fix(sdk): drop --dangerously-skip-permissions + finish v1.4 migration in opencode harness (#582)

[santoshkumarradha]

Summary

Closes #582.

opencode v1.14+ rejects --dangerously-skip-permissions on the run subcommand — yargs prints the run-help screen to stdout and exits 0. The SDK then treats that help text as the LLM response. Failure is fully silent: no stderr, no error, no non-zero exit. Every multi-agent system on top of OpenCodeProvider returns garbage that looks successful.

I hit this end-to-end running Agent-Field/pr-af on agentfield#575 with HARNESS_PROVIDER=opencode HARNESS_MODEL=openrouter/deepseek/deepseek-v4-pro: pipeline completed succeeded in 5 min with total_findings: 0, dimensions_run: 0, cost_usd: $0, event: APPROVE, because every cluster_scout reasoner's "scout report" was the opencode run [message..] USAGE screen verbatim.

Per-SDK fix

SDK	Bug	Fix
Python	hardcoded --dangerously-skip-permissions after opencode run	drop the flag
TypeScript	uses deprecated opencode -c <dir> -p <prompt> (pre-v1.4); v1.14 rebinds -c to --continue and has no top-level -p, so opencode also prints help & exits 0	rewrite to opencode run --dir <dir> -m <model> <prompt>
Go	already uses opencode run, but also appends --dangerously-skip-permissions	drop the flag

Tests across all three SDKs updated to assert the new canonical invocation and to assert --dangerously-skip-permissions is NOT present anywhere on the constructed command.

Why this fix is safe

opencode v1.14 in non-TTY mode (subprocess invocation, as the SDK uses it) does not prompt for permissions interactively — there's no TTY to read from. The flag was only needed to suppress an interactive prompt that never happens in headless execution. The opencode docs at https://opencode.ai/docs/cli/ still reference the flag, but it is not recognized by the run subcommand in v1.14.41 (opencode run --help confirms no such option).

Reproduce before / verify after

# Before (fails silently, exit 0, help text on stdout):
opencode run --dangerously-skip-permissions -m openrouter/deepseek/deepseek-v4-pro "What is 2+2?"
# → prints `opencode run [message..]` USAGE block, exits 0

# After / control:
opencode run -m openrouter/deepseek/deepseek-v4-pro "What is 2+2? Reply with just the number."
# → "4"

Test plan

• Python: uv run --frozen pytest tests/test_harness_provider_opencode.py -x -q — 18 passed
• TypeScript: npx vitest run tests/harness_provider_opencode.test.ts — 5 passed
• TypeScript broader: npx vitest run tests/harness — 70 passed
• Go: go test ./harness/ -run "TestOpenCode|TestExecute" -count=1 — ok
• Go (full harness suite): pre-existing flaky test TestRunCLI/context_cancellation_returns_a_killed-process_result_with_partial_stdout fails identically on origin/main (unrelated)
• End-to-end: patched .venv re-run of pr-af.review on agentfield#575 no longer hits the help-text-as-scout-output failure (visible in pr-af node log — cluster_scout outputs are now actual LLM responses from deepseek-v4-pro)

[github-actions]

Performance

SDK	Memory	Δ	Latency	Δ	Tests	Status
Python	9.4 KB	+4%	0.31 µs	-11%	✓	✓
Go	217 B	-23%	0.60 µs	-40%	✓	✓
TS	190 B	-46%	3.34 µs	+67%	✓	✗

✓ No regressions detected

[github-actions]

📊 Coverage gate

Thresholds from .coverage-gate.toml: per-surface ≥ 86%, aggregate ≥ 88%, max per-surface regression ≤ 1.0 pp, max aggregate regression ≤ 0.50 pp.

Surface	Current	Baseline	Δ
control-plane	87.50%	87.30%	↑ +0.20 pp	🟡
sdk-go	91.90%	90.70%	↑ +1.20 pp	🟢
sdk-python	93.73%	93.63%	↑ +0.10 pp	🟢
sdk-typescript	92.80%	92.56%	↑ +0.24 pp	🟢
web-ui	89.91%	90.01%	↓ -0.10 pp	🟡
aggregate	89.02%	89.01%	↑ +0.01 pp	🟡

✅ Gate passed

No surface regressed past the allowed threshold and the aggregate stayed above the floor.

[github-actions]

📐 Patch coverage gate

Threshold: 80% on lines this PR touches vs origin/main (from .coverage-gate.toml:thresholds.min_patch).

Surface	Touched lines	Patch coverage	Status
control-plane	0	—	➖ no changes
sdk-go	0	—	➖ no changes
sdk-python	0	—	➖ no changes
sdk-typescript	5	80.00%	✅
web-ui	0	—	➖ no changes

✅ Patch gate passed

Every surface whose lines were touched by this PR has patch coverage at or above the threshold.