From d4b14c46f929c213573ab27d6e3a5246aa0c2684 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Sat, 23 May 2026 18:26:03 +0200
Subject: [PATCH 01/12] feat(den): add provider credential contract base

Add the LLM provider credential kind/opencode auth storage contract, migration, and passive credential redaction/flags needed by follow-up provider credential and worker sync PRs.
---
 .../den-api/src/routes/org/llm-providers.ts   | 33 ++++++++++++++++---
 .../0019_llm_provider_opencode_oauth.sql      |  3 ++
 ee/packages/den-db/drizzle/meta/_journal.json |  7 ++++
 .../src/schema/sharables/llm-providers.ts     |  4 +++
 4 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 ee/packages/den-db/drizzle/0019_llm_provider_opencode_oauth.sql

diff --git a/ee/apps/den-api/src/routes/org/llm-providers.ts b/ee/apps/den-api/src/routes/org/llm-providers.ts
index 5cc66da166..994b43565e 100644
--- a/ee/apps/den-api/src/routes/org/llm-providers.ts
+++ b/ee/apps/den-api/src/routes/org/llm-providers.ts
@@ -145,6 +145,24 @@ function isOrganizationAdmin(payload: { currentMember: { isOwner: boolean; role:
   return payload.currentMember.isOwner || memberHasRole(payload.currentMember.role, "admin")
 }
 
+export function getCredentialFlags(provider: Pick<LlmProviderRow, "credentialKind" | "apiKey" | "opencodeAuth">) {
+  const hasApiKey = Boolean(provider.apiKey && provider.apiKey.trim().length > 0)
+  const hasOpencodeAuth = Boolean(provider.opencodeAuth && provider.opencodeAuth.trim().length > 0)
+  return {
+    hasApiKey,
+    hasOpencodeAuth,
+    hasCredential: provider.credentialKind === "opencode_oauth" ? hasOpencodeAuth : hasApiKey,
+  }
+}
+
+export function redactLlmProviderCredentials<T extends { apiKey?: unknown; opencodeAuth?: unknown }>(provider: T): Omit<T, "apiKey" | "opencodeAuth"> & { apiKey: undefined; opencodeAuth: undefined } {
+  return {
+    ...provider,
+    apiKey: undefined,
+    opencodeAuth: undefined,
+  }
+}
+
 function canManageLlmProvider(
   payload: { currentMember: { id: MemberId; isOwner: boolean; role: string } },
   provider: LlmProviderRow,
@@ -464,7 +482,7 @@ async function loadLlmProviders(input: {
 
   return providers.map((provider) => ({
     ...provider,
-    hasApiKey: Boolean(provider.apiKey && provider.apiKey.trim().length > 0),
+    ...getCredentialFlags(provider),
     models: (modelsByProviderId.get(provider.id) ?? [])
       .map((model) => ({
         id: model.modelId,
@@ -607,8 +625,7 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
 
       return c.json({
         llmProviders: providers.map((provider) => ({
-          ...provider,
-          apiKey: undefined,
+          ...redactLlmProviderCredentials(provider),
           canManage: canManageLlmProvider(payload, provider),
         })),
       })
@@ -678,6 +695,8 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
       return c.json({
         llmProvider: {
           ...provider,
+          opencodeAuth: undefined,
+          ...getCredentialFlags(provider),
           models: models
             .map((model) => ({
               id: model.modelId,
@@ -781,10 +800,13 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
             organizationId: payload.organization.id,
             createdByOrgMembershipId: payload.currentMember.id,
             source: normalized.source,
+            credentialKind: "api_key",
             providerId: normalized.providerId,
             name: normalized.name,
             providerConfig: normalized.providerConfig,
             hasApiKey: Boolean(normalized.apiKey),
+            hasOpencodeAuth: false,
+            hasCredential: Boolean(normalized.apiKey),
             createdAt: now,
             updatedAt: now,
           },
@@ -916,12 +938,15 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
 
         return c.json({
           llmProvider: {
-            ...provider,
+            ...redactLlmProviderCredentials(provider),
             source: normalized.source,
             providerId: normalized.providerId,
             name: normalized.name,
             providerConfig: normalized.providerConfig,
+            credentialKind: provider.credentialKind,
             hasApiKey: input.apiKey === undefined ? Boolean(provider.apiKey) : Boolean(normalized.apiKey),
+            hasOpencodeAuth: Boolean(provider.opencodeAuth),
+            hasCredential: input.apiKey === undefined ? getCredentialFlags(provider).hasCredential : Boolean(normalized.apiKey),
             updatedAt,
           },
         })
diff --git a/ee/packages/den-db/drizzle/0019_llm_provider_opencode_oauth.sql b/ee/packages/den-db/drizzle/0019_llm_provider_opencode_oauth.sql
new file mode 100644
index 0000000000..96f71ae066
--- /dev/null
+++ b/ee/packages/den-db/drizzle/0019_llm_provider_opencode_oauth.sql
@@ -0,0 +1,3 @@
+ALTER TABLE `llm_provider`
+  ADD COLUMN `credential_kind` enum('api_key','opencode_oauth') NOT NULL DEFAULT 'api_key' AFTER `provider_config`,
+  ADD COLUMN `opencode_auth` text AFTER `api_key`;
diff --git a/ee/packages/den-db/drizzle/meta/_journal.json b/ee/packages/den-db/drizzle/meta/_journal.json
index 071846a7df..dfbdc94036 100644
--- a/ee/packages/den-db/drizzle/meta/_journal.json
+++ b/ee/packages/den-db/drizzle/meta/_journal.json
@@ -127,6 +127,13 @@
       "when": 1779380000000,
       "tag": "0018_invited_org_members",
       "breakpoints": true
+    },
+    {
+      "idx": 19,
+      "version": "5",
+      "when": 1777486400000,
+      "tag": "0019_llm_provider_opencode_oauth",
+      "breakpoints": true
     }
   ]
 }
diff --git a/ee/packages/den-db/src/schema/sharables/llm-providers.ts b/ee/packages/den-db/src/schema/sharables/llm-providers.ts
index c4ded95170..25ad41480d 100644
--- a/ee/packages/den-db/src/schema/sharables/llm-providers.ts
+++ b/ee/packages/den-db/src/schema/sharables/llm-providers.ts
@@ -30,7 +30,11 @@ export const LlmProviderTable = mysqlTable(
     providerConfig: json("provider_config")
       .$type<Record<string, unknown>>()
       .notNull(),
+    credentialKind: mysqlEnum("credential_kind", ["api_key", "opencode_oauth"])
+      .notNull()
+      .default("api_key"),
     apiKey: encryptedTextColumn("api_key"),
+    opencodeAuth: encryptedTextColumn("opencode_auth"),
     createdAt: timestamp("created_at", { fsp: 3 }).notNull().defaultNow(),
     updatedAt: timestamp("updated_at", { fsp: 3 })
       .notNull()

From efdefad0d19e62f5bd93cf8b747c47cce587b9fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Sat, 23 May 2026 22:54:28 +0200
Subject: [PATCH 02/12] feat(den): handle OAuth provider credentials

Add Den API create/update/read/import handling for API-key versus OpenCode OAuth provider credentials on top of the credential contract base.
---
 .../den-api/src/routes/org/llm-providers.ts   | 140 ++++++++++++++++--
 .../test/llm-provider-credentials.test.ts     |  61 ++++++++
 2 files changed, 190 insertions(+), 11 deletions(-)
 create mode 100644 ee/apps/den-api/test/llm-provider-credentials.test.ts

diff --git a/ee/apps/den-api/src/routes/org/llm-providers.ts b/ee/apps/den-api/src/routes/org/llm-providers.ts
index 994b43565e..e3c4438cca 100644
--- a/ee/apps/den-api/src/routes/org/llm-providers.ts
+++ b/ee/apps/den-api/src/routes/org/llm-providers.ts
@@ -73,10 +73,12 @@ const customProviderSchema = z.object({
 const llmProviderWriteSchema = z.object({
   name: z.string().trim().min(1).max(255),
   source: z.enum(["models_dev", "custom"]),
+  credentialKind: z.enum(["api_key", "opencode_oauth"]).optional().default("api_key"),
   providerId: z.string().trim().min(1).max(255).optional(),
   modelIds: z.array(z.string().trim().min(1).max(255)).min(1).optional(),
   customConfigText: z.string().trim().min(1).optional(),
   apiKey: z.string().trim().max(65535).optional(),
+  opencodeAuth: z.string().trim().max(65535).optional(),
   memberIds: z.array(denTypeIdSchema("member")).max(500).optional().default([]),
   teamIds: z.array(denTypeIdSchema("team")).max(500).optional().default([]),
 }).superRefine((value, ctx) => {
@@ -105,6 +107,14 @@ const llmProviderWriteSchema = z.object({
       message: "Paste a custom provider config.",
     })
   }
+
+  if (value.credentialKind === "opencode_oauth" && value.source === "models_dev" && value.providerId?.trim().toLowerCase() !== "openai") {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["credentialKind"],
+      message: "OpenCode OAuth credentials can only be used with the OpenAI catalog provider.",
+    })
+  }
 })
 
 const providerCatalogListResponseSchema = z.object({
@@ -163,6 +173,33 @@ export function redactLlmProviderCredentials<T extends { apiKey?: unknown; openc
   }
 }
 
+export function canImportLlmProviderCredential(payload: { currentMember: { isOwner: boolean; role: string } }) {
+  return isOrganizationAdmin(payload)
+}
+
+function normalizeOpencodeAuth(value: string | undefined) {
+  const trimmed = value?.trim() ?? ""
+  if (!trimmed) return null
+  try {
+    const parsed = JSON.parse(trimmed) as unknown
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed) || (parsed as Record<string, unknown>).type !== "oauth") {
+      throw new Error("invalid auth")
+    }
+    return JSON.stringify(parsed)
+  } catch {
+    throw createFailure(400, "invalid_opencode_auth", "OpenCode OAuth credential must be valid OAuth auth JSON.")
+  }
+}
+
+function buildLlmProviderCredentialPayload(provider: LlmProviderRow) {
+  return {
+    ...redactLlmProviderCredentials(provider),
+    ...getCredentialFlags(provider),
+    apiKey: provider.credentialKind === "api_key" ? provider.apiKey : undefined,
+    opencodeAuth: provider.credentialKind === "opencode_oauth" ? provider.opencodeAuth : undefined,
+  }
+}
+
 function canManageLlmProvider(
   payload: { currentMember: { id: MemberId; isOwner: boolean; role: string } },
   provider: LlmProviderRow,
@@ -292,6 +329,10 @@ async function resolveTeamIds(input: {
 }
 
 async function normalizeLlmProviderInput(input: z.infer<typeof llmProviderWriteSchema>) {
+  const credentialKind = input.credentialKind
+  const apiKey = credentialKind === "api_key" ? input.apiKey?.trim() || null : null
+  const opencodeAuth = credentialKind === "opencode_oauth" ? normalizeOpencodeAuth(input.opencodeAuth) : null
+
   if (input.source === "models_dev") {
     const provider = await getModelsDevProvider(input.providerId ?? "")
     if (!provider) {
@@ -308,10 +349,9 @@ async function normalizeLlmProviderInput(input: z.infer<typeof llmProviderWriteS
       return model
     })
 
-    const apiKey = input.apiKey?.trim() || null
-
     return {
       source: input.source,
+      credentialKind,
       providerId: provider.id,
       name: input.name,
       providerConfig: provider.config,
@@ -321,6 +361,7 @@ async function normalizeLlmProviderInput(input: z.infer<typeof llmProviderWriteS
         config: model.config,
       })),
       apiKey,
+      opencodeAuth,
     }
   }
 
@@ -344,6 +385,7 @@ async function normalizeLlmProviderInput(input: z.infer<typeof llmProviderWriteS
 
   return {
     source: input.source,
+    credentialKind,
     providerId: customProvider.data.id,
     name: input.name,
     providerConfig: providerConfig as JsonRecord,
@@ -352,7 +394,8 @@ async function normalizeLlmProviderInput(input: z.infer<typeof llmProviderWriteS
       name: model.name,
       config: model as JsonRecord,
     })),
-    apiKey: input.apiKey?.trim() || null,
+    apiKey,
+    opencodeAuth,
   }
 }
 
@@ -710,6 +753,67 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
     },
   )
 
+  app.get(
+    "/v1/llm-providers/:llmProviderId/import-credential",
+    describeRoute({
+      tags: ["LLM Providers"],
+      summary: "Import LLM provider credential",
+      description: "Returns credential material for an organization-managed LLM provider to privileged callers only.",
+      responses: {
+        200: jsonResponse("Provider credential returned successfully.", llmProviderResponseSchema),
+        400: jsonResponse("The provider path parameters were invalid.", invalidRequestSchema),
+        401: jsonResponse("The caller must be signed in to import an organization LLM provider credential.", unauthorizedSchema),
+        403: jsonResponse("Only members who can manage this provider can import its credential.", forbiddenSchema),
+        404: jsonResponse("The provider could not be found.", notFoundSchema),
+      },
+    }),
+    requireUserMiddleware,
+    paramValidator(orgLlmProviderParamsSchema),
+    resolveOrganizationContextMiddleware,
+    async (c) => {
+      const payload = c.get("organizationContext")
+      const params = c.req.valid("param")
+
+      let llmProviderId: LlmProviderId
+      try {
+        llmProviderId = parseLlmProviderId(params.llmProviderId)
+      } catch {
+        return c.json({ error: "llm_provider_not_found" }, 404)
+      }
+
+      const providerRows = await db
+        .select()
+        .from(LlmProviderTable)
+        .where(and(eq(LlmProviderTable.id, llmProviderId), eq(LlmProviderTable.organizationId, payload.organization.id)))
+        .limit(1)
+
+      const provider = providerRows[0]
+      if (!provider) return c.json({ error: "llm_provider_not_found" }, 404)
+      if (!canImportLlmProviderCredential(payload)) {
+        return c.json({ error: "forbidden", message: "Only organization admins can import provider credentials." }, 403)
+      }
+
+      const models = await db
+        .select()
+        .from(LlmProviderModelTable)
+        .where(eq(LlmProviderModelTable.llmProviderId, llmProviderId))
+
+      return c.json({
+        llmProvider: {
+          ...buildLlmProviderCredentialPayload(provider),
+          models: models
+            .map((model) => ({
+              id: model.modelId,
+              name: model.name,
+              config: model.modelConfig,
+              createdAt: model.createdAt,
+            }))
+            .sort((left, right) => left.name.localeCompare(right.name)),
+        },
+      })
+    },
+  )
+
   app.post(
     "/v1/llm-providers",
     describeRoute({
@@ -751,10 +855,12 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
             organizationId: payload.organization.id,
             createdByOrgMembershipId: payload.currentMember.id,
             source: normalized.source,
+            credentialKind: normalized.credentialKind,
             providerId: normalized.providerId,
             name: normalized.name,
             providerConfig: normalized.providerConfig,
             apiKey: normalized.apiKey,
+            opencodeAuth: normalized.opencodeAuth,
             createdAt: now,
             updatedAt: now,
           })
@@ -800,13 +906,13 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
             organizationId: payload.organization.id,
             createdByOrgMembershipId: payload.currentMember.id,
             source: normalized.source,
-            credentialKind: "api_key",
+            credentialKind: normalized.credentialKind,
             providerId: normalized.providerId,
             name: normalized.name,
             providerConfig: normalized.providerConfig,
             hasApiKey: Boolean(normalized.apiKey),
-            hasOpencodeAuth: false,
-            hasCredential: Boolean(normalized.apiKey),
+            hasOpencodeAuth: Boolean(normalized.opencodeAuth),
+            hasCredential: normalized.credentialKind === "opencode_oauth" ? Boolean(normalized.opencodeAuth) : Boolean(normalized.apiKey),
             createdAt: now,
             updatedAt: now,
           },
@@ -890,10 +996,16 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
             .update(LlmProviderTable)
             .set({
               source: normalized.source,
+              credentialKind: normalized.credentialKind,
               providerId: normalized.providerId,
               name: normalized.name,
               providerConfig: normalized.providerConfig,
-              apiKey: input.apiKey === undefined ? provider.apiKey : normalized.apiKey,
+              apiKey: normalized.credentialKind === "api_key"
+                ? (input.apiKey === undefined ? provider.apiKey : normalized.apiKey)
+                : null,
+              opencodeAuth: normalized.credentialKind === "opencode_oauth"
+                ? (input.opencodeAuth === undefined ? provider.opencodeAuth : normalized.opencodeAuth)
+                : null,
               updatedAt,
             })
             .where(eq(LlmProviderTable.id, provider.id))
@@ -943,10 +1055,16 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
             providerId: normalized.providerId,
             name: normalized.name,
             providerConfig: normalized.providerConfig,
-            credentialKind: provider.credentialKind,
-            hasApiKey: input.apiKey === undefined ? Boolean(provider.apiKey) : Boolean(normalized.apiKey),
-            hasOpencodeAuth: Boolean(provider.opencodeAuth),
-            hasCredential: input.apiKey === undefined ? getCredentialFlags(provider).hasCredential : Boolean(normalized.apiKey),
+            credentialKind: normalized.credentialKind,
+            hasApiKey: normalized.credentialKind === "api_key"
+              ? (input.apiKey === undefined ? Boolean(provider.apiKey) : Boolean(normalized.apiKey))
+              : false,
+            hasOpencodeAuth: normalized.credentialKind === "opencode_oauth"
+              ? (input.opencodeAuth === undefined ? Boolean(provider.opencodeAuth) : Boolean(normalized.opencodeAuth))
+              : false,
+            hasCredential: normalized.credentialKind === "opencode_oauth"
+              ? (input.opencodeAuth === undefined ? Boolean(provider.opencodeAuth) : Boolean(normalized.opencodeAuth))
+              : (input.apiKey === undefined ? Boolean(provider.apiKey) : Boolean(normalized.apiKey)),
             updatedAt,
           },
         })
diff --git a/ee/apps/den-api/test/llm-provider-credentials.test.ts b/ee/apps/den-api/test/llm-provider-credentials.test.ts
new file mode 100644
index 0000000000..71ea6e92a9
--- /dev/null
+++ b/ee/apps/den-api/test/llm-provider-credentials.test.ts
@@ -0,0 +1,61 @@
+import { beforeAll, expect, test } from "bun:test"
+import { Hono } from "hono"
+
+function seedRequiredEnv() {
+  process.env.DATABASE_URL = process.env.DATABASE_URL ?? "mysql://root:password@127.0.0.1:3306/openwork_test"
+  process.env.DEN_DB_ENCRYPTION_KEY = process.env.DEN_DB_ENCRYPTION_KEY ?? "x".repeat(32)
+  process.env.BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET ?? "y".repeat(32)
+  process.env.BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://127.0.0.1:8790"
+  process.env.CORS_ORIGINS = process.env.CORS_ORIGINS ?? "http://127.0.0.1:8790"
+}
+
+let llmProviderModule: typeof import("../src/routes/org/llm-providers.js")
+
+beforeAll(async () => {
+  seedRequiredEnv()
+  llmProviderModule = await import("../src/routes/org/llm-providers.js")
+})
+
+test("generic provider payload redaction removes API key and OAuth auth material", () => {
+  const redacted = llmProviderModule.redactLlmProviderCredentials({
+    id: "llmProvider_secret_123",
+    apiKey: "plain-secret",
+    opencodeAuth: JSON.stringify({ type: "oauth", access: "access", refresh: "refresh", expires: 1 }),
+  })
+
+  expect(redacted).toEqual({
+    id: "llmProvider_secret_123",
+    apiKey: undefined,
+    opencodeAuth: undefined,
+  })
+})
+
+test("credential flags expose presence only, never credential values", () => {
+  expect(llmProviderModule.getCredentialFlags({
+    credentialKind: "opencode_oauth",
+    apiKey: "plain-secret",
+    opencodeAuth: JSON.stringify({ type: "oauth", access: "access", refresh: "refresh", expires: 1 }),
+  })).toEqual({ hasApiKey: true, hasOpencodeAuth: true, hasCredential: true })
+})
+
+test("credential import permission gate requires organization admin role", () => {
+  const owner = { currentMember: { isOwner: true, role: "member" } }
+  const admin = { currentMember: { isOwner: false, role: "admin" } }
+  const creatorOnly = { currentMember: { isOwner: false, role: "member" } }
+
+  expect(llmProviderModule.canImportLlmProviderCredential(owner)).toBe(true)
+  expect(llmProviderModule.canImportLlmProviderCredential(admin)).toBe(true)
+  expect(llmProviderModule.canImportLlmProviderCredential(creatorOnly)).toBe(false)
+})
+
+test("purpose-specific import endpoint requires authentication", async () => {
+  const app = new Hono()
+  llmProviderModule.registerOrgLlmProviderRoutes(app)
+
+  const response = await app.request("http://den.local/v1/llm-providers/llmProvider_secret_123/import-credential", {
+    method: "GET",
+  })
+
+  expect(response.status).toBe(401)
+  await expect(response.json()).resolves.toEqual({ error: "unauthorized" })
+})

From 32b39e7be4a27e509aef75b6de6507ac26fbf383 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Sat, 23 May 2026 22:56:28 +0200
Subject: [PATCH 03/12] feat(app): import OAuth-backed Den providers

Allow desktop cloud-provider import to consume OpenCode OAuth-backed organization providers from the Den credential import endpoint.
---
 apps/app/src/app/lib/den.ts                   |  8 ++++
 .../connections/provider-auth/store.ts        | 44 +++++++++++++++++--
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/apps/app/src/app/lib/den.ts b/apps/app/src/app/lib/den.ts
index d5aebaf2be..0f425a9473 100644
--- a/apps/app/src/app/lib/den.ts
+++ b/apps/app/src/app/lib/den.ts
@@ -111,10 +111,13 @@ export type DenOrgLlmProviderModel = {
 export type DenOrgLlmProvider = {
   id: string;
   source: "models_dev" | "custom" | "openwork";
+  credentialKind: "api_key" | "opencode_oauth";
   providerId: string;
   name: string;
   providerConfig: Record<string, unknown>;
   hasApiKey: boolean;
+  hasOpencodeAuth: boolean;
+  hasCredential: boolean;
   models: DenOrgLlmProviderModel[];
   createdAt: string | null;
   updatedAt: string | null;
@@ -122,6 +125,7 @@ export type DenOrgLlmProvider = {
 
 export type DenOrgLlmProviderConnection = DenOrgLlmProvider & {
   apiKey: string | null;
+  opencodeAuth: string | null;
 };
 
 export type DenPluginConfigObjectType = "skill" | "agent" | "command" | "tool" | "mcp" | "hook" | "context" | "custom";
@@ -897,10 +901,13 @@ function parseDenOrgLlmProvider(value: unknown): DenOrgLlmProvider | null {
   return {
     id: value.id,
     source: value.source,
+    credentialKind: value.credentialKind === "opencode_oauth" ? "opencode_oauth" : "api_key",
     providerId: value.providerId,
     name: value.name,
     providerConfig: isRecord(value.providerConfig) ? value.providerConfig : {},
     hasApiKey: value.hasApiKey === true,
+    hasOpencodeAuth: value.hasOpencodeAuth === true,
+    hasCredential: value.hasCredential === true || value.hasApiKey === true || value.hasOpencodeAuth === true,
     models: Array.isArray(value.models)
       ? value.models.flatMap((model) => {
           const parsed = parseDenOrgLlmProviderModel(model);
@@ -936,6 +943,7 @@ function getDenOrgLlmProviderConnection(payload: unknown): DenOrgLlmProviderConn
   return {
     ...provider,
     apiKey: typeof payload.llmProvider.apiKey === "string" ? payload.llmProvider.apiKey : null,
+    opencodeAuth: typeof payload.llmProvider.opencodeAuth === "string" ? payload.llmProvider.opencodeAuth : null,
   };
 }
 
diff --git a/apps/app/src/react-app/domains/connections/provider-auth/store.ts b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
index b0550da8f8..192c403d36 100644
--- a/apps/app/src/react-app/domains/connections/provider-auth/store.ts
+++ b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
@@ -163,8 +163,12 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
     a.length === b.length && a.every((value, index) => value === b[index]);
 
   const getCloudManagedProviderId = (
-    provider: Pick<DenOrgLlmProvider, "id" | "providerId" | "source">,
-  ) => provider.source === "openwork" ? "openwork" : provider.id.trim();
+    provider: Pick<DenOrgLlmProvider, "id" | "providerId" | "source" | "credentialKind">,
+  ) => {
+    if (provider.source === "openwork") return "openwork";
+    if (provider.credentialKind === "opencode_oauth") return provider.providerId.trim();
+    return provider.id.trim();
+  };
 
   const getProviderAuthWorkerType = (): "local" | "remote" =>
     options.selectedWorkspaceDisplay().workspaceType === "remote" ? "remote" : "local";
@@ -1327,14 +1331,45 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
       const existingImported = state.importedCloudProviders[cloudProviderId] ?? null;
       const localProviderId = getCloudManagedProviderId(provider);
       const apiKey = provider.apiKey?.trim() ?? "";
+      const opencodeAuth = provider.opencodeAuth?.trim() ?? "";
       const env = getCloudProviderEnv(provider.providerConfig);
-      if (!apiKey && env.length > 0) {
+      if (provider.credentialKind === "opencode_oauth" && !opencodeAuth) {
+        throw new Error(`${provider.name} does not have a stored OpenCode OAuth credential yet.`);
+      }
+      if (provider.credentialKind === "api_key" && !apiKey && env.length > 0) {
         throw new Error(`${provider.name} does not have a stored organization credential yet.`);
       }
 
       await assertCloudProviderImportSafe(provider);
 
-      if (apiKey) {
+      if (provider.credentialKind === "opencode_oauth" && opencodeAuth) {
+        let parsedAuth: unknown;
+        try {
+          parsedAuth = JSON.parse(opencodeAuth);
+        } catch {
+          throw new Error(`${provider.name} has invalid OpenCode OAuth JSON.`);
+        }
+        if (!parsedAuth || typeof parsedAuth !== "object" || Array.isArray(parsedAuth)) {
+          throw new Error(`${provider.name} OpenCode OAuth auth must be a JSON object.`);
+        }
+        const authRecord = parsedAuth as Record<string, unknown>;
+        if (authRecord.type !== "oauth") {
+          throw new Error(`${provider.name} OpenCode OAuth auth must include type "oauth".`);
+        }
+        if (typeof authRecord.access !== "string" || !authRecord.access.trim()) {
+          throw new Error(`${provider.name} OpenCode OAuth auth must include an access token.`);
+        }
+        if (typeof authRecord.refresh !== "string" || !authRecord.refresh.trim()) {
+          throw new Error(`${provider.name} OpenCode OAuth auth must include a refresh token.`);
+        }
+        if (typeof authRecord.expires !== "number" || !Number.isFinite(authRecord.expires) || authRecord.expires < 0) {
+          throw new Error(`${provider.name} OpenCode OAuth auth must include a non-negative numeric expires value.`);
+        }
+        await c.auth.set({
+          providerID: localProviderId,
+          auth: parsedAuth as Parameters<typeof c.auth.set>[0]["auth"],
+        });
+      } else if (apiKey) {
         await c.auth.set({
           providerID: localProviderId,
           auth: { type: "api", key: apiKey },
@@ -1380,6 +1415,7 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
         .filter((id) => id !== localProviderId && id !== existingImported?.providerId);
       options.setDisabledProviders(nextDisabledProviders);
       options.markOpencodeConfigReloadRequired();
+      await refreshProviders({ dispose: true }).catch(() => null);
       refreshSnapshot();
       emitChange();
       return `${t("status.connected")} ${provider.name}`;

From 976b68c2119c2d731e491f7776ab83a9775e16ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Sun, 24 May 2026 01:01:34 +0200
Subject: [PATCH 04/12] feat(den): add OpenAI OAuth provider flow

Add Den API OpenAI OAuth device-flow routes/tests and Den Web provider UI for OAuth-backed provider credentials on top of the credential handling stack.
---
 .../den-api/src/routes/org/llm-providers.ts   | 359 ++++++++++++++----
 .../den-api/test/llm-providers-oauth.test.ts  | 198 ++++++++++
 .../_components/llm-provider-data.tsx         |   8 +
 .../llm-provider-detail-screen.tsx            |   8 +-
 .../llm-provider-editor-screen.tsx            | 224 ++++++++++-
 .../_components/llm-providers-screen.tsx      |   4 +-
 6 files changed, 704 insertions(+), 97 deletions(-)
 create mode 100644 ee/apps/den-api/test/llm-providers-oauth.test.ts

diff --git a/ee/apps/den-api/src/routes/org/llm-providers.ts b/ee/apps/den-api/src/routes/org/llm-providers.ts
index e3c4438cca..5dd50e7d33 100644
--- a/ee/apps/den-api/src/routes/org/llm-providers.ts
+++ b/ee/apps/den-api/src/routes/org/llm-providers.ts
@@ -1,7 +1,6 @@
-import { and, desc, eq, inArray, isNotNull, isNull, or } from "@openwork-ee/den-db/drizzle"
+import { and, desc, eq, inArray, isNotNull, or } from "@openwork-ee/den-db/drizzle"
 import {
   AuthUserTable,
-  InvitationTable,
   LlmProviderAccessTable,
   LlmProviderModelTable,
   LlmProviderTable,
@@ -33,6 +32,10 @@ type LlmProviderAccessId = typeof LlmProviderAccessTable.$inferSelect.id
 type MemberId = typeof MemberTable.$inferSelect.id
 type TeamId = typeof TeamTable.$inferSelect.id
 type LlmProviderRow = typeof LlmProviderTable.$inferSelect
+const OPENAI_AUTH_ISSUER = "https://auth.openai.com"
+const OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"
+const OPENAI_DEVICE_REDIRECT_URI = `${OPENAI_AUTH_ISSUER}/deviceauth/callback`
+const OPENAI_DEVICE_POLLING_SAFETY_MARGIN_MS = 3000
 
 type RouteFailure = {
   status: number
@@ -40,11 +43,6 @@ type RouteFailure = {
   message?: string
 }
 
-function getInvitedMemberName(email: string) {
-  const [localPart, domain = "invited"] = email.split("@")
-  return `${localPart} ${domain.split(".")[0] ?? "invited"}`.trim()
-}
-
 const providerCatalogParamsSchema = z.object({
   providerId: z.string().trim().min(1).max(255),
 })
@@ -108,12 +106,14 @@ const llmProviderWriteSchema = z.object({
     })
   }
 
-  if (value.credentialKind === "opencode_oauth" && value.source === "models_dev" && value.providerId?.trim().toLowerCase() !== "openai") {
-    ctx.addIssue({
-      code: z.ZodIssueCode.custom,
-      path: ["credentialKind"],
-      message: "OpenCode OAuth credentials can only be used with the OpenAI catalog provider.",
-    })
+  if (value.credentialKind === "opencode_oauth") {
+    if (value.source === "models_dev" && !isOpencodeOauthProviderAllowed(value.providerId)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["credentialKind"],
+        message: "OpenCode OAuth credentials can only be used with the OpenAI catalog provider.",
+      })
+    }
   }
 })
 
@@ -143,6 +143,24 @@ const conflictSchema = z.object({
   message: z.string().optional(),
 }).meta({ ref: "ConflictError" })
 
+const openAiOauthStartResponseSchema = z.object({
+  verificationUrl: z.string(),
+  userCode: z.string(),
+  deviceAuthId: z.string(),
+  intervalMs: z.number(),
+}).meta({ ref: "OpenAiOauthStartResponse" })
+
+const openAiOauthCompleteSchema = z.object({
+  deviceAuthId: z.string().trim().min(1),
+  userCode: z.string().trim().min(1),
+})
+
+const openAiOauthCompleteResponseSchema = z.object({
+  opencodeAuth: z.string(),
+  accountId: z.string().nullable(),
+  expires: z.number(),
+}).meta({ ref: "OpenAiOauthCompleteResponse" })
+
 function createFailure(status: number, error: string, message?: string): RouteFailure {
   return { status, error, message }
 }
@@ -151,55 +169,130 @@ function isRouteFailure(value: unknown): value is RouteFailure {
   return typeof value === "object" && value !== null && "status" in value && "error" in value
 }
 
-function isOrganizationAdmin(payload: { currentMember: { isOwner: boolean; role: string } }) {
-  return payload.currentMember.isOwner || memberHasRole(payload.currentMember.role, "admin")
+function parseJwtClaims(token: string): Record<string, unknown> | null {
+  const parts = token.split(".")
+  if (parts.length !== 3 || !parts[1]) return null
+  try {
+    return JSON.parse(Buffer.from(parts[1], "base64url").toString()) as Record<string, unknown>
+  } catch {
+    return null
+  }
 }
 
-export function getCredentialFlags(provider: Pick<LlmProviderRow, "credentialKind" | "apiKey" | "opencodeAuth">) {
-  const hasApiKey = Boolean(provider.apiKey && provider.apiKey.trim().length > 0)
-  const hasOpencodeAuth = Boolean(provider.opencodeAuth && provider.opencodeAuth.trim().length > 0)
-  return {
-    hasApiKey,
-    hasOpencodeAuth,
-    hasCredential: provider.credentialKind === "opencode_oauth" ? hasOpencodeAuth : hasApiKey,
+function extractOpenAiAccountId(tokens: { id_token?: string; access_token?: string }) {
+  const claims = tokens.id_token ? parseJwtClaims(tokens.id_token) : tokens.access_token ? parseJwtClaims(tokens.access_token) : null
+  if (!claims) return null
+  const apiAuth = claims["https://api.openai.com/auth"]
+  if (typeof claims.chatgpt_account_id === "string") return claims.chatgpt_account_id
+  if (apiAuth && typeof apiAuth === "object" && !Array.isArray(apiAuth) && typeof (apiAuth as Record<string, unknown>).chatgpt_account_id === "string") {
+    return (apiAuth as Record<string, string>).chatgpt_account_id
+  }
+  const organizations = claims.organizations
+  if (Array.isArray(organizations)) {
+    const first = organizations.find((entry): entry is Record<string, unknown> => typeof entry === "object" && entry !== null && !Array.isArray(entry))
+    if (typeof first?.id === "string") return first.id
   }
+  return null
 }
 
-export function redactLlmProviderCredentials<T extends { apiKey?: unknown; opencodeAuth?: unknown }>(provider: T): Omit<T, "apiKey" | "opencodeAuth"> & { apiKey: undefined; opencodeAuth: undefined } {
+export async function startOpenAiDeviceAuth() {
+  const response = await fetch(`${OPENAI_AUTH_ISSUER}/api/accounts/deviceauth/usercode`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "opencode/den",
+    },
+    body: JSON.stringify({ client_id: OPENAI_CODEX_CLIENT_ID }),
+  })
+  if (!response.ok) {
+    throw createFailure(502, "openai_oauth_start_failed", `OpenAI device authorization failed with ${response.status}.`)
+  }
+  const data = await response.json() as { device_auth_id?: unknown; user_code?: unknown; interval?: unknown }
+  if (typeof data.device_auth_id !== "string" || typeof data.user_code !== "string") {
+    throw createFailure(502, "openai_oauth_start_failed", "OpenAI device authorization response was incomplete.")
+  }
+  const interval = Math.max(Number.parseInt(String(data.interval ?? "5"), 10) || 5, 1) * 1000
   return {
-    ...provider,
-    apiKey: undefined,
-    opencodeAuth: undefined,
+    verificationUrl: `${OPENAI_AUTH_ISSUER}/codex/device`,
+    userCode: data.user_code,
+    deviceAuthId: data.device_auth_id,
+    intervalMs: interval + OPENAI_DEVICE_POLLING_SAFETY_MARGIN_MS,
   }
 }
 
-export function canImportLlmProviderCredential(payload: { currentMember: { isOwner: boolean; role: string } }) {
-  return isOrganizationAdmin(payload)
-}
+export async function completeOpenAiDeviceAuth(input: { deviceAuthId: string; userCode: string }) {
+  const deviceResponse = await fetch(`${OPENAI_AUTH_ISSUER}/api/accounts/deviceauth/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "User-Agent": "opencode/den",
+    },
+    body: JSON.stringify({
+      device_auth_id: input.deviceAuthId,
+      user_code: input.userCode,
+    }),
+  })
 
-function normalizeOpencodeAuth(value: string | undefined) {
-  const trimmed = value?.trim() ?? ""
-  if (!trimmed) return null
-  try {
-    const parsed = JSON.parse(trimmed) as unknown
-    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed) || (parsed as Record<string, unknown>).type !== "oauth") {
-      throw new Error("invalid auth")
-    }
-    return JSON.stringify(parsed)
-  } catch {
-    throw createFailure(400, "invalid_opencode_auth", "OpenCode OAuth credential must be valid OAuth auth JSON.")
+  if (deviceResponse.status === 403 || deviceResponse.status === 404) {
+    throw createFailure(409, "openai_oauth_pending", "OpenAI authorization is not complete yet.")
+  }
+  if (!deviceResponse.ok) {
+    throw createFailure(502, "openai_oauth_complete_failed", `OpenAI device authorization failed with ${deviceResponse.status}.`)
+  }
+  const deviceData = await deviceResponse.json() as { authorization_code?: unknown; code_verifier?: unknown }
+  if (typeof deviceData.authorization_code !== "string" || typeof deviceData.code_verifier !== "string") {
+    throw createFailure(502, "openai_oauth_complete_failed", "OpenAI device token response was incomplete.")
   }
-}
 
-function buildLlmProviderCredentialPayload(provider: LlmProviderRow) {
+  const tokenResponse = await fetch(`${OPENAI_AUTH_ISSUER}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code: deviceData.authorization_code,
+      redirect_uri: OPENAI_DEVICE_REDIRECT_URI,
+      client_id: OPENAI_CODEX_CLIENT_ID,
+      code_verifier: deviceData.code_verifier,
+    }).toString(),
+  })
+  if (!tokenResponse.ok) {
+    throw createFailure(502, "openai_oauth_complete_failed", `OpenAI token exchange failed with ${tokenResponse.status}.`)
+  }
+  const tokens = await tokenResponse.json() as { id_token?: string; access_token?: string; refresh_token?: string; expires_in?: number }
+  if (!tokens.access_token || !tokens.refresh_token) {
+    throw createFailure(502, "openai_oauth_complete_failed", "OpenAI token response did not include OAuth tokens.")
+  }
+  const expires = Date.now() + (tokens.expires_in ?? 3600) * 1000
+  const accountId = extractOpenAiAccountId(tokens)
   return {
-    ...redactLlmProviderCredentials(provider),
-    ...getCredentialFlags(provider),
-    apiKey: provider.credentialKind === "api_key" ? provider.apiKey : undefined,
-    opencodeAuth: provider.credentialKind === "opencode_oauth" ? provider.opencodeAuth : undefined,
+    opencodeAuth: JSON.stringify({
+      type: "oauth",
+      refresh: tokens.refresh_token,
+      access: tokens.access_token,
+      expires,
+      ...(accountId ? { accountId } : {}),
+    }),
+    accountId,
+    expires,
   }
 }
 
+function isOrganizationAdmin(payload: { currentMember: { isOwner: boolean; role: string } }) {
+  return payload.currentMember.isOwner || memberHasRole(payload.currentMember.role, "admin")
+}
+
+export function isOpencodeOauthProviderAllowed(providerId: string | undefined | null) {
+  return providerId?.trim().toLowerCase() === "openai"
+}
+
+export function canUseOpenAiOAuthCredentialFlow(payload: { currentMember: { isOwner: boolean; role: string } }) {
+  return isOrganizationAdmin(payload)
+}
+
+export function canImportLlmProviderCredential(payload: { currentMember: { isOwner: boolean; role: string } }) {
+  return isOrganizationAdmin(payload)
+}
+
 function canManageLlmProvider(
   payload: { currentMember: { id: MemberId; isOwner: boolean; role: string } },
   provider: LlmProviderRow,
@@ -230,6 +323,66 @@ function parseLlmProviderAccessId(value: string) {
   return normalizeDenTypeId("llmProviderAccess", value)
 }
 
+export function getCredentialFlags(provider: Pick<LlmProviderRow, "credentialKind" | "apiKey" | "opencodeAuth">) {
+  const hasApiKey = Boolean(provider.apiKey && provider.apiKey.trim().length > 0)
+  const hasOpencodeAuth = Boolean(provider.opencodeAuth && provider.opencodeAuth.trim().length > 0)
+  return {
+    hasApiKey,
+    hasOpencodeAuth,
+    hasCredential: provider.credentialKind === "opencode_oauth" ? hasOpencodeAuth : hasApiKey,
+  }
+}
+
+export function redactLlmProviderCredentials<T extends { apiKey?: unknown; opencodeAuth?: unknown }>(provider: T): Omit<T, "apiKey" | "opencodeAuth"> & { apiKey: undefined; opencodeAuth: undefined } {
+  return {
+    ...provider,
+    apiKey: undefined,
+    opencodeAuth: undefined,
+  }
+}
+
+function buildLlmProviderCredentialPayload(provider: LlmProviderRow) {
+  return {
+    ...redactLlmProviderCredentials(provider),
+    ...getCredentialFlags(provider),
+    apiKey: provider.credentialKind === "api_key" ? provider.apiKey : undefined,
+    opencodeAuth: provider.credentialKind === "opencode_oauth" ? provider.opencodeAuth : undefined,
+  }
+}
+
+function normalizeOpencodeAuth(value: string | undefined) {
+  const trimmed = value?.trim()
+  if (!trimmed) return null
+
+  try {
+    const parsed = JSON.parse(trimmed) as unknown
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error("OpenCode OAuth auth must be a JSON object.")
+    }
+    const auth = parsed as Record<string, unknown>
+    if (auth.type !== "oauth") {
+      throw new Error('OpenCode OAuth auth must include "type": "oauth".')
+    }
+    if (typeof auth.access !== "string" || !auth.access.trim()) {
+      throw new Error("OpenCode OAuth auth must include an access token.")
+    }
+    if (typeof auth.refresh !== "string" || !auth.refresh.trim()) {
+      throw new Error("OpenCode OAuth auth must include a refresh token.")
+    }
+    if (typeof auth.expires !== "number" || !Number.isFinite(auth.expires) || auth.expires < 0) {
+      throw new Error("OpenCode OAuth auth must include a non-negative numeric expires value.")
+    }
+  } catch (error) {
+    throw createFailure(
+      400,
+      "invalid_opencode_auth",
+      error instanceof Error ? error.message : "OpenCode OAuth auth must be valid JSON.",
+    )
+  }
+
+  return trimmed
+}
+
 function parseMemberId(value: string) {
   return normalizeDenTypeId("member", value)
 }
@@ -290,7 +443,7 @@ async function resolveMemberIds(input: {
   const rows = await db
     .select({ id: MemberTable.id })
     .from(MemberTable)
-    .where(and(eq(MemberTable.organizationId, input.organizationId), inArray(MemberTable.id, memberIds), isNull(MemberTable.removedAt)))
+    .where(and(eq(MemberTable.organizationId, input.organizationId), inArray(MemberTable.id, memberIds)))
 
   if (rows.length !== memberIds.length) {
     throw createFailure(404, "member_not_found")
@@ -382,6 +535,9 @@ async function normalizeLlmProviderInput(input: z.infer<typeof llmProviderWriteS
   }
 
   const { models, ...providerConfig } = customProvider.data
+  if (credentialKind === "opencode_oauth" && !isOpencodeOauthProviderAllowed(customProvider.data.id)) {
+    throw createFailure(400, "invalid_credential_kind", "OpenCode OAuth credentials can only be used with the OpenAI provider.")
+  }
 
   return {
     source: input.source,
@@ -462,15 +618,11 @@ async function loadLlmProviders(input: {
         email: AuthUserTable.email,
         image: AuthUserTable.image,
       },
-      invitation: {
-        email: InvitationTable.email,
-      },
     })
     .from(LlmProviderAccessTable)
     .innerJoin(MemberTable, eq(LlmProviderAccessTable.orgMembershipId, MemberTable.id))
-    .leftJoin(AuthUserTable, eq(MemberTable.userId, AuthUserTable.id))
-    .leftJoin(InvitationTable, eq(MemberTable.inviteId, InvitationTable.id))
-    .where(and(inArray(LlmProviderAccessTable.llmProviderId, providerIds), isNotNull(LlmProviderAccessTable.orgMembershipId), isNull(MemberTable.removedAt)))
+    .innerJoin(AuthUserTable, eq(MemberTable.userId, AuthUserTable.id))
+    .where(and(inArray(LlmProviderAccessTable.llmProviderId, providerIds), isNotNull(LlmProviderAccessTable.orgMembershipId)))
 
   const teamAccessRows = await db
     .select({
@@ -535,21 +687,13 @@ async function loadLlmProviders(input: {
       }))
       .sort((left, right) => left.name.localeCompare(right.name)),
     access: {
-      members: (memberAccessByProviderId.get(provider.id) ?? []).map((row) => {
-        const email = row.user?.email ?? row.invitation?.email ?? "invited@example.com"
-        return {
-          id: row.access.id,
-          orgMembershipId: row.member.id,
-          role: row.member.role,
-          user: {
-            id: row.user?.id ?? row.member.id,
-            name: row.user?.name ?? getInvitedMemberName(email),
-            email,
-            image: row.user?.image ?? null,
-          },
-          createdAt: row.access.createdAt,
-        }
-      }),
+      members: (memberAccessByProviderId.get(provider.id) ?? []).map((row) => ({
+        id: row.access.id,
+        orgMembershipId: row.member.id,
+        role: row.member.role,
+        user: row.user,
+        createdAt: row.access.createdAt,
+      })),
       teams: (teamAccessByProviderId.get(provider.id) ?? []).map((row) => ({
         id: row.access.id,
         teamId: row.team.id,
@@ -563,6 +707,69 @@ async function loadLlmProviders(input: {
 }
 
 export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVariables & Partial<MemberTeamsContext> }>(app: Hono<T>) {
+  app.post(
+    "/v1/llm-providers/openai-oauth/start",
+    describeRoute({
+      tags: ["LLM Providers"],
+      summary: "Start OpenAI OAuth device flow",
+      description: "Starts the same OpenAI/ChatGPT device auth flow used by OpenCode and returns the user code.",
+      responses: {
+        200: jsonResponse("OpenAI OAuth device flow started successfully.", openAiOauthStartResponseSchema),
+        401: jsonResponse("The caller must be signed in to connect OpenAI.", unauthorizedSchema),
+        403: jsonResponse("Only organization admins can connect OpenAI OAuth credentials.", forbiddenSchema),
+        502: jsonResponse("OpenAI OAuth could not be started.", conflictSchema),
+      },
+    }),
+    requireUserMiddleware,
+    resolveOrganizationContextMiddleware,
+    async (c) => {
+      const payload = c.get("organizationContext")
+      if (!canUseOpenAiOAuthCredentialFlow(payload)) {
+        return c.json({ error: "forbidden", message: "Only organization admins can connect OpenAI OAuth credentials." }, 403)
+      }
+
+      try {
+        return c.json(await startOpenAiDeviceAuth())
+      } catch (error) {
+        if (isRouteFailure(error)) return c.json({ error: error.error, message: error.message }, { status: error.status as 409 | 502 })
+        throw error
+      }
+    },
+  )
+
+  app.post(
+    "/v1/llm-providers/openai-oauth/complete",
+    describeRoute({
+      tags: ["LLM Providers"],
+      summary: "Complete OpenAI OAuth device flow",
+      description: "Completes OpenAI device auth and returns an OpenCode-native OAuth auth object serialized as JSON.",
+      responses: {
+        200: jsonResponse("OpenAI OAuth completed successfully.", openAiOauthCompleteResponseSchema),
+        401: jsonResponse("The caller must be signed in to complete OpenAI auth.", unauthorizedSchema),
+        403: jsonResponse("Only organization admins can connect OpenAI OAuth credentials.", forbiddenSchema),
+        409: jsonResponse("OpenAI authorization is still pending.", conflictSchema),
+        502: jsonResponse("OpenAI OAuth could not be completed.", conflictSchema),
+      },
+    }),
+    requireUserMiddleware,
+    resolveOrganizationContextMiddleware,
+    jsonValidator(openAiOauthCompleteSchema),
+    async (c) => {
+      const payload = c.get("organizationContext")
+      if (!canUseOpenAiOAuthCredentialFlow(payload)) {
+        return c.json({ error: "forbidden", message: "Only organization admins can connect OpenAI OAuth credentials." }, 403)
+      }
+
+      const input = c.req.valid("json")
+      try {
+        return c.json(await completeOpenAiDeviceAuth(input))
+      } catch (error) {
+        if (isRouteFailure(error)) return c.json({ error: error.error, message: error.message }, { status: error.status as 409 | 502 })
+        throw error
+      }
+    },
+  )
+
   app.get(
     "/v1/llm-provider-catalog",
     describeRoute({
@@ -737,8 +944,7 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
 
       return c.json({
         llmProvider: {
-          ...provider,
-          opencodeAuth: undefined,
+          ...redactLlmProviderCredentials(provider),
           ...getCredentialFlags(provider),
           models: models
             .map((model) => ({
@@ -757,11 +963,11 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
     "/v1/llm-providers/:llmProviderId/import-credential",
     describeRoute({
       tags: ["LLM Providers"],
-      summary: "Import LLM provider credential",
-      description: "Returns credential material for an organization-managed LLM provider to privileged callers only.",
+      summary: "Get LLM provider import credential",
+      description: "Returns a stored organization LLM provider credential for explicit import into a managed OpenCode client.",
       responses: {
-        200: jsonResponse("Provider credential returned successfully.", llmProviderResponseSchema),
-        400: jsonResponse("The provider path parameters were invalid.", invalidRequestSchema),
+        200: jsonResponse("Provider import credential returned successfully.", llmProviderResponseSchema),
+        400: jsonResponse("The provider import path parameters were invalid.", invalidRequestSchema),
         401: jsonResponse("The caller must be signed in to import an organization LLM provider credential.", unauthorizedSchema),
         403: jsonResponse("Only members who can manage this provider can import its credential.", forbiddenSchema),
         404: jsonResponse("The provider could not be found.", notFoundSchema),
@@ -788,7 +994,10 @@ export function registerOrgLlmProviderRoutes<T extends { Variables: OrgRouteVari
         .limit(1)
 
       const provider = providerRows[0]
-      if (!provider) return c.json({ error: "llm_provider_not_found" }, 404)
+      if (!provider) {
+        return c.json({ error: "llm_provider_not_found" }, 404)
+      }
+
       if (!canImportLlmProviderCredential(payload)) {
         return c.json({ error: "forbidden", message: "Only organization admins can import provider credentials." }, 403)
       }
diff --git a/ee/apps/den-api/test/llm-providers-oauth.test.ts b/ee/apps/den-api/test/llm-providers-oauth.test.ts
new file mode 100644
index 0000000000..d985fbd88a
--- /dev/null
+++ b/ee/apps/den-api/test/llm-providers-oauth.test.ts
@@ -0,0 +1,198 @@
+import { beforeAll, expect, test } from "bun:test"
+import { readFile } from "node:fs/promises"
+import { Hono } from "hono"
+
+function seedRequiredEnv() {
+  process.env.DATABASE_URL = process.env.DATABASE_URL ?? "mysql://root:password@127.0.0.1:3306/openwork_test"
+  process.env.DEN_DB_ENCRYPTION_KEY = process.env.DEN_DB_ENCRYPTION_KEY ?? "x".repeat(32)
+  process.env.BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET ?? "y".repeat(32)
+  process.env.BETTER_AUTH_URL = process.env.BETTER_AUTH_URL ?? "http://127.0.0.1:8790"
+  process.env.CORS_ORIGINS = process.env.CORS_ORIGINS ?? "http://127.0.0.1:8790"
+}
+
+let llmProviderModule: typeof import("../src/routes/org/llm-providers.js")
+
+beforeAll(async () => {
+  seedRequiredEnv()
+  llmProviderModule = await import("../src/routes/org/llm-providers.js")
+})
+
+function createRouteApp() {
+  const app = new Hono()
+  llmProviderModule.registerOrgLlmProviderRoutes(app)
+  return app
+}
+
+function jwtWithClaims(claims: Record<string, unknown>) {
+  return [
+    Buffer.from(JSON.stringify({ alg: "none" })).toString("base64url"),
+    Buffer.from(JSON.stringify(claims)).toString("base64url"),
+    "signature",
+  ].join(".")
+}
+
+test("generic provider payload redaction removes API key and OAuth auth material", () => {
+  const redacted = llmProviderModule.redactLlmProviderCredentials({
+    id: "llmProvider_secret_123",
+    apiKey: "sk-secret",
+    opencodeAuth: JSON.stringify({ type: "oauth", access: "access", refresh: "refresh", expires: 1 }),
+  })
+
+  expect(redacted).toEqual({
+    id: "llmProvider_secret_123",
+    apiKey: undefined,
+    opencodeAuth: undefined,
+  })
+})
+
+test("credential flags expose presence only, never credential values", () => {
+  expect(llmProviderModule.getCredentialFlags({
+    credentialKind: "opencode_oauth",
+    apiKey: "sk-secret",
+    opencodeAuth: JSON.stringify({ type: "oauth", access: "access", refresh: "refresh", expires: 1 }),
+  })).toEqual({ hasApiKey: true, hasOpencodeAuth: true, hasCredential: true })
+})
+
+test("OpenCode OAuth credential type rejects non-OpenAI providers", () => {
+  expect(llmProviderModule.isOpencodeOauthProviderAllowed("openai")).toBe(true)
+  expect(llmProviderModule.isOpencodeOauthProviderAllowed(" OpenAI ")).toBe(true)
+  expect(llmProviderModule.isOpencodeOauthProviderAllowed("anthropic")).toBe(false)
+  expect(llmProviderModule.isOpencodeOauthProviderAllowed(undefined)).toBe(false)
+})
+
+test("OAuth credential and import permission gates require organization admin role", () => {
+  const owner = { currentMember: { isOwner: true, role: "member" } }
+  const admin = { currentMember: { isOwner: false, role: "admin" } }
+  const creatorOnly = { currentMember: { isOwner: false, role: "member" } }
+
+  expect(llmProviderModule.canUseOpenAiOAuthCredentialFlow(owner)).toBe(true)
+  expect(llmProviderModule.canUseOpenAiOAuthCredentialFlow(admin)).toBe(true)
+  expect(llmProviderModule.canUseOpenAiOAuthCredentialFlow(creatorOnly)).toBe(false)
+  expect(llmProviderModule.canImportLlmProviderCredential(owner)).toBe(true)
+  expect(llmProviderModule.canImportLlmProviderCredential(admin)).toBe(true)
+  expect(llmProviderModule.canImportLlmProviderCredential(creatorOnly)).toBe(false)
+})
+
+test("OpenAI OAuth routes require an authenticated caller before returning credential material", async () => {
+  const app = createRouteApp()
+
+  const startResponse = await app.request("http://den.local/v1/llm-providers/openai-oauth/start", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({}),
+  })
+  expect(startResponse.status).toBe(401)
+  await expect(startResponse.json()).resolves.toEqual({ error: "unauthorized" })
+
+  const completeResponse = await app.request("http://den.local/v1/llm-providers/openai-oauth/complete", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ deviceAuthId: "dev", userCode: "code" }),
+  })
+  expect(completeResponse.status).toBe(401)
+  await expect(completeResponse.json()).resolves.toEqual({ error: "unauthorized" })
+})
+
+test("purpose-specific import endpoint requires authentication", async () => {
+  const app = createRouteApp()
+  const response = await app.request("http://den.local/v1/llm-providers/llmProvider_secret_123/import-credential", {
+    method: "GET",
+  })
+
+  expect(response.status).toBe(401)
+  await expect(response.json()).resolves.toEqual({ error: "unauthorized" })
+})
+
+test("OpenAI OAuth completion reports pending authorization without tokens", async () => {
+  const originalFetch = globalThis.fetch
+  globalThis.fetch = (async () => new Response(JSON.stringify({}), { status: 403 })) as typeof fetch
+  try {
+    await expect(llmProviderModule.completeOpenAiDeviceAuth({
+      deviceAuthId: "device-pending",
+      userCode: "CODE",
+    })).rejects.toMatchObject({ error: "openai_oauth_pending", status: 409 })
+  } finally {
+    globalThis.fetch = originalFetch
+  }
+})
+
+test("OpenAI OAuth start reports upstream failure without credential material", async () => {
+  const originalFetch = globalThis.fetch
+  globalThis.fetch = (async () => new Response(JSON.stringify({ error: "upstream" }), { status: 500 })) as typeof fetch
+  try {
+    await expect(llmProviderModule.startOpenAiDeviceAuth()).rejects.toMatchObject({
+      error: "openai_oauth_start_failed",
+      status: 502,
+    })
+  } finally {
+    globalThis.fetch = originalFetch
+  }
+})
+
+test("OpenAI OAuth completion reports token exchange failure without credential material", async () => {
+  const originalFetch = globalThis.fetch
+  globalThis.fetch = (async (input: RequestInfo | URL) => {
+    const url = String(input)
+    if (url.endsWith("/api/accounts/deviceauth/token")) {
+      return Response.json({ authorization_code: "authorization-code", code_verifier: "verifier" })
+    }
+    if (url.endsWith("/oauth/token")) {
+      return new Response(JSON.stringify({ error: "exchange_failed" }), { status: 500 })
+    }
+    return new Response("not found", { status: 404 })
+  }) as typeof fetch
+
+  try {
+    await expect(llmProviderModule.completeOpenAiDeviceAuth({
+      deviceAuthId: "device-failure",
+      userCode: "CODE",
+    })).rejects.toMatchObject({ error: "openai_oauth_complete_failed", status: 502 })
+  } finally {
+    globalThis.fetch = originalFetch
+  }
+})
+
+test("OpenAI OAuth completion returns importable OpenCode OAuth auth on success", async () => {
+  const originalFetch = globalThis.fetch
+  const calls: string[] = []
+  globalThis.fetch = (async (input: RequestInfo | URL) => {
+    const url = String(input)
+    calls.push(url)
+    if (url.endsWith("/api/accounts/deviceauth/token")) {
+      return Response.json({ authorization_code: "authorization-code", code_verifier: "verifier" })
+    }
+    if (url.endsWith("/oauth/token")) {
+      return Response.json({
+        access_token: jwtWithClaims({ chatgpt_account_id: "acct_123" }),
+        refresh_token: "refresh-token",
+        expires_in: 60,
+      })
+    }
+    return new Response("not found", { status: 404 })
+  }) as typeof fetch
+
+  try {
+    const completed = await llmProviderModule.completeOpenAiDeviceAuth({
+      deviceAuthId: "device-complete",
+      userCode: "CODE",
+    })
+    const auth = JSON.parse(completed.opencodeAuth) as Record<string, unknown>
+
+    expect(calls).toHaveLength(2)
+    expect(auth.type).toBe("oauth")
+    expect(typeof auth.access).toBe("string")
+    expect(auth.refresh).toBe("refresh-token")
+    expect(auth.accountId).toBe("acct_123")
+    expect(completed.accountId).toBe("acct_123")
+    expect(typeof auth.expires).toBe("number")
+  } finally {
+    globalThis.fetch = originalFetch
+  }
+})
+
+test("LLM provider migration journal remains valid JSON", async () => {
+  const journal = await readFile(new URL("../../../packages/den-db/drizzle/meta/_journal.json", import.meta.url), "utf8")
+  const parsed = JSON.parse(journal) as { entries?: Array<{ tag?: string }> }
+
+  expect(parsed.entries?.some((entry) => entry.tag === "0019_llm_provider_opencode_oauth")).toBe(true)
+})
diff --git a/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-data.tsx b/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-data.tsx
index 751b911462..53c89d7e0e 100644
--- a/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-data.tsx
+++ b/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-data.tsx
@@ -4,6 +4,7 @@ import { useEffect, useState } from "react";
 import { getErrorMessage, requestJson } from "../../_lib/den-flow";
 
 export type DenLlmProviderSource = "models_dev" | "custom" | "openwork";
+export type DenLlmProviderCredentialKind = "api_key" | "opencode_oauth";
 
 export type DenLlmProviderModel = {
   id: string;
@@ -41,7 +42,10 @@ export type DenLlmProvider = {
   providerId: string;
   name: string;
   providerConfig: Record<string, unknown>;
+  credentialKind: DenLlmProviderCredentialKind;
   hasApiKey: boolean;
+  hasOpencodeAuth: boolean;
+  hasCredential: boolean;
   createdAt: string | null;
   updatedAt: string | null;
   canManage: boolean;
@@ -178,6 +182,7 @@ function asLlmProvider(value: unknown): DenLlmProvider | null {
     value.source === "models_dev" || value.source === "custom" || value.source === "openwork"
       ? value.source
       : null;
+  const credentialKind = value.credentialKind === "opencode_oauth" ? "opencode_oauth" : "api_key";
   if (!id || !organizationId || !createdByOrgMembershipId || !providerId || !name || !source) {
     return null;
   }
@@ -190,7 +195,10 @@ function asLlmProvider(value: unknown): DenLlmProvider | null {
     providerId,
     name,
     providerConfig: asJsonRecord(value.providerConfig),
+    credentialKind,
     hasApiKey: value.hasApiKey === true,
+    hasOpencodeAuth: value.hasOpencodeAuth === true,
+    hasCredential: value.hasCredential === true || value.hasApiKey === true || value.hasOpencodeAuth === true,
     createdAt: asIsoString(value.createdAt),
     updatedAt: asIsoString(value.updatedAt),
     canManage: value.canManage === true,
diff --git a/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-detail-screen.tsx b/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-detail-screen.tsx
index c208bfdaa9..4b50aac65c 100644
--- a/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-detail-screen.tsx
+++ b/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-detail-screen.tsx
@@ -185,10 +185,10 @@ export function LlmProviderDetailScreen({
                     </div>
 
                     <div
-                        className={`inline-flex items-center gap-2 rounded-full px-4 py-2 text-[13px] font-medium ${provider.hasApiKey ? "bg-emerald-50 text-emerald-700" : "bg-amber-50 text-amber-700"}`}
+                        className={`inline-flex items-center gap-2 rounded-full px-4 py-2 text-[13px] font-medium ${provider.hasCredential ? "bg-emerald-50 text-emerald-700" : "bg-amber-50 text-amber-700"}`}
                     >
                         <KeyRound className="h-4 w-4" />
-                        {provider.hasApiKey
+                        {provider.hasCredential
                             ? "Credential saved"
                             : "Credential missing"}
                     </div>
@@ -221,10 +221,10 @@ export function LlmProviderDetailScreen({
                     </div>
                     <div className="rounded-[24px] bg-gray-50 p-5">
                         <p className="text-[12px] font-semibold uppercase tracking-[0.16em] text-gray-400">
-                            Updated
+                            Credential
                         </p>
                         <p className="mt-3 text-[16px] font-medium text-gray-900">
-                            {formatProviderTimestamp(provider.updatedAt)}
+                            {provider.credentialKind === "opencode_oauth" ? "OpenCode OAuth" : "API key"}
                         </p>
                     </div>
                 </div>
diff --git a/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-editor-screen.tsx b/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-editor-screen.tsx
index fec4fc356b..d07a559201 100644
--- a/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-editor-screen.tsx
+++ b/ee/apps/den-web/app/(den)/dashboard/_components/llm-provider-editor-screen.tsx
@@ -34,6 +34,7 @@ import {
     requestLlmProviderCatalogDetail,
     useOrgLlmProviders,
     type DenLlmProvider,
+    type DenLlmProviderCredentialKind,
     type DenModelsDevProviderDetail,
     type DenModelsDevProviderSummary,
 } from "./llm-provider-data";
@@ -88,7 +89,18 @@ export function LlmProviderEditorScreen({
     const [customConfigText, setCustomConfigText] = useState(
         buildCustomProviderTemplate(),
     );
+    const [credentialKind, setCredentialKind] =
+        useState<DenLlmProviderCredentialKind>("api_key");
     const [apiKey, setApiKey] = useState("");
+    const [opencodeAuth, setOpencodeAuth] = useState("");
+    const [openAiOauthBusy, setOpenAiOauthBusy] = useState(false);
+    const [openAiOauthError, setOpenAiOauthError] = useState<string | null>(null);
+    const [openAiOauthSession, setOpenAiOauthSession] = useState<{
+        verificationUrl: string;
+        userCode: string;
+        deviceAuthId: string;
+        intervalMs: number;
+    } | null>(null);
     const [selectedMemberIds, setSelectedMemberIds] = useState<string[]>([]);
     const [selectedTeamIds, setSelectedTeamIds] = useState<string[]>([]);
     const [saveBusy, setSaveBusy] = useState(false);
@@ -146,7 +158,11 @@ export function LlmProviderEditorScreen({
                     ? buildEditableCustomProviderText(provider)
                     : buildCustomProviderTemplate(),
             );
+            setCredentialKind(provider.credentialKind);
             setApiKey("");
+            setOpencodeAuth("");
+            setOpenAiOauthError(null);
+            setOpenAiOauthSession(null);
             return;
         }
 
@@ -159,9 +175,90 @@ export function LlmProviderEditorScreen({
         );
         setSelectedTeamIds([]);
         setCustomConfigText(buildCustomProviderTemplate());
+        setCredentialKind("api_key");
         setApiKey("");
+        setOpencodeAuth("");
+        setOpenAiOauthError(null);
+        setOpenAiOauthSession(null);
     }, [orgContext?.currentMember.id, provider]);
 
+    useEffect(() => {
+        setOpenAiOauthError(null);
+        setOpenAiOauthSession(null);
+    }, [credentialKind, selectedProviderId, source]);
+
+    async function startOpenAiOauth() {
+        setOpenAiOauthBusy(true);
+        setOpenAiOauthError(null);
+        try {
+            const { response, payload } = await requestJson(
+                "/v1/llm-providers/openai-oauth/start",
+                { method: "POST", body: JSON.stringify({}) },
+                20000,
+            );
+            if (!response.ok) {
+                throw new Error(getErrorMessage(payload, `Failed to start OpenAI OAuth (${response.status}).`));
+            }
+            if (!payload || typeof payload !== "object") {
+                throw new Error("OpenAI OAuth response was empty.");
+            }
+            const data = payload as Record<string, unknown>;
+            if (
+                typeof data.verificationUrl !== "string" ||
+                typeof data.userCode !== "string" ||
+                typeof data.deviceAuthId !== "string" ||
+                typeof data.intervalMs !== "number"
+            ) {
+                throw new Error("OpenAI OAuth response was incomplete.");
+            }
+            setOpenAiOauthSession({
+                verificationUrl: data.verificationUrl,
+                userCode: data.userCode,
+                deviceAuthId: data.deviceAuthId,
+                intervalMs: data.intervalMs,
+            });
+            window.open(data.verificationUrl, "_blank", "noopener,noreferrer");
+        } catch (error) {
+            setOpenAiOauthError(error instanceof Error ? error.message : "Could not start OpenAI OAuth.");
+        } finally {
+            setOpenAiOauthBusy(false);
+        }
+    }
+
+    async function completeOpenAiOauth() {
+        if (!openAiOauthSession) {
+            setOpenAiOauthError("Start OpenAI OAuth first.");
+            return;
+        }
+        setOpenAiOauthBusy(true);
+        setOpenAiOauthError(null);
+        try {
+            const { response, payload } = await requestJson(
+                "/v1/llm-providers/openai-oauth/complete",
+                {
+                    method: "POST",
+                    body: JSON.stringify({
+                        deviceAuthId: openAiOauthSession.deviceAuthId,
+                        userCode: openAiOauthSession.userCode,
+                    }),
+                },
+                20000,
+            );
+            if (!response.ok) {
+                throw new Error(getErrorMessage(payload, response.status === 409 ? "OpenAI authorization is not complete yet." : `Failed to complete OpenAI OAuth (${response.status}).`));
+            }
+            if (!payload || typeof payload !== "object" || typeof (payload as Record<string, unknown>).opencodeAuth !== "string") {
+                throw new Error("OpenAI OAuth completion response was incomplete.");
+            }
+            setOpencodeAuth((payload as { opencodeAuth: string }).opencodeAuth);
+            setOpenAiOauthSession(null);
+        } catch (error) {
+            setOpenAiOauthError(error instanceof Error ? error.message : "Could not complete OpenAI OAuth.");
+        } finally {
+            setOpenAiOauthBusy(false);
+        }
+    }
+
     useEffect(() => {
         if (source !== "models_dev" || !orgId || !selectedProviderId) {
             setCatalogDetail(null);
@@ -286,6 +383,11 @@ export function LlmProviderEditorScreen({
             }
         }
 
+        if (credentialKind === "opencode_oauth" && source === "models_dev" && selectedProviderId !== "openai") {
+            setSaveError("OpenCode OAuth credentials are only available for the OpenAI catalog provider.");
+            return;
+        }
+
         if (source === "custom" && !customConfigText.trim()) {
             setSaveError("Paste a custom provider config.");
             return;
@@ -297,6 +399,7 @@ export function LlmProviderEditorScreen({
             const body: Record<string, unknown> = {
                 name: providerName.trim(),
                 source,
+                credentialKind,
                 memberIds: [...new Set(selectedMemberIds)],
                 teamIds: [...new Set(selectedTeamIds)],
             };
@@ -308,10 +411,14 @@ export function LlmProviderEditorScreen({
                 body.customConfigText = customConfigText;
             }
 
-            if (apiKey.trim() || !provider) {
+            if (credentialKind === "api_key" && (apiKey.trim() || !provider || provider.credentialKind !== "api_key")) {
                 body.apiKey = apiKey.trim();
             }
 
+            if (credentialKind === "opencode_oauth" && (opencodeAuth.trim() || !provider || provider.credentialKind !== "opencode_oauth")) {
+                body.opencodeAuth = opencodeAuth.trim();
+            }
+
             const path = provider
                 ? `/v1/llm-providers/${encodeURIComponent(provider.id)}`
                 : `/v1/llm-providers`;
@@ -607,28 +714,113 @@ export function LlmProviderEditorScreen({
                             Credential
                         </h2>
                     </div>
-                    {provider?.hasApiKey ? (
+                    {provider?.hasCredential ? (
                         <span className="rounded-full bg-emerald-50 px-4 py-2 text-[13px] font-medium text-emerald-700">
                             Existing credential saved
                         </span>
                     ) : null}
                 </div>
 
-                <label className="grid gap-3">
-                    <span className="text-[14px] font-medium text-gray-700">
-                        API key / credential
-                    </span>
-                    <DenInput
-                        type="password"
-                        value={apiKey}
-                        onChange={(event) => setApiKey(event.target.value)}
-                        placeholder={
-                            provider?.hasApiKey
-                                ? "Leave blank to keep current credential"
-                                : "Paste the provider credential"
-                        }
+                <div className="mb-6 grid gap-3 md:grid-cols-2">
+                    <DenSelectableRow
+                        selected={credentialKind === "api_key"}
+                        title="API key"
+                        description="Store a provider API key and import it into teammates' workspaces."
+                        onClick={() => setCredentialKind("api_key")}
                     />
-                </label>
+                    <DenSelectableRow
+                        selected={credentialKind === "opencode_oauth"}
+                        title="OpenCode OAuth"
+                        description="Store the native OpenCode OAuth auth JSON for the OpenAI provider."
+                        onClick={() => setCredentialKind("opencode_oauth")}
+                    />
+                </div>
+
+                {credentialKind === "api_key" ? (
+                    <label className="grid gap-3">
+                        <span className="text-[14px] font-medium text-gray-700">
+                            API key / credential
+                        </span>
+                        <DenInput
+                            type="password"
+                            value={apiKey}
+                            onChange={(event) => setApiKey(event.target.value)}
+                            placeholder={
+                                provider?.credentialKind === "api_key" && provider.hasApiKey
+                                    ? "Leave blank to keep current credential"
+                                    : "Paste the provider credential"
+                            }
+                        />
+                    </label>
+                ) : (
+                    <div className="grid gap-4">
+                        <div className="rounded-[24px] border border-blue-100 bg-blue-50 p-5">
+                            <div className="flex flex-col gap-3 md:flex-row md:items-start md:justify-between">
+                                <div>
+                                    <p className="text-[14px] font-semibold text-blue-950">Connect OpenAI with OpenCode OAuth</p>
+                                    <p className="mt-2 text-[13px] leading-6 text-blue-800">
+                                        This uses the same ChatGPT Pro/Plus device flow as OpenCode, then stores the resulting OAuth auth JSON encrypted in Den.
+                                    </p>
+                                </div>
+                                <DenButton
+                                    variant="secondary"
+                                    loading={openAiOauthBusy && !openAiOauthSession}
+                                    onClick={() => void startOpenAiOauth()}
+                                >
+                                    Connect OpenAI
+                                </DenButton>
+                            </div>
+
+                            {openAiOauthSession ? (
+                                <div className="mt-5 rounded-[18px] bg-white p-4 ring-1 ring-inset ring-blue-100">
+                                    <p className="text-[13px] font-medium text-gray-800">Enter this code on OpenAI:</p>
+                                    <div className="mt-3 inline-flex rounded-xl bg-gray-950 px-4 py-2 font-mono text-[22px] font-semibold tracking-[0.18em] text-white">
+                                        {openAiOauthSession.userCode}
+                                    </div>
+                                    <div className="mt-4 flex flex-wrap gap-3">
+                                        <a
+                                            href={openAiOauthSession.verificationUrl}
+                                            target="_blank"
+                                            rel="noreferrer"
+                                            className="inline-flex items-center justify-center rounded-full bg-white px-4 py-2 text-[13px] font-medium text-gray-700 ring-1 ring-inset ring-gray-200 transition hover:bg-gray-50"
+                                        >
+                                            Open OpenAI page
+                                        </a>
+                                        <DenButton
+                                            loading={openAiOauthBusy}
+                                            onClick={() => void completeOpenAiOauth()}
+                                        >
+                                            I finished authorization
+                                        </DenButton>
+                                    </div>
+                                </div>
+                            ) : null}
+
+                            {openAiOauthError ? (
+                                <p className="mt-4 text-[13px] leading-6 text-red-700">{openAiOauthError}</p>
+                            ) : null}
+                        </div>
+
+                        <label className="grid gap-3">
+                            <span className="text-[14px] font-medium text-gray-700">
+                                OpenCode OAuth JSON
+                            </span>
+                            <DenTextarea
+                                value={opencodeAuth}
+                                onChange={(event) => setOpencodeAuth(event.target.value)}
+                                rows={8}
+                                placeholder={
+                                    provider?.credentialKind === "opencode_oauth" && provider.hasOpencodeAuth
+                                        ? "Leave blank to keep current OpenCode OAuth credential"
+                                        : '{ "type": "oauth", "access": "...", "refresh": "...", "expires": 0 }'
+                                }
+                            />
+                            <p className="text-[13px] leading-6 text-gray-500">
+                                You can connect above or paste the same auth shape OpenCode writes to auth.json for OAuth providers.
+                            </p>
+                        </label>
+                    </div>
+                )}
             </section>
 
             {source === "models_dev" ? (
diff --git a/ee/apps/den-web/app/(den)/dashboard/_components/llm-providers-screen.tsx b/ee/apps/den-web/app/(den)/dashboard/_components/llm-providers-screen.tsx
index b79821e7c5..46883035b5 100644
--- a/ee/apps/den-web/app/(den)/dashboard/_components/llm-providers-screen.tsx
+++ b/ee/apps/den-web/app/(den)/dashboard/_components/llm-providers-screen.tsx
@@ -182,9 +182,9 @@ export function LlmProvidersScreen() {
                 </div>
 
                 <div className="mt-5 flex flex-wrap gap-2">
-                  <span className={`inline-flex items-center gap-1 rounded-full px-3 py-1 text-[12px] font-medium ${provider.hasApiKey ? "bg-emerald-50 text-emerald-700" : "bg-amber-50 text-amber-700"}`}>
+                  <span className={`inline-flex items-center gap-1 rounded-full px-3 py-1 text-[12px] font-medium ${provider.hasCredential ? "bg-emerald-50 text-emerald-700" : "bg-amber-50 text-amber-700"}`}>
                     <KeyRound className="h-3.5 w-3.5" />
-                    {provider.hasApiKey ? "Credential saved" : "Credential missing"}
+                    {provider.hasCredential ? (provider.credentialKind === "opencode_oauth" ? "OpenCode OAuth" : "Credential saved") : "Credential missing"}
                   </span>
                   {envNames.slice(0, 2).map((envName) => (
                     <span key={envName} className="rounded-full bg-gray-100 px-3 py-1 text-[12px] font-medium text-gray-600">

From e5fcafa290392a66fad3303f9cd9a47afbfb4886 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Tue, 26 May 2026 23:12:53 +0200
Subject: [PATCH 05/12] fix: TASK-2026-05-26-014 sync managed providers to
 remote workers

Route Den-backed remote workspaces through the managed-provider sync endpoint for background sync and manual Cloud Provider import. Add focused client coverage for successful and sanitized failure paths.
---
 apps/app/src/app/lib/den.ts                   | 41 ++++++++
 .../connections/provider-auth/store.ts        | 95 ++++++++++++++++++-
 .../tests/den-managed-provider-sync.test.ts   | 81 ++++++++++++++++
 3 files changed, 214 insertions(+), 3 deletions(-)
 create mode 100644 apps/app/tests/den-managed-provider-sync.test.ts

diff --git a/apps/app/src/app/lib/den.ts b/apps/app/src/app/lib/den.ts
index 0f425a9473..072f99e2f6 100644
--- a/apps/app/src/app/lib/den.ts
+++ b/apps/app/src/app/lib/den.ts
@@ -128,6 +128,13 @@ export type DenOrgLlmProviderConnection = DenOrgLlmProvider & {
   opencodeAuth: string | null;
 };
 
+export type DenManagedProviderSyncResult = {
+  status: "applied" | "failed";
+  providerCount: number;
+  revision: string;
+  reason?: string;
+};
+
 export type DenPluginConfigObjectType = "skill" | "agent" | "command" | "tool" | "mcp" | "hook" | "context" | "custom";
 
 export type DenPluginConfigObjectVersion = {
@@ -947,6 +954,19 @@ function getDenOrgLlmProviderConnection(payload: unknown): DenOrgLlmProviderConn
   };
 }
 
+function getDenManagedProviderSyncResult(payload: unknown): DenManagedProviderSyncResult | null {
+  if (!isRecord(payload)) return null;
+  if (payload.status !== "applied" && payload.status !== "failed") return null;
+  if (typeof payload.providerCount !== "number" || !Number.isInteger(payload.providerCount) || payload.providerCount < 0) return null;
+  if (typeof payload.revision !== "string") return null;
+  return {
+    status: payload.status,
+    providerCount: payload.providerCount,
+    revision: payload.revision,
+    ...(typeof payload.reason === "string" ? { reason: payload.reason } : {}),
+  };
+}
+
 function parsePluginConfigObjectType(value: unknown): DenPluginConfigObjectType | null {
   return value === "skill" || value === "agent" || value === "command" || value === "tool" ||
     value === "mcp" || value === "hook" || value === "context" || value === "custom"
@@ -1499,6 +1519,27 @@ export function createDenClient(options: { baseUrl: string; apiBaseUrl?: string
       return provider;
     },
 
+    async syncWorkerManagedProviders(orgId: string, workerId: string): Promise<DenManagedProviderSyncResult> {
+      const payload = await requestJson<unknown>(
+        baseUrls,
+        `/v1/workers/${encodeURIComponent(workerId)}/managed-providers/sync`,
+        {
+          method: "POST",
+          token,
+          organizationId: orgId,
+          body: {},
+        },
+      );
+      const result = getDenManagedProviderSyncResult(payload);
+      if (!result) {
+        throw new DenApiError(500, "invalid_managed_provider_sync_payload", "Managed provider sync response was invalid.");
+      }
+      if (result.status !== "applied") {
+        throw new DenApiError(502, "managed_provider_sync_failed", result.reason ?? "Managed provider sync failed.");
+      }
+      return result;
+    },
+
     async listOrgMarketplaces(orgId: string): Promise<DenOrgMarketplace[]> {
       const payload = await requestJson<unknown>(
         baseUrls,
diff --git a/apps/app/src/react-app/domains/connections/provider-auth/store.ts b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
index 192c403d36..90b5b4391c 100644
--- a/apps/app/src/react-app/domains/connections/provider-auth/store.ts
+++ b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
@@ -1429,6 +1429,23 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
   }
 
   async function connectCloudProvider(cloudProviderId: string) {
+    const target = getRemoteManagedProviderSyncTarget();
+    if (target) {
+      setStateField("providerAuthError", null);
+      try {
+        const liveProviders = await refreshCloudOrgProviders({ force: true });
+        const provider = liveProviders.find((entry) => entry.id === cloudProviderId);
+        if (!provider) {
+          throw new Error("Organization provider is no longer available.");
+        }
+        await syncRemoteManagedProviders("settings_cloud_opened", liveProviders, state.importedCloudProviders);
+        return `${t("status.connected")} ${provider.name}`;
+      } catch (error) {
+        const message = describeProviderError(error, "Failed to sync organization provider to the remote worker.");
+        setStateField("providerAuthError", message);
+        throw error instanceof Error ? error : new Error(message);
+      }
+    }
     return await connectCloudProviderInternal(cloudProviderId);
   }
 
@@ -1526,6 +1543,75 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
     (importedProvider.updatedAt ?? null) !== (provider.updatedAt ?? null) ||
     !sameStringList(importedProvider.modelIds, sortStrings(provider.models.map((model) => model.id)));
 
+  const getRemoteManagedProviderSyncTarget = () => {
+    const workspace = options.selectedWorkspaceDisplay();
+    if (workspace.workspaceType !== "remote") return null;
+    const workerId = workspace.openworkDenWorkerId?.trim() ?? "";
+    if (!workerId) return null;
+
+    const settings = readDenSettings();
+    const orgId = settings.activeOrgId?.trim() ?? "";
+    if (!settings.authToken?.trim() || !orgId) return null;
+    const workspaceOrgId = workspace.openworkDenOrgId?.trim() ?? "";
+    if (workspaceOrgId && workspaceOrgId !== orgId) return null;
+
+    return { settings, orgId, workerId };
+  };
+
+  const rememberRemoteManagedProviderSync = async (providers: DenOrgLlmProvider[]) => {
+    const nextImportedProviders = Object.fromEntries(
+      providers.map((provider) => [
+        provider.id,
+        {
+          cloudProviderId: provider.id,
+          providerId: getCloudManagedProviderId(provider),
+          sourceProviderId: provider.providerId,
+          name: provider.name,
+          source: provider.source,
+          updatedAt: provider.updatedAt ?? null,
+          modelIds: getProviderModelIds(provider),
+          importedAt: Date.now(),
+        },
+      ]),
+    );
+    await persistImportedCloudProviders(nextImportedProviders);
+  };
+
+  const syncRemoteManagedProviders = async (
+    reason: CloudProviderSyncReason,
+    liveProviders: DenOrgLlmProvider[],
+    importedProviders: Record<string, CloudImportedProvider>,
+  ) => {
+    const target = getRemoteManagedProviderSyncTarget();
+    if (!target) return false;
+
+    const den = createDenClient({
+      baseUrl: target.settings.baseUrl,
+      apiBaseUrl: target.settings.apiBaseUrl,
+      token: target.settings.authToken,
+    });
+    await den.syncWorkerManagedProviders(target.orgId, target.workerId);
+    await rememberRemoteManagedProviderSync(liveProviders);
+    await refreshProviders({ dispose: true }).catch(() => null);
+    const newlyImported = liveProviders.filter((provider) => !importedProviders[provider.id]);
+    if (newlyImported.length > 0) {
+      dispatchNewProviders({
+        providers: newlyImported.map((provider) => {
+          const firstModel = provider.models[0] ?? null;
+          return {
+            id: provider.id,
+            name: provider.name,
+            providerId: provider.providerId,
+            firstModelId: firstModel?.id,
+            firstModelName: firstModel?.name ?? firstModel?.id,
+          };
+        }),
+        source: reason === "sign_in" ? "sign_in" : "cloud_sync",
+      });
+    }
+    return true;
+  };
+
   async function performCloudProviderSync(reason: CloudProviderSyncReason) {
     if (!hasCloudProviderSyncPrerequisites()) {
       return;
@@ -1535,6 +1621,11 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
       refreshImportedCloudProviders(),
       refreshCloudOrgProviders({ force: true }),
     ]);
+
+    if (await syncRemoteManagedProviders(reason, liveProviders, importedProviders)) {
+      return;
+    }
+
     const liveProviderMap = new Map(liveProviders.map((provider) => [provider.id, provider]));
     const failures: string[] = [];
     const processedLiveProviderIds = new Set<string>();
@@ -1620,9 +1711,7 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
     const request = performCloudProviderSync(reason)
       .catch((error) => {
         const message = logCloudProviderSyncError(reason, error);
-        if (reason === "settings_cloud_opened") {
-          setStateField("providerAuthError", message);
-        }
+        setStateField("providerAuthError", message);
       })
       .finally(() => {
         cloudProviderSyncInFlight = null;
diff --git a/apps/app/tests/den-managed-provider-sync.test.ts b/apps/app/tests/den-managed-provider-sync.test.ts
new file mode 100644
index 0000000000..a580e4b615
--- /dev/null
+++ b/apps/app/tests/den-managed-provider-sync.test.ts
@@ -0,0 +1,81 @@
+import { afterEach, describe, expect, test } from "bun:test";
+
+import { createDenClient, DenApiError } from "../src/app/lib/den";
+
+const originalFetch = globalThis.fetch;
+
+describe("Den managed provider worker sync client", () => {
+  afterEach(() => {
+    Object.defineProperty(globalThis, "fetch", {
+      configurable: true,
+      value: originalFetch,
+    });
+  });
+
+  test("posts to the org-scoped worker sync endpoint", async () => {
+    const calls: Array<{ url: string; method: string; org: string | null; authorized: boolean; body: string | null }> = [];
+    const fetchMock: typeof fetch = async (input, init) => {
+      const headers = new Headers(init?.headers);
+      calls.push({
+        url: String(input),
+        method: init?.method ?? "GET",
+        org: headers.get("x-openwork-legacy-org-id"),
+        authorized: headers.get("authorization") === "Bearer user-token",
+        body: typeof init?.body === "string" ? init.body : null,
+      });
+      return new Response(JSON.stringify({
+        status: "applied",
+        providerCount: 1,
+        revision: "safe-revision",
+      }), {
+        headers: { "Content-Type": "application/json" },
+        status: 200,
+      });
+    };
+
+    Object.defineProperty(globalThis, "fetch", {
+      configurable: true,
+      value: fetchMock,
+    });
+
+    const client = createDenClient({ baseUrl: "http://den.local", token: "user-token" });
+    const result = await client.syncWorkerManagedProviders("org_test", "wrk_test");
+
+    expect(result).toEqual({ status: "applied", providerCount: 1, revision: "safe-revision" });
+    expect(calls).toEqual([{
+      url: "http://den.local/v1/workers/wrk_test/managed-providers/sync",
+      method: "POST",
+      org: "org_test",
+      authorized: true,
+      body: "{}",
+    }]);
+  });
+
+  test("surfaces sanitized worker sync failures", async () => {
+    const secret = "sk-secret-value";
+    const fetchMock: typeof fetch = async () => new Response(JSON.stringify({
+      error: "managed_provider_sync_failed",
+      message: "Worker provider sync failed.",
+      details: { redacted: true },
+      secret,
+    }), {
+      headers: { "Content-Type": "application/json" },
+      status: 502,
+    });
+
+    Object.defineProperty(globalThis, "fetch", {
+      configurable: true,
+      value: fetchMock,
+    });
+
+    const client = createDenClient({ baseUrl: "http://den.local", token: "user-token" });
+
+    await expect(client.syncWorkerManagedProviders("org_test", "wrk_test")).rejects.toThrow("Worker provider sync failed.");
+    try {
+      await client.syncWorkerManagedProviders("org_test", "wrk_test");
+    } catch (error) {
+      expect(error).toBeInstanceOf(DenApiError);
+      expect(error instanceof Error ? error.message.includes(secret) : true).toBe(false);
+    }
+  });
+});

From 4dbe93fa1b7b0f24743b49e0ff3206a98ef5994b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Wed, 27 May 2026 23:18:49 +0200
Subject: [PATCH 06/12] fix: TASK-2026-05-26-020 guard managed model picker

Apply the cloud managed model allowlist to session and compact model picker options, refresh provider-list queries after managed-provider sync, and add focused regression coverage for stale OpenAI catalog filtering.
---
 .../src/app/cloud/managed-provider-models.ts  |  61 ++++++++++
 apps/app/src/components/model-select.tsx      |  24 ++--
 .../connections/provider-auth/store.ts        |   4 +-
 .../app/src/react-app/shell/session-route.tsx |  38 +++---
 .../src/react-app/shell/settings-route.tsx    |   6 +
 .../app/tests/managed-provider-models.test.ts | 114 ++++++++++++++++++
 6 files changed, 206 insertions(+), 41 deletions(-)
 create mode 100644 apps/app/src/app/cloud/managed-provider-models.ts
 create mode 100644 apps/app/tests/managed-provider-models.test.ts

diff --git a/apps/app/src/app/cloud/managed-provider-models.ts b/apps/app/src/app/cloud/managed-provider-models.ts
new file mode 100644
index 0000000000..f6228d790a
--- /dev/null
+++ b/apps/app/src/app/cloud/managed-provider-models.ts
@@ -0,0 +1,61 @@
+import type { CloudImportedProvider } from "./import-state";
+import type { ModelOption, ProviderListItem } from "../types";
+
+export function buildCloudManagedModelIdsByProvider(
+  importedCloudProviders: Record<string, CloudImportedProvider> | null | undefined,
+): Map<string, Set<string>> {
+  const next = new Map<string, Set<string>>();
+  for (const imported of Object.values(importedCloudProviders ?? {})) {
+    const providerId = imported.providerId.trim();
+    if (!providerId) continue;
+    const modelIds = imported.modelIds.map((id) => id.trim()).filter(Boolean);
+    if (!modelIds.length) continue;
+    next.set(providerId, new Set(modelIds));
+  }
+  return next;
+}
+
+export function isCloudManagedModelAllowed(
+  cloudManagedModelIdsByProvider: Map<string, Set<string>>,
+  providerId: string,
+  modelId: string,
+) {
+  const allowedModelIds = cloudManagedModelIdsByProvider.get(providerId);
+  return !allowedModelIds || allowedModelIds.has(modelId);
+}
+
+export function hasCloudManagedModelAllowlist(
+  cloudManagedModelIdsByProvider: Map<string, Set<string>>,
+  providerId: string,
+) {
+  return cloudManagedModelIdsByProvider.has(providerId);
+}
+
+export function buildCloudManagedModelOptions(input: {
+  providers: ProviderListItem[];
+  cloudManagedModelIdsByProvider: Map<string, Set<string>>;
+  isRecommendedProvider?: (providerId: string) => boolean;
+}): ModelOption[] {
+  const options: ModelOption[] = [];
+  for (const provider of input.providers) {
+    const isCloudManaged = hasCloudManagedModelAllowlist(input.cloudManagedModelIdsByProvider, provider.id);
+    for (const [modelId, model] of Object.entries(provider.models)) {
+      if (!isCloudManagedModelAllowed(input.cloudManagedModelIdsByProvider, provider.id, modelId)) continue;
+      options.push({
+        providerID: provider.id,
+        modelID: modelId,
+        title: model.name || modelId,
+        description: provider.name,
+        behaviorTitle: "Reasoning",
+        behaviorLabel: "Default",
+        behaviorDescription: "",
+        behaviorValue: null,
+        isFree: false,
+        isConnected: true,
+        isRecommended: input.isRecommendedProvider?.(provider.id),
+        source: isCloudManaged || /^lpr_/i.test(provider.id) ? "cloud" : undefined,
+      });
+    }
+  }
+  return options;
+}
diff --git a/apps/app/src/components/model-select.tsx b/apps/app/src/components/model-select.tsx
index 08077edcf9..dcf017c3e9 100644
--- a/apps/app/src/components/model-select.tsx
+++ b/apps/app/src/components/model-select.tsx
@@ -34,6 +34,7 @@ import { readHiddenModels } from "@/react-app/domains/session/modals/model-picke
 import { Settings2 } from "lucide-react";
 import { openModelPickerEvent } from "@/react-app/shell/new-providers-toast";
 import { newProvidersEvent } from "@/app/lib/provider-events";
+import { buildCloudManagedModelOptions } from "@/app/cloud/managed-provider-models";
 
 function getProviderDisplayName(providerId: string) {
   return providerId
@@ -44,7 +45,7 @@ function getProviderDisplayName(providerId: string) {
 }
 
 function useModelOptions(open: boolean) {
-  const { client, opencodeBaseUrl, selectedWorkspaceRoot } = useWorkspace();
+  const { client, opencodeBaseUrl, selectedWorkspaceRoot, cloudManagedModelIdsByProvider } = useWorkspace();
   const checkDesktopRestriction = useCheckDesktopRestriction();
 
   const { data, refetch } = useProviderListQuery({
@@ -78,21 +79,10 @@ function useModelOptions(open: boolean) {
       restriction: "allowCustomProviders",
     });
 
-    const options = getConnectedProviderItems(data)
-      .flatMap((provider) =>
-        Object.entries(provider.models).map(([id, model]) => ({
-          providerID: provider.id,
-          modelID: id,
-          title: model.name,
-          description: provider.name,
-          behaviorTitle: "Reasoning",
-          behaviorLabel: "Default",
-          behaviorDescription: "",
-          behaviorValue: null,
-          isFree: false,
-          isConnected: true,
-        })),
-      );
+    const options = buildCloudManagedModelOptions({
+      providers: getConnectedProviderItems(data),
+      cloudManagedModelIdsByProvider,
+    });
 
     return options.filter((option) => {
       if (
@@ -110,7 +100,7 @@ function useModelOptions(open: boolean) {
 
       return true;
     });
-  }, [checkDesktopRestriction, data]);
+  }, [checkDesktopRestriction, cloudManagedModelIdsByProvider, data]);
 }
 
 function groupByProvider(modelOptions: ModelOption[]) {
diff --git a/apps/app/src/react-app/domains/connections/provider-auth/store.ts b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
index 90b5b4391c..c3e7edb997 100644
--- a/apps/app/src/react-app/domains/connections/provider-auth/store.ts
+++ b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
@@ -32,7 +32,7 @@ import {
   filterProviderList,
 } from "../../../../app/utils/providers";
 import { getReactQueryClient } from "../../../infra/query-client";
-import { ensureProviderListQuery } from "../provider-list-query";
+import { ensureProviderListQuery, refreshProviderListQueries } from "../provider-list-query";
 import type { OpenworkServerStore } from "../openwork-server-store";
 import {
   denSessionUpdatedEvent,
@@ -1593,6 +1593,7 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
     await den.syncWorkerManagedProviders(target.orgId, target.workerId);
     await rememberRemoteManagedProviderSync(liveProviders);
     await refreshProviders({ dispose: true }).catch(() => null);
+    await refreshProviderListQueries(getReactQueryClient()).catch(() => undefined);
     const newlyImported = liveProviders.filter((provider) => !importedProviders[provider.id]);
     if (newlyImported.length > 0) {
       dispatchNewProviders({
@@ -1686,6 +1687,7 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
 
     if (configChanged) {
       await refreshProviders({ dispose: true }).catch(() => null);
+      await refreshProviderListQueries(getReactQueryClient()).catch(() => undefined);
     }
 
     // Notify the UI about newly imported providers so the global toast
diff --git a/apps/app/src/react-app/shell/session-route.tsx b/apps/app/src/react-app/shell/session-route.tsx
index 18473c842c..656e4d07ed 100644
--- a/apps/app/src/react-app/shell/session-route.tsx
+++ b/apps/app/src/react-app/shell/session-route.tsx
@@ -128,6 +128,10 @@ import { useReactRenderWatchdog } from "./react-render-watchdog";
 
 import { readDenSettings } from "../../app/lib/den";
 import { denSessionUpdatedEvent } from "../../app/lib/den-session-events";
+import {
+  buildCloudManagedModelOptions,
+  buildCloudManagedModelIdsByProvider,
+} from "../../app/cloud/managed-provider-models";
 
 import { openModelPickerEvent, pendingModelPickerProviderIdsKey } from "./new-providers-toast";
 import { getModelBehaviorSummary } from "../../app/lib/model-behavior";
@@ -1553,6 +1557,10 @@ export function SessionRoute() {
   // sync here so sign-in applies opencode.json changes before Settings opens.
   useCloudProviderAutoSync(sessionProviderAuthStore.runCloudProviderSync);
   const sessionProviderAuthSnapshot = useProviderAuthStoreSnapshot(sessionProviderAuthStore);
+  const cloudManagedModelIdsByProvider = useMemo(
+    () => buildCloudManagedModelIdsByProvider(sessionProviderAuthSnapshot.importedCloudProviders),
+    [sessionProviderAuthSnapshot.importedCloudProviders],
+  );
   const permissionQueryKey = useMemo(
     () =>
       selectedWorkspaceId && selectedSessionId
@@ -1833,28 +1841,11 @@ export function SessionRoute() {
         } catch {
           seenIds = new Set();
         }
-        const options: ModelOption[] = [];
-        for (const provider of getConnectedProviderItems(data)) {
-          const modelIds = Object.keys(provider.models);
-          const isNew = !seenIds.has(provider.id) || recentProviderIds.has(provider.id);
-          for (const id of modelIds) {
-            const model = provider.models[id];
-            options.push({
-              providerID: provider.id,
-              modelID: id,
-              title: model.name || id,
-              description: provider.name,
-              behaviorTitle: "Reasoning",
-              behaviorLabel: "Default",
-              behaviorDescription: "",
-              behaviorValue: null,
-              isFree: false,
-              isConnected: true,
-              isRecommended: isNew,
-              source: /^lpr_/i.test(provider.id) ? "cloud" as const : undefined,
-            });
-          }
-        }
+        const options = buildCloudManagedModelOptions({
+          providers: getConnectedProviderItems(data),
+          cloudManagedModelIdsByProvider,
+          isRecommendedProvider: (providerId) => !seenIds.has(providerId) || recentProviderIds.has(providerId),
+        });
         setModelOptions(options);
       } catch {
         // Silent: the picker surfaces an empty list rather than blocking the UI.
@@ -1863,7 +1854,7 @@ export function SessionRoute() {
     return () => {
       cancelled = true;
     };
-  }, [modelPickerOpen, opencodeBaseUrl, opencodeClient, recentProviderIds, selectedWorkspaceRoot]);
+  }, [cloudManagedModelIdsByProvider, modelPickerOpen, opencodeBaseUrl, opencodeClient, recentProviderIds, selectedWorkspaceRoot]);
 
   // Apply org-level restrictions (dev #1505) on top of the raw model list
   // so the picker never surfaces blocked options:
@@ -2609,6 +2600,7 @@ export function SessionRoute() {
       client={opencodeClient}
       opencodeBaseUrl={opencodeBaseUrl}
       selectedWorkspaceRoot={selectedWorkspaceRoot}
+      cloudManagedModelIdsByProvider={cloudManagedModelIdsByProvider}
     >
     {opencodeClient && selectedWorkspaceEndpoint && opencodeBaseUrl && selectedWorkspaceServerToken ? (
       <ReactSessionRuntime
diff --git a/apps/app/src/react-app/shell/settings-route.tsx b/apps/app/src/react-app/shell/settings-route.tsx
index 92a3f411b7..fc02577253 100644
--- a/apps/app/src/react-app/shell/settings-route.tsx
+++ b/apps/app/src/react-app/shell/settings-route.tsx
@@ -123,6 +123,7 @@ import { abortSessionSafe } from "../../app/lib/opencode-session";
 import { useReloadCoordinator } from "./reload-coordinator";
 import { buildFeedbackUrl } from "../../app/lib/feedback";
 import { getDenInferenceUrl } from "../../app/lib/den";
+import { buildCloudManagedModelIdsByProvider } from "../../app/cloud/managed-provider-models";
 import { readActiveWorkspaceId, writeActiveWorkspaceId } from "./session-memory";
 import { workspaceSessionRoute, workspaceSettingsRoute } from "./workspace-routes";
 import { getReactQueryClient } from "../infra/query-client";
@@ -787,6 +788,11 @@ function SettingsRouteContent(props: SettingsSurfaceProps = {}) {
       Object.values(providerAuthSnapshot.importedCloudProviders ?? {}).some(isOpenWorkCloudProvider),
     [providerAuthSnapshot.cloudOrgProviders, providerAuthSnapshot.importedCloudProviders],
   );
+
+  const cloudManagedModelIdsByProvider = useMemo(
+    () => buildCloudManagedModelIdsByProvider(providerAuthSnapshot.importedCloudProviders),
+    [providerAuthSnapshot.importedCloudProviders],
+  );
   const showOpenWorkModelsSubscribe = !cloudSession.isSignedIn || !hasOpenWorkCloudProvider;
 
   const subscribeToOpenWorkModels = useCallback(() => {
diff --git a/apps/app/tests/managed-provider-models.test.ts b/apps/app/tests/managed-provider-models.test.ts
new file mode 100644
index 0000000000..1f93c10813
--- /dev/null
+++ b/apps/app/tests/managed-provider-models.test.ts
@@ -0,0 +1,114 @@
+import { describe, expect, test } from "bun:test";
+
+import {
+  buildCloudManagedModelOptions,
+  buildCloudManagedModelIdsByProvider,
+  hasCloudManagedModelAllowlist,
+  isCloudManagedModelAllowed,
+} from "../src/app/cloud/managed-provider-models";
+import type { CloudImportedProvider } from "../src/app/cloud/import-state";
+import type { ProviderListItem } from "../src/app/types";
+
+function importedProvider(input: Pick<CloudImportedProvider, "cloudProviderId" | "providerId" | "sourceProviderId" | "name" | "modelIds">): CloudImportedProvider {
+  return {
+    ...input,
+    source: "models_dev",
+    updatedAt: null,
+    importedAt: 1,
+  };
+}
+
+function visibleModelIds(providerId: string, modelIds: string[], allowlist: Map<string, Set<string>>) {
+  return modelIds.filter((modelId) => isCloudManagedModelAllowed(allowlist, providerId, modelId));
+}
+
+function provider(id: string, name: string, modelIds: string[]): ProviderListItem {
+  return {
+    id,
+    name,
+    source: "config",
+    models: Object.fromEntries(modelIds.map((modelId) => [modelId, { id: modelId, name: modelId }])),
+  };
+}
+
+function staleOpenAiModelIds(): string[] {
+  const explicit = [
+    "gpt-5.4",
+    "gpt-5.5",
+    "gpt-5.5-pro",
+    "gpt-5.5-fast",
+    "text-embedding-3-large",
+    "gpt-4o",
+    "gpt-image-1-mini",
+    "gpt-5.4-fast",
+    "o4-mini",
+  ];
+  const generated = Array.from({ length: 45 }, (_, index) => `stale-openai-catalog-${index + 1}`);
+  return [...explicit, ...generated];
+}
+
+describe("managed cloud provider model allowlists", () => {
+  test("session modal and compact select option builder filters 54 stale OpenAI models to selected IDs", () => {
+    const allowlist = buildCloudManagedModelIdsByProvider({
+      lpr_openai: importedProvider({
+        cloudProviderId: "lpr_openai",
+        providerId: "openai",
+        sourceProviderId: "openai",
+        name: "openAI_server",
+        modelIds: ["gpt-5.4", "gpt-5.5"],
+      }),
+    });
+
+    const rawOpenAiProviderListIds = staleOpenAiModelIds();
+
+    expect(rawOpenAiProviderListIds).toHaveLength(54);
+    expect(hasCloudManagedModelAllowlist(allowlist, "openai")).toBe(true);
+    expect(visibleModelIds("openai", rawOpenAiProviderListIds, allowlist)).toEqual(["gpt-5.4", "gpt-5.5"]);
+    expect(buildCloudManagedModelOptions({
+      providers: [provider("openai", "openAI_server", rawOpenAiProviderListIds)],
+      cloudManagedModelIdsByProvider: allowlist,
+      isRecommendedProvider: (providerId) => providerId === "openai",
+    }).map((option) => ({
+      providerID: option.providerID,
+      modelID: option.modelID,
+      source: option.source,
+      isRecommended: option.isRecommended,
+    }))).toEqual([
+      { providerID: "openai", modelID: "gpt-5.4", source: "cloud", isRecommended: true },
+      { providerID: "openai", modelID: "gpt-5.5", source: "cloud", isRecommended: true },
+    ]);
+  });
+
+  test("keeps API-key NVIDIA managed provider selected IDs intact", () => {
+    const allowlist = buildCloudManagedModelIdsByProvider({
+      lpr_nvidia: importedProvider({
+        cloudProviderId: "lpr_nvidia",
+        providerId: "lpr_nvidia",
+        sourceProviderId: "nvidia",
+        name: "nvidia",
+        modelIds: ["deepseek-ai/deepseek-v4-flash", "google/gemma-4-31b-it"],
+      }),
+    });
+
+    expect(visibleModelIds("lpr_nvidia", ["deepseek-ai/deepseek-v4-flash", "google/gemma-4-31b-it"], allowlist)).toEqual([
+      "deepseek-ai/deepseek-v4-flash",
+      "google/gemma-4-31b-it",
+    ]);
+    expect(buildCloudManagedModelOptions({
+      providers: [provider("lpr_nvidia", "nvidia", ["deepseek-ai/deepseek-v4-flash", "google/gemma-4-31b-it"])],
+      cloudManagedModelIdsByProvider: allowlist,
+    }).map((option) => option.modelID)).toEqual([
+      "deepseek-ai/deepseek-v4-flash",
+      "google/gemma-4-31b-it",
+    ]);
+  });
+
+  test("does not filter non-managed providers without imported model IDs", () => {
+    const allowlist = buildCloudManagedModelIdsByProvider({});
+
+    expect(visibleModelIds("anthropic", ["claude-sonnet", "claude-opus"], allowlist)).toEqual([
+      "claude-sonnet",
+      "claude-opus",
+    ]);
+  });
+});

From c5ae1c6d54d255f5bad2a0b28d707d614f31ad14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Thu, 28 May 2026 23:38:39 +0200
Subject: [PATCH 07/12] test: TASK-2026-05-28-008 cover PR 1941 reviews

Add explicit duplicate-provider allowlist coverage and align the OAuth migration journal assertion with the actual migration tag.
---
 .../app/tests/managed-provider-models.test.ts | 21 +++++++++++++++++++
 .../den-api/test/llm-providers-oauth.test.ts  |  2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/apps/app/tests/managed-provider-models.test.ts b/apps/app/tests/managed-provider-models.test.ts
index 1f93c10813..38384d0a86 100644
--- a/apps/app/tests/managed-provider-models.test.ts
+++ b/apps/app/tests/managed-provider-models.test.ts
@@ -111,4 +111,25 @@ describe("managed cloud provider model allowlists", () => {
       "claude-opus",
     ]);
   });
+
+  test("merges duplicate imported provider model allowlists by provider ID", () => {
+    const allowlist = buildCloudManagedModelIdsByProvider({
+      llmProvider_openai_one: importedProvider({
+        cloudProviderId: "llmProvider_openai_one",
+        providerId: "openai",
+        sourceProviderId: "openai",
+        name: "OpenAI one",
+        modelIds: ["gpt-5.4"],
+      }),
+      llmProvider_openai_two: importedProvider({
+        cloudProviderId: "llmProvider_openai_two",
+        providerId: "openai",
+        sourceProviderId: "openai",
+        name: "OpenAI two",
+        modelIds: ["gpt-5.5"],
+      }),
+    });
+
+    expect(visibleModelIds("openai", ["gpt-5.4", "gpt-5.5", "gpt-4o"], allowlist)).toEqual(["gpt-5.4", "gpt-5.5"]);
+  });
 });
diff --git a/ee/apps/den-api/test/llm-providers-oauth.test.ts b/ee/apps/den-api/test/llm-providers-oauth.test.ts
index d985fbd88a..92a9e789e4 100644
--- a/ee/apps/den-api/test/llm-providers-oauth.test.ts
+++ b/ee/apps/den-api/test/llm-providers-oauth.test.ts
@@ -194,5 +194,5 @@ test("LLM provider migration journal remains valid JSON", async () => {
   const journal = await readFile(new URL("../../../packages/den-db/drizzle/meta/_journal.json", import.meta.url), "utf8")
   const parsed = JSON.parse(journal) as { entries?: Array<{ tag?: string }> }
 
-  expect(parsed.entries?.some((entry) => entry.tag === "0019_llm_provider_opencode_oauth")).toBe(true)
+  expect(parsed.entries?.some((entry) => entry.tag === "0020_llm_provider_opencode_oauth")).toBe(true)
 })

From fdd0a387de24a08fae6fe8c39272cd3a48780d12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Fri, 5 Jun 2026 06:19:04 +0200
Subject: [PATCH 08/12] fix: TASK-2026-06-05-001 align oauth migration test

Update the OAuth provider migration journal assertion to match the current migration tag after newer enterprise feedback changes.
---
 ee/apps/den-api/test/llm-providers-oauth.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ee/apps/den-api/test/llm-providers-oauth.test.ts b/ee/apps/den-api/test/llm-providers-oauth.test.ts
index 92a9e789e4..f99f9f6da1 100644
--- a/ee/apps/den-api/test/llm-providers-oauth.test.ts
+++ b/ee/apps/den-api/test/llm-providers-oauth.test.ts
@@ -194,5 +194,5 @@ test("LLM provider migration journal remains valid JSON", async () => {
   const journal = await readFile(new URL("../../../packages/den-db/drizzle/meta/_journal.json", import.meta.url), "utf8")
   const parsed = JSON.parse(journal) as { entries?: Array<{ tag?: string }> }
 
-  expect(parsed.entries?.some((entry) => entry.tag === "0020_llm_provider_opencode_oauth")).toBe(true)
+  expect(parsed.entries?.some((entry) => entry.tag === "0021_llm_provider_opencode_oauth")).toBe(true)
 })

From b1e1350210f21c71cc0965a5037aff4653897eed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Tue, 9 Jun 2026 23:56:49 +0200
Subject: [PATCH 09/12] fix: TASK-2026-06-09-002 preserve cloud managed
 provider identity

Use runtime provider IDs for OAuth/OpenWork managed providers, require applied-provider IDs for partial remote sync results, and constrain default model picker entries to managed allowlists.
---
 apps/app/src/app/lib/den.ts                   |  9 +++
 .../connections/provider-auth/store.ts        | 50 +++++++++----
 .../settings/pages/cloud-providers-view.tsx   |  4 +-
 .../src/react-app/shell/settings-route.tsx    | 29 ++------
 .../tests/den-managed-provider-sync.test.ts   | 23 +++++-
 .../app/tests/managed-provider-models.test.ts | 19 +++++
 .../provider-auth-managed-providers.test.ts   | 72 +++++++++++++++++++
 7 files changed, 168 insertions(+), 38 deletions(-)
 create mode 100644 apps/app/tests/provider-auth-managed-providers.test.ts

diff --git a/apps/app/src/app/lib/den.ts b/apps/app/src/app/lib/den.ts
index 46c9ce8f2a..c4dc0d63f3 100644
--- a/apps/app/src/app/lib/den.ts
+++ b/apps/app/src/app/lib/den.ts
@@ -142,6 +142,7 @@ export type DenManagedProviderSyncResult = {
   status: "applied" | "failed";
   providerCount: number;
   revision: string;
+  providerIds?: string[];
   reason?: string;
 };
 
@@ -1090,10 +1091,18 @@ function getDenManagedProviderSyncResult(payload: unknown): DenManagedProviderSy
   if (payload.status !== "applied" && payload.status !== "failed") return null;
   if (typeof payload.providerCount !== "number" || !Number.isInteger(payload.providerCount) || payload.providerCount < 0) return null;
   if (typeof payload.revision !== "string") return null;
+  const rawProviderIds = Array.isArray(payload.providerIds)
+    ? payload.providerIds
+    : Array.isArray(payload.appliedProviderIds)
+      ? payload.appliedProviderIds
+      : undefined;
+  const providerIds = rawProviderIds ? readStringArray(rawProviderIds) : undefined;
+  if (rawProviderIds && providerIds?.length !== payload.providerCount) return null;
   return {
     status: payload.status,
     providerCount: payload.providerCount,
     revision: payload.revision,
+    ...(providerIds ? { providerIds } : {}),
     ...(typeof payload.reason === "string" ? { reason: payload.reason } : {}),
   };
 }
diff --git a/apps/app/src/react-app/domains/connections/provider-auth/store.ts b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
index 6a320da116..152fa5bbcd 100644
--- a/apps/app/src/react-app/domains/connections/provider-auth/store.ts
+++ b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
@@ -119,6 +119,36 @@ type MutableState = {
 
 export type ProviderAuthStore = ReturnType<typeof createProviderAuthStore>;
 
+export const getCloudManagedProviderId = (
+  provider: Pick<DenOrgLlmProvider, "id" | "providerId" | "source" | "credentialKind">,
+) => {
+  if (provider.source === "openwork") return "openwork";
+  if (provider.credentialKind === "opencode_oauth") return provider.providerId.trim();
+  return provider.id.trim();
+};
+
+export function resolveAppliedManagedProvidersFromSyncResult(
+  result: { providerCount: number; providerIds?: string[] },
+  liveProviders: DenOrgLlmProvider[],
+) {
+  if (Array.isArray(result.providerIds)) {
+    const appliedIds = new Set(result.providerIds.map((id) => id.trim()).filter(Boolean));
+    return liveProviders.filter((provider) => appliedIds.has(provider.id));
+  }
+
+  if (result.providerCount === liveProviders.length) {
+    return liveProviders;
+  }
+
+  if (result.providerCount === 0) {
+    return [];
+  }
+
+  throw new Error(
+    "Remote worker synced only part of the organization provider set but did not identify which providers were applied. Imported provider state was left unchanged.",
+  );
+}
+
 export function createProviderAuthStore(options: CreateProviderAuthStoreOptions) {
   const listeners = new Set<() => void>();
 
@@ -164,14 +194,6 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
   const sameStringList = (a: string[], b: string[]) =>
     a.length === b.length && a.every((value, index) => value === b[index]);
 
-  const getCloudManagedProviderId = (
-    provider: Pick<DenOrgLlmProvider, "id" | "providerId" | "source" | "credentialKind">,
-  ) => {
-    if (provider.source === "openwork") return "openwork";
-    if (provider.credentialKind === "opencode_oauth") return provider.providerId.trim();
-    return provider.id.trim();
-  };
-
   const getProviderAuthWorkerType = (): "local" | "remote" =>
     options.selectedWorkspaceDisplay().workspaceType === "remote" ? "remote" : "local";
 
@@ -1610,19 +1632,21 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
       apiBaseUrl: target.settings.apiBaseUrl,
       token: target.settings.authToken,
     });
-    await den.syncWorkerManagedProviders(target.orgId, target.workerId);
-    await rememberRemoteManagedProviderSync(liveProviders);
+    const syncResult = await den.syncWorkerManagedProviders(target.orgId, target.workerId);
+    const appliedProviders = resolveAppliedManagedProvidersFromSyncResult(syncResult, liveProviders);
+    await rememberRemoteManagedProviderSync(appliedProviders);
     await refreshProviders({ dispose: true }).catch(() => null);
     await refreshProviderListQueries(getReactQueryClient()).catch(() => undefined);
-    const newlyImported = liveProviders.filter((provider) => !importedProviders[provider.id]);
+    const newlyImported = appliedProviders.filter((provider) => !importedProviders[provider.id]);
     if (newlyImported.length > 0) {
       dispatchNewProviders({
         providers: newlyImported.map((provider) => {
           const firstModel = provider.models[0] ?? null;
+          const localProviderId = getCloudManagedProviderId(provider);
           return {
-            id: provider.id,
+            id: localProviderId,
             name: provider.name,
-            providerId: provider.providerId,
+            providerId: localProviderId,
             firstModelId: firstModel?.id,
             firstModelName: firstModel?.name ?? firstModel?.id,
           };
diff --git a/apps/app/src/react-app/domains/settings/pages/cloud-providers-view.tsx b/apps/app/src/react-app/domains/settings/pages/cloud-providers-view.tsx
index 1e48065a12..7b92f31c4f 100644
--- a/apps/app/src/react-app/domains/settings/pages/cloud-providers-view.tsx
+++ b/apps/app/src/react-app/domains/settings/pages/cloud-providers-view.tsx
@@ -11,6 +11,7 @@ import { useCloudSession } from "@/react-app/domains/settings/cloud/cloud-sessio
 import { CloudProvidersSection, type CloudProviderRow } from "@/react-app/domains/settings/cloud/sections";
 import type { useDenSession } from "@/react-app/domains/settings/cloud/use-den-session";
 import { SettingsNotice, SettingsStack } from "@/react-app/domains/settings/settings-section";
+import { getCloudManagedProviderId } from "@/react-app/domains/connections/provider-auth/store";
 
 type CloudProvidersSession = Pick<
   ReturnType<typeof useDenSession>,
@@ -54,9 +55,10 @@ export function CloudProvidersView({
   const rows = React.useMemo<CloudProviderRow[]>(() => {
     const nextRows: CloudProviderRow[] = cloudOrgProviders.map((provider) => {
       const imported = importedCloudProviders[provider.id] ?? null;
+      const localProviderId = getCloudManagedProviderId(provider);
       const status = !imported
         ? "available"
-        : imported.providerId !== provider.id.trim() ||
+        : imported.providerId !== localProviderId ||
             imported.sourceProviderId !== provider.providerId ||
             (imported.source ?? null) !== (provider.source ?? null) ||
             (imported.updatedAt ?? null) !== (provider.updatedAt ?? null) ||
diff --git a/apps/app/src/react-app/shell/settings-route.tsx b/apps/app/src/react-app/shell/settings-route.tsx
index 2bade51b94..e587715c50 100644
--- a/apps/app/src/react-app/shell/settings-route.tsx
+++ b/apps/app/src/react-app/shell/settings-route.tsx
@@ -131,7 +131,7 @@ import { abortSessionSafe } from "@/app/lib/opencode-session";
 import { useReloadCoordinator } from "./reload-coordinator";
 import { buildFeedbackUrl } from "@/app/lib/feedback";
 import { getDenInferenceUrl } from "@/app/lib/den";
-import { buildCloudManagedModelIdsByProvider } from "@/app/cloud/managed-provider-models";
+import { buildCloudManagedModelIdsByProvider, buildCloudManagedModelOptions } from "@/app/cloud/managed-provider-models";
 import { readActiveWorkspaceId, writeActiveWorkspaceId } from "./session-memory";
 import { workspaceSessionRoute, workspaceSettingsRoute } from "./workspace-routes";
 import { getReactQueryClient } from "@/react-app/infra/query-client";
@@ -1211,28 +1211,11 @@ function SettingsRouteContent(props: SettingsSurfaceProps = {}) {
         } catch {
           seenIds = new Set();
         }
-        const options: ModelOption[] = [];
-        for (const provider of getConnectedProviderItems(data)) {
-          const modelIds = Object.keys(provider.models);
-          const isNew = !seenIds.has(provider.id);
-          for (const id of modelIds) {
-            const model = provider.models[id];
-            options.push({
-              providerID: provider.id,
-              modelID: id,
-              title: model.name || id,
-              description: provider.name,
-              behaviorTitle: "Reasoning",
-              behaviorLabel: "Default",
-              behaviorDescription: "",
-              behaviorValue: null,
-              isFree: false,
-              isConnected: true,
-              isRecommended: isNew,
-              source: /^lpr_/i.test(provider.id) ? "cloud" as const : undefined,
-            });
-          }
-        }
+        const options = buildCloudManagedModelOptions({
+          providers: getConnectedProviderItems(data),
+          cloudManagedModelIdsByProvider,
+          isRecommendedProvider: (providerId) => !seenIds.has(providerId),
+        });
         setModelOptions(options);
       } catch (error) {
         toast.error(
diff --git a/apps/app/tests/den-managed-provider-sync.test.ts b/apps/app/tests/den-managed-provider-sync.test.ts
index a580e4b615..51adc79fef 100644
--- a/apps/app/tests/den-managed-provider-sync.test.ts
+++ b/apps/app/tests/den-managed-provider-sync.test.ts
@@ -27,6 +27,7 @@ describe("Den managed provider worker sync client", () => {
         status: "applied",
         providerCount: 1,
         revision: "safe-revision",
+        providerIds: ["lpr_applied"],
       }), {
         headers: { "Content-Type": "application/json" },
         status: 200,
@@ -41,7 +42,7 @@ describe("Den managed provider worker sync client", () => {
     const client = createDenClient({ baseUrl: "http://den.local", token: "user-token" });
     const result = await client.syncWorkerManagedProviders("org_test", "wrk_test");
 
-    expect(result).toEqual({ status: "applied", providerCount: 1, revision: "safe-revision" });
+    expect(result).toEqual({ status: "applied", providerCount: 1, revision: "safe-revision", providerIds: ["lpr_applied"] });
     expect(calls).toEqual([{
       url: "http://den.local/v1/workers/wrk_test/managed-providers/sync",
       method: "POST",
@@ -78,4 +79,24 @@ describe("Den managed provider worker sync client", () => {
       expect(error instanceof Error ? error.message.includes(secret) : true).toBe(false);
     }
   });
+
+  test("rejects sync payloads whose applied provider IDs do not match the provider count", async () => {
+    const fetchMock: typeof fetch = async () => new Response(JSON.stringify({
+      status: "applied",
+      providerCount: 2,
+      revision: "mismatch-revision",
+      providerIds: ["lpr_only_one"],
+    }), {
+      headers: { "Content-Type": "application/json" },
+      status: 200,
+    });
+
+    Object.defineProperty(globalThis, "fetch", {
+      configurable: true,
+      value: fetchMock,
+    });
+
+    const client = createDenClient({ baseUrl: "http://den.local", token: "user-token" });
+    await expect(client.syncWorkerManagedProviders("org_test", "wrk_test")).rejects.toThrow("Managed provider sync response was invalid.");
+  });
 });
diff --git a/apps/app/tests/managed-provider-models.test.ts b/apps/app/tests/managed-provider-models.test.ts
index 38384d0a86..3dbc991528 100644
--- a/apps/app/tests/managed-provider-models.test.ts
+++ b/apps/app/tests/managed-provider-models.test.ts
@@ -132,4 +132,23 @@ describe("managed cloud provider model allowlists", () => {
 
     expect(visibleModelIds("openai", ["gpt-5.4", "gpt-5.5", "gpt-4o"], allowlist)).toEqual(["gpt-5.4", "gpt-5.5"]);
   });
+
+  test("model picker options for OAuth-managed providers keep runtime provider IDs for defaults", () => {
+    const allowlist = buildCloudManagedModelIdsByProvider({
+      lpr_den_openai: importedProvider({
+        cloudProviderId: "lpr_den_openai",
+        providerId: "openai",
+        sourceProviderId: "openai",
+        name: "OpenAI from Den",
+        modelIds: ["gpt-5.5"],
+      }),
+    });
+
+    expect(buildCloudManagedModelOptions({
+      providers: [provider("openai", "OpenAI", ["gpt-5.5"])],
+      cloudManagedModelIdsByProvider: allowlist,
+    }).map((option) => ({ providerID: option.providerID, modelID: option.modelID }))).toEqual([
+      { providerID: "openai", modelID: "gpt-5.5" },
+    ]);
+  });
 });
diff --git a/apps/app/tests/provider-auth-managed-providers.test.ts b/apps/app/tests/provider-auth-managed-providers.test.ts
new file mode 100644
index 0000000000..38f73db0c1
--- /dev/null
+++ b/apps/app/tests/provider-auth-managed-providers.test.ts
@@ -0,0 +1,72 @@
+import { describe, expect, test } from "bun:test";
+
+import type { DenOrgLlmProvider } from "../src/app/lib/den";
+import {
+  getCloudManagedProviderId,
+  resolveAppliedManagedProvidersFromSyncResult,
+} from "../src/react-app/domains/connections/provider-auth/store";
+
+function provider(input: Partial<DenOrgLlmProvider> & Pick<DenOrgLlmProvider, "id" | "providerId">): DenOrgLlmProvider {
+  return {
+    source: "models_dev",
+    credentialKind: "api_key",
+    name: input.providerId,
+    providerConfig: {},
+    hasApiKey: true,
+    hasOpencodeAuth: false,
+    hasCredential: true,
+    models: [],
+    createdAt: null,
+    updatedAt: null,
+    ...input,
+  };
+}
+
+describe("cloud managed provider import identity", () => {
+  test("resolves runtime provider IDs for OAuth and OpenWork managed providers", () => {
+    expect(getCloudManagedProviderId(provider({
+      id: "lpr_openai",
+      providerId: "openai",
+      credentialKind: "opencode_oauth",
+    }))).toBe("openai");
+
+    expect(getCloudManagedProviderId(provider({
+      id: "lpr_openwork",
+      providerId: "openwork-cloud",
+      source: "openwork",
+    }))).toBe("openwork");
+
+    expect(getCloudManagedProviderId(provider({
+      id: "lpr_nvidia",
+      providerId: "nvidia",
+      credentialKind: "api_key",
+    }))).toBe("lpr_nvidia");
+  });
+
+  test("remote sync only records providers identified as applied by Den", () => {
+    const liveProviders = [
+      provider({ id: "lpr_applied", providerId: "openai" }),
+      provider({ id: "lpr_filtered", providerId: "anthropic" }),
+    ];
+
+    expect(resolveAppliedManagedProvidersFromSyncResult({
+      providerCount: 1,
+      providerIds: ["lpr_applied"],
+    }, liveProviders).map((entry) => entry.id)).toEqual(["lpr_applied"]);
+  });
+
+  test("remote sync clears imported state when Den applies an empty provider set", () => {
+    expect(resolveAppliedManagedProvidersFromSyncResult({
+      providerCount: 0,
+    }, [provider({ id: "lpr_filtered", providerId: "anthropic" })])).toEqual([]);
+  });
+
+  test("remote sync refuses ambiguous partial results without applied provider IDs", () => {
+    expect(() => resolveAppliedManagedProvidersFromSyncResult({
+      providerCount: 1,
+    }, [
+      provider({ id: "lpr_applied", providerId: "openai" }),
+      provider({ id: "lpr_filtered", providerId: "anthropic" }),
+    ])).toThrow("did not identify which providers were applied");
+  });
+});

From 3299a88f4df7fa0aba810b77d667d7c853c1f62f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Wed, 10 Jun 2026 13:57:11 +0200
Subject: [PATCH 10/12] fix: TASK-2026-06-10-008 keep host tokens out of bearer
 auth

Stop using remote host tokens as workspace bearer tokens and cover remote endpoint token selection with tests.
---
 apps/app/scripts/workspace-endpoint.test.ts | 34 +++++++++++++++++++++
 apps/app/src/app/lib/workspace-endpoint.ts  |  2 --
 2 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 apps/app/scripts/workspace-endpoint.test.ts

diff --git a/apps/app/scripts/workspace-endpoint.test.ts b/apps/app/scripts/workspace-endpoint.test.ts
new file mode 100644
index 0000000000..e4d087f068
--- /dev/null
+++ b/apps/app/scripts/workspace-endpoint.test.ts
@@ -0,0 +1,34 @@
+import { describe, expect, test } from "bun:test";
+import { resolveWorkspaceEndpoint } from "../src/app/lib/workspace-endpoint";
+
+describe("resolveWorkspaceEndpoint", () => {
+  test("does not use remote host token as bearer authorization", () => {
+    const endpoint = resolveWorkspaceEndpoint({
+      id: "rem_ws_123",
+      workspaceType: "remote",
+      baseUrl: "https://worker.example.test",
+      openworkHostUrl: "https://worker.example.test",
+      openworkToken: null,
+      openworkClientToken: null,
+      openworkHostToken: "host-token-must-not-be-bearer",
+      openworkWorkspaceId: "ws_123",
+    } as never, { baseUrl: "http://127.0.0.1:8791", token: "local-token" });
+
+    expect(endpoint?.token).toBe("");
+  });
+
+  test("uses remote client token before local server token", () => {
+    const endpoint = resolveWorkspaceEndpoint({
+      id: "rem_ws_123",
+      workspaceType: "remote",
+      baseUrl: "https://worker.example.test",
+      openworkHostUrl: "https://worker.example.test",
+      openworkToken: null,
+      openworkClientToken: "remote-client-token",
+      openworkHostToken: "host-token",
+      openworkWorkspaceId: "ws_123",
+    } as never, { baseUrl: "http://127.0.0.1:8791", token: "local-token" });
+
+    expect(endpoint?.token).toBe("remote-client-token");
+  });
+});
diff --git a/apps/app/src/app/lib/workspace-endpoint.ts b/apps/app/src/app/lib/workspace-endpoint.ts
index 20c0d72979..9a1afe0ea8 100644
--- a/apps/app/src/app/lib/workspace-endpoint.ts
+++ b/apps/app/src/app/lib/workspace-endpoint.ts
@@ -56,7 +56,6 @@ type WorkspaceEndpointInput = Pick<
   | "openworkHostUrl"
   | "openworkToken"
   | "openworkClientToken"
-  | "openworkHostToken"
   | "openworkWorkspaceId"
 > | null | undefined;
 
@@ -95,7 +94,6 @@ function pickRemoteToken(workspace: WorkspaceEndpointInput): string {
   return (
     workspace.openworkToken ??
     workspace.openworkClientToken ??
-    workspace.openworkHostToken ??
     ""
   ).trim();
 }

From 540ca5ec558bda375cbca5cceec180a07659203b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Wed, 10 Jun 2026 16:49:44 +0200
Subject: [PATCH 11/12] fix: TASK-2026-06-10-008 keep pending provider access
 visible

Restore pending invitation member access rows in LLM provider responses by left-joining users and preserving invitation email fallback.
---
 .../den-api/src/routes/org/llm-providers.ts   | 23 +++++++++++++++++--
 .../test/llm-provider-credentials.test.ts     | 12 ++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/ee/apps/den-api/src/routes/org/llm-providers.ts b/ee/apps/den-api/src/routes/org/llm-providers.ts
index 102e66d22a..a8aa8588c5 100644
--- a/ee/apps/den-api/src/routes/org/llm-providers.ts
+++ b/ee/apps/den-api/src/routes/org/llm-providers.ts
@@ -5,6 +5,7 @@ import {
   LlmProviderModelTable,
   LlmProviderTable,
   MemberTable,
+  InvitationTable,
   TeamTable,
 } from "@openwork-ee/den-db/schema"
 import { createDenTypeId, normalizeDenTypeId } from "@openwork-ee/utils/typeid"
@@ -341,6 +342,20 @@ export function redactLlmProviderCredentials<T extends { apiKey?: unknown; openc
   }
 }
 
+export function serializeLlmProviderAccessUser(input: {
+  user: { id: string | null; name: string | null; email: string | null; image: string | null } | null
+  invitation: { email: string | null } | null
+}) {
+  return input.user?.id
+    ? input.user
+    : {
+        id: null,
+        name: null,
+        email: input.invitation?.email ?? null,
+        image: null,
+      }
+}
+
 function buildLlmProviderCredentialPayload(provider: LlmProviderRow) {
   return {
     ...redactLlmProviderCredentials(provider),
@@ -612,6 +627,9 @@ async function loadLlmProviders(input: {
         id: MemberTable.id,
         role: MemberTable.role,
       },
+      invitation: {
+        email: InvitationTable.email,
+      },
       user: {
         id: AuthUserTable.id,
         name: AuthUserTable.name,
@@ -621,7 +639,8 @@ async function loadLlmProviders(input: {
     })
     .from(LlmProviderAccessTable)
     .innerJoin(MemberTable, eq(LlmProviderAccessTable.orgMembershipId, MemberTable.id))
-    .innerJoin(AuthUserTable, eq(MemberTable.userId, AuthUserTable.id))
+    .leftJoin(AuthUserTable, eq(MemberTable.userId, AuthUserTable.id))
+    .leftJoin(InvitationTable, eq(MemberTable.inviteId, InvitationTable.id))
     .where(and(inArray(LlmProviderAccessTable.llmProviderId, providerIds), isNotNull(LlmProviderAccessTable.orgMembershipId), isNull(MemberTable.removedAt)))
 
   const teamAccessRows = await db
@@ -691,7 +710,7 @@ async function loadLlmProviders(input: {
         id: row.access.id,
         orgMembershipId: row.member.id,
         role: row.member.role,
-        user: row.user,
+        user: serializeLlmProviderAccessUser(row),
         createdAt: row.access.createdAt,
       })),
       teams: (teamAccessByProviderId.get(provider.id) ?? []).map((row) => ({
diff --git a/ee/apps/den-api/test/llm-provider-credentials.test.ts b/ee/apps/den-api/test/llm-provider-credentials.test.ts
index 71ea6e92a9..26510c1a65 100644
--- a/ee/apps/den-api/test/llm-provider-credentials.test.ts
+++ b/ee/apps/den-api/test/llm-provider-credentials.test.ts
@@ -38,6 +38,18 @@ test("credential flags expose presence only, never credential values", () => {
   })).toEqual({ hasApiKey: true, hasOpencodeAuth: true, hasCredential: true })
 })
 
+test("provider access serialization preserves pending invitation email", () => {
+  expect(llmProviderModule.serializeLlmProviderAccessUser({
+    user: { id: null, name: null, email: null, image: null },
+    invitation: { email: "pending@example.com" },
+  })).toEqual({
+    id: null,
+    name: null,
+    email: "pending@example.com",
+    image: null,
+  })
+})
+
 test("credential import permission gate requires organization admin role", () => {
   const owner = { currentMember: { isOwner: true, role: "member" } }
   const admin = { currentMember: { isOwner: false, role: "admin" } }

From ced0ac6de06b23131ee4806deb933030112d7a82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pascal=20Andr=C3=A9?= <pascalandr@gmail.com>
Date: Wed, 10 Jun 2026 18:34:54 +0200
Subject: [PATCH 12/12] fix: TASK-2026-06-10-009 align cloud provider import
 ids

---
 apps/app/src/app/lib/den.ts                        |  2 +-
 .../domains/cloud/org-onboarding-page.tsx          | 11 +++++++++--
 .../domains/connections/provider-auth/store.ts     | 14 +++++++-------
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/apps/app/src/app/lib/den.ts b/apps/app/src/app/lib/den.ts
index c4dc0d63f3..30d7079824 100644
--- a/apps/app/src/app/lib/den.ts
+++ b/apps/app/src/app/lib/den.ts
@@ -1917,7 +1917,7 @@ export function createDenClient(options: { baseUrl: string; apiBaseUrl?: string
     },
 
     async listOrgLlmProviders(orgId: string): Promise<DenOrgLlmProvider[]> {
-      const payload = await requestJson<unknown>(baseUrls, "/v1/llm-providers", {
+      const payload = await requestJson<unknown>(baseUrls, "/v1/llm-providers?scope=usable", {
         method: "GET",
         token,
         organizationId: orgId,
diff --git a/apps/app/src/react-app/domains/cloud/org-onboarding-page.tsx b/apps/app/src/react-app/domains/cloud/org-onboarding-page.tsx
index d9790776ae..3839c61faa 100644
--- a/apps/app/src/react-app/domains/cloud/org-onboarding-page.tsx
+++ b/apps/app/src/react-app/domains/cloud/org-onboarding-page.tsx
@@ -510,9 +510,16 @@ interface ProviderCardProps {
   } | null) => void;
 }
 
+function getCloudManagedProviderId(
+  provider: Pick<DenOrgLlmProvider, "id" | "providerId" | "source" | "credentialKind">,
+) {
+  if (provider.source === "openwork") return "openwork";
+  if (provider.credentialKind === "opencode_oauth") return provider.providerId.trim();
+  return provider.id.trim();
+}
+
 function ProviderCard({ provider, selectedDefault, onSelectDefault }: ProviderCardProps) {
-  // The local provider ID matches the cloud provider's org-level ID
-  const localProviderId = provider.id.trim();
+  const localProviderId = getCloudManagedProviderId(provider);
   const firstModel = provider.models[0] ?? null;
   const isSelected = selectedDefault?.providerId === localProviderId;
 
diff --git a/apps/app/src/react-app/domains/connections/provider-auth/store.ts b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
index 152fa5bbcd..4d7f54453c 100644
--- a/apps/app/src/react-app/domains/connections/provider-auth/store.ts
+++ b/apps/app/src/react-app/domains/connections/provider-auth/store.ts
@@ -212,7 +212,7 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
     }
 
     for (const provider of state.cloudOrgProviders) {
-      const id = provider.providerId.trim();
+      const id = getCloudManagedProviderId(provider);
       if (!id || merged.has(id)) continue;
       if (isDesktopProviderBlocked({ providerId: id, checkRestriction: options.checkDesktopAppRestriction })) continue;
       merged.set(id, {
@@ -775,12 +775,12 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
   ) => {
     const localProviderId = getCloudManagedProviderId(provider);
     const existingImported = state.importedCloudProviders[provider.id] ?? null;
+    const importedWithSameLocalId = Object.values(state.importedCloudProviders).find(
+      (entry) => entry.providerId === localProviderId && entry.cloudProviderId !== provider.id,
+    );
     if (
-      existingImported &&
-      existingImported.providerId !== localProviderId &&
-      Object.values(state.importedCloudProviders).some(
-        (entry) => entry.providerId === localProviderId && entry.cloudProviderId !== provider.id,
-      )
+      importedWithSameLocalId &&
+      (!existingImported || existingImported.providerId !== localProviderId)
     ) {
       throw new Error(
         `${localProviderId} is already imported from another cloud provider. Remove it before importing this one.`,
@@ -1743,7 +1743,7 @@ export function createProviderAuthStore(options: CreateProviderAuthStoreOptions)
       });
     }
 
-    if (failures.length > 0) {
+    if (failures.length > 0 && !configChanged) {
       throw new Error(failures.join("\n"));
     }
   }