
@opencode-cloud/core


@opencode-cloud/core - npm Package Compare versions

Comparing version
24.0.0
to
24.1.0
+1
-1
Cargo.toml
[package]
name = "opencode-cloud-core"
version = "24.0.0"
version = "24.1.0"
edition = "2024"

@@ -5,0 +5,0 @@ rust-version = "1.89"

{
"name": "@opencode-cloud/core",
"version": "24.0.0",
"version": "24.1.0",
"description": "Core NAPI bindings for opencode-cloud (internal package)",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -85,2 +85,11 @@ # =============================================================================

# Runtime user identity (override at build time if host volume mapping needs it).
# These are preferred IDs, not strict requirements:
# - If OPENCODER_GID is already occupied, we create `opencoder` with the next free GID.
# - If OPENCODER_UID is already occupied, we create `opencoder` with the next free UID.
# This avoids collisions with base-image users (for example Ubuntu's default uid/gid 1000)
# while still allowing operators to request specific IDs when available.
ARG OPENCODER_UID=1000
ARG OPENCODER_GID=1000
# -----------------------------------------------------------------------------

@@ -186,6 +195,25 @@ # System Dependencies

# -----------------------------------------------------------------------------
# Create 'opencode' user with passwordless sudo
RUN useradd -m -s /bin/bash -G sudo opencoder \
# Create 'opencoder' user with passwordless sudo
RUN set -eux; \
# Create group first. Prefer requested GID; fall back if already in use. \
if ! getent group opencoder >/dev/null; then \
if getent group "${OPENCODER_GID}" >/dev/null; then \
groupadd opencoder; \
else \
groupadd --gid "${OPENCODER_GID}" opencoder; \
fi; \
fi; \
# Create user next. Prefer requested UID; fall back if already in use. \
if ! id -u opencoder >/dev/null 2>&1; then \
if getent passwd "${OPENCODER_UID}" >/dev/null; then \
useradd -m -s /bin/bash --gid opencoder -G sudo opencoder; \
else \
useradd -m -s /bin/bash --uid "${OPENCODER_UID}" --gid opencoder -G sudo opencoder; \
fi; \
fi; \
# Always pin the primary group to `opencoder` in case the user pre-existed. \
usermod --gid opencoder opencoder \
&& echo "opencoder ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/opencoder \
&& chmod 0440 /etc/sudoers.d/opencoder \
&& chmod 0750 /home/opencoder \
# Snapshot built-in home users from the image so runtime auth logic can

@@ -530,3 +558,3 @@ # ignore defaults (e.g. ubuntu) when deciding if onboarding should run.

OPENCODE_COMMIT_OVERRIDE="${OPENCODE_COMMIT:-}"; \
OPENCODE_COMMIT="ba669d0d68d36063852e29cf640f9baeb26e14be"; \
OPENCODE_COMMIT="9fd774b0238b11b2d2eb646b2d0122da8689d274"; \
if [ -n "${OPENCODE_COMMIT_OVERRIDE}" ]; then OPENCODE_COMMIT="${OPENCODE_COMMIT_OVERRIDE}"; fi; \

@@ -556,2 +584,3 @@ rm -rf /tmp/opencode-repo; \

ARG OPENCODE_SOURCE=remote
ARG TARGETARCH

@@ -571,4 +600,8 @@ # Bind-mount the source from the opencode-source stage, then copy it into

# attempts to ensure each retry starts from a truly clean state.
# - On successful installs, keep the BuildKit cache mount populated so future
# builds can reuse downloaded tarballs.
RUN --mount=type=bind,from=opencode-source,source=/tmp/opencode-repo,target=/tmp/opencode-source-ro \
--mount=type=cache,target=/home/opencoder/.bun/install/cache,uid=1000,gid=1000,mode=0755 \
# Keep cache warm, isolate by architecture, and serialize writers to reduce
# cross-arch contamination and concurrent cache corruption.
--mount=type=cache,id=bun-install-${TARGETARCH},target=/home/opencoder/.bun/install/cache,uid=1000,gid=1000,mode=0755,sharing=locked \
cp -R /tmp/opencode-source-ro /tmp/opencode-repo \

@@ -599,5 +632,3 @@ && sudo mkdir -p /home/opencoder/.bun/install/cache \

bun run build-single-ui; \
fi \
&& sudo find /home/opencoder/.bun/install/cache -mindepth 1 -maxdepth 1 -exec rm -rf {} + || true \
&& sudo rm -rf /home/opencoder/.bun/cache /home/opencoder/.cache/bun
fi

@@ -627,3 +658,7 @@ # =============================================================================

COPY --from=opencode-source /tmp/opencode-repo/packages/opencode-broker /tmp/opencode-broker
# Intentionally copy only Cargo manifests here so cargo-chef dependency planning
# is invalidated by dependency graph changes, not by broker source edits.
RUN mkdir -p /tmp/opencode-broker
COPY --from=opencode-source /tmp/opencode-repo/packages/opencode-broker/Cargo.toml /tmp/opencode-broker/Cargo.toml
COPY --from=opencode-source /tmp/opencode-repo/packages/opencode-broker/Cargo.lock /tmp/opencode-broker/Cargo.lock
WORKDIR /tmp/opencode-broker

@@ -736,8 +771,4 @@ RUN . /home/opencoder/.cargo/env \

USER root
COPY packages/core/src/docker/files/pam/opencode /etc/pam.d/opencode
RUN chmod 644 /etc/pam.d/opencode
COPY --chown=root:root --chmod=0644 packages/core/src/docker/files/pam/opencode /etc/pam.d/opencode
# Verify PAM config file exists
RUN ls -la /etc/pam.d/opencode && cat /etc/pam.d/opencode
# -----------------------------------------------------------------------------

@@ -748,3 +779,3 @@ # opencode-broker systemd Service

# NOTE: Requires root privileges to write to /etc/systemd/system/
COPY packages/core/src/docker/files/opencode-broker.service /etc/systemd/system/opencode-broker.service
COPY --chown=root:root --chmod=0644 packages/core/src/docker/files/opencode-broker.service /etc/systemd/system/opencode-broker.service

@@ -760,3 +791,3 @@ # Enable opencode-broker service

# NOTE: Requires root privileges to write to /etc/systemd/system/
COPY packages/core/src/docker/files/opencode.service /etc/systemd/system/opencode.service
COPY --chown=root:root --chmod=0644 packages/core/src/docker/files/opencode.service /etc/systemd/system/opencode.service

@@ -771,10 +802,5 @@ # Enable opencode service to start at boot (manual symlink since systemctl doesn't work during build)

# Create opencode.jsonc config file with PAM authentication enabled
RUN mkdir -p /home/opencoder/.config/opencode
COPY --chown=opencoder:opencoder packages/core/src/docker/files/opencode.jsonc /home/opencoder/.config/opencode/opencode.jsonc
RUN chown -R opencoder:opencoder /home/opencoder/.config/opencode \
&& chmod 644 /home/opencoder/.config/opencode/opencode.jsonc
RUN install -d -o opencoder -g opencoder -m 0750 /home/opencoder/.config/opencode
COPY --chown=opencoder:opencoder --chmod=0640 packages/core/src/docker/files/opencode.jsonc /home/opencoder/.config/opencode/opencode.jsonc
# Verify config file exists
RUN ls -la /home/opencoder/.config/opencode/opencode.jsonc && cat /home/opencoder/.config/opencode/opencode.jsonc
# -----------------------------------------------------------------------------

@@ -786,8 +812,6 @@ # Entrypoint Script (Hybrid Init Support)

# Note: Entrypoint runs as root to support both modes; tini mode drops to opencode user
COPY packages/core/src/docker/files/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
COPY --chown=root:root --chmod=0755 packages/core/src/docker/files/entrypoint.sh /usr/local/bin/entrypoint.sh
# Bootstrap helper for first-user onboarding (invoked by entrypoint and auth route via sudo)
COPY packages/core/src/docker/files/opencode-cloud-bootstrap.sh /usr/local/bin/opencode-cloud-bootstrap
RUN chmod 700 /usr/local/bin/opencode-cloud-bootstrap
COPY --chown=root:root --chmod=0700 packages/core/src/docker/files/opencode-cloud-bootstrap.sh /usr/local/bin/opencode-cloud-bootstrap

@@ -798,4 +822,3 @@ # Note: Don't set USER here - entrypoint needs root to use runuser

# Healthcheck script asset
COPY packages/core/src/docker/files/healthcheck.sh /usr/local/bin/healthcheck.sh
RUN chmod +x /usr/local/bin/healthcheck.sh
COPY --chown=root:root --chmod=0755 packages/core/src/docker/files/healthcheck.sh /usr/local/bin/healthcheck.sh

@@ -816,4 +839,6 @@ # -----------------------------------------------------------------------------

RUN chown -R opencoder:opencoder /opt/opencode \
RUN chown -R root:root /opt/opencode \
&& chmod -R go-w /opt/opencode \
&& chmod +x /opt/opencode/bin/opencode \
&& chown root:root /usr/local/bin/opencode-broker \
&& chmod 4755 /usr/local/bin/opencode-broker

@@ -820,0 +845,0 @@
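Review bot: The rewritten `--mount=type=cache,id=bun-install-${TARGETARCH},...` line still hard-codes `uid=1000,gid=1000`, but this same change allows `opencoder` to end up with a different UID/GID, either through `OPENCODER_UID`/`OPENCODER_GID` or through the fallback `groupadd`/`useradd` branches when the requested ID is already taken (the new comment itself cites Ubuntu's default 1000 account). In that case the cache directory under /home/opencoder belongs to an unrelated account rather than to the build user, and the step presumably has to rely on `sudo` to use it. Because the fallback ID is only known inside the RUN step, I would either have the step chown the mount target to `opencoder` before the install runs, or at least add a comment beside the mount such as `# uid/gid must match the opencoder account created above; fallback IDs are not reflected here`. Separately, `chown -R root:root /opt/opencode` with `chmod -R go-w` reads as tamper protection, yet `opencoder` keeps `NOPASSWD:ALL` and `opencode-broker` stays setuid root and world-executable (`4755`). A one-line comment saying that root ownership guards against accidental writes, not against code already running as `opencoder`, would keep the threat model honest.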

@@ -55,4 +55,22 @@ #!/bin/bash

railway_external_url() {
local domain
domain="${RAILWAY_PUBLIC_DOMAIN:-}"
domain="$(printf "%s" "${domain}" | tr -d '\r\n' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')"
domain="${domain#http://}"
domain="${domain#https://}"
while [ "${domain}" != "${domain%/}" ]; do
domain="${domain%/}"
done
if [ -z "${domain}" ]; then
return 1
fi
printf "https://%s" "${domain}"
}
print_welcome_banner() {
local version local_host local_url bind_url
local version local_host local_url bind_url external_url
version="$(read_opencode_cloud_version)"

@@ -62,2 +80,3 @@ local_host="$(display_local_host "${OPENCODE_HOST}")"

bind_url="$(build_service_url "${OPENCODE_HOST}" "${OPENCODE_PORT}")"
external_url="$(railway_external_url || true)"

@@ -77,2 +96,7 @@ log "----------------------------------------------------------------------"

log " Bind URL: ${bind_url}"
if [ -n "${external_url}" ]; then
log " External URL (Railway): ${external_url}"
fi
log " Reverse-proxy/custom-domain URL is also valid when configured."
log " Container startup cannot reliably detect proxy/ingress URL unless platform exposes it."
log " 2) First-time setup:"

@@ -79,0 +103,0 @@ log " If no users are configured, this container prints an Initial One-Time Password (IOTP)"
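Review bot: `railway_external_url` strips CR/LF, surrounding whitespace, a lower-case scheme and trailing slashes from `RAILWAY_PUBLIC_DOMAIN`, but never checks that what remains is a bare hostname. A value carrying a path, `user@host` userinfo or terminal control characters is therefore written verbatim into the welcome banner as an `https://` URL. The variable is platform-supplied, so this is hardening rather than a live hole, but the banner is what an operator trusts when looking for the login page and the one-time-password instructions follow directly after it. A guard just before the final `printf`, for example `case "${domain}" in *[!A-Za-z0-9.-]*) return 1 ;; esac`, keeps anything that is not a plain DNS name out of the log. The function is complete in this hunk, while `print_welcome_banner` continues outside it.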