@obtoai/agent-bridge 0.1.0-beta.2 → 0.1.0-beta.21

package/README.md

@@ -1,20 +1,28 @@
 # @obtoai/agent-bridge
 
-A local daemon that lets a coding agent — [Claude Code](https://claude.ai/code) or [OpenAI Codex](https://developers.openai.com/codex) — running on your machine be driven from the [OBTO Agent Bridge](https://obto.co) web UI, even when you're away from the keyboard.
+A local daemon that lets coding agents — [Claude Code](https://claude.ai/code), [OpenAI Codex](https://developers.openai.com/codex), or [opencode](https://opencode.ai) — running on your machine be driven from the [OBTO Agent Bridge](https://obto.co) web UI, even when you're away from the keyboard.
 
-You post a message on a thread from your phone or laptop. The daemon (running on your machine, no port forwarding required) receives it over a long-lived HTTPS stream, spawns or resumes an agent session in your project directory, and the response posts back to the bridge thread within seconds.
+You post a message on a thread from your phone or laptop. The daemon (running on your machine, no port forwarding required) receives it over a long-lived HTTPS stream, spawns or resumes a session for the agent that thread is bound to, and the response posts back to the bridge thread within seconds.
+
+**Three commands, you're driving Claude/Codex/opencode on your phone:**
+
+```bash
+npm install -g @obtoai/agent-bridge
+obto-bridge init     # creates a free account inline — no card, no invite
+obto-bridge start    # daemon connects, you're live
+```
 
 ## Status
 
-**Closed beta.** Need an invite? Email **support@obto.co** with your name and a short note about what you'd use it for. We'll provision an account and mail you credentials.
+**Public beta.** Self-serve, no card. `obto-bridge init` creates a free account inline — no waiting on an invite, no support email loop. A Pro tier with longer Hindsight memory retention is coming; until then everyone gets the same daemon features on the free tier.
 
 ## What you'll need
 
 - macOS, Linux, or Windows, **Node.js 18.17+**
-- One coding agent installed, with your own auth:
-  - **Claude** — Claude Code / the Claude Agent SDK, billed to your Anthropic account; or
-  - **Codex** — the `codex` CLI (`npm i -g @openai/codex`), signed in to your OpenAI/ChatGPT account
-- An invite from `support@obto.co` (gives you an `accountId`, browser username/password, and an API token)
+- At least one coding agent installed on the machine (the daemon drives whichever ones it finds, with your own auth):
+  - **Claude** — Claude Code / the Claude Agent SDK, billed to your Anthropic account.
+  - **Codex** — the `codex` CLI (`npm i -g @openai/codex`), signed in to your OpenAI/ChatGPT account.
+  - **opencode** — `npm i -g opencode-ai` (the `opencode` CLI; the daemon bundles the `@opencode-ai/sdk`). Auth is your own provider key (Anthropic by default; override with env vars below).
 
 ## Install
 
@@ -34,18 +42,31 @@ npx @obtoai/agent-bridge <command>
 obto-bridge init
 ```
 
-Walks you through a few questions: your account ID, API token, an agent name (to distinguish multiple machines on one account), which coding agent to drive (`claude` or `codex`), the project directory to work in, and whether to relay tool-permission requests via the bridge. (The server URL is a built-in default; advanced / self-hosted users can override it with the `BRIDGE_BASE_URL` env var.)
+`init` asks for one thing — your email. Username is derived from the email's local part (`divyansh.verma@gmail.com` → `divyansh-verma`); password is auto-generated as a strong 12-char string and **shown once** in stdout for you to save. It then creates the account inline via `POST /api/bridge/register`, saves the returned API token to `~/.obto-bridge/config.json` (mode 0600), and asks for an agent name (so multiple machines on the same account don't collide), the project directory the daemon should work in, a *fallback* agent (`claude` / `codex` / `opencode` — used only for legacy events without an explicit agent), and whether to relay tool-permission requests via the bridge. Sign in at `https://agent-bridge.obto.co/api/view` as `@username` with the generated password to start a thread.
+
+Overrides:
 
-Config lands at `~/.obto-bridge/config.json` (mode 0600). Safe to commit your account ID; **never commit the `apiToken`**.
+- `obto-bridge init --username <name>` — pick your own username instead of the derived one.
+- `obto-bridge init --password <pwd>` — set your own password instead of auto-generating.
+- `obto-bridge init --token obto_xxxxxxxx --account acc_xxxxxxxx` — skip registration entirely (paste-in for existing users or scripted/headless setups).
 
-### claude vs codex
+The API token is shown to you exactly once at registration time. **Save it.** If you lose it, rotate it from your account settings — it is not stored in readable form server-side. Safe to commit your `accountId`; **never commit the `apiToken`**. (Server URL is a built-in default; advanced / self-hosted users can override with the `BRIDGE_BASE_URL` env var.)
 
-Both drive real coding work on your machine; they differ in how they report back:
+### Agents (claude / codex / opencode)
 
-- **claude** — the fuller integration. Posts status updates, questions, and results as it works (via an in-process MCP tool), and supports the human-in-the-loop tool-permission relay.
-- **codex** — runs the task and delivers one final answer per turn. No mid-task updates and no per-tool relay (the Codex SDK exposes neither); it runs unattended inside a sandbox (`workspace-write` by default, override with `BRIDGE_CODEX_SANDBOX`).
+v1.1 makes the daemon **agent-agnostic per event**: at startup it detects which of `claude`, `codex`, and `opencode` are installed on the machine, advertises that to the bridge, and routes each incoming reply to the right driver based on what the thread is bound to in the UI. You can switch a thread's agent live from the thread header; each engine keeps its own session for that thread, so flipping claude→codex→claude resumes each side's context.
 
-One daemon drives one agent. To run both, use two daemons on two accounts.
+How the three differ in how they report back:
+
+- **claude** — the fullest integration. Posts status updates, mid-task questions, and final results as it works (via an in-process MCP tool), and supports the human-in-the-loop tool-permission relay.
+- **codex** — runs the turn and delivers one final answer per turn. No mid-task updates and no per-tool relay (the Codex SDK exposes neither). Runs unattended inside a sandbox (`workspace-write` by default, override with `BRIDGE_CODEX_SANDBOX`).
+- **opencode** — same capture-model shape as codex: one final answer per turn, no mid-task chatter. Defaults to provider `anthropic` and model `claude-sonnet-4-5`; override with `BRIDGE_OPENCODE_PROVIDER` and `BRIDGE_OPENCODE_MODEL`.
+
+Picking a model is done in the bridge UI's **+ New thread** dialog and the thread-header switcher — not in the daemon config.
+
+### Multi-daemon (running across more than one machine)
+
+You can run the same account's daemon on more than one machine (e.g. a Mac and a Windows box). Each daemon advertises its `agentId` (machine name) + capabilities on connect; threads are atomically **first-touch claimed** by whichever daemon gets the event first, and every other daemon skips the event cleanly. No duplicate replies, no special configuration — just install + start the daemon on each machine.
 
 ## Run
 
@@ -56,14 +77,16 @@ obto-bridge start
 You'll see two log lines and then the daemon waits silently:
 
 ```
-{"msg":"starting daemon","data":{"accountId":"acc_...","agentId":"my-mac",...}}
+{"msg":"starting daemon","data":{"accountId":"acc_...","agentId":"my-mac","capabilities":["claude","codex"],...}}
 {"msg":"sse stream connected","data":{"status":200}}
 ```
 
+`capabilities` is the list of agents this daemon will accept — the bridge UI offers exactly the union across your connected machines.
+
 Now open the bridge UI in any browser, log in with the browser credentials from your invite, and either:
 
-- Reply on an existing thread — daemon resumes the session bound to that thread
-- Start a new thread via the **+ New thread** button — daemon spawns a fresh session in your project directory
+- Reply on an existing thread — daemon resumes the session bound to that thread (and to whichever agent the thread currently uses).
+- Start a new thread via the **+ New thread** button — pick Claude, Codex, or Opencode; the daemon spawns a fresh session in your project directory.
 
 Within ~5–10 seconds you should see the agent's reply appear back on the thread.
 
@@ -72,40 +95,41 @@ Within ~5–10 seconds you should see the agent's reply appear back on the threa
 | Command | What it does |
 |---|---|
 | `obto-bridge whoami` | Verify your token works + show your account info |
-| `obto-bridge status` | List active thread→session bindings |
+| `obto-bridge status` | List bindings per (thread, agent) — one row per engine that's ever driven a thread |
 | `obto-bridge logout` | Wipe `~/.obto-bridge/config.json` |
 
 ## How it actually works
 
 ```
-Your phone        OBTO server                      Your machine
-─────────         ───────────                      ────────────
+Your phone        OBTO server                      Your machine(s)
+─────────         ───────────                      ───────────────
 [reply form] ──►  /api/reply ─► Mongo (durable)
-                  └─►  RabbitMQ (publish bridge.<acct>.reply.<thread>)
+                  └─►  RabbitMQ (publish bridge.<acct>.reply.<thread>,
+                                 payload carries agent + agentId)
                                                 ◄── /api/bridge/stream  (SSE, Bearer auth)
-                                                    └─► daemon process
-                                                        └─► Claude Agent SDK
-                                                            └─► session JSONL in
-                                                                ~/.claude/projects/...
-                  /api/message ◄────  bridge_post (in-process MCP tool from daemon)
+                                                    └─► daemon (dispatches per payload.agent)
+                                                        ├─► Claude Agent SDK   → ~/.claude/projects/...
+                                                        ├─► @openai/codex-sdk  → ~/.codex/sessions/...
+                                                        └─► @opencode-ai/sdk   → opencode server
+                  /api/message ◄────  bridge_post (in-process MCP tool, Claude only)
 [poll: /api/messages] ◄──── (4s loop)
 ```
 
 Key bits:
 
 - The daemon **never** holds RabbitMQ credentials; broker access stays server-side. Per-account routing key isolation enforced by `BridgeAuth`.
-- The daemon's spawned Claude session uses an **in-process MCP server** (`mcp__bridge__bridge_post`) — not the platform's hosted MCP, so the daemon's tools don't depend on a long-lived OBTO MCP proxy session.
-- Each bridge **thread** binds to its own agent **session ID** at first message. Subsequent messages on the same thread resume the same session, so the agent keeps full context. Your interactive sessions are unaffected — they live in separate session stores.
+- For the **claude** driver, the spawned Claude session uses an **in-process MCP server** (`mcp__bridge__bridge_post`) — not the platform's hosted MCP, so the daemon's tools don't depend on a long-lived OBTO MCP proxy session. For **codex** and **opencode**, the SDKs can't auto-approve a write tool when run unattended, so the daemon captures the final response and posts it to the thread on the agent's behalf.
+- Each bridge **thread** binds to its own session ID **per agent**. Subsequent messages on the same thread + same agent resume the same engine-specific session, so the agent keeps full context. Switching the thread's agent in the UI starts (or resumes) the other engine's session — each side's state stays intact. Your interactive sessions are unaffected — they live in separate session stores.
 - Per-thread serialization means rapid bursts on the same thread are handled in order, never racing the same session.
-- With **codex**, there is no in-process MCP tool — the Codex SDK can't auto-approve a write tool when run unattended, so the daemon captures Codex's final response and posts it to the thread on the agent's behalf.
+- Multi-daemon races are killed by atomic first-touch claim against the thread record on the bridge.
 
 ## Agent costs
 
-The daemon runs your chosen agent on your machine with **your** credentials — Anthropic for `claude` (whatever Claude Code uses: `ANTHROPIC_API_KEY` or your Claude.ai session), or your OpenAI/ChatGPT account for `codex`. Every bridge-driven turn is a normal API call billed to you. We don't proxy.
+The daemon runs your chosen agent on your machine with **your** credentials — Anthropic for `claude` (whatever Claude Code uses: `ANTHROPIC_API_KEY` or your Claude.ai session); your OpenAI/ChatGPT account for `codex`; whichever provider you've configured `opencode` to call (Anthropic by default for this daemon). Every bridge-driven turn is a normal API call billed to you. We don't proxy.
 
 ## Data handling
 
-**Your model traffic never touches us.** The daemon runs on your machine and calls Anthropic or OpenAI with *your own* credentials. Your prompts, your code, and the model's responses pass directly between your machine and the model provider, under your own API account and its terms. OBTO does not proxy, route, or see that traffic.
+**Your model traffic never touches us.** The daemon runs on your machine and calls Anthropic, OpenAI, or whichever provider opencode is configured for, with *your own* credentials. Your prompts, your code, and the model's responses pass directly between your machine and the model provider, under your own API account and its terms. OBTO does not proxy, route, or see that traffic.
 
 **What the bridge stores.** For threads to work, the messages you and the agent post are saved in OBTO's database — that's what makes a thread durable and readable from your phone. Threads are strictly scoped to your account; one tenant can never see another's. Your daemon's API token is stored server-side only as a SHA-256 hash; the plaintext token never leaves your local config file.
 

package/bin/obto-bridge.js

@@ -14,7 +14,8 @@ const usage = () => {
   console.error('Usage: obto-bridge <command>');
   console.error('');
   console.error('Commands:');
-  console.error('  init           One-time setup: paste credentials, choose agent name + project dir.');
+  console.error('  init           Create a free account (or paste an existing token via --token/--account)');
+  console.error('                 and write ~/.obto-bridge/config.json.');
   console.error('  start          Run the daemon (foreground).');
   console.error('  status         Print active thread/session bindings.');
   console.error('  whoami         Verify config and show your account info from the server.');
@@ -22,10 +23,12 @@ const usage = () => {
   console.error('  logout         Wipe local credentials at ~/.obto-bridge/config.json.');
   console.error('');
   console.error('Flags:');
-  console.error('  --version, -v  Print the installed package version.');
-  console.error('  --help, -h     Show this help.');
-  console.error('');
-  console.error('Get an invite: support@obto.co');
+  console.error('  --version, -v          Print the installed package version.');
+  console.error('  --help, -h             Show this help.');
+  console.error('  --username <name>      (init only) Override the username derived from email.');
+  console.error('  --password <pwd>       (init only) Set your password instead of auto-generating one.');
+  console.error('  --token <obto_…>       (init only) Skip self-serve register, use this token.');
+  console.error('  --account <acc_…>      (init only) Pair with --token for paste-in mode.');
 };
 
 const cmd = process.argv[2];

package/cli/init.js

@@ -1,13 +1,23 @@
 'use strict';
 
-// `obto-bridge init` — interactive setup wizard. Prompts for credentials,
-// writes ~/.obto-bridge/config.json with mode 0600, then validates the token
-// against the server via GET /api/bridge/whoami so the user knows immediately
-// if anything is wrong.
+// `obto-bridge init` — interactive setup wizard.
+//
+// Default (>=0.1.0-beta.7): self-serve registration. Email is the only
+// required input; username is derived from the email's local part, and a
+// strong password is auto-generated and shown once. Posts to
+// /api/bridge/register, saves the returned API token to
+// ~/.obto-bridge/config.json (mode 0600).
+//
+// Overrides:
+//   --username <name>    Use this instead of the derived username.
+//   --password <pwd>     Use this instead of an auto-generated password.
+//   --token <obto_…>     Skip registration entirely; paste an existing token.
+//   --account <acc_…>    Pair with --token for paste-in mode.
 
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
 const readline = require('readline');
 
 const CONFIG_DIR = path.join(os.homedir(), '.obto-bridge');
@@ -19,6 +29,17 @@ const DEFAULTS = {
   relayPermissions: true,
 };
 
+// argv after `obto-bridge init`.
+const argv = process.argv.slice(3);
+const flagValue = (name) => {
+  const i = argv.indexOf(name);
+  return i !== -1 && argv[i + 1] && !argv[i + 1].startsWith('--') ? argv[i + 1] : null;
+};
+const cliToken = flagValue('--token');
+const cliAccount = flagValue('--account');
+const cliUsername = flagValue('--username');
+const cliPassword = flagValue('--password');
+
 const loadExisting = () => {
   try { return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8')); }
   catch (_) { return {}; }
@@ -35,6 +56,45 @@ const ask = (rl, prompt, def) =>
     });
   });
 
+// Derive a basicAuthUser-shaped username from email's local part. Mirrors
+// the server-side derivation in registerSubmit so the username we sign in
+// with matches what we display to the user inline.
+const deriveUsername = (email) => {
+  const local = String(email || '').split('@')[0].toLowerCase();
+  let u = local.replace(/[^a-z0-9_-]+/g, '-').replace(/-+/g, '-').replace(/^-+|-+$/g, '').slice(0, 40);
+  if (u.length < 3) u = 'user-' + crypto.randomBytes(3).toString('hex');
+  return u;
+};
+
+// 12-char password, no ambiguous chars (0/O, 1/l/I), grouped as 4-4-4
+// for readability and easy copy-paste. Backed by crypto.randomBytes.
+const generatePassword = () => {
+  const chars = 'abcdefghjkmnpqrstuvwxyz23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
+  const bytes = crypto.randomBytes(12);
+  let out = '';
+  for (let i = 0; i < 12; i++) out += chars[bytes[i] % chars.length];
+  return out.slice(0, 4) + '-' + out.slice(4, 8) + '-' + out.slice(8, 12);
+};
+
+const registerSelfServe = async ({ baseUrl, originHost, email, username, password }) => {
+  const url = baseUrl.replace(/\/$/, '') + '/api/bridge/register';
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/x-www-form-urlencoded',
+      'OBTO-ORIGIN-HOST': originHost,
+    },
+    body: new URLSearchParams({ email, username, password }).toString(),
+    cache: 'no-store',
+    redirect: 'manual',
+  });
+  const text = await res.text();
+  let data;
+  try { data = JSON.parse(text); } catch (_) { data = { _rawBody: text }; }
+  return { status: res.status, ok: res.ok, data };
+};
+
 const validateAgainstServer = async (cfg) => {
   const url = cfg.baseUrl.replace(/\/$/, '') + '/api/bridge/whoami';
   const res = await fetch(url, {
@@ -55,25 +115,92 @@ const validateAgainstServer = async (cfg) => {
 const main = async () => {
   console.log('OBTO Agent Bridge — setup');
   console.log('-------------------------');
-  console.log('Need credentials? Email support@obto.co for an invite.');
   console.log('Config will be written to: ' + CONFIG_PATH);
   console.log('');
 
   const existing = loadExisting();
   const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
 
-  // Server base URL and OBTO-ORIGIN-HOST are constants of the platform, not
-  // per-user config — every daemon talks to the same bridge app. They are no
-  // longer prompted. Advanced / self-hosted users can still override them via
-  // the BRIDGE_BASE_URL / BRIDGE_ORIGIN_HOST env vars or by editing config.json.
   const baseUrl    = process.env.BRIDGE_BASE_URL    || existing.baseUrl    || DEFAULTS.baseUrl;
   const originHost = process.env.BRIDGE_ORIGIN_HOST || existing.originHost || DEFAULTS.originHost;
-  const accountId  = await ask(rl, 'Account ID (acc_…)',       existing.accountId  || '');
-  const apiToken   = await ask(rl, 'API token (obto_…)',       existing.apiToken   || '');
-  const agentId    = await ask(rl, 'Agent name (e.g. my-mac)', existing.agentId    || os.hostname().split('.')[0] || 'unnamed-agent');
+
+  let accountId = existing.accountId || '';
+  let apiToken = existing.apiToken || '';
+
+  // Pick the credential path. Precedence:
+  //   1. --token + --account flags (machine paste-in, scripted).
+  //   2. Existing config from a prior init.
+  //   3. Self-serve registration via /api/bridge/register (default).
+  const haveCliPaste = !!(cliToken && cliAccount);
+  const haveExisting = !!(existing.accountId && existing.apiToken);
+
+  let registeredUser = '';
+  let registeredPassword = '';
+
+  if (haveCliPaste) {
+    apiToken = cliToken;
+    accountId = cliAccount;
+    console.log('Using credentials from --token / --account flags.');
+    console.log('');
+  } else if (haveExisting) {
+    console.log('Existing config found:');
+    console.log('  Account: ' + existing.accountId);
+    console.log('  Token:   ' + (existing.apiToken || '').slice(0, 10) + '…');
+    console.log('Reusing those credentials. To re-register from scratch, remove ' + CONFIG_PATH + ' first.');
+    console.log('');
+  } else {
+    console.log('Create a free account (no card needed):');
+    const email = await ask(rl, '  Email', '');
+    if (!email || email.indexOf('@') === -1) {
+      console.error('error: a valid email is required.');
+      rl.close();
+      process.exit(1);
+    }
+    const username = cliUsername || deriveUsername(email);
+    const password = cliPassword || generatePassword();
+    console.log('');
+    console.log('  Username: ' + username + (cliUsername ? '' : '   (derived from email)'));
+    if (!cliPassword) {
+      console.log('  Password: ' + password + '   (auto-generated)');
+      console.log('');
+      console.log('  ⚠ SAVE THIS PASSWORD — you will need it to sign in to the web UI.');
+      console.log('    It is shown once here and never again. Reset later from your account page.');
+    }
+    console.log('');
+    console.log('Creating account at ' + baseUrl + ' ...');
+    let r;
+    try {
+      r = await registerSelfServe({ baseUrl, originHost, email, username, password });
+    } catch (e) {
+      console.error('error: registration request failed: ' + (e && e.message ? e.message : e));
+      console.error('       (network problem? you can also paste an existing token via:');
+      console.error('        `obto-bridge init --token <obto_…> --account <acc_…>`)');
+      rl.close();
+      process.exit(1);
+    }
+    if (!r.ok || !r.data || !r.data.ok) {
+      const msg = (r.data && (r.data.error || r.data._rawBody)) || ('HTTP ' + r.status);
+      console.error('error: registration rejected: ' + msg);
+      console.error('       (username taken? rerun with `obto-bridge init --username <different>`)');
+      rl.close();
+      process.exit(1);
+    }
+    accountId = r.data.accountId;
+    apiToken = r.data.apiToken;
+    registeredUser = r.data.basicAuthUser || username;
+    registeredPassword = password;
+    console.log('  ✓ Free account created.');
+    console.log('    Account: ' + accountId);
+    console.log('    Username: ' + registeredUser + '   (sign in with this exact string — no @)');
+    console.log('    Plan:    ' + (r.data.plan || 'free'));
+    console.log('');
+  }
+
+  const agentId    = await ask(rl, 'Agent name (e.g. my-mac)', existing.agentId || os.hostname().split('.')[0] || 'unnamed-agent');
   const projectDir = await ask(rl, 'Project working dir',      existing.projectDir || process.cwd());
-  const agentAns   = await ask(rl, 'Coding agent — claude or codex', existing.agent || 'claude');
-  const agent      = String(agentAns).trim().toLowerCase() === 'codex' ? 'codex' : 'claude';
+  const agentAns   = await ask(rl, 'Coding agent fallback — claude / codex / opencode', existing.agent || 'claude');
+  const agentLow   = String(agentAns).trim().toLowerCase();
+  const agent      = ['claude', 'codex', 'opencode'].indexOf(agentLow) !== -1 ? agentLow : 'claude';
   const relayAns   = await ask(rl, 'Relay permission requests via bridge? (y/n)', existing.relayPermissions !== false ? 'y' : 'n');
   const relayPermissions = String(relayAns).toLowerCase().startsWith('y');
 
@@ -131,14 +258,19 @@ const main = async () => {
 
   if (result.ok && result.parsed && result.parsed.account) {
     const a = result.parsed.account;
-    console.log('  ✓ Authenticated as @' + a.basicAuthUser + ' (' + a.accountId + ', status: ' + a.status + ')');
+    console.log('  ✓ Authenticated as ' + a.basicAuthUser + ' (' + a.accountId + ', status: ' + a.status + ')');
     console.log('');
-    console.log('Next:  obto-bridge start');
+    // The OBTO platform's root URL bounces unauthenticated users to /login.bto;
+    // /api/view is the canonical bridge entry point that serves either the
+    // sign-in form (unauthenticated) or the threads UI (authenticated).
+    const signInUrl = baseUrl.replace(/\/$/, '') + '/api/view';
+    console.log('Sign in at ' + signInUrl + ' as ' + a.basicAuthUser + (registeredPassword ? ' (password above)' : '') + '.');
+    console.log('Run:    obto-bridge start');
     return;
   }
 
   if (result.status === 401) {
-    console.error('  ✗ Server rejected the API token (HTTP 401). Double-check that you pasted the full token from your invite email.');
+    console.error('  ✗ Server rejected the API token (HTTP 401). Re-run `obto-bridge init` to reset.');
     process.exit(2);
   }
   if (result.status === 403) {

package/cli/status.js

@@ -1,7 +1,7 @@
 'use strict';
 
-// `obto-bridge status` — read local state.json and print thread→session bindings.
-// Read-only; useful for "did the daemon ever drive this thread?"
+// `obto-bridge status` — read local state.json and print thread→session
+// bindings. Read-only. v1.1: a thread keeps one session per agent.
 
 const fs = require('fs');
 const path = require('path');
@@ -29,20 +29,33 @@ if (threads.length === 0) {
 const fmtAge = (iso) => {
   if (!iso) return '?';
   const ms = Date.now() - new Date(iso).getTime();
-  if (ms < 60_000) return Math.floor(ms / 1000) + 's ago';
-  if (ms < 3_600_000) return Math.floor(ms / 60_000) + 'm ago';
-  if (ms < 86_400_000) return Math.floor(ms / 3_600_000) + 'h ago';
-  return Math.floor(ms / 86_400_000) + 'd ago';
+  if (ms < 60000) return Math.floor(ms / 1000) + 's ago';
+  if (ms < 3600000) return Math.floor(ms / 60000) + 'm ago';
+  if (ms < 86400000) return Math.floor(ms / 3600000) + 'h ago';
+  return Math.floor(ms / 86400000) + 'd ago';
 };
 
-console.log('Thread                               Session ID                            Last drive');
-console.log('-'.repeat(95));
+console.log('Thread                               Agent   Session ID                            Last drive');
+console.log('-'.repeat(100));
 threads.forEach((t) => {
-  const b = bindings[t];
-  const sid = (b.sessionId || '').slice(0, 36);
-  console.log(t.padEnd(36) + ' ' + sid.padEnd(38) + ' ' + fmtAge(b.lastDriveAt));
+  const b = bindings[t] || {};
+  // v1.1 per-agent sessions; tolerate a stray un-migrated v1 flat binding.
+  const sessions = b.sessions && typeof b.sessions === 'object'
+    ? b.sessions
+    : (b.sessionId ? { claude: b } : {});
+  const agents = Object.keys(sessions);
+  if (agents.length === 0) {
+    console.log(t.padEnd(36) + ' (no session yet)');
+    return;
+  }
+  agents.forEach((agent, i) => {
+    const s = sessions[agent] || {};
+    const sid = String(s.sessionId || '').slice(0, 36);
+    console.log(
+      (i === 0 ? t : '').padEnd(36) + ' ' +
+      agent.padEnd(7) + ' ' +
+      sid.padEnd(38) + ' ' +
+      fmtAge(s.lastDriveAt),
+    );
+  });
 });
-console.log('');
-console.log('JSONLs at: ' + (bindings[threads[0]] && bindings[threads[0]].projectDir
-  ? '~/.claude/projects/' + bindings[threads[0]].projectDir.replace(/\//g, '-') + '/'
-  : 'unknown'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@obtoai/agent-bridge",
-  "version": "0.1.0-beta.2",
+  "version": "0.1.0-beta.21",
   "description": "Local consumer for the OBTO Agent Bridge. Receives bridge events over SSE and drives a coding agent (Claude Code or OpenAI Codex) on your machine.",
   "license": "Apache-2.0",
   "author": "OBTO Inc.",
@@ -32,6 +32,7 @@
   },
   "dependencies": {
     "@anthropic-ai/claude-agent-sdk": "^0.2.126",
-    "@openai/codex-sdk": "^0.130.0"
+    "@openai/codex-sdk": "^0.130.0",
+    "@opencode-ai/sdk": "^1.16.1"
   }
 }

package/src/bridge-http.js

@@ -78,10 +78,26 @@ const getMessages = (threadId, sinceCursor) => {
 const postAgentActivity = (threadId, state) =>
   postJson('/api/bridge/agent-activity', { threadId, state });
 
+// Phase 2b — atomic first-touch claim. Called by the daemon when it sees a
+// reply event for a thread whose `agentId` is null (unrouted). The bridge's
+// claimThread does a conditional Mongo update — only one daemon wins.
+// Returns { ok, won, winner }: `won` is the only thing the caller acts on.
+const claimThread = (threadId, agentId) =>
+  postJson('/api/bridge/thread/claim', { threadId, agentId });
+
+// Phase 6.1 — push external (non-bridge) sessions discovered by the local
+// filesystem scanner so the bridge UI can render them alongside bridge-owned
+// threads. Fire-and-forget; the bridge tolerates partial payloads and
+// re-observes on the next 30s tick.
+const postExternalSync = (agentId, sessions) =>
+  postJson('/api/bridge/external/sync', { agentId, sessions });
+
 module.exports = {
   getCfg,
   buildHeaders,
   postMessage,
   getMessages,
   postAgentActivity,
+  claimThread,
+  postExternalSync,
 };

package/src/capabilities.js

@@ -0,0 +1,31 @@
+'use strict';
+
+// Phase 2b — what this machine can drive. The Claude Agent SDK is a hard
+// dependency of the daemon (declared in package.json), so `claude` is always
+// available. `codex` and `opencode` need their respective CLIs on PATH —
+// we probe with `which` (POSIX) or `where` (Windows).
+//
+// Sent to the bridge as `?capabilities=claude,codex,...` on SSE connect; the
+// bridge records them in `agent_bridge_daemons` so the UI picker can offer
+// only what's actually installable across the account's machines.
+
+const { spawnSync } = require('child_process');
+
+const onPath = (cmd) => {
+  try {
+    const tool = process.platform === 'win32' ? 'where' : 'which';
+    const r = spawnSync(tool, [cmd], { stdio: 'ignore' });
+    return r.status === 0;
+  } catch (_) {
+    return false;
+  }
+};
+
+const detect = () => {
+  const out = ['claude']; // bundled SDK; always advertised
+  if (onPath('codex')) out.push('codex');
+  if (onPath('opencode')) out.push('opencode');
+  return out;
+};
+
+module.exports = { detect, onPath };