
fix(opencode): CSP, cache headers, Anthropic prefill, idle timeout, and WebSocket URL credentials#18091

Open
Dredok wants to merge 6 commits into anomalyco:dev from Dredok:fix/csp-cache-debounce-watcher


@Dredok Dredok commented Mar 18, 2026

Issue for this PR

Closes #18084

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Fixes five bugs:

  1. CSP blocks changelog fetch: connect-src in the server's CSP header was missing https://opencode.ai, so the web UI couldn't load the changelog. Added the origin.

  2. Proxied assets re-downloaded every page load — responses proxied from app.opencode.ai had no Cache-Control. Now hashed assets under /assets/ get immutable, max-age=1y and everything else gets a 5-minute default.

  3. Anthropic prefill error — conversations ending with an assistant message cause "This model does not support assistant message prefill" on claude-sonnet-4-6 / claude-opus-4-6. Added a guard in normalizeMessages that strips trailing assistant messages before sending to Anthropic/Bedrock/Vertex.

  4. Connection accumulation: Bun.serve was configured with idleTimeout: 0 (never close idle connections). Over time HTTP keep-alive connections accumulate until the browser hits its per-host limit (~256) and new requests fail with ERR_INSUFFICIENT_RESOURCES. Changed to idleTimeout: 120 (2 minutes). SSE streams are unaffected because they have a 10-second heartbeat.

  5. WebSocket URL has spurious credentials — the terminal WebSocket URL unconditionally set url.username = "opencode" even when no password was configured, producing URLs like wss://opencode@host/pty/.... The @ in the URL confused browsers and reverse proxies, causing ERR_NETWORK_CHANGED errors and reconnection loops. Now credentials are only set when a password is actually configured.

Also includes a performance improvement: file watcher invalidations are now debounced (150 ms) so rapid agent writes don't fire N parallel HTTP requests.

How did you verify your code works?

  • Built binary with bun run --cwd packages/opencode build -- --single --skip-install — passes.
  • Changelog loads in the web UI (CSP fix).
  • DevTools → Network shows correct Cache-Control headers on proxied assets.
  • Watcher tests pass (4/4) after updating them for the debounce with fake timers.
  • Reproduced the prefill error by checking logs — the trailing assistant message is now stripped before the API call.
  • Monitored connections with ss -tnp | grep :4096 | wc -l — went from 201 stale connections down to ~5 after restart with the new idle timeout.
  • Verified WebSocket URLs no longer contain opencode@ when no password is configured — no more ERR_NETWORK_CHANGED in Chrome console.

Screenshots / recordings

No UI changes.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR
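
Item 5 of the description above, as an added example that is not part of the PR or of opencode's code: the WHATWG URL API serializes any non-empty username into the authority, so an unconditional `url.username` assignment yields `wss://opencode@host/...` even with no password. The function names, the sample host, and the use of `url.password` to carry the secret are assumptions for illustration.

```javascript
// Added example. Function names, host and password handling are hypothetical;
// only `url.username = "opencode"` and the /pty/ path come from the PR text.

// Behaviour described as the bug: the username is set unconditionally.
function ptyUrlBefore(base, ptyId, password) {
  const url = new URL(`/pty/${ptyId}`, base.replace(/^http/, "ws"));
  url.username = "opencode";
  if (password) url.password = password;
  return url.href;
}

// Behaviour described as the fix: userinfo only when a password is configured.
function ptyUrlAfter(base, ptyId, password) {
  const url = new URL(`/pty/${ptyId}`, base.replace(/^http/, "ws"));
  if (password) {
    url.username = "opencode";
    url.password = password; // setter percent-encodes '@', ':' and '/'
  }
  return url.href;
}

// Check usable in a test or a log filter: does a URL carry userinfo at all?
function hasUserinfo(href) {
  const url = new URL(href);
  return url.username !== "" || url.password !== "";
}

// Constructed sample input.
const BASE = "https://host.example:4096";
console.log(ptyUrlBefore(BASE, "abc123"));          // spurious "opencode@"
console.log(ptyUrlAfter(BASE, "abc123"));           // clean authority
console.log(ptyUrlAfter(BASE, "abc123", "s3cr@t")); // encoded credentials
```

When credentials are present they appear verbatim in the URL string, so `hasUserinfo` is also a useful guard before such a URL is written to logs.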

Dredok added 2 commits March 18, 2026 12:56
…sets

perf(watcher): debounce file watcher invalidations
test(watcher): update tests for debounce
@Dredok Dredok requested a review from adamdotdevin as a code owner March 18, 2026 13:13
@github-actions
Contributor

The following comment was made by an LLM, it may be inaccurate:

I found one potentially related PR:

PR #14772: "fix: disable assistant prefill for Claude 4.6 models"
#14772

This PR appears to address a similar issue with Anthropic prefill support for Claude 4.6 models. However, since PR #18091 is the current PR and it's specifically fixing the prefill guard with trailing assistant message stripping (a more comprehensive solution), PR #14772 may be an older or related approach to the same problem.

Check if #14772 is still open or if it overlaps with the prefill fix in the current PR.

@Dredok Dredok changed the title fix(opencode): CSP connect-src, cache headers, Anthropic prefill guard, and watcher debounce fix(opencode): CSP connect-src, cache headers, Anthropic prefill guard, watcher debounce, and idle timeout Mar 18, 2026
@Dredok Dredok force-pushed the fix/csp-cache-debounce-watcher branch from b523d43 to 8154923 Compare March 18, 2026 19:45
@Dredok Dredok changed the title fix(opencode): CSP connect-src, cache headers, Anthropic prefill guard, watcher debounce, and idle timeout fix(opencode): CSP, cache headers, Anthropic prefill, idle timeout, and WebSocket URL credentials Mar 18, 2026
Development

Successfully merging this pull request may close these issues.

CSP missing opencode.ai connect-src and missing cache headers for proxied assets; file watcher causes HTTP bursts