feat: add native session goals

[jorgitin02]

Issue for this PR

Closes #

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

Adds native session goal support to OpenCode, including backend persistence, runtime continuation, model-facing goal tools, and CLI/app surfaces so goals are handled by the shared server/runtime instead of a custom slash command.

How did you verify your code works?

Ran targeted OpenCode package tests and typecheck locally, including goal persistence, goal continuation, session HTTP API, and prompt tool coverage.

Screenshots / recordings

N/A

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​gitlab/​opencode-gitlab-auth@​1.3.3
	@​jsx-email/​all@​2.2.3
	@​jsx-email/​cli@​1.4.3
	@​jsx-email/​render@​1.1.1
	@​astrojs/​markdown-remark@​6.3.1
	@​ai-sdk/​gateway@​3.0.104
	@​lydell/​node-pty-darwin-arm64@​1.2.0-beta.10
	@​lydell/​node-pty-darwin-x64@​1.2.0-beta.10
	@​effect/​sql-sqlite-bun@​4.0.0-beta.66
	@​ai-sdk/​azure@​3.0.49
	@​ai-sdk/​openai@​3.0.48
	@​ai-sdk/​openai@​3.0.53
	@​effect/​opentelemetry@​4.0.0-beta.66
	@​ai-sdk/​amazon-bedrock@​4.0.96
	@​ai-sdk/​alibaba@​1.0.17
	@​ai-sdk/​provider@​3.0.8
	@​effect/​platform-node@​4.0.0-beta.66
	@​ai-sdk/​provider-utils@​4.0.23
	@​ai-sdk/​xai@​3.0.82
	@​ai-sdk/​google@​3.0.63
	@​astrojs/​check@​0.9.6
	@​hey-api/​openapi-ts@​0.90.10
	@​babel/​core@​7.28.4
	@​lydell/​node-pty@​1.2.0-beta.10
	@​kobalte/​core@​0.13.11
	@​astrojs/​solid-js@​5.1.0
	@​happy-dom/​global-registrator@​20.0.11
	@​astrojs/​cloudflare@​12.6.3
	@​fontsource/​ibm-plex-mono@​5.2.5
	@​ai-sdk/​togetherai@​2.0.41
	@​astrojs/​starlight@​0.34.3
	@​ibm/​plex@​6.4.1
	@​ai-sdk/​deepinfra@​2.0.41
See 17 more rows in the dashboard

View full report

[jorgitin02]

@codex

[jorgitin02]

@codex review

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6619f1c01a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[jorgitin02]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🚀

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @astrojs/compiler is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/@astrojs/check@0.9.6 → npm/@astrojs/compiler@2.13.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@astrojs/compiler@2.13.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @aws-sdk/client-s3 is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/@aws-sdk/client-s3@3.933.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/client-s3@3.933.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @hey-api/openapi-ts is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/sdk/js/package.json → npm/@hey-api/openapi-ts@0.90.10 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@hey-api/openapi-ts@0.90.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/@kobalte/core@0.13.11 → npm/@internationalized/date@3.12.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report