[codex] Decision: bound OpenCode Dia cookie import #1830
Codex review: needs maintainer review before merge. Reviewed July 1, 2026, 4:35 PM ET / 20:35 UTC.
Summary
Reproducibility: yes, from source, but not from a live Dia setup. Current main routes OpenCode web Auto through automaticImportOrder(provider:), which returns [.chrome] for .opencode; AGENTS.md prevents unrequested live Keychain/browser validation that could prompt.
Review metrics: 3 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.
Merge readiness
Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.
Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Security
Review details
Best possible solution: Land a maintainer-approved bounded default if Dia should be automatic for OpenCode; otherwise keep Chrome-only Auto and leave Dia to Manual Cookie until an explicit browser selector exists.
Do we have a high-confidence way to reproduce the issue? Yes, from source, but not from a live Dia setup. Current main routes OpenCode web Auto through automaticImportOrder(provider:), which returns [.chrome] for .opencode; AGENTS.md prevents unrequested live Keychain/browser validation that could prompt.
Is this the best way to solve the issue? Unclear as a product choice. The patch is a narrow implementation of a bounded Chrome-then-Dia default, but the PR body correctly asks maintainers to decide whether that privacy/auth default should change.
AGENTS.md: found and applied where relevant.
Codex review notes: model internal, reasoning high; reviewed against c3d33308ac06.
Label changes:
Label justifications:
Evidence reviewed
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.
How this review workflow works
Draft decision PR for #1822. This is not a behavior landing until product signs off on the Chrome -> Dia automatic import default.
Scope
Privacy boundary proof
Current limitation
Other Chromium browsers remain manual-only for OpenCode web cookies. Manual Cookie remains the escape hatch until CodexBar has an explicit user-selectable browser setting.
Product sign-off question
Should OpenCode web Auto broaden from Chrome-only to Chrome then Dia by default for #1822, accepting that users with Dia installed may see Dia's own Safe Storage prompt after Chrome is unavailable or unusable?
Validation