tweak(ui): remove open label

packages/app/src/components/session/session-header.tsx

@@ -326,7 +326,7 @@ export function SessionHeader() {
                       <div class="flex h-[24px] box-border items-center rounded-md border border-border-weak-base bg-surface-panel overflow-hidden">
                         <Button
                           variant="ghost"
-                          class="rounded-none h-full py-0 pr-1.5 pl-px gap-1.5 border-none shadow-none disabled:!cursor-default"
+                          class="rounded-none h-full px-0.5 border-none shadow-none disabled:!cursor-default"
                           classList={{
                             "bg-surface-raised-base-active": opening(),
                           }}
@@ -339,7 +339,6 @@ export function SessionHeader() {
                               <Spinner class="size-3.5" style={{ color: tint() ?? "var(--icon-base)" }} />
                             </Show>
                           </div>
-                          <span class="text-12-regular text-text-strong">{language.t("common.open")}</span>
                         </Button>
                         <DropdownMenu
                           gutter={4}

packages/opencode/src/cli/cmd/debug/agent.ts

@@ -159,7 +159,7 @@ async function createToolContext(agent: Agent.Info) {
       for (const pattern of req.patterns) {
         const rule = PermissionNext.evaluate(req.permission, pattern, ruleset)
         if (rule.action === "deny") {
-          throw new PermissionNext.DeniedError({ ruleset })
+          throw new PermissionNext.DeniedError(ruleset)
         }
       }
     },

packages/opencode/src/effect/instance-registry.ts

@@ -1,12 +0,0 @@
-const disposers = new Set<(directory: string) => Promise<void>>()
-
-export function registerDisposer(disposer: (directory: string) => Promise<void>) {
-  disposers.add(disposer)
-  return () => {
-    disposers.delete(disposer)
-  }
-}
-
-export async function disposeInstance(directory: string) {
-  await Promise.allSettled([...disposers].map((disposer) => disposer(directory)))
-}

packages/opencode/src/effect/instances.ts

@@ -1,52 +0,0 @@
-import { Effect, Layer, LayerMap, ServiceMap } from "effect"
-import { registerDisposer } from "./instance-registry"
-import { ProviderAuthService } from "@/provider/auth-service"
-import { QuestionService } from "@/question/service"
-import { PermissionService } from "@/permission/service"
-import { Instance } from "@/project/instance"
-import type { Project } from "@/project/project"
-
-export declare namespace InstanceContext {
-  export interface Shape {
-    readonly directory: string
-    readonly project: Project.Info
-  }
-}
-
-export class InstanceContext extends ServiceMap.Service<InstanceContext, InstanceContext.Shape>()(
-  "opencode/InstanceContext",
-) {}
-
-export type InstanceServices = QuestionService | PermissionService | ProviderAuthService
-
-function lookup(directory: string) {
-  const project = Instance.project
-  const ctx = Layer.sync(InstanceContext, () => InstanceContext.of({ directory, project }))
-  return Layer.mergeAll(
-    Layer.fresh(QuestionService.layer),
-    Layer.fresh(PermissionService.layer),
-    Layer.fresh(ProviderAuthService.layer),
-  ).pipe(Layer.provide(ctx))
-}
-
-export class Instances extends ServiceMap.Service<Instances, LayerMap.LayerMap<string, InstanceServices>>()(
-  "opencode/Instances",
-) {
-  static readonly layer = Layer.effect(
-    Instances,
-    Effect.gen(function* () {
-      const layerMap = yield* LayerMap.make(lookup, { idleTimeToLive: Infinity })
-      const unregister = registerDisposer((directory) => Effect.runPromise(layerMap.invalidate(directory)))
-      yield* Effect.addFinalizer(() => Effect.sync(unregister))
-      return Instances.of(layerMap)
-    }),
-  )
-
-  static get(directory: string): Layer.Layer<InstanceServices, never, Instances> {
-    return Layer.unwrap(Instances.use((map) => Effect.succeed(map.get(directory))))
-  }
-
-  static invalidate(directory: string): Effect.Effect<void, never, Instances> {
-    return Instances.use((map) => map.invalidate(directory))
-  }
-}

packages/opencode/src/effect/runtime.ts

@@ -1,14 +1,8 @@
-import { Effect, Layer, ManagedRuntime } from "effect"
+import { Layer, ManagedRuntime } from "effect"
 import { AccountService } from "@/account/service"
 import { AuthService } from "@/auth/service"
-import { Instances } from "@/effect/instances"
-import type { InstanceServices } from "@/effect/instances"
-import { Instance } from "@/project/instance"
+import { QuestionService } from "@/question/service"
 
 export const runtime = ManagedRuntime.make(
-  Layer.mergeAll(AccountService.defaultLayer, Instances.layer).pipe(Layer.provideMerge(AuthService.defaultLayer)),
+  Layer.mergeAll(AccountService.defaultLayer, AuthService.defaultLayer, QuestionService.layer),
 )
-
-export function runPromiseInstance<A, E>(effect: Effect.Effect<A, E, InstanceServices>) {
-  return runtime.runPromise(effect.pipe(Effect.provide(Instances.get(Instance.directory))))
-}

packages/opencode/src/index.ts

@@ -47,6 +47,11 @@ process.on("uncaughtException", (e) => {
   })
 })
 
+// Ensure the process exits on terminal hangup (eg. closing the terminal tab).
+// Without this, long-running commands like `serve` block on a never-resolving
+// promise and survive as orphaned processes.
+process.on("SIGHUP", () => process.exit())
+
 let cli = yargs(hideBin(process.argv))
   .parserConfiguration({ "populate--": true })
   .scriptName("opencode")

packages/opencode/src/permission/index.ts

@@ -87,7 +87,7 @@ export namespace Permission {
         result.push(item.info)
       }
     }
-    return result.sort((a, b) => String(a.id).localeCompare(String(b.id)))
+    return result.sort((a, b) => a.id.localeCompare(b.id))
   }
 
   export async function ask(input: {

packages/opencode/src/permission/next.ts

@@ -1,11 +1,21 @@
-import { runPromiseInstance } from "@/effect/runtime"
+import { Bus } from "@/bus"
+import { BusEvent } from "@/bus/bus-event"
 import { Config } from "@/config/config"
+import { SessionID, MessageID } from "@/session/schema"
+import { PermissionID } from "./schema"
+import { Instance } from "@/project/instance"
+import { Database, eq } from "@/storage/db"
+import { PermissionTable } from "@/session/session.sql"
 import { fn } from "@/util/fn"
+import { Log } from "@/util/log"
+import { ProjectID } from "@/project/schema"
 import { Wildcard } from "@/util/wildcard"
 import os from "os"
-import * as S from "./service"
+import z from "zod"
 
 export namespace PermissionNext {
+  const log = Log.create({ service: "permission" })
+
   function expand(pattern: string): string {
     if (pattern.startsWith("~/")) return os.homedir() + pattern.slice(1)
     if (pattern === "~") return os.homedir()
@@ -14,22 +24,26 @@ export namespace PermissionNext {
     return pattern
   }
 
-  export const Action = S.Action
-  export type Action = S.Action
-  export const Rule = S.Rule
-  export type Rule = S.Rule
-  export const Ruleset = S.Ruleset
-  export type Ruleset = S.Ruleset
-  export const Request = S.Request
-  export type Request = S.Request
-  export const Reply = S.Reply
-  export type Reply = S.Reply
-  export const Approval = S.Approval
-  export const Event = S.Event
-  export const Service = S.PermissionService
-  export const RejectedError = S.RejectedError
-  export const CorrectedError = S.CorrectedError
-  export const DeniedError = S.DeniedError
+  export const Action = z.enum(["allow", "deny", "ask"]).meta({
+    ref: "PermissionAction",
+  })
+  export type Action = z.infer<typeof Action>
+
+  export const Rule = z
+    .object({
+      permission: z.string(),
+      pattern: z.string(),
+      action: Action,
+    })
+    .meta({
+      ref: "PermissionRule",
+    })
+  export type Rule = z.infer<typeof Rule>
+
+  export const Ruleset = Rule.array().meta({
+    ref: "PermissionRuleset",
+  })
+  export type Ruleset = z.infer<typeof Ruleset>
 
   export function fromConfig(permission: Config.Permission) {
     const ruleset: Ruleset = []
@@ -53,20 +67,178 @@ export namespace PermissionNext {
     return rulesets.flat()
   }
 
-  export const ask = fn(S.AskInput, async (input) =>
-    runPromiseInstance(S.PermissionService.use((service) => service.ask(input))),
-  )
+  export const Request = z
+    .object({
+      id: PermissionID.zod,
+      sessionID: SessionID.zod,
+      permission: z.string(),
+      patterns: z.string().array(),
+      metadata: z.record(z.string(), z.any()),
+      always: z.string().array(),
+      tool: z
+        .object({
+          messageID: MessageID.zod,
+          callID: z.string(),
+        })
+        .optional(),
+    })
+    .meta({
+      ref: "PermissionRequest",
+    })
 
-  export const reply = fn(S.ReplyInput, async (input) =>
-    runPromiseInstance(S.PermissionService.use((service) => service.reply(input))),
-  )
+  export type Request = z.infer<typeof Request>
 
-  export async function list() {
-    return runPromiseInstance(S.PermissionService.use((service) => service.list()))
+  export const Reply = z.enum(["once", "always", "reject"])
+  export type Reply = z.infer<typeof Reply>
+
+  export const Approval = z.object({
+    projectID: ProjectID.zod,
+    patterns: z.string().array(),
+  })
+
+  export const Event = {
+    Asked: BusEvent.define("permission.asked", Request),
+    Replied: BusEvent.define(
+      "permission.replied",
+      z.object({
+        sessionID: SessionID.zod,
+        requestID: PermissionID.zod,
+        reply: Reply,
+      }),
+    ),
   }
 
+  interface PendingEntry {
+    info: Request
+    resolve: () => void
+    reject: (e: any) => void
+  }
+
+  const state = Instance.state(() => {
+    const projectID = Instance.project.id
+    const row = Database.use((db) =>
+      db.select().from(PermissionTable).where(eq(PermissionTable.project_id, projectID)).get(),
+    )
+    const stored = row?.data ?? ([] as Ruleset)
+
+    return {
+      pending: new Map<PermissionID, PendingEntry>(),
+      approved: stored,
+    }
+  })
+
+  export const ask = fn(
+    Request.partial({ id: true }).extend({
+      ruleset: Ruleset,
+    }),
+    async (input) => {
+      const s = await state()
+      const { ruleset, ...request } = input
+      for (const pattern of request.patterns ?? []) {
+        const rule = evaluate(request.permission, pattern, ruleset, s.approved)
+        log.info("evaluated", { permission: request.permission, pattern, action: rule })
+        if (rule.action === "deny")
+          throw new DeniedError(ruleset.filter((r) => Wildcard.match(request.permission, r.permission)))
+        if (rule.action === "ask") {
+          const id = input.id ?? PermissionID.ascending()
+          return new Promise<void>((resolve, reject) => {
+            const info: Request = {
+              id,
+              ...request,
+            }
+            s.pending.set(id, {
+              info,
+              resolve,
+              reject,
+            })
+            Bus.publish(Event.Asked, info)
+          })
+        }
+        if (rule.action === "allow") continue
+      }
+    },
+  )
+
+  export const reply = fn(
+    z.object({
+      requestID: PermissionID.zod,
+      reply: Reply,
+      message: z.string().optional(),
+    }),
+    async (input) => {
+      const s = await state()
+      const existing = s.pending.get(input.requestID)
+      if (!existing) return
+      s.pending.delete(input.requestID)
+      Bus.publish(Event.Replied, {
+        sessionID: existing.info.sessionID,
+        requestID: existing.info.id,
+        reply: input.reply,
+      })
+      if (input.reply === "reject") {
+        existing.reject(input.message ? new CorrectedError(input.message) : new RejectedError())
+        // Reject all other pending permissions for this session
+        const sessionID = existing.info.sessionID
+        for (const [id, pending] of s.pending) {
+          if (pending.info.sessionID === sessionID) {
+            s.pending.delete(id)
+            Bus.publish(Event.Replied, {
+              sessionID: pending.info.sessionID,
+              requestID: pending.info.id,
+              reply: "reject",
+            })
+            pending.reject(new RejectedError())
+          }
+        }
+        return
+      }
+      if (input.reply === "once") {
+        existing.resolve()
+        return
+      }
+      if (input.reply === "always") {
+        for (const pattern of existing.info.always) {
+          s.approved.push({
+            permission: existing.info.permission,
+            pattern,
+            action: "allow",
+          })
+        }
+
+        existing.resolve()
+
+        const sessionID = existing.info.sessionID
+        for (const [id, pending] of s.pending) {
+          if (pending.info.sessionID !== sessionID) continue
+          const ok = pending.info.patterns.every(
+            (pattern) => evaluate(pending.info.permission, pattern, s.approved).action === "allow",
+          )
+          if (!ok) continue
+          s.pending.delete(id)
+          Bus.publish(Event.Replied, {
+            sessionID: pending.info.sessionID,
+            requestID: pending.info.id,
+            reply: "always",
+          })
+          pending.resolve()
+        }
+
+        // TODO: we don't save the permission ruleset to disk yet until there's
+        // UI to manage it
+        // db().insert(PermissionTable).values({ projectID: Instance.project.id, data: s.approved })
+        //   .onConflictDoUpdate({ target: PermissionTable.projectID, set: { data: s.approved } }).run()
+        return
+      }
+    },
+  )
+
   export function evaluate(permission: string, pattern: string, ...rulesets: Ruleset[]): Rule {
-    return S.evaluate(permission, pattern, ...rulesets)
+    const merged = merge(...rulesets)
+    log.info("evaluate", { permission, pattern, ruleset: merged })
+    const match = merged.findLast(
+      (rule) => Wildcard.match(permission, rule.permission) && Wildcard.match(pattern, rule.pattern),
+    )
+    return match ?? { action: "ask", permission, pattern: "*" }
   }
 
   const EDIT_TOOLS = ["edit", "write", "patch", "multiedit"]
@@ -75,10 +247,39 @@ export namespace PermissionNext {
     const result = new Set<string>()
     for (const tool of tools) {
       const permission = EDIT_TOOLS.includes(tool) ? "edit" : tool
-      const rule = ruleset.findLast((rule) => Wildcard.match(permission, rule.permission))
+
+      const rule = ruleset.findLast((r) => Wildcard.match(permission, r.permission))
       if (!rule) continue
       if (rule.pattern === "*" && rule.action === "deny") result.add(tool)
     }
     return result
   }
+
+  /** User rejected without message - halts execution */
+  export class RejectedError extends Error {
+    constructor() {
+      super(`The user rejected permission to use this specific tool call.`)
+    }
+  }
+
+  /** User rejected with message - continues with guidance */
+  export class CorrectedError extends Error {
+    constructor(message: string) {
+      super(`The user rejected permission to use this specific tool call with the following feedback: ${message}`)
+    }
+  }
+
+  /** Auto-rejected by config rule - halts execution */
+  export class DeniedError extends Error {
+    constructor(public readonly ruleset: Ruleset) {
+      super(
+        `The user has specified a rule which prevents you from using this specific tool call. Here are some of the relevant rules ${JSON.stringify(ruleset)}`,
+      )
+    }
+  }
+
+  export async function list() {
+    const s = await state()
+    return Array.from(s.pending.values(), (x) => x.info)
+  }
 }

packages/opencode/src/permission/schema.ts

@@ -2,16 +2,16 @@ import { Schema } from "effect"
 import z from "zod"
 
 import { Identifier } from "@/id/id"
-import { Newtype } from "@/util/schema"
+import { withStatics } from "@/util/schema"
 
-export class PermissionID extends Newtype<PermissionID>()("PermissionID", Schema.String) {
-  static make(id: string): PermissionID {
-    return this.makeUnsafe(id)
-  }
+const permissionIdSchema = Schema.String.pipe(Schema.brand("PermissionID"))
 
-  static ascending(id?: string): PermissionID {
-    return this.makeUnsafe(Identifier.ascending("permission", id))
-  }
+export type PermissionID = typeof permissionIdSchema.Type
 
-  static readonly zod = Identifier.schema("permission") as unknown as z.ZodType<PermissionID>
-}
+export const PermissionID = permissionIdSchema.pipe(
+  withStatics((schema: typeof permissionIdSchema) => ({
+    make: (id: string) => schema.makeUnsafe(id),
+    ascending: (id?: string) => schema.makeUnsafe(Identifier.ascending("permission", id)),
+    zod: Identifier.schema("permission").pipe(z.custom<PermissionID>()),
+  })),
+)

packages/opencode/src/permission/service.ts

@@ -1,251 +0,0 @@
-import { Bus } from "@/bus"
-import { BusEvent } from "@/bus/bus-event"
-import { InstanceContext } from "@/effect/instances"
-import { ProjectID } from "@/project/schema"
-import { MessageID, SessionID } from "@/session/schema"
-import { PermissionTable } from "@/session/session.sql"
-import { Database, eq } from "@/storage/db"
-import { Log } from "@/util/log"
-import { Wildcard } from "@/util/wildcard"
-import { Deferred, Effect, Layer, Schema, ServiceMap } from "effect"
-import z from "zod"
-import { PermissionID } from "./schema"
-
-const log = Log.create({ service: "permission" })
-
-export const Action = z.enum(["allow", "deny", "ask"]).meta({
-  ref: "PermissionAction",
-})
-export type Action = z.infer<typeof Action>
-
-export const Rule = z
-  .object({
-    permission: z.string(),
-    pattern: z.string(),
-    action: Action,
-  })
-  .meta({
-    ref: "PermissionRule",
-  })
-export type Rule = z.infer<typeof Rule>
-
-export const Ruleset = Rule.array().meta({
-  ref: "PermissionRuleset",
-})
-export type Ruleset = z.infer<typeof Ruleset>
-
-export const Request = z
-  .object({
-    id: PermissionID.zod,
-    sessionID: SessionID.zod,
-    permission: z.string(),
-    patterns: z.string().array(),
-    metadata: z.record(z.string(), z.any()),
-    always: z.string().array(),
-    tool: z
-      .object({
-        messageID: MessageID.zod,
-        callID: z.string(),
-      })
-      .optional(),
-  })
-  .meta({
-    ref: "PermissionRequest",
-  })
-export type Request = z.infer<typeof Request>
-
-export const Reply = z.enum(["once", "always", "reject"])
-export type Reply = z.infer<typeof Reply>
-
-export const Approval = z.object({
-  projectID: ProjectID.zod,
-  patterns: z.string().array(),
-})
-
-export const Event = {
-  Asked: BusEvent.define("permission.asked", Request),
-  Replied: BusEvent.define(
-    "permission.replied",
-    z.object({
-      sessionID: SessionID.zod,
-      requestID: PermissionID.zod,
-      reply: Reply,
-    }),
-  ),
-}
-
-export class RejectedError extends Schema.TaggedErrorClass<RejectedError>()("PermissionRejectedError", {}) {
-  override get message() {
-    return "The user rejected permission to use this specific tool call."
-  }
-}
-
-export class CorrectedError extends Schema.TaggedErrorClass<CorrectedError>()("PermissionCorrectedError", {
-  feedback: Schema.String,
-}) {
-  override get message() {
-    return `The user rejected permission to use this specific tool call with the following feedback: ${this.feedback}`
-  }
-}
-
-export class DeniedError extends Schema.TaggedErrorClass<DeniedError>()("PermissionDeniedError", {
-  ruleset: Schema.Any,
-}) {
-  override get message() {
-    return `The user has specified a rule which prevents you from using this specific tool call. Here are some of the relevant rules ${JSON.stringify(this.ruleset)}`
-  }
-}
-
-export type PermissionError = DeniedError | RejectedError | CorrectedError
-
-interface PendingEntry {
-  info: Request
-  deferred: Deferred.Deferred<void, RejectedError | CorrectedError>
-}
-
-export const AskInput = Request.partial({ id: true }).extend({
-  ruleset: Ruleset,
-})
-
-export const ReplyInput = z.object({
-  requestID: PermissionID.zod,
-  reply: Reply,
-  message: z.string().optional(),
-})
-
-export declare namespace PermissionService {
-  export interface Api {
-    readonly ask: (input: z.infer<typeof AskInput>) => Effect.Effect<void, PermissionError>
-    readonly reply: (input: z.infer<typeof ReplyInput>) => Effect.Effect<void>
-    readonly list: () => Effect.Effect<Request[]>
-  }
-}
-
-export class PermissionService extends ServiceMap.Service<PermissionService, PermissionService.Api>()(
-  "@opencode/PermissionNext",
-) {
-  static readonly layer = Layer.effect(
-    PermissionService,
-    Effect.gen(function* () {
-      const { project } = yield* InstanceContext
-      const row = Database.use((db) =>
-        db.select().from(PermissionTable).where(eq(PermissionTable.project_id, project.id)).get(),
-      )
-      const pending = new Map<PermissionID, PendingEntry>()
-      const approved: Ruleset = row?.data ?? []
-
-      const ask = Effect.fn("PermissionService.ask")(function* (input: z.infer<typeof AskInput>) {
-        const { ruleset, ...request } = input
-        let needsAsk = false
-
-        for (const pattern of request.patterns) {
-          const rule = evaluate(request.permission, pattern, ruleset, approved)
-          log.info("evaluated", { permission: request.permission, pattern, action: rule })
-          if (rule.action === "deny") {
-            return yield* new DeniedError({
-              ruleset: ruleset.filter((rule) => Wildcard.match(request.permission, rule.permission)),
-            })
-          }
-          if (rule.action === "allow") continue
-          needsAsk = true
-        }
-
-        if (!needsAsk) return
-
-        const id = request.id ?? PermissionID.ascending()
-        const info: Request = {
-          id,
-          ...request,
-        }
-        log.info("asking", { id, permission: info.permission, patterns: info.patterns })
-
-        const deferred = yield* Deferred.make<void, RejectedError | CorrectedError>()
-        pending.set(id, { info, deferred })
-        void Bus.publish(Event.Asked, info)
-        return yield* Effect.ensuring(
-          Deferred.await(deferred),
-          Effect.sync(() => {
-            pending.delete(id)
-          }),
-        )
-      })
-
-      const reply = Effect.fn("PermissionService.reply")(function* (input: z.infer<typeof ReplyInput>) {
-        const existing = pending.get(input.requestID)
-        if (!existing) return
-
-        pending.delete(input.requestID)
-        void Bus.publish(Event.Replied, {
-          sessionID: existing.info.sessionID,
-          requestID: existing.info.id,
-          reply: input.reply,
-        })
-
-        if (input.reply === "reject") {
-          yield* Deferred.fail(
-            existing.deferred,
-            input.message ? new CorrectedError({ feedback: input.message }) : new RejectedError(),
-          )
-
-          for (const [id, item] of pending.entries()) {
-            if (item.info.sessionID !== existing.info.sessionID) continue
-            pending.delete(id)
-            void Bus.publish(Event.Replied, {
-              sessionID: item.info.sessionID,
-              requestID: item.info.id,
-              reply: "reject",
-            })
-            yield* Deferred.fail(item.deferred, new RejectedError())
-          }
-          return
-        }
-
-        yield* Deferred.succeed(existing.deferred, undefined)
-        if (input.reply === "once") return
-
-        for (const pattern of existing.info.always) {
-          approved.push({
-            permission: existing.info.permission,
-            pattern,
-            action: "allow",
-          })
-        }
-
-        for (const [id, item] of pending.entries()) {
-          if (item.info.sessionID !== existing.info.sessionID) continue
-          const ok = item.info.patterns.every(
-            (pattern) => evaluate(item.info.permission, pattern, approved).action === "allow",
-          )
-          if (!ok) continue
-          pending.delete(id)
-          void Bus.publish(Event.Replied, {
-            sessionID: item.info.sessionID,
-            requestID: item.info.id,
-            reply: "always",
-          })
-          yield* Deferred.succeed(item.deferred, undefined)
-        }
-
-        // TODO: we don't save the permission ruleset to disk yet until there's
-        // UI to manage it
-        // db().insert(PermissionTable).values({ projectID: Instance.project.id, data: s.approved })
-        //   .onConflictDoUpdate({ target: PermissionTable.projectID, set: { data: s.approved } }).run()
-      })
-
-      const list = Effect.fn("PermissionService.list")(function* () {
-        return Array.from(pending.values(), (item) => item.info)
-      })
-
-      return PermissionService.of({ ask, reply, list })
-    }),
-  )
-}
-
-export function evaluate(permission: string, pattern: string, ...rulesets: Ruleset[]): Rule {
-  const merged = rulesets.flat()
-  log.info("evaluate", { permission, pattern, ruleset: merged })
-  const match = merged.findLast(
-    (rule) => Wildcard.match(permission, rule.permission) && Wildcard.match(pattern, rule.pattern),
-  )
-  return match ?? { action: "ask", permission, pattern: "*" }
-}

packages/opencode/src/project/instance.ts

@@ -1,3 +1,4 @@
+import { Effect } from "effect"
 import { Log } from "@/util/log"
 import { Context } from "../util/context"
 import { Project } from "./project"
@@ -5,7 +6,7 @@ import { State } from "./state"
 import { iife } from "@/util/iife"
 import { GlobalBus } from "@/bus/global"
 import { Filesystem } from "@/util/filesystem"
-import { disposeInstance } from "@/effect/instance-registry"
+import { InstanceState } from "@/util/instance-state"
 
 interface Context {
   directory: string
@@ -107,18 +108,17 @@ export const Instance = {
   async reload(input: { directory: string; init?: () => Promise<any>; project?: Project.Info; worktree?: string }) {
     const directory = Filesystem.resolve(input.directory)
     Log.Default.info("reloading instance", { directory })
-    await Promise.all([State.dispose(directory), disposeInstance(directory)])
+    await Promise.all([State.dispose(directory), Effect.runPromise(InstanceState.dispose(directory))])
     cache.delete(directory)
     const next = track(directory, boot({ ...input, directory }))
     emit(directory)
     return await next
   },
   async dispose() {
-    const directory = Instance.directory
-    Log.Default.info("disposing instance", { directory })
-    await Promise.all([State.dispose(directory), disposeInstance(directory)])
-    cache.delete(directory)
-    emit(directory)
+    Log.Default.info("disposing instance", { directory: Instance.directory })
+    await Promise.all([State.dispose(Instance.directory), Effect.runPromise(InstanceState.dispose(Instance.directory))])
+    cache.delete(Instance.directory)
+    emit(Instance.directory)
   },
   async disposeAll() {
     if (disposal.all) return disposal.all

packages/opencode/src/provider/auth-service.ts

@@ -1,9 +1,12 @@
+import { Effect, Layer, Record, ServiceMap, Struct } from "effect"
+import { Instance } from "@/project/instance"
+import { Plugin } from "../plugin"
+import { filter, fromEntries, map, pipe } from "remeda"
 import type { AuthOuathResult } from "@opencode-ai/plugin"
 import { NamedError } from "@opencode-ai/util/error"
 import * as Auth from "@/auth/service"
+import { InstanceState } from "@/util/instance-state"
 import { ProviderID } from "./schema"
-import { Effect, Layer, Record, ServiceMap, Struct } from "effect"
-import { filter, fromEntries, map, pipe } from "remeda"
 import z from "zod"
 
 export const Method = z
@@ -51,13 +54,21 @@ export type ProviderAuthError =
 
 export namespace ProviderAuthService {
   export interface Service {
+    /** Get available auth methods for each provider (e.g. OAuth, API key). */
     readonly methods: () => Effect.Effect<Record<string, Method[]>>
+
+    /** Start an OAuth authorization flow for a provider. Returns the URL to redirect to. */
     readonly authorize: (input: { providerID: ProviderID; method: number }) => Effect.Effect<Authorization | undefined>
+
+    /** Complete an OAuth flow after the user has authorized. Exchanges the code/callback for credentials. */
     readonly callback: (input: {
       providerID: ProviderID
       method: number
       code?: string
     }) => Effect.Effect<void, ProviderAuthError>
+
+    /** Set an API key directly for a provider (no OAuth flow). */
+    readonly api: (input: { providerID: ProviderID; key: string }) => Effect.Effect<void, Auth.AuthServiceError>
   }
 }
 
@@ -68,29 +79,32 @@ export class ProviderAuthService extends ServiceMap.Service<ProviderAuthService,
     ProviderAuthService,
     Effect.gen(function* () {
       const auth = yield* Auth.AuthService
-      const hooks = yield* Effect.promise(async () => {
-        const mod = await import("../plugin")
-        return pipe(
-          await mod.Plugin.list(),
-          filter((x) => x.auth?.provider !== undefined),
-          map((x) => [x.auth!.provider, x.auth!] as const),
-          fromEntries(),
-        )
-      })
-      const pending = new Map<ProviderID, AuthOuathResult>()
+      const state = yield* InstanceState.make(() =>
+        Effect.promise(async () => {
+          const methods = pipe(
+            await Plugin.list(),
+            filter((x) => x.auth?.provider !== undefined),
+            map((x) => [x.auth!.provider, x.auth!] as const),
+            fromEntries(),
+          )
+          return { methods, pending: new Map<ProviderID, AuthOuathResult>() }
+        }),
+      )
 
       const methods = Effect.fn("ProviderAuthService.methods")(function* () {
-        return Record.map(hooks, (item) => item.methods.map((method): Method => Struct.pick(method, ["type", "label"])))
+        const x = yield* InstanceState.get(state)
+        return Record.map(x.methods, (y) => y.methods.map((z): Method => Struct.pick(z, ["type", "label"])))
       })
 
       const authorize = Effect.fn("ProviderAuthService.authorize")(function* (input: {
         providerID: ProviderID
         method: number
       }) {
-        const method = hooks[input.providerID].methods[input.method]
+        const s = yield* InstanceState.get(state)
+        const method = s.methods[input.providerID].methods[input.method]
         if (method.type !== "oauth") return
         const result = yield* Effect.promise(() => method.authorize())
-        pending.set(input.providerID, result)
+        s.pending.set(input.providerID, result)
         return {
           url: result.url,
           method: result.method,
@@ -103,14 +117,17 @@ export class ProviderAuthService extends ServiceMap.Service<ProviderAuthService,
         method: number
         code?: string
       }) {
-        const match = pending.get(input.providerID)
+        const s = yield* InstanceState.get(state)
+        const match = s.pending.get(input.providerID)
         if (!match) return yield* Effect.fail(new OauthMissing({ providerID: input.providerID }))
+
         if (match.method === "code" && !input.code)
           return yield* Effect.fail(new OauthCodeMissing({ providerID: input.providerID }))
 
         const result = yield* Effect.promise(() =>
           match.method === "code" ? match.callback(input.code!) : match.callback(),
         )
+
         if (!result || result.type !== "success") return yield* Effect.fail(new OauthCallbackFailed({}))
 
         if ("key" in result) {
@@ -131,10 +148,18 @@ export class ProviderAuthService extends ServiceMap.Service<ProviderAuthService,
         }
       })
 
+      const api = Effect.fn("ProviderAuthService.api")(function* (input: { providerID: ProviderID; key: string }) {
+        yield* auth.set(input.providerID, {
+          type: "api",
+          key: input.key,
+        })
+      })
+
       return ProviderAuthService.of({
         methods,
         authorize,
         callback,
+        api,
       })
     }),
   )

packages/opencode/src/provider/auth.ts

@@ -1,16 +1,25 @@
+import { Effect, ManagedRuntime } from "effect"
 import z from "zod"
 
-import { runPromiseInstance } from "@/effect/runtime"
 import { fn } from "@/util/fn"
 import * as S from "./auth-service"
 import { ProviderID } from "./schema"
 
+// Separate runtime: ProviderAuthService can't join the shared runtime because
+// runtime.ts → auth-service.ts → provider/auth.ts creates a circular import.
+// AuthService is stateless file I/O so the duplicate instance is harmless.
+const rt = ManagedRuntime.make(S.ProviderAuthService.defaultLayer)
+
+function runPromise<A>(f: (service: S.ProviderAuthService.Service) => Effect.Effect<A, S.ProviderAuthError>) {
+  return rt.runPromise(S.ProviderAuthService.use(f))
+}
+
 export namespace ProviderAuth {
   export const Method = S.Method
   export type Method = S.Method
 
   export async function methods() {
-    return runPromiseInstance(S.ProviderAuthService.use((service) => service.methods()))
+    return runPromise((service) => service.methods())
   }
 
   export const Authorization = S.Authorization
@@ -21,8 +30,7 @@ export namespace ProviderAuth {
       providerID: ProviderID.zod,
       method: z.number(),
     }),
-    async (input): Promise<Authorization | undefined> =>
-      runPromiseInstance(S.ProviderAuthService.use((service) => service.authorize(input))),
+    async (input): Promise<Authorization | undefined> => runPromise((service) => service.authorize(input)),
   )
 
   export const callback = fn(
@@ -31,7 +39,15 @@ export namespace ProviderAuth {
       method: z.number(),
       code: z.string().optional(),
     }),
-    async (input) => runPromiseInstance(S.ProviderAuthService.use((service) => service.callback(input))),
+    async (input) => runPromise((service) => service.callback(input)),
+  )
+
+  export const api = fn(
+    z.object({
+      providerID: ProviderID.zod,
+      key: z.string(),
+    }),
+    async (input) => runPromise((service) => service.api(input)),
   )
 
   export import OauthMissing = S.OauthMissing

packages/opencode/src/question/index.ts

@@ -1,8 +1,13 @@
-import { runPromiseInstance } from "@/effect/runtime"
+import { Effect } from "effect"
+import { runtime } from "@/effect/runtime"
 import * as S from "./service"
 import type { QuestionID } from "./schema"
 import type { SessionID, MessageID } from "@/session/schema"
 
+function runPromise<A>(f: (service: S.QuestionService.Service) => Effect.Effect<A, S.QuestionServiceError>) {
+  return runtime.runPromise(S.QuestionService.use(f))
+}
+
 export namespace Question {
   export const Option = S.Option
   export type Option = S.Option
@@ -22,18 +27,18 @@ export namespace Question {
     questions: Info[]
     tool?: { messageID: MessageID; callID: string }
   }): Promise<Answer[]> {
-    return runPromiseInstance(S.QuestionService.use((service) => service.ask(input)))
+    return runPromise((service) => service.ask(input))
   }
 
   export async function reply(input: { requestID: QuestionID; answers: Answer[] }): Promise<void> {
-    return runPromiseInstance(S.QuestionService.use((service) => service.reply(input)))
+    return runPromise((service) => service.reply(input))
   }
 
   export async function reject(requestID: QuestionID): Promise<void> {
-    return runPromiseInstance(S.QuestionService.use((service) => service.reject(requestID)))
+    return runPromise((service) => service.reject(requestID))
   }
 
   export async function list(): Promise<Request[]> {
-    return runPromiseInstance(S.QuestionService.use((service) => service.list()))
+    return runPromise((service) => service.list())
   }
 }

packages/opencode/src/question/service.ts

@@ -2,6 +2,7 @@ import { Deferred, Effect, Layer, Schema, ServiceMap } from "effect"
 import { Bus } from "@/bus"
 import { BusEvent } from "@/bus/bus-event"
 import { SessionID, MessageID } from "@/session/schema"
+import { InstanceState } from "@/util/instance-state"
 import { Log } from "@/util/log"
 import z from "zod"
 import { QuestionID } from "./schema"
@@ -71,17 +72,22 @@ export const Event = {
   ),
 }
 
-export class RejectedError extends Schema.TaggedErrorClass<RejectedError>()("QuestionRejectedError", {}) {
-  override get message() {
-    return "The user dismissed this question"
+export class RejectedError extends Error {
+  constructor() {
+    super("The user dismissed this question")
   }
 }
 
 // --- Effect service ---
 
+export class QuestionServiceError extends Schema.TaggedErrorClass<QuestionServiceError>()("QuestionServiceError", {
+  message: Schema.String,
+  cause: Schema.optional(Schema.Defect),
+}) {}
+
 interface PendingEntry {
   info: Request
-  deferred: Deferred.Deferred<Answer[], RejectedError>
+  deferred: Deferred.Deferred<Answer[]>
 }
 
 export namespace QuestionService {
@@ -90,10 +96,10 @@ export namespace QuestionService {
       sessionID: SessionID
       questions: Info[]
       tool?: { messageID: MessageID; callID: string }
-    }) => Effect.Effect<Answer[], RejectedError>
-    readonly reply: (input: { requestID: QuestionID; answers: Answer[] }) => Effect.Effect<void>
-    readonly reject: (requestID: QuestionID) => Effect.Effect<void>
-    readonly list: () => Effect.Effect<Request[]>
+    }) => Effect.Effect<Answer[], QuestionServiceError>
+    readonly reply: (input: { requestID: QuestionID; answers: Answer[] }) => Effect.Effect<void, QuestionServiceError>
+    readonly reject: (requestID: QuestionID) => Effect.Effect<void, QuestionServiceError>
+    readonly list: () => Effect.Effect<Request[], QuestionServiceError>
   }
 }
 
@@ -103,17 +109,22 @@ export class QuestionService extends ServiceMap.Service<QuestionService, Questio
   static readonly layer = Layer.effect(
     QuestionService,
     Effect.gen(function* () {
-      const pending = new Map<QuestionID, PendingEntry>()
+      const instanceState = yield* InstanceState.make<Map<QuestionID, PendingEntry>, QuestionServiceError>(() =>
+        Effect.succeed(new Map<QuestionID, PendingEntry>()),
+      )
+
+      const getPending = InstanceState.get(instanceState)
 
       const ask = Effect.fn("QuestionService.ask")(function* (input: {
         sessionID: SessionID
         questions: Info[]
         tool?: { messageID: MessageID; callID: string }
       }) {
+        const pending = yield* getPending
         const id = QuestionID.ascending()
         log.info("asking", { id, questions: input.questions.length })
 
-        const deferred = yield* Deferred.make<Answer[], RejectedError>()
+        const deferred = yield* Deferred.make<Answer[]>()
         const info: Request = {
           id,
           sessionID: input.sessionID,
@@ -127,6 +138,7 @@ export class QuestionService extends ServiceMap.Service<QuestionService, Questio
       })
 
       const reply = Effect.fn("QuestionService.reply")(function* (input: { requestID: QuestionID; answers: Answer[] }) {
+        const pending = yield* getPending
         const existing = pending.get(input.requestID)
         if (!existing) {
           log.warn("reply for unknown request", { requestID: input.requestID })
@@ -143,6 +155,7 @@ export class QuestionService extends ServiceMap.Service<QuestionService, Questio
       })
 
       const reject = Effect.fn("QuestionService.reject")(function* (requestID: QuestionID) {
+        const pending = yield* getPending
         const existing = pending.get(requestID)
         if (!existing) {
           log.warn("reject for unknown request", { requestID })
@@ -154,10 +167,11 @@ export class QuestionService extends ServiceMap.Service<QuestionService, Questio
           sessionID: existing.info.sessionID,
           requestID: existing.info.id,
         })
-        yield* Deferred.fail(existing.deferred, new RejectedError())
+        yield* Deferred.die(existing.deferred, new RejectedError())
       })
 
       const list = Effect.fn("QuestionService.list")(function* () {
+        const pending = yield* getPending
         return Array.from(pending.values(), (x) => x.info)
       })
 

packages/opencode/src/util/instance-state.ts

@@ -0,0 +1,61 @@
+import { Effect, ScopedCache, Scope } from "effect"
+
+import { Instance } from "@/project/instance"
+
+type Disposer = (directory: string) => Effect.Effect<void>
+const disposers = new Set<Disposer>()
+
+const TypeId = "~opencode/InstanceState"
+
+/**
+ * Effect version of `Instance.state` — lazily-initialized, per-directory
+ * cached state for Effect services.
+ *
+ * Values are created on first access for a given directory and cached for
+ * subsequent reads. Concurrent access shares a single initialization —
+ * no duplicate work or races. Use `Effect.acquireRelease` in `init` if
+ * the value needs cleanup on disposal.
+ */
+export interface InstanceState<A, E = never, R = never> {
+  readonly [TypeId]: typeof TypeId
+  readonly cache: ScopedCache.ScopedCache<string, A, E, R>
+}
+
+export namespace InstanceState {
+  /** Create a new InstanceState with the given initializer. */
+  export const make = <A, E = never, R = never>(
+    init: (directory: string) => Effect.Effect<A, E, R | Scope.Scope>,
+  ): Effect.Effect<InstanceState<A, E, Exclude<R, Scope.Scope>>, never, R | Scope.Scope> =>
+    Effect.gen(function* () {
+      const cache = yield* ScopedCache.make<string, A, E, R>({
+        capacity: Number.POSITIVE_INFINITY,
+        lookup: init,
+      })
+
+      const disposer: Disposer = (directory) => ScopedCache.invalidate(cache, directory)
+      disposers.add(disposer)
+      yield* Effect.addFinalizer(() => Effect.sync(() => void disposers.delete(disposer)))
+
+      return {
+        [TypeId]: TypeId,
+        cache,
+      }
+    })
+
+  /** Get the cached value for the current directory, initializing it if needed. */
+  export const get = <A, E, R>(self: InstanceState<A, E, R>) => ScopedCache.get(self.cache, Instance.directory)
+
+  /** Check whether a value exists for the current directory. */
+  export const has = <A, E, R>(self: InstanceState<A, E, R>) => ScopedCache.has(self.cache, Instance.directory)
+
+  /** Invalidate the cached value for the current directory. */
+  export const invalidate = <A, E, R>(self: InstanceState<A, E, R>) =>
+    ScopedCache.invalidate(self.cache, Instance.directory)
+
+  /** Invalidate the given directory across all InstanceState caches. */
+  export const dispose = (directory: string) =>
+    Effect.all(
+      [...disposers].map((disposer) => disposer(directory)),
+      { concurrency: "unbounded" },
+    )
+}

packages/opencode/test/permission/next.test.ts

@@ -1,38 +1,10 @@
-import { afterEach, test, expect } from "bun:test"
+import { test, expect } from "bun:test"
 import os from "os"
-import { Effect } from "effect"
-import { Bus } from "../../src/bus"
-import { runtime } from "../../src/effect/runtime"
-import { Instances } from "../../src/effect/instances"
 import { PermissionNext } from "../../src/permission/next"
-import * as S from "../../src/permission/service"
 import { PermissionID } from "../../src/permission/schema"
 import { Instance } from "../../src/project/instance"
 import { tmpdir } from "../fixture/fixture"
-import { MessageID, SessionID } from "../../src/session/schema"
-
-afterEach(async () => {
-  await Instance.disposeAll()
-})
-
-async function rejectAll(message?: string) {
-  for (const req of await PermissionNext.list()) {
-    await PermissionNext.reply({
-      requestID: req.id,
-      reply: "reject",
-      message,
-    })
-  }
-}
-
-async function waitForPending(count: number) {
-  for (let i = 0; i < 20; i++) {
-    const list = await PermissionNext.list()
-    if (list.length === count) return list
-    await Bun.sleep(0)
-  }
-  return PermissionNext.list()
-}
+import { SessionID } from "../../src/session/schema"
 
 // fromConfig tests
 
@@ -539,84 +511,6 @@ test("ask - returns pending promise when action is ask", async () => {
       // Promise should be pending, not resolved
       expect(promise).toBeInstanceOf(Promise)
       // Don't await - just verify it returns a promise
-      await rejectAll()
-      await promise.catch(() => {})
-    },
-  })
-})
-
-test("ask - adds request to pending list", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const ask = PermissionNext.ask({
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: { cmd: "ls" },
-        always: ["ls"],
-        tool: {
-          messageID: MessageID.make("msg_test"),
-          callID: "call_test",
-        },
-        ruleset: [],
-      })
-
-      const list = await PermissionNext.list()
-      expect(list).toHaveLength(1)
-      expect(list[0]).toMatchObject({
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: { cmd: "ls" },
-        always: ["ls"],
-        tool: {
-          messageID: MessageID.make("msg_test"),
-          callID: "call_test",
-        },
-      })
-
-      await rejectAll()
-      await ask.catch(() => {})
-    },
-  })
-})
-
-test("ask - publishes asked event", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      let seen: PermissionNext.Request | undefined
-      const unsub = Bus.subscribe(PermissionNext.Event.Asked, (event) => {
-        seen = event.properties
-      })
-
-      const ask = PermissionNext.ask({
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: { cmd: "ls" },
-        always: ["ls"],
-        tool: {
-          messageID: MessageID.make("msg_test"),
-          callID: "call_test",
-        },
-        ruleset: [],
-      })
-
-      expect(await PermissionNext.list()).toHaveLength(1)
-      expect(seen).toBeDefined()
-      expect(seen).toMatchObject({
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["ls"],
-      })
-
-      unsub()
-      await rejectAll()
-      await ask.catch(() => {})
     },
   })
 })
@@ -638,8 +532,6 @@ test("reply - once resolves the pending ask", async () => {
         ruleset: [],
       })
 
-      await waitForPending(1)
-
       await PermissionNext.reply({
         requestID: PermissionID.make("per_test1"),
         reply: "once",
@@ -665,8 +557,6 @@ test("reply - reject throws RejectedError", async () => {
         ruleset: [],
       })
 
-      await waitForPending(1)
-
       await PermissionNext.reply({
         requestID: PermissionID.make("per_test2"),
         reply: "reject",
@@ -677,36 +567,6 @@ test("reply - reject throws RejectedError", async () => {
   })
 })
 
-test("reply - reject with message throws CorrectedError", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const ask = PermissionNext.ask({
-        id: PermissionID.make("per_test2b"),
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: {},
-        always: [],
-        ruleset: [],
-      })
-
-      await waitForPending(1)
-
-      await PermissionNext.reply({
-        requestID: PermissionID.make("per_test2b"),
-        reply: "reject",
-        message: "Use a safer command",
-      })
-
-      const err = await ask.catch((err) => err)
-      expect(err).toBeInstanceOf(PermissionNext.CorrectedError)
-      expect(err.message).toContain("Use a safer command")
-    },
-  })
-})
-
 test("reply - always persists approval and resolves", async () => {
   await using tmp = await tmpdir({ git: true })
   await Instance.provide({
@@ -722,8 +582,6 @@ test("reply - always persists approval and resolves", async () => {
         ruleset: [],
       })
 
-      await waitForPending(1)
-
       await PermissionNext.reply({
         requestID: PermissionID.make("per_test3"),
         reply: "always",
@@ -775,8 +633,6 @@ test("reply - reject cancels all pending for same session", async () => {
         ruleset: [],
       })
 
-      await waitForPending(2)
-
       // Catch rejections before they become unhandled
       const result1 = askPromise1.catch((e) => e)
       const result2 = askPromise2.catch((e) => e)
@@ -794,144 +650,6 @@ test("reply - reject cancels all pending for same session", async () => {
   })
 })
 
-test("reply - always resolves matching pending requests in same session", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const a = PermissionNext.ask({
-        id: PermissionID.make("per_test5a"),
-        sessionID: SessionID.make("session_same"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: {},
-        always: ["ls"],
-        ruleset: [],
-      })
-
-      const b = PermissionNext.ask({
-        id: PermissionID.make("per_test5b"),
-        sessionID: SessionID.make("session_same"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: {},
-        always: [],
-        ruleset: [],
-      })
-
-      await waitForPending(2)
-
-      await PermissionNext.reply({
-        requestID: PermissionID.make("per_test5a"),
-        reply: "always",
-      })
-
-      await expect(a).resolves.toBeUndefined()
-      await expect(b).resolves.toBeUndefined()
-      expect(await PermissionNext.list()).toHaveLength(0)
-    },
-  })
-})
-
-test("reply - always keeps other session pending", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const a = PermissionNext.ask({
-        id: PermissionID.make("per_test6a"),
-        sessionID: SessionID.make("session_a"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: {},
-        always: ["ls"],
-        ruleset: [],
-      })
-
-      const b = PermissionNext.ask({
-        id: PermissionID.make("per_test6b"),
-        sessionID: SessionID.make("session_b"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: {},
-        always: [],
-        ruleset: [],
-      })
-
-      await waitForPending(2)
-
-      await PermissionNext.reply({
-        requestID: PermissionID.make("per_test6a"),
-        reply: "always",
-      })
-
-      await expect(a).resolves.toBeUndefined()
-      expect((await PermissionNext.list()).map((x) => x.id)).toEqual([PermissionID.make("per_test6b")])
-
-      await rejectAll()
-      await b.catch(() => {})
-    },
-  })
-})
-
-test("reply - publishes replied event", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const ask = PermissionNext.ask({
-        id: PermissionID.make("per_test7"),
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["ls"],
-        metadata: {},
-        always: [],
-        ruleset: [],
-      })
-
-      await waitForPending(1)
-
-      let seen:
-        | {
-            sessionID: SessionID
-            requestID: PermissionID
-            reply: PermissionNext.Reply
-          }
-        | undefined
-      const unsub = Bus.subscribe(PermissionNext.Event.Replied, (event) => {
-        seen = event.properties
-      })
-
-      await PermissionNext.reply({
-        requestID: PermissionID.make("per_test7"),
-        reply: "once",
-      })
-
-      await expect(ask).resolves.toBeUndefined()
-      expect(seen).toEqual({
-        sessionID: SessionID.make("session_test"),
-        requestID: PermissionID.make("per_test7"),
-        reply: "once",
-      })
-      unsub()
-    },
-  })
-})
-
-test("reply - does nothing for unknown requestID", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      await PermissionNext.reply({
-        requestID: PermissionID.make("per_unknown"),
-        reply: "once",
-      })
-      expect(await PermissionNext.list()).toHaveLength(0)
-    },
-  })
-})
-
 test("ask - checks all patterns and stops on first deny", async () => {
   await using tmp = await tmpdir({ git: true })
   await Instance.provide({
@@ -971,74 +689,3 @@ test("ask - allows all patterns when all match allow rules", async () => {
     },
   })
 })
-
-test("ask - should deny even when an earlier pattern is ask", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const ask = PermissionNext.ask({
-        sessionID: SessionID.make("session_test"),
-        permission: "bash",
-        patterns: ["echo hello", "rm -rf /"],
-        metadata: {},
-        always: [],
-        ruleset: [
-          { permission: "bash", pattern: "echo *", action: "ask" },
-          { permission: "bash", pattern: "rm *", action: "deny" },
-        ],
-      })
-
-      const out = await Promise.race([
-        ask.then(
-          () => ({ ok: true as const, err: undefined }),
-          (err) => ({ ok: false as const, err }),
-        ),
-        Bun.sleep(100).then(() => "timeout" as const),
-      ])
-
-      if (out === "timeout") {
-        await rejectAll()
-        await ask.catch(() => {})
-        throw new Error("ask timed out instead of denying immediately")
-      }
-
-      expect(out.ok).toBe(false)
-      expect(out.err).toBeInstanceOf(PermissionNext.DeniedError)
-      expect(await PermissionNext.list()).toHaveLength(0)
-    },
-  })
-})
-
-test("ask - abort should clear pending request", async () => {
-  await using tmp = await tmpdir({ git: true })
-  await Instance.provide({
-    directory: tmp.path,
-    fn: async () => {
-      const ctl = new AbortController()
-      const ask = runtime.runPromise(
-        S.PermissionService.use((svc) =>
-          svc.ask({
-            sessionID: SessionID.make("session_test"),
-            permission: "bash",
-            patterns: ["ls"],
-            metadata: {},
-            always: [],
-            ruleset: [{ permission: "bash", pattern: "*", action: "ask" }],
-          }),
-        ).pipe(Effect.provide(Instances.get(Instance.directory))),
-        { signal: ctl.signal },
-      )
-
-      await waitForPending(1)
-      ctl.abort()
-      await ask.catch(() => {})
-
-      try {
-        expect(await PermissionNext.list()).toHaveLength(0)
-      } finally {
-        await rejectAll()
-      }
-    },
-  })
-})

packages/opencode/test/question/question.test.ts

@@ -1,14 +1,10 @@
-import { afterEach, test, expect } from "bun:test"
+import { test, expect } from "bun:test"
 import { Question } from "../../src/question"
 import { Instance } from "../../src/project/instance"
 import { QuestionID } from "../../src/question/schema"
 import { tmpdir } from "../fixture/fixture"
 import { SessionID } from "../../src/session/schema"
 
-afterEach(async () => {
-  await Instance.disposeAll()
-})
-
 /** Reject all pending questions so dangling Deferred fibers don't hang the test. */
 async function rejectAll() {
   const pending = await Question.list()

packages/opencode/test/tool/read.test.ts

@@ -183,7 +183,7 @@ describe("tool.read env file permissions", () => {
                   askedForEnv = true
                 }
                 if (rule.action === "deny") {
-                  throw new PermissionNext.DeniedError({ ruleset: agent.permission })
+                  throw new PermissionNext.DeniedError(agent.permission)
                 }
               }
             },

packages/opencode/test/util/instance-state.test.ts

@@ -0,0 +1,138 @@
+import { afterEach, expect, test } from "bun:test"
+import { Effect } from "effect"
+
+import { Instance } from "../../src/project/instance"
+import { InstanceState } from "../../src/util/instance-state"
+import { tmpdir } from "../fixture/fixture"
+
+async function access<A, E>(state: InstanceState<A, E>, dir: string) {
+  return Instance.provide({
+    directory: dir,
+    fn: () => Effect.runPromise(InstanceState.get(state)),
+  })
+}
+
+afterEach(async () => {
+  await Instance.disposeAll()
+})
+
+test("InstanceState caches values for the same instance", async () => {
+  await using tmp = await tmpdir()
+  let n = 0
+
+  await Effect.runPromise(
+    Effect.scoped(
+      Effect.gen(function* () {
+        const state = yield* InstanceState.make(() => Effect.sync(() => ({ n: ++n })))
+
+        const a = yield* Effect.promise(() => access(state, tmp.path))
+        const b = yield* Effect.promise(() => access(state, tmp.path))
+
+        expect(a).toBe(b)
+        expect(n).toBe(1)
+      }),
+    ),
+  )
+})
+
+test("InstanceState isolates values by directory", async () => {
+  await using a = await tmpdir()
+  await using b = await tmpdir()
+  let n = 0
+
+  await Effect.runPromise(
+    Effect.scoped(
+      Effect.gen(function* () {
+        const state = yield* InstanceState.make((dir) => Effect.sync(() => ({ dir, n: ++n })))
+
+        const x = yield* Effect.promise(() => access(state, a.path))
+        const y = yield* Effect.promise(() => access(state, b.path))
+        const z = yield* Effect.promise(() => access(state, a.path))
+
+        expect(x).toBe(z)
+        expect(x).not.toBe(y)
+        expect(n).toBe(2)
+      }),
+    ),
+  )
+})
+
+test("InstanceState is disposed on instance reload", async () => {
+  await using tmp = await tmpdir()
+  const seen: string[] = []
+  let n = 0
+
+  await Effect.runPromise(
+    Effect.scoped(
+      Effect.gen(function* () {
+        const state = yield* InstanceState.make(() =>
+          Effect.acquireRelease(
+            Effect.sync(() => ({ n: ++n })),
+            (value) =>
+              Effect.sync(() => {
+                seen.push(String(value.n))
+              }),
+          ),
+        )
+
+        const a = yield* Effect.promise(() => access(state, tmp.path))
+        yield* Effect.promise(() => Instance.reload({ directory: tmp.path }))
+        const b = yield* Effect.promise(() => access(state, tmp.path))
+
+        expect(a).not.toBe(b)
+        expect(seen).toEqual(["1"])
+      }),
+    ),
+  )
+})
+
+test("InstanceState is disposed on disposeAll", async () => {
+  await using a = await tmpdir()
+  await using b = await tmpdir()
+  const seen: string[] = []
+
+  await Effect.runPromise(
+    Effect.scoped(
+      Effect.gen(function* () {
+        const state = yield* InstanceState.make((dir) =>
+          Effect.acquireRelease(
+            Effect.sync(() => ({ dir })),
+            (value) =>
+              Effect.sync(() => {
+                seen.push(value.dir)
+              }),
+          ),
+        )
+
+        yield* Effect.promise(() => access(state, a.path))
+        yield* Effect.promise(() => access(state, b.path))
+        yield* Effect.promise(() => Instance.disposeAll())
+
+        expect(seen.sort()).toEqual([a.path, b.path].sort())
+      }),
+    ),
+  )
+})
+
+test("InstanceState dedupes concurrent lookups for the same directory", async () => {
+  await using tmp = await tmpdir()
+  let n = 0
+
+  await Effect.runPromise(
+    Effect.scoped(
+      Effect.gen(function* () {
+        const state = yield* InstanceState.make(() =>
+          Effect.promise(async () => {
+            n += 1
+            await Bun.sleep(10)
+            return { n }
+          }),
+        )
+
+        const [a, b] = yield* Effect.promise(() => Promise.all([access(state, tmp.path), access(state, tmp.path)]))
+        expect(a).toBe(b)
+        expect(n).toBe(1)
+      }),
+    ),
+  )
+})

packages/sdk/js/src/v2/gen/types.gen.ts

@@ -54,35 +54,6 @@ export type EventServerInstanceDisposed = {
   }
 }
 
-export type PermissionRequest = {
-  id: string
-  sessionID: string
-  permission: string
-  patterns: Array<string>
-  metadata: {
-    [key: string]: unknown
-  }
-  always: Array<string>
-  tool?: {
-    messageID: string
-    callID: string
-  }
-}
-
-export type EventPermissionAsked = {
-  type: "permission.asked"
-  properties: PermissionRequest
-}
-
-export type EventPermissionReplied = {
-  type: "permission.replied"
-  properties: {
-    sessionID: string
-    requestID: string
-    reply: "once" | "always" | "reject"
-  }
-}
-
 export type QuestionOption = {
   /**
    * Display text (1-5 words, concise)
@@ -649,6 +620,35 @@ export type EventMessagePartRemoved = {
   }
 }
 
+export type PermissionRequest = {
+  id: string
+  sessionID: string
+  permission: string
+  patterns: Array<string>
+  metadata: {
+    [key: string]: unknown
+  }
+  always: Array<string>
+  tool?: {
+    messageID: string
+    callID: string
+  }
+}
+
+export type EventPermissionAsked = {
+  type: "permission.asked"
+  properties: PermissionRequest
+}
+
+export type EventPermissionReplied = {
+  type: "permission.replied"
+  properties: {
+    sessionID: string
+    requestID: string
+    reply: "once" | "always" | "reject"
+  }
+}
+
 export type SessionStatus =
   | {
       type: "idle"
@@ -962,8 +962,6 @@ export type Event =
   | EventInstallationUpdateAvailable
   | EventProjectUpdated
   | EventServerInstanceDisposed
-  | EventPermissionAsked
-  | EventPermissionReplied
   | EventQuestionAsked
   | EventQuestionReplied
   | EventQuestionRejected
@@ -977,6 +975,8 @@ export type Event =
   | EventMessagePartUpdated
   | EventMessagePartDelta
   | EventMessagePartRemoved
+  | EventPermissionAsked
+  | EventPermissionReplied
   | EventSessionStatus
   | EventSessionIdle
   | EventSessionCompacted

packages/sdk/openapi.json

@@ -7062,96 +7062,6 @@
         },
         "required": ["type", "properties"]
       },
-      "PermissionRequest": {
-        "type": "object",
-        "properties": {
-          "id": {
-            "type": "string",
-            "pattern": "^per.*"
-          },
-          "sessionID": {
-            "type": "string",
-            "pattern": "^ses.*"
-          },
-          "permission": {
-            "type": "string"
-          },
-          "patterns": {
-            "type": "array",
-            "items": {
-              "type": "string"
-            }
-          },
-          "metadata": {
-            "type": "object",
-            "propertyNames": {
-              "type": "string"
-            },
-            "additionalProperties": {}
-          },
-          "always": {
-            "type": "array",
-            "items": {
-              "type": "string"
-            }
-          },
-          "tool": {
-            "type": "object",
-            "properties": {
-              "messageID": {
-                "type": "string",
-                "pattern": "^msg.*"
-              },
-              "callID": {
-                "type": "string"
-              }
-            },
-            "required": ["messageID", "callID"]
-          }
-        },
-        "required": ["id", "sessionID", "permission", "patterns", "metadata", "always"]
-      },
-      "Event.permission.asked": {
-        "type": "object",
-        "properties": {
-          "type": {
-            "type": "string",
-            "const": "permission.asked"
-          },
-          "properties": {
-            "$ref": "#/components/schemas/PermissionRequest"
-          }
-        },
-        "required": ["type", "properties"]
-      },
-      "Event.permission.replied": {
-        "type": "object",
-        "properties": {
-          "type": {
-            "type": "string",
-            "const": "permission.replied"
-          },
-          "properties": {
-            "type": "object",
-            "properties": {
-              "sessionID": {
-                "type": "string",
-                "pattern": "^ses.*"
-              },
-              "requestID": {
-                "type": "string",
-                "pattern": "^per.*"
-              },
-              "reply": {
-                "type": "string",
-                "enum": ["once", "always", "reject"]
-              }
-            },
-            "required": ["sessionID", "requestID", "reply"]
-          }
-        },
-        "required": ["type", "properties"]
-      },
       "QuestionOption": {
         "type": "object",
         "properties": {
@@ -8760,6 +8670,96 @@
         },
         "required": ["type", "properties"]
       },
+      "PermissionRequest": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "pattern": "^per.*"
+          },
+          "sessionID": {
+            "type": "string",
+            "pattern": "^ses.*"
+          },
+          "permission": {
+            "type": "string"
+          },
+          "patterns": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          },
+          "metadata": {
+            "type": "object",
+            "propertyNames": {
+              "type": "string"
+            },
+            "additionalProperties": {}
+          },
+          "always": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          },
+          "tool": {
+            "type": "object",
+            "properties": {
+              "messageID": {
+                "type": "string",
+                "pattern": "^msg.*"
+              },
+              "callID": {
+                "type": "string"
+              }
+            },
+            "required": ["messageID", "callID"]
+          }
+        },
+        "required": ["id", "sessionID", "permission", "patterns", "metadata", "always"]
+      },
+      "Event.permission.asked": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "const": "permission.asked"
+          },
+          "properties": {
+            "$ref": "#/components/schemas/PermissionRequest"
+          }
+        },
+        "required": ["type", "properties"]
+      },
+      "Event.permission.replied": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "const": "permission.replied"
+          },
+          "properties": {
+            "type": "object",
+            "properties": {
+              "sessionID": {
+                "type": "string",
+                "pattern": "^ses.*"
+              },
+              "requestID": {
+                "type": "string",
+                "pattern": "^per.*"
+              },
+              "reply": {
+                "type": "string",
+                "enum": ["once", "always", "reject"]
+              }
+            },
+            "required": ["sessionID", "requestID", "reply"]
+          }
+        },
+        "required": ["type", "properties"]
+      },
       "SessionStatus": {
         "anyOf": [
           {
@@ -9611,12 +9611,6 @@
           {
             "$ref": "#/components/schemas/Event.server.instance.disposed"
           },
-          {
-            "$ref": "#/components/schemas/Event.permission.asked"
-          },
-          {
-            "$ref": "#/components/schemas/Event.permission.replied"
-          },
           {
             "$ref": "#/components/schemas/Event.question.asked"
           },
@@ -9656,6 +9650,12 @@
           {
             "$ref": "#/components/schemas/Event.message.part.removed"
           },
+          {
+            "$ref": "#/components/schemas/Event.permission.asked"
+          },
+          {
+            "$ref": "#/components/schemas/Event.permission.replied"
+          },
           {
             "$ref": "#/components/schemas/Event.session.status"
           },