feat(httpapi-listener): workspace-proxy WS forwarding

Bridge workspace-proxy WebSocket upgrades inside the Bun.serve listener so
the Hono path's WorkspaceRouterMiddleware → ServerProxy.websocket flow has
a native equivalent. The HttpApi handler still owns HTTP; the listener now
also resolves the workspace target inline (?workspace=… or session lookup),
upgrades the client connection, and bridges it to a remote WebSocket with
queueing, subprotocol forwarding, and close-code propagation.

This unblocks flipping Server.listen() over to the new listener but does
not flip it — the Hono path remains canonical. Bun-only; node:http + ws
adapter is a follow-up (TODO inline).

.github/workflows/publish.yml

@@ -209,6 +209,182 @@ jobs:
             packages/opencode/dist/opencode-windows-x64
             packages/opencode/dist/opencode-windows-x64-baseline
 
+  build-tauri:
+    needs:
+      - build-cli
+      - version
+    continue-on-error: false
+    env:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
+      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+    strategy:
+      fail-fast: false
+      matrix:
+        settings:
+          - host: macos-latest
+            target: x86_64-apple-darwin
+          - host: macos-latest
+            target: aarch64-apple-darwin
+          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
+          - host: windows-2025
+            target: aarch64-pc-windows-msvc
+          - host: blacksmith-4vcpu-windows-2025
+            target: x86_64-pc-windows-msvc
+          - host: blacksmith-4vcpu-ubuntu-2404
+            target: x86_64-unknown-linux-gnu
+          - host: blacksmith-8vcpu-ubuntu-2404-arm
+            target: aarch64-unknown-linux-gnu
+    runs-on: ${{ matrix.settings.host }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-tags: true
+
+      - uses: apple-actions/import-codesign-certs@v2
+        if: ${{ runner.os == 'macOS' }}
+        with:
+          keychain: build
+          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
+          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+
+      - name: Verify Certificate
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
+          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
+          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
+          echo "Certificate imported."
+
+      - name: Setup Apple API Key
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8
+
+      - uses: ./.github/actions/setup-bun
+
+      - name: Azure login
+        if: runner.os == 'Windows'
+        uses: azure/login@v2
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+
+      - name: Cache apt packages
+        if: contains(matrix.settings.host, 'ubuntu')
+        uses: actions/cache@v4
+        with:
+          path: ~/apt-cache
+          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ matrix.settings.target }}-apt-
+
+      - name: install dependencies (ubuntu only)
+        if: contains(matrix.settings.host, 'ubuntu')
+        run: |
+          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+          sudo chmod -R a+rw ~/apt-cache
+
+      - name: install Rust stable
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.settings.target }}
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: packages/desktop/src-tauri
+          shared-key: ${{ matrix.settings.target }}
+
+      - name: Prepare
+        run: |
+          cd packages/desktop
+          bun ./scripts/prepare.ts
+        env:
+          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
+          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
+          OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }}
+          RUST_TARGET: ${{ matrix.settings.target }}
+          GH_TOKEN: ${{ github.token }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+
+      - name: Resolve tauri portable SHA
+        if: contains(matrix.settings.host, 'ubuntu')
+        run: echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV"
+
+      # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
+      - name: Install tauri-cli from portable appimage branch
+        uses: taiki-e/cache-cargo-install-action@v3
+        if: contains(matrix.settings.host, 'ubuntu')
+        with:
+          tool: tauri-cli
+          git: https://github.com/tauri-apps/tauri
+          # branch: feat/truly-portable-appimage
+          rev: ${{ env.TAURI_PORTABLE_SHA }}
+
+      - name: Show tauri-cli version
+        if: contains(matrix.settings.host, 'ubuntu')
+        run: cargo tauri --version
+
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
+      - name: Build and upload artifacts
+        uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
+        timeout-minutes: 60
+        with:
+          projectPath: packages/desktop
+          uploadWorkflowArtifacts: true
+          tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
+          args: --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose
+          updaterJsonPreferNsis: true
+          releaseId: ${{ needs.version.outputs.release }}
+          tagName: ${{ needs.version.outputs.tag }}
+          releaseDraft: true
+          releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext]
+          repo: ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }}
+          releaseCommitish: ${{ github.sha }}
+        env:
+          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
+          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8
+
+      - name: Verify signed Windows desktop artifacts
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $files = @(
+            "${{ github.workspace }}\packages\desktop\src-tauri\sidecars\opencode-cli-${{ matrix.settings.target }}.exe"
+          )
+          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\src-tauri\target\${{ matrix.settings.target }}\release\bundle\nsis\*.exe" | Select-Object -ExpandProperty FullName
+
+          foreach ($file in $files) {
+            $sig = Get-AuthenticodeSignature $file
+            if ($sig.Status -ne "Valid") {
+              throw "Invalid signature for ${file}: $($sig.Status)"
+            }
+          }
+
   build-electron:
     needs:
       - build-cli
@@ -348,30 +524,6 @@ jobs:
         env:
           OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
 
-      - name: Create and upload macOS .app.tar.gz
-        if: runner.os == 'macOS' && needs.version.outputs.release
-        working-directory: packages/desktop-electron/dist
-        env:
-          GH_TOKEN: ${{ steps.committer.outputs.token }}
-        run: |
-          if [[ "${{ matrix.settings.target }}" == "x86_64-apple-darwin" ]]; then
-            APP_DIR="mac"
-            OUT_NAME="opencode-desktop-mac-x64.app.tar.gz"
-          elif [[ "${{ matrix.settings.target }}" == "aarch64-apple-darwin" ]]; then
-            APP_DIR="mac-arm64"
-            OUT_NAME="opencode-desktop-mac-arm64.app.tar.gz"
-          else
-            echo "Unknown macOS target: ${{ matrix.settings.target }}"
-            exit 1
-          fi
-          APP_PATH=$(find "$APP_DIR" -maxdepth 1 -name "*.app" -type d | head -1)
-          if [ -z "$APP_PATH" ]; then
-            echo "No .app bundle found in $APP_DIR"
-            exit 1
-          fi
-          tar -czf "$OUT_NAME" -C "$(dirname "$APP_PATH")" "$(basename "$APP_PATH")"
-          gh release upload "v${{ needs.version.outputs.version }}" "$OUT_NAME" --clobber --repo "${{ needs.version.outputs.repo }}"
-
       - name: Verify signed Windows Electron artifacts
         if: runner.os == 'Windows'
         shell: pwsh
@@ -390,7 +542,7 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: opencode-desktop-${{ matrix.settings.target }}
+          name: opencode-electron-${{ matrix.settings.target }}
           path: packages/desktop-electron/dist/*
 
       - uses: actions/upload-artifact@v4
@@ -404,6 +556,7 @@ jobs:
       - version
       - build-cli
       - sign-cli-windows
+      - build-tauri
       - build-electron
     if: always() && !failure() && !cancelled()
     runs-on: blacksmith-4vcpu-ubuntu-2404
@@ -430,6 +583,13 @@ jobs:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
 
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
       - uses: actions/download-artifact@v4
         with:
           name: opencode-cli
@@ -451,13 +611,6 @@ jobs:
           pattern: latest-yml-*
           path: /tmp/latest-yml
 
-      - name: Setup git committer
-        id: committer
-        uses: ./.github/actions/setup-git-committer
-        with:
-          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
-          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
-
       - name: Cache apt packages (AUR)
         uses: actions/cache@v4
         with:
@@ -486,5 +639,3 @@ jobs:
           GH_REPO: ${{ needs.version.outputs.repo }}
           NPM_CONFIG_PROVENANCE: false
           LATEST_YML_DIR: /tmp/latest-yml
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}

.opencode/command/changelog.md

@@ -18,12 +18,9 @@ Do not use `git log` or author metadata when deciding attribution.
 
 Rules:
 
-- Write the final file with release sections in this order:
+- Write the final file with sections in this order:
   `## Core`, `## TUI`, `## Desktop`, `## SDK`, `## Extensions`
 - Only include sections that have at least one notable entry
-- Within each release section, keep bug fixes grouped under `### Bugfixes`
-- Keep other notable entries under `### Improvements` when a section has bug fixes too
-- Omit empty subsections
 - Keep one bullet per commit you keep
 - Skip commits that are entirely internal, CI, tests, refactors, or otherwise not user-facing
 - Start each bullet with a capital letter

packages/core/src/filesystem.ts

@@ -24,7 +24,6 @@ export namespace AppFileSystem {
     readonly isDir: (path: string) => Effect.Effect<boolean>
     readonly isFile: (path: string) => Effect.Effect<boolean>
     readonly existsSafe: (path: string) => Effect.Effect<boolean>
-    readonly readFileStringSafe: (path: string) => Effect.Effect<string | undefined, Error>
     readonly readJson: (path: string) => Effect.Effect<unknown, Error>
     readonly writeJson: (path: string, data: unknown, mode?: number) => Effect.Effect<void, Error>
     readonly ensureDir: (path: string) => Effect.Effect<void, Error>
@@ -48,12 +47,6 @@ export namespace AppFileSystem {
         return yield* fs.exists(path).pipe(Effect.orElseSucceed(() => false))
       })
 
-      const readFileStringSafe = Effect.fn("FileSystem.readFileStringSafe")(function* (path: string) {
-        return yield* fs
-          .readFileString(path)
-          .pipe(Effect.catchReason("PlatformError", "NotFound", () => Effect.succeed(undefined)))
-      })
-
       const isDir = Effect.fn("FileSystem.isDir")(function* (path: string) {
         const info = yield* fs.stat(path).pipe(Effect.catch(() => Effect.void))
         return info?.type === "Directory"
@@ -170,7 +163,6 @@ export namespace AppFileSystem {
       return Service.of({
         ...fs,
         existsSafe,
-        readFileStringSafe,
         isDir,
         isFile,
         readDirectoryEntries,

packages/core/test/filesystem/filesystem.test.ts

@@ -65,34 +65,6 @@ describe("AppFileSystem", () => {
     )
   })
 
-  describe("readFileStringSafe", () => {
-    it(
-      "returns file contents when file exists",
-      Effect.gen(function* () {
-        const fs = yield* AppFileSystem.Service
-        const filesys = yield* FileSystem.FileSystem
-        const tmp = yield* filesys.makeTempDirectoryScoped()
-        const file = path.join(tmp, "exists.txt")
-        yield* filesys.writeFileString(file, "hello")
-
-        const result = yield* fs.readFileStringSafe(file)
-        expect(result).toBe("hello")
-      }),
-    )
-
-    it(
-      "returns undefined for missing file (NotFound)",
-      Effect.gen(function* () {
-        const fs = yield* AppFileSystem.Service
-        const filesys = yield* FileSystem.FileSystem
-        const tmp = yield* filesys.makeTempDirectoryScoped()
-
-        const result = yield* fs.readFileStringSafe(path.join(tmp, "does-not-exist.txt"))
-        expect(result).toBeUndefined()
-      }),
-    )
-  })
-
   describe("readJson / writeJson", () => {
     it(
       "round-trips JSON data",

packages/desktop-electron/electron-builder.config.ts

@@ -27,7 +27,7 @@ const channel = (() => {
 })()
 
 const getBase = (): Configuration => ({
-  artifactName: "opencode-desktop-${os}-${arch}.${ext}",
+  artifactName: "opencode-electron-${os}-${arch}.${ext}",
   directories: {
     output: "dist",
     buildResources: "resources",

packages/desktop/scripts/finalize-latest-json.ts

@@ -1,8 +1,7 @@
 #!/usr/bin/env bun
 
+import { Buffer } from "node:buffer"
 import { $ } from "bun"
-import path from "node:path"
-import { parseArgs } from "node:util"
 
 const { values } = parseArgs({
   args: Bun.argv.slice(2),
@@ -13,6 +12,8 @@ const { values } = parseArgs({
 
 const dryRun = values["dry-run"]
 
+import { parseArgs } from "node:util"
+
 const repo = process.env.GH_REPO
 if (!repo) throw new Error("GH_REPO is required")
 
@@ -22,22 +23,20 @@ if (!releaseId) throw new Error("OPENCODE_RELEASE is required")
 const version = process.env.OPENCODE_VERSION
 if (!version) throw new Error("OPENCODE_VERSION is required")
 
-const dir = process.env.LATEST_YML_DIR
-if (!dir) throw new Error("LATEST_YML_DIR is required")
-const root = dir
-
 const token = process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN
 if (!token) throw new Error("GH_TOKEN or GITHUB_TOKEN is required")
 
-const rel = await fetch(`https://api.github.com/repos/${repo}/releases/${releaseId}`, {
-  headers: {
-    Authorization: `token ${token}`,
-    Accept: "application/vnd.github+json",
-  },
+const apiHeaders = {
+  Authorization: `token ${token}`,
+  Accept: "application/vnd.github+json",
+}
+
+const releaseRes = await fetch(`https://api.github.com/repos/${repo}/releases/${releaseId}`, {
+  headers: apiHeaders,
 })
 
-if (!rel.ok) {
-  throw new Error(`Failed to fetch release: ${rel.status} ${rel.statusText}`)
+if (!releaseRes.ok) {
+  throw new Error(`Failed to fetch release: ${releaseRes.status} ${releaseRes.statusText}`)
 }
 
 type Asset = {
@@ -46,169 +45,115 @@ type Asset = {
 }
 
 type Release = {
+  tag_name?: string
   assets?: Asset[]
 }
 
-const assets = ((await rel.json()) as Release).assets ?? []
-const amap = new Map(assets.map((item) => [item.name, item]))
+const release = (await releaseRes.json()) as Release
+const assets = release.assets ?? []
+const assetByName = new Map(assets.map((asset) => [asset.name, asset]))
 
-type Item = {
-  url: string
+const latestAsset = assetByName.get("latest.json")
+if (!latestAsset) {
+  console.log("latest.json not found, skipping tauri finalization")
+  process.exit(0)
 }
 
-type Yml = {
-  version: string
-  files: Item[]
+const latestRes = await fetch(latestAsset.url, {
+  headers: {
+    Authorization: `token ${token}`,
+    Accept: "application/octet-stream",
+  },
+})
+
+if (!latestRes.ok) {
+  throw new Error(`Failed to fetch latest.json: ${latestRes.status} ${latestRes.statusText}`)
 }
 
-function parse(text: string): Yml {
-  const lines = text.split("\n")
-  let version = ""
-  const files: Item[] = []
-  let url = ""
+const latestText = new TextDecoder().decode(await latestRes.arrayBuffer())
+const latest = JSON.parse(latestText)
+const base = { ...latest }
+delete base.platforms
 
-  const flush = () => {
-    if (!url) return
-    files.push({ url })
-    url = ""
-  }
-
-  for (const line of lines) {
-    const trim = line.trim()
-    if (line.startsWith("version:")) {
-      version = line.slice("version:".length).trim()
-      continue
-    }
-    if (trim.startsWith("- url:")) {
-      flush()
-      url = trim.slice("- url:".length).trim()
-      continue
-    }
-    const indented = line.startsWith("  ") || line.startsWith("\t")
-    if (!indented) flush()
-  }
-  flush()
-
-  return { version, files }
-}
-
-async function read(sub: string, file: string) {
-  const item = Bun.file(path.join(root, sub, file))
-  if (!(await item.exists())) return undefined
-  return parse(await item.text())
-}
-
-function pick(list: Item[], exts: string[]) {
-  for (const ext of exts) {
-    const found = list.find((item) => item.url.split("?")[0]?.toLowerCase().endsWith(ext))
-    if (found) return found.url
-  }
-}
-
-function link(raw: string) {
-  if (raw.startsWith("https://") || raw.startsWith("http://")) return raw
-  return `https://github.com/${repo}/releases/download/v${version}/${raw}`
-}
-
-async function sign(url: string, key: string) {
-  const name = decodeURIComponent(new URL(url).pathname.split("/").pop() ?? key)
-  const asset = amap.get(name)
-  const res = await fetch(asset?.url ?? url, {
+const fetchSignature = async (asset: Asset) => {
+  const res = await fetch(asset.url, {
     headers: {
       Authorization: `token ${token}`,
-      ...(asset ? { Accept: "application/octet-stream" } : {}),
+      Accept: "application/octet-stream",
     },
   })
+
   if (!res.ok) {
-    throw new Error(`Failed to fetch file ${name}: ${res.status} ${res.statusText} (${asset?.url ?? url})`)
+    throw new Error(`Failed to fetch signature: ${res.status} ${res.statusText}`)
   }
 
-  const tmp = process.env.RUNNER_TEMP ?? "/tmp"
-  const file = path.join(tmp, name)
-  await Bun.write(file, await res.arrayBuffer())
-  await $`bunx @tauri-apps/cli signer sign ${file}`
-  const sigFile = Bun.file(`${file}.sig`)
-  if (!(await sigFile.exists())) throw new Error(`Signature file not found for ${name}`)
-  return (await sigFile.text()).trim()
+  return Buffer.from(await res.arrayBuffer()).toString()
 }
 
-const add = async (data: Record<string, { url: string; signature: string }>, key: string, raw: string | undefined) => {
-  if (!raw) return
-  if (data[key]) return
-  const url = link(raw)
-  data[key] = { url, signature: await sign(url, key) }
+const entries: Record<string, { url: string; signature: string }> = {}
+const add = (key: string, asset: Asset, signature: string) => {
+  if (entries[key]) return
+  entries[key] = {
+    url: `https://github.com/${repo}/releases/download/v${version}/${asset.name}`,
+    signature,
+  }
 }
 
-const alias = (data: Record<string, { url: string; signature: string }>, key: string, src: string) => {
-  if (data[key]) return
-  if (!data[src]) return
-  data[key] = data[src]
+const targets = [
+  { key: "linux-x86_64-deb", asset: "opencode-desktop-linux-amd64.deb" },
+  { key: "linux-x86_64-rpm", asset: "opencode-desktop-linux-x86_64.rpm" },
+  { key: "linux-aarch64-deb", asset: "opencode-desktop-linux-arm64.deb" },
+  { key: "linux-aarch64-rpm", asset: "opencode-desktop-linux-aarch64.rpm" },
+  { key: "windows-aarch64-nsis", asset: "opencode-desktop-windows-arm64.exe" },
+  { key: "windows-x86_64-nsis", asset: "opencode-desktop-windows-x64.exe" },
+  { key: "darwin-x86_64-app", asset: "opencode-desktop-darwin-x64.app.tar.gz" },
+  {
+    key: "darwin-aarch64-app",
+    asset: "opencode-desktop-darwin-aarch64.app.tar.gz",
+  },
+]
+
+for (const target of targets) {
+  const asset = assetByName.get(target.asset)
+  if (!asset) continue
+
+  const sig = assetByName.get(`${target.asset}.sig`)
+  if (!sig) continue
+
+  const signature = await fetchSignature(sig)
+  add(target.key, asset, signature)
 }
 
-const winx = await read("latest-yml-x86_64-pc-windows-msvc", "latest.yml")
-const wina = await read("latest-yml-aarch64-pc-windows-msvc", "latest.yml")
-const macx = await read("latest-yml-x86_64-apple-darwin", "latest-mac.yml")
-const maca = await read("latest-yml-aarch64-apple-darwin", "latest-mac.yml")
-const linx = await read("latest-yml-x86_64-unknown-linux-gnu", "latest-linux.yml")
-const lina = await read("latest-yml-aarch64-unknown-linux-gnu", "latest-linux-arm64.yml")
+const alias = (key: string, source: string) => {
+  if (entries[key]) return
+  const entry = entries[source]
+  if (!entry) return
+  entries[key] = entry
+}
 
-const yver = winx?.version ?? wina?.version ?? macx?.version ?? maca?.version ?? linx?.version ?? lina?.version
-if (yver && yver !== version) throw new Error(`latest.yml version mismatch: expected ${version}, got ${yver}`)
-
-const out: Record<string, { url: string; signature: string }> = {}
-
-const winxexe = pick(winx?.files ?? [], [".exe"])
-const winaexe = pick(wina?.files ?? [], [".exe"])
-
-const macxTarGz = "opencode-desktop-mac-x64.app.tar.gz"
-const macaTarGz = "opencode-desktop-mac-arm64.app.tar.gz"
-
-const linxDeb = pick(linx?.files ?? [], [".deb"])
-const linxRpm = pick(linx?.files ?? [], [".rpm"])
-const linxAppImage = pick(linx?.files ?? [], [".appimage"])
-const linaDeb = pick(lina?.files ?? [], [".deb"])
-const linaRpm = pick(lina?.files ?? [], [".rpm"])
-const linaAppImage = pick(lina?.files ?? [], [".appimage"])
-
-await add(out, "windows-x86_64-nsis", winxexe)
-await add(out, "windows-aarch64-nsis", winaexe)
-await add(out, "darwin-x86_64-app", macxTarGz)
-await add(out, "darwin-aarch64-app", macaTarGz)
-
-await add(out, "linux-x86_64-deb", linxDeb)
-await add(out, "linux-x86_64-rpm", linxRpm)
-await add(out, "linux-x86_64-appimage", linxAppImage)
-await add(out, "linux-aarch64-deb", linaDeb)
-await add(out, "linux-aarch64-rpm", linaRpm)
-await add(out, "linux-aarch64-appimage", linaAppImage)
-
-alias(out, "windows-x86_64", "windows-x86_64-nsis")
-alias(out, "windows-aarch64", "windows-aarch64-nsis")
-alias(out, "darwin-x86_64", "darwin-x86_64-app")
-alias(out, "darwin-aarch64", "darwin-aarch64-app")
-alias(out, "linux-x86_64", "linux-x86_64-deb")
-alias(out, "linux-aarch64", "linux-aarch64-deb")
+alias("linux-x86_64", "linux-x86_64-deb")
+alias("linux-aarch64", "linux-aarch64-deb")
+alias("windows-aarch64", "windows-aarch64-nsis")
+alias("windows-x86_64", "windows-x86_64-nsis")
+alias("darwin-x86_64", "darwin-x86_64-app")
+alias("darwin-aarch64", "darwin-aarch64-app")
 
 const platforms = Object.fromEntries(
-  Object.keys(out)
+  Object.keys(entries)
     .sort()
-    .map((key) => [key, out[key]]),
+    .map((key) => [key, entries[key]]),
 )
-
-if (!Object.keys(platforms).length) throw new Error("No updater files found in latest.yml artifacts")
-
-const data = {
-  version,
-  notes: "",
-  pub_date: new Date().toISOString(),
+const output = {
+  ...base,
   platforms,
 }
 
-const tmp = process.env.RUNNER_TEMP ?? "/tmp"
-const file = path.join(tmp, "latest.json")
-await Bun.write(file, JSON.stringify(data, null, 2))
+const dir = process.env.RUNNER_TEMP ?? "/tmp"
+const file = `${dir}/latest.json`
+await Bun.write(file, JSON.stringify(output, null, 2))
 
-const tag = `v${version}`
+const tag = release.tag_name
+if (!tag) throw new Error("Release tag not found")
 
 if (dryRun) {
   console.log(`dry-run: wrote latest.json for ${tag} to ${file}`)

packages/opencode/src/agent/agent.ts

@@ -97,7 +97,6 @@ export const layer = Layer.effect(
           question: "deny",
           plan_enter: "deny",
           plan_exit: "deny",
-          edit: "ask",
           // mirrors github.com/github/gitignore Node.gitignore pattern for .env files
           read: {
             "*": "allow",

packages/opencode/src/cli/cmd/acp.ts

@@ -4,9 +4,9 @@ import { effectCmd } from "../effect-cmd"
 import { AgentSideConnection, ndJsonStream } from "@agentclientprotocol/sdk"
 import { ACP } from "@/acp/agent"
 import { Server } from "@/server/server"
-import { ServerAuth } from "@/server/auth"
 import { createOpencodeClient } from "@opencode-ai/sdk/v2"
 import { withNetworkOptions, resolveNetworkOptions } from "../network"
+import { Flag } from "@opencode-ai/core/flag/flag"
 
 const log = Log.create({ service: "acp-command" })
 
@@ -27,7 +27,13 @@ export const AcpCommand = effectCmd({
 
     const sdk = createOpencodeClient({
       baseUrl: `http://${server.hostname}:${server.port}`,
-      headers: ServerAuth.headers(),
+      headers: Flag.OPENCODE_SERVER_PASSWORD
+        ? {
+            Authorization: `Basic ${Buffer.from(
+              `${Flag.OPENCODE_SERVER_USERNAME ?? "opencode"}:${Flag.OPENCODE_SERVER_PASSWORD}`,
+            ).toString("base64")}`,
+          }
+        : undefined,
     })
 
     const input = new WritableStream<Uint8Array>({

packages/opencode/src/cli/cmd/run.ts

@@ -5,7 +5,6 @@ import { Effect } from "effect"
 import { UI } from "../ui"
 import { effectCmd } from "../effect-cmd"
 import { Flag } from "@opencode-ai/core/flag/flag"
-import { ServerAuth } from "@/server/auth"
 import { EOL } from "os"
 import { Filesystem } from "@/util/filesystem"
 import { createOpencodeClient, type OpencodeClient, type ToolPart } from "@opencode-ai/sdk/v2"
@@ -657,7 +656,13 @@ export const RunCommand = effectCmd({
       }
 
       if (args.attach) {
-        const headers = ServerAuth.headers({ password: args.password })
+        const headers = (() => {
+          const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
+          if (!password) return undefined
+          const username = process.env.OPENCODE_SERVER_USERNAME ?? "opencode"
+          const auth = `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
+          return { Authorization: auth }
+        })()
         const sdk = createOpencodeClient({ baseUrl: args.attach, directory, headers })
         return await execute(sdk)
       }

packages/opencode/src/cli/cmd/tui/app.tsx

@@ -779,15 +779,6 @@ function App(props: { onSnapshot?: () => Promise<string[]> }) {
         dialog.clear()
       },
     },
-    {
-      title: kv.get("clear_prompt_save_history", false) ? "Don't include cleared prompts in history" : "Include cleared prompts in history",
-      value: "app.toggle.clear_prompt_history",
-      category: "System",
-      onSelect: (dialog) => {
-        kv.set("clear_prompt_save_history", !kv.get("clear_prompt_save_history", false))
-        dialog.clear()
-      },
-    },
   ])
 
   event.on(TuiEvent.CommandExecute.type, (evt) => {

packages/opencode/src/cli/cmd/tui/attach.ts

@@ -5,7 +5,6 @@ import { win32DisableProcessedInput, win32InstallCtrlCGuard } from "./win32"
 import { TuiConfig } from "@/cli/cmd/tui/config/tui"
 import { errorMessage } from "@/util/error"
 import { validateSession } from "./validate-session"
-import { ServerAuth } from "@/server/auth"
 
 export const AttachCommand = cmd({
   command: "attach <url>",
@@ -39,11 +38,6 @@ export const AttachCommand = cmd({
         alias: ["p"],
         type: "string",
         describe: "basic auth password (defaults to OPENCODE_SERVER_PASSWORD)",
-      })
-      .option("username", {
-        alias: ["u"],
-        type: "string",
-        describe: "basic auth username (defaults to OPENCODE_SERVER_USERNAME or 'opencode')",
       }),
   handler: async (args) => {
     const unguard = win32InstallCtrlCGuard()
@@ -66,7 +60,12 @@ export const AttachCommand = cmd({
           return args.dir
         }
       })()
-      const headers = ServerAuth.headers({ password: args.password, username: args.username })
+      const headers = (() => {
+        const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
+        if (!password) return undefined
+        const auth = `Basic ${Buffer.from(`opencode:${password}`).toString("base64")}`
+        return { Authorization: auth }
+      })()
       const config = await TuiConfig.get()
 
       try {

packages/opencode/src/cli/cmd/tui/component/prompt/history.tsx

@@ -82,7 +82,6 @@ export const { use: usePromptHistory, provider: PromptHistoryProvider } = create
         return store.history.at(store.index)
       },
       append(item: PromptInfo) {
-        if (store.history.at(-1)?.input === item.input) return
         const entry = structuredClone(unwrap(item))
         let trimmed = false
         setStore(

packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx

@@ -173,7 +173,6 @@ export function Prompt(props: PromptProps) {
   const [editorContextHover, setEditorContextHover] = createSignal(false)
   let lastSubmittedEditorSelectionKey: string | undefined
   const [auto, setAuto] = createSignal<AutocompleteRef>()
-  const [autoaccept, setAutoaccept] = kv.signal<"none" | "edit">("permission_auto_accept", "edit")
   const currentProviderLabel = createMemo(() => local.model.parsed().provider)
   const hasRightContent = createMemo(() => Boolean(props.right))
 
@@ -297,17 +296,6 @@ export function Prompt(props: PromptProps) {
 
   command.register(() => {
     return [
-      {
-        title: autoaccept() === "none" ? "Enable autoedit" : "Disable autoedit",
-        value: "permission.auto_accept.toggle",
-        search: "toggle permissions",
-        keybind: "permission_auto_accept_toggle",
-        category: "Agent",
-        onSelect: (dialog) => {
-          setAutoaccept(() => (autoaccept() === "none" ? "edit" : "none"))
-          dialog.clear()
-        },
-      },
       {
         title: "Clear prompt",
         value: "prompt.clear",
@@ -1136,12 +1124,6 @@ export function Prompt(props: PromptProps) {
                   // If no image, let the default paste behavior continue
                 }
                 if (keybind.match("input_clear", e) && store.prompt.input !== "") {
-                  if (kv.get("clear_prompt_save_history", false)) {
-                    history.append({
-                      ...store.prompt,
-                      mode: store.mode,
-                    })
-                  }
                   input.clear()
                   input.extmarks.clear()
                   setStore("prompt", {
@@ -1336,11 +1318,6 @@ export function Prompt(props: PromptProps) {
               </box>
               <Show when={hasRightContent()}>
                 <box flexDirection="row" gap={1} alignItems="center">
-                  <Show when={autoaccept() === "edit"}>
-                    <text>
-                      <span style={{ fg: theme.warning }}>autoedit</span>
-                    </text>
-                  </Show>
                   {props.right}
                 </box>
               </Show>

packages/opencode/src/cli/cmd/tui/config/tui.ts

@@ -68,73 +68,29 @@ function normalize(raw: Record<string, unknown>) {
   }
 }
 
+async function resolvePlugins(config: Info, configFilepath: string) {
+  if (!config.plugin) return config
+  for (let i = 0; i < config.plugin.length; i++) {
+    config.plugin[i] = await ConfigPlugin.resolvePluginSpec(config.plugin[i], configFilepath)
+  }
+  return config
+}
+
+async function mergeFile(acc: Acc, file: string, ctx: { directory: string }) {
+  const data = await loadFile(file)
+  acc.result = mergeDeep(acc.result, data)
+  if (!data.plugin?.length) return
+
+  const scope = pluginScope(file, ctx)
+  const plugins = ConfigPlugin.deduplicatePluginOrigins([
+    ...(acc.result.plugin_origins ?? []),
+    ...data.plugin.map((spec) => ({ spec, scope, source: file })),
+  ])
+  acc.result.plugin = plugins.map((item) => item.spec)
+  acc.result.plugin_origins = plugins
+}
+
 const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory: string }) {
-  const afs = yield* AppFileSystem.Service
-
-  const resolvePlugins = (config: Info, configFilepath: string): Effect.Effect<Info> =>
-    Effect.gen(function* () {
-      const plugins = config.plugin
-      if (!plugins) return config
-      for (let i = 0; i < plugins.length; i++) {
-        plugins[i] = yield* Effect.promise(() => ConfigPlugin.resolvePluginSpec(plugins[i], configFilepath))
-      }
-      return config
-    })
-
-  const load = (text: string, configFilepath: string): Effect.Effect<Info> =>
-    Effect.gen(function* () {
-      const expanded = yield* Effect.promise(() =>
-        ConfigVariable.substitute({ text, type: "path", path: configFilepath, missing: "empty" }),
-      )
-      const data = ConfigParse.jsonc(expanded, configFilepath)
-      if (!isRecord(data)) return {} as Info
-      // Flatten a nested "tui" key so users who wrote `{ "tui": { ... } }` inside tui.json
-      // (mirroring the old opencode.json shape) still get their settings applied.
-      const validated = ConfigParse.schema(Info, normalize(data), configFilepath)
-      return yield* resolvePlugins(validated, configFilepath)
-    }).pipe(
-      // catchCause (not tapErrorCause + orElseSucceed) because ConfigParse.jsonc/.schema
-      // can sync-throw — those become defects, which orElseSucceed wouldn't catch.
-      Effect.catchCause((cause) =>
-        Effect.sync(() => {
-          log.warn("invalid tui config", { path: configFilepath, cause })
-          return {} as Info
-        }),
-      ),
-    )
-
-  const loadFile = (filepath: string): Effect.Effect<Info> =>
-    Effect.gen(function* () {
-      // Silent-swallow non-NotFound read errors (perms, EISDIR, IO) → log + skip.
-      // Matches how parse/schema/plugin failures in load() are handled — every
-      // broken-config path degrades gracefully rather than crashing TUI startup.
-      const text = yield* afs.readFileStringSafe(filepath).pipe(
-        Effect.catchCause((cause) =>
-          Effect.sync(() => {
-            log.warn("failed to read tui config", { path: filepath, cause })
-            return undefined
-          }),
-        ),
-      )
-      if (!text) return {} as Info
-      return yield* load(text, filepath)
-    })
-
-  const mergeFile = (acc: Acc, file: string) =>
-    Effect.gen(function* () {
-      const data = yield* loadFile(file)
-      acc.result = mergeDeep(acc.result, data)
-      if (!data.plugin?.length) return
-
-      const scope = pluginScope(file, ctx)
-      const plugins = ConfigPlugin.deduplicatePluginOrigins([
-        ...(acc.result.plugin_origins ?? []),
-        ...data.plugin.map((spec) => ({ spec, scope, source: file })),
-      ])
-      acc.result.plugin = plugins.map((item) => item.spec)
-      acc.result.plugin_origins = plugins
-    })
-
   // Every config dir we may read from: global config dir, any `.opencode`
   // folders between cwd and home, and OPENCODE_CONFIG_DIR.
   const directories = yield* ConfigPaths.directories(ctx.directory)
@@ -148,19 +104,19 @@ const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory:
 
   // 1. Global tui config (lowest precedence).
   for (const file of ConfigPaths.fileInDirectory(Global.Path.config, "tui")) {
-    yield* mergeFile(acc, file)
+    yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
   }
 
   // 2. Explicit OPENCODE_TUI_CONFIG override, if set.
   if (Flag.OPENCODE_TUI_CONFIG) {
     const configFile = Flag.OPENCODE_TUI_CONFIG
-    yield* mergeFile(acc, configFile)
+    yield* Effect.promise(() => mergeFile(acc, configFile, ctx)).pipe(Effect.orDie)
     log.debug("loaded custom tui config", { path: configFile })
   }
 
   // 3. Project tui files, applied root-first so the closest file wins.
   for (const file of projectFiles) {
-    yield* mergeFile(acc, file)
+    yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
   }
 
   // 4. `.opencode` directories (and OPENCODE_CONFIG_DIR) discovered while
@@ -171,7 +127,7 @@ const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory:
   for (const dir of dirs) {
     if (!dir.endsWith(".opencode") && dir !== Flag.OPENCODE_CONFIG_DIR) continue
     for (const file of ConfigPaths.fileInDirectory(dir, "tui")) {
-      yield* mergeFile(acc, file)
+      yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
     }
   }
 
@@ -237,3 +193,28 @@ export async function get() {
   return runPromise((svc) => svc.get())
 }
 
+async function loadFile(filepath: string): Promise<Info> {
+  const text = await ConfigPaths.readFile(filepath)
+  if (!text) return {}
+  return load(text, filepath).catch((error) => {
+    log.warn("failed to load tui config", { path: filepath, error })
+    return {}
+  })
+}
+
+async function load(text: string, configFilepath: string): Promise<Info> {
+  return ConfigVariable.substitute({ text, type: "path", path: configFilepath, missing: "empty" })
+    .then((expanded) => ConfigParse.jsonc(expanded, configFilepath))
+    .then((data) => {
+      if (!isRecord(data)) return {}
+
+      // Flatten a nested "tui" key so users who wrote `{ "tui": { ... } }` inside tui.json
+      // (mirroring the old opencode.json shape) still get their settings applied.
+      return ConfigParse.schema(Info, normalize(data), configFilepath)
+    })
+    .then((data) => resolvePlugins(data, configFilepath))
+    .catch((error) => {
+      log.warn("invalid tui config", { path: configFilepath, error })
+      return {}
+    })
+}

packages/opencode/src/cli/cmd/tui/context/sync.tsx

@@ -110,7 +110,6 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
     const project = useProject()
     const sdk = useSDK()
     const kv = useKV()
-    const [autoaccept] = kv.signal<"none" | "edit">("permission_auto_accept", "edit")
 
     const fullSyncedSessions = new Set<string>()
     let syncedWorkspace = project.workspace.current()
@@ -153,13 +152,6 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
 
         case "permission.asked": {
           const request = event.properties
-          if (autoaccept() === "edit" && request.permission === "edit") {
-            sdk.client.permission.reply({
-              reply: "once",
-              requestID: request.id,
-            })
-            break
-          }
           const requests = store.permission[request.sessionID]
           if (!requests) {
             setStore("permission", request.sessionID, [request])

packages/opencode/src/cli/cmd/tui/thread.ts

@@ -8,7 +8,6 @@ import { UI } from "@/cli/ui"
 import * as Log from "@opencode-ai/core/util/log"
 import { errorMessage } from "@/util/error"
 import { withTimeout } from "@/util/timeout"
-import { WithInstance } from "@/project/with-instance"
 import { withNetworkOptions, resolveNetworkOptionsNoConfig } from "@/cli/network"
 import { Filesystem } from "@/util/filesystem"
 import type { GlobalEvent } from "@opencode-ai/sdk/v2"
@@ -191,11 +190,7 @@ export const TuiThreadCommand = cmd({
       const prompt = await input(args.prompt)
       const config = await TuiConfig.get()
 
-      const network = await WithInstance.provide({
-        directory: cwd,
-        fn: () => resolveNetworkOptionsNoConfig(args),
-      })
-
+      const network = resolveNetworkOptionsNoConfig(args)
       const external =
         process.argv.includes("--port") ||
         process.argv.includes("--hostname") ||

packages/opencode/src/cli/cmd/tui/ui/dialog-select.tsx

@@ -37,7 +37,6 @@ export interface DialogSelectOption<T = any> {
   title: string
   value: T
   description?: string
-  search?: string
   footer?: JSX.Element | string
   category?: string
   categoryView?: JSX.Element
@@ -94,8 +93,8 @@ export function DialogSelect<T>(props: DialogSelectProps<T>) {
     // users typically search by the item name, and not its category.
     const result = fuzzysort
       .go(needle, options, {
-        keys: ["title", "category", "search"],
-        scoreFn: (r) => r[0].score * 2 + r[1].score + r[2].score,
+        keys: ["title", "category"],
+        scoreFn: (r) => r[0].score * 2 + r[1].score,
       })
       .map((x) => x.obj)
 

packages/opencode/src/cli/cmd/tui/worker.ts

@@ -7,7 +7,7 @@ import { Rpc } from "@/util/rpc"
 import { upgrade } from "@/cli/upgrade"
 import { Config } from "@/config/config"
 import { GlobalBus } from "@/bus/global"
-import { ServerAuth } from "@/server/auth"
+import { Flag } from "@opencode-ai/core/flag/flag"
 import { writeHeapSnapshot } from "node:v8"
 import { Heap } from "@/cli/heap"
 import { AppRuntime } from "@/effect/app-runtime"
@@ -50,7 +50,7 @@ let server: Awaited<ReturnType<typeof Server.listen>> | undefined
 export const rpc = {
   async fetch(input: { url: string; method: string; headers: Record<string, string>; body?: string }) {
     const headers = { ...input.headers }
-    const auth = ServerAuth.header()
+    const auth = getAuthorizationHeader()
     if (auth && !headers["authorization"] && !headers["Authorization"]) {
       headers["Authorization"] = auth
     }
@@ -102,3 +102,10 @@ export const rpc = {
 }
 
 Rpc.listen(rpc)
+
+function getAuthorizationHeader(): string | undefined {
+  const password = Flag.OPENCODE_SERVER_PASSWORD
+  if (!password) return undefined
+  const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
+  return `Basic ${btoa(`${username}:${password}`)}`
+}

packages/opencode/src/config/config.ts

@@ -355,7 +355,15 @@ export const layer = Layer.effect(
     const env = yield* Env.Service
     const npmSvc = yield* Npm.Service
 
-    const readConfigFile = (filepath: string) => fs.readFileStringSafe(filepath).pipe(Effect.orDie)
+    const readConfigFile = Effect.fnUntraced(function* (filepath: string) {
+      return yield* fs.readFileString(filepath).pipe(
+        Effect.catchIf(
+          (e) => e.reason._tag === "NotFound",
+          () => Effect.succeed(undefined),
+        ),
+        Effect.orDie,
+      )
+    })
 
     const loadConfig = Effect.fnUntraced(function* (
       text: string,

packages/opencode/src/config/paths.ts

@@ -1,9 +1,11 @@
 export * as ConfigPaths from "./paths"
 
 import path from "path"
+import { Filesystem } from "@/util/filesystem"
 import { Flag } from "@opencode-ai/core/flag/flag"
 import { Global } from "@opencode-ai/core/global"
 import { unique } from "remeda"
+import { JsonError } from "./error"
 import * as Effect from "effect/Effect"
 import { AppFileSystem } from "@opencode-ai/core/filesystem"
 
@@ -43,3 +45,11 @@ export const directories = Effect.fn("ConfigPaths.directories")(function* (direc
 export function fileInDirectory(dir: string, name: string) {
   return [path.join(dir, `${name}.json`), path.join(dir, `${name}.jsonc`)]
 }
+
+/** Read a config file, returning undefined for missing files and throwing JsonError for other failures. */
+export async function readFile(filepath: string) {
+  return Filesystem.readText(filepath).catch((err: NodeJS.ErrnoException) => {
+    if (err.code === "ENOENT") return
+    throw new JsonError({ path: filepath }, { cause: err })
+  })
+}

packages/opencode/src/effect/app-runtime.ts

@@ -47,37 +47,19 @@ import { Workspace } from "@/control-plane/workspace"
 import { Worktree } from "@/worktree"
 import { Pty } from "@/pty"
 import { Installation } from "@/installation"
-import * as Effect from "effect/Effect"
 import { ShareNext } from "@/share/share-next"
 import { SessionShare } from "@/share/session"
 import { SyncEvent } from "@/sync"
 import { Npm } from "@opencode-ai/core/npm"
 import { memoMap } from "@opencode-ai/core/effect/memo-map"
 
-// Adjusts the default Config layer to ensure that plugins are always initialised before
-// any other layers read the current config
-const ConfigWithPluginPriority = Layer.effect(
-  Config.Service,
-  Effect.gen(function* () {
-    const config = yield* Config.Service
-    const plugin = yield* Plugin.Service
-
-    return {
-      ...config,
-      get: () => Effect.andThen(plugin.init(), config.get),
-      getGlobal: () => Effect.andThen(plugin.init(), config.getGlobal),
-      getConsoleState: () => Effect.andThen(plugin.init(), config.getConsoleState),
-    }
-  }),
-).pipe(Layer.provide(Layer.merge(Plugin.defaultLayer, Config.defaultLayer)))
-
 export const AppLayer = Layer.mergeAll(
   Npm.defaultLayer,
   AppFileSystem.defaultLayer,
   Bus.defaultLayer,
   Auth.defaultLayer,
   Account.defaultLayer,
-  ConfigWithPluginPriority,
+  Config.defaultLayer,
   Git.defaultLayer,
   Ripgrep.defaultLayer,
   File.defaultLayer,

packages/opencode/src/plugin/index.ts

@@ -10,7 +10,6 @@ import { Bus } from "../bus"
 import * as Log from "@opencode-ai/core/util/log"
 import { createOpencodeClient } from "@opencode-ai/sdk"
 import { Flag } from "@opencode-ai/core/flag/flag"
-import { ServerAuth } from "@/server/auth"
 import { CodexAuthPlugin } from "./codex"
 import { Session } from "@/session/session"
 import { NamedError } from "@opencode-ai/core/util/error"
@@ -125,7 +124,11 @@ export const layer = Layer.effect(
         const client = createOpencodeClient({
           baseUrl: "http://localhost:4096",
           directory: ctx.directory,
-          headers: ServerAuth.headers(),
+          headers: Flag.OPENCODE_SERVER_PASSWORD
+            ? {
+                Authorization: `Basic ${Buffer.from(`${Flag.OPENCODE_SERVER_USERNAME ?? "opencode"}:${Flag.OPENCODE_SERVER_PASSWORD}`).toString("base64")}`,
+              }
+            : undefined,
           fetch: async (...args) => Server.Default().app.fetch(...args),
         })
         const cfg = yield* config.get()

packages/opencode/src/project/bootstrap.ts

@@ -1,3 +1,4 @@
+import { Plugin } from "../plugin"
 import { Format } from "../format"
 import { LSP } from "@/lsp/lsp"
 import { File } from "../file"
@@ -5,7 +6,6 @@ import { Snapshot } from "../snapshot"
 import * as Project from "./project"
 import * as Vcs from "./vcs"
 import { Bus } from "../bus"
-import { Plugin } from "../plugin"
 import { InstanceState } from "@/effect/instance-state"
 import { FileWatcher } from "@/file/watcher"
 import { ShareNext } from "@/share/share-next"
@@ -27,6 +27,7 @@ export const layer = Layer.effect(
     const fileWatcher = yield* FileWatcher.Service
     const format = yield* Format.Service
     const lsp = yield* LSP.Service
+    const plugin = yield* Plugin.Service
     const project = yield* Project.Service
     const shareNext = yield* ShareNext.Service
     const snapshot = yield* Snapshot.Service
@@ -35,9 +36,10 @@ export const layer = Layer.effect(
     const run = Effect.gen(function* () {
       const ctx = yield* InstanceState.context
       yield* Effect.logInfo("bootstrapping", { directory: ctx.directory })
-      // everything depends on config so eager load it for nice traces.
-      // Config can initialise plugins through its layer override.
+      // everything depends on config so eager load it for nice traces
       yield* config.get()
+      // Plugin can mutate config so it has to be initialized before anything else.
+      yield* plugin.init()
       // Each service self-manages its own slow work via Effect.forkScoped against
       // its per-instance state scope. We just await materialization here.
       yield* Effect.forEach(

packages/opencode/src/server/auth.ts

@@ -1,48 +0,0 @@
-export * as ServerAuth from "./auth"
-
-import { ConfigService } from "@/effect/config-service"
-import { Flag } from "@opencode-ai/core/flag/flag"
-import { Config as EffectConfig, Context, Option, Redacted } from "effect"
-
-export type Credentials = {
-  password?: string
-  username?: string
-}
-
-export type DecodedCredentials = {
-  readonly username: string
-  readonly password: Redacted.Redacted
-}
-
-export class Config extends ConfigService.Service<Config>()("@opencode/ServerAuthConfig", {
-  password: EffectConfig.string("OPENCODE_SERVER_PASSWORD").pipe(EffectConfig.option),
-  username: EffectConfig.string("OPENCODE_SERVER_USERNAME").pipe(EffectConfig.withDefault("opencode")),
-}) {}
-
-export type Info = Context.Service.Shape<typeof Config>
-
-export function required(config: Info) {
-  return Option.isSome(config.password) && config.password.value !== ""
-}
-
-export function authorized(credentials: DecodedCredentials, config: Info) {
-  return (
-    Option.isSome(config.password) &&
-    credentials.username === config.username &&
-    Redacted.value(credentials.password) === config.password.value
-  )
-}
-
-export function header(credentials?: Credentials) {
-  const password = credentials?.password ?? Flag.OPENCODE_SERVER_PASSWORD
-  if (!password) return undefined
-
-  const username = credentials?.username ?? Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
-  return `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
-}
-
-export function headers(credentials?: Credentials) {
-  const authorization = header(credentials)
-  if (!authorization) return undefined
-  return { Authorization: authorization }
-}

packages/opencode/src/server/httpapi-listener.ts

@@ -8,6 +8,7 @@
 
 import type { ServerWebSocket } from "bun"
 import { Effect, Schema } from "effect"
+import { Flag } from "@opencode-ai/core/flag/flag"
 import { AppRuntime } from "@/effect/app-runtime"
 import { WithInstance } from "@/project/with-instance"
 import { Pty } from "@/pty"
@@ -15,8 +16,14 @@ import { handlePtyInput } from "@/pty/input"
 import { PtyID } from "@/pty/schema"
 import { PtyPaths } from "@/server/routes/instance/httpapi/groups/pty"
 import { ExperimentalHttpApiServer } from "@/server/routes/instance/httpapi/server"
+import { getAdapter } from "@/control-plane/adapters"
+import { WorkspaceID } from "@/control-plane/schema"
+import { Workspace } from "@/control-plane/workspace"
+import { Session } from "@/session/session"
 import * as Log from "@opencode-ai/core/util/log"
 import type { CorsOptions } from "./cors"
+import { ProxyUtil } from "./proxy-util"
+import { getWorkspaceRouteSessionID, isLocalWorkspaceRoute, workspaceProxyURL } from "./shared/workspace-routing"
 
 const log = Log.create({ service: "httpapi-listener" })
 const decodePtyID = Schema.decodeUnknownSync(PtyID)
@@ -33,7 +40,9 @@ export type ListenOptions = CorsOptions & {
   hostname: string
 }
 
-type WsKind = { kind: "pty"; ptyID: string; cursor: number | undefined; directory: string }
+type WsKind =
+  | { kind: "pty"; ptyID: string; cursor: number | undefined; directory: string }
+  | { kind: "proxy"; remoteURL: string; subprotocols: string[] }
 
 type PtyHandler = {
   onMessage: (message: string | ArrayBuffer) => void
@@ -41,10 +50,14 @@ type PtyHandler = {
 }
 
 type WsState = WsKind & {
+  // pty fields
   handler?: PtyHandler
   pending: Array<string | Uint8Array>
   ready: boolean
   closed: boolean
+  // proxy fields
+  remote?: WebSocket
+  proxyQueue?: Array<string | Uint8Array | ArrayBuffer>
 }
 
 // Derive from the OpenAPI path so this stays in sync if the route literal moves.
@@ -57,6 +70,71 @@ function parseCursor(value: string | null): number | undefined {
   return parsed
 }
 
+function openProxy(ws: ServerWebSocket<WsState>) {
+  const data = ws.data
+  if (data.kind !== "proxy") return
+  let remote: WebSocket
+  try {
+    remote = new WebSocket(data.remoteURL, data.subprotocols.length ? data.subprotocols : undefined)
+  } catch (err) {
+    log.error("proxy remote WebSocket construct failed", { error: err })
+    ws.close(1011, "proxy connect failed")
+    return
+  }
+  remote.binaryType = "arraybuffer"
+  data.remote = remote
+
+  remote.onopen = () => {
+    const queue = data.proxyQueue
+    if (queue) {
+      for (const item of queue) {
+        try {
+          remote.send(item as never)
+        } catch {
+          // ignore — close handlers will clean up
+        }
+      }
+      queue.length = 0
+    }
+  }
+  remote.onmessage = (event: MessageEvent) => {
+    try {
+      const payload = event.data
+      if (typeof payload === "string") {
+        ws.send(payload)
+      } else if (payload instanceof ArrayBuffer) {
+        ws.send(new Uint8Array(payload))
+      } else if (payload instanceof Uint8Array) {
+        ws.send(payload)
+      } else if (payload instanceof Blob) {
+        void payload.arrayBuffer().then((buf) => {
+          try {
+            ws.send(new Uint8Array(buf))
+          } catch {
+            // ignore
+          }
+        })
+      }
+    } catch {
+      // ignore — socket likely closed
+    }
+  }
+  remote.onerror = () => {
+    try {
+      ws.close(1011, "proxy error")
+    } catch {
+      // ignore
+    }
+  }
+  remote.onclose = (event: CloseEvent) => {
+    try {
+      ws.close(event.code, event.reason)
+    } catch {
+      // ignore
+    }
+  }
+}
+
 function asAdapter(ws: ServerWebSocket<WsState>) {
   return {
     get readyState() {
@@ -80,6 +158,55 @@ function asAdapter(ws: ServerWebSocket<WsState>) {
   }
 }
 
+async function resolveWorkspaceProxy(
+  request: Request,
+  url: URL,
+): Promise<{ remoteURL: URL; subprotocols: string[] } | undefined> {
+  // Skip proxy resolution entirely when this process is pinned to a single
+  // workspace (the Hono path's WorkspaceRouterMiddleware uses the same guard).
+  if (Flag.OPENCODE_WORKSPACE_ID) return undefined
+
+  // Local-only routes (e.g. /experimental/workspace, GET /session) never
+  // forward — match the Hono behavior even though those routes don't currently
+  // upgrade to WS.
+  if (isLocalWorkspaceRoute(request.method, url.pathname)) return undefined
+
+  // /console paths are served locally and never proxied.
+  if (url.pathname.startsWith("/console")) return undefined
+
+  let workspaceID: string | null = null
+
+  // Prefer session-derived workspace lookup when a session ID is present in
+  // the path; fall back to the explicit ?workspace=... query parameter.
+  const sessionID = getWorkspaceRouteSessionID(url)
+  if (sessionID) {
+    const session = await AppRuntime.runPromise(
+      Session.Service.use((svc) => svc.get(sessionID)).pipe(Effect.withSpan("HttpApiListener.proxy.session")),
+    ).catch(() => undefined)
+    if (session?.workspaceID) workspaceID = session.workspaceID
+  }
+  if (!workspaceID) workspaceID = url.searchParams.get("workspace")
+  if (!workspaceID) return undefined
+
+  const workspace = await AppRuntime.runPromise(
+    Workspace.Service.use((svc) => svc.get(WorkspaceID.make(workspaceID))).pipe(
+      Effect.withSpan("HttpApiListener.proxy.workspace"),
+    ),
+  ).catch(() => undefined)
+  if (!workspace) return undefined
+
+  const adapter = getAdapter(workspace.projectID, workspace.type)
+  const target = await adapter.target(workspace)
+  if (target.type !== "remote") return undefined
+
+  const proxyURL = workspaceProxyURL(target.url, url)
+  const remoteURL = new URL(ProxyUtil.websocketTargetURL(proxyURL))
+  return {
+    remoteURL,
+    subprotocols: ProxyUtil.websocketProtocols(request),
+  }
+}
+
 /**
  * Spin up a native Bun.serve that:
  *   1. Routes all HTTP traffic through the HttpApi web handler.
@@ -98,10 +225,11 @@ export async function listen(opts: ListenOptions): Promise<Listener> {
         hostname: opts.hostname,
         port,
         idleTimeout: 0,
-        fetch(request, server) {
+        async fetch(request, server) {
           const url = new URL(request.url)
+          const isUpgrade = request.headers.get("upgrade")?.toLowerCase() === "websocket"
           const ptyMatch = url.pathname.match(ptyConnectPattern)
-          if (ptyMatch && request.headers.get("upgrade")?.toLowerCase() === "websocket") {
+          if (ptyMatch && isUpgrade) {
             const ptyID = ptyMatch[1]!
             const cursor = parseCursor(url.searchParams.get("cursor"))
             // Resolve the instance directory the same way the HttpApi
@@ -124,20 +252,50 @@ export async function listen(opts: ListenOptions): Promise<Listener> {
             return new Response("upgrade failed", { status: 400 })
           }
 
-          // TODO: workspace-proxy WS upgrade detection. The Hono path forwards via a
-          // remote `new WebSocket(url, ...)` (see ServerProxy.websocket). To support
-          // that here we'd need to (a) resolve the workspace target the same way
-          // `WorkspaceRouterMiddleware` does today, then (b) `server.upgrade(request,
-          // { data: { kind: "proxy", target, headers, protocols } })` and bridge the
-          // ServerWebSocket to a remote WebSocket inside the `websocket` handlers.
-          // Deferred to a follow-up — the proxy story needs more design (auth header
-          // forwarding, fence sync, reconnection semantics) than fits this PR.
+          // Workspace-proxy WS forwarding. Mirrors the Hono path's
+          // `WorkspaceRouterMiddleware` → `ServerProxy.websocket` flow but inline.
+          // Bridging to the remote `new WebSocket(...)` happens inside the
+          // `websocket.open` handler below.
+          //
+          // TODO: Node adapter (no Bun.serve) needs an equivalent path using
+          // `node:http` + `ws`.
+          if (isUpgrade) {
+            try {
+              const proxy = await resolveWorkspaceProxy(request, url)
+              if (proxy) {
+                log.info("workspace-proxy websocket", {
+                  request: url.toString(),
+                  remote: proxy.remoteURL.toString(),
+                })
+                const upgraded = server.upgrade(request, {
+                  data: {
+                    kind: "proxy",
+                    remoteURL: proxy.remoteURL.toString(),
+                    subprotocols: proxy.subprotocols,
+                    pending: [],
+                    ready: false,
+                    closed: false,
+                    proxyQueue: [],
+                  } satisfies WsState,
+                })
+                if (upgraded) return undefined
+                return new Response("upgrade failed", { status: 400 })
+              }
+            } catch (err) {
+              log.error("workspace-proxy ws resolve failed", { error: err })
+              return new Response("workspace lookup failed", { status: 500 })
+            }
+          }
 
           return handler(request as Request, context as never)
         },
         websocket: {
           open(ws) {
             const data = ws.data
+            if (data.kind === "proxy") {
+              openProxy(ws)
+              return
+            }
             if (data.kind !== "pty") {
               ws.close(1011, "unknown ws kind")
               return
@@ -187,6 +345,25 @@ export async function listen(opts: ListenOptions): Promise<Listener> {
           },
           message(ws, message) {
             const data = ws.data
+            if (data.kind === "proxy") {
+              const payload =
+                typeof message === "string"
+                  ? message
+                  : message instanceof Buffer
+                    ? new Uint8Array(message.buffer, message.byteOffset, message.byteLength)
+                    : (message as Uint8Array)
+              const remote = data.remote
+              if (remote && remote.readyState === WebSocket.OPEN) {
+                try {
+                  remote.send(payload)
+                } catch {
+                  // ignore send errors; lifecycle handlers will tear things down
+                }
+                return
+              }
+              data.proxyQueue?.push(payload)
+              return
+            }
             if (data.kind !== "pty") return
             const payload =
               typeof message === "string"
@@ -200,9 +377,17 @@ export async function listen(opts: ListenOptions): Promise<Listener> {
             }
             AppRuntime.runPromise(handlePtyInput(data.handler, payload)).catch(() => undefined)
           },
-          close(ws) {
+          close(ws, code, reason) {
             const data = ws.data
             data.closed = true
+            if (data.kind === "proxy") {
+              try {
+                data.remote?.close(code, reason)
+              } catch {
+                // ignore
+              }
+              return
+            }
             data.handler?.onClose()
           },
         },

packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts

@@ -1,11 +1,10 @@
-import { ServerAuth } from "@/server/auth"
-import { Effect, Encoding, Layer, Redacted } from "effect"
+import { ConfigService } from "@/effect/config-service"
+import { Config, Context, Effect, Encoding, Layer, Option, Redacted } from "effect"
 import { HttpRouter, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"
 import { HttpApiError, HttpApiMiddleware, HttpApiSecurity } from "effect/unstable/httpapi"
 
 const AUTH_TOKEN_QUERY = "auth_token"
 const UNAUTHORIZED = 401
-const WWW_AUTHENTICATE = 'Basic realm="Secure Area"'
 
 export class Authorization extends HttpApiMiddleware.Service<Authorization>()(
   "@opencode/ExperimentalHttpApiAuthorization",
@@ -18,18 +17,41 @@ export class Authorization extends HttpApiMiddleware.Service<Authorization>()(
   },
 ) {}
 
+export class ServerAuthConfig extends ConfigService.Service<ServerAuthConfig>()(
+  "@opencode/ExperimentalHttpApiServerAuthConfig",
+  {
+    password: Config.string("OPENCODE_SERVER_PASSWORD").pipe(Config.option),
+    username: Config.string("OPENCODE_SERVER_USERNAME").pipe(Config.withDefault("opencode")),
+  },
+) {}
+
 function validateCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: ServerAuth.DecodedCredentials,
-  config: ServerAuth.Info,
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
 ) {
   return Effect.gen(function* () {
-    if (!ServerAuth.required(config)) return yield* effect
-    if (!ServerAuth.authorized(credential, config)) return yield* new HttpApiError.Unauthorized({})
+    if (!isAuthRequired(config)) return yield* effect
+    if (!isCredentialAuthorized(credential, config)) return yield* new HttpApiError.Unauthorized({})
     return yield* effect
   })
 }
 
+function isAuthRequired(config: Context.Service.Shape<typeof ServerAuthConfig>) {
+  return Option.isSome(config.password) && config.password.value !== ""
+}
+
+function isCredentialAuthorized(
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
+) {
+  return (
+    Option.isSome(config.password) &&
+    credential.username === config.username &&
+    Redacted.value(credential.password) === config.password.value
+  )
+}
+
 function decodeCredential(input: string) {
   const emptyCredential = {
     username: "",
@@ -55,24 +77,19 @@ function decodeCredential(input: string) {
 
 function validateRawCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: ServerAuth.DecodedCredentials,
-  config: ServerAuth.Info,
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
 ) {
-  if (!ServerAuth.required(config)) return effect
-  if (!ServerAuth.authorized(credential, config))
-    return Effect.succeed(
-      HttpServerResponse.empty({
-        status: UNAUTHORIZED,
-        headers: { "www-authenticate": WWW_AUTHENTICATE },
-      }),
-    )
+  if (!isAuthRequired(config)) return effect
+  if (!isCredentialAuthorized(credential, config))
+    return Effect.succeed(HttpServerResponse.empty({ status: UNAUTHORIZED }))
   return effect
 }
 
 export const authorizationRouterMiddleware = HttpRouter.middleware()(
   Effect.gen(function* () {
-    const config = yield* ServerAuth.Config
-    if (!ServerAuth.required(config)) return (effect) => effect
+    const config = yield* ServerAuthConfig
+    if (!isAuthRequired(config)) return (effect) => effect
 
     return (effect) =>
       Effect.gen(function* () {
@@ -99,7 +116,7 @@ export const authorizationRouterMiddleware = HttpRouter.middleware()(
 export const authorizationLayer = Layer.effect(
   Authorization,
   Effect.gen(function* () {
-    const config = yield* ServerAuth.Config
+    const config = yield* ServerAuthConfig
     return Authorization.of({
       basic: (effect, { credential }) => validateCredential(effect, credential, config),
       authToken: (effect, { credential }) =>

packages/opencode/src/server/routes/instance/httpapi/server.ts

@@ -46,9 +46,8 @@ import { Worktree } from "@/worktree"
 import { Workspace } from "@/control-plane/workspace"
 import { isAllowedCorsOrigin, type CorsOptions } from "@/server/cors"
 import { serveUIEffect } from "@/server/shared/ui"
-import { ServerAuth } from "@/server/auth"
 import { InstanceHttpApi, RootHttpApi } from "./api"
-import { authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
+import { ServerAuthConfig, authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
 import { EventApi, eventHandlers } from "./event"
 import { configHandlers } from "./handlers/config"
 import { controlHandlers } from "./handlers/control"
@@ -98,7 +97,7 @@ const rootApiRoutes = HttpApiBuilder.layer(RootHttpApi).pipe(Layer.provide([cont
 const instanceRouterLayer = authorizationRouterMiddleware
   .combine(instanceRouterMiddleware)
   .combine(workspaceRouterMiddleware)
-  .layer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal), Layer.provide(ServerAuth.Config.defaultLayer))
+  .layer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal), Layer.provide(ServerAuthConfig.defaultLayer))
 const eventApiRoutes = HttpApiBuilder.layer(EventApi).pipe(
   Layer.provide(eventHandlers),
   Layer.provide(instanceRouterLayer),
@@ -126,7 +125,7 @@ const instanceApiRoutes = HttpApiBuilder.layer(InstanceHttpApi).pipe(
 const rawInstanceRoutes = Layer.mergeAll(ptyConnectRoute).pipe(Layer.provide(instanceRouterLayer))
 const instanceRoutes = Layer.mergeAll(rawInstanceRoutes, instanceApiRoutes).pipe(
   Layer.provide([
-    authorizationLayer.pipe(Layer.provide(ServerAuth.Config.defaultLayer)),
+    authorizationLayer.pipe(Layer.provide(ServerAuthConfig.defaultLayer)),
     workspaceRoutingLayer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal)),
     instanceContextLayer,
   ]),
@@ -138,7 +137,7 @@ const uiRoute = HttpRouter.use((router) =>
     const client = yield* HttpClient.HttpClient
     yield* router.add("*", "/*", (request) => serveUIEffect(request, { fs, client }))
   }),
-).pipe(Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuth.Config.defaultLayer))))
+).pipe(Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuthConfig.defaultLayer))))
 
 export function createRoutes(corsOptions?: CorsOptions) {
   return Layer.mergeAll(rootApiRoutes, eventApiRoutes, instanceRoutes, uiRoute).pipe(

packages/opencode/src/session/session.ts

@@ -339,8 +339,7 @@ export const Event = {
       sessionID: Schema.optional(SessionID),
       // Reuses MessageV2.Assistant.fields.error (already Schema.optional) so
       // the derived zod keeps the same discriminated-union shape on the bus.
-      // Schema.suspend defers access to break circular init in compiled binaries.
-      error: Schema.suspend(() => MessageV2.Assistant.fields.error),
+      error: MessageV2.Assistant.fields.error,
     }),
   ),
 }

packages/opencode/src/util/effect-zod.ts

@@ -256,8 +256,6 @@ function body(ast: SchemaAST.AST): z.ZodTypeAny {
       return array(ast)
     case "Declaration":
       return decl(ast)
-    case "Suspend":
-      return z.lazy(() => walk(ast.thunk()))
     default:
       return fail(ast)
   }

packages/opencode/src/util/error.ts

@@ -7,19 +7,7 @@ export function errorFormat(error: unknown): string {
 
   if (typeof error === "object" && error !== null) {
     try {
-      const json = JSON.stringify(error, null, 2)
-      // Plain objects whose own properties are all non-enumerable (or empty)
-      // serialize to "{}", which prints as a useless bare `{}` on stderr.
-      // Fall back to a custom toString first, then to ctor name + own prop names.
-      if (json === "{}") {
-        const str = String(error)
-        if (str && str !== "[object Object]") return str
-        const ctor = error.constructor?.name
-        const prefix = ctor && ctor !== "Object" ? ctor : "Error"
-        const names = Object.getOwnPropertyNames(error)
-        return names.length === 0 ? `${prefix} (no message)` : `${prefix} { ${names.join(", ")} }`
-      }
-      return json
+      return JSON.stringify(error, null, 2)
     } catch {
       return "Unexpected error (unserializable)"
     }
@@ -46,7 +34,7 @@ export function errorMessage(error: unknown): string {
   if (text && text !== "[object Object]") return text
 
   const formatted = errorFormat(error)
-  if (formatted) return formatted
+  if (formatted && formatted !== "{}") return formatted
   return "unknown error"
 }
 
@@ -57,7 +45,7 @@ export function errorData(error: unknown) {
       message: errorMessage(error),
       stack: error.stack,
       cause: error.cause === undefined ? undefined : errorFormat(error.cause),
-      formatted: errorFormat(error),
+      formatted: errorFormatted(error),
     }
   }
 
@@ -65,7 +53,7 @@ export function errorData(error: unknown) {
     return {
       type: typeof error,
       message: errorMessage(error),
-      formatted: errorFormat(error),
+      formatted: errorFormatted(error),
     }
   }
 
@@ -83,6 +71,12 @@ export function errorData(error: unknown) {
 
   if (typeof data.message !== "string") data.message = errorMessage(error)
   if (typeof data.type !== "string") data.type = error.constructor?.name
-  data.formatted = errorFormat(error)
+  data.formatted = errorFormatted(error)
   return data
 }
+
+function errorFormatted(error: unknown) {
+  const formatted = errorFormat(error)
+  if (formatted !== "{}") return formatted
+  return String(error)
+}

packages/opencode/test/agent/agent.test.ts

@@ -229,8 +229,8 @@ test("agent permission config merges with defaults", async () => {
       expect(build).toBeDefined()
       // Specific pattern is denied
       expect(Permission.evaluate("bash", "rm -rf *", build!.permission).action).toBe("deny")
-      // Edit still asks (default behavior)
-      expect(evalPerm(build, "edit")).toBe("ask")
+      // Edit still allowed
+      expect(evalPerm(build, "edit")).toBe("allow")
     },
   })
 })

packages/opencode/test/config/tui.test.ts

@@ -627,43 +627,3 @@ test("merges plugin_enabled flags across config layers", async () => {
     "local.plugin": true,
   })
 })
-
-test("silently skips malformed tui.json — load failures degrade to {}", async () => {
-  await using tmp = await tmpdir({
-    init: async (dir) => {
-      await Bun.write(path.join(dir, "tui.json"), '{ "theme": "broken",')
-      await Bun.write(path.join(dir, ".opencode", "tui.json"), JSON.stringify({ theme: "fallback" }))
-    },
-  })
-
-  const config = await getTuiConfig(tmp.path)
-  // Project tui.json is malformed → silently skipped (logs a warning)
-  // .opencode/tui.json (lower precedence in this path) still loads
-  expect(config.theme).toBe("fallback")
-})
-
-test("silently skips non-ENOENT read failures (e.g. tui.json is a directory) — fallback layer still loads", async () => {
-  await using tmp = await tmpdir({
-    init: async (dir) => {
-      // tui.json exists as a DIRECTORY rather than a file → readFileString fails
-      // with EISDIR (PlatformError reason ≠ NotFound). The fix in this PR routes
-      // that through catchCause → log + skip, so a fallback layer should still load.
-      await fs.mkdir(path.join(dir, "tui.json"), { recursive: true })
-      await Bun.write(path.join(dir, ".opencode", "tui.json"), JSON.stringify({ theme: "fallback" }))
-    },
-  })
-
-  const config = await getTuiConfig(tmp.path)
-  // Did NOT crash; .opencode/tui.json (lower precedence) still loads.
-  expect(config.theme).toBe("fallback")
-})
-
-test("missing tui.json — silently treated as empty (ENOENT path)", async () => {
-  await using tmp = await tmpdir({})
-
-  // No tui.json anywhere. Should not throw.
-  const config = await getTuiConfig(tmp.path)
-  expect(config).toBeDefined()
-  // No theme set anywhere.
-  expect(config.theme).toBeUndefined()
-})

packages/opencode/test/server/auth.test.ts

@@ -1,59 +0,0 @@
-import { afterEach, describe, expect, test } from "bun:test"
-import { Option, Redacted } from "effect"
-import { Flag } from "@opencode-ai/core/flag/flag"
-import { ServerAuth } from "../../src/server/auth"
-
-const original = {
-  OPENCODE_SERVER_PASSWORD: Flag.OPENCODE_SERVER_PASSWORD,
-  OPENCODE_SERVER_USERNAME: Flag.OPENCODE_SERVER_USERNAME,
-}
-
-afterEach(() => {
-  Flag.OPENCODE_SERVER_PASSWORD = original.OPENCODE_SERVER_PASSWORD
-  Flag.OPENCODE_SERVER_USERNAME = original.OPENCODE_SERVER_USERNAME
-})
-
-describe("ServerAuth", () => {
-  test("does not emit auth headers without a password", () => {
-    Flag.OPENCODE_SERVER_PASSWORD = undefined
-    Flag.OPENCODE_SERVER_USERNAME = "alice"
-
-    expect(ServerAuth.header()).toBeUndefined()
-    expect(ServerAuth.headers()).toBeUndefined()
-  })
-
-  test("defaults to the opencode username", () => {
-    Flag.OPENCODE_SERVER_PASSWORD = "secret"
-    Flag.OPENCODE_SERVER_USERNAME = undefined
-
-    expect(ServerAuth.headers()).toEqual({
-      Authorization: `Basic ${Buffer.from("opencode:secret").toString("base64")}`,
-    })
-  })
-
-  test("uses the configured username", () => {
-    Flag.OPENCODE_SERVER_PASSWORD = "secret"
-    Flag.OPENCODE_SERVER_USERNAME = "alice"
-
-    expect(ServerAuth.headers()).toEqual({
-      Authorization: `Basic ${Buffer.from("alice:secret").toString("base64")}`,
-    })
-  })
-
-  test("prefers explicit credentials", () => {
-    Flag.OPENCODE_SERVER_PASSWORD = "secret"
-    Flag.OPENCODE_SERVER_USERNAME = "alice"
-
-    expect(ServerAuth.headers({ password: "cli-secret", username: "bob" })).toEqual({
-      Authorization: `Basic ${Buffer.from("bob:cli-secret").toString("base64")}`,
-    })
-  })
-
-  test("validates decoded credentials against effect config", () => {
-    const config = { password: Option.some("secret"), username: "alice" }
-
-    expect(ServerAuth.required(config)).toBe(true)
-    expect(ServerAuth.authorized({ username: "alice", password: Redacted.make("secret") }, config)).toBe(true)
-    expect(ServerAuth.authorized({ username: "opencode", password: Redacted.make("secret") }, config)).toBe(false)
-  })
-})

packages/opencode/test/server/httpapi-authorization.test.ts

@@ -3,8 +3,11 @@ import { describe, expect } from "bun:test"
 import { Effect, Layer, Option, Schema } from "effect"
 import { HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
 import { HttpApi, HttpApiBuilder, HttpApiEndpoint, HttpApiGroup } from "effect/unstable/httpapi"
-import { ServerAuth } from "../../src/server/auth"
-import { Authorization, authorizationLayer } from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import {
+  Authorization,
+  ServerAuthConfig,
+  authorizationLayer,
+} from "../../src/server/routes/instance/httpapi/middleware/authorization"
 import { testEffect } from "../lib/effect"
 
 const Api = HttpApi.make("test-authorization").add(
@@ -24,9 +27,9 @@ const apiLayer = HttpRouter.serve(
   { disableListenLog: true, disableLogger: true },
 ).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
 
-const noAuthLayer = ServerAuth.Config.layer({ password: Option.none(), username: "opencode" })
-const secretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "opencode" })
-const kitSecretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "kit" })
+const noAuthLayer = ServerAuthConfig.layer({ password: Option.none(), username: "opencode" })
+const secretLayer = ServerAuthConfig.layer({ password: Option.some("secret"), username: "opencode" })
+const kitSecretLayer = ServerAuthConfig.layer({ password: Option.some("secret"), username: "kit" })
 
 const it = testEffect(apiLayer.pipe(Layer.provide(noAuthLayer)))
 const itSecret = testEffect(apiLayer.pipe(Layer.provide(secretLayer)))

packages/opencode/test/server/httpapi-listener.test.ts

@@ -1,10 +1,19 @@
 import { afterEach, describe, expect, test } from "bun:test"
+import type { ServerWebSocket } from "bun"
+import { mkdir } from "node:fs/promises"
+import path from "node:path"
 import { Flag } from "@opencode-ai/core/flag/flag"
 import * as Log from "@opencode-ai/core/util/log"
 import { resetDatabase } from "../fixture/db"
 import { disposeAllInstances, tmpdir } from "../fixture/fixture"
+import { registerAdapter } from "../../src/control-plane/adapters"
+import type { WorkspaceAdapter } from "../../src/control-plane/types"
+import { Workspace } from "../../src/control-plane/workspace"
+import { AppRuntime } from "../../src/effect/app-runtime"
+import { Project } from "../../src/project/project"
 import { HttpApiListener } from "../../src/server/httpapi-listener"
 import { PtyPaths } from "../../src/server/routes/instance/httpapi/groups/pty"
+import { Effect } from "effect"
 
 void Log.init({ print: false })
 
@@ -43,6 +52,99 @@ describe("native HttpApi listener", () => {
     }
   })
 
+  test("workspace-proxy WS forwarding round-trips through a fake remote", async () => {
+    await using tmp = await tmpdir({ git: true, config: { formatter: false, lsp: false } })
+
+    // Tiny Bun.serve fake remote that echoes every WS frame it receives.
+    type EchoState = { closed: boolean }
+    const remote = Bun.serve<EchoState>({
+      hostname: "127.0.0.1",
+      port: 0,
+      fetch(request, server) {
+        if (request.headers.get("upgrade")?.toLowerCase() === "websocket") {
+          if (server.upgrade(request, { data: { closed: false } })) return undefined
+          return new Response("upgrade failed", { status: 400 })
+        }
+        return new Response("ok")
+      },
+      websocket: {
+        open(_ws: ServerWebSocket<EchoState>) {},
+        message(ws: ServerWebSocket<EchoState>, msg: string | Buffer) {
+          ws.send(typeof msg === "string" ? `echo:${msg}` : msg)
+        },
+        close(_ws: ServerWebSocket<EchoState>) {},
+      },
+    })
+
+    // The path "/probe" is not a known local-only or PTY route, so the listener
+    // should treat it as a candidate for workspace-proxy WS forwarding.
+    const remoteBase = `http://${remote.hostname}:${remote.port}`
+
+    // Register a remote workspace whose target points at the echo server.
+    const adapter: WorkspaceAdapter = {
+      name: "Remote Listener Test",
+      description: "Remote workspace target for HttpApiListener proxy WS test",
+      configure: (info) => ({ ...info, name: "remote-listener-test", directory: path.join(tmp.path, ".remote") }),
+      create: async () => {
+        await mkdir(path.join(tmp.path, ".remote"), { recursive: true })
+      },
+      async remove() {},
+      target: () => ({ type: "remote" as const, url: remoteBase }),
+    }
+
+    const workspaceID = await AppRuntime.runPromise(
+      Effect.gen(function* () {
+        const project = yield* Project.Service.use((svc) => svc.fromDirectory(tmp.path))
+        registerAdapter(project.project.id, "httpapi-listener-proxy-ws", adapter)
+        const created = yield* Workspace.Service.use((svc) =>
+          svc.create({
+            type: "httpapi-listener-proxy-ws",
+            branch: null,
+            extra: null,
+            projectID: project.project.id,
+          }),
+        )
+        return created.id
+      }),
+    )
+
+    const listener = await startListener()
+    try {
+      const wsURL = new URL("/probe", listener.url)
+      wsURL.protocol = "ws:"
+      wsURL.searchParams.set("workspace", workspaceID)
+
+      const messages: string[] = []
+      const ws = new WebSocket(wsURL)
+      ws.binaryType = "arraybuffer"
+
+      const opened = new Promise<void>((resolve, reject) => {
+        ws.addEventListener("open", () => resolve(), { once: true })
+        ws.addEventListener("error", () => reject(new Error("ws error before open")), { once: true })
+      })
+
+      ws.addEventListener("message", (event) => {
+        const data = event.data
+        messages.push(typeof data === "string" ? data : new TextDecoder().decode(data as ArrayBuffer))
+      })
+
+      await opened
+      ws.send("hello-proxy")
+
+      const start = Date.now()
+      while (!messages.some((m) => m === "echo:hello-proxy") && Date.now() - start < 5_000) {
+        await new Promise((r) => setTimeout(r, 25))
+      }
+
+      expect(messages).toContain("echo:hello-proxy")
+
+      ws.close(1000, "done")
+    } finally {
+      await listener.stop(true)
+      remote.stop(true)
+    }
+  })
+
   testPty("PTY websocket connect echoes input back to the client", async () => {
     await using tmp = await tmpdir({ git: true, config: { formatter: false, lsp: false } })
     const listener = await startListener()

packages/opencode/test/server/httpapi-ui.test.ts

@@ -12,8 +12,10 @@ import {
   HttpServerResponse,
 } from "effect/unstable/http"
 import { AppFileSystem } from "@opencode-ai/core/filesystem"
-import { ServerAuth } from "../../src/server/auth"
-import { authorizationRouterMiddleware } from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import {
+  ServerAuthConfig,
+  authorizationRouterMiddleware,
+} from "../../src/server/routes/instance/httpapi/middleware/authorization"
 import { ExperimentalHttpApiServer } from "../../src/server/routes/instance/httpapi/server"
 import { serveUIEffect } from "../../src/server/shared/ui"
 import { Server } from "../../src/server/server"
@@ -79,7 +81,7 @@ function uiApp(input?: { password?: string; username?: string; client?: Layer.La
         yield* router.add("*", "/*", (request) => serveUIEffect(request, { fs, client }))
       }),
     ).pipe(
-      Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuth.Config.defaultLayer))),
+      Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuthConfig.defaultLayer))),
       Layer.provide([
         AppFileSystem.defaultLayer,
         input?.client ?? httpClient(new Response("ui")),
@@ -199,7 +201,6 @@ describe("HttpApi UI fallback", () => {
     const response = await uiApp({ password: "secret", username: "opencode" }).request("/")
 
     expect(response.status).toBe(401)
-    expect(response.headers.get("www-authenticate")).toBe('Basic realm="Secure Area"')
   })
 
   test("accepts auth token for the web UI", async () => {

packages/opencode/test/util/error.test.ts

@@ -22,19 +22,6 @@ describe("util.error", () => {
     expect(data.code).toBe("E_BAD")
   })
 
-  test("never returns bare {} for opaque object errors", () => {
-    // Plain empty object — what the SDK threw before we wrapped it.
-    expect(errorFormat({})).not.toBe("{}")
-    expect(errorFormat({})).toContain("no message")
-
-    // Object with only non-enumerable own properties (JSON.stringify drops them).
-    class OpaqueError {}
-    const opaque = new OpaqueError()
-    Object.defineProperty(opaque, "secret", { value: "hidden", enumerable: false })
-    expect(errorFormat(opaque)).not.toBe("{}")
-    expect(errorFormat(opaque)).toContain("OpaqueError")
-  })
-
   test("handles opaque throwables with custom toString", () => {
     const err = {
       toString() {

packages/sdk/js/src/v2/client.ts

@@ -84,24 +84,5 @@ export function createOpencodeClient(config?: Config & { directory?: string; exp
 
     return response
   })
-  // The generated client falls back to throwing a literal `{}` when the server
-  // responds with an empty / unparseable error body, which surfaces as a bare
-  // `{}` in TUI / CLI error output. Wrap ONLY that case in a real Error so
-  // downstream formatters get a useful message — but pass through any parsed
-  // JSON error body unchanged so existing consumers can still inspect fields.
-  client.interceptors.error.use((error, response, request) => {
-    const isEmpty =
-      error === undefined ||
-      error === null ||
-      error === "" ||
-      (typeof error === "object" && !(error instanceof Error) && Object.keys(error).length === 0)
-    if (!isEmpty) return error
-    const method = request?.method ?? "?"
-    const url = request?.url ?? "?"
-    if (!response) return new Error(`opencode server ${method} ${url}: network error (no response)`)
-    const status = response.status
-    const statusText = response.statusText ? " " + response.statusText : ""
-    return new Error(`opencode server ${method} ${url} → ${status}${statusText}: (empty response body)`)
-  })
   return new OpencodeClient({ client })
 }

packages/ui/src/components/file-ssr.tsx

@@ -1,4 +1,4 @@
-import { DIFFS_TAG_NAME, FileDiff } from "@pierre/diffs"
+import { DIFFS_TAG_NAME, FileDiff, VirtualizedFileDiff } from "@pierre/diffs"
 import { type PreloadFileDiffResult, type PreloadMultiFileDiffResult } from "@pierre/diffs/ssr"
 import { createEffect, onCleanup, onMount, Show, splitProps } from "solid-js"
 import { Dynamic, isServer } from "solid-js/web"
@@ -13,6 +13,7 @@ import {
   notifyShadowReady,
   observeViewerScheme,
 } from "../pierre/file-runtime"
+import { acquireVirtualizer, virtualMetrics } from "../pierre/virtualizer"
 import { File, type DiffFileProps, type FileProps } from "./file"
 
 type DiffPreload<T> = PreloadMultiFileDiffResult<T> | PreloadFileDiffResult<T>
@@ -25,6 +26,7 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
   let container!: HTMLDivElement
   let fileDiffRef!: HTMLElement
   let fileDiffInstance: FileDiff<T> | undefined
+  let sharedVirtualizer: NonNullable<ReturnType<typeof acquireVirtualizer>> | undefined
 
   const ready = createReadyWatcher()
   const workerPool = useWorkerPool(props.diffStyle)
@@ -49,6 +51,14 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
 
   const getRoot = () => fileDiffRef?.shadowRoot ?? undefined
 
+  const getVirtualizer = () => {
+    if (sharedVirtualizer) return sharedVirtualizer.virtualizer
+    const result = acquireVirtualizer(container)
+    if (!result) return
+    sharedVirtualizer = result
+    return result.virtualizer
+  }
+
   const setSelectedLines = (range: DiffFileProps<T>["selectedLines"], attempt = 0) => {
     const diff = fileDiffInstance
     if (!diff) return
@@ -82,15 +92,27 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
 
     onCleanup(observeViewerScheme(() => fileDiffRef))
 
+    const virtualizer = getVirtualizer()
     const annotations = local.annotations ?? local.preloadedDiff.annotations ?? []
-    fileDiffInstance = new FileDiff<T>(
-      {
-        ...createDefaultOptions(props.diffStyle),
-        ...others,
-        ...(local.preloadedDiff.options ?? {}),
-      },
-      workerPool,
-    )
+    fileDiffInstance = virtualizer
+      ? new VirtualizedFileDiff<T>(
+          {
+            ...createDefaultOptions(props.diffStyle),
+            ...others,
+            ...local.preloadedDiff.options,
+          },
+          virtualizer,
+          virtualMetrics,
+          workerPool,
+        )
+      : new FileDiff<T>(
+          {
+            ...createDefaultOptions(props.diffStyle),
+            ...others,
+            ...local.preloadedDiff.options,
+          },
+          workerPool,
+        )
 
     applyViewerScheme(fileDiffRef)
 
@@ -141,6 +163,8 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
   onCleanup(() => {
     clearReadyWatcher(ready)
     fileDiffInstance?.cleanUp()
+    sharedVirtualizer?.release()
+    sharedVirtualizer = undefined
   })
 
   return (

packages/ui/src/components/file.tsx

@@ -1,5 +1,6 @@
 import { sampledChecksum } from "@opencode-ai/core/util/encode"
 import {
+  DEFAULT_VIRTUAL_FILE_METRICS,
   type DiffLineAnnotation,
   type FileContents,
   type FileDiffMetadata,
@@ -9,6 +10,10 @@ import {
   type FileOptions,
   type LineAnnotation,
   type SelectedLineRange,
+  type VirtualFileMetrics,
+  VirtualizedFile,
+  VirtualizedFileDiff,
+  Virtualizer,
 } from "@pierre/diffs"
 import { type PreloadFileDiffResult, type PreloadMultiFileDiffResult } from "@pierre/diffs/ssr"
 import { createMediaQuery } from "@solid-primitives/media"
@@ -35,10 +40,19 @@ import {
   readShadowLineSelection,
 } from "../pierre/file-selection"
 import { createLineNumberSelectionBridge, restoreShadowTextSelection } from "../pierre/selection-bridge"
+import { acquireVirtualizer, virtualMetrics } from "../pierre/virtualizer"
 import { getWorkerPool } from "../pierre/worker"
 import { FileMedia, type FileMediaOptions } from "./file-media"
 import { FileSearchBar } from "./file-search"
 
+const VIRTUALIZE_BYTES = 500_000
+
+const codeMetrics = {
+  ...DEFAULT_VIRTUAL_FILE_METRICS,
+  lineHeight: 24,
+  fileGap: 0,
+} satisfies Partial<VirtualFileMetrics>
+
 type SharedProps<T> = {
   annotations?: LineAnnotation<T>[] | DiffLineAnnotation<T>[]
   selectedLines?: SelectedLineRange | null
@@ -372,6 +386,11 @@ type AnnotationTarget<A> = {
   rerender: () => void
 }
 
+type VirtualStrategy = {
+  get: () => Virtualizer | undefined
+  cleanup: () => void
+}
+
 function useModeViewer(config: ModeConfig, adapter: ModeAdapter) {
   return useFileViewer({
     enableLineSelection: config.enableLineSelection,
@@ -513,6 +532,64 @@ function scrollParent(el: HTMLElement): HTMLElement | undefined {
   }
 }
 
+function createLocalVirtualStrategy(host: () => HTMLDivElement | undefined, enabled: () => boolean): VirtualStrategy {
+  let virtualizer: Virtualizer | undefined
+  let root: Document | HTMLElement | undefined
+
+  const release = () => {
+    virtualizer?.cleanUp()
+    virtualizer = undefined
+    root = undefined
+  }
+
+  return {
+    get: () => {
+      if (!enabled()) {
+        release()
+        return
+      }
+      if (typeof document === "undefined") return
+
+      const wrapper = host()
+      if (!wrapper) return
+
+      const next = scrollParent(wrapper) ?? document
+      if (virtualizer && root === next) return virtualizer
+
+      release()
+      virtualizer = new Virtualizer()
+      root = next
+      virtualizer.setup(next, next instanceof Document ? undefined : wrapper)
+      return virtualizer
+    },
+    cleanup: release,
+  }
+}
+
+function createSharedVirtualStrategy(host: () => HTMLDivElement | undefined): VirtualStrategy {
+  let shared: NonNullable<ReturnType<typeof acquireVirtualizer>> | undefined
+
+  const release = () => {
+    shared?.release()
+    shared = undefined
+  }
+
+  return {
+    get: () => {
+      if (shared) return shared.virtualizer
+
+      const container = host()
+      if (!container) return
+
+      const result = acquireVirtualizer(container)
+      if (!result) return
+      shared = result
+      return result.virtualizer
+    },
+    cleanup: release,
+  }
+}
+
 function parseLine(node: HTMLElement) {
   if (!node.dataset.line) return
   const value = parseInt(node.dataset.line, 10)
@@ -611,7 +688,7 @@ function ViewerShell(props: {
 // ---------------------------------------------------------------------------
 
 function TextViewer<T>(props: TextFileProps<T>) {
-  let instance: PierreFile<T> | undefined
+  let instance: PierreFile<T> | VirtualizedFile<T> | undefined
   let viewer!: Viewer
 
   const [local, others] = splitProps(props, textKeys)
@@ -631,12 +708,36 @@ function TextViewer<T>(props: TextFileProps<T>) {
     return Math.max(1, total)
   }
 
+  const bytes = createMemo(() => {
+    const value = local.file.contents as unknown
+    if (typeof value === "string") return value.length
+    if (Array.isArray(value)) {
+      return value.reduce(
+        // oxlint-disable-next-line no-base-to-string -- array parts coerced intentionally
+        (sum, part) => sum + (typeof part === "string" ? part.length + 1 : String(part).length + 1),
+        0,
+      )
+    }
+    if (value == null) return 0
+    // oxlint-disable-next-line no-base-to-string -- file contents cast to unknown, coercion is intentional
+    return String(value).length
+  })
+
+  const virtual = createMemo(() => bytes() > VIRTUALIZE_BYTES)
+
+  const virtuals = createLocalVirtualStrategy(() => viewer.wrapper, virtual)
+
   const lineFromMouseEvent = (event: MouseEvent): MouseHit => mouseHit(event, parseLine)
 
   const applySelection = (range: SelectedLineRange | null) => {
     const current = instance
     if (!current) return false
 
+    if (virtual()) {
+      current.setSelectedLines(range)
+      return true
+    }
+
     const root = viewer.getRoot()
     if (!root) return false
 
@@ -735,7 +836,10 @@ function TextViewer<T>(props: TextFileProps<T>) {
   const notify = () => {
     notifyRendered({
       viewer,
-      isReady: (root) => root.querySelectorAll("[data-line]").length >= lineCount(),
+      isReady: (root) => {
+        if (virtual()) return root.querySelector("[data-line]") != null
+        return root.querySelectorAll("[data-line]").length >= lineCount()
+      },
       onReady: () => {
         applySelection(viewer.lastSelection)
         viewer.find.refresh({ reset: true })
@@ -754,11 +858,17 @@ function TextViewer<T>(props: TextFileProps<T>) {
   createEffect(() => {
     const opts = options()
     const workerPool = getWorkerPool("unified")
+    const isVirtual = virtual()
+
+    const virtualizer = virtuals.get()
 
     renderViewer({
       viewer,
       current: instance,
-      create: () => new PierreFile<T>(opts, workerPool),
+      create: () =>
+        isVirtual && virtualizer
+          ? new VirtualizedFile<T>(opts, virtualizer, codeMetrics, workerPool)
+          : new PierreFile<T>(opts, workerPool),
       assign: (value) => {
         instance = value
       },
@@ -785,6 +895,7 @@ function TextViewer<T>(props: TextFileProps<T>) {
   onCleanup(() => {
     instance?.cleanUp()
     instance = undefined
+    virtuals.cleanup()
   })
 
   return <ViewerShell mode="text" viewer={viewer} class={local.class} classList={local.classList} />
@@ -880,6 +991,8 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
     adapter,
   )
 
+  const virtuals = createSharedVirtualStrategy(() => viewer.container)
+
   const large = createMemo(() => {
     if (local.fileDiff) {
       const before = local.fileDiff.deletionLines.join("")
@@ -942,6 +1055,7 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
   createEffect(() => {
     const opts = options()
     const workerPool = large() ? getWorkerPool("unified") : getWorkerPool(props.diffStyle)
+    const virtualizer = virtuals.get()
     const beforeContents = typeof local.before?.contents === "string" ? local.before.contents : ""
     const afterContents = typeof local.after?.contents === "string" ? local.after.contents : ""
     const done = preserve(viewer)
@@ -956,7 +1070,10 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
     renderViewer({
       viewer,
       current: instance,
-      create: () => new FileDiff<T>(opts, workerPool),
+      create: () =>
+        virtualizer
+          ? new VirtualizedFileDiff<T>(opts, virtualizer, virtualMetrics, workerPool)
+          : new FileDiff<T>(opts, workerPool),
       assign: (value) => {
         instance = value
       },
@@ -994,6 +1111,7 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
   onCleanup(() => {
     instance?.cleanUp()
     instance = undefined
+    virtuals.cleanup()
     dragSide = undefined
     dragEndSide = undefined
   })

packages/ui/src/components/session-review.tsx

@@ -26,6 +26,7 @@ import type { LineCommentEditorProps } from "./line-comment"
 import { normalize, text, type ViewDiff } from "./session-diff"
 
 const MAX_DIFF_CHANGED_LINES = 500
+const REVIEW_MOUNT_MARGIN = 300
 
 export type SessionReviewDiffStyle = "unified" | "split"
 
@@ -158,11 +159,14 @@ type SessionReviewSelection = {
 export const SessionReview = (props: SessionReviewProps) => {
   let scroll: HTMLDivElement | undefined
   let focusToken = 0
+  let frame: number | undefined
   const i18n = useI18n()
   const fileComponent = useFileComponent()
   const anchors = new Map<string, HTMLElement>()
+  const nodes = new Map<string, HTMLDivElement>()
   const [store, setStore] = createStore({
     open: [] as string[],
+    visible: {} as Record<string, boolean>,
     force: {} as Record<string, boolean>,
     selection: null as SessionReviewSelection | null,
     commenting: null as SessionReviewSelection | null,
@@ -192,7 +196,44 @@ export const SessionReview = (props: SessionReviewProps) => {
   const diffStyle = () => props.diffStyle ?? (props.split ? "split" : "unified")
   const hasDiffs = () => files().length > 0
 
+  const syncVisible = () => {
+    frame = undefined
+    if (!scroll) return
+
+    const root = scroll.getBoundingClientRect()
+    const top = root.top - REVIEW_MOUNT_MARGIN
+    const bottom = root.bottom + REVIEW_MOUNT_MARGIN
+    const openSet = new Set(open())
+    const next: Record<string, boolean> = {}
+
+    for (const [file, el] of nodes) {
+      if (!openSet.has(file)) continue
+      const rect = el.getBoundingClientRect()
+      if (rect.bottom < top || rect.top > bottom) continue
+      next[file] = true
+    }
+
+    const prev = untrack(() => store.visible)
+    const prevKeys = Object.keys(prev)
+    const nextKeys = Object.keys(next)
+    if (prevKeys.length === nextKeys.length && nextKeys.every((file) => prev[file])) return
+    setStore("visible", next)
+  }
+
+  const queue = () => {
+    if (frame !== undefined) return
+    frame = requestAnimationFrame(syncVisible)
+  }
+
+  const pinned = (file: string) =>
+    props.focusedComment?.file === file ||
+    props.focusedFile === file ||
+    selection()?.file === file ||
+    commenting()?.file === file ||
+    opened()?.file === file
+
   const handleScroll: JSX.EventHandler<HTMLDivElement, Event> = (event) => {
+    queue()
     const next = props.onScroll
     if (!next) return
     if (Array.isArray(next)) {
@@ -203,9 +244,21 @@ export const SessionReview = (props: SessionReviewProps) => {
     ;(next as JSX.EventHandler<HTMLDivElement, Event>)(event)
   }
 
+  onCleanup(() => {
+    if (frame === undefined) return
+    cancelAnimationFrame(frame)
+  })
+
+  createEffect(() => {
+    props.open
+    files()
+    queue()
+  })
+
   const handleChange = (next: string[]) => {
     props.onOpenChange?.(next)
     if (props.open === undefined) setStore("open", next)
+    queue()
   }
 
   const handleExpandOrCollapseAll = () => {
@@ -319,6 +372,7 @@ export const SessionReview = (props: SessionReviewProps) => {
         viewportRef={(el) => {
           scroll = el
           props.scrollRef?.(el)
+          queue()
         }}
         onScroll={handleScroll}
         classList={{
@@ -337,6 +391,7 @@ export const SessionReview = (props: SessionReviewProps) => {
                     const diffCanRender = () => diff.additions !== 0 || diff.deletions !== 0
 
                     const expanded = createMemo(() => open().includes(file))
+                    const mounted = createMemo(() => expanded() && (!!store.visible[file] || pinned(file)))
                     const force = () => !!store.force[file]
 
                     const comments = createMemo(() => grouped().get(file) ?? [])
@@ -427,6 +482,8 @@ export const SessionReview = (props: SessionReviewProps) => {
 
                     onCleanup(() => {
                       anchors.delete(file)
+                      nodes.delete(file)
+                      queue()
                     })
 
                     const handleLineSelected = (range: SelectedLineRange | null) => {
@@ -512,10 +569,19 @@ export const SessionReview = (props: SessionReviewProps) => {
                             data-slot="session-review-diff-wrapper"
                             ref={(el) => {
                               anchors.set(file, el)
+                              nodes.set(file, el)
+                              queue()
                             }}
                           >
                             <Show when={expanded()}>
                               <Switch>
+                                <Match when={!mounted() && !tooLarge()}>
+                                  <div
+                                    data-slot="session-review-diff-placeholder"
+                                    class="rounded-lg border border-border-weak-base bg-background-stronger/40"
+                                    style={{ height: "160px" }}
+                                  />
+                                </Match>
                                 <Match when={tooLarge()}>
                                   <div data-slot="session-review-large-diff">
                                     <div data-slot="session-review-large-diff-title">

packages/ui/src/pierre/virtualizer.ts

@@ -0,0 +1,100 @@
+import { type VirtualFileMetrics, Virtualizer } from "@pierre/diffs"
+
+type Target = {
+  key: Document | HTMLElement
+  root: Document | HTMLElement
+  content: HTMLElement | undefined
+}
+
+type Entry = {
+  virtualizer: Virtualizer
+  refs: number
+}
+
+const cache = new WeakMap<Document | HTMLElement, Entry>()
+
+export const virtualMetrics: Partial<VirtualFileMetrics> = {
+  lineHeight: 24,
+  hunkSeparatorHeight: 24,
+  fileGap: 0,
+}
+
+function scrollable(value: string) {
+  return value === "auto" || value === "scroll" || value === "overlay"
+}
+
+function scrollRoot(container: HTMLElement) {
+  let node = container.parentElement
+  while (node) {
+    const style = getComputedStyle(node)
+    if (scrollable(style.overflowY)) return node
+    node = node.parentElement
+  }
+}
+
+function target(container: HTMLElement): Target | undefined {
+  if (typeof document === "undefined") return
+
+  const review = container.closest("[data-component='session-review']")
+  if (review instanceof HTMLElement) {
+    const root = scrollRoot(container) ?? review
+    const content = review.querySelector("[data-slot='session-review-container']")
+    return {
+      key: review,
+      root,
+      content: content instanceof HTMLElement ? content : undefined,
+    }
+  }
+
+  const root = scrollRoot(container)
+  if (root) {
+    const content = root.querySelector("[role='log']")
+    return {
+      key: root,
+      root,
+      content: content instanceof HTMLElement ? content : undefined,
+    }
+  }
+
+  return {
+    key: document,
+    root: document,
+    content: undefined,
+  }
+}
+
+export function acquireVirtualizer(container: HTMLElement) {
+  const resolved = target(container)
+  if (!resolved) return
+
+  let entry = cache.get(resolved.key)
+  if (!entry) {
+    const virtualizer = new Virtualizer()
+    virtualizer.setup(resolved.root, resolved.content)
+    entry = {
+      virtualizer,
+      refs: 0,
+    }
+    cache.set(resolved.key, entry)
+  }
+
+  entry.refs += 1
+  let done = false
+
+  return {
+    virtualizer: entry.virtualizer,
+    release() {
+      if (done) return
+      done = true
+
+      const current = cache.get(resolved.key)
+      if (!current) return
+
+      current.refs -= 1
+      if (current.refs > 0) return
+
+      current.virtualizer.cleanUp()
+      cache.delete(resolved.key)
+    },
+  }
+}

script/raw-changelog.ts

@@ -82,11 +82,6 @@ function section(areas: Set<string>) {
   return "Core"
 }
 
-function type(message: string) {
-  if (message.match(/fix/i)) return "Bugfixes"
-  return "Improvements"
-}
-
 function reverted(commits: Commit[]) {
   const seen = new Map<string, Commit>()
 
@@ -198,20 +193,13 @@ async function thanks(from: string, to: string, reuse: boolean) {
 }
 
 function format(from: string, to: string, list: Commit[], thanks: string[]) {
-  const grouped = new Map<string, Map<string, string[]>>()
-  for (const title of order) {
-    grouped.set(
-      title,
-      new Map([
-        ["Improvements", []],
-        ["Bugfixes", []],
-      ]),
-    )
-  }
+  const grouped = new Map<string, string[]>()
+  for (const title of order) grouped.set(title, [])
 
   for (const commit of list) {
+    const title = section(commit.areas)
     const attr = commit.author && !team.includes(commit.author) ? ` (@${commit.author})` : ""
-    grouped.get(section(commit.areas))!.get(type(commit.message))!.push(`- \`${commit.hash}\` ${commit.message}${attr}`)
+    grouped.get(title)!.push(`- \`${commit.hash}\` ${commit.message}${attr}`)
   }
 
   const lines = [`Last release: ${ref(from)}`, `Target ref: ${to}`, ""]
@@ -221,23 +209,11 @@ function format(from: string, to: string, list: Commit[], thanks: string[]) {
   }
 
   for (const title of order) {
-    const groups = grouped.get(title)
-    if (!groups || [...groups.values()].every((entries) => entries.length === 0)) continue
+    const entries = grouped.get(title)
+    if (!entries || entries.length === 0) continue
     lines.push(`## ${title}`)
-    const improvements = groups.get("Improvements")!
-    const bugfixes = groups.get("Bugfixes")!
-    if (bugfixes.length === 0) {
-      lines.push(...improvements)
-      lines.push("")
-      continue
-    }
-
-    for (const [subtitle, entries] of groups) {
-      if (entries.length === 0) continue
-      lines.push(`### ${subtitle}`)
-      lines.push(...entries)
-      lines.push("")
-    }
+    lines.push(...entries)
+    lines.push("")
   }
 
   if (thanks.length > 0) {