Improve upstream sync workflow guidance

.agents/commands/upstream-sync.md

@@ -32,6 +32,7 @@ This command is shared from `.agents/commands/`. `.claude/commands` and `.cursor
 - Do not include agent attribution in branch names, commit messages, PR titles, PR bodies, or comments.
 - Start from a clean worktree. If there are local changes, stop and report them before fetching, switching branches, or merging.
 - Follow the repository rules in `AGENTS.md`; do not duplicate those rules in this command.
+- Keep the sync PR scoped to upstream content plus necessary conflict and fork-delta resolutions. Put follow-up process documentation changes on a separate branch from `main`.
 
 ## Workflow
 
@@ -215,6 +216,20 @@ Before resolving conflicts and before treating a conflict-free merge as ready, r
 
 Treat those files as the source of truth. If a sync exposes a new intentional O3-vs-upstream behavior difference, update `docs/internal/fork-deltas/registry.md` in the sync PR instead of adding a one-off checklist here.
 
+After resolving conflicts, and even when the merge is conflict-free, review the final proxy-branch diff for upstream identity leaking into O3 runtime code:
+
+```bash
+git diff origin/main...HEAD -- apps packages | \
+  rg -n '(@superset|superset-cli|superset-sh|Watt|watt)' || true
+```
+
+Treat matches as review prompts, not automatic failures. Preserve O3 package scopes, product names, domains, env prefixes, protocols, persisted paths, and OAuth client IDs. The current O3 CLI OAuth client id is `o3-code-cli` in:
+
+- `packages/cli/src/lib/auth.ts`
+- `packages/host-service/src/providers/auth/ConfigFileSessionTokenSource/ConfigFileSessionTokenSource.ts`
+
+If upstream adds a trusted-client guard or similar identity-sensitive logic, map upstream IDs to the O3 equivalent before validating.
+
 Useful conflict checks:
 
 ```bash
@@ -232,12 +247,19 @@ For an upstream content sync, run:
 bun run lint:fix
 bun run lint
 bun run typecheck
+if [ ! -f packages/pty-daemon/dist/pty-daemon.js ]; then
+  bun run build
+fi
 bun test
 ```
 
-Run targeted tests for any conflict area. Run `bun run build` when upstream touches packaging, Next apps, Electron, shared config, or release workflows.
+Run targeted tests for any conflict area. Run `bun run build` before the final `bun test` attempt when upstream touches desktop, host-service, daemon, packaging, release, shared config, or Next app behavior.
+
+Some repository tests require generated build artifacts. If `bun test` still fails because `packages/pty-daemon/dist/pty-daemon.js` is missing, run `bun run build` and rerun `bun test` once.
+
+If validation fails from an unrelated existing issue, do not fix unrelated areas in the sync PR. Capture the exact command, first failure class, final summary, and exit code in the PR body. If no targeted tests exist for the touched area, say that explicitly.
 
-If validation fails from an unrelated existing issue, capture the exact command and failure in the PR body.
+If you amend the merge commit after validation, rerun at least `bun run lint:fix`, `bun run lint`, and `bun run typecheck`. Rerun `bun run build` when the amendment could affect build output; a Turbo cache replay is acceptable.
 
 ### 8. Open The PR
 
@@ -262,11 +284,12 @@ cat >/tmp/upstream-sync-pr.md <<EOF
 
 ## Conflict And Fork-Delta Notes
 - Conflicts: <none, or list files/areas>
+- Fork-delta decisions: <none, or summarize identity/client/database/desktop-web-access choices>
 - Fork-delta registry updates: <none, or summarize entries updated>
 - Merge method required: merge commit, not squash/rebase.
 
 ## Validation
-- <commands run and results>
+- <commands run and results, including exact unrelated failures if any>
 
 ## Follow-Ups
 - <none, or list deferred work>