fix: harden opencode webui flows

.dockerignore

@@ -19,7 +19,6 @@ config
 opencode-src
 temp
 
-.git
 .github
 .gitignore
 

Dockerfile

@@ -25,6 +25,40 @@ RUN curl -fsSL https://bun.sh/install | bash && \
 
 WORKDIR /app
 
+FROM base AS metadata
+
+COPY . .
+
+RUN node <<'NODE'
+const { execSync } = require('child_process')
+const fs = require('fs')
+
+const run = (command, fallback) => {
+  try {
+    return execSync(command, { encoding: 'utf8' }).trim() || fallback
+  } catch {
+    return fallback
+  }
+}
+
+const packageJson = JSON.parse(fs.readFileSync('package.json', 'utf8'))
+const sha = run('git rev-parse HEAD', 'unknown')
+const shortSha = run('git rev-parse --short=12 HEAD', sha === 'unknown' ? 'unknown' : sha.slice(0, 12))
+const dirty = run('git status --porcelain', '') !== ''
+
+const buildInfo = {
+  packageVersion: packageJson.version || 'unknown',
+  buildTime: new Date().toISOString(),
+  git: {
+    sha,
+    shortSha,
+    dirty,
+  },
+}
+
+fs.writeFileSync('/tmp/build-info.json', JSON.stringify(buildInfo, null, 2))
+NODE
+
 FROM base AS deps
 
 COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
@@ -61,13 +95,13 @@ COPY --from=deps /app/node_modules ./node_modules
 COPY --from=builder /app/shared ./shared
 COPY --from=builder /app/backend ./backend
 COPY --from=builder /app/frontend/dist ./frontend/dist
+COPY --from=metadata /tmp/build-info.json ./build-info.json
 COPY package.json pnpm-workspace.yaml ./
 
 RUN mkdir -p /app/backend/node_modules/@opencode-webui && \
     ln -s /app/shared /app/backend/node_modules/@opencode-webui/shared
 
-COPY scripts/docker-entrypoint.sh /docker-entrypoint.sh
-RUN chmod +x /docker-entrypoint.sh
+COPY --chmod=755 scripts/docker-entrypoint.sh /docker-entrypoint.sh
 
 RUN mkdir -p /workspace /app/data
 

backend/src/routes/health.ts

@@ -1,6 +1,7 @@
 import { Hono } from 'hono'
 import type { Database } from 'bun:sqlite'
 import { opencodeServerManager } from '../services/opencode-single-server'
+import { getBuildInfo } from '../services/build-info'
 
 export function createHealthRoutes(db: Database) {
   const app = new Hono()
@@ -11,23 +12,30 @@ export function createHealthRoutes(db: Database) {
       const opencodeHealthy = await opencodeServerManager.checkHealth()
 
       const status = dbCheck && opencodeHealthy ? 'healthy' : 'degraded'
+      const build = getBuildInfo()
 
       return c.json({
         status,
         timestamp: new Date().toISOString(),
         database: dbCheck ? 'connected' : 'disconnected',
         opencode: opencodeHealthy ? 'healthy' : 'unhealthy',
-        opencodePort: opencodeServerManager.getPort()
+        opencodePort: opencodeServerManager.getPort(),
+        build
       })
     } catch (error) {
       return c.json({
         status: 'unhealthy',
         timestamp: new Date().toISOString(),
-        error: error instanceof Error ? error.message : 'Unknown error'
+        error: error instanceof Error ? error.message : 'Unknown error',
+        build: getBuildInfo()
       }, 503)
     }
   })
 
+  app.get('/build', (c) => {
+    return c.json(getBuildInfo())
+  })
+
   app.get('/processes', async (c) => {
     try {
       const opencodeHealthy = await opencodeServerManager.checkHealth()

backend/src/routes/providers.ts

@@ -7,6 +7,7 @@ import { logger } from '../utils/logger'
 export function createProvidersRoutes() {
   const app = new Hono()
   const authService = new AuthService()
+  const oauthOnlyProviders = new Set(['github-copilot'])
 
   app.get('/credentials', async (c) => {
     try {
@@ -21,8 +22,8 @@ export function createProvidersRoutes() {
   app.get('/:id/credentials/status', async (c) => {
     try {
       const providerId = c.req.param('id')
-      const hasCredentials = await authService.has(providerId)
-      return c.json({ hasCredentials })
+      const status = await authService.getStatus(providerId)
+      return c.json(status)
     } catch (error) {
       logger.error('Failed to check credential status:', error)
       return c.json({ error: 'Failed to check credential status' }, 500)
@@ -32,6 +33,10 @@ export function createProvidersRoutes() {
   app.post('/:id/credentials', async (c) => {
     try {
       const providerId = c.req.param('id')
+      if (oauthOnlyProviders.has(providerId)) {
+        return c.json({ error: 'This provider uses device/OAuth login and cannot be configured with an API key.' }, 400)
+      }
+
       const body = await c.req.json()
       const validated = SetCredentialRequestSchema.parse(body)
 

backend/src/routes/settings.ts

@@ -66,7 +66,7 @@ export function createSettingsRoutes(db: Database) {
     try {
       const userId = c.req.query('userId') || 'default'
       const settings = settingsService.getSettings(userId)
-      return c.json(settings)
+      return c.json(settingsService.toClientSettings(settings))
     } catch (error) {
       logger.error('Failed to get settings:', error)
       return c.json({ error: 'Failed to get settings' }, 500)
@@ -80,7 +80,7 @@ export function createSettingsRoutes(db: Database) {
       const validated = UpdateSettingsSchema.parse(body)
 
       const settings = settingsService.updateSettings(validated.preferences, userId)
-      return c.json(settings)
+      return c.json(settingsService.toClientSettings(settings))
     } catch (error) {
       logger.error('Failed to update settings:', error)
       if (error instanceof z.ZodError) {
@@ -94,7 +94,7 @@ export function createSettingsRoutes(db: Database) {
     try {
       const userId = c.req.query('userId') || 'default'
       const settings = settingsService.resetSettings(userId)
-      return c.json(settings)
+      return c.json(settingsService.toClientSettings(settings))
     } catch (error) {
       logger.error('Failed to reset settings:', error)
       return c.json({ error: 'Failed to reset settings' }, 500)

backend/src/services/auth.ts

@@ -42,7 +42,8 @@ export class AuthService {
     const auth = await this.getAll()
     delete auth[providerId]
 
-    await fs.writeFile(this.authPath, JSON.stringify(auth, null, 2))
+    await fs.mkdir(path.dirname(this.authPath), { recursive: true })
+    await fs.writeFile(this.authPath, JSON.stringify(auth, null, 2), { mode: 0o600 })
     logger.info(`Deleted credentials for provider: ${providerId}`)
   }
 
@@ -52,8 +53,46 @@ export class AuthService {
   }
 
   async has(providerId: string): Promise<boolean> {
-    const auth = await this.getAll()
-    return !!auth[providerId]
+    const status = await this.getStatus(providerId)
+    return status.hasCredentials
+  }
+
+  async getStatus(providerId: string): Promise<{
+    hasCredentials: boolean
+    type: AuthEntry['type'] | null
+    expired: boolean
+    expires: number | null
+    hasAccessToken: boolean
+    hasRefreshToken: boolean
+  }> {
+    const entry = await this.get(providerId)
+    if (!entry) {
+      return {
+        hasCredentials: false,
+        type: null,
+        expired: false,
+        expires: null,
+        hasAccessToken: false,
+        hasRefreshToken: false,
+      }
+    }
+
+    const hasAccessToken = typeof entry.access === 'string' && entry.access.length > 0
+    const hasRefreshToken = typeof entry.refresh === 'string' && entry.refresh.length > 0
+    const expires = typeof entry.expires === 'number' ? entry.expires : null
+    const expired = entry.type === 'oauth' && expires !== null ? expires <= Date.now() : false
+    const hasCredentials = entry.type === 'apiKey'
+      ? typeof entry.apiKey === 'string' && entry.apiKey.length > 0
+      : hasAccessToken || hasRefreshToken
+
+    return {
+      hasCredentials,
+      type: entry.type,
+      expired,
+      expires,
+      hasAccessToken,
+      hasRefreshToken,
+    }
   }
 
   async get(providerId: string): Promise<AuthEntry | null> {

backend/src/services/build-info.ts

@@ -0,0 +1,49 @@
+import { readFileSync } from 'fs'
+import path from 'path'
+
+type BuildInfo = {
+  packageVersion: string
+  buildTime: string
+  git: {
+    sha: string
+    shortSha: string
+    dirty: boolean
+  }
+}
+
+const DEFAULT_BUILD_INFO: BuildInfo = {
+  packageVersion: 'unknown',
+  buildTime: 'unknown',
+  git: {
+    sha: 'unknown',
+    shortSha: 'unknown',
+    dirty: false,
+  },
+}
+
+let cachedBuildInfo: BuildInfo | null = null
+
+export function getBuildInfo(): BuildInfo {
+  if (cachedBuildInfo) {
+    return cachedBuildInfo
+  }
+
+  const buildInfoPath = path.join(process.cwd(), 'build-info.json')
+
+  try {
+    const parsed = JSON.parse(readFileSync(buildInfoPath, 'utf8'))
+    cachedBuildInfo = {
+      packageVersion: typeof parsed.packageVersion === 'string' ? parsed.packageVersion : DEFAULT_BUILD_INFO.packageVersion,
+      buildTime: typeof parsed.buildTime === 'string' ? parsed.buildTime : DEFAULT_BUILD_INFO.buildTime,
+      git: {
+        sha: typeof parsed.git?.sha === 'string' ? parsed.git.sha : DEFAULT_BUILD_INFO.git.sha,
+        shortSha: typeof parsed.git?.shortSha === 'string' ? parsed.git.shortSha : DEFAULT_BUILD_INFO.git.shortSha,
+        dirty: typeof parsed.git?.dirty === 'boolean' ? parsed.git.dirty : DEFAULT_BUILD_INFO.git.dirty,
+      },
+    }
+  } catch {
+    cachedBuildInfo = DEFAULT_BUILD_INFO
+  }
+
+  return cachedBuildInfo
+}

backend/src/services/proxy.ts

@@ -3,6 +3,32 @@ import { ENV } from '@opencode-webui/shared'
 
 const OPENCODE_SERVER_URL = `http://127.0.0.1:${ENV.OPENCODE.PORT}`
 
+function enrichProviderPayload(payload: unknown) {
+  if (!payload || typeof payload !== 'object' || !Array.isArray((payload as { providers?: unknown[] }).providers)) {
+    return payload
+  }
+
+  return {
+    ...(payload as Record<string, unknown>),
+    providers: (payload as { providers: Array<Record<string, unknown>> }).providers.map((provider) => {
+      const authMethod = provider.id === 'github-copilot' ? 'oauth' : 'apiKey'
+      const options = provider.options && typeof provider.options === 'object'
+        ? { ...(provider.options as Record<string, unknown>) }
+        : undefined
+
+      if (authMethod === 'oauth' && options) {
+        delete options.apiKey
+      }
+
+      return {
+        ...provider,
+        authMethod,
+        ...(options ? { options } : {}),
+      }
+    }),
+  }
+}
+
 export async function patchOpenCodeConfig(config: Record<string, unknown>): Promise<boolean> {
   try {
     const response = await fetch(`${OPENCODE_SERVER_URL}/config`, {
@@ -53,6 +79,18 @@ export async function proxyRequest(request: Request) {
       }
     })
 
+    if (request.method === 'GET' && cleanPath === '/config/providers') {
+      const payload = await response.json()
+      return new Response(JSON.stringify(enrichProviderPayload(payload)), {
+        status: response.status,
+        statusText: response.statusText,
+        headers: {
+          ...responseHeaders,
+          'content-type': 'application/json',
+        },
+      })
+    }
+
     return new Response(response.body, {
       status: response.status,
       statusText: response.statusText,