@evident-ai/cli 0.1.6 → 0.2.1-dev.042a051

package/dist/index.js

@@ -12,41 +12,30 @@ import chalk2 from "chalk";
 import Conf from "conf";
 import { homedir } from "os";
 import { join } from "path";
-var environmentPresets = {
-  local: {
-    apiUrl: "http://localhost:3000/v1",
-    tunnelUrl: "ws://localhost:8787"
-  },
-  dev: {
-    apiUrl: "https://api.dev.evident.run/v1",
-    tunnelUrl: "wss://tunnel.dev.evident.run"
-  },
-  production: {
-    // Production URLs also have aliases: api.evident.run, tunnel.evident.run
-    apiUrl: "https://api.production.evident.run/v1",
-    tunnelUrl: "wss://tunnel.production.evident.run"
-  }
+var PRODUCTION_API_URL = "https://api.production.evident.run/v1";
+var PRODUCTION_TUNNEL_URL = "wss://tunnel.production.evident.run";
+var defaults = {
+  apiUrl: PRODUCTION_API_URL,
+  tunnelUrl: PRODUCTION_TUNNEL_URL
 };
-var defaults = environmentPresets.production;
-var currentEnvironment = "production";
-function setEnvironment(env) {
-  currentEnvironment = env;
-}
-function getEnvironment() {
-  const envVar = process.env.EVIDENT_ENV;
-  if (envVar && environmentPresets[envVar]) {
-    return envVar;
+var endpointOverride;
+var tunnelOverride;
+function setEndpoint(url) {
+  if (!url) {
+    endpointOverride = void 0;
+    return;
   }
-  return currentEnvironment;
+  const trimmed = url.replace(/\/+$/, "");
+  endpointOverride = /\/v1$/.test(trimmed) ? trimmed : `${trimmed}/v1`;
 }
-function getEnvConfig() {
-  return environmentPresets[getEnvironment()];
+function setTunnelUrl(url) {
+  tunnelOverride = url ? url.replace(/\/+$/, "") : void 0;
 }
 function getApiUrl() {
-  return process.env.EVIDENT_API_URL ?? getEnvConfig().apiUrl;
+  return endpointOverride ?? process.env.EVIDENT_API_URL ?? defaults.apiUrl;
 }
 function getTunnelUrl() {
-  return process.env.EVIDENT_TUNNEL_URL ?? getEnvConfig().tunnelUrl;
+  return tunnelOverride ?? process.env.EVIDENT_TUNNEL_URL ?? defaults.tunnelUrl;
 }
 var config = new Conf({
   projectName: "evident",
@@ -65,21 +54,41 @@ function getApiUrlConfig() {
 function getTunnelUrlConfig() {
   return getTunnelUrl();
 }
+function credentialsKey() {
+  return getApiUrl();
+}
 function getCredentials() {
-  return {
-    token: credentials.get("token"),
-    user: credentials.get("user"),
-    expiresAt: credentials.get("expiresAt")
-  };
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  return byEndpoint[credentialsKey()] ?? {};
 }
 function setCredentials(creds) {
-  if (creds.token) credentials.set("token", creds.token);
-  if (creds.user) credentials.set("user", creds.user);
-  if (creds.expiresAt) credentials.set("expiresAt", creds.expiresAt);
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  byEndpoint[credentialsKey()] = {
+    token: creds.token,
+    user: creds.user,
+    expiresAt: creds.expiresAt
+  };
+  credentials.set("byEndpoint", byEndpoint);
 }
 function clearCredentials() {
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  delete byEndpoint[credentialsKey()];
+  credentials.set("byEndpoint", byEndpoint);
+}
+function clearAllCredentials() {
   credentials.clear();
 }
+function getCliName() {
+  const argv1 = process.argv[1] || "";
+  const isNpx = process.env.npm_execpath?.includes("npx") || process.env.npm_command === "exec" || argv1.includes("_npx") || argv1.includes(".npm/_cacache");
+  if (isNpx) {
+    return "npx @evident-ai/cli@latest";
+  }
+  if (argv1.includes("tsx") || argv1.includes("ts-node")) {
+    return "pnpm --filter @evident-ai/cli dev:run";
+  }
+  return "evident";
+}
 
 // src/lib/api.ts
 var ApiClient = class {
@@ -176,7 +185,6 @@ var api = {
 
 // src/lib/keychain.ts
 var SERVICE_NAME = "evident-cli";
-var ACCOUNT_NAME = "default";
 async function getKeytar() {
   try {
     const keytar = await import("keytar");
@@ -188,10 +196,13 @@ async function getKeytar() {
     return null;
   }
 }
+function keychainAccount() {
+  return getApiUrlConfig();
+}
 async function storeToken(credentials2) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, JSON.stringify(credentials2));
+    await keytar.setPassword(SERVICE_NAME, keychainAccount(), JSON.stringify(credentials2));
   } else {
     setCredentials({
       token: credentials2.token,
@@ -203,12 +214,13 @@ async function storeToken(credentials2) {
 async function getToken() {
   const keytar = await getKeytar();
   if (keytar) {
-    const stored = await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+    const account = keychainAccount();
+    const stored = await keytar.getPassword(SERVICE_NAME, account);
     if (stored) {
       try {
         return JSON.parse(stored);
       } catch {
-        await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+        await keytar.deletePassword(SERVICE_NAME, account);
         return null;
       }
     }
@@ -223,12 +235,26 @@ async function getToken() {
   }
   return null;
 }
-async function deleteToken() {
+async function deleteToken(options = {}) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+    if (options.all) {
+      const all = await keytar.findCredentials(SERVICE_NAME).catch(() => []);
+      await Promise.all(
+        all.map(
+          (entry) => keytar.deletePassword(SERVICE_NAME, entry.account).catch(() => {
+          })
+        )
+      );
+    } else {
+      await keytar.deletePassword(SERVICE_NAME, keychainAccount());
+    }
+  }
+  if (options.all) {
+    clearAllCredentials();
+  } else {
+    clearCredentials();
   }
-  clearCredentials();
 }
 
 // src/utils/ui.ts
@@ -396,25 +422,32 @@ async function login(options) {
 }
 
 // src/commands/logout.ts
-async function logout() {
+async function logout(options = {}) {
+  if (options.all) {
+    await deleteToken({ all: true });
+    printSuccess("Logged out of all endpoints.");
+    return;
+  }
   const credentials2 = await getToken();
   if (!credentials2) {
-    printWarning("You are not logged in.");
+    printWarning(`You are not logged in to ${getApiUrlConfig()}.`);
     return;
   }
   await deleteToken();
-  printSuccess("Logged out successfully.");
+  printSuccess(`Logged out of ${getApiUrlConfig()}.`);
 }
 
 // src/commands/whoami.ts
 import chalk3 from "chalk";
 async function whoami() {
+  const apiUrl = getApiUrlConfig();
   const credentials2 = await getToken();
   if (!credentials2) {
-    printError("Not logged in. Run the `login` command to authenticate.");
+    printError(`Not logged in to ${apiUrl}. Run the \`login\` command to authenticate.`);
     process.exit(1);
   }
   blank();
+  console.log(keyValue("Endpoint", apiUrl));
   console.log(keyValue("User", chalk3.bold(credentials2.user.email)));
   console.log(keyValue("User ID", credentials2.user.id));
   if (credentials2.expiresAt) {
@@ -432,10 +465,24 @@ async function whoami() {
   blank();
 }
 
-// src/commands/tunnel.ts
-import WebSocket from "ws";
-import chalk4 from "chalk";
-import ora2 from "ora";
+// src/commands/run.ts
+import chalk6 from "chalk";
+import ora3 from "ora";
+import { select as select3 } from "@inquirer/prompts";
+
+// ../../packages/types/src/telemetry/index.ts
+var TelemetryEventTypes = {
+  // Agent activity events (shown in web UI activity log)
+  AGENT_CONNECTED: "agent.connected",
+  AGENT_DISCONNECTED: "agent.disconnected",
+  AGENT_MESSAGE_PROCESSING: "agent.message_processing",
+  AGENT_MESSAGE_DONE: "agent.message_done",
+  AGENT_MESSAGE_FAILED: "agent.message_failed"
+};
+
+// ../../packages/types/src/tunnel/index.ts
+var MAX_FRAME_BYTES = 256 * 1024;
+var TUNNEL_DRAIN_PING_PATH = "/__evident/drain";
 
 // src/lib/telemetry.ts
 var CLI_VERSION = process.env.npm_package_version || "unknown";
@@ -451,7 +498,7 @@ function logEvent(eventType, options = {}) {
     severity: options.severity || "info",
     message: options.message,
     metadata: options.metadata,
-    sandbox_id: options.sandboxId,
+    agent_id: options.agentId,
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
   eventBuffer.push(event);
@@ -465,10 +512,10 @@ function logEvent(eventType, options = {}) {
   }
 }
 var telemetry = {
-  debug: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "debug", message, metadata, sandboxId }),
-  info: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "info", message, metadata, sandboxId }),
-  warn: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "warning", message, metadata, sandboxId }),
-  error: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "error", message, metadata, sandboxId })
+  debug: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "debug", message, metadata, agentId }),
+  info: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "info", message, metadata, agentId }),
+  warn: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "warning", message, metadata, agentId }),
+  error: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "error", message, metadata, agentId })
 };
 async function flushEvents() {
   if (eventBuffer.length === 0) return;
@@ -487,17 +534,18 @@ async function flushEvents() {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), FLUSH_TIMEOUT_MS);
     try {
+      const request = {
+        events,
+        client_type: "cli",
+        client_version: CLI_VERSION
+      };
       const response = await fetch(`${apiUrl}/telemetry/events`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: `Bearer ${credentials2.token}`
         },
-        body: JSON.stringify({
-          events,
-          client_type: "cli",
-          client_version: CLI_VERSION
-        }),
+        body: JSON.stringify(request),
         signal: controller.signal
       });
       if (!response.ok) {
@@ -520,6 +568,32 @@ async function shutdownTelemetry() {
   }
   await flushEvents();
 }
+function emitEvent(event) {
+  logEvent(event.event_type, {
+    severity: event.severity,
+    message: event.message,
+    metadata: event.metadata,
+    agentId: event.agent_id
+  });
+}
+function emitAgentConnected(agentId, metadata) {
+  emitEvent({
+    event_type: TelemetryEventTypes.AGENT_CONNECTED,
+    severity: "info",
+    message: "Agent CLI connected",
+    metadata,
+    agent_id: agentId
+  });
+}
+function emitAgentDisconnected(agentId, metadata) {
+  emitEvent({
+    event_type: TelemetryEventTypes.AGENT_DISCONNECTED,
+    severity: "info",
+    message: `Agent CLI disconnected (code: ${metadata.code})`,
+    metadata,
+    agent_id: agentId
+  });
+}
 var EventTypes = {
   // Tunnel lifecycle
   TUNNEL_STARTING: "tunnel.starting",
@@ -547,631 +621,2062 @@ var EventTypes = {
   CLI_ERROR: "cli.error"
 };
 
-// src/commands/tunnel.ts
-var MAX_RECONNECT_DELAY = 3e4;
-var BASE_RECONNECT_DELAY = 500;
-var MAX_ACTIVITY_LOG_ENTRIES = 10;
-function logActivity(state, entry) {
-  const fullEntry = {
-    ...entry,
-    timestamp: /* @__PURE__ */ new Date()
-  };
-  state.activityLog.push(fullEntry);
-  if (state.activityLog.length > MAX_ACTIVITY_LOG_ENTRIES) {
-    state.activityLog.shift();
+// src/lib/auth.ts
+async function getAuthCredentials() {
+  const agentKey = process.env.EVIDENT_AGENT_KEY;
+  if (agentKey) {
+    return { token: agentKey, authType: "agent_key" };
   }
-  state.lastActivity = fullEntry.timestamp;
-}
-function formatActivityEntry(entry, _verbose) {
-  const time = entry.timestamp.toLocaleTimeString("en-US", {
-    hour12: false,
-    hour: "2-digit",
-    minute: "2-digit",
-    second: "2-digit"
-  });
-  switch (entry.type) {
-    case "request": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      const status = entry.status ? ` \u2192 ${colorizeStatus(entry.status)}` : " ...";
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.cyan("\u2190")} ${entry.method} ${entry.path}${status}${duration}`;
-    }
-    case "response": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.green("\u2192")} ${entry.method} ${entry.path} ${colorizeStatus(entry.status)}${duration}`;
-    }
-    case "error": {
-      const errorMsg = entry.error || "Unknown error";
-      const path = entry.path ? ` ${entry.method} ${entry.path}` : "";
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.red("\u2717")}${path} - ${chalk4.red(errorMsg)}`;
-    }
-    case "info": {
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.blue("\u25CF")} ${entry.message}`;
-    }
-    default:
-      return `  ${chalk4.dim(`[${time}]`)} ${entry.message || "Unknown"}`;
+  const userToken = process.env.EVIDENT_TOKEN;
+  if (userToken) {
+    return { token: userToken, authType: "bearer" };
   }
-}
-function colorizeStatus(status) {
-  if (status >= 200 && status < 300) {
-    return chalk4.green(status.toString());
-  } else if (status >= 300 && status < 400) {
-    return chalk4.yellow(status.toString());
-  } else if (status >= 400 && status < 500) {
-    return chalk4.red(status.toString());
-  } else if (status >= 500) {
-    return chalk4.bgRed.white(` ${status} `);
+  const keychainCreds = await getToken();
+  if (keychainCreds) {
+    return {
+      token: keychainCreds.token,
+      authType: "bearer",
+      user: keychainCreds.user
+    };
   }
-  return status.toString();
+  return null;
 }
-function displayStatus(state) {
-  console.clear();
-  console.log(chalk4.bold("Evident Tunnel"));
-  console.log(chalk4.dim("\u2500".repeat(60)));
-  blank();
-  if (state.connected) {
-    console.log(`  ${chalk4.green("\u25CF")} Status:    ${chalk4.green("Connected")}`);
-    console.log(`  Sandbox:    ${state.sandboxId ?? "Unknown"}`);
-    if (state.sandboxName) {
-      console.log(`  Name:       ${state.sandboxName}`);
-    }
-  } else {
-    console.log(`  ${chalk4.yellow("\u25CB")} Status:    ${chalk4.yellow("Reconnecting...")}`);
-    if (state.reconnectAttempt > 0) {
-      console.log(`  Attempt:    ${state.reconnectAttempt}`);
-    }
-  }
-  blank();
-  if (state.activityLog.length > 0) {
-    console.log(chalk4.bold("  Activity:"));
-    for (const entry of state.activityLog) {
-      console.log(formatActivityEntry(entry, state.verbose));
-    }
-  } else {
-    console.log(chalk4.dim("  No activity yet. Waiting for requests..."));
-  }
-  blank();
-  console.log(chalk4.dim("\u2500".repeat(60)));
-  if (state.verbose) {
-    console.log(chalk4.dim("  Verbose mode: ON (request/response bodies will be logged)"));
+function getAuthHeader(credentials2) {
+  if (credentials2.authType === "agent_key") {
+    return `SandboxKey ${credentials2.token}`;
   }
-  console.log(chalk4.dim("  Press Ctrl+C to disconnect"));
+  return `Bearer ${credentials2.token}`;
 }
-function displayError(_state, error2, details) {
-  blank();
-  console.log(chalk4.bgRed.white.bold(" ERROR "));
-  console.log(chalk4.red(`  ${error2}`));
-  if (details) {
-    console.log(chalk4.dim(`  ${details}`));
-  }
-  blank();
+function isInteractive(jsonOutput) {
+  if (jsonOutput) return false;
+  if (process.env.CI) return false;
+  if (process.env.GITHUB_ACTIONS) return false;
+  if (!process.stdin.isTTY) return false;
+  return true;
 }
-async function validateSandbox(token, sandboxId) {
-  const apiUrl = getApiUrlConfig();
+
+// src/lib/opencode/health.ts
+async function checkOpenCodeHealth(port) {
   try {
-    const response = await fetch(`${apiUrl}/sandboxes/${sandboxId}`, {
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
+    const response = await fetch(`http://127.0.0.1:${port}/global/health`, {
+      signal: AbortSignal.timeout(2e3)
+      // 2 second timeout
     });
-    if (response.status === 404) {
-      return { valid: false, error: "Sandbox not found" };
-    }
-    if (response.status === 401) {
-      return { valid: false, error: "Authentication failed. Please run `evident login` again." };
-    }
     if (!response.ok) {
-      return { valid: false, error: `API error: ${response.status}` };
-    }
-    const sandbox = await response.json();
-    if (sandbox.sandbox_type !== "remote") {
-      return {
-        valid: false,
-        error: `Sandbox is type '${sandbox.sandbox_type}', must be 'remote' for tunnel connection`
-      };
+      return { healthy: false, error: `HTTP ${response.status}` };
     }
-    return { valid: true, name: sandbox.name };
+    const data = await response.json().catch(() => ({}));
+    return { healthy: true, version: data.version };
   } catch (error2) {
     const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { valid: false, error: `Failed to validate sandbox: ${message}` };
+    return { healthy: false, error: message };
   }
 }
-async function forwardToOpenCode(port, request, requestId, state) {
-  const url = `http://localhost:${port}${request.path}`;
+async function waitForOpenCodeHealth(port, timeoutMs = 3e4) {
   const startTime = Date.now();
-  state.pendingRequests.set(requestId, {
-    startTime,
-    method: request.method,
-    path: request.path
-  });
-  logActivity(state, {
-    type: "request",
-    method: request.method,
-    path: request.path,
-    requestId
-  });
-  displayStatus(state);
-  if (state.verbose && request.body) {
-    console.log(chalk4.dim(`  Request body: ${JSON.stringify(request.body, null, 2)}`));
-  }
-  telemetry.debug(
-    EventTypes.OPENCODE_REQUEST_FORWARDED,
-    `Forwarding ${request.method} ${request.path}`,
-    {
-      method: request.method,
-      path: request.path,
-      port,
-      requestId
-    },
-    state.sandboxId ?? void 0
-  );
+  while (Date.now() - startTime < timeoutMs) {
+    const health = await checkOpenCodeHealth(port);
+    if (health.healthy) {
+      return health;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 1e3));
+  }
+  return { healthy: false, error: "Timeout waiting for OpenCode to be healthy" };
+}
+
+// src/lib/opencode/process.ts
+import { execSync, spawn } from "child_process";
+var OPENCODE_PORT_RANGE = [4096, 4097, 4098, 4099, 4100];
+function getProcessCwd(pid) {
+  const platform = process.platform;
   try {
-    const response = await fetch(url, {
-      method: request.method,
-      headers: {
-        "Content-Type": "application/json",
-        ...request.headers
-      },
-      body: request.body ? JSON.stringify(request.body) : void 0
-    });
-    let body;
-    const contentType = response.headers.get("Content-Type");
-    if (contentType?.includes("application/json")) {
-      body = await response.json();
-    } else {
-      body = await response.text();
-    }
-    const durationMs = Date.now() - startTime;
-    state.pendingRequests.delete(requestId);
-    const lastEntry = state.activityLog[state.activityLog.length - 1];
-    if (lastEntry && lastEntry.requestId === requestId) {
-      lastEntry.type = "response";
-      lastEntry.status = response.status;
-      lastEntry.durationMs = durationMs;
-    } else {
-      logActivity(state, {
-        type: "response",
-        method: request.method,
-        path: request.path,
-        status: response.status,
-        durationMs,
-        requestId
-      });
+    if (platform === "darwin") {
+      const output = execSync(`lsof -a -p ${pid} -d cwd -Fn 2>/dev/null`, {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"]
+      }).trim();
+      const lines = output.split("\n");
+      for (const line of lines) {
+        if (line.startsWith("n") && !line.startsWith("n ")) {
+          return line.slice(1);
+        }
+      }
+    } else if (platform === "linux") {
+      const output = execSync(`readlink /proc/${pid}/cwd 2>/dev/null`, {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"]
+      }).trim();
+      if (output) return output;
     }
-    displayStatus(state);
-    if (state.verbose && body) {
-      const bodyStr = typeof body === "string" ? body : JSON.stringify(body, null, 2);
-      const truncated = bodyStr.length > 500 ? bodyStr.substring(0, 500) + "..." : bodyStr;
-      console.log(chalk4.dim(`  Response body: ${truncated}`));
+  } catch {
+  }
+  return void 0;
+}
+function isPortInUse(port) {
+  const platform = process.platform;
+  try {
+    if (platform === "darwin" || platform === "linux") {
+      execSync(`lsof -i :${port} -sTCP:LISTEN 2>/dev/null`, {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      return true;
     }
-    telemetry.debug(
-      EventTypes.OPENCODE_RESPONSE_SENT,
-      `Response ${response.status}`,
-      {
-        status: response.status,
-        path: request.path,
-        durationMs,
-        requestId
-      },
-      state.sandboxId ?? void 0
-    );
-    return {
-      status: response.status,
-      body
-    };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    const durationMs = Date.now() - startTime;
-    state.pendingRequests.delete(requestId);
-    logActivity(state, {
-      type: "error",
-      method: request.method,
-      path: request.path,
-      error: `OpenCode unreachable: ${message}`,
-      durationMs,
-      requestId
-    });
-    displayStatus(state);
-    telemetry.error(
-      EventTypes.OPENCODE_UNREACHABLE,
-      `Failed to connect to OpenCode: ${message}`,
-      {
-        port,
-        path: request.path,
-        error: message,
-        requestId
-      },
-      state.sandboxId ?? void 0
-    );
-    return {
-      status: 502,
-      body: { error: "Failed to connect to OpenCode", message }
-    };
+  } catch {
   }
+  return false;
 }
-function getReconnectDelay(attempt) {
-  const exponentialDelay = BASE_RECONNECT_DELAY * Math.pow(2, attempt);
-  const jitter = Math.random() * 1e3;
-  return Math.min(exponentialDelay + jitter, MAX_RECONNECT_DELAY);
+function findAvailablePort(startPort, maxAttempts = 10) {
+  for (let i = 0; i < maxAttempts; i++) {
+    const port = startPort + i;
+    if (!isPortInUse(port)) {
+      return port;
+    }
+  }
+  return null;
 }
-async function connect(token, sandboxId, port, state) {
-  const tunnelUrl = getTunnelUrlConfig();
-  const url = `${tunnelUrl}/tunnel/${sandboxId}/connect`;
-  logActivity(state, {
-    type: "info",
-    message: "Connecting to tunnel relay..."
-  });
-  displayStatus(state);
-  telemetry.info(
-    EventTypes.TUNNEL_STARTING,
-    `Connecting to ${url}`,
-    {
-      sandboxId,
-      port,
-      tunnelUrl
-    },
-    sandboxId
-  );
-  return new Promise((resolve, reject) => {
-    const ws = new WebSocket(url, {
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
-    });
-    ws.on("open", () => {
-      state.connected = true;
-      state.reconnectAttempt = 0;
-      logActivity(state, {
-        type: "info",
-        message: "WebSocket connection established"
-      });
-      displayStatus(state);
-    });
-    ws.on("message", async (data) => {
+function findOpenCodeProcesses() {
+  const instances = [];
+  try {
+    const platform = process.platform;
+    if (platform === "darwin" || platform === "linux") {
+      let pids = [];
       try {
-        const message = JSON.parse(data.toString());
-        switch (message.type) {
-          case "connected":
-            state.sandboxId = message.sandbox_id ?? sandboxId;
-            logActivity(state, {
-              type: "info",
-              message: `Tunnel connected (sandbox: ${state.sandboxId})`
-            });
-            telemetry.info(
-              EventTypes.TUNNEL_CONNECTED,
-              `Tunnel connected`,
-              {
-                sandboxId: message.sandbox_id
-              },
-              message.sandbox_id
-            );
-            displayStatus(state);
-            break;
-          case "error":
-            logActivity(state, {
-              type: "error",
-              error: message.message || "Unknown tunnel error"
-            });
-            telemetry.error(
-              EventTypes.TUNNEL_ERROR,
-              `Tunnel error: ${message.message}`,
-              {
-                code: message.code,
-                message: message.message
-              },
-              state.sandboxId ?? void 0
-            );
-            displayStatus(state);
-            if (message.code === "unauthorized") {
-              ws.close();
-              reject(new Error("Unauthorized"));
+        const pgrepOutput = execSync('pgrep -f "opencode serve|opencode-serve"', {
+          encoding: "utf-8",
+          stdio: ["pipe", "pipe", "pipe"]
+        }).trim();
+        if (pgrepOutput) {
+          pids = pgrepOutput.split("\n").map((p) => parseInt(p.trim(), 10)).filter((p) => !isNaN(p));
+        }
+      } catch {
+        try {
+          const psOutput = execSync('ps aux | grep -E "opencode (serve|--port)" | grep -v grep', {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"]
+          }).trim();
+          if (psOutput) {
+            for (const line of psOutput.split("\n")) {
+              const parts = line.trim().split(/\s+/);
+              if (parts.length >= 2) {
+                const pid = parseInt(parts[1], 10);
+                if (!isNaN(pid)) pids.push(pid);
+              }
             }
-            break;
-          case "ping":
-            ws.send(JSON.stringify({ type: "pong" }));
-            break;
-          case "request":
-            if (message.id && message.payload) {
-              telemetry.debug(
-                EventTypes.OPENCODE_REQUEST_RECEIVED,
-                `Request: ${message.payload.method} ${message.payload.path}`,
-                {
-                  requestId: message.id,
-                  method: message.payload.method,
-                  path: message.payload.path
-                },
-                state.sandboxId ?? void 0
-              );
-              const response = await forwardToOpenCode(port, message.payload, message.id, state);
-              ws.send(
-                JSON.stringify({
-                  type: "response",
-                  id: message.id,
-                  payload: response
-                })
-              );
+          }
+        } catch {
+        }
+      }
+      for (const pid of pids) {
+        try {
+          const lsofOutput = execSync(`lsof -Pan -p ${pid} -i TCP -sTCP:LISTEN 2>/dev/null`, {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"]
+          }).trim();
+          for (const line of lsofOutput.split("\n")) {
+            const portMatch = line.match(/:(\d+)\s+\(LISTEN\)/);
+            if (portMatch) {
+              const port = parseInt(portMatch[1], 10);
+              if (!isNaN(port) && !instances.some((i) => i.port === port)) {
+                const cwd = getProcessCwd(pid);
+                instances.push({ pid, port, cwd });
+              }
             }
-            break;
+          }
+        } catch {
         }
-      } catch (error2) {
-        const errorMessage = error2 instanceof Error ? error2.message : "Unknown error";
-        logActivity(state, {
-          type: "error",
-          error: `Failed to handle message: ${errorMessage}`
-        });
-        telemetry.error(
-          EventTypes.TUNNEL_ERROR,
-          `Failed to handle message: ${errorMessage}`,
-          {
-            error: errorMessage
-          },
-          state.sandboxId ?? void 0
-        );
-        displayStatus(state);
       }
-    });
-    ws.on("close", (code, reason) => {
-      state.connected = false;
-      const reasonStr = reason.toString() || "No reason provided";
-      logActivity(state, {
-        type: "info",
-        message: `Disconnected (code: ${code}, reason: ${reasonStr})`
-      });
-      telemetry.info(
-        EventTypes.TUNNEL_DISCONNECTED,
-        "Tunnel disconnected",
-        {
-          sandboxId: state.sandboxId,
-          code,
-          reason: reasonStr
-        },
-        state.sandboxId ?? void 0
-      );
-      displayStatus(state);
-      resolve();
-    });
-    ws.on("error", (error2) => {
-      state.connected = false;
-      logActivity(state, {
-        type: "error",
-        error: `Connection error: ${error2.message}`
-      });
-      telemetry.error(
-        EventTypes.TUNNEL_ERROR,
-        `Connection error: ${error2.message}`,
-        {
-          error: error2.message
-        },
-        state.sandboxId ?? void 0
-      );
-      displayStatus(state);
-    });
-    const cleanup = async () => {
-      process.removeAllListeners("SIGINT");
-      process.removeAllListeners("SIGTERM");
-      logActivity(state, {
-        type: "info",
-        message: "Shutting down..."
-      });
-      displayStatus(state);
-      telemetry.info(
-        EventTypes.TUNNEL_DISCONNECTED,
-        "Tunnel stopped by user",
-        {
-          sandboxId: state.sandboxId
-        },
-        state.sandboxId ?? void 0
-      );
-      await shutdownTelemetry();
-      ws.close();
-      process.exit(0);
-    };
-    process.removeAllListeners("SIGINT");
-    process.removeAllListeners("SIGTERM");
-    process.once("SIGINT", () => void cleanup());
-    process.once("SIGTERM", () => void cleanup());
+    }
+  } catch {
+  }
+  return instances;
+}
+async function scanPortsForOpenCode() {
+  const instances = [];
+  const checks = OPENCODE_PORT_RANGE.map(async (port) => {
+    const health = await checkOpenCodeHealth(port);
+    if (health.healthy) {
+      let pid = 0;
+      try {
+        const lsofOutput = execSync(`lsof -ti :${port} -sTCP:LISTEN 2>/dev/null`, {
+          encoding: "utf-8",
+          stdio: ["pipe", "pipe", "pipe"]
+        }).trim();
+        if (lsofOutput) {
+          pid = parseInt(lsofOutput.split("\n")[0], 10) || 0;
+        }
+      } catch {
+      }
+      const cwd = pid ? getProcessCwd(pid) : void 0;
+      return { pid, port, cwd, version: health.version };
+    }
+    return null;
   });
+  const results = await Promise.all(checks);
+  for (const result of results) {
+    if (result) {
+      instances.push(result);
+    }
+  }
+  return instances;
 }
-async function tunnel(options) {
-  const verbose = options.verbose ?? false;
-  const credentials2 = await getToken();
-  if (!credentials2) {
-    telemetry.error(EventTypes.CLI_ERROR, "Not logged in", { command: "tunnel" });
-    printError("Not logged in. Run `evident login` first.");
-    process.exit(1);
+async function findHealthyOpenCodeInstances() {
+  const processes = findOpenCodeProcesses();
+  const healthy = [];
+  for (const proc of processes) {
+    const health = await checkOpenCodeHealth(proc.port);
+    if (health.healthy) {
+      healthy.push({ ...proc, version: health.version });
+    }
   }
-  const port = options.port ?? 4096;
-  const sandboxId = options.sandbox;
-  if (!sandboxId) {
-    printError("--sandbox <id> is required");
-    blank();
-    console.log(chalk4.dim("To find your sandbox ID:"));
-    console.log(chalk4.dim("  1. Create a remote sandbox in the Evident web UI"));
-    console.log(chalk4.dim("  2. Copy the sandbox ID from the URL or settings"));
-    console.log(chalk4.dim("  3. Run: evident tunnel --sandbox <id>"));
-    blank();
-    telemetry.error(EventTypes.CLI_ERROR, "Missing sandbox ID", { command: "tunnel" });
-    process.exit(1);
+  if (healthy.length === 0) {
+    const scanned = await scanPortsForOpenCode();
+    return scanned;
   }
-  const state = {
-    connected: false,
-    sandboxId,
-    sandboxName: null,
-    reconnectAttempt: 0,
-    lastActivity: /* @__PURE__ */ new Date(),
-    activityLog: [],
-    pendingRequests: /* @__PURE__ */ new Map(),
-    verbose
-  };
-  telemetry.info(
-    EventTypes.CLI_COMMAND,
-    "Starting tunnel command",
-    {
-      command: "tunnel",
-      port,
-      sandboxId,
-      verbose
-    },
-    sandboxId
-  );
-  logActivity(state, {
-    type: "info",
-    message: `Starting tunnel (port: ${port}, verbose: ${verbose})`
-  });
-  logActivity(state, {
-    type: "info",
-    message: "Validating sandbox..."
-  });
-  const validateSpinner = ora2("Validating sandbox...").start();
-  const validation = await validateSandbox(credentials2.token, sandboxId);
-  if (!validation.valid) {
-    validateSpinner.fail(`Sandbox validation failed: ${validation.error}`);
-    logActivity(state, {
-      type: "error",
-      error: `Sandbox validation failed: ${validation.error}`
-    });
-    telemetry.error(EventTypes.CLI_ERROR, `Sandbox validation failed: ${validation.error}`, {
-      command: "tunnel",
-      sandboxId
-    });
-    displayStatus(state);
-    process.exit(1);
+  return healthy;
+}
+async function startOpenCode(port) {
+  let command = "opencode";
+  let args = ["serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
+  try {
+    execSync("which opencode", { stdio: "ignore" });
+  } catch {
+    command = "npx";
+    args = ["opencode", "serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
   }
-  state.sandboxName = validation.name ?? null;
-  validateSpinner.succeed(`Sandbox: ${validation.name || sandboxId}`);
-  logActivity(state, {
-    type: "info",
-    message: `Sandbox validated: ${validation.name || sandboxId}`
-  });
-  logActivity(state, {
-    type: "info",
-    message: `Checking OpenCode on port ${port}...`
+  const child = spawn(command, args, {
+    detached: true,
+    stdio: "ignore",
+    cwd: process.cwd()
   });
-  const opencodeSpinner = ora2("Checking OpenCode connection...").start();
+  return child;
+}
+function stopOpenCode(opencodeProcess) {
+  if (!opencodeProcess || !opencodeProcess.pid) {
+    return;
+  }
   try {
-    telemetry.debug(
-      EventTypes.OPENCODE_HEALTH_CHECK,
-      `Checking OpenCode on port ${port}`,
-      { port },
-      sandboxId
-    );
-    const response = await fetch(`http://localhost:${port}/health`);
-    if (!response.ok) {
-      throw new Error(`Health check returned ${response.status}`);
+    if (process.platform === "win32") {
+      opencodeProcess.kill("SIGTERM");
+    } else {
+      process.kill(-opencodeProcess.pid, "SIGTERM");
     }
-    const healthData = await response.json().catch(() => ({}));
-    const version = healthData.version ? ` (v${healthData.version})` : "";
-    telemetry.info(
-      EventTypes.OPENCODE_HEALTH_OK,
-      `OpenCode healthy on port ${port}`,
+  } catch {
+  }
+}
+
+// src/lib/opencode/install.ts
+import { execSync as execSync2 } from "child_process";
+import chalk4 from "chalk";
+import { select } from "@inquirer/prompts";
+var OPENCODE_INSTALL_URL = "https://opencode.ai";
+function isOpenCodeInstalled() {
+  try {
+    const platform = process.platform;
+    if (platform === "win32") {
+      execSync2("where opencode", { stdio: "ignore" });
+    } else {
+      execSync2("which opencode", { stdio: "ignore" });
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function promptOpenCodeInstall(interactive) {
+  if (!interactive) {
+    console.log(
+      JSON.stringify({
+        status: "error",
+        error: "OpenCode is not installed",
+        install_url: OPENCODE_INSTALL_URL,
+        install_commands: {
+          npm: "npm install -g opencode-ai",
+          curl: "curl -fsSL https://opencode.ai/install.sh | sh"
+        }
+      })
+    );
+    return "exit";
+  }
+  blank();
+  console.log(chalk4.yellow("OpenCode is not installed on your system."));
+  blank();
+  console.log(chalk4.dim("OpenCode is an AI coding agent that runs locally on your machine."));
+  console.log(chalk4.dim(`Learn more at: ${chalk4.cyan(OPENCODE_INSTALL_URL)}`));
+  blank();
+  const action = await select({
+    message: "How would you like to proceed?",
+    choices: [
       {
-        port,
-        healthData
+        name: "Show installation instructions",
+        value: "instructions",
+        description: "Display commands to install OpenCode"
       },
-      sandboxId
-    );
-    opencodeSpinner.succeed(`OpenCode running on port ${port}${version}`);
-    logActivity(state, {
-      type: "info",
-      message: `OpenCode running on port ${port}${version}`
-    });
-  } catch (error2) {
-    const errorMessage = error2 instanceof Error ? error2.message : "Unknown error";
-    telemetry.warn(
-      EventTypes.OPENCODE_HEALTH_FAILED,
-      `Could not connect to OpenCode: ${errorMessage}`,
       {
-        port,
-        error: errorMessage
+        name: "Continue without OpenCode",
+        value: "continue",
+        description: "Connect anyway (requests will fail until OpenCode is installed)"
       },
-      sandboxId
-    );
-    opencodeSpinner.warn(`Could not connect to OpenCode on port ${port}`);
-    logActivity(state, {
-      type: "error",
-      error: `OpenCode not reachable on port ${port}: ${errorMessage}`
-    });
-    printWarning("Make sure OpenCode is running before starting the tunnel:");
-    console.log(chalk4.dim(`  opencode serve --port ${port}`));
+      {
+        name: "Exit",
+        value: "exit",
+        description: "Exit and install OpenCode manually"
+      }
+    ]
+  });
+  if (action === "instructions") {
     blank();
-  }
-  while (true) {
-    try {
-      await connect(credentials2.token, sandboxId, port, state);
-      state.reconnectAttempt++;
-      const delay = getReconnectDelay(state.reconnectAttempt);
-      logActivity(state, {
-        type: "info",
-        message: `Reconnecting in ${Math.round(delay / 1e3)}s (attempt ${state.reconnectAttempt})...`
-      });
-      telemetry.info(
-        EventTypes.TUNNEL_RECONNECTING,
-        `Reconnecting (attempt ${state.reconnectAttempt})`,
+    console.log(chalk4.bold("Install OpenCode using one of these methods:"));
+    blank();
+    console.log(chalk4.dim("  # Option 1: Install via npm (recommended)"));
+    console.log(`  ${chalk4.cyan("npm install -g opencode-ai")}`);
+    blank();
+    console.log(chalk4.dim("  # Option 2: Install via curl"));
+    console.log(`  ${chalk4.cyan("curl -fsSL https://opencode.ai/install.sh | sh")}`);
+    blank();
+    console.log(chalk4.dim(`For more options, visit: ${chalk4.cyan(OPENCODE_INSTALL_URL)}`));
+    blank();
+    const afterInstall = await select({
+      message: "After installing, what would you like to do?",
+      choices: [
         {
-          attempt: state.reconnectAttempt,
-          delayMs: delay
+          name: "I installed it - continue",
+          value: "continue",
+          description: "Proceed with the run command"
         },
-        state.sandboxId ?? void 0
-      );
-      displayStatus(state);
-      await sleep(delay);
-    } catch (error2) {
-      const message = error2 instanceof Error ? error2.message : "Unknown error";
-      if (message === "Unauthorized") {
-        telemetry.error(
-          EventTypes.CLI_ERROR,
-          "Authentication failed",
+        {
+          name: "Exit",
+          value: "exit",
+          description: "Exit now and run the command again later"
+        }
+      ]
+    });
+    if (afterInstall === "continue") {
+      if (isOpenCodeInstalled()) {
+        console.log(chalk4.green("\n\u2713 OpenCode detected!"));
+        return "installed";
+      } else {
+        console.log(chalk4.yellow("\nOpenCode still not detected in PATH."));
+        console.log(chalk4.dim("You may need to restart your terminal or add it to your PATH."));
+        const proceed = await select({
+          message: "Continue anyway?",
+          choices: [
+            { name: "Yes, continue", value: "continue" },
+            { name: "No, exit", value: "exit" }
+          ]
+        });
+        return proceed === "continue" ? "continue" : "exit";
+      }
+    }
+    return "exit";
+  }
+  return action;
+}
+
+// src/lib/opencode/session.ts
+function opencodeBase(port) {
+  return `http://127.0.0.1:${port}`;
+}
+async function getOpenCodeDirectory(port) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/path`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    const dir = typeof body.directory === "string" && body.directory || typeof body.worktree === "string" && body.worktree || typeof body.path?.cwd === "string" && body.path.cwd || typeof body.path?.directory === "string" && body.path.directory || null;
+    return dir && dir.trim() ? dir.trim() : null;
+  } catch {
+    return null;
+  }
+}
+function roleOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  if (typeof m.role === "string") return m.role;
+  const infoRole = m.info?.role;
+  return typeof infoRole === "string" ? infoRole : void 0;
+}
+function completedOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  return m.info?.time?.completed;
+}
+async function getSessionMessages(port, sessionId) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    return Array.isArray(body) ? body : null;
+  } catch {
+    return null;
+  }
+}
+function isTurnComplete(messages) {
+  if (!messages || messages.length === 0) return false;
+  const last = messages[messages.length - 1];
+  if (roleOf(last) !== "assistant") return false;
+  return completedOf(last) != null;
+}
+async function createOpenCodeSession(port, directory) {
+  const url = new URL(`${opencodeBase(port)}/session`);
+  if (directory && directory.trim()) {
+    url.searchParams.set("directory", directory.trim());
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({})
+  });
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new Error(`Failed to create session: HTTP ${response.status}${text ? `: ${text}` : ""}`);
+  }
+  const data = await response.json();
+  return data.id;
+}
+async function sendMessageToOpenCode(port, sessionId, content, options, hooks, maxWaitMs = 10 * 60 * 1e3) {
+  const body = {
+    parts: [{ type: "text", text: content }]
+  };
+  if (options?.agent) {
+    body.agent = options.agent;
+  }
+  if (options?.model) {
+    const slashIndex = options.model.indexOf("/");
+    if (slashIndex !== -1) {
+      body.model = {
+        providerID: options.model.substring(0, slashIndex),
+        modelID: options.model.substring(slashIndex + 1)
+      };
+    }
+  }
+  let pollDone = false;
+  const reportedQuestions = /* @__PURE__ */ new Set();
+  const reportedPermissions = /* @__PURE__ */ new Set();
+  const pollInteractive = async () => {
+    while (!pollDone) {
+      await new Promise((resolve) => setTimeout(resolve, 1e3));
+      if (pollDone) break;
+      if (hooks?.onQuestion) {
+        try {
+          const res = await fetch(`${opencodeBase(port)}/question`);
+          if (res.ok) {
+            const questions = await res.json();
+            for (const q of questions) {
+              if (q.sessionID === sessionId && !reportedQuestions.has(q.id)) {
+                reportedQuestions.add(q.id);
+                await hooks.onQuestion(q);
+              }
+            }
+          }
+        } catch {
+        }
+      }
+      if (hooks?.onPermission) {
+        try {
+          const res = await fetch(`${opencodeBase(port)}/permission`);
+          if (res.ok) {
+            const permissions = await res.json();
+            for (const p of permissions) {
+              if (p.sessionID === sessionId && !reportedPermissions.has(p.id)) {
+                reportedPermissions.add(p.id);
+                await hooks.onPermission(p);
+              }
+            }
+          }
+        } catch {
+        }
+      }
+    }
+  };
+  const sendMessage = async () => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), maxWaitMs);
+    try {
+      const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`OpenCode message failed: HTTP ${res.status}${text ? `: ${text}` : ""}`);
+      }
+      const sessionRes = await fetch(`${opencodeBase(port)}/session/${sessionId}`).catch(
+        () => null
+      );
+      const session = sessionRes?.ok ? await sessionRes.json() : null;
+      const reportedInteraction = reportedQuestions.size > 0 || reportedPermissions.size > 0;
+      const turnComplete = isTurnComplete(await getSessionMessages(port, sessionId));
+      const awaitingInteraction = reportedInteraction && !turnComplete;
+      return { title: session?.title, awaitingInteraction };
+    } catch (err) {
+      if (err instanceof Error && err.name === "AbortError") {
+        throw new Error("Message processing timed out");
+      }
+      throw err;
+    } finally {
+      clearTimeout(timer);
+      pollDone = true;
+    }
+  };
+  const [result] = await Promise.all([sendMessage(), pollInteractive()]);
+  return result;
+}
+
+// src/lib/tunnel/connection.ts
+import WebSocket2 from "ws";
+
+// src/lib/tunnel/forwarding.ts
+import WebSocket from "ws";
+var LOOPBACK_HOST = "127.0.0.1";
+var STRIP_REQ = /* @__PURE__ */ new Set([
+  "host",
+  "connection",
+  "keep-alive",
+  "proxy-authorization",
+  "transfer-encoding",
+  "upgrade",
+  "content-length"
+]);
+var STRIP_RES = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "transfer-encoding",
+  "content-encoding",
+  "content-length"
+]);
+var StreamForwarder = class {
+  constructor(ws, port, callbacks = {}) {
+    this.ws = ws;
+    this.port = port;
+    this.callbacks = callbacks;
+  }
+  inflight = /* @__PURE__ */ new Map();
+  /**
+   * Handle an edge→agent frame. Unknown frame types are ignored.
+   */
+  handleFrame(frame) {
+    switch (frame.type) {
+      case "open":
+        this.callbacks.onOpen?.(frame.sid, frame.method, frame.path);
+        void this.handleOpen(frame);
+        break;
+      case "req_data":
+        this.inflight.get(frame.sid)?.pushBody?.(Buffer.from(frame.b64, "base64"));
+        break;
+      case "req_end":
+        this.inflight.get(frame.sid)?.endBody?.();
+        break;
+      case "abort":
+        this.inflight.get(frame.sid)?.abort?.();
+        break;
+    }
+  }
+  /**
+   * Abort every in-flight stream (e.g. on WebSocket close).
+   */
+  abortAll() {
+    for (const stream of this.inflight.values()) {
+      try {
+        stream.abort();
+      } catch {
+      }
+    }
+    this.inflight.clear();
+  }
+  send(frame) {
+    if (this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(frame));
+    }
+  }
+  async handleOpen(frame) {
+    const { sid, method, path, headers, has_body } = frame;
+    if (path === TUNNEL_DRAIN_PING_PATH) {
+      this.callbacks.onDrainPing?.();
+      this.send({ type: "head", sid, status: 204, headers: {} });
+      this.send({ type: "res_end", sid });
+      return;
+    }
+    const ac = new AbortController();
+    let bodyPromise;
+    let pushBody;
+    let endBody;
+    if (has_body) {
+      const chunks = [];
+      bodyPromise = new Promise((resolve) => {
+        pushBody = (buf) => {
+          chunks.push(buf);
+        };
+        endBody = () => {
+          resolve(Buffer.concat(chunks));
+        };
+      });
+    }
+    const fwdHeaders = {};
+    for (const [k, v] of Object.entries(headers ?? {})) {
+      if (!STRIP_REQ.has(k.toLowerCase())) fwdHeaders[k] = v;
+    }
+    this.inflight.set(sid, { pushBody, endBody, abort: () => ac.abort() });
+    const body = bodyPromise ? await bodyPromise : void 0;
+    if (ac.signal.aborted) {
+      this.inflight.delete(sid);
+      return;
+    }
+    let upstream;
+    try {
+      upstream = await fetch(`http://${LOOPBACK_HOST}:${this.port}${path}`, {
+        method,
+        headers: fwdHeaders,
+        body,
+        redirect: "manual",
+        signal: ac.signal
+      });
+    } catch (err) {
+      this.inflight.delete(sid);
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: `upstream fetch failed: ${String(err)}` });
+      }
+      return;
+    }
+    const resHeaders = {};
+    upstream.headers.forEach((value, key) => {
+      if (!STRIP_RES.has(key.toLowerCase())) resHeaders[key] = value;
+    });
+    this.send({ type: "head", sid, status: upstream.status, headers: resHeaders });
+    this.callbacks.onHead?.(sid, upstream.status);
+    try {
+      if (upstream.body) {
+        const reader = upstream.body.getReader();
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          const chunk = Buffer.from(value);
+          for (let i = 0; i < chunk.length; i += MAX_FRAME_BYTES) {
+            const slice = chunk.subarray(i, i + MAX_FRAME_BYTES);
+            this.send({ type: "res_data", sid, b64: slice.toString("base64") });
+          }
+        }
+      }
+      this.send({ type: "res_end", sid });
+    } catch (err) {
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: String(err) });
+      }
+    } finally {
+      this.inflight.delete(sid);
+    }
+  }
+};
+
+// src/lib/tunnel/connection.ts
+var MAX_RECONNECT_DELAY = 3e4;
+var BASE_RECONNECT_DELAY = 500;
+function getReconnectDelay(attempt) {
+  const exponentialDelay = BASE_RECONNECT_DELAY * Math.pow(2, attempt);
+  const jitter = Math.random() * 1e3;
+  return Math.min(exponentialDelay + jitter, MAX_RECONNECT_DELAY);
+}
+function describeSocketError(error2, url) {
+  const code = error2.code;
+  switch (code) {
+    case "ECONNREFUSED":
+      return `connection refused at ${url} \u2014 is the tunnel relay running? (ECONNREFUSED)`;
+    case "ENOTFOUND":
+      return `host not found for ${url} \u2014 check the tunnel URL (ENOTFOUND)`;
+    case "ETIMEDOUT":
+      return `connection timed out to ${url} (ETIMEDOUT)`;
+    case "ECONNRESET":
+      return `connection reset by ${url} (ECONNRESET)`;
+    default: {
+      const base = error2.message?.trim();
+      const suffix = code ? ` (${code})` : "";
+      return `${base && base.length > 0 ? base : "socket error"}${suffix} connecting to ${url}`;
+    }
+  }
+}
+var STREAM_FRAME_TYPES = /* @__PURE__ */ new Set([
+  "open",
+  "req_data",
+  "req_end",
+  "abort"
+]);
+function isStreamFrame(message) {
+  return STREAM_FRAME_TYPES.has(message.type);
+}
+function connectTunnel(options) {
+  const {
+    agentId,
+    authHeader,
+    port,
+    onConnected,
+    onDisconnected,
+    onError,
+    onRequest,
+    onResponse,
+    onInfo,
+    onDrainPing
+  } = options;
+  const tunnelUrl = getTunnelUrlConfig();
+  const url = `${tunnelUrl}/tunnel/${agentId}/connect`;
+  return new Promise((resolve, reject) => {
+    const ws = new WebSocket2(url, {
+      headers: {
+        Authorization: authHeader
+      }
+    });
+    const streamStartTimes = /* @__PURE__ */ new Map();
+    const forwarder = new StreamForwarder(ws, port, {
+      onOpen: (sid, method, path) => {
+        if (path === TUNNEL_DRAIN_PING_PATH) return;
+        streamStartTimes.set(sid, Date.now());
+        onRequest?.(method, path, sid);
+      },
+      onHead: (sid, status) => {
+        const startedAt = streamStartTimes.get(sid);
+        streamStartTimes.delete(sid);
+        onResponse?.(status, startedAt ? Date.now() - startedAt : 0, sid);
+      },
+      onDrainPing: () => onDrainPing?.()
+    });
+    const connectionTimeout = setTimeout(() => {
+      ws.close();
+      reject(new Error("Connection timeout"));
+    }, 3e4);
+    let upgradeRejection = null;
+    ws.on("unexpected-response", (_req, res) => {
+      clearTimeout(connectionTimeout);
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => {
+        const bodyRaw = Buffer.concat(chunks).toString("utf8").trim();
+        let detail = bodyRaw;
+        try {
+          const parsed = JSON.parse(bodyRaw);
+          detail = parsed.error ?? parsed.message ?? bodyRaw;
+          if (parsed.details) detail += ` (${parsed.details})`;
+        } catch {
+        }
+        const statusLine = `HTTP ${res.statusCode}${res.statusMessage ? ` ${res.statusMessage}` : ""}`;
+        upgradeRejection = detail ? `${statusLine}: ${detail}` : statusLine;
+        onError?.(`Tunnel refused by relay (${upgradeRejection})`);
+        reject(new Error(`Tunnel handshake rejected: ${upgradeRejection}`));
+      });
+    });
+    ws.on("open", () => {
+      onInfo?.("WebSocket connection established");
+    });
+    ws.on("message", (data) => {
+      let message;
+      try {
+        message = JSON.parse(data.toString());
+      } catch (error2) {
+        const errorMessage = error2 instanceof Error ? error2.message : "Unknown error";
+        onError?.(`Failed to handle message: ${errorMessage}`);
+        return;
+      }
+      if (isStreamFrame(message)) {
+        forwarder.handleFrame(message);
+        return;
+      }
+      switch (message.type) {
+        case "connected": {
+          clearTimeout(connectionTimeout);
+          const connectedAgentId = message.agent_id ?? agentId;
+          onConnected?.(connectedAgentId);
+          resolve({
+            ws,
+            close: () => ws.close(1e3, "CLI shutdown")
+          });
+          break;
+        }
+        case "error":
+          clearTimeout(connectionTimeout);
+          onError?.(message.message || "Unknown tunnel error");
+          if (message.code === "unauthorized") {
+            ws.close();
+            reject(new Error("Unauthorized"));
+          }
+          break;
+        case "ping":
+          ws.send(JSON.stringify({ type: "pong" }));
+          break;
+      }
+    });
+    ws.on("error", (error2) => {
+      clearTimeout(connectionTimeout);
+      const detail = upgradeRejection ?? describeSocketError(error2, url);
+      onError?.(`Connection error: ${detail}`);
+      reject(upgradeRejection ? new Error(upgradeRejection) : new Error(detail));
+    });
+    ws.on("close", (code, reason) => {
+      const reasonStr = reason.toString() || upgradeRejection || (code === 1006 ? "abnormal closure" : "No reason provided");
+      forwarder.abortAll();
+      streamStartTimes.clear();
+      onDisconnected?.(code, reasonStr);
+    });
+  });
+}
+
+// src/lib/tunnel/runner-connection.ts
+var RunnerConnection = class {
+  opts;
+  sleep;
+  connection = null;
+  resolvedAgentId;
+  /** True while a (re)connect loop is in flight. */
+  reconnecting = false;
+  /** The in-flight reconnect promise, awaitable by the caller. */
+  reconnectPromise = null;
+  /** 1-based count of the current reconnect attempt streak. */
+  reconnectAttempt = 0;
+  constructor(opts) {
+    this.opts = opts;
+    this.resolvedAgentId = opts.agentId;
+    this.sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  }
+  get agentId() {
+    return this.resolvedAgentId;
+  }
+  /** Establish the initial tunnel connection (with retry/backoff). */
+  async connect() {
+    await this.connectWithRetry(false);
+  }
+  /** Close the active connection (idempotent). */
+  close() {
+    if (this.connection) {
+      try {
+        this.connection.close();
+      } catch {
+      }
+      this.connection = null;
+    }
+  }
+  async connectWithRetry(isReconnect) {
+    if (isReconnect && this.reconnecting) return;
+    this.reconnecting = true;
+    this.close();
+    const { events } = this.opts;
+    while (this.opts.isRunning()) {
+      try {
+        this.connection = await connectTunnel({
+          agentId: this.resolvedAgentId,
+          authHeader: this.opts.getAuthHeader(),
+          port: this.opts.port,
+          onConnected: (agentId) => {
+            this.reconnectAttempt = 0;
+            this.reconnecting = false;
+            this.resolvedAgentId = agentId;
+            events.onConnected(agentId, isReconnect);
+          },
+          onDisconnected: (code, reason) => {
+            events.onDisconnected(code, reason);
+            if (this.opts.isRunning() && code !== 1e3 && !this.reconnecting) {
+              this.reconnectPromise = this.connectWithRetry(true).catch((err) => {
+                events.onError?.(`Reconnection failed: ${err.message}`);
+              });
+            }
+          },
+          onError: (error2) => events.onError?.(error2),
+          onResponse: () => events.onResponse?.(),
+          onDrainPing: () => events.onDrainPing?.(),
+          onInfo: (message) => events.onInfo?.(message)
+        });
+        return;
+      } catch (error2) {
+        this.reconnectAttempt++;
+        if (error2.message === "Unauthorized") {
+          this.reconnecting = false;
+          throw error2;
+        }
+        const delay = getReconnectDelay(this.reconnectAttempt);
+        events.onReconnecting?.(this.reconnectAttempt);
+        events.onError?.(`Connection failed, retrying in ${Math.round(delay / 1e3)}s...`);
+        await this.sleep(delay);
+      }
+    }
+    this.reconnecting = false;
+  }
+};
+
+// src/lib/channels/driver.ts
+var DEFAULT_RETRY_POLICY = {
+  maxAttempts: 6,
+  baseDelayMs: 500,
+  maxDelayMs: 3e4
+};
+var DEFAULT_PAUSED_POLL_INTERVAL_MS = 2e3;
+var DEFAULT_PAUSED_MAX_WAIT_MS = 10 * 60 * 1e3;
+var ChannelAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ChannelAuthError";
+  }
+};
+function backoffDelay(attempt, policy) {
+  const exp = policy.baseDelayMs * Math.pow(2, attempt);
+  const capped = Math.min(policy.maxDelayMs, exp);
+  return Math.floor(Math.random() * capped);
+}
+function isRetryableStatus(status) {
+  return status === 429 || status >= 500 && status <= 599;
+}
+var ChannelDriver = class {
+  agentId;
+  port;
+  apiUrl;
+  getAuthHeader;
+  conversationFilter;
+  retry;
+  log;
+  fetchImpl;
+  sleep;
+  pausedPollIntervalMs;
+  pausedMaxWaitMs;
+  /** Cache of conversationId → opencode sessionId. */
+  sessions = /* @__PURE__ */ new Map();
+  /**
+   * Outstanding paused-session watchers, keyed by `message.id` (WI-2-CLI).
+   * Single-flight per message: while a watcher is live for a message we never
+   * start a second one. The message stays `processing` for the watcher's lifetime
+   * so the `?status=pending` drain cannot double-claim it.
+   */
+  watchers = /* @__PURE__ */ new Map();
+  /**
+   * Cache of the opencode root directory (from `GET /path`). Resolved lazily on
+   * first session creation so drain-created sessions are rooted at the project
+   * directory and thus visible in `opencode web`'s session list. `undefined` =
+   * not yet resolved; `null` = resolved-but-unavailable (don't keep retrying).
+   */
+  opencodeDirectory = void 0;
+  /** Serialises drains so a reconnect during a drain doesn't double-process. */
+  draining = false;
+  constructor(config2) {
+    this.agentId = config2.agentId;
+    this.port = config2.port;
+    this.apiUrl = config2.apiUrl.replace(/\/$/, "");
+    this.getAuthHeader = config2.getAuthHeader;
+    this.conversationFilter = config2.conversationFilter ?? null;
+    this.retry = { ...DEFAULT_RETRY_POLICY, ...config2.retry };
+    this.log = config2.log ?? (() => {
+    });
+    this.fetchImpl = config2.fetchImpl ?? fetch;
+    this.sleep = config2.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+    this.pausedPollIntervalMs = config2.pausedPollIntervalMs ?? DEFAULT_PAUSED_POLL_INTERVAL_MS;
+    this.pausedMaxWaitMs = config2.pausedMaxWaitMs ?? DEFAULT_PAUSED_MAX_WAIT_MS;
+  }
+  /** The IPv4-loopback base URL for the local `opencode serve`. */
+  get opencodeBase() {
+    return `http://127.0.0.1:${this.port}`;
+  }
+  // -------------------------------------------------------------------------
+  // Public API
+  // -------------------------------------------------------------------------
+  /**
+   * Drain all pending channel conversations once: poll → process → callback.
+   * Called on tunnel `connected` (WI-CHAN-4) and on each poll tick by `run.ts`.
+   * Re-entrant calls while a drain is in flight are skipped (return 0).
+   *
+   * @returns the number of messages processed.
+   */
+  async drainPending() {
+    if (this.draining) return 0;
+    this.draining = true;
+    let processed = 0;
+    try {
+      const conversations = await this.getPendingConversations();
+      if (conversations.length > 0) {
+        const total = conversations.reduce((sum, c) => sum + (c.pending_message_count ?? 0), 0);
+        this.log({
+          level: "info",
+          message: `Found ${total} pending message(s) across ${conversations.length} conversation(s) \u2014 draining`
+        });
+      }
+      for (const conv of conversations) {
+        processed += await this.processConversation(conv);
+      }
+    } finally {
+      this.draining = false;
+    }
+    return processed;
+  }
+  /**
+   * Await all outstanding paused-session watchers (WI-2-CLI).
+   *
+   * In production the watchers are deliberately started-not-awaited so the drain
+   * loop never blocks on them and process exit is not held up (the cron recovers
+   * any abandoned ones). This helper exists primarily for deterministic tests
+   * that need to observe the watcher's effect (the `done` PATCH or its giving up)
+   * after a non-blocking `drainPending`. Watchers never reject, so this resolves.
+   */
+  async flushPausedWatchers() {
+    await Promise.all([...this.watchers.values()]);
+  }
+  // -------------------------------------------------------------------------
+  // Conversation processing
+  // -------------------------------------------------------------------------
+  async processConversation(conv) {
+    const sessionId = await this.ensureSession(conv);
+    const messages = await this.getPendingMessages(conv.id);
+    let processed = 0;
+    for (const message of messages) {
+      const claimed = await this.markProcessing(conv.id, message.id);
+      if (!claimed) {
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} already claimed \u2014 skipping`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        continue;
+      }
+      try {
+        this.log({
+          level: "info",
+          message: `Sending queued message ${message.id.slice(0, 8)} to OpenCode (session ${sessionId.slice(0, 8)})`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        const result = await sendMessageToOpenCode(
+          this.port,
+          sessionId,
+          message.content,
           {
-            command: "tunnel",
-            error: message
+            agent: message.opencode_agent ?? void 0,
+            model: message.opencode_model ?? void 0
           },
-          state.sandboxId ?? void 0
+          {
+            onQuestion: (question) => this.reportInteraction(conv.id, "question", question),
+            onPermission: (permission) => this.reportInteraction(conv.id, "permission", permission)
+          }
         );
-        await shutdownTelemetry();
-        displayError(state, "Authentication failed", "Please run `evident login` again.");
-        process.exit(1);
+        if (result.awaitingInteraction) {
+          this.log({
+            level: "info",
+            message: `Message ${message.id.slice(0, 8)} paused awaiting interaction \u2014 watching session for completion`,
+            conversation_id: conv.id,
+            message_id: message.id
+          });
+          this.startPausedWatcher(conv, message, sessionId);
+          continue;
+        }
+        await this.confirmCompletion(sessionId);
+        await this.markDone(conv.id, message.id, sessionId);
+        processed += 1;
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} processed`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+      } catch (err) {
+        if (err instanceof ChannelAuthError) throw err;
+        await this.markFailed(conv.id, message.id).catch(() => {
+        });
+        this.log({
+          level: "error",
+          message: `Message ${message.id.slice(0, 8)} failed: ${err instanceof Error ? err.message : String(err)}`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
       }
-      logActivity(state, {
-        type: "error",
-        error: message
+    }
+    return processed;
+  }
+  async ensureSession(conv) {
+    const cached = this.sessions.get(conv.id);
+    if (cached) return cached;
+    if (conv.opencode_session_id) {
+      this.sessions.set(conv.id, conv.opencode_session_id);
+      return conv.opencode_session_id;
+    }
+    const directory = await this.resolveOpenCodeDirectory();
+    const sessionId = await createOpenCodeSession(this.port, directory);
+    this.sessions.set(conv.id, sessionId);
+    await this.persistSession(conv.id, sessionId).catch(() => {
+    });
+    return sessionId;
+  }
+  /**
+   * Lazily resolve (and cache) opencode's root directory via `GET /path`.
+   * Resolved once per driver: `undefined` until first lookup, then the directory
+   * string or `null` if unavailable (we don't keep retrying a missing `/path`).
+   */
+  async resolveOpenCodeDirectory() {
+    if (this.opencodeDirectory !== void 0) return this.opencodeDirectory;
+    this.opencodeDirectory = await getOpenCodeDirectory(this.port);
+    if (!this.opencodeDirectory) {
+      this.log({
+        level: "info",
+        message: "Could not determine opencode directory (GET /path) \u2014 new sessions may not appear in opencode web"
       });
-      telemetry.error(
-        EventTypes.TUNNEL_ERROR,
-        `Tunnel error: ${message}`,
+    }
+    return this.opencodeDirectory;
+  }
+  /**
+   * Local reconcile: re-query `GET /session/:id/message` and check whether the
+   * last assistant message is message-level complete (`isTurnComplete`).
+   *
+   * This is a PURE OBSERVABILITY probe on the normal (non-paused) path: the
+   * blocking POST already returned, and `markDone` causes the server to re-fetch
+   * the messages itself (via `extractTextFromMessages`) when delivering the
+   * reply — so this round-trip never gates delivery. We keep it only to surface a
+   * truthful diagnostic when opencode hasn't yet recorded a completed assistant
+   * turn at reconcile time, then proceed to `markDone` regardless. Uses the
+   * injected `fetchImpl` and reuses only the pure `isTurnComplete` predicate.
+   */
+  async confirmCompletion(sessionId) {
+    try {
+      const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+      if (!res.ok) return;
+      const body = await res.json();
+      const messages = Array.isArray(body) ? body : null;
+      if (!isTurnComplete(messages)) {
+        this.log({
+          level: "info",
+          message: `Session ${sessionId.slice(0, 8)} messages do not yet show a completed assistant turn on reconcile \u2014 delivering anyway`
+        });
+      }
+    } catch {
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Paused-session watcher (WI-2-CLI)
+  // -------------------------------------------------------------------------
+  /**
+   * Start (but do NOT await) a watcher that resumes a paused turn to completion.
+   *
+   * Single-flight per message: if a watcher is already live for this message we
+   * skip. The returned watcher promise is tracked in `this.watchers` and removed
+   * when it settles; it never rejects (the body is fully guarded), so a failed
+   * poll/markDone can never crash the run loop — the cron stays as the safety net.
+   */
+  startPausedWatcher(conv, message, sessionId) {
+    if (this.watchers.has(message.id)) return;
+    const watcher = this.watchPausedSession(conv, message, sessionId).finally(() => {
+      this.watchers.delete(message.id);
+    });
+    this.watchers.set(message.id, watcher);
+  }
+  /**
+   * Poll `GET /session/:id/message` until the SAME paused turn is message-level
+   * complete — the last message is an ASSISTANT message whose
+   * `info.time.completed` is set (the user answered the question/permission in
+   * opencode web and opencode finished the turn) — then complete it via the
+   * EXISTING `markDone` PATCH — NO re-send of the original message. The server
+   * re-fetches the assistant messages on completion, so the watcher does not
+   * pass any reply text.
+   *
+   * Fetch seam: the poll uses the injected `this.fetchImpl` (preserving the
+   * tests' injection) and reuses only the pure `isTurnComplete` predicate from
+   * `session.ts` — we do NOT call `getSessionMessages` (which uses the global
+   * `fetch`) here.
+   *
+   * Bounded by `pausedMaxWaitMs` (default 10 min, strictly < the 15-min cron
+   * reset): on timeout we STOP and leave the message `processing` so the cron
+   * remains the last-resort safety net. The whole body is wrapped so any
+   * poll/markDone failure is logged and swallowed — a watcher MUST NEVER throw
+   * out of the run loop.
+   */
+  async watchPausedSession(conv, message, sessionId) {
+    const deadline = Date.now() + this.pausedMaxWaitMs;
+    try {
+      while (Date.now() < deadline) {
+        await this.sleep(this.pausedPollIntervalMs);
+        let completed = false;
+        try {
+          const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+          if (res.ok) {
+            const body = await res.json();
+            const messages = Array.isArray(body) ? body : null;
+            completed = isTurnComplete(messages);
+          }
+        } catch {
+          continue;
+        }
+        if (!completed) continue;
+        this.log({
+          level: "info",
+          message: `Paused session ${sessionId.slice(0, 8)} completed \u2014 marking message ${message.id.slice(0, 8)} done`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        await this.markDone(conv.id, message.id, sessionId);
+        return;
+      }
+      this.log({
+        level: "info",
+        message: `Paused session ${sessionId.slice(0, 8)} did not complete within the watch window \u2014 leaving message ${message.id.slice(0, 8)} for the cron safety net`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
+    } catch (err) {
+      this.log({
+        level: "error",
+        message: `Paused-session watcher failed for message ${message.id.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Evident API calls (combinedAuth thread routes)
+  // -------------------------------------------------------------------------
+  async getPendingConversations() {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/conversations/pending`,
+      {
+        headers: { Authorization: this.getAuthHeader() }
+      }
+    );
+    this.assertAuth(res, "fetching pending conversations");
+    if (!res.ok) {
+      throw new Error(`Failed to get pending conversations: HTTP ${res.status}`);
+    }
+    const data = await res.json();
+    let conversations = data.conversations;
+    if (this.conversationFilter) {
+      conversations = conversations.filter((c) => c.id === this.conversationFilter);
+    }
+    return conversations;
+  }
+  async getPendingMessages(conversationId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages?status=pending`,
+      { headers: { Authorization: this.getAuthHeader() } }
+    );
+    this.assertAuth(res, "fetching pending messages");
+    if (!res.ok) {
+      throw new Error(`Failed to get messages: HTTP ${res.status}`);
+    }
+    return await res.json();
+  }
+  async markProcessing(conversationId, messageId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+      {
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ status: "processing" })
+      }
+    );
+    this.assertAuth(res, "marking message as processing");
+    return res.ok;
+  }
+  /**
+   * EXISTING combinedAuth completion route — idempotent + retried (WI-CHAN-2).
+   * `PATCH .../messages/:id {status:'done', opencode_session_id}`. The server's
+   * `queued_conversation_messages.status`/`processed_at` gate makes a re-call
+   * for an already-`done` message a no-op (no double Slack post).
+   */
+  async markDone(conversationId, messageId, sessionId) {
+    await this.callWithRetry(
+      "marking message as done",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
         {
-          error: message,
-          attempt: state.reconnectAttempt
-        },
-        state.sandboxId ?? void 0
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "done", opencode_session_id: sessionId })
+        }
+      )
+    );
+  }
+  async markFailed(conversationId, messageId) {
+    await this.callWithRetry(
+      "marking message as failed",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "failed" })
+        }
+      )
+    );
+  }
+  async persistSession(conversationId, sessionId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}`,
+      {
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ opencode_session_id: sessionId })
+      }
+    );
+    this.assertAuth(res, "persisting session id");
+  }
+  /**
+   * EXISTING combinedAuth interaction route (WI-CHAN-3) — idempotent + retried.
+   * `POST .../interactive-event {type, data}`. The server persists the
+   * interaction and posts a link to the proxied opencode-web conversation.
+   */
+  async reportInteraction(conversationId, type, data) {
+    try {
+      await this.callWithRetry(
+        "reporting interactive event",
+        () => this.fetchImpl(
+          `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/interactive-event`,
+          {
+            method: "POST",
+            headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+            body: JSON.stringify({ type, data })
+          }
+        )
+      );
+      this.log({
+        level: "info",
+        message: `${type} surfaced to channel (id: ${data.id.slice(0, 8)})`,
+        conversation_id: conversationId
+      });
+    } catch (err) {
+      if (err instanceof ChannelAuthError) throw err;
+      this.log({
+        level: "error",
+        message: `Failed to surface ${type}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conversationId
+      });
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Retry wrapper
+  // -------------------------------------------------------------------------
+  /**
+   * Invoke an Evident API call, retrying on transient failures (5xx / 429 /
+   * network errors) with exponential backoff + jitter (capped). Auth failures
+   * (401/403) are terminal and surface as `ChannelAuthError`; other 4xx are
+   * terminal too. No on-disk persistence — a crash mid-retry drops the callback
+   * (accepted by ADR-0039).
+   */
+  async callWithRetry(context, call) {
+    let lastError;
+    for (let attempt = 0; attempt < this.retry.maxAttempts; attempt += 1) {
+      let res;
+      try {
+        res = await call();
+      } catch (err) {
+        lastError = err;
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+        throw err;
+      }
+      if (res.status === 401 || res.status === 403) {
+        throw new ChannelAuthError(
+          `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+        );
+      }
+      if (res.ok) return;
+      if (isRetryableStatus(res.status)) {
+        lastError = new Error(`${context}: HTTP ${res.status}`);
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+      }
+      throw new Error(`${context}: HTTP ${res.status}`);
+    }
+    throw lastError instanceof Error ? lastError : new Error(`${context}: exhausted retries`);
+  }
+  assertAuth(res, context) {
+    if (res.status === 401 || res.status === 403) {
+      throw new ChannelAuthError(
+        `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+      );
+    }
+  }
+};
+
+// src/commands/ensure-opencode.ts
+import chalk5 from "chalk";
+import ora2 from "ora";
+import { select as select2 } from "@inquirer/prompts";
+async function ensureOpenCodeRunning(ctx) {
+  const healthCheck = await checkOpenCodeHealth(ctx.port);
+  if (healthCheck.healthy) {
+    return { port: ctx.port, process: null, version: healthCheck.version ?? null };
+  }
+  const runningInstances = await findHealthyOpenCodeInstances();
+  if (runningInstances.length > 0) {
+    if (!ctx.interactive) {
+      throw new Error(
+        `OpenCode not found on port ${ctx.port}, but running on port ${runningInstances[0].port}. Use --port ${runningInstances[0].port}`
+      );
+    }
+    blank();
+    console.log(chalk5.yellow("Found OpenCode running on different port(s):"));
+    for (const instance of runningInstances) {
+      const ver = instance.version ? ` (v${instance.version})` : "";
+      const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
+      console.log(chalk5.dim(`  * Port ${instance.port}${ver}${cwd}`));
+    }
+    blank();
+    if (runningInstances.length === 1) {
+      console.log(chalk5.yellow("Tip: Run with the correct port:"));
+      console.log(
+        chalk5.dim(
+          `  ${getCliName()} run --agent ${ctx.agentId} --port ${runningInstances[0].port}`
+        )
+      );
+    }
+    blank();
+    throw new Error(`OpenCode not running on port ${ctx.port}`);
+  }
+  if (!isOpenCodeInstalled()) {
+    if (!ctx.interactive) {
+      throw new Error("OpenCode is not installed. Install it with: npm install -g opencode-ai");
+    }
+    const result = await promptOpenCodeInstall(true);
+    if (result === "exit") process.exit(0);
+    if (result !== "installed" && !isOpenCodeInstalled()) {
+      throw new Error("OpenCode is not installed");
+    }
+  }
+  if (!ctx.interactive) {
+    ctx.log(`OpenCode is not running on port ${ctx.port}. Starting it automatically...`);
+    const proc = await startOpenCode(ctx.port);
+    const health = await waitForOpenCodeHealth(ctx.port, 3e4);
+    if (!health.healthy) {
+      throw new Error(
+        `OpenCode failed to start on port ${ctx.port}. Install with: npm install -g opencode-ai`
       );
-      state.reconnectAttempt++;
-      const delay = getReconnectDelay(state.reconnectAttempt);
-      logActivity(state, {
-        type: "info",
-        message: `Reconnecting in ${Math.round(delay / 1e3)}s (attempt ${state.reconnectAttempt})...`
+    }
+    ctx.log(`OpenCode started on port ${ctx.port}${health.version ? ` (v${health.version})` : ""}`);
+    return { port: ctx.port, process: proc, version: health.version ?? null };
+  }
+  let port = ctx.port;
+  if (isPortInUse(port)) {
+    console.log(chalk5.yellow(`
+Port ${port} is already in use.`));
+    const alternativePort = findAvailablePort(port + 1);
+    if (alternativePort) {
+      const useAlternative = await select2({
+        message: `Use port ${alternativePort} instead?`,
+        choices: [
+          { name: `Yes, use port ${alternativePort}`, value: "yes" },
+          { name: "No, I will free the port manually", value: "no" }
+        ]
       });
+      if (useAlternative === "yes") {
+        port = alternativePort;
+      } else {
+        throw new Error(`Port ${ctx.port} is in use`);
+      }
+    }
+  }
+  const action = await select2({
+    message: "OpenCode is not running. What would you like to do?",
+    choices: [
+      {
+        name: "Start OpenCode for me",
+        value: "start",
+        description: `Run 'opencode serve --port ${port}'`
+      },
+      {
+        name: "Show me the command",
+        value: "manual",
+        description: "Display the command to run manually"
+      },
+      {
+        name: "Continue without OpenCode",
+        value: "continue",
+        description: "Requests will fail until OpenCode starts"
+      }
+    ]
+  });
+  if (action === "manual") {
+    blank();
+    console.log(chalk5.bold("Run this command in another terminal:"));
+    blank();
+    console.log(`  ${chalk5.cyan(`opencode serve --port ${port}`)}`);
+    blank();
+    throw new Error("Please start OpenCode manually");
+  }
+  if (action === "start") {
+    const spinner = ora2("Starting OpenCode...").start();
+    const proc = await startOpenCode(port);
+    const health = await waitForOpenCodeHealth(port, 3e4);
+    if (!health.healthy) {
+      spinner.fail("Failed to start OpenCode");
+      throw new Error("OpenCode failed to start");
+    }
+    spinner.stop();
+    return { port, process: proc, version: health.version ?? null };
+  }
+  return { port, process: null, version: null };
+}
+
+// src/commands/agent-lookup.ts
+async function readErrorMessage(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return response.statusText || void 0;
+  try {
+    const data = JSON.parse(text);
+    const message = data.message ?? data.error;
+    if (typeof message === "string" && message.trim()) {
+      return message;
+    }
+  } catch {
+  }
+  return text.trim() || response.statusText || void 0;
+}
+function authFailureHint(apiUrl, serverMessage) {
+  const reason = serverMessage ? `: ${serverMessage}` : "";
+  return `Authentication failed${reason}. Your credentials were rejected by ${apiUrl}. This usually means you logged in against a different environment, or your session expired \u2014 log in again pointing at this endpoint and retry.`;
+}
+async function resolveAgentIdFromKey(authHeader) {
+  const apiUrl = getApiUrlConfig();
+  try {
+    const response = await fetch(`${apiUrl}/me`, {
+      headers: { Authorization: authHeader }
+    });
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (!response.ok) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        error: `Failed to resolve agent from key (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
+    }
+    const data = await response.json();
+    if (data.auth_type === "agent_key" && data.agent_id) {
+      return { agent_id: data.agent_id };
+    }
+    return {
+      error: "Cannot resolve agent ID: auth type is not agent_key. Please provide --agent explicitly."
+    };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { error: `Failed to resolve agent from key: ${message}` };
+  }
+}
+async function getAgentInfo(agentId, authHeader) {
+  const apiUrl = getApiUrlConfig();
+  try {
+    const response = await fetch(`${apiUrl}/agents/${agentId}`, {
+      headers: { Authorization: authHeader }
+    });
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (response.status === 403) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: serverMessage ?? "You do not have access to this agent (it may belong to a different team or organization)."
+      };
+    }
+    if (response.status === 404) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: serverMessage ?? `Agent ${agentId} not found` };
+    }
+    if (!response.ok) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: `API error (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
+    }
+    const agent = await response.json();
+    if (agent.agent_type !== "local") {
+      return {
+        valid: false,
+        error: `Agent is type '${agent.agent_type}', must be 'local' for CLI connection`
+      };
+    }
+    return { valid: true, agent };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { valid: false, error: `Failed to validate agent: ${message}` };
+  }
+}
+
+// src/commands/run.ts
+var MAX_ACTIVITY_LOG_ENTRIES = 10;
+var CHANNEL_POLL_INTERVAL_MS = Number(process.env.EVIDENT_CHANNEL_POLL_INTERVAL_MS) || 2e3;
+function log(state, message, isError = false) {
+  if (state.json) {
+    console.log(
+      JSON.stringify({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: isError ? "error" : "info",
+        message
+      })
+    );
+  } else if (!state.interactive) {
+    const prefix = isError ? chalk6.red("\u2717") : chalk6.green("\u2022");
+    console.log(`${prefix} ${message}`);
+  }
+}
+function logActivity(state, entry) {
+  const fullEntry = {
+    ...entry,
+    timestamp: /* @__PURE__ */ new Date()
+  };
+  state.activityLog.push(fullEntry);
+  if (state.activityLog.length > MAX_ACTIVITY_LOG_ENTRIES) {
+    state.activityLog.shift();
+  }
+  if (!state.interactive) {
+    if (entry.type === "error") {
+      log(state, entry.error ?? "Unknown error", true);
+    } else if (entry.type === "info" && entry.message) {
+      log(state, entry.message);
+    }
+  }
+}
+function displayStatus(state) {
+  if (!state.interactive) return;
+  const attempt = state.connection?.reconnectAttempt ?? 0;
+  const tunnel = state.connected ? chalk6.green("tunnel: connected") : attempt > 0 ? chalk6.yellow(`tunnel: reconnecting (#${attempt})`) : chalk6.yellow("tunnel: connecting");
+  const opencode = state.opencodeConnected ? chalk6.green(`opencode: :${state.port}`) : chalk6.red(`opencode: :${state.port} (down)`);
+  const messages = state.messageCount > 0 ? chalk6.dim(` \xB7 ${state.messageCount} processed`) : "";
+  const last = state.activityLog[state.activityLog.length - 1];
+  const detail = last ? chalk6.dim(` \xB7 ${last.type === "error" ? last.error ?? "" : last.message ?? ""}`) : "";
+  const agent = state.agentName ?? state.agentId;
+  console.log(
+    `${chalk6.bold("Evident")} ${chalk6.dim(agent)}  ${tunnel}  ${opencode}${messages}${detail}`
+  );
+}
+async function promptForLogin(promptMessage, successMessage) {
+  const action = await select3({
+    message: promptMessage,
+    choices: [
+      {
+        name: "Yes, log me in",
+        value: "login",
+        description: "Opens a browser to authenticate with Evident"
+      },
+      {
+        name: "No, exit",
+        value: "exit",
+        description: "Exit without logging in"
+      }
+    ]
+  });
+  if (action === "exit") {
+    console.log(chalk6.dim(`
+You can log in later by running: ${getCliName()} login`));
+    process.exit(0);
+  }
+  await login({ noBrowser: false });
+  const credentials2 = await getToken();
+  if (!credentials2) {
+    printError("Login failed. Please try again.");
+    process.exit(1);
+  }
+  blank();
+  console.log(chalk6.green(successMessage));
+  blank();
+  return { token: credentials2.token, authType: "bearer", user: credentials2.user };
+}
+var AUTH_EXPIRED_EXIT_CODE = 77;
+async function handleAuthError(state, error2) {
+  logActivity(state, {
+    type: "error",
+    error: error2.message
+  });
+  if (state.interactive) displayStatus(state);
+  if (!state.interactive) {
+    blank();
+    console.log(chalk6.red("Authentication expired"));
+    console.log(chalk6.dim("Your authentication token is no longer valid."));
+    blank();
+    console.log(chalk6.dim("To fix this:"));
+    console.log(chalk6.dim(`  1. Run '${getCliName()} login' to re-authenticate`));
+    console.log(chalk6.dim("  2. Restart this command"));
+    blank();
+    await cleanup(state);
+    await shutdownTelemetry();
+    process.exit(AUTH_EXPIRED_EXIT_CODE);
+    return { success: false };
+  }
+  blank();
+  console.log(chalk6.yellow("Your authentication has expired."));
+  blank();
+  try {
+    const credentials2 = await promptForLogin(
+      "Would you like to log in again?",
+      "Re-authenticated successfully! Resuming..."
+    );
+    const newAuthHeader = getAuthHeader(credentials2);
+    return { success: true, newAuthHeader };
+  } catch {
+    return { success: false };
+  }
+}
+async function driveChannels(state, driver) {
+  let idlePolls = 0;
+  while (state.running) {
+    if (state.connection?.reconnecting && state.connection.reconnectPromise) {
+      logActivity(state, { type: "info", message: "Waiting for tunnel reconnection..." });
+      if (state.interactive) displayStatus(state);
+      await state.connection.reconnectPromise;
+    }
+    try {
+      const processed = await driver.drainPending();
+      state.messageCount += processed;
+      if (processed > 0) {
+        idlePolls = 0;
+        if (state.interactive) displayStatus(state);
+      } else if (state.idleTimeout !== null) {
+        idlePolls++;
+        if (idlePolls === 1) {
+          logActivity(state, {
+            type: "info",
+            message: `Queue empty, waiting (timeout: ${state.idleTimeout}s)...`
+          });
+          if (state.interactive) displayStatus(state);
+        }
+      }
+    } catch (error2) {
+      if (error2 instanceof ChannelAuthError) {
+        const result = await handleAuthError(state, error2);
+        if (result.success && result.newAuthHeader) {
+          state.authHeader = result.newAuthHeader;
+          logActivity(state, { type: "info", message: "Continuing with new credentials..." });
+          if (state.interactive) displayStatus(state);
+          continue;
+        }
+        state.running = false;
+        break;
+      }
+      const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+      logActivity(state, { type: "error", error: `Channel processing error: ${errorMessage}` });
+      if (state.interactive) displayStatus(state);
+    }
+    await new Promise((resolve) => setTimeout(resolve, CHANNEL_POLL_INTERVAL_MS));
+    if (state.idleTimeout !== null && idlePolls >= 2) {
+      const idleMs = idlePolls * CHANNEL_POLL_INTERVAL_MS;
+      if (idleMs > state.idleTimeout * 1e3) {
+        logActivity(state, { type: "info", message: "Idle timeout reached" });
+        if (state.interactive) displayStatus(state);
+        break;
+      }
+    }
+  }
+}
+async function cleanup(state) {
+  state.running = false;
+  if (state.connection) {
+    state.connection.close();
+    state.connection = null;
+  }
+  if (state.opencodeProcess) {
+    stopOpenCode(state.opencodeProcess);
+    if (state.interactive) {
+      logActivity(state, { type: "info", message: "Stopped OpenCode process" });
       displayStatus(state);
-      await sleep(delay);
+    } else {
+      log(state, "Stopped OpenCode process");
     }
+    state.opencodeProcess = null;
+  }
+}
+async function run(options) {
+  const interactive = isInteractive(options.json);
+  const state = {
+    agentId: options.agent || "",
+    agentName: null,
+    port: options.port ?? 4096,
+    conversationFilter: options.conversation ?? null,
+    idleTimeout: options.idleTimeout ?? null,
+    json: options.json ?? false,
+    interactive,
+    connected: false,
+    opencodeConnected: false,
+    opencodeVersion: null,
+    opencodeProcess: null,
+    connection: null,
+    running: true,
+    activityLog: [],
+    messageCount: 0,
+    authHeader: ""
+  };
+  if (state.idleTimeout === null && (process.env.GITHUB_ACTIONS || process.env.CI)) {
+    log(
+      state,
+      "Warning: No --idle-timeout set in CI environment. The runner will poll indefinitely until the job times out. Consider adding --idle-timeout 30 to avoid wasting runner minutes.",
+      false
+    );
+  }
+  const handleSignal = async () => {
+    if (state.interactive) {
+      logActivity(state, { type: "info", message: "Shutting down..." });
+      displayStatus(state);
+    } else {
+      log(state, "Shutting down...");
+    }
+    await cleanup(state);
+    await shutdownTelemetry();
+    process.exit(0);
+  };
+  process.on("SIGINT", handleSignal);
+  process.on("SIGTERM", handleSignal);
+  try {
+    let credentials2 = await getAuthCredentials();
+    if (!credentials2) {
+      if (!interactive) {
+        printError("Authentication required");
+        blank();
+        console.log(chalk6.dim("Set EVIDENT_AGENT_KEY environment variable for CI"));
+        console.log(chalk6.dim("Or run `evident login` for interactive authentication"));
+        blank();
+        process.exit(1);
+      }
+      blank();
+      console.log(chalk6.yellow("You are not logged in to Evident."));
+      blank();
+      credentials2 = await promptForLogin(
+        "Would you like to log in now?",
+        "Login successful! Continuing..."
+      );
+    }
+    state.authHeader = getAuthHeader(credentials2);
+    if (!state.agentId) {
+      if (credentials2.authType === "agent_key") {
+        const resolved = await resolveAgentIdFromKey(state.authHeader);
+        if (resolved.agent_id) {
+          state.agentId = resolved.agent_id;
+          log(state, `Resolved agent ID from key: ${state.agentId}`);
+          if (state.interactive && !state.json) {
+            logActivity(state, {
+              type: "info",
+              message: `Agent ID resolved from key: ${state.agentId}`
+            });
+          }
+        } else {
+          printError(resolved.error || "Failed to resolve agent ID from key");
+          process.exit(1);
+        }
+      } else {
+        printError("--agent is required when not using EVIDENT_AGENT_KEY");
+        blank();
+        console.log(chalk6.dim("Either provide --agent <id> or set EVIDENT_AGENT_KEY"));
+        blank();
+        process.exit(1);
+      }
+    }
+    telemetry.info(
+      EventTypes.CLI_COMMAND,
+      "Starting run command",
+      {
+        command: "run",
+        agentId: state.agentId,
+        port: state.port,
+        conversationFilter: state.conversationFilter,
+        interactive
+      },
+      state.agentId
+    );
+    if (interactive && !state.json) {
+      blank();
+      console.log(chalk6.bold("Evident Run"));
+      console.log(chalk6.dim("-".repeat(40)));
+    }
+    const spinner = interactive && !state.json ? ora3("Validating agent...").start() : null;
+    let validation = await getAgentInfo(state.agentId, state.authHeader);
+    if (!validation.valid && validation.authFailed && interactive) {
+      spinner?.fail("Authentication failed");
+      blank();
+      console.log(chalk6.yellow("Your authentication token is invalid or expired."));
+      blank();
+      credentials2 = await promptForLogin(
+        "Would you like to log in again?",
+        "Login successful! Retrying..."
+      );
+      state.authHeader = getAuthHeader(credentials2);
+      spinner?.start("Validating agent...");
+      validation = await getAgentInfo(state.agentId, state.authHeader);
+    }
+    if (!validation.valid) {
+      spinner?.fail(`Agent validation failed: ${validation.error}`);
+      throw new Error(validation.error);
+    }
+    spinner?.succeed(`Agent: ${validation.agent.name || state.agentId}`);
+    state.agentName = validation.agent.name;
+    const ocSpinner = interactive && !state.json ? ora3("Checking OpenCode...").start() : null;
+    try {
+      const oc = await ensureOpenCodeRunning({
+        port: state.port,
+        interactive: state.interactive,
+        agentId: state.agentId,
+        log: (message) => log(state, message)
+      });
+      state.port = oc.port;
+      state.opencodeProcess = oc.process;
+      state.opencodeVersion = oc.version;
+      state.opencodeConnected = oc.process !== null || oc.version !== null;
+      const version = state.opencodeVersion ? ` (v${state.opencodeVersion})` : "";
+      ocSpinner?.succeed(`OpenCode running on port ${state.port}${version}`);
+    } catch (error2) {
+      ocSpinner?.fail(error2.message);
+      throw error2;
+    }
+    const tunnelSpinner = interactive && !state.json ? ora3("Connecting tunnel...").start() : null;
+    const channelDriver = new ChannelDriver({
+      agentId: state.agentId,
+      port: state.port,
+      apiUrl: getApiUrlConfig(),
+      getAuthHeader: () => state.authHeader,
+      conversationFilter: state.conversationFilter,
+      log: (entry) => logActivity(state, {
+        type: entry.level === "error" ? "error" : "info",
+        message: entry.message,
+        error: entry.level === "error" ? entry.message : void 0
+      })
+    });
+    const connection = new RunnerConnection({
+      agentId: state.agentId,
+      getAuthHeader: () => state.authHeader,
+      port: state.port,
+      isRunning: () => state.running,
+      events: {
+        onConnected: (agentId, isReconnect) => {
+          state.connected = true;
+          state.agentId = agentId;
+          logActivity(state, {
+            type: "info",
+            message: `Tunnel ${isReconnect ? "reconnected" : "connected"} (agent: ${agentId})`
+          });
+          emitAgentConnected(state.agentId, { port: state.port });
+          if (!isReconnect) tunnelSpinner?.succeed("Tunnel connected");
+          if (state.interactive) displayStatus(state);
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on connect`
+              });
+              if (state.interactive) displayStatus(state);
+            }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
+            logActivity(state, {
+              type: "error",
+              error: `Failed to drain queued messages on connect: ${message}`
+            });
+            if (state.interactive) displayStatus(state);
+          });
+        },
+        onDisconnected: (code, reason) => {
+          state.connected = false;
+          logActivity(state, {
+            type: "info",
+            message: `Tunnel disconnected (code: ${code}, reason: ${reason})`
+          });
+          emitAgentDisconnected(state.agentId, { code, reason });
+          if (state.interactive) displayStatus(state);
+        },
+        onError: (error2) => {
+          logActivity(state, { type: "error", error: error2 });
+          if (state.interactive) displayStatus(state);
+        },
+        // Web traffic is proxied transparently; only note opencode is live.
+        onResponse: () => {
+          state.opencodeConnected = true;
+        },
+        // A channel message was queued and the api-worker pinged us over the
+        // tunnel to drain immediately instead of waiting for the next poll tick.
+        // Best-effort + non-fatal: mirror the on-connect drain block. A failed
+        // drain here is logged and swallowed — the steady-state poll retries, so
+        // a lost/failed ping can never orphan a message (§2 invariant).
+        onDrainPing: () => {
+          if (!state.running) return;
+          logActivity(state, { type: "info", message: "Drain ping received \u2014 draining" });
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on ping`
+              });
+              if (state.interactive) displayStatus(state);
+            }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
+            logActivity(state, {
+              type: "error",
+              error: `Failed to drain queued messages on ping: ${message}`
+            });
+            if (state.interactive) displayStatus(state);
+          });
+        },
+        onInfo: (message) => logActivity(state, { type: "info", message })
+      }
+    });
+    state.connection = connection;
+    try {
+      await connection.connect();
+    } catch (error2) {
+      if (error2.message === "Unauthorized") tunnelSpinner?.fail("Unauthorized");
+      throw error2;
+    }
+    if (!interactive || state.json) {
+      log(state, "Driving channel messages...");
+    }
+    await driveChannels(state, channelDriver);
+    await cleanup(state);
+    if (state.json) {
+      console.log(
+        JSON.stringify({
+          status: "success",
+          messages_processed: state.messageCount
+        })
+      );
+    } else if (!interactive) {
+      log(state, `Completed. Processed ${state.messageCount} message(s).`);
+    }
+    await shutdownTelemetry();
+    process.exit(0);
+  } catch (error2) {
+    await cleanup(state);
+    const message = error2 instanceof Error ? error2.message : String(error2);
+    if (state.json) {
+      console.log(JSON.stringify({ status: "error", error: message }));
+    } else {
+      printError(message);
+    }
+    telemetry.error(EventTypes.CLI_ERROR, `Run command failed: ${message}`, {
+      command: "run",
+      agentId: options.agent
+    });
+    await shutdownTelemetry();
+    process.exit(1);
   }
 }
 
 // src/index.ts
 var program = new Command();
-program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option("-e, --env <environment>", "Environment to use (local, dev, production)", "production").hook("preAction", (thisCommand) => {
-  const env = thisCommand.opts().env;
-  if (env) {
-    setEnvironment(env);
+program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option(
+  "--endpoint <url>",
+  "Evident API base URL (default: production; e.g. http://localhost:3001)"
+).option("--tunnel <url>", "Tunnel WebSocket URL (default: production; e.g. ws://localhost:8787)").hook("preAction", (thisCommand) => {
+  const { endpoint, tunnel } = thisCommand.opts();
+  if (endpoint) {
+    setEndpoint(endpoint);
+  }
+  if (tunnel) {
+    setTunnelUrl(tunnel);
   }
 });
 program.command("login").description("Authenticate with Evident").option("--token", "Use token-based authentication (for CI/CD)").option("--no-browser", "Do not open the browser automatically").action(login);
-program.command("logout").description("Remove stored credentials").action(logout);
+program.command("logout").description("Remove stored credentials for the current endpoint").option("--all", "Remove stored credentials for all endpoints").action((options) => logout({ all: options.all }));
 program.command("whoami").description("Show the currently logged in user").action(whoami);
-program.command("tunnel").description("Establish a tunnel to Evident for Local Mode").requiredOption("-s, --sandbox <id>", "Sandbox ID to connect to (required)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").action((options) => {
-  tunnel({
-    sandbox: options.sandbox,
-    port: parseInt(options.port, 10),
-    verbose: options.verbose
-  });
-});
+program.command("run").description("Connect to Evident and process messages").option("-a, --agent [id]", "Agent ID to connect to (optional when EVIDENT_AGENT_KEY is set)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
+  (options) => {
+    run({
+      agent: options.agent,
+      port: parseInt(options.port, 10),
+      verbose: options.verbose,
+      conversation: options.conversation,
+      idleTimeout: options.idleTimeout ? parseInt(options.idleTimeout, 10) : void 0,
+      json: options.json
+    });
+  }
+);
 program.parse();
 //# sourceMappingURL=index.js.map