fix(core): map legacy auth success callback results to Credential.Value

[bertrandgressier]

Issue for this PR

Closes #32101

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

This PR resolves a schema validation failure and a synchronization gap that occur when dynamic/external plugins (using the legacy dynamic plugin contract) complete their OAuth authorization callback and write credentials.

There were two distinct issues causing the /connect failure and subsequent 401 Unauthorized errors in OpenCode 1.17.4:

1. The /connect Callback Sync Gap (Root Cause for TUI):
   When completing /connect in the TUI, OpenCode invokes the legacy ProviderAuth.callback endpoint, which delegates writes to Auth.set (packages/opencode/src/auth/index.ts). However, while Auth.set wrote correctly to auth.json on disk, it did not synchronize the credentials to the new SQLite credential table in real-time. Since the model execution layer in 1.17.4 reads credentials strictly from SQLite, the system continued to use old/expired tokens from SQLite, resulting in a 401.

   • Fix: Updated Auth.set and Auth.remove (packages/opencode/src/auth/index.ts) to automatically synchronize all legacy auth writes and deletions directly to the SQLite credential store in real-time.

2. Schema Mismatch on Completed Callbacks (Root Cause for Connectors):
   The public @opencode-ai/plugin API types enforce that completed callbacks return { type: "success", access, refresh, expires, metadata }. However, the backend's connector callback completion endpoint (connector.connect.oauth.complete calling complete in packages/core/src/integration.ts) executes this callback directly and pipes the result into credentials.create(...), which strictly expects a Credential.Value (only accepting "oauth" or "key" as type). This caused schema validation failures and "Authentication failed" errors in the TUI.

   • Fix: Implemented a clean, 100% type-safe @effect/schema bridge mapper inside packages/core/src/integration.ts's settle() function. When the completed callback results in a legacy { type: "success" } payload, it is dynamically mapped to the correct, modern Credential.Value shape (either Credential.OAuth or Credential.Key) before validating and writing to SQLite.

This restores seamless, green-status backward compatibility for all dynamic plugins (such as custom enterprise LLM gateways) connecting via Client Credentials / OAuth prompts!

How did you verify your code works?

• Added comprehensive integration tests in packages/opencode/test/auth/auth.test.ts verifying real-time synchronization between legacy Auth.set/Auth.remove and SQLite Credential.Service.
• Added unit tests in packages/core/test/integration.test.ts verifying that legacy success callbacks returning { type: "success" } are parsed, normalized, and saved type-safely.
• Verified that legacy auth plugins no longer cause validation failures upon /connect completion.

Screenshots / recordings

N/A (strictly a backend API adapter fix)

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

1. Open an issue describing the bug/feature (if one doesn't exist)
2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍