fix: scope Npm.add() lock to per-package key

Use npm-install:${pkg} instead of a global npm-install lock so concurrent installs of different packages can run in parallel.
2026-03-20 13:44:27 +00:00 · 2026-03-19 21:48:43 -04:00
15 changed files with 330 additions and 336 deletions
--- a/README.md
+++ b/README.md
@@ -128,7 +128,7 @@ If you are working on a project that's related to OpenCode and is using "opencod

 #### How is this different from Claude Code?

-It's very similar to Claude Code in terms of capability. Here are the key differences:
+It's very similar to Claude Code in terms of capability. Here are the key differences::

 - 100% open source
 - Not coupled to any provider. Although we recommend the models we provide through [OpenCode Zen](https://opencode.ai/zen), OpenCode can be used with Claude, OpenAI, Google, or even local models. As models evolve, the gaps between them will close and pricing will drop, so being provider-agnostic is important.
--- a/bun.lock
+++ b/bun.lock
@@ -588,7 +588,6 @@
  ],
  "patchedDependencies": {
    "@openrouter/ai-sdk-provider@1.5.4": "patches/@openrouter%2Fai-sdk-provider@1.5.4.patch",
-    "@ai-sdk/xai@2.0.51": "patches/@ai-sdk%2Fxai@2.0.51.patch",
    "@standard-community/standard-openapi@0.2.9": "patches/@standard-community%2Fstandard-openapi@0.2.9.patch",
  },
  "overrides": {
--- a/nix/hashes.json
+++ b/nix/hashes.json
@@ -1,8 +1,8 @@
 {
  "nodeModules": {
-    "x86_64-linux": "sha256-xq0W2Ym0AzANLXnLyAL+IUwrFm0MKXwkJVdENowoPyY=",
-    "aarch64-linux": "sha256-RtpiGZXk+BboD9MjBetq5sInIbH/OPkLVNSFgN/0ehY=",
-    "aarch64-darwin": "sha256-cX6y262OzqRicH4m0/u1DCsMkpJfzCUOOBFQqtQLvls=",
-    "x86_64-darwin": "sha256-K4UmRKiEfKkvVeKUB85XjHJ1jf0ZUnjL0dWvx9TD4pI="
+    "x86_64-linux": "sha256-yfA50QKqylmaioxi+6d++W8Xv4Wix1hl3hEF6Zz7Ue0=",
+    "aarch64-linux": "sha256-b5sO7V+/zzJClHHKjkSz+9AUBYC8cb7S3m5ab1kpAyk=",
+    "aarch64-darwin": "sha256-V66nmRX6kAjrc41ARVeuTElWK7KD8qG/DVk9K7Fu+J8=",
+    "x86_64-darwin": "sha256-cFyh60WESiqZ5XWZi1+g3F/beSDL1+UPG8KhRivhK8w="
  }
 }
--- a/package.json
+++ b/package.json
@@ -112,7 +112,6 @@
  },
  "patchedDependencies": {
    "@standard-community/standard-openapi@0.2.9": "patches/@standard-community%2Fstandard-openapi@0.2.9.patch",
-    "@openrouter/ai-sdk-provider@1.5.4": "patches/@openrouter%2Fai-sdk-provider@1.5.4.patch",
-    "@ai-sdk/xai@2.0.51": "patches/@ai-sdk%2Fxai@2.0.51.patch"
+    "@openrouter/ai-sdk-provider@1.5.4": "patches/@openrouter%2Fai-sdk-provider@1.5.4.patch"
  }
 }
--- a/packages/opencode/script/build-node.ts
+++ b/packages/opencode/script/build-node.ts
@@ -1,54 +0,0 @@
-#!/usr/bin/env bun
-
-import fs from "fs"
-import path from "path"
-import { fileURLToPath } from "url"
-
-const __filename = fileURLToPath(import.meta.url)
-const __dirname = path.dirname(__filename)
-const dir = path.resolve(__dirname, "..")
-
-process.chdir(dir)
-
-// Load migrations from migration directories
-const migrationDirs = (
-  await fs.promises.readdir(path.join(dir, "migration"), {
-    withFileTypes: true,
-  })
-)
-  .filter((entry) => entry.isDirectory() && /^\d{4}\d{2}\d{2}\d{2}\d{2}\d{2}/.test(entry.name))
-  .map((entry) => entry.name)
-  .sort()
-
-const migrations = await Promise.all(
-  migrationDirs.map(async (name) => {
-    const file = path.join(dir, "migration", name, "migration.sql")
-    const sql = await Bun.file(file).text()
-    const match = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/.exec(name)
-    const timestamp = match
-      ? Date.UTC(
-          Number(match[1]),
-          Number(match[2]) - 1,
-          Number(match[3]),
-          Number(match[4]),
-          Number(match[5]),
-          Number(match[6]),
-        )
-      : 0
-    return { sql, timestamp, name }
-  }),
-)
-console.log(`Loaded ${migrations.length} migrations`)
-
-await Bun.build({
-  target: "node",
-  entrypoints: ["./src/node.ts"],
-  outdir: "./dist",
-  format: "esm",
-  external: ["jsonc-parser"],
-  define: {
-    OPENCODE_MIGRATIONS: JSON.stringify(migrations),
-  },
-})
-
-console.log("Build complete")
--- a/packages/opencode/src/mcp/oauth-callback.ts
+++ b/packages/opencode/src/mcp/oauth-callback.ts
@@ -1,4 +1,5 @@
 import { createConnection } from "net"
+import { createServer } from "http"
 import { Log } from "../util/log"
 import { OAUTH_CALLBACK_PORT, OAUTH_CALLBACK_PATH } from "./oauth-provider"

@@ -52,11 +53,74 @@ interface PendingAuth {
 }

 export namespace McpOAuthCallback {
-  let server: ReturnType<typeof Bun.serve> | undefined
+  let server: ReturnType<typeof createServer> | undefined
  const pendingAuths = new Map<string, PendingAuth>()

  const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000 // 5 minutes

+  function handleRequest(req: import("http").IncomingMessage, res: import("http").ServerResponse) {
+    const url = new URL(req.url || "/", `http://localhost:${OAUTH_CALLBACK_PORT}`)
+
+    if (url.pathname !== OAUTH_CALLBACK_PATH) {
+      res.writeHead(404)
+      res.end("Not found")
+      return
+    }
+
+    const code = url.searchParams.get("code")
+    const state = url.searchParams.get("state")
+    const error = url.searchParams.get("error")
+    const errorDescription = url.searchParams.get("error_description")
+
+    log.info("received oauth callback", { hasCode: !!code, state, error })
+
+    // Enforce state parameter presence
+    if (!state) {
+      const errorMsg = "Missing required state parameter - potential CSRF attack"
+      log.error("oauth callback missing state parameter", { url: url.toString() })
+      res.writeHead(400, { "Content-Type": "text/html" })
+      res.end(HTML_ERROR(errorMsg))
+      return
+    }
+
+    if (error) {
+      const errorMsg = errorDescription || error
+      if (pendingAuths.has(state)) {
+        const pending = pendingAuths.get(state)!
+        clearTimeout(pending.timeout)
+        pendingAuths.delete(state)
+        pending.reject(new Error(errorMsg))
+      }
+      res.writeHead(200, { "Content-Type": "text/html" })
+      res.end(HTML_ERROR(errorMsg))
+      return
+    }
+
+    if (!code) {
+      res.writeHead(400, { "Content-Type": "text/html" })
+      res.end(HTML_ERROR("No authorization code provided"))
+      return
+    }
+
+    // Validate state parameter
+    if (!pendingAuths.has(state)) {
+      const errorMsg = "Invalid or expired state parameter - potential CSRF attack"
+      log.error("oauth callback with invalid state", { state, pendingStates: Array.from(pendingAuths.keys()) })
+      res.writeHead(400, { "Content-Type": "text/html" })
+      res.end(HTML_ERROR(errorMsg))
+      return
+    }
+
+    const pending = pendingAuths.get(state)!
+
+    clearTimeout(pending.timeout)
+    pendingAuths.delete(state)
+    pending.resolve(code)
+
+    res.writeHead(200, { "Content-Type": "text/html" })
+    res.end(HTML_SUCCESS)
+  }
+
  export async function ensureRunning(): Promise<void> {
    if (server) return

@@ -66,75 +130,14 @@ export namespace McpOAuthCallback {
      return
    }

-    server = Bun.serve({
-      port: OAUTH_CALLBACK_PORT,
-      fetch(req) {
-        const url = new URL(req.url)
-
-        if (url.pathname !== OAUTH_CALLBACK_PATH) {
-          return new Response("Not found", { status: 404 })
-        }
-
-        const code = url.searchParams.get("code")
-        const state = url.searchParams.get("state")
-        const error = url.searchParams.get("error")
-        const errorDescription = url.searchParams.get("error_description")
-
-        log.info("received oauth callback", { hasCode: !!code, state, error })
-
-        // Enforce state parameter presence
-        if (!state) {
-          const errorMsg = "Missing required state parameter - potential CSRF attack"
-          log.error("oauth callback missing state parameter", { url: url.toString() })
-          return new Response(HTML_ERROR(errorMsg), {
-            status: 400,
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        if (error) {
-          const errorMsg = errorDescription || error
-          if (pendingAuths.has(state)) {
-            const pending = pendingAuths.get(state)!
-            clearTimeout(pending.timeout)
-            pendingAuths.delete(state)
-            pending.reject(new Error(errorMsg))
-          }
-          return new Response(HTML_ERROR(errorMsg), {
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        if (!code) {
-          return new Response(HTML_ERROR("No authorization code provided"), {
-            status: 400,
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        // Validate state parameter
-        if (!pendingAuths.has(state)) {
-          const errorMsg = "Invalid or expired state parameter - potential CSRF attack"
-          log.error("oauth callback with invalid state", { state, pendingStates: Array.from(pendingAuths.keys()) })
-          return new Response(HTML_ERROR(errorMsg), {
-            status: 400,
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        const pending = pendingAuths.get(state)!
-
-        clearTimeout(pending.timeout)
-        pendingAuths.delete(state)
-        pending.resolve(code)
-
-        return new Response(HTML_SUCCESS, {
-          headers: { "Content-Type": "text/html" },
-        })
-      },
+    server = createServer(handleRequest)
+    await new Promise<void>((resolve, reject) => {
+      server!.listen(OAUTH_CALLBACK_PORT, () => {
+        log.info("oauth callback server started", { port: OAUTH_CALLBACK_PORT })
+        resolve()
+      })
+      server!.on("error", reject)
    })
-
-    log.info("oauth callback server started", { port: OAUTH_CALLBACK_PORT })
  }

  export function waitForCallback(oauthState: string): Promise<string> {
@@ -174,7 +177,7 @@ export namespace McpOAuthCallback {

  export async function stop(): Promise<void> {
    if (server) {
-      server.stop()
+      await new Promise<void>((resolve) => server!.close(() => resolve()))
      server = undefined
      log.info("oauth callback server stopped")
    }
--- a/packages/opencode/src/node.ts
+++ b/packages/opencode/src/node.ts
@@ -1 +0,0 @@
-export { Server } from "./server/server"
--- a/packages/opencode/src/npm/index.ts
+++ b/packages/opencode/src/npm/index.ts
@@ -0,0 +1,180 @@
+// Workaround: Bun on Windows does not support the UV_FS_O_FILEMAP flag that
+// the `tar` package uses for files < 512KB (fs.open returns EINVAL).
+// tar silently swallows the error and skips writing files, leaving only empty
+// directories. Setting __FAKE_PLATFORM__ makes tar fall back to the plain 'w'
+// flag. See tar's get-write-flag.js.
+// Must be set before @npmcli/arborist is imported since tar caches the flag
+// at module evaluation time — so we use a dynamic import() below.
+if (process.platform === "win32") {
+  process.env.__FAKE_PLATFORM__ = "linux"
+}
+
+import semver from "semver"
+import z from "zod"
+import { NamedError } from "@opencode-ai/util/error"
+import { Global } from "../global"
+import { Lock } from "../util/lock"
+import { Log } from "../util/log"
+import path from "path"
+import { readdir } from "fs/promises"
+import { Filesystem } from "@/util/filesystem"
+
+const { Arborist } = await import("@npmcli/arborist")
+
+export namespace Npm {
+  const log = Log.create({ service: "npm" })
+
+  export const InstallFailedError = NamedError.create(
+    "NpmInstallFailedError",
+    z.object({
+      pkg: z.string(),
+    }),
+  )
+
+  function directory(pkg: string) {
+    return path.join(Global.Path.cache, "packages", pkg)
+  }
+
+  export async function outdated(pkg: string, cachedVersion: string): Promise<boolean> {
+    const response = await fetch(`https://registry.npmjs.org/${pkg}`)
+    if (!response.ok) {
+      log.warn("Failed to resolve latest version, using cached", { pkg, cachedVersion })
+      return false
+    }
+
+    const data = (await response.json()) as { "dist-tags"?: { latest?: string } }
+    const latestVersion = data?.["dist-tags"]?.latest
+    if (!latestVersion) {
+      log.warn("No latest version found, using cached", { pkg, cachedVersion })
+      return false
+    }
+
+    const range = /[\s^~*xX<>|=]/.test(cachedVersion)
+    if (range) return !semver.satisfies(latestVersion, cachedVersion)
+
+    return semver.lt(cachedVersion, latestVersion)
+  }
+
+  export async function add(pkg: string) {
+    using _ = await Lock.write(`npm-install:${pkg}`)
+    log.info("installing package", {
+      pkg,
+    })
+    const dir = directory(pkg)
+
+    const arborist = new Arborist({
+      path: dir,
+      binLinks: true,
+      progress: false,
+      savePrefix: "",
+    })
+    const tree = await arborist.loadVirtual().catch(() => {})
+    if (tree) {
+      const first = tree.edgesOut.values().next().value?.to
+      if (first) {
+        log.info("package already installed", { pkg })
+        return first.path
+      }
+    }
+
+    const result = await arborist
+      .reify({
+        add: [pkg],
+        save: true,
+        saveType: "prod",
+      })
+      .catch((cause) => {
+        throw new InstallFailedError(
+          { pkg },
+          {
+            cause,
+          },
+        )
+      })
+
+    const first = result.edgesOut.values().next().value?.to
+    if (!first) throw new InstallFailedError({ pkg })
+    return first.path
+  }
+
+  export async function install(dir: string) {
+    using _ = await Lock.write(`npm-install:${dir}`)
+    log.info("checking dependencies", { dir })
+
+    const reify = async () => {
+      const arb = new Arborist({
+        path: dir,
+        binLinks: true,
+        progress: false,
+        savePrefix: "",
+      })
+      await arb.reify().catch(() => {})
+    }
+
+    if (!(await Filesystem.exists(path.join(dir, "node_modules")))) {
+      log.info("node_modules missing, reifying")
+      await reify()
+      return
+    }
+
+    const pkg = await Filesystem.readJson(path.join(dir, "package.json")).catch(() => ({}))
+    const lock = await Filesystem.readJson(path.join(dir, "package-lock.json")).catch(() => ({}))
+
+    const declared = new Set([
+      ...Object.keys(pkg.dependencies || {}),
+      ...Object.keys(pkg.devDependencies || {}),
+      ...Object.keys(pkg.peerDependencies || {}),
+      ...Object.keys(pkg.optionalDependencies || {}),
+    ])
+
+    const root = lock.packages?.[""] || {}
+    const locked = new Set([
+      ...Object.keys(root.dependencies || {}),
+      ...Object.keys(root.devDependencies || {}),
+      ...Object.keys(root.peerDependencies || {}),
+      ...Object.keys(root.optionalDependencies || {}),
+    ])
+
+    for (const name of declared) {
+      if (!locked.has(name)) {
+        log.info("dependency not in lock file, reifying", { name })
+        await reify()
+        return
+      }
+    }
+
+    log.info("dependencies in sync")
+  }
+
+  export async function which(pkg: string) {
+    const dir = directory(pkg)
+    const binDir = path.join(dir, "node_modules", ".bin")
+
+    const pick = async () => {
+      const files = await readdir(binDir).catch(() => [])
+      if (files.length === 0) return undefined
+      if (files.length === 1) return files[0]
+      // Multiple binaries — resolve from package.json bin field like npx does
+      const pkgJson = await Filesystem.readJson<{ bin?: string | Record<string, string> }>(
+        path.join(dir, "node_modules", pkg, "package.json"),
+      ).catch(() => undefined)
+      if (pkgJson?.bin) {
+        const bin = pkgJson.bin
+        if (typeof bin === "string") return path.basename(bin)
+        const keys = Object.keys(bin)
+        if (keys.length === 1) return keys[0]
+        const unscoped = pkg.startsWith("@") ? pkg.split("/")[1] : pkg
+        return bin[unscoped] ? unscoped : keys[0]
+      }
+      return files[0]
+    }
+
+    const bin = await pick()
+    if (bin) return path.join(binDir, bin)
+
+    await add(pkg)
+    const resolved = await pick()
+    if (!resolved) throw new Error(`No binary found for package "${pkg}" after install`)
+    return path.join(binDir, resolved)
+  }
+}
--- a/packages/opencode/src/permission/evaluate.ts
+++ b/packages/opencode/src/permission/evaluate.ts
@@ -1,15 +0,0 @@
-import { Wildcard } from "@/util/wildcard"
-
-type Rule = {
-  permission: string
-  pattern: string
-  action: "allow" | "deny" | "ask"
-}
-
-export function evaluate(permission: string, pattern: string, ...rulesets: Rule[][]): Rule {
-  const rules = rulesets.flat()
-  const match = rules.findLast(
-    (rule) => Wildcard.match(permission, rule.permission) && Wildcard.match(pattern, rule.pattern),
-  )
-  return match ?? { action: "ask", permission, pattern: "*" }
-}
--- a/packages/opencode/src/permission/index.ts
+++ b/packages/opencode/src/permission/index.ts
@@ -13,7 +13,6 @@ import { Wildcard } from "@/util/wildcard"
 import { Deferred, Effect, Layer, Schema, ServiceMap } from "effect"
 import os from "os"
 import z from "zod"
-import { evaluate as evalRule } from "./evaluate"
 import { PermissionID } from "./schema"

 export namespace PermissionNext {
@@ -126,8 +125,12 @@ export namespace PermissionNext {
  }

  export function evaluate(permission: string, pattern: string, ...rulesets: Ruleset[]): Rule {
-    log.info("evaluate", { permission, pattern, ruleset: rulesets.flat() })
-    return evalRule(permission, pattern, ...rulesets)
+    const rules = rulesets.flat()
+    log.info("evaluate", { permission, pattern, ruleset: rules })
+    const match = rules.findLast(
+      (rule) => Wildcard.match(permission, rule.permission) && Wildcard.match(pattern, rule.pattern),
+    )
+    return match ?? { action: "ask", permission, pattern: "*" }
  }

  export class Service extends ServiceMap.Service<Service, Interface>()("@opencode/PermissionNext") {}
--- a/packages/opencode/src/plugin/codex.ts
+++ b/packages/opencode/src/plugin/codex.ts
@@ -6,6 +6,7 @@ import os from "os"
 import { ProviderTransform } from "@/provider/transform"
 import { ModelID, ProviderID } from "@/provider/schema"
 import { setTimeout as sleep } from "node:timers/promises"
+import { createServer } from "http"

 const log = Log.create({ service: "plugin.codex" })

@@ -241,7 +242,7 @@ interface PendingOAuth {
  reject: (error: Error) => void
 }

-let oauthServer: ReturnType<typeof Bun.serve> | undefined
+let oauthServer: ReturnType<typeof createServer> | undefined
 let pendingOAuth: PendingOAuth | undefined

 async function startOAuthServer(): Promise<{ port: number; redirectUri: string }> {
@@ -249,77 +250,83 @@ async function startOAuthServer(): Promise<{ port: number; redirectUri: string }
    return { port: OAUTH_PORT, redirectUri: `http://localhost:${OAUTH_PORT}/auth/callback` }
  }

-  oauthServer = Bun.serve({
-    port: OAUTH_PORT,
-    fetch(req) {
-      const url = new URL(req.url)
+  oauthServer = createServer((req, res) => {
+    const url = new URL(req.url || "/", `http://localhost:${OAUTH_PORT}`)

-      if (url.pathname === "/auth/callback") {
-        const code = url.searchParams.get("code")
-        const state = url.searchParams.get("state")
-        const error = url.searchParams.get("error")
-        const errorDescription = url.searchParams.get("error_description")
+    if (url.pathname === "/auth/callback") {
+      const code = url.searchParams.get("code")
+      const state = url.searchParams.get("state")
+      const error = url.searchParams.get("error")
+      const errorDescription = url.searchParams.get("error_description")

-        if (error) {
-          const errorMsg = errorDescription || error
-          pendingOAuth?.reject(new Error(errorMsg))
-          pendingOAuth = undefined
-          return new Response(HTML_ERROR(errorMsg), {
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        if (!code) {
-          const errorMsg = "Missing authorization code"
-          pendingOAuth?.reject(new Error(errorMsg))
-          pendingOAuth = undefined
-          return new Response(HTML_ERROR(errorMsg), {
-            status: 400,
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        if (!pendingOAuth || state !== pendingOAuth.state) {
-          const errorMsg = "Invalid state - potential CSRF attack"
-          pendingOAuth?.reject(new Error(errorMsg))
-          pendingOAuth = undefined
-          return new Response(HTML_ERROR(errorMsg), {
-            status: 400,
-            headers: { "Content-Type": "text/html" },
-          })
-        }
-
-        const current = pendingOAuth
+      if (error) {
+        const errorMsg = errorDescription || error
+        pendingOAuth?.reject(new Error(errorMsg))
        pendingOAuth = undefined
-
-        exchangeCodeForTokens(code, `http://localhost:${OAUTH_PORT}/auth/callback`, current.pkce)
-          .then((tokens) => current.resolve(tokens))
-          .catch((err) => current.reject(err))
-
-        return new Response(HTML_SUCCESS, {
-          headers: { "Content-Type": "text/html" },
-        })
+        res.writeHead(200, { "Content-Type": "text/html" })
+        res.end(HTML_ERROR(errorMsg))
+        return
      }

-      if (url.pathname === "/cancel") {
-        pendingOAuth?.reject(new Error("Login cancelled"))
+      if (!code) {
+        const errorMsg = "Missing authorization code"
+        pendingOAuth?.reject(new Error(errorMsg))
        pendingOAuth = undefined
-        return new Response("Login cancelled", { status: 200 })
+        res.writeHead(400, { "Content-Type": "text/html" })
+        res.end(HTML_ERROR(errorMsg))
+        return
      }

-      return new Response("Not found", { status: 404 })
-    },
+      if (!pendingOAuth || state !== pendingOAuth.state) {
+        const errorMsg = "Invalid state - potential CSRF attack"
+        pendingOAuth?.reject(new Error(errorMsg))
+        pendingOAuth = undefined
+        res.writeHead(400, { "Content-Type": "text/html" })
+        res.end(HTML_ERROR(errorMsg))
+        return
+      }
+
+      const current = pendingOAuth
+      pendingOAuth = undefined
+
+      exchangeCodeForTokens(code, `http://localhost:${OAUTH_PORT}/auth/callback`, current.pkce)
+        .then((tokens) => current.resolve(tokens))
+        .catch((err) => current.reject(err))
+
+      res.writeHead(200, { "Content-Type": "text/html" })
+      res.end(HTML_SUCCESS)
+      return
+    }
+
+    if (url.pathname === "/cancel") {
+      pendingOAuth?.reject(new Error("Login cancelled"))
+      pendingOAuth = undefined
+      res.writeHead(200)
+      res.end("Login cancelled")
+      return
+    }
+
+    res.writeHead(404)
+    res.end("Not found")
+  })
+
+  await new Promise<void>((resolve, reject) => {
+    oauthServer!.listen(OAUTH_PORT, () => {
+      log.info("codex oauth server started", { port: OAUTH_PORT })
+      resolve()
+    })
+    oauthServer!.on("error", reject)
  })

-  log.info("codex oauth server started", { port: OAUTH_PORT })
  return { port: OAUTH_PORT, redirectUri: `http://localhost:${OAUTH_PORT}/auth/callback` }
 }

 function stopOAuthServer() {
  if (oauthServer) {
-    oauthServer.stop()
+    oauthServer.close(() => {
+      log.info("codex oauth server stopped")
+    })
    oauthServer = undefined
-    log.info("codex oauth server stopped")
  }
 }

--- a/packages/opencode/src/provider/provider.ts
+++ b/packages/opencode/src/provider/provider.ts
@@ -184,15 +184,6 @@ export namespace Provider {
        options: {},
      }
    },
-    xai: async () => {
-      return {
-        autoload: false,
-        async getModel(sdk: any, modelID: string, _options?: Record<string, any>) {
-          return sdk.responses(modelID)
-        },
-        options: {},
-      }
-    },
    "github-copilot": async () => {
      return {
        autoload: false,
--- a/packages/opencode/src/tool/truncate-effect.ts
+++ b/packages/opencode/src/tool/truncate-effect.ts
@@ -3,7 +3,7 @@ import { Cause, Duration, Effect, Layer, Schedule, ServiceMap } from "effect"
 import path from "path"
 import type { Agent } from "../agent/agent"
 import { AppFileSystem } from "@/filesystem"
-import { evaluate } from "@/permission/evaluate"
+import { PermissionNext } from "../permission"
 import { Identifier } from "../id/id"
 import { Log } from "../util/log"
 import { ToolID } from "./schema"
@@ -28,7 +28,7 @@ export namespace TruncateEffect {

  function hasTaskTool(agent?: Agent.Info) {
    if (!agent?.permission) return false
-    return evaluate("task", "*", agent.permission).action !== "deny"
+    return PermissionNext.evaluate("task", "*", agent.permission).action !== "deny"
  }

  export interface Interface {
--- a/packages/opencode/test/tool/truncation.test.ts
+++ b/packages/opencode/test/tool/truncation.test.ts
@@ -4,14 +4,12 @@ import { Effect, FileSystem, Layer } from "effect"
 import { Truncate } from "../../src/tool/truncate"
 import { TruncateEffect } from "../../src/tool/truncate-effect"
 import { Identifier } from "../../src/id/id"
-import { Process } from "../../src/util/process"
 import { Filesystem } from "../../src/util/filesystem"
 import path from "path"
 import { testEffect } from "../lib/effect"
 import { writeFileStringScoped } from "../lib/filesystem"

 const FIXTURES_DIR = path.join(import.meta.dir, "fixtures")
-const ROOT = path.resolve(import.meta.dir, "..", "..")

 describe("Truncate", () => {
  describe("output", () => {
@@ -127,14 +125,6 @@ describe("Truncate", () => {
      if (result.truncated) throw new Error("expected not truncated")
      expect("outputPath" in result).toBe(false)
    })
-
-    test("loads truncate effect in a fresh process", async () => {
-      const out = await Process.run([process.execPath, "run", path.join(ROOT, "src", "tool", "truncate-effect.ts")], {
-        cwd: ROOT,
-      })
-
-      expect(out.code).toBe(0)
-    }, 20000)
  })

  describe("cleanup", () => {
--- a/patches/@ai-sdk%2Fxai@2.0.51.patch
+++ b/patches/@ai-sdk%2Fxai@2.0.51.patch
@@ -1,108 +0,0 @@
-diff --git a/dist/index.mjs b/dist/index.mjs
--- a/dist/index.mjs
-+++ b/dist/index.mjs
-@@ -959,7 +959,7 @@
-   model: z4.string().nullish(),
-   object: z4.literal("response"),
-   output: z4.array(outputItemSchema),
-  usage: xaiResponsesUsageSchema,
-+  usage: xaiResponsesUsageSchema.nullish(),
-   status: z4.string()
- });
- var xaiResponsesChunkSchema = z4.union([
-\ No newline at end of file
-@@ -1143,6 +1143,18 @@
-   z4.object({
-     type: z4.literal("response.completed"),
-     response: xaiResponsesResponseSchema
-+  }),
-+  z4.object({
-+    type: z4.literal("response.function_call_arguments.delta"),
-+    item_id: z4.string(),
-+    output_index: z4.number(),
-+    delta: z4.string()
-+  }),
-+  z4.object({
-+    type: z4.literal("response.function_call_arguments.done"),
-+    item_id: z4.string(),
-+    output_index: z4.number(),
-+    arguments: z4.string()
-   })
- ]);
- 
-\ No newline at end of file
-@@ -1940,6 +1952,9 @@
-               if (response2.status) {
-                 finishReason = mapXaiResponsesFinishReason(response2.status);
-               }
-+              if (seenToolCalls.size > 0 && finishReason !== "tool-calls") {
-+                finishReason = "tool-calls";
-+              }
-               return;
-             }
-             if (event.type === "response.output_item.added" || event.type === "response.output_item.done") {
-\ No newline at end of file
-@@ -2024,7 +2039,7 @@
-                   }
-                 }
-               } else if (part.type === "function_call") {
-                if (!seenToolCalls.has(part.call_id)) {
-+                if (event.type === "response.output_item.done" && !seenToolCalls.has(part.call_id)) {
-                   seenToolCalls.add(part.call_id);
-                   controller.enqueue({
-                     type: "tool-input-start",
-\ No newline at end of file
-diff --git a/dist/index.js b/dist/index.js
--- a/dist/index.js
-+++ b/dist/index.js
-@@ -964,7 +964,7 @@
-   model: import_v44.z.string().nullish(),
-   object: import_v44.z.literal("response"),
-   output: import_v44.z.array(outputItemSchema),
-  usage: xaiResponsesUsageSchema,
-+  usage: xaiResponsesUsageSchema.nullish(),
-   status: import_v44.z.string()
- });
- var xaiResponsesChunkSchema = import_v44.z.union([
-\ No newline at end of file
-@@ -1148,6 +1148,18 @@
-   import_v44.z.object({
-     type: import_v44.z.literal("response.completed"),
-     response: xaiResponsesResponseSchema
-+  }),
-+  import_v44.z.object({
-+    type: import_v44.z.literal("response.function_call_arguments.delta"),
-+    item_id: import_v44.z.string(),
-+    output_index: import_v44.z.number(),
-+    delta: import_v44.z.string()
-+  }),
-+  import_v44.z.object({
-+    type: import_v44.z.literal("response.function_call_arguments.done"),
-+    item_id: import_v44.z.string(),
-+    output_index: import_v44.z.number(),
-+    arguments: import_v44.z.string()
-   })
- ]);
- 
-\ No newline at end of file
-@@ -1935,6 +1947,9 @@
-               if (response2.status) {
-                 finishReason = mapXaiResponsesFinishReason(response2.status);
-               }
-+              if (seenToolCalls.size > 0 && finishReason !== "tool-calls") {
-+                finishReason = "tool-calls";
-+              }
-               return;
-             }
-             if (event.type === "response.output_item.added" || event.type === "response.output_item.done") {
-\ No newline at end of file
-@@ -2019,7 +2034,7 @@
-                   }
-                 }
-               } else if (part.type === "function_call") {
-                if (!seenToolCalls.has(part.call_id)) {
-+                if (event.type === "response.output_item.done" && !seenToolCalls.has(part.call_id)) {
-                   seenToolCalls.add(part.call_id);
-                   controller.enqueue({
-                     type: "tool-input-start",
-\ No newline at end of file