
refactor: single-window IDC auth with JSON API and token selection fixes#19

Merged
tickernelz merged 6 commits intotickernelz:masterfrom
kfiramar:feat/idc-auth-single-window
Feb 3, 2026

Conversation

@kfiramar (Contributor) commented Feb 2, 2026

Problem

  • IDC auth UX was multi-window and frequently surfaced generic "Authentication failed" instead of the actual cause.
  • OIDC polling and device-authorization edge cases produced confusing failures (invalid request vs expired device code).
  • Placeholder @awsapps.local accounts from Kiro CLI sync (and stale tokens) could be selected, leading to 403 AccessDeniedException ("bearer token is invalid").
  • OpenCode "connected" state didn’t reliably reflect successful auth because auth.loader returned an empty apiKey.

What Changed (User-facing)

  • Single browser window for IDC auth with defaults prefilled; code + "Open Browser" shown immediately, AWS verification opens only on click.
  • Auth failures now show the real underlying error message (not a generic failure page).
  • Provider connection indicator can reflect stored credentials after successful auth.
  • Account selection avoids placeholder accounts when a real-email account exists.

What Changed (Implementation)

  • Auth UI + server endpoints:
    • GET / serves a combined page for Start URL + Region + Begin + code + status polling (src/plugin/auth-page.ts).
    • GET /begin returns JSON { verificationUrl, verificationUriComplete, userCode, region } and triggers server-side token polling (src/plugin/server.ts).
    • /status includes message aliasing error; /error?message=... is parsed and rendered correctly.
  • Start URL + Region handling:
    • Start URL is normalized to origin + /start and can follow redirects to canonical *.awsapps.com portal hosts (src/kiro/oauth-idc.ts).
    • Region is editable in the auth window; validation accepts standard AWS region strings and config schema is no longer limited to a fixed allowlist (src/plugin/config/schema.ts).
  • IDC token polling correctness:
    • Polling request formatting/headers aligned with AWS expectations (reduces immediate "Invalid request" failures) (src/plugin/server.ts).
  • Account + token correctness (403 reduction):
    • Prefer non-placeholder accounts when real-email accounts exist (src/plugin/accounts.ts).
    • After successful auth, the new account is saved and immediately injected into the in-memory AccountManager so subsequent requests don’t keep using stale tokens (src/core/auth/auth-handler.ts, src/core/auth/idc-auth-method.ts).
    • Kiro CLI sync prevents refresh-token uniqueness collisions by deleting placeholders before inserting real-email accounts (src/plugin/sync/kiro-cli.ts).
  • Connected indicator:
    • auth.loader returns apiKey derived from stored auth so OpenCode UI can display connected (src/plugin.ts).
  • Thinking variants:
    • Low/medium/high mapping plus backward-compatible max support (src/core/request/thinking.ts, src/core/request/request-handler.ts, README.md).

Tests

  • npm test
  • npm run typecheck

Notable Behavior Changes / Risks

  • /begin is now JSON (breaking for any consumers relying on it as an HTML navigation endpoint).
  • Account selection order changes when placeholder accounts exist; intended to reduce invalid-bearer 403s.
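As an added illustration of the Start URL normalization and region validation described under "Start URL + Region handling" above (example code, not the project's own; the function names normalizeStartUrl, isValidRegion and isCanonicalPortalHost and the region regex are assumptions, and the redirect-following step is left out because it needs the network, so only the check you would apply to a redirect target is shown):

```typescript
// Added example, not project code. Names and the region pattern are assumptions.

/** Normalize an IAM Identity Center Start URL to `<origin>/start`,
 *  discarding path, query and fragment variants users tend to paste
 *  (e.g. a trailing "/#/" copied from the browser). */
function normalizeStartUrl(input: string): string {
  const trimmed = input.trim();
  let url: URL;
  try {
    // Accept a bare host and assume https; anything else must parse as a URL.
    url = new URL(trimmed.includes("://") ? trimmed : `https://${trimmed}`);
  } catch {
    throw new Error(`Invalid Start URL: ${input}`);
  }
  if (url.protocol !== "https:") {
    throw new Error("Start URL must use https");
  }
  return `${url.origin}/start`;
}

/** Assumed shape of a standard AWS region string:
 *  <two-letter prefix>-<one or more name segments>-<number>,
 *  e.g. us-east-1, ap-southeast-2, us-gov-west-1, us-isob-east-1.
 *  Lowercase only; no fixed allowlist, so new regions validate without a code change. */
const REGION_RE = /^[a-z]{2}(?:-[a-z]+)+-\d+$/;

function isValidRegion(region: string): boolean {
  return REGION_RE.test(region.trim());
}

/** Check that a (possibly redirected) portal URL lands on a canonical
 *  *.awsapps.com host. Using endsWith on the hostname with the leading dot
 *  rejects look-alikes such as awsapps.com.evil.example. */
function isCanonicalPortalHost(url: string): boolean {
  const host = new URL(url).hostname.toLowerCase();
  return host.endsWith(".awsapps.com");
}
```

Apply normalizeStartUrl before storing the Start URL in config, isValidRegion to the region field of the auth form, and isCanonicalPortalHost to the final URL after any redirect is followed; a redirect that leaves the awsapps.com domain should be treated as an error rather than silently adopted.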

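An added example, not taken from the project, of the account-selection and sync rules described above: prefer a real-email account over an @awsapps.local placeholder, inject a freshly authenticated account into the in-memory manager so it is used straight away, and delete a placeholder before inserting the real-email account that carries the same refresh token so the uniqueness rule on refresh tokens is not violated. The Account shape, the AccountManager class and its methods are assumptions.

```typescript
// Added example, not project code. Types and class names are assumptions.

interface Account {
  email: string;
  refreshToken: string;
  accessToken?: string;
}

const PLACEHOLDER_DOMAIN = "@awsapps.local";

/** Placeholder rows come from Kiro CLI sync and carry no usable bearer token. */
function isPlaceholder(a: Account): boolean {
  return a.email.toLowerCase().endsWith(PLACEHOLDER_DOMAIN);
}

/** Prefer a real-email account; fall back to a placeholder only if nothing else exists. */
function selectAccount(accounts: Account[]): Account | undefined {
  return accounts.find((a) => !isPlaceholder(a)) ?? accounts[0];
}

class AccountManager {
  private accounts: Account[] = [];

  constructor(initial: Account[] = []) {
    for (const a of initial) this.upsert(a);
  }

  /** Insert or replace an account. Refresh tokens must be unique, so a
   *  placeholder holding the same token is deleted first (mirrors the sync
   *  fix); a *real* account already bound to the token is a genuine conflict. */
  upsert(account: Account): void {
    this.accounts = this.accounts.filter(
      (a) =>
        !(
          a.refreshToken === account.refreshToken &&
          (isPlaceholder(a) || a.email === account.email)
        ),
    );
    const conflict = this.accounts.find((a) => a.refreshToken === account.refreshToken);
    if (conflict) {
      throw new Error(`refresh token already bound to ${conflict.email}`);
    }
    this.accounts.push(account);
  }

  /** Account the next request should use. */
  current(): Account | undefined {
    return selectAccount(this.accounts);
  }

  list(): Account[] {
    return [...this.accounts];
  }
}

/** What the post-auth path does: persist, then inject into the live manager so
 *  the next request does not keep using a stale token. Persistence is a no-op here. */
function onAuthSuccess(manager: AccountManager, fresh: Account): Account | undefined {
  manager.upsert(fresh);
  return manager.current();
}
```

The filter step is the important part: deleting only placeholders that share the refresh token keeps the collision fix narrow, while a second real account with the same token still surfaces as an error instead of being silently overwritten.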
@kfiramar kfiramar changed the title from "refactor: single-window IDC auth with JSON API and token/token-selection fixes" to "refactor: single-window IDC auth with JSON API and token selection fixes" on Feb 2, 2026
kfiramar and others added 4 commits February 2, 2026 20:15
…n handling and sync

- Remove modelId/tools from CodeWhisperer request shape for alignment
- Base region handling on profileArn with regex extraction
- Improve sync operations and refresh token handling
- Add account cleanup and profileArn from state
- Enhance request error logging
- Inject fetch into provider options
- Add IDC region handling module

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
@kfiramar kfiramar force-pushed the feat/idc-auth-single-window branch from 49c12c3 to e04fdca on February 2, 2026 18:15
@tickernelz (Owner) commented:

Did you already test it on your local? Both of your PRs?

@kfiramar (Contributor, author) commented Feb 3, 2026

Yes - I tested both PRs locally.

  • I hit the same issues you're seeing (auth failures + stale/unhealthy accounts + DB edge cases) and fixed them because I needed a working setup end to end (for my uses).
  • After the fixes, I verified the full workflow locally: connect/auth working, the provider can make requests without the 403/invalid token loop, and the UX behaves as described.

I opened these PRs to share the working solution. There's also an OpenCode Kiro Integration PR where people report issues (I find it likely that those are the ones I faced); this PR addresses many critical ones.

I just found an edge case and just committed the fix

@kfiramar kfiramar force-pushed the feat/idc-auth-single-window branch from 129e002 to cdd6b9f on February 3, 2026 07:32
@kfiramar kfiramar force-pushed the feat/idc-auth-single-window branch from cdd6b9f to 4916106 on February 3, 2026 07:43
@tickernelz (Owner) commented:

Okay then, I trust you. I will merge both of your PRs; hope this will fix a lot of bugs.

@tickernelz tickernelz merged commit a862499 into tickernelz:master Feb 3, 2026
1 check passed
