Apply PR #24229: fix: lazy session error schema

Adds a WWW-Authenticate challenge for unauthorized experimental HttpApi UI fallback responses so browsers open the Basic Auth prompt when a server password is configured.

.github/workflows/publish.yml

@@ -209,182 +209,6 @@ jobs:
             packages/opencode/dist/opencode-windows-x64
             packages/opencode/dist/opencode-windows-x64-baseline
 
-  build-tauri:
-    needs:
-      - build-cli
-      - version
-    continue-on-error: false
-    env:
-      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
-      AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-    strategy:
-      fail-fast: false
-      matrix:
-        settings:
-          - host: macos-latest
-            target: x86_64-apple-darwin
-          - host: macos-latest
-            target: aarch64-apple-darwin
-          # github-hosted: blacksmith lacks ARM64 MSVC cross-compilation toolchain
-          - host: windows-2025
-            target: aarch64-pc-windows-msvc
-          - host: blacksmith-4vcpu-windows-2025
-            target: x86_64-pc-windows-msvc
-          - host: blacksmith-4vcpu-ubuntu-2404
-            target: x86_64-unknown-linux-gnu
-          - host: blacksmith-8vcpu-ubuntu-2404-arm
-            target: aarch64-unknown-linux-gnu
-    runs-on: ${{ matrix.settings.host }}
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-tags: true
-
-      - uses: apple-actions/import-codesign-certs@v2
-        if: ${{ runner.os == 'macOS' }}
-        with:
-          keychain: build
-          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
-          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-
-      - name: Verify Certificate
-        if: ${{ runner.os == 'macOS' }}
-        run: |
-          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
-          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
-          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
-          echo "Certificate imported."
-
-      - name: Setup Apple API Key
-        if: ${{ runner.os == 'macOS' }}
-        run: |
-          echo "${{ secrets.APPLE_API_KEY_PATH }}" > $RUNNER_TEMP/apple-api-key.p8
-
-      - uses: ./.github/actions/setup-bun
-
-      - name: Azure login
-        if: runner.os == 'Windows'
-        uses: azure/login@v2
-        with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "24"
-
-      - name: Cache apt packages
-        if: contains(matrix.settings.host, 'ubuntu')
-        uses: actions/cache@v4
-        with:
-          path: ~/apt-cache
-          key: ${{ runner.os }}-${{ matrix.settings.target }}-apt-${{ hashFiles('.github/workflows/publish.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.settings.target }}-apt-
-
-      - name: install dependencies (ubuntu only)
-        if: contains(matrix.settings.host, 'ubuntu')
-        run: |
-          mkdir -p ~/apt-cache && chmod -R a+rw ~/apt-cache
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends -o dir::cache::archives="$HOME/apt-cache" libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
-          sudo chmod -R a+rw ~/apt-cache
-
-      - name: install Rust stable
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.settings.target }}
-
-      - uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: packages/desktop/src-tauri
-          shared-key: ${{ matrix.settings.target }}
-
-      - name: Prepare
-        run: |
-          cd packages/desktop
-          bun ./scripts/prepare.ts
-        env:
-          OPENCODE_VERSION: ${{ needs.version.outputs.version }}
-          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
-          OPENCODE_CLI_ARTIFACT: ${{ (runner.os == 'Windows' && 'opencode-cli-windows') || 'opencode-cli' }}
-          RUST_TARGET: ${{ matrix.settings.target }}
-          GH_TOKEN: ${{ github.token }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-
-      - name: Resolve tauri portable SHA
-        if: contains(matrix.settings.host, 'ubuntu')
-        run: echo "TAURI_PORTABLE_SHA=$(git ls-remote https://github.com/tauri-apps/tauri.git refs/heads/feat/truly-portable-appimage | cut -f1)" >> "$GITHUB_ENV"
-
-      # Fixes AppImage build issues, can be removed when https://github.com/tauri-apps/tauri/pull/12491 is released
-      - name: Install tauri-cli from portable appimage branch
-        uses: taiki-e/cache-cargo-install-action@v3
-        if: contains(matrix.settings.host, 'ubuntu')
-        with:
-          tool: tauri-cli
-          git: https://github.com/tauri-apps/tauri
-          # branch: feat/truly-portable-appimage
-          rev: ${{ env.TAURI_PORTABLE_SHA }}
-
-      - name: Show tauri-cli version
-        if: contains(matrix.settings.host, 'ubuntu')
-        run: cargo tauri --version
-
-      - name: Setup git committer
-        id: committer
-        uses: ./.github/actions/setup-git-committer
-        with:
-          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
-          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
-
-      - name: Build and upload artifacts
-        uses: tauri-apps/tauri-action@390cbe447412ced1303d35abe75287949e43437a
-        timeout-minutes: 60
-        with:
-          projectPath: packages/desktop
-          uploadWorkflowArtifacts: true
-          tauriScript: ${{ (contains(matrix.settings.host, 'ubuntu') && 'cargo tauri') || '' }}
-          args: --target ${{ matrix.settings.target }} --config ${{ (github.ref_name == 'beta' && './src-tauri/tauri.beta.conf.json') || './src-tauri/tauri.prod.conf.json' }} --verbose
-          updaterJsonPreferNsis: true
-          releaseId: ${{ needs.version.outputs.release }}
-          tagName: ${{ needs.version.outputs.tag }}
-          releaseDraft: true
-          releaseAssetNamePattern: opencode-desktop-[platform]-[arch][ext]
-          repo: ${{ (github.ref_name == 'beta' && 'opencode-beta') || '' }}
-          releaseCommitish: ${{ github.sha }}
-        env:
-          GITHUB_TOKEN: ${{ steps.committer.outputs.token }}
-          TAURI_BUNDLER_NEW_APPIMAGE_FORMAT: true
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
-          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
-          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
-          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
-          APPLE_API_KEY_PATH: ${{ runner.temp }}/apple-api-key.p8
-
-      - name: Verify signed Windows desktop artifacts
-        if: runner.os == 'Windows'
-        shell: pwsh
-        run: |
-          $files = @(
-            "${{ github.workspace }}\packages\desktop\src-tauri\sidecars\opencode-cli-${{ matrix.settings.target }}.exe"
-          )
-          $files += Get-ChildItem "${{ github.workspace }}\packages\desktop\src-tauri\target\${{ matrix.settings.target }}\release\bundle\nsis\*.exe" | Select-Object -ExpandProperty FullName
-
-          foreach ($file in $files) {
-            $sig = Get-AuthenticodeSignature $file
-            if ($sig.Status -ne "Valid") {
-              throw "Invalid signature for ${file}: $($sig.Status)"
-            }
-          }
-
   build-electron:
     needs:
       - build-cli
@@ -524,6 +348,30 @@ jobs:
         env:
           OPENCODE_CHANNEL: ${{ (github.ref_name == 'beta' && 'beta') || 'prod' }}
 
+      - name: Create and upload macOS .app.tar.gz
+        if: runner.os == 'macOS' && needs.version.outputs.release
+        working-directory: packages/desktop-electron/dist
+        env:
+          GH_TOKEN: ${{ steps.committer.outputs.token }}
+        run: |
+          if [[ "${{ matrix.settings.target }}" == "x86_64-apple-darwin" ]]; then
+            APP_DIR="mac"
+            OUT_NAME="opencode-desktop-mac-x64.app.tar.gz"
+          elif [[ "${{ matrix.settings.target }}" == "aarch64-apple-darwin" ]]; then
+            APP_DIR="mac-arm64"
+            OUT_NAME="opencode-desktop-mac-arm64.app.tar.gz"
+          else
+            echo "Unknown macOS target: ${{ matrix.settings.target }}"
+            exit 1
+          fi
+          APP_PATH=$(find "$APP_DIR" -maxdepth 1 -name "*.app" -type d | head -1)
+          if [ -z "$APP_PATH" ]; then
+            echo "No .app bundle found in $APP_DIR"
+            exit 1
+          fi
+          tar -czf "$OUT_NAME" -C "$(dirname "$APP_PATH")" "$(basename "$APP_PATH")"
+          gh release upload "v${{ needs.version.outputs.version }}" "$OUT_NAME" --clobber --repo "${{ needs.version.outputs.repo }}"
+
       - name: Verify signed Windows Electron artifacts
         if: runner.os == 'Windows'
         shell: pwsh
@@ -542,7 +390,7 @@ jobs:
 
       - uses: actions/upload-artifact@v4
         with:
-          name: opencode-electron-${{ matrix.settings.target }}
+          name: opencode-desktop-${{ matrix.settings.target }}
           path: packages/desktop-electron/dist/*
 
       - uses: actions/upload-artifact@v4
@@ -556,7 +404,6 @@ jobs:
       - version
       - build-cli
       - sign-cli-windows
-      - build-tauri
       - build-electron
     if: always() && !failure() && !cancelled()
     runs-on: blacksmith-4vcpu-ubuntu-2404
@@ -583,13 +430,6 @@ jobs:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
 
-      - name: Setup git committer
-        id: committer
-        uses: ./.github/actions/setup-git-committer
-        with:
-          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
-          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
-
       - uses: actions/download-artifact@v4
         with:
           name: opencode-cli
@@ -611,6 +451,13 @@ jobs:
           pattern: latest-yml-*
           path: /tmp/latest-yml
 
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
       - name: Cache apt packages (AUR)
         uses: actions/cache@v4
         with:
@@ -639,3 +486,5 @@ jobs:
           GH_REPO: ${{ needs.version.outputs.repo }}
           NPM_CONFIG_PROVENANCE: false
           LATEST_YML_DIR: /tmp/latest-yml
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}

.opencode/command/changelog.md

@@ -18,9 +18,12 @@ Do not use `git log` or author metadata when deciding attribution.
 
 Rules:
 
-- Write the final file with sections in this order:
+- Write the final file with release sections in this order:
   `## Core`, `## TUI`, `## Desktop`, `## SDK`, `## Extensions`
 - Only include sections that have at least one notable entry
+- Within each release section, keep bug fixes grouped under `### Bugfixes`
+- Keep other notable entries under `### Improvements` when a section has bug fixes too
+- Omit empty subsections
 - Keep one bullet per commit you keep
 - Skip commits that are entirely internal, CI, tests, refactors, or otherwise not user-facing
 - Start each bullet with a capital letter

packages/core/src/filesystem.ts

@@ -24,6 +24,7 @@ export namespace AppFileSystem {
     readonly isDir: (path: string) => Effect.Effect<boolean>
     readonly isFile: (path: string) => Effect.Effect<boolean>
     readonly existsSafe: (path: string) => Effect.Effect<boolean>
+    readonly readFileStringSafe: (path: string) => Effect.Effect<string | undefined, Error>
     readonly readJson: (path: string) => Effect.Effect<unknown, Error>
     readonly writeJson: (path: string, data: unknown, mode?: number) => Effect.Effect<void, Error>
     readonly ensureDir: (path: string) => Effect.Effect<void, Error>
@@ -47,6 +48,12 @@ export namespace AppFileSystem {
         return yield* fs.exists(path).pipe(Effect.orElseSucceed(() => false))
       })
 
+      const readFileStringSafe = Effect.fn("FileSystem.readFileStringSafe")(function* (path: string) {
+        return yield* fs
+          .readFileString(path)
+          .pipe(Effect.catchReason("PlatformError", "NotFound", () => Effect.succeed(undefined)))
+      })
+
       const isDir = Effect.fn("FileSystem.isDir")(function* (path: string) {
         const info = yield* fs.stat(path).pipe(Effect.catch(() => Effect.void))
         return info?.type === "Directory"
@@ -163,6 +170,7 @@ export namespace AppFileSystem {
       return Service.of({
         ...fs,
         existsSafe,
+        readFileStringSafe,
         isDir,
         isFile,
         readDirectoryEntries,

packages/core/test/filesystem/filesystem.test.ts

@@ -65,6 +65,34 @@ describe("AppFileSystem", () => {
     )
   })
 
+  describe("readFileStringSafe", () => {
+    it(
+      "returns file contents when file exists",
+      Effect.gen(function* () {
+        const fs = yield* AppFileSystem.Service
+        const filesys = yield* FileSystem.FileSystem
+        const tmp = yield* filesys.makeTempDirectoryScoped()
+        const file = path.join(tmp, "exists.txt")
+        yield* filesys.writeFileString(file, "hello")
+
+        const result = yield* fs.readFileStringSafe(file)
+        expect(result).toBe("hello")
+      }),
+    )
+
+    it(
+      "returns undefined for missing file (NotFound)",
+      Effect.gen(function* () {
+        const fs = yield* AppFileSystem.Service
+        const filesys = yield* FileSystem.FileSystem
+        const tmp = yield* filesys.makeTempDirectoryScoped()
+
+        const result = yield* fs.readFileStringSafe(path.join(tmp, "does-not-exist.txt"))
+        expect(result).toBeUndefined()
+      }),
+    )
+  })
+
   describe("readJson / writeJson", () => {
     it(
       "round-trips JSON data",

packages/desktop-electron/electron-builder.config.ts

@@ -27,7 +27,7 @@ const channel = (() => {
 })()
 
 const getBase = (): Configuration => ({
-  artifactName: "opencode-electron-${os}-${arch}.${ext}",
+  artifactName: "opencode-desktop-${os}-${arch}.${ext}",
   directories: {
     output: "dist",
     buildResources: "resources",

packages/desktop/scripts/finalize-latest-json.ts

@@ -1,7 +1,8 @@
 #!/usr/bin/env bun
 
-import { Buffer } from "node:buffer"
 import { $ } from "bun"
+import path from "node:path"
+import { parseArgs } from "node:util"
 
 const { values } = parseArgs({
   args: Bun.argv.slice(2),
@@ -12,8 +13,6 @@ const { values } = parseArgs({
 
 const dryRun = values["dry-run"]
 
-import { parseArgs } from "node:util"
-
 const repo = process.env.GH_REPO
 if (!repo) throw new Error("GH_REPO is required")
 
@@ -23,20 +22,22 @@ if (!releaseId) throw new Error("OPENCODE_RELEASE is required")
 const version = process.env.OPENCODE_VERSION
 if (!version) throw new Error("OPENCODE_VERSION is required")
 
+const dir = process.env.LATEST_YML_DIR
+if (!dir) throw new Error("LATEST_YML_DIR is required")
+const root = dir
+
 const token = process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN
 if (!token) throw new Error("GH_TOKEN or GITHUB_TOKEN is required")
 
-const apiHeaders = {
-  Authorization: `token ${token}`,
-  Accept: "application/vnd.github+json",
-}
-
-const releaseRes = await fetch(`https://api.github.com/repos/${repo}/releases/${releaseId}`, {
-  headers: apiHeaders,
+const rel = await fetch(`https://api.github.com/repos/${repo}/releases/${releaseId}`, {
+  headers: {
+    Authorization: `token ${token}`,
+    Accept: "application/vnd.github+json",
+  },
 })
 
-if (!releaseRes.ok) {
-  throw new Error(`Failed to fetch release: ${releaseRes.status} ${releaseRes.statusText}`)
+if (!rel.ok) {
+  throw new Error(`Failed to fetch release: ${rel.status} ${rel.statusText}`)
 }
 
 type Asset = {
@@ -45,115 +46,169 @@ type Asset = {
 }
 
 type Release = {
-  tag_name?: string
   assets?: Asset[]
 }
 
-const release = (await releaseRes.json()) as Release
-const assets = release.assets ?? []
-const assetByName = new Map(assets.map((asset) => [asset.name, asset]))
+const assets = ((await rel.json()) as Release).assets ?? []
+const amap = new Map(assets.map((item) => [item.name, item]))
 
-const latestAsset = assetByName.get("latest.json")
-if (!latestAsset) {
-  console.log("latest.json not found, skipping tauri finalization")
-  process.exit(0)
+type Item = {
+  url: string
 }
 
-const latestRes = await fetch(latestAsset.url, {
-  headers: {
-    Authorization: `token ${token}`,
-    Accept: "application/octet-stream",
-  },
-})
-
-if (!latestRes.ok) {
-  throw new Error(`Failed to fetch latest.json: ${latestRes.status} ${latestRes.statusText}`)
+type Yml = {
+  version: string
+  files: Item[]
 }
 
-const latestText = new TextDecoder().decode(await latestRes.arrayBuffer())
-const latest = JSON.parse(latestText)
-const base = { ...latest }
-delete base.platforms
+function parse(text: string): Yml {
+  const lines = text.split("\n")
+  let version = ""
+  const files: Item[] = []
+  let url = ""
 
-const fetchSignature = async (asset: Asset) => {
-  const res = await fetch(asset.url, {
+  const flush = () => {
+    if (!url) return
+    files.push({ url })
+    url = ""
+  }
+
+  for (const line of lines) {
+    const trim = line.trim()
+    if (line.startsWith("version:")) {
+      version = line.slice("version:".length).trim()
+      continue
+    }
+    if (trim.startsWith("- url:")) {
+      flush()
+      url = trim.slice("- url:".length).trim()
+      continue
+    }
+    const indented = line.startsWith("  ") || line.startsWith("\t")
+    if (!indented) flush()
+  }
+  flush()
+
+  return { version, files }
+}
+
+async function read(sub: string, file: string) {
+  const item = Bun.file(path.join(root, sub, file))
+  if (!(await item.exists())) return undefined
+  return parse(await item.text())
+}
+
+function pick(list: Item[], exts: string[]) {
+  for (const ext of exts) {
+    const found = list.find((item) => item.url.split("?")[0]?.toLowerCase().endsWith(ext))
+    if (found) return found.url
+  }
+}
+
+function link(raw: string) {
+  if (raw.startsWith("https://") || raw.startsWith("http://")) return raw
+  return `https://github.com/${repo}/releases/download/v${version}/${raw}`
+}
+
+async function sign(url: string, key: string) {
+  const name = decodeURIComponent(new URL(url).pathname.split("/").pop() ?? key)
+  const asset = amap.get(name)
+  const res = await fetch(asset?.url ?? url, {
     headers: {
       Authorization: `token ${token}`,
-      Accept: "application/octet-stream",
+      ...(asset ? { Accept: "application/octet-stream" } : {}),
     },
   })
-
   if (!res.ok) {
-    throw new Error(`Failed to fetch signature: ${res.status} ${res.statusText}`)
+    throw new Error(`Failed to fetch file ${name}: ${res.status} ${res.statusText} (${asset?.url ?? url})`)
   }
 
-  return Buffer.from(await res.arrayBuffer()).toString()
+  const tmp = process.env.RUNNER_TEMP ?? "/tmp"
+  const file = path.join(tmp, name)
+  await Bun.write(file, await res.arrayBuffer())
+  await $`bunx @tauri-apps/cli signer sign ${file}`
+  const sigFile = Bun.file(`${file}.sig`)
+  if (!(await sigFile.exists())) throw new Error(`Signature file not found for ${name}`)
+  return (await sigFile.text()).trim()
 }
 
-const entries: Record<string, { url: string; signature: string }> = {}
-const add = (key: string, asset: Asset, signature: string) => {
-  if (entries[key]) return
-  entries[key] = {
-    url: `https://github.com/${repo}/releases/download/v${version}/${asset.name}`,
-    signature,
-  }
+const add = async (data: Record<string, { url: string; signature: string }>, key: string, raw: string | undefined) => {
+  if (!raw) return
+  if (data[key]) return
+  const url = link(raw)
+  data[key] = { url, signature: await sign(url, key) }
 }
 
-const targets = [
-  { key: "linux-x86_64-deb", asset: "opencode-desktop-linux-amd64.deb" },
-  { key: "linux-x86_64-rpm", asset: "opencode-desktop-linux-x86_64.rpm" },
-  { key: "linux-aarch64-deb", asset: "opencode-desktop-linux-arm64.deb" },
-  { key: "linux-aarch64-rpm", asset: "opencode-desktop-linux-aarch64.rpm" },
-  { key: "windows-aarch64-nsis", asset: "opencode-desktop-windows-arm64.exe" },
-  { key: "windows-x86_64-nsis", asset: "opencode-desktop-windows-x64.exe" },
-  { key: "darwin-x86_64-app", asset: "opencode-desktop-darwin-x64.app.tar.gz" },
-  {
-    key: "darwin-aarch64-app",
-    asset: "opencode-desktop-darwin-aarch64.app.tar.gz",
-  },
-]
-
-for (const target of targets) {
-  const asset = assetByName.get(target.asset)
-  if (!asset) continue
-
-  const sig = assetByName.get(`${target.asset}.sig`)
-  if (!sig) continue
-
-  const signature = await fetchSignature(sig)
-  add(target.key, asset, signature)
+const alias = (data: Record<string, { url: string; signature: string }>, key: string, src: string) => {
+  if (data[key]) return
+  if (!data[src]) return
+  data[key] = data[src]
 }
 
-const alias = (key: string, source: string) => {
-  if (entries[key]) return
-  const entry = entries[source]
-  if (!entry) return
-  entries[key] = entry
-}
+const winx = await read("latest-yml-x86_64-pc-windows-msvc", "latest.yml")
+const wina = await read("latest-yml-aarch64-pc-windows-msvc", "latest.yml")
+const macx = await read("latest-yml-x86_64-apple-darwin", "latest-mac.yml")
+const maca = await read("latest-yml-aarch64-apple-darwin", "latest-mac.yml")
+const linx = await read("latest-yml-x86_64-unknown-linux-gnu", "latest-linux.yml")
+const lina = await read("latest-yml-aarch64-unknown-linux-gnu", "latest-linux-arm64.yml")
 
-alias("linux-x86_64", "linux-x86_64-deb")
-alias("linux-aarch64", "linux-aarch64-deb")
-alias("windows-aarch64", "windows-aarch64-nsis")
-alias("windows-x86_64", "windows-x86_64-nsis")
-alias("darwin-x86_64", "darwin-x86_64-app")
-alias("darwin-aarch64", "darwin-aarch64-app")
+const yver = winx?.version ?? wina?.version ?? macx?.version ?? maca?.version ?? linx?.version ?? lina?.version
+if (yver && yver !== version) throw new Error(`latest.yml version mismatch: expected ${version}, got ${yver}`)
+
+const out: Record<string, { url: string; signature: string }> = {}
+
+const winxexe = pick(winx?.files ?? [], [".exe"])
+const winaexe = pick(wina?.files ?? [], [".exe"])
+
+const macxTarGz = "opencode-desktop-mac-x64.app.tar.gz"
+const macaTarGz = "opencode-desktop-mac-arm64.app.tar.gz"
+
+const linxDeb = pick(linx?.files ?? [], [".deb"])
+const linxRpm = pick(linx?.files ?? [], [".rpm"])
+const linxAppImage = pick(linx?.files ?? [], [".appimage"])
+const linaDeb = pick(lina?.files ?? [], [".deb"])
+const linaRpm = pick(lina?.files ?? [], [".rpm"])
+const linaAppImage = pick(lina?.files ?? [], [".appimage"])
+
+await add(out, "windows-x86_64-nsis", winxexe)
+await add(out, "windows-aarch64-nsis", winaexe)
+await add(out, "darwin-x86_64-app", macxTarGz)
+await add(out, "darwin-aarch64-app", macaTarGz)
+
+await add(out, "linux-x86_64-deb", linxDeb)
+await add(out, "linux-x86_64-rpm", linxRpm)
+await add(out, "linux-x86_64-appimage", linxAppImage)
+await add(out, "linux-aarch64-deb", linaDeb)
+await add(out, "linux-aarch64-rpm", linaRpm)
+await add(out, "linux-aarch64-appimage", linaAppImage)
+
+alias(out, "windows-x86_64", "windows-x86_64-nsis")
+alias(out, "windows-aarch64", "windows-aarch64-nsis")
+alias(out, "darwin-x86_64", "darwin-x86_64-app")
+alias(out, "darwin-aarch64", "darwin-aarch64-app")
+alias(out, "linux-x86_64", "linux-x86_64-deb")
+alias(out, "linux-aarch64", "linux-aarch64-deb")
 
 const platforms = Object.fromEntries(
-  Object.keys(entries)
+  Object.keys(out)
     .sort()
-    .map((key) => [key, entries[key]]),
+    .map((key) => [key, out[key]]),
 )
-const output = {
-  ...base,
+
+if (!Object.keys(platforms).length) throw new Error("No updater files found in latest.yml artifacts")
+
+const data = {
+  version,
+  notes: "",
+  pub_date: new Date().toISOString(),
   platforms,
 }
 
-const dir = process.env.RUNNER_TEMP ?? "/tmp"
-const file = `${dir}/latest.json`
-await Bun.write(file, JSON.stringify(output, null, 2))
+const tmp = process.env.RUNNER_TEMP ?? "/tmp"
+const file = path.join(tmp, "latest.json")
+await Bun.write(file, JSON.stringify(data, null, 2))
 
-const tag = release.tag_name
-if (!tag) throw new Error("Release tag not found")
+const tag = `v${version}`
 
 if (dryRun) {
   console.log(`dry-run: wrote latest.json for ${tag} to ${file}`)

packages/opencode/src/agent/agent.ts

@@ -97,6 +97,7 @@ export const layer = Layer.effect(
           question: "deny",
           plan_enter: "deny",
           plan_exit: "deny",
+          edit: "ask",
           // mirrors github.com/github/gitignore Node.gitignore pattern for .env files
           read: {
             "*": "allow",

packages/opencode/src/cli/cmd/acp.ts

@@ -4,9 +4,9 @@ import { effectCmd } from "../effect-cmd"
 import { AgentSideConnection, ndJsonStream } from "@agentclientprotocol/sdk"
 import { ACP } from "@/acp/agent"
 import { Server } from "@/server/server"
+import { ServerAuth } from "@/server/auth"
 import { createOpencodeClient } from "@opencode-ai/sdk/v2"
 import { withNetworkOptions, resolveNetworkOptions } from "../network"
-import { Flag } from "@opencode-ai/core/flag/flag"
 
 const log = Log.create({ service: "acp-command" })
 
@@ -27,13 +27,7 @@ export const AcpCommand = effectCmd({
 
     const sdk = createOpencodeClient({
       baseUrl: `http://${server.hostname}:${server.port}`,
-      headers: Flag.OPENCODE_SERVER_PASSWORD
-        ? {
-            Authorization: `Basic ${Buffer.from(
-              `${Flag.OPENCODE_SERVER_USERNAME ?? "opencode"}:${Flag.OPENCODE_SERVER_PASSWORD}`,
-            ).toString("base64")}`,
-          }
-        : undefined,
+      headers: ServerAuth.headers(),
     })
 
     const input = new WritableStream<Uint8Array>({

packages/opencode/src/cli/cmd/run.ts

@@ -5,6 +5,7 @@ import { Effect } from "effect"
 import { UI } from "../ui"
 import { effectCmd } from "../effect-cmd"
 import { Flag } from "@opencode-ai/core/flag/flag"
+import { ServerAuth } from "@/server/auth"
 import { EOL } from "os"
 import { Filesystem } from "@/util/filesystem"
 import { createOpencodeClient, type OpencodeClient, type ToolPart } from "@opencode-ai/sdk/v2"
@@ -656,13 +657,7 @@ export const RunCommand = effectCmd({
       }
 
       if (args.attach) {
-        const headers = (() => {
-          const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
-          if (!password) return undefined
-          const username = process.env.OPENCODE_SERVER_USERNAME ?? "opencode"
-          const auth = `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
-          return { Authorization: auth }
-        })()
+        const headers = ServerAuth.headers({ password: args.password })
         const sdk = createOpencodeClient({ baseUrl: args.attach, directory, headers })
         return await execute(sdk)
       }

packages/opencode/src/cli/cmd/tui/app.tsx

@@ -779,6 +779,15 @@ function App(props: { onSnapshot?: () => Promise<string[]> }) {
         dialog.clear()
       },
     },
+    {
+      title: kv.get("clear_prompt_save_history", false) ? "Don't include cleared prompts in history" : "Include cleared prompts in history",
+      value: "app.toggle.clear_prompt_history",
+      category: "System",
+      onSelect: (dialog) => {
+        kv.set("clear_prompt_save_history", !kv.get("clear_prompt_save_history", false))
+        dialog.clear()
+      },
+    },
   ])
 
   event.on(TuiEvent.CommandExecute.type, (evt) => {

packages/opencode/src/cli/cmd/tui/attach.ts

@@ -5,6 +5,7 @@ import { win32DisableProcessedInput, win32InstallCtrlCGuard } from "./win32"
 import { TuiConfig } from "@/cli/cmd/tui/config/tui"
 import { errorMessage } from "@/util/error"
 import { validateSession } from "./validate-session"
+import { ServerAuth } from "@/server/auth"
 
 export const AttachCommand = cmd({
   command: "attach <url>",
@@ -38,6 +39,11 @@ export const AttachCommand = cmd({
         alias: ["p"],
         type: "string",
         describe: "basic auth password (defaults to OPENCODE_SERVER_PASSWORD)",
+      })
+      .option("username", {
+        alias: ["u"],
+        type: "string",
+        describe: "basic auth username (defaults to OPENCODE_SERVER_USERNAME or 'opencode')",
       }),
   handler: async (args) => {
     const unguard = win32InstallCtrlCGuard()
@@ -60,12 +66,7 @@ export const AttachCommand = cmd({
           return args.dir
         }
       })()
-      const headers = (() => {
-        const password = args.password ?? process.env.OPENCODE_SERVER_PASSWORD
-        if (!password) return undefined
-        const auth = `Basic ${Buffer.from(`opencode:${password}`).toString("base64")}`
-        return { Authorization: auth }
-      })()
+      const headers = ServerAuth.headers({ password: args.password, username: args.username })
       const config = await TuiConfig.get()
 
       try {

packages/opencode/src/cli/cmd/tui/component/prompt/history.tsx

@@ -82,6 +82,7 @@ export const { use: usePromptHistory, provider: PromptHistoryProvider } = create
         return store.history.at(store.index)
       },
       append(item: PromptInfo) {
+        if (store.history.at(-1)?.input === item.input) return
         const entry = structuredClone(unwrap(item))
         let trimmed = false
         setStore(

packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx

@@ -173,6 +173,7 @@ export function Prompt(props: PromptProps) {
   const [editorContextHover, setEditorContextHover] = createSignal(false)
   let lastSubmittedEditorSelectionKey: string | undefined
   const [auto, setAuto] = createSignal<AutocompleteRef>()
+  const [autoaccept, setAutoaccept] = kv.signal<"none" | "edit">("permission_auto_accept", "edit")
   const currentProviderLabel = createMemo(() => local.model.parsed().provider)
   const hasRightContent = createMemo(() => Boolean(props.right))
 
@@ -296,6 +297,17 @@ export function Prompt(props: PromptProps) {
 
   command.register(() => {
     return [
+      {
+        title: autoaccept() === "none" ? "Enable autoedit" : "Disable autoedit",
+        value: "permission.auto_accept.toggle",
+        search: "toggle permissions",
+        keybind: "permission_auto_accept_toggle",
+        category: "Agent",
+        onSelect: (dialog) => {
+          setAutoaccept(() => (autoaccept() === "none" ? "edit" : "none"))
+          dialog.clear()
+        },
+      },
       {
         title: "Clear prompt",
         value: "prompt.clear",
@@ -1124,6 +1136,12 @@ export function Prompt(props: PromptProps) {
                   // If no image, let the default paste behavior continue
                 }
                 if (keybind.match("input_clear", e) && store.prompt.input !== "") {
+                  if (kv.get("clear_prompt_save_history", false)) {
+                    history.append({
+                      ...store.prompt,
+                      mode: store.mode,
+                    })
+                  }
                   input.clear()
                   input.extmarks.clear()
                   setStore("prompt", {
@@ -1318,6 +1336,11 @@ export function Prompt(props: PromptProps) {
               </box>
               <Show when={hasRightContent()}>
                 <box flexDirection="row" gap={1} alignItems="center">
+                  <Show when={autoaccept() === "edit"}>
+                    <text>
+                      <span style={{ fg: theme.warning }}>autoedit</span>
+                    </text>
+                  </Show>
                   {props.right}
                 </box>
               </Show>

packages/opencode/src/cli/cmd/tui/config/tui.ts

@@ -68,29 +68,73 @@ function normalize(raw: Record<string, unknown>) {
   }
 }
 
-async function resolvePlugins(config: Info, configFilepath: string) {
-  if (!config.plugin) return config
-  for (let i = 0; i < config.plugin.length; i++) {
-    config.plugin[i] = await ConfigPlugin.resolvePluginSpec(config.plugin[i], configFilepath)
-  }
-  return config
-}
-
-async function mergeFile(acc: Acc, file: string, ctx: { directory: string }) {
-  const data = await loadFile(file)
-  acc.result = mergeDeep(acc.result, data)
-  if (!data.plugin?.length) return
-
-  const scope = pluginScope(file, ctx)
-  const plugins = ConfigPlugin.deduplicatePluginOrigins([
-    ...(acc.result.plugin_origins ?? []),
-    ...data.plugin.map((spec) => ({ spec, scope, source: file })),
-  ])
-  acc.result.plugin = plugins.map((item) => item.spec)
-  acc.result.plugin_origins = plugins
-}
-
 const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory: string }) {
+  const afs = yield* AppFileSystem.Service
+
+  const resolvePlugins = (config: Info, configFilepath: string): Effect.Effect<Info> =>
+    Effect.gen(function* () {
+      const plugins = config.plugin
+      if (!plugins) return config
+      for (let i = 0; i < plugins.length; i++) {
+        plugins[i] = yield* Effect.promise(() => ConfigPlugin.resolvePluginSpec(plugins[i], configFilepath))
+      }
+      return config
+    })
+
+  const load = (text: string, configFilepath: string): Effect.Effect<Info> =>
+    Effect.gen(function* () {
+      const expanded = yield* Effect.promise(() =>
+        ConfigVariable.substitute({ text, type: "path", path: configFilepath, missing: "empty" }),
+      )
+      const data = ConfigParse.jsonc(expanded, configFilepath)
+      if (!isRecord(data)) return {} as Info
+      // Flatten a nested "tui" key so users who wrote `{ "tui": { ... } }` inside tui.json
+      // (mirroring the old opencode.json shape) still get their settings applied.
+      const validated = ConfigParse.schema(Info, normalize(data), configFilepath)
+      return yield* resolvePlugins(validated, configFilepath)
+    }).pipe(
+      // catchCause (not tapErrorCause + orElseSucceed) because ConfigParse.jsonc/.schema
+      // can sync-throw — those become defects, which orElseSucceed wouldn't catch.
+      Effect.catchCause((cause) =>
+        Effect.sync(() => {
+          log.warn("invalid tui config", { path: configFilepath, cause })
+          return {} as Info
+        }),
+      ),
+    )
+
+  const loadFile = (filepath: string): Effect.Effect<Info> =>
+    Effect.gen(function* () {
+      // Silent-swallow non-NotFound read errors (perms, EISDIR, IO) → log + skip.
+      // Matches how parse/schema/plugin failures in load() are handled — every
+      // broken-config path degrades gracefully rather than crashing TUI startup.
+      const text = yield* afs.readFileStringSafe(filepath).pipe(
+        Effect.catchCause((cause) =>
+          Effect.sync(() => {
+            log.warn("failed to read tui config", { path: filepath, cause })
+            return undefined
+          }),
+        ),
+      )
+      if (!text) return {} as Info
+      return yield* load(text, filepath)
+    })
+
+  const mergeFile = (acc: Acc, file: string) =>
+    Effect.gen(function* () {
+      const data = yield* loadFile(file)
+      acc.result = mergeDeep(acc.result, data)
+      if (!data.plugin?.length) return
+
+      const scope = pluginScope(file, ctx)
+      const plugins = ConfigPlugin.deduplicatePluginOrigins([
+        ...(acc.result.plugin_origins ?? []),
+        ...data.plugin.map((spec) => ({ spec, scope, source: file })),
+      ])
+      acc.result.plugin = plugins.map((item) => item.spec)
+      acc.result.plugin_origins = plugins
+    })
+
   // Every config dir we may read from: global config dir, any `.opencode`
   // folders between cwd and home, and OPENCODE_CONFIG_DIR.
   const directories = yield* ConfigPaths.directories(ctx.directory)
@@ -104,19 +148,19 @@ const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory:
 
   // 1. Global tui config (lowest precedence).
   for (const file of ConfigPaths.fileInDirectory(Global.Path.config, "tui")) {
-    yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
+    yield* mergeFile(acc, file)
   }
 
   // 2. Explicit OPENCODE_TUI_CONFIG override, if set.
   if (Flag.OPENCODE_TUI_CONFIG) {
     const configFile = Flag.OPENCODE_TUI_CONFIG
-    yield* Effect.promise(() => mergeFile(acc, configFile, ctx)).pipe(Effect.orDie)
+    yield* mergeFile(acc, configFile)
     log.debug("loaded custom tui config", { path: configFile })
   }
 
   // 3. Project tui files, applied root-first so the closest file wins.
   for (const file of projectFiles) {
-    yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
+    yield* mergeFile(acc, file)
   }
 
   // 4. `.opencode` directories (and OPENCODE_CONFIG_DIR) discovered while
@@ -127,7 +171,7 @@ const loadState = Effect.fn("TuiConfig.loadState")(function* (ctx: { directory:
   for (const dir of dirs) {
     if (!dir.endsWith(".opencode") && dir !== Flag.OPENCODE_CONFIG_DIR) continue
     for (const file of ConfigPaths.fileInDirectory(dir, "tui")) {
-      yield* Effect.promise(() => mergeFile(acc, file, ctx)).pipe(Effect.orDie)
+      yield* mergeFile(acc, file)
     }
   }
 
@@ -193,28 +237,3 @@ export async function get() {
   return runPromise((svc) => svc.get())
 }
 
-async function loadFile(filepath: string): Promise<Info> {
-  const text = await ConfigPaths.readFile(filepath)
-  if (!text) return {}
-  return load(text, filepath).catch((error) => {
-    log.warn("failed to load tui config", { path: filepath, error })
-    return {}
-  })
-}
-
-async function load(text: string, configFilepath: string): Promise<Info> {
-  return ConfigVariable.substitute({ text, type: "path", path: configFilepath, missing: "empty" })
-    .then((expanded) => ConfigParse.jsonc(expanded, configFilepath))
-    .then((data) => {
-      if (!isRecord(data)) return {}
-
-      // Flatten a nested "tui" key so users who wrote `{ "tui": { ... } }` inside tui.json
-      // (mirroring the old opencode.json shape) still get their settings applied.
-      return ConfigParse.schema(Info, normalize(data), configFilepath)
-    })
-    .then((data) => resolvePlugins(data, configFilepath))
-    .catch((error) => {
-      log.warn("invalid tui config", { path: configFilepath, error })
-      return {}
-    })
-}

packages/opencode/src/cli/cmd/tui/context/sync.tsx

@@ -110,6 +110,7 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
     const project = useProject()
     const sdk = useSDK()
     const kv = useKV()
+    const [autoaccept] = kv.signal<"none" | "edit">("permission_auto_accept", "edit")
 
     const fullSyncedSessions = new Set<string>()
     let syncedWorkspace = project.workspace.current()
@@ -152,6 +153,13 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
 
         case "permission.asked": {
           const request = event.properties
+          if (autoaccept() === "edit" && request.permission === "edit") {
+            sdk.client.permission.reply({
+              reply: "once",
+              requestID: request.id,
+            })
+            break
+          }
           const requests = store.permission[request.sessionID]
           if (!requests) {
             setStore("permission", request.sessionID, [request])

packages/opencode/src/cli/cmd/tui/thread.ts

@@ -8,6 +8,7 @@ import { UI } from "@/cli/ui"
 import * as Log from "@opencode-ai/core/util/log"
 import { errorMessage } from "@/util/error"
 import { withTimeout } from "@/util/timeout"
+import { WithInstance } from "@/project/with-instance"
 import { withNetworkOptions, resolveNetworkOptionsNoConfig } from "@/cli/network"
 import { Filesystem } from "@/util/filesystem"
 import type { GlobalEvent } from "@opencode-ai/sdk/v2"
@@ -190,7 +191,11 @@ export const TuiThreadCommand = cmd({
       const prompt = await input(args.prompt)
       const config = await TuiConfig.get()
 
-      const network = resolveNetworkOptionsNoConfig(args)
+      const network = await WithInstance.provide({
+        directory: cwd,
+        fn: () => resolveNetworkOptionsNoConfig(args),
+      })
+
       const external =
         process.argv.includes("--port") ||
         process.argv.includes("--hostname") ||

packages/opencode/src/cli/cmd/tui/ui/dialog-select.tsx

@@ -37,6 +37,7 @@ export interface DialogSelectOption<T = any> {
   title: string
   value: T
   description?: string
+  search?: string
   footer?: JSX.Element | string
   category?: string
   categoryView?: JSX.Element
@@ -93,8 +94,8 @@ export function DialogSelect<T>(props: DialogSelectProps<T>) {
     // users typically search by the item name, and not its category.
     const result = fuzzysort
       .go(needle, options, {
-        keys: ["title", "category"],
-        scoreFn: (r) => r[0].score * 2 + r[1].score,
+        keys: ["title", "category", "search"],
+        scoreFn: (r) => r[0].score * 2 + r[1].score + r[2].score,
       })
       .map((x) => x.obj)
 

packages/opencode/src/cli/cmd/tui/worker.ts

@@ -7,7 +7,7 @@ import { Rpc } from "@/util/rpc"
 import { upgrade } from "@/cli/upgrade"
 import { Config } from "@/config/config"
 import { GlobalBus } from "@/bus/global"
-import { Flag } from "@opencode-ai/core/flag/flag"
+import { ServerAuth } from "@/server/auth"
 import { writeHeapSnapshot } from "node:v8"
 import { Heap } from "@/cli/heap"
 import { AppRuntime } from "@/effect/app-runtime"
@@ -50,7 +50,7 @@ let server: Awaited<ReturnType<typeof Server.listen>> | undefined
 export const rpc = {
   async fetch(input: { url: string; method: string; headers: Record<string, string>; body?: string }) {
     const headers = { ...input.headers }
-    const auth = getAuthorizationHeader()
+    const auth = ServerAuth.header()
     if (auth && !headers["authorization"] && !headers["Authorization"]) {
       headers["Authorization"] = auth
     }
@@ -102,10 +102,3 @@ export const rpc = {
 }
 
 Rpc.listen(rpc)
-
-function getAuthorizationHeader(): string | undefined {
-  const password = Flag.OPENCODE_SERVER_PASSWORD
-  if (!password) return undefined
-  const username = Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
-  return `Basic ${btoa(`${username}:${password}`)}`
-}

packages/opencode/src/config/config.ts

@@ -355,15 +355,7 @@ export const layer = Layer.effect(
     const env = yield* Env.Service
     const npmSvc = yield* Npm.Service
 
-    const readConfigFile = Effect.fnUntraced(function* (filepath: string) {
-      return yield* fs.readFileString(filepath).pipe(
-        Effect.catchIf(
-          (e) => e.reason._tag === "NotFound",
-          () => Effect.succeed(undefined),
-        ),
-        Effect.orDie,
-      )
-    })
+    const readConfigFile = (filepath: string) => fs.readFileStringSafe(filepath).pipe(Effect.orDie)
 
     const loadConfig = Effect.fnUntraced(function* (
       text: string,

packages/opencode/src/config/paths.ts

@@ -1,11 +1,9 @@
 export * as ConfigPaths from "./paths"
 
 import path from "path"
-import { Filesystem } from "@/util/filesystem"
 import { Flag } from "@opencode-ai/core/flag/flag"
 import { Global } from "@opencode-ai/core/global"
 import { unique } from "remeda"
-import { JsonError } from "./error"
 import * as Effect from "effect/Effect"
 import { AppFileSystem } from "@opencode-ai/core/filesystem"
 
@@ -45,11 +43,3 @@ export const directories = Effect.fn("ConfigPaths.directories")(function* (direc
 export function fileInDirectory(dir: string, name: string) {
   return [path.join(dir, `${name}.json`), path.join(dir, `${name}.jsonc`)]
 }
-
-/** Read a config file, returning undefined for missing files and throwing JsonError for other failures. */
-export async function readFile(filepath: string) {
-  return Filesystem.readText(filepath).catch((err: NodeJS.ErrnoException) => {
-    if (err.code === "ENOENT") return
-    throw new JsonError({ path: filepath }, { cause: err })
-  })
-}

packages/opencode/src/effect/app-runtime.ts

@@ -47,19 +47,37 @@ import { Workspace } from "@/control-plane/workspace"
 import { Worktree } from "@/worktree"
 import { Pty } from "@/pty"
 import { Installation } from "@/installation"
+import * as Effect from "effect/Effect"
 import { ShareNext } from "@/share/share-next"
 import { SessionShare } from "@/share/session"
 import { SyncEvent } from "@/sync"
 import { Npm } from "@opencode-ai/core/npm"
 import { memoMap } from "@opencode-ai/core/effect/memo-map"
 
+// Adjusts the default Config layer to ensure that plugins are always initialised before
+// any other layers read the current config
+const ConfigWithPluginPriority = Layer.effect(
+  Config.Service,
+  Effect.gen(function* () {
+    const config = yield* Config.Service
+    const plugin = yield* Plugin.Service
+
+    return {
+      ...config,
+      get: () => Effect.andThen(plugin.init(), config.get),
+      getGlobal: () => Effect.andThen(plugin.init(), config.getGlobal),
+      getConsoleState: () => Effect.andThen(plugin.init(), config.getConsoleState),
+    }
+  }),
+).pipe(Layer.provide(Layer.merge(Plugin.defaultLayer, Config.defaultLayer)))
+
 export const AppLayer = Layer.mergeAll(
   Npm.defaultLayer,
   AppFileSystem.defaultLayer,
   Bus.defaultLayer,
   Auth.defaultLayer,
   Account.defaultLayer,
-  Config.defaultLayer,
+  ConfigWithPluginPriority,
   Git.defaultLayer,
   Ripgrep.defaultLayer,
   File.defaultLayer,

packages/opencode/src/plugin/index.ts

@@ -10,6 +10,7 @@ import { Bus } from "../bus"
 import * as Log from "@opencode-ai/core/util/log"
 import { createOpencodeClient } from "@opencode-ai/sdk"
 import { Flag } from "@opencode-ai/core/flag/flag"
+import { ServerAuth } from "@/server/auth"
 import { CodexAuthPlugin } from "./codex"
 import { Session } from "@/session/session"
 import { NamedError } from "@opencode-ai/core/util/error"
@@ -124,11 +125,7 @@ export const layer = Layer.effect(
         const client = createOpencodeClient({
           baseUrl: "http://localhost:4096",
           directory: ctx.directory,
-          headers: Flag.OPENCODE_SERVER_PASSWORD
-            ? {
-                Authorization: `Basic ${Buffer.from(`${Flag.OPENCODE_SERVER_USERNAME ?? "opencode"}:${Flag.OPENCODE_SERVER_PASSWORD}`).toString("base64")}`,
-              }
-            : undefined,
+          headers: ServerAuth.headers(),
           fetch: async (...args) => Server.Default().app.fetch(...args),
         })
         const cfg = yield* config.get()

packages/opencode/src/project/bootstrap.ts

@@ -1,4 +1,3 @@
-import { Plugin } from "../plugin"
 import { Format } from "../format"
 import { LSP } from "@/lsp/lsp"
 import { File } from "../file"
@@ -6,6 +5,7 @@ import { Snapshot } from "../snapshot"
 import * as Project from "./project"
 import * as Vcs from "./vcs"
 import { Bus } from "../bus"
+import { Plugin } from "../plugin"
 import { InstanceState } from "@/effect/instance-state"
 import { FileWatcher } from "@/file/watcher"
 import { ShareNext } from "@/share/share-next"
@@ -27,7 +27,6 @@ export const layer = Layer.effect(
     const fileWatcher = yield* FileWatcher.Service
     const format = yield* Format.Service
     const lsp = yield* LSP.Service
-    const plugin = yield* Plugin.Service
     const project = yield* Project.Service
     const shareNext = yield* ShareNext.Service
     const snapshot = yield* Snapshot.Service
@@ -36,10 +35,9 @@ export const layer = Layer.effect(
     const run = Effect.gen(function* () {
       const ctx = yield* InstanceState.context
       yield* Effect.logInfo("bootstrapping", { directory: ctx.directory })
-      // everything depends on config so eager load it for nice traces
+      // everything depends on config so eager load it for nice traces.
+      // Config can initialise plugins through its layer override.
       yield* config.get()
-      // Plugin can mutate config so it has to be initialized before anything else.
-      yield* plugin.init()
       // Each service self-manages its own slow work via Effect.forkScoped against
       // its per-instance state scope. We just await materialization here.
       yield* Effect.forEach(

packages/opencode/src/server/auth.ts

@@ -0,0 +1,48 @@
+export * as ServerAuth from "./auth"
+
+import { ConfigService } from "@/effect/config-service"
+import { Flag } from "@opencode-ai/core/flag/flag"
+import { Config as EffectConfig, Context, Option, Redacted } from "effect"
+
+export type Credentials = {
+  password?: string
+  username?: string
+}
+
+export type DecodedCredentials = {
+  readonly username: string
+  readonly password: Redacted.Redacted
+}
+
+export class Config extends ConfigService.Service<Config>()("@opencode/ServerAuthConfig", {
+  password: EffectConfig.string("OPENCODE_SERVER_PASSWORD").pipe(EffectConfig.option),
+  username: EffectConfig.string("OPENCODE_SERVER_USERNAME").pipe(EffectConfig.withDefault("opencode")),
+}) {}
+
+export type Info = Context.Service.Shape<typeof Config>
+
+export function required(config: Info) {
+  return Option.isSome(config.password) && config.password.value !== ""
+}
+
+export function authorized(credentials: DecodedCredentials, config: Info) {
+  return (
+    Option.isSome(config.password) &&
+    credentials.username === config.username &&
+    Redacted.value(credentials.password) === config.password.value
+  )
+}
+
+export function header(credentials?: Credentials) {
+  const password = credentials?.password ?? Flag.OPENCODE_SERVER_PASSWORD
+  if (!password) return undefined
+
+  const username = credentials?.username ?? Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
+  return `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
+}
+
+export function headers(credentials?: Credentials) {
+  const authorization = header(credentials)
+  if (!authorization) return undefined
+  return { Authorization: authorization }
+}

packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts

@@ -1,10 +1,11 @@
-import { ConfigService } from "@/effect/config-service"
-import { Config, Context, Effect, Encoding, Layer, Option, Redacted } from "effect"
+import { ServerAuth } from "@/server/auth"
+import { Effect, Encoding, Layer, Redacted } from "effect"
 import { HttpRouter, HttpServerRequest, HttpServerResponse } from "effect/unstable/http"
 import { HttpApiError, HttpApiMiddleware, HttpApiSecurity } from "effect/unstable/httpapi"
 
 const AUTH_TOKEN_QUERY = "auth_token"
 const UNAUTHORIZED = 401
+const WWW_AUTHENTICATE = 'Basic realm="Secure Area"'
 
 export class Authorization extends HttpApiMiddleware.Service<Authorization>()(
   "@opencode/ExperimentalHttpApiAuthorization",
@@ -17,41 +18,18 @@ export class Authorization extends HttpApiMiddleware.Service<Authorization>()(
   },
 ) {}
 
-export class ServerAuthConfig extends ConfigService.Service<ServerAuthConfig>()(
-  "@opencode/ExperimentalHttpApiServerAuthConfig",
-  {
-    password: Config.string("OPENCODE_SERVER_PASSWORD").pipe(Config.option),
-    username: Config.string("OPENCODE_SERVER_USERNAME").pipe(Config.withDefault("opencode")),
-  },
-) {}
-
 function validateCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: { readonly username: string; readonly password: Redacted.Redacted },
-  config: Context.Service.Shape<typeof ServerAuthConfig>,
+  credential: ServerAuth.DecodedCredentials,
+  config: ServerAuth.Info,
 ) {
   return Effect.gen(function* () {
-    if (!isAuthRequired(config)) return yield* effect
-    if (!isCredentialAuthorized(credential, config)) return yield* new HttpApiError.Unauthorized({})
+    if (!ServerAuth.required(config)) return yield* effect
+    if (!ServerAuth.authorized(credential, config)) return yield* new HttpApiError.Unauthorized({})
     return yield* effect
   })
 }
 
-function isAuthRequired(config: Context.Service.Shape<typeof ServerAuthConfig>) {
-  return Option.isSome(config.password) && config.password.value !== ""
-}
-
-function isCredentialAuthorized(
-  credential: { readonly username: string; readonly password: Redacted.Redacted },
-  config: Context.Service.Shape<typeof ServerAuthConfig>,
-) {
-  return (
-    Option.isSome(config.password) &&
-    credential.username === config.username &&
-    Redacted.value(credential.password) === config.password.value
-  )
-}
-
 function decodeCredential(input: string) {
   const emptyCredential = {
     username: "",
@@ -77,19 +55,24 @@ function decodeCredential(input: string) {
 
 function validateRawCredential<A, E, R>(
   effect: Effect.Effect<A, E, R>,
-  credential: { readonly username: string; readonly password: Redacted.Redacted },
-  config: Context.Service.Shape<typeof ServerAuthConfig>,
+  credential: ServerAuth.DecodedCredentials,
+  config: ServerAuth.Info,
 ) {
-  if (!isAuthRequired(config)) return effect
-  if (!isCredentialAuthorized(credential, config))
-    return Effect.succeed(HttpServerResponse.empty({ status: UNAUTHORIZED }))
+  if (!ServerAuth.required(config)) return effect
+  if (!ServerAuth.authorized(credential, config))
+    return Effect.succeed(
+      HttpServerResponse.empty({
+        status: UNAUTHORIZED,
+        headers: { "www-authenticate": WWW_AUTHENTICATE },
+      }),
+    )
   return effect
 }
 
 export const authorizationRouterMiddleware = HttpRouter.middleware()(
   Effect.gen(function* () {
-    const config = yield* ServerAuthConfig
-    if (!isAuthRequired(config)) return (effect) => effect
+    const config = yield* ServerAuth.Config
+    if (!ServerAuth.required(config)) return (effect) => effect
 
     return (effect) =>
       Effect.gen(function* () {
@@ -116,7 +99,7 @@ export const authorizationRouterMiddleware = HttpRouter.middleware()(
 export const authorizationLayer = Layer.effect(
   Authorization,
   Effect.gen(function* () {
-    const config = yield* ServerAuthConfig
+    const config = yield* ServerAuth.Config
     return Authorization.of({
       basic: (effect, { credential }) => validateCredential(effect, credential, config),
       authToken: (effect, { credential }) =>

packages/opencode/src/server/routes/instance/httpapi/server.ts

@@ -46,8 +46,9 @@ import { Worktree } from "@/worktree"
 import { Workspace } from "@/control-plane/workspace"
 import { isAllowedCorsOrigin, type CorsOptions } from "@/server/cors"
 import { serveUIEffect } from "@/server/shared/ui"
+import { ServerAuth } from "@/server/auth"
 import { InstanceHttpApi, RootHttpApi } from "./api"
-import { ServerAuthConfig, authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
+import { authorizationLayer, authorizationRouterMiddleware } from "./middleware/authorization"
 import { EventApi, eventHandlers } from "./event"
 import { configHandlers } from "./handlers/config"
 import { controlHandlers } from "./handlers/control"
@@ -97,7 +98,7 @@ const rootApiRoutes = HttpApiBuilder.layer(RootHttpApi).pipe(Layer.provide([cont
 const instanceRouterLayer = authorizationRouterMiddleware
   .combine(instanceRouterMiddleware)
   .combine(workspaceRouterMiddleware)
-  .layer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal), Layer.provide(ServerAuthConfig.defaultLayer))
+  .layer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal), Layer.provide(ServerAuth.Config.defaultLayer))
 const eventApiRoutes = HttpApiBuilder.layer(EventApi).pipe(
   Layer.provide(eventHandlers),
   Layer.provide(instanceRouterLayer),
@@ -125,7 +126,7 @@ const instanceApiRoutes = HttpApiBuilder.layer(InstanceHttpApi).pipe(
 const rawInstanceRoutes = Layer.mergeAll(ptyConnectRoute).pipe(Layer.provide(instanceRouterLayer))
 const instanceRoutes = Layer.mergeAll(rawInstanceRoutes, instanceApiRoutes).pipe(
   Layer.provide([
-    authorizationLayer.pipe(Layer.provide(ServerAuthConfig.defaultLayer)),
+    authorizationLayer.pipe(Layer.provide(ServerAuth.Config.defaultLayer)),
     workspaceRoutingLayer.pipe(Layer.provide(Socket.layerWebSocketConstructorGlobal)),
     instanceContextLayer,
   ]),
@@ -137,7 +138,7 @@ const uiRoute = HttpRouter.use((router) =>
     const client = yield* HttpClient.HttpClient
     yield* router.add("*", "/*", (request) => serveUIEffect(request, { fs, client }))
   }),
-).pipe(Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuthConfig.defaultLayer))))
+).pipe(Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuth.Config.defaultLayer))))
 
 export function createRoutes(corsOptions?: CorsOptions) {
   return Layer.mergeAll(rootApiRoutes, eventApiRoutes, instanceRoutes, uiRoute).pipe(

packages/opencode/src/session/session.ts

@@ -339,7 +339,8 @@ export const Event = {
       sessionID: Schema.optional(SessionID),
       // Reuses MessageV2.Assistant.fields.error (already Schema.optional) so
       // the derived zod keeps the same discriminated-union shape on the bus.
-      error: MessageV2.Assistant.fields.error,
+      // Schema.suspend defers access to break circular init in compiled binaries.
+      error: Schema.suspend(() => MessageV2.Assistant.fields.error),
     }),
   ),
 }

packages/opencode/src/util/effect-zod.ts

@@ -256,6 +256,8 @@ function body(ast: SchemaAST.AST): z.ZodTypeAny {
       return array(ast)
     case "Declaration":
       return decl(ast)
+    case "Suspend":
+      return z.lazy(() => walk(ast.thunk()))
     default:
       return fail(ast)
   }

packages/opencode/src/util/error.ts

@@ -7,7 +7,19 @@ export function errorFormat(error: unknown): string {
 
   if (typeof error === "object" && error !== null) {
     try {
-      return JSON.stringify(error, null, 2)
+      const json = JSON.stringify(error, null, 2)
+      // Plain objects whose own properties are all non-enumerable (or empty)
+      // serialize to "{}", which prints as a useless bare `{}` on stderr.
+      // Fall back to a custom toString first, then to ctor name + own prop names.
+      if (json === "{}") {
+        const str = String(error)
+        if (str && str !== "[object Object]") return str
+        const ctor = error.constructor?.name
+        const prefix = ctor && ctor !== "Object" ? ctor : "Error"
+        const names = Object.getOwnPropertyNames(error)
+        return names.length === 0 ? `${prefix} (no message)` : `${prefix} { ${names.join(", ")} }`
+      }
+      return json
     } catch {
       return "Unexpected error (unserializable)"
     }
@@ -34,7 +46,7 @@ export function errorMessage(error: unknown): string {
   if (text && text !== "[object Object]") return text
 
   const formatted = errorFormat(error)
-  if (formatted && formatted !== "{}") return formatted
+  if (formatted) return formatted
   return "unknown error"
 }
 
@@ -45,7 +57,7 @@ export function errorData(error: unknown) {
       message: errorMessage(error),
       stack: error.stack,
       cause: error.cause === undefined ? undefined : errorFormat(error.cause),
-      formatted: errorFormatted(error),
+      formatted: errorFormat(error),
     }
   }
 
@@ -53,7 +65,7 @@ export function errorData(error: unknown) {
     return {
       type: typeof error,
       message: errorMessage(error),
-      formatted: errorFormatted(error),
+      formatted: errorFormat(error),
     }
   }
 
@@ -71,12 +83,6 @@ export function errorData(error: unknown) {
 
   if (typeof data.message !== "string") data.message = errorMessage(error)
   if (typeof data.type !== "string") data.type = error.constructor?.name
-  data.formatted = errorFormatted(error)
+  data.formatted = errorFormat(error)
   return data
 }
-
-function errorFormatted(error: unknown) {
-  const formatted = errorFormat(error)
-  if (formatted !== "{}") return formatted
-  return String(error)
-}

packages/opencode/test/agent/agent.test.ts

@@ -229,8 +229,8 @@ test("agent permission config merges with defaults", async () => {
       expect(build).toBeDefined()
       // Specific pattern is denied
       expect(Permission.evaluate("bash", "rm -rf *", build!.permission).action).toBe("deny")
-      // Edit still allowed
-      expect(evalPerm(build, "edit")).toBe("allow")
+      // Edit still asks (default behavior)
+      expect(evalPerm(build, "edit")).toBe("ask")
     },
   })
 })

packages/opencode/test/config/tui.test.ts

@@ -627,3 +627,43 @@ test("merges plugin_enabled flags across config layers", async () => {
     "local.plugin": true,
   })
 })
+
+test("silently skips malformed tui.json — load failures degrade to {}", async () => {
+  await using tmp = await tmpdir({
+    init: async (dir) => {
+      await Bun.write(path.join(dir, "tui.json"), '{ "theme": "broken",')
+      await Bun.write(path.join(dir, ".opencode", "tui.json"), JSON.stringify({ theme: "fallback" }))
+    },
+  })
+
+  const config = await getTuiConfig(tmp.path)
+  // Project tui.json is malformed → silently skipped (logs a warning)
+  // .opencode/tui.json (lower precedence in this path) still loads
+  expect(config.theme).toBe("fallback")
+})
+
+test("silently skips non-ENOENT read failures (e.g. tui.json is a directory) — fallback layer still loads", async () => {
+  await using tmp = await tmpdir({
+    init: async (dir) => {
+      // tui.json exists as a DIRECTORY rather than a file → readFileString fails
+      // with EISDIR (PlatformError reason ≠ NotFound). The fix in this PR routes
+      // that through catchCause → log + skip, so a fallback layer should still load.
+      await fs.mkdir(path.join(dir, "tui.json"), { recursive: true })
+      await Bun.write(path.join(dir, ".opencode", "tui.json"), JSON.stringify({ theme: "fallback" }))
+    },
+  })
+
+  const config = await getTuiConfig(tmp.path)
+  // Did NOT crash; .opencode/tui.json (lower precedence) still loads.
+  expect(config.theme).toBe("fallback")
+})
+
+test("missing tui.json — silently treated as empty (ENOENT path)", async () => {
+  await using tmp = await tmpdir({})
+
+  // No tui.json anywhere. Should not throw.
+  const config = await getTuiConfig(tmp.path)
+  expect(config).toBeDefined()
+  // No theme set anywhere.
+  expect(config.theme).toBeUndefined()
+})

packages/opencode/test/server/auth.test.ts

@@ -0,0 +1,59 @@
+import { afterEach, describe, expect, test } from "bun:test"
+import { Option, Redacted } from "effect"
+import { Flag } from "@opencode-ai/core/flag/flag"
+import { ServerAuth } from "../../src/server/auth"
+
+const original = {
+  OPENCODE_SERVER_PASSWORD: Flag.OPENCODE_SERVER_PASSWORD,
+  OPENCODE_SERVER_USERNAME: Flag.OPENCODE_SERVER_USERNAME,
+}
+
+afterEach(() => {
+  Flag.OPENCODE_SERVER_PASSWORD = original.OPENCODE_SERVER_PASSWORD
+  Flag.OPENCODE_SERVER_USERNAME = original.OPENCODE_SERVER_USERNAME
+})
+
+describe("ServerAuth", () => {
+  test("does not emit auth headers without a password", () => {
+    Flag.OPENCODE_SERVER_PASSWORD = undefined
+    Flag.OPENCODE_SERVER_USERNAME = "alice"
+
+    expect(ServerAuth.header()).toBeUndefined()
+    expect(ServerAuth.headers()).toBeUndefined()
+  })
+
+  test("defaults to the opencode username", () => {
+    Flag.OPENCODE_SERVER_PASSWORD = "secret"
+    Flag.OPENCODE_SERVER_USERNAME = undefined
+
+    expect(ServerAuth.headers()).toEqual({
+      Authorization: `Basic ${Buffer.from("opencode:secret").toString("base64")}`,
+    })
+  })
+
+  test("uses the configured username", () => {
+    Flag.OPENCODE_SERVER_PASSWORD = "secret"
+    Flag.OPENCODE_SERVER_USERNAME = "alice"
+
+    expect(ServerAuth.headers()).toEqual({
+      Authorization: `Basic ${Buffer.from("alice:secret").toString("base64")}`,
+    })
+  })
+
+  test("prefers explicit credentials", () => {
+    Flag.OPENCODE_SERVER_PASSWORD = "secret"
+    Flag.OPENCODE_SERVER_USERNAME = "alice"
+
+    expect(ServerAuth.headers({ password: "cli-secret", username: "bob" })).toEqual({
+      Authorization: `Basic ${Buffer.from("bob:cli-secret").toString("base64")}`,
+    })
+  })
+
+  test("validates decoded credentials against effect config", () => {
+    const config = { password: Option.some("secret"), username: "alice" }
+
+    expect(ServerAuth.required(config)).toBe(true)
+    expect(ServerAuth.authorized({ username: "alice", password: Redacted.make("secret") }, config)).toBe(true)
+    expect(ServerAuth.authorized({ username: "opencode", password: Redacted.make("secret") }, config)).toBe(false)
+  })
+})

packages/opencode/test/server/httpapi-authorization.test.ts

@@ -3,11 +3,8 @@ import { describe, expect } from "bun:test"
 import { Effect, Layer, Option, Schema } from "effect"
 import { HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
 import { HttpApi, HttpApiBuilder, HttpApiEndpoint, HttpApiGroup } from "effect/unstable/httpapi"
-import {
-  Authorization,
-  ServerAuthConfig,
-  authorizationLayer,
-} from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import { ServerAuth } from "../../src/server/auth"
+import { Authorization, authorizationLayer } from "../../src/server/routes/instance/httpapi/middleware/authorization"
 import { testEffect } from "../lib/effect"
 
 const Api = HttpApi.make("test-authorization").add(
@@ -27,9 +24,9 @@ const apiLayer = HttpRouter.serve(
   { disableListenLog: true, disableLogger: true },
 ).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
 
-const noAuthLayer = ServerAuthConfig.layer({ password: Option.none(), username: "opencode" })
-const secretLayer = ServerAuthConfig.layer({ password: Option.some("secret"), username: "opencode" })
-const kitSecretLayer = ServerAuthConfig.layer({ password: Option.some("secret"), username: "kit" })
+const noAuthLayer = ServerAuth.Config.layer({ password: Option.none(), username: "opencode" })
+const secretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "opencode" })
+const kitSecretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "kit" })
 
 const it = testEffect(apiLayer.pipe(Layer.provide(noAuthLayer)))
 const itSecret = testEffect(apiLayer.pipe(Layer.provide(secretLayer)))

packages/opencode/test/server/httpapi-ui.test.ts

@@ -12,10 +12,8 @@ import {
   HttpServerResponse,
 } from "effect/unstable/http"
 import { AppFileSystem } from "@opencode-ai/core/filesystem"
-import {
-  ServerAuthConfig,
-  authorizationRouterMiddleware,
-} from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import { ServerAuth } from "../../src/server/auth"
+import { authorizationRouterMiddleware } from "../../src/server/routes/instance/httpapi/middleware/authorization"
 import { ExperimentalHttpApiServer } from "../../src/server/routes/instance/httpapi/server"
 import { serveUIEffect } from "../../src/server/shared/ui"
 import { Server } from "../../src/server/server"
@@ -81,7 +79,7 @@ function uiApp(input?: { password?: string; username?: string; client?: Layer.La
         yield* router.add("*", "/*", (request) => serveUIEffect(request, { fs, client }))
       }),
     ).pipe(
-      Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuthConfig.defaultLayer))),
+      Layer.provide(authorizationRouterMiddleware.layer.pipe(Layer.provide(ServerAuth.Config.defaultLayer))),
       Layer.provide([
         AppFileSystem.defaultLayer,
         input?.client ?? httpClient(new Response("ui")),
@@ -201,6 +199,7 @@ describe("HttpApi UI fallback", () => {
     const response = await uiApp({ password: "secret", username: "opencode" }).request("/")
 
     expect(response.status).toBe(401)
+    expect(response.headers.get("www-authenticate")).toBe('Basic realm="Secure Area"')
   })
 
   test("accepts auth token for the web UI", async () => {

packages/opencode/test/util/error.test.ts

@@ -22,6 +22,19 @@ describe("util.error", () => {
     expect(data.code).toBe("E_BAD")
   })
 
+  test("never returns bare {} for opaque object errors", () => {
+    // Plain empty object — what the SDK threw before we wrapped it.
+    expect(errorFormat({})).not.toBe("{}")
+    expect(errorFormat({})).toContain("no message")
+
+    // Object with only non-enumerable own properties (JSON.stringify drops them).
+    class OpaqueError {}
+    const opaque = new OpaqueError()
+    Object.defineProperty(opaque, "secret", { value: "hidden", enumerable: false })
+    expect(errorFormat(opaque)).not.toBe("{}")
+    expect(errorFormat(opaque)).toContain("OpaqueError")
+  })
+
   test("handles opaque throwables with custom toString", () => {
     const err = {
       toString() {

packages/sdk/js/src/v2/client.ts

@@ -84,5 +84,24 @@ export function createOpencodeClient(config?: Config & { directory?: string; exp
 
     return response
   })
+  // The generated client falls back to throwing a literal `{}` when the server
+  // responds with an empty / unparseable error body, which surfaces as a bare
+  // `{}` in TUI / CLI error output. Wrap ONLY that case in a real Error so
+  // downstream formatters get a useful message — but pass through any parsed
+  // JSON error body unchanged so existing consumers can still inspect fields.
+  client.interceptors.error.use((error, response, request) => {
+    const isEmpty =
+      error === undefined ||
+      error === null ||
+      error === "" ||
+      (typeof error === "object" && !(error instanceof Error) && Object.keys(error).length === 0)
+    if (!isEmpty) return error
+    const method = request?.method ?? "?"
+    const url = request?.url ?? "?"
+    if (!response) return new Error(`opencode server ${method} ${url}: network error (no response)`)
+    const status = response.status
+    const statusText = response.statusText ? " " + response.statusText : ""
+    return new Error(`opencode server ${method} ${url} → ${status}${statusText}: (empty response body)`)
+  })
   return new OpencodeClient({ client })
 }

packages/ui/src/components/file-ssr.tsx

@@ -1,4 +1,4 @@
-import { DIFFS_TAG_NAME, FileDiff, VirtualizedFileDiff } from "@pierre/diffs"
+import { DIFFS_TAG_NAME, FileDiff } from "@pierre/diffs"
 import { type PreloadFileDiffResult, type PreloadMultiFileDiffResult } from "@pierre/diffs/ssr"
 import { createEffect, onCleanup, onMount, Show, splitProps } from "solid-js"
 import { Dynamic, isServer } from "solid-js/web"
@@ -13,7 +13,6 @@ import {
   notifyShadowReady,
   observeViewerScheme,
 } from "../pierre/file-runtime"
-import { acquireVirtualizer, virtualMetrics } from "../pierre/virtualizer"
 import { File, type DiffFileProps, type FileProps } from "./file"
 
 type DiffPreload<T> = PreloadMultiFileDiffResult<T> | PreloadFileDiffResult<T>
@@ -26,7 +25,6 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
   let container!: HTMLDivElement
   let fileDiffRef!: HTMLElement
   let fileDiffInstance: FileDiff<T> | undefined
-  let sharedVirtualizer: NonNullable<ReturnType<typeof acquireVirtualizer>> | undefined
 
   const ready = createReadyWatcher()
   const workerPool = useWorkerPool(props.diffStyle)
@@ -51,14 +49,6 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
 
   const getRoot = () => fileDiffRef?.shadowRoot ?? undefined
 
-  const getVirtualizer = () => {
-    if (sharedVirtualizer) return sharedVirtualizer.virtualizer
-    const result = acquireVirtualizer(container)
-    if (!result) return
-    sharedVirtualizer = result
-    return result.virtualizer
-  }
-
   const setSelectedLines = (range: DiffFileProps<T>["selectedLines"], attempt = 0) => {
     const diff = fileDiffInstance
     if (!diff) return
@@ -92,27 +82,15 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
 
     onCleanup(observeViewerScheme(() => fileDiffRef))
 
-    const virtualizer = getVirtualizer()
     const annotations = local.annotations ?? local.preloadedDiff.annotations ?? []
-    fileDiffInstance = virtualizer
-      ? new VirtualizedFileDiff<T>(
-          {
-            ...createDefaultOptions(props.diffStyle),
-            ...others,
-            ...local.preloadedDiff.options,
-          },
-          virtualizer,
-          virtualMetrics,
-          workerPool,
-        )
-      : new FileDiff<T>(
-          {
-            ...createDefaultOptions(props.diffStyle),
-            ...others,
-            ...local.preloadedDiff.options,
-          },
-          workerPool,
-        )
+    fileDiffInstance = new FileDiff<T>(
+      {
+        ...createDefaultOptions(props.diffStyle),
+        ...others,
+        ...(local.preloadedDiff.options ?? {}),
+      },
+      workerPool,
+    )
 
     applyViewerScheme(fileDiffRef)
 
@@ -163,8 +141,6 @@ function DiffSSRViewer<T>(props: SSRDiffFileProps<T>) {
   onCleanup(() => {
     clearReadyWatcher(ready)
     fileDiffInstance?.cleanUp()
-    sharedVirtualizer?.release()
-    sharedVirtualizer = undefined
   })
 
   return (

packages/ui/src/components/file.tsx

@@ -1,6 +1,5 @@
 import { sampledChecksum } from "@opencode-ai/core/util/encode"
 import {
-  DEFAULT_VIRTUAL_FILE_METRICS,
   type DiffLineAnnotation,
   type FileContents,
   type FileDiffMetadata,
@@ -10,10 +9,6 @@ import {
   type FileOptions,
   type LineAnnotation,
   type SelectedLineRange,
-  type VirtualFileMetrics,
-  VirtualizedFile,
-  VirtualizedFileDiff,
-  Virtualizer,
 } from "@pierre/diffs"
 import { type PreloadFileDiffResult, type PreloadMultiFileDiffResult } from "@pierre/diffs/ssr"
 import { createMediaQuery } from "@solid-primitives/media"
@@ -40,19 +35,10 @@ import {
   readShadowLineSelection,
 } from "../pierre/file-selection"
 import { createLineNumberSelectionBridge, restoreShadowTextSelection } from "../pierre/selection-bridge"
-import { acquireVirtualizer, virtualMetrics } from "../pierre/virtualizer"
 import { getWorkerPool } from "../pierre/worker"
 import { FileMedia, type FileMediaOptions } from "./file-media"
 import { FileSearchBar } from "./file-search"
 
-const VIRTUALIZE_BYTES = 500_000
-
-const codeMetrics = {
-  ...DEFAULT_VIRTUAL_FILE_METRICS,
-  lineHeight: 24,
-  fileGap: 0,
-} satisfies Partial<VirtualFileMetrics>
-
 type SharedProps<T> = {
   annotations?: LineAnnotation<T>[] | DiffLineAnnotation<T>[]
   selectedLines?: SelectedLineRange | null
@@ -386,11 +372,6 @@ type AnnotationTarget<A> = {
   rerender: () => void
 }
 
-type VirtualStrategy = {
-  get: () => Virtualizer | undefined
-  cleanup: () => void
-}
-
 function useModeViewer(config: ModeConfig, adapter: ModeAdapter) {
   return useFileViewer({
     enableLineSelection: config.enableLineSelection,
@@ -532,64 +513,6 @@ function scrollParent(el: HTMLElement): HTMLElement | undefined {
   }
 }
 
-function createLocalVirtualStrategy(host: () => HTMLDivElement | undefined, enabled: () => boolean): VirtualStrategy {
-  let virtualizer: Virtualizer | undefined
-  let root: Document | HTMLElement | undefined
-
-  const release = () => {
-    virtualizer?.cleanUp()
-    virtualizer = undefined
-    root = undefined
-  }
-
-  return {
-    get: () => {
-      if (!enabled()) {
-        release()
-        return
-      }
-      if (typeof document === "undefined") return
-
-      const wrapper = host()
-      if (!wrapper) return
-
-      const next = scrollParent(wrapper) ?? document
-      if (virtualizer && root === next) return virtualizer
-
-      release()
-      virtualizer = new Virtualizer()
-      root = next
-      virtualizer.setup(next, next instanceof Document ? undefined : wrapper)
-      return virtualizer
-    },
-    cleanup: release,
-  }
-}
-
-function createSharedVirtualStrategy(host: () => HTMLDivElement | undefined): VirtualStrategy {
-  let shared: NonNullable<ReturnType<typeof acquireVirtualizer>> | undefined
-
-  const release = () => {
-    shared?.release()
-    shared = undefined
-  }
-
-  return {
-    get: () => {
-      if (shared) return shared.virtualizer
-
-      const container = host()
-      if (!container) return
-
-      const result = acquireVirtualizer(container)
-      if (!result) return
-      shared = result
-      return result.virtualizer
-    },
-    cleanup: release,
-  }
-}
-
 function parseLine(node: HTMLElement) {
   if (!node.dataset.line) return
   const value = parseInt(node.dataset.line, 10)
@@ -688,7 +611,7 @@ function ViewerShell(props: {
 // ---------------------------------------------------------------------------
 
 function TextViewer<T>(props: TextFileProps<T>) {
-  let instance: PierreFile<T> | VirtualizedFile<T> | undefined
+  let instance: PierreFile<T> | undefined
   let viewer!: Viewer
 
   const [local, others] = splitProps(props, textKeys)
@@ -708,36 +631,12 @@ function TextViewer<T>(props: TextFileProps<T>) {
     return Math.max(1, total)
   }
 
-  const bytes = createMemo(() => {
-    const value = local.file.contents as unknown
-    if (typeof value === "string") return value.length
-    if (Array.isArray(value)) {
-      return value.reduce(
-        // oxlint-disable-next-line no-base-to-string -- array parts coerced intentionally
-        (sum, part) => sum + (typeof part === "string" ? part.length + 1 : String(part).length + 1),
-        0,
-      )
-    }
-    if (value == null) return 0
-    // oxlint-disable-next-line no-base-to-string -- file contents cast to unknown, coercion is intentional
-    return String(value).length
-  })
-
-  const virtual = createMemo(() => bytes() > VIRTUALIZE_BYTES)
-
-  const virtuals = createLocalVirtualStrategy(() => viewer.wrapper, virtual)
-
   const lineFromMouseEvent = (event: MouseEvent): MouseHit => mouseHit(event, parseLine)
 
   const applySelection = (range: SelectedLineRange | null) => {
     const current = instance
     if (!current) return false
 
-    if (virtual()) {
-      current.setSelectedLines(range)
-      return true
-    }
-
     const root = viewer.getRoot()
     if (!root) return false
 
@@ -836,10 +735,7 @@ function TextViewer<T>(props: TextFileProps<T>) {
   const notify = () => {
     notifyRendered({
       viewer,
-      isReady: (root) => {
-        if (virtual()) return root.querySelector("[data-line]") != null
-        return root.querySelectorAll("[data-line]").length >= lineCount()
-      },
+      isReady: (root) => root.querySelectorAll("[data-line]").length >= lineCount(),
       onReady: () => {
         applySelection(viewer.lastSelection)
         viewer.find.refresh({ reset: true })
@@ -858,17 +754,11 @@ function TextViewer<T>(props: TextFileProps<T>) {
   createEffect(() => {
     const opts = options()
     const workerPool = getWorkerPool("unified")
-    const isVirtual = virtual()
-
-    const virtualizer = virtuals.get()
 
     renderViewer({
       viewer,
       current: instance,
-      create: () =>
-        isVirtual && virtualizer
-          ? new VirtualizedFile<T>(opts, virtualizer, codeMetrics, workerPool)
-          : new PierreFile<T>(opts, workerPool),
+      create: () => new PierreFile<T>(opts, workerPool),
       assign: (value) => {
         instance = value
       },
@@ -895,7 +785,6 @@ function TextViewer<T>(props: TextFileProps<T>) {
   onCleanup(() => {
     instance?.cleanUp()
     instance = undefined
-    virtuals.cleanup()
   })
 
   return <ViewerShell mode="text" viewer={viewer} class={local.class} classList={local.classList} />
@@ -991,8 +880,6 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
     adapter,
   )
 
-  const virtuals = createSharedVirtualStrategy(() => viewer.container)
-
   const large = createMemo(() => {
     if (local.fileDiff) {
       const before = local.fileDiff.deletionLines.join("")
@@ -1055,7 +942,6 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
   createEffect(() => {
     const opts = options()
     const workerPool = large() ? getWorkerPool("unified") : getWorkerPool(props.diffStyle)
-    const virtualizer = virtuals.get()
     const beforeContents = typeof local.before?.contents === "string" ? local.before.contents : ""
     const afterContents = typeof local.after?.contents === "string" ? local.after.contents : ""
     const done = preserve(viewer)
@@ -1070,10 +956,7 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
     renderViewer({
       viewer,
       current: instance,
-      create: () =>
-        virtualizer
-          ? new VirtualizedFileDiff<T>(opts, virtualizer, virtualMetrics, workerPool)
-          : new FileDiff<T>(opts, workerPool),
+      create: () => new FileDiff<T>(opts, workerPool),
       assign: (value) => {
         instance = value
       },
@@ -1111,7 +994,6 @@ function DiffViewer<T>(props: DiffFileProps<T>) {
   onCleanup(() => {
     instance?.cleanUp()
     instance = undefined
-    virtuals.cleanup()
     dragSide = undefined
     dragEndSide = undefined
   })

packages/ui/src/components/session-review.tsx

@@ -26,7 +26,6 @@ import type { LineCommentEditorProps } from "./line-comment"
 import { normalize, text, type ViewDiff } from "./session-diff"
 
 const MAX_DIFF_CHANGED_LINES = 500
-const REVIEW_MOUNT_MARGIN = 300
 
 export type SessionReviewDiffStyle = "unified" | "split"
 
@@ -159,14 +158,11 @@ type SessionReviewSelection = {
 export const SessionReview = (props: SessionReviewProps) => {
   let scroll: HTMLDivElement | undefined
   let focusToken = 0
-  let frame: number | undefined
   const i18n = useI18n()
   const fileComponent = useFileComponent()
   const anchors = new Map<string, HTMLElement>()
-  const nodes = new Map<string, HTMLDivElement>()
   const [store, setStore] = createStore({
     open: [] as string[],
-    visible: {} as Record<string, boolean>,
     force: {} as Record<string, boolean>,
     selection: null as SessionReviewSelection | null,
     commenting: null as SessionReviewSelection | null,
@@ -196,44 +192,7 @@ export const SessionReview = (props: SessionReviewProps) => {
   const diffStyle = () => props.diffStyle ?? (props.split ? "split" : "unified")
   const hasDiffs = () => files().length > 0
 
-  const syncVisible = () => {
-    frame = undefined
-    if (!scroll) return
-
-    const root = scroll.getBoundingClientRect()
-    const top = root.top - REVIEW_MOUNT_MARGIN
-    const bottom = root.bottom + REVIEW_MOUNT_MARGIN
-    const openSet = new Set(open())
-    const next: Record<string, boolean> = {}
-
-    for (const [file, el] of nodes) {
-      if (!openSet.has(file)) continue
-      const rect = el.getBoundingClientRect()
-      if (rect.bottom < top || rect.top > bottom) continue
-      next[file] = true
-    }
-
-    const prev = untrack(() => store.visible)
-    const prevKeys = Object.keys(prev)
-    const nextKeys = Object.keys(next)
-    if (prevKeys.length === nextKeys.length && nextKeys.every((file) => prev[file])) return
-    setStore("visible", next)
-  }
-
-  const queue = () => {
-    if (frame !== undefined) return
-    frame = requestAnimationFrame(syncVisible)
-  }
-
-  const pinned = (file: string) =>
-    props.focusedComment?.file === file ||
-    props.focusedFile === file ||
-    selection()?.file === file ||
-    commenting()?.file === file ||
-    opened()?.file === file
-
   const handleScroll: JSX.EventHandler<HTMLDivElement, Event> = (event) => {
-    queue()
     const next = props.onScroll
     if (!next) return
     if (Array.isArray(next)) {
@@ -244,21 +203,9 @@ export const SessionReview = (props: SessionReviewProps) => {
     ;(next as JSX.EventHandler<HTMLDivElement, Event>)(event)
   }
 
-  onCleanup(() => {
-    if (frame === undefined) return
-    cancelAnimationFrame(frame)
-  })
-
-  createEffect(() => {
-    props.open
-    files()
-    queue()
-  })
-
   const handleChange = (next: string[]) => {
     props.onOpenChange?.(next)
     if (props.open === undefined) setStore("open", next)
-    queue()
   }
 
   const handleExpandOrCollapseAll = () => {
@@ -372,7 +319,6 @@ export const SessionReview = (props: SessionReviewProps) => {
         viewportRef={(el) => {
           scroll = el
           props.scrollRef?.(el)
-          queue()
         }}
         onScroll={handleScroll}
         classList={{
@@ -391,7 +337,6 @@ export const SessionReview = (props: SessionReviewProps) => {
                     const diffCanRender = () => diff.additions !== 0 || diff.deletions !== 0
 
                     const expanded = createMemo(() => open().includes(file))
-                    const mounted = createMemo(() => expanded() && (!!store.visible[file] || pinned(file)))
                     const force = () => !!store.force[file]
 
                     const comments = createMemo(() => grouped().get(file) ?? [])
@@ -482,8 +427,6 @@ export const SessionReview = (props: SessionReviewProps) => {
 
                     onCleanup(() => {
                       anchors.delete(file)
-                      nodes.delete(file)
-                      queue()
                     })
 
                     const handleLineSelected = (range: SelectedLineRange | null) => {
@@ -569,19 +512,10 @@ export const SessionReview = (props: SessionReviewProps) => {
                             data-slot="session-review-diff-wrapper"
                             ref={(el) => {
                               anchors.set(file, el)
-                              nodes.set(file, el)
-                              queue()
                             }}
                           >
                             <Show when={expanded()}>
                               <Switch>
-                                <Match when={!mounted() && !tooLarge()}>
-                                  <div
-                                    data-slot="session-review-diff-placeholder"
-                                    class="rounded-lg border border-border-weak-base bg-background-stronger/40"
-                                    style={{ height: "160px" }}
-                                  />
-                                </Match>
                                 <Match when={tooLarge()}>
                                   <div data-slot="session-review-large-diff">
                                     <div data-slot="session-review-large-diff-title">

packages/ui/src/pierre/virtualizer.ts

@@ -1,100 +0,0 @@
-import { type VirtualFileMetrics, Virtualizer } from "@pierre/diffs"
-
-type Target = {
-  key: Document | HTMLElement
-  root: Document | HTMLElement
-  content: HTMLElement | undefined
-}
-
-type Entry = {
-  virtualizer: Virtualizer
-  refs: number
-}
-
-const cache = new WeakMap<Document | HTMLElement, Entry>()
-
-export const virtualMetrics: Partial<VirtualFileMetrics> = {
-  lineHeight: 24,
-  hunkSeparatorHeight: 24,
-  fileGap: 0,
-}
-
-function scrollable(value: string) {
-  return value === "auto" || value === "scroll" || value === "overlay"
-}
-
-function scrollRoot(container: HTMLElement) {
-  let node = container.parentElement
-  while (node) {
-    const style = getComputedStyle(node)
-    if (scrollable(style.overflowY)) return node
-    node = node.parentElement
-  }
-}
-
-function target(container: HTMLElement): Target | undefined {
-  if (typeof document === "undefined") return
-
-  const review = container.closest("[data-component='session-review']")
-  if (review instanceof HTMLElement) {
-    const root = scrollRoot(container) ?? review
-    const content = review.querySelector("[data-slot='session-review-container']")
-    return {
-      key: review,
-      root,
-      content: content instanceof HTMLElement ? content : undefined,
-    }
-  }
-
-  const root = scrollRoot(container)
-  if (root) {
-    const content = root.querySelector("[role='log']")
-    return {
-      key: root,
-      root,
-      content: content instanceof HTMLElement ? content : undefined,
-    }
-  }
-
-  return {
-    key: document,
-    root: document,
-    content: undefined,
-  }
-}
-
-export function acquireVirtualizer(container: HTMLElement) {
-  const resolved = target(container)
-  if (!resolved) return
-
-  let entry = cache.get(resolved.key)
-  if (!entry) {
-    const virtualizer = new Virtualizer()
-    virtualizer.setup(resolved.root, resolved.content)
-    entry = {
-      virtualizer,
-      refs: 0,
-    }
-    cache.set(resolved.key, entry)
-  }
-
-  entry.refs += 1
-  let done = false
-
-  return {
-    virtualizer: entry.virtualizer,
-    release() {
-      if (done) return
-      done = true
-
-      const current = cache.get(resolved.key)
-      if (!current) return
-
-      current.refs -= 1
-      if (current.refs > 0) return
-
-      current.virtualizer.cleanUp()
-      cache.delete(resolved.key)
-    },
-  }
-}

script/raw-changelog.ts

@@ -82,6 +82,11 @@ function section(areas: Set<string>) {
   return "Core"
 }
 
+function type(message: string) {
+  if (message.match(/fix/i)) return "Bugfixes"
+  return "Improvements"
+}
+
 function reverted(commits: Commit[]) {
   const seen = new Map<string, Commit>()
 
@@ -193,13 +198,20 @@ async function thanks(from: string, to: string, reuse: boolean) {
 }
 
 function format(from: string, to: string, list: Commit[], thanks: string[]) {
-  const grouped = new Map<string, string[]>()
-  for (const title of order) grouped.set(title, [])
+  const grouped = new Map<string, Map<string, string[]>>()
+  for (const title of order) {
+    grouped.set(
+      title,
+      new Map([
+        ["Improvements", []],
+        ["Bugfixes", []],
+      ]),
+    )
+  }
 
   for (const commit of list) {
-    const title = section(commit.areas)
     const attr = commit.author && !team.includes(commit.author) ? ` (@${commit.author})` : ""
-    grouped.get(title)!.push(`- \`${commit.hash}\` ${commit.message}${attr}`)
+    grouped.get(section(commit.areas))!.get(type(commit.message))!.push(`- \`${commit.hash}\` ${commit.message}${attr}`)
   }
 
   const lines = [`Last release: ${ref(from)}`, `Target ref: ${to}`, ""]
@@ -209,11 +221,23 @@ function format(from: string, to: string, list: Commit[], thanks: string[]) {
   }
 
   for (const title of order) {
-    const entries = grouped.get(title)
-    if (!entries || entries.length === 0) continue
+    const groups = grouped.get(title)
+    if (!groups || [...groups.values()].every((entries) => entries.length === 0)) continue
     lines.push(`## ${title}`)
-    lines.push(...entries)
-    lines.push("")
+    const improvements = groups.get("Improvements")!
+    const bugfixes = groups.get("Bugfixes")!
+    if (bugfixes.length === 0) {
+      lines.push(...improvements)
+      lines.push("")
+      continue
+    }
+
+    for (const [subtitle, entries] of groups) {
+      if (entries.length === 0) continue
+      lines.push(`### ${subtitle}`)
+      lines.push(...entries)
+      lines.push("")
+    }
   }
 
   if (thanks.length > 0) {