build(deps): update dependency anomalyco/opencode to v1.14.48

[fro-bot]

This PR contains the following updates:

Package	Update	Change	OpenSSF
anomalyco/opencode	patch	1.14.33 → 1.14.48

---

Release Notes

anomalyco/opencode (anomalyco/opencode)

v1.14.48

Compare Source

Core

Improvements

• Preserve original image attachments instead of resizing them before sending them to the model

v1.14.47

Compare Source

Core

Bugfixes

• Restored prompt editing keybindings in the TUI textarea, including aliases like esc and enter
• Model changes now persist reliably across session activity
• HTTP API schema validation errors now return a readable 400 response body

Improvements

• Scout can now materialize configured reference repositories up front so they are ready to search
• Large image attachments are now auto-resized before sending, with configurable size limits

TUI

• File and directory paths now render relative to the session directory when possible

v1.14.46

Compare Source

Core

Improvements

• Added a built-in customize-opencode skill so opencode config edits are less likely to break startup.

Bugfixes

• Fixed numeric HTTP API query parameters in the generated OpenAPI spec and SDK for session and file endpoints.
• Fixed boolean HTTP API query handling so SDK types and runtime validation stay aligned.
• Tolerated legacy stored numeric values in sessions, diffs, and retry events instead of failing to load old data.
• Fixed old sessions with negative token counts causing message loads and Desktop startup to fail.
• Fixed MCP tool discovery when a server publishes broken outputSchema references.
• Fixed workspace HTTP API query drift so workspace-routed endpoints expose the right query parameters in OpenAPI and the SDK.
• Fixed a Plan Mode security bypass where subagents could ignore parent-agent deny rules.

v1.14.45

Compare Source

Core

Bugfixes

• Provider configs and API responses now accept models marked as active.
• Read tool permission rules now match worktree-relative paths, so read allowlists and denylists apply correctly.
• Workspace-routed HTTP API endpoints no longer reject valid directory and workspace query params.

TUI

Bugfixes

• Startup errors now report every failed bootstrap request instead of only the first one.
• Opening a session no longer crashes when the messages request fails.

Desktop

Bugfixes

• Older migrated sessions with missing diff file details load again.
• Older migrated sessions with missing diff patches load again. (@​OpeOginni)

SDK

Bugfixes

• throwOnError: true now throws a real Error with the server message and preserves the response body in cause.

Extensions

Improvements

• TUI plugins using the deprecated api.command API keep working while you migrate to api.keymap.

Bugfixes

• Provider plugins can no longer mutate shared provider model state for the rest of the app.

Thank you to 1 community contributor:

• @​OpeOginni:
  • fix(sessions): allow optional patch field in diff for migrated sessions (#​26574)

v1.14.44

Compare Source

Core

Bugfixes

• Fixed upgrades failing for existing workspaces when adding the time_used field.

v1.14.43

Compare Source

Core

Bugfixes

• Keep provider and config API responses working when auth loaders add non-JSON options to providers.
• Include tool image attachments in ACP updates and session replays. (@​SteffenDE)

Thank you to 1 community contributor:

• @​SteffenDE:
  • fix(acp): include tool image attachments in updates (#​25128)

v1.14.42

Compare Source

Core

Improvements

• Added HTTP API response compression for large non-streaming responses.
• Added the Scout agent for repo research, docs lookup, and dependency-source inspection.
• Added workspace sync so adapter-backed workspaces can be discovered and registered automatically.
• Added an interactive split-footer mode for opencode run.
• Simplified TUI keybinding config into a flat keybind format.
• Made duplicate worktree names fall back to the parent directory for clearer labels.

Bugfixes

• Fixed HTTP API auth responses to match the previous wire format for empty authorize results and share errors.
• Returned structured validation errors from the HTTP API.
• Rejected invalid permission and question IDs in the HTTP API.
• Included auth challenges on typed HTTP API 401 responses.
• Fixed the HTTP API OpenAPI document route.
• Fixed detached sessions so they are claimed by the source project again.
• Forwarded SIGINT, SIGTERM, and SIGHUP correctly when running through the npm shim. (@​chubes4)
• Allowed skills without descriptions to load correctly.
• Required auth on effect HTTP API root routes. (@​RajvardhanPatil07)
• Kept tool ordering stable so tool lists stop reshuffling between runs.
• Made retry dialogs more specific to the provider and failure reason.
• Fixed Gemini reasoning controls so supported effort levels and small-mode defaults match the model.
• Fixed Anthropic Opus 4.5 reasoning effort options.
• Limited OpenAI deep research models to the reasoning level they actually support.
• Fixed GPT-5 reasoning variants so the exposed effort options match each model family.

TUI

Improvements

• Show retrying sessions as active in the project sidebar. (@​edemaine)

Bugfixes

• Fixed the sidebar message shown for language server state. (@​Polo123456789)
• Sorted the session picker by full last-updated time instead of day buckets. (@​Sleepful)
• Kept longer cleared prompts in draft history so they can be restored.

Desktop

Improvements

• Switched desktop updates to silent per-user install flow.

Thank you to 5 community contributors:

• @​edemaine:
  • feat(desktop): working indicator on project sidebar (#​26223)
• @​RajvardhanPatil07:
  • fix(server): require auth for effect root routes (#​26361)
• @​chubes4:
  • fix(cli): forward signals from npm shim (#​26259)
• @​Sleepful:
  • fix(tui): sort session picker by full updated timestamp (#​24725)
• @​Polo123456789:
  • fix(sidebar): fix logic and missleading message #​26469 (#​26470)

v1.14.41

Compare Source

Core

Bugfixes

• Restored formatter output handling so formatting still works when formatters write to stdout or stderr. (@​ferdinandyb)

Improvements

• Warping a session to another workspace can now carry over your uncommitted file changes.

TUI

Bugfixes

• Restored custom provider setup in /connect.

Desktop

Bugfixes

• Added a macOS Settings menu entry. (@​jessedi0n)

Improvements

• Moved the desktop app's local server into a separate utility process for more reliable startup and shutdown.

Extensions

Improvements

• ACP clients now restore the last model, mode, and effort when loading sessions, and can close sessions cleanly.

Thank you to 4 community contributors:

• @​carmithersh:
  • docs: add opencode-jfrog-plugin to ecosystem list for JFrog integration (#​26019)
• @​jessedi0n:
  • fix(desktop): add macOS settings menu entry (#​26081)
• @​ferdinandyb:
  • fix(format): restore stdout/stderr ignore for formatter processes (#​26037)
• @​YGoetschel:
  • fix: guard undefined contents in diff renderer to fix share viewer SSR crash (#​21763)

v1.14.40

Compare Source

Core

Improvements

• Support .well-known/opencode configs that point to a separate remote config file.

Bugfixes

• Preserve assistant text when replaying signed reasoning blocks. (@​edevil)
• Return consistent not-found errors for missing sessions.
• Apply CORS headers before auth so browser clients can reach legacy server endpoints.
• Fix serve, web, and ACP network options triggering runtime re-entry errors.
• Only show connected workspaces in warp flows, and carry the new directory into the session after warping.
• Restore web terminal CSP allowances.
• Sanitize invalid surrogate characters before provider transforms.
• Fix Cloudflare AI Gateway provider options for OpenAI-compatible models. (@​NathanDrake2406)
• Use the current workspace with /new, including local-project warps.
• Keep editor selection context stable until it is sent.
• Retry server_is_overloaded API errors automatically.
• Restore Mistral Medium 3.5 variants so model selection works correctly.
• Show compaction summaries before retained tail messages.

TUI

Bugfixes

• Keep the selected model when model data refreshes.
• Fix /agent create to use the /agents path. (@​OpeOginni)

Desktop

Improvements

• Allow trusted app windows to write to the clipboard without permission failures.

Bugfixes

• Ignore broken pipe (EPIPE) errors in desktop console logging.
• Stop auto-installing updates when quitting the app.
• Silence noisy browser API Sentry reports in production.
• Prevent sync bootstrap queries from failing during app startup.

Thank you to 6 community contributors:

• @​OpeOginni:
  • fix(TUI): update agent create target path from "/agent" to "/agents" (#​14427)
• @​NathanDrake2406:
  • fix(cf-ai-gateway): route provider options through openaiCompatible key (#​24432) (#​25573)
• @​imduchuyyy:
  • docs: update desktop app references from Tauri to Electron (#​25965)
• @​kill74:
  • docs: fix CLI attach section order (#​25749)
• @​zharinov:
  • fix(ui): preserve SVG tags in DOMPurify config for KaTeX math rendering (#​25866)
• @​edevil:
  • fix(provider): preserve assistant message content when reasoning blocks present (#​21370)

v1.14.39

Compare Source

Desktop

Bugfixes

• Respect HTTP_PROXY and related proxy environment variables in the desktop app.
• Return null instead of failing when the desktop app cannot read a stored value.

v1.14.38

Compare Source

Core

Bugfixes

• Embedded UI requests now work with arbitrary connect-src origins under the default CSP.

Desktop

Bugfixes

• Desktop now trusts system CA certificates for HTTPS connections.

v1.14.37

Compare Source

Core

Bugfixes

• Canceling a task now also cancels child subtask sessions.

Improvements

• Improved v2 session rendering with cleaner tool states, better compaction summaries, and more accurate timing.
• Warp a session into another workspace or back to the local project.

Desktop

Bugfixes

• Run the desktop migration on startup so existing installs transition correctly after the desktop packaging move.
• Stabilized the Windows titlebar when changing zoom levels.

v1.14.35

Compare Source

Core

Bugfixes

• Preserve diff patch boundaries so session diffs keep rendering correctly when file contents include diff --git text.

v1.14.34

Compare Source

Core

Improvements

• Add PTY connection tickets so authenticated terminal websockets work more reliably across clients.
• Add v2 session failure events so clients can detect and show failed runs.
• Improve shell command handling for Bash, PowerShell, and cmd sessions.

Bugfixes

• Return structured error bodies from the effect HTTP server instead of empty failures.
• Reload server auth environment variables correctly for each new HTTP listener.
• Stop worktree creation from hanging while bootstrap commands run.
• Fix Azure Anthropic model resolution when using the Anthropic SDK.
• Fix the web UI proxy so public manifest assets load and proxied responses do not break on transfer-encoding. (@​OpeOginni)
• Allow Codex Spark models when signing in with Codex OAuth. (@​Utkub24)
• Fix embedded UI serving from the standalone server build.
• Fix PTY websocket connections from Desktop when using the HttpApi server.
• Respect custom basic auth usernames in opencode clients.
• Prompt browsers for basic auth on protected server logins. (@​OpeOginni)
• Show real server error messages in the CLI and SDK instead of bare {}.
• Prevent large diffs from using unbounded memory.
• Fix v2 session API responses to encode optional fields correctly.
• Fix pagination Link headers to use the real request host.

TUI

Improvements

• Add debug info to print environment and diagnostic details.

Bugfixes

• Add a --username option for basic-auth server connections. (@​OpeOginni)
• Pass server auth through internal ACP connections.
• Show provider login errors from stderr instead of swallowing them.

Desktop

Bugfixes

• Prevent terminal reconnect loops after recovery failures.
• Preserve auth-token credentials when reopening the app.

Thank you to 4 community contributors:

• @​PanAchy:
  • chore(opencode): exclude .map files from CLI binary build (#​25500)
• @​OpeOginni:
  • fix(httpapi): add basic auth challenge for browser login
  • fix(auth): add username option for basic auth in RunCommand (#​25600)
  • fix(opencode): strip transfer-encoding in UI proxy and allow public manifest assets (#​25698)
• @​Utkub24:
  • fix: allow Codex Spark with Codex OAuth (#​25640)
• @​cgilly2fast:
  • chore(docs): rename firmware provider to frogbot (#​25453)

---

Configuration

📅 Schedule: (in timezone America/Phoenix)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.