fix(server): read auth Config from Flag for HttpApi/Hono parity

HttpApi auth middleware was reading ServerAuth.Config via Effect's generated defaultLayer, which resolves Config.string('OPENCODE_SERVER_PASSWORD') once and is memoized by Layer identity. Subsequent runtime mutation of process.env (or Flag.OPENCODE_SERVER_PASSWORD) was never observed, so the middleware kept serving 401 even when auth was disabled at runtime. Hono's AuthMiddleware reads Flag.OPENCODE_SERVER_PASSWORD per request, so it picks up mutations immediately. With Hono still the production default and HttpApi gated by OPENCODE_EXPERIMENTAL_HTTPAPI, the gap was masked by tests that flipped the flag back to Hono for no-auth scenarios. Override ServerAuth.Config.defaultLayer to read Flag.* via Layer.sync at layer-build time. Each fresh listener (memoMap) picks up current Flag values. This matches Hono behavior across listeners; per-request mutation within a single listener is not preserved (would require reading Flag in the middleware itself, which is a separate concern). Tests: - httpapi-listen: parameterize 'tickets optional when auth disabled' across both backends to lock in parity. - httpapi-raw-route-auth + httpapi-ui: switch from ConfigProvider injection (which is now a no-op since defaultLayer is Flag-backed, not Config-backed) to ServerAuth.Config.layer({...}) for explicit overrides, or Flag mutation for tests that exercise the production read path. 46/46 auth + PTY tests pass.
2026-05-05 00:03:03 +08:00 · 2026-05-04 00:13:02 -04:00
15 changed files with 92 additions and 360 deletions
--- a/packages/app/src/components/terminal.tsx
+++ b/packages/app/src/components/terminal.tsx
@@ -480,21 +480,15 @@ export const Terminal = (props: TerminalProps) => {
          })

      const connectToken = async () => {
-        const result = await client.pty
-          .connectToken(
-            { ptyID: id, directory },
-            {
-              throwOnError: false,
-              headers: { "x-opencode-ticket": "1" },
-            },
-          )
-          .catch((err: unknown) => {
-            if (err instanceof Error && err.message.includes("Request is not supported")) return
-            throw err
-          })
-        if (!result) return
+        const result = await client.pty.connectToken(
+          { ptyID: id },
+          {
+            throwOnError: false,
+            headers: { "x-opencode-ticket": "1" },
+          },
+        )
        if (result.response.status === 200 && result.data?.ticket) return result.data.ticket
-        if (result.response.status === 404 || result.response.status === 405) return
+        if ((result.response.status === 404 || result.response.status === 405) && password) return
        if (result.response.status === 403)
          throw new Error("PTY connect ticket rejected by origin or CSRF checks. Check the server CORS config.")
        throw new Error(`PTY connect ticket failed with ${result.response.status}`)
--- a/packages/app/src/context/terminal.test.ts
+++ b/packages/app/src/context/terminal.test.ts
@@ -1,9 +1,6 @@
 import { beforeAll, describe, expect, mock, test } from "bun:test"

-type ServerKey = Parameters<typeof import("./terminal").getTerminalServerScope>[1]
-
-let getWorkspaceTerminalCacheKey: (dir: string, scope?: string) => string
-let getTerminalServerScope: typeof import("./terminal").getTerminalServerScope
+let getWorkspaceTerminalCacheKey: (dir: string) => string
 let getLegacyTerminalStorageKeys: (dir: string, legacySessionID?: string) => string[]
 let migrateTerminalState: (value: unknown) => unknown

@@ -20,7 +17,6 @@ beforeAll(async () => {
  }))
  const mod = await import("./terminal")
  getWorkspaceTerminalCacheKey = mod.getWorkspaceTerminalCacheKey
-  getTerminalServerScope = mod.getTerminalServerScope
  getLegacyTerminalStorageKeys = mod.getLegacyTerminalStorageKeys
  migrateTerminalState = mod.migrateTerminalState
 })
@@ -29,45 +25,6 @@ describe("getWorkspaceTerminalCacheKey", () => {
  test("uses workspace-only directory cache key", () => {
    expect(getWorkspaceTerminalCacheKey("/repo")).toBe("/repo:__workspace__")
  })
-
-  test("can include a server scope", () => {
-    expect(getWorkspaceTerminalCacheKey("/repo", "wsl:Debian")).toBe("wsl:Debian:/repo:__workspace__")
-  })
-})
-
-describe("getTerminalServerScope", () => {
-  test("preserves local server keys", () => {
-    expect(
-      getTerminalServerScope(
-        { type: "sidecar", variant: "base", http: { url: "http://127.0.0.1:4096" } },
-        "sidecar" as ServerKey,
-      ),
-    ).toBeUndefined()
-    expect(
-      getTerminalServerScope(
-        { type: "http", http: { url: "http://localhost:4096" } },
-        "http://localhost:4096" as ServerKey,
-      ),
-    ).toBeUndefined()
-    expect(
-      getTerminalServerScope({ type: "http", http: { url: "http://[::1]:4096" } }, "http://[::1]:4096" as ServerKey),
-    ).toBeUndefined()
-  })
-
-  test("scopes non-local server keys", () => {
-    expect(
-      getTerminalServerScope(
-        { type: "sidecar", variant: "wsl", distro: "Debian", http: { url: "http://127.0.0.1:4096" } },
-        "wsl:Debian" as ServerKey,
-      ),
-    ).toBe("wsl:Debian" as ServerKey)
-    expect(
-      getTerminalServerScope(
-        { type: "http", http: { url: "https://example.com" } },
-        "https://example.com" as ServerKey,
-      ),
-    ).toBe("https://example.com" as ServerKey)
-  })
 })

 describe("getLegacyTerminalStorageKeys", () => {
--- a/packages/app/src/context/terminal.tsx
+++ b/packages/app/src/context/terminal.tsx
@@ -4,7 +4,6 @@ import { batch, createEffect, createMemo, createRoot, on, onCleanup } from "soli
 import { useParams } from "@solidjs/router"
 import { useSDK } from "./sdk"
 import type { Platform } from "./platform"
-import { ServerConnection, useServer } from "./server"
 import { defaultTitle, titleNumber } from "./terminal-title"
 import { Persist, persisted, removePersisted } from "@/utils/persist"

@@ -83,31 +82,10 @@ export function migrateTerminalState(value: unknown) {
  }
 }

-export function getWorkspaceTerminalCacheKey(dir: string, scope?: string) {
-  if (scope) return `${scope}:${dir}:${WORKSPACE_KEY}`
+export function getWorkspaceTerminalCacheKey(dir: string) {
  return `${dir}:${WORKSPACE_KEY}`
 }

-export function getTerminalServerScope(conn: ServerConnection.Any | undefined, key: ServerConnection.Key) {
-  if (!conn) return
-  if (conn.type === "sidecar" && conn.variant === "base") return
-  if (conn.type === "http") {
-    try {
-      const url = new URL(conn.http.url)
-      if (
-        url.hostname === "localhost" ||
-        url.hostname === "127.0.0.1" ||
-        url.hostname === "::1" ||
-        url.hostname === "[::1]"
-      )
-        return
-    } catch {
-      return key
-    }
-  }
-  return key
-}
-
 export function getLegacyTerminalStorageKeys(dir: string, legacySessionID?: string) {
  if (!legacySessionID) return [`${dir}/terminal.v1`]
  return [`${dir}/terminal/${legacySessionID}.v1`, `${dir}/terminal.v1`]
@@ -132,16 +110,15 @@ const trimTerminal = (pty: LocalPTY) => {
  }
 }

-export function clearWorkspaceTerminals(dir: string, sessionIDs?: string[], platform?: Platform, scope?: string) {
-  const key = getWorkspaceTerminalCacheKey(dir, scope)
+export function clearWorkspaceTerminals(dir: string, sessionIDs?: string[], platform?: Platform) {
+  const key = getWorkspaceTerminalCacheKey(dir)
  for (const cache of caches) {
    const entry = cache.get(key)
    entry?.value.clear()
  }

-  void removePersisted(Persist.workspace(dir, scope ? `terminal:${scope}` : "terminal"), platform)
+  void removePersisted(Persist.workspace(dir, "terminal"), platform)

-  if (scope) return
  const legacy = new Set(getLegacyTerminalStorageKeys(dir))
  for (const id of sessionIDs ?? []) {
    for (const key of getLegacyTerminalStorageKeys(dir, id)) {
@@ -153,17 +130,12 @@ export function clearWorkspaceTerminals(dir: string, sessionIDs?: string[], plat
  }
 }

-function createWorkspaceTerminalSession(
-  sdk: ReturnType<typeof useSDK>,
-  dir: string,
-  legacySessionID?: string,
-  scope?: string,
-) {
-  const legacy = scope ? [] : getLegacyTerminalStorageKeys(dir, legacySessionID)
+function createWorkspaceTerminalSession(sdk: ReturnType<typeof useSDK>, dir: string, legacySessionID?: string) {
+  const legacy = getLegacyTerminalStorageKeys(dir, legacySessionID)

  const [store, setStore, _, ready] = persisted(
    {
-      ...Persist.workspace(dir, scope ? `terminal:${scope}` : "terminal", legacy),
+      ...Persist.workspace(dir, "terminal", legacy),
      migrate: migrateTerminalState,
    },
    createStore<{
@@ -385,12 +357,8 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
  gate: false,
  init: () => {
    const sdk = useSDK()
-    const server = useServer()
    const params = useParams()
    const cache = new Map<string, TerminalCacheEntry>()
-    const scope = createMemo(() => {
-      return getTerminalServerScope(server.current, server.key)
-    })

    caches.add(cache)
    onCleanup(() => caches.delete(cache))
@@ -414,9 +382,9 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
      }
    }

-    const loadWorkspace = (dir: string, legacySessionID: string | undefined, serverScope: string | undefined) => {
+    const loadWorkspace = (dir: string, legacySessionID?: string) => {
      // Terminals are workspace-scoped so tabs persist while switching sessions in the same directory.
-      const key = getWorkspaceTerminalCacheKey(dir, serverScope)
+      const key = getWorkspaceTerminalCacheKey(dir)
      const existing = cache.get(key)
      if (existing) {
        cache.delete(key)
@@ -425,7 +393,7 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
      }

      const entry = createRoot((dispose) => ({
-        value: createWorkspaceTerminalSession(sdk, dir, legacySessionID, serverScope),
+        value: createWorkspaceTerminalSession(sdk, dir, legacySessionID),
        dispose,
      }))

@@ -434,16 +402,16 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
      return entry.value
    }

-    const workspace = createMemo(() => loadWorkspace(params.dir!, params.id, scope()))
+    const workspace = createMemo(() => loadWorkspace(params.dir!, params.id))

    createEffect(
      on(
-        () => ({ dir: params.dir, id: params.id, scope: scope() }),
+        () => ({ dir: params.dir, id: params.id }),
        (next, prev) => {
          if (!prev?.dir) return
-          if (next.dir === prev.dir && next.id === prev.id && next.scope === prev.scope) return
-          if (next.dir === prev.dir && next.id && next.scope === prev.scope) return
-          loadWorkspace(prev.dir, prev.id, prev.scope).trimAll()
+          if (next.dir === prev.dir && next.id === prev.id) return
+          if (next.dir === prev.dir && next.id) return
+          loadWorkspace(prev.dir, prev.id).trimAll()
        },
        { defer: true },
      ),
--- a/packages/app/src/pages/layout.tsx
+++ b/packages/app/src/pages/layout.tsx
@@ -35,7 +35,7 @@ import type { DragEvent } from "@thisbeyond/solid-dnd"
 import { useProviders } from "@/hooks/use-providers"
 import { showToast, Toast, toaster } from "@opencode-ai/ui/toast"
 import { useGlobalSDK } from "@/context/global-sdk"
-import { clearWorkspaceTerminals, getTerminalServerScope } from "@/context/terminal"
+import { clearWorkspaceTerminals } from "@/context/terminal"
 import { dropSessionCaches, pickSessionCacheEvictions } from "@/context/global-sync/session-cache"
 import {
  clearSessionPrefetchInflight,
@@ -1557,7 +1557,6 @@ export default function Layout(props: ParentProps) {
      directory,
      sessions.map((s) => s.id),
      platform,
-      getTerminalServerScope(server.current, server.key),
    )
    await globalSDK.client.instance.dispose({ directory }).catch(() => undefined)

--- a/packages/app/src/pages/session/terminal-panel.tsx
+++ b/packages/app/src/pages/session/terminal-panel.tsx
@@ -37,7 +37,6 @@ export function TerminalPanel() {
  const [store, setStore] = createStore({
    autoCreated: false,
    activeDraggable: undefined as string | undefined,
-    recovered: {} as Record<string, boolean>,
    view: typeof window === "undefined" ? 1000 : (window.visualViewport?.height ?? window.innerHeight),
  })

@@ -146,21 +145,6 @@ export function TerminalPanel() {
  const all = terminal.all
  const ids = createMemo(() => all().map((pty) => pty.id))

-  const recoverTerminal = (key: string, id: string, clone: (id: string) => Promise<void>) => {
-    if (store.recovered[key]) return
-    setStore("recovered", key, true)
-    void clone(id)
-  }
-
-  const terminalRecoveryKey = (pty: { id: string; title: string; titleNumber: number }) => {
-    return String(pty.titleNumber || pty.title || pty.id)
-  }
-
-  const markTerminalConnected = (key: string, id: string, trim: (id: string) => void) => {
-    setStore("recovered", key, false)
-    trim(id)
-  }
-
  const handleTerminalDragStart = (event: unknown) => {
    const id = getDraggableId(event)
    if (!id) return
@@ -296,9 +280,9 @@ export function TerminalPanel() {
                            <Terminal
                              pty={pty()}
                              autoFocus={opened()}
-                              onConnect={() => markTerminalConnected(terminalRecoveryKey(pty()), id, ops.trim)}
+                              onConnect={() => ops.trim(id)}
                              onCleanup={ops.update}
-                              onConnectError={() => recoverTerminal(terminalRecoveryKey(pty()), id, ops.clone)}
+                              onConnectError={() => ops.clone(id)}
                            />
                          </div>
                        )}
--- a/packages/opencode/src/server/auth.ts
+++ b/packages/opencode/src/server/auth.ts
@@ -2,7 +2,7 @@ export * as ServerAuth from "./auth"

 import { ConfigService } from "@/effect/config-service"
 import { Flag } from "@opencode-ai/core/flag/flag"
-import { Config as EffectConfig, Context, Option, Redacted } from "effect"
+import { Config as EffectConfig, Context, Layer, Option, Redacted } from "effect"

 export type Credentials = {
  password?: string
@@ -14,10 +14,31 @@ export type DecodedCredentials = {
  readonly password: Redacted.Redacted
 }

+// Read auth config from `Flag.*` instead of via Effect's `Config` system.
+// Effect's generated `defaultLayer` reads `Config.string(...)` once and is
+// memoized by `Layer` identity, so subsequent runtime mutation of
+// `process.env` is never observed by the resolved layer. Tests and dynamic
+// deploys mutate `Flag.OPENCODE_SERVER_*` at runtime; matching Hono's
+// behavior requires re-reading `Flag.*` whenever a fresh listener (i.e. a
+// fresh `memoMap`) is built. `Layer.sync` defers the read until layer-build
+// time, so each new listener picks up the current `Flag.*` values.
+//
+// Note: this is per-listener, not per-request. Hono's `AuthMiddleware` reads
+// `Flag.*` on every request; if exact per-request parity is ever required,
+// the middleware itself must read `Flag.*` rather than yielding `Config`.
 export class Config extends ConfigService.Service<Config>()("@opencode/ServerAuthConfig", {
  password: EffectConfig.string("OPENCODE_SERVER_PASSWORD").pipe(EffectConfig.option),
  username: EffectConfig.string("OPENCODE_SERVER_USERNAME").pipe(EffectConfig.withDefault("opencode")),
-}) {}
+}) {
+  static override get defaultLayer() {
+    return Layer.sync(this, () =>
+      this.of({
+        password: Flag.OPENCODE_SERVER_PASSWORD ? Option.some(Flag.OPENCODE_SERVER_PASSWORD) : Option.none(),
+        username: Flag.OPENCODE_SERVER_USERNAME ?? "opencode",
+      }),
+    )
+  }
+}

 export type Info = Context.Service.Shape<typeof Config>

--- a/packages/opencode/src/server/middleware.ts
+++ b/packages/opencode/src/server/middleware.ts
@@ -13,7 +13,6 @@ import { compress } from "hono/compress"
 import * as ServerBackend from "./backend"
 import { isAllowedCorsOrigin, type CorsOptions } from "./cors"
 import { isPtyConnectPath, PTY_CONNECT_TICKET_QUERY } from "./shared/pty-ticket"
-import { isPublicUIPath } from "./shared/public-ui"

 const log = Log.create({ service: "server" })

@@ -46,7 +45,6 @@ export const AuthMiddleware: MiddlewareHandler = (c, next) => {
  if (c.req.method === "OPTIONS") return next()
  const password = Flag.OPENCODE_SERVER_PASSWORD
  if (!password) return next()
-  if (isPublicUIPath(c.req.method, c.req.path)) return next()
  if (isPtyConnectPath(c.req.path) && c.req.query(PTY_CONNECT_TICKET_QUERY)) return next()
  const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"

--- a/packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts
+++ b/packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts
@@ -3,7 +3,6 @@ import { Effect, Encoding, Layer, Redacted } from "effect"
 import { HttpRouter, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"
 import { HttpApiError, HttpApiMiddleware } from "effect/unstable/httpapi"
 import { hasPtyConnectTicketURL } from "@/server/shared/pty-ticket"
-import { isPublicUIPath } from "@/server/shared/public-ui"

 const AUTH_TOKEN_QUERY = "auth_token"
 const UNAUTHORIZED = 401
@@ -93,7 +92,6 @@ export const authorizationRouterMiddleware = HttpRouter.middleware()(
      Effect.gen(function* () {
        const request = yield* HttpServerRequest.HttpServerRequest
        const url = new URL(request.url, "http://localhost")
-        if (isPublicUIPath(request.method, url.pathname)) return yield* effect
        if (hasPtyConnectTicketURL(url)) return yield* effect
        return yield* credentialFromURL(url, request).pipe(
          Effect.flatMap((credential) => validateRawCredential(effect, credential, config)),
--- a/packages/opencode/src/server/routes/instance/httpapi/middleware/error.ts
+++ b/packages/opencode/src/server/routes/instance/httpapi/middleware/error.ts
@@ -1,58 +0,0 @@
-import { Provider } from "@/provider/provider"
-import { Session } from "@/session/session"
-import { NotFoundError } from "@/storage/storage"
-import { iife } from "@/util/iife"
-import { NamedError } from "@opencode-ai/core/util/error"
-import * as Log from "@opencode-ai/core/util/log"
-import { Cause, Effect } from "effect"
-import { HttpRouter, HttpServerError, HttpServerRespondable, HttpServerResponse } from "effect/unstable/http"
-
-const log = Log.create({ service: "server" })
-
-// Keep typed HttpApi failures on their declared error path; this boundary only replaces defect-only empty 500s.
-export const errorLayer = HttpRouter.middleware<{ handles: unknown }>()((effect) =>
-  effect.pipe(
-    Effect.catchCause((cause) => {
-      const defect = cause.reasons.filter(Cause.isDieReason).find((reason) => {
-        if (HttpServerResponse.isHttpServerResponse(reason.defect)) return false
-        if (HttpServerError.isHttpServerError(reason.defect)) return false
-        if (HttpServerRespondable.isRespondable(reason.defect)) return false
-        return true
-      })
-      if (!defect) return Effect.failCause(cause)
-
-      const error = defect.defect
-      log.error("failed", { error, cause: Cause.pretty(cause) })
-
-      if (error instanceof NamedError) {
-        return Effect.succeed(
-          HttpServerResponse.jsonUnsafe(error.toObject(), {
-            status: iife(() => {
-              if (error instanceof NotFoundError) return 404
-              if (error instanceof Provider.ModelNotFoundError) return 400
-              if (error.name === "ProviderAuthValidationFailed") return 400
-              if (error.name.startsWith("Worktree")) return 400
-              return 500
-            }),
-          }),
-        )
-      }
-      if (error instanceof Session.BusyError) {
-        return Effect.succeed(
-          HttpServerResponse.jsonUnsafe(new NamedError.Unknown({ message: error.message }).toObject(), {
-            status: 400,
-          }),
-        )
-      }
-
-      return Effect.succeed(
-        HttpServerResponse.jsonUnsafe(
-          new NamedError.Unknown({
-            message: error instanceof Error && error.stack ? error.stack : String(error),
-          }).toObject(),
-          { status: 500 },
-        ),
-      )
-    }),
-  ),
-).layer
--- a/packages/opencode/src/server/routes/instance/httpapi/server.ts
+++ b/packages/opencode/src/server/routes/instance/httpapi/server.ts
@@ -45,9 +45,9 @@ import { lazy } from "@/util/lazy"
 import { Vcs } from "@/project/vcs"
 import { Worktree } from "@/worktree"
 import { Workspace } from "@/control-plane/workspace"
+import { ServerAuth } from "@/server/auth"
 import { CorsConfig, isAllowedCorsOrigin, type CorsOptions } from "@/server/cors"
 import { serveUIEffect } from "@/server/shared/ui"
-import { ServerAuth } from "@/server/auth"
 import { InstanceHttpApi, RootHttpApi } from "./api"
 import { authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
 import { EventApi, eventHandlers } from "./event"
@@ -73,7 +73,6 @@ import { workspaceRouterMiddleware, workspaceRoutingLayer } from "./middleware/w
 import { disposeMiddleware } from "./lifecycle"
 import { memoMap } from "@opencode-ai/core/effect/memo-map"
 import * as ServerBackend from "@/server/backend"
-import { errorLayer } from "./middleware/error"

 export const context = Context.makeUnsafe<unknown>(new Map())

@@ -145,7 +144,6 @@ const uiRoute = HttpRouter.use((router) =>
 export function createRoutes(corsOptions?: CorsOptions) {
  return Layer.mergeAll(rootApiRoutes, eventApiRoutes, instanceRoutes, uiRoute).pipe(
    Layer.provide([
-      errorLayer,
      cors(corsOptions),
      runtime,
      Account.defaultLayer,
--- a/packages/opencode/src/server/shared/public-ui.ts
+++ b/packages/opencode/src/server/shared/public-ui.ts
@@ -1,12 +0,0 @@
-// Static UI assets the browser fetches without app-managed credentials, e.g.
-// the manifest link in <head>. These bypass auth so the page can install/render
-// the manifest icons even when a server password is configured.
-export const PUBLIC_UI_PATHS = new Set<string>([
-  "/site.webmanifest",
-  "/web-app-manifest-192x192.png",
-  "/web-app-manifest-512x512.png",
-])
-
-export function isPublicUIPath(method: string, pathname: string) {
-  return method === "GET" && PUBLIC_UI_PATHS.has(pathname)
-}
--- a/packages/opencode/src/server/shared/ui.ts
+++ b/packages/opencode/src/server/shared/ui.ts
@@ -33,7 +33,6 @@ function proxyResponseHeaders(headers: Record<string, string>) {
  // transfer metadata makes browsers decode already-decoded assets again.
  result.delete("content-encoding")
  result.delete("content-length")
-  result.delete("transfer-encoding")
  return result
 }

--- a/packages/opencode/test/server/httpapi-listen.test.ts
+++ b/packages/opencode/test/server/httpapi-listen.test.ts
@@ -40,8 +40,8 @@ async function startListener(backend: "effect-httpapi" | "hono" = "effect-httpap
  return Server.listen({ hostname: "127.0.0.1", port: 0 })
 }

-async function startNoAuthListener() {
-  Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = false
+async function startNoAuthListener(backend: "effect-httpapi" | "hono" = "effect-httpapi") {
+  Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = backend === "effect-httpapi"
  Flag.OPENCODE_SERVER_PASSWORD = undefined
  Flag.OPENCODE_SERVER_USERNAME = auth.username
  delete process.env.OPENCODE_SERVER_PASSWORD
@@ -257,61 +257,20 @@ describe("HttpApi Server.listen", () => {
    }
  })

-  // Regression for #25698 (Ope): the app's SDK call to
-  // `client.pty.connectToken({ ptyID })` originally omitted `directory`, so
-  // the server resolved the PTY in its own cwd context — where the project
-  // PTY isn't registered — and returned 404. The fix is to always pass
-  // `directory` from the app side; this test locks in two contracts:
-  //   1. Mint without directory cannot find a PTY registered in another dir.
-  //   2. Mint with the project directory succeeds; the resulting ticket
-  //      consumes cleanly when the WS upgrade carries the same directory.
-  testPty("PTY connect token requires matching directory across mint and connect", async () => {
-    await using tmp = await tmpdir({ git: true, config: { formatter: false, lsp: false } })
-    const listener = await startListener()
-    try {
-      const info = await createCat(listener, tmp.path)
-
-      // Mint without directory — server uses its own cwd, can't find the PTY.
-      const ambiguous = await fetch(new URL(PtyPaths.connectToken.replace(":ptyID", info.id), listener.url), {
-        method: "POST",
-        headers: { authorization: authorization(), "x-opencode-ticket": "1" },
-      })
-      expect(ambiguous.status).toBe(404)
-
-      // Mint with the project directory — succeeds, ticket binds to that scope.
-      const scoped = await fetch(
-        new URL(
-          `${PtyPaths.connectToken.replace(":ptyID", info.id)}?directory=${encodeURIComponent(tmp.path)}`,
-          listener.url,
-        ),
-        {
-          method: "POST",
-          headers: { authorization: authorization(), "x-opencode-ticket": "1" },
-        },
-      )
-      expect(scoped.status).toBe(200)
-      const mint = (await scoped.json()) as { ticket: string }
-
-      // Same directory on the WS upgrade → consume succeeds.
-      const ws = await openSocket(socketURL(listener, info.id, tmp.path, mint.ticket))
-      ws.close(1000)
-    } finally {
-      await stop(listener, "timed out cleaning up directory-scope listener").catch(() => undefined)
-    }
-  })
-
-  testPty("keeps PTY websocket tickets optional when server auth is disabled", async () => {
-    await using tmp = await tmpdir({ git: true, config: { formatter: false, lsp: false } })
-    const listener = await startNoAuthListener()
-    try {
-      const info = await createCat(listener, tmp.path)
-      const ws = await openSocket(socketURL(listener, info.id, tmp.path))
-      const message = waitForMessage(ws, (message) => message.includes("ping-no-auth"))
-      ws.send("ping-no-auth\n")
-      expect(await message).toContain("ping-no-auth")
-      ws.close(1000)
-    } finally {
-      await stop(listener, "timed out cleaning up no-auth listener").catch(() => undefined)
-    }
-  })
+  for (const backend of ["effect-httpapi", "hono"] as const) {
+    testPty(`keeps PTY websocket tickets optional when server auth is disabled (${backend})`, async () => {
+      await using tmp = await tmpdir({ git: true, config: { formatter: false, lsp: false } })
+      const listener = await startNoAuthListener(backend)
+      try {
+        const info = await createCat(listener, tmp.path)
+        const ws = await openSocket(socketURL(listener, info.id, tmp.path))
+        const message = waitForMessage(ws, (message) => message.includes(`ping-no-auth-${backend}`))
+        ws.send(`ping-no-auth-${backend}\n`)
+        expect(await message).toContain(`ping-no-auth-${backend}`)
+        ws.close(1000)
+      } finally {
+        await stop(listener, "timed out cleaning up no-auth listener").catch(() => undefined)
+      }
+    })
+  }
 })
--- a/packages/opencode/test/server/httpapi-raw-route-auth.test.ts
+++ b/packages/opencode/test/server/httpapi-raw-route-auth.test.ts
@@ -1,8 +1,6 @@
 import { afterEach, describe, expect, test } from "bun:test"
-import { ConfigProvider, Layer } from "effect"
 import { HttpRouter } from "effect/unstable/http"
 import { Flag } from "@opencode-ai/core/flag/flag"
-import { Instance } from "../../src/project/instance"
 import { EventPaths } from "../../src/server/routes/instance/httpapi/event"
 import { PtyPaths } from "../../src/server/routes/instance/httpapi/groups/pty"
 import { ExperimentalHttpApiServer } from "../../src/server/routes/instance/httpapi/server"
@@ -13,23 +11,19 @@ import * as Log from "@opencode-ai/core/util/log"

 void Log.init({ print: false })

-const originalHttpApi = Flag.OPENCODE_EXPERIMENTAL_HTTPAPI
+const original = {
+  OPENCODE_EXPERIMENTAL_HTTPAPI: Flag.OPENCODE_EXPERIMENTAL_HTTPAPI,
+  OPENCODE_SERVER_PASSWORD: Flag.OPENCODE_SERVER_PASSWORD,
+  OPENCODE_SERVER_USERNAME: Flag.OPENCODE_SERVER_USERNAME,
+}

 function app(input: { password?: string; username?: string }) {
  Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
-  const handler = HttpRouter.toWebHandler(
-    ExperimentalHttpApiServer.routes.pipe(
-      Layer.provide(
-        ConfigProvider.layer(
-          ConfigProvider.fromUnknown({
-            OPENCODE_SERVER_PASSWORD: input.password,
-            OPENCODE_SERVER_USERNAME: input.username,
-          }),
-        ),
-      ),
-    ),
-    { disableLogger: true },
-  ).handler
+  Flag.OPENCODE_SERVER_PASSWORD = input.password
+  Flag.OPENCODE_SERVER_USERNAME = input.username
+  const handler = HttpRouter.toWebHandler(ExperimentalHttpApiServer.routes, {
+    disableLogger: true,
+  }).handler

  return {
    fetch: (request: Request) => handler(request, ExperimentalHttpApiServer.context),
@@ -48,7 +42,9 @@ async function cancelBody(response: Response) {
 }

 afterEach(async () => {
-  Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = originalHttpApi
+  Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = original.OPENCODE_EXPERIMENTAL_HTTPAPI
+  Flag.OPENCODE_SERVER_PASSWORD = original.OPENCODE_SERVER_PASSWORD
+  Flag.OPENCODE_SERVER_USERNAME = original.OPENCODE_SERVER_USERNAME
  await disposeAllInstances()
  await resetDatabase()
 })
--- a/packages/opencode/test/server/httpapi-ui.test.ts
+++ b/packages/opencode/test/server/httpapi-ui.test.ts
@@ -1,7 +1,7 @@
 import { afterEach, describe, expect, test } from "bun:test"
 import { Flag } from "@opencode-ai/core/flag/flag"
 import * as Log from "@opencode-ai/core/util/log"
-import { ConfigProvider, Effect, Layer } from "effect"
+import { Effect, Layer, Option } from "effect"
 import {
  HttpClient,
  HttpClientRequest,
@@ -50,12 +50,10 @@ function app(input?: { password?: string; username?: string }) {
  const handler = HttpRouter.toWebHandler(
    ExperimentalHttpApiServer.routes.pipe(
      Layer.provide(
-        ConfigProvider.layer(
-          ConfigProvider.fromUnknown({
-            OPENCODE_SERVER_PASSWORD: input?.password,
-            OPENCODE_SERVER_USERNAME: input?.username,
-          }),
-        ),
+        ServerAuth.Config.layer({
+          password: input?.password ? Option.some(input.password) : Option.none(),
+          username: input?.username ?? "opencode",
+        }),
      ),
    ),
    { disableLogger: true },
@@ -71,6 +69,10 @@ function app(input?: { password?: string; username?: string }) {
 }

 function uiApp(input?: { password?: string; username?: string; client?: Layer.Layer<HttpClient.HttpClient> }) {
+  const authConfigLayer = ServerAuth.Config.layer({
+    password: input?.password ? Option.some(input.password) : Option.none(),
+    username: input?.username ?? "opencode",
+  })
  const handler = HttpRouter.toWebHandler(
    HttpRouter.use((router) =>
      Effect.gen(function* () {
@@ -79,17 +81,11 @@ function uiApp(input?: { password?: string; username?: string; client?: Layer.La
        yield* router.add("*", "/*", (request) => serveUIEffect(request, { fs, client }))
      }),
    ).pipe(
-      Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuth.Config.defaultLayer))),
+      Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(authConfigLayer))),
      Layer.provide([
        AppFileSystem.defaultLayer,
        input?.client ?? httpClient(new Response("ui")),
        HttpServer.layerServices,
-        ConfigProvider.layer(
-          ConfigProvider.fromUnknown({
-            OPENCODE_SERVER_PASSWORD: input?.password,
-            OPENCODE_SERVER_USERNAME: input?.username,
-          }),
-        ),
      ]),
    ),
    { disableLogger: true },
@@ -184,52 +180,6 @@ describe("HttpApi UI fallback", () => {
    expect(await response.text()).toBe("console.log('ok')")
  })

-  // Regression for #25698 (Ope): upstream `transfer-encoding: chunked` was
-  // forwarded through the proxy while the proxy itself re-frames the body,
-  // causing browsers to fail with `ERR_INVALID_CHUNKED_ENCODING`.
-  test("strips upstream transfer-encoding header from proxied assets", async () => {
-    Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
-    Flag.OPENCODE_DISABLE_EMBEDDED_WEB_UI = true
-
-    const response = await Effect.runPromise(
-      Effect.gen(function* () {
-        const fs = yield* AppFileSystem.Service
-        const client = yield* HttpClient.HttpClient
-        return yield* serveUIEffect(HttpServerRequest.fromWeb(new Request("http://localhost/")), {
-          fs,
-          client,
-        })
-      }).pipe(
-        Effect.provide(
-          Layer.mergeAll(
-            AppFileSystem.defaultLayer,
-            Layer.succeed(
-              HttpClient.HttpClient,
-              HttpClient.make((request) =>
-                Effect.succeed(
-                  HttpClientResponse.fromWeb(
-                    request,
-                    new Response("<html>opencode</html>", {
-                      headers: {
-                        "transfer-encoding": "chunked",
-                        "content-type": "text/html",
-                      },
-                    }),
-                  ),
-                ),
-              ),
-            ),
-          ),
-        ),
-        Effect.map(HttpServerResponse.toWeb),
-      ),
-    )
-
-    expect(response.status).toBe(200)
-    expect(response.headers.get("transfer-encoding")).toBeNull()
-    expect(await response.text()).toBe("<html>opencode</html>")
-  })
-
  test("serves embedded UI assets when Bun can read them but access reports missing", async () => {
    Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
    let readPath: string | undefined
@@ -303,25 +253,6 @@ describe("HttpApi UI fallback", () => {
    expect(response.status).toBe(200)
  })

-  // Regression for #25698 (Ope): the browser fetches the PWA manifest and
-  // its icons via flows that don't carry app-managed credentials (the
-  // `<link rel="manifest">` request is not under page-auth control), so the
-  // server returning 401 breaks PWA install. These specific public assets
-  // should bypass auth.
-  test("serves the PWA manifest without auth even when a server password is set", async () => {
-    Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true
-    Flag.OPENCODE_DISABLE_EMBEDDED_WEB_UI = true
-
-    for (const path of ["/site.webmanifest", "/web-app-manifest-192x192.png", "/web-app-manifest-512x512.png"]) {
-      const response = await uiApp({
-        password: "secret",
-        username: "opencode",
-        client: httpClient(new Response("ok")),
-      }).request(path)
-      expect(response.status).not.toBe(401)
-    }
-  })
-
  test("allows web UI preflight without auth", async () => {
    Flag.OPENCODE_EXPERIMENTAL_HTTPAPI = true