oh-my-openagent

🛡️ /security-research — New Team Mode Skill

Spin up an adversarial 5-member security team in one command: 3 vulnerability hunters (surface, auth/data, runtime/supply) + 2 PoC engineers, all running in parallel. Every finding is calibrated by actual exploitability — no severity without an attack path. CWE classification + OWASP WSTG/ASVS methodology + CVSS v4.0 scoring built in.

/security-research

Requires team_mode.enabled: true in your oh-my-opencode.jsonc.

⚡ Parent-Wake Race Fixed — No More Duplicate Assistant Streams

Background-agent completion edges were duplicating parent-wake injections, occasionally starting a second assistant stream on the same task. The new parent-wake-dedupe layer catches this at BOTH the flush-time AND the prompt-async gate hold, so completion notifications now collapse to exactly one per logical event. (#4256 / #4019)

🔧 Model Configuration Edge Cases Restored

Three fixes for users hitting model resolution corners:

• Atlas honors your override even when resolution fails (cold cache, no system default). Instead of silently dropping Atlas, it now registers with your chosen model. (#4255)
• multimodal-looker trusts your vision model — set agents.multimodal-looker.model to any provider/model and the vision-cache will accept it, no provider declaration needed. (#4209)
• openai/gpt-5.3-codex stops getting auto-rewritten — the canonical Codex powerhouse is no longer mistakenly migrated to gpt-5.4. (#3777)

🪟 Cross-Platform Tooling Hardening

• OpenCode-bundled ripgrep reused — ~/.cache/opencode/bin/rg is probed first, so we stop duplicate-downloading ripgrep when OpenCode already has it. (#3805)
• Windows ast-grep path matching locked — backslash + UNC suffixes now match the dist CLI consistently. Regression test pins this. (#4220)
• CJK terminal headers preserved — NFC normalization in oh-my-opencode run output stops Hangul/CJK from mangling. (#4170)

✨ TUI Quality of Life

• Clickable subagent entries — late-arriving session IDs are now captured before metadata publish, fixing the perpetual-spinner subagent bug. (#4252)
• look_at no longer hangs — child sessions that produce no output exit gracefully via allowStableIdleWithoutActivity instead of waiting for the 120s timeout. (#4238)
• /stop-continuation respected after boulder completion — no more stray completion nudges fired after you explicitly stopped. (#4149)
• tool-pair-validator continues after repair — multi-message conversations with missing tool_result blocks now repair every affected message in one transform pass. (#4123)

⚠ Breaking (cleanup): Top-level lsp Config Key Removed

Read this if your oh-my-opencode.jsonc had an lsp: block. If you did not, you can ignore this section.

The migration in this release explicitly removes the top-level lsp config key and creates a timestamped .bak file next to your config. Move your server definitions to project-root .opencode/lsp.json — the new home, consumed by the lsp MCP server (backed by packages/lsp-tools-mcp).

Why this looks like a break but isn't: this key was already being silently stripped by the Zod schema since v3.x — custom LSP servers in this location have not been functional for several releases. This migration just makes the loss visible (via log + .bak backup) so you can actually recover.

To restore your servers (one-time):

# 1. Find the most recent backup created by this migration
ls -t ~/.config/opencode/oh-my-opencode.jsonc.bak.* 2>/dev/null | head -1
# or in your project:
ls -t .opencode/oh-my-opencode.jsonc.bak.* 2>/dev/null | head -1

# 2. Open the .bak file, copy the `lsp: { ... }` contents into project-root
#    .opencode/lsp.json with this shape:
#    {
#      "$schema": "...",
#      "servers": {
#        "typescript": { "command": "typescript-language-server", "args": ["--stdio"] }
#      }
#    }

(#4225 / #4279)

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Rename transition updates across package detection, plugin/config compatibility, and install surfaces.
• Task and tool behavior updates, including delegate-task contract and runtime registration behavior.

Commit Summary

• 20d67be4 @EvangelosMoschou has signed the CLA in code-yeongyu/oh-my-openagent#4357
• 5e2f12fd Merge pull request #4348 from Yeachan-Heo/omc-team/you-are-one-of-5-parallel-work/worker-4
• 0c14c473 Merge pull request #4350 from Yeachan-Heo/omc-team/you-are-one-of-5-parallel-work/worker-3
• f390d365 Merge pull request #4352 from Yeachan-Heo/fix/atlas-config-model-override-4255
• 54513137 Merge pull request #4356 from Yeachan-Heo/fix/issue-3805-auto-tools-path
• bfc50789 fix: trust user-configured multimodal-looker model for vision (#4209)
• 779e2d2f fix(task): capture late-arriving sessionId so TUI subagent entry is clickable (#4252)
• 7d444eed fix(agents): honor user atlas model when resolution returns undefined (#4255)
• 6c691a1a fix(grep): probe OpenCode cache-backed bin for auto-downloaded rg (#3805)
• c0a6c667 Merge pull request #4346 from code-yeongyu/fix/agent-loop-dedupe-race-4256
• b3097e56 fix(background-agent): suppress redundant parent wakes
• 2bfad490 feat(skills): add security-research orchestration
• 1ecf4f64 @chouzz has signed the CLA in code-yeongyu/oh-my-openagent#4312
• 01d21962 Merge pull request #4238 from islee23520/fix/look-at-status-map-hang
• f511b4bc Merge pull request #4263 from YOMXXX/fix/gpt-5-3-codex-migration
• d06a5d7a Merge pull request #4272 from YOMXXX/fix/ast-grep-windows-cli-suffix-test
• 9da30095 Merge pull request #4279 from MoerAI/fix/migrate-orphan-lsp-config-key
• 74db81df Merge pull request #4285 from SpencerJung/fix/issue-4123-tool-pair-retrigger
• 6cac80fe Merge pull request #4290 from SpencerJung/fix/issue-4170-cjk-agent-header
• 12d7d104 Merge pull request #4282 from SpencerJung/fix/issue-4149-terminal-continuation-guard
• 6062df82 fix(migration): make 'lsp' migration guidance self-contained and update stale docs (addresses codex P2 on #4279)
• ed4c04e5 fix(cli): preserve CJK agent header text
• 28569307 fix(tool-pair-validator): continue after synthetic repairs
• 7dae2711 fix(atlas): honor stopped continuation after boulder completion
• a7429cc2 fix(migration): drop orphan 'lsp' config key so users see LSP moved to .opencode/lsp.json (fixes #4225)
• ccaf61e0 test(ast-grep): lock Windows backslash matching for ast_grep dist cli suffix (#4220)
• d788c3d1 fix(migration): stop rewriting explicit gpt-5.3-codex to gpt-5.4 (#3777)
• c4a51bee Cover look_at permanently absent session output
• b3a195d6 Avoid look_at status map wait hang

Thank you to 5 community contributors:

• @islee23520:
  • Avoid look_at status map wait hang
  • Cover look_at permanently absent session output
• @YOMXXX:
  • fix(migration): stop rewriting explicit gpt-5.3-codex to gpt-5.4 (#3777)
  • test(ast-grep): lock Windows backslash matching for ast_grep dist cli suffix (#4220)
• @MoerAI:
  • fix(migration): drop orphan 'lsp' config key so users see LSP moved to .opencode/lsp.json (fixes #4225)
  • fix(migration): make 'lsp' migration guidance self-contained and update stale docs (addresses codex P2 on #4279)
• @SpencerJung:
  • fix(atlas): honor stopped continuation after boulder completion
  • fix(tool-pair-validator): continue after synthetic repairs
  • fix(cli): preserve CJK agent header text
• @Yeachan-Heo:
  • fix(grep): probe OpenCode cache-backed bin for auto-downloaded rg (#3805)