[Task] Audit OpenCode Go free quota isolation per install

[Astro-Han]

Goal

PawWork should not expose users to a shared OpenCode Go / free-model quota pool unless that behavior is explicit, intentional, and safe.

Two separate users reported the same error almost back-to-back:

Free usage exceeded, subscribe to Go https://opencode.ai/go

One screenshot showed a retry delay of about 50223 seconds. That timing correlation is a strong product-risk signal, but it is not yet proof that all PawWork users share one quota pool.

When this task is done, we should know what identity OpenCode Go uses for PawWork requests and either guarantee per-install/per-device isolation or remove any misleading bundled-free expectation.

Scope

In scope:

• Trace OpenCode Go / free-model request identity from PawWork desktop runtime through the OpenCode provider request.
• Confirm whether current requests include any per-device or per-install identity. Current local evidence shows PawWork sends x-opencode-project, x-opencode-session, x-opencode-request, and x-opencode-client, but no obvious device/install ID.
• Confirm whether the observed failure is tied to IP, API key, workspace/account, model-level pressure, region, or another OpenCode Go server-side limiter.
• Decide the product boundary:
  • PawWork-owned anonymous install token / relay if we promise per-device free usage.
  • Require user-owned OpenCode Go API keys if the provider quota is account/workspace based.
  • Stop treating Go/free models as a reliable default free path if isolation cannot be guaranteed.
• Add or improve diagnostics so support can see the provider, model, auth source, status code, retry-after value, and normalized error type without exposing secrets.

Out of scope:

• Changing OpenCode Go paid billing semantics.
• Building a broad subscription or provider marketplace flow unless it is required to close this specific risk.
• Treating the two simultaneous reports as confirmed proof before checking the server-side quota dimension.

Relevant files or context

Likely code paths:

• packages/opencode/src/session/retry.ts
  • Maps FreeUsageLimitError to Free usage exceeded, subscribe to Go https://opencode.ai/go.
  • Uses provider retry-after-ms / retry-after headers to compute the long retry delay.
• packages/opencode/src/session/llm.ts
  • Adds OpenCode request headers for opencode* providers.
• packages/opencode/src/provider/provider.ts
  • Loads provider API keys from env and saved auth.
  • Configures provider baseURL / API key for OpenCode Go.
• packages/opencode/src/auth/index.ts
  • Stores saved provider auth in runtime data.

External references checked during triage:

• OpenCode Go docs: https://dev.opencode.ai/docs/go/
• OpenCode Go landing page: https://opencode.ai/go
• Historical OpenCode Zen rate limiter code showing IP-window style free-limit logic: https://github.com/anomalyco/opencode/blob/2a2082233d9e8bda4674ce596f04b61b3b32522d/packages/console/app/src/routes/zen/util/rateLimiter.ts

Verification

• Reproduce or instrument one OpenCode Go/free-model request from a clean PawWork install and confirm the exact identity fields sent upstream.
• Compare at least these cases if feasible:
  • Two fresh installs on different devices / networks.
  • Two fresh installs on the same network.
  • Saved user-owned OpenCode Go API key vs no saved key.
• Verify that support diagnostics can distinguish:
  • No key / anonymous path.
  • Saved key path.
  • Env key path.
  • Provider/server quota vs transient provider overload.
• If a code change follows, add targeted tests for the normalized error/diagnostic behavior and manually verify the desktop user path.

Execution mode

Agent should investigate and propose a plan first.

[Astro-Han]

Closing without further work.

The original framing here ("audit free quota isolation per install") turned out to be the wrong question. The actual situation, surfaced while exploring PR #738 (closed without merge — see #738 (comment)):

• Zen ToS at https://opencode.ai/legal/terms-of-service restricts use to "your own internal use, and not on behalf of or for the benefit of any third party." PawWork routing end-user traffic through Zen does not fit that scope regardless of User-Agent shape.
• The narrower dailyRequestsFallback quota PawWork users currently hit is upstream's intended treatment for non-official clients. It is by design, not a bug to fix from the PawWork side.

There is no PawWork-side technical change that resolves this. The path forward sits outside the issue tracker: stop relying on Zen as a default-on free provider, and engage anomalyco directly. Not filing a successor issue.