harness: address PR review (per-dataDir cache, archive edit deny)

resolveHarnessDir cached extraction with a single module-level promise
keyed by nothing, so a second call with a different dataDir returned
the first call's path. In production opencode passes a singleton
Global.Path.data so this never bit, but tests and any future
multi-instance scenario would silently get cross-dataDir contamination.
Switch to a Map<dataDir, Promise<path>> — same dataDir still
deduplicates, distinct dataDirs each get their own extraction.

harness-archive/ was whitelisted in external_directory:allow, which
let edit/write/apply_patch silently mutate snapshots that are intended
to be read-only history. Keep the dir-level whitelist (so reads stay
silent — the agent is supposed to browse the archive when migrating
helpers across upgrades), but add an edit:deny rule keyed on
'*/harness-archive/*'. The leading * absorbs the worktree-relative
prefix that edit/write/apply_patch produce; the dir name is the anchor.
All three edit-class tools route through permission='edit' so one rule
covers them. Bash-level mutations (rm -rf) are still possible, but the
agent has no prompt-driven path to them and the user can deny bash
explicitly via config if desired.

Author: Alezander9

packages/bcode-browser/src/harness.ts

@@ -133,12 +133,19 @@ const extractEmbeddedHarness = async (dataDir: string): Promise<string> => {
   return target
 }
 
-let extractPromise: Promise<string> | null = null
+// Per-dataDir cache. In production opencode passes the same Global.Path.data
+// every call, so this is effectively a singleton; tests and any future
+// multi-instance setup that resolves against multiple dataDirs each get their
+// own deduplicated extraction without cross-directory contamination.
+const extractCache = new Map<string, Promise<string>>()
 
 export const resolveHarnessDir = (dataDir: string): Promise<string> => {
   if (!isCompiled) return Promise.resolve(DEV_HARNESS_DIR)
-  if (!extractPromise) extractPromise = extractEmbeddedHarness(dataDir)
-  return extractPromise
+  const cached = extractCache.get(dataDir)
+  if (cached) return cached
+  const fresh = extractEmbeddedHarness(dataDir)
+  extractCache.set(dataDir, fresh)
+  return fresh
 }
 
 export * as Harness from "./harness"

packages/opencode/src/agent/agent.ts

@@ -94,9 +94,20 @@ export const layer = Layer.effect(
         // In dev mode the harness lives inside the worktree, so this glob is a
         // no-op there.
         const harnessGlob = path.join(Harness.harnessDir(Global.Path.data), "*")
-        // Past-version snapshots taken at upgrade time. Read-only browsing for
-        // the agent when migrating its own helpers across upgrades.
+        // Past-version snapshots taken at upgrade time. Read-only history for
+        // the agent when migrating its own helpers across upgrades — silent
+        // reads via the external_directory whitelist, but edits/writes/
+        // apply_patch are denied below to keep snapshots immutable. Bash-level
+        // mutations are still possible but the agent has no prompt-driven
+        // reason to delete the dir.
         const harnessArchiveGlob = path.join(Harness.harnessArchiveDir(Global.Path.data), "*")
+        // edit/write/apply_patch all `ctx.ask({ permission: "edit", ... })`
+        // with a path that's `path.relative(worktree, filepath)` — which for
+        // an out-of-worktree archive file looks like
+        // `../../.local/share/bcode/harness-archive/<hash>/foo.py`. A leading
+        // `*` (greedy `.*`) absorbs that prefix; the dir name itself is the
+        // anchor.
+        const harnessArchiveEditDeny = "*/harness-archive/*"
         const whitelistedDirs = [
           Truncate.GLOB,
           browserSessionsGlob,
@@ -113,6 +124,9 @@ export const layer = Layer.effect(
             "*": "ask",
             ...Object.fromEntries(whitelistedDirs.map((dir) => [dir, "allow"])),
           },
+          // Covers `edit`, `write`, `apply_patch` — all three tools route
+          // through the `edit` permission key (see EDIT_TOOLS in permission/).
+          edit: { [harnessArchiveEditDeny]: "deny" },
           question: "deny",
           plan_enter: "deny",
           plan_exit: "deny",