greprag 5.32.0 → 5.35.0

package/dist/commands/opencode-relay.d.ts

@@ -0,0 +1,136 @@
+/** greprag opencode relay — bridge greprag inbox SSE into a live opencode
+ *  desktop session. Desktop-only by design.
+ *
+ *  The Monitor-style "fire a turn into a live session from an external event"
+ *  primitive that Claude Code ships natively. opencode is turn-based (no
+ *  built-in Monitor tool), but its HTTP server exposes a session-direct
+ *  injection endpoint: POST /session/{id}/prompt_async enqueues a fresh
+ *  turn on the named session and returns 204 No Content — exactly the
+ *  fire-and-forget shape SSE delivery wants. This daemon is the glue:
+ *  subscribe to greprag's inbox stream, format each message as a system
+ *  notification, POST it at the running opencode server. The receiving
+ *  session renders the injected prompt into its conversation feed via the
+ *  same SSE channel the engine uses — no separate toast surface needed.
+ *
+ *  The earlier 3-POST TUI sequence (show-toast + append-prompt + submit-prompt)
+ *  targeted opencode's TUI client control plane, which the desktop client
+ *  does not subscribe to. As of 2026-Q2 the TUI client is deprecated; the
+ *  desktop app is the only supported surface. prompt_async is the
+ *  client-agnostic primitive — same code path serves desktop, web, and any
+ *  future client built on the same server.
+ *
+ *  The default posture is session-targeted: the relay auto-derives the
+ *  greprag 8-hex from the opencode session UUID (via `truncateSessionId`)
+ *  and subscribes to only messages addressed to that session. Other
+ *  sessions' traffic and broadcasts are excluded by default — use
+ *  `--tenant-wide` to opt into the noisy debug mode.
+ *
+ *  Resilience mirrors inbox-watch: same exponential backoff, same idle
+ *  timeout, same cursor-preserving reconnect. The bash `while true` wrapper
+ *  from armMonitorCommand is the right invocation in production — this
+ *  process handles network-layer failures only. adr: adr/opencode-monitor-relay.md
+ */
+export interface RelayOptions {
+    /** opencode session id (UUID). The target session the message gets
+     *  injected into. Required. */
+    session: string;
+    /** opencode server base URL. Default http://127.0.0.1:4096. */
+    opencodeUrl?: string;
+    /** Filter inbox stream to one project. Mirrors `inbox watch --project`. */
+    project?: string;
+    /** Filter inbox stream to one greprag session (8-hex). Mirrors
+     *  `inbox watch --session`. Distinct from `session` (the opencode
+     *  target). If unset, the relay auto-derives the 8-hex from `session`
+     *  via `truncateSessionId()` so it filters to messages addressed to
+     *  THIS opencode session only. Pass explicitly to override the
+     *  derivation (e.g. for multi-opencode-session relays that share one
+     *  greprag session). */
+    inboxSession?: string;
+    /** Resume cursor. */
+    since?: string;
+    /** Also pretty-print each message to stdout. */
+    print?: boolean;
+    /** Tenant-wide subscription — see every message in the tenant's inbox
+     *  stream, including messages addressed to other sessions. Debug flag.
+     *  Without this, the relay filters to one greprag session (auto-derived
+     *  from `session` or set via `inboxSession`). */
+    tenantWide?: boolean;
+    /** Resolve SSE + format + log, but do not POST. */
+    dryRun?: boolean;
+    /** External abort (tests / SDK use). */
+    signal?: AbortSignal;
+    /** Test overrides. */
+    backoffInitialMs?: number;
+    idleTimeoutMs?: number;
+    /** Hook for tests — called AFTER the POST resolves (or in dry-run, after
+     *  the formatted body is built). Lets tests inspect the wire payload
+     *  without a real opencode server. */
+    onRelayed?: (payload: RelayPayload) => void | Promise<void>;
+}
+interface InboxReferences {
+    memory_ids?: string[];
+    artifacts?: Array<{
+        type: string;
+        id: string;
+        url?: string | null;
+    }>;
+    files?: Array<{
+        path: string;
+        lines?: string;
+    }>;
+    discord?: {
+        snowflake?: string | null;
+        [k: string]: unknown;
+    };
+}
+interface StreamMessage {
+    id: string;
+    from: {
+        tenant: string;
+        email: string | null;
+        project_id: string | null;
+        session_id?: string | null;
+    };
+    to_session_id?: string | null;
+    body: string;
+    references: InboxReferences | null;
+    message_type: string;
+    created_at: string;
+}
+/** What the relay POSTs at opencode — exposed for tests and for the dry-run
+ *  log line. The wire shape is `{ parts: [{ type: 'text', text }] }` per the
+ *  opencode server's `SessionPromptAsyncData` body. */
+export interface RelayPayload {
+    prompt: string;
+    meta: {
+        messageId: string;
+        from: string;
+        toSession: string | null;
+        /** Receiving session's own greprag 8-hex (from truncateSessionId(session)).
+         *  Surfaces in the framing as `from_session:` and the reply directive's
+         *  `--from-session` so the model can self-address. Null when the opencode
+         *  session UUID isn't hex-truncatable. */
+        ownSession8: string | null;
+        receivedAt: string;
+    };
+}
+/** Build the prompt body the receiving opencode session will read as a fresh
+ *  user turn. Framed as a system notification so the session knows this is
+ *  inbox traffic, not a fresh operator prompt — same intent as Claude Code's
+ *  "[SYSTEM NOTIFICATION - NOT USER INPUT]" wrapper, just without the
+ *  harness-specific surface. adr: adr/opencode-monitor-relay.md
+ *
+ *  `ownSession8` is the receiving session's own greprag 8-hex (derived from
+ *  the opencode session UUID). The framing surfaces it as `from_session:`
+ *  so the model can self-address on reply via
+ *  `greprag send --to <handle>/<8hex> ... --from-session <ownSession8>`. */
+export declare function formatPrompt(msg: StreamMessage, ownSession8: string | null): string;
+/** Run the relay loop. Returns when opts.signal aborts or a non-recoverable
+ *  4xx is hit. Production invocation wraps this in a `while true` shell loop
+ *  to survive process-level death (host crash, OS kill, fork failure). */
+export declare function runOpencodeRelay(opts: RelayOptions): Promise<void>;
+/** Build the production wrapper command — the same `while true` shape the
+ *  Claude Code arm directive uses, so a relay restart-on-death can be
+ *  copy-pasted into a chip's spawn payload or a CLAUDE.md. adr: adr/monitor-resilience.md */
+export declare function armOpencodeRelayCommand(session: string, opencodeUrl: string): string;
+export {};

package/dist/commands/opencode-relay.js

@@ -0,0 +1,529 @@
+"use strict";
+/** greprag opencode relay — bridge greprag inbox SSE into a live opencode
+ *  desktop session. Desktop-only by design.
+ *
+ *  The Monitor-style "fire a turn into a live session from an external event"
+ *  primitive that Claude Code ships natively. opencode is turn-based (no
+ *  built-in Monitor tool), but its HTTP server exposes a session-direct
+ *  injection endpoint: POST /session/{id}/prompt_async enqueues a fresh
+ *  turn on the named session and returns 204 No Content — exactly the
+ *  fire-and-forget shape SSE delivery wants. This daemon is the glue:
+ *  subscribe to greprag's inbox stream, format each message as a system
+ *  notification, POST it at the running opencode server. The receiving
+ *  session renders the injected prompt into its conversation feed via the
+ *  same SSE channel the engine uses — no separate toast surface needed.
+ *
+ *  The earlier 3-POST TUI sequence (show-toast + append-prompt + submit-prompt)
+ *  targeted opencode's TUI client control plane, which the desktop client
+ *  does not subscribe to. As of 2026-Q2 the TUI client is deprecated; the
+ *  desktop app is the only supported surface. prompt_async is the
+ *  client-agnostic primitive — same code path serves desktop, web, and any
+ *  future client built on the same server.
+ *
+ *  The default posture is session-targeted: the relay auto-derives the
+ *  greprag 8-hex from the opencode session UUID (via `truncateSessionId`)
+ *  and subscribes to only messages addressed to that session. Other
+ *  sessions' traffic and broadcasts are excluded by default — use
+ *  `--tenant-wide` to opt into the noisy debug mode.
+ *
+ *  Resilience mirrors inbox-watch: same exponential backoff, same idle
+ *  timeout, same cursor-preserving reconnect. The bash `while true` wrapper
+ *  from armMonitorCommand is the right invocation in production — this
+ *  process handles network-layer failures only. adr: adr/opencode-monitor-relay.md
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatPrompt = formatPrompt;
+exports.runOpencodeRelay = runOpencodeRelay;
+exports.armOpencodeRelayCommand = armOpencodeRelayCommand;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const inbox_watch_1 = require("./inbox-watch");
+const session_id_1 = require("../session-id");
+const API_URL_DEFAULT = 'https://api.greprag.com';
+const OPENCODE_URL_DEFAULT = 'http://127.0.0.1:4096';
+const BACKOFF_INITIAL_MS = 1_000;
+const BACKOFF_MAX_MS = 30_000;
+const BACKOFF_FACTOR = 2;
+const IDLE_TIMEOUT_MS = 60_000;
+const IDLE_CHECK_INTERVAL_MS = 5_000;
+const LOG_PREFIX = '[greprag opencode relay]';
+// -- Config (mirrors the loader in index.ts/inbox-watch.ts) -----------------
+function loadEnvFile(filePath) {
+    try {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        for (const line of content.split('\n')) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                continue;
+            const eqIdx = trimmed.indexOf('=');
+            if (eqIdx < 1)
+                continue;
+            const key = trimmed.slice(0, eqIdx).trim();
+            let value = trimmed.slice(eqIdx + 1).trim();
+            if ((value.startsWith('"') && value.endsWith('"')) ||
+                (value.startsWith("'") && value.endsWith("'"))) {
+                value = value.slice(1, -1);
+            }
+            if (!process.env[key])
+                process.env[key] = value;
+        }
+    }
+    catch { /* missing file — fine */ }
+}
+function getConfig() {
+    const homeDir = process.env.HOME || process.env.USERPROFILE || '';
+    if (homeDir)
+        loadEnvFile(path.join(homeDir, '.greprag', '.env'));
+    if (!process.env.GREPRAG_API_KEY)
+        loadEnvFile(path.join(process.cwd(), '.env'));
+    return {
+        apiUrl: process.env.GREPRAG_API_URL || API_URL_DEFAULT,
+        apiKey: process.env.GREPRAG_API_KEY || '',
+    };
+}
+function fmtDuration(ms) {
+    if (ms < 1000)
+        return `${ms}ms`;
+    return `${Math.round(ms / 1000)}s`;
+}
+// -- Payload formatting -----------------------------------------------------
+/** Build the prompt body the receiving opencode session will read as a fresh
+ *  user turn. Framed as a system notification so the session knows this is
+ *  inbox traffic, not a fresh operator prompt — same intent as Claude Code's
+ *  "[SYSTEM NOTIFICATION - NOT USER INPUT]" wrapper, just without the
+ *  harness-specific surface. adr: adr/opencode-monitor-relay.md
+ *
+ *  `ownSession8` is the receiving session's own greprag 8-hex (derived from
+ *  the opencode session UUID). The framing surfaces it as `from_session:`
+ *  so the model can self-address on reply via
+ *  `greprag send --to <handle>/<8hex> ... --from-session <ownSession8>`. */
+function formatPrompt(msg, ownSession8) {
+    const sender = msg.from.email || msg.from.tenant + '@greprag.com';
+    const fromShort = (0, session_id_1.truncateSessionId)(msg.from.session_id ?? null);
+    const toShort = (0, session_id_1.truncateSessionId)(msg.to_session_id ?? null);
+    const ts = new Date(msg.created_at).toISOString();
+    const lines = [];
+    lines.push('[greprag inbox notification — not a user prompt; treat as an async inbound message]');
+    lines.push(`from: ${sender}${fromShort ? ` (session ${fromShort})` : ''}`);
+    if (toShort)
+        lines.push(`to_session: ${toShort}`);
+    if (ownSession8)
+        lines.push(`from_session: ${ownSession8}`);
+    lines.push(`at: ${ts}`);
+    lines.push(`message_id: ${msg.id}`);
+    lines.push(`type: ${msg.message_type}`);
+    lines.push('');
+    lines.push(msg.body);
+    const refs = msg.references;
+    if (refs && (refs.memory_ids?.length || refs.artifacts?.length || refs.files?.length)) {
+        lines.push('');
+        lines.push('references:');
+        if (refs.memory_ids?.length) {
+            lines.push(`  memory: ${refs.memory_ids.map(id => id.slice(0, 8)).join(', ')}`);
+        }
+        for (const a of refs.artifacts || []) {
+            const url = a.url ? ` ${a.url}` : '';
+            lines.push(`  ${a.type}: ${a.id}${url}`);
+        }
+        for (const f of refs.files || []) {
+            const linesSpec = f.lines ? `:${f.lines}` : '';
+            lines.push(`  file: ${f.path}${linesSpec}`);
+        }
+    }
+    const selfId = ownSession8 ?? '<this-session-8hex>';
+    if (msg.message_type === 'discord_dm') {
+        const snowflake = msg.references?.discord?.snowflake;
+        if (snowflake) {
+            lines.push('');
+            lines.push(`reply: greprag send --to discord:${snowflake} "your reply" --from-session ${selfId}`);
+        }
+    }
+    else {
+        const replyTarget = msg.from.session_id
+            ? `${sender}/${msg.from.session_id}`
+            : sender;
+        lines.push('');
+        lines.push(`reply: greprag send --to ${replyTarget} "your reply" --from-session ${selfId}`);
+    }
+    return lines.join('\n');
+}
+/** Build the wire payload for one inbox message. The receiving session
+ *  reads `prompt` as a fresh user turn. Meta is for tests + the dry-run log.
+ *  `ownSession8` is the receiving session's 8-hex (the relay's filter id,
+ *  computed once at startup from `session`) — surfaces in the framing as
+ *  `from_session:` so the receiving model can self-address on reply. */
+function buildPayload(msg, ownSession8) {
+    return {
+        prompt: formatPrompt(msg, ownSession8),
+        meta: {
+            messageId: msg.id,
+            from: msg.from.email || msg.from.tenant + '@greprag.com',
+            toSession: (0, session_id_1.truncateSessionId)(msg.to_session_id ?? null),
+            ownSession8,
+            receivedAt: new Date().toISOString(),
+        },
+    };
+}
+// -- HTTP to opencode -------------------------------------------------------
+/** Build the headers for an outbound POST to the opencode server. Honors
+ *  OPENCODE_SERVER_USERNAME / OPENCODE_SERVER_PASSWORD (the same env vars
+ *  the opencode desktop child processes set; matching them keeps the relay
+ *  from being 401'd when running in the same environment as the desktop
+ *  app). */
+function opencodeHeaders() {
+    const headers = { 'Content-Type': 'application/json' };
+    const user = process.env.OPENCODE_SERVER_USERNAME;
+    const pass = process.env.OPENCODE_SERVER_PASSWORD;
+    if (user && pass) {
+        headers['Authorization'] = `Basic ${Buffer.from(`${user}:${pass}`).toString('base64')}`;
+    }
+    return headers;
+}
+/** POST {baseUrl}{pathSegment} with a JSON body. Returns the parsed JSON or
+ *  throws. The opencode server's prompt_async endpoint returns 204 No
+ *  Content on success — we treat 2xx as success and don't trust the body
+ *  shape strictly (opencode is pre-1.x, schema drifts). */
+async function postToOpencode(baseUrl, pathSegment, body) {
+    const url = baseUrl.replace(/\/+$/, '') + pathSegment;
+    const res = await fetch(url, {
+        method: 'POST',
+        headers: opencodeHeaders(),
+        body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`opencode ${res.status} on ${pathSegment}: ${text.slice(0, 200)}`);
+    }
+}
+/** Deliver one inbox message to the opencode desktop session. Single POST to
+ *  `/session/{id}/prompt_async` enqueues a fresh turn; the server returns
+ *  204 No Content and the model run continues asynchronously. That's exactly
+ *  what we want: a "kick and forget" that doesn't block the SSE loop on
+ *  model latency. */
+async function relayOne(baseUrl, sessionId, payload) {
+    await postToOpencode(baseUrl, `/session/${sessionId}/prompt_async`, { parts: [{ type: 'text', text: payload.prompt }] });
+}
+// -- SSE read loop (mirrors inbox-watch) -----------------------------------
+class StreamInterrupted extends Error {
+    constructor(message, lastId) {
+        super(message);
+        this.name = 'StreamInterrupted';
+        this.lastId = lastId;
+    }
+}
+async function readStream(deps) {
+    const inner = new AbortController();
+    const onOuter = () => inner.abort();
+    if (deps.signal.aborted)
+        inner.abort();
+    else
+        deps.signal.addEventListener('abort', onOuter, { once: true });
+    let idleAborted = false;
+    let lastByteAt = Date.now();
+    const idleTimer = setInterval(() => {
+        if (Date.now() - lastByteAt > deps.idleTimeoutMs) {
+            idleAborted = true;
+            inner.abort();
+        }
+    }, IDLE_CHECK_INTERVAL_MS);
+    try {
+        const url = buildStreamUrl(deps.apiUrl, deps.project, deps.inboxSession, deps.initialId);
+        const res = await fetch(url, {
+            headers: { 'Authorization': `Bearer ${deps.apiKey}`, 'Accept': 'text/event-stream' },
+            signal: inner.signal,
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`HTTP ${res.status}: ${text.slice(0, 200)}`);
+        }
+        if (!res.body)
+            throw new Error('No response body — server did not stream');
+        let lastId = deps.initialId;
+        const reader = res.body.getReader();
+        const decoder = new TextDecoder();
+        let buffer = '';
+        try {
+            while (true) {
+                let chunk;
+                try {
+                    chunk = await reader.read();
+                }
+                catch (err) {
+                    if (idleAborted) {
+                        throw new StreamInterrupted(`idle ${fmtDuration(deps.idleTimeoutMs)}, no heartbeat`, lastId);
+                    }
+                    throw new StreamInterrupted(err.message || String(err), lastId);
+                }
+                const { done, value } = chunk;
+                if (done)
+                    return lastId;
+                lastByteAt = Date.now();
+                buffer += decoder.decode(value, { stream: true });
+                buffer = buffer.replace(/\r\n/g, '\n');
+                let sep;
+                while ((sep = buffer.indexOf('\n\n')) >= 0) {
+                    const block = buffer.slice(0, sep);
+                    buffer = buffer.slice(sep + 2);
+                    const ev = (0, inbox_watch_1.parseEventBlock)(block);
+                    if (!ev)
+                        continue;
+                    if (ev.id)
+                        lastId = ev.id;
+                    if (ev.event === 'message') {
+                        let msg;
+                        try {
+                            msg = JSON.parse(ev.data);
+                        }
+                        catch {
+                            continue;
+                        }
+                        deps.print(msg);
+                        await deps.relay(msg);
+                    }
+                    else if (ev.event === 'replay-complete') {
+                        try {
+                            const data = JSON.parse(ev.data || '{}');
+                            if (typeof data.count === 'number' && data.count > 0) {
+                                const plural = data.count === 1 ? '' : 's';
+                                console.error(`${LOG_PREFIX} replayed ${data.count} missed row${plural}, resuming live tail`);
+                            }
+                        }
+                        catch { /* malformed control payload — ignore */ }
+                    }
+                    else if (ev.event === 'error') {
+                        console.error(`${LOG_PREFIX} server error: ${ev.data}`);
+                        return lastId;
+                    }
+                }
+            }
+        }
+        finally {
+            try {
+                reader.releaseLock();
+            }
+            catch { /* already released */ }
+        }
+    }
+    finally {
+        clearInterval(idleTimer);
+        deps.signal.removeEventListener('abort', onOuter);
+    }
+}
+function buildStreamUrl(apiUrl, project, session, since) {
+    const u = new URL(apiUrl.replace(/\/+$/, '') + '/v1/inbox/stream');
+    if (project)
+        u.searchParams.set('project', project);
+    if (session)
+        u.searchParams.set('session', session);
+    if (since)
+        u.searchParams.set('since', since);
+    return u.toString();
+}
+function sleep(ms, signal) {
+    return new Promise((resolve) => {
+        const t = setTimeout(resolve, ms);
+        const onAbort = () => { clearTimeout(t); resolve(); };
+        if (signal.aborted) {
+            onAbort();
+            return;
+        }
+        signal.addEventListener('abort', onAbort, { once: true });
+    });
+}
+// -- Public entry -----------------------------------------------------------
+/** Compute the effective greprag 8-hex inbox-session filter for the relay.
+ *  Tenant-wide overrides everything. Explicit `inboxSession` wins over the
+ *  auto-derived value (which is `truncateSessionId(session)`). The auto-derive
+ *  is the whole point of the per-session posture: the opencode session UUID
+ *  truncates to a stable 8-hex that the greprag API auto-registers on every
+ *  memory turn (via session_titles + InboxDO session-activity heartbeat),
+ *  so the relay can subscribe to "messages for me" without the user having
+ *  to know their 8-hex.
+ *
+ *  Returns `null` when no filter should be applied (i.e. tenant-wide). */
+function resolveInboxSession(opts) {
+    if (opts.tenantWide)
+        return null;
+    if (opts.inboxSession)
+        return opts.inboxSession;
+    return (0, session_id_1.truncateSessionId)(opts.session);
+}
+/** Run the relay loop. Returns when opts.signal aborts or a non-recoverable
+ *  4xx is hit. Production invocation wraps this in a `while true` shell loop
+ *  to survive process-level death (host crash, OS kill, fork failure). */
+async function runOpencodeRelay(opts) {
+    if (!opts.session) {
+        console.error(`${LOG_PREFIX} --session <opencode-session-id> is required.`);
+        console.error(`  Get it from \`opencode session list\` or the opencode UI session header.`);
+        process.exit(1);
+    }
+    const cfg = getConfig();
+    if (!cfg.apiKey) {
+        console.error(`${LOG_PREFIX} Not configured. Run: greprag init`);
+        process.exit(1);
+    }
+    const opencodeUrl = opts.opencodeUrl || OPENCODE_URL_DEFAULT;
+    const ownSession8 = (0, session_id_1.truncateSessionId)(opts.session);
+    // Refuse to start tenant-wide by accident. The whole point of the
+    // per-session posture is that one opencode session only sees its own
+    // messages; running unfiltered would leak cross-session traffic into
+    // the wrong conversations. User must either pass --inbox-session
+    // explicitly, --tenant-wide to acknowledge the noisy mode, or use an
+    // opencode session id that's hex-truncatable.
+    if (!opts.tenantWide && !opts.inboxSession && !ownSession8) {
+        console.error(`${LOG_PREFIX} Cannot derive greprag 8-hex from opencode session id "${opts.session}".`);
+        console.error(`  The default posture is session-targeted — pass --inbox-session <8hex> explicitly,`);
+        console.error(`  or --tenant-wide to see every message in the tenant.`);
+        process.exit(1);
+    }
+    const effectiveInboxSession = resolveInboxSession(opts);
+    console.error(`${LOG_PREFIX} relaying inbox → opencode desktop`);
+    console.error(`  opencode_url:  ${opencodeUrl}`);
+    console.error(`  session:       ${opts.session}`);
+    console.error(`  inbox_filter:  ${opts.tenantWide ? '(tenant-wide)' : (effectiveInboxSession ?? '(unable to derive — pass --inbox-session)')}`);
+    console.error(`  project:       ${opts.project || '(tenant-wide)'}`);
+    console.error(`  dry_run:       ${opts.dryRun ? 'yes' : 'no'}`);
+    console.error(`  print:         ${opts.print ? 'yes' : 'no'}`);
+    let cursor = opts.since ?? null;
+    const initialBackoff = opts.backoffInitialMs ?? BACKOFF_INITIAL_MS;
+    const idleTimeoutMs = opts.idleTimeoutMs ?? IDLE_TIMEOUT_MS;
+    let backoff = initialBackoff;
+    let isFirstAttempt = true;
+    const controller = new AbortController();
+    const onSignal = () => { controller.abort(); };
+    process.on('SIGINT', onSignal);
+    process.on('SIGTERM', onSignal);
+    if (opts.signal) {
+        if (opts.signal.aborted)
+            controller.abort();
+        else
+            opts.signal.addEventListener('abort', onSignal, { once: true });
+    }
+    const relay = async (msg) => {
+        const payload = buildPayload(msg, ownSession8);
+        if (opts.onRelayed)
+            await opts.onRelayed(payload);
+        if (opts.dryRun) {
+            console.error(`${LOG_PREFIX} [dry-run] would POST prompt_async for message ${payload.meta.messageId.slice(0, 8)}`);
+            return;
+        }
+        try {
+            await relayOne(opencodeUrl, opts.session, payload);
+            console.error(`${LOG_PREFIX} delivered message ${payload.meta.messageId.slice(0, 8)} → session ${opts.session}`);
+        }
+        catch (err) {
+            // Don't drop the message — re-throw so the outer loop's reconnect logic
+            // takes over (with cursor preserved). The bash wrapper respawns on
+            // process death, so a transient opencode outage recovers cleanly.
+            throw err;
+        }
+    };
+    // Zombie guard: if the opencode server has been gone for too long, exit
+    // non-zero so the bash wrapper / opencode-plugin respawner can give up
+    // instead of looping forever against a dead endpoint. The counter resets
+    // on every successful delivery, so a healthy run never trips it; only a
+    // sustained outage (5 deliveries in a row that all 5xx) terminates us.
+    const MAX_CONSECUTIVE_DELIVERY_FAILURES = 5;
+    let consecutiveDeliveryFailures = 0;
+    const relayWithFailureGate = async (msg) => {
+        try {
+            await relay(msg);
+            consecutiveDeliveryFailures = 0;
+        }
+        catch (err) {
+            consecutiveDeliveryFailures++;
+            if (consecutiveDeliveryFailures >= MAX_CONSECUTIVE_DELIVERY_FAILURES) {
+                console.error(`${LOG_PREFIX} ${consecutiveDeliveryFailures} consecutive delivery failures — ` +
+                    `opencode server appears down, exiting for respawn.`);
+                process.exit(1);
+            }
+            throw err;
+        }
+    };
+    const print = (msg) => {
+        if (!opts.print)
+            return;
+        const sender = msg.from.email || msg.from.tenant + '@greprag.com';
+        console.log(`[${sender}] ${msg.body}`);
+    };
+    while (!controller.signal.aborted) {
+        if (!isFirstAttempt) {
+            const lastSeen = cursor ? cursor.slice(0, 8) : 'none';
+            console.error(`${LOG_PREFIX} reconnecting (last_seen_id=${lastSeen})`);
+        }
+        isFirstAttempt = false;
+        try {
+            const lastId = await readStream({
+                apiUrl: cfg.apiUrl, apiKey: cfg.apiKey, signal: controller.signal,
+                initialId: cursor, idleTimeoutMs,
+                project: opts.project, inboxSession: effectiveInboxSession ?? undefined,
+                relay: relayWithFailureGate, print,
+            });
+            if (lastId)
+                cursor = lastId;
+            backoff = initialBackoff;
+        }
+        catch (err) {
+            if (controller.signal.aborted)
+                break;
+            if (err instanceof StreamInterrupted && err.lastId)
+                cursor = err.lastId;
+            const msg = err.message || String(err);
+            const m = /^HTTP (4\d\d)/.exec(msg);
+            if (m) {
+                console.error(`${LOG_PREFIX} ${msg}`);
+                process.exit(1);
+            }
+            const lastSeen = cursor ? cursor.slice(0, 8) : 'none';
+            console.error(`${LOG_PREFIX} disconnect: ${msg} — retrying in ${fmtDuration(backoff)} (last_seen_id=${lastSeen})`);
+        }
+        if (controller.signal.aborted)
+            break;
+        await sleep(backoff, controller.signal);
+        backoff = Math.min(backoff * BACKOFF_FACTOR, BACKOFF_MAX_MS);
+    }
+}
+/** Build the production wrapper command — the same `while true` shape the
+ *  Claude Code arm directive uses, so a relay restart-on-death can be
+ *  copy-pasted into a chip's spawn payload or a CLAUDE.md. adr: adr/monitor-resilience.md */
+function armOpencodeRelayCommand(session, opencodeUrl) {
+    const urlFlag = opencodeUrl && opencodeUrl !== OPENCODE_URL_DEFAULT
+        ? ` --opencode-url "${opencodeUrl}"`
+        : '';
+    return `while true; do greprag opencode relay --session ${session}${urlFlag}; ` +
+        `echo "[restart]" >&2; sleep 1; done`;
+}
+//# sourceMappingURL=opencode-relay.js.map