PASSWORD=dev-opencode-password` if you do not set one explicitly
 - `docker-compose.prod.yml`
@@ -143,7 +145,8 @@ Local vs production behavior:
   - builds the OpenCode runtime locally from this repository instead of requiring an official Sim-hosted image
   - injects the required `NEXT_PUBLIC_OPENCODE_ENABLED` and `OPENCODE_*` variables into `simstudio`
   - keeps OpenCode internal to the Docker network with `expose`, not a published host port
-  - expects `OPENCODE_SERVER_PASSWORD` to be set explicitly
+  - defaults `OPENCODE_REPOSITORY_ROOT=/app/repos`
+  - requires `OPENCODE_SERVER_PASSWORD` to be set explicitly before `docker compose` starts
 
 Production deploy command:
 
@@ -168,10 +171,10 @@ Without that override, host-side Next.js cannot reliably reach the Docker servic
 Notes:
 
 - If `OPENCODE_REPOS` is empty, `opencode` still starts but no repositories are cloned.
-- Repositories are cloned into `/app/repos/<repo-name>`.
+- Repositories are cloned into `${OPENCODE_REPOSITORY_ROOT:-/app/repos}/<repo-name>`.
 - Private Azure Repos must use `https` plus `GIT_USERNAME` and `GIT_TOKEN`; the container will not prompt interactively for passwords.
 - `GOOGLE_GENERATIVE_AI_API_KEY` is optional; the optional overlays map it automatically from `GEMINI_API_KEY` if not set.
-- If you prefer to run OpenCode in separate infrastructure, skip the overlays and point Sim at that deployment with `OPENCODE_BASE_URL`, `OPENCODE_SERVER_USERNAME`, and `OPENCODE_SERVER_PASSWORD`.
+- If you prefer to run OpenCode in separate infrastructure, skip the overlays and point Sim at that deployment with `OPENCODE_BASE_URL`, `OPENCODE_SERVER_USERNAME`, `OPENCODE_SERVER_PASSWORD`, and the matching `OPENCODE_REPOSITORY_ROOT`.
 
 Basic verification after startup:
 

apps/sim/.env.example

@@ -36,6 +36,7 @@ API_ENCRYPTION_KEY=your_api_encryption_key # Use `openssl rand -hex 32` to gener
 # OPENCODE_BASE_URL=http://opencode:4096    # Use this when SIM and OpenCode both run in Docker Compose
 #                                           # Or point this to any separate OpenCode deployment that implements the same auth contract
 # OPENCODE_PORT=4096
+# OPENCODE_REPOSITORY_ROOT=/app/repos       # Must match the repository root used by the OpenCode runtime, including external deployments
 # OPENCODE_SERVER_USERNAME=opencode
 # OPENCODE_SERVER_PASSWORD=change-me  # Required for the internal OpenCode service
 # OPENCODE_REPOS=https://github.com/org/ui-components,https://github.com/org/design-tokens

apps/sim/lib/opencode/service.ts

@@ -15,7 +15,7 @@ import { and, eq, isNull } from 'drizzle-orm'
 import { createOpenCodeClient } from '@/lib/opencode/client'
 
 const logger = createLogger('OpenCodeService')
-const OPEN_CODE_REPOSITORY_ROOT = '/app/repos'
+const DEFAULT_OPEN_CODE_REPOSITORY_ROOT = '/app/repos'
 
 export interface OpenCodeRepositoryOption {
   id: string
@@ -77,6 +77,19 @@ export interface OpenCodeMessageItem {
   createdAt: number
 }
 
+function getOpenCodeRepositoryRoot(): string {
+  const configuredRoot = process.env.OPENCODE_REPOSITORY_ROOT?.trim()
+  if (!configuredRoot) {
+    return DEFAULT_OPEN_CODE_REPOSITORY_ROOT
+  }
+
+  if (configuredRoot === '/') {
+    return configuredRoot
+  }
+
+  return configuredRoot.replace(/\/+$/, '')
+}
+
 function stripGitSuffix(value: string): string {
   return value.endsWith('.git') ? value.slice(0, -4) : value
 }
@@ -140,19 +153,21 @@ function listConfiguredOpenCodeRepositoryNames(): string[] {
 }
 
 function getRepositoryName(repository: string): string {
-  if (repository.startsWith(OPEN_CODE_REPOSITORY_ROOT)) {
-    return repository.slice(OPEN_CODE_REPOSITORY_ROOT.length + 1)
+  const repositoryRoot = getOpenCodeRepositoryRoot()
+
+  if (repository.startsWith(`${repositoryRoot}/`)) {
+    return repository.slice(repositoryRoot.length + 1)
   }
 
   return repository
 }
 
 function buildOpenCodeRepositoryDirectory(repository: string): string {
-  return `${OPEN_CODE_REPOSITORY_ROOT}/${repository}`
+  return `${getOpenCodeRepositoryRoot()}/${repository}`
 }
 
 function isProjectInsideRepositoryRoot(project: Project): boolean {
-  return project.worktree.startsWith(`${OPEN_CODE_REPOSITORY_ROOT}/`)
+  return project.worktree.startsWith(`${getOpenCodeRepositoryRoot()}/`)
 }
 
 function mapProjectToRepositoryOption(project: Project): OpenCodeRepositoryOption {

docker-compose.opencode.local.yml

@@ -10,6 +10,7 @@ services:
       - '4096'
     environment:
       - OPENCODE_PORT=${OPENCODE_PORT:-4096}
+      - OPENCODE_REPOSITORY_ROOT=${OPENCODE_REPOSITORY_ROOT:-/app/repos}
       - OPENCODE_SERVER_USERNAME=${OPENCODE_SERVER_USERNAME:-opencode}
       - OPENCODE_SERVER_PASSWORD=${OPENCODE_SERVER_PASSWORD:-dev-opencode-password}
       - OPENCODE_REPOS=${OPENCODE_REPOS:-}
@@ -21,7 +22,7 @@ services:
       - GEMINI_API_KEY=${GEMINI_API_KEY:-${GEMINI_API_KEY_1:-}}
       - GOOGLE_GENERATIVE_AI_API_KEY=${GOOGLE_GENERATIVE_AI_API_KEY:-${GEMINI_API_KEY:-${GEMINI_API_KEY_1:-}}}
     volumes:
-      - opencode_repos:/app/repos
+      - opencode_repos:${OPENCODE_REPOSITORY_ROOT:-/app/repos}
       - opencode_data:/home/opencode/.local/share/opencode
     healthcheck:
       test: ['CMD', '/usr/local/bin/opencode-healthcheck.sh']
@@ -35,6 +36,7 @@ services:
       - NEXT_PUBLIC_OPENCODE_ENABLED=${NEXT_PUBLIC_OPENCODE_ENABLED:-true}
       - OPENCODE_BASE_URL=${OPENCODE_BASE_URL:-http://opencode:${OPENCODE_PORT:-4096}}
       - OPENCODE_PORT=${OPENCODE_PORT:-4096}
+      - OPENCODE_REPOSITORY_ROOT=${OPENCODE_REPOSITORY_ROOT:-/app/repos}
       - OPENCODE_SERVER_USERNAME=${OPENCODE_SERVER_USERNAME:-opencode}
       - OPENCODE_SERVER_PASSWORD=${OPENCODE_SERVER_PASSWORD:-dev-opencode-password}
       - OPENCODE_REPOS=${OPENCODE_REPOS:-}

docker-compose.opencode.yml

@@ -8,8 +8,9 @@ services:
       - '4096'
     environment:
       - OPENCODE_PORT=${OPENCODE_PORT:-4096}
+      - OPENCODE_REPOSITORY_ROOT=${OPENCODE_REPOSITORY_ROOT:-/app/repos}
       - OPENCODE_SERVER_USERNAME=${OPENCODE_SERVER_USERNAME:-opencode}
-      - OPENCODE_SERVER_PASSWORD=${OPENCODE_SERVER_PASSWORD}
+      - OPENCODE_SERVER_PASSWORD=${OPENCODE_SERVER_PASSWORD:?OPENCODE_SERVER_PASSWORD is required for docker-compose.opencode.yml}
       - OPENCODE_REPOS=${OPENCODE_REPOS:-}
       - GIT_USERNAME=${GIT_USERNAME:-}
       - GIT_TOKEN=${GIT_TOKEN:-}
@@ -19,7 +20,7 @@ services:
       - GEMINI_API_KEY=${GEMINI_API_KEY:-${GEMINI_API_KEY_1:-}}
       - GOOGLE_GENERATIVE_AI_API_KEY=${GOOGLE_GENERATIVE_AI_API_KEY:-${GEMINI_API_KEY:-${GEMINI_API_KEY_1:-}}}
     volumes:
-      - opencode_repos:/app/repos
+      - opencode_repos:${OPENCODE_REPOSITORY_ROOT:-/app/repos}
       - opencode_data:/home/opencode/.local/share/opencode
     healthcheck:
       test: ['CMD', '/usr/local/bin/opencode-healthcheck.sh']
@@ -33,8 +34,9 @@ services:
       - NEXT_PUBLIC_OPENCODE_ENABLED=${NEXT_PUBLIC_OPENCODE_ENABLED:-true}
       - OPENCODE_BASE_URL=${OPENCODE_BASE_URL:-http://opencode:${OPENCODE_PORT:-4096}}
       - OPENCODE_PORT=${OPENCODE_PORT:-4096}
+      - OPENCODE_REPOSITORY_ROOT=${OPENCODE_REPOSITORY_ROOT:-/app/repos}
       - OPENCODE_SERVER_USERNAME=${OPENCODE_SERVER_USERNAME:-opencode}
-      - OPENCODE_SERVER_PASSWORD=${OPENCODE_SERVER_PASSWORD}
+      - OPENCODE_SERVER_PASSWORD=${OPENCODE_SERVER_PASSWORD:?OPENCODE_SERVER_PASSWORD is required for docker-compose.opencode.yml}
       - OPENCODE_REPOS=${OPENCODE_REPOS:-}
     depends_on:
       opencode:

docker/opencode/README.md

@@ -15,6 +15,7 @@ This service runs `opencode serve` for Sim. It backs the optional `OpenCode` wor
 At minimum, set:
 
 ```env
+OPENCODE_REPOSITORY_ROOT=/app/repos
 OPENCODE_SERVER_USERNAME=opencode
 OPENCODE_SERVER_PASSWORD=change-me
 OPENCODE_REPOS=https://github.com/octocat/Hello-World.git
@@ -24,9 +25,10 @@ GEMINI_API_KEY=your-gemini-key
 Notes:
 
 - The UI block is intentionally hidden until `NEXT_PUBLIC_OPENCODE_ENABLED=true` is set on the Sim app.
+- `OPENCODE_REPOSITORY_ROOT` defaults to `/app/repos` and must match the path Sim uses when it resolves repository directories.
 - `OPENCODE_SERVER_USERNAME` defaults to `opencode` in the optional compose overlays if omitted.
 - `docker-compose.opencode.local.yml` defaults `OPENCODE_SERVER_PASSWORD` to `dev-opencode-password`, but setting it explicitly is safer and avoids app/container credential drift.
-- `docker-compose.opencode.yml` requires `OPENCODE_SERVER_PASSWORD` to be provided from the environment.
+- `docker-compose.opencode.yml` requires `OPENCODE_SERVER_PASSWORD` to be provided from the environment before `docker compose` starts.
 - OpenCode needs at least one provider key to answer prompts:
   - `OPENAI_API_KEY`
   - `ANTHROPIC_API_KEY`
@@ -48,7 +50,7 @@ Azure Repos over HTTPS is also supported. Example:
 OPENCODE_REPOS=https://dev.azure.com/org/project/_git/repo
 ```
 
-Each repository is cloned into `/app/repos/<repo-name>`. On restart, existing clones are updated with `git pull --ff-only`. A background cron sync retries every 15 minutes.
+Each repository is cloned into `${OPENCODE_REPOSITORY_ROOT:-/app/repos}/<repo-name>`. On restart, existing clones are updated with `git pull --ff-only`. A background cron sync retries every 15 minutes.
 
 For private repositories, provide HTTPS credentials with one of these options:
 
@@ -68,6 +70,7 @@ Add this to `apps/sim/.env`:
 ```env
 NEXT_PUBLIC_OPENCODE_ENABLED=true
 OPENCODE_BASE_URL=http://127.0.0.1:4096
+OPENCODE_REPOSITORY_ROOT=/app/repos
 OPENCODE_SERVER_USERNAME=opencode
 OPENCODE_SERVER_PASSWORD=change-me
 ```
@@ -119,9 +122,9 @@ Production should use the base compose plus the OpenCode overlay:
 docker compose -f docker-compose.prod.yml -f docker-compose.opencode.yml up -d --build
 ```
 
-The overlay injects `NEXT_PUBLIC_OPENCODE_ENABLED`, `OPENCODE_BASE_URL`, `OPENCODE_PORT`, `OPENCODE_SERVER_USERNAME`, and `OPENCODE_SERVER_PASSWORD` into `simstudio`, so the app can authenticate against the internal OpenCode server without changing `docker-compose.prod.yml`.
+The overlay injects `NEXT_PUBLIC_OPENCODE_ENABLED`, `OPENCODE_BASE_URL`, `OPENCODE_PORT`, `OPENCODE_REPOSITORY_ROOT`, `OPENCODE_SERVER_USERNAME`, and `OPENCODE_SERVER_PASSWORD` into `simstudio`, so the app can authenticate against the internal OpenCode server without changing `docker-compose.prod.yml`.
 
-If you prefer to run OpenCode in separate infrastructure, skip the overlay and set the same app variables directly on the Sim deployment.
+If you prefer to run OpenCode in separate infrastructure, skip the overlay and set the same app variables directly on the Sim deployment. The external OpenCode runtime must expose project worktrees under the same `OPENCODE_REPOSITORY_ROOT` that Sim is configured to use.
 
 OpenCode stays internal to the Docker network, so verify from another container:
 
@@ -166,4 +169,4 @@ The SDK also supports injecting extra per-session context without triggering a r
 ## Notes
 
 - Session retention is not managed yet. OpenCode data persists until the `opencode_data` volume is pruned.
-- The compose overlays are convenience wrappers. The app can also target any compatible external OpenCode deployment through `OPENCODE_BASE_URL` plus the same server credentials.
+- The compose overlays are convenience wrappers. The app can also target any compatible external OpenCode deployment through `OPENCODE_BASE_URL`, the same server credentials, and the same `OPENCODE_REPOSITORY_ROOT`.

docker/opencode/entrypoint.sh

@@ -11,6 +11,7 @@ write_runtime_env() {
     HOME
     PATH
     OPENCODE_REPOS
+    OPENCODE_REPOSITORY_ROOT
     GIT_USERNAME
     GIT_TOKEN
     GITHUB_TOKEN
@@ -76,6 +77,7 @@ EOF
 main() {
   : "${OPENCODE_PORT:=4096}"
   : "${OPENCODE_SERVER_USERNAME:=opencode}"
+  : "${OPENCODE_REPOSITORY_ROOT:=/app/repos}"
 
   if [[ -z "${OPENCODE_SERVER_PASSWORD:-}" ]]; then
     log "OPENCODE_SERVER_PASSWORD is required"
@@ -86,8 +88,8 @@ main() {
     export GOOGLE_GENERATIVE_AI_API_KEY="${GEMINI_API_KEY}"
   fi
 
-  mkdir -p /app/repos /home/opencode/.config/opencode /home/opencode/.local/share/opencode /home/opencode/.local/state
-  chown -R opencode:opencode /app/repos /home/opencode/.config /home/opencode/.local/share /home/opencode/.local/state
+  mkdir -p "${OPENCODE_REPOSITORY_ROOT}" /home/opencode/.config/opencode /home/opencode/.local/share/opencode /home/opencode/.local/state
+  chown -R opencode:opencode "${OPENCODE_REPOSITORY_ROOT}" /home/opencode/.config /home/opencode/.local/share /home/opencode/.local/state
 
   write_runtime_env
   write_global_config

docker/opencode/sync-repos.sh

@@ -8,6 +8,7 @@ fi
 export HOME="${HOME:-/home/opencode}"
 export GIT_TERMINAL_PROMPT=0
 export GIT_ASKPASS=/usr/local/bin/git-askpass.sh
+export OPENCODE_REPOSITORY_ROOT="${OPENCODE_REPOSITORY_ROOT:-/app/repos}"
 
 log() {
   printf '[opencode-sync] %s\n' "$*"
@@ -23,7 +24,7 @@ trim() {
 sync_repo() {
   local repo_url="$1"
   local repo_name="$2"
-  local repo_dir="/app/repos/${repo_name}"
+  local repo_dir="${OPENCODE_REPOSITORY_ROOT}/${repo_name}"
 
   if [[ -d "$repo_dir/.git" ]]; then
     if git -C "$repo_dir" pull --ff-only; then
@@ -53,7 +54,7 @@ sync_repo() {
 main() {
   local repos_raw="${OPENCODE_REPOS:-}"
 
-  mkdir -p /app/repos
+  mkdir -p "${OPENCODE_REPOSITORY_ROOT}"
 
   if [[ -z "$repos_raw" ]]; then
     log "No repositories configured"