feat(accounts): export OpenCode auth json

[lNimien]

Summary

• Add per-account export for stock OpenCode auth.json payloads.
• Add dashboard copy/download flow with truncated token previews for long access and refresh tokens.
• Add backend/frontend coverage plus OpenSpec change artifacts for the new export flow.

Changes

Area	Change
Backend	Added POST /api/accounts/{account_id}/export/opencode-auth endpoint.
Backend	Decrypts stored account tokens and returns stock OpenCode-compatible auth.json.
Backend	Derives expires from the access token JWT exp claim in epoch milliseconds.
Backend	Adds audit event account_auth_exported without logging token material.
Frontend	Adds Export OpenCode auth action to account details.
Frontend	Adds export dialog with warning, account metadata, token previews, copy buttons, and download button.
Frontend	Keeps downloaded/copied auth.json complete while truncating long tokens visually.
Tests	Adds backend integration tests for successful export and missing account.
Tests	Adds frontend schema and dialog tests.
OpenSpec	Adds add-opencode-auth-export proposal, design, specs, tasks, and verification report.

Test Plan

• .venv\Scripts\python -m pytest tests/integration/test_account_opencode_auth_export.py tests/unit/test_auth.py -q -ra
  • Result: 6 passed, 1 skipped
  • Skip is expected on Windows for POSIX chmod behavior.
• bun run test src/features/accounts/schemas.test.ts src/features/accounts/components/opencode-auth-export-dialog.test.tsx
  • Result: 2 files passed, 8 tests passed
• Manual UI smoke test locally
  • Verified modal does not overflow with long tokens.
  • Verified token previews are truncated.
  • Verified per-token copy buttons.
  • Verified full auth.json copy/download still works.
• openspec validate --specs
  • Blocked locally because the openspec CLI is not installed/available on PATH.

Notes

• The exported file intentionally uses stock OpenCode format:

  {
    "openai": {
      "type": "oauth",
      "refresh": "...",
      "access": "...",
      "expires": 1234567890000,
      "accountId": "..."
    }
  }

• Account email is shown only as dashboard metadata and is not included in the downloaded auth.json.
• Token values are never logged in the audit event.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5d915f4f4b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve null OpenCode accountId when ChatGPT ID is missing

Falling back to account.id here can generate an authJson.openai.accountId value that is not a real ChatGPT account ID (e.g. deduplicated IDs like acc_xxx_<hash> or local fallback IDs). For accounts where chatgpt_account_id is absent, this exports a misleading accountId instead of leaving it unset, and OpenCode will then send that invalid value as ChatGPT-Account-Id, which can cause downstream auth/account selection failures for those exported credentials.

Useful? React with 👍 / 👎.