diff --git a/app.py b/app.py
index a7188a4..182993b 100644
--- a/app.py
+++ b/app.py
@@ -83,6 +83,7 @@ def handle_sigterm(signum, frame):
     "steps": [
         {"id": "git",        "label": "Configuring git identity",     "status": "pending", "started_at": None, "completed_at": None, "error": None},
         {"id": "micro",      "label": "Installing micro editor",      "status": "pending", "started_at": None, "completed_at": None, "error": None},
+        {"id": "proxy",   "label": "Starting content-filter proxy", "status": "pending", "started_at": None, "completed_at": None, "error": None},
         {"id": "claude",     "label": "Configuring Claude CLI",       "status": "pending", "started_at": None, "completed_at": None, "error": None},
         {"id": "codex",      "label": "Configuring Codex CLI",        "status": "pending", "started_at": None, "completed_at": None, "error": None},
         {"id": "opencode",   "label": "Configuring OpenCode CLI",     "status": "pending", "started_at": None, "completed_at": None, "error": None},
@@ -251,6 +252,11 @@ def run_setup():
     _run_step("micro", ["bash", "-c",
         "mkdir -p ~/.local/bin && bash install_micro.sh && mv micro ~/.local/bin/ 2>/dev/null || true"])
 
+    # --- Content-filter proxy (must be running before OpenCode starts) ---
+    # Sanitizes requests/responses between OpenCode and Databricks
+    # (see OpenCode #5028, docs/plans/2026-03-11-litellm-empty-content-blocks-design.md)
+    _run_step("proxy", ["python", "setup_proxy.py"])
+
     # --- Parallel agent setup (all independent of each other) ---
     parallel_steps = [
         ("claude",     ["python", "setup_claude.py"]),
@@ -296,16 +302,33 @@ def get_request_user():
            request.headers.get("X-Databricks-User-Email")
 
 
+def _is_databricks_apps():
+    """Detect if we're running on Databricks Apps (not local dev)."""
+    return os.environ.get("DATABRICKS_APP_PORT") or os.path.isdir("/app/python/source_code")
+
+
 def check_authorization():
-    """Check if the current user is authorized to access the app."""
-    # If owner not set (local dev or SDK unavailable), allow access
+    """Check if the current user is authorized to access the app.
+
+    Fails CLOSED on Databricks Apps: if we can't determine the owner,
+    deny all access rather than allowing unauthenticated terminal access.
+    Fails open only for local development.
+    Fixes: https://github.com/datasciencemonkey/coding-agents-databricks-apps/issues/57
+    """
+    # Fail closed on Databricks Apps if owner couldn't be resolved
     if not app_owner:
-        return True, None
+        if _is_databricks_apps():
+            logger.error("SECURITY: app_owner not resolved — denying all access (fail-closed)")
+            return False, "unknown"
+        return True, None  # Local dev only
 
     current_user = get_request_user()
 
     # If no user identity in request (local dev), allow access
     if not current_user:
+        if _is_databricks_apps():
+            logger.warning("No user identity in request on Databricks Apps — denying access")
+            return False, "unknown"
         return True, None
 
     # Check if current user is the owner
@@ -571,6 +594,21 @@ def set_security_headers(response):
     response.headers["X-Frame-Options"] = "DENY"
     response.headers["X-XSS-Protection"] = "1; mode=block"
     response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+    # CSP: restrict scripts to self + inline (needed for embedded <script> block),
+    # styles to self + inline, block all other sources. Prevents external script injection.
+    # connect-src allows WebSocket + API calls to self.
+    # Fixes: https://github.com/datasciencemonkey/coding-agents-databricks-apps/issues/58
+    response.headers["Content-Security-Policy"] = (
+        "default-src 'none'; "
+        "script-src 'self' 'unsafe-inline'; "
+        "style-src 'self' 'unsafe-inline'; "
+        "img-src 'self' data:; "
+        "font-src 'self'; "
+        "connect-src 'self' ws: wss:; "
+        "frame-ancestors 'none'; "
+        "base-uri 'self'; "
+        "form-action 'self'"
+    )
     return response
 
 
diff --git a/content_filter_proxy.py b/content_filter_proxy.py
new file mode 100644
index 0000000..d830320
--- /dev/null
+++ b/content_filter_proxy.py
@@ -0,0 +1,632 @@
+#!/usr/bin/env python
+"""Lightweight HTTP proxy that sanitizes requests and responses between OpenCode and Databricks.
+
+Request-side fixes:
+  - Strips empty/whitespace-only text content blocks (OpenCode #5028)
+  - Strips orphaned tool_result blocks with no matching tool_use
+  - Removes empty messages after filtering
+
+Response-side fixes:
+  - Remaps 'databricks-tool-call' back to real tool names
+  - Fixes finish_reason when tool calls are present
+
+Runs on localhost (never exposed externally). Zero external dependencies
+beyond stdlib + requests (already installed via databricks-sdk).
+
+See: https://github.com/sst/opencode/issues/5028
+     https://github.com/BerriAI/litellm/pull/20384
+"""
+import json
+import logging
+import os
+import sys
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from socketserver import ThreadingMixIn
+
+import requests
+
+UPSTREAM_BASE = os.environ.get("PROXY_UPSTREAM_BASE", "")
+LISTEN_HOST = os.environ.get("PROXY_HOST", "127.0.0.1")
+LISTEN_PORT = int(os.environ.get("PROXY_PORT", "4000"))
+
+# Diagnostic logging — writes to stderr which goes to ~/.content-filter-proxy.log
+log = logging.getLogger("content-filter-proxy")
+log.setLevel(logging.INFO)
+if not log.handlers:
+    _sh = logging.StreamHandler(sys.stderr)
+    _sh.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
+    log.addHandler(_sh)
+
+# JSON Schema keywords that Gemini doesn't support
+GEMINI_UNSUPPORTED_SCHEMA_KEYS = {
+    "$schema", "$ref", "$defs", "$id", "$comment", "additionalProperties",
+}
+
+# Top-level request fields that Gemini doesn't support
+GEMINI_UNSUPPORTED_REQUEST_KEYS = {
+    "stream_options",
+}
+
+
+# ---------------------------------------------------------------------------
+# Gemini compatibility
+# ---------------------------------------------------------------------------
+
+def strip_unsupported_schema_keys(obj):
+    """Recursively strip JSON Schema keywords that Gemini doesn't support."""
+    if isinstance(obj, dict):
+        return {
+            k: strip_unsupported_schema_keys(v)
+            for k, v in obj.items()
+            if k not in GEMINI_UNSUPPORTED_SCHEMA_KEYS
+        }
+    elif isinstance(obj, list):
+        return [strip_unsupported_schema_keys(item) for item in obj]
+    return obj
+
+
+def sanitize_tool_schemas(data):
+    """Strip JSON Schema keywords that some providers reject.
+
+    Applied universally — $schema, additionalProperties etc. are never
+    required by any downstream API. Claude/GPT ignore them, Gemini rejects them.
+    Stripping for all models is safe and avoids model detection issues.
+    """
+    tools = data.get("tools", [])
+    if not tools:
+        return data
+
+    for tool in tools:
+        func = tool.get("function", {})
+        if "parameters" in func:
+            func["parameters"] = strip_unsupported_schema_keys(func["parameters"])
+
+    # Strip unsupported top-level fields
+    for key in GEMINI_UNSUPPORTED_REQUEST_KEYS:
+        if key in data:
+            log.info(f"  Stripped top-level field: {key}")
+            del data[key]
+
+    # Strip $schema from top level if present
+    data.pop("$schema", None)
+
+    return data
+
+
+# ---------------------------------------------------------------------------
+# Request-side sanitization
+# ---------------------------------------------------------------------------
+
+def _extract_tool_ids_from_message(msg):
+    """Extract all tool_use/tool_call IDs from an assistant message."""
+    ids = set()
+    # Anthropic format: content blocks with type=tool_use
+    content = msg.get("content")
+    if isinstance(content, list):
+        for block in content:
+            if isinstance(block, dict) and block.get("type") == "tool_use":
+                tid = block.get("id")
+                if tid:
+                    ids.add(tid)
+    # OpenAI format: tool_calls array
+    for tc in msg.get("tool_calls") or []:
+        tid = tc.get("id")
+        if tid:
+            ids.add(tid)
+    return ids
+
+
+def _extract_tool_refs_from_message(msg):
+    """Extract all tool_use_id/tool_call_id references from a user/tool message."""
+    refs = set()
+    role = msg.get("role", "")
+    content = msg.get("content")
+    # Anthropic format: tool_result blocks
+    if isinstance(content, list):
+        for block in content:
+            if isinstance(block, dict) and block.get("type") == "tool_result":
+                ref = block.get("tool_use_id")
+                if ref:
+                    refs.add(ref)
+    # OpenAI format: tool messages
+    if role == "tool":
+        ref = msg.get("tool_call_id")
+        if ref:
+            refs.add(ref)
+    return refs
+
+
+def sanitize_messages(messages):
+    """Strip empty text blocks and orphaned tool_result/tool messages.
+
+    Runs multiple passes to handle cascading orphans (dropping one message
+    can make the next one orphaned too).
+    """
+    if not isinstance(messages, list):
+        return messages
+
+    log.info(f"Sanitizing {len(messages)} messages")
+
+    # Log message structure for debugging
+    for i, msg in enumerate(messages):
+        role = msg.get("role", "")
+        tool_ids = _extract_tool_ids_from_message(msg)
+        tool_refs = _extract_tool_refs_from_message(msg)
+        content = msg.get("content")
+        content_desc = ""
+        if isinstance(content, list):
+            types = [b.get("type", "?") if isinstance(b, dict) else "str" for b in content]
+            content_desc = f"[{', '.join(types)}]"
+        elif isinstance(content, str):
+            content_desc = f'str({len(content)} chars)'
+        elif content is None:
+            content_desc = "null"
+        extras = ""
+        if tool_ids:
+            extras += f" tool_ids={tool_ids}"
+        if tool_refs:
+            extras += f" tool_refs={tool_refs}"
+        if msg.get("tool_calls"):
+            extras += f" tool_calls={len(msg['tool_calls'])}"
+        log.info(f"  [{i}] {role}: {content_desc}{extras}")
+
+    # Multi-pass sanitization (handles cascading orphans)
+    prev_len = -1
+    pass_num = 0
+    result = list(messages)
+
+    while len(result) != prev_len and pass_num < 5:
+        prev_len = len(result)
+        pass_num += 1
+        result = _sanitize_single_pass(result, pass_num)
+
+    stripped = len(messages) - len(result)
+    if stripped > 0:
+        log.info(f"Sanitization complete: stripped {stripped} messages/blocks in {pass_num} passes")
+
+    return result
+
+
+def _sanitize_single_pass(messages, pass_num):
+    """One pass of message sanitization."""
+    cleaned = []
+
+    for i, msg in enumerate(messages):
+        role = msg.get("role", "")
+        content = msg.get("content")
+
+        # Build valid tool IDs from the most recent assistant message IN THE
+        # CLEANED list (not the original), so cascading drops are handled.
+        prev_tool_ids = set()
+        for j in range(len(cleaned) - 1, -1, -1):
+            if cleaned[j].get("role") == "assistant":
+                prev_tool_ids = _extract_tool_ids_from_message(cleaned[j])
+                break
+
+        # --- Handle list content (Anthropic format) ---
+        if isinstance(content, list):
+            filtered = []
+            for block in content:
+                if not isinstance(block, dict):
+                    filtered.append(block)
+                    continue
+
+                # Strip empty/whitespace-only text blocks
+                if block.get("type") == "text" and block.get("text", "").strip() == "":
+                    log.info(f"  pass {pass_num}: strip empty text block from msg[{i}] ({role})")
+                    continue
+
+                # Strip orphaned tool_result blocks
+                if block.get("type") == "tool_result":
+                    tool_use_id = block.get("tool_use_id")
+                    if tool_use_id and tool_use_id not in prev_tool_ids:
+                        log.info(f"  pass {pass_num}: strip orphaned tool_result {tool_use_id} from msg[{i}] (prev_ids={prev_tool_ids})")
+                        continue
+
+                filtered.append(block)
+
+            if not filtered:
+                if role == "assistant":
+                    msg = {**msg, "content": filtered}
+                else:
+                    log.info(f"  pass {pass_num}: drop empty {role} msg[{i}]")
+                    continue
+            else:
+                msg = {**msg, "content": filtered}
+
+        # --- Handle OpenAI tool messages ---
+        elif role == "tool":
+            tool_call_id = msg.get("tool_call_id")
+            if tool_call_id and tool_call_id not in prev_tool_ids:
+                log.info(f"  pass {pass_num}: strip orphaned tool msg[{i}] {tool_call_id} (prev_ids={prev_tool_ids})")
+                continue
+
+        # --- Handle empty/null string content ---
+        elif content is None and role == "assistant" and not msg.get("tool_calls"):
+            # Assistant message with null content and no tool_calls — replace
+            log.info(f"  pass {pass_num}: replace null assistant content msg[{i}] with placeholder")
+            msg = {**msg, "content": "."}
+        elif isinstance(content, str) and content.strip() == "":
+            if role == "assistant":
+                # Can't drop assistant messages (breaks alternation), replace with minimal content
+                log.info(f"  pass {pass_num}: replace empty assistant string msg[{i}] with placeholder")
+                msg = {**msg, "content": "."}
+            else:
+                log.info(f"  pass {pass_num}: strip empty string {role} msg[{i}]")
+                continue
+
+        cleaned.append(msg)
+
+    return cleaned
+
+
+# ---------------------------------------------------------------------------
+# Response-side fixes
+# ---------------------------------------------------------------------------
+
+def remap_tool_call(tool_call):
+    """If tool name is 'databricks-tool-call', extract real name from arguments."""
+    func = tool_call.get("function", {})
+    if func.get("name") != "databricks-tool-call":
+        return tool_call
+
+    args_str = func.get("arguments", "")
+    try:
+        args = json.loads(args_str)
+        if isinstance(args, dict) and "name" in args:
+            real_name = args.pop("name")
+            tool_call = {**tool_call, "function": {
+                **func,
+                "name": real_name,
+                "arguments": json.dumps(args),
+            }}
+    except (json.JSONDecodeError, TypeError):
+        pass  # Can't parse — leave as-is
+
+    return tool_call
+
+
+def fix_response_data(data):
+    """Fix tool names and finish_reason in a parsed response object."""
+    if not isinstance(data, dict):
+        return data
+
+    for choice in data.get("choices", []):
+        # Non-streaming: choice.message
+        message = choice.get("message", {})
+        tool_calls = message.get("tool_calls", [])
+        if tool_calls:
+            message["tool_calls"] = [remap_tool_call(tc) for tc in tool_calls]
+            # Fix finish_reason: should be "tool_calls" if tools are invoked
+            if choice.get("finish_reason") == "stop" and tool_calls:
+                choice["finish_reason"] = "tool_calls"
+
+        # Streaming: choice.delta
+        delta = choice.get("delta", {})
+        delta_tool_calls = delta.get("tool_calls", [])
+        if delta_tool_calls:
+            delta["tool_calls"] = [remap_tool_call(tc) for tc in delta_tool_calls]
+
+        # Fix finish_reason for streaming chunks
+        if choice.get("finish_reason") == "stop" and delta_tool_calls:
+            choice["finish_reason"] = "tool_calls"
+
+    return data
+
+
+# ---------------------------------------------------------------------------
+# SSE stream processing
+# ---------------------------------------------------------------------------
+
+class SSEProcessor:
+    """Buffers and fixes SSE events, handling tool name remapping across chunks."""
+
+    def __init__(self):
+        # Per tool-call-index state for streaming name resolution
+        # {index: {"args_buffer": str, "resolved_name": str|None, "buffered_lines": []}}
+        self._tool_state = {}
+        self._pending_flush = []
+
+    def process_line(self, line):
+        """Process one SSE line. Returns list of lines to send (may be empty if buffering)."""
+        # Non-data lines pass through immediately
+        if not line.startswith("data: "):
+            return [line]
+
+        payload = line[6:]  # Strip "data: " prefix
+
+        # [DONE] signal passes through
+        if payload.strip() == "[DONE]":
+            # Flush any remaining buffered events
+            result = list(self._pending_flush)
+            self._pending_flush.clear()
+            result.append(line)
+            return result
+
+        # Parse event JSON
+        try:
+            data = json.loads(payload)
+        except json.JSONDecodeError:
+            return [line]  # Can't parse — pass through
+
+        # Check for tool calls that need remapping
+        needs_buffering = False
+        for choice in data.get("choices", []):
+            delta = choice.get("delta", {})
+            for tc in delta.get("tool_calls", []):
+                idx = tc.get("index", 0)
+                func = tc.get("function", {})
+
+                # First chunk with tool name
+                if "name" in func:
+                    if func["name"] == "databricks-tool-call":
+                        self._tool_state[idx] = {
+                            "args_buffer": func.get("arguments", ""),
+                            "resolved_name": None,
+                            "buffered_lines": [],
+                        }
+                        needs_buffering = True
+                    else:
+                        # Normal tool name — no remapping needed
+                        self._tool_state.pop(idx, None)
+
+                # Argument chunks for a pending tool call
+                elif idx in self._tool_state and self._tool_state[idx]["resolved_name"] is None:
+                    state = self._tool_state[idx]
+                    state["args_buffer"] += func.get("arguments", "")
+                    needs_buffering = True
+
+                    # Try to extract the real name from accumulated arguments
+                    try:
+                        args = json.loads(state["args_buffer"])
+                        if isinstance(args, dict) and "name" in args:
+                            state["resolved_name"] = args.pop("name")
+                            # Rewrite all buffered events with the real name
+                            flushed = self._flush_tool_buffer(idx, state["resolved_name"], args)
+                            return flushed + [self._rewrite_event_line(line, data)]
+                    except json.JSONDecodeError:
+                        pass  # Arguments still incomplete — keep buffering
+
+                # Subsequent chunks after name is resolved
+                elif idx in self._tool_state and self._tool_state[idx]["resolved_name"]:
+                    # Name already resolved — strip "name" from args if present
+                    pass  # Just pass through, name was fixed in first event
+
+            # Fix finish_reason
+            if choice.get("finish_reason") == "stop":
+                # Check if any tool calls were made in this response
+                if self._tool_state:
+                    choice["finish_reason"] = "tool_calls"
+
+        if needs_buffering:
+            # Buffer this event until we can resolve the tool name
+            for idx, state in self._tool_state.items():
+                if state["resolved_name"] is None:
+                    state["buffered_lines"].append(line)
+                    return []  # Don't send yet
+
+        # No buffering needed — fix and forward
+        fixed = fix_response_data(data)
+        return [f"data: {json.dumps(fixed)}"]
+
+    def _flush_tool_buffer(self, idx, real_name, cleaned_args):
+        """Rewrite buffered events with the resolved tool name."""
+        state = self._tool_state[idx]
+        result = []
+        for buffered_line in state["buffered_lines"]:
+            payload = buffered_line[6:]  # Strip "data: "
+            try:
+                bdata = json.loads(payload)
+                for choice in bdata.get("choices", []):
+                    delta = choice.get("delta", {})
+                    for tc in delta.get("tool_calls", []):
+                        if tc.get("index", 0) == idx:
+                            func = tc.get("function", {})
+                            if "name" in func and func["name"] == "databricks-tool-call":
+                                func["name"] = real_name
+                            if "arguments" in func:
+                                # Clear arguments in buffered events (we'll send clean args)
+                                func["arguments"] = ""
+                result.append(f"data: {json.dumps(bdata)}")
+            except json.JSONDecodeError:
+                result.append(buffered_line)
+
+        state["buffered_lines"].clear()
+
+        # Send the cleaned arguments as a separate event
+        args_event = {
+            "choices": [{
+                "delta": {
+                    "tool_calls": [{
+                        "index": idx,
+                        "function": {"arguments": json.dumps(cleaned_args)}
+                    }]
+                },
+                "finish_reason": None
+            }]
+        }
+        result.append(f"data: {json.dumps(args_event)}")
+        return result
+
+    def _rewrite_event_line(self, line, data):
+        """Rewrite an event line with fixed data."""
+        fixed = fix_response_data(data)
+        return f"data: {json.dumps(fixed)}"
+
+    def flush_remaining(self):
+        """Flush any remaining buffered events (graceful fallback)."""
+        result = []
+        for idx, state in self._tool_state.items():
+            for buffered_line in state["buffered_lines"]:
+                result.append(buffered_line)
+            state["buffered_lines"].clear()
+        result.extend(self._pending_flush)
+        self._pending_flush.clear()
+        return result
+
+
+# ---------------------------------------------------------------------------
+# HTTP Server
+# ---------------------------------------------------------------------------
+
+class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
+    """Handle concurrent requests (e.g., health checks during streaming)."""
+    daemon_threads = True
+
+
+class ProxyHandler(BaseHTTPRequestHandler):
+    """Proxy that sanitizes requests and fixes responses."""
+
+    def do_POST(self):
+        content_length = int(self.headers.get("Content-Length", 0))
+        body = self.rfile.read(content_length)
+
+        log.info(f"POST {self.path} ({content_length} bytes)")
+
+        # --- Sanitize request ---
+        try:
+            data = json.loads(body)
+            if "messages" in data:
+                before = len(data["messages"])
+                data["messages"] = sanitize_messages(data["messages"])
+                after = len(data["messages"])
+                if before != after:
+                    log.info(f"Messages: {before} -> {after}")
+            # Strip unsupported schema keys from tool definitions (all models)
+            data = sanitize_tool_schemas(data)
+            body = json.dumps(data).encode()
+        except (json.JSONDecodeError, KeyError) as e:
+            log.warning(f"Could not parse request body: {e}")
+            pass  # Forward as-is if not valid JSON
+
+        # Build upstream URL
+        upstream_url = UPSTREAM_BASE + self.path
+
+        # Forward headers
+        headers = {}
+        for key in self.headers:
+            if key.lower() not in ("host", "content-length", "transfer-encoding"):
+                headers[key] = self.headers[key]
+        headers["Content-Length"] = str(len(body))
+
+        # Detect streaming
+        is_stream = False
+        try:
+            is_stream = json.loads(body).get("stream", False)
+        except Exception:
+            pass
+
+        try:
+            resp = requests.post(
+                upstream_url,
+                data=body,
+                headers=headers,
+                stream=is_stream,
+                timeout=300,
+            )
+
+            # Log upstream errors
+            if resp.status_code >= 400:
+                log.error(f"Upstream returned {resp.status_code}: {resp.text[:500]}")
+
+            # --- Non-streaming response ---
+            if not is_stream:
+                # Fix response
+                try:
+                    resp_data = resp.json()
+                    resp_data = fix_response_data(resp_data)
+                    resp_body = json.dumps(resp_data).encode()
+                except (json.JSONDecodeError, ValueError):
+                    resp_body = resp.content
+
+                self.send_response(resp.status_code)
+                for key, value in resp.headers.items():
+                    if key.lower() not in ("transfer-encoding", "content-encoding", "content-length"):
+                        self.send_header(key, value)
+                self.send_header("Content-Length", str(len(resp_body)))
+                self.end_headers()
+                self.wfile.write(resp_body)
+                return
+
+            # --- Streaming response ---
+            self.send_response(resp.status_code)
+            for key, value in resp.headers.items():
+                if key.lower() not in ("transfer-encoding", "content-encoding", "content-length"):
+                    self.send_header(key, value)
+            self.send_header("Transfer-Encoding", "chunked")
+            self.end_headers()
+
+            processor = SSEProcessor()
+
+            for raw_line in resp.iter_lines(decode_unicode=True):
+                if raw_line is None:
+                    continue
+
+                line = raw_line.strip() if isinstance(raw_line, str) else raw_line.decode().strip()
+
+                if not line:
+                    # Blank line = event boundary, send it
+                    self._send_chunk(b"\r\n")
+                    continue
+
+                # Process through SSE fixer
+                output_lines = processor.process_line(line)
+                for out_line in output_lines:
+                    self._send_chunk((out_line + "\r\n").encode())
+
+            # Flush any remaining buffered events
+            for remaining in processor.flush_remaining():
+                self._send_chunk((remaining + "\r\n").encode())
+
+            # Send final zero-length chunk to end chunked transfer
+            self._send_chunk(b"")
+
+        except requests.exceptions.ConnectionError as e:
+            self.send_error(502, f"Upstream connection failed: {e}")
+        except requests.exceptions.Timeout:
+            self.send_error(504, "Upstream timeout")
+
+    def _send_chunk(self, data):
+        """Send a chunk in HTTP chunked transfer encoding."""
+        if data:
+            chunk = f"{len(data):x}\r\n".encode() + data + b"\r\n"
+        else:
+            chunk = b"0\r\n\r\n"  # Final chunk
+        try:
+            self.wfile.write(chunk)
+            self.wfile.flush()
+        except BrokenPipeError:
+            pass
+
+    def do_GET(self):
+        """Health check endpoint."""
+        if self.path == "/health":
+            body = json.dumps({"status": "ok", "upstream": UPSTREAM_BASE}).encode()
+            self.send_response(200)
+            self.send_header("Content-Type", "application/json")
+            self.send_header("Content-Length", str(len(body)))
+            self.end_headers()
+            self.wfile.write(body)
+        else:
+            self.send_error(404)
+
+    def log_message(self, format, *args):
+        """Suppress per-request logging to keep container logs clean."""
+        pass
+
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+if __name__ == "__main__":
+    if not UPSTREAM_BASE:
+        print("Error: PROXY_UPSTREAM_BASE environment variable is required", file=sys.stderr)
+        sys.exit(1)
+
+    server = ThreadedHTTPServer((LISTEN_HOST, LISTEN_PORT), ProxyHandler)
+    print(f"Content-filter proxy listening on {LISTEN_HOST}:{LISTEN_PORT}")
+    print(f"Forwarding to: {UPSTREAM_BASE}")
+    print(f"Fixes: empty text blocks, orphaned tool_results, tool name remapping, finish_reason")
+    sys.stdout.flush()
+    server.serve_forever()
diff --git a/docs/plans/2026-03-11-litellm-empty-content-blocks-design.md b/docs/plans/2026-03-11-litellm-empty-content-blocks-design.md
new file mode 100644
index 0000000..745def2
--- /dev/null
+++ b/docs/plans/2026-03-11-litellm-empty-content-blocks-design.md
@@ -0,0 +1,156 @@
+# Design: LiteLLM Local Proxy for Empty Content Block Sanitization
+
+**Date:** 2026-03-11
+**Branch:** `fix/litellm-empty-content-blocks`
+**Related:** OpenCode [#5028](https://github.com/sst/opencode/issues/5028), LiteLLM [PR #20384](https://github.com/BerriAI/litellm/pull/20384)
+
+## Problem
+
+OpenCode intermittently sends malformed messages containing empty text content blocks
+(`{"type": "text", "text": ""}`) to the Databricks Foundation Model API. This occurs during:
+
+1. **Streaming** — empty text blocks appear between thinking blocks in conversation history
+2. **Compaction** — `/compact` command produces empty or whitespace-only blocks
+3. **Model switching** — switching between models (e.g., Gemini to Claude) generates whitespace-only chunks
+
+The Databricks Foundation Model API strictly rejects these with:
+```
+Bad Request: {"message":"messages: text content blocks must be non-empty"}
+```
+
+Once a corrupted message enters the conversation history, **every subsequent request fails** —
+the session is permanently bricked. This is OpenCode issue
+[#5028](https://github.com/sst/opencode/issues/5028), still open as of March 2026.
+
+## Why Not PR #52's Approach
+
+[PR #52](https://github.com/datasciencemonkey/coding-agents-databricks-apps/pull/52) proposes
+forking OpenCode (`dgokeeffe/opencode`) to add a native Databricks provider. After analysis:
+
+1. **Does not fix the root cause** — The fork's `feat/databricks-ai-sdk-provider` branch
+   has no commits that sanitize empty content blocks. The bug originates in OpenCode's core
+   agent loop (conversation history management), not the provider layer. A native provider
+   sends whatever the core gives it.
+
+2. **Fork maintenance burden** — Must track upstream OpenCode releases indefinitely.
+   When upstream fixes #5028, the fork may conflict.
+
+3. **Scope creep** — PR #52 bundles the fork with a spawner app, GitHub CLI setup,
+   and performance fixes. These are independent concerns that should be separate PRs.
+
+4. **Fragile coupling** — Tightly couples our project to a fork that may diverge from
+   upstream, creating long-term maintenance risk for a demo/tool project.
+
+### What to cherry-pick from PR #52 (separately)
+
+PR #52 contains valuable changes that are **independent of the fork** and should be
+extracted into their own PRs:
+
+- **Performance fixes** — `select()` timeout reduction (500ms → 50ms), lock contention
+  fixes in `get_output_batch()` and `cleanup_stale_sessions()`, poll-worker interval
+  reduction (100ms → 50ms). These are changes to `app.py` and `static/poll-worker.js`.
+
+- **WebSocket detection fix** — Correct Socket.IO transport detection that checks
+  `socket.io.engine.transport.name` instead of trusting `connected=true`. This is a
+  change to `static/index.html`.
+
+- **GitHub CLI setup** — Automated `gh` install with xterm.js-safe auth wrapper.
+  Standalone setup script.
+
+These should be reviewed and merged independently — they don't require the OpenCode fork.
+
+## Our Approach: LiteLLM Local Proxy
+
+Run a lightweight LiteLLM instance **inside the same container** on an internal port.
+It intercepts requests from OpenCode, strips empty content blocks via the sanitization
+logic added in [LiteLLM PR #20384](https://github.com/BerriAI/litellm/pull/20384),
+and forwards clean messages to Databricks AI Gateway.
+
+### Architecture
+
+In the current setup, **OpenCode** talks directly to the **Databricks AI Gateway**.
+Because OpenCode sends malformed "empty text blocks," the Gateway rejects them
+immediately with a 400 error.
+
+By introducing **LiteLLM**, we change the traffic flow inside the container:
+
+```
+Users → port 8000 (Flask/xterm.js UI)
+              ↓ spawns PTY
+       OpenCode → localhost:4000 (LiteLLM) → Databricks AI Gateway → Claude/Gemini
+```
+
+1. **OpenCode** (the agent) sends the request to `http://localhost:4000` (the **LiteLLM Proxy**).
+2. **LiteLLM** intercepts the request *before* it leaves the container.
+3. **LiteLLM** applies the sanitization logic (stripping the `{"type": "text", "text": ""}` blocks).
+4. **LiteLLM** then forwards the "cleaned" request to the **Databricks AI Gateway**.
+5. **Databricks** receives a perfectly valid request and processes it.
+
+So, while the traffic eventually reaches Databricks, it is "washed" by LiteLLM locally
+first. This ensures that the Databricks Gateway never sees the malformed data that causes
+it to throw an error.
+
+- **Port 8000** — Flask/Gunicorn (exposed to users via Databricks Apps)
+- **Port 4000** — LiteLLM proxy (internal only, never exposed externally)
+- Databricks Apps only routes external traffic to port 8000
+
+When upstream OpenCode eventually fixes #5028, LiteLLM becomes a no-op (nothing to
+strip) — it degrades gracefully. At that point, remove `setup_litellm.py`, revert the
+baseURL in `setup_opencode.py`, and drop the dependency.
+
+### Implementation Plan
+
+#### 1. Add `litellm` to `requirements.txt`
+
+```
+litellm>=1.60
+```
+
+#### 2. Create `setup_litellm.py`
+
+New setup script that:
+- Writes a LiteLLM config YAML pointing to Databricks AI Gateway
+- Starts LiteLLM as a background process on `localhost:4000`
+- Waits for the health endpoint to confirm it's ready
+- Maps each Databricks model to the `databricks/` prefix so the sanitization path activates
+
+#### 3. Update `setup_opencode.py`
+
+Change OpenCode's `baseURL` from the Databricks Gateway URL to `http://localhost:4000`
+so all requests route through LiteLLM first. The model names and auth stay the same.
+
+#### 4. Add `litellm` setup step to `app.py`
+
+Add a new step in `run_setup()` that runs **before** the parallel agent setup
+(LiteLLM must be running before OpenCode starts using it):
+
+```python
+# Sequential: LiteLLM proxy must be running before agents that use it
+_run_step("litellm", ["python", "setup_litellm.py"])
+
+# Then parallel agent setup...
+```
+
+#### 5. Health check
+
+`setup_litellm.py` should poll `http://localhost:4000/health` before returning success,
+ensuring the proxy is ready before OpenCode sends its first request.
+
+### Trade-offs
+
+| Aspect | Impact |
+|--------|--------|
+| Added dependency | `litellm` package (~small footprint as proxy) |
+| Added latency | Negligible — localhost hop, no network |
+| Startup time | ~2-3s for LiteLLM to start (sequential, before agents) |
+| Maintenance | Zero — LiteLLM is a well-maintained OSS project |
+| Graceful degradation | When #5028 is fixed upstream, proxy strips nothing |
+| Governance preserved | AI Gateway, MLflow tracing, Unity Catalog all intact |
+
+### Testing
+
+1. Deploy to Databricks Apps
+2. Launch OpenCode with `databricks-claude-opus-4-6`
+3. Run 10+ iterations including `/compact` — verify no 400 errors
+4. Check MLflow traces — confirm requests still flow through AI Gateway
+5. Verify LiteLLM is NOT accessible from outside the container (port 4000 not exposed)
diff --git a/setup_opencode.py b/setup_opencode.py
index 5e46078..8ec404c 100644
--- a/setup_opencode.py
+++ b/setup_opencode.py
@@ -1,5 +1,11 @@
 #!/usr/bin/env python
-"""Configure OpenCode CLI with Databricks Model Serving as an OpenAI-compatible provider."""
+"""Configure OpenCode CLI with Databricks Model Serving (via content-filter proxy) local proxy.
+
+Routes requests through a local content-filter proxy proxy (localhost:4000) which sanitizes empty
+text content blocks before forwarding to Databricks AI Gateway. This fixes OpenCode
+issue #5028 where empty content blocks cause "Bad Request" errors.
+See docs/plans/2026-03-11-litellm-empty-content-blocks-design.md for details.
+"""
 import os
 import json
 import subprocess
@@ -7,6 +13,10 @@
 
 from utils import ensure_https
 
+# content-filter proxy local proxy — sanitizes empty content blocks before reaching Databricks
+# (see https://github.com/sst/opencode/issues/5028)
+CONTENT_FILTER_PROXY_URL = "http://127.0.0.1:4000"
+
 # Set HOME if not properly set
 if not os.environ.get("HOME") or os.environ["HOME"] == "/":
     os.environ["HOME"] = "/app/python/source_code"
@@ -54,6 +64,17 @@
         print(f"OpenCode CLI installed to {opencode_bin}")
     else:
         print(f"OpenCode install warning: {result.stderr}")
+
+    # Install @ai-sdk/openai for GPT models (Responses API support)
+    result = subprocess.run(
+        ["npm", "install", "-g", f"--prefix={npm_prefix}", "@ai-sdk/openai"],
+        capture_output=True, text=True,
+        env={**os.environ, "HOME": str(home)}
+    )
+    if result.returncode == 0:
+        print("@ai-sdk/openai installed (Responses API support)")
+    else:
+        print(f"@ai-sdk/openai install warning: {result.stderr}")
 else:
     print(f"OpenCode CLI already installed at {opencode_bin}")
 
@@ -64,18 +85,17 @@
 opencode_config_dir.mkdir(parents=True, exist_ok=True)
 
 if gateway_host:
-    # Gateway mode: separate providers for different API protocols
-    # SDK auto-appends /chat/completions and /responses to baseURL
-    # - Anthropic/Gemini models: baseURL={gateway}/mlflow/v1 → /mlflow/v1/chat/completions
-    # - OpenAI/GPT models: baseURL={gateway}/openai/v1 → /openai/v1/responses
+    # Gateway mode: route through content-filter proxy proxy for content block sanitization
+    # content-filter proxy forwards clean requests to Databricks AI Gateway
+    # OpenAI/GPT models go direct (not affected by the empty content block bug)
     opencode_config = {
         "$schema": "https://opencode.ai/config.json",
         "provider": {
             "databricks": {
                 "npm": "@ai-sdk/openai-compatible",
-                "name": "Databricks AI Gateway (MLflow)",
+                "name": "Databricks AI Gateway (via content-filter proxy)",
                 "options": {
-                    "baseURL": f"{gateway_host}/mlflow/v1",
+                    "baseURL": CONTENT_FILTER_PROXY_URL,
                     "apiKey": "{env:DATABRICKS_TOKEN}"
                 },
                 "models": {
@@ -117,11 +137,12 @@
                 }
             },
             "databricks-openai": {
-                "npm": "@ai-sdk/openai-compatible",
+                "npm": "@ai-sdk/openai",
                 "name": "Databricks AI Gateway (OpenAI)",
                 "options": {
                     "baseURL": f"{gateway_host}/openai/v1",
-                    "apiKey": "{env:DATABRICKS_TOKEN}"
+                    "apiKey": "{env:DATABRICKS_TOKEN}",
+                    "compatibility": "compatible"
                 },
                 "models": {
                     "databricks-gpt-5-2-codex": {
@@ -141,18 +162,32 @@
                 }
             }
         },
+        "mcp": {
+            "deepwiki": {
+                "type": "remote",
+                "url": "https://mcp.deepwiki.com/mcp",
+                "enabled": True,
+                "oauth": False
+            },
+            "exa": {
+                "type": "remote",
+                "url": "https://mcp.exa.ai/mcp",
+                "enabled": True
+            }
+        },
         "model": f"databricks/{anthropic_model}"
     }
 else:
-    # Fallback: current gateway using DATABRICKS_HOST /serving-endpoints (OpenAI-compatible)
+    # Fallback: route through content-filter proxy proxy for content block sanitization
+    # content-filter proxy forwards clean requests to Databricks serving endpoints
     opencode_config = {
         "$schema": "https://opencode.ai/config.json",
         "provider": {
             "databricks": {
                 "npm": "@ai-sdk/openai-compatible",
-                "name": "Databricks Model Serving",
+                "name": "Databricks Model Serving (via content-filter proxy)",
                 "options": {
-                    "baseURL": f"{host}/serving-endpoints",
+                    "baseURL": CONTENT_FILTER_PROXY_URL,
                     "apiKey": "{env:DATABRICKS_TOKEN}"
                 },
                 "models": {
@@ -194,6 +229,19 @@
                 }
             }
         },
+        "mcp": {
+            "deepwiki": {
+                "type": "remote",
+                "url": "https://mcp.deepwiki.com/mcp",
+                "enabled": True,
+                "oauth": False
+            },
+            "exa": {
+                "type": "remote",
+                "url": "https://mcp.exa.ai/mcp",
+                "enabled": True
+            }
+        },
         "model": f"databricks/{anthropic_model}"
     }
 
diff --git a/setup_proxy.py b/setup_proxy.py
new file mode 100644
index 0000000..ed03f8b
--- /dev/null
+++ b/setup_proxy.py
@@ -0,0 +1,137 @@
+#!/usr/bin/env python
+"""Start the content-filter proxy between OpenCode and Databricks.
+
+Fixes known OpenCode bugs by sanitizing requests and responses:
+  - Empty text content blocks (OpenCode #5028)
+  - Orphaned tool_result blocks with no matching tool_use
+  - Databricks 'databricks-tool-call' name mangling
+  - Incorrect finish_reason on tool call responses
+
+See docs/plans/2026-03-11-litellm-empty-content-blocks-design.md
+"""
+import os
+import signal
+import sys
+import time
+import subprocess
+from pathlib import Path
+from urllib.request import urlopen, Request
+from urllib.error import URLError
+
+from utils import ensure_https
+
+PROXY_PORT = 4000
+PROXY_HOST = "127.0.0.1"
+HEALTH_TIMEOUT = 15
+HEALTH_POLL_INTERVAL = 0.5
+
+# Set HOME if not properly set
+if not os.environ.get("HOME") or os.environ["HOME"] == "/":
+    os.environ["HOME"] = "/app/python/source_code"
+
+home = Path(os.environ["HOME"])
+
+# Kill any existing proxy on our port (more reliable than PID file)
+try:
+    result = subprocess.run(
+        ["fuser", "-k", f"{PROXY_PORT}/tcp"],
+        capture_output=True, text=True, timeout=5
+    )
+    if result.returncode == 0:
+        print(f"Killed previous process on port {PROXY_PORT}")
+        time.sleep(1)
+except (FileNotFoundError, subprocess.TimeoutExpired):
+    # fuser not available, try lsof
+    try:
+        result = subprocess.run(
+            ["lsof", "-ti", f":{PROXY_PORT}"],
+            capture_output=True, text=True, timeout=5
+        )
+        for pid in result.stdout.strip().split():
+            try:
+                os.kill(int(pid), signal.SIGKILL)
+                print(f"Killed previous proxy (PID: {pid})")
+            except (ValueError, ProcessLookupError):
+                pass
+        if result.stdout.strip():
+            time.sleep(1)
+    except (FileNotFoundError, subprocess.TimeoutExpired):
+        pass
+
+# Clean up stale PID file
+pid_path = home / ".content-filter-proxy.pid"
+pid_path.unlink(missing_ok=True)
+
+# Databricks configuration
+gateway_host = ensure_https(os.environ.get("DATABRICKS_GATEWAY_HOST", "").rstrip("/"))
+host = ensure_https(os.environ.get("DATABRICKS_HOST", "").rstrip("/"))
+token = os.environ.get("DATABRICKS_TOKEN", "")
+
+if not token:
+    print("Warning: DATABRICKS_TOKEN not set, skipping proxy setup")
+    sys.exit(0)
+
+# Determine the upstream base URL
+if gateway_host:
+    upstream_base = f"{gateway_host}/mlflow/v1"
+    print(f"Content-filter proxy will forward to AI Gateway: {gateway_host}")
+else:
+    upstream_base = f"{host}/serving-endpoints"
+    print(f"Content-filter proxy will forward to: {host}/serving-endpoints")
+
+# Start proxy as a background process
+proxy_script = os.path.join(os.path.dirname(os.path.abspath(__file__)), "content_filter_proxy.py")
+log_path = home / ".content-filter-proxy.log"
+print(f"Starting content-filter proxy on {PROXY_HOST}:{PROXY_PORT}...")
+
+env = os.environ.copy()
+env["PROXY_UPSTREAM_BASE"] = upstream_base
+env["PROXY_HOST"] = PROXY_HOST
+env["PROXY_PORT"] = str(PROXY_PORT)
+
+proc = subprocess.Popen(
+    [sys.executable, proxy_script],
+    stdout=open(log_path, "w"),
+    stderr=subprocess.STDOUT,
+    env=env,
+    start_new_session=True,
+)
+
+# Write PID file for cleanup
+pid_path = home / ".content-filter-proxy.pid"
+pid_path.write_text(str(proc.pid))
+print(f"Proxy started (PID: {proc.pid})")
+
+# Wait for health check
+health_url = f"http://{PROXY_HOST}:{PROXY_PORT}/health"
+start = time.time()
+ready = False
+
+while time.time() - start < HEALTH_TIMEOUT:
+    try:
+        resp = urlopen(Request(health_url), timeout=2)
+        if resp.status == 200:
+            ready = True
+            break
+    except (URLError, OSError):
+        pass
+
+    if proc.poll() is not None:
+        print(f"Error: Proxy exited with code {proc.returncode}")
+        try:
+            print(f"Logs: {log_path.read_text()[:1000]}")
+        except Exception:
+            pass
+        sys.exit(1)
+
+    time.sleep(HEALTH_POLL_INTERVAL)
+
+if ready:
+    elapsed = time.time() - start
+    print(f"Content-filter proxy ready on {PROXY_HOST}:{PROXY_PORT} ({elapsed:.1f}s)")
+else:
+    print(f"Warning: Proxy health check timed out after {HEALTH_TIMEOUT}s")
+    try:
+        print(f"Logs: {log_path.read_text()[:1000]}")
+    except Exception:
+        pass