npm - @evident-ai/cli - Versions diffs - 0.2.1-dev.4fb519b → 0.2.1-dev.581fd4b - Mend

@evident-ai/cli 0.2.1-dev.4fb519b → 0.2.1-dev.581fd4b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -12,41 +12,30 @@ import chalk2 from "chalk";
 import Conf from "conf";
 import { homedir } from "os";
 import { join } from "path";
-var environmentPresets = {
-  local: {
-    apiUrl: "http://localhost:3001/v1",
-    tunnelUrl: "ws://localhost:8787"
-  },
-  dev: {
-    apiUrl: "https://api.dev.evident.run/v1",
-    tunnelUrl: "wss://tunnel.dev.evident.run"
-  },
-  production: {
-    // Production URLs also have aliases: api.evident.run, tunnel.evident.run
-    apiUrl: "https://api.production.evident.run/v1",
-    tunnelUrl: "wss://tunnel.production.evident.run"
-  }
+var PRODUCTION_API_URL = "https://api.production.evident.run/v1";
+var PRODUCTION_TUNNEL_URL = "wss://tunnel.production.evident.run";
+var defaults = {
+  apiUrl: PRODUCTION_API_URL,
+  tunnelUrl: PRODUCTION_TUNNEL_URL
 };
-var defaults = environmentPresets.production;
-var currentEnvironment = "production";
-function setEnvironment(env) {
-  currentEnvironment = env;
-}
-function getEnvironment() {
-  const envVar = process.env.EVIDENT_ENV;
-  if (envVar && environmentPresets[envVar]) {
-    return envVar;
+var endpointOverride;
+var tunnelOverride;
+function setEndpoint(url) {
+  if (!url) {
+    endpointOverride = void 0;
+    return;
   }
-  return currentEnvironment;
+  const trimmed = url.replace(/\/+$/, "");
+  endpointOverride = /\/v1$/.test(trimmed) ? trimmed : `${trimmed}/v1`;
 }
-function getEnvConfig() {
-  return environmentPresets[getEnvironment()];
+function setTunnelUrl(url) {
+  tunnelOverride = url ? url.replace(/\/+$/, "") : void 0;
 }
 function getApiUrl() {
-  return process.env.EVIDENT_API_URL ?? getEnvConfig().apiUrl;
+  return process.env.EVIDENT_API_URL ?? endpointOverride ?? defaults.apiUrl;
 }
 function getTunnelUrl() {
-  return process.env.EVIDENT_TUNNEL_URL ?? getEnvConfig().tunnelUrl;
+  return process.env.EVIDENT_TUNNEL_URL ?? tunnelOverride ?? defaults.tunnelUrl;
 }
 var config = new Conf({
   projectName: "evident",
@@ -444,9 +433,9 @@ async function whoami() {
 }
 // src/commands/run.ts
-import chalk5 from "chalk";
-import ora2 from "ora";
-import { select as select2 } from "@inquirer/prompts";
+import chalk6 from "chalk";
+import ora3 from "ora";
+import { select as select3 } from "@inquirer/prompts";
 // ../../packages/types/src/telemetry/index.ts
 var TelemetryEventTypes = {
@@ -459,10 +448,7 @@ var TelemetryEventTypes = {
 };
 // ../../packages/types/src/tunnel/index.ts
-var TUNNEL_CHUNK_THRESHOLD = 512 * 1024;
-var TUNNEL_CHUNK_SIZE = 768 * 1024;
-var TUNNEL_MAX_RESPONSE_SIZE = 50 * 1024 * 1024;
-var TUNNEL_CHUNK_TIMEOUT_MS = 30 * 1e3;
+var MAX_FRAME_BYTES = 256 * 1024;
 // src/lib/telemetry.ts
 var CLI_VERSION = process.env.npm_package_version || "unknown";
@@ -574,33 +560,6 @@ function emitAgentDisconnected(agentId, metadata) {
     agent_id: agentId
   });
 }
-function emitAgentMessageProcessing(agentId, metadata) {
-  emitEvent({
-    event_type: TelemetryEventTypes.AGENT_MESSAGE_PROCESSING,
-    severity: "info",
-    message: `Processing message ${metadata.message_id.slice(0, 8)}...`,
-    metadata,
-    agent_id: agentId
-  });
-}
-function emitAgentMessageDone(agentId, metadata) {
-  emitEvent({
-    event_type: TelemetryEventTypes.AGENT_MESSAGE_DONE,
-    severity: "info",
-    message: `Message ${metadata.message_id.slice(0, 8)} processed`,
-    metadata,
-    agent_id: agentId
-  });
-}
-function emitAgentMessageFailed(agentId, metadata) {
-  emitEvent({
-    event_type: TelemetryEventTypes.AGENT_MESSAGE_FAILED,
-    severity: "error",
-    message: metadata.error ? `Message ${metadata.message_id.slice(0, 8)} failed: ${metadata.error}` : `Message ${metadata.message_id.slice(0, 8)} ${metadata.reason || "failed"}`,
-    metadata,
-    agent_id: agentId
-  });
-}
 var EventTypes = {
   // Tunnel lifecycle
   TUNNEL_STARTING: "tunnel.starting",
@@ -665,7 +624,7 @@ function isInteractive(jsonOutput) {
 // src/lib/opencode/health.ts
 async function checkOpenCodeHealth(port) {
   try {
-    const response = await fetch(`http://localhost:${port}/global/health`, {
+    const response = await fetch(`http://127.0.0.1:${port}/global/health`, {
       signal: AbortSignal.timeout(2e3)
       // 2 second timeout
     });
@@ -844,12 +803,12 @@ async function findHealthyOpenCodeInstances() {
 }
 async function startOpenCode(port) {
   let command = "opencode";
-  let args = ["serve", "--port", port.toString()];
+  let args = ["serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
   try {
     execSync("which opencode", { stdio: "ignore" });
   } catch {
     command = "npx";
-    args = ["opencode", "serve", "--port", port.toString()];
+    args = ["opencode", "serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
   }
   const child = spawn(command, args, {
     detached: true,
@@ -1082,147 +1041,143 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
 }
 // src/lib/tunnel/connection.ts
-import WebSocket from "ws";
+import WebSocket2 from "ws";
 // src/lib/tunnel/forwarding.ts
-var CHUNK_THRESHOLD = 512 * 1024;
-var CHUNK_SIZE = 768 * 1024;
-async function forwardToOpenCode(port, request) {
-  const url = `http://localhost:${port}${request.path}`;
-  try {
-    const response = await fetch(url, {
-      method: request.method,
-      headers: {
-        "Content-Type": "application/json",
-        ...request.headers
-      },
-      body: request.body ? JSON.stringify(request.body) : void 0
-    });
-    let body;
-    const contentType = response.headers.get("Content-Type");
-    const text = await response.text();
-    if (!text || text.length === 0) {
-      body = null;
-    } else if (contentType?.includes("application/json")) {
+import WebSocket from "ws";
+var LOOPBACK_HOST = "127.0.0.1";
+var STRIP_REQ = /* @__PURE__ */ new Set([
+  "host",
+  "connection",
+  "keep-alive",
+  "proxy-authorization",
+  "transfer-encoding",
+  "upgrade",
+  "content-length"
+]);
+var STRIP_RES = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "transfer-encoding",
+  "content-encoding",
+  "content-length"
+]);
+var StreamForwarder = class {
+  constructor(ws, port, callbacks = {}) {
+    this.ws = ws;
+    this.port = port;
+    this.callbacks = callbacks;
+  }
+  inflight = /* @__PURE__ */ new Map();
+  /**
+   * Handle an edge→agent frame. Unknown frame types are ignored.
+   */
+  handleFrame(frame) {
+    switch (frame.type) {
+      case "open":
+        this.callbacks.onOpen?.(frame.sid, frame.method, frame.path);
+        void this.handleOpen(frame);
+        break;
+      case "req_data":
+        this.inflight.get(frame.sid)?.pushBody?.(Buffer.from(frame.b64, "base64"));
+        break;
+      case "req_end":
+        this.inflight.get(frame.sid)?.endBody?.();
+        break;
+      case "abort":
+        this.inflight.get(frame.sid)?.abort?.();
+        break;
+    }
+  }
+  /**
+   * Abort every in-flight stream (e.g. on WebSocket close).
+   */
+  abortAll() {
+    for (const stream of this.inflight.values()) {
       try {
-        body = JSON.parse(text);
+        stream.abort();
       } catch {
-        body = text;
       }
-    } else {
-      body = text;
     }
-    return {
-      status: response.status,
-      body
-    };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return {
-      status: 502,
-      body: { error: "Failed to connect to OpenCode", message }
-    };
+    this.inflight.clear();
   }
-}
-function sendResponse(ws, requestId, response) {
-  const bodyStr = JSON.stringify(response.body ?? null);
-  const bodyBytes = Buffer.from(bodyStr, "utf-8");
-  if (bodyBytes.length < CHUNK_THRESHOLD) {
-    ws.send(
-      JSON.stringify({
-        type: "response",
-        id: requestId,
-        payload: response
-      })
-    );
-    return;
+  send(frame) {
+    if (this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(frame));
+    }
   }
-  sendResponseAsChunks(ws, requestId, response, bodyBytes);
-}
-function sendResponseAsChunks(ws, requestId, response, bodyBytes) {
-  const chunks = splitIntoChunks(bodyBytes, CHUNK_SIZE);
-  ws.send(
-    JSON.stringify({
-      type: "response_start",
-      id: requestId,
-      total_chunks: chunks.length,
-      total_size: bodyBytes.length,
-      payload: {
-        status: response.status,
-        headers: response.headers
+  async handleOpen(frame) {
+    const { sid, method, path, headers, has_body } = frame;
+    const ac = new AbortController();
+    let bodyPromise;
+    let pushBody;
+    let endBody;
+    if (has_body) {
+      const chunks = [];
+      bodyPromise = new Promise((resolve) => {
+        pushBody = (buf) => {
+          chunks.push(buf);
+        };
+        endBody = () => {
+          resolve(Buffer.concat(chunks));
+        };
+      });
+    }
+    const fwdHeaders = {};
+    for (const [k, v] of Object.entries(headers ?? {})) {
+      if (!STRIP_REQ.has(k.toLowerCase())) fwdHeaders[k] = v;
+    }
+    this.inflight.set(sid, { pushBody, endBody, abort: () => ac.abort() });
+    const body = bodyPromise ? await bodyPromise : void 0;
+    if (ac.signal.aborted) {
+      this.inflight.delete(sid);
+      return;
+    }
+    let upstream;
+    try {
+      upstream = await fetch(`http://${LOOPBACK_HOST}:${this.port}${path}`, {
+        method,
+        headers: fwdHeaders,
+        body,
+        redirect: "manual",
+        signal: ac.signal
+      });
+    } catch (err) {
+      this.inflight.delete(sid);
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: `upstream fetch failed: ${String(err)}` });
       }
-    })
-  );
-  for (let i = 0; i < chunks.length; i++) {
-    ws.send(
-      JSON.stringify({
-        type: "response_chunk",
-        id: requestId,
-        chunk_index: i,
-        data: chunks[i].toString("base64")
-      })
-    );
-  }
-  ws.send(
-    JSON.stringify({
-      type: "response_end",
-      id: requestId
-    })
-  );
-}
-function splitIntoChunks(data, chunkSize) {
-  const chunks = [];
-  for (let i = 0; i < data.length; i += chunkSize) {
-    chunks.push(data.subarray(i, i + chunkSize));
-  }
-  return chunks;
-}
-// src/lib/tunnel/events.ts
-async function subscribeToOpenCodeEvents(port, subscriptionId, ws, abortController) {
-  const url = `http://localhost:${port}/event`;
-  try {
-    const response = await fetch(url, {
-      headers: { Accept: "text/event-stream" },
-      signal: abortController.signal
+      return;
+    }
+    const resHeaders = {};
+    upstream.headers.forEach((value, key) => {
+      if (!STRIP_RES.has(key.toLowerCase())) resHeaders[key] = value;
     });
-    if (!response.ok) {
-      throw new Error(`Failed to connect to OpenCode events: ${response.status}`);
-    }
-    if (!response.body) {
-      throw new Error("No response body");
-    }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) {
-        ws.send(JSON.stringify({ type: "event_end", id: subscriptionId }));
-        break;
-      }
-      buffer += decoder.decode(value, { stream: true });
-      const lines = buffer.split("\n");
-      buffer = lines.pop() || "";
-      for (const line of lines) {
-        if (line.startsWith("data: ")) {
-          try {
-            const event = JSON.parse(line.slice(6));
-            ws.send(JSON.stringify({ type: "event", id: subscriptionId, event }));
-          } catch {
+    this.send({ type: "head", sid, status: upstream.status, headers: resHeaders });
+    this.callbacks.onHead?.(sid, upstream.status);
+    try {
+      if (upstream.body) {
+        const reader = upstream.body.getReader();
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          const chunk = Buffer.from(value);
+          for (let i = 0; i < chunk.length; i += MAX_FRAME_BYTES) {
+            const slice = chunk.subarray(i, i + MAX_FRAME_BYTES);
+            this.send({ type: "res_data", sid, b64: slice.toString("base64") });
           }
         }
       }
+      this.send({ type: "res_end", sid });
+    } catch (err) {
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: String(err) });
+      }
+    } finally {
+      this.inflight.delete(sid);
     }
-  } catch (error2) {
-    if (abortController.signal.aborted) {
-      return;
-    }
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    ws.send(JSON.stringify({ type: "event_error", id: subscriptionId, error: message }));
-    throw error2;
   }
-}
+};
 // src/lib/tunnel/connection.ts
 var MAX_RECONNECT_DELAY = 3e4;
@@ -1232,6 +1187,33 @@ function getReconnectDelay(attempt) {
   const jitter = Math.random() * 1e3;
   return Math.min(exponentialDelay + jitter, MAX_RECONNECT_DELAY);
 }
+function describeSocketError(error2, url) {
+  const code = error2.code;
+  switch (code) {
+    case "ECONNREFUSED":
+      return `connection refused at ${url} \u2014 is the tunnel relay running? (ECONNREFUSED)`;
+    case "ENOTFOUND":
+      return `host not found for ${url} \u2014 check the tunnel URL (ENOTFOUND)`;
+    case "ETIMEDOUT":
+      return `connection timed out to ${url} (ETIMEDOUT)`;
+    case "ECONNRESET":
+      return `connection reset by ${url} (ECONNRESET)`;
+    default: {
+      const base = error2.message?.trim();
+      const suffix = code ? ` (${code})` : "";
+      return `${base && base.length > 0 ? base : "socket error"}${suffix} connecting to ${url}`;
+    }
+  }
+}
+var STREAM_FRAME_TYPES = /* @__PURE__ */ new Set([
+  "open",
+  "req_data",
+  "req_end",
+  "abort"
+]);
+function isStreamFrame(message) {
+  return STREAM_FRAME_TYPES.has(message.type);
+}
 function connectTunnel(options) {
   const {
     agentId,
@@ -1246,326 +1228,688 @@ function connectTunnel(options) {
   } = options;
   const tunnelUrl = getTunnelUrlConfig();
   const url = `${tunnelUrl}/tunnel/${agentId}/connect`;
-  const activeEventSubscriptions = /* @__PURE__ */ new Map();
   return new Promise((resolve, reject) => {
-    const ws = new WebSocket(url, {
+    const ws = new WebSocket2(url, {
       headers: {
         Authorization: authHeader
       }
     });
+    const streamStartTimes = /* @__PURE__ */ new Map();
+    const forwarder = new StreamForwarder(ws, port, {
+      onOpen: (sid, method, path) => {
+        streamStartTimes.set(sid, Date.now());
+        onRequest?.(method, path, sid);
+      },
+      onHead: (sid, status) => {
+        const startedAt = streamStartTimes.get(sid);
+        streamStartTimes.delete(sid);
+        onResponse?.(status, startedAt ? Date.now() - startedAt : 0, sid);
+      }
+    });
     const connectionTimeout = setTimeout(() => {
       ws.close();
       reject(new Error("Connection timeout"));
     }, 3e4);
+    let upgradeRejection = null;
+    ws.on("unexpected-response", (_req, res) => {
+      clearTimeout(connectionTimeout);
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => {
+        const bodyRaw = Buffer.concat(chunks).toString("utf8").trim();
+        let detail = bodyRaw;
+        try {
+          const parsed = JSON.parse(bodyRaw);
+          detail = parsed.error ?? parsed.message ?? bodyRaw;
+          if (parsed.details) detail += ` (${parsed.details})`;
+        } catch {
+        }
+        const statusLine = `HTTP ${res.statusCode}${res.statusMessage ? ` ${res.statusMessage}` : ""}`;
+        upgradeRejection = detail ? `${statusLine}: ${detail}` : statusLine;
+        onError?.(`Tunnel refused by relay (${upgradeRejection})`);
+        reject(new Error(`Tunnel handshake rejected: ${upgradeRejection}`));
+      });
+    });
     ws.on("open", () => {
       onInfo?.("WebSocket connection established");
     });
-    ws.on("message", async (data) => {
+    ws.on("message", (data) => {
+      let message;
       try {
-        const message = JSON.parse(data.toString());
-        switch (message.type) {
-          case "connected": {
-            clearTimeout(connectionTimeout);
-            const connectedAgentId = message.agent_id ?? agentId;
-            onConnected?.(connectedAgentId);
-            resolve({
-              ws,
-              close: () => ws.close(1e3, "CLI shutdown"),
-              activeEventSubscriptions
-            });
-            break;
-          }
-          case "error":
-            clearTimeout(connectionTimeout);
-            onError?.(message.message || "Unknown tunnel error");
-            if (message.code === "unauthorized") {
-              ws.close();
-              reject(new Error("Unauthorized"));
-            }
-            break;
-          case "ping":
-            ws.send(JSON.stringify({ type: "pong" }));
-            break;
-          case "request":
-            if (message.id && message.payload) {
-              const startTime = Date.now();
-              onRequest?.(message.payload.method, message.payload.path, message.id);
-              const response = await forwardToOpenCode(port, message.payload);
-              const durationMs = Date.now() - startTime;
-              onResponse?.(response.status, durationMs, message.id);
-              sendResponse(ws, message.id, response);
-            }
-            break;
-          case "subscribe_events":
-            if (message.id) {
-              const abortController = new AbortController();
-              activeEventSubscriptions.set(message.id, abortController);
-              onInfo?.(`Starting event subscription ${message.id.slice(0, 8)}`);
-              subscribeToOpenCodeEvents(port, message.id, ws, abortController).catch((error2) => {
-                if (!abortController.signal.aborted) {
-                  onError?.(`Event subscription failed: ${error2.message}`);
-                }
-              }).finally(() => {
-                activeEventSubscriptions.delete(message.id);
-              });
-            }
-            break;
-          case "unsubscribe_events":
-            if (message.id) {
-              const controller = activeEventSubscriptions.get(message.id);
-              if (controller) {
-                controller.abort();
-                activeEventSubscriptions.delete(message.id);
-              }
-            }
-            break;
-        }
+        message = JSON.parse(data.toString());
       } catch (error2) {
         const errorMessage = error2 instanceof Error ? error2.message : "Unknown error";
         onError?.(`Failed to handle message: ${errorMessage}`);
+        return;
+      }
+      if (isStreamFrame(message)) {
+        forwarder.handleFrame(message);
+        return;
+      }
+      switch (message.type) {
+        case "connected": {
+          clearTimeout(connectionTimeout);
+          const connectedAgentId = message.agent_id ?? agentId;
+          onConnected?.(connectedAgentId);
+          resolve({
+            ws,
+            close: () => ws.close(1e3, "CLI shutdown")
+          });
+          break;
+        }
+        case "error":
+          clearTimeout(connectionTimeout);
+          onError?.(message.message || "Unknown tunnel error");
+          if (message.code === "unauthorized") {
+            ws.close();
+            reject(new Error("Unauthorized"));
+          }
+          break;
+        case "ping":
+          ws.send(JSON.stringify({ type: "pong" }));
+          break;
       }
     });
     ws.on("error", (error2) => {
       clearTimeout(connectionTimeout);
-      onError?.(`Connection error: ${error2.message}`);
-      reject(error2);
+      const detail = upgradeRejection ?? describeSocketError(error2, url);
+      onError?.(`Connection error: ${detail}`);
+      reject(upgradeRejection ? new Error(upgradeRejection) : new Error(detail));
     });
     ws.on("close", (code, reason) => {
-      const reasonStr = reason.toString() || "No reason provided";
+      const reasonStr = reason.toString() || upgradeRejection || (code === 1006 ? "abnormal closure" : "No reason provided");
+      forwarder.abortAll();
+      streamStartTimes.clear();
       onDisconnected?.(code, reasonStr);
-      for (const [, controller] of activeEventSubscriptions) {
-        controller.abort();
-      }
-      activeEventSubscriptions.clear();
     });
   });
 }
-// src/commands/run.ts
-var MAX_ACTIVITY_LOG_ENTRIES = 10;
-var MESSAGE_POLL_INTERVAL_MS = 2e3;
-var MAX_CONSECUTIVE_FETCH_FAILURES = 3;
-var LOCK_HEARTBEAT_INTERVAL_MS = 5 * 60 * 1e3;
-async function resolveAgentIdFromKey(authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(`${apiUrl}/me`, {
-      headers: { Authorization: authHeader }
-    });
-    if (!response.ok) {
-      return { error: `Failed to resolve agent from key: HTTP ${response.status}` };
-    }
-    const data = await response.json();
-    if (data.auth_type === "agent_key" && data.agent_id) {
-      return { agent_id: data.agent_id };
+// src/lib/tunnel/runner-connection.ts
+var RunnerConnection = class {
+  opts;
+  sleep;
+  connection = null;
+  resolvedAgentId;
+  /** True while a (re)connect loop is in flight. */
+  reconnecting = false;
+  /** The in-flight reconnect promise, awaitable by the caller. */
+  reconnectPromise = null;
+  /** 1-based count of the current reconnect attempt streak. */
+  reconnectAttempt = 0;
+  constructor(opts) {
+    this.opts = opts;
+    this.resolvedAgentId = opts.agentId;
+    this.sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  }
+  get agentId() {
+    return this.resolvedAgentId;
+  }
+  /** Establish the initial tunnel connection (with retry/backoff). */
+  async connect() {
+    await this.connectWithRetry(false);
+  }
+  /** Close the active connection (idempotent). */
+  close() {
+    if (this.connection) {
+      try {
+        this.connection.close();
+      } catch {
+      }
+      this.connection = null;
     }
-    return {
-      error: "Cannot resolve agent ID: auth type is not agent_key. Please provide --agent explicitly."
-    };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { error: `Failed to resolve agent from key: ${message}` };
   }
-}
-async function getAgentInfo(agentId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(`${apiUrl}/agents/${agentId}`, {
-      headers: { Authorization: authHeader }
-    });
-    if (response.status === 404) {
-      return { valid: false, error: "Agent not found" };
-    }
-    if (response.status === 401) {
-      return { valid: false, error: "Authentication failed", authFailed: true };
-    }
-    if (!response.ok) {
-      return { valid: false, error: `API error: ${response.status}` };
-    }
-    const agent = await response.json();
-    if (agent.sandbox_type !== "local" && agent.sandbox_type !== "github_actions") {
-      return {
-        valid: false,
-        error: `Agent is type '${agent.sandbox_type}', must be 'local' or 'github_actions' for CLI connection`
-      };
+  async connectWithRetry(isReconnect) {
+    if (isReconnect && this.reconnecting) return;
+    this.reconnecting = true;
+    this.close();
+    const { events } = this.opts;
+    while (this.opts.isRunning()) {
+      try {
+        this.connection = await connectTunnel({
+          agentId: this.resolvedAgentId,
+          authHeader: this.opts.getAuthHeader(),
+          port: this.opts.port,
+          onConnected: (agentId) => {
+            this.reconnectAttempt = 0;
+            this.reconnecting = false;
+            this.resolvedAgentId = agentId;
+            events.onConnected(agentId, isReconnect);
+          },
+          onDisconnected: (code, reason) => {
+            events.onDisconnected(code, reason);
+            if (this.opts.isRunning() && code !== 1e3 && !this.reconnecting) {
+              this.reconnectPromise = this.connectWithRetry(true).catch((err) => {
+                events.onError?.(`Reconnection failed: ${err.message}`);
+              });
+            }
+          },
+          onError: (error2) => events.onError?.(error2),
+          onResponse: () => events.onResponse?.(),
+          onInfo: (message) => events.onInfo?.(message)
+        });
+        return;
+      } catch (error2) {
+        this.reconnectAttempt++;
+        if (error2.message === "Unauthorized") {
+          this.reconnecting = false;
+          throw error2;
+        }
+        const delay = getReconnectDelay(this.reconnectAttempt);
+        events.onReconnecting?.(this.reconnectAttempt);
+        events.onError?.(`Connection failed, retrying in ${Math.round(delay / 1e3)}s...`);
+        await this.sleep(delay);
+      }
     }
-    return { valid: true, agent };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { valid: false, error: `Failed to validate agent: ${message}` };
+    this.reconnecting = false;
   }
-}
-var AuthenticationError = class extends Error {
+};
+// src/lib/channels/driver.ts
+var DEFAULT_RETRY_POLICY = {
+  maxAttempts: 6,
+  baseDelayMs: 500,
+  maxDelayMs: 3e4
+};
+var ChannelAuthError = class extends Error {
   constructor(message) {
     super(message);
-    this.name = "AuthenticationError";
+    this.name = "ChannelAuthError";
   }
 };
-function checkAuthResponse(response, context) {
-  if (response.status === 401 || response.status === 403) {
-    throw new AuthenticationError(
-      `Authentication failed during ${context}: HTTP ${response.status}. Your session may have expired.`
-    );
-  }
-}
-async function getPendingConversations(agentId, authHeader, conversationFilter) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(`${apiUrl}/agents/${agentId}/conversations/pending`, {
-    headers: { Authorization: authHeader }
-  });
-  checkAuthResponse(response, "fetching pending conversations");
-  if (!response.ok) {
-    throw new Error(`Failed to get pending conversations: HTTP ${response.status}`);
-  }
-  const data = await response.json();
-  let conversations = data.conversations;
-  if (conversationFilter) {
-    conversations = conversations.filter((c) => c.id === conversationFilter);
+function backoffDelay(attempt, policy) {
+  const exp = policy.baseDelayMs * Math.pow(2, attempt);
+  const capped = Math.min(policy.maxDelayMs, exp);
+  return Math.floor(Math.random() * capped);
+}
+function isRetryableStatus(status) {
+  return status === 429 || status >= 500 && status <= 599;
+}
+var ChannelDriver = class {
+  agentId;
+  port;
+  apiUrl;
+  getAuthHeader;
+  conversationFilter;
+  retry;
+  log;
+  fetchImpl;
+  sleep;
+  /** Cache of conversationId → opencode sessionId. */
+  sessions = /* @__PURE__ */ new Map();
+  /** Serialises drains so a reconnect during a drain doesn't double-process. */
+  draining = false;
+  constructor(config2) {
+    this.agentId = config2.agentId;
+    this.port = config2.port;
+    this.apiUrl = config2.apiUrl.replace(/\/$/, "");
+    this.getAuthHeader = config2.getAuthHeader;
+    this.conversationFilter = config2.conversationFilter ?? null;
+    this.retry = { ...DEFAULT_RETRY_POLICY, ...config2.retry };
+    this.log = config2.log ?? (() => {
+    });
+    this.fetchImpl = config2.fetchImpl ?? fetch;
+    this.sleep = config2.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
   }
-  return conversations;
-}
-async function getPendingMessages(agentId, conversationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages?status=pending`,
-    { headers: { Authorization: authHeader } }
-  );
-  checkAuthResponse(response, "fetching pending messages");
-  if (!response.ok) {
-    throw new Error(`Failed to get messages: HTTP ${response.status}`);
+  /** The IPv4-loopback base URL for the local `opencode serve`. */
+  get opencodeBase() {
+    return `http://127.0.0.1:${this.port}`;
   }
-  return response.json();
-}
-async function markMessageProcessing(agentId, conversationId, messageId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages/${messageId}`,
-    {
-      method: "PATCH",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ status: "processing" })
-    }
-  );
-  checkAuthResponse(response, "marking message as processing");
-  return response.ok;
-}
-async function reportInteractiveEvent(agentId, conversationId, type, data, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/interactive-event`,
-    {
-      method: "POST",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ type, data })
+  // -------------------------------------------------------------------------
+  // Public API
+  // -------------------------------------------------------------------------
+  /**
+   * Drain all pending channel conversations once: poll → process → callback.
+   * Called on tunnel `connected` (WI-CHAN-4) and on each poll tick by `run.ts`.
+   * Re-entrant calls while a drain is in flight are skipped (return 0).
+   *
+   * @returns the number of messages processed.
+   */
+  async drainPending() {
+    if (this.draining) return 0;
+    this.draining = true;
+    let processed = 0;
+    try {
+      const conversations = await this.getPendingConversations();
+      for (const conv of conversations) {
+        processed += await this.processConversation(conv);
+      }
+    } finally {
+      this.draining = false;
+    }
+    return processed;
+  }
+  // -------------------------------------------------------------------------
+  // Conversation processing
+  // -------------------------------------------------------------------------
+  async processConversation(conv) {
+    const sessionId = await this.ensureSession(conv);
+    const messages = await this.getPendingMessages(conv.id);
+    let processed = 0;
+    for (const message of messages) {
+      const claimed = await this.markProcessing(conv.id, message.id);
+      if (!claimed) {
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} already claimed \u2014 skipping`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        continue;
+      }
+      try {
+        await sendMessageToOpenCode(
+          this.port,
+          sessionId,
+          message.content,
+          {
+            agent: message.opencode_agent ?? void 0,
+            model: message.opencode_model ?? void 0
+          },
+          {
+            onQuestion: (question) => this.reportInteraction(conv.id, "question", question),
+            onPermission: (permission) => this.reportInteraction(conv.id, "permission", permission)
+          }
+        );
+        await this.confirmCompletion(sessionId);
+        await this.markDone(conv.id, message.id, sessionId);
+        processed += 1;
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} processed`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+      } catch (err) {
+        if (err instanceof ChannelAuthError) throw err;
+        await this.markFailed(conv.id, message.id).catch(() => {
+        });
+        this.log({
+          level: "error",
+          message: `Message ${message.id.slice(0, 8)} failed: ${err instanceof Error ? err.message : String(err)}`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+      }
     }
-  );
-  checkAuthResponse(response, "reporting interactive event");
-  if (!response.ok) {
-    throw new Error(`Failed to report interactive event: HTTP ${response.status}`);
-  }
-}
-async function markMessageDone(agentId, conversationId, messageId, authHeader, sessionId) {
-  const apiUrl = getApiUrlConfig();
-  const body = { status: "done" };
-  if (sessionId) {
-    body.opencode_session_id = sessionId;
+    return processed;
   }
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages/${messageId}`,
-    {
-      method: "PATCH",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify(body)
-    }
-  );
-  checkAuthResponse(response, "marking message as done");
-}
-async function markMessageFailed(agentId, conversationId, messageId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages/${messageId}`,
-    {
-      method: "PATCH",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ status: "failed" })
+  async ensureSession(conv) {
+    const cached = this.sessions.get(conv.id);
+    if (cached) return cached;
+    if (conv.opencode_session_id) {
+      this.sessions.set(conv.id, conv.opencode_session_id);
+      return conv.opencode_session_id;
     }
-  );
-  checkAuthResponse(response, "marking message as failed");
-}
-async function acquireConversationLock(agentId, conversationId, correlationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(`${apiUrl}/agents/${agentId}/threads/${conversationId}/lock`, {
-      method: "POST",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ correlation_id: correlationId })
+    const sessionId = await createOpenCodeSession(this.port);
+    this.sessions.set(conv.id, sessionId);
+    await this.persistSession(conv.id, sessionId).catch(() => {
     });
-    checkAuthResponse(response, "acquiring conversation lock");
-    if (response.status === 409) {
-      return { acquired: false, error: "Conversation already locked by another runner" };
-    }
-    if (!response.ok) {
-      return { acquired: false, error: `Failed to acquire lock: HTTP ${response.status}` };
+    return sessionId;
+  }
+  /**
+   * Local reconcile: re-query `GET /session/:id` and check `time.completed`.
+   * Best-effort — if opencode is unreachable or the field is absent we proceed
+   * to mark done anyway (the blocking call already returned).
+   */
+  async confirmCompletion(sessionId) {
+    try {
+      const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}`);
+      if (!res.ok) return;
+      const session = await res.json();
+      if (session.time && session.time.completed == null) {
+        this.log({
+          level: "info",
+          message: `Session ${sessionId.slice(0, 8)} not marked completed on reconcile \u2014 delivering anyway`
+        });
+      }
+    } catch {
     }
-    return { acquired: true };
-  } catch (error2) {
-    if (error2 instanceof AuthenticationError) throw error2;
-    return { acquired: false, error: String(error2) };
   }
-}
-async function extendConversationLock(agentId, conversationId, correlationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(
-      `${apiUrl}/agents/${agentId}/threads/${conversationId}/lock/extend`,
+  // -------------------------------------------------------------------------
+  // Evident API calls (combinedAuth thread routes)
+  // -------------------------------------------------------------------------
+  async getPendingConversations() {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/conversations/pending`,
       {
-        method: "POST",
-        headers: { Authorization: authHeader, "Content-Type": "application/json" },
-        body: JSON.stringify({ correlation_id: correlationId })
+        headers: { Authorization: this.getAuthHeader() }
       }
     );
-    return response.ok;
-  } catch {
-    return false;
+    this.assertAuth(res, "fetching pending conversations");
+    if (!res.ok) {
+      throw new Error(`Failed to get pending conversations: HTTP ${res.status}`);
+    }
+    const data = await res.json();
+    let conversations = data.conversations;
+    if (this.conversationFilter) {
+      conversations = conversations.filter((c) => c.id === this.conversationFilter);
+    }
+    return conversations;
   }
-}
-async function releaseConversationLock(agentId, conversationId, correlationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    await fetch(
-      `${apiUrl}/agents/${agentId}/threads/${conversationId}/lock?correlation_id=${encodeURIComponent(correlationId)}`,
+  async getPendingMessages(conversationId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages?status=pending`,
+      { headers: { Authorization: this.getAuthHeader() } }
+    );
+    this.assertAuth(res, "fetching pending messages");
+    if (!res.ok) {
+      throw new Error(`Failed to get messages: HTTP ${res.status}`);
+    }
+    return await res.json();
+  }
+  async markProcessing(conversationId, messageId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
       {
-        method: "DELETE",
-        headers: { Authorization: authHeader }
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ status: "processing" })
       }
     );
-  } catch {
+    this.assertAuth(res, "marking message as processing");
+    return res.ok;
   }
-}
-async function updateConversationSession(agentId, conversationId, sessionId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(`${apiUrl}/agents/${agentId}/threads/${conversationId}`, {
-    method: "PATCH",
-    headers: { Authorization: authHeader, "Content-Type": "application/json" },
-    body: JSON.stringify({ opencode_session_id: sessionId })
+  /**
+   * EXISTING combinedAuth completion route — idempotent + retried (WI-CHAN-2).
+   * `PATCH .../messages/:id {status:'done', opencode_session_id}`. The server's
+   * `queued_conversation_messages.status`/`processed_at` gate makes a re-call
+   * for an already-`done` message a no-op (no double Slack post).
+   */
+  async markDone(conversationId, messageId, sessionId) {
+    await this.callWithRetry(
+      "marking message as done",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "done", opencode_session_id: sessionId })
+        }
+      )
+    );
+  }
+  async markFailed(conversationId, messageId) {
+    await this.callWithRetry(
+      "marking message as failed",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "failed" })
+        }
+      )
+    );
+  }
+  async persistSession(conversationId, sessionId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}`,
+      {
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ opencode_session_id: sessionId })
+      }
+    );
+    this.assertAuth(res, "persisting session id");
+  }
+  /**
+   * EXISTING combinedAuth interaction route (WI-CHAN-3) — idempotent + retried.
+   * `POST .../interactive-event {type, data}`. The server persists the
+   * interaction and posts a link to the proxied opencode-web conversation.
+   */
+  async reportInteraction(conversationId, type, data) {
+    try {
+      await this.callWithRetry(
+        "reporting interactive event",
+        () => this.fetchImpl(
+          `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/interactive-event`,
+          {
+            method: "POST",
+            headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+            body: JSON.stringify({ type, data })
+          }
+        )
+      );
+      this.log({
+        level: "info",
+        message: `${type} surfaced to channel (id: ${data.id.slice(0, 8)})`,
+        conversation_id: conversationId
+      });
+    } catch (err) {
+      if (err instanceof ChannelAuthError) throw err;
+      this.log({
+        level: "error",
+        message: `Failed to surface ${type}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conversationId
+      });
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Retry wrapper
+  // -------------------------------------------------------------------------
+  /**
+   * Invoke an Evident API call, retrying on transient failures (5xx / 429 /
+   * network errors) with exponential backoff + jitter (capped). Auth failures
+   * (401/403) are terminal and surface as `ChannelAuthError`; other 4xx are
+   * terminal too. No on-disk persistence — a crash mid-retry drops the callback
+   * (accepted by ADR-0039).
+   */
+  async callWithRetry(context, call) {
+    let lastError;
+    for (let attempt = 0; attempt < this.retry.maxAttempts; attempt += 1) {
+      let res;
+      try {
+        res = await call();
+      } catch (err) {
+        lastError = err;
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+        throw err;
+      }
+      if (res.status === 401 || res.status === 403) {
+        throw new ChannelAuthError(
+          `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+        );
+      }
+      if (res.ok) return;
+      if (isRetryableStatus(res.status)) {
+        lastError = new Error(`${context}: HTTP ${res.status}`);
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+      }
+      throw new Error(`${context}: HTTP ${res.status}`);
+    }
+    throw lastError instanceof Error ? lastError : new Error(`${context}: exhausted retries`);
+  }
+  assertAuth(res, context) {
+    if (res.status === 401 || res.status === 403) {
+      throw new ChannelAuthError(
+        `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+      );
+    }
+  }
+};
+// src/commands/ensure-opencode.ts
+import chalk5 from "chalk";
+import ora2 from "ora";
+import { select as select2 } from "@inquirer/prompts";
+async function ensureOpenCodeRunning(ctx) {
+  const healthCheck = await checkOpenCodeHealth(ctx.port);
+  if (healthCheck.healthy) {
+    return { port: ctx.port, process: null, version: healthCheck.version ?? null };
+  }
+  const runningInstances = await findHealthyOpenCodeInstances();
+  if (runningInstances.length > 0) {
+    if (!ctx.interactive) {
+      throw new Error(
+        `OpenCode not found on port ${ctx.port}, but running on port ${runningInstances[0].port}. Use --port ${runningInstances[0].port}`
+      );
+    }
+    blank();
+    console.log(chalk5.yellow("Found OpenCode running on different port(s):"));
+    for (const instance of runningInstances) {
+      const ver = instance.version ? ` (v${instance.version})` : "";
+      const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
+      console.log(chalk5.dim(`  * Port ${instance.port}${ver}${cwd}`));
+    }
+    blank();
+    if (runningInstances.length === 1) {
+      console.log(chalk5.yellow("Tip: Run with the correct port:"));
+      console.log(
+        chalk5.dim(
+          `  ${getCliName()} run --agent ${ctx.agentId} --port ${runningInstances[0].port}`
+        )
+      );
+    }
+    blank();
+    throw new Error(`OpenCode not running on port ${ctx.port}`);
+  }
+  if (!isOpenCodeInstalled()) {
+    if (!ctx.interactive) {
+      throw new Error("OpenCode is not installed. Install it with: npm install -g opencode-ai");
+    }
+    const result = await promptOpenCodeInstall(true);
+    if (result === "exit") process.exit(0);
+    if (result !== "installed" && !isOpenCodeInstalled()) {
+      throw new Error("OpenCode is not installed");
+    }
+  }
+  if (!ctx.interactive) {
+    ctx.log(`OpenCode is not running on port ${ctx.port}. Starting it automatically...`);
+    const proc = await startOpenCode(ctx.port);
+    const health = await waitForOpenCodeHealth(ctx.port, 3e4);
+    if (!health.healthy) {
+      throw new Error(
+        `OpenCode failed to start on port ${ctx.port}. Install with: npm install -g opencode-ai`
+      );
+    }
+    ctx.log(`OpenCode started on port ${ctx.port}${health.version ? ` (v${health.version})` : ""}`);
+    return { port: ctx.port, process: proc, version: health.version ?? null };
+  }
+  let port = ctx.port;
+  if (isPortInUse(port)) {
+    console.log(chalk5.yellow(`
+Port ${port} is already in use.`));
+    const alternativePort = findAvailablePort(port + 1);
+    if (alternativePort) {
+      const useAlternative = await select2({
+        message: `Use port ${alternativePort} instead?`,
+        choices: [
+          { name: `Yes, use port ${alternativePort}`, value: "yes" },
+          { name: "No, I will free the port manually", value: "no" }
+        ]
+      });
+      if (useAlternative === "yes") {
+        port = alternativePort;
+      } else {
+        throw new Error(`Port ${ctx.port} is in use`);
+      }
+    }
+  }
+  const action = await select2({
+    message: "OpenCode is not running. What would you like to do?",
+    choices: [
+      {
+        name: "Start OpenCode for me",
+        value: "start",
+        description: `Run 'opencode serve --port ${port}'`
+      },
+      {
+        name: "Show me the command",
+        value: "manual",
+        description: "Display the command to run manually"
+      },
+      {
+        name: "Continue without OpenCode",
+        value: "continue",
+        description: "Requests will fail until OpenCode starts"
+      }
+    ]
   });
-  checkAuthResponse(response, "updating conversation session");
-  if (!response.ok) {
-    const text = await response.text().catch(() => "");
-    throw new Error(
-      `Failed to update conversation session: HTTP ${response.status}${text ? `: ${text}` : ""}`
+  if (action === "manual") {
+    blank();
+    console.log(chalk5.bold("Run this command in another terminal:"));
+    blank();
+    console.log(`  ${chalk5.cyan(`opencode serve --port ${port}`)}`);
+    blank();
+    throw new Error("Please start OpenCode manually");
+  }
+  if (action === "start") {
+    const spinner = ora2("Starting OpenCode...").start();
+    const proc = await startOpenCode(port);
+    const health = await waitForOpenCodeHealth(port, 3e4);
+    if (!health.healthy) {
+      spinner.fail("Failed to start OpenCode");
+      throw new Error("OpenCode failed to start");
+    }
+    spinner.succeed(
+      `OpenCode running on port ${port}${health.version ? ` (v${health.version})` : ""}`
     );
+    return { port, process: proc, version: health.version ?? null };
   }
+  return { port, process: null, version: null };
 }
-async function updateConversationTitle(agentId, conversationId, title, authHeader) {
+// src/commands/agent-lookup.ts
+async function resolveAgentIdFromKey(authHeader) {
   const apiUrl = getApiUrlConfig();
-  const response = await fetch(`${apiUrl}/agents/${agentId}/threads/${conversationId}`, {
-    method: "PATCH",
-    headers: { Authorization: authHeader, "Content-Type": "application/json" },
-    body: JSON.stringify({ title })
-  });
-  checkAuthResponse(response, "updating conversation title");
+  try {
+    const response = await fetch(`${apiUrl}/me`, {
+      headers: { Authorization: authHeader }
+    });
+    if (!response.ok) {
+      return { error: `Failed to resolve agent from key: HTTP ${response.status}` };
+    }
+    const data = await response.json();
+    if (data.auth_type === "agent_key" && data.agent_id) {
+      return { agent_id: data.agent_id };
+    }
+    return {
+      error: "Cannot resolve agent ID: auth type is not agent_key. Please provide --agent explicitly."
+    };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { error: `Failed to resolve agent from key: ${message}` };
+  }
 }
+async function getAgentInfo(agentId, authHeader) {
+  const apiUrl = getApiUrlConfig();
+  try {
+    const response = await fetch(`${apiUrl}/agents/${agentId}`, {
+      headers: { Authorization: authHeader }
+    });
+    if (response.status === 404) {
+      return { valid: false, error: "Agent not found" };
+    }
+    if (response.status === 401) {
+      return { valid: false, error: "Authentication failed", authFailed: true };
+    }
+    if (!response.ok) {
+      return { valid: false, error: `API error: ${response.status}` };
+    }
+    const agent = await response.json();
+    if (agent.agent_type !== "local") {
+      return {
+        valid: false,
+        error: `Agent is type '${agent.agent_type}', must be 'local' for CLI connection`
+      };
+    }
+    return { valid: true, agent };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { valid: false, error: `Failed to validate agent: ${message}` };
+  }
+}
+// src/commands/run.ts
+var MAX_ACTIVITY_LOG_ENTRIES = 10;
+var CHANNEL_POLL_INTERVAL_MS = Number(process.env.EVIDENT_CHANNEL_POLL_INTERVAL_MS) || 2e3;
 function log(state, message, isError = false) {
   if (state.json) {
     console.log(
@@ -1576,7 +1920,7 @@ function log(state, message, isError = false) {
       })
     );
   } else if (!state.interactive) {
-    const prefix = isError ? chalk5.red("\u2717") : chalk5.green("\u2022");
+    const prefix = isError ? chalk6.red("\u2717") : chalk6.green("\u2022");
     console.log(`${prefix} ${message}`);
   }
 }
@@ -1589,7 +1933,6 @@ function logActivity(state, entry) {
   if (state.activityLog.length > MAX_ACTIVITY_LOG_ENTRIES) {
     state.activityLog.shift();
   }
-  state.lastActivity = fullEntry.timestamp;
   if (!state.interactive) {
     if (entry.type === "error") {
       log(state, entry.error ?? "Unknown error", true);
@@ -1598,130 +1941,21 @@ function logActivity(state, entry) {
     }
   }
 }
-var ANSI = {
-  moveUp: (n) => `\x1B[${n}A`
-};
-var STATUS_DISPLAY_HEIGHT = 22;
-function colorizeStatus(status) {
-  if (status >= 200 && status < 300) {
-    return chalk5.green(status.toString());
-  } else if (status >= 300 && status < 400) {
-    return chalk5.yellow(status.toString());
-  } else if (status >= 400 && status < 500) {
-    return chalk5.red(status.toString());
-  } else if (status >= 500) {
-    return chalk5.bgRed.white(` ${status} `);
-  }
-  return status.toString();
-}
-function formatActivityEntry(entry) {
-  const time = entry.timestamp.toLocaleTimeString("en-US", {
-    hour12: false,
-    hour: "2-digit",
-    minute: "2-digit",
-    second: "2-digit"
-  });
-  switch (entry.type) {
-    case "request": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      const status = entry.status ? ` -> ${colorizeStatus(entry.status)}` : " ...";
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.cyan("<-")} ${entry.method} ${entry.path}${status}${duration}`;
-    }
-    case "response": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.green("->")} ${entry.method} ${entry.path} ${colorizeStatus(entry.status)}${duration}`;
-    }
-    case "error": {
-      const errorMsg = entry.error || "Unknown error";
-      const path = entry.path ? ` ${entry.method} ${entry.path}` : "";
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.red("x")}${path} - ${chalk5.red(errorMsg)}`;
-    }
-    case "info": {
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.blue("*")} ${entry.message}`;
-    }
-    default:
-      return `  ${chalk5.dim(`[${time}]`)} ${entry.message || "Unknown"}`;
-  }
-}
 function displayStatus(state) {
   if (!state.interactive) return;
-  const lines = [];
-  lines.push(chalk5.bold("Evident"));
-  lines.push(chalk5.dim("-".repeat(60)));
-  lines.push("");
-  if (state.agentName) {
-    lines.push(`  Agent:      ${state.agentName}`);
-  }
-  lines.push(`  ID:         ${state.agentId}`);
-  if (state.conversationFilter) {
-    lines.push(`  Filter:     conversation ${state.conversationFilter.slice(0, 8)}...`);
-  }
-  lines.push("");
-  if (state.connected) {
-    lines.push(`  ${chalk5.green("*")} Tunnel:    ${chalk5.green("Connected to Evident")}`);
-  } else {
-    if (state.reconnectAttempt > 0) {
-      lines.push(
-        `  ${chalk5.yellow("o")} Tunnel:    ${chalk5.yellow(`Reconnecting... (attempt ${state.reconnectAttempt})`)}`
-      );
-    } else {
-      lines.push(`  ${chalk5.yellow("o")} Tunnel:    ${chalk5.yellow("Connecting...")}`);
-    }
-  }
-  if (state.opencodeConnected) {
-    const version = state.opencodeVersion ? `, v${state.opencodeVersion}` : "";
-    lines.push(
-      `  ${chalk5.green("*")} OpenCode:  ${chalk5.green(`Running on port ${state.port}${version}`)}`
-    );
-  } else {
-    lines.push(`  ${chalk5.red("o")} OpenCode:  ${chalk5.red(`Not connected (port ${state.port})`)}`);
-  }
-  lines.push("");
-  if (state.messageCount > 0) {
-    lines.push(`  Messages:   ${state.messageCount} processed`);
-    lines.push("");
-  }
-  if (state.activityLog.length > 0) {
-    lines.push(chalk5.bold("  Activity:"));
-    for (const entry of state.activityLog) {
-      lines.push(formatActivityEntry(entry));
-    }
-  } else {
-    lines.push(chalk5.dim("  No activity yet. Waiting for requests..."));
-  }
-  lines.push("");
-  lines.push(chalk5.dim("-".repeat(60)));
-  if (state.verbose) {
-    lines.push(chalk5.dim("  Verbose mode: ON"));
-  }
-  lines.push("");
-  lines.push(
-    chalk5.dim(`  Tip: Run \`opencode attach http://localhost:${state.port}\` to see live activity`)
+  const attempt = state.connection?.reconnectAttempt ?? 0;
+  const tunnel = state.connected ? chalk6.green("tunnel: connected") : attempt > 0 ? chalk6.yellow(`tunnel: reconnecting (#${attempt})`) : chalk6.yellow("tunnel: connecting");
+  const opencode = state.opencodeConnected ? chalk6.green(`opencode: :${state.port}`) : chalk6.red(`opencode: :${state.port} (down)`);
+  const messages = state.messageCount > 0 ? chalk6.dim(` \xB7 ${state.messageCount} processed`) : "";
+  const last = state.activityLog[state.activityLog.length - 1];
+  const detail = last ? chalk6.dim(` \xB7 ${last.type === "error" ? last.error ?? "" : last.message ?? ""}`) : "";
+  const agent = state.agentName ?? state.agentId;
+  console.log(
+    `${chalk6.bold("Evident")} ${chalk6.dim(agent)}  ${tunnel}  ${opencode}${messages}${detail}`
   );
-  lines.push(chalk5.dim("  Press Ctrl+C to disconnect"));
-  while (lines.length < STATUS_DISPLAY_HEIGHT) {
-    lines.push("");
-  }
-  if (!state.displayInitialized) {
-    console.log("");
-    console.log(chalk5.dim("=".repeat(60)));
-    console.log("");
-    for (const line of lines) {
-      console.log(line);
-    }
-    state.displayInitialized = true;
-  } else {
-    process.stdout.write(ANSI.moveUp(STATUS_DISPLAY_HEIGHT + 3));
-    console.log(chalk5.dim("=".repeat(60)));
-    console.log("");
-    for (const line of lines) {
-      process.stdout.write("\x1B[2K");
-      console.log(line);
-    }
-  }
 }
 async function promptForLogin(promptMessage, successMessage) {
-  const action = await select2({
+  const action = await select3({
     message: promptMessage,
     choices: [
       {
@@ -1737,7 +1971,7 @@ async function promptForLogin(promptMessage, successMessage) {
     ]
   });
   if (action === "exit") {
-    console.log(chalk5.dim(`
+    console.log(chalk6.dim(`
 You can log in later by running: ${getCliName()} login`));
     process.exit(0);
   }
@@ -1748,137 +1982,10 @@ You can log in later by running: ${getCliName()} login`));
     process.exit(1);
   }
   blank();
-  console.log(chalk5.green(successMessage));
+  console.log(chalk6.green(successMessage));
   blank();
   return { token: credentials2.token, authType: "bearer", user: credentials2.user };
 }
-async function ensureOpenCodeRunning(state) {
-  const healthCheck = await checkOpenCodeHealth(state.port);
-  if (healthCheck.healthy) {
-    state.opencodeConnected = true;
-    state.opencodeVersion = healthCheck.version ?? null;
-    return;
-  }
-  const runningInstances = await findHealthyOpenCodeInstances();
-  if (runningInstances.length > 0) {
-    if (!state.interactive) {
-      throw new Error(
-        `OpenCode not found on port ${state.port}, but running on port ${runningInstances[0].port}. Use --port ${runningInstances[0].port}`
-      );
-    }
-    blank();
-    console.log(chalk5.yellow("Found OpenCode running on different port(s):"));
-    for (const instance of runningInstances) {
-      const ver = instance.version ? ` (v${instance.version})` : "";
-      const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
-      console.log(chalk5.dim(`  * Port ${instance.port}${ver}${cwd}`));
-    }
-    blank();
-    if (runningInstances.length === 1) {
-      console.log(chalk5.yellow("Tip: Run with the correct port:"));
-      console.log(
-        chalk5.dim(
-          `  ${getCliName()} run --agent ${state.agentId} --port ${runningInstances[0].port}`
-        )
-      );
-    }
-    blank();
-    throw new Error(`OpenCode not running on port ${state.port}`);
-  }
-  if (!isOpenCodeInstalled()) {
-    if (!state.interactive) {
-      throw new Error("OpenCode is not installed. Install it with: npm install -g opencode-ai");
-    }
-    const result = await promptOpenCodeInstall(true);
-    if (result === "exit") {
-      process.exit(0);
-    }
-    if (result === "installed" || isOpenCodeInstalled()) {
-    } else {
-      throw new Error("OpenCode is not installed");
-    }
-  }
-  if (state.interactive) {
-    let actualPort = state.port;
-    if (isPortInUse(state.port)) {
-      console.log(chalk5.yellow(`
-Port ${state.port} is already in use.`));
-      const alternativePort = findAvailablePort(state.port + 1);
-      if (alternativePort) {
-        const useAlternative = await select2({
-          message: `Use port ${alternativePort} instead?`,
-          choices: [
-            { name: `Yes, use port ${alternativePort}`, value: "yes" },
-            { name: "No, I will free the port manually", value: "no" }
-          ]
-        });
-        if (useAlternative === "yes") {
-          actualPort = alternativePort;
-          state.port = actualPort;
-        } else {
-          throw new Error(`Port ${state.port} is in use`);
-        }
-      }
-    }
-    const action = await select2({
-      message: "OpenCode is not running. What would you like to do?",
-      choices: [
-        {
-          name: "Start OpenCode for me",
-          value: "start",
-          description: `Run 'opencode serve --port ${actualPort}'`
-        },
-        {
-          name: "Show me the command",
-          value: "manual",
-          description: "Display the command to run manually"
-        },
-        {
-          name: "Continue without OpenCode",
-          value: "continue",
-          description: "Requests will fail until OpenCode starts"
-        }
-      ]
-    });
-    if (action === "manual") {
-      blank();
-      console.log(chalk5.bold("Run this command in another terminal:"));
-      blank();
-      console.log(`  ${chalk5.cyan(`opencode serve --port ${actualPort}`)}`);
-      blank();
-      throw new Error("Please start OpenCode manually");
-    }
-    if (action === "start") {
-      const spinner = ora2("Starting OpenCode...").start();
-      state.opencodeProcess = await startOpenCode(actualPort);
-      const health = await waitForOpenCodeHealth(actualPort, 3e4);
-      if (!health.healthy) {
-        spinner.fail("Failed to start OpenCode");
-        throw new Error("OpenCode failed to start");
-      }
-      spinner.succeed(
-        `OpenCode running on port ${actualPort}${health.version ? ` (v${health.version})` : ""}`
-      );
-      state.opencodeConnected = true;
-      state.opencodeVersion = health.version ?? null;
-    }
-  } else {
-    log(state, `OpenCode is not running on port ${state.port}. Starting it automatically...`);
-    state.opencodeProcess = await startOpenCode(state.port);
-    const health = await waitForOpenCodeHealth(state.port, 3e4);
-    if (!health.healthy) {
-      throw new Error(
-        `OpenCode failed to start on port ${state.port}. Install with: npm install -g opencode-ai`
-      );
-    }
-    log(
-      state,
-      `OpenCode started on port ${state.port}${health.version ? ` (v${health.version})` : ""}`
-    );
-    state.opencodeConnected = true;
-    state.opencodeVersion = health.version ?? null;
-  }
-}
 var AUTH_EXPIRED_EXIT_CODE = 77;
 async function handleAuthError(state, error2) {
   logActivity(state, {
@@ -1888,12 +1995,12 @@ async function handleAuthError(state, error2) {
   if (state.interactive) displayStatus(state);
   if (!state.interactive) {
     blank();
-    console.log(chalk5.red("Authentication expired"));
-    console.log(chalk5.dim("Your authentication token is no longer valid."));
+    console.log(chalk6.red("Authentication expired"));
+    console.log(chalk6.dim("Your authentication token is no longer valid."));
     blank();
-    console.log(chalk5.dim("To fix this:"));
-    console.log(chalk5.dim(`  1. Run '${getCliName()} login' to re-authenticate`));
-    console.log(chalk5.dim("  2. Restart this command"));
+    console.log(chalk6.dim("To fix this:"));
+    console.log(chalk6.dim(`  1. Run '${getCliName()} login' to re-authenticate`));
+    console.log(chalk6.dim("  2. Restart this command"));
     blank();
     await cleanup(state);
     await shutdownTelemetry();
@@ -1901,7 +2008,7 @@ async function handleAuthError(state, error2) {
     return { success: false };
   }
   blank();
-  console.log(chalk5.yellow("Your authentication has expired."));
+  console.log(chalk6.yellow("Your authentication has expired."));
   blank();
   try {
     const credentials2 = await promptForLogin(
@@ -1914,285 +2021,62 @@ async function handleAuthError(state, error2) {
     return { success: false };
   }
 }
-function isNetworkError(error2) {
-  if (error2 instanceof Error) {
-    const message = error2.message.toLowerCase();
-    return message.includes("fetch failed") || message.includes("network") || message.includes("econnrefused") || message.includes("econnreset") || message.includes("etimedout") || message.includes("socket hang up");
-  }
-  return false;
-}
-async function processQueue(state, authHeader, triggerReconnect) {
+async function driveChannels(state, driver) {
   let idlePolls = 0;
-  let currentAuthHeader = authHeader;
   while (state.running) {
-    if (state.reconnecting && state.reconnectPromise) {
-      logActivity(state, {
-        type: "info",
-        message: "Waiting for tunnel reconnection..."
-      });
+    if (state.connection?.reconnecting && state.connection.reconnectPromise) {
+      logActivity(state, { type: "info", message: "Waiting for tunnel reconnection..." });
       if (state.interactive) displayStatus(state);
-      await state.reconnectPromise;
+      await state.connection.reconnectPromise;
     }
     try {
-      const conversations = await getPendingConversations(
-        state.agentId,
-        currentAuthHeader,
-        state.conversationFilter ?? void 0
-      );
-      state.consecutiveFetchFailures = 0;
-      if (conversations.length > 0) {
+      const processed = await driver.drainPending();
+      state.messageCount += processed;
+      if (processed > 0) {
         idlePolls = 0;
-        for (const conv of conversations) {
-          if (!state.running) break;
-          if (!state.lockedConversations.has(conv.id)) {
-            const lockResult = await acquireConversationLock(
-              state.agentId,
-              conv.id,
-              state.lockCorrelationId,
-              currentAuthHeader
-            );
-            if (!lockResult.acquired) {
-              logActivity(state, {
-                type: "info",
-                message: `Conversation ${conv.id.slice(0, 8)} locked by another runner \u2014 skipping`
-              });
-              if (state.interactive) displayStatus(state);
-              continue;
-            }
-            state.lockedConversations.add(conv.id);
-            logActivity(state, {
-              type: "info",
-              message: `Lock acquired on conversation ${conv.id.slice(0, 8)}`
-            });
-          }
+        if (state.interactive) displayStatus(state);
+      } else if (state.idleTimeout !== null) {
+        idlePolls++;
+        if (idlePolls === 1) {
           logActivity(state, {
             type: "info",
-            message: `Processing conversation ${conv.id.slice(0, 8)}... (${conv.pending_message_count} pending)`
+            message: `Queue empty, waiting (timeout: ${state.idleTimeout}s)...`
           });
           if (state.interactive) displayStatus(state);
-          let sessionId = state.sessions.get(conv.id);
-          if (!sessionId) {
-            if (conv.opencode_session_id) {
-              sessionId = conv.opencode_session_id;
-            } else {
-              sessionId = await createOpenCodeSession(state.port);
-              await updateConversationSession(state.agentId, conv.id, sessionId, currentAuthHeader);
-              logActivity(state, {
-                type: "info",
-                message: `Created session ${sessionId.slice(0, 8)}`
-              });
-            }
-            state.sessions.set(conv.id, sessionId);
-          }
-          const messages = await getPendingMessages(state.agentId, conv.id, currentAuthHeader);
-          for (const message of messages) {
-            if (!state.running) break;
-            logActivity(state, {
-              type: "info",
-              message: `Processing message ${message.id.slice(0, 8)}...`
-            });
-            if (state.interactive) displayStatus(state);
-            const claimed = await markMessageProcessing(
-              state.agentId,
-              conv.id,
-              message.id,
-              currentAuthHeader
-            );
-            if (!claimed) {
-              logActivity(state, {
-                type: "info",
-                message: `Message ${message.id.slice(0, 8)} already claimed`
-              });
-              continue;
-            }
-            emitAgentMessageProcessing(state.agentId, {
-              message_id: message.id,
-              conversation_id: conv.id
-            });
-            try {
-              const result = await sendMessageToOpenCode(
-                state.port,
-                sessionId,
-                message.content,
-                {
-                  agent: message.opencode_agent ?? void 0,
-                  model: message.opencode_model ?? void 0
-                },
-                {
-                  onQuestion: async (question) => {
-                    try {
-                      await reportInteractiveEvent(
-                        state.agentId,
-                        conv.id,
-                        "question",
-                        question,
-                        currentAuthHeader
-                      );
-                      logActivity(state, {
-                        type: "info",
-                        message: `Question surfaced to user (id: ${question.id.slice(0, 8)})`
-                      });
-                    } catch (err) {
-                      logActivity(state, {
-                        type: "error",
-                        error: `Failed to surface question: ${err}`
-                      });
-                    }
-                  },
-                  onPermission: async (permission) => {
-                    try {
-                      await reportInteractiveEvent(
-                        state.agentId,
-                        conv.id,
-                        "permission",
-                        permission,
-                        currentAuthHeader
-                      );
-                      logActivity(state, {
-                        type: "info",
-                        message: `Permission request surfaced to user (id: ${permission.id.slice(0, 8)})`
-                      });
-                    } catch (err) {
-                      logActivity(state, {
-                        type: "error",
-                        error: `Failed to surface permission: ${err}`
-                      });
-                    }
-                  }
-                }
-              );
-              if (result.title) {
-                try {
-                  await updateConversationTitle(
-                    state.agentId,
-                    conv.id,
-                    result.title,
-                    currentAuthHeader
-                  );
-                } catch {
-                }
-              }
-              await markMessageDone(
-                state.agentId,
-                conv.id,
-                message.id,
-                currentAuthHeader,
-                sessionId
-              );
-              state.messageCount++;
-              logActivity(state, {
-                type: "info",
-                message: `Message ${message.id.slice(0, 8)} processed`
-              });
-              emitAgentMessageDone(state.agentId, {
-                message_id: message.id,
-                conversation_id: conv.id
-              });
-            } catch (error2) {
-              if (error2 instanceof AuthenticationError) {
-                throw error2;
-              }
-              await markMessageFailed(state.agentId, conv.id, message.id, currentAuthHeader);
-              logActivity(state, {
-                type: "error",
-                error: `Message ${message.id.slice(0, 8)} failed: ${error2}`
-              });
-              emitAgentMessageFailed(state.agentId, {
-                message_id: message.id,
-                conversation_id: conv.id,
-                error: String(error2)
-              });
-            }
-            if (state.interactive) displayStatus(state);
-          }
-        }
-      } else {
-        if (state.idleTimeout !== null) {
-          idlePolls++;
-          if (idlePolls === 1) {
-            logActivity(state, {
-              type: "info",
-              message: `Queue empty, waiting (timeout: ${state.idleTimeout}s)...`
-            });
-            if (state.interactive) displayStatus(state);
-          }
-        }
-      }
-      await new Promise((resolve) => setTimeout(resolve, MESSAGE_POLL_INTERVAL_MS));
-      if (state.idleTimeout !== null && idlePolls >= 2) {
-        const idleMs = idlePolls * MESSAGE_POLL_INTERVAL_MS;
-        if (idleMs > state.idleTimeout * 1e3) {
-          logActivity(state, {
-            type: "info",
-            message: "Idle timeout reached"
-          });
-          if (state.interactive) displayStatus(state);
-          break;
         }
       }
     } catch (error2) {
-      if (error2 instanceof AuthenticationError) {
+      if (error2 instanceof ChannelAuthError) {
         const result = await handleAuthError(state, error2);
         if (result.success && result.newAuthHeader) {
-          currentAuthHeader = result.newAuthHeader;
           state.authHeader = result.newAuthHeader;
-          logActivity(state, {
-            type: "info",
-            message: "Continuing with new credentials..."
-          });
+          logActivity(state, { type: "info", message: "Continuing with new credentials..." });
           if (state.interactive) displayStatus(state);
           continue;
-        } else {
-          state.running = false;
-          break;
         }
+        state.running = false;
+        break;
       }
       const errorMessage = error2 instanceof Error ? error2.message : String(error2);
-      logActivity(state, {
-        type: "error",
-        error: `Queue processing error: ${errorMessage}`
-      });
+      logActivity(state, { type: "error", error: `Channel processing error: ${errorMessage}` });
       if (state.interactive) displayStatus(state);
-      if (isNetworkError(error2)) {
-        state.consecutiveFetchFailures++;
-        if (state.consecutiveFetchFailures >= MAX_CONSECUTIVE_FETCH_FAILURES) {
-          logActivity(state, {
-            type: "info",
-            message: `Detected ${state.consecutiveFetchFailures} consecutive fetch failures, triggering reconnection...`
-          });
-          if (state.interactive) displayStatus(state);
-          await triggerReconnect();
-          state.consecutiveFetchFailures = 0;
-        }
+    }
+    await new Promise((resolve) => setTimeout(resolve, CHANNEL_POLL_INTERVAL_MS));
+    if (state.idleTimeout !== null && idlePolls >= 2) {
+      const idleMs = idlePolls * CHANNEL_POLL_INTERVAL_MS;
+      if (idleMs > state.idleTimeout * 1e3) {
+        logActivity(state, { type: "info", message: "Idle timeout reached" });
+        if (state.interactive) displayStatus(state);
+        break;
       }
-      await new Promise((resolve) => setTimeout(resolve, MESSAGE_POLL_INTERVAL_MS));
     }
   }
 }
-async function cleanup(state, authHeader) {
+async function cleanup(state) {
   state.running = false;
-  if (state.lockHeartbeatTimer) {
-    clearInterval(state.lockHeartbeatTimer);
-    state.lockHeartbeatTimer = null;
-  }
-  if (authHeader && state.lockedConversations.size > 0) {
-    for (const convId of state.lockedConversations) {
-      await releaseConversationLock(state.agentId, convId, state.lockCorrelationId, authHeader);
-    }
-    if (state.interactive) {
-      logActivity(state, {
-        type: "info",
-        message: `Released ${state.lockedConversations.size} lock(s)`
-      });
-      displayStatus(state);
-    } else {
-      log(state, `Released ${state.lockedConversations.size} lock(s)`);
-    }
-    state.lockedConversations.clear();
-  }
-  if (state.tunnelConnection) {
-    state.tunnelConnection.close();
-    state.tunnelConnection = null;
+  if (state.connection) {
+    state.connection.close();
+    state.connection = null;
   }
   if (state.opencodeProcess) {
     stopOpenCode(state.opencodeProcess);
@@ -2211,7 +2095,6 @@ async function run(options) {
     agentId: options.agent || "",
     agentName: null,
     port: options.port ?? 4096,
-    verbose: options.verbose ?? false,
     conversationFilter: options.conversation ?? null,
     idleTimeout: options.idleTimeout ?? null,
     json: options.json ?? false,
@@ -2219,22 +2102,11 @@ async function run(options) {
     connected: false,
     opencodeConnected: false,
     opencodeVersion: null,
-    reconnectAttempt: 0,
     opencodeProcess: null,
-    tunnelConnection: null,
+    connection: null,
     running: true,
     activityLog: [],
-    displayInitialized: false,
-    lastActivity: /* @__PURE__ */ new Date(),
-    pendingRequests: /* @__PURE__ */ new Map(),
-    sessions: /* @__PURE__ */ new Map(),
     messageCount: 0,
-    lockCorrelationId: `cli-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
-    lockedConversations: /* @__PURE__ */ new Set(),
-    lockHeartbeatTimer: null,
-    consecutiveFetchFailures: 0,
-    reconnecting: false,
-    reconnectPromise: null,
     authHeader: ""
   };
   if (state.idleTimeout === null && (process.env.GITHUB_ACTIONS || process.env.CI)) {
@@ -2251,7 +2123,7 @@ async function run(options) {
     } else {
       log(state, "Shutting down...");
     }
-    await cleanup(state, state.authHeader);
+    await cleanup(state);
     await shutdownTelemetry();
     process.exit(0);
   };
@@ -2263,13 +2135,13 @@ async function run(options) {
       if (!interactive) {
         printError("Authentication required");
         blank();
-        console.log(chalk5.dim("Set EVIDENT_AGENT_KEY environment variable for CI"));
-        console.log(chalk5.dim("Or run `evident login` for interactive authentication"));
+        console.log(chalk6.dim("Set EVIDENT_AGENT_KEY environment variable for CI"));
+        console.log(chalk6.dim("Or run `evident login` for interactive authentication"));
         blank();
         process.exit(1);
       }
       blank();
-      console.log(chalk5.yellow("You are not logged in to Evident."));
+      console.log(chalk6.yellow("You are not logged in to Evident."));
       blank();
       credentials2 = await promptForLogin(
         "Would you like to log in now?",
@@ -2283,6 +2155,12 @@ async function run(options) {
         if (resolved.agent_id) {
           state.agentId = resolved.agent_id;
           log(state, `Resolved agent ID from key: ${state.agentId}`);
+          if (state.interactive && !state.json) {
+            logActivity(state, {
+              type: "info",
+              message: `Agent ID resolved from key: ${state.agentId}`
+            });
+          }
         } else {
           printError(resolved.error || "Failed to resolve agent ID from key");
           process.exit(1);
@@ -2290,7 +2168,7 @@ async function run(options) {
       } else {
         printError("--agent is required when not using EVIDENT_AGENT_KEY");
         blank();
-        console.log(chalk5.dim("Either provide --agent <id> or set EVIDENT_AGENT_KEY"));
+        console.log(chalk6.dim("Either provide --agent <id> or set EVIDENT_AGENT_KEY"));
         blank();
         process.exit(1);
       }
@@ -2309,15 +2187,15 @@ async function run(options) {
     );
     if (interactive && !state.json) {
       blank();
-      console.log(chalk5.bold("Evident Run"));
-      console.log(chalk5.dim("-".repeat(40)));
+      console.log(chalk6.bold("Evident Run"));
+      console.log(chalk6.dim("-".repeat(40)));
     }
-    const spinner = interactive && !state.json ? ora2("Validating agent...").start() : null;
+    const spinner = interactive && !state.json ? ora3("Validating agent...").start() : null;
     let validation = await getAgentInfo(state.agentId, state.authHeader);
     if (!validation.valid && validation.authFailed && interactive) {
       spinner?.fail("Authentication failed");
       blank();
-      console.log(chalk5.yellow("Your authentication token is invalid or expired."));
+      console.log(chalk6.yellow("Your authentication token is invalid or expired."));
       blank();
       credentials2 = await promptForLogin(
         "Would you like to log in again?",
@@ -2333,172 +2211,90 @@ async function run(options) {
     }
     spinner?.succeed(`Agent: ${validation.agent.name || state.agentId}`);
     state.agentName = validation.agent.name;
-    const ocSpinner = interactive && !state.json ? ora2("Checking OpenCode...").start() : null;
+    const ocSpinner = interactive && !state.json ? ora3("Checking OpenCode...").start() : null;
     try {
-      await ensureOpenCodeRunning(state);
+      const oc = await ensureOpenCodeRunning({
+        port: state.port,
+        interactive: state.interactive,
+        agentId: state.agentId,
+        log: (message) => log(state, message)
+      });
+      state.port = oc.port;
+      state.opencodeProcess = oc.process;
+      state.opencodeVersion = oc.version;
+      state.opencodeConnected = oc.process !== null || oc.version !== null;
       const version = state.opencodeVersion ? ` (v${state.opencodeVersion})` : "";
       ocSpinner?.succeed(`OpenCode running on port ${state.port}${version}`);
     } catch (error2) {
       ocSpinner?.fail(error2.message);
       throw error2;
     }
-    const tunnelSpinner = interactive && !state.json ? ora2("Connecting tunnel...").start() : null;
-    const connectWithRetry = async (isReconnect = false) => {
-      if (isReconnect && state.reconnecting) {
-        return;
-      }
-      state.reconnecting = true;
-      if (state.tunnelConnection) {
-        try {
-          state.tunnelConnection.close();
-        } catch {
-        }
-        state.tunnelConnection = null;
-      }
-      while (state.running) {
-        try {
-          state.tunnelConnection = await connectTunnel({
-            agentId: state.agentId,
-            authHeader: state.authHeader,
-            port: state.port,
-            onConnected: (agentId) => {
-              state.connected = true;
-              state.reconnectAttempt = 0;
-              state.reconnecting = false;
-              state.consecutiveFetchFailures = 0;
-              state.agentId = agentId;
-              logActivity(state, {
-                type: "info",
-                message: isReconnect ? `Tunnel reconnected (agent: ${agentId})` : `Tunnel connected (agent: ${agentId})`
-              });
-              emitAgentConnected(state.agentId, { port: state.port });
-              if (state.interactive) displayStatus(state);
-            },
-            onDisconnected: (code, reason) => {
-              state.connected = false;
-              logActivity(state, {
-                type: "info",
-                message: `Tunnel disconnected (code: ${code}, reason: ${reason})`
-              });
-              emitAgentDisconnected(state.agentId, { code, reason });
-              if (state.interactive) displayStatus(state);
-              if (state.running && code !== 1e3 && !state.reconnecting) {
-                logActivity(state, {
-                  type: "info",
-                  message: "Attempting automatic reconnection..."
-                });
-                if (state.interactive) displayStatus(state);
-                state.reconnectPromise = connectWithRetry(true).catch((err) => {
-                  logActivity(state, {
-                    type: "error",
-                    error: `Reconnection failed: ${err.message}`
-                  });
-                  if (state.interactive) displayStatus(state);
-                });
-              }
-            },
-            onError: (error2) => {
-              logActivity(state, { type: "error", error: error2 });
-              if (state.interactive) displayStatus(state);
-            },
-            onRequest: (method, path, requestId) => {
-              state.pendingRequests.set(requestId, {
-                startTime: Date.now(),
-                method,
-                path
-              });
-              logActivity(state, { type: "request", method, path, requestId });
-              if (state.interactive) displayStatus(state);
-            },
-            onResponse: (status, durationMs, requestId) => {
-              const pending = state.pendingRequests.get(requestId);
-              state.pendingRequests.delete(requestId);
-              state.opencodeConnected = true;
-              const lastEntry = state.activityLog[state.activityLog.length - 1];
-              if (lastEntry && lastEntry.requestId === requestId) {
-                lastEntry.type = "response";
-                lastEntry.status = status;
-                lastEntry.durationMs = durationMs;
-              } else if (pending) {
-                logActivity(state, {
-                  type: "response",
-                  method: pending.method,
-                  path: pending.path,
-                  status,
-                  durationMs,
-                  requestId
-                });
-              }
-              if (state.interactive) displayStatus(state);
-            },
-            onInfo: (message) => {
-              logActivity(state, { type: "info", message });
-              if (state.interactive) displayStatus(state);
-            }
-          });
-          if (!isReconnect) {
-            tunnelSpinner?.succeed("Tunnel connected");
-          }
-          return;
-        } catch (error2) {
-          state.reconnectAttempt++;
-          const delay = getReconnectDelay(state.reconnectAttempt);
-          if (error2.message === "Unauthorized") {
-            state.reconnecting = false;
-            if (!isReconnect) {
-              tunnelSpinner?.fail("Unauthorized");
-            }
-            throw error2;
-          }
+    const tunnelSpinner = interactive && !state.json ? ora3("Connecting tunnel...").start() : null;
+    const channelDriver = new ChannelDriver({
+      agentId: state.agentId,
+      port: state.port,
+      apiUrl: getApiUrlConfig(),
+      getAuthHeader: () => state.authHeader,
+      conversationFilter: state.conversationFilter,
+      log: (entry) => logActivity(state, {
+        type: entry.level === "error" ? "error" : "info",
+        message: entry.message,
+        error: entry.level === "error" ? entry.message : void 0
+      })
+    });
+    const connection = new RunnerConnection({
+      agentId: state.agentId,
+      getAuthHeader: () => state.authHeader,
+      port: state.port,
+      isRunning: () => state.running,
+      events: {
+        onConnected: (agentId, isReconnect) => {
+          state.connected = true;
+          state.agentId = agentId;
           logActivity(state, {
-            type: "error",
-            error: `Connection failed, retrying in ${Math.round(delay / 1e3)}s...`
+            type: "info",
+            message: `Tunnel ${isReconnect ? "reconnected" : "connected"} (agent: ${agentId})`
           });
+          emitAgentConnected(state.agentId, { port: state.port });
+          if (!isReconnect) tunnelSpinner?.succeed("Tunnel connected");
           if (state.interactive) displayStatus(state);
-          await new Promise((resolve) => setTimeout(resolve, delay));
-        }
-      }
-      state.reconnecting = false;
-    };
-    const triggerReconnect = async () => {
-      if (!state.reconnecting) {
-        state.reconnectPromise = connectWithRetry(true).catch((err) => {
-          logActivity(state, {
-            type: "error",
-            error: `Reconnection failed: ${err.message}`
+          channelDriver.drainPending().catch(() => {
           });
-          if (state.interactive) displayStatus(state);
-        });
-      }
-      if (state.reconnectPromise) {
-        await state.reconnectPromise;
-      }
-    };
-    await connectWithRetry(false);
-    state.lockHeartbeatTimer = setInterval(async () => {
-      for (const convId of state.lockedConversations) {
-        const extended = await extendConversationLock(
-          state.agentId,
-          convId,
-          state.lockCorrelationId,
-          state.authHeader
-        );
-        if (!extended) {
+        },
+        onDisconnected: (code, reason) => {
+          state.connected = false;
           logActivity(state, {
-            type: "error",
-            error: `Failed to extend lock on conversation ${convId.slice(0, 8)}`
+            type: "info",
+            message: `Tunnel disconnected (code: ${code}, reason: ${reason})`
           });
-          state.lockedConversations.delete(convId);
-        }
+          emitAgentDisconnected(state.agentId, { code, reason });
+          if (state.interactive) displayStatus(state);
+        },
+        onError: (error2) => {
+          logActivity(state, { type: "error", error: error2 });
+          if (state.interactive) displayStatus(state);
+        },
+        // Web traffic is proxied transparently; only note opencode is live.
+        onResponse: () => {
+          state.opencodeConnected = true;
+        },
+        onInfo: (message) => logActivity(state, { type: "info", message })
       }
-    }, LOCK_HEARTBEAT_INTERVAL_MS);
+    });
+    state.connection = connection;
+    try {
+      await connection.connect();
+    } catch (error2) {
+      if (error2.message === "Unauthorized") tunnelSpinner?.fail("Unauthorized");
+      throw error2;
+    }
     if (interactive && !state.json) {
       displayStatus(state);
     } else {
-      log(state, "Processing queue...");
+      log(state, "Driving channel messages...");
     }
-    await processQueue(state, state.authHeader, triggerReconnect);
-    await cleanup(state, state.authHeader);
+    await driveChannels(state, channelDriver);
+    await cleanup(state);
     if (state.json) {
       console.log(
         JSON.stringify({
@@ -2512,7 +2308,7 @@ async function run(options) {
     await shutdownTelemetry();
     process.exit(0);
   } catch (error2) {
-    await cleanup(state, state.authHeader);
+    await cleanup(state);
     const message = error2 instanceof Error ? error2.message : String(error2);
     if (state.json) {
       console.log(JSON.stringify({ status: "error", error: message }));
@@ -2530,16 +2326,22 @@ async function run(options) {
 // src/index.ts
 var program = new Command();
-program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option("-e, --env <environment>", "Environment to use (local, dev, production)", "production").hook("preAction", (thisCommand) => {
-  const env = thisCommand.opts().env;
-  if (env) {
-    setEnvironment(env);
+program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option(
+  "--endpoint <url>",
+  "Evident API base URL (default: production; e.g. http://localhost:3001)"
+).option("--tunnel <url>", "Tunnel WebSocket URL (default: production; e.g. ws://localhost:8787)").hook("preAction", (thisCommand) => {
+  const { endpoint, tunnel } = thisCommand.opts();
+  if (endpoint) {
+    setEndpoint(endpoint);
+  }
+  if (tunnel) {
+    setTunnelUrl(tunnel);
   }
 });
 program.command("login").description("Authenticate with Evident").option("--token", "Use token-based authentication (for CI/CD)").option("--no-browser", "Do not open the browser automatically").action(login);
 program.command("logout").description("Remove stored credentials").action(logout);
 program.command("whoami").description("Show the currently logged in user").action(whoami);
-program.command("run").description("Connect to Evident and process messages").requiredOption("-a, --agent <id>", "Agent ID to connect to").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
+program.command("run").description("Connect to Evident and process messages").option("-a, --agent [id]", "Agent ID to connect to (optional when EVIDENT_AGENT_KEY is set)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
   (options) => {
     run({
       agent: options.agent,