@elvatis_com/openclaw-cli-bridge-elvatis 1.9.0 → 2.0.0

package/src/cli-runner.ts

@@ -1,19 +1,25 @@
 /**
  * cli-runner.ts
  *
- * Spawns CLI subprocesses (gemini, claude) and captures their output.
- * Input: OpenAI-format messages → formatted prompt string → CLI stdin.
+ * Spawns CLI subprocesses (gemini, claude, codex, opencode, pi) and captures their output.
+ * Input: OpenAI-format messages → formatted prompt string → CLI stdin (or CLI arg).
  *
- * Both Gemini and Claude receive the prompt via stdin to avoid:
- *   - E2BIG (arg list too long) for large conversation histories
- *   - Gemini agentic mode (triggered by @file syntax + workspace cwd)
+ * Prompt delivery:
+ *   - Gemini/Claude/Codex receive the prompt via stdin to avoid E2BIG and agentic mode.
+ *   - OpenCode receives the prompt as a CLI argument (`opencode run "prompt"`).
+ *   - Pi receives the prompt via `-p "prompt"` flag.
  *
- * Gemini is always spawned with cwd = tmpdir() so it doesn't scan the
- * workspace and enter agentic mode.
+ * Workdir isolation:
+ *   - Gemini: defaults to tmpdir() (prevents agentic workspace scanning).
+ *   - Claude/Codex: defaults to homedir().
+ *   - OpenCode/Pi: defaults to homedir().
+ *   - All runners accept an explicit `workdir` override via RouteOptions.
  */
 
-import { spawn } from "node:child_process";
+import { spawn, execSync } from "node:child_process";
 import { tmpdir, homedir } from "node:os";
+import { existsSync } from "node:fs";
+import { join } from "node:path";
 import { ensureClaudeToken, refreshClaudeToken } from "./claude-auth.js";
 
 /** Max messages to include in the prompt sent to the CLI. */
@@ -198,6 +204,41 @@ export function runCli(
   });
 }
 
+/**
+ * Spawn a CLI with the prompt delivered as a CLI argument (not stdin).
+ * Used by OpenCode which expects `opencode run "prompt"`.
+ */
+export function runCliWithArg(
+  cmd: string,
+  args: string[],
+  timeoutMs = 120_000,
+  opts: RunCliOptions = {}
+): Promise<CliRunResult> {
+  const cwd = opts.cwd ?? homedir();
+
+  return new Promise((resolve, reject) => {
+    const proc = spawn(cmd, args, {
+      timeout: timeoutMs,
+      env: buildMinimalEnv(),
+      cwd,
+    });
+
+    let stdout = "";
+    let stderr = "";
+
+    proc.stdout.on("data", (d: Buffer) => { stdout += d.toString(); });
+    proc.stderr.on("data", (d: Buffer) => { stderr += d.toString(); });
+
+    proc.on("close", (code) => {
+      resolve({ stdout: stdout.trim(), stderr: stderr.trim(), exitCode: code ?? 0 });
+    });
+
+    proc.on("error", (err) => {
+      reject(new Error(`Failed to spawn '${cmd}': ${err.message}`));
+    });
+  });
+}
+
 // ──────────────────────────────────────────────────────────────────────────────
 // Gemini CLI
 // ──────────────────────────────────────────────────────────────────────────────
@@ -215,17 +256,20 @@ export function runCli(
  * Gemini CLI: -p "" triggers headless mode; stdin content is the actual prompt
  * (per Gemini docs: "prompt is appended to input on stdin (if any)").
  *
- * cwd = tmpdir() — neutral empty-ish dir, prevents workspace context scanning.
+ * cwd = tmpdir() by default — neutral empty-ish dir, prevents workspace context scanning.
+ * Override with explicit workdir.
  */
 export async function runGemini(
   prompt: string,
   modelId: string,
-  timeoutMs: number
+  timeoutMs: number,
+  workdir?: string
 ): Promise<string> {
   const model = stripPrefix(modelId);
   // -p "" = headless mode trigger; actual prompt arrives via stdin
   const args = ["-m", model, "-p", ""];
-  const result = await runCli("gemini", args, prompt, timeoutMs, { cwd: tmpdir() });
+  const cwd = workdir ?? tmpdir();
+  const result = await runCli("gemini", args, prompt, timeoutMs, { cwd });
 
   // Filter out [WARN] lines from stderr (Gemini emits noisy permission warnings)
   const cleanStderr = result.stderr
@@ -248,11 +292,13 @@ export async function runGemini(
 /**
  * Run Claude Code CLI in headless mode with prompt delivered via stdin.
  * Strips the model prefix ("cli-claude/claude-opus-4-6" → "claude-opus-4-6").
+ * cwd = homedir() by default. Override with explicit workdir.
  */
 export async function runClaude(
   prompt: string,
   modelId: string,
-  timeoutMs: number
+  timeoutMs: number,
+  workdir?: string
 ): Promise<string> {
   // Proactively refresh OAuth token if it's about to expire (< 5 min remaining).
   // No-op for API-key users.
@@ -267,7 +313,8 @@ export async function runClaude(
     "--model", model,
   ];
 
-  const result = await runCli("claude", args, prompt, timeoutMs);
+  const cwd = workdir ?? homedir();
+  const result = await runCli("claude", args, prompt, timeoutMs, { cwd });
 
   // On 401: attempt one token refresh + retry before giving up.
   if (result.exitCode !== 0 && result.stdout.length === 0) {
@@ -275,7 +322,7 @@ export async function runClaude(
     if (stderr.includes("401") || stderr.includes("Invalid authentication credentials") || stderr.includes("authentication_error")) {
       // Refresh and retry once
       await refreshClaudeToken();
-      const retry = await runCli("claude", args, prompt, timeoutMs);
+      const retry = await runCli("claude", args, prompt, timeoutMs, { cwd });
       if (retry.exitCode !== 0 && retry.stdout.length === 0) {
         const retryStderr = retry.stderr || "(no output)";
         if (retryStderr.includes("401") || retryStderr.includes("authentication_error") || retryStderr.includes("Invalid authentication credentials")) {
@@ -294,6 +341,97 @@ export async function runClaude(
   return result.stdout;
 }
 
+// ──────────────────────────────────────────────────────────────────────────────
+// Codex CLI
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Ensure the workdir is a git repository. Codex CLI requires a git repo.
+ * If the directory exists but is not a git repo, run `git init`.
+ */
+function ensureGitRepo(dir: string): void {
+  if (!existsSync(join(dir, ".git"))) {
+    execSync("git init", { cwd: dir, stdio: "ignore" });
+  }
+}
+
+/**
+ * Run Codex CLI in non-interactive mode with prompt via stdin.
+ * cwd = homedir() by default. Override with explicit workdir.
+ * Auto-initializes git if workdir is not already a git repo.
+ */
+export async function runCodex(
+  prompt: string,
+  modelId: string,
+  timeoutMs: number,
+  workdir?: string
+): Promise<string> {
+  const model = stripPrefix(modelId);
+  const args = ["--model", model, "--quiet", "--full-auto"];
+  const cwd = workdir ?? homedir();
+
+  // Codex requires a git repo in the working directory
+  ensureGitRepo(cwd);
+
+  const result = await runCli("codex", args, prompt, timeoutMs, { cwd });
+
+  if (result.exitCode !== 0 && result.stdout.length === 0) {
+    throw new Error(`codex exited ${result.exitCode}: ${result.stderr || "(no output)"}`);
+  }
+
+  return result.stdout || result.stderr;
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// OpenCode CLI
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Run OpenCode CLI. Prompt is passed as a CLI argument: `opencode run "prompt"`.
+ * cwd = homedir() by default. Override with explicit workdir.
+ */
+export async function runOpenCode(
+  prompt: string,
+  _modelId: string,
+  timeoutMs: number,
+  workdir?: string
+): Promise<string> {
+  const args = ["run", prompt];
+  const cwd = workdir ?? homedir();
+  const result = await runCliWithArg("opencode", args, timeoutMs, { cwd });
+
+  if (result.exitCode !== 0 && result.stdout.length === 0) {
+    throw new Error(`opencode exited ${result.exitCode}: ${result.stderr || "(no output)"}`);
+  }
+
+  return result.stdout || result.stderr;
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Pi CLI
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Run Pi CLI in non-interactive mode: `pi -p "prompt"`.
+ * cwd = homedir() by default. Override with explicit workdir.
+ */
+export async function runPi(
+  prompt: string,
+  _modelId: string,
+  timeoutMs: number,
+  workdir?: string
+): Promise<string> {
+  const args = ["-p", prompt];
+  const cwd = workdir ?? homedir();
+  const result = await runCliWithArg("pi", args, timeoutMs, { cwd });
+
+  if (result.exitCode !== 0 && result.stdout.length === 0) {
+    throw new Error(`pi exited ${result.exitCode}: ${result.stderr || "(no output)"}`);
+  }
+
+  return result.stdout || result.stderr;
+}
+
 // ──────────────────────────────────────────────────────────────────────────────
 // Model allowlist (T-103)
 // ──────────────────────────────────────────────────────────────────────────────
@@ -319,6 +457,16 @@ export const DEFAULT_ALLOWED_CLI_MODELS: ReadonlySet<string> = new Set([
   // Aliases (map to preview variants internally)
   "cli-gemini/gemini-3-pro",   // alias → gemini-3-pro-preview
   "cli-gemini/gemini-3-flash", // alias → gemini-3-flash-preview
+  // Codex CLI
+  "openai-codex/gpt-5.3-codex",
+  "openai-codex/gpt-5.3-codex-spark",
+  "openai-codex/gpt-5.2-codex",
+  "openai-codex/gpt-5.4",
+  "openai-codex/gpt-5.1-codex-mini",
+  // OpenCode CLI
+  "opencode/default",
+  // Pi CLI
+  "pi/default",
 ]);
 
 /** Normalize model aliases to their canonical CLI model names. */
@@ -341,12 +489,20 @@ export interface RouteOptions {
    * Defaults to DEFAULT_ALLOWED_CLI_MODELS.
    */
   allowedModels?: ReadonlySet<string> | null;
+  /**
+   * Working directory for the CLI subprocess.
+   * Overrides the per-runner default (tmpdir for gemini, homedir for others).
+   */
+  workdir?: string;
 }
 
 /**
  * Route a chat completion to the correct CLI based on model prefix.
- *   cli-gemini/<id>  → gemini CLI
- *   cli-claude/<id>  → claude CLI
+ *   cli-gemini/<id>      → gemini CLI
+ *   cli-claude/<id>      → claude CLI
+ *   openai-codex/<id>    → codex CLI
+ *   opencode/<id>        → opencode CLI
+ *   pi/<id>              → pi CLI
  *
  * Enforces DEFAULT_ALLOWED_CLI_MODELS by default (T-103).
  * Pass `allowedModels: null` to skip the allowlist check.
@@ -379,11 +535,14 @@ export async function routeToCliRunner(
   // Resolve aliases (e.g. gemini-3-pro → gemini-3-pro-preview) after allowlist check
   const resolved = normalizeModelAlias(normalized);
 
-  if (resolved.startsWith("cli-gemini/")) return runGemini(prompt, resolved, timeoutMs);
-  if (resolved.startsWith("cli-claude/")) return runClaude(prompt, resolved, timeoutMs);
+  if (resolved.startsWith("cli-gemini/"))   return runGemini(prompt, resolved, timeoutMs, opts.workdir);
+  if (resolved.startsWith("cli-claude/"))   return runClaude(prompt, resolved, timeoutMs, opts.workdir);
+  if (resolved.startsWith("openai-codex/")) return runCodex(prompt, resolved, timeoutMs, opts.workdir);
+  if (resolved.startsWith("opencode/"))     return runOpenCode(prompt, resolved, timeoutMs, opts.workdir);
+  if (resolved.startsWith("pi/"))           return runPi(prompt, resolved, timeoutMs, opts.workdir);
 
   throw new Error(
-    `Unknown CLI bridge model: "${model}". Use "vllm/cli-gemini/<model>" or "vllm/cli-claude/<model>".`
+    `Unknown CLI bridge model: "${model}". Use "vllm/cli-gemini/<model>", "vllm/cli-claude/<model>", "openai-codex/<model>", "opencode/<model>", or "pi/<model>".`
   );
 }
 

package/src/grok-client.ts

@@ -51,7 +51,7 @@ const STABLE_INTERVAL_MS = 500; // ms between stability checks
 
 function resolveModel(m?: string): string {
   const clean = (m ?? "grok-3").replace("web-grok/", "");
-  const allowed = ["grok-3", "grok-3-fast", "grok-3-mini", "grok-3-mini-fast"];
+  const allowed = ["grok-4", "grok-3", "grok-3-fast", "grok-3-mini", "grok-3-mini-fast"];
   return allowed.includes(clean) ? clean : "grok-3";
 }
 

package/src/proxy-server.ts

@@ -18,6 +18,7 @@ import { claudeComplete, claudeCompleteStream, type ChatMessage as ClaudeBrowser
 import { chatgptComplete, chatgptCompleteStream, type ChatMessage as ChatGPTBrowserChatMessage } from "./chatgpt-browser.js";
 import type { BrowserContext } from "playwright";
 import { renderStatusPage, type StatusProvider } from "./status-template.js";
+import { sessionManager } from "./session-manager.js";
 
 export type GrokCompleteOptions = Parameters<typeof grokComplete>[1];
 export type GrokCompleteStreamOptions = Parameters<typeof grokCompleteStream>[1];
@@ -85,32 +86,38 @@ export interface ProxyServerOptions {
 /** Available CLI bridge models for GET /v1/models */
 export const CLI_MODELS = [
   // ── Claude Code CLI ───────────────────────────────────────────────────────
-  { id: "cli-claude/claude-sonnet-4-6", name: "Claude Sonnet 4.6 (CLI)",  contextWindow: 200_000,   maxTokens: 8_192 },
-  { id: "cli-claude/claude-opus-4-6",   name: "Claude Opus 4.6 (CLI)",    contextWindow: 200_000,   maxTokens: 8_192 },
-  { id: "cli-claude/claude-haiku-4-5",  name: "Claude Haiku 4.5 (CLI)",   contextWindow: 200_000,   maxTokens: 8_192 },
+  { id: "cli-claude/claude-sonnet-4-6", name: "Claude Sonnet 4.6 (CLI)",  contextWindow: 1_000_000, maxTokens: 64_000 },
+  { id: "cli-claude/claude-opus-4-6",   name: "Claude Opus 4.6 (CLI)",    contextWindow: 1_000_000, maxTokens: 128_000 },
+  { id: "cli-claude/claude-haiku-4-5",  name: "Claude Haiku 4.5 (CLI)",   contextWindow: 200_000,   maxTokens: 64_000 },
   // ── Gemini CLI ────────────────────────────────────────────────────────────
-  { id: "cli-gemini/gemini-2.5-pro",      name: "Gemini 2.5 Pro (CLI)",   contextWindow: 1_000_000, maxTokens: 8_192 },
-  { id: "cli-gemini/gemini-2.5-flash",    name: "Gemini 2.5 Flash (CLI)", contextWindow: 1_000_000, maxTokens: 8_192 },
-  { id: "cli-gemini/gemini-3-pro-preview",   name: "Gemini 3 Pro Preview (CLI)",   contextWindow: 1_000_000, maxTokens: 8_192 },
-  { id: "cli-gemini/gemini-3-flash-preview", name: "Gemini 3 Flash Preview (CLI)", contextWindow: 1_000_000, maxTokens: 8_192 },
+  { id: "cli-gemini/gemini-2.5-pro",      name: "Gemini 2.5 Pro (CLI)",   contextWindow: 1_048_576, maxTokens: 65_535 },
+  { id: "cli-gemini/gemini-2.5-flash",    name: "Gemini 2.5 Flash (CLI)", contextWindow: 1_048_576, maxTokens: 65_535 },
+  { id: "cli-gemini/gemini-3-pro-preview",   name: "Gemini 3 Pro Preview (CLI)",   contextWindow: 1_048_576, maxTokens: 65_536 },
+  { id: "cli-gemini/gemini-3-flash-preview", name: "Gemini 3 Flash Preview (CLI)", contextWindow: 1_048_576, maxTokens: 65_536 },
   // Codex CLI models (via openai-codex provider, OAuth auth)
-  { id: "openai-codex/gpt-5.3-codex",       name: "GPT-5.3 Codex",            contextWindow: 200_000, maxTokens: 32_768 },
-  { id: "openai-codex/gpt-5.3-codex-spark", name: "GPT-5.3 Codex Spark",      contextWindow: 200_000, maxTokens: 32_768 },
-  { id: "openai-codex/gpt-5.2-codex",       name: "GPT-5.2 Codex",            contextWindow: 200_000, maxTokens: 32_768 },
-  { id: "openai-codex/gpt-5.4",             name: "GPT-5.4",                   contextWindow: 200_000, maxTokens: 32_768 },
-  { id: "openai-codex/gpt-5.1-codex-mini",  name: "GPT-5.1 Codex Mini",       contextWindow: 200_000, maxTokens: 32_768 },
+  // GPT-5.4: 1M ctx, 128K out | GPT-5.3: 400K ctx, 128K out | GPT-5.2: 200K, 32K | Mini: 128K, 16K
+  { id: "openai-codex/gpt-5.4",             name: "GPT-5.4",               contextWindow: 1_050_000, maxTokens: 128_000 },
+  { id: "openai-codex/gpt-5.3-codex",       name: "GPT-5.3 Codex",        contextWindow: 400_000,   maxTokens: 128_000 },
+  { id: "openai-codex/gpt-5.3-codex-spark", name: "GPT-5.3 Codex Spark",  contextWindow: 400_000,   maxTokens: 64_000 },
+  { id: "openai-codex/gpt-5.2-codex",       name: "GPT-5.2 Codex",        contextWindow: 200_000,   maxTokens: 32_768 },
+  { id: "openai-codex/gpt-5.1-codex-mini",  name: "GPT-5.1 Codex Mini",   contextWindow: 128_000,   maxTokens: 16_384 },
   // Grok web-session models (requires /grok-login)
+  { id: "web-grok/grok-4",           name: "Grok 4 (web session)",           contextWindow: 131_072, maxTokens: 131_072 },
   { id: "web-grok/grok-3",           name: "Grok 3 (web session)",           contextWindow: 131_072, maxTokens: 131_072 },
   { id: "web-grok/grok-3-fast",      name: "Grok 3 Fast (web session)",      contextWindow: 131_072, maxTokens: 131_072 },
   { id: "web-grok/grok-3-mini",      name: "Grok 3 Mini (web session)",      contextWindow: 131_072, maxTokens: 131_072 },
   { id: "web-grok/grok-3-mini-fast", name: "Grok 3 Mini Fast (web session)", contextWindow: 131_072, maxTokens: 131_072 },
   // Gemini web-session models (requires /gemini-login)
-  { id: "web-gemini/gemini-2-5-pro",   name: "Gemini 2.5 Pro (web session)",   contextWindow: 1_000_000, maxTokens: 8192 },
-  { id: "web-gemini/gemini-2-5-flash", name: "Gemini 2.5 Flash (web session)", contextWindow: 1_000_000, maxTokens: 8192 },
-  { id: "web-gemini/gemini-3-pro",     name: "Gemini 3 Pro (web session)",     contextWindow: 1_000_000, maxTokens: 8192 },
-  { id: "web-gemini/gemini-3-flash",   name: "Gemini 3 Flash (web session)",   contextWindow: 1_000_000, maxTokens: 8192 },
+  { id: "web-gemini/gemini-2-5-pro",   name: "Gemini 2.5 Pro (web session)",   contextWindow: 1_048_576, maxTokens: 65_535 },
+  { id: "web-gemini/gemini-2-5-flash", name: "Gemini 2.5 Flash (web session)", contextWindow: 1_048_576, maxTokens: 65_535 },
+  { id: "web-gemini/gemini-3-pro",     name: "Gemini 3 Pro (web session)",     contextWindow: 1_048_576, maxTokens: 65_536 },
+  { id: "web-gemini/gemini-3-flash",   name: "Gemini 3 Flash (web session)",   contextWindow: 1_048_576, maxTokens: 65_536 },
   // Claude → use cli-claude/* instead (web-claude removed in v1.6.x)
   // ChatGPT → use openai-codex/* or copilot-proxy instead (web-chatgpt removed in v1.6.x)
+  // ── OpenCode CLI ──────────────────────────────────────────────────────────
+  { id: "opencode/default",             name: "OpenCode (CLI)",             contextWindow: 128_000,   maxTokens: 16_384 },
+  // ── Pi CLI ──────────────────────────────────────────────────────────────
+  { id: "pi/default",                   name: "Pi (CLI)",                   contextWindow: 128_000,   maxTokens: 16_384 },
   // ── Local BitNet inference ──────────────────────────────────────────────────
   { id: "local-bitnet/bitnet-2b",       name: "BitNet b1.58 2B (local CPU inference)", contextWindow: 4_096, maxTokens: 2_048 },
 ];
@@ -131,9 +138,10 @@ export function startProxyServer(opts: ProxyServerOptions): Promise<http.Server>
       });
     });
 
-    // Stop the token refresh interval when the server closes (timer-leak prevention)
+    // Stop the token refresh interval and session manager when the server closes (timer-leak prevention)
     server.on("close", () => {
       stopTokenRefresh();
+      sessionManager.stop();
     });
 
     server.on("error", (err) => reject(err));
@@ -236,7 +244,7 @@ async function handleRequest(
           owned_by: "openclaw-cli-bridge",
           // CLI-proxy models stream plain text — no tool/function call support
           capabilities: {
-            tools: !(m.id.startsWith("cli-gemini/") || m.id.startsWith("cli-claude/") || m.id.startsWith("local-bitnet/")),
+            tools: !(m.id.startsWith("cli-gemini/") || m.id.startsWith("cli-claude/") || m.id.startsWith("openai-codex/") || m.id.startsWith("opencode/") || m.id.startsWith("pi/") || m.id.startsWith("local-bitnet/")),
           },
         })),
       })
@@ -272,7 +280,8 @@ async function handleRequest(
       return;
     }
 
-    const { model, messages, stream = false } = parsed as { model: string; messages: ChatMessage[]; stream?: boolean; tools?: unknown };
+    const { model, messages, stream = false } = parsed as { model: string; messages: ChatMessage[]; stream?: boolean; tools?: unknown; workdir?: string };
+    const workdir = (parsed as { workdir?: string }).workdir;
     const hasTools = Array.isArray((parsed as { tools?: unknown }).tools) && (parsed as { tools?: unknown[] }).tools!.length > 0;
 
     if (!model || !messages?.length) {
@@ -284,7 +293,7 @@ async function handleRequest(
     // CLI-proxy models (cli-gemini/*, cli-claude/*) are plain text completions —
     // they cannot process tool/function call schemas. Return a clear 400 so
     // OpenClaw can surface a meaningful error instead of getting a garbled response.
-    const isCliModel = model.startsWith("cli-gemini/") || model.startsWith("cli-claude/"); // local-bitnet/* exempt: llama-server silently ignores tools
+    const isCliModel = model.startsWith("cli-gemini/") || model.startsWith("cli-claude/") || model.startsWith("openai-codex/") || model.startsWith("opencode/") || model.startsWith("pi/"); // local-bitnet/* exempt: llama-server silently ignores tools
     if (hasTools && isCliModel) {
       res.writeHead(400, { "Content-Type": "application/json" });
       res.end(JSON.stringify({
@@ -591,7 +600,7 @@ async function handleRequest(
     let content: string;
     let usedModel = model;
     try {
-      content = await routeToCliRunner(model, messages, opts.timeoutMs ?? 120_000);
+      content = await routeToCliRunner(model, messages, opts.timeoutMs ?? 120_000, { workdir });
     } catch (err) {
       const msg = (err as Error).message;
       // ── Model fallback: retry once with a lighter model if configured ────
@@ -599,7 +608,7 @@ async function handleRequest(
       if (fallbackModel) {
         opts.warn(`[cli-bridge] ${model} failed (${msg}), falling back to ${fallbackModel}`);
         try {
-          content = await routeToCliRunner(fallbackModel, messages, opts.timeoutMs ?? 120_000);
+          content = await routeToCliRunner(fallbackModel, messages, opts.timeoutMs ?? 120_000, { workdir });
           usedModel = fallbackModel;
           opts.log(`[cli-bridge] fallback to ${fallbackModel} succeeded`);
         } catch (fallbackErr) {
@@ -667,6 +676,116 @@ async function handleRequest(
     return;
   }
 
+  // ── Session Manager endpoints ──────────────────────────────────────────────
+
+  // POST /v1/sessions/spawn
+  if (url === "/v1/sessions/spawn" && req.method === "POST") {
+    const body = await readBody(req);
+    let parsed: { model: string; messages: ChatMessage[]; workdir?: string; timeout?: number };
+    try {
+      parsed = JSON.parse(body) as typeof parsed;
+    } catch {
+      res.writeHead(400, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify({ error: { message: "Invalid JSON body", type: "invalid_request_error" } }));
+      return;
+    }
+    if (!parsed.model || !parsed.messages?.length) {
+      res.writeHead(400, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify({ error: { message: "model and messages are required", type: "invalid_request_error" } }));
+      return;
+    }
+    const sessionId = sessionManager.spawn(parsed.model, parsed.messages, {
+      workdir: parsed.workdir,
+      timeout: parsed.timeout,
+    });
+    opts.log(`[cli-bridge] session spawned: ${sessionId} (${parsed.model})`);
+    res.writeHead(200, { "Content-Type": "application/json", ...corsHeaders() });
+    res.end(JSON.stringify({ sessionId }));
+    return;
+  }
+
+  // GET /v1/sessions — list all sessions
+  if (url === "/v1/sessions" && req.method === "GET") {
+    const sessions = sessionManager.list();
+    res.writeHead(200, { "Content-Type": "application/json", ...corsHeaders() });
+    res.end(JSON.stringify({ sessions }));
+    return;
+  }
+
+  // Session-specific endpoints: /v1/sessions/:id/*
+  const sessionMatch = url.match(/^\/v1\/sessions\/([a-f0-9]+)\/(poll|log|write|kill)$/);
+  if (sessionMatch) {
+    const sessionId = sessionMatch[1];
+    const action = sessionMatch[2];
+
+    if (action === "poll" && req.method === "GET") {
+      const result = sessionManager.poll(sessionId);
+      if (!result) {
+        res.writeHead(404, { "Content-Type": "application/json", ...corsHeaders() });
+        res.end(JSON.stringify({ error: { message: "Session not found", type: "not_found" } }));
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify(result));
+      return;
+    }
+
+    if (action === "log" && req.method === "GET") {
+      // Parse ?offset=N from URL
+      const urlObj = new URL(url, `http://127.0.0.1:${opts.port}`);
+      const offset = parseInt(urlObj.searchParams.get("offset") ?? "0", 10) || 0;
+      const result = sessionManager.log(sessionId, offset);
+      if (!result) {
+        res.writeHead(404, { "Content-Type": "application/json", ...corsHeaders() });
+        res.end(JSON.stringify({ error: { message: "Session not found", type: "not_found" } }));
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify(result));
+      return;
+    }
+
+    if (action === "write" && req.method === "POST") {
+      const body = await readBody(req);
+      let parsed: { data: string };
+      try {
+        parsed = JSON.parse(body) as typeof parsed;
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...corsHeaders() });
+        res.end(JSON.stringify({ error: { message: "Invalid JSON body", type: "invalid_request_error" } }));
+        return;
+      }
+      const ok = sessionManager.write(sessionId, parsed.data ?? "");
+      res.writeHead(ok ? 200 : 404, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify({ ok }));
+      return;
+    }
+
+    if (action === "kill" && req.method === "POST") {
+      const ok = sessionManager.kill(sessionId);
+      res.writeHead(ok ? 200 : 404, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify({ ok }));
+      return;
+    }
+  }
+
+  // Also handle /v1/sessions/:id/log with query params (URL match above doesn't capture query strings)
+  const logMatch = url.match(/^\/v1\/sessions\/([a-f0-9]+)\/log\?/);
+  if (logMatch && req.method === "GET") {
+    const sessionId = logMatch[1];
+    const urlObj = new URL(url, `http://127.0.0.1:${opts.port}`);
+    const offset = parseInt(urlObj.searchParams.get("offset") ?? "0", 10) || 0;
+    const result = sessionManager.log(sessionId, offset);
+    if (!result) {
+      res.writeHead(404, { "Content-Type": "application/json", ...corsHeaders() });
+      res.end(JSON.stringify({ error: { message: "Session not found", type: "not_found" } }));
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "application/json", ...corsHeaders() });
+    res.end(JSON.stringify(result));
+    return;
+  }
+
   // 404
   res.writeHead(404, { "Content-Type": "application/json" });
   res.end(JSON.stringify({ error: { message: `Not found: ${url}`, type: "not_found" } }));