
Security: Hardcoded absolute path in drizzle.config.ts database URL#948

Open

tomaioo wants to merge 6 commits into AltimateAI:main from tomaioo:fix/security/hardcoded-absolute-path-in-drizzle-confi

Conversation

tomaioo commented Jun 16, 2026

Summary

Security: Hardcoded absolute path in drizzle.config.ts database URL

Problem

Severity: Medium | File: packages/opencode/drizzle.config.ts:L7

The SQLite database configuration contains a hardcoded absolute path '/home/thdxr/.local/share/opencode/opencode.db' pointing to a specific user's home directory. This will cause failures on any other machine and may leak a developer's username. The path should be configurable via environment variable or derived from a standard location like XDG directories.

Solution

Replace hardcoded path with environment variable or XDG-compliant path resolution: url: process.env.OPENCODE_DB_URL || path.join(os.homedir(), '.local', 'share', 'opencode', 'opencode.db')

Changes

  • packages/opencode/drizzle.config.ts (modified)

Summary by cubic

Replaced the hardcoded SQLite DB path in packages/opencode/drizzle.config.ts with a configurable URL. Prevents machine-specific failures and username leaks, defaulting to a standard local path.

  • Bug Fixes

    • dbCredentials.url now uses process.env.OPENCODE_DB_URL or falls back to path.join(os.homedir(), ".local", "share", "opencode", "opencode.db").
  • Migration

    • Set OPENCODE_DB_URL to customize DB location, or ensure ~/.local/share/opencode exists and is writable.

Written for commit 259217b. Summary will update on new commits.


Summary by CodeRabbit

  • Chores
    • Updated the SQLite database connection to use OPENCODE_DB_URL when available.
    • Added an automatic local fallback for the database file location if OPENCODE_DB_URL isn’t set.
    • Removed the hardcoded database file path to improve portability across environments.
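As an added example (not the project's drizzle.config.ts and not code from this PR), here is the resolution the Solution above proposes written as a testable helper that also honours XDG_DATA_HOME, together with a check that the configured path is not rooted in another user's home; resolveDbUrl and isForeignHomePath are names introduced here.

```typescript
// Added example, not the project's own drizzle.config.ts: XDG-aware resolution
// of the SQLite URL that the PR proposes. The helper names resolveDbUrl and
// isForeignHomePath are introduced here and do not exist in the project.
import * as os from "os"
import * as path from "path"

// Precedence: OPENCODE_DB_URL > $XDG_DATA_HOME/opencode/opencode.db
//             > ~/.local/share/opencode/opencode.db (the XDG default).
// env and home are parameters so the precedence can be exercised without
// mutating process.env.
export function resolveDbUrl(
  env: Record<string, string | undefined> = process.env,
  home: string = os.homedir(),
): string {
  const explicit = (env.OPENCODE_DB_URL || "").trim()
  if (explicit) return explicit

  // The XDG base-directory spec treats a relative XDG_DATA_HOME as invalid,
  // so it is ignored and the default ~/.local/share applies.
  const xdg = (env.XDG_DATA_HOME || "").trim()
  const dataHome = xdg && path.isAbsolute(xdg) ? xdg : path.join(home, ".local", "share")
  return path.join(dataHome, "opencode", "opencode.db")
}

// Guard against re-introducing the original defect: a database path rooted in
// a home directory other than the current user's (as '/home/thdxr/...' was)
// fails on every other machine and exposes that developer's username.
export function isForeignHomePath(url: string, home: string = os.homedir()): boolean {
  // Only paths under a per-user home tree (/home/<user>/ or /Users/<user>/) matter.
  if (!/^\/(home|Users)\/[^/]+\//.test(url)) return false
  const ownHome = path.resolve(home) + path.sep
  return !path.resolve(url).startsWith(ownHome)
}

// What drizzle.config.ts would hand to defineConfig({ ..., dbCredentials }).
export const dbCredentials = { url: resolveDbUrl() }

// Fail fast at config load time rather than at the first query.
if (isForeignHomePath(dbCredentials.url)) {
  throw new Error(`database path is rooted in another user's home: ${dbCredentials.url}`)
}
```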

The SQLite database configuration contains a hardcoded absolute path '/home/thdxr/.local/share/opencode/opencode.db' pointing to a specific user's home directory. This will cause failures on any other machine and may leak a developer's username. The path should be configurable via environment variable or derived from a standard location like XDG directories.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
coderabbitai (bot) commented Jun 16, 2026

📝 Walkthrough

The Drizzle config in packages/opencode/drizzle.config.ts replaces a hardcoded absolute SQLite path with process.env.OPENCODE_DB_URL, falling back to a path computed under os.homedir(). The os and path imports are added to support the fallback computation.

Changes

Dynamic DB URL in Drizzle config

  • Dynamic DB URL resolution (packages/opencode/drizzle.config.ts): adds os and path imports; changes dbCredentials.url from a fixed absolute path to process.env.OPENCODE_DB_URL with a path.join(os.homedir(), ...) fallback.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 A path once carved in stone so tight,
Now bends to where the home dirs light.
The env var speaks, the fallback waits,
No hardcoded road to database gates.
Hippity-hop, flexibility's right! 🗄️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: Warning. PR description omits the required 'PINEAPPLE' identifier at the top and is missing the 'Test Plan' section from the template. Resolution: add 'PINEAPPLE' at the very top of the PR description before other content, and include a 'Test Plan' section describing how the changes were tested.

✅ Passed checks (4 passed)

  • Title check: Passed. The title clearly identifies the main security issue being addressed: removing a hardcoded absolute path from the drizzle config database URL.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@github-actions


This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

  • PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

@github-actions


Hey! Your PR title Security: Hardcoded absolute path in drizzle.config.ts database URL doesn't follow conventional commit format.

Please update it to start with one of:

  • feat: or feat(scope): new feature
  • fix: or fix(scope): bug fix
  • docs: or docs(scope): documentation changes
  • chore: or chore(scope): maintenance tasks
  • refactor: or refactor(scope): code refactoring
  • test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.

coderabbitai (bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/opencode/drizzle.config.ts`:
- Line 9: The drizzle.config.ts file uses os.homedir() on line 9 but does not
import the os module, causing a ReferenceError at runtime. Add the missing
import statement for the os module at the top of the file (alongside the
existing path import) so that os.homedir() can be properly resolved.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e63e57f2-9e67-408e-8633-95a824e4fc12

📥 Commits

Reviewing files that changed from the base of the PR and between faf0b61 and b78b276.

📒 Files selected for processing (1)
  • packages/opencode/drizzle.config.ts

Comment thread packages/opencode/drizzle.config.ts

cubic-dev-ai (bot) left a comment

No issues found across 1 file


dev-punia-altimate (Contributor) left a comment

🤖 Code Review — OpenCodeReview (Gemini) — 1 finding(s)

  • 1 anchored to a line (posted inline when the comment stream is on)
  • 0 without a line anchor
All findings (full text)

1. packages/opencode/drizzle.config.ts (L1)

[🔴 HIGH] The os module is missing an import. Please add import os from "os" since os.homedir() is used below.

Suggested change:

import os from "os"
import path from "path"

@@ -1,10 +1,11 @@
import path from "path"
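Review bot: the context line of this hunk shows the file opening with only `import path from "path"`, while the new fallback calls os.homedir(); without `import os from "os"` beside it, loading the config fails with a ReferenceError before drizzle-kit ever reads dbCredentials. Add the os import next to the path import and keep both at the top of the file so nothing precedes valid TypeScript.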

Inline comment (Contributor):

[🔴 HIGH] The os module is missing an import. Please add import os from "os" since os.homedir() is used below.

Suggested change:

import path from "path"
import os from "os"
import path from "path"


Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@github-actions

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

2 similar comments

@dev-punia-altimate (Contributor)

🤖 Code Review — OpenCodeReview (Gemini) — No Issues Found

No comments generated. Looks good to me.


Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@github-actions

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

2 similar comments

coderabbitai (bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/opencode/drizzle.config.ts`:
- Around line 1-3: Remove the invalid plain text content from the beginning of
the drizzle.config.ts file (lines 1-3). This non-TypeScript content is causing
all 17 Biome parse errors. Delete the metadata or commentary text and ensure the
file starts directly with the import statements like import os from "os" and
import path from "path", so the file begins with valid TypeScript code.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 06b27565-8054-4aa5-9171-aaa9116ba79d

📥 Commits

Reviewing files that changed from the base of the PR and between adfcd05 and dccf9dd.

📒 Files selected for processing (1)
  • packages/opencode/drizzle.config.ts

Comment thread packages/opencode/drizzle.config.ts Outdated

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@github-actions

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

2 similar comments


Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@github-actions

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

1 similar comment

coderabbitai (bot) commented Jun 19, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

@dev-punia-altimate (Contributor)

❌ Tests — Failures Detected

TypeScript — 15 failure(s)

  • connection_refused [1.00ms]
  • timeout
  • permission_denied
  • parse_error
  • network_error
  • auth_failure
  • rate_limit [1.00ms]
  • internal_error
  • empty_error
  • connection_refused
  • timeout
  • permission_denied
  • parse_error [1.00ms]
  • network_error
  • auth_failure

Next Step

Please address the failing cases above and re-run verification.

cc @tomaioo


Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
@github-actions

👋 This PR was automatically closed by our quality checks.

Common reasons:

  • New GitHub account with limited contribution history
  • PR description doesn't meet our guidelines
  • Contribution appears to be AI-generated without meaningful review

If you believe this was a mistake, please open an issue explaining your intended contribution and a maintainer will help you.

1 similar comment

2 participants