core: maintain backward compatibility with existing account data by restoring legacy ControlAccountTable alongside new AccountTable structure

Switch from boolean active flag to workspace_id tracking so users can select which workspace context to operate in. Login now automatically selects the first available workspace and stores it on the account record.

Logout command now actually removes account records and supports targeting specific accounts by email. Switch command provides an interactive picker to change active workspace. Workspaces command lists all available workspaces across accounts.

Configuration now loads workspace-specific settings from the server when an active workspace is selected, enabling per-workspace customization of opencode behavior.

AGENTS.md

@@ -111,3 +111,7 @@ const table = sqliteTable("session", {
 - Avoid mocks as much as possible
 - Test actual implementation, do not duplicate logic into tests
 - Tests cannot run from repo root (guard: `do-not-run-tests-from-root`); run from package dirs like `packages/opencode`.
+
+## Type Checking
+
+- Always run `bun typecheck` from package directories (e.g., `packages/opencode`), never `tsc` directly.

packages/opencode/migration/20260228203230_blue_harpoon/migration.sql

@@ -0,0 +1,11 @@
+CREATE TABLE `account` (
+	`id` text PRIMARY KEY,
+	`email` text NOT NULL,
+	`url` text NOT NULL,
+	`access_token` text NOT NULL,
+	`refresh_token` text NOT NULL,
+	`token_expiry` integer,
+	`workspace_id` text,
+	`time_created` integer NOT NULL,
+	`time_updated` integer NOT NULL
+);

packages/opencode/src/account/account.sql.ts

@@ -1,7 +1,18 @@
-import { sqliteTable, text, integer, primaryKey, uniqueIndex } from "drizzle-orm/sqlite-core"
-import { eq } from "drizzle-orm"
+import { sqliteTable, text, integer, primaryKey } from "drizzle-orm/sqlite-core"
 import { Timestamps } from "@/storage/schema.sql"
 
+export const AccountTable = sqliteTable("account", {
+  id: text().primaryKey(),
+  email: text().notNull(),
+  url: text().notNull(),
+  access_token: text().notNull(),
+  refresh_token: text().notNull(),
+  token_expiry: integer(),
+  workspace_id: text(),
+  ...Timestamps,
+})
+
+// LEGACY
 export const ControlAccountTable = sqliteTable(
   "control_account",
   {

packages/opencode/src/account/index.ts

@@ -0,0 +1,247 @@
+import { eq, sql, isNotNull } from "drizzle-orm"
+import { Database } from "@/storage/db"
+import { AccountTable } from "./account.sql"
+import z from "zod"
+
+export namespace Account {
+  export const Account = z.object({
+    id: z.string(),
+    email: z.string(),
+    url: z.string(),
+    workspace_id: z.string().nullable(),
+  })
+  export type Account = z.infer<typeof Account>
+
+  function fromRow(row: (typeof AccountTable)["$inferSelect"]): Account {
+    return {
+      id: row.id,
+      email: row.email,
+      url: row.url,
+      workspace_id: row.workspace_id,
+    }
+  }
+
+  export function active(): Account | undefined {
+    const row = Database.use((db) => db.select().from(AccountTable).where(isNotNull(AccountTable.workspace_id)).get())
+    return row ? fromRow(row) : undefined
+  }
+
+  export function list(): Account[] {
+    return Database.use((db) => db.select().from(AccountTable).all().map(fromRow))
+  }
+
+  export function remove(accountID: string) {
+    Database.use((db) => db.delete(AccountTable).where(eq(AccountTable.id, accountID)).run())
+  }
+
+  export function use(accountID: string, workspaceID: string | null) {
+    Database.use((db) =>
+      db.update(AccountTable).set({ workspace_id: workspaceID }).where(eq(AccountTable.id, accountID)).run(),
+    )
+  }
+
+  export async function workspaces(accountID: string): Promise<{ id: string; name: string }[]> {
+    const row = Database.use((db) => db.select().from(AccountTable).where(eq(AccountTable.id, accountID)).get())
+    if (!row) return []
+
+    const access = await token(accountID)
+    if (!access) return []
+
+    const res = await fetch(`${row.url}/api/orgs`, {
+      headers: { authorization: `Bearer ${access}` },
+    })
+
+    if (!res.ok) return []
+
+    const json = (await res.json()) as Array<{ id?: string; name?: string }>
+    return json.map((x) => ({ id: x.id ?? "", name: x.name ?? "" }))
+  }
+
+  export async function config(accountID: string, workspaceID: string): Promise<Record<string, unknown> | undefined> {
+    const row = Database.use((db) => db.select().from(AccountTable).where(eq(AccountTable.id, accountID)).get())
+    if (!row) return undefined
+
+    const access = await token(accountID)
+    if (!access) return undefined
+
+    const res = await fetch(`${row.url}/api/config`, {
+      headers: { authorization: `Bearer ${access}`, "x-org-id": workspaceID },
+    })
+
+    if (!res.ok) return undefined
+    const result = (await res.json()) as Record<string, any>
+    return result.config
+  }
+
+  export async function token(accountID: string): Promise<string | undefined> {
+    const row = Database.use((db) => db.select().from(AccountTable).where(eq(AccountTable.id, accountID)).get())
+    if (!row) return undefined
+    if (row.token_expiry && row.token_expiry > Date.now()) return row.access_token
+
+    const res = await fetch(`${row.url}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: row.refresh_token,
+      }).toString(),
+    })
+
+    if (!res.ok) return
+
+    const json = (await res.json()) as {
+      access_token: string
+      refresh_token?: string
+      expires_in?: number
+    }
+
+    Database.use((db) =>
+      db
+        .update(AccountTable)
+        .set({
+          access_token: json.access_token,
+          refresh_token: json.refresh_token ?? row.refresh_token,
+          token_expiry: json.expires_in ? Date.now() + json.expires_in * 1000 : undefined,
+        })
+        .where(eq(AccountTable.id, row.id))
+        .run(),
+    )
+
+    return json.access_token
+  }
+
+  export type Login = {
+    code: string
+    user: string
+    url: string
+    server: string
+    expiry: number
+    interval: number
+  }
+
+  export async function login(url?: string): Promise<Login> {
+    const server = url ?? "https://web-14275-d60e67f5-pyqs0590.onporter.run"
+    const res = await fetch(`${server}/auth/device/code`, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ client_id: "opencode-cli" }),
+    })
+
+    if (!res.ok) throw new Error(`Failed to initiate device flow: ${await res.text()}`)
+
+    const json = (await res.json()) as {
+      device_code: string
+      user_code: string
+      verification_uri_complete: string
+      expires_in: number
+      interval: number
+    }
+
+    const full = `${server}${json.verification_uri_complete}`
+
+    return {
+      code: json.device_code,
+      user: json.user_code,
+      url: full,
+      server,
+      expiry: json.expires_in,
+      interval: json.interval,
+    }
+  }
+
+  export async function poll(
+    input: Login,
+  ): Promise<
+    | { type: "success"; email: string }
+    | { type: "pending" }
+    | { type: "slow" }
+    | { type: "expired" }
+    | { type: "denied" }
+    | { type: "error"; msg: string }
+  > {
+    const res = await fetch(`${input.server}/auth/device/token`, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        device_code: input.code,
+        client_id: "opencode-cli",
+      }),
+    })
+
+    const json = (await res.json()) as {
+      access_token?: string
+      refresh_token?: string
+      expires_in?: number
+      error?: string
+      error_description?: string
+    }
+
+    if (json.access_token) {
+      const me = await fetch(`${input.server}/api/user`, {
+        headers: { authorization: `Bearer ${json.access_token}` },
+      })
+      const user = (await me.json()) as { id?: string; email?: string }
+      if (!user.id || !user.email) {
+        return { type: "error", msg: "No id or email in response" }
+      }
+      const id = user.id
+      const email = user.email
+
+      const access = json.access_token
+      const expiry = Date.now() + json.expires_in! * 1000
+      const refresh = json.refresh_token ?? ""
+
+      // Fetch workspaces and get first one
+      const orgsRes = await fetch(`${input.server}/api/orgs`, {
+        headers: { authorization: `Bearer ${access}` },
+      })
+      const orgs = (await orgsRes.json()) as Array<{ id?: string; name?: string }>
+      const firstWorkspaceId = orgs.length > 0 ? orgs[0].id : null
+
+      Database.use((db) => {
+        db.update(AccountTable).set({ workspace_id: null }).run()
+        db.insert(AccountTable)
+          .values({
+            id,
+            email,
+            url: input.server,
+            access_token: access,
+            refresh_token: refresh,
+            token_expiry: expiry,
+            workspace_id: firstWorkspaceId,
+          })
+          .onConflictDoUpdate({
+            target: AccountTable.id,
+            set: {
+              access_token: access,
+              refresh_token: refresh,
+              token_expiry: expiry,
+              workspace_id: firstWorkspaceId,
+            },
+          })
+          .run()
+      })
+
+      return { type: "success", email }
+    }
+
+    if (json.error === "authorization_pending") {
+      return { type: "pending" }
+    }
+
+    if (json.error === "slow_down") {
+      return { type: "slow" }
+    }
+
+    if (json.error === "expired_token") {
+      return { type: "expired" }
+    }
+
+    if (json.error === "access_denied") {
+      return { type: "denied" }
+    }
+
+    return { type: "error", msg: json.error || JSON.stringify(json) }
+  }
+}

packages/opencode/src/cli/cmd/account.ts

@@ -0,0 +1,161 @@
+import { cmd } from "./cmd"
+import * as prompts from "@clack/prompts"
+import { UI } from "../ui"
+import { Account } from "@/account"
+
+export const LoginCommand = cmd({
+  command: "login [url]",
+  describe: "log in to an opencode account",
+  builder: (yargs) =>
+    yargs.positional("url", {
+      describe: "server URL",
+      type: "string",
+    }),
+  async handler(args) {
+    UI.empty()
+    prompts.intro("Log in")
+
+    const url = args.url as string | undefined
+    const login = await Account.login(url)
+
+    prompts.log.info("Go to: " + login.url)
+    prompts.log.info("Enter code: " + login.user)
+
+    try {
+      const open =
+        process.platform === "darwin"
+          ? ["open", login.url]
+          : process.platform === "win32"
+            ? ["cmd", "/c", "start", login.url]
+            : ["xdg-open", login.url]
+      Bun.spawn(open, { stdout: "ignore", stderr: "ignore" })
+    } catch {}
+
+    const spinner = prompts.spinner()
+    spinner.start("Waiting for authorization...")
+
+    let wait = login.interval * 1000
+    while (true) {
+      await Bun.sleep(wait)
+
+      const result = await Account.poll(login)
+
+      if (result.type === "success") {
+        spinner.stop("Logged in as " + result.email)
+        prompts.outro("Done")
+        return
+      }
+
+      if (result.type === "pending") continue
+
+      if (result.type === "slow") {
+        wait += 5000
+        continue
+      }
+
+      if (result.type === "expired") {
+        spinner.stop("Device code expired", 1)
+        return
+      }
+
+      if (result.type === "denied") {
+        spinner.stop("Authorization denied", 1)
+        return
+      }
+
+      spinner.stop("Error: " + result.msg, 1)
+      return
+    }
+  },
+})
+
+export const LogoutCommand = cmd({
+  command: "logout [email]",
+  describe: "log out from an account",
+  builder: (yargs) =>
+    yargs.positional("email", {
+      describe: "account email to log out from",
+      type: "string",
+    }),
+  async handler(args) {
+    const email = args.email as string | undefined
+
+    if (email) {
+      const accounts = Account.list()
+      const match = accounts.find((a) => a.email === email)
+      if (!match) {
+        UI.println("Account not found: " + email)
+        return
+      }
+      Account.remove(match.id)
+      UI.println("Logged out from " + email)
+      return
+    }
+
+    const active = Account.active()
+    if (!active) {
+      UI.println("Not logged in")
+      return
+    }
+    Account.remove(active.id)
+    UI.println("Logged out from " + active.email)
+  },
+})
+
+export const SwitchCommand = cmd({
+  command: "switch",
+  describe: "switch active workspace",
+  async handler() {
+    UI.empty()
+
+    const active = Account.active()
+    if (!active) {
+      UI.println("Not logged in")
+      return
+    }
+
+    const workspaces = await Account.workspaces(active.id)
+    if (workspaces.length === 0) {
+      UI.println("No workspaces found")
+      return
+    }
+
+    prompts.intro("Switch workspace")
+
+    const opts = workspaces.map((w) => ({
+      value: w.id,
+      label: w.id === active.workspace_id ? w.name + UI.Style.TEXT_DIM + " (active)" : w.name,
+    }))
+
+    const selected = await prompts.select({
+      message: "Select workspace",
+      options: opts,
+    })
+
+    if (prompts.isCancel(selected)) return
+
+    Account.use(active.id, selected as string)
+    prompts.outro("Switched to " + workspaces.find((w) => w.id === selected)?.name)
+  },
+})
+
+export const WorkspacesCommand = cmd({
+  command: "workspaces",
+  aliases: ["workspace"],
+  describe: "list all workspaces",
+  async handler() {
+    const accounts = Account.list()
+
+    if (accounts.length === 0) {
+      UI.println("No accounts found")
+      return
+    }
+
+    for (const account of accounts) {
+      const workspaces = await Account.workspaces(account.id)
+      for (const space of workspaces) {
+        UI.println([space.name, account.email, space.id].join("\t"))
+      }
+    }
+  },
+})

packages/opencode/src/cli/cmd/providers.ts

@@ -0,0 +1,438 @@
+import { Auth } from "../../auth"
+import { cmd } from "./cmd"
+import * as prompts from "@clack/prompts"
+import { UI } from "../ui"
+import { ModelsDev } from "../../provider/models"
+import { map, pipe, sortBy, values } from "remeda"
+import path from "path"
+import os from "os"
+import { Config } from "../../config/config"
+import { Global } from "../../global"
+import { Plugin } from "../../plugin"
+import { Instance } from "../../project/instance"
+import type { Hooks } from "@opencode-ai/plugin"
+import { Process } from "../../util/process"
+import { text } from "node:stream/consumers"
+
+type PluginAuth = NonNullable<Hooks["auth"]>
+
+async function handlePluginAuth(plugin: { auth: PluginAuth }, provider: string): Promise<boolean> {
+  let index = 0
+  if (plugin.auth.methods.length > 1) {
+    const method = await prompts.select({
+      message: "Login method",
+      options: [
+        ...plugin.auth.methods.map((x, index) => ({
+          label: x.label,
+          value: index.toString(),
+        })),
+      ],
+    })
+    if (prompts.isCancel(method)) throw new UI.CancelledError()
+    index = parseInt(method)
+  }
+  const method = plugin.auth.methods[index]
+
+  await Bun.sleep(10)
+  const inputs: Record<string, string> = {}
+  if (method.prompts) {
+    for (const prompt of method.prompts) {
+      if (prompt.condition && !prompt.condition(inputs)) {
+        continue
+      }
+      if (prompt.type === "select") {
+        const value = await prompts.select({
+          message: prompt.message,
+          options: prompt.options,
+        })
+        if (prompts.isCancel(value)) throw new UI.CancelledError()
+        inputs[prompt.key] = value
+      } else {
+        const value = await prompts.text({
+          message: prompt.message,
+          placeholder: prompt.placeholder,
+          validate: prompt.validate ? (v) => prompt.validate!(v ?? "") : undefined,
+        })
+        if (prompts.isCancel(value)) throw new UI.CancelledError()
+        inputs[prompt.key] = value
+      }
+    }
+  }
+
+  if (method.type === "oauth") {
+    const authorize = await method.authorize(inputs)
+
+    if (authorize.url) {
+      prompts.log.info("Go to: " + authorize.url)
+    }
+
+    if (authorize.method === "auto") {
+      if (authorize.instructions) {
+        prompts.log.info(authorize.instructions)
+      }
+      const spinner = prompts.spinner()
+      spinner.start("Waiting for authorization...")
+      const result = await authorize.callback()
+      if (result.type === "failed") {
+        spinner.stop("Failed to authorize", 1)
+      }
+      if (result.type === "success") {
+        const saveProvider = result.provider ?? provider
+        if ("refresh" in result) {
+          const { type: _, provider: __, refresh, access, expires, ...extraFields } = result
+          await Auth.set(saveProvider, {
+            type: "oauth",
+            refresh,
+            access,
+            expires,
+            ...extraFields,
+          })
+        }
+        if ("key" in result) {
+          await Auth.set(saveProvider, {
+            type: "api",
+            key: result.key,
+          })
+        }
+        spinner.stop("Login successful")
+      }
+    }
+
+    if (authorize.method === "code") {
+      const code = await prompts.text({
+        message: "Paste the authorization code here: ",
+        validate: (x) => (x && x.length > 0 ? undefined : "Required"),
+      })
+      if (prompts.isCancel(code)) throw new UI.CancelledError()
+      const result = await authorize.callback(code)
+      if (result.type === "failed") {
+        prompts.log.error("Failed to authorize")
+      }
+      if (result.type === "success") {
+        const saveProvider = result.provider ?? provider
+        if ("refresh" in result) {
+          const { type: _, provider: __, refresh, access, expires, ...extraFields } = result
+          await Auth.set(saveProvider, {
+            type: "oauth",
+            refresh,
+            access,
+            expires,
+            ...extraFields,
+          })
+        }
+        if ("key" in result) {
+          await Auth.set(saveProvider, {
+            type: "api",
+            key: result.key,
+          })
+        }
+        prompts.log.success("Login successful")
+      }
+    }
+
+    prompts.outro("Done")
+    return true
+  }
+
+  if (method.type === "api") {
+    if (method.authorize) {
+      const result = await method.authorize(inputs)
+      if (result.type === "failed") {
+        prompts.log.error("Failed to authorize")
+      }
+      if (result.type === "success") {
+        const saveProvider = result.provider ?? provider
+        await Auth.set(saveProvider, {
+          type: "api",
+          key: result.key,
+        })
+        prompts.log.success("Login successful")
+      }
+      prompts.outro("Done")
+      return true
+    }
+  }
+
+  return false
+}
+
+export function resolvePluginProviders(input: {
+  hooks: Hooks[]
+  existingProviders: Record<string, unknown>
+  disabled: Set<string>
+  enabled?: Set<string>
+  providerNames: Record<string, string | undefined>
+}): Array<{ id: string; name: string }> {
+  const seen = new Set<string>()
+  const result: Array<{ id: string; name: string }> = []
+
+  for (const hook of input.hooks) {
+    if (!hook.auth) continue
+    const id = hook.auth.provider
+    if (seen.has(id)) continue
+    seen.add(id)
+    if (Object.hasOwn(input.existingProviders, id)) continue
+    if (input.disabled.has(id)) continue
+    if (input.enabled && !input.enabled.has(id)) continue
+    result.push({
+      id,
+      name: input.providerNames[id] ?? id,
+    })
+  }
+
+  return result
+}
+
+export const ProvidersCommand = cmd({
+  command: "providers",
+  aliases: ["auth"],
+  describe: "manage AI providers and credentials",
+  builder: (yargs) =>
+    yargs.command(ProvidersListCommand).command(ProvidersLoginCommand).command(ProvidersLogoutCommand).demandCommand(),
+  async handler() {},
+})
+
+export const ProvidersListCommand = cmd({
+  command: "list",
+  aliases: ["ls"],
+  describe: "list providers and credentials",
+  async handler(_args) {
+    UI.empty()
+    const authPath = path.join(Global.Path.data, "auth.json")
+    const homedir = os.homedir()
+    const displayPath = authPath.startsWith(homedir) ? authPath.replace(homedir, "~") : authPath
+    prompts.intro(`Credentials ${UI.Style.TEXT_DIM}${displayPath}`)
+    const results = Object.entries(await Auth.all())
+    const database = await ModelsDev.get()
+
+    for (const [providerID, result] of results) {
+      const name = database[providerID]?.name || providerID
+      prompts.log.info(`${name} ${UI.Style.TEXT_DIM}${result.type}`)
+    }
+
+    prompts.outro(`${results.length} credentials`)
+
+    const activeEnvVars: Array<{ provider: string; envVar: string }> = []
+
+    for (const [providerID, provider] of Object.entries(database)) {
+      for (const envVar of provider.env) {
+        if (process.env[envVar]) {
+          activeEnvVars.push({
+            provider: provider.name || providerID,
+            envVar,
+          })
+        }
+      }
+    }
+
+    if (activeEnvVars.length > 0) {
+      UI.empty()
+      prompts.intro("Environment")
+
+      for (const { provider, envVar } of activeEnvVars) {
+        prompts.log.info(`${provider} ${UI.Style.TEXT_DIM}${envVar}`)
+      }
+
+      prompts.outro(`${activeEnvVars.length} environment variable` + (activeEnvVars.length === 1 ? "" : "s"))
+    }
+  },
+})
+
+export const ProvidersLoginCommand = cmd({
+  command: "login [url]",
+  describe: "log in to a provider",
+  builder: (yargs) =>
+    yargs.positional("url", {
+      describe: "opencode auth provider",
+      type: "string",
+    }),
+  async handler(args) {
+    await Instance.provide({
+      directory: process.cwd(),
+      async fn() {
+        UI.empty()
+        prompts.intro("Add credential")
+        if (args.url) {
+          const wellknown = await fetch(`${args.url}/.well-known/opencode`).then((x) => x.json() as any)
+          prompts.log.info(`Running \`${wellknown.auth.command.join(" ")}\``)
+          const proc = Process.spawn(wellknown.auth.command, {
+            stdout: "pipe",
+          })
+          if (!proc.stdout) {
+            prompts.log.error("Failed")
+            prompts.outro("Done")
+            return
+          }
+          const [exit, token] = await Promise.all([proc.exited, text(proc.stdout)])
+          if (exit !== 0) {
+            prompts.log.error("Failed")
+            prompts.outro("Done")
+            return
+          }
+          await Auth.set(args.url, {
+            type: "wellknown",
+            key: wellknown.auth.env,
+            token: token.trim(),
+          })
+          prompts.log.success("Logged into " + args.url)
+          prompts.outro("Done")
+          return
+        }
+        await ModelsDev.refresh().catch(() => {})
+
+        const config = await Config.get()
+
+        const disabled = new Set(config.disabled_providers ?? [])
+        const enabled = config.enabled_providers ? new Set(config.enabled_providers) : undefined
+
+        const providers = await ModelsDev.get().then((x) => {
+          const filtered: Record<string, (typeof x)[string]> = {}
+          for (const [key, value] of Object.entries(x)) {
+            if ((enabled ? enabled.has(key) : true) && !disabled.has(key)) {
+              filtered[key] = value
+            }
+          }
+          return filtered
+        })
+
+        const priority: Record<string, number> = {
+          opencode: 0,
+          anthropic: 1,
+          "github-copilot": 2,
+          openai: 3,
+          google: 4,
+          openrouter: 5,
+          vercel: 6,
+        }
+        const pluginProviders = resolvePluginProviders({
+          hooks: await Plugin.list(),
+          existingProviders: providers,
+          disabled,
+          enabled,
+          providerNames: Object.fromEntries(Object.entries(config.provider ?? {}).map(([id, p]) => [id, p.name])),
+        })
+        let provider = await prompts.autocomplete({
+          message: "Select provider",
+          maxItems: 8,
+          options: [
+            ...pipe(
+              providers,
+              values(),
+              sortBy(
+                (x) => priority[x.id] ?? 99,
+                (x) => x.name ?? x.id,
+              ),
+              map((x) => ({
+                label: x.name,
+                value: x.id,
+                hint: {
+                  opencode: "recommended",
+                  anthropic: "Claude Max or API key",
+                  openai: "ChatGPT Plus/Pro or API key",
+                }[x.id],
+              })),
+            ),
+            ...pluginProviders.map((x) => ({
+              label: x.name,
+              value: x.id,
+              hint: "plugin",
+            })),
+            {
+              value: "other",
+              label: "Other",
+            },
+          ],
+        })
+
+        if (prompts.isCancel(provider)) throw new UI.CancelledError()
+
+        const plugin = await Plugin.list().then((x) => x.findLast((x) => x.auth?.provider === provider))
+        if (plugin && plugin.auth) {
+          const handled = await handlePluginAuth({ auth: plugin.auth }, provider)
+          if (handled) return
+        }
+
+        if (provider === "other") {
+          provider = await prompts.text({
+            message: "Enter provider id",
+            validate: (x) => (x && x.match(/^[0-9a-z-]+$/) ? undefined : "a-z, 0-9 and hyphens only"),
+          })
+          if (prompts.isCancel(provider)) throw new UI.CancelledError()
+          provider = provider.replace(/^@ai-sdk\//, "")
+          if (prompts.isCancel(provider)) throw new UI.CancelledError()
+
+          const customPlugin = await Plugin.list().then((x) => x.findLast((x) => x.auth?.provider === provider))
+          if (customPlugin && customPlugin.auth) {
+            const handled = await handlePluginAuth({ auth: customPlugin.auth }, provider)
+            if (handled) return
+          }
+
+          prompts.log.warn(
+            `This only stores a credential for ${provider} - you will need configure it in opencode.json, check the docs for examples.`,
+          )
+        }
+
+        if (provider === "amazon-bedrock") {
+          prompts.log.info(
+            "Amazon Bedrock authentication priority:\n" +
+              "  1. Bearer token (AWS_BEARER_TOKEN_BEDROCK or /connect)\n" +
+              "  2. AWS credential chain (profile, access keys, IAM roles, EKS IRSA)\n\n" +
+              "Configure via opencode.json options (profile, region, endpoint) or\n" +
+              "AWS environment variables (AWS_PROFILE, AWS_REGION, AWS_ACCESS_KEY_ID, AWS_WEB_IDENTITY_TOKEN_FILE).",
+          )
+        }
+
+        if (provider === "opencode") {
+          prompts.log.info("Create an api key at https://opencode.ai/auth")
+        }
+
+        if (provider === "vercel") {
+          prompts.log.info("You can create an api key at https://vercel.link/ai-gateway-token")
+        }
+
+        if (["cloudflare", "cloudflare-ai-gateway"].includes(provider)) {
+          prompts.log.info(
+            "Cloudflare AI Gateway can be configured with CLOUDFLARE_GATEWAY_ID, CLOUDFLARE_ACCOUNT_ID, and CLOUDFLARE_API_TOKEN environment variables. Read more: https://opencode.ai/docs/providers/#cloudflare-ai-gateway",
+          )
+        }
+
+        const key = await prompts.password({
+          message: "Enter your API key",
+          validate: (x) => (x && x.length > 0 ? undefined : "Required"),
+        })
+        if (prompts.isCancel(key)) throw new UI.CancelledError()
+        await Auth.set(provider, {
+          type: "api",
+          key,
+        })
+
+        prompts.outro("Done")
+      },
+    })
+  },
+})
+
+export const ProvidersLogoutCommand = cmd({
+  command: "logout",
+  describe: "log out from a configured provider",
+  async handler(_args) {
+    UI.empty()
+    const credentials = await Auth.all().then((x) => Object.entries(x))
+    prompts.intro("Remove credential")
+    if (credentials.length === 0) {
+      prompts.log.error("No credentials found")
+      return
+    }
+    const database = await ModelsDev.get()
+    const providerID = await prompts.select({
+      message: "Select provider",
+      options: credentials.map(([key, value]) => ({
+        label: (database[key]?.name || key) + UI.Style.TEXT_DIM + " (" + value.type + ")",
+        value: key,
+      })),
+    })
+    if (prompts.isCancel(providerID)) throw new UI.CancelledError()
+    await Auth.remove(providerID)
+    prompts.outro("Logout successful")
+  },
+})

packages/opencode/src/config/config.ts

@@ -32,7 +32,7 @@ import { Glob } from "../util/glob"
 import { PackageRegistry } from "@/bun/registry"
 import { proxied } from "@/util/proxied"
 import { iife } from "@/util/iife"
-import { Control } from "@/control"
+import { Account } from "@/account"
 import { ConfigPaths } from "./paths"
 import { Filesystem } from "@/util/filesystem"
 
@@ -107,10 +107,6 @@ export namespace Config {
       }
     }
 
-    const token = await Control.token()
-    if (token) {
-    }
-
     // Global user config overrides remote config.
     result = mergeConfigConcatArrays(result, await global())
 
@@ -177,6 +173,15 @@ export namespace Config {
       log.debug("loaded custom config from OPENCODE_CONFIG_CONTENT")
     }
 
+    const active = Account.active()
+    if (active?.workspace_id) {
+      const config = await Account.config(active.id, active.workspace_id)
+      result = mergeConfigConcatArrays(result, config ?? {})
+      const token = await Account.token(active.id)
+      // TODO: this is bad
+      process.env["OPENCODE_CONTROL_TOKEN"] = token
+    }
+
     // Load managed config files last (highest priority) - enterprise admin-controlled
     // Kept separate from directories array to avoid write operations when installing plugins
     // which would fail on system directories requiring elevated permissions

packages/opencode/src/control/index.ts

@@ -1,67 +0,0 @@
-import { eq, and } from "drizzle-orm"
-import { Database } from "@/storage/db"
-import { ControlAccountTable } from "./control.sql"
-import z from "zod"
-
-export * from "./control.sql"
-
-export namespace Control {
-  export const Account = z.object({
-    email: z.string(),
-    url: z.string(),
-  })
-  export type Account = z.infer<typeof Account>
-
-  function fromRow(row: (typeof ControlAccountTable)["$inferSelect"]): Account {
-    return {
-      email: row.email,
-      url: row.url,
-    }
-  }
-
-  export function account(): Account | undefined {
-    const row = Database.use((db) =>
-      db.select().from(ControlAccountTable).where(eq(ControlAccountTable.active, true)).get(),
-    )
-    return row ? fromRow(row) : undefined
-  }
-
-  export async function token(): Promise<string | undefined> {
-    const row = Database.use((db) =>
-      db.select().from(ControlAccountTable).where(eq(ControlAccountTable.active, true)).get(),
-    )
-    if (!row) return undefined
-    if (row.token_expiry && row.token_expiry > Date.now()) return row.access_token
-
-    const res = await fetch(`${row.url}/oauth/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "refresh_token",
-        refresh_token: row.refresh_token,
-      }).toString(),
-    })
-
-    if (!res.ok) return
-
-    const json = (await res.json()) as {
-      access_token: string
-      refresh_token?: string
-      expires_in?: number
-    }
-
-    Database.use((db) =>
-      db
-        .update(ControlAccountTable)
-        .set({
-          access_token: json.access_token,
-          refresh_token: json.refresh_token ?? row.refresh_token,
-          token_expiry: json.expires_in ? Date.now() + json.expires_in * 1000 : undefined,
-        })
-        .where(and(eq(ControlAccountTable.email, row.email), eq(ControlAccountTable.url, row.url)))
-        .run(),
-    )
-
-    return json.access_token
-  }
-}

packages/opencode/src/index.ts

@@ -3,7 +3,8 @@ import { hideBin } from "yargs/helpers"
 import { RunCommand } from "./cli/cmd/run"
 import { GenerateCommand } from "./cli/cmd/generate"
 import { Log } from "./util/log"
-import { AuthCommand } from "./cli/cmd/auth"
+import { LoginCommand, LogoutCommand, SwitchCommand, WorkspacesCommand } from "./cli/cmd/account"
+import { ProvidersCommand } from "./cli/cmd/providers"
 import { AgentCommand } from "./cli/cmd/agent"
 import { UpgradeCommand } from "./cli/cmd/upgrade"
 import { UninstallCommand } from "./cli/cmd/uninstall"
@@ -129,7 +130,11 @@ let cli = yargs(hideBin(process.argv))
   .command(RunCommand)
   .command(GenerateCommand)
   .command(DebugCommand)
-  .command(AuthCommand)
+  .command(LoginCommand)
+  .command(LogoutCommand)
+  .command(SwitchCommand)
+  .command(WorkspacesCommand)
+  .command(ProvidersCommand)
   .command(AgentCommand)
   .command(UpgradeCommand)
   .command(UninstallCommand)

packages/opencode/src/storage/db.ts

@@ -11,7 +11,6 @@ import { NamedError } from "@opencode-ai/util/error"
 import z from "zod"
 import path from "path"
 import { readFileSync, readdirSync, existsSync } from "fs"
-import * as schema from "./schema"
 
 declare const OPENCODE_MIGRATIONS: { sql: string; timestamp: number }[] | undefined
 
@@ -26,10 +25,8 @@ const log = Log.create({ service: "db" })
 
 export namespace Database {
   export const Path = path.join(Global.Path.data, "opencode.db")
-  type Schema = typeof schema
-  export type Transaction = SQLiteTransaction<"sync", void, Schema>
 
-  type Client = SQLiteBunDatabase<Schema>
+  type Client = SQLiteBunDatabase
 
   type Journal = { sql: string; timestamp: number }[]
 
@@ -82,7 +79,7 @@ export namespace Database {
     sqlite.run("PRAGMA foreign_keys = ON")
     sqlite.run("PRAGMA wal_checkpoint(PASSIVE)")
 
-    const db = drizzle({ client: sqlite, schema })
+    const db = drizzle({ client: sqlite })
 
     // Apply schema migrations
     const entries =
@@ -108,7 +105,7 @@ export namespace Database {
     Client.reset()
   }
 
-  export type TxOrDb = Transaction | Client
+  export type TxOrDb = SQLiteTransaction<"sync", void, any, any> | Client
 
   const ctx = Context.create<{
     tx: TxOrDb

packages/opencode/src/storage/schema.ts

@@ -1,5 +0,0 @@
-export { ControlAccountTable } from "../control/control.sql"
-export { SessionTable, MessageTable, PartTable, TodoTable, PermissionTable } from "../session/session.sql"
-export { SessionShareTable } from "../share/share.sql"
-export { ProjectTable } from "../project/project.sql"
-export { WorkspaceTable } from "../control-plane/workspace.sql"

packages/opencode/test/cli/plugin-auth-picker.test.ts

@@ -1,5 +1,5 @@
 import { test, expect, describe } from "bun:test"
-import { resolvePluginProviders } from "../../src/cli/cmd/auth"
+import { resolvePluginProviders } from "../../src/cli/cmd/providers"
 import type { Hooks } from "@opencode-ai/plugin"
 
 function hookWithAuth(provider: string): Hooks {

turbo.json

@@ -4,7 +4,7 @@
   "globalPassThroughEnv": ["CI", "OPENCODE_DISABLE_SHARE"],
   "tasks": {
     "typecheck": {
-      "dependsOn": ["^build"]
+      "dependsOn": []
     },
     "build": {
       "dependsOn": ["^build"],