chore: update nix node_modules hashes

Address PR review comments: inline toAccountRepoError and fromRow
helpers, extract ACCOUNT_STATE_ID constant.

AGENTS.md

@@ -122,3 +122,7 @@ const table = sqliteTable("session", {
 - Avoid mocks as much as possible
 - Test actual implementation, do not duplicate logic into tests
 - Tests cannot run from repo root (guard: `do-not-run-tests-from-root`); run from package dirs like `packages/opencode`.
+
+## Type Checking
+
+- Always run `bun typecheck` from package directories (e.g., `packages/opencode`), never `tsc` directly.

nix/hashes.json

@@ -1,8 +1,8 @@
 {
   "nodeModules": {
-    "x86_64-linux": "sha256-+SMpaj0jeIHjlddAu6QIwojmWFVIiA8/G32hiQMjcOk=",
-    "aarch64-linux": "sha256-uo63IF6OCMab+O3ngn1sVxqIGJMm04HXuDgIRmXNTNk=",
-    "aarch64-darwin": "sha256-yB2tWm6AsX6UifnDqe7VldhN5zTQkDoqZ87AGQYjxT4=",
-    "x86_64-darwin": "sha256-nNhtqMSG4/y+uxjj14Jc5QQ7X6hQli9ni4v56XAvaAU="
+    "x86_64-linux": "sha256-TnrYykX8Mf/Ugtkix6V",
+    "aarch64-linux": "sha256-TnrYykX8Mf/Ugtkix6V",
+    "aarch64-darwin": "sha256-TnrYykX8Mf/Ugtkix6V",
+    "x86_64-darwin": "sha256-TnrYykX8Mf/Ugtkix6V"
   }
 }

package.json

@@ -43,6 +43,7 @@
       "dompurify": "3.3.1",
       "drizzle-kit": "1.0.0-beta.16-ea816b6",
       "drizzle-orm": "1.0.0-beta.16-ea816b6",
+      "effect": "4.0.0-beta.29",
       "ai": "5.0.124",
       "hono": "4.10.7",
       "hono-openapi": "1.1.2",
@@ -100,6 +101,7 @@
     "protobufjs",
     "tree-sitter",
     "tree-sitter-bash",
+    "tree-sitter-powershell",
     "web-tree-sitter",
     "electron"
   ],

packages/app/e2e/terminal/terminal-tabs.spec.ts

@@ -27,6 +27,8 @@ async function run(page: Page, cmd: string) {
   await terminal.click()
   await page.keyboard.type(cmd)
   await page.keyboard.press("Enter")
+  // powershell + windows just isnt that fast... we need to wait
+  await page.waitForTimeout(3_000)
 }
 
 async function store(page: Page, key: string) {

packages/app/src/components/session/find-assistant-messages.test.ts

@@ -0,0 +1,81 @@
+import { describe, expect, test } from "bun:test"
+import type { Message } from "@opencode-ai/sdk/v2/client"
+import { findAssistantMessages } from "@opencode-ai/ui/find-assistant-messages"
+
+function user(id: string): Message {
+  return {
+    id,
+    role: "user",
+    sessionID: "session-1",
+    time: { created: 1 },
+  } as unknown as Message
+}
+
+function assistant(id: string, parentID: string): Message {
+  return {
+    id,
+    role: "assistant",
+    sessionID: "session-1",
+    parentID,
+    time: { created: 1 },
+  } as unknown as Message
+}
+
+describe("findAssistantMessages", () => {
+  test("normal ordering: assistant after user in array → found via forward scan", () => {
+    const messages = [user("u1"), assistant("a1", "u1")]
+    const result = findAssistantMessages(messages, 0, "u1")
+    expect(result).toHaveLength(1)
+    expect(result[0].id).toBe("a1")
+  })
+
+  test("clock skew: assistant before user in array → found via backward scan", () => {
+    // When client clock is ahead, user ID sorts after assistant ID,
+    // so assistant appears earlier in the ID-sorted message array
+    const messages = [assistant("a1", "u1"), user("u1")]
+    const result = findAssistantMessages(messages, 1, "u1")
+    expect(result).toHaveLength(1)
+    expect(result[0].id).toBe("a1")
+  })
+
+  test("no assistant messages → returns empty array", () => {
+    const messages = [user("u1"), user("u2")]
+    const result = findAssistantMessages(messages, 0, "u1")
+    expect(result).toHaveLength(0)
+  })
+
+  test("multiple assistant messages with matching parentID → all found", () => {
+    const messages = [user("u1"), assistant("a1", "u1"), assistant("a2", "u1")]
+    const result = findAssistantMessages(messages, 0, "u1")
+    expect(result).toHaveLength(2)
+    expect(result[0].id).toBe("a1")
+    expect(result[1].id).toBe("a2")
+  })
+
+  test("does not return assistant messages with different parentID", () => {
+    const messages = [user("u1"), assistant("a1", "u1"), assistant("a2", "other")]
+    const result = findAssistantMessages(messages, 0, "u1")
+    expect(result).toHaveLength(1)
+    expect(result[0].id).toBe("a1")
+  })
+
+  test("stops forward scan at next user message", () => {
+    const messages = [user("u1"), assistant("a1", "u1"), user("u2"), assistant("a2", "u1")]
+    const result = findAssistantMessages(messages, 0, "u1")
+    expect(result).toHaveLength(1)
+    expect(result[0].id).toBe("a1")
+  })
+
+  test("stops backward scan at previous user message", () => {
+    const messages = [assistant("a0", "u1"), user("u0"), assistant("a1", "u1"), user("u1")]
+    const result = findAssistantMessages(messages, 3, "u1")
+    expect(result).toHaveLength(1)
+    expect(result[0].id).toBe("a1")
+  })
+
+  test("invalid index returns empty array", () => {
+    const messages = [user("u1")]
+    expect(findAssistantMessages(messages, -1, "u1")).toHaveLength(0)
+    expect(findAssistantMessages(messages, 5, "u1")).toHaveLength(0)
+  })
+})

packages/app/src/components/titlebar.tsx

@@ -266,6 +266,9 @@ export function Titlebar() {
           </div>
         </div>
         <div id="opencode-titlebar-left" class="flex items-center gap-3 min-w-0 px-2" />
+        <div class="bg-icon-interactive-base text-background-base font-medium px-2 rounded-sm uppercase font-mono">
+          BETA
+        </div>
       </div>
 
       <div class="min-w-0 flex items-center justify-center pointer-events-none">

packages/app/src/pages/session.tsx

@@ -42,8 +42,8 @@ import { SessionSidePanel } from "@/pages/session/session-side-panel"
 import { TerminalPanel } from "@/pages/session/terminal-panel"
 import { useSessionCommands } from "@/pages/session/use-session-commands"
 import { useSessionHashScroll } from "@/pages/session/use-session-hash-scroll"
-import { same } from "@/utils/same"
 import { formatServerError } from "@/utils/server-errors"
+import { same } from "@opencode-ai/util/array"
 
 const emptyUserMessages: UserMessage[] = []
 

packages/app/src/pages/session/composer/session-question-dock.tsx

@@ -3,6 +3,7 @@ import { createStore } from "solid-js/store"
 import { Button } from "@opencode-ai/ui/button"
 import { DockPrompt } from "@opencode-ai/ui/dock-prompt"
 import { Icon } from "@opencode-ai/ui/icon"
+import { IconButton } from "@opencode-ai/ui/icon-button"
 import { showToast } from "@opencode-ai/ui/toast"
 import type { QuestionAnswer, QuestionRequest } from "@opencode-ai/sdk/v2"
 import { useLanguage } from "@/context/language"
@@ -25,6 +26,7 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
     customOn: cached?.customOn ?? ([] as boolean[]),
     editing: false,
     sending: false,
+    collapsed: false,
   })
 
   let root: HTMLDivElement | undefined
@@ -35,6 +37,7 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
   const input = createMemo(() => store.custom[store.tab] ?? "")
   const on = createMemo(() => store.customOn[store.tab] === true)
   const multi = createMemo(() => question()?.multiple === true)
+  const picked = createMemo(() => store.answers[store.tab]?.length ?? 0)
 
   const summary = createMemo(() => {
     const n = Math.min(store.tab + 1, total())
@@ -43,6 +46,8 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
 
   const last = createMemo(() => store.tab >= total() - 1)
 
+  const fold = () => setStore("collapsed", (value) => !value)
+
   const customUpdate = (value: string, selected: boolean = on()) => {
     const prev = input().trim()
     const next = value.trim()
@@ -257,9 +262,21 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
       kind="question"
       ref={(el) => (root = el)}
       header={
-        <>
+        <div
+          data-action="session-question-toggle"
+          class="flex flex-1 min-w-0 items-center gap-2 cursor-default select-none"
+          role="button"
+          tabIndex={0}
+          style={{ margin: "0 -10px", padding: "0 0 0 10px" }}
+          onClick={fold}
+          onKeyDown={(event) => {
+            if (event.key !== "Enter" && event.key !== " ") return
+            event.preventDefault()
+            fold()
+          }}
+        >
           <div data-slot="question-header-title">{summary()}</div>
-          <div data-slot="question-progress">
+          <div data-slot="question-progress" class="ml-auto mr-1">
             <For each={questions()}>
               {(_, i) => (
                 <button
@@ -271,13 +288,38 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
                     (store.customOn[i()] === true && (store.custom[i()] ?? "").trim().length > 0)
                   }
                   disabled={store.sending}
-                  onClick={() => jump(i())}
+                  onMouseDown={(event) => {
+                    event.preventDefault()
+                    event.stopPropagation()
+                  }}
+                  onClick={(event) => {
+                    event.stopPropagation()
+                    jump(i())
+                  }}
                   aria-label={`${language.t("ui.tool.questions")} ${i() + 1}`}
                 />
               )}
             </For>
           </div>
-        </>
+          <div>
+            <IconButton
+              data-action="session-question-toggle-button"
+              icon="chevron-down"
+              size="normal"
+              variant="ghost"
+              classList={{ "rotate-180": store.collapsed }}
+              onMouseDown={(event) => {
+                event.preventDefault()
+                event.stopPropagation()
+              }}
+              onClick={(event) => {
+                event.stopPropagation()
+                fold()
+              }}
+              aria-label={store.collapsed ? language.t("session.todo.expand") : language.t("session.todo.collapse")}
+            />
+          </div>
+        </div>
       }
       footer={
         <>
@@ -297,56 +339,121 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
         </>
       }
     >
-      <div data-slot="question-text">{question()?.question}</div>
-      <Show when={multi()} fallback={<div data-slot="question-hint">{language.t("ui.question.singleHint")}</div>}>
-        <div data-slot="question-hint">{language.t("ui.question.multiHint")}</div>
+      <div
+        data-slot="question-text"
+        class="cursor-default"
+        classList={{
+          "mb-6": store.collapsed && picked() === 0,
+        }}
+        role={store.collapsed ? "button" : undefined}
+        tabIndex={store.collapsed ? 0 : undefined}
+        onClick={fold}
+        onKeyDown={(event) => {
+          if (!store.collapsed) return
+          if (event.key !== "Enter" && event.key !== " ") return
+          event.preventDefault()
+          fold()
+        }}
+      >
+        {question()?.question}
+      </div>
+      <Show when={store.collapsed && picked() > 0}>
+        <div data-slot="question-hint" class="cursor-default mb-6">
+          {picked()} answer{picked() === 1 ? "" : "s"} selected
+        </div>
       </Show>
-      <div data-slot="question-options">
-        <For each={options()}>
-          {(opt, i) => {
-            const picked = () => store.answers[store.tab]?.includes(opt.label) ?? false
-            return (
+      <div data-slot="question-answers" hidden={store.collapsed} aria-hidden={store.collapsed}>
+        <Show when={multi()} fallback={<div data-slot="question-hint">{language.t("ui.question.singleHint")}</div>}>
+          <div data-slot="question-hint">{language.t("ui.question.multiHint")}</div>
+        </Show>
+        <div data-slot="question-options">
+          <For each={options()}>
+            {(opt, i) => {
+              const picked = () => store.answers[store.tab]?.includes(opt.label) ?? false
+              return (
+                <button
+                  data-slot="question-option"
+                  data-picked={picked()}
+                  role={multi() ? "checkbox" : "radio"}
+                  aria-checked={picked()}
+                  disabled={store.sending}
+                  onClick={() => selectOption(i())}
+                >
+                  <span data-slot="question-option-check" aria-hidden="true">
+                    <span
+                      data-slot="question-option-box"
+                      data-type={multi() ? "checkbox" : "radio"}
+                      data-picked={picked()}
+                    >
+                      <Show when={multi()} fallback={<span data-slot="question-option-radio-dot" />}>
+                        <Icon name="check-small" size="small" />
+                      </Show>
+                    </span>
+                  </span>
+                  <span data-slot="question-option-main">
+                    <span data-slot="option-label">{opt.label}</span>
+                    <Show when={opt.description}>
+                      <span data-slot="option-description">{opt.description}</span>
+                    </Show>
+                  </span>
+                </button>
+              )
+            }}
+          </For>
+
+          <Show
+            when={store.editing}
+            fallback={
               <button
                 data-slot="question-option"
-                data-picked={picked()}
+                data-custom="true"
+                data-picked={on()}
                 role={multi() ? "checkbox" : "radio"}
-                aria-checked={picked()}
+                aria-checked={on()}
                 disabled={store.sending}
-                onClick={() => selectOption(i())}
+                onClick={customOpen}
               >
-                <span data-slot="question-option-check" aria-hidden="true">
-                  <span
-                    data-slot="question-option-box"
-                    data-type={multi() ? "checkbox" : "radio"}
-                    data-picked={picked()}
-                  >
+                <span
+                  data-slot="question-option-check"
+                  aria-hidden="true"
+                  onClick={(e) => {
+                    e.preventDefault()
+                    e.stopPropagation()
+                    customToggle()
+                  }}
+                >
+                  <span data-slot="question-option-box" data-type={multi() ? "checkbox" : "radio"} data-picked={on()}>
                     <Show when={multi()} fallback={<span data-slot="question-option-radio-dot" />}>
                       <Icon name="check-small" size="small" />
                     </Show>
                   </span>
                 </span>
                 <span data-slot="question-option-main">
-                  <span data-slot="option-label">{opt.label}</span>
-                  <Show when={opt.description}>
-                    <span data-slot="option-description">{opt.description}</span>
-                  </Show>
+                  <span data-slot="option-label">{language.t("ui.messagePart.option.typeOwnAnswer")}</span>
+                  <span data-slot="option-description">{input() || language.t("ui.question.custom.placeholder")}</span>
                 </span>
               </button>
-            )
-          }}
-        </For>
-
-        <Show
-          when={store.editing}
-          fallback={
-            <button
+            }
+          >
+            <form
               data-slot="question-option"
               data-custom="true"
               data-picked={on()}
               role={multi() ? "checkbox" : "radio"}
               aria-checked={on()}
-              disabled={store.sending}
-              onClick={customOpen}
+              onMouseDown={(e) => {
+                if (store.sending) {
+                  e.preventDefault()
+                  return
+                }
+                if (e.target instanceof HTMLTextAreaElement) return
+                const input = e.currentTarget.querySelector('[data-slot="question-custom-input"]')
+                if (input instanceof HTMLTextAreaElement) input.focus()
+              }}
+              onSubmit={(e) => {
+                e.preventDefault()
+                commitCustom()
+              }}
             >
               <span
                 data-slot="question-option-check"
@@ -365,80 +472,39 @@ export const SessionQuestionDock: Component<{ request: QuestionRequest; onSubmit
               </span>
               <span data-slot="question-option-main">
                 <span data-slot="option-label">{language.t("ui.messagePart.option.typeOwnAnswer")}</span>
-                <span data-slot="option-description">{input() || language.t("ui.question.custom.placeholder")}</span>
-              </span>
-            </button>
-          }
-        >
-          <form
-            data-slot="question-option"
-            data-custom="true"
-            data-picked={on()}
-            role={multi() ? "checkbox" : "radio"}
-            aria-checked={on()}
-            onMouseDown={(e) => {
-              if (store.sending) {
-                e.preventDefault()
-                return
-              }
-              if (e.target instanceof HTMLTextAreaElement) return
-              const input = e.currentTarget.querySelector('[data-slot="question-custom-input"]')
-              if (input instanceof HTMLTextAreaElement) input.focus()
-            }}
-            onSubmit={(e) => {
-              e.preventDefault()
-              commitCustom()
-            }}
-          >
-            <span
-              data-slot="question-option-check"
-              aria-hidden="true"
-              onClick={(e) => {
-                e.preventDefault()
-                e.stopPropagation()
-                customToggle()
-              }}
-            >
-              <span data-slot="question-option-box" data-type={multi() ? "checkbox" : "radio"} data-picked={on()}>
-                <Show when={multi()} fallback={<span data-slot="question-option-radio-dot" />}>
-                  <Icon name="check-small" size="small" />
-                </Show>
-              </span>
-            </span>
-            <span data-slot="question-option-main">
-              <span data-slot="option-label">{language.t("ui.messagePart.option.typeOwnAnswer")}</span>
-              <textarea
-                ref={(el) =>
-                  setTimeout(() => {
-                    el.focus()
-                    el.style.height = "0px"
-                    el.style.height = `${el.scrollHeight}px`
-                  }, 0)
-                }
-                data-slot="question-custom-input"
-                placeholder={language.t("ui.question.custom.placeholder")}
-                value={input()}
-                rows={1}
-                disabled={store.sending}
-                onKeyDown={(e) => {
-                  if (e.key === "Escape") {
-                    e.preventDefault()
-                    setStore("editing", false)
-                    return
+                <textarea
+                  ref={(el) =>
+                    setTimeout(() => {
+                      el.focus()
+                      el.style.height = "0px"
+                      el.style.height = `${el.scrollHeight}px`
+                    }, 0)
                   }
-                  if (e.key !== "Enter" || e.shiftKey) return
-                  e.preventDefault()
-                  commitCustom()
-                }}
-                onInput={(e) => {
-                  customUpdate(e.currentTarget.value)
-                  e.currentTarget.style.height = "0px"
-                  e.currentTarget.style.height = `${e.currentTarget.scrollHeight}px`
-                }}
-              />
-            </span>
-          </form>
-        </Show>
+                  data-slot="question-custom-input"
+                  placeholder={language.t("ui.question.custom.placeholder")}
+                  value={input()}
+                  rows={1}
+                  disabled={store.sending}
+                  onKeyDown={(e) => {
+                    if (e.key === "Escape") {
+                      e.preventDefault()
+                      setStore("editing", false)
+                      return
+                    }
+                    if (e.key !== "Enter" || e.shiftKey) return
+                    e.preventDefault()
+                    commitCustom()
+                  }}
+                  onInput={(e) => {
+                    customUpdate(e.currentTarget.value)
+                    e.currentTarget.style.height = "0px"
+                    e.currentTarget.style.height = `${e.currentTarget.scrollHeight}px`
+                  }}
+                />
+              </span>
+            </form>
+          </Show>
+        </div>
       </div>
     </DockPrompt>
   )

packages/opencode/migration/20260228203230_blue_harpoon/migration.sql

@@ -0,0 +1,17 @@
+CREATE TABLE `account` (
+	`id` text PRIMARY KEY,
+	`email` text NOT NULL,
+	`url` text NOT NULL,
+	`access_token` text NOT NULL,
+	`refresh_token` text NOT NULL,
+	`token_expiry` integer,
+	`selected_org_id` text,
+	`time_created` integer NOT NULL,
+	`time_updated` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE `account_state` (
+	`id` integer PRIMARY KEY NOT NULL,
+	`active_account_id` text,
+	FOREIGN KEY (`active_account_id`) REFERENCES `account`(`id`) ON UPDATE no action ON DELETE set null
+);

packages/opencode/package.json

@@ -27,6 +27,7 @@
   },
   "devDependencies": {
     "@babel/core": "7.28.4",
+    "@effect/language-service": "0.79.0",
     "@octokit/webhooks-types": "7.6.1",
     "@opencode-ai/script": "workspace:*",
     "@parcel/watcher-darwin-arm64": "2.5.1",
@@ -81,6 +82,8 @@
     "@gitlab/gitlab-ai-provider": "3.6.0",
     "@gitlab/opencode-gitlab-auth": "1.3.3",
     "@hono/standard-validator": "0.1.5",
+    "@hono/node-server": "1.19.11",
+    "@hono/node-ws": "1.3.0",
     "@hono/zod-validator": "catalog:",
     "@modelcontextprotocol/sdk": "1.25.2",
     "@octokit/graphql": "9.0.2",
@@ -91,8 +94,8 @@
     "@opencode-ai/sdk": "workspace:*",
     "@opencode-ai/util": "workspace:*",
     "@openrouter/ai-sdk-provider": "1.5.4",
-    "@opentui/core": "0.1.86",
-    "@opentui/solid": "0.1.86",
+    "@opentui/core": "0.1.87",
+    "@opentui/solid": "0.1.87",
     "@parcel/watcher": "2.5.1",
     "@pierre/diffs": "catalog:",
     "@solid-primitives/event-bus": "1.1.2",
@@ -108,6 +111,7 @@
     "decimal.js": "10.5.0",
     "diff": "catalog:",
     "drizzle-orm": "1.0.0-beta.16-ea816b6",
+    "effect": "catalog:",
     "fuzzysort": "3.1.0",
     "glob": "13.0.5",
     "google-auth-library": "10.5.0",
@@ -126,6 +130,7 @@
     "solid-js": "catalog:",
     "strip-ansi": "7.1.2",
     "tree-sitter-bash": "0.25.0",
+    "tree-sitter-powershell": "0.25.10",
     "turndown": "7.2.0",
     "ulid": "catalog:",
     "vscode-jsonrpc": "8.2.1",

packages/opencode/src/account/account.sql.ts

@@ -1,7 +1,23 @@
-import { sqliteTable, text, integer, primaryKey, uniqueIndex } from "drizzle-orm/sqlite-core"
-import { eq } from "drizzle-orm"
+import { sqliteTable, text, integer, primaryKey } from "drizzle-orm/sqlite-core"
 import { Timestamps } from "@/storage/schema.sql"
 
+export const AccountTable = sqliteTable("account", {
+  id: text().primaryKey(),
+  email: text().notNull(),
+  url: text().notNull(),
+  access_token: text().notNull(),
+  refresh_token: text().notNull(),
+  token_expiry: integer(),
+  selected_org_id: text(),
+  ...Timestamps,
+})
+
+export const AccountStateTable = sqliteTable("account_state", {
+  id: integer().primaryKey(),
+  active_account_id: text().references(() => AccountTable.id, { onDelete: "set null" }),
+})
+
+// LEGACY
 export const ControlAccountTable = sqliteTable(
   "control_account",
   {

packages/opencode/src/account/index.ts

@@ -0,0 +1,43 @@
+import { Effect, Option, ServiceMap } from "effect"
+
+import {
+  Account as AccountSchema,
+  type AccountError,
+  type AccessToken,
+  AccountID,
+  AccountService,
+  OrgID,
+} from "./service"
+
+export { AccessToken, AccountID, OrgID } from "./service"
+
+import { runtime } from "@/effect/runtime"
+
+type AccountServiceShape = ServiceMap.Service.Shape<typeof AccountService>
+
+function runSync<A>(f: (service: AccountServiceShape) => Effect.Effect<A, AccountError>) {
+  return runtime.runSync(AccountService.use(f))
+}
+
+function runPromise<A>(f: (service: AccountServiceShape) => Effect.Effect<A, AccountError>) {
+  return runtime.runPromise(AccountService.use(f))
+}
+
+export namespace Account {
+  export const Account = AccountSchema
+  export type Account = AccountSchema
+
+  export function active(): Account | undefined {
+    return Option.getOrUndefined(runSync((service) => service.active()))
+  }
+
+  export async function config(accountID: AccountID, orgID: OrgID): Promise<Record<string, unknown> | undefined> {
+    const config = await runPromise((service) => service.config(accountID, orgID))
+    return Option.getOrUndefined(config)
+  }
+
+  export async function token(accountID: AccountID): Promise<AccessToken | undefined> {
+    const token = await runPromise((service) => service.token(accountID))
+    return Option.getOrUndefined(token)
+  }
+}

packages/opencode/src/account/repo.ts

@@ -0,0 +1,148 @@
+import { eq } from "drizzle-orm"
+import { Effect, Layer, Option, Schema, ServiceMap } from "effect"
+
+import { Database } from "@/storage/db"
+import { AccountStateTable, AccountTable } from "./account.sql"
+import { Account, AccountID, AccountRepoError, OrgID } from "./schema"
+
+export type AccountRow = (typeof AccountTable)["$inferSelect"]
+
+const decodeAccount = Schema.decodeUnknownSync(Account)
+
+type DbClient = Parameters<typeof Database.use>[0] extends (db: infer T) => unknown ? T : never
+
+const ACCOUNT_STATE_ID = 1
+
+const db = <A>(run: (db: DbClient) => A) =>
+  Effect.try({
+    try: () => Database.use(run),
+    catch: (cause) => new AccountRepoError({ message: "Database operation failed", cause }),
+  })
+
+const current = (db: DbClient) => {
+  const state = db.select().from(AccountStateTable).where(eq(AccountStateTable.id, ACCOUNT_STATE_ID)).get()
+  if (!state?.active_account_id) return
+  return db.select().from(AccountTable).where(eq(AccountTable.id, state.active_account_id)).get()
+}
+
+const setActive = (db: DbClient, accountID: AccountID) =>
+  db
+    .insert(AccountStateTable)
+    .values({ id: ACCOUNT_STATE_ID, active_account_id: accountID })
+    .onConflictDoUpdate({
+      target: AccountStateTable.id,
+      set: { active_account_id: accountID },
+    })
+    .run()
+
+export class AccountRepo extends ServiceMap.Service<
+  AccountRepo,
+  {
+    readonly active: () => Effect.Effect<Option.Option<Account>, AccountRepoError>
+    readonly list: () => Effect.Effect<Account[], AccountRepoError>
+    readonly remove: (accountID: AccountID) => Effect.Effect<void, AccountRepoError>
+    readonly use: (accountID: AccountID, orgID: Option.Option<OrgID>) => Effect.Effect<void, AccountRepoError>
+    readonly getRow: (accountID: AccountID) => Effect.Effect<Option.Option<AccountRow>, AccountRepoError>
+    readonly persistToken: (input: {
+      accountID: AccountID
+      accessToken: string
+      refreshToken: string
+      expiry: Option.Option<number>
+    }) => Effect.Effect<void, AccountRepoError>
+    readonly persistAccount: (input: {
+      id: AccountID
+      email: string
+      url: string
+      accessToken: string
+      refreshToken: string
+      expiry: number
+      orgID: Option.Option<OrgID>
+    }) => Effect.Effect<void, AccountRepoError>
+  }
+>()("@opencode/AccountRepo") {
+  static readonly layer: Layer.Layer<AccountRepo> = Layer.succeed(
+    AccountRepo,
+    AccountRepo.of({
+      active: Effect.fn("AccountRepo.active")(() =>
+        db((db) => current(db)).pipe(Effect.map((row) => (row ? Option.some(decodeAccount(row)) : Option.none()))),
+      ),
+
+      list: Effect.fn("AccountRepo.list")(() => db((db) => db.select().from(AccountTable).all().map((row) => decodeAccount(row)))),
+
+      remove: Effect.fn("AccountRepo.remove")((accountID: AccountID) =>
+        db((db) =>
+          Database.transaction((tx) => {
+            tx.update(AccountStateTable)
+              .set({ active_account_id: null })
+              .where(eq(AccountStateTable.active_account_id, accountID))
+              .run()
+            tx.delete(AccountTable).where(eq(AccountTable.id, accountID)).run()
+          }),
+        ).pipe(Effect.asVoid),
+      ),
+
+      use: Effect.fn("AccountRepo.use")((accountID: AccountID, orgID: Option.Option<OrgID>) =>
+        db((db) =>
+          Database.transaction((tx) => {
+            tx.update(AccountTable)
+              .set({ selected_org_id: Option.getOrNull(orgID) })
+              .where(eq(AccountTable.id, accountID))
+              .run()
+            setActive(tx, accountID)
+          }),
+        ).pipe(Effect.asVoid),
+      ),
+
+      getRow: Effect.fn("AccountRepo.getRow")((accountID: AccountID) =>
+        db((db) => db.select().from(AccountTable).where(eq(AccountTable.id, accountID)).get()).pipe(
+          Effect.map(Option.fromNullishOr),
+        ),
+      ),
+
+      persistToken: Effect.fn("AccountRepo.persistToken")((input) =>
+        db((db) =>
+          db
+            .update(AccountTable)
+            .set({
+              access_token: input.accessToken,
+              refresh_token: input.refreshToken,
+              token_expiry: Option.getOrNull(input.expiry),
+            })
+            .where(eq(AccountTable.id, input.accountID))
+            .run(),
+        ).pipe(Effect.asVoid),
+      ),
+
+      persistAccount: Effect.fn("AccountRepo.persistAccount")((input) => {
+        const orgID = Option.getOrNull(input.orgID)
+        return Effect.try({
+          try: () =>
+            Database.transaction((tx) => {
+              tx.insert(AccountTable)
+                .values({
+                  id: input.id,
+                  email: input.email,
+                  url: input.url,
+                  access_token: input.accessToken,
+                  refresh_token: input.refreshToken,
+                  token_expiry: input.expiry,
+                  selected_org_id: orgID,
+                })
+                .onConflictDoUpdate({
+                  target: AccountTable.id,
+                  set: {
+                    access_token: input.accessToken,
+                    refresh_token: input.refreshToken,
+                    token_expiry: input.expiry,
+                    selected_org_id: orgID,
+                  },
+                })
+                .run()
+              setActive(tx, input.id)
+            }),
+          catch: (cause) => new AccountRepoError({ message: "Database operation failed", cause }),
+        }).pipe(Effect.asVoid)
+      }),
+    }),
+  )
+}

packages/opencode/src/account/schema.ts

@@ -0,0 +1,73 @@
+import { Schema } from "effect"
+
+import { withStatics } from "@/util/schema"
+
+export const AccountID = Schema.String.pipe(
+  Schema.brand("AccountId"),
+  withStatics((s) => ({ make: (id: string) => s.makeUnsafe(id) })),
+)
+export type AccountID = Schema.Schema.Type<typeof AccountID>
+
+export const OrgID = Schema.String.pipe(
+  Schema.brand("OrgId"),
+  withStatics((s) => ({ make: (id: string) => s.makeUnsafe(id) })),
+)
+export type OrgID = Schema.Schema.Type<typeof OrgID>
+
+export const AccessToken = Schema.String.pipe(
+  Schema.brand("AccessToken"),
+  withStatics((s) => ({ make: (token: string) => s.makeUnsafe(token) })),
+)
+export type AccessToken = Schema.Schema.Type<typeof AccessToken>
+
+export class Account extends Schema.Class<Account>("Account")({
+  id: AccountID,
+  email: Schema.String,
+  url: Schema.String,
+  selected_org_id: Schema.NullOr(OrgID),
+}) {}
+
+export class Org extends Schema.Class<Org>("Org")({
+  id: OrgID,
+  name: Schema.String,
+}) {}
+
+export class AccountRepoError extends Schema.TaggedErrorClass<AccountRepoError>()("AccountRepoError", {
+  message: Schema.String,
+  cause: Schema.optional(Schema.Defect),
+}) {}
+
+export class AccountServiceError extends Schema.TaggedErrorClass<AccountServiceError>()("AccountServiceError", {
+  message: Schema.String,
+  cause: Schema.optional(Schema.Defect),
+}) {}
+
+export type AccountError = AccountRepoError | AccountServiceError
+
+export class Login extends Schema.Class<Login>("Login")({
+  code: Schema.String,
+  user: Schema.String,
+  url: Schema.String,
+  server: Schema.String,
+  expiry: Schema.Number,
+  interval: Schema.Number,
+}) {}
+
+export class PollSuccess extends Schema.TaggedClass<PollSuccess>()("PollSuccess", {
+  email: Schema.String,
+}) {}
+
+export class PollPending extends Schema.TaggedClass<PollPending>()("PollPending", {}) {}
+
+export class PollSlow extends Schema.TaggedClass<PollSlow>()("PollSlow", {}) {}
+
+export class PollExpired extends Schema.TaggedClass<PollExpired>()("PollExpired", {}) {}
+
+export class PollDenied extends Schema.TaggedClass<PollDenied>()("PollDenied", {}) {}
+
+export class PollError extends Schema.TaggedClass<PollError>()("PollError", {
+  cause: Schema.Defect,
+}) {}
+
+export const PollResult = Schema.Union([PollSuccess, PollPending, PollSlow, PollExpired, PollDenied, PollError])
+export type PollResult = Schema.Schema.Type<typeof PollResult>

packages/opencode/src/account/service.ts

@@ -0,0 +1,385 @@
+import { Clock, Effect, Layer, Option, Schema, ServiceMap } from "effect"
+import {
+  FetchHttpClient,
+  HttpClient,
+  HttpClientError,
+  HttpClientRequest,
+  HttpClientResponse,
+} from "effect/unstable/http"
+
+import { withTransientReadRetry } from "@/util/effect-http-client"
+import { AccountRepo, type AccountRow } from "./repo"
+import {
+  type AccountError,
+  AccessToken,
+  Account,
+  AccountID,
+  AccountRepoError,
+  AccountServiceError,
+  Login,
+  Org,
+  OrgID,
+  PollDenied,
+  PollError,
+  PollExpired,
+  PollPending,
+  type PollResult,
+  PollSlow,
+  PollSuccess,
+} from "./schema"
+
+export * from "./schema"
+
+export type AccountOrgs = {
+  account: Account
+  orgs: Org[]
+}
+
+const RemoteOrg = Schema.Struct({
+  id: Schema.optional(OrgID),
+  name: Schema.optional(Schema.String),
+})
+
+const RemoteOrgs = Schema.Array(RemoteOrg)
+
+const RemoteConfig = Schema.Struct({
+  config: Schema.Record(Schema.String, Schema.Json),
+})
+
+const TokenRefresh = Schema.Struct({
+  access_token: Schema.String,
+  refresh_token: Schema.optional(Schema.String),
+  expires_in: Schema.optional(Schema.Number),
+})
+
+const DeviceCode = Schema.Struct({
+  device_code: Schema.String,
+  user_code: Schema.String,
+  verification_uri_complete: Schema.String,
+  expires_in: Schema.Number,
+  interval: Schema.Number,
+})
+
+const DeviceToken = Schema.Struct({
+  access_token: Schema.optional(Schema.String),
+  refresh_token: Schema.optional(Schema.String),
+  expires_in: Schema.optional(Schema.Number),
+  error: Schema.optional(Schema.String),
+  error_description: Schema.optional(Schema.String),
+})
+
+const User = Schema.Struct({
+  id: Schema.optional(AccountID),
+  email: Schema.optional(Schema.String),
+})
+
+const ClientId = Schema.Struct({ client_id: Schema.String })
+
+const DeviceTokenRequest = Schema.Struct({
+  grant_type: Schema.String,
+  device_code: Schema.String,
+  client_id: Schema.String,
+})
+
+const serverDefault = "https://web-14275-d60e67f5-pyqs0590.onporter.run"
+const clientId = "opencode-cli"
+
+const toAccountServiceError = (message: string, cause?: unknown) => new AccountServiceError({ message, cause })
+
+const mapAccountServiceError =
+  (operation: string, message = "Account service operation failed") =>
+  <A, E, R>(effect: Effect.Effect<A, E, R>): Effect.Effect<A, AccountServiceError, R> =>
+    effect.pipe(
+      Effect.mapError((error) =>
+        error instanceof AccountServiceError ? error : toAccountServiceError(`${message} (${operation})`, error),
+      ),
+    )
+
+export class AccountService extends ServiceMap.Service<
+  AccountService,
+  {
+    readonly active: () => Effect.Effect<Option.Option<Account>, AccountError>
+    readonly list: () => Effect.Effect<Account[], AccountError>
+    readonly orgsByAccount: () => Effect.Effect<AccountOrgs[], AccountError>
+    readonly remove: (accountID: AccountID) => Effect.Effect<void, AccountError>
+    readonly use: (accountID: AccountID, orgID: Option.Option<OrgID>) => Effect.Effect<void, AccountError>
+    readonly orgs: (accountID: AccountID) => Effect.Effect<Org[], AccountError>
+    readonly config: (
+      accountID: AccountID,
+      orgID: OrgID,
+    ) => Effect.Effect<Option.Option<Record<string, unknown>>, AccountError>
+    readonly token: (accountID: AccountID) => Effect.Effect<Option.Option<AccessToken>, AccountError>
+    readonly login: (url?: string) => Effect.Effect<Login, AccountError>
+    readonly poll: (input: Login) => Effect.Effect<PollResult, AccountError>
+  }
+>()("@opencode/Account") {
+  static readonly layer: Layer.Layer<AccountService, never, AccountRepo | HttpClient.HttpClient> = Layer.effect(
+    AccountService,
+    Effect.gen(function* () {
+      const repo = yield* AccountRepo
+      const http = yield* HttpClient.HttpClient
+      const httpRead = withTransientReadRetry(http)
+
+      const execute = (operation: string, request: HttpClientRequest.HttpClientRequest) =>
+        http.execute(request).pipe(mapAccountServiceError(operation, "HTTP request failed"))
+
+      const executeRead = (operation: string, request: HttpClientRequest.HttpClientRequest) =>
+        httpRead.execute(request).pipe(mapAccountServiceError(operation, "HTTP request failed"))
+
+      const executeEffect = <E>(operation: string, request: Effect.Effect<HttpClientRequest.HttpClientRequest, E>) =>
+        request.pipe(
+          Effect.flatMap((req) => http.execute(req)),
+          mapAccountServiceError(operation, "HTTP request failed"),
+        )
+
+      const okOrNone = (operation: string, response: HttpClientResponse.HttpClientResponse) =>
+        HttpClientResponse.filterStatusOk(response).pipe(
+          Effect.map(Option.some),
+          Effect.catch((error) =>
+            HttpClientError.isHttpClientError(error) && error.reason._tag === "StatusCodeError"
+              ? Effect.succeed(Option.none<HttpClientResponse.HttpClientResponse>())
+              : Effect.fail(error),
+          ),
+          mapAccountServiceError(operation),
+        )
+
+      const tokenForRow = Effect.fn("AccountService.tokenForRow")(function* (found: AccountRow) {
+        const now = yield* Clock.currentTimeMillis
+        if (found.token_expiry && found.token_expiry > now) return Option.some(AccessToken.make(found.access_token))
+
+        const response = yield* execute(
+          "token.refresh",
+          HttpClientRequest.post(`${found.url}/oauth/token`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.bodyUrlParams({
+              grant_type: "refresh_token",
+              refresh_token: found.refresh_token,
+            }),
+          ),
+        )
+
+        const ok = yield* okOrNone("token.refresh", response)
+        if (Option.isNone(ok)) return Option.none()
+
+        const parsed = yield* HttpClientResponse.schemaBodyJson(TokenRefresh)(ok.value).pipe(
+          mapAccountServiceError("token.refresh", "Failed to decode response"),
+        )
+
+        const expiry = Option.fromNullishOr(parsed.expires_in).pipe(Option.map((e) => now + e * 1000))
+
+        yield* repo.persistToken({
+          accountID: AccountID.make(found.id),
+          accessToken: parsed.access_token,
+          refreshToken: parsed.refresh_token ?? found.refresh_token,
+          expiry,
+        })
+
+        return Option.some(AccessToken.make(parsed.access_token))
+      })
+
+      const resolveAccess = Effect.fn("AccountService.resolveAccess")(function* (accountID: AccountID) {
+        const maybeAccount = yield* repo.getRow(accountID)
+        if (Option.isNone(maybeAccount)) return Option.none<{ account: AccountRow; accessToken: AccessToken }>()
+
+        const account = maybeAccount.value
+        const accessToken = yield* tokenForRow(account)
+        if (Option.isNone(accessToken)) return Option.none<{ account: AccountRow; accessToken: AccessToken }>()
+
+        return Option.some({ account, accessToken: accessToken.value })
+      })
+
+      const token = Effect.fn("AccountService.token")((accountID: AccountID) =>
+        resolveAccess(accountID).pipe(Effect.map(Option.map((r) => r.accessToken))),
+      )
+
+      const orgsByAccount = Effect.fn("AccountService.orgsByAccount")(function* () {
+        const accounts = yield* repo.list()
+        return yield* Effect.forEach(
+          accounts,
+          (account) => orgs(account.id).pipe(Effect.map((orgs) => ({ account, orgs }))),
+          { concurrency: "unbounded" },
+        )
+      })
+
+      const orgs = Effect.fn("AccountService.orgs")(function* (accountID: AccountID) {
+        const resolved = yield* resolveAccess(accountID)
+        if (Option.isNone(resolved)) return []
+
+        const { account, accessToken } = resolved.value
+
+        const response = yield* executeRead(
+          "orgs",
+          HttpClientRequest.get(`${account.url}/api/orgs`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.bearerToken(accessToken),
+          ),
+        )
+
+        const ok = yield* okOrNone("orgs", response)
+        if (Option.isNone(ok)) return []
+
+        const orgs = yield* HttpClientResponse.schemaBodyJson(RemoteOrgs)(ok.value).pipe(
+          mapAccountServiceError("orgs", "Failed to decode response"),
+        )
+        return orgs
+          .filter((org) => org.id !== undefined && org.name !== undefined)
+          .map((org) => new Org({ id: org.id!, name: org.name! }))
+      })
+
+      const config = Effect.fn("AccountService.config")(function* (accountID: AccountID, orgID: OrgID) {
+        const resolved = yield* resolveAccess(accountID)
+        if (Option.isNone(resolved)) return Option.none()
+
+        const { account, accessToken } = resolved.value
+
+        const response = yield* executeRead(
+          "config",
+          HttpClientRequest.get(`${account.url}/api/config`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.bearerToken(accessToken),
+            HttpClientRequest.setHeaders({ "x-org-id": orgID }),
+          ),
+        )
+
+        const ok = yield* okOrNone("config", response)
+        if (Option.isNone(ok)) return Option.none()
+
+        const parsed = yield* HttpClientResponse.schemaBodyJson(RemoteConfig)(ok.value).pipe(
+          mapAccountServiceError("config", "Failed to decode response"),
+        )
+        return Option.some(parsed.config)
+      })
+
+      const login = Effect.fn("AccountService.login")(function* (url?: string) {
+        const server = url ?? serverDefault
+
+        const response = yield* executeEffect(
+          "login",
+          HttpClientRequest.post(`${server}/auth/device/code`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.schemaBodyJson(ClientId)({ client_id: clientId }),
+          ),
+        )
+
+        const ok = yield* okOrNone("login", response)
+        if (Option.isNone(ok)) {
+          const body = yield* response.text.pipe(Effect.orElseSucceed(() => ""))
+          return yield* toAccountServiceError(`Failed to initiate device flow: ${body || response.status}`)
+        }
+
+        const parsed = yield* HttpClientResponse.schemaBodyJson(DeviceCode)(ok.value).pipe(
+          mapAccountServiceError("login", "Failed to decode response"),
+        )
+        return new Login({
+          code: parsed.device_code,
+          user: parsed.user_code,
+          url: `${server}${parsed.verification_uri_complete}`,
+          server,
+          expiry: parsed.expires_in,
+          interval: parsed.interval,
+        })
+      })
+
+      const poll = Effect.fn("AccountService.poll")(function* (input: Login) {
+        const response = yield* executeEffect(
+          "poll",
+          HttpClientRequest.post(`${input.server}/auth/device/token`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.schemaBodyJson(DeviceTokenRequest)({
+              grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+              device_code: input.code,
+              client_id: clientId,
+            }),
+          ),
+        )
+
+        const parsed = yield* HttpClientResponse.schemaBodyJson(DeviceToken)(response).pipe(
+          mapAccountServiceError("poll", "Failed to decode response"),
+        )
+
+        if (!parsed.access_token) {
+          if (parsed.error === "authorization_pending") return new PollPending()
+          if (parsed.error === "slow_down") return new PollSlow()
+          if (parsed.error === "expired_token") return new PollExpired()
+          if (parsed.error === "access_denied") return new PollDenied()
+          return new PollError({ cause: parsed.error })
+        }
+
+        const access = parsed.access_token
+
+        const fetchUser = executeRead(
+          "poll.user",
+          HttpClientRequest.get(`${input.server}/api/user`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.bearerToken(access),
+          ),
+        ).pipe(
+          Effect.flatMap((r) =>
+            HttpClientResponse.schemaBodyJson(User)(r).pipe(
+              mapAccountServiceError("poll.user", "Failed to decode response"),
+            ),
+          ),
+        )
+
+        const fetchOrgs = executeRead(
+          "poll.orgs",
+          HttpClientRequest.get(`${input.server}/api/orgs`).pipe(
+            HttpClientRequest.acceptJson,
+            HttpClientRequest.bearerToken(access),
+          ),
+        ).pipe(
+          Effect.flatMap((r) =>
+            HttpClientResponse.schemaBodyJson(RemoteOrgs)(r).pipe(
+              mapAccountServiceError("poll.orgs", "Failed to decode response"),
+            ),
+          ),
+        )
+
+        const [user, remoteOrgs] = yield* Effect.all([fetchUser, fetchOrgs], { concurrency: 2 })
+
+        const userId = user.id
+        const userEmail = user.email
+
+        if (!userId || !userEmail) {
+          return new PollError({ cause: "No id or email in response" })
+        }
+
+        const firstOrgID = remoteOrgs.length > 0 ? Option.fromNullishOr(remoteOrgs[0].id) : Option.none()
+
+        const now = yield* Clock.currentTimeMillis
+        const expiry = now + (parsed.expires_in ?? 0) * 1000
+        const refresh = parsed.refresh_token ?? ""
+
+        yield* repo.persistAccount({
+          id: userId,
+          email: userEmail,
+          url: input.server,
+          accessToken: access,
+          refreshToken: refresh,
+          expiry,
+          orgID: firstOrgID,
+        })
+
+        return new PollSuccess({ email: userEmail })
+      })
+
+      return AccountService.of({
+        active: repo.active,
+        list: repo.list,
+        orgsByAccount,
+        remove: repo.remove,
+        use: repo.use,
+        orgs,
+        config,
+        token,
+        login,
+        poll,
+      })
+    }),
+  )
+
+  static readonly defaultLayer = AccountService.layer.pipe(
+    Layer.provide(AccountRepo.layer),
+    Layer.provide(FetchHttpClient.layer),
+  )
+}

packages/opencode/src/agent/agent.ts

@@ -63,6 +63,7 @@ export namespace Agent {
       question: "deny",
       plan_enter: "deny",
       plan_exit: "deny",
+      edit: "ask",
       // mirrors github.com/github/gitignore Node.gitignore pattern for .env files
       read: {
         "*": "allow",

packages/opencode/src/cli/cmd/account.ts

@@ -0,0 +1,177 @@
+import { cmd } from "./cmd"
+import { Duration, Effect, Match, Option } from "effect"
+import { UI } from "../ui"
+import { runtime } from "@/effect/runtime"
+import { AccountID, AccountService, OrgID, PollExpired, type PollResult } from "@/account/service"
+import { type AccountError } from "@/account/schema"
+import * as Prompt from "../effect/prompt"
+import open from "open"
+
+const openBrowser = (url: string) => Effect.promise(() => open(url).catch(() => undefined))
+
+const println = (msg: string) => Effect.sync(() => UI.println(msg))
+
+const loginEffect = Effect.fn("login")(function* (url?: string) {
+  const service = yield* AccountService
+
+  yield* Prompt.intro("Log in")
+  const login = yield* service.login(url)
+
+  yield* Prompt.log.info("Go to: " + login.url)
+  yield* Prompt.log.info("Enter code: " + login.user)
+  yield* openBrowser(login.url)
+
+  const s = Prompt.spinner()
+  yield* s.start("Waiting for authorization...")
+
+  const poll = (wait: number): Effect.Effect<PollResult, AccountError> =>
+    Effect.gen(function* () {
+      yield* Effect.sleep(wait)
+      const result = yield* service.poll(login)
+      if (result._tag === "PollPending") return yield* poll(wait)
+      if (result._tag === "PollSlow") return yield* poll(wait + 5000)
+      return result
+    })
+
+  const result = yield* poll(login.interval * 1000).pipe(
+    Effect.timeout(Duration.seconds(login.expiry)),
+    Effect.catchTag("TimeoutError", () => Effect.succeed(new PollExpired())),
+  )
+
+  yield* Match.valueTags(result, {
+    PollSuccess: (r) =>
+      Effect.gen(function* () {
+        yield* s.stop("Logged in as " + r.email)
+        yield* Prompt.outro("Done")
+      }),
+    PollExpired: () => s.stop("Device code expired", 1),
+    PollDenied: () => s.stop("Authorization denied", 1),
+    PollError: (r) => s.stop("Error: " + String(r.cause), 1),
+    PollPending: () => s.stop("Unexpected state", 1),
+    PollSlow: () => s.stop("Unexpected state", 1),
+  })
+})
+
+const logoutEffect = Effect.fn("logout")(function* (email?: string) {
+  const service = yield* AccountService
+
+  if (email) {
+    const accounts = yield* service.list()
+    const match = accounts.find((a) => a.email === email)
+    if (!match) return yield* println("Account not found: " + email)
+    yield* service.remove(match.id)
+    yield* println("Logged out from " + email)
+    return
+  }
+
+  const active = yield* service.active()
+  if (Option.isNone(active)) return yield* println("Not logged in")
+  yield* service.remove(active.value.id)
+  yield* println("Logged out from " + active.value.email)
+})
+
+interface OrgChoice {
+  orgID: OrgID
+  accountID: AccountID
+  label: string
+}
+
+const switchEffect = Effect.fn("switch")(function* () {
+  const service = yield* AccountService
+
+  const groups = yield* service.orgsByAccount()
+  if (groups.length === 0) return yield* println("Not logged in")
+
+  const active = yield* service.active()
+  const activeOrgID = Option.flatMap(active, (a) => Option.fromNullishOr(a.selected_org_id))
+
+  const opts = groups.flatMap((group) =>
+    group.orgs.map((org) => {
+      const isActive = Option.isSome(activeOrgID) && activeOrgID.value === org.id
+      return {
+        value: { orgID: org.id, accountID: group.account.id, label: org.name },
+        label: isActive
+          ? `${org.name} (${group.account.email})` + UI.Style.TEXT_DIM + " (active)"
+          : `${org.name} (${group.account.email})`,
+      }
+    }),
+  )
+  if (opts.length === 0) return yield* println("No orgs found")
+
+  yield* Prompt.intro("Switch org")
+
+  const selected = yield* Prompt.select<OrgChoice>({ message: "Select org", options: opts })
+  if (Option.isNone(selected)) return
+
+  const choice = selected.value
+  yield* service.use(choice.accountID, Option.some(choice.orgID))
+  yield* Prompt.outro("Switched to " + choice.label)
+})
+
+const orgsEffect = Effect.fn("orgs")(function* () {
+  const service = yield* AccountService
+
+  const groups = yield* service.orgsByAccount()
+  if (groups.length === 0) return yield* println("No accounts found")
+  if (!groups.some((group) => group.orgs.length > 0)) return yield* println("No orgs found")
+
+  const active = yield* service.active()
+  const activeOrgID = Option.flatMap(active, (a) => Option.fromNullishOr(a.selected_org_id))
+
+  for (const group of groups) {
+    for (const org of group.orgs) {
+      const isActive = Option.isSome(activeOrgID) && activeOrgID.value === org.id
+      const dot = isActive ? UI.Style.TEXT_SUCCESS + "●" + UI.Style.TEXT_NORMAL : " "
+      const name = isActive ? UI.Style.TEXT_HIGHLIGHT_BOLD + org.name + UI.Style.TEXT_NORMAL : org.name
+      const email = UI.Style.TEXT_DIM + group.account.email + UI.Style.TEXT_NORMAL
+      const id = UI.Style.TEXT_DIM + org.id + UI.Style.TEXT_NORMAL
+      yield* println(`  ${dot} ${name}  ${email}  ${id}`)
+    }
+  }
+})
+
+export const LoginCommand = cmd({
+  command: "login [url]",
+  describe: "log in to an opencode account",
+  builder: (yargs) =>
+    yargs.positional("url", {
+      describe: "server URL",
+      type: "string",
+    }),
+  async handler(args) {
+    UI.empty()
+    await runtime.runPromise(loginEffect(args.url))
+  },
+})
+
+export const LogoutCommand = cmd({
+  command: "logout [email]",
+  describe: "log out from an account",
+  builder: (yargs) =>
+    yargs.positional("email", {
+      describe: "account email to log out from",
+      type: "string",
+    }),
+  async handler(args) {
+    UI.empty()
+    await runtime.runPromise(logoutEffect(args.email))
+  },
+})
+
+export const SwitchCommand = cmd({
+  command: "switch",
+  describe: "switch active org",
+  async handler() {
+    UI.empty()
+    await runtime.runPromise(switchEffect())
+  },
+})
+
+export const OrgsCommand = cmd({
+  command: "orgs",
+  describe: "list all orgs",
+  async handler() {
+    UI.empty()
+    await runtime.runPromise(orgsEffect())
+  },
+})

packages/opencode/src/cli/cmd/acp.ts

@@ -23,7 +23,7 @@ export const AcpCommand = cmd({
     process.env.OPENCODE_CLIENT = "acp"
     await bootstrap(process.cwd(), async () => {
       const opts = await resolveNetworkOptions(args)
-      const server = Server.listen(opts)
+      const server = await Server.listen(opts)
 
       const sdk = createOpencodeClient({
         baseUrl: `http://${server.hostname}:${server.port}`,

packages/opencode/src/cli/cmd/import.ts

@@ -10,7 +10,7 @@ import { ShareNext } from "../../share/share-next"
 import { EOL } from "os"
 import { Filesystem } from "../../util/filesystem"
 
-/** Discriminated union returned by the ShareNext API (GET /api/share/:id/data) */
+/** Discriminated union returned by the ShareNext API (GET /api/shares/:id/data) */
 export type ShareData =
   | { type: "session"; data: SDKSession }
   | { type: "message"; data: Message }
@@ -24,6 +24,14 @@ export function parseShareUrl(url: string): string | null {
   return match ? match[1] : null
 }
 
+export function shouldAttachShareAuthHeaders(shareUrl: string, controlBaseUrl: string): boolean {
+  try {
+    return new URL(shareUrl).origin === new URL(controlBaseUrl).origin
+  } catch {
+    return false
+  }
+}
+
 /**
  * Transform ShareNext API response (flat array) into the nested structure for local file storage.
  *
@@ -97,8 +105,21 @@ export const ImportCommand = cmd({
           return
         }
 
-        const baseUrl = await ShareNext.url()
-        const response = await fetch(`${baseUrl}/api/share/${slug}/data`)
+        const parsed = new URL(args.file)
+        const baseUrl = parsed.origin
+        const req = await ShareNext.request()
+        const headers = shouldAttachShareAuthHeaders(args.file, req.baseUrl) ? req.headers : {}
+
+        const dataPath = req.api.data(slug)
+        let response = await fetch(`${baseUrl}${dataPath}`, {
+          headers,
+        })
+
+        if (!response.ok && dataPath !== `/api/share/${slug}/data`) {
+          response = await fetch(`${baseUrl}/api/share/${slug}/data`, {
+            headers,
+          })
+        }
 
         if (!response.ok) {
           process.stdout.write(`Failed to fetch share data: ${response.statusText}`)

packages/opencode/src/cli/cmd/providers.ts

@@ -13,27 +13,13 @@ import { Instance } from "../../project/instance"
 import type { Hooks } from "@opencode-ai/plugin"
 import { Process } from "../../util/process"
 import { text } from "node:stream/consumers"
-import { setTimeout as sleep } from "node:timers/promises"
 
 type PluginAuth = NonNullable<Hooks["auth"]>
 
-/**
- * Handle plugin-based authentication flow.
- * Returns true if auth was handled, false if it should fall through to default handling.
- */
-async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string, methodName?: string): Promise<boolean> {
+async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string): Promise<boolean> {
   let index = 0
-  if (methodName) {
-    const match = plugin.auth.methods.findIndex((x) => x.label.toLowerCase() === methodName.toLowerCase())
-    if (match === -1) {
-      prompts.log.error(
-        `Unknown method "${methodName}" for ${provider}. Available: ${plugin.auth.methods.map((x) => x.label).join(", ")}`,
-      )
-      process.exit(1)
-    }
-    index = match
-  } else if (plugin.auth.methods.length > 1) {
-    const selected = await prompts.select({
+  if (plugin.auth.methods.length > 1) {
+    const method = await prompts.select({
       message: "Login method",
       options: [
         ...plugin.auth.methods.map((x, index) => ({
@@ -42,13 +28,12 @@ async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string,
         })),
       ],
     })
-    if (prompts.isCancel(selected)) throw new UI.CancelledError()
-    index = parseInt(selected)
+    if (prompts.isCancel(method)) throw new UI.CancelledError()
+    index = parseInt(method)
   }
   const method = plugin.auth.methods[index]
 
-  // Handle prompts for all auth types
-  await sleep(10)
+  await Bun.sleep(10)
   const inputs: Record<string, string> = {}
   if (method.prompts) {
     for (const prompt of method.prompts) {
@@ -171,11 +156,6 @@ async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string,
   return false
 }
 
-/**
- * Build a deduplicated list of plugin-registered auth providers that are not
- * already present in models.dev, respecting enabled/disabled provider lists.
- * Pure function with no side effects; safe to test without mocking.
- */
 export function resolvePluginProviders(input: {
   hooks: Hooks[]
   existingProviders: Record<string, unknown>
@@ -203,19 +183,20 @@ export function resolvePluginProviders(input: {
   return result
 }
 
-export const AuthCommand = cmd({
-  command: "auth",
-  describe: "manage credentials",
+export const ProvidersCommand = cmd({
+  command: "providers",
+  aliases: ["auth"],
+  describe: "manage AI providers and credentials",
   builder: (yargs) =>
-    yargs.command(AuthLoginCommand).command(AuthLogoutCommand).command(AuthListCommand).demandCommand(),
+    yargs.command(ProvidersListCommand).command(ProvidersLoginCommand).command(ProvidersLogoutCommand).demandCommand(),
   async handler() {},
 })
 
-export const AuthListCommand = cmd({
+export const ProvidersListCommand = cmd({
   command: "list",
   aliases: ["ls"],
-  describe: "list providers",
-  async handler() {
+  describe: "list providers and credentials",
+  async handler(_args) {
     UI.empty()
     const authPath = path.join(Global.Path.data, "auth.json")
     const homedir = os.homedir()
@@ -231,7 +212,6 @@ export const AuthListCommand = cmd({
 
     prompts.outro(`${results.length} credentials`)
 
-    // Environment variables section
     const activeEnvVars: Array<{ provider: string; envVar: string }> = []
 
     for (const [providerID, provider] of Object.entries(database)) {
@@ -258,25 +238,14 @@ export const AuthListCommand = cmd({
   },
 })
 
-export const AuthLoginCommand = cmd({
+export const ProvidersLoginCommand = cmd({
   command: "login [url]",
   describe: "log in to a provider",
   builder: (yargs) =>
-    yargs
-      .positional("url", {
-        describe: "opencode auth provider",
-        type: "string",
-      })
-      .option("provider", {
-        alias: ["p"],
-        describe: "provider id or name to log in to (skips provider selection)",
-        type: "string",
-      })
-      .option("method", {
-        alias: ["m"],
-        describe: "login method label (skips method selection)",
-        type: "string",
-      }),
+    yargs.positional("url", {
+      describe: "opencode auth provider",
+      type: "string",
+    }),
   async handler(args) {
     await Instance.provide({
       directory: process.cwd(),
@@ -284,8 +253,7 @@ export const AuthLoginCommand = cmd({
         UI.empty()
         prompts.intro("Add credential")
         if (args.url) {
-          const url = args.url.replace(/\/+$/, "")
-          const wellknown = await fetch(`${url}/.well-known/opencode`).then((x) => x.json() as any)
+          const wellknown = await fetch(`${args.url}/.well-known/opencode`).then((x) => x.json() as any)
           prompts.log.info(`Running \`${wellknown.auth.command.join(" ")}\``)
           const proc = Process.spawn(wellknown.auth.command, {
             stdout: "pipe",
@@ -301,12 +269,12 @@ export const AuthLoginCommand = cmd({
             prompts.outro("Done")
             return
           }
-          await Auth.set(url, {
+          await Auth.set(args.url, {
             type: "wellknown",
             key: wellknown.auth.env,
             token: token.trim(),
           })
-          prompts.log.success("Logged into " + url)
+          prompts.log.success("Logged into " + args.url)
           prompts.outro("Done")
           return
         }
@@ -343,76 +311,59 @@ export const AuthLoginCommand = cmd({
           enabled,
           providerNames: Object.fromEntries(Object.entries(config.provider ?? {}).map(([id, p]) => [id, p.name])),
         })
-        const options = [
-          ...pipe(
-            providers,
-            values(),
-            sortBy(
-              (x) => priority[x.id] ?? 99,
-              (x) => x.name ?? x.id,
+        let provider = await prompts.autocomplete({
+          message: "Select provider",
+          maxItems: 8,
+          options: [
+            ...pipe(
+              providers,
+              values(),
+              sortBy(
+                (x) => priority[x.id] ?? 99,
+                (x) => x.name ?? x.id,
+              ),
+              map((x) => ({
+                label: x.name,
+                value: x.id,
+                hint: {
+                  opencode: "recommended",
+                  anthropic: "Claude Max or API key",
+                  openai: "ChatGPT Plus/Pro or API key",
+                }[x.id],
+              })),
             ),
-            map((x) => ({
+            ...pluginProviders.map((x) => ({
               label: x.name,
               value: x.id,
-              hint: {
-                opencode: "recommended",
-                anthropic: "Claude Max or API key",
-                openai: "ChatGPT Plus/Pro or API key",
-              }[x.id],
+              hint: "plugin",
             })),
-          ),
-          ...pluginProviders.map((x) => ({
-            label: x.name,
-            value: x.id,
-            hint: "plugin",
-          })),
-        ]
+            {
+              value: "other",
+              label: "Other",
+            },
+          ],
+        })
 
-        let provider: string
-        if (args.provider) {
-          const input = args.provider
-          const byID = options.find((x) => x.value === input)
-          const byName = options.find((x) => x.label.toLowerCase() === input.toLowerCase())
-          const match = byID ?? byName
-          if (!match) {
-            prompts.log.error(`Unknown provider "${input}"`)
-            process.exit(1)
-          }
-          provider = match.value
-        } else {
-          const selected = await prompts.autocomplete({
-            message: "Select provider",
-            maxItems: 8,
-            options: [
-              ...options,
-              {
-                value: "other",
-                label: "Other",
-              },
-            ],
-          })
-          if (prompts.isCancel(selected)) throw new UI.CancelledError()
-          provider = selected as string
-        }
+        if (prompts.isCancel(provider)) throw new UI.CancelledError()
 
         const plugin = await Plugin.list().then((x) => x.findLast((x) => x.auth?.provider === provider))
         if (plugin && plugin.auth) {
-          const handled = await handlePluginAuth({ auth: plugin.auth }, provider, args.method)
+          const handled = await handlePluginAuth({ auth: plugin.auth }, provider)
           if (handled) return
         }
 
         if (provider === "other") {
-          const custom = await prompts.text({
+          provider = await prompts.text({
             message: "Enter provider id",
             validate: (x) => (x && x.match(/^[0-9a-z-]+$/) ? undefined : "a-z, 0-9 and hyphens only"),
           })
-          if (prompts.isCancel(custom)) throw new UI.CancelledError()
-          provider = custom.replace(/^@ai-sdk\//, "")
+          if (prompts.isCancel(provider)) throw new UI.CancelledError()
+          provider = provider.replace(/^@ai-sdk\//, "")
+          if (prompts.isCancel(provider)) throw new UI.CancelledError()
 
-          // Check if a plugin provides auth for this custom provider
           const customPlugin = await Plugin.list().then((x) => x.findLast((x) => x.auth?.provider === provider))
           if (customPlugin && customPlugin.auth) {
-            const handled = await handlePluginAuth({ auth: customPlugin.auth }, provider, args.method)
+            const handled = await handlePluginAuth({ auth: customPlugin.auth }, provider)
             if (handled) return
           }
 
@@ -461,10 +412,10 @@ export const AuthLoginCommand = cmd({
   },
 })
 
-export const AuthLogoutCommand = cmd({
+export const ProvidersLogoutCommand = cmd({
   command: "logout",
   describe: "log out from a configured provider",
-  async handler() {
+  async handler(_args) {
     UI.empty()
     const credentials = await Auth.all().then((x) => Object.entries(x))
     prompts.intro("Remove credential")

packages/opencode/src/cli/cmd/run.ts

@@ -370,6 +370,11 @@ export const RunCommand = cmd({
         action: "deny",
         pattern: "*",
       },
+      {
+        permission: "edit",
+        action: "allow",
+        pattern: "*",
+      },
     ]
 
     function title() {

packages/opencode/src/cli/cmd/serve.ts

@@ -15,7 +15,7 @@ export const ServeCommand = cmd({
       console.log("Warning: OPENCODE_SERVER_PASSWORD is not set; server is unsecured.")
     }
     const opts = await resolveNetworkOptions(args)
-    const server = Server.listen(opts)
+    const server = await Server.listen(opts)
     console.log(`opencode server listening on http://${server.hostname}:${server.port}`)
 
     await new Promise(() => {})

packages/opencode/src/cli/cmd/tui/app.tsx

@@ -477,6 +477,7 @@ function App() {
     {
       title: "Toggle MCPs",
       value: "mcp.list",
+      search: "toggle mcps",
       category: "Agent",
       slash: {
         name: "mcps",
@@ -552,8 +553,9 @@ function App() {
       category: "System",
     },
     {
-      title: "Toggle appearance",
+      title: mode() === "dark" ? "Light mode" : "Dark mode",
       value: "theme.switch_mode",
+      search: "toggle appearance",
       onSelect: (dialog) => {
         setMode(mode() === "dark" ? "light" : "dark")
         dialog.clear()
@@ -592,6 +594,7 @@ function App() {
     },
     {
       title: "Toggle debug panel",
+      search: "toggle debug",
       category: "System",
       value: "app.debug",
       onSelect: (dialog) => {
@@ -601,6 +604,7 @@ function App() {
     },
     {
       title: "Toggle console",
+      search: "toggle console",
       category: "System",
       value: "app.console",
       onSelect: (dialog) => {
@@ -641,6 +645,7 @@ function App() {
     {
       title: terminalTitleEnabled() ? "Disable terminal title" : "Enable terminal title",
       value: "terminal.title.toggle",
+      search: "toggle terminal title",
       keybind: "terminal_title_toggle",
       category: "System",
       onSelect: (dialog) => {
@@ -656,6 +661,7 @@ function App() {
     {
       title: kv.get("animations_enabled", true) ? "Disable animations" : "Enable animations",
       value: "app.toggle.animations",
+      search: "toggle animations",
       category: "System",
       onSelect: (dialog) => {
         kv.set("animations_enabled", !kv.get("animations_enabled", true))
@@ -665,6 +671,7 @@ function App() {
     {
       title: kv.get("diff_wrap_mode", "word") === "word" ? "Disable diff wrapping" : "Enable diff wrapping",
       value: "app.toggle.diffwrap",
+      search: "toggle diff wrapping",
       category: "System",
       onSelect: (dialog) => {
         const current = kv.get("diff_wrap_mode", "word")

packages/opencode/src/cli/cmd/tui/component/dialog-model.tsx

@@ -7,6 +7,27 @@ import { useDialog } from "@tui/ui/dialog"
 import { createDialogProviderOptions, DialogProvider } from "./dialog-provider"
 import { useKeybind } from "../context/keybind"
 import * as fuzzysort from "fuzzysort"
+import type { Provider } from "@opencode-ai/sdk/v2"
+
+function pickLatest(models: [string, Provider["models"][string]][]) {
+  const picks: Record<string, [string, Provider["models"][string]]> = {}
+  for (const item of models) {
+    const model = item[0]
+    const info = item[1]
+    const key = info.family ?? model
+    const prev = picks[key]
+    if (!prev) {
+      picks[key] = item
+      continue
+    }
+    if (info.release_date !== prev[1].release_date) {
+      if (info.release_date > prev[1].release_date) picks[key] = item
+      continue
+    }
+    if (model > prev[0]) picks[key] = item
+  }
+  return Object.values(picks)
+}
 
 export function useConnected() {
   const sync = useSync()
@@ -21,6 +42,7 @@ export function DialogModel(props: { providerID?: string }) {
   const dialog = useDialog()
   const keybind = useKeybind()
   const [query, setQuery] = createSignal("")
+  const [all, setAll] = createSignal(false)
 
   const connected = useConnected()
   const providers = createDialogProviderOptions()
@@ -72,8 +94,8 @@ export function DialogModel(props: { providerID?: string }) {
         (provider) => provider.id !== "opencode",
         (provider) => provider.name,
       ),
-      flatMap((provider) =>
-        pipe(
+      flatMap((provider) => {
+        const items = pipe(
           provider.models,
           entries(),
           filter(([_, info]) => info.status !== "deprecated"),
@@ -104,8 +126,9 @@ export function DialogModel(props: { providerID?: string }) {
             (x) => x.footer !== "Free",
             (x) => x.title,
           ),
-        ),
-      ),
+        )
+        return items
+      }),
     )
 
     const popularProviders = !connected()
@@ -154,6 +177,13 @@ export function DialogModel(props: { providerID?: string }) {
             local.model.toggleFavorite(option.value as { providerID: string; modelID: string })
           },
         },
+        {
+          keybind: keybind.all.model_show_all_toggle?.[0],
+          title: all() ? "Show latest only" : "Show all models",
+          onTrigger: () => {
+            setAll((value) => !value)
+          },
+        },
       ]}
       onFilter={setQuery}
       flat={true}

packages/opencode/src/cli/cmd/tui/component/prompt/index.tsx

@@ -77,6 +77,7 @@ export function Prompt(props: PromptProps) {
   const renderer = useRenderer()
   const { theme, syntax } = useTheme()
   const kv = useKV()
+  const [autoaccept, setAutoaccept] = kv.signal<"none" | "edit">("permission_auto_accept", "edit")
 
   function promptModelWarning() {
     toast.show({
@@ -170,6 +171,17 @@ export function Prompt(props: PromptProps) {
 
   command.register(() => {
     return [
+      {
+        title: autoaccept() === "none" ? "Enable autoedit" : "Disable autoedit",
+        value: "permission.auto_accept.toggle",
+        search: "toggle permissions",
+        keybind: "permission_auto_accept_toggle",
+        category: "Agent",
+        onSelect: (dialog) => {
+          setAutoaccept(() => (autoaccept() === "none" ? "edit" : "none"))
+          dialog.clear()
+        },
+      },
       {
         title: "Clear prompt",
         value: "prompt.clear",
@@ -1009,23 +1021,30 @@ export function Prompt(props: PromptProps) {
               cursorColor={theme.text}
               syntaxStyle={syntax()}
             />
-            <box flexDirection="row" flexShrink={0} paddingTop={1} gap={1}>
-              <text fg={highlight()}>
-                {store.mode === "shell" ? "Shell" : Locale.titlecase(local.agent.current().name)}{" "}
-              </text>
-              <Show when={store.mode === "normal"}>
-                <box flexDirection="row" gap={1}>
-                  <text flexShrink={0} fg={keybind.leader ? theme.textMuted : theme.text}>
-                    {local.model.parsed().model}
-                  </text>
-                  <text fg={theme.textMuted}>{local.model.parsed().provider}</text>
-                  <Show when={showVariant()}>
-                    <text fg={theme.textMuted}>·</text>
-                    <text>
-                      <span style={{ fg: theme.warning, bold: true }}>{local.model.variant.current()}</span>
+            <box flexDirection="row" flexShrink={0} paddingTop={1} gap={1} justifyContent="space-between">
+              <box flexDirection="row" gap={1}>
+                <text fg={highlight()}>
+                  {store.mode === "shell" ? "Shell" : Locale.titlecase(local.agent.current().name)}{" "}
+                </text>
+                <Show when={store.mode === "normal"}>
+                  <box flexDirection="row" gap={1}>
+                    <text flexShrink={0} fg={keybind.leader ? theme.textMuted : theme.text}>
+                      {local.model.parsed().model}
                     </text>
-                  </Show>
-                </box>
+                    <text fg={theme.textMuted}>{local.model.parsed().provider}</text>
+                    <Show when={showVariant()}>
+                      <text fg={theme.textMuted}>·</text>
+                      <text>
+                        <span style={{ fg: theme.warning, bold: true }}>{local.model.variant.current()}</span>
+                      </text>
+                    </Show>
+                  </box>
+                </Show>
+              </box>
+              <Show when={autoaccept() === "edit"}>
+                <text>
+                  <span style={{ fg: theme.warning }}>autoedit</span>
+                </text>
               </Show>
             </box>
           </box>

packages/opencode/src/cli/cmd/tui/context/sync.tsx

@@ -25,6 +25,7 @@ import { createSimpleContext } from "./helper"
 import type { Snapshot } from "@/snapshot"
 import { useExit } from "./exit"
 import { useArgs } from "./args"
+import { useKV } from "./kv"
 import { batch, onMount } from "solid-js"
 import { Log } from "@/util/log"
 import type { Path } from "@opencode-ai/sdk"
@@ -106,6 +107,8 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
     })
 
     const sdk = useSDK()
+    const kv = useKV()
+    const [autoaccept] = kv.signal<"none" | "edit">("permission_auto_accept", "edit")
 
     async function syncWorkspaces() {
       const result = await sdk.client.experimental.workspace.list().catch(() => undefined)
@@ -136,6 +139,13 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
 
         case "permission.asked": {
           const request = event.properties
+          if (autoaccept() === "edit" && request.permission === "edit") {
+            sdk.client.permission.reply({
+              reply: "once",
+              requestID: request.id,
+            })
+            break
+          }
           const requests = store.permission[request.sessionID]
           if (!requests) {
             setStore("permission", request.sessionID, [request])
@@ -451,6 +461,7 @@ export const { use: useSync, provider: SyncProvider } = createSimpleContext({
       get ready() {
         return store.status !== "loading"
       },
+
       session: {
         get(sessionID: string) {
           const match = Binary.search(store.session, sessionID, (s) => s.id)

packages/opencode/src/cli/cmd/tui/routes/home.tsx

@@ -47,6 +47,7 @@ export function Home() {
     {
       title: tipsHidden() ? "Show tips" : "Hide tips",
       value: "tips.toggle",
+      search: "toggle tips",
       keybind: "tips_toggle",
       category: "System",
       onSelect: (dialog) => {

packages/opencode/src/cli/cmd/tui/routes/session/index.tsx

@@ -383,7 +383,12 @@ export function Session() {
             sessionID: route.sessionID,
           })
           .then((res) => copy(res.data!.share!.url))
-          .catch(() => toast.show({ message: "Failed to share session", variant: "error" }))
+          .catch((error) => {
+            toast.show({
+              message: error instanceof Error ? error.message : "Failed to share session",
+              variant: "error",
+            })
+          })
         dialog.clear()
       },
     },
@@ -486,7 +491,12 @@ export function Session() {
             sessionID: route.sessionID,
           })
           .then(() => toast.show({ message: "Session unshared successfully", variant: "success" }))
-          .catch(() => toast.show({ message: "Failed to unshare session", variant: "error" }))
+          .catch((error) => {
+            toast.show({
+              message: error instanceof Error ? error.message : "Failed to unshare session",
+              variant: "error",
+            })
+          })
         dialog.clear()
       },
     },
@@ -558,6 +568,7 @@ export function Session() {
     {
       title: sidebarVisible() ? "Hide sidebar" : "Show sidebar",
       value: "session.sidebar.toggle",
+      search: "toggle sidebar",
       keybind: "sidebar_toggle",
       category: "Session",
       onSelect: (dialog) => {
@@ -572,6 +583,7 @@ export function Session() {
     {
       title: conceal() ? "Disable code concealment" : "Enable code concealment",
       value: "session.toggle.conceal",
+      search: "toggle code concealment",
       keybind: "messages_toggle_conceal" as any,
       category: "Session",
       onSelect: (dialog) => {
@@ -582,6 +594,7 @@ export function Session() {
     {
       title: showTimestamps() ? "Hide timestamps" : "Show timestamps",
       value: "session.toggle.timestamps",
+      search: "toggle timestamps",
       category: "Session",
       slash: {
         name: "timestamps",
@@ -595,6 +608,7 @@ export function Session() {
     {
       title: showThinking() ? "Hide thinking" : "Show thinking",
       value: "session.toggle.thinking",
+      search: "toggle thinking",
       keybind: "display_thinking",
       category: "Session",
       slash: {
@@ -609,6 +623,7 @@ export function Session() {
     {
       title: showDetails() ? "Hide tool details" : "Show tool details",
       value: "session.toggle.actions",
+      search: "toggle tool details",
       keybind: "tool_details",
       category: "Session",
       onSelect: (dialog) => {
@@ -617,8 +632,9 @@ export function Session() {
       },
     },
     {
-      title: "Toggle session scrollbar",
+      title: showScrollbar() ? "Hide session scrollbar" : "Show session scrollbar",
       value: "session.toggle.scrollbar",
+      search: "toggle session scrollbar",
       keybind: "scrollbar_toggle",
       category: "Session",
       onSelect: (dialog) => {

packages/opencode/src/cli/cmd/tui/ui/dialog-select.tsx

@@ -34,6 +34,7 @@ export interface DialogSelectOption<T = any> {
   title: string
   value: T
   description?: string
+  search?: string
   footer?: JSX.Element | string
   category?: string
   disabled?: boolean
@@ -85,8 +86,8 @@ export function DialogSelect<T>(props: DialogSelectProps<T>) {
     // users typically search by the item name, and not its category.
     const result = fuzzysort
       .go(needle, options, {
-        keys: ["title", "category"],
-        scoreFn: (r) => r[0].score * 2 + r[1].score,
+        keys: ["title", "category", "search"],
+        scoreFn: (r) => r[0].score * 2 + r[1].score + r[2].score,
       })
       .map((x) => x.obj)
 

packages/opencode/src/cli/cmd/tui/worker.ts

@@ -8,7 +8,6 @@ import { upgrade } from "@/cli/upgrade"
 import { Config } from "@/config/config"
 import { GlobalBus } from "@/bus/global"
 import { createOpencodeClient, type Event } from "@opencode-ai/sdk/v2"
-import type { BunWebSocketData } from "hono/bun"
 import { Flag } from "@/flag/flag"
 import { setTimeout as sleep } from "node:timers/promises"
 
@@ -38,7 +37,7 @@ GlobalBus.on("event", (event) => {
   Rpc.emit("global.event", event)
 })
 
-let server: Bun.Server<BunWebSocketData> | undefined
+let server: Awaited<ReturnType<typeof Server.listen>> | undefined
 
 const eventStream = {
   abort: undefined as AbortController | undefined,
@@ -120,7 +119,7 @@ export const rpc = {
   },
   async server(input: { port: number; hostname: string; mdns?: boolean; cors?: string[] }) {
     if (server) await server.stop(true)
-    server = Server.listen(input)
+    server = await Server.listen(input)
     return { url: server.url.toString() }
   },
   async checkUpgrade(input: { directory: string }) {
@@ -143,7 +142,7 @@ export const rpc = {
     Log.Default.info("worker shutting down")
     if (eventStream.abort) eventStream.abort.abort()
     await Instance.disposeAll()
-    if (server) server.stop(true)
+    if (server) await server.stop(true)
   },
 }
 

packages/opencode/src/cli/cmd/web.ts

@@ -37,7 +37,7 @@ export const WebCommand = cmd({
       UI.println(UI.Style.TEXT_WARNING_BOLD + "!  " + "OPENCODE_SERVER_PASSWORD is not set; server is unsecured.")
     }
     const opts = await resolveNetworkOptions(args)
-    const server = Server.listen(opts)
+    const server = await Server.listen(opts)
     UI.empty()
     UI.println(UI.logo("  "))
     UI.empty()

packages/opencode/src/cli/effect/prompt.ts

@@ -0,0 +1,25 @@
+import * as prompts from "@clack/prompts"
+import { Effect, Option } from "effect"
+
+export const intro = (msg: string) => Effect.sync(() => prompts.intro(msg))
+export const outro = (msg: string) => Effect.sync(() => prompts.outro(msg))
+
+export const log = {
+  info: (msg: string) => Effect.sync(() => prompts.log.info(msg)),
+}
+
+export const select = <Value>(opts: Parameters<typeof prompts.select<Value>>[0]) =>
+  Effect.tryPromise(() => prompts.select(opts)).pipe(
+    Effect.map((result) => {
+      if (prompts.isCancel(result)) return Option.none<Value>()
+      return Option.some(result)
+    }),
+  )
+
+export const spinner = () => {
+  const s = prompts.spinner()
+  return {
+    start: (msg: string) => Effect.sync(() => s.start(msg)),
+    stop: (msg: string, code?: number) => Effect.sync(() => s.stop(msg, code)),
+  }
+}

packages/opencode/src/config/config.ts

@@ -12,6 +12,7 @@ import { lazy } from "../util/lazy"
 import { NamedError } from "@opencode-ai/util/error"
 import { Flag } from "../flag/flag"
 import { Auth } from "../auth"
+import { Env } from "../env"
 import {
   type ParseError as JsoncParseError,
   applyEdits,
@@ -32,7 +33,7 @@ import { Glob } from "../util/glob"
 import { PackageRegistry } from "@/bun/registry"
 import { proxied } from "@/util/proxied"
 import { iife } from "@/util/iife"
-import { Control } from "@/control"
+import { Account } from "@/account"
 import { ConfigPaths } from "./paths"
 import { Filesystem } from "@/util/filesystem"
 
@@ -108,10 +109,6 @@ export namespace Config {
       }
     }
 
-    const token = await Control.token()
-    if (token) {
-    }
-
     // Global user config overrides remote config.
     result = mergeConfigConcatArrays(result, await global())
 
@@ -178,6 +175,26 @@ export namespace Config {
       log.debug("loaded custom config from OPENCODE_CONFIG_CONTENT")
     }
 
+    const active = Account.active()
+    if (active?.selected_org_id) {
+      const config = await Account.config(active.id, active.selected_org_id)
+      const token = await Account.token(active.id)
+      if (token) {
+        process.env["OPENCODE_CONSOLE_TOKEN"] = token
+        Env.set("OPENCODE_CONSOLE_TOKEN", token)
+      }
+
+      if (config) {
+        result = mergeConfigConcatArrays(
+          result,
+          await load(JSON.stringify(config), {
+            dir: path.dirname(`${active.url}/api/config`),
+            source: `${active.url}/api/config`,
+          }),
+        )
+      }
+    }
+
     // Load managed config files last (highest priority) - enterprise admin-controlled
     // Kept separate from directories array to avoid write operations when installing plugins
     // which would fail on system directories requiring elevated permissions
@@ -772,6 +789,7 @@ export namespace Config {
       stash_delete: z.string().optional().default("ctrl+d").describe("Delete stash entry"),
       model_provider_list: z.string().optional().default("ctrl+a").describe("Open provider list from model dialog"),
       model_favorite_toggle: z.string().optional().default("ctrl+f").describe("Toggle model favorite status"),
+      model_show_all_toggle: z.string().optional().default("ctrl+o").describe("Toggle showing all models"),
       session_share: z.string().optional().default("none").describe("Share current session"),
       session_unshare: z.string().optional().default("none").describe("Unshare current session"),
       session_interrupt: z.string().optional().default("escape").describe("Interrupt current session"),
@@ -812,7 +830,12 @@ export namespace Config {
       command_list: z.string().optional().default("ctrl+p").describe("List available commands"),
       agent_list: z.string().optional().default("<leader>a").describe("List agents"),
       agent_cycle: z.string().optional().default("tab").describe("Next agent"),
-      agent_cycle_reverse: z.string().optional().default("shift+tab").describe("Previous agent"),
+      agent_cycle_reverse: z.string().optional().default("none").describe("Previous agent"),
+      permission_auto_accept_toggle: z
+        .string()
+        .optional()
+        .default("shift+tab")
+        .describe("Toggle auto-accept mode for permissions"),
       variant_cycle: z.string().optional().default("ctrl+t").describe("Cycle model variants"),
       input_clear: z.string().optional().default("ctrl+c").describe("Clear input field"),
       input_paste: z.string().optional().default("ctrl+v").describe("Paste from clipboard"),
@@ -972,6 +995,14 @@ export namespace Config {
             .describe(
               "Timeout in milliseconds for requests to this provider. Default is 300000 (5 minutes). Set to false to disable timeout.",
             ),
+          chunkTimeout: z
+            .number()
+            .int()
+            .positive()
+            .optional()
+            .describe(
+              "Timeout in milliseconds between streamed SSE chunks for this provider. If no chunk arrives within this window, the request is aborted.",
+            ),
         })
         .catchall(z.any())
         .optional(),

packages/opencode/src/control/index.ts

@@ -1,67 +0,0 @@
-import { eq, and } from "drizzle-orm"
-import { Database } from "@/storage/db"
-import { ControlAccountTable } from "./control.sql"
-import z from "zod"
-
-export * from "./control.sql"
-
-export namespace Control {
-  export const Account = z.object({
-    email: z.string(),
-    url: z.string(),
-  })
-  export type Account = z.infer<typeof Account>
-
-  function fromRow(row: (typeof ControlAccountTable)["$inferSelect"]): Account {
-    return {
-      email: row.email,
-      url: row.url,
-    }
-  }
-
-  export function account(): Account | undefined {
-    const row = Database.use((db) =>
-      db.select().from(ControlAccountTable).where(eq(ControlAccountTable.active, true)).get(),
-    )
-    return row ? fromRow(row) : undefined
-  }
-
-  export async function token(): Promise<string | undefined> {
-    const row = Database.use((db) =>
-      db.select().from(ControlAccountTable).where(eq(ControlAccountTable.active, true)).get(),
-    )
-    if (!row) return undefined
-    if (row.token_expiry && row.token_expiry > Date.now()) return row.access_token
-
-    const res = await fetch(`${row.url}/oauth/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "refresh_token",
-        refresh_token: row.refresh_token,
-      }).toString(),
-    })
-
-    if (!res.ok) return
-
-    const json = (await res.json()) as {
-      access_token: string
-      refresh_token?: string
-      expires_in?: number
-    }
-
-    Database.use((db) =>
-      db
-        .update(ControlAccountTable)
-        .set({
-          access_token: json.access_token,
-          refresh_token: json.refresh_token ?? row.refresh_token,
-          token_expiry: json.expires_in ? Date.now() + json.expires_in * 1000 : undefined,
-        })
-        .where(and(eq(ControlAccountTable.email, row.email), eq(ControlAccountTable.url, row.url)))
-        .run(),
-    )
-
-    return json.access_token
-  }
-}

packages/opencode/src/effect/runtime.ts

@@ -0,0 +1,4 @@
+import { ManagedRuntime } from "effect"
+import { AccountService } from "@/account/service"
+
+export const runtime = ManagedRuntime.make(AccountService.defaultLayer)

packages/opencode/src/index.ts

@@ -3,7 +3,8 @@ import { hideBin } from "yargs/helpers"
 import { RunCommand } from "./cli/cmd/run"
 import { GenerateCommand } from "./cli/cmd/generate"
 import { Log } from "./util/log"
-import { AuthCommand } from "./cli/cmd/auth"
+import { LoginCommand, LogoutCommand, SwitchCommand, OrgsCommand } from "./cli/cmd/account"
+import { ProvidersCommand } from "./cli/cmd/providers"
 import { AgentCommand } from "./cli/cmd/agent"
 import { UpgradeCommand } from "./cli/cmd/upgrade"
 import { UninstallCommand } from "./cli/cmd/uninstall"
@@ -134,7 +135,11 @@ let cli = yargs(hideBin(process.argv))
   .command(RunCommand)
   .command(GenerateCommand)
   .command(DebugCommand)
-  .command(AuthCommand)
+  .command(LoginCommand)
+  .command(LogoutCommand)
+  .command(SwitchCommand)
+  .command(OrgsCommand)
+  .command(ProvidersCommand)
   .command(AgentCommand)
   .command(UpgradeCommand)
   .command(UninstallCommand)

packages/opencode/src/project/project.ts

@@ -88,6 +88,12 @@ export namespace Project {
     }
   }
 
+  function readCachedId(dir: string) {
+    return Filesystem.readText(path.join(dir, "opencode"))
+      .then((x) => x.trim())
+      .catch(() => undefined)
+  }
+
   export async function fromDirectory(directory: string) {
     log.info("fromDirectory", { directory })
 
@@ -101,19 +107,43 @@ export namespace Project {
         const gitBinary = which("git")
 
         // cached id calculation
-        let id = await Filesystem.readText(path.join(dotgit, "opencode"))
-          .then((x) => x.trim())
-          .catch(() => undefined)
+        let id = await readCachedId(dotgit)
 
         if (!gitBinary) {
           return {
             id: id ?? "global",
             worktree: sandbox,
-            sandbox: sandbox,
+            sandbox,
             vcs: Info.shape.vcs.parse(Flag.OPENCODE_FAKE_VCS),
           }
         }
 
+        const worktree = await git(["rev-parse", "--git-common-dir"], {
+          cwd: sandbox,
+        })
+          .then(async (result) => {
+            const common = gitpath(sandbox, await result.text())
+            // Avoid going to parent of sandbox when git-common-dir is empty.
+            return common === sandbox ? sandbox : path.dirname(common)
+          })
+          .catch(() => undefined)
+
+        if (!worktree) {
+          return {
+            id: id ?? "global",
+            worktree: sandbox,
+            sandbox,
+            vcs: Info.shape.vcs.parse(Flag.OPENCODE_FAKE_VCS),
+          }
+        }
+
+        // In the case of a git worktree, it can't cache the id
+        // because `.git` is not a folder, but it always needs the
+        // same project id as the common dir, so we resolve it now
+        if (id == null) {
+          id = await readCachedId(path.join(worktree, ".git"))
+        }
+
         // generate id from root commit
         if (!id) {
           const roots = await git(["rev-list", "--max-parents=0", "--all"], {
@@ -132,7 +162,7 @@ export namespace Project {
             return {
               id: "global",
               worktree: sandbox,
-              sandbox: sandbox,
+              sandbox,
               vcs: Info.shape.vcs.parse(Flag.OPENCODE_FAKE_VCS),
             }
           }
@@ -147,7 +177,7 @@ export namespace Project {
           return {
             id: "global",
             worktree: sandbox,
-            sandbox: sandbox,
+            sandbox,
             vcs: "git",
           }
         }
@@ -161,33 +191,14 @@ export namespace Project {
         if (!top) {
           return {
             id,
-            sandbox,
             worktree: sandbox,
+            sandbox,
             vcs: Info.shape.vcs.parse(Flag.OPENCODE_FAKE_VCS),
           }
         }
 
         sandbox = top
 
-        const worktree = await git(["rev-parse", "--git-common-dir"], {
-          cwd: sandbox,
-        })
-          .then(async (result) => {
-            const common = gitpath(sandbox, await result.text())
-            // Avoid going to parent of sandbox when git-common-dir is empty.
-            return common === sandbox ? sandbox : path.dirname(common)
-          })
-          .catch(() => undefined)
-
-        if (!worktree) {
-          return {
-            id,
-            sandbox,
-            worktree: sandbox,
-            vcs: Info.shape.vcs.parse(Flag.OPENCODE_FAKE_VCS),
-          }
-        }
-
         return {
           id,
           sandbox,

packages/opencode/src/provider/provider.ts

@@ -46,6 +46,8 @@ import { GoogleAuth } from "google-auth-library"
 import { ProviderTransform } from "./transform"
 import { Installation } from "../installation"
 
+const DEFAULT_CHUNK_TIMEOUT = 120_000
+
 export namespace Provider {
   const log = Log.create({ service: "provider" })
 
@@ -85,6 +87,54 @@ export namespace Provider {
     })
   }
 
+  function wrapSSE(res: Response, ms: number, ctl: AbortController) {
+    if (typeof ms !== "number" || ms <= 0) return res
+    if (!res.body) return res
+    if (!res.headers.get("content-type")?.includes("text/event-stream")) return res
+
+    const reader = res.body.getReader()
+    const body = new ReadableStream<Uint8Array>({
+      async pull(ctrl) {
+        const part = await new Promise<Awaited<ReturnType<typeof reader.read>>>((resolve, reject) => {
+          const id = setTimeout(() => {
+            const err = new Error("SSE read timed out")
+            ctl.abort(err)
+            void reader.cancel(err)
+            reject(err)
+          }, ms)
+
+          reader.read().then(
+            (part) => {
+              clearTimeout(id)
+              resolve(part)
+            },
+            (err) => {
+              clearTimeout(id)
+              reject(err)
+            },
+          )
+        })
+
+        if (part.done) {
+          ctrl.close()
+          return
+        }
+
+        ctrl.enqueue(part.value)
+      },
+      async cancel(reason) {
+        ctl.abort(reason)
+        await reader.cancel(reason)
+      },
+    })
+
+    return new Response(body, {
+      headers: new Headers(res.headers),
+      status: res.status,
+      statusText: res.statusText,
+    })
+  }
+
   const BUNDLED_PROVIDERS: Record<string, (options: any) => SDK> = {
     "@ai-sdk/amazon-bedrock": createAmazonBedrock,
     "@ai-sdk/anthropic": createAnthropic,
@@ -1092,21 +1142,23 @@ export namespace Provider {
       if (existing) return existing
 
       const customFetch = options["fetch"]
+      const chunkTimeout = options["chunkTimeout"] || DEFAULT_CHUNK_TIMEOUT
+      delete options["chunkTimeout"]
 
       options["fetch"] = async (input: any, init?: BunFetchRequestInit) => {
         // Preserve custom fetch if it exists, wrap it with timeout logic
         const fetchFn = customFetch ?? fetch
         const opts = init ?? {}
+        const chunkAbortCtl = typeof chunkTimeout === "number" && chunkTimeout > 0 ? new AbortController() : undefined
+        const signals: AbortSignal[] = []
 
-        if (options["timeout"] !== undefined && options["timeout"] !== null) {
-          const signals: AbortSignal[] = []
-          if (opts.signal) signals.push(opts.signal)
-          if (options["timeout"] !== false) signals.push(AbortSignal.timeout(options["timeout"]))
+        if (opts.signal) signals.push(opts.signal)
+        if (chunkAbortCtl) signals.push(chunkAbortCtl.signal)
+        if (options["timeout"] !== undefined && options["timeout"] !== null && options["timeout"] !== false)
+          signals.push(AbortSignal.timeout(options["timeout"]))
 
-          const combined = signals.length > 1 ? AbortSignal.any(signals) : signals[0]
-
-          opts.signal = combined
-        }
+        const combined = signals.length === 0 ? null : signals.length === 1 ? signals[0] : AbortSignal.any(signals)
+        if (combined) opts.signal = combined
 
         // Strip openai itemId metadata following what codex does
         // Codex uses #[serde(skip_serializing)] on id fields for all item types:
@@ -1126,11 +1178,14 @@ export namespace Provider {
           }
         }
 
-        return fetchFn(input, {
+        const res = await fetchFn(input, {
           ...opts,
           // @ts-ignore see here: https://github.com/oven-sh/bun/issues/16682
           timeout: false,
         })
+
+        if (!chunkAbortCtl) return res
+        return wrapSSE(res, chunkTimeout, chunkAbortCtl)
       }
 
       const bundledFn = BUNDLED_PROVIDERS[model.api.npm]

packages/opencode/src/pty/index.ts

@@ -23,6 +23,8 @@ export namespace Pty {
     close: (code?: number, reason?: string) => void
   }
 
+  const key = (ws: Socket) => (ws.data && typeof ws.data === "object" ? ws.data : ws)
+
   // WebSocket control frame: 0x00 + UTF-8 JSON.
   const meta = (cursor: number) => {
     const json = JSON.stringify({ cursor })
@@ -97,9 +99,9 @@ export namespace Pty {
         try {
           session.process.kill()
         } catch {}
-        for (const [key, ws] of session.subscribers.entries()) {
+        for (const [id, ws] of session.subscribers.entries()) {
           try {
-            if (ws.data === key) ws.close()
+            if (key(ws) === id) ws.close()
           } catch {
             // ignore
           }
@@ -121,7 +123,7 @@ export namespace Pty {
     const id = Identifier.create("pty", false)
     const command = input.command || Shell.preferred()
     const args = input.args || []
-    if (command.endsWith("sh")) {
+    if (Shell.login(command)) {
       args.push("-l")
     }
 
@@ -170,21 +172,21 @@ export namespace Pty {
     ptyProcess.onData((chunk) => {
       session.cursor += chunk.length
 
-      for (const [key, ws] of session.subscribers.entries()) {
+      for (const [id, ws] of session.subscribers.entries()) {
         if (ws.readyState !== 1) {
-          session.subscribers.delete(key)
+          session.subscribers.delete(id)
           continue
         }
 
-        if (ws.data !== key) {
-          session.subscribers.delete(key)
+        if (key(ws) !== id) {
+          session.subscribers.delete(id)
           continue
         }
 
         try {
           ws.send(chunk)
         } catch {
-          session.subscribers.delete(key)
+          session.subscribers.delete(id)
         }
       }
 
@@ -226,9 +228,9 @@ export namespace Pty {
     try {
       session.process.kill()
     } catch {}
-    for (const [key, ws] of session.subscribers.entries()) {
+    for (const [id, ws] of session.subscribers.entries()) {
       try {
-        if (ws.data === key) ws.close()
+        if (key(ws) === id) ws.close()
       } catch {
         // ignore
       }
@@ -259,16 +261,13 @@ export namespace Pty {
     }
     log.info("client connected to session", { id })
 
-    // Use ws.data as the unique key for this connection lifecycle.
-    // If ws.data is undefined, fallback to ws object.
-    const connectionKey = ws.data && typeof ws.data === "object" ? ws.data : ws
+    const sub = key(ws)
 
-    // Optionally cleanup if the key somehow exists
-    session.subscribers.delete(connectionKey)
-    session.subscribers.set(connectionKey, ws)
+    session.subscribers.delete(sub)
+    session.subscribers.set(sub, ws)
 
     const cleanup = () => {
-      session.subscribers.delete(connectionKey)
+      session.subscribers.delete(sub)
     }
 
     const start = session.bufferCursor

packages/opencode/src/server/routes/pty.ts

@@ -1,14 +1,13 @@
 import { Hono } from "hono"
 import { describeRoute, validator, resolver } from "hono-openapi"
-import { upgradeWebSocket } from "hono/bun"
+import type { UpgradeWebSocket } from "hono/ws"
 import z from "zod"
 import { Pty } from "@/pty"
 import { NotFoundError } from "../../storage/db"
 import { errors } from "../error"
-import { lazy } from "../../util/lazy"
 
-export const PtyRoutes = lazy(() =>
-  new Hono()
+export function PtyRoutes(upgradeWebSocket: UpgradeWebSocket) {
+  return new Hono()
     .get(
       "/",
       describeRoute({
@@ -196,5 +195,5 @@ export const PtyRoutes = lazy(() =>
           },
         }
       }),
-    ),
-)
+    )
+}

packages/opencode/src/server/server.ts

@@ -34,7 +34,8 @@ import { ProviderRoutes } from "./routes/provider"
 import { InstanceBootstrap } from "../project/bootstrap"
 import { NotFoundError } from "../storage/db"
 import type { ContentfulStatusCode } from "hono/utils/http-status"
-import { websocket } from "hono/bun"
+import { createAdaptorServer, type ServerType } from "@hono/node-server"
+import { createNodeWebSocket } from "@hono/node-ws"
 import { HTTPException } from "hono/http-exception"
 import { errors } from "./error"
 import { Filesystem } from "@/util/filesystem"
@@ -48,13 +49,20 @@ import { lazy } from "@/util/lazy"
 globalThis.AI_SDK_LOG_WARNINGS = false
 
 export namespace Server {
-  const log = Log.create({ service: "server" })
+  export type Listener = {
+    hostname: string
+    port: number
+    url: URL
+    stop: (close?: boolean) => Promise<void>
+  }
 
-  export const Default = lazy(() => createApp({}))
+  export const Default = lazy(() => create({}).app)
 
-  export const createApp = (opts: { cors?: string[] }): Hono => {
+  function create(opts: { cors?: string[] }) {
+    const log = Log.create({ service: "server" })
     const app = new Hono()
-    return app
+    const ws = createNodeWebSocket({ app })
+    const route = app
       .onError((err, c) => {
         log.error("failed", {
           error: err,
@@ -239,7 +247,6 @@ export namespace Server {
         ),
       )
       .route("/project", ProjectRoutes())
-      .route("/pty", PtyRoutes())
       .route("/config", ConfigRoutes())
       .route("/experimental", ExperimentalRoutes())
       .route("/session", SessionRoutes())
@@ -552,6 +559,7 @@ export namespace Server {
           })
         },
       )
+      .route("/pty", PtyRoutes(ws.upgradeWebSocket))
       .all("/*", async (c) => {
         const path = c.req.path
 
@@ -568,6 +576,11 @@ export namespace Server {
         )
         return response
       })
+
+    return {
+      app: route as Hono,
+      ws,
+    }
   }
 
   export async function openapi() {
@@ -585,48 +598,86 @@ export namespace Server {
     return result
   }
 
-  export function listen(opts: {
+  export async function listen(opts: {
     port: number
     hostname: string
     mdns?: boolean
     mdnsDomain?: string
     cors?: string[]
-  }) {
-    const app = createApp(opts)
-    const args = {
-      hostname: opts.hostname,
-      idleTimeout: 0,
-      fetch: app.fetch,
-      websocket: websocket,
-    } as const
-    const tryServe = (port: number) => {
-      try {
-        return Bun.serve({ ...args, port })
-      } catch {
-        return undefined
-      }
+  }): Promise<Listener> {
+    const log = Log.create({ service: "server" })
+    const built = create({
+      ...opts,
+    })
+    const start = (port: number) =>
+      new Promise<ServerType>((resolve, reject) => {
+        const server = createAdaptorServer({ fetch: built.app.fetch })
+        built.ws.injectWebSocket(server)
+        const fail = (err: Error) => {
+          cleanup()
+          reject(err)
+        }
+        const ready = () => {
+          cleanup()
+          resolve(server)
+        }
+        const cleanup = () => {
+          server.off("error", fail)
+          server.off("listening", ready)
+        }
+        server.once("error", fail)
+        server.once("listening", ready)
+        server.listen(port, opts.hostname)
+      })
+
+    const server = opts.port === 0 ? await start(4096).catch(() => start(0)) : await start(opts.port)
+    const addr = server.address()
+    if (!addr || typeof addr === "string") {
+      throw new Error(`Failed to resolve server address for port ${opts.port}`)
     }
-    const server = opts.port === 0 ? (tryServe(4096) ?? tryServe(0)) : tryServe(opts.port)
-    if (!server) throw new Error(`Failed to start server on port ${opts.port}`)
+
+    const url = new URL("http://localhost")
+    url.hostname = opts.hostname
+    url.port = String(addr.port)
 
     const shouldPublishMDNS =
       opts.mdns &&
-      server.port &&
+      addr.port &&
       opts.hostname !== "127.0.0.1" &&
       opts.hostname !== "localhost" &&
       opts.hostname !== "::1"
     if (shouldPublishMDNS) {
-      MDNS.publish(server.port!, opts.mdnsDomain)
+      MDNS.publish(addr.port, opts.mdnsDomain)
     } else if (opts.mdns) {
       log.warn("mDNS enabled but hostname is loopback; skipping mDNS publish")
     }
 
-    const originalStop = server.stop.bind(server)
-    server.stop = async (closeActiveConnections?: boolean) => {
-      if (shouldPublishMDNS) MDNS.unpublish()
-      return originalStop(closeActiveConnections)
+    let closing: Promise<void> | undefined
+    return {
+      hostname: opts.hostname,
+      port: addr.port,
+      url,
+      stop(close?: boolean) {
+        closing ??= new Promise((resolve, reject) => {
+          if (shouldPublishMDNS) MDNS.unpublish()
+          server.close((err) => {
+            if (err) {
+              reject(err)
+              return
+            }
+            resolve()
+          })
+          if (close) {
+            if ("closeAllConnections" in server && typeof server.closeAllConnections === "function") {
+              server.closeAllConnections()
+            }
+            if ("closeIdleConnections" in server && typeof server.closeIdleConnections === "function") {
+              server.closeIdleConnections()
+            }
+          }
+        })
+        return closing
+      },
     }
-
-    return server
   }
 }

packages/opencode/src/session/prompt.ts

@@ -316,11 +316,7 @@ export namespace SessionPrompt {
       }
 
       if (!lastUser) throw new Error("No user message found in stream. This should never happen.")
-      if (
-        lastAssistant?.finish &&
-        !["tool-calls", "unknown"].includes(lastAssistant.finish) &&
-        lastUser.id < lastAssistant.id
-      ) {
+      if (shouldExitLoop(lastUser, lastAssistant)) {
         log.info("exiting loop", { sessionID })
         break
       }
@@ -1566,9 +1562,7 @@ NOTE: At any point in time through this workflow you should feel free to ask the
     }
     await Session.updatePart(part)
     const shell = Shell.preferred()
-    const shellName = (
-      process.platform === "win32" ? path.win32.basename(shell, ".exe") : path.basename(shell)
-    ).toLowerCase()
+    const shellName = Shell.name(shell)
 
     const invocations: Record<string, { args: string[] }> = {
       nu: {
@@ -1959,4 +1953,15 @@ NOTE: At any point in time through this workflow you should feel free to ask the
       return Session.setTitle({ sessionID: input.session.id, title })
     }
   }
+
+  /** @internal Exported for testing — determines whether the prompt loop should exit */
+  export function shouldExitLoop(
+    lastUser: MessageV2.User | undefined,
+    lastAssistant: MessageV2.Assistant | undefined,
+  ): boolean {
+    if (!lastUser) return false
+    if (!lastAssistant?.finish) return false
+    if (["tool-calls", "unknown"].includes(lastAssistant.finish)) return false
+    return lastAssistant.parentID === lastUser.id
+  }
 }

packages/opencode/src/share/share-next.ts

@@ -1,4 +1,5 @@
 import { Bus } from "@/bus"
+import { Account } from "@/account"
 import { Config } from "@/config/config"
 import { Provider } from "@/provider/provider"
 import { Session } from "@/session"
@@ -11,8 +12,51 @@ import type * as SDK from "@opencode-ai/sdk/v2"
 export namespace ShareNext {
   const log = Log.create({ service: "share-next" })
 
+  type ApiEndpoints = {
+    create: string
+    sync: (shareId: string) => string
+    remove: (shareId: string) => string
+    data: (shareId: string) => string
+  }
+
+  function apiEndpoints(resource: string): ApiEndpoints {
+    return {
+      create: `/api/${resource}`,
+      sync: (shareId) => `/api/${resource}/${shareId}/sync`,
+      remove: (shareId) => `/api/${resource}/${shareId}`,
+      data: (shareId) => `/api/${resource}/${shareId}/data`,
+    }
+  }
+
+  const legacyApi = apiEndpoints("share")
+  const controlApi = apiEndpoints("shares")
+
   export async function url() {
-    return Config.get().then((x) => x.enterprise?.url ?? "https://opncd.ai")
+    const req = await request()
+    return req.baseUrl
+  }
+
+  export async function request(): Promise<{
+    headers: Record<string, string>
+    api: ApiEndpoints
+    baseUrl: string
+  }> {
+    const headers: Record<string, string> = {}
+
+    const active = Account.active()
+    if (!active?.selected_org_id) {
+      const baseUrl = await Config.get().then((x) => x.enterprise?.url ?? "https://opncd.ai")
+      return { headers, api: legacyApi, baseUrl }
+    }
+
+    const token = await Account.token(active.id)
+    if (!token) {
+      throw new Error("No active OpenControl token available for sharing")
+    }
+
+    headers["authorization"] = `Bearer ${token}`
+    headers["x-org-id"] = active.selected_org_id
+    return { headers, api: controlApi, baseUrl: active.url }
   }
 
   const disabled = process.env["OPENCODE_DISABLE_SHARE"] === "true" || process.env["OPENCODE_DISABLE_SHARE"] === "1"
@@ -68,15 +112,20 @@ export namespace ShareNext {
   export async function create(sessionID: string) {
     if (disabled) return { id: "", url: "", secret: "" }
     log.info("creating share", { sessionID })
-    const result = await fetch(`${await url()}/api/share`, {
+    const req = await request()
+    const response = await fetch(`${req.baseUrl}${req.api.create}`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-      },
+      headers: { ...req.headers, "Content-Type": "application/json" },
       body: JSON.stringify({ sessionID: sessionID }),
     })
-      .then((x) => x.json())
-      .then((x) => x as { id: string; url: string; secret: string })
+
+    if (!response.ok) {
+      const message = await response.text().catch(() => response.statusText)
+      throw new Error(`Failed to create share (${response.status}): ${message || response.statusText}`)
+    }
+
+    const result = (await response.json()) as { id: string; url: string; secret: string }
+
     Database.use((db) =>
       db
         .insert(SessionShareTable)
@@ -159,16 +208,19 @@ export namespace ShareNext {
       const share = get(sessionID)
       if (!share) return
 
-      await fetch(`${await url()}/api/share/${share.id}/sync`, {
+      const req = await request()
+      const response = await fetch(`${req.baseUrl}${req.api.sync(share.id)}`, {
         method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-        },
+        headers: { ...req.headers, "Content-Type": "application/json" },
         body: JSON.stringify({
           secret: share.secret,
           data: Array.from(queued.data.values()),
         }),
       })
+
+      if (!response.ok) {
+        log.warn("failed to sync share", { sessionID, shareID: share.id, status: response.status })
+      }
     }, 1000)
     queue.set(sessionID, { timeout, data: dataMap })
   }
@@ -178,15 +230,21 @@ export namespace ShareNext {
     log.info("removing share", { sessionID })
     const share = get(sessionID)
     if (!share) return
-    await fetch(`${await url()}/api/share/${share.id}`, {
+
+    const req = await request()
+    const response = await fetch(`${req.baseUrl}${req.api.remove(share.id)}`, {
       method: "DELETE",
-      headers: {
-        "Content-Type": "application/json",
-      },
+      headers: { ...req.headers, "Content-Type": "application/json" },
       body: JSON.stringify({
         secret: share.secret,
       }),
     })
+
+    if (!response.ok) {
+      const message = await response.text().catch(() => response.statusText)
+      throw new Error(`Failed to remove share (${response.status}): ${message || response.statusText}`)
+    }
+
     Database.use((db) => db.delete(SessionShareTable).where(eq(SessionShareTable.session_id, sessionID)).run())
   }
 

packages/opencode/src/shell/shell.ts

@@ -9,6 +9,9 @@ import { setTimeout as sleep } from "node:timers/promises"
 const SIGKILL_TIMEOUT_MS = 200
 
 export namespace Shell {
+  const BLACKLIST = new Set(["fish", "nu"])
+  const LOGIN = new Set(["bash", "dash", "fish", "ksh", "sh", "zsh"])
+
   export async function killTree(proc: ChildProcess, opts?: { exited?: () => boolean }): Promise<void> {
     const pid = proc.pid
     if (!pid || opts?.exited?.()) return
@@ -36,7 +39,29 @@ export namespace Shell {
       }
     }
   }
-  const BLACKLIST = new Set(["fish", "nu"])
+
+  function full(file: string) {
+    if (process.platform !== "win32") return file
+    const shell = Filesystem.windowsPath(file)
+    if (path.win32.dirname(shell) !== ".") return shell
+    return Bun.which(shell) || shell
+  }
+
+  function pick() {
+    const pwsh = Bun.which("pwsh")
+    if (pwsh) return pwsh
+    const powershell = Bun.which("powershell")
+    if (powershell) return powershell
+  }
+
+  function select(file: string | undefined, opts?: { acceptable?: boolean }) {
+    if (file && (!opts?.acceptable || !BLACKLIST.has(name(file)))) return full(file)
+    if (process.platform === "win32") {
+      const shell = pick()
+      if (shell) return shell
+    }
+    return fallback()
+  }
 
   function fallback() {
     if (process.platform === "win32") {
@@ -56,15 +81,16 @@ export namespace Shell {
     return "/bin/sh"
   }
 
-  export const preferred = lazy(() => {
-    const s = process.env.SHELL
-    if (s) return s
-    return fallback()
-  })
+  export function name(file: string) {
+    if (process.platform === "win32") return path.win32.parse(Filesystem.windowsPath(file)).name.toLowerCase()
+    return path.basename(file).toLowerCase()
+  }
 
-  export const acceptable = lazy(() => {
-    const s = process.env.SHELL
-    if (s && !BLACKLIST.has(process.platform === "win32" ? path.win32.basename(s) : path.basename(s))) return s
-    return fallback()
-  })
+  export function login(file: string) {
+    return LOGIN.has(name(file))
+  }
+
+  export const preferred = lazy(() => select(process.env.SHELL))
+
+  export const acceptable = lazy(() => select(process.env.SHELL, { acceptable: true }))
 }

packages/opencode/src/storage/db.ts

@@ -39,7 +39,7 @@ export namespace Database {
   type Schema = typeof schema
   export type Transaction = SQLiteTransaction<"sync", void, Schema>
 
-  type Client = SQLiteBunDatabase<Schema>
+  type Client = SQLiteBunDatabase
 
   type Journal = { sql: string; timestamp: number; name: string }[]
 
@@ -93,7 +93,7 @@ export namespace Database {
     sqlite.run("PRAGMA foreign_keys = ON")
     sqlite.run("PRAGMA wal_checkpoint(PASSIVE)")
 
-    const db = drizzle({ client: sqlite, schema })
+    const db = drizzle({ client: sqlite })
 
     // Apply schema migrations
     const entries =
@@ -124,7 +124,7 @@ export namespace Database {
     Client.reset()
   }
 
-  export type TxOrDb = Transaction | Client
+  export type TxOrDb = SQLiteTransaction<"sync", void, any, any> | Client
 
   const ctx = Context.create<{
     tx: TxOrDb

packages/opencode/src/storage/schema.ts

@@ -1,5 +1,5 @@
-export { ControlAccountTable } from "../control/control.sql"
+export { AccountTable, AccountStateTable, ControlAccountTable } from "../account/account.sql"
+export { ProjectTable } from "../project/project.sql"
 export { SessionTable, MessageTable, PartTable, TodoTable, PermissionTable } from "../session/session.sql"
 export { SessionShareTable } from "../share/share.sql"
-export { ProjectTable } from "../project/project.sql"
 export { WorkspaceTable } from "../control-plane/workspace.sql"

packages/opencode/src/tool/bash.ts

@@ -1,4 +1,5 @@
 import z from "zod"
+import os from "os"
 import { spawn } from "child_process"
 import { Tool } from "./tool"
 import path from "path"
@@ -6,8 +7,7 @@ import DESCRIPTION from "./bash.txt"
 import { Log } from "../util/log"
 import { Instance } from "../project/instance"
 import { lazy } from "@/util/lazy"
-import { Language } from "web-tree-sitter"
-import fs from "fs/promises"
+import { Language, type Node } from "web-tree-sitter"
 
 import { Filesystem } from "@/util/filesystem"
 import { fileURLToPath } from "url"
@@ -20,6 +20,43 @@ import { Plugin } from "@/plugin"
 
 const MAX_METADATA_LENGTH = 30_000
 const DEFAULT_TIMEOUT = Flag.OPENCODE_EXPERIMENTAL_BASH_DEFAULT_TIMEOUT_MS || 2 * 60 * 1000
+const PS = new Set(["powershell", "pwsh"])
+const CWD = new Set(["cd", "push-location", "set-location"])
+const FILES = new Set([
+  ...CWD,
+  "rm",
+  "cp",
+  "mv",
+  "mkdir",
+  "touch",
+  "chmod",
+  "chown",
+  "cat",
+  // Leave PowerShell aliases out for now. Common ones like cat/cp/mv/rm/mkdir
+  // already hit the entries above, and alias normalization should happen in one
+  // place later so we do not risk double-prompting.
+  "get-content",
+  "set-content",
+  "add-content",
+  "copy-item",
+  "move-item",
+  "remove-item",
+  "new-item",
+  "rename-item",
+])
+const FLAGS = new Set(["-destination", "-literalpath", "-path"])
+const SWITCHES = new Set(["-confirm", "-debug", "-force", "-nonewline", "-recurse", "-verbose", "-whatif"])
+
+type Part = {
+  type: string
+  text: string
+}
+
+type Scan = {
+  dirs: Set<string>
+  patterns: Set<string>
+  always: Set<string>
+}
 
 export const log = Log.create({ service: "bash-tool" })
 
@@ -30,6 +67,338 @@ const resolveWasm = (asset: string) => {
   return fileURLToPath(url)
 }
 
+function parts(node: Node) {
+  const out: Part[] = []
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i)
+    if (!child) continue
+    if (child.type === "command_elements") {
+      for (let j = 0; j < child.childCount; j++) {
+        const item = child.child(j)
+        if (!item || item.type === "command_argument_sep" || item.type === "redirection") continue
+        out.push({ type: item.type, text: item.text })
+      }
+      continue
+    }
+    if (
+      child.type !== "command_name" &&
+      child.type !== "command_name_expr" &&
+      child.type !== "word" &&
+      child.type !== "string" &&
+      child.type !== "raw_string" &&
+      child.type !== "concatenation"
+    ) {
+      continue
+    }
+    out.push({ type: child.type, text: child.text })
+  }
+  return out
+}
+
+function commandText(node: Node) {
+  return (node.parent?.type === "redirected_statement" ? node.parent.text : node.text).trim()
+}
+
+function nested(node: Node) {
+  let parent = node.parent
+  while (parent) {
+    if (parent.type === "command") return true
+    parent = parent.parent
+  }
+  return false
+}
+
+function commands(node: Node) {
+  const out: Node[] = []
+  for (const child of node.descendantsOfType("command")) {
+    if (!child || nested(child)) continue
+    out.push(child)
+  }
+  return out
+}
+
+function unquote(text: string) {
+  if (text.length < 2) return text
+  const first = text[0]
+  const last = text[text.length - 1]
+  if ((first === '"' || first === "'") && first === last) return text.slice(1, -1)
+  return text
+}
+
+function home(text: string) {
+  if (text === "~") return os.homedir()
+  if (text.startsWith("~/") || text.startsWith("~\\")) return path.join(os.homedir(), text.slice(2))
+  return text
+}
+
+function envValue(key: string) {
+  if (process.platform !== "win32") return process.env[key]
+  const name = Object.keys(process.env).find((item) => item.toLowerCase() === key.toLowerCase())
+  return name ? process.env[name] : undefined
+}
+
+function expandEnv(text: string) {
+  const out = unquote(text).replace(/\$env:([A-Za-z_][A-Za-z0-9_]*)/gi, (_, key: string) => {
+    const value = envValue(key)
+    return value || ""
+  })
+  return home(out)
+}
+
+function drive(text: string) {
+  return /^[A-Za-z]:($|[\\/])/.test(text)
+}
+
+function provider(text: string) {
+  return /^[A-Za-z]+:/.test(text) && !drive(text)
+}
+
+function dynamicPath(text: string, ps: boolean) {
+  if (text.startsWith("(") || text.startsWith("@(")) return true
+  if (text.includes("$(") || text.includes("${") || text.includes("`")) return true
+  if (ps) return /\$(?!env:)/i.test(text)
+  return text.includes("$")
+}
+
+function prefix(text: string) {
+  const match = /[?*\[]/.exec(text)
+  if (!match) return text
+  if (match.index === 0) return
+  return text.slice(0, match.index)
+}
+
+function resolvePath(text: string, root: string) {
+  if (process.platform === "win32") {
+    return Filesystem.normalizePath(path.resolve(root, Filesystem.windowsPath(text)))
+  }
+  return path.resolve(root, text)
+}
+
+function argPath(arg: string, cwd: string, ps: boolean) {
+  const text = ps ? expandEnv(arg) : home(unquote(arg))
+  const file = text && prefix(text)
+  if (!file || dynamicPath(file, ps)) return
+  if (ps && provider(file)) return
+  return resolvePath(file, cwd)
+}
+
+function pathArgs(list: Part[], ps: boolean) {
+  if (!ps) {
+    return list
+      .slice(1)
+      .filter((item) => !item.text.startsWith("-") && !(list[0]?.text === "chmod" && item.text.startsWith("+")))
+      .map((item) => item.text)
+  }
+
+  const out: string[] = []
+  let want = false
+  for (const item of list.slice(1)) {
+    if (want) {
+      out.push(item.text)
+      want = false
+      continue
+    }
+    if (item.type === "command_parameter") {
+      const flag = item.text.toLowerCase()
+      if (SWITCHES.has(flag)) continue
+      want = FLAGS.has(flag)
+      continue
+    }
+    out.push(item.text)
+  }
+  return out
+}
+
+async function collect(root: Node, cwd: string, ps: boolean): Promise<Scan> {
+  const scan: Scan = {
+    dirs: new Set<string>(),
+    patterns: new Set<string>(),
+    always: new Set<string>(),
+  }
+
+  for (const node of commands(root)) {
+    const command = parts(node)
+    const tokens = command.map((item) => item.text)
+    const cmd = ps ? tokens[0]?.toLowerCase() : tokens[0]
+
+    if (cmd && FILES.has(cmd)) {
+      for (const arg of pathArgs(command, ps)) {
+        const resolved = argPath(arg, cwd, ps)
+        log.info("resolved path", { arg, resolved })
+        if (!resolved || Instance.containsPath(resolved)) continue
+        const dir = (await Filesystem.isDir(resolved)) ? resolved : path.dirname(resolved)
+        scan.dirs.add(dir)
+      }
+    }
+
+    if (tokens.length && (!cmd || !CWD.has(cmd))) {
+      scan.patterns.add(commandText(node))
+      scan.always.add(BashArity.prefix(tokens).join(" ") + " *")
+    }
+  }
+
+  return scan
+}
+
+function preview(text: string) {
+  if (text.length <= MAX_METADATA_LENGTH) return text
+  return text.slice(0, MAX_METADATA_LENGTH) + "\n\n..."
+}
+
+async function parse(command: string, ps: boolean) {
+  const tree = await parser().then((p) => (ps ? p.ps : p.bash).parse(command))
+  if (!tree) throw new Error("Failed to parse command")
+  return tree.rootNode
+}
+
+async function ask(ctx: Tool.Context, scan: Scan) {
+  if (scan.dirs.size > 0) {
+    const globs = Array.from(scan.dirs).map((dir) => {
+      if (process.platform === "win32") return Filesystem.normalizePathPattern(path.join(dir, "*"))
+      return path.join(dir, "*")
+    })
+    await ctx.ask({
+      permission: "external_directory",
+      patterns: globs,
+      always: globs,
+      metadata: {},
+    })
+  }
+
+  if (scan.patterns.size === 0) return
+  await ctx.ask({
+    permission: "bash",
+    patterns: Array.from(scan.patterns),
+    always: Array.from(scan.always),
+    metadata: {},
+  })
+}
+
+async function shellEnv(ctx: Tool.Context, cwd: string) {
+  const extra = await Plugin.trigger("shell.env", { cwd, sessionID: ctx.sessionID, callID: ctx.callID }, { env: {} })
+  return {
+    ...process.env,
+    ...extra.env,
+  }
+}
+
+function launch(shell: string, name: string, command: string, cwd: string, env: NodeJS.ProcessEnv) {
+  if (process.platform === "win32" && PS.has(name)) {
+    return spawn(shell, ["-NoLogo", "-NoProfile", "-NonInteractive", "-Command", command], {
+      cwd,
+      env,
+      stdio: ["ignore", "pipe", "pipe"],
+      detached: false,
+    })
+  }
+
+  return spawn(command, {
+    shell,
+    cwd,
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+    detached: process.platform !== "win32",
+  })
+}
+
+async function run(
+  input: {
+    shell: string
+    name: string
+    command: string
+    cwd: string
+    env: NodeJS.ProcessEnv
+    timeout: number
+    description: string
+  },
+  ctx: Tool.Context,
+) {
+  const proc = launch(input.shell, input.name, input.command, input.cwd, input.env)
+  let output = ""
+
+  ctx.metadata({
+    metadata: {
+      output: "",
+      description: input.description,
+    },
+  })
+
+  const append = (chunk: Buffer) => {
+    output += chunk.toString()
+    ctx.metadata({
+      metadata: {
+        output: preview(output),
+        description: input.description,
+      },
+    })
+  }
+
+  proc.stdout?.on("data", append)
+  proc.stderr?.on("data", append)
+
+  let timedOut = false
+  let aborted = false
+  let exited = false
+
+  const kill = () => Shell.killTree(proc, { exited: () => exited })
+
+  if (ctx.abort.aborted) {
+    aborted = true
+    await kill()
+  }
+
+  const abort = () => {
+    aborted = true
+    void kill()
+  }
+
+  ctx.abort.addEventListener("abort", abort, { once: true })
+  const timer = setTimeout(() => {
+    timedOut = true
+    void kill()
+  }, input.timeout + 100)
+
+  await new Promise<void>((resolve, reject) => {
+    const cleanup = () => {
+      clearTimeout(timer)
+      ctx.abort.removeEventListener("abort", abort)
+    }
+
+    proc.once("exit", () => {
+      exited = true
+    })
+
+    proc.once("close", () => {
+      exited = true
+      cleanup()
+      resolve()
+    })
+
+    proc.once("error", (error) => {
+      exited = true
+      cleanup()
+      reject(error)
+    })
+  })
+
+  const metadata: string[] = []
+  if (timedOut) metadata.push(`bash tool terminated command after exceeding timeout ${input.timeout} ms`)
+  if (aborted) metadata.push("User aborted the command")
+  if (metadata.length > 0) {
+    output += "\n\n<bash_metadata>\n" + metadata.join("\n") + "\n</bash_metadata>"
+  }
+
+  return {
+    title: input.description,
+    metadata: {
+      output: preview(output),
+      exit: proc.exitCode,
+      description: input.description,
+    },
+    output,
+  }
+}
+
 const parser = lazy(async () => {
   const { Parser } = await import("web-tree-sitter")
   const { default: treeWasm } = await import("web-tree-sitter/tree-sitter.wasm" as string, {
@@ -44,20 +413,34 @@ const parser = lazy(async () => {
   const { default: bashWasm } = await import("tree-sitter-bash/tree-sitter-bash.wasm" as string, {
     with: { type: "wasm" },
   })
+  const { default: psWasm } = await import("tree-sitter-powershell/tree-sitter-powershell.wasm" as string, {
+    with: { type: "wasm" },
+  })
   const bashPath = resolveWasm(bashWasm)
-  const bashLanguage = await Language.load(bashPath)
-  const p = new Parser()
-  p.setLanguage(bashLanguage)
-  return p
+  const psPath = resolveWasm(psWasm)
+  const [bashLanguage, psLanguage] = await Promise.all([Language.load(bashPath), Language.load(psPath)])
+  const bash = new Parser()
+  bash.setLanguage(bashLanguage)
+  const ps = new Parser()
+  ps.setLanguage(psLanguage)
+  return { bash, ps }
 })
 
 // TODO: we may wanna rename this tool so it works better on other shells
 export const BashTool = Tool.define("bash", async () => {
   const shell = Shell.acceptable()
+  const name = Shell.name(shell)
+  const chain =
+    name === "powershell"
+      ? "If the commands depend on each other and must run sequentially, avoid '&&' in this shell because Windows PowerShell 5.1 does not support it. Use PowerShell conditionals such as `cmd1; if ($?) { cmd2 }` when later commands must depend on earlier success."
+      : "If the commands depend on each other and must run sequentially, use a single Bash call with '&&' to chain them together (e.g., `git add . && git commit -m \"message\" && git push`). For instance, if one operation must complete before another starts (like mkdir before cp, Write before Bash for git operations, or git add before git commit), run these operations sequentially instead."
   log.info("bash tool using shell", { shell })
 
   return {
     description: DESCRIPTION.replaceAll("${directory}", Instance.directory)
+      .replaceAll("${os}", process.platform)
+      .replaceAll("${shell}", name)
+      .replaceAll("${chaining}", chain)
       .replaceAll("${maxLines}", String(Truncate.MAX_LINES))
       .replaceAll("${maxBytes}", String(Truncate.MAX_BYTES)),
     parameters: z.object({
@@ -76,194 +459,29 @@ export const BashTool = Tool.define("bash", async () => {
         ),
     }),
     async execute(params, ctx) {
-      const cwd = params.workdir || Instance.directory
+      const cwd = resolvePath(params.workdir || Instance.directory, Instance.directory)
       if (params.timeout !== undefined && params.timeout < 0) {
         throw new Error(`Invalid timeout value: ${params.timeout}. Timeout must be a positive number.`)
       }
       const timeout = params.timeout ?? DEFAULT_TIMEOUT
-      const tree = await parser().then((p) => p.parse(params.command))
-      if (!tree) {
-        throw new Error("Failed to parse command")
-      }
-      const directories = new Set<string>()
-      if (!Instance.containsPath(cwd)) directories.add(cwd)
-      const patterns = new Set<string>()
-      const always = new Set<string>()
+      const ps = PS.has(name)
+      const root = await parse(params.command, ps)
+      const scan = await collect(root, cwd, ps)
+      if (!Instance.containsPath(cwd)) scan.dirs.add(cwd)
+      await ask(ctx, scan)
 
-      for (const node of tree.rootNode.descendantsOfType("command")) {
-        if (!node) continue
-
-        // Get full command text including redirects if present
-        let commandText = node.parent?.type === "redirected_statement" ? node.parent.text : node.text
-
-        const command = []
-        for (let i = 0; i < node.childCount; i++) {
-          const child = node.child(i)
-          if (!child) continue
-          if (
-            child.type !== "command_name" &&
-            child.type !== "word" &&
-            child.type !== "string" &&
-            child.type !== "raw_string" &&
-            child.type !== "concatenation"
-          ) {
-            continue
-          }
-          command.push(child.text)
-        }
-
-        // not an exhaustive list, but covers most common cases
-        if (["cd", "rm", "cp", "mv", "mkdir", "touch", "chmod", "chown", "cat"].includes(command[0])) {
-          for (const arg of command.slice(1)) {
-            if (arg.startsWith("-") || (command[0] === "chmod" && arg.startsWith("+"))) continue
-            const resolved = await fs.realpath(path.resolve(cwd, arg)).catch(() => "")
-            log.info("resolved path", { arg, resolved })
-            if (resolved) {
-              const normalized =
-                process.platform === "win32" ? Filesystem.windowsPath(resolved).replace(/\//g, "\\") : resolved
-              if (!Instance.containsPath(normalized)) {
-                const dir = (await Filesystem.isDir(normalized)) ? normalized : path.dirname(normalized)
-                directories.add(dir)
-              }
-            }
-          }
-        }
-
-        // cd covered by above check
-        if (command.length && command[0] !== "cd") {
-          patterns.add(commandText)
-          always.add(BashArity.prefix(command).join(" ") + " *")
-        }
-      }
-
-      if (directories.size > 0) {
-        const globs = Array.from(directories).map((dir) => {
-          // Preserve POSIX-looking paths with /s, even on Windows
-          if (dir.startsWith("/")) return `${dir.replace(/[\\/]+$/, "")}/*`
-          return path.join(dir, "*")
-        })
-        await ctx.ask({
-          permission: "external_directory",
-          patterns: globs,
-          always: globs,
-          metadata: {},
-        })
-      }
-
-      if (patterns.size > 0) {
-        await ctx.ask({
-          permission: "bash",
-          patterns: Array.from(patterns),
-          always: Array.from(always),
-          metadata: {},
-        })
-      }
-
-      const shellEnv = await Plugin.trigger(
-        "shell.env",
-        { cwd, sessionID: ctx.sessionID, callID: ctx.callID },
-        { env: {} },
+      return run(
+        {
+          shell,
+          name,
+          command: params.command,
+          cwd,
+          env: await shellEnv(ctx, cwd),
+          timeout,
+          description: params.description,
+        },
+        ctx,
       )
-      const proc = spawn(params.command, {
-        shell,
-        cwd,
-        env: {
-          ...process.env,
-          ...shellEnv.env,
-        },
-        stdio: ["ignore", "pipe", "pipe"],
-        detached: process.platform !== "win32",
-      })
-
-      let output = ""
-
-      // Initialize metadata with empty output
-      ctx.metadata({
-        metadata: {
-          output: "",
-          description: params.description,
-        },
-      })
-
-      const append = (chunk: Buffer) => {
-        output += chunk.toString()
-        ctx.metadata({
-          metadata: {
-            // truncate the metadata to avoid GIANT blobs of data (has nothing to do w/ what agent can access)
-            output: output.length > MAX_METADATA_LENGTH ? output.slice(0, MAX_METADATA_LENGTH) + "\n\n..." : output,
-            description: params.description,
-          },
-        })
-      }
-
-      proc.stdout?.on("data", append)
-      proc.stderr?.on("data", append)
-
-      let timedOut = false
-      let aborted = false
-      let exited = false
-
-      const kill = () => Shell.killTree(proc, { exited: () => exited })
-
-      if (ctx.abort.aborted) {
-        aborted = true
-        await kill()
-      }
-
-      const abortHandler = () => {
-        aborted = true
-        void kill()
-      }
-
-      ctx.abort.addEventListener("abort", abortHandler, { once: true })
-
-      const timeoutTimer = setTimeout(() => {
-        timedOut = true
-        void kill()
-      }, timeout + 100)
-
-      await new Promise<void>((resolve, reject) => {
-        const cleanup = () => {
-          clearTimeout(timeoutTimer)
-          ctx.abort.removeEventListener("abort", abortHandler)
-        }
-
-        proc.once("exit", () => {
-          exited = true
-          cleanup()
-          resolve()
-        })
-
-        proc.once("error", (error) => {
-          exited = true
-          cleanup()
-          reject(error)
-        })
-      })
-
-      const resultMetadata: string[] = []
-
-      if (timedOut) {
-        resultMetadata.push(`bash tool terminated command after exceeding timeout ${timeout} ms`)
-      }
-
-      if (aborted) {
-        resultMetadata.push("User aborted the command")
-      }
-
-      if (resultMetadata.length > 0) {
-        output += "\n\n<bash_metadata>\n" + resultMetadata.join("\n") + "\n</bash_metadata>"
-      }
-
-      return {
-        title: params.description,
-        metadata: {
-          output: output.length > MAX_METADATA_LENGTH ? output.slice(0, MAX_METADATA_LENGTH) + "\n\n..." : output,
-          exit: proc.exitCode,
-          description: params.description,
-        },
-        output,
-      }
     },
   }
 })

packages/opencode/src/tool/bash.txt

@@ -1,5 +1,7 @@
 Executes a given bash command in a persistent shell session with optional timeout, ensuring proper handling and security measures.
 
+Be aware: OS: ${os}, Shell: ${shell}
+
 All commands run in ${directory} by default. Use the `workdir` parameter if you need to run a command in a different directory. AVOID using `cd <directory> && <command>` patterns - use `workdir` instead.
 
 IMPORTANT: This tool is for terminal operations like git, npm, docker, etc. DO NOT use it for file operations (reading, writing, editing, searching, finding files) - use the specialized tools for this instead.
@@ -35,7 +37,7 @@ Usage notes:
     - Communication: Output text directly (NOT echo/printf)
   - When issuing multiple commands:
     - If the commands are independent and can run in parallel, make multiple Bash tool calls in a single message. For example, if you need to run "git status" and "git diff", send a single message with two Bash tool calls in parallel.
-    - If the commands depend on each other and must run sequentially, use a single Bash call with '&&' to chain them together (e.g., `git add . && git commit -m "message" && git push`). For instance, if one operation must complete before another starts (like mkdir before cp, Write before Bash for git operations, or git add before git commit), run these operations sequentially instead.
+    - ${chaining}
     - Use ';' only when you need to run commands sequentially but don't care if earlier commands fail
     - DO NOT use newlines to separate commands (newlines are ok in quoted strings)
   - AVOID using `cd <directory> && <command>`. Use the `workdir` parameter to change directories instead.

packages/opencode/src/tool/external-directory.ts

@@ -1,6 +1,7 @@
 import path from "path"
 import type { Tool } from "./tool"
 import { Instance } from "../project/instance"
+import { Filesystem } from "@/util/filesystem"
 
 type Kind = "file" | "directory"
 
@@ -14,19 +15,23 @@ export async function assertExternalDirectory(ctx: Tool.Context, target?: string
 
   if (options?.bypass) return
 
-  if (Instance.containsPath(target)) return
+  const full = process.platform === "win32" ? Filesystem.normalizePath(target) : target
+  if (Instance.containsPath(full)) return
 
   const kind = options?.kind ?? "file"
-  const parentDir = kind === "directory" ? target : path.dirname(target)
-  const glob = path.join(parentDir, "*").replaceAll("\\", "/")
+  const dir = kind === "directory" ? full : path.dirname(full)
+  const glob =
+    process.platform === "win32"
+      ? Filesystem.normalizePathPattern(path.join(dir, "*"))
+      : path.join(dir, "*").replaceAll("\\", "/")
 
   await ctx.ask({
     permission: "external_directory",
     patterns: [glob],
     always: [glob],
     metadata: {
-      filepath: target,
-      parentDir,
+      filepath: full,
+      parentDir: dir,
     },
   })
 }

packages/opencode/src/tool/read.ts

@@ -33,6 +33,9 @@ export const ReadTool = Tool.define("read", {
     if (!path.isAbsolute(filepath)) {
       filepath = path.resolve(Instance.directory, filepath)
     }
+    if (process.platform === "win32") {
+      filepath = Filesystem.normalizePath(filepath)
+    }
     const title = path.relative(Instance.worktree, filepath)
 
     const stat = Filesystem.stat(filepath)

packages/opencode/src/util/effect-http-client.ts

@@ -0,0 +1,11 @@
+import { Schedule } from "effect"
+import { HttpClient } from "effect/unstable/http"
+
+export const withTransientReadRetry = <E, R>(client: HttpClient.HttpClient.With<E, R>) =>
+  client.pipe(
+    HttpClient.retryTransient({
+      retryOn: "errors-and-responses",
+      times: 2,
+      schedule: Schedule.exponential(200).pipe(Schedule.jittered),
+    }),
+  )

packages/opencode/src/util/filesystem.ts

@@ -2,7 +2,7 @@ import { chmod, mkdir, readFile, writeFile } from "fs/promises"
 import { createWriteStream, existsSync, statSync } from "fs"
 import { lookup } from "mime-types"
 import { realpathSync } from "fs"
-import { dirname, join, relative, resolve as pathResolve } from "path"
+import { dirname, join, relative, resolve as pathResolve, win32 } from "path"
 import { Readable } from "stream"
 import { pipeline } from "stream/promises"
 import { Glob } from "./glob"
@@ -106,13 +106,22 @@ export namespace Filesystem {
    */
   export function normalizePath(p: string): string {
     if (process.platform !== "win32") return p
+    const resolved = win32.normalize(win32.resolve(windowsPath(p)))
     try {
-      return realpathSync.native(p)
+      return realpathSync.native(resolved)
     } catch {
-      return p
+      return resolved
     }
   }
 
+  export function normalizePathPattern(p: string): string {
+    if (process.platform !== "win32") return p
+    if (p === "*") return p
+    const match = p.match(/^(.*)[\\/]\*$/)
+    if (!match) return normalizePath(p)
+    return join(normalizePath(match[1]), "*")
+  }
+
   // We cannot rely on path.resolve() here because git.exe may come from Git Bash, Cygwin, or MSYS2, so we need to translate these paths at the boundary.
   export function resolve(p: string): string {
     return normalizePath(pathResolve(windowsPath(p)))

packages/opencode/src/util/schema.ts

@@ -0,0 +1,17 @@
+import { Schema } from "effect"
+
+/**
+ * Attach static methods to a schema object. Designed to be used with `.pipe()`:
+ *
+ * @example
+ *   export const Foo = fooSchema.pipe(
+ *     withStatics((schema) => ({
+ *       zero: schema.makeUnsafe(0),
+ *       from: Schema.decodeUnknownOption(schema),
+ *     }))
+ *   )
+ */
+export const withStatics =
+  <S extends object, M extends Record<string, unknown>>(methods: (schema: S) => M) =>
+  (schema: S): S & M =>
+    Object.assign(schema, methods(schema))

packages/opencode/src/worktree/index.ts

@@ -413,7 +413,7 @@ export namespace Worktree {
         await runStartScripts(info.directory, { projectID, extra })
       }
 
-      void start().catch((error) => {
+      return start().catch((error) => {
         log.error("worktree start task failed", { directory: info.directory, error })
       })
     }

packages/opencode/test/account/repo.test.ts

@@ -0,0 +1,337 @@
+import { expect } from "bun:test"
+import { Effect, Layer, Option } from "effect"
+
+import { AccountRepo } from "../../src/account/repo"
+import { AccountID, OrgID } from "../../src/account/schema"
+import { resetDatabase } from "../fixture/db"
+import { testEffect } from "../fixture/effect"
+
+const reset = Layer.effectDiscard(Effect.promise(() => resetDatabase()))
+
+const it = testEffect(Layer.merge(AccountRepo.layer, reset))
+
+it.effect(
+  "list returns empty when no accounts exist",
+  Effect.gen(function* () {
+    const accounts = yield* AccountRepo.use((r) => r.list())
+    expect(accounts).toEqual([])
+  }),
+)
+
+it.effect(
+  "active returns none when no accounts exist",
+  Effect.gen(function* () {
+    const active = yield* AccountRepo.use((r) => r.active())
+    expect(Option.isNone(active)).toBe(true)
+  }),
+)
+
+it.effect(
+  "persistAccount inserts and getRow retrieves",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_123",
+        refreshToken: "rt_456",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.some(OrgID.make("org-1")),
+      }),
+    )
+
+    const row = yield* AccountRepo.use((r) => r.getRow(id))
+    expect(Option.isSome(row)).toBe(true)
+    const value = Option.getOrThrow(row)
+    expect(value.id).toBe("user-1")
+    expect(value.email).toBe("test@example.com")
+    expect(value.selected_org_id).toBe("org-1")
+  }),
+)
+
+it.effect(
+  "persistAccount sets the active account without clearing prior selections",
+  Effect.gen(function* () {
+    const id1 = AccountID.make("user-1")
+    const id2 = AccountID.make("user-2")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: id1,
+        email: "first@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.some(OrgID.make("org-1")),
+      }),
+    )
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: id2,
+        email: "second@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_2",
+        refreshToken: "rt_2",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.some(OrgID.make("org-2")),
+      }),
+    )
+
+    const row1 = yield* AccountRepo.use((r) => r.getRow(id1))
+    expect(Option.getOrThrow(row1).selected_org_id).toBe("org-1")
+
+    const row2 = yield* AccountRepo.use((r) => r.getRow(id2))
+    expect(Option.getOrThrow(row2).selected_org_id).toBe("org-2")
+
+    const active = yield* AccountRepo.use((r) => r.active())
+    expect(Option.isSome(active)).toBe(true)
+    expect(Option.getOrThrow(active).id).toBe(AccountID.make("user-2"))
+  }),
+)
+
+it.effect(
+  "list returns all accounts",
+  Effect.gen(function* () {
+    const id1 = AccountID.make("user-1")
+    const id2 = AccountID.make("user-2")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: id1,
+        email: "a@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: id2,
+        email: "b@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_2",
+        refreshToken: "rt_2",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.some(OrgID.make("org-1")),
+      }),
+    )
+
+    const accounts = yield* AccountRepo.use((r) => r.list())
+    expect(accounts.length).toBe(2)
+    expect(accounts.map((a) => a.email).sort()).toEqual(["a@example.com", "b@example.com"])
+  }),
+)
+
+it.effect(
+  "remove deletes an account",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    yield* AccountRepo.use((r) => r.remove(id))
+
+    const row = yield* AccountRepo.use((r) => r.getRow(id))
+    expect(Option.isNone(row)).toBe(true)
+  }),
+)
+
+it.effect(
+  "use stores the selected org and marks the account active",
+  Effect.gen(function* () {
+    const id1 = AccountID.make("user-1")
+    const id2 = AccountID.make("user-2")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: id1,
+        email: "first@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: id2,
+        email: "second@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_2",
+        refreshToken: "rt_2",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    yield* AccountRepo.use((r) => r.use(id1, Option.some(OrgID.make("org-99"))))
+    const row = yield* AccountRepo.use((r) => r.getRow(id1))
+    expect(Option.getOrThrow(row).selected_org_id).toBe("org-99")
+
+    const active = yield* AccountRepo.use((r) => r.active())
+    expect(Option.getOrThrow(active).id).toBe(id1)
+
+    yield* AccountRepo.use((r) => r.use(id1, Option.none()))
+    const row2 = yield* AccountRepo.use((r) => r.getRow(id1))
+    expect(Option.getOrThrow(row2).selected_org_id).toBeNull()
+
+    const other = yield* AccountRepo.use((r) => r.getRow(id2))
+    expect(Option.getOrThrow(other).selected_org_id).toBeNull()
+  }),
+)
+
+it.effect(
+  "persistToken updates token fields",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "old_token",
+        refreshToken: "old_refresh",
+        expiry: 1000,
+        orgID: Option.none(),
+      }),
+    )
+
+    const expiry = Date.now() + 7200_000
+    yield* AccountRepo.use((r) =>
+      r.persistToken({
+        accountID: id,
+        accessToken: "new_token",
+        refreshToken: "new_refresh",
+        expiry: Option.some(expiry),
+      }),
+    )
+
+    const row = yield* AccountRepo.use((r) => r.getRow(id))
+    const value = Option.getOrThrow(row)
+    expect(value.access_token).toBe("new_token")
+    expect(value.refresh_token).toBe("new_refresh")
+    expect(value.token_expiry).toBe(expiry)
+  }),
+)
+
+it.effect(
+  "persistToken with no expiry sets token_expiry to null",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "old_token",
+        refreshToken: "old_refresh",
+        expiry: 1000,
+        orgID: Option.none(),
+      }),
+    )
+
+    yield* AccountRepo.use((r) =>
+      r.persistToken({
+        accountID: id,
+        accessToken: "new_token",
+        refreshToken: "new_refresh",
+        expiry: Option.none(),
+      }),
+    )
+
+    const row = yield* AccountRepo.use((r) => r.getRow(id))
+    expect(Option.getOrThrow(row).token_expiry).toBeNull()
+  }),
+)
+
+it.effect(
+  "persistAccount upserts on conflict",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_v1",
+        refreshToken: "rt_v1",
+        expiry: 1000,
+        orgID: Option.some(OrgID.make("org-1")),
+      }),
+    )
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_v2",
+        refreshToken: "rt_v2",
+        expiry: 2000,
+        orgID: Option.some(OrgID.make("org-2")),
+      }),
+    )
+
+    const accounts = yield* AccountRepo.use((r) => r.list())
+    expect(accounts.length).toBe(1)
+
+    const row = yield* AccountRepo.use((r) => r.getRow(id))
+    const value = Option.getOrThrow(row)
+    expect(value.access_token).toBe("at_v2")
+    expect(value.selected_org_id).toBe("org-2")
+  }),
+)
+
+it.effect(
+  "remove clears active state when deleting the active account",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "test@example.com",
+        url: "https://control.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 3600_000,
+        orgID: Option.some(OrgID.make("org-1")),
+      }),
+    )
+
+    yield* AccountRepo.use((r) => r.remove(id))
+
+    const active = yield* AccountRepo.use((r) => r.active())
+    expect(Option.isNone(active)).toBe(true)
+  }),
+)
+
+it.effect(
+  "getRow returns none for nonexistent account",
+  Effect.gen(function* () {
+    const row = yield* AccountRepo.use((r) => r.getRow(AccountID.make("nope")))
+    expect(Option.isNone(row)).toBe(true)
+  }),
+)

packages/opencode/test/account/service.test.ts

@@ -0,0 +1,217 @@
+import { expect } from "bun:test"
+import { Effect, Layer, Option, Ref, Schema } from "effect"
+import { HttpClient, HttpClientResponse } from "effect/unstable/http"
+
+import { AccountRepo } from "../../src/account/repo"
+import { AccountService } from "../../src/account/service"
+import { AccountID, Login, Org, OrgID } from "../../src/account/schema"
+import { resetDatabase } from "../fixture/db"
+import { testEffect } from "../fixture/effect"
+
+const reset = Layer.effectDiscard(Effect.promise(() => resetDatabase()))
+
+const it = testEffect(Layer.merge(AccountRepo.layer, reset))
+
+const live = (client: HttpClient.HttpClient) =>
+  AccountService.layer.pipe(Layer.provide(Layer.succeed(HttpClient.HttpClient, client)))
+
+const json = (req: Parameters<typeof HttpClientResponse.fromWeb>[0], body: unknown, status = 200) =>
+  HttpClientResponse.fromWeb(
+    req,
+    new Response(JSON.stringify(body), {
+      status,
+      headers: { "content-type": "application/json" },
+    }),
+  )
+
+const encodeOrg = Schema.encodeSync(Org)
+
+const org = (id: string, name: string) => encodeOrg(new Org({ id: OrgID.make(id), name }))
+
+it.effect(
+  "orgsByAccount groups orgs per account",
+  Effect.gen(function* () {
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: AccountID.make("user-1"),
+        email: "one@example.com",
+        url: "https://one.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 60_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id: AccountID.make("user-2"),
+        email: "two@example.com",
+        url: "https://two.example.com",
+        accessToken: "at_2",
+        refreshToken: "rt_2",
+        expiry: Date.now() + 60_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    const seen = yield* Ref.make<string[]>([])
+    const client = HttpClient.make((req) =>
+      Effect.gen(function* () {
+        yield* Ref.update(seen, (xs) => [...xs, `${req.method} ${req.url}`])
+
+        if (req.url === "https://one.example.com/api/orgs") {
+          return json(req, [org("org-1", "One")])
+        }
+
+        if (req.url === "https://two.example.com/api/orgs") {
+          return json(req, [org("org-2", "Two A"), org("org-3", "Two B")])
+        }
+
+        return json(req, [], 404)
+      }),
+    )
+
+    const rows = yield* AccountService.use((s) => s.orgsByAccount()).pipe(Effect.provide(live(client)))
+
+    expect(rows.map((row) => [row.account.id, row.orgs.map((org) => org.id)]).map(([id, orgs]) => [id, orgs])).toEqual([
+      [AccountID.make("user-1"), [OrgID.make("org-1")]],
+      [AccountID.make("user-2"), [OrgID.make("org-2"), OrgID.make("org-3")]],
+    ])
+    expect(yield* Ref.get(seen)).toEqual([
+      "GET https://one.example.com/api/orgs",
+      "GET https://two.example.com/api/orgs",
+    ])
+  }),
+)
+
+it.effect(
+  "token refresh persists the new token",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "user@example.com",
+        url: "https://one.example.com",
+        accessToken: "at_old",
+        refreshToken: "rt_old",
+        expiry: Date.now() - 1_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    const client = HttpClient.make((req) =>
+      Effect.succeed(
+        req.url === "https://one.example.com/oauth/token"
+          ? json(req, {
+              access_token: "at_new",
+              refresh_token: "rt_new",
+              expires_in: 60,
+            })
+          : json(req, {}, 404),
+      ),
+    )
+
+    const token = yield* AccountService.use((s) => s.token(id)).pipe(Effect.provide(live(client)))
+
+    expect(Option.getOrThrow(token)).toBeDefined()
+    expect(String(Option.getOrThrow(token))).toBe("at_new")
+
+    const row = yield* AccountRepo.use((r) => r.getRow(id))
+    const value = Option.getOrThrow(row)
+    expect(value.access_token).toBe("at_new")
+    expect(value.refresh_token).toBe("rt_new")
+    expect(value.token_expiry).toBeGreaterThan(Date.now())
+  }),
+)
+
+it.effect(
+  "config sends the selected org header",
+  Effect.gen(function* () {
+    const id = AccountID.make("user-1")
+
+    yield* AccountRepo.use((r) =>
+      r.persistAccount({
+        id,
+        email: "user@example.com",
+        url: "https://one.example.com",
+        accessToken: "at_1",
+        refreshToken: "rt_1",
+        expiry: Date.now() + 60_000,
+        orgID: Option.none(),
+      }),
+    )
+
+    const seen = yield* Ref.make<{ auth?: string; org?: string }>({})
+    const client = HttpClient.make((req) =>
+      Effect.gen(function* () {
+        yield* Ref.set(seen, {
+          auth: req.headers.authorization,
+          org: req.headers["x-org-id"],
+        })
+
+        if (req.url === "https://one.example.com/api/config") {
+          return json(req, { config: { theme: "light", seats: 5 } })
+        }
+
+        return json(req, {}, 404)
+      }),
+    )
+
+    const cfg = yield* AccountService.use((s) => s.config(id, OrgID.make("org-9"))).pipe(Effect.provide(live(client)))
+
+    expect(Option.getOrThrow(cfg)).toEqual({ theme: "light", seats: 5 })
+    expect(yield* Ref.get(seen)).toEqual({
+      auth: "Bearer at_1",
+      org: "org-9",
+    })
+  }),
+)
+
+it.effect(
+  "poll stores the account and first org on success",
+  Effect.gen(function* () {
+    const login = new Login({
+      code: "device-code",
+      user: "user-code",
+      url: "https://one.example.com/verify",
+      server: "https://one.example.com",
+      expiry: 600,
+      interval: 5,
+    })
+
+    const client = HttpClient.make((req) =>
+      Effect.succeed(
+        req.url === "https://one.example.com/auth/device/token"
+          ? json(req, {
+              access_token: "at_1",
+              refresh_token: "rt_1",
+              expires_in: 60,
+            })
+          : req.url === "https://one.example.com/api/user"
+            ? json(req, { id: "user-1", email: "user@example.com" })
+            : req.url === "https://one.example.com/api/orgs"
+              ? json(req, [org("org-1", "One")])
+              : json(req, {}, 404),
+      ),
+    )
+
+    const res = yield* AccountService.use((s) => s.poll(login)).pipe(Effect.provide(live(client)))
+
+    expect(res._tag).toBe("PollSuccess")
+    if (res._tag === "PollSuccess") {
+      expect(res.email).toBe("user@example.com")
+    }
+
+    const active = yield* AccountRepo.use((r) => r.active())
+    expect(Option.getOrThrow(active)).toEqual(
+      expect.objectContaining({
+        id: "user-1",
+        email: "user@example.com",
+        selected_org_id: "org-1",
+      }),
+    )
+  }),
+)

packages/opencode/test/agent/agent.test.ts

@@ -38,7 +38,7 @@ test("build agent has correct default properties", async () => {
       expect(build).toBeDefined()
       expect(build?.mode).toBe("primary")
       expect(build?.native).toBe(true)
-      expect(evalPerm(build, "edit")).toBe("allow")
+      expect(evalPerm(build, "edit")).toBe("ask")
       expect(evalPerm(build, "bash")).toBe("allow")
     },
   })
@@ -217,8 +217,8 @@ test("agent permission config merges with defaults", async () => {
       expect(build).toBeDefined()
       // Specific pattern is denied
       expect(PermissionNext.evaluate("bash", "rm -rf *", build!.permission).action).toBe("deny")
-      // Edit still allowed
-      expect(evalPerm(build, "edit")).toBe("allow")
+      // Edit still asks (default behavior)
+      expect(evalPerm(build, "edit")).toBe("ask")
     },
   })
 })

packages/opencode/test/cli/import.test.ts

@@ -1,5 +1,10 @@
 import { test, expect } from "bun:test"
-import { parseShareUrl, transformShareData, type ShareData } from "../../src/cli/cmd/import"
+import {
+  parseShareUrl,
+  shouldAttachShareAuthHeaders,
+  transformShareData,
+  type ShareData,
+} from "../../src/cli/cmd/import"
 
 // parseShareUrl tests
 test("parses valid share URLs", () => {
@@ -15,6 +20,19 @@ test("rejects invalid URLs", () => {
   expect(parseShareUrl("not-a-url")).toBeNull()
 })
 
+test("only attaches share auth headers for same-origin URLs", () => {
+  expect(shouldAttachShareAuthHeaders("https://control.example.com/share/abc", "https://control.example.com")).toBe(
+    true,
+  )
+  expect(
+    shouldAttachShareAuthHeaders("https://other.example.com/share/abc", "https://control.example.com"),
+  ).toBe(false)
+  expect(shouldAttachShareAuthHeaders("https://control.example.com:443/share/abc", "https://control.example.com")).toBe(
+    true,
+  )
+  expect(shouldAttachShareAuthHeaders("not-a-url", "https://control.example.com")).toBe(false)
+})
+
 // transformShareData tests
 test("transforms share data to storage format", () => {
   const data: ShareData[] = [

packages/opencode/test/cli/plugin-auth-picker.test.ts

@@ -1,5 +1,5 @@
 import { test, expect, describe } from "bun:test"
-import { resolvePluginProviders } from "../../src/cli/cmd/auth"
+import { resolvePluginProviders } from "../../src/cli/cmd/providers"
 import type { Hooks } from "@opencode-ai/plugin"
 
 function hookWithAuth(provider: string): Hooks {

packages/opencode/test/config/config.test.ts

@@ -2,6 +2,7 @@ import { test, expect, describe, mock, afterEach } from "bun:test"
 import { Config } from "../../src/config/config"
 import { Instance } from "../../src/project/instance"
 import { Auth } from "../../src/auth"
+import { AccessToken, Account, AccountID, OrgID } from "../../src/account"
 import { tmpdir } from "../fixture/fixture"
 import path from "path"
 import fs from "fs/promises"
@@ -242,6 +243,52 @@ test("preserves env variables when adding $schema to config", async () => {
   }
 })
 
+test("resolves env templates in account config with account token", async () => {
+  const originalActive = Account.active
+  const originalConfig = Account.config
+  const originalToken = Account.token
+  const originalControlToken = process.env["OPENCODE_CONSOLE_TOKEN"]
+
+  Account.active = mock(() => ({
+    id: AccountID.make("account-1"),
+    email: "user@example.com",
+    url: "https://control.example.com",
+    selected_org_id: OrgID.make("org-1"),
+  }))
+
+  Account.config = mock(async () => ({
+    provider: {
+      opencode: {
+        options: {
+          apiKey: "{env:OPENCODE_CONSOLE_TOKEN}",
+        },
+      },
+    },
+  }))
+
+  Account.token = mock(async () => AccessToken.make("st_test_token"))
+
+  try {
+    await using tmp = await tmpdir()
+    await Instance.provide({
+      directory: tmp.path,
+      fn: async () => {
+        const config = await Config.get()
+        expect(config.provider?.["opencode"]?.options?.apiKey).toBe("st_test_token")
+      },
+    })
+  } finally {
+    Account.active = originalActive
+    Account.config = originalConfig
+    Account.token = originalToken
+    if (originalControlToken !== undefined) {
+      process.env["OPENCODE_CONSOLE_TOKEN"] = originalControlToken
+    } else {
+      delete process.env["OPENCODE_CONSOLE_TOKEN"]
+    }
+  }
+})
+
 test("handles file inclusion substitution", async () => {
   await using tmp = await tmpdir({
     init: async (dir) => {

packages/opencode/test/fixture/effect.ts

@@ -0,0 +1,7 @@
+import { test } from "bun:test"
+import { Effect, Layer } from "effect"
+
+export const testEffect = <R, E>(layer: Layer.Layer<R, E, never>) => ({
+  effect: <A, E2>(name: string, value: Effect.Effect<A, E2, R>) =>
+    test(name, () => Effect.runPromise(value.pipe(Effect.provide(layer)))),
+})

packages/opencode/test/provider/provider.test.ts

@@ -260,6 +260,7 @@ test("env variable takes precedence, config merges options", async () => {
             anthropic: {
               options: {
                 timeout: 60000,
+                chunkTimeout: 15000,
               },
             },
           },
@@ -277,6 +278,7 @@ test("env variable takes precedence, config merges options", async () => {
       expect(providers["anthropic"]).toBeDefined()
       // Config options should be merged
       expect(providers["anthropic"].options.timeout).toBe(60000)
+      expect(providers["anthropic"].options.chunkTimeout).toBe(15000)
     },
   })
 })

packages/opencode/test/pty/pty-shell.test.ts

@@ -0,0 +1,52 @@
+import { describe, expect, test } from "bun:test"
+import { Instance } from "../../src/project/instance"
+import { Pty } from "../../src/pty"
+import { tmpdir } from "../fixture/fixture"
+
+describe("pty shell args", () => {
+  if (process.platform !== "win32") return
+
+  const ps = Bun.which("pwsh") || Bun.which("powershell")
+  if (ps) {
+    test(
+      "does not add login args to pwsh",
+      async () => {
+        await using dir = await tmpdir()
+        await Instance.provide({
+          directory: dir.path,
+          fn: async () => {
+            const info = await Pty.create({ command: ps, title: "pwsh" })
+            try {
+              expect(info.args).toEqual([])
+            } finally {
+              await Pty.remove(info.id)
+            }
+          },
+        })
+      },
+      { timeout: 30000 },
+    )
+  }
+
+  const bash = Bun.which("bash")
+  if (bash) {
+    test(
+      "adds login args to bash",
+      async () => {
+        await using dir = await tmpdir()
+        await Instance.provide({
+          directory: dir.path,
+          fn: async () => {
+            const info = await Pty.create({ command: bash, title: "bash" })
+            try {
+              expect(info.args).toEqual(["-l"])
+            } finally {
+              await Pty.remove(info.id)
+            }
+          },
+        })
+      },
+      { timeout: 30000 },
+    )
+  }
+})

packages/opencode/test/session/prompt-loop-exit.test.ts

@@ -0,0 +1,85 @@
+import { describe, expect, test } from "bun:test"
+import type { MessageV2 } from "../../src/session/message-v2"
+import { SessionPrompt } from "../../src/session/prompt"
+
+function makeUser(id: string): MessageV2.User {
+  return {
+    id,
+    role: "user",
+    sessionID: "session-1",
+    time: { created: Date.now() },
+    agent: "default",
+    model: { providerID: "openai", modelID: "gpt-4" },
+  } as MessageV2.User
+}
+
+function makeAssistant(
+  id: string,
+  parentID: string,
+  finish?: string,
+): MessageV2.Assistant {
+  return {
+    id,
+    role: "assistant",
+    sessionID: "session-1",
+    parentID,
+    mode: "default",
+    agent: "default",
+    path: { cwd: "/tmp", root: "/tmp" },
+    cost: 0,
+    tokens: { input: 0, output: 0, reasoning: 0, cache: { read: 0, write: 0 } },
+    modelID: "gpt-4",
+    providerID: "openai",
+    time: { created: Date.now() },
+    finish,
+  } as MessageV2.Assistant
+}
+
+describe("shouldExitLoop", () => {
+  test("normal case: user ID < assistant ID, parentID matches, finish=end_turn → exits", () => {
+    const user = makeUser("01AAA")
+    const assistant = makeAssistant("01BBB", "01AAA", "end_turn")
+    expect(SessionPrompt.shouldExitLoop(user, assistant)).toBe(true)
+  })
+
+  test("clock skew: user ID > assistant ID, parentID matches, finish=stop → exits", () => {
+    // Simulates client clock ahead: user message ID sorts AFTER the assistant ID
+    const user = makeUser("01ZZZ")
+    const assistant = makeAssistant("01AAA", "01ZZZ", "stop")
+    expect(SessionPrompt.shouldExitLoop(user, assistant)).toBe(true)
+  })
+
+  test("unfinished assistant: finish=tool-calls → does NOT exit", () => {
+    const user = makeUser("01AAA")
+    const assistant = makeAssistant("01BBB", "01AAA", "tool-calls")
+    expect(SessionPrompt.shouldExitLoop(user, assistant)).toBe(false)
+  })
+
+  test("unfinished assistant: finish=unknown → does NOT exit", () => {
+    const user = makeUser("01AAA")
+    const assistant = makeAssistant("01BBB", "01AAA", "unknown")
+    expect(SessionPrompt.shouldExitLoop(user, assistant)).toBe(false)
+  })
+
+  test("no assistant yet → does NOT exit", () => {
+    const user = makeUser("01AAA")
+    expect(SessionPrompt.shouldExitLoop(user, undefined)).toBe(false)
+  })
+
+  test("assistant has no finish → does NOT exit", () => {
+    const user = makeUser("01AAA")
+    const assistant = makeAssistant("01BBB", "01AAA", undefined)
+    expect(SessionPrompt.shouldExitLoop(user, assistant)).toBe(false)
+  })
+
+  test("parentID mismatch → does NOT exit", () => {
+    const user = makeUser("01AAA")
+    const assistant = makeAssistant("01BBB", "01OTHER", "end_turn")
+    expect(SessionPrompt.shouldExitLoop(user, assistant)).toBe(false)
+  })
+
+  test("no user message → does NOT exit", () => {
+    const assistant = makeAssistant("01BBB", "01AAA", "end_turn")
+    expect(SessionPrompt.shouldExitLoop(undefined, assistant)).toBe(false)
+  })
+})

packages/opencode/test/share/share-next.test.ts

@@ -0,0 +1,76 @@
+import { test, expect, mock } from "bun:test"
+import { ShareNext } from "../../src/share/share-next"
+import { AccessToken, Account, AccountID, OrgID } from "../../src/account"
+import { Config } from "../../src/config/config"
+
+test("ShareNext.request uses legacy share API without active org account", async () => {
+  const originalActive = Account.active
+  const originalConfigGet = Config.get
+
+  Account.active = mock(() => undefined)
+  Config.get = mock(async () => ({ enterprise: { url: "https://legacy-share.example.com" } }))
+
+  try {
+    const req = await ShareNext.request()
+
+    expect(req.api.create).toBe("/api/share")
+    expect(req.api.sync("shr_123")).toBe("/api/share/shr_123/sync")
+    expect(req.api.remove("shr_123")).toBe("/api/share/shr_123")
+    expect(req.api.data("shr_123")).toBe("/api/share/shr_123/data")
+    expect(req.baseUrl).toBe("https://legacy-share.example.com")
+    expect(req.headers).toEqual({})
+  } finally {
+    Account.active = originalActive
+    Config.get = originalConfigGet
+  }
+})
+
+test("ShareNext.request uses org share API with auth headers when account is active", async () => {
+  const originalActive = Account.active
+  const originalToken = Account.token
+
+  Account.active = mock(() => ({
+    id: AccountID.make("account-1"),
+    email: "user@example.com",
+    url: "https://control.example.com",
+    selected_org_id: OrgID.make("org-1"),
+  }))
+  Account.token = mock(async () => AccessToken.make("st_test_token"))
+
+  try {
+    const req = await ShareNext.request()
+
+    expect(req.api.create).toBe("/api/shares")
+    expect(req.api.sync("shr_123")).toBe("/api/shares/shr_123/sync")
+    expect(req.api.remove("shr_123")).toBe("/api/shares/shr_123")
+    expect(req.api.data("shr_123")).toBe("/api/shares/shr_123/data")
+    expect(req.baseUrl).toBe("https://control.example.com")
+    expect(req.headers).toEqual({
+      authorization: "Bearer st_test_token",
+      "x-org-id": "org-1",
+    })
+  } finally {
+    Account.active = originalActive
+    Account.token = originalToken
+  }
+})
+
+test("ShareNext.request fails when org account has no token", async () => {
+  const originalActive = Account.active
+  const originalToken = Account.token
+
+  Account.active = mock(() => ({
+    id: AccountID.make("account-1"),
+    email: "user@example.com",
+    url: "https://control.example.com",
+    selected_org_id: OrgID.make("org-1"),
+  }))
+  Account.token = mock(async () => undefined)
+
+  try {
+    await expect(ShareNext.request()).rejects.toThrow("No active OpenControl token available for sharing")
+  } finally {
+    Account.active = originalActive
+    Account.token = originalToken
+  }
+})

packages/opencode/test/shell/shell.test.ts

@@ -0,0 +1,58 @@
+import { describe, expect, test } from "bun:test"
+import path from "path"
+import { Shell } from "../../src/shell/shell"
+import { Filesystem } from "../../src/util/filesystem"
+
+const withShell = async (shell: string | undefined, fn: () => void | Promise<void>) => {
+  const prev = process.env.SHELL
+  if (shell === undefined) delete process.env.SHELL
+  else process.env.SHELL = shell
+  Shell.acceptable.reset()
+  Shell.preferred.reset()
+  try {
+    await fn()
+  } finally {
+    if (prev === undefined) delete process.env.SHELL
+    else process.env.SHELL = prev
+    Shell.acceptable.reset()
+    Shell.preferred.reset()
+  }
+}
+
+describe("shell", () => {
+  test("normalizes shell names", () => {
+    expect(Shell.name("/bin/bash")).toBe("bash")
+    if (process.platform === "win32") {
+      expect(Shell.name("C:/tools/NU.EXE")).toBe("nu")
+      expect(Shell.name("C:/tools/PWSH.EXE")).toBe("pwsh")
+    }
+  })
+
+  test("detects login shells", () => {
+    expect(Shell.login("/bin/bash")).toBe(true)
+    expect(Shell.login("C:/tools/pwsh.exe")).toBe(false)
+  })
+
+  if (process.platform === "win32") {
+    test("rejects blacklisted shells case-insensitively", async () => {
+      await withShell("NU.EXE", async () => {
+        expect(Shell.name(Shell.acceptable())).not.toBe("nu")
+      })
+    })
+
+    test("normalizes Git Bash shell paths from env", async () => {
+      const shell = "/cygdrive/c/Program Files/Git/bin/bash.exe"
+      await withShell(shell, async () => {
+        expect(Shell.preferred()).toBe(Filesystem.windowsPath(shell))
+      })
+    })
+
+    test("resolves bare PowerShell shells", async () => {
+      const shell = Bun.which("pwsh") || Bun.which("powershell")
+      if (!shell) return
+      await withShell(path.win32.basename(shell), async () => {
+        expect(Shell.preferred()).toBe(shell)
+      })
+    })
+  }
+})

packages/opencode/test/tool/bash.test.ts

@@ -1,6 +1,7 @@
 import { describe, expect, test } from "bun:test"
 import os from "os"
 import path from "path"
+import { Shell } from "../../src/shell/shell"
 import { BashTool } from "../../src/tool/bash"
 import { Instance } from "../../src/project/instance"
 import { Filesystem } from "../../src/util/filesystem"
@@ -20,16 +21,90 @@ const ctx = {
 }
 
 const projectRoot = path.join(__dirname, "../..")
+const bin = process.execPath.replaceAll("\\", "/")
+const file = path.join(projectRoot, "test/tool/fixtures/output.ts").replaceAll("\\", "/")
+const shells = (() => {
+  if (process.platform !== "win32") {
+    const shell = process.env.SHELL || Bun.which("bash") || "/bin/sh"
+    return [{ label: path.basename(shell), shell }]
+  }
+
+  const list = [
+    { label: "git bash", shell: process.env.SHELL || Bun.which("bash") },
+    { label: "pwsh", shell: Bun.which("pwsh") },
+    { label: "powershell", shell: Bun.which("powershell") },
+    { label: "cmd", shell: process.env.COMSPEC || Bun.which("cmd.exe") },
+  ].filter((item): item is { label: string; shell: string } => Boolean(item.shell))
+
+  return list.filter(
+    (item, i) => list.findIndex((other) => other.shell.toLowerCase() === item.shell.toLowerCase()) === i,
+  )
+})()
+const ps = shells.filter((item) => item.label === "pwsh" || item.label === "powershell")
+
+const fill = (mode: "lines" | "bytes", n: number) => `${bin} ${file} ${mode} ${n}`
+const glob = (p: string) =>
+  process.platform === "win32" ? Filesystem.normalizePathPattern(p) : p.replaceAll("\\", "/")
+
+const forms = (dir: string) => {
+  if (process.platform !== "win32") return [dir]
+  const full = Filesystem.normalizePath(dir)
+  const slash = full.replaceAll("\\", "/")
+  const root = slash.replace(/^[A-Za-z]:/, "")
+  return Array.from(new Set([full, slash, root, root.toLowerCase()]))
+}
+
+const withShell = (item: { label: string; shell: string }, fn: () => Promise<void>) => async () => {
+  const prev = process.env.SHELL
+  process.env.SHELL = item.shell
+  Shell.acceptable.reset()
+  Shell.preferred.reset()
+  try {
+    await fn()
+  } finally {
+    if (prev === undefined) delete process.env.SHELL
+    else process.env.SHELL = prev
+    Shell.acceptable.reset()
+    Shell.preferred.reset()
+  }
+}
+
+const each = (name: string, fn: (item: { label: string; shell: string }) => Promise<void>) => {
+  for (const item of shells) {
+    test(
+      `${name} [${item.label}]`,
+      withShell(item, () => fn(item)),
+    )
+  }
+}
+
+const capture = (requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">>, stop?: Error) => ({
+  ...ctx,
+  ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
+    requests.push(req)
+    if (stop) throw stop
+  },
+})
+
+const mustTruncate = (result: {
+  metadata: { truncated?: boolean; exit?: number | null } & Record<string, unknown>
+  output: string
+}) => {
+  if (result.metadata.truncated) return
+  throw new Error(
+    [`shell: ${process.env.SHELL || ""}`, `exit: ${String(result.metadata.exit)}`, "output:", result.output].join("\n"),
+  )
+}
 
 describe("tool.bash", () => {
-  test("basic", async () => {
+  each("basic", async () => {
     await Instance.provide({
       directory: projectRoot,
       fn: async () => {
         const bash = await BashTool.init()
         const result = await bash.execute(
           {
-            command: "echo 'test'",
+            command: "echo test",
             description: "Echo test message",
           },
           ctx,
@@ -42,25 +117,19 @@ describe("tool.bash", () => {
 })
 
 describe("tool.bash permissions", () => {
-  test("asks for bash permission with correct pattern", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("asks for bash permission with correct pattern", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
         await bash.execute(
           {
             command: "echo hello",
             description: "Echo hello",
           },
-          testCtx,
+          capture(requests),
         )
         expect(requests.length).toBe(1)
         expect(requests[0].permission).toBe("bash")
@@ -69,25 +138,19 @@ describe("tool.bash permissions", () => {
     })
   })
 
-  test("asks for bash permission with multiple commands", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("asks for bash permission with multiple commands", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
         await bash.execute(
           {
             command: "echo foo && echo bar",
             description: "Echo twice",
           },
-          testCtx,
+          capture(requests),
         )
         expect(requests.length).toBe(1)
         expect(requests[0].permission).toBe("bash")
@@ -97,88 +160,316 @@ describe("tool.bash permissions", () => {
     })
   })
 
-  test("asks for external_directory permission when cd to parent", async () => {
-    await using tmp = await tmpdir({ git: true })
+  for (const item of ps) {
+    test(
+      `parses PowerShell conditionals for permission prompts [${item.label}]`,
+      withShell(item, async () => {
+        await Instance.provide({
+          directory: projectRoot,
+          fn: async () => {
+            const bash = await BashTool.init()
+            const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+            await bash.execute(
+              {
+                command: "Write-Host foo; if ($?) { Write-Host bar }",
+                description: "Check PowerShell conditional",
+              },
+              capture(requests),
+            )
+            const bashReq = requests.find((r) => r.permission === "bash")
+            expect(bashReq).toBeDefined()
+            expect(bashReq!.patterns).toContain("Write-Host foo")
+            expect(bashReq!.patterns).toContain("Write-Host bar")
+            expect(bashReq!.always).toContain("Write-Host *")
+          },
+        })
+      }),
+    )
+  }
+
+  each("asks for external_directory permission for wildcard external paths", async () => {
+    await Instance.provide({
+      directory: projectRoot,
+      fn: async () => {
+        const bash = await BashTool.init()
+        const err = new Error("stop after permission")
+        const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+        const file = process.platform === "win32" ? `${process.env.WINDIR!.replaceAll("\\", "/")}/*` : "/etc/*"
+        const want = process.platform === "win32" ? glob(path.join(process.env.WINDIR!, "*")) : "/etc/*"
+        await expect(
+          bash.execute(
+            {
+              command: `cat ${file}`,
+              description: "Read wildcard path",
+            },
+            capture(requests, err),
+          ),
+        ).rejects.toThrow(err.message)
+        const extDirReq = requests.find((r) => r.permission === "external_directory")
+        expect(extDirReq).toBeDefined()
+        expect(extDirReq!.patterns).toContain(want)
+      },
+    })
+  })
+
+  if (process.platform === "win32") {
+    for (const item of ps) {
+      test(
+        `asks for external_directory permission for PowerShell paths after switches [${item.label}]`,
+        withShell(item, async () => {
+          await Instance.provide({
+            directory: projectRoot,
+            fn: async () => {
+              const bash = await BashTool.init()
+              const err = new Error("stop after permission")
+              const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+              await expect(
+                bash.execute(
+                  {
+                    command: `Copy-Item -PassThru "${process.env.WINDIR!.replaceAll("\\", "/")}/win.ini" ./out`,
+                    description: "Copy Windows ini",
+                  },
+                  capture(requests, err),
+                ),
+              ).rejects.toThrow(err.message)
+              const extDirReq = requests.find((r) => r.permission === "external_directory")
+              expect(extDirReq).toBeDefined()
+              expect(extDirReq!.patterns).toContain(glob(path.join(process.env.WINDIR!, "*")))
+            },
+          })
+        }),
+      )
+    }
+
+    for (const item of ps) {
+      test(
+        `asks for external_directory permission for missing PowerShell env paths [${item.label}]`,
+        withShell(item, async () => {
+          const key = "OPENCODE_TEST_MISSING"
+          const prev = process.env[key]
+          delete process.env[key]
+          try {
+            await Instance.provide({
+              directory: projectRoot,
+              fn: async () => {
+                const bash = await BashTool.init()
+                const err = new Error("stop after permission")
+                const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+                const root = path.parse(process.env.WINDIR!).root.replace(/[\\/]+$/, "")
+                await expect(
+                  bash.execute(
+                    {
+                      command: `Get-Content -Path "${root}$env:${key}\\Windows\\win.ini"`,
+                      description: "Read Windows ini with missing env",
+                    },
+                    capture(requests, err),
+                  ),
+                ).rejects.toThrow(err.message)
+                const extDirReq = requests.find((r) => r.permission === "external_directory")
+                expect(extDirReq).toBeDefined()
+                expect(extDirReq!.patterns).toContain(glob(path.join(process.env.WINDIR!, "*")))
+              },
+            })
+          } finally {
+            if (prev === undefined) delete process.env[key]
+            else process.env[key] = prev
+          }
+        }),
+      )
+    }
+
+    for (const item of ps) {
+      test(
+        `asks for external_directory permission for PowerShell env paths [${item.label}]`,
+        withShell(item, async () => {
+          await Instance.provide({
+            directory: projectRoot,
+            fn: async () => {
+              const bash = await BashTool.init()
+              const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+              await bash.execute(
+                {
+                  command: "Get-Content $env:WINDIR/win.ini",
+                  description: "Read Windows ini from env",
+                },
+                capture(requests),
+              )
+              const extDirReq = requests.find((r) => r.permission === "external_directory")
+              expect(extDirReq).toBeDefined()
+              expect(extDirReq!.patterns).toContain(
+                Filesystem.normalizePathPattern(path.join(process.env.WINDIR!, "*")),
+              )
+            },
+          })
+        }),
+      )
+    }
+
+    for (const item of ps) {
+      test(
+        `treats Set-Location like cd for permissions [${item.label}]`,
+        withShell(item, async () => {
+          await Instance.provide({
+            directory: projectRoot,
+            fn: async () => {
+              const bash = await BashTool.init()
+              const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+              await bash.execute(
+                {
+                  command: "Set-Location C:/Windows",
+                  description: "Change location",
+                },
+                capture(requests),
+              )
+              const extDirReq = requests.find((r) => r.permission === "external_directory")
+              const bashReq = requests.find((r) => r.permission === "bash")
+              expect(extDirReq).toBeDefined()
+              expect(extDirReq!.patterns).toContain(
+                Filesystem.normalizePathPattern(path.join(process.env.WINDIR!, "*")),
+              )
+              expect(bashReq).toBeUndefined()
+            },
+          })
+        }),
+      )
+    }
+
+    for (const item of ps) {
+      test(
+        `does not add nested PowerShell expressions to permission prompts [${item.label}]`,
+        withShell(item, async () => {
+          await Instance.provide({
+            directory: projectRoot,
+            fn: async () => {
+              const bash = await BashTool.init()
+              const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+              await bash.execute(
+                {
+                  command: "Write-Output ('a' * 3)",
+                  description: "Write repeated text",
+                },
+                capture(requests),
+              )
+              const bashReq = requests.find((r) => r.permission === "bash")
+              expect(bashReq).toBeDefined()
+              expect(bashReq!.patterns).not.toContain("a * 3")
+              expect(bashReq!.always).not.toContain("a *")
+            },
+          })
+        }),
+      )
+    }
+  }
+
+  each("asks for external_directory permission when cd to parent", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
+        const err = new Error("stop after permission")
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
-        await bash.execute(
-          {
-            command: "cd ../",
-            description: "Change to parent directory",
-          },
-          testCtx,
-        )
+        await expect(
+          bash.execute(
+            {
+              command: "cd ../",
+              description: "Change to parent directory",
+            },
+            capture(requests, err),
+          ),
+        ).rejects.toThrow(err.message)
         const extDirReq = requests.find((r) => r.permission === "external_directory")
         expect(extDirReq).toBeDefined()
       },
     })
   })
 
-  test("asks for external_directory permission when workdir is outside project", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("asks for external_directory permission when workdir is outside project", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
+        const err = new Error("stop after permission")
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
-        await bash.execute(
-          {
-            command: "ls",
-            workdir: os.tmpdir(),
-            description: "List temp dir",
-          },
-          testCtx,
-        )
+        await expect(
+          bash.execute(
+            {
+              command: "echo ok",
+              workdir: os.tmpdir(),
+              description: "Echo from temp dir",
+            },
+            capture(requests, err),
+          ),
+        ).rejects.toThrow(err.message)
         const extDirReq = requests.find((r) => r.permission === "external_directory")
         expect(extDirReq).toBeDefined()
-        expect(extDirReq!.patterns).toContain(path.join(os.tmpdir(), "*"))
+        expect(extDirReq!.patterns).toContain(glob(path.join(os.tmpdir(), "*")))
       },
     })
   })
 
-  test("asks for external_directory permission when file arg is outside project", async () => {
+  if (process.platform === "win32") {
+    test("normalizes external_directory workdir variants on Windows", async () => {
+      const err = new Error("stop after permission")
+      await using outerTmp = await tmpdir()
+      await using tmp = await tmpdir()
+      await Instance.provide({
+        directory: tmp.path,
+        fn: async () => {
+          const bash = await BashTool.init()
+          const want = Filesystem.normalizePathPattern(path.join(outerTmp.path, "*"))
+
+          for (const dir of forms(outerTmp.path)) {
+            const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+            await expect(
+              bash.execute(
+                {
+                  command: "echo ok",
+                  workdir: dir,
+                  description: "Echo from external dir",
+                },
+                capture(requests, err),
+              ),
+            ).rejects.toThrow(err.message)
+
+            const extDirReq = requests.find((r) => r.permission === "external_directory")
+            expect({ dir, patterns: extDirReq?.patterns, always: extDirReq?.always }).toEqual({
+              dir,
+              patterns: [want],
+              always: [want],
+            })
+          }
+        },
+      })
+    })
+  }
+
+  each("asks for external_directory permission when file arg is outside project", async () => {
     await using outerTmp = await tmpdir({
       init: async (dir) => {
         await Bun.write(path.join(dir, "outside.txt"), "x")
       },
     })
-    await using tmp = await tmpdir({ git: true })
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
+        const err = new Error("stop after permission")
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
         const filepath = path.join(outerTmp.path, "outside.txt")
-        await bash.execute(
-          {
-            command: `cat ${filepath}`,
-            description: "Read external file",
-          },
-          testCtx,
-        )
+        await expect(
+          bash.execute(
+            {
+              command: `cat ${filepath}`,
+              description: "Read external file",
+            },
+            capture(requests, err),
+          ),
+        ).rejects.toThrow(err.message)
         const extDirReq = requests.find((r) => r.permission === "external_directory")
-        const expected = path.join(outerTmp.path, "*")
+        const expected = glob(path.join(outerTmp.path, "*"))
         expect(extDirReq).toBeDefined()
         expect(extDirReq!.patterns).toContain(expected)
         expect(extDirReq!.always).toContain(expected)
@@ -186,82 +477,64 @@ describe("tool.bash permissions", () => {
     })
   })
 
-  test("does not ask for external_directory permission when rm inside project", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("does not ask for external_directory permission when rm inside project", async () => {
+    await using tmp = await tmpdir({
+      init: async (dir) => {
+        await Bun.write(path.join(dir, "tmpfile"), "x")
+      },
+    })
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
-
-        await Bun.write(path.join(tmp.path, "tmpfile"), "x")
-
         await bash.execute(
           {
             command: `rm -rf ${path.join(tmp.path, "nested")}`,
-            description: "remove nested dir",
+            description: "Remove nested dir",
           },
-          testCtx,
+          capture(requests),
         )
-
         const extDirReq = requests.find((r) => r.permission === "external_directory")
         expect(extDirReq).toBeUndefined()
       },
     })
   })
 
-  test("includes always patterns for auto-approval", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("includes always patterns for auto-approval", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
         await bash.execute(
           {
             command: "git log --oneline -5",
             description: "Git log",
           },
-          testCtx,
+          capture(requests),
         )
         expect(requests.length).toBe(1)
         expect(requests[0].always.length).toBeGreaterThan(0)
-        expect(requests[0].always.some((p) => p.endsWith("*"))).toBe(true)
+        expect(requests[0].always.some((item) => item.endsWith("*"))).toBe(true)
       },
     })
   })
 
-  test("does not ask for bash permission when command is cd only", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("does not ask for bash permission when command is cd only", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
         await bash.execute(
           {
             command: "cd .",
             description: "Stay in current directory",
           },
-          testCtx,
+          capture(requests),
         )
         const bashReq = requests.find((r) => r.permission === "bash")
         expect(bashReq).toBeUndefined()
@@ -269,45 +542,38 @@ describe("tool.bash permissions", () => {
     })
   })
 
-  test("matches redirects in permission pattern", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("matches redirects in permission pattern", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
+        const err = new Error("stop after permission")
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
-        await bash.execute({ command: "cat > /tmp/output.txt", description: "Redirect ls output" }, testCtx)
+        await expect(
+          bash.execute(
+            { command: "echo test > output.txt", description: "Redirect test output" },
+            capture(requests, err),
+          ),
+        ).rejects.toThrow(err.message)
         const bashReq = requests.find((r) => r.permission === "bash")
         expect(bashReq).toBeDefined()
-        expect(bashReq!.patterns).toContain("cat > /tmp/output.txt")
+        expect(bashReq!.patterns).toContain("echo test > output.txt")
       },
     })
   })
 
-  test("always pattern has space before wildcard to not include different commands", async () => {
-    await using tmp = await tmpdir({ git: true })
+  each("always pattern has space before wildcard to not include different commands", async () => {
+    await using tmp = await tmpdir()
     await Instance.provide({
       directory: tmp.path,
       fn: async () => {
         const bash = await BashTool.init()
         const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
-        const testCtx = {
-          ...ctx,
-          ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
-            requests.push(req)
-          },
-        }
-        await bash.execute({ command: "ls -la", description: "List" }, testCtx)
+        await bash.execute({ command: "ls -la", description: "List" }, capture(requests))
         const bashReq = requests.find((r) => r.permission === "bash")
         expect(bashReq).toBeDefined()
-        const pattern = bashReq!.always[0]
-        expect(pattern).toBe("ls *")
+        expect(bashReq!.always[0]).toBe("ls *")
       },
     })
   })
@@ -322,12 +588,12 @@ describe("tool.bash truncation", () => {
         const lineCount = Truncate.MAX_LINES + 500
         const result = await bash.execute(
           {
-            command: `seq 1 ${lineCount}`,
+            command: fill("lines", lineCount),
             description: "Generate lines exceeding limit",
           },
           ctx,
         )
-        expect((result.metadata as any).truncated).toBe(true)
+        mustTruncate(result)
         expect(result.output).toContain("truncated")
         expect(result.output).toContain("The tool call succeeded but the output was truncated")
       },
@@ -342,12 +608,12 @@ describe("tool.bash truncation", () => {
         const byteCount = Truncate.MAX_BYTES + 10000
         const result = await bash.execute(
           {
-            command: `head -c ${byteCount} /dev/zero | tr '\\0' 'a'`,
+            command: fill("bytes", byteCount),
             description: "Generate bytes exceeding limit",
           },
           ctx,
         )
-        expect((result.metadata as any).truncated).toBe(true)
+        mustTruncate(result)
         expect(result.output).toContain("truncated")
         expect(result.output).toContain("The tool call succeeded but the output was truncated")
       },
@@ -366,9 +632,8 @@ describe("tool.bash truncation", () => {
           },
           ctx,
         )
-        expect((result.metadata as any).truncated).toBe(false)
-        const eol = process.platform === "win32" ? "\r\n" : "\n"
-        expect(result.output).toBe(`hello${eol}`)
+        expect((result.metadata as { truncated?: boolean }).truncated).toBe(false)
+        expect(result.output).toContain("hello")
       },
     })
   })
@@ -381,18 +646,18 @@ describe("tool.bash truncation", () => {
         const lineCount = Truncate.MAX_LINES + 100
         const result = await bash.execute(
           {
-            command: `seq 1 ${lineCount}`,
+            command: fill("lines", lineCount),
             description: "Generate lines for file check",
           },
           ctx,
         )
-        expect((result.metadata as any).truncated).toBe(true)
+        mustTruncate(result)
 
-        const filepath = (result.metadata as any).outputPath
+        const filepath = (result.metadata as { outputPath?: string }).outputPath
         expect(filepath).toBeTruthy()
 
-        const saved = await Filesystem.readText(filepath)
-        const lines = saved.trim().split("\n")
+        const saved = await Filesystem.readText(filepath!)
+        const lines = saved.trim().split(/\r?\n/)
         expect(lines.length).toBe(lineCount)
         expect(lines[0]).toBe("1")
         expect(lines[lineCount - 1]).toBe(String(lineCount))

packages/opencode/test/tool/external-directory.test.ts

@@ -4,6 +4,8 @@ import type { Tool } from "../../src/tool/tool"
 import { Instance } from "../../src/project/instance"
 import { assertExternalDirectory } from "../../src/tool/external-directory"
 import type { PermissionNext } from "../../src/permission/next"
+import { Filesystem } from "../../src/util/filesystem"
+import { tmpdir } from "../fixture/fixture"
 
 const baseCtx: Omit<Tool.Context, "ask"> = {
   sessionID: "test",
@@ -15,6 +17,9 @@ const baseCtx: Omit<Tool.Context, "ask"> = {
   metadata: () => {},
 }
 
+const glob = (p: string) =>
+  process.platform === "win32" ? Filesystem.normalizePathPattern(p) : p.replaceAll("\\", "/")
+
 describe("tool.assertExternalDirectory", () => {
   test("no-ops for empty target", async () => {
     const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
@@ -65,7 +70,7 @@ describe("tool.assertExternalDirectory", () => {
 
     const directory = "/tmp/project"
     const target = "/tmp/outside/file.txt"
-    const expected = path.join(path.dirname(target), "*").replaceAll("\\", "/")
+    const expected = glob(path.join(path.dirname(target), "*"))
 
     await Instance.provide({
       directory,
@@ -91,7 +96,7 @@ describe("tool.assertExternalDirectory", () => {
 
     const directory = "/tmp/project"
     const target = "/tmp/outside"
-    const expected = path.join(target, "*").replaceAll("\\", "/")
+    const expected = glob(path.join(target, "*"))
 
     await Instance.provide({
       directory,
@@ -124,4 +129,42 @@ describe("tool.assertExternalDirectory", () => {
 
     expect(requests.length).toBe(0)
   })
+
+  if (process.platform === "win32") {
+    test("normalizes Windows path variants to one glob", async () => {
+      const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+      const ctx: Tool.Context = {
+        ...baseCtx,
+        ask: async (req) => {
+          requests.push(req)
+        },
+      }
+
+      await using outerTmp = await tmpdir({
+        init: async (dir) => {
+          await Bun.write(path.join(dir, "outside.txt"), "x")
+        },
+      })
+      await using tmp = await tmpdir({ git: true })
+
+      const target = path.join(outerTmp.path, "outside.txt")
+      const alt = target
+        .replace(/^[A-Za-z]:/, "")
+        .replaceAll("\\", "/")
+        .toLowerCase()
+
+      await Instance.provide({
+        directory: tmp.path,
+        fn: async () => {
+          await assertExternalDirectory(ctx, alt)
+        },
+      })
+
+      const req = requests.find((r) => r.permission === "external_directory")
+      const expected = glob(path.join(outerTmp.path, "*"))
+      expect(req).toBeDefined()
+      expect(req!.patterns).toEqual([expected])
+      expect(req!.always).toEqual([expected])
+    })
+  }
 })

packages/opencode/test/tool/fixtures/output.ts

@@ -0,0 +1,14 @@
+const mode = Bun.argv[2]
+const n = Number(Bun.argv[3])
+
+if (mode === "lines") {
+  console.log(Array.from({ length: n }, (_, i) => i + 1).join("\n"))
+  process.exit(0)
+}
+
+if (mode === "bytes") {
+  process.stdout.write("a".repeat(n))
+  process.exit(0)
+}
+
+throw new Error(`unknown mode: ${mode}`)

packages/opencode/test/tool/read.test.ts

@@ -20,6 +20,10 @@ const ctx = {
   ask: async () => {},
 }
 
+const full = (p: string) => (process.platform === "win32" ? Filesystem.normalizePath(p) : p)
+const glob = (p: string) =>
+  process.platform === "win32" ? Filesystem.normalizePathPattern(p) : p.replaceAll("\\", "/")
+
 describe("tool.read external_directory permission", () => {
   test("allows reading absolute path inside project directory", async () => {
     await using tmp = await tmpdir({
@@ -74,11 +78,44 @@ describe("tool.read external_directory permission", () => {
         await read.execute({ filePath: path.join(outerTmp.path, "secret.txt") }, testCtx)
         const extDirReq = requests.find((r) => r.permission === "external_directory")
         expect(extDirReq).toBeDefined()
-        expect(extDirReq!.patterns.some((p) => p.includes(outerTmp.path.replaceAll("\\", "/")))).toBe(true)
+        expect(extDirReq!.patterns).toContain(glob(path.join(outerTmp.path, "*")))
       },
     })
   })
 
+  if (process.platform === "win32") {
+    test("normalizes read permission paths on Windows", async () => {
+      await using tmp = await tmpdir({
+        git: true,
+        init: async (dir) => {
+          await Bun.write(path.join(dir, "test.txt"), "hello world")
+        },
+      })
+      await Instance.provide({
+        directory: tmp.path,
+        fn: async () => {
+          const read = await ReadTool.init()
+          const requests: Array<Omit<PermissionNext.Request, "id" | "sessionID" | "tool">> = []
+          const testCtx = {
+            ...ctx,
+            ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
+              requests.push(req)
+            },
+          }
+          const target = path.join(tmp.path, "test.txt")
+          const alt = target
+            .replace(/^[A-Za-z]:/, "")
+            .replaceAll("\\", "/")
+            .toLowerCase()
+          await read.execute({ filePath: alt }, testCtx)
+          const readReq = requests.find((r) => r.permission === "read")
+          expect(readReq).toBeDefined()
+          expect(readReq!.patterns).toEqual([full(target)])
+        },
+      })
+    })
+  }
+
   test("asks for directory-scoped external_directory permission when reading external directory", async () => {
     await using outerTmp = await tmpdir({
       init: async (dir) => {
@@ -100,7 +137,7 @@ describe("tool.read external_directory permission", () => {
         await read.execute({ filePath: path.join(outerTmp.path, "external") }, testCtx)
         const extDirReq = requests.find((r) => r.permission === "external_directory")
         expect(extDirReq).toBeDefined()
-        expect(extDirReq!.patterns).toContain(path.join(outerTmp.path, "external", "*").replaceAll("\\", "/"))
+        expect(extDirReq!.patterns).toContain(glob(path.join(outerTmp.path, "external", "*")))
       },
     })
   })

packages/opencode/tsconfig.json

@@ -11,6 +11,11 @@
     "paths": {
       "@/*": ["./src/*"],
       "@tui/*": ["./src/cli/cmd/tui/*"]
-    }
+    },
+    "plugins": [{
+      "name": "@effect/language-service",
+      "transform": "@effect/language-service/transform",
+      "namespaceImportPackages": ["effect", "@effect/*"]
+    }]
   }
 }

packages/sdk/js/src/v2/gen/types.gen.ts

@@ -1009,6 +1009,396 @@ export type GlobalEvent = {
   payload: Event
 }
 
+/**
+ * Custom keybind configurations
+ */
+export type KeybindsConfig = {
+  /**
+   * Leader key for keybind combinations
+   */
+  leader?: string
+  /**
+   * Exit the application
+   */
+  app_exit?: string
+  /**
+   * Open external editor
+   */
+  editor_open?: string
+  /**
+   * List available themes
+   */
+  theme_list?: string
+  /**
+   * Toggle sidebar
+   */
+  sidebar_toggle?: string
+  /**
+   * Toggle session scrollbar
+   */
+  scrollbar_toggle?: string
+  /**
+   * Toggle username visibility
+   */
+  username_toggle?: string
+  /**
+   * View status
+   */
+  status_view?: string
+  /**
+   * Export session to editor
+   */
+  session_export?: string
+  /**
+   * Create a new session
+   */
+  session_new?: string
+  /**
+   * List all sessions
+   */
+  session_list?: string
+  /**
+   * Show session timeline
+   */
+  session_timeline?: string
+  /**
+   * Fork session from message
+   */
+  session_fork?: string
+  /**
+   * Rename session
+   */
+  session_rename?: string
+  /**
+   * Delete session
+   */
+  session_delete?: string
+  /**
+   * Delete stash entry
+   */
+  stash_delete?: string
+  /**
+   * Open provider list from model dialog
+   */
+  model_provider_list?: string
+  /**
+   * Toggle model favorite status
+   */
+  model_favorite_toggle?: string
+  /**
+   * Toggle showing all models
+   */
+  model_show_all_toggle?: string
+  /**
+   * Share current session
+   */
+  session_share?: string
+  /**
+   * Unshare current session
+   */
+  session_unshare?: string
+  /**
+   * Interrupt current session
+   */
+  session_interrupt?: string
+  /**
+   * Compact the session
+   */
+  session_compact?: string
+  /**
+   * Scroll messages up by one page
+   */
+  messages_page_up?: string
+  /**
+   * Scroll messages down by one page
+   */
+  messages_page_down?: string
+  /**
+   * Scroll messages up by one line
+   */
+  messages_line_up?: string
+  /**
+   * Scroll messages down by one line
+   */
+  messages_line_down?: string
+  /**
+   * Scroll messages up by half page
+   */
+  messages_half_page_up?: string
+  /**
+   * Scroll messages down by half page
+   */
+  messages_half_page_down?: string
+  /**
+   * Navigate to first message
+   */
+  messages_first?: string
+  /**
+   * Navigate to last message
+   */
+  messages_last?: string
+  /**
+   * Navigate to next message
+   */
+  messages_next?: string
+  /**
+   * Navigate to previous message
+   */
+  messages_previous?: string
+  /**
+   * Navigate to last user message
+   */
+  messages_last_user?: string
+  /**
+   * Copy message
+   */
+  messages_copy?: string
+  /**
+   * Undo message
+   */
+  messages_undo?: string
+  /**
+   * Redo message
+   */
+  messages_redo?: string
+  /**
+   * Toggle code block concealment in messages
+   */
+  messages_toggle_conceal?: string
+  /**
+   * Toggle tool details visibility
+   */
+  tool_details?: string
+  /**
+   * List available models
+   */
+  model_list?: string
+  /**
+   * Next recently used model
+   */
+  model_cycle_recent?: string
+  /**
+   * Previous recently used model
+   */
+  model_cycle_recent_reverse?: string
+  /**
+   * Next favorite model
+   */
+  model_cycle_favorite?: string
+  /**
+   * Previous favorite model
+   */
+  model_cycle_favorite_reverse?: string
+  /**
+   * List available commands
+   */
+  command_list?: string
+  /**
+   * List agents
+   */
+  agent_list?: string
+  /**
+   * Next agent
+   */
+  agent_cycle?: string
+  /**
+   * Previous agent
+   */
+  agent_cycle_reverse?: string
+  /**
+   * Toggle auto-accept mode for permissions
+   */
+  permission_auto_accept_toggle?: string
+  /**
+   * Cycle model variants
+   */
+  variant_cycle?: string
+  /**
+   * Clear input field
+   */
+  input_clear?: string
+  /**
+   * Paste from clipboard
+   */
+  input_paste?: string
+  /**
+   * Submit input
+   */
+  input_submit?: string
+  /**
+   * Insert newline in input
+   */
+  input_newline?: string
+  /**
+   * Move cursor left in input
+   */
+  input_move_left?: string
+  /**
+   * Move cursor right in input
+   */
+  input_move_right?: string
+  /**
+   * Move cursor up in input
+   */
+  input_move_up?: string
+  /**
+   * Move cursor down in input
+   */
+  input_move_down?: string
+  /**
+   * Select left in input
+   */
+  input_select_left?: string
+  /**
+   * Select right in input
+   */
+  input_select_right?: string
+  /**
+   * Select up in input
+   */
+  input_select_up?: string
+  /**
+   * Select down in input
+   */
+  input_select_down?: string
+  /**
+   * Move to start of line in input
+   */
+  input_line_home?: string
+  /**
+   * Move to end of line in input
+   */
+  input_line_end?: string
+  /**
+   * Select to start of line in input
+   */
+  input_select_line_home?: string
+  /**
+   * Select to end of line in input
+   */
+  input_select_line_end?: string
+  /**
+   * Move to start of visual line in input
+   */
+  input_visual_line_home?: string
+  /**
+   * Move to end of visual line in input
+   */
+  input_visual_line_end?: string
+  /**
+   * Select to start of visual line in input
+   */
+  input_select_visual_line_home?: string
+  /**
+   * Select to end of visual line in input
+   */
+  input_select_visual_line_end?: string
+  /**
+   * Move to start of buffer in input
+   */
+  input_buffer_home?: string
+  /**
+   * Move to end of buffer in input
+   */
+  input_buffer_end?: string
+  /**
+   * Select to start of buffer in input
+   */
+  input_select_buffer_home?: string
+  /**
+   * Select to end of buffer in input
+   */
+  input_select_buffer_end?: string
+  /**
+   * Delete line in input
+   */
+  input_delete_line?: string
+  /**
+   * Delete to end of line in input
+   */
+  input_delete_to_line_end?: string
+  /**
+   * Delete to start of line in input
+   */
+  input_delete_to_line_start?: string
+  /**
+   * Backspace in input
+   */
+  input_backspace?: string
+  /**
+   * Delete character in input
+   */
+  input_delete?: string
+  /**
+   * Undo in input
+   */
+  input_undo?: string
+  /**
+   * Redo in input
+   */
+  input_redo?: string
+  /**
+   * Move word forward in input
+   */
+  input_word_forward?: string
+  /**
+   * Move word backward in input
+   */
+  input_word_backward?: string
+  /**
+   * Select word forward in input
+   */
+  input_select_word_forward?: string
+  /**
+   * Select word backward in input
+   */
+  input_select_word_backward?: string
+  /**
+   * Delete word forward in input
+   */
+  input_delete_word_forward?: string
+  /**
+   * Delete word backward in input
+   */
+  input_delete_word_backward?: string
+  /**
+   * Previous history item
+   */
+  history_previous?: string
+  /**
+   * Next history item
+   */
+  history_next?: string
+  /**
+   * Next child session
+   */
+  session_child_cycle?: string
+  /**
+   * Previous child session
+   */
+  session_child_cycle_reverse?: string
+  /**
+   * Go to parent session
+   */
+  session_parent?: string
+  /**
+   * Suspend terminal
+   */
+  terminal_suspend?: string
+  /**
+   * Toggle terminal title
+   */
+  terminal_title_toggle?: string
+  /**
+   * Toggle tips on home screen
+   */
+  tips_toggle?: string
+  /**
+   * Toggle thinking blocks visibility
+   */
+  display_thinking?: string
+}
+
 /**
  * Log level
  */

packages/ui/src/components/find-assistant-messages.tsx

@@ -0,0 +1,40 @@
+import type { AssistantMessage, Message as MessageType } from "@opencode-ai/sdk/v2/client"
+
+/**
+ * Find assistant messages that are replies to a given user message.
+ *
+ * Scans forward from the user message index first, then falls back to scanning
+ * backward. The backward scan handles clock skew where assistant messages
+ * (generated server-side) sort before the user message (generated client-side
+ * with an ahead clock) in the ID-sorted array.
+ */
+export function findAssistantMessages(
+  messages: MessageType[],
+  userIndex: number,
+  userID: string,
+): AssistantMessage[] {
+  if (userIndex < 0 || userIndex >= messages.length) return []
+
+  const result: AssistantMessage[] = []
+
+  // Scan forward from user message
+  for (let i = userIndex + 1; i < messages.length; i++) {
+    const item = messages[i]
+    if (!item) continue
+    if (item.role === "user") break
+    if (item.role === "assistant" && item.parentID === userID) result.push(item as AssistantMessage)
+  }
+
+  // Scan backward to find assistant messages that sort before the user
+  // message due to clock skew between client and server
+  if (result.length === 0) {
+    for (let i = userIndex - 1; i >= 0; i--) {
+      const item = messages[i]
+      if (!item) continue
+      if (item.role === "user") break
+      if (item.role === "assistant" && item.parentID === userID) result.push(item as AssistantMessage)
+    }
+  }
+
+  return result
+}

packages/ui/src/components/message-part.css

@@ -856,7 +856,7 @@
   [data-slot="question-body"] {
     display: flex;
     flex-direction: column;
-    gap: 16px;
+    gap: 0;
     flex: 1;
     min-height: 0;
     padding: 8px 8px 0;
@@ -936,7 +936,7 @@
     font-weight: var(--font-weight-medium);
     line-height: var(--line-height-large);
     color: var(--text-strong);
-    padding: 0 10px;
+    padding: 16px 10px 0;
   }
 
   [data-slot="question-hint"] {
@@ -1091,6 +1091,14 @@
       white-space: normal;
       overflow-wrap: anywhere;
     }
+
+    &[data-picked="true"] {
+      [data-slot="question-custom-input"]:focus-visible {
+        outline: none;
+        outline-offset: 0;
+        border-radius: 0;
+      }
+    }
   }
 
   [data-slot="question-custom"] {

packages/ui/src/components/session-turn.tsx

@@ -8,6 +8,7 @@ import { getDirectory, getFilename } from "@opencode-ai/util/path"
 import { createEffect, createMemo, createSignal, For, on, ParentProps, Show } from "solid-js"
 import { Dynamic } from "solid-js/web"
 import { AssistantParts, Message, Part, PART_MAPPING } from "./message-part"
+import { findAssistantMessages } from "./find-assistant-messages"
 import { Card } from "./card"
 import { Accordion } from "./accordion"
 import { StickyAccordionHeader } from "./sticky-accordion-header"
@@ -272,14 +273,7 @@ export function SessionTurn(
       const index = messageIndex()
       if (index < 0) return emptyAssistant
 
-      const result: AssistantMessage[] = []
-      for (let i = index + 1; i < messages.length; i++) {
-        const item = messages[i]
-        if (!item) continue
-        if (item.role === "user") break
-        if (item.role === "assistant" && item.parentID === msg.id) result.push(item as AssistantMessage)
-      }
-      return result
+      return findAssistantMessages(messages, index, msg.id)
     },
     emptyAssistant,
     { equals: same },

packages/util/src/array.ts

@@ -1,3 +1,10 @@
+export function same<T>(a: readonly T[] | undefined, b: readonly T[] | undefined) {
+  if (a === b) return true
+  if (!a || !b) return false
+  if (a.length !== b.length) return false
+  return a.every((x, i) => x === b[i])
+}
+
 export function findLast<T>(
   items: readonly T[],
   predicate: (item: T, index: number, items: readonly T[]) => boolean,

packages/web/src/content/docs/config.mdx

@@ -244,7 +244,7 @@ You can configure the providers and models you want to use in your OpenCode conf
 
 The `small_model` option configures a separate model for lightweight tasks like title generation. By default, OpenCode tries to use a cheaper model if one is available from your provider, otherwise it falls back to your main model.
 
-Provider options can include `timeout` and `setCacheKey`:
+Provider options can include `timeout`, `chunkTimeout`, and `setCacheKey`:
 
 ```json title="opencode.json"
 {
@@ -253,6 +253,7 @@ Provider options can include `timeout` and `setCacheKey`:
     "anthropic": {
       "options": {
         "timeout": 600000,
+        "chunkTimeout": 30000,
         "setCacheKey": true
       }
     }
@@ -261,6 +262,7 @@ Provider options can include `timeout` and `setCacheKey`:
 ```
 
 - `timeout` - Request timeout in milliseconds (default: 300000). Set to `false` to disable.
+- `chunkTimeout` - Timeout in milliseconds between streamed response chunks. If no chunk arrives in time, the request is aborted.
 - `setCacheKey` - Ensure a cache key is always set for designated provider.
 
 You can also configure [local models](/docs/models#local). [Learn more](/docs/models).

turbo.json

@@ -10,7 +10,8 @@
     },
     "opencode#test": {
       "dependsOn": ["^build"],
-      "outputs": []
+      "outputs": [],
+      "passThroughEnv": ["*"]
     },
     "@opencode-ai/app#test": {
       "dependsOn": ["^build"],