github code-yeongyu/oh-my-openagent v4.4.0
on GitHub

10 hours ago

🛡️ /security-research — New Team Mode Skill

Spin up an adversarial 5-member security team in one command: 3 vulnerability hunters (surface, auth/data, runtime/supply) + 2 PoC engineers, all running in parallel. Every finding is calibrated by actual exploitability — no severity without an attack path. CWE classification + OWASP WSTG/ASVS methodology + CVSS v4.0 scoring built in. 

/security-research

Requires team_mode.enabled: true in your oh-my-opencode.jsonc.

⚡ Parent-Wake Race Fixed — No More Duplicate Assistant Streams

Background-agent completion edges were duplicating parent-wake injections, occasionally starting a second assistant stream on the same task. The new parent-wake-dedupe layer catches this at BOTH the flush-time AND the prompt-async gate hold, so completion notifications now collapse to exactly one per logical event. (#4256 / #4019)

🔧 Model Configuration Edge Cases Restored

Three fixes for users hitting model resolution corners:

  • Atlas honors your override even when resolution fails (cold cache, no system default). Instead of silently dropping Atlas, it now registers with your chosen model. (#4255)
  • multimodal-looker trusts your vision model — set agents.multimodal-looker.model to any provider/model and the vision-cache will accept it, no provider declaration needed. (#4209)
  • openai/gpt-5.3-codex stops getting auto-rewritten — the canonical Codex powerhouse is no longer mistakenly migrated to gpt-5.4. (#3777)

🪟 Cross-Platform Tooling Hardening

  • OpenCode-bundled ripgrep reused~/.cache/opencode/bin/rg is probed first, so we stop duplicate-downloading ripgrep when OpenCode already has it. (#3805)
  • Windows ast-grep path matching locked — backslash + UNC suffixes now match the dist CLI consistently. Regression test pins this. (#4220)
  • CJK terminal headers preserved — NFC normalization in oh-my-opencode run output stops Hangul/CJK from mangling. (#4170)

✨ TUI Quality of Life

  • Clickable subagent entries — late-arriving session IDs are now captured before metadata publish, fixing the perpetual-spinner subagent bug. (#4252)
  • look_at no longer hangs — child sessions that produce no output exit gracefully via allowStableIdleWithoutActivity instead of waiting for the 120s timeout. (#4238)
  • /stop-continuation respected after boulder completion — no more stray completion nudges fired after you explicitly stopped. (#4149)
  • tool-pair-validator continues after repair — multi-message conversations with missing tool_result blocks now repair every affected message in one transform pass. (#4123)

⚠ Breaking (cleanup): Top-level lsp Config Key Removed

Read this if your oh-my-opencode.jsonc had an lsp: block. If you did not, you can ignore this section.

The migration in this release explicitly removes the top-level lsp config key and creates a timestamped .bak file next to your config. Move your server definitions to project-root .opencode/lsp.json — the new home, consumed by the lsp MCP server (backed by packages/lsp-tools-mcp).

Why this looks like a break but isn't: this key was already being silently stripped by the Zod schema since v3.x — custom LSP servers in this location have not been functional for several releases. This migration just makes the loss visible (via log + .bak backup) so you can actually recover.

To restore your servers (one-time): 

# 1. Find the most recent backup created by this migration
ls -t ~/.config/opencode/oh-my-opencode.jsonc.bak.* 2>/dev/null | head -1
# or in your project:
ls -t .opencode/oh-my-opencode.jsonc.bak.* 2>/dev/null | head -1

# 2. Open the .bak file, copy the `lsp: { ... }` contents into project-root
#    .opencode/lsp.json with this shape:
#    {
#      "$schema": "...",
#      "servers": {
#        "typescript": { "command": "typescript-language-server", "args": ["--stdio"] }
#      }
#    }

(#4225 / #4279)

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

  • Rename transition updates across package detection, plugin/config compatibility, and install surfaces.
  • Task and tool behavior updates, including delegate-task contract and runtime registration behavior.

Commit Summary

  • 20d67be @EvangelosMoschou has signed the CLA in #4357
  • 5e2f12f Merge pull request #4348 from Yeachan-Heo/omc-team/you-are-one-of-5-parallel-work/worker-4
  • 0c14c47 Merge pull request #4350 from Yeachan-Heo/omc-team/you-are-one-of-5-parallel-work/worker-3
  • f390d36 Merge pull request #4352 from Yeachan-Heo/fix/atlas-config-model-override-4255
  • 5451313 Merge pull request #4356 from Yeachan-Heo/fix/issue-3805-auto-tools-path
  • bfc5078 fix: trust user-configured multimodal-looker model for vision (#4209)
  • 779e2d2 fix(task): capture late-arriving sessionId so TUI subagent entry is clickable (#4252)
  • 7d444ee fix(agents): honor user atlas model when resolution returns undefined (#4255)
  • 6c691a1 fix(grep): probe OpenCode cache-backed bin for auto-downloaded rg (#3805)
  • c0a6c66 Merge pull request #4346 from code-yeongyu/fix/agent-loop-dedupe-race-4256
  • b3097e5 fix(background-agent): suppress redundant parent wakes
  • 2bfad49 feat(skills): add security-research orchestration
  • 1ecf4f6 @chouzz has signed the CLA in #4312
  • 01d2196 Merge pull request #4238 from islee23520/fix/look-at-status-map-hang
  • f511b4b Merge pull request #4263 from YOMXXX/fix/gpt-5-3-codex-migration
  • d06a5d7 Merge pull request #4272 from YOMXXX/fix/ast-grep-windows-cli-suffix-test
  • 9da3009 Merge pull request #4279 from MoerAI/fix/migrate-orphan-lsp-config-key
  • 74db81d Merge pull request #4285 from SpencerJung/fix/issue-4123-tool-pair-retrigger
  • 6cac80f Merge pull request #4290 from SpencerJung/fix/issue-4170-cjk-agent-header
  • 12d7d10 Merge pull request #4282 from SpencerJung/fix/issue-4149-terminal-continuation-guard
  • 6062df8 fix(migration): make 'lsp' migration guidance self-contained and update stale docs (addresses codex P2 on #4279)
  • ed4c04e fix(cli): preserve CJK agent header text
  • 2856930 fix(tool-pair-validator): continue after synthetic repairs
  • 7dae271 fix(atlas): honor stopped continuation after boulder completion
  • a7429cc fix(migration): drop orphan 'lsp' config key so users see LSP moved to .opencode/lsp.json (fixes #4225)
  • ccaf61e test(ast-grep): lock Windows backslash matching for ast_grep dist cli suffix (#4220)
  • d788c3d fix(migration): stop rewriting explicit gpt-5.3-codex to gpt-5.4 (#3777)
  • c4a51be Cover look_at permanently absent session output
  • b3a195d Avoid look_at status map wait hang

Thank you to 5 community contributors:

  • @islee23520:
    • Avoid look_at status map wait hang
    • Cover look_at permanently absent session output
  • @YOMXXX:
    • fix(migration): stop rewriting explicit gpt-5.3-codex to gpt-5.4 (#3777)
    • test(ast-grep): lock Windows backslash matching for ast_grep dist cli suffix (#4220)
  • @MoerAI:
    • fix(migration): drop orphan 'lsp' config key so users see LSP moved to .opencode/lsp.json (fixes #4225)
    • fix(migration): make 'lsp' migration guidance self-contained and update stale docs (addresses codex P2 on #4279)
  • @SpencerJung:
    • fix(atlas): honor stopped continuation after boulder completion
    • fix(tool-pair-validator): continue after synthetic repairs
    • fix(cli): preserve CJK agent header text
  • @Yeachan-Heo:
    • fix(grep): probe OpenCode cache-backed bin for auto-downloaded rg (#3805)
Check out latest releases or
releases around code-yeongyu/oh-my-openagent v4.4.0

Don't miss a new oh-my-openagent release

NewReleases is sending notifications on new releases.

Get notifications