feat: add Altimate as a provider via /connect

[suryaiyer95]

Summary

Registers Altimate as an OpenAI-compatible provider accessible through the /connect flow.

• Provider registration: altimate-backend auto-loads when ~/.altimate/altimate.json exists, configured with baseURL, apiKey, and x-tenant header
• Connect flow: Selecting Altimate from /connect opens a 3-field form — Instance Name, API Key, URL — with tab navigation and credential validation against /auth_health
• No model auto-select: After connecting, the dialog closes — user picks the model separately
• Security: Filesystem.write() enforces file permissions via chmod() on every write. Credentials saved with 0o600
• Input sanitization: Trims whitespace and strips trailing slashes from URL

Files changed

File	Description
dialog-altimate-login.tsx	New: credential form with validation, tab navigation, inline errors
dialog-provider.tsx	Routes Altimate selection to credential form
provider.ts	Registers altimate-backend with auto-loader using saved credentials
filesystem.ts	Adds chmod() after writeFile to enforce permissions on existing files
getting-started.md	Documents /connect provider options and Altimate credential setup

Test Plan

• /connect → Altimate appears in Popular with (API key) label
• Select Altimate → 3-field form appears (Instance Name, API Key, URL)
• Tab cycles fields, Enter submits
• Wrong credentials → inline error, form stays open
• Valid credentials → saves to ~/.altimate/altimate.json, dialog closes
• Restart → Altimate provider auto-loads, available in model list
• Switch to another provider → stays on that provider after restart
• Trailing spaces or slash in URL → handled correctly

Checklist

• Tests added/updated
• Documentation updated (if needed)
• CHANGELOG updated (if user-facing)

[dev-punia-altimate]

🤖 Behavioral Analysis — 3 Finding(s)

🟡 Warnings (3)

• F1 packages/opencode/src/cli/cmd/tui/component/dialog-altimate-login.tsx:62 [Validation bypass: whitespace-only values pass required-field checks]
  The three required-field guards use bare if (!instance), if (!key), if (!url) with no trim. A value of ' ' (spaces only) is truthy, so it passes the check. The whitespace value then becomes an HTTP header value (e.g., 'x-tenant: " "'). The server rejects auth and the user sees 'Invalid credentials' instead of the specific 'Instance name is required' error. This is particularly likely for copy-pasted API keys that include surrounding whitespace. Evidence: diff lines ~62-83 show the bare !-checks. Compare question.tsx:148 which uses textarea?.plainText?.trim() ?? '' for the same kind of textarea — proving the codebase pattern is to trim.

• F2 packages/opencode/src/cli/cmd/tui/component/dialog-altimate-login.tsx:99 [Trailing slash in saved URL produces double-slash paths on every API call]
  The saved altimateUrl is used in two places with a hardcoded leading slash on the path: (1) AltimateApi.request in client.ts:67 builds ${creds.altimateUrl}${endpoint} where endpoints all start with '/' (e.g., '/datamates/'); (2) provider.ts new loader uses ${creds.altimateUrl}/agents/v1. If the user enters 'https://api.myaltimate.com/' (trailing slash), all resulting URLs get double slashes: 'https://api.myaltimate.com//datamates/', 'https://api.myaltimate.com//agents/v1'. The validation fetch to ${url}/auth_health also double-slashes, but most servers accept it — so validation passes and the bad URL is saved. Enterprise users directed to enter a custom URL are the most likely to include a trailing slash.

• F3 packages/opencode/src/cli/cmd/tui/component/dialog-altimate-login.tsx:113 [Silent failure: setValidating(false) called before save operations with no error handling]
  After auth validation succeeds, setValidating(false) is called and then the credential-save and reconnect steps are executed with no surrounding try/catch:

  setValidating(false) // <-- set here
  await Filesystem.writeJson(...) // can throw EACCES on chmod, ENOENT if mkdir fails
  await sdk.client.instance.dispose() // can throw network error
  await sync.bootstrap() // safe (handles errors internally via .catch)
  local.model.set(...)
  dialog.clear()

Because submit() is called fire-and-forget from the keyboard handler (no await), any exception from writeJson or dispose becomes an unhandled promise rejection. The dialog remains open (dialog.clear() never called), but validating() is already false so the form looks ready for another attempt. There is zero indication to the user that credentials were not saved. The PR itself introduces the new chmod call in writeFile that can now throw on restricted filesystems (EPERM), making this more likely to trigger than before.

_{Analysis run | Powered by QA Autopilot}

[github-actions]

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

• PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

[Copilot]

Pull request overview

Adds first-class support for an Altimate-hosted “OpenAI-compatible” backend provider, including a TUI login flow that persists credentials locally and prefers Altimate as the default model when configured.

Changes:

• Add an altimate-backend provider loader (autoloads when Altimate credentials exist) and register a default Altimate model in the provider database.
• Introduce a new TUI “Login to Altimate” dialog and wire it into /connect and a new /login command.
• Ensure file writes that specify a mode also apply permissions via chmod.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
packages/opencode/src/util/filesystem.ts	Applies chmod after writes when mode is provided.
packages/opencode/src/provider/provider.ts	Adds altimate-backend custom loader and registers an OpenAI-compatible Altimate model/provider entry.
packages/opencode/src/cli/cmd/tui/context/local.tsx	Prefers Altimate provider/model as the fallback default when connected.
packages/opencode/src/cli/cmd/tui/component/dialog-provider.tsx	Adds Altimate to provider list priority and routes selection to the Altimate login dialog.
packages/opencode/src/cli/cmd/tui/component/dialog-altimate-login.tsx	New dialog to validate and store Altimate credentials, then bootstrap and select Altimate model.
packages/opencode/src/cli/cmd/tui/app.tsx	Adds a “Login to Altimate” command with /login slash entry.
docs/docs/getting-started.md	Documents how to connect/login to Altimate and where credentials are stored.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[dev-punia-altimate]

✅ Tests — All Passed

TypeScript — passed

Python — passed

cc @suryaiyer95
_{Tested at 8d227929 | Run log | Powered by QA Autopilot}