@evident-ai/cli 0.2.1-dev.fab83f9 → 3.0.1-dev.476bdd6

package/dist/index.js

@@ -12,41 +12,30 @@ import chalk2 from "chalk";
 import Conf from "conf";
 import { homedir } from "os";
 import { join } from "path";
-var environmentPresets = {
-  local: {
-    apiUrl: "http://localhost:3001/v1",
-    tunnelUrl: "ws://localhost:8787"
-  },
-  dev: {
-    apiUrl: "https://api.dev.evident.run/v1",
-    tunnelUrl: "wss://tunnel.dev.evident.run"
-  },
-  production: {
-    // Production URLs also have aliases: api.evident.run, tunnel.evident.run
-    apiUrl: "https://api.production.evident.run/v1",
-    tunnelUrl: "wss://tunnel.production.evident.run"
-  }
+var PRODUCTION_API_URL = "https://api.production.evident.run/v1";
+var PRODUCTION_TUNNEL_URL = "wss://tunnel.production.evident.run";
+var defaults = {
+  apiUrl: PRODUCTION_API_URL,
+  tunnelUrl: PRODUCTION_TUNNEL_URL
 };
-var defaults = environmentPresets.production;
-var currentEnvironment = "production";
-function setEnvironment(env) {
-  currentEnvironment = env;
-}
-function getEnvironment() {
-  const envVar = process.env.EVIDENT_ENV;
-  if (envVar && environmentPresets[envVar]) {
-    return envVar;
+var endpointOverride;
+var tunnelOverride;
+function setEndpoint(url) {
+  if (!url) {
+    endpointOverride = void 0;
+    return;
   }
-  return currentEnvironment;
+  const trimmed = url.replace(/\/+$/, "");
+  endpointOverride = /\/v1$/.test(trimmed) ? trimmed : `${trimmed}/v1`;
 }
-function getEnvConfig() {
-  return environmentPresets[getEnvironment()];
+function setTunnelUrl(url) {
+  tunnelOverride = url ? url.replace(/\/+$/, "") : void 0;
 }
 function getApiUrl() {
-  return process.env.EVIDENT_API_URL ?? getEnvConfig().apiUrl;
+  return endpointOverride ?? process.env.EVIDENT_API_URL ?? defaults.apiUrl;
 }
 function getTunnelUrl() {
-  return process.env.EVIDENT_TUNNEL_URL ?? getEnvConfig().tunnelUrl;
+  return tunnelOverride ?? process.env.EVIDENT_TUNNEL_URL ?? defaults.tunnelUrl;
 }
 var config = new Conf({
   projectName: "evident",
@@ -65,19 +54,28 @@ function getApiUrlConfig() {
 function getTunnelUrlConfig() {
   return getTunnelUrl();
 }
+function credentialsKey() {
+  return getApiUrl();
+}
 function getCredentials() {
-  return {
-    token: credentials.get("token"),
-    user: credentials.get("user"),
-    expiresAt: credentials.get("expiresAt")
-  };
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  return byEndpoint[credentialsKey()] ?? {};
 }
 function setCredentials(creds) {
-  if (creds.token) credentials.set("token", creds.token);
-  if (creds.user) credentials.set("user", creds.user);
-  if (creds.expiresAt) credentials.set("expiresAt", creds.expiresAt);
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  byEndpoint[credentialsKey()] = {
+    token: creds.token,
+    user: creds.user,
+    expiresAt: creds.expiresAt
+  };
+  credentials.set("byEndpoint", byEndpoint);
 }
 function clearCredentials() {
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  delete byEndpoint[credentialsKey()];
+  credentials.set("byEndpoint", byEndpoint);
+}
+function clearAllCredentials() {
   credentials.clear();
 }
 function getCliName() {
@@ -187,7 +185,6 @@ var api = {
 
 // src/lib/keychain.ts
 var SERVICE_NAME = "evident-cli";
-var ACCOUNT_NAME = "default";
 async function getKeytar() {
   try {
     const keytar = await import("keytar");
@@ -199,10 +196,13 @@ async function getKeytar() {
     return null;
   }
 }
+function keychainAccount() {
+  return getApiUrlConfig();
+}
 async function storeToken(credentials2) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, JSON.stringify(credentials2));
+    await keytar.setPassword(SERVICE_NAME, keychainAccount(), JSON.stringify(credentials2));
   } else {
     setCredentials({
       token: credentials2.token,
@@ -214,12 +214,13 @@ async function storeToken(credentials2) {
 async function getToken() {
   const keytar = await getKeytar();
   if (keytar) {
-    const stored = await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+    const account = keychainAccount();
+    const stored = await keytar.getPassword(SERVICE_NAME, account);
     if (stored) {
       try {
         return JSON.parse(stored);
       } catch {
-        await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+        await keytar.deletePassword(SERVICE_NAME, account);
         return null;
       }
     }
@@ -234,12 +235,26 @@ async function getToken() {
   }
   return null;
 }
-async function deleteToken() {
+async function deleteToken(options = {}) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+    if (options.all) {
+      const all = await keytar.findCredentials(SERVICE_NAME).catch(() => []);
+      await Promise.all(
+        all.map(
+          (entry) => keytar.deletePassword(SERVICE_NAME, entry.account).catch(() => {
+          })
+        )
+      );
+    } else {
+      await keytar.deletePassword(SERVICE_NAME, keychainAccount());
+    }
+  }
+  if (options.all) {
+    clearAllCredentials();
+  } else {
+    clearCredentials();
   }
-  clearCredentials();
 }
 
 // src/utils/ui.ts
@@ -407,25 +422,32 @@ async function login(options) {
 }
 
 // src/commands/logout.ts
-async function logout() {
+async function logout(options = {}) {
+  if (options.all) {
+    await deleteToken({ all: true });
+    printSuccess("Logged out of all endpoints.");
+    return;
+  }
   const credentials2 = await getToken();
   if (!credentials2) {
-    printWarning("You are not logged in.");
+    printWarning(`You are not logged in to ${getApiUrlConfig()}.`);
     return;
   }
   await deleteToken();
-  printSuccess("Logged out successfully.");
+  printSuccess(`Logged out of ${getApiUrlConfig()}.`);
 }
 
 // src/commands/whoami.ts
 import chalk3 from "chalk";
 async function whoami() {
+  const apiUrl = getApiUrlConfig();
   const credentials2 = await getToken();
   if (!credentials2) {
-    printError("Not logged in. Run the `login` command to authenticate.");
+    printError(`Not logged in to ${apiUrl}. Run the \`login\` command to authenticate.`);
     process.exit(1);
   }
   blank();
+  console.log(keyValue("Endpoint", apiUrl));
   console.log(keyValue("User", chalk3.bold(credentials2.user.email)));
   console.log(keyValue("User ID", credentials2.user.id));
   if (credentials2.expiresAt) {
@@ -444,9 +466,9 @@ async function whoami() {
 }
 
 // src/commands/run.ts
-import chalk5 from "chalk";
-import ora2 from "ora";
-import { select as select2 } from "@inquirer/prompts";
+import chalk6 from "chalk";
+import ora3 from "ora";
+import { select as select3 } from "@inquirer/prompts";
 
 // ../../packages/types/src/telemetry/index.ts
 var TelemetryEventTypes = {
@@ -459,10 +481,8 @@ var TelemetryEventTypes = {
 };
 
 // ../../packages/types/src/tunnel/index.ts
-var TUNNEL_CHUNK_THRESHOLD = 512 * 1024;
-var TUNNEL_CHUNK_SIZE = 768 * 1024;
-var TUNNEL_MAX_RESPONSE_SIZE = 50 * 1024 * 1024;
-var TUNNEL_CHUNK_TIMEOUT_MS = 30 * 1e3;
+var MAX_FRAME_BYTES = 256 * 1024;
+var TUNNEL_DRAIN_PING_PATH = "/__evident/drain";
 
 // src/lib/telemetry.ts
 var CLI_VERSION = process.env.npm_package_version || "unknown";
@@ -574,33 +594,6 @@ function emitAgentDisconnected(agentId, metadata) {
     agent_id: agentId
   });
 }
-function emitAgentMessageProcessing(agentId, metadata) {
-  emitEvent({
-    event_type: TelemetryEventTypes.AGENT_MESSAGE_PROCESSING,
-    severity: "info",
-    message: `Processing message ${metadata.message_id.slice(0, 8)}...`,
-    metadata,
-    agent_id: agentId
-  });
-}
-function emitAgentMessageDone(agentId, metadata) {
-  emitEvent({
-    event_type: TelemetryEventTypes.AGENT_MESSAGE_DONE,
-    severity: "info",
-    message: `Message ${metadata.message_id.slice(0, 8)} processed`,
-    metadata,
-    agent_id: agentId
-  });
-}
-function emitAgentMessageFailed(agentId, metadata) {
-  emitEvent({
-    event_type: TelemetryEventTypes.AGENT_MESSAGE_FAILED,
-    severity: "error",
-    message: metadata.error ? `Message ${metadata.message_id.slice(0, 8)} failed: ${metadata.error}` : `Message ${metadata.message_id.slice(0, 8)} ${metadata.reason || "failed"}`,
-    metadata,
-    agent_id: agentId
-  });
-}
 var EventTypes = {
   // Tunnel lifecycle
   TUNNEL_STARTING: "tunnel.starting",
@@ -665,7 +658,7 @@ function isInteractive(jsonOutput) {
 // src/lib/opencode/health.ts
 async function checkOpenCodeHealth(port) {
   try {
-    const response = await fetch(`http://localhost:${port}/global/health`, {
+    const response = await fetch(`http://127.0.0.1:${port}/global/health`, {
       signal: AbortSignal.timeout(2e3)
       // 2 second timeout
     });
@@ -844,12 +837,12 @@ async function findHealthyOpenCodeInstances() {
 }
 async function startOpenCode(port) {
   let command = "opencode";
-  let args = ["serve", "--port", port.toString()];
+  let args = ["serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
   try {
     execSync("which opencode", { stdio: "ignore" });
   } catch {
     command = "npx";
-    args = ["opencode", "serve", "--port", port.toString()];
+    args = ["opencode", "serve", "--port", port.toString(), "--hostname", "127.0.0.1"];
   }
   const child = spawn(command, args, {
     detached: true,
@@ -981,14 +974,59 @@ async function promptOpenCodeInstall(interactive) {
 }
 
 // src/lib/opencode/session.ts
-async function createOpenCodeSession(port) {
-  const response = await fetch(`http://localhost:${port}/session`, {
+function opencodeBase(port) {
+  return `http://127.0.0.1:${port}`;
+}
+async function getOpenCodeDirectory(port) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/path`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    const dir = typeof body.directory === "string" && body.directory || typeof body.worktree === "string" && body.worktree || typeof body.path?.cwd === "string" && body.path.cwd || typeof body.path?.directory === "string" && body.path.directory || null;
+    return dir && dir.trim() ? dir.trim() : null;
+  } catch {
+    return null;
+  }
+}
+function roleOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  if (typeof m.role === "string") return m.role;
+  const infoRole = m.info?.role;
+  return typeof infoRole === "string" ? infoRole : void 0;
+}
+function completedOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  return m.info?.time?.completed;
+}
+async function getSessionMessages(port, sessionId) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    return Array.isArray(body) ? body : null;
+  } catch {
+    return null;
+  }
+}
+function isTurnComplete(messages) {
+  if (!messages || messages.length === 0) return false;
+  const last = messages[messages.length - 1];
+  if (roleOf(last) !== "assistant") return false;
+  return completedOf(last) != null;
+}
+async function createOpenCodeSession(port, directory) {
+  const url = new URL(`${opencodeBase(port)}/session`);
+  if (directory && directory.trim()) {
+    url.searchParams.set("directory", directory.trim());
+  }
+  const response = await fetch(url, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({})
   });
   if (!response.ok) {
-    throw new Error(`Failed to create session: HTTP ${response.status}`);
+    const text = await response.text().catch(() => "");
+    throw new Error(`Failed to create session: HTTP ${response.status}${text ? `: ${text}` : ""}`);
   }
   const data = await response.json();
   return data.id;
@@ -1018,7 +1056,7 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
       if (pollDone) break;
       if (hooks?.onQuestion) {
         try {
-          const res = await fetch(`http://localhost:${port}/question`);
+          const res = await fetch(`${opencodeBase(port)}/question`);
           if (res.ok) {
             const questions = await res.json();
             for (const q of questions) {
@@ -1033,7 +1071,7 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
       }
       if (hooks?.onPermission) {
         try {
-          const res = await fetch(`http://localhost:${port}/permission`);
+          const res = await fetch(`${opencodeBase(port)}/permission`);
           if (res.ok) {
             const permissions = await res.json();
             for (const p of permissions) {
@@ -1052,7 +1090,7 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), maxWaitMs);
     try {
-      const res = await fetch(`http://localhost:${port}/session/${sessionId}/message`, {
+      const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(body),
@@ -1062,11 +1100,14 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
         const text = await res.text().catch(() => "");
         throw new Error(`OpenCode message failed: HTTP ${res.status}${text ? `: ${text}` : ""}`);
       }
-      const sessionRes = await fetch(`http://localhost:${port}/session/${sessionId}`).catch(
+      const sessionRes = await fetch(`${opencodeBase(port)}/session/${sessionId}`).catch(
         () => null
       );
       const session = sessionRes?.ok ? await sessionRes.json() : null;
-      return { title: session?.title };
+      const reportedInteraction = reportedQuestions.size > 0 || reportedPermissions.size > 0;
+      const turnComplete = isTurnComplete(await getSessionMessages(port, sessionId));
+      const awaitingInteraction = reportedInteraction && !turnComplete;
+      return { title: session?.title, awaitingInteraction };
     } catch (err) {
       if (err instanceof Error && err.name === "AbortError") {
         throw new Error("Message processing timed out");
@@ -1082,147 +1123,149 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
 }
 
 // src/lib/tunnel/connection.ts
-import WebSocket from "ws";
+import WebSocket2 from "ws";
 
 // src/lib/tunnel/forwarding.ts
-var CHUNK_THRESHOLD = 512 * 1024;
-var CHUNK_SIZE = 768 * 1024;
-async function forwardToOpenCode(port, request) {
-  const url = `http://localhost:${port}${request.path}`;
-  try {
-    const response = await fetch(url, {
-      method: request.method,
-      headers: {
-        "Content-Type": "application/json",
-        ...request.headers
-      },
-      body: request.body ? JSON.stringify(request.body) : void 0
-    });
-    let body;
-    const contentType = response.headers.get("Content-Type");
-    const text = await response.text();
-    if (!text || text.length === 0) {
-      body = null;
-    } else if (contentType?.includes("application/json")) {
+import WebSocket from "ws";
+var LOOPBACK_HOST = "127.0.0.1";
+var STRIP_REQ = /* @__PURE__ */ new Set([
+  "host",
+  "connection",
+  "keep-alive",
+  "proxy-authorization",
+  "transfer-encoding",
+  "upgrade",
+  "content-length"
+]);
+var STRIP_RES = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "transfer-encoding",
+  "content-encoding",
+  "content-length"
+]);
+var StreamForwarder = class {
+  constructor(ws, port, callbacks = {}) {
+    this.ws = ws;
+    this.port = port;
+    this.callbacks = callbacks;
+  }
+  inflight = /* @__PURE__ */ new Map();
+  /**
+   * Handle an edge→agent frame. Unknown frame types are ignored.
+   */
+  handleFrame(frame) {
+    switch (frame.type) {
+      case "open":
+        this.callbacks.onOpen?.(frame.sid, frame.method, frame.path);
+        void this.handleOpen(frame);
+        break;
+      case "req_data":
+        this.inflight.get(frame.sid)?.pushBody?.(Buffer.from(frame.b64, "base64"));
+        break;
+      case "req_end":
+        this.inflight.get(frame.sid)?.endBody?.();
+        break;
+      case "abort":
+        this.inflight.get(frame.sid)?.abort?.();
+        break;
+    }
+  }
+  /**
+   * Abort every in-flight stream (e.g. on WebSocket close).
+   */
+  abortAll() {
+    for (const stream of this.inflight.values()) {
       try {
-        body = JSON.parse(text);
+        stream.abort();
       } catch {
-        body = text;
       }
-    } else {
-      body = text;
     }
-    return {
-      status: response.status,
-      body
-    };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return {
-      status: 502,
-      body: { error: "Failed to connect to OpenCode", message }
-    };
+    this.inflight.clear();
   }
-}
-function sendResponse(ws, requestId, response) {
-  const bodyStr = JSON.stringify(response.body ?? null);
-  const bodyBytes = Buffer.from(bodyStr, "utf-8");
-  if (bodyBytes.length < CHUNK_THRESHOLD) {
-    ws.send(
-      JSON.stringify({
-        type: "response",
-        id: requestId,
-        payload: response
-      })
-    );
-    return;
+  send(frame) {
+    if (this.ws.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(frame));
+    }
   }
-  sendResponseAsChunks(ws, requestId, response, bodyBytes);
-}
-function sendResponseAsChunks(ws, requestId, response, bodyBytes) {
-  const chunks = splitIntoChunks(bodyBytes, CHUNK_SIZE);
-  ws.send(
-    JSON.stringify({
-      type: "response_start",
-      id: requestId,
-      total_chunks: chunks.length,
-      total_size: bodyBytes.length,
-      payload: {
-        status: response.status,
-        headers: response.headers
+  async handleOpen(frame) {
+    const { sid, method, path, headers, has_body } = frame;
+    if (path === TUNNEL_DRAIN_PING_PATH) {
+      this.callbacks.onDrainPing?.();
+      this.send({ type: "head", sid, status: 204, headers: {} });
+      this.send({ type: "res_end", sid });
+      return;
+    }
+    const ac = new AbortController();
+    let bodyPromise;
+    let pushBody;
+    let endBody;
+    if (has_body) {
+      const chunks = [];
+      bodyPromise = new Promise((resolve) => {
+        pushBody = (buf) => {
+          chunks.push(buf);
+        };
+        endBody = () => {
+          resolve(Buffer.concat(chunks));
+        };
+      });
+    }
+    const fwdHeaders = {};
+    for (const [k, v] of Object.entries(headers ?? {})) {
+      if (!STRIP_REQ.has(k.toLowerCase())) fwdHeaders[k] = v;
+    }
+    this.inflight.set(sid, { pushBody, endBody, abort: () => ac.abort() });
+    const body = bodyPromise ? await bodyPromise : void 0;
+    if (ac.signal.aborted) {
+      this.inflight.delete(sid);
+      return;
+    }
+    let upstream;
+    try {
+      upstream = await fetch(`http://${LOOPBACK_HOST}:${this.port}${path}`, {
+        method,
+        headers: fwdHeaders,
+        body,
+        redirect: "manual",
+        signal: ac.signal
+      });
+    } catch (err) {
+      this.inflight.delete(sid);
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: `upstream fetch failed: ${String(err)}` });
       }
-    })
-  );
-  for (let i = 0; i < chunks.length; i++) {
-    ws.send(
-      JSON.stringify({
-        type: "response_chunk",
-        id: requestId,
-        chunk_index: i,
-        data: chunks[i].toString("base64")
-      })
-    );
-  }
-  ws.send(
-    JSON.stringify({
-      type: "response_end",
-      id: requestId
-    })
-  );
-}
-function splitIntoChunks(data, chunkSize) {
-  const chunks = [];
-  for (let i = 0; i < data.length; i += chunkSize) {
-    chunks.push(data.subarray(i, i + chunkSize));
-  }
-  return chunks;
-}
-
-// src/lib/tunnel/events.ts
-async function subscribeToOpenCodeEvents(port, subscriptionId, ws, abortController) {
-  const url = `http://localhost:${port}/event`;
-  try {
-    const response = await fetch(url, {
-      headers: { Accept: "text/event-stream" },
-      signal: abortController.signal
+      return;
+    }
+    const resHeaders = {};
+    upstream.headers.forEach((value, key) => {
+      if (!STRIP_RES.has(key.toLowerCase())) resHeaders[key] = value;
     });
-    if (!response.ok) {
-      throw new Error(`Failed to connect to OpenCode events: ${response.status}`);
-    }
-    if (!response.body) {
-      throw new Error("No response body");
-    }
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let buffer = "";
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) {
-        ws.send(JSON.stringify({ type: "event_end", id: subscriptionId }));
-        break;
-      }
-      buffer += decoder.decode(value, { stream: true });
-      const lines = buffer.split("\n");
-      buffer = lines.pop() || "";
-      for (const line of lines) {
-        if (line.startsWith("data: ")) {
-          try {
-            const event = JSON.parse(line.slice(6));
-            ws.send(JSON.stringify({ type: "event", id: subscriptionId, event }));
-          } catch {
+    this.send({ type: "head", sid, status: upstream.status, headers: resHeaders });
+    this.callbacks.onHead?.(sid, upstream.status);
+    try {
+      if (upstream.body) {
+        const reader = upstream.body.getReader();
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          const chunk = Buffer.from(value);
+          for (let i = 0; i < chunk.length; i += MAX_FRAME_BYTES) {
+            const slice = chunk.subarray(i, i + MAX_FRAME_BYTES);
+            this.send({ type: "res_data", sid, b64: slice.toString("base64") });
           }
         }
       }
+      this.send({ type: "res_end", sid });
+    } catch (err) {
+      if (!ac.signal.aborted) {
+        this.send({ type: "res_err", sid, message: String(err) });
+      }
+    } finally {
+      this.inflight.delete(sid);
     }
-  } catch (error2) {
-    if (abortController.signal.aborted) {
-      return;
-    }
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    ws.send(JSON.stringify({ type: "event_error", id: subscriptionId, error: message }));
-    throw error2;
   }
-}
+};
 
 // src/lib/tunnel/connection.ts
 var MAX_RECONNECT_DELAY = 3e4;
@@ -1232,6 +1275,33 @@ function getReconnectDelay(attempt) {
   const jitter = Math.random() * 1e3;
   return Math.min(exponentialDelay + jitter, MAX_RECONNECT_DELAY);
 }
+function describeSocketError(error2, url) {
+  const code = error2.code;
+  switch (code) {
+    case "ECONNREFUSED":
+      return `connection refused at ${url} \u2014 is the tunnel relay running? (ECONNREFUSED)`;
+    case "ENOTFOUND":
+      return `host not found for ${url} \u2014 check the tunnel URL (ENOTFOUND)`;
+    case "ETIMEDOUT":
+      return `connection timed out to ${url} (ETIMEDOUT)`;
+    case "ECONNRESET":
+      return `connection reset by ${url} (ECONNRESET)`;
+    default: {
+      const base = error2.message?.trim();
+      const suffix = code ? ` (${code})` : "";
+      return `${base && base.length > 0 ? base : "socket error"}${suffix} connecting to ${url}`;
+    }
+  }
+}
+var STREAM_FRAME_TYPES = /* @__PURE__ */ new Set([
+  "open",
+  "req_data",
+  "req_end",
+  "abort"
+]);
+function isStreamFrame(message) {
+  return STREAM_FRAME_TYPES.has(message.type);
+}
 function connectTunnel(options) {
   const {
     agentId,
@@ -1242,330 +1312,890 @@ function connectTunnel(options) {
     onError,
     onRequest,
     onResponse,
-    onInfo
+    onInfo,
+    onDrainPing
   } = options;
   const tunnelUrl = getTunnelUrlConfig();
   const url = `${tunnelUrl}/tunnel/${agentId}/connect`;
-  const activeEventSubscriptions = /* @__PURE__ */ new Map();
   return new Promise((resolve, reject) => {
-    const ws = new WebSocket(url, {
+    const ws = new WebSocket2(url, {
       headers: {
         Authorization: authHeader
       }
     });
+    const streamStartTimes = /* @__PURE__ */ new Map();
+    const forwarder = new StreamForwarder(ws, port, {
+      onOpen: (sid, method, path) => {
+        if (path === TUNNEL_DRAIN_PING_PATH) return;
+        streamStartTimes.set(sid, Date.now());
+        onRequest?.(method, path, sid);
+      },
+      onHead: (sid, status) => {
+        const startedAt = streamStartTimes.get(sid);
+        streamStartTimes.delete(sid);
+        onResponse?.(status, startedAt ? Date.now() - startedAt : 0, sid);
+      },
+      onDrainPing: () => onDrainPing?.()
+    });
     const connectionTimeout = setTimeout(() => {
       ws.close();
       reject(new Error("Connection timeout"));
     }, 3e4);
+    let upgradeRejection = null;
+    ws.on("unexpected-response", (_req, res) => {
+      clearTimeout(connectionTimeout);
+      const chunks = [];
+      res.on("data", (chunk) => chunks.push(chunk));
+      res.on("end", () => {
+        const bodyRaw = Buffer.concat(chunks).toString("utf8").trim();
+        let detail = bodyRaw;
+        try {
+          const parsed = JSON.parse(bodyRaw);
+          detail = parsed.error ?? parsed.message ?? bodyRaw;
+          if (parsed.details) detail += ` (${parsed.details})`;
+        } catch {
+        }
+        const statusLine = `HTTP ${res.statusCode}${res.statusMessage ? ` ${res.statusMessage}` : ""}`;
+        upgradeRejection = detail ? `${statusLine}: ${detail}` : statusLine;
+        onError?.(`Tunnel refused by relay (${upgradeRejection})`);
+        reject(new Error(`Tunnel handshake rejected: ${upgradeRejection}`));
+      });
+    });
     ws.on("open", () => {
       onInfo?.("WebSocket connection established");
     });
-    ws.on("message", async (data) => {
+    ws.on("message", (data) => {
+      let message;
       try {
-        const message = JSON.parse(data.toString());
-        switch (message.type) {
-          case "connected": {
-            clearTimeout(connectionTimeout);
-            const connectedAgentId = message.agent_id ?? agentId;
-            onConnected?.(connectedAgentId);
-            resolve({
-              ws,
-              close: () => ws.close(1e3, "CLI shutdown"),
-              activeEventSubscriptions
-            });
-            break;
-          }
-          case "error":
-            clearTimeout(connectionTimeout);
-            onError?.(message.message || "Unknown tunnel error");
-            if (message.code === "unauthorized") {
-              ws.close();
-              reject(new Error("Unauthorized"));
-            }
-            break;
-          case "ping":
-            ws.send(JSON.stringify({ type: "pong" }));
-            break;
-          case "request":
-            if (message.id && message.payload) {
-              const startTime = Date.now();
-              onRequest?.(message.payload.method, message.payload.path, message.id);
-              const response = await forwardToOpenCode(port, message.payload);
-              const durationMs = Date.now() - startTime;
-              onResponse?.(response.status, durationMs, message.id);
-              sendResponse(ws, message.id, response);
-            }
-            break;
-          case "subscribe_events":
-            if (message.id) {
-              const abortController = new AbortController();
-              activeEventSubscriptions.set(message.id, abortController);
-              onInfo?.(`Starting event subscription ${message.id.slice(0, 8)}`);
-              subscribeToOpenCodeEvents(port, message.id, ws, abortController).catch((error2) => {
-                if (!abortController.signal.aborted) {
-                  onError?.(`Event subscription failed: ${error2.message}`);
-                }
-              }).finally(() => {
-                activeEventSubscriptions.delete(message.id);
-              });
-            }
-            break;
-          case "unsubscribe_events":
-            if (message.id) {
-              const controller = activeEventSubscriptions.get(message.id);
-              if (controller) {
-                controller.abort();
-                activeEventSubscriptions.delete(message.id);
-              }
-            }
-            break;
-        }
+        message = JSON.parse(data.toString());
       } catch (error2) {
         const errorMessage = error2 instanceof Error ? error2.message : "Unknown error";
         onError?.(`Failed to handle message: ${errorMessage}`);
+        return;
+      }
+      if (isStreamFrame(message)) {
+        forwarder.handleFrame(message);
+        return;
+      }
+      switch (message.type) {
+        case "connected": {
+          clearTimeout(connectionTimeout);
+          const connectedAgentId = message.agent_id ?? agentId;
+          onConnected?.(connectedAgentId);
+          resolve({
+            ws,
+            close: () => ws.close(1e3, "CLI shutdown")
+          });
+          break;
+        }
+        case "error":
+          clearTimeout(connectionTimeout);
+          onError?.(message.message || "Unknown tunnel error");
+          if (message.code === "unauthorized") {
+            ws.close();
+            reject(new Error("Unauthorized"));
+          }
+          break;
+        case "ping":
+          ws.send(JSON.stringify({ type: "pong" }));
+          break;
       }
     });
     ws.on("error", (error2) => {
       clearTimeout(connectionTimeout);
-      onError?.(`Connection error: ${error2.message}`);
-      reject(error2);
+      const detail = upgradeRejection ?? describeSocketError(error2, url);
+      onError?.(`Connection error: ${detail}`);
+      reject(upgradeRejection ? new Error(upgradeRejection) : new Error(detail));
     });
     ws.on("close", (code, reason) => {
-      const reasonStr = reason.toString() || "No reason provided";
+      const reasonStr = reason.toString() || upgradeRejection || (code === 1006 ? "abnormal closure" : "No reason provided");
+      forwarder.abortAll();
+      streamStartTimes.clear();
       onDisconnected?.(code, reasonStr);
-      for (const [, controller] of activeEventSubscriptions) {
-        controller.abort();
-      }
-      activeEventSubscriptions.clear();
     });
   });
 }
 
-// src/commands/run.ts
-var MAX_ACTIVITY_LOG_ENTRIES = 10;
-var MESSAGE_POLL_INTERVAL_MS = 2e3;
-var MAX_CONSECUTIVE_FETCH_FAILURES = 3;
-var LOCK_HEARTBEAT_INTERVAL_MS = 5 * 60 * 1e3;
-async function resolveAgentIdFromKey(authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(`${apiUrl}/me`, {
-      headers: { Authorization: authHeader }
-    });
-    if (!response.ok) {
-      return { error: `Failed to resolve agent from key: HTTP ${response.status}` };
-    }
-    const data = await response.json();
-    if (data.auth_type === "agent_key" && data.agent_id) {
-      return { agent_id: data.agent_id };
+// src/lib/tunnel/runner-connection.ts
+var RunnerConnection = class {
+  opts;
+  sleep;
+  connection = null;
+  resolvedAgentId;
+  /** True while a (re)connect loop is in flight. */
+  reconnecting = false;
+  /** The in-flight reconnect promise, awaitable by the caller. */
+  reconnectPromise = null;
+  /** 1-based count of the current reconnect attempt streak. */
+  reconnectAttempt = 0;
+  constructor(opts) {
+    this.opts = opts;
+    this.resolvedAgentId = opts.agentId;
+    this.sleep = opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+  }
+  get agentId() {
+    return this.resolvedAgentId;
+  }
+  /** Establish the initial tunnel connection (with retry/backoff). */
+  async connect() {
+    await this.connectWithRetry(false);
+  }
+  /** Close the active connection (idempotent). */
+  close() {
+    if (this.connection) {
+      try {
+        this.connection.close();
+      } catch {
+      }
+      this.connection = null;
     }
-    return {
-      error: "Cannot resolve agent ID: auth type is not agent_key. Please provide --agent explicitly."
-    };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { error: `Failed to resolve agent from key: ${message}` };
   }
-}
-async function getAgentInfo(agentId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(`${apiUrl}/agents/${agentId}`, {
-      headers: { Authorization: authHeader }
-    });
-    if (response.status === 404) {
-      return { valid: false, error: "Agent not found" };
-    }
-    if (response.status === 401) {
-      return { valid: false, error: "Authentication failed", authFailed: true };
-    }
-    if (!response.ok) {
-      return { valid: false, error: `API error: ${response.status}` };
-    }
-    const agent = await response.json();
-    if (agent.sandbox_type !== "local" && agent.sandbox_type !== "github_actions") {
-      return {
-        valid: false,
-        error: `Agent is type '${agent.sandbox_type}', must be 'local' or 'github_actions' for CLI connection`
-      };
+  async connectWithRetry(isReconnect) {
+    if (isReconnect && this.reconnecting) return;
+    this.reconnecting = true;
+    this.close();
+    const { events } = this.opts;
+    while (this.opts.isRunning()) {
+      try {
+        this.connection = await connectTunnel({
+          agentId: this.resolvedAgentId,
+          authHeader: this.opts.getAuthHeader(),
+          port: this.opts.port,
+          onConnected: (agentId) => {
+            this.reconnectAttempt = 0;
+            this.reconnecting = false;
+            this.resolvedAgentId = agentId;
+            events.onConnected(agentId, isReconnect);
+          },
+          onDisconnected: (code, reason) => {
+            events.onDisconnected(code, reason);
+            if (this.opts.isRunning() && code !== 1e3 && !this.reconnecting) {
+              this.reconnectPromise = this.connectWithRetry(true).catch((err) => {
+                events.onError?.(`Reconnection failed: ${err.message}`);
+              });
+            }
+          },
+          onError: (error2) => events.onError?.(error2),
+          onResponse: () => events.onResponse?.(),
+          onDrainPing: () => events.onDrainPing?.(),
+          onInfo: (message) => events.onInfo?.(message)
+        });
+        return;
+      } catch (error2) {
+        this.reconnectAttempt++;
+        if (error2.message === "Unauthorized") {
+          this.reconnecting = false;
+          throw error2;
+        }
+        const delay = getReconnectDelay(this.reconnectAttempt);
+        events.onReconnecting?.(this.reconnectAttempt);
+        events.onError?.(`Connection failed, retrying in ${Math.round(delay / 1e3)}s...`);
+        await this.sleep(delay);
+      }
     }
-    return { valid: true, agent };
-  } catch (error2) {
-    const message = error2 instanceof Error ? error2.message : "Unknown error";
-    return { valid: false, error: `Failed to validate agent: ${message}` };
+    this.reconnecting = false;
   }
-}
-var AuthenticationError = class extends Error {
+};
+
+// src/lib/channels/driver.ts
+var DEFAULT_RETRY_POLICY = {
+  maxAttempts: 6,
+  baseDelayMs: 500,
+  maxDelayMs: 3e4
+};
+var DEFAULT_PAUSED_POLL_INTERVAL_MS = 2e3;
+var DEFAULT_PAUSED_MAX_WAIT_MS = 10 * 60 * 1e3;
+var ChannelAuthError = class extends Error {
   constructor(message) {
     super(message);
-    this.name = "AuthenticationError";
+    this.name = "ChannelAuthError";
   }
 };
-function checkAuthResponse(response, context) {
-  if (response.status === 401 || response.status === 403) {
-    throw new AuthenticationError(
-      `Authentication failed during ${context}: HTTP ${response.status}. Your session may have expired.`
-    );
-  }
-}
-async function getPendingConversations(agentId, authHeader, conversationFilter) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(`${apiUrl}/agents/${agentId}/conversations/pending`, {
-    headers: { Authorization: authHeader }
-  });
-  checkAuthResponse(response, "fetching pending conversations");
-  if (!response.ok) {
-    throw new Error(`Failed to get pending conversations: HTTP ${response.status}`);
-  }
-  const data = await response.json();
-  let conversations = data.conversations;
-  if (conversationFilter) {
-    conversations = conversations.filter((c) => c.id === conversationFilter);
+function backoffDelay(attempt, policy) {
+  const exp = policy.baseDelayMs * Math.pow(2, attempt);
+  const capped = Math.min(policy.maxDelayMs, exp);
+  return Math.floor(Math.random() * capped);
+}
+function isRetryableStatus(status) {
+  return status === 429 || status >= 500 && status <= 599;
+}
+var ChannelDriver = class {
+  agentId;
+  port;
+  apiUrl;
+  getAuthHeader;
+  conversationFilter;
+  retry;
+  log;
+  fetchImpl;
+  sleep;
+  pausedPollIntervalMs;
+  pausedMaxWaitMs;
+  /** Cache of conversationId → opencode sessionId. */
+  sessions = /* @__PURE__ */ new Map();
+  /**
+   * Outstanding paused-session watchers, keyed by `message.id` (WI-2-CLI).
+   * Single-flight per message: while a watcher is live for a message we never
+   * start a second one. The message stays `processing` for the watcher's lifetime
+   * so the `?status=pending` drain cannot double-claim it.
+   */
+  watchers = /* @__PURE__ */ new Map();
+  /**
+   * Cache of the opencode root directory (from `GET /path`). Resolved lazily on
+   * first session creation so drain-created sessions are rooted at the project
+   * directory and thus visible in `opencode web`'s session list. `undefined` =
+   * not yet resolved; `null` = resolved-but-unavailable (don't keep retrying).
+   */
+  opencodeDirectory = void 0;
+  /** Serialises drains so a reconnect during a drain doesn't double-process. */
+  draining = false;
+  constructor(config2) {
+    this.agentId = config2.agentId;
+    this.port = config2.port;
+    this.apiUrl = config2.apiUrl.replace(/\/$/, "");
+    this.getAuthHeader = config2.getAuthHeader;
+    this.conversationFilter = config2.conversationFilter ?? null;
+    this.retry = { ...DEFAULT_RETRY_POLICY, ...config2.retry };
+    this.log = config2.log ?? (() => {
+    });
+    this.fetchImpl = config2.fetchImpl ?? fetch;
+    this.sleep = config2.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+    this.pausedPollIntervalMs = config2.pausedPollIntervalMs ?? DEFAULT_PAUSED_POLL_INTERVAL_MS;
+    this.pausedMaxWaitMs = config2.pausedMaxWaitMs ?? DEFAULT_PAUSED_MAX_WAIT_MS;
+  }
+  /** The IPv4-loopback base URL for the local `opencode serve`. */
+  get opencodeBase() {
+    return `http://127.0.0.1:${this.port}`;
+  }
+  // -------------------------------------------------------------------------
+  // Public API
+  // -------------------------------------------------------------------------
+  /**
+   * Drain all pending channel conversations once: poll → process → callback.
+   * Called on tunnel `connected` (WI-CHAN-4) and on each poll tick by `run.ts`.
+   * Re-entrant calls while a drain is in flight are skipped (return 0).
+   *
+   * @returns the number of messages processed.
+   */
+  async drainPending() {
+    if (this.draining) return 0;
+    this.draining = true;
+    let processed = 0;
+    try {
+      const conversations = await this.getPendingConversations();
+      if (conversations.length > 0) {
+        const total = conversations.reduce((sum, c) => sum + (c.pending_message_count ?? 0), 0);
+        this.log({
+          level: "info",
+          message: `Found ${total} pending message(s) across ${conversations.length} conversation(s) \u2014 draining`
+        });
+      }
+      for (const conv of conversations) {
+        processed += await this.processConversation(conv);
+      }
+    } finally {
+      this.draining = false;
+    }
+    return processed;
   }
-  return conversations;
-}
-async function getPendingMessages(agentId, conversationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages?status=pending`,
-    { headers: { Authorization: authHeader } }
-  );
-  checkAuthResponse(response, "fetching pending messages");
-  if (!response.ok) {
-    throw new Error(`Failed to get messages: HTTP ${response.status}`);
+  /**
+   * Await all outstanding paused-session watchers (WI-2-CLI).
+   *
+   * In production the watchers are deliberately started-not-awaited so the drain
+   * loop never blocks on them and process exit is not held up (the cron recovers
+   * any abandoned ones). This helper exists primarily for deterministic tests
+   * that need to observe the watcher's effect (the `done` PATCH or its giving up)
+   * after a non-blocking `drainPending`. Watchers never reject, so this resolves.
+   */
+  async flushPausedWatchers() {
+    await Promise.all([...this.watchers.values()]);
+  }
+  // -------------------------------------------------------------------------
+  // Conversation processing
+  // -------------------------------------------------------------------------
+  async processConversation(conv) {
+    const sessionId = await this.ensureSession(conv);
+    const messages = await this.getPendingMessages(conv.id);
+    let processed = 0;
+    for (const message of messages) {
+      const claimed = await this.markProcessing(conv.id, message.id);
+      if (!claimed) {
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} already claimed \u2014 skipping`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        continue;
+      }
+      try {
+        this.log({
+          level: "info",
+          message: `Sending queued message ${message.id.slice(0, 8)} to OpenCode (session ${sessionId.slice(0, 8)})`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        const result = await sendMessageToOpenCode(
+          this.port,
+          sessionId,
+          message.content,
+          {
+            agent: message.opencode_agent ?? void 0,
+            model: message.opencode_model ?? void 0
+          },
+          {
+            onQuestion: (question) => this.reportInteraction(conv.id, "question", question),
+            onPermission: (permission) => this.reportInteraction(conv.id, "permission", permission)
+          }
+        );
+        if (result.awaitingInteraction) {
+          this.log({
+            level: "info",
+            message: `Message ${message.id.slice(0, 8)} paused awaiting interaction \u2014 watching session for completion`,
+            conversation_id: conv.id,
+            message_id: message.id
+          });
+          this.startPausedWatcher(conv, message, sessionId);
+          continue;
+        }
+        await this.confirmCompletion(sessionId);
+        await this.markDone(conv.id, message.id, sessionId);
+        processed += 1;
+        this.log({
+          level: "info",
+          message: `Message ${message.id.slice(0, 8)} processed`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+      } catch (err) {
+        if (err instanceof ChannelAuthError) throw err;
+        await this.markFailed(conv.id, message.id).catch(() => {
+        });
+        this.log({
+          level: "error",
+          message: `Message ${message.id.slice(0, 8)} failed: ${err instanceof Error ? err.message : String(err)}`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+      }
+    }
+    return processed;
   }
-  return response.json();
-}
-async function markMessageProcessing(agentId, conversationId, messageId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages/${messageId}`,
-    {
-      method: "PATCH",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ status: "processing" })
+  async ensureSession(conv) {
+    const cached = this.sessions.get(conv.id);
+    if (cached) return cached;
+    if (conv.opencode_session_id) {
+      this.sessions.set(conv.id, conv.opencode_session_id);
+      return conv.opencode_session_id;
     }
-  );
-  checkAuthResponse(response, "marking message as processing");
-  return response.ok;
-}
-async function reportInteractiveEvent(agentId, conversationId, type, data, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/interactive-event`,
-    {
-      method: "POST",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ type, data })
+    const directory = await this.resolveOpenCodeDirectory();
+    const sessionId = await createOpenCodeSession(this.port, directory);
+    this.sessions.set(conv.id, sessionId);
+    await this.persistSession(conv.id, sessionId).catch(() => {
+    });
+    return sessionId;
+  }
+  /**
+   * Lazily resolve (and cache) opencode's root directory via `GET /path`.
+   * Resolved once per driver: `undefined` until first lookup, then the directory
+   * string or `null` if unavailable (we don't keep retrying a missing `/path`).
+   */
+  async resolveOpenCodeDirectory() {
+    if (this.opencodeDirectory !== void 0) return this.opencodeDirectory;
+    this.opencodeDirectory = await getOpenCodeDirectory(this.port);
+    if (!this.opencodeDirectory) {
+      this.log({
+        level: "info",
+        message: "Could not determine opencode directory (GET /path) \u2014 new sessions may not appear in opencode web"
+      });
     }
-  );
-  checkAuthResponse(response, "reporting interactive event");
-  if (!response.ok) {
-    throw new Error(`Failed to report interactive event: HTTP ${response.status}`);
+    return this.opencodeDirectory;
   }
-}
-async function markMessageDone(agentId, conversationId, messageId, authHeader, sessionId) {
-  const apiUrl = getApiUrlConfig();
-  const body = { status: "done" };
-  if (sessionId) {
-    body.opencode_session_id = sessionId;
+  /**
+   * Local reconcile: re-query `GET /session/:id/message` and check whether the
+   * last assistant message is message-level complete (`isTurnComplete`).
+   *
+   * This is a PURE OBSERVABILITY probe on the normal (non-paused) path: the
+   * blocking POST already returned, and `markDone` causes the server to re-fetch
+   * the messages itself (via `extractTextFromMessages`) when delivering the
+   * reply — so this round-trip never gates delivery. We keep it only to surface a
+   * truthful diagnostic when opencode hasn't yet recorded a completed assistant
+   * turn at reconcile time, then proceed to `markDone` regardless. Uses the
+   * injected `fetchImpl` and reuses only the pure `isTurnComplete` predicate.
+   */
+  async confirmCompletion(sessionId) {
+    try {
+      const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+      if (!res.ok) return;
+      const body = await res.json();
+      const messages = Array.isArray(body) ? body : null;
+      if (!isTurnComplete(messages)) {
+        this.log({
+          level: "info",
+          message: `Session ${sessionId.slice(0, 8)} messages do not yet show a completed assistant turn on reconcile \u2014 delivering anyway`
+        });
+      }
+    } catch {
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Paused-session watcher (WI-2-CLI)
+  // -------------------------------------------------------------------------
+  /**
+   * Start (but do NOT await) a watcher that resumes a paused turn to completion.
+   *
+   * Single-flight per message: if a watcher is already live for this message we
+   * skip. The returned watcher promise is tracked in `this.watchers` and removed
+   * when it settles; it never rejects (the body is fully guarded), so a failed
+   * poll/markDone can never crash the run loop — the cron stays as the safety net.
+   */
+  startPausedWatcher(conv, message, sessionId) {
+    if (this.watchers.has(message.id)) return;
+    const watcher = this.watchPausedSession(conv, message, sessionId).finally(() => {
+      this.watchers.delete(message.id);
+    });
+    this.watchers.set(message.id, watcher);
   }
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages/${messageId}`,
-    {
-      method: "PATCH",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify(body)
+  /**
+   * Poll `GET /session/:id/message` until the SAME paused turn is message-level
+   * complete — the last message is an ASSISTANT message whose
+   * `info.time.completed` is set (the user answered the question/permission in
+   * opencode web and opencode finished the turn) — then complete it via the
+   * EXISTING `markDone` PATCH — NO re-send of the original message. The server
+   * re-fetches the assistant messages on completion, so the watcher does not
+   * pass any reply text.
+   *
+   * Fetch seam: the poll uses the injected `this.fetchImpl` (preserving the
+   * tests' injection) and reuses only the pure `isTurnComplete` predicate from
+   * `session.ts` — we do NOT call `getSessionMessages` (which uses the global
+   * `fetch`) here.
+   *
+   * Bounded by `pausedMaxWaitMs` (default 10 min, strictly < the 15-min cron
+   * reset): on timeout we STOP and leave the message `processing` so the cron
+   * remains the last-resort safety net. The whole body is wrapped so any
+   * poll/markDone failure is logged and swallowed — a watcher MUST NEVER throw
+   * out of the run loop.
+   */
+  async watchPausedSession(conv, message, sessionId) {
+    const deadline = Date.now() + this.pausedMaxWaitMs;
+    try {
+      while (Date.now() < deadline) {
+        await this.sleep(this.pausedPollIntervalMs);
+        let completed = false;
+        try {
+          const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+          if (res.ok) {
+            const body = await res.json();
+            const messages = Array.isArray(body) ? body : null;
+            completed = isTurnComplete(messages);
+          }
+        } catch {
+          continue;
+        }
+        if (!completed) continue;
+        this.log({
+          level: "info",
+          message: `Paused session ${sessionId.slice(0, 8)} completed \u2014 marking message ${message.id.slice(0, 8)} done`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        await this.markDone(conv.id, message.id, sessionId);
+        return;
+      }
+      this.log({
+        level: "info",
+        message: `Paused session ${sessionId.slice(0, 8)} did not complete within the watch window \u2014 leaving message ${message.id.slice(0, 8)} for the cron safety net`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
+    } catch (err) {
+      this.log({
+        level: "error",
+        message: `Paused-session watcher failed for message ${message.id.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
     }
-  );
-  checkAuthResponse(response, "marking message as done");
-}
-async function markMessageFailed(agentId, conversationId, messageId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  const response = await fetch(
-    `${apiUrl}/agents/${agentId}/threads/${conversationId}/messages/${messageId}`,
-    {
-      method: "PATCH",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ status: "failed" })
+  }
+  // -------------------------------------------------------------------------
+  // Evident API calls (combinedAuth thread routes)
+  // -------------------------------------------------------------------------
+  async getPendingConversations() {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/conversations/pending`,
+      {
+        headers: { Authorization: this.getAuthHeader() }
+      }
+    );
+    this.assertAuth(res, "fetching pending conversations");
+    if (!res.ok) {
+      throw new Error(`Failed to get pending conversations: HTTP ${res.status}`);
     }
-  );
-  checkAuthResponse(response, "marking message as failed");
-}
-async function acquireConversationLock(agentId, conversationId, correlationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(`${apiUrl}/agents/${agentId}/threads/${conversationId}/lock`, {
-      method: "POST",
-      headers: { Authorization: authHeader, "Content-Type": "application/json" },
-      body: JSON.stringify({ correlation_id: correlationId })
-    });
-    checkAuthResponse(response, "acquiring conversation lock");
-    if (response.status === 409) {
-      return { acquired: false, error: "Conversation already locked by another runner" };
+    const data = await res.json();
+    let conversations = data.conversations;
+    if (this.conversationFilter) {
+      conversations = conversations.filter((c) => c.id === this.conversationFilter);
     }
-    if (!response.ok) {
-      return { acquired: false, error: `Failed to acquire lock: HTTP ${response.status}` };
+    return conversations;
+  }
+  async getPendingMessages(conversationId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages?status=pending`,
+      { headers: { Authorization: this.getAuthHeader() } }
+    );
+    this.assertAuth(res, "fetching pending messages");
+    if (!res.ok) {
+      throw new Error(`Failed to get messages: HTTP ${res.status}`);
     }
-    return { acquired: true };
-  } catch (error2) {
-    if (error2 instanceof AuthenticationError) throw error2;
-    return { acquired: false, error: String(error2) };
+    return await res.json();
   }
-}
-async function extendConversationLock(agentId, conversationId, correlationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    const response = await fetch(
-      `${apiUrl}/agents/${agentId}/threads/${conversationId}/lock/extend`,
+  async markProcessing(conversationId, messageId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
       {
-        method: "POST",
-        headers: { Authorization: authHeader, "Content-Type": "application/json" },
-        body: JSON.stringify({ correlation_id: correlationId })
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ status: "processing" })
       }
     );
-    return response.ok;
-  } catch {
-    return false;
+    this.assertAuth(res, "marking message as processing");
+    return res.ok;
   }
-}
-async function releaseConversationLock(agentId, conversationId, correlationId, authHeader) {
-  const apiUrl = getApiUrlConfig();
-  try {
-    await fetch(
-      `${apiUrl}/agents/${agentId}/threads/${conversationId}/lock?correlation_id=${encodeURIComponent(correlationId)}`,
+  /**
+   * EXISTING combinedAuth completion route — idempotent + retried (WI-CHAN-2).
+   * `PATCH .../messages/:id {status:'done', opencode_session_id}`. The server's
+   * `queued_conversation_messages.status`/`processed_at` gate makes a re-call
+   * for an already-`done` message a no-op (no double Slack post).
+   */
+  async markDone(conversationId, messageId, sessionId) {
+    await this.callWithRetry(
+      "marking message as done",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "done", opencode_session_id: sessionId })
+        }
+      )
+    );
+  }
+  async markFailed(conversationId, messageId) {
+    await this.callWithRetry(
+      "marking message as failed",
+      () => this.fetchImpl(
+        `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/messages/${messageId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+          body: JSON.stringify({ status: "failed" })
+        }
+      )
+    );
+  }
+  async persistSession(conversationId, sessionId) {
+    const res = await this.fetchImpl(
+      `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}`,
       {
-        method: "DELETE",
-        headers: { Authorization: authHeader }
+        method: "PATCH",
+        headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+        body: JSON.stringify({ opencode_session_id: sessionId })
       }
     );
+    this.assertAuth(res, "persisting session id");
+  }
+  /**
+   * EXISTING combinedAuth interaction route (WI-CHAN-3) — idempotent + retried.
+   * `POST .../interactive-event {type, data}`. The server persists the
+   * interaction and posts a link to the proxied opencode-web conversation.
+   */
+  async reportInteraction(conversationId, type, data) {
+    try {
+      await this.callWithRetry(
+        "reporting interactive event",
+        () => this.fetchImpl(
+          `${this.apiUrl}/agents/${this.agentId}/threads/${conversationId}/interactive-event`,
+          {
+            method: "POST",
+            headers: { Authorization: this.getAuthHeader(), "Content-Type": "application/json" },
+            body: JSON.stringify({ type, data })
+          }
+        )
+      );
+      this.log({
+        level: "info",
+        message: `${type} surfaced to channel (id: ${data.id.slice(0, 8)})`,
+        conversation_id: conversationId
+      });
+    } catch (err) {
+      if (err instanceof ChannelAuthError) throw err;
+      this.log({
+        level: "error",
+        message: `Failed to surface ${type}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conversationId
+      });
+    }
+  }
+  // -------------------------------------------------------------------------
+  // Retry wrapper
+  // -------------------------------------------------------------------------
+  /**
+   * Invoke an Evident API call, retrying on transient failures (5xx / 429 /
+   * network errors) with exponential backoff + jitter (capped). Auth failures
+   * (401/403) are terminal and surface as `ChannelAuthError`; other 4xx are
+   * terminal too. No on-disk persistence — a crash mid-retry drops the callback
+   * (accepted by ADR-0039).
+   */
+  async callWithRetry(context, call) {
+    let lastError;
+    for (let attempt = 0; attempt < this.retry.maxAttempts; attempt += 1) {
+      let res;
+      try {
+        res = await call();
+      } catch (err) {
+        lastError = err;
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+        throw err;
+      }
+      if (res.status === 401 || res.status === 403) {
+        throw new ChannelAuthError(
+          `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+        );
+      }
+      if (res.ok) return;
+      if (isRetryableStatus(res.status)) {
+        lastError = new Error(`${context}: HTTP ${res.status}`);
+        if (attempt < this.retry.maxAttempts - 1) {
+          await this.sleep(backoffDelay(attempt, this.retry));
+          continue;
+        }
+      }
+      throw new Error(`${context}: HTTP ${res.status}`);
+    }
+    throw lastError instanceof Error ? lastError : new Error(`${context}: exhausted retries`);
+  }
+  assertAuth(res, context) {
+    if (res.status === 401 || res.status === 403) {
+      throw new ChannelAuthError(
+        `Authentication failed during ${context}: HTTP ${res.status}. Your session may have expired.`
+      );
+    }
+  }
+};
+
+// src/commands/ensure-opencode.ts
+import chalk5 from "chalk";
+import ora2 from "ora";
+import { select as select2 } from "@inquirer/prompts";
+async function ensureOpenCodeRunning(ctx) {
+  const healthCheck = await checkOpenCodeHealth(ctx.port);
+  if (healthCheck.healthy) {
+    return { port: ctx.port, process: null, version: healthCheck.version ?? null };
+  }
+  const runningInstances = await findHealthyOpenCodeInstances();
+  if (runningInstances.length > 0) {
+    if (!ctx.interactive) {
+      throw new Error(
+        `OpenCode not found on port ${ctx.port}, but running on port ${runningInstances[0].port}. Use --port ${runningInstances[0].port}`
+      );
+    }
+    blank();
+    console.log(chalk5.yellow("Found OpenCode running on different port(s):"));
+    for (const instance of runningInstances) {
+      const ver = instance.version ? ` (v${instance.version})` : "";
+      const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
+      console.log(chalk5.dim(`  * Port ${instance.port}${ver}${cwd}`));
+    }
+    blank();
+    if (runningInstances.length === 1) {
+      console.log(chalk5.yellow("Tip: Run with the correct port:"));
+      console.log(
+        chalk5.dim(
+          `  ${getCliName()} run --agent ${ctx.agentId} --port ${runningInstances[0].port}`
+        )
+      );
+    }
+    blank();
+    throw new Error(`OpenCode not running on port ${ctx.port}`);
+  }
+  if (!isOpenCodeInstalled()) {
+    if (!ctx.interactive) {
+      throw new Error("OpenCode is not installed. Install it with: npm install -g opencode-ai");
+    }
+    const result = await promptOpenCodeInstall(true);
+    if (result === "exit") process.exit(0);
+    if (result !== "installed" && !isOpenCodeInstalled()) {
+      throw new Error("OpenCode is not installed");
+    }
+  }
+  if (!ctx.interactive) {
+    ctx.log(`OpenCode is not running on port ${ctx.port}. Starting it automatically...`);
+    const proc = await startOpenCode(ctx.port);
+    const health = await waitForOpenCodeHealth(ctx.port, 3e4);
+    if (!health.healthy) {
+      throw new Error(
+        `OpenCode failed to start on port ${ctx.port}. Install with: npm install -g opencode-ai`
+      );
+    }
+    ctx.log(`OpenCode started on port ${ctx.port}${health.version ? ` (v${health.version})` : ""}`);
+    return { port: ctx.port, process: proc, version: health.version ?? null };
+  }
+  let port = ctx.port;
+  if (isPortInUse(port)) {
+    console.log(chalk5.yellow(`
+Port ${port} is already in use.`));
+    const alternativePort = findAvailablePort(port + 1);
+    if (alternativePort) {
+      const useAlternative = await select2({
+        message: `Use port ${alternativePort} instead?`,
+        choices: [
+          { name: `Yes, use port ${alternativePort}`, value: "yes" },
+          { name: "No, I will free the port manually", value: "no" }
+        ]
+      });
+      if (useAlternative === "yes") {
+        port = alternativePort;
+      } else {
+        throw new Error(`Port ${ctx.port} is in use`);
+      }
+    }
+  }
+  const action = await select2({
+    message: "OpenCode is not running. What would you like to do?",
+    choices: [
+      {
+        name: "Start OpenCode for me",
+        value: "start",
+        description: `Run 'opencode serve --port ${port}'`
+      },
+      {
+        name: "Show me the command",
+        value: "manual",
+        description: "Display the command to run manually"
+      },
+      {
+        name: "Continue without OpenCode",
+        value: "continue",
+        description: "Requests will fail until OpenCode starts"
+      }
+    ]
+  });
+  if (action === "manual") {
+    blank();
+    console.log(chalk5.bold("Run this command in another terminal:"));
+    blank();
+    console.log(`  ${chalk5.cyan(`opencode serve --port ${port}`)}`);
+    blank();
+    throw new Error("Please start OpenCode manually");
+  }
+  if (action === "start") {
+    const spinner = ora2("Starting OpenCode...").start();
+    const proc = await startOpenCode(port);
+    const health = await waitForOpenCodeHealth(port, 3e4);
+    if (!health.healthy) {
+      spinner.fail("Failed to start OpenCode");
+      throw new Error("OpenCode failed to start");
+    }
+    spinner.stop();
+    return { port, process: proc, version: health.version ?? null };
+  }
+  return { port, process: null, version: null };
+}
+
+// src/commands/agent-lookup.ts
+async function readErrorMessage(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return response.statusText || void 0;
+  try {
+    const data = JSON.parse(text);
+    const message = data.message ?? data.error;
+    if (typeof message === "string" && message.trim()) {
+      return message;
+    }
   } catch {
   }
+  return text.trim() || response.statusText || void 0;
 }
-async function updateConversationSession(agentId, conversationId, sessionId, authHeader) {
+function authFailureHint(apiUrl, serverMessage) {
+  const reason = serverMessage ? `: ${serverMessage}` : "";
+  return `Authentication failed${reason}. Your credentials were rejected by ${apiUrl}. This usually means you logged in against a different environment, or your session expired \u2014 log in again pointing at this endpoint and retry.`;
+}
+async function resolveAgentIdFromKey(authHeader) {
   const apiUrl = getApiUrlConfig();
-  const response = await fetch(`${apiUrl}/agents/${agentId}/threads/${conversationId}`, {
-    method: "PATCH",
-    headers: { Authorization: authHeader, "Content-Type": "application/json" },
-    body: JSON.stringify({ opencode_session_id: sessionId })
-  });
-  checkAuthResponse(response, "updating conversation session");
-  if (!response.ok) {
-    const text = await response.text().catch(() => "");
-    throw new Error(
-      `Failed to update conversation session: HTTP ${response.status}${text ? `: ${text}` : ""}`
-    );
+  try {
+    const response = await fetch(`${apiUrl}/me`, {
+      headers: { Authorization: authHeader }
+    });
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (!response.ok) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        error: `Failed to resolve agent from key (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
+    }
+    const data = await response.json();
+    if (data.auth_type === "agent_key" && data.agent_id) {
+      return { agent_id: data.agent_id };
+    }
+    return {
+      error: "Cannot resolve agent ID: auth type is not agent_key. Please provide --agent explicitly."
+    };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { error: `Failed to resolve agent from key: ${message}` };
   }
 }
-async function updateConversationTitle(agentId, conversationId, title, authHeader) {
+async function getAgentInfo(agentId, authHeader) {
   const apiUrl = getApiUrlConfig();
-  const response = await fetch(`${apiUrl}/agents/${agentId}/threads/${conversationId}`, {
-    method: "PATCH",
-    headers: { Authorization: authHeader, "Content-Type": "application/json" },
-    body: JSON.stringify({ title })
-  });
-  checkAuthResponse(response, "updating conversation title");
+  try {
+    const response = await fetch(`${apiUrl}/agents/${agentId}`, {
+      headers: { Authorization: authHeader }
+    });
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (response.status === 403) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: serverMessage ?? "You do not have access to this agent (it may belong to a different team or organization)."
+      };
+    }
+    if (response.status === 404) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: serverMessage ?? `Agent ${agentId} not found` };
+    }
+    if (!response.ok) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: `API error (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
+    }
+    const agent = await response.json();
+    if (agent.agent_type !== "local") {
+      return {
+        valid: false,
+        error: `Agent is type '${agent.agent_type}', must be 'local' for CLI connection`
+      };
+    }
+    return { valid: true, agent };
+  } catch (error2) {
+    const message = error2 instanceof Error ? error2.message : "Unknown error";
+    return { valid: false, error: `Failed to validate agent: ${message}` };
+  }
 }
+
+// src/commands/run.ts
+var MAX_ACTIVITY_LOG_ENTRIES = 10;
+var CHANNEL_POLL_INTERVAL_MS = Number(process.env.EVIDENT_CHANNEL_POLL_INTERVAL_MS) || 2e3;
 function log(state, message, isError = false) {
   if (state.json) {
     console.log(
@@ -1576,7 +2206,7 @@ function log(state, message, isError = false) {
       })
     );
   } else if (!state.interactive) {
-    const prefix = isError ? chalk5.red("\u2717") : chalk5.green("\u2022");
+    const prefix = isError ? chalk6.red("\u2717") : chalk6.green("\u2022");
     console.log(`${prefix} ${message}`);
   }
 }
@@ -1589,7 +2219,6 @@ function logActivity(state, entry) {
   if (state.activityLog.length > MAX_ACTIVITY_LOG_ENTRIES) {
     state.activityLog.shift();
   }
-  state.lastActivity = fullEntry.timestamp;
   if (!state.interactive) {
     if (entry.type === "error") {
       log(state, entry.error ?? "Unknown error", true);
@@ -1598,130 +2227,21 @@ function logActivity(state, entry) {
     }
   }
 }
-var ANSI = {
-  moveUp: (n) => `\x1B[${n}A`
-};
-var STATUS_DISPLAY_HEIGHT = 22;
-function colorizeStatus(status) {
-  if (status >= 200 && status < 300) {
-    return chalk5.green(status.toString());
-  } else if (status >= 300 && status < 400) {
-    return chalk5.yellow(status.toString());
-  } else if (status >= 400 && status < 500) {
-    return chalk5.red(status.toString());
-  } else if (status >= 500) {
-    return chalk5.bgRed.white(` ${status} `);
-  }
-  return status.toString();
-}
-function formatActivityEntry(entry) {
-  const time = entry.timestamp.toLocaleTimeString("en-US", {
-    hour12: false,
-    hour: "2-digit",
-    minute: "2-digit",
-    second: "2-digit"
-  });
-  switch (entry.type) {
-    case "request": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      const status = entry.status ? ` -> ${colorizeStatus(entry.status)}` : " ...";
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.cyan("<-")} ${entry.method} ${entry.path}${status}${duration}`;
-    }
-    case "response": {
-      const duration = entry.durationMs ? ` (${entry.durationMs}ms)` : "";
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.green("->")} ${entry.method} ${entry.path} ${colorizeStatus(entry.status)}${duration}`;
-    }
-    case "error": {
-      const errorMsg = entry.error || "Unknown error";
-      const path = entry.path ? ` ${entry.method} ${entry.path}` : "";
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.red("x")}${path} - ${chalk5.red(errorMsg)}`;
-    }
-    case "info": {
-      return `  ${chalk5.dim(`[${time}]`)} ${chalk5.blue("*")} ${entry.message}`;
-    }
-    default:
-      return `  ${chalk5.dim(`[${time}]`)} ${entry.message || "Unknown"}`;
-  }
-}
 function displayStatus(state) {
   if (!state.interactive) return;
-  const lines = [];
-  lines.push(chalk5.bold("Evident"));
-  lines.push(chalk5.dim("-".repeat(60)));
-  lines.push("");
-  if (state.agentName) {
-    lines.push(`  Agent:      ${state.agentName}`);
-  }
-  lines.push(`  ID:         ${state.agentId}`);
-  if (state.conversationFilter) {
-    lines.push(`  Filter:     conversation ${state.conversationFilter.slice(0, 8)}...`);
-  }
-  lines.push("");
-  if (state.connected) {
-    lines.push(`  ${chalk5.green("*")} Tunnel:    ${chalk5.green("Connected to Evident")}`);
-  } else {
-    if (state.reconnectAttempt > 0) {
-      lines.push(
-        `  ${chalk5.yellow("o")} Tunnel:    ${chalk5.yellow(`Reconnecting... (attempt ${state.reconnectAttempt})`)}`
-      );
-    } else {
-      lines.push(`  ${chalk5.yellow("o")} Tunnel:    ${chalk5.yellow("Connecting...")}`);
-    }
-  }
-  if (state.opencodeConnected) {
-    const version = state.opencodeVersion ? `, v${state.opencodeVersion}` : "";
-    lines.push(
-      `  ${chalk5.green("*")} OpenCode:  ${chalk5.green(`Running on port ${state.port}${version}`)}`
-    );
-  } else {
-    lines.push(`  ${chalk5.red("o")} OpenCode:  ${chalk5.red(`Not connected (port ${state.port})`)}`);
-  }
-  lines.push("");
-  if (state.messageCount > 0) {
-    lines.push(`  Messages:   ${state.messageCount} processed`);
-    lines.push("");
-  }
-  if (state.activityLog.length > 0) {
-    lines.push(chalk5.bold("  Activity:"));
-    for (const entry of state.activityLog) {
-      lines.push(formatActivityEntry(entry));
-    }
-  } else {
-    lines.push(chalk5.dim("  No activity yet. Waiting for requests..."));
-  }
-  lines.push("");
-  lines.push(chalk5.dim("-".repeat(60)));
-  if (state.verbose) {
-    lines.push(chalk5.dim("  Verbose mode: ON"));
-  }
-  lines.push("");
-  lines.push(
-    chalk5.dim(`  Tip: Run \`opencode attach http://localhost:${state.port}\` to see live activity`)
+  const attempt = state.connection?.reconnectAttempt ?? 0;
+  const tunnel = state.connected ? chalk6.green("tunnel: connected") : attempt > 0 ? chalk6.yellow(`tunnel: reconnecting (#${attempt})`) : chalk6.yellow("tunnel: connecting");
+  const opencode = state.opencodeConnected ? chalk6.green(`opencode: :${state.port}`) : chalk6.red(`opencode: :${state.port} (down)`);
+  const messages = state.messageCount > 0 ? chalk6.dim(` \xB7 ${state.messageCount} processed`) : "";
+  const last = state.activityLog[state.activityLog.length - 1];
+  const detail = last ? chalk6.dim(` \xB7 ${last.type === "error" ? last.error ?? "" : last.message ?? ""}`) : "";
+  const agent = state.agentName ?? state.agentId;
+  console.log(
+    `${chalk6.bold("Evident")} ${chalk6.dim(agent)}  ${tunnel}  ${opencode}${messages}${detail}`
   );
-  lines.push(chalk5.dim("  Press Ctrl+C to disconnect"));
-  while (lines.length < STATUS_DISPLAY_HEIGHT) {
-    lines.push("");
-  }
-  if (!state.displayInitialized) {
-    console.log("");
-    console.log(chalk5.dim("=".repeat(60)));
-    console.log("");
-    for (const line of lines) {
-      console.log(line);
-    }
-    state.displayInitialized = true;
-  } else {
-    process.stdout.write(ANSI.moveUp(STATUS_DISPLAY_HEIGHT + 3));
-    console.log(chalk5.dim("=".repeat(60)));
-    console.log("");
-    for (const line of lines) {
-      process.stdout.write("\x1B[2K");
-      console.log(line);
-    }
-  }
 }
 async function promptForLogin(promptMessage, successMessage) {
-  const action = await select2({
+  const action = await select3({
     message: promptMessage,
     choices: [
       {
@@ -1737,7 +2257,7 @@ async function promptForLogin(promptMessage, successMessage) {
     ]
   });
   if (action === "exit") {
-    console.log(chalk5.dim(`
+    console.log(chalk6.dim(`
 You can log in later by running: ${getCliName()} login`));
     process.exit(0);
   }
@@ -1748,137 +2268,10 @@ You can log in later by running: ${getCliName()} login`));
     process.exit(1);
   }
   blank();
-  console.log(chalk5.green(successMessage));
+  console.log(chalk6.green(successMessage));
   blank();
   return { token: credentials2.token, authType: "bearer", user: credentials2.user };
 }
-async function ensureOpenCodeRunning(state) {
-  const healthCheck = await checkOpenCodeHealth(state.port);
-  if (healthCheck.healthy) {
-    state.opencodeConnected = true;
-    state.opencodeVersion = healthCheck.version ?? null;
-    return;
-  }
-  const runningInstances = await findHealthyOpenCodeInstances();
-  if (runningInstances.length > 0) {
-    if (!state.interactive) {
-      throw new Error(
-        `OpenCode not found on port ${state.port}, but running on port ${runningInstances[0].port}. Use --port ${runningInstances[0].port}`
-      );
-    }
-    blank();
-    console.log(chalk5.yellow("Found OpenCode running on different port(s):"));
-    for (const instance of runningInstances) {
-      const ver = instance.version ? ` (v${instance.version})` : "";
-      const cwd = instance.cwd ? ` in ${instance.cwd}` : "";
-      console.log(chalk5.dim(`  * Port ${instance.port}${ver}${cwd}`));
-    }
-    blank();
-    if (runningInstances.length === 1) {
-      console.log(chalk5.yellow("Tip: Run with the correct port:"));
-      console.log(
-        chalk5.dim(
-          `  ${getCliName()} run --agent ${state.agentId} --port ${runningInstances[0].port}`
-        )
-      );
-    }
-    blank();
-    throw new Error(`OpenCode not running on port ${state.port}`);
-  }
-  if (!isOpenCodeInstalled()) {
-    if (!state.interactive) {
-      throw new Error("OpenCode is not installed. Install it with: npm install -g opencode-ai");
-    }
-    const result = await promptOpenCodeInstall(true);
-    if (result === "exit") {
-      process.exit(0);
-    }
-    if (result === "installed" || isOpenCodeInstalled()) {
-    } else {
-      throw new Error("OpenCode is not installed");
-    }
-  }
-  if (state.interactive) {
-    let actualPort = state.port;
-    if (isPortInUse(state.port)) {
-      console.log(chalk5.yellow(`
-Port ${state.port} is already in use.`));
-      const alternativePort = findAvailablePort(state.port + 1);
-      if (alternativePort) {
-        const useAlternative = await select2({
-          message: `Use port ${alternativePort} instead?`,
-          choices: [
-            { name: `Yes, use port ${alternativePort}`, value: "yes" },
-            { name: "No, I will free the port manually", value: "no" }
-          ]
-        });
-        if (useAlternative === "yes") {
-          actualPort = alternativePort;
-          state.port = actualPort;
-        } else {
-          throw new Error(`Port ${state.port} is in use`);
-        }
-      }
-    }
-    const action = await select2({
-      message: "OpenCode is not running. What would you like to do?",
-      choices: [
-        {
-          name: "Start OpenCode for me",
-          value: "start",
-          description: `Run 'opencode serve --port ${actualPort}'`
-        },
-        {
-          name: "Show me the command",
-          value: "manual",
-          description: "Display the command to run manually"
-        },
-        {
-          name: "Continue without OpenCode",
-          value: "continue",
-          description: "Requests will fail until OpenCode starts"
-        }
-      ]
-    });
-    if (action === "manual") {
-      blank();
-      console.log(chalk5.bold("Run this command in another terminal:"));
-      blank();
-      console.log(`  ${chalk5.cyan(`opencode serve --port ${actualPort}`)}`);
-      blank();
-      throw new Error("Please start OpenCode manually");
-    }
-    if (action === "start") {
-      const spinner = ora2("Starting OpenCode...").start();
-      state.opencodeProcess = await startOpenCode(actualPort);
-      const health = await waitForOpenCodeHealth(actualPort, 3e4);
-      if (!health.healthy) {
-        spinner.fail("Failed to start OpenCode");
-        throw new Error("OpenCode failed to start");
-      }
-      spinner.succeed(
-        `OpenCode running on port ${actualPort}${health.version ? ` (v${health.version})` : ""}`
-      );
-      state.opencodeConnected = true;
-      state.opencodeVersion = health.version ?? null;
-    }
-  } else {
-    log(state, `OpenCode is not running on port ${state.port}. Starting it automatically...`);
-    state.opencodeProcess = await startOpenCode(state.port);
-    const health = await waitForOpenCodeHealth(state.port, 3e4);
-    if (!health.healthy) {
-      throw new Error(
-        `OpenCode failed to start on port ${state.port}. Install with: npm install -g opencode-ai`
-      );
-    }
-    log(
-      state,
-      `OpenCode started on port ${state.port}${health.version ? ` (v${health.version})` : ""}`
-    );
-    state.opencodeConnected = true;
-    state.opencodeVersion = health.version ?? null;
-  }
-}
 var AUTH_EXPIRED_EXIT_CODE = 77;
 async function handleAuthError(state, error2) {
   logActivity(state, {
@@ -1888,12 +2281,12 @@ async function handleAuthError(state, error2) {
   if (state.interactive) displayStatus(state);
   if (!state.interactive) {
     blank();
-    console.log(chalk5.red("Authentication expired"));
-    console.log(chalk5.dim("Your authentication token is no longer valid."));
+    console.log(chalk6.red("Authentication expired"));
+    console.log(chalk6.dim("Your authentication token is no longer valid."));
     blank();
-    console.log(chalk5.dim("To fix this:"));
-    console.log(chalk5.dim(`  1. Run '${getCliName()} login' to re-authenticate`));
-    console.log(chalk5.dim("  2. Restart this command"));
+    console.log(chalk6.dim("To fix this:"));
+    console.log(chalk6.dim(`  1. Run '${getCliName()} login' to re-authenticate`));
+    console.log(chalk6.dim("  2. Restart this command"));
     blank();
     await cleanup(state);
     await shutdownTelemetry();
@@ -1901,7 +2294,7 @@ async function handleAuthError(state, error2) {
     return { success: false };
   }
   blank();
-  console.log(chalk5.yellow("Your authentication has expired."));
+  console.log(chalk6.yellow("Your authentication has expired."));
   blank();
   try {
     const credentials2 = await promptForLogin(
@@ -1914,285 +2307,62 @@ async function handleAuthError(state, error2) {
     return { success: false };
   }
 }
-function isNetworkError(error2) {
-  if (error2 instanceof Error) {
-    const message = error2.message.toLowerCase();
-    return message.includes("fetch failed") || message.includes("network") || message.includes("econnrefused") || message.includes("econnreset") || message.includes("etimedout") || message.includes("socket hang up");
-  }
-  return false;
-}
-async function processQueue(state, authHeader, triggerReconnect) {
+async function driveChannels(state, driver) {
   let idlePolls = 0;
-  let currentAuthHeader = authHeader;
   while (state.running) {
-    if (state.reconnecting && state.reconnectPromise) {
-      logActivity(state, {
-        type: "info",
-        message: "Waiting for tunnel reconnection..."
-      });
+    if (state.connection?.reconnecting && state.connection.reconnectPromise) {
+      logActivity(state, { type: "info", message: "Waiting for tunnel reconnection..." });
       if (state.interactive) displayStatus(state);
-      await state.reconnectPromise;
+      await state.connection.reconnectPromise;
     }
     try {
-      const conversations = await getPendingConversations(
-        state.agentId,
-        currentAuthHeader,
-        state.conversationFilter ?? void 0
-      );
-      state.consecutiveFetchFailures = 0;
-      if (conversations.length > 0) {
+      const processed = await driver.drainPending();
+      state.messageCount += processed;
+      if (processed > 0) {
         idlePolls = 0;
-        for (const conv of conversations) {
-          if (!state.running) break;
-          if (!state.lockedConversations.has(conv.id)) {
-            const lockResult = await acquireConversationLock(
-              state.agentId,
-              conv.id,
-              state.lockCorrelationId,
-              currentAuthHeader
-            );
-            if (!lockResult.acquired) {
-              logActivity(state, {
-                type: "info",
-                message: `Conversation ${conv.id.slice(0, 8)} locked by another runner \u2014 skipping`
-              });
-              if (state.interactive) displayStatus(state);
-              continue;
-            }
-            state.lockedConversations.add(conv.id);
-            logActivity(state, {
-              type: "info",
-              message: `Lock acquired on conversation ${conv.id.slice(0, 8)}`
-            });
-          }
-          logActivity(state, {
-            type: "info",
-            message: `Processing conversation ${conv.id.slice(0, 8)}... (${conv.pending_message_count} pending)`
-          });
-          if (state.interactive) displayStatus(state);
-          let sessionId = state.sessions.get(conv.id);
-          if (!sessionId) {
-            if (conv.opencode_session_id) {
-              sessionId = conv.opencode_session_id;
-            } else {
-              sessionId = await createOpenCodeSession(state.port);
-              await updateConversationSession(state.agentId, conv.id, sessionId, currentAuthHeader);
-              logActivity(state, {
-                type: "info",
-                message: `Created session ${sessionId.slice(0, 8)}`
-              });
-            }
-            state.sessions.set(conv.id, sessionId);
-          }
-          const messages = await getPendingMessages(state.agentId, conv.id, currentAuthHeader);
-          for (const message of messages) {
-            if (!state.running) break;
-            logActivity(state, {
-              type: "info",
-              message: `Processing message ${message.id.slice(0, 8)}...`
-            });
-            if (state.interactive) displayStatus(state);
-            const claimed = await markMessageProcessing(
-              state.agentId,
-              conv.id,
-              message.id,
-              currentAuthHeader
-            );
-            if (!claimed) {
-              logActivity(state, {
-                type: "info",
-                message: `Message ${message.id.slice(0, 8)} already claimed`
-              });
-              continue;
-            }
-            emitAgentMessageProcessing(state.agentId, {
-              message_id: message.id,
-              conversation_id: conv.id
-            });
-            try {
-              const result = await sendMessageToOpenCode(
-                state.port,
-                sessionId,
-                message.content,
-                {
-                  agent: message.opencode_agent ?? void 0,
-                  model: message.opencode_model ?? void 0
-                },
-                {
-                  onQuestion: async (question) => {
-                    try {
-                      await reportInteractiveEvent(
-                        state.agentId,
-                        conv.id,
-                        "question",
-                        question,
-                        currentAuthHeader
-                      );
-                      logActivity(state, {
-                        type: "info",
-                        message: `Question surfaced to user (id: ${question.id.slice(0, 8)})`
-                      });
-                    } catch (err) {
-                      logActivity(state, {
-                        type: "error",
-                        error: `Failed to surface question: ${err}`
-                      });
-                    }
-                  },
-                  onPermission: async (permission) => {
-                    try {
-                      await reportInteractiveEvent(
-                        state.agentId,
-                        conv.id,
-                        "permission",
-                        permission,
-                        currentAuthHeader
-                      );
-                      logActivity(state, {
-                        type: "info",
-                        message: `Permission request surfaced to user (id: ${permission.id.slice(0, 8)})`
-                      });
-                    } catch (err) {
-                      logActivity(state, {
-                        type: "error",
-                        error: `Failed to surface permission: ${err}`
-                      });
-                    }
-                  }
-                }
-              );
-              if (result.title) {
-                try {
-                  await updateConversationTitle(
-                    state.agentId,
-                    conv.id,
-                    result.title,
-                    currentAuthHeader
-                  );
-                } catch {
-                }
-              }
-              await markMessageDone(
-                state.agentId,
-                conv.id,
-                message.id,
-                currentAuthHeader,
-                sessionId
-              );
-              state.messageCount++;
-              logActivity(state, {
-                type: "info",
-                message: `Message ${message.id.slice(0, 8)} processed`
-              });
-              emitAgentMessageDone(state.agentId, {
-                message_id: message.id,
-                conversation_id: conv.id
-              });
-            } catch (error2) {
-              if (error2 instanceof AuthenticationError) {
-                throw error2;
-              }
-              await markMessageFailed(state.agentId, conv.id, message.id, currentAuthHeader);
-              logActivity(state, {
-                type: "error",
-                error: `Message ${message.id.slice(0, 8)} failed: ${error2}`
-              });
-              emitAgentMessageFailed(state.agentId, {
-                message_id: message.id,
-                conversation_id: conv.id,
-                error: String(error2)
-              });
-            }
-            if (state.interactive) displayStatus(state);
-          }
-        }
-      } else {
-        if (state.idleTimeout !== null) {
-          idlePolls++;
-          if (idlePolls === 1) {
-            logActivity(state, {
-              type: "info",
-              message: `Queue empty, waiting (timeout: ${state.idleTimeout}s)...`
-            });
-            if (state.interactive) displayStatus(state);
-          }
-        }
-      }
-      await new Promise((resolve) => setTimeout(resolve, MESSAGE_POLL_INTERVAL_MS));
-      if (state.idleTimeout !== null && idlePolls >= 2) {
-        const idleMs = idlePolls * MESSAGE_POLL_INTERVAL_MS;
-        if (idleMs > state.idleTimeout * 1e3) {
+        if (state.interactive) displayStatus(state);
+      } else if (state.idleTimeout !== null) {
+        idlePolls++;
+        if (idlePolls === 1) {
           logActivity(state, {
             type: "info",
-            message: "Idle timeout reached"
+            message: `Queue empty, waiting (timeout: ${state.idleTimeout}s)...`
           });
           if (state.interactive) displayStatus(state);
-          break;
         }
       }
     } catch (error2) {
-      if (error2 instanceof AuthenticationError) {
+      if (error2 instanceof ChannelAuthError) {
         const result = await handleAuthError(state, error2);
         if (result.success && result.newAuthHeader) {
-          currentAuthHeader = result.newAuthHeader;
           state.authHeader = result.newAuthHeader;
-          logActivity(state, {
-            type: "info",
-            message: "Continuing with new credentials..."
-          });
+          logActivity(state, { type: "info", message: "Continuing with new credentials..." });
           if (state.interactive) displayStatus(state);
           continue;
-        } else {
-          state.running = false;
-          break;
         }
+        state.running = false;
+        break;
       }
       const errorMessage = error2 instanceof Error ? error2.message : String(error2);
-      logActivity(state, {
-        type: "error",
-        error: `Queue processing error: ${errorMessage}`
-      });
+      logActivity(state, { type: "error", error: `Channel processing error: ${errorMessage}` });
       if (state.interactive) displayStatus(state);
-      if (isNetworkError(error2)) {
-        state.consecutiveFetchFailures++;
-        if (state.consecutiveFetchFailures >= MAX_CONSECUTIVE_FETCH_FAILURES) {
-          logActivity(state, {
-            type: "info",
-            message: `Detected ${state.consecutiveFetchFailures} consecutive fetch failures, triggering reconnection...`
-          });
-          if (state.interactive) displayStatus(state);
-          await triggerReconnect();
-          state.consecutiveFetchFailures = 0;
-        }
+    }
+    await new Promise((resolve) => setTimeout(resolve, CHANNEL_POLL_INTERVAL_MS));
+    if (state.idleTimeout !== null && idlePolls >= 2) {
+      const idleMs = idlePolls * CHANNEL_POLL_INTERVAL_MS;
+      if (idleMs > state.idleTimeout * 1e3) {
+        logActivity(state, { type: "info", message: "Idle timeout reached" });
+        if (state.interactive) displayStatus(state);
+        break;
       }
-      await new Promise((resolve) => setTimeout(resolve, MESSAGE_POLL_INTERVAL_MS));
     }
   }
 }
-async function cleanup(state, authHeader) {
+async function cleanup(state) {
   state.running = false;
-  if (state.lockHeartbeatTimer) {
-    clearInterval(state.lockHeartbeatTimer);
-    state.lockHeartbeatTimer = null;
-  }
-  if (authHeader && state.lockedConversations.size > 0) {
-    for (const convId of state.lockedConversations) {
-      await releaseConversationLock(state.agentId, convId, state.lockCorrelationId, authHeader);
-    }
-    if (state.interactive) {
-      logActivity(state, {
-        type: "info",
-        message: `Released ${state.lockedConversations.size} lock(s)`
-      });
-      displayStatus(state);
-    } else {
-      log(state, `Released ${state.lockedConversations.size} lock(s)`);
-    }
-    state.lockedConversations.clear();
-  }
-  if (state.tunnelConnection) {
-    state.tunnelConnection.close();
-    state.tunnelConnection = null;
+  if (state.connection) {
+    state.connection.close();
+    state.connection = null;
   }
   if (state.opencodeProcess) {
     stopOpenCode(state.opencodeProcess);
@@ -2211,7 +2381,6 @@ async function run(options) {
     agentId: options.agent || "",
     agentName: null,
     port: options.port ?? 4096,
-    verbose: options.verbose ?? false,
     conversationFilter: options.conversation ?? null,
     idleTimeout: options.idleTimeout ?? null,
     json: options.json ?? false,
@@ -2219,22 +2388,11 @@ async function run(options) {
     connected: false,
     opencodeConnected: false,
     opencodeVersion: null,
-    reconnectAttempt: 0,
     opencodeProcess: null,
-    tunnelConnection: null,
+    connection: null,
     running: true,
     activityLog: [],
-    displayInitialized: false,
-    lastActivity: /* @__PURE__ */ new Date(),
-    pendingRequests: /* @__PURE__ */ new Map(),
-    sessions: /* @__PURE__ */ new Map(),
     messageCount: 0,
-    lockCorrelationId: `cli-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
-    lockedConversations: /* @__PURE__ */ new Set(),
-    lockHeartbeatTimer: null,
-    consecutiveFetchFailures: 0,
-    reconnecting: false,
-    reconnectPromise: null,
     authHeader: ""
   };
   if (state.idleTimeout === null && (process.env.GITHUB_ACTIONS || process.env.CI)) {
@@ -2251,7 +2409,7 @@ async function run(options) {
     } else {
       log(state, "Shutting down...");
     }
-    await cleanup(state, state.authHeader);
+    await cleanup(state);
     await shutdownTelemetry();
     process.exit(0);
   };
@@ -2263,13 +2421,13 @@ async function run(options) {
       if (!interactive) {
         printError("Authentication required");
         blank();
-        console.log(chalk5.dim("Set EVIDENT_AGENT_KEY environment variable for CI"));
-        console.log(chalk5.dim("Or run `evident login` for interactive authentication"));
+        console.log(chalk6.dim("Set EVIDENT_AGENT_KEY environment variable for CI"));
+        console.log(chalk6.dim("Or run `evident login` for interactive authentication"));
         blank();
         process.exit(1);
       }
       blank();
-      console.log(chalk5.yellow("You are not logged in to Evident."));
+      console.log(chalk6.yellow("You are not logged in to Evident."));
       blank();
       credentials2 = await promptForLogin(
         "Would you like to log in now?",
@@ -2283,6 +2441,12 @@ async function run(options) {
         if (resolved.agent_id) {
           state.agentId = resolved.agent_id;
           log(state, `Resolved agent ID from key: ${state.agentId}`);
+          if (state.interactive && !state.json) {
+            logActivity(state, {
+              type: "info",
+              message: `Agent ID resolved from key: ${state.agentId}`
+            });
+          }
         } else {
           printError(resolved.error || "Failed to resolve agent ID from key");
           process.exit(1);
@@ -2290,7 +2454,7 @@ async function run(options) {
       } else {
         printError("--agent is required when not using EVIDENT_AGENT_KEY");
         blank();
-        console.log(chalk5.dim("Either provide --agent <id> or set EVIDENT_AGENT_KEY"));
+        console.log(chalk6.dim("Either provide --agent <id> or set EVIDENT_AGENT_KEY"));
         blank();
         process.exit(1);
       }
@@ -2309,15 +2473,15 @@ async function run(options) {
     );
     if (interactive && !state.json) {
       blank();
-      console.log(chalk5.bold("Evident Run"));
-      console.log(chalk5.dim("-".repeat(40)));
+      console.log(chalk6.bold("Evident Run"));
+      console.log(chalk6.dim("-".repeat(40)));
     }
-    const spinner = interactive && !state.json ? ora2("Validating agent...").start() : null;
+    const spinner = interactive && !state.json ? ora3("Validating agent...").start() : null;
     let validation = await getAgentInfo(state.agentId, state.authHeader);
     if (!validation.valid && validation.authFailed && interactive) {
       spinner?.fail("Authentication failed");
       blank();
-      console.log(chalk5.yellow("Your authentication token is invalid or expired."));
+      console.log(chalk6.yellow("Your authentication token is invalid or expired."));
       blank();
       credentials2 = await promptForLogin(
         "Would you like to log in again?",
@@ -2333,172 +2497,129 @@ async function run(options) {
     }
     spinner?.succeed(`Agent: ${validation.agent.name || state.agentId}`);
     state.agentName = validation.agent.name;
-    const ocSpinner = interactive && !state.json ? ora2("Checking OpenCode...").start() : null;
+    const ocSpinner = interactive && !state.json ? ora3("Checking OpenCode...").start() : null;
     try {
-      await ensureOpenCodeRunning(state);
+      const oc = await ensureOpenCodeRunning({
+        port: state.port,
+        interactive: state.interactive,
+        agentId: state.agentId,
+        log: (message) => log(state, message)
+      });
+      state.port = oc.port;
+      state.opencodeProcess = oc.process;
+      state.opencodeVersion = oc.version;
+      state.opencodeConnected = oc.process !== null || oc.version !== null;
       const version = state.opencodeVersion ? ` (v${state.opencodeVersion})` : "";
       ocSpinner?.succeed(`OpenCode running on port ${state.port}${version}`);
     } catch (error2) {
       ocSpinner?.fail(error2.message);
       throw error2;
     }
-    const tunnelSpinner = interactive && !state.json ? ora2("Connecting tunnel...").start() : null;
-    const connectWithRetry = async (isReconnect = false) => {
-      if (isReconnect && state.reconnecting) {
-        return;
-      }
-      state.reconnecting = true;
-      if (state.tunnelConnection) {
-        try {
-          state.tunnelConnection.close();
-        } catch {
-        }
-        state.tunnelConnection = null;
-      }
-      while (state.running) {
-        try {
-          state.tunnelConnection = await connectTunnel({
-            agentId: state.agentId,
-            authHeader: state.authHeader,
-            port: state.port,
-            onConnected: (agentId) => {
-              state.connected = true;
-              state.reconnectAttempt = 0;
-              state.reconnecting = false;
-              state.consecutiveFetchFailures = 0;
-              state.agentId = agentId;
-              logActivity(state, {
-                type: "info",
-                message: isReconnect ? `Tunnel reconnected (agent: ${agentId})` : `Tunnel connected (agent: ${agentId})`
-              });
-              emitAgentConnected(state.agentId, { port: state.port });
-              if (state.interactive) displayStatus(state);
-            },
-            onDisconnected: (code, reason) => {
-              state.connected = false;
+    const tunnelSpinner = interactive && !state.json ? ora3("Connecting tunnel...").start() : null;
+    const channelDriver = new ChannelDriver({
+      agentId: state.agentId,
+      port: state.port,
+      apiUrl: getApiUrlConfig(),
+      getAuthHeader: () => state.authHeader,
+      conversationFilter: state.conversationFilter,
+      log: (entry) => logActivity(state, {
+        type: entry.level === "error" ? "error" : "info",
+        message: entry.message,
+        error: entry.level === "error" ? entry.message : void 0
+      })
+    });
+    const connection = new RunnerConnection({
+      agentId: state.agentId,
+      getAuthHeader: () => state.authHeader,
+      port: state.port,
+      isRunning: () => state.running,
+      events: {
+        onConnected: (agentId, isReconnect) => {
+          state.connected = true;
+          state.agentId = agentId;
+          logActivity(state, {
+            type: "info",
+            message: `Tunnel ${isReconnect ? "reconnected" : "connected"} (agent: ${agentId})`
+          });
+          emitAgentConnected(state.agentId, { port: state.port });
+          if (!isReconnect) tunnelSpinner?.succeed("Tunnel connected");
+          if (state.interactive) displayStatus(state);
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
               logActivity(state, {
                 type: "info",
-                message: `Tunnel disconnected (code: ${code}, reason: ${reason})`
+                message: `Drained ${processed} queued message(s) on connect`
               });
-              emitAgentDisconnected(state.agentId, { code, reason });
-              if (state.interactive) displayStatus(state);
-              if (state.running && code !== 1e3 && !state.reconnecting) {
-                logActivity(state, {
-                  type: "info",
-                  message: "Attempting automatic reconnection..."
-                });
-                if (state.interactive) displayStatus(state);
-                state.reconnectPromise = connectWithRetry(true).catch((err) => {
-                  logActivity(state, {
-                    type: "error",
-                    error: `Reconnection failed: ${err.message}`
-                  });
-                  if (state.interactive) displayStatus(state);
-                });
-              }
-            },
-            onError: (error2) => {
-              logActivity(state, { type: "error", error: error2 });
-              if (state.interactive) displayStatus(state);
-            },
-            onRequest: (method, path, requestId) => {
-              state.pendingRequests.set(requestId, {
-                startTime: Date.now(),
-                method,
-                path
-              });
-              logActivity(state, { type: "request", method, path, requestId });
-              if (state.interactive) displayStatus(state);
-            },
-            onResponse: (status, durationMs, requestId) => {
-              const pending = state.pendingRequests.get(requestId);
-              state.pendingRequests.delete(requestId);
-              state.opencodeConnected = true;
-              const lastEntry = state.activityLog[state.activityLog.length - 1];
-              if (lastEntry && lastEntry.requestId === requestId) {
-                lastEntry.type = "response";
-                lastEntry.status = status;
-                lastEntry.durationMs = durationMs;
-              } else if (pending) {
-                logActivity(state, {
-                  type: "response",
-                  method: pending.method,
-                  path: pending.path,
-                  status,
-                  durationMs,
-                  requestId
-                });
-              }
-              if (state.interactive) displayStatus(state);
-            },
-            onInfo: (message) => {
-              logActivity(state, { type: "info", message });
               if (state.interactive) displayStatus(state);
             }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
+            logActivity(state, {
+              type: "error",
+              error: `Failed to drain queued messages on connect: ${message}`
+            });
+            if (state.interactive) displayStatus(state);
           });
-          if (!isReconnect) {
-            tunnelSpinner?.succeed("Tunnel connected");
-          }
-          return;
-        } catch (error2) {
-          state.reconnectAttempt++;
-          const delay = getReconnectDelay(state.reconnectAttempt);
-          if (error2.message === "Unauthorized") {
-            state.reconnecting = false;
-            if (!isReconnect) {
-              tunnelSpinner?.fail("Unauthorized");
-            }
-            throw error2;
-          }
+        },
+        onDisconnected: (code, reason) => {
+          state.connected = false;
           logActivity(state, {
-            type: "error",
-            error: `Connection failed, retrying in ${Math.round(delay / 1e3)}s...`
+            type: "info",
+            message: `Tunnel disconnected (code: ${code}, reason: ${reason})`
           });
+          emitAgentDisconnected(state.agentId, { code, reason });
           if (state.interactive) displayStatus(state);
-          await new Promise((resolve) => setTimeout(resolve, delay));
-        }
-      }
-      state.reconnecting = false;
-    };
-    const triggerReconnect = async () => {
-      if (!state.reconnecting) {
-        state.reconnectPromise = connectWithRetry(true).catch((err) => {
-          logActivity(state, {
-            type: "error",
-            error: `Reconnection failed: ${err.message}`
-          });
+        },
+        onError: (error2) => {
+          logActivity(state, { type: "error", error: error2 });
           if (state.interactive) displayStatus(state);
-        });
-      }
-      if (state.reconnectPromise) {
-        await state.reconnectPromise;
-      }
-    };
-    await connectWithRetry(false);
-    state.lockHeartbeatTimer = setInterval(async () => {
-      for (const convId of state.lockedConversations) {
-        const extended = await extendConversationLock(
-          state.agentId,
-          convId,
-          state.lockCorrelationId,
-          state.authHeader
-        );
-        if (!extended) {
-          logActivity(state, {
-            type: "error",
-            error: `Failed to extend lock on conversation ${convId.slice(0, 8)}`
+        },
+        // Web traffic is proxied transparently; only note opencode is live.
+        onResponse: () => {
+          state.opencodeConnected = true;
+        },
+        // A channel message was queued and the api-worker pinged us over the
+        // tunnel to drain immediately instead of waiting for the next poll tick.
+        // Best-effort + non-fatal: mirror the on-connect drain block. A failed
+        // drain here is logged and swallowed — the steady-state poll retries, so
+        // a lost/failed ping can never orphan a message (§2 invariant).
+        onDrainPing: () => {
+          if (!state.running) return;
+          logActivity(state, { type: "info", message: "Drain ping received \u2014 draining" });
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on ping`
+              });
+              if (state.interactive) displayStatus(state);
+            }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
+            logActivity(state, {
+              type: "error",
+              error: `Failed to drain queued messages on ping: ${message}`
+            });
+            if (state.interactive) displayStatus(state);
           });
-          state.lockedConversations.delete(convId);
-        }
+        },
+        onInfo: (message) => logActivity(state, { type: "info", message })
       }
-    }, LOCK_HEARTBEAT_INTERVAL_MS);
-    if (interactive && !state.json) {
-      displayStatus(state);
-    } else {
-      log(state, "Processing queue...");
+    });
+    state.connection = connection;
+    try {
+      await connection.connect();
+    } catch (error2) {
+      if (error2.message === "Unauthorized") tunnelSpinner?.fail("Unauthorized");
+      throw error2;
+    }
+    if (!interactive || state.json) {
+      log(state, "Driving channel messages...");
     }
-    await processQueue(state, state.authHeader, triggerReconnect);
-    await cleanup(state, state.authHeader);
+    await driveChannels(state, channelDriver);
+    await cleanup(state);
     if (state.json) {
       console.log(
         JSON.stringify({
@@ -2512,7 +2633,7 @@ async function run(options) {
     await shutdownTelemetry();
     process.exit(0);
   } catch (error2) {
-    await cleanup(state, state.authHeader);
+    await cleanup(state);
     const message = error2 instanceof Error ? error2.message : String(error2);
     if (state.json) {
       console.log(JSON.stringify({ status: "error", error: message }));
@@ -2530,16 +2651,22 @@ async function run(options) {
 
 // src/index.ts
 var program = new Command();
-program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option("-e, --env <environment>", "Environment to use (local, dev, production)", "production").hook("preAction", (thisCommand) => {
-  const env = thisCommand.opts().env;
-  if (env) {
-    setEnvironment(env);
+program.name("evident").description("Run OpenCode locally and connect it to Evident").version("0.1.0").option(
+  "--endpoint <url>",
+  "Evident API base URL (default: production; e.g. http://localhost:3001)"
+).option("--tunnel <url>", "Tunnel WebSocket URL (default: production; e.g. ws://localhost:8787)").hook("preAction", (thisCommand) => {
+  const { endpoint, tunnel } = thisCommand.opts();
+  if (endpoint) {
+    setEndpoint(endpoint);
+  }
+  if (tunnel) {
+    setTunnelUrl(tunnel);
   }
 });
 program.command("login").description("Authenticate with Evident").option("--token", "Use token-based authentication (for CI/CD)").option("--no-browser", "Do not open the browser automatically").action(login);
-program.command("logout").description("Remove stored credentials").action(logout);
+program.command("logout").description("Remove stored credentials for the current endpoint").option("--all", "Remove stored credentials for all endpoints").action((options) => logout({ all: options.all }));
 program.command("whoami").description("Show the currently logged in user").action(whoami);
-program.command("run").description("Connect to Evident and process messages").requiredOption("-a, --agent <id>", "Agent ID to connect to").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
+program.command("run").description("Connect to Evident and process messages").option("-a, --agent [id]", "Agent ID to connect to (optional when EVIDENT_AGENT_KEY is set)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
   (options) => {
     run({
       agent: options.agent,