@evident-ai/cli 0.2.0 → 0.2.1-dev.042a051

package/dist/index.js

@@ -1,12 +1,4 @@
 #!/usr/bin/env node
-import {
-  clearCredentials,
-  getApiUrlConfig,
-  getCredentials,
-  getTunnelUrlConfig,
-  setCredentials,
-  setEnvironment
-} from "./chunk-MWOWXSOP.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -16,6 +8,88 @@ import open from "open";
 import ora from "ora";
 import chalk2 from "chalk";
 
+// src/lib/config.ts
+import Conf from "conf";
+import { homedir } from "os";
+import { join } from "path";
+var PRODUCTION_API_URL = "https://api.production.evident.run/v1";
+var PRODUCTION_TUNNEL_URL = "wss://tunnel.production.evident.run";
+var defaults = {
+  apiUrl: PRODUCTION_API_URL,
+  tunnelUrl: PRODUCTION_TUNNEL_URL
+};
+var endpointOverride;
+var tunnelOverride;
+function setEndpoint(url) {
+  if (!url) {
+    endpointOverride = void 0;
+    return;
+  }
+  const trimmed = url.replace(/\/+$/, "");
+  endpointOverride = /\/v1$/.test(trimmed) ? trimmed : `${trimmed}/v1`;
+}
+function setTunnelUrl(url) {
+  tunnelOverride = url ? url.replace(/\/+$/, "") : void 0;
+}
+function getApiUrl() {
+  return endpointOverride ?? process.env.EVIDENT_API_URL ?? defaults.apiUrl;
+}
+function getTunnelUrl() {
+  return tunnelOverride ?? process.env.EVIDENT_TUNNEL_URL ?? defaults.tunnelUrl;
+}
+var config = new Conf({
+  projectName: "evident",
+  projectSuffix: "",
+  defaults
+});
+var credentials = new Conf({
+  projectName: "evident",
+  projectSuffix: "",
+  configName: "credentials",
+  defaults: {}
+});
+function getApiUrlConfig() {
+  return getApiUrl();
+}
+function getTunnelUrlConfig() {
+  return getTunnelUrl();
+}
+function credentialsKey() {
+  return getApiUrl();
+}
+function getCredentials() {
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  return byEndpoint[credentialsKey()] ?? {};
+}
+function setCredentials(creds) {
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  byEndpoint[credentialsKey()] = {
+    token: creds.token,
+    user: creds.user,
+    expiresAt: creds.expiresAt
+  };
+  credentials.set("byEndpoint", byEndpoint);
+}
+function clearCredentials() {
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  delete byEndpoint[credentialsKey()];
+  credentials.set("byEndpoint", byEndpoint);
+}
+function clearAllCredentials() {
+  credentials.clear();
+}
+function getCliName() {
+  const argv1 = process.argv[1] || "";
+  const isNpx = process.env.npm_execpath?.includes("npx") || process.env.npm_command === "exec" || argv1.includes("_npx") || argv1.includes(".npm/_cacache");
+  if (isNpx) {
+    return "npx @evident-ai/cli@latest";
+  }
+  if (argv1.includes("tsx") || argv1.includes("ts-node")) {
+    return "pnpm --filter @evident-ai/cli dev:run";
+  }
+  return "evident";
+}
+
 // src/lib/api.ts
 var ApiClient = class {
   baseUrl;
@@ -111,7 +185,6 @@ var api = {
 
 // src/lib/keychain.ts
 var SERVICE_NAME = "evident-cli";
-var ACCOUNT_NAME = "default";
 async function getKeytar() {
   try {
     const keytar = await import("keytar");
@@ -123,27 +196,31 @@ async function getKeytar() {
     return null;
   }
 }
-async function storeToken(credentials) {
+function keychainAccount() {
+  return getApiUrlConfig();
+}
+async function storeToken(credentials2) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, JSON.stringify(credentials));
+    await keytar.setPassword(SERVICE_NAME, keychainAccount(), JSON.stringify(credentials2));
   } else {
     setCredentials({
-      token: credentials.token,
-      user: credentials.user,
-      expiresAt: credentials.expiresAt
+      token: credentials2.token,
+      user: credentials2.user,
+      expiresAt: credentials2.expiresAt
     });
   }
 }
 async function getToken() {
   const keytar = await getKeytar();
   if (keytar) {
-    const stored = await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+    const account = keychainAccount();
+    const stored = await keytar.getPassword(SERVICE_NAME, account);
     if (stored) {
       try {
         return JSON.parse(stored);
       } catch {
-        await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+        await keytar.deletePassword(SERVICE_NAME, account);
         return null;
       }
     }
@@ -158,12 +235,26 @@ async function getToken() {
   }
   return null;
 }
-async function deleteToken() {
+async function deleteToken(options = {}) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+    if (options.all) {
+      const all = await keytar.findCredentials(SERVICE_NAME).catch(() => []);
+      await Promise.all(
+        all.map(
+          (entry) => keytar.deletePassword(SERVICE_NAME, entry.account).catch(() => {
+          })
+        )
+      );
+    } else {
+      await keytar.deletePassword(SERVICE_NAME, keychainAccount());
+    }
+  }
+  if (options.all) {
+    clearAllCredentials();
+  } else {
+    clearCredentials();
   }
-  clearCredentials();
 }
 
 // src/utils/ui.ts
@@ -331,29 +422,36 @@ async function login(options) {
 }
 
 // src/commands/logout.ts
-async function logout() {
-  const credentials = await getToken();
-  if (!credentials) {
-    printWarning("You are not logged in.");
+async function logout(options = {}) {
+  if (options.all) {
+    await deleteToken({ all: true });
+    printSuccess("Logged out of all endpoints.");
+    return;
+  }
+  const credentials2 = await getToken();
+  if (!credentials2) {
+    printWarning(`You are not logged in to ${getApiUrlConfig()}.`);
     return;
   }
   await deleteToken();
-  printSuccess("Logged out successfully.");
+  printSuccess(`Logged out of ${getApiUrlConfig()}.`);
 }
 
 // src/commands/whoami.ts
 import chalk3 from "chalk";
 async function whoami() {
-  const credentials = await getToken();
-  if (!credentials) {
-    printError("Not logged in. Run the `login` command to authenticate.");
+  const apiUrl = getApiUrlConfig();
+  const credentials2 = await getToken();
+  if (!credentials2) {
+    printError(`Not logged in to ${apiUrl}. Run the \`login\` command to authenticate.`);
     process.exit(1);
   }
   blank();
-  console.log(keyValue("User", chalk3.bold(credentials.user.email)));
-  console.log(keyValue("User ID", credentials.user.id));
-  if (credentials.expiresAt) {
-    const expiresAt = new Date(credentials.expiresAt);
+  console.log(keyValue("Endpoint", apiUrl));
+  console.log(keyValue("User", chalk3.bold(credentials2.user.email)));
+  console.log(keyValue("User ID", credentials2.user.id));
+  if (credentials2.expiresAt) {
+    const expiresAt = new Date(credentials2.expiresAt);
     const now = /* @__PURE__ */ new Date();
     if (expiresAt < now) {
       console.log(keyValue("Status", chalk3.red("Token expired")));
@@ -367,12 +465,24 @@ async function whoami() {
   blank();
 }
 
-// src/commands/tunnel.ts
-import WebSocket from "ws";
-import chalk4 from "chalk";
-import ora2 from "ora";
-import { execSync, spawn } from "child_process";
-import { select } from "@inquirer/prompts";
+// src/commands/run.ts
+import chalk6 from "chalk";
+import ora3 from "ora";
+import { select as select3 } from "@inquirer/prompts";
+
+// ../../packages/types/src/telemetry/index.ts
+var TelemetryEventTypes = {
+  // Agent activity events (shown in web UI activity log)
+  AGENT_CONNECTED: "agent.connected",
+  AGENT_DISCONNECTED: "agent.disconnected",
+  AGENT_MESSAGE_PROCESSING: "agent.message_processing",
+  AGENT_MESSAGE_DONE: "agent.message_done",
+  AGENT_MESSAGE_FAILED: "agent.message_failed"
+};
+
+// ../../packages/types/src/tunnel/index.ts
+var MAX_FRAME_BYTES = 256 * 1024;
+var TUNNEL_DRAIN_PING_PATH = "/__evident/drain";
 
 // src/lib/telemetry.ts
 var CLI_VERSION = process.env.npm_package_version || "unknown";
@@ -388,7 +498,7 @@ function logEvent(eventType, options = {}) {
     severity: options.severity || "info",
     message: options.message,
     metadata: options.metadata,
-    sandbox_id: options.sandboxId,
+    agent_id: options.agentId,
     timestamp: (/* @__PURE__ */ new Date()).toISOString()
   };
   eventBuffer.push(event);
@@ -402,10 +512,10 @@ function logEvent(eventType, options = {}) {
   }
 }
 var telemetry = {
-  debug: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "debug", message, metadata, sandboxId }),
-  info: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "info", message, metadata, sandboxId }),
-  warn: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "warning", message, metadata, sandboxId }),
-  error: (eventType, message, metadata, sandboxId) => logEvent(eventType, { severity: "error", message, metadata, sandboxId })
+  debug: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "debug", message, metadata, agentId }),
+  info: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "info", message, metadata, agentId }),
+  warn: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "warning", message, metadata, agentId }),
+  error: (eventType, message, metadata, agentId) => logEvent(eventType, { severity: "error", message, metadata, agentId })
 };
 async function flushEvents() {
   if (eventBuffer.length === 0) return;
@@ -416,25 +526,26 @@ async function flushEvents() {
     flushTimeout = null;
   }
   try {
-    const credentials = await getToken();
-    if (!credentials) {
+    const credentials2 = await getToken();
+    if (!credentials2) {
       return;
     }
     const apiUrl = getApiUrlConfig();
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), FLUSH_TIMEOUT_MS);
     try {
+      const request = {
+        events,
+        client_type: "cli",
+        client_version: CLI_VERSION
+      };
       const response = await fetch(`${apiUrl}/telemetry/events`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          Authorization: `Bearer ${credentials.token}`
+          Authorization: `Bearer ${credentials2.token}`
         },
-        body: JSON.stringify({
-          events,
-          client_type: "cli",
-          client_version: CLI_VERSION
-        }),
+        body: JSON.stringify(request),
         signal: controller.signal
       });
       if (!response.ok) {
@@ -457,6 +568,32 @@ async function shutdownTelemetry() {
   }
   await flushEvents();
 }
+function emitEvent(event) {
+  logEvent(event.event_type, {
+    severity: event.severity,
+    message: event.message,
+    metadata: event.metadata,
+    agentId: event.agent_id
+  });
+}
+function emitAgentConnected(agentId, metadata) {
+  emitEvent({
+    event_type: TelemetryEventTypes.AGENT_CONNECTED,
+    severity: "info",
+    message: "Agent CLI connected",
+    metadata,
+    agent_id: agentId
+  });
+}
+function emitAgentDisconnected(agentId, metadata) {
+  emitEvent({
+    event_type: TelemetryEventTypes.AGENT_DISCONNECTED,
+    severity: "info",
+    message: `Agent CLI disconnected (code: ${metadata.code})`,
+    metadata,
+    agent_id: agentId
+  });
+}
 var EventTypes = {
   // Tunnel lifecycle
   TUNNEL_STARTING: "tunnel.starting",
@@ -484,12 +621,71 @@ var EventTypes = {
   CLI_ERROR: "cli.error"
 };
 
-// src/commands/tunnel.ts
-var MAX_RECONNECT_DELAY = 3e4;
-var BASE_RECONNECT_DELAY = 500;
-var MAX_ACTIVITY_LOG_ENTRIES = 10;
-var CHUNK_THRESHOLD = 512 * 1024;
-var CHUNK_SIZE = 768 * 1024;
+// src/lib/auth.ts
+async function getAuthCredentials() {
+  const agentKey = process.env.EVIDENT_AGENT_KEY;
+  if (agentKey) {
+    return { token: agentKey, authType: "agent_key" };
+  }
+  const userToken = process.env.EVIDENT_TOKEN;
+  if (userToken) {
+    return { token: userToken, authType: "bearer" };
+  }
+  const keychainCreds = await getToken();
+  if (keychainCreds) {
+    return {
+      token: keychainCreds.token,
+      authType: "bearer",
+      user: keychainCreds.user
+    };
+  }
+  return null;
+}
+function getAuthHeader(credentials2) {
+  if (credentials2.authType === "agent_key") {
+    return `SandboxKey ${credentials2.token}`;
+  }
+  return `Bearer ${credentials2.token}`;
+}
+function isInteractive(jsonOutput) {
+  if (jsonOutput) return false;
+  if (process.env.CI) return false;
+  if (process.env.GITHUB_ACTIONS) return false;
+  if (!process.stdin.isTTY) return false;
+  return true;
+}
+
+// src/lib/opencode/health.ts
+async function checkOpenCodeHealth(port) {
+  try {
+    const response = await fetch(`http://127.0.0.1:${port}/global/health`, {
+      signal: AbortSignal.timeout(2e3)
+      // 2 second timeout
+    });
+    if (!response.ok) {
+      return { healthy: false, error: `HTTP ${response.status}` };
+    }
+    const data = await response.json().catch(() => ({}));
+    return { healthy: true, version: data.version };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { healthy: false, error: message };
+  }
+}
+async function waitForOpenCodeHealth(port, timeoutMs = 3e4) {
+  const startTime = Date.now();
+  while (Date.now() - startTime < timeoutMs) {
+    const health = await checkOpenCodeHealth(port);
+    if (health.healthy) {
+      return health;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 1e3));
+  }
+  return { healthy: false, error: "Timeout waiting for OpenCode to be healthy" };
+}
+
+// src/lib/opencode/process.ts
+import { execSync, spawn } from "child_process";
 var OPENCODE_PORT_RANGE = [4096, 4097, 4098, 4099, 4100];
 function getProcessCwd(pid) {
   const platform = process.platform;
@@ -624,22 +820,6 @@ async function scanPortsForOpenCode() {
   }
   return instances;
 }
-async function checkOpenCodeHealth(port) {
-  try {
-    const response = await fetch(`http://localhost:${port}/health`, {
-      signal: AbortSignal.timeout(2e3)
-      // 2 second timeout
-    });
-    if (!response.ok) {
-      return { healthy: false, error: `HTTP ${response.status}` };
-    }
-    const data = await response.json().catch(() => ({}));
-    return { healthy: true, version: data.version };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { healthy: false, error: message };
-  }
-}
 async function findHealthyOpenCodeInstances() {
   const processes = findOpenCodeProcesses();
   const healthy = [];
@@ -655,948 +835,1848 @@ async function findHealthyOpenCodeInstances() {
   }
   return healthy;
 }
-function logActivity(state, entry) {
-  const fullEntry = {
-    ...entry,
-    timestamp: /* @__PURE__ */ new Date()
-  };
-  state.activityLog.push(fullEntry);
-  if (state.activityLog.length > MAX_ACTIVITY_LOG_ENTRIES) {
-    state.activityLog.shift();
+async function startOpenCode(port) {
+  let command = "opencode";
+  let args = ["serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
+  try {
+    execSync("which opencode", { stdio: "ignore" });
+  } catch {
+    command = "npx";
+    args = ["opencode", "serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
   }
-  state.lastActivity = fullEntry.timestamp;
-}
-function formatActivityEntry(entry, _verbose) {
-  const time = entry.timestamp.toLocaleTimeString("en-US", {
-    hour12: false,
-    hour: "2-digit",
-    minute: "2-digit",
-    second: "2-digit"
+  const child = spawn(command, args, {
+    detached: true,
+    stdio: "ignore",
+    cwd: process.cwd()
   });
-  switch (entry.type) {
-    case "request": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      const status = entry.status ? ` \u2192 ${colorizeStatus(entry.status)}` : " ...";
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.cyan("\u2190")} ${entry.method} ${entry.path}${status}${duration}`;
-    }
-    case "response": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.green("\u2192")} ${entry.method} ${entry.path} ${colorizeStatus(entry.status)}${duration}`;
-    }
-    case "error": {
-      const errorMsg = entry.error || "Unknown error";
-      const path = entry.path ? ` ${entry.method} ${entry.path}` : "";
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.red("\u2717")}${path} - ${chalk4.red(errorMsg)}`;
-    }
-    case "info": {
-      return `  ${chalk4.dim(`[${time}]`)} ${chalk4.blue("\u25CF")} ${entry.message}`;
-    }
-    default:
-      return `  ${chalk4.dim(`[${time}]`)} ${entry.message || "Unknown"}`;
-  }
-}
-function colorizeStatus(status) {
-  if (status >= 200 && status < 300) {
-    return chalk4.green(status.toString());
-  } else if (status >= 300 && status < 400) {
-    return chalk4.yellow(status.toString());
-  } else if (status >= 400 && status < 500) {
-    return chalk4.red(status.toString());
-  } else if (status >= 500) {
-    return chalk4.bgRed.white(` ${status} `);
-  }
-  return status.toString();
-}
-var ANSI = {
-  saveCursor: "\x1B[s",
-  restoreCursor: "\x1B[u",
-  clearToEnd: "\x1B[J",
-  moveTo: (row) => `\x1B[${row};1H`,
-  moveUp: (n) => `\x1B[${n}A`
-};
-var STATUS_DISPLAY_HEIGHT = 20;
-function displayStatus(state) {
-  const lines = [];
-  lines.push(chalk4.bold("Evident Tunnel"));
-  lines.push(chalk4.dim("\u2500".repeat(60)));
-  lines.push("");
-  if (state.sandboxName) {
-    lines.push(`  Sandbox:    ${state.sandboxName}`);
-  }
-  lines.push(`  ID:         ${state.sandboxId ?? "Unknown"}`);
-  lines.push("");
-  if (state.connected) {
-    lines.push(`  ${chalk4.green("\u25CF")} Tunnel:    ${chalk4.green("Connected to Evident")}`);
-  } else {
-    if (state.reconnectAttempt > 0) {
-      lines.push(
-        `  ${chalk4.yellow("\u25CB")} Tunnel:    ${chalk4.yellow(`Reconnecting... (attempt ${state.reconnectAttempt})`)}`
-      );
-    } else {
-      lines.push(`  ${chalk4.yellow("\u25CB")} Tunnel:    ${chalk4.yellow("Connecting...")}`);
-    }
-  }
-  if (state.opencodeConnected) {
-    const version = state.opencodeVersion ? ` (v${state.opencodeVersion})` : "";
-    lines.push(`  ${chalk4.green("\u25CF")} OpenCode:  ${chalk4.green(`Running${version}`)}`);
-  } else {
-    lines.push(`  ${chalk4.red("\u25CB")} OpenCode:  ${chalk4.red("Not connected")}`);
-  }
-  lines.push("");
-  if (state.activityLog.length > 0) {
-    lines.push(chalk4.bold("  Activity:"));
-    for (const entry of state.activityLog) {
-      lines.push(formatActivityEntry(entry, state.verbose));
-    }
-  } else {
-    lines.push(chalk4.dim("  No activity yet. Waiting for requests..."));
-  }
-  lines.push("");
-  lines.push(chalk4.dim("\u2500".repeat(60)));
-  if (state.verbose) {
-    lines.push(chalk4.dim("  Verbose mode: ON (request/response bodies will be logged)"));
-  }
-  lines.push(chalk4.dim("  Press Ctrl+C to disconnect"));
-  while (lines.length < STATUS_DISPLAY_HEIGHT) {
-    lines.push("");
-  }
-  if (!state.displayInitialized) {
-    console.log("");
-    console.log(chalk4.dim("\u2550".repeat(60)));
-    console.log("");
-    for (const line of lines) {
-      console.log(line);
-    }
-    state.displayInitialized = true;
-  } else {
-    process.stdout.write(ANSI.moveUp(STATUS_DISPLAY_HEIGHT + 3));
-    console.log(chalk4.dim("\u2550".repeat(60)));
-    console.log("");
-    for (const line of lines) {
-      process.stdout.write("\x1B[2K");
-      console.log(line);
-    }
-  }
+  return child;
 }
-function displayError(_state, error2, details) {
-  blank();
-  console.log(chalk4.bgRed.white.bold(" ERROR "));
-  console.log(chalk4.red(`  ${error2}`));
-  if (details) {
-    console.log(chalk4.dim(`  ${details}`));
+function stopOpenCode(opencodeProcess) {
+  if (!opencodeProcess || !opencodeProcess.pid) {
+    return;
   }
-  blank();
-}
-async function validateSandbox(token, sandboxId) {
-  const apiUrl = getApiUrlConfig();
   try {
-    const response = await fetch(`${apiUrl}/sandboxes/${sandboxId}`, {
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
-    });
-    if (response.status === 404) {
-      return { valid: false, error: "Sandbox not found" };
-    }
-    if (response.status === 401) {
-      return { valid: false, error: "Authentication failed. Please run `evident login` again." };
-    }
-    if (!response.ok) {
-      return { valid: false, error: `API error: ${response.status}` };
-    }
-    const sandbox = await response.json();
-    if (sandbox.sandbox_type !== "remote") {
-      return {
-        valid: false,
-        error: `Sandbox is type '${sandbox.sandbox_type}', must be 'remote' for tunnel connection`
-      };
+    if (process.platform === "win32") {
+      opencodeProcess.kill("SIGTERM");
+    } else {
+      process.kill(-opencodeProcess.pid, "SIGTERM");
     }
-    return { valid: true, name: sandbox.name };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { valid: false, error: `Failed to validate sandbox: ${message}` };
+  } catch {
   }
 }
-async function forwardToOpenCode(port, request, requestId, state) {
-  const url = `http://localhost:${port}${request.path}`;
-  const startTime = Date.now();
-  state.pendingRequests.set(requestId, {
-    startTime,
-    method: request.method,
-    path: request.path
-  });
-  logActivity(state, {
-    type: "request",
-    method: request.method,
-    path: request.path,
-    requestId
-  });
-  displayStatus(state);
-  if (state.verbose && request.body) {
-    console.log(chalk4.dim(`  Request body: ${JSON.stringify(request.body, null, 2)}`));
-  }
-  telemetry.debug(
-    EventTypes.OPENCODE_REQUEST_FORWARDED,
-    `Forwarding ${request.method} ${request.path}`,
-    {
-      method: request.method,
-      path: request.path,
-      port,
-      requestId
-    },
-    state.sandboxId ?? void 0
-  );
+
+// src/lib/opencode/install.ts
+import { execSync as execSync2 } from "child_process";
+import chalk4 from "chalk";
+import { select } from "@inquirer/prompts";
+var OPENCODE_INSTALL_URL = "https://opencode.ai";
+function isOpenCodeInstalled() {
   try {
-    const response = await fetch(url, {
-      method: request.method,
-      headers: {
-        "Content-Type": "application/json",
-        ...request.headers
-      },
-      body: request.body ? JSON.stringify(request.body) : void 0
-    });
-    let body;
-    const contentType = response.headers.get("Content-Type");
-    const text = await response.text();
-    if (!text || text.length === 0) {
-      body = null;
-    } else if (contentType?.includes("application/json")) {
-      try {
-        body = JSON.parse(text);
-      } catch {
-        body = text;
-      }
-    } else {
-      body = text;
-    }
-    const durationMs = Date.now() - startTime;
-    state.pendingRequests.delete(requestId);
-    if (!state.opencodeConnected) {
-      state.opencodeConnected = true;
-    }
-    const lastEntry = state.activityLog[state.activityLog.length - 1];
-    if (lastEntry && lastEntry.requestId === requestId) {
-      lastEntry.type = "response";
-      lastEntry.status = response.status;
-      lastEntry.durationMs = durationMs;
+    const platform = process.platform;
+    if (platform === "win32") {
+      execSync2("where opencode", { stdio: "ignore" });
     } else {
-      logActivity(state, {
-        type: "response",
-        method: request.method,
-        path: request.path,
-        status: response.status,
-        durationMs,
-        requestId
-      });
+      execSync2("which opencode", { stdio: "ignore" });
     }
-    displayStatus(state);
-    if (state.verbose && body) {
-      const bodyStr = typeof body === "string" ? body : JSON.stringify(body, null, 2);
-      const truncated = bodyStr.length > 500 ? bodyStr.substring(0, 500) + "..." : bodyStr;
-      console.log(chalk4.dim(`  Response body: ${truncated}`));
-    }
-    telemetry.debug(
-      EventTypes.OPENCODE_RESPONSE_SENT,
-      `Response ${response.status}`,
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function promptOpenCodeInstall(interactive) {
+  if (!interactive) {
+    console.log(
+      JSON.stringify({
+        status: "error",
+        error: "OpenCode is not installed",
+        install_url: OPENCODE_INSTALL_URL,
+        install_commands: {
+          npm: "npm install -g opencode-ai",
+          curl: "curl -fsSL https://opencode.ai/install.sh | sh"
+        }
+      })
+    );
+    return "exit";
+  }
+  blank();
+  console.log(chalk4.yellow("OpenCode is not installed on your system."));
+  blank();
+  console.log(chalk4.dim("OpenCode is an AI coding agent that runs locally on your machine."));
+  console.log(chalk4.dim(`Learn more at: ${chalk4.cyan(OPENCODE_INSTALL_URL)}`));
+  blank();
+  const action = await select({
+    message: "How would you like to proceed?",
+    choices: [
       {
-        status: response.status,
-        path: request.path,
-        durationMs,
-        requestId
+        name: "Show installation instructions",
+        value: "instructions",
+        description: "Display commands to install OpenCode"
       },
-      state.sandboxId ?? void 0
-    );
-    return {
-      status: response.status,
-      body
-    };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    const durationMs = Date.now() - startTime;
-    state.pendingRequests.delete(requestId);
-    state.opencodeConnected = false;
-    logActivity(state, {
-      type: "error",
-      method: request.method,
-      path: request.path,
-      error: `OpenCode unreachable: ${message}`,
-      durationMs,
-      requestId
-    });
-    displayStatus(state);
-    telemetry.error(
-      EventTypes.OPENCODE_UNREACHABLE,
-      `Failed to connect to OpenCode: ${message}`,
       {
-        port,
-        path: request.path,
-        error: message,
-        requestId
+        name: "Continue without OpenCode",
+        value: "continue",
+        description: "Connect anyway (requests will fail until OpenCode is installed)"
       },
-      state.sandboxId ?? void 0
-    );
-    return {
-      status: 502,
-      body: { error: "Failed to connect to OpenCode", message }
-    };
-  }
-}
-async function subscribeToOpenCodeEvents(port, subscriptionId, ws, state) {
-  const url = `http://localhost:${port}/event`;
-  logActivity(state, {
-    type: "info",
-    message: `Starting event subscription ${subscriptionId.slice(0, 8)}`
-  });
-  displayStatus(state);
-  const abortController = new AbortController();
-  state.activeEventSubscriptions.set(subscriptionId, abortController);
-  try {
-    const response = await fetch(url, {
-      headers: { Accept: "text/event-stream" },
-      signal: abortController.signal
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to connect to OpenCode events: ${response.status}`);
-    }
-    if (!response.body) {
-      throw new Error("No response body");
-    }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) {
-        ws.send(JSON.stringify({ type: "event_end", id: subscriptionId }));
-        break;
+      {
+        name: "Exit",
+        value: "exit",
+        description: "Exit and install OpenCode manually"
       }
-      buffer += decoder.decode(value, { stream: true });
-      const lines = buffer.split("\n");
-      buffer = lines.pop() || "";
-      for (const line of lines) {
-        if (line.startsWith("data: ")) {
-          try {
-            const event = JSON.parse(line.slice(6));
-            ws.send(JSON.stringify({ type: "event", id: subscriptionId, event }));
-          } catch {
-          }
+    ]
+  });
+  if (action === "instructions") {
+    blank();
+    console.log(chalk4.bold("Install OpenCode using one of these methods:"));
+    blank();
+    console.log(chalk4.dim("  # Option 1: Install via npm (recommended)"));
+    console.log(`  ${chalk4.cyan("npm install -g opencode-ai")}`);
+    blank();
+    console.log(chalk4.dim("  # Option 2: Install via curl"));
+    console.log(`  ${chalk4.cyan("curl -fsSL https://opencode.ai/install.sh | sh")}`);
+    blank();
+    console.log(chalk4.dim(`For more options, visit: ${chalk4.cyan(OPENCODE_INSTALL_URL)}`));
+    blank();
+    const afterInstall = await select({
+      message: "After installing, what would you like to do?",
+      choices: [
+        {
+          name: "I installed it - continue",
+          value: "continue",
+          description: "Proceed with the run command"
+        },
+        {
+          name: "Exit",
+          value: "exit",
+          description: "Exit now and run the command again later"
         }
+      ]
+    });
+    if (afterInstall === "continue") {
+      if (isOpenCodeInstalled()) {
+        console.log(chalk4.green("\n\u2713 OpenCode detected!"));
+        return "installed";
+      } else {
+        console.log(chalk4.yellow("\nOpenCode still not detected in PATH."));
+        console.log(chalk4.dim("You may need to restart your terminal or add it to your PATH."));
+        const proceed = await select({
+          message: "Continue anyway?",
+          choices: [
+            { name: "Yes, continue", value: "continue" },
+            { name: "No, exit", value: "exit" }
+          ]
+        });
+        return proceed === "continue" ? "continue" : "exit";
       }
     }
-  } catch (error2) {
-    if (abortController.signal.aborted) {
-      return;
-    }
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    logActivity(state, {
-      type: "error",
-      error: `Event subscription failed: ${message}`
-    });
-    displayStatus(state);
-    ws.send(JSON.stringify({ type: "event_error", id: subscriptionId, error: message }));
-  } finally {
-    state.activeEventSubscriptions.delete(subscriptionId);
+    return "exit";
   }
+  return action;
 }
-function cancelEventSubscription(subscriptionId, state) {
-  const controller = state.activeEventSubscriptions.get(subscriptionId);
-  if (controller) {
-    controller.abort();
-    state.activeEventSubscriptions.delete(subscriptionId);
-  }
+
+// src/lib/opencode/session.ts
+function opencodeBase(port) {
+  return `http://127.0.0.1:${port}`;
 }
-function sendResponse(ws, requestId, response) {
-  const bodyStr = JSON.stringify(response.body ?? null);
-  const bodyBytes = Buffer.from(bodyStr, "utf-8");
-  if (bodyBytes.length < CHUNK_THRESHOLD) {
-    ws.send(
-      JSON.stringify({
-        type: "response",
-        id: requestId,
-        payload: response
-      })
-    );
-    return;
-  }
-  sendResponseAsChunks(ws, requestId, response, bodyBytes);
-}
-function sendResponseAsChunks(ws, requestId, response, bodyBytes) {
-  const chunks = splitIntoChunks(bodyBytes, CHUNK_SIZE);
-  ws.send(
-    JSON.stringify({
-      type: "response_start",
-      id: requestId,
-      total_chunks: chunks.length,
-      total_size: bodyBytes.length,
-      payload: {
-        status: response.status,
-        headers: response.headers
-      }
-    })
-  );
-  for (let i = 0; i < chunks.length; i++) {
-    ws.send(
-      JSON.stringify({
-        type: "response_chunk",
-        id: requestId,
-        chunk_index: i,
-        data: chunks[i].toString("base64")
-      })
-    );
+async function getOpenCodeDirectory(port) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/path`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    const dir = typeof body.directory === "string" && body.directory || typeof body.worktree === "string" && body.worktree || typeof body.path?.cwd === "string" && body.path.cwd || typeof body.path?.directory === "string" && body.path.directory || null;
+    return dir && dir.trim() ? dir.trim() : null;
+  } catch {
+    return null;
   }
-  ws.send(
-    JSON.stringify({
-      type: "response_end",
-      id: requestId
-    })
-  );
 }
-function splitIntoChunks(data, chunkSize) {
-  const chunks = [];
-  for (let i = 0; i < data.length; i += chunkSize) {
-    chunks.push(data.subarray(i, i + chunkSize));
+function roleOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  if (typeof m.role === "string") return m.role;
+  const infoRole = m.info?.role;
+  return typeof infoRole === "string" ? infoRole : void 0;
+}
+function completedOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  return m.info?.time?.completed;
+}
+async function getSessionMessages(port, sessionId) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    return Array.isArray(body) ? body : null;
+  } catch {
+    return null;
   }
-  return chunks;
 }
-function getReconnectDelay(attempt) {
-  const exponentialDelay = BASE_RECONNECT_DELAY * Math.pow(2, attempt);
-  const jitter = Math.random() * 1e3;
-  return Math.min(exponentialDelay + jitter, MAX_RECONNECT_DELAY);
+function isTurnComplete(messages) {
+  if (!messages || messages.length === 0) return false;
+  const last = messages[messages.length - 1];
+  if (roleOf(last) !== "assistant") return false;
+  return completedOf(last) != null;
 }
-async function connect(token, sandboxId, port, state) {
-  const tunnelUrl = getTunnelUrlConfig();
-  const url = `${tunnelUrl}/tunnel/${sandboxId}/connect`;
-  logActivity(state, {
-    type: "info",
-    message: "Connecting to tunnel relay..."
+async function createOpenCodeSession(port, directory) {
+  const url = new URL(`${opencodeBase(port)}/session`);
+  if (directory && directory.trim()) {
+    url.searchParams.set("directory", directory.trim());
+  }
+  const response = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({})
   });
-  displayStatus(state);
-  telemetry.info(
-    EventTypes.TUNNEL_STARTING,
-    `Connecting to ${url}`,
-    {
-      sandboxId,
-      port,
-      tunnelUrl
-    },
-    sandboxId
-  );
-  return new Promise((resolve, reject) => {
-    const ws = new WebSocket(url, {
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
-    });
-    ws.on("open", () => {
-      state.connected = true;
-      state.reconnectAttempt = 0;
-      logActivity(state, {
-        type: "info",
-        message: "WebSocket connection established"
-      });
-      displayStatus(state);
-    });
-    ws.on("message", async (data) => {
-      try {
-        const message = JSON.parse(data.toString());
-        switch (message.type) {
-          case "connected":
-            state.sandboxId = message.sandbox_id ?? sandboxId;
-            logActivity(state, {
-              type: "info",
-              message: `Tunnel connected (sandbox: ${state.sandboxId})`
-            });
-            telemetry.info(
-              EventTypes.TUNNEL_CONNECTED,
-              `Tunnel connected`,
-              {
-                sandboxId: message.sandbox_id
-              },
-              message.sandbox_id
-            );
-            displayStatus(state);
-            break;
-          case "error":
-            logActivity(state, {
-              type: "error",
-              error: message.message || "Unknown tunnel error"
-            });
-            telemetry.error(
-              EventTypes.TUNNEL_ERROR,
-              `Tunnel error: ${message.message}`,
-              {
-                code: message.code,
-                message: message.message
-              },
-              state.sandboxId ?? void 0
-            );
-            displayStatus(state);
-            if (message.code === "unauthorized") {
-              ws.close();
-              reject(new Error("Unauthorized"));
-            }
-            break;
-          case "ping":
-            ws.send(JSON.stringify({ type: "pong" }));
-            break;
-          case "request":
-            if (message.id && message.payload) {
-              telemetry.debug(
-                EventTypes.OPENCODE_REQUEST_RECEIVED,
-                `Request: ${message.payload.method} ${message.payload.path}`,
-                {
-                  requestId: message.id,
-                  method: message.payload.method,
-                  path: message.payload.path
-                },
-                state.sandboxId ?? void 0
-              );
-              const response = await forwardToOpenCode(port, message.payload, message.id, state);
-              sendResponse(ws, message.id, response);
-            }
-            break;
-          case "subscribe_events":
-            if (message.id) {
-              void subscribeToOpenCodeEvents(port, message.id, ws, state);
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new Error(`Failed to create session: HTTP ${response.status}${text ? `: ${text}` : ""}`);
+  }
+  const data = await response.json();
+  return data.id;
+}
+async function sendMessageToOpenCode(port, sessionId, content, options, hooks, maxWaitMs = 10 * 60 * 1e3) {
+  const body = {
+    parts: [{ type: "text", text: content }]
+  };
+  if (options?.agent) {
+    body.agent = options.agent;
+  }
+  if (options?.model) {
+    const slashIndex = options.model.indexOf("/");
+    if (slashIndex !== -1) {
+      body.model = {
+        providerID: options.model.substring(0, slashIndex),
+        modelID: options.model.substring(slashIndex + 1)
+      };
+    }
+  }
+  let pollDone = false;
+  const reportedQuestions = /* @__PURE__ */ new Set();
+  const reportedPermissions = /* @__PURE__ */ new Set();
+  const pollInteractive = async () => {
+    while (!pollDone) {
+      await new Promise((resolve) => setTimeout(resolve, 1e3));
+      if (pollDone) break;
+      if (hooks?.onQuestion) {
+        try {
+          const res = await fetch(`${opencodeBase(port)}/question`);
+          if (res.ok) {
+            const questions = await res.json();
+            for (const q of questions) {
+              if (q.sessionID === sessionId && !reportedQuestions.has(q.id)) {
+                reportedQuestions.add(q.id);
+                await hooks.onQuestion(q);
+              }
             }
-            break;
-          case "unsubscribe_events":
-            if (message.id) {
-              cancelEventSubscription(message.id, state);
+          }
+        } catch {
+        }
+      }
+      if (hooks?.onPermission) {
+        try {
+          const res = await fetch(`${opencodeBase(port)}/permission`);
+          if (res.ok) {
+            const permissions = await res.json();
+            for (const p of permissions) {
+              if (p.sessionID === sessionId && !reportedPermissions.has(p.id)) {
+                reportedPermissions.add(p.id);
+                await hooks.onPermission(p);
+              }
             }
-            break;
+          }
+        } catch {
+        }
+      }
+    }
+  };
+  const sendMessage = async () => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), maxWaitMs);
+    try {
+      const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      if (!res.ok) {
+        const text = await res.text().catch(() => "");
+        throw new Error(`OpenCode message failed: HTTP ${res.status}${text ? `: ${text}` : ""}`);
+      }
+      const sessionRes = await fetch(`${opencodeBase(port)}/session/${sessionId}`).catch(
+        () => null
+      );
+      const session = sessionRes?.ok ? await sessionRes.json() : null;
+      const reportedInteraction = reportedQuestions.size > 0 || reportedPermissions.size > 0;
+      const turnComplete = isTurnComplete(await getSessionMessages(port, sessionId));
+      const awaitingInteraction = reportedInteraction && !turnComplete;
+      return { title: session?.title, awaitingInteraction };
+    } catch (err) {
+      if (err instanceof Error && err.name === "AbortError") {
+        throw new Error("Message processing timed out");
+      }
+      throw err;
+    } finally {
+      clearTimeout(timer);
+      pollDone = true;
+    }
+  };
+  const [result] = await Promise.all([sendMessage(), pollInteractive()]);
+  return result;
+}
+
+// src/lib/tunnel/connection.ts
+import WebSocket2 from "ws";
+
+// src/lib/tunnel/forwarding.ts
+import WebSocket from "ws";
+var LOOPBACK_HOST = "127.0.0.1";
+var STRIP_REQ = /* @__PURE__ */ new Set([
+  "host",
+  "connection",
+  "keep-alive",
+  "proxy-authorization",
+  "transfer-encoding",
+  "upgrade",
+  "content-length"
+]);
+var STRIP_RES = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "transfer-encoding",
+  "content-encoding",
+  "content-length"
+]);
+var StreamForwarder = class {
+  constructor(ws, port, callbacks = {}) {
+    this.ws = ws;
+    this.port = port;
+    this.callbacks = callbacks;
+  }
+  inflight = /* @__PURE__ */ new Map();
+  /**
+   * Handle an edge→agent frame. Unknown frame types are ignored.
+   */
+  handleFrame(frame) {
+    switch (frame.type) {
+      case "open":
+        this.callbacks.onOpen?.(frame.sid, frame.method, frame.path);
+        void this.handleOpen(frame);
+        break;
+      case "req_data":
+        this.inflight.get(frame.sid)?.pushBody?.(Buffer.from(frame.b64, "base64"));
+        break;
+      case "req_end":
+        this.inflight.get(frame.sid)?.endBody?.();
+        break;
+      case "abort":
+        this.inflight.get(frame.sid)?.abort?.();
+        break;
+    }
+  }
+  /**
+   * Abort every in-flight stream (e.g. on WebSocket close).
+   */
+  abortAll() {
+    for (const stream of this.inflight.values()) {
+      try {
+        stream.abort();
+      } catch {
+      }
+    }
+    this.inflight.clear();
+  }
+  send(frame) {
+    if (this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(frame));
+    }
+  }
+  async handleOpen(frame) {
+    const { sid, method, path, headers, has_body } = frame;
+    if (path === TUNNEL_DRAIN_PING_PATH) {
+      this.callbacks.onDrainPing?.();
+      this.send({ type: "head", sid, status: 204, headers: {} });
+      this.send({ type: "res_end", sid });
+      return;
+    }
+    const ac = new AbortController();
+    let bodyPromise;
+    let pushBody;
+    let endBody;
+    if (has_body) {
+      const chunks = [];
+      bodyPromise = new Promise((resolve) => {
+        pushBody = (buf) => {
+          chunks.push(buf);
+        };
+        endBody = () => {
+          resolve(Buffer.concat(chunks));
+        };
+      });
+    }
+    const fwdHeaders = {};
+    for (const [k, v] of Object.entries(headers ?? {})) {
+      if (!STRIP_REQ.has(k.toLowerCase())) fwdHeaders[k] = v;
+    }
+    this.inflight.set(sid, { pushBody, endBody, abort: () => ac.abort() });
+    const body = bodyPromise ? await bodyPromise : void 0;
+    if (ac.signal.aborted) {
+      this.inflight.delete(sid);
+      return;
+    }
+    let upstream;
+    try {
+      upstream = await fetch(`http://${LOOPBACK_HOST}:${this.port}${path}`, {
+        method,
+        headers: fwdHeaders,
+        body,
+        redirect: "manual",
+        signal: ac.signal
+      });
+    } catch (err) {
+      this.inflight.delete(sid);
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: `upstream fetch failed: ${String(err)}` });
+      }
+      return;
+    }
+    const resHeaders = {};
+    upstream.headers.forEach((value, key) => {
+      if (!STRIP_RES.has(key.toLowerCase())) resHeaders[key] = value;
+    });
+    this.send({ type: "head", sid, status: upstream.status, headers: resHeaders });
+    this.callbacks.onHead?.(sid, upstream.status);
+    try {
+      if (upstream.body) {
+        const reader = upstream.body.getReader();
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          const chunk = Buffer.from(value);
+          for (let i = 0; i < chunk.length; i += MAX_FRAME_BYTES) {
+            const slice = chunk.subarray(i, i + MAX_FRAME_BYTES);
+            this.send({ type: "res_data", sid, b64: slice.toString("base64") });
+          }
         }
+      }
+      this.send({ type: "res_end", sid });
+    } catch (err) {
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: String(err) });
+      }
+    } finally {
+      this.inflight.delete(sid);
+    }
+  }
+};
+
+// src/lib/tunnel/connection.ts
+var MAX_RECONNECT_DELAY = 3e4;
+var BASE_RECONNECT_DELAY = 500;
+function getReconnectDelay(attempt) {
+  const exponentialDelay = BASE_RECONNECT_DELAY * Math.pow(2, attempt);
+  const jitter = Math.random() * 1e3;
+  return Math.min(exponentialDelay + jitter, MAX_RECONNECT_DELAY);
+}
+function describeSocketError(error2, url) {
+  const code = error2.code;
+  switch (code) {
+    case "ECONNREFUSED":
+      return `connection refused at ${url} \u2014 is the tunnel relay running? (ECONNREFUSED)`;
+    case "ENOTFOUND":
+      return `host not found for ${url} \u2014 check the tunnel URL (ENOTFOUND)`;
+    case "ETIMEDOUT":
+      return `connection timed out to ${url} (ETIMEDOUT)`;
+    case "ECONNRESET":
+      return `connection reset by ${url} (ECONNRESET)`;
+    default: {
+      const base = error2.message?.trim();
+      const suffix = code ? ` (${code})` : "";
+      return `${base && base.length > 0 ? base : "socket error"}${suffix} connecting to ${url}`;
+    }
+  }
+}
+var STREAM_FRAME_TYPES = /* @__PURE__ */ new Set([
+  "open",
+  "req_data",
+  "req_end",
+  "abort"
+]);
+function isStreamFrame(message) {
+  return STREAM_FRAME_TYPES.has(message.type);
+}
+function connectTunnel(options) {
+  const {
+    agentId,
+    authHeader,
+    port,
+    onConnected,
+    onDisconnected,
+    onError,
+    onRequest,
+    onResponse,
+    onInfo,
+    onDrainPing
+  } = options;
+  const tunnelUrl = getTunnelUrlConfig();
+  const url = `${tunnelUrl}/tunnel/${agentId}/connect`;
+  return new Promise((resolve, reject) => {
+    const ws = new WebSocket2(url, {
+      headers: {
+        Authorization: authHeader
+      }
+    });
+    const streamStartTimes = /* @__PURE__ */ new Map();
+    const forwarder = new StreamForwarder(ws, port, {
+      onOpen: (sid, method, path) => {
+        if (path === TUNNEL_DRAIN_PING_PATH) return;
+        streamStartTimes.set(sid, Date.now());
+        onRequest?.(method, path, sid);
+      },
+      onHead: (sid, status) => {
+        const startedAt = streamStartTimes.get(sid);
+        streamStartTimes.delete(sid);
+        onResponse?.(status, startedAt ? Date.now() - startedAt : 0, sid);
+      },
+      onDrainPing: () => onDrainPing?.()
+    });
+    const connectionTimeout = setTimeout(() => {
+      ws.close();
+      reject(new Error("Connection timeout"));
+    }, 3e4);
+    let upgradeRejection = null;
+    ws.on("unexpected-response", (_req, res) => {
+      clearTimeout(connectionTimeout);
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => {
+        const bodyRaw = Buffer.concat(chunks).toString("utf8").trim();
+        let detail = bodyRaw;
+        try {
+          const parsed = JSON.parse(bodyRaw);
+          detail = parsed.error ?? parsed.message ?? bodyRaw;
+          if (parsed.details) detail += ` (${parsed.details})`;
+        } catch {
+        }
+        const statusLine = `HTTP ${res.statusCode}${res.statusMessage ? ` ${res.statusMessage}` : ""}`;
+        upgradeRejection = detail ? `${statusLine}: ${detail}` : statusLine;
+        onError?.(`Tunnel refused by relay (${upgradeRejection})`);
+        reject(new Error(`Tunnel handshake rejected: ${upgradeRejection}`));
+      });
+    });
+    ws.on("open", () => {
+      onInfo?.("WebSocket connection established");
+    });
+    ws.on("message", (data) => {
+      let message;
+      try {
+        message = JSON.parse(data.toString());
       } catch (error2) {
         const errorMessage = error2 instanceof Error ? error2.message : "Unknown error";
-        logActivity(state, {
-          type: "error",
-          error: `Failed to handle message: ${errorMessage}`
+        onError?.(`Failed to handle message: ${errorMessage}`);
+        return;
+      }
+      if (isStreamFrame(message)) {
+        forwarder.handleFrame(message);
+        return;
+      }
+      switch (message.type) {
+        case "connected": {
+          clearTimeout(connectionTimeout);
+          const connectedAgentId = message.agent_id ?? agentId;
+          onConnected?.(connectedAgentId);
+          resolve({
+            ws,
+            close: () => ws.close(1e3, "CLI shutdown")
+          });
+          break;
+        }
+        case "error":
+          clearTimeout(connectionTimeout);
+          onError?.(message.message || "Unknown tunnel error");
+          if (message.code === "unauthorized") {
+            ws.close();
+            reject(new Error("Unauthorized"));
+          }
+          break;
+        case "ping":
+          ws.send(JSON.stringify({ type: "pong" }));
+          break;
+      }
+    });
+    ws.on("error", (error2) => {
+      clearTimeout(connectionTimeout);
+      const detail = upgradeRejection ?? describeSocketError(error2, url);
+      onError?.(`Connection error: ${detail}`);
+      reject(upgradeRejection ? new Error(upgradeRejection) : new Error(detail));
+    });
+    ws.on("close", (code, reason) => {
+      const reasonStr = reason.toString() || upgradeRejection || (code === 1006 ? "abnormal closure" : "No reason provided");
+      forwarder.abortAll();
+      streamStartTimes.clear();
+      onDisconnected?.(code, reasonStr);
+    });
+  });
+}
+
+// src/lib/tunnel/runner-connection.ts
+var RunnerConnection = class {
+  opts;
+  sleep;
+  connection = null;
+  resolvedAgentId;
+  /** True while a (re)connect loop is in flight. */
+  reconnecting = false;
+  /** The in-flight reconnect promise, awaitable by the caller. */
+  reconnectPromise = null;
+  /** 1-based count of the current reconnect attempt streak. */
+  reconnectAttempt = 0;
+  constructor(opts) {
+    this.opts = opts;
+    this.resolvedAgentId = opts.agentId;
+    this.sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  }
+  get agentId() {
+    return this.resolvedAgentId;
+  }
+  /** Establish the initial tunnel connection (with retry/backoff). */
+  async connect() {
+    await this.connectWithRetry(false);
+  }
+  /** Close the active connection (idempotent). */
+  close() {
+    if (this.connection) {
+      try {
+        this.connection.close();
+      } catch {
+      }
+      this.connection = null;
+    }
+  }
+  async connectWithRetry(isReconnect) {
+    if (isReconnect && this.reconnecting) return;
+    this.reconnecting = true;
+    this.close();
+    const { events } = this.opts;
+    while (this.opts.isRunning()) {
+      try {
+        this.connection = await connectTunnel({
+          agentId: this.resolvedAgentId,
+          authHeader: this.opts.getAuthHeader(),
+          port: this.opts.port,
+          onConnected: (agentId) => {
+            this.reconnectAttempt = 0;
+            this.reconnecting = false;
+            this.resolvedAgentId = agentId;
+            events.onConnected(agentId, isReconnect);
+          },
+          onDisconnected: (code, reason) => {
+            events.onDisconnected(code, reason);
+            if (this.opts.isRunning() && code !== 1e3 && !this.reconnecting) {
+              this.reconnectPromise = this.connectWithRetry(true).catch((err) => {
+                events.onError?.(`Reconnection failed: ${err.message}`);
+              });
+            }
+          },
+          onError: (error2) => events.onError?.(error2),
+          onResponse: () => events.onResponse?.(),
+          onDrainPing: () => events.onDrainPing?.(),
+          onInfo: (message) => events.onInfo?.(message)
         });
-        telemetry.error(
-          EventTypes.TUNNEL_ERROR,
-          `Failed to handle message: ${errorMessage}`,
+        return;
+      } catch (error2) {
+        this.reconnectAttempt++;
+        if (error2.message === "Unauthorized") {
+          this.reconnecting = false;
+          throw error2;
+        }
+        const delay = getReconnectDelay(this.reconnectAttempt);
+        events.onReconnecting?.(this.reconnectAttempt);
+        events.onError?.(`Connection failed, retrying in ${Math.round(delay / 1e3)}s...`);
+        await this.sleep(delay);
+      }
+    }
+    this.reconnecting = false;
+  }
+};
+
+// src/lib/channels/driver.ts
+var DEFAULT_RETRY_POLICY = {
+  maxAttempts: 6,
+  baseDelayMs: 500,
+  maxDelayMs: 3e4
+};
+var DEFAULT_PAUSED_POLL_INTERVAL_MS = 2e3;
+var DEFAULT_PAUSED_MAX_WAIT_MS = 10 * 60 * 1e3;
+var ChannelAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ChannelAuthError";
+  }
+};
+function backoffDelay(attempt, policy) {
+  const exp = policy.baseDelayMs * Math.pow(2, attempt);
+  const capped = Math.min(policy.maxDelayMs, exp);
+  return Math.floor(Math.random() * capped);
+}
+function isRetryableStatus(status) {
+  return status === 429 || status >= 500 && status <= 599;
+}
+var ChannelDriver = class {
+  agentId;
+  port;
+  apiUrl;
+  getAuthHeader;
+  conversationFilter;
+  retry;
+  log;
+  fetchImpl;
+  sleep;
+  pausedPollIntervalMs;
+  pausedMaxWaitMs;
+  /** Cache of conversationId → opencode sessionId. */
+  sessions = /* @__PURE__ */ new Map();
+  /**
+   * Outstanding paused-session watchers, keyed by `message.id` (WI-2-CLI).
+   * Single-flight per message: while a watcher is live for a message we never
+   * start a second one. The message stays `processing` for the watcher's lifetime
+   * so the `?status=pending` drain cannot double-claim it.
+   */
+  watchers = /* @__PURE__ */ new Map();
+  /**
+   * Cache of the opencode root directory (from `GET /path`). Resolved lazily on
+   * first session creation so drain-created sessions are rooted at the project
+   * directory and thus visible in `opencode web`'s session list. `undefined` =
+   * not yet resolved; `null` = resolved-but-unavailable (don't keep retrying).
+   */
+  opencodeDirectory = void 0;
+  /** Serialises drains so a reconnect during a drain doesn't double-process. */
+  draining = false;
+  constructor(config2) {
+    this.agentId = config2.agentId;
+    this.port = config2.port;
+    this.apiUrl = config2.apiUrl.replace(/\/$/, "");
+    this.getAuthHeader = config2.getAuthHeader;
+    this.conversationFilter = config2.conversationFilter ?? null;
+    this.retry = { ...DEFAULT_RETRY_POLICY, ...config2.retry };
+    this.log = config2.log ?? (() => {
+    });
+    this.fetchImpl = config2.fetchImpl ?? fetch;
+    this.sleep = config2.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+    this.pausedPollIntervalMs = config2.pausedPollIntervalMs ?? DEFAULT_PAUSED_POLL_INTERVAL_MS;
+    this.pausedMaxWaitMs = config2.pausedMaxWaitMs ?? DEFAULT_PAUSED_MAX_WAIT_MS;
+  }
+  /** The IPv4-loopback base URL for the local `opencode serve`. */
+  get opencodeBase() {
+    return `http://127.0.0.1:${this.port}`;
+  }
+  // -------------------------------------------------------------------------
+  // Public API
+  // -------------------------------------------------------------------------
+  /**
+   * Drain all pending channel conversations once: poll → process → callback.
+   * Called on tunnel `connected` (WI-CHAN-4) and on each poll tick by `run.ts`.
+   * Re-entrant calls while a drain is in flight are skipped (return 0).
+   *
+   * @returns the number of messages processed.
+   */
+  async drainPending() {
+    if (this.draining) return 0;
+    this.draining = true;
+    let processed = 0;
+    try {
+      const conversations = await this.getPendingConversations();
+      if (conversations.length > 0) {
+        const total = conversations.reduce((sum, c) => sum + (c.pending_message_count ?? 0), 0);
+        this.log({
+          level: "info",
+          message: `Found ${total} pending message(s) across ${conversations.length} conversation(s) \u2014 draining`
+        });
+      }
+      for (const conv of conversations) {
+        processed += await this.processConversation(conv);
+      }
+    } finally {
+      this.draining = false;
+    }
+    return processed;
+  }
+  /**
+   * Await all outstanding paused-session watchers (WI-2-CLI).
+   *
+   * In production the watchers are deliberately started-not-awaited so the drain
+   * loop never blocks on them and process exit is not held up (the cron recovers
+   * any abandoned ones). This helper exists primarily for deterministic tests
+   * that need to observe the watcher's effect (the `done` PATCH or its giving up)
+   * after a non-blocking `drainPending`. Watchers never reject, so this resolves.
+   */
+  async flushPausedWatchers() {
+    await Promise.all([...this.watchers.values()]);
+  }
+  // -------------------------------------------------------------------------
+  // Conversation processing
+  // -------------------------------------------------------------------------
+  async processConversation(conv) {
+    const sessionId = await this.ensureSession(conv);
+    const messages = await this.getPendingMessages(conv.id);
+    let processed = 0;
+    for (const message of messages) {
+      const claimed = await this.markProcessing(conv.id, message.id);
+      if (!claimed) {
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} already claimed \u2014 skipping`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        continue;
+      }
+      try {
+        this.log({
+          level: "info",
+          message: `Sending queued message ${message.id.slice(0, 8)} to OpenCode (session ${sessionId.slice(0, 8)})`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        const result = await sendMessageToOpenCode(
+          this.port,
+          sessionId,
+          message.content,
           {
-            error: errorMessage
+            agent: message.opencode_agent ?? void 0,
+            model: message.opencode_model ?? void 0
           },
-          state.sandboxId ?? void 0
+          {
+            onQuestion: (question) => this.reportInteraction(conv.id, "question", question),
+            onPermission: (permission) => this.reportInteraction(conv.id, "permission", permission)
+          }
         );
-        displayStatus(state);
+        if (result.awaitingInteraction) {
+          this.log({
+            level: "info",
+            message: `Message ${message.id.slice(0, 8)} paused awaiting interaction \u2014 watching session for completion`,
+            conversation_id: conv.id,
+            message_id: message.id
+          });
+          this.startPausedWatcher(conv, message, sessionId);
+          continue;
+        }
+        await this.confirmCompletion(sessionId);
+        await this.markDone(conv.id, message.id, sessionId);
+        processed += 1;
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} processed`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+      } catch (err) {
+        if (err instanceof ChannelAuthError) throw err;
+        await this.markFailed(conv.id, message.id).catch(() => {
+        });
+        this.log({
+          level: "error",
+          message: `Message ${message.id.slice(0, 8)} failed: ${err instanceof Error ? err.message : String(err)}`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
       }
+    }
+    return processed;
+  }
+  async ensureSession(conv) {
+    const cached = this.sessions.get(conv.id);
+    if (cached) return cached;
+    if (conv.opencode_session_id) {
+      this.sessions.set(conv.id, conv.opencode_session_id);
+      return conv.opencode_session_id;
+    }
+    const directory = await this.resolveOpenCodeDirectory();
+    const sessionId = await createOpenCodeSession(this.port, directory);
+    this.sessions.set(conv.id, sessionId);
+    await this.persistSession(conv.id, sessionId).catch(() => {
     });
-    ws.on("close", (code, reason) => {
-      state.connected = false;
-      const reasonStr = reason.toString() || "No reason provided";
-      logActivity(state, {
-        type: "info",
-        message: `Disconnected (code: ${code}, reason: ${reasonStr})`
+    return sessionId;
+  }
+  /**
+   * Lazily resolve (and cache) opencode's root directory via `GET /path`.
+   * Resolved once per driver: `undefined` until first lookup, then the directory
+   * string or `null` if unavailable (we don't keep retrying a missing `/path`).
+   */
+  async resolveOpenCodeDirectory() {
+    if (this.opencodeDirectory !== void 0) return this.opencodeDirectory;
+    this.opencodeDirectory = await getOpenCodeDirectory(this.port);
+    if (!this.opencodeDirectory) {
+      this.log({
+        level: "info",
+        message: "Could not determine opencode directory (GET /path) \u2014 new sessions may not appear in opencode web"
       });
-      telemetry.info(
-        EventTypes.TUNNEL_DISCONNECTED,
-        "Tunnel disconnected",
-        {
-          sandboxId: state.sandboxId,
-          code,
-          reason: reasonStr
-        },
-        state.sandboxId ?? void 0
-      );
-      displayStatus(state);
-      resolve();
+    }
+    return this.opencodeDirectory;
+  }
+  /**
+   * Local reconcile: re-query `GET /session/:id/message` and check whether the
+   * last assistant message is message-level complete (`isTurnComplete`).
+   *
+   * This is a PURE OBSERVABILITY probe on the normal (non-paused) path: the
+   * blocking POST already returned, and `markDone` causes the server to re-fetch
+   * the messages itself (via `extractTextFromMessages`) when delivering the
+   * reply — so this round-trip never gates delivery. We keep it only to surface a
+   * truthful diagnostic when opencode hasn't yet recorded a completed assistant
+   * turn at reconcile time, then proceed to `markDone` regardless. Uses the
+   * injected `fetchImpl` and reuses only the pure `isTurnComplete` predicate.
+   */
+  async confirmCompletion(sessionId) {
+    try {
+      const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+      if (!res.ok) return;
+      const body = await res.json();
+      const messages = Array.isArray(body) ? body : null;
+      if (!isTurnComplete(messages)) {
+        this.log({
+          level: "info",
+          message: `Session ${sessionId.slice(0, 8)} messages do not yet show a completed assistant turn on reconcile \u2014 delivering anyway`
+        });
+      }
+    } catch {
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Paused-session watcher (WI-2-CLI)
+  // -------------------------------------------------------------------------
+  /**
+   * Start (but do NOT await) a watcher that resumes a paused turn to completion.
+   *
+   * Single-flight per message: if a watcher is already live for this message we
+   * skip. The returned watcher promise is tracked in `this.watchers` and removed
+   * when it settles; it never rejects (the body is fully guarded), so a failed
+   * poll/markDone can never crash the run loop — the cron stays as the safety net.
+   */
+  startPausedWatcher(conv, message, sessionId) {
+    if (this.watchers.has(message.id)) return;
+    const watcher = this.watchPausedSession(conv, message, sessionId).finally(() => {
+      this.watchers.delete(message.id);
     });
-    ws.on("error", (error2) => {
-      state.connected = false;
-      logActivity(state, {
-        type: "error",
-        error: `Connection error: ${error2.message}`
+    this.watchers.set(message.id, watcher);
+  }
+  /**
+   * Poll `GET /session/:id/message` until the SAME paused turn is message-level
+   * complete — the last message is an ASSISTANT message whose
+   * `info.time.completed` is set (the user answered the question/permission in
+   * opencode web and opencode finished the turn) — then complete it via the
+   * EXISTING `markDone` PATCH — NO re-send of the original message. The server
+   * re-fetches the assistant messages on completion, so the watcher does not
+   * pass any reply text.
+   *
+   * Fetch seam: the poll uses the injected `this.fetchImpl` (preserving the
+   * tests' injection) and reuses only the pure `isTurnComplete` predicate from
+   * `session.ts` — we do NOT call `getSessionMessages` (which uses the global
+   * `fetch`) here.
+   *
+   * Bounded by `pausedMaxWaitMs` (default 10 min, strictly < the 15-min cron
+   * reset): on timeout we STOP and leave the message `processing` so the cron
+   * remains the last-resort safety net. The whole body is wrapped so any
+   * poll/markDone failure is logged and swallowed — a watcher MUST NEVER throw
+   * out of the run loop.
+   */
+  async watchPausedSession(conv, message, sessionId) {
+    const deadline = Date.now() + this.pausedMaxWaitMs;
+    try {
+      while (Date.now() < deadline) {
+        await this.sleep(this.pausedPollIntervalMs);
+        let completed = false;
+        try {
+          const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+          if (res.ok) {
+            const body = await res.json();
+            const messages = Array.isArray(body) ? body : null;
+            completed = isTurnComplete(messages);
+          }
+        } catch {
+          continue;
+        }
+        if (!completed) continue;
+        this.log({
+          level: "info",
+          message: `Paused session ${sessionId.slice(0, 8)} completed \u2014 marking message ${message.id.slice(0, 8)} done`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        await this.markDone(conv.id, message.id, sessionId);
+        return;
+      }
+      this.log({
+        level: "info",
+        message: `Paused session ${sessionId.slice(0, 8)} did not complete within the watch window \u2014 leaving message ${message.id.slice(0, 8)} for the cron safety net`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
+    } catch (err) {
+      this.log({
+        level: "error",
+        message: `Paused-session watcher failed for message ${message.id.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conv.id,
+        message_id: message.id
       });
-      telemetry.error(
-        EventTypes.TUNNEL_ERROR,
-        `Connection error: ${error2.message}`,
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Evident API calls (combinedAuth thread routes)
+  // -------------------------------------------------------------------------
+  async getPendingConversations() {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/conversations/pending`,
+      {
+        headers: { Authorization: this.getAuthHeader() }
+      }
+    );
+    this.assertAuth(res, "fetching pending conversations");
+    if (!res.ok) {
+      throw new Error(`Failed to get pending conversations: HTTP ${res.status}`);
+    }
+    const data = await res.json();
+    let conversations = data.conversations;
+    if (this.conversationFilter) {
+      conversations = conversations.filter((c) => c.id === this.conversationFilter);
+    }
+    return conversations;
+  }
+  async getPendingMessages(conversationId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages?status=pending`,
+      { headers: { Authorization: this.getAuthHeader() } }
+    );
+    this.assertAuth(res, "fetching pending messages");
+    if (!res.ok) {
+      throw new Error(`Failed to get messages: HTTP ${res.status}`);
+    }
+    return await res.json();
+  }
+  async markProcessing(conversationId, messageId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+      {
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ status: "processing" })
+      }
+    );
+    this.assertAuth(res, "marking message as processing");
+    return res.ok;
+  }
+  /**
+   * EXISTING combinedAuth completion route — idempotent + retried (WI-CHAN-2).
+   * `PATCH .../messages/:id {status:'done', opencode_session_id}`. The server's
+   * `queued_conversation_messages.status`/`processed_at` gate makes a re-call
+   * for an already-`done` message a no-op (no double Slack post).
+   */
+  async markDone(conversationId, messageId, sessionId) {
+    await this.callWithRetry(
+      "marking message as done",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
         {
-          error: error2.message
-        },
-        state.sandboxId ?? void 0
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "done", opencode_session_id: sessionId })
+        }
+      )
+    );
+  }
+  async markFailed(conversationId, messageId) {
+    await this.callWithRetry(
+      "marking message as failed",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "failed" })
+        }
+      )
+    );
+  }
+  async persistSession(conversationId, sessionId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}`,
+      {
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ opencode_session_id: sessionId })
+      }
+    );
+    this.assertAuth(res, "persisting session id");
+  }
+  /**
+   * EXISTING combinedAuth interaction route (WI-CHAN-3) — idempotent + retried.
+   * `POST .../interactive-event {type, data}`. The server persists the
+   * interaction and posts a link to the proxied opencode-web conversation.
+   */
+  async reportInteraction(conversationId, type, data) {
+    try {
+      await this.callWithRetry(
+        "reporting interactive event",
+        () => this.fetchImpl(
+          `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/interactive-event`,
+          {
+            method: "POST",
+            headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+            body: JSON.stringify({ type, data })
+          }
+        )
       );
-      displayStatus(state);
+      this.log({
+        level: "info",
+        message: `${type} surfaced to channel (id: ${data.id.slice(0, 8)})`,
+        conversation_id: conversationId
+      });
+    } catch (err) {
+      if (err instanceof ChannelAuthError) throw err;
+      this.log({
+        level: "error",
+        message: `Failed to surface ${type}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conversationId
+      });
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Retry wrapper
+  // -------------------------------------------------------------------------
+  /**
+   * Invoke an Evident API call, retrying on transient failures (5xx / 429 /
+   * network errors) with exponential backoff + jitter (capped). Auth failures
+   * (401/403) are terminal and surface as `ChannelAuthError`; other 4xx are
+   * terminal too. No on-disk persistence — a crash mid-retry drops the callback
+   * (accepted by ADR-0039).
+   */
+  async callWithRetry(context, call) {
+    let lastError;
+    for (let attempt = 0; attempt < this.retry.maxAttempts; attempt += 1) {
+      let res;
+      try {
+        res = await call();
+      } catch (err) {
+        lastError = err;
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+        throw err;
+      }
+      if (res.status === 401 || res.status === 403) {
+        throw new ChannelAuthError(
+          `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+        );
+      }
+      if (res.ok) return;
+      if (isRetryableStatus(res.status)) {
+        lastError = new Error(`${context}: HTTP ${res.status}`);
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+      }
+      throw new Error(`${context}: HTTP ${res.status}`);
+    }
+    throw lastError instanceof Error ? lastError : new Error(`${context}: exhausted retries`);
+  }
+  assertAuth(res, context) {
+    if (res.status === 401 || res.status === 403) {
+      throw new ChannelAuthError(
+        `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+      );
+    }
+  }
+};
+
+// src/commands/ensure-opencode.ts
+import chalk5 from "chalk";
+import ora2 from "ora";
+import { select as select2 } from "@inquirer/prompts";
+async function ensureOpenCodeRunning(ctx) {
+  const healthCheck = await checkOpenCodeHealth(ctx.port);
+  if (healthCheck.healthy) {
+    return { port: ctx.port, process: null, version: healthCheck.version ?? null };
+  }
+  const runningInstances = await findHealthyOpenCodeInstances();
+  if (runningInstances.length > 0) {
+    if (!ctx.interactive) {
+      throw new Error(
+        `OpenCode not found on port ${ctx.port}, but running on port ${runningInstances[0].port}. Use --port ${runningInstances[0].port}`
+      );
+    }
+    blank();
+    console.log(chalk5.yellow("Found OpenCode running on different port(s):"));
+    for (const instance of runningInstances) {
+      const ver = instance.version ? ` (v${instance.version})` : "";
+      const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
+      console.log(chalk5.dim(`  * Port ${instance.port}${ver}${cwd}`));
+    }
+    blank();
+    if (runningInstances.length === 1) {
+      console.log(chalk5.yellow("Tip: Run with the correct port:"));
+      console.log(
+        chalk5.dim(
+          `  ${getCliName()} run --agent ${ctx.agentId} --port ${runningInstances[0].port}`
+        )
+      );
+    }
+    blank();
+    throw new Error(`OpenCode not running on port ${ctx.port}`);
+  }
+  if (!isOpenCodeInstalled()) {
+    if (!ctx.interactive) {
+      throw new Error("OpenCode is not installed. Install it with: npm install -g opencode-ai");
+    }
+    const result = await promptOpenCodeInstall(true);
+    if (result === "exit") process.exit(0);
+    if (result !== "installed" && !isOpenCodeInstalled()) {
+      throw new Error("OpenCode is not installed");
+    }
+  }
+  if (!ctx.interactive) {
+    ctx.log(`OpenCode is not running on port ${ctx.port}. Starting it automatically...`);
+    const proc = await startOpenCode(ctx.port);
+    const health = await waitForOpenCodeHealth(ctx.port, 3e4);
+    if (!health.healthy) {
+      throw new Error(
+        `OpenCode failed to start on port ${ctx.port}. Install with: npm install -g opencode-ai`
+      );
+    }
+    ctx.log(`OpenCode started on port ${ctx.port}${health.version ? ` (v${health.version})` : ""}`);
+    return { port: ctx.port, process: proc, version: health.version ?? null };
+  }
+  let port = ctx.port;
+  if (isPortInUse(port)) {
+    console.log(chalk5.yellow(`
+Port ${port} is already in use.`));
+    const alternativePort = findAvailablePort(port + 1);
+    if (alternativePort) {
+      const useAlternative = await select2({
+        message: `Use port ${alternativePort} instead?`,
+        choices: [
+          { name: `Yes, use port ${alternativePort}`, value: "yes" },
+          { name: "No, I will free the port manually", value: "no" }
+        ]
+      });
+      if (useAlternative === "yes") {
+        port = alternativePort;
+      } else {
+        throw new Error(`Port ${ctx.port} is in use`);
+      }
+    }
+  }
+  const action = await select2({
+    message: "OpenCode is not running. What would you like to do?",
+    choices: [
+      {
+        name: "Start OpenCode for me",
+        value: "start",
+        description: `Run 'opencode serve --port ${port}'`
+      },
+      {
+        name: "Show me the command",
+        value: "manual",
+        description: "Display the command to run manually"
+      },
+      {
+        name: "Continue without OpenCode",
+        value: "continue",
+        description: "Requests will fail until OpenCode starts"
+      }
+    ]
+  });
+  if (action === "manual") {
+    blank();
+    console.log(chalk5.bold("Run this command in another terminal:"));
+    blank();
+    console.log(`  ${chalk5.cyan(`opencode serve --port ${port}`)}`);
+    blank();
+    throw new Error("Please start OpenCode manually");
+  }
+  if (action === "start") {
+    const spinner = ora2("Starting OpenCode...").start();
+    const proc = await startOpenCode(port);
+    const health = await waitForOpenCodeHealth(port, 3e4);
+    if (!health.healthy) {
+      spinner.fail("Failed to start OpenCode");
+      throw new Error("OpenCode failed to start");
+    }
+    spinner.stop();
+    return { port, process: proc, version: health.version ?? null };
+  }
+  return { port, process: null, version: null };
+}
+
+// src/commands/agent-lookup.ts
+async function readErrorMessage(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return response.statusText || void 0;
+  try {
+    const data = JSON.parse(text);
+    const message = data.message ?? data.error;
+    if (typeof message === "string" && message.trim()) {
+      return message;
+    }
+  } catch {
+  }
+  return text.trim() || response.statusText || void 0;
+}
+function authFailureHint(apiUrl, serverMessage) {
+  const reason = serverMessage ? `: ${serverMessage}` : "";
+  return `Authentication failed${reason}. Your credentials were rejected by ${apiUrl}. This usually means you logged in against a different environment, or your session expired \u2014 log in again pointing at this endpoint and retry.`;
+}
+async function resolveAgentIdFromKey(authHeader) {
+  const apiUrl = getApiUrlConfig();
+  try {
+    const response = await fetch(`${apiUrl}/me`, {
+      headers: { Authorization: authHeader }
     });
-    const cleanup = async () => {
-      process.removeAllListeners("SIGINT");
-      process.removeAllListeners("SIGTERM");
-      logActivity(state, {
-        type: "info",
-        message: "Shutting down..."
-      });
-      displayStatus(state);
-      telemetry.info(
-        EventTypes.TUNNEL_DISCONNECTED,
-        "Tunnel stopped by user",
-        {
-          sandboxId: state.sandboxId
-        },
-        state.sandboxId ?? void 0
-      );
-      await shutdownTelemetry();
-      ws.close();
-      process.exit(0);
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (!response.ok) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        error: `Failed to resolve agent from key (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
+    }
+    const data = await response.json();
+    if (data.auth_type === "agent_key" && data.agent_id) {
+      return { agent_id: data.agent_id };
+    }
+    return {
+      error: "Cannot resolve agent ID: auth type is not agent_key. Please provide --agent explicitly."
     };
-    process.removeAllListeners("SIGINT");
-    process.removeAllListeners("SIGTERM");
-    process.once("SIGINT", () => void cleanup());
-    process.once("SIGTERM", () => void cleanup());
-  });
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { error: `Failed to resolve agent from key: ${message}` };
+  }
+}
+async function getAgentInfo(agentId, authHeader) {
+  const apiUrl = getApiUrlConfig();
+  try {
+    const response = await fetch(`${apiUrl}/agents/${agentId}`, {
+      headers: { Authorization: authHeader }
+    });
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (response.status === 403) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: serverMessage ?? "You do not have access to this agent (it may belong to a different team or organization)."
+      };
+    }
+    if (response.status === 404) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: serverMessage ?? `Agent ${agentId} not found` };
+    }
+    if (!response.ok) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: `API error (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
+    }
+    const agent = await response.json();
+    if (agent.agent_type !== "local") {
+      return {
+        valid: false,
+        error: `Agent is type '${agent.agent_type}', must be 'local' for CLI connection`
+      };
+    }
+    return { valid: true, agent };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { valid: false, error: `Failed to validate agent: ${message}` };
+  }
+}
+
+// src/commands/run.ts
+var MAX_ACTIVITY_LOG_ENTRIES = 10;
+var CHANNEL_POLL_INTERVAL_MS = Number(process.env.EVIDENT_CHANNEL_POLL_INTERVAL_MS) || 2e3;
+function log(state, message, isError = false) {
+  if (state.json) {
+    console.log(
+      JSON.stringify({
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        level: isError ? "error" : "info",
+        message
+      })
+    );
+  } else if (!state.interactive) {
+    const prefix = isError ? chalk6.red("\u2717") : chalk6.green("\u2022");
+    console.log(`${prefix} ${message}`);
+  }
+}
+function logActivity(state, entry) {
+  const fullEntry = {
+    ...entry,
+    timestamp: /* @__PURE__ */ new Date()
+  };
+  state.activityLog.push(fullEntry);
+  if (state.activityLog.length > MAX_ACTIVITY_LOG_ENTRIES) {
+    state.activityLog.shift();
+  }
+  if (!state.interactive) {
+    if (entry.type === "error") {
+      log(state, entry.error ?? "Unknown error", true);
+    } else if (entry.type === "info" && entry.message) {
+      log(state, entry.message);
+    }
+  }
 }
-async function tunnel(options) {
-  const verbose = options.verbose ?? false;
-  const credentials = await getToken();
-  if (!credentials) {
-    const cliName = (await import("./config-J7LPYFVS.js")).getCliName();
-    telemetry.error(EventTypes.CLI_ERROR, "Not logged in", { command: "tunnel" });
-    printError(`Not logged in. Run \`${cliName} login\` first.`);
+function displayStatus(state) {
+  if (!state.interactive) return;
+  const attempt = state.connection?.reconnectAttempt ?? 0;
+  const tunnel = state.connected ? chalk6.green("tunnel: connected") : attempt > 0 ? chalk6.yellow(`tunnel: reconnecting (#${attempt})`) : chalk6.yellow("tunnel: connecting");
+  const opencode = state.opencodeConnected ? chalk6.green(`opencode: :${state.port}`) : chalk6.red(`opencode: :${state.port} (down)`);
+  const messages = state.messageCount > 0 ? chalk6.dim(` \xB7 ${state.messageCount} processed`) : "";
+  const last = state.activityLog[state.activityLog.length - 1];
+  const detail = last ? chalk6.dim(` \xB7 ${last.type === "error" ? last.error ?? "" : last.message ?? ""}`) : "";
+  const agent = state.agentName ?? state.agentId;
+  console.log(
+    `${chalk6.bold("Evident")} ${chalk6.dim(agent)}  ${tunnel}  ${opencode}${messages}${detail}`
+  );
+}
+async function promptForLogin(promptMessage, successMessage) {
+  const action = await select3({
+    message: promptMessage,
+    choices: [
+      {
+        name: "Yes, log me in",
+        value: "login",
+        description: "Opens a browser to authenticate with Evident"
+      },
+      {
+        name: "No, exit",
+        value: "exit",
+        description: "Exit without logging in"
+      }
+    ]
+  });
+  if (action === "exit") {
+    console.log(chalk6.dim(`
+You can log in later by running: ${getCliName()} login`));
+    process.exit(0);
+  }
+  await login({ noBrowser: false });
+  const credentials2 = await getToken();
+  if (!credentials2) {
+    printError("Login failed. Please try again.");
     process.exit(1);
   }
-  const port = options.port ?? 4096;
-  const sandboxId = options.sandbox;
-  if (!sandboxId) {
-    const cliName = (await import("./config-J7LPYFVS.js")).getCliName();
-    printError("--sandbox <id> is required");
+  blank();
+  console.log(chalk6.green(successMessage));
+  blank();
+  return { token: credentials2.token, authType: "bearer", user: credentials2.user };
+}
+var AUTH_EXPIRED_EXIT_CODE = 77;
+async function handleAuthError(state, error2) {
+  logActivity(state, {
+    type: "error",
+    error: error2.message
+  });
+  if (state.interactive) displayStatus(state);
+  if (!state.interactive) {
     blank();
-    console.log(chalk4.dim("To find your sandbox ID:"));
-    console.log(chalk4.dim("  1. Create a remote sandbox in the Evident web UI"));
-    console.log(chalk4.dim("  2. Copy the sandbox ID from the URL or settings"));
-    console.log(chalk4.dim(`  3. Run: ${cliName} tunnel --sandbox <id>`));
+    console.log(chalk6.red("Authentication expired"));
+    console.log(chalk6.dim("Your authentication token is no longer valid."));
     blank();
-    telemetry.error(EventTypes.CLI_ERROR, "Missing sandbox ID", { command: "tunnel" });
-    process.exit(1);
+    console.log(chalk6.dim("To fix this:"));
+    console.log(chalk6.dim(`  1. Run '${getCliName()} login' to re-authenticate`));
+    console.log(chalk6.dim("  2. Restart this command"));
+    blank();
+    await cleanup(state);
+    await shutdownTelemetry();
+    process.exit(AUTH_EXPIRED_EXIT_CODE);
+    return { success: false };
   }
+  blank();
+  console.log(chalk6.yellow("Your authentication has expired."));
+  blank();
+  try {
+    const credentials2 = await promptForLogin(
+      "Would you like to log in again?",
+      "Re-authenticated successfully! Resuming..."
+    );
+    const newAuthHeader = getAuthHeader(credentials2);
+    return { success: true, newAuthHeader };
+  } catch {
+    return { success: false };
+  }
+}
+async function driveChannels(state, driver) {
+  let idlePolls = 0;
+  while (state.running) {
+    if (state.connection?.reconnecting && state.connection.reconnectPromise) {
+      logActivity(state, { type: "info", message: "Waiting for tunnel reconnection..." });
+      if (state.interactive) displayStatus(state);
+      await state.connection.reconnectPromise;
+    }
+    try {
+      const processed = await driver.drainPending();
+      state.messageCount += processed;
+      if (processed > 0) {
+        idlePolls = 0;
+        if (state.interactive) displayStatus(state);
+      } else if (state.idleTimeout !== null) {
+        idlePolls++;
+        if (idlePolls === 1) {
+          logActivity(state, {
+            type: "info",
+            message: `Queue empty, waiting (timeout: ${state.idleTimeout}s)...`
+          });
+          if (state.interactive) displayStatus(state);
+        }
+      }
+    } catch (error2) {
+      if (error2 instanceof ChannelAuthError) {
+        const result = await handleAuthError(state, error2);
+        if (result.success && result.newAuthHeader) {
+          state.authHeader = result.newAuthHeader;
+          logActivity(state, { type: "info", message: "Continuing with new credentials..." });
+          if (state.interactive) displayStatus(state);
+          continue;
+        }
+        state.running = false;
+        break;
+      }
+      const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+      logActivity(state, { type: "error", error: `Channel processing error: ${errorMessage}` });
+      if (state.interactive) displayStatus(state);
+    }
+    await new Promise((resolve) => setTimeout(resolve, CHANNEL_POLL_INTERVAL_MS));
+    if (state.idleTimeout !== null && idlePolls >= 2) {
+      const idleMs = idlePolls * CHANNEL_POLL_INTERVAL_MS;
+      if (idleMs > state.idleTimeout * 1e3) {
+        logActivity(state, { type: "info", message: "Idle timeout reached" });
+        if (state.interactive) displayStatus(state);
+        break;
+      }
+    }
+  }
+}
+async function cleanup(state) {
+  state.running = false;
+  if (state.connection) {
+    state.connection.close();
+    state.connection = null;
+  }
+  if (state.opencodeProcess) {
+    stopOpenCode(state.opencodeProcess);
+    if (state.interactive) {
+      logActivity(state, { type: "info", message: "Stopped OpenCode process" });
+      displayStatus(state);
+    } else {
+      log(state, "Stopped OpenCode process");
+    }
+    state.opencodeProcess = null;
+  }
+}
+async function run(options) {
+  const interactive = isInteractive(options.json);
   const state = {
+    agentId: options.agent || "",
+    agentName: null,
+    port: options.port ?? 4096,
+    conversationFilter: options.conversation ?? null,
+    idleTimeout: options.idleTimeout ?? null,
+    json: options.json ?? false,
+    interactive,
     connected: false,
     opencodeConnected: false,
     opencodeVersion: null,
-    sandboxId,
-    sandboxName: null,
-    reconnectAttempt: 0,
-    lastActivity: /* @__PURE__ */ new Date(),
+    opencodeProcess: null,
+    connection: null,
+    running: true,
     activityLog: [],
-    pendingRequests: /* @__PURE__ */ new Map(),
-    verbose,
-    displayInitialized: false,
-    activeEventSubscriptions: /* @__PURE__ */ new Map()
+    messageCount: 0,
+    authHeader: ""
   };
-  telemetry.info(
-    EventTypes.CLI_COMMAND,
-    "Starting tunnel command",
-    {
-      command: "tunnel",
-      port,
-      sandboxId,
-      verbose
-    },
-    sandboxId
-  );
-  logActivity(state, {
-    type: "info",
-    message: `Starting tunnel (port: ${port}, verbose: ${verbose})`
-  });
-  logActivity(state, {
-    type: "info",
-    message: "Validating sandbox..."
-  });
-  const validateSpinner = ora2("Validating sandbox...").start();
-  const validation = await validateSandbox(credentials.token, sandboxId);
-  if (!validation.valid) {
-    validateSpinner.fail(`Sandbox validation failed: ${validation.error}`);
-    logActivity(state, {
-      type: "error",
-      error: `Sandbox validation failed: ${validation.error}`
-    });
-    telemetry.error(EventTypes.CLI_ERROR, `Sandbox validation failed: ${validation.error}`, {
-      command: "tunnel",
-      sandboxId
-    });
-    displayStatus(state);
-    process.exit(1);
+  if (state.idleTimeout === null && (process.env.GITHUB_ACTIONS || process.env.CI)) {
+    log(
+      state,
+      "Warning: No --idle-timeout set in CI environment. The runner will poll indefinitely until the job times out. Consider adding --idle-timeout 30 to avoid wasting runner minutes.",
+      false
+    );
   }
-  state.sandboxName = validation.name ?? null;
-  validateSpinner.succeed(`Sandbox: ${validation.name || sandboxId}`);
-  logActivity(state, {
-    type: "info",
-    message: `Sandbox validated: ${validation.name || sandboxId}`
-  });
-  logActivity(state, {
-    type: "info",
-    message: `Checking OpenCode on port ${port}...`
-  });
-  const opencodeSpinner = ora2("Checking OpenCode connection...").start();
-  const healthCheck = await checkOpenCodeHealth(port);
-  if (healthCheck.healthy) {
-    state.opencodeConnected = true;
-    state.opencodeVersion = healthCheck.version ?? null;
-    const version = healthCheck.version ? ` (v${healthCheck.version})` : "";
+  const handleSignal = async () => {
+    if (state.interactive) {
+      logActivity(state, { type: "info", message: "Shutting down..." });
+      displayStatus(state);
+    } else {
+      log(state, "Shutting down...");
+    }
+    await cleanup(state);
+    await shutdownTelemetry();
+    process.exit(0);
+  };
+  process.on("SIGINT", handleSignal);
+  process.on("SIGTERM", handleSignal);
+  try {
+    let credentials2 = await getAuthCredentials();
+    if (!credentials2) {
+      if (!interactive) {
+        printError("Authentication required");
+        blank();
+        console.log(chalk6.dim("Set EVIDENT_AGENT_KEY environment variable for CI"));
+        console.log(chalk6.dim("Or run `evident login` for interactive authentication"));
+        blank();
+        process.exit(1);
+      }
+      blank();
+      console.log(chalk6.yellow("You are not logged in to Evident."));
+      blank();
+      credentials2 = await promptForLogin(
+        "Would you like to log in now?",
+        "Login successful! Continuing..."
+      );
+    }
+    state.authHeader = getAuthHeader(credentials2);
+    if (!state.agentId) {
+      if (credentials2.authType === "agent_key") {
+        const resolved = await resolveAgentIdFromKey(state.authHeader);
+        if (resolved.agent_id) {
+          state.agentId = resolved.agent_id;
+          log(state, `Resolved agent ID from key: ${state.agentId}`);
+          if (state.interactive && !state.json) {
+            logActivity(state, {
+              type: "info",
+              message: `Agent ID resolved from key: ${state.agentId}`
+            });
+          }
+        } else {
+          printError(resolved.error || "Failed to resolve agent ID from key");
+          process.exit(1);
+        }
+      } else {
+        printError("--agent is required when not using EVIDENT_AGENT_KEY");
+        blank();
+        console.log(chalk6.dim("Either provide --agent <id> or set EVIDENT_AGENT_KEY"));
+        blank();
+        process.exit(1);
+      }
+    }
     telemetry.info(
-      EventTypes.OPENCODE_HEALTH_OK,
-      `OpenCode healthy on port ${port}`,
-      {
-        port,
-        version: healthCheck.version
-      },
-      sandboxId
-    );
-    opencodeSpinner.succeed(`OpenCode running on port ${port}${version}`);
-    logActivity(state, {
-      type: "info",
-      message: `OpenCode running on port ${port}${version}`
-    });
-  } else {
-    telemetry.warn(
-      EventTypes.OPENCODE_HEALTH_FAILED,
-      `Could not connect to OpenCode: ${healthCheck.error}`,
+      EventTypes.CLI_COMMAND,
+      "Starting run command",
       {
-        port,
-        error: healthCheck.error
+        command: "run",
+        agentId: state.agentId,
+        port: state.port,
+        conversationFilter: state.conversationFilter,
+        interactive
       },
-      sandboxId
+      state.agentId
     );
-    opencodeSpinner.warn(`Could not connect to OpenCode on port ${port}`);
-    logActivity(state, {
-      type: "error",
-      error: `OpenCode not reachable on port ${port}: ${healthCheck.error}`
-    });
-    const runningInstances = await findHealthyOpenCodeInstances();
-    if (runningInstances.length > 0) {
-      blank();
-      console.log(chalk4.yellow("Found OpenCode running on different port(s):"));
-      for (const instance of runningInstances) {
-        const ver = instance.version ? ` (v${instance.version})` : "";
-        const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
-        console.log(chalk4.dim(`  \u2022 Port ${instance.port}${ver}${cwd}`));
-      }
+    if (interactive && !state.json) {
       blank();
-      if (runningInstances.length === 1) {
-        console.log(chalk4.yellow("Tip: Run with the correct port:"));
-        console.log(
-          chalk4.dim(
-            `  npx @evident-ai/cli@latest tunnel --sandbox ${sandboxId} --port ${runningInstances[0].port}`
-          )
-        );
-      } else {
-        console.log(chalk4.yellow("Tip: Specify which port to use:"));
-        console.log(
-          chalk4.dim(`  npx @evident-ai/cli@latest tunnel --sandbox ${sandboxId} --port <PORT>`)
-        );
-      }
+      console.log(chalk6.bold("Evident Run"));
+      console.log(chalk6.dim("-".repeat(40)));
+    }
+    const spinner = interactive && !state.json ? ora3("Validating agent...").start() : null;
+    let validation = await getAgentInfo(state.agentId, state.authHeader);
+    if (!validation.valid && validation.authFailed && interactive) {
+      spinner?.fail("Authentication failed");
       blank();
-    } else {
+      console.log(chalk6.yellow("Your authentication token is invalid or expired."));
       blank();
-      const action = await select({
-        message: "OpenCode is not running. What would you like to do?",
-        choices: [
-          {
-            name: "Start OpenCode for me",
-            value: "start",
-            description: `Run 'opencode serve --port ${port}' in a new process`
-          },
-          {
-            name: "Show me the command to run",
-            value: "manual",
-            description: "Display instructions for starting OpenCode manually"
-          },
-          {
-            name: "Continue without OpenCode",
-            value: "continue",
-            description: "Connect the tunnel anyway (requests will fail until OpenCode starts)"
-          }
-        ]
+      credentials2 = await promptForLogin(
+        "Would you like to log in again?",
+        "Login successful! Retrying..."
+      );
+      state.authHeader = getAuthHeader(credentials2);
+      spinner?.start("Validating agent...");
+      validation = await getAgentInfo(state.agentId, state.authHeader);
+    }
+    if (!validation.valid) {
+      spinner?.fail(`Agent validation failed: ${validation.error}`);
+      throw new Error(validation.error);
+    }
+    spinner?.succeed(`Agent: ${validation.agent.name || state.agentId}`);
+    state.agentName = validation.agent.name;
+    const ocSpinner = interactive && !state.json ? ora3("Checking OpenCode...").start() : null;
+    try {
+      const oc = await ensureOpenCodeRunning({
+        port: state.port,
+        interactive: state.interactive,
+        agentId: state.agentId,
+        log: (message) => log(state, message)
       });
-      if (action === "start") {
-        let actualPort = port;
-        if (isPortInUse(port)) {
-          console.log(chalk4.yellow(`
-Port ${port} is already in use by another process.`));
-          const alternativePort = findAvailablePort(port + 1);
-          if (alternativePort) {
-            const useAlternative = await select({
-              message: `Would you like to use port ${alternativePort} instead?`,
-              choices: [
-                { name: `Yes, use port ${alternativePort}`, value: "yes" },
-                { name: "No, I will free up the port manually", value: "no" }
-              ]
-            });
-            if (useAlternative === "yes") {
-              actualPort = alternativePort;
-            } else {
-              console.log(chalk4.dim(`
-Free up port ${port} and run the tunnel command again.`));
-              blank();
-              process.exit(1);
-            }
-          } else {
-            console.log(
-              chalk4.red(
-                `Could not find an available port. Please free up port ${port} and try again.`
-              )
-            );
-            blank();
-            process.exit(1);
-          }
-        }
-        const opencodeStartSpinner = ora2(`Starting OpenCode on port ${actualPort}...`).start();
-        try {
-          let command = "opencode";
-          let args = ["serve", "--port", actualPort.toString()];
-          try {
-            execSync("which opencode", { stdio: "ignore" });
-          } catch {
-            command = "npx";
-            args = ["opencode", "serve", "--port", actualPort.toString()];
-          }
-          const child = spawn(command, args, {
-            detached: true,
-            stdio: "ignore",
-            cwd: process.cwd()
-            // Start in current working directory
+      state.port = oc.port;
+      state.opencodeProcess = oc.process;
+      state.opencodeVersion = oc.version;
+      state.opencodeConnected = oc.process !== null || oc.version !== null;
+      const version = state.opencodeVersion ? ` (v${state.opencodeVersion})` : "";
+      ocSpinner?.succeed(`OpenCode running on port ${state.port}${version}`);
+    } catch (error2) {
+      ocSpinner?.fail(error2.message);
+      throw error2;
+    }
+    const tunnelSpinner = interactive && !state.json ? ora3("Connecting tunnel...").start() : null;
+    const channelDriver = new ChannelDriver({
+      agentId: state.agentId,
+      port: state.port,
+      apiUrl: getApiUrlConfig(),
+      getAuthHeader: () => state.authHeader,
+      conversationFilter: state.conversationFilter,
+      log: (entry) => logActivity(state, {
+        type: entry.level === "error" ? "error" : "info",
+        message: entry.message,
+        error: entry.level === "error" ? entry.message : void 0
+      })
+    });
+    const connection = new RunnerConnection({
+      agentId: state.agentId,
+      getAuthHeader: () => state.authHeader,
+      port: state.port,
+      isRunning: () => state.running,
+      events: {
+        onConnected: (agentId, isReconnect) => {
+          state.connected = true;
+          state.agentId = agentId;
+          logActivity(state, {
+            type: "info",
+            message: `Tunnel ${isReconnect ? "reconnected" : "connected"} (agent: ${agentId})`
           });
-          child.unref();
-          const maxRetries = 10;
-          const retryDelayMs = 1e3;
-          let healthy = false;
-          let version;
-          for (let i = 0; i < maxRetries; i++) {
-            await sleep(retryDelayMs);
-            const retryHealth = await checkOpenCodeHealth(actualPort);
-            if (retryHealth.healthy) {
-              healthy = true;
-              version = retryHealth.version;
-              break;
+          emitAgentConnected(state.agentId, { port: state.port });
+          if (!isReconnect) tunnelSpinner?.succeed("Tunnel connected");
+          if (state.interactive) displayStatus(state);
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on connect`
+              });
+              if (state.interactive) displayStatus(state);
             }
-            opencodeStartSpinner.text = `Starting OpenCode on port ${actualPort}... (${i + 1}/${maxRetries})`;
-          }
-          if (healthy) {
-            state.opencodeConnected = true;
-            state.opencodeVersion = version ?? null;
-            const versionStr = version ? ` (v${version})` : "";
-            opencodeStartSpinner.succeed(`OpenCode started on port ${actualPort}${versionStr}`);
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
             logActivity(state, {
-              type: "info",
-              message: `OpenCode started on port ${actualPort}${versionStr}`
+              type: "error",
+              error: `Failed to drain queued messages on connect: ${message}`
             });
-          } else {
-            opencodeStartSpinner.warn(
-              "OpenCode process started but not responding. Check if it started correctly."
-            );
+            if (state.interactive) displayStatus(state);
+          });
+        },
+        onDisconnected: (code, reason) => {
+          state.connected = false;
+          logActivity(state, {
+            type: "info",
+            message: `Tunnel disconnected (code: ${code}, reason: ${reason})`
+          });
+          emitAgentDisconnected(state.agentId, { code, reason });
+          if (state.interactive) displayStatus(state);
+        },
+        onError: (error2) => {
+          logActivity(state, { type: "error", error: error2 });
+          if (state.interactive) displayStatus(state);
+        },
+        // Web traffic is proxied transparently; only note opencode is live.
+        onResponse: () => {
+          state.opencodeConnected = true;
+        },
+        // A channel message was queued and the api-worker pinged us over the
+        // tunnel to drain immediately instead of waiting for the next poll tick.
+        // Best-effort + non-fatal: mirror the on-connect drain block. A failed
+        // drain here is logged and swallowed — the steady-state poll retries, so
+        // a lost/failed ping can never orphan a message (§2 invariant).
+        onDrainPing: () => {
+          if (!state.running) return;
+          logActivity(state, { type: "info", message: "Drain ping received \u2014 draining" });
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on ping`
+              });
+              if (state.interactive) displayStatus(state);
+            }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
             logActivity(state, {
-              type: "info",
-              message: "OpenCode may still be starting..."
+              type: "error",
+              error: `Failed to drain queued messages on ping: ${message}`
             });
-            console.log(chalk4.dim("\nTip: Check for errors by running OpenCode manually:"));
-            console.log(chalk4.dim(`  opencode serve --port ${actualPort}`));
-            blank();
-          }
-        } catch (error2) {
-          const msg = error2 instanceof Error ? error2.message : "Unknown error";
-          opencodeStartSpinner.fail(`Failed to start OpenCode: ${msg}`);
-          logActivity(state, {
-            type: "error",
-            error: `Failed to start OpenCode: ${msg}`
+            if (state.interactive) displayStatus(state);
           });
-          console.log(chalk4.yellow("\nYou can try starting it manually:"));
-          console.log(chalk4.dim(`  opencode serve --port ${actualPort}`));
-          blank();
-        }
-      } else if (action === "manual") {
-        blank();
-        console.log(chalk4.yellow("To start OpenCode, run one of these commands:"));
-        blank();
-        console.log(chalk4.dim("  # Start OpenCode in your project directory:"));
-        console.log(chalk4.dim(`  opencode serve --port ${port}`));
-        blank();
-        console.log(chalk4.dim("  # Or if you have OpenCode installed globally:"));
-        console.log(chalk4.dim(`  npx opencode serve --port ${port}`));
-        blank();
-        console.log(
-          chalk4.dim("The tunnel will automatically forward requests once OpenCode is running.")
-        );
-        blank();
+        },
+        onInfo: (message) => logActivity(state, { type: "info", message })
       }
-    }
-  }
-  while (true) {
+    });
+    state.connection = connection;
     try {
-      await connect(credentials.token, sandboxId, port, state);
-      state.reconnectAttempt++;
-      const delay = getReconnectDelay(state.reconnectAttempt);
-      logActivity(state, {
-        type: "info",
-        message: `Reconnecting in ${Math.round(delay / 1e3)}s (attempt ${state.reconnectAttempt})...`
-      });
-      telemetry.info(
-        EventTypes.TUNNEL_RECONNECTING,
-        `Reconnecting (attempt ${state.reconnectAttempt})`,
-        {
-          attempt: state.reconnectAttempt,
-          delayMs: delay
-        },
-        state.sandboxId ?? void 0
-      );
-      displayStatus(state);
-      await sleep(delay);
+      await connection.connect();
     } catch (error2) {
-      const message = error2 instanceof Error ? error2.message : "Unknown error";
-      if (message === "Unauthorized") {
-        telemetry.error(
-          EventTypes.CLI_ERROR,
-          "Authentication failed",
-          {
-            command: "tunnel",
-            error: message
-          },
-          state.sandboxId ?? void 0
-        );
-        await shutdownTelemetry();
-        displayError(state, "Authentication failed", "Please run `evident login` again.");
-        process.exit(1);
-      }
-      logActivity(state, {
-        type: "error",
-        error: message
-      });
-      telemetry.error(
-        EventTypes.TUNNEL_ERROR,
-        `Tunnel error: ${message}`,
-        {
-          error: message,
-          attempt: state.reconnectAttempt
-        },
-        state.sandboxId ?? void 0
+      if (error2.message === "Unauthorized") tunnelSpinner?.fail("Unauthorized");
+      throw error2;
+    }
+    if (!interactive || state.json) {
+      log(state, "Driving channel messages...");
+    }
+    await driveChannels(state, channelDriver);
+    await cleanup(state);
+    if (state.json) {
+      console.log(
+        JSON.stringify({
+          status: "success",
+          messages_processed: state.messageCount
+        })
       );
-      state.reconnectAttempt++;
-      const delay = getReconnectDelay(state.reconnectAttempt);
-      logActivity(state, {
-        type: "info",
-        message: `Reconnecting in ${Math.round(delay / 1e3)}s (attempt ${state.reconnectAttempt})...`
-      });
-      displayStatus(state);
-      await sleep(delay);
+    } else if (!interactive) {
+      log(state, `Completed. Processed ${state.messageCount} message(s).`);
+    }
+    await shutdownTelemetry();
+    process.exit(0);
+  } catch (error2) {
+    await cleanup(state);
+    const message = error2 instanceof Error ? error2.message : String(error2);
+    if (state.json) {
+      console.log(JSON.stringify({ status: "error", error: message }));
+    } else {
+      printError(message);
     }
+    telemetry.error(EventTypes.CLI_ERROR, `Run command failed: ${message}`, {
+      command: "run",
+      agentId: options.agent
+    });
+    await shutdownTelemetry();
+    process.exit(1);
   }
 }
 
 // src/index.ts
 var program = new Command();
-program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option("-e, --env <environment>", "Environment to use (local, dev, production)", "production").hook("preAction", (thisCommand) => {
-  const env = thisCommand.opts().env;
-  if (env) {
-    setEnvironment(env);
+program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option(
+  "--endpoint <url>",
+  "Evident API base URL (default: production; e.g. http://localhost:3001)"
+).option("--tunnel <url>", "Tunnel WebSocket URL (default: production; e.g. ws://localhost:8787)").hook("preAction", (thisCommand) => {
+  const { endpoint, tunnel } = thisCommand.opts();
+  if (endpoint) {
+    setEndpoint(endpoint);
+  }
+  if (tunnel) {
+    setTunnelUrl(tunnel);
   }
 });
 program.command("login").description("Authenticate with Evident").option("--token", "Use token-based authentication (for CI/CD)").option("--no-browser", "Do not open the browser automatically").action(login);
-program.command("logout").description("Remove stored credentials").action(logout);
+program.command("logout").description("Remove stored credentials for the current endpoint").option("--all", "Remove stored credentials for all endpoints").action((options) => logout({ all: options.all }));
 program.command("whoami").description("Show the currently logged in user").action(whoami);
-program.command("tunnel").description("Establish a tunnel to Evident for Local Mode").requiredOption("-s, --sandbox <id>", "Sandbox ID to connect to (required)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").action((options) => {
-  tunnel({
-    sandbox: options.sandbox,
-    port: parseInt(options.port, 10),
-    verbose: options.verbose
-  });
-});
+program.command("run").description("Connect to Evident and process messages").option("-a, --agent [id]", "Agent ID to connect to (optional when EVIDENT_AGENT_KEY is set)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
+  (options) => {
+    run({
+      agent: options.agent,
+      port: parseInt(options.port, 10),
+      verbose: options.verbose,
+      conversation: options.conversation,
+      idleTimeout: options.idleTimeout ? parseInt(options.idleTimeout, 10) : void 0,
+      json: options.json
+    });
+  }
+);
 program.parse();
 //# sourceMappingURL=index.js.map