Harden OpenCode review gate#352

Merged

seonghobae merged 3 commits into develop from fix/opencode-agent-and-rust-lock-refresh on Jun 19, 2026

Conversation

@seonghobae seonghobae commented Jun 19, 2026

Collaborator

Summary

  • tighten OpenCode review instructions so approvals require structural exploration and use an OpenCode-owned format compatible with Copilot Review and CodeRabbitAI-style actionable findings
  • route structural-approval failure detection through the Python normalizer while preserving BandScope's existing APPROVE findings defaulting contract
  • allow the internal-PR OpenCode job to fall back to repository GITHUB_TOKEN for review/comment publication when the OpenCode app token is unavailable
  • refresh compatible Rust lockfile patches for bytes, camino, and web_atoms

Updates #196. The glib 0.18.5 chain is still upstream-owned through Tauri/GTK/WebKit, so this does not close the tracked RustSec exception.

Security Notes

  • OpenCode model/tool execution remains read-only; this change does not add write-capable repo tools to the reviewer runtime or new runtime app network paths.
  • The workflow runs only for same-repository, non-draft PRs and grants GITHUB_TOKEN write scope only for GitHub issue/PR review publication when the preferred OpenCode app token or approve token is unavailable.
  • Approval is rejected when the control JSON admits missing structural review, inaccessible changed files, or truncated evidence.
  • The lockfile refresh is limited to compatible patch updates and keeps the existing narrow glib audit exception model in place.

Verification

  • ./scripts/harness/quickcheck.sh
  • python3 scripts/checks/verify_supply_chain.py
  • uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q -k opencode
  • actionlint .github/workflows/opencode-review.yml
  • cargo audit --no-fetch --stale from apps/desktop/src-tauri
  • cargo tree --target all -i glib@0.18.5 from apps/desktop/src-tauri
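As an added illustration of the gate rules described in the Security Notes (example code, not BandScope's own normalizer): a Python normalizer that rejects an APPROVE whose control JSON admits missing structural review, inaccessible changed files or truncated evidence, keeps the APPROVE empty-findings default, and refuses a REQUEST_CHANGES whose findings lack the fields the repair contract in the bot comment below lists. The control-block key names and the mapping of an invalid REQUEST_CHANGES to OPENCODE_REVIEW_UNAVAILABLE are assumptions.

```python
# Added example, not BandScope's own normalizer. Key names on the control
# block (structural_review_complete, inaccessible_changed_files,
# evidence_truncated, decision, findings) are assumptions.

# Fields the repair contract requires on every REQUEST_CHANGES finding.
REQUIRED_FINDING_FIELDS = (
    "path", "line", "root_cause", "fix_direction",
    "regression_test_direction", "suggested_diff",
)


def structural_failures(control):
    """Reasons an approval must be rejected; empty when structurally sound."""
    reasons = []
    # An absent flag is treated as an admission that structure was not explored.
    if not control.get("structural_review_complete", False):
        reasons.append("missing structural review")
    if control.get("inaccessible_changed_files"):  # list of paths or bool
        reasons.append("inaccessible changed files")
    if control.get("evidence_truncated"):
        reasons.append("truncated evidence")
    return reasons


def incomplete_findings(findings):
    """Indices of findings missing any field the repair contract requires."""
    return [i for i, f in enumerate(findings)
            if not isinstance(f, dict)
            or any(k not in f for k in REQUIRED_FINDING_FIELDS)]


def normalize_control(control):
    """Map a raw control block to {result, findings, reasons}."""
    unavailable = {"result": "OPENCODE_REVIEW_UNAVAILABLE", "findings": []}
    if (not isinstance(control, dict)
            or control.get("decision") not in ("APPROVE", "REQUEST_CHANGES")):
        return {**unavailable, "reasons": ["invalid control block"]}
    # APPROVE findings default: a missing or null findings array means [].
    findings = list(control.get("findings") or [])
    reasons = structural_failures(control)
    if control["decision"] == "APPROVE":
        result = "REQUEST_CHANGES" if reasons else "APPROVE"
        return {"result": result, "findings": findings, "reasons": reasons}
    if not findings or incomplete_findings(findings):
        # A generic REQUEST_CHANGES (URL-only, no path/line) is not a valid
        # control block, so the gate reports the agent as unavailable.
        reasons.append("REQUEST_CHANGES without complete line-specific findings")
        return {**unavailable, "findings": findings, "reasons": reasons}
    return {"result": "REQUEST_CHANGES", "findings": findings, "reasons": reasons}
```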

@github-actions github-actions Bot left a comment

Contributor

Pull request overview

OpenCode found current-head GitHub Check failures and could not approve until they are mapped to source-backed fixes.

Findings

Line-specific fallback findings:

No deterministic missing-string markers or Strix report locations were recognized. Use the failed-check evidence below to map each failed check to exact local source lines before approving.

Verification

  • Review source: independent OpenCode failed-check diagnosis using current-head check evidence.
  • Result: REQUEST_CHANGES
  • Reason: one or more GitHub Checks failed on current head ea9ee5ecacd152ff5e826677434163e562f18667.

Gate evidence

  • Head SHA: ea9ee5ecacd152ff5e826677434163e562f18667
  • Workflow run: 27813512464
  • Workflow attempt: 1

Failed checks:

Failed check evidence for line-specific fixes:

Failed GitHub Check Evidence

  • PR: #352
  • Head SHA: ea9ee5ecacd152ff5e826677434163e562f18667
  • Repository: ContextWisdomLab/bandscope

Line-specific repair contract

  • Treat the check logs and annotations below as diagnostic evidence, not as a complete review.

  • For each actionable failed check, inspect the local source or diff and identify the exact file line that must change.

  • OpenCode REQUEST_CHANGES findings must include path, line, root_cause, fix_direction, regression_test_direction, and suggested_diff.

  • Do not request changes with only a GitHub Actions URL or a generic check name.

  • When Strix logs contain multiple Vulnerability Report or Model ... Vulnerabilities ... sections, include every model-reported vulnerability in the review evidence and findings, including model name, title, severity, endpoint, and Code Locations/path:line evidence when present.

  • Create one OpenCode finding per Strix model vulnerability report; do not satisfy two model reports with one combined finding, even when titles or locations match.

Failed check: ci/gate / ci / rust-check

Failed job steps

  • step 7: Check Tauri shell (failure)

Check annotations

  • .github:27-27 [failure] Process completed with exit code 101.

Failed log excerpt

The failed job log could not be collected with gh run view --log-failed.

run 27813512385 is still in progress; logs will be available when it is complete

github-actions Bot commented Jun 19, 2026

Contributor

OpenCode Review Overview

  • Head SHA: aa526f4fc2f962cc65ccef0796e7b63b9d7eff44
  • Workflow run: 27814303459
  • Workflow attempt: 1
  • Gate result: OPENCODE_REVIEW_UNAVAILABLE (approval step)

OpenCode Agent did not produce a valid review payload after all current-head GitHub Checks completed.

  • Result: OPENCODE_REVIEW_UNAVAILABLE
  • Reason: OpenCode review attempts did not complete or did not return a valid control block.
  • OpenCode outcomes: primary=failed, fallback=failed, second_fallback=failed
  • Head SHA: aa526f4fc2f962cc65ccef0796e7b63b9d7eff44
  • Workflow run: 27814303459
  • Workflow attempt: 1

No blocking review was submitted because this is an agent/runtime failure, not a source-backed code finding.

@seonghobae seonghobae enabled auto-merge June 19, 2026 08:30
@seonghobae seonghobae dismissed github-actions[bot]’s stale review June 19, 2026 08:31

Stale OpenCode request-changes review was tied to old head ea9ee5e and a transient rust-check failure. Current head aa526f4 has all required checks passing, and the latest OpenCode run reports agent/runtime unavailability only as non-source review evidence.

@seonghobae seonghobae merged commit f476f0a into develop Jun 19, 2026
25 checks passed