refactor(opencode): simplify database effect reset lifecycle

Adds regression tests for the two non-obvious invariants enforced by the
Effect-Drizzle integration:

- packages/opencode/test/storage/db-effect.test.ts pins that
  DatabaseEffect.layer rebuilds a fresh handle after Database.close + dispose,
  and demonstrates the shared-memoMap poisoning that resetDatabase prevents
  by disposing every DB-consuming runtime before closing the SQLite handle.

- packages/opencode/test/effect/managed-runtime.test.ts pins makeManagedRuntime
  dispose semantics and the lazy.resetIf compare-and-reset guard so a
  rebuilt instance is never clobbered by a stale dispose.

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -1,5 +1,6 @@
 name: Bug report
 description: Report an issue that should be fixed
+labels: ["bug"]
 body:
   - type: textarea
     id: description

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -1,5 +1,6 @@
 name: 🚀 Feature Request
 description: Suggest an idea, feature, or enhancement
+labels: [discussion]
 title: "[FEATURE]:"
 
 body:

.github/ISSUE_TEMPLATE/question.yml

@@ -1,5 +1,6 @@
 name: Question
 description: Ask a question
+labels: ["question"]
 body:
   - type: textarea
     id: question

.github/TEAM_MEMBERS

@@ -11,5 +11,6 @@ MrMushrooooom
 nexxeln
 R44VC0RP
 rekram1-node
+RhysSullivan
 thdxr
 simonklee

.github/VOUCHED.td

@@ -0,0 +1,41 @@
+# Vouched contributors for this project.
+#
+# See https://github.com/mitchellh/vouch for details.
+#
+# Syntax:
+#   - One handle per line (without @), sorted alphabetically.
+#   - Optional platform prefix: platform:username (e.g., github:user).
+#   - Denounce with minus prefix: -username or -platform:username.
+#   - Optional details after a space following the handle.
+adamdotdevin
+-agusbasari29 AI PR slop
+ariane-emory
+-atharvau AI review spamming literally every PR
+-borealbytes
+-carycooper777
+-danieljoshuanazareth
+-danieljoshuanazareth
+-davidbernat looks to be a clawdbot that spams team and sends super weird emails, doesnt appear to be a real person
+dmtrkovalenko
+edemaine
+fahreddinozcan
+-florianleibert
+fwang
+iamdavidhill
+jayair
+kitlangton
+kommander
+-opencode2026
+-opencodeengineer bot that spams issues
+r44vc0rp
+rekram1-node
+-ricardo-m-l
+-robinmordasiewicz
+rubdos
+-saisharan0103 spamming ai prs
+shantur
+simonklee
+-spider-yamet clawdbot/llm psychosis, spam pinging the team
+-terisuke
+thdxr
+-toastythebot

.github/workflows/daily-issues-recap.yml

@@ -0,0 +1,170 @@
+name: daily-issues-recap
+
+on:
+  schedule:
+    # Run at 6 PM EST (23:00 UTC, or 22:00 UTC during daylight saving)
+    - cron: "0 23 * * *"
+  workflow_dispatch: # Allow manual trigger for testing
+
+jobs:
+  daily-recap:
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    permissions:
+      contents: read
+      issues: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - uses: ./.github/actions/setup-bun
+
+      - name: Install opencode
+        run: curl -fsSL https://opencode.ai/install | bash
+
+      - name: Generate daily issues recap
+        id: recap
+        env:
+          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENCODE_PERMISSION: |
+            {
+              "bash": {
+                "*": "deny",
+                "gh issue*": "allow",
+                "gh search*": "allow"
+              },
+              "webfetch": "deny",
+              "edit": "deny",
+              "write": "deny"
+            }
+        run: |
+          # Get today's date range
+          TODAY=$(date -u +%Y-%m-%d)
+
+          opencode run -m opencode/claude-sonnet-4-5 "Generate a daily issues recap for the OpenCode repository.
+
+          TODAY'S DATE: ${TODAY}
+
+          STEP 1: Gather today's issues
+          Search for all OPEN issues created today (${TODAY}) using:
+          gh issue list --repo ${{ github.repository }} --state open --search \"created:${TODAY}\" --json number,title,body,labels,state,comments,createdAt,author --limit 500
+
+          IMPORTANT: EXCLUDE all issues authored by Anomaly team members. Filter out issues where the author login matches ANY of these:
+          adamdotdevin, Brendonovich, fwang, Hona, iamdavidhill, jayair, kitlangton, kommander, MrMushrooooom, R44VC0RP, rekram1-node, thdxr
+          This recap is specifically for COMMUNITY (external) issues only.
+
+          STEP 2: Analyze and categorize
+          For each issue created today, categorize it:
+
+          **Severity Assessment:**
+          - CRITICAL: Crashes, data loss, security issues, blocks major functionality
+          - HIGH: Significant bugs affecting many users, important features broken
+          - MEDIUM: Bugs with workarounds, minor features broken
+          - LOW: Minor issues, cosmetic, nice-to-haves
+
+          **Activity Assessment:**
+          - Note issues with high comment counts or engagement
+          - Note issues from repeat reporters (check if author has filed before)
+
+          STEP 3: Cross-reference with existing issues
+          For issues that seem like feature requests or recurring bugs:
+          - Search for similar older issues to identify patterns
+          - Note if this is a frequently requested feature
+          - Identify any issues that are duplicates of long-standing requests
+
+          STEP 4: Generate the recap
+          Create a structured recap with these sections:
+
+          ===DISCORD_START===
+          **Daily Issues Recap - ${TODAY}**
+
+          **Summary Stats**
+          - Total issues opened today: [count]
+          - By category: [bugs/features/questions]
+
+          **Critical/High Priority Issues**
+          [List any CRITICAL or HIGH severity issues with brief descriptions and issue numbers]
+
+          **Most Active/Discussed**
+          [Issues with significant engagement or from active community members]
+
+          **Trending Topics**
+          [Patterns noticed - e.g., 'Multiple reports about X', 'Continued interest in Y feature']
+
+          **Duplicates & Related**
+          [Issues that relate to existing open issues]
+          ===DISCORD_END===
+
+          STEP 5: Format for Discord
+          Format the recap as a Discord-compatible message:
+          - Use Discord markdown (**, __, etc.)
+          - BE EXTREMELY CONCISE - this is an EOD summary, not a detailed report
+          - Use hyperlinked issue numbers with suppressed embeds: [#1234](<https://github.com/${{ github.repository }}/issues/1234>)
+          - Group related issues on single lines where possible
+          - Add emoji sparingly for critical items only
+          - HARD LIMIT: Keep under 1800 characters total
+          - Skip sections that have nothing notable (e.g., if no critical issues, omit that section)
+          - Prioritize signal over completeness - only surface what matters
+
+          OUTPUT: Output ONLY the content between ===DISCORD_START=== and ===DISCORD_END=== markers. Include the markers so I can extract it." > /tmp/recap_raw.txt
+
+          # Extract only the Discord message between markers
+          sed -n '/===DISCORD_START===/,/===DISCORD_END===/p' /tmp/recap_raw.txt | grep -v '===DISCORD' > /tmp/recap.txt
+
+          echo "recap_file=/tmp/recap.txt" >> $GITHUB_OUTPUT
+
+      - name: Post to Discord
+        env:
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_ISSUES_WEBHOOK_URL }}
+        run: |
+          if [ -z "$DISCORD_WEBHOOK_URL" ]; then
+            echo "Warning: DISCORD_ISSUES_WEBHOOK_URL secret not set, skipping Discord post"
+            cat /tmp/recap.txt
+            exit 0
+          fi
+
+          # Read the recap
+          RECAP_RAW=$(cat /tmp/recap.txt)
+          RECAP_LENGTH=${#RECAP_RAW}
+
+          echo "Recap length: ${RECAP_LENGTH} chars"
+
+          # Function to post a message to Discord
+          post_to_discord() {
+            local msg="$1"
+            local content=$(echo "$msg" | jq -Rs '.')
+            curl -s -H "Content-Type: application/json" \
+                 -X POST \
+                 -d "{\"content\": ${content}}" \
+                 "$DISCORD_WEBHOOK_URL"
+            sleep 1
+          }
+
+          # If under limit, send as single message
+          if [ "$RECAP_LENGTH" -le 1950 ]; then
+            post_to_discord "$RECAP_RAW"
+          else
+            echo "Splitting into multiple messages..."
+            remaining="$RECAP_RAW"
+            while [ ${#remaining} -gt 0 ]; do
+              if [ ${#remaining} -le 1950 ]; then
+                post_to_discord "$remaining"
+                break
+              else
+                chunk="${remaining:0:1900}"
+                last_newline=$(echo "$chunk" | grep -bo $'\n' | tail -1 | cut -d: -f1)
+                if [ -n "$last_newline" ] && [ "$last_newline" -gt 500 ]; then
+                  chunk="${remaining:0:$last_newline}"
+                  remaining="${remaining:$((last_newline+1))}"
+                else
+                  chunk="${remaining:0:1900}"
+                  remaining="${remaining:1900}"
+                fi
+                post_to_discord "$chunk"
+              fi
+            done
+          fi
+
+          echo "Posted daily recap to Discord"

.github/workflows/daily-pr-recap.yml

@@ -0,0 +1,173 @@
+name: daily-pr-recap
+
+on:
+  schedule:
+    # Run at 5pm EST (22:00 UTC, or 21:00 UTC during daylight saving)
+    - cron: "0 22 * * *"
+  workflow_dispatch: # Allow manual trigger for testing
+
+jobs:
+  pr-recap:
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - uses: ./.github/actions/setup-bun
+
+      - name: Install opencode
+        run: curl -fsSL https://opencode.ai/install | bash
+
+      - name: Generate daily PR recap
+        id: recap
+        env:
+          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENCODE_PERMISSION: |
+            {
+              "bash": {
+                "*": "deny",
+                "gh pr*": "allow",
+                "gh search*": "allow"
+              },
+              "webfetch": "deny",
+              "edit": "deny",
+              "write": "deny"
+            }
+        run: |
+          TODAY=$(date -u +%Y-%m-%d)
+
+          opencode run -m opencode/claude-sonnet-4-5 "Generate a daily PR activity recap for the OpenCode repository.
+
+          TODAY'S DATE: ${TODAY}
+
+          STEP 1: Gather PR data
+          Run these commands to gather PR information. ONLY include OPEN PRs created or updated TODAY (${TODAY}):
+
+          # Open PRs created today
+          gh pr list --repo ${{ github.repository }} --state open --search \"created:${TODAY}\" --json number,title,author,labels,createdAt,updatedAt,reviewDecision,isDraft,additions,deletions --limit 100
+
+          # Open PRs with activity today (updated today)
+          gh pr list --repo ${{ github.repository }} --state open --search \"updated:${TODAY}\" --json number,title,author,labels,createdAt,updatedAt,reviewDecision,isDraft,additions,deletions --limit 100
+
+          IMPORTANT: EXCLUDE all PRs authored by Anomaly team members. Filter out PRs where the author login matches ANY of these:
+          adamdotdevin, Brendonovich, fwang, Hona, iamdavidhill, jayair, kitlangton, kommander, MrMushrooooom, R44VC0RP, rekram1-node, thdxr
+          This recap is specifically for COMMUNITY (external) contributions only.
+
+
+
+          STEP 2: For high-activity PRs, check comment counts
+          For promising PRs, run:
+          gh pr view [NUMBER] --repo ${{ github.repository }} --json comments --jq '[.comments[] | select(.author.login != \"copilot-pull-request-reviewer\" and .author.login != \"github-actions\")] | length'
+
+          IMPORTANT: When counting comments/activity, EXCLUDE these bot accounts:
+          - copilot-pull-request-reviewer
+          - github-actions
+
+          STEP 3: Identify what matters (ONLY from today's PRs)
+
+          **Bug Fixes From Today:**
+          - PRs with 'fix' or 'bug' in title created/updated today
+          - Small bug fixes (< 100 lines changed) that are easy to review
+          - Bug fixes from community contributors
+
+          **High Activity Today:**
+          - PRs with significant human comments today (excluding bots listed above)
+          - PRs with back-and-forth discussion today
+
+          **Quick Wins:**
+          - Small PRs (< 50 lines) that are approved or nearly approved
+          - PRs that just need a final review
+
+          STEP 4: Generate the recap
+          Create a structured recap:
+
+          ===DISCORD_START===
+          **Daily PR Recap - ${TODAY}**
+
+          **New PRs Today**
+          [PRs opened today - group by type: bug fixes, features, etc.]
+
+          **Active PRs Today**
+          [PRs with activity/updates today - significant discussion]
+
+          **Quick Wins**
+          [Small PRs ready to merge]
+          ===DISCORD_END===
+
+          STEP 5: Format for Discord
+          - Use Discord markdown (**, __, etc.)
+          - BE EXTREMELY CONCISE - surface what we might miss
+          - Use hyperlinked PR numbers with suppressed embeds: [#1234](<https://github.com/${{ github.repository }}/pull/1234>)
+          - Include PR author: [#1234](<url>) (@author)
+          - For bug fixes, add brief description of what it fixes
+          - Show line count for quick wins: \"(+15/-3 lines)\"
+          - HARD LIMIT: Keep under 1800 characters total
+          - Skip empty sections
+          - Focus on PRs that need human eyes
+
+          OUTPUT: Output ONLY the content between ===DISCORD_START=== and ===DISCORD_END=== markers. Include the markers so I can extract it." > /tmp/pr_recap_raw.txt
+
+          # Extract only the Discord message between markers
+          sed -n '/===DISCORD_START===/,/===DISCORD_END===/p' /tmp/pr_recap_raw.txt | grep -v '===DISCORD' > /tmp/pr_recap.txt
+
+          echo "recap_file=/tmp/pr_recap.txt" >> $GITHUB_OUTPUT
+
+      - name: Post to Discord
+        env:
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_ISSUES_WEBHOOK_URL }}
+        run: |
+          if [ -z "$DISCORD_WEBHOOK_URL" ]; then
+            echo "Warning: DISCORD_ISSUES_WEBHOOK_URL secret not set, skipping Discord post"
+            cat /tmp/pr_recap.txt
+            exit 0
+          fi
+
+          # Read the recap
+          RECAP_RAW=$(cat /tmp/pr_recap.txt)
+          RECAP_LENGTH=${#RECAP_RAW}
+
+          echo "Recap length: ${RECAP_LENGTH} chars"
+
+          # Function to post a message to Discord
+          post_to_discord() {
+            local msg="$1"
+            local content=$(echo "$msg" | jq -Rs '.')
+            curl -s -H "Content-Type: application/json" \
+                 -X POST \
+                 -d "{\"content\": ${content}}" \
+                 "$DISCORD_WEBHOOK_URL"
+            sleep 1
+          }
+
+          # If under limit, send as single message
+          if [ "$RECAP_LENGTH" -le 1950 ]; then
+            post_to_discord "$RECAP_RAW"
+          else
+            echo "Splitting into multiple messages..."
+            remaining="$RECAP_RAW"
+            while [ ${#remaining} -gt 0 ]; do
+              if [ ${#remaining} -le 1950 ]; then
+                post_to_discord "$remaining"
+                break
+              else
+                chunk="${remaining:0:1900}"
+                last_newline=$(echo "$chunk" | grep -bo $'\n' | tail -1 | cut -d: -f1)
+                if [ -n "$last_newline" ] && [ "$last_newline" -gt 500 ]; then
+                  chunk="${remaining:0:$last_newline}"
+                  remaining="${remaining:$((last_newline+1))}"
+                else
+                  chunk="${remaining:0:1900}"
+                  remaining="${remaining:1900}"
+                fi
+                post_to_discord "$chunk"
+              fi
+            done
+          fi
+
+          echo "Posted daily PR recap to Discord"

.github/workflows/publish.yml

@@ -209,6 +209,182 @@ jobs:
             packages/opencode/dist/opencode-windows-x64
             packages/opencode/dist/opencode-windows-x64-baseline
 
+  build-tauri:
+    needs:
+      - build-cli
+      - version
+    continue-on-error: false
+    env:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
+      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+    strategy:
+      fail-fast: false
+      matrix:
+        settings:
+          - host: macos-latest
+            target: x86_64-apple-darwin
+          - host: macos-latest
+            target: aarch64-apple-darwin
+          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
+          - host: windows-2025
+            target: aarch64-pc-windows-msvc
+          - host: blacksmith-4vcpu-windows-2025
+            target: x86_64-pc-windows-msvc
+          - host: blacksmith-4vcpu-ubuntu-2404
+            target: x86_64-unknown-linux-gnu
+          - host: blacksmith-8vcpu-ubuntu-2404-arm
+            target: aarch64-unknown-linux-gnu
+    runs-on: ${{ matrix.settings.host }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-tags: true
+
+      - uses: apple-actions/import-codesign-certs@v2
+        if: ${{ runner.os == 'macOS' }}
+        with:
+          keychain: build
+          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
+          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+
+      - name: Verify Certificate
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
+          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
+          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
+          echo "Certificate imported."
+
+      - name: Setup Apple API Key
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8
+
+      - uses: ./.github/actions/setup-bun
+
+      - name: Azure login
+        if: runner.os == 'Windows'
+        uses: azure/login@v2
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+
+      - name: Cache apt packages
+        if: contains(matrix.settings.host, 'ubuntu')
+        uses: actions/cache@v4
+        with:
+          path: ~/apt-cache
+          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ matrix.settings.target }}-apt-
+
+      - name: install dependencies (ubuntu only)
+        if: contains(matrix.settings.host, 'ubuntu')
+        run: |
+          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+          sudo chmod -R a+rw ~/apt-cache
+
+      - name: install Rust stable
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.settings.target }}
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: packages/desktop/src-tauri
+          shared-key: ${{ matrix.settings.target }}
+
+      - name: Prepare
+        run: |
+          cd packages/desktop
+          bun ./scripts/prepare.ts
+        env:
+          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
+          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
+          OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }}
+          RUST_TARGET: ${{ matrix.settings.target }}
+          GH_TOKEN: ${{ github.token }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+
+      - name: Resolve tauri portable SHA
+        if: contains(matrix.settings.host, 'ubuntu')
+        run: echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV"
+
+      # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
+      - name: Install tauri-cli from portable appimage branch
+        uses: taiki-e/cache-cargo-install-action@v3
+        if: contains(matrix.settings.host, 'ubuntu')
+        with:
+          tool: tauri-cli
+          git: https://github.com/tauri-apps/tauri
+          # branch: feat/truly-portable-appimage
+          rev: ${{ env.TAURI_PORTABLE_SHA }}
+
+      - name: Show tauri-cli version
+        if: contains(matrix.settings.host, 'ubuntu')
+        run: cargo tauri --version
+
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
+      - name: Build and upload artifacts
+        uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
+        timeout-minutes: 60
+        with:
+          projectPath: packages/desktop
+          uploadWorkflowArtifacts: true
+          tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
+          args: --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose
+          updaterJsonPreferNsis: true
+          releaseId: ${{ needs.version.outputs.release }}
+          tagName: ${{ needs.version.outputs.tag }}
+          releaseDraft: true
+          releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext]
+          repo: ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }}
+          releaseCommitish: ${{ github.sha }}
+        env:
+          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
+          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8
+
+      - name: Verify signed Windows desktop artifacts
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $files = @(
+            "${{ github.workspace }}\packages\desktop\src-tauri\sidecars\opencode-cli-${{ matrix.settings.target }}.exe"
+          )
+          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\src-tauri\target\${{ matrix.settings.target }}\release\bundle\nsis\*.exe" | Select-Object -ExpandProperty FullName
+
+          foreach ($file in $files) {
+            $sig = Get-AuthenticodeSignature $file
+            if ($sig.Status -ne "Valid") {
+              throw "Invalid signature for ${file}: $($sig.Status)"
+            }
+          }
+
   build-electron:
     needs:
       - build-cli
@@ -348,30 +524,6 @@ jobs:
         env:
           OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
 
-      - name: Create and upload macOS .app.tar.gz
-        if: runner.os == 'macOS' && needs.version.outputs.release
-        working-directory: packages/desktop-electron/dist
-        env:
-          GH_TOKEN: ${{ steps.committer.outputs.token }}
-        run: |
-          if [[ "${{ matrix.settings.target }}" == "x86_64-apple-darwin" ]]; then
-            APP_DIR="mac"
-            OUT_NAME="opencode-desktop-mac-x64.app.tar.gz"
-          elif [[ "${{ matrix.settings.target }}" == "aarch64-apple-darwin" ]]; then
-            APP_DIR="mac-arm64"
-            OUT_NAME="opencode-desktop-mac-arm64.app.tar.gz"
-          else
-            echo "Unknown macOS target: ${{ matrix.settings.target }}"
-            exit 1
-          fi
-          APP_PATH=$(find "$APP_DIR" -maxdepth 1 -name "*.app" -type d | head -1)
-          if [ -z "$APP_PATH" ]; then
-            echo "No .app bundle found in $APP_DIR"
-            exit 1
-          fi
-          tar -czf "$OUT_NAME" -C "$(dirname "$APP_PATH")" "$(basename "$APP_PATH")"
-          gh release upload "v${{ needs.version.outputs.version }}" "$OUT_NAME" --clobber --repo "${{ needs.version.outputs.repo }}"
-
       - name: Verify signed Windows Electron artifacts
         if: runner.os == 'Windows'
         shell: pwsh
@@ -390,7 +542,7 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: opencode-desktop-${{ matrix.settings.target }}
+          name: opencode-electron-${{ matrix.settings.target }}
           path: packages/desktop-electron/dist/*
 
       - uses: actions/upload-artifact@v4
@@ -404,6 +556,7 @@ jobs:
       - version
       - build-cli
       - sign-cli-windows
+      - build-tauri
       - build-electron
     if: always() && !failure() && !cancelled()
     runs-on: blacksmith-4vcpu-ubuntu-2404
@@ -430,6 +583,13 @@ jobs:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
 
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
       - uses: actions/download-artifact@v4
         with:
           name: opencode-cli
@@ -451,13 +611,6 @@ jobs:
           pattern: latest-yml-*
           path: /tmp/latest-yml
 
-      - name: Setup git committer
-        id: committer
-        uses: ./.github/actions/setup-git-committer
-        with:
-          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
-          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
-
       - name: Cache apt packages (AUR)
         uses: actions/cache@v4
         with:
@@ -486,5 +639,3 @@ jobs:
           GH_REPO: ${{ needs.version.outputs.repo }}
           NPM_CONFIG_PROVENANCE: false
           LATEST_YML_DIR: /tmp/latest-yml
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}

.github/workflows/vouch-check-issue.yml

@@ -0,0 +1,116 @@
+name: vouch-check-issue
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if issue author is denounced
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const author = context.payload.issue.user.login;
+            const issueNumber = context.payload.issue.number;
+
+            // Skip bots
+            if (author.endsWith('[bot]')) {
+              core.info(`Skipping bot: ${author}`);
+              return;
+            }
+
+            // Read the VOUCHED.td file via API (no checkout needed)
+            let content;
+            try {
+              const response = await github.rest.repos.getContent({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                path: '.github/VOUCHED.td',
+              });
+              content = Buffer.from(response.data.content, 'base64').toString('utf-8');
+            } catch (error) {
+              if (error.status === 404) {
+                core.info('No .github/VOUCHED.td file found, skipping check.');
+                return;
+              }
+              throw error;
+            }
+
+            // Parse the .td file for vouched and denounced users
+            const vouched = new Set();
+            const denounced = new Map();
+            for (const line of content.split('\n')) {
+              const trimmed = line.trim();
+              if (!trimmed || trimmed.startsWith('#')) continue;
+
+              const isDenounced = trimmed.startsWith('-');
+              const rest = isDenounced ? trimmed.slice(1).trim() : trimmed;
+              if (!rest) continue;
+
+              const spaceIdx = rest.indexOf(' ');
+              const handle = spaceIdx === -1 ? rest : rest.slice(0, spaceIdx);
+              const reason = spaceIdx === -1 ? null : rest.slice(spaceIdx + 1).trim();
+
+              // Handle platform:username or bare username
+              // Only match bare usernames or github: prefix (skip other platforms)
+              const colonIdx = handle.indexOf(':');
+              if (colonIdx !== -1) {
+                const platform = handle.slice(0, colonIdx).toLowerCase();
+                if (platform !== 'github') continue;
+              }
+              const username = colonIdx === -1 ? handle : handle.slice(colonIdx + 1);
+              if (!username) continue;
+
+              if (isDenounced) {
+                denounced.set(username.toLowerCase(), reason);
+                continue;
+              }
+
+              vouched.add(username.toLowerCase());
+            }
+
+            // Check if the author is denounced
+            const reason = denounced.get(author.toLowerCase());
+            if (reason !== undefined) {
+              // Author is denounced — close the issue
+              const body = 'This issue has been automatically closed.';
+
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issueNumber,
+                body,
+              });
+
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: issueNumber,
+                state: 'closed',
+                state_reason: 'not_planned',
+              });
+
+              core.info(`Closed issue #${issueNumber} from denounced user ${author}`);
+              return;
+            }
+
+            // Author is positively vouched — add label
+            if (!vouched.has(author.toLowerCase())) {
+              core.info(`User ${author} is not denounced or vouched. Allowing issue.`);
+              return;
+            }
+
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issueNumber,
+              labels: ['Vouched'],
+            });
+
+            core.info(`Added vouched label to issue #${issueNumber} from ${author}`);

.github/workflows/vouch-check-pr.yml

@@ -0,0 +1,114 @@
+name: vouch-check-pr
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if PR author is denounced
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const author = context.payload.pull_request.user.login;
+            const prNumber = context.payload.pull_request.number;
+
+            // Skip bots
+            if (author.endsWith('[bot]')) {
+              core.info(`Skipping bot: ${author}`);
+              return;
+            }
+
+            // Read the VOUCHED.td file via API (no checkout needed)
+            let content;
+            try {
+              const response = await github.rest.repos.getContent({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                path: '.github/VOUCHED.td',
+              });
+              content = Buffer.from(response.data.content, 'base64').toString('utf-8');
+            } catch (error) {
+              if (error.status === 404) {
+                core.info('No .github/VOUCHED.td file found, skipping check.');
+                return;
+              }
+              throw error;
+            }
+
+            // Parse the .td file for vouched and denounced users
+            const vouched = new Set();
+            const denounced = new Map();
+            for (const line of content.split('\n')) {
+              const trimmed = line.trim();
+              if (!trimmed || trimmed.startsWith('#')) continue;
+
+              const isDenounced = trimmed.startsWith('-');
+              const rest = isDenounced ? trimmed.slice(1).trim() : trimmed;
+              if (!rest) continue;
+
+              const spaceIdx = rest.indexOf(' ');
+              const handle = spaceIdx === -1 ? rest : rest.slice(0, spaceIdx);
+              const reason = spaceIdx === -1 ? null : rest.slice(spaceIdx + 1).trim();
+
+              // Handle platform:username or bare username
+              // Only match bare usernames or github: prefix (skip other platforms)
+              const colonIdx = handle.indexOf(':');
+              if (colonIdx !== -1) {
+                const platform = handle.slice(0, colonIdx).toLowerCase();
+                if (platform !== 'github') continue;
+              }
+              const username = colonIdx === -1 ? handle : handle.slice(colonIdx + 1);
+              if (!username) continue;
+
+              if (isDenounced) {
+                denounced.set(username.toLowerCase(), reason);
+                continue;
+              }
+
+              vouched.add(username.toLowerCase());
+            }
+
+            // Check if the author is denounced
+            const reason = denounced.get(author.toLowerCase());
+            if (reason !== undefined) {
+              // Author is denounced — close the PR
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: 'This pull request has been automatically closed.',
+              });
+
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: prNumber,
+                state: 'closed',
+              });
+
+              core.info(`Closed PR #${prNumber} from denounced user ${author}`);
+              return;
+            }
+
+            // Author is positively vouched — add label
+            if (!vouched.has(author.toLowerCase())) {
+              core.info(`User ${author} is not denounced or vouched. Allowing PR.`);
+              return;
+            }
+
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+              labels: ['Vouched'],
+            });
+
+            core.info(`Added vouched label to PR #${prNumber} from ${author}`);

.github/workflows/vouch-manage-by-issue.yml

@@ -0,0 +1,38 @@
+name: vouch-manage-by-issue
+
+on:
+  issue_comment:
+    types: [created]
+
+concurrency:
+  group: vouch-manage
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: read
+
+jobs:
+  manage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
+      - uses: mitchellh/vouch/action/manage-by-issue@main
+        with:
+          issue-id: ${{ github.event.issue.number }}
+          comment-id: ${{ github.event.comment.id }}
+          roles: admin,maintain,write
+        env:
+          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}

.opencode/agent/triage.md

@@ -1,7 +1,7 @@
 ---
 mode: primary
 hidden: true
-model: opencode/gpt-5.4-nano
+model: opencode/minimax-m2.5
 color: "#44BA81"
 tools:
   "*": false
@@ -14,30 +14,127 @@ Use your github-triage tool to triage issues.
 
 This file is the source of truth for ownership/routing rules.
 
-Assign issues by choosing the team with the strongest overlap. The github-triage tool will assign a random member from that team.
+## Labels
 
-Do not add labels to issues. Only assign an owner.
+### windows
 
-When calling github-triage, pass one of these team values: tui, desktop_web, core, inference, windows.
+Use for any issue that mentions Windows (the OS). Be sure they are saying that they are on Windows.
 
-## Teams
+- Use if they mention WSL too
 
-### TUI
+#### perf
 
-Terminal UI issues, including rendering, keybindings, scrolling, terminal compatibility, SSH behavior, crashes in the TUI, and low-level TUI performance.
+Performance-related issues:
 
-### Desktop / Web
+- Slow performance
+- High RAM usage
+- High CPU usage
 
-Desktop application and browser-based app issues, including `opencode web`, desktop-specific UI behavior, packaging, and web view problems.
+**Only** add if it's likely a RAM or CPU issue. **Do not** add for LLM slowness.
 
-### Core
+#### desktop
 
-Core opencode server and harness issues, including sqlite, snapshots, memory, API behavior, agent context construction, tool execution, provider integrations, model behavior, documentation, and larger architectural features.
+Desktop app issues:
 
-### Inference
+- `opencode web` command
+- The desktop app itself
 
-OpenCode Zen, OpenCode Go, and billing issues.
+**Only** add if it's specifically about the Desktop application or `opencode web` view. **Do not** add for terminal, TUI, or general opencode issues.
 
-### Windows
+#### nix
 
-Windows-specific issues, including native Windows behavior, WSL interactions, path handling, shell compatibility, and installation or runtime problems that only happen on Windows.
+**Only** add if the issue explicitly mentions nix.
+
+If the issue does not mention nix, do not add nix.
+
+If the issue mentions nix, assign to `rekram1-node`.
+
+#### zen
+
+**Only** add if the issue mentions "zen" or "opencode zen" or "opencode black".
+
+If the issue doesn't have "zen" or "opencode black" in it then don't add zen label
+
+#### core
+
+Use for core server issues in `packages/opencode/`, excluding `packages/opencode/src/cli/cmd/tui/`.
+
+Examples:
+
+- LSP server behavior
+- Harness behavior (agent + tools)
+- Feature requests for server behavior
+- Agent context construction
+- API endpoints
+- Provider integration issues
+- New, broken, or poor-quality models
+
+#### acp
+
+If the issue mentions acp support, assign acp label.
+
+#### docs
+
+Add if the issue requests better documentation or docs updates.
+
+#### opentui
+
+TUI issues potentially caused by our underlying TUI library:
+
+- Keybindings not working
+- Scroll speed issues (too fast/slow/laggy)
+- Screen flickering
+- Crashes with opentui in the log
+
+**Do not** add for general TUI bugs.
+
+When assigning to people here are the following rules:
+
+Desktop / Web:
+Use for desktop-labeled issues only.
+
+- adamdotdevin
+- iamdavidhill
+- Brendonovich
+- nexxeln
+
+Zen:
+ONLY assign if the issue will have the "zen" label.
+
+- fwang
+- MrMushrooooom
+
+TUI (`packages/opencode/src/cli/cmd/tui/...`):
+
+- thdxr for TUI UX/UI product decisions and interaction flow
+- kommander for OpenTUI engine issues: rendering artifacts, keybind handling, terminal compatibility, SSH behavior, and low-level perf bottlenecks
+- rekram1-node for TUI bugs that are not clearly OpenTUI engine issues
+
+Core (`packages/opencode/...`, excluding TUI subtree):
+
+- thdxr for sqlite/snapshot/memory bugs and larger architectural core features
+- jlongster for opencode server + API feature work (tool currently remaps jlongster -> thdxr until assignable)
+- rekram1-node for harness issues, provider issues, and other bug-squashing
+
+For core bugs that do not clearly map, either thdxr or rekram1-node is acceptable.
+
+Docs:
+
+- R44VC0RP
+
+Windows:
+
+- Hona (assign any issue that mentions Windows or is likely Windows-specific)
+
+Determinism rules:
+
+- If title + body does not contain "zen", do not add the "zen" label
+- If "nix" label is added but title + body does not mention nix/nixos, the tool will drop "nix"
+- If title + body mentions nix/nixos, assign to `rekram1-node`
+- If "desktop" label is added, the tool will override assignee and randomly pick one Desktop / Web owner
+
+In all other cases, choose the team/section with the most overlap with the issue and assign a member from that team at random.
+
+ACP:
+
+- rekram1-node (assign any acp issues to rekram1-node)

.opencode/command/changelog.md

@@ -18,12 +18,9 @@ Do not use `git log` or author metadata when deciding attribution.
 
 Rules:
 
-- Write the final file with release sections in this order:
+- Write the final file with sections in this order:
   `## Core`, `## TUI`, `## Desktop`, `## SDK`, `## Extensions`
 - Only include sections that have at least one notable entry
-- Within each release section, keep bug fixes grouped under `### Bugfixes`
-- Keep other notable entries under `### Improvements` when a section has bug fixes too
-- Omit empty subsections
 - Keep one bullet per commit you keep
 - Skip commits that are entirely internal, CI, tests, refactors, or otherwise not user-facing
 - Start each bullet with a capital letter

.opencode/tool/github-triage.ts

@@ -1,14 +1,16 @@
 /// <reference path="../env.d.ts" />
 import { tool } from "@opencode-ai/plugin"
-
 const TEAM = {
-  tui: ["kommander", "simonklee"],
-  desktop_web: ["Hona", "Brendonovich"],
-  core: ["jlongster", "rekram1-node", "nexxeln", "kitlangton"],
-  inference: ["fwang", "MrMushrooooom"],
+  desktop: ["adamdotdevin", "iamdavidhill", "Brendonovich", "nexxeln"],
+  zen: ["fwang", "MrMushrooooom"],
+  tui: ["kommander", "rekram1-node", "simonklee"],
+  core: ["kitlangton", "rekram1-node", "jlongster"],
+  docs: ["R44VC0RP"],
   windows: ["Hona"],
 } as const
 
+const ASSIGNEES = [...new Set(Object.values(TEAM).flat())]
+
 function pick<T>(items: readonly T[]) {
   return items[Math.floor(Math.random() * items.length)]!
 }
@@ -36,25 +38,79 @@ async function githubFetch(endpoint: string, options: RequestInit = {}) {
 }
 
 export default tool({
-  description: `Use this tool to assign a GitHub issue.
+  description: `Use this tool to assign and/or label a GitHub issue.
 
-Provide the team that should own the issue. This tool picks a random assignee from that team and does not apply labels.`,
+Choose labels and assignee using the current triage policy and ownership rules.
+Pick the most fitting labels for the issue and assign one owner.
+
+If unsure, choose the team/section with the most overlap with the issue and assign a member from that team at random.`,
   args: {
-    team: tool.schema
-      .enum(Object.keys(TEAM) as [keyof typeof TEAM, ...(keyof typeof TEAM)[]])
-      .describe("The owning team"),
+    assignee: tool.schema
+      .enum(ASSIGNEES as [string, ...string[]])
+      .describe("The username of the assignee")
+      .default("rekram1-node"),
+    labels: tool.schema
+      .array(tool.schema.enum(["nix", "opentui", "perf", "web", "desktop", "zen", "docs", "windows", "core"]))
+      .describe("The labels(s) to add to the issue")
+      .default([]),
   },
   async execute(args) {
     const issue = getIssueNumber()
     const owner = "anomalyco"
     const repo = "opencode"
-    const assignee = pick(TEAM[args.team])
+
+    const results: string[] = []
+    let labels = [...new Set(args.labels.map((x) => (x === "desktop" ? "web" : x)))]
+    const web = labels.includes("web")
+    const text = `${process.env.ISSUE_TITLE ?? ""}\n${process.env.ISSUE_BODY ?? ""}`.toLowerCase()
+    const zen = /\bzen\b/.test(text) || text.includes("opencode black")
+    const nix = /\bnix(os)?\b/.test(text)
+
+    if (labels.includes("nix") && !nix) {
+      labels = labels.filter((x) => x !== "nix")
+      results.push("Dropped label: nix (issue does not mention nix)")
+    }
+
+    const assignee = nix ? "rekram1-node" : web ? pick(TEAM.desktop) : args.assignee
+
+    if (labels.includes("zen") && !zen) {
+      throw new Error("Only add the zen label when issue title/body contains 'zen'")
+    }
+
+    if (web && !nix && !(TEAM.desktop as readonly string[]).includes(assignee)) {
+      throw new Error("Web issues must be assigned to adamdotdevin, iamdavidhill, Brendonovich, or nexxeln")
+    }
+
+    if ((TEAM.zen as readonly string[]).includes(assignee) && !labels.includes("zen")) {
+      throw new Error("Only zen issues should be assigned to fwang or MrMushrooooom")
+    }
+
+    if (assignee === "Hona" && !labels.includes("windows")) {
+      throw new Error("Only windows issues should be assigned to Hona")
+    }
+
+    if (assignee === "R44VC0RP" && !labels.includes("docs")) {
+      throw new Error("Only docs issues should be assigned to R44VC0RP")
+    }
+
+    if (assignee === "kommander" && !labels.includes("opentui")) {
+      throw new Error("Only opentui issues should be assigned to kommander")
+    }
 
     await githubFetch(`/repos/${owner}/${repo}/issues/${issue}/assignees`, {
       method: "POST",
       body: JSON.stringify({ assignees: [assignee] }),
     })
+    results.push(`Assigned @${assignee} to issue #${issue}`)
 
-    return `Assigned @${assignee} from ${args.team} to issue #${issue}`
+    if (labels.length > 0) {
+      await githubFetch(`/repos/${owner}/${repo}/issues/${issue}/labels`, {
+        method: "POST",
+        body: JSON.stringify({ labels }),
+      })
+      results.push(`Added labels: ${labels.join(", ")}`)
+    }
+
+    return results.join("\n")
   },
 })

bun.lock

@@ -307,6 +307,19 @@
         "@lydell/node-pty-win32-x64": "1.2.0-beta.10",
       },
     },
+    "packages/effect-drizzle-sqlite": {
+      "name": "@opencode-ai/effect-drizzle-sqlite",
+      "version": "0.0.0",
+      "dependencies": {
+        "drizzle-orm": "catalog:",
+        "effect": "catalog:",
+      },
+      "devDependencies": {
+        "@tsconfig/bun": "catalog:",
+        "@types/bun": "catalog:",
+        "@typescript/native-preview": "catalog:",
+      },
+    },
     "packages/enterprise": {
       "name": "@opencode-ai/enterprise",
       "version": "1.14.33",
@@ -396,6 +409,7 @@
         "@octokit/graphql": "9.0.2",
         "@octokit/rest": "catalog:",
         "@openauthjs/openauth": "catalog:",
+        "@opencode-ai/effect-drizzle-sqlite": "workspace:*",
         "@opencode-ai/plugin": "workspace:*",
         "@opencode-ai/script": "workspace:*",
         "@opencode-ai/sdk": "workspace:*",
@@ -1572,6 +1586,8 @@
 
     "@opencode-ai/desktop-electron": ["@opencode-ai/desktop-electron@workspace:packages/desktop-electron"],
 
+    "@opencode-ai/effect-drizzle-sqlite": ["@opencode-ai/effect-drizzle-sqlite@workspace:packages/effect-drizzle-sqlite"],
+
     "@opencode-ai/enterprise": ["@opencode-ai/enterprise@workspace:packages/enterprise"],
 
     "@opencode-ai/function": ["@opencode-ai/function@workspace:packages/function"],

nix/hashes.json

@@ -1,8 +1,8 @@
 {
   "nodeModules": {
-    "x86_64-linux": "sha256-9wTDLZsuGjkWyVOb6AG2VRYPiaSj/lnXwVkSwNeDcns=",
-    "aarch64-linux": "sha256-gmKlL2fQxY8bo+//8m9e1TNYJK3RXa4i8xsgtd046bc=",
-    "aarch64-darwin": "sha256-ENSJK+7rZi3m342mjtGg9N0P6zWEypXMpI7QdFMydbc=",
-    "x86_64-darwin": "sha256-gkxCxGh5dlwj03vZdz20pbiAwFEDpAlu/5iU8cwZOGI="
+    "x86_64-linux": "sha256-SLWRe4uPSRWgU+NPa1BywmrUtNVIC0Oy2mjmxclxk+s=",
+    "aarch64-linux": "sha256-toHEeIqMzrmThoV0B52juGKm4pa/aJN3gBFFtrSZp2Q=",
+    "aarch64-darwin": "sha256-lYUsUxq5zR2RXjqZTEdjduOncnlwvTlxDJVKWXJuKPY=",
+    "x86_64-darwin": "sha256-77XmuEYqGwb1mkEHfnghq1VtukFTneohA0FW6WDOk1U="
   }
 }

packages/app/src/components/terminal.tsx

@@ -15,7 +15,6 @@ import { terminalFontFamily, useSettings } from "@/context/settings"
 import type { LocalPTY } from "@/context/terminal"
 import { disposeIfDisposable, getHoveredLinkText, setOptionIfSupported } from "@/utils/runtime-adapters"
 import { terminalWriter } from "@/utils/terminal-writer"
-import { terminalWebSocketURL } from "@/utils/terminal-websocket-url"
 
 const TOGGLE_TERMINAL_ID = "terminal.toggle"
 const DEFAULT_TOGGLE_TERMINAL_KEYBIND = "ctrl+`"
@@ -68,6 +67,13 @@ const debugTerminal = (...values: unknown[]) => {
   console.debug("[terminal]", ...values)
 }
 
+const errorName = (err: unknown) => {
+  if (!err || typeof err !== "object") return
+  if (!("name" in err)) return
+  const errorName = err.name
+  return typeof errorName === "string" ? errorName : undefined
+}
+
 const useTerminalUiBindings = (input: {
   container: HTMLDivElement
   term: Term
@@ -472,34 +478,14 @@ export const Terminal = (props: TerminalProps) => {
 
       const gone = () =>
         client.pty
-          .get({ ptyID: id }, { throwOnError: false })
-          .then((result) => result.response.status === 404)
+          .get({ ptyID: id })
+          .then(() => false)
           .catch((err) => {
+            if (errorName(err) === "NotFoundError") return true
             debugTerminal("failed to inspect terminal session", err)
             return false
           })
 
-      const connectToken = async () => {
-        const result = await client.pty
-          .connectToken(
-            { ptyID: id, directory },
-            {
-              throwOnError: false,
-              headers: { "x-opencode-ticket": "1" },
-            },
-          )
-          .catch((err: unknown) => {
-            if (err instanceof Error && err.message.includes("Request is not supported")) return
-            throw err
-          })
-        if (!result) return
-        if (result.response.status === 200 && result.data?.ticket) return result.data.ticket
-        if (result.response.status === 404 || result.response.status === 405) return
-        if (result.response.status === 403)
-          throw new Error("PTY connect ticket rejected by origin or CSRF checks. Check the server CORS config.")
-        throw new Error(`PTY connect ticket failed with ${result.response.status}`)
-      }
-
       const retry = (err: unknown) => {
         if (disposed) return
         if (reconn !== undefined) return
@@ -519,30 +505,22 @@ export const Terminal = (props: TerminalProps) => {
         }, ms)
       }
 
-      const open = async () => {
+      const open = () => {
         if (disposed) return
         drop?.()
 
-        const ticket = await connectToken().catch((err) => {
-          fail(err)
-          return undefined
-        })
-        if (once.value) return
-        if (disposed) return
+        const next = new URL(url + `/pty/${id}/connect`)
+        next.searchParams.set("directory", directory)
+        next.searchParams.set("cursor", String(seek))
+        next.protocol = next.protocol === "https:" ? "wss:" : "ws:"
+        if (!sameOrigin && password) {
+          next.searchParams.set("auth_token", btoa(`${username}:${password}`))
+          // For same-origin requests, let the browser reuse the page's existing auth.
+          next.username = username
+          next.password = password
+        }
 
-        const socket = new WebSocket(
-          terminalWebSocketURL({
-            url,
-            id,
-            directory,
-            cursor: seek,
-            ticket,
-            sameOrigin,
-            username,
-            password,
-            authToken: server.current?.type === "http" ? server.current.authToken : false,
-          }),
-        )
+        const socket = new WebSocket(next)
         socket.binaryType = "arraybuffer"
         ws = socket
 

packages/app/src/context/server.test.ts

@@ -1,53 +0,0 @@
-import { describe, expect, test } from "bun:test"
-import { resolveServerList, ServerConnection } from "./server"
-
-describe("resolveServerList", () => {
-  test("lets startup auth_token credentials override a persisted same-url server", () => {
-    const list = resolveServerList({
-      stored: [{ url: "https://server.example.test" }],
-      props: [
-        {
-          type: "http",
-          authToken: true,
-          http: {
-            url: "https://server.example.test",
-            username: "opencode",
-            password: "secret",
-          },
-        },
-      ],
-    })
-
-    expect(list).toHaveLength(1)
-    expect(list[0]?.type).toBe("http")
-    expect(list[0]?.http).toEqual({
-      url: "https://server.example.test",
-      username: "opencode",
-      password: "secret",
-    })
-    expect(list[0]?.type === "http" ? list[0].authToken : false).toBe(true)
-    expect(ServerConnection.key(list[0]!) as string).toBe("https://server.example.test")
-  })
-
-  test("keeps persisted credentials when startup has no auth_token", () => {
-    const list = resolveServerList({
-      stored: [
-        {
-          url: "https://server.example.test",
-          username: "opencode",
-          password: "saved",
-        },
-      ],
-      props: [{ type: "http", http: { url: "https://server.example.test" } }],
-    })
-
-    expect(list).toHaveLength(1)
-    expect(list[0]?.type).toBe("http")
-    expect(list[0]?.http).toEqual({
-      url: "https://server.example.test",
-      username: "opencode",
-      password: "saved",
-    })
-    expect(list[0]?.type === "http" ? list[0].authToken : true).toBeUndefined()
-  })
-})

packages/app/src/context/server.tsx

@@ -33,33 +33,6 @@ function isLocalHost(url: string) {
   if (host === "localhost" || host === "127.0.0.1") return "local"
 }
 
-export function resolveServerList(input: {
-  props?: Array<ServerConnection.Any>
-  stored: StoredServer[]
-}): Array<ServerConnection.Any> {
-  const servers = [
-    ...input.stored.map((value) =>
-      typeof value === "string"
-        ? {
-            type: "http" as const,
-            http: { url: value },
-          }
-        : value,
-    ),
-    ...(input.props ?? []),
-  ]
-
-  const deduped = new Map<ServerConnection.Key, ServerConnection.Any>()
-  for (const value of servers) {
-    const conn: ServerConnection.Any = "type" in value ? value : { type: "http", http: value }
-    const key = ServerConnection.key(conn)
-    if (deduped.has(key) && conn.type === "http" && !conn.authToken) continue
-    deduped.set(key, conn)
-  }
-
-  return [...deduped.values()]
-}
-
 export namespace ServerConnection {
   type Base = { displayName?: string }
 
@@ -73,7 +46,6 @@ export namespace ServerConnection {
   export type Http = {
     type: "http"
     http: HttpBase
-    authToken?: boolean
   } & Base
 
   export type Sidecar = {
@@ -141,7 +113,26 @@ export const { use: useServer, provider: ServerProvider } = createSimpleContext(
     const url = (x: StoredServer) => (typeof x === "string" ? x : "type" in x ? x.http.url : x.url)
 
     const allServers = createMemo((): Array<ServerConnection.Any> => {
-      return resolveServerList({ stored: store.list, props: props.servers })
+      const servers = [
+        ...(props.servers ?? []),
+        ...store.list.map((value) =>
+          typeof value === "string"
+            ? {
+                type: "http" as const,
+                http: { url: value },
+              }
+            : value,
+        ),
+      ]
+
+      const deduped = new Map(
+        servers.map((value) => {
+          const conn: ServerConnection.Any = "type" in value ? value : { type: "http", http: value }
+          return [ServerConnection.key(conn), conn]
+        }),
+      )
+
+      return [...deduped.values()]
     })
 
     const [state, setState] = createStore({
@@ -183,7 +174,7 @@ export const { use: useServer, provider: ServerProvider } = createSimpleContext(
     function add(input: ServerConnection.Http) {
       const url_ = normalizeServerUrl(input.http.url)
       if (!url_) return
-      const conn: ServerConnection.Http = { ...input, authToken: undefined, http: { ...input.http, url: url_ } }
+      const conn = { ...input, http: { ...input.http, url: url_ } }
       return batch(() => {
         const existing = store.list.findIndex((x) => url(x) === url_)
         if (existing !== -1) {

packages/app/src/context/terminal.test.ts

@@ -1,9 +1,6 @@
 import { beforeAll, describe, expect, mock, test } from "bun:test"
 
-type ServerKey = Parameters<typeof import("./terminal").getTerminalServerScope>[1]
-
-let getWorkspaceTerminalCacheKey: (dir: string, scope?: string) => string
-let getTerminalServerScope: typeof import("./terminal").getTerminalServerScope
+let getWorkspaceTerminalCacheKey: (dir: string) => string
 let getLegacyTerminalStorageKeys: (dir: string, legacySessionID?: string) => string[]
 let migrateTerminalState: (value: unknown) => unknown
 
@@ -20,7 +17,6 @@ beforeAll(async () => {
   }))
   const mod = await import("./terminal")
   getWorkspaceTerminalCacheKey = mod.getWorkspaceTerminalCacheKey
-  getTerminalServerScope = mod.getTerminalServerScope
   getLegacyTerminalStorageKeys = mod.getLegacyTerminalStorageKeys
   migrateTerminalState = mod.migrateTerminalState
 })
@@ -29,45 +25,6 @@ describe("getWorkspaceTerminalCacheKey", () => {
   test("uses workspace-only directory cache key", () => {
     expect(getWorkspaceTerminalCacheKey("/repo")).toBe("/repo:__workspace__")
   })
-
-  test("can include a server scope", () => {
-    expect(getWorkspaceTerminalCacheKey("/repo", "wsl:Debian")).toBe("wsl:Debian:/repo:__workspace__")
-  })
-})
-
-describe("getTerminalServerScope", () => {
-  test("preserves local server keys", () => {
-    expect(
-      getTerminalServerScope(
-        { type: "sidecar", variant: "base", http: { url: "http://127.0.0.1:4096" } },
-        "sidecar" as ServerKey,
-      ),
-    ).toBeUndefined()
-    expect(
-      getTerminalServerScope(
-        { type: "http", http: { url: "http://localhost:4096" } },
-        "http://localhost:4096" as ServerKey,
-      ),
-    ).toBeUndefined()
-    expect(
-      getTerminalServerScope({ type: "http", http: { url: "http://[::1]:4096" } }, "http://[::1]:4096" as ServerKey),
-    ).toBeUndefined()
-  })
-
-  test("scopes non-local server keys", () => {
-    expect(
-      getTerminalServerScope(
-        { type: "sidecar", variant: "wsl", distro: "Debian", http: { url: "http://127.0.0.1:4096" } },
-        "wsl:Debian" as ServerKey,
-      ),
-    ).toBe("wsl:Debian" as ServerKey)
-    expect(
-      getTerminalServerScope(
-        { type: "http", http: { url: "https://example.com" } },
-        "https://example.com" as ServerKey,
-      ),
-    ).toBe("https://example.com" as ServerKey)
-  })
 })
 
 describe("getLegacyTerminalStorageKeys", () => {

packages/app/src/context/terminal.tsx

@@ -4,7 +4,6 @@ import { batch, createEffect, createMemo, createRoot, on, onCleanup } from "soli
 import { useParams } from "@solidjs/router"
 import { useSDK } from "./sdk"
 import type { Platform } from "./platform"
-import { ServerConnection, useServer } from "./server"
 import { defaultTitle, titleNumber } from "./terminal-title"
 import { Persist, persisted, removePersisted } from "@/utils/persist"
 
@@ -83,31 +82,10 @@ export function migrateTerminalState(value: unknown) {
   }
 }
 
-export function getWorkspaceTerminalCacheKey(dir: string, scope?: string) {
-  if (scope) return `${scope}:${dir}:${WORKSPACE_KEY}`
+export function getWorkspaceTerminalCacheKey(dir: string) {
   return `${dir}:${WORKSPACE_KEY}`
 }
 
-export function getTerminalServerScope(conn: ServerConnection.Any | undefined, key: ServerConnection.Key) {
-  if (!conn) return
-  if (conn.type === "sidecar" && conn.variant === "base") return
-  if (conn.type === "http") {
-    try {
-      const url = new URL(conn.http.url)
-      if (
-        url.hostname === "localhost" ||
-        url.hostname === "127.0.0.1" ||
-        url.hostname === "::1" ||
-        url.hostname === "[::1]"
-      )
-        return
-    } catch {
-      return key
-    }
-  }
-  return key
-}
-
 export function getLegacyTerminalStorageKeys(dir: string, legacySessionID?: string) {
   if (!legacySessionID) return [`${dir}/terminal.v1`]
   return [`${dir}/terminal/${legacySessionID}.v1`, `${dir}/terminal.v1`]
@@ -132,16 +110,15 @@ const trimTerminal = (pty: LocalPTY) => {
   }
 }
 
-export function clearWorkspaceTerminals(dir: string, sessionIDs?: string[], platform?: Platform, scope?: string) {
-  const key = getWorkspaceTerminalCacheKey(dir, scope)
+export function clearWorkspaceTerminals(dir: string, sessionIDs?: string[], platform?: Platform) {
+  const key = getWorkspaceTerminalCacheKey(dir)
   for (const cache of caches) {
     const entry = cache.get(key)
     entry?.value.clear()
   }
 
-  void removePersisted(Persist.workspace(dir, scope ? `terminal:${scope}` : "terminal"), platform)
+  void removePersisted(Persist.workspace(dir, "terminal"), platform)
 
-  if (scope) return
   const legacy = new Set(getLegacyTerminalStorageKeys(dir))
   for (const id of sessionIDs ?? []) {
     for (const key of getLegacyTerminalStorageKeys(dir, id)) {
@@ -153,17 +130,12 @@ export function clearWorkspaceTerminals(dir: string, sessionIDs?: string[], plat
   }
 }
 
-function createWorkspaceTerminalSession(
-  sdk: ReturnType<typeof useSDK>,
-  dir: string,
-  legacySessionID?: string,
-  scope?: string,
-) {
-  const legacy = scope ? [] : getLegacyTerminalStorageKeys(dir, legacySessionID)
+function createWorkspaceTerminalSession(sdk: ReturnType<typeof useSDK>, dir: string, legacySessionID?: string) {
+  const legacy = getLegacyTerminalStorageKeys(dir, legacySessionID)
 
   const [store, setStore, _, ready] = persisted(
     {
-      ...Persist.workspace(dir, scope ? `terminal:${scope}` : "terminal", legacy),
+      ...Persist.workspace(dir, "terminal", legacy),
       migrate: migrateTerminalState,
     },
     createStore<{
@@ -385,12 +357,8 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
   gate: false,
   init: () => {
     const sdk = useSDK()
-    const server = useServer()
     const params = useParams()
     const cache = new Map<string, TerminalCacheEntry>()
-    const scope = createMemo(() => {
-      return getTerminalServerScope(server.current, server.key)
-    })
 
     caches.add(cache)
     onCleanup(() => caches.delete(cache))
@@ -414,9 +382,9 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
       }
     }
 
-    const loadWorkspace = (dir: string, legacySessionID: string | undefined, serverScope: string | undefined) => {
+    const loadWorkspace = (dir: string, legacySessionID?: string) => {
       // Terminals are workspace-scoped so tabs persist while switching sessions in the same directory.
-      const key = getWorkspaceTerminalCacheKey(dir, serverScope)
+      const key = getWorkspaceTerminalCacheKey(dir)
       const existing = cache.get(key)
       if (existing) {
         cache.delete(key)
@@ -425,7 +393,7 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
       }
 
       const entry = createRoot((dispose) => ({
-        value: createWorkspaceTerminalSession(sdk, dir, legacySessionID, serverScope),
+        value: createWorkspaceTerminalSession(sdk, dir, legacySessionID),
         dispose,
       }))
 
@@ -434,16 +402,16 @@ export const { use: useTerminal, provider: TerminalProvider } = createSimpleCont
       return entry.value
     }
 
-    const workspace = createMemo(() => loadWorkspace(params.dir!, params.id, scope()))
+    const workspace = createMemo(() => loadWorkspace(params.dir!, params.id))
 
     createEffect(
       on(
-        () => ({ dir: params.dir, id: params.id, scope: scope() }),
+        () => ({ dir: params.dir, id: params.id }),
         (next, prev) => {
           if (!prev?.dir) return
-          if (next.dir === prev.dir && next.id === prev.id && next.scope === prev.scope) return
-          if (next.dir === prev.dir && next.id && next.scope === prev.scope) return
-          loadWorkspace(prev.dir, prev.id, prev.scope).trimAll()
+          if (next.dir === prev.dir && next.id === prev.id) return
+          if (next.dir === prev.dir && next.id) return
+          loadWorkspace(prev.dir, prev.id).trimAll()
         },
         { defer: true },
       ),

packages/app/src/entry.tsx

@@ -7,7 +7,6 @@ import { type Platform, PlatformProvider } from "@/context/platform"
 import { dict as en } from "@/i18n/en"
 import { dict as zh } from "@/i18n/zh"
 import { handleNotificationClick } from "@/utils/notification-click"
-import { authFromToken } from "@/utils/server"
 import pkg from "../package.json"
 import { ServerConnection } from "./context/server"
 
@@ -112,13 +111,6 @@ const getDefaultUrl = () => {
   return getCurrentUrl()
 }
 
-const clearAuthToken = () => {
-  const params = new URLSearchParams(location.search)
-  if (!params.has("auth_token")) return
-  params.delete("auth_token")
-  history.replaceState(null, "", location.pathname + (params.size ? `?${params}` : "") + location.hash)
-}
-
 const platform: Platform = {
   platform: "web",
   version: pkg.version,
@@ -154,16 +146,7 @@ if (import.meta.env.VITE_SENTRY_DSN) {
 }
 
 if (root instanceof HTMLElement) {
-  const auth = authFromToken(new URLSearchParams(location.search).get("auth_token"))
-  clearAuthToken()
-  const server: ServerConnection.Http = {
-    type: "http",
-    authToken: !!auth,
-    http: {
-      url: getCurrentUrl(),
-      ...auth,
-    },
-  }
+  const server: ServerConnection.Http = { type: "http", http: { url: getCurrentUrl() } }
   render(
     () => (
       <PlatformProvider value={platform}>

packages/app/src/pages/layout.tsx

@@ -35,7 +35,7 @@ import type { DragEvent } from "@thisbeyond/solid-dnd"
 import { useProviders } from "@/hooks/use-providers"
 import { showToast, Toast, toaster } from "@opencode-ai/ui/toast"
 import { useGlobalSDK } from "@/context/global-sdk"
-import { clearWorkspaceTerminals, getTerminalServerScope } from "@/context/terminal"
+import { clearWorkspaceTerminals } from "@/context/terminal"
 import { dropSessionCaches, pickSessionCacheEvictions } from "@/context/global-sync/session-cache"
 import {
   clearSessionPrefetchInflight,
@@ -1557,7 +1557,6 @@ export default function Layout(props: ParentProps) {
       directory,
       sessions.map((s) => s.id),
       platform,
-      getTerminalServerScope(server.current, server.key),
     )
     await globalSDK.client.instance.dispose({ directory }).catch(() => undefined)
 

packages/app/src/pages/session/terminal-panel.tsx

@@ -37,7 +37,6 @@ export function TerminalPanel() {
   const [store, setStore] = createStore({
     autoCreated: false,
     activeDraggable: undefined as string | undefined,
-    recovered: {} as Record<string, boolean>,
     view: typeof window === "undefined" ? 1000 : (window.visualViewport?.height ?? window.innerHeight),
   })
 
@@ -146,21 +145,6 @@ export function TerminalPanel() {
   const all = terminal.all
   const ids = createMemo(() => all().map((pty) => pty.id))
 
-  const recoverTerminal = (key: string, id: string, clone: (id: string) => Promise<void>) => {
-    if (store.recovered[key]) return
-    setStore("recovered", key, true)
-    void clone(id)
-  }
-
-  const terminalRecoveryKey = (pty: { id: string; title: string; titleNumber: number }) => {
-    return String(pty.titleNumber || pty.title || pty.id)
-  }
-
-  const markTerminalConnected = (key: string, id: string, trim: (id: string) => void) => {
-    setStore("recovered", key, false)
-    trim(id)
-  }
-
   const handleTerminalDragStart = (event: unknown) => {
     const id = getDraggableId(event)
     if (!id) return
@@ -296,9 +280,9 @@ export function TerminalPanel() {
                             <Terminal
                               pty={pty()}
                               autoFocus={opened()}
-                              onConnect={() => markTerminalConnected(terminalRecoveryKey(pty()), id, ops.trim)}
+                              onConnect={() => ops.trim(id)}
                               onCleanup={ops.update}
-                              onConnectError={() => recoverTerminal(terminalRecoveryKey(pty()), id, ops.clone)}
+                              onConnectError={() => ops.clone(id)}
                             />
                           </div>
                         )}

packages/app/src/utils/server.test.ts

@@ -1,23 +0,0 @@
-import { describe, expect, test } from "bun:test"
-import { authFromToken, authTokenFromCredentials } from "./server"
-
-describe("authFromToken", () => {
-  test("decodes basic auth credentials from auth_token", () => {
-    expect(authFromToken(btoa("kit:secret"))).toEqual({ username: "kit", password: "secret" })
-  })
-
-  test("defaults blank username to opencode", () => {
-    expect(authFromToken(btoa(":secret"))).toEqual({ username: "opencode", password: "secret" })
-  })
-
-  test("ignores malformed tokens", () => {
-    expect(authFromToken("not base64")).toBeUndefined()
-    expect(authFromToken(btoa("missing-separator"))).toBeUndefined()
-  })
-})
-
-describe("authTokenFromCredentials", () => {
-  test("encodes credentials with the default username", () => {
-    expect(authTokenFromCredentials({ password: "secret" })).toBe(btoa("opencode:secret"))
-  })
-})

packages/app/src/utils/server.ts

@@ -1,21 +1,5 @@
 import { createOpencodeClient } from "@opencode-ai/sdk/v2/client"
 import type { ServerConnection } from "@/context/server"
-import { decode64 } from "@/utils/base64"
-
-export function authTokenFromCredentials(input: { username?: string; password: string }) {
-  return btoa(`${input.username ?? "opencode"}:${input.password}`)
-}
-
-export function authFromToken(token: string | null) {
-  const decoded = decode64(token ?? undefined)
-  if (!decoded) return
-  const separator = decoded.indexOf(":")
-  if (separator === -1) return
-  return {
-    username: decoded.slice(0, separator) || "opencode",
-    password: decoded.slice(separator + 1),
-  }
-}
 
 export function createSdkForServer({
   server,
@@ -26,7 +10,7 @@ export function createSdkForServer({
   const auth = (() => {
     if (!server.password) return
     return {
-      Authorization: `Basic ${authTokenFromCredentials({ username: server.username, password: server.password })}`,
+      Authorization: `Basic ${btoa(`${server.username ?? "opencode"}:${server.password}`)}`,
     }
   })()
 

packages/app/src/utils/terminal-websocket-url.test.ts

@@ -1,52 +0,0 @@
-import { describe, expect, test } from "bun:test"
-import { terminalWebSocketURL } from "./terminal-websocket-url"
-
-describe("terminalWebSocketURL", () => {
-  test("uses query auth without embedding credentials in websocket URL", () => {
-    const url = terminalWebSocketURL({
-      url: "http://127.0.0.1:49365",
-      id: "pty_test",
-      directory: "/tmp/project",
-      cursor: 0,
-      sameOrigin: false,
-      username: "opencode",
-      password: "secret",
-    })
-
-    expect(url.protocol).toBe("ws:")
-    expect(url.username).toBe("")
-    expect(url.password).toBe("")
-    expect(url.searchParams.get("auth_token")).toBe(btoa("opencode:secret"))
-  })
-
-  test("omits query auth for same-origin saved credentials", () => {
-    const url = terminalWebSocketURL({
-      url: "https://app.example.test",
-      id: "pty_test",
-      directory: "/tmp/project",
-      cursor: 10,
-      sameOrigin: true,
-      username: "opencode",
-      password: "secret",
-    })
-
-    expect(url.protocol).toBe("wss:")
-    expect(url.searchParams.has("auth_token")).toBe(false)
-  })
-
-  test("uses query auth for same-origin credentials from auth_token", () => {
-    const url = terminalWebSocketURL({
-      url: "https://app.example.test",
-      id: "pty_test",
-      directory: "/tmp/project",
-      cursor: 10,
-      sameOrigin: true,
-      username: "opencode",
-      password: "secret",
-      authToken: true,
-    })
-
-    expect(url.protocol).toBe("wss:")
-    expect(url.searchParams.get("auth_token")).toBe(btoa("opencode:secret"))
-  })
-})

packages/app/src/utils/terminal-websocket-url.ts

@@ -1,28 +0,0 @@
-import { authTokenFromCredentials } from "@/utils/server"
-
-export function terminalWebSocketURL(input: {
-  url: string
-  id: string
-  directory: string
-  cursor: number
-  ticket?: string
-  sameOrigin?: boolean
-  username?: string
-  password?: string
-  authToken?: boolean
-}) {
-  const next = new URL(`${input.url}/pty/${input.id}/connect`)
-  next.searchParams.set("directory", input.directory)
-  next.searchParams.set("cursor", String(input.cursor))
-  next.protocol = next.protocol === "https:" ? "wss:" : "ws:"
-  if (input.ticket) {
-    next.searchParams.set("ticket", input.ticket)
-    return next
-  }
-  if (input.password && (!input.sameOrigin || input.authToken))
-    next.searchParams.set(
-      "auth_token",
-      authTokenFromCredentials({ username: input.username, password: input.password }),
-    )
-  return next
-}

packages/core/src/filesystem.ts

@@ -24,7 +24,6 @@ export namespace AppFileSystem {
     readonly isDir: (path: string) => Effect.Effect<boolean>
     readonly isFile: (path: string) => Effect.Effect<boolean>
     readonly existsSafe: (path: string) => Effect.Effect<boolean>
-    readonly readFileStringSafe: (path: string) => Effect.Effect<string | undefined, Error>
     readonly readJson: (path: string) => Effect.Effect<unknown, Error>
     readonly writeJson: (path: string, data: unknown, mode?: number) => Effect.Effect<void, Error>
     readonly ensureDir: (path: string) => Effect.Effect<void, Error>
@@ -48,12 +47,6 @@ export namespace AppFileSystem {
         return yield* fs.exists(path).pipe(Effect.orElseSucceed(() => false))
       })
 
-      const readFileStringSafe = Effect.fn("FileSystem.readFileStringSafe")(function* (path: string) {
-        return yield* fs
-          .readFileString(path)
-          .pipe(Effect.catchReason("PlatformError", "NotFound", () => Effect.succeed(undefined)))
-      })
-
       const isDir = Effect.fn("FileSystem.isDir")(function* (path: string) {
         const info = yield* fs.stat(path).pipe(Effect.catch(() => Effect.void))
         return info?.type === "Directory"
@@ -170,7 +163,6 @@ export namespace AppFileSystem {
       return Service.of({
         ...fs,
         existsSafe,
-        readFileStringSafe,
         isDir,
         isFile,
         readDirectoryEntries,

packages/core/src/flag/flag.ts

@@ -1,4 +1,5 @@
 import { Config } from "effect"
+import { InstallationChannel } from "../installation/version"
 
 function truthy(key: string) {
   const value = process.env[key]?.toLowerCase()
@@ -10,6 +11,10 @@ function falsy(key: string) {
   return value === "false" || value === "0"
 }
 
+// Channels that default to the new effect-httpapi server backend. The legacy
+// hono backend remains the default for stable (`prod`/`latest`) installs.
+const HTTPAPI_DEFAULT_ON_CHANNELS = new Set(["dev", "beta", "local"])
+
 function number(key: string) {
   const value = process.env[key]
   if (!value) return undefined
@@ -81,6 +86,14 @@ export const Flag = {
   OPENCODE_STRICT_CONFIG_DEPS: truthy("OPENCODE_STRICT_CONFIG_DEPS"),
 
   OPENCODE_WORKSPACE_ID: process.env["OPENCODE_WORKSPACE_ID"],
+  // Defaults to true on dev/beta/local channels so internal users exercise the
+  // new effect-httpapi server backend. Stable (`prod`/`latest`) installs stay
+  // on the legacy hono backend until the rollout is complete. An explicit env
+  // var ("true"/"1" or "false"/"0") always wins, providing an opt-in for
+  // stable users and an escape hatch for dev/beta users.
+  OPENCODE_EXPERIMENTAL_HTTPAPI:
+    truthy("OPENCODE_EXPERIMENTAL_HTTPAPI") ||
+    (!falsy("OPENCODE_EXPERIMENTAL_HTTPAPI") && HTTPAPI_DEFAULT_ON_CHANNELS.has(InstallationChannel)),
   OPENCODE_EXPERIMENTAL_WORKSPACES: OPENCODE_EXPERIMENTAL || truthy("OPENCODE_EXPERIMENTAL_WORKSPACES"),
   OPENCODE_EXPERIMENTAL_EVENT_SYSTEM: OPENCODE_EXPERIMENTAL || truthy("OPENCODE_EXPERIMENTAL_EVENT_SYSTEM"),
 

packages/core/test/filesystem/filesystem.test.ts

@@ -65,34 +65,6 @@ describe("AppFileSystem", () => {
     )
   })
 
-  describe("readFileStringSafe", () => {
-    it(
-      "returns file contents when file exists",
-      Effect.gen(function* () {
-        const fs = yield* AppFileSystem.Service
-        const filesys = yield* FileSystem.FileSystem
-        const tmp = yield* filesys.makeTempDirectoryScoped()
-        const file = path.join(tmp, "exists.txt")
-        yield* filesys.writeFileString(file, "hello")
-
-        const result = yield* fs.readFileStringSafe(file)
-        expect(result).toBe("hello")
-      }),
-    )
-
-    it(
-      "returns undefined for missing file (NotFound)",
-      Effect.gen(function* () {
-        const fs = yield* AppFileSystem.Service
-        const filesys = yield* FileSystem.FileSystem
-        const tmp = yield* filesys.makeTempDirectoryScoped()
-
-        const result = yield* fs.readFileStringSafe(path.join(tmp, "does-not-exist.txt"))
-        expect(result).toBeUndefined()
-      }),
-    )
-  })
-
   describe("readJson / writeJson", () => {
     it(
       "round-trips JSON data",

packages/desktop-electron/electron-builder.config.ts

@@ -27,7 +27,7 @@ const channel = (() => {
 })()
 
 const getBase = (): Configuration => ({
-  artifactName: "opencode-desktop-${os}-${arch}.${ext}",
+  artifactName: "opencode-electron-${os}-${arch}.${ext}",
   directories: {
     output: "dist",
     buildResources: "resources",

packages/desktop/scripts/finalize-latest-json.ts

@@ -1,8 +1,7 @@
 #!/usr/bin/env bun
 
+import { Buffer } from "node:buffer"
 import { $ } from "bun"
-import path from "node:path"
-import { parseArgs } from "node:util"
 
 const { values } = parseArgs({
   args: Bun.argv.slice(2),
@@ -13,6 +12,8 @@ const { values } = parseArgs({
 
 const dryRun = values["dry-run"]
 
+import { parseArgs } from "node:util"
+
 const repo = process.env.GH_REPO
 if (!repo) throw new Error("GH_REPO is required")
 
@@ -22,22 +23,20 @@ if (!releaseId) throw new Error("OPENCODE_RELEASE is required")
 const version = process.env.OPENCODE_VERSION
 if (!version) throw new Error("OPENCODE_VERSION is required")
 
-const dir = process.env.LATEST_YML_DIR
-if (!dir) throw new Error("LATEST_YML_DIR is required")
-const root = dir
-
 const token = process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN
 if (!token) throw new Error("GH_TOKEN or GITHUB_TOKEN is required")
 
-const rel = await fetch(`https://api.github.com/repos/${repo}/releases/${releaseId}`, {
-  headers: {
-    Authorization: `token ${token}`,
-    Accept: "application/vnd.github+json",
-  },
+const apiHeaders = {
+  Authorization: `token ${token}`,
+  Accept: "application/vnd.github+json",
+}
+
+const releaseRes = await fetch(`https://api.github.com/repos/${repo}/releases/${releaseId}`, {
+  headers: apiHeaders,
 })
 
-if (!rel.ok) {
-  throw new Error(`Failed to fetch release: ${rel.status} ${rel.statusText}`)
+if (!releaseRes.ok) {
+  throw new Error(`Failed to fetch release: ${releaseRes.status} ${releaseRes.statusText}`)
 }
 
 type Asset = {
@@ -46,169 +45,115 @@ type Asset = {
 }
 
 type Release = {
+  tag_name?: string
   assets?: Asset[]
 }
 
-const assets = ((await rel.json()) as Release).assets ?? []
-const amap = new Map(assets.map((item) => [item.name, item]))
+const release = (await releaseRes.json()) as Release
+const assets = release.assets ?? []
+const assetByName = new Map(assets.map((asset) => [asset.name, asset]))
 
-type Item = {
-  url: string
+const latestAsset = assetByName.get("latest.json")
+if (!latestAsset) {
+  console.log("latest.json not found, skipping tauri finalization")
+  process.exit(0)
 }
 
-type Yml = {
-  version: string
-  files: Item[]
+const latestRes = await fetch(latestAsset.url, {
+  headers: {
+    Authorization: `token ${token}`,
+    Accept: "application/octet-stream",
+  },
+})
+
+if (!latestRes.ok) {
+  throw new Error(`Failed to fetch latest.json: ${latestRes.status} ${latestRes.statusText}`)
 }
 
-function parse(text: string): Yml {
-  const lines = text.split("\n")
-  let version = ""
-  const files: Item[] = []
-  let url = ""
+const latestText = new TextDecoder().decode(await latestRes.arrayBuffer())
+const latest = JSON.parse(latestText)
+const base = { ...latest }
+delete base.platforms
 
-  const flush = () => {
-    if (!url) return
-    files.push({ url })
-    url = ""
-  }
-
-  for (const line of lines) {
-    const trim = line.trim()
-    if (line.startsWith("version:")) {
-      version = line.slice("version:".length).trim()
-      continue
-    }
-    if (trim.startsWith("- url:")) {
-      flush()
-      url = trim.slice("- url:".length).trim()
-      continue
-    }
-    const indented = line.startsWith("  ") || line.startsWith("\t")
-    if (!indented) flush()
-  }
-  flush()
-
-  return { version, files }
-}
-
-async function read(sub: string, file: string) {
-  const item = Bun.file(path.join(root, sub, file))
-  if (!(await item.exists())) return undefined
-  return parse(await item.text())
-}
-
-function pick(list: Item[], exts: string[]) {
-  for (const ext of exts) {
-    const found = list.find((item) => item.url.split("?")[0]?.toLowerCase().endsWith(ext))
-    if (found) return found.url
-  }
-}
-
-function link(raw: string) {
-  if (raw.startsWith("https://") || raw.startsWith("http://")) return raw
-  return `https://github.com/${repo}/releases/download/v${version}/${raw}`
-}
-
-async function sign(url: string, key: string) {
-  const name = decodeURIComponent(new URL(url).pathname.split("/").pop() ?? key)
-  const asset = amap.get(name)
-  const res = await fetch(asset?.url ?? url, {
+const fetchSignature = async (asset: Asset) => {
+  const res = await fetch(asset.url, {
     headers: {
       Authorization: `token ${token}`,
-      ...(asset ? { Accept: "application/octet-stream" } : {}),
+      Accept: "application/octet-stream",
     },
   })
+
   if (!res.ok) {
-    throw new Error(`Failed to fetch file ${name}: ${res.status} ${res.statusText} (${asset?.url ?? url})`)
+    throw new Error(`Failed to fetch signature: ${res.status} ${res.statusText}`)
   }
 
-  const tmp = process.env.RUNNER_TEMP ?? "/tmp"
-  const file = path.join(tmp, name)
-  await Bun.write(file, await res.arrayBuffer())
-  await $`bunx @tauri-apps/cli signer sign ${file}`
-  const sigFile = Bun.file(`${file}.sig`)
-  if (!(await sigFile.exists())) throw new Error(`Signature file not found for ${name}`)
-  return (await sigFile.text()).trim()
+  return Buffer.from(await res.arrayBuffer()).toString()
 }
 
-const add = async (data: Record<string, { url: string; signature: string }>, key: string, raw: string | undefined) => {
-  if (!raw) return
-  if (data[key]) return
-  const url = link(raw)
-  data[key] = { url, signature: await sign(url, key) }
+const entries: Record<string, { url: string; signature: string }> = {}
+const add = (key: string, asset: Asset, signature: string) => {
+  if (entries[key]) return
+  entries[key] = {
+    url: `https://github.com/${repo}/releases/download/v${version}/${asset.name}`,
+    signature,
+  }
 }
 
-const alias = (data: Record<string, { url: string; signature: string }>, key: string, src: string) => {
-  if (data[key]) return
-  if (!data[src]) return
-  data[key] = data[src]
+const targets = [
+  { key: "linux-x86_64-deb", asset: "opencode-desktop-linux-amd64.deb" },
+  { key: "linux-x86_64-rpm", asset: "opencode-desktop-linux-x86_64.rpm" },
+  { key: "linux-aarch64-deb", asset: "opencode-desktop-linux-arm64.deb" },
+  { key: "linux-aarch64-rpm", asset: "opencode-desktop-linux-aarch64.rpm" },
+  { key: "windows-aarch64-nsis", asset: "opencode-desktop-windows-arm64.exe" },
+  { key: "windows-x86_64-nsis", asset: "opencode-desktop-windows-x64.exe" },
+  { key: "darwin-x86_64-app", asset: "opencode-desktop-darwin-x64.app.tar.gz" },
+  {
+    key: "darwin-aarch64-app",
+    asset: "opencode-desktop-darwin-aarch64.app.tar.gz",
+  },
+]
+
+for (const target of targets) {
+  const asset = assetByName.get(target.asset)
+  if (!asset) continue
+
+  const sig = assetByName.get(`${target.asset}.sig`)
+  if (!sig) continue
+
+  const signature = await fetchSignature(sig)
+  add(target.key, asset, signature)
 }
 
-const winx = await read("latest-yml-x86_64-pc-windows-msvc", "latest.yml")
-const wina = await read("latest-yml-aarch64-pc-windows-msvc", "latest.yml")
-const macx = await read("latest-yml-x86_64-apple-darwin", "latest-mac.yml")
-const maca = await read("latest-yml-aarch64-apple-darwin", "latest-mac.yml")
-const linx = await read("latest-yml-x86_64-unknown-linux-gnu", "latest-linux.yml")
-const lina = await read("latest-yml-aarch64-unknown-linux-gnu", "latest-linux-arm64.yml")
+const alias = (key: string, source: string) => {
+  if (entries[key]) return
+  const entry = entries[source]
+  if (!entry) return
+  entries[key] = entry
+}
 
-const yver = winx?.version ?? wina?.version ?? macx?.version ?? maca?.version ?? linx?.version ?? lina?.version
-if (yver && yver !== version) throw new Error(`latest.yml version mismatch: expected ${version}, got ${yver}`)
-
-const out: Record<string, { url: string; signature: string }> = {}
-
-const winxexe = pick(winx?.files ?? [], [".exe"])
-const winaexe = pick(wina?.files ?? [], [".exe"])
-
-const macxTarGz = "opencode-desktop-mac-x64.app.tar.gz"
-const macaTarGz = "opencode-desktop-mac-arm64.app.tar.gz"
-
-const linxDeb = pick(linx?.files ?? [], [".deb"])
-const linxRpm = pick(linx?.files ?? [], [".rpm"])
-const linxAppImage = pick(linx?.files ?? [], [".appimage"])
-const linaDeb = pick(lina?.files ?? [], [".deb"])
-const linaRpm = pick(lina?.files ?? [], [".rpm"])
-const linaAppImage = pick(lina?.files ?? [], [".appimage"])
-
-await add(out, "windows-x86_64-nsis", winxexe)
-await add(out, "windows-aarch64-nsis", winaexe)
-await add(out, "darwin-x86_64-app", macxTarGz)
-await add(out, "darwin-aarch64-app", macaTarGz)
-
-await add(out, "linux-x86_64-deb", linxDeb)
-await add(out, "linux-x86_64-rpm", linxRpm)
-await add(out, "linux-x86_64-appimage", linxAppImage)
-await add(out, "linux-aarch64-deb", linaDeb)
-await add(out, "linux-aarch64-rpm", linaRpm)
-await add(out, "linux-aarch64-appimage", linaAppImage)
-
-alias(out, "windows-x86_64", "windows-x86_64-nsis")
-alias(out, "windows-aarch64", "windows-aarch64-nsis")
-alias(out, "darwin-x86_64", "darwin-x86_64-app")
-alias(out, "darwin-aarch64", "darwin-aarch64-app")
-alias(out, "linux-x86_64", "linux-x86_64-deb")
-alias(out, "linux-aarch64", "linux-aarch64-deb")
+alias("linux-x86_64", "linux-x86_64-deb")
+alias("linux-aarch64", "linux-aarch64-deb")
+alias("windows-aarch64", "windows-aarch64-nsis")
+alias("windows-x86_64", "windows-x86_64-nsis")
+alias("darwin-x86_64", "darwin-x86_64-app")
+alias("darwin-aarch64", "darwin-aarch64-app")
 
 const platforms = Object.fromEntries(
-  Object.keys(out)
+  Object.keys(entries)
     .sort()
-    .map((key) => [key, out[key]]),
+    .map((key) => [key, entries[key]]),
 )
-
-if (!Object.keys(platforms).length) throw new Error("No updater files found in latest.yml artifacts")
-
-const data = {
-  version,
-  notes: "",
-  pub_date: new Date().toISOString(),
+const output = {
+  ...base,
   platforms,
 }
 
-const tmp = process.env.RUNNER_TEMP ?? "/tmp"
-const file = path.join(tmp, "latest.json")
-await Bun.write(file, JSON.stringify(data, null, 2))
+const dir = process.env.RUNNER_TEMP ?? "/tmp"
+const file = `${dir}/latest.json`
+await Bun.write(file, JSON.stringify(output, null, 2))
 
-const tag = `v${version}`
+const tag = release.tag_name
+if (!tag) throw new Error("Release tag not found")
 
 if (dryRun) {
   console.log(`dry-run: wrote latest.json for ${tag} to ${file}`)

packages/effect-drizzle-sqlite/package.json

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://json.schemastore.org/package.json",
+  "name": "@opencode-ai/effect-drizzle-sqlite",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "license": "MIT",
+  "scripts": {
+    "test": "bun test",
+    "typecheck": "tsgo --noEmit"
+  },
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "dependencies": {
+    "drizzle-orm": "catalog:",
+    "effect": "catalog:"
+  },
+  "devDependencies": {
+    "@tsconfig/bun": "catalog:",
+    "@types/bun": "catalog:",
+    "@typescript/native-preview": "catalog:"
+  }
+}

packages/effect-drizzle-sqlite/src/index.ts

@@ -0,0 +1,246 @@
+import { Database } from "bun:sqlite"
+import { drizzle as drizzleBun, type SQLiteBunDatabase } from "drizzle-orm/bun-sqlite"
+import type { AnyRelations, EmptyRelations } from "drizzle-orm/relations"
+import { SQLiteCountBuilder } from "drizzle-orm/sqlite-core/query-builders/count"
+import { SQLiteDeleteBase } from "drizzle-orm/sqlite-core/query-builders/delete"
+import { SQLiteInsertBase } from "drizzle-orm/sqlite-core/query-builders/insert"
+import { SQLiteRelationalQuery, SQLiteSyncRelationalQuery } from "drizzle-orm/sqlite-core/query-builders/_query"
+import { SQLiteSelectBase } from "drizzle-orm/sqlite-core/query-builders/select"
+import { SQLiteUpdateBase } from "drizzle-orm/sqlite-core/query-builders/update"
+import type { PreparedQueryConfig, SQLiteSession, SQLiteTransaction, SQLiteTransactionConfig } from "drizzle-orm/sqlite-core/session"
+import { SQLitePreparedQuery } from "drizzle-orm/sqlite-core/session"
+import type { DrizzleConfig } from "drizzle-orm/utils"
+import { Cause, Effect, Exit, Schema } from "effect"
+import * as Effectable from "effect/Effectable"
+
+export class EffectDrizzleQueryError extends Schema.TaggedErrorClass<EffectDrizzleQueryError>()(
+  "EffectDrizzleQueryError",
+  {
+    query: Schema.String,
+    params: Schema.Array(Schema.Unknown),
+    cause: Schema.Unknown,
+  },
+) {
+  override get message() {
+    return `Failed query: ${this.query}\nparams: ${this.params}`
+  }
+
+  constructor(params: { readonly query: string; readonly params: ReadonlyArray<unknown>; readonly cause: unknown }) {
+    super(params)
+    Error.captureStackTrace?.(this, EffectDrizzleQueryError)
+  }
+}
+
+export type EffectSQLiteDatabase<
+  TSchema extends Record<string, unknown> = Record<string, never>,
+  TRelations extends AnyRelations = EmptyRelations,
+> = SQLiteBunDatabase<TSchema, TRelations> & {
+  readonly $client: Database
+  readonly withTransaction: <A, E, R>(
+    effect: Effect.Effect<A, E, R>,
+    config?: SQLiteTransactionConfig,
+  ) => Effect.Effect<A, E, R>
+}
+
+export type MakeConfig<
+  TSchema extends Record<string, unknown> = Record<string, never>,
+  TRelations extends AnyRelations = EmptyRelations,
+> = DrizzleConfig<TSchema, TRelations> & {
+  readonly client?: Database
+}
+
+type EffectLikeQuery<A = unknown> = {
+  readonly asEffect?: () => Effect.Effect<A, EffectDrizzleQueryError>
+  readonly toSQL?: () => { readonly sql: string; readonly params?: readonly unknown[] }
+}
+
+type PreparedLike<A = unknown> = EffectLikeQuery<A> & {
+  readonly execute: () => unknown
+  readonly getQuery?: () => { readonly sql: string; readonly params?: readonly unknown[] }
+}
+
+type SelectLike<A = unknown> = EffectLikeQuery<A> & {
+  readonly all: () => A
+}
+
+type GetLike<A = unknown> = EffectLikeQuery & {
+  readonly get: () => A
+}
+
+type MutationLike<A = unknown> = EffectLikeQuery<A> & {
+  readonly all: () => A
+  readonly run: () => A
+  readonly config?: { readonly returning?: unknown }
+}
+
+type CountLike = EffectLikeQuery<number> & {
+  readonly session: { readonly values: (sql: unknown) => unknown[][] }
+  readonly sql: unknown
+}
+
+class TransactionFailure extends Error {
+  constructor(readonly effectCause: Cause.Cause<unknown>) {
+    super("Effect transaction failed")
+  }
+}
+
+const queryInfo = (query: EffectLikeQuery | PreparedLike) => {
+  const info = "getQuery" in query && typeof query.getQuery === "function" ? query.getQuery() : query.toSQL?.()
+  return {
+    query: info?.sql ?? "<unknown>",
+    params: [...(info?.params ?? [])],
+  }
+}
+
+const queryError = (query: EffectLikeQuery | PreparedLike, cause: unknown) =>
+  new EffectDrizzleQueryError({
+    ...queryInfo(query),
+    cause,
+  })
+
+const fromSync = <A>(query: EffectLikeQuery, run: () => A) =>
+  Effect.try({
+    try: run,
+    catch: (cause) => queryError(query, cause),
+  })
+
+const fromMutation = (query: MutationLike) => fromSync(query, () => (query.config?.returning ? query.all() : query.run()))
+
+const fromCount = (query: CountLike) => fromSync(query, () => Number(query.session.values(query.sql)[0]?.[0] ?? 0))
+
+export const getOne = <A>(query: GetLike<A>) => fromSync(query, () => query.get())
+
+const fromExecuteResult = (result: unknown) => {
+  if (result && typeof result === "object" && "sync" in result && typeof result.sync === "function") {
+    return result.sync()
+  }
+  return result
+}
+
+const queryEffectProto = {
+  ...Effectable.Prototype<Effect.Effect<unknown, EffectDrizzleQueryError> & EffectLikeQuery>({
+    label: "DrizzleSqliteQuery",
+    evaluate(this: EffectLikeQuery) {
+      return this.asEffect?.() ?? Effect.die("Drizzle SQLite query is missing asEffect()")
+    },
+  }),
+  commit(this: EffectLikeQuery) {
+    return this.asEffect?.() ?? Effect.die("Drizzle SQLite query is missing asEffect()")
+  },
+}
+
+const patchClass = <A>(ctor: { readonly prototype: object }, asEffect: (self: A) => Effect.Effect<unknown, EffectDrizzleQueryError>) => {
+  if (Object.prototype.hasOwnProperty.call(ctor.prototype, "asEffect")) return
+  Object.assign(ctor.prototype, queryEffectProto, {
+    asEffect(this: A) {
+      return asEffect(this)
+    },
+  })
+}
+
+// `patchClass` is idempotent via `hasOwnProperty` check, so calling this
+// repeatedly is cheap. Patches are applied to Drizzle prototypes globally and
+// survive any Database close/reopen cycle.
+const patchQueryBuilders = () => {
+  patchClass(SQLitePreparedQuery, (query: PreparedLike) => fromSync(query, () => fromExecuteResult(query.execute())))
+  patchClass(SQLiteSelectBase, (query: SelectLike) => fromSync(query, () => query.all()))
+  patchClass(SQLiteInsertBase, fromMutation)
+  patchClass(SQLiteUpdateBase, fromMutation)
+  patchClass(SQLiteDeleteBase, fromMutation)
+  patchClass(SQLiteRelationalQuery, (query: EffectLikeQuery & { readonly executeRaw: () => unknown }) =>
+    fromSync(query, () => query.executeRaw()),
+  )
+  patchClass(SQLiteSyncRelationalQuery, (query: EffectLikeQuery & { readonly executeRaw: () => unknown }) =>
+    fromSync(query, () => query.executeRaw()),
+  )
+  patchClass(SQLiteCountBuilder, fromCount)
+}
+
+const attachTransaction = <
+  TSchema extends Record<string, unknown> = Record<string, never>,
+  TRelations extends AnyRelations = EmptyRelations,
+>(db: SQLiteBunDatabase<TSchema, TRelations> & { readonly $client: Database }): EffectSQLiteDatabase<TSchema, TRelations> => {
+  const txStack: Array<SQLiteTransaction<"sync", void, TSchema, TRelations>> = []
+  const bound = new WeakMap<object, Map<PropertyKey, unknown>>()
+  const current = () => txStack.at(-1) ?? db
+  const runTransaction = (target: SQLiteBunDatabase<TSchema, TRelations> | SQLiteTransaction<"sync", void, TSchema, TRelations>) =>
+    target.transaction.bind(target) as (
+      transaction: (tx: SQLiteTransaction<"sync", void, TSchema, TRelations>) => unknown,
+      config?: SQLiteTransactionConfig,
+    ) => unknown
+
+  const withTransaction = <A, E, R>(
+    effect: Effect.Effect<A, E, R>,
+    config?: SQLiteTransactionConfig,
+  ): Effect.Effect<A, E, R> =>
+    Effect.context<R>().pipe(
+      Effect.flatMap((context) =>
+        Effect.sync(
+          () =>
+            runTransaction(current())((tx) => {
+              txStack.push(tx)
+              try {
+                const exit = Effect.runSyncExit(Effect.provideContext(effect, context))
+                if (Exit.isSuccess(exit)) return exit.value
+                throw new TransactionFailure(exit.cause)
+              } finally {
+                txStack.pop()
+              }
+            }, config) as A,
+        ).pipe(
+          Effect.catchDefect((defect) =>
+            defect instanceof TransactionFailure ? Effect.failCause(defect.effectCause as Cause.Cause<E>) : Effect.die(defect),
+          ),
+        ),
+      ),
+    )
+
+  return new Proxy(db, {
+    get(_target, property) {
+      if (property === "withTransaction") return withTransaction
+      if (property === "$client") return db.$client
+
+      const target = current()
+      const value = Reflect.get(target, property)
+      if (typeof value !== "function") return value
+      const methods = bound.get(target) ?? new Map<PropertyKey, unknown>()
+      bound.set(target, methods)
+      if (!methods.has(property)) methods.set(property, value.bind(target))
+      return methods.get(property)
+    },
+  }) as EffectSQLiteDatabase<TSchema, TRelations>
+}
+
+export const make = <
+  TSchema extends Record<string, unknown> = Record<string, never>,
+  TRelations extends AnyRelations = EmptyRelations,
+>(config: MakeConfig<TSchema, TRelations> = {}): EffectSQLiteDatabase<TSchema, TRelations> => {
+  patchQueryBuilders()
+  return attachTransaction(
+    drizzleBun({
+      ...config,
+      client: config.client ?? new Database(":memory:"),
+    }),
+  )
+}
+
+export const drizzle = make
+
+declare module "drizzle-orm/query-promise" {
+  interface QueryPromise<T> extends Effect.Effect<T, EffectDrizzleQueryError> {
+    asEffect(): Effect.Effect<T, EffectDrizzleQueryError>
+  }
+}
+
+declare module "drizzle-orm/sqlite-core/session" {
+  interface SQLitePreparedQuery<T extends PreparedQueryConfig> extends Effect.Effect<T["execute"], EffectDrizzleQueryError> {
+    asEffect(): Effect.Effect<T["execute"], EffectDrizzleQueryError>
+  }
+}
+
+declare module "drizzle-orm/sqlite-core/query-builders/count" {
+  interface SQLiteCountBuilder<TSession extends SQLiteSession<any, any, any, any>>
+    extends Effect.Effect<number, EffectDrizzleQueryError> {
+    asEffect(): Effect.Effect<number, EffectDrizzleQueryError>
+  }
+}

packages/effect-drizzle-sqlite/test/sqlite.test.ts

@@ -0,0 +1,246 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test"
+import { Database } from "bun:sqlite"
+import { eq } from "drizzle-orm"
+import { relations } from "drizzle-orm/_relations"
+import { drizzle as drizzleBun } from "drizzle-orm/bun-sqlite"
+import { integer, sqliteTable, text } from "drizzle-orm/sqlite-core"
+import { Cause, Effect, Exit } from "effect"
+import { EffectDrizzleQueryError, getOne, make, type EffectSQLiteDatabase } from "../src"
+
+const users = sqliteTable("users", {
+  id: integer().primaryKey(),
+  name: text().notNull(),
+})
+
+const posts = sqliteTable("posts", {
+  id: integer().primaryKey(),
+  user_id: integer()
+    .notNull()
+    .references(() => users.id),
+  title: text().notNull(),
+})
+
+const usersRelations = relations(users, ({ many }) => ({
+  posts: many(posts),
+}))
+
+const postsRelations = relations(posts, ({ one }) => ({
+  user: one(users, {
+    fields: [posts.user_id],
+    references: [users.id],
+  }),
+}))
+
+const schema = { users, posts, usersRelations, postsRelations }
+
+let db: EffectSQLiteDatabase<typeof schema>
+
+const testEffect = <A, E>(name: string, effect: () => Effect.Effect<A, E>) => test(name, () => Effect.runPromise(effect()))
+
+beforeEach(() => {
+  db = make({ schema })
+  db.$client.run("PRAGMA foreign_keys = ON")
+  db.$client.run("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
+  db.$client.run(
+    "CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id), title TEXT NOT NULL)",
+  )
+})
+
+afterEach(() => {
+  db.$client.close()
+})
+
+describe("effect drizzle sqlite", () => {
+  test("keeps normal Drizzle Bun SQLite clients usable after patching", async () => {
+    const sqlite = new Database(":memory:")
+    try {
+      const normal = drizzleBun({ client: sqlite })
+      sqlite.run("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
+
+      normal.insert(users).values({ id: 1, name: "Ada" }).run()
+
+      expect(normal.select().from(users).all()).toEqual([{ id: 1, name: "Ada" }])
+      expect(await normal.select().from(users)).toEqual([{ id: 1, name: "Ada" }])
+    } finally {
+      sqlite.close()
+    }
+  })
+
+  testEffect("makes select/insert/update/delete query builders yieldable Effects", () =>
+    Effect.gen(function* () {
+      yield* db.insert(users).values({ id: 1, name: "Ada" })
+      yield* db.insert(users).values({ id: 2, name: "Grace" })
+
+      const selected = yield* db.select().from(users).orderBy(users.id)
+      expect(selected).toEqual([
+        { id: 1, name: "Ada" },
+        { id: 2, name: "Grace" },
+      ])
+
+      const updated = yield* db.update(users).set({ name: "Lovelace" }).where(eq(users.id, 1)).returning()
+      expect(updated).toEqual([{ id: 1, name: "Lovelace" }])
+
+      const deleted = yield* db.delete(users).where(eq(users.id, 2)).returning({ id: users.id })
+      expect(deleted).toEqual([{ id: 2 }])
+
+      expect(yield* db.select().from(users)).toEqual([{ id: 1, name: "Lovelace" }])
+    }),
+  )
+
+  testEffect("supports direct Effect combinators on queries", () =>
+    Effect.gen(function* () {
+      yield* db.insert(users).values({ id: 1, name: "Ada" })
+
+      expect(
+        yield* (db.select().from(users) as Effect.Effect<Array<{ readonly name: string }>, EffectDrizzleQueryError>).pipe(
+          Effect.map((rows) => rows.map((row) => row.name)),
+        ),
+      ).toEqual(["Ada"])
+    }),
+  )
+
+  testEffect("supports relational query builders", () =>
+    Effect.gen(function* () {
+      yield* db.insert(users).values({ id: 1, name: "Ada" })
+      yield* db.insert(posts).values({ id: 1, user_id: 1, title: "Notes" })
+      expect(
+        yield* db._query.users.findMany({
+          with: {
+            posts: true,
+          },
+        }),
+      ).toEqual([
+        {
+          id: 1,
+          name: "Ada",
+          posts: [{ id: 1, user_id: 1, title: "Notes" }],
+        },
+      ])
+    }),
+  )
+
+  testEffect("runs synchronous Effect programs inside transactions", () =>
+    Effect.gen(function* () {
+      yield* Effect.gen(function* () {
+        yield* db.insert(users).values({ id: 1, name: "Ada" })
+        return yield* db.select().from(users)
+      }).pipe(db.withTransaction)
+
+      expect(yield* db.select().from(users)).toEqual([{ id: 1, name: "Ada" }])
+
+      const exit = yield* Effect.exit(
+        Effect.gen(function* () {
+          yield* db.insert(users).values({ id: 2, name: "Grace" })
+          return yield* Effect.fail("rollback")
+        }).pipe(db.withTransaction),
+      )
+
+      expect(Exit.isFailure(exit)).toBe(true)
+      expect(yield* db.select().from(users).orderBy(users.id)).toEqual([{ id: 1, name: "Ada" }])
+    }),
+  )
+
+  testEffect("supports pipeable transactions using the same database service", () =>
+    Effect.gen(function* () {
+      const exit = yield* Effect.gen(function* () {
+        yield* db.insert(users).values({ id: 1, name: "Ada" })
+        return yield* Effect.fail("rollback")
+      }).pipe(db.withTransaction, Effect.exit)
+
+      expect(Exit.isFailure(exit)).toBe(true)
+      expect(yield* db.select().from(users)).toEqual([])
+
+      yield* Effect.gen(function* () {
+        yield* db.insert(users).values({ id: 2, name: "Grace" })
+        expect(yield* db.$count(users)).toBe(1)
+      }).pipe(db.withTransaction)
+
+      expect(yield* db.select().from(users)).toEqual([{ id: 2, name: "Grace" }])
+    }),
+  )
+
+  testEffect("supports count builders and prepared queries", () =>
+    Effect.gen(function* () {
+      yield* db.insert(users).values([
+        { id: 1, name: "Ada" },
+        { id: 2, name: "Grace" },
+      ])
+
+      expect(yield* db.$count(users)).toBe(2)
+
+      const prepared = db.select().from(users).orderBy(users.id).prepare()
+      expect(yield* prepared).toEqual([
+        { id: 1, name: "Ada" },
+        { id: 2, name: "Grace" },
+      ])
+    }),
+  )
+
+  testEffect("supports single-row select effects", () =>
+    Effect.gen(function* () {
+      yield* db.insert(users).values({ id: 1, name: "Ada" })
+
+      expect(yield* getOne(db.select().from(users).where(eq(users.id, 1)))).toEqual({ id: 1, name: "Ada" })
+      expect(yield* getOne(db.select().from(users).where(eq(users.id, 2)))).toBeUndefined()
+    }),
+  )
+
+  testEffect("nested pipeable transactions commit or roll back with the outer transaction", () =>
+    Effect.gen(function* () {
+      yield* Effect.gen(function* () {
+        yield* db.insert(users).values({ id: 1, name: "Ada" })
+        yield* Effect.gen(function* () {
+          yield* db.insert(users).values({ id: 2, name: "Grace" })
+        }).pipe(db.withTransaction)
+      }).pipe(db.withTransaction)
+
+      expect(yield* db.select().from(users).orderBy(users.id)).toEqual([
+        { id: 1, name: "Ada" },
+        { id: 2, name: "Grace" },
+      ])
+
+      const exit = yield* Effect.gen(function* () {
+        yield* db.insert(users).values({ id: 3, name: "Katherine" })
+        yield* Effect.gen(function* () {
+          yield* db.insert(users).values({ id: 4, name: "Dorothy" })
+          return yield* Effect.fail("inner rollback")
+        }).pipe(db.withTransaction)
+      }).pipe(db.withTransaction, Effect.exit)
+
+      expect(Exit.isFailure(exit)).toBe(true)
+      expect(yield* db.select().from(users).orderBy(users.id)).toEqual([
+        { id: 1, name: "Ada" },
+        { id: 2, name: "Grace" },
+      ])
+    }),
+  )
+
+  testEffect("defects inside transactions roll back and stay defects", () =>
+    Effect.gen(function* () {
+      const exit = yield* Effect.gen(function* () {
+        yield* db.insert(users).values({ id: 1, name: "Ada" })
+        return yield* Effect.die("boom")
+      }).pipe(db.withTransaction, Effect.exit)
+
+      expect(Exit.isFailure(exit)).toBe(true)
+      if (Exit.isFailure(exit)) {
+        expect(exit.cause.reasons.some(Cause.isDieReason)).toBe(true)
+      }
+      expect(yield* db.select().from(users)).toEqual([])
+    }),
+  )
+
+  testEffect("wraps query failures with query text and parameters", () =>
+    Effect.gen(function* () {
+      const exit = yield* Effect.exit(db.insert(posts).values({ id: 1, user_id: 404, title: "Missing" }))
+
+      expect(Exit.isFailure(exit)).toBe(true)
+      if (Exit.isFailure(exit)) {
+        const error = exit.cause.reasons.filter(Cause.isFailReason)[0]?.error
+        expect(error).toBeInstanceOf(EffectDrizzleQueryError)
+        expect((error as EffectDrizzleQueryError).query).toContain("insert into")
+        expect((error as EffectDrizzleQueryError).params).toEqual([1, 404, "Missing"])
+      }
+    }),
+  )
+})

packages/effect-drizzle-sqlite/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "@tsconfig/bun/tsconfig.json",
+  "compilerOptions": {
+    "types": ["bun"],
+    "noUncheckedIndexedAccess": false,
+    "plugins": [
+      {
+        "name": "@effect/language-service",
+        "transform": "@effect/language-service/transform",
+        "namespaceImportPackages": ["effect", "@effect/*"]
+      }
+    ]
+  }
+}

packages/opencode/package.json

@@ -33,10 +33,10 @@
       "node": "./src/pty/pty.node.ts",
       "default": "./src/pty/pty.bun.ts"
     },
-    "#httpapi-server": {
-      "bun": "./src/server/httpapi-server.node.ts",
-      "node": "./src/server/httpapi-server.node.ts",
-      "default": "./src/server/httpapi-server.node.ts"
+    "#hono": {
+      "bun": "./src/server/adapter.bun.ts",
+      "node": "./src/server/adapter.node.ts",
+      "default": "./src/server/adapter.bun.ts"
     }
   },
   "devDependencies": {
@@ -101,11 +101,16 @@
     "@effect/opentelemetry": "catalog:",
     "@effect/platform-node": "catalog:",
     "@gitlab/opencode-gitlab-auth": "1.3.3",
+    "@hono/node-server": "1.19.11",
+    "@hono/node-ws": "1.3.0",
+    "@hono/standard-validator": "0.1.5",
+    "@hono/zod-validator": "catalog:",
     "@lydell/node-pty": "catalog:",
     "@modelcontextprotocol/sdk": "1.27.1",
     "@octokit/graphql": "9.0.2",
     "@octokit/rest": "catalog:",
     "@openauthjs/openauth": "catalog:",
+    "@opencode-ai/effect-drizzle-sqlite": "workspace:*",
     "@opencode-ai/plugin": "workspace:*",
     "@opencode-ai/script": "workspace:*",
     "@opencode-ai/sdk": "workspace:*",
@@ -140,6 +145,8 @@
     "glob": "13.0.5",
     "google-auth-library": "10.5.0",
     "gray-matter": "4.0.3",
+    "hono": "catalog:",
+    "hono-openapi": "catalog:",
     "ignore": "7.0.5",
     "immer": "11.1.4",
     "jsonc-parser": "3.3.1",

packages/opencode/src/cli/cmd/acp.ts

@@ -4,7 +4,6 @@ import { effectCmd } from "../effect-cmd"
 import { AgentSideConnection, ndJsonStream } from "@agentclientprotocol/sdk"
 import { ACP } from "@/acp/agent"
 import { Server } from "@/server/server"
-import { ServerAuth } from "@/server/auth"
 import { createOpencodeClient } from "@opencode-ai/sdk/v2"
 import { withNetworkOptions, resolveNetworkOptions } from "../network"
 
@@ -27,7 +26,6 @@ export const AcpCommand = effectCmd({
 
     const sdk = createOpencodeClient({
       baseUrl: `http://${server.hostname}:${server.port}`,
-      headers: ServerAuth.headers(),
     })
 
     const input = new WritableStream<Uint8Array>({

packages/opencode/src/cli/cmd/agent.ts

@@ -1,5 +1,6 @@
 import { cmd } from "./cmd"
 import * as prompts from "@clack/prompts"
+import { AppRuntime } from "@/effect/app-runtime"
 import { UI } from "../ui"
 import { Global } from "@opencode-ai/core/global"
 import { Agent } from "../../agent/agent"
@@ -65,166 +66,170 @@ const AgentCreateCommand = effectCmd({
     const maybeCtx = yield* InstanceRef
     if (!maybeCtx) return yield* Effect.die("InstanceRef not provided")
     const ctx = maybeCtx
-    const agentSvc = yield* Agent.Service
     yield* Effect.promise(async () => {
-      const cliPath = args.path
-      const cliDescription = args.description
-      const cliMode = args.mode as AgentMode | undefined
-      const perms = args.permissions
+        const cliPath = args.path
+        const cliDescription = args.description
+        const cliMode = args.mode as AgentMode | undefined
+        const perms = args.permissions
 
-      const isFullyNonInteractive = cliPath && cliDescription && cliMode && perms !== undefined
+        const isFullyNonInteractive = cliPath && cliDescription && cliMode && perms !== undefined
 
-      if (!isFullyNonInteractive) {
-        UI.empty()
-        prompts.intro("Create agent")
-      }
+        if (!isFullyNonInteractive) {
+          UI.empty()
+          prompts.intro("Create agent")
+        }
 
-      const project = ctx.project
+        const project = ctx.project
 
-      // Determine scope/path
-      let targetPath: string
-      if (cliPath) {
-        targetPath = path.join(cliPath, "agent")
-      } else {
-        let scope: "global" | "project" = "global"
-        if (project.vcs === "git") {
-          const scopeResult = await prompts.select({
-            message: "Location",
+        // Determine scope/path
+        let targetPath: string
+        if (cliPath) {
+          targetPath = path.join(cliPath, "agent")
+        } else {
+          let scope: "global" | "project" = "global"
+          if (project.vcs === "git") {
+            const scopeResult = await prompts.select({
+              message: "Location",
+              options: [
+                {
+                  label: "Current project",
+                  value: "project" as const,
+                  hint: ctx.worktree,
+                },
+                {
+                  label: "Global",
+                  value: "global" as const,
+                  hint: Global.Path.config,
+                },
+              ],
+            })
+            if (prompts.isCancel(scopeResult)) throw new UI.CancelledError()
+            scope = scopeResult
+          }
+          targetPath = path.join(
+            scope === "global" ? Global.Path.config : path.join(ctx.worktree, ".opencode"),
+            "agent",
+          )
+        }
+
+        // Get description
+        let description: string
+        if (cliDescription) {
+          description = cliDescription
+        } else {
+          const query = await prompts.text({
+            message: "Description",
+            placeholder: "What should this agent do?",
+            validate: (x) => (x && x.length > 0 ? undefined : "Required"),
+          })
+          if (prompts.isCancel(query)) throw new UI.CancelledError()
+          description = query
+        }
+
+        // Generate agent
+        const spinner = prompts.spinner()
+        spinner.start("Generating agent configuration...")
+        const model = args.model ? Provider.parseModel(args.model) : undefined
+        const generated = await AppRuntime.runPromise(
+          Agent.Service.use((svc) => svc.generate({ description, model })),
+        ).catch((error) => {
+          spinner.stop(`LLM failed to generate agent: ${error.message}`, 1)
+          if (isFullyNonInteractive) process.exit(1)
+          throw new UI.CancelledError()
+        })
+        spinner.stop(`Agent ${generated.identifier} generated`)
+
+        // Select permissions to allow
+        let selected: string[]
+        if (perms !== undefined) {
+          selected = perms ? perms.split(",").map((t) => t.trim()) : AVAILABLE_PERMISSIONS
+        } else {
+          const result = await prompts.multiselect({
+            message: "Select permissions to allow (Space to toggle)",
+            options: AVAILABLE_PERMISSIONS.map((permission) => ({
+              label: permission,
+              value: permission,
+            })),
+            initialValues: AVAILABLE_PERMISSIONS,
+          })
+          if (prompts.isCancel(result)) throw new UI.CancelledError()
+          selected = result
+        }
+
+        // Get mode
+        let mode: AgentMode
+        if (cliMode) {
+          mode = cliMode
+        } else {
+          const modeResult = await prompts.select({
+            message: "Agent mode",
             options: [
               {
-                label: "Current project",
-                value: "project" as const,
-                hint: ctx.worktree,
+                label: "All",
+                value: "all" as const,
+                hint: "Can function in both primary and subagent roles",
               },
               {
-                label: "Global",
-                value: "global" as const,
-                hint: Global.Path.config,
+                label: "Primary",
+                value: "primary" as const,
+                hint: "Acts as a primary/main agent",
+              },
+              {
+                label: "Subagent",
+                value: "subagent" as const,
+                hint: "Can be used as a subagent by other agents",
               },
             ],
+            initialValue: "all" as const,
           })
-          if (prompts.isCancel(scopeResult)) throw new UI.CancelledError()
-          scope = scopeResult
+          if (prompts.isCancel(modeResult)) throw new UI.CancelledError()
+          mode = modeResult
         }
-        targetPath = path.join(scope === "global" ? Global.Path.config : path.join(ctx.worktree, ".opencode"), "agent")
-      }
 
-      // Get description
-      let description: string
-      if (cliDescription) {
-        description = cliDescription
-      } else {
-        const query = await prompts.text({
-          message: "Description",
-          placeholder: "What should this agent do?",
-          validate: (x) => (x && x.length > 0 ? undefined : "Required"),
-        })
-        if (prompts.isCancel(query)) throw new UI.CancelledError()
-        description = query
-      }
-
-      // Generate agent
-      const spinner = prompts.spinner()
-      spinner.start("Generating agent configuration...")
-      const model = args.model ? Provider.parseModel(args.model) : undefined
-      const generated = await Effect.runPromise(agentSvc.generate({ description, model })).catch((error) => {
-        spinner.stop(`LLM failed to generate agent: ${error.message}`, 1)
-        if (isFullyNonInteractive) process.exit(1)
-        throw new UI.CancelledError()
-      })
-      spinner.stop(`Agent ${generated.identifier} generated`)
-
-      // Select permissions to allow
-      let selected: string[]
-      if (perms !== undefined) {
-        selected = perms ? perms.split(",").map((t) => t.trim()) : AVAILABLE_PERMISSIONS
-      } else {
-        const result = await prompts.multiselect({
-          message: "Select permissions to allow (Space to toggle)",
-          options: AVAILABLE_PERMISSIONS.map((permission) => ({
-            label: permission,
-            value: permission,
-          })),
-          initialValues: AVAILABLE_PERMISSIONS,
-        })
-        if (prompts.isCancel(result)) throw new UI.CancelledError()
-        selected = result
-      }
-
-      // Get mode
-      let mode: AgentMode
-      if (cliMode) {
-        mode = cliMode
-      } else {
-        const modeResult = await prompts.select({
-          message: "Agent mode",
-          options: [
-            {
-              label: "All",
-              value: "all" as const,
-              hint: "Can function in both primary and subagent roles",
-            },
-            {
-              label: "Primary",
-              value: "primary" as const,
-              hint: "Acts as a primary/main agent",
-            },
-            {
-              label: "Subagent",
-              value: "subagent" as const,
-              hint: "Can be used as a subagent by other agents",
-            },
-          ],
-          initialValue: "all" as const,
-        })
-        if (prompts.isCancel(modeResult)) throw new UI.CancelledError()
-        mode = modeResult
-      }
-
-      // Build permissions config — deny anything not explicitly selected.
-      const permissions: Record<string, "deny"> = {}
-      for (const permission of AVAILABLE_PERMISSIONS) {
-        if (!selected.includes(permission)) {
-          permissions[permission] = "deny"
+        // Build permissions config — deny anything not explicitly selected.
+        const permissions: Record<string, "deny"> = {}
+        for (const permission of AVAILABLE_PERMISSIONS) {
+          if (!selected.includes(permission)) {
+            permissions[permission] = "deny"
+          }
         }
-      }
 
-      // Build frontmatter
-      const frontmatter: {
-        description: string
-        mode: AgentMode
-        permission?: Record<string, "deny">
-      } = {
-        description: generated.whenToUse,
-        mode,
-      }
-      if (Object.keys(permissions).length > 0) {
-        frontmatter.permission = permissions
-      }
+        // Build frontmatter
+        const frontmatter: {
+          description: string
+          mode: AgentMode
+          permission?: Record<string, "deny">
+        } = {
+          description: generated.whenToUse,
+          mode,
+        }
+        if (Object.keys(permissions).length > 0) {
+          frontmatter.permission = permissions
+        }
 
-      // Write file
-      const content = matter.stringify(generated.systemPrompt, frontmatter)
-      const filePath = path.join(targetPath, `${generated.identifier}.md`)
+        // Write file
+        const content = matter.stringify(generated.systemPrompt, frontmatter)
+        const filePath = path.join(targetPath, `${generated.identifier}.md`)
 
-      await fs.mkdir(targetPath, { recursive: true })
+        await fs.mkdir(targetPath, { recursive: true })
+
+        if (await Filesystem.exists(filePath)) {
+          if (isFullyNonInteractive) {
+            console.error(`Error: Agent file already exists: ${filePath}`)
+            process.exit(1)
+          }
+          prompts.log.error(`Agent file already exists: ${filePath}`)
+          throw new UI.CancelledError()
+        }
+
+        await Filesystem.write(filePath, content)
 
-      if (await Filesystem.exists(filePath)) {
         if (isFullyNonInteractive) {
-          console.error(`Error: Agent file already exists: ${filePath}`)
-          process.exit(1)
+          console.log(filePath)
+        } else {
+          prompts.log.success(`Agent created: ${filePath}`)
+          prompts.outro("Done")
         }
-        prompts.log.error(`Agent file already exists: ${filePath}`)
-        throw new UI.CancelledError()
-      }
-
-      await Filesystem.write(filePath, content)
-
-      if (isFullyNonInteractive) {
-        console.log(filePath)
-      } else {
-        prompts.log.success(`Agent created: ${filePath}`)
-        prompts.outro("Done")
-      }
     })
   }),
 })

packages/opencode/src/cli/cmd/debug/index.ts

@@ -1,10 +1,5 @@
 import { Global } from "@opencode-ai/core/global"
-import { InstallationVersion } from "@opencode-ai/core/installation/version"
-import { Flag } from "@opencode-ai/core/flag/flag"
-import os from "os"
 import { Duration, Effect } from "effect"
-import { Config } from "@/config/config"
-import { ConfigPlugin } from "@/config/plugin"
 import { effectCmd } from "../../effect-cmd"
 import { cmd } from "../cmd"
 import { ConfigCommand } from "./config"
@@ -31,7 +26,6 @@ export const DebugCommand = cmd({
       .command(SnapshotCommand)
       .command(StartupCommand)
       .command(AgentCommand)
-      .command(InfoCommand)
       .command(PathsCommand)
       .command(WaitCommand)
       .demandCommand(),
@@ -46,34 +40,6 @@ const WaitCommand = effectCmd({
   }),
 })
 
-const InfoCommand = effectCmd({
-  command: "info",
-  describe: "show debug information",
-  handler: Effect.fn("Cli.debug.info")(function* () {
-    const config = yield* Config.Service.use((cfg) => cfg.get())
-    const termProgram = process.env.TERM_PROGRAM
-      ? `${process.env.TERM_PROGRAM}${process.env.TERM_PROGRAM_VERSION ? ` ${process.env.TERM_PROGRAM_VERSION}` : ""}`
-      : undefined
-    const terminal = [termProgram, process.env.TERM].filter((item): item is string => Boolean(item)).join(" / ")
-
-    console.log(`opencode version: ${InstallationVersion}`)
-    console.log(`os: ${os.type()} ${os.release()} ${os.arch()}`)
-    console.log(`terminal: ${terminal || "unknown"}`)
-    console.log("plugins:")
-    if (Flag.OPENCODE_PURE) {
-      console.log("external plugins disabled (--pure)")
-      return
-    }
-    if (!config.plugin_origins?.length) {
-      console.log("none")
-      return
-    }
-    for (const plugin of config.plugin_origins) {
-      console.log(`- ${ConfigPlugin.pluginSpecifier(plugin.spec)}`)
-    }
-  }),
-})
-
 const PathsCommand = cmd({
   command: "paths",
   describe: "show global paths (data, config, cache, state)",

packages/opencode/src/cli/cmd/generate.ts

@@ -1,13 +1,22 @@
 import { Server } from "../../server/server"
+import { PublicApi } from "../../server/routes/instance/httpapi/public"
 import type { CommandModule } from "yargs"
+import { OpenApi } from "effect/unstable/httpapi"
 
-type Args = {}
+type Args = {
+  httpapi: boolean
+}
 
 export const GenerateCommand = {
   command: "generate",
-  builder: (yargs) => yargs,
-  handler: async () => {
-    const specs = (await Server.openapi()) as { paths: Record<string, Record<string, any>> }
+  builder: (yargs) =>
+    yargs.option("httpapi", {
+      type: "boolean",
+      default: false,
+      description: "Generate OpenAPI from the experimental Effect HttpApi contract",
+    }),
+  handler: async (args) => {
+    const specs = args.httpapi ? OpenApi.fromApi(PublicApi) : await Server.openapi()
     for (const item of Object.values(specs.paths)) {
       for (const method of ["get", "post", "put", "delete", "patch"] as const) {
         const operation = item[method]

packages/opencode/src/cli/cmd/github.ts

@@ -29,6 +29,7 @@ import { Provider } from "@/provider/provider"
 import { Bus } from "../../bus"
 import { MessageV2 } from "../../session/message-v2"
 import { SessionPrompt } from "@/session/prompt"
+import { AppRuntime } from "@/effect/app-runtime"
 import { Git } from "@/git"
 import { setTimeout as sleep } from "node:timers/promises"
 import { Process } from "@/util/process"
@@ -205,8 +206,6 @@ export const GithubInstallCommand = effectCmd({
     const maybeCtx = yield* InstanceRef
     if (!maybeCtx) return yield* Effect.die("InstanceRef not provided")
     const ctx = maybeCtx
-    const modelsDev = yield* ModelsDev.Service
-    const gitSvc = yield* Git.Service
     yield* Effect.promise(async () => {
       {
         UI.empty()
@@ -214,7 +213,7 @@ export const GithubInstallCommand = effectCmd({
         const app = await getAppInfo()
         await installGitHubApp()
 
-        const providers = await Effect.runPromise(modelsDev.get()).then((p) => {
+        const providers = await AppRuntime.runPromise(ModelsDev.Service.use((s) => s.get())).then((p) => {
           // TODO: add guide for copilot, for now just hide it
           delete p["github-copilot"]
           return p
@@ -262,9 +261,9 @@ export const GithubInstallCommand = effectCmd({
           }
 
           // Get repo info
-          const info = await Effect.runPromise(gitSvc.run(["remote", "get-url", "origin"], { cwd: ctx.worktree })).then(
-            (x) => x.text().trim(),
-          )
+          const info = await AppRuntime.runPromise(
+            Git.Service.use((git) => git.run(["remote", "get-url", "origin"], { cwd: ctx.worktree })),
+          ).then((x) => x.text().trim())
           const parsed = parseGitHubRemote(info)
           if (!parsed) {
             prompts.log.error(`Could not find git repository. Please run this command from a git repository.`)
@@ -441,10 +440,6 @@ export const GithubRunCommand = effectCmd({
   handler: Effect.fn("Cli.github.run")(function* (args) {
     const ctx = yield* InstanceRef
     if (!ctx) return yield* Effect.die("InstanceRef not provided")
-    const gitSvc = yield* Git.Service
-    const sessionSvc = yield* Session.Service
-    const sessionShare = yield* SessionShare.Service
-    const sessionPrompt = yield* SessionPrompt.Service
     yield* Effect.promise(async () => {
       const isMock = args.token || args.event
 
@@ -508,20 +503,21 @@ export const GithubRunCommand = effectCmd({
           : "issue"
         : undefined
       const gitText = async (args: string[]) => {
-        const result = await Effect.runPromise(gitSvc.run(args, { cwd: ctx.worktree }))
+        const result = await AppRuntime.runPromise(Git.Service.use((git) => git.run(args, { cwd: ctx.worktree })))
         if (result.exitCode !== 0) {
           throw new Process.RunFailedError(["git", ...args], result.exitCode, result.stdout, result.stderr)
         }
         return result.text().trim()
       }
       const gitRun = async (args: string[]) => {
-        const result = await Effect.runPromise(gitSvc.run(args, { cwd: ctx.worktree }))
+        const result = await AppRuntime.runPromise(Git.Service.use((git) => git.run(args, { cwd: ctx.worktree })))
         if (result.exitCode !== 0) {
           throw new Process.RunFailedError(["git", ...args], result.exitCode, result.stdout, result.stderr)
         }
         return result
       }
-      const gitStatus = (args: string[]) => Effect.runPromise(gitSvc.run(args, { cwd: ctx.worktree }))
+      const gitStatus = (args: string[]) =>
+        AppRuntime.runPromise(Git.Service.use((git) => git.run(args, { cwd: ctx.worktree })))
       const commitChanges = async (summary: string, actor?: string) => {
         const args = ["commit", "-m", summary]
         if (actor) args.push("-m", `Co-authored-by: ${actor} <${actor}@users.noreply.github.com>`)
@@ -558,22 +554,24 @@ export const GithubRunCommand = effectCmd({
 
         // Setup opencode session
         const repoData = await fetchRepo()
-        session = await Effect.runPromise(
-          sessionSvc.create({
-            permission: [
-              {
-                permission: "question",
-                action: "deny",
-                pattern: "*",
-              },
-            ],
-          }),
+        session = await AppRuntime.runPromise(
+          Session.Service.use((svc) =>
+            svc.create({
+              permission: [
+                {
+                  permission: "question",
+                  action: "deny",
+                  pattern: "*",
+                },
+              ],
+            }),
+          ),
         )
         subscribeSessionEvents()
         shareId = await (async () => {
           if (share === false) return
           if (!share && repoData.data.private) return
-          await Effect.runPromise(sessionShare.share(session.id))
+          await AppRuntime.runPromise(SessionShare.Service.use((svc) => svc.share(session.id)))
           return session.id.slice(-8)
         })()
         console.log("opencode session", session.id)
@@ -946,9 +944,9 @@ export const GithubRunCommand = effectCmd({
       async function chat(message: string, files: PromptFiles = []) {
         console.log("Sending message to opencode...")
 
-        return Effect.runPromise(
+        return AppRuntime.runPromise(
           Effect.gen(function* () {
-            const prompt = sessionPrompt
+            const prompt = yield* SessionPrompt.Service
             const result = yield* prompt.prompt({
               sessionID: session.id,
               messageID: MessageID.ascending(),

packages/opencode/src/cli/cmd/mcp.ts

@@ -19,6 +19,7 @@ import { Global } from "@opencode-ai/core/global"
 import { modify, applyEdits } from "jsonc-parser"
 import { Filesystem } from "@/util/filesystem"
 import { Bus } from "../../bus"
+import { AppRuntime } from "../../effect/app-runtime"
 import { Effect } from "effect"
 
 function getAuthStatusIcon(status: MCP.AuthStatus): string {
@@ -439,158 +440,158 @@ export const McpAddCommand = effectCmd({
     if (!maybeCtx) return yield* Effect.die("InstanceRef not provided")
     const ctx = maybeCtx
     yield* Effect.promise(async () => {
-      UI.empty()
-      prompts.intro("Add MCP server")
+        UI.empty()
+        prompts.intro("Add MCP server")
 
-      const project = ctx.project
+        const project = ctx.project
 
-      // Resolve config paths eagerly for hints
-      const [projectConfigPath, globalConfigPath] = await Promise.all([
-        resolveConfigPath(ctx.worktree),
-        resolveConfigPath(Global.Path.config, true),
-      ])
+        // Resolve config paths eagerly for hints
+        const [projectConfigPath, globalConfigPath] = await Promise.all([
+          resolveConfigPath(ctx.worktree),
+          resolveConfigPath(Global.Path.config, true),
+        ])
 
-      // Determine scope
-      let configPath = globalConfigPath
-      if (project.vcs === "git") {
-        const scopeResult = await prompts.select({
-          message: "Location",
+        // Determine scope
+        let configPath = globalConfigPath
+        if (project.vcs === "git") {
+          const scopeResult = await prompts.select({
+            message: "Location",
+            options: [
+              {
+                label: "Current project",
+                value: projectConfigPath,
+                hint: projectConfigPath,
+              },
+              {
+                label: "Global",
+                value: globalConfigPath,
+                hint: globalConfigPath,
+              },
+            ],
+          })
+          if (prompts.isCancel(scopeResult)) throw new UI.CancelledError()
+          configPath = scopeResult
+        }
+
+        const name = await prompts.text({
+          message: "Enter MCP server name",
+          validate: (x) => (x && x.length > 0 ? undefined : "Required"),
+        })
+        if (prompts.isCancel(name)) throw new UI.CancelledError()
+
+        const type = await prompts.select({
+          message: "Select MCP server type",
           options: [
             {
-              label: "Current project",
-              value: projectConfigPath,
-              hint: projectConfigPath,
+              label: "Local",
+              value: "local",
+              hint: "Run a local command",
             },
             {
-              label: "Global",
-              value: globalConfigPath,
-              hint: globalConfigPath,
+              label: "Remote",
+              value: "remote",
+              hint: "Connect to a remote URL",
             },
           ],
         })
-        if (prompts.isCancel(scopeResult)) throw new UI.CancelledError()
-        configPath = scopeResult
-      }
+        if (prompts.isCancel(type)) throw new UI.CancelledError()
 
-      const name = await prompts.text({
-        message: "Enter MCP server name",
-        validate: (x) => (x && x.length > 0 ? undefined : "Required"),
-      })
-      if (prompts.isCancel(name)) throw new UI.CancelledError()
+        if (type === "local") {
+          const command = await prompts.text({
+            message: "Enter command to run",
+            placeholder: "e.g., opencode x @modelcontextprotocol/server-filesystem",
+            validate: (x) => (x && x.length > 0 ? undefined : "Required"),
+          })
+          if (prompts.isCancel(command)) throw new UI.CancelledError()
 
-      const type = await prompts.select({
-        message: "Select MCP server type",
-        options: [
-          {
-            label: "Local",
-            value: "local",
-            hint: "Run a local command",
-          },
-          {
-            label: "Remote",
-            value: "remote",
-            hint: "Connect to a remote URL",
-          },
-        ],
-      })
-      if (prompts.isCancel(type)) throw new UI.CancelledError()
+          const mcpConfig: ConfigMCP.Info = {
+            type: "local",
+            command: command.split(" "),
+          }
 
-      if (type === "local") {
-        const command = await prompts.text({
-          message: "Enter command to run",
-          placeholder: "e.g., opencode x @modelcontextprotocol/server-filesystem",
-          validate: (x) => (x && x.length > 0 ? undefined : "Required"),
-        })
-        if (prompts.isCancel(command)) throw new UI.CancelledError()
-
-        const mcpConfig: ConfigMCP.Info = {
-          type: "local",
-          command: command.split(" "),
+          await addMcpToConfig(name, mcpConfig, configPath)
+          prompts.log.success(`MCP server "${name}" added to ${configPath}`)
+          prompts.outro("MCP server added successfully")
+          return
         }
 
-        await addMcpToConfig(name, mcpConfig, configPath)
-        prompts.log.success(`MCP server "${name}" added to ${configPath}`)
-        prompts.outro("MCP server added successfully")
-        return
-      }
+        if (type === "remote") {
+          const url = await prompts.text({
+            message: "Enter MCP server URL",
+            placeholder: "e.g., https://example.com/mcp",
+            validate: (x) => {
+              if (!x) return "Required"
+              if (x.length === 0) return "Required"
+              const isValid = URL.canParse(x)
+              return isValid ? undefined : "Invalid URL"
+            },
+          })
+          if (prompts.isCancel(url)) throw new UI.CancelledError()
 
-      if (type === "remote") {
-        const url = await prompts.text({
-          message: "Enter MCP server URL",
-          placeholder: "e.g., https://example.com/mcp",
-          validate: (x) => {
-            if (!x) return "Required"
-            if (x.length === 0) return "Required"
-            const isValid = URL.canParse(x)
-            return isValid ? undefined : "Invalid URL"
-          },
-        })
-        if (prompts.isCancel(url)) throw new UI.CancelledError()
-
-        const useOAuth = await prompts.confirm({
-          message: "Does this server require OAuth authentication?",
-          initialValue: false,
-        })
-        if (prompts.isCancel(useOAuth)) throw new UI.CancelledError()
-
-        let mcpConfig: ConfigMCP.Info
-
-        if (useOAuth) {
-          const hasClientId = await prompts.confirm({
-            message: "Do you have a pre-registered client ID?",
+          const useOAuth = await prompts.confirm({
+            message: "Does this server require OAuth authentication?",
             initialValue: false,
           })
-          if (prompts.isCancel(hasClientId)) throw new UI.CancelledError()
+          if (prompts.isCancel(useOAuth)) throw new UI.CancelledError()
 
-          if (hasClientId) {
-            const clientId = await prompts.text({
-              message: "Enter client ID",
-              validate: (x) => (x && x.length > 0 ? undefined : "Required"),
-            })
-            if (prompts.isCancel(clientId)) throw new UI.CancelledError()
+          let mcpConfig: ConfigMCP.Info
 
-            const hasSecret = await prompts.confirm({
-              message: "Do you have a client secret?",
+          if (useOAuth) {
+            const hasClientId = await prompts.confirm({
+              message: "Do you have a pre-registered client ID?",
               initialValue: false,
             })
-            if (prompts.isCancel(hasSecret)) throw new UI.CancelledError()
+            if (prompts.isCancel(hasClientId)) throw new UI.CancelledError()
 
-            let clientSecret: string | undefined
-            if (hasSecret) {
-              const secret = await prompts.password({
-                message: "Enter client secret",
+            if (hasClientId) {
+              const clientId = await prompts.text({
+                message: "Enter client ID",
+                validate: (x) => (x && x.length > 0 ? undefined : "Required"),
               })
-              if (prompts.isCancel(secret)) throw new UI.CancelledError()
-              clientSecret = secret
-            }
+              if (prompts.isCancel(clientId)) throw new UI.CancelledError()
 
-            mcpConfig = {
-              type: "remote",
-              url,
-              oauth: {
-                clientId,
-                ...(clientSecret && { clientSecret }),
-              },
+              const hasSecret = await prompts.confirm({
+                message: "Do you have a client secret?",
+                initialValue: false,
+              })
+              if (prompts.isCancel(hasSecret)) throw new UI.CancelledError()
+
+              let clientSecret: string | undefined
+              if (hasSecret) {
+                const secret = await prompts.password({
+                  message: "Enter client secret",
+                })
+                if (prompts.isCancel(secret)) throw new UI.CancelledError()
+                clientSecret = secret
+              }
+
+              mcpConfig = {
+                type: "remote",
+                url,
+                oauth: {
+                  clientId,
+                  ...(clientSecret && { clientSecret }),
+                },
+              }
+            } else {
+              mcpConfig = {
+                type: "remote",
+                url,
+                oauth: {},
+              }
             }
           } else {
             mcpConfig = {
               type: "remote",
               url,
-              oauth: {},
             }
           }
-        } else {
-          mcpConfig = {
-            type: "remote",
-            url,
-          }
+
+          await addMcpToConfig(name, mcpConfig, configPath)
+          prompts.log.success(`MCP server "${name}" added to ${configPath}`)
         }
 
-        await addMcpToConfig(name, mcpConfig, configPath)
-        prompts.log.success(`MCP server "${name}" added to ${configPath}`)
-      }
-
-      prompts.outro("MCP server added successfully")
+        prompts.outro("MCP server added successfully")
     })
   }),
 })
@@ -605,171 +606,178 @@ export const McpDebugCommand = effectCmd({
       demandOption: true,
     }),
   handler: Effect.fn("Cli.mcp.debug")(function* (args) {
-    const config = yield* Config.Service.use((cfg) => cfg.get())
-    const mcp = yield* MCP.Service
-    const auth = yield* McpAuth.Service
     yield* Effect.promise(async () => {
-      UI.empty()
-      prompts.intro("MCP OAuth Debug")
+        UI.empty()
+        prompts.intro("MCP OAuth Debug")
 
-      const mcpServers = config.mcp ?? {}
-      const serverName = args.name
+        const config = await AppRuntime.runPromise(Config.Service.use((cfg) => cfg.get()))
+        const mcpServers = config.mcp ?? {}
+        const serverName = args.name
 
-      const serverConfig = mcpServers[serverName]
-      if (!serverConfig) {
-        prompts.log.error(`MCP server not found: ${serverName}`)
-        prompts.outro("Done")
-        return
-      }
-
-      if (!isMcpRemote(serverConfig)) {
-        prompts.log.error(`MCP server ${serverName} is not a remote server`)
-        prompts.outro("Done")
-        return
-      }
-
-      if (serverConfig.oauth === false) {
-        prompts.log.warn(`MCP server ${serverName} has OAuth explicitly disabled`)
-        prompts.outro("Done")
-        return
-      }
-
-      prompts.log.info(`Server: ${serverName}`)
-      prompts.log.info(`URL: ${serverConfig.url}`)
-
-      // Check stored auth status — services already in hand, run inline.
-      const { authStatus, entry } = await Effect.runPromise(
-        Effect.all({
-          authStatus: mcp.getAuthStatus(serverName),
-          entry: auth.get(serverName),
-        }),
-      )
-      prompts.log.info(`Auth status: ${getAuthStatusIcon(authStatus)} ${getAuthStatusText(authStatus)}`)
-
-      if (entry?.tokens) {
-        prompts.log.info(`  Access token: ${entry.tokens.accessToken.substring(0, 20)}...`)
-        if (entry.tokens.expiresAt) {
-          const expiresDate = new Date(entry.tokens.expiresAt * 1000)
-          const isExpired = entry.tokens.expiresAt < Date.now() / 1000
-          prompts.log.info(`  Expires: ${expiresDate.toISOString()} ${isExpired ? "(EXPIRED)" : ""}`)
+        const serverConfig = mcpServers[serverName]
+        if (!serverConfig) {
+          prompts.log.error(`MCP server not found: ${serverName}`)
+          prompts.outro("Done")
+          return
         }
-        if (entry.tokens.refreshToken) {
-          prompts.log.info(`  Refresh token: present`)
-        }
-      }
-      if (entry?.clientInfo) {
-        prompts.log.info(`  Client ID: ${entry.clientInfo.clientId}`)
-        if (entry.clientInfo.clientSecretExpiresAt) {
-          const expiresDate = new Date(entry.clientInfo.clientSecretExpiresAt * 1000)
-          prompts.log.info(`  Client secret expires: ${expiresDate.toISOString()}`)
-        }
-      }
 
-      const spinner = prompts.spinner()
-      spinner.start("Testing connection...")
+        if (!isMcpRemote(serverConfig)) {
+          prompts.log.error(`MCP server ${serverName} is not a remote server`)
+          prompts.outro("Done")
+          return
+        }
 
-      // Test basic HTTP connectivity first
-      try {
-        const response = await fetch(serverConfig.url, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Accept: "application/json, text/event-stream",
-          },
-          body: JSON.stringify({
-            jsonrpc: "2.0",
-            method: "initialize",
-            params: {
-              protocolVersion: "2024-11-05",
-              capabilities: {},
-              clientInfo: { name: "opencode-debug", version: InstallationVersion },
-            },
-            id: 1,
+        if (serverConfig.oauth === false) {
+          prompts.log.warn(`MCP server ${serverName} has OAuth explicitly disabled`)
+          prompts.outro("Done")
+          return
+        }
+
+        prompts.log.info(`Server: ${serverName}`)
+        prompts.log.info(`URL: ${serverConfig.url}`)
+
+        // Check stored auth status
+        const { authStatus, entry } = await AppRuntime.runPromise(
+          Effect.gen(function* () {
+            const mcp = yield* MCP.Service
+            const auth = yield* McpAuth.Service
+            return {
+              authStatus: yield* mcp.getAuthStatus(serverName),
+              entry: yield* auth.get(serverName),
+            }
           }),
-        })
+        )
+        prompts.log.info(`Auth status: ${getAuthStatusIcon(authStatus)} ${getAuthStatusText(authStatus)}`)
 
-        spinner.stop(`HTTP response: ${response.status} ${response.statusText}`)
-
-        // Check for WWW-Authenticate header
-        const wwwAuth = response.headers.get("www-authenticate")
-        if (wwwAuth) {
-          prompts.log.info(`WWW-Authenticate: ${wwwAuth}`)
+        if (entry?.tokens) {
+          prompts.log.info(`  Access token: ${entry.tokens.accessToken.substring(0, 20)}...`)
+          if (entry.tokens.expiresAt) {
+            const expiresDate = new Date(entry.tokens.expiresAt * 1000)
+            const isExpired = entry.tokens.expiresAt < Date.now() / 1000
+            prompts.log.info(`  Expires: ${expiresDate.toISOString()} ${isExpired ? "(EXPIRED)" : ""}`)
+          }
+          if (entry.tokens.refreshToken) {
+            prompts.log.info(`  Refresh token: present`)
+          }
+        }
+        if (entry?.clientInfo) {
+          prompts.log.info(`  Client ID: ${entry.clientInfo.clientId}`)
+          if (entry.clientInfo.clientSecretExpiresAt) {
+            const expiresDate = new Date(entry.clientInfo.clientSecretExpiresAt * 1000)
+            prompts.log.info(`  Client secret expires: ${expiresDate.toISOString()}`)
+          }
         }
 
-        if (response.status === 401) {
-          prompts.log.warn("Server returned 401 Unauthorized")
+        const spinner = prompts.spinner()
+        spinner.start("Testing connection...")
 
-          // Try to discover OAuth metadata
-          const oauthConfig = typeof serverConfig.oauth === "object" ? serverConfig.oauth : undefined
-          const authProvider = new McpOAuthProvider(
-            serverName,
-            serverConfig.url,
-            {
-              clientId: oauthConfig?.clientId,
-              clientSecret: oauthConfig?.clientSecret,
-              scope: oauthConfig?.scope,
-              redirectUri: oauthConfig?.redirectUri,
+        // Test basic HTTP connectivity first
+        try {
+          const response = await fetch(serverConfig.url, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              Accept: "application/json, text/event-stream",
             },
-            {
-              onRedirect: async () => {},
-            },
-            auth,
-          )
-
-          prompts.log.info("Testing OAuth flow (without completing authorization)...")
-
-          // Try creating transport with auth provider to trigger discovery
-          const transport = new StreamableHTTPClientTransport(new URL(serverConfig.url), {
-            authProvider,
+            body: JSON.stringify({
+              jsonrpc: "2.0",
+              method: "initialize",
+              params: {
+                protocolVersion: "2024-11-05",
+                capabilities: {},
+                clientInfo: { name: "opencode-debug", version: InstallationVersion },
+              },
+              id: 1,
+            }),
           })
 
-          try {
-            const client = new Client({
-              name: "opencode-debug",
-              version: InstallationVersion,
+          spinner.stop(`HTTP response: ${response.status} ${response.statusText}`)
+
+          // Check for WWW-Authenticate header
+          const wwwAuth = response.headers.get("www-authenticate")
+          if (wwwAuth) {
+            prompts.log.info(`WWW-Authenticate: ${wwwAuth}`)
+          }
+
+          if (response.status === 401) {
+            prompts.log.warn("Server returned 401 Unauthorized")
+
+            // Try to discover OAuth metadata
+            const oauthConfig = typeof serverConfig.oauth === "object" ? serverConfig.oauth : undefined
+            const auth = await AppRuntime.runPromise(
+              Effect.gen(function* () {
+                return yield* McpAuth.Service
+              }),
+            )
+            const authProvider = new McpOAuthProvider(
+              serverName,
+              serverConfig.url,
+              {
+                clientId: oauthConfig?.clientId,
+                clientSecret: oauthConfig?.clientSecret,
+                scope: oauthConfig?.scope,
+                redirectUri: oauthConfig?.redirectUri,
+              },
+              {
+                onRedirect: async () => {},
+              },
+              auth,
+            )
+
+            prompts.log.info("Testing OAuth flow (without completing authorization)...")
+
+            // Try creating transport with auth provider to trigger discovery
+            const transport = new StreamableHTTPClientTransport(new URL(serverConfig.url), {
+              authProvider,
             })
-            await client.connect(transport)
-            prompts.log.success("Connection successful (already authenticated)")
-            await client.close()
-          } catch (error) {
-            if (error instanceof UnauthorizedError) {
-              prompts.log.info(`OAuth flow triggered: ${error.message}`)
 
-              // Check if dynamic registration would be attempted
-              const clientInfo = await authProvider.clientInformation()
-              if (clientInfo) {
-                prompts.log.info(`Client ID available: ${clientInfo.client_id}`)
+            try {
+              const client = new Client({
+                name: "opencode-debug",
+                version: InstallationVersion,
+              })
+              await client.connect(transport)
+              prompts.log.success("Connection successful (already authenticated)")
+              await client.close()
+            } catch (error) {
+              if (error instanceof UnauthorizedError) {
+                prompts.log.info(`OAuth flow triggered: ${error.message}`)
+
+                // Check if dynamic registration would be attempted
+                const clientInfo = await authProvider.clientInformation()
+                if (clientInfo) {
+                  prompts.log.info(`Client ID available: ${clientInfo.client_id}`)
+                } else {
+                  prompts.log.info("No client ID - dynamic registration will be attempted")
+                }
               } else {
-                prompts.log.info("No client ID - dynamic registration will be attempted")
+                prompts.log.error(`Connection error: ${error instanceof Error ? error.message : String(error)}`)
               }
-            } else {
-              prompts.log.error(`Connection error: ${error instanceof Error ? error.message : String(error)}`)
+            }
+          } else if (response.status >= 200 && response.status < 300) {
+            prompts.log.success("Server responded successfully (no auth required or already authenticated)")
+            const body = await response.text()
+            try {
+              const json = JSON.parse(body)
+              if (json.result?.serverInfo) {
+                prompts.log.info(`Server info: ${JSON.stringify(json.result.serverInfo)}`)
+              }
+            } catch {
+              // Not JSON, ignore
+            }
+          } else {
+            prompts.log.warn(`Unexpected status: ${response.status}`)
+            const body = await response.text().catch(() => "")
+            if (body) {
+              prompts.log.info(`Response body: ${body.substring(0, 500)}`)
             }
           }
-        } else if (response.status >= 200 && response.status < 300) {
-          prompts.log.success("Server responded successfully (no auth required or already authenticated)")
-          const body = await response.text()
-          try {
-            const json = JSON.parse(body)
-            if (json.result?.serverInfo) {
-              prompts.log.info(`Server info: ${JSON.stringify(json.result.serverInfo)}`)
-            }
-          } catch {
-            // Not JSON, ignore
-          }
-        } else {
-          prompts.log.warn(`Unexpected status: ${response.status}`)
-          const body = await response.text().catch(() => "")
-          if (body) {
-            prompts.log.info(`Response body: ${body.substring(0, 500)}`)
-          }
+        } catch (error) {
+          spinner.stop("Connection failed", 1)
+          prompts.log.error(`Error: ${error instanceof Error ? error.message : String(error)}`)
         }
-      } catch (error) {
-        spinner.stop("Connection failed", 1)
-        prompts.log.error(`Error: ${error instanceof Error ? error.message : String(error)}`)
-      }
 
-      prompts.outro("Debug complete")
+        prompts.outro("Debug complete")
     })
   }),
 })

packages/opencode/src/cli/cmd/providers.ts

@@ -1,10 +1,13 @@
 import { Auth } from "../../auth"
+import { AppRuntime } from "../../effect/app-runtime"
 import { cmd } from "./cmd"
-import { CliError, effectCmd, fail } from "../effect-cmd"
+import { effectCmd } from "../effect-cmd"
+import * as prompts from "@clack/prompts"
 import { UI } from "../ui"
-import * as Prompt from "../effect/prompt"
 import { ModelsDev } from "@/provider/models"
 
+const getModels = () => AppRuntime.runPromise(ModelsDev.Service.use((s) => s.get()))
+const refreshModels = () => AppRuntime.runPromise(ModelsDev.Service.use((s) => s.refresh(true)))
 import { map, pipe, sortBy, values } from "remeda"
 import path from "path"
 import os from "os"
@@ -13,57 +16,44 @@ import { Global } from "@opencode-ai/core/global"
 import { Plugin } from "../../plugin"
 import type { Hooks } from "@opencode-ai/plugin"
 import { Process } from "@/util/process"
-import { errorMessage } from "@/util/error"
 import { text } from "node:stream/consumers"
-import { Effect, Option } from "effect"
+import { Effect } from "effect"
 
 type PluginAuth = NonNullable<Hooks["auth"]>
 
-const promptValue = <Value>(value: Option.Option<Value>) => {
-  if (Option.isNone(value)) return Effect.die(new UI.CancelledError())
-  return Effect.succeed(value.value)
-}
+const put = (key: string, info: Auth.Info) =>
+  AppRuntime.runPromise(
+    Effect.gen(function* () {
+      const auth = yield* Auth.Service
+      yield* auth.set(key, info)
+    }),
+  )
 
-const put = Effect.fn("Cli.providers.put")(function* (key: string, info: Auth.Info) {
-  const auth = yield* Auth.Service
-  yield* Effect.orDie(auth.set(key, info))
-})
-
-const cliTry = <Value>(message: string, fn: () => PromiseLike<Value>) =>
-  Effect.tryPromise({
-    try: fn,
-    catch: (error) => new CliError({ message: message + errorMessage(error) }),
-  })
-
-const handlePluginAuth = Effect.fn("Cli.providers.pluginAuth")(function* (
-  plugin: { auth: PluginAuth },
-  provider: string,
-  methodName?: string,
-) {
-  const index = yield* Effect.gen(function* () {
-    if (!methodName) {
-      if (plugin.auth.methods.length <= 1) return 0
-      return yield* promptValue(
-        yield* Prompt.select({
-          message: "Login method",
-          options: plugin.auth.methods.map((x, index) => ({
-            label: x.label,
-            value: index,
-          })),
-        }),
-      )
-    }
+async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string, methodName?: string): Promise<boolean> {
+  let index = 0
+  if (methodName) {
     const match = plugin.auth.methods.findIndex((x) => x.label.toLowerCase() === methodName.toLowerCase())
     if (match === -1) {
-      return yield* fail(
+      prompts.log.error(
         `Unknown method "${methodName}" for ${provider}. Available: ${plugin.auth.methods.map((x) => x.label).join(", ")}`,
       )
+      process.exit(1)
     }
-    return match
-  })
+    index = match
+  } else if (plugin.auth.methods.length > 1) {
+    const method = await prompts.select({
+      message: "Login method",
+      options: plugin.auth.methods.map((x, index) => ({
+        label: x.label,
+        value: index.toString(),
+      })),
+    })
+    if (prompts.isCancel(method)) throw new UI.CancelledError()
+    index = parseInt(method)
+  }
   const method = plugin.auth.methods[index]
 
-  yield* Effect.sleep("10 millis")
+  await new Promise((r) => setTimeout(r, 10))
   const inputs: Record<string, string> = {}
   if (method.prompts) {
     for (const prompt of method.prompts) {
@@ -75,44 +65,46 @@ const handlePluginAuth = Effect.fn("Cli.providers.pluginAuth")(function* (
       }
       if (prompt.condition && !prompt.condition(inputs)) continue
       if (prompt.type === "select") {
-        const value = yield* Prompt.select({
+        const value = await prompts.select({
           message: prompt.message,
           options: prompt.options,
         })
-        inputs[prompt.key] = yield* promptValue(value)
-        continue
+        if (prompts.isCancel(value)) throw new UI.CancelledError()
+        inputs[prompt.key] = value
+      } else {
+        const value = await prompts.text({
+          message: prompt.message,
+          placeholder: prompt.placeholder,
+          validate: prompt.validate ? (v) => prompt.validate!(v ?? "") : undefined,
+        })
+        if (prompts.isCancel(value)) throw new UI.CancelledError()
+        inputs[prompt.key] = value
       }
-      const value = yield* Prompt.text({
-        message: prompt.message,
-        placeholder: prompt.placeholder,
-        validate: prompt.validate ? (v) => prompt.validate!(v ?? "") : undefined,
-      })
-      inputs[prompt.key] = yield* promptValue(value)
     }
   }
 
   if (method.type === "oauth") {
-    const authorize = yield* cliTry("Failed to authorize: ", () => method.authorize(inputs))
+    const authorize = await method.authorize(inputs)
 
     if (authorize.url) {
-      yield* Prompt.log.info("Go to: " + authorize.url)
+      prompts.log.info("Go to: " + authorize.url)
     }
 
     if (authorize.method === "auto") {
       if (authorize.instructions) {
-        yield* Prompt.log.info(authorize.instructions)
+        prompts.log.info(authorize.instructions)
       }
-      const spinner = Prompt.spinner()
-      yield* spinner.start("Waiting for authorization...")
-      const result = yield* cliTry("Failed to authorize: ", () => authorize.callback())
+      const spinner = prompts.spinner()
+      spinner.start("Waiting for authorization...")
+      const result = await authorize.callback()
       if (result.type === "failed") {
-        yield* spinner.stop("Failed to authorize", 1)
+        spinner.stop("Failed to authorize", 1)
       }
       if (result.type === "success") {
         const saveProvider = result.provider ?? provider
         if ("refresh" in result) {
           const { type: _, provider: __, refresh, access, expires, ...extraFields } = result
-          yield* put(saveProvider, {
+          await put(saveProvider, {
             type: "oauth",
             refresh,
             access,
@@ -121,30 +113,30 @@ const handlePluginAuth = Effect.fn("Cli.providers.pluginAuth")(function* (
           })
         }
         if ("key" in result) {
-          yield* put(saveProvider, {
+          await put(saveProvider, {
             type: "api",
             key: result.key,
           })
         }
-        yield* spinner.stop("Login successful")
+        spinner.stop("Login successful")
       }
     }
 
     if (authorize.method === "code") {
-      const code = yield* Prompt.text({
+      const code = await prompts.text({
         message: "Paste the authorization code here: ",
         validate: (x) => (x && x.length > 0 ? undefined : "Required"),
       })
-      const authorizationCode = yield* promptValue(code)
-      const result = yield* cliTry("Failed to authorize: ", () => authorize.callback(authorizationCode))
+      if (prompts.isCancel(code)) throw new UI.CancelledError()
+      const result = await authorize.callback(code)
       if (result.type === "failed") {
-        yield* Prompt.log.error("Failed to authorize")
+        prompts.log.error("Failed to authorize")
       }
       if (result.type === "success") {
         const saveProvider = result.provider ?? provider
         if ("refresh" in result) {
           const { type: _, provider: __, refresh, access, expires, ...extraFields } = result
-          yield* put(saveProvider, {
+          await put(saveProvider, {
             type: "oauth",
             refresh,
             access,
@@ -153,57 +145,56 @@ const handlePluginAuth = Effect.fn("Cli.providers.pluginAuth")(function* (
           })
         }
         if ("key" in result) {
-          yield* put(saveProvider, {
+          await put(saveProvider, {
             type: "api",
             key: result.key,
           })
         }
-        yield* Prompt.log.success("Login successful")
+        prompts.log.success("Login successful")
       }
     }
 
-    yield* Prompt.outro("Done")
+    prompts.outro("Done")
     return true
   }
 
   if (method.type === "api") {
-    const key = yield* Prompt.password({
+    const key = await prompts.password({
       message: "Enter your API key",
       validate: (x) => (x && x.length > 0 ? undefined : "Required"),
     })
-    const apiKey = yield* promptValue(key)
+    if (prompts.isCancel(key)) throw new UI.CancelledError()
 
     const metadata = Object.keys(inputs).length ? { metadata: inputs } : {}
-    const authorizeApi = method.authorize
-    if (!authorizeApi) {
-      yield* put(provider, {
+    if (!method.authorize) {
+      await put(provider, {
         type: "api",
-        key: apiKey,
+        key,
         ...metadata,
       })
-      yield* Prompt.outro("Done")
+      prompts.outro("Done")
       return true
     }
 
-    const result = yield* cliTry("Failed to authorize: ", () => authorizeApi(inputs))
+    const result = await method.authorize(inputs)
     if (result.type === "failed") {
-      yield* Prompt.log.error("Failed to authorize")
+      prompts.log.error("Failed to authorize")
     }
     if (result.type === "success") {
       const saveProvider = result.provider ?? provider
-      yield* put(saveProvider, {
+      await put(saveProvider, {
         type: "api",
-        key: result.key ?? apiKey,
+        key: result.key ?? key,
         ...metadata,
       })
-      yield* Prompt.log.success("Login successful")
+      prompts.log.success("Login successful")
     }
-    yield* Prompt.outro("Done")
+    prompts.outro("Done")
     return true
   }
 
   return false
-})
+}
 
 export function resolvePluginProviders(input: {
   hooks: Hooks[]
@@ -248,23 +239,26 @@ export const ProvidersListCommand = effectCmd({
   // Lists global credentials + provider env vars; no project instance needed.
   instance: false,
   handler: Effect.fn("Cli.providers.list")(function* (_args) {
-    const authSvc = yield* Auth.Service
-    const modelsDev = yield* ModelsDev.Service
-
+    yield* Effect.promise(async () => {
     UI.empty()
     const authPath = path.join(Global.Path.data, "auth.json")
     const homedir = os.homedir()
     const displayPath = authPath.startsWith(homedir) ? authPath.replace(homedir, "~") : authPath
-    yield* Prompt.intro(`Credentials ${UI.Style.TEXT_DIM}${displayPath}`)
-    const results = Object.entries(yield* Effect.orDie(authSvc.all()))
-    const database = yield* modelsDev.get()
+    prompts.intro(`Credentials ${UI.Style.TEXT_DIM}${displayPath}`)
+    const results = await AppRuntime.runPromise(
+      Effect.gen(function* () {
+        const auth = yield* Auth.Service
+        return Object.entries(yield* auth.all())
+      }),
+    )
+    const database = await getModels()
 
     for (const [providerID, result] of results) {
       const name = database[providerID]?.name || providerID
-      yield* Prompt.log.info(`${name} ${UI.Style.TEXT_DIM}${result.type}`)
+      prompts.log.info(`${name} ${UI.Style.TEXT_DIM}${result.type}`)
     }
 
-    yield* Prompt.outro(`${results.length} credentials`)
+    prompts.outro(`${results.length} credentials`)
 
     const activeEnvVars: Array<{ provider: string; envVar: string }> = []
 
@@ -281,14 +275,15 @@ export const ProvidersListCommand = effectCmd({
 
     if (activeEnvVars.length > 0) {
       UI.empty()
-      yield* Prompt.intro("Environment")
+      prompts.intro("Environment")
 
       for (const { provider, envVar } of activeEnvVars) {
-        yield* Prompt.log.info(`${provider} ${UI.Style.TEXT_DIM}${envVar}`)
+        prompts.log.info(`${provider} ${UI.Style.TEXT_DIM}${envVar}`)
       }
 
-      yield* Prompt.outro(`${activeEnvVars.length} environment variable` + (activeEnvVars.length === 1 ? "" : "s"))
+      prompts.outro(`${activeEnvVars.length} environment variable` + (activeEnvVars.length === 1 ? "" : "s"))
     }
+    })
   }),
 })
 
@@ -312,173 +307,189 @@ export const ProvidersLoginCommand = effectCmd({
         type: "string",
       }),
   handler: Effect.fn("Cli.providers.login")(function* (args) {
-    const authSvc = yield* Auth.Service
+    yield* Effect.promise(async () => {
+        UI.empty()
+        prompts.intro("Add credential")
+        if (args.url) {
+          const url = args.url.replace(/\/+$/, "")
+          const wellknown = (await fetch(`${url}/.well-known/opencode`).then((x) => x.json())) as {
+            auth: { command: string[]; env: string }
+          }
+          prompts.log.info(`Running \`${wellknown.auth.command.join(" ")}\``)
+          const proc = Process.spawn(wellknown.auth.command, {
+            stdout: "pipe",
+          })
+          if (!proc.stdout) {
+            prompts.log.error("Failed")
+            prompts.outro("Done")
+            return
+          }
+          const [exit, token] = await Promise.all([proc.exited, text(proc.stdout)])
+          if (exit !== 0) {
+            prompts.log.error("Failed")
+            prompts.outro("Done")
+            return
+          }
+          await put(url, {
+            type: "wellknown",
+            key: wellknown.auth.env,
+            token: token.trim(),
+          })
+          prompts.log.success("Logged into " + url)
+          prompts.outro("Done")
+          return
+        }
+        await refreshModels().catch(() => {})
 
-    UI.empty()
-    yield* Prompt.intro("Add credential")
-    if (args.url) {
-      const url = args.url.replace(/\/+$/, "")
-      const wellknown = (yield* cliTry(`Failed to load auth provider metadata from ${url}: `, () =>
-        fetch(`${url}/.well-known/opencode`).then((x) => x.json()),
-      )) as {
-        auth: { command: string[]; env: string }
-      }
-      yield* Prompt.log.info(`Running \`${wellknown.auth.command.join(" ")}\``)
-      const abort = new AbortController()
-      const proc = Process.spawn(wellknown.auth.command, { stdout: "pipe", stderr: "inherit", abort: abort.signal })
-      if (!proc.stdout) {
-        yield* Prompt.log.error("Failed")
-        yield* Prompt.outro("Done")
-        return
-      }
-      const [exit, token] = yield* cliTry("Failed to run auth provider command: ", () =>
-        Promise.all([proc.exited, text(proc.stdout!)]),
-      ).pipe(Effect.ensuring(Effect.sync(() => abort.abort())))
-      if (exit !== 0) {
-        yield* Prompt.log.error("Failed")
-        yield* Prompt.outro("Done")
-        return
-      }
-      yield* Effect.orDie(authSvc.set(url, { type: "wellknown", key: wellknown.auth.env, token: token.trim() }))
-      yield* Prompt.log.success("Logged into " + url)
-      yield* Prompt.outro("Done")
-      return
-    }
+        const config = await AppRuntime.runPromise(Config.Service.use((cfg) => cfg.get()))
 
-    const cfgSvc = yield* Config.Service
-    const pluginSvc = yield* Plugin.Service
-    const modelsDev = yield* ModelsDev.Service
-    yield* Effect.ignore(modelsDev.refresh(true))
+        const disabled = new Set(config.disabled_providers ?? [])
+        const enabled = config.enabled_providers ? new Set(config.enabled_providers) : undefined
 
-    const config = yield* cfgSvc.get()
+        const providers = await getModels().then((x) => {
+          const filtered: Record<string, (typeof x)[string]> = {}
+          for (const [key, value] of Object.entries(x)) {
+            if ((enabled ? enabled.has(key) : true) && !disabled.has(key)) {
+              filtered[key] = value
+            }
+          }
+          return filtered
+        })
+        const hooks = await AppRuntime.runPromise(
+          Effect.gen(function* () {
+            const plugin = yield* Plugin.Service
+            return yield* plugin.list()
+          }),
+        )
 
-    const disabled = new Set(config.disabled_providers ?? [])
-    const enabled = config.enabled_providers ? new Set(config.enabled_providers) : undefined
+        const priority: Record<string, number> = {
+          opencode: 0,
+          openai: 1,
+          "github-copilot": 2,
+          google: 3,
+          anthropic: 4,
+          openrouter: 5,
+          vercel: 6,
+        }
+        const pluginProviders = resolvePluginProviders({
+          hooks,
+          existingProviders: providers,
+          disabled,
+          enabled,
+          providerNames: Object.fromEntries(Object.entries(config.provider ?? {}).map(([id, p]) => [id, p.name])),
+        })
+        const options = [
+          ...pipe(
+            providers,
+            values(),
+            sortBy(
+              (x) => priority[x.id] ?? 99,
+              (x) => x.name ?? x.id,
+            ),
+            map((x) => ({
+              label: x.name,
+              value: x.id,
+              hint: {
+                opencode: "recommended",
+                openai: "ChatGPT Plus/Pro or API key",
+              }[x.id],
+            })),
+          ),
+          ...pluginProviders.map((x) => ({
+            label: x.name,
+            value: x.id,
+            hint: "plugin",
+          })),
+        ]
 
-    const allProviders = yield* modelsDev.get()
-    const providers: Record<string, (typeof allProviders)[string]> = {}
-    for (const [key, value] of Object.entries(allProviders)) {
-      if ((enabled ? enabled.has(key) : true) && !disabled.has(key)) providers[key] = value
-    }
-    const hooks = yield* pluginSvc.list()
+        let provider: string
+        if (args.provider) {
+          const input = args.provider
+          const byID = options.find((x) => x.value === input)
+          const byName = options.find((x) => x.label.toLowerCase() === input.toLowerCase())
+          const match = byID ?? byName
+          if (!match) {
+            prompts.log.error(`Unknown provider "${input}"`)
+            process.exit(1)
+          }
+          provider = match.value
+        } else {
+          const selected = await prompts.autocomplete({
+            message: "Select provider",
+            maxItems: 8,
+            options: [
+              ...options,
+              {
+                value: "other",
+                label: "Other",
+              },
+            ],
+          })
+          if (prompts.isCancel(selected)) throw new UI.CancelledError()
+          provider = selected as string
+        }
 
-    const priority: Record<string, number> = {
-      opencode: 0,
-      openai: 1,
-      "github-copilot": 2,
-      google: 3,
-      anthropic: 4,
-      openrouter: 5,
-      vercel: 6,
-    }
-    const pluginProviders = resolvePluginProviders({
-      hooks,
-      existingProviders: providers,
-      disabled,
-      enabled,
-      providerNames: Object.fromEntries(Object.entries(config.provider ?? {}).map(([id, p]) => [id, p.name])),
+        const plugin = hooks.findLast((x) => x.auth?.provider === provider)
+        if (plugin && plugin.auth) {
+          const handled = await handlePluginAuth({ auth: plugin.auth }, provider, args.method)
+          if (handled) return
+        }
+
+        if (provider === "other") {
+          const custom = await prompts.text({
+            message: "Enter provider id",
+            validate: (x) => (x && x.match(/^[0-9a-z-]+$/) ? undefined : "a-z, 0-9 and hyphens only"),
+          })
+          if (prompts.isCancel(custom)) throw new UI.CancelledError()
+          provider = custom.replace(/^@ai-sdk\//, "")
+
+          const customPlugin = hooks.findLast((x) => x.auth?.provider === provider)
+          if (customPlugin && customPlugin.auth) {
+            const handled = await handlePluginAuth({ auth: customPlugin.auth }, provider, args.method)
+            if (handled) return
+          }
+
+          prompts.log.warn(
+            `This only stores a credential for ${provider} - you will need configure it in opencode.json, check the docs for examples.`,
+          )
+        }
+
+        if (provider === "amazon-bedrock") {
+          prompts.log.info(
+            "Amazon Bedrock authentication priority:\n" +
+              "  1. Bearer token (AWS_BEARER_TOKEN_BEDROCK or /connect)\n" +
+              "  2. AWS credential chain (profile, access keys, IAM roles, EKS IRSA)\n\n" +
+              "Configure via opencode.json options (profile, region, endpoint) or\n" +
+              "AWS environment variables (AWS_PROFILE, AWS_REGION, AWS_ACCESS_KEY_ID, AWS_WEB_IDENTITY_TOKEN_FILE).",
+          )
+        }
+
+        if (provider === "opencode") {
+          prompts.log.info("Create an api key at https://opencode.ai/auth")
+        }
+
+        if (provider === "vercel") {
+          prompts.log.info("You can create an api key at https://vercel.link/ai-gateway-token")
+        }
+
+        if (["cloudflare", "cloudflare-ai-gateway"].includes(provider)) {
+          prompts.log.info(
+            "Cloudflare AI Gateway can be configured with CLOUDFLARE_GATEWAY_ID, CLOUDFLARE_ACCOUNT_ID, and CLOUDFLARE_API_TOKEN environment variables. Read more: https://opencode.ai/docs/providers/#cloudflare-ai-gateway",
+          )
+        }
+
+        const key = await prompts.password({
+          message: "Enter your API key",
+          validate: (x) => (x && x.length > 0 ? undefined : "Required"),
+        })
+        if (prompts.isCancel(key)) throw new UI.CancelledError()
+        await put(provider, {
+          type: "api",
+          key,
+        })
+
+        prompts.outro("Done")
     })
-    const options = [
-      ...pipe(
-        providers,
-        values(),
-        sortBy(
-          (x) => priority[x.id] ?? 99,
-          (x) => x.name ?? x.id,
-        ),
-        map((x) => ({
-          label: x.name,
-          value: x.id,
-          hint: {
-            opencode: "recommended",
-            openai: "ChatGPT Plus/Pro or API key",
-          }[x.id],
-        })),
-      ),
-      ...pluginProviders.map((x) => ({
-        label: x.name,
-        value: x.id,
-        hint: "plugin",
-      })),
-    ]
-
-    let provider: string
-    if (args.provider) {
-      const input = args.provider
-      const byID = options.find((x) => x.value === input)
-      const byName = options.find((x) => x.label.toLowerCase() === input.toLowerCase())
-      const match = byID ?? byName
-      if (!match) {
-        return yield* fail(`Unknown provider "${input}"`)
-      }
-      provider = match.value
-    } else {
-      provider = yield* promptValue(
-        yield* Prompt.autocomplete({
-          message: "Select provider",
-          maxItems: 8,
-          options: [...options, { value: "other", label: "Other" }],
-        }),
-      )
-    }
-
-    const plugin = hooks.findLast((x) => x.auth?.provider === provider)
-    if (plugin && plugin.auth) {
-      const handled = yield* handlePluginAuth({ auth: plugin.auth! }, provider, args.method)
-      if (handled) return
-    }
-
-    if (provider === "other") {
-      provider = (yield* promptValue(
-        yield* Prompt.text({
-          message: "Enter provider id",
-          validate: (x) => (x && x.match(/^[0-9a-z-]+$/) ? undefined : "a-z, 0-9 and hyphens only"),
-        }),
-      )).replace(/^@ai-sdk\//, "")
-
-      const customPlugin = hooks.findLast((x) => x.auth?.provider === provider)
-      if (customPlugin && customPlugin.auth) {
-        const handled = yield* handlePluginAuth({ auth: customPlugin.auth! }, provider, args.method)
-        if (handled) return
-      }
-
-      yield* Prompt.log.warn(
-        `This only stores a credential for ${provider} - you will need configure it in opencode.json, check the docs for examples.`,
-      )
-    }
-
-    if (provider === "amazon-bedrock") {
-      yield* Prompt.log.info(
-        "Amazon Bedrock authentication priority:\n" +
-          "  1. Bearer token (AWS_BEARER_TOKEN_BEDROCK or /connect)\n" +
-          "  2. AWS credential chain (profile, access keys, IAM roles, EKS IRSA)\n\n" +
-          "Configure via opencode.json options (profile, region, endpoint) or\n" +
-          "AWS environment variables (AWS_PROFILE, AWS_REGION, AWS_ACCESS_KEY_ID, AWS_WEB_IDENTITY_TOKEN_FILE).",
-      )
-    }
-
-    if (provider === "opencode") {
-      yield* Prompt.log.info("Create an api key at https://opencode.ai/auth")
-    }
-
-    if (provider === "vercel") {
-      yield* Prompt.log.info("You can create an api key at https://vercel.link/ai-gateway-token")
-    }
-
-    if (["cloudflare", "cloudflare-ai-gateway"].includes(provider)) {
-      yield* Prompt.log.info(
-        "Cloudflare AI Gateway can be configured with CLOUDFLARE_GATEWAY_ID, CLOUDFLARE_ACCOUNT_ID, and CLOUDFLARE_API_TOKEN environment variables. Read more: https://opencode.ai/docs/providers/#cloudflare-ai-gateway",
-      )
-    }
-
-    const key = yield* Prompt.password({
-      message: "Enter your API key",
-      validate: (x) => (x && x.length > 0 ? undefined : "Required"),
-    })
-    const apiKey = yield* promptValue(key)
-    yield* Effect.orDie(authSvc.set(provider, { type: "api", key: apiKey }))
-
-    yield* Prompt.outro("Done")
   }),
 })
 
@@ -488,25 +499,36 @@ export const ProvidersLogoutCommand = effectCmd({
   // Removes a global auth credential; no project instance needed.
   instance: false,
   handler: Effect.fn("Cli.providers.logout")(function* (_args) {
-    const authSvc = yield* Auth.Service
-    const modelsDev = yield* ModelsDev.Service
-
+    yield* Effect.promise(async () => {
     UI.empty()
-    const credentials: Array<[string, Auth.Info]> = Object.entries(yield* Effect.orDie(authSvc.all()))
-    yield* Prompt.intro("Remove credential")
+    const credentials: Array<[string, Auth.Info]> = await AppRuntime.runPromise(
+      Effect.gen(function* () {
+        const auth = yield* Auth.Service
+        return Object.entries(yield* auth.all())
+      }),
+    )
+    prompts.intro("Remove credential")
     if (credentials.length === 0) {
-      yield* Prompt.log.error("No credentials found")
+      prompts.log.error("No credentials found")
       return
     }
-    const database = yield* modelsDev.get()
-    const selected = yield* Prompt.select({
+    const database = await getModels()
+    const selected = await prompts.select({
       message: "Select provider",
       options: credentials.map(([key, value]) => ({
         label: (database[key]?.name || key) + UI.Style.TEXT_DIM + " (" + value.type + ")",
         value: key,
       })),
     })
-    yield* Effect.orDie(authSvc.remove(yield* promptValue(selected)))
-    yield* Prompt.outro("Logout successful")
+    if (prompts.isCancel(selected)) throw new UI.CancelledError()
+    const providerID = selected as string
+    await AppRuntime.runPromise(
+      Effect.gen(function* () {
+        const auth = yield* Auth.Service
+        yield* auth.remove(providerID)
+      }),
+    )
+    prompts.outro("Logout successful")
+    })
   }),
 })

packages/opencode/src/cli/cmd/run.ts

@@ -5,7 +5,6 @@ import { Effect } from "effect"
 import { UI } from "../ui"
 import { effectCmd } from "../effect-cmd"
 import { Flag } from "@opencode-ai/core/flag/flag"
-import { ServerAuth } from "@/server/auth"
 import { EOL } from "os"
 import { Filesystem } from "@/util/filesystem"
 import { createOpencodeClient, type OpencodeClient, type ToolPart } from "@opencode-ai/sdk/v2"
@@ -27,6 +26,7 @@ import { ShellTool } from "../../tool/shell"
 import { ShellID } from "../../tool/shell/id"
 import { TodoWriteTool } from "../../tool/todo"
 import { Locale } from "@/util/locale"
+import { AppRuntime } from "@/effect/app-runtime"
 
 type ToolProps<T> = {
   input: Tool.InferParameters<T>
@@ -276,11 +276,6 @@ export const RunCommand = effectCmd({
         type: "string",
         describe: "basic auth password (defaults to OPENCODE_SERVER_PASSWORD)",
       })
-      .option("username", {
-        alias: ["u"],
-        type: "string",
-        describe: "basic auth username (defaults to OPENCODE_SERVER_USERNAME or 'opencode')",
-      })
       .option("dir", {
         type: "string",
         describe: "directory to run in, path on remote server if attaching",
@@ -304,7 +299,6 @@ export const RunCommand = effectCmd({
         default: false,
       }),
   handler: Effect.fn("Cli.run")(function* (args) {
-    const agentSvc = yield* Agent.Service
     yield* Effect.promise(async () => {
       let message = [...args.message, ...(args["--"] || [])]
         .map((arg) => (arg.includes(" ") ? `"${arg.replace(/"/g, '\\"')}"` : arg))
@@ -608,7 +602,7 @@ export const RunCommand = effectCmd({
             return name
           }
 
-          const entry = await Effect.runPromise(agentSvc.get(name))
+          const entry = await AppRuntime.runPromise(Agent.Service.use((svc) => svc.get(name)))
           if (!entry) {
             UI.println(
               UI.Style.TEXT_WARNING_BOLD + "!",
@@ -662,7 +656,13 @@ export const RunCommand = effectCmd({
       }
 
       if (args.attach) {
-        const headers = ServerAuth.headers({ password: args.password, username: args.username })
+        const headers = (() => {
+          const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
+          if (!password) return undefined
+          const username = process.env.OPENCODE_SERVER_USERNAME ?? "opencode"
+          const auth = `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
+          return { Authorization: auth }
+        })()
         const sdk = createOpencodeClient({ baseUrl: args.attach, directory, headers })
         return await execute(sdk)
       }

packages/opencode/src/cli/cmd/tui/attach.ts

@@ -5,7 +5,6 @@ import { win32DisableProcessedInput, win32InstallCtrlCGuard } from "./win32"
 import { TuiConfig } from "@/cli/cmd/tui/config/tui"
 import { errorMessage } from "@/util/error"
 import { validateSession } from "./validate-session"
-import { ServerAuth } from "@/server/auth"
 
 export const AttachCommand = cmd({
   command: "attach <url>",
@@ -39,11 +38,6 @@ export const AttachCommand = cmd({
         alias: ["p"],
         type: "string",
         describe: "basic auth password (defaults to OPENCODE_SERVER_PASSWORD)",
-      })
-      .option("username", {
-        alias: ["u"],
-        type: "string",
-        describe: "basic auth username (defaults to OPENCODE_SERVER_USERNAME or 'opencode')",
       }),
   handler: async (args) => {
     const unguard = win32InstallCtrlCGuard()
@@ -66,7 +60,12 @@ export const AttachCommand = cmd({
           return args.dir
         }
       })()
-      const headers = ServerAuth.headers({ password: args.password, username: args.username })
+      const headers = (() => {
+        const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
+        if (!password) return undefined
+        const auth = `Basic ${Buffer.from(`opencode:${password}`).toString("base64")}`
+        return { Authorization: auth }
+      })()
       const config = await TuiConfig.get()
 
       try {

packages/opencode/src/cli/cmd/tui/config/tui.ts

@@ -68,73 +68,29 @@ function normalize(raw: Record<string, unknown>) {
   }
 }
 
+async function resolvePlugins(config: Info, configFilepath: string) {
+  if (!config.plugin) return config
+  for (let i = 0; i < config.plugin.length; i++) {
+    config.plugin[i] = await ConfigPlugin.resolvePluginSpec(config.plugin[i], configFilepath)
+  }
+  return config
+}
+
+async function mergeFile(acc: Acc, file: string, ctx: { directory: string }) {
+  const data = await loadFile(file)
+  acc.result = mergeDeep(acc.result, data)
+  if (!data.plugin?.length) return
+
+  const scope = pluginScope(file, ctx)
+  const plugins = ConfigPlugin.deduplicatePluginOrigins([
+    ...(acc.result.plugin_origins ?? []),
+    ...data.plugin.map((spec) => ({ spec, scope, source: file })),
+  ])
+  acc.result.plugin = plugins.map((item) => item.spec)
+  acc.result.plugin_origins = plugins
+}
+
 const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory: string }) {
-  const afs = yield* AppFileSystem.Service
-
-  const resolvePlugins = (config: Info, configFilepath: string): Effect.Effect<Info> =>
-    Effect.gen(function* () {
-      const plugins = config.plugin
-      if (!plugins) return config
-      for (let i = 0; i < plugins.length; i++) {
-        plugins[i] = yield* Effect.promise(() => ConfigPlugin.resolvePluginSpec(plugins[i], configFilepath))
-      }
-      return config
-    })
-
-  const load = (text: string, configFilepath: string): Effect.Effect<Info> =>
-    Effect.gen(function* () {
-      const expanded = yield* Effect.promise(() =>
-        ConfigVariable.substitute({ text, type: "path", path: configFilepath, missing: "empty" }),
-      )
-      const data = ConfigParse.jsonc(expanded, configFilepath)
-      if (!isRecord(data)) return {} as Info
-      // Flatten a nested "tui" key so users who wrote `{ "tui": { ... } }` inside tui.json
-      // (mirroring the old opencode.json shape) still get their settings applied.
-      const validated = ConfigParse.schema(Info, normalize(data), configFilepath)
-      return yield* resolvePlugins(validated, configFilepath)
-    }).pipe(
-      // catchCause (not tapErrorCause + orElseSucceed) because ConfigParse.jsonc/.schema
-      // can sync-throw — those become defects, which orElseSucceed wouldn't catch.
-      Effect.catchCause((cause) =>
-        Effect.sync(() => {
-          log.warn("invalid tui config", { path: configFilepath, cause })
-          return {} as Info
-        }),
-      ),
-    )
-
-  const loadFile = (filepath: string): Effect.Effect<Info> =>
-    Effect.gen(function* () {
-      // Silent-swallow non-NotFound read errors (perms, EISDIR, IO) → log + skip.
-      // Matches how parse/schema/plugin failures in load() are handled — every
-      // broken-config path degrades gracefully rather than crashing TUI startup.
-      const text = yield* afs.readFileStringSafe(filepath).pipe(
-        Effect.catchCause((cause) =>
-          Effect.sync(() => {
-            log.warn("failed to read tui config", { path: filepath, cause })
-            return undefined
-          }),
-        ),
-      )
-      if (!text) return {} as Info
-      return yield* load(text, filepath)
-    })
-
-  const mergeFile = (acc: Acc, file: string) =>
-    Effect.gen(function* () {
-      const data = yield* loadFile(file)
-      acc.result = mergeDeep(acc.result, data)
-      if (!data.plugin?.length) return
-
-      const scope = pluginScope(file, ctx)
-      const plugins = ConfigPlugin.deduplicatePluginOrigins([
-        ...(acc.result.plugin_origins ?? []),
-        ...data.plugin.map((spec) => ({ spec, scope, source: file })),
-      ])
-      acc.result.plugin = plugins.map((item) => item.spec)
-      acc.result.plugin_origins = plugins
-    })
-
   // Every config dir we may read from: global config dir, any `.opencode`
   // folders between cwd and home, and OPENCODE_CONFIG_DIR.
   const directories = yield* ConfigPaths.directories(ctx.directory)
@@ -148,19 +104,19 @@ const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory:
 
   // 1. Global tui config (lowest precedence).
   for (const file of ConfigPaths.fileInDirectory(Global.Path.config, "tui")) {
-    yield* mergeFile(acc, file)
+    yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
   }
 
   // 2. Explicit OPENCODE_TUI_CONFIG override, if set.
   if (Flag.OPENCODE_TUI_CONFIG) {
     const configFile = Flag.OPENCODE_TUI_CONFIG
-    yield* mergeFile(acc, configFile)
+    yield* Effect.promise(() => mergeFile(acc, configFile, ctx)).pipe(Effect.orDie)
     log.debug("loaded custom tui config", { path: configFile })
   }
 
   // 3. Project tui files, applied root-first so the closest file wins.
   for (const file of projectFiles) {
-    yield* mergeFile(acc, file)
+    yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
   }
 
   // 4. `.opencode` directories (and OPENCODE_CONFIG_DIR) discovered while
@@ -171,7 +127,7 @@ const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory:
   for (const dir of dirs) {
     if (!dir.endsWith(".opencode") && dir !== Flag.OPENCODE_CONFIG_DIR) continue
     for (const file of ConfigPaths.fileInDirectory(dir, "tui")) {
-      yield* mergeFile(acc, file)
+      yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
     }
   }
 
@@ -236,3 +192,29 @@ export async function waitForDependencies() {
 export async function get() {
   return runPromise((svc) => svc.get())
 }
+
+async function loadFile(filepath: string): Promise<Info> {
+  const text = await ConfigPaths.readFile(filepath)
+  if (!text) return {}
+  return load(text, filepath).catch((error) => {
+    log.warn("failed to load tui config", { path: filepath, error })
+    return {}
+  })
+}
+
+async function load(text: string, configFilepath: string): Promise<Info> {
+  return ConfigVariable.substitute({ text, type: "path", path: configFilepath, missing: "empty" })
+    .then((expanded) => ConfigParse.jsonc(expanded, configFilepath))
+    .then((data) => {
+      if (!isRecord(data)) return {}
+
+      // Flatten a nested "tui" key so users who wrote `{ "tui": { ... } }` inside tui.json
+      // (mirroring the old opencode.json shape) still get their settings applied.
+      return ConfigParse.schema(Info, normalize(data), configFilepath)
+    })
+    .then((data) => resolvePlugins(data, configFilepath))
+    .catch((error) => {
+      log.warn("invalid tui config", { path: configFilepath, error })
+      return {}
+    })
+}

packages/opencode/src/cli/cmd/tui/context/sync-v2.tsx

@@ -143,15 +143,6 @@ export const { use: useSyncV2, provider: SyncProviderV2 } = createSimpleContext(
               currentAssistant.snapshot = { ...currentAssistant.snapshot, end: event.properties.snapshot }
           })
           break
-        case "session.next.step.failed":
-          update(event.properties.sessionID, (draft) => {
-            const currentAssistant = activeAssistant(draft)
-            if (!currentAssistant) return
-            currentAssistant.time.completed = event.properties.timestamp
-            currentAssistant.finish = "error"
-            currentAssistant.error = event.properties.error
-          })
-          break
         case "session.next.text.started":
           update(event.properties.sessionID, (draft) => {
             activeAssistant(draft)?.content.push({ type: "text", text: "" })
@@ -219,7 +210,7 @@ export const { use: useSyncV2, provider: SyncProviderV2 } = createSimpleContext(
             match.time.completed = event.properties.timestamp
           })
           break
-        case "session.next.tool.failed":
+        case "session.next.tool.error":
           update(event.properties.sessionID, (draft) => {
             const match = latestTool(activeAssistant(draft), event.properties.callID)
             if (match?.state.status !== "running") return

packages/opencode/src/cli/cmd/tui/worker.ts

@@ -7,7 +7,7 @@ import { Rpc } from "@/util/rpc"
 import { upgrade } from "@/cli/upgrade"
 import { Config } from "@/config/config"
 import { GlobalBus } from "@/bus/global"
-import { ServerAuth } from "@/server/auth"
+import { Flag } from "@opencode-ai/core/flag/flag"
 import { writeHeapSnapshot } from "node:v8"
 import { Heap } from "@/cli/heap"
 import { AppRuntime } from "@/effect/app-runtime"
@@ -50,7 +50,7 @@ let server: Awaited<ReturnType<typeof Server.listen>> | undefined
 export const rpc = {
   async fetch(input: { url: string; method: string; headers: Record<string, string>; body?: string }) {
     const headers = { ...input.headers }
-    const auth = ServerAuth.header()
+    const auth = getAuthorizationHeader()
     if (auth && !headers["authorization"] && !headers["Authorization"]) {
       headers["Authorization"] = auth
     }
@@ -102,3 +102,10 @@ export const rpc = {
 }
 
 Rpc.listen(rpc)
+
+function getAuthorizationHeader(): string | undefined {
+  const password = Flag.OPENCODE_SERVER_PASSWORD
+  if (!password) return undefined
+  const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
+  return `Basic ${btoa(`${username}:${password}`)}`
+}

packages/opencode/src/cli/effect-cmd.ts

@@ -3,7 +3,6 @@ import { Effect, Schema } from "effect"
 import { AppRuntime, type AppServices } from "@/effect/app-runtime"
 import { InstanceStore } from "@/project/instance-store"
 import { InstanceRef } from "@/effect/instance-ref"
-import { Instance } from "@/project/instance"
 import { cmd, type WithDoubleDash } from "./cmd/cmd"
 
 /**
@@ -83,21 +82,17 @@ export const effectCmd = <Args, A>(opts: EffectCmdOpts<Args, A>) =>
         return
       }
       const directory = opts.directory?.(args) ?? process.cwd()
-      // Two-phase: load ctx, then run body inside Instance.current ALS.
-      // Effect's InstanceRef is provided via fiber context, but that context is
-      // lost across `await` inside `Effect.promise(async () => ...)` callbacks
-      // — when handlers re-enter Effect via `AppRuntime.runPromise(svc.method())`
-      // there, attach() falls back to Instance.current ALS, which Node preserves
-      // across awaits. Matches the pre-effectCmd `bootstrap()` behavior.
-      const { store, ctx } = await AppRuntime.runPromise(
-        InstanceStore.Service.use((store) => store.load({ directory }).pipe(Effect.map((ctx) => ({ store, ctx })))),
+      await AppRuntime.runPromise(
+        InstanceStore.Service.use((store) =>
+          store.provide(
+            { directory },
+            Effect.gen(function* () {
+              const ctx = yield* InstanceRef
+              const body = opts.handler(args)
+              return ctx ? yield* body.pipe(Effect.ensuring(store.dispose(ctx))) : yield* body
+            }),
+          ),
+        ),
       )
-      try {
-        await Instance.restore(ctx, () =>
-          AppRuntime.runPromise(opts.handler(args).pipe(Effect.provideService(InstanceRef, ctx))),
-        )
-      } finally {
-        await AppRuntime.runPromise(store.dispose(ctx))
-      }
     },
   })

packages/opencode/src/cli/effect/prompt.ts

@@ -6,27 +6,15 @@ export const outro = (msg: string) => Effect.sync(() => prompts.outro(msg))
 
 export const log = {
   info: (msg: string) => Effect.sync(() => prompts.log.info(msg)),
-  error: (msg: string) => Effect.sync(() => prompts.log.error(msg)),
-  warn: (msg: string) => Effect.sync(() => prompts.log.warn(msg)),
-  success: (msg: string) => Effect.sync(() => prompts.log.success(msg)),
-}
-
-const optional = <Value>(result: Value | symbol) => {
-  if (prompts.isCancel(result)) return Option.none<Value>()
-  return Option.some(result)
 }
 
 export const select = <Value>(opts: Parameters<typeof prompts.select<Value>>[0]) =>
-  Effect.promise(() => prompts.select(opts)).pipe(Effect.map((result) => optional(result)))
-
-export const autocomplete = <Value>(opts: Parameters<typeof prompts.autocomplete<Value>>[0]) =>
-  Effect.promise(() => prompts.autocomplete(opts)).pipe(Effect.map((result) => optional(result)))
-
-export const text = (opts: Parameters<typeof prompts.text>[0]) =>
-  Effect.promise(() => prompts.text(opts)).pipe(Effect.map((result) => optional(result)))
-
-export const password = (opts: Parameters<typeof prompts.password>[0]) =>
-  Effect.promise(() => prompts.password(opts)).pipe(Effect.map((result) => optional(result)))
+  Effect.tryPromise(() => prompts.select(opts)).pipe(
+    Effect.map((result) => {
+      if (prompts.isCancel(result)) return Option.none<Value>()
+      return Option.some(result)
+    }),
+  )
 
 export const spinner = () => {
   const s = prompts.spinner()

packages/opencode/src/config/config.ts

@@ -355,7 +355,15 @@ export const layer = Layer.effect(
     const env = yield* Env.Service
     const npmSvc = yield* Npm.Service
 
-    const readConfigFile = (filepath: string) => fs.readFileStringSafe(filepath).pipe(Effect.orDie)
+    const readConfigFile = Effect.fnUntraced(function* (filepath: string) {
+      return yield* fs.readFileString(filepath).pipe(
+        Effect.catchIf(
+          (e) => e.reason._tag === "NotFound",
+          () => Effect.succeed(undefined),
+        ),
+        Effect.orDie,
+      )
+    })
 
     const loadConfig = Effect.fnUntraced(function* (
       text: string,

packages/opencode/src/config/paths.ts

@@ -1,9 +1,11 @@
 export * as ConfigPaths from "./paths"
 
 import path from "path"
+import { Filesystem } from "@/util/filesystem"
 import { Flag } from "@opencode-ai/core/flag/flag"
 import { Global } from "@opencode-ai/core/global"
 import { unique } from "remeda"
+import { JsonError } from "./error"
 import * as Effect from "effect/Effect"
 import { AppFileSystem } from "@opencode-ai/core/filesystem"
 
@@ -43,3 +45,11 @@ export const directories = Effect.fn("ConfigPaths.directories")(function* (direc
 export function fileInDirectory(dir: string, name: string) {
   return [path.join(dir, `${name}.json`), path.join(dir, `${name}.jsonc`)]
 }
+
+/** Read a config file, returning undefined for missing files and throwing JsonError for other failures. */
+export async function readFile(filepath: string) {
+  return Filesystem.readText(filepath).catch((err: NodeJS.ErrnoException) => {
+    if (err.code === "ENOENT") return
+    throw new JsonError({ path: filepath }, { cause: err })
+  })
+}

packages/opencode/src/effect/app-runtime.ts

@@ -46,7 +46,6 @@ import { Vcs } from "@/project/vcs"
 import { Workspace } from "@/control-plane/workspace"
 import { Worktree } from "@/worktree"
 import { Pty } from "@/pty"
-import { PtyTicket } from "@/pty/ticket"
 import { Installation } from "@/installation"
 import { ShareNext } from "@/share/share-next"
 import { SessionShare } from "@/share/session"
@@ -99,7 +98,6 @@ export const AppLayer = Layer.mergeAll(
   Workspace.defaultLayer,
   Worktree.appLayer,
   Pty.defaultLayer,
-  PtyTicket.defaultLayer,
   Installation.defaultLayer,
   ShareNext.defaultLayer,
   SessionShare.defaultLayer,

packages/opencode/src/git/index.ts

@@ -24,7 +24,6 @@ const fail = (err: unknown) =>
     text: () => "",
     stdout: Buffer.alloc(0),
     stderr: Buffer.from(err instanceof Error ? err.message : String(err)),
-    truncated: false,
   }) satisfies Result
 
 export type Kind = "added" | "deleted" | "modified"
@@ -46,28 +45,16 @@ export type Stat = {
   readonly deletions: number
 }
 
-export type Patch = {
-  readonly text: string
-  readonly truncated: boolean
-}
-
-export interface PatchOptions {
-  readonly context?: number
-  readonly maxOutputBytes?: number
-}
-
 export interface Result {
   readonly exitCode: number
   readonly text: () => string
   readonly stdout: Buffer
   readonly stderr: Buffer
-  readonly truncated: boolean
 }
 
 export interface Options {
   readonly cwd: string
   readonly env?: Record<string, string>
-  readonly maxOutputBytes?: number
 }
 
 export interface Interface {
@@ -81,10 +68,6 @@ export interface Interface {
   readonly status: (cwd: string) => Effect.Effect<Item[]>
   readonly diff: (cwd: string, ref: string) => Effect.Effect<Item[]>
   readonly stats: (cwd: string, ref: string) => Effect.Effect<Stat[]>
-  readonly patch: (cwd: string, ref: string, file: string, options?: PatchOptions) => Effect.Effect<Patch>
-  readonly patchAll: (cwd: string, ref: string, options?: PatchOptions) => Effect.Effect<Patch>
-  readonly patchUntracked: (cwd: string, file: string, options?: PatchOptions) => Effect.Effect<Patch>
-  readonly statUntracked: (cwd: string, file: string) => Effect.Effect<Stat | undefined>
 }
 
 const kind = (code: string): Kind => {
@@ -113,31 +96,15 @@ export const layer = Layer.effect(
           stderr: "pipe",
         })
         const handle = yield* spawner.spawn(proc)
-        const collect = (stream: typeof handle.stdout) =>
-          Stream.runFold(
-            stream,
-            () => ({ chunks: [] as Uint8Array[], bytes: 0, truncated: false }),
-            (acc, chunk) => {
-              if (opts.maxOutputBytes === undefined) {
-                acc.chunks.push(chunk)
-                acc.bytes += chunk.length
-                return acc
-              }
-
-              const remaining = opts.maxOutputBytes - acc.bytes
-              if (remaining > 0) acc.chunks.push(remaining >= chunk.length ? chunk : chunk.slice(0, remaining))
-              acc.bytes += chunk.length
-              acc.truncated = acc.truncated || acc.bytes > opts.maxOutputBytes
-              return acc
-            },
-          ).pipe(Effect.map((x) => ({ buffer: Buffer.concat(x.chunks), truncated: x.truncated })))
-        const [stdout, stderr] = yield* Effect.all([collect(handle.stdout), collect(handle.stderr)], { concurrency: 2 })
+        const [stdout, stderr] = yield* Effect.all(
+          [Stream.mkString(Stream.decodeText(handle.stdout)), Stream.mkString(Stream.decodeText(handle.stderr))],
+          { concurrency: 2 },
+        )
         return {
           exitCode: yield* handle.exitCode,
-          text: () => stdout.buffer.toString("utf8"),
-          stdout: stdout.buffer,
-          stderr: stderr.buffer,
-          truncated: stdout.truncated || stderr.truncated,
+          text: () => stdout,
+          stdout: Buffer.from(stdout),
+          stderr: Buffer.from(stderr),
         } satisfies Result
       },
       Effect.scoped,
@@ -273,61 +240,6 @@ export const layer = Layer.effect(
       })
     })
 
-    const patch = Effect.fn("Git.patch")(function* (cwd: string, ref: string, file: string, options?: PatchOptions) {
-      const result = yield* run(
-        ["diff", "--patch", "--no-ext-diff", "--no-renames", `--unified=${options?.context ?? 3}`, ref, "--", file],
-        { cwd, maxOutputBytes: options?.maxOutputBytes },
-      )
-      return { text: result.truncated ? "" : result.text(), truncated: result.truncated } satisfies Patch
-    })
-
-    const patchAll = Effect.fn("Git.patchAll")(function* (cwd: string, ref: string, options?: PatchOptions) {
-      const result = yield* run(
-        ["diff", "--patch", "--no-ext-diff", "--no-renames", `--unified=${options?.context ?? 3}`, ref, "--", "."],
-        { cwd, maxOutputBytes: options?.maxOutputBytes },
-      )
-      return { text: result.text(), truncated: result.truncated } satisfies Patch
-    })
-
-    const patchUntracked = Effect.fn("Git.patchUntracked")(function* (
-      cwd: string,
-      file: string,
-      options?: PatchOptions,
-    ) {
-      const result = yield* run(
-        [
-          "diff",
-          "--no-index",
-          "--patch",
-          "--no-ext-diff",
-          "--no-renames",
-          `--unified=${options?.context ?? 3}`,
-          "--",
-          "/dev/null",
-          file,
-        ],
-        { cwd, maxOutputBytes: options?.maxOutputBytes },
-      )
-      return { text: result.truncated ? "" : result.text(), truncated: result.truncated } satisfies Patch
-    })
-
-    const statUntracked = Effect.fn("Git.statUntracked")(function* (cwd: string, file: string) {
-      const result = yield* run(["diff", "--no-index", "--numstat", "--", "/dev/null", file], {
-        cwd,
-        maxOutputBytes: 4096,
-      })
-      if (result.truncated) return
-      const parts = result.text().split("\t")
-      if (parts.length < 2) return
-      const additions = parts[0] === "-" ? 0 : Number.parseInt(parts[0] || "0", 10)
-      const deletions = parts[1] === "-" ? 0 : Number.parseInt(parts[1] || "0", 10)
-      return {
-        file,
-        additions: Number.isFinite(additions) ? additions : 0,
-        deletions: Number.isFinite(deletions) ? deletions : 0,
-      } satisfies Stat
-    })
-
     return Service.of({
       run,
       branch,
@@ -339,10 +251,6 @@ export const layer = Layer.effect(
       status,
       diff,
       stats,
-      patch,
-      patchAll,
-      patchUntracked,
-      statUntracked,
     })
   }),
 )

packages/opencode/src/permission/index.ts

@@ -5,7 +5,8 @@ import { InstanceState } from "@/effect/instance-state"
 import { ProjectID } from "@/project/schema"
 import { MessageID, SessionID } from "@/session/schema"
 import { PermissionTable } from "@/session/session.sql"
-import { Database } from "@/storage/db"
+import { DatabaseEffect } from "@/storage/db-effect"
+import { getOne } from "@opencode-ai/effect-drizzle-sqlite"
 import { eq } from "drizzle-orm"
 import { zod } from "@/util/effect-zod"
 import * as Log from "@opencode-ai/core/util/log"
@@ -153,11 +154,15 @@ export const layer = Layer.effect(
   Service,
   Effect.gen(function* () {
     const bus = yield* Bus.Service
+    const db = yield* DatabaseEffect.Service
     const state = yield* InstanceState.make<State>(
       Effect.fn("Permission.state")(function* (ctx) {
-        const row = Database.use((db) =>
-          db.select().from(PermissionTable).where(eq(PermissionTable.project_id, ctx.project.id)).get(),
-        )
+        const row = yield* getOne(
+          db
+            .select()
+            .from(PermissionTable)
+            .where(eq(PermissionTable.project_id, ctx.project.id)),
+        ).pipe(Effect.orDie)
         const state = {
           pending: new Map<PermissionID, PendingEntry>(),
           approved: row?.data ?? [],
@@ -319,6 +324,6 @@ export function disabled(tools: string[], ruleset: Ruleset): Set<string> {
   return result
 }
 
-export const defaultLayer = layer.pipe(Layer.provide(Bus.layer))
+export const defaultLayer: Layer.Layer<Service> = layer.pipe(Layer.provide(Bus.layer), Layer.provide(DatabaseEffect.layer))
 
 export * as Permission from "."

packages/opencode/src/plugin/codex.ts

@@ -14,14 +14,7 @@ const ISSUER = "https://auth.openai.com"
 const CODEX_API_ENDPOINT = "https://chatgpt.com/backend-api/codex/responses"
 const OAUTH_PORT = 1455
 const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000
-const ALLOWED_MODELS = new Set([
-  "gpt-5.5",
-  "gpt-5.2",
-  "gpt-5.3-codex",
-  "gpt-5.3-codex-spark",
-  "gpt-5.4",
-  "gpt-5.4-mini",
-])
+const ALLOWED_MODELS = new Set(["gpt-5.5", "gpt-5.2", "gpt-5.3-codex", "gpt-5.4", "gpt-5.4-mini"])
 
 interface PkceCodes {
   verifier: string

packages/opencode/src/plugin/index.ts

@@ -10,7 +10,6 @@ import { Bus } from "../bus"
 import * as Log from "@opencode-ai/core/util/log"
 import { createOpencodeClient } from "@opencode-ai/sdk"
 import { Flag } from "@opencode-ai/core/flag/flag"
-import { ServerAuth } from "@/server/auth"
 import { CodexAuthPlugin } from "./codex"
 import { Session } from "@/session/session"
 import { NamedError } from "@opencode-ai/core/util/error"
@@ -125,7 +124,11 @@ export const layer = Layer.effect(
         const client = createOpencodeClient({
           baseUrl: "http://localhost:4096",
           directory: ctx.directory,
-          headers: ServerAuth.headers(),
+          headers: Flag.OPENCODE_SERVER_PASSWORD
+            ? {
+                Authorization: `Basic ${Buffer.from(`${Flag.OPENCODE_SERVER_USERNAME ?? "opencode"}:${Flag.OPENCODE_SERVER_PASSWORD}`).toString("base64")}`,
+              }
+            : undefined,
           fetch: async (...args) => Server.Default().app.fetch(...args),
         })
         const cfg = yield* config.get()

packages/opencode/src/project/vcs.ts

@@ -1,8 +1,10 @@
 import { Effect, Layer, Context, Schema, Stream, Scope } from "effect"
 import { formatPatch, structuredPatch } from "diff"
+import path from "path"
 import { Bus } from "@/bus"
 import { BusEvent } from "@/bus/bus-event"
 import { InstanceState } from "@/effect/instance-state"
+import { AppFileSystem } from "@opencode-ai/core/filesystem"
 import { FileWatcher } from "@/file/watcher"
 import { Git } from "@/git"
 import * as Log from "@opencode-ai/core/util/log"
@@ -10,11 +12,20 @@ import { zod } from "@/util/effect-zod"
 import { NonNegativeInt, withStatics } from "@/util/schema"
 
 const log = Log.create({ service: "vcs" })
-const PATCH_CONTEXT_LINES = 2_147_483_647
-const MAX_PATCH_BYTES = 10_000_000
-const MAX_TOTAL_PATCH_BYTES = 10_000_000
 
-const emptyPatch = (file: string) => formatPatch(structuredPatch(file, file, "", "", "", "", { context: 0 }))
+const count = (text: string) => {
+  if (!text) return 0
+  if (!text.endsWith("\n")) return text.split("\n").length
+  return text.slice(0, -1).split("\n").length
+}
+
+const work = Effect.fnUntraced(function* (fs: AppFileSystem.Interface, cwd: string, file: string) {
+  const full = path.join(cwd, file)
+  if (!(yield* fs.exists(full).pipe(Effect.orDie))) return ""
+  const buf = yield* fs.readFile(full).pipe(Effect.catch(() => Effect.succeed(new Uint8Array())))
+  if (Buffer.from(buf).includes(0)) return ""
+  return Buffer.from(buf).toString("utf8")
+})
 
 const nums = (list: Git.Stat[]) =>
   new Map(list.map((item) => [item.file, { additions: item.additions, deletions: item.deletions }] as const))
@@ -27,168 +38,59 @@ const merge = (...lists: Git.Item[][]) => {
   return [...out.values()]
 }
 
-const emptyBatch = () => ({ patches: new Map<string, string>(), capped: false })
-
-const parseQuotedPath = (value: string) => {
-  let out = ""
-  for (let idx = 1; idx < value.length; idx++) {
-    const char = value[idx]
-    if (char === '"') return { value: out, end: idx + 1 }
-    if (char !== "\\") {
-      out += char
-      continue
-    }
-
-    const next = value[++idx]
-    if (next === "t") out += "\t"
-    else if (next === "n") out += "\n"
-    else if (next === "r") out += "\r"
-    else if (next === '"' || next === "\\") out += next
-    else out += next ?? ""
-  }
-}
-
-const parsePathToken = (value: string) => {
-  if (!value.startsWith('"')) return value.split("\t")[0]
-  return parseQuotedPath(value)?.value ?? value
-}
-
-const fileFromDiffPath = (value: string | undefined) => {
-  if (!value || value === "/dev/null") return
-  const file = parsePathToken(value)
-  if (file.startsWith("a/") || file.startsWith("b/")) return file.slice(2)
-  return file
-}
-
-const fileFromGitHeader = (header: string) => {
-  if (header.startsWith('"')) {
-    const first = parseQuotedPath(header)
-    const second = first ? header.slice(first.end).trimStart() : undefined
-    if (!second) return
-    if (!second.startsWith('"')) return fileFromDiffPath(second)
-    return fileFromDiffPath(parseQuotedPath(second)?.value)
-  }
-
-  const separator = header.indexOf(" b/")
-  if (separator === -1) return
-  return fileFromDiffPath(header.slice(separator + 1))
-}
-
-const fileFromPatchChunk = (chunk: string) => {
-  const next = /^\+\+\+ (.+)$/m.exec(chunk)?.[1]
-  const before = /^--- (.+)$/m.exec(chunk)?.[1]
-  const file = fileFromDiffPath(next) ?? fileFromDiffPath(before)
-  if (file) return file
-
-  const header = /^diff --git (.+)$/m.exec(chunk)?.[1]
-  return fileFromGitHeader(header ?? "")
-}
-
-const splitGitPatch = (patch: Git.Patch) => {
-  const starts = [...patch.text.matchAll(/^diff --git /gm)].map((match) => match.index)
-  const chunks = starts.map((start, index) => patch.text.slice(start, starts[index + 1] ?? patch.text.length))
-  if (!patch.truncated) return chunks
-  return chunks.slice(0, -1)
-}
-
-const batchPatches = Effect.fnUntraced(function* (git: Git.Interface, cwd: string, ref: string, list: Git.Item[]) {
-  if (list.length === 0) return { patches: new Map<string, string>(), capped: false }
-
-  const result = yield* git.patchAll(cwd, ref, {
-    context: PATCH_CONTEXT_LINES,
-    maxOutputBytes: MAX_TOTAL_PATCH_BYTES,
-  })
-  if (result.truncated) log.warn("batched patch exceeded byte limit", { max: MAX_TOTAL_PATCH_BYTES })
-
-  return {
-    patches: splitGitPatch(result).reduce((acc, patch, index) => {
-      const file = fileFromPatchChunk(patch) ?? list[index]?.file
-      if (!file) return acc
-      acc.set(file, (acc.get(file) ?? "") + patch)
-      return acc
-    }, new Map<string, string>()),
-    capped: result.truncated,
-  }
-})
-
-const nativePatch = Effect.fnUntraced(function* (
-  git: Git.Interface,
-  cwd: string,
-  ref: string | undefined,
-  item: Git.Item,
-) {
-  const result =
-    item.code === "??" || !ref
-      ? yield* git.patchUntracked(cwd, item.file, { context: PATCH_CONTEXT_LINES, maxOutputBytes: MAX_PATCH_BYTES })
-      : yield* git.patch(cwd, ref, item.file, { context: PATCH_CONTEXT_LINES, maxOutputBytes: MAX_PATCH_BYTES })
-  if (!result.truncated && result.text) return result.text
-
-  if (result.truncated) log.warn("patch exceeded byte limit", { file: item.file, max: MAX_PATCH_BYTES })
-  return emptyPatch(item.file)
-})
-
-const totalPatch = (file: string, patch: string, total: number) => {
-  if (total + Buffer.byteLength(patch) <= MAX_TOTAL_PATCH_BYTES) return { patch, capped: false }
-  log.warn("total patch budget exceeded", { file, max: MAX_TOTAL_PATCH_BYTES })
-  return { patch: emptyPatch(file), capped: true }
-}
-
-const patchForItem = Effect.fnUntraced(function* (
-  git: Git.Interface,
-  cwd: string,
-  ref: string | undefined,
-  item: Git.Item,
-  batch: { patches: Map<string, string>; capped: boolean },
-  capped: boolean,
-) {
-  if (capped) return emptyPatch(item.file)
-
-  const batched = batch.patches.get(item.file)
-  if (batched !== undefined) return batched
-  if (item.code !== "??" && batch.capped) return emptyPatch(item.file)
-  return yield* nativePatch(git, cwd, ref, item)
-})
-
 const files = Effect.fnUntraced(function* (
+  fs: AppFileSystem.Interface,
   git: Git.Interface,
   cwd: string,
   ref: string | undefined,
   list: Git.Item[],
   map: Map<string, { additions: number; deletions: number }>,
-  batch: { patches: Map<string, string>; capped: boolean },
 ) {
-  const next: FileDiff[] = []
-  let total = 0
-  let capped = false
-
-  for (const item of list.toSorted((a, b) => a.file.localeCompare(b.file))) {
-    const stat = map.get(item.file) ?? (item.status === "added" ? yield* git.statUntracked(cwd, item.file) : undefined)
-    const patch = yield* patchForItem(git, cwd, ref, item, batch, capped)
-    const result: { patch: string; capped: boolean } = capped
-      ? { patch, capped: true }
-      : totalPatch(item.file, patch, total)
-    capped = capped || result.capped
-    if (!capped) {
-      total += Buffer.byteLength(result.patch)
-      capped = total >= MAX_TOTAL_PATCH_BYTES
-    }
-    next.push({
-      file: item.file,
-      patch: result.patch,
-      additions: stat?.additions ?? 0,
-      deletions: stat?.deletions ?? 0,
-      status: item.status,
-    })
-  }
-
-  return next
+  const base = ref ? yield* git.prefix(cwd) : ""
+  const patch = (file: string, before: string, after: string) =>
+    formatPatch(structuredPatch(file, file, before, after, "", "", { context: Number.MAX_SAFE_INTEGER }))
+  const next = yield* Effect.forEach(
+    list,
+    (item) =>
+      Effect.gen(function* () {
+        const before = item.status === "added" || !ref ? "" : yield* git.show(cwd, ref, item.file, base)
+        const after = item.status === "deleted" ? "" : yield* work(fs, cwd, item.file)
+        const stat = map.get(item.file)
+        return {
+          file: item.file,
+          patch: patch(item.file, before, after),
+          additions: stat?.additions ?? (item.status === "added" ? count(after) : 0),
+          deletions: stat?.deletions ?? (item.status === "deleted" ? count(before) : 0),
+          status: item.status,
+        } satisfies FileDiff
+      }),
+    { concurrency: 8 },
+  )
+  return next.toSorted((a, b) => a.file.localeCompare(b.file))
 })
 
-const diffAgainstRef = Effect.fnUntraced(function* (git: Git.Interface, cwd: string, ref: string) {
+const track = Effect.fnUntraced(function* (
+  fs: AppFileSystem.Interface,
+  git: Git.Interface,
+  cwd: string,
+  ref: string | undefined,
+) {
+  if (!ref) return yield* files(fs, git, cwd, ref, yield* git.status(cwd), new Map())
+  const [list, stats] = yield* Effect.all([git.status(cwd), git.stats(cwd, ref)], { concurrency: 2 })
+  return yield* files(fs, git, cwd, ref, list, nums(stats))
+})
+
+const compare = Effect.fnUntraced(function* (
+  fs: AppFileSystem.Interface,
+  git: Git.Interface,
+  cwd: string,
+  ref: string,
+) {
   const [list, stats, extra] = yield* Effect.all([git.diff(cwd, ref), git.stats(cwd, ref), git.status(cwd)], {
     concurrency: 3,
   })
   return yield* files(
+    fs,
     git,
     cwd,
     ref,
@@ -197,15 +99,9 @@ const diffAgainstRef = Effect.fnUntraced(function* (git: Git.Interface, cwd: str
       extra.filter((item) => item.code === "??"),
     ),
     nums(stats),
-    yield* batchPatches(git, cwd, ref, list),
   )
 })
 
-const track = Effect.fnUntraced(function* (git: Git.Interface, cwd: string, ref: string | undefined) {
-  if (!ref) return yield* files(git, cwd, ref, yield* git.status(cwd), new Map(), emptyBatch())
-  return yield* diffAgainstRef(git, cwd, ref)
-})
-
 export const Mode = Schema.Literals(["git", "branch"]).pipe(withStatics((s) => ({ zod: zod(s) })))
 export type Mode = Schema.Schema.Type<typeof Mode>
 
@@ -251,9 +147,10 @@ interface State {
 
 export class Service extends Context.Service<Service, Interface>()("@opencode/Vcs") {}
 
-export const layer: Layer.Layer<Service, never, Git.Service | Bus.Service> = Layer.effect(
+export const layer: Layer.Layer<Service, never, AppFileSystem.Service | Git.Service | Bus.Service> = Layer.effect(
   Service,
   Effect.gen(function* () {
+    const fs = yield* AppFileSystem.Service
     const git = yield* Git.Service
     const bus = yield* Bus.Service
     const scope = yield* Scope.Scope
@@ -307,19 +204,23 @@ export const layer: Layer.Layer<Service, never, Git.Service | Bus.Service> = Lay
         const ctx = yield* InstanceState.context
         if (ctx.project.vcs !== "git") return []
         if (mode === "git") {
-          return yield* track(git, ctx.directory, (yield* git.hasHead(ctx.directory)) ? "HEAD" : undefined)
+          return yield* track(fs, git, ctx.directory, (yield* git.hasHead(ctx.directory)) ? "HEAD" : undefined)
         }
 
         if (!value.root) return []
         if (value.current && value.current === value.root.name) return []
         const ref = yield* git.mergeBase(ctx.directory, value.root.ref)
         if (!ref) return []
-        return yield* diffAgainstRef(git, ctx.directory, ref)
+        return yield* compare(fs, git, ctx.directory, ref)
       }),
     })
   }),
 )
 
-export const defaultLayer = layer.pipe(Layer.provide(Git.defaultLayer), Layer.provide(Bus.layer))
+export const defaultLayer = layer.pipe(
+  Layer.provide(Git.defaultLayer),
+  Layer.provide(AppFileSystem.defaultLayer),
+  Layer.provide(Bus.layer),
+)
 
 export * as Vcs from "./vcs"

packages/opencode/src/pty/ticket.ts

@@ -1,68 +0,0 @@
-export * as PtyTicket from "./ticket"
-
-import { WorkspaceID } from "@/control-plane/schema"
-import { InstanceRef, WorkspaceRef } from "@/effect/instance-ref"
-import { PtyID } from "@/pty/schema"
-import { PositiveInt } from "@/util/schema"
-import { Cache, Context, Duration, Effect, Layer, Schema } from "effect"
-
-const DEFAULT_TTL = Duration.seconds(60)
-const CAPACITY = 10_000
-
-export const ConnectToken = Schema.Struct({
-  ticket: Schema.String,
-  expires_in: PositiveInt,
-})
-
-export type Scope = {
-  readonly ptyID: PtyID
-  readonly directory?: string
-  readonly workspaceID?: WorkspaceID
-}
-
-export interface Interface {
-  issue(input: Scope): Effect.Effect<typeof ConnectToken.Type>
-  consume(input: Scope & { readonly ticket: string }): Effect.Effect<boolean>
-}
-
-export class Service extends Context.Service<Service, Interface>()("@opencode/PtyTicket") {}
-
-function matches(record: Scope, input: Scope) {
-  return (
-    record.ptyID === input.ptyID && record.directory === input.directory && record.workspaceID === input.workspaceID
-  )
-}
-
-// Tickets are inserted via Cache.set and removed atomically via invalidateWhen. The lookup is
-// never invoked; it dies if it ever is, which would signal a misuse of the Service interface.
-const noLookup = () => Effect.die("PtyTicket cache must be used via set/invalidateWhen, never get")
-
-// Visible for tests so the TTL can be shortened. Production uses `layer` with the default TTL.
-export const make = (ttl: Duration.Input = DEFAULT_TTL) =>
-  Effect.gen(function* () {
-    const cache = yield* Cache.make<string, Scope>({ capacity: CAPACITY, lookup: noLookup, timeToLive: ttl })
-    const expiresIn = Math.max(1, Math.round(Duration.toSeconds(Duration.fromInputUnsafe(ttl))))
-    return Service.of({
-      issue: Effect.fn("PtyTicket.issue")(function* (input) {
-        const ticket = crypto.randomUUID()
-        yield* Cache.set(cache, ticket, input)
-        return { ticket, expires_in: expiresIn }
-      }),
-      consume: Effect.fn("PtyTicket.consume")(function* (input) {
-        return yield* Cache.invalidateWhen(cache, input.ticket, (stored) => matches(stored, input))
-      }),
-    })
-  })
-
-export const layer = Layer.effect(Service, make())
-
-export const defaultLayer = layer
-
-export const scope = Effect.gen(function* () {
-  const instance = yield* InstanceRef
-  const workspaceID = yield* WorkspaceRef
-  return {
-    directory: instance?.directory,
-    workspaceID,
-  }
-})

packages/opencode/src/server/adapter.bun.ts

@@ -0,0 +1,44 @@
+import type { Hono } from "hono"
+import { createBunWebSocket } from "hono/bun"
+import type { Adapter, FetchApp, Opts } from "./adapter"
+
+function listen(app: FetchApp, opts: Opts, websocket?: ReturnType<typeof createBunWebSocket>["websocket"]) {
+  const start = (port: number) => {
+    try {
+      if (websocket) {
+        return Bun.serve({ fetch: app.fetch, hostname: opts.hostname, idleTimeout: 0, websocket, port })
+      }
+      return Bun.serve({ fetch: app.fetch, hostname: opts.hostname, idleTimeout: 0, port })
+    } catch {
+      return
+    }
+  }
+  const server = opts.port === 0 ? (start(4096) ?? start(0)) : start(opts.port)
+  if (!server) {
+    throw new Error(`Failed to start server on port ${opts.port}`)
+  }
+  if (!server.port) {
+    throw new Error(`Failed to resolve server address for port ${opts.port}`)
+  }
+  return {
+    port: server.port,
+    stop(close?: boolean) {
+      return Promise.resolve(server.stop(close))
+    },
+  }
+}
+
+export const adapter: Adapter = {
+  create(app: Hono) {
+    const ws = createBunWebSocket()
+    return {
+      upgradeWebSocket: ws.upgradeWebSocket,
+      listen: (opts) => Promise.resolve(listen(app, opts, ws.websocket)),
+    }
+  },
+  createFetch(app) {
+    return {
+      listen: (opts) => Promise.resolve(listen(app, opts)),
+    }
+  },
+}

packages/opencode/src/server/adapter.node.ts

@@ -0,0 +1,73 @@
+import { createAdaptorServer, type ServerType } from "@hono/node-server"
+import { createNodeWebSocket } from "@hono/node-ws"
+import type { Hono } from "hono"
+import type { Adapter, FetchApp, Opts } from "./adapter"
+
+async function listen(app: FetchApp, opts: Opts, inject?: (server: ServerType) => void) {
+  const start = (port: number) =>
+    new Promise<ServerType>((resolve, reject) => {
+      const server = createAdaptorServer({ fetch: app.fetch })
+      inject?.(server)
+      const fail = (err: Error) => {
+        cleanup()
+        reject(err)
+      }
+      const ready = () => {
+        cleanup()
+        resolve(server)
+      }
+      const cleanup = () => {
+        server.off("error", fail)
+        server.off("listening", ready)
+      }
+      server.once("error", fail)
+      server.once("listening", ready)
+      server.listen(port, opts.hostname)
+    })
+
+  const server = opts.port === 0 ? await start(4096).catch(() => start(0)) : await start(opts.port)
+  const addr = server.address()
+  if (!addr || typeof addr === "string") {
+    throw new Error(`Failed to resolve server address for port ${opts.port}`)
+  }
+
+  let closing: Promise<void> | undefined
+  return {
+    port: addr.port,
+    stop(close?: boolean) {
+      closing ??= new Promise<void>((resolve, reject) => {
+        server.close((err) => {
+          if (err) {
+            reject(err)
+            return
+          }
+          resolve()
+        })
+        if (close) {
+          if ("closeAllConnections" in server && typeof server.closeAllConnections === "function") {
+            server.closeAllConnections()
+          }
+          if ("closeIdleConnections" in server && typeof server.closeIdleConnections === "function") {
+            server.closeIdleConnections()
+          }
+        }
+      })
+      return closing
+    },
+  }
+}
+
+export const adapter: Adapter = {
+  create(app: Hono) {
+    const ws = createNodeWebSocket({ app })
+    return {
+      upgradeWebSocket: ws.upgradeWebSocket,
+      listen: (opts) => listen(app, opts, ws.injectWebSocket),
+    }
+  },
+  createFetch(app) {
+    return {
+      listen: (opts) => listen(app, opts),
+    }
+  },
+}

packages/opencode/src/server/adapter.ts

@@ -0,0 +1,26 @@
+import type { Hono } from "hono"
+import type { UpgradeWebSocket } from "hono/ws"
+
+export type FetchApp = {
+  fetch(request: Request): Response | Promise<Response>
+}
+
+export type Opts = {
+  port: number
+  hostname: string
+}
+
+export type Listener = {
+  port: number
+  stop: (close?: boolean) => Promise<void>
+}
+
+export interface Runtime {
+  upgradeWebSocket: UpgradeWebSocket
+  listen(opts: Opts): Promise<Listener>
+}
+
+export interface Adapter {
+  create(app: Hono): Runtime
+  createFetch(app: FetchApp): Omit<Runtime, "upgradeWebSocket">
+}

packages/opencode/src/server/auth.ts

@@ -1,48 +0,0 @@
-export * as ServerAuth from "./auth"
-
-import { ConfigService } from "@/effect/config-service"
-import { Flag } from "@opencode-ai/core/flag/flag"
-import { Config as EffectConfig, Context, Option, Redacted } from "effect"
-
-export type Credentials = {
-  password?: string
-  username?: string
-}
-
-export type DecodedCredentials = {
-  readonly username: string
-  readonly password: Redacted.Redacted
-}
-
-export class Config extends ConfigService.Service<Config>()("@opencode/ServerAuthConfig", {
-  password: EffectConfig.string("OPENCODE_SERVER_PASSWORD").pipe(EffectConfig.option),
-  username: EffectConfig.string("OPENCODE_SERVER_USERNAME").pipe(EffectConfig.withDefault("opencode")),
-}) {}
-
-export type Info = Context.Service.Shape<typeof Config>
-
-export function required(config: Info) {
-  return Option.isSome(config.password) && config.password.value !== ""
-}
-
-export function authorized(credentials: DecodedCredentials, config: Info) {
-  return (
-    Option.isSome(config.password) &&
-    credentials.username === config.username &&
-    Redacted.value(credentials.password) === config.password.value
-  )
-}
-
-export function header(credentials?: Credentials) {
-  const password = credentials?.password ?? Flag.OPENCODE_SERVER_PASSWORD
-  if (!password) return undefined
-
-  const username = credentials?.username ?? Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
-  return `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
-}
-
-export function headers(credentials?: Credentials) {
-  const authorization = header(credentials)
-  if (!authorization) return undefined
-  return { Authorization: authorization }
-}

packages/opencode/src/server/backend.ts

@@ -0,0 +1,32 @@
+import { Flag } from "@opencode-ai/core/flag/flag"
+import { InstallationChannel, InstallationVersion } from "@opencode-ai/core/installation/version"
+
+export type Backend = "effect-httpapi" | "hono"
+
+export type Selection = {
+  backend: Backend
+  reason: "env" | "stable" | "explicit"
+}
+
+export type Attributes = ReturnType<typeof attributes>
+
+export function select(): Selection {
+  if (Flag.OPENCODE_EXPERIMENTAL_HTTPAPI) return { backend: "effect-httpapi", reason: "env" }
+  return { backend: "hono", reason: "stable" }
+}
+
+export function attributes(selection: Selection): Record<string, string> {
+  return {
+    "opencode.server.backend": selection.backend,
+    "opencode.server.backend.reason": selection.reason,
+    "opencode.installation.channel": InstallationChannel,
+    "opencode.installation.version": InstallationVersion,
+  }
+}
+
+export function force(selection: Selection, backend: Backend): Selection {
+  return {
+    backend,
+    reason: selection.backend === backend ? selection.reason : "explicit",
+  }
+}

packages/opencode/src/server/cors.ts

@@ -1,13 +1,7 @@
-import { Context } from "effect"
-
 const opencodeOrigin = /^https:\/\/([a-z0-9-]+\.)*opencode\.ai$/
 
 export type CorsOptions = { readonly cors?: ReadonlyArray<string> }
 
-export const CorsConfig = Context.Reference<CorsOptions | undefined>("@opencode/ServerCorsConfig", {
-  defaultValue: () => undefined,
-})
-
 export function isAllowedCorsOrigin(input: string | undefined, opts?: CorsOptions) {
   if (!input) return true
   if (input.startsWith("http://localhost:")) return true
@@ -18,17 +12,3 @@ export function isAllowedCorsOrigin(input: string | undefined, opts?: CorsOption
   if (opencodeOrigin.test(input)) return true
   return opts?.cors?.includes(input) ?? false
 }
-
-export function isAllowedRequestOrigin(input: string | undefined, host: string | undefined, opts?: CorsOptions) {
-  if (!input) return true
-  if (host && sameHost(input, host)) return true
-  return isAllowedCorsOrigin(input, opts)
-}
-
-function sameHost(origin: string, host: string) {
-  try {
-    return new URL(origin).host === host
-  } catch {
-    return false
-  }
-}

packages/opencode/src/server/error.ts

@@ -0,0 +1,36 @@
+import { resolver } from "hono-openapi"
+import z from "zod"
+import { NotFoundError } from "@/storage/storage"
+
+export const ERRORS = {
+  400: {
+    description: "Bad request",
+    content: {
+      "application/json": {
+        schema: resolver(
+          z
+            .object({
+              data: z.any(),
+              errors: z.array(z.record(z.string(), z.any())),
+              success: z.literal(false),
+            })
+            .meta({
+              ref: "BadRequestError",
+            }),
+        ),
+      },
+    },
+  },
+  404: {
+    description: "Not found",
+    content: {
+      "application/json": {
+        schema: resolver(NotFoundError.Schema),
+      },
+    },
+  },
+} as const
+
+export function errors(...codes: number[]) {
+  return Object.fromEntries(codes.map((code) => [code, ERRORS[code as keyof typeof ERRORS]]))
+}

packages/opencode/src/server/fence.ts

@@ -1,3 +1,4 @@
+import type { MiddlewareHandler } from "hono"
 import { Database } from "@/storage/db"
 import { inArray } from "drizzle-orm"
 import { EventSequenceTable } from "@/sync/event.sql"
@@ -7,8 +8,8 @@ import * as Log from "@opencode-ai/core/util/log"
 import { AppRuntime } from "@/effect/app-runtime"
 import { Effect } from "effect"
 
-export const HEADER = "x-opencode-sync"
-export type State = Record<string, number>
+const HEADER = "x-opencode-sync"
+type State = Record<string, number>
 const log = Log.create({ service: "fence" })
 
 export function load(ids?: string[]) {
@@ -72,3 +73,18 @@ export function waitEffect(workspaceID: WorkspaceID, state: State, signal?: Abor
 export async function wait(workspaceID: WorkspaceID, state: State, signal?: AbortSignal) {
   await AppRuntime.runPromise(waitEffect(workspaceID, state, signal))
 }
+
+export const FenceMiddleware: MiddlewareHandler = async (c, next) => {
+  if (c.req.method === "GET" || c.req.method === "HEAD" || c.req.method === "OPTIONS") return next()
+
+  const prev = load()
+  await next()
+  const current = diff(prev, load())
+
+  if (Object.keys(current).length > 0) {
+    log.info("header", {
+      diff: current,
+    })
+    c.res.headers.set(HEADER, JSON.stringify(current))
+  }
+}

packages/opencode/src/server/httpapi-server.node.ts

@@ -1,35 +0,0 @@
-import { NodeHttpServer } from "@effect/platform-node"
-import { Effect, Layer } from "effect"
-import { createServer } from "node:http"
-import { Service } from "./httpapi-server"
-
-export { Service }
-
-export const name = "node-http-server"
-
-export type Opts = { port: number; hostname: string }
-
-export const layer = (opts: Opts) => {
-  const server = createServer()
-  const serverRef = { closeStarted: false, forceStop: false }
-  const close = server.close.bind(server)
-  // Keep shutdown owned by NodeHttpServer, but honor listener.stop(true) by
-  // force-closing active HTTP sockets when its finalizer calls server.close().
-  server.close = ((callback?: Parameters<typeof server.close>[0]) => {
-    serverRef.closeStarted = true
-    const result = close(callback)
-    if (serverRef.forceStop) server.closeAllConnections()
-    return result
-  }) as typeof server.close
-  return Layer.mergeAll(
-    NodeHttpServer.layer(() => server, { port: opts.port, host: opts.hostname, gracefulShutdownTimeout: "1 second" }),
-    Layer.succeed(Service)(
-      Service.of({
-        closeAll: Effect.sync(() => {
-          serverRef.forceStop = true
-          if (serverRef.closeStarted) server.closeAllConnections()
-        }),
-      }),
-    ),
-  )
-}

packages/opencode/src/server/httpapi-server.ts

@@ -1,9 +0,0 @@
-import { Context, Effect } from "effect"
-
-export interface Interface {
-  readonly closeAll: Effect.Effect<void>
-}
-
-export class Service extends Context.Service<Service, Interface>()("@opencode/HttpApiServer") {}
-
-export * as HttpApiServer from "./httpapi-server"

packages/opencode/src/server/middleware.ts

@@ -0,0 +1,86 @@
+import { Provider } from "@/provider/provider"
+import { NamedError } from "@opencode-ai/core/util/error"
+import { NotFoundError } from "@/storage/storage"
+import { Session } from "@/session/session"
+import type { ContentfulStatusCode } from "hono/utils/http-status"
+import type { ErrorHandler, MiddlewareHandler } from "hono"
+import { HTTPException } from "hono/http-exception"
+import * as Log from "@opencode-ai/core/util/log"
+import { Flag } from "@opencode-ai/core/flag/flag"
+import { basicAuth } from "hono/basic-auth"
+import { cors } from "hono/cors"
+import { compress } from "hono/compress"
+import * as ServerBackend from "./backend"
+import { isAllowedCorsOrigin, type CorsOptions } from "./cors"
+
+const log = Log.create({ service: "server" })
+
+export const ErrorMiddleware: ErrorHandler = (err, c) => {
+  log.error("failed", {
+    error: err,
+  })
+  if (err instanceof NamedError) {
+    let status: ContentfulStatusCode
+    if (err instanceof NotFoundError) status = 404
+    else if (err instanceof Provider.ModelNotFoundError) status = 400
+    else if (err.name === "ProviderAuthValidationFailed") status = 400
+    else if (err.name.startsWith("Worktree")) status = 400
+    else status = 500
+    return c.json(err.toObject(), { status })
+  }
+  if (err instanceof Session.BusyError) {
+    return c.json(new NamedError.Unknown({ message: err.message }).toObject(), { status: 400 })
+  }
+  if (err instanceof HTTPException) return err.getResponse()
+  const message = err instanceof Error && err.stack ? err.stack : err.toString()
+  return c.json(new NamedError.Unknown({ message }).toObject(), {
+    status: 500,
+  })
+}
+
+export const AuthMiddleware: MiddlewareHandler = (c, next) => {
+  // Allow CORS preflight requests to succeed without auth.
+  // Browser clients sending Authorization headers will preflight with OPTIONS.
+  if (c.req.method === "OPTIONS") return next()
+  const password = Flag.OPENCODE_SERVER_PASSWORD
+  if (!password) return next()
+  const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
+
+  if (c.req.query("auth_token")) c.req.raw.headers.set("authorization", `Basic ${c.req.query("auth_token")}`)
+
+  return basicAuth({ username, password })(c, next)
+}
+
+export function LoggerMiddleware(backendAttributes: ServerBackend.Attributes): MiddlewareHandler {
+  return async (c, next) => {
+    const skip = c.req.path === "/log"
+    if (skip) return next()
+    const attributes = {
+      method: c.req.method,
+      path: c.req.path,
+      ...backendAttributes,
+    }
+    log.info("request", attributes)
+    const timer = log.time("request", attributes)
+    await next()
+    timer.stop()
+  }
+}
+
+export function CorsMiddleware(opts?: CorsOptions): MiddlewareHandler {
+  return cors({
+    maxAge: 86_400,
+    origin(input) {
+      if (isAllowedCorsOrigin(input, opts)) return input
+    },
+  })
+}
+
+const zipped = compress()
+export const CompressionMiddleware: MiddlewareHandler = (c, next) => {
+  const path = c.req.path
+  const method = c.req.method
+  if (path === "/event" || path === "/global/event") return next()
+  if (method === "POST" && /\/session\/[^/]+\/(message|prompt_async)$/.test(path)) return next()
+  return zipped(c, next)
+}

packages/opencode/src/server/proxy.ts

@@ -0,0 +1,149 @@
+import { Hono } from "hono"
+import type { UpgradeWebSocket } from "hono/ws"
+import * as Log from "@opencode-ai/core/util/log"
+import * as Fence from "./fence"
+import type { WorkspaceID } from "@/control-plane/schema"
+import { Workspace } from "@/control-plane/workspace"
+import { AppRuntime } from "@/effect/app-runtime"
+import { ProxyUtil } from "./proxy-util"
+import { Effect, Stream } from "effect"
+import { FetchHttpClient, HttpBody, HttpClient, HttpClientRequest } from "effect/unstable/http"
+
+type Msg = string | ArrayBuffer | Uint8Array
+
+function send(ws: { send(data: string | ArrayBuffer | Uint8Array): void }, data: any) {
+  if (data instanceof Blob) {
+    return data.arrayBuffer().then((x) => ws.send(x))
+  }
+  return ws.send(data)
+}
+
+const app = (upgrade: UpgradeWebSocket) =>
+  new Hono().get(
+    "/__workspace_ws",
+    upgrade((c) => {
+      const url = c.req.header("x-opencode-proxy-url")
+      const queue: Msg[] = []
+      let remote: WebSocket | undefined
+      return {
+        onOpen(_, ws) {
+          if (!url) {
+            ws.close(1011, "missing proxy target")
+            return
+          }
+          remote = new WebSocket(url, ProxyUtil.websocketProtocols(c.req.raw))
+          remote.binaryType = "arraybuffer"
+          remote.onopen = () => {
+            for (const item of queue) remote?.send(item)
+            queue.length = 0
+          }
+          remote.onmessage = (event) => {
+            void send(ws, event.data)
+          }
+          remote.onerror = () => {
+            ws.close(1011, "proxy error")
+          }
+          remote.onclose = (event) => {
+            ws.close(event.code, event.reason)
+          }
+        },
+        onMessage(event) {
+          const data = event.data
+          if (typeof data !== "string" && !(data instanceof Uint8Array) && !(data instanceof ArrayBuffer)) return
+          if (remote?.readyState === WebSocket.OPEN) {
+            remote.send(data)
+            return
+          }
+          queue.push(data)
+        },
+        onClose(event) {
+          remote?.close(event.code, event.reason)
+        },
+      }
+    }),
+  )
+
+const log = Log.create({ service: "server-proxy" })
+
+function statusText(response: unknown) {
+  return (response as { source?: Response }).source?.statusText
+}
+
+export function httpEffect(url: string | URL, extra: HeadersInit | undefined, req: Request, workspaceID: WorkspaceID) {
+  return Effect.gen(function* () {
+    const syncing = yield* Workspace.Service.use((workspace) => workspace.isSyncing(workspaceID))
+    if (!syncing) {
+      return new Response(`broken sync connection for workspace: ${workspaceID}`, {
+        status: 503,
+        headers: {
+          "content-type": "text/plain; charset=utf-8",
+        },
+      })
+    }
+
+    const response = yield* HttpClient.execute(
+      HttpClientRequest.make(req.method as never)(url, {
+        headers: ProxyUtil.headers(req, extra),
+        body:
+          req.method === "GET" || req.method === "HEAD"
+            ? HttpBody.empty
+            : HttpBody.raw(req.body, {
+                contentType: req.headers.get("content-type") ?? undefined,
+                contentLength: req.headers.get("content-length")
+                  ? Number(req.headers.get("content-length"))
+                  : undefined,
+              }),
+      }),
+    )
+    const next = new Headers(response.headers as HeadersInit)
+    const sync = Fence.parse(next)
+    next.delete("content-encoding")
+    next.delete("content-length")
+
+    if (sync) yield* Fence.waitEffect(workspaceID, sync, req.signal)
+    const body = yield* Stream.toReadableStreamEffect(response.stream.pipe(Stream.catchCause(() => Stream.empty)))
+    return new Response(body, {
+      status: response.status,
+      statusText: statusText(response),
+      headers: next,
+    })
+  }).pipe(
+    Effect.provide(FetchHttpClient.layer),
+    Effect.catch(() => Effect.succeed(new Response(null, { status: 500 }))),
+  )
+}
+
+export function http(url: string | URL, extra: HeadersInit | undefined, req: Request, workspaceID: WorkspaceID) {
+  return AppRuntime.runPromise(httpEffect(url, extra, req, workspaceID))
+}
+
+export function websocket(
+  upgrade: UpgradeWebSocket,
+  target: string | URL,
+  extra: HeadersInit | undefined,
+  req: Request,
+  env: unknown,
+) {
+  const proxy = new URL(req.url)
+  proxy.pathname = "/__workspace_ws"
+  proxy.search = ""
+  const next = new Headers(req.headers)
+  next.set("x-opencode-proxy-url", ProxyUtil.websocketTargetURL(target))
+  for (const [key, value] of new Headers(extra).entries()) {
+    next.set(key, value)
+  }
+  log.info("proxy websocket", {
+    request: req.url,
+    target: String(target),
+  })
+  return app(upgrade).fetch(
+    new Request(proxy, {
+      method: req.method,
+      headers: next,
+      signal: req.signal,
+    }),
+    env as never,
+  )
+}
+
+export * as ServerProxy from "./proxy"

packages/opencode/src/server/routes/control/index.ts

@@ -0,0 +1,160 @@
+import { Auth } from "@/auth"
+import { AppRuntime } from "@/effect/app-runtime"
+import * as Log from "@opencode-ai/core/util/log"
+import { Effect } from "effect"
+import { ProviderID } from "@/provider/schema"
+import { Hono } from "hono"
+import { describeRoute, resolver, validator, openAPIRouteHandler } from "hono-openapi"
+import z from "zod"
+import { errors } from "../../error"
+
+export function ControlPlaneRoutes(): Hono {
+  const app = new Hono()
+  return app
+    .put(
+      "/auth/:providerID",
+      describeRoute({
+        summary: "Set auth credentials",
+        description: "Set authentication credentials",
+        operationId: "auth.set",
+        responses: {
+          200: {
+            description: "Successfully set authentication credentials",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          providerID: ProviderID.zod,
+        }),
+      ),
+      validator("json", Auth.Info.zod),
+      async (c) => {
+        const providerID = c.req.valid("param").providerID
+        const info = c.req.valid("json")
+        await AppRuntime.runPromise(
+          Effect.gen(function* () {
+            const auth = yield* Auth.Service
+            yield* auth.set(providerID, info)
+          }),
+        )
+        return c.json(true)
+      },
+    )
+    .delete(
+      "/auth/:providerID",
+      describeRoute({
+        summary: "Remove auth credentials",
+        description: "Remove authentication credentials",
+        operationId: "auth.remove",
+        responses: {
+          200: {
+            description: "Successfully removed authentication credentials",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          providerID: ProviderID.zod,
+        }),
+      ),
+      async (c) => {
+        const providerID = c.req.valid("param").providerID
+        await AppRuntime.runPromise(
+          Effect.gen(function* () {
+            const auth = yield* Auth.Service
+            yield* auth.remove(providerID)
+          }),
+        )
+        return c.json(true)
+      },
+    )
+    .get(
+      "/doc",
+      openAPIRouteHandler(app, {
+        documentation: {
+          info: {
+            title: "opencode",
+            version: "0.0.3",
+            description: "opencode api",
+          },
+          openapi: "3.1.1",
+        },
+      }),
+    )
+    .use(
+      validator(
+        "query",
+        z.object({
+          directory: z.string().optional(),
+          workspace: z.string().optional(),
+        }),
+      ),
+    )
+    .post(
+      "/log",
+      describeRoute({
+        summary: "Write log",
+        description: "Write a log entry to the server logs with specified level and metadata.",
+        operationId: "app.log",
+        responses: {
+          200: {
+            description: "Log entry written successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "json",
+        z.object({
+          service: z.string().meta({ description: "Service name for the log entry" }),
+          level: z.enum(["debug", "info", "error", "warn"]).meta({ description: "Log level" }),
+          message: z.string().meta({ description: "Log message" }),
+          extra: z
+            .record(z.string(), z.any())
+            .optional()
+            .meta({ description: "Additional metadata for the log entry" }),
+        }),
+      ),
+      async (c) => {
+        const { service, level, message, extra } = c.req.valid("json")
+        const logger = Log.create({ service })
+
+        switch (level) {
+          case "debug":
+            logger.debug(message, extra)
+            break
+          case "info":
+            logger.info(message, extra)
+            break
+          case "error":
+            logger.error(message, extra)
+            break
+          case "warn":
+            logger.warn(message, extra)
+            break
+        }
+
+        return c.json(true)
+      },
+    )
+}

packages/opencode/src/server/routes/control/workspace.ts

@@ -0,0 +1,210 @@
+import { Hono } from "hono"
+import { describeRoute, resolver, validator } from "hono-openapi"
+import z from "zod"
+import { Effect } from "effect"
+import { listAdapters } from "@/control-plane/adapters"
+import { Workspace } from "@/control-plane/workspace"
+import { AppRuntime } from "@/effect/app-runtime"
+import { WorkspaceAdapterEntry } from "@/control-plane/types"
+import { zodObject } from "@/util/effect-zod"
+import { Instance } from "@/project/instance"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import * as Log from "@opencode-ai/core/util/log"
+import { errorData } from "@/util/error"
+
+const log = Log.create({ service: "server.workspace" })
+
+export const WorkspaceRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/adapter",
+      describeRoute({
+        summary: "List workspace adapters",
+        description: "List all available workspace adapters for the current project.",
+        operationId: "experimental.workspace.adapter.list",
+        responses: {
+          200: {
+            description: "Workspace adapters",
+            content: {
+              "application/json": {
+                schema: resolver(z.array(zodObject(WorkspaceAdapterEntry))),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json(await listAdapters(Instance.project.id))
+      },
+    )
+    .post(
+      "/",
+      describeRoute({
+        summary: "Create workspace",
+        description: "Create a workspace for the current project.",
+        operationId: "experimental.workspace.create",
+        responses: {
+          200: {
+            description: "Workspace created",
+            content: {
+              "application/json": {
+                schema: resolver(Workspace.Info.zod),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "json",
+        Workspace.CreateInput.zodObject.omit({
+          projectID: true,
+        }),
+      ),
+      async (c) => {
+        const body = c.req.valid("json") as Omit<Workspace.CreateInput, "projectID">
+        const workspace = await AppRuntime.runPromise(
+          Workspace.Service.use((svc) =>
+            svc.create({
+              projectID: Instance.project.id,
+              ...body,
+            }),
+          ),
+        )
+        return c.json(workspace)
+      },
+    )
+    .get(
+      "/",
+      describeRoute({
+        summary: "List workspaces",
+        description: "List all workspaces.",
+        operationId: "experimental.workspace.list",
+        responses: {
+          200: {
+            description: "Workspaces",
+            content: {
+              "application/json": {
+                schema: resolver(z.array(Workspace.Info.zod)),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json(await AppRuntime.runPromise(Workspace.Service.use((svc) => svc.list(Instance.project))))
+      },
+    )
+    .get(
+      "/status",
+      describeRoute({
+        summary: "Workspace status",
+        description: "Get connection status for workspaces in the current project.",
+        operationId: "experimental.workspace.status",
+        responses: {
+          200: {
+            description: "Workspace status",
+            content: {
+              "application/json": {
+                schema: resolver(z.array(zodObject(Workspace.ConnectionStatus))),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        const result = await AppRuntime.runPromise(
+          Workspace.Service.use((svc) => Effect.all([svc.list(Instance.project), svc.status()])),
+        )
+        const ids = new Set(result[0].map((item) => item.id))
+        return c.json(result[1].filter((item) => ids.has(item.workspaceID)))
+      },
+    )
+    .delete(
+      "/:id",
+      describeRoute({
+        summary: "Remove workspace",
+        description: "Remove an existing workspace.",
+        operationId: "experimental.workspace.remove",
+        responses: {
+          200: {
+            description: "Workspace removed",
+            content: {
+              "application/json": {
+                schema: resolver(Workspace.Info.zod.optional()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          id: zodObject(Workspace.Info).shape.id,
+        }),
+      ),
+      async (c) => {
+        const { id } = c.req.valid("param")
+        return c.json(await AppRuntime.runPromise(Workspace.Service.use((svc) => svc.remove(id))))
+      },
+    )
+    .post(
+      "/:id/session-restore",
+      describeRoute({
+        summary: "Restore session into workspace",
+        description: "Replay a session's sync events into the target workspace in batches.",
+        operationId: "experimental.workspace.sessionRestore",
+        responses: {
+          200: {
+            description: "Session replay started",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z.object({
+                    total: z.number().int().min(0),
+                  }),
+                ),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("param", z.object({ id: zodObject(Workspace.Info).shape.id })),
+      validator("json", Workspace.SessionRestoreInput.zodObject.omit({ workspaceID: true })),
+      async (c) => {
+        const { id } = c.req.valid("param")
+        const body = c.req.valid("json") as Omit<Workspace.SessionRestoreInput, "workspaceID">
+        log.info("session restore route requested", {
+          workspaceID: id,
+          sessionID: body.sessionID,
+          directory: Instance.directory,
+        })
+        try {
+          const result = await AppRuntime.runPromise(
+            Workspace.Service.use((svc) =>
+              svc.sessionRestore({
+                workspaceID: id,
+                ...body,
+              }),
+            ),
+          )
+          log.info("session restore route complete", {
+            workspaceID: id,
+            sessionID: body.sessionID,
+            total: result.total,
+          })
+          return c.json(result)
+        } catch (err) {
+          log.error("session restore route failed", {
+            workspaceID: id,
+            sessionID: body.sessionID,
+            error: errorData(err),
+          })
+          throw err
+        }
+      },
+    ),
+)

packages/opencode/src/server/routes/global.ts

@@ -0,0 +1,286 @@
+import { Hono, type Context } from "hono"
+import { describeRoute, resolver, validator } from "hono-openapi"
+import { streamSSE } from "hono/streaming"
+import { Effect } from "effect"
+import z from "zod"
+import { BusEvent } from "@/bus/bus-event"
+import { SyncEvent } from "@/sync"
+import { GlobalBus } from "@/bus/global"
+import { Bus } from "@/bus"
+import { AppRuntime } from "@/effect/app-runtime"
+import { AsyncQueue } from "@/util/queue"
+import { Installation } from "@/installation"
+import { InstallationVersion } from "@opencode-ai/core/installation/version"
+import * as Log from "@opencode-ai/core/util/log"
+import { lazy } from "../../util/lazy"
+import { Config } from "@/config/config"
+import { errors } from "../error"
+import { disposeAllInstancesAndEmitGlobalDisposed } from "../global-lifecycle"
+
+const log = Log.create({ service: "server" })
+
+async function streamEvents(c: Context, subscribe: (q: AsyncQueue<string | null>) => () => void) {
+  return streamSSE(c, async (stream) => {
+    const q = new AsyncQueue<string | null>()
+    let done = false
+
+    q.push(
+      JSON.stringify({
+        payload: {
+          id: Bus.createID(),
+          type: "server.connected",
+          properties: {},
+        },
+      }),
+    )
+
+    // Send heartbeat every 10s to prevent stalled proxy streams.
+    const heartbeat = setInterval(() => {
+      q.push(
+        JSON.stringify({
+          payload: {
+            id: Bus.createID(),
+            type: "server.heartbeat",
+            properties: {},
+          },
+        }),
+      )
+    }, 10_000)
+
+    const stop = () => {
+      if (done) return
+      done = true
+      clearInterval(heartbeat)
+      unsub()
+      q.push(null)
+      log.info("global event disconnected")
+    }
+
+    const unsub = subscribe(q)
+
+    stream.onAbort(stop)
+
+    try {
+      for await (const data of q) {
+        if (data === null) return
+        await stream.writeSSE({ data })
+      }
+    } finally {
+      stop()
+    }
+  })
+}
+
+export const GlobalRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/health",
+      describeRoute({
+        summary: "Get health",
+        description: "Get health information about the OpenCode server.",
+        operationId: "global.health",
+        responses: {
+          200: {
+            description: "Health information",
+            content: {
+              "application/json": {
+                schema: resolver(z.object({ healthy: z.literal(true), version: z.string() })),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json({ healthy: true, version: InstallationVersion })
+      },
+    )
+    .get(
+      "/event",
+      describeRoute({
+        summary: "Get global events",
+        description: "Subscribe to global events from the OpenCode system using server-sent events.",
+        operationId: "global.event",
+        responses: {
+          200: {
+            description: "Event stream",
+            content: {
+              "text/event-stream": {
+                schema: resolver(
+                  z
+                    .object({
+                      directory: z.string(),
+                      project: z.string().optional(),
+                      workspace: z.string().optional(),
+                      payload: z.union([...BusEvent.payloads(), ...SyncEvent.payloads()]),
+                    })
+                    .meta({
+                      ref: "GlobalEvent",
+                    }),
+                ),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        log.info("global event connected")
+        c.header("Cache-Control", "no-cache, no-transform")
+        c.header("X-Accel-Buffering", "no")
+        c.header("X-Content-Type-Options", "nosniff")
+
+        return streamEvents(c, (q) => {
+          async function handler(event: any) {
+            q.push(JSON.stringify(event))
+          }
+          GlobalBus.on("event", handler)
+          return () => GlobalBus.off("event", handler)
+        })
+      },
+    )
+    .get(
+      "/config",
+      describeRoute({
+        summary: "Get global configuration",
+        description: "Retrieve the current global OpenCode configuration settings and preferences.",
+        operationId: "global.config.get",
+        responses: {
+          200: {
+            description: "Get global config info",
+            content: {
+              "application/json": {
+                schema: resolver(Config.Info.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json(await AppRuntime.runPromise(Config.Service.use((cfg) => cfg.getGlobal())))
+      },
+    )
+    .patch(
+      "/config",
+      describeRoute({
+        summary: "Update global configuration",
+        description: "Update global OpenCode configuration settings and preferences.",
+        operationId: "global.config.update",
+        responses: {
+          200: {
+            description: "Successfully updated global config",
+            content: {
+              "application/json": {
+                schema: resolver(Config.Info.zod),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", Config.Info.zod),
+      async (c) => {
+        const config = c.req.valid("json")
+        const result = await AppRuntime.runPromise(Config.Service.use((cfg) => cfg.updateGlobal(config)))
+        if (result.changed) {
+          void AppRuntime.runPromise(disposeAllInstancesAndEmitGlobalDisposed({ swallowErrors: true })).catch(
+            () => undefined,
+          )
+        }
+        return c.json(result.info)
+      },
+    )
+    .post(
+      "/dispose",
+      describeRoute({
+        summary: "Dispose instance",
+        description: "Clean up and dispose all OpenCode instances, releasing all resources.",
+        operationId: "global.dispose",
+        responses: {
+          200: {
+            description: "Global disposed",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        await AppRuntime.runPromise(disposeAllInstancesAndEmitGlobalDisposed())
+        return c.json(true)
+      },
+    )
+    .post(
+      "/upgrade",
+      describeRoute({
+        summary: "Upgrade opencode",
+        description: "Upgrade opencode to the specified version or latest if not specified.",
+        operationId: "global.upgrade",
+        responses: {
+          200: {
+            description: "Upgrade result",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z.union([
+                    z.object({
+                      success: z.literal(true),
+                      version: z.string(),
+                    }),
+                    z.object({
+                      success: z.literal(false),
+                      error: z.string(),
+                    }),
+                  ]),
+                ),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "json",
+        z.object({
+          target: z.string().optional(),
+        }),
+      ),
+      async (c) => {
+        const result = await AppRuntime.runPromise(
+          Installation.Service.use((svc) =>
+            Effect.gen(function* () {
+              const method = yield* svc.method()
+              if (method === "unknown") {
+                return { success: false as const, status: 400 as const, error: "Unknown installation method" }
+              }
+
+              const target = c.req.valid("json").target || (yield* svc.latest(method))
+              const result = yield* Effect.catch(
+                svc.upgrade(method, target).pipe(Effect.as({ success: true as const, version: target })),
+                (err) =>
+                  Effect.succeed({
+                    success: false as const,
+                    status: 500 as const,
+                    error: err instanceof Error ? err.message : String(err),
+                  }),
+              )
+              if (!result.success) return result
+              return { ...result, status: 200 as const }
+            }),
+          ),
+        )
+        if (!result.success) {
+          return c.json({ success: false, error: result.error }, result.status)
+        }
+        const target = result.version
+        GlobalBus.emit("event", {
+          directory: "global",
+          payload: {
+            type: Installation.Event.Updated.type,
+            properties: { version: target },
+          },
+        })
+        return c.json({ success: true, version: target })
+      },
+    ),
+)

packages/opencode/src/server/routes/instance/config.ts

@@ -0,0 +1,109 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import { Config } from "@/config/config"
+import { InstanceState } from "@/effect/instance-state"
+import { InstanceStore } from "@/project/instance-store"
+import { Provider } from "@/provider/provider"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { jsonRequest, runRequest } from "./trace"
+import { Effect } from "effect"
+import * as Log from "@opencode-ai/core/util/log"
+
+const log = Log.create({ service: "server.config" })
+
+export const ConfigRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/",
+      describeRoute({
+        summary: "Get configuration",
+        description: "Retrieve the current OpenCode configuration settings and preferences.",
+        operationId: "config.get",
+        responses: {
+          200: {
+            description: "Get config info",
+            content: {
+              "application/json": {
+                schema: resolver(Config.Info.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ConfigRoutes.get", c, function* () {
+          const cfg = yield* Config.Service
+          return yield* cfg.get()
+        }),
+    )
+    .patch(
+      "/",
+      describeRoute({
+        summary: "Update configuration",
+        description: "Update OpenCode configuration settings and preferences.",
+        operationId: "config.update",
+        responses: {
+          200: {
+            description: "Successfully updated config",
+            content: {
+              "application/json": {
+                schema: resolver(Config.Info.zod),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", Config.Info.zod),
+      async (c) => {
+        const result = await runRequest(
+          "ConfigRoutes.update",
+          c,
+          Effect.gen(function* () {
+            const config = c.req.valid("json")
+            const cfg = yield* Config.Service
+            yield* cfg.update(config)
+            return { config, ctx: yield* InstanceState.context }
+          }),
+        )
+        const response = c.json(result.config)
+        void runRequest(
+          "ConfigRoutes.update.dispose",
+          c,
+          InstanceStore.Service.use((store) => store.dispose(result.ctx)).pipe(
+            Effect.uninterruptible,
+            Effect.catchCause((cause) => Effect.sync(() => log.warn("instance disposal failed", { cause }))),
+          ),
+        )
+        return response
+      },
+    )
+    .get(
+      "/providers",
+      describeRoute({
+        summary: "List config providers",
+        description: "Get a list of all configured AI providers and their default models.",
+        operationId: "config.providers",
+        responses: {
+          200: {
+            description: "List of providers",
+            content: {
+              "application/json": {
+                schema: resolver(Provider.ConfigProvidersResult.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ConfigRoutes.providers", c, function* () {
+          const svc = yield* Provider.Service
+          const providers = yield* svc.list()
+          return {
+            providers: Object.values(providers),
+            default: Provider.defaultModelIDs(providers),
+          }
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/event.ts

@@ -0,0 +1,90 @@
+import z from "zod"
+import { Hono } from "hono"
+import { describeRoute, resolver } from "hono-openapi"
+import { streamSSE } from "hono/streaming"
+import * as Log from "@opencode-ai/core/util/log"
+import { BusEvent } from "@/bus/bus-event"
+import { Bus } from "@/bus"
+import { AsyncQueue } from "@/util/queue"
+
+const log = Log.create({ service: "server" })
+
+export const EventRoutes = () =>
+  new Hono().get(
+    "/event",
+    describeRoute({
+      summary: "Subscribe to events",
+      description: "Get events",
+      operationId: "event.subscribe",
+      responses: {
+        200: {
+          description: "Event stream",
+          content: {
+            "text/event-stream": {
+              schema: resolver(
+                z.union(BusEvent.payloads()).meta({
+                  ref: "Event",
+                }),
+              ),
+            },
+          },
+        },
+      },
+    }),
+    async (c) => {
+      log.info("event connected")
+      c.header("Cache-Control", "no-cache, no-transform")
+      c.header("X-Accel-Buffering", "no")
+      c.header("X-Content-Type-Options", "nosniff")
+      return streamSSE(c, async (stream) => {
+        const q = new AsyncQueue<string | null>()
+        let done = false
+
+        q.push(
+          JSON.stringify({
+            id: Bus.createID(),
+            type: "server.connected",
+            properties: {},
+          }),
+        )
+
+        // Send heartbeat every 10s to prevent stalled proxy streams.
+        const heartbeat = setInterval(() => {
+          q.push(
+            JSON.stringify({
+              id: Bus.createID(),
+              type: "server.heartbeat",
+              properties: {},
+            }),
+          )
+        }, 10_000)
+
+        const stop = () => {
+          if (done) return
+          done = true
+          clearInterval(heartbeat)
+          unsub()
+          q.push(null)
+          log.info("event disconnected")
+        }
+
+        const unsub = Bus.subscribeAll((event) => {
+          q.push(JSON.stringify(event))
+          if (event.type === Bus.InstanceDisposed.type) {
+            stop()
+          }
+        })
+
+        stream.onAbort(stop)
+
+        try {
+          for await (const data of q) {
+            if (data === null) return
+            await stream.writeSSE({ data })
+          }
+        } finally {
+          stop()
+        }
+      })
+    },
+  )

packages/opencode/src/server/routes/instance/experimental.ts

@@ -0,0 +1,419 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import z from "zod"
+import * as EffectZod from "@/util/effect-zod"
+import { ProviderID, ModelID } from "@/provider/schema"
+import { ToolRegistry } from "@/tool/registry"
+import { Worktree } from "@/worktree"
+import { Instance } from "@/project/instance"
+import { Project } from "@/project/project"
+import { MCP } from "@/mcp"
+import { Session } from "@/session/session"
+import { Config } from "@/config/config"
+import { ConsoleState } from "@/config/console-state"
+import { Account } from "@/account/account"
+import { AccountID, OrgID } from "@/account/schema"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { Effect, Option } from "effect"
+import { Agent } from "@/agent/agent"
+import { jsonRequest, runRequest } from "./trace"
+
+const ConsoleOrgOption = z.object({
+  accountID: z.string(),
+  accountEmail: z.string(),
+  accountUrl: z.string(),
+  orgID: z.string(),
+  orgName: z.string(),
+  active: z.boolean(),
+})
+
+const ConsoleOrgList = z.object({
+  orgs: z.array(ConsoleOrgOption),
+})
+
+const ConsoleSwitchBody = z.object({
+  accountID: z.string(),
+  orgID: z.string(),
+})
+
+const QueryBoolean = z.union([
+  z.preprocess((value) => (value === "true" ? true : value === "false" ? false : value), z.boolean()),
+  z.enum(["true", "false"]),
+])
+
+function queryBoolean(value: z.infer<typeof QueryBoolean> | undefined) {
+  if (value === undefined) return
+  return value === true || value === "true"
+}
+
+export const ExperimentalRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/console",
+      describeRoute({
+        summary: "Get active Console provider metadata",
+        description: "Get the active Console org name and the set of provider IDs managed by that Console org.",
+        operationId: "experimental.console.get",
+        responses: {
+          200: {
+            description: "Active Console provider metadata",
+            content: {
+              "application/json": {
+                schema: resolver(ConsoleState.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.console.get", c, function* () {
+          const config = yield* Config.Service
+          const account = yield* Account.Service
+          const [state, groups] = yield* Effect.all([config.getConsoleState(), account.orgsByAccount()], {
+            concurrency: "unbounded",
+          })
+          return {
+            ...state,
+            switchableOrgCount: groups.reduce((count, group) => count + group.orgs.length, 0),
+          }
+        }),
+    )
+    .get(
+      "/console/orgs",
+      describeRoute({
+        summary: "List switchable Console orgs",
+        description: "Get the available Console orgs across logged-in accounts, including the current active org.",
+        operationId: "experimental.console.listOrgs",
+        responses: {
+          200: {
+            description: "Switchable Console orgs",
+            content: {
+              "application/json": {
+                schema: resolver(ConsoleOrgList),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.console.listOrgs", c, function* () {
+          const account = yield* Account.Service
+          const [groups, active] = yield* Effect.all([account.orgsByAccount(), account.active()], {
+            concurrency: "unbounded",
+          })
+          const info = Option.getOrUndefined(active)
+          const orgs = groups.flatMap((group) =>
+            group.orgs.map((org) => ({
+              accountID: group.account.id,
+              accountEmail: group.account.email,
+              accountUrl: group.account.url,
+              orgID: org.id,
+              orgName: org.name,
+              active: !!info && info.id === group.account.id && info.active_org_id === org.id,
+            })),
+          )
+          return { orgs }
+        }),
+    )
+    .post(
+      "/console/switch",
+      describeRoute({
+        summary: "Switch active Console org",
+        description: "Persist a new active Console account/org selection for the current local OpenCode state.",
+        operationId: "experimental.console.switchOrg",
+        responses: {
+          200: {
+            description: "Switch success",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+        },
+      }),
+      validator("json", ConsoleSwitchBody),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.console.switchOrg", c, function* () {
+          const body = c.req.valid("json")
+          const account = yield* Account.Service
+          yield* account.use(AccountID.make(body.accountID), Option.some(OrgID.make(body.orgID)))
+          return true
+        }),
+    )
+    .get(
+      "/tool/ids",
+      describeRoute({
+        summary: "List tool IDs",
+        description:
+          "Get a list of all available tool IDs, including both built-in tools and dynamically registered tools.",
+        operationId: "tool.ids",
+        responses: {
+          200: {
+            description: "Tool IDs",
+            content: {
+              "application/json": {
+                schema: resolver(z.array(z.string()).meta({ ref: "ToolIDs" })),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.tool.ids", c, function* () {
+          const registry = yield* ToolRegistry.Service
+          return yield* registry.ids()
+        }),
+    )
+    .get(
+      "/tool",
+      describeRoute({
+        summary: "List tools",
+        description:
+          "Get a list of available tools with their JSON schema parameters for a specific provider and model combination.",
+        operationId: "tool.list",
+        responses: {
+          200: {
+            description: "Tools",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z
+                    .array(
+                      z
+                        .object({
+                          id: z.string(),
+                          description: z.string(),
+                          parameters: z.any(),
+                        })
+                        .meta({ ref: "ToolListItem" }),
+                    )
+                    .meta({ ref: "ToolList" }),
+                ),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          provider: z.string(),
+          model: z.string(),
+        }),
+      ),
+      async (c) => {
+        const { provider, model } = c.req.valid("query")
+        const tools = await runRequest(
+          "ExperimentalRoutes.tool.list",
+          c,
+          Effect.gen(function* () {
+            const agents = yield* Agent.Service
+            const registry = yield* ToolRegistry.Service
+            return yield* registry.tools({
+              providerID: ProviderID.make(provider),
+              modelID: ModelID.make(model),
+              agent: yield* agents.get(yield* agents.defaultAgent()),
+            })
+          }),
+        )
+        return c.json(
+          tools.map((t) => ({
+            id: t.id,
+            description: t.description,
+            parameters: EffectZod.toJsonSchema(t.parameters),
+          })),
+        )
+      },
+    )
+    .post(
+      "/worktree",
+      describeRoute({
+        summary: "Create worktree",
+        description: "Create a new git worktree for the current project and run any configured startup scripts.",
+        operationId: "worktree.create",
+        responses: {
+          200: {
+            description: "Worktree created",
+            content: {
+              "application/json": {
+                schema: resolver(Worktree.Info.zod),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", Worktree.CreateInput.zod.optional()),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.worktree.create", c, function* () {
+          const body = c.req.valid("json")
+          const svc = yield* Worktree.Service
+          return yield* svc.create(body)
+        }),
+    )
+    .get(
+      "/worktree",
+      describeRoute({
+        summary: "List worktrees",
+        description: "List all sandbox worktrees for the current project.",
+        operationId: "worktree.list",
+        responses: {
+          200: {
+            description: "List of worktree directories",
+            content: {
+              "application/json": {
+                schema: resolver(z.array(z.string())),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.worktree.list", c, function* () {
+          const svc = yield* Project.Service
+          return yield* svc.sandboxes(Instance.project.id)
+        }),
+    )
+    .delete(
+      "/worktree",
+      describeRoute({
+        summary: "Remove worktree",
+        description: "Remove a git worktree and delete its branch.",
+        operationId: "worktree.remove",
+        responses: {
+          200: {
+            description: "Worktree removed",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", Worktree.RemoveInput.zod),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.worktree.remove", c, function* () {
+          const body = c.req.valid("json")
+          const worktree = yield* Worktree.Service
+          const project = yield* Project.Service
+          yield* worktree.remove(body)
+          yield* project.removeSandbox(Instance.project.id, body.directory)
+          return true
+        }),
+    )
+    .post(
+      "/worktree/reset",
+      describeRoute({
+        summary: "Reset worktree",
+        description: "Reset a worktree branch to the primary default branch.",
+        operationId: "worktree.reset",
+        responses: {
+          200: {
+            description: "Worktree reset",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", Worktree.ResetInput.zod),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.worktree.reset", c, function* () {
+          const body = c.req.valid("json")
+          const svc = yield* Worktree.Service
+          yield* svc.reset(body)
+          return true
+        }),
+    )
+    .get(
+      "/session",
+      describeRoute({
+        summary: "List sessions",
+        description:
+          "Get a list of all OpenCode sessions across projects, sorted by most recently updated. Archived sessions are excluded by default.",
+        operationId: "experimental.session.list",
+        responses: {
+          200: {
+            description: "List of sessions",
+            content: {
+              "application/json": {
+                schema: resolver(Session.GlobalInfo.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          directory: z.string().optional().meta({ description: "Filter sessions by project directory" }),
+          roots: QueryBoolean.optional().meta({ description: "Only return root sessions (no parentID)" }),
+          start: z.coerce
+            .number()
+            .optional()
+            .meta({ description: "Filter sessions updated on or after this timestamp (milliseconds since epoch)" }),
+          cursor: z.coerce
+            .number()
+            .optional()
+            .meta({ description: "Return sessions updated before this timestamp (milliseconds since epoch)" }),
+          search: z.string().optional().meta({ description: "Filter sessions by title (case-insensitive)" }),
+          limit: z.coerce.number().optional().meta({ description: "Maximum number of sessions to return" }),
+          archived: QueryBoolean.optional().meta({ description: "Include archived sessions (default false)" }),
+        }),
+      ),
+      async (c) => {
+        const query = c.req.valid("query")
+        const limit = query.limit ?? 100
+        const sessions: Session.GlobalInfo[] = []
+        for await (const session of Session.listGlobal({
+          directory: query.directory,
+          roots: queryBoolean(query.roots),
+          start: query.start,
+          cursor: query.cursor,
+          search: query.search,
+          limit: limit + 1,
+          archived: queryBoolean(query.archived),
+        })) {
+          sessions.push(session)
+        }
+        const hasMore = sessions.length > limit
+        const list = hasMore ? sessions.slice(0, limit) : sessions
+        if (hasMore && list.length > 0) {
+          c.header("x-next-cursor", String(list[list.length - 1].time.updated))
+        }
+        return c.json(list)
+      },
+    )
+    .get(
+      "/resource",
+      describeRoute({
+        summary: "Get MCP resources",
+        description: "Get all available MCP resources from connected servers. Optionally filter by name.",
+        operationId: "experimental.resource.list",
+        responses: {
+          200: {
+            description: "MCP resources",
+            content: {
+              "application/json": {
+                schema: resolver(z.record(z.string(), MCP.Resource.zod)),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ExperimentalRoutes.resource.list", c, function* () {
+          const mcp = yield* MCP.Service
+          return yield* mcp.resources()
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/file.ts

@@ -0,0 +1,190 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import z from "zod"
+import { File } from "@/file"
+import { Ripgrep } from "@/file/ripgrep"
+import { LSP } from "@/lsp/lsp"
+import { Instance } from "@/project/instance"
+import { lazy } from "@/util/lazy"
+import { jsonRequest } from "./trace"
+
+export const FileRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/find",
+      describeRoute({
+        summary: "Find text",
+        description: "Search for text patterns across files in the project using ripgrep.",
+        operationId: "find.text",
+        responses: {
+          200: {
+            description: "Matches",
+            content: {
+              "application/json": {
+                schema: resolver(Ripgrep.SearchMatch.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          pattern: z.string(),
+        }),
+      ),
+      async (c) =>
+        jsonRequest("FileRoutes.findText", c, function* () {
+          const pattern = c.req.valid("query").pattern
+          const svc = yield* Ripgrep.Service
+          const result = yield* svc.search({ cwd: Instance.directory, pattern, limit: 10 })
+          return result.items
+        }),
+    )
+    .get(
+      "/find/file",
+      describeRoute({
+        summary: "Find files",
+        description: "Search for files or directories by name or pattern in the project directory.",
+        operationId: "find.files",
+        responses: {
+          200: {
+            description: "File paths",
+            content: {
+              "application/json": {
+                schema: resolver(z.string().array()),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          query: z.string(),
+          dirs: z.enum(["true", "false"]).optional(),
+          type: z.enum(["file", "directory"]).optional(),
+          limit: z.coerce.number().int().min(1).max(200).optional(),
+        }),
+      ),
+      async (c) =>
+        jsonRequest("FileRoutes.findFile", c, function* () {
+          const query = c.req.valid("query")
+          const svc = yield* File.Service
+          return yield* svc.search({
+            query: query.query,
+            limit: query.limit ?? 10,
+            dirs: query.dirs !== "false",
+            type: query.type,
+          })
+        }),
+    )
+    .get(
+      "/find/symbol",
+      describeRoute({
+        summary: "Find symbols",
+        description: "Search for workspace symbols like functions, classes, and variables using LSP.",
+        operationId: "find.symbols",
+        responses: {
+          200: {
+            description: "Symbols",
+            content: {
+              "application/json": {
+                schema: resolver(LSP.Symbol.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          query: z.string(),
+        }),
+      ),
+      async (c) => {
+        return c.json([])
+      },
+    )
+    .get(
+      "/file",
+      describeRoute({
+        summary: "List files",
+        description: "List files and directories in a specified path.",
+        operationId: "file.list",
+        responses: {
+          200: {
+            description: "Files and directories",
+            content: {
+              "application/json": {
+                schema: resolver(File.Node.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          path: z.string(),
+        }),
+      ),
+      async (c) =>
+        jsonRequest("FileRoutes.list", c, function* () {
+          const svc = yield* File.Service
+          return yield* svc.list(c.req.valid("query").path)
+        }),
+    )
+    .get(
+      "/file/content",
+      describeRoute({
+        summary: "Read file",
+        description: "Read the content of a specified file.",
+        operationId: "file.read",
+        responses: {
+          200: {
+            description: "File content",
+            content: {
+              "application/json": {
+                schema: resolver(File.Content.zod),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          path: z.string(),
+        }),
+      ),
+      async (c) =>
+        jsonRequest("FileRoutes.read", c, function* () {
+          const svc = yield* File.Service
+          return yield* svc.read(c.req.valid("query").path)
+        }),
+    )
+    .get(
+      "/file/status",
+      describeRoute({
+        summary: "Get file status",
+        description: "Get the git status of all files in the project.",
+        operationId: "file.status",
+        responses: {
+          200: {
+            description: "File status",
+            content: {
+              "application/json": {
+                schema: resolver(File.Info.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("FileRoutes.status", c, function* () {
+          const svc = yield* File.Service
+          return yield* svc.status()
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/httpapi/groups/pty.ts

@@ -1,5 +1,4 @@
 import { Pty } from "@/pty"
-import { PtyTicket } from "@/pty/ticket"
 import { PtyID } from "@/pty/schema"
 import { Schema } from "effect"
 import { HttpApi, HttpApiEndpoint, HttpApiError, HttpApiGroup, OpenApi } from "effect/unstable/httpapi"
@@ -24,7 +23,6 @@ export const PtyPaths = {
   get: `${root}/:ptyID`,
   update: `${root}/:ptyID`,
   remove: `${root}/:ptyID`,
-  connectToken: `${root}/:ptyID/connect-token`,
   connect: `${root}/:ptyID/connect`,
 } as const
 
@@ -95,17 +93,6 @@ export const PtyApi = HttpApi.make("pty")
             description: "Remove and terminate a specific pseudo-terminal (PTY) session.",
           }),
         ),
-        HttpApiEndpoint.post("connectToken", PtyPaths.connectToken, {
-          params: { ptyID: PtyID },
-          success: described(PtyTicket.ConnectToken, "WebSocket connect token"),
-          error: [HttpApiError.Forbidden, HttpApiError.NotFound],
-        }).annotateMerge(
-          OpenApi.annotations({
-            identifier: "pty.connectToken",
-            summary: "Create PTY WebSocket token",
-            description: "Create a short-lived ticket for opening a PTY WebSocket connection.",
-          }),
-        ),
       )
       .annotateMerge(OpenApi.annotations({ title: "pty", description: "Experimental HttpApi PTY routes." }))
       .middleware(InstanceContextMiddleware)
@@ -126,7 +113,7 @@ export const PtyConnectApi = HttpApi.make("pty-connect").add(
       HttpApiEndpoint.get("connect", PtyPaths.connect, {
         params: Params,
         success: described(Schema.Boolean, "Connected session"),
-        error: [HttpApiError.Forbidden, HttpApiError.NotFound],
+        error: HttpApiError.NotFound,
       }).annotateMerge(
         OpenApi.annotations({
           identifier: "pty.connect",

packages/opencode/src/server/routes/instance/httpapi/handlers/pty.ts

@@ -1,32 +1,17 @@
 import { Pty } from "@/pty"
 import { PtyID } from "@/pty/schema"
-import { PtyTicket } from "@/pty/ticket"
 import { handlePtyInput } from "@/pty/input"
 import { Shell } from "@/shell/shell"
-import { EffectBridge } from "@/effect/bridge"
-import { CorsConfig, isAllowedRequestOrigin, type CorsOptions } from "@/server/cors"
-import {
-  PTY_CONNECT_TICKET_QUERY,
-  PTY_CONNECT_TOKEN_HEADER,
-  PTY_CONNECT_TOKEN_HEADER_VALUE,
-} from "@/server/shared/pty-ticket"
 import { Effect } from "effect"
 import { HttpRouter, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"
 import { HttpApiBuilder, HttpApiError } from "effect/unstable/httpapi"
 import * as Socket from "effect/unstable/socket/Socket"
 import { InstanceHttpApi } from "../api"
 import { CursorQuery, Params, PtyPaths } from "../groups/pty"
-import { WebSocketTracker } from "../websocket-tracker"
-
-function validOrigin(request: HttpServerRequest.HttpServerRequest, opts: CorsOptions | undefined) {
-  return isAllowedRequestOrigin(request.headers.origin, request.headers.host, opts)
-}
 
 export const ptyHandlers = HttpApiBuilder.group(InstanceHttpApi, "pty", (handlers) =>
   Effect.gen(function* () {
     const pty = yield* Pty.Service
-    const tickets = yield* PtyTicket.Service
-    const cors = yield* CorsConfig
 
     const shells = Effect.fn("PtyHttpApi.shells")(function* () {
       return yield* Effect.promise(() => Shell.list())
@@ -67,14 +52,6 @@ export const ptyHandlers = HttpApiBuilder.group(InstanceHttpApi, "pty", (handler
       return true
     })
 
-    const connectToken = Effect.fn("PtyHttpApi.connectToken")(function* (ctx: { params: { ptyID: PtyID } }) {
-      const request = yield* HttpServerRequest.HttpServerRequest
-      if (request.headers[PTY_CONNECT_TOKEN_HEADER] !== PTY_CONNECT_TOKEN_HEADER_VALUE || !validOrigin(request, cors))
-        return yield* new HttpApiError.Forbidden({})
-      if (!(yield* pty.get(ctx.params.ptyID))) return yield* new HttpApiError.NotFound({})
-      return yield* tickets.issue({ ptyID: ctx.params.ptyID, ...(yield* PtyTicket.scope) })
-    })
-
     return handlers
       .handle("shells", shells)
       .handle("list", list)
@@ -82,15 +59,12 @@ export const ptyHandlers = HttpApiBuilder.group(InstanceHttpApi, "pty", (handler
       .handle("get", get)
       .handle("update", update)
       .handle("remove", remove)
-      .handle("connectToken", connectToken)
   }),
 )
 
 export const ptyConnectRoute = HttpRouter.use((router) =>
   Effect.gen(function* () {
     const pty = yield* Pty.Service
-    const tickets = yield* PtyTicket.Service
-    const cors = yield* CorsConfig
     yield* router.add(
       "GET",
       PtyPaths.connect,
@@ -99,37 +73,16 @@ export const ptyConnectRoute = HttpRouter.use((router) =>
         if (!(yield* pty.get(params.ptyID))) return HttpServerResponse.empty({ status: 404 })
 
         const query = yield* HttpServerRequest.schemaSearchParams(CursorQuery)
-        const request = yield* HttpServerRequest.HttpServerRequest
-        const ticket = new URL(request.url, "http://localhost").searchParams.get(PTY_CONNECT_TICKET_QUERY)
-        if (ticket) {
-          const valid = validOrigin(request, cors)
-            ? yield* tickets.consume({ ticket, ptyID: params.ptyID, ...(yield* PtyTicket.scope) })
-            : false
-          if (!valid) return HttpServerResponse.empty({ status: 403 })
-        }
         const parsedCursor = query.cursor === undefined ? undefined : Number(query.cursor)
         const cursor =
           parsedCursor !== undefined && Number.isSafeInteger(parsedCursor) && parsedCursor >= -1
             ? parsedCursor
             : undefined
-        const socket = yield* Effect.orDie(request.upgrade)
+        const socket = yield* Effect.orDie((yield* HttpServerRequest.HttpServerRequest).upgrade)
         const write = yield* socket.writer
-        const closeAccepted = (event: Socket.CloseEvent) =>
-          socket
-            .runRaw(() => Effect.void, { onOpen: write(event).pipe(Effect.catch(() => Effect.void)) })
-            .pipe(
-              Effect.timeout("1 second"),
-              Effect.catchReason("SocketError", "SocketCloseError", () => Effect.void),
-              Effect.catch(() => Effect.void),
-            )
-        const registered = yield* WebSocketTracker.register(write(WebSocketTracker.SERVER_CLOSING_EVENT()))
-        if (!registered) {
-          yield* closeAccepted(WebSocketTracker.SERVER_CLOSING_EVENT())
-          return HttpServerResponse.empty()
-        }
-        const bridge = yield* EffectBridge.make()
+        const services = yield* Effect.context()
         const writeScoped = (effect: Effect.Effect<void, unknown>) => {
-          bridge.fork(effect.pipe(Effect.catch(() => Effect.void)))
+          Effect.runForkWith(services)(effect.pipe(Effect.catch(() => Effect.void)))
         }
         let closed = false
         const adapter = {
@@ -147,10 +100,7 @@ export const ptyConnectRoute = HttpRouter.use((router) =>
           },
         }
         const handler = yield* pty.connect(params.ptyID, adapter, cursor)
-        if (!handler) {
-          yield* closeAccepted(new Socket.CloseEvent(4404, "session not found"))
-          return HttpServerResponse.empty()
-        }
+        if (!handler) return HttpServerResponse.empty()
 
         yield* socket
           .runRaw((message) => handlePtyInput(handler, message))

packages/opencode/src/server/routes/instance/httpapi/handlers/tui.ts

@@ -5,7 +5,7 @@ import * as Database from "@/storage/db"
 import { eq } from "drizzle-orm"
 import { Effect } from "effect"
 import { HttpApiBuilder, HttpApiError } from "effect/unstable/httpapi"
-import { nextTuiRequest, submitTuiResponse } from "@/server/shared/tui-control"
+import { nextTuiRequest, submitTuiResponse } from "../../tui"
 import { InstanceHttpApi } from "../api"
 import { CommandPayload, TuiPublishPayload } from "../groups/tui"
 

packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts

@@ -1,52 +1,71 @@
-import { ServerAuth } from "@/server/auth"
-import { Effect, Encoding, Layer, Redacted } from "effect"
+import { ConfigService } from "@/effect/config-service"
+import { Config, Context, Effect, Encoding, Layer, Option, Redacted } from "effect"
 import { HttpRouter, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"
-import { HttpApiError, HttpApiMiddleware } from "effect/unstable/httpapi"
-import { hasPtyConnectTicketURL } from "@/server/shared/pty-ticket"
-import { isPublicUIPath } from "@/server/shared/public-ui"
+import { HttpApiError, HttpApiMiddleware, HttpApiSecurity } from "effect/unstable/httpapi"
 
 const AUTH_TOKEN_QUERY = "auth_token"
 const UNAUTHORIZED = 401
-const WWW_AUTHENTICATE = 'Basic realm="Secure Area"'
 
-// Avoid HttpApiSecurity alternatives here: Effect security middleware wraps the
-// full handler, so a downstream failure can make the next auth alternative run
-// and remap an authorized NotFound into Unauthorized.
 export class Authorization extends HttpApiMiddleware.Service<Authorization>()(
   "@opencode/ExperimentalHttpApiAuthorization",
   {
     error: HttpApiError.UnauthorizedNoContent,
+    security: {
+      basic: HttpApiSecurity.basic,
+      authToken: HttpApiSecurity.apiKey({ in: "query", key: AUTH_TOKEN_QUERY }),
+    },
   },
 ) {}
 
-function emptyCredential() {
-  return {
-    username: "",
-    password: Redacted.make(""),
-  }
-}
+export class ServerAuthConfig extends ConfigService.Service<ServerAuthConfig>()(
+  "@opencode/ExperimentalHttpApiServerAuthConfig",
+  {
+    password: Config.string("OPENCODE_SERVER_PASSWORD").pipe(Config.option),
+    username: Config.string("OPENCODE_SERVER_USERNAME").pipe(Config.withDefault("opencode")),
+  },
+) {}
 
 function validateCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: ServerAuth.DecodedCredentials,
-  config: ServerAuth.Info,
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
 ) {
   return Effect.gen(function* () {
-    if (!ServerAuth.required(config)) return yield* effect
-    if (!ServerAuth.authorized(credential, config)) return yield* new HttpApiError.Unauthorized({})
+    if (!isAuthRequired(config)) return yield* effect
+    if (!isCredentialAuthorized(credential, config)) return yield* new HttpApiError.Unauthorized({})
     return yield* effect
   })
 }
 
+function isAuthRequired(config: Context.Service.Shape<typeof ServerAuthConfig>) {
+  return Option.isSome(config.password) && config.password.value !== ""
+}
+
+function isCredentialAuthorized(
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
+) {
+  return (
+    Option.isSome(config.password) &&
+    credential.username === config.username &&
+    Redacted.value(credential.password) === config.password.value
+  )
+}
+
 function decodeCredential(input: string) {
+  const emptyCredential = {
+    username: "",
+    password: Redacted.make(""),
+  }
+
   return Encoding.decodeBase64String(input)
     .asEffect()
     .pipe(
       Effect.match({
-        onFailure: emptyCredential,
+        onFailure: () => emptyCredential,
         onSuccess: (header) => {
           const parts = header.split(":")
-          if (parts.length !== 2) return emptyCredential()
+          if (parts.length !== 2) return emptyCredential
           return {
             username: parts[0],
             password: Redacted.make(parts[1]),
@@ -56,48 +75,40 @@ function decodeCredential(input: string) {
     )
 }
 
-function credentialFromRequest(request: HttpServerRequest.HttpServerRequest) {
-  return credentialFromURL(new URL(request.url, "http://localhost"), request)
-}
-
-function credentialFromURL(url: URL, request: HttpServerRequest.HttpServerRequest) {
-  const token = url.searchParams.get(AUTH_TOKEN_QUERY)
-  if (token) return decodeCredential(token)
-  const match = /^Basic\s+(.+)$/i.exec(request.headers.authorization ?? "")
-  if (match) return decodeCredential(match[1])
-  return Effect.succeed(emptyCredential())
-}
-
 function validateRawCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: ServerAuth.DecodedCredentials,
-  config: ServerAuth.Info,
+  credential: { readonly username: string; readonly password: Redacted.Redacted },
+  config: Context.Service.Shape<typeof ServerAuthConfig>,
 ) {
-  if (!ServerAuth.required(config)) return effect
-  if (!ServerAuth.authorized(credential, config))
-    return Effect.succeed(
-      HttpServerResponse.empty({
-        status: UNAUTHORIZED,
-        headers: { "www-authenticate": WWW_AUTHENTICATE },
-      }),
-    )
+  if (!isAuthRequired(config)) return effect
+  if (!isCredentialAuthorized(credential, config))
+    return Effect.succeed(HttpServerResponse.empty({ status: UNAUTHORIZED }))
   return effect
 }
 
 export const authorizationRouterMiddleware = HttpRouter.middleware()(
   Effect.gen(function* () {
-    const config = yield* ServerAuth.Config
-    if (!ServerAuth.required(config)) return (effect) => effect
+    const config = yield* ServerAuthConfig
+    if (!isAuthRequired(config)) return (effect) => effect
 
     return (effect) =>
       Effect.gen(function* () {
         const request = yield* HttpServerRequest.HttpServerRequest
-        const url = new URL(request.url, "http://localhost")
-        if (isPublicUIPath(request.method, url.pathname)) return yield* effect
-        if (hasPtyConnectTicketURL(url)) return yield* effect
-        return yield* credentialFromURL(url, request).pipe(
-          Effect.flatMap((credential) => validateRawCredential(effect, credential, config)),
-        )
+        const match = /^Basic\s+(.+)$/i.exec(request.headers.authorization ?? "")
+        if (match) {
+          return yield* decodeCredential(match[1]).pipe(
+            Effect.flatMap((credential) => validateRawCredential(effect, credential, config)),
+          )
+        }
+
+        const token = new URL(request.url, "http://localhost").searchParams.get(AUTH_TOKEN_QUERY)
+        if (token) {
+          return yield* decodeCredential(token).pipe(
+            Effect.flatMap((credential) => validateRawCredential(effect, credential, config)),
+          )
+        }
+
+        return yield* validateRawCredential(effect, { username: "", password: Redacted.make("") }, config)
       })
   }),
 )
@@ -105,15 +116,13 @@ export const authorizationRouterMiddleware = HttpRouter.middleware()(
 export const authorizationLayer = Layer.effect(
   Authorization,
   Effect.gen(function* () {
-    const config = yield* ServerAuth.Config
-    if (!ServerAuth.required(config)) return Authorization.of((effect) => effect)
-    return Authorization.of((effect) =>
-      Effect.gen(function* () {
-        const request = yield* HttpServerRequest.HttpServerRequest
-        return yield* credentialFromRequest(request).pipe(
-          Effect.flatMap((credential) => validateCredential(effect, credential, config)),
-        )
-      }),
-    )
+    const config = yield* ServerAuthConfig
+    return Authorization.of({
+      basic: (effect, { credential }) => validateCredential(effect, credential, config),
+      authToken: (effect, { credential }) =>
+        decodeCredential(Redacted.value(credential)).pipe(
+          Effect.flatMap((decoded) => validateCredential(effect, decoded, config)),
+        ),
+    })
   }),
 )

packages/opencode/src/server/routes/instance/httpapi/middleware/proxy.ts

@@ -2,7 +2,6 @@ import { ProxyUtil } from "@/server/proxy-util"
 import { Effect, Stream } from "effect"
 import { HttpBody, HttpClient, HttpClientRequest, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"
 import * as Socket from "effect/unstable/socket/Socket"
-import { WebSocketTracker } from "../websocket-tracker"
 
 function webSource(request: HttpServerRequest.HttpServerRequest): Request | undefined {
   return request.source instanceof Request ? request.source : undefined
@@ -29,33 +28,6 @@ export function websocket(
       })
       const writeInbound = yield* inbound.writer
       const writeOutbound = yield* outbound.writer
-      const closeSocket = (socket: Socket.Socket, write: (event: Socket.CloseEvent) => Effect.Effect<void, unknown>) =>
-        socket
-          .runRaw(() => Effect.void, {
-            onOpen: write(WebSocketTracker.SERVER_CLOSING_EVENT()).pipe(Effect.catch(() => Effect.void)),
-          })
-          .pipe(
-            Effect.timeout("1 second"),
-            Effect.catchReason("SocketError", "SocketCloseError", () => Effect.void),
-            Effect.catch(() => Effect.void),
-          )
-      const closeAccepted = Effect.all([closeSocket(inbound, writeInbound), closeSocket(outbound, writeOutbound)], {
-        concurrency: "unbounded",
-        discard: true,
-      })
-      const registered = yield* WebSocketTracker.register(
-        Effect.all(
-          [
-            writeInbound(WebSocketTracker.SERVER_CLOSING_EVENT()),
-            writeOutbound(WebSocketTracker.SERVER_CLOSING_EVENT()),
-          ],
-          { concurrency: "unbounded", discard: true },
-        ),
-      )
-      if (!registered) {
-        yield* closeAccepted
-        return HttpServerResponse.empty()
-      }
 
       yield* outbound
         .runRaw((message) => writeInbound(message))

packages/opencode/src/server/routes/instance/httpapi/middleware/workspace-routing.ts

@@ -5,8 +5,8 @@ import { Workspace } from "@/control-plane/workspace"
 import { EffectBridge } from "@/effect/bridge"
 import { Session } from "@/session/session"
 import { HttpApiProxy } from "./proxy"
-import * as Fence from "@/server/shared/fence"
-import { getWorkspaceRouteSessionID, isLocalWorkspaceRoute, workspaceProxyURL } from "@/server/shared/workspace-routing"
+import * as Fence from "@/server/fence"
+import { getWorkspaceRouteSessionID, isLocalWorkspaceRoute, workspaceProxyURL } from "@/server/workspace"
 import { Flag } from "@opencode-ai/core/flag/flag"
 import { Context, Data, Effect, Layer } from "effect"
 import { HttpClient, HttpRouter, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"

packages/opencode/src/server/routes/instance/httpapi/server.ts

@@ -25,7 +25,6 @@ import { ProviderAuth } from "@/provider/auth"
 import { ModelsDev } from "@/provider/models"
 import { Provider } from "@/provider/provider"
 import { Pty } from "@/pty"
-import { PtyTicket } from "@/pty/ticket"
 import { Question } from "@/question"
 import { Session } from "@/session/session"
 import { SessionCompaction } from "@/session/compaction"
@@ -45,11 +44,10 @@ import { lazy } from "@/util/lazy"
 import { Vcs } from "@/project/vcs"
 import { Worktree } from "@/worktree"
 import { Workspace } from "@/control-plane/workspace"
-import { CorsConfig, isAllowedCorsOrigin, type CorsOptions } from "@/server/cors"
-import { serveUIEffect } from "@/server/shared/ui"
-import { ServerAuth } from "@/server/auth"
+import { isAllowedCorsOrigin, type CorsOptions } from "@/server/cors"
+import { serveUIEffect } from "@/server/routes/ui"
 import { InstanceHttpApi, RootHttpApi } from "./api"
-import { authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
+import { ServerAuthConfig, authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
 import { EventApi, eventHandlers } from "./event"
 import { configHandlers } from "./handlers/config"
 import { controlHandlers } from "./handlers/control"
@@ -72,13 +70,15 @@ import { instanceContextLayer, instanceRouterMiddleware } from "./middleware/ins
 import { workspaceRouterMiddleware, workspaceRoutingLayer } from "./middleware/workspace-routing"
 import { disposeMiddleware } from "./lifecycle"
 import { memoMap } from "@opencode-ai/core/effect/memo-map"
+import * as ServerBackend from "@/server/backend"
 
 export const context = Context.makeUnsafe<unknown>(new Map())
 
 const runtime = HttpRouter.middleware()(
   Effect.succeed((effect) =>
     Effect.gen(function* () {
-      yield* Effect.annotateCurrentSpan({ "opencode.server.backend": "effect-httpapi" })
+      const selected = ServerBackend.select()
+      yield* Effect.annotateCurrentSpan(ServerBackend.attributes(ServerBackend.force(selected, "effect-httpapi")))
       return yield* effect
     }),
   ),
@@ -97,7 +97,7 @@ const rootApiRoutes = HttpApiBuilder.layer(RootHttpApi).pipe(Layer.provide([cont
 const instanceRouterLayer = authorizationRouterMiddleware
   .combine(instanceRouterMiddleware)
   .combine(workspaceRouterMiddleware)
-  .layer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal), Layer.provide(ServerAuth.Config.defaultLayer))
+  .layer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal), Layer.provide(ServerAuthConfig.defaultLayer))
 const eventApiRoutes = HttpApiBuilder.layer(EventApi).pipe(
   Layer.provide(eventHandlers),
   Layer.provide(instanceRouterLayer),
@@ -125,7 +125,7 @@ const instanceApiRoutes = HttpApiBuilder.layer(InstanceHttpApi).pipe(
 const rawInstanceRoutes = Layer.mergeAll(ptyConnectRoute).pipe(Layer.provide(instanceRouterLayer))
 const instanceRoutes = Layer.mergeAll(rawInstanceRoutes, instanceApiRoutes).pipe(
   Layer.provide([
-    authorizationLayer.pipe(Layer.provide(ServerAuth.Config.defaultLayer)),
+    authorizationLayer.pipe(Layer.provide(ServerAuthConfig.defaultLayer)),
     workspaceRoutingLayer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal)),
     instanceContextLayer,
   ]),
@@ -137,7 +137,7 @@ const uiRoute = HttpRouter.use((router) =>
     const client = yield* HttpClient.HttpClient
     yield* router.add("*", "/*", (request) => serveUIEffect(request, { fs, client }))
   }),
-).pipe(Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuth.Config.defaultLayer))))
+).pipe(Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuthConfig.defaultLayer))))
 
 export function createRoutes(corsOptions?: CorsOptions) {
   return Layer.mergeAll(rootApiRoutes, eventApiRoutes, instanceRoutes, uiRoute).pipe(
@@ -162,7 +162,6 @@ export function createRoutes(corsOptions?: CorsOptions) {
       ProviderAuth.defaultLayer,
       Provider.defaultLayer,
       Pty.defaultLayer,
-      PtyTicket.defaultLayer,
       Question.defaultLayer,
       Ripgrep.defaultLayer,
       Session.defaultLayer,
@@ -187,7 +186,6 @@ export function createRoutes(corsOptions?: CorsOptions) {
       FetchHttpClient.layer,
       HttpServer.layerServices,
     ]),
-    Layer.provideMerge(Layer.succeed(CorsConfig)(corsOptions)),
     Layer.provideMerge(InstanceLayer.layer),
     Layer.provideMerge(Observability.layer),
   )

packages/opencode/src/server/routes/instance/httpapi/websocket-tracker.ts

@@ -1,57 +0,0 @@
-import { Context, Effect, Layer, Option } from "effect"
-import * as Socket from "effect/unstable/socket/Socket"
-
-export const SERVER_CLOSING_EVENT = () => new Socket.CloseEvent(1001, "server closing")
-
-type Close = Effect.Effect<void, unknown>
-
-export interface Interface {
-  readonly add: (close: Close) => Effect.Effect<boolean>
-  readonly remove: (close: Close) => Effect.Effect<void>
-  readonly closeAll: Effect.Effect<void>
-}
-
-export class Service extends Context.Service<Service, Interface>()("@opencode/HttpApiWebSocketTracker") {}
-
-export const layer = Layer.sync(Service)(() => {
-  const sockets = new Set<Close>()
-  let closing = false
-  return Service.of({
-    add: (close) =>
-      Effect.gen(function* () {
-        if (closing) return false
-        sockets.add(close)
-        return true
-      }),
-    remove: (close) =>
-      Effect.sync(() => {
-        sockets.delete(close)
-      }),
-    closeAll: Effect.gen(function* () {
-      closing = true
-      const active = Array.from(sockets)
-      sockets.clear()
-      yield* Effect.all(
-        active.map((close) =>
-          close.pipe(
-            Effect.timeout("1 second"),
-            Effect.catch(() => Effect.void),
-          ),
-        ),
-        { concurrency: "unbounded", discard: true },
-      )
-    }),
-  })
-})
-
-export const register = (close: Close) =>
-  Effect.gen(function* () {
-    const tracker = yield* Effect.serviceOption(Service)
-    if (Option.isNone(tracker)) return true
-    const registered = yield* tracker.value.add(close)
-    if (!registered) return false
-    yield* Effect.addFinalizer(() => tracker.value.remove(close))
-    return true
-  })
-
-export * as WebSocketTracker from "./websocket-tracker"

packages/opencode/src/server/routes/instance/index.ts

@@ -0,0 +1,404 @@
+import { describeRoute, resolver, validator } from "hono-openapi"
+import { Hono } from "hono"
+import type { UpgradeWebSocket } from "hono/ws"
+import { Context, Effect } from "effect"
+import { Flag } from "@opencode-ai/core/flag/flag"
+import z from "zod"
+import { Format } from "@/format"
+import { TuiRoutes } from "./tui"
+import { Instance } from "@/project/instance"
+import { InstanceRuntime } from "@/project/instance-runtime"
+import { Vcs } from "@/project/vcs"
+import { Agent } from "@/agent/agent"
+import { Skill } from "@/skill"
+import { Global } from "@opencode-ai/core/global"
+import { LSP } from "@/lsp/lsp"
+import { Command } from "@/command"
+import { QuestionRoutes } from "./question"
+import { PermissionRoutes } from "./permission"
+import { ProjectRoutes } from "./project"
+import { SessionRoutes } from "./session"
+import { PtyRoutes } from "./pty"
+import { McpRoutes } from "./mcp"
+import { FileRoutes } from "./file"
+import { ConfigRoutes } from "./config"
+import { ExperimentalRoutes } from "./experimental"
+import { ProviderRoutes } from "./provider"
+import { EventRoutes } from "./event"
+import { SyncRoutes } from "./sync"
+import { InstanceMiddleware } from "./middleware"
+import { jsonRequest } from "./trace"
+import { ExperimentalHttpApiServer } from "./httpapi/server"
+import { EventPaths } from "./httpapi/event"
+import { ExperimentalPaths } from "./httpapi/groups/experimental"
+import { FilePaths } from "./httpapi/groups/file"
+import { InstancePaths } from "./httpapi/groups/instance"
+import { McpPaths } from "./httpapi/groups/mcp"
+import { PtyPaths } from "./httpapi/groups/pty"
+import { SessionPaths } from "./httpapi/groups/session"
+import { SyncPaths } from "./httpapi/groups/sync"
+import { TuiPaths } from "./httpapi/groups/tui"
+import { WorkspacePaths } from "./httpapi/groups/workspace"
+
+export const InstanceRoutes = (upgrade: UpgradeWebSocket): Hono => {
+  const app = new Hono()
+  const handler = ExperimentalHttpApiServer.webHandler().handler
+  const context = Context.empty() as Context.Context<unknown>
+
+  app.all("/api/*", (c) => handler(c.req.raw, context))
+
+  if (Flag.OPENCODE_EXPERIMENTAL_HTTPAPI) {
+    app.get(EventPaths.event, (c) => handler(c.req.raw, context))
+    app.get("/question", (c) => handler(c.req.raw, context))
+    app.post("/question/:requestID/reply", (c) => handler(c.req.raw, context))
+    app.post("/question/:requestID/reject", (c) => handler(c.req.raw, context))
+    app.get("/permission", (c) => handler(c.req.raw, context))
+    app.post("/permission/:requestID/reply", (c) => handler(c.req.raw, context))
+    app.get("/config", (c) => handler(c.req.raw, context))
+    app.patch("/config", (c) => handler(c.req.raw, context))
+    app.get("/config/providers", (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.console, (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.consoleOrgs, (c) => handler(c.req.raw, context))
+    app.post(ExperimentalPaths.consoleSwitch, (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.tool, (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.toolIDs, (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.worktree, (c) => handler(c.req.raw, context))
+    app.post(ExperimentalPaths.worktree, (c) => handler(c.req.raw, context))
+    app.delete(ExperimentalPaths.worktree, (c) => handler(c.req.raw, context))
+    app.post(ExperimentalPaths.worktreeReset, (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.session, (c) => handler(c.req.raw, context))
+    app.get(ExperimentalPaths.resource, (c) => handler(c.req.raw, context))
+    app.get("/provider", (c) => handler(c.req.raw, context))
+    app.get("/provider/auth", (c) => handler(c.req.raw, context))
+    app.post("/provider/:providerID/oauth/authorize", (c) => handler(c.req.raw, context))
+    app.post("/provider/:providerID/oauth/callback", (c) => handler(c.req.raw, context))
+    app.get("/project", (c) => handler(c.req.raw, context))
+    app.get("/project/current", (c) => handler(c.req.raw, context))
+    app.post("/project/git/init", (c) => handler(c.req.raw, context))
+    app.patch("/project/:projectID", (c) => handler(c.req.raw, context))
+    app.get(FilePaths.findText, (c) => handler(c.req.raw, context))
+    app.get(FilePaths.findFile, (c) => handler(c.req.raw, context))
+    app.get(FilePaths.findSymbol, (c) => handler(c.req.raw, context))
+    app.get(FilePaths.list, (c) => handler(c.req.raw, context))
+    app.get(FilePaths.content, (c) => handler(c.req.raw, context))
+    app.get(FilePaths.status, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.path, (c) => handler(c.req.raw, context))
+    app.post(InstancePaths.dispose, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.vcs, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.vcsDiff, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.command, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.agent, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.skill, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.lsp, (c) => handler(c.req.raw, context))
+    app.get(InstancePaths.formatter, (c) => handler(c.req.raw, context))
+    app.get(McpPaths.status, (c) => handler(c.req.raw, context))
+    app.post(McpPaths.status, (c) => handler(c.req.raw, context))
+    app.post(McpPaths.auth, (c) => handler(c.req.raw, context))
+    app.post(McpPaths.authCallback, (c) => handler(c.req.raw, context))
+    app.post(McpPaths.authAuthenticate, (c) => handler(c.req.raw, context))
+    app.delete(McpPaths.auth, (c) => handler(c.req.raw, context))
+    app.post(McpPaths.connect, (c) => handler(c.req.raw, context))
+    app.post(McpPaths.disconnect, (c) => handler(c.req.raw, context))
+    app.post(SyncPaths.start, (c) => handler(c.req.raw, context))
+    app.post(SyncPaths.replay, (c) => handler(c.req.raw, context))
+    app.post(SyncPaths.history, (c) => handler(c.req.raw, context))
+    app.get(PtyPaths.list, (c) => handler(c.req.raw, context))
+    app.post(PtyPaths.create, (c) => handler(c.req.raw, context))
+    app.get(PtyPaths.get, (c) => handler(c.req.raw, context))
+    app.put(PtyPaths.update, (c) => handler(c.req.raw, context))
+    app.delete(PtyPaths.remove, (c) => handler(c.req.raw, context))
+    app.get(PtyPaths.connect, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.list, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.status, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.get, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.children, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.todo, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.diff, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.messages, (c) => handler(c.req.raw, context))
+    app.get(SessionPaths.message, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.create, (c) => handler(c.req.raw, context))
+    app.delete(SessionPaths.remove, (c) => handler(c.req.raw, context))
+    app.patch(SessionPaths.update, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.init, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.fork, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.abort, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.share, (c) => handler(c.req.raw, context))
+    app.delete(SessionPaths.share, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.summarize, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.prompt, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.promptAsync, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.command, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.shell, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.revert, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.unrevert, (c) => handler(c.req.raw, context))
+    app.post(SessionPaths.permissions, (c) => handler(c.req.raw, context))
+    app.delete(SessionPaths.deleteMessage, (c) => handler(c.req.raw, context))
+    app.delete(SessionPaths.deletePart, (c) => handler(c.req.raw, context))
+    app.patch(SessionPaths.updatePart, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.appendPrompt, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.openHelp, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.openSessions, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.openThemes, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.openModels, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.submitPrompt, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.clearPrompt, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.executeCommand, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.showToast, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.publish, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.selectSession, (c) => handler(c.req.raw, context))
+    app.get(TuiPaths.controlNext, (c) => handler(c.req.raw, context))
+    app.post(TuiPaths.controlResponse, (c) => handler(c.req.raw, context))
+    app.get(WorkspacePaths.adapters, (c) => handler(c.req.raw, context))
+    app.post(WorkspacePaths.list, (c) => handler(c.req.raw, context))
+    app.get(WorkspacePaths.list, (c) => handler(c.req.raw, context))
+    app.get(WorkspacePaths.status, (c) => handler(c.req.raw, context))
+    app.delete(WorkspacePaths.remove, (c) => handler(c.req.raw, context))
+    app.post(WorkspacePaths.sessionRestore, (c) => handler(c.req.raw, context))
+  }
+
+  return app
+    .route("/project", ProjectRoutes())
+    .route("/pty", PtyRoutes(upgrade))
+    .route("/config", ConfigRoutes())
+    .route("/experimental", ExperimentalRoutes())
+    .route("/session", SessionRoutes())
+    .route("/permission", PermissionRoutes())
+    .route("/question", QuestionRoutes())
+    .route("/provider", ProviderRoutes())
+    .route("/sync", SyncRoutes())
+    .route("/", FileRoutes())
+    .route("/", EventRoutes())
+    .route("/mcp", McpRoutes())
+    .route("/tui", TuiRoutes())
+    .post(
+      "/instance/dispose",
+      describeRoute({
+        summary: "Dispose instance",
+        description: "Clean up and dispose the current OpenCode instance, releasing all resources.",
+        operationId: "instance.dispose",
+        responses: {
+          200: {
+            description: "Instance disposed",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        await InstanceRuntime.disposeInstance(Instance.current)
+        return c.json(true)
+      },
+    )
+    .get(
+      "/path",
+      describeRoute({
+        summary: "Get paths",
+        description: "Retrieve the current working directory and related path information for the OpenCode instance.",
+        operationId: "path.get",
+        responses: {
+          200: {
+            description: "Path",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z
+                    .object({
+                      home: z.string(),
+                      state: z.string(),
+                      config: z.string(),
+                      worktree: z.string(),
+                      directory: z.string(),
+                    })
+                    .meta({
+                      ref: "Path",
+                    }),
+                ),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json({
+          home: Global.Path.home,
+          state: Global.Path.state,
+          config: Global.Path.config,
+          worktree: Instance.worktree,
+          directory: Instance.directory,
+        })
+      },
+    )
+    .get(
+      "/vcs",
+      describeRoute({
+        summary: "Get VCS info",
+        description: "Retrieve version control system (VCS) information for the current project, such as git branch.",
+        operationId: "vcs.get",
+        responses: {
+          200: {
+            description: "VCS info",
+            content: {
+              "application/json": {
+                schema: resolver(Vcs.Info.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("InstanceRoutes.vcs.get", c, function* () {
+          const vcs = yield* Vcs.Service
+          const [branch, default_branch] = yield* Effect.all([vcs.branch(), vcs.defaultBranch()], {
+            concurrency: 2,
+          })
+          return { branch, default_branch }
+        }),
+    )
+    .get(
+      "/vcs/diff",
+      describeRoute({
+        summary: "Get VCS diff",
+        description: "Retrieve the current git diff for the working tree or against the default branch.",
+        operationId: "vcs.diff",
+        responses: {
+          200: {
+            description: "VCS diff",
+            content: {
+              "application/json": {
+                schema: resolver(Vcs.FileDiff.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      validator(
+        "query",
+        z.object({
+          mode: Vcs.Mode.zod,
+        }),
+      ),
+      async (c) =>
+        jsonRequest("InstanceRoutes.vcs.diff", c, function* () {
+          const vcs = yield* Vcs.Service
+          return yield* vcs.diff(c.req.valid("query").mode)
+        }),
+    )
+    .get(
+      "/command",
+      describeRoute({
+        summary: "List commands",
+        description: "Get a list of all available commands in the OpenCode system.",
+        operationId: "command.list",
+        responses: {
+          200: {
+            description: "List of commands",
+            content: {
+              "application/json": {
+                schema: resolver(Command.Info.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("InstanceRoutes.command.list", c, function* () {
+          const svc = yield* Command.Service
+          return yield* svc.list()
+        }),
+    )
+    .get(
+      "/agent",
+      describeRoute({
+        summary: "List agents",
+        description: "Get a list of all available AI agents in the OpenCode system.",
+        operationId: "app.agents",
+        responses: {
+          200: {
+            description: "List of agents",
+            content: {
+              "application/json": {
+                schema: resolver(Agent.Info.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("InstanceRoutes.agent.list", c, function* () {
+          const svc = yield* Agent.Service
+          return yield* svc.list()
+        }),
+    )
+    .get(
+      "/skill",
+      describeRoute({
+        summary: "List skills",
+        description: "Get a list of all available skills in the OpenCode system.",
+        operationId: "app.skills",
+        responses: {
+          200: {
+            description: "List of skills",
+            content: {
+              "application/json": {
+                schema: resolver(Skill.Info.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("InstanceRoutes.skill.list", c, function* () {
+          const skill = yield* Skill.Service
+          return yield* skill.all()
+        }),
+    )
+    .get(
+      "/lsp",
+      describeRoute({
+        summary: "Get LSP status",
+        description: "Get LSP server status",
+        operationId: "lsp.status",
+        responses: {
+          200: {
+            description: "LSP server status",
+            content: {
+              "application/json": {
+                schema: resolver(LSP.Status.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("InstanceRoutes.lsp.status", c, function* () {
+          const lsp = yield* LSP.Service
+          return yield* lsp.status()
+        }),
+    )
+    .get(
+      "/formatter",
+      describeRoute({
+        summary: "Get formatter status",
+        description: "Get formatter status",
+        operationId: "formatter.status",
+        responses: {
+          200: {
+            description: "Formatter status",
+            content: {
+              "application/json": {
+                schema: resolver(Format.Status.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("InstanceRoutes.formatter.status", c, function* () {
+          const svc = yield* Format.Service
+          return yield* svc.status()
+        }),
+    )
+}

packages/opencode/src/server/routes/instance/mcp.ts

@@ -0,0 +1,277 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import z from "zod"
+import { MCP } from "@/mcp"
+import { ConfigMCP } from "@/config/mcp"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { Effect } from "effect"
+import { jsonRequest, runRequest } from "./trace"
+
+const UnsupportedOAuthError = z
+  .object({
+    error: z.string(),
+  })
+  .meta({ ref: "McpUnsupportedOAuthError" })
+
+const unsupportedOAuthErrorResponse = {
+  description: "MCP server does not support OAuth",
+  content: {
+    "application/json": {
+      schema: resolver(UnsupportedOAuthError),
+    },
+  },
+}
+
+export const McpRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/",
+      describeRoute({
+        summary: "Get MCP status",
+        description: "Get the status of all Model Context Protocol (MCP) servers.",
+        operationId: "mcp.status",
+        responses: {
+          200: {
+            description: "MCP server status",
+            content: {
+              "application/json": {
+                schema: resolver(z.record(z.string(), MCP.Status.zod)),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("McpRoutes.status", c, function* () {
+          const mcp = yield* MCP.Service
+          return yield* mcp.status()
+        }),
+    )
+    .post(
+      "/",
+      describeRoute({
+        summary: "Add MCP server",
+        description: "Dynamically add a new Model Context Protocol (MCP) server to the system.",
+        operationId: "mcp.add",
+        responses: {
+          200: {
+            description: "MCP server added successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.record(z.string(), MCP.Status.zod)),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "json",
+        z.object({
+          name: z.string(),
+          config: ConfigMCP.Info.zod,
+        }),
+      ),
+      async (c) =>
+        jsonRequest("McpRoutes.add", c, function* () {
+          const { name, config } = c.req.valid("json")
+          const mcp = yield* MCP.Service
+          const result = yield* mcp.add(name, config)
+          return result.status
+        }),
+    )
+    .post(
+      "/:name/auth",
+      describeRoute({
+        summary: "Start MCP OAuth",
+        description: "Start OAuth authentication flow for a Model Context Protocol (MCP) server.",
+        operationId: "mcp.auth.start",
+        responses: {
+          200: {
+            description: "OAuth flow started",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z.object({
+                    authorizationUrl: z.string().describe("URL to open in browser for authorization"),
+                  }),
+                ),
+              },
+            },
+          },
+          400: unsupportedOAuthErrorResponse,
+          ...errors(404),
+        },
+      }),
+      async (c) => {
+        const name = c.req.param("name")
+        const result = await runRequest(
+          "McpRoutes.auth.start",
+          c,
+          Effect.gen(function* () {
+            const mcp = yield* MCP.Service
+            const supports = yield* mcp.supportsOAuth(name)
+            if (!supports) return { supports }
+            return {
+              supports,
+              auth: yield* mcp.startAuth(name),
+            }
+          }),
+        )
+        if (!result.supports) {
+          return c.json({ error: `MCP server ${name} does not support OAuth` }, 400)
+        }
+        return c.json(result.auth)
+      },
+    )
+    .post(
+      "/:name/auth/callback",
+      describeRoute({
+        summary: "Complete MCP OAuth",
+        description:
+          "Complete OAuth authentication for a Model Context Protocol (MCP) server using the authorization code.",
+        operationId: "mcp.auth.callback",
+        responses: {
+          200: {
+            description: "OAuth authentication completed",
+            content: {
+              "application/json": {
+                schema: resolver(MCP.Status.zod),
+              },
+            },
+          },
+          ...errors(400, 404),
+        },
+      }),
+      validator(
+        "json",
+        z.object({
+          code: z.string().describe("Authorization code from OAuth callback"),
+        }),
+      ),
+      async (c) =>
+        jsonRequest("McpRoutes.auth.callback", c, function* () {
+          const name = c.req.param("name")
+          const { code } = c.req.valid("json")
+          const mcp = yield* MCP.Service
+          return yield* mcp.finishAuth(name, code)
+        }),
+    )
+    .post(
+      "/:name/auth/authenticate",
+      describeRoute({
+        summary: "Authenticate MCP OAuth",
+        description: "Start OAuth flow and wait for callback (opens browser)",
+        operationId: "mcp.auth.authenticate",
+        responses: {
+          200: {
+            description: "OAuth authentication completed",
+            content: {
+              "application/json": {
+                schema: resolver(MCP.Status.zod),
+              },
+            },
+          },
+          400: unsupportedOAuthErrorResponse,
+          ...errors(404),
+        },
+      }),
+      async (c) => {
+        const name = c.req.param("name")
+        const result = await runRequest(
+          "McpRoutes.auth.authenticate",
+          c,
+          Effect.gen(function* () {
+            const mcp = yield* MCP.Service
+            const supports = yield* mcp.supportsOAuth(name)
+            if (!supports) return { supports }
+            return {
+              supports,
+              status: yield* mcp.authenticate(name),
+            }
+          }),
+        )
+        if (!result.supports) {
+          return c.json({ error: `MCP server ${name} does not support OAuth` }, 400)
+        }
+        return c.json(result.status)
+      },
+    )
+    .delete(
+      "/:name/auth",
+      describeRoute({
+        summary: "Remove MCP OAuth",
+        description: "Remove OAuth credentials for an MCP server",
+        operationId: "mcp.auth.remove",
+        responses: {
+          200: {
+            description: "OAuth credentials removed",
+            content: {
+              "application/json": {
+                schema: resolver(z.object({ success: z.literal(true) })),
+              },
+            },
+          },
+          ...errors(404),
+        },
+      }),
+      async (c) =>
+        jsonRequest("McpRoutes.auth.remove", c, function* () {
+          const name = c.req.param("name")
+          const mcp = yield* MCP.Service
+          yield* mcp.removeAuth(name)
+          return { success: true as const }
+        }),
+    )
+    .post(
+      "/:name/connect",
+      describeRoute({
+        description: "Connect an MCP server",
+        operationId: "mcp.connect",
+        responses: {
+          200: {
+            description: "MCP server connected successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+        },
+      }),
+      validator("param", z.object({ name: z.string() })),
+      async (c) =>
+        jsonRequest("McpRoutes.connect", c, function* () {
+          const { name } = c.req.valid("param")
+          const mcp = yield* MCP.Service
+          yield* mcp.connect(name)
+          return true
+        }),
+    )
+    .post(
+      "/:name/disconnect",
+      describeRoute({
+        description: "Disconnect an MCP server",
+        operationId: "mcp.disconnect",
+        responses: {
+          200: {
+            description: "MCP server disconnected successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+        },
+      }),
+      validator("param", z.object({ name: z.string() })),
+      async (c) =>
+        jsonRequest("McpRoutes.disconnect", c, function* () {
+          const { name } = c.req.valid("param")
+          const mcp = yield* MCP.Service
+          yield* mcp.disconnect(name)
+          return true
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/middleware.ts

@@ -0,0 +1,32 @@
+import type { MiddlewareHandler } from "hono"
+import { WithInstance } from "@/project/with-instance"
+import { AppFileSystem } from "@opencode-ai/core/filesystem"
+import { WorkspaceContext } from "@/control-plane/workspace-context"
+import { WorkspaceID } from "@/control-plane/schema"
+
+export function InstanceMiddleware(workspaceID?: WorkspaceID): MiddlewareHandler {
+  return async (c, next) => {
+    const raw = c.req.query("directory") || c.req.header("x-opencode-directory") || process.cwd()
+    const directory = AppFileSystem.resolve(
+      (() => {
+        try {
+          return decodeURIComponent(raw)
+        } catch {
+          return raw
+        }
+      })(),
+    )
+
+    return WorkspaceContext.provide({
+      workspaceID,
+      async fn() {
+        return WithInstance.provide({
+          directory,
+          async fn() {
+            return next()
+          },
+        })
+      },
+    })
+  }
+}

packages/opencode/src/server/routes/instance/permission.ts

@@ -0,0 +1,73 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import z from "zod"
+import { Permission } from "@/permission"
+import { PermissionID } from "@/permission/schema"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { jsonRequest } from "./trace"
+
+export const PermissionRoutes = lazy(() =>
+  new Hono()
+    .post(
+      "/:requestID/reply",
+      describeRoute({
+        summary: "Respond to permission request",
+        description: "Approve or deny a permission request from the AI assistant.",
+        operationId: "permission.reply",
+        responses: {
+          200: {
+            description: "Permission processed successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400, 404),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          requestID: PermissionID.zod,
+        }),
+      ),
+      validator("json", z.object({ reply: Permission.Reply.zod, message: z.string().optional() })),
+      async (c) =>
+        jsonRequest("PermissionRoutes.reply", c, function* () {
+          const params = c.req.valid("param")
+          const json = c.req.valid("json")
+          const svc = yield* Permission.Service
+          yield* svc.reply({
+            requestID: params.requestID,
+            reply: json.reply,
+            message: json.message,
+          })
+          return true
+        }),
+    )
+    .get(
+      "/",
+      describeRoute({
+        summary: "List pending permissions",
+        description: "Get all pending permission requests across all sessions.",
+        operationId: "permission.list",
+        responses: {
+          200: {
+            description: "List of pending permissions",
+            content: {
+              "application/json": {
+                schema: resolver(Permission.Request.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("PermissionRoutes.list", c, function* () {
+          const svc = yield* Permission.Service
+          return yield* svc.list()
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/project.ts

@@ -0,0 +1,116 @@
+import { Hono } from "hono"
+import { describeRoute, validator } from "hono-openapi"
+import { resolver } from "hono-openapi"
+import { Instance } from "@/project/instance"
+import { InstanceRuntime } from "@/project/instance-runtime"
+import { Project } from "@/project/project"
+import z from "zod"
+import { ProjectID } from "@/project/schema"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { jsonRequest, runRequest } from "./trace"
+
+export const ProjectRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/",
+      describeRoute({
+        summary: "List all projects",
+        description: "Get a list of projects that have been opened with OpenCode.",
+        operationId: "project.list",
+        responses: {
+          200: {
+            description: "List of projects",
+            content: {
+              "application/json": {
+                schema: resolver(Project.Info.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        const projects = Project.list()
+        return c.json(projects)
+      },
+    )
+    .get(
+      "/current",
+      describeRoute({
+        summary: "Get current project",
+        description: "Retrieve the currently active project that OpenCode is working with.",
+        operationId: "project.current",
+        responses: {
+          200: {
+            description: "Current project information",
+            content: {
+              "application/json": {
+                schema: resolver(Project.Info.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json(Instance.project)
+      },
+    )
+    .post(
+      "/git/init",
+      describeRoute({
+        summary: "Initialize git repository",
+        description: "Create a git repository for the current project and return the refreshed project info.",
+        operationId: "project.initGit",
+        responses: {
+          200: {
+            description: "Project information after git initialization",
+            content: {
+              "application/json": {
+                schema: resolver(Project.Info.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        const dir = Instance.directory
+        const prev = Instance.project
+        const next = await runRequest(
+          "ProjectRoutes.initGit",
+          c,
+          Project.Service.use((svc) => svc.initGit({ directory: dir, project: prev })),
+        )
+        if (next.id === prev.id && next.vcs === prev.vcs && next.worktree === prev.worktree) return c.json(next)
+        await InstanceRuntime.reloadInstance({ directory: dir, worktree: dir, project: next })
+        return c.json(next)
+      },
+    )
+    .patch(
+      "/:projectID",
+      describeRoute({
+        summary: "Update project",
+        description: "Update project properties such as name, icon, and commands.",
+        operationId: "project.update",
+        responses: {
+          200: {
+            description: "Updated project information",
+            content: {
+              "application/json": {
+                schema: resolver(Project.Info.zod),
+              },
+            },
+          },
+          ...errors(400, 404),
+        },
+      }),
+      validator("param", z.object({ projectID: ProjectID.zod })),
+      validator("json", Project.UpdateInput.omit({ projectID: true })),
+      async (c) =>
+        jsonRequest("ProjectRoutes.update", c, function* () {
+          const projectID = c.req.valid("param").projectID
+          const body = c.req.valid("json")
+          const svc = yield* Project.Service
+          return yield* svc.update({ ...body, projectID })
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/provider.ts

@@ -0,0 +1,158 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import z from "zod"
+import { Config } from "@/config/config"
+import { Provider } from "@/provider/provider"
+import { ModelsDev } from "@/provider/models"
+import { ProviderAuth } from "@/provider/auth"
+import { ProviderID } from "@/provider/schema"
+import { mapValues } from "remeda"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { Effect } from "effect"
+import { jsonRequest } from "./trace"
+
+export const ProviderRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/",
+      describeRoute({
+        summary: "List providers",
+        description: "Get a list of all available AI providers, including both available and connected ones.",
+        operationId: "provider.list",
+        responses: {
+          200: {
+            description: "List of providers",
+            content: {
+              "application/json": {
+                schema: resolver(Provider.ListResult.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ProviderRoutes.list", c, function* () {
+          const svc = yield* Provider.Service
+          const cfg = yield* Config.Service
+          const config = yield* cfg.get()
+          const all = yield* ModelsDev.Service.use((s) => s.get())
+          const disabled = new Set(config.disabled_providers ?? [])
+          const enabled = config.enabled_providers ? new Set(config.enabled_providers) : undefined
+          const filtered: Record<string, (typeof all)[string]> = {}
+          for (const [key, value] of Object.entries(all)) {
+            if ((enabled ? enabled.has(key) : true) && !disabled.has(key)) {
+              filtered[key] = value
+            }
+          }
+          const connected = yield* svc.list()
+          const providers = Object.assign(
+            mapValues(filtered, (x) => Provider.fromModelsDevProvider(x)),
+            connected,
+          )
+          return {
+            all: Object.values(providers),
+            default: Provider.defaultModelIDs(providers),
+            connected: Object.keys(connected),
+          }
+        }),
+    )
+    .get(
+      "/auth",
+      describeRoute({
+        summary: "Get provider auth methods",
+        description: "Retrieve available authentication methods for all AI providers.",
+        operationId: "provider.auth",
+        responses: {
+          200: {
+            description: "Provider auth methods",
+            content: {
+              "application/json": {
+                schema: resolver(ProviderAuth.Methods.zod),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("ProviderRoutes.auth", c, function* () {
+          const svc = yield* ProviderAuth.Service
+          return yield* svc.methods()
+        }),
+    )
+    .post(
+      "/:providerID/oauth/authorize",
+      describeRoute({
+        summary: "OAuth authorize",
+        description: "Initiate OAuth authorization for a specific AI provider to get an authorization URL.",
+        operationId: "provider.oauth.authorize",
+        responses: {
+          200: {
+            description: "Authorization URL and method",
+            content: {
+              "application/json": {
+                schema: resolver(ProviderAuth.Authorization.zod.optional()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          providerID: ProviderID.zod.meta({ description: "Provider ID" }),
+        }),
+      ),
+      validator("json", ProviderAuth.AuthorizeInput.zod),
+      async (c) =>
+        jsonRequest("ProviderRoutes.oauth.authorize", c, function* () {
+          const providerID = c.req.valid("param").providerID
+          const { method, inputs } = c.req.valid("json")
+          const svc = yield* ProviderAuth.Service
+          return yield* svc.authorize({
+            providerID,
+            method,
+            inputs,
+          })
+        }),
+    )
+    .post(
+      "/:providerID/oauth/callback",
+      describeRoute({
+        summary: "OAuth callback",
+        description: "Handle the OAuth callback from a provider after user authorization.",
+        operationId: "provider.oauth.callback",
+        responses: {
+          200: {
+            description: "OAuth callback processed successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          providerID: ProviderID.zod.meta({ description: "Provider ID" }),
+        }),
+      ),
+      validator("json", ProviderAuth.CallbackInput.zod),
+      async (c) =>
+        jsonRequest("ProviderRoutes.oauth.callback", c, function* () {
+          const providerID = c.req.valid("param").providerID
+          const { method, code } = c.req.valid("json")
+          const svc = yield* ProviderAuth.Service
+          yield* svc.callback({
+            providerID,
+            method,
+            code,
+          })
+          return true
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/pty.ts

@@ -0,0 +1,276 @@
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import type { UpgradeWebSocket } from "hono/ws"
+import { Effect, Schema } from "effect"
+import z from "zod"
+import { AppRuntime } from "@/effect/app-runtime"
+import { Pty } from "@/pty"
+import { PtyID } from "@/pty/schema"
+import { Shell } from "@/shell/shell"
+import { NotFoundError } from "@/storage/storage"
+import { errors } from "../../error"
+import { jsonRequest, runRequest } from "./trace"
+
+const ShellItem = z.object({
+  path: z.string(),
+  name: z.string(),
+  acceptable: z.boolean(),
+})
+const decodePtyID = Schema.decodeUnknownSync(PtyID)
+
+export function PtyRoutes(upgradeWebSocket: UpgradeWebSocket) {
+  return new Hono()
+    .get(
+      "/shells",
+      describeRoute({
+        summary: "List available shells",
+        description: "Get a list of available shells on the system.",
+        operationId: "pty.shells",
+        responses: {
+          200: {
+            description: "List of shells",
+            content: {
+              "application/json": {
+                schema: resolver(z.array(ShellItem)),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        return c.json(await Shell.list())
+      },
+    )
+    .get(
+      "/",
+      describeRoute({
+        summary: "List PTY sessions",
+        description: "Get a list of all active pseudo-terminal (PTY) sessions managed by OpenCode.",
+        operationId: "pty.list",
+        responses: {
+          200: {
+            description: "List of sessions",
+            content: {
+              "application/json": {
+                schema: resolver(Pty.Info.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("PtyRoutes.list", c, function* () {
+          const pty = yield* Pty.Service
+          return yield* pty.list()
+        }),
+    )
+    .post(
+      "/",
+      describeRoute({
+        summary: "Create PTY session",
+        description: "Create a new pseudo-terminal (PTY) session for running shell commands and processes.",
+        operationId: "pty.create",
+        responses: {
+          200: {
+            description: "Created session",
+            content: {
+              "application/json": {
+                schema: resolver(Pty.Info.zod),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", Pty.CreateInput.zod),
+      async (c) =>
+        jsonRequest("PtyRoutes.create", c, function* () {
+          const pty = yield* Pty.Service
+          return yield* pty.create(c.req.valid("json") as Pty.CreateInput)
+        }),
+    )
+    .get(
+      "/:ptyID",
+      describeRoute({
+        summary: "Get PTY session",
+        description: "Retrieve detailed information about a specific pseudo-terminal (PTY) session.",
+        operationId: "pty.get",
+        responses: {
+          200: {
+            description: "Session info",
+            content: {
+              "application/json": {
+                schema: resolver(Pty.Info.zod),
+              },
+            },
+          },
+          ...errors(404),
+        },
+      }),
+      validator("param", z.object({ ptyID: PtyID.zod })),
+      async (c) => {
+        const info = await runRequest(
+          "PtyRoutes.get",
+          c,
+          Effect.gen(function* () {
+            const pty = yield* Pty.Service
+            return yield* pty.get(c.req.valid("param").ptyID)
+          }),
+        )
+        if (!info) {
+          throw new NotFoundError({ message: "Session not found" })
+        }
+        return c.json(info)
+      },
+    )
+    .put(
+      "/:ptyID",
+      describeRoute({
+        summary: "Update PTY session",
+        description: "Update properties of an existing pseudo-terminal (PTY) session.",
+        operationId: "pty.update",
+        responses: {
+          200: {
+            description: "Updated session",
+            content: {
+              "application/json": {
+                schema: resolver(Pty.Info.zod),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("param", z.object({ ptyID: PtyID.zod })),
+      validator("json", Pty.UpdateInput.zod),
+      async (c) =>
+        jsonRequest("PtyRoutes.update", c, function* () {
+          const pty = yield* Pty.Service
+          return yield* pty.update(c.req.valid("param").ptyID, c.req.valid("json") as Pty.UpdateInput)
+        }),
+    )
+    .delete(
+      "/:ptyID",
+      describeRoute({
+        summary: "Remove PTY session",
+        description: "Remove and terminate a specific pseudo-terminal (PTY) session.",
+        operationId: "pty.remove",
+        responses: {
+          200: {
+            description: "Session removed",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(404),
+        },
+      }),
+      validator("param", z.object({ ptyID: PtyID.zod })),
+      async (c) =>
+        jsonRequest("PtyRoutes.remove", c, function* () {
+          const pty = yield* Pty.Service
+          yield* pty.remove(c.req.valid("param").ptyID)
+          return true
+        }),
+    )
+    .get(
+      "/:ptyID/connect",
+      describeRoute({
+        summary: "Connect to PTY session",
+        description: "Establish a WebSocket connection to interact with a pseudo-terminal (PTY) session in real-time.",
+        operationId: "pty.connect",
+        responses: {
+          200: {
+            description: "Connected session",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(404),
+        },
+      }),
+      validator("param", z.object({ ptyID: PtyID.zod })),
+      upgradeWebSocket(async (c) => {
+        type Handler = {
+          onMessage: (message: string | ArrayBuffer) => void
+          onClose: () => void
+        }
+
+        const id = decodePtyID(c.req.param("ptyID"))
+        const cursor = (() => {
+          const value = c.req.query("cursor")
+          if (!value) return
+          const parsed = Number(value)
+          if (!Number.isSafeInteger(parsed) || parsed < -1) return
+          return parsed
+        })()
+        let handler: Handler | undefined
+        if (
+          !(await runRequest(
+            "PtyRoutes.connect",
+            c,
+            Effect.gen(function* () {
+              const pty = yield* Pty.Service
+              return yield* pty.get(id)
+            }),
+          ))
+        ) {
+          throw new Error("Session not found")
+        }
+
+        type Socket = {
+          readyState: number
+          send: (data: string | Uint8Array | ArrayBuffer) => void
+          close: (code?: number, reason?: string) => void
+        }
+
+        const isSocket = (value: unknown): value is Socket => {
+          if (!value || typeof value !== "object") return false
+          if (!("readyState" in value)) return false
+          if (!("send" in value) || typeof (value as { send?: unknown }).send !== "function") return false
+          if (!("close" in value) || typeof (value as { close?: unknown }).close !== "function") return false
+          return typeof (value as { readyState?: unknown }).readyState === "number"
+        }
+
+        const pending: string[] = []
+        let ready = false
+
+        return {
+          async onOpen(_event, ws) {
+            const socket = ws.raw
+            if (!isSocket(socket)) {
+              ws.close()
+              return
+            }
+            handler = await AppRuntime.runPromise(
+              Effect.gen(function* () {
+                const pty = yield* Pty.Service
+                return yield* pty.connect(id, socket, cursor)
+              }).pipe(Effect.withSpan("PtyRoutes.connect.open")),
+            )
+            ready = true
+            for (const msg of pending) handler?.onMessage(msg)
+            pending.length = 0
+          },
+          onMessage(event) {
+            if (typeof event.data !== "string") return
+            if (!ready) {
+              pending.push(event.data)
+              return
+            }
+            handler?.onMessage(event.data)
+          },
+          onClose() {
+            handler?.onClose()
+          },
+          onError() {
+            handler?.onClose()
+          },
+        }
+      }),
+    )
+}

packages/opencode/src/server/routes/instance/question.ts

@@ -0,0 +1,111 @@
+import { Hono } from "hono"
+import { describeRoute, validator } from "hono-openapi"
+import { resolver } from "hono-openapi"
+import { QuestionID } from "@/question/schema"
+import { Question } from "@/question"
+import z from "zod"
+import { errors } from "../../error"
+import { lazy } from "@/util/lazy"
+import { jsonRequest } from "./trace"
+
+const Reply = z.object({
+  answers: Question.Answer.zod
+    .array()
+    .describe("User answers in order of questions (each answer is an array of selected labels)"),
+})
+
+export const QuestionRoutes = lazy(() =>
+  new Hono()
+    .get(
+      "/",
+      describeRoute({
+        summary: "List pending questions",
+        description: "Get all pending question requests across all sessions.",
+        operationId: "question.list",
+        responses: {
+          200: {
+            description: "List of pending questions",
+            content: {
+              "application/json": {
+                schema: resolver(Question.Request.zod.array()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) =>
+        jsonRequest("QuestionRoutes.list", c, function* () {
+          const svc = yield* Question.Service
+          return yield* svc.list()
+        }),
+    )
+    .post(
+      "/:requestID/reply",
+      describeRoute({
+        summary: "Reply to question request",
+        description: "Provide answers to a question request from the AI assistant.",
+        operationId: "question.reply",
+        responses: {
+          200: {
+            description: "Question answered successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400, 404),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          requestID: QuestionID.zod,
+        }),
+      ),
+      validator("json", Reply),
+      async (c) =>
+        jsonRequest("QuestionRoutes.reply", c, function* () {
+          const params = c.req.valid("param")
+          const json = c.req.valid("json")
+          const svc = yield* Question.Service
+          yield* svc.reply({
+            requestID: params.requestID,
+            answers: json.answers,
+          })
+          return true
+        }),
+    )
+    .post(
+      "/:requestID/reject",
+      describeRoute({
+        summary: "Reject question request",
+        description: "Reject a question request from the AI assistant.",
+        operationId: "question.reject",
+        responses: {
+          200: {
+            description: "Question rejected successfully",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+          ...errors(400, 404),
+        },
+      }),
+      validator(
+        "param",
+        z.object({
+          requestID: QuestionID.zod,
+        }),
+      ),
+      async (c) =>
+        jsonRequest("QuestionRoutes.reject", c, function* () {
+          const params = c.req.valid("param")
+          const svc = yield* Question.Service
+          yield* svc.reject(params.requestID)
+          return true
+        }),
+    ),
+)

packages/opencode/src/server/routes/instance/sync.ts

@@ -0,0 +1,152 @@
+import z from "zod"
+import { Hono } from "hono"
+import { describeRoute, validator, resolver } from "hono-openapi"
+import { SyncEvent } from "@/sync"
+import { Database } from "@/storage/db"
+import { asc } from "drizzle-orm"
+import { and } from "drizzle-orm"
+import { not } from "drizzle-orm"
+import { or } from "drizzle-orm"
+import { lte } from "drizzle-orm"
+import { eq } from "drizzle-orm"
+import { EventTable } from "@/sync/event.sql"
+import { lazy } from "@/util/lazy"
+import * as Log from "@opencode-ai/core/util/log"
+import { Workspace } from "@/control-plane/workspace"
+import { AppRuntime } from "@/effect/app-runtime"
+import { Instance } from "@/project/instance"
+import { errors } from "../../error"
+
+const ReplayEvent = z.object({
+  id: z.string(),
+  aggregateID: z.string(),
+  seq: z.number().int().min(0),
+  type: z.string(),
+  data: z.record(z.string(), z.unknown()),
+})
+
+const log = Log.create({ service: "server.sync" })
+
+export const SyncRoutes = lazy(() =>
+  new Hono()
+    .post(
+      "/start",
+      describeRoute({
+        summary: "Start workspace sync",
+        description: "Start sync loops for workspaces in the current project that have active sessions.",
+        operationId: "sync.start",
+        responses: {
+          200: {
+            description: "Workspace sync started",
+            content: {
+              "application/json": {
+                schema: resolver(z.boolean()),
+              },
+            },
+          },
+        },
+      }),
+      async (c) => {
+        void AppRuntime.runPromise(
+          Workspace.Service.use((workspace) => workspace.startWorkspaceSyncing(Instance.project.id)),
+        )
+        return c.json(true)
+      },
+    )
+    .post(
+      "/replay",
+      describeRoute({
+        summary: "Replay sync events",
+        description: "Validate and replay a complete sync event history.",
+        operationId: "sync.replay",
+        responses: {
+          200: {
+            description: "Replayed sync events",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z.object({
+                    sessionID: z.string(),
+                  }),
+                ),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator(
+        "json",
+        z.object({
+          directory: z.string(),
+          events: z.array(ReplayEvent).min(1),
+        }),
+      ),
+      async (c) => {
+        const body = c.req.valid("json")
+        const events = body.events
+        const source = events[0].aggregateID
+
+        log.info("sync replay requested", {
+          sessionID: source,
+          events: events.length,
+          first: events[0]?.seq,
+          last: events.at(-1)?.seq,
+          directory: body.directory,
+        })
+        await AppRuntime.runPromise(SyncEvent.use.replayAll(events))
+
+        log.info("sync replay complete", {
+          sessionID: source,
+          events: events.length,
+          first: events[0]?.seq,
+          last: events.at(-1)?.seq,
+        })
+
+        return c.json({
+          sessionID: source,
+        })
+      },
+    )
+    .post(
+      "/history",
+      describeRoute({
+        summary: "List sync events",
+        description:
+          "List sync events for all aggregates. Keys are aggregate IDs the client already knows about, values are the last known sequence ID. Events with seq > value are returned for those aggregates. Aggregates not listed in the input get their full history.",
+        operationId: "sync.history.list",
+        responses: {
+          200: {
+            description: "Sync events",
+            content: {
+              "application/json": {
+                schema: resolver(
+                  z.array(
+                    z.object({
+                      id: z.string(),
+                      aggregate_id: z.string(),
+                      seq: z.number(),
+                      type: z.string(),
+                      data: z.record(z.string(), z.unknown()),
+                    }),
+                  ),
+                ),
+              },
+            },
+          },
+          ...errors(400),
+        },
+      }),
+      validator("json", z.record(z.string(), z.number().int().min(0))),
+      async (c) => {
+        const body = c.req.valid("json")
+        const exclude = Object.entries(body)
+        const where =
+          exclude.length > 0
+            ? not(or(...exclude.map(([id, seq]) => and(eq(EventTable.aggregate_id, id), lte(EventTable.seq, seq))))!)
+            : undefined
+        const rows = Database.use((db) => db.select().from(EventTable).where(where).orderBy(asc(EventTable.seq)).all())
+        return c.json(rows)
+      },
+    ),
+)

packages/opencode/src/server/routes/instance/trace.ts

@@ -0,0 +1,59 @@
+import type { Context } from "hono"
+import { Effect } from "effect"
+import { AppRuntime } from "@/effect/app-runtime"
+
+type AppEnv = Parameters<typeof AppRuntime.runPromise>[0] extends Effect.Effect<any, any, infer R> ? R : never
+
+// Build the base span attributes for an HTTP handler: method, path, and every
+// matched route param. Names follow OTel attribute-naming guidance:
+// domain-first (`session.id`, `message.id`, …) so they match the existing
+// OTel `session.id` semantic convention and the bare `message.id` we
+// already emit from Tool.execute. Non-standard route params fall back to
+// `opencode.<name>` since those are internal implementation details
+// (per https://opentelemetry.io/blog/2025/how-to-name-your-span-attributes/).
+export interface RequestLike {
+  readonly req: {
+    readonly method: string
+    readonly url: string
+    param(): Record<string, string>
+  }
+}
+
+// Normalize a Hono route param key (e.g. `sessionID`, `messageID`, `name`)
+// to an OTel attribute key. `fooID` → `foo.id` for ID-shaped params; any
+// other param is namespaced under `opencode.` to avoid colliding with
+// standard conventions.
+export function paramToAttributeKey(key: string): string {
+  const m = key.match(/^(.+)ID$/)
+  if (m) return `${m[1].toLowerCase()}.id`
+  return `opencode.${key}`
+}
+
+export function requestAttributes(c: RequestLike): Record<string, string> {
+  const attributes: Record<string, string> = {
+    "http.method": c.req.method,
+    "http.path": new URL(c.req.url).pathname,
+  }
+  for (const [key, value] of Object.entries(c.req.param())) {
+    attributes[paramToAttributeKey(key)] = value
+  }
+  return attributes
+}
+
+export function runRequest<A, E>(name: string, c: Context, effect: Effect.Effect<A, E, AppEnv>) {
+  return AppRuntime.runPromise(effect.pipe(Effect.withSpan(name, { attributes: requestAttributes(c) })))
+}
+
+export async function jsonRequest<C extends Context, A, E>(
+  name: string,
+  c: C,
+  effect: (c: C) => Effect.gen.Return<A, E, AppEnv>,
+) {
+  return c.json(
+    await runRequest(
+      name,
+      c,
+      Effect.gen(() => effect(c)),
+    ),
+  )
+}