diff --git a/ideas/competitive-analysis-2026-05.org b/ideas/competitive-analysis-2026-05.org
index 05d4be0..fbcfe6a 100644
--- a/ideas/competitive-analysis-2026-05.org
+++ b/ideas/competitive-analysis-2026-05.org
@@ -48,30 +48,49 @@ representation, no verification, no self-modification protection, no architectur
 for neurosymbolic reasoning. It is a thin shell around litellm + edit format
 parsers.
 
-** OpenCode / Crush (Go, ~42K lines, MIT)
+** OpenCode (TypeScript/Bun, anomalyco/opencode, 163K★)
 
-Now archived and succeeded by Crush (github.com/charmbracelet/crush). Go-based,
-Bubble Tea TUI.
+The dominant open-source coding agent by adoption. Bun runtime, Effect-TS
+functional core, Solid.js TUI, Turborepo monorepo.
 
-Architecture: Pubsub-driven layered architecture with LSP integration, 8+ provider
-clients (Anthropic, OpenAI, Gemini, Bedrock, Copilot, Azure, Vertex, Groq, xAI),
-hierarchical subagent delegation (child agents have read-only tools).
+Architecture: Dual LLM runtime — default AI SDK (streamText/generateText) +
+opt-in native Effect-Schema runtime (@opencode-ai/llm) with 4-axis route
+decomposition (Protocol/Endpoint/Auth/Framing). 30+ provider plugins.
+Agent workflow DSL with plan/build agent switching. Agent Communication
+Protocol (ACP) for inter-agent messaging. Subagents inherit permission
+boundaries from parent. 18+ built-in tools + custom tools from config.
+Effect-TS ScopedCache per-project state management.
 
-Safety model: Hybrid prompt-based + deterministic permission gating. Permission
-dialog blocks on channel until user approves. Bash commands have a banned-list
-(no curl/wget/nc/telnet). Read-before-write invariant ensures edits only on
-freshly-read content.
+Safety model: Explicitly documentes /not/ sandboxing the agent. The
+permission system is rule-based (glob matching, actions: allow/ask/deny)
+and exists as a UX feature, not security isolation. Built-in agents have
+carefully scoped defaults (build allows most, prompts on doom_loop;
+plan denies all edits except plan files; explore denies everything except
+grep/glob/bash/webfetch/read; question defaults to deny). Permission
+rules are inherited by subagents. Shell tool dynamically scans commands
+for filesystem-impacting operations to determine ask patterns.
 
-Data model: SQLite with 3 tables — sessions, messages (JSON parts column),
-files (versioned file history per session). Hierarchical sessions via
-parent_session_id.
+Data model: SQLite via Drizzle ORM with bun:sqlite or better-sqlite3.
+Key tables: SessionTable (project, workspace, parent hierarchy, cost,
+tokens, model JSON, agent config JSON, permission JSON, revert snapshot),
+MessageTable, PartTable. Project model stores worktree, VCS, sandbox
+config. Config is JSON-chain (user home → project root → worktree) with
+remote config fetch and mergeDeep with concatenating array semantics.
+20 config modules covering agents, permissions, providers, MCP, LSP,
+plugins, skills, references, variable.
 
-Self-modification: No protection against editing its own Go source.
+Self-modification: Agent.generate() interface lets the LLM create new
+agent definitions — the system grows its own subagent roster. Skills
+system loads domain-specific knowledge packs dynamically.
 
 Verification: None.
 
-Key gap vs Passepartout: No safety gates, no knowledge graph, no Org-mode,
-no neurosymbolic architecture. The archived project status is a risk.
+Key gap vs Passepartout: No deterministic safety architecture, no
+knowledge graph, no Org-mode, no verification/proof system, no
+neurosymbolic architecture. The permission system is explicitly labeled
+\"not security isolation\" — it's UX, not a gate stack. Largest userbase
+and most polished product of any coding agent, but architecturally
+conventional.
 
 ** Codex CLI (OpenAI, Rust, ~950K lines)