fix: authoritative managed-settings.json applied after all user config

[Daviey]

Issue for this PR

Closes #22292

Type of change

• Bug fix

What does this PR do?

Two bypass vectors allowed users to override enterprise managed config:

1. OPENCODE_PERMISSION env var was merged after managed config, so it won. A managed deny rule could be overwritten to allow.
2. Object fields like mcp, agent, provider etc. were additively merged. Users could inject extra entries alongside managed ones (e.g. adding an evil MCP server or an extra provider).

The fix introduces managed-settings.json (and a managed-settings.d/ drop-in directory) in the system config location. It is loaded last, after all user config, project config, and OPENCODE_PERMISSION, so it cannot be overridden. Object fields in that file replace rather than merge, closing the injection vector.

The existing opencode.json managed config is unchanged and still loads earlier in the chain (for non-authoritative defaults). managed-settings.json is the opt-in high enforcement layer.

How did you verify your code works?

Three commits in this PR, each with a specific purpose:

Commit 1: 5c25db2 (tests only, no fix)

11 tests fail against unpatched code. Run with:

git checkout 5c25db25b
cd packages/opencode
bun test --test-name-pattern "managed"

Output:

(fail) managed settings override user settings
(fail) managed settings override project settings
(fail) managed instructions should replace user instructions, not union
(fail) managed agents should replace user agents, not additively merge
(fail) managed mcp should replace user mcp, not additively merge
(fail) managed commands should replace user commands, not additively merge
(fail) managed providers should replace user providers, not additively merge
(fail) managed formatters should replace user formatters, not additively merge
(fail) managed lsp should replace user lsp, not additively merge
(fail) managed experimental should replace user experimental, not additively merge
(fail) managed skills should replace user skills, not additively merge

3 pass, 9 skip, 11 fail

Commit 2: c5ca9d1 (the fix)

Same tests, now all pass:

git checkout c5ca9d10c
cd packages/opencode
bun test --test-name-pattern "managed"

Output:

14 pass, 9 skip, 0 fail

The 3 tests that already passed at commit 1 (permission deny via OPENCODE_PERMISSION, drop-in fragment ordering, dotfile ignore) continue to pass.

Commit 3: 3a3c2f2 (docs)

Adds documentation for managed-settings.json and managed-settings.d/ drop-in fragments to packages/web/src/content/docs/config.mdx. No code changes.

Screenshots / recordings

N/A, no UI changes.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Hey! Your PR title Fix/managed settings authoritative doesn't follow conventional commit format.

Please update it to start with one of:

• feat: or feat(scope): new feature
• fix: or fix(scope): bug fix
• docs: or docs(scope): documentation changes
• chore: or chore(scope): maintenance tasks
• refactor: or refactor(scope): code refactoring
• test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.