[Task] Track upstream sync after opencode 17701628bd

[Astro-Han]

Goal

Track which upstream opencode changes after 17701628bd PawWork should absorb, manually port, defer, or skip. This is the followup intake after #209, whose scope was frozen at 17701628bd.

The immediate goal is not to cherry-pick code. First produce a read-only sync tracker that prevents provider-specific or runtime fixes from being missed.

Source range

• Previous PawWork upstream intake boundary: 17701628bd4370067a1e2613043a9da14f8e302f
• Current upstream head checked on 2026-05-06: aa3c99a3c0a609ea4dd485355627e3161251584a
• Upstream refs checked:
  • anomalyco/opencode dev
  • sst/opencode dev
• Note: local upstream/dev may be stale if its fetch refspec does not update the branch ref. Verify with git ls-remote or the sst/dev remote ref before making decisions.

Scope

In scope:

• Build a read-only tracker table for upstream PRs/commits after 17701628bd.
• Mark each item as one of: already absorbed, take, manual port, defer, or skip.
• Separate provider/runtime fixes from Effect/HttpApi migration work.
• Identify which items require local patch-id or file-content verification.
• Define the smallest safe PR sequence for followup implementation.

Out of scope for this issue body:

• Directly cherry-picking code before the tracker is complete.
• Pulling upstream app/UI/desktop package restructures wholesale.
• Switching PawWork to the native HttpApi listener before parity tests pass.
• Importing upstream repo governance, VOUCHED, release, Nix, docs-site, or CI-policy churn unless a PawWork dependency is proven.

Initial buckets

Provider/runtime hotfixes to audit first

These are high-risk if missed because they can cause provider-specific request failures, silent option drops, poisoned sessions, or retry gaps.

• fix: default tool call streaming to false for google vertex anomalyco/opencode#24573 Google Vertex tool-call streaming default
• tweak: make interleaved reasoning_content default to true for openai compat deepseek setups anomalyco/opencode#24630 DeepSeek/OpenAI-compatible reasoning_content default
• fix: ensure toolStreaming is set to off by default when using non anthropic models with anthropic sdk anomalyco/opencode#24642 Anthropic SDK non-Anthropic tool streaming default
• fix: sanitize tools for moonshot anomalyco/opencode#24730 Moonshot/Kimi tool schema sanitization
• fix(copilot): ensure available variants sync from api  anomalyco/opencode#24734 Copilot variants sync
• feat: add Mistral Medium 3.5 with reasoning support anomalyco/opencode#24996 Mistral Medium 3.5 reasoning support
• fix: adjust azure defaults to closer match openai to prevent Item .. of type 'reasoning' was provided without its required following item anomalyco/opencode#25007 Azure OpenAI reasoning default fix
• fix: make deepseek string check a bit looser anomalyco/opencode#25012 looser DeepSeek detection
• fix(provider): split providerOptions key on dot for openai-compatible, openai, and anthropic providers anomalyco/opencode#25145 dotted providerOptions keys for OpenAI-compatible/OpenAI/Anthropic
• fix: ensure user config takes precendence over plugin hooks for model resolution anomalyco/opencode#25167 user config precedence over plugin hooks for model resolution
• fix: fix issue if tool returned image and empty text and it caused api errors anomalyco/opencode#25241 image tool result with empty text API error
• fix: bedrock reasoning issue anomalyco/opencode#25303 Bedrock reasoning issue
• fix: regression w/ auth login where stderr was ignored instead of inherited anomalyco/opencode#25529 auth login stderr inheritance
• fix(cf-ai-gateway): route provider options through openaiCompatible key (#24432) anomalyco/opencode#25573 Cloudflare AI Gateway provider options routing
• fix(auth): respect server username in clients anomalyco/opencode#25596 respect server username in clients
• fix: ensure anthropic sdk properly resolves when using azure anomalyco/opencode#25721 Anthropic SDK resolution when using Azure
• fix: ensure mistral medium 3.5 has variants properly setup anomalyco/opencode#25887 Mistral Medium 3.5 variant setup
• fix: retry server_is_overloaded errors anomalyco/opencode#25888 retry server_is_overloaded
• fix: sanitize surrogates anomalyco/opencode#25934 malformed surrogate sanitization
• fix(read): prevent unsupported image formats from being sending to provider anomalyco/opencode#21114 unsupported image format guard before provider request

Runtime/session/tool safety fixes

• fix(opencode): preserve external_dir and deny parent permissions in task child sessions anomalyco/opencode#23290 preserve external_dir and deny parent permissions in task child sessions
• fix(opencode): agent create generates permissions field with deny ins… anomalyco/opencode#24482 agent create writes permissions instead of deprecated tools
• fix(session): harden shell cancellation anomalyco/opencode#24553 harden shell cancellation
• fix: pass workspace symbol query to experimental LSP tool anomalyco/opencode#24576 pass workspace symbol query to experimental LSP tool
• fix(session): remove compaction summary dividers anomalyco/opencode#24677 remove compaction summary dividers
• fix(bash): memory leak - release parsed syntax trees anomalyco/opencode#24861 release bash/tree-sitter parsed syntax trees
• fix: clear timeout after promise rejection anomalyco/opencode#24864 clear timeout after promise rejection
• fix(session): remap compaction tail_start_id when forking anomalyco/opencode#24898 remap compaction tail_start_id when forking
• fix: handle invalid mcp urls anomalyco/opencode#25019 handle invalid MCP URLs
• tweak: allow read tool to accept offset of 0 anomalyco/opencode#25431 allow read tool offset 0
• fix(telemetry): emit Tool.execute span for MCP and plugin tools anomalyco/opencode#25452 emit Tool.execute spans for MCP and plugin tools
• fix(vcs): preserve batched patch boundaries anomalyco/opencode#25787 preserve batched patch boundaries
• fix(session): cancel subtask child sessions anomalyco/opencode#25798 cancel subtask child sessions
• fix(compaction): order compaction summary before retained tail anomalyco/opencode#25851 order compaction summary before retained tail

Desktop/app manual review

Manual port only. Do not import upstream desktop package consolidation wholesale.

• fix(desktop): Path mismatches cause sessions missing + strong ID + existing data fix anomalyco/opencode#25013 desktop path mismatch and missing sessions
• fix(desktop): Prevent Model response Interruption when opening settings dialog anomalyco/opencode#25114 settings dialog should not interrupt model response
• fix: update provider store after loading providers in bootstrap anomalyco/opencode#25236 update provider store after bootstrap loading providers
• fix(desktop): limit zoom handler to zoom keys anomalyco/opencode#25516 limit zoom handler to zoom keys
• fix(desktop): trust system certificates anomalyco/opencode#25837 trust system certificates
• fix(desktop): respect proxy environment anomalyco/opencode#25846 respect proxy environment
• fix(desktop): add error handling to store-get IPC handler anomalyco/opencode#25850 store-get IPC error handling
• fix(ui): preserve SVG tags in DOMPurify config for KaTeX math rendering anomalyco/opencode#25866 preserve SVG tags for KaTeX, requires sanitizer review
• fix(app): require query functions for sync queries anomalyco/opencode#25939 require query functions for sync queries
• fix(desktop): suppress EPIPE errors in console transport anomalyco/opencode#25980 suppress EPIPE in console transport
• chore(desktop): add @parcel/watcher platform packages to optionalDependencies anomalyco/opencode#25996 add @parcel/watcher platform optional dependencies
• feat(desktop): implement clipboard write permission handling anomalyco/opencode#25998 clipboard write permission handling, requires security review

Effect foundation

PawWork already has partial Effect adoption, so this should continue, but as migration slices rather than scattered bug picks.

• InstanceStore / InstanceBootstrap service migration
• ConfigProvider lifecycle per listener / instance
• Instance and Workspace context propagation
• Plugin agent bootstrap regression fixes
• effectCmd CLI migration and followup regression fixes
• Tests using PawWork's testEffect(...), it.live(...), and tmpdir instance helpers

Known upstream followup fixes that must not be lost if taking this line:

• fix(httpapi): install Instance ALS for adapter Promise bridge anomalyco/opencode#25417 adapter Promise ALS bridge
• fix(instance): restore InstanceBootstrap init parameter for non-Effec… anomalyco/opencode#25449 restore InstanceBootstrap init parameter for non-Effect plugin regression
• fix(instance): run bootstrap from instance store anomalyco/opencode#25475 run bootstrap from instance store
• fix(cli): bridge Instance.current ALS in effectCmd handlers (regression from #25522) anomalyco/opencode#25546 bridge Instance.current ALS in effectCmd handlers

HttpApi migration

Do not switch the production listener until parity is proven. Treat this as a staged migration.

• Route inventory parity
• Request body, query, header, status, and JSON shape parity
• OpenAPI/schema parity, including optional/null fields and v2 session response encoding
• Basic auth and browser login parity
• Provider OAuth and MCP OAuth parity
• SSE event stream parity
• PTY websocket parity
• Workspace routing and proxy HTTP/WS parity
• CORS/CSP review for PawWork renderer origin
• Native listener switch only after parity is green and a fallback exists

Suggested implementation sequence

1. Provider-specific and auth hotfix PR.
2. Runtime/session/tool safety PR.
3. Desktop/app critical runtime manual-port PR.
4. Effect foundation PRs: InstanceStore, InstanceBootstrap, ConfigProvider, context propagation, known regression fixes.
5. HttpApi parity tests and disabled-backend parity fixes.
6. effectCmd / CLI migration PRs.
7. Native HttpApi listener and OpenAPI source switch, last.

Tracker rules

• Start read-only: use git cherry -v, git patch-id, git show, git diff, and gh pr view before changing code.
• Do not mark an upstream item as missing until local patch-id and file-content checks agree.
• Provider-specific fixes need stub-provider regression coverage where practical.
• If a change is already absorbed under a PawWork-local commit, record the PawWork commit.
• Use Refs #ISSUE or Part of #ISSUE from implementation PRs. Do not close this tracker until all accepted slices are completed or explicitly deferred.

Verification expectations for followup PRs

• Provider matrix tests for OpenAI-compatible, DeepSeek, Anthropic SDK, Azure OpenAI, Bedrock, Moonshot/Kimi, Mistral, Copilot, Cloudflare AI Gateway, and generic retry/unicode/image-tool-result cases.
• Focused session/tool tests for cancellation, task child session cleanup, compaction, MCP URL handling, read offset, and patch boundaries.
• Desktop manual verification for settings dialog non-interruption, proxy/certificate behavior where practical, IPC/logging changes, and packaged watcher dependency behavior.
• HttpApi parity tests before any listener switch.

[Astro-Han]

Followup tracker hardening after second external review

I rechecked the second review against live upstream refs and local git cherry output. The added anchors below should be folded into this tracker before implementation starts. All items still need local patch-id / file-content verification before being marked missing or already absorbed.

Range note:

• git ls-remote https://github.com/anomalyco/opencode.git refs/heads/dev and git ls-remote https://github.com/sst/opencode.git refs/heads/dev both returned aa3c99a3c0a609ea4dd485355627e3161251584a on 2026-05-06.
• That commit title is chore: update nix node_modules hashes.
• Compare URL: anomalyco/opencode@1770162...aa3c99a

Provider/model additions

• fix: allow Codex Spark with Codex OAuth anomalyco/opencode#25640 Codex Spark allowlist for Codex OAuth
• Keep fix: sanitize surrogates anomalyco/opencode#25934 malformed surrogate sanitization cross-listed under serialization/session safety, not only provider payloads
• Keep provider transform/model catalog fixes separate from auth/client credential fixes

Auth/client credential additions

Track these as a separate auth/client slice rather than bundling them with provider transforms:

• fix(acp): pass server auth to internal client anomalyco/opencode#25591 ACP internal SDK client sends server auth
• fix(auth): add username option for basic auth in RunCommand anomalyco/opencode#25600 run --attach username option, patch-id check against #25596
• fix(app): preserve auth token credentials anomalyco/opencode#25636 preserve app auth_token credentials
• Auth/client hotfix slice should audit #25529, #25591, #25596, #25600, and #25636 together

HttpApi exact regression anchors

Do not allow a future HttpApi/listener PR to proceed without patch-id checks for these:

• fix(httpapi): omit absent optional response fields anomalyco/opencode#25214 omit absent optional response fields
• fix(session): use finite archived timestamp schema anomalyco/opencode#25275 finite archived timestamp schema
• fix(httpapi): preserve OpenAPI parameter parity anomalyco/opencode#25291 OpenAPI parameter parity
• fix(httpapi): pagination Link header echoes request host anomalyco/opencode#25527 pagination Link header host parity
• fix(session): encode v2 session responses anomalyco/opencode#25528 v2 session response encoding
• fix(httpapi): add basic auth challenge for browser login anomalyco/opencode#25588 Basic Auth browser challenge
• fix(server): support desktop PTY websockets with HttpApi anomalyco/opencode#25598 desktop PTY websocket support with HttpApi
• fix(server): serve embedded UI from bunfs anomalyco/opencode#25632 embedded UI from bunfs
• feat(server): pty websocket auth tickets anomalyco/opencode#25660 PTY websocket auth tickets
• fix(opencode): strip transfer-encoding in UI proxy and allow public manifest assets anomalyco/opencode#25698 UI proxy transfer-encoding / public manifest / PTY token directory fix
• fix: ensure effect server middleware properly parses errors anomalyco/opencode#25717 Effect server middleware error parsing
• fix(server): provide fresh ConfigProvider per HttpApi listener anomalyco/opencode#25726 fresh ConfigProvider per HttpApi listener
• Type session not-found errors anomalyco/opencode#25818 typed session not-found errors
• fix(server): restore web terminal CSP allowances anomalyco/opencode#25937 restore web terminal CSP allowances

Desktop/app manual-port additions

• fix(app): prevent terminal recovery loops anomalyco/opencode#25710 terminal recovery loop prevention
• fix(desktop): stabilize Windows titlebar zoom anomalyco/opencode#25813 Windows titlebar zoom stability
• fix(desktop): suppress browser API Sentry errors in prod anomalyco/opencode#25972 suppress BrowserApiErrors Sentry noise in prod desktop
• fix(desktop): disable auto install on app quit anomalyco/opencode#25976 disable updater auto-install-on-quit
• Treat fix(server): allow all connect-src origins in CSP for embedded UI anomalyco/opencode#25838 CSP connect-src * as security-sensitive and review only together with #25937
• Explicitly skip/defer refactor(desktop): consolidate desktop-electron into desktop package anomalyco/opencode#25822 and fix(desktop): update main process anomalyco/opencode#25825 desktop package consolidation unless PawWork intentionally migrates desktop structure

Runtime/session additions

• fix(worktree): fork workspace worktree boot anomalyco/opencode#25723 worktree workspace boot should fork instead of blocking response
• Keep fix(read): prevent unsupported image formats from being sending to provider anomalyco/opencode#21114 unsupported image format guard cross-listed under runtime/session/tool safety; the root risk is Read-tool/session poisoning before it becomes a provider API failure
• Keep feat(core): session warping anomalyco/opencode#25768 session warping out of hotfix sync. If accepted later, use a separate feature/data-contract PR and include #25801 and #25894.

Ordering corrections

• Provider transform/model catalog fixes first; auth/client credential fixes in a separate PR.
• HttpApi parity tests before deeper HttpApi migration and before listener/OpenAPI switch.
• InstanceStore/InstanceBootstrap foundation before effectCmd.
• Bundle effectCmd migration with fix(cli): bridge Instance.current ALS in effectCmd handlers (regression from #25522) anomalyco/opencode#25546.
• Treat feat(server): native HttpApi listener with Bun.serve + WS upgrade anomalyco/opencode#25547 as context/POC. The final listener path must be gated by #25598 plus #25660/#25698/#25726 followups.

---

Third-pass verified corrections after Kimi review

I rechecked the third external review against live refs, local git cherry, and PawWork's current file layout. Do not paste the review wholesale; some range counts and buckets were incorrect.

Range correction:

• 17701628bd...aa3c99a3c0 is 397 commits by local git rev-list, not 250.
• git log PR-title extraction currently finds about 264 unique PR numbers, so the reported 263 PRs / 184 untracked should be treated as a rough prompt, not a verified tracker fact.
• anomalyco/opencode dev and sst/opencode dev still both resolve to aa3c99a3c0a609ea4dd485355627e3161251584a.

Additions accepted into tracker

• tweak: adjust codex plugin to use the models hook anomalyco/opencode#25157 Codex plugin now filters/adjusts Codex OAuth models through the provider models hook. Track with #25640 in the Codex OAuth/model-listing slice.
• fix(vcs): avoid unbounded diff memory usage anomalyco/opencode#25581 VCS diff avoids unbounded memory usage. Add to runtime/session/tool safety as high priority.
• Preapprove agent tmp directory access anomalyco/opencode#25226 preapproves the opencode tmp directory for bash/agent use. Add to runtime/session/tool safety, marked as security-relevant permission behavior.
• chore: rm broken codesearch tool anomalyco/opencode#24992 removes the broken codesearch tool. PawWork currently still registers codesearch, so this needs local patch/file-content verification before implementation.
• fix: ensure disabling OPENCODE_DISABLE_CLAUDE_CODE_SKILLS doesnt disable external skills too anomalyco/opencode#25123 fixes OPENCODE_DISABLE_CLAUDE_CODE_SKILLS accidentally disabling external skills. PawWork currently has the coupled flag behavior, so this should be audited.
• core: fix npm package detection to properly handle cached directories without installed packages anomalyco/opencode#25354 fixes npm package detection for cached directories without installed packages. Add as low-priority runtime/core fix.
• fix(sdk+cli): surface real errors instead of bare {} when server returns empty body anomalyco/opencode#25592 surfaces useful SDK/CLI errors instead of bare {} when the server returns an empty or unparsable error body. Add to auth/client or SDK/client error slice.
• Disable Windows update code signature verification anomalyco/opencode#24905 disables Windows updater code signature verification. Track only as security-sensitive separate review; do not bundle into hotfix PRs.

Keep as context / defer / skip

• update Go DeepSeek flash limits for cache pricing drop anomalyco/opencode#24592 and go: restore Kimi K2.6 limits anomalyco/opencode#25969 only touch upstream packages/console / packages/web Go surfaces. PawWork currently has no packages/console; skip/defer unless PawWork intentionally adopts that upstream console path.
• tweak: make azure onboarding ux a bit better anomalyco/opencode#25057 is Azure onboarding UX, not a provider runtime hotfix. Defer or review with provider-auth UX only.
• feat: refactor bash tool with shell-aware prompts for bash, pwsh+powershell, and cmd anomalyco/opencode#20039 is a major shell-aware bash refactor, not a small runtime hotfix. Keep as context and require local deep check before deciding.
• Refactor v2 session events as schemas anomalyco/opencode#24512, #25628, and #25634 are v2 session schema/rendering context. Do not implement unless PawWork accepts the v2/session-warping feature chain.
• feat(core): store relative path for sessions anomalyco/opencode#24704 and #24849 remain feature/schema migrations for session path storage/filtering, not hotfixes.
• desktop: sentry integration anomalyco/opencode#15300 Sentry desktop integration remains defer/separate review.

Ordering correction

The third review's claim that the tracker puts HttpApi parity tests before Effect foundation is not accurate for the issue body. Keep the existing high-level order: provider/auth/runtime/desktop first, then Effect foundation, then HttpApi parity tests and disabled-backend fixes, then effectCmd, then listener/OpenAPI switch last.

What should be strengthened is the must-bundle wording:

• effectCmd: #25429 -> #25522 -> #25546 must be audited as one regression chain.
• HttpApi listener: #25542 -> #25545 -> #25598 -> #25660 -> #25698 -> #25726 -> final listener switch must be gated together.
• v2/session-warping: #24512 is prerequisite context for #25628/#25634/#25768/#25801/#25894; do not take those as hotfixes.

OpenRouter/LiteLLM note: local grep over the upstream range did not find dedicated OpenRouter or LiteLLM PRs/files. Keep them covered by the generic OpenAI-compatible/providerOptions/retry/unicode test matrix unless a later live scan finds provider-specific changes.

First execution audit pass on codex/i477-upstream-tracker-audit

Read-only audit run against the 93 PR candidates currently named in this issue/comment.

Evidence used:

• Current branch for audit: codex/i477-upstream-tracker-audit
• Upstream range: 17701628bd4370067a1e2613043a9da14f8e302f...aa3c99a3c0a609ea4dd485355627e3161251584a
• git rev-list --count for that range: 397
• Extracted candidates from [Task] Track upstream sync after opencode 17701628bd #477 body + comments: 93
• git cherry -v origin/dev sst/dev 17701628bd... used for patch-equivalence
• For each merge commit, checked whether it is in range and how many touched files still exist in PawWork

Key findings:

• #24677 is already patch-equivalent absorbed (git cherry shows -). No new work needed unless tests reveal behavior drift.
• #24482 and #24573 are not in the post-17701628bd range. They should be checked against [Feature] Track selective upstream backports from opencode v1.14.17-v1.14.22 #209/fix(upstream): permission config + provider/runtime fixes (PR5/5) #301 old sync evidence, not treated as new upstream movement.
• #24592 and #25969 are in range but touch upstream packages/console / packages/web Go surfaces only; PawWork currently has no packages/console. Mark skip/defer unless PawWork intentionally adopts that upstream console path.
• Most remaining candidates are not patch-equivalent absorbed (git cherry shows +) and need slice-level implementation decisions.

Proposed execution states after pass 1

PR A — Provider transform / model catalog hotfix: take

Keep this narrow: provider payload/model behavior only, no app/desktop/HttpApi listener.

• #24630 DeepSeek/OpenAI-compatible reasoning_content default
• #24642 Anthropic SDK non-Anthropic tool streaming default
• #24730 Moonshot/Kimi tool schema sanitization
• #24734 Copilot variants sync
• #24996 Mistral Medium 3.5 reasoning support
• #25007 Azure OpenAI reasoning default fix
• #25012 looser DeepSeek detection
• #25145 dotted providerOptions keys
• #25157 Codex OAuth model filtering through provider models hook
• #25167 user config precedence over plugin hooks for model resolution
• #25241 image tool result with empty text API error
• #25303 Bedrock reasoning issue
• #25573 Cloudflare AI Gateway provider options routing
• #25640 Codex Spark allowlist for Codex OAuth
• #25721 Anthropic SDK resolution when using Azure
• #25887 Mistral Medium 3.5 variant setup
• #25888 retry server_is_overloaded
• #25934 malformed surrogate sanitization

Carry-over checks, not first-pass take:

• #24573 Vertex tool-call streaming default: not in this range; verify against previous sync before adding.
• #24592 / #25969 Go console limits: skip/defer for PawWork unless packages/console is adopted.
• #25057 Azure onboarding UX: defer; not a provider runtime hotfix.

PR B — Auth / client credentials hotfix: take

Keep separate from provider transforms because it touches CLI/ACP/app/client auth paths.

• #25529 auth login stderr inheritance
• #25591 ACP internal SDK client sends server auth
• #25592 useful SDK/CLI error instead of bare {} for empty error bodies
• #25596 respect server username in clients
• #25600 run --attach username option
• #25636 preserve app auth_token credentials, likely manual-port for PawWork app/auth startup

PR C — Runtime / session / tool safety: take or manual-port

• #21114 unsupported image format guard, cross-listed as Read-tool/session poisoning prevention
• #23290 preserve external_dir and deny parent permissions in task child sessions, manual-port likely because the touched upstream path no longer exists locally
• #24553 harden shell cancellation
• #24576 pass workspace symbol query to experimental LSP tool
• #24677 remove compaction summary dividers, already absorbed by patch-id
• #24861 release bash/tree-sitter parsed syntax trees
• #24864 clear timeout after promise rejection
• #24898 remap compaction tail_start_id when forking
• #24992 remove broken codesearch; PawWork still registers codesearch, so treat as manual-port with UI/SDK/tool registry cleanup
• #25019 handle invalid MCP URLs
• #25123 split OPENCODE_DISABLE_CLAUDE_CODE_SKILLS from external skills disable flag
• #25226 preapprove opencode tmp directory for agent/bash, security-relevant permission behavior
• #25354 npm package detection for cached dirs without installed packages
• #25431 read tool offset 0
• #25452 Tool.execute spans for MCP/plugin tools
• #25581 VCS diff bounded memory usage, high priority
• #25723 worktree workspace boot forks instead of blocking response
• #25787 preserve batched patch boundaries
• #25798 cancel subtask child sessions
• #25851 order compaction summary before retained tail

Carry-over/defer:

• #24482 agent create writes permissions instead of deprecated tools: not in this range; verify against previous sync.
• #20039 shell-aware bash refactor: context/deep-check only, not a hotfix cherry-pick.

PR D — Desktop/app manual-port slices: manual-port

Manual port by behavior. Do not cherry-pick upstream package layout.

• #25013 desktop path mismatch and missing sessions
• #25114 settings dialog should not interrupt model response
• #25236 provider store updated after bootstrap loading providers
• #25516 limit zoom handler to zoom keys
• #25598 desktop PTY websockets with HttpApi, only with HttpApi/desktop terminal slice
• #25632 embedded UI from bunfs, only if PawWork packaged embedded UI path matches
• #25660 PTY websocket auth tickets
• #25698 UI proxy transfer-encoding/public manifest/PTY token directory fixes
• #25710 terminal recovery loop prevention
• #25813 Windows titlebar zoom stability
• #25837 trust system certificates
• #25846 respect proxy environment
• #25850 store-get IPC error handling
• #25866 DOMPurify SVG tags for KaTeX, security-sensitive sanitizer review
• #25937 restore web terminal CSP allowances, review with CSP changes
• #25939 require query functions for sync queries
• #25972 suppress BrowserApiErrors Sentry noise in prod desktop, only if PawWork uses comparable telemetry path
• #25976 disable updater auto-install-on-quit, product/update-policy review
• #25980 suppress EPIPE errors in console transport
• #25996 @parcel/watcher optional deps, likely already partially relevant because PawWork packages watcher deps
• #25998 clipboard write permission handling, security review

Explicit defer/skip:

• #15300 Sentry desktop integration: defer/separate product and privacy review
• #24905 disable Windows updater code signature verification: separate security policy review only
• #25822/#25825 desktop package consolidation: skip/defer unless PawWork intentionally migrates desktop package structure
• #25838 connect-src * CSP expansion: do not take alone; review only with #25937 and PawWork security policy

PR E — Effect foundation and HttpApi migration: grouped migration, not hotfix

Do not start this by cherry-picking listener changes. Keep production listener switch last.

Foundation / context chain:

• #24853 big HttpApi backend parity route/handler creation, grouped with Effect foundation, not a standalone fix
• #25417 adapter Promise ALS bridge
• #25449 restore InstanceBootstrap init parameter
• #25475 run bootstrap from instance store

HttpApi disabled-backend parity anchors:

• #25214 omit absent optional response fields
• #25275 finite archived timestamp schema
• #25291 OpenAPI parameter parity
• #25527 pagination Link header host parity
• #25528 v2 session response encoding
• #25588 Basic Auth browser challenge
• #25717 Effect server middleware error parsing
• #25726 fresh ConfigProvider per HttpApi listener
• #25818 typed session not-found errors

CLI/effectCmd chain:

• #25546 bridge Instance.current ALS in effectCmd handlers; must be bundled with the effectCmd conversion chain that introduced the regression

Listener switch last:

• #25547 native HttpApi listener is context/last-stage only, not an implementation target until parity + PTY/auth/CORS are green

Context-only / feature chain: defer

• #24512 v2 session events as schemas
• #24704 session relative path field
• #24849 session filtering by path
• #25768 session warping

These are feature/schema/data-contract changes. Do not mix them into provider/runtime hotfix sync.

Immediate next implementation target

Start with PR A, then PR B. PR A is the safest first code slice because its target files mostly exist locally and it avoids app/desktop/HttpApi listener churn.

[Astro-Han]

Proposed 5-PR execution split after audit pass 1, revised after GPT-5.5-pro review

This is the implementation split to review before code starts. It supersedes the earlier draft in this comment.

Goal: absorb upstream fixes after 17701628bd without mixing unrelated rollback surfaces.

Guiding rules:

• Do not sync by commit order. Sync by failure mode and rollback boundary.
• Keep direct provider/model fixes separate from generic session payload, serialization, and retry fixes.
• Keep auth/client credential fixes separate from provider request transforms.
• Keep desktop/app manual ports separate from HttpApi desktop-terminal/auth/CSP work.
• Keep Effect/HttpApi as a migration line, not a hotfix bucket.
• take here means candidate decision, not proof of absence. Each item still needs local file-content verification during implementation.

PR 1: Provider/model hotfix

Purpose: Fix direct provider request-shape, model catalog, provider option routing, and provider auth-hook behavior. Do not include generic session serialization/retry fixes here.

Include:

• tweak: make interleaved reasoning_content default to true for openai compat deepseek setups anomalyco/opencode#24630 DeepSeek/OpenAI-compatible reasoning_content default
• fix: ensure toolStreaming is set to off by default when using non anthropic models with anthropic sdk anomalyco/opencode#24642 Anthropic SDK non-Anthropic tool streaming default
• fix: sanitize tools for moonshot anomalyco/opencode#24730 Moonshot/Kimi tool schema sanitization
• fix(copilot): ensure available variants sync from api  anomalyco/opencode#24734 Copilot variants sync
• feat: add Mistral Medium 3.5 with reasoning support anomalyco/opencode#24996 Mistral Medium 3.5 reasoning support
• fix: adjust azure defaults to closer match openai to prevent Item .. of type 'reasoning' was provided without its required following item anomalyco/opencode#25007 Azure OpenAI reasoning default fix
• fix: make deepseek string check a bit looser anomalyco/opencode#25012 looser DeepSeek detection
• fix(provider): split providerOptions key on dot for openai-compatible, openai, and anthropic providers anomalyco/opencode#25145 dotted providerOptions keys for OpenAI-compatible/OpenAI/Anthropic
• tweak: adjust codex plugin to use the models hook anomalyco/opencode#25157 Codex OAuth model filtering through provider models hook
• fix: ensure user config takes precendence over plugin hooks for model resolution anomalyco/opencode#25167 user config precedence over plugin hooks for model resolution
• fix: bedrock reasoning issue anomalyco/opencode#25303 Bedrock reasoning issue
• fix(cf-ai-gateway): route provider options through openaiCompatible key (#24432) anomalyco/opencode#25573 Cloudflare AI Gateway provider options routing
• fix: allow Codex Spark with Codex OAuth anomalyco/opencode#25640 Codex Spark allowlist for Codex OAuth
• fix: ensure anthropic sdk properly resolves when using azure anomalyco/opencode#25721 Anthropic SDK resolution when using Azure
• fix: ensure mistral medium 3.5 has variants properly setup anomalyco/opencode#25887 Mistral Medium 3.5 variant setup

Explicitly excluded from PR 1:

• fix: fix issue if tool returned image and empty text and it caused api errors anomalyco/opencode#25241 image tool result with empty text API error. Runtime/session payload fix; move to PR 3.
• fix: retry server_is_overloaded errors anomalyco/opencode#25888 retry server_is_overloaded. Generic retry/runtime policy; move to PR 3.
• fix: sanitize surrogates anomalyco/opencode#25934 malformed surrogate sanitization. Serialization/session safety; move to PR 3.

Carry-over checks, not automatic include:

• fix: default tool call streaming to false for google vertex anomalyco/opencode#24573 Vertex tool-call streaming default. Not in the post-17701628bd range; verify against [Feature] Track selective upstream backports from opencode v1.14.17-v1.14.22 #209/fix(upstream): permission config + provider/runtime fixes (PR5/5) #301 first.
• update Go DeepSeek flash limits for cache pricing drop anomalyco/opencode#24592 and go: restore Kimi K2.6 limits anomalyco/opencode#25969 Go console limits. PawWork currently has no packages/console; skip/defer unless PawWork adopts that upstream console path.
• tweak: make azure onboarding ux a bit better anomalyco/opencode#25057 Azure onboarding UX. Defer unless provider-auth UX is intentionally in scope.

Minimum verification:

• Stub provider tests for OpenAI-compatible, DeepSeek, Anthropic SDK, Azure, Bedrock, Moonshot/Kimi, Mistral, Cloudflare AI Gateway, Copilot, Codex OAuth.
• Payload assertions for providerOptions, reasoning_content, tool streaming defaults, provider model hooks, and provider/model catalog changes.
• No app/desktop/HttpApi listener/CSP/PTY changes in this PR.

PR 2: Auth/client credential hotfix

Purpose: Fix client/server credential propagation and client error surfacing. Keep this separate because failures look like login/connect/auth breakage, not provider payload failures.

Include:

• fix: regression w/ auth login where stderr was ignored instead of inherited anomalyco/opencode#25529 auth login stderr inheritance
• fix(acp): pass server auth to internal client anomalyco/opencode#25591 ACP internal SDK client sends server auth
• fix(sdk+cli): surface real errors instead of bare {} when server returns empty body anomalyco/opencode#25592 useful SDK/CLI error instead of bare {} for empty or unparsable error bodies
• fix(auth): respect server username in clients anomalyco/opencode#25596 respect server username in clients
• fix(auth): add username option for basic auth in RunCommand anomalyco/opencode#25600 run --attach username option
• fix(app): preserve auth token credentials anomalyco/opencode#25636 preserve app auth_token credentials, likely manual-port for PawWork app/server startup

Minimum verification:

• Basic auth username precedence and password propagation.
• run --attach with custom username.
• ACP internal client with server password.
• Auth login helper still shows stderr/login URL.
• SDK/CLI error formatting does not print bare {} for empty response body.
• App startup URL preserves auth_token where PawWork still uses that flow.

PR 3: Runtime/session/tool safety

Purpose: Fix session poisoning, payload serialization, retry policy, cancellation, compaction, tool cleanup, VCS memory, MCP URL handling, and tool registry safety.

Include:

• fix(read): prevent unsupported image formats from being sending to provider anomalyco/opencode#21114 unsupported image format guard, treated as Read-tool/session poisoning prevention
• fix(opencode): preserve external_dir and deny parent permissions in task child sessions anomalyco/opencode#23290 preserve external_dir and deny parent permissions in task child sessions, likely manual-port
• fix(session): harden shell cancellation anomalyco/opencode#24553 harden shell cancellation
• fix: pass workspace symbol query to experimental LSP tool anomalyco/opencode#24576 pass workspace symbol query to experimental LSP tool
• fix(session): remove compaction summary dividers anomalyco/opencode#24677 remove compaction summary dividers, already patch-equivalent absorbed
• fix(bash): memory leak - release parsed syntax trees anomalyco/opencode#24861 release bash/tree-sitter parsed syntax trees
• fix: clear timeout after promise rejection anomalyco/opencode#24864 clear timeout after promise rejection
• fix(session): remap compaction tail_start_id when forking anomalyco/opencode#24898 remap compaction tail_start_id when forking
• chore: rm broken codesearch tool anomalyco/opencode#24992 remove broken codesearch; PawWork still registers codesearch, so this is a manual-port cleanup across tool registry/UI/SDK
• fix: handle invalid mcp urls anomalyco/opencode#25019 handle invalid MCP URLs
• fix: ensure disabling OPENCODE_DISABLE_CLAUDE_CODE_SKILLS doesnt disable external skills too anomalyco/opencode#25123 split OPENCODE_DISABLE_CLAUDE_CODE_SKILLS from external skills disable flag
• Preapprove agent tmp directory access anomalyco/opencode#25226 preapprove opencode tmp directory for agent/bash, security-relevant permission behavior
• fix: fix issue if tool returned image and empty text and it caused api errors anomalyco/opencode#25241 image tool result with empty text API error
• core: fix npm package detection to properly handle cached directories without installed packages anomalyco/opencode#25354 npm package detection for cached dirs without installed packages
• tweak: allow read tool to accept offset of 0 anomalyco/opencode#25431 read tool offset 0
• fix(telemetry): emit Tool.execute span for MCP and plugin tools anomalyco/opencode#25452 Tool.execute spans for MCP/plugin tools
• fix(vcs): avoid unbounded diff memory usage anomalyco/opencode#25581 VCS diff bounded memory usage
• fix(worktree): fork workspace worktree boot anomalyco/opencode#25723 worktree workspace boot forks instead of blocking response
• fix(vcs): preserve batched patch boundaries anomalyco/opencode#25787 preserve batched patch boundaries
• fix(session): cancel subtask child sessions anomalyco/opencode#25798 cancel subtask child sessions
• fix(compaction): order compaction summary before retained tail anomalyco/opencode#25851 order compaction summary before retained tail
• fix: retry server_is_overloaded errors anomalyco/opencode#25888 retry server_is_overloaded
• fix: sanitize surrogates anomalyco/opencode#25934 malformed surrogate sanitization

Carry-over checks, not automatic include:

• fix(opencode): agent create generates permissions field with deny ins… anomalyco/opencode#24482 agent create writes permissions instead of deprecated tools. Not in post-17701628bd; verify against [Feature] Track selective upstream backports from opencode v1.14.17-v1.14.22 #209/fix(upstream): permission config + provider/runtime fixes (PR5/5) #301.
• feat: refactor bash tool with shell-aware prompts for bash, pwsh+powershell, and cmd anomalyco/opencode#20039 shell-aware bash refactor. Treat as context/deep-check only, not a hotfix cherry-pick.

Minimum verification:

• Read tool rejects unsupported image types and does not poison later prompt replay.
• Image tool result with empty text is normalized safely.
• Malformed surrogate text cannot break provider request serialization or session replay.
• server_is_overloaded retry path is covered separately from provider transform tests.
• Shell cancellation and subtask cancellation leave no child session running.
• Bash/tree-sitter parser is released.
• Timeout helper clears timers on rejection.
• Compaction fork remaps tail_start_id; compacted summary order is correct.
• Invalid MCP URL becomes a status/config error, not startup crash.
• read accepts offset 0.
• Skill disable flags are independent.
• VCS diff handles large output without unbounded memory growth.
• codesearch removal or replacement is covered across tool registry, UI rendering, SDK/OpenAPI shape, and snapshots.

PR 4: Desktop/app manual-port

Purpose: Manually port desktop/app behavior fixes where PawWork's product and package layout differ from upstream. Do not include HttpApi terminal/auth/CSP migration work here.

Include by behavior, not by path:

• fix(desktop): Path mismatches cause sessions missing + strong ID + existing data fix anomalyco/opencode#25013 desktop path mismatch and missing sessions
• fix: invert *_ready getters to fix server status indicator anomalyco/opencode#25077 invert *_ready getters to fix provider/MCP/LSP server status indicators, manual-port check against PawWork app sync stores
• fix(desktop): Prevent Model response Interruption when opening settings dialog anomalyco/opencode#25114 settings dialog should not interrupt model response
• fix: update provider store after loading providers in bootstrap anomalyco/opencode#25236 provider store updated after bootstrap loading providers
• fix(desktop): limit zoom handler to zoom keys anomalyco/opencode#25516 limit zoom handler to zoom keys
• fix(app): prevent terminal recovery loops anomalyco/opencode#25710 terminal recovery loop prevention, app-side recovery only
• fix(desktop): stabilize Windows titlebar zoom anomalyco/opencode#25813 Windows titlebar zoom stability
• fix(desktop): trust system certificates anomalyco/opencode#25837 trust system certificates
• fix(desktop): respect proxy environment anomalyco/opencode#25846 respect proxy environment
• fix(desktop): add error handling to store-get IPC handler anomalyco/opencode#25850 store-get IPC error handling
• fix(ui): preserve SVG tags in DOMPurify config for KaTeX math rendering anomalyco/opencode#25866 DOMPurify SVG tags for KaTeX, security-sensitive sanitizer review
• fix(app): require query functions for sync queries anomalyco/opencode#25939 require query functions for sync queries
• fix(desktop): suppress browser API Sentry errors in prod anomalyco/opencode#25972 suppress BrowserApiErrors Sentry noise in prod desktop, only if PawWork uses comparable telemetry path
• fix(desktop): disable auto install on app quit anomalyco/opencode#25976 disable updater auto-install-on-quit, product/update-policy review
• fix(desktop): suppress EPIPE errors in console transport anomalyco/opencode#25980 suppress EPIPE errors in console transport
• chore(desktop): add @parcel/watcher platform packages to optionalDependencies anomalyco/opencode#25996 @parcel/watcher optional deps, likely relevant because PawWork packages watcher deps
• feat(desktop): implement clipboard write permission handling anomalyco/opencode#25998 clipboard write permission handling, security review

Moved out of PR 4 into PR 5:

• fix(server): support desktop PTY websockets with HttpApi anomalyco/opencode#25598 desktop PTY websockets with HttpApi
• fix(server): serve embedded UI from bunfs anomalyco/opencode#25632 embedded UI from bunfs
• feat(server): pty websocket auth tickets anomalyco/opencode#25660 PTY websocket auth tickets
• fix(opencode): strip transfer-encoding in UI proxy and allow public manifest assets anomalyco/opencode#25698 UI proxy transfer-encoding/public manifest/PTY token directory fixes
• fix(server): restore web terminal CSP allowances anomalyco/opencode#25937 restore web terminal CSP allowances

Explicit defer/skip:

• desktop: sentry integration anomalyco/opencode#15300 Sentry desktop integration. Defer or handle in a separate product/privacy review.
• Disable Windows update code signature verification anomalyco/opencode#24905 disable Windows updater code signature verification. Separate security policy review only.
• refactor(desktop): consolidate desktop-electron into desktop package anomalyco/opencode#25822 and fix(desktop): update main process anomalyco/opencode#25825 desktop package consolidation. Skip/defer unless PawWork intentionally migrates desktop package structure.
• fix(server): allow all connect-src origins in CSP for embedded UI anomalyco/opencode#25838 connect-src * CSP expansion. Do not take alone; review only with #25937 and PawWork security policy.

Minimum verification:

• bun run dev:desktop for visible desktop/app behavior.
• Send a prompt, open settings while the model is responding, and confirm the response is not interrupted.
• Provider/MCP/LSP status readiness semantics match actual loading state.
• Desktop provider list/bootstrap state still updates.
• Terminal recovery does not loop on stale app-side state.
• Proxy/cert behavior smoke where practical.
• IPC error paths return safe values.
• CSP/sanitizer review covers KaTeX/SVG rendering and event-handler stripping.
• Clipboard permission handling is reviewed as a security surface.

PR 5: Effect/HttpApi migration series

Purpose: Continue the Effect/HttpApi line PawWork already partially adopted, but keep it as a grouped migration. Do not flip production listener until parity is proven.

This is one tracked migration phase in #477, but implementation may need internal sub-PRs.

Foundation/context chain

• Prepare Effect HttpApi backend parity anomalyco/opencode#24853 big HttpApi backend parity route/handler creation, grouped with Effect foundation
• refactor(session): yield instance context in llm anomalyco/opencode#25200 yield instance context in LLM
• fix(httpapi): install Instance ALS for adapter Promise bridge anomalyco/opencode#25417 adapter Promise ALS bridge
• fix(instance): restore InstanceBootstrap init parameter for non-Effec… anomalyco/opencode#25449 restore InstanceBootstrap init parameter
• fix(instance): run bootstrap from instance store anomalyco/opencode#25475 run bootstrap from instance store

HttpApi/provider/auth/parity chain

• fix(httpapi): preserve provider oauth authorize parity anomalyco/opencode#24703 provider OAuth authorize parity
• fix(httpapi): wire global and control handlers anomalyco/opencode#24835 global and control handlers wired into HttpApi
• refactor: use Effect config for HttpApi authorization anomalyco/opencode#25035 Effect config for HttpApi authorization
• refactor(httpapi): preserve typed errors in session prompt handlers anomalyco/opencode#25181 typed errors preserved in session prompt handlers
• fix(httpapi): omit absent optional response fields anomalyco/opencode#25214 omit absent optional response fields
• fix(session): use finite archived timestamp schema anomalyco/opencode#25275 finite archived timestamp schema
• fix(httpapi): preserve OpenAPI parameter parity anomalyco/opencode#25291 OpenAPI parameter parity
• test(httpapi): add route exerciser coverage anomalyco/opencode#25437 route exerciser coverage, reference/test anchor
• fix(httpapi): pagination Link header echoes request host anomalyco/opencode#25527 pagination Link header host parity
• fix(session): encode v2 session responses anomalyco/opencode#25528 v2 session response encoding
• fix(httpapi): add basic auth challenge for browser login anomalyco/opencode#25588 Basic Auth browser challenge
• fix: ensure effect server middleware properly parses errors anomalyco/opencode#25717 Effect server middleware error parsing
• fix(server): provide fresh ConfigProvider per HttpApi listener anomalyco/opencode#25726 fresh ConfigProvider per HttpApi listener
• Type session not-found errors anomalyco/opencode#25818 typed session not-found errors

HttpApi desktop-terminal/auth/CSP chain

• fix(server): support desktop PTY websockets with HttpApi anomalyco/opencode#25598 desktop PTY websockets with HttpApi
• fix(server): serve embedded UI from bunfs anomalyco/opencode#25632 embedded UI from bunfs, only if applicable to PawWork package/runtime layout
• feat(server): pty websocket auth tickets anomalyco/opencode#25660 PTY websocket auth tickets
• fix(opencode): strip transfer-encoding in UI proxy and allow public manifest assets anomalyco/opencode#25698 UI proxy transfer-encoding/public manifest/PTY token directory fixes
• fix(server): restore web terminal CSP allowances anomalyco/opencode#25937 restore web terminal CSP allowances

CLI/effectCmd chain

• feat(cli): add effectCmd wrapper + convert models command anomalyco/opencode#25429 introduce effectCmd and convert models command
• feat(cli): add instance: false opt-out to effectCmd anomalyco/opencode#25507 instance: false opt-out for effectCmd
• refactor(cli): convert web + account to effectCmd (instance: false) anomalyco/opencode#25512 convert web/account to effectCmd
• refactor(cli): convert debug wait, agent list, acp to effectCmd anomalyco/opencode#25518 convert debug wait / agent list / ACP to effectCmd
• refactor(cli): convert github subcommands to effectCmd anomalyco/opencode#25522 convert github subcommands to effectCmd
• refactor(cli): convert agent / providers / mcp to effectCmd anomalyco/opencode#25525 convert agent/providers/MCP to effectCmd
• refactor(cli/mcp+agent): Stage 4 — drop AppRuntime.runPromise bridges anomalyco/opencode#25530 drop AppRuntime bridges from MCP/agent
• refactor(cli/providers): Stage 4 — drop inline AppRuntime.runPromise calls anomalyco/opencode#25532 drop inline AppRuntime bridges from providers
• refactor(cli/providers): flatten — Effect-native handlers end-to-end anomalyco/opencode#25537 flatten provider handlers to Effect-native shape
• fix(cli): bridge Instance.current ALS in effectCmd handlers (regression from #25522) anomalyco/opencode#25546 bridge Instance.current ALS in effectCmd handlers, regression fix from #25522
• refactor(cli): effectify provider commands anomalyco/opencode#25633 effectify provider commands

Listener/OpenAPI switch chain, last

• refactor(server): extract Hono-coupled utilities to backend-neutral modules anomalyco/opencode#25542 extract Hono-coupled utilities to backend-neutral modules
• feat(server): Server.openapi() backed by HttpApi spec, parity-checked against Hono output anomalyco/opencode#25545 Server.openapi() backed by HttpApi spec
• feat(server): native HttpApi listener with Bun.serve + WS upgrade anomalyco/opencode#25547 native HttpApi listener is context/last-stage only. Do not make it the first implementation target.

Context-only feature/schema chain

• Refactor v2 session events as schemas anomalyco/opencode#24512 v2 session events as schemas
• feat(core): store relative path for sessions anomalyco/opencode#24704 session relative path field
• feat(core): filter sessions by path and add setting to disable anomalyco/opencode#24849 session filtering by path
• feat(core): session warping anomalyco/opencode#25768 session warping

These are feature/schema/data-contract changes. Do not mix them into provider/runtime hotfix sync.

Minimum verification:

• Hono vs HttpApi route inventory parity.
• Provider OAuth authorize parity and API-key/OAuth edge cases.
• Request body/query/header/status/JSON shape parity.
• Error shape parity, including typed prompt errors and typed 404/not-found errors.
• OpenAPI parameter and optional/null field parity.
• SSE event stream parity.
• PTY websocket parity, including auth tickets.
• Basic auth/browser challenge, provider OAuth, MCP OAuth.
• Workspace routing and proxy HTTP/WS.
• CORS/CSP for PawWork renderer origin.
• CLI commands affected by effectCmd, especially github, providers, mcp, agent, account, web, serve, and nested Instance.current paths.

Rollback boundary:

• Keep OPENCODE_EXPERIMENTAL_HTTPAPI / equivalent fallback off until parity is green. Listener/OpenAPI source switch should be the last reversible step after a release-cycle fallback exists.

Range advancement watchlist, not current take

These are not current aa3c99a3c0 merged-range items. Re-evaluate only after moving the upstream head beyond aa3c99a3c0:

• fix: inject cache_control on content blocks for openai-compatible Bedrock proxies (Bifrost, LiteLLM) anomalyco/opencode#25985 Bifrost/LiteLLM OpenAI-compatible Bedrock cache_control
• fix(opencode): recover malformed GLM/NVIDIA tool calls anomalyco/opencode#25971 GLM/NVIDIA malformed tool-call recovery
• fix(opencode): default temperature for openai-compatible config models anomalyco/opencode#25919 OpenAI-compatible config model temperature
• fix(provider): preserve anthropic provider-executed tool pairs anomalyco/opencode#25861 Anthropic provider-executed tool pairs
• fix(session): retry Codex server_is_overloaded stream errors anomalyco/opencode#25728 Codex nested overload retry
• fix(provider): generate fallback ID for tool calls missing 'id' in streaming anomalyco/opencode#25925 fallback ID for missing tool-call id, closed/unmerged background only

Recommended execution order

1. PR 1 Provider/model hotfix
2. PR 2 Auth/client credential hotfix
3. PR 3 Runtime/session/tool safety
4. PR 4 Desktop/app manual-port
5. PR 5 Effect/HttpApi migration series

If PR 3 becomes too large during implementation, split codesearch cleanup or VCS diff memory into a separate sub-PR. If PR 5 becomes too large, split it internally by chain, but keep the ordering and listener-last gate.

[Astro-Han]

Issue 477 Provider Model Hotfix Implementation Plan

For agentic workers: REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. If using subagents for review or patch-id checks, also use superpowers:subagent-driven-development. Keep checkbox state updated as each step completes.

Goal: Port the PR 1 provider transform and model catalog hotfix slice from upstream anomalyco/opencode range 17701628bd4370067a1e2613043a9da14f8e302f...aa3c99a3c0a609ea4dd485355627e3161251584a into PawWork, without mixing in auth/client, desktop/app, runtime/session payload/retry, or HttpApi listener work.

Architecture: PawWork keeps its product/app/desktop fork intact and ports only the upstream provider-facing behavior that affects model resolution, variant generation, provider option routing, SDK adapter selection, and provider-specific transcript conversion. Most changes land in packages/opencode/src/provider/* and provider/plugin tests. The only planned non-provider source touch is the Bedrock reasoning transcript conversion in packages/opencode/src/session/message-v2.ts, because upstream #25303 is provider-specific and already has a narrow regression test.

Tech Stack: Bun, TypeScript, Effect, AI SDK provider adapters, PawWork packages/opencode.

---

Scope

Include these upstream PRs after local patch-id and file-content confirmation:

• #24630 custom OpenAI-compatible DeepSeek defaults interleaved reasoning_content.
• #24642 disable tool streaming for non-Anthropic models routed through Anthropic SDK.
• #24730 Moonshot/Kimi tool schema sanitizer.
• #24734 GitHub Copilot remote variants from API.
• #24996 and #25887 Mistral Medium 3.5 reasoning variants.
• #25007 Azure defaults and request-id stripping aligned with OpenAI reasoning behavior.
• #25012 looser DeepSeek model detection, only if PawWork's current helper does not already cover the same behavior.
• #25145 dotted provider ID providerOptions key routing.
• #25157 Codex OAuth model filtering via provider model hook.
• #25167 user config precedence over plugin model hooks.
• #25303 Bedrock reasoning transcript conversion when switching models.
• #25573 Cloudflare AI Gateway openaiCompatible provider options and variants.
• #25640 allow Codex Spark with Codex OAuth.
• #25721 Azure SDK model selection works when Anthropic SDK shape is present.

Explicitly exclude from this PR:

• Auth/client credential fixes: #25529, #25591, #25592, #25596, #25600, #25636.
• Runtime/session payload/retry fixes: #21114, #25241, #25888, #25934, and related serialization/replay tests.
• Desktop/app/manual-port work, including terminal auth, CSP, certificates, proxy, updater, IPC, and app sync status.
• HttpApi parity, Effect foundation, effectCmd, listener, OpenAPI, PTY websocket ticket, and embedded UI proxy work.
• Go console/provider limit updates #24592 and #25969 unless PawWork explicitly uses those console routes in this slice. Record them as defer/context if not applicable.
• Old-boundary items such as #24573 and #24482; verify them against prior sync evidence, but do not include them here unless previous sync missed them.

File Boundaries

Expected source files:

• packages/opencode/src/provider/transform.ts
  • SDK key mapping for dotted provider IDs and Cloudflare AI Gateway.
  • DeepSeek, Anthropic SDK, Kimi/Moonshot, Mistral, OpenAI-family, Cloudflare AI Gateway, Azure variant/option behavior.
• packages/opencode/src/provider/provider.ts
  • Custom provider model normalization.
  • Plugin model hook ordering relative to user config.
  • Azure SDK model selection helper.
  • Request body id stripping for OpenAI/Azure.
• packages/opencode/src/plugin/codex.ts
  • Codex OAuth model filtering and zero-cost/limit adjustments via provider.models.
  • gpt-5.3-codex-spark allowlist.
• packages/opencode/src/plugin/github-copilot/models.ts
  • Remote API variant construction and refresh behavior.
• packages/opencode/src/session/message-v2.ts
  • Bedrock reasoning part conversion when replaying to a different model.

Expected tests:

• packages/opencode/test/provider/transform.test.ts
• packages/opencode/test/provider/provider.test.ts
• packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts
• packages/opencode/test/plugin/codex.test.ts
• packages/opencode/test/plugin/github-copilot-models.test.ts
• packages/opencode/test/session/message-v2.test.ts

Do not touch packages/app, packages/desktop-electron, packages/ui, server listener files, generated SDK/OpenAPI files, or desktop packaging files in this PR.

Implementation Tasks

1. Baseline and Absorption Check

• Confirm branch is not dev:

  git status --short --branch

• Re-run patch equivalence for this slice:

  git cherry -v origin/dev sst/dev 17701628bd4370067a1e2613043a9da14f8e302f... \
    | rg '#(24630|24642|24730|24734|24996|25007|25012|25145|25157|25167|25303|25573|25640|25721|25887)'

• For every + result, inspect the upstream diff before editing:

  for commit in \
    738b3065dc2bf643daa40507061a928299f67d30 \
    c361c2953fb54040273324edd99f19ca94ad62ce \
    528fb1d4041518fb2174d182d0c833cbe915f045 \
    0acac216aeee334d5c7f9e4aa4557a16ad7c7691 \
    639e27c3ce3164480ef6abbb5775285ea0f51aa4 \
    a740d2c66782ef3371146cd55d70920ae9b94daf \
    588261076adba0bc385f60fe18637da53ed03420 \
    a12333310f795b92d524634d7b9e2daab8909dfc \
    b80f52f8ad3173acee143e1355a2ab4585443db1 \
    560baae15d806509f97f4b17a8e5811cf97face1 \
    29ec07700c43c18c7fdfb46a594c1c8e4a1d8524 \
    ca77b8f8e9d59f88c0df626ca4997620f81d2a25 \
    ce89bcb8e238401ea8fee000dc54539057d47dc4 \
    c1f607d206e7d723d8093650559fffb8a144738e \
    576480b5dc3645d97d5418795647751ad4a48309
  do
    git show --stat --oneline "$commit"
  done

• For #25012, compare behavior, not just patch-id. PawWork already has isDeepSeekModelID / deepseekMajorVersion; only change code if model IDs such as DeepSeek-R1, deepseek-v4, and suffixed compatible IDs still miss the intended path.
• Run the current targeted provider tests once to capture the baseline:

  bun test packages/opencode/test/provider/transform.test.ts
  bun test packages/opencode/test/provider/provider.test.ts
  bun test packages/opencode/test/plugin/codex.test.ts
  bun test packages/opencode/test/plugin/github-copilot-models.test.ts
  bun test packages/opencode/test/session/message-v2.test.ts

2. DeepSeek Defaults and Detection

• Add or port a provider test matching upstream #24630: a custom OpenAI-compatible model whose API/model id contains deepseek gets capabilities.interleaved: { field: "reasoning_content" } when there is no existing model and no explicit interleaved override.
• Prove explicit interleaved, such as { field: "reasoning_details" }, is preserved.
• Prove non-OpenAI-compatible DeepSeek-looking models do not get this default.
• Do not introduce options.reasoning defaults in this PR unless a separately verified upstream PR in this range requires it.
• Add transform tests for loose DeepSeek matching. Include lowercase, uppercase, and variant-suffixed IDs.
• Implement the smallest change in packages/opencode/src/provider/provider.ts and, only if needed, packages/opencode/src/provider/transform.ts.
• Verify:

  bun test packages/opencode/test/provider/provider.test.ts
  bun test packages/opencode/test/provider/transform.test.ts

3. Provider Options Keying and Anthropic SDK Tool Streaming

• Add transform tests for dotted provider IDs:

  ProviderTransform.providerOptions(modelWithProviderID("wafer.ai"), { reasoningEffort: "high" })

  Expected key: { wafer: { reasoningEffort: "high" } } for OpenAI/OpenAI-compatible/Anthropic SDK families.
• Add a regression test for a non-Claude model routed through @ai-sdk/anthropic: toolStreaming should default to false.
• Keep provider-specific SDK keys that already exist, such as openai, anthropic, gateway, openrouter, and openaiCompatible.
• Implement in packages/opencode/src/provider/transform.ts.
• Verify:

  bun test packages/opencode/test/provider/transform.test.ts

4. Moonshot/Kimi Tool Schema Sanitizer

• Add tests for Moonshot/Kimi schema sanitization:
  • $ref with sibling keys becomes { $ref: "..." }.
  • Tuple items: [{...}, {...}] collapses to the first item, or {} if empty.
  • Non-Moonshot/Kimi providers keep the original schema shape.
• Implement recursive sanitizer in ProviderTransform.schema.
• Verify:

  bun test packages/opencode/test/provider/transform.test.ts

5. Mistral Medium 3.5 Reasoning Variants

• Add tests for mistral-medium-3.5 and mistral-medium-2604.
• Expected variants should include reasoning-enabled entries matching the existing Mistral reasoning pattern.
• Implement by extending the existing Mistral reasoning ID list or helper, not by adding a one-off branch.
• Verify:

  bun test packages/opencode/test/provider/transform.test.ts

6. Azure Defaults and Azure SDK Selection

• Port #25007 behavior:
  • Azure ProviderTransform.options should set store: false.
  • OpenAI item-id stripping should also apply to @ai-sdk/azure.
  • Keep ids only when body.store === true, not because the provider is Azure.
• Port #25721 behavior:
  • Add selectAzureLanguageModel(sdk, modelID, useChat) helper.
  • Prefer sdk.chat(modelID) when useCompletionUrls is true and sdk.chat exists.
  • Otherwise prefer sdk.responses, then sdk.messages, then sdk.chat, then sdk.languageModel.
• Add tests around the helper behavior through the existing provider loader surface. Do not export a test-only helper unless the current file already uses that pattern.
• Verify:

  bun test packages/opencode/test/provider/provider.test.ts
  bun test packages/opencode/test/provider/transform.test.ts

7. GitHub Copilot Remote Variants

• Add or port tests in packages/opencode/test/plugin/github-copilot-models.test.ts proving:
  • Copilot API reasoning_effort values become variants.
  • Adaptive thinking/budget metadata becomes variants where upstream supports it.
  • Refresh does not leave stale variants behind.
• Update packages/opencode/src/plugin/github-copilot/models.ts.
• Ensure packages/opencode/src/provider/provider.ts does not overwrite API-provided model.variants with generic computed variants.
• Verify:

  bun test packages/opencode/test/plugin/github-copilot-models.test.ts
  bun test packages/opencode/test/provider/provider.test.ts

8. Codex OAuth Model Hook and Spark Allowlist

• Update packages/opencode/test/plugin/codex.test.ts so OAuth filtering is asserted through hooks.provider.models, not through mutation inside auth.loader.
• Add a test proving gpt-5.3-codex-spark remains available under Codex OAuth.
• Keep Codex OAuth model cost at zero and preserve the special temporary gpt-5.5 context/input/output limit.
• Move filtering/cost/limit logic from auth.loader(getAuth, provider) into:

  provider: {
    id: "openai",
    async models(provider, ctx) {
      if (ctx.auth?.type !== "oauth") return provider.models
      // filter allowed models and normalize costs/limits
    },
  }

• Keep auth.loader(getAuth) responsible only for auth headers/fetch behavior.
• Verify:

  bun test packages/opencode/test/plugin/codex.test.ts

9. User Config Precedence Over Plugin Model Hooks

• Add a provider test proving user config models override plugin model-hook output for the same provider/model ID.
• Move plugin provider.models hook application before config provider extension, matching upstream #25167.
• Verify that disabled providers are still skipped before hook execution.
• Verify:

  bun test packages/opencode/test/provider/provider.test.ts
  bun test packages/opencode/test/plugin/codex.test.ts

10. Bedrock Reasoning Replay

• Port the narrow #25303 change in packages/opencode/src/session/message-v2.ts.
• Add or port the regression test where an assistant reasoning part with metadata is replayed to a different model.
• Expected output for differentModel:
  • Non-empty reasoning text becomes a normal assistant text part.
  • Reasoning provider metadata is not forwarded.
  • Tool calls following the reasoning part remain ordered.
• Verify:

  bun test packages/opencode/test/session/message-v2.test.ts

11. Cloudflare AI Gateway Provider Options and Variants

• Add sdkKey("ai-gateway-provider") === "openaiCompatible".
• Add ProviderTransform.providerOptions test:

  expect(result).toEqual({
    openaiCompatible: { reasoningEffort: "high" },
  })

• Add Cloudflare AI Gateway variant tests:
  • OpenAI gpt-5.4 upstream includes none, minimal, low, medium, high, xhigh where release date allows it.
  • OpenAI Codex upstreams include their supported efforts.
  • Non-OpenAI upstreams expose low, medium, high.
  • Non-reasoning models return no variants.
• Add the end-to-end stub-fetch regression test in packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts only if the dependency graph already supports ai-gateway-provider locally. The test should prove reasoning_effort lands in the body sent to https://gateway.ai.cloudflare.com/....
• Prefer no new dependency or lockfile churn in PR 1. If ai-gateway-provider is not already available in PawWork's current dependency graph, replace the Cloudflare AI Gateway E2E with a no-network transform-level regression and record the E2E gap in the PR body. Do not add a new dependency in this provider/model hotfix PR unless maintainers explicitly approve it.
• Verify:

  bun test packages/opencode/test/provider/transform.test.ts
  bun test packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts

12. Final Verification

• Run the full targeted slice:

  bun test packages/opencode/test/provider/transform.test.ts
  bun test packages/opencode/test/provider/provider.test.ts
  bun test packages/opencode/test/plugin/codex.test.ts
  bun test packages/opencode/test/plugin/github-copilot-models.test.ts
  bun test packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts
  bun test packages/opencode/test/session/message-v2.test.ts

• Run package typecheck:

  bun --cwd packages/opencode run typecheck

• Inspect diff boundaries:

  git diff --stat origin/dev...
  git diff --name-only origin/dev...

• Confirm no excluded layer was touched:

  git diff --name-only origin/dev... \
    | rg '^(packages/app|packages/desktop-electron|packages/ui|packages/opencode/src/server|packages/sdk|\\.github)' \
    && exit 1 || true

• If packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts cannot run because the local dependency is absent, do not silently drop coverage. Either add the minimal dependency change in this PR with lockfile review, or replace it with a no-network transform-level test and record the verification gap in the PR body.

Commit Boundaries

Use small reversible commits. Stage explicit paths only.

1. fix(opencode): port provider transform hotfixes
   • DeepSeek, providerOptions, Anthropic SDK, Moonshot/Kimi, Mistral, Azure, Cloudflare transform tests and implementation.
2. fix(opencode): sync provider model hooks
   • Copilot variants, Codex OAuth provider model hook, Codex Spark allowlist, plugin hook ordering.
3. fix(opencode): normalize Bedrock reasoning replay
   • message-v2 Bedrock-specific transcript conversion and test.

If a commit crosses these boundaries, split it before pushing.

PR Body Checklist

The implementation PR must say:

• Which upstream PRs were ported and which were behavior-equivalent already.
• Which upstream PRs were intentionally excluded and where they will land.
• Exact targeted tests run.
• Any dependency or generated-file decision, especially for the Cloudflare AI Gateway end-to-end test.
• Confirmation that no packages/app, packages/desktop-electron, packages/ui, HttpApi listener, generated SDK/OpenAPI, or desktop packaging files were changed.

[Astro-Han]

Issue 477 Auth Client Credential Hotfix Implementation Plan

For agentic workers: REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (- [ ]) syntax for tracking. Keep checkbox state updated as each step completes.

Goal: Port PR Slice 2, the auth/client credential hotfix slice from upstream anomalyco/opencode range 17701628bd4370067a1e2613043a9da14f8e302f...aa3c99a3c0a609ea4dd485355627e3161251584a, into PawWork without mixing in provider/model, runtime/session, desktop packaging, or HttpApi migration work.

Architecture: PawWork should centralize server basic-auth header construction in one ServerAuth helper, then reuse it from CLI, ACP, plugin-internal clients, and app credential utilities. This slice also wraps empty SDK/server error responses into readable Error objects and preserves web startup auth_token credentials when the same server URL already exists in persisted state. Upstream files that do not exist in PawWork, such as packages/opencode/src/cli/cmd/tui/* and HttpApi listener files, must be treated as behavior references, not direct copy targets.

Tech Stack: Bun, TypeScript, Solid app tests, PawWork packages/opencode, PawWork packages/app, generated SDK wrapper in packages/sdk/js/src/v2/client.ts.

---

Scope

Include these upstream PRs after local patch-id and file-content confirmation:

• #25529 auth login command inherits child-process stderr.
• #25591 ACP internal SDK client sends server auth.
• #25592 SDK/CLI surfaces useful errors instead of bare {} for empty or unparseable error bodies.
• #25596 internal clients respect OPENCODE_SERVER_USERNAME, not only the default opencode username.
• #25600 run --attach supports an explicit basic-auth username.
• #25636 app startup preserves auth_token credentials and terminal websocket auth still works when same-origin credentials came from auth_token.

Explicitly exclude from this PR:

• Provider/model changes already landed in PR fix(opencode): sync provider model hotfixes #482.
• Runtime/session/tool safety fixes such as #21114, #24992, #25123, #25581, #25798, #25851.
• Desktop/manual-port work such as updater, proxy, certificate, BrowserApiError, zoom, clipboard, package consolidation, or CSP changes.
• HttpApi listener migration, effectCmd migration, PTY websocket auth tickets, OpenAPI/generated SDK regeneration, and listener switch work.
• Any dependency or lockfile change.

File Boundaries

Expected source files:

• packages/opencode/src/server/auth.ts
  • New small helper for server auth credential normalization, header construction, and decoded credential checks.
• packages/opencode/src/server/middleware.ts
  • Use ServerAuth for existing basic-auth gate while preserving current auth_token query behavior.
• packages/opencode/src/cli/cmd/acp.ts
  • Pass ServerAuth.headers() to the internal SDK client created after Server.listen(...).
• packages/opencode/src/cli/cmd/run.ts
  • Add --username / -u for --attach and use ServerAuth.headers({ password, username }).
• packages/opencode/src/cli/cmd/providers.ts
  • Inherit stderr for well-known provider auth child commands.
• packages/opencode/src/plugin/index.ts
  • Use ServerAuth.headers() for the plugin-internal SDK client.
• packages/opencode/src/util/error.ts
  • Avoid returning bare {} for opaque object errors.
• packages/sdk/js/src/v2/client.ts
  • Wrap empty generated-client error payloads into readable Error objects.
• packages/app/src/context/server.tsx
  • Add a resolver that lets startup auth_token credentials override persisted same-URL entries.
• packages/app/src/entry.tsx
  • Decode URL auth_token into the startup server definition.
• packages/app/src/utils/server.ts
  • Add authTokenFromCredentials(...) and authFromToken(...) helpers.
• packages/app/src/utils/terminal-websocket-url.ts
  • New helper that builds PTY websocket URLs and preserves query auth for same-origin websocket URLs when the credential came from startup auth_token.
• packages/app/src/components/terminal.tsx
  • Pass the authToken marker into terminalWebSocketURL(...).

Expected tests:

• packages/opencode/test/server/auth.test.ts
• packages/opencode/test/util/error.test.ts
• packages/app/src/context/server.test.ts
• packages/app/src/utils/server.test.ts
• packages/app/src/utils/terminal-websocket-url.test.ts

Implementation Tasks

1. Baseline and Absorption Check

Files:

• Read only: local checkout and upstream merge commits.

• Step 1: Confirm branch and repository state

Run:

gh repo view --json nameWithOwner,defaultBranchRef
git status --short --branch

Expected: repo is Astro-Han/pawwork, default branch is dev, and implementation branch is not dev.

• Step 2: Create or switch to the implementation branch in an isolated PawWork checkout

Use Codex App Worktree mode or an already-provided isolated checkout. Do not run git worktree add from this repo.

Run in the isolated checkout:

git switch -c codex/i477-auth-client-hotfix

Expected: branch is codex/i477-auth-client-hotfix.

• Step 3: Re-run patch equivalence for this slice

Run:

git fetch origin dev
git remote -v | rg '^sst\s' || git remote add sst https://github.com/sst/opencode.git
git fetch sst dev
git cherry -v origin/dev sst/dev 17701628bd4370067a1e2613043a9da14f8e302f... \
  | rg '#(25529|25591|25592|25596|25600|25636)'

Expected: every + result needs file-content inspection before implementation. Any - result should be recorded as already patch-equivalent.

• Step 4: Inspect the exact upstream source diffs

Run:

for commit in \
  8e016b4703a37dadaafc5de0a1ba17176b1a06a0 \
  7a503de606888939a64776c512ca4588267bbd8d \
  379600b5ab9ed46043d1674e7fb7c3dbcb9bd4ba \
  8694c5b68fc57e7e1bb8129b72b08e128dce9f17 \
  adb7cb1037d24aa18021133b5993fa81869d8ba0 \
  ca6150d6f092cc8761d6072b0b07b6a7de8748cf
do
  git show --stat --oneline "$commit"
done

Expected: confirm the known upstream touch list and note that PawWork does not currently have upstream packages/opencode/src/cli/cmd/tui/* or the same HttpApi listener files.

• Step 5: Run current targeted tests once before edits

Run:

bun test packages/opencode/test/util/error.test.ts

Expected: existing util error tests pass before adding new regression tests. App auth-token tests are created in Task 5 because the websocket URL helper does not exist in the current checkout.

2. ServerAuth Helper and Server-Side Auth Contract

Files:

• Create: packages/opencode/src/server/auth.ts

• Modify: packages/opencode/src/server/middleware.ts

• Test: packages/opencode/test/server/auth.test.ts

• Step 1: Add the failing ServerAuth tests

Create packages/opencode/test/server/auth.test.ts with this content:

import { afterEach, describe, expect, test } from "bun:test"
import { Option, Redacted } from "effect"
import { Flag } from "@opencode-ai/core/flag/flag"
import { ServerAuth } from "../../src/server/auth"

const original = {
  OPENCODE_SERVER_PASSWORD: Flag.OPENCODE_SERVER_PASSWORD,
  OPENCODE_SERVER_USERNAME: Flag.OPENCODE_SERVER_USERNAME,
}

afterEach(() => {
  Flag.OPENCODE_SERVER_PASSWORD = original.OPENCODE_SERVER_PASSWORD
  Flag.OPENCODE_SERVER_USERNAME = original.OPENCODE_SERVER_USERNAME
})

describe("ServerAuth", () => {
  test("does not emit auth headers without a password", () => {
    Flag.OPENCODE_SERVER_PASSWORD = undefined
    Flag.OPENCODE_SERVER_USERNAME = "alice"

    expect(ServerAuth.header()).toBeUndefined()
    expect(ServerAuth.headers()).toBeUndefined()
  })

  test("defaults to the opencode username", () => {
    Flag.OPENCODE_SERVER_PASSWORD = "secret"
    Flag.OPENCODE_SERVER_USERNAME = undefined

    expect(ServerAuth.headers()).toEqual({
      Authorization: `Basic ${Buffer.from("opencode:secret").toString("base64")}`,
    })
  })

  test("uses the configured username", () => {
    Flag.OPENCODE_SERVER_PASSWORD = "secret"
    Flag.OPENCODE_SERVER_USERNAME = "alice"

    expect(ServerAuth.headers()).toEqual({
      Authorization: `Basic ${Buffer.from("alice:secret").toString("base64")}`,
    })
  })

  test("prefers explicit credentials", () => {
    Flag.OPENCODE_SERVER_PASSWORD = "secret"
    Flag.OPENCODE_SERVER_USERNAME = "alice"

    expect(ServerAuth.headers({ password: "cli-secret", username: "bob" })).toEqual({
      Authorization: `Basic ${Buffer.from("bob:cli-secret").toString("base64")}`,
    })
  })

  test("validates decoded credentials against config", () => {
    const config = { password: Option.some("secret"), username: "alice" }

    expect(ServerAuth.required(config)).toBe(true)
    expect(ServerAuth.authorized({ username: "alice", password: Redacted.make("secret") }, config)).toBe(true)
    expect(ServerAuth.authorized({ username: "opencode", password: Redacted.make("secret") }, config)).toBe(false)
  })
})

• Step 2: Run the new test to verify it fails

Run:

bun test packages/opencode/test/server/auth.test.ts

Expected: FAIL because packages/opencode/src/server/auth.ts does not exist.

• Step 3: Add the ServerAuth helper

Create packages/opencode/src/server/auth.ts with this content:

export * as ServerAuth from "./auth"

import { Flag } from "@opencode-ai/core/flag/flag"
import { Option, Redacted } from "effect"

export type Credentials = {
  password?: string
  username?: string
}

export type ConfigInfo = {
  password: Option.Option<string>
  username: string
}

export type DecodedCredentials = {
  readonly username: string
  readonly password: Redacted.Redacted
}

export function required(config: ConfigInfo) {
  return Option.isSome(config.password) && config.password.value !== ""
}

export function authorized(credentials: DecodedCredentials, config: ConfigInfo) {
  return (
    Option.isSome(config.password) &&
    credentials.username === config.username &&
    Redacted.value(credentials.password) === config.password.value
  )
}

export function header(credentials?: Credentials) {
  const password = credentials?.password ?? Flag.OPENCODE_SERVER_PASSWORD
  if (!password) return undefined

  const username = credentials?.username ?? Flag.OPENCODE_SERVER_USERNAME ?? "opencode"
  return `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`
}

export function headers(credentials?: Credentials) {
  const authorization = header(credentials)
  if (!authorization) return undefined
  return { Authorization: authorization }
}

• Step 4: Run the helper test to verify it passes

Run:

bun test packages/opencode/test/server/auth.test.ts

Expected: PASS.

• Step 5: Wire middleware to the helper without changing query-token behavior

Open packages/opencode/src/server/middleware.ts. Keep the current behavior where auth_token query is converted to authorization, but replace repeated password/username checks with ServerAuth.

The auth decision should keep this shape:

import { Option, Redacted } from "effect"
import { ServerAuth } from "./auth"

// inside the existing middleware callback:
if (c.req.query("auth_token")) c.req.raw.headers.set("authorization", `Basic ${c.req.query("auth_token")}`)

const password = Flag.OPENCODE_SERVER_PASSWORD
if (!password) return next()

const header = c.req.header("authorization")
if (!header?.startsWith("Basic ")) return c.text("Unauthorized", 401)

const decoded = Buffer.from(header.slice("Basic ".length), "base64").toString("utf8")
const separator = decoded.indexOf(":")
if (separator === -1) return c.text("Unauthorized", 401)

const config = {
  password: Option.some(password),
  username: Flag.OPENCODE_SERVER_USERNAME ?? "opencode",
}
const credentials = {
  username: decoded.slice(0, separator),
  password: Redacted.make(decoded.slice(separator + 1)),
}
if (!ServerAuth.authorized(credentials, config)) return c.text("Unauthorized", 401)
return next()

• Step 6: Run server auth tests again

Run:

bun test packages/opencode/test/server/auth.test.ts

Expected: PASS.

3. CLI, ACP, Plugin Internal Clients, and Provider Login stderr

Files:

• Modify: packages/opencode/src/cli/cmd/acp.ts

• Modify: packages/opencode/src/cli/cmd/run.ts

• Modify: packages/opencode/src/cli/cmd/providers.ts

• Modify: packages/opencode/src/plugin/index.ts

• Test: packages/opencode/test/server/auth.test.ts

• Step 1: Update ACP internal client auth

In packages/opencode/src/cli/cmd/acp.ts, import ServerAuth:

import { ServerAuth } from "@/server/auth"

Then change the internal SDK client creation to:

const sdk = createOpencodeClient({
  baseUrl: `http://${server.hostname}:${server.port}`,
  headers: ServerAuth.headers(),
})

• Step 2: Add run --attach --username support

In packages/opencode/src/cli/cmd/run.ts, import ServerAuth:

import { ServerAuth } from "../../server/auth"

In the yargs builder, directly after the existing password option, add:

.option("username", {
  alias: ["u"],
  type: "string",
  describe: "basic auth username (defaults to OPENCODE_SERVER_USERNAME or 'opencode')",
})

In the if (args.attach) block, replace local Basic header construction with:

const headers = ServerAuth.headers({ password: args.password, username: args.username })
const sdk = createOpencodeClient({ baseUrl: args.attach, directory, headers })
return await execute(sdk)

• Step 3: Update plugin-internal client auth

In packages/opencode/src/plugin/index.ts, import ServerAuth:

import { ServerAuth } from "@/server/auth"

In the internal createOpencodeClient(...) call, replace inline Authorization construction with:

headers: ServerAuth.headers(),

Keep the existing fetch: async (...args) => (await Server.Default()).app.fetch(...args) shape if that is the current local shape.

• Step 4: Inherit stderr for well-known provider auth commands

In packages/opencode/src/cli/cmd/providers.ts, inside the ProvidersLoginCommand path for args.url, change the child process spawn options to:

const proc = Process.spawn(wellknown.auth.command, {
  stdout: "pipe",
  stderr: "inherit",
})

This ports #25529 without changing provider selection, plugin auth, or stored credential shape.

• Step 5: Run focused auth helper tests and typecheck for CLI compile coverage

Run:

bun test packages/opencode/test/server/auth.test.ts
bun --cwd packages/opencode run typecheck

Expected: server auth tests pass and tsgo --noEmit completes successfully.

• Step 6: Record run --attach --username wiring as a review or smoke check

If there is no existing CLI test harness for RunCommand, add this PR body verification note:

Manual/code-review verification: `run --attach` now defines `--username/-u` and passes `args.username` into `ServerAuth.headers({ password: args.password, username: args.username })`; `ServerAuth` focused tests cover `alice:secret` style explicit credentials.

• Step 7: Commit the server/CLI auth part

Run:

git diff --stat
git diff -- packages/opencode/src/server/auth.ts packages/opencode/src/server/middleware.ts packages/opencode/src/cli/cmd/acp.ts packages/opencode/src/cli/cmd/run.ts packages/opencode/src/cli/cmd/providers.ts packages/opencode/src/plugin/index.ts packages/opencode/test/server/auth.test.ts
git add packages/opencode/src/server/auth.ts packages/opencode/src/server/middleware.ts packages/opencode/src/cli/cmd/acp.ts packages/opencode/src/cli/cmd/run.ts packages/opencode/src/cli/cmd/providers.ts packages/opencode/src/plugin/index.ts packages/opencode/test/server/auth.test.ts
git commit -m "fix(opencode): sync auth client credentials"

Expected: one commit containing only server, CLI, plugin auth helper wiring, and its focused test.

4. Readable SDK and CLI Errors for Empty Error Bodies

Files:

• Modify: packages/opencode/src/util/error.ts

• Modify: packages/opencode/test/util/error.test.ts

• Modify: packages/sdk/js/src/v2/client.ts

• Step 1: Add failing opaque-error tests

Append this test to packages/opencode/test/util/error.test.ts:

test("never returns bare {} for opaque object errors", () => {
  expect(errorFormat({})).not.toBe("{}")
  expect(errorFormat({})).toContain("no message")

  class OpaqueError {}
  const opaque = new OpaqueError()
  Object.defineProperty(opaque, "secret", { value: "hidden", enumerable: false })

  expect(errorFormat(opaque)).not.toBe("{}")
  expect(errorFormat(opaque)).toContain("OpaqueError")
})

• Step 2: Run the util error test to verify it fails

Run:

bun test packages/opencode/test/util/error.test.ts

Expected: FAIL because errorFormat({}) currently returns {} or errorData(...).formatted can still become {}.

• Step 3: Update error formatting

In packages/opencode/src/util/error.ts, update the object branch in errorFormat(...) to:

if (typeof error === "object" && error !== null) {
  try {
    const json = JSON.stringify(error, null, 2)
    if (json === "{}") {
      const str = String(error)
      if (str && str !== "[object Object]") return str
      const ctor = error.constructor?.name
      const prefix = ctor && ctor !== "Object" ? ctor : "Error"
      const names = Object.getOwnPropertyNames(error)
      return names.length === 0 ? `${prefix} (no message)` : `${prefix} { ${names.join(", ")} }`
    }
    return json
  } catch {
    return "Unexpected error (unserializable)"
  }
}

Then update errorMessage(...) so the formatted fallback is accepted whenever it is non-empty:

const formatted = errorFormat(error)
if (formatted) return formatted
return "unknown error"

Then update errorData(...) to set formatted: errorFormat(error) in every branch instead of using a separate formatter fallback.

• Step 4: Wrap empty generated-client errors

In packages/sdk/js/src/v2/client.ts, after the existing response interceptor and before return new OpencodeClient({ client }), add:

client.interceptors.error.use((error, response, request) => {
  const isEmpty =
    error === undefined ||
    error === null ||
    error === "" ||
    (typeof error === "object" && !(error instanceof Error) && Object.keys(error).length === 0)

  if (!isEmpty) return error

  const method = request?.method ?? "?"
  const url = request?.url ?? "?"
  if (!response) return new Error(`opencode server ${method} ${url}: network error (no response)`)

  const statusText = response.statusText ? " " + response.statusText : ""
  return new Error(`opencode server ${method} ${url} -> ${response.status}${statusText}: (empty response body)`)
})

Use ASCII -> in PawWork instead of a unicode arrow so this file stays ASCII.

• Step 5: Run focused tests and package typecheck

Run:

bun test packages/opencode/test/util/error.test.ts
bun --cwd packages/opencode run typecheck

Expected: util error tests pass and package typecheck completes successfully.

• Step 6: Record SDK empty-error behavior verification

If this slice does not add a dedicated SDK wrapper test, add this explicit PR body verification note:

Manual/code-review verification: `packages/sdk/js/src/v2/client.ts` wraps only empty generated-client error payloads into `Error`; parsed JSON error bodies are returned unchanged by `if (!isEmpty) return error`.

• Step 7: Commit readable error handling

Run:

git diff --stat
git diff -- packages/opencode/src/util/error.ts packages/opencode/test/util/error.test.ts packages/sdk/js/src/v2/client.ts
git add packages/opencode/src/util/error.ts packages/opencode/test/util/error.test.ts packages/sdk/js/src/v2/client.ts
git commit -m "fix(opencode): surface empty server errors"

Expected: one commit containing only error formatting and SDK empty-error wrapping.

5. App Startup auth_token Preservation and Terminal Websocket Auth

Files:

• Modify: packages/app/src/context/server.tsx

• Modify: packages/app/src/entry.tsx

• Modify: packages/app/src/utils/server.ts

• Create: packages/app/src/utils/terminal-websocket-url.ts

• Modify: packages/app/src/components/terminal.tsx

• Test: packages/app/src/context/server.test.ts

• Test: packages/app/src/utils/server.test.ts

• Test: packages/app/src/utils/terminal-websocket-url.test.ts

• Step 1: Add credential token helper tests

Create packages/app/src/utils/server.test.ts with this content:

import { describe, expect, test } from "bun:test"
import { authFromToken, authTokenFromCredentials } from "./server"

describe("authFromToken", () => {
  test("decodes basic auth credentials from auth_token", () => {
    expect(authFromToken(btoa("kit:secret"))).toEqual({ username: "kit", password: "secret" })
  })

  test("defaults blank username to opencode", () => {
    expect(authFromToken(btoa(":secret"))).toEqual({ username: "opencode", password: "secret" })
  })

  test("ignores malformed tokens", () => {
    expect(authFromToken("not base64")).toBeUndefined()
    expect(authFromToken(btoa("missing-separator"))).toBeUndefined()
  })
})

describe("authTokenFromCredentials", () => {
  test("encodes credentials with the default username", () => {
    expect(authTokenFromCredentials({ password: "secret" })).toBe(btoa("opencode:secret"))
  })
})

• Step 2: Add server list resolution tests

Create packages/app/src/context/server.test.ts with this content:

import { describe, expect, test } from "bun:test"
import { resolveServerList, ServerConnection } from "./server"

describe("resolveServerList", () => {
  test("lets startup auth_token credentials override a persisted same-url server", () => {
    const list = resolveServerList({
      stored: [{ url: "https://server.example.test" }],
      props: [
        {
          type: "http",
          authToken: true,
          http: {
            url: "https://server.example.test",
            username: "opencode",
            password: "secret",
          },
        },
      ],
    })

    expect(list).toHaveLength(1)
    expect(list[0]?.type).toBe("http")
    expect(list[0]?.http).toEqual({
      url: "https://server.example.test",
      username: "opencode",
      password: "secret",
    })
    expect(list[0]?.type === "http" ? list[0].authToken : false).toBe(true)
    expect(ServerConnection.key(list[0]!) as string).toBe("https://server.example.test")
  })

  test("keeps persisted credentials when startup has no auth_token", () => {
    const list = resolveServerList({
      stored: [
        {
          url: "https://server.example.test",
          username: "opencode",
          password: "saved",
        },
      ],
      props: [{ type: "http", http: { url: "https://server.example.test" } }],
    })

    expect(list).toHaveLength(1)
    expect(list[0]?.type).toBe("http")
    expect(list[0]?.http).toEqual({
      url: "https://server.example.test",
      username: "opencode",
      password: "saved",
    })
    expect(list[0]?.type === "http" ? list[0].authToken : true).toBeUndefined()
  })
})

• Step 3: Create the full terminal websocket URL helper contract test

Create packages/app/src/utils/terminal-websocket-url.test.ts with this content. PawWork currently does not have this helper or test file, so this step must create the full contract instead of appending to an existing file:

import { describe, expect, test } from "bun:test"
import { terminalWebSocketURL } from "./terminal-websocket-url"

describe("terminalWebSocketURL", () => {
  test("uses query auth for non-same-origin saved credentials", () => {
    const url = terminalWebSocketURL({
      url: "https://server.example.test",
      id: "pty_test",
      directory: "/tmp/project",
      cursor: 10,
      sameOrigin: false,
      username: "opencode",
      password: "secret",
    })

    expect(url.protocol).toBe("wss:")
    expect(url.pathname).toBe("/pty/pty_test/connect")
    expect(url.searchParams.get("directory")).toBe("/tmp/project")
    expect(url.searchParams.get("cursor")).toBe("10")
    expect(url.searchParams.get("auth_token")).toBe(btoa("opencode:secret"))
  })

  test("omits query auth for same-origin saved credentials", () => {
    const url = terminalWebSocketURL({
      url: "https://app.example.test",
      id: "pty_test",
      directory: "/tmp/project",
      cursor: 10,
      sameOrigin: true,
      username: "opencode",
      password: "secret",
    })

    expect(url.protocol).toBe("wss:")
    expect(url.searchParams.has("auth_token")).toBe(false)
  })

  test("uses query auth for same-origin credentials from auth_token", () => {
    const url = terminalWebSocketURL({
      url: "https://app.example.test",
      id: "pty_test",
      directory: "/tmp/project",
      cursor: 10,
      sameOrigin: true,
      username: "opencode",
      password: "secret",
      authToken: true,
    })

    expect(url.protocol).toBe("wss:")
    expect(url.searchParams.get("auth_token")).toBe(btoa("opencode:secret"))
  })
})

• Step 4: Run the new app tests to verify they fail

Run:

bun test packages/app/src/utils/server.test.ts packages/app/src/context/server.test.ts packages/app/src/utils/terminal-websocket-url.test.ts

Expected: FAIL because authFromToken, authTokenFromCredentials, resolveServerList, and terminalWebSocketURL(...) are not implemented yet.

• Step 5: Add app credential helpers

In packages/app/src/utils/server.ts, add these helpers above createSdkForServer(...):

import { decode64 } from "@/utils/base64"

export function authTokenFromCredentials(input: { username?: string; password: string }) {
  return btoa(`${input.username ?? "opencode"}:${input.password}`)
}

export function authFromToken(token: string | null) {
  const decoded = decode64(token ?? undefined)
  if (!decoded) return
  const separator = decoded.indexOf(":")
  if (separator === -1) return
  return {
    username: decoded.slice(0, separator) || "opencode",
    password: decoded.slice(separator + 1),
  }
}

Then change the existing Basic auth header in createSdkForServer(...) to:

Authorization: `Basic ${authTokenFromCredentials({ username: server.username, password: server.password })}`,

• Step 6: Add server list resolver and authToken marker

In packages/app/src/context/server.tsx, add this exported resolver before export namespace ServerConnection:

export function resolveServerList(input: {
  props?: Array<ServerConnection.Any>
  stored: StoredServer[]
}): Array<ServerConnection.Any> {
  const servers = [
    ...input.stored.map((value) =>
      typeof value === "string"
        ? {
            type: "http" as const,
            http: { url: value },
          }
        : value,
    ),
    ...(input.props ?? []),
  ]

  const deduped = new Map<ServerConnection.Key, ServerConnection.Any>()
  for (const value of servers) {
    const conn: ServerConnection.Any = "type" in value ? value : { type: "http", http: value }
    const key = ServerConnection.key(conn)
    if (deduped.has(key) && conn.type === "http" && !conn.authToken) continue
    deduped.set(key, conn)
  }

  return [...deduped.values()]
}

Add authToken?: boolean to ServerConnection.Http:

export type Http = {
  type: "http"
  http: HttpBase
  authToken?: boolean
} & Base

Replace the current allServers body with:

const allServers = createMemo((): Array<ServerConnection.Any> => {
  return resolveServerList({ stored: store.list, props: props.servers })
})

In add(input: ServerConnection.Http), make sure manually added servers do not persist the marker:

const conn: ServerConnection.Http = { ...input, authToken: undefined, http: { ...input.http, url: url_ } }

• Step 7: Decode startup auth_token in app entry

In packages/app/src/entry.tsx, import authFromToken:

import { authFromToken } from "@/utils/server"

Before creating the server object, read the URL token:

const authToken = new URLSearchParams(location.search).get("auth_token")
const auth = authFromToken(authToken)

Then add URL cleanup immediately after capture so the token is not left in the visible URL or browser history:

const clearAuthToken = () => {
  const params = new URLSearchParams(location.search)
  if (!params.has("auth_token")) return
  params.delete("auth_token")
  history.replaceState(null, "", location.pathname + (params.size ? `?${params}` : "") + location.hash)
}

clearAuthToken()

This must preserve unrelated query params and location.hash. For example, ?auth_token=abc&x=1#h should become ?x=1#h.

Then create the startup server as:

const server: ServerConnection.Http = {
  type: "http",
  authToken: !!auth,
  http: {
    url: getCurrentUrl(),
    ...auth,
  },
}

If testing entry.tsx history manipulation is too heavy in this slice, the PR body must include an explicit manual/code-review verification note that auth_token is removed from the URL after capture while unrelated query params and hash are preserved.

• Step 8: Preserve auth_token for terminal websocket URLs

Create packages/app/src/utils/terminal-websocket-url.ts with this content:

import { authTokenFromCredentials } from "@/utils/server"

export function terminalWebSocketURL(input: {
  url: string
  id: string
  directory: string
  cursor: number
  sameOrigin: boolean
  username: string
  password?: string
  authToken?: boolean
}) {
  const next = new URL(input.url + "/pty/" + input.id + "/connect")
  next.searchParams.set("directory", input.directory)
  next.searchParams.set("cursor", String(input.cursor))
  next.protocol = next.protocol === "https:" ? "wss:" : "ws:"
  if (input.password && (!input.sameOrigin || input.authToken)) {
    next.searchParams.set(
      "auth_token",
      authTokenFromCredentials({ username: input.username, password: input.password }),
    )
  }
  return next
}

In packages/app/src/components/terminal.tsx, replace the inline URL construction in open() with the existing terminalWebSocketURL(...) helper if it is not already used, then pass the marker:

const socket = new WebSocket(
  terminalWebSocketURL({
    url,
    id,
    directory,
    cursor: seek,
    sameOrigin,
    username,
    password,
    authToken: server.current?.type === "http" ? server.current.authToken : false,
  }),
)

If the helper is not currently imported in terminal.tsx, add:

import { terminalWebSocketURL } from "@/utils/terminal-websocket-url"

• Step 9: Run the app tests to verify they pass

Run:

bun test packages/app/src/utils/server.test.ts packages/app/src/context/server.test.ts packages/app/src/utils/terminal-websocket-url.test.ts

Expected: PASS.

• Step 10: Run app typecheck

Run:

bun --cwd packages/app run typecheck

Expected: typecheck completes successfully.

• Step 11: Commit the app credential part

Run:

git diff --stat
git diff -- packages/app/src/context/server.tsx packages/app/src/entry.tsx packages/app/src/utils/server.ts packages/app/src/utils/terminal-websocket-url.ts packages/app/src/components/terminal.tsx packages/app/src/context/server.test.ts packages/app/src/utils/server.test.ts packages/app/src/utils/terminal-websocket-url.test.ts
git add packages/app/src/context/server.tsx packages/app/src/entry.tsx packages/app/src/utils/server.ts packages/app/src/utils/terminal-websocket-url.ts packages/app/src/components/terminal.tsx packages/app/src/context/server.test.ts packages/app/src/utils/server.test.ts packages/app/src/utils/terminal-websocket-url.test.ts
git commit -m "fix(app): preserve auth token server credentials"

Expected: one commit containing only app credential preservation and websocket auth coverage.

6. Final Slice Verification and PR Preparation

Files:

• Read only: final diff, PR template, [Task] Track upstream sync after opencode 17701628bd #477 issue context.

• Step 1: Run full targeted verification

Run:

bun test packages/opencode/test/server/auth.test.ts packages/opencode/test/util/error.test.ts
bun test packages/app/src/utils/server.test.ts packages/app/src/context/server.test.ts packages/app/src/utils/terminal-websocket-url.test.ts
bun --cwd packages/opencode run typecheck
bun --cwd packages/app run typecheck
git diff --check

Expected: all commands pass and git diff --check has no output.

• Step 2: Inspect diff boundaries

Run:

git diff --stat origin/dev...
git diff --name-only origin/dev...
git diff --name-only origin/dev... \
  | rg '^(packages/opencode/src/provider|packages/opencode/test/provider|packages/desktop-electron|packages/ui|packages/opencode/src/server/routes/instance/httpapi|packages/sdk/js/src/v2/gen|bun.lock|package.json|\.github)' \
  && exit 1 || true

Expected: changed files are limited to the planned auth/client/app utility surface. The boundary check should exit successfully with no excluded path output.

• Step 3: Confirm commit boundaries

Run:

git log --oneline origin/dev..HEAD
git show --stat --oneline HEAD~3..HEAD

Expected: commits are reviewable and match the planned boundaries:

fix(opencode): sync auth client credentials
fix(opencode): surface empty server errors
fix(app): preserve auth token server credentials

If the exact number of commits differs because a review follow-up was needed, each commit must still have one reversible intent.

• Step 4: Prepare PR body from the repo template

Read .github/pull_request_template.md, then open a ready PR, not a draft PR, with title:

fix(opencode): sync auth client hotfixes

The PR body must include:

## Summary

- Port the #477 PR Slice 2 auth/client credential hotfixes from upstream opencode.
- Centralize server auth header construction and reuse it from CLI, ACP, plugin clients, and attach flows.
- Surface readable SDK/CLI errors for empty error bodies and preserve app startup auth_token credentials.

## Why

#477 tracks PawWork's upstream opencode sync after 17701628bd. PR #482 already landed the provider/model slice. This PR implements the next bounded auth/client slice while excluding provider/model, runtime/session/tool safety, desktop packaging, HttpApi listener, generated SDK, and dependency changes.

## Related Issue

Refs #477

## Review Focus

- ServerAuth helper behavior for passwordless mode, default username, configured username, and explicit attach credentials.
- Empty SDK/server error wrapping without changing parsed JSON error bodies.
- App startup auth_token override behavior when persisted server state already has the same URL.
- URL cleanup after auth_token capture, preserving unrelated query params and hash.
- Terminal websocket query auth behavior for same-origin credentials that came from auth_token.

## How To Verify

- bun test packages/opencode/test/server/auth.test.ts packages/opencode/test/util/error.test.ts
- bun test packages/app/src/utils/server.test.ts packages/app/src/context/server.test.ts packages/app/src/utils/terminal-websocket-url.test.ts
- bun --cwd packages/opencode run typecheck
- bun --cwd packages/app run typecheck
- git diff --check
- Manual/code-review verification: auth_token is removed from browser history after capture while unrelated query params and hash remain.
- Manual/code-review verification: run --attach --username passes explicit username into the Basic auth header helper.
- Manual/code-review verification: SDK empty-error wrapping changes only empty generated-client error payloads and passes parsed JSON errors through unchanged.

• Step 5: Push and open PR

Run:

git push -u origin codex/i477-auth-client-hotfix
gh pr create --repo Astro-Han/pawwork --base dev --head codex/i477-auth-client-hotfix --title "fix(opencode): sync auth client hotfixes" --body-file /path/to/prepared-pr-body.md

Expected: ready PR created against dev. The PR body uses Refs #477, not Closes #477.

Commit Boundaries

Use small reversible commits. Stage explicit paths only. Never use git add -A.

1. fix(opencode): sync auth client credentials
   • ServerAuth helper, server middleware auth reuse, ACP internal SDK auth, plugin internal SDK auth, run --attach --username, provider login stderr inheritance, and focused server auth test.
2. fix(opencode): surface empty server errors
   • Opaque error formatting and generated v2 SDK empty-error wrapping.
3. fix(app): preserve auth token server credentials
   • App auth token encode/decode helpers, startup server dedupe override, terminal websocket auth query preservation, and focused app tests.

PR Body Checklist

The implementation PR must say:

• Which upstream PRs were ported: #25529, #25591, #25592, #25596, #25600, #25636.
• Which upstream files were behavior references only because PawWork lacks that exact path, especially packages/opencode/src/cli/cmd/tui/* and HttpApi listener files.
• Exact targeted tests and typechecks run.
• Confirmation that no provider/model, runtime/session/tool safety, desktop packaging, HttpApi listener migration, generated SDK, dependency, or lockfile files were changed.
• Confirmation that the PR uses Refs #477, not a closing keyword.