episoda 0.2.17 → 0.2.19

package/dist/daemon/daemon-process.js

@@ -6,9 +6,16 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
@@ -339,6 +346,9 @@ var require_git_executor = __commonJS({
               return await this.executeBranchExists(command, cwd, options);
             case "branch_has_commits":
               return await this.executeBranchHasCommits(command, cwd, options);
+            // EP831: Find branch by prefix pattern
+            case "find_branch_by_prefix":
+              return await this.executeFindBranchByPrefix(command, cwd, options);
             // EP598: Main branch check for production
             case "main_branch_check":
               return await this.executeMainBranchCheck(cwd, options);
@@ -684,6 +694,32 @@ var require_git_executor = __commonJS({
       /**
        * EP598: Execute main branch check - returns current branch, uncommitted files, and unpushed commits
        */
+      /**
+       * EP831: Find branch by prefix pattern
+       * Searches local and remote branches for one matching the prefix
+       */
+      async executeFindBranchByPrefix(command, cwd, options) {
+        try {
+          const { stdout } = await execAsync("git branch -a", { cwd, timeout: options?.timeout || 1e4 });
+          const prefix = command.prefix;
+          const branches = stdout.split("\n").map((line) => line.replace(/^[\s*]*/, "").replace("remotes/origin/", "").trim()).filter((branch) => branch && !branch.includes("->"));
+          const matchingBranch = branches.find((branch) => branch.startsWith(prefix));
+          return {
+            success: true,
+            output: matchingBranch || "",
+            details: {
+              branchName: matchingBranch || void 0,
+              branchExists: !!matchingBranch
+            }
+          };
+        } catch (error) {
+          return {
+            success: false,
+            error: "UNKNOWN_ERROR",
+            output: error.message || "Failed to find branch"
+          };
+        }
+      }
       async executeMainBranchCheck(cwd, options) {
         try {
           let currentBranch = "";
@@ -1489,15 +1525,15 @@ var require_git_executor = __commonJS({
           try {
             const { stdout: gitDir } = await execAsync("git rev-parse --git-dir", { cwd, timeout: 5e3 });
             const gitDirPath = gitDir.trim();
-            const fs8 = await Promise.resolve().then(() => __importStar(require("fs"))).then((m) => m.promises);
+            const fs12 = await Promise.resolve().then(() => __importStar(require("fs"))).then((m) => m.promises);
             const rebaseMergePath = `${gitDirPath}/rebase-merge`;
             const rebaseApplyPath = `${gitDirPath}/rebase-apply`;
             try {
-              await fs8.access(rebaseMergePath);
+              await fs12.access(rebaseMergePath);
               inRebase = true;
             } catch {
               try {
-                await fs8.access(rebaseApplyPath);
+                await fs12.access(rebaseApplyPath);
                 inRebase = true;
               } catch {
                 inRebase = false;
@@ -1675,14 +1711,9 @@ var require_websocket_client = __commonJS({
     var https_1 = __importDefault(require("https"));
     var version_1 = require_version();
     var ipv4Agent = new https_1.default.Agent({ family: 4 });
-    var INITIAL_RECONNECT_DELAY = 1e3;
-    var MAX_RECONNECT_DELAY = 6e4;
-    var IDLE_RECONNECT_DELAY = 6e5;
     var MAX_RETRY_DURATION = 6 * 60 * 60 * 1e3;
     var IDLE_THRESHOLD = 60 * 60 * 1e3;
-    var RAPID_CLOSE_THRESHOLD = 2e3;
-    var RAPID_CLOSE_BACKOFF = 3e4;
-    var CLIENT_HEARTBEAT_INTERVAL = 45e3;
+    var CLIENT_HEARTBEAT_INTERVAL = 2e4;
     var CLIENT_HEARTBEAT_TIMEOUT = 15e3;
     var CONNECTION_TIMEOUT = 15e3;
     var EpisodaClient2 = class {
@@ -1941,17 +1972,18 @@ var require_websocket_client = __commonJS({
         });
       }
       /**
-       * Schedule reconnection with exponential backoff and randomization
+       * Schedule reconnection with simplified retry logic
+       *
+       * EP843: Simplified from complex exponential backoff to fast-fail approach
        *
-       * EP605: Conservative reconnection with multiple safeguards:
-       * - 6-hour maximum retry duration to prevent indefinite retrying
-       * - Activity-based backoff (10 min delay if idle for 1+ hour)
-       * - No reconnection after intentional disconnect
-       * - Randomization to prevent thundering herd
+       * Strategy:
+       * - For graceful shutdown (server restart): Quick retry (500ms, 1s, 2s) up to 3 attempts
+       * - For other disconnects: 1 retry after 1 second, then stop
+       * - Always respect rate limits from server
+       * - Surface errors quickly so user can take action
        *
-       * EP648: Additional protections against reconnection loops:
-       * - Rate limit awareness: respect server's RATE_LIMITED response
-       * - Rapid close detection: if connection closes within 2s, apply longer backoff
+       * This replaces the previous 6-hour retry with exponential backoff,
+       * which masked problems and delayed error visibility.
        */
       scheduleReconnect() {
         if (this.isIntentionalDisconnect) {
@@ -1970,18 +2002,6 @@ var require_websocket_client = __commonJS({
           clearTimeout(this.heartbeatTimeoutTimer);
           this.heartbeatTimeoutTimer = void 0;
         }
-        if (!this.firstDisconnectTime) {
-          this.firstDisconnectTime = Date.now();
-        }
-        const retryDuration = Date.now() - this.firstDisconnectTime;
-        if (retryDuration >= MAX_RETRY_DURATION) {
-          console.error(`[EpisodaClient] Maximum retry duration (6 hours) exceeded, giving up. Please restart the CLI.`);
-          return;
-        }
-        if (this.reconnectAttempts > 0 && this.reconnectAttempts % 10 === 0) {
-          const hoursRemaining = ((MAX_RETRY_DURATION - retryDuration) / (60 * 60 * 1e3)).toFixed(1);
-          console.log(`[EpisodaClient] Still attempting to reconnect (attempt ${this.reconnectAttempts}, ${hoursRemaining}h remaining)...`);
-        }
         if (this.rateLimitBackoffUntil && Date.now() < this.rateLimitBackoffUntil) {
           const waitTime = this.rateLimitBackoffUntil - Date.now();
           console.log(`[EpisodaClient] Rate limited, waiting ${Math.round(waitTime / 1e3)}s before retry`);
@@ -1992,32 +2012,35 @@ var require_websocket_client = __commonJS({
           }, waitTime);
           return;
         }
-        const timeSinceConnect = Date.now() - this.lastConnectAttemptTime;
-        const wasRapidClose = timeSinceConnect < RAPID_CLOSE_THRESHOLD && this.lastConnectAttemptTime > 0;
-        const timeSinceLastCommand = Date.now() - this.lastCommandTime;
-        const isIdle = timeSinceLastCommand >= IDLE_THRESHOLD;
-        let baseDelay;
-        if (this.isGracefulShutdown && this.reconnectAttempts < 3) {
-          baseDelay = 500 * Math.pow(2, this.reconnectAttempts);
-        } else if (wasRapidClose) {
-          baseDelay = Math.max(RAPID_CLOSE_BACKOFF, INITIAL_RECONNECT_DELAY * Math.pow(2, Math.min(this.reconnectAttempts, 6)));
-          console.log(`[EpisodaClient] Rapid close detected (${timeSinceConnect}ms), applying ${baseDelay / 1e3}s backoff`);
-        } else if (isIdle) {
-          baseDelay = IDLE_RECONNECT_DELAY;
+        let delay;
+        let shouldRetry = true;
+        if (this.isGracefulShutdown) {
+          if (this.reconnectAttempts >= 7) {
+            console.error('[EpisodaClient] Server restart reconnection failed after 7 attempts. Run "episoda dev" to reconnect.');
+            shouldRetry = false;
+          } else {
+            delay = Math.min(500 * Math.pow(2, this.reconnectAttempts), 5e3);
+            console.log(`[EpisodaClient] Server restarting, reconnecting in ${delay}ms (attempt ${this.reconnectAttempts + 1}/7)`);
+          }
         } else {
-          const cappedAttempts = Math.min(this.reconnectAttempts, 6);
-          baseDelay = INITIAL_RECONNECT_DELAY * Math.pow(2, cappedAttempts);
+          if (this.reconnectAttempts >= 1) {
+            console.error('[EpisodaClient] Connection lost. Retry failed. Check server status or restart with "episoda dev".');
+            shouldRetry = false;
+          } else {
+            delay = 1e3;
+            console.log("[EpisodaClient] Connection lost, retrying in 1 second...");
+          }
         }
-        const jitter = baseDelay * 0.25 * (Math.random() * 2 - 1);
-        const maxDelay = isIdle ? IDLE_RECONNECT_DELAY : MAX_RECONNECT_DELAY;
-        const delay = Math.min(baseDelay + jitter, maxDelay);
-        this.reconnectAttempts++;
-        const shutdownType = this.isGracefulShutdown ? "graceful" : "ungraceful";
-        const idleStatus = isIdle ? ", idle" : "";
-        const rapidStatus = wasRapidClose ? ", rapid-close" : "";
-        if (this.reconnectAttempts <= 5 || this.reconnectAttempts % 10 === 0) {
-          console.log(`[EpisodaClient] Reconnecting in ${Math.round(delay / 1e3)}s (attempt ${this.reconnectAttempts}, ${shutdownType}${idleStatus}${rapidStatus})`);
+        if (!shouldRetry) {
+          this.emit({
+            type: "disconnected",
+            code: 1006,
+            reason: "Reconnection attempts exhausted",
+            willReconnect: false
+          });
+          return;
         }
+        this.reconnectAttempts++;
         this.reconnectTimeout = setTimeout(() => {
           console.log("[EpisodaClient] Attempting reconnection...");
           this.connect(this.url, this.token, this.machineId, {
@@ -2026,13 +2049,13 @@ var require_websocket_client = __commonJS({
             osArch: this.osArch,
             daemonPid: this.daemonPid
           }).then(() => {
-            console.log("[EpisodaClient] Reconnection successful, resetting retry counter");
+            console.log("[EpisodaClient] Reconnection successful");
             this.reconnectAttempts = 0;
             this.isGracefulShutdown = false;
             this.firstDisconnectTime = void 0;
             this.rateLimitBackoffUntil = void 0;
           }).catch((error) => {
-            console.error("[EpisodaClient] Reconnection failed:", error);
+            console.error("[EpisodaClient] Reconnection failed:", error.message);
           });
         }, delay);
       }
@@ -2113,36 +2136,36 @@ var require_auth = __commonJS({
       };
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.getConfigDir = getConfigDir5;
+    exports2.getConfigDir = getConfigDir6;
     exports2.getConfigPath = getConfigPath;
-    exports2.loadConfig = loadConfig2;
+    exports2.loadConfig = loadConfig3;
     exports2.saveConfig = saveConfig2;
     exports2.validateToken = validateToken;
-    var fs8 = __importStar(require("fs"));
-    var path9 = __importStar(require("path"));
-    var os3 = __importStar(require("os"));
+    var fs12 = __importStar(require("fs"));
+    var path13 = __importStar(require("path"));
+    var os5 = __importStar(require("os"));
     var child_process_1 = require("child_process");
     var DEFAULT_CONFIG_FILE = "config.json";
-    function getConfigDir5() {
-      return process.env.EPISODA_CONFIG_DIR || path9.join(os3.homedir(), ".episoda");
+    function getConfigDir6() {
+      return process.env.EPISODA_CONFIG_DIR || path13.join(os5.homedir(), ".episoda");
     }
     function getConfigPath(configPath) {
       if (configPath) {
         return configPath;
       }
-      return path9.join(getConfigDir5(), DEFAULT_CONFIG_FILE);
+      return path13.join(getConfigDir6(), DEFAULT_CONFIG_FILE);
     }
     function ensureConfigDir(configPath) {
-      const dir = path9.dirname(configPath);
-      const isNew = !fs8.existsSync(dir);
+      const dir = path13.dirname(configPath);
+      const isNew = !fs12.existsSync(dir);
       if (isNew) {
-        fs8.mkdirSync(dir, { recursive: true, mode: 448 });
+        fs12.mkdirSync(dir, { recursive: true, mode: 448 });
       }
       if (process.platform === "darwin") {
-        const nosyncPath = path9.join(dir, ".nosync");
-        if (isNew || !fs8.existsSync(nosyncPath)) {
+        const nosyncPath = path13.join(dir, ".nosync");
+        if (isNew || !fs12.existsSync(nosyncPath)) {
           try {
-            fs8.writeFileSync(nosyncPath, "", { mode: 384 });
+            fs12.writeFileSync(nosyncPath, "", { mode: 384 });
             (0, child_process_1.execSync)(`xattr -w com.apple.fileprovider.ignore 1 "${dir}"`, {
               stdio: "ignore",
               timeout: 5e3
@@ -2152,13 +2175,13 @@ var require_auth = __commonJS({
         }
       }
     }
-    async function loadConfig2(configPath) {
+    async function loadConfig3(configPath) {
       const fullPath = getConfigPath(configPath);
-      if (!fs8.existsSync(fullPath)) {
+      if (!fs12.existsSync(fullPath)) {
         return null;
       }
       try {
-        const content = fs8.readFileSync(fullPath, "utf8");
+        const content = fs12.readFileSync(fullPath, "utf8");
         const config = JSON.parse(content);
         return config;
       } catch (error) {
@@ -2171,7 +2194,7 @@ var require_auth = __commonJS({
       ensureConfigDir(fullPath);
       try {
         const content = JSON.stringify(config, null, 2);
-        fs8.writeFileSync(fullPath, content, { mode: 384 });
+        fs12.writeFileSync(fullPath, content, { mode: 384 });
       } catch (error) {
         throw new Error(`Failed to save config: ${error instanceof Error ? error.message : String(error)}`);
       }
@@ -2275,12 +2298,49 @@ var require_dist = __commonJS({
   }
 });
 
+// src/utils/port-check.ts
+var port_check_exports = {};
+__export(port_check_exports, {
+  getServerPort: () => getServerPort,
+  isPortInUse: () => isPortInUse
+});
+async function isPortInUse(port) {
+  return new Promise((resolve2) => {
+    const server = net2.createServer();
+    server.once("error", (err) => {
+      if (err.code === "EADDRINUSE") {
+        resolve2(true);
+      } else {
+        resolve2(false);
+      }
+    });
+    server.once("listening", () => {
+      server.close();
+      resolve2(false);
+    });
+    server.listen(port);
+  });
+}
+function getServerPort() {
+  if (process.env.PORT) {
+    return parseInt(process.env.PORT, 10);
+  }
+  return 3e3;
+}
+var net2;
+var init_port_check = __esm({
+  "src/utils/port-check.ts"() {
+    "use strict";
+    net2 = __toESM(require("net"));
+  }
+});
+
 // package.json
 var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "episoda",
-      version: "0.2.16",
+      version: "0.2.18",
       description: "CLI tool for Episoda local development workflow orchestration",
       main: "dist/index.js",
       types: "dist/index.d.ts",
@@ -2311,6 +2371,9 @@ var require_package = __commonJS({
         ws: "^8.18.0",
         zod: "^4.0.10"
       },
+      optionalDependencies: {
+        "@anthropic-ai/claude-code": "^1.0.0"
+      },
       devDependencies: {
         "@episoda/core": "*",
         "@types/node": "^20.11.24",
@@ -2648,7 +2711,7 @@ var IPCServer = class {
 };
 
 // src/daemon/daemon-process.ts
-var import_core5 = __toESM(require_dist());
+var import_core7 = __toESM(require_dist());
 
 // src/utils/update-checker.ts
 var import_child_process2 = require("child_process");
@@ -3070,6 +3133,160 @@ async function grepDirectoryRecursive(basePath, currentPath, searchPattern, file
     }
   }
 }
+async function handleFileEdit(command, projectPath) {
+  const { path: filePath, oldString, newString, replaceAll = false } = command;
+  const validPath = validatePath(filePath, projectPath);
+  if (!validPath) {
+    return {
+      success: false,
+      error: "Invalid path: directory traversal not allowed"
+    };
+  }
+  try {
+    if (!fs4.existsSync(validPath)) {
+      return {
+        success: false,
+        error: "File not found"
+      };
+    }
+    const stats = fs4.statSync(validPath);
+    if (stats.isDirectory()) {
+      return {
+        success: false,
+        error: "Path is a directory, not a file"
+      };
+    }
+    const MAX_EDIT_SIZE = 10 * 1024 * 1024;
+    if (stats.size > MAX_EDIT_SIZE) {
+      return {
+        success: false,
+        error: `File too large for edit operation: ${stats.size} bytes exceeds limit of ${MAX_EDIT_SIZE} bytes (10MB). Use write-file for large files.`
+      };
+    }
+    const content = fs4.readFileSync(validPath, "utf8");
+    const occurrences = content.split(oldString).length - 1;
+    if (occurrences === 0) {
+      return {
+        success: false,
+        error: "old_string not found in file. Make sure it matches exactly, including whitespace."
+      };
+    }
+    if (occurrences > 1 && !replaceAll) {
+      return {
+        success: false,
+        error: `old_string found ${occurrences} times. Use replaceAll=true to replace all, or provide more context.`
+      };
+    }
+    const newContent = replaceAll ? content.split(oldString).join(newString) : content.replace(oldString, newString);
+    const replacements = replaceAll ? occurrences : 1;
+    const tempPath = `${validPath}.tmp.${Date.now()}`;
+    fs4.writeFileSync(tempPath, newContent, "utf8");
+    fs4.renameSync(tempPath, validPath);
+    const newSize = Buffer.byteLength(newContent, "utf8");
+    return {
+      success: true,
+      replacements,
+      newSize
+    };
+  } catch (error) {
+    const errMsg = error instanceof Error ? error.message : String(error);
+    const isPermissionError = errMsg.includes("EACCES") || errMsg.includes("permission");
+    return {
+      success: false,
+      error: isPermissionError ? "Permission denied" : "Failed to edit file"
+    };
+  }
+}
+async function handleFileDelete(command, projectPath) {
+  const { path: filePath, recursive = false } = command;
+  const validPath = validatePath(filePath, projectPath);
+  if (!validPath) {
+    return {
+      success: false,
+      error: "Invalid path: directory traversal not allowed"
+    };
+  }
+  const normalizedProjectPath = path5.resolve(projectPath);
+  if (validPath === normalizedProjectPath) {
+    return {
+      success: false,
+      error: "Cannot delete project root directory"
+    };
+  }
+  try {
+    if (!fs4.existsSync(validPath)) {
+      return {
+        success: false,
+        error: "Path not found"
+      };
+    }
+    const stats = fs4.statSync(validPath);
+    const isDirectory = stats.isDirectory();
+    if (isDirectory && !recursive) {
+      return {
+        success: false,
+        error: "Cannot delete directory without recursive=true"
+      };
+    }
+    if (isDirectory) {
+      fs4.rmSync(validPath, { recursive: true, force: true });
+    } else {
+      fs4.unlinkSync(validPath);
+    }
+    return {
+      success: true,
+      deleted: true,
+      pathType: isDirectory ? "directory" : "file"
+    };
+  } catch (error) {
+    const errMsg = error instanceof Error ? error.message : String(error);
+    const isPermissionError = errMsg.includes("EACCES") || errMsg.includes("permission");
+    return {
+      success: false,
+      error: isPermissionError ? "Permission denied" : "Failed to delete"
+    };
+  }
+}
+async function handleFileMkdir(command, projectPath) {
+  const { path: dirPath, mode = "0755" } = command;
+  const validPath = validatePath(dirPath, projectPath);
+  if (!validPath) {
+    return {
+      success: false,
+      error: "Invalid path: directory traversal not allowed"
+    };
+  }
+  try {
+    if (fs4.existsSync(validPath)) {
+      const stats = fs4.statSync(validPath);
+      if (stats.isDirectory()) {
+        return {
+          success: true,
+          created: false
+          // Already exists
+        };
+      } else {
+        return {
+          success: false,
+          error: "Path exists but is a file, not a directory"
+        };
+      }
+    }
+    const modeNum = parseInt(mode, 8);
+    fs4.mkdirSync(validPath, { recursive: true, mode: modeNum });
+    return {
+      success: true,
+      created: true
+    };
+  } catch (error) {
+    const errMsg = error instanceof Error ? error.message : String(error);
+    const isPermissionError = errMsg.includes("EACCES") || errMsg.includes("permission");
+    return {
+      success: false,
+      error: isPermissionError ? "Permission denied" : "Failed to create directory"
+    };
+  }
+}
 
 // src/daemon/handlers/exec-handler.ts
 var import_child_process3 = require("child_process");
@@ -3312,6 +3529,10 @@ async function ensureCloudflared() {
 // src/tunnel/tunnel-manager.ts
 var import_child_process5 = require("child_process");
 var import_events = require("events");
+var fs6 = __toESM(require("fs"));
+var path7 = __toESM(require("path"));
+var os2 = __toESM(require("os"));
+var TUNNEL_PID_DIR = path7.join(os2.homedir(), ".episoda", "tunnels");
 var TUNNEL_URL_REGEX = /https:\/\/[a-z0-9-]+\.trycloudflare\.com/i;
 var DEFAULT_RECONNECT_CONFIG = {
   maxRetries: 5,
@@ -3324,8 +3545,204 @@ var TunnelManager = class extends import_events.EventEmitter {
     super();
     this.tunnelStates = /* @__PURE__ */ new Map();
     this.cloudflaredPath = null;
+    /**
+     * EP877: Mutex locks to prevent concurrent tunnel starts for the same module
+     */
+    this.startLocks = /* @__PURE__ */ new Map();
     this.reconnectConfig = { ...DEFAULT_RECONNECT_CONFIG, ...config };
   }
+  /**
+   * EP877: Ensure PID directory exists
+   * EP904: Added proper error handling and logging
+   */
+  ensurePidDir() {
+    try {
+      if (!fs6.existsSync(TUNNEL_PID_DIR)) {
+        console.log(`[Tunnel] EP904: Creating PID directory: ${TUNNEL_PID_DIR}`);
+        fs6.mkdirSync(TUNNEL_PID_DIR, { recursive: true });
+        console.log(`[Tunnel] EP904: PID directory created successfully`);
+      }
+    } catch (error) {
+      console.error(`[Tunnel] EP904: Failed to create PID directory ${TUNNEL_PID_DIR}:`, error);
+      throw error;
+    }
+  }
+  /**
+   * EP877: Get PID file path for a module
+   */
+  getPidFilePath(moduleUid) {
+    return path7.join(TUNNEL_PID_DIR, `${moduleUid}.pid`);
+  }
+  /**
+   * EP877: Write PID to file for tracking across restarts
+   * EP904: Enhanced logging and error visibility
+   */
+  writePidFile(moduleUid, pid) {
+    try {
+      this.ensurePidDir();
+      const pidPath = this.getPidFilePath(moduleUid);
+      fs6.writeFileSync(pidPath, pid.toString(), "utf8");
+      console.log(`[Tunnel] EP904: Wrote PID ${pid} for ${moduleUid} to ${pidPath}`);
+    } catch (error) {
+      console.error(`[Tunnel] EP904: Failed to write PID file for ${moduleUid}:`, error);
+    }
+  }
+  /**
+   * EP877: Read PID from file
+   */
+  readPidFile(moduleUid) {
+    try {
+      const pidPath = this.getPidFilePath(moduleUid);
+      if (!fs6.existsSync(pidPath)) {
+        return null;
+      }
+      const pid = parseInt(fs6.readFileSync(pidPath, "utf8").trim(), 10);
+      return isNaN(pid) ? null : pid;
+    } catch (error) {
+      return null;
+    }
+  }
+  /**
+   * EP877: Remove PID file
+   */
+  removePidFile(moduleUid) {
+    try {
+      const pidPath = this.getPidFilePath(moduleUid);
+      if (fs6.existsSync(pidPath)) {
+        fs6.unlinkSync(pidPath);
+        console.log(`[Tunnel] EP877: Removed PID file for ${moduleUid}`);
+      }
+    } catch (error) {
+      console.error(`[Tunnel] EP877: Failed to remove PID file for ${moduleUid}:`, error);
+    }
+  }
+  /**
+   * EP877: Check if a process is running by PID
+   */
+  isProcessRunning(pid) {
+    try {
+      process.kill(pid, 0);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * EP877: Kill a process by PID
+   */
+  killByPid(pid, signal = "SIGTERM") {
+    try {
+      process.kill(pid, signal);
+      console.log(`[Tunnel] EP877: Sent ${signal} to PID ${pid}`);
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  /**
+   * EP877: Find all cloudflared processes using pgrep
+   */
+  findCloudflaredProcesses() {
+    try {
+      const output = (0, import_child_process5.execSync)("pgrep -f cloudflared", { encoding: "utf8" });
+      return output.trim().split("\n").map((pid) => parseInt(pid, 10)).filter((pid) => !isNaN(pid));
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * EP904: Get the port a cloudflared process is tunneling to
+   * Extracts port from process command line arguments
+   */
+  getProcessPort(pid) {
+    try {
+      const output = (0, import_child_process5.execSync)(`ps -p ${pid} -o args=`, { encoding: "utf8" }).trim();
+      const portMatch = output.match(/--url\s+https?:\/\/localhost:(\d+)/);
+      if (portMatch) {
+        return parseInt(portMatch[1], 10);
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * EP904: Find cloudflared processes on a specific port
+   */
+  findCloudflaredOnPort(port) {
+    const allProcesses = this.findCloudflaredProcesses();
+    return allProcesses.filter((pid) => this.getProcessPort(pid) === port);
+  }
+  /**
+   * EP904: Kill all cloudflared processes on a specific port
+   * Returns the PIDs that were killed
+   */
+  async killCloudflaredOnPort(port) {
+    const pidsOnPort = this.findCloudflaredOnPort(port);
+    const killed = [];
+    for (const pid of pidsOnPort) {
+      const isTracked = Array.from(this.tunnelStates.values()).some((s) => s.info.pid === pid);
+      console.log(`[Tunnel] EP904: Found cloudflared PID ${pid} on port ${port} (tracked: ${isTracked})`);
+      this.killByPid(pid, "SIGTERM");
+      await new Promise((resolve2) => setTimeout(resolve2, 500));
+      if (this.isProcessRunning(pid)) {
+        this.killByPid(pid, "SIGKILL");
+        await new Promise((resolve2) => setTimeout(resolve2, 200));
+      }
+      killed.push(pid);
+    }
+    if (killed.length > 0) {
+      console.log(`[Tunnel] EP904: Killed ${killed.length} cloudflared process(es) on port ${port}: ${killed.join(", ")}`);
+    }
+    return killed;
+  }
+  /**
+   * EP877: Cleanup orphaned cloudflared processes on startup
+   * Kills any cloudflared processes that have PID files but aren't tracked in memory,
+   * and any cloudflared processes that don't have corresponding PID files.
+   */
+  async cleanupOrphanedProcesses() {
+    const cleaned = [];
+    try {
+      this.ensurePidDir();
+      const pidFiles = fs6.readdirSync(TUNNEL_PID_DIR).filter((f) => f.endsWith(".pid"));
+      for (const pidFile of pidFiles) {
+        const moduleUid = pidFile.replace(".pid", "");
+        const pid = this.readPidFile(moduleUid);
+        if (pid && this.isProcessRunning(pid)) {
+          if (!this.tunnelStates.has(moduleUid)) {
+            console.log(`[Tunnel] EP877: Found orphaned process PID ${pid} for ${moduleUid}, killing...`);
+            this.killByPid(pid, "SIGTERM");
+            await new Promise((resolve2) => setTimeout(resolve2, 1e3));
+            if (this.isProcessRunning(pid)) {
+              this.killByPid(pid, "SIGKILL");
+            }
+            cleaned.push(pid);
+          }
+        }
+        this.removePidFile(moduleUid);
+      }
+      const runningPids = this.findCloudflaredProcesses();
+      const trackedPids = Array.from(this.tunnelStates.values()).map((s) => s.info.pid).filter((pid) => pid !== void 0);
+      for (const pid of runningPids) {
+        if (!trackedPids.includes(pid) && !cleaned.includes(pid)) {
+          console.log(`[Tunnel] EP877: Found untracked cloudflared process PID ${pid}, killing...`);
+          this.killByPid(pid, "SIGTERM");
+          await new Promise((resolve2) => setTimeout(resolve2, 500));
+          if (this.isProcessRunning(pid)) {
+            this.killByPid(pid, "SIGKILL");
+          }
+          cleaned.push(pid);
+        }
+      }
+      if (cleaned.length > 0) {
+        console.log(`[Tunnel] EP877: Cleaned up ${cleaned.length} orphaned cloudflared processes: ${cleaned.join(", ")}`);
+      }
+    } catch (error) {
+      console.error("[Tunnel] EP877: Error during orphan cleanup:", error);
+    }
+    return { cleaned: cleaned.length, pids: cleaned };
+  }
   /**
    * Emit typed tunnel events
    */
@@ -3334,10 +3751,16 @@ var TunnelManager = class extends import_events.EventEmitter {
   }
   /**
    * Initialize the tunnel manager
-   * Ensures cloudflared is available
+   * Ensures cloudflared is available and cleans up orphaned processes
+   *
+   * EP877: Now includes orphaned process cleanup on startup
    */
   async initialize() {
     this.cloudflaredPath = await ensureCloudflared();
+    const cleanup = await this.cleanupOrphanedProcesses();
+    if (cleanup.cleaned > 0) {
+      console.log(`[Tunnel] EP877: Initialization cleaned up ${cleanup.cleaned} orphaned processes`);
+    }
   }
   /**
    * EP672-9: Calculate delay for exponential backoff
@@ -3411,6 +3834,9 @@ var TunnelManager = class extends import_events.EventEmitter {
       });
       tunnelInfo.process = process2;
       tunnelInfo.pid = process2.pid;
+      if (process2.pid) {
+        this.writePidFile(moduleUid, process2.pid);
+      }
       const state = existingState || {
         info: tunnelInfo,
         options,
@@ -3512,24 +3938,77 @@ var TunnelManager = class extends import_events.EventEmitter {
   }
   /**
    * Start a tunnel for a module
+   *
+   * EP877: Uses mutex lock to prevent concurrent starts for the same module
    */
   async startTunnel(options) {
     const { moduleUid } = options;
-    const existingState = this.tunnelStates.get(moduleUid);
+    const existingLock = this.startLocks.get(moduleUid);
+    if (existingLock) {
+      console.log(`[Tunnel] EP877: Waiting for existing start operation for ${moduleUid}`);
+      return existingLock;
+    }
+    const startPromise = this.startTunnelWithLock(options);
+    this.startLocks.set(moduleUid, startPromise);
+    try {
+      return await startPromise;
+    } finally {
+      this.startLocks.delete(moduleUid);
+    }
+  }
+  /**
+   * EP877: Internal start implementation with lock already held
+   * EP901: Enhanced to clean up ALL orphaned cloudflared processes before starting
+   * EP904: Added port-based deduplication to prevent multiple tunnels on same port
+   */
+  async startTunnelWithLock(options) {
+    const { moduleUid, port = 3e3 } = options;
+    const existingState = this.tunnelStates.get(moduleUid);
     if (existingState) {
       if (existingState.info.status === "connected") {
         return { success: true, url: existingState.info.url };
       }
       await this.stopTunnel(moduleUid);
     }
+    const orphanPid = this.readPidFile(moduleUid);
+    if (orphanPid && this.isProcessRunning(orphanPid)) {
+      console.log(`[Tunnel] EP877: Killing orphaned process ${orphanPid} for ${moduleUid} before starting new tunnel`);
+      this.killByPid(orphanPid, "SIGTERM");
+      await new Promise((resolve2) => setTimeout(resolve2, 500));
+      if (this.isProcessRunning(orphanPid)) {
+        this.killByPid(orphanPid, "SIGKILL");
+      }
+      this.removePidFile(moduleUid);
+    }
+    const killedOnPort = await this.killCloudflaredOnPort(port);
+    if (killedOnPort.length > 0) {
+      console.log(`[Tunnel] EP904: Pre-start port cleanup killed ${killedOnPort.length} process(es) on port ${port}`);
+      await new Promise((resolve2) => setTimeout(resolve2, 300));
+    }
+    const cleanup = await this.cleanupOrphanedProcesses();
+    if (cleanup.cleaned > 0) {
+      console.log(`[Tunnel] EP901: Pre-start cleanup removed ${cleanup.cleaned} orphaned processes`);
+    }
     return this.startTunnelProcess(options);
   }
   /**
    * Stop a tunnel for a module
+   *
+   * EP877: Enhanced to handle cleanup via PID file when in-memory state is missing
    */
   async stopTunnel(moduleUid) {
     const state = this.tunnelStates.get(moduleUid);
     if (!state) {
+      const orphanPid = this.readPidFile(moduleUid);
+      if (orphanPid && this.isProcessRunning(orphanPid)) {
+        console.log(`[Tunnel] EP877: Stopping orphaned process ${orphanPid} for ${moduleUid} via PID file`);
+        this.killByPid(orphanPid, "SIGTERM");
+        await new Promise((resolve2) => setTimeout(resolve2, 1e3));
+        if (this.isProcessRunning(orphanPid)) {
+          this.killByPid(orphanPid, "SIGKILL");
+        }
+      }
+      this.removePidFile(moduleUid);
       return;
     }
     state.intentionallyStopped = true;
@@ -3553,6 +4032,7 @@ var TunnelManager = class extends import_events.EventEmitter {
         });
       });
     }
+    this.removePidFile(moduleUid);
     this.tunnelStates.delete(moduleUid);
     this.emitEvent({ type: "stopped", moduleUid });
   }
@@ -3602,31 +4082,599 @@ function getTunnelManager() {
   return tunnelManagerInstance;
 }
 
-// src/utils/dev-server.ts
+// src/tunnel/tunnel-api.ts
+var import_core5 = __toESM(require_dist());
+async function clearTunnelUrl(moduleUid) {
+  if (!moduleUid || moduleUid === "LOCAL") {
+    return;
+  }
+  const config = await (0, import_core5.loadConfig)();
+  if (!config?.access_token) {
+    return;
+  }
+  try {
+    const apiUrl = config.api_url || "https://episoda.dev";
+    await fetch(`${apiUrl}/api/modules/${moduleUid}/tunnel`, {
+      method: "DELETE",
+      headers: {
+        "Authorization": `Bearer ${config.access_token}`
+      }
+    });
+  } catch {
+  }
+}
+
+// src/agent/claude-binary.ts
 var import_child_process6 = require("child_process");
+var path8 = __toESM(require("path"));
+var fs7 = __toESM(require("fs"));
+var cachedBinaryPath = null;
+function isValidClaudeBinary(binaryPath) {
+  try {
+    fs7.accessSync(binaryPath, fs7.constants.X_OK);
+    const version = (0, import_child_process6.execSync)(`"${binaryPath}" --version`, {
+      encoding: "utf-8",
+      timeout: 5e3,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (version && /\d+\.\d+/.test(version)) {
+      console.log(`[AgentManager] Found Claude Code at ${binaryPath}: v${version}`);
+      return true;
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+async function ensureClaudeBinary() {
+  if (cachedBinaryPath) {
+    return cachedBinaryPath;
+  }
+  try {
+    const pathResult = (0, import_child_process6.execSync)("which claude", {
+      encoding: "utf-8",
+      timeout: 5e3,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (pathResult && isValidClaudeBinary(pathResult)) {
+      cachedBinaryPath = pathResult;
+      return cachedBinaryPath;
+    }
+  } catch {
+  }
+  const bundledPaths = [
+    // In production: node_modules/.bin/claude
+    path8.join(__dirname, "..", "..", "node_modules", ".bin", "claude"),
+    // In monorepo development: packages/episoda/node_modules/.bin/claude
+    path8.join(__dirname, "..", "..", "..", "..", "node_modules", ".bin", "claude"),
+    // Root monorepo node_modules
+    path8.join(__dirname, "..", "..", "..", "..", "..", "node_modules", ".bin", "claude")
+  ];
+  for (const bundledPath of bundledPaths) {
+    if (fs7.existsSync(bundledPath) && isValidClaudeBinary(bundledPath)) {
+      cachedBinaryPath = bundledPath;
+      return cachedBinaryPath;
+    }
+  }
+  try {
+    const npxResult = (0, import_child_process6.execSync)("npx --yes @anthropic-ai/claude-code --version", {
+      encoding: "utf-8",
+      timeout: 3e4,
+      // npx might need to download
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (npxResult && /\d+\.\d+/.test(npxResult)) {
+      cachedBinaryPath = "npx:@anthropic-ai/claude-code";
+      console.log(`[AgentManager] Using npx to run Claude Code: v${npxResult}`);
+      return cachedBinaryPath;
+    }
+  } catch {
+  }
+  throw new Error(
+    "Claude Code not found. Please install it globally with: npm install -g @anthropic-ai/claude-code"
+  );
+}
 
-// src/utils/port-check.ts
-var net2 = __toESM(require("net"));
-async function isPortInUse(port) {
+// src/agent/agent-manager.ts
+var import_child_process7 = require("child_process");
+var path9 = __toESM(require("path"));
+var fs8 = __toESM(require("fs"));
+var os3 = __toESM(require("os"));
+var instance = null;
+function getAgentManager() {
+  if (!instance) {
+    instance = new AgentManager();
+  }
+  return instance;
+}
+var AgentManager = class {
+  constructor() {
+    this.sessions = /* @__PURE__ */ new Map();
+    this.processes = /* @__PURE__ */ new Map();
+    this.initialized = false;
+    this.pidDir = path9.join(os3.homedir(), ".episoda", "agent-pids");
+  }
+  /**
+   * Initialize the agent manager
+   * - Ensure Claude Code is available
+   * - Clean up any orphaned processes from previous daemon runs
+   */
+  async initialize() {
+    if (this.initialized) {
+      return;
+    }
+    console.log("[AgentManager] Initializing...");
+    if (!fs8.existsSync(this.pidDir)) {
+      fs8.mkdirSync(this.pidDir, { recursive: true });
+    }
+    await this.cleanupOrphanedProcesses();
+    try {
+      await ensureClaudeBinary();
+      console.log("[AgentManager] Claude Code binary verified");
+    } catch (error) {
+      console.warn("[AgentManager] Claude Code not available:", error instanceof Error ? error.message : error);
+    }
+    this.initialized = true;
+    console.log("[AgentManager] Initialized");
+  }
+  /**
+   * Start a new agent session
+   *
+   * Creates the session record but doesn't spawn the process yet.
+   * The process is spawned on the first message.
+   */
+  async startSession(options) {
+    const { sessionId, moduleId, moduleUid, projectPath, message, credentials, systemPrompt, onChunk, onComplete, onError } = options;
+    if (this.sessions.has(sessionId)) {
+      return { success: false, error: "Session already exists" };
+    }
+    const oauthToken = credentials?.oauthToken || credentials?.apiKey;
+    if (!oauthToken) {
+      return { success: false, error: "Missing OAuth token in credentials. Please connect your Claude account in Settings." };
+    }
+    credentials.oauthToken = oauthToken;
+    try {
+      await ensureClaudeBinary();
+    } catch (error) {
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : "Claude Code not available"
+      };
+    }
+    const session = {
+      sessionId,
+      moduleId,
+      moduleUid,
+      projectPath,
+      credentials,
+      systemPrompt,
+      status: "starting",
+      startedAt: /* @__PURE__ */ new Date(),
+      lastActivityAt: /* @__PURE__ */ new Date()
+    };
+    this.sessions.set(sessionId, session);
+    console.log(`[AgentManager] Started session ${sessionId} for ${moduleUid}`);
+    return this.sendMessage({
+      sessionId,
+      message,
+      isFirstMessage: true,
+      onChunk,
+      onComplete,
+      onError
+    });
+  }
+  /**
+   * Send a message to an agent session
+   *
+   * Spawns a new Claude Code process for each message.
+   * Uses --print for non-interactive mode and --output-format stream-json for structured output.
+   * Subsequent messages use --resume with the claudeSessionId for conversation continuity.
+   */
+  async sendMessage(options) {
+    const { sessionId, message, isFirstMessage, claudeSessionId, onChunk, onComplete, onError } = options;
+    const session = this.sessions.get(sessionId);
+    if (!session) {
+      return { success: false, error: "Session not found" };
+    }
+    session.lastActivityAt = /* @__PURE__ */ new Date();
+    session.status = "running";
+    try {
+      const binaryPath = await ensureClaudeBinary();
+      const args = [
+        "--print",
+        // Non-interactive mode
+        "--output-format",
+        "stream-json",
+        // Structured streaming output
+        "--verbose"
+        // Required for stream-json with --print
+      ];
+      if (isFirstMessage && session.systemPrompt) {
+        args.push("--system-prompt", session.systemPrompt);
+      }
+      if (claudeSessionId) {
+        args.push("--resume", claudeSessionId);
+        session.claudeSessionId = claudeSessionId;
+      }
+      args.push("--", message);
+      console.log(`[AgentManager] Spawning Claude Code for session ${sessionId}`);
+      console.log(`[AgentManager] Command: ${binaryPath} ${args.join(" ").substring(0, 100)}...`);
+      let spawnCmd;
+      let spawnArgs;
+      if (binaryPath.startsWith("npx:")) {
+        spawnCmd = "npx";
+        spawnArgs = ["--yes", binaryPath.replace("npx:", ""), ...args];
+      } else {
+        spawnCmd = binaryPath;
+        spawnArgs = args;
+      }
+      const claudeDir = path9.join(os3.homedir(), ".claude");
+      const credentialsPath = path9.join(claudeDir, ".credentials.json");
+      if (!fs8.existsSync(claudeDir)) {
+        fs8.mkdirSync(claudeDir, { recursive: true });
+      }
+      const credentialsContent = JSON.stringify({
+        claudeAiOauth: {
+          accessToken: session.credentials.oauthToken
+        }
+      }, null, 2);
+      fs8.writeFileSync(credentialsPath, credentialsContent, { mode: 384 });
+      console.log("[AgentManager] EP936: Wrote OAuth credentials to ~/.claude/.credentials.json");
+      const childProcess = (0, import_child_process7.spawn)(spawnCmd, spawnArgs, {
+        cwd: session.projectPath,
+        env: {
+          ...process.env,
+          // Disable color output for cleaner JSON parsing
+          NO_COLOR: "1",
+          FORCE_COLOR: "0"
+        },
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      this.processes.set(sessionId, childProcess);
+      childProcess.stdin?.end();
+      if (childProcess.pid) {
+        session.pid = childProcess.pid;
+        this.writePidFile(sessionId, childProcess.pid);
+      }
+      childProcess.stderr?.on("data", (data) => {
+        console.error(`[AgentManager] stderr: ${data.toString()}`);
+      });
+      childProcess.on("error", (error) => {
+        console.error(`[AgentManager] Process spawn error:`, error);
+      });
+      let stdoutBuffer = "";
+      let extractedSessionId;
+      childProcess.stdout?.on("data", (data) => {
+        stdoutBuffer += data.toString();
+        const lines = stdoutBuffer.split("\n");
+        stdoutBuffer = lines.pop() || "";
+        for (const line of lines) {
+          if (!line.trim()) continue;
+          try {
+            const parsed = JSON.parse(line);
+            switch (parsed.type) {
+              case "assistant":
+                if (parsed.message?.content) {
+                  for (const block of parsed.message.content) {
+                    if (block.type === "text" && block.text) {
+                      onChunk(block.text);
+                    }
+                  }
+                }
+                break;
+              case "content_block_delta":
+                if (parsed.delta?.text) {
+                  onChunk(parsed.delta.text);
+                }
+                break;
+              case "result":
+                if (parsed.session_id) {
+                  extractedSessionId = parsed.session_id;
+                  session.claudeSessionId = extractedSessionId;
+                }
+                if (parsed.result?.session_id) {
+                  extractedSessionId = parsed.result.session_id;
+                  session.claudeSessionId = extractedSessionId;
+                }
+                break;
+              case "system":
+                if (parsed.session_id) {
+                  extractedSessionId = parsed.session_id;
+                  session.claudeSessionId = extractedSessionId;
+                }
+                break;
+              case "error":
+                onError(parsed.error?.message || parsed.message || "Unknown error from Claude Code");
+                break;
+              default:
+                console.log(`[AgentManager] Unknown stream-json type: ${parsed.type}`);
+            }
+          } catch (parseError) {
+            if (line.trim()) {
+              onChunk(line + "\n");
+            }
+          }
+        }
+      });
+      let stderrBuffer = "";
+      childProcess.stderr?.on("data", (data) => {
+        stderrBuffer += data.toString();
+      });
+      childProcess.on("exit", (code, signal) => {
+        console.log(`[AgentManager] Claude Code exited for session ${sessionId}: code=${code}, signal=${signal}`);
+        this.processes.delete(sessionId);
+        this.removePidFile(sessionId);
+        if (code === 0) {
+          session.status = "stopped";
+          onComplete(extractedSessionId || session.claudeSessionId);
+        } else if (signal === "SIGINT") {
+          session.status = "stopped";
+          onComplete(extractedSessionId || session.claudeSessionId);
+        } else {
+          session.status = "error";
+          const errorMsg = stderrBuffer.trim() || `Process exited with code ${code}`;
+          onError(errorMsg);
+        }
+      });
+      childProcess.on("error", (error) => {
+        console.error(`[AgentManager] Process error for session ${sessionId}:`, error);
+        session.status = "error";
+        this.processes.delete(sessionId);
+        this.removePidFile(sessionId);
+        onError(error.message);
+      });
+      return { success: true };
+    } catch (error) {
+      session.status = "error";
+      const errorMsg = error instanceof Error ? error.message : String(error);
+      onError(errorMsg);
+      return { success: false, error: errorMsg };
+    }
+  }
+  /**
+   * Abort an agent session (SIGINT)
+   *
+   * Sends SIGINT to the Claude Code process to abort the current operation.
+   */
+  async abortSession(sessionId) {
+    const process2 = this.processes.get(sessionId);
+    if (process2 && !process2.killed) {
+      console.log(`[AgentManager] Aborting session ${sessionId} with SIGINT`);
+      process2.kill("SIGINT");
+    }
+    const session = this.sessions.get(sessionId);
+    if (session) {
+      session.status = "stopping";
+    }
+  }
+  /**
+   * Stop an agent session gracefully
+   *
+   * Sends SIGINT and waits for process to exit.
+   * If it doesn't exit within 5 seconds, sends SIGTERM.
+   */
+  async stopSession(sessionId) {
+    const process2 = this.processes.get(sessionId);
+    const session = this.sessions.get(sessionId);
+    if (session) {
+      session.status = "stopping";
+    }
+    if (process2 && !process2.killed) {
+      console.log(`[AgentManager] Stopping session ${sessionId}`);
+      process2.kill("SIGINT");
+      await new Promise((resolve2) => {
+        const timeout = setTimeout(() => {
+          if (!process2.killed) {
+            console.log(`[AgentManager] Force killing session ${sessionId}`);
+            process2.kill("SIGTERM");
+          }
+          resolve2();
+        }, 5e3);
+        process2.once("exit", () => {
+          clearTimeout(timeout);
+          resolve2();
+        });
+      });
+    }
+    this.sessions.delete(sessionId);
+    this.processes.delete(sessionId);
+    this.removePidFile(sessionId);
+    console.log(`[AgentManager] Session ${sessionId} stopped`);
+  }
+  /**
+   * Stop all active sessions
+   */
+  async stopAllSessions() {
+    const sessionIds = Array.from(this.sessions.keys());
+    await Promise.all(sessionIds.map((id) => this.stopSession(id)));
+  }
+  /**
+   * Get session info
+   */
+  getSession(sessionId) {
+    return this.sessions.get(sessionId);
+  }
+  /**
+   * Get all active sessions
+   */
+  getAllSessions() {
+    return Array.from(this.sessions.values());
+  }
+  /**
+   * Check if a session exists
+   */
+  hasSession(sessionId) {
+    return this.sessions.has(sessionId);
+  }
+  /**
+   * Clean up orphaned processes from previous daemon runs
+   *
+   * Reads PID files from ~/.episoda/agent-pids/ and kills any
+   * processes that are still running.
+   */
+  async cleanupOrphanedProcesses() {
+    let cleaned = 0;
+    if (!fs8.existsSync(this.pidDir)) {
+      return { cleaned };
+    }
+    const pidFiles = fs8.readdirSync(this.pidDir).filter((f) => f.endsWith(".pid"));
+    for (const pidFile of pidFiles) {
+      const pidPath = path9.join(this.pidDir, pidFile);
+      try {
+        const pidStr = fs8.readFileSync(pidPath, "utf-8").trim();
+        const pid = parseInt(pidStr, 10);
+        if (!isNaN(pid)) {
+          try {
+            process.kill(pid, 0);
+            console.log(`[AgentManager] Killing orphaned process ${pid}`);
+            process.kill(pid, "SIGTERM");
+            cleaned++;
+          } catch {
+          }
+        }
+        fs8.unlinkSync(pidPath);
+      } catch (error) {
+        console.warn(`[AgentManager] Error cleaning PID file ${pidFile}:`, error);
+      }
+    }
+    if (cleaned > 0) {
+      console.log(`[AgentManager] Cleaned up ${cleaned} orphaned process(es)`);
+    }
+    return { cleaned };
+  }
+  /**
+   * Write PID file for session tracking
+   */
+  writePidFile(sessionId, pid) {
+    const pidPath = path9.join(this.pidDir, `${sessionId}.pid`);
+    fs8.writeFileSync(pidPath, pid.toString());
+  }
+  /**
+   * Remove PID file for session
+   */
+  removePidFile(sessionId) {
+    const pidPath = path9.join(this.pidDir, `${sessionId}.pid`);
+    try {
+      if (fs8.existsSync(pidPath)) {
+        fs8.unlinkSync(pidPath);
+      }
+    } catch {
+    }
+  }
+};
+
+// src/utils/dev-server.ts
+var import_child_process8 = require("child_process");
+init_port_check();
+var import_core6 = __toESM(require_dist());
+var import_http = __toESM(require("http"));
+var fs9 = __toESM(require("fs"));
+var path10 = __toESM(require("path"));
+var MAX_RESTART_ATTEMPTS = 5;
+var INITIAL_RESTART_DELAY_MS = 2e3;
+var MAX_RESTART_DELAY_MS = 3e4;
+var MAX_LOG_SIZE_BYTES = 5 * 1024 * 1024;
+var NODE_MEMORY_LIMIT_MB = 2048;
+var activeServers = /* @__PURE__ */ new Map();
+function getLogsDir() {
+  const logsDir = path10.join((0, import_core6.getConfigDir)(), "logs");
+  if (!fs9.existsSync(logsDir)) {
+    fs9.mkdirSync(logsDir, { recursive: true });
+  }
+  return logsDir;
+}
+function getLogFilePath(moduleUid) {
+  return path10.join(getLogsDir(), `dev-${moduleUid}.log`);
+}
+function rotateLogIfNeeded(logPath) {
+  try {
+    if (fs9.existsSync(logPath)) {
+      const stats = fs9.statSync(logPath);
+      if (stats.size > MAX_LOG_SIZE_BYTES) {
+        const backupPath = `${logPath}.1`;
+        if (fs9.existsSync(backupPath)) {
+          fs9.unlinkSync(backupPath);
+        }
+        fs9.renameSync(logPath, backupPath);
+        console.log(`[DevServer] EP932: Rotated log file for ${path10.basename(logPath)}`);
+      }
+    }
+  } catch (error) {
+    console.warn(`[DevServer] EP932: Failed to rotate log:`, error);
+  }
+}
+function writeToLog(logPath, line, isError = false) {
+  try {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const prefix = isError ? "ERR" : "OUT";
+    const logLine = `[${timestamp}] [${prefix}] ${line}
+`;
+    fs9.appendFileSync(logPath, logLine);
+  } catch {
+  }
+}
+async function isDevServerHealthy(port, timeoutMs = 5e3) {
   return new Promise((resolve2) => {
-    const server = net2.createServer();
-    server.once("error", (err) => {
-      if (err.code === "EADDRINUSE") {
+    const req = import_http.default.request(
+      {
+        hostname: "localhost",
+        port,
+        path: "/",
+        method: "HEAD",
+        timeout: timeoutMs
+      },
+      (res) => {
         resolve2(true);
-      } else {
-        resolve2(false);
       }
+    );
+    req.on("error", () => {
+      resolve2(false);
     });
-    server.once("listening", () => {
-      server.close();
+    req.on("timeout", () => {
+      req.destroy();
       resolve2(false);
     });
-    server.listen(port);
+    req.end();
   });
 }
-
-// src/utils/dev-server.ts
-var activeServers = /* @__PURE__ */ new Map();
+async function killProcessOnPort(port) {
+  try {
+    const result = (0, import_child_process8.execSync)(`lsof -ti:${port} 2>/dev/null || true`, { encoding: "utf8" }).trim();
+    if (!result) {
+      console.log(`[DevServer] EP929: No process found on port ${port}`);
+      return true;
+    }
+    const pids = result.split("\n").filter(Boolean);
+    console.log(`[DevServer] EP929: Found ${pids.length} process(es) on port ${port}: ${pids.join(", ")}`);
+    for (const pid of pids) {
+      try {
+        (0, import_child_process8.execSync)(`kill -15 ${pid} 2>/dev/null || true`, { encoding: "utf8" });
+        console.log(`[DevServer] EP929: Sent SIGTERM to PID ${pid}`);
+      } catch {
+      }
+    }
+    await new Promise((resolve2) => setTimeout(resolve2, 1e3));
+    for (const pid of pids) {
+      try {
+        (0, import_child_process8.execSync)(`kill -0 ${pid} 2>/dev/null`, { encoding: "utf8" });
+        (0, import_child_process8.execSync)(`kill -9 ${pid} 2>/dev/null || true`, { encoding: "utf8" });
+        console.log(`[DevServer] EP929: Force killed PID ${pid}`);
+      } catch {
+      }
+    }
+    await new Promise((resolve2) => setTimeout(resolve2, 500));
+    const stillInUse = await isPortInUse(port);
+    if (stillInUse) {
+      console.error(`[DevServer] EP929: Port ${port} still in use after kill attempts`);
+      return false;
+    }
+    console.log(`[DevServer] EP929: Successfully freed port ${port}`);
+    return true;
+  } catch (error) {
+    console.error(`[DevServer] EP929: Error killing process on port ${port}:`, error);
+    return false;
+  }
+}
 async function waitForPort(port, timeoutMs = 3e4) {
   const startTime = Date.now();
   const checkInterval = 500;
@@ -3638,58 +4686,141 @@ async function waitForPort(port, timeoutMs = 3e4) {
   }
   return false;
 }
-async function startDevServer(projectPath, port = 3e3, moduleUid = "default") {
+function calculateRestartDelay(restartCount) {
+  const delay = INITIAL_RESTART_DELAY_MS * Math.pow(2, restartCount);
+  return Math.min(delay, MAX_RESTART_DELAY_MS);
+}
+function spawnDevServerProcess(projectPath, port, moduleUid, logPath) {
+  rotateLogIfNeeded(logPath);
+  const nodeOptions = process.env.NODE_OPTIONS || "";
+  const memoryFlag = `--max-old-space-size=${NODE_MEMORY_LIMIT_MB}`;
+  const enhancedNodeOptions = nodeOptions.includes("max-old-space-size") ? nodeOptions : `${nodeOptions} ${memoryFlag}`.trim();
+  const devProcess = (0, import_child_process8.spawn)("npm", ["run", "dev"], {
+    cwd: projectPath,
+    env: {
+      ...process.env,
+      PORT: String(port),
+      NODE_OPTIONS: enhancedNodeOptions
+    },
+    stdio: ["ignore", "pipe", "pipe"],
+    detached: false
+  });
+  devProcess.stdout?.on("data", (data) => {
+    const line = data.toString().trim();
+    if (line) {
+      console.log(`[DevServer:${moduleUid}] ${line}`);
+      writeToLog(logPath, line, false);
+    }
+  });
+  devProcess.stderr?.on("data", (data) => {
+    const line = data.toString().trim();
+    if (line) {
+      console.error(`[DevServer:${moduleUid}] ${line}`);
+      writeToLog(logPath, line, true);
+    }
+  });
+  return devProcess;
+}
+async function handleProcessExit(moduleUid, code, signal) {
+  const serverInfo = activeServers.get(moduleUid);
+  if (!serverInfo) {
+    return;
+  }
+  const exitReason = signal ? `signal ${signal}` : `code ${code}`;
+  console.log(`[DevServer] EP932: Process for ${moduleUid} exited with ${exitReason}`);
+  writeToLog(serverInfo.logFile || "", `Process exited with ${exitReason}`, true);
+  if (!serverInfo.autoRestartEnabled) {
+    console.log(`[DevServer] EP932: Auto-restart disabled for ${moduleUid}`);
+    activeServers.delete(moduleUid);
+    return;
+  }
+  if (serverInfo.restartCount >= MAX_RESTART_ATTEMPTS) {
+    console.error(`[DevServer] EP932: Max restart attempts (${MAX_RESTART_ATTEMPTS}) reached for ${moduleUid}`);
+    writeToLog(serverInfo.logFile || "", `Max restart attempts reached, giving up`, true);
+    activeServers.delete(moduleUid);
+    return;
+  }
+  const delay = calculateRestartDelay(serverInfo.restartCount);
+  console.log(`[DevServer] EP932: Restarting ${moduleUid} in ${delay}ms (attempt ${serverInfo.restartCount + 1}/${MAX_RESTART_ATTEMPTS})`);
+  writeToLog(serverInfo.logFile || "", `Scheduling restart in ${delay}ms (attempt ${serverInfo.restartCount + 1})`, false);
+  await new Promise((resolve2) => setTimeout(resolve2, delay));
+  if (!activeServers.has(moduleUid)) {
+    console.log(`[DevServer] EP932: Server ${moduleUid} was removed during restart delay, aborting restart`);
+    return;
+  }
+  const logPath = serverInfo.logFile || getLogFilePath(moduleUid);
+  const newProcess = spawnDevServerProcess(serverInfo.projectPath, serverInfo.port, moduleUid, logPath);
+  const updatedInfo = {
+    ...serverInfo,
+    process: newProcess,
+    restartCount: serverInfo.restartCount + 1,
+    lastRestartAt: /* @__PURE__ */ new Date()
+  };
+  activeServers.set(moduleUid, updatedInfo);
+  newProcess.on("exit", (newCode, newSignal) => {
+    handleProcessExit(moduleUid, newCode, newSignal);
+  });
+  newProcess.on("error", (error) => {
+    console.error(`[DevServer] EP932: Process error for ${moduleUid}:`, error);
+    writeToLog(logPath, `Process error: ${error.message}`, true);
+  });
+  const serverReady = await waitForPort(serverInfo.port, 6e4);
+  if (serverReady) {
+    console.log(`[DevServer] EP932: Server ${moduleUid} restarted successfully`);
+    writeToLog(logPath, `Server restarted successfully`, false);
+    updatedInfo.restartCount = 0;
+  } else {
+    console.error(`[DevServer] EP932: Server ${moduleUid} failed to restart`);
+    writeToLog(logPath, `Server failed to restart within timeout`, true);
+  }
+}
+async function startDevServer(projectPath, port = 3e3, moduleUid = "default", options = {}) {
+  const autoRestart = options.autoRestart ?? true;
   if (await isPortInUse(port)) {
     console.log(`[DevServer] Server already running on port ${port}`);
     return { success: true, alreadyRunning: true };
   }
   if (activeServers.has(moduleUid)) {
     const existing = activeServers.get(moduleUid);
-    if (existing && !existing.killed) {
+    if (existing && !existing.process.killed) {
       console.log(`[DevServer] Process already exists for ${moduleUid}`);
       return { success: true, alreadyRunning: true };
     }
   }
-  console.log(`[DevServer] Starting dev server for ${moduleUid} on port ${port}...`);
+  console.log(`[DevServer] EP932: Starting dev server for ${moduleUid} on port ${port} (auto-restart: ${autoRestart})...`);
   try {
-    const devProcess = (0, import_child_process6.spawn)("npm", ["run", "dev"], {
-      cwd: projectPath,
-      env: {
-        ...process.env,
-        PORT: String(port)
-      },
-      stdio: ["ignore", "pipe", "pipe"],
-      detached: false
-    });
-    activeServers.set(moduleUid, devProcess);
-    devProcess.stdout?.on("data", (data) => {
-      const line = data.toString().trim();
-      if (line) {
-        console.log(`[DevServer:${moduleUid}] ${line}`);
-      }
-    });
-    devProcess.stderr?.on("data", (data) => {
-      const line = data.toString().trim();
-      if (line) {
-        console.error(`[DevServer:${moduleUid}] ${line}`);
-      }
-    });
+    const logPath = getLogFilePath(moduleUid);
+    const devProcess = spawnDevServerProcess(projectPath, port, moduleUid, logPath);
+    const serverInfo = {
+      process: devProcess,
+      moduleUid,
+      projectPath,
+      port,
+      startedAt: /* @__PURE__ */ new Date(),
+      restartCount: 0,
+      lastRestartAt: null,
+      autoRestartEnabled: autoRestart,
+      logFile: logPath
+    };
+    activeServers.set(moduleUid, serverInfo);
+    writeToLog(logPath, `Starting dev server on port ${port}`, false);
     devProcess.on("exit", (code, signal) => {
-      console.log(`[DevServer] Process for ${moduleUid} exited with code ${code}, signal ${signal}`);
-      activeServers.delete(moduleUid);
+      handleProcessExit(moduleUid, code, signal);
     });
     devProcess.on("error", (error) => {
       console.error(`[DevServer] Process error for ${moduleUid}:`, error);
-      activeServers.delete(moduleUid);
+      writeToLog(logPath, `Process error: ${error.message}`, true);
     });
     console.log(`[DevServer] Waiting for server to start on port ${port}...`);
     const serverReady = await waitForPort(port, 6e4);
     if (!serverReady) {
       devProcess.kill();
       activeServers.delete(moduleUid);
+      writeToLog(logPath, `Failed to start within timeout`, true);
       return { success: false, error: "Dev server failed to start within timeout" };
     }
     console.log(`[DevServer] Server started successfully on port ${port}`);
+    writeToLog(logPath, `Server started successfully`, false);
     return { success: true };
   } catch (error) {
     const errorMsg = error instanceof Error ? error.message : String(error);
@@ -3698,27 +4829,65 @@ async function startDevServer(projectPath, port = 3e3, moduleUid = "default") {
   }
 }
 async function stopDevServer(moduleUid) {
-  const process2 = activeServers.get(moduleUid);
-  if (process2 && !process2.killed) {
+  const serverInfo = activeServers.get(moduleUid);
+  if (!serverInfo) {
+    return;
+  }
+  serverInfo.autoRestartEnabled = false;
+  if (!serverInfo.process.killed) {
     console.log(`[DevServer] Stopping server for ${moduleUid}`);
-    process2.kill("SIGTERM");
+    if (serverInfo.logFile) {
+      writeToLog(serverInfo.logFile, `Stopping server (manual stop)`, false);
+    }
+    serverInfo.process.kill("SIGTERM");
     await new Promise((resolve2) => setTimeout(resolve2, 2e3));
-    if (!process2.killed) {
-      process2.kill("SIGKILL");
+    if (!serverInfo.process.killed) {
+      serverInfo.process.kill("SIGKILL");
     }
-    activeServers.delete(moduleUid);
   }
+  activeServers.delete(moduleUid);
+}
+async function restartDevServer(moduleUid) {
+  const serverInfo = activeServers.get(moduleUid);
+  if (!serverInfo) {
+    return { success: false, error: `No dev server found for ${moduleUid}` };
+  }
+  const { projectPath, port, autoRestartEnabled, logFile } = serverInfo;
+  console.log(`[DevServer] EP932: Restarting server for ${moduleUid}...`);
+  if (logFile) {
+    writeToLog(logFile, `Manual restart requested`, false);
+  }
+  await stopDevServer(moduleUid);
+  await new Promise((resolve2) => setTimeout(resolve2, 1e3));
+  if (await isPortInUse(port)) {
+    await killProcessOnPort(port);
+  }
+  return startDevServer(projectPath, port, moduleUid, { autoRestart: autoRestartEnabled });
+}
+function getDevServerStatus() {
+  const now = Date.now();
+  return Array.from(activeServers.values()).map((info) => ({
+    moduleUid: info.moduleUid,
+    port: info.port,
+    pid: info.process.pid,
+    startedAt: info.startedAt,
+    uptime: Math.floor((now - info.startedAt.getTime()) / 1e3),
+    restartCount: info.restartCount,
+    lastRestartAt: info.lastRestartAt,
+    autoRestartEnabled: info.autoRestartEnabled,
+    logFile: info.logFile
+  }));
 }
 async function ensureDevServer(projectPath, port = 3e3, moduleUid = "default") {
   if (await isPortInUse(port)) {
     return { success: true };
   }
-  return startDevServer(projectPath, port, moduleUid);
+  return startDevServer(projectPath, port, moduleUid, { autoRestart: true });
 }
 
 // src/utils/port-detect.ts
-var fs6 = __toESM(require("fs"));
-var path7 = __toESM(require("path"));
+var fs10 = __toESM(require("fs"));
+var path11 = __toESM(require("path"));
 var DEFAULT_PORT = 3e3;
 function detectDevPort(projectPath) {
   const envPort = getPortFromEnv(projectPath);
@@ -3736,15 +4905,15 @@ function detectDevPort(projectPath) {
 }
 function getPortFromEnv(projectPath) {
   const envPaths = [
-    path7.join(projectPath, ".env"),
-    path7.join(projectPath, ".env.local"),
-    path7.join(projectPath, ".env.development"),
-    path7.join(projectPath, ".env.development.local")
+    path11.join(projectPath, ".env"),
+    path11.join(projectPath, ".env.local"),
+    path11.join(projectPath, ".env.development"),
+    path11.join(projectPath, ".env.development.local")
   ];
   for (const envPath of envPaths) {
     try {
-      if (!fs6.existsSync(envPath)) continue;
-      const content = fs6.readFileSync(envPath, "utf-8");
+      if (!fs10.existsSync(envPath)) continue;
+      const content = fs10.readFileSync(envPath, "utf-8");
       const lines = content.split("\n");
       for (const line of lines) {
         const match = line.match(/^\s*PORT\s*=\s*["']?(\d+)["']?\s*(?:#.*)?$/);
@@ -3761,10 +4930,10 @@ function getPortFromEnv(projectPath) {
   return null;
 }
 function getPortFromPackageJson(projectPath) {
-  const packageJsonPath = path7.join(projectPath, "package.json");
+  const packageJsonPath = path11.join(projectPath, "package.json");
   try {
-    if (!fs6.existsSync(packageJsonPath)) return null;
-    const content = fs6.readFileSync(packageJsonPath, "utf-8");
+    if (!fs10.existsSync(packageJsonPath)) return null;
+    const content = fs10.readFileSync(packageJsonPath, "utf-8");
     const pkg = JSON.parse(content);
     const devScript = pkg.scripts?.dev;
     if (!devScript) return null;
@@ -3788,11 +4957,79 @@ function getPortFromPackageJson(projectPath) {
 }
 
 // src/daemon/daemon-process.ts
-var fs7 = __toESM(require("fs"));
-var os2 = __toESM(require("os"));
-var path8 = __toESM(require("path"));
+var fs11 = __toESM(require("fs"));
+var os4 = __toESM(require("os"));
+var path12 = __toESM(require("path"));
 var packageJson = require_package();
+async function ensureValidToken(config, bufferMs = 5 * 60 * 1e3) {
+  const now = Date.now();
+  const expiresAt = config.expires_at || 0;
+  if (expiresAt > now + bufferMs) {
+    return config;
+  }
+  if (!config.refresh_token) {
+    console.warn("[Daemon] EP904: Token expired but no refresh_token available");
+    return config;
+  }
+  console.log("[Daemon] EP904: Access token expired or expiring soon, refreshing...");
+  try {
+    const apiUrl = config.api_url || "https://episoda.dev";
+    const response = await fetch(`${apiUrl}/api/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        refresh_token: config.refresh_token
+      })
+    });
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      console.error(`[Daemon] EP904: Token refresh failed: ${response.status} ${errorData.error || response.statusText}`);
+      return config;
+    }
+    const tokenResponse = await response.json();
+    const updatedConfig = {
+      ...config,
+      access_token: tokenResponse.access_token,
+      refresh_token: tokenResponse.refresh_token || config.refresh_token,
+      expires_at: now + tokenResponse.expires_in * 1e3
+    };
+    await (0, import_core7.saveConfig)(updatedConfig);
+    console.log("[Daemon] EP904: Access token refreshed successfully");
+    return updatedConfig;
+  } catch (error) {
+    console.error("[Daemon] EP904: Token refresh error:", error instanceof Error ? error.message : error);
+    return config;
+  }
+}
+async function fetchWithAuth(url, options = {}, retryOnUnauthorized = true) {
+  let config = await (0, import_core7.loadConfig)();
+  if (!config?.access_token) {
+    throw new Error("No access token configured");
+  }
+  config = await ensureValidToken(config);
+  const headers = {
+    ...options.headers,
+    "Authorization": `Bearer ${config.access_token}`,
+    "Content-Type": "application/json"
+  };
+  let response = await fetch(url, { ...options, headers });
+  if (response.status === 401 && retryOnUnauthorized && config.refresh_token) {
+    console.log("[Daemon] EP904: Received 401, attempting token refresh and retry...");
+    const refreshedConfig = await ensureValidToken({ ...config, expires_at: 0 });
+    if (refreshedConfig.access_token !== config.access_token) {
+      const retryHeaders = {
+        ...options.headers,
+        "Authorization": `Bearer ${refreshedConfig.access_token}`,
+        "Content-Type": "application/json"
+      };
+      response = await fetch(url, { ...options, headers: retryHeaders });
+    }
+  }
+  return response;
+}
 var Daemon = class _Daemon {
+  // 60 seconds
   constructor() {
     this.machineId = "";
     this.deviceId = null;
@@ -3817,11 +5054,38 @@ var Daemon = class _Daemon {
     // 15 seconds
     // EP822: Prevent concurrent tunnel syncs (backpressure guard)
     this.tunnelSyncInProgress = false;
+    // EP833: Track consecutive health check failures per tunnel
+    this.tunnelHealthFailures = /* @__PURE__ */ new Map();
+    // 3 second timeout for health checks
+    // EP911: Track last reported health status to avoid unnecessary DB writes
+    this.lastReportedHealthStatus = /* @__PURE__ */ new Map();
+    // moduleUid -> status
+    // EP837: Prevent concurrent commit syncs (backpressure guard)
+    this.commitSyncInProgress = false;
+    // EP843: Per-module mutex for tunnel operations
+    // Prevents race conditions between autoStartTunnels and module_state_changed handler
+    this.tunnelOperationLocks = /* @__PURE__ */ new Map();
+    // moduleUid -> operation promise
+    // EP929: Health check polling interval (restored from EP843 removal)
+    // Health checks are orthogonal to push-based state sync - they detect dead tunnels
+    this.healthCheckInterval = null;
+    this.healthCheckInProgress = false;
     this.ipcServer = new IPCServer();
   }
   static {
     this.TUNNEL_POLL_INTERVAL_MS = 15e3;
   }
+  static {
+    // moduleUid -> consecutive failures
+    this.HEALTH_CHECK_FAILURE_THRESHOLD = 2;
+  }
+  static {
+    // Restart after 2 consecutive failures
+    this.HEALTH_CHECK_TIMEOUT_MS = 3e3;
+  }
+  static {
+    this.HEALTH_CHECK_INTERVAL_MS = 6e4;
+  }
   /**
    * Start the daemon
    */
@@ -3829,7 +5093,7 @@ var Daemon = class _Daemon {
     console.log("[Daemon] Starting Episoda daemon...");
     this.machineId = await getMachineId();
     console.log(`[Daemon] Machine ID: ${this.machineId}`);
-    const config = await (0, import_core5.loadConfig)();
+    const config = await (0, import_core7.loadConfig)();
     if (config?.device_id) {
       this.deviceId = config.device_id;
       console.log(`[Daemon] Loaded cached Device ID (UUID): ${this.deviceId}`);
@@ -3839,7 +5103,7 @@ var Daemon = class _Daemon {
     this.registerIPCHandlers();
     await this.restoreConnections();
     await this.cleanupOrphanedTunnels();
-    this.startTunnelPolling();
+    this.startHealthCheckPolling();
     this.setupShutdownHandlers();
     console.log("[Daemon] Daemon started successfully");
     this.checkAndNotifyUpdates();
@@ -3873,16 +5137,20 @@ var Daemon = class _Daemon {
         id: p.id,
         path: p.path,
         name: p.name,
-        connected: this.liveConnections.has(p.path)
+        // EP843: Use actual WebSocket state instead of liveConnections Set
+        // This is more reliable as it checks the real connection state
+        connected: this.isWebSocketOpen(p.path),
+        // Keep liveConnections for backwards compatibility and debugging
+        liveConnectionsHas: this.liveConnections.has(p.path)
       }));
       return {
         running: true,
         machineId: this.machineId,
         deviceId: this.deviceId,
         // EP726: UUID for unified device identification
-        hostname: os2.hostname(),
-        platform: os2.platform(),
-        arch: os2.arch(),
+        hostname: os4.hostname(),
+        platform: os4.platform(),
+        arch: os4.arch(),
         projects
       };
     });
@@ -3947,10 +5215,12 @@ var Daemon = class _Daemon {
         name: p.name,
         inConnectionsMap: this.connections.has(p.path),
         inLiveConnections: this.liveConnections.has(p.path),
+        // EP843: Add actual WebSocket state
+        wsOpen: this.isWebSocketOpen(p.path),
         isHealthy: this.isConnectionHealthy(p.path)
       }));
-      const healthyCount = projects.filter((p) => p.isHealthy).length;
-      const staleCount = projects.filter((p) => p.inConnectionsMap && !p.inLiveConnections).length;
+      const healthyCount = projects.filter((p) => p.wsOpen).length;
+      const staleCount = projects.filter((p) => p.inConnectionsMap && !p.wsOpen).length;
       return {
         totalProjects: projects.length,
         healthyConnections: healthyCount,
@@ -3958,6 +5228,86 @@ var Daemon = class _Daemon {
         projects
       };
     });
+    this.ipcServer.on("verify-server-connection", async () => {
+      const config = await (0, import_core7.loadConfig)();
+      if (!config?.access_token || !config?.api_url) {
+        return {
+          verified: false,
+          error: "No authentication configured",
+          localConnected: false,
+          serverConnected: false
+        };
+      }
+      const projects = getAllProjects();
+      const localConnected = projects.some((p) => this.isWebSocketOpen(p.path));
+      let serverConnected = false;
+      let serverMachineId = null;
+      let serverError = null;
+      try {
+        const response = await fetch(`${config.api_url}/api/cli/status`, {
+          headers: {
+            "Authorization": `Bearer ${config.access_token}`,
+            "Content-Type": "application/json"
+          }
+        });
+        if (response.ok) {
+          const data = await response.json();
+          serverConnected = data.connected === true;
+          serverMachineId = data.machine_id || null;
+        } else {
+          serverError = `Server returned ${response.status}`;
+        }
+      } catch (err) {
+        serverError = err instanceof Error ? err.message : "Network error";
+      }
+      const machineMatch = serverMachineId === this.machineId;
+      return {
+        verified: true,
+        localConnected,
+        serverConnected,
+        machineMatch,
+        machineId: this.machineId,
+        serverMachineId,
+        serverError,
+        // Overall status: both local and server must agree
+        actuallyConnected: localConnected && serverConnected && machineMatch
+      };
+    });
+    this.ipcServer.on("tunnel-status", async () => {
+      const tunnelManager = getTunnelManager();
+      const tunnels = tunnelManager.getAllTunnels();
+      return { tunnels };
+    });
+    this.ipcServer.on("tunnel-stop", async (params) => {
+      const { moduleUid } = params;
+      if (!moduleUid) {
+        return { success: false, error: "Module UID is required" };
+      }
+      const tunnelManager = getTunnelManager();
+      if (!tunnelManager.hasTunnel(moduleUid)) {
+        return { success: false, error: "No tunnel found for this module" };
+      }
+      await tunnelManager.stopTunnel(moduleUid);
+      await stopDevServer(moduleUid);
+      await clearTunnelUrl(moduleUid);
+      this.lastReportedHealthStatus.delete(moduleUid);
+      this.tunnelHealthFailures.delete(moduleUid);
+      console.log(`[Daemon] EP823: Tunnel stopped for ${moduleUid}`);
+      return { success: true };
+    });
+    this.ipcServer.on("dev-server-restart", async (params) => {
+      const { moduleUid } = params;
+      if (!moduleUid) {
+        return { success: false, error: "Module UID is required" };
+      }
+      console.log(`[Daemon] EP932: Dev server restart requested for ${moduleUid}`);
+      const result = await restartDevServer(moduleUid);
+      return result;
+    });
+    this.ipcServer.on("dev-server-status", async () => {
+      const status = getDevServerStatus();
+      return { success: true, servers: status };
+    });
   }
   /**
    * Restore WebSocket connections for tracked projects
@@ -3979,6 +5329,55 @@ var Daemon = class _Daemon {
   isConnectionHealthy(projectPath) {
     return this.connections.has(projectPath) && this.liveConnections.has(projectPath);
   }
+  /**
+   * EP843: Check if a connection's WebSocket is actually open
+   *
+   * This checks the actual WebSocket state, not just our tracking Sets.
+   * More reliable than liveConnections Set which can become stale.
+   *
+   * @param projectPath - The project path to check
+   * @returns true if WebSocket exists and is in OPEN state
+   */
+  isWebSocketOpen(projectPath) {
+    const connection = this.connections.get(projectPath);
+    if (!connection) return false;
+    return connection.client.getStatus().connected;
+  }
+  /**
+   * EP843: Acquire a per-module lock for tunnel operations
+   *
+   * Prevents race conditions between:
+   * - autoStartTunnelsForProject() on auth_success
+   * - module_state_changed event handler
+   * - Multiple rapid state transitions
+   *
+   * @param moduleUid - The module UID to lock
+   * @param operation - Async operation to run while holding the lock
+   * @returns Result of the operation
+   */
+  async withTunnelLock(moduleUid, operation) {
+    const existingLock = this.tunnelOperationLocks.get(moduleUid);
+    if (existingLock) {
+      console.log(`[Daemon] EP843: Tunnel operation already in progress for ${moduleUid}, waiting...`);
+      try {
+        await existingLock;
+      } catch {
+      }
+    }
+    let releaseLock;
+    const lockPromise = new Promise((resolve2) => {
+      releaseLock = resolve2;
+    });
+    this.tunnelOperationLocks.set(moduleUid, lockPromise);
+    try {
+      return await operation();
+    } finally {
+      releaseLock();
+      if (this.tunnelOperationLocks.get(moduleUid) === lockPromise) {
+        this.tunnelOperationLocks.delete(moduleUid);
+      }
+    }
+  }
   /**
    * Connect to a project's WebSocket
    */
@@ -4004,7 +5403,7 @@ var Daemon = class _Daemon {
       console.warn(`[Daemon] Stale connection detected for ${projectPath}, forcing reconnection`);
       await this.disconnectProject(projectPath);
     }
-    const config = await (0, import_core5.loadConfig)();
+    const config = await (0, import_core7.loadConfig)();
     if (!config || !config.access_token) {
       throw new Error("No access token found. Please run: episoda auth");
     }
@@ -4018,8 +5417,8 @@ var Daemon = class _Daemon {
     const wsPort = process.env.EPISODA_WS_PORT || "3001";
     const wsUrl = `${wsProtocol}//${serverUrlObj.hostname}:${wsPort}`;
     console.log(`[Daemon] Connecting to ${wsUrl} for project ${projectId}...`);
-    const client = new import_core5.EpisodaClient();
-    const gitExecutor = new import_core5.GitExecutor();
+    const client = new import_core7.EpisodaClient();
+    const gitExecutor = new import_core7.GitExecutor();
     const connection = {
       projectId,
       projectPath,
@@ -4070,6 +5469,15 @@ var Daemon = class _Daemon {
             case "file:write":
               result = await handleFileWrite(cmd, projectPath);
               break;
+            case "file:edit":
+              result = await handleFileEdit(cmd, projectPath);
+              break;
+            case "file:delete":
+              result = await handleFileDelete(cmd, projectPath);
+              break;
+            case "file:mkdir":
+              result = await handleFileMkdir(cmd, projectPath);
+              break;
             case "file:list":
               result = await handleFileList(cmd, projectPath);
               break;
@@ -4119,7 +5527,7 @@ var Daemon = class _Daemon {
             const port = cmd.port || detectDevPort(projectPath);
             const previewUrl = `https://${cmd.moduleUid.toLowerCase()}-${cmd.projectUid.toLowerCase()}.episoda.site`;
             const reportTunnelStatus = async (data) => {
-              const config2 = await (0, import_core5.loadConfig)();
+              const config2 = await (0, import_core7.loadConfig)();
               if (config2?.access_token) {
                 try {
                   const apiUrl = config2.api_url || "https://episoda.dev";
@@ -4204,50 +5612,166 @@ var Daemon = class _Daemon {
               }
             })();
             result = {
-              success: true,
-              previewUrl
-              // Note: actual tunnel URL will be reported via API when ready
+              success: true,
+              previewUrl
+              // Note: actual tunnel URL will be reported via API when ready
+            };
+          } else if (cmd.action === "stop") {
+            await tunnelManager.stopTunnel(cmd.moduleUid);
+            await stopDevServer(cmd.moduleUid);
+            const config2 = await (0, import_core7.loadConfig)();
+            if (config2?.access_token) {
+              try {
+                const apiUrl = config2.api_url || "https://episoda.dev";
+                await fetch(`${apiUrl}/api/modules/${cmd.moduleUid}/tunnel`, {
+                  method: "DELETE",
+                  headers: {
+                    "Authorization": `Bearer ${config2.access_token}`
+                  }
+                });
+                console.log(`[Daemon] Tunnel URL cleared for ${cmd.moduleUid}`);
+              } catch {
+              }
+            }
+            result = { success: true };
+          } else {
+            result = {
+              success: false,
+              error: `Unknown tunnel action: ${cmd.action}`
+            };
+          }
+          await client.send({
+            type: "tunnel_result",
+            commandId: message.id,
+            result
+          });
+          console.log(`[Daemon] Tunnel command ${cmd.action} completed for ${cmd.moduleUid}:`, result.success ? "success" : "failed");
+        } catch (error) {
+          await client.send({
+            type: "tunnel_result",
+            commandId: message.id,
+            result: {
+              success: false,
+              error: error instanceof Error ? error.message : String(error)
+            }
+          });
+          console.error(`[Daemon] Tunnel command execution error:`, error);
+        }
+      }
+    });
+    client.on("agent_command", async (message) => {
+      if (message.type === "agent_command" && message.command) {
+        const cmd = message.command;
+        console.log(`[Daemon] EP912: Received agent command for ${projectId}:`, cmd.action);
+        client.updateActivity();
+        const createStreamingCallbacks = (sessionId, commandId) => ({
+          onChunk: async (chunk) => {
+            try {
+              await client.send({
+                type: "agent_result",
+                commandId,
+                result: { success: true, status: "chunk", sessionId, chunk }
+              });
+            } catch (sendError) {
+              console.error(`[Daemon] EP912: Failed to send chunk (WebSocket may be disconnected):`, sendError);
+            }
+          },
+          onComplete: async (claudeSessionId) => {
+            try {
+              await client.send({
+                type: "agent_result",
+                commandId,
+                result: { success: true, status: "complete", sessionId, claudeSessionId }
+              });
+            } catch (sendError) {
+              console.error(`[Daemon] EP912: Failed to send complete (WebSocket may be disconnected):`, sendError);
+            }
+          },
+          onError: async (error) => {
+            try {
+              await client.send({
+                type: "agent_result",
+                commandId,
+                result: { success: false, status: "error", sessionId, error }
+              });
+            } catch (sendError) {
+              console.error(`[Daemon] EP912: Failed to send error (WebSocket may be disconnected):`, sendError);
+            }
+          }
+        });
+        try {
+          const agentManager = getAgentManager();
+          await agentManager.initialize();
+          let result;
+          if (cmd.action === "start") {
+            const callbacks = createStreamingCallbacks(cmd.sessionId, message.id);
+            const startResult = await agentManager.startSession({
+              sessionId: cmd.sessionId,
+              moduleId: cmd.moduleId,
+              moduleUid: cmd.moduleUid,
+              projectPath,
+              message: cmd.message,
+              credentials: cmd.credentials,
+              systemPrompt: cmd.systemPrompt,
+              ...callbacks
+            });
+            result = {
+              success: startResult.success,
+              status: startResult.success ? "started" : "error",
+              sessionId: cmd.sessionId,
+              error: startResult.error
+            };
+          } else if (cmd.action === "message") {
+            const callbacks = createStreamingCallbacks(cmd.sessionId, message.id);
+            const sendResult = await agentManager.sendMessage({
+              sessionId: cmd.sessionId,
+              message: cmd.message,
+              isFirstMessage: false,
+              claudeSessionId: cmd.claudeSessionId,
+              ...callbacks
+            });
+            result = {
+              success: sendResult.success,
+              status: sendResult.success ? "started" : "error",
+              sessionId: cmd.sessionId,
+              error: sendResult.error
             };
+          } else if (cmd.action === "abort") {
+            await agentManager.abortSession(cmd.sessionId);
+            result = { success: true, status: "aborted", sessionId: cmd.sessionId };
           } else if (cmd.action === "stop") {
-            await tunnelManager.stopTunnel(cmd.moduleUid);
-            await stopDevServer(cmd.moduleUid);
-            const config2 = await (0, import_core5.loadConfig)();
-            if (config2?.access_token) {
-              try {
-                const apiUrl = config2.api_url || "https://episoda.dev";
-                await fetch(`${apiUrl}/api/modules/${cmd.moduleUid}/tunnel`, {
-                  method: "DELETE",
-                  headers: {
-                    "Authorization": `Bearer ${config2.access_token}`
-                  }
-                });
-                console.log(`[Daemon] Tunnel URL cleared for ${cmd.moduleUid}`);
-              } catch {
-              }
-            }
-            result = { success: true };
+            await agentManager.stopSession(cmd.sessionId);
+            result = { success: true, status: "complete", sessionId: cmd.sessionId };
           } else {
             result = {
               success: false,
-              error: `Unknown tunnel action: ${cmd.action}`
+              status: "error",
+              sessionId: cmd.sessionId || "unknown",
+              error: `Unknown agent action: ${cmd.action}`
             };
           }
           await client.send({
-            type: "tunnel_result",
+            type: "agent_result",
             commandId: message.id,
             result
           });
-          console.log(`[Daemon] Tunnel command ${cmd.action} completed for ${cmd.moduleUid}:`, result.success ? "success" : "failed");
+          console.log(`[Daemon] EP912: Agent command ${cmd.action} completed for session ${cmd.action === "start" || cmd.action === "message" ? cmd.sessionId : cmd.sessionId}`);
         } catch (error) {
-          await client.send({
-            type: "tunnel_result",
-            commandId: message.id,
-            result: {
-              success: false,
-              error: error instanceof Error ? error.message : String(error)
-            }
-          });
-          console.error(`[Daemon] Tunnel command execution error:`, error);
+          try {
+            await client.send({
+              type: "agent_result",
+              commandId: message.id,
+              result: {
+                success: false,
+                status: "error",
+                sessionId: cmd.sessionId || "unknown",
+                error: error instanceof Error ? error.message : String(error)
+              }
+            });
+          } catch (sendError) {
+            console.error(`[Daemon] EP912: Failed to send error result (WebSocket may be disconnected):`, sendError);
+          }
+          console.error(`[Daemon] EP912: Agent command execution error:`, error);
         }
       }
     });
@@ -4290,6 +5814,88 @@ var Daemon = class _Daemon {
         console.error(`[Daemon] EP819: Failed to auto-start tunnels:`, error);
       });
     });
+    client.on("module_state_changed", async (message) => {
+      if (message.type === "module_state_changed") {
+        const { moduleUid, state, previousState, branchName, devMode } = message;
+        console.log(`[Daemon] EP843: Module ${moduleUid} state changed: ${previousState} \u2192 ${state}`);
+        if (devMode !== "local") {
+          console.log(`[Daemon] EP843: Skipping tunnel action for ${moduleUid} (mode: ${devMode || "unknown"})`);
+          return;
+        }
+        const tunnelManager = getTunnelManager();
+        await tunnelManager.initialize();
+        await this.withTunnelLock(moduleUid, async () => {
+          const isInActiveZone = state === "ready" || state === "doing" || state === "review";
+          const wasInActiveZone = previousState === "ready" || previousState === "doing" || previousState === "review";
+          const startingWork = previousState === "ready" && state === "doing";
+          const tunnelNotRunning = !tunnelManager.hasTunnel(moduleUid);
+          const needsCrashRecovery = isInActiveZone && tunnelNotRunning;
+          if (startingWork || needsCrashRecovery) {
+            if (tunnelManager.hasTunnel(moduleUid)) {
+              console.log(`[Daemon] EP843: Tunnel already running for ${moduleUid}, skipping start`);
+              return;
+            }
+            console.log(`[Daemon] EP843: Starting tunnel for ${moduleUid} (${previousState} \u2192 ${state})`);
+            try {
+              const port = detectDevPort(projectPath);
+              const devServerResult = await ensureDevServer(projectPath, port, moduleUid);
+              if (!devServerResult.success) {
+                console.error(`[Daemon] EP843: Dev server failed for ${moduleUid}: ${devServerResult.error}`);
+                return;
+              }
+              const config2 = await (0, import_core7.loadConfig)();
+              const apiUrl = config2?.api_url || "https://episoda.dev";
+              const startResult = await tunnelManager.startTunnel({
+                moduleUid,
+                port,
+                onUrl: async (url) => {
+                  console.log(`[Daemon] EP843: Tunnel URL for ${moduleUid}: ${url}`);
+                  try {
+                    await fetchWithAuth(`${apiUrl}/api/modules/${moduleUid}/tunnel`, {
+                      method: "POST",
+                      body: JSON.stringify({ tunnel_url: url })
+                    });
+                  } catch (err) {
+                    console.warn(`[Daemon] EP843: Failed to report tunnel URL:`, err instanceof Error ? err.message : err);
+                  }
+                },
+                onStatusChange: (status, error) => {
+                  if (status === "error") {
+                    console.error(`[Daemon] EP843: Tunnel error for ${moduleUid}: ${error}`);
+                  }
+                }
+              });
+              if (startResult.success) {
+                console.log(`[Daemon] EP843: Tunnel started for ${moduleUid}`);
+              } else {
+                console.error(`[Daemon] EP843: Tunnel failed for ${moduleUid}: ${startResult.error}`);
+              }
+            } catch (error) {
+              console.error(`[Daemon] EP843: Error starting tunnel for ${moduleUid}:`, error);
+            }
+          }
+          if (state === "done" && wasInActiveZone) {
+            console.log(`[Daemon] EP933: Stopping tunnel for ${moduleUid} (${previousState} \u2192 done)`);
+            try {
+              await tunnelManager.stopTunnel(moduleUid);
+              console.log(`[Daemon] EP843: Tunnel stopped for ${moduleUid}`);
+              const config2 = await (0, import_core7.loadConfig)();
+              const apiUrl = config2?.api_url || "https://episoda.dev";
+              try {
+                await fetchWithAuth(`${apiUrl}/api/modules/${moduleUid}/tunnel`, {
+                  method: "POST",
+                  body: JSON.stringify({ tunnel_url: null })
+                });
+              } catch (err) {
+                console.warn(`[Daemon] EP843: Failed to clear tunnel URL:`, err instanceof Error ? err.message : err);
+              }
+            } catch (error) {
+              console.error(`[Daemon] EP843: Error stopping tunnel for ${moduleUid}:`, error);
+            }
+          }
+        });
+      }
+    });
     client.on("error", (message) => {
       console.error(`[Daemon] Server error for ${projectId}:`, message);
     });
@@ -4306,8 +5912,8 @@ var Daemon = class _Daemon {
       let daemonPid;
       try {
         const pidPath = getPidFilePath();
-        if (fs7.existsSync(pidPath)) {
-          const pidStr = fs7.readFileSync(pidPath, "utf-8").trim();
+        if (fs11.existsSync(pidPath)) {
+          const pidStr = fs11.readFileSync(pidPath, "utf-8").trim();
           daemonPid = parseInt(pidStr, 10);
         }
       } catch (pidError) {
@@ -4331,9 +5937,9 @@ var Daemon = class _Daemon {
         client.once("auth_error", errorHandler);
       });
       await client.connect(wsUrl, config.access_token, this.machineId, {
-        hostname: os2.hostname(),
-        osPlatform: os2.platform(),
-        osArch: os2.arch(),
+        hostname: os4.hostname(),
+        osPlatform: os4.platform(),
+        osArch: os4.arch(),
         daemonPid
       });
       console.log(`[Daemon] Successfully connected to project ${projectId}`);
@@ -4386,29 +5992,29 @@ var Daemon = class _Daemon {
    */
   async configureGitUser(projectPath, userId, workspaceId, machineId, projectId, deviceId) {
     try {
-      const { execSync: execSync3 } = await import("child_process");
-      execSync3(`git config episoda.userId ${userId}`, {
+      const { execSync: execSync6 } = await import("child_process");
+      execSync6(`git config episoda.userId ${userId}`, {
         cwd: projectPath,
         encoding: "utf8",
         stdio: "pipe"
       });
-      execSync3(`git config episoda.workspaceId ${workspaceId}`, {
+      execSync6(`git config episoda.workspaceId ${workspaceId}`, {
         cwd: projectPath,
         encoding: "utf8",
         stdio: "pipe"
       });
-      execSync3(`git config episoda.machineId ${machineId}`, {
+      execSync6(`git config episoda.machineId ${machineId}`, {
         cwd: projectPath,
         encoding: "utf8",
         stdio: "pipe"
       });
-      execSync3(`git config episoda.projectId ${projectId}`, {
+      execSync6(`git config episoda.projectId ${projectId}`, {
         cwd: projectPath,
         encoding: "utf8",
         stdio: "pipe"
       });
       if (deviceId) {
-        execSync3(`git config episoda.deviceId ${deviceId}`, {
+        execSync6(`git config episoda.deviceId ${deviceId}`, {
           cwd: projectPath,
           encoding: "utf8",
           stdio: "pipe"
@@ -4427,28 +6033,28 @@ var Daemon = class _Daemon {
    * - Main branch protection (pre-commit blocks direct commits to main)
    */
   async installGitHooks(projectPath) {
-    const hooks = ["post-checkout", "pre-commit"];
-    const hooksDir = path8.join(projectPath, ".git", "hooks");
-    if (!fs7.existsSync(hooksDir)) {
+    const hooks = ["post-checkout", "pre-commit", "post-commit"];
+    const hooksDir = path12.join(projectPath, ".git", "hooks");
+    if (!fs11.existsSync(hooksDir)) {
       console.warn(`[Daemon] Hooks directory not found: ${hooksDir}`);
       return;
     }
     for (const hookName of hooks) {
       try {
-        const hookPath = path8.join(hooksDir, hookName);
-        const bundledHookPath = path8.join(__dirname, "..", "hooks", hookName);
-        if (!fs7.existsSync(bundledHookPath)) {
+        const hookPath = path12.join(hooksDir, hookName);
+        const bundledHookPath = path12.join(__dirname, "..", "hooks", hookName);
+        if (!fs11.existsSync(bundledHookPath)) {
           console.warn(`[Daemon] Bundled hook not found: ${bundledHookPath}`);
           continue;
         }
-        const hookContent = fs7.readFileSync(bundledHookPath, "utf-8");
-        if (fs7.existsSync(hookPath)) {
-          const existingContent = fs7.readFileSync(hookPath, "utf-8");
+        const hookContent = fs11.readFileSync(bundledHookPath, "utf-8");
+        if (fs11.existsSync(hookPath)) {
+          const existingContent = fs11.readFileSync(hookPath, "utf-8");
           if (existingContent === hookContent) {
             continue;
           }
         }
-        fs7.writeFileSync(hookPath, hookContent, { mode: 493 });
+        fs11.writeFileSync(hookPath, hookContent, { mode: 493 });
         console.log(`[Daemon] Installed git hook: ${hookName}`);
       } catch (error) {
         console.warn(`[Daemon] Failed to install ${hookName} hook:`, error instanceof Error ? error.message : error);
@@ -4463,7 +6069,7 @@ var Daemon = class _Daemon {
    */
   async cacheDeviceId(deviceId) {
     try {
-      const config = await (0, import_core5.loadConfig)();
+      const config = await (0, import_core7.loadConfig)();
       if (!config) {
         console.warn("[Daemon] Cannot cache device ID - no config found");
         return;
@@ -4476,7 +6082,7 @@ var Daemon = class _Daemon {
         device_id: deviceId,
         machine_id: this.machineId
       };
-      await (0, import_core5.saveConfig)(updatedConfig);
+      await (0, import_core7.saveConfig)(updatedConfig);
       console.log(`[Daemon] Cached device ID to config: ${deviceId}`);
     } catch (error) {
       console.warn("[Daemon] Failed to cache device ID:", error instanceof Error ? error.message : error);
@@ -4491,20 +6097,14 @@ var Daemon = class _Daemon {
   async autoStartTunnelsForProject(projectPath, projectUid) {
     console.log(`[Daemon] EP819: Checking for active local modules to auto-start tunnels...`);
     try {
-      const config = await (0, import_core5.loadConfig)();
+      const config = await (0, import_core7.loadConfig)();
       if (!config?.access_token) {
         console.warn(`[Daemon] EP819: No access token, skipping tunnel auto-start`);
         return;
       }
       const apiUrl = config.api_url || "https://episoda.dev";
-      const response = await fetch(
-        `${apiUrl}/api/modules?state=doing,review&fields=id,uid,dev_mode,tunnel_url,checkout_machine_id`,
-        {
-          headers: {
-            "Authorization": `Bearer ${config.access_token}`,
-            "Content-Type": "application/json"
-          }
-        }
+      const response = await fetchWithAuth(
+        `${apiUrl}/api/modules?state=ready,doing,review&fields=id,uid,dev_mode,tunnel_url,checkout_machine_id`
       );
       if (!response.ok) {
         console.warn(`[Daemon] EP819: Failed to fetch modules: ${response.status}`);
@@ -4528,12 +6128,8 @@ var Daemon = class _Daemon {
         console.log(`[Daemon] EP819: Auto-starting tunnel for ${moduleUid} on port ${port}`);
         const reportTunnelStatus = async (statusData) => {
           try {
-            const statusResponse = await fetch(`${apiUrl}/api/modules/${moduleUid}/tunnel`, {
+            const statusResponse = await fetchWithAuth(`${apiUrl}/api/modules/${moduleUid}/tunnel`, {
               method: "POST",
-              headers: {
-                "Authorization": `Bearer ${config.access_token}`,
-                "Content-Type": "application/json"
-              },
               body: JSON.stringify(statusData)
             });
             if (statusResponse.ok) {
@@ -4546,90 +6142,80 @@ var Daemon = class _Daemon {
           }
         };
         (async () => {
-          const MAX_RETRIES = 3;
-          const RETRY_DELAY_MS = 2e3;
-          await reportTunnelStatus({
-            tunnel_started_at: (/* @__PURE__ */ new Date()).toISOString(),
-            tunnel_error: null
-          });
-          try {
-            console.log(`[Daemon] EP819: Ensuring dev server is running for ${moduleUid}...`);
-            const devServerResult = await ensureDevServer(projectPath, port, moduleUid);
-            if (!devServerResult.success) {
-              const errorMsg2 = `Dev server failed to start: ${devServerResult.error}`;
-              console.error(`[Daemon] EP819: ${errorMsg2}`);
-              await reportTunnelStatus({ tunnel_error: errorMsg2 });
+          await this.withTunnelLock(moduleUid, async () => {
+            if (tunnelManager.hasTunnel(moduleUid)) {
+              console.log(`[Daemon] EP819: Tunnel already running for ${moduleUid}, skipping auto-start`);
               return;
             }
-            console.log(`[Daemon] EP819: Dev server ready on port ${port}`);
-            let lastError;
-            for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
-              console.log(`[Daemon] EP819: Starting tunnel for ${moduleUid} (attempt ${attempt}/${MAX_RETRIES})...`);
-              const startResult = await tunnelManager.startTunnel({
-                moduleUid,
-                port,
-                onUrl: async (url) => {
-                  console.log(`[Daemon] EP819: Tunnel URL for ${moduleUid}: ${url}`);
-                  await reportTunnelStatus({
-                    tunnel_url: url,
-                    tunnel_error: null
-                  });
-                },
-                onStatusChange: (status, error) => {
-                  if (status === "error") {
-                    console.error(`[Daemon] EP819: Tunnel error for ${moduleUid}: ${error}`);
-                    reportTunnelStatus({ tunnel_error: error || "Tunnel connection error" });
-                  } else if (status === "reconnecting") {
-                    console.log(`[Daemon] EP819: Tunnel reconnecting for ${moduleUid}...`);
-                  }
-                }
-              });
-              if (startResult.success) {
-                console.log(`[Daemon] EP819: Tunnel started successfully for ${moduleUid}`);
+            const MAX_RETRIES = 3;
+            const RETRY_DELAY_MS = 2e3;
+            await reportTunnelStatus({
+              tunnel_started_at: (/* @__PURE__ */ new Date()).toISOString(),
+              tunnel_error: null
+            });
+            try {
+              console.log(`[Daemon] EP819: Ensuring dev server is running for ${moduleUid}...`);
+              const devServerResult = await ensureDevServer(projectPath, port, moduleUid);
+              if (!devServerResult.success) {
+                const errorMsg2 = `Dev server failed to start: ${devServerResult.error}`;
+                console.error(`[Daemon] EP819: ${errorMsg2}`);
+                await reportTunnelStatus({ tunnel_error: errorMsg2 });
                 return;
               }
-              lastError = startResult.error;
-              console.warn(`[Daemon] EP819: Tunnel start attempt ${attempt} failed: ${lastError}`);
-              if (attempt < MAX_RETRIES) {
-                console.log(`[Daemon] EP819: Retrying in ${RETRY_DELAY_MS}ms...`);
-                await new Promise((resolve2) => setTimeout(resolve2, RETRY_DELAY_MS));
+              console.log(`[Daemon] EP819: Dev server ready on port ${port}`);
+              let lastError;
+              for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+                console.log(`[Daemon] EP819: Starting tunnel for ${moduleUid} (attempt ${attempt}/${MAX_RETRIES})...`);
+                const startResult = await tunnelManager.startTunnel({
+                  moduleUid,
+                  port,
+                  onUrl: async (url) => {
+                    console.log(`[Daemon] EP819: Tunnel URL for ${moduleUid}: ${url}`);
+                    await reportTunnelStatus({
+                      tunnel_url: url,
+                      tunnel_error: null
+                    });
+                  },
+                  onStatusChange: (status, error) => {
+                    if (status === "error") {
+                      console.error(`[Daemon] EP819: Tunnel error for ${moduleUid}: ${error}`);
+                      reportTunnelStatus({ tunnel_error: error || "Tunnel connection error" });
+                    } else if (status === "reconnecting") {
+                      console.log(`[Daemon] EP819: Tunnel reconnecting for ${moduleUid}...`);
+                    }
+                  }
+                });
+                if (startResult.success) {
+                  console.log(`[Daemon] EP819: Tunnel started successfully for ${moduleUid}`);
+                  return;
+                }
+                lastError = startResult.error;
+                console.warn(`[Daemon] EP819: Tunnel start attempt ${attempt} failed: ${lastError}`);
+                if (attempt < MAX_RETRIES) {
+                  console.log(`[Daemon] EP819: Retrying in ${RETRY_DELAY_MS}ms...`);
+                  await new Promise((resolve2) => setTimeout(resolve2, RETRY_DELAY_MS));
+                }
               }
+              const errorMsg = `Tunnel failed after ${MAX_RETRIES} attempts: ${lastError}`;
+              console.error(`[Daemon] EP819: ${errorMsg}`);
+              await reportTunnelStatus({ tunnel_error: errorMsg });
+            } catch (error) {
+              const errorMsg = error instanceof Error ? error.message : String(error);
+              console.error(`[Daemon] EP819: Async tunnel startup error:`, error);
+              await reportTunnelStatus({ tunnel_error: errorMsg });
             }
-            const errorMsg = `Tunnel failed after ${MAX_RETRIES} attempts: ${lastError}`;
-            console.error(`[Daemon] EP819: ${errorMsg}`);
-            await reportTunnelStatus({ tunnel_error: errorMsg });
-          } catch (error) {
-            const errorMsg = error instanceof Error ? error.message : String(error);
-            console.error(`[Daemon] EP819: Async tunnel startup error:`, error);
-            await reportTunnelStatus({ tunnel_error: `Unexpected error: ${errorMsg}` });
-          }
+          });
         })();
       }
     } catch (error) {
       console.error(`[Daemon] EP819: Error auto-starting tunnels:`, error);
     }
   }
-  /**
-   * EP822: Start periodic tunnel polling
-   *
-   * Polls every 30 seconds to detect module state changes and manage tunnels:
-   * - Start tunnels for modules entering doing/review state
-   * - Stop tunnels for modules leaving doing/review state
-   */
-  startTunnelPolling() {
-    if (this.tunnelPollInterval) {
-      console.log("[Daemon] EP822: Tunnel polling already running");
-      return;
-    }
-    console.log(`[Daemon] EP822: Starting tunnel polling (every ${_Daemon.TUNNEL_POLL_INTERVAL_MS / 1e3}s)`);
-    this.tunnelPollInterval = setInterval(() => {
-      this.syncTunnelsWithActiveModules().catch((error) => {
-        console.error("[Daemon] EP822: Tunnel sync error:", error);
-      });
-    }, _Daemon.TUNNEL_POLL_INTERVAL_MS);
-  }
+  // EP843: startTunnelPolling() removed - replaced by push-based state sync
+  // See module_state_changed handler for the new implementation
   /**
    * EP822: Stop periodic tunnel polling
+   * EP843: Kept for cleanup during shutdown, but interval is never started
    */
   stopTunnelPolling() {
     if (this.tunnelPollInterval) {
@@ -4638,139 +6224,376 @@ var Daemon = class _Daemon {
       console.log("[Daemon] EP822: Tunnel polling stopped");
     }
   }
+  /**
+   * EP929: Start health check polling
+   *
+   * Restored from EP843 removal. Health checks run every 60 seconds to:
+   * - Verify running tunnels are still responsive
+   * - Detect dead tunnels that haven't been cleaned up
+   * - Auto-restart unhealthy tunnels after consecutive failures
+   *
+   * This is orthogonal to the push-based state sync (module_state_changed events).
+   * State sync handles start/stop based on module transitions.
+   * Health checks handle detecting and recovering from tunnel crashes.
+   */
+  startHealthCheckPolling() {
+    if (this.healthCheckInterval) {
+      console.log("[Daemon] EP929: Health check polling already running");
+      return;
+    }
+    console.log(`[Daemon] EP929: Starting health check polling (every ${_Daemon.HEALTH_CHECK_INTERVAL_MS / 1e3}s)`);
+    this.healthCheckInterval = setInterval(async () => {
+      if (this.healthCheckInProgress) {
+        console.log("[Daemon] EP929: Health check still in progress, skipping");
+        return;
+      }
+      this.healthCheckInProgress = true;
+      try {
+        const config = await (0, import_core7.loadConfig)();
+        if (config?.access_token) {
+          await this.performHealthChecks(config);
+        }
+      } catch (error) {
+        console.error("[Daemon] EP929: Health check error:", error instanceof Error ? error.message : error);
+      } finally {
+        this.healthCheckInProgress = false;
+      }
+    }, _Daemon.HEALTH_CHECK_INTERVAL_MS);
+  }
+  /**
+   * EP929: Stop health check polling
+   */
+  stopHealthCheckPolling() {
+    if (this.healthCheckInterval) {
+      clearInterval(this.healthCheckInterval);
+      this.healthCheckInterval = null;
+      console.log("[Daemon] EP929: Health check polling stopped");
+    }
+  }
   /**
    * EP822: Clean up orphaned tunnels from previous daemon runs
+   * EP904: Enhanced to aggressively clean ALL cloudflared processes then restart
+   *        tunnels for qualifying modules (doing/review state, dev_mode=local)
    *
    * When the daemon crashes or is killed, tunnels may continue running.
-   * This method stops any tunnels that are running but shouldn't be,
-   * ensuring a clean slate on startup.
+   * This method:
+   * 1. Kills ALL cloudflared processes (aggressive cleanup for clean slate)
+   * 2. Queries API for modules that should have tunnels
+   * 3. Restarts tunnels for qualifying modules
    */
   async cleanupOrphanedTunnels() {
     try {
       const tunnelManager = getTunnelManager();
+      await tunnelManager.initialize();
       const runningTunnels = tunnelManager.getAllTunnels();
-      if (runningTunnels.length === 0) {
-        return;
-      }
-      console.log(`[Daemon] EP822: Found ${runningTunnels.length} orphaned tunnel(s) from previous run, cleaning up...`);
-      for (const tunnel of runningTunnels) {
-        try {
-          await tunnelManager.stopTunnel(tunnel.moduleUid);
-          await stopDevServer(tunnel.moduleUid);
-          console.log(`[Daemon] EP822: Cleaned up orphaned tunnel for ${tunnel.moduleUid}`);
-        } catch (error) {
-          console.error(`[Daemon] EP822: Failed to clean up tunnel for ${tunnel.moduleUid}:`, error);
+      if (runningTunnels.length > 0) {
+        console.log(`[Daemon] EP904: Stopping ${runningTunnels.length} tracked tunnel(s)...`);
+        for (const tunnel of runningTunnels) {
+          try {
+            await tunnelManager.stopTunnel(tunnel.moduleUid);
+            await stopDevServer(tunnel.moduleUid);
+          } catch (error) {
+            console.error(`[Daemon] EP904: Failed to stop tunnel for ${tunnel.moduleUid}:`, error);
+          }
         }
       }
-      console.log("[Daemon] EP822: Orphaned tunnel cleanup complete");
+      const cleanup = await tunnelManager.cleanupOrphanedProcesses();
+      if (cleanup.cleaned > 0) {
+        console.log(`[Daemon] EP904: Killed ${cleanup.cleaned} orphaned cloudflared process(es)`);
+      }
+      console.log("[Daemon] EP904: Orphaned tunnel cleanup complete - clean slate ready");
     } catch (error) {
-      console.error("[Daemon] EP822: Failed to clean up orphaned tunnels:", error);
+      console.error("[Daemon] EP904: Failed to clean up orphaned tunnels:", error);
     }
   }
+  // EP843: syncTunnelsWithActiveModules() removed - replaced by push-based state sync
+  // See module_state_changed handler for the new implementation
   /**
-   * EP822: Sync tunnels with active modules
-   *
-   * Compares running tunnels against modules in doing/review state.
-   * - Starts tunnels for modules that need them
-   * - Stops tunnels for modules that left active zone
-   *
-   * Fixes from peer review:
-   * - Backpressure guard prevents concurrent syncs
-   * - Uses deviceId (UUID) instead of machineId (string) for machine comparison
-   * - Groups modules by project_id for correct multi-project routing
+   * EP833: Perform health checks on all running tunnels
+   * Checks both tunnel URL and local dev server responsiveness
    */
-  async syncTunnelsWithActiveModules() {
-    if (this.tunnelSyncInProgress) {
-      console.log("[Daemon] EP822: Sync already in progress, skipping");
+  async performHealthChecks(config) {
+    const tunnelManager = getTunnelManager();
+    const runningTunnels = tunnelManager.getAllTunnels();
+    if (runningTunnels.length === 0) {
       return;
     }
-    if (this.liveConnections.size === 0) {
-      return;
+    const apiUrl = config.api_url || "https://episoda.dev";
+    for (const tunnel of runningTunnels) {
+      if (tunnel.status !== "connected") {
+        continue;
+      }
+      const isHealthy = await this.checkTunnelHealth(tunnel);
+      if (isHealthy) {
+        this.tunnelHealthFailures.delete(tunnel.moduleUid);
+        await this.reportTunnelHealth(tunnel.moduleUid, "healthy", config);
+      } else {
+        const failures = (this.tunnelHealthFailures.get(tunnel.moduleUid) || 0) + 1;
+        this.tunnelHealthFailures.set(tunnel.moduleUid, failures);
+        console.log(`[Daemon] EP833: Health check failed for ${tunnel.moduleUid} (${failures}/${_Daemon.HEALTH_CHECK_FAILURE_THRESHOLD})`);
+        if (failures >= _Daemon.HEALTH_CHECK_FAILURE_THRESHOLD) {
+          console.log(`[Daemon] EP833: Tunnel unhealthy for ${tunnel.moduleUid}, restarting...`);
+          await this.withTunnelLock(tunnel.moduleUid, async () => {
+            await this.restartTunnel(tunnel.moduleUid, tunnel.port);
+          });
+          this.tunnelHealthFailures.delete(tunnel.moduleUid);
+          await this.reportTunnelHealth(tunnel.moduleUid, "unhealthy", config);
+        }
+      }
+    }
+  }
+  /**
+   * EP833: Check if a tunnel is healthy
+   * Verifies both the tunnel URL and local dev server respond
+   */
+  async checkTunnelHealth(tunnel) {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), _Daemon.HEALTH_CHECK_TIMEOUT_MS);
+      const response = await fetch(tunnel.url, {
+        method: "HEAD",
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (response.status >= 500) {
+        console.log(`[Daemon] EP833: Tunnel URL returned ${response.status} for ${tunnel.moduleUid}`);
+        return false;
+      }
+    } catch (error) {
+      console.log(`[Daemon] EP833: Tunnel URL unreachable for ${tunnel.moduleUid}:`, error instanceof Error ? error.message : error);
+      return false;
+    }
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2e3);
+      const localResponse = await fetch(`http://localhost:${tunnel.port}`, {
+        method: "HEAD",
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (localResponse.status >= 500) {
+        console.log(`[Daemon] EP833: Local dev server returned ${localResponse.status} for ${tunnel.moduleUid}`);
+        return false;
+      }
+    } catch (error) {
+      console.log(`[Daemon] EP833: Local dev server unreachable for ${tunnel.moduleUid}:`, error instanceof Error ? error.message : error);
+      return false;
     }
-    this.tunnelSyncInProgress = true;
+    return true;
+  }
+  /**
+   * EP833: Restart a failed tunnel
+   * EP932: Now uses restartDevServer() for robust dev server restart with auto-restart
+   */
+  async restartTunnel(moduleUid, port) {
+    const tunnelManager = getTunnelManager();
     try {
-      const config = await (0, import_core5.loadConfig)();
+      await tunnelManager.stopTunnel(moduleUid);
+      const config = await (0, import_core7.loadConfig)();
       if (!config?.access_token) {
+        console.error(`[Daemon] EP833: No access token for tunnel restart`);
         return;
       }
       const apiUrl = config.api_url || "https://episoda.dev";
-      const tunnelManager = getTunnelManager();
-      const runningTunnels = tunnelManager.getAllTunnels();
-      const runningModuleUids = new Set(runningTunnels.map((t) => t.moduleUid));
-      const response = await fetch(
-        `${apiUrl}/api/modules?state=doing,review&fields=id,uid,dev_mode,tunnel_url,checkout_machine_id,project_id`,
-        {
-          headers: {
-            "Authorization": `Bearer ${config.access_token}`,
-            "Content-Type": "application/json"
-          }
-        }
-      );
-      if (!response.ok) {
-        console.warn(`[Daemon] EP822: Failed to fetch modules: ${response.status}`);
-        return;
-      }
-      const data = await response.json();
-      const modules = data.modules || [];
-      const activeLocalModules = modules.filter(
-        (m) => m.dev_mode === "local" && (!m.checkout_machine_id || m.checkout_machine_id === this.deviceId)
-      );
-      const activeModuleUids = new Set(activeLocalModules.map((m) => m.uid));
-      const modulesNeedingTunnel = activeLocalModules.filter(
-        (m) => !runningModuleUids.has(m.uid)
-      );
-      const tunnelsToStop = runningTunnels.filter(
-        (t) => !activeModuleUids.has(t.moduleUid)
-      );
-      if (modulesNeedingTunnel.length > 0) {
-        console.log(`[Daemon] EP822: Starting tunnels for ${modulesNeedingTunnel.length} module(s)`);
-        const modulesByProject = /* @__PURE__ */ new Map();
-        for (const module2 of modulesNeedingTunnel) {
-          const projectId = module2.project_id;
-          if (!projectId) continue;
-          if (!modulesByProject.has(projectId)) {
-            modulesByProject.set(projectId, []);
+      const devServerResult = await restartDevServer(moduleUid);
+      if (!devServerResult.success) {
+        console.log(`[Daemon] EP932: No tracked server for ${moduleUid}, looking up project...`);
+        let projectId = null;
+        try {
+          const moduleResponse = await fetchWithAuth(`${apiUrl}/api/modules/${moduleUid}`);
+          if (moduleResponse.ok) {
+            const moduleData = await moduleResponse.json();
+            projectId = moduleData.moduleRecord?.project_id ?? null;
           }
-          modulesByProject.get(projectId).push(module2);
+        } catch (e) {
+          console.warn(`[Daemon] EP833: Failed to fetch module details for project lookup`);
         }
         const trackedProjects = getAllProjects();
-        for (const [projectId, projectModules] of modulesByProject) {
-          const project = trackedProjects.find((p) => p.id === projectId);
-          if (project) {
-            console.log(`[Daemon] EP822: Starting ${projectModules.length} tunnel(s) for project ${projectId}`);
-            await this.autoStartTunnelsForProject(project.path, project.id);
-          } else {
-            console.warn(`[Daemon] EP822: Project ${projectId} not tracked locally, skipping ${projectModules.length} module(s)`);
+        let project = projectId ? trackedProjects.find((p) => p.id === projectId) : trackedProjects[0];
+        if (!project && trackedProjects.length > 0) {
+          project = trackedProjects[0];
+          console.warn(`[Daemon] EP833: Could not find project ${projectId}, using fallback`);
+        }
+        if (!project) {
+          console.error(`[Daemon] EP833: No project found for tunnel restart`);
+          return;
+        }
+        const { isPortInUse: isPortInUse2 } = await Promise.resolve().then(() => (init_port_check(), port_check_exports));
+        if (await isPortInUse2(port)) {
+          console.log(`[Daemon] EP932: Port ${port} in use, checking health...`);
+          const healthy = await isDevServerHealthy(port);
+          if (!healthy) {
+            console.log(`[Daemon] EP932: Dev server on port ${port} is not responding, killing process...`);
+            await killProcessOnPort(port);
           }
         }
+        const startResult2 = await ensureDevServer(project.path, port, moduleUid);
+        if (!startResult2.success) {
+          console.error(`[Daemon] EP932: Failed to start dev server: ${startResult2.error}`);
+          return;
+        }
       }
-      if (tunnelsToStop.length > 0) {
-        console.log(`[Daemon] EP822: Stopping ${tunnelsToStop.length} orphaned tunnel(s)`);
-        for (const tunnel of tunnelsToStop) {
+      console.log(`[Daemon] EP932: Dev server ready, restarting tunnel for ${moduleUid}...`);
+      const startResult = await tunnelManager.startTunnel({
+        moduleUid,
+        port,
+        onUrl: async (url) => {
+          console.log(`[Daemon] EP833: Tunnel restarted for ${moduleUid}: ${url}`);
           try {
-            await tunnelManager.stopTunnel(tunnel.moduleUid);
-            await stopDevServer(tunnel.moduleUid);
-            try {
-              await fetch(`${apiUrl}/api/modules/${tunnel.moduleUid}/tunnel`, {
-                method: "DELETE",
-                headers: {
-                  "Authorization": `Bearer ${config.access_token}`
-                }
-              });
-              console.log(`[Daemon] EP822: Tunnel stopped and cleared for ${tunnel.moduleUid}`);
-            } catch {
-            }
-          } catch (error) {
-            console.error(`[Daemon] EP822: Failed to stop tunnel for ${tunnel.moduleUid}:`, error);
+            await fetchWithAuth(`${apiUrl}/api/modules/${moduleUid}/tunnel`, {
+              method: "POST",
+              body: JSON.stringify({
+                tunnel_url: url,
+                tunnel_error: null
+              })
+            });
+          } catch (e) {
+            console.warn(`[Daemon] EP833: Failed to report restarted tunnel URL`);
           }
         }
+      });
+      if (startResult.success) {
+        console.log(`[Daemon] EP833: Tunnel restart successful for ${moduleUid}`);
+      } else {
+        console.error(`[Daemon] EP833: Tunnel restart failed for ${moduleUid}: ${startResult.error}`);
       }
     } catch (error) {
-      console.error("[Daemon] EP822: Error syncing tunnels:", error);
-    } finally {
-      this.tunnelSyncInProgress = false;
+      console.error(`[Daemon] EP833: Error restarting tunnel for ${moduleUid}:`, error);
+    }
+  }
+  /**
+   * EP833: Report tunnel health status to the API
+   * EP904: Use fetchWithAuth for token refresh
+   * EP911: Only report when status CHANGES to reduce DB writes
+   */
+  async reportTunnelHealth(moduleUid, healthStatus, config) {
+    if (!config.access_token) {
+      return;
+    }
+    const lastStatus = this.lastReportedHealthStatus.get(moduleUid);
+    if (lastStatus === healthStatus) {
+      return;
+    }
+    const apiUrl = config.api_url || "https://episoda.dev";
+    try {
+      await fetchWithAuth(`${apiUrl}/api/modules/${moduleUid}/health`, {
+        method: "PATCH",
+        body: JSON.stringify({
+          tunnel_health_status: healthStatus,
+          tunnel_last_health_check: (/* @__PURE__ */ new Date()).toISOString()
+        })
+      });
+      this.lastReportedHealthStatus.set(moduleUid, healthStatus);
+    } catch (error) {
+      console.warn(`[Daemon] EP833: Failed to report health for ${moduleUid}:`, error instanceof Error ? error.message : error);
+    }
+  }
+  /**
+   * EP833: Kill processes matching a pattern
+   * Used to clean up orphaned cloudflared processes
+   */
+  async killProcessesByPattern(pattern) {
+    const { exec } = await import("child_process");
+    const { promisify } = await import("util");
+    const execAsync = promisify(exec);
+    try {
+      const { stdout } = await execAsync(`pgrep -f "${pattern}"`);
+      const pids = stdout.trim().split("\n").filter(Boolean);
+      if (pids.length === 0) {
+        return 0;
+      }
+      let killed = 0;
+      for (const pid of pids) {
+        try {
+          await execAsync(`kill ${pid}`);
+          killed++;
+        } catch {
+        }
+      }
+      if (killed > 0) {
+        console.log(`[Daemon] EP833: Killed ${killed} process(es) matching: ${pattern}`);
+      }
+      return killed;
+    } catch {
+      return 0;
     }
   }
+  /**
+   * EP833: Kill process using a specific port
+   * Used to clean up dev servers when stopping tunnels
+   */
+  async killProcessOnPort(port) {
+    const { exec } = await import("child_process");
+    const { promisify } = await import("util");
+    const execAsync = promisify(exec);
+    try {
+      const { stdout } = await execAsync(`lsof -ti :${port}`);
+      const pids = stdout.trim().split("\n").filter(Boolean);
+      if (pids.length === 0) {
+        return false;
+      }
+      let killed = false;
+      for (const pid of pids) {
+        try {
+          await execAsync(`kill ${pid}`);
+          killed = true;
+        } catch {
+        }
+      }
+      if (killed) {
+        console.log(`[Daemon] EP833: Killed process(es) on port ${port}`);
+      }
+      return killed;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * EP833: Find orphaned cloudflared processes
+   * Returns process info for cloudflared processes not tracked by TunnelManager
+   */
+  async findOrphanedCloudflaredProcesses() {
+    const { exec } = await import("child_process");
+    const { promisify } = await import("util");
+    const execAsync = promisify(exec);
+    try {
+      const { stdout } = await execAsync("ps aux | grep cloudflared | grep -v grep");
+      const lines = stdout.trim().split("\n").filter(Boolean);
+      const tunnelManager = getTunnelManager();
+      const trackedModules = new Set(tunnelManager.getAllTunnels().map((t) => t.moduleUid));
+      const orphaned = [];
+      for (const line of lines) {
+        const parts = line.trim().split(/\s+/);
+        const pid = parts[1];
+        if (pid) {
+          orphaned.push({ pid });
+        }
+      }
+      if (orphaned.length > trackedModules.size) {
+        console.log(`[Daemon] EP833: Found ${orphaned.length} cloudflared processes but only ${trackedModules.size} tracked tunnels`);
+      }
+      return orphaned.length > trackedModules.size ? orphaned : [];
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * EP833: Clean up orphaned cloudflared processes
+   * Called during sync to ensure no zombie tunnels are running
+   */
+  async cleanupOrphanedCloudflaredProcesses() {
+    const orphaned = await this.findOrphanedCloudflaredProcesses();
+    if (orphaned.length === 0) {
+      return;
+    }
+    console.log(`[Daemon] EP833: Cleaning up ${orphaned.length} potentially orphaned cloudflared process(es)`);
+    const killed = await this.killProcessesByPattern("cloudflared tunnel");
+    if (killed > 0) {
+      console.log(`[Daemon] EP833: Cleaned up ${killed} orphaned cloudflared process(es)`);
+    }
+  }
+  // EP843: syncLocalCommits() removed - replaced by GitHub webhook push handler
+  // See /api/webhooks/github handlePushEvent() for the new implementation
   /**
    * Gracefully shutdown daemon
    */
@@ -4779,6 +6602,7 @@ var Daemon = class _Daemon {
     this.shuttingDown = true;
     console.log("[Daemon] Shutting down...");
     this.stopTunnelPolling();
+    this.stopHealthCheckPolling();
     for (const [projectPath, connection] of this.connections) {
       if (connection.reconnectTimer) {
         clearTimeout(connection.reconnectTimer);
@@ -4793,6 +6617,13 @@ var Daemon = class _Daemon {
     } catch (error) {
       console.error("[Daemon] Failed to stop tunnels:", error);
     }
+    try {
+      const agentManager = getAgentManager();
+      await agentManager.stopAllSessions();
+      console.log("[Daemon] All agent sessions stopped");
+    } catch (error) {
+      console.error("[Daemon] Failed to stop agent sessions:", error);
+    }
     await this.ipcServer.stop();
     console.log("[Daemon] Shutdown complete");
   }
@@ -4804,8 +6635,8 @@ var Daemon = class _Daemon {
     await this.shutdown();
     try {
       const pidPath = getPidFilePath();
-      if (fs7.existsSync(pidPath)) {
-        fs7.unlinkSync(pidPath);
+      if (fs11.existsSync(pidPath)) {
+        fs11.unlinkSync(pidPath);
         console.log("[Daemon] PID file cleaned up");
       }
     } catch (error) {