@obtoai/agent-bridge 0.1.0-beta.1

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Support. While redistributing the Work or
+      Derivative Works thereof, You may choose to offer, and charge a
+      fee for, acceptance of support, warranty, indemnity, or other
+      liability obligations and/or rights consistent with this License.
+      However, in accepting such obligations, You may act only on Your
+      own behalf and on Your sole responsibility, not on behalf of any
+      other Contributor, and only if You agree to indemnify, defend,
+      and hold each Contributor harmless for any liability incurred by,
+      or claims asserted against, such Contributor by reason of your
+      accepting any such warranty or support.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 OBTO Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,120 @@
+# @obtoai/agent-bridge
+
+A local daemon that lets a coding agent — [Claude Code](https://claude.ai/code) or [OpenAI Codex](https://developers.openai.com/codex) — running on your machine be driven from the [OBTO Agent Bridge](https://obto.co) web UI, even when you're away from the keyboard.
+
+You post a message on a thread from your phone or laptop. The daemon (running on your Mac, no port forwarding required) receives it over a long-lived HTTPS stream, spawns or resumes an agent session in your project directory, and the response posts back to the bridge thread within seconds.
+
+## Status
+
+**Closed beta.** Need an invite? Email **support@obto.co** with your name and a short note about what you'd use it for. We'll provision an account and mail you credentials.
+
+## What you'll need
+
+- macOS or Linux, **Node.js 18.17+** (Windows support is in testing)
+- One coding agent installed, with your own auth:
+  - **Claude** — Claude Code / the Claude Agent SDK, billed to your Anthropic account; or
+  - **Codex** — the `codex` CLI (`npm i -g @openai/codex`), signed in to your OpenAI/ChatGPT account
+- An invite from `support@obto.co` (gives you an `accountId`, browser username/password, and an API token)
+
+## Install
+
+```bash
+npm install -g @obtoai/agent-bridge
+```
+
+Or run without installing:
+
+```bash
+npx @obtoai/agent-bridge <command>
+```
+
+## Setup
+
+```bash
+obto-bridge init
+```
+
+Walks you through a few questions: your account ID, API token, an agent name (to distinguish multiple machines on one account), which coding agent to drive (`claude` or `codex`), the project directory to work in, and whether to relay tool-permission requests via the bridge. (The server URL is a built-in default; advanced / self-hosted users can override it with the `BRIDGE_BASE_URL` env var.)
+
+Config lands at `~/.obto-bridge/config.json` (mode 0600). Safe to commit your account ID; **never commit the `apiToken`**.
+
+### claude vs codex
+
+Both drive real coding work on your machine; they differ in how they report back:
+
+- **claude** — the fuller integration. Posts status updates, questions, and results as it works (via an in-process MCP tool), and supports the human-in-the-loop tool-permission relay.
+- **codex** — runs the task and delivers one final answer per turn. No mid-task updates and no per-tool relay (the Codex SDK exposes neither); it runs unattended inside a sandbox (`workspace-write` by default, override with `BRIDGE_CODEX_SANDBOX`).
+
+One daemon drives one agent. To run both, use two daemons on two accounts.
+
+## Run
+
+```bash
+obto-bridge start
+```
+
+You'll see two log lines and then the daemon waits silently:
+
+```
+{"msg":"starting daemon","data":{"accountId":"acc_...","agentId":"my-mac",...}}
+{"msg":"sse stream connected","data":{"status":200}}
+```
+
+Now open the bridge UI in any browser, log in with the browser credentials from your invite, and either:
+
+- Reply on an existing thread — daemon resumes the session bound to that thread
+- Start a new thread via the **+ New thread** button — daemon spawns a fresh session in your project directory
+
+Within ~5–10 seconds you should see Claude's reply appear back on the thread.
+
+## Other commands
+
+| Command | What it does |
+|---|---|
+| `obto-bridge whoami` | Verify your token works + show your account info |
+| `obto-bridge status` | List active thread→session bindings |
+| `obto-bridge logout` | Wipe `~/.obto-bridge/config.json` |
+
+## How it actually works
+
+```
+Your phone        OBTO server                      Your Mac
+─────────         ───────────                      ────────
+[reply form] ──►  /api/reply ─► Mongo (durable)
+                  └─►  RabbitMQ (publish bridge.<acct>.reply.<thread>)
+                                                ◄── /api/bridge/stream  (SSE, Bearer auth)
+                                                    └─► daemon process
+                                                        └─► Claude Agent SDK
+                                                            └─► session JSONL in
+                                                                ~/.claude/projects/...
+                  /api/message ◄────  bridge_post (in-process MCP tool from daemon)
+[poll: /api/messages] ◄──── (4s loop)
+```
+
+Key bits:
+
+- The daemon **never** holds RabbitMQ credentials; broker access stays server-side. Per-account routing key isolation enforced by `BridgeAuth`.
+- The daemon's spawned Claude session uses an **in-process MCP server** (`mcp__bridge__bridge_post`) — not the platform's hosted MCP, so the daemon's tools don't depend on a long-lived OBTO MCP proxy session.
+- Each bridge **thread** binds to its own agent **session ID** at first message. Subsequent messages on the same thread resume the same session, so the agent keeps full context. Your interactive sessions are unaffected — they live in separate session stores.
+- Per-thread serialization means rapid bursts on the same thread are handled in order, never racing the same session.
+- With **codex**, there is no in-process MCP tool — the Codex SDK can't auto-approve a write tool when run unattended, so the daemon captures Codex's final response and posts it to the thread on the agent's behalf.
+
+## Agent costs
+
+The daemon runs your chosen agent on your machine with **your** credentials — Anthropic for `claude` (whatever Claude Code uses: `ANTHROPIC_API_KEY` or your Claude.ai session), or your OpenAI/ChatGPT account for `codex`. Every bridge-driven turn is a normal API call billed to you. We don't proxy.
+
+## Privacy and what we store
+
+- Every message you and the agent post on a thread is stored in OBTO's Mongo. Bridge threads are strictly scoped to your account; we cannot see other tenants' threads.
+- Your daemon's `apiToken` is stored locally only; on the server we store a SHA-256 hash.
+- Right of erasure: email `support@obto.co` to delete your account and all associated messages.
+
+## License
+
+Apache-2.0. See [LICENSE](./LICENSE).
+
+## Reporting issues
+
+`https://github.com/obto-inc/agent-bridge/issues`
+
+Daemon-side issues: please include the relevant section of daemon stdout (it's structured JSON; redact your `apiToken` if it appears).

package/bin/obto-bridge.js

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+'use strict';
+
+const subcommands = {
+  init:           '../cli/init',
+  start:          '../cli/start',
+  status:         '../cli/status',
+  whoami:         '../cli/whoami',
+  logout:         '../cli/logout',
+  'rotate-token': '../cli/rotate-token',
+};
+
+const usage = () => {
+  console.error('Usage: obto-bridge <command>');
+  console.error('');
+  console.error('Commands:');
+  console.error('  init           One-time setup: paste credentials, choose agent name + project dir.');
+  console.error('  start          Run the daemon (foreground).');
+  console.error('  status         Print active thread/session bindings.');
+  console.error('  whoami         Verify config and show your account info from the server.');
+  console.error('  rotate-token   Rotate your API token; old token is invalidated, config is updated.');
+  console.error('  logout         Wipe local credentials at ~/.obto-bridge/config.json.');
+  console.error('');
+  console.error('Flags:');
+  console.error('  --version, -v  Print the installed package version.');
+  console.error('  --help, -h     Show this help.');
+  console.error('');
+  console.error('Get an invite: support@obto.co');
+};
+
+const cmd = process.argv[2];
+
+if (cmd === '--version' || cmd === '-v') {
+  const pkg = require('../package.json');
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+const target = subcommands[cmd];
+
+if (!target) {
+  if (cmd === '--help' || cmd === '-h' || cmd === undefined) {
+    usage();
+    process.exit(cmd === undefined ? 2 : 0);
+  }
+  console.error('obto-bridge: unknown command: ' + cmd);
+  console.error('');
+  usage();
+  process.exit(2);
+}
+
+require(target);

package/cli/init.js

@@ -0,0 +1,157 @@
+'use strict';
+
+// `obto-bridge init` — interactive setup wizard. Prompts for credentials,
+// writes ~/.obto-bridge/config.json with mode 0600, then validates the token
+// against the server via GET /api/bridge/whoami so the user knows immediately
+// if anything is wrong.
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const readline = require('readline');
+
+const CONFIG_DIR = path.join(os.homedir(), '.obto-bridge');
+const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
+
+const DEFAULTS = {
+  baseUrl: 'https://agent-bridge.obto.co',
+  originHost: 'agent-bridge.obto.co',
+  relayPermissions: true,
+};
+
+const loadExisting = () => {
+  try { return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8')); }
+  catch (_) { return {}; }
+};
+
+const ask = (rl, prompt, def) =>
+  new Promise((resolve) => {
+    const suffix = def
+      ? ' [' + (typeof def === 'string' && def.length > 30 ? def.slice(0, 8) + '…' : def) + ']'
+      : '';
+    rl.question(prompt + suffix + ': ', (answer) => {
+      const v = answer.trim();
+      resolve(v || (def != null ? def : ''));
+    });
+  });
+
+const validateAgainstServer = async (cfg) => {
+  const url = cfg.baseUrl.replace(/\/$/, '') + '/api/bridge/whoami';
+  const res = await fetch(url, {
+    method: 'GET',
+    headers: {
+      Accept: 'application/json',
+      'OBTO-ORIGIN-HOST': cfg.originHost,
+      Authorization: 'Bearer ' + cfg.apiToken,
+    },
+    cache: 'no-store',
+  });
+  const text = await res.text();
+  let parsed;
+  try { parsed = JSON.parse(text); } catch (_) { parsed = { _rawBody: text }; }
+  return { status: res.status, ok: res.ok, parsed };
+};
+
+const main = async () => {
+  console.log('OBTO Agent Bridge — setup');
+  console.log('-------------------------');
+  console.log('Need credentials? Email support@obto.co for an invite.');
+  console.log('Config will be written to: ' + CONFIG_PATH);
+  console.log('');
+
+  const existing = loadExisting();
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+
+  // Server base URL and OBTO-ORIGIN-HOST are constants of the platform, not
+  // per-user config — every daemon talks to the same bridge app. They are no
+  // longer prompted. Advanced / self-hosted users can still override them via
+  // the BRIDGE_BASE_URL / BRIDGE_ORIGIN_HOST env vars or by editing config.json.
+  const baseUrl    = process.env.BRIDGE_BASE_URL    || existing.baseUrl    || DEFAULTS.baseUrl;
+  const originHost = process.env.BRIDGE_ORIGIN_HOST || existing.originHost || DEFAULTS.originHost;
+  const accountId  = await ask(rl, 'Account ID (acc_…)',       existing.accountId  || '');
+  const apiToken   = await ask(rl, 'API token (obto_…)',       existing.apiToken   || '');
+  const agentId    = await ask(rl, 'Agent name (e.g. my-mac)', existing.agentId    || os.hostname().split('.')[0] || 'unnamed-agent');
+  const projectDir = await ask(rl, 'Project working dir',      existing.projectDir || process.cwd());
+  const agentAns   = await ask(rl, 'Coding agent — claude or codex', existing.agent || 'claude');
+  const agent      = String(agentAns).trim().toLowerCase() === 'codex' ? 'codex' : 'claude';
+  const relayAns   = await ask(rl, 'Relay permission requests via bridge? (y/n)', existing.relayPermissions !== false ? 'y' : 'n');
+  const relayPermissions = String(relayAns).toLowerCase().startsWith('y');
+
+  rl.close();
+
+  if (!accountId || !apiToken) {
+    console.error('\nerror: accountId and apiToken are both required.');
+    process.exit(1);
+  }
+  if (!/^acc_[a-z0-9]+$/i.test(accountId)) {
+    console.error('\nerror: accountId should look like "acc_xxxxxxxxxxxx".');
+    process.exit(1);
+  }
+  if (!/^obto_[a-z0-9]+$/i.test(apiToken)) {
+    console.error('\nerror: apiToken should look like "obto_xxxxxxxxxxxx".');
+    process.exit(1);
+  }
+
+  const cfg = {
+    baseUrl,
+    originHost,
+    accountId,
+    apiToken,
+    agentId,
+    agent,
+    projectDir: path.resolve(projectDir),
+    relayPermissions,
+  };
+
+  try {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 0o600 });
+    fs.chmodSync(CONFIG_PATH, 0o600);
+  } catch (err) {
+    console.error('error: failed to write config: ' + (err && err.message ? err.message : err));
+    process.exit(1);
+  }
+
+  console.log('');
+  console.log('✓ Config saved to ' + CONFIG_PATH);
+
+  // Validate against the server. Non-fatal on network failure — user might be
+  // offline. Fatal on 401/403 (wrong creds) so they fix it now.
+  console.log('  Verifying credentials with ' + baseUrl + ' ...');
+  let result;
+  try {
+    result = await validateAgainstServer(cfg);
+  } catch (err) {
+    console.warn('  ⚠ could not reach the server: ' + (err && err.message ? err.message : err));
+    console.warn('    Config is saved; run `obto-bridge whoami` once you have a network.');
+    console.log('');
+    console.log('Next:  obto-bridge start');
+    return;
+  }
+
+  if (result.ok && result.parsed && result.parsed.account) {
+    const a = result.parsed.account;
+    console.log('  ✓ Authenticated as @' + a.basicAuthUser + ' (' + a.accountId + ', status: ' + a.status + ')');
+    console.log('');
+    console.log('Next:  obto-bridge start');
+    return;
+  }
+
+  if (result.status === 401) {
+    console.error('  ✗ Server rejected the API token (HTTP 401). Double-check that you pasted the full token from your invite email.');
+    process.exit(2);
+  }
+  if (result.status === 403) {
+    console.error('  ✗ Account is suspended (HTTP 403). Contact support@obto.co.');
+    process.exit(2);
+  }
+  console.error('  ✗ Validation failed: HTTP ' + result.status);
+  if (result.parsed && result.parsed.error) console.error('    ' + result.parsed.error);
+  console.error('    Config is saved at ' + CONFIG_PATH + '; edit it manually or rerun `obto-bridge init`.');
+  process.exit(2);
+};
+
+main().catch((err) => {
+  console.error('init failed: ' + (err && err.message ? err.message : err));
+  process.exit(1);
+});

package/cli/logout.js

@@ -0,0 +1,23 @@
+'use strict';
+
+// `obto-bridge logout` — wipe ~/.obto-bridge/config.json.
+// Does NOT touch ~/.agent-bridge-daemon/ (your thread→session bindings stay,
+// in case you log back into the same account).
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CONFIG_PATH = path.join(os.homedir(), '.obto-bridge', 'config.json');
+
+try {
+  fs.unlinkSync(CONFIG_PATH);
+  console.log('✓ Removed ' + CONFIG_PATH);
+} catch (err) {
+  if (err && err.code === 'ENOENT') {
+    console.log('No config to remove (' + CONFIG_PATH + ' did not exist).');
+  } else {
+    console.error('logout failed: ' + (err && err.message ? err.message : err));
+    process.exit(1);
+  }
+}

package/cli/rotate-token.js

@@ -0,0 +1,88 @@
+'use strict';
+
+// `obto-bridge rotate-token` — call POST /api/bridge/rotate-token with the
+// current bearer token, update ~/.obto-bridge/config.json with the new one,
+// keep a backup of the previous config at config.json.bak.<unix-ts>.
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CONFIG_PATH = path.join(os.homedir(), '.obto-bridge', 'config.json');
+
+const main = async () => {
+  let raw, cfg;
+  try {
+    raw = fs.readFileSync(CONFIG_PATH, 'utf8');
+    cfg = JSON.parse(raw);
+  } catch (err) {
+    console.error('error: no config at ' + CONFIG_PATH);
+    console.error('Run `obto-bridge init` first.');
+    process.exit(1);
+  }
+  if (!cfg.apiToken || !cfg.baseUrl) {
+    console.error('error: config is missing apiToken or baseUrl. Re-run `obto-bridge init`.');
+    process.exit(1);
+  }
+
+  const url = cfg.baseUrl.replace(/\/$/, '') + '/api/bridge/rotate-token';
+  console.log('Rotating token at ' + url + ' ...');
+
+  let res;
+  try {
+    res = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+        'OBTO-ORIGIN-HOST': cfg.originHost || 'ob-agent-bridge.obto.co',
+        Authorization: 'Bearer ' + cfg.apiToken,
+      },
+      body: '{}',
+      cache: 'no-store',
+    });
+  } catch (err) {
+    console.error('error: cannot reach the server: ' + (err && err.message ? err.message : err));
+    process.exit(2);
+  }
+
+  const text = await res.text();
+  let parsed;
+  try { parsed = JSON.parse(text); } catch (_) { parsed = { _rawBody: text }; }
+
+  if (!res.ok || !parsed || !parsed.ok || !parsed.apiToken) {
+    console.error('HTTP ' + res.status + ' — rotation failed');
+    if (parsed && parsed.error) console.error('  ' + parsed.error);
+    if (res.status === 401) {
+      console.error('Your current API token is invalid. Email support@obto.co.');
+    }
+    process.exit(3);
+  }
+
+  // Backup, then atomic-rewrite the config with the new token.
+  const newCfg = Object.assign({}, cfg, { apiToken: parsed.apiToken });
+  const backup = CONFIG_PATH + '.bak.' + Math.floor(Date.now() / 1000);
+  try {
+    fs.writeFileSync(backup, raw, { mode: 0o600 });
+    const tmp = CONFIG_PATH + '.tmp';
+    fs.writeFileSync(tmp, JSON.stringify(newCfg, null, 2), { mode: 0o600 });
+    fs.chmodSync(tmp, 0o600);
+    fs.renameSync(tmp, CONFIG_PATH);
+  } catch (err) {
+    console.error('error: rotated successfully on the server but local config update failed:');
+    console.error('  ' + (err && err.message ? err.message : err));
+    console.error('  Save this new token manually before exiting:');
+    console.error('  ' + parsed.apiToken);
+    process.exit(4);
+  }
+
+  console.log('✓ Token rotated. Previous config backed up to:');
+  console.log('  ' + backup);
+  console.log('');
+  console.log('If the daemon is running, restart it to pick up the new token.');
+};
+
+main().catch((err) => {
+  console.error('rotate-token failed: ' + (err && err.message ? err.message : err));
+  process.exit(1);
+});

package/cli/start.js

@@ -0,0 +1,4 @@
+'use strict';
+
+// `obto-bridge start` — just loads the daemon. daemon.js runs on import.
+require('../src/daemon');