review(drip-171): batch 1 — opencode + codex (4 PRs)

- anomalyco/opencode#24933 merge-after-nits: --file MIME detection fix
- anomalyco/opencode#24935 request-changes: in-tree pet+CAVA bundle, ship as plugin only
- openai/codex#20176 merge-after-nits: SessionSource via JSON deserialize is brittle
- openai/codex#20178 merge-as-is: 1714-line obsolete adapter deletion

Author: Bojun-Vvibe

reviews/2026-W18/drip-171/openai-codex-pr-20176.md

@@ -0,0 +1,59 @@
+# openai/codex#20176 — `TUI: Remove core protocol dependency [5/7]`
+
+- URL: https://github.com/openai/codex/pull/20176
+- Head SHA: `5564c076b3da`
+- Author: etraut-openai
+- Size: +2 / -2 in `codex-rs/tui/src/onboarding/auth.rs`
+- Stack: 5 of 7 in the "remove direct `codex_protocol::protocol`
+  usage from `codex-tui`" series
+
+## Summary
+
+Onboarding auth tests had one lingering `use codex_protocol::protocol::SessionSource;`
+import after the rest of the TUI had been migrated to the
+app-server `SessionSource` equivalent. This PR removes that last
+import in the test module and constructs the `SessionSource` value
+via JSON deserialization instead.
+
+## Specific reference
+
+`codex-rs/tui/src/onboarding/auth.rs:1016-1050` (test module, post-patch):
+
+```rust
+- use codex_protocol::protocol::SessionSource;
+  use pretty_assertions::assert_eq;
+  ...
+- session_source: SessionSource::Cli,
++ session_source: serde_json::from_value(serde_json::json!("cli"))
++     .expect("cli session source should deserialize"),
+```
+
+## Risks
+
+- The new construction is `serde_json::from_value(json!("cli"))` —
+  it relies on the field type implementing `Deserialize` for a
+  bare string, with the contract "the canonical wire form for the
+  CLI variant is the literal string `"cli"`". That's brittle:
+  anyone renaming the variant or adding `#[serde(rename_all = ...)]`
+  silently breaks this test at runtime instead of compile time.
+- It would be cleaner to import the app-server enum directly:
+  `use codex_app_server_protocol::SessionSource;` and then
+  `session_source: SessionSource::Cli,`. The PR description says
+  the rest of onboarding moved to the app-server type, so the
+  enum should already be in scope or trivially importable. Using
+  JSON-string construction in tests defeats half the type system.
+
+## Verdict
+
+`merge-after-nits`
+
+## Suggested nit
+
+Replace the `serde_json::from_value(json!("cli"))` call with a
+direct constructor of the app-server `SessionSource` enum (the
+same type used non-test elsewhere after this stack lands). That
+keeps the cargo-check verification meaningful and avoids hiding
+a future rename behind a runtime panic.
+
+Otherwise the change is mechanical and matches the stated stack
+goal of confining `codex_protocol::protocol` usage out of `codex-tui`.

reviews/2026-W18/drip-171/openai-codex-pr-20178.md

@@ -0,0 +1,57 @@
+# openai/codex#20178 — `TUI: Remove core protocol dependency [6/7]`
+
+- URL: https://github.com/openai/codex/pull/20178
+- Head SHA: `55eeb5bd0af4`
+- Author: etraut-openai
+- Size: +0 / -1714 (single deletion of `codex-rs/tui/src/app/app_server_adapter.rs`)
+- Stack: 6 of 7
+
+## Summary
+
+Deletes the obsolete `app_server_adapter.rs` bridge between the
+app-server event stream and the TUI's direct-core path, now that
+PRs 1–5 in the stack have moved every TUI flow onto the app-server
+surface directly. The file's own header comment (`tui/src/app/app_server_adapter.rs`
+lines 1–11 of the deletion) explicitly calls itself a "temporary
+adapter layer ... [that] should shrink and eventually disappear."
+This PR is that disappearance.
+
+## Specific references
+
+- `codex-rs/tui/src/app/app_server_adapter.rs` deleted in full
+  (1714 lines).
+- The file's leading doc comment said: *"As more TUI flows move
+  onto the app-server surface directly, this adapter should
+  shrink and eventually disappear."* — this PR is the closing
+  step of that plan.
+- PR description claims `cargo check -p codex-tui` and grep for
+  `codex_protocol::protocol` in `codex-tui` are both clean. With
+  this stack and #20176, the entire `codex-tui` crate's direct
+  dependency on `codex_protocol::protocol` is gone.
+
+## Risks
+
+- The diff is a pure deletion, but the dangerous bit is what
+  *imports* this file. If anything outside `codex-rs/tui` pulled
+  `app_server_adapter` symbols (e.g. via `pub use`), this breaks
+  them. PR description says only the TUI consumed it, but a quick
+  `rg "app_server_adapter"` across the workspace would be a
+  one-line confirmation worth pasting into the PR.
+- Test artifacts that imported via `#[cfg(test)] use ... split_command_string`
+  (visible in the file header at line 21 of the deleted file)
+  need to live somewhere. The PR doesn't say where they moved.
+  If they were unused, that's fine; if they migrated, a sentence
+  pointing at PR 5 or PR 7 in the stack would help the reviewer.
+
+## Verdict
+
+`merge-as-is` — assuming the prior PRs in the stack landed and
+`cargo check --workspace` is green.
+
+## Suggested nits
+
+- Add a one-line `rg "app_server_adapter"` confirmation in the PR
+  body to prove no external consumer remains.
+- Optional: in the merge commit message, link to the original
+  introduction PR of the adapter so future archaeologists can
+  see the lifecycle.

reviews/2026-W18/drip-171/sst-opencode-pr-24933.md

@@ -0,0 +1,58 @@
+# sst/opencode#24933 — `fix(cli): detect MIME type for --file flag instead of hardcoding text/plain`
+
+- URL: https://github.com/sst/opencode/pull/24933
+- Head SHA: `0d1dade4d0d7`
+- Author: rogerdigital
+- Size: +1 / -1 in `packages/opencode/src/cli/cmd/run.ts`
+- Closes: #24698
+
+## Summary
+
+`opencode run --file <path>` always tagged the attached file with
+`text/plain`, regardless of actual content. That caused image
+attachments (and any other binary) to be passed to the model as if
+they were UTF-8 text, defeating multimodal routing on providers that
+key off the MIME type. The fix replaces the hardcoded literal with
+the existing `Filesystem.mimeType()` helper.
+
+## Specific reference
+
+`packages/opencode/src/cli/cmd/run.ts:331` (line 328 in the diff
+context, post-patch line 331):
+
+```ts
+- const mime = (await Filesystem.isDir(resolvedPath)) ? "application/x-directory" : "text/plain"
++ const mime = (await Filesystem.isDir(resolvedPath)) ? "application/x-directory" : await Filesystem.mimeType(resolvedPath)
+```
+
+The directory branch is preserved; only the non-directory fallback
+changes. `Filesystem.mimeType()` already exists and is the same
+helper used by other ingestion paths, so this is the obvious
+single-line fix.
+
+## Risks
+
+- `mime-types` returns `false` for unknown extensions. The follow-up
+  question is what `Filesystem.mimeType()` does in that case — if it
+  falls back to `application/octet-stream`, multimodal-incapable
+  providers may now reject what used to silently work as text.
+  Worth a one-liner test for "unknown extension → reasonable
+  fallback (text/plain or octet-stream consistent with other call
+  sites)".
+- No new test added. For a fix that's literally about wrong MIME
+  classification, a small unit test exercising at least
+  `image/png`, `text/plain` (e.g. `.txt`), and unknown extension
+  would lock the behavior.
+
+## Verdict
+
+`merge-after-nits` — add a regression test or at minimum a snippet
+in the PR description verifying the three cases above. The change
+itself is correct and minimal.
+
+## Suggested nits
+
+- Add a `run.test.ts` case for `--file foo.png` asserting
+  `mime === "image/png"`.
+- Confirm `Filesystem.mimeType()`'s unknown-extension behavior in
+  the PR description so reviewers don't have to chase it.

reviews/2026-W18/drip-171/sst-opencode-pr-24935.md

@@ -0,0 +1,71 @@
+# sst/opencode#24935 — `feat(tui): add terminal pet companion with CAVA audio visualizer`
+
+- URL: https://github.com/sst/opencode/pull/24935
+- Head SHA: `d74e8bf24b2f`
+- Author: ZoeImport
+- Size: +1448 / -0 across 10 files
+- Closes: #24937
+
+## Summary
+
+Adds an ASCII pet to the TUI sidebar with a 6-state behavior
+machine, weather influence, and an optional CAVA audio
+visualizer. Ships under `examples/terminal-pet/` plus new feature
+plugin files under `packages/opencode/src/cli/cmd/tui/feature-plugins/sidebar/`.
+Two top-level design docs (`PR-UI-EXTENSION.md`, `PR_DESCRIPTION.md`)
+are added at repo root.
+
+## Specific references
+
+- `PR-UI-EXTENSION.md` and `PR_DESCRIPTION.md` are added at the
+  repository root. These are PR-meta files — they belong in the PR
+  description box, not the tree. Likely to be rejected on style
+  alone.
+- `packages/opencode/src/cli/cmd/tui/feature-plugins/sidebar/pet.tsx`
+  and `spectrum.tsx` are introduced as first-class TUI feature
+  plugins. Per the PR's own analysis (`PR-UI-EXTENSION.md` lines
+  ~10–25 listing existing slots), the project already exposes a
+  `sidebar_content` plugin slot. A whole-cloth pet should live in
+  an external `~/.config/opencode/plugins/...` package using that
+  slot (which the PR even creates as `examples/terminal-pet/`),
+  not be merged into the core TUI tree as a `feature-plugin`.
+- CAVA dependency: `spectrum.tsx` shells out to `cava`. There's
+  no detection / graceful-skip wired into the sidebar mount path
+  visible in the diff — the PR description claims a fallback exists
+  but the test surface is +0 lines, so nothing exercises it.
+- `examples/terminal-pet/pets.config.json` and
+  `pet.config.schema.json` add a config schema with no validator
+  hooked up in the loader path.
+
+## Risks
+
+- Scope: this is two features (pet + audio visualizer) plus a
+  proposed new "UI Widget Extension System" doc rolled into one
+  1448-line PR. The maintainers' usual policy on this repo is one
+  small change per PR.
+- Maintenance burden: a stateful animation widget in the core TUI
+  binary is forever the maintainer's problem. The
+  `examples/terminal-pet/` external plugin form already
+  demonstrates the same thing without taking on that burden.
+- Zero tests added on a PR introducing a state machine, weather
+  system, and audio integration.
+- Top-level `.md` files at repo root will collide with future
+  PR-template tooling.
+
+## Verdict
+
+`request-changes`
+
+## Suggested direction
+
+1. Drop the in-tree `feature-plugins/sidebar/pet.tsx` and
+   `spectrum.tsx` additions; ship the whole thing as the external
+   plugin under `examples/terminal-pet/` (already in the PR).
+2. Move the two `PR-*.md` files into the PR description / a single
+   `examples/terminal-pet/README.md`.
+3. Hard-gate the CAVA path on a runtime `which cava` check with a
+   silent no-op fallback, plus one snapshot test asserting the
+   widget renders without `cava` present.
+4. If the maintainers do want pet-as-core, split into three PRs:
+   plugin-slot exposure (if any new slot is needed), pet widget,
+   audio visualizer.