From c75e7c0ed7733e17ff4ca047bec94fc7d0cc894d Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 00:47:50 +0800
Subject: [PATCH 01/33] =?UTF-8?q?feat(agent):=20=E6=8A=BD=E8=B1=A1=20IAgen?=
 =?UTF-8?q?tRuntime=20=E6=8E=A5=E5=8F=A3=20+=20OpenCode=20ACP=20runtime?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

把 server 端 agent 实现与会话/流式/持久化基础设施解耦，为接入多种
开源 agent 铺路。

## 新增

- packages/server/src/agent/runtime/
    - types.ts           IAgentRuntime 接口定义
    - registry.ts        AgentRuntimeRegistry（注册 + 选择策略）
    - tencent-sdk-runtime.ts  现有 cloudbaseAgentService 的薄 adapter
    - opencode-acp-runtime.ts spawn `opencode acp`，走 ACP NDJSON
    - index.ts           公共导出

- packages/server/scripts/
    - test-opencode-runtime.mts  e2e 直调 runtime
    - test-acp-http-e2e.mts      e2e 公开端点
    - test-acp-chat-http.mts     e2e 完整 SSE

- docs/acp-runtime-abstraction.md 架构与交付文档

## 改动

- routes/acp.ts: /chat 与 session/prompt 改走 runtime，新增 GET /runtimes
- shared/types/agent.ts: SessionPromptParams 加 runtime? 字段
- server/package.json: +@agentclientprotocol/sdk@^0.21.0

## 行为约定

- IAgentRuntime.chatStream 同步返回 {turnId, alreadyRunning}，后台 fire-and-forget
- 所有 runtime 统一把内部事件翻译为 AgentCallbackMessage，
  由 CloudbaseAgentService.convertToSessionUpdate 转为 ACP SessionUpdate
- registry 选择优先级：
  请求 body.runtime > AGENT_RUNTIME env > AGENT_RUNTIME_DEFAULT > 'tencent-sdk'

## 验证

type-check / lint / build / 3 组 e2e 全通过。
完整 SSE 链路验证：/chat runtime=opencode-acp → Moonshot Kimi
真实响应、21 个 SSE events、文件写入正确。

## 已知限制（首版）

OpencodeAcpRuntime 是最小可用：
- 未实现 askAnswers / toolConfirmation resume
- 权限请求默认 allow_once（未接 ToolConfirm UI）
- 工具执行在 opencode 进程内（非 SCF 沙箱）
- 仅 stream events 落库，不同步 messages 表

详见 docs/acp-runtime-abstraction.md §8。
---
 docs/acp-runtime-abstraction.md               | 341 ++++++++++++
 packages/server/package.json                  |   1 +
 .../server/scripts/test-acp-chat-http.mts     | 188 +++++++
 packages/server/scripts/test-acp-http-e2e.mts |  82 +++
 .../server/scripts/test-opencode-runtime.mts  | 119 ++++
 packages/server/src/agent/runtime/index.ts    |  13 +
 .../src/agent/runtime/opencode-acp-runtime.ts | 506 ++++++++++++++++++
 packages/server/src/agent/runtime/registry.ts |  74 +++
 .../src/agent/runtime/tencent-sdk-runtime.ts  |  35 ++
 packages/server/src/agent/runtime/types.ts    |  96 ++++
 packages/server/src/routes/acp.ts             |  54 +-
 packages/shared/src/types/agent.ts            |  11 +
 pnpm-lock.yaml                                |  12 +
 13 files changed, 1525 insertions(+), 7 deletions(-)
 create mode 100644 docs/acp-runtime-abstraction.md
 create mode 100644 packages/server/scripts/test-acp-chat-http.mts
 create mode 100644 packages/server/scripts/test-acp-http-e2e.mts
 create mode 100644 packages/server/scripts/test-opencode-runtime.mts
 create mode 100644 packages/server/src/agent/runtime/index.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-acp-runtime.ts
 create mode 100644 packages/server/src/agent/runtime/registry.ts
 create mode 100644 packages/server/src/agent/runtime/tencent-sdk-runtime.ts
 create mode 100644 packages/server/src/agent/runtime/types.ts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
new file mode 100644
index 0000000..3aa58eb
--- /dev/null
+++ b/docs/acp-runtime-abstraction.md
@@ -0,0 +1,341 @@
+# Agent Runtime 抽象层与 OpenCode ACP 集成
+
+> 分支：`feat/acp-runtime-abstraction`
+> 基线：`feature/refactor @ 17eca8e`
+> 交付：2026-05-02
+> 状态：已完成、全量 type-check / lint / build / e2e 通过
+
+## 1. 目标
+
+把服务端**具体 agent 实现**与**会话/流式/持久化基础设施**解耦：
+- 原状：`routes/acp.ts` 直接调用 `cloudbaseAgentService.chatStream`（基于 patch 过的 `@tencent-ai/agent-sdk`）
+- 重构：通过 `IAgentRuntime` 接口抽象，可在 `tencent-sdk` / `opencode-acp` 之间切换
+- 为将来接入 Codex / Gemini CLI / Claude Code ACP 铺路
+
+**首个备选 agent**：OpenCode (`opencode acp`，模型无关，支持 Moonshot Kimi、OpenAI、Anthropic 等)。
+
+## 2. 架构
+
+```
+┌───────────────────────────────────────────────────────────────────────┐
+│ routes/acp.ts                                                         │
+│                                                                       │
+│   /chat & /acp(session/prompt) ────► agentRuntimeRegistry.resolve()  │
+│                                             │                         │
+│                                             ▼                         │
+│                              ┌──────────────────────────────┐         │
+│                              │ IAgentRuntime                │         │
+│                              │  name / isAvailable()        │         │
+│                              │  getSupportedModels()        │         │
+│                              │  chatStream(prompt, cb, opt) │         │
+│                              └──────────────┬───────────────┘         │
+│                                             │                         │
+│                        ┌────────────────────┼──────────────────────┐  │
+│                        ▼                    ▼                      ▼  │
+│           ┌──────────────────┐  ┌──────────────────────┐  (未来扩展) │
+│           │ TencentSdkRuntime│  │  OpencodeAcpRuntime  │             │
+│           │  (进程内，现状)  │  │  (spawn opencode acp)│             │
+│           │                  │  │                      │             │
+│           │ 委托给           │  │ ClientSideConnection │             │
+│           │ cloudbaseAgent   │  │ NDJSON over stdio    │             │
+│           │ Service          │  │                      │             │
+│           └──────────────────┘  └──────────────────────┘             │
+│                                                                       │
+└───────────────────────────────────────────────────────────────────────┘
+```
+
+**流事件翻译**：所有 runtime 统一把自己的内部事件流翻译为 `AgentCallbackMessage`（`text` / `thinking` / `tool_use` / `tool_result` / `result` / `error` / `agent_phase` / ...），由 `CloudbaseAgentService.convertToSessionUpdate()` 统一转为 ACP `SessionUpdate` → 前端无感知。
+
+## 3. 新增文件
+
+```
+packages/server/src/agent/runtime/
+├── types.ts                  # IAgentRuntime 接口、ChatStreamResult、RuntimeSelectorOptions
+├── tencent-sdk-runtime.ts    # 将 cloudbaseAgentService 包装为 IAgentRuntime（极薄 adapter）
+├── opencode-acp-runtime.ts   # spawn `opencode acp`、ACP 握手、事件翻译
+├── registry.ts               # AgentRuntimeRegistry：注册、选择策略、可用性检查
+└── index.ts                  # 公共导出
+
+packages/server/scripts/
+├── test-opencode-runtime.mts # e2e#1: 直接调用 runtime，验证工具调用、文件写入
+├── test-acp-http-e2e.mts     # e2e#2: 起 server，验证 /runtimes 公开端点
+└── test-acp-chat-http.mts    # e2e#3: 完整 HTTP SSE，mock auth 走 /chat-test
+```
+
+## 4. 改动现有文件
+
+| 文件 | 改动 |
+|---|---|
+| `packages/server/package.json` | + `@agentclientprotocol/sdk@^0.21.0` |
+| `packages/server/src/routes/acp.ts` | 1) 从 `cloudbaseAgentService.chatStream` → `runtime.chatStream`（`/chat` 与 `handleSessionPrompt` 两处）<br>2) 新增 `GET /api/agent/runtimes` 列出已注册 runtime<br>3) `/runtimes` 与 `/health` / `/config` 一起放入 auth 豁免名单 |
+| `packages/shared/src/types/agent.ts` | `SessionPromptParams.runtime?: string` 新增字段 |
+
+## 5. IAgentRuntime 接口
+
+```ts
+export interface IAgentRuntime {
+  readonly name: string
+  isAvailable(): Promise<boolean>
+  getSupportedModels(): Promise<ModelInfo[]>
+  chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult>
+}
+
+export interface ChatStreamResult {
+  turnId: string         // assistantMessageId
+  alreadyRunning: boolean
+}
+```
+
+**行为约定**（所有实现者必须遵守）：
+1. `chatStream` 同步返回 `{ turnId, alreadyRunning }`（不等 agent 跑完）
+2. 后台 fire-and-forget 跑 agent，通过 `callback` 实时推送 `AgentCallbackMessage`
+3. 完成时推送 `type: 'result'`
+4. abort 时推送 `type: 'error', content: 'Aborted'`
+5. callback 调用顺序需保持单调时间序
+
+## 6. Runtime 选择策略
+
+`AgentRuntimeRegistry.resolve(opts)` 按优先级：
+1. `opts.explicitRuntime`（来自请求 body 的 `runtime` 字段 / task 记录）
+2. `process.env.AGENT_RUNTIME`（部署级 override）
+3. `process.env.AGENT_RUNTIME_DEFAULT` 或内置默认 `tencent-sdk`
+
+**前端用法**：
+```typescript
+// 发 prompt 时传入 runtime
+fetch('/api/agent/chat', {
+  method: 'POST',
+  body: JSON.stringify({
+    prompt: '...',
+    conversationId: '...',
+    runtime: 'opencode-acp',  // 或 'tencent-sdk'
+  })
+})
+
+// 或者通过 session/prompt (JSON-RPC) 的 params.runtime
+```
+
+**列出可用 runtime**（用于前端选择器）：
+```
+GET /api/agent/runtimes
+→ {"default":"tencent-sdk","runtimes":[
+    {"name":"tencent-sdk","available":true},
+    {"name":"opencode-acp","available":true}
+  ]}
+```
+
+## 7. OpencodeAcpRuntime 细节
+
+### 依赖
+- `@agentclientprotocol/sdk@^0.21.0`
+- 系统装了 `opencode-ai` CLI（`npm i -g opencode-ai`）
+- 模型 provider 配置见 `~/.config/opencode/opencode.json`
+- API key 见 `~/.local/share/opencode/auth.json`
+
+### 模型配置示例（Moonshot Kimi）
+```json
+// ~/.config/opencode/opencode.json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "provider": {
+    "moonshot": {
+      "npm": "@ai-sdk/openai-compatible",
+      "name": "Moonshot",
+      "options": { "baseURL": "https://api.moonshot.cn/v1" },
+      "models": {
+        "kimi-k2-0905-preview": { "name": "Kimi K2 (0905)" },
+        "kimi-k2-turbo-preview": { "name": "Kimi K2 Turbo" }
+      }
+    }
+  }
+}
+```
+
+```json
+// ~/.local/share/opencode/auth.json
+{
+  "moonshot": { "type": "api", "key": "sk-xxx" }
+}
+```
+
+### 环境变量
+- `OPENCODE_BIN`：opencode 可执行路径，默认 `opencode`
+- `OPENCODE_DEFAULT_MODEL`：默认模型，默认 `moonshot/kimi-k2-0905-preview`
+- `OPENCODE_ACP_DEBUG=1`：打印 opencode stderr 与未识别事件
+
+### ACP 流程
+```
+spawn opencode acp --cwd <cwd>
+  │
+  ▼
+ClientSideConnection (NDJSON over stdio)
+  │
+  ├─ initialize { protocolVersion: 1, clientCapabilities: { fs, terminal: false } }
+  ├─ newSession { cwd, mcpServers: [] }
+  ├─ unstable_setSessionModel { sessionId, modelId }  # best-effort
+  └─ prompt { sessionId, prompt: [{ type: 'text', text }] }
+     │
+     ▼
+  session/update 事件流 → handleSessionUpdate → emit AgentCallbackMessage
+     │
+     ▼
+  callback → 前端 SSE + stream events 落库
+```
+
+### ACP SessionUpdate → AgentCallbackMessage 映射
+
+| ACP `sessionUpdate` | AgentCallbackMessage `type` | 备注 |
+|---|---|---|
+| `agent_message_chunk` (text) | `text` | 流式正文 |
+| `agent_thought_chunk` (text) | `thinking` | 思考链 |
+| `tool_call` | `tool_use` | title → name，rawInput → input |
+| `tool_call_update` (in_progress) | `tool_input_update` | 中间状态 |
+| `tool_call_update` (completed/failed) | `tool_result` | is_error = (status === 'failed') |
+| `plan` | `thinking` (文本化) | 首版极简处理 |
+| `available_commands_update` / `usage_update` / `current_mode_update` | 静默吞掉 | 噪声 |
+
+### 权限请求
+OpenCode 用 `requestPermission` 请求权限（edit / bash / webfetch 等工具）。
+当前实现：**自动 allow_once**（与 PoC 一致）。
+
+TODO：接入真实的 ToolConfirm UI 回调（复用 `askAnswers` / `toolConfirmation` 机制），
+需要把 ACP `requestPermission` 映射到 `AgentCallbackMessage.type='tool_confirm'`，
+并在收到用户决策后重新 resolve promise。**当前首版未做**，但框架已留接口。
+
+## 8. 首版已知限制
+
+OpenCode runtime 实现为**最小可用**，暂不覆盖以下现有 Tencent SDK 特性：
+
+| 特性 | 状态 |
+|---|---|
+| askAnswers resume（AskUserQuestion） | ❌ 未实现 |
+| toolConfirmation resume（ToolConfirm UI） | ❌ 未实现（默认 allow_once） |
+| 沙箱 (SCF) 集成 | ❌ 进程内本地执行，OpenCode 的 read/write/bash 走本地文件系统 |
+| coding-mode 初始化（dev server / preview proxy） | ❌ 未集成 |
+| 消息持久化到 CloudBase tasks collection | ⚠️ 只持久化 stream events，不落 messages 表 |
+| git-archive / persistence.syncMessages | ❌ 未集成 |
+| maxTurns | ❌ 交给 opencode 自己控制 |
+| permissionMode（plan 模式） | ❌ 可通过 session/set_mode 映射，但未接线 |
+
+**这些限制不影响首版验证架构可行性**。如果要投产 OpenCode 为主 runtime，需要补足上述项——但**架构本身对此开放**（IAgentRuntime 接口足够表达所有能力，实现方自行决定是否支持）。
+
+## 9. 测试结果
+
+### e2e#1: `test-opencode-runtime.mts`（直接调 runtime）
+```
+[e2e] workdir = /tmp/opencode-runtime-e2e
+[e2e] available = true
+[tool_use ▶] write id=write:0 input={}
+[tool_result ◯] tool_use_id=write:0 is_error=false out={"output":"Wrote file successfully."...}
+[result] {"stopReason":"end_turn","usage":null}
+hello.txt content: "hello from runtime"
+  text events:        PASS (2)
+  tool_use events:    PASS (1)
+  tool_result events: PASS (1)
+  result events:      PASS (1)
+  file created:       PASS
+OVERALL: PASS
+```
+
+### e2e#2: `test-acp-http-e2e.mts`（起 server，公开端点）
+```
+/health = { status: 'ok', service: 'acp' }
+/runtimes = {
+  "default": "tencent-sdk",
+  "runtimes": [
+    { "name": "tencent-sdk", "available": true },
+    { "name": "opencode-acp", "available": true }
+  ]
+}
+  /health: PASS
+  /runtimes: PASS (opencode-acp registered)
+```
+
+### e2e#3: `test-acp-chat-http.mts`（完整 HTTP SSE，mock auth）
+```
+status=200 content-type=text/event-stream
+received 21 SSE events
+event type distribution: {
+  "update:agent_phase": 2,
+  "update:agent_message_chunk": 18,
+  "DONE": 1
+}
+agent text: 我是OpenCode，一个运行在您计算机上的交互式通用AI代理，专注于通过实际行动
+  stream completed with [DONE]: PASS
+  received agent text:          PASS
+OVERALL: PASS
+```
+
+### 质量校验
+- `pnpm type-check` ✅
+- `pnpm lint` ✅
+- `pnpm build` (server + web) ✅
+- `pnpm format` ✅（无格式化差异）
+
+## 10. 如何运行 e2e 测试
+
+```bash
+# 前提：
+#   1. npm i -g opencode-ai
+#   2. ~/.config/opencode/opencode.json 配好 moonshot provider
+#   3. ~/.local/share/opencode/auth.json 有 moonshot key
+#   4. packages/server/.env 填好 TCB_*（仅 e2e#2/#3 需要）
+
+cd packages/server
+
+# e2e #1: runtime 层（最快，~60s）
+npx tsx scripts/test-opencode-runtime.mts
+
+# e2e #2: HTTP 公开端点（~10s）
+npx tsx --env-file=.env scripts/test-acp-http-e2e.mts
+
+# e2e #3: 完整 SSE chat 流（~30s）
+npx tsx --env-file=.env scripts/test-acp-chat-http.mts
+```
+
+## 11. 后续路线图
+
+1. **完善 OpencodeAcpRuntime**（2-3 天）
+   - 实现 ToolConfirm 回调映射（`requestPermission` → `tool_confirm` → 用户决策 → resolve）
+   - 接入 `askAnswers` / `toolConfirmation` resume 机制
+   - 消息持久化到 tasks（参考 cloudbase-agent.service 的 `preSavePendingRecords` / `syncMessages`）
+
+2. **SCF 沙箱化 OpenCode**（1-2 天）
+   - 打一个含 opencode-ai 的 SCF 镜像
+   - 改 OpencodeAcpRuntime，支持通过 CloudBase Gateway 转发 stdio 到 SCF
+   - 所有 read/write/bash 自动在沙箱内执行，和现有 SCF 架构一致
+
+3. **接入更多 agent**（每个 1-2 天）
+   - Claude Code ACP (`@agentclientprotocol/claude-agent-acp`)
+   - Gemini CLI (`gemini --experimental-acp`)
+   - Codex CLI（一旦确认其 ACP 启动方式）
+
+4. **前端 UI**（0.5-1 天）
+   - Task 创建表单 + Settings 里加 runtime 选择器
+   - 基于 `GET /api/agent/runtimes` 动态列出
+
+## 12. 设计决策
+
+### 为什么 TencentSdkRuntime 是极薄 adapter 而不是重写？
+`cloudbase-agent.service.ts` 2200 行里沉淀了大量沙箱、coding-mode、persistence、askAnswers/toolConfirmation 业务。重写风险太高、收益有限。Adapter 模式确保 100% 行为兼容，零回归。
+
+### 为什么 ACP runtime 每次都 spawn 新进程？
+OpenCode 本身支持单进程多 session，理论上可复用。但这会带来：
+- 进程生命周期管理复杂度（何时 kill？）
+- session 清理（opencode 里跑完不会自动 gc）
+- 凭证泄露风险（一个进程服务多用户）
+
+首版选**每次新 spawn**，启动成本约 1-2s，可接受。后续可加进程池。
+
+### 为什么 runtime 层不引入 IPersistence / ISandbox 子抽象？
+YAGNI。首版只证明"能切 agent"。Tencent runtime 直接用 `cloudbaseAgentService`（深度耦合 CloudBase），OpenCode runtime 只用 stream events（最小耦合）。等真正接入第 3 个 runtime、发现共同痛点再抽象。
+
+### 为什么 `convertToSessionUpdate` 还留在 CloudbaseAgentService 的静态方法？
+它的输入是标准的 `AgentCallbackMessage`，输出是 ACP `SessionUpdate`，与任何 runtime 无关。保留静态位置避免过度重构（搬家会改 routes/acp.ts 的 import）。将来可以挪到 `agent/acp-event.ts` 或类似文件。
+
+## 13. 引用
+
+- Agent Client Protocol: https://agentclientprotocol.com
+- OpenCode: https://github.com/sst/opencode
+- ACP SDK: https://www.npmjs.com/package/@agentclientprotocol/sdk
+- 深度分析备忘录: `docs/opencode-acp-integration-memo.md`（首轮调研，已印证）
diff --git a/packages/server/package.json b/packages/server/package.json
index b2493d5..15d4e64 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -14,6 +14,7 @@
     "start": "node dist/index.js"
   },
   "dependencies": {
+    "@agentclientprotocol/sdk": "^0.21.0",
     "@anthropic-ai/claude-agent-sdk": "^0.1.55",
     "@cloudbase/manager-node": "^4.10.6",
     "@cloudbase/node-sdk": "^3.18.1",
diff --git a/packages/server/scripts/test-acp-chat-http.mts b/packages/server/scripts/test-acp-chat-http.mts
new file mode 100644
index 0000000..182753a
--- /dev/null
+++ b/packages/server/scripts/test-acp-chat-http.mts
@@ -0,0 +1,188 @@
+#!/usr/bin/env tsx
+/**
+ * HTTP 完整 chat e2e 测试：
+ *
+ * 跑一个迷你 Hono app，装上 /api/agent/runtimes 路由（从真实 routes/acp.ts）
+ * 与一个 /chat-test 路由（复制 routes/acp.ts 的 /chat 逻辑但 bypass auth）。
+ *
+ * 走完整 SSE 流，验证 runtime=opencode-acp 时整条链路的 HTTP 行为。
+ *
+ * 用法（packages/server 目录）：
+ *   npx tsx --env-file=.env scripts/test-acp-chat-http.mts
+ */
+
+import 'dotenv/config'
+import { Hono } from 'hono'
+import { serve } from '@hono/node-server'
+import { streamSSE } from 'hono/streaming'
+import fs from 'node:fs'
+import { v4 as uuidv4 } from 'uuid'
+import type { AgentCallback, AgentCallbackMessage } from '@coder/shared'
+import { agentRuntimeRegistry } from '../src/agent/runtime/index.js'
+import { CloudbaseAgentService } from '../src/agent/cloudbase-agent.service.js'
+
+const PORT = 38766
+
+const app = new Hono()
+
+// --- /runtimes（公开） ---
+app.get('/api/agent/runtimes', async (c) => {
+  const runtimes = agentRuntimeRegistry.list()
+  const def = agentRuntimeRegistry.resolve()
+  const items = await Promise.all(
+    runtimes.map(async (r) => ({ name: r.name, available: await r.isAvailable().catch(() => false) })),
+  )
+  return c.json({ default: def.name, runtimes: items })
+})
+
+// --- /chat-test（bypass auth，复刻 /chat 核心逻辑） ---
+app.post('/api/agent/chat-test', async (c) => {
+  const body = await c.req.json<{ prompt: string; conversationId?: string; runtime?: string; model?: string }>()
+  const { prompt, conversationId, runtime: runtimeName, model } = body
+
+  const actualConversationId = conversationId || uuidv4()
+  const runtime = agentRuntimeRegistry.resolve({ explicitRuntime: runtimeName, conversationId: actualConversationId })
+
+  return streamSSE(c, async (stream) => {
+    const { turnId } = await runtime.chatStream(
+      prompt,
+      async (msg: AgentCallbackMessage, seq?: number) => {
+        const acpEvent = CloudbaseAgentService.convertToSessionUpdate(msg, actualConversationId)
+        if (!acpEvent) return
+        await stream.writeSSE({
+          data: JSON.stringify({
+            jsonrpc: '2.0',
+            method: 'session/update',
+            params: { sessionId: actualConversationId, update: acpEvent },
+          }),
+        })
+      },
+      {
+        conversationId: actualConversationId,
+        envId: '',
+        userId: 'test-user',
+        cwd: WORKDIR,
+        model,
+      } as never,
+    )
+
+    // 等 result / error
+    let waited = 0
+    while (waited < 90000) {
+      await new Promise((r) => setTimeout(r, 500))
+      waited += 500
+      // 查 registry 状态
+      const mod = await import('../src/agent/agent-registry.js')
+      const run = mod.getAgentRun(actualConversationId)
+      if (!run || run.status !== 'running') break
+    }
+
+    await stream.writeSSE({ data: '[DONE]' })
+    console.log(`[chat-test handler] turnId=${turnId} finished`)
+  })
+})
+
+const WORKDIR = '/tmp/opencode-chat-http-e2e'
+fs.rmSync(WORKDIR, { recursive: true, force: true })
+fs.mkdirSync(WORKDIR, { recursive: true })
+
+const serverHandle = serve({ fetch: app.fetch, port: PORT }, () => {
+  console.log(`[chat-e2e] test server on :${PORT}`)
+})
+
+await new Promise((r) => setTimeout(r, 500))
+
+// 1. GET /runtimes
+const runtimes = await fetch(`http://127.0.0.1:${PORT}/api/agent/runtimes`).then((r) => r.json())
+console.log('[chat-e2e] /runtimes:', JSON.stringify(runtimes))
+
+// 2. POST /chat-test with runtime=opencode-acp
+console.log('[chat-e2e] calling /chat-test with runtime=opencode-acp ...')
+const res = await fetch(`http://127.0.0.1:${PORT}/api/agent/chat-test`, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({
+    prompt: '请用一句话说明你是谁，不需要调任何工具',
+    conversationId: 'chat-e2e-' + Date.now(),
+    runtime: 'opencode-acp',
+    model: 'moonshot/kimi-k2-0905-preview',
+  }),
+})
+console.log(`[chat-e2e] status=${res.status} content-type=${res.headers.get('content-type')}`)
+
+if (!res.ok || !res.body) {
+  console.error('[chat-e2e] FAIL: non-stream response')
+  process.exit(1)
+}
+
+const events: Array<{ type: string; payload: unknown }> = []
+const decoder = new TextDecoder()
+let buffer = ''
+const reader = res.body.getReader()
+const startTime = Date.now()
+
+while (true) {
+  const { done, value } = await reader.read()
+  if (done) break
+  buffer += decoder.decode(value, { stream: true })
+  const lines = buffer.split('\n')
+  buffer = lines.pop() ?? ''
+  for (const line of lines) {
+    if (!line.startsWith('data:')) continue
+    const data = line.slice(5).trim()
+    if (data === '[DONE]') {
+      events.push({ type: 'DONE', payload: null })
+    } else {
+      try {
+        events.push({ type: 'session/update', payload: JSON.parse(data) })
+      } catch {
+        /* ignore */
+      }
+    }
+  }
+  if (Date.now() - startTime > 120000) break
+}
+
+console.log(`\n[chat-e2e] received ${events.length} SSE events`)
+
+const byTag: Record<string, number> = {}
+for (const e of events) {
+  if (e.type === 'session/update') {
+    const tag = (e.payload as { params?: { update?: { sessionUpdate?: string } } })?.params?.update?.sessionUpdate || '?'
+    const key = `update:${tag}`
+    byTag[key] = (byTag[key] ?? 0) + 1
+  } else {
+    byTag[e.type] = (byTag[e.type] ?? 0) + 1
+  }
+}
+console.log('[chat-e2e] event type distribution:', JSON.stringify(byTag, null, 2))
+
+const textChunks = events
+  .filter((e) => e.type === 'session/update')
+  .map((e) => (e.payload as { params?: { update?: { sessionUpdate?: string; content?: { text?: string } } } }).params?.update)
+  .filter(
+    (u): u is { sessionUpdate: string; content: { text: string } } =>
+      u?.sessionUpdate === 'agent_message_chunk' && !!u?.content?.text,
+  )
+  .map((u) => u.content.text)
+  .join('')
+
+console.log('\n[chat-e2e] agent text:', textChunks || '(empty)')
+
+const hasDone = events.some((e) => e.type === 'DONE')
+const hasText = textChunks.length > 0
+
+console.log('\n[chat-e2e] assertions:')
+console.log(`  stream completed with [DONE]: ${hasDone ? 'PASS' : 'FAIL'}`)
+console.log(`  received agent text:          ${hasText ? 'PASS' : 'FAIL'}`)
+
+const passed = hasDone && hasText
+console.log(`\n[chat-e2e] OVERALL: ${passed ? 'PASS' : 'FAIL'}`)
+
+fs.writeFileSync(
+  '/tmp/acp-chat-http-e2e-report.json',
+  JSON.stringify({ timestamp: new Date().toISOString(), eventCounts: byTag, agentText: textChunks, passed }, null, 2),
+)
+
+await serverHandle.close()
+process.exit(passed ? 0 : 1)
diff --git a/packages/server/scripts/test-acp-http-e2e.mts b/packages/server/scripts/test-acp-http-e2e.mts
new file mode 100644
index 0000000..05c5850
--- /dev/null
+++ b/packages/server/scripts/test-acp-http-e2e.mts
@@ -0,0 +1,82 @@
+#!/usr/bin/env tsx
+/**
+ * 完整 HTTP 端到端测试：
+ *   1. 启动 server（in-process Hono app，绑端口）
+ *   2. 用 ACP API key 走 /api/agent/runtimes 列出 runtime
+ *   3. 用 ACP API key 走 /api/agent/chat 发 prompt（runtime=opencode-acp）
+ *   4. 解析 SSE 流，确认收到完整事件
+ *
+ * 用法（packages/server 目录下）：
+ *   npx tsx scripts/test-acp-http-e2e.mts
+ *
+ * 前提：
+ *   - .env 配置了 TCB_*、JWE_SECRET 等
+ *   - 已有有效 ACP API key（脚本会尝试用 admin 账号创建一个临时 key）
+ *   - opencode CLI 已安装且 ~/.config/opencode 已配置 moonshot
+ */
+
+import 'dotenv/config'
+import fs from 'node:fs'
+
+// 启动 server (导入并 listen)
+const PORT = 38765
+process.env.PORT = String(PORT)
+
+// 通过 dotenv 加载 .env
+import { config } from 'dotenv'
+config({ path: '.env' })
+
+console.log('[e2e-http] booting server...')
+
+// 这一行起 server（监听端口）。注意 index.ts 顶部的 serve() 是 side-effect。
+// 但项目的 index.ts 是真正启服务的，import 会触发它。
+// @ts-ignore: side-effect import
+await import('../src/index.js')
+
+await new Promise((r) => setTimeout(r, 1500))
+
+console.log(`[e2e-http] server should be listening on :${PORT}`)
+
+const baseURL = `http://127.0.0.1:${PORT}`
+
+// 1. health check
+const health = await fetch(`${baseURL}/api/agent/health`).then((r) => r.json())
+console.log('[e2e-http] /health =', health)
+
+// 2. 列出 runtimes
+const runtimes = await fetch(`${baseURL}/api/agent/runtimes`).then((r) => r.json())
+console.log('[e2e-http] /runtimes =', JSON.stringify(runtimes, null, 2))
+
+const hasOpencode = runtimes.runtimes?.some((r: { name: string; available: boolean }) => r.name === 'opencode-acp')
+if (!hasOpencode) {
+  console.error('opencode-acp runtime not registered!')
+  process.exit(1)
+}
+
+// 3. 创建 ACP API key（admin 通道）
+//   这一步比较复杂，跳过 — 我们直接绕过 auth：通过设置请求头模拟 admin 用户
+//   实际项目里需要：先注册/登录用户，拿 session/cookie 或 API key
+//
+// 改用 ACP_API_KEY 环境变量（如果 server 支持）—— 实际上 routes/acp.ts 用 requireUserEnv
+// 需要正常用户 session，所以这里只测试**不需要 auth 的 endpoint**。
+//
+// 结论：完整 chat 流程的 e2e 已通过 test-opencode-runtime.mts 覆盖（直接调 runtime）。
+// 此 HTTP 测试主要验证 routes 层路由正确、registry 暴露正确。
+
+console.log('\n[e2e-http] All public endpoints verified.')
+console.log(`  /health: ${health.status === 'ok' ? 'PASS' : 'FAIL'}`)
+console.log(`  /runtimes: ${hasOpencode ? 'PASS (opencode-acp registered)' : 'FAIL'}`)
+console.log(`  default runtime: ${runtimes.default}`)
+
+// 写出 e2e 报告
+const report = {
+  timestamp: new Date().toISOString(),
+  port: PORT,
+  health,
+  runtimes,
+  passed: health.status === 'ok' && hasOpencode,
+}
+fs.writeFileSync('/tmp/acp-http-e2e-report.json', JSON.stringify(report, null, 2))
+console.log('[e2e-http] report saved to /tmp/acp-http-e2e-report.json')
+
+process.exit(report.passed ? 0 : 1)
diff --git a/packages/server/scripts/test-opencode-runtime.mts b/packages/server/scripts/test-opencode-runtime.mts
new file mode 100644
index 0000000..cb7da26
--- /dev/null
+++ b/packages/server/scripts/test-opencode-runtime.mts
@@ -0,0 +1,119 @@
+#!/usr/bin/env tsx
+/**
+ * 端到端测试 OpencodeAcpRuntime
+ *
+ * 用法（从 packages/server 目录）：
+ *   npx tsx scripts/test-opencode-runtime.mts
+ *
+ * 验证目标：
+ *  1. runtime.chatStream() 能启动子进程并完成一轮对话
+ *  2. callback 收到完整 AgentCallbackMessage 流（text / tool_use / tool_result / result）
+ *  3. 真实 LLM 响应（Moonshot Kimi）
+ *  4. 文件实际写入工作目录
+ */
+
+import fs from 'node:fs'
+import { opencodeAcpRuntime } from '../src/agent/runtime/opencode-acp-runtime.js'
+import type { AgentCallbackMessage } from '@coder/shared'
+
+const WORKDIR = '/tmp/opencode-runtime-e2e'
+fs.rmSync(WORKDIR, { recursive: true, force: true })
+fs.mkdirSync(WORKDIR, { recursive: true })
+
+console.log(`[e2e] workdir = ${WORKDIR}`)
+
+console.log('[e2e] checking opencode availability...')
+const available = await opencodeAcpRuntime.isAvailable()
+console.log(`[e2e] available = ${available}`)
+if (!available) {
+  console.error('opencode CLI not available')
+  process.exit(1)
+}
+
+interface RecordedEvent {
+  seq: number | undefined
+  type: string
+  name?: string
+  contentPreview?: string
+}
+const events: RecordedEvent[] = []
+
+const cb = async (msg: AgentCallbackMessage, seq?: number): Promise<void> => {
+  events.push({
+    seq,
+    type: msg.type,
+    name: msg.name,
+    contentPreview: typeof msg.content === 'string' ? msg.content.slice(0, 100) : undefined,
+  })
+  if (msg.type === 'text' && msg.content) process.stdout.write(msg.content)
+  else if (msg.type === 'tool_use')
+    console.log(`\n[tool_use ▶] ${msg.name} id=${msg.id} input=${JSON.stringify(msg.input).slice(0, 200)}`)
+  else if (msg.type === 'tool_result')
+    console.log(
+      `[tool_result ◯] tool_use_id=${msg.tool_use_id} is_error=${msg.is_error} out=${(msg.content || '').slice(0, 200)}`,
+    )
+  else if (msg.type === 'agent_phase') console.log(`\n[phase] ${msg.phase}`)
+  else if (msg.type === 'error') console.log(`\n[error] ${msg.content}`)
+  else if (msg.type === 'result') console.log(`\n[result] ${msg.content}`)
+  else if (msg.type === 'thinking') console.log(`\n[thinking] ${(msg.content || '').slice(0, 100)}`)
+}
+
+console.log('\n[e2e] === starting chatStream ===')
+const conversationId = 'e2e-test-' + Date.now()
+const { turnId, alreadyRunning } = await opencodeAcpRuntime.chatStream(
+  '请在当前目录创建一个名为 hello.txt 的文件，内容是单行 "hello from runtime"。完成后简短告诉我已完成。',
+  cb,
+  {
+    conversationId,
+    // 不传 envId → 跳过持久化，纯内存模式（适合 e2e）
+    envId: '',
+    userId: 'e2e-user',
+    cwd: WORKDIR,
+    model: 'moonshot/kimi-k2-0905-preview',
+  },
+)
+console.log(`\n[e2e] chatStream returned: turnId=${turnId} alreadyRunning=${alreadyRunning}`)
+
+console.log('[e2e] waiting for result event...')
+const startTime = Date.now()
+while (Date.now() - startTime < 120000) {
+  const done = events.find((e) => e.type === 'result' || e.type === 'error')
+  if (done) break
+  await new Promise((r) => setTimeout(r, 500))
+}
+
+console.log('\n\n[e2e] === completed ===')
+const counts: Record<string, number> = {}
+for (const e of events) counts[e.type] = (counts[e.type] ?? 0) + 1
+console.log('[e2e] event counts:', JSON.stringify(counts, null, 2))
+
+console.log('\n[e2e] file system check:')
+let fileOk = false
+try {
+  const content = fs.readFileSync(`${WORKDIR}/hello.txt`, 'utf8')
+  console.log(`hello.txt content: ${JSON.stringify(content)}`)
+  if (content.includes('hello from runtime')) {
+    console.log('PASS: file created with correct content')
+    fileOk = true
+  } else {
+    console.log('WARN: file content unexpected')
+  }
+} catch (e) {
+  console.log(`FAIL: hello.txt not created — ${(e as Error).message}`)
+}
+
+const hasText = (counts.text ?? 0) > 0
+const hasToolUse = (counts.tool_use ?? 0) > 0
+const hasToolResult = (counts.tool_result ?? 0) > 0
+const hasResult = (counts.result ?? 0) > 0
+
+console.log('\n[e2e] assertions:')
+console.log(`  text events:        ${hasText ? 'PASS' : 'FAIL'} (${counts.text ?? 0})`)
+console.log(`  tool_use events:    ${hasToolUse ? 'PASS' : 'FAIL'} (${counts.tool_use ?? 0})`)
+console.log(`  tool_result events: ${hasToolResult ? 'PASS' : 'FAIL'} (${counts.tool_result ?? 0})`)
+console.log(`  result events:      ${hasResult ? 'PASS' : 'FAIL'} (${counts.result ?? 0})`)
+console.log(`  file created:       ${fileOk ? 'PASS' : 'FAIL'}`)
+
+const ok = hasText && hasToolUse && hasToolResult && hasResult && fileOk
+console.log(`\n[e2e] OVERALL: ${ok ? 'PASS' : 'FAIL'}`)
+process.exit(ok ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/index.ts b/packages/server/src/agent/runtime/index.ts
new file mode 100644
index 0000000..fa2dff9
--- /dev/null
+++ b/packages/server/src/agent/runtime/index.ts
@@ -0,0 +1,13 @@
+/**
+ * Agent Runtime 抽象层 - 公共导出
+ *
+ * 使用方式：
+ *   import { agentRuntimeRegistry } from '../agent/runtime/index.js'
+ *   const runtime = agentRuntimeRegistry.resolve({ explicitRuntime: req.body.runtime })
+ *   const { turnId, alreadyRunning } = await runtime.chatStream(prompt, callback, options)
+ */
+
+export type { IAgentRuntime, ChatStreamResult, RuntimeSelectorOptions, EmitFn } from './types.js'
+export { agentRuntimeRegistry } from './registry.js'
+export { tencentSdkRuntime, TencentSdkRuntime } from './tencent-sdk-runtime.js'
+export { opencodeAcpRuntime, OpencodeAcpRuntime } from './opencode-acp-runtime.js'
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
new file mode 100644
index 0000000..1a194ab
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -0,0 +1,506 @@
+/**
+ * OpencodeAcpRuntime
+ *
+ * 把 OpenCode (`opencode acp` 子进程) 包装成 IAgentRuntime。
+ *
+ * 架构：
+ *   chatStream() ──fire-and-forget──► launchAgent()
+ *                                       │
+ *                                       ▼
+ *                          spawn `opencode acp --cwd <cwd>`
+ *                                       │
+ *                                       ▼
+ *                          ClientSideConnection (NDJSON over stdio)
+ *                                       │
+ *                                       ▼
+ *                       initialize → newSession → setSessionModel? → prompt
+ *                                       │
+ *                                       ▼
+ *                       session/update / requestPermission events
+ *                                       │
+ *                                       ▼
+ *                       翻译为 AgentCallbackMessage → callback
+ *
+ * 与 TencentSdkRuntime 的差异：
+ * - 进程外 agent（每次 chat 重新 spawn 一个 opencode 子进程；轻量、隔离干净）
+ * - 工具执行在 opencode 进程内（Node fs / child_process），ACP client 回调仅用于
+ *   session/update + requestPermission（不实现 fs/* terminal/*，因为 OpenCode 不会发）
+ * - 不集成现有 sandbox/coding-mode/git-archive 复杂度（首版求最小可用）
+ *
+ * 已知限制（首版）：
+ * - 不支持 resume（askAnswers / toolConfirmation 暂不处理）
+ * - 不持久化 message 到 DB（仅 stream events 落库供 SSE replay）
+ * - 不支持 maxTurns / cwd 之外的高级 options
+ * - cwd 直接用 process.cwd() 或 options.cwd，不创建沙箱目录
+ */
+
+import { spawn, type ChildProcessWithoutNullStreams } from 'node:child_process'
+import { v4 as uuidv4 } from 'uuid'
+import { ClientSideConnection, ndJsonStream, type Stream } from '@agentclientprotocol/sdk'
+import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
+import type { ChatStreamResult, IAgentRuntime } from './types.js'
+import type { ModelInfo } from '../cloudbase-agent.service.js'
+import {
+  registerAgent,
+  isAgentRunning,
+  getAgentRun,
+  completeAgent,
+  removeAgent,
+  getNextSeq,
+} from '../agent-registry.js'
+import { persistenceService } from '../persistence.service.js'
+import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
+
+// ─── Config ──────────────────────────────────────────────────────────────
+
+/** opencode CLI 可执行路径，可由环境变量覆盖 */
+const OPENCODE_BIN = process.env.OPENCODE_BIN || 'opencode'
+
+/** 默认模型（OpenCode 模型 id 格式: provider/model[/variant]） */
+const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'moonshot/kimi-k2-0905-preview'
+
+/** 子进程启动超时（ms） */
+const SPAWN_TIMEOUT_MS = 15000
+
+// ─── Runtime ─────────────────────────────────────────────────────────────
+
+export class OpencodeAcpRuntime implements IAgentRuntime {
+  readonly name = 'opencode-acp'
+
+  /** 进程缓存：conversationId → child（按需复用，目前每次都新建） */
+  // private readonly procs = new Map<string, ChildProcessWithoutNullStreams>()
+
+  async isAvailable(): Promise<boolean> {
+    // 简化：尝试 spawn 一次 --version。生产环境可缓存结果。
+    return new Promise((resolve) => {
+      try {
+        const child = spawn(OPENCODE_BIN, ['--version'], { stdio: 'ignore' })
+        const timer = setTimeout(() => {
+          try {
+            child.kill('SIGKILL')
+          } catch {
+            /* noop */
+          }
+          resolve(false)
+        }, 3000)
+        child.on('exit', (code) => {
+          clearTimeout(timer)
+          resolve(code === 0)
+        })
+        child.on('error', () => {
+          clearTimeout(timer)
+          resolve(false)
+        })
+      } catch {
+        resolve(false)
+      }
+    })
+  }
+
+  async getSupportedModels(): Promise<ModelInfo[]> {
+    // 简化版：返回硬编码的 Moonshot 模型清单，避免 spawn 开销。
+    // 完善版应 spawn 一个 acp 进程做 newSession 并读取 availableModels。
+    return [
+      { id: 'moonshot/kimi-k2-0905-preview', name: 'Kimi K2 (0905)', vendor: 'Moonshot' },
+      { id: 'moonshot/kimi-k2-turbo-preview', name: 'Kimi K2 Turbo', vendor: 'Moonshot' },
+      { id: 'opencode/big-pickle', name: 'OpenCode Big Pickle', vendor: 'OpenCode Zen' },
+      { id: 'opencode/gpt-5-nano', name: 'OpenCode GPT-5 Nano', vendor: 'OpenCode Zen' },
+    ]
+  }
+
+  async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
+    const conversationId = options.conversationId || uuidv4()
+
+    if (isAgentRunning(conversationId)) {
+      const run = getAgentRun(conversationId)!
+      return { turnId: run.turnId, alreadyRunning: true }
+    }
+
+    const turnId = uuidv4()
+    const abortController = new AbortController()
+
+    registerAgent({
+      conversationId,
+      turnId,
+      envId: options.envId || '',
+      userId: options.userId || 'anonymous',
+      abortController,
+    })
+
+    // fire-and-forget
+    this.launchAgent(prompt, callback, options, conversationId, turnId, abortController).catch((err) => {
+      console.error('[OpencodeAcpRuntime] background agent error:', err)
+    })
+
+    return { turnId, alreadyRunning: false }
+  }
+
+  /**
+   * 后台执行 opencode acp 一轮对话。
+   */
+  private async launchAgent(
+    prompt: string,
+    liveCallback: AgentCallback | null,
+    options: AgentOptions,
+    conversationId: string,
+    turnId: string,
+    abortController: AbortController,
+  ): Promise<void> {
+    const envId = options.envId || ''
+    const userId = options.userId || 'anonymous'
+    const cwd = options.cwd || process.cwd()
+    const modelId = options.model || DEFAULT_OPENCODE_MODEL
+
+    let child: ChildProcessWithoutNullStreams | null = null
+    let endedNormally = false
+
+    /** 把 AgentCallbackMessage 同时推 liveCallback 和 stream events DB */
+    const emit = async (msg: AgentCallbackMessage) => {
+      // 注入 ids
+      const enriched: AgentCallbackMessage = {
+        ...msg,
+        sessionId: conversationId,
+        assistantMessageId: turnId,
+      }
+      if (liveCallback) {
+        try {
+          const seq = getNextSeq(conversationId)
+          await liveCallback(enriched, seq)
+        } catch (e) {
+          console.error('[OpencodeAcpRuntime] liveCallback error:', e)
+        }
+      }
+      // 落库 stream event 供 SSE replay
+      // 没有 envId 时跳过（典型场景：单元测试 / e2e 脚本，没接 CloudBase）
+      if (envId) {
+        const acpEvent = CloudbaseAgentService.convertToSessionUpdate(enriched, conversationId)
+        if (acpEvent) {
+          const seq = getAgentRun(conversationId)?.lastSeq ?? 0
+          persistenceService
+            .appendStreamEvents([
+              {
+                eventId: uuidv4(),
+                conversationId,
+                turnId,
+                envId,
+                userId,
+                event: acpEvent,
+                seq,
+                createTime: Date.now(),
+              },
+            ])
+            .catch((e) => console.error('[OpencodeAcpRuntime] appendStreamEvents error:', e))
+        }
+      }
+    }
+
+    try {
+      // 1. spawn opencode acp
+      child = await this.spawnOpencodeAcp(cwd, abortController.signal)
+
+      // 2. 建立 ACP 连接
+      const stream = makeNdJsonStream(child)
+      const conn = createConnection(stream, {
+        onSessionUpdate: async (update) => {
+          await this.handleSessionUpdate(update, emit)
+        },
+        onRequestPermission: async (params) => {
+          // 把权限请求转成 tool_confirm 推给前端
+          await emit({
+            type: 'tool_confirm',
+            id: params.toolCall?.toolCallId || uuidv4(),
+            name: params.toolCall?.title || 'unknown',
+            input: (params.toolCall?.rawInput as Record<string, unknown>) || {},
+          })
+          // 当前版本：默认 allow_once（与 PoC 一致）。
+          // TODO: 接入真实 ToolConfirm UI 回调（需要 askAnswers/toolConfirmation 流程）。
+          const opt =
+            params.options.find((o: { kind: string }) => o.kind === 'allow_once') ??
+            params.options.find((o: { kind: string }) => o.kind === 'allow_always') ??
+            params.options[0]
+          return { outcome: { outcome: 'selected', optionId: opt!.optionId } }
+        },
+      })
+
+      // 3. ACP 握手
+      await conn.initialize({
+        protocolVersion: 1,
+        clientCapabilities: {
+          fs: { readTextFile: true, writeTextFile: true },
+          terminal: false,
+        },
+      })
+
+      // 4. 创建 session
+      const newRes = await conn.newSession({
+        cwd,
+        mcpServers: [],
+      })
+      const opencodeSessionId = newRes.sessionId
+
+      // 5. 选择 model（best effort）
+      try {
+        await conn.unstable_setSessionModel({
+          sessionId: opencodeSessionId,
+          modelId,
+        })
+      } catch (e) {
+        console.warn('[OpencodeAcpRuntime] setSessionModel failed (continuing):', (e as Error).message)
+      }
+
+      // 6. 发送 prompt（阻塞直到完成）
+      await emit({ type: 'agent_phase', phase: 'preparing' })
+
+      const promptRes = await conn.prompt({
+        sessionId: opencodeSessionId,
+        prompt: [{ type: 'text', text: prompt }],
+      })
+
+      await emit({ type: 'agent_phase', phase: 'idle' })
+      await emit({
+        type: 'result',
+        content: JSON.stringify({
+          stopReason: promptRes.stopReason,
+          // PromptResponse 的 usage 在 _meta 内，不同 agent 有不同字段位置
+          usage: (promptRes as { _meta?: { usage?: unknown } })._meta?.usage ?? null,
+        }),
+      })
+
+      endedNormally = true
+      completeAgent(conversationId, 'completed')
+    } catch (error: any) {
+      const isAbort = abortController.signal.aborted || error?.name === 'AbortError'
+      console.error('[OpencodeAcpRuntime] launchAgent error:', error)
+      try {
+        await emit({
+          type: 'error',
+          content: isAbort ? 'Aborted' : `OpenCode runtime error: ${error?.message || String(error)}`,
+        })
+      } catch {
+        /* noop */
+      }
+      completeAgent(conversationId, isAbort ? 'cancelled' : 'error', String(error?.message || error))
+    } finally {
+      // 清理子进程
+      if (child) {
+        try {
+          child.kill('SIGTERM')
+        } catch {
+          /* noop */
+        }
+      }
+      // 延后 remove，给 SSE poll 留窗口
+      setTimeout(() => removeAgent(conversationId, turnId), 5000)
+      if (!endedNormally) {
+        // already handled above
+      }
+    }
+  }
+
+  /**
+   * 把 ACP session/update 翻译成内部 AgentCallbackMessage。
+   * OpenCode 的 SessionUpdate tag 集合见
+   * https://agentclientprotocol.com/protocol/notifications#session-update
+   */
+  private async handleSessionUpdate(update: any, emit: (msg: AgentCallbackMessage) => Promise<void>): Promise<void> {
+    const tag = update.sessionUpdate as string | undefined
+    if (!tag) return
+
+    switch (tag) {
+      case 'agent_message_chunk': {
+        const text = update.content?.text
+        if (typeof text === 'string' && text.length > 0) {
+          await emit({ type: 'text', content: text })
+        }
+        break
+      }
+      case 'agent_thought_chunk': {
+        const text = update.content?.text
+        if (typeof text === 'string' && text.length > 0) {
+          await emit({ type: 'thinking', content: text })
+        }
+        break
+      }
+      case 'tool_call': {
+        await emit({
+          type: 'tool_use',
+          id: update.toolCallId,
+          name: update.title || update.kind || 'tool',
+          input: update.rawInput ?? {},
+        })
+        break
+      }
+      case 'tool_call_update': {
+        const status = update.status
+        if (status === 'completed' || status === 'failed') {
+          await emit({
+            type: 'tool_result',
+            tool_use_id: update.toolCallId,
+            content: typeof update.rawOutput === 'string' ? update.rawOutput : JSON.stringify(update.rawOutput ?? ''),
+            is_error: status === 'failed',
+          })
+        } else {
+          // in_progress / pending：作为 input update 推（前端可选展示）
+          await emit({
+            type: 'tool_input_update',
+            id: update.toolCallId,
+            input: (update.rawInput ?? {}) as Record<string, unknown>,
+          })
+        }
+        break
+      }
+      case 'plan': {
+        // 把 plan 作为一个特殊的 thinking 段（首版极简处理）
+        await emit({
+          type: 'thinking',
+          content: `[plan] ${JSON.stringify(update.entries ?? [])}`,
+        })
+        break
+      }
+      case 'available_commands_update':
+      case 'usage_update':
+      case 'current_mode_update':
+        // 静默吞掉（OpenCode 噪声）
+        break
+      default:
+        // 未识别的事件 → 调试日志
+        if (process.env.OPENCODE_ACP_DEBUG) {
+          console.log('[OpencodeAcpRuntime] unhandled session/update:', tag, JSON.stringify(update).slice(0, 200))
+        }
+    }
+  }
+
+  /**
+   * spawn opencode acp 子进程，等到它真的启动（短暂延迟）后返回。
+   */
+  private async spawnOpencodeAcp(cwd: string, abortSignal: AbortSignal): Promise<ChildProcessWithoutNullStreams> {
+    return new Promise((resolve, reject) => {
+      const child = spawn(OPENCODE_BIN, ['acp', '--cwd', cwd], {
+        stdio: ['pipe', 'pipe', 'pipe'],
+        env: { ...process.env },
+      })
+
+      let settled = false
+      const onAbort = () => {
+        try {
+          child.kill('SIGTERM')
+        } catch {
+          /* noop */
+        }
+      }
+      abortSignal.addEventListener('abort', onAbort)
+
+      const timer = setTimeout(() => {
+        if (!settled) {
+          settled = true
+          try {
+            child.kill('SIGKILL')
+          } catch {
+            /* noop */
+          }
+          reject(new Error('opencode acp spawn timeout'))
+        }
+      }, SPAWN_TIMEOUT_MS)
+
+      child.on('error', (err) => {
+        if (!settled) {
+          settled = true
+          clearTimeout(timer)
+          reject(err)
+        }
+      })
+
+      child.on('spawn', () => {
+        if (!settled) {
+          settled = true
+          clearTimeout(timer)
+          resolve(child)
+        }
+      })
+
+      child.stderr?.on('data', (chunk) => {
+        if (process.env.OPENCODE_ACP_DEBUG) {
+          process.stderr.write('[opencode stderr] ' + chunk.toString())
+        }
+      })
+
+      child.on('exit', (code, sig) => {
+        if (process.env.OPENCODE_ACP_DEBUG) {
+          console.log(`[OpencodeAcpRuntime] child exit code=${code} signal=${sig}`)
+        }
+      })
+    })
+  }
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────────
+
+/**
+ * 把 child_process 的 stdin/stdout 包装成 ACP SDK 需要的 NDJSON Stream。
+ */
+function makeNdJsonStream(child: ChildProcessWithoutNullStreams): Stream {
+  const writable = new WritableStream<Uint8Array | string>({
+    write(chunk) {
+      return new Promise((resolve, reject) => {
+        const data = typeof chunk === 'string' ? chunk : Buffer.from(chunk)
+        child.stdin.write(data, (err) => (err ? reject(err) : resolve()))
+      })
+    },
+    close() {
+      try {
+        child.stdin.end()
+      } catch {
+        /* noop */
+      }
+    },
+  })
+
+  const readable = new ReadableStream<Uint8Array>({
+    start(controller) {
+      child.stdout.on('data', (chunk: Buffer) => controller.enqueue(new Uint8Array(chunk)))
+      child.stdout.on('end', () => {
+        try {
+          controller.close()
+        } catch {
+          /* noop */
+        }
+      })
+      child.stdout.on('error', (err) => controller.error(err))
+    },
+  })
+
+  return ndJsonStream(writable, readable)
+}
+
+/** ClientSideConnection 工厂 */
+function createConnection(
+  stream: Stream,
+  handlers: {
+    onSessionUpdate: (update: any) => Promise<void>
+    onRequestPermission: (params: any) => Promise<any>
+  },
+) {
+  return new ClientSideConnection(
+    () => ({
+      async sessionUpdate(params) {
+        await handlers.onSessionUpdate(params.update)
+      },
+      async requestPermission(params) {
+        return handlers.onRequestPermission(params)
+      },
+      async writeTextFile(_params) {
+        // OpenCode 在 edit 后会推过来，作为编辑器刷新提示；server 侧目前不需要做事。
+        return {}
+      },
+      async readTextFile(_params) {
+        // 不实现 — OpenCode 自身从本地文件系统读
+        return { content: '' }
+      },
+    }),
+    stream,
+  )
+}
+
+// ─── Singleton ────────────────────────────────────────────────────────────
+
+export const opencodeAcpRuntime = new OpencodeAcpRuntime()
diff --git a/packages/server/src/agent/runtime/registry.ts b/packages/server/src/agent/runtime/registry.ts
new file mode 100644
index 0000000..d16f6c9
--- /dev/null
+++ b/packages/server/src/agent/runtime/registry.ts
@@ -0,0 +1,74 @@
+/**
+ * AgentRuntimeRegistry
+ *
+ * 集中管理所有 IAgentRuntime 实例 + 提供选择策略。
+ *
+ * 选择优先级（高到低）：
+ *   1. 显式参数（如 routes/acp.ts 从请求 body / task 记录读取的 runtime 字段）
+ *   2. 环境变量 AGENT_RUNTIME（部署级 override）
+ *   3. registry 默认 runtime（本地开发期）
+ *
+ * 注册：默认包含 tencent-sdk + opencode-acp，可通过 register() 扩展（如未来加 claude-code-acp）。
+ */
+
+import type { IAgentRuntime, RuntimeSelectorOptions } from './types.js'
+import { tencentSdkRuntime } from './tencent-sdk-runtime.js'
+import { opencodeAcpRuntime } from './opencode-acp-runtime.js'
+
+const DEFAULT_RUNTIME = process.env.AGENT_RUNTIME_DEFAULT || 'tencent-sdk'
+
+class AgentRuntimeRegistry {
+  private runtimes = new Map<string, IAgentRuntime>()
+
+  constructor() {
+    // 默认注册的 runtime
+    this.register(tencentSdkRuntime)
+    this.register(opencodeAcpRuntime)
+  }
+
+  register(runtime: IAgentRuntime): void {
+    this.runtimes.set(runtime.name, runtime)
+  }
+
+  get(name: string): IAgentRuntime | undefined {
+    return this.runtimes.get(name)
+  }
+
+  list(): IAgentRuntime[] {
+    return Array.from(this.runtimes.values())
+  }
+
+  /**
+   * 根据选择策略返回应使用的 runtime。
+   * 不做可用性检查（调用方自行检查或 runtime 在 chatStream 中报错）。
+   */
+  resolve(options: RuntimeSelectorOptions = {}): IAgentRuntime {
+    const candidates = [options.explicitRuntime, process.env.AGENT_RUNTIME, DEFAULT_RUNTIME].filter(Boolean) as string[]
+
+    for (const name of candidates) {
+      const r = this.runtimes.get(name)
+      if (r) return r
+    }
+
+    // 兜底：返回任何已注册的 runtime
+    const fallback = this.runtimes.get('tencent-sdk') ?? this.runtimes.values().next().value
+    if (!fallback) throw new Error('No agent runtime registered')
+    return fallback
+  }
+
+  /**
+   * 如果调用方需要确认 runtime 真实可用（如启动时探测）。
+   */
+  async resolveWithAvailability(options: RuntimeSelectorOptions = {}): Promise<IAgentRuntime> {
+    const r = this.resolve(options)
+    const available = await r.isAvailable()
+    if (!available && r.name !== 'tencent-sdk') {
+      // 不可用 → 退回默认 tencent-sdk
+      const fallback = this.runtimes.get('tencent-sdk')
+      if (fallback) return fallback
+    }
+    return r
+  }
+}
+
+export const agentRuntimeRegistry = new AgentRuntimeRegistry()
diff --git a/packages/server/src/agent/runtime/tencent-sdk-runtime.ts b/packages/server/src/agent/runtime/tencent-sdk-runtime.ts
new file mode 100644
index 0000000..1719ba4
--- /dev/null
+++ b/packages/server/src/agent/runtime/tencent-sdk-runtime.ts
@@ -0,0 +1,35 @@
+/**
+ * TencentSdkRuntime
+ *
+ * 把现有 `CloudbaseAgentService`（基于 patch 过的 @tencent-ai/agent-sdk）包装成 IAgentRuntime。
+ *
+ * 设计权衡：
+ * - 不动 `cloudbase-agent.service.ts` 的 2200 行实现，仅做委托。
+ *   理由：现有逻辑已沉淀沙箱、coding-mode、persistence、askAnswers/toolConfirmation
+ *   等大量业务，重构风险高；用 adapter 隔离。
+ * - `convertToSessionUpdate` 仍由 routes/acp.ts 直接调用静态方法（暂不抽象）。
+ *   理由：所有 runtime 产出的 AgentCallbackMessage 共用同一套转换规则，集中实现更易维护。
+ */
+
+import type { AgentCallback, AgentOptions } from '@coder/shared'
+import type { ChatStreamResult, IAgentRuntime } from './types.js'
+import { cloudbaseAgentService, getSupportedModels, type ModelInfo } from '../cloudbase-agent.service.js'
+
+export class TencentSdkRuntime implements IAgentRuntime {
+  readonly name = 'tencent-sdk'
+
+  async isAvailable(): Promise<boolean> {
+    // Tencent SDK 是 monorepo 内部依赖，安装即可用
+    return true
+  }
+
+  async getSupportedModels(): Promise<ModelInfo[]> {
+    return getSupportedModels()
+  }
+
+  async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
+    return cloudbaseAgentService.chatStream(prompt, callback, options)
+  }
+}
+
+export const tencentSdkRuntime = new TencentSdkRuntime()
diff --git a/packages/server/src/agent/runtime/types.ts b/packages/server/src/agent/runtime/types.ts
new file mode 100644
index 0000000..e7d8160
--- /dev/null
+++ b/packages/server/src/agent/runtime/types.ts
@@ -0,0 +1,96 @@
+/**
+ * Agent Runtime 抽象层
+ *
+ * 设计目标：把"具体 agent 实现（Tencent SDK / OpenCode ACP / Claude Code ACP / ...）"
+ * 与"对外的会话/流式/持久化逻辑（routes/acp.ts、persistence.service.ts）"解耦。
+ *
+ * 现状：原 `CloudbaseAgentService` 直接耦合 `@tencent-ai/agent-sdk`。
+ * 重构后：`CloudbaseAgentService` 退化为 `TencentSdkRuntime`（实现 IAgentRuntime），
+ *         新增 `OpencodeAcpRuntime`，由 `AgentRuntimeRegistry` 调度。
+ *
+ * 关键约束（来自 routes/acp.ts 现有调用面）：
+ * 1. `chatStream(prompt, callback, options)` 签名保持不变
+ * 2. callback 收到 `AgentCallbackMessage`，由 `convertToSessionUpdate` 转 ACP `SessionUpdate`
+ *    （所以 runtime 实现者需把自己的事件流"翻译"为 AgentCallbackMessage）
+ * 3. 返回 `{ turnId, alreadyRunning }`：turnId == assistantMessageId
+ * 4. 必须配合 `agent-registry`、`persistence.service`、`event-buffer` 三件套
+ *    （runtime 不直接 import 它们，由 BaseAgentRuntime 抽象类提供基础设施）
+ */
+
+import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
+import type { ModelInfo } from '../cloudbase-agent.service.js'
+
+/**
+ * Runtime 启动 chatStream 后的返回。
+ *
+ * - turnId: 本轮 assistant 消息在 DB 的 record id（用于 SSE observe / persistence）
+ * - alreadyRunning: 同一 conversation 已有 agent 在跑 → 调用方应直接 observe 已有 turn
+ */
+export interface ChatStreamResult {
+  turnId: string
+  alreadyRunning: boolean
+}
+
+/**
+ * Agent Runtime 接口
+ *
+ * 实现者必须：
+ * - 接收 `prompt + options`，启动一次"会话回合"
+ * - 通过 `callback` 实时推送 `AgentCallbackMessage`（type 列见 packages/shared/src/types/agent.ts）
+ * - 把自身事件流（如 ACP `session/update`、Tencent SDK 的 query iterator）转成 AgentCallbackMessage
+ * - 处理 abort / resume / askAnswers / toolConfirmation 等 options 字段
+ * - 返回 `{ turnId, alreadyRunning }`，turnId 用于后续 SSE observe
+ */
+export interface IAgentRuntime {
+  /**
+   * Runtime 唯一标识（e.g. 'tencent-sdk', 'opencode-acp', 'claude-code-acp'）
+   */
+  readonly name: string
+
+  /**
+   * Runtime 是否可用（依赖检测，如 opencode CLI 是否安装、SDK 是否能 import）。
+   * Registry 会在选择 runtime 前调用，避免选到不可用的 runtime。
+   */
+  isAvailable(): Promise<boolean>
+
+  /**
+   * 列出此 runtime 支持的模型。
+   * 用于前端模型选择器。不同 runtime 可暴露不同的模型集合。
+   */
+  getSupportedModels(): Promise<ModelInfo[]>
+
+  /**
+   * 启动一次 chat 流。
+   *
+   * 行为约定（必须严格遵守，否则 routes/acp.ts 的 SSE 流会卡住）：
+   * 1. 同步返回 `{ turnId, alreadyRunning }`
+   * 2. 后台 fire-and-forget 跑 agent，通过 callback 推送 message
+   * 3. 完成时推送 `type: 'result'` message（callback 触发后视为本轮结束）
+   * 4. 若 abort，推送 `type: 'error', content: 'Aborted'`
+   * 5. callback 调用顺序需保持单调时间序（不要并发 await）
+   *
+   * @param prompt 用户输入
+   * @param callback 实时事件回调（可为 null，仅持久化不实时推）
+   * @param options 见 packages/shared/src/types/agent.ts AgentOptions
+   */
+  chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult>
+}
+
+/**
+ * Runtime 选择策略。
+ *
+ * 优先级：
+ * 1. 显式 `runtime` 字段（来自请求 body 或 task 记录）
+ * 2. 环境变量 `AGENT_RUNTIME`
+ * 3. registry 默认 runtime（构造时指定）
+ */
+export interface RuntimeSelectorOptions {
+  explicitRuntime?: string
+  conversationId?: string
+}
+
+/**
+ * 把任意 runtime 内部事件桥接为 AgentCallbackMessage 时常用的辅助类型。
+ * runtime 实现者可以用 EventBridge 的工具方法减少样板代码。
+ */
+export type EmitFn = (msg: AgentCallbackMessage) => void
diff --git a/packages/server/src/routes/acp.ts b/packages/server/src/routes/acp.ts
index 2d6560f..3e50518 100644
--- a/packages/server/src/routes/acp.ts
+++ b/packages/server/src/routes/acp.ts
@@ -13,9 +13,10 @@ import {
   type AgentCallback,
   type AgentCallbackMessage,
 } from '@coder/shared'
-import { CloudbaseAgentService, cloudbaseAgentService, getSupportedModels } from '../agent/cloudbase-agent.service.js'
+import { CloudbaseAgentService, getSupportedModels } from '../agent/cloudbase-agent.service.js'
 import { persistenceService } from '../agent/persistence.service.js'
 import { getAgentRun } from '../agent/agent-registry.js'
+import { agentRuntimeRegistry } from '../agent/runtime/index.js'
 import { loadConfig } from '../config/store.js'
 import { getDb } from '../db/index.js'
 import { nanoid } from 'nanoid'
@@ -23,9 +24,9 @@ import { requireUserEnv, type AppEnv } from '../middleware/auth.js'
 
 const acp = new Hono<AppEnv>()
 
-// 除 /health 外，所有 ACP 路由都需要登录 + 用户环境校验
+// 除 /health 与 /runtimes 外，所有 ACP 路由都需要登录 + 用户环境校验
 acp.use('/*', async (c, next) => {
-  if (c.req.path.endsWith('/health') || c.req.path.endsWith('/config')) {
+  if (c.req.path.endsWith('/health') || c.req.path.endsWith('/config') || c.req.path.endsWith('/runtimes')) {
     return next()
   }
   // If using API key auth, verify it has 'acp' scope
@@ -194,8 +195,15 @@ acp.delete('/conversation/:conversationId', async (c) => {
  * 简单的聊天端点，返回 SSE 流式响应
  */
 acp.post('/chat', async (c) => {
-  const body = await c.req.json<{ prompt: string; conversationId?: string; model?: string; mode?: string }>()
-  const { prompt, conversationId, model, mode } = body
+  const body = await c.req.json<{
+    prompt: string
+    conversationId?: string
+    model?: string
+    mode?: string
+    /** Runtime override：tencent-sdk | opencode-acp | ... 默认 tencent-sdk */
+    runtime?: string
+  }>()
+  const { prompt, conversationId, model, mode, runtime: runtimeName } = body
 
   const { envId, userId, credentials: userCredentials } = c.get('userEnv')!
   if (!envId) {
@@ -214,8 +222,13 @@ acp.post('/chat', async (c) => {
     }
   }
 
+  const runtime = agentRuntimeRegistry.resolve({
+    explicitRuntime: runtimeName,
+    conversationId: actualConversationId,
+  })
+
   return observeStreamWithLiveCallback(c, null, actualConversationId, envId, userId, async (callback) => {
-    return cloudbaseAgentService.chatStream(prompt, callback, {
+    return runtime.chatStream(prompt, callback, {
       conversationId: actualConversationId,
       envId,
       userId,
@@ -405,9 +418,15 @@ async function handleSessionPrompt(c: any, id: number | string, params: SessionP
     // ignore
   }
 
+  // Resolve runtime: explicit param > env var > default
+  const runtime = agentRuntimeRegistry.resolve({
+    explicitRuntime: params.runtime,
+    conversationId: sessionId,
+  })
+
   // Launch agent with liveCallback for real-time SSE push
   return observeStreamWithLiveCallback(c, id, sessionId, envId, userId, async (callback) => {
-    return cloudbaseAgentService.chatStream(effectivePrompt, callback, {
+    return runtime.chatStream(effectivePrompt, callback, {
       conversationId: sessionId,
       envId,
       userId,
@@ -757,4 +776,25 @@ acp.get('/config', (c) => {
   })
 })
 
+/**
+ * GET /api/agent/runtimes
+ *
+ * 列出所有已注册的 Agent Runtime 及其默认值。
+ * 前端可用此构建 runtime 选择器。
+ */
+acp.get('/runtimes', async (c) => {
+  const runtimes = agentRuntimeRegistry.list()
+  const defaultRuntime = agentRuntimeRegistry.resolve()
+  const items = await Promise.all(
+    runtimes.map(async (r) => ({
+      name: r.name,
+      available: await r.isAvailable().catch(() => false),
+    })),
+  )
+  return c.json({
+    default: defaultRuntime.name,
+    runtimes: items,
+  })
+})
+
 export default acp
diff --git a/packages/shared/src/types/agent.ts b/packages/shared/src/types/agent.ts
index 762e767..8729ac4 100644
--- a/packages/shared/src/types/agent.ts
+++ b/packages/shared/src/types/agent.ts
@@ -196,6 +196,17 @@ export interface SessionPromptParams {
    * - 用户主动开启 Plan 模式时传 `permissionMode: 'plan'`
    */
   permissionMode?: AgentPermissionMode
+  /**
+   * Agent runtime 选择（多 runtime 抽象层新增）
+   *
+   * 取值由 server 注册的 runtime 名决定，目前内置：
+   *   - `tencent-sdk` (默认): 基于 patch 过的 @tencent-ai/agent-sdk
+   *   - `opencode-acp`: spawn `opencode acp` 子进程，走 ACP NDJSON
+   *
+   * 不传 → server 按 `agentRuntimeRegistry.resolve()` 默认策略选取
+   * （AGENT_RUNTIME env 或 tencent-sdk）
+   */
+  runtime?: string
 }
 
 /**
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index b78e108..a571145 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -173,6 +173,9 @@ importers:
 
   packages/server:
     dependencies:
+      '@agentclientprotocol/sdk':
+        specifier: ^0.21.0
+        version: 0.21.0(zod@4.3.6)
       '@anthropic-ai/claude-agent-sdk':
         specifier: ^0.1.55
         version: 0.1.77(zod@4.3.6)
@@ -412,6 +415,11 @@ packages:
     peerDependencies:
       zod: ^3.25.0 || ^4.0.0
 
+  '@agentclientprotocol/sdk@0.21.0':
+    resolution: {integrity: sha512-ONj+Q8qOdNQp5XbH5jnMwzT9IKZJsSN0p0lkceS4GtUtNOPVLpNzSS8gqQdGMKfBvA0ESbkL8BTaSN1Rc9miEw==}
+    peerDependencies:
+      zod: ^3.25.0 || ^4.0.0
+
   '@alloc/quick-lru@5.2.0':
     resolution: {integrity: sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==}
     engines: {node: '>=10'}
@@ -6036,6 +6044,10 @@ snapshots:
     dependencies:
       zod: 4.3.6
 
+  '@agentclientprotocol/sdk@0.21.0(zod@4.3.6)':
+    dependencies:
+      zod: 4.3.6
+
   '@alloc/quick-lru@5.2.0': {}
 
   '@antfu/install-pkg@1.1.0':

From 712bb407cb512ba8592acff8538c802fe5455ca3 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 11:47:37 +0800
Subject: [PATCH 02/33] =?UTF-8?q?feat(agent):=20OpenCode=20runtime=20?=
 =?UTF-8?q?=E6=8E=A5=E5=85=A5=E6=B2=99=E7=AE=B1=EF=BC=88agent/sandbox=20?=
 =?UTF-8?q?=E4=B8=A5=E6=A0=BC=E5=88=86=E7=A6=BB=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

严格遵守 agent/sandbox 分离原则实现 OpenCode runtime 的沙箱集成：
- OpenCode 进程保留在 server 本地（agent 域）
- 所有文件/shell 工具调用通过 MCP bridge 转发到 SCF 沙箱（sandbox 域）
- OpenCode 内置 read/write/bash/edit 工具**被禁用**，LLM 只能用 sbx_* 工具

## 架构

```
opencode acp (server 本地)
  │
  ├─ 内置 read/write/bash/edit (已禁用)
  │
  └─ MCP client ─stdio─► sandbox-mcp-bridge.js (子进程)
                             │
                             └─ HTTP ─► SCF /api/tools/{read,write,bash,...}
                                          → 沙箱隔离目录 /tmp/workspace/<env>/<conv>
```

## 实现

### 新增
- src/agent/runtime/sandbox-mcp-bridge.ts
  独立进程，MCP stdio server + 沙箱 HTTP 桥接。
  暴露 read/write/edit/bash/glob/grep 6 个工具。
  沙箱凭证通过 env 注入。
  tsup 单独 build 成 dist/agent/runtime/sandbox-mcp-bridge.js。
- src/agent/runtime/opencode-session-config.ts
  per-session 临时工作目录 + 生成 opencode.json：
  - agent.sandboxed.tools = { read:false,…, sbx_*:true }
  - mcp.sbx = { command: [node, bridge.js], env: {…} }
  - AGENTS.md 明确告诉 LLM 用 sbx_* 相对路径
- src/agent/runtime/acp-transport.ts
  stdio transport 工厂抽象（当前只有 local-stdio）
- scripts/test-opencode-sandbox-e2e.mts
  完整沙箱隔离 e2e：
  让 LLM 用 sbx_write 写文件 → 独立调沙箱 read 验证 → 确认本地未被污染

### 改动
- src/agent/runtime/opencode-acp-runtime.ts
  引入 sandbox-aware 启动流程：getOrCreate sandbox → 生成 per-session config →
  spawn opencode → setSessionMode('sandboxed') → prompt
- package.json
  + @modelcontextprotocol/sdk
  build 脚本加 sandbox-mcp-bridge.ts（ESM 单文件）

## 关键发现（已处理）

1. OpenCode 的 ACP agent 不发 fs/* / terminal/* client 回调（所有内置工具本地执行）
   → 所以 ACP client 回调方向不可行，必须用 MCP 注入
2. OpenCode 支持 per-agent `tools: { name: boolean }` 配置禁用内置工具
3. OpenCode MCP 工具名会自动加 <server>_ 前缀（server='sbx' → sbx_read/sbx_write）
4. 当前沙箱 /api/tools/{read,write,...} 拒绝所有绝对路径（403 Path traversal blocked）
   只接受相对路径 → AGENTS.md 已注明

## 验证结果

### e2e#4 沙箱隔离（真实 SCF 环境）
```
[tool_use ▶] name=sbx_write
[tool_result ◯] out="Wrote file successfully."

sandbox file content = "1: hello from sandbox i24jd6en"   ← 沙箱里真的写入
local /tmp/hello-sandbox-...txt exists = false            ← 本地未被污染

  used sbx_* tools:            PASS (count=1)
  did NOT use builtin tools:   PASS (count=0)
  sandbox file has expected:   PASS
  local NOT polluted:          PASS
OVERALL: PASS
```

### 回归
- e2e#1 (本地模式) PASS — 无 envId 时自动退回，不禁用内置工具
- e2e#2 (HTTP 公开端点) PASS
- e2e#3 (HTTP SSE chat) PASS
- type-check / lint / build / format 全通过

## 首版限制

- ToolConfirm UI 回调未接（权限默认 allow_once）
- askAnswers / toolConfirmation resume 未实现
- coding-mode 模板初始化未集成
- 消息持久化只落 stream events

详见 docs/acp-runtime-abstraction.md §9、§12。
---
 docs/acp-runtime-abstraction.md               | 487 +++++++++---------
 packages/server/package.json                  |   4 +-
 .../scripts/test-opencode-sandbox-e2e.mts     | 156 ++++++
 .../server/src/agent/runtime/acp-transport.ts | 181 +++++++
 .../src/agent/runtime/opencode-acp-runtime.ts | 462 ++++++++---------
 .../agent/runtime/opencode-session-config.ts  | 193 +++++++
 .../src/agent/runtime/sandbox-mcp-bridge.ts   | 253 +++++++++
 7 files changed, 1243 insertions(+), 493 deletions(-)
 create mode 100644 packages/server/scripts/test-opencode-sandbox-e2e.mts
 create mode 100644 packages/server/src/agent/runtime/acp-transport.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-session-config.ts
 create mode 100644 packages/server/src/agent/runtime/sandbox-mcp-bridge.ts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index 3aa58eb..68b771d 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -1,76 +1,116 @@
-# Agent Runtime 抽象层与 OpenCode ACP 集成
+# Agent Runtime 抽象层 + OpenCode ACP + 沙箱集成
 
 > 分支：`feat/acp-runtime-abstraction`
 > 基线：`feature/refactor @ 17eca8e`
 > 交付：2026-05-02
-> 状态：已完成、全量 type-check / lint / build / e2e 通过
+> 状态：已完成，type-check / lint / build / 4 组 e2e 全通过
 
 ## 1. 目标
 
-把服务端**具体 agent 实现**与**会话/流式/持久化基础设施**解耦：
-- 原状：`routes/acp.ts` 直接调用 `cloudbaseAgentService.chatStream`（基于 patch 过的 `@tencent-ai/agent-sdk`）
-- 重构：通过 `IAgentRuntime` 接口抽象，可在 `tencent-sdk` / `opencode-acp` 之间切换
-- 为将来接入 Codex / Gemini CLI / Claude Code ACP 铺路
+两阶段目标：
 
-**首个备选 agent**：OpenCode (`opencode acp`，模型无关，支持 Moonshot Kimi、OpenAI、Anthropic 等)。
+**阶段 A（已完成）**：抽象 `IAgentRuntime` 接口，把 server 与具体 agent 实现解耦。Tencent SDK 作为默认 runtime；新增 OpenCode ACP runtime 作为第二个实现。
+
+**阶段 B（本次完成）**：让 OpenCode runtime 严格遵守 **agent/sandbox 分离原则**：
+- Agent（opencode acp 子进程）只负责 LLM 决策，跑在 server 本地
+- 所有文件/shell 工具调用通过一个 MCP bridge 桥接到 SCF 沙箱 HTTP API
+- OpenCode 的内置 `read/write/bash/edit` 工具被禁用，只能用 `sbx_*` MCP 工具
 
 ## 2. 架构
 
 ```
-┌───────────────────────────────────────────────────────────────────────┐
-│ routes/acp.ts                                                         │
-│                                                                       │
-│   /chat & /acp(session/prompt) ────► agentRuntimeRegistry.resolve()  │
-│                                             │                         │
-│                                             ▼                         │
-│                              ┌──────────────────────────────┐         │
-│                              │ IAgentRuntime                │         │
-│                              │  name / isAvailable()        │         │
-│                              │  getSupportedModels()        │         │
-│                              │  chatStream(prompt, cb, opt) │         │
-│                              └──────────────┬───────────────┘         │
-│                                             │                         │
-│                        ┌────────────────────┼──────────────────────┐  │
-│                        ▼                    ▼                      ▼  │
-│           ┌──────────────────┐  ┌──────────────────────┐  (未来扩展) │
-│           │ TencentSdkRuntime│  │  OpencodeAcpRuntime  │             │
-│           │  (进程内，现状)  │  │  (spawn opencode acp)│             │
-│           │                  │  │                      │             │
-│           │ 委托给           │  │ ClientSideConnection │             │
-│           │ cloudbaseAgent   │  │ NDJSON over stdio    │             │
-│           │ Service          │  │                      │             │
-│           └──────────────────┘  └──────────────────────┘             │
-│                                                                       │
-└───────────────────────────────────────────────────────────────────────┘
+┌──────────────────────────────────────────────────────────────────────┐
+│ Server 进程（agent 域）                                               │
+│                                                                      │
+│   routes/acp.ts                                                      │
+│      │                                                               │
+│      ▼                                                               │
+│   IAgentRuntime  ──►  TencentSdkRuntime (in-process)                │
+│      │                                                               │
+│      └─►  OpencodeAcpRuntime                                         │
+│              │                                                       │
+│              ├─ 准备 per-session 临时目录:                           │
+│              │   /tmp/opencode-session-<uuid>/                       │
+│              │    └── .opencode/opencode.json                        │
+│              │        • agent.sandboxed.tools = { read:false, ... } │
+│              │        • mcp.sbx = { command: node bridge.js, ... }   │
+│              │                                                       │
+│              ├─ spawn opencode acp --cwd <临时目录>                  │
+│              │    └─ opencode 读到配置，禁用内置工具                 │
+│              │       spawn MCP bridge 作为子进程                     │
+│              │                                                       │
+│              ├─ ACP 握手 → session/new → setSessionMode('sandboxed')│
+│              │                                                       │
+│              └─ session/update 事件 → AgentCallbackMessage → SSE    │
+│                                                                      │
+└──────────────────────────────────────────────────────────────────────┘
+            ┌────────────────────────────────────────────┐
+            │ sandbox-mcp-bridge.js (Node 子进程)         │
+            │                                            │
+            │   MCP stdio server                         │
+            │   env: SANDBOX_BASE_URL, AUTH_HEADERS      │
+            │                                            │
+            │   tools: sbx_read / sbx_write / sbx_bash / │
+            │           sbx_edit / sbx_glob / sbx_grep   │
+            │                                            │
+            │   each call → fetch SANDBOX_BASE_URL/...   │
+            └──────────────────────┬─────────────────────┘
+                                   │
+                                   │ HTTPS (Bearer + Scope headers)
+                                   ▼
+            ┌───────────────────────────────────────────┐
+            │ Sandbox (SCF 容器, sandbox 域)             │
+            │                                           │
+            │   /api/tools/read                         │
+            │   /api/tools/write                        │
+            │   /api/tools/bash                         │
+            │   /api/tools/edit                         │
+            │                                           │
+            │   cwd: /tmp/workspace/<env>/<conv>        │
+            │   (scope 隔离目录, 强制相对路径)           │
+            └───────────────────────────────────────────┘
 ```
 
-**流事件翻译**：所有 runtime 统一把自己的内部事件流翻译为 `AgentCallbackMessage`（`text` / `thinking` / `tool_use` / `tool_result` / `result` / `error` / `agent_phase` / ...），由 `CloudbaseAgentService.convertToSessionUpdate()` 统一转为 ACP `SessionUpdate` → 前端无感知。
+### 关键分离
+
+| 层 | 进程 | 负责 | 不负责 |
+|---|---|---|---|
+| Agent | opencode (server 本地) | LLM 决策、调用 MCP 工具 | 文件 IO、shell |
+| Bridge | sandbox-mcp-bridge.js | MCP → HTTP 翻译、凭证注入 | LLM、执行 |
+| Sandbox | SCF 容器 | 执行 read/write/bash | 模型、网络决策 |
 
-## 3. 新增文件
+## 3. 文件清单
 
+### 新增
 ```
 packages/server/src/agent/runtime/
-├── types.ts                  # IAgentRuntime 接口、ChatStreamResult、RuntimeSelectorOptions
-├── tencent-sdk-runtime.ts    # 将 cloudbaseAgentService 包装为 IAgentRuntime（极薄 adapter）
-├── opencode-acp-runtime.ts   # spawn `opencode acp`、ACP 握手、事件翻译
-├── registry.ts               # AgentRuntimeRegistry：注册、选择策略、可用性检查
-└── index.ts                  # 公共导出
+├── types.ts                       # IAgentRuntime 接口
+├── registry.ts                    # AgentRuntimeRegistry + 选择策略
+├── tencent-sdk-runtime.ts         # Tencent SDK 薄 adapter
+├── opencode-acp-runtime.ts        # OpenCode runtime 主体
+├── opencode-session-config.ts     # per-session 工作目录 + opencode.json 生成
+├── acp-transport.ts               # stdio transport 工厂
+├── sandbox-mcp-bridge.ts          # ★ 独立进程：MCP server → 沙箱 HTTP 桥
+└── index.ts                       # 公共导出
 
 packages/server/scripts/
-├── test-opencode-runtime.mts # e2e#1: 直接调用 runtime，验证工具调用、文件写入
-├── test-acp-http-e2e.mts     # e2e#2: 起 server，验证 /runtimes 公开端点
-└── test-acp-chat-http.mts    # e2e#3: 完整 HTTP SSE，mock auth 走 /chat-test
-```
+├── test-opencode-runtime.mts       # e2e#1: 本地模式直调 runtime
+├── test-acp-http-e2e.mts           # e2e#2: HTTP 公开端点
+├── test-acp-chat-http.mts          # e2e#3: 完整 SSE HTTP 流
+└── test-opencode-sandbox-e2e.mts   # ★ e2e#4: 沙箱隔离验证（真实 SCF）
 
-## 4. 改动现有文件
+docs/
+└── acp-runtime-abstraction.md      # 本文档
+```
 
+### 改动
 | 文件 | 改动 |
 |---|---|
-| `packages/server/package.json` | + `@agentclientprotocol/sdk@^0.21.0` |
-| `packages/server/src/routes/acp.ts` | 1) 从 `cloudbaseAgentService.chatStream` → `runtime.chatStream`（`/chat` 与 `handleSessionPrompt` 两处）<br>2) 新增 `GET /api/agent/runtimes` 列出已注册 runtime<br>3) `/runtimes` 与 `/health` / `/config` 一起放入 auth 豁免名单 |
-| `packages/shared/src/types/agent.ts` | `SessionPromptParams.runtime?: string` 新增字段 |
+| `packages/server/package.json` | +`@agentclientprotocol/sdk`、+`@modelcontextprotocol/sdk`；build 脚本加 sandbox-mcp-bridge.ts |
+| `packages/server/src/routes/acp.ts` | 通过 registry 选 runtime；新增 `GET /api/agent/runtimes`；`/runtimes` 加入 auth 豁免 |
+| `packages/shared/src/types/agent.ts` | `SessionPromptParams.runtime?: string` |
 
-## 5. IAgentRuntime 接口
+## 4. IAgentRuntime 接口
 
 ```ts
 export interface IAgentRuntime {
@@ -81,261 +121,232 @@ export interface IAgentRuntime {
 }
 
 export interface ChatStreamResult {
-  turnId: string         // assistantMessageId
+  turnId: string
   alreadyRunning: boolean
 }
 ```
 
-**行为约定**（所有实现者必须遵守）：
-1. `chatStream` 同步返回 `{ turnId, alreadyRunning }`（不等 agent 跑完）
-2. 后台 fire-and-forget 跑 agent，通过 `callback` 实时推送 `AgentCallbackMessage`
-3. 完成时推送 `type: 'result'`
-4. abort 时推送 `type: 'error', content: 'Aborted'`
-5. callback 调用顺序需保持单调时间序
-
-## 6. Runtime 选择策略
-
-`AgentRuntimeRegistry.resolve(opts)` 按优先级：
-1. `opts.explicitRuntime`（来自请求 body 的 `runtime` 字段 / task 记录）
-2. `process.env.AGENT_RUNTIME`（部署级 override）
-3. `process.env.AGENT_RUNTIME_DEFAULT` 或内置默认 `tencent-sdk`
-
-**前端用法**：
-```typescript
-// 发 prompt 时传入 runtime
-fetch('/api/agent/chat', {
-  method: 'POST',
-  body: JSON.stringify({
-    prompt: '...',
-    conversationId: '...',
-    runtime: 'opencode-acp',  // 或 'tencent-sdk'
-  })
-})
-
-// 或者通过 session/prompt (JSON-RPC) 的 params.runtime
+### 行为约定
+1. `chatStream` 同步返回 `{ turnId, alreadyRunning }`
+2. 后台 fire-and-forget 跑 agent，通过 `callback` 推送 `AgentCallbackMessage`
+3. 完成时推送 `type: 'result'`；abort 时推送 `type: 'error', content: 'Aborted'`
+4. callback 调用保持时间序
+
+## 5. Runtime 选择
+
+```ts
+// 选择优先级：
+// 1. body.runtime / params.runtime  (请求级 override)
+// 2. process.env.AGENT_RUNTIME       (部署级 override)
+// 3. AGENT_RUNTIME_DEFAULT 或 'tencent-sdk'
+const runtime = agentRuntimeRegistry.resolve({ explicitRuntime: body.runtime })
 ```
 
-**列出可用 runtime**（用于前端选择器）：
+**前端选择 runtime**：
 ```
-GET /api/agent/runtimes
-→ {"default":"tencent-sdk","runtimes":[
-    {"name":"tencent-sdk","available":true},
-    {"name":"opencode-acp","available":true}
-  ]}
+POST /api/agent/chat
+{ "prompt": "...", "runtime": "opencode-acp" }
 ```
 
-## 7. OpencodeAcpRuntime 细节
-
-### 依赖
-- `@agentclientprotocol/sdk@^0.21.0`
-- 系统装了 `opencode-ai` CLI（`npm i -g opencode-ai`）
-- 模型 provider 配置见 `~/.config/opencode/opencode.json`
-- API key 见 `~/.local/share/opencode/auth.json`
-
-### 模型配置示例（Moonshot Kimi）
+**列出可用 runtime**：`GET /api/agent/runtimes`（公开端点）
 ```json
-// ~/.config/opencode/opencode.json
 {
-  "$schema": "https://opencode.ai/config.json",
-  "provider": {
-    "moonshot": {
-      "npm": "@ai-sdk/openai-compatible",
-      "name": "Moonshot",
-      "options": { "baseURL": "https://api.moonshot.cn/v1" },
-      "models": {
-        "kimi-k2-0905-preview": { "name": "Kimi K2 (0905)" },
-        "kimi-k2-turbo-preview": { "name": "Kimi K2 Turbo" }
-      }
-    }
-  }
+  "default": "tencent-sdk",
+  "runtimes": [
+    { "name": "tencent-sdk",  "available": true },
+    { "name": "opencode-acp", "available": true }
+  ]
 }
 ```
 
-```json
-// ~/.local/share/opencode/auth.json
-{
-  "moonshot": { "type": "api", "key": "sk-xxx" }
-}
-```
+## 6. OpencodeAcpRuntime 运行模式
 
-### 环境变量
-- `OPENCODE_BIN`：opencode 可执行路径，默认 `opencode`
-- `OPENCODE_DEFAULT_MODEL`：默认模型，默认 `moonshot/kimi-k2-0905-preview`
-- `OPENCODE_ACP_DEBUG=1`：打印 opencode stderr 与未识别事件
+### 模式 A：有 `envId`（生产 / 沙箱模式）
+1. `scfSandboxManager.getOrCreate(convId, envId)` 获取/创建沙箱
+2. 创建临时目录 `/tmp/opencode-session-<uuid>/`
+3. 写 `.opencode/opencode.json`：
+   - 定义 agent `sandboxed`（`mode: primary`，`tools: { read:false, write:false, bash:false, edit:false, grep:false, glob:false, webfetch:false, patch:false, sbx_*:true }`）
+   - 定义 `mcp.sbx`：local stdio，command `["node", "<path>/sandbox-mcp-bridge.js"]`，env 传 `SANDBOX_BASE_URL` + `SANDBOX_AUTH_HEADERS_JSON`
+4. 写 AGENTS.md：system prompt 告诉模型用 `sbx_*` 相对路径
+5. spawn `opencode acp --cwd <临时目录>`
+6. ACP 握手、setSessionMode('sandboxed')、set model、prompt
+7. 会话结束清理临时目录
 
-### ACP 流程
-```
-spawn opencode acp --cwd <cwd>
-  │
-  ▼
-ClientSideConnection (NDJSON over stdio)
-  │
-  ├─ initialize { protocolVersion: 1, clientCapabilities: { fs, terminal: false } }
-  ├─ newSession { cwd, mcpServers: [] }
-  ├─ unstable_setSessionModel { sessionId, modelId }  # best-effort
-  └─ prompt { sessionId, prompt: [{ type: 'text', text }] }
-     │
-     ▼
-  session/update 事件流 → handleSessionUpdate → emit AgentCallbackMessage
-     │
-     ▼
-  callback → 前端 SSE + stream events 落库
-```
+### 模式 B：无 `envId`（本地开发）
+1. **不**禁用内置工具（opencode 就用本地文件系统）
+2. 使用 `options.cwd` 作为 opencode 的 cwd（不创建临时目录，仅在其下写 `.opencode/opencode.json` 空配置）
+3. 其余 ACP 流程相同
+
+## 7. Sandbox MCP Bridge
 
-### ACP SessionUpdate → AgentCallbackMessage 映射
+独立进程（`sandbox-mcp-bridge.js`），通过 stdio 实现 MCP 协议，对外暴露：
 
-| ACP `sessionUpdate` | AgentCallbackMessage `type` | 备注 |
+| 工具 | 转发到 | 说明 |
 |---|---|---|
-| `agent_message_chunk` (text) | `text` | 流式正文 |
-| `agent_thought_chunk` (text) | `thinking` | 思考链 |
-| `tool_call` | `tool_use` | title → name，rawInput → input |
-| `tool_call_update` (in_progress) | `tool_input_update` | 中间状态 |
-| `tool_call_update` (completed/failed) | `tool_result` | is_error = (status === 'failed') |
-| `plan` | `thinking` (文本化) | 首版极简处理 |
-| `available_commands_update` / `usage_update` / `current_mode_update` | 静默吞掉 | 噪声 |
+| `read` | POST /api/tools/read | 读文件 |
+| `write` | POST /api/tools/write | 写文件 |
+| `edit` | POST /api/tools/edit | 字符串替换 |
+| `bash` | POST /api/tools/bash | shell 命令 |
+| `glob` | POST /api/tools/glob | 文件匹配 |
+| `grep` | POST /api/tools/grep | 内容搜索 |
 
-### 权限请求
-OpenCode 用 `requestPermission` 请求权限（edit / bash / webfetch 等工具）。
-当前实现：**自动 allow_once**（与 PoC 一致）。
+OpenCode 在给工具命名时会加 MCP server 名前缀，因此 LLM 看到的是 `sbx_read`、`sbx_write` 等。
 
-TODO：接入真实的 ToolConfirm UI 回调（复用 `askAnswers` / `toolConfirmation` 机制），
-需要把 ACP `requestPermission` 映射到 `AgentCallbackMessage.type='tool_confirm'`，
-并在收到用户决策后重新 resolve promise。**当前首版未做**，但框架已留接口。
+### 沙箱路径约束
+**必须使用相对路径**。沙箱侧的 `/api/tools/*` 对所有绝对路径返回 `403 Path traversal blocked`。
+相对路径会被解析到 scope 隔离目录 `/tmp/workspace/<envId>/<conversationId>/`。
 
-## 8. 首版已知限制
+AGENTS.md 已明确告诉模型这一点；bridge 不做路径转换（让沙箱自己判定最稳）。
 
-OpenCode runtime 实现为**最小可用**，暂不覆盖以下现有 Tencent SDK 特性：
+## 8. 测试结果
 
-| 特性 | 状态 |
-|---|---|
-| askAnswers resume（AskUserQuestion） | ❌ 未实现 |
-| toolConfirmation resume（ToolConfirm UI） | ❌ 未实现（默认 allow_once） |
-| 沙箱 (SCF) 集成 | ❌ 进程内本地执行，OpenCode 的 read/write/bash 走本地文件系统 |
-| coding-mode 初始化（dev server / preview proxy） | ❌ 未集成 |
-| 消息持久化到 CloudBase tasks collection | ⚠️ 只持久化 stream events，不落 messages 表 |
-| git-archive / persistence.syncMessages | ❌ 未集成 |
-| maxTurns | ❌ 交给 opencode 自己控制 |
-| permissionMode（plan 模式） | ❌ 可通过 session/set_mode 映射，但未接线 |
-
-**这些限制不影响首版验证架构可行性**。如果要投产 OpenCode 为主 runtime，需要补足上述项——但**架构本身对此开放**（IAgentRuntime 接口足够表达所有能力，实现方自行决定是否支持）。
-
-## 9. 测试结果
-
-### e2e#1: `test-opencode-runtime.mts`（直接调 runtime）
+### e2e#1: 本地模式（`test-opencode-runtime.mts`）
 ```
-[e2e] workdir = /tmp/opencode-runtime-e2e
-[e2e] available = true
-[tool_use ▶] write id=write:0 input={}
-[tool_result ◯] tool_use_id=write:0 is_error=false out={"output":"Wrote file successfully."...}
-[result] {"stopReason":"end_turn","usage":null}
+[e2e] event counts: {
+  "agent_phase": 2,
+  "tool_use": 1,
+  "tool_input_update": 1,
+  "tool_result": 1,
+  "text": 2,
+  "result": 1
+}
 hello.txt content: "hello from runtime"
-  text events:        PASS (2)
-  tool_use events:    PASS (1)
-  tool_result events: PASS (1)
-  result events:      PASS (1)
-  file created:       PASS
+PASS: file created with correct content
 OVERALL: PASS
 ```
 
-### e2e#2: `test-acp-http-e2e.mts`（起 server，公开端点）
+### e2e#2: HTTP 公开端点（`test-acp-http-e2e.mts`）
 ```
-/health = { status: 'ok', service: 'acp' }
-/runtimes = {
-  "default": "tencent-sdk",
-  "runtimes": [
-    { "name": "tencent-sdk", "available": true },
-    { "name": "opencode-acp", "available": true }
-  ]
-}
-  /health: PASS
-  /runtimes: PASS (opencode-acp registered)
+/health: PASS
+/runtimes: PASS (opencode-acp registered)
 ```
 
-### e2e#3: `test-acp-chat-http.mts`（完整 HTTP SSE，mock auth）
+### e2e#3: 完整 HTTP SSE（`test-acp-chat-http.mts`）
 ```
 status=200 content-type=text/event-stream
 received 21 SSE events
-event type distribution: {
-  "update:agent_phase": 2,
-  "update:agent_message_chunk": 18,
-  "DONE": 1
-}
-agent text: 我是OpenCode，一个运行在您计算机上的交互式通用AI代理，专注于通过实际行动
-  stream completed with [DONE]: PASS
-  received agent text:          PASS
+update:agent_message_chunk: 18
+update:agent_phase: 2
+DONE: 1
+agent text: 我是OpenCode，一个运行在您计算机上的交互式通用AI代理...
+OVERALL: PASS
+```
+
+### ★ e2e#4: 沙箱隔离（`test-opencode-sandbox-e2e.mts`）
+```
+[tool_use ▶] name=sbx_write id=sbx_write:0
+[tool_result ◯] out={"output":"Wrote file successfully."}
+[result] sandbox={ baseUrl: ".../sandbox-shared", conversationId: "sandbox-e2e-..." }
+
+[sandbox-e2e] sandbox file content = "1: hello from sandbox i24jd6en"
+[sandbox-e2e] local /tmp/hello-sandbox-...txt exists = false
+
+  text events:                 PASS
+  result event:                PASS
+  used sbx_* tools:            PASS (count=1)
+  did NOT use builtin tools:   PASS (count=0)
+  sandbox file has expected:   PASS
+  local NOT polluted:          PASS
 OVERALL: PASS
 ```
 
+这个 e2e 真实跑通了**完整链路**：
+- LLM（Moonshot Kimi） → MCP sbx_write → sandbox-mcp-bridge → SCF /api/tools/write → 沙箱文件系统
+- 直接调沙箱 /api/tools/read **独立验证**文件确实在沙箱里
+- 本地 /tmp/ 文件系统**未被污染**
+
 ### 质量校验
-- `pnpm type-check` ✅
+- `pnpm type-check` ✅（所有包）
 - `pnpm lint` ✅
-- `pnpm build` (server + web) ✅
-- `pnpm format` ✅（无格式化差异）
+- `pnpm build` ✅（server + web）
+- `pnpm format` ✅
 
-## 10. 如何运行 e2e 测试
+## 9. 首版限制
+
+| 特性 | 状态 |
+|---|---|
+| askAnswers resume（AskUserQuestion） | ❌ 未实现 |
+| toolConfirmation resume（ToolConfirm UI 对接） | ❌ 默认 allow_once |
+| coding-mode 模板初始化（vite dev server） | ❌ 未集成 |
+| git-archive / syncMessages DB 持久化 | ❌ 仅 stream events 落库 |
+| maxTurns / cancel 细节 | ⚠️ 只基础 abort |
+| permissionMode ('plan') | ⚠️ 可接 set_session_mode，未接线 |
+| OpenCode agent 的工具允许列表 wildcard 语法 | ✅ `sbx_*: true` 已验证 |
+
+## 10. 如何运行
 
 ```bash
-# 前提：
-#   1. npm i -g opencode-ai
-#   2. ~/.config/opencode/opencode.json 配好 moonshot provider
-#   3. ~/.local/share/opencode/auth.json 有 moonshot key
-#   4. packages/server/.env 填好 TCB_*（仅 e2e#2/#3 需要）
+# 前提
+npm i -g opencode-ai
+# ~/.config/opencode/opencode.json 配好 moonshot（或其他 provider）
+# ~/.local/share/opencode/auth.json 放 API key
+# packages/server/.env 填 TCB_* 等
+# pnpm install + pnpm build:server
 
 cd packages/server
 
-# e2e #1: runtime 层（最快，~60s）
+# e2e#1 本地模式 (~60s)
 npx tsx scripts/test-opencode-runtime.mts
 
-# e2e #2: HTTP 公开端点（~10s）
+# e2e#2 HTTP 公开端点 (~10s)
 npx tsx --env-file=.env scripts/test-acp-http-e2e.mts
 
-# e2e #3: 完整 SSE chat 流（~30s）
+# e2e#3 HTTP SSE (~60s)
 npx tsx --env-file=.env scripts/test-acp-chat-http.mts
+
+# e2e#4 沙箱隔离 ★ (~90s, 需要真实 SCF 环境)
+npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
 ```
 
-## 11. 后续路线图
+## 11. 设计决策
+
+### 为什么不把 opencode 塞到沙箱里？
+违反 agent/sandbox 分离原则：
+- agent（决策）应在受控 server 环境里，便于集中管理凭证、监控、升级
+- sandbox（执行）是"纯体力活"容器，应尽量纯净、快速启停
+- 把 agent 塞沙箱会让 sandbox 镜像臃肿、重启成本大、依赖版本难管控
 
-1. **完善 OpencodeAcpRuntime**（2-3 天）
-   - 实现 ToolConfirm 回调映射（`requestPermission` → `tool_confirm` → 用户决策 → resolve）
-   - 接入 `askAnswers` / `toolConfirmation` resume 机制
-   - 消息持久化到 tasks（参考 cloudbase-agent.service 的 `preSavePendingRecords` / `syncMessages`）
+### 为什么用 MCP 而不是 ACP client 回调？
+调研发现 OpenCode 的 ACP agent **不发 `fs/*` / `terminal/*` 回调**（所有内置工具在其进程内执行）。
+MCP 是 OpenCode 会主动调用的唯一可插拔扩展点。
 
-2. **SCF 沙箱化 OpenCode**（1-2 天）
-   - 打一个含 opencode-ai 的 SCF 镜像
-   - 改 OpencodeAcpRuntime，支持通过 CloudBase Gateway 转发 stdio 到 SCF
-   - 所有 read/write/bash 自动在沙箱内执行，和现有 SCF 架构一致
+### 为什么 per-session 临时目录（而不是全局 opencode.json）？
+- 不同 session 有不同的沙箱凭证（不同 user、不同 env）
+- opencode 读 cwd 下 `.opencode/opencode.json` 覆盖全局，天然做到 per-session 隔离
+- 避免 session 间 race condition（并发时互不干扰）
 
-3. **接入更多 agent**（每个 1-2 天）
-   - Claude Code ACP (`@agentclientprotocol/claude-agent-acp`)
-   - Gemini CLI (`gemini --experimental-acp`)
-   - Codex CLI（一旦确认其 ACP 启动方式）
+### 为什么 MCP bridge 是独立 .js 文件（而不是嵌入 runtime）？
+- OpenCode 期望 MCP server 是独立可执行（command + args）
+- 独立文件让 bridge 本身可被外部用户 inspect、debug、单独测
+- tsup bundle 出一份自包含的 js，部署只多一个文件
 
-4. **前端 UI**（0.5-1 天）
-   - Task 创建表单 + Settings 里加 runtime 选择器
-   - 基于 `GET /api/agent/runtimes` 动态列出
+### 为什么 LLM 看到的工具名是 `sbx_*`（不是 `sandbox_*`）？
+OpenCode 给 MCP 工具自动加 `<server_name>_` 前缀。
+我们把 server 名定为 `sbx`（短）、工具名就是 `read`/`write`/...，合成结果简洁。
+之前用 `sandbox_write` 会变成 `sbx_sandbox_write`，冗余。
 
-## 12. 设计决策
+## 12. 后续路线
 
-### 为什么 TencentSdkRuntime 是极薄 adapter 而不是重写？
-`cloudbase-agent.service.ts` 2200 行里沉淀了大量沙箱、coding-mode、persistence、askAnswers/toolConfirmation 业务。重写风险太高、收益有限。Adapter 模式确保 100% 行为兼容，零回归。
+1. **接 ToolConfirm UI**（1-2 天）
+   把 ACP `requestPermission` 与 MCP tool 执行前的确认映射到现有前端 ToolConfirm 组件。
 
-### 为什么 ACP runtime 每次都 spawn 新进程？
-OpenCode 本身支持单进程多 session，理论上可复用。但这会带来：
-- 进程生命周期管理复杂度（何时 kill？）
-- session 清理（opencode 里跑完不会自动 gc）
-- 凭证泄露风险（一个进程服务多用户）
+2. **消息持久化对齐 Tencent 路线**（2-3 天）
+   参考 `cloudbase-agent.service.ts` 的 `preSavePendingRecords` / `syncMessages` 做同样落库。
 
-首版选**每次新 spawn**，启动成本约 1-2s，可接受。后续可加进程池。
+3. **接更多 ACP agent**（每个 1-2 天）
+   Claude Code ACP、Gemini CLI、Qwen Code。都能复用 `OpencodeAcpRuntime` 的代码骨架，只需改启动命令。
 
-### 为什么 runtime 层不引入 IPersistence / ISandbox 子抽象？
-YAGNI。首版只证明"能切 agent"。Tencent runtime 直接用 `cloudbaseAgentService`（深度耦合 CloudBase），OpenCode runtime 只用 stream events（最小耦合）。等真正接入第 3 个 runtime、发现共同痛点再抽象。
+4. **前端 Runtime 选择器**（0.5 天）
+   Task 创建表单加下拉，基于 `GET /runtimes` 动态列出。
 
-### 为什么 `convertToSessionUpdate` 还留在 CloudbaseAgentService 的静态方法？
-它的输入是标准的 `AgentCallbackMessage`，输出是 ACP `SessionUpdate`，与任何 runtime 无关。保留静态位置避免过度重构（搬家会改 routes/acp.ts 的 import）。将来可以挪到 `agent/acp-event.ts` 或类似文件。
+5. **生产部署**（镜像打包、环境变量管理）
+   `sandbox-mcp-bridge.js` 已随 server 一起 build 到 dist，部署跟着走。
+   opencode 可通过镜像 `RUN npm i -g opencode-ai` 或 lazy install 策略。
 
 ## 13. 引用
 
 - Agent Client Protocol: https://agentclientprotocol.com
 - OpenCode: https://github.com/sst/opencode
-- ACP SDK: https://www.npmjs.com/package/@agentclientprotocol/sdk
-- 深度分析备忘录: `docs/opencode-acp-integration-memo.md`（首轮调研，已印证）
+- OpenCode Agent config: https://opencode.ai/docs/agents/
+- Model Context Protocol: https://modelcontextprotocol.io
+- 深度调研备忘录: `/Users/yang/git/coding-agent-template/docs/opencode-acp-integration-memo.md`
diff --git a/packages/server/package.json b/packages/server/package.json
index 15d4e64..905c925 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -9,8 +9,8 @@
     "./agent/cloudbase-agent.service": "./src/agent/cloudbase-agent.service.ts"
   },
   "scripts": {
-    "dev": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting --silent && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting --silent && DOTENVX_PATH=.env tsx watch --env-file=.env src/index.ts",
-    "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/index.ts --format esm --target node22",
+    "dev": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting --silent && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting --silent && tsup src/agent/runtime/sandbox-mcp-bridge.ts --format esm --outDir dist/agent/runtime --no-splitting --silent && DOTENVX_PATH=.env tsx watch --env-file=.env src/index.ts",
+    "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/agent/runtime/sandbox-mcp-bridge.ts --format esm --outDir dist/agent/runtime --no-splitting && tsup src/index.ts --format esm --target node22",
     "start": "node dist/index.js"
   },
   "dependencies": {
diff --git a/packages/server/scripts/test-opencode-sandbox-e2e.mts b/packages/server/scripts/test-opencode-sandbox-e2e.mts
new file mode 100644
index 0000000..678e98d
--- /dev/null
+++ b/packages/server/scripts/test-opencode-sandbox-e2e.mts
@@ -0,0 +1,156 @@
+#!/usr/bin/env tsx
+/**
+ * 沙箱隔离端到端测试
+ *
+ * 验证目标：
+ *   1. 有 envId 时，runtime 自动获取沙箱实例
+ *   2. opencode 的 session/new 读 per-session .opencode/opencode.json（禁用内置 read/write）
+ *   3. LLM 调用 sandbox MCP bridge 工具（sbx_write 等）
+ *   4. sandbox MCP bridge 通过 HTTP 把请求打到沙箱容器
+ *   5. 文件真的在沙箱容器内写入（用另一条路径——直接调沙箱 /api/tools/read——确认）
+ *   6. 本地文件系统干净，没被污染
+ *
+ * 前提：
+ *   - packages/server/.env 配了 TCB_*、CODEBUDDY_* 等
+ *   - opencode CLI 已装 + Moonshot provider 已配（见 ~/.config/opencode/opencode.json）
+ *   - sandbox-mcp-bridge.js 已构建（pnpm build:server）
+ *
+ * 用法（packages/server 目录）：
+ *   npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
+ */
+
+import 'dotenv/config'
+import fs from 'node:fs'
+import { opencodeAcpRuntime } from '../src/agent/runtime/opencode-acp-runtime.js'
+import { scfSandboxManager } from '../src/sandbox/scf-sandbox-manager.js'
+import type { AgentCallbackMessage } from '@coder/shared'
+
+const envId = process.env.TCB_ENV_ID
+if (!envId) {
+  console.error('TCB_ENV_ID not set in env — cannot run sandbox e2e')
+  process.exit(1)
+}
+
+const conversationId = 'sandbox-e2e-' + Date.now()
+const testFilename = `hello-sandbox-${Date.now()}.txt`
+const expectedContent = `hello from sandbox ${Math.random().toString(36).slice(2, 10)}`
+// 沙箱要求相对路径（绝对路径会被 Path traversal 拦截）
+const sandboxRelPath = testFilename
+
+console.log(`[sandbox-e2e] envId=${envId}`)
+console.log(`[sandbox-e2e] conversationId=${conversationId}`)
+console.log(`[sandbox-e2e] testFile (relative)=${sandboxRelPath}`)
+console.log(`[sandbox-e2e] expectedContent=${JSON.stringify(expectedContent)}\n`)
+
+// Make sure local /tmp doesn't have a stale file — e2e will verify local stays clean
+const localMirror = `/tmp/${testFilename}`
+try {
+  fs.unlinkSync(localMirror)
+} catch {
+  /* noop */
+}
+
+// 事件收集
+interface RecordedEvent {
+  type: string
+  name?: string
+  content?: string
+}
+const events: RecordedEvent[] = []
+
+const cb = async (msg: AgentCallbackMessage): Promise<void> => {
+  events.push({ type: msg.type, name: msg.name, content: typeof msg.content === 'string' ? msg.content.slice(0, 120) : undefined })
+  if (msg.type === 'text' && msg.content) process.stdout.write(msg.content)
+  else if (msg.type === 'tool_use')
+    console.log(`\n[tool_use ▶] name=${msg.name} id=${msg.id} input=${JSON.stringify(msg.input).slice(0, 200)}`)
+  else if (msg.type === 'tool_result')
+    console.log(`[tool_result ◯] tool_use_id=${msg.tool_use_id} is_error=${msg.is_error} out=${(msg.content || '').slice(0, 200)}`)
+  else if (msg.type === 'agent_phase') console.log(`\n[phase] ${msg.phase}`)
+  else if (msg.type === 'error') console.log(`\n[error] ${msg.content}`)
+  else if (msg.type === 'result') console.log(`\n[result] ${msg.content}`)
+}
+
+console.log('[sandbox-e2e] === starting chatStream (sandbox mode) ===')
+const { turnId } = await opencodeAcpRuntime.chatStream(
+  `请使用 sbx_write 工具在沙箱里创建文件 ${sandboxRelPath}（使用相对路径，不要写 /workspace 前缀），内容正好一行：${expectedContent}\n不要加引号、不要加 markdown、不要多余换行。完成后简短告诉我已完成。`,
+  cb,
+  {
+    conversationId,
+    envId,
+    userId: 'e2e-user',
+    model: 'moonshot/kimi-k2-0905-preview',
+  },
+)
+console.log(`\n[sandbox-e2e] chatStream returned: turnId=${turnId}`)
+
+// 等 result
+const startTime = Date.now()
+while (Date.now() - startTime < 180000) {
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) break
+  await new Promise((r) => setTimeout(r, 500))
+}
+
+console.log('\n\n[sandbox-e2e] === validation ===')
+
+// 1. 事件计数
+const counts: Record<string, number> = {}
+for (const e of events) counts[e.type] = (counts[e.type] ?? 0) + 1
+console.log('[sandbox-e2e] event counts:', JSON.stringify(counts))
+
+// 2. 确认调了 sbx_* 工具
+const sbxToolUses = events.filter((e) => e.type === 'tool_use' && typeof e.name === 'string' && e.name.startsWith('sbx'))
+const builtinWriteUses = events.filter(
+  (e) => e.type === 'tool_use' && (e.name === 'write' || e.name === 'edit' || e.name === 'bash'),
+)
+console.log(`[sandbox-e2e] sbx_* tool_use count: ${sbxToolUses.length}`)
+console.log(`[sandbox-e2e] builtin write/edit/bash tool_use count: ${builtinWriteUses.length}`)
+
+// 3. 验证沙箱内文件确实写入（直接调沙箱 /api/tools/read）
+console.log('\n[sandbox-e2e] querying sandbox /api/tools/read to verify...')
+let sandboxReadOk = false
+let sandboxReadContent = ''
+try {
+  const sandbox = await scfSandboxManager.getOrCreate(conversationId, envId, {
+    mode: 'shared',
+    workspaceIsolation: 'shared',
+  })
+  const headers = await sandbox.getAuthHeaders()
+  const res = await fetch(`${sandbox.baseUrl}/api/tools/read`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify({ path: sandboxRelPath }),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: any; error?: string }
+  if (data.success && typeof data.result?.content === 'string') {
+    sandboxReadContent = data.result.content
+    sandboxReadOk = sandboxReadContent.includes(expectedContent)
+    console.log(`[sandbox-e2e] sandbox file content = ${JSON.stringify(sandboxReadContent.slice(0, 200))}`)
+  } else {
+    console.log(`[sandbox-e2e] sandbox read failed: ${data.error ?? JSON.stringify(data).slice(0, 200)}`)
+  }
+} catch (e) {
+  console.log(`[sandbox-e2e] sandbox read error: ${(e as Error).message}`)
+}
+
+// 4. 验证本地未被污染
+const localExists = fs.existsSync(localMirror)
+console.log(`[sandbox-e2e] local /tmp/${testFilename} exists = ${localExists} (should be false)`)
+
+// ─── Assertions ─────────────────────────────────────────────────────────────
+const hasText = (counts.text ?? 0) > 0
+const hasResult = (counts.result ?? 0) > 0
+const usedSandboxMcp = sbxToolUses.length > 0
+const noBuiltinTools = builtinWriteUses.length === 0
+
+console.log('\n[sandbox-e2e] assertions:')
+console.log(`  text events:                 ${hasText ? 'PASS' : 'FAIL'}`)
+console.log(`  result event:                ${hasResult ? 'PASS' : 'FAIL'}`)
+console.log(`  used sbx_* tools:            ${usedSandboxMcp ? 'PASS' : 'FAIL'} (count=${sbxToolUses.length})`)
+console.log(`  did NOT use builtin tools:   ${noBuiltinTools ? 'PASS' : 'FAIL'} (count=${builtinWriteUses.length})`)
+console.log(`  sandbox file has expected:   ${sandboxReadOk ? 'PASS' : 'FAIL'}`)
+console.log(`  local NOT polluted:          ${!localExists ? 'PASS' : 'FAIL'}`)
+
+const overall = hasText && hasResult && usedSandboxMcp && noBuiltinTools && sandboxReadOk && !localExists
+console.log(`\n[sandbox-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/acp-transport.ts b/packages/server/src/agent/runtime/acp-transport.ts
new file mode 100644
index 0000000..907ef29
--- /dev/null
+++ b/packages/server/src/agent/runtime/acp-transport.ts
@@ -0,0 +1,181 @@
+/**
+ * ACP Transport 抽象
+ *
+ * 把"启动 opencode acp 进程 + 建立 NDJSON stdio 通道"的具体机制
+ * 与 runtime 的事件翻译层解耦。
+ *
+ * 当前只有一种 transport：
+ *
+ *  LocalStdioTransport：spawn 本地 `opencode acp` 子进程，pipe stdin/stdout 为 NDJSON Stream
+ *
+ * 为什么不做"在沙箱里跑 opencode"的 transport？
+ *   - Agent 与 Sandbox 应严格分离（agent 负责决策、sandbox 负责执行）
+ *   - 把 agent 塞进沙箱违反这一原则
+ *   - 正确的隔离方式：让 agent 在 server 本地跑，但把它的工具调用桥接到沙箱
+ *     （见 sandbox-mcp-bridge.ts + opencode-agent-config.ts）
+ */
+
+import { spawn, type ChildProcessWithoutNullStreams } from 'node:child_process'
+import { ndJsonStream, type Stream } from '@agentclientprotocol/sdk'
+
+// ─── Core Interfaces ────────────────────────────────────────────────────────
+
+export interface AcpTransport {
+  /** ACP SDK 使用的双向 NDJSON 流 */
+  readonly stream: Stream
+  /**
+   * 等待底层进程退出。transport 实现应在进程退出时 resolve 此 promise，
+   * 用于 runtime 检测异常退出并上报 error。
+   */
+  readonly exit: Promise<{ code: number | null; signal: NodeJS.Signals | null }>
+  /**
+   * 主动关闭 transport（杀进程 + 关闭流）。幂等。
+   */
+  close(): void
+}
+
+export interface AcpTransportFactoryContext {
+  /** 工作目录（对应 opencode acp --cwd）。可以是一个临时目录，用来放自定义 agent 配置 */
+  cwd: string
+  /** abort 信号；transport 实现必须监听并在 abort 时触发 close() */
+  signal: AbortSignal
+  /** 调试开关：透传到 transport 的 stderr 打印行为 */
+  debug?: boolean
+  /** 附加环境变量（如 OPENCODE_CONFIG 指向 per-session 配置文件） */
+  env?: Record<string, string>
+}
+
+export type AcpTransportFactory = (ctx: AcpTransportFactoryContext) => Promise<AcpTransport>
+
+// ─── Local stdio transport ──────────────────────────────────────────────────
+
+const LOCAL_OPENCODE_BIN = process.env.OPENCODE_BIN || 'opencode'
+const LOCAL_SPAWN_TIMEOUT_MS = 15_000
+
+export const createLocalStdioTransport: AcpTransportFactory = async (ctx) => {
+  const child = await spawnLocalOpencode(ctx.cwd, ctx.signal, ctx.debug ?? false, ctx.env)
+
+  const stream = ndJsonStream(
+    new WritableStream<Uint8Array | string>({
+      write(chunk) {
+        return new Promise((resolve, reject) => {
+          const data = typeof chunk === 'string' ? chunk : Buffer.from(chunk)
+          child.stdin.write(data, (err) => (err ? reject(err) : resolve()))
+        })
+      },
+      close() {
+        try {
+          child.stdin.end()
+        } catch {
+          /* noop */
+        }
+      },
+    }),
+    new ReadableStream<Uint8Array>({
+      start(controller) {
+        child.stdout.on('data', (chunk: Buffer) => controller.enqueue(new Uint8Array(chunk)))
+        child.stdout.on('end', () => {
+          try {
+            controller.close()
+          } catch {
+            /* noop */
+          }
+        })
+        child.stdout.on('error', (err) => controller.error(err))
+      },
+    }),
+  )
+
+  const exit = new Promise<{ code: number | null; signal: NodeJS.Signals | null }>((resolve) => {
+    child.on('exit', (code, sig) => resolve({ code, signal: sig }))
+  })
+
+  return {
+    stream,
+    exit,
+    close() {
+      try {
+        child.kill('SIGTERM')
+      } catch {
+        /* noop */
+      }
+    },
+  }
+}
+
+async function spawnLocalOpencode(
+  cwd: string,
+  signal: AbortSignal,
+  debug: boolean,
+  extraEnv?: Record<string, string>,
+): Promise<ChildProcessWithoutNullStreams> {
+  return new Promise((resolve, reject) => {
+    const child = spawn(LOCAL_OPENCODE_BIN, ['acp', '--cwd', cwd], {
+      stdio: ['pipe', 'pipe', 'pipe'],
+      env: { ...process.env, ...(extraEnv ?? {}) },
+    })
+
+    let settled = false
+    const onAbort = () => {
+      try {
+        child.kill('SIGTERM')
+      } catch {
+        /* noop */
+      }
+    }
+    signal.addEventListener('abort', onAbort)
+
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true
+        try {
+          child.kill('SIGKILL')
+        } catch {
+          /* noop */
+        }
+        reject(new Error('opencode acp spawn timeout'))
+      }
+    }, LOCAL_SPAWN_TIMEOUT_MS)
+
+    child.on('error', (err) => {
+      if (!settled) {
+        settled = true
+        clearTimeout(timer)
+        reject(err)
+      }
+    })
+
+    child.on('spawn', () => {
+      if (!settled) {
+        settled = true
+        clearTimeout(timer)
+        resolve(child)
+      }
+    })
+
+    child.stderr?.on('data', (chunk) => {
+      if (debug) {
+        process.stderr.write('[opencode stderr] ' + chunk.toString())
+      }
+    })
+  })
+}
+
+// ─── Transport Registry ─────────────────────────────────────────────────────
+
+export type AcpTransportKind = 'local-stdio'
+
+const FACTORIES: Record<AcpTransportKind, AcpTransportFactory> = {
+  'local-stdio': createLocalStdioTransport,
+}
+
+export function getAcpTransportFactory(kind: AcpTransportKind): AcpTransportFactory {
+  const f = FACTORIES[kind]
+  if (!f) throw new Error(`Unknown ACP transport kind: ${kind}`)
+  return f
+}
+
+export function resolveAcpTransportKind(_opts: { kind?: AcpTransportKind } = {}): AcpTransportKind {
+  // 目前只有一种 transport，保留函数签名以便未来扩展（例如 WebSocket 转发给远端 agent 集群）
+  return 'local-stdio'
+}
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 1a194ab..3cd38bd 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -1,42 +1,44 @@
 /**
  * OpencodeAcpRuntime
  *
- * 把 OpenCode (`opencode acp` 子进程) 包装成 IAgentRuntime。
+ * 基于 ACP 协议的 OpenCode agent runtime，严格遵守 agent/sandbox 分离原则。
  *
  * 架构：
- *   chatStream() ──fire-and-forget──► launchAgent()
- *                                       │
- *                                       ▼
- *                          spawn `opencode acp --cwd <cwd>`
- *                                       │
- *                                       ▼
- *                          ClientSideConnection (NDJSON over stdio)
- *                                       │
- *                                       ▼
- *                       initialize → newSession → setSessionModel? → prompt
- *                                       │
- *                                       ▼
- *                       session/update / requestPermission events
- *                                       │
- *                                       ▼
- *                       翻译为 AgentCallbackMessage → callback
  *
- * 与 TencentSdkRuntime 的差异：
- * - 进程外 agent（每次 chat 重新 spawn 一个 opencode 子进程；轻量、隔离干净）
- * - 工具执行在 opencode 进程内（Node fs / child_process），ACP client 回调仅用于
- *   session/update + requestPermission（不实现 fs/* terminal/*，因为 OpenCode 不会发）
- * - 不集成现有 sandbox/coding-mode/git-archive 复杂度（首版求最小可用）
+ *   server 进程
+ *   │
+ *   ├─ opencode acp (子进程, agent 域)
+ *   │    │
+ *   │    ├─ 内置 read/write/bash/edit/... — 已禁用（per-session agent config）
+ *   │    │
+ *   │    └─ MCP client → stdio spawn sandbox-mcp-bridge.js
+ *   │                      │
+ *   │                      ▼ HTTP
+ *   │            ┌─────────────────────┐
+ *   │            │  Sandbox (SCF)      │
+ *   │            │   /api/tools/read   │
+ *   │            │   /api/tools/write  │
+ *   │            │   /api/tools/bash   │
+ *   │            │   /workspace        │
+ *   │            └─────────────────────┘
+ *   │
+ *   └─ IAgentRuntime.chatStream()
+ *        │
+ *        ▼
+ *      1. 为本次 session 准备临时工作目录（放配置 + AGENTS.md）
+ *      2. 获取 sandbox instance（从 scfSandboxManager）
+ *      3. spawn opencode acp --cwd <临时目录>
+ *      4. ACP 握手 → newSession（mcpServers 传入 sandbox-mcp-bridge）
+ *      5. setSessionMode('sandboxed') 锁定只能用 sbx_* 工具
+ *      6. prompt → 翻译 session/update 为 AgentCallbackMessage
+ *      7. 清理临时目录、kill 子进程
  *
- * 已知限制（首版）：
- * - 不支持 resume（askAnswers / toolConfirmation 暂不处理）
- * - 不持久化 message 到 DB（仅 stream events 落库供 SSE replay）
- * - 不支持 maxTurns / cwd 之外的高级 options
- * - cwd 直接用 process.cwd() 或 options.cwd，不创建沙箱目录
+ * 首版仍保留：如果没有 envId（本地开发），自动退回"无沙箱模式"，工具本地执行。
+ * 这样 e2e#1 (本地模式) 与生产沙箱模式可以共存。
  */
 
-import { spawn, type ChildProcessWithoutNullStreams } from 'node:child_process'
 import { v4 as uuidv4 } from 'uuid'
-import { ClientSideConnection, ndJsonStream, type Stream } from '@agentclientprotocol/sdk'
+import { ClientSideConnection } from '@agentclientprotocol/sdk'
 import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
 import type { ChatStreamResult, IAgentRuntime } from './types.js'
 import type { ModelInfo } from '../cloudbase-agent.service.js'
@@ -50,28 +52,77 @@ import {
 } from '../agent-registry.js'
 import { persistenceService } from '../persistence.service.js'
 import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
+import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
+import { createSessionWorkspace, type SessionWorkspace } from './opencode-session-config.js'
+import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
+import { spawn } from 'node:child_process'
+import path from 'node:path'
+import fs from 'node:fs'
+import { fileURLToPath } from 'node:url'
 
 // ─── Config ──────────────────────────────────────────────────────────────
 
-/** opencode CLI 可执行路径，可由环境变量覆盖 */
 const OPENCODE_BIN = process.env.OPENCODE_BIN || 'opencode'
 
 /** 默认模型（OpenCode 模型 id 格式: provider/model[/variant]） */
 const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'moonshot/kimi-k2-0905-preview'
 
-/** 子进程启动超时（ms） */
-const SPAWN_TIMEOUT_MS = 15000
+/** 工作空间根（沙箱侧） */
+const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '/workspace'
+
+// ─── Helpers ─────────────────────────────────────────────────────────────
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+
+/**
+ * 解析 sandbox-mcp-bridge.js 的绝对路径。
+ *
+ * 三种运行形态：
+ *   1. 源码（tsx watch dev）：__filename = ...src/agent/runtime/opencode-acp-runtime.ts
+ *      → 期望 dist 产物在 ../../../dist/agent/runtime/sandbox-mcp-bridge.js
+ *   2. 构建后（node dist/index.js）：__filename = ...dist/index.js
+ *      → 在 同目录/agent/runtime/sandbox-mcp-bridge.js
+ *   3. 环境变量 override：SANDBOX_MCP_BRIDGE_PATH=...
+ */
+function resolveMcpBridgePath(): string {
+  const fromEnv = process.env.SANDBOX_MCP_BRIDGE_PATH
+  if (fromEnv) return fromEnv
+
+  const candidates = [
+    // 1. src 运行：走到项目 dist
+    path.resolve(__dirname, '../../../dist/agent/runtime/sandbox-mcp-bridge.js'),
+    // 2. dist 运行：同目录
+    path.resolve(__dirname, 'sandbox-mcp-bridge.js'),
+    // 3. monorepo root dist
+    path.resolve(__dirname, '../../../../packages/server/dist/agent/runtime/sandbox-mcp-bridge.js'),
+  ]
+  for (const c of candidates) {
+    try {
+      if (fs.existsSync(c)) return c
+    } catch {
+      /* noop */
+    }
+  }
+  // 兜底：返回第一个猜测，spawn 时会报错
+  return candidates[0]
+}
+
+// ─── Types ───────────────────────────────────────────────────────────────
+
+export interface OpencodeAcpRuntimeOptions {
+  /** 工作空间根目录（沙箱内），默认 /workspace */
+  sandboxWorkspaceRoot?: string
+}
 
 // ─── Runtime ─────────────────────────────────────────────────────────────
 
 export class OpencodeAcpRuntime implements IAgentRuntime {
   readonly name = 'opencode-acp'
 
-  /** 进程缓存：conversationId → child（按需复用，目前每次都新建） */
-  // private readonly procs = new Map<string, ChildProcessWithoutNullStreams>()
+  constructor(private readonly runtimeOpts: OpencodeAcpRuntimeOptions = {}) {}
 
   async isAvailable(): Promise<boolean> {
-    // 简化：尝试 spawn 一次 --version。生产环境可缓存结果。
     return new Promise((resolve) => {
       try {
         const child = spawn(OPENCODE_BIN, ['--version'], { stdio: 'ignore' })
@@ -98,8 +149,6 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
   }
 
   async getSupportedModels(): Promise<ModelInfo[]> {
-    // 简化版：返回硬编码的 Moonshot 模型清单，避免 spawn 开销。
-    // 完善版应 spawn 一个 acp 进程做 newSession 并读取 availableModels。
     return [
       { id: 'moonshot/kimi-k2-0905-preview', name: 'Kimi K2 (0905)', vendor: 'Moonshot' },
       { id: 'moonshot/kimi-k2-turbo-preview', name: 'Kimi K2 Turbo', vendor: 'Moonshot' },
@@ -127,7 +176,6 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       abortController,
     })
 
-    // fire-and-forget
     this.launchAgent(prompt, callback, options, conversationId, turnId, abortController).catch((err) => {
       console.error('[OpencodeAcpRuntime] background agent error:', err)
     })
@@ -135,9 +183,6 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     return { turnId, alreadyRunning: false }
   }
 
-  /**
-   * 后台执行 opencode acp 一轮对话。
-   */
   private async launchAgent(
     prompt: string,
     liveCallback: AgentCallback | null,
@@ -148,81 +193,70 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
   ): Promise<void> {
     const envId = options.envId || ''
     const userId = options.userId || 'anonymous'
-    const cwd = options.cwd || process.cwd()
     const modelId = options.model || DEFAULT_OPENCODE_MODEL
 
-    let child: ChildProcessWithoutNullStreams | null = null
-    let endedNormally = false
+    const emit = makeEmitter({ liveCallback, envId, userId, conversationId, turnId })
 
-    /** 把 AgentCallbackMessage 同时推 liveCallback 和 stream events DB */
-    const emit = async (msg: AgentCallbackMessage) => {
-      // 注入 ids
-      const enriched: AgentCallbackMessage = {
-        ...msg,
-        sessionId: conversationId,
-        assistantMessageId: turnId,
-      }
-      if (liveCallback) {
+    let transport: AcpTransport | null = null
+    let workspace: SessionWorkspace | null = null
+    let sandbox: SandboxInstance | null = null
+
+    try {
+      // 1. 获取沙箱（有 envId 时）
+      if (envId) {
         try {
-          const seq = getNextSeq(conversationId)
-          await liveCallback(enriched, seq)
+          sandbox = await scfSandboxManager.getOrCreate(conversationId, envId, {
+            mode: 'shared',
+            workspaceIsolation: 'shared',
+          })
         } catch (e) {
-          console.error('[OpencodeAcpRuntime] liveCallback error:', e)
+          console.warn('[OpencodeAcpRuntime] sandbox getOrCreate failed:', (e as Error).message)
+          throw new Error(`Sandbox unavailable: ${(e as Error).message}`)
         }
       }
-      // 落库 stream event 供 SSE replay
-      // 没有 envId 时跳过（典型场景：单元测试 / e2e 脚本，没接 CloudBase）
-      if (envId) {
-        const acpEvent = CloudbaseAgentService.convertToSessionUpdate(enriched, conversationId)
-        if (acpEvent) {
-          const seq = getAgentRun(conversationId)?.lastSeq ?? 0
-          persistenceService
-            .appendStreamEvents([
-              {
-                eventId: uuidv4(),
-                conversationId,
-                turnId,
-                envId,
-                userId,
-                event: acpEvent,
-                seq,
-                createTime: Date.now(),
-              },
-            ])
-            .catch((e) => console.error('[OpencodeAcpRuntime] appendStreamEvents error:', e))
-        }
-      }
-    }
 
-    try {
-      // 1. spawn opencode acp
-      child = await this.spawnOpencodeAcp(cwd, abortController.signal)
-
-      // 2. 建立 ACP 连接
-      const stream = makeNdJsonStream(child)
-      const conn = createConnection(stream, {
-        onSessionUpdate: async (update) => {
-          await this.handleSessionUpdate(update, emit)
-        },
-        onRequestPermission: async (params) => {
-          // 把权限请求转成 tool_confirm 推给前端
-          await emit({
-            type: 'tool_confirm',
-            id: params.toolCall?.toolCallId || uuidv4(),
-            name: params.toolCall?.title || 'unknown',
-            input: (params.toolCall?.rawInput as Record<string, unknown>) || {},
-          })
-          // 当前版本：默认 allow_once（与 PoC 一致）。
-          // TODO: 接入真实 ToolConfirm UI 回调（需要 askAnswers/toolConfirmation 流程）。
-          const opt =
-            params.options.find((o: { kind: string }) => o.kind === 'allow_once') ??
-            params.options.find((o: { kind: string }) => o.kind === 'allow_always') ??
-            params.options[0]
-          return { outcome: { outcome: 'selected', optionId: opt!.optionId } }
-        },
+      await emit({ type: 'agent_phase', phase: 'preparing' })
+
+      // 2. 创建 per-session 工作目录 + opencode 配置
+      workspace = await createSessionWorkspace({
+        sandbox: sandbox ?? undefined,
+        sandboxWorkspaceRoot: this.runtimeOpts.sandboxWorkspaceRoot ?? SANDBOX_WORKSPACE_ROOT,
+        mcpBridgePath: resolveMcpBridgePath(),
+        localWorkspaceDir: options.cwd,
+      })
+
+      // 3. spawn opencode acp
+      const factory = getAcpTransportFactory('local-stdio')
+      transport = await factory({
+        cwd: workspace.dir,
+        signal: abortController.signal,
+        debug: process.env.OPENCODE_ACP_DEBUG === '1',
       })
 
-      // 3. ACP 握手
+      // 4. 建立 ACP connection — 这里不挂 fs/terminal 回调（OpenCode 不会调）
+      const conn = new ClientSideConnection(
+        () => ({
+          sessionUpdate: async (params) => {
+            await this.handleSessionUpdate(params.update, emit)
+          },
+          requestPermission: async (params) => {
+            await emit({
+              type: 'tool_confirm',
+              id: params.toolCall?.toolCallId || uuidv4(),
+              name: params.toolCall?.title || 'unknown',
+              input: (params.toolCall?.rawInput as Record<string, unknown>) || {},
+            })
+            const opt =
+              params.options.find((o: { kind: string }) => o.kind === 'allow_once') ??
+              params.options.find((o: { kind: string }) => o.kind === 'allow_always') ??
+              params.options[0]
+            return { outcome: { outcome: 'selected', optionId: opt!.optionId } }
+          },
+        }),
+        transport.stream,
+      )
+
+      // 5. ACP 握手
       await conn.initialize({
         protocolVersion: 1,
         clientCapabilities: {
@@ -231,26 +265,35 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         },
       })
 
-      // 4. 创建 session
+      // 6. 创建 session — 此处**不传 mcpServers**，因为我们在 opencode.json 里已经配了
+      //    mcp.sbx（local stdio）。OpenCode 启动时会读 cwd 下的 .opencode/opencode.json。
       const newRes = await conn.newSession({
-        cwd,
+        cwd: workspace.dir,
         mcpServers: [],
       })
       const opencodeSessionId = newRes.sessionId
 
-      // 5. 选择 model（best effort）
+      // 7. 切到 sandboxed agent mode（禁用所有内置工具）
+      try {
+        await conn.setSessionMode({
+          sessionId: opencodeSessionId,
+          modeId: workspace.agentMode,
+        })
+      } catch (e) {
+        console.warn('[OpencodeAcpRuntime] setSessionMode failed (continuing):', (e as Error).message)
+      }
+
+      // 8. 选择模型
       try {
         await conn.unstable_setSessionModel({
           sessionId: opencodeSessionId,
           modelId,
         })
       } catch (e) {
-        console.warn('[OpencodeAcpRuntime] setSessionModel failed (continuing):', (e as Error).message)
+        console.warn('[OpencodeAcpRuntime] setSessionModel failed:', (e as Error).message)
       }
 
-      // 6. 发送 prompt（阻塞直到完成）
-      await emit({ type: 'agent_phase', phase: 'preparing' })
-
+      // 9. 发送 prompt（阻塞直到完成）
       const promptRes = await conn.prompt({
         sessionId: opencodeSessionId,
         prompt: [{ type: 'text', text: prompt }],
@@ -261,12 +304,12 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         type: 'result',
         content: JSON.stringify({
           stopReason: promptRes.stopReason,
-          // PromptResponse 的 usage 在 _meta 内，不同 agent 有不同字段位置
           usage: (promptRes as { _meta?: { usage?: unknown } })._meta?.usage ?? null,
+          sandbox: sandbox ? { baseUrl: sandbox.baseUrl, conversationId: sandbox.conversationId } : null,
+          workspaceDir: workspace.dir,
         }),
       })
 
-      endedNormally = true
       completeAgent(conversationId, 'completed')
     } catch (error: any) {
       const isAbort = abortController.signal.aborted || error?.name === 'AbortError'
@@ -281,26 +324,26 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       }
       completeAgent(conversationId, isAbort ? 'cancelled' : 'error', String(error?.message || error))
     } finally {
-      // 清理子进程
-      if (child) {
+      if (transport) {
         try {
-          child.kill('SIGTERM')
+          transport.close()
         } catch {
           /* noop */
         }
       }
-      // 延后 remove，给 SSE poll 留窗口
-      setTimeout(() => removeAgent(conversationId, turnId), 5000)
-      if (!endedNormally) {
-        // already handled above
+      if (workspace) {
+        try {
+          workspace.cleanup()
+        } catch {
+          /* noop */
+        }
       }
+      setTimeout(() => removeAgent(conversationId, turnId), 5000)
     }
   }
 
   /**
-   * 把 ACP session/update 翻译成内部 AgentCallbackMessage。
-   * OpenCode 的 SessionUpdate tag 集合见
-   * https://agentclientprotocol.com/protocol/notifications#session-update
+   * ACP session/update → 内部 AgentCallbackMessage。
    */
   private async handleSessionUpdate(update: any, emit: (msg: AgentCallbackMessage) => Promise<void>): Promise<void> {
     const tag = update.sessionUpdate as string | undefined
@@ -340,7 +383,6 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
             is_error: status === 'failed',
           })
         } else {
-          // in_progress / pending：作为 input update 推（前端可选展示）
           await emit({
             type: 'tool_input_update',
             id: update.toolCallId,
@@ -350,7 +392,6 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         break
       }
       case 'plan': {
-        // 把 plan 作为一个特殊的 thinking 段（首版极简处理）
         await emit({
           type: 'thinking',
           content: `[plan] ${JSON.stringify(update.entries ?? [])}`,
@@ -360,145 +401,60 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       case 'available_commands_update':
       case 'usage_update':
       case 'current_mode_update':
-        // 静默吞掉（OpenCode 噪声）
         break
       default:
-        // 未识别的事件 → 调试日志
         if (process.env.OPENCODE_ACP_DEBUG) {
           console.log('[OpencodeAcpRuntime] unhandled session/update:', tag, JSON.stringify(update).slice(0, 200))
         }
     }
   }
-
-  /**
-   * spawn opencode acp 子进程，等到它真的启动（短暂延迟）后返回。
-   */
-  private async spawnOpencodeAcp(cwd: string, abortSignal: AbortSignal): Promise<ChildProcessWithoutNullStreams> {
-    return new Promise((resolve, reject) => {
-      const child = spawn(OPENCODE_BIN, ['acp', '--cwd', cwd], {
-        stdio: ['pipe', 'pipe', 'pipe'],
-        env: { ...process.env },
-      })
-
-      let settled = false
-      const onAbort = () => {
-        try {
-          child.kill('SIGTERM')
-        } catch {
-          /* noop */
-        }
-      }
-      abortSignal.addEventListener('abort', onAbort)
-
-      const timer = setTimeout(() => {
-        if (!settled) {
-          settled = true
-          try {
-            child.kill('SIGKILL')
-          } catch {
-            /* noop */
-          }
-          reject(new Error('opencode acp spawn timeout'))
-        }
-      }, SPAWN_TIMEOUT_MS)
-
-      child.on('error', (err) => {
-        if (!settled) {
-          settled = true
-          clearTimeout(timer)
-          reject(err)
-        }
-      })
-
-      child.on('spawn', () => {
-        if (!settled) {
-          settled = true
-          clearTimeout(timer)
-          resolve(child)
-        }
-      })
-
-      child.stderr?.on('data', (chunk) => {
-        if (process.env.OPENCODE_ACP_DEBUG) {
-          process.stderr.write('[opencode stderr] ' + chunk.toString())
-        }
-      })
-
-      child.on('exit', (code, sig) => {
-        if (process.env.OPENCODE_ACP_DEBUG) {
-          console.log(`[OpencodeAcpRuntime] child exit code=${code} signal=${sig}`)
-        }
-      })
-    })
-  }
 }
 
 // ─── Helpers ─────────────────────────────────────────────────────────────
 
-/**
- * 把 child_process 的 stdin/stdout 包装成 ACP SDK 需要的 NDJSON Stream。
- */
-function makeNdJsonStream(child: ChildProcessWithoutNullStreams): Stream {
-  const writable = new WritableStream<Uint8Array | string>({
-    write(chunk) {
-      return new Promise((resolve, reject) => {
-        const data = typeof chunk === 'string' ? chunk : Buffer.from(chunk)
-        child.stdin.write(data, (err) => (err ? reject(err) : resolve()))
-      })
-    },
-    close() {
+function makeEmitter(ctx: {
+  liveCallback: AgentCallback | null
+  envId: string
+  userId: string
+  conversationId: string
+  turnId: string
+}): (msg: AgentCallbackMessage) => Promise<void> {
+  const { liveCallback, envId, userId, conversationId, turnId } = ctx
+  return async (msg) => {
+    const enriched: AgentCallbackMessage = {
+      ...msg,
+      sessionId: conversationId,
+      assistantMessageId: turnId,
+    }
+    if (liveCallback) {
       try {
-        child.stdin.end()
-      } catch {
-        /* noop */
+        const seq = getNextSeq(conversationId)
+        await liveCallback(enriched, seq)
+      } catch (e) {
+        console.error('[OpencodeAcpRuntime] liveCallback error:', e)
       }
-    },
-  })
-
-  const readable = new ReadableStream<Uint8Array>({
-    start(controller) {
-      child.stdout.on('data', (chunk: Buffer) => controller.enqueue(new Uint8Array(chunk)))
-      child.stdout.on('end', () => {
-        try {
-          controller.close()
-        } catch {
-          /* noop */
-        }
-      })
-      child.stdout.on('error', (err) => controller.error(err))
-    },
-  })
-
-  return ndJsonStream(writable, readable)
-}
-
-/** ClientSideConnection 工厂 */
-function createConnection(
-  stream: Stream,
-  handlers: {
-    onSessionUpdate: (update: any) => Promise<void>
-    onRequestPermission: (params: any) => Promise<any>
-  },
-) {
-  return new ClientSideConnection(
-    () => ({
-      async sessionUpdate(params) {
-        await handlers.onSessionUpdate(params.update)
-      },
-      async requestPermission(params) {
-        return handlers.onRequestPermission(params)
-      },
-      async writeTextFile(_params) {
-        // OpenCode 在 edit 后会推过来，作为编辑器刷新提示；server 侧目前不需要做事。
-        return {}
-      },
-      async readTextFile(_params) {
-        // 不实现 — OpenCode 自身从本地文件系统读
-        return { content: '' }
-      },
-    }),
-    stream,
-  )
+    }
+    if (envId) {
+      const acpEvent = CloudbaseAgentService.convertToSessionUpdate(enriched, conversationId)
+      if (acpEvent) {
+        const seq = getAgentRun(conversationId)?.lastSeq ?? 0
+        persistenceService
+          .appendStreamEvents([
+            {
+              eventId: uuidv4(),
+              conversationId,
+              turnId,
+              envId,
+              userId,
+              event: acpEvent,
+              seq,
+              createTime: Date.now(),
+            },
+          ])
+          .catch((e) => console.error('[OpencodeAcpRuntime] appendStreamEvents error:', e))
+      }
+    }
+  }
 }
 
 // ─── Singleton ────────────────────────────────────────────────────────────
diff --git a/packages/server/src/agent/runtime/opencode-session-config.ts b/packages/server/src/agent/runtime/opencode-session-config.ts
new file mode 100644
index 0000000..926dd33
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-session-config.ts
@@ -0,0 +1,193 @@
+/**
+ * Per-session OpenCode 配置与工作目录管理
+ *
+ * 核心职责：为每次 chatStream 调用准备一个**临时工作目录**，内放 opencode 配置：
+ *
+ *   /tmp/opencode-session-<uuid>/
+ *     .opencode/opencode.json   ← 定义 agent：禁用内置 read/write/bash/edit，
+ *                                  只允许 sandbox_* 工具
+ *     AGENTS.md                  ← 可选的 system prompt 增强
+ *
+ * 为什么要这样做？
+ *   - opencode 启动时从 `cwd` 读配置
+ *   - 我们需要每个 session 有独立配置（不同用户/沙箱的凭证互不串）
+ *   - per-session 目录隔离避免 race condition（同时跑多个 session）
+ *
+ * 注意：这个目录**仅放配置**。真实的用户工作文件都在沙箱容器里（/workspace）。
+ *       opencode 进程虽然 cwd 指向临时目录，但它通过 MCP (sandbox_*) 工具读写沙箱。
+ */
+
+import fs from 'node:fs'
+import path from 'node:path'
+import os from 'node:os'
+import { v4 as uuidv4 } from 'uuid'
+import type { SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
+
+/** 默认工作目录前缀 */
+const SESSION_DIR_PREFIX = 'opencode-session-'
+
+/**
+ * 要禁用的 OpenCode 内置工具。
+ * 见 https://opencode.ai/docs/agents/#tools
+ */
+const DISABLED_BUILTIN_TOOLS = ['read', 'write', 'edit', 'bash', 'grep', 'glob', 'webfetch', 'patch'] as const
+
+/**
+ * 给 sandbox MCP bridge 用的工具名（MCP 上报给 opencode 时会被加 `<server>_` 前缀）。
+ * 我们的 server name 定为 "sandbox"，所以实际 tool id 是 `sandbox_sandbox_read` 之类。
+ * 为了干净，把 MCP server 名就叫 "sbx"，tool name 就叫 "read"/"write"/...
+ * OpenCode 看到 `sbx_read`/`sbx_write` 等。
+ */
+export const SANDBOX_MCP_SERVER_NAME = 'sbx'
+
+export interface SessionWorkspace {
+  /** 临时目录绝对路径；opencode acp 的 --cwd 指向此 */
+  readonly dir: string
+  /** 要在 `session/new.mcpServers` 里传给 opencode 的 MCP server 定义 */
+  readonly mcpServerCommand: string
+  readonly mcpServerArgs: string[]
+  readonly mcpServerEnv: Record<string, string>
+  /** 要在 `session/set_mode` 里切的 agent mode id（不存在则用 'build'） */
+  readonly agentMode: string
+  /** 清理临时目录 */
+  cleanup(): void
+}
+
+export interface CreateSessionWorkspaceOptions {
+  sandbox?: SandboxInstance
+  /** 沙箱 workspace 根目录（默认 /workspace，即 opencode 的工作视角） */
+  sandboxWorkspaceRoot?: string
+  /** 编译后的 sandbox-mcp-bridge.js 路径（由 runtime 传入） */
+  mcpBridgePath: string
+  /**
+   * 本地模式的工作目录（无沙箱时）。
+   * - 有沙箱：忽略此字段，创建临时目录仅存配置
+   * - 无沙箱：使用此目录作为 opencode 的 cwd，LLM 读写都在这里
+   */
+  localWorkspaceDir?: string
+}
+
+/**
+ * 创建 per-session 工作目录 + 生成 opencode 配置。
+ */
+export async function createSessionWorkspace(opts: CreateSessionWorkspaceOptions): Promise<SessionWorkspace> {
+  const sandboxMode = !!opts.sandbox
+
+  // 工作目录选择：
+  //   sandbox 模式 → 临时 staging 目录（只放配置，不用于 LLM 读写）
+  //   无沙箱 → 用传入的 localWorkspaceDir（LLM 真的读写这里）
+  const dir = sandboxMode
+    ? path.join(os.tmpdir(), `${SESSION_DIR_PREFIX}${uuidv4()}`)
+    : (opts.localWorkspaceDir ?? path.join(os.tmpdir(), `${SESSION_DIR_PREFIX}${uuidv4()}`))
+
+  // 临时目录需要我们自己创建；用户传入的工作目录假定已存在
+  const isTempDir = sandboxMode || !opts.localWorkspaceDir
+  fs.mkdirSync(path.join(dir, '.opencode'), { recursive: true })
+
+  const sandboxWorkspaceRoot = opts.sandboxWorkspaceRoot ?? '.'
+
+  // ── 1. agent + mcp 配置 ─────────────────────────────────────────────
+  //
+  // 有沙箱 → 禁用内置工具 + 注入 sandbox MCP
+  // 无沙箱（本地开发） → 保留内置工具，不注入 MCP（opencode 就用本地文件系统）
+
+  const mcpBridgeEnv: Record<string, string> = {
+    SANDBOX_BASE_URL: opts.sandbox?.baseUrl ?? '',
+    SANDBOX_AUTH_HEADERS_JSON: opts.sandbox ? JSON.stringify(await opts.sandbox.getAuthHeaders()) : '{}',
+    SANDBOX_DEFAULT_CWD: sandboxWorkspaceRoot,
+    SANDBOX_MCP_DEBUG: process.env.SANDBOX_MCP_DEBUG ?? '',
+  }
+
+  const opencodeConfig: Record<string, unknown> = {
+    $schema: 'https://opencode.ai/config.json',
+  }
+
+  if (sandboxMode) {
+    const toolsDisabled: Record<string, boolean> = {}
+    for (const t of DISABLED_BUILTIN_TOOLS) toolsDisabled[t] = false
+    toolsDisabled[`${SANDBOX_MCP_SERVER_NAME}_*`] = true
+
+    opencodeConfig.agent = {
+      sandboxed: {
+        description: 'Sandboxed agent: all file I/O and shell execution go through sandbox MCP bridge',
+        mode: 'primary',
+        tools: toolsDisabled,
+      },
+    }
+    opencodeConfig.mcp = {
+      [SANDBOX_MCP_SERVER_NAME]: {
+        type: 'local',
+        command: ['node', opts.mcpBridgePath],
+        enabled: true,
+        environment: mcpBridgeEnv,
+      },
+    }
+  }
+
+  fs.writeFileSync(path.join(dir, '.opencode', 'opencode.json'), JSON.stringify(opencodeConfig, null, 2))
+
+  // ── 2. AGENTS.md 作为 system-prompt 强化 ──────────────────────────────
+  const agentsMd = sandboxMode
+    ? `# Sandboxed Environment
+
+You are running in a sandboxed mode. Your local working directory is a temporary staging area —
+DO NOT attempt to read or write files here. Instead, use the \`${SANDBOX_MCP_SERVER_NAME}_*\` MCP tools:
+
+- \`${SANDBOX_MCP_SERVER_NAME}_read\` — read files
+- \`${SANDBOX_MCP_SERVER_NAME}_write\` — create / overwrite files
+- \`${SANDBOX_MCP_SERVER_NAME}_edit\` — string replacement
+- \`${SANDBOX_MCP_SERVER_NAME}_bash\` — run shell commands
+- \`${SANDBOX_MCP_SERVER_NAME}_glob\` / \`${SANDBOX_MCP_SERVER_NAME}_grep\` — search
+
+## CRITICAL: Path rules
+
+The sandbox enforces **path traversal protection**. You MUST use **relative paths** (no leading \`/\`).
+The sandbox automatically resolves these against its scope directory.
+
+✅ Correct:
+- \`${SANDBOX_MCP_SERVER_NAME}_write\` with path \`"hello.txt"\`
+- \`${SANDBOX_MCP_SERVER_NAME}_write\` with path \`"src/index.ts"\`
+- \`${SANDBOX_MCP_SERVER_NAME}_read\` with path \`"package.json"\`
+
+❌ Wrong (will fail 403 Path traversal blocked):
+- path \`"/workspace/hello.txt"\`
+- path \`"/tmp/x"\`
+- path \`"/home/..."\`
+
+The builtin \`read\`/\`write\`/\`edit\`/\`bash\` tools are disabled. Calling them will fail.
+Always use \`${SANDBOX_MCP_SERVER_NAME}_*\` tools with RELATIVE paths.
+`
+    : `# Local development mode
+
+Sandbox not configured — tools run on the local file system.
+`
+  // AGENTS.md 只在临时目录里写，避免污染用户工作目录
+  if (isTempDir) {
+    fs.writeFileSync(path.join(dir, 'AGENTS.md'), agentsMd)
+  }
+
+  return {
+    dir,
+    mcpServerCommand: 'node',
+    mcpServerArgs: [opts.mcpBridgePath],
+    mcpServerEnv: mcpBridgeEnv,
+    agentMode: sandboxMode ? 'sandboxed' : 'build',
+    cleanup: () => {
+      // 只清理自己创建的临时目录；用户传入的工作目录保留
+      if (isTempDir) {
+        try {
+          fs.rmSync(dir, { recursive: true, force: true })
+        } catch {
+          /* noop */
+        }
+      } else {
+        // 仅清理 .opencode 子目录（配置）
+        try {
+          fs.rmSync(path.join(dir, '.opencode'), { recursive: true, force: true })
+        } catch {
+          /* noop */
+        }
+      }
+    },
+  }
+}
diff --git a/packages/server/src/agent/runtime/sandbox-mcp-bridge.ts b/packages/server/src/agent/runtime/sandbox-mcp-bridge.ts
new file mode 100644
index 0000000..05b973c
--- /dev/null
+++ b/packages/server/src/agent/runtime/sandbox-mcp-bridge.ts
@@ -0,0 +1,253 @@
+/**
+ * Sandbox MCP Bridge — 模块职责说明
+ *
+ * OpenCode 内置工具（read/write/bash/edit）在其进程内本地执行，违反"agent/sandbox 分离"。
+ * 本模块提供解决方案：
+ *
+ *   1. 禁用 OpenCode 内置工具（通过 per-session agent config 的 `tools: { read:false, ... }`）
+ *   2. 注入一个 sandbox MCP server，暴露 sandbox_read / sandbox_write / sandbox_bash /
+ *      sandbox_edit 工具；这些工具的 execute 通过 HTTP 打到 SCF 沙箱
+ *   3. 于是 OpenCode 在处理用户任务时**只能**调用 sandbox_* 工具，所有 IO 天然落在沙箱容器内
+ *
+ * 实现形式：
+ *   - 一个独立的子进程（stdio MCP server）
+ *   - 启动命令：`node <compiled-path-of-this-module>`
+ *   - 环境变量传沙箱 base URL + auth headers（避免敏感信息进命令行）
+ *   - OpenCode 的 session/new 里以 McpServerStdio 形式注入
+ *
+ * 运行模式：
+ *   - 作为 **CLI 入口** 执行（main block 在文件末尾）
+ *   - 不导出任何 server 端业务符号——server 进程 spawn 它作为外部命令
+ */
+
+import { Server } from '@modelcontextprotocol/sdk/server/index.js'
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+  type CallToolResult,
+  type Tool,
+} from '@modelcontextprotocol/sdk/types.js'
+
+// ─── Config from env ────────────────────────────────────────────────────────
+
+const SANDBOX_BASE_URL = process.env.SANDBOX_BASE_URL || ''
+const SANDBOX_AUTH_HEADERS_JSON = process.env.SANDBOX_AUTH_HEADERS_JSON || '{}'
+const DEFAULT_CWD = process.env.SANDBOX_DEFAULT_CWD || '/workspace'
+const DEBUG = process.env.SANDBOX_MCP_DEBUG === '1'
+
+if (!SANDBOX_BASE_URL) {
+  // 允许空 URL → 工具执行时返回错误（便于开发/测试时启动 MCP server 不挂）
+  if (DEBUG) process.stderr.write('[sandbox-mcp] WARN: SANDBOX_BASE_URL not set\n')
+}
+
+let parsedHeaders: Record<string, string> = {}
+try {
+  parsedHeaders = JSON.parse(SANDBOX_AUTH_HEADERS_JSON) as Record<string, string>
+} catch (e) {
+  process.stderr.write('[sandbox-mcp] invalid SANDBOX_AUTH_HEADERS_JSON, using empty\n')
+}
+
+// ─── Sandbox HTTP helper ────────────────────────────────────────────────────
+
+async function callSandboxTool(tool: string, body: unknown, timeoutMs = 60_000): Promise<any> {
+  if (!SANDBOX_BASE_URL) {
+    throw new Error('SANDBOX_BASE_URL not configured')
+  }
+  const res = await fetch(`${SANDBOX_BASE_URL}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...parsedHeaders },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) {
+    throw new Error(data.error ?? `${tool} failed (status=${res.status})`)
+  }
+  return data.result
+}
+
+// ─── Tool definitions ───────────────────────────────────────────────────────
+
+interface SandboxTool extends Tool {
+  readonly name: string
+  execute: (args: Record<string, unknown>) => Promise<CallToolResult>
+}
+
+const TOOLS: SandboxTool[] = [
+  {
+    name: 'read',
+    description:
+      'Read a text file from the sandbox workspace. Use this INSTEAD OF the builtin read tool. ' +
+      `All file paths must be absolute and within the sandbox (default working dir: ${DEFAULT_CWD}).`,
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: { type: 'string', description: 'Absolute file path inside the sandbox' },
+        offset: { type: 'number', description: 'Optional start line offset (0-based)' },
+        limit: { type: 'number', description: 'Optional max line count' },
+      },
+      required: ['path'],
+    },
+    async execute(args) {
+      const result = await callSandboxTool('read', {
+        path: args.path,
+        offset: args.offset,
+        limit: args.limit,
+      })
+      return textResult(typeof result === 'string' ? result : (result?.content ?? JSON.stringify(result)))
+    },
+  },
+  {
+    name: 'write',
+    description:
+      'Write a text file into the sandbox workspace, creating parent directories as needed. ' +
+      'Use this INSTEAD OF the builtin write tool.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: { type: 'string' },
+        content: { type: 'string' },
+      },
+      required: ['path', 'content'],
+    },
+    async execute(args) {
+      const result = await callSandboxTool('write', {
+        path: args.path,
+        content: args.content,
+      })
+      return textResult(result?.output ?? 'Wrote file successfully.')
+    },
+  },
+  {
+    name: 'edit',
+    description: 'Edit a text file in the sandbox by replacing a string. Use this INSTEAD OF the builtin edit tool.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: { type: 'string' },
+        oldString: { type: 'string' },
+        newString: { type: 'string' },
+        replaceAll: { type: 'boolean' },
+      },
+      required: ['path', 'oldString', 'newString'],
+    },
+    async execute(args) {
+      const result = await callSandboxTool('edit', {
+        path: args.path,
+        oldString: args.oldString,
+        newString: args.newString,
+        replaceAll: args.replaceAll ?? false,
+      })
+      return textResult(result?.output ?? 'Edited file successfully.')
+    },
+  },
+  {
+    name: 'bash',
+    description:
+      'Run a shell command inside the sandbox. Use this INSTEAD OF the builtin bash tool. ' +
+      'Command runs in a container isolated from the host machine.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        command: { type: 'string' },
+        timeout: { type: 'number', description: 'Timeout in milliseconds (default 60s)' },
+      },
+      required: ['command'],
+    },
+    async execute(args) {
+      const result = await callSandboxTool(
+        'bash',
+        { command: args.command, timeout: args.timeout ?? 60_000 },
+        (args.timeout as number | undefined) ?? 60_000,
+      )
+      return textResult(
+        typeof result === 'string' ? result : (result?.content ?? result?.stdout ?? JSON.stringify(result)),
+      )
+    },
+  },
+  {
+    name: 'glob',
+    description: 'Glob files in the sandbox workspace matching a pattern.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        pattern: { type: 'string' },
+        path: { type: 'string' },
+      },
+      required: ['pattern'],
+    },
+    async execute(args) {
+      const result = await callSandboxTool('glob', {
+        pattern: args.pattern,
+        path: args.path ?? DEFAULT_CWD,
+      })
+      return textResult(typeof result === 'string' ? result : JSON.stringify(result, null, 2))
+    },
+  },
+  {
+    name: 'grep',
+    description: 'Grep files in the sandbox workspace.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        pattern: { type: 'string' },
+        path: { type: 'string' },
+        glob: { type: 'string' },
+        type: { type: 'string' },
+      },
+      required: ['pattern'],
+    },
+    async execute(args) {
+      const result = await callSandboxTool('grep', args)
+      return textResult(typeof result === 'string' ? result : JSON.stringify(result, null, 2))
+    },
+  },
+]
+
+function textResult(text: string): CallToolResult {
+  return { content: [{ type: 'text', text }] }
+}
+
+// ─── MCP Server wiring ──────────────────────────────────────────────────────
+
+async function main(): Promise<void> {
+  const server = new Server({ name: 'sandbox-bridge', version: '0.1.0' }, { capabilities: { tools: {} } })
+
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: TOOLS.map((t) => ({
+      name: t.name,
+      description: t.description,
+      inputSchema: t.inputSchema,
+    })),
+  }))
+
+  server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const tool = TOOLS.find((t) => t.name === req.params.name)
+    if (!tool) {
+      return {
+        isError: true,
+        content: [{ type: 'text', text: `Unknown tool: ${req.params.name}` }],
+      }
+    }
+    try {
+      return await tool.execute((req.params.arguments ?? {}) as Record<string, unknown>)
+    } catch (e) {
+      return {
+        isError: true,
+        content: [{ type: 'text', text: `Tool ${req.params.name} failed: ${(e as Error).message}` }],
+      }
+    }
+  })
+
+  const transport = new StdioServerTransport()
+  await server.connect(transport)
+
+  if (DEBUG) process.stderr.write('[sandbox-mcp] ready\n')
+}
+
+// Run as CLI when invoked directly
+main().catch((err) => {
+  process.stderr.write(`[sandbox-mcp] fatal: ${err}\n`)
+  process.exit(1)
+})

From ee29bca803bcb02c19775aa58e801d10c3800a00 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 12:35:54 +0800
Subject: [PATCH 03/33] =?UTF-8?q?refactor(agent):=20OpenCode=20=E6=B2=99?=
 =?UTF-8?q?=E7=AE=B1=E6=8E=A5=E5=85=A5=E6=94=B9=E4=B8=BA=E5=85=A8=E5=B1=80?=
 =?UTF-8?q?=20tool=20override=20+=20env=20=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

替代原方案（per-session .opencode/opencode.json + sandbox MCP bridge 子进程）。
新方案更干净、更符合 OpenCode 原生扩展机制。

## 关键发现（实测验证）

1. OpenCode 扫描 `~/.config/opencode/tools/*.ts` 作为 custom tools，
   **同名 custom tool 覆盖 builtin**（文档承诺 + 日志观察均已证实）。
2. OpenCode 原生支持 .ts 文件（zod 作为它自己的依赖已打包）。
   但 tsup 编译后的 .js 文件保留 `import 'zod'` 静态语句，当前 opencode
   binary 无法解析这种外部 import，会静默忽略。所以 installer 直接拷 .ts 源文件。
3. OpenCode 的 MCP / tool 子进程继承父 opencode 进程的 process.env
   (源码 packages/opencode/src/mcp/index.ts: `env: { ...process.env, ... }`)。
   → 我们 spawn opencode 时注入的 env 能传到工具执行处。

## 改动

### 新增
- src/agent/runtime/opencode-installer.ts
  幂等安装 6 个工具模板到 ~/.config/opencode/tools/。
  hash 比对跳过未变更；OPENCODE_TOOLS_FORCE_REINSTALL=1 强制覆盖。
- src/agent/runtime/opencode-tool-templates/
  {read, write, edit, bash, grep, glob}.ts — 每个文件独立自包含：
  if (SANDBOX_MODE === '1') → fetch SANDBOX_BASE_URL/api/tools/*
  else                     → 本地 fs / child_process

### 重写
- src/agent/runtime/opencode-acp-runtime.ts
  每次 chatStream：
    1. ensureToolsInstalledOnce() — 惰性安装
    2. scfSandboxManager.getOrCreate(convId, envId)
    3. spawn opencode acp, env={
         SANDBOX_MODE:'1',
         SANDBOX_BASE_URL, SANDBOX_AUTH_HEADERS_JSON,
       }
    4. ACP 握手 → newSession → prompt
  删除 setSessionMode / mcpServers / 临时目录写 opencode.json 等旧逻辑

### 删除
- sandbox-mcp-bridge.ts（MCP 子进程中转层）
- opencode-session-config.ts（per-session 配置写入）

## 测试结果

### e2e#1 本地模式
```
[tool_result ◯] out="Wrote 18 bytes to /tmp/opencode-runtime-e2e/hello.txt"
                      ^^^^^^^^^^^^^ 这是 custom write.ts 的输出格式
OVERALL: PASS
```

### e2e#4 沙箱隔离（真实 SCF）
```
[tool_use ▶] name=write           ← LLM 用 write 工具（不是 sbx_write）
[tool_result] out="{path: /tmp/workspace/huming-test-.../sandbox-e2e-v2-.../...txt,
                   bytesWritten: 22, diff: ...}"   ← 沙箱 HTTP API 响应格式

sandbox file content = "1: hello from v2 vusknorg"  ← 独立调沙箱 read 验证
local /tmp/.../txt exists = false                    ← 本地干净

  LLM used 'write' tool:      PASS
  sandbox file has content:   PASS
  local NOT polluted:         PASS
OVERALL: PASS
```

### 其他回归
- e2e#2 HTTP /runtimes: PASS
- e2e#3 HTTP SSE chat: PASS (28 events)
- type-check / lint / build / format 全通过

## 优势对比（相比 MCP bridge 方案）

- 工具名 `read/write/bash/edit` 与 LLM 训练期望一致（不用 sbx_ 前缀）
- 少一个 MCP 子进程 + 一层 JSON-RPC 序列化
- 凭证只停留在进程 env 里，session 结束即消失（无磁盘残留）
- per-session 开销 = spawn opencode（不多写任何文件）
---
 docs/acp-runtime-abstraction.md               | 446 +++++++-----------
 packages/server/package.json                  |   4 +-
 .../scripts/test-opencode-sandbox-e2e.mts     | 114 +++--
 .../src/agent/runtime/opencode-acp-runtime.ts | 185 +++-----
 .../src/agent/runtime/opencode-installer.ts   | 126 +++++
 .../agent/runtime/opencode-session-config.ts  | 193 --------
 .../runtime/opencode-tool-templates/bash.ts   |  59 +++
 .../runtime/opencode-tool-templates/edit.ts   |  60 +++
 .../runtime/opencode-tool-templates/glob.ts   |  43 ++
 .../runtime/opencode-tool-templates/grep.ts   |  50 ++
 .../runtime/opencode-tool-templates/read.ts   |  62 +++
 .../runtime/opencode-tool-templates/write.ts  |  46 ++
 .../src/agent/runtime/sandbox-mcp-bridge.ts   | 253 ----------
 packages/server/tsconfig.json                 |   3 +-
 14 files changed, 758 insertions(+), 886 deletions(-)
 create mode 100644 packages/server/src/agent/runtime/opencode-installer.ts
 delete mode 100644 packages/server/src/agent/runtime/opencode-session-config.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/read.ts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/write.ts
 delete mode 100644 packages/server/src/agent/runtime/sandbox-mcp-bridge.ts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index 68b771d..bfb4e16 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -1,352 +1,258 @@
-# Agent Runtime 抽象层 + OpenCode ACP + 沙箱集成
+# Agent Runtime 抽象层 + OpenCode ACP + 沙箱隔离
 
 > 分支：`feat/acp-runtime-abstraction`
 > 基线：`feature/refactor @ 17eca8e`
-> 交付：2026-05-02
-> 状态：已完成，type-check / lint / build / 4 组 e2e 全通过
+> 最终架构：**全局 tool override + per-session env 注入**
+> 状态：type-check / lint / build + 4 组 e2e 全通过
 
 ## 1. 目标
 
-两阶段目标：
-
-**阶段 A（已完成）**：抽象 `IAgentRuntime` 接口，把 server 与具体 agent 实现解耦。Tencent SDK 作为默认 runtime；新增 OpenCode ACP runtime 作为第二个实现。
-
-**阶段 B（本次完成）**：让 OpenCode runtime 严格遵守 **agent/sandbox 分离原则**：
-- Agent（opencode acp 子进程）只负责 LLM 决策，跑在 server 本地
-- 所有文件/shell 工具调用通过一个 MCP bridge 桥接到 SCF 沙箱 HTTP API
-- OpenCode 的内置 `read/write/bash/edit` 工具被禁用，只能用 `sbx_*` MCP 工具
+- 抽象 `IAgentRuntime` 接口，让 server 可在不同 agent 实现（Tencent SDK / OpenCode ACP / 未来的 Claude Code ACP / Gemini CLI 等）之间切换
+- OpenCode runtime 严格遵守 **agent 与 sandbox 分离**原则
+  - Agent 进程在 server 本地（负责 LLM 决策）
+  - 所有文件/shell 工具调用转发到 SCF 沙箱（负责执行）
+- 模板化配置：全局一次安装，per-session 只注入动态凭证
 
 ## 2. 架构
 
 ```
-┌──────────────────────────────────────────────────────────────────────┐
-│ Server 进程（agent 域）                                               │
-│                                                                      │
-│   routes/acp.ts                                                      │
-│      │                                                               │
-│      ▼                                                               │
-│   IAgentRuntime  ──►  TencentSdkRuntime (in-process)                │
-│      │                                                               │
-│      └─►  OpencodeAcpRuntime                                         │
-│              │                                                       │
-│              ├─ 准备 per-session 临时目录:                           │
-│              │   /tmp/opencode-session-<uuid>/                       │
-│              │    └── .opencode/opencode.json                        │
-│              │        • agent.sandboxed.tools = { read:false, ... } │
-│              │        • mcp.sbx = { command: node bridge.js, ... }   │
-│              │                                                       │
-│              ├─ spawn opencode acp --cwd <临时目录>                  │
-│              │    └─ opencode 读到配置，禁用内置工具                 │
-│              │       spawn MCP bridge 作为子进程                     │
-│              │                                                       │
-│              ├─ ACP 握手 → session/new → setSessionMode('sandboxed')│
-│              │                                                       │
-│              └─ session/update 事件 → AgentCallbackMessage → SSE    │
-│                                                                      │
-└──────────────────────────────────────────────────────────────────────┘
-            ┌────────────────────────────────────────────┐
-            │ sandbox-mcp-bridge.js (Node 子进程)         │
-            │                                            │
-            │   MCP stdio server                         │
-            │   env: SANDBOX_BASE_URL, AUTH_HEADERS      │
-            │                                            │
-            │   tools: sbx_read / sbx_write / sbx_bash / │
-            │           sbx_edit / sbx_glob / sbx_grep   │
-            │                                            │
-            │   each call → fetch SANDBOX_BASE_URL/...   │
-            └──────────────────────┬─────────────────────┘
-                                   │
-                                   │ HTTPS (Bearer + Scope headers)
-                                   ▼
-            ┌───────────────────────────────────────────┐
-            │ Sandbox (SCF 容器, sandbox 域)             │
-            │                                           │
-            │   /api/tools/read                         │
-            │   /api/tools/write                        │
-            │   /api/tools/bash                         │
-            │   /api/tools/edit                         │
-            │                                           │
-            │   cwd: /tmp/workspace/<env>/<conv>        │
-            │   (scope 隔离目录, 强制相对路径)           │
-            └───────────────────────────────────────────┘
+┌─────────────────────────────────────────────────────────────────┐
+│ Server 启动                                                       │
+│   └─ ensureOpencodeToolsInstalled()                             │
+│        └─ 把 read/write/bash/edit/grep/glob .ts 模板拷到          │
+│           ~/.config/opencode/tools/                              │
+│           (opencode 读取全局配置，custom 覆盖 builtin)            │
+├─────────────────────────────────────────────────────────────────┤
+│ 每次 chatStream                                                   │
+│                                                                   │
+│   1. scfSandboxManager.getOrCreate()  ← 沙箱实例                 │
+│   2. spawn `opencode acp --cwd <临时目录>`                        │
+│      env: {                                                       │
+│        SANDBOX_MODE=1,                                           │
+│        SANDBOX_BASE_URL=<沙箱 HTTPS>,                            │
+│        SANDBOX_AUTH_HEADERS_JSON=<凭证 JSON>,                    │
+│      }                                                            │
+│   3. opencode 子进程加载 ~/.config/opencode/tools/read.ts 等      │
+│      custom tools 覆盖 builtin read/write/...                    │
+│      tools 内 process.env.SANDBOX_* 读取本 session 凭证          │
+│   4. ACP 握手 → session/new → prompt → 收 session/update 流       │
+│                                                                   │
+│   工具调用流：                                                     │
+│     LLM ──► "write" tool                                         │
+│              └─ 实际调 ~/.config/opencode/tools/write.ts         │
+│                 └─ process.env.SANDBOX_MODE === '1'              │
+│                    └─ fetch SANDBOX_BASE_URL/api/tools/write     │
+│                       └─ 沙箱容器写文件（隔离目录）                │
+└─────────────────────────────────────────────────────────────────┘
 ```
 
-### 关键分离
+## 3. 核心原理（实测验证）
 
-| 层 | 进程 | 负责 | 不负责 |
-|---|---|---|---|
-| Agent | opencode (server 本地) | LLM 决策、调用 MCP 工具 | 文件 IO、shell |
-| Bridge | sandbox-mcp-bridge.js | MCP → HTTP 翻译、凭证注入 | LLM、执行 |
-| Sandbox | SCF 容器 | 执行 read/write/bash | 模型、网络决策 |
+### 3.1 OpenCode 的 custom tool 覆盖规则
 
-## 3. 文件清单
+OpenCode 在 `~/.config/opencode/tools/` 和 `.opencode/tools/` 查找 `.ts` / `.js` 文件。
+- **文件名即工具名**：`read.ts` → tool `read`
+- **同名 custom tool 覆盖 builtin**（实测已 PASS，见 §5）
+- 官方文档："If a custom tool uses the same name as a built-in tool, the custom tool takes priority."
 
-### 新增
-```
-packages/server/src/agent/runtime/
-├── types.ts                       # IAgentRuntime 接口
-├── registry.ts                    # AgentRuntimeRegistry + 选择策略
-├── tencent-sdk-runtime.ts         # Tencent SDK 薄 adapter
-├── opencode-acp-runtime.ts        # OpenCode runtime 主体
-├── opencode-session-config.ts     # per-session 工作目录 + opencode.json 生成
-├── acp-transport.ts               # stdio transport 工厂
-├── sandbox-mcp-bridge.ts          # ★ 独立进程：MCP server → 沙箱 HTTP 桥
-└── index.ts                       # 公共导出
+### 3.2 OpenCode spawn 时的 env 传递链
 
-packages/server/scripts/
-├── test-opencode-runtime.mts       # e2e#1: 本地模式直调 runtime
-├── test-acp-http-e2e.mts           # e2e#2: HTTP 公开端点
-├── test-acp-chat-http.mts          # e2e#3: 完整 SSE HTTP 流
-└── test-opencode-sandbox-e2e.mts   # ★ e2e#4: 沙箱隔离验证（真实 SCF）
-
-docs/
-└── acp-runtime-abstraction.md      # 本文档
+源码 `packages/opencode/src/mcp/index.ts`:
+```ts
+StdioClientTransport({
+  env: { ...process.env, ...(cmd === "opencode" ? { BUN_BE_BUN: "1" } : {}), ...mcp.environment }
+})
 ```
 
-### 改动
-| 文件 | 改动 |
-|---|---|
-| `packages/server/package.json` | +`@agentclientprotocol/sdk`、+`@modelcontextprotocol/sdk`；build 脚本加 sandbox-mcp-bridge.ts |
-| `packages/server/src/routes/acp.ts` | 通过 registry 选 runtime；新增 `GET /api/agent/runtimes`；`/runtimes` 加入 auth 豁免 |
-| `packages/shared/src/types/agent.ts` | `SessionPromptParams.runtime?: string` |
+OpenCode 启动子进程（tool 执行、MCP server）时会**继承 opencode 父进程的 env**。
+因此：server → spawn opencode 时注入 env → opencode → tool 执行 → 所有层级都能 `process.env.SANDBOX_*` 读到。
 
-## 4. IAgentRuntime 接口
+### 3.3 为什么 `.ts` 而不是 `.js` 安装？
 
-```ts
-export interface IAgentRuntime {
-  readonly name: string
-  isAvailable(): Promise<boolean>
-  getSupportedModels(): Promise<ModelInfo[]>
-  chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult>
-}
-
-export interface ChatStreamResult {
-  turnId: string
-  alreadyRunning: boolean
-}
-```
+tsup 打包出的 `.js` 文件仍保留 `import { z } from 'zod'`。当前版本的 opencode binary **不能解析 `.js` 里的外部 import**，会静默忽略文件（tool 不注册）。
 
-### 行为约定
-1. `chatStream` 同步返回 `{ turnId, alreadyRunning }`
-2. 后台 fire-and-forget 跑 agent，通过 `callback` 推送 `AgentCallbackMessage`
-3. 完成时推送 `type: 'result'`；abort 时推送 `type: 'error', content: 'Aborted'`
-4. callback 调用保持时间序
+而 opencode **原生支持 `.ts` 文件**（内置 TypeScript loader），能正确处理 `import { z } from 'zod'`（zod 作为 opencode 依赖一并打包在 binary 内）。
 
-## 5. Runtime 选择
+所以 installer 直接拷贝 `.ts` 源文件，不走 tsup 编译。
 
-```ts
-// 选择优先级：
-// 1. body.runtime / params.runtime  (请求级 override)
-// 2. process.env.AGENT_RUNTIME       (部署级 override)
-// 3. AGENT_RUNTIME_DEFAULT 或 'tencent-sdk'
-const runtime = agentRuntimeRegistry.resolve({ explicitRuntime: body.runtime })
-```
+## 4. 文件清单
 
-**前端选择 runtime**：
-```
-POST /api/agent/chat
-{ "prompt": "...", "runtime": "opencode-acp" }
+### 新增
 ```
+packages/server/src/agent/runtime/
+├── types.ts                            # IAgentRuntime 接口
+├── registry.ts                         # AgentRuntimeRegistry 选择策略
+├── tencent-sdk-runtime.ts              # Tencent SDK 薄 adapter
+├── opencode-acp-runtime.ts             # OpenCode runtime 主体（env 注入）
+├── opencode-installer.ts               # 全局 tool 幂等安装
+├── acp-transport.ts                    # local stdio transport
+├── opencode-tool-templates/            # ★ tool override 源模板
+│   ├── read.ts    (SANDBOX_MODE=1 → sandbox HTTP, else local fs)
+│   ├── write.ts
+│   ├── edit.ts
+│   ├── bash.ts
+│   ├── grep.ts
+│   └── glob.ts
+└── index.ts
 
-**列出可用 runtime**：`GET /api/agent/runtimes`（公开端点）
-```json
-{
-  "default": "tencent-sdk",
-  "runtimes": [
-    { "name": "tencent-sdk",  "available": true },
-    { "name": "opencode-acp", "available": true }
-  ]
-}
+packages/server/scripts/
+├── test-opencode-runtime.mts           # e2e#1: 本地无沙箱
+├── test-acp-http-e2e.mts               # e2e#2: HTTP 公开端点
+├── test-acp-chat-http.mts              # e2e#3: 完整 HTTP SSE chat
+└── test-opencode-sandbox-e2e.mts       # ★ e2e#4: 沙箱隔离（真实 SCF）
 ```
 
-## 6. OpencodeAcpRuntime 运行模式
-
-### 模式 A：有 `envId`（生产 / 沙箱模式）
-1. `scfSandboxManager.getOrCreate(convId, envId)` 获取/创建沙箱
-2. 创建临时目录 `/tmp/opencode-session-<uuid>/`
-3. 写 `.opencode/opencode.json`：
-   - 定义 agent `sandboxed`（`mode: primary`，`tools: { read:false, write:false, bash:false, edit:false, grep:false, glob:false, webfetch:false, patch:false, sbx_*:true }`）
-   - 定义 `mcp.sbx`：local stdio，command `["node", "<path>/sandbox-mcp-bridge.js"]`，env 传 `SANDBOX_BASE_URL` + `SANDBOX_AUTH_HEADERS_JSON`
-4. 写 AGENTS.md：system prompt 告诉模型用 `sbx_*` 相对路径
-5. spawn `opencode acp --cwd <临时目录>`
-6. ACP 握手、setSessionMode('sandboxed')、set model、prompt
-7. 会话结束清理临时目录
+### 改动
+| 文件 | 改动 |
+|---|---|
+| `packages/server/package.json` | + `@agentclientprotocol/sdk`, + `@modelcontextprotocol/sdk`（保留，供将来 MCP 复用）；build 脚本：拷贝 tool 模板 .ts → dist/ |
+| `packages/server/tsconfig.json` | 排除 `opencode-tool-templates/**`（独立语义，不参与 server bundle） |
+| `packages/server/src/routes/acp.ts` | 通过 registry 选 runtime + `GET /api/agent/runtimes` |
+| `packages/shared/src/types/agent.ts` | `SessionPromptParams.runtime?: string` |
 
-### 模式 B：无 `envId`（本地开发）
-1. **不**禁用内置工具（opencode 就用本地文件系统）
-2. 使用 `options.cwd` 作为 opencode 的 cwd（不创建临时目录，仅在其下写 `.opencode/opencode.json` 空配置）
-3. 其余 ACP 流程相同
+### 删除
+- ~~`sandbox-mcp-bridge.ts`~~（原 MCP 桥 server，已被 direct tool override 替代）
+- ~~`opencode-session-config.ts`~~（原 per-session 写 `.opencode/opencode.json`，已被全局配置替代）
 
-## 7. Sandbox MCP Bridge
+## 5. 关键决策与实测
 
-独立进程（`sandbox-mcp-bridge.js`），通过 stdio 实现 MCP 协议，对外暴露：
+### 决策 1：全局安装 vs per-session 写配置
 
-| 工具 | 转发到 | 说明 |
+| 方案 | 优点 | 缺点 |
 |---|---|---|
-| `read` | POST /api/tools/read | 读文件 |
-| `write` | POST /api/tools/write | 写文件 |
-| `edit` | POST /api/tools/edit | 字符串替换 |
-| `bash` | POST /api/tools/bash | shell 命令 |
-| `glob` | POST /api/tools/glob | 文件匹配 |
-| `grep` | POST /api/tools/grep | 内容搜索 |
+| ~~per-session `.opencode/opencode.json`~~ | 完全隔离 | 每次写文件、opencode 重复解析 |
+| **全局 `~/.config/opencode/`** ★ | 只写一次；opencode 缓存加载 | 需 installer 幂等 + version 检测 |
 
-OpenCode 在给工具命名时会加 MCP server 名前缀，因此 LLM 看到的是 `sbx_read`、`sbx_write` 等。
+### 决策 2：工具实现走 MCP bridge vs tool override
 
-### 沙箱路径约束
-**必须使用相对路径**。沙箱侧的 `/api/tools/*` 对所有绝对路径返回 `403 Path traversal blocked`。
-相对路径会被解析到 scope 隔离目录 `/tmp/workspace/<envId>/<conversationId>/`。
+| 方案 | 工具名 | 进程数 | 复杂度 |
+|---|---|---|---|
+| ~~MCP bridge（第 3 个子进程）~~ | `sbx_read`, `sbx_write` | server + opencode + mcp_bridge | 高 |
+| **tool override（直接覆盖）** ★ | `read`, `write`（LLM 原生熟悉） | server + opencode | 低 |
+
+### 决策 3：凭证传递方式
 
-AGENTS.md 已明确告诉模型这一点；bridge 不做路径转换（让沙箱自己判定最稳）。
+| 方案 | 凭证位置 | 生命周期 |
+|---|---|---|
+| ~~config 文件 `environment` 字段~~ | 磁盘（even per-session tmp） | 直到文件删除 |
+| **spawn env 注入** ★ | 进程 env | 进程退出即消失 |
 
-## 8. 测试结果
+## 6. e2e 测试结果
 
-### e2e#1: 本地模式（`test-opencode-runtime.mts`）
+### e2e#1: 本地无沙箱（`test-opencode-runtime.mts`）
 ```
-[e2e] event counts: {
-  "agent_phase": 2,
-  "tool_use": 1,
-  "tool_input_update": 1,
-  "tool_result": 1,
-  "text": 2,
-  "result": 1
-}
+[OpencodeAcpRuntime] installed opencode tools to /Users/yang/.config/opencode/tools:
+    installed=read,write,edit,bash,grep,glob
+
+[tool_use ▶] write id=write:0
+[tool_result ◯] out="Wrote 18 bytes to /private/tmp/opencode-runtime-e2e/hello.txt"
+  ^^^^^^^^^^^^^ 这是我们 custom write.ts 的输出格式（builtin 不这么写）
+
 hello.txt content: "hello from runtime"
-PASS: file created with correct content
 OVERALL: PASS
 ```
 
 ### e2e#2: HTTP 公开端点（`test-acp-http-e2e.mts`）
 ```
 /health: PASS
-/runtimes: PASS (opencode-acp registered)
+/runtimes: {"default":"tencent-sdk","runtimes":[...]}
 ```
 
-### e2e#3: 完整 HTTP SSE（`test-acp-chat-http.mts`）
+### e2e#3: 完整 HTTP SSE chat（`test-acp-chat-http.mts`）
 ```
-status=200 content-type=text/event-stream
-received 21 SSE events
-update:agent_message_chunk: 18
-update:agent_phase: 2
-DONE: 1
-agent text: 我是OpenCode，一个运行在您计算机上的交互式通用AI代理...
+28 SSE events (agent_phase×2, agent_message_chunk×25, DONE×1)
+agent text: 我是OpenCode，一个运行在您计算机上的交互式通用AI助手...
 OVERALL: PASS
 ```
 
-### ★ e2e#4: 沙箱隔离（`test-opencode-sandbox-e2e.mts`）
-```
-[tool_use ▶] name=sbx_write id=sbx_write:0
-[tool_result ◯] out={"output":"Wrote file successfully."}
-[result] sandbox={ baseUrl: ".../sandbox-shared", conversationId: "sandbox-e2e-..." }
-
-[sandbox-e2e] sandbox file content = "1: hello from sandbox i24jd6en"
-[sandbox-e2e] local /tmp/hello-sandbox-...txt exists = false
-
-  text events:                 PASS
-  result event:                PASS
-  used sbx_* tools:            PASS (count=1)
-  did NOT use builtin tools:   PASS (count=0)
-  sandbox file has expected:   PASS
-  local NOT polluted:          PASS
-OVERALL: PASS
+### ★ e2e#4: 沙箱隔离（`test-opencode-sandbox-e2e.mts`, 真实 SCF）
 ```
+[tool_use ▶] name=write
+[tool_result ◯] out="{path: /tmp/workspace/huming-test-.../sandbox-e2e-v2-.../hello-sandbox-v2-.txt, bytesWritten: 22, diff: ...}"
+  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  沙箱 HTTP API 返回格式，证明确实走了沙箱（不是本地 fs）
 
-这个 e2e 真实跑通了**完整链路**：
-- LLM（Moonshot Kimi） → MCP sbx_write → sandbox-mcp-bridge → SCF /api/tools/write → 沙箱文件系统
-- 直接调沙箱 /api/tools/read **独立验证**文件确实在沙箱里
-- 本地 /tmp/ 文件系统**未被污染**
+sandbox file content = "1: hello from v2 vusknorg"   ← 独立调沙箱 /api/tools/read 验证
+local /tmp/hello-sandbox-v2-*.txt exists = false     ← 本地干净
 
-### 质量校验
-- `pnpm type-check` ✅（所有包）
-- `pnpm lint` ✅
-- `pnpm build` ✅（server + web）
-- `pnpm format` ✅
-
-## 9. 首版限制
+  LLM used 'write' tool:      PASS (count=1)
+  sandbox file has content:   PASS
+  local NOT polluted:         PASS
+OVERALL: PASS
+```
 
-| 特性 | 状态 |
-|---|---|
-| askAnswers resume（AskUserQuestion） | ❌ 未实现 |
-| toolConfirmation resume（ToolConfirm UI 对接） | ❌ 默认 allow_once |
-| coding-mode 模板初始化（vite dev server） | ❌ 未集成 |
-| git-archive / syncMessages DB 持久化 | ❌ 仅 stream events 落库 |
-| maxTurns / cancel 细节 | ⚠️ 只基础 abort |
-| permissionMode ('plan') | ⚠️ 可接 set_session_mode，未接线 |
-| OpenCode agent 的工具允许列表 wildcard 语法 | ✅ `sbx_*: true` 已验证 |
+**沙箱隔离完全工作**：LLM 调的是 `write`（不是 `sbx_write`），工具内部读 env 走 HTTP 到沙箱，文件写在沙箱容器内，本地文件系统毫无污染。
 
-## 10. 如何运行
+## 7. 如何运行
 
 ```bash
 # 前提
 npm i -g opencode-ai
-# ~/.config/opencode/opencode.json 配好 moonshot（或其他 provider）
-# ~/.local/share/opencode/auth.json 放 API key
-# packages/server/.env 填 TCB_* 等
-# pnpm install + pnpm build:server
+# ~/.config/opencode/opencode.json 配好 provider（Moonshot / Anthropic / OpenAI…）
+# ~/.local/share/opencode/auth.json 填 API key
 
 cd packages/server
 
-# e2e#1 本地模式 (~60s)
+# 首次运行时，runtime 会自动把 tool 模板装到 ~/.config/opencode/tools/
+# 如果需要强制重装：OPENCODE_TOOLS_FORCE_REINSTALL=1 pnpm dev
+
+# e2e#1 本地模式 (~90s)
 npx tsx scripts/test-opencode-runtime.mts
 
-# e2e#2 HTTP 公开端点 (~10s)
+# e2e#2 HTTP endpoints (~10s)
 npx tsx --env-file=.env scripts/test-acp-http-e2e.mts
 
-# e2e#3 HTTP SSE (~60s)
+# e2e#3 SSE chat (~60s)
 npx tsx --env-file=.env scripts/test-acp-chat-http.mts
 
-# e2e#4 沙箱隔离 ★ (~90s, 需要真实 SCF 环境)
+# ★ e2e#4 沙箱 (~180s, 需真实 SCF)
 npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
 ```
 
-## 11. 设计决策
-
-### 为什么不把 opencode 塞到沙箱里？
-违反 agent/sandbox 分离原则：
-- agent（决策）应在受控 server 环境里，便于集中管理凭证、监控、升级
-- sandbox（执行）是"纯体力活"容器，应尽量纯净、快速启停
-- 把 agent 塞沙箱会让 sandbox 镜像臃肿、重启成本大、依赖版本难管控
-
-### 为什么用 MCP 而不是 ACP client 回调？
-调研发现 OpenCode 的 ACP agent **不发 `fs/*` / `terminal/*` 回调**（所有内置工具在其进程内执行）。
-MCP 是 OpenCode 会主动调用的唯一可插拔扩展点。
+## 8. Env 变量
 
-### 为什么 per-session 临时目录（而不是全局 opencode.json）？
-- 不同 session 有不同的沙箱凭证（不同 user、不同 env）
-- opencode 读 cwd 下 `.opencode/opencode.json` 覆盖全局，天然做到 per-session 隔离
-- 避免 session 间 race condition（并发时互不干扰）
+### runtime 侧
+| 变量 | 默认 | 作用 |
+|---|---|---|
+| `OPENCODE_BIN` | `opencode` | opencode 可执行路径 |
+| `OPENCODE_DEFAULT_MODEL` | `moonshot/kimi-k2-0905-preview` | 默认模型 |
+| `SANDBOX_WORKSPACE_ROOT` | `.` | LLM 看到的沙箱工作目录 |
+| `OPENCODE_TOOLS_INSTALL_DIR` | `~/.config/opencode/tools` | 全局 tools 安装目录 |
+| `OPENCODE_TOOLS_FORCE_REINSTALL` | - | `=1` 强制重装（版本升级） |
+| `OPENCODE_TOOL_TEMPLATE_DIR` | 自动推断 | 覆盖模板源路径 |
+| `OPENCODE_ACP_DEBUG` | - | `=1` 开启详细日志 |
+| `AGENT_RUNTIME` / `AGENT_RUNTIME_DEFAULT` | `tencent-sdk` | runtime 选择 |
+
+### spawn 时自动注入到 opencode 子进程（由 runtime 控制）
+| 变量 | 作用 |
+|---|---|
+| `SANDBOX_MODE` | `1` 启用 HTTP 转发，`0` 走本地 fs |
+| `SANDBOX_BASE_URL` | 沙箱 base URL（由 `scfSandboxManager.getOrCreate` 获取） |
+| `SANDBOX_AUTH_HEADERS_JSON` | 沙箱 auth headers JSON |
 
-### 为什么 MCP bridge 是独立 .js 文件（而不是嵌入 runtime）？
-- OpenCode 期望 MCP server 是独立可执行（command + args）
-- 独立文件让 bridge 本身可被外部用户 inspect、debug、单独测
-- tsup bundle 出一份自包含的 js，部署只多一个文件
+## 9. 首版限制
 
-### 为什么 LLM 看到的工具名是 `sbx_*`（不是 `sandbox_*`）？
-OpenCode 给 MCP 工具自动加 `<server_name>_` 前缀。
-我们把 server 名定为 `sbx`（短）、工具名就是 `read`/`write`/...，合成结果简洁。
-之前用 `sandbox_write` 会变成 `sbx_sandbox_write`，冗余。
+| 特性 | 状态 |
+|---|---|
+| askAnswers / toolConfirmation resume | ❌ 未接入 |
+| ToolConfirm UI 回调 | ⚠️ 默认 allow_once |
+| coding-mode 模板初始化 | ❌ 未集成 |
+| 消息持久化到 tasks | ⚠️ 只 stream events 落库 |
+| tool override 的版本升级 hash 匹配 | ✅ 已实现（hashFile 比较） |
+| 首次安装报告日志 | ✅ 已输出 |
 
-## 12. 后续路线
+## 10. 后续方向
 
 1. **接 ToolConfirm UI**（1-2 天）
-   把 ACP `requestPermission` 与 MCP tool 执行前的确认映射到现有前端 ToolConfirm 组件。
-
-2. **消息持久化对齐 Tencent 路线**（2-3 天）
-   参考 `cloudbase-agent.service.ts` 的 `preSavePendingRecords` / `syncMessages` 做同样落库。
-
-3. **接更多 ACP agent**（每个 1-2 天）
-   Claude Code ACP、Gemini CLI、Qwen Code。都能复用 `OpencodeAcpRuntime` 的代码骨架，只需改启动命令。
-
-4. **前端 Runtime 选择器**（0.5 天）
-   Task 创建表单加下拉，基于 `GET /runtimes` 动态列出。
-
-5. **生产部署**（镜像打包、环境变量管理）
-   `sandbox-mcp-bridge.js` 已随 server 一起 build 到 dist，部署跟着走。
-   opencode 可通过镜像 `RUN npm i -g opencode-ai` 或 lazy install 策略。
+2. **askAnswers / resume 流程**（2-3 天）
+3. **消息持久化对齐 Tencent 路线**（2-3 天）
+4. **更多 ACP agent**（Claude Code / Gemini / Qwen Code；每个 1-2 天，runtime 骨架复用）
+5. **前端 Runtime 选择器**（0.5 天）
 
-## 13. 引用
+## 11. 引用
 
 - Agent Client Protocol: https://agentclientprotocol.com
-- OpenCode: https://github.com/sst/opencode
-- OpenCode Agent config: https://opencode.ai/docs/agents/
-- Model Context Protocol: https://modelcontextprotocol.io
-- 深度调研备忘录: `/Users/yang/git/coding-agent-template/docs/opencode-acp-integration-memo.md`
+- OpenCode Custom Tools: https://opencode.ai/docs/custom-tools/
+- OpenCode Agents: https://opencode.ai/docs/agents/
+- OpenCode ACP: https://opencode.ai/docs/acp/
+- 源码调研备忘录: `/Users/yang/git/coding-agent-template/docs/opencode-acp-integration-memo.md`
diff --git a/packages/server/package.json b/packages/server/package.json
index 905c925..9984da6 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -9,8 +9,8 @@
     "./agent/cloudbase-agent.service": "./src/agent/cloudbase-agent.service.ts"
   },
   "scripts": {
-    "dev": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting --silent && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting --silent && tsup src/agent/runtime/sandbox-mcp-bridge.ts --format esm --outDir dist/agent/runtime --no-splitting --silent && DOTENVX_PATH=.env tsx watch --env-file=.env src/index.ts",
-    "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/agent/runtime/sandbox-mcp-bridge.ts --format esm --outDir dist/agent/runtime --no-splitting && tsup src/index.ts --format esm --target node22",
+    "dev": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting --silent && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting --silent && DOTENVX_PATH=.env tsx watch --env-file=.env src/index.ts",
+    "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/index.ts --format esm --target node22 && mkdir -p dist/agent/runtime/opencode-tool-templates && cp src/agent/runtime/opencode-tool-templates/*.ts dist/agent/runtime/opencode-tool-templates/",
     "start": "node dist/index.js"
   },
   "dependencies": {
diff --git a/packages/server/scripts/test-opencode-sandbox-e2e.mts b/packages/server/scripts/test-opencode-sandbox-e2e.mts
index 678e98d..a9410f5 100644
--- a/packages/server/scripts/test-opencode-sandbox-e2e.mts
+++ b/packages/server/scripts/test-opencode-sandbox-e2e.mts
@@ -1,21 +1,19 @@
 #!/usr/bin/env tsx
 /**
- * 沙箱隔离端到端测试
+ * 沙箱隔离 e2e 测试（新架构 - tool override + env 注入）
  *
- * 验证目标：
- *   1. 有 envId 时，runtime 自动获取沙箱实例
- *   2. opencode 的 session/new 读 per-session .opencode/opencode.json（禁用内置 read/write）
- *   3. LLM 调用 sandbox MCP bridge 工具（sbx_write 等）
- *   4. sandbox MCP bridge 通过 HTTP 把请求打到沙箱容器
- *   5. 文件真的在沙箱容器内写入（用另一条路径——直接调沙箱 /api/tools/read——确认）
- *   6. 本地文件系统干净，没被污染
+ * 验证链路：
+ *   LLM → 调 write 工具 (被 ~/.config/opencode/tools/write.ts 覆盖)
+ *       → 读 process.env.SANDBOX_BASE_URL + SANDBOX_AUTH_HEADERS_JSON
+ *       → fetch 沙箱 /api/tools/write
+ *       → 沙箱容器里真实写文件
  *
- * 前提：
- *   - packages/server/.env 配了 TCB_*、CODEBUDDY_* 等
- *   - opencode CLI 已装 + Moonshot provider 已配（见 ~/.config/opencode/opencode.json）
- *   - sandbox-mcp-bridge.js 已构建（pnpm build:server）
+ * 断言：
+ *   1. LLM 使用了 write 工具（名字就是 write，非 sbx_* 前缀）
+ *   2. 直接调沙箱 /api/tools/read 能读到预期内容（独立验证）
+ *   3. 本地文件系统未被污染
  *
- * 用法（packages/server 目录）：
+ * 用法：
  *   npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
  */
 
@@ -31,18 +29,17 @@ if (!envId) {
   process.exit(1)
 }
 
-const conversationId = 'sandbox-e2e-' + Date.now()
-const testFilename = `hello-sandbox-${Date.now()}.txt`
-const expectedContent = `hello from sandbox ${Math.random().toString(36).slice(2, 10)}`
-// 沙箱要求相对路径（绝对路径会被 Path traversal 拦截）
+const conversationId = 'sandbox-e2e-v2-' + Date.now()
+const testFilename = `hello-sandbox-v2-${Date.now()}.txt`
+const expectedContent = `hello from v2 ${Math.random().toString(36).slice(2, 10)}`
 const sandboxRelPath = testFilename
 
-console.log(`[sandbox-e2e] envId=${envId}`)
-console.log(`[sandbox-e2e] conversationId=${conversationId}`)
-console.log(`[sandbox-e2e] testFile (relative)=${sandboxRelPath}`)
-console.log(`[sandbox-e2e] expectedContent=${JSON.stringify(expectedContent)}\n`)
+console.log(`[sandbox-e2e-v2] envId=${envId}`)
+console.log(`[sandbox-e2e-v2] conversationId=${conversationId}`)
+console.log(`[sandbox-e2e-v2] testFile (relative)=${sandboxRelPath}`)
+console.log(`[sandbox-e2e-v2] expectedContent=${JSON.stringify(expectedContent)}\n`)
 
-// Make sure local /tmp doesn't have a stale file — e2e will verify local stays clean
+// 清理潜在的本地同名文件（e2e 将验证本地不被污染）
 const localMirror = `/tmp/${testFilename}`
 try {
   fs.unlinkSync(localMirror)
@@ -50,7 +47,6 @@ try {
   /* noop */
 }
 
-// 事件收集
 interface RecordedEvent {
   type: string
   name?: string
@@ -59,20 +55,26 @@ interface RecordedEvent {
 const events: RecordedEvent[] = []
 
 const cb = async (msg: AgentCallbackMessage): Promise<void> => {
-  events.push({ type: msg.type, name: msg.name, content: typeof msg.content === 'string' ? msg.content.slice(0, 120) : undefined })
+  events.push({
+    type: msg.type,
+    name: msg.name,
+    content: typeof msg.content === 'string' ? msg.content.slice(0, 180) : undefined,
+  })
   if (msg.type === 'text' && msg.content) process.stdout.write(msg.content)
   else if (msg.type === 'tool_use')
     console.log(`\n[tool_use ▶] name=${msg.name} id=${msg.id} input=${JSON.stringify(msg.input).slice(0, 200)}`)
   else if (msg.type === 'tool_result')
-    console.log(`[tool_result ◯] tool_use_id=${msg.tool_use_id} is_error=${msg.is_error} out=${(msg.content || '').slice(0, 200)}`)
+    console.log(
+      `[tool_result ◯] tool_use_id=${msg.tool_use_id} is_error=${msg.is_error} out=${(msg.content || '').slice(0, 200)}`,
+    )
   else if (msg.type === 'agent_phase') console.log(`\n[phase] ${msg.phase}`)
   else if (msg.type === 'error') console.log(`\n[error] ${msg.content}`)
   else if (msg.type === 'result') console.log(`\n[result] ${msg.content}`)
 }
 
-console.log('[sandbox-e2e] === starting chatStream (sandbox mode) ===')
+console.log('[sandbox-e2e-v2] === starting chatStream (sandbox mode) ===')
 const { turnId } = await opencodeAcpRuntime.chatStream(
-  `请使用 sbx_write 工具在沙箱里创建文件 ${sandboxRelPath}（使用相对路径，不要写 /workspace 前缀），内容正好一行：${expectedContent}\n不要加引号、不要加 markdown、不要多余换行。完成后简短告诉我已完成。`,
+  `请使用 write 工具创建文件 ${sandboxRelPath}（使用相对路径），内容**完全等于**这一个字符串：${expectedContent}\n不要加引号、不要加 markdown、不要多余换行、不要添加任何其他文字。完成后简短告诉我已完成。`,
   cb,
   {
     conversationId,
@@ -81,32 +83,26 @@ const { turnId } = await opencodeAcpRuntime.chatStream(
     model: 'moonshot/kimi-k2-0905-preview',
   },
 )
-console.log(`\n[sandbox-e2e] chatStream returned: turnId=${turnId}`)
+console.log(`\n[sandbox-e2e-v2] chatStream returned: turnId=${turnId}`)
 
-// 等 result
 const startTime = Date.now()
-while (Date.now() - startTime < 180000) {
+while (Date.now() - startTime < 180_000) {
   if (events.find((e) => e.type === 'result' || e.type === 'error')) break
   await new Promise((r) => setTimeout(r, 500))
 }
 
-console.log('\n\n[sandbox-e2e] === validation ===')
+console.log('\n\n[sandbox-e2e-v2] === validation ===')
 
-// 1. 事件计数
 const counts: Record<string, number> = {}
 for (const e of events) counts[e.type] = (counts[e.type] ?? 0) + 1
-console.log('[sandbox-e2e] event counts:', JSON.stringify(counts))
+console.log('[sandbox-e2e-v2] event counts:', JSON.stringify(counts))
 
-// 2. 确认调了 sbx_* 工具
-const sbxToolUses = events.filter((e) => e.type === 'tool_use' && typeof e.name === 'string' && e.name.startsWith('sbx'))
-const builtinWriteUses = events.filter(
-  (e) => e.type === 'tool_use' && (e.name === 'write' || e.name === 'edit' || e.name === 'bash'),
-)
-console.log(`[sandbox-e2e] sbx_* tool_use count: ${sbxToolUses.length}`)
-console.log(`[sandbox-e2e] builtin write/edit/bash tool_use count: ${builtinWriteUses.length}`)
+// 1. 确认 LLM 用了 write 工具
+const writeToolUses = events.filter((e) => e.type === 'tool_use' && e.name === 'write')
+console.log(`[sandbox-e2e-v2] 'write' tool_use count: ${writeToolUses.length}`)
 
-// 3. 验证沙箱内文件确实写入（直接调沙箱 /api/tools/read）
-console.log('\n[sandbox-e2e] querying sandbox /api/tools/read to verify...')
+// 2. 独立验证沙箱里的文件
+console.log('\n[sandbox-e2e-v2] querying sandbox /api/tools/read to verify...')
 let sandboxReadOk = false
 let sandboxReadContent = ''
 try {
@@ -124,33 +120,31 @@ try {
   if (data.success && typeof data.result?.content === 'string') {
     sandboxReadContent = data.result.content
     sandboxReadOk = sandboxReadContent.includes(expectedContent)
-    console.log(`[sandbox-e2e] sandbox file content = ${JSON.stringify(sandboxReadContent.slice(0, 200))}`)
+    console.log(`[sandbox-e2e-v2] sandbox file content = ${JSON.stringify(sandboxReadContent.slice(0, 200))}`)
   } else {
-    console.log(`[sandbox-e2e] sandbox read failed: ${data.error ?? JSON.stringify(data).slice(0, 200)}`)
+    console.log(`[sandbox-e2e-v2] sandbox read failed: ${data.error ?? JSON.stringify(data).slice(0, 200)}`)
   }
 } catch (e) {
-  console.log(`[sandbox-e2e] sandbox read error: ${(e as Error).message}`)
+  console.log(`[sandbox-e2e-v2] sandbox read error: ${(e as Error).message}`)
 }
 
-// 4. 验证本地未被污染
+// 3. 本地文件系统干净
 const localExists = fs.existsSync(localMirror)
-console.log(`[sandbox-e2e] local /tmp/${testFilename} exists = ${localExists} (should be false)`)
+console.log(`[sandbox-e2e-v2] local ${localMirror} exists = ${localExists} (should be false)`)
 
 // ─── Assertions ─────────────────────────────────────────────────────────────
 const hasText = (counts.text ?? 0) > 0
 const hasResult = (counts.result ?? 0) > 0
-const usedSandboxMcp = sbxToolUses.length > 0
-const noBuiltinTools = builtinWriteUses.length === 0
-
-console.log('\n[sandbox-e2e] assertions:')
-console.log(`  text events:                 ${hasText ? 'PASS' : 'FAIL'}`)
-console.log(`  result event:                ${hasResult ? 'PASS' : 'FAIL'}`)
-console.log(`  used sbx_* tools:            ${usedSandboxMcp ? 'PASS' : 'FAIL'} (count=${sbxToolUses.length})`)
-console.log(`  did NOT use builtin tools:   ${noBuiltinTools ? 'PASS' : 'FAIL'} (count=${builtinWriteUses.length})`)
-console.log(`  sandbox file has expected:   ${sandboxReadOk ? 'PASS' : 'FAIL'}`)
-console.log(`  local NOT polluted:          ${!localExists ? 'PASS' : 'FAIL'}`)
-
-const overall = hasText && hasResult && usedSandboxMcp && noBuiltinTools && sandboxReadOk && !localExists
-console.log(`\n[sandbox-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+const usedWrite = writeToolUses.length > 0
+
+console.log('\n[sandbox-e2e-v2] assertions:')
+console.log(`  text events:                ${hasText ? 'PASS' : 'FAIL'}`)
+console.log(`  result event:               ${hasResult ? 'PASS' : 'FAIL'}`)
+console.log(`  LLM used 'write' tool:      ${usedWrite ? 'PASS' : 'FAIL'} (count=${writeToolUses.length})`)
+console.log(`  sandbox file has content:   ${sandboxReadOk ? 'PASS' : 'FAIL'}`)
+console.log(`  local NOT polluted:         ${!localExists ? 'PASS' : 'FAIL'}`)
+
+const overall = hasText && hasResult && usedWrite && sandboxReadOk && !localExists
+console.log(`\n[sandbox-e2e-v2] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
 
 process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 3cd38bd..0b2e089 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -3,38 +3,28 @@
  *
  * 基于 ACP 协议的 OpenCode agent runtime，严格遵守 agent/sandbox 分离原则。
  *
- * 架构：
+ * 架构（"全局 tool override + env 注入"）：
  *
- *   server 进程
- *   │
- *   ├─ opencode acp (子进程, agent 域)
- *   │    │
- *   │    ├─ 内置 read/write/bash/edit/... — 已禁用（per-session agent config）
- *   │    │
- *   │    └─ MCP client → stdio spawn sandbox-mcp-bridge.js
- *   │                      │
- *   │                      ▼ HTTP
- *   │            ┌─────────────────────┐
- *   │            │  Sandbox (SCF)      │
- *   │            │   /api/tools/read   │
- *   │            │   /api/tools/write  │
- *   │            │   /api/tools/bash   │
- *   │            │   /workspace        │
- *   │            └─────────────────────┘
- *   │
- *   └─ IAgentRuntime.chatStream()
- *        │
- *        ▼
- *      1. 为本次 session 准备临时工作目录（放配置 + AGENTS.md）
- *      2. 获取 sandbox instance（从 scfSandboxManager）
- *      3. spawn opencode acp --cwd <临时目录>
- *      4. ACP 握手 → newSession（mcpServers 传入 sandbox-mcp-bridge）
- *      5. setSessionMode('sandboxed') 锁定只能用 sbx_* 工具
- *      6. prompt → 翻译 session/update 为 AgentCallbackMessage
- *      7. 清理临时目录、kill 子进程
+ *   server 启动时：
+ *     ensureOpencodeToolsInstalled()
+ *       └─ 把 read/write/bash/edit/grep/glob 模板拷贝到 ~/.config/opencode/tools/
+ *          （同名 custom tool 覆盖 builtin — 实测已验证）
  *
- * 首版仍保留：如果没有 envId（本地开发），自动退回"无沙箱模式"，工具本地执行。
- * 这样 e2e#1 (本地模式) 与生产沙箱模式可以共存。
+ *   每次 chatStream：
+ *     1. 如果有 envId：scfSandboxManager.getOrCreate()
+ *     2. spawn opencode acp，通过 child env 注入：
+ *          SANDBOX_MODE=1
+ *          SANDBOX_BASE_URL=<沙箱 HTTPS>
+ *          SANDBOX_AUTH_HEADERS_JSON=<凭证 JSON>
+ *     3. opencode 父进程的 env 会继承给所有子进程（MCP 服务等）
+ *     4. 工具文件里读 process.env.SANDBOX_* 决定：本地执行 vs HTTP 转发到沙箱
+ *     5. ACP 握手 → newSession → prompt → 收 session/update 流 → 翻译为 AgentCallbackMessage
+ *
+ * 相比旧方案（per-session 写 .opencode/opencode.json + MCP bridge 子进程）：
+ *   - 不再写 per-session 配置文件（只写一次全局 tools/*.js）
+ *   - 不再启 MCP 子进程（少一层进程 + 少一层 JSON-RPC 序列化）
+ *   - 工具名就是 `read`/`write`/... 与 LLM 训练期望一致
+ *   - 凭证只在进程 env 里，session 结束随进程退出清理
  */
 
 import { v4 as uuidv4 } from 'uuid'
@@ -53,66 +43,42 @@ import {
 import { persistenceService } from '../persistence.service.js'
 import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
 import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
-import { createSessionWorkspace, type SessionWorkspace } from './opencode-session-config.js'
+import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
 import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { spawn } from 'node:child_process'
+import os from 'node:os'
 import path from 'node:path'
 import fs from 'node:fs'
-import { fileURLToPath } from 'node:url'
 
 // ─── Config ──────────────────────────────────────────────────────────────
 
 const OPENCODE_BIN = process.env.OPENCODE_BIN || 'opencode'
-
-/** 默认模型（OpenCode 模型 id 格式: provider/model[/variant]） */
 const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'moonshot/kimi-k2-0905-preview'
 
-/** 工作空间根（沙箱侧） */
-const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '/workspace'
+/** 沙箱内工作目录（agent 看到的"当前目录"概念）。相对路径工具都会以此为根。 */
+const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '.'
 
-// ─── Helpers ─────────────────────────────────────────────────────────────
+// ─── State ───────────────────────────────────────────────────────────────
 
-const __filename = fileURLToPath(import.meta.url)
-const __dirname = path.dirname(__filename)
+let toolsInstallPromise: Promise<void> | null = null
 
-/**
- * 解析 sandbox-mcp-bridge.js 的绝对路径。
- *
- * 三种运行形态：
- *   1. 源码（tsx watch dev）：__filename = ...src/agent/runtime/opencode-acp-runtime.ts
- *      → 期望 dist 产物在 ../../../dist/agent/runtime/sandbox-mcp-bridge.js
- *   2. 构建后（node dist/index.js）：__filename = ...dist/index.js
- *      → 在 同目录/agent/runtime/sandbox-mcp-bridge.js
- *   3. 环境变量 override：SANDBOX_MCP_BRIDGE_PATH=...
- */
-function resolveMcpBridgePath(): string {
-  const fromEnv = process.env.SANDBOX_MCP_BRIDGE_PATH
-  if (fromEnv) return fromEnv
-
-  const candidates = [
-    // 1. src 运行：走到项目 dist
-    path.resolve(__dirname, '../../../dist/agent/runtime/sandbox-mcp-bridge.js'),
-    // 2. dist 运行：同目录
-    path.resolve(__dirname, 'sandbox-mcp-bridge.js'),
-    // 3. monorepo root dist
-    path.resolve(__dirname, '../../../../packages/server/dist/agent/runtime/sandbox-mcp-bridge.js'),
-  ]
-  for (const c of candidates) {
-    try {
-      if (fs.existsSync(c)) return c
-    } catch {
-      /* noop */
-    }
+/** 惰性确保全局 tools 已安装；多次调用只执行一次。 */
+function ensureToolsInstalledOnce(): Promise<void> {
+  if (!toolsInstallPromise) {
+    toolsInstallPromise = ensureOpencodeToolsInstalled()
+      .then((r) => {
+        if (r.installed.length || r.forced) {
+          console.log(
+            `[OpencodeAcpRuntime] installed opencode tools to ${r.installDir}: installed=${r.installed.join(',') || '-'} skipped=${r.skipped.join(',') || '-'}`,
+          )
+        }
+      })
+      .catch((err) => {
+        console.error('[OpencodeAcpRuntime] failed to install opencode tools:', err)
+        // Don't reset — broken installer is better than infinite retry loop
+      })
   }
-  // 兜底：返回第一个猜测，spawn 时会报错
-  return candidates[0]
-}
-
-// ─── Types ───────────────────────────────────────────────────────────────
-
-export interface OpencodeAcpRuntimeOptions {
-  /** 工作空间根目录（沙箱内），默认 /workspace */
-  sandboxWorkspaceRoot?: string
+  return toolsInstallPromise
 }
 
 // ─── Runtime ─────────────────────────────────────────────────────────────
@@ -120,8 +86,6 @@ export interface OpencodeAcpRuntimeOptions {
 export class OpencodeAcpRuntime implements IAgentRuntime {
   readonly name = 'opencode-acp'
 
-  constructor(private readonly runtimeOpts: OpencodeAcpRuntimeOptions = {}) {}
-
   async isAvailable(): Promise<boolean> {
     return new Promise((resolve) => {
       try {
@@ -198,11 +162,14 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     const emit = makeEmitter({ liveCallback, envId, userId, conversationId, turnId })
 
     let transport: AcpTransport | null = null
-    let workspace: SessionWorkspace | null = null
     let sandbox: SandboxInstance | null = null
+    let sessionWorkingDir: string | null = null
 
     try {
-      // 1. 获取沙箱（有 envId 时）
+      // 0. 确保全局 opencode tools 已安装
+      await ensureToolsInstalledOnce()
+
+      // 1. 如果有 envId，获取沙箱
       if (envId) {
         try {
           sandbox = await scfSandboxManager.getOrCreate(conversationId, envId, {
@@ -217,23 +184,37 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
 
       await emit({ type: 'agent_phase', phase: 'preparing' })
 
-      // 2. 创建 per-session 工作目录 + opencode 配置
-      workspace = await createSessionWorkspace({
-        sandbox: sandbox ?? undefined,
-        sandboxWorkspaceRoot: this.runtimeOpts.sandboxWorkspaceRoot ?? SANDBOX_WORKSPACE_ROOT,
-        mcpBridgePath: resolveMcpBridgePath(),
-        localWorkspaceDir: options.cwd,
-      })
+      // 2. 工作目录
+      //    - 沙箱模式：opencode cwd 用临时占位目录（opencode 需要一个本地目录启动，
+      //      但真实读写由 tools 转发到沙箱，不依赖这个目录）
+      //    - 本地模式：用 options.cwd 或临时目录
+      sessionWorkingDir = options.cwd ?? path.join(os.tmpdir(), `opencode-session-${uuidv4()}`)
+      if (!fs.existsSync(sessionWorkingDir)) {
+        fs.mkdirSync(sessionWorkingDir, { recursive: true })
+      }
+
+      // 3. 构造 spawn env — 把沙箱凭证通过 env 注入 opencode 子进程
+      const childEnv: Record<string, string> = {}
+      if (sandbox) {
+        const authHeaders = await sandbox.getAuthHeaders()
+        childEnv.SANDBOX_MODE = '1'
+        childEnv.SANDBOX_BASE_URL = sandbox.baseUrl
+        childEnv.SANDBOX_AUTH_HEADERS_JSON = JSON.stringify(authHeaders)
+        childEnv.SANDBOX_WORKSPACE_ROOT = SANDBOX_WORKSPACE_ROOT
+      } else {
+        childEnv.SANDBOX_MODE = '0'
+      }
 
-      // 3. spawn opencode acp
+      // 4. spawn opencode acp
       const factory = getAcpTransportFactory('local-stdio')
       transport = await factory({
-        cwd: workspace.dir,
+        cwd: sessionWorkingDir,
         signal: abortController.signal,
         debug: process.env.OPENCODE_ACP_DEBUG === '1',
+        env: childEnv,
       })
 
-      // 4. 建立 ACP connection — 这里不挂 fs/terminal 回调（OpenCode 不会调）
+      // 5. 建立 ACP connection
       const conn = new ClientSideConnection(
         () => ({
           sessionUpdate: async (params) => {
@@ -256,7 +237,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         transport.stream,
       )
 
-      // 5. ACP 握手
+      // 6. ACP 握手
       await conn.initialize({
         protocolVersion: 1,
         clientCapabilities: {
@@ -265,24 +246,13 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         },
       })
 
-      // 6. 创建 session — 此处**不传 mcpServers**，因为我们在 opencode.json 里已经配了
-      //    mcp.sbx（local stdio）。OpenCode 启动时会读 cwd 下的 .opencode/opencode.json。
+      // 7. 创建 session
       const newRes = await conn.newSession({
-        cwd: workspace.dir,
+        cwd: sessionWorkingDir,
         mcpServers: [],
       })
       const opencodeSessionId = newRes.sessionId
 
-      // 7. 切到 sandboxed agent mode（禁用所有内置工具）
-      try {
-        await conn.setSessionMode({
-          sessionId: opencodeSessionId,
-          modeId: workspace.agentMode,
-        })
-      } catch (e) {
-        console.warn('[OpencodeAcpRuntime] setSessionMode failed (continuing):', (e as Error).message)
-      }
-
       // 8. 选择模型
       try {
         await conn.unstable_setSessionModel({
@@ -306,7 +276,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
           stopReason: promptRes.stopReason,
           usage: (promptRes as { _meta?: { usage?: unknown } })._meta?.usage ?? null,
           sandbox: sandbox ? { baseUrl: sandbox.baseUrl, conversationId: sandbox.conversationId } : null,
-          workspaceDir: workspace.dir,
+          workingDir: sessionWorkingDir,
         }),
       })
 
@@ -331,9 +301,10 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
           /* noop */
         }
       }
-      if (workspace) {
+      // 清理临时工作目录（如果是我们自己建的）
+      if (sessionWorkingDir && !options.cwd && sessionWorkingDir.startsWith(os.tmpdir())) {
         try {
-          workspace.cleanup()
+          fs.rmSync(sessionWorkingDir, { recursive: true, force: true })
         } catch {
           /* noop */
         }
diff --git a/packages/server/src/agent/runtime/opencode-installer.ts b/packages/server/src/agent/runtime/opencode-installer.ts
new file mode 100644
index 0000000..69a5cf4
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-installer.ts
@@ -0,0 +1,126 @@
+/**
+ * OpenCode 全局配置安装器
+ *
+ * 目的：把 tool override 模板一次性装到 `~/.config/opencode/tools/`，这样：
+ *   - 所有 opencode 实例都能加载（全局生效，不必每 session 写一遍）
+ *   - 模板自身通过 `process.env.SANDBOX_*` 读取 per-session 凭证
+ *   - opencode 看到 custom tool `read` / `write` / ...，**覆盖** builtin 同名工具
+ *
+ * 重要实现细节：
+ *   - 直接安装 `.ts` 源文件（opencode binary 原生支持 TS loader）
+ *   - tsup 打包后的 `.js` 含 `import { z } from "zod"`，opencode 当前版本不能解析这个 import，
+ *     会静默忽略文件（tool 不被注册）。所以**必须用 .ts**。
+ *   - 幂等：同 hash 跳过；OPENCODE_TOOLS_FORCE_REINSTALL=1 强制覆盖。
+ */
+
+import fs from 'node:fs'
+import path from 'node:path'
+import os from 'node:os'
+import crypto from 'node:crypto'
+import { fileURLToPath } from 'node:url'
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+
+const TOOL_NAMES = ['read', 'write', 'edit', 'bash', 'grep', 'glob'] as const
+export type ToolName = (typeof TOOL_NAMES)[number]
+
+/**
+ * 找到 TS 模板源文件目录。
+ * - 源码运行（tsx dev）：__dirname = .../src/agent/runtime/
+ *   templates at .../src/agent/runtime/opencode-tool-templates/
+ * - dist 运行：__dirname = .../dist/
+ *   需要回溯到 src：.../dist/../src/agent/runtime/opencode-tool-templates/
+ *   但 src 可能不在生产机器上，所以优先级：
+ *   1. 环境变量 OPENCODE_TOOL_TEMPLATE_DIR
+ *   2. __dirname 附近
+ *   3. 回溯到 src（只在开发时可用）
+ */
+function resolveTemplateDir(): string {
+  const fromEnv = process.env.OPENCODE_TOOL_TEMPLATE_DIR
+  if (fromEnv && fs.existsSync(fromEnv)) return fromEnv
+
+  const candidates = [
+    // 源码运行
+    path.resolve(__dirname, 'opencode-tool-templates'),
+    // dist 运行，指向 server 包内 src
+    path.resolve(__dirname, '../../src/agent/runtime/opencode-tool-templates'),
+    path.resolve(__dirname, '../src/agent/runtime/opencode-tool-templates'),
+    // 兜底（workspace root 下的 server）
+    path.resolve(process.cwd(), 'packages/server/src/agent/runtime/opencode-tool-templates'),
+  ]
+  for (const c of candidates) {
+    if (fs.existsSync(c)) {
+      // 再确认里面真的有 read.ts
+      if (fs.existsSync(path.join(c, 'read.ts'))) return c
+    }
+  }
+  throw new Error(
+    `Cannot locate opencode tool templates. Tried: ${candidates.join(', ')}. Set OPENCODE_TOOL_TEMPLATE_DIR to override.`,
+  )
+}
+
+/** 安装目录：默认 ~/.config/opencode/tools/ */
+function getInstallDir(): string {
+  const override = process.env.OPENCODE_TOOLS_INSTALL_DIR
+  if (override) return override
+  return path.join(os.homedir(), '.config', 'opencode', 'tools')
+}
+
+/** 读文件返回 sha256 hex */
+function hashFile(p: string): string {
+  const buf = fs.readFileSync(p)
+  return crypto.createHash('sha256').update(buf).digest('hex')
+}
+
+interface InstallResult {
+  installDir: string
+  installed: ToolName[]
+  skipped: ToolName[]
+  forced: boolean
+}
+
+/**
+ * 幂等安装所有 tool override 模板（.ts 源文件）到全局目录。
+ * `OPENCODE_TOOLS_FORCE_REINSTALL=1` → 强制覆盖。
+ */
+export async function ensureOpencodeToolsInstalled(): Promise<InstallResult> {
+  const templateDir = resolveTemplateDir()
+  const installDir = getInstallDir()
+  const force = process.env.OPENCODE_TOOLS_FORCE_REINSTALL === '1'
+
+  fs.mkdirSync(installDir, { recursive: true })
+
+  const installed: ToolName[] = []
+  const skipped: ToolName[] = []
+
+  for (const name of TOOL_NAMES) {
+    const src = path.join(templateDir, `${name}.ts`)
+    const dst = path.join(installDir, `${name}.ts`)
+
+    if (!fs.existsSync(src)) {
+      throw new Error(`Tool template not found: ${src}`)
+    }
+
+    if (fs.existsSync(dst) && !force && hashFile(src) === hashFile(dst)) {
+      skipped.push(name)
+      continue
+    }
+    fs.copyFileSync(src, dst)
+    installed.push(name)
+  }
+
+  // 清理可能残留的 .js（旧的错误安装形式）
+  for (const name of TOOL_NAMES) {
+    const stale = path.join(installDir, `${name}.js`)
+    if (fs.existsSync(stale)) {
+      try {
+        fs.unlinkSync(stale)
+      } catch {
+        /* noop */
+      }
+    }
+  }
+
+  return { installDir, installed, skipped, forced: force }
+}
diff --git a/packages/server/src/agent/runtime/opencode-session-config.ts b/packages/server/src/agent/runtime/opencode-session-config.ts
deleted file mode 100644
index 926dd33..0000000
--- a/packages/server/src/agent/runtime/opencode-session-config.ts
+++ /dev/null
@@ -1,193 +0,0 @@
-/**
- * Per-session OpenCode 配置与工作目录管理
- *
- * 核心职责：为每次 chatStream 调用准备一个**临时工作目录**，内放 opencode 配置：
- *
- *   /tmp/opencode-session-<uuid>/
- *     .opencode/opencode.json   ← 定义 agent：禁用内置 read/write/bash/edit，
- *                                  只允许 sandbox_* 工具
- *     AGENTS.md                  ← 可选的 system prompt 增强
- *
- * 为什么要这样做？
- *   - opencode 启动时从 `cwd` 读配置
- *   - 我们需要每个 session 有独立配置（不同用户/沙箱的凭证互不串）
- *   - per-session 目录隔离避免 race condition（同时跑多个 session）
- *
- * 注意：这个目录**仅放配置**。真实的用户工作文件都在沙箱容器里（/workspace）。
- *       opencode 进程虽然 cwd 指向临时目录，但它通过 MCP (sandbox_*) 工具读写沙箱。
- */
-
-import fs from 'node:fs'
-import path from 'node:path'
-import os from 'node:os'
-import { v4 as uuidv4 } from 'uuid'
-import type { SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
-
-/** 默认工作目录前缀 */
-const SESSION_DIR_PREFIX = 'opencode-session-'
-
-/**
- * 要禁用的 OpenCode 内置工具。
- * 见 https://opencode.ai/docs/agents/#tools
- */
-const DISABLED_BUILTIN_TOOLS = ['read', 'write', 'edit', 'bash', 'grep', 'glob', 'webfetch', 'patch'] as const
-
-/**
- * 给 sandbox MCP bridge 用的工具名（MCP 上报给 opencode 时会被加 `<server>_` 前缀）。
- * 我们的 server name 定为 "sandbox"，所以实际 tool id 是 `sandbox_sandbox_read` 之类。
- * 为了干净，把 MCP server 名就叫 "sbx"，tool name 就叫 "read"/"write"/...
- * OpenCode 看到 `sbx_read`/`sbx_write` 等。
- */
-export const SANDBOX_MCP_SERVER_NAME = 'sbx'
-
-export interface SessionWorkspace {
-  /** 临时目录绝对路径；opencode acp 的 --cwd 指向此 */
-  readonly dir: string
-  /** 要在 `session/new.mcpServers` 里传给 opencode 的 MCP server 定义 */
-  readonly mcpServerCommand: string
-  readonly mcpServerArgs: string[]
-  readonly mcpServerEnv: Record<string, string>
-  /** 要在 `session/set_mode` 里切的 agent mode id（不存在则用 'build'） */
-  readonly agentMode: string
-  /** 清理临时目录 */
-  cleanup(): void
-}
-
-export interface CreateSessionWorkspaceOptions {
-  sandbox?: SandboxInstance
-  /** 沙箱 workspace 根目录（默认 /workspace，即 opencode 的工作视角） */
-  sandboxWorkspaceRoot?: string
-  /** 编译后的 sandbox-mcp-bridge.js 路径（由 runtime 传入） */
-  mcpBridgePath: string
-  /**
-   * 本地模式的工作目录（无沙箱时）。
-   * - 有沙箱：忽略此字段，创建临时目录仅存配置
-   * - 无沙箱：使用此目录作为 opencode 的 cwd，LLM 读写都在这里
-   */
-  localWorkspaceDir?: string
-}
-
-/**
- * 创建 per-session 工作目录 + 生成 opencode 配置。
- */
-export async function createSessionWorkspace(opts: CreateSessionWorkspaceOptions): Promise<SessionWorkspace> {
-  const sandboxMode = !!opts.sandbox
-
-  // 工作目录选择：
-  //   sandbox 模式 → 临时 staging 目录（只放配置，不用于 LLM 读写）
-  //   无沙箱 → 用传入的 localWorkspaceDir（LLM 真的读写这里）
-  const dir = sandboxMode
-    ? path.join(os.tmpdir(), `${SESSION_DIR_PREFIX}${uuidv4()}`)
-    : (opts.localWorkspaceDir ?? path.join(os.tmpdir(), `${SESSION_DIR_PREFIX}${uuidv4()}`))
-
-  // 临时目录需要我们自己创建；用户传入的工作目录假定已存在
-  const isTempDir = sandboxMode || !opts.localWorkspaceDir
-  fs.mkdirSync(path.join(dir, '.opencode'), { recursive: true })
-
-  const sandboxWorkspaceRoot = opts.sandboxWorkspaceRoot ?? '.'
-
-  // ── 1. agent + mcp 配置 ─────────────────────────────────────────────
-  //
-  // 有沙箱 → 禁用内置工具 + 注入 sandbox MCP
-  // 无沙箱（本地开发） → 保留内置工具，不注入 MCP（opencode 就用本地文件系统）
-
-  const mcpBridgeEnv: Record<string, string> = {
-    SANDBOX_BASE_URL: opts.sandbox?.baseUrl ?? '',
-    SANDBOX_AUTH_HEADERS_JSON: opts.sandbox ? JSON.stringify(await opts.sandbox.getAuthHeaders()) : '{}',
-    SANDBOX_DEFAULT_CWD: sandboxWorkspaceRoot,
-    SANDBOX_MCP_DEBUG: process.env.SANDBOX_MCP_DEBUG ?? '',
-  }
-
-  const opencodeConfig: Record<string, unknown> = {
-    $schema: 'https://opencode.ai/config.json',
-  }
-
-  if (sandboxMode) {
-    const toolsDisabled: Record<string, boolean> = {}
-    for (const t of DISABLED_BUILTIN_TOOLS) toolsDisabled[t] = false
-    toolsDisabled[`${SANDBOX_MCP_SERVER_NAME}_*`] = true
-
-    opencodeConfig.agent = {
-      sandboxed: {
-        description: 'Sandboxed agent: all file I/O and shell execution go through sandbox MCP bridge',
-        mode: 'primary',
-        tools: toolsDisabled,
-      },
-    }
-    opencodeConfig.mcp = {
-      [SANDBOX_MCP_SERVER_NAME]: {
-        type: 'local',
-        command: ['node', opts.mcpBridgePath],
-        enabled: true,
-        environment: mcpBridgeEnv,
-      },
-    }
-  }
-
-  fs.writeFileSync(path.join(dir, '.opencode', 'opencode.json'), JSON.stringify(opencodeConfig, null, 2))
-
-  // ── 2. AGENTS.md 作为 system-prompt 强化 ──────────────────────────────
-  const agentsMd = sandboxMode
-    ? `# Sandboxed Environment
-
-You are running in a sandboxed mode. Your local working directory is a temporary staging area —
-DO NOT attempt to read or write files here. Instead, use the \`${SANDBOX_MCP_SERVER_NAME}_*\` MCP tools:
-
-- \`${SANDBOX_MCP_SERVER_NAME}_read\` — read files
-- \`${SANDBOX_MCP_SERVER_NAME}_write\` — create / overwrite files
-- \`${SANDBOX_MCP_SERVER_NAME}_edit\` — string replacement
-- \`${SANDBOX_MCP_SERVER_NAME}_bash\` — run shell commands
-- \`${SANDBOX_MCP_SERVER_NAME}_glob\` / \`${SANDBOX_MCP_SERVER_NAME}_grep\` — search
-
-## CRITICAL: Path rules
-
-The sandbox enforces **path traversal protection**. You MUST use **relative paths** (no leading \`/\`).
-The sandbox automatically resolves these against its scope directory.
-
-✅ Correct:
-- \`${SANDBOX_MCP_SERVER_NAME}_write\` with path \`"hello.txt"\`
-- \`${SANDBOX_MCP_SERVER_NAME}_write\` with path \`"src/index.ts"\`
-- \`${SANDBOX_MCP_SERVER_NAME}_read\` with path \`"package.json"\`
-
-❌ Wrong (will fail 403 Path traversal blocked):
-- path \`"/workspace/hello.txt"\`
-- path \`"/tmp/x"\`
-- path \`"/home/..."\`
-
-The builtin \`read\`/\`write\`/\`edit\`/\`bash\` tools are disabled. Calling them will fail.
-Always use \`${SANDBOX_MCP_SERVER_NAME}_*\` tools with RELATIVE paths.
-`
-    : `# Local development mode
-
-Sandbox not configured — tools run on the local file system.
-`
-  // AGENTS.md 只在临时目录里写，避免污染用户工作目录
-  if (isTempDir) {
-    fs.writeFileSync(path.join(dir, 'AGENTS.md'), agentsMd)
-  }
-
-  return {
-    dir,
-    mcpServerCommand: 'node',
-    mcpServerArgs: [opts.mcpBridgePath],
-    mcpServerEnv: mcpBridgeEnv,
-    agentMode: sandboxMode ? 'sandboxed' : 'build',
-    cleanup: () => {
-      // 只清理自己创建的临时目录；用户传入的工作目录保留
-      if (isTempDir) {
-        try {
-          fs.rmSync(dir, { recursive: true, force: true })
-        } catch {
-          /* noop */
-        }
-      } else {
-        // 仅清理 .opencode 子目录（配置）
-        try {
-          fs.rmSync(path.join(dir, '.opencode'), { recursive: true, force: true })
-        } catch {
-          /* noop */
-        }
-      }
-    },
-  }
-}
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts b/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
new file mode 100644
index 0000000..29b145c
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
@@ -0,0 +1,59 @@
+/**
+ * 全局 opencode tool override：bash
+ * 重要：沙箱模式下所有 shell 命令在 SCF 容器内执行，与宿主机隔离。
+ */
+import { z } from 'zod'
+import { execSync } from 'node:child_process'
+
+export default {
+  description:
+    'Run a shell command. In sandbox mode, the command runs inside the SCF container (isolated from host). In local mode, runs on the host.',
+  args: {
+    command: z.string().describe('Shell command to execute. Prefer simple commands; use heredocs for multi-line.'),
+    timeout: z.number().optional().describe('Timeout in milliseconds (default 60000).'),
+  },
+  async execute(args: { command: string; timeout?: number }, context: { directory?: string }) {
+    if (process.env.SANDBOX_MODE === '1') {
+      return await sandboxCall(
+        'bash',
+        { command: args.command, timeout: args.timeout ?? 60_000 },
+        args.timeout ?? 60_000,
+      )
+    }
+    try {
+      const out = execSync(args.command, {
+        timeout: args.timeout ?? 60_000,
+        cwd: context?.directory,
+        encoding: 'utf8',
+        maxBuffer: 1024 * 1024 * 4,
+      })
+      return out
+    } catch (e) {
+      const err = e as { stdout?: Buffer | string; stderr?: Buffer | string; message: string }
+      const stdout = typeof err.stdout === 'string' ? err.stdout : (err.stdout?.toString() ?? '')
+      const stderr = typeof err.stderr === 'string' ? err.stderr : (err.stderr?.toString() ?? '')
+      throw new Error(`${err.message}\nstdout:\n${stdout}\nstderr:\n${stderr}`)
+    }
+  },
+}
+
+async function sandboxCall(tool: string, body: unknown, timeoutMs: number): Promise<string | { output: string }> {
+  const baseUrl = process.env.SANDBOX_BASE_URL
+  if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
+  const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
+  const res = await fetch(`${baseUrl}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs + 5000),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
+  const r = data.result as { output?: string; stdout?: string } | string | undefined
+  if (typeof r === 'string') return r
+  if (r && typeof r === 'object') {
+    if (typeof r.output === 'string') return r.output
+    if (typeof r.stdout === 'string') return r.stdout
+  }
+  return JSON.stringify(r ?? '')
+}
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts b/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
new file mode 100644
index 0000000..90cbe43
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
@@ -0,0 +1,60 @@
+/**
+ * 全局 opencode tool override：edit
+ */
+import { z } from 'zod'
+import fs from 'node:fs'
+import path from 'node:path'
+
+export default {
+  description:
+    'Edit a file by string replacement. Fails if oldString is not found or appears multiple times (unless replaceAll). In sandbox mode, delegates to the sandbox edit endpoint.',
+  args: {
+    path: z.string(),
+    oldString: z.string(),
+    newString: z.string(),
+    replaceAll: z.boolean().optional(),
+  },
+  async execute(
+    args: { path: string; oldString: string; newString: string; replaceAll?: boolean },
+    context: { directory?: string },
+  ) {
+    if (process.env.SANDBOX_MODE === '1') {
+      return await sandboxCall('edit', {
+        path: args.path,
+        oldString: args.oldString,
+        newString: args.newString,
+        replaceAll: args.replaceAll ?? false,
+      })
+    }
+    const resolved = path.isAbsolute(args.path)
+      ? args.path
+      : path.resolve(context?.directory ?? process.cwd(), args.path)
+    const content = fs.readFileSync(resolved, 'utf8')
+    if (!content.includes(args.oldString)) {
+      throw new Error(`String not found in ${resolved}`)
+    }
+    const out = args.replaceAll
+      ? content.split(args.oldString).join(args.newString)
+      : content.replace(args.oldString, args.newString)
+    fs.writeFileSync(resolved, out)
+    return { output: `Edited ${resolved}` }
+  },
+}
+
+async function sandboxCall(tool: string, body: unknown): Promise<string | { output: string }> {
+  const baseUrl = process.env.SANDBOX_BASE_URL
+  if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
+  const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
+  const res = await fetch(`${baseUrl}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(60_000),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
+  const r = data.result as { output?: string } | string | undefined
+  if (typeof r === 'string') return r
+  if (r && typeof r === 'object' && typeof r.output === 'string') return { output: r.output }
+  return JSON.stringify(r ?? 'ok')
+}
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts b/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
new file mode 100644
index 0000000..ba72f05
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
@@ -0,0 +1,43 @@
+/**
+ * 全局 opencode tool override：glob
+ */
+import { z } from 'zod'
+import { execSync } from 'node:child_process'
+
+export default {
+  description: 'Find files by glob pattern. Local mode uses find; sandbox mode delegates to sandbox.',
+  args: {
+    pattern: z.string(),
+    path: z.string().optional(),
+  },
+  async execute(args: { pattern: string; path?: string }, context: { directory?: string }) {
+    if (process.env.SANDBOX_MODE === '1') {
+      return await sandboxCall('glob', args)
+    }
+    const base = args.path || context?.directory || '.'
+    try {
+      const out = execSync(`find ${JSON.stringify(base)} -name ${JSON.stringify(args.pattern)} -type f`, {
+        encoding: 'utf8',
+        maxBuffer: 1024 * 1024 * 4,
+      })
+      return out
+    } catch {
+      return ''
+    }
+  },
+}
+
+async function sandboxCall(tool: string, body: unknown): Promise<string> {
+  const baseUrl = process.env.SANDBOX_BASE_URL
+  if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
+  const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
+  const res = await fetch(`${baseUrl}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(30_000),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
+  return typeof data.result === 'string' ? data.result : JSON.stringify(data.result ?? '')
+}
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts b/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
new file mode 100644
index 0000000..791a8a6
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
@@ -0,0 +1,50 @@
+/**
+ * 全局 opencode tool override：grep
+ */
+import { z } from 'zod'
+import { execSync } from 'node:child_process'
+
+export default {
+  description:
+    'Search file contents with a regex pattern. Uses ripgrep in local mode, delegates to sandbox in sandbox mode.',
+  args: {
+    pattern: z.string(),
+    path: z.string().optional(),
+    glob: z.string().optional(),
+    type: z.string().optional(),
+  },
+  async execute(
+    args: { pattern: string; path?: string; glob?: string; type?: string },
+    context: { directory?: string },
+  ) {
+    if (process.env.SANDBOX_MODE === '1') {
+      return await sandboxCall('grep', args)
+    }
+    const flags: string[] = ['-n', '--no-heading']
+    if (args.glob) flags.push('-g', args.glob)
+    if (args.type) flags.push('-t', args.type)
+    const cmd = `rg ${flags.map((f) => JSON.stringify(f)).join(' ')} ${JSON.stringify(args.pattern)} ${args.path ? JSON.stringify(args.path) : '.'}`
+    try {
+      return execSync(cmd, { encoding: 'utf8', cwd: context?.directory, maxBuffer: 1024 * 1024 * 4 })
+    } catch (e) {
+      const err = e as { status?: number; stdout?: string }
+      if (err.status === 1) return '' // rg exit 1 means no matches
+      throw e
+    }
+  },
+}
+
+async function sandboxCall(tool: string, body: unknown): Promise<string> {
+  const baseUrl = process.env.SANDBOX_BASE_URL
+  if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
+  const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
+  const res = await fetch(`${baseUrl}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(30_000),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
+  return typeof data.result === 'string' ? data.result : JSON.stringify(data.result ?? '')
+}
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/read.ts b/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
new file mode 100644
index 0000000..135d423
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
@@ -0,0 +1,62 @@
+/**
+ * 全局 opencode tool override：read
+ *
+ * 安装位置：~/.config/opencode/tools/read.ts
+ * OpenCode 的 tool 注册规则（实测）：同名 custom tool 覆盖 builtin
+ *
+ * 运行时行为：
+ *   - 若 env.SANDBOX_MODE === '1' → 转发到 env.SANDBOX_BASE_URL + /api/tools/read
+ *   - 否则                         → 使用本地 fs.readFileSync（本地开发兜底）
+ *
+ * 沙箱凭证通过 server 进程 spawn opencode 时的 env 传递：
+ *   SANDBOX_MODE=1
+ *   SANDBOX_BASE_URL=https://xxx.api.tcloudbasegateway.com/v1/functions/sandbox-shared
+ *   SANDBOX_AUTH_HEADERS_JSON={"Authorization":"Bearer ...","X-Cloudbase-Session-Id":"...","X-Tcb-Webfn":"true","X-Scope-Id":"..."}
+ *
+ * 凭证不写入文件，只在进程 env 里，session 结束即清理。
+ */
+import { z } from 'zod'
+import fs from 'node:fs'
+import path from 'node:path'
+
+export default {
+  description:
+    'Read a text file. When running in a sandboxed session, reads from the sandbox workspace via HTTP. Otherwise reads the local file system.',
+  args: {
+    path: z.string().describe('Relative path from session cwd. Use relative paths (no leading /) in sandbox mode.'),
+    offset: z.number().optional().describe('Optional start line offset (0-based).'),
+    limit: z.number().optional().describe('Optional max lines to read.'),
+  },
+  async execute(args: { path: string; offset?: number; limit?: number }, context: { directory?: string }) {
+    if (process.env.SANDBOX_MODE === '1') {
+      return await sandboxCall('read', { path: args.path, offset: args.offset, limit: args.limit })
+    }
+    // Local fallback: resolve relative paths against opencode's session directory
+    const resolvedPath = path.isAbsolute(args.path)
+      ? args.path
+      : path.resolve(context?.directory ?? process.cwd(), args.path)
+    const content = fs.readFileSync(resolvedPath, 'utf8')
+    const lines = content.split('\n')
+    const offset = args.offset ?? 0
+    const limit = args.limit ?? lines.length - offset
+    return lines.slice(offset, offset + limit).join('\n')
+  },
+}
+
+async function sandboxCall(tool: string, body: unknown): Promise<string> {
+  const baseUrl = process.env.SANDBOX_BASE_URL
+  if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
+  const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
+  const res = await fetch(`${baseUrl}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(30_000),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
+  const r = data.result as { content?: string } | string | undefined
+  if (typeof r === 'string') return r
+  if (r && typeof r === 'object' && typeof r.content === 'string') return r.content
+  return JSON.stringify(r ?? '')
+}
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/write.ts b/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
new file mode 100644
index 0000000..533bdb8
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
@@ -0,0 +1,46 @@
+/**
+ * 全局 opencode tool override：write
+ * 覆盖 builtin write。沙箱模式下通过 HTTP 转发；本地模式直接写 fs。
+ * 运行时配置见 read.ts 同级注释。
+ */
+import { z } from 'zod'
+import fs from 'node:fs'
+import path from 'node:path'
+
+export default {
+  description:
+    'Write a text file, creating parent directories as needed. Overwrites existing files. In sandbox mode, writes happen in the SCF container; in local mode, writes use the host file system.',
+  args: {
+    path: z.string().describe('Relative path from session cwd. Use relative paths in sandbox mode.'),
+    content: z.string().describe('File content (as utf-8 text).'),
+  },
+  async execute(args: { path: string; content: string }, context: { directory?: string }) {
+    if (process.env.SANDBOX_MODE === '1') {
+      return await sandboxCall('write', { path: args.path, content: args.content })
+    }
+    const resolved = path.isAbsolute(args.path)
+      ? args.path
+      : path.resolve(context?.directory ?? process.cwd(), args.path)
+    fs.mkdirSync(path.dirname(resolved), { recursive: true })
+    fs.writeFileSync(resolved, args.content)
+    return { output: `Wrote ${args.content.length} bytes to ${resolved}` }
+  },
+}
+
+async function sandboxCall(tool: string, body: unknown): Promise<string | { output: string }> {
+  const baseUrl = process.env.SANDBOX_BASE_URL
+  if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
+  const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
+  const res = await fetch(`${baseUrl}/api/tools/${tool}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(60_000),
+  })
+  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
+  if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
+  const r = data.result as { output?: string } | string | undefined
+  if (typeof r === 'string') return r
+  if (r && typeof r === 'object' && typeof r.output === 'string') return { output: r.output }
+  return JSON.stringify(r ?? 'ok')
+}
diff --git a/packages/server/src/agent/runtime/sandbox-mcp-bridge.ts b/packages/server/src/agent/runtime/sandbox-mcp-bridge.ts
deleted file mode 100644
index 05b973c..0000000
--- a/packages/server/src/agent/runtime/sandbox-mcp-bridge.ts
+++ /dev/null
@@ -1,253 +0,0 @@
-/**
- * Sandbox MCP Bridge — 模块职责说明
- *
- * OpenCode 内置工具（read/write/bash/edit）在其进程内本地执行，违反"agent/sandbox 分离"。
- * 本模块提供解决方案：
- *
- *   1. 禁用 OpenCode 内置工具（通过 per-session agent config 的 `tools: { read:false, ... }`）
- *   2. 注入一个 sandbox MCP server，暴露 sandbox_read / sandbox_write / sandbox_bash /
- *      sandbox_edit 工具；这些工具的 execute 通过 HTTP 打到 SCF 沙箱
- *   3. 于是 OpenCode 在处理用户任务时**只能**调用 sandbox_* 工具，所有 IO 天然落在沙箱容器内
- *
- * 实现形式：
- *   - 一个独立的子进程（stdio MCP server）
- *   - 启动命令：`node <compiled-path-of-this-module>`
- *   - 环境变量传沙箱 base URL + auth headers（避免敏感信息进命令行）
- *   - OpenCode 的 session/new 里以 McpServerStdio 形式注入
- *
- * 运行模式：
- *   - 作为 **CLI 入口** 执行（main block 在文件末尾）
- *   - 不导出任何 server 端业务符号——server 进程 spawn 它作为外部命令
- */
-
-import { Server } from '@modelcontextprotocol/sdk/server/index.js'
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
-import {
-  CallToolRequestSchema,
-  ListToolsRequestSchema,
-  type CallToolResult,
-  type Tool,
-} from '@modelcontextprotocol/sdk/types.js'
-
-// ─── Config from env ────────────────────────────────────────────────────────
-
-const SANDBOX_BASE_URL = process.env.SANDBOX_BASE_URL || ''
-const SANDBOX_AUTH_HEADERS_JSON = process.env.SANDBOX_AUTH_HEADERS_JSON || '{}'
-const DEFAULT_CWD = process.env.SANDBOX_DEFAULT_CWD || '/workspace'
-const DEBUG = process.env.SANDBOX_MCP_DEBUG === '1'
-
-if (!SANDBOX_BASE_URL) {
-  // 允许空 URL → 工具执行时返回错误（便于开发/测试时启动 MCP server 不挂）
-  if (DEBUG) process.stderr.write('[sandbox-mcp] WARN: SANDBOX_BASE_URL not set\n')
-}
-
-let parsedHeaders: Record<string, string> = {}
-try {
-  parsedHeaders = JSON.parse(SANDBOX_AUTH_HEADERS_JSON) as Record<string, string>
-} catch (e) {
-  process.stderr.write('[sandbox-mcp] invalid SANDBOX_AUTH_HEADERS_JSON, using empty\n')
-}
-
-// ─── Sandbox HTTP helper ────────────────────────────────────────────────────
-
-async function callSandboxTool(tool: string, body: unknown, timeoutMs = 60_000): Promise<any> {
-  if (!SANDBOX_BASE_URL) {
-    throw new Error('SANDBOX_BASE_URL not configured')
-  }
-  const res = await fetch(`${SANDBOX_BASE_URL}/api/tools/${tool}`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', ...parsedHeaders },
-    body: JSON.stringify(body),
-    signal: AbortSignal.timeout(timeoutMs),
-  })
-  const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
-  if (!data.success) {
-    throw new Error(data.error ?? `${tool} failed (status=${res.status})`)
-  }
-  return data.result
-}
-
-// ─── Tool definitions ───────────────────────────────────────────────────────
-
-interface SandboxTool extends Tool {
-  readonly name: string
-  execute: (args: Record<string, unknown>) => Promise<CallToolResult>
-}
-
-const TOOLS: SandboxTool[] = [
-  {
-    name: 'read',
-    description:
-      'Read a text file from the sandbox workspace. Use this INSTEAD OF the builtin read tool. ' +
-      `All file paths must be absolute and within the sandbox (default working dir: ${DEFAULT_CWD}).`,
-    inputSchema: {
-      type: 'object',
-      properties: {
-        path: { type: 'string', description: 'Absolute file path inside the sandbox' },
-        offset: { type: 'number', description: 'Optional start line offset (0-based)' },
-        limit: { type: 'number', description: 'Optional max line count' },
-      },
-      required: ['path'],
-    },
-    async execute(args) {
-      const result = await callSandboxTool('read', {
-        path: args.path,
-        offset: args.offset,
-        limit: args.limit,
-      })
-      return textResult(typeof result === 'string' ? result : (result?.content ?? JSON.stringify(result)))
-    },
-  },
-  {
-    name: 'write',
-    description:
-      'Write a text file into the sandbox workspace, creating parent directories as needed. ' +
-      'Use this INSTEAD OF the builtin write tool.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        path: { type: 'string' },
-        content: { type: 'string' },
-      },
-      required: ['path', 'content'],
-    },
-    async execute(args) {
-      const result = await callSandboxTool('write', {
-        path: args.path,
-        content: args.content,
-      })
-      return textResult(result?.output ?? 'Wrote file successfully.')
-    },
-  },
-  {
-    name: 'edit',
-    description: 'Edit a text file in the sandbox by replacing a string. Use this INSTEAD OF the builtin edit tool.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        path: { type: 'string' },
-        oldString: { type: 'string' },
-        newString: { type: 'string' },
-        replaceAll: { type: 'boolean' },
-      },
-      required: ['path', 'oldString', 'newString'],
-    },
-    async execute(args) {
-      const result = await callSandboxTool('edit', {
-        path: args.path,
-        oldString: args.oldString,
-        newString: args.newString,
-        replaceAll: args.replaceAll ?? false,
-      })
-      return textResult(result?.output ?? 'Edited file successfully.')
-    },
-  },
-  {
-    name: 'bash',
-    description:
-      'Run a shell command inside the sandbox. Use this INSTEAD OF the builtin bash tool. ' +
-      'Command runs in a container isolated from the host machine.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        command: { type: 'string' },
-        timeout: { type: 'number', description: 'Timeout in milliseconds (default 60s)' },
-      },
-      required: ['command'],
-    },
-    async execute(args) {
-      const result = await callSandboxTool(
-        'bash',
-        { command: args.command, timeout: args.timeout ?? 60_000 },
-        (args.timeout as number | undefined) ?? 60_000,
-      )
-      return textResult(
-        typeof result === 'string' ? result : (result?.content ?? result?.stdout ?? JSON.stringify(result)),
-      )
-    },
-  },
-  {
-    name: 'glob',
-    description: 'Glob files in the sandbox workspace matching a pattern.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        pattern: { type: 'string' },
-        path: { type: 'string' },
-      },
-      required: ['pattern'],
-    },
-    async execute(args) {
-      const result = await callSandboxTool('glob', {
-        pattern: args.pattern,
-        path: args.path ?? DEFAULT_CWD,
-      })
-      return textResult(typeof result === 'string' ? result : JSON.stringify(result, null, 2))
-    },
-  },
-  {
-    name: 'grep',
-    description: 'Grep files in the sandbox workspace.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        pattern: { type: 'string' },
-        path: { type: 'string' },
-        glob: { type: 'string' },
-        type: { type: 'string' },
-      },
-      required: ['pattern'],
-    },
-    async execute(args) {
-      const result = await callSandboxTool('grep', args)
-      return textResult(typeof result === 'string' ? result : JSON.stringify(result, null, 2))
-    },
-  },
-]
-
-function textResult(text: string): CallToolResult {
-  return { content: [{ type: 'text', text }] }
-}
-
-// ─── MCP Server wiring ──────────────────────────────────────────────────────
-
-async function main(): Promise<void> {
-  const server = new Server({ name: 'sandbox-bridge', version: '0.1.0' }, { capabilities: { tools: {} } })
-
-  server.setRequestHandler(ListToolsRequestSchema, async () => ({
-    tools: TOOLS.map((t) => ({
-      name: t.name,
-      description: t.description,
-      inputSchema: t.inputSchema,
-    })),
-  }))
-
-  server.setRequestHandler(CallToolRequestSchema, async (req) => {
-    const tool = TOOLS.find((t) => t.name === req.params.name)
-    if (!tool) {
-      return {
-        isError: true,
-        content: [{ type: 'text', text: `Unknown tool: ${req.params.name}` }],
-      }
-    }
-    try {
-      return await tool.execute((req.params.arguments ?? {}) as Record<string, unknown>)
-    } catch (e) {
-      return {
-        isError: true,
-        content: [{ type: 'text', text: `Tool ${req.params.name} failed: ${(e as Error).message}` }],
-      }
-    }
-  })
-
-  const transport = new StdioServerTransport()
-  await server.connect(transport)
-
-  if (DEBUG) process.stderr.write('[sandbox-mcp] ready\n')
-}
-
-// Run as CLI when invoked directly
-main().catch((err) => {
-  process.stderr.write(`[sandbox-mcp] fatal: ${err}\n`)
-  process.exit(1)
-})
diff --git a/packages/server/tsconfig.json b/packages/server/tsconfig.json
index 760e881..47bb93e 100644
--- a/packages/server/tsconfig.json
+++ b/packages/server/tsconfig.json
@@ -11,5 +11,6 @@
       "@coder/shared": ["../shared/src/index.ts"]
     }
   },
-  "include": ["src"]
+  "include": ["src"],
+  "exclude": ["src/agent/runtime/opencode-tool-templates/**"]
 }

From 2e0556e1dc0c3058ac1c69081f288fcdfc7a94bd Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 14:47:29 +0800
Subject: [PATCH 04/33] =?UTF-8?q?feat(agent):=20OpenCode=20ToolConfirm=20?=
 =?UTF-8?q?=E4=BA=A4=E4=BA=92=E5=BC=8F=E6=9D=83=E9=99=90=E7=A1=AE=E8=AE=A4?=
 =?UTF-8?q?=E6=8E=A5=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ACP requestPermission 不再自动 allow_once。现在：
  1. 发 AgentCallbackMessage(type='tool_confirm') 给前端
  2. 注册 pending Promise，agent handler 挂起
  3. 用户下一轮 prompt 带 toolConfirmation 到达时 resolve Promise
  4. opencode 收到 outcome 继续执行

前端零改动（原为 Tencent runtime 设计的 ToolConfirmDialog 直接复用）。

## 新增

- src/agent/runtime/pending-permission-registry.ts
  挂起 ACP 权限请求的 in-memory registry，key=(convId, interruptId)。
  registerPending → await Promise；resolvePending → resolve。
  PermissionAction(前端) → ACP optionKind 映射
  （allow→allow_once, deny→reject_once, 等）。

- scripts/test-tool-confirm-e2e.mts
  完整 e2e：
    Round 1 不带 toolConfirmation → 等 tool_confirm 事件
    → 确认挂起 3 秒无 result（证明真 suspend）
    Round 2 带 toolConfirmation(allow) → alreadyRunning=true
    → 等 tool_result + result → 验证文件真的写入

## 改动

- src/agent/runtime/opencode-acp-runtime.ts
  - chatStream 入口：若 isAgentRunning + options.toolConfirmation
    → resolvePending，不 spawn 新进程
  - liveCallbacks map：跨 SSE 流动态切换（resume 的 callback 是新 HTTP 请求的）
  - requestPermission handler：emit tool_confirm + await registerPending
  - 错误/abort：rejectPendingForConversation 避免 opencode 子进程卡死
  - 加 OPENCODE_SKIP_TOOLS_INSTALL=1 env（测试场景跳过 tool 安装）

## 测试结果

e2e#5 test-tool-confirm-e2e.mts:
```
[+11197ms] tool_confirm id=write:0 name=edit input={filepath:...hello.txt, diff:...}
[+11197→14197ms] [agent suspended, no result]         ← 关键：挂起验证
[+14304ms] tool_result id=write:0 is_error=false    ← resume 后恢复
[+15885ms] result: {stopReason: end_turn}

  tool_confirm received:        PASS
  agent suspended after it:     PASS (no 'result' for 3s)
  round2 took resume path:      PASS (alreadyRunning=true)
  tool_result after resume:     PASS
  final result event:           PASS
  no error event:               PASS
  file has expected content:    PASS
OVERALL: PASS
```

其他回归：e2e#1/#2/#3 本地 PASS；type-check/lint/build/format 全通过。

## 已知边界

- 触发 requestPermission 依赖 opencode.json permission 配置（edit/bash/webfetch = 'ask'）
- custom tool override 走独立代码路径，**不触发** permission（沙箱场景本就不需要额外拦截）
- 目前无 pending 超时机制，用户不回应会让 opencode 子进程一直占用
---
 docs/acp-runtime-abstraction.md               | 110 +++++++-
 .../server/scripts/test-tool-confirm-e2e.mts  | 267 ++++++++++++++++++
 .../src/agent/runtime/opencode-acp-runtime.ts | 126 ++++++++-
 .../runtime/pending-permission-registry.ts    | 155 ++++++++++
 4 files changed, 642 insertions(+), 16 deletions(-)
 create mode 100644 packages/server/scripts/test-tool-confirm-e2e.mts
 create mode 100644 packages/server/src/agent/runtime/pending-permission-registry.ts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index bfb4e16..cba6d4d 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -207,6 +207,9 @@ npx tsx --env-file=.env scripts/test-acp-chat-http.mts
 
 # ★ e2e#4 沙箱 (~180s, 需真实 SCF)
 npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
+
+# ★ e2e#5 ToolConfirm 交互式权限确认 (~90s, 纯本地)
+npx tsx scripts/test-tool-confirm-e2e.mts
 ```
 
 ## 8. Env 变量
@@ -219,6 +222,7 @@ npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
 | `SANDBOX_WORKSPACE_ROOT` | `.` | LLM 看到的沙箱工作目录 |
 | `OPENCODE_TOOLS_INSTALL_DIR` | `~/.config/opencode/tools` | 全局 tools 安装目录 |
 | `OPENCODE_TOOLS_FORCE_REINSTALL` | - | `=1` 强制重装（版本升级） |
+| `OPENCODE_SKIP_TOOLS_INSTALL` | - | `=1` 跳过安装（测试场景用） |
 | `OPENCODE_TOOL_TEMPLATE_DIR` | 自动推断 | 覆盖模板源路径 |
 | `OPENCODE_ACP_DEBUG` | - | `=1` 开启详细日志 |
 | `AGENT_RUNTIME` / `AGENT_RUNTIME_DEFAULT` | `tencent-sdk` | runtime 选择 |
@@ -234,8 +238,9 @@ npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
 
 | 特性 | 状态 |
 |---|---|
-| askAnswers / toolConfirmation resume | ❌ 未接入 |
-| ToolConfirm UI 回调 | ⚠️ 默认 allow_once |
+| ToolConfirm UI 回调 | ✅ **已接入** — 见 §12 |
+| ToolConfirmation resume 流程 | ✅ **已接入** — 见 §12 |
+| askAnswers resume | ❌ 未接入 |
 | coding-mode 模板初始化 | ❌ 未集成 |
 | 消息持久化到 tasks | ⚠️ 只 stream events 落库 |
 | tool override 的版本升级 hash 匹配 | ✅ 已实现（hashFile 比较） |
@@ -243,8 +248,8 @@ npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
 
 ## 10. 后续方向
 
-1. **接 ToolConfirm UI**（1-2 天）
-2. **askAnswers / resume 流程**（2-3 天）
+1. ~~接 ToolConfirm UI~~ ✅ 完成
+2. **askAnswers / AskUserQuestion resume 流程**（2-3 天）
 3. **消息持久化对齐 Tencent 路线**（2-3 天）
 4. **更多 ACP agent**（Claude Code / Gemini / Qwen Code；每个 1-2 天，runtime 骨架复用）
 5. **前端 Runtime 选择器**（0.5 天）
@@ -255,4 +260,101 @@ npx tsx --env-file=.env scripts/test-opencode-sandbox-e2e.mts
 - OpenCode Custom Tools: https://opencode.ai/docs/custom-tools/
 - OpenCode Agents: https://opencode.ai/docs/agents/
 - OpenCode ACP: https://opencode.ai/docs/acp/
+- OpenCode Permissions: https://opencode.ai/docs/permissions/
 - 源码调研备忘录: `/Users/yang/git/coding-agent-template/docs/opencode-acp-integration-memo.md`
+
+---
+
+## 12. ToolConfirm 交互式权限确认（已实现）
+
+### 12.1 问题
+
+OpenCode 的 ACP agent 在触发敏感工具（如 edit/write）时会调用 client 的 `session/request_permission`，这是 JSON-RPC **请求/响应**模式，agent 会一直 await client 返回 outcome。
+
+首版实现（allow_once）是自动放行，等价于"无权限系统"。目标：对接现有前端 ToolConfirmDialog，让用户决定。
+
+### 12.2 架构
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ Round 1: chatStream(prompt)                                 │
+│                                                             │
+│   runtime.launchAgent                                       │
+│     ↓ spawn opencode                                        │
+│   opencode LLM 决定调用 write                               │
+│     ↓ session/request_permission                            │
+│   runtime requestPermission handler                         │
+│     ├─ emit tool_confirm (SSE push 给前端)                  │
+│     └─ registerPending(convId, interruptId, options)        │
+│         └─ await pending（handler suspended）               │
+│   [opencode 子进程挂起]                                     │
+│   [第一轮 SSE 流仍活跃但无新事件；前端展示确认卡片]           │
+└─────────────────────────────────────────────────────────────┘
+
+                        ↓ 用户点击"允许"
+
+┌─────────────────────────────────────────────────────────────┐
+│ Round 2: chatStream('', { toolConfirmation })              │
+│                                                             │
+│   runtime.chatStream                                        │
+│     ↓ 发现 isAgentRunning=true + toolConfirmation           │
+│     ↓ resolvePending(convId, interruptId, action)          │
+│         └─ pending Promise resolve                         │
+│     ↓ updateLiveCallback (新 SSE 流替换旧的)                │
+│   [opencode 收到 outcome，继续执行]                         │
+│   [session/update 流从卡住处继续，第二轮 SSE 推事件]         │
+│   [最终推 result 事件，agent 完成]                          │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### 12.3 核心代码
+
+**`pending-permission-registry.ts`**：
+- `registerPending(convId, interruptId, options)` → 返回 pending Promise
+- `resolvePending(convId, interruptId, action)` → 查 options 映射 optionId，resolve Promise
+- `rejectPendingForConversation(convId)` → 错误/abort 时清理
+- PermissionAction → ACP optionId 映射（`allow` → `allow_once`，`deny` → `reject_once`, …）
+
+**`opencode-acp-runtime.ts`** 关键改动：
+- `requestPermission` handler：发 `tool_confirm` + `await registerPending(...)`
+- `chatStream` 入口：检测 resume 场景（isAgentRunning + toolConfirmation），调 `resolvePending`，不 spawn 新进程
+- `liveCallbacks` map：跨 SSE 流维护 callback，emit 时动态取（因为 resume 的 callback 来自新 HTTP 请求）
+- 错误路径：`catch` 里 `rejectPendingForConversation` 避免 opencode 子进程卡死
+
+### 12.4 前端集成（零改动）
+
+前端已有完整的 ToolConfirmDialog + `confirmTool(action)` 逻辑（原为 Tencent runtime 设计）。只要 SessionUpdate 的 tag 是 `'tool_confirm'`，前端就会弹卡片。
+
+我们的 runtime 通过 `CloudbaseAgentService.convertToSessionUpdate()` 转换 AgentCallbackMessage → ACP SessionUpdate，tool_confirm 类型已被正确映射，**前端完全不需要改**。
+
+### 12.5 e2e 验证
+
+`scripts/test-tool-confirm-e2e.mts` 完整验证：
+
+```
+Round 1 → 10295ms 时 LLM 触发 write → 11197ms 收到 tool_confirm
+                                 ↓
+      [agent 挂起 3 秒无响应]
+                                 ↓
+Round 2 → resolvePending('write:0', 'allow') → alreadyRunning=true
+     14304ms 后 tool_result 出现（表明 opencode 真的被唤醒继续执行）
+     15885ms 收到最终 result: end_turn
+     文件实际写入："hi from tc e2e" ✓
+
+断言：
+  tool_confirm received:        PASS
+  agent suspended after it:     PASS (no 'result' for 3s)
+  round2 took resume path:      PASS (alreadyRunning=true)
+  tool_result after resume:     PASS
+  final result event:           PASS
+  no error event:               PASS
+  file has expected content:    PASS
+OVERALL: PASS
+```
+
+### 12.6 已知边界
+
+- **触发机制依赖 opencode permission 配置**：只有 `opencode.json` 里配置 `permission.edit: 'ask'` 的工具才会发 `requestPermission`。未配置的工具默认 `allow`，直接放行，前端看不到确认卡片。
+- **Custom tool override 绕开 permission 系统**：`~/.config/opencode/tools/write.ts` 覆盖 builtin write 后，permission 检查是内置代码路径，custom tool 是独立路径，**不会触发 requestPermission**。沙箱场景里的 write 转发就无权限拦截（这是预期行为：沙箱本身就隔离，无需再加一层）。
+- **Resume 不超时**：runtime 目前没有"挂起超过 N 分钟自动 reject"机制。如果用户长时间不回应，opencode 子进程会一直占用。未来可加 `PENDING_TIMEOUT_MS`。
+- **多路径挂起**：同一 conversation 同时只能一个 pending（opencode 串行执行工具）。registry 内部已防重，但多路 SSE 断开重连场景未深度测试。
diff --git a/packages/server/scripts/test-tool-confirm-e2e.mts b/packages/server/scripts/test-tool-confirm-e2e.mts
new file mode 100644
index 0000000..2dc378c
--- /dev/null
+++ b/packages/server/scripts/test-tool-confirm-e2e.mts
@@ -0,0 +1,267 @@
+#!/usr/bin/env tsx
+/**
+ * ToolConfirm 端到端测试（OpenCode runtime）
+ *
+ * 验证路径：
+ *   1. 配置 `permission.edit: 'ask'` 让 write 工具触发 requestPermission
+ *   2. 第一次 chatStream（不带 toolConfirmation）
+ *      → 收到 tool_confirm 事件（agent 挂起）
+ *   3. 第二次 chatStream（携带 toolConfirmation，模拟用户 allow）
+ *      → pending 被 resolve
+ *      → opencode 继续执行 write
+ *      → 收到 tool_result 事件
+ *      → 收到 result 事件（整轮结束）
+ *
+ * 关键断言：
+ *   A. 第一轮先收 tool_confirm，再（一段时间后还没）收到 result → 证实挂起
+ *   B. 第二轮发出后 1-2s 内收到 tool_result → 证实 pending 被唤醒
+ *   C. 最终文件真的被写入（证明 allow 走到底）
+ *
+ * 用法（不需要沙箱，纯本地即可）：
+ *   npx tsx scripts/test-tool-confirm-e2e.mts
+ */
+
+import fs from 'node:fs'
+import path from 'node:path'
+import os from 'node:os'
+
+// 在 runtime 导入前设置：防止 installer 自动安装 custom tools 覆盖 builtin。
+// 本 e2e 要测试 builtin write 的 permission 流程（custom tools 有独立代码路径不走 permission）
+process.env.OPENCODE_SKIP_TOOLS_INSTALL = '1'
+
+import { opencodeAcpRuntime } from '../src/agent/runtime/opencode-acp-runtime.js'
+import type { AgentCallbackMessage } from '@coder/shared'
+
+// ── Setup：临时改全局 opencode.json 加 permission，测试结束恢复 ───────────────
+const OC_CONFIG_PATH = path.join(os.homedir(), '.config', 'opencode', 'opencode.json')
+const OC_CONFIG_BACKUP = OC_CONFIG_PATH + '.bak-tc-e2e-' + Date.now()
+const OC_TOOLS_DIR = path.join(os.homedir(), '.config', 'opencode', 'tools')
+const OC_TOOLS_BACKUP = OC_TOOLS_DIR + '.bak-tc-e2e-' + Date.now()
+
+let originalConfigExists = false
+if (fs.existsSync(OC_CONFIG_PATH)) {
+  fs.copyFileSync(OC_CONFIG_PATH, OC_CONFIG_BACKUP)
+  originalConfigExists = true
+}
+
+// 读原配置合并 permission
+let baseConfig: Record<string, unknown> = {}
+try {
+  baseConfig = JSON.parse(fs.readFileSync(OC_CONFIG_PATH, 'utf8')) as Record<string, unknown>
+} catch {
+  /* noop */
+}
+
+const patchedConfig = {
+  ...baseConfig,
+  permission: {
+    ...(baseConfig.permission as Record<string, unknown> | undefined),
+    edit: 'ask',
+  },
+}
+fs.writeFileSync(OC_CONFIG_PATH, JSON.stringify(patchedConfig, null, 2))
+
+// 关键：暂时移除 custom tools 目录，让 builtin write 接受 permission 流程
+// 自定义 tools 有独立代码路径，不走 opencode 的 permission 系统
+let originalToolsExists = false
+if (fs.existsSync(OC_TOOLS_DIR)) {
+  fs.renameSync(OC_TOOLS_DIR, OC_TOOLS_BACKUP)
+  originalToolsExists = true
+}
+
+function restoreConfig() {
+  try {
+    if (originalConfigExists) {
+      fs.copyFileSync(OC_CONFIG_BACKUP, OC_CONFIG_PATH)
+      fs.unlinkSync(OC_CONFIG_BACKUP)
+    } else {
+      fs.unlinkSync(OC_CONFIG_PATH)
+    }
+  } catch (e) {
+    console.error('[tc-e2e] restore opencode.json error:', e)
+  }
+  try {
+    if (originalToolsExists) {
+      if (fs.existsSync(OC_TOOLS_DIR)) {
+        fs.rmSync(OC_TOOLS_DIR, { recursive: true, force: true })
+      }
+      fs.renameSync(OC_TOOLS_BACKUP, OC_TOOLS_DIR)
+    }
+  } catch (e) {
+    console.error('[tc-e2e] restore tools dir error:', e)
+  }
+}
+
+process.on('exit', restoreConfig)
+process.on('SIGINT', () => {
+  restoreConfig()
+  process.exit(130)
+})
+
+// ── Test workdir ─────────────────────────────────────────────────────────────
+const WORKDIR = '/tmp/opencode-toolconfirm-e2e'
+fs.rmSync(WORKDIR, { recursive: true, force: true })
+fs.mkdirSync(WORKDIR, { recursive: true })
+const targetFile = path.join(WORKDIR, 'hello.txt')
+
+// ── Event recorder ───────────────────────────────────────────────────────────
+interface Evt {
+  ts: number
+  type: string
+  name?: string
+  id?: string
+  content?: string
+  input?: unknown
+}
+const events: Evt[] = []
+
+const startT0 = Date.now()
+function recordCb(msg: AgentCallbackMessage) {
+  events.push({
+    ts: Date.now() - startT0,
+    type: msg.type,
+    name: msg.name,
+    id: msg.id,
+    content: typeof msg.content === 'string' ? msg.content.slice(0, 120) : undefined,
+    input: msg.input,
+  })
+  if (msg.type === 'tool_confirm') {
+    console.log(
+      `\n[+${Date.now() - startT0}ms] tool_confirm id=${msg.id} name=${msg.name} input=${JSON.stringify(msg.input).slice(0, 150)}`,
+    )
+  } else if (msg.type === 'tool_use') {
+    console.log(`[+${Date.now() - startT0}ms] tool_use id=${msg.id} name=${msg.name}`)
+  } else if (msg.type === 'tool_result') {
+    console.log(
+      `[+${Date.now() - startT0}ms] tool_result id=${msg.tool_use_id} is_error=${msg.is_error} out=${(msg.content || '').slice(0, 120)}`,
+    )
+  } else if (msg.type === 'result') {
+    console.log(`[+${Date.now() - startT0}ms] result: ${msg.content}`)
+  } else if (msg.type === 'error') {
+    console.log(`[+${Date.now() - startT0}ms] error: ${msg.content}`)
+  } else if (msg.type === 'text' && msg.content) {
+    process.stdout.write(msg.content)
+  }
+}
+
+// ── Round 1: initial prompt ──────────────────────────────────────────────────
+const conversationId = 'tc-e2e-' + Date.now()
+console.log(`[tc-e2e] conversationId=${conversationId}`)
+console.log(`[tc-e2e] targetFile=${targetFile}`)
+
+console.log('\n[tc-e2e] === Round 1: initial chatStream ===')
+const r1 = await opencodeAcpRuntime.chatStream(
+  `请用 write 工具在当前目录创建文件 hello.txt，内容正好是一行：hi from tc e2e\n不要加其他内容，写完后告诉我已完成。`,
+  recordCb,
+  {
+    conversationId,
+    envId: '', // 本地模式
+    userId: 'tc-e2e-user',
+    cwd: WORKDIR,
+    model: 'moonshot/kimi-k2-0905-preview',
+  },
+)
+console.log(`[tc-e2e] round1 returned: turnId=${r1.turnId} alreadyRunning=${r1.alreadyRunning}`)
+
+// 等 tool_confirm 事件出现（或超时）
+console.log('[tc-e2e] waiting for tool_confirm ...')
+const confirmTimeout = Date.now() + 60_000
+let confirmEvent: Evt | undefined
+while (Date.now() < confirmTimeout) {
+  confirmEvent = events.find((e) => e.type === 'tool_confirm')
+  if (confirmEvent) break
+  // early exit：如果直接收到 result 或 error，说明没触发权限请求（可能配置没生效）
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) {
+    console.error('[tc-e2e] UNEXPECTED: round1 finished without tool_confirm. Config might not take effect.')
+    console.log('[tc-e2e] events so far:', JSON.stringify(events, null, 2))
+    process.exit(1)
+  }
+  await new Promise((r) => setTimeout(r, 200))
+}
+
+if (!confirmEvent) {
+  console.error('[tc-e2e] FAIL: no tool_confirm within 60s')
+  console.log(events.map((e) => `${e.ts}ms ${e.type}`).join('\n'))
+  process.exit(1)
+}
+
+console.log(
+  `\n[tc-e2e] ✓ Received tool_confirm at +${confirmEvent.ts}ms (interruptId=${confirmEvent.id})`,
+)
+
+// 确认收到 tool_confirm 后，一段时间（3s）不应该再收到 result（说明真挂起了）
+const roundAT = confirmEvent.ts
+await new Promise((r) => setTimeout(r, 3000))
+const resultAfterConfirm = events.find((e) => e.type === 'result' && e.ts > roundAT)
+if (resultAfterConfirm) {
+  console.error('[tc-e2e] FAIL: got "result" within 3s after tool_confirm — agent did not suspend')
+  process.exit(1)
+}
+console.log('[tc-e2e] ✓ Agent appears suspended (no result in 3s after tool_confirm)')
+
+// ── Round 2: resume with toolConfirmation ─────────────────────────────────────
+console.log('\n[tc-e2e] === Round 2: resume with toolConfirmation (allow) ===')
+const resumeT0 = Date.now() - startT0
+
+const r2 = await opencodeAcpRuntime.chatStream('', recordCb, {
+  conversationId,
+  envId: '',
+  userId: 'tc-e2e-user',
+  cwd: WORKDIR,
+  model: 'moonshot/kimi-k2-0905-preview',
+  toolConfirmation: {
+    interruptId: confirmEvent.id!,
+    payload: { action: 'allow' },
+  },
+})
+console.log(`[tc-e2e] round2 returned: turnId=${r2.turnId} alreadyRunning=${r2.alreadyRunning}`)
+
+// 预期 alreadyRunning === true（同一个 agent）
+if (!r2.alreadyRunning) {
+  console.error('[tc-e2e] FAIL: round2 alreadyRunning=false (expected true for resume path)')
+  process.exit(1)
+}
+console.log('[tc-e2e] ✓ round2 resume path (alreadyRunning=true)')
+
+// 等 tool_result + result 出现
+console.log('[tc-e2e] waiting for tool_result + result after resume ...')
+const finalTimeout = Date.now() + 90_000
+while (Date.now() < finalTimeout) {
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) break
+  await new Promise((r) => setTimeout(r, 200))
+}
+
+// ── Validation ────────────────────────────────────────────────────────────────
+console.log('\n\n[tc-e2e] === validation ===')
+const counts: Record<string, number> = {}
+for (const e of events) counts[e.type] = (counts[e.type] ?? 0) + 1
+console.log('[tc-e2e] event counts:', JSON.stringify(counts, null, 2))
+
+const toolResults = events.filter((e) => e.type === 'tool_result')
+const resumedToolResult = toolResults.find((e) => e.ts > resumeT0)
+const finalResult = events.find((e) => e.type === 'result')
+const errorEv = events.find((e) => e.type === 'error')
+
+// 文件检查
+let fileOk = false
+try {
+  const content = fs.readFileSync(targetFile, 'utf8')
+  fileOk = content.includes('hi from tc e2e')
+  console.log(`[tc-e2e] file content = ${JSON.stringify(content)}`)
+} catch (e) {
+  console.log(`[tc-e2e] file missing: ${(e as Error).message}`)
+}
+
+console.log('\n[tc-e2e] assertions:')
+console.log(`  tool_confirm received:        ${confirmEvent ? 'PASS' : 'FAIL'}`)
+console.log(`  agent suspended after it:     PASS (no 'result' for 3s)`)
+console.log(`  round2 took resume path:      PASS (alreadyRunning=true)`)
+console.log(`  tool_result after resume:     ${resumedToolResult ? 'PASS' : 'FAIL'}`)
+console.log(`  final result event:           ${finalResult ? 'PASS' : 'FAIL'}`)
+console.log(`  no error event:               ${errorEv ? 'FAIL (err=' + errorEv.content + ')' : 'PASS'}`)
+console.log(`  file has expected content:    ${fileOk ? 'PASS' : 'FAIL'}`)
+
+const overall = !!confirmEvent && !!resumedToolResult && !!finalResult && !errorEv && fileOk
+console.log(`\n[tc-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 0b2e089..9abbf98 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -44,6 +44,7 @@ import { persistenceService } from '../persistence.service.js'
 import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
 import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
 import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
+import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { spawn } from 'node:child_process'
 import os from 'node:os'
@@ -62,8 +63,41 @@ const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '.'
 
 let toolsInstallPromise: Promise<void> | null = null
 
+/**
+ * 活跃 agent 的 liveCallback 注册表。
+ *
+ * 为什么需要？—— Resume 场景：第一轮 chatStream 的 SSE 流已结束（前端看到
+ * tool_confirm 后切 waiting_for_interaction），第二轮 chatStream 是**新的
+ * HTTP 请求**，带新的 callback。pending 恢复后，后续的 session/update 必须
+ * 用**新 callback** 推给新 SSE 流（而不是第一轮的 callback，那个 stream 已关）。
+ *
+ * 所以每次 chatStream（包括 resume 入口）都要更新这个 map，launchAgent 内部的
+ * emit 函数通过 getLiveCallback() 间接取最新值。
+ */
+const liveCallbacks = new Map<string, AgentCallback | null>()
+
+function registerLiveCallback(conversationId: string, cb: AgentCallback | null): void {
+  liveCallbacks.set(conversationId, cb)
+}
+
+function updateLiveCallback(conversationId: string, cb: AgentCallback | null): void {
+  liveCallbacks.set(conversationId, cb)
+}
+
+function getLiveCallback(conversationId: string): AgentCallback | null {
+  return liveCallbacks.get(conversationId) ?? null
+}
+
+function clearLiveCallback(conversationId: string): void {
+  liveCallbacks.delete(conversationId)
+}
+
 /** 惰性确保全局 tools 已安装；多次调用只执行一次。 */
 function ensureToolsInstalledOnce(): Promise<void> {
+  if (process.env.OPENCODE_SKIP_TOOLS_INSTALL === '1') {
+    // 测试场景可显式跳过（例如 ToolConfirm e2e 要测 builtin write 的 permission 流）
+    return Promise.resolve()
+  }
   if (!toolsInstallPromise) {
     toolsInstallPromise = ensureOpencodeToolsInstalled()
       .then((r) => {
@@ -124,8 +158,35 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
   async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
     const conversationId = options.conversationId || uuidv4()
 
+    // Resume path：已有挂起的 agent + 携带 toolConfirmation
+    //   → 不 spawn 新进程，直接 resolve 挂起的 permission Promise
+    //   → opencode 收到 outcome 后继续执行，session/update 流从卡住处继续
     if (isAgentRunning(conversationId)) {
       const run = getAgentRun(conversationId)!
+      if (options.toolConfirmation) {
+        const resolved = resolvePending(
+          conversationId,
+          options.toolConfirmation.interruptId,
+          options.toolConfirmation.payload.action,
+        )
+        if (!resolved) {
+          console.warn(
+            `[OpencodeAcpRuntime] toolConfirmation arrived but no pending registration for interruptId=${options.toolConfirmation.interruptId}`,
+          )
+        }
+        // 记住本轮的 callback 给后续 session/update 转发：
+        // pending Promise 里关联的 emit 已经在 launchAgent 的闭包里了，
+        // 外部 callback 只有在本次 SSE 流里才能用。
+        // 最简单的做法：更新 registry 里记录的 liveCallback（下一条 AgentCallbackMessage 转发到此）
+        updateLiveCallback(conversationId, callback)
+      } else {
+        // 兜底：没有 toolConfirmation 却进来了——直接返回，让调用方走 observe
+        if (process.env.OPENCODE_ACP_DEBUG) {
+          console.log(
+            `[OpencodeAcpRuntime] chatStream re-entered without toolConfirmation (conv=${conversationId}); returning existing turn`,
+          )
+        }
+      }
       return { turnId: run.turnId, alreadyRunning: true }
     }
 
@@ -140,6 +201,9 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       abortController,
     })
 
+    // 记录本轮的 liveCallback（resume 时可替换，因为 SSE 流可能已更新）
+    registerLiveCallback(conversationId, callback)
+
     this.launchAgent(prompt, callback, options, conversationId, turnId, abortController).catch((err) => {
       console.error('[OpencodeAcpRuntime] background agent error:', err)
     })
@@ -149,7 +213,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
 
   private async launchAgent(
     prompt: string,
-    liveCallback: AgentCallback | null,
+    _liveCallback: AgentCallback | null,
     options: AgentOptions,
     conversationId: string,
     turnId: string,
@@ -159,7 +223,10 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     const userId = options.userId || 'anonymous'
     const modelId = options.model || DEFAULT_OPENCODE_MODEL
 
-    const emit = makeEmitter({ liveCallback, envId, userId, conversationId, turnId })
+    // emit 每次动态取 liveCallback（resume 时回调会被替换）
+    // 第一轮由 chatStream 调用 registerLiveCallback 写入；第二轮（resume）由
+    // chatStream 的 resume 分支更新。
+    const emit = makeEmitter({ envId, userId, conversationId, turnId })
 
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
@@ -221,17 +288,41 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
             await this.handleSessionUpdate(params.update, emit)
           },
           requestPermission: async (params) => {
+            // ACP 权限请求 → 桥接到前端 ToolConfirm UI
+            //
+            // 流程：
+            //   1. 生成/取 interruptId（前端用来回传 toolConfirmation）
+            //   2. 发 AgentCallbackMessage(type='tool_confirm')：前端显示确认卡片
+            //   3. registerPending 注册一个挂起 Promise
+            //   4. await pending：handler 卡住 → opencode 也卡住
+            //   5. 前端用户选择 → 下一轮 chatStream 带 toolConfirmation
+            //   6. chatStream 调 resolvePending → 本 Promise resolve → handler 返回
+            //   7. opencode 收到 outcome 后继续
+            const interruptId = params.toolCall?.toolCallId || uuidv4()
+            const toolName = params.toolCall?.title || 'unknown'
+            const toolInput = (params.toolCall?.rawInput as Record<string, unknown>) || {}
+
             await emit({
               type: 'tool_confirm',
-              id: params.toolCall?.toolCallId || uuidv4(),
-              name: params.toolCall?.title || 'unknown',
-              input: (params.toolCall?.rawInput as Record<string, unknown>) || {},
+              id: interruptId,
+              name: toolName,
+              input: toolInput,
             })
-            const opt =
-              params.options.find((o: { kind: string }) => o.kind === 'allow_once') ??
-              params.options.find((o: { kind: string }) => o.kind === 'allow_always') ??
-              params.options[0]
-            return { outcome: { outcome: 'selected', optionId: opt!.optionId } }
+
+            try {
+              // 这里会长时间挂起 — 直到外部 resolvePending 或 rejectPendingForConversation
+              return await registerPending(conversationId, interruptId, params.options as any[])
+            } catch (e) {
+              // abort/reject 时 fallback：让 opencode 收到拒绝（避免它卡死）
+              const reject =
+                params.options.find((o: { kind: string }) => o.kind === 'reject_once') ??
+                params.options[params.options.length - 1]
+              console.warn(
+                `[OpencodeAcpRuntime] pending permission rejected (conv=${conversationId}, interrupt=${interruptId}):`,
+                (e as Error).message,
+              )
+              return { outcome: { outcome: 'selected', optionId: reject!.optionId } }
+            }
           },
         }),
         transport.stream,
@@ -284,6 +375,14 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     } catch (error: any) {
       const isAbort = abortController.signal.aborted || error?.name === 'AbortError'
       console.error('[OpencodeAcpRuntime] launchAgent error:', error)
+      // 释放挂起的权限请求（否则 opencode 子进程卡住 + chatStream 永远不返回）
+      const rejectedCount = rejectPendingForConversation(
+        conversationId,
+        isAbort ? 'Aborted' : `runtime error: ${error?.message || error}`,
+      )
+      if (rejectedCount > 0 && process.env.OPENCODE_ACP_DEBUG) {
+        console.log(`[OpencodeAcpRuntime] rejected ${rejectedCount} pending permissions due to error`)
+      }
       try {
         await emit({
           type: 'error',
@@ -309,6 +408,8 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
           /* noop */
         }
       }
+      // 清掉 liveCallback 注册，避免 map 泄漏
+      clearLiveCallback(conversationId)
       setTimeout(() => removeAgent(conversationId, turnId), 5000)
     }
   }
@@ -384,19 +485,20 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
 // ─── Helpers ─────────────────────────────────────────────────────────────
 
 function makeEmitter(ctx: {
-  liveCallback: AgentCallback | null
   envId: string
   userId: string
   conversationId: string
   turnId: string
 }): (msg: AgentCallbackMessage) => Promise<void> {
-  const { liveCallback, envId, userId, conversationId, turnId } = ctx
+  const { envId, userId, conversationId, turnId } = ctx
   return async (msg) => {
     const enriched: AgentCallbackMessage = {
       ...msg,
       sessionId: conversationId,
       assistantMessageId: turnId,
     }
+    // 动态取 liveCallback：resume 时第二轮 SSE 的 callback 会替换第一轮的
+    const liveCallback = getLiveCallback(conversationId)
     if (liveCallback) {
       try {
         const seq = getNextSeq(conversationId)
diff --git a/packages/server/src/agent/runtime/pending-permission-registry.ts b/packages/server/src/agent/runtime/pending-permission-registry.ts
new file mode 100644
index 0000000..82cadf3
--- /dev/null
+++ b/packages/server/src/agent/runtime/pending-permission-registry.ts
@@ -0,0 +1,155 @@
+/**
+ * PendingPermissionRegistry
+ *
+ * 存放被挂起的 ACP `requestPermission` 调用，跨 chatStream 请求传递用户决策。
+ *
+ * 场景（OpenCode ACP 下的 ToolConfirm 流程）：
+ *
+ *   1. opencode 子进程对工具调用发 `session/request_permission`
+ *   2. ClientSideConnection 的 `requestPermission` handler 被触发
+ *   3. handler：
+ *        a. 通过 emit 发 AgentCallbackMessage(type='tool_confirm') 给前端 SSE
+ *        b. 调用 `registerPending(convId, interruptId, options)` 拿到 pending Promise
+ *        c. `return await pending` → 本 handler 挂起（opencode 也挂起）
+ *   4. 前端用户点 "允许/拒绝" → 下一轮 session/prompt 带 params.toolConfirmation
+ *   5. routes/acp.ts 照常调 runtime.chatStream(options.toolConfirmation)
+ *   6. runtime 检测到：
+ *        - isAgentRunning → 已有挂起的 agent
+ *        - options.toolConfirmation 非空
+ *      → 调 `resolvePending(convId, interruptId, action)` 喂给挂起的 Promise
+ *   7. opencode 收到 outcome，继续执行，session/update 事件从卡住的地方恢复
+ *
+ * 内存存储，进程重启清空（与 agent-registry 一致）。
+ * 同一个 conversationId 同时只能有一个挂起的权限请求（opencode 本身保证序列化）。
+ */
+
+import type { RequestPermissionResponse } from '@agentclientprotocol/sdk'
+
+type AcpOption = {
+  optionId: string
+  kind: 'allow_once' | 'allow_always' | 'reject_once' | 'reject_always' | string
+  name?: string
+}
+
+export interface PendingPermission {
+  conversationId: string
+  /** 对应 toolCallId（前端 resume 时传 interruptId） */
+  interruptId: string
+  options: AcpOption[]
+  /** 创建时间（用于调试和超时清理） */
+  createdAt: number
+  /**
+   * resolve opencode ACP `requestPermission` 返回值。
+   * 这个函数被 runtime 外部（resolvePending）调用。
+   */
+  resolve: (outcome: RequestPermissionResponse) => void
+  /** reject 用于 abort 场景 */
+  reject: (reason?: unknown) => void
+}
+
+const pending = new Map<string, PendingPermission>()
+
+function key(conversationId: string, interruptId: string): string {
+  return `${conversationId}::${interruptId}`
+}
+
+/**
+ * 注册一个挂起的权限请求，返回 Promise 给 ACP handler。
+ * ACP handler 应该 `await` 这个 Promise，Promise resolve 时 handler 返回给 opencode。
+ */
+export function registerPending(
+  conversationId: string,
+  interruptId: string,
+  options: AcpOption[],
+): Promise<RequestPermissionResponse> {
+  return new Promise((resolve, reject) => {
+    const existing = pending.get(key(conversationId, interruptId))
+    if (existing) {
+      // 边界：同一 interruptId 重复注册（理论上不应发生）—— 清理旧的
+      existing.reject(new Error('Replaced by new pending permission'))
+    }
+    pending.set(key(conversationId, interruptId), {
+      conversationId,
+      interruptId,
+      options,
+      createdAt: Date.now(),
+      resolve,
+      reject,
+    })
+  })
+}
+
+/**
+ * 由 runtime（下一轮 chatStream）调用：根据用户 action 查找对应 ACP 选项 id，喂给挂起的 handler。
+ *
+ * @returns true 表示成功找到并 resolve；false 表示没有挂起的记录（可能 agent 已超时/被 cancel）
+ */
+export function resolvePending(
+  conversationId: string,
+  interruptId: string,
+  action: 'allow' | 'allow_always' | 'deny' | 'reject_and_exit_plan',
+): boolean {
+  const entry = pending.get(key(conversationId, interruptId))
+  if (!entry) return false
+
+  const optionId = pickOptionId(entry.options, action)
+  pending.delete(key(conversationId, interruptId))
+  entry.resolve({
+    outcome: { outcome: 'selected', optionId },
+  })
+  return true
+}
+
+/**
+ * 由 abort 逻辑调用：把所有该 conversation 的挂起权限请求 reject，让 opencode 收到错误退出。
+ */
+export function rejectPendingForConversation(conversationId: string, reason = 'Aborted'): number {
+  let count = 0
+  for (const [k, entry] of pending) {
+    if (entry.conversationId === conversationId) {
+      entry.reject(new Error(reason))
+      pending.delete(k)
+      count++
+    }
+  }
+  return count
+}
+
+/** 是否有挂起的权限请求（调试/observability 用） */
+export function hasPending(conversationId: string): boolean {
+  for (const entry of pending.values()) {
+    if (entry.conversationId === conversationId) return true
+  }
+  return false
+}
+
+/**
+ * 把 PermissionAction 映射到 ACP options 的 optionId。
+ *
+ * ACP options 的 kind 可能包括：
+ *   - allow_once: 本次允许
+ *   - allow_always: 永远允许
+ *   - reject_once: 本次拒绝
+ *   - reject_always: 永远拒绝（OpenCode 不一定提供）
+ *
+ * 前端 PermissionAction:
+ *   - allow             → allow_once
+ *   - allow_always      → allow_always（没有就 fallback 到 allow_once）
+ *   - deny              → reject_once
+ *   - reject_and_exit_plan → reject_once（ExitPlanMode 特化，opencode 端视同拒绝）
+ */
+function pickOptionId(options: AcpOption[], action: string): string {
+  const findKind = (kind: string) => options.find((o) => o.kind === kind)
+
+  switch (action) {
+    case 'allow':
+      return (findKind('allow_once') ?? findKind('allow_always') ?? options[0]).optionId
+    case 'allow_always':
+      return (findKind('allow_always') ?? findKind('allow_once') ?? options[0]).optionId
+    case 'deny':
+    case 'reject_and_exit_plan':
+      return (findKind('reject_once') ?? findKind('reject_always') ?? options[options.length - 1]).optionId
+    default:
+      return options[0].optionId
+  }
+}

From 268aa49f00d59576c3a22aa550c1dc3b420cf19a Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 16:36:21 +0800
Subject: [PATCH 05/33] =?UTF-8?q?feat(agent):=20OpenCode=20AskUserQuestion?=
 =?UTF-8?q?=20=E6=8E=A5=E5=85=A5=EF=BC=88custom=20tool=20+=20=E5=86=85?=
 =?UTF-8?q?=E9=83=A8=20HTTP=20=E5=9B=9E=E8=B0=83=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenCode 原生 ACP 不支持 AskUserQuestion（内置 question tool 在 ACP 模式默认
禁用，且 ACP agent 层没订阅 Question 事件总线，会死锁）。我们自己实现：
通过 custom tool override + server 本地 HTTP endpoint 挂起机制完成。

## 新增

- src/agent/runtime/pending-question-registry.ts
  独立的挂起 HTTP response registry（对比 permission registry 挂 JSON-RPC
  Promise）。registerPendingQuestion / resolvePendingQuestion /
  rejectPendingQuestionsForConversation。

- src/agent/runtime/opencode-tool-templates/question.ts
  custom tool，参数 schema 与 opencode 原生一致（header/question/options/multiple）。
  execute 里 fetch ASK_USER_URL（env 注入），阻塞等 HTTP 响应里的 answers，
  返回格式化文本给 LLM。

- scripts/test-ask-user-e2e.mts
  完整 e2e：起 mini Hono app 挂 acp 路由 + 127.0.0.1 + 随机端口；
  Round 1 让 LLM 调 question tool → 验证 ask_user 事件 + 3s 挂起无 result；
  Round 2 带 askAnswers → 验证 alreadyRunning=true + tool_result 含答案 +
  LLM 文本引用答案。

## 改动

- routes/acp.ts
  - 新 POST /api/agent/internal/ask-user（仅 127.0.0.1 + X-Internal-Token 认证）
  - middleware 对 /internal/* 豁免 requireUserEnv，走 token 认证
  - handler 注册 PendingQuestion + emitForConversation 推 ask_user 给前端 SSE
  - 10 分钟超时返 408

- src/agent/runtime/opencode-acp-runtime.ts
  - 新 emitters map + emitForConversation() 导出
  - getAskUserToken() 惰性生成 16-byte hex 共享 token
  - spawn opencode 时注入 ASK_USER_URL / ASK_USER_TOKEN / ASK_USER_CONVERSATION_ID
  - chatStream resume 分支处理 options.askAnswers → resolvePendingQuestion
  - 错误/abort 路径一并 rejectPendingQuestionsForConversation

- src/agent/runtime/opencode-installer.ts
  TOOL_NAMES 加 'question'

- src/index.ts
  server 启动时设置 ASK_USER_BASE_URL env（127.0.0.1:<port>）

- shared/types/agent.ts 无改动：askAnswers / toolConfirmation 定义早就存在（P2
  设计时为 Tencent SDK 用的）

## 测试结果

e2e (AskUserQuestion):
```
Round 1:
  +11670ms  tool_use name=question
  +15092ms  ★ ask_user questions=[{header:Database, options:[PostgreSQL, MySQL]}]
  [agent 挂起 3s 无 result]
Round 2 (askAnswers PostgreSQL):
  alreadyRunning=true
  +18149ms  tool_result: "User answered: Which database to use? → PostgreSQL..."
  +36349ms  result: end_turn
  LLM 文本引用答案: "Great! You've chosen PostgreSQL..."

  ask_user received:             PASS
  agent suspended after:         PASS
  round2 resume path:            PASS
  tool_result with user answer:  PASS
  final result event:            PASS
  no error event:                PASS
  text mentions answer:          PASS (bonus)
OVERALL: PASS
```

回归：e2e#1 local + ToolConfirm e2e 全 PASS；type-check/lint/build/format 通过。

## 已知边界

- LLM 主动调用 question 工具依赖 prompt 明确指示（Kimi 默认倾向自己拍板）
- 10 分钟超时（ASK_USER_TIMEOUT_MS env）
- Token 静态生成，进程重启会变（生产建议 env 显式注入）
---
 docs/acp-runtime-abstraction.md               | 121 +++++++++-
 packages/server/scripts/test-ask-user-e2e.mts | 216 ++++++++++++++++++
 .../src/agent/runtime/opencode-acp-runtime.ts | 112 +++++++--
 .../src/agent/runtime/opencode-installer.ts   |   2 +-
 .../opencode-tool-templates/question.ts       | 112 +++++++++
 .../runtime/pending-question-registry.ts      | 110 +++++++++
 packages/server/src/index.ts                  |   6 +
 packages/server/src/routes/acp.ts             |  85 ++++++-
 8 files changed, 742 insertions(+), 22 deletions(-)
 create mode 100644 packages/server/scripts/test-ask-user-e2e.mts
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/question.ts
 create mode 100644 packages/server/src/agent/runtime/pending-question-registry.ts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index cba6d4d..1e376f0 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -240,7 +240,8 @@ npx tsx scripts/test-tool-confirm-e2e.mts
 |---|---|
 | ToolConfirm UI 回调 | ✅ **已接入** — 见 §12 |
 | ToolConfirmation resume 流程 | ✅ **已接入** — 见 §12 |
-| askAnswers resume | ❌ 未接入 |
+| AskUserQuestion（询问用户） | ✅ **已接入** — 见 §13 |
+| askAnswers resume | ✅ **已接入** — 见 §13 |
 | coding-mode 模板初始化 | ❌ 未集成 |
 | 消息持久化到 tasks | ⚠️ 只 stream events 落库 |
 | tool override 的版本升级 hash 匹配 | ✅ 已实现（hashFile 比较） |
@@ -249,7 +250,7 @@ npx tsx scripts/test-tool-confirm-e2e.mts
 ## 10. 后续方向
 
 1. ~~接 ToolConfirm UI~~ ✅ 完成
-2. **askAnswers / AskUserQuestion resume 流程**（2-3 天）
+2. ~~AskUserQuestion resume 流程~~ ✅ 完成
 3. **消息持久化对齐 Tencent 路线**（2-3 天）
 4. **更多 ACP agent**（Claude Code / Gemini / Qwen Code；每个 1-2 天，runtime 骨架复用）
 5. **前端 Runtime 选择器**（0.5 天）
@@ -358,3 +359,119 @@ OVERALL: PASS
 - **Custom tool override 绕开 permission 系统**：`~/.config/opencode/tools/write.ts` 覆盖 builtin write 后，permission 检查是内置代码路径，custom tool 是独立路径，**不会触发 requestPermission**。沙箱场景里的 write 转发就无权限拦截（这是预期行为：沙箱本身就隔离，无需再加一层）。
 - **Resume 不超时**：runtime 目前没有"挂起超过 N 分钟自动 reject"机制。如果用户长时间不回应，opencode 子进程会一直占用。未来可加 `PENDING_TIMEOUT_MS`。
 - **多路径挂起**：同一 conversation 同时只能一个 pending（opencode 串行执行工具）。registry 内部已防重，但多路 SSE 断开重连场景未深度测试。
+
+---
+
+## 13. AskUserQuestion（已实现）
+
+### 13.1 问题
+
+OpenCode 内置 `question` tool（`packages/opencode/src/tool/question.ts`），但：
+- 在 ACP 模式默认禁用（`OPENCODE_CLIENT=acp` 导致 tool registry 不注册）
+- 即便开启，opencode 的 ACP agent 层 **没有订阅** `Question.Event.Asked`
+  事件总线，LLM 调 question tool 时 `Deferred` 永远不会 resolve，agent 会死锁
+
+结论：**OpenCode 原生 ACP 不支持 AskUserQuestion**。需要我们自己实现。
+
+### 13.2 设计：Custom tool + 内部 HTTP endpoint
+
+与 ToolConfirm（§12）的 ACP JSON-RPC 挂起不同，AskUserQuestion 通过**内部 HTTP 回调**挂起：
+
+```
+┌─ Round 1 ─────────────────────────────────────────────────────────────┐
+│                                                                        │
+│  opencode 子进程 LLM 调 question 工具                                   │
+│   ↓                                                                    │
+│  ~/.config/opencode/tools/question.ts (custom override)                │
+│   ↓ execute 里 fetch                                                   │
+│  POST http://127.0.0.1:<port>/api/agent/internal/ask-user              │
+│        headers: X-Internal-Token: <shared token>                       │
+│        body: { conversationId, toolCallId, questions }                 │
+│   ↓                                                                    │
+│  server handler:                                                       │
+│    1. emitForConversation(convId, {type:'ask_user', id, input})       │
+│       → AgentCallbackMessage → 前端 SSE(sessionUpdate='ask_user')     │
+│    2. registerPendingQuestion(convId, toolCallId, res)                │
+│       → HTTP response 挂起（不 send）                                 │
+│                                                                        │
+│  [前端 AskUserForm 展示；用户填写；Round 1 的 SSE 流"轻松"等待]          │
+└────────────────────────────────────────────────────────────────────────┘
+
+┌─ Round 2 ─────────────────────────────────────────────────────────────┐
+│                                                                        │
+│  前端 submit answers → POST /session/prompt                           │
+│    body.askAnswers = { <toolCallId>: { toolCallId, answers } }       │
+│                                                                        │
+│  routes/acp.ts 透传 options.askAnswers                                │
+│   ↓                                                                    │
+│  runtime.chatStream                                                   │
+│    isAgentRunning + options.askAnswers 非空                           │
+│     → resolvePendingQuestion(convId, toolCallId, answers)             │
+│     → HTTP res.json({ ok: true, answers })                           │
+│                                                                        │
+│  [opencode 子进程 question.ts execute 的 fetch 收到响应]                │
+│   ↓                                                                    │
+│  tool output: "User answered: \"Which DB?\" → PostgreSQL. You can..." │
+│   ↓                                                                    │
+│  LLM 继续推理，引用用户答案                                            │
+│   ↓                                                                    │
+│  最终 result → 第二轮 SSE 流关闭                                       │
+└────────────────────────────────────────────────────────────────────────┘
+```
+
+### 13.3 核心代码
+
+**`pending-question-registry.ts`**：独立于 permission registry，因为：
+- Permission 存 ACP JSON-RPC Promise resolver
+- Question 存 HTTP response resolver（用户填答案后 res.json 返回 opencode 子进程）
+
+**`opencode-tool-templates/question.ts`**：新增 custom tool
+- 参数 schema 与 opencode 原生 question tool 一致（`header`/`question`/`options`/`multiple`）
+- execute 内 fetch 内部 endpoint，阻塞等答案
+- 返回格式化文本 + metadata.answers
+
+**`routes/acp.ts`**：新增 `POST /api/agent/internal/ask-user`
+- 认证：X-Internal-Token（仅 127.0.0.1 回环）
+- 中间件豁免 `requireUserEnv`（它是 agent 内部调用，不走用户会话）
+- 挂起 HTTP response 10 分钟，超时 408
+
+**`opencode-acp-runtime.ts`**：
+- spawn 时注入 `ASK_USER_URL`/`ASK_USER_TOKEN`/`ASK_USER_CONVERSATION_ID`
+- `chatStream` resume 分支处理 `options.askAnswers`
+- 暴露 `emitForConversation` 给 routes 用（推 ask_user 给前端 SSE）
+
+### 13.4 e2e 验证
+
+`scripts/test-ask-user-e2e.mts`：
+
+```
+Round 1:
+  +11670ms  tool_use id=question:0 name=question
+  +15092ms  ★ ask_user id=question:0 questions=[{header:Database, options:[PostgreSQL, MySQL]}]
+  [agent suspended 3s no result]
+
+模拟用户选 "PostgreSQL"
+
+Round 2 (askAnswers):
+  alreadyRunning=true
+  +18149ms  tool_result: "User answered: Which database to use? → PostgreSQL..."
+  +20341ms  tool_use skill (LLM 继续调用后续工具)
+  +36349ms  result: end_turn
+  LLM 文本: "Great! You've chosen PostgreSQL. Let me provide recommendations..."
+
+  ask_user received:             PASS
+  agent suspended after:         PASS (no result 3s)
+  round2 resume path:            PASS (alreadyRunning=true)
+  tool_result with user answer:  PASS
+  final result event:            PASS
+  no error event:                PASS
+  text mentions answer:          PASS (bonus)
+OVERALL: PASS
+```
+
+### 13.5 已知边界
+
+- **LLM 的主动性依赖 prompt 明确指示**：默认 Moonshot/Kimi 倾向于自己拍板，不会主动提问。需要在用户 prompt 里写"请使用 question 工具征询我..."才会调用。对于生产 UX，建议在 system prompt 里明确鼓励 question 工具的使用场景。
+- **超时 10 分钟**：可通过 `ASK_USER_TIMEOUT_MS` env 覆盖。超时后 opencode tool 拿到 `408` 响应，会把 "timeout" 告知 LLM，由 LLM 决定是否重试。
+- **token 静态**：runtime 首次 `getAskUserToken()` 调用时生成，此后不变。服务进程重启会重新生成。生产部署下应通过 env 显式注入稳定 token。
+- **多路 SSE 重连**：Round 1 SSE 断了后，用户重连 GET /observe/:sessionId 能继续收事件，但已经 emit 过的 ask_user 不会重放（它已落 stream events DB，由 observe 的 replay 逻辑带出）。
diff --git a/packages/server/scripts/test-ask-user-e2e.mts b/packages/server/scripts/test-ask-user-e2e.mts
new file mode 100644
index 0000000..d10ef0d
--- /dev/null
+++ b/packages/server/scripts/test-ask-user-e2e.mts
@@ -0,0 +1,216 @@
+#!/usr/bin/env tsx
+/**
+ * AskUserQuestion 端到端测试（OpenCode runtime）
+ *
+ * 验证链路：
+ *   1. 启动一个 Hono app，只挂载 acp 路由（含 /api/agent/internal/ask-user）
+ *   2. 设置 ASK_USER_BASE_URL = http://127.0.0.1:<port>
+ *   3. 第一轮 chatStream：
+ *        - LLM 调 question 工具
+ *        - custom question.ts execute → fetch ASK_USER_URL
+ *        - server /internal/ask-user → emit ask_user（到 callback）+ 注册 pending
+ *        - 观察：收到 ask_user 事件；一段时间内没 result（证明挂起）
+ *   4. 第二轮 chatStream 带 askAnswers
+ *        - runtime resolvePendingQuestion → HTTP res.json(answers)
+ *        - custom question.ts 拿到 answers → execute 返回 tool output
+ *        - LLM 继续推理
+ *        - 最终 result
+ *   5. 断言：LLM 文本里包含用户答案的选项 label
+ *
+ * 用法：
+ *   npx tsx scripts/test-ask-user-e2e.mts
+ */
+
+import fs from 'node:fs'
+import { serve } from '@hono/node-server'
+import { Hono } from 'hono'
+
+// 在 import runtime 前设置 env（installer 和 emitter 都需要）
+// 端口在 hono serve 起来后才知道，所以先占位，后面改写
+let assignedPort = 0
+process.env.OPENCODE_SKIP_TOOLS_INSTALL !== '1' // noop; 这个场景需要 tool 被装上
+
+// 启动测试 server ──────────────────────────────────────────────────────
+const app = new Hono()
+// 只需要 acp 路由，但 acp.ts 的 middleware 会检查用户 env / token。
+// internal/* 走 token 认证（getAskUserToken），其他路径 requireUserEnv。
+// 因此我们直接 import acp 路由模块并挂载。
+import acpRoutes from '../src/routes/acp.js'
+app.route('/api/agent', acpRoutes)
+
+// 赋值端口（让系统挑一个空闲端口）
+const server = serve({ fetch: app.fetch, port: 0, hostname: '127.0.0.1' }, (info) => {
+  assignedPort = info.port
+  console.log(`[askuser-e2e] test server listening on 127.0.0.1:${assignedPort}`)
+})
+await new Promise((r) => setTimeout(r, 200))
+process.env.ASK_USER_BASE_URL = `http://127.0.0.1:${assignedPort}`
+
+// 此时再 import runtime —— 它会读最新的 env
+const { opencodeAcpRuntime } = await import('../src/agent/runtime/opencode-acp-runtime.js')
+const { getAskUserToken } = await import('../src/agent/runtime/opencode-acp-runtime.js')
+console.log('[askuser-e2e] ASK_USER_BASE_URL=', process.env.ASK_USER_BASE_URL)
+console.log('[askuser-e2e] ASK_USER_TOKEN=', getAskUserToken().slice(0, 8) + '...')
+
+// ── 测试工作目录 ────────────────────────────────────────────────────────
+const WORKDIR = '/tmp/opencode-askuser-e2e-' + Date.now()
+fs.mkdirSync(WORKDIR, { recursive: true })
+
+// ── Event recorder ──────────────────────────────────────────────────────
+import type { AgentCallbackMessage } from '@coder/shared'
+const events: Array<{ ts: number; type: string; name?: string; id?: string; content?: string; input?: unknown }> =
+  []
+const startT0 = Date.now()
+
+function makeCb(label: string) {
+  return async (msg: AgentCallbackMessage) => {
+    events.push({
+      ts: Date.now() - startT0,
+      type: msg.type,
+      name: msg.name,
+      id: msg.id,
+      content: typeof msg.content === 'string' ? msg.content.slice(0, 200) : undefined,
+      input: msg.input,
+    })
+    const t = Date.now() - startT0
+    if (msg.type === 'ask_user') {
+      console.log(
+        `\n[${label} +${t}ms] ★ ask_user id=${msg.id} questions=${JSON.stringify(msg.input).slice(0, 250)}`,
+      )
+    } else if (msg.type === 'tool_use') {
+      console.log(`[${label} +${t}ms] tool_use id=${msg.id} name=${msg.name}`)
+    } else if (msg.type === 'tool_result') {
+      console.log(`[${label} +${t}ms] tool_result out=${(msg.content || '').slice(0, 200)}`)
+    } else if (msg.type === 'result') {
+      console.log(`[${label} +${t}ms] result: ${msg.content}`)
+    } else if (msg.type === 'error') {
+      console.log(`[${label} +${t}ms] error: ${msg.content}`)
+    } else if (msg.type === 'text' && msg.content) {
+      process.stdout.write(msg.content)
+    }
+  }
+}
+
+// ── Round 1: 第一轮 prompt ──────────────────────────────────────────────
+const conversationId = 'askuser-e2e-' + Date.now()
+console.log(`\n[askuser-e2e] === Round 1 ===`)
+
+const r1 = await opencodeAcpRuntime.chatStream(
+  `我想搭建一个 web 应用后端。请使用 question 工具问我以下问题：\n` +
+    `header="Database"，question="Which database to use?"，options 包含 PostgreSQL 和 MySQL 两个选项。\n` +
+    `等我回答后再给建议。不要自己下决定，必须用 question 工具征询。`,
+  makeCb('r1'),
+  {
+    conversationId,
+    envId: '',
+    userId: 'e2e-user',
+    cwd: WORKDIR,
+    model: 'moonshot/kimi-k2-0905-preview',
+  },
+)
+console.log(`[askuser-e2e] round1 returned: turnId=${r1.turnId}`)
+
+// 等 ask_user 事件
+console.log('[askuser-e2e] waiting for ask_user ...')
+const askTimeout = Date.now() + 60_000
+let askEvent: (typeof events)[number] | undefined
+while (Date.now() < askTimeout) {
+  askEvent = events.find((e) => e.type === 'ask_user')
+  if (askEvent) break
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) {
+    console.error('[askuser-e2e] UNEXPECTED: round1 finished without ask_user')
+    console.log(JSON.stringify(events, null, 2))
+    server.close()
+    process.exit(1)
+  }
+  await new Promise((r) => setTimeout(r, 200))
+}
+
+if (!askEvent) {
+  console.error('[askuser-e2e] FAIL: no ask_user within 60s')
+  server.close()
+  process.exit(1)
+}
+console.log(`\n[askuser-e2e] ✓ Received ask_user at +${askEvent.ts}ms (toolCallId=${askEvent.id})`)
+
+// 等 3 秒确认没 result（说明挂起）
+await new Promise((r) => setTimeout(r, 3000))
+const earlyResult = events.find((e) => e.type === 'result' && e.ts > (askEvent!.ts ?? 0))
+if (earlyResult) {
+  console.error('[askuser-e2e] FAIL: got result too early after ask_user')
+  server.close()
+  process.exit(1)
+}
+console.log('[askuser-e2e] ✓ agent suspended after ask_user')
+
+// 取 questions 头（header）作为回答 key
+const questions = (askEvent.input as { questions: Array<{ header: string; options: Array<{ label: string }> }> })
+  .questions
+const firstHeader = questions[0].header
+const chosenLabel = questions[0].options.find((o) => /postgres/i.test(o.label))?.label ?? questions[0].options[0].label
+console.log(`[askuser-e2e] simulated user answer: ${firstHeader}="${chosenLabel}"`)
+
+// ── Round 2: 发 askAnswers ──────────────────────────────────────────────
+console.log(`\n[askuser-e2e] === Round 2 ===`)
+const resumeT0 = Date.now() - startT0
+const r2 = await opencodeAcpRuntime.chatStream('', makeCb('r2'), {
+  conversationId,
+  envId: '',
+  userId: 'e2e-user',
+  cwd: WORKDIR,
+  model: 'moonshot/kimi-k2-0905-preview',
+  askAnswers: {
+    [askEvent.id!]: {
+      toolCallId: askEvent.id!,
+      answers: { [firstHeader]: chosenLabel },
+    },
+  },
+})
+console.log(`[askuser-e2e] round2 returned: alreadyRunning=${r2.alreadyRunning}`)
+
+if (!r2.alreadyRunning) {
+  console.error('[askuser-e2e] FAIL: round2 should have alreadyRunning=true')
+  server.close()
+  process.exit(1)
+}
+
+// 等 result
+console.log('[askuser-e2e] waiting for tool_result + result ...')
+const finalTimeout = Date.now() + 120_000
+while (Date.now() < finalTimeout) {
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) break
+  await new Promise((r) => setTimeout(r, 200))
+}
+
+// ── Validation ──────────────────────────────────────────────────────────
+console.log('\n\n[askuser-e2e] === validation ===')
+const counts: Record<string, number> = {}
+for (const e of events) counts[e.type] = (counts[e.type] ?? 0) + 1
+console.log('[askuser-e2e] event counts:', JSON.stringify(counts))
+
+const toolResults = events.filter((e) => e.type === 'tool_result')
+const questionResult = toolResults.find((e) => e.ts > resumeT0 && typeof e.content === 'string' && e.content.includes(chosenLabel))
+const finalResult = events.find((e) => e.type === 'result')
+const errorEv = events.find((e) => e.type === 'error')
+
+// 检查 LLM 是否在最终文本里引用了用户答案（不强要求，但加分）
+const allText = events
+  .filter((e) => e.type === 'text')
+  .map((e) => e.content)
+  .join('')
+const textMentionsAnswer = allText.includes(chosenLabel) || allText.toLowerCase().includes(chosenLabel.toLowerCase())
+
+console.log('\n[askuser-e2e] assertions:')
+console.log(`  ask_user received:             PASS`)
+console.log(`  agent suspended after:         PASS (no result 3s)`)
+console.log(`  round2 resume path:            PASS (alreadyRunning=true)`)
+console.log(`  tool_result with user answer:  ${questionResult ? 'PASS' : 'FAIL'}`)
+console.log(`  final result event:            ${finalResult ? 'PASS' : 'FAIL'}`)
+console.log(`  no error event:                ${errorEv ? 'FAIL (' + errorEv.content + ')' : 'PASS'}`)
+console.log(`  text mentions answer:          ${textMentionsAnswer ? 'PASS (bonus)' : 'WARN (not required)'}`)
+
+const overall = !!questionResult && !!finalResult && !errorEv
+console.log(`\n[askuser-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+
+server.close()
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 9abbf98..f89cd4f 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -45,6 +45,7 @@ import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
 import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
 import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
+import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
 import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { spawn } from 'node:child_process'
 import os from 'node:os'
@@ -92,6 +93,53 @@ function clearLiveCallback(conversationId: string): void {
   liveCallbacks.delete(conversationId)
 }
 
+/**
+ * Per-conversation emitter 注册表：launchAgent 里写入闭包 emit，
+ * 供 routes/acp.ts 的 /internal/ask-user handler 对 ask_user 消息广播。
+ */
+const emitters = new Map<string, (msg: AgentCallbackMessage) => Promise<void>>()
+
+function registerEmitter(conversationId: string, emit: (m: AgentCallbackMessage) => Promise<void>): void {
+  emitters.set(conversationId, emit)
+}
+
+function clearEmitter(conversationId: string): void {
+  emitters.delete(conversationId)
+}
+
+/**
+ * 对外暴露：routes/acp.ts 调此方法给指定 conversation 发 AgentCallbackMessage。
+ * 主要用于 /internal/ask-user endpoint：tool 请求问用户 → emit ask_user → SSE 推前端。
+ */
+export async function emitForConversation(conversationId: string, msg: AgentCallbackMessage): Promise<void> {
+  const emit = emitters.get(conversationId)
+  if (!emit) throw new Error(`no emitter registered for conversation ${conversationId}`)
+  await emit(msg)
+}
+
+/**
+ * Internal-endpoint 共享 token。
+ *
+ * 在 server 启动时生成一次（惰性），通过 env 注入 opencode 子进程。
+ * 子进程的 custom tool 通过 `X-Internal-Token` header 回调 server 时认证。
+ */
+let askUserToken: string | null = null
+export function getAskUserToken(): string {
+  if (!askUserToken) {
+    // 16 字节十六进制，足够强的临时 token
+    askUserToken = cryptoRandomToken()
+  }
+  return askUserToken
+}
+
+function cryptoRandomToken(): string {
+  // 16 bytes hex, no external deps
+  const bytes = new Uint8Array(16)
+  // Node runtime 保证有 crypto.getRandomValues
+  ;(globalThis.crypto as Crypto).getRandomValues(bytes)
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('')
+}
+
 /** 惰性确保全局 tools 已安装；多次调用只执行一次。 */
 function ensureToolsInstalledOnce(): Promise<void> {
   if (process.env.OPENCODE_SKIP_TOOLS_INSTALL === '1') {
@@ -158,11 +206,15 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
   async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
     const conversationId = options.conversationId || uuidv4()
 
-    // Resume path：已有挂起的 agent + 携带 toolConfirmation
-    //   → 不 spawn 新进程，直接 resolve 挂起的 permission Promise
-    //   → opencode 收到 outcome 后继续执行，session/update 流从卡住处继续
+    // Resume path：已有挂起的 agent + 携带 toolConfirmation / askAnswers
+    //   → 不 spawn 新进程，直接 resolve 挂起的 permission Promise / question HTTP
+    //   → opencode 收到 outcome/answers 后继续执行，session/update 流继续
     if (isAgentRunning(conversationId)) {
       const run = getAgentRun(conversationId)!
+
+      // 更新 liveCallback 到新 SSE 流（第一轮的 SSE 可能已关）
+      updateLiveCallback(conversationId, callback)
+
       if (options.toolConfirmation) {
         const resolved = resolvePending(
           conversationId,
@@ -174,19 +226,26 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
             `[OpencodeAcpRuntime] toolConfirmation arrived but no pending registration for interruptId=${options.toolConfirmation.interruptId}`,
           )
         }
-        // 记住本轮的 callback 给后续 session/update 转发：
-        // pending Promise 里关联的 emit 已经在 launchAgent 的闭包里了，
-        // 外部 callback 只有在本次 SSE 流里才能用。
-        // 最简单的做法：更新 registry 里记录的 liveCallback（下一条 AgentCallbackMessage 转发到此）
-        updateLiveCallback(conversationId, callback)
-      } else {
-        // 兜底：没有 toolConfirmation 却进来了——直接返回，让调用方走 observe
-        if (process.env.OPENCODE_ACP_DEBUG) {
-          console.log(
-            `[OpencodeAcpRuntime] chatStream re-entered without toolConfirmation (conv=${conversationId}); returning existing turn`,
-          )
+      }
+
+      if (options.askAnswers) {
+        // askAnswers 结构：{ [assistantMessageId|recordId]: { toolCallId, answers } }
+        // 我们只关心 value 里的 toolCallId + answers
+        for (const entry of Object.values(options.askAnswers)) {
+          const resolved = resolvePendingQuestion(conversationId, entry.toolCallId, entry.answers)
+          if (!resolved) {
+            console.warn(
+              `[OpencodeAcpRuntime] askAnswers arrived but no pending question for toolCallId=${entry.toolCallId}`,
+            )
+          }
         }
       }
+
+      if (!options.toolConfirmation && !options.askAnswers && process.env.OPENCODE_ACP_DEBUG) {
+        console.log(
+          `[OpencodeAcpRuntime] chatStream re-entered without resume payload (conv=${conversationId}); returning existing turn`,
+        )
+      }
       return { turnId: run.turnId, alreadyRunning: true }
     }
 
@@ -227,6 +286,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     // 第一轮由 chatStream 调用 registerLiveCallback 写入；第二轮（resume）由
     // chatStream 的 resume 分支更新。
     const emit = makeEmitter({ envId, userId, conversationId, turnId })
+    registerEmitter(conversationId, emit)
 
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
@@ -260,7 +320,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         fs.mkdirSync(sessionWorkingDir, { recursive: true })
       }
 
-      // 3. 构造 spawn env — 把沙箱凭证通过 env 注入 opencode 子进程
+      // 3. 构造 spawn env — 把沙箱凭证 + AskUser 回调 URL 通过 env 注入 opencode 子进程
       const childEnv: Record<string, string> = {}
       if (sandbox) {
         const authHeaders = await sandbox.getAuthHeaders()
@@ -272,6 +332,15 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         childEnv.SANDBOX_MODE = '0'
       }
 
+      // AskUser 内部 HTTP 回调：question custom tool execute 时 fetch 此 URL
+      // URL 从 ASK_USER_BASE_URL env（server 启动时设置）+ path + 查询参数拼成
+      const askUserBase = process.env.ASK_USER_BASE_URL || ''
+      if (askUserBase) {
+        childEnv.ASK_USER_URL = `${askUserBase.replace(/\/$/, '')}/api/agent/internal/ask-user`
+        childEnv.ASK_USER_TOKEN = getAskUserToken()
+        childEnv.ASK_USER_CONVERSATION_ID = conversationId
+      }
+
       // 4. spawn opencode acp
       const factory = getAcpTransportFactory('local-stdio')
       transport = await factory({
@@ -380,8 +449,14 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         conversationId,
         isAbort ? 'Aborted' : `runtime error: ${error?.message || error}`,
       )
-      if (rejectedCount > 0 && process.env.OPENCODE_ACP_DEBUG) {
-        console.log(`[OpencodeAcpRuntime] rejected ${rejectedCount} pending permissions due to error`)
+      const rejectedQ = rejectPendingQuestionsForConversation(
+        conversationId,
+        isAbort ? 'Aborted' : `runtime error: ${error?.message || error}`,
+      )
+      if ((rejectedCount > 0 || rejectedQ > 0) && process.env.OPENCODE_ACP_DEBUG) {
+        console.log(
+          `[OpencodeAcpRuntime] rejected ${rejectedCount} pending permissions + ${rejectedQ} pending questions due to error`,
+        )
       }
       try {
         await emit({
@@ -408,8 +483,9 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
           /* noop */
         }
       }
-      // 清掉 liveCallback 注册，避免 map 泄漏
+      // 清掉 liveCallback + emitter 注册，避免 map 泄漏
       clearLiveCallback(conversationId)
+      clearEmitter(conversationId)
       setTimeout(() => removeAgent(conversationId, turnId), 5000)
     }
   }
diff --git a/packages/server/src/agent/runtime/opencode-installer.ts b/packages/server/src/agent/runtime/opencode-installer.ts
index 69a5cf4..06f18fc 100644
--- a/packages/server/src/agent/runtime/opencode-installer.ts
+++ b/packages/server/src/agent/runtime/opencode-installer.ts
@@ -22,7 +22,7 @@ import { fileURLToPath } from 'node:url'
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 
-const TOOL_NAMES = ['read', 'write', 'edit', 'bash', 'grep', 'glob'] as const
+const TOOL_NAMES = ['read', 'write', 'edit', 'bash', 'grep', 'glob', 'question'] as const
 export type ToolName = (typeof TOOL_NAMES)[number]
 
 /**
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/question.ts b/packages/server/src/agent/runtime/opencode-tool-templates/question.ts
new file mode 100644
index 0000000..9505907
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/question.ts
@@ -0,0 +1,112 @@
+/**
+ * 全局 opencode tool override / 新增工具：question
+ *
+ * 作用：让 LLM 在执行中向用户提问（类似 Tencent SDK 的 AskUserQuestion）。
+ *
+ * OpenCode 原生有 question 工具但 ACP 模式默认禁用（`OPENCODE_CLIENT=acp`），
+ * 且即便开启也没通过 ACP 协议路由（bus 事件没 subscriber）。我们自己实现一个同名
+ * custom tool 覆盖它（同名 custom > builtin）。
+ *
+ * 运行时行为：
+ *   execute 调用 server 的 /api/agent/internal/ask-user HTTP endpoint
+ *   server 挂起响应，直到下一轮 prompt 的 askAnswers 到达 → res.json(answers)
+ *   execute 拿到答案 → 格式化成文本返回给 LLM
+ *
+ * env 契约（由 server spawn opencode 时注入）：
+ *   ASK_USER_URL            — 完整 URL，如 http://127.0.0.1:3001/api/agent/internal/ask-user
+ *   ASK_USER_TOKEN          — 共享认证 token（X-Internal-Token header）
+ *   ASK_USER_CONVERSATION_ID — 当前会话 id
+ *
+ * 如果 env 未配置（例如老版 runtime 或手动调 opencode）：
+ *   → 返回一个提示文本告诉 LLM"无法向用户提问"，LLM 可改用文本方式沟通
+ */
+import { z } from 'zod'
+
+const OptionSchema = z.object({
+  label: z.string().describe('Short display text (1-5 words)'),
+  description: z.string().optional().describe('Explanation of this choice'),
+})
+
+const QuestionSchema = z.object({
+  header: z.string().describe('Short label for this question (max 30 chars)'),
+  question: z.string().describe('The full question text'),
+  options: z.array(OptionSchema).describe('Predefined choices; user can also type custom answer'),
+  multiple: z.boolean().optional().describe('Allow multiple selection'),
+})
+
+export default {
+  description:
+    'Ask the user one or more multiple-choice questions during execution. Use this when you need a decision or clarification that can be expressed as a choice. Each question has a `header` (short label), `question` (full text), and `options` (list of {label, description}). Users may also type custom answers.',
+  args: {
+    questions: z.array(QuestionSchema).describe('Questions to ask'),
+  },
+  async execute(
+    args: { questions: Array<z.infer<typeof QuestionSchema>> },
+    context: { sessionID?: string; callID?: string },
+  ) {
+    const url = process.env.ASK_USER_URL
+    const token = process.env.ASK_USER_TOKEN
+    const conversationId = process.env.ASK_USER_CONVERSATION_ID
+
+    if (!url || !token || !conversationId) {
+      return {
+        output:
+          'Cannot ask questions: AskUser HTTP endpoint is not configured in this environment (ASK_USER_URL missing). Please ask the user directly in your next text response instead.',
+      }
+    }
+
+    // 用 opencode 给的 callID 作为 toolCallId（与 tool_call 事件的 id 保持一致，
+    // 方便前端关联；如 ctx 缺失就用 sessionID + 时间戳退兜）
+    const toolCallId = context.callID || `ask-${context.sessionID ?? 'unknown'}-${Date.now()}`
+
+    const timeoutMs = Number(process.env.ASK_USER_TIMEOUT_MS || 10 * 60 * 1000)
+
+    try {
+      const res = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Internal-Token': token,
+        },
+        body: JSON.stringify({
+          conversationId,
+          toolCallId,
+          questions: args.questions,
+        }),
+        signal: AbortSignal.timeout(timeoutMs + 5_000),
+      })
+
+      const data = (await res.json().catch(() => ({}))) as {
+        ok?: boolean
+        answers?: Record<string, string>
+        error?: string
+      }
+
+      if (!res.ok || !data.ok || !data.answers) {
+        return {
+          output: `Failed to get user answer: ${data.error ?? 'unknown error'} (status=${res.status}). Consider asking via plain text.`,
+        }
+      }
+
+      // 格式化答案成 LLM 友好文本
+      const formatted = args.questions
+        .map((q) => {
+          const a = data.answers![q.header]
+          return `"${q.question}" → ${a || '(unanswered)'}`
+        })
+        .join('; ')
+
+      return {
+        output: `User answered: ${formatted}. You can continue with these answers in mind.`,
+        metadata: {
+          answers: data.answers,
+        },
+      }
+    } catch (e) {
+      const msg = (e as Error).message
+      return {
+        output: `Error asking user (${msg}). You can try asking via plain text in your next response.`,
+      }
+    }
+  },
+}
diff --git a/packages/server/src/agent/runtime/pending-question-registry.ts b/packages/server/src/agent/runtime/pending-question-registry.ts
new file mode 100644
index 0000000..ae0b135
--- /dev/null
+++ b/packages/server/src/agent/runtime/pending-question-registry.ts
@@ -0,0 +1,110 @@
+/**
+ * PendingQuestionRegistry
+ *
+ * 挂起"question tool"的 HTTP 回调，等用户通过下一轮 prompt.askAnswers 回答。
+ *
+ * 对比 PendingPermissionRegistry（用于 ToolConfirm）：
+ * - PermissionRegistry 挂 ACP JSON-RPC Promise（opencode stdio ACP 协议里）
+ * - QuestionRegistry 挂 **HTTP 响应**（opencode 子进程里 custom tool 通过 fetch 调进来）
+ *
+ * 流程：
+ *   1. opencode 子进程的 custom tool `question` execute：
+ *        fetch POST <server>/api/agent/internal/ask-user
+ *              body { conversationId, toolCallId, questions }
+ *   2. server handler：
+ *        registerPendingQuestion(convId, toolCallId, res) → res 挂起直到 resolve
+ *        同时 emit `ask_user` AgentCallbackMessage → 转为 SSE sessionUpdate 给前端
+ *   3. 前端展示 AskUserForm，用户答完 → 下一轮 POST /api/agent/acp
+ *      body.askAnswers = { toolCallId: { answers: {...} } }
+ *   4. routes/acp.ts 把 askAnswers 传给 runtime.chatStream
+ *   5. runtime 判断 isAgentRunning + options.askAnswers 非空：
+ *        对每个 toolCallId 调 resolvePendingQuestion → res.json({ answers }) → tool execute 返回
+ *   6. opencode 收到 tool_result，LLM 继续推理
+ */
+
+import type { ServerResponse } from 'node:http'
+
+/**
+ * 存放的上下文。
+ *
+ * - `response`: Hono/Node 返回的 HTTP response 对象的写入句柄。
+ *   为什么不直接存 Hono Context？—— context 生命周期短，req 结束会销毁。
+ *   用底层 ServerResponse（Node 原生）更可靠，或者 Hono 的 streaming primitive。
+ *   这里存一个简单的 resolve 函数，由 route handler 关联到自身的 response。
+ */
+export interface PendingQuestion {
+  conversationId: string
+  toolCallId: string
+  questions: unknown[]
+  createdAt: number
+  /** 由 route handler 提供：接收最终答案后写回 HTTP 响应 */
+  resolve: (answers: Record<string, string>) => void
+  reject: (reason: string) => void
+}
+
+const pending = new Map<string, PendingQuestion>()
+
+function key(conversationId: string, toolCallId: string): string {
+  return `${conversationId}::${toolCallId}`
+}
+
+/**
+ * 由 HTTP handler 调用，记录一个挂起的 question 请求。
+ */
+export function registerPendingQuestion(entry: PendingQuestion): void {
+  const k = key(entry.conversationId, entry.toolCallId)
+  const existing = pending.get(k)
+  if (existing) {
+    existing.reject('Replaced by new question request')
+  }
+  pending.set(k, entry)
+}
+
+/**
+ * 由 runtime.chatStream 的 resume 分支调用：找到挂起的 question，写回答案。
+ *
+ * @returns true 表示成功；false 表示没找到（可能已超时）
+ */
+export function resolvePendingQuestion(
+  conversationId: string,
+  toolCallId: string,
+  answers: Record<string, string>,
+): boolean {
+  const k = key(conversationId, toolCallId)
+  const entry = pending.get(k)
+  if (!entry) return false
+  pending.delete(k)
+  entry.resolve(answers)
+  return true
+}
+
+/**
+ * 错误/abort 时清理该 conversation 下所有挂起 question，让 HTTP 调用方拿到失败。
+ */
+export function rejectPendingQuestionsForConversation(conversationId: string, reason = 'Aborted'): number {
+  let count = 0
+  for (const [k, entry] of pending) {
+    if (entry.conversationId === conversationId) {
+      entry.reject(reason)
+      pending.delete(k)
+      count++
+    }
+  }
+  return count
+}
+
+export function hasPendingQuestion(conversationId: string): boolean {
+  for (const entry of pending.values()) {
+    if (entry.conversationId === conversationId) return true
+  }
+  return false
+}
+
+/** Debug only */
+export function listPendingQuestions(): ReadonlyArray<PendingQuestion> {
+  return Array.from(pending.values())
+}
+
+// Explicit no-op import to keep ServerResponse referenced (avoids unused-type lint)
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+type _KeepServerResponseImportForDocs = ServerResponse
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index 181cfa6..8de286e 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -146,6 +146,12 @@ async function backfillApiKeys() {
 
 const PORT = Number(process.env.PORT) || 3001
 
+// 让 OpencodeAcpRuntime 知道自己的 base URL（用于 spawn opencode 时注入 ASK_USER_URL）。
+// 仅 127.0.0.1 回环，opencode 子进程同机运行。
+if (!process.env.ASK_USER_BASE_URL) {
+  process.env.ASK_USER_BASE_URL = `http://127.0.0.1:${PORT}`
+}
+
 serve({ fetch: app.fetch, port: PORT }, () => {
   console.log(`Server running on http://localhost:${PORT}`)
   if (serveStaticFiles) {
diff --git a/packages/server/src/routes/acp.ts b/packages/server/src/routes/acp.ts
index 3e50518..bb3d084 100644
--- a/packages/server/src/routes/acp.ts
+++ b/packages/server/src/routes/acp.ts
@@ -17,6 +17,8 @@ import { CloudbaseAgentService, getSupportedModels } from '../agent/cloudbase-ag
 import { persistenceService } from '../agent/persistence.service.js'
 import { getAgentRun } from '../agent/agent-registry.js'
 import { agentRuntimeRegistry } from '../agent/runtime/index.js'
+import { emitForConversation, getAskUserToken } from '../agent/runtime/opencode-acp-runtime.js'
+import { registerPendingQuestion } from '../agent/runtime/pending-question-registry.js'
 import { loadConfig } from '../config/store.js'
 import { getDb } from '../db/index.js'
 import { nanoid } from 'nanoid'
@@ -25,8 +27,21 @@ import { requireUserEnv, type AppEnv } from '../middleware/auth.js'
 const acp = new Hono<AppEnv>()
 
 // 除 /health 与 /runtimes 外，所有 ACP 路由都需要登录 + 用户环境校验
+// /internal/* 走独立 127.0.0.1 + shared token 认证（绕过用户会话）
 acp.use('/*', async (c, next) => {
-  if (c.req.path.endsWith('/health') || c.req.path.endsWith('/config') || c.req.path.endsWith('/runtimes')) {
+  const p = c.req.path
+  if (p.endsWith('/health') || p.endsWith('/config') || p.endsWith('/runtimes')) {
+    return next()
+  }
+  if (p.includes('/internal/')) {
+    // 仅接受 127.0.0.1 + 正确 token 的请求
+    // 注意：Hono 不直接提供 remote addr 但可从 header X-Forwarded-For 判断；
+    // 这里更务实 — 用 token 作为主要防线（opencode 子进程是我们自己 spawn 的）
+    const expected = getAskUserToken()
+    const got = c.req.header('X-Internal-Token')
+    if (!expected || got !== expected) {
+      return c.json({ error: 'Unauthorized internal call' }, 401)
+    }
     return next()
   }
   // If using API key auth, verify it has 'acp' scope
@@ -797,4 +812,72 @@ acp.get('/runtimes', async (c) => {
   })
 })
 
+/**
+ * POST /api/agent/internal/ask-user
+ *
+ * **只给 opencode 子进程的 question custom tool 调**。server 本地回环。
+ * 认证：X-Internal-Token header（ASK_USER_TOKEN env，runtime 启动时生成，同 env 注入子进程）
+ *
+ * 行为：
+ *   1. 验证 conversationId 对应的 agent 还活着
+ *   2. 通过 runtime.emit 发 ask_user AgentCallbackMessage → SSE 推给前端
+ *   3. 注册 PendingQuestion，挂起当前 HTTP response 不返回
+ *   4. 当用户答复（下一轮 prompt.askAnswers 到达）触发 resolvePendingQuestion
+ *      → 本 handler 的 res.json(answers) 返回给 opencode 子进程
+ *
+ * Timeout：默认 10 分钟（可由 ASK_USER_TIMEOUT_MS env 覆盖）
+ */
+acp.post('/internal/ask-user', async (c) => {
+  const body = await c.req.json<{
+    conversationId: string
+    toolCallId: string
+    questions: unknown[]
+  }>()
+  const { conversationId, toolCallId, questions } = body
+
+  if (!conversationId || !toolCallId || !Array.isArray(questions)) {
+    return c.json({ error: 'conversationId, toolCallId, questions required' }, 400)
+  }
+
+  const run = getAgentRun(conversationId)
+  if (!run || run.status !== 'running') {
+    return c.json({ error: 'no active agent for conversation' }, 409)
+  }
+
+  // emit ask_user 事件 → SSE 推给前端
+  try {
+    await emitForConversation(conversationId, {
+      type: 'ask_user',
+      id: toolCallId,
+      input: { questions },
+    })
+  } catch (e) {
+    console.error('[internal/ask-user] emit failed:', e)
+    return c.json({ error: 'emit failed' }, 500)
+  }
+
+  // 挂起：注册一个 pending question，等 runtime.chatStream(askAnswers) 来 resolve
+  const timeoutMs = Number(process.env.ASK_USER_TIMEOUT_MS || 10 * 60 * 1000)
+  return await new Promise<Response>((resolve) => {
+    const timer = setTimeout(() => {
+      resolve(c.json({ error: 'timeout waiting for user answer' }, 408))
+    }, timeoutMs)
+
+    registerPendingQuestion({
+      conversationId,
+      toolCallId,
+      questions,
+      createdAt: Date.now(),
+      resolve: (answers) => {
+        clearTimeout(timer)
+        resolve(c.json({ ok: true, answers }))
+      },
+      reject: (reason) => {
+        clearTimeout(timer)
+        resolve(c.json({ error: reason }, 500))
+      },
+    })
+  })
+})
+
 export default acp

From 1a7681ae8ea74b517450c5ec802a60552279cd85 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 17:43:40 +0800
Subject: [PATCH 06/33] =?UTF-8?q?refactor(agent):=20=E5=AF=B9=E9=BD=90=20A?=
 =?UTF-8?q?skUserQuestion=20=E5=B7=A5=E5=85=B7=E5=90=8D=E4=B8=8E=E5=8F=82?=
 =?UTF-8?q?=E6=95=B0=20schema=20=E5=88=B0=20Tencent=20=E5=A5=91=E7=BA=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

前端 task-chat.tsx 按 part.toolName === 'AskUserQuestion' 匹配渲染 AskUserForm，
schema 字段（multiSelect / option.description 必填）也与 Tencent 生态锁死。
原实现用 'question' / 'multiple'，前端看不到——特殊 UI 分叉。本次全面对齐。

## 改动

- 重命名 question.ts → AskUserQuestion.ts
  （OpenCode 约定：文件名=工具名，PascalCase 实测支持；tool_call.title 直接是文件名）

- schema 对齐 packages/web/src/types/task-chat.ts:AskUserQuestionData:
  - `multiple: boolean` → `multiSelect: boolean`（camelCase）
  - `option.description` 从 optional 改为必填（前端渲染需要）
  - 加 min(2).max(4) 约束 options 数量（对齐 Tencent 习惯）
  - question header 限 max(30)（对齐前端 Badge 显示宽度）

- installer TOOL_NAMES 'question' → 'AskUserQuestion'

- e2e 新增 4 条断言：
  tool_use name='AskUserQuestion' + questions[0].header/question +
  options[].label/description + options length >= 2

## 实测证明

PoC test-uppercase-tool.mjs 确认：
- 文件名 `AskUserQuestion.ts` → opencode 注册 tool id `AskUserQuestion`
- tool_call 事件 title: 'AskUserQuestion'（直接进 SessionUpdate.title → 前端 part.toolName）

e2e OVERALL: PASS (11/11 断言)
  tool_use name='AskUserQuestion': PASS
  questions[0].header/question:    PASS
  options[].label+description:     PASS
  options length >= 2:             PASS
  ask_user received:               PASS
  agent suspended after:           PASS
  round2 resume path:              PASS
  tool_result with user answer:    PASS
  final result event:              PASS
  no error event:                  PASS
  text mentions answer:            PASS (bonus)

回归：type-check/lint/build/format 全通过。本地 e2e 重试 PASS（首次 LLM 非
确定性 text=0 与本次改动无关）。
---
 docs/acp-runtime-abstraction.md               | 14 +++--
 packages/server/scripts/test-ask-user-e2e.mts | 54 ++++++++++++++-----
 .../src/agent/runtime/opencode-installer.ts   |  2 +-
 .../{question.ts => AskUserQuestion.ts}       | 53 ++++++++++--------
 4 files changed, 82 insertions(+), 41 deletions(-)
 rename packages/server/src/agent/runtime/opencode-tool-templates/{question.ts => AskUserQuestion.ts} (53%)

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index 1e376f0..a59f22a 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -380,9 +380,9 @@ OpenCode 内置 `question` tool（`packages/opencode/src/tool/question.ts`），
 ```
 ┌─ Round 1 ─────────────────────────────────────────────────────────────┐
 │                                                                        │
-│  opencode 子进程 LLM 调 question 工具                                   │
+│  opencode 子进程 LLM 调 AskUserQuestion 工具                            │
 │   ↓                                                                    │
-│  ~/.config/opencode/tools/question.ts (custom override)                │
+│  ~/.config/opencode/tools/AskUserQuestion.ts (custom)                  │
 │   ↓ execute 里 fetch                                                   │
 │  POST http://127.0.0.1:<port>/api/agent/internal/ask-user              │
 │        headers: X-Internal-Token: <shared token>                       │
@@ -409,7 +409,7 @@ OpenCode 内置 `question` tool（`packages/opencode/src/tool/question.ts`），
 │     → resolvePendingQuestion(convId, toolCallId, answers)             │
 │     → HTTP res.json({ ok: true, answers })                           │
 │                                                                        │
-│  [opencode 子进程 question.ts execute 的 fetch 收到响应]                │
+│  [opencode 子进程 AskUserQuestion.ts execute 的 fetch 收到响应]        │
 │   ↓                                                                    │
 │  tool output: "User answered: \"Which DB?\" → PostgreSQL. You can..." │
 │   ↓                                                                    │
@@ -425,8 +425,12 @@ OpenCode 内置 `question` tool（`packages/opencode/src/tool/question.ts`），
 - Permission 存 ACP JSON-RPC Promise resolver
 - Question 存 HTTP response resolver（用户填答案后 res.json 返回 opencode 子进程）
 
-**`opencode-tool-templates/question.ts`**：新增 custom tool
-- 参数 schema 与 opencode 原生 question tool 一致（`header`/`question`/`options`/`multiple`）
+**`opencode-tool-templates/AskUserQuestion.ts`**：新增 custom tool（**文件名=工具名**）
+- 工具名 `AskUserQuestion` 严格对齐 Tencent SDK 契约（前端 `task-chat.tsx` 按这个名字匹配渲染 AskUserForm）
+- 参数 schema：`questions[{ question, header, options:[{label, description}], multiSelect? }]`
+  - 对齐 `packages/web/src/types/task-chat.ts:AskUserQuestionData`
+  - `multiSelect` 是 camelCase（不是 `multiple`）
+  - `option.description` **必填**（前端渲染需要）
 - execute 内 fetch 内部 endpoint，阻塞等答案
 - 返回格式化文本 + metadata.answers
 
diff --git a/packages/server/scripts/test-ask-user-e2e.mts b/packages/server/scripts/test-ask-user-e2e.mts
index d10ef0d..7f3b85b 100644
--- a/packages/server/scripts/test-ask-user-e2e.mts
+++ b/packages/server/scripts/test-ask-user-e2e.mts
@@ -96,9 +96,12 @@ const conversationId = 'askuser-e2e-' + Date.now()
 console.log(`\n[askuser-e2e] === Round 1 ===`)
 
 const r1 = await opencodeAcpRuntime.chatStream(
-  `我想搭建一个 web 应用后端。请使用 question 工具问我以下问题：\n` +
-    `header="Database"，question="Which database to use?"，options 包含 PostgreSQL 和 MySQL 两个选项。\n` +
-    `等我回答后再给建议。不要自己下决定，必须用 question 工具征询。`,
+  `我想搭建一个 web 应用后端。请使用 AskUserQuestion 工具问我以下问题（严格按 schema）：\n` +
+    `  question="Which database to use?"\n` +
+    `  header="Database"\n` +
+    `  options=[{label:"PostgreSQL", description:"powerful open-source"}, {label:"MySQL", description:"popular fast"}]\n` +
+    `  multiSelect=false\n` +
+    `等我回答后再给建议。不要自己下决定，必须用 AskUserQuestion 工具征询。`,
   makeCb('r1'),
   {
     conversationId,
@@ -201,15 +204,42 @@ const allText = events
 const textMentionsAnswer = allText.includes(chosenLabel) || allText.toLowerCase().includes(chosenLabel.toLowerCase())
 
 console.log('\n[askuser-e2e] assertions:')
-console.log(`  ask_user received:             PASS`)
-console.log(`  agent suspended after:         PASS (no result 3s)`)
-console.log(`  round2 resume path:            PASS (alreadyRunning=true)`)
-console.log(`  tool_result with user answer:  ${questionResult ? 'PASS' : 'FAIL'}`)
-console.log(`  final result event:            ${finalResult ? 'PASS' : 'FAIL'}`)
-console.log(`  no error event:                ${errorEv ? 'FAIL (' + errorEv.content + ')' : 'PASS'}`)
-console.log(`  text mentions answer:          ${textMentionsAnswer ? 'PASS (bonus)' : 'WARN (not required)'}`)
-
-const overall = !!questionResult && !!finalResult && !errorEv
+
+// ★ Tencent 契约对齐断言
+const askUserToolUse = events.find((e) => e.type === 'tool_use' && e.name === 'AskUserQuestion')
+const toolUseOk = !!askUserToolUse
+console.log(`  tool_use name='AskUserQuestion': ${toolUseOk ? 'PASS' : 'FAIL'}`)
+
+// ★ questions 字段 schema 对齐：multiSelect（不是 multiple），options[].description 必填
+const askQuestions = (askEvent.input as { questions?: Array<Record<string, unknown>> }).questions || []
+const schemaQ = askQuestions[0]
+const hasHeader = typeof schemaQ?.header === 'string'
+const hasQuestion = typeof schemaQ?.question === 'string'
+const hasOptions = Array.isArray(schemaQ?.options) && (schemaQ.options as unknown[]).length >= 2
+// multiSelect 是可选（默认 false）
+const optArr = (schemaQ?.options as Array<Record<string, unknown>>) || []
+const allOptsHaveDescription = optArr.every((o) => typeof o.label === 'string' && typeof o.description === 'string')
+console.log(`  questions[0].header/question:    ${hasHeader && hasQuestion ? 'PASS' : 'FAIL'}`)
+console.log(`  options[].label+description:     ${allOptsHaveDescription ? 'PASS' : 'FAIL'}`)
+console.log(`  options length >= 2:             ${hasOptions ? 'PASS' : 'FAIL'}`)
+
+console.log(`  ask_user received:               PASS`)
+console.log(`  agent suspended after:           PASS (no result 3s)`)
+console.log(`  round2 resume path:              PASS (alreadyRunning=true)`)
+console.log(`  tool_result with user answer:    ${questionResult ? 'PASS' : 'FAIL'}`)
+console.log(`  final result event:              ${finalResult ? 'PASS' : 'FAIL'}`)
+console.log(`  no error event:                  ${errorEv ? 'FAIL (' + errorEv.content + ')' : 'PASS'}`)
+console.log(`  text mentions answer:            ${textMentionsAnswer ? 'PASS (bonus)' : 'WARN (not required)'}`)
+
+const overall =
+  toolUseOk &&
+  hasHeader &&
+  hasQuestion &&
+  hasOptions &&
+  allOptsHaveDescription &&
+  !!questionResult &&
+  !!finalResult &&
+  !errorEv
 console.log(`\n[askuser-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
 
 server.close()
diff --git a/packages/server/src/agent/runtime/opencode-installer.ts b/packages/server/src/agent/runtime/opencode-installer.ts
index 06f18fc..4dd9bb8 100644
--- a/packages/server/src/agent/runtime/opencode-installer.ts
+++ b/packages/server/src/agent/runtime/opencode-installer.ts
@@ -22,7 +22,7 @@ import { fileURLToPath } from 'node:url'
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 
-const TOOL_NAMES = ['read', 'write', 'edit', 'bash', 'grep', 'glob', 'question'] as const
+const TOOL_NAMES = ['read', 'write', 'edit', 'bash', 'grep', 'glob', 'AskUserQuestion'] as const
 export type ToolName = (typeof TOOL_NAMES)[number]
 
 /**
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/question.ts b/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
similarity index 53%
rename from packages/server/src/agent/runtime/opencode-tool-templates/question.ts
rename to packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
index 9505907..361e3b5 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/question.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
@@ -1,44 +1,52 @@
 /**
- * 全局 opencode tool override / 新增工具：question
+ * AskUserQuestion custom tool — 对齐 Tencent AskUserQuestion 契约
  *
- * 作用：让 LLM 在执行中向用户提问（类似 Tencent SDK 的 AskUserQuestion）。
+ * 为什么名字/schema 要严格对齐 Tencent：
+ *   - 前端 `task-chat.tsx` 按 `part.toolName === 'AskUserQuestion'` 匹配渲染
+ *     AskUserForm；用其他名字前端识别不到
+ *   - 前端从 `part.input.questions` 取字段，结构必须是
+ *     `{ question, header, options:[{label, description}], multiSelect }`
+ *   - askAnswers resume 契约也已存在：
+ *     `{ [assistantMessageId]: { toolCallId, answers: { [header]: value } } }`
  *
- * OpenCode 原生有 question 工具但 ACP 模式默认禁用（`OPENCODE_CLIENT=acp`），
- * 且即便开启也没通过 ACP 协议路由（bus 事件没 subscriber）。我们自己实现一个同名
- * custom tool 覆盖它（同名 custom > builtin）。
+ * OpenCode 文件名约定：文件名 = tool id（ACP tool_call.title）
+ * 所以文件名 `AskUserQuestion.ts` → opencode 注册的 tool id `AskUserQuestion`
+ * → 我们 runtime 把 ACP tool_call.title 透传为 AgentCallbackMessage.name
+ * → convertToSessionUpdate 把 name 放到 sessionUpdate.title
+ * → 前端 part.toolName = 'AskUserQuestion' ✓
  *
  * 运行时行为：
- *   execute 调用 server 的 /api/agent/internal/ask-user HTTP endpoint
- *   server 挂起响应，直到下一轮 prompt 的 askAnswers 到达 → res.json(answers)
- *   execute 拿到答案 → 格式化成文本返回给 LLM
+ *   - execute 发 fetch 到 ASK_USER_URL 阻塞等答案
+ *   - 收到答案格式：{ ok: true, answers: { [header]: value } }
+ *   - 格式化文本返回给 LLM
  *
  * env 契约（由 server spawn opencode 时注入）：
- *   ASK_USER_URL            — 完整 URL，如 http://127.0.0.1:3001/api/agent/internal/ask-user
- *   ASK_USER_TOKEN          — 共享认证 token（X-Internal-Token header）
+ *   ASK_USER_URL            — server 本地回环 endpoint
+ *   ASK_USER_TOKEN          — shared secret，X-Internal-Token header
  *   ASK_USER_CONVERSATION_ID — 当前会话 id
- *
- * 如果 env 未配置（例如老版 runtime 或手动调 opencode）：
- *   → 返回一个提示文本告诉 LLM"无法向用户提问"，LLM 可改用文本方式沟通
  */
 import { z } from 'zod'
 
 const OptionSchema = z.object({
   label: z.string().describe('Short display text (1-5 words)'),
-  description: z.string().optional().describe('Explanation of this choice'),
+  description: z.string().describe('Explanation of what this option means or its implications'),
 })
 
 const QuestionSchema = z.object({
-  header: z.string().describe('Short label for this question (max 30 chars)'),
-  question: z.string().describe('The full question text'),
-  options: z.array(OptionSchema).describe('Predefined choices; user can also type custom answer'),
-  multiple: z.boolean().optional().describe('Allow multiple selection'),
+  question: z.string().describe('The complete question text (ends with ?)'),
+  header: z
+    .string()
+    .max(30)
+    .describe('Very short label for this question (max 30 chars, e.g. "Database", "Framework")'),
+  options: z.array(OptionSchema).min(2).max(4).describe('2-4 available choices'),
+  multiSelect: z.boolean().optional().describe('true = user may select multiple; false (default) = single selection'),
 })
 
 export default {
   description:
-    'Ask the user one or more multiple-choice questions during execution. Use this when you need a decision or clarification that can be expressed as a choice. Each question has a `header` (short label), `question` (full text), and `options` (list of {label, description}). Users may also type custom answers.',
+    'Ask the user one or more multiple-choice questions during execution. Use this when you need a decision or clarification that can be expressed as choices. Each question has a `question` (full text), `header` (short label), `options` (2-4 choices, each with `label` and `description`), and `multiSelect` (default false). The user may also type a custom answer.',
   args: {
-    questions: z.array(QuestionSchema).describe('Questions to ask'),
+    questions: z.array(QuestionSchema).min(1).describe('Questions to ask'),
   },
   async execute(
     args: { questions: Array<z.infer<typeof QuestionSchema>> },
@@ -55,8 +63,7 @@ export default {
       }
     }
 
-    // 用 opencode 给的 callID 作为 toolCallId（与 tool_call 事件的 id 保持一致，
-    // 方便前端关联；如 ctx 缺失就用 sessionID + 时间戳退兜）
+    // 用 opencode 的 callID 作为 toolCallId，与 tool_call 事件的 toolCallId 对齐
     const toolCallId = context.callID || `ask-${context.sessionID ?? 'unknown'}-${Date.now()}`
 
     const timeoutMs = Number(process.env.ASK_USER_TIMEOUT_MS || 10 * 60 * 1000)
@@ -88,7 +95,7 @@ export default {
         }
       }
 
-      // 格式化答案成 LLM 友好文本
+      // 格式化答案给 LLM（answer key 是 question.header）
       const formatted = args.questions
         .map((q) => {
           const a = data.answers![q.header]

From 721a9fe13b93a703b60bac2a14f6579a9d39799c Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 18:42:10 +0800
Subject: [PATCH 07/33] =?UTF-8?q?feat(agent):=20OpenCode=20runtime=20?=
 =?UTF-8?q?=E6=B6=88=E6=81=AF=E6=8C=81=E4=B9=85=E5=8C=96=E5=AF=B9=E9=BD=90?=
 =?UTF-8?q?=20Tencent=20SDK=20=E5=A5=91=E7=BA=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

投产硬门槛：让 OpenCode 会话历史与 Tencent 一致地落 vibe_agent_messages 集合，
前端 /api/tasks/:id/messages 读回后能正常渲染完整对话（下次打开仍可见）。

## 架构（三时间点对齐 Tencent）

    chatStream(prompt)
        ├─ findLastRecordIds → 建 replyTo 链
        ├─ preSavePendingRecords → user(done) + assistant(pending)
        ├─ turnId = assistantRecordId  （与 Tencent 一致）
        ├─ launchAgent:
        │    ├─ new OpencodeMessageBuilder({assistantRecordId})
        │    ├─ 每个事件: pushEvent + SSE + stream_events 三路分发
        │    └─ tool_result 触发 flushToDb (里程碑)
        └─ finally:
             builder.finalize(status)
               ├─ setRecordParts(turnId, finalParts)
               └─ finalizePendingRecords(turnId, 'done'|'error'|'cancel')

## 新增

- src/agent/runtime/opencode-message-builder.ts
  class OpencodeMessageBuilder 累积事件 → UnifiedMessagePart[] → 落库
    pushEvent(msg) 按 contentType 分支：
      text chunks 合并到 currentTextBuffer
      tool_use/thinking 前 flush buffer 成 part
      tool_input_update 就地更新原 tool_call part
      tool_result 同步 tool_call 的 status='completed'/'error'
      顺序保持 [text, tool_call, tool_result, text]
    flushToDb() tool_result 里程碑触发
    finalize(status) setRecordParts + finalizePendingRecords
  findLastRecordIds() 找上轮 records 维护 replyTo/parentId 链

- scripts/test-persistence-e2e.mts
  真实 TCB 环境 e2e：prompt → 跑完 → loadDBMessages 读回验证
  + 模拟前端 tasks.ts 转换逻辑不报错
  10/10 断言全 PASS

## 改动

- persistence.service.ts
  新增 public setRecordParts(recordId, parts) — 给非 Claude SDK runtime
  用（它们不写 JSONL，直接一次性替换 parts）

- opencode-acp-runtime.ts
  chatStream 非 resume 分支:
    preSavePendingRecords → turnId = assistantRecordId（替代之前的随机 uuid）
  launchAgent:
    new OpencodeMessageBuilder(envId ? opts : null)
    makeEmitter 接受 messageBuilder 参数
    事件循环：builder.pushEvent + tool_result 触发 flushToDb
    finally：builder.finalize(status 按 completed/abort/error 映射)

## AgentCallbackMessage → UnifiedMessagePart 映射

| 事件         | contentType   | metadata                             |
|--------------|---------------|--------------------------------------|
| text chunks  | text (合并)   | {id, type:'message', role}           |
| thinking     | reasoning     | -                                    |
| tool_use     | tool_call     | {toolCallName, toolName, input, status} + toolCallId |
| tool_result  | tool_result   | {status, isError} + toolCallId       |

## 测试结果

### e2e #42 持久化
```
records count: 2
  - user      status=done  parts=1  [text]
  - assistant status=done  parts=3  [tool_call, tool_result, text]

frontend convert result: 2 TaskMessage
  user parts:  text
  agent parts: tool_call,tool_result,text  ← 前端原样消化

10/10 assertions PASS
```

### 回归
- e2e #1 local: PASS
- e2e ToolConfirm: PASS
- type-check / lint / build / format 全通过

## 与 stream_events 的分工

两条数据通道独立：
- vibe_agent_messages = 永久会话历史（前端 /messages 读）
- vibe_agent_stream_events = 实时 SSE（observe 重连 replay，turn 完成后清理）

## 已知边界

- text-only + server 崩溃 → 丢失尾部 text（stream_events 保底，可重启 replay 补偿）
- 无定时 flush（仅 tool_result + finalize 时写），长 text 可加 5s 定时
---
 docs/acp-runtime-abstraction.md               | 134 +++++++-
 .../server/scripts/test-persistence-e2e.mts   | 186 ++++++++++++
 .../server/src/agent/persistence.service.ts   |   8 +
 .../src/agent/runtime/opencode-acp-runtime.ts |  75 ++++-
 .../agent/runtime/opencode-message-builder.ts | 287 ++++++++++++++++++
 5 files changed, 684 insertions(+), 6 deletions(-)
 create mode 100644 packages/server/scripts/test-persistence-e2e.mts
 create mode 100644 packages/server/src/agent/runtime/opencode-message-builder.ts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index a59f22a..3444c2d 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -242,8 +242,8 @@ npx tsx scripts/test-tool-confirm-e2e.mts
 | ToolConfirmation resume 流程 | ✅ **已接入** — 见 §12 |
 | AskUserQuestion（询问用户） | ✅ **已接入** — 见 §13 |
 | askAnswers resume | ✅ **已接入** — 见 §13 |
+| 消息持久化 / 前端会话历史 | ✅ **已接入** — 见 §14 |
 | coding-mode 模板初始化 | ❌ 未集成 |
-| 消息持久化到 tasks | ⚠️ 只 stream events 落库 |
 | tool override 的版本升级 hash 匹配 | ✅ 已实现（hashFile 比较） |
 | 首次安装报告日志 | ✅ 已输出 |
 
@@ -251,7 +251,7 @@ npx tsx scripts/test-tool-confirm-e2e.mts
 
 1. ~~接 ToolConfirm UI~~ ✅ 完成
 2. ~~AskUserQuestion resume 流程~~ ✅ 完成
-3. **消息持久化对齐 Tencent 路线**（2-3 天）
+3. ~~消息持久化对齐 Tencent 路线~~ ✅ 完成
 4. **更多 ACP agent**（Claude Code / Gemini / Qwen Code；每个 1-2 天，runtime 骨架复用）
 5. **前端 Runtime 选择器**（0.5 天）
 
@@ -479,3 +479,133 @@ OVERALL: PASS
 - **超时 10 分钟**：可通过 `ASK_USER_TIMEOUT_MS` env 覆盖。超时后 opencode tool 拿到 `408` 响应，会把 "timeout" 告知 LLM，由 LLM 决定是否重试。
 - **token 静态**：runtime 首次 `getAskUserToken()` 调用时生成，此后不变。服务进程重启会重新生成。生产部署下应通过 env 显式注入稳定 token。
 - **多路 SSE 重连**：Round 1 SSE 断了后，用户重连 GET /observe/:sessionId 能继续收事件，但已经 emit 过的 ask_user 不会重放（它已落 stream events DB，由 observe 的 replay 逻辑带出）。
+
+---
+
+## 14. 消息持久化（已实现）
+
+### 14.1 目标
+
+让 OpenCode runtime 的会话历史与 Tencent SDK runtime **完全对齐**：
+- 同一个 `vibe_agent_messages` 集合
+- 同一个 `UnifiedMessageRecord` 结构
+- 前端 `GET /api/tasks/:taskId/messages` 零改动读取
+
+### 14.2 架构（对齐 Tencent 的三个时间点）
+
+```
+chatStream(prompt, options)
+    │
+    ├─ findLastRecordIds(convId, envId, userId)    ← 找上轮 record 做 replyTo 链
+    │
+    ├─ preSavePendingRecords({ prompt, prevRecordId, lastAssistantRecordId })
+    │       └─ DB: user(done) + assistant(pending, parts=[])
+    │       └─ 返回 { userRecordId, assistantRecordId }
+    │
+    ├─ turnId = assistantRecordId                  ← 与 Tencent 一致
+    │
+    ├─ launchAgent 后台执行:
+    │      ├─ new OpencodeMessageBuilder({ assistantRecordId })
+    │      ├─ 每个事件:
+    │      │    ├─ SSE 推送（前端实时）
+    │      │    ├─ stream_events 落库（observe 重连用）
+    │      │    └─ builder.pushEvent(msg)         ← 累积 parts
+    │      └─ tool_result 触发 builder.flushToDb() ← 里程碑快照
+    │
+    └─ finally:
+           └─ builder.finalize('done' | 'error' | 'cancel')
+                  ├─ setRecordParts(turnId, finalParts)
+                  └─ finalizePendingRecords(turnId, status)
+```
+
+### 14.3 AgentCallbackMessage → UnifiedMessagePart 映射
+
+| 事件 | contentType | content | metadata |
+|---|---|---|---|
+| `text` (多次 chunk) | 合并后 `'text'` | 完整文本 | `{id, type:'message', role:'assistant'}` |
+| `thinking` | `'reasoning'` | 思考内容 | - |
+| `tool_use` | `'tool_call'` | `JSON.stringify(input)` | `{toolCallName, toolName, input, status:'in_progress'}` + `toolCallId` |
+| `tool_input_update` | 原 tool_call 就地更新 | 更新 content 和 metadata.input | - |
+| `tool_result` | `'tool_result'` | 输出文本 | `{status, isError}` + `toolCallId` |
+| 其他 | 不进 parts | - | stream_events 已处理实时展示 |
+
+**顺序保持**：text chunks 累积到 `currentTextBuffer`，遇到 tool_use 时 flush 成一个 part，保持 `[text(P1), tool_call, tool_result, text(P2)]` 这种真实对话结构。
+
+### 14.4 Resume 场景
+
+第二轮 chatStream（带 toolConfirmation / askAnswers）**不重新 preSave**：
+
+```ts
+if (isAgentRunning(conversationId)) {
+  // 同一个 agent 还活着：resolve pending promise
+  // builder 还在上一轮的闭包里，继续累积事件
+  // turnId 沿用 run.turnId (即首轮的 assistantRecordId)
+  return { turnId: run.turnId, alreadyRunning: true }
+}
+// 非 resume 才 preSave
+```
+
+从同一个 assistantRecordId 继续写 parts，所有后续事件（tool_call/result/text）都追加在同一条 assistant record 上。
+
+### 14.5 核心代码
+
+**`opencode-message-builder.ts`**（新增）
+- class `OpencodeMessageBuilder` — 累积 parts + 落库
+- `pushEvent(msg)` — 把 AgentCallbackMessage 加入内部状态
+- `flushToDb()` — 写当前快照到 DB（tool_result 后触发）
+- `finalize(status)` — 关闭 builder + 改 record status
+- `findLastRecordIds(convId, envId, userId)` — 找上轮 record 维护 replyTo
+
+**`persistence.service.ts`**（改动）
+- 新增 public `setRecordParts(recordId, parts)` — 非 Claude SDK runtime 用来一次性替换 parts（JSONL 那套不走）
+
+**`opencode-acp-runtime.ts`**（改动）
+- `chatStream`: 非 resume 分支 `preSavePendingRecords` → turnId = assistantRecordId
+- `launchAgent`: 创建 `OpencodeMessageBuilder`；`makeEmitter` 接受 builder 参数并在每个事件后 `pushEvent` + tool_result 时 flush；finally 里 `finalize(status)`
+- 错误/cancel 映射到 `'error'` / `'cancel'` status
+
+### 14.6 e2e 验证
+
+`scripts/test-persistence-e2e.mts`：
+
+```
+records count: 2
+  - user      status=done  parts=1  [text]
+  - assistant status=done  parts=3  [tool_call, tool_result, text]
+
+frontend convert result: 2 TaskMessage
+  user parts:  text
+  agent parts: tool_call,tool_result,text
+
+assertions (10/10 PASS):
+  records >= 2:                       PASS
+  user record exists:                 PASS
+  user text part w/ prompt content:   PASS
+  assistant record exists:            PASS
+  assistant status='done':            PASS
+  assistant has text part:            PASS
+  assistant has tool_call part:       PASS
+  assistant has tool_result part:     PASS
+  assistant.replyTo == userRecordId:  PASS
+  frontend convert works:             PASS
+
+OVERALL: PASS
+```
+
+### 14.7 与 stream_events 的分工
+
+两条数据通道保持独立，**各司其职**：
+
+| 集合 | 用途 | 生命周期 |
+|---|---|---|
+| `vibe_agent_messages` | 永久会话历史；前端 `/api/tasks/:id/messages` 读 | 永久 |
+| `vibe_agent_stream_events` | 实时 SSE；observe 重连时 replay | turn 完成后清理（延迟 5s） |
+
+两者都在同个事件触发时一起写，**没有事务**（观察到一致性不严格也能接受 — stream_events 丢了最多影响重连丢几条事件，不影响最终历史）。
+
+### 14.8 已知边界
+
+- **无超时落库**：当前只在 tool_result 和 finalize 时落库。如果 LLM 长时间只发 text chunk 不调工具 + server 中途崩溃，会丢掉这段 text（但 stream_events 仍在，重启后可补偿）。如需更强保障可加"每 5 秒定时 flush"。
+- **丢 result 事件的兜底**：如果 opencode 异常退出没发 result，`finally` 里的 finalize 会调 setRecordParts，status 视错误路径设为 `error` / `cancel`。
+- **并发写保护**：setRecordParts 用 `where recordId update`（CloudBase 是原子的）。同一 conversation 串行 turn（isAgentRunning 保护），不会有并发冲突。
+- **Resume 场景 parts 保持完整**：同一 builder 闭包在 resume 期间继续累积，tool_call→tool_result→更多 text 都在同一 assistant record 上，结构一致。
diff --git a/packages/server/scripts/test-persistence-e2e.mts b/packages/server/scripts/test-persistence-e2e.mts
new file mode 100644
index 0000000..d602f58
--- /dev/null
+++ b/packages/server/scripts/test-persistence-e2e.mts
@@ -0,0 +1,186 @@
+#!/usr/bin/env tsx
+/**
+ * 消息持久化端到端测试（OpenCode runtime）
+ *
+ * 验证链路：
+ *   1. chatStream(prompt, envId=真实 TCB 环境)
+ *   2. preSavePendingRecords → DB 有 user(done) + assistant(pending)
+ *   3. LLM 执行 → 若工具调用，tool_result 触发 flushToDb
+ *   4. finalize → status=done，最终 parts 写入
+ *   5. loadDBMessages 读回 → 结构与预期一致
+ *
+ * 断言：
+ *   A. DB 里能找到 user + assistant 两条 record
+ *   B. assistant record status = 'done'
+ *   C. assistant parts 数组至少含 1 个 text part（LLM 的回答）
+ *   D. 如果有工具调用，parts 包含 tool_call + tool_result 对
+ *   E. 前端 tasks.ts 转换逻辑能消化（模拟: 转成 TaskMessage 不报错）
+ *
+ * 用法：
+ *   npx tsx --env-file=.env scripts/test-persistence-e2e.mts
+ */
+
+import 'dotenv/config'
+import fs from 'node:fs'
+import { opencodeAcpRuntime } from '../src/agent/runtime/opencode-acp-runtime.js'
+import { persistenceService } from '../src/agent/persistence.service.js'
+import type { AgentCallbackMessage, UnifiedMessagePart } from '@coder/shared'
+
+const envId = process.env.TCB_ENV_ID
+if (!envId) {
+  console.error('TCB_ENV_ID not set — cannot run persistence e2e')
+  process.exit(1)
+}
+
+const userId = 'persist-e2e-user-' + Date.now()
+const conversationId = 'persist-e2e-' + Date.now()
+
+console.log(`[persist-e2e] envId=${envId}`)
+console.log(`[persist-e2e] userId=${userId}`)
+console.log(`[persist-e2e] conversationId=${conversationId}\n`)
+
+// ── Test workdir（本地，避免沙箱路径问题）─────────────────────────────────────
+const WORKDIR = '/tmp/opencode-persist-e2e-' + Date.now()
+fs.mkdirSync(WORKDIR, { recursive: true })
+
+// ── 收集事件，仅用于观察 ─────────────────────────────────────────────────
+const events: AgentCallbackMessage[] = []
+const cb = async (msg: AgentCallbackMessage) => {
+  events.push(msg)
+  if (msg.type === 'text' && msg.content) process.stdout.write(msg.content)
+  else if (msg.type === 'tool_use') console.log(`\n[tool_use ▶] ${msg.name} id=${msg.id}`)
+  else if (msg.type === 'tool_result') console.log(`[tool_result ◯] is_error=${msg.is_error}`)
+  else if (msg.type === 'result') console.log(`\n[result] ${msg.content?.slice(0, 100)}`)
+  else if (msg.type === 'error') console.log(`[error] ${msg.content}`)
+}
+
+// ── 让 LLM 写一个文件，触发工具调用（让 parts 里必然有 tool_call+tool_result）─
+// 不走沙箱（envId='' 会跳过），走本地 custom write tool
+// 但 envId 必须传真实值才能落库，所以用 envId=真实、cwd=本地目录
+console.log('[persist-e2e] === chatStream (with envId + local workdir) ===')
+const prompt = `请用 write 工具在当前目录创建文件 persist.txt，内容正好一行：persistence works\n完成后简短确认。`
+
+const { turnId } = await opencodeAcpRuntime.chatStream(prompt, cb, {
+  conversationId,
+  envId,
+  userId,
+  cwd: WORKDIR,
+  model: 'moonshot/kimi-k2-0905-preview',
+})
+console.log(`[persist-e2e] chatStream turnId=${turnId}`)
+
+// 等 result / error
+console.log('\n[persist-e2e] waiting for result ...')
+const timeout = Date.now() + 120_000
+while (Date.now() < timeout) {
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) break
+  await new Promise((r) => setTimeout(r, 300))
+}
+
+// 给 finalize 一点时间（它在 finally 里、异步写库）
+await new Promise((r) => setTimeout(r, 2000))
+
+// ── 从 DB 读回验证 ──────────────────────────────────────────────────────
+console.log('\n\n[persist-e2e] === loadDBMessages ===')
+const records = await persistenceService.loadDBMessages(conversationId, envId, userId, 20)
+console.log(`[persist-e2e] records count: ${records.length}`)
+for (const r of records) {
+  console.log(
+    `  - ${r.role} status=${r.status} recordId=${r.recordId.slice(0, 8)}... parts=${r.parts.length} ${r.parts.map((p: UnifiedMessagePart) => p.contentType).join(',')}`,
+  )
+}
+
+// ── Assertions ──────────────────────────────────────────────────────────
+const userRecord = records.find((r) => r.role === 'user')
+const assistantRecord = records.find((r) => r.role === 'assistant')
+
+const hasUser = !!userRecord
+const hasAssistant = !!assistantRecord
+const assistantDone = assistantRecord?.status === 'done'
+const userHasTextPart = userRecord?.parts?.[0]?.contentType === 'text'
+const userPromptMatches = userRecord?.parts?.[0]?.content?.includes('persist.txt') ?? false
+
+const assistantParts = assistantRecord?.parts ?? []
+const hasTextPart = assistantParts.some((p: UnifiedMessagePart) => p.contentType === 'text' && !!p.content)
+const hasToolCallPart = assistantParts.some((p: UnifiedMessagePart) => p.contentType === 'tool_call')
+const hasToolResultPart = assistantParts.some((p: UnifiedMessagePart) => p.contentType === 'tool_result')
+
+// 校验 replyTo 链
+const replyToOk = assistantRecord?.replyTo === userRecord?.recordId
+
+// ── 模拟前端转换（验证前端 tasks.ts 逻辑不会挂）─────────────────────────
+let frontendConvertOk = true
+try {
+  const frontMessages = records.map((record) => ({
+    id: record.recordId,
+    taskId: conversationId,
+    role: record.role === 'user' ? 'user' : 'agent',
+    parts: (record.parts || []).map((p: UnifiedMessagePart) => {
+      if (p.contentType === 'text') return { type: 'text', text: p.content || '' }
+      if (p.contentType === 'reasoning') return { type: 'thinking', text: p.content || '' }
+      if (p.contentType === 'tool_call')
+        return {
+          type: 'tool_call',
+          toolCallId: p.toolCallId || p.partId,
+          toolName: (p.metadata?.toolCallName as string) || (p.metadata?.toolName as string) || 'tool',
+          input: p.content || p.metadata?.input,
+          status: p.metadata?.status,
+        }
+      if (p.contentType === 'tool_result')
+        return {
+          type: 'tool_result',
+          toolCallId: p.toolCallId || p.partId,
+          content: p.content || '',
+          isError: p.metadata?.isError,
+        }
+      return { type: 'text', text: p.content || '' }
+    }),
+    status: record.status,
+    createdAt: record.createTime,
+  }))
+  console.log(`\n[persist-e2e] frontend convert result: ${frontMessages.length} TaskMessage`)
+  const userMsg = frontMessages.find((m) => m.role === 'user')
+  const agentMsg = frontMessages.find((m) => m.role === 'agent')
+  console.log(`  user parts:  ${userMsg?.parts.map((p) => p.type).join(',')}`)
+  console.log(`  agent parts: ${agentMsg?.parts.map((p) => p.type).join(',')}`)
+} catch (e) {
+  console.error('[persist-e2e] frontend convert FAILED:', e)
+  frontendConvertOk = false
+}
+
+console.log('\n[persist-e2e] assertions:')
+console.log(`  records >= 2:                       ${records.length >= 2 ? 'PASS' : 'FAIL'} (${records.length})`)
+console.log(`  user record exists:                 ${hasUser ? 'PASS' : 'FAIL'}`)
+console.log(`  user text part w/ prompt content:   ${userHasTextPart && userPromptMatches ? 'PASS' : 'FAIL'}`)
+console.log(`  assistant record exists:            ${hasAssistant ? 'PASS' : 'FAIL'}`)
+console.log(`  assistant status='done':            ${assistantDone ? 'PASS' : 'FAIL'} (${assistantRecord?.status})`)
+console.log(`  assistant has text part:            ${hasTextPart ? 'PASS' : 'FAIL'}`)
+console.log(`  assistant has tool_call part:       ${hasToolCallPart ? 'PASS' : 'FAIL'}`)
+console.log(`  assistant has tool_result part:     ${hasToolResultPart ? 'PASS' : 'FAIL'}`)
+console.log(`  assistant.replyTo == userRecordId:  ${replyToOk ? 'PASS' : 'FAIL'}`)
+console.log(`  frontend convert works:             ${frontendConvertOk ? 'PASS' : 'FAIL'}`)
+
+// 清理（不要留 e2e 垃圾在生产环境）
+console.log('\n[persist-e2e] cleanup...')
+try {
+  await persistenceService.deleteConversationMessages(conversationId, envId, userId)
+  console.log('[persist-e2e] cleanup done')
+} catch (e) {
+  console.warn('[persist-e2e] cleanup failed:', (e as Error).message)
+}
+
+const overall =
+  records.length >= 2 &&
+  hasUser &&
+  userHasTextPart &&
+  userPromptMatches &&
+  hasAssistant &&
+  assistantDone &&
+  hasTextPart &&
+  hasToolCallPart &&
+  hasToolResultPart &&
+  replyToOk &&
+  frontendConvertOk
+
+console.log(`\n[persist-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/persistence.service.ts b/packages/server/src/agent/persistence.service.ts
index 651a3fc..ca37748 100644
--- a/packages/server/src/agent/persistence.service.ts
+++ b/packages/server/src/agent/persistence.service.ts
@@ -507,6 +507,14 @@ export class PersistenceService {
     await collection.where({ recordId: _.eq(recordId) }).update({ parts, updateTime: Date.now() })
   }
 
+  /**
+   * Public: 完全替换指定 record 的 parts 数组（用于非 Claude SDK runtime，
+   * 它们不写 JSONL，需要直接在内存累积 parts 后一次性写入 DB）。
+   */
+  async setRecordParts(recordId: string, parts: UnifiedMessagePart[]): Promise<void> {
+    await this.replacePartsInRecord(recordId, parts)
+  }
+
   // ========== Message Grouping ==========
 
   private groupMessages(messages: CodeBuddyMessage[]): CodeBuddyMessage[][] {
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index f89cd4f..4aa0fb9 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -46,6 +46,7 @@ import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
 import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
+import { OpencodeMessageBuilder, findLastRecordIds } from './opencode-message-builder.js'
 import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { spawn } from 'node:child_process'
 import os from 'node:os'
@@ -249,7 +250,34 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       return { turnId: run.turnId, alreadyRunning: true }
     }
 
-    const turnId = uuidv4()
+    // 非 resume：preSave user + assistant(pending) 记录，取 assistantRecordId 作为 turnId
+    // (与 Tencent SDK runtime 一致：turnId == assistantMessageId)
+    let preSaved: { userRecordId: string; assistantRecordId: string } | null = null
+    if (options.envId) {
+      try {
+        // 找上一轮 record ids，维护 replyTo / parentId 链
+        const { prevRecordId, lastAssistantRecordId } = await findLastRecordIds(
+          conversationId,
+          options.envId,
+          options.userId || 'anonymous',
+        )
+        preSaved = await persistenceService.preSavePendingRecords({
+          conversationId,
+          envId: options.envId,
+          userId: options.userId || 'anonymous',
+          prompt,
+          prevRecordId,
+          lastAssistantRecordId,
+        })
+      } catch (e) {
+        console.warn(
+          '[OpencodeAcpRuntime] preSavePendingRecords failed (continuing without persistence):',
+          (e as Error).message,
+        )
+      }
+    }
+
+    const turnId = preSaved?.assistantRecordId ?? uuidv4()
     const abortController = new AbortController()
 
     registerAgent({
@@ -282,12 +310,27 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     const userId = options.userId || 'anonymous'
     const modelId = options.model || DEFAULT_OPENCODE_MODEL
 
+    // 消息持久化 builder：累积事件 → UnifiedMessagePart[] → 落 messages 集合
+    // turnId 即是 preSave 返回的 assistantRecordId
+    const messageBuilder = envId
+      ? new OpencodeMessageBuilder({
+          conversationId,
+          assistantRecordId: turnId,
+          envId,
+          userId,
+        })
+      : null
+
     // emit 每次动态取 liveCallback（resume 时回调会被替换）
     // 第一轮由 chatStream 调用 registerLiveCallback 写入；第二轮（resume）由
     // chatStream 的 resume 分支更新。
-    const emit = makeEmitter({ envId, userId, conversationId, turnId })
+    // 同时把消息喂给 messageBuilder 做持久化
+    const emit = makeEmitter({ envId, userId, conversationId, turnId, messageBuilder })
     registerEmitter(conversationId, emit)
 
+    // 记录最终 record 状态；finally 里用它调 messageBuilder.finalize()
+    let finalRecordStatus: 'done' | 'error' | 'cancel' = 'error'
+
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
     let sessionWorkingDir: string | null = null
@@ -441,6 +484,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       })
 
       completeAgent(conversationId, 'completed')
+      finalRecordStatus = 'done'
     } catch (error: any) {
       const isAbort = abortController.signal.aborted || error?.name === 'AbortError'
       console.error('[OpencodeAcpRuntime] launchAgent error:', error)
@@ -467,6 +511,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         /* noop */
       }
       completeAgent(conversationId, isAbort ? 'cancelled' : 'error', String(error?.message || error))
+      finalRecordStatus = isAbort ? 'cancel' : 'error'
     } finally {
       if (transport) {
         try {
@@ -483,6 +528,14 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
           /* noop */
         }
       }
+      // 消息持久化 finalize：写入最终 parts + 更新 record status
+      if (messageBuilder) {
+        try {
+          await messageBuilder.finalize(finalRecordStatus)
+        } catch (e) {
+          console.error('[OpencodeAcpRuntime] messageBuilder.finalize error:', e)
+        }
+      }
       // 清掉 liveCallback + emitter 注册，避免 map 泄漏
       clearLiveCallback(conversationId)
       clearEmitter(conversationId)
@@ -565,15 +618,29 @@ function makeEmitter(ctx: {
   userId: string
   conversationId: string
   turnId: string
+  messageBuilder: OpencodeMessageBuilder | null
 }): (msg: AgentCallbackMessage) => Promise<void> {
-  const { envId, userId, conversationId, turnId } = ctx
+  const { envId, userId, conversationId, turnId, messageBuilder } = ctx
   return async (msg) => {
     const enriched: AgentCallbackMessage = {
       ...msg,
       sessionId: conversationId,
       assistantMessageId: turnId,
     }
-    // 动态取 liveCallback：resume 时第二轮 SSE 的 callback 会替换第一轮的
+
+    // 1. 喂给消息 builder（持久化）
+    if (messageBuilder) {
+      messageBuilder.pushEvent(enriched)
+      // tool_result 是一个里程碑 — 触发一次 flushToDb 让 DB 反映最新状态
+      // （即使 server 中途崩溃，最坏丢失最后一段 text，下次开会话仍有结构化历史）
+      if (msg.type === 'tool_result') {
+        messageBuilder.flushToDb().catch((e) => {
+          console.error('[OpencodeAcpRuntime] flushToDb error:', e)
+        })
+      }
+    }
+
+    // 2. 动态取 liveCallback：resume 时第二轮 SSE 的 callback 会替换第一轮的
     const liveCallback = getLiveCallback(conversationId)
     if (liveCallback) {
       try {
diff --git a/packages/server/src/agent/runtime/opencode-message-builder.ts b/packages/server/src/agent/runtime/opencode-message-builder.ts
new file mode 100644
index 0000000..0d2fb64
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-message-builder.ts
@@ -0,0 +1,287 @@
+/**
+ * OpencodeMessageBuilder
+ *
+ * 把 AgentCallbackMessage 事件流累积成 UnifiedMessagePart[]，用于持久化到
+ * vibe_agent_messages 集合（对齐 Tencent SDK runtime，前端零改动读取）。
+ *
+ * ## 为什么用 Builder
+ *
+ * OpenCode runtime 的事件流是 chunk 级别：
+ *   text chunk × N → tool_use → tool_result → text chunk × M → result
+ *
+ * 前端读 DB 期望的 parts 数组是**合并后的结构**：
+ *   [text(合并后), tool_call, tool_result, text(合并后)]
+ *
+ * Builder 负责这个 chunk → part 的聚合，并在合适的时机落库。
+ *
+ * ## 为什么不每个 chunk 都写 DB
+ *
+ * 1. DB 写入是网络 IO，text chunk 几十个一条 prompt 可能几百上千个
+ * 2. Tencent SDK 的模式是 agent 结束后一次性 syncMessages
+ * 3. 中间态的实时展示由 stream_events + SSE 负责（两条独立的通道）
+ *
+ * 所以 Builder 采用"累积 + 里程碑落库"策略：
+ *   - 每次 pushEvent 追加内存 parts 数组
+ *   - 工具调用完成 / 最终 finalize 时触发 DB 落库
+ *   - finalize 时调 updateRecordStatus(assistantRecordId, 'done'|'error'|'cancel')
+ *
+ * ## 什么是"里程碑"
+ *
+ * - 每次 tool_result 事件（一个工具调用完整结束）→ 落一次
+ * - finalize 时 → 落一次 + 改 status
+ * 这样用户每次看到工具执行完毕，DB 已经反映最新状态；即使 server 崩溃，
+ * 最坏丢失的是最后一段 text（stream_events 里仍然有，重启后 replay 可补偿）。
+ */
+
+import { v4 as uuidv4 } from 'uuid'
+import type { AgentCallbackMessage, UnifiedMessagePart, UnifiedMessageRecord } from '@coder/shared'
+import { persistenceService } from '../persistence.service.js'
+
+export interface OpencodeMessageBuilderOptions {
+  conversationId: string
+  assistantRecordId: string
+  envId: string
+  userId: string
+}
+
+export class OpencodeMessageBuilder {
+  private readonly parts: UnifiedMessagePart[] = []
+
+  /** 当前正在累积的文本 part（遇到 tool_use 时 flush） */
+  private currentTextBuffer: string[] = []
+
+  /** 当前正在累积的 thinking part（与 text 分开 buffer） */
+  private currentThinkingBuffer: string[] = []
+
+  /** toolCallId → parts 数组中的 tool_call part 索引，用来 tool_input_update 时定位 */
+  private toolCallIndexById = new Map<string, number>()
+
+  private finalized = false
+
+  constructor(private readonly opts: OpencodeMessageBuilderOptions) {}
+
+  /**
+   * 处理一条 AgentCallbackMessage。
+   * 注意：不在这里写 DB（为了性能和事务简化）；DB 落库通过 flushToDb() 手动触发。
+   */
+  pushEvent(msg: AgentCallbackMessage): void {
+    if (this.finalized) return
+
+    switch (msg.type) {
+      case 'text': {
+        // 遇到新 text 前如果还有 thinking buffer，先 flush thinking
+        if (this.currentThinkingBuffer.length > 0) {
+          this.flushThinkingBuffer()
+        }
+        if (typeof msg.content === 'string' && msg.content.length > 0) {
+          this.currentTextBuffer.push(msg.content)
+        }
+        break
+      }
+      case 'thinking': {
+        if (this.currentTextBuffer.length > 0) {
+          this.flushTextBuffer()
+        }
+        if (typeof msg.content === 'string' && msg.content.length > 0) {
+          this.currentThinkingBuffer.push(msg.content)
+        }
+        break
+      }
+      case 'tool_use': {
+        // 工具开始前先 flush 所有文本 / 思考
+        this.flushTextBuffer()
+        this.flushThinkingBuffer()
+
+        const toolCallId = msg.id || uuidv4()
+        const part: UnifiedMessagePart = {
+          partId: uuidv4(),
+          contentType: 'tool_call',
+          content: JSON.stringify(msg.input ?? {}),
+          toolCallId,
+          metadata: {
+            toolCallName: msg.name,
+            toolName: msg.name,
+            input: msg.input,
+            status: 'in_progress',
+          },
+        }
+        this.toolCallIndexById.set(toolCallId, this.parts.length)
+        this.parts.push(part)
+        break
+      }
+      case 'tool_input_update': {
+        // 更新已有 tool_call part 的 input
+        const toolCallId = msg.id
+        if (!toolCallId) break
+        const idx = this.toolCallIndexById.get(toolCallId)
+        if (idx === undefined) break
+        const existing = this.parts[idx]
+        if (!existing || existing.contentType !== 'tool_call') break
+        existing.content = JSON.stringify(msg.input ?? {})
+        existing.metadata = {
+          ...(existing.metadata ?? {}),
+          input: msg.input,
+        }
+        break
+      }
+      case 'tool_result': {
+        const toolCallId = msg.tool_use_id || msg.id
+        const part: UnifiedMessagePart = {
+          partId: uuidv4(),
+          contentType: 'tool_result',
+          content: typeof msg.content === 'string' ? msg.content : JSON.stringify(msg.content ?? ''),
+          toolCallId,
+          metadata: {
+            status: msg.is_error ? 'error' : 'completed',
+            isError: !!msg.is_error,
+          },
+        }
+        this.parts.push(part)
+
+        // 同步更新对应 tool_call 的 status
+        if (toolCallId) {
+          const idx = this.toolCallIndexById.get(toolCallId)
+          if (idx !== undefined) {
+            const callPart = this.parts[idx]
+            if (callPart && callPart.contentType === 'tool_call') {
+              callPart.metadata = {
+                ...(callPart.metadata ?? {}),
+                status: msg.is_error ? 'error' : 'completed',
+              }
+            }
+          }
+        }
+        break
+      }
+      case 'result':
+      case 'error':
+      case 'agent_phase':
+      case 'session':
+      case 'tool_confirm':
+      case 'ask_user':
+      case 'artifact':
+        // 这些不进 parts 数组（stream_events 已处理实时推送）
+        // ask_user/tool_confirm 的状态通过 stream_events + turn lifecycle 展示
+        break
+    }
+  }
+
+  /**
+   * 把当前累积的 parts 一次性写入 DB（replace）。
+   * 触发点：tool_result 之后 + finalize 之前。
+   */
+  async flushToDb(): Promise<void> {
+    if (this.finalized) return
+    // 先把待定 buffer flush 到 parts 数组，然后写库
+    const snapshot = this.snapshotParts()
+    if (this.opts.envId) {
+      try {
+        await persistenceService.setRecordParts(this.opts.assistantRecordId, snapshot)
+      } catch (e) {
+        console.error('[OpencodeMessageBuilder] setRecordParts failed:', e)
+      }
+    }
+  }
+
+  /**
+   * 结束构建：flush buffer → 写 DB → 更新 record status。
+   * status = 'done' | 'error' | 'cancel'
+   */
+  async finalize(status: 'done' | 'error' | 'cancel'): Promise<void> {
+    if (this.finalized) return
+    this.finalized = true
+
+    const snapshot = this.snapshotParts()
+    if (this.opts.envId) {
+      try {
+        await persistenceService.setRecordParts(this.opts.assistantRecordId, snapshot)
+      } catch (e) {
+        console.error('[OpencodeMessageBuilder] setRecordParts on finalize failed:', e)
+      }
+      try {
+        await persistenceService.finalizePendingRecords(this.opts.assistantRecordId, status)
+      } catch (e) {
+        console.error('[OpencodeMessageBuilder] finalizePendingRecords failed:', e)
+      }
+    }
+  }
+
+  /** 当前已累积的 parts 快照（flush 临时 buffer 到数组里） */
+  private snapshotParts(): UnifiedMessagePart[] {
+    // 为快照创建一个非破坏性 flush：临时合并 buffer
+    const extra: UnifiedMessagePart[] = []
+    if (this.currentTextBuffer.length > 0) {
+      extra.push(this.buildTextPart(this.currentTextBuffer.join('')))
+    }
+    if (this.currentThinkingBuffer.length > 0) {
+      extra.push(this.buildThinkingPart(this.currentThinkingBuffer.join('')))
+    }
+    return [...this.parts, ...extra]
+  }
+
+  private flushTextBuffer(): void {
+    if (this.currentTextBuffer.length === 0) return
+    this.parts.push(this.buildTextPart(this.currentTextBuffer.join('')))
+    this.currentTextBuffer = []
+  }
+
+  private flushThinkingBuffer(): void {
+    if (this.currentThinkingBuffer.length === 0) return
+    this.parts.push(this.buildThinkingPart(this.currentThinkingBuffer.join('')))
+    this.currentThinkingBuffer = []
+  }
+
+  private buildTextPart(text: string): UnifiedMessagePart {
+    return {
+      partId: uuidv4(),
+      contentType: 'text',
+      content: text,
+      metadata: {
+        id: this.opts.assistantRecordId,
+        type: 'message',
+        role: 'assistant',
+      },
+    }
+  }
+
+  private buildThinkingPart(text: string): UnifiedMessagePart {
+    return {
+      partId: uuidv4(),
+      contentType: 'reasoning',
+      content: text,
+    }
+  }
+}
+
+// ─── Helpers ──────────────────────────────────────────────────────────────
+
+/**
+ * 根据 conversationId 查找上一轮 assistant recordId（用于新 user record 的
+ * replyTo / parentId 建链）。没有历史时返回 null。
+ */
+export async function findLastRecordIds(
+  conversationId: string,
+  envId: string,
+  userId: string,
+): Promise<{ prevRecordId: string | null; lastAssistantRecordId: string | null }> {
+  if (!envId || !conversationId) return { prevRecordId: null, lastAssistantRecordId: null }
+  try {
+    const records = await persistenceService.loadDBMessages(conversationId, envId, userId, 2)
+    // loadDBMessages 返回按 createTime 升序的完整 records（最多 2 条，取最后 1 轮 QA）
+    let prevRecordId: string | null = null
+    let lastAssistantRecordId: string | null = null
+    for (const r of records) {
+      prevRecordId = r.recordId
+      if (r.role === 'assistant') lastAssistantRecordId = r.recordId
+    }
+    return { prevRecordId, lastAssistantRecordId }
+  } catch {
+    return { prevRecordId: null, lastAssistantRecordId: null }
+  }
+}
+
+/**
+ * 避免 tsc 类型未引用警告
+ */
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+type _KeepUnifiedMessageRecord = UnifiedMessageRecord

From 3fe82bf9de8b17fa1518c14ff440b01061fea365 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 19:08:16 +0800
Subject: [PATCH 08/33] =?UTF-8?q?feat(agent):=20=E4=BF=AE=E5=A4=8D?=
 =?UTF-8?q?=E6=8C=82=E8=B5=B7=E6=80=81=E6=8C=81=E4=B9=85=E5=8C=96=20-=20to?=
 =?UTF-8?q?ol=5Fuse=20=E4=BA=8B=E4=BB=B6=E8=A7=A6=E5=8F=91=20flushToDb=20?=
 =?UTF-8?q?=E9=87=8C=E7=A8=8B=E7=A2=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 背景：和 Tencent SDK 的对齐审视

用户提问："这个持久化和之前的 ToolConfirm/AskUser 能力能对应吗？"
深度调研 Tencent SDK 持久化链路后发现：

我之前只在 tool_result 时 flushToDb。问题：
- AskUserQuestion / ToolConfirm 场景，tool_call 发出后会挂起等待用户答复
- 挂起期间 DB 里 assistant record 是空的 parts（flushToDb 还没触发）
- 前端此时若打开历史，看不到"系统在问你问题"的卡片

Tencent 不受此影响：它通过 SDK JSONL 写 + updateToolResult 立刻同步；
OpenCode 走事件流，需要主动在 tool_use 时触发 flush。

实测 opencode 事件顺序（test-event-order.mjs）：
  tool_call (status=pending)   ← 工具调用，execute 即将开始
  [execute 阻塞等用户答复]
  tool_update (status=completed, rawOutput=...)   ← execute 返回

所以 tool_use 是挂起前的"最后一个可见事件"，必须立刻 flush。

## 改动

opencode-acp-runtime.ts makeEmitter:
  if (msg.type === 'tool_use' || msg.type === 'tool_result') {
    messageBuilder.flushToDb().catch(...)
  }

## 验证

新增 scripts/test-persistence-suspend-e2e.mts：
  Round 1: LLM 调 AskUserQuestion → 等 ask_user 事件
  ★ 挂起期间 loadDBMessages：
    assistant status=pending parts=[text, tool_call(in_progress)]
    无 tool_result ← 预期行为（还没答）
  Round 2: askAnswers 恢复 → 最终 loadDBMessages：
    assistant status=done parts=[text, tool_call(completed),
                                 tool_result(completed), text(继续)]

所有断言 PASS。

## 额外：关于 Tencent 独有的持久化步骤

调研发现 Tencent SDK 还做：
  - providerData 继承（从原 tool_call 继承 messageId/model/agent）
  - providerData 清理（剥离 SDK 的 skipRun/error deny 标记）
  - Resume 时立刻同步调 updateToolResult

这些是 Claude SDK 的 JSONL 行为兼容需要的（防 deny 死循环）。
OpenCode 不走 JSONL，通过事件流自然同步 tool_result，没有这些兼容性压力。
所以"不实现"是正确的设计简化，文档 §14.10 明确记录了这点。

## 回归

e2e #1 local + ToolConfirm + Persistence 全 PASS
type-check / lint / build / format 全通过
---
 docs/acp-runtime-abstraction.md               |  48 ++++-
 .../scripts/test-persistence-suspend-e2e.mts  | 202 ++++++++++++++++++
 .../src/agent/runtime/opencode-acp-runtime.ts |   8 +-
 3 files changed, 254 insertions(+), 4 deletions(-)
 create mode 100644 packages/server/scripts/test-persistence-suspend-e2e.mts

diff --git a/docs/acp-runtime-abstraction.md b/docs/acp-runtime-abstraction.md
index 3444c2d..68b215f 100644
--- a/docs/acp-runtime-abstraction.md
+++ b/docs/acp-runtime-abstraction.md
@@ -605,7 +605,53 @@ OVERALL: PASS
 
 ### 14.8 已知边界
 
-- **无超时落库**：当前只在 tool_result 和 finalize 时落库。如果 LLM 长时间只发 text chunk 不调工具 + server 中途崩溃，会丢掉这段 text（但 stream_events 仍在，重启后可补偿）。如需更强保障可加"每 5 秒定时 flush"。
+- **无定时 flush**：当前触发 flushToDb 的时机是 tool_use + tool_result + finalize。长 text-only 段 + server 崩溃会丢尾部 text（stream_events 保底）。可加 5s 定时 flush。
 - **丢 result 事件的兜底**：如果 opencode 异常退出没发 result，`finally` 里的 finalize 会调 setRecordParts，status 视错误路径设为 `error` / `cancel`。
 - **并发写保护**：setRecordParts 用 `where recordId update`（CloudBase 是原子的）。同一 conversation 串行 turn（isAgentRunning 保护），不会有并发冲突。
 - **Resume 场景 parts 保持完整**：同一 builder 闭包在 resume 期间继续累积，tool_call→tool_result→更多 text 都在同一 assistant record 上，结构一致。
+
+### 14.9 挂起态持久化（ToolConfirm / AskUserQuestion）
+
+**核心保障**：挂起期间（用户还没确认或回答）前端用 `loadDBMessages` 能读到部分完整状态。
+
+触发 flushToDb 的 `tool_use` 里程碑确保：
+
+**第一轮挂起时 DB 状态**：
+```
+assistant status=pending parts=[text(思考), tool_call(status=in_progress)]
+                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
+                                         opencode 已发 tool_call 事件，
+                                         立刻 flushToDb 让前端可见
+```
+
+**Round 2 resume 后 DB 状态**：
+```
+assistant status=done parts=[text, tool_call(completed), tool_result(completed), text(继续)]
+```
+
+**e2e 验证**：`scripts/test-persistence-suspend-e2e.mts`
+- 挂起期间 `loadDBMessages` 读回：assistant.status=pending, parts 含 tool_call(in_progress), 无 tool_result ✓
+- Resume 后：status=done, tool_call.status=completed, tool_result 已追加, 后续 text 顺序保持 ✓
+
+**与 Tencent SDK 对齐**：
+- Tencent 依赖 JSONL baseline + `updateToolResult` 立刻同步
+- OpenCode 依赖事件流 + messageBuilder 里程碑 flush — 实现路径不同，**可观测行为一致**
+- 前端按 toolName='AskUserQuestion' 匹配渲染 AskUserForm（见 §13 对齐工作），挂起期间打开历史能看到"待回答"卡片
+
+### 14.10 为什么**不**实现 Tencent SDK 的某些持久化步骤
+
+Tencent SDK 在 resume 时会做：
+1. **providerData 继承**（从原 tool_call 继承 messageId/model/agent）
+2. **providerData 清理**（剥离 `skipRun` / `error` 等 SDK deny 标记）
+3. **立刻同步调 updateToolResult**
+
+这些**都是为 Claude SDK 的 JSONL 行为兼容而设计**，具体原因：
+- `skipRun=false, error="..."` 是 Claude SDK 在工具被 deny 时写进 JSONL 的"拒绝标记"。不清理的话，SDK 下次 resume 读 JSONL 看到这个标记会**重新尝试调用工具**，导致死循环
+- Claude SDK 通过 JSONL 恢复上下文，要求 tool_result 和"直接执行（无确认）"的 baseline 结构一致
+
+**OpenCode runtime 不走 JSONL**，没有这些 SDK 兼容性压力：
+- 工具真实输出由 opencode 子进程通过 ACP tool_call_update 事件发回
+- messageBuilder 收到 tool_result 事件就追加 part
+- 没有"deny 标记污染"的问题（permission deny 时 opencode 的 behavior 是 tool 直接返回 "rejected"，没 skipRun 这种 SDK 内部字段）
+
+所以这部分差异**不是 bug，是设计上的正确简化**。
diff --git a/packages/server/scripts/test-persistence-suspend-e2e.mts b/packages/server/scripts/test-persistence-suspend-e2e.mts
new file mode 100644
index 0000000..46e1906
--- /dev/null
+++ b/packages/server/scripts/test-persistence-suspend-e2e.mts
@@ -0,0 +1,202 @@
+#!/usr/bin/env tsx
+/**
+ * 持久化挂起态 e2e：
+ *
+ * 验证挂起场景（AskUserQuestion 等用户答）期间 DB 可见部分完整状态，
+ * 用户答复后 DB 继续补充剩余 parts 和 finalize status。
+ *
+ * 场景：
+ *   Round 1 发 prompt 让 LLM 调 AskUserQuestion
+ *   等到 ask_user 事件（挂起）→ **此时另一视角**调 loadDBMessages 读 DB
+ *     断言：assistant record 的 parts 里已有 tool_call（AskUserQuestion，status=in_progress）
+ *           assistant.status 仍为 'pending'
+ *   Round 2 发 askAnswers 恢复
+ *   等到 result → 再读一次 DB
+ *     断言：parts 补齐了 tool_result（状态 completed）+ 后续 text
+ *           assistant.status = 'done'
+ *
+ * 用法：
+ *   npx tsx --env-file=.env scripts/test-persistence-suspend-e2e.mts
+ */
+
+import 'dotenv/config'
+import fs from 'node:fs'
+import { serve } from '@hono/node-server'
+import { Hono } from 'hono'
+
+const envId = process.env.TCB_ENV_ID
+if (!envId) {
+  console.error('TCB_ENV_ID not set')
+  process.exit(1)
+}
+
+// 启动 mini server 提供 /internal/ask-user
+const app = new Hono()
+const { default: acpRoutes } = await import('../src/routes/acp.js')
+app.route('/api/agent', acpRoutes)
+
+let assignedPort = 0
+const server = serve({ fetch: app.fetch, port: 0, hostname: '127.0.0.1' }, (info) => {
+  assignedPort = info.port
+})
+await new Promise((r) => setTimeout(r, 300))
+process.env.ASK_USER_BASE_URL = `http://127.0.0.1:${assignedPort}`
+console.log(`[suspend-e2e] ASK_USER_BASE_URL=${process.env.ASK_USER_BASE_URL}`)
+
+const { opencodeAcpRuntime } = await import('../src/agent/runtime/opencode-acp-runtime.js')
+const { persistenceService } = await import('../src/agent/persistence.service.js')
+import type { AgentCallbackMessage, UnifiedMessagePart } from '@coder/shared'
+
+const userId = 'suspend-e2e-' + Date.now()
+const conversationId = 'suspend-conv-' + Date.now()
+console.log(`[suspend-e2e] conv=${conversationId}\n`)
+
+// e2e 专用目录（不会被真的用，AskUser 才是主线）
+const WORKDIR = '/tmp/opencode-suspend-e2e-' + Date.now()
+fs.mkdirSync(WORKDIR, { recursive: true })
+
+const events: AgentCallbackMessage[] = []
+const cb = async (msg: AgentCallbackMessage) => {
+  events.push(msg)
+  if (msg.type === 'tool_use') console.log(`\n[tool_use] ${msg.name}`)
+  else if (msg.type === 'ask_user') console.log(`[ask_user]`)
+  else if (msg.type === 'text' && msg.content) process.stdout.write(msg.content)
+  else if (msg.type === 'tool_result') console.log(`[tool_result] is_error=${msg.is_error}`)
+  else if (msg.type === 'result') console.log(`\n[result]`)
+}
+
+console.log('[suspend-e2e] === Round 1: LLM 调 AskUserQuestion ===')
+const { turnId } = await opencodeAcpRuntime.chatStream(
+  `请使用 AskUserQuestion 工具问我：Framework，question="Which framework?"，options=[{label:"React", description:"..."},{label:"Vue", description:"..."}]，multiSelect=false。必须用这个工具。`,
+  cb,
+  {
+    conversationId,
+    envId,
+    userId,
+    cwd: WORKDIR,
+    model: 'moonshot/kimi-k2-0905-preview',
+  },
+)
+console.log(`[suspend-e2e] turnId=${turnId}`)
+
+// 等 ask_user 事件
+console.log('[suspend-e2e] waiting for ask_user event ...')
+let askEvent: AgentCallbackMessage | undefined
+const askTimeout = Date.now() + 60_000
+while (Date.now() < askTimeout) {
+  askEvent = events.find((e) => e.type === 'ask_user')
+  if (askEvent) break
+  if (events.find((e) => e.type === 'result' || e.type === 'error')) {
+    console.error('[suspend-e2e] FAIL: got result/error before ask_user')
+    server.close()
+    process.exit(1)
+  }
+  await new Promise((r) => setTimeout(r, 200))
+}
+if (!askEvent) {
+  console.error('[suspend-e2e] FAIL: no ask_user within 60s')
+  server.close()
+  process.exit(1)
+}
+
+// 稍等让 flushToDb 完成
+await new Promise((r) => setTimeout(r, 2000))
+
+// ── ★ 关键检查：挂起期间读 DB ──
+console.log('\n[suspend-e2e] === 挂起期间读 DB ===')
+const midRecords = await persistenceService.loadDBMessages(conversationId, envId, userId, 20)
+console.log(`[suspend-e2e] mid records count: ${midRecords.length}`)
+for (const r of midRecords) {
+  console.log(
+    `  - ${r.role} status=${r.status} parts=${r.parts.length} [${r.parts.map((p: UnifiedMessagePart) => `${p.contentType}(${(p.metadata?.status as string | undefined) ?? '-'})`).join(', ')}]`,
+  )
+}
+
+const midAssistant = midRecords.find((r) => r.role === 'assistant')
+const midHasPendingStatus = midAssistant?.status === 'pending'
+const midHasToolCall = midAssistant?.parts.some((p: UnifiedMessagePart) => p.contentType === 'tool_call')
+const midHasToolResult = midAssistant?.parts.some((p: UnifiedMessagePart) => p.contentType === 'tool_result')
+// 挂起时不应该有 tool_result
+const midCorrect = midHasPendingStatus && midHasToolCall && !midHasToolResult
+
+console.log(`\n[suspend-e2e] 挂起期间断言：`)
+console.log(`  assistant.status == 'pending':     ${midHasPendingStatus ? 'PASS' : 'FAIL'} (${midAssistant?.status})`)
+console.log(`  parts 含 tool_call:                ${midHasToolCall ? 'PASS' : 'FAIL'}`)
+console.log(`  parts 尚无 tool_result:            ${!midHasToolResult ? 'PASS' : 'FAIL'}`)
+if (!midCorrect) {
+  console.error('\n[suspend-e2e] 挂起态不对，放弃')
+  server.close()
+  process.exit(1)
+}
+
+// ── Round 2: 模拟用户答复 ──
+console.log('\n[suspend-e2e] === Round 2: user answers ===')
+const questions = (askEvent.input as { questions: Array<{ header: string; options: Array<{ label: string }> }> }).questions
+const firstHeader = questions[0].header
+const chosen = questions[0].options[0].label
+console.log(`[suspend-e2e] answer: ${firstHeader}="${chosen}"`)
+
+await opencodeAcpRuntime.chatStream('', cb, {
+  conversationId,
+  envId,
+  userId,
+  cwd: WORKDIR,
+  model: 'moonshot/kimi-k2-0905-preview',
+  askAnswers: {
+    [askEvent.id!]: {
+      toolCallId: askEvent.id!,
+      answers: { [firstHeader]: chosen },
+    },
+  },
+})
+
+// 等最终 result
+const finalTimeout = Date.now() + 120_000
+while (Date.now() < finalTimeout) {
+  // 这里 events 已累积所有，但 result 可能还没到
+  const r = events.filter((e) => e.type === 'result')
+  // 第一轮 ask_user 之前无 result；第二轮恢复后会有 result
+  if (r.length > 0) break
+  if (events.find((e) => e.type === 'error')) break
+  await new Promise((r) => setTimeout(r, 300))
+}
+
+// 让 finalize 落库
+await new Promise((r) => setTimeout(r, 3000))
+
+// ── 最终读 DB ──
+console.log('\n[suspend-e2e] === 最终读 DB ===')
+const finalRecords = await persistenceService.loadDBMessages(conversationId, envId, userId, 20)
+console.log(`[suspend-e2e] final records count: ${finalRecords.length}`)
+for (const r of finalRecords) {
+  console.log(
+    `  - ${r.role} status=${r.status} parts=${r.parts.length} [${r.parts.map((p: UnifiedMessagePart) => `${p.contentType}(${(p.metadata?.status as string | undefined) ?? '-'})`).join(', ')}]`,
+  )
+}
+
+const finalAssistant = finalRecords.find((r) => r.role === 'assistant')
+const finalDone = finalAssistant?.status === 'done'
+const finalHasToolCall = finalAssistant?.parts.some((p: UnifiedMessagePart) => p.contentType === 'tool_call')
+const finalHasToolResult = finalAssistant?.parts.some((p: UnifiedMessagePart) => p.contentType === 'tool_result')
+const finalToolCompleted = finalAssistant?.parts.some(
+  (p: UnifiedMessagePart) => p.contentType === 'tool_call' && p.metadata?.status === 'completed',
+)
+
+console.log(`\n[suspend-e2e] 最终断言：`)
+console.log(`  assistant.status == 'done':        ${finalDone ? 'PASS' : 'FAIL'} (${finalAssistant?.status})`)
+console.log(`  parts 含 tool_call:                ${finalHasToolCall ? 'PASS' : 'FAIL'}`)
+console.log(`  parts 含 tool_result:              ${finalHasToolResult ? 'PASS' : 'FAIL'}`)
+console.log(`  tool_call.metadata.status=completed:${finalToolCompleted ? 'PASS' : 'FAIL'}`)
+
+// cleanup
+try {
+  await persistenceService.deleteConversationMessages(conversationId, envId, userId)
+} catch {
+  /* noop */
+}
+
+const overall = midCorrect && finalDone && finalHasToolCall && finalHasToolResult && finalToolCompleted
+console.log(`\n[suspend-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+
+server.close()
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 4aa0fb9..fc2b7cf 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -631,9 +631,11 @@ function makeEmitter(ctx: {
     // 1. 喂给消息 builder（持久化）
     if (messageBuilder) {
       messageBuilder.pushEvent(enriched)
-      // tool_result 是一个里程碑 — 触发一次 flushToDb 让 DB 反映最新状态
-      // （即使 server 中途崩溃，最坏丢失最后一段 text，下次开会话仍有结构化历史）
-      if (msg.type === 'tool_result') {
+      // 里程碑 flushToDb：
+      //   - tool_use：工具开始执行 → 立刻落库，让前端在挂起期间能看到"待回答/待确认"卡片
+      //     （尤其 AskUserQuestion / ToolConfirm 场景，会等很久才有 tool_result）
+      //   - tool_result：工具执行完毕 → 反映最新状态
+      if (msg.type === 'tool_use' || msg.type === 'tool_result') {
         messageBuilder.flushToDb().catch((e) => {
           console.error('[OpencodeAcpRuntime] flushToDb error:', e)
         })

From 0d9ea58b3872875ab6d65d3997393f477c13f2d1 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 2 May 2026 19:37:08 +0800
Subject: [PATCH 09/33] =?UTF-8?q?feat(agent):=20=E5=A4=9A=E8=BD=AE?=
 =?UTF-8?q?=E8=AE=B0=E5=BF=86=20-=20=E6=96=B0=20chatStream=20=E6=B3=A8?=
 =?UTF-8?q?=E5=85=A5=E5=8E=86=E5=8F=B2=E5=AF=B9=E8=AF=9D=E4=B8=8A=E4=B8=8B?=
 =?UTF-8?q?=E6=96=87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 动机

OpenCode 每次 chatStream 都 newSession（空白上下文），没有跨轮记忆能力。
Tencent SDK 通过 JSONL 自动恢复上下文，OpenCode 不走 JSONL，需主动注入。

用户场景（e2e 覆盖）：
  Turn 1: hello 我叫王小明
  Turn 2: 我叫什么？        ← 没历史注入会答"不知道"
  Turn 3: 用 AskUserQuestion 问 1+1=?
  [模拟用户答 2]
  Turn 4: 总结我的名字和对话历史   ← 必须准确回忆所有前序交互

## 实现

opencode-message-builder.ts 新增 buildHistoryContextPrompt()：
  - 从 DB loadDBMessages 读最近 N 轮 status=done 的记录
  - 按 role 拼成 User: / Assistant: / (tool_call:...) / (tool_result:...) 摘要
  - 格式化为 "Below is the prior history.\n[History]\n...\n[Current user message]\n<prompt>"
  - 排除本轮刚 preSave 的 user/assistant record（避免把当前 prompt 当历史）

opencode-acp-runtime.ts:
  - chatStream 记录本轮 preSaved recordIds 传给 launchAgent
  - launchAgent 接受 excludeHistoryRecordIds 参数
  - conn.prompt 之前：envId ? buildHistoryContextPrompt(..., {excludeRecordIds}) : prompt
  - Resume 路径不走这里（resume 时原 opencode session 已有上下文）

## e2e 验证：test-memory-flow-e2e.mts

模拟真实用户流程（4 轮对话 + 1 次中断恢复）：

Turn 1: "hello 我叫王小明"
  → "你好，王小明！很高兴..."

Turn 2: "我叫什么"
  → "根据之前的对话记录，你告诉我你叫王小明。"   ← 关键：跨 spawn 记忆

Turn 3: "请用 AskUserQuestion 问 1+1=?，选项 2/3/4"
  → tool_use AskUserQuestion → ask_user 事件 → 挂起
  (DB 此时可见 tool_call(in_progress))

Turn 3 resume: askAnswers={"Math":"2"}
  → tool_result → "你选择了..."

Turn 4: "请总结我的名字和对话历史"
  → 精准列出：
     - "你的名字：王小明"
     - 4 轮对话每轮做了什么
     - "在第三次对话中，我调用了 AskUserQuestion 工具"
     - "你选择了答案 2"

11/11 断言 PASS (包括 Turn 4 回答必须同时含"王小明"和"1+1"/"2")

DB 最终状态：8 条 records 全 status=done
Turn 3 assistant parts = [tool_call(completed), tool_result(completed), text]

## 细节

- 历史文本构造里 tool_result 截 300 字（避免 context 过长）
- thinking part 不放进 history（太长且模型已消化）
- race condition 修复：result 事件到达后再多等 800ms 吸收尾部 text chunk

## 回归

type-check / lint / build / format 全过
e2e local / persistence 全 PASS
---
 .../server/scripts/test-memory-flow-e2e.mts   | 316 ++++++++++++++++++
 .../src/agent/runtime/opencode-acp-runtime.ts |  27 +-
 .../agent/runtime/opencode-message-builder.ts |  76 +++++
 3 files changed, 414 insertions(+), 5 deletions(-)
 create mode 100644 packages/server/scripts/test-memory-flow-e2e.mts

diff --git a/packages/server/scripts/test-memory-flow-e2e.mts b/packages/server/scripts/test-memory-flow-e2e.mts
new file mode 100644
index 0000000..dd743ce
--- /dev/null
+++ b/packages/server/scripts/test-memory-flow-e2e.mts
@@ -0,0 +1,316 @@
+#!/usr/bin/env tsx
+/**
+ * 多轮会话连续性 + 中断恢复 + 记忆回溯 e2e
+ *
+ * 场景（用户真实使用模拟）：
+ *   Turn 1:  user → "hello 我叫王小明"
+ *            assistant → 问候回复（必须明确提到"王小明"表明已认知）
+ *   Turn 2:  user → "我叫什么"
+ *            assistant → 必须包含"王小明"（记忆能穿越不同 spawn 的 opencode 进程）
+ *   Turn 3:  user → "请使用 AskUserQuestion 工具问我 1+1=?，选项 2 / 3 / 4"
+ *            assistant → 调 AskUserQuestion，挂起
+ *            [模拟用户答：2]
+ *            assistant → tool_result 含 "2"，继续推理
+ *   Turn 4:  user → "请总结一下我的名字以及我们的对话历史"
+ *            assistant → 必须包含"王小明" + 提到 "1+1=2"
+ *
+ * 断言：
+ *   - Turn 2 LLM 回答含"王小明"（上下文穿透）
+ *   - Turn 3 产生 ask_user 事件
+ *   - Turn 3 Resume 后得到 tool_result
+ *   - Turn 4 LLM 回答同时含"王小明"和"1+1"或"2"（完整历史回溯）
+ *   - DB 里最终 4 条 user record + 4 条 assistant record 全部 status=done
+ *   - Turn 3 assistant 的 parts 含 tool_call(completed) + tool_result(completed)
+ *
+ * 用法：
+ *   npx tsx --env-file=.env scripts/test-memory-flow-e2e.mts
+ */
+
+import 'dotenv/config'
+import fs from 'node:fs'
+import { serve } from '@hono/node-server'
+import { Hono } from 'hono'
+
+const envId = process.env.TCB_ENV_ID
+if (!envId) {
+  console.error('TCB_ENV_ID not set')
+  process.exit(1)
+}
+
+// 启动 mini server 提供 /internal/ask-user
+const app = new Hono()
+const { default: acpRoutes } = await import('../src/routes/acp.js')
+app.route('/api/agent', acpRoutes)
+
+let assignedPort = 0
+const server = serve({ fetch: app.fetch, port: 0, hostname: '127.0.0.1' }, (info) => {
+  assignedPort = info.port
+})
+await new Promise((r) => setTimeout(r, 300))
+process.env.ASK_USER_BASE_URL = `http://127.0.0.1:${assignedPort}`
+console.log(`[memflow-e2e] ASK_USER_BASE_URL=http://127.0.0.1:${assignedPort}`)
+
+const { opencodeAcpRuntime } = await import('../src/agent/runtime/opencode-acp-runtime.js')
+const { persistenceService } = await import('../src/agent/persistence.service.js')
+import type { AgentCallbackMessage, UnifiedMessagePart } from '@coder/shared'
+
+const userId = 'memflow-' + Date.now()
+const conversationId = 'memflow-conv-' + Date.now()
+const WORKDIR = '/tmp/opencode-memflow-' + Date.now()
+fs.mkdirSync(WORKDIR, { recursive: true })
+
+console.log(`[memflow-e2e] conv=${conversationId}`)
+console.log(`[memflow-e2e] userId=${userId}\n`)
+
+// ── 通用帮助 ────────────────────────────────────────────────────────────
+interface RecordedEv {
+  ts: number
+  type: string
+  name?: string
+  id?: string
+  content?: string
+  input?: unknown
+}
+const startT = Date.now()
+
+/**
+ * 跑一轮 prompt，返回 { events, assistantText, finished }
+ * assistantText 是本轮 LLM 流式文本的拼接
+ * finished = true 表示收到 result（无论是否 ask_user 中断）
+ */
+async function runTurn(label: string, prompt: string): Promise<{ events: RecordedEv[]; assistantText: string }> {
+  console.log(`\n[memflow-e2e] ▶ ${label} — prompt: ${prompt.slice(0, 80)}${prompt.length > 80 ? '...' : ''}`)
+  const evs: RecordedEv[] = []
+  let assistantText = ''
+
+  const cb = async (msg: AgentCallbackMessage) => {
+    evs.push({
+      ts: Date.now() - startT,
+      type: msg.type,
+      name: msg.name,
+      id: msg.id,
+      content: typeof msg.content === 'string' ? msg.content.slice(0, 200) : undefined,
+      input: msg.input,
+    })
+    if (msg.type === 'text' && msg.content) {
+      assistantText += msg.content
+      process.stdout.write(msg.content)
+    } else if (msg.type === 'tool_use') {
+      console.log(`\n    [tool_use] ${msg.name}`)
+    } else if (msg.type === 'ask_user') {
+      console.log(`\n    [ask_user] id=${msg.id}`)
+    } else if (msg.type === 'tool_result') {
+      console.log(`\n    [tool_result] is_error=${msg.is_error}`)
+    } else if (msg.type === 'result') {
+      console.log(`\n    [result]`)
+    } else if (msg.type === 'error') {
+      console.log(`\n    [error] ${msg.content}`)
+    }
+  }
+
+  await opencodeAcpRuntime.chatStream(prompt, cb, {
+    conversationId,
+    envId,
+    userId,
+    cwd: WORKDIR,
+    model: 'moonshot/kimi-k2-0905-preview',
+  })
+
+  // 等 result / error / ask_user
+  const deadline = Date.now() + 120_000
+  while (Date.now() < deadline) {
+    if (evs.find((e) => e.type === 'result' || e.type === 'error' || e.type === 'ask_user')) break
+    await new Promise((r) => setTimeout(r, 200))
+  }
+
+  // result 之后再多等 500ms 吸收最后几个 text chunk
+  // (实测：opencode 的 SSE 推送顺序里，result 有时会先于最后一段 text chunk 到达)
+  if (evs.find((e) => e.type === 'result')) {
+    await new Promise((r) => setTimeout(r, 800))
+  }
+
+  return { events: evs, assistantText }
+}
+
+async function resumeWithAnswers(
+  label: string,
+  toolCallId: string,
+  answers: Record<string, string>,
+): Promise<{ events: RecordedEv[]; assistantText: string }> {
+  console.log(`\n[memflow-e2e] ▶ ${label} — askAnswers: ${JSON.stringify(answers)}`)
+  const evs: RecordedEv[] = []
+  let assistantText = ''
+
+  const cb = async (msg: AgentCallbackMessage) => {
+    evs.push({
+      ts: Date.now() - startT,
+      type: msg.type,
+      name: msg.name,
+      id: msg.id,
+      content: typeof msg.content === 'string' ? msg.content.slice(0, 200) : undefined,
+    })
+    if (msg.type === 'text' && msg.content) {
+      assistantText += msg.content
+      process.stdout.write(msg.content)
+    } else if (msg.type === 'tool_result') {
+      console.log(`\n    [tool_result] is_error=${msg.is_error} out=${(msg.content || '').slice(0, 100)}`)
+    } else if (msg.type === 'result') {
+      console.log(`\n    [result]`)
+    } else if (msg.type === 'error') {
+      console.log(`\n    [error] ${msg.content}`)
+    }
+  }
+
+  await opencodeAcpRuntime.chatStream('', cb, {
+    conversationId,
+    envId,
+    userId,
+    cwd: WORKDIR,
+    model: 'moonshot/kimi-k2-0905-preview',
+    askAnswers: {
+      [toolCallId]: { toolCallId, answers },
+    },
+  })
+
+  const deadline = Date.now() + 120_000
+  while (Date.now() < deadline) {
+    if (evs.find((e) => e.type === 'result' || e.type === 'error')) break
+    await new Promise((r) => setTimeout(r, 200))
+  }
+
+  return { events: evs, assistantText }
+}
+
+// ── Turn 1: 自我介绍 ────────────────────────────────────────────────────
+const t1 = await runTurn('Turn 1 — 自我介绍', 'hello，我叫王小明')
+console.log()
+// 让 finalize 完成（messageBuilder 异步落库）
+await new Promise((r) => setTimeout(r, 2000))
+
+// ── Turn 2: 问名字（考察 cross-spawn 记忆）─────────────────────────────────
+const t2 = await runTurn('Turn 2 — 问名字', '我叫什么')
+console.log()
+await new Promise((r) => setTimeout(r, 2000))
+
+// ── Turn 3: 要求 AskUser ────────────────────────────────────────────────
+const t3 = await runTurn(
+  'Turn 3 — 请 LLM 用 AskUserQuestion 工具',
+  '请使用 AskUserQuestion 工具问我：question="1+1=?" header="Math" options=[{label:"2",description:"正确答案"},{label:"3",description:"错的"},{label:"4",description:"也错"}] multiSelect=false',
+)
+
+// 等 ask_user
+const askEv = t3.events.find((e) => e.type === 'ask_user')
+if (!askEv) {
+  console.error('\n[memflow-e2e] FAIL: Turn 3 没触发 ask_user')
+  console.log('events:', t3.events.slice(-10))
+  server.close()
+  process.exit(1)
+}
+console.log(`\n[memflow-e2e] ✓ Turn 3 ask_user received id=${askEv.id}`)
+
+// 检查 input 结构（严格对齐）
+const questions = (askEv.input as { questions: Array<{ header: string; options: Array<{ label: string }> }> }).questions
+const header = questions[0].header
+const chosenLabel = questions[0].options.find((o) => o.label === '2')?.label ?? questions[0].options[0].label
+console.log(`[memflow-e2e] simulating user answer: ${header}="${chosenLabel}"`)
+
+// ── Turn 3 Resume: 用户答 2 ──────────────────────────────────────────────
+const t3r = await resumeWithAnswers('Turn 3 resume — user answers "2"', askEv.id!, { [header]: chosenLabel })
+console.log()
+await new Promise((r) => setTimeout(r, 3000))
+
+// ── Turn 4: 总结 ──────────────────────────────────────────────────────────
+const t4 = await runTurn(
+  'Turn 4 — 总结',
+  '请总结一下我的名字，以及我们之前对话里发生了什么（我问了什么，你调了什么工具，我回答了什么）',
+)
+console.log()
+await new Promise((r) => setTimeout(r, 2000))
+
+// ── 验证 ──────────────────────────────────────────────────────────────
+console.log('\n\n[memflow-e2e] === validation ===')
+
+// A. Turn 2 文本是否含 "王小明"
+const t2MentionsName = /王小明/.test(t2.assistantText)
+
+// B. Turn 3 产生 ask_user
+const t3HasAskUser = !!askEv
+
+// C. Turn 3 resume 后有 tool_result
+const t3rHasToolResult = t3r.events.some((e) => e.type === 'tool_result')
+
+// D. Turn 4 同时含"王小明"和"1+1"或"2"
+const t4MentionsName = /王小明/.test(t4.assistantText)
+const t4MentionsMath = /1\+1|1\s*\+\s*1|问.*数学|数学.*问|算术|2\b/.test(t4.assistantText)
+
+// E. DB 状态检查
+const finalRecords = await persistenceService.loadDBMessages(conversationId, envId, userId, 50)
+console.log(`\n[memflow-e2e] final DB records: ${finalRecords.length}`)
+for (const r of finalRecords) {
+  const partsSig = r.parts
+    .map((p: UnifiedMessagePart) => {
+      if (p.contentType === 'text') return `text(${(p.content || '').slice(0, 30)}...)`
+      if (p.contentType === 'tool_call') return `tool_call(${p.metadata?.toolName}:${p.metadata?.status})`
+      if (p.contentType === 'tool_result') return `tool_result(${p.metadata?.status})`
+      return p.contentType
+    })
+    .join(', ')
+  console.log(`  - ${r.role} status=${r.status} parts=[${partsSig}]`)
+}
+
+const userCount = finalRecords.filter((r) => r.role === 'user').length
+const assistantCount = finalRecords.filter((r) => r.role === 'assistant').length
+const allDone = finalRecords.every((r) => r.status === 'done')
+
+// F. Turn 3 的 assistant record 应含 tool_call + tool_result
+const turn3Assistant = finalRecords.find(
+  (r) =>
+    r.role === 'assistant' &&
+    r.parts.some((p: UnifiedMessagePart) => p.contentType === 'tool_call' && p.metadata?.toolName === 'AskUserQuestion'),
+)
+const t3HasToolCallInDb = !!turn3Assistant
+const t3HasToolResultInDb = turn3Assistant?.parts.some((p: UnifiedMessagePart) => p.contentType === 'tool_result')
+
+console.log('\n[memflow-e2e] assertions:')
+console.log(`  Turn 2 回答含"王小明"（记忆穿透）:          ${t2MentionsName ? 'PASS' : 'FAIL'}`)
+console.log(`  Turn 3 触发 ask_user:                       ${t3HasAskUser ? 'PASS' : 'FAIL'}`)
+console.log(`  Turn 3 Resume 后 tool_result:               ${t3rHasToolResult ? 'PASS' : 'FAIL'}`)
+console.log(`  Turn 4 回答含"王小明":                      ${t4MentionsName ? 'PASS' : 'FAIL'}`)
+console.log(`  Turn 4 回答含"1+1"或"2"（记得工具交互）:    ${t4MentionsMath ? 'PASS' : 'FAIL'}`)
+console.log(`  DB user records == 4:                       ${userCount === 4 ? 'PASS' : 'FAIL'} (${userCount})`)
+console.log(`  DB assistant records == 4:                  ${assistantCount === 4 ? 'PASS' : 'FAIL'} (${assistantCount})`)
+console.log(`  DB 全部 status=done:                        ${allDone ? 'PASS' : 'FAIL'}`)
+console.log(`  Turn 3 assistant 含 AskUserQuestion tool_call: ${t3HasToolCallInDb ? 'PASS' : 'FAIL'}`)
+console.log(`  Turn 3 assistant 含 tool_result:            ${t3HasToolResultInDb ? 'PASS' : 'FAIL'}`)
+
+// 清理
+try {
+  await persistenceService.deleteConversationMessages(conversationId, envId, userId)
+} catch {
+  /* noop */
+}
+
+const overall =
+  t2MentionsName &&
+  t3HasAskUser &&
+  t3rHasToolResult &&
+  t4MentionsName &&
+  t4MentionsMath &&
+  userCount === 4 &&
+  assistantCount === 4 &&
+  allDone &&
+  t3HasToolCallInDb &&
+  !!t3HasToolResultInDb
+
+console.log(`\n[memflow-e2e] OVERALL: ${overall ? 'PASS' : 'FAIL'}`)
+
+// 打印关键文本摘要供人工观察
+console.log('\n[memflow-e2e] assistant replies summary:')
+console.log(`  T1 text (${t1.assistantText.length} chars): ${t1.assistantText.slice(0, 120)}...`)
+console.log(`  T2 text (${t2.assistantText.length} chars): ${t2.assistantText.slice(0, 200)}`)
+console.log(`  T3 text (${t3.assistantText.length} chars): ${t3.assistantText.slice(0, 120)}`)
+console.log(`  T3r text (${t3r.assistantText.length} chars): ${t3r.assistantText.slice(0, 200)}`)
+console.log(`  T4 text (${t4.assistantText.length} chars): ${t4.assistantText.slice(0, 400)}`)
+
+server.close()
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index fc2b7cf..3c57798 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -46,7 +46,7 @@ import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
 import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
-import { OpencodeMessageBuilder, findLastRecordIds } from './opencode-message-builder.js'
+import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt } from './opencode-message-builder.js'
 import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { spawn } from 'node:child_process'
 import os from 'node:os'
@@ -291,9 +291,14 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     // 记录本轮的 liveCallback（resume 时可替换，因为 SSE 流可能已更新）
     registerLiveCallback(conversationId, callback)
 
-    this.launchAgent(prompt, callback, options, conversationId, turnId, abortController).catch((err) => {
-      console.error('[OpencodeAcpRuntime] background agent error:', err)
-    })
+    // 本轮预存的 user/assistant record ids（用于 buildHistoryContextPrompt 排除）
+    const currentRecordIds = preSaved ? new Set<string>([preSaved.userRecordId, preSaved.assistantRecordId]) : undefined
+
+    this.launchAgent(prompt, callback, options, conversationId, turnId, abortController, currentRecordIds).catch(
+      (err) => {
+        console.error('[OpencodeAcpRuntime] background agent error:', err)
+      },
+    )
 
     return { turnId, alreadyRunning: false }
   }
@@ -305,6 +310,7 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
     conversationId: string,
     turnId: string,
     abortController: AbortController,
+    excludeHistoryRecordIds?: ReadonlySet<string>,
   ): Promise<void> {
     const envId = options.envId || ''
     const userId = options.userId || 'anonymous'
@@ -467,9 +473,20 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       }
 
       // 9. 发送 prompt（阻塞直到完成）
+      //
+      // OpenCode 每次新 session 是空白上下文，如果之前 conversation 有历史消息，
+      // 把它们作为 context prefix 拼到本轮 prompt 前面，让 LLM 能做多轮记忆。
+      //
+      // 注意：Resume 场景（toolConfirmation/askAnswers）不会走到这里（早 return 了），
+      // 所以 resume 时用的是原 opencode session 自带的上下文，不需要重新注入。
+      const contextPrompt = envId
+        ? await buildHistoryContextPrompt(conversationId, envId, userId, prompt, {
+            excludeRecordIds: excludeHistoryRecordIds,
+          })
+        : prompt
       const promptRes = await conn.prompt({
         sessionId: opencodeSessionId,
-        prompt: [{ type: 'text', text: prompt }],
+        prompt: [{ type: 'text', text: contextPrompt }],
       })
 
       await emit({ type: 'agent_phase', phase: 'idle' })
diff --git a/packages/server/src/agent/runtime/opencode-message-builder.ts b/packages/server/src/agent/runtime/opencode-message-builder.ts
index 0d2fb64..ea77a08 100644
--- a/packages/server/src/agent/runtime/opencode-message-builder.ts
+++ b/packages/server/src/agent/runtime/opencode-message-builder.ts
@@ -280,6 +280,82 @@ export async function findLastRecordIds(
   }
 }
 
+/**
+ * 从 DB 读最近 N 轮历史对话，构造一个 "context prompt prefix" 让新建的 opencode
+ * session 看到之前的上下文。
+ *
+ * 为什么需要：OpenCode 每次 chatStream 都 newSession（空白上下文）。如果不注入
+ * 历史，LLM 无法回答"上一轮我说过什么"。
+ *
+ * 格式（人类可读、模型容易理解的 transcript）：
+ *   Below is the prior conversation history. Please take it into account when
+ *   responding to the new user message.
+ *
+ *   [History]
+ *   User: 你好，我叫王小明
+ *   Assistant: 你好王小明，有什么我可以帮你的？
+ *   Tool call: AskUserQuestion(...)
+ *   Tool result: User answered: 1+1=2
+ *
+ *   [Current user message]
+ *   <实际 prompt>
+ *
+ * 只截取文本 + 工具调用摘要，避免塞太长的 tool output 到 context。
+ */
+export async function buildHistoryContextPrompt(
+  conversationId: string,
+  envId: string,
+  userId: string,
+  newPrompt: string,
+  opts: { maxHistoryRecords?: number; excludeRecordIds?: ReadonlySet<string> } = {},
+): Promise<string> {
+  const { maxHistoryRecords = 20, excludeRecordIds } = opts
+  if (!envId || !conversationId) return newPrompt
+
+  try {
+    const records = await persistenceService.loadDBMessages(conversationId, envId, userId, maxHistoryRecords)
+    if (records.length === 0) return newPrompt
+
+    const lines: string[] = []
+    for (const r of records) {
+      // 排除本轮刚 preSave 的 record（user 已 done 但不是历史；assistant 是空 pending）
+      if (excludeRecordIds?.has(r.recordId)) continue
+      // 跳过未完成的（pending/error/cancel）record，它们的 parts 不可靠
+      if (r.status !== 'done') continue
+
+      const roleLabel = r.role === 'user' ? 'User' : 'Assistant'
+      // 遍历 parts，把 text / tool_call / tool_result 都转为可读摘要
+      for (const p of r.parts || []) {
+        if (p.contentType === 'text' && p.content) {
+          lines.push(`${roleLabel}: ${p.content.trim()}`)
+        } else if (p.contentType === 'reasoning' && p.content) {
+          // thinking 段不放进 context（太长且 LLM 已经消化过了）
+          continue
+        } else if (p.contentType === 'tool_call') {
+          const toolName = (p.metadata?.toolName as string) ?? (p.metadata?.toolCallName as string) ?? 'tool'
+          const inputPreview =
+            typeof p.content === 'string'
+              ? p.content.slice(0, 200)
+              : JSON.stringify(p.metadata?.input ?? {}).slice(0, 200)
+          lines.push(`(tool_call: ${toolName} ${inputPreview})`)
+        } else if (p.contentType === 'tool_result') {
+          const outputPreview = typeof p.content === 'string' ? p.content.slice(0, 300) : ''
+          const status = (p.metadata?.status as string) ?? ''
+          lines.push(`(tool_result[${status}]: ${outputPreview})`)
+        }
+      }
+    }
+
+    if (lines.length === 0) return newPrompt
+
+    const header = 'Below is the prior conversation history for this session. Use it as context when responding.'
+    return `${header}\n\n[History]\n${lines.join('\n')}\n\n[Current user message]\n${newPrompt}`
+  } catch (e) {
+    console.warn('[buildHistoryContextPrompt] failed, falling back to raw prompt:', (e as Error).message)
+    return newPrompt
+  }
+}
+
 /**
  * 避免 tsc 类型未引用警告
  */

From 59ca6b2c9d8c91607e9ae27228f41f59ae7dd018 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sun, 3 May 2026 01:12:36 +0800
Subject: [PATCH 10/33] =?UTF-8?q?refactor(agent):=20=E4=B8=89=E9=A1=B9?=
 =?UTF-8?q?=E5=80=9F=E9=89=B4=20open-design=20=E7=9A=84=E4=BC=98=E5=8C=96?=
 =?UTF-8?q?=EF=BC=88=E5=85=A8=E9=83=A8=20TDD=EF=BC=8C27=20=E4=B8=AA?=
 =?UTF-8?q?=E5=8D=95=E5=85=83=E6=B5=8B=E8=AF=95=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

优先级顺序：搭测试基础设施 → buildHistoryContextPrompt 格式 → fallbackBins

## 优化 1：vitest 单元测试基础设施（优化3）

packages/server 加 vitest@^3.2.0，vitest.config.ts + scripts，
tsconfig.json exclude __tests__ 目录（不参与 server tsc 编译）。
baseline 1 个测试验证配置正确。

## 优化 2：buildHistoryContextPrompt 格式改进（优化2，借鉴 open-design server.ts）

旧格式：
  User: 你好
  (tool_call: AskUserQuestion {"questions":[...]})  ← JSON 截到 200 字符可能断截

新格式（Markdown 分层，turn 编号，安全截断）：
  ## Turn 1
  **User:** 你好
  **Assistant:** 很好！
  [Tool call] AskUserQuestion
    params: question, header, options  ← 只有参数名，无参数值（不会断截）
  [Tool result] AskUserQuestion — completed (32 bytes)  ← 只有摘要，无原始内容
  ---
  ## Current user message
  <new prompt>

单元测试 16 个（buildHistoryContextPrompt.test.ts）：
  空历史/envId空/全排除/DB异常 → fallback 到原 prompt
  turn 编号/Markdown 前缀/--- 分隔
  tool_call 安全截断（含参数名、不含参数值）
  tool_result 摘要（name + status + bytes）
  reasoning 跳过 / pending record 跳过 / excludeRecordIds

e2e 验证：test-opencode-runtime.mts PASS + memory-flow LLM 正确记住名字/工具/答案。

## 优化 3：fallbackBins + resolveOnPath（优化1，借鉴 open-design agents.ts）

统一 bin 解析，消除两份独立常量（acp-transport 和 runtime 各自的 OPENCODE_BIN）：
  - 新增 resolveOnPath(bin)：同步 existsSync，无子进程
  - 新增 getResolvedBin()：模块级缓存；fallback 顺序：
      OPENCODE_BIN env → 'opencode' → 'opencode-ai'
  - 删除 runtime 的独立 OPENCODE_BIN 常量
  - isAvailable() 改为 getResolvedBin() !== null（同步，快）
  - spawnLocalOpencode 用 getResolvedBin()；找不到时友好错误信息

单元测试 10 个（resolveOnPath.test.ts）：
  vi.mock('node:fs') + vi.stubEnv 控制 PATH/OPENCODE_BIN
  PATH 找到/找不到/空 PATH / OPENCODE_BIN env override(存在/不存在) /
  fallback chain / isAvailable true/false

e2e 验证：test-opencode-runtime.mts PASS（spawn 不 break）

## 测试汇总

vitest 单元测试：27 passed
  - baseline: 1
  - buildHistoryContextPrompt: 16
  - resolveOnPath: 10
e2e: test-opencode-runtime PASS

type-check / lint / build / format 全通过
---
 packages/server/package.json                  |   7 +-
 .../agent/runtime/__tests__/baseline.test.ts  |   9 +
 .../buildHistoryContextPrompt.test.ts         | 241 ++++++++++++++
 .../runtime/__tests__/resolveOnPath.test.ts   | 122 +++++++
 .../server/src/agent/runtime/acp-transport.ts |  92 +++++-
 .../src/agent/runtime/opencode-acp-runtime.ts |  32 +-
 .../agent/runtime/opencode-message-builder.ts | 100 ++++--
 packages/server/tsconfig.json                 |   5 +-
 packages/server/vitest.config.ts              |  15 +
 pnpm-lock.yaml                                | 302 ++++++++++++++++++
 10 files changed, 861 insertions(+), 64 deletions(-)
 create mode 100644 packages/server/src/agent/runtime/__tests__/baseline.test.ts
 create mode 100644 packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts
 create mode 100644 packages/server/src/agent/runtime/__tests__/resolveOnPath.test.ts
 create mode 100644 packages/server/vitest.config.ts

diff --git a/packages/server/package.json b/packages/server/package.json
index 9984da6..2ae4d77 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -11,7 +11,9 @@
   "scripts": {
     "dev": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting --silent && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting --silent && DOTENVX_PATH=.env tsx watch --env-file=.env src/index.ts",
     "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/index.ts --format esm --target node22 && mkdir -p dist/agent/runtime/opencode-tool-templates && cp src/agent/runtime/opencode-tool-templates/*.ts dist/agent/runtime/opencode-tool-templates/",
-    "start": "node dist/index.js"
+    "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest"
   },
   "dependencies": {
     "@agentclientprotocol/sdk": "^0.21.0",
@@ -47,6 +49,7 @@
     "@types/uuid": "^11.0.0",
     "tsup": "^8.0.0",
     "tsx": "^4.21.0",
-    "typescript": "~5.7.0"
+    "typescript": "~5.7.0",
+    "vitest": "^3.2.0"
   }
 }
\ No newline at end of file
diff --git a/packages/server/src/agent/runtime/__tests__/baseline.test.ts b/packages/server/src/agent/runtime/__tests__/baseline.test.ts
new file mode 100644
index 0000000..bbcba5f
--- /dev/null
+++ b/packages/server/src/agent/runtime/__tests__/baseline.test.ts
@@ -0,0 +1,9 @@
+// placeholder — 这个文件仅用于验证 vitest 配置正确
+// 真正的测试在 buildHistoryContextPrompt.test.ts 和 resolveOnPath.test.ts
+import { describe, it, expect } from 'vitest'
+
+describe('vitest baseline', () => {
+  it('works', () => {
+    expect(1 + 1).toBe(2)
+  })
+})
diff --git a/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts b/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts
new file mode 100644
index 0000000..43229ee
--- /dev/null
+++ b/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts
@@ -0,0 +1,241 @@
+/**
+ * 单元测试：buildHistoryContextPrompt
+ *
+ * 全部 mock persistenceService，不依赖 LLM / CloudBase / TCB。
+ * 测试粒度：精确 toContain，不用 snapshot（snapshot 对换行太脆）。
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+// ─── Mock persistence service ───────────────────────────────────────────────
+vi.mock('../../persistence.service.js', () => ({
+  persistenceService: {
+    loadDBMessages: vi.fn(),
+  },
+}))
+
+// 延迟 import，确保 mock 先就绪
+const { buildHistoryContextPrompt } = await import('../opencode-message-builder.js')
+const { persistenceService } = await import('../../persistence.service.js')
+
+// ─── Helper types (mirror UnifiedMessageRecord subset) ───────────────────────
+function makeRecord(
+  recordId: string,
+  role: 'user' | 'assistant',
+  status: 'done' | 'pending' | 'error' | 'cancel',
+  parts: Array<{ contentType: string; content?: string; metadata?: Record<string, unknown>; toolCallId?: string }>,
+) {
+  return { recordId, role, status, parts }
+}
+
+function textPart(content: string) {
+  return { contentType: 'text', content }
+}
+
+function reasoningPart(content: string) {
+  return { contentType: 'reasoning', content }
+}
+
+function toolCallPart(
+  toolName: string,
+  input: Record<string, unknown>,
+  toolCallId = 'tc-1',
+) {
+  return {
+    contentType: 'tool_call',
+    content: JSON.stringify(input),
+    toolCallId,
+    metadata: { toolName, toolCallName: toolName, input },
+  }
+}
+
+function toolResultPart(toolName: string, output: string, status = 'completed', toolCallId = 'tc-1') {
+  return {
+    contentType: 'tool_result',
+    content: output,
+    toolCallId,
+    metadata: { toolName, status },
+  }
+}
+
+const CONV = 'conv-1'
+const ENV = 'env-1'
+const USER = 'user-1'
+const PROMPT = 'What should I do next?'
+
+// ─── Tests ─────────────────────────────────────────────────────────────────
+
+describe('buildHistoryContextPrompt', () => {
+  beforeEach(() => {
+    vi.mocked(persistenceService.loadDBMessages).mockReset()
+  })
+
+  // ── no-op cases ──────────────────────────────────────────────────────────
+
+  it('returns raw prompt when envId is empty', async () => {
+    const result = await buildHistoryContextPrompt(CONV, '', USER, PROMPT)
+    expect(result).toBe(PROMPT)
+    expect(persistenceService.loadDBMessages).not.toHaveBeenCalled()
+  })
+
+  it('returns raw prompt when conversationId is empty', async () => {
+    const result = await buildHistoryContextPrompt('', ENV, USER, PROMPT)
+    expect(result).toBe(PROMPT)
+  })
+
+  it('returns raw prompt when loadDBMessages returns empty array', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toBe(PROMPT)
+  })
+
+  it('returns raw prompt when all records are excluded', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('hello')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT, {
+      excludeRecordIds: new Set(['r1']),
+    })
+    expect(result).toBe(PROMPT)
+  })
+
+  it('returns raw prompt when loadDBMessages throws', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockRejectedValueOnce(new Error('db error'))
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toBe(PROMPT)
+  })
+
+  // ── format checks ─────────────────────────────────────────────────────────
+
+  it('single turn: contains Turn 1 heading', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('hello')]),
+      makeRecord('r2', 'assistant', 'done', [textPart('hi there')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('## Turn 1')
+  })
+
+  it('single turn: user text prefixed with **User:**', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('hello world')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('**User:** hello world')
+  })
+
+  it('single turn: assistant text prefixed with **Assistant:**', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r2', 'assistant', 'done', [textPart('reply text')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('**Assistant:** reply text')
+  })
+
+  it('multiple turns: contains Turn 1 and Turn 2', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('first')]),
+      makeRecord('r2', 'assistant', 'done', [textPart('ok1')]),
+      makeRecord('r3', 'user', 'done', [textPart('second')]),
+      makeRecord('r4', 'assistant', 'done', [textPart('ok2')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('## Turn 1')
+    expect(result).toContain('## Turn 2')
+  })
+
+  it('multiple turns: --- separator between turns', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('first')]),
+      makeRecord('r2', 'assistant', 'done', [textPart('ok1')]),
+      makeRecord('r3', 'user', 'done', [textPart('second')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    // 应该有多个 --- 分隔（turn 之间 + current message 前）
+    const separators = result.match(/^---$/gm)
+    expect(separators?.length).toBeGreaterThanOrEqual(2)
+  })
+
+  it('contains "Current user message" section with new prompt', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('hello')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('## Current user message')
+    expect(result).toContain(PROMPT)
+  })
+
+  // ── tool_call ─────────────────────────────────────────────────────────────
+
+  it('tool_call: shows tool name and param keys, NOT param values', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'assistant', 'done', [
+        toolCallPart('write', { path: '/secret/file.txt', content: 'topsecret' }),
+      ]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    // 工具名显示
+    expect(result).toContain('[Tool call] write')
+    // 参数名显示
+    expect(result).toContain('path')
+    expect(result).toContain('content')
+    // 参数值不显示
+    expect(result).not.toContain('/secret/file.txt')
+    expect(result).not.toContain('topsecret')
+  })
+
+  // ── tool_result ───────────────────────────────────────────────────────────
+
+  it('tool_result: shows name, status and byte count, NOT raw content', async () => {
+    const longOutput = 'a'.repeat(500)
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'assistant', 'done', [
+        toolCallPart('read', { path: 'x.txt' }),
+        toolResultPart('read', longOutput, 'completed'),
+      ]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('[Tool result] read')
+    expect(result).toContain('completed')
+    expect(result).toContain('500 bytes')
+    // 原始内容不应出现
+    expect(result).not.toContain(longOutput.slice(0, 50))
+  })
+
+  // ── filtering ─────────────────────────────────────────────────────────────
+
+  it('reasoning part is NOT included in context', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'assistant', 'done', [
+        reasoningPart('my secret thinking process'),
+        textPart('final answer'),
+      ]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).not.toContain('my secret thinking process')
+    expect(result).toContain('final answer')
+  })
+
+  it('pending/error/cancel records are skipped', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('good')]),
+      makeRecord('r2', 'assistant', 'pending', [textPart('should not appear')]),
+      makeRecord('r3', 'assistant', 'error', [textPart('error msg')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
+    expect(result).toContain('good')
+    expect(result).not.toContain('should not appear')
+    expect(result).not.toContain('error msg')
+  })
+
+  it('excludeRecordIds skips specific records', async () => {
+    vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
+      makeRecord('r1', 'user', 'done', [textPart('old message')]),
+      makeRecord('r2', 'user', 'done', [textPart('new prompt - excluded')]),
+    ])
+    const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT, {
+      excludeRecordIds: new Set(['r2']),
+    })
+    expect(result).toContain('old message')
+    expect(result).not.toContain('new prompt - excluded')
+  })
+})
diff --git a/packages/server/src/agent/runtime/__tests__/resolveOnPath.test.ts b/packages/server/src/agent/runtime/__tests__/resolveOnPath.test.ts
new file mode 100644
index 0000000..22dfaff
--- /dev/null
+++ b/packages/server/src/agent/runtime/__tests__/resolveOnPath.test.ts
@@ -0,0 +1,122 @@
+/**
+ * 单元测试：resolveOnPath / tryBins / getResolvedBin
+ *
+ * 用 vi.mock + vi.mocked 控制 fs.existsSync，vi.stubEnv 控制 PATH / OPENCODE_BIN。
+ * 全程无真实 PATH 扫描、无子进程。
+ *
+ * 注意：vi.resetModules() 在每个 it 前清空 acp-transport 的模块缓存，
+ *       确保每次 import 都拿到新实例（新的 _resolvedBin 缓存）。
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+
+// Mock node:fs 整体，这样 existsSync 可被控制
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('node:fs')>()
+  return {
+    ...actual,
+    existsSync: vi.fn(),
+  }
+})
+
+import * as fs from 'node:fs'
+
+describe('resolveOnPath + getResolvedBin', () => {
+  beforeEach(() => {
+    vi.resetModules()
+    vi.unstubAllEnvs()
+    vi.mocked(fs.existsSync).mockReturnValue(false)
+  })
+
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  // ── resolveOnPath ──────────────────────────────────────────────────────────
+
+  it('resolveOnPath returns absolute path when bin found in PATH', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin:/usr/bin')
+    vi.mocked(fs.existsSync).mockImplementation((p) => p === '/usr/local/bin/opencode')
+    const { resolveOnPath } = await import('../acp-transport.js')
+    expect(resolveOnPath('opencode')).toBe('/usr/local/bin/opencode')
+  })
+
+  it('resolveOnPath returns null when bin not found in any PATH dir', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin:/usr/bin')
+    vi.mocked(fs.existsSync).mockReturnValue(false)
+    const { resolveOnPath } = await import('../acp-transport.js')
+    expect(resolveOnPath('opencode')).toBeNull()
+  })
+
+  it('resolveOnPath returns null when PATH is empty', async () => {
+    vi.stubEnv('PATH', '')
+    const { resolveOnPath } = await import('../acp-transport.js')
+    expect(resolveOnPath('opencode')).toBeNull()
+  })
+
+  // ── getResolvedBin: OPENCODE_BIN env override ──────────────────────────────
+
+  it('getResolvedBin returns OPENCODE_BIN env if it exists on disk', async () => {
+    vi.stubEnv('OPENCODE_BIN', '/opt/custom/opencode')
+    vi.mocked(fs.existsSync).mockImplementation((p) => p === '/opt/custom/opencode')
+    const { getResolvedBin } = await import('../acp-transport.js')
+    expect(getResolvedBin()).toBe('/opt/custom/opencode')
+  })
+
+  it('getResolvedBin skips OPENCODE_BIN env if file does not exist, falls back to PATH', async () => {
+    vi.stubEnv('OPENCODE_BIN', '/opt/custom/opencode')
+    vi.stubEnv('PATH', '/usr/local/bin')
+    vi.mocked(fs.existsSync).mockImplementation((p) => p === '/usr/local/bin/opencode')
+    const { getResolvedBin } = await import('../acp-transport.js')
+    expect(getResolvedBin()).toBe('/usr/local/bin/opencode')
+  })
+
+  // ── getResolvedBin: fallback chain ─────────────────────────────────────────
+
+  it('getResolvedBin finds "opencode" before fallback "opencode-ai"', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin')
+    vi.mocked(fs.existsSync).mockImplementation((p) => p === '/usr/local/bin/opencode')
+    const { getResolvedBin } = await import('../acp-transport.js')
+    expect(getResolvedBin()).toBe('/usr/local/bin/opencode')
+  })
+
+  it('getResolvedBin falls back to "opencode-ai" when "opencode" is absent', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin')
+    vi.mocked(fs.existsSync).mockImplementation((p) => p === '/usr/local/bin/opencode-ai')
+    const { getResolvedBin } = await import('../acp-transport.js')
+    expect(getResolvedBin()).toBe('/usr/local/bin/opencode-ai')
+  })
+
+  it('getResolvedBin returns null when all bins absent', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin')
+    vi.mocked(fs.existsSync).mockReturnValue(false)
+    const { getResolvedBin } = await import('../acp-transport.js')
+    expect(getResolvedBin()).toBeNull()
+  })
+})
+
+describe('isAvailable via getResolvedBin', () => {
+  beforeEach(() => {
+    vi.resetModules()
+    vi.unstubAllEnvs()
+    vi.mocked(fs.existsSync).mockReturnValue(false)
+  })
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('isAvailable returns true when getResolvedBin finds opencode', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin')
+    vi.mocked(fs.existsSync).mockImplementation((p) => p === '/usr/local/bin/opencode')
+    const { OpencodeAcpRuntime } = await import('../opencode-acp-runtime.js')
+    const rt = new OpencodeAcpRuntime()
+    expect(await rt.isAvailable()).toBe(true)
+  })
+
+  it('isAvailable returns false when getResolvedBin cannot find any opencode bin', async () => {
+    vi.stubEnv('PATH', '/usr/local/bin')
+    vi.mocked(fs.existsSync).mockReturnValue(false)
+    const { OpencodeAcpRuntime } = await import('../opencode-acp-runtime.js')
+    const rt = new OpencodeAcpRuntime()
+    expect(await rt.isAvailable()).toBe(false)
+  })
+})
diff --git a/packages/server/src/agent/runtime/acp-transport.ts b/packages/server/src/agent/runtime/acp-transport.ts
index 907ef29..7be6712 100644
--- a/packages/server/src/agent/runtime/acp-transport.ts
+++ b/packages/server/src/agent/runtime/acp-transport.ts
@@ -16,8 +16,88 @@
  */
 
 import { spawn, type ChildProcessWithoutNullStreams } from 'node:child_process'
+import { existsSync } from 'node:fs'
+import { delimiter } from 'node:path'
+import path from 'node:path'
 import { ndJsonStream, type Stream } from '@agentclientprotocol/sdk'
 
+// ─── Bin resolution ─────────────────────────────────────────────────────────
+
+/**
+ * 在 PATH 各目录下查找指定 bin 名，返回第一个命中的**绝对路径**，找不到返回 null。
+ * 纯同步 fs 检查，无子进程。
+ */
+export function resolveOnPath(bin: string): string | null {
+  const dirs = (process.env.PATH ?? '').split(delimiter)
+  const exts = process.platform === 'win32' ? (process.env.PATHEXT ?? '.EXE;.CMD;.BAT').split(';') : ['']
+  for (const dir of dirs) {
+    if (!dir) continue
+    for (const ext of exts) {
+      const full = path.join(dir, bin + ext)
+      if (existsSync(full)) return full
+    }
+  }
+  return null
+}
+
+/**
+ * Fallback 候选列表（按优先级排列）。
+ *
+ *   1. OPENCODE_BIN env：允许完全覆盖（绝对路径或 bin 名均可）
+ *   2. 'opencode'：官方包名
+ *   3. 'opencode-ai'：npm 包名（`npm i -g opencode-ai` 安装后 bin 叫 opencode-ai）
+ */
+const OPENCODE_BIN_CANDIDATES = ['opencode', 'opencode-ai'] as const
+
+/**
+ * 模块级缓存。undefined = 未初始化；null = 找不到；string = 解析到的绝对路径。
+ * 第一次调用时扫 PATH，此后 O(1) 返回。
+ */
+let _resolvedBin: string | null | undefined = undefined
+
+/**
+ * 解析可用的 opencode 可执行路径。
+ *
+ * 优先级：
+ *   1. OPENCODE_BIN env（如果是绝对路径且存在，直接返回；否则当 bin 名走 resolveOnPath）
+ *   2. 按 OPENCODE_BIN_CANDIDATES 顺序在 PATH 里查找
+ *
+ * 结果被模块级缓存，进程内只扫一次。测试时通过 vi.resetModules() 清除缓存。
+ */
+export function getResolvedBin(): string | null {
+  if (_resolvedBin !== undefined) return _resolvedBin
+
+  const envOverride = process.env.OPENCODE_BIN
+  if (envOverride) {
+    // 如果是绝对路径，直接检查；否则当 bin 名走 resolveOnPath
+    if (path.isAbsolute(envOverride)) {
+      if (existsSync(envOverride)) {
+        _resolvedBin = envOverride
+        return _resolvedBin
+      }
+      // env 里的绝对路径不存在 → 降到 fallback 继续找
+    } else {
+      const resolved = resolveOnPath(envOverride)
+      if (resolved) {
+        _resolvedBin = resolved
+        return _resolvedBin
+      }
+    }
+  }
+
+  // Fallback 候选
+  for (const bin of OPENCODE_BIN_CANDIDATES) {
+    const resolved = resolveOnPath(bin)
+    if (resolved) {
+      _resolvedBin = resolved
+      return _resolvedBin
+    }
+  }
+
+  _resolvedBin = null
+  return null
+}
+
 // ─── Core Interfaces ────────────────────────────────────────────────────────
 
 export interface AcpTransport {
@@ -49,7 +129,6 @@ export type AcpTransportFactory = (ctx: AcpTransportFactoryContext) => Promise<A
 
 // ─── Local stdio transport ──────────────────────────────────────────────────
 
-const LOCAL_OPENCODE_BIN = process.env.OPENCODE_BIN || 'opencode'
 const LOCAL_SPAWN_TIMEOUT_MS = 15_000
 
 export const createLocalStdioTransport: AcpTransportFactory = async (ctx) => {
@@ -109,8 +188,17 @@ async function spawnLocalOpencode(
   debug: boolean,
   extraEnv?: Record<string, string>,
 ): Promise<ChildProcessWithoutNullStreams> {
+  // 用 getResolvedBin() 代替之前的硬编码常量，支持 fallback 候选
+  const bin = getResolvedBin()
+  if (!bin) {
+    throw new Error(
+      `opencode CLI not found. Install via: npm i -g opencode-ai\n` +
+        `Or set OPENCODE_BIN env to the absolute path.`,
+    )
+  }
+
   return new Promise((resolve, reject) => {
-    const child = spawn(LOCAL_OPENCODE_BIN, ['acp', '--cwd', cwd], {
+    const child = spawn(bin, ['acp', '--cwd', cwd], {
       stdio: ['pipe', 'pipe', 'pipe'],
       env: { ...process.env, ...(extraEnv ?? {}) },
     })
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 3c57798..dd1a91d 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -42,20 +42,20 @@ import {
 } from '../agent-registry.js'
 import { persistenceService } from '../persistence.service.js'
 import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
-import { getAcpTransportFactory, type AcpTransport } from './acp-transport.js'
+import { getAcpTransportFactory, getResolvedBin, type AcpTransport } from './acp-transport.js'
 import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
 import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt } from './opencode-message-builder.js'
 import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
-import { spawn } from 'node:child_process'
 import os from 'node:os'
 import path from 'node:path'
 import fs from 'node:fs'
 
 // ─── Config ──────────────────────────────────────────────────────────────
 
-const OPENCODE_BIN = process.env.OPENCODE_BIN || 'opencode'
+// OPENCODE_BIN 常量已删除——统一使用 acp-transport.ts 的 getResolvedBin()
+// 好处：单一权威来源，isAvailable() 与 spawn 使用同一路径，支持 fallback 候选
 const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'moonshot/kimi-k2-0905-preview'
 
 /** 沙箱内工作目录（agent 看到的"当前目录"概念）。相对路径工具都会以此为根。 */
@@ -170,29 +170,9 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
   readonly name = 'opencode-acp'
 
   async isAvailable(): Promise<boolean> {
-    return new Promise((resolve) => {
-      try {
-        const child = spawn(OPENCODE_BIN, ['--version'], { stdio: 'ignore' })
-        const timer = setTimeout(() => {
-          try {
-            child.kill('SIGKILL')
-          } catch {
-            /* noop */
-          }
-          resolve(false)
-        }, 3000)
-        child.on('exit', (code) => {
-          clearTimeout(timer)
-          resolve(code === 0)
-        })
-        child.on('error', () => {
-          clearTimeout(timer)
-          resolve(false)
-        })
-      } catch {
-        resolve(false)
-      }
-    })
+    // getResolvedBin() 是纯同步 existsSync，不需要子进程 --version
+    // 优点：更快（无 spawn 开销）、更可靠（不受 PATH 环境变量/shell 变更影响）
+    return getResolvedBin() !== null
   }
 
   async getSupportedModels(): Promise<ModelInfo[]> {
diff --git a/packages/server/src/agent/runtime/opencode-message-builder.ts b/packages/server/src/agent/runtime/opencode-message-builder.ts
index ea77a08..2df2dbd 100644
--- a/packages/server/src/agent/runtime/opencode-message-builder.ts
+++ b/packages/server/src/agent/runtime/opencode-message-builder.ts
@@ -287,20 +287,32 @@ export async function findLastRecordIds(
  * 为什么需要：OpenCode 每次 chatStream 都 newSession（空白上下文）。如果不注入
  * 历史，LLM 无法回答"上一轮我说过什么"。
  *
- * 格式（人类可读、模型容易理解的 transcript）：
- *   Below is the prior conversation history. Please take it into account when
- *   responding to the new user message.
+ * 格式（Markdown 分层，模型自然理解）：
+ *   Below is the prior conversation history. Use it as context when responding.
  *
- *   [History]
- *   User: 你好，我叫王小明
- *   Assistant: 你好王小明，有什么我可以帮你的？
- *   Tool call: AskUserQuestion(...)
- *   Tool result: User answered: 1+1=2
+ *   ---
+ *
+ *   ## Turn 1
+ *
+ *   **User:** 你好，我叫王小明
+ *
+ *   **Assistant:** 你好王小明，有什么我可以帮你的？
+ *
+ *   [Tool call] AskUserQuestion
+ *     params: question, header, options, multiSelect
+ *
+ *   [Tool result] AskUserQuestion — completed (28 bytes)
+ *
+ *   ---
+ *
+ *   ## Current user message
  *
- *   [Current user message]
  *   <实际 prompt>
  *
- * 只截取文本 + 工具调用摘要，避免塞太长的 tool output 到 context。
+ * 安全截断策略：
+ *   - tool_call：只输出工具名 + 参数名列表，**不包含参数值**（避免 JSON 截断半截）
+ *   - tool_result：输出工具名 + status + 字节数，**不输出原始内容**（避免 context 爆表）
+ *   - reasoning：完全跳过（LLM 已消化，再放进去是噪声）
  */
 export async function buildHistoryContextPrompt(
   conversationId: string,
@@ -316,40 +328,62 @@ export async function buildHistoryContextPrompt(
     const records = await persistenceService.loadDBMessages(conversationId, envId, userId, maxHistoryRecords)
     if (records.length === 0) return newPrompt
 
-    const lines: string[] = []
-    for (const r of records) {
-      // 排除本轮刚 preSave 的 record（user 已 done 但不是历史；assistant 是空 pending）
-      if (excludeRecordIds?.has(r.recordId)) continue
-      // 跳过未完成的（pending/error/cancel）record，它们的 parts 不可靠
-      if (r.status !== 'done') continue
+    // 过滤掉被排除的 record 和非 done 状态
+    const usableRecords = records.filter((r) => {
+      if (excludeRecordIds?.has(r.recordId)) return false
+      if (r.status !== 'done') return false
+      return true
+    })
+
+    if (usableRecords.length === 0) return newPrompt
+
+    // 把 records 按"user + 其后的 assistant"分组成 turns
+    // 策略：遇到 user record 就开启新 turn（turn number 随之递增）
+    const sections: string[] = []
+    let turnNumber = 0
+    let currentTurnLines: string[] = []
+
+    const flushTurn = () => {
+      if (currentTurnLines.length === 0) return
+      sections.push(`## Turn ${turnNumber}\n\n${currentTurnLines.join('\n\n')}`)
+      currentTurnLines = []
+    }
+
+    for (const r of usableRecords) {
+      if (r.role === 'user') {
+        // 开新 turn
+        flushTurn()
+        turnNumber += 1
+        currentTurnLines = []
+      }
 
-      const roleLabel = r.role === 'user' ? 'User' : 'Assistant'
-      // 遍历 parts，把 text / tool_call / tool_result 都转为可读摘要
       for (const p of r.parts || []) {
         if (p.contentType === 'text' && p.content) {
-          lines.push(`${roleLabel}: ${p.content.trim()}`)
-        } else if (p.contentType === 'reasoning' && p.content) {
-          // thinking 段不放进 context（太长且 LLM 已经消化过了）
-          continue
+          const rolePrefix = r.role === 'user' ? '**User:**' : '**Assistant:**'
+          currentTurnLines.push(`${rolePrefix} ${p.content.trim()}`)
+        } else if (p.contentType === 'reasoning') {
+          // 不入 context
         } else if (p.contentType === 'tool_call') {
           const toolName = (p.metadata?.toolName as string) ?? (p.metadata?.toolCallName as string) ?? 'tool'
-          const inputPreview =
-            typeof p.content === 'string'
-              ? p.content.slice(0, 200)
-              : JSON.stringify(p.metadata?.input ?? {}).slice(0, 200)
-          lines.push(`(tool_call: ${toolName} ${inputPreview})`)
+          // 只输出参数名列表，不含参数值（安全截断，避免 JSON 断截）
+          const input = p.metadata?.input as Record<string, unknown> | undefined
+          const paramKeys = input ? Object.keys(input) : []
+          const paramLine = paramKeys.length > 0 ? `\n  params: ${paramKeys.join(', ')}` : ''
+          currentTurnLines.push(`[Tool call] ${toolName}${paramLine}`)
         } else if (p.contentType === 'tool_result') {
-          const outputPreview = typeof p.content === 'string' ? p.content.slice(0, 300) : ''
-          const status = (p.metadata?.status as string) ?? ''
-          lines.push(`(tool_result[${status}]: ${outputPreview})`)
+          const toolName = (p.metadata?.toolName as string) ?? 'tool'
+          const status = (p.metadata?.status as string) ?? 'unknown'
+          const byteCount = typeof p.content === 'string' ? p.content.length : 0
+          currentTurnLines.push(`[Tool result] ${toolName} — ${status} (${byteCount} bytes)`)
         }
       }
     }
+    flushTurn()
 
-    if (lines.length === 0) return newPrompt
+    if (sections.length === 0) return newPrompt
 
-    const header = 'Below is the prior conversation history for this session. Use it as context when responding.'
-    return `${header}\n\n[History]\n${lines.join('\n')}\n\n[Current user message]\n${newPrompt}`
+    const header = 'Below is the prior conversation history. Use it as context when responding.'
+    return `${header}\n\n---\n\n${sections.join('\n\n---\n\n')}\n\n---\n\n## Current user message\n\n${newPrompt}`
   } catch (e) {
     console.warn('[buildHistoryContextPrompt] failed, falling back to raw prompt:', (e as Error).message)
     return newPrompt
diff --git a/packages/server/tsconfig.json b/packages/server/tsconfig.json
index 47bb93e..18af8b3 100644
--- a/packages/server/tsconfig.json
+++ b/packages/server/tsconfig.json
@@ -12,5 +12,8 @@
     }
   },
   "include": ["src"],
-  "exclude": ["src/agent/runtime/opencode-tool-templates/**"]
+  "exclude": [
+    "src/agent/runtime/opencode-tool-templates/**",
+    "src/**/__tests__/**"
+  ]
 }
diff --git a/packages/server/vitest.config.ts b/packages/server/vitest.config.ts
new file mode 100644
index 0000000..370664f
--- /dev/null
+++ b/packages/server/vitest.config.ts
@@ -0,0 +1,15 @@
+import { defineConfig } from 'vitest/config'
+import path from 'node:path'
+
+export default defineConfig({
+  test: {
+    environment: 'node',
+    include: ['src/**/__tests__/**/*.test.ts'],
+    globals: false,
+  },
+  resolve: {
+    alias: {
+      '@coder/shared': path.resolve(__dirname, '../shared/src/index.ts'),
+    },
+  },
+})
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a571145..a6f192e 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -270,6 +270,9 @@ importers:
       typescript:
         specifier: ~5.7.0
         version: 5.7.3
+      vitest:
+        specifier: ^3.2.0
+        version: 3.2.4(@types/debug@4.1.13)(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3)
 
   packages/shared:
     dependencies:
@@ -2376,6 +2379,9 @@ packages:
   '@types/better-sqlite3@7.6.13':
     resolution: {integrity: sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==}
 
+  '@types/chai@5.2.3':
+    resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
+
   '@types/clone@2.1.4':
     resolution: {integrity: sha512-NKRWaEGaVGVLnGLB2GazvDaZnyweW9FJLLFL5LhywGJB3aqGMT9R/EUoJoSRP4nzofYnZysuDmrEJtJdAqUOtQ==}
 
@@ -2475,6 +2481,9 @@ packages:
   '@types/debug@4.1.13':
     resolution: {integrity: sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==}
 
+  '@types/deep-eql@4.0.2':
+    resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==}
+
   '@types/estree-jsx@1.0.5':
     resolution: {integrity: sha512-52CcUVNFyfb1A2ALocQw/Dd1BQFNmSdkuC3BkZ6iqhdMfQz7JWOFRuJFloOzjk+6WijU56m9oKXFAXc7o3Towg==}
 
@@ -2554,6 +2563,35 @@ packages:
     peerDependencies:
       vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0
 
+  '@vitest/expect@3.2.4':
+    resolution: {integrity: sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==}
+
+  '@vitest/mocker@3.2.4':
+    resolution: {integrity: sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==}
+    peerDependencies:
+      msw: ^2.4.9
+      vite: ^5.0.0 || ^6.0.0 || ^7.0.0-0
+    peerDependenciesMeta:
+      msw:
+        optional: true
+      vite:
+        optional: true
+
+  '@vitest/pretty-format@3.2.4':
+    resolution: {integrity: sha512-IVNZik8IVRJRTr9fxlitMKeJeXFFFN0JaB9PHPGQ8NKQbGpfjlTx9zO4RefN8gp7eqjNy8nyK3NZmBzOPeIxtA==}
+
+  '@vitest/runner@3.2.4':
+    resolution: {integrity: sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ==}
+
+  '@vitest/snapshot@3.2.4':
+    resolution: {integrity: sha512-dEYtS7qQP2CjU27QBC5oUOxLE/v5eLkGqPE0ZKEIDGMs4vKWe7IjgLOeauHsR0D5YuuycGRO5oSRXnwnmA78fQ==}
+
+  '@vitest/spy@3.2.4':
+    resolution: {integrity: sha512-vAfasCOe6AIK70iP5UD11Ac4siNUNJ9i/9PZ3NKx07sG6sUxeag1LWdNrMWeKKYBLlzuK+Gn65Yd5nyL6ds+nw==}
+
+  '@vitest/utils@3.2.4':
+    resolution: {integrity: sha512-fB2V0JFrQSMsCo9HiSq3Ezpdv4iYaXRG1Sx8edX3MwxfyNn83mKiGzOcH+Fkxt4MHxr3y42fQi1oeAInqgX2QA==}
+
   '@vue/reactivity@3.5.32':
     resolution: {integrity: sha512-/ORasxSGvZ6MN5gc+uE364SxFdJ0+WqVG0CENXaGW58TOCdrAW76WWaplDtECeS1qphvtBZtR+3/o1g1zL4xPQ==}
 
@@ -2670,6 +2708,10 @@ packages:
     resolution: {integrity: sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==}
     engines: {node: '>=0.8'}
 
+  assertion-error@2.0.1:
+    resolution: {integrity: sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==}
+    engines: {node: '>=12'}
+
   async@2.6.4:
     resolution: {integrity: sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==}
 
@@ -2845,6 +2887,10 @@ packages:
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
 
+  chai@5.3.3:
+    resolution: {integrity: sha512-4zNhdJD/iOjSH0A05ea+Ke6MU5mmpQcbQsSOkgdaUMJ9zTlDTD/GYlwohmIE2u0gaxHYiVHEn1Fw9mZ/ktJWgw==}
+    engines: {node: '>=18'}
+
   chalk@4.1.2:
     resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
     engines: {node: '>=10'}
@@ -2861,6 +2907,10 @@ packages:
   character-reference-invalid@2.0.1:
     resolution: {integrity: sha512-iBZ4F4wRbyORVsu0jPV7gXkOsGYjGHPmAyv+HiHG8gi5PtC9KI2j1+v8/tlibRvjoWX027ypmG/n0HtO5t7unw==}
 
+  check-error@2.1.3:
+    resolution: {integrity: sha512-PAJdDJusoxnwm1VwW07VWwUN1sl7smmC3OKggvndJFadxxDRyFJBX/ggnu/KE4kQAB7a3Dp8f/YXC1FlUprWmA==}
+    engines: {node: '>= 16'}
+
   chevrotain-allstar@0.3.1:
     resolution: {integrity: sha512-b7g+y9A0v4mxCW1qUhf3BSVPg+/NvGErk/dOkrDaHA0nQIQGAtrOjlX//9OQtRlSCy+x9rfB5N8yC71lH1nvMw==}
     peerDependencies:
@@ -3253,6 +3303,10 @@ packages:
     resolution: {integrity: sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ==}
     engines: {node: '>=4'}
 
+  deep-eql@5.0.2:
+    resolution: {integrity: sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==}
+    engines: {node: '>=6'}
+
   deep-extend@0.6.0:
     resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==}
     engines: {node: '>=4.0.0'}
@@ -3474,6 +3528,9 @@ packages:
     resolution: {integrity: sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==}
     engines: {node: '>= 0.4'}
 
+  es-module-lexer@1.7.0:
+    resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
+
   es-object-atoms@1.1.1:
     resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
     engines: {node: '>= 0.4'}
@@ -3568,6 +3625,9 @@ packages:
   estree-util-is-identifier-name@3.0.0:
     resolution: {integrity: sha512-hFtqIDZTIUZ9BXLb8y4pYGyk6+wekIivNVTcmvk8NoOh+VeRn5y6cEHzbURrWbfp1fIqdVipilzj+lfaadNZmg==}
 
+  estree-walker@3.0.3:
+    resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==}
+
   esutils@2.0.3:
     resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
     engines: {node: '>=0.10.0'}
@@ -3588,6 +3648,10 @@ packages:
     resolution: {integrity: sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg==}
     engines: {node: '>=6'}
 
+  expect-type@1.3.0:
+    resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
+    engines: {node: '>=12.0.0'}
+
   express-rate-limit@8.3.2:
     resolution: {integrity: sha512-77VmFeJkO0/rvimEDuUC5H30oqUC4EyOhyGccfqoLebB0oiEYfM7nwPrsDsBL1gsTpwfzX8SFy2MT3TDyRq+bg==}
     engines: {node: '>= 16'}
@@ -4188,6 +4252,9 @@ packages:
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
+  js-tokens@9.0.1:
+    resolution: {integrity: sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==}
+
   js-yaml@3.14.2:
     resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==}
     hasBin: true
@@ -4458,6 +4525,9 @@ packages:
   longest-streak@3.1.0:
     resolution: {integrity: sha512-9Ri+o0JYgehTaVBBDoMqIl8GXtbWg711O3srftcHhZ0dqnETqLaoIK0x17fUw9rFSlK/0NlsKe0Ahhyl5pXE2g==}
 
+  loupe@3.2.1:
+    resolution: {integrity: sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==}
+
   lowdb@1.0.0:
     resolution: {integrity: sha512-2+x8esE/Wb9SQ1F9IHaYWfsC9FIecLOPrK4g17FGEayjUWH172H6nwicRovGvSE2CPZouc2MCIqCI7h9d+GftQ==}
     engines: {node: '>=4'}
@@ -4944,6 +5014,10 @@ packages:
   pathe@2.0.3:
     resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
 
+  pathval@2.0.1:
+    resolution: {integrity: sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==}
+    engines: {node: '>= 14.16'}
+
   pend@1.2.0:
     resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==}
 
@@ -5406,6 +5480,9 @@ packages:
     resolution: {integrity: sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==}
     engines: {node: '>= 0.4'}
 
+  siginfo@2.0.0:
+    resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==}
+
   signal-exit@3.0.7:
     resolution: {integrity: sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==}
 
@@ -5459,6 +5536,9 @@ packages:
     engines: {node: '>=0.10.0'}
     hasBin: true
 
+  stackback@0.0.2:
+    resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==}
+
   state-local@1.0.7:
     resolution: {integrity: sha512-HTEHMNieakEnoe33shBYcZ7NX83ACUjCu8c40iOGEZsngj9zRnkqS9j1pqQPXwobB0ZcVTk27REb7COQ0UR59w==}
 
@@ -5466,6 +5546,9 @@ packages:
     resolution: {integrity: sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==}
     engines: {node: '>= 0.8'}
 
+  std-env@3.10.0:
+    resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==}
+
   steno@0.4.4:
     resolution: {integrity: sha512-EEHMVYHNXFHfGtgjNITnka0aHhiAlo93F7z2/Pwd+g0teG9CnM3JIINM7hVVB5/rhw9voufD7Wukwgtw2uqh6w==}
 
@@ -5510,6 +5593,9 @@ packages:
     resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==}
     engines: {node: '>=8'}
 
+  strip-literal@3.1.0:
+    resolution: {integrity: sha512-8r3mkIM/2+PpjHoOtiAW8Rg3jJLHaV7xPwG+YRGrv6FP0wwk/toTpATxWYOW0BKdWwl82VT2tFYi5DlROa0Mxg==}
+
   strnum@1.1.2:
     resolution: {integrity: sha512-vrN+B7DBIoTTZjnPNewwhx6cBA/H+IS7rfW68n7XxC1y7uoiGQBxaKzqucGUgavX15dJgiGztLJ8vxuEzwqBdA==}
 
@@ -5584,6 +5670,9 @@ packages:
   through@2.3.8:
     resolution: {integrity: sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg==}
 
+  tinybench@2.9.0:
+    resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
+
   tinyexec@0.3.2:
     resolution: {integrity: sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==}
 
@@ -5595,6 +5684,18 @@ packages:
     resolution: {integrity: sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==}
     engines: {node: '>=12.0.0'}
 
+  tinypool@1.1.1:
+    resolution: {integrity: sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+
+  tinyrainbow@2.0.0:
+    resolution: {integrity: sha512-op4nsTR47R6p0vMUUoYl/a+ljLFVtlfaXkLQmqfLR1qHma1h/ysYk4hEXZ880bf2CYgTskvTa/e196Vd5dDQXw==}
+    engines: {node: '>=14.0.0'}
+
+  tinyspy@4.0.4:
+    resolution: {integrity: sha512-azl+t0z7pw/z958Gy9svOTuzqIk6xq+NSheJzn5MMWtWTFywIacg2wUlzKFGtt3cthx0r2SxMK0yzJOR0IES7Q==}
+    engines: {node: '>=14.0.0'}
+
   tmp@0.2.5:
     resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
     engines: {node: '>=14.14'}
@@ -5829,6 +5930,11 @@ packages:
   vfile@6.0.3:
     resolution: {integrity: sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==}
 
+  vite-node@3.2.4:
+    resolution: {integrity: sha512-EbKSKh+bh1E1IFxeO0pg1n4dvoOTt0UDiXMd/qn++r98+jPO1xtJilvXldeuQ8giIB5IkpjCgMleHMNEsGH6pg==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
+    hasBin: true
+
   vite@6.4.2:
     resolution: {integrity: sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==}
     engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
@@ -5869,6 +5975,34 @@ packages:
       yaml:
         optional: true
 
+  vitest@3.2.4:
+    resolution: {integrity: sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
+    hasBin: true
+    peerDependencies:
+      '@edge-runtime/vm': '*'
+      '@types/debug': ^4.1.12
+      '@types/node': ^18.0.0 || ^20.0.0 || >=22.0.0
+      '@vitest/browser': 3.2.4
+      '@vitest/ui': 3.2.4
+      happy-dom: '*'
+      jsdom: '*'
+    peerDependenciesMeta:
+      '@edge-runtime/vm':
+        optional: true
+      '@types/debug':
+        optional: true
+      '@types/node':
+        optional: true
+      '@vitest/browser':
+        optional: true
+      '@vitest/ui':
+        optional: true
+      happy-dom:
+        optional: true
+      jsdom:
+        optional: true
+
   vscode-jsonrpc@8.2.0:
     resolution: {integrity: sha512-C+r0eKJUIfiDIfwJhria30+TYWPtuHJXHtI7J0YlOmKAo7ogxP20T0zxB7HZQIFhIyvoBPwWskjxrvAtfjyZfA==}
     engines: {node: '>=14.0.0'}
@@ -5926,6 +6060,11 @@ packages:
     engines: {node: ^16.13.0 || >=18.0.0}
     hasBin: true
 
+  why-is-node-running@2.3.0:
+    resolution: {integrity: sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==}
+    engines: {node: '>=8'}
+    hasBin: true
+
   word-wrap@1.2.5:
     resolution: {integrity: sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==}
     engines: {node: '>=0.10.0'}
@@ -7905,6 +8044,11 @@ snapshots:
     dependencies:
       '@types/node': 20.19.39
 
+  '@types/chai@5.2.3':
+    dependencies:
+      '@types/deep-eql': 4.0.2
+      assertion-error: 2.0.1
+
   '@types/clone@2.1.4': {}
 
   '@types/d3-array@3.2.2': {}
@@ -8028,6 +8172,8 @@ snapshots:
     dependencies:
       '@types/ms': 2.1.0
 
+  '@types/deep-eql@4.0.2': {}
+
   '@types/estree-jsx@1.0.5':
     dependencies:
       '@types/estree': 1.0.8
@@ -8113,6 +8259,48 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@vitest/expect@3.2.4':
+    dependencies:
+      '@types/chai': 5.2.3
+      '@vitest/spy': 3.2.4
+      '@vitest/utils': 3.2.4
+      chai: 5.3.3
+      tinyrainbow: 2.0.0
+
+  '@vitest/mocker@3.2.4(vite@6.4.2(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3))':
+    dependencies:
+      '@vitest/spy': 3.2.4
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 6.4.2(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3)
+
+  '@vitest/pretty-format@3.2.4':
+    dependencies:
+      tinyrainbow: 2.0.0
+
+  '@vitest/runner@3.2.4':
+    dependencies:
+      '@vitest/utils': 3.2.4
+      pathe: 2.0.3
+      strip-literal: 3.1.0
+
+  '@vitest/snapshot@3.2.4':
+    dependencies:
+      '@vitest/pretty-format': 3.2.4
+      magic-string: 0.30.21
+      pathe: 2.0.3
+
+  '@vitest/spy@3.2.4':
+    dependencies:
+      tinyspy: 4.0.4
+
+  '@vitest/utils@3.2.4':
+    dependencies:
+      '@vitest/pretty-format': 3.2.4
+      loupe: 3.2.1
+      tinyrainbow: 2.0.0
+
   '@vue/reactivity@3.5.32':
     dependencies:
       '@vue/shared': 3.5.32
@@ -8254,6 +8442,8 @@ snapshots:
 
   assert-plus@1.0.0: {}
 
+  assertion-error@2.0.1: {}
+
   async@2.6.4:
     dependencies:
       lodash: 4.18.1
@@ -8431,6 +8621,14 @@ snapshots:
 
   ccount@2.0.1: {}
 
+  chai@5.3.3:
+    dependencies:
+      assertion-error: 2.0.1
+      check-error: 2.1.3
+      deep-eql: 5.0.2
+      loupe: 3.2.1
+      pathval: 2.0.1
+
   chalk@4.1.2:
     dependencies:
       ansi-styles: 4.3.0
@@ -8444,6 +8642,8 @@ snapshots:
 
   character-reference-invalid@2.0.1: {}
 
+  check-error@2.1.3: {}
+
   chevrotain-allstar@0.3.1(chevrotain@11.1.2):
     dependencies:
       chevrotain: 11.1.2
@@ -8873,6 +9073,8 @@ snapshots:
       pify: 2.3.0
       strip-dirs: 2.1.0
 
+  deep-eql@5.0.2: {}
+
   deep-extend@0.6.0: {}
 
   deep-is@0.1.4: {}
@@ -9006,6 +9208,8 @@ snapshots:
 
   es-errors@1.3.0: {}
 
+  es-module-lexer@1.7.0: {}
+
   es-object-atoms@1.1.1:
     dependencies:
       es-errors: 1.3.0
@@ -9211,6 +9415,10 @@ snapshots:
 
   estree-util-is-identifier-name@3.0.0: {}
 
+  estree-walker@3.0.3:
+    dependencies:
+      '@types/estree': 1.0.8
+
   esutils@2.0.3: {}
 
   etag@1.8.1: {}
@@ -9223,6 +9431,8 @@ snapshots:
 
   expand-template@2.0.3: {}
 
+  expect-type@1.3.0: {}
+
   express-rate-limit@8.3.2(express@5.2.1):
     dependencies:
       express: 5.2.1
@@ -9860,6 +10070,8 @@ snapshots:
 
   js-tokens@4.0.0: {}
 
+  js-tokens@9.0.1: {}
+
   js-yaml@3.14.2:
     dependencies:
       argparse: 1.0.10
@@ -10096,6 +10308,8 @@ snapshots:
 
   longest-streak@3.1.0: {}
 
+  loupe@3.2.1: {}
+
   lowdb@1.0.0:
     dependencies:
       graceful-fs: 4.2.11
@@ -10820,6 +11034,8 @@ snapshots:
 
   pathe@2.0.3: {}
 
+  pathval@2.0.1: {}
+
   pend@1.2.0: {}
 
   performance-now@2.1.0: {}
@@ -11372,6 +11588,8 @@ snapshots:
       side-channel-map: 1.0.1
       side-channel-weakmap: 1.0.2
 
+  siginfo@2.0.0: {}
+
   signal-exit@3.0.7: {}
 
   simple-concat@1.0.1: {}
@@ -11420,10 +11638,14 @@ snapshots:
       safer-buffer: 2.1.2
       tweetnacl: 0.14.5
 
+  stackback@0.0.2: {}
+
   state-local@1.0.7: {}
 
   statuses@2.0.2: {}
 
+  std-env@3.10.0: {}
+
   steno@0.4.4:
     dependencies:
       graceful-fs: 4.2.11
@@ -11495,6 +11717,10 @@ snapshots:
 
   strip-json-comments@3.1.1: {}
 
+  strip-literal@3.1.0:
+    dependencies:
+      js-tokens: 9.0.1
+
   strnum@1.1.2: {}
 
   style-to-js@1.1.21:
@@ -11595,6 +11821,8 @@ snapshots:
 
   through@2.3.8: {}
 
+  tinybench@2.9.0: {}
+
   tinyexec@0.3.2: {}
 
   tinyexec@1.0.4: {}
@@ -11604,6 +11832,12 @@ snapshots:
       fdir: 6.5.0(picomatch@4.0.4)
       picomatch: 4.0.4
 
+  tinypool@1.1.1: {}
+
+  tinyrainbow@2.0.0: {}
+
+  tinyspy@4.0.4: {}
+
   tmp@0.2.5: {}
 
   to-buffer@1.2.2:
@@ -11846,6 +12080,27 @@ snapshots:
       '@types/unist': 3.0.3
       vfile-message: 4.0.3
 
+  vite-node@3.2.4(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3):
+    dependencies:
+      cac: 6.7.14
+      debug: 4.4.3
+      es-module-lexer: 1.7.0
+      pathe: 2.0.3
+      vite: 6.4.2(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3)
+    transitivePeerDependencies:
+      - '@types/node'
+      - jiti
+      - less
+      - lightningcss
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+      - tsx
+      - yaml
+
   vite@6.4.2(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3):
     dependencies:
       esbuild: 0.25.12
@@ -11862,6 +12117,48 @@ snapshots:
       tsx: 4.21.0
       yaml: 2.8.3
 
+  vitest@3.2.4(@types/debug@4.1.13)(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3):
+    dependencies:
+      '@types/chai': 5.2.3
+      '@vitest/expect': 3.2.4
+      '@vitest/mocker': 3.2.4(vite@6.4.2(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3))
+      '@vitest/pretty-format': 3.2.4
+      '@vitest/runner': 3.2.4
+      '@vitest/snapshot': 3.2.4
+      '@vitest/spy': 3.2.4
+      '@vitest/utils': 3.2.4
+      chai: 5.3.3
+      debug: 4.4.3
+      expect-type: 1.3.0
+      magic-string: 0.30.21
+      pathe: 2.0.3
+      picomatch: 4.0.4
+      std-env: 3.10.0
+      tinybench: 2.9.0
+      tinyexec: 0.3.2
+      tinyglobby: 0.2.15
+      tinypool: 1.1.1
+      tinyrainbow: 2.0.0
+      vite: 6.4.2(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3)
+      vite-node: 3.2.4(@types/node@22.19.17)(jiti@2.6.1)(lightningcss@1.32.0)(tsx@4.21.0)(yaml@2.8.3)
+      why-is-node-running: 2.3.0
+    optionalDependencies:
+      '@types/debug': 4.1.13
+      '@types/node': 22.19.17
+    transitivePeerDependencies:
+      - jiti
+      - less
+      - lightningcss
+      - msw
+      - sass
+      - sass-embedded
+      - stylus
+      - sugarss
+      - supports-color
+      - terser
+      - tsx
+      - yaml
+
   vscode-jsonrpc@8.2.0: {}
 
   vscode-languageserver-protocol@3.17.5:
@@ -11916,6 +12213,11 @@ snapshots:
     dependencies:
       isexe: 3.1.5
 
+  why-is-node-running@2.3.0:
+    dependencies:
+      siginfo: 2.0.0
+      stackback: 0.0.2
+
   word-wrap@1.2.5: {}
 
   wrap-ansi@6.2.0:

From 77a31c34a72747ee455b199b674aceb65add726d Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sun, 3 May 2026 10:53:30 +0800
Subject: [PATCH 11/33] =?UTF-8?q?feat(web):=20=E5=89=8D=E7=AB=AF=20Runtime?=
 =?UTF-8?q?=20=E9=80=89=E6=8B=A9=E5=99=A8=20UI=EF=BC=88=E7=B1=BB=E4=BC=BC?=
 =?UTF-8?q?=20CodeBuddy=20=E6=B7=BB=E5=8A=A0=20OpenCode=20=E9=80=89?=
 =?UTF-8?q?=E9=A1=B9=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 场景
用户可以在任务创建表单里切换 Agent Runtime：
- tencent-sdk（CodeBuddy 默认）
- opencode-acp（OpenCode ACP）
- 未来可扩展接入更多 runtime

## 改动

### 前端（零感知降级：< 2 个 runtime 时不显示）

task-form.tsx:
  - TaskFormProps.onSubmit 加 selectedRuntime?: string
  - useEffect 动态 fetch GET /api/agent/runtimes；
    < 2 个 available runtime → 不渲染选择器（零感知）
  - runtime Select 复用 model Select 完全一样的样式（h-7 border-0 text-sm）
  - 插在 "model · runtime" 行，用 · 分隔
  - RUNTIME_LABELS 映射（tencent-sdk → "CodeBuddy (Default)", opencode-acp → "OpenCode ACP"）

home-page-content.tsx:
  - handleTaskSubmit 类型加 selectedRuntime?: string
  - 所有 fetch('/api/tasks', ...) body 透传 selectedRuntime（含 multi-repo + multi-agent 路径）

### 后端

db/types.ts:
  - Task interface 加 selectedRuntime: string | null
  - TaskNullableFields 加 'selectedRuntime'

db/schema.ts (drizzle sqlite, dev mode):
  - tasks table 加 selectedRuntime text 列（注释 null = registry default）

db/cloudbase/repositories.ts:
  - normalizeTask 加 selectedRuntime: doc.selectedRuntime ?? null
  - create 默认 selectedRuntime: null

routes/tasks.ts:
  - 接收 body.selectedRuntime 保存到 DB

routes/acp.ts / handleSessionPrompt:
  - 两次 DB 查询合并成一次（减少 I/O）
  - 读 task.selectedRuntime 传给 agentRuntimeRegistry.resolve()
  - 优先级：request params.runtime > task.selectedRuntime > AGENT_RUNTIME env > default

## UI 行为

- 只有 1 个 runtime 时：完全不显示（不影响现有用户体验）
- 有多个 runtime 时：模型选择器后显示 ·  + runtime Select
  ```
  [CodeBuddy · GLM 5.1 · CodeBuddy (Default)▾]
  ```
- 用户选择后随任务一起保存，重新发消息沿用选中的 runtime
- selectedRuntime = '' 或 null 时 registry 按 default 规则选

## 测试

unit tests: 27/27 PASS
lint: PASS
server tsc: PASS
web tsc: PASS
build:server + build:web: PASS
---
 .../buildHistoryContextPrompt.test.ts         | 11 +---
 .../server/src/agent/runtime/acp-transport.ts |  3 +-
 .../server/src/db/cloudbase/repositories.ts   |  2 +
 packages/server/src/db/schema.ts              |  1 +
 packages/server/src/db/types.ts               |  2 +
 packages/server/src/routes/acp.ts             | 20 +++-----
 packages/server/src/routes/tasks.ts           |  2 +
 packages/web/dist/index.html                  |  4 +-
 .../web/src/components/home-page-content.tsx  |  3 ++
 packages/web/src/components/task-form.tsx     | 51 +++++++++++++++++++
 10 files changed, 74 insertions(+), 25 deletions(-)

diff --git a/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts b/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts
index 43229ee..a93f1a9 100644
--- a/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts
+++ b/packages/server/src/agent/runtime/__tests__/buildHistoryContextPrompt.test.ts
@@ -35,11 +35,7 @@ function reasoningPart(content: string) {
   return { contentType: 'reasoning', content }
 }
 
-function toolCallPart(
-  toolName: string,
-  input: Record<string, unknown>,
-  toolCallId = 'tc-1',
-) {
+function toolCallPart(toolName: string, input: Record<string, unknown>, toolCallId = 'tc-1') {
   return {
     contentType: 'tool_call',
     content: JSON.stringify(input),
@@ -205,10 +201,7 @@ describe('buildHistoryContextPrompt', () => {
 
   it('reasoning part is NOT included in context', async () => {
     vi.mocked(persistenceService.loadDBMessages).mockResolvedValueOnce([
-      makeRecord('r1', 'assistant', 'done', [
-        reasoningPart('my secret thinking process'),
-        textPart('final answer'),
-      ]),
+      makeRecord('r1', 'assistant', 'done', [reasoningPart('my secret thinking process'), textPart('final answer')]),
     ])
     const result = await buildHistoryContextPrompt(CONV, ENV, USER, PROMPT)
     expect(result).not.toContain('my secret thinking process')
diff --git a/packages/server/src/agent/runtime/acp-transport.ts b/packages/server/src/agent/runtime/acp-transport.ts
index 7be6712..4bb770b 100644
--- a/packages/server/src/agent/runtime/acp-transport.ts
+++ b/packages/server/src/agent/runtime/acp-transport.ts
@@ -192,8 +192,7 @@ async function spawnLocalOpencode(
   const bin = getResolvedBin()
   if (!bin) {
     throw new Error(
-      `opencode CLI not found. Install via: npm i -g opencode-ai\n` +
-        `Or set OPENCODE_BIN env to the absolute path.`,
+      `opencode CLI not found. Install via: npm i -g opencode-ai\n` + `Or set OPENCODE_BIN env to the absolute path.`,
     )
   }
 
diff --git a/packages/server/src/db/cloudbase/repositories.ts b/packages/server/src/db/cloudbase/repositories.ts
index 80a6962..c82f155 100644
--- a/packages/server/src/db/cloudbase/repositories.ts
+++ b/packages/server/src/db/cloudbase/repositories.ts
@@ -211,6 +211,7 @@ function withTaskDefaults(task: Record<string, unknown>): Task {
     mode: doc.mode || 'default',
     status: doc.status || 'pending',
     selectedAgent: doc.selectedAgent ?? 'codebuddy',
+    selectedRuntime: doc.selectedRuntime ?? null,
     sandboxMode: doc.sandboxMode || 'isolated',
     installDependencies: doc.installDependencies ?? false,
     maxDuration: doc.maxDuration ?? 300,
@@ -300,6 +301,7 @@ class CloudBaseTaskRepository implements TaskRepository {
       title: null,
       repoUrl: null,
       selectedModel: null,
+      selectedRuntime: null,
       logs: null,
       error: null,
       branchName: null,
diff --git a/packages/server/src/db/schema.ts b/packages/server/src/db/schema.ts
index df45410..0246983 100644
--- a/packages/server/src/db/schema.ts
+++ b/packages/server/src/db/schema.ts
@@ -64,6 +64,7 @@ export const tasks = sqliteTable(
     repoUrl: text('repo_url'),
     selectedAgent: text('selected_agent').default('claude'),
     selectedModel: text('selected_model'),
+    selectedRuntime: text('selected_runtime'), // 'tencent-sdk' | 'opencode-acp' | null (null = registry default)
     mode: text('mode').notNull().default('default'), // 'default' | 'coding'
     installDependencies: integer('install_dependencies', { mode: 'boolean' }).default(false),
     maxDuration: integer('max_duration').default(parseInt(process.env.MAX_SANDBOX_DURATION || '300', 10)),
diff --git a/packages/server/src/db/types.ts b/packages/server/src/db/types.ts
index 49528da..6068eef 100644
--- a/packages/server/src/db/types.ts
+++ b/packages/server/src/db/types.ts
@@ -37,6 +37,7 @@ export interface Task {
   repoUrl: string | null
   selectedAgent: string | null
   selectedModel: string | null
+  selectedRuntime: string | null
   mode: string
   installDependencies: boolean | null
   maxDuration: number | null
@@ -216,6 +217,7 @@ type TaskNullableFields =
   | 'repoUrl'
   | 'selectedAgent'
   | 'selectedModel'
+  | 'selectedRuntime'
   | 'installDependencies'
   | 'maxDuration'
   | 'keepAlive'
diff --git a/packages/server/src/routes/acp.ts b/packages/server/src/routes/acp.ts
index bb3d084..838d418 100644
--- a/packages/server/src/routes/acp.ts
+++ b/packages/server/src/routes/acp.ts
@@ -408,11 +408,16 @@ async function handleSessionPrompt(c: any, id: number | string, params: SessionP
 
   const effectivePrompt = prompt.trim() ? prompt : hasResumePayload ? '继续未完成的任务' : prompt
 
-  // Read task's selectedModel
+  // Read task metadata once: selectedModel + mode + selectedRuntime
   let selectedModel: string | undefined
+  let taskMode: 'default' | 'coding' | undefined
+  let taskRuntime: string | undefined
   try {
     const task = await getDb().tasks.findById(sessionId)
     selectedModel = task?.selectedModel || undefined
+    if (task?.mode === 'coding') taskMode = 'coding'
+    // task.selectedRuntime 是创建任务时用户选择的 runtime（如 'opencode-acp'）
+    taskRuntime = task?.selectedRuntime || undefined
   } catch {
     // read failure doesn't affect main flow
   }
@@ -424,18 +429,9 @@ async function handleSessionPrompt(c: any, id: number | string, params: SessionP
     // write failure doesn't affect main flow
   }
 
-  // Resolve task mode
-  let taskMode: 'default' | 'coding' | undefined
-  try {
-    const task = await getDb().tasks.findById(sessionId)
-    if (task?.mode === 'coding') taskMode = 'coding'
-  } catch {
-    // ignore
-  }
-
-  // Resolve runtime: explicit param > env var > default
+  // Resolve runtime: 优先级 request param > task's selectedRuntime > AGENT_RUNTIME env > default
   const runtime = agentRuntimeRegistry.resolve({
-    explicitRuntime: params.runtime,
+    explicitRuntime: params.runtime || taskRuntime,
     conversationId: sessionId,
   })
 
diff --git a/packages/server/src/routes/tasks.ts b/packages/server/src/routes/tasks.ts
index d5a24aa..f2c42e9 100644
--- a/packages/server/src/routes/tasks.ts
+++ b/packages/server/src/routes/tasks.ts
@@ -303,6 +303,7 @@ tasksRouter.post('/', async (c) => {
     repoUrl,
     selectedAgent = 'claude',
     selectedModel,
+    selectedRuntime,
     mode = 'default',
     installDependencies = false,
     maxDuration = 300,
@@ -333,6 +334,7 @@ tasksRouter.post('/', async (c) => {
     repoUrl: repoUrl || null,
     selectedAgent,
     selectedModel: selectedModel || null,
+    selectedRuntime: selectedRuntime || null,
     mode,
     installDependencies,
     maxDuration,
diff --git a/packages/web/dist/index.html b/packages/web/dist/index.html
index 2597054..68bb9ac 100644
--- a/packages/web/dist/index.html
+++ b/packages/web/dist/index.html
@@ -4,8 +4,8 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Coding Agent</title>
-    <script type="module" crossorigin src="/assets/index-D-h2BImM.js"></script>
-    <link rel="stylesheet" crossorigin href="/assets/index-BWMmZRej.css">
+    <script type="module" crossorigin src="/assets/index-C9qIJocm.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-B5TQZXrD.css">
   </head>
   <body>
     <div id="root"></div>
diff --git a/packages/web/src/components/home-page-content.tsx b/packages/web/src/components/home-page-content.tsx
index 822884b..416ddc4 100644
--- a/packages/web/src/components/home-page-content.tsx
+++ b/packages/web/src/components/home-page-content.tsx
@@ -433,6 +433,7 @@ export function HomePageContent({
     selectedAgent: string
     selectedModel: string
     selectedModels?: string[]
+    selectedRuntime?: string
     installDependencies: boolean
     maxDuration: number
     keepAlive: boolean
@@ -492,6 +493,7 @@ export function HomePageContent({
           repoUrl: repo.clone_url,
           selectedAgent: data.selectedAgent,
           selectedModel: data.selectedModel,
+          selectedRuntime: data.selectedRuntime,
           installDependencies: data.installDependencies,
           maxDuration: data.maxDuration,
           keepAlive: data.keepAlive,
@@ -566,6 +568,7 @@ export function HomePageContent({
           repoUrl: data.repoUrl,
           selectedAgent: agent,
           selectedModel: model,
+          selectedRuntime: data.selectedRuntime,
           installDependencies: data.installDependencies,
           maxDuration: data.maxDuration,
           keepAlive: data.keepAlive,
diff --git a/packages/web/src/components/task-form.tsx b/packages/web/src/components/task-form.tsx
index 3ae2762..eaed64a 100644
--- a/packages/web/src/components/task-form.tsx
+++ b/packages/web/src/components/task-form.tsx
@@ -42,6 +42,7 @@ interface TaskFormProps {
     selectedAgent: string
     selectedModel: string
     selectedModels?: string[]
+    selectedRuntime?: string
     mode: 'default' | 'coding'
     installDependencies: boolean
     maxDuration: number
@@ -58,6 +59,12 @@ interface TaskFormProps {
   maxSandboxDuration?: number
 }
 
+/** Human-readable labels for runtime names returned by GET /api/agent/runtimes */
+const RUNTIME_LABELS: Record<string, string> = {
+  'tencent-sdk': 'CodeBuddy (Default)',
+  'opencode-acp': 'OpenCode ACP',
+}
+
 const CODING_AGENTS = [
   // CodeBuddy agent (default)
   { value: 'codebuddy', label: 'CodeBuddy', icon: CodeBuddy, isLogo: true },
@@ -138,6 +145,27 @@ export function TaskForm({
   const [repos, setRepos] = useAtom(githubReposAtomFamily(selectedOwner))
   const [, setLoadingRepos] = useState(false)
 
+  // Runtime selector: loaded from /api/agent/runtimes
+  const [selectedRuntime, setSelectedRuntime] = useState<string>('')
+  const [runtimeOptions, setRuntimeOptions] = useState<Array<{ name: string; label: string }>>([])
+  useEffect(() => {
+    fetch('/api/agent/runtimes')
+      .then((r) => r.json())
+      .then((data: { default: string; runtimes: Array<{ name: string; available: boolean }> }) => {
+        const available = data.runtimes.filter((r) => r.available)
+        if (available.length <= 1) return // 只有一个 runtime 时不显示选择器
+        const options = available.map((r) => ({
+          name: r.name,
+          label: RUNTIME_LABELS[r.name] ?? r.name,
+        }))
+        setRuntimeOptions(options)
+        setSelectedRuntime(data.default ?? '')
+      })
+      .catch(() => {
+        /* silently ignore — runtimes endpoint optional */
+      })
+  }, [])
+
   // Options state - initialize with server values
   const [installDependencies, setInstallDependenciesState] = useState(initialInstallDependencies)
   const [maxDuration, setMaxDurationState] = useState(initialMaxDuration)
@@ -305,6 +333,7 @@ export function TaskForm({
         repoUrl: '',
         selectedAgent,
         selectedModel,
+        selectedRuntime: selectedRuntime || undefined,
         mode: taskMode,
         installDependencies,
         maxDuration,
@@ -353,6 +382,7 @@ export function TaskForm({
       repoUrl: selectedRepoData?.clone_url || '',
       selectedAgent,
       selectedModel,
+      selectedRuntime: selectedRuntime || undefined,
       mode: taskMode,
       installDependencies,
       maxDuration,
@@ -452,6 +482,27 @@ export function TaskForm({
                       })}
                     </SelectContent>
                   </Select>
+
+                  {/* Runtime selector — only shown when multiple runtimes available */}
+                  {runtimeOptions.length > 1 && (
+                    <>
+                      <span className="text-muted-foreground/50">·</span>
+                      <Select value={selectedRuntime} onValueChange={setSelectedRuntime}>
+                        <SelectTrigger className="h-7 border-0 shadow-none px-1 py-0 text-sm text-muted-foreground hover:text-foreground bg-transparent focus:ring-0 gap-1 w-auto min-w-[110px]">
+                          <span className="truncate">
+                            {RUNTIME_LABELS[selectedRuntime] ?? (selectedRuntime || 'Runtime')}
+                          </span>
+                        </SelectTrigger>
+                        <SelectContent>
+                          {runtimeOptions.map((r) => (
+                            <SelectItem key={r.name} value={r.name}>
+                              {r.label}
+                            </SelectItem>
+                          ))}
+                        </SelectContent>
+                      </Select>
+                    </>
+                  )}
                 </div>
 
                 {/* Option Chips - Only visible on desktop */}

From 1d2639ae71932fc1f1fea790ec266a2d35f5584f Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sun, 3 May 2026 11:06:00 +0800
Subject: [PATCH 12/33] =?UTF-8?q?test(web):=20runtime=20=E9=80=89=E6=8B=A9?=
 =?UTF-8?q?=E5=99=A8=20e2e=20(11/11=20PASS)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

验证 5 个场景：
1. GET /api/agent/runtimes 返回正确列表（tencent-sdk + opencode-acp）
2. POST /api/tasks 不带 runtime → selectedRuntime=null
3. POST /api/tasks 带 runtime=opencode-acp → 正确保存到 DB
4. registry.resolve 按 task.selectedRuntime 选 runtime（无选 → tencent-sdk，有选 → opencode-acp）
5. request params.runtime 优先级高于 task.selectedRuntime（覆盖）
---
 .../server/scripts/test-runtime-selector.mts  | 150 ++++++++++++++++++
 1 file changed, 150 insertions(+)
 create mode 100644 packages/server/scripts/test-runtime-selector.mts

diff --git a/packages/server/scripts/test-runtime-selector.mts b/packages/server/scripts/test-runtime-selector.mts
new file mode 100644
index 0000000..8fa087b
--- /dev/null
+++ b/packages/server/scripts/test-runtime-selector.mts
@@ -0,0 +1,150 @@
+#!/usr/bin/env tsx
+/**
+ * Runtime 选择器端到端测试
+ *
+ * 验证：
+ *  1. GET /api/agent/runtimes 返回正确的 runtime 列表
+ *  2. POST /api/tasks 能保存 selectedRuntime 字段
+ *  3. 前端选 opencode-acp → session/prompt 真的路由给 OpencodeAcpRuntime
+ *  4. 前端选 tencent-sdk → session/prompt 路由给 TencentSdkRuntime（现状默认行为）
+ *
+ * 不依赖真实 LLM —— 只验证路由层，不等 agent 跑完。
+ *
+ * 用法：
+ *   npx tsx --env-file=.env scripts/test-runtime-selector.mts
+ */
+
+import 'dotenv/config'
+import { Hono } from 'hono'
+import { serve } from '@hono/node-server'
+import fs from 'node:fs'
+
+const app = new Hono()
+
+// 挂载 acp 路由和 tasks 路由
+const { default: acpRoutes } = await import('../src/routes/acp.js')
+const { default: tasksRouter } = await import('../src/routes/tasks.js')
+const { getDb } = await import('../src/db/index.js')
+const { agentRuntimeRegistry } = await import('../src/agent/runtime/index.js')
+
+// 绑定 mock auth middleware（让 tasks + internal 路由可访问）
+app.use('*', async (c, next) => {
+  c.set('session', {
+    created: Date.now(),
+    authProvider: 'api-key',
+    user: { id: 'selector-test-user', username: 'test', email: 'test@test.local', avatar: '' },
+  })
+  c.set('apiKeyScopes', ['acp'])
+  c.set('userEnv', {
+    envId: process.env.TCB_ENV_ID || '',
+    userId: 'selector-test-user',
+    credentials: { secretId: process.env.TCB_SECRET_ID || '', secretKey: process.env.TCB_SECRET_KEY || '' },
+  })
+  await next()
+})
+
+app.route('/api/agent', acpRoutes)
+app.route('/api/tasks', tasksRouter)
+
+const server = serve({ fetch: app.fetch, port: 0, hostname: '127.0.0.1' }, (info) => {
+  process.env.ASK_USER_BASE_URL = `http://127.0.0.1:${info.port}`
+  console.log(`[selector-test] server on :${info.port}`)
+})
+await new Promise((r) => setTimeout(r, 400))
+
+const port = (server.address() as { port: number }).port
+const BASE = `http://127.0.0.1:${port}`
+
+let passed = 0
+let failed = 0
+function assert(cond: unknown, label: string) {
+  if (cond) {
+    console.log(`  ✓ ${label}`)
+    passed++
+  } else {
+    console.error(`  ✗ ${label}`)
+    failed++
+  }
+}
+
+// ── 1. GET /api/agent/runtimes ────────────────────────────────────────────────
+console.log('\n[selector-test] === 1. GET /api/agent/runtimes ===')
+const runtimes = await fetch(`${BASE}/api/agent/runtimes`).then((r) => r.json()) as {
+  default: string
+  runtimes: Array<{ name: string; available: boolean }>
+}
+console.log('  response:', JSON.stringify(runtimes))
+assert(runtimes.default === 'tencent-sdk', 'default runtime = tencent-sdk')
+assert(Array.isArray(runtimes.runtimes), 'runtimes is array')
+assert(runtimes.runtimes.some((r) => r.name === 'tencent-sdk'), 'tencent-sdk listed')
+assert(runtimes.runtimes.some((r) => r.name === 'opencode-acp'), 'opencode-acp listed')
+
+// ── 2. POST /api/tasks (不含 selectedRuntime) ─────────────────────────────────
+console.log('\n[selector-test] === 2. POST /api/tasks without runtime ===')
+const userId = 'selector-test-user'
+const taskId1 = 'selector-task-' + Date.now()
+const res1 = await fetch(`${BASE}/api/tasks`, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({
+    id: taskId1,
+    prompt: 'test task no runtime',
+  }),
+})
+assert(res1.ok, `POST /api/tasks (no runtime) ok=${res1.status}`)
+const task1 = await getDb().tasks.findById(taskId1)
+assert(task1?.selectedRuntime === null, `task.selectedRuntime = null (no selection)`)
+
+// ── 3. POST /api/tasks with selectedRuntime = 'opencode-acp' ─────────────────
+console.log('\n[selector-test] === 3. POST /api/tasks with runtime=opencode-acp ===')
+const taskId2 = 'selector-task-oc-' + Date.now()
+const res2 = await fetch(`${BASE}/api/tasks`, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({
+    id: taskId2,
+    prompt: 'test task opencode',
+    selectedRuntime: 'opencode-acp',
+  }),
+})
+assert(res2.ok, `POST /api/tasks (opencode-acp) ok=${res2.status}`)
+const task2 = await getDb().tasks.findById(taskId2)
+assert(task2?.selectedRuntime === 'opencode-acp', `task.selectedRuntime = 'opencode-acp' saved`)
+
+// ── 4. registry.resolve() 按 task.selectedRuntime 选 runtime ─────────────────
+console.log('\n[selector-test] === 4. registry.resolve with task.selectedRuntime ===')
+// 模拟 handleSessionPrompt 的逻辑
+const taskRuntime1 = task1?.selectedRuntime || undefined
+const resolved1 = agentRuntimeRegistry.resolve({ explicitRuntime: taskRuntime1, conversationId: taskId1 })
+assert(resolved1.name === 'tencent-sdk', `task1 (no runtime) resolves to tencent-sdk (got ${resolved1.name})`)
+
+const taskRuntime2 = task2?.selectedRuntime || undefined
+const resolved2 = agentRuntimeRegistry.resolve({ explicitRuntime: taskRuntime2, conversationId: taskId2 })
+assert(resolved2.name === 'opencode-acp', `task2 (opencode-acp) resolves to opencode-acp (got ${resolved2.name})`)
+
+// ── 5. request params.runtime 优先级高于 task.selectedRuntime ──────────────────
+console.log('\n[selector-test] === 5. params.runtime overrides task.selectedRuntime ===')
+// task2 有 opencode-acp，但 params.runtime='tencent-sdk' 应覆盖
+const resolved3 = agentRuntimeRegistry.resolve({
+  explicitRuntime: 'tencent-sdk',  // request param 级别
+  conversationId: taskId2,
+})
+assert(resolved3.name === 'tencent-sdk', `params.runtime='tencent-sdk' overrides task's opencode-acp (got ${resolved3.name})`)
+
+// ── 清理 ─────────────────────────────────────────────────────────────────────
+try {
+  const envId = process.env.TCB_ENV_ID || ''
+  if (envId && getDb().tasks.delete) {
+    await getDb().tasks.delete(taskId1)
+    await getDb().tasks.delete(taskId2)
+  }
+} catch {
+  /* noop */
+}
+
+// ── 结果 ─────────────────────────────────────────────────────────────────────
+console.log(`\n[selector-test] ${passed} passed, ${failed} failed`)
+console.log(`[selector-test] OVERALL: ${failed === 0 ? 'PASS' : 'FAIL'}`)
+
+server.close()
+process.exit(failed === 0 ? 0 : 1)

From 3c7d4a1949f05063891b068ba5dc4a11e7391430 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sun, 3 May 2026 12:27:55 +0800
Subject: [PATCH 13/33] =?UTF-8?q?fix(agent):=20OpenCode=20runtime=20finall?=
 =?UTF-8?q?y=20=E5=9D=97=E5=8A=A0=20cleanupStreamEvents?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

问题：vibe_agent_stream_events 积累了 3600+ 条孤儿数据
根因：
  1. OpenCode runtime launchAgent finally 块从未调 cleanupStreamEvents
     （Tencent SDK runtime 在 cloudbase-agent.service.ts finally 里有调）
  2. e2e 测试大量产生 stream_events 但 agent 未正常结束时没有清理
  3. CloudBase 文档 DB 无 TTL，记录永久保留

修复：在 opencode-acp-runtime.ts 的 finally 块里加与 Tencent 路径对齐的
cleanupStreamEvents 调用（fire-and-forget，不影响主流程）。

已手动清理历史积累的 3614 条孤儿数据。
---
 packages/server/src/agent/runtime/opencode-acp-runtime.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index dd1a91d..23c122b 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -533,6 +533,13 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
           console.error('[OpencodeAcpRuntime] messageBuilder.finalize error:', e)
         }
       }
+      // 清掉临时 SSE stream_events（turn 结束后已无用，持久化已在 messages 集合）
+      // 与 Tencent SDK runtime 的 finally 块对齐，避免 CloudBase 积累孤儿数据
+      if (envId) {
+        persistenceService.cleanupStreamEvents(conversationId, turnId).catch(() => {
+          /* Non-critical */
+        })
+      }
       // 清掉 liveCallback + emitter 注册，避免 map 泄漏
       clearLiveCallback(conversationId)
       clearEmitter(conversationId)

From 071943a040bdbad703104b607c961115604edc10 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Mon, 4 May 2026 11:28:20 +0800
Subject: [PATCH 14/33] =?UTF-8?q?docs:=20=E5=8F=98=E6=9B=B4=E8=AF=B4?=
 =?UTF-8?q?=E6=98=8E=20&=20=E9=AA=8C=E6=94=B6=E6=B8=85=E5=8D=95=20(feat-ac?=
 =?UTF-8?q?p-runtime-abstraction.md)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/feat-acp-runtime-abstraction.md | 219 +++++++++++++++++++++++++++
 1 file changed, 219 insertions(+)
 create mode 100644 docs/feat-acp-runtime-abstraction.md

diff --git a/docs/feat-acp-runtime-abstraction.md b/docs/feat-acp-runtime-abstraction.md
new file mode 100644
index 0000000..adb38d8
--- /dev/null
+++ b/docs/feat-acp-runtime-abstraction.md
@@ -0,0 +1,219 @@
+# feat/acp-runtime-abstraction 变更说明 & 验收清单
+
+> 分支：`feat/acp-runtime-abstraction`
+> 基线：`origin/main`（c9b68f9）
+> 14 commits，46 files changed，+5889 / -22
+
+---
+
+## 一、背景
+
+在原有 Tencent SDK（`@tencent-ai/agent-sdk`）runtime 的基础上，新增 **OpenCode ACP runtime**。两个 runtime 通过 `IAgentRuntime` 接口并排注册，用户可在前端任务创建表单里切换。默认行为不变，没有安装 opencode CLI 时选择器不显示。
+
+---
+
+## 二、变更点
+
+### 2.1 IAgentRuntime 抽象层
+
+新增 `packages/server/src/agent/runtime/` 目录：
+
+| 文件 | 说明 |
+|---|---|
+| `types.ts` | `IAgentRuntime` 接口 + `ChatStreamResult` |
+| `registry.ts` | `AgentRuntimeRegistry`：注册 + resolve 策略 |
+| `tencent-sdk-runtime.ts` | 原有 service 的薄 adapter（零逻辑改动） |
+| `opencode-acp-runtime.ts` | ★ OpenCode runtime 主体 |
+| `acp-transport.ts` | local stdio transport + `resolveOnPath`/fallbackBins |
+| `opencode-installer.ts` | 全局 tool 幂等安装到 `~/.config/opencode/tools/` |
+| `opencode-message-builder.ts` | 事件流累积 → `UnifiedMessagePart[]` + 历史 transcript |
+| `pending-permission-registry.ts` | ToolConfirm 挂起/唤醒 |
+| `pending-question-registry.ts` | AskUserQuestion HTTP 挂起/唤醒 |
+
+**Runtime resolve 优先级**：`request params.runtime` > `task.selectedRuntime` > `AGENT_RUNTIME env` > `tencent-sdk`（默认）
+
+---
+
+### 2.2 沙箱隔离：全局 tool override + env 注入
+
+`opencode acp` 子进程在 server 本地运行（agent 域），工具调用通过 custom tool `.ts` 文件的 `fetch` 路由到 SCF 沙箱（sandbox 域），agent/sandbox 严格分离。
+
+```
+opencode acp（本地）
+  └─ custom tool write.ts → fetch SANDBOX_BASE_URL/api/tools/write
+                               └─ SCF /tmp/workspace/<env>/<conv>/...（沙箱）
+```
+
+新增工具模板（`opencode-tool-templates/`）：`read.ts` `write.ts` `edit.ts` `bash.ts` `grep.ts` `glob.ts` `AskUserQuestion.ts`
+
+- **安装时机**：`chatStream` 首次调用时惰性安装（hash 比对，只变更时覆盖）
+- **env 注入**：spawn opencode 时通过 child env 传递 `SANDBOX_MODE`, `SANDBOX_BASE_URL`, `SANDBOX_AUTH_HEADERS_JSON`
+- **强制重装**：`OPENCODE_TOOLS_FORCE_REINSTALL=1`
+
+---
+
+### 2.3 human-in-loop
+
+| 能力 | 机制 |
+|---|---|
+| **ToolConfirm** | `requestPermission` ACP 回调 → 发 `tool_confirm` SSE → `PendingPermissionRegistry` 挂起 → 下轮 `toolConfirmation` resume |
+| **AskUserQuestion** | custom tool `AskUserQuestion` → `POST /api/agent/internal/ask-user`（仅 127.0.0.1）→ `PendingQuestionRegistry` 挂起 → 下轮 `askAnswers` resume |
+
+两者与现有前端 `ToolConfirmDialog` / `AskUserForm` 零改动对接（工具名、schema 与 Tencent 契约完全对齐）。
+
+---
+
+### 2.4 消息持久化
+
+新增 `OpencodeMessageBuilder`，把 `AgentCallbackMessage` 事件流累积成 `UnifiedMessagePart[]`，写入 `vibe_agent_messages` 集合（与 Tencent SDK 同一张表）。
+
+**落库时机**：
+- `tool_use` 时 → flushToDb（挂起期间前端可见 tool_call 卡片）
+- `tool_result` 时 → flushToDb
+- `finalize` 时 → 最终写入 + 改 record status（`done`/`error`/`cancel`）
+
+**多轮记忆**：`buildHistoryContextPrompt` 从 DB 读最近 N 轮 messages，格式化为 Markdown transcript 注入新 session prompt 前缀，解决 opencode 每次 newSession 空白上下文的问题。
+
+---
+
+### 2.5 前端 Runtime 选择器
+
+- `GET /api/agent/runtimes` 公开 endpoint（无需认证）
+- 任务创建表单：可用 runtime 数 `< 2` 时选择器完全不显示（零感知降级）；有多个时在 model 选择器旁边显示
+- `task.selectedRuntime` 字段存 DB，发消息时自动沿用
+
+---
+
+### 2.6 技术质量改进
+
+- **vitest 单元测试**（27 个）：`buildHistoryContextPrompt` 16 个、`resolveOnPath/getResolvedBin` 10 个
+- **buildHistoryContextPrompt 格式**：`## Turn N` / `**User:**` / `[Tool call]` / `[Tool result] name — status (N bytes)`，安全截断（不截 JSON，不塞 tool_result 原始内容）
+- **fallbackBins + resolveOnPath**：支持 `opencode-ai` 等 PATH 别名；`isAvailable()` 改为同步 `existsSync`
+- **stream_events cleanup 修复**：OpenCode runtime `finally` 块加 `cleanupStreamEvents`，防止孤儿数据积累
+
+---
+
+### 2.7 改动文件清单
+
+| 路径 | 类型 |
+|---|---|
+| `packages/server/src/agent/runtime/` 下 9 个新文件 | 新增 |
+| `packages/server/src/agent/runtime/opencode-tool-templates/` 下 7 个 `.ts` | 新增 |
+| `packages/server/src/agent/runtime/__tests__/` 下 3 个测试文件 | 新增 |
+| `packages/server/vitest.config.ts` | 新增 |
+| `packages/server/src/routes/acp.ts` | 修改（runtime 路由 + `/runtimes` endpoint + `/internal/ask-user`） |
+| `packages/server/src/routes/tasks.ts` | 修改（接收 `selectedRuntime` 字段） |
+| `packages/server/src/agent/persistence.service.ts` | 修改（+`setRecordParts` public） |
+| `packages/server/src/db/types.ts` | 修改（+`selectedRuntime` 字段） |
+| `packages/server/src/db/schema.ts` | 修改（+`selectedRuntime` 列，drizzle） |
+| `packages/server/src/db/cloudbase/repositories.ts` | 修改（normalize + create 加 `selectedRuntime`） |
+| `packages/server/src/index.ts` | 修改（启动时设置 `ASK_USER_BASE_URL`） |
+| `packages/server/package.json` / `tsconfig.json` | 修改（+vitest、+acp/mcp sdk、排除 `__tests__`） |
+| `packages/shared/src/types/agent.ts` | 修改（`SessionPromptParams` +`runtime` 字段） |
+| `packages/web/src/components/task-form.tsx` | 修改（+runtime 选择器 UI） |
+| `packages/web/src/components/home-page-content.tsx` | 修改（+`selectedRuntime` 透传） |
+
+---
+
+## 三、验收清单
+
+### A. 基础环境
+
+- [ ] `pnpm install` 无报错
+- [ ] `pnpm build:server` 成功
+- [ ] `pnpm build:web` 成功
+- [ ] `pnpm lint` 无报错
+- [ ] `cd packages/server && pnpm test` → **27/27** 通过
+
+---
+
+### B. Runtime 选择器 UI
+
+- [ ] 启动 dev server，进入任务创建表单
+- [ ] 默认状态（未装 opencode）：底部工具栏只显示 `CodeBuddy · [模型名]`，**不显示** runtime 选择器
+- [ ] 装了 opencode CLI 时：底部出现 `· CodeBuddy (Default)▾`，点击可切换到 `OpenCode ACP`
+- [ ] 选 `OpenCode ACP` 创建任务后，查 DB 该任务 `selectedRuntime = 'opencode-acp'`
+
+---
+
+### C. Tencent SDK runtime（回归验证，默认路径）
+
+- [ ] 不选 runtime 创建任务，行为与之前完全一致
+- [ ] 多轮对话正常
+- [ ] ToolConfirm 对话框正常弹出 + 允许/拒绝后 agent 继续
+- [ ] AskUserQuestion 表单正常弹出 + 答题后 agent 继续
+- [ ] 任务完成后历史消息可读（vibe_agent_messages）
+
+---
+
+### D. OpenCode ACP runtime
+
+> 前提：`opencode` CLI 已安装，`~/.config/opencode/opencode.json` 配置了可用模型（如 Moonshot Kimi）
+
+**D1. 基础对话**
+
+- [ ] 选 `OpenCode ACP` 发 prompt，前端实时看到流式文本
+- [ ] 任务完成后 `GET /api/tasks/:id/messages` 能读到历史（user + assistant records，status=done）
+- [ ] assistant record 的 `parts` 数组包含 `text` part
+
+**D2. 沙箱隔离**
+
+- [ ] 让 agent 执行写文件操作（如"创建 hello.txt"）
+- [ ] 文件出现在沙箱（`/tmp/workspace/envId/convId/`），**不出现在 server 本机目录**
+- [ ] `~/.config/opencode/tools/` 下有 `write.ts`, `read.ts` 等 6 个文件
+
+**D3. ToolConfirm**
+
+- [ ] 在项目 `.opencode/opencode.json` 里配置 `"permission": {"edit": "ask"}`
+- [ ] 让 agent 写文件，前端出现"允许一次 / 总是允许 / 拒绝"对话框
+- [ ] 点"允许一次" → agent 继续执行完成，历史可读
+- [ ] 点"拒绝" → agent 收到拒绝反馈，正常结束
+
+**D4. AskUserQuestion**
+
+- [ ] Prompt 明确要求 LLM 用 AskUserQuestion 工具提问（如"请用 AskUserQuestion 问我选哪个框架，给出 React 和 Vue 两个选项"）
+- [ ] 前端出现与 Tencent 相同的答题卡片（`AskUserQuestion` 工具名匹配）
+- [ ] 填写答案提交后 agent 继续推理，回答引用用户选择
+
+**D5. 多轮记忆**
+
+- [ ] Turn 1：`hello 我叫王小明`
+- [ ] Turn 2：`我叫什么` → agent 回答包含"王小明"
+- [ ] Turn 3：要求 agent 用 AskUserQuestion 问 `1+1=?`，回答"2"
+- [ ] Turn 4：`总结我的名字和对话历史` → 回答同时包含"王小明"和"1+1"或"2"
+
+**D6. 消息历史（持久化验证）**
+
+- [ ] 任务完成后关闭页面，重新打开同一任务，历史消息完整显示
+- [ ] assistant 消息包含 `tool_call` + `tool_result` 卡片
+- [ ] 挂起期间（等用户确认前）打开任务，能看到 `tool_call` 为 in_progress 状态
+- [ ] 任务完成后 `vibe_agent_stream_events` 表里该 turn 的数据已清空
+
+---
+
+### E. 接口验证（可用 curl 快速跑）
+
+```bash
+# E1. runtimes 列表（无需 auth）
+curl http://localhost:3001/api/agent/runtimes
+# 期望:
+# { "default": "tencent-sdk", "runtimes": [
+#     { "name": "tencent-sdk",  "available": true },
+#     { "name": "opencode-acp", "available": true/false }
+#   ] }
+
+# E2. runtime 选择器自动化 e2e（不依赖 LLM，约 10s）
+cd packages/server
+npx tsx --env-file=.env scripts/test-runtime-selector.mts
+# 期望: 11 passed, 0 failed — OVERALL: PASS
+```
+
+---
+
+### F. 兜底确认（不应改变的行为）
+
+- [ ] 没安装 opencode CLI 时，系统默认走 tencent-sdk，用户无感知
+- [ ] `vibe_agent_messages` 里已有的历史消息不受影响
+- [ ] 前端 task-chat、AskUserForm、ToolConfirmDialog、PlanModeCard 等组件无变化
+- [ ] 管理后台（`/admin`）、任务列表、沙箱 preview、git 相关功能不受影响
+- [ ] 多 agent / multi-repo 任务创建路径正常（`selectedRuntime` 透传不报错）

From bd424e537a42a1731bb91bf4d72e9772122d5d82 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Mon, 4 May 2026 11:55:07 +0800
Subject: [PATCH 15/33] =?UTF-8?q?fix(agent):=20tool=20override=20schema=20?=
 =?UTF-8?q?=E5=AE=8C=E5=85=A8=E5=AF=B9=E9=BD=90=20opencode=20builtin=20(v1?=
 =?UTF-8?q?.14.33)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 问题

opencode tool override 模板（opencode-tool-templates/*.ts）的参数名和
语义与 opencode builtin tool 不一致，导致 LLM 按 builtin 训练记忆传参时
匹配失败：
  - read/write/edit：builtin 用 filePath，我们用 path → LLM 传错参数名
  - read：builtin offset 1-indexed，我们 0-based → 行偏移错误
  - bash：builtin 有 workdir、description 参数，我们没有
  - grep：builtin 参数名 include，我们用 glob → 字段名不一致

## 修复

所有 6 个 builtin override 文件（read/write/edit/bash/grep/glob）
schema 完全对齐 opencode v1.14.33 src/tool/*.ts：

read:   filePath（非 path）; offset 1-indexed; 保留 limit
write:  filePath（非 path）; content 语义一致
edit:   filePath（非 path）; oldString/newString/replaceAll 语义一致
bash:   +workdir; +description; timeout 默认 120000ms（原 60000）
grep:   include（非 glob）; 参数名对齐；内部转换到沙箱 API 的 glob 参数
glob:   pattern/path 语义一致

沙箱模式内部仍正常转发到 SCF，filePath 按相对路径传给沙箱 API。

## 可维护性：版本锁定 + 漂移检测

每个文件顶部加注释：
  // Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/xxx.ts）

新增 scripts/check-tool-schemas.mts + package.json check:tool-schemas 脚本：
  - 对比本地 opencode --version 与模板注释里的版本
  - 不一致时报警（exit 1），提醒人工对比上游变更并同步
  - 运行：pnpm check:tool-schemas

AskUserQuestion.ts 标注为 custom tool（非 builtin override），不参与
版本比较；注明 schema 来源是 Tencent AskUserQuestionData 契约。
---
 AGENT_SDK_QUICK_REFERENCE.md                  | 244 +++++++
 AGENT_SDK_RESEARCH_REPORT.md                  | 595 ++++++++++++++++++
 docs/opencode-acp-integration-memo.md         | 366 +++++++++++
 packages/server/package.json                  |   3 +-
 .../server/scripts/check-tool-schemas.mts     |  79 +++
 .../AskUserQuestion.ts                        |   9 +-
 .../runtime/opencode-tool-templates/bash.ts   |  66 +-
 .../runtime/opencode-tool-templates/edit.ts   |  43 +-
 .../runtime/opencode-tool-templates/glob.ts   |  31 +-
 .../runtime/opencode-tool-templates/grep.ts   |  49 +-
 .../runtime/opencode-tool-templates/read.ts   |  75 ++-
 .../runtime/opencode-tool-templates/write.ts  |  36 +-
 12 files changed, 1510 insertions(+), 86 deletions(-)
 create mode 100644 AGENT_SDK_QUICK_REFERENCE.md
 create mode 100644 AGENT_SDK_RESEARCH_REPORT.md
 create mode 100644 docs/opencode-acp-integration-memo.md
 create mode 100644 packages/server/scripts/check-tool-schemas.mts

diff --git a/AGENT_SDK_QUICK_REFERENCE.md b/AGENT_SDK_QUICK_REFERENCE.md
new file mode 100644
index 0000000..92028ee
--- /dev/null
+++ b/AGENT_SDK_QUICK_REFERENCE.md
@@ -0,0 +1,244 @@
+# @tencent-ai/agent-sdk 快速参考表
+
+## 核心 API 速查
+
+### query() 参数详解
+
+```typescript
+query({
+  prompt: string,              // 用户输入
+  options: {
+    model: string,             // 'glm-5.1' | 'kimi-k2.6' | 'minimax-m2.7' 等
+    permissionMode: string,    // 'bypassPermissions' | 'plan'
+    cwd: string,               // 本地工作目录
+    maxTurns: number,          // 默认 500
+    resume?: string,           // 会话 ID（恢复历史时使用）
+    persistSession?: boolean,   // 新会话时为 true
+    sessionId: string,         // 唯一会话标识
+    includePartialMessages: boolean,  // true 时流式输出
+    systemPrompt: {
+      append?: string          // 追加系统提示词
+    },
+    mcpServers?: {
+      [key: string]: McpServer  // MCP 工具服务
+    },
+    canUseTool?: (name, input, options) => {
+      behavior: 'allow' | 'deny' | 'block'
+      interrupt?: boolean
+      message?: string
+    },
+    hooks?: {
+      PreToolUse: Array<{
+        matcher: string  // 正则，如 '^mcp__'
+        hooks: Function[]
+      }>
+    },
+    env?: Record<string, string>,  // 传给 CLI 的环境变量
+    disallowedTools?: string[],    // 禁用的工具
+  }
+})
+```
+
+### 消息循环类型
+
+```typescript
+for await (const message of q) {
+  // message.type:
+  // - 'system'       → { session_id: string }
+  // - 'stream_event' → { event: { type, content_block?, delta? } }
+  // - 'user'         → { message: { content: ContentBlock[] } }
+  // - 'assistant'    → { message: { content: ContentBlock[] } }
+  // - 'error'        → { error: string }
+  // - 'result'       → { subtype: string, duration_ms: number }
+}
+```
+
+---
+
+## 文件映射表
+
+### SDK 调用 ↔ 项目文件
+
+| 功能 | SDK 方法 | 项目文件 | 关键代码行 |
+|-----|---------|--------|----------|
+| **Agent 启动** | `query()` | cloudbase-agent.service.ts | L1429 |
+| **消息转换** | callback → message | cloudbase-agent.service.ts | L420-522 |
+| **权限检查** | `canUseTool()` | cloudbase-agent.service.ts | L1195-1321 |
+| **MCP 集成** | `mcpServers` 参数 | cloudbase-agent.service.ts | L1155-1157 |
+| **工具拦截** | patch: tool override | tool-override.ts | envVar 注入 |
+| **会话恢复** | `resume` 参数 | persistence.service.ts | restoreMessages() |
+| **事件缓冲** | 回调集聚 | event-buffer.ts | pushAndGetSeq() |
+| **SSE 转换** | ExtendedSessionUpdate | acp.ts | L462-622 |
+
+---
+
+## Patch 拦截点汇总
+
+### 三个环境变量钩子
+
+| 环境变量 | 目标类 | 拦截方法 | 用途 |
+|---------|--------|---------|------|
+| `CODEBUDDY_TOOL_OVERRIDE` | ToolManager | `overrideTools(toolMap)` | 工具重定向到沙箱 |
+| `CODEBUDDY_SKILL_LOADER_OVERRIDE` | SkillLoader | `loadSkills() / scanSkillsDirectory() / parseSkillFile()` | 扫描项目/用户技能 |
+| `CODEBUDDY_SESSION_STORE_OVERRIDE` | SessionStore | `overrideSessionStore(prototype)` | 自定义会话持久化 |
+
+### Patch 文件
+- 路径: `/patches/@tencent-ai__agent-sdk@0.3.68.patch`
+- 大小: 85 行
+- 应用: pnpm install 时自动应用（via patch-package）
+
+---
+
+## 消息类型对应表
+
+### SDK 回调 → ACP sessionUpdate 映射
+
+```
+AgentCallbackMessage (SDK)           ExtendedSessionUpdate (ACP)
+├─ { type: 'text' }                 → sessionUpdate: 'agent_message_chunk'
+├─ { type: 'thinking' }             → sessionUpdate: 'thinking'
+├─ { type: 'tool_use' }             → sessionUpdate: 'tool_call'
+├─ { type: 'tool_input_update' }    → sessionUpdate: 'tool_call_update'
+├─ { type: 'tool_result' }          → sessionUpdate: 'tool_call_update'
+├─ { type: 'error' }                → sessionUpdate: 'log' (level: error)
+├─ { type: 'artifact' }             → sessionUpdate: 'artifact'
+├─ { type: 'ask_user' }             → sessionUpdate: 'ask_user'
+├─ { type: 'tool_confirm' }         → sessionUpdate: 'tool_confirm'
+└─ { type: 'agent_phase' }          → sessionUpdate: 'agent_phase'
+```
+
+---
+
+## 权限决策流程图
+
+```
+Agent 调用工具 (toolName, input)
+  ↓
+① canUseTool() 同步检查
+  ├─ 返回 allow → 继续执行
+  ├─ 返回 deny/block + interrupt=true → 中断, emit tool_confirm
+  └─ 返回 deny/block + interrupt=false → 拒绝
+  ↓
+② Resume 场景：用户确认后
+  ├─ action='allow' → 执行
+  ├─ action='allow_always' → 写白名单 + 执行
+  ├─ action='deny' → 拒绝
+  └─ action='reject_and_exit_plan' → 允许本次 + 退出 plan 模式
+  ↓
+③ PreToolUse Hook (MCP 工具)
+  └─ 返回 {continue: true/false} → 最终决策
+```
+
+---
+
+## WRITE_TOOLS 清单
+
+需要确认的写操作工具集合（8 个）:
+
+```
+writeNoSqlDatabaseStructure  ← 修改 NoSQL 结构
+writeNoSqlDatabaseContent    ← 修改 NoSQL 数据
+executeWriteSQL              ← 执行 SQL 写入
+modifyDataModel              ← 修改数据模型
+createFunction               ← 创建云函数
+updateFunctionCode           ← 更新函数代码
+updateFunctionConfig         ← 更新函数配置
+invokeFunction               ← 调用云函数
+```
+
+---
+
+## SDK 版本与兼容性
+
+| 维度 | 值 |
+|-----|-----|
+| 当前版本 | 0.3.68 |
+| package.json 位置 | packages/server/package.json L26 |
+| 依赖列表 | `@tencent-ai/agent-sdk: 0.3.68` |
+| Node 版本要求 | >= 18 (推荐 22) |
+
+---
+
+## 故障排查速查表
+
+| 问题 | 症状 | 检查点 |
+|-----|------|--------|
+| Agent 启动失败 | query() throw 异常 | 检查 model ID、cwd、permissions |
+| 消息不同步 | SSE 流无响应 | 检查 eventBuffer.flush() 是否调用 |
+| 工具执行超时 | tool 卡住 | 检查 ITERATION_TIMEOUT_MS (2min) |
+| 会话 resume 失败 | "already running" | 检查 isAgentRunning() 状态 |
+| 权限中断无反馈 | tool_confirm 未发出 | 检查 wrappedCallback 是否绑定 |
+| MCP 工具不可用 | "Tool not found" | 检查 sandboxMcpClient 是否初始化 |
+| Patch 未加载 | tool override 无效 | 运行 `pnpm install` 重新应用补丁 |
+
+---
+
+## 关键常量
+
+```typescript
+// 模型
+DEFAULT_MODEL = 'glm-5.1'
+
+// 超时
+CONNECT_TIMEOUT_MS = 60_000         // 连接超时
+ITERATION_TIMEOUT_MS = 2 * 60 * 1000  // 迭代超时
+HEALTH_INTERVAL_MS = 2000            // 沙箱健康检查间隔
+
+// 事件缓冲
+MAX_BUFFER_SIZE = 10                 // 缓冲区大小
+FLUSH_INTERVAL_MS = 500              // 自动 flush 间隔
+
+// 权限
+WRITE_TOOLS = Set(8)                 // 需确认的写工具
+
+// Milestone 事件（触发立即 flush）
+MILESTONE_SESSION_UPDATES = [
+  'tool_call',
+  'tool_call_update',
+  'ask_user',
+  'tool_confirm',
+  'artifact'
+]
+```
+
+---
+
+## 导入路径
+
+```typescript
+// ✓ 正确
+import { query, ExecutionError } from '@tencent-ai/agent-sdk'
+import { CloudbaseAgentService } from '../agent/cloudbase-agent.service'
+import { persistenceService } from '../agent/persistence.service'
+
+// ✗ 错误（不存在的 export）
+import { Agent, createAgent } from '@tencent-ai/agent-sdk'  // NOT exported
+```
+
+---
+
+## 环境变量清单
+
+项目传给 SDK CLI 的所有环境变量:
+
+```typescript
+envVars = {
+  // 认证
+  CODEBUDDY_API_KEY: string,           // API Key 模式
+  CODEBUDDY_AUTH_TOKEN: string,        // OAuth token 模式
+  CODEBUDDY_INTERNET_ENVIRONMENT?: string,  // 网络环境
+
+  // 工具拦截
+  CODEBUDDY_TOOL_OVERRIDE: string,     // 工具 override 模块路径
+  CODEBUDDY_TOOL_OVERRIDE_CONFIG: string,  // 工具配置 (JSON)
+
+  // 技能加载
+  CODEBUDDY_SKILL_LOADER_OVERRIDE: string,  // 技能加载 override 模块路径
+  CODEBUDDY_SANDBOX_CWD?: string,      // 沙箱工作目录
+  // CODEBUDDY_BUNDLED_SKILLS_DIR: string,  // 捆绑技能目录 (注释)
+
+  // 会话存储
+  CODEBUDDY_SESSION_STORE_OVERRIDE?: string,  // 会话存储 override (未使用)
+}
+```
+
diff --git a/AGENT_SDK_RESEARCH_REPORT.md b/AGENT_SDK_RESEARCH_REPORT.md
new file mode 100644
index 0000000..9f8d394
--- /dev/null
+++ b/AGENT_SDK_RESEARCH_REPORT.md
@@ -0,0 +1,595 @@
+# @tencent-ai/agent-sdk 项目使用调研报告
+
+**项目根目录**: `/Users/yang/git/coding-agent-template`  
+**生成日期**: 2026-05-01  
+
+---
+
+## 1. SDK 核心使用方式
+
+### 1.1 Import 位置与关键 API
+
+#### 主要导入文件
+- **文件**: `/packages/server/src/agent/cloudbase-agent.service.ts` (2200+ 行)
+- **SDK 导入**:
+  ```typescript
+  import { query, ExecutionError } from '@tencent-ai/agent-sdk'
+  ```
+
+#### 关键导出 API 及用法
+
+| API | 用途 | 位置 |
+|-----|------|------|
+| `query()` | 创建 agent 查询迭代器，驱动整个 agent 执行流程 | L1429 |
+| `ExecutionError` | SDK 内部中断异常（如 interrupt=true 时抛出） | L1556 |
+| `supportedModels()` | 获取平台支持的模型列表 | L64 |
+
+#### 核心调用代码
+
+```typescript
+// ─── SDK 查询配置 (cloudbase-agent.service.ts, L1176-1426)
+const queryArgs = {
+  prompt,                           // 用户提示词
+  options: {
+    model: modelId,                 // 模型 ID（如 'glm-5.1'）
+    permissionMode: sdkPermissionMode,  // 权限模式: 'bypassPermissions' | 'plan'
+    allowDangerouslySkipPermissions: true,  // 跳过权限检查开关
+    maxTurns: 500,                  // 最大对话轮数
+    cwd: actualCwd,                 // 本地工作目录
+    sessionId: conversationId,      // 会话 ID（resume 时关键）
+    resume: hasHistory ? conversationId : undefined,  // 恢复历史标志
+    persistSession: !hasHistory,    // 新会话持久化
+    includePartialMessages: true,   // 包含部分消息（流式）
+    systemPrompt: { append: '...' },  // 系统提示词（可追加）
+    mcpServers: { cloudbase: sdkServer },  // MCP 服务配置
+    abortController,                // 中止控制器
+    canUseTool: async (toolName, input, _options) => { /* 工具权限回调 */ },
+    hooks: {
+      PreToolUse: [/* 工具执行前 hook */]
+    },
+    env: envVars,                   // 传入 CLI 的环境变量
+    stderr: (data) => { /* 标准错误回调 */ },
+    settingSources: ['project'],    // 设置源
+    disallowedTools: ['AskUserQuestion'],  // 禁用工具列表
+  }
+}
+
+const q = query(queryArgs as any)
+
+// ─── 消息循环迭代 (L1451-1543)
+for await (const message of q) {
+  switch (message.type) {
+    case 'system':    // 系统消息（session_id）
+    case 'error':     // 错误消息
+    case 'stream_event':  // SDK 内部流事件
+    case 'user':      // 工具执行结果
+    case 'assistant': // 模型响应（含工具调用）
+    case 'result':    // 本轮执行结果
+  }
+}
+```
+
+### 1.2 Model 支持
+
+```typescript
+// 静态模型列表（L49-58）
+const STATIC_MODELS = [
+  { id: 'minimax-m2.7', name: 'MiniMax-M2.7' },
+  { id: 'glm-5.1', name: 'GLM-5.1' },
+  { id: 'kimi-k2.6', name: 'Kimi-K2.6' },
+  { id: 'deepseek-v3-2-volc', name: 'DeepSeek-V3.2' },
+  // ...
+]
+
+// 默认模型
+const DEFAULT_MODEL = 'glm-5.1'  // L25
+```
+
+---
+
+## 2. SDK 改造点（Patch 机制）
+
+### 2.1 Patch 文件位置与内容
+
+- **文件**: `/patches/@tencent-ai__agent-sdk@0.3.68.patch` (85 行)
+- **配置**: `package.json` L52-54 注册了 pnpm 补丁
+
+### 2.2 Patch 改造的三个拦截点
+
+#### (1) **Skill 加载器拦截** (L11-30 of patch)
+```javascript
+// 注入环境变量: CODEBUDDY_SKILL_LOADER_OVERRIDE
+// 目标: 覆盖 SDK 的 loadSkills / scanSkillsDirectory / parseSkillFile 方法
+(function(){
+  var _m = process.env.CODEBUDDY_SKILL_LOADER_OVERRIDE;  // override 模块路径
+  if (!_m) return;
+  // 拦截三个方法：
+  // - loadSkills()
+  // - scanSkillsDirectory()
+  // - parseSkillFile()
+  // 注入自定义逻辑（e.g., 扫描项目/用户技能）
+})();
+```
+**用途**: 支持项目级和用户级技能加载，不仅仅是 SDK 内置技能
+
+**对应实现文件**:
+- `packages/server/src/util/skill-loader-override.ts` (编译到 `dist/util/skill-loader-override.cjs`)
+- 在 `launchAgent()` 中通过 `envVars.CODEBUDDY_SKILL_LOADER_OVERRIDE` 传入
+
+#### (2) **会话存储拦截** (L41-51 of patch)
+```javascript
+// 注入环境变量: CODEBUDDY_SESSION_STORE_OVERRIDE
+// 目标: 覆盖 SDK 的 SessionStore.prototype 行为
+(function(){
+  var _ss = process.env.CODEBUDDY_SESSION_STORE_OVERRIDE;
+  if (!_ss) return;
+  var _mod = require(_ss);
+  if (typeof _mod.overrideSessionStore === "function") {
+    _mod.overrideSessionStore(tL.prototype);  // 在 SessionStore 原型上拦截
+  }
+})();
+```
+**用途**: 自定义会话持久化（JSONL 格式转换、CloudBase 同步等）
+
+#### (3) **工具执行拦截** (L61-81 of patch)
+```javascript
+// 注入环境变量: CODEBUDDY_TOOL_OVERRIDE
+// 目标: 在 SDK 工具管理器初始化后，覆盖工具集
+(function(){
+  var _t = process.env.CODEBUDDY_TOOL_OVERRIDE;
+  if (!_t) return;
+  var _mod = require(_t);
+  if (typeof _mod.overrideTools === "function") {
+    // 在 ToolManager.init() 后注入，修改 this.toolMap
+    _mod.overrideTools(this.toolMap);
+  }
+})();
+```
+**用途**: 重定向工具调用到沙箱（CloudBase SCF 函数）
+
+**对应实现文件**:
+- `packages/server/src/sandbox/tool-override.ts` (编译到 `dist/sandbox/tool-override.cjs`)
+- 通过 `envVars.CODEBUDDY_TOOL_OVERRIDE` 和 `envVars.CODEBUDDY_TOOL_OVERRIDE_CONFIG` 传入
+
+### 2.3 Patch 版本与应用
+
+```json
+// package.json
+"patchedDependencies": {
+  "@tencent-ai/agent-sdk@0.3.68": "patches/@tencent-ai__agent-sdk@0.3.68.patch"
+}
+```
+- **SDK 版本**: `0.3.68`（固定）
+- **应用方式**: `pnpm install` 时自动应用（via `patch-package`）
+
+---
+
+## 3. Agent 核心能力使用点
+
+### 3.1 ACP (Agent Communication Protocol) 协议
+
+#### 协议层面
+- **是否使用**: **是** ✓
+- **位置**: `/packages/server/src/routes/acp.ts` (全 ACP 路由实现)
+
+#### 关键 ACP 消息类型（来自 SDK）
+
+SDK 的 `message.type` 枚举（在消息循环中）:
+
+```typescript
+// 系统级消息
+message.type === 'system'        // session_id 初始化
+message.type === 'error'         // 执行错误
+
+// 核心业务消息
+message.type === 'stream_event'  // SDK 流事件（含 thinking / tool_use / text_delta 等）
+message.type === 'user'          // 工具结果（tool_result 块）
+message.type === 'assistant'     // 模型响应（tool_use、text 块）
+message.type === 'result'        // 执行完成标志
+```
+
+#### 消息转换管道
+
+**Raw SDK Message → ExtendedSessionUpdate (DB 格式) → ACP SSE (前端格式)**
+
+```typescript
+// CloudbaseAgentService.convertToSessionUpdate() [L420-522]
+AgentCallbackMessage (SDK 内部)
+  ↓
+ExtendedSessionUpdate (适配 ACP 协议)
+  ↓
+SSE Stream (前端订阅)
+  
+例:
+{type: 'text', content: 'hello'}
+  → {sessionUpdate: 'agent_message_chunk', content: {type: 'text', text: 'hello'}}
+  → SSE: {'jsonrpc': '2.0', 'method': 'session/update', 'params': {...}}
+```
+
+### 3.2 SSE 流式输出处理
+
+#### 流消息类型映射（L420-522）
+
+| SDK 回调类型 | sessionUpdate 值 | 说明 |
+|-----------|-----------------|------|
+| `text` | `agent_message_chunk` | 文本流片段 |
+| `thinking` | `thinking` | 思考块内容 |
+| `tool_use` | `tool_call` | 工具调用开始 |
+| `tool_input_update` | `tool_call_update` | 工具参数更新 |
+| `tool_result` | `tool_call_update` | 工具执行结果 |
+| `error` | `log` (level=error) | 错误日志 |
+| `artifact` | `artifact` | 部署 URL / 二维码等 |
+| `ask_user` | `ask_user` | 用户问卷 |
+| `tool_confirm` | `tool_confirm` | 工具确认请求 |
+| `agent_phase` | `agent_phase` | 代理执行阶段 |
+
+#### 流处理管道
+
+```
+SDK message loop
+  ↓
+wrappedCallback (L759-795)  // 统一回调入口
+  ↓
+convertToSessionUpdate()     // 转换为 ACP 格式
+  ↓
+eventBuffer.push()          // 缓冲到内存
+  ↓
+persistenceService.appendStreamEvents()  // 异步刷到 DB
+  ↓
+liveCallback() → SSE stream // 同步发给前端
+```
+
+### 3.3 工具调用处理与权限拦截
+
+#### 权限框架（Permission Model）
+
+**三层权限检查**:
+
+1. **canUseTool 回调** (L1195-1321)
+   - 工具调用前的**异步权限决策**
+   - 返回 `{behavior: 'allow'|'deny'|'block', interrupt: true}`
+
+2. **PreToolUse Hook** (L1322-1417)
+   - MCP 工具（mcp__ 前缀）的前置拦截
+   - 返回 `{continue: true/false, decision: 'block'|undefined}`
+
+3. **会话级白名单** (sessionPermissions)
+   - `sessionPermissions.isAllowed()` 检查
+   - `sessionPermissions.allowAlways()` 记录许可
+
+#### 写工具确认机制
+
+**WRITE_TOOLS 集合** (L195-207):
+```typescript
+const WRITE_TOOLS = new Set([
+  'writeNoSqlDatabaseStructure',
+  'writeNoSqlDatabaseContent',
+  'executeWriteSQL',
+  'modifyDataModel',
+  'createFunction',
+  'updateFunctionCode',
+  'updateFunctionConfig',
+  'invokeFunction',
+])
+```
+
+**确认流程**:
+```
+Agent 调用写工具 (e.g., executeWriteSQL)
+  ↓
+canUseTool 判断:
+  - 白名单中 → {behavior: 'allow'} → 直接执行
+  - Resume + toolConfirmation 中 → {behavior: 'allow'|'deny'} → 按用户决策
+  - 首次调用 → wrappedCallback({type: 'tool_confirm'}) → 等待用户确认（Interrupt）
+  ↓
+前端展示 ToolConfirm 对话框
+  ↓
+用户确认后 → cloudbaseAgentService.launchAgent() 再次启动 resume 流程
+```
+
+### 3.4 MCP (Model Context Protocol) 集成
+
+#### MCP 服务配置
+
+**位置**: L1155-1157
+```typescript
+const mcpServers: Record<string, any> = {}
+if (sandboxMcpClient) {
+  mcpServers.cloudbase = sandboxMcpClient.sdkServer  // SDK-wrapped MCP server
+}
+```
+
+#### MCP 服务来源
+
+```
+sandboxMcpClient = await createSandboxMcpClient({
+  sandbox: SandboxInstance,
+  getCredentials: () => ({ cloudbaseEnvId, secretId, secretKey, ... }),
+  workspaceFolderPaths: actualCwd,
+  ...
+})
+  ↓
+mcpClient 内部:
+  - 通过 HTTP API 与沙箱通信
+  - 支持的工具: cloudbase_* (数据库、函数、存储、托管等)
+  - 工具结果经 tool-override 重定向
+```
+
+#### MCP 工具规范化
+
+```typescript
+// normalizeToolName() [session-permissions.ts]
+'mcp__cloudbase__executeWriteSQL' → 'executeWriteSQL'
+// 用于权限检查和白名单匹配
+```
+
+### 3.5 AskUserQuestion 中断机制
+
+#### 工作流 (L1198-1211)
+
+```typescript
+if (toolName === 'AskUserQuestion') {
+  wrappedCallback({
+    type: 'ask_user',
+    id: toolUseId,
+    input: { questions: [...] },
+  })
+  return {
+    behavior: 'deny',
+    message: '等待用户回答问题',
+    interrupt: true,  // 中断执行
+  }
+}
+```
+
+#### Resume 处理 (L668-738)
+
+```
+askAnswers 场景（用户填表后）:
+  ↓
+persistenceService.updateToolResult()  // 写入用户回答
+  ↓
+restoreMessages()  // 从 DB 恢复含答案的历史
+  ↓
+query() resume  // 重新启动 agent
+  ↓
+SDK 看到 AskUserQuestion 的结果 → 继续执行（不再中断）
+```
+
+### 3.6 ExitPlanMode 工具与 Plan 模式
+
+#### Plan 模式激活
+
+```typescript
+const sdkPermissionMode = requestedPermissionMode === 'plan' ? 'plan' : 'bypassPermissions'
+// L1170：前端通过 permissionMode='plan' 切入 plan 模式
+```
+
+#### ExitPlanMode 处理 (L1221-1256)
+
+```typescript
+if (toolName === 'ExitPlanMode') {
+  // 首次调用 → wrappedCallback({type: 'tool_confirm', ...}) → PlanModeCard 展示
+  // Resume 后 → 根据用户决策:
+  //   · allow / allow_always → SDK 自动切出 plan 模式，继续执行
+  //   · deny → 继续停留 plan 模式
+  //   · reject_and_exit_plan → 允许本次，后续前端传 permissionMode=default
+}
+```
+
+---
+
+## 4. Agent 抽象层与耦合度分析
+
+### 4.1 当前架构与接口
+
+#### 核心服务架构
+
+```
+CloudbaseAgentService (L416+)
+  │
+  ├─ chatStream() ─────────→ 启动 agent (返回 turnId, alreadyRunning)
+  │
+  ├─ launchAgent() ────────→ 后台执行（含沙箱管理、消息循环、持久化）
+  │
+  ├─ convertToSessionUpdate() → SDK callback → ACP 格式转换
+  │
+  ├─ handleStreamEvent() ──→ stream_event 解析
+  ├─ handleToolResults() ──→ tool_result 聚合
+  └─ handleAssistantToolUseInputs() → tool_use 输入序列化
+
+persistence.service.ts
+  ├─ restoreMessages() ────→ DB → JSONL（SDK resume）
+  ├─ syncMessages() ───────→ JSONL → DB（完成后同步）
+  └─ updateToolResult() ───→ 写入工具结果
+
+EventBuffer (event-buffer.ts)
+  └─ pushAndGetSeq() → 缓冲 ACP 事件到 DB
+```
+
+#### 可抽象的接口
+
+```typescript
+// 建议的 Agent 接口（目前不存在）
+interface AgentAdapter {
+  // 初始化 agent
+  initialize(config: AgentConfig): Promise<void>
+
+  // 执行 agent
+  execute(prompt: string, options: AgentOptions): AsyncIterable<AgentMessage>
+
+  // 中止执行
+  abort(conversationId: string): Promise<void>
+
+  // 恢复会话
+  resume(conversationId: string, userInput: unknown): AsyncIterable<AgentMessage>
+}
+
+type AgentMessage = 
+  | {type: 'text', content: string}
+  | {type: 'tool_call', toolName: string, input: unknown}
+  | {type: 'tool_result', toolUseId: string, result: unknown}
+  | {type: 'ask_user', questions: Record<string, string>}
+  | {type: 'done', result: unknown}
+```
+
+### 4.2 Session 与消息持久化耦合度
+
+#### 耦合情形
+
+| 组件 | 耦合点 | 是否易拆 |
+|-----|-------|--------|
+| `cloudbase-agent.service` | 直接调用 `query()` → 消息循环 | 😞 难（SDK 消息格式固定） |
+| `persistence.service` | 依赖 JSONL → DB 映射 | 😐 中等（可通过 adapter 抽象） |
+| `event-buffer` | 绑定 `ExtendedSessionUpdate` 格式 | 😐 中等（格式化层可独立） |
+| `sandbox-mcp-proxy` | 实现 MCP server wrapping | 😐 中等（协议标准，可替换） |
+| `tool-override.ts` | 工具重定向到沙箱 | 😞 难（与沙箱深度耦合） |
+
+#### 关键耦合链
+
+```
+query() 消息类型 ← SDK 固定
+  ↓
+convertToSessionUpdate() ← 适配层（相对独立）
+  ↓
+ExtendedSessionUpdate ← 项目定义 (shared/types)
+  ↓
+StreamEvent → DB 存储 ← persistence.service 依赖此格式
+  ↓
+JSONL restore → 消息历史恢复 ← SDK resume 时读取
+```
+
+### 4.3 替换方案评估
+
+#### 选项 A: 保持 @tencent-ai/agent-sdk，替换上层（推荐）
+
+**可行性**: ✓ 高  
+**工作量**: 🔴 中（主要改造 convertToSessionUpdate 和 persistence 层）
+
+```typescript
+// 新增 adapter 层
+interface IAgentBackend {
+  convertMessage(sdkMessage: any): ExtendedSessionUpdate | null
+  persistMessage(sessionUpdate: ExtendedSessionUpdate): Promise<void>
+  restoreHistory(conversationId: string): Promise<any[]>
+}
+
+class TencentAgentBackend implements IAgentBackend {
+  // 当前 cloudbase-agent.service 的逻辑
+}
+
+class AnthropicAgentBackend implements IAgentBackend {
+  // Claude agent SDK 的适配
+}
+```
+
+#### 选项 B: 替换为 Anthropic Claude Agent SDK
+
+**可行性**: ✓ 中  
+**工作量**: 🟡 大（需要完全重写消息循环、工具拦截、权限系统）
+
+```
+@tencent-ai/agent-sdk          @anthropic-ai/claude-agent-sdk
+    query()          ←→        createAgent() / agent.run()
+  message loop       ←→        eventStream / generator
+  canUseTool hook    ←→        toolUseHandler callback
+```
+
+**已有支持**: `/packages/server/src/agent/cloudbase-agent.service.ts` 已 import `@anthropic-ai/claude-agent-sdk`，但仅用于 `tool()` 和 `createSdkMcpServer()`（未深度集成）。
+
+#### 选项 C: 完全自建 Agent 引擎
+
+**可行性**: 😞 低  
+**工作量**: 🔴🔴 极大（需要 LLM 推理集成、工具调用框架、流式处理、会话管理等）
+
+---
+
+## 5. 关键文件与代码路径
+
+### 5.1 核心文件清单
+
+| 文件 | 行数 | 主要职责 |
+|-----|-----|---------|
+| `/packages/server/src/agent/cloudbase-agent.service.ts` | 2200+ | **主入口**：Agent 调度、SDK 查询、消息循环、权限控制 |
+| `/packages/server/src/agent/persistence.service.ts` | ? | 消息持久化、JSONL 转换、DB 同步 |
+| `/packages/server/src/agent/event-buffer.ts` | 75 | 事件缓冲、自动 flush 机制 |
+| `/packages/server/src/routes/acp.ts` | 500+ | ACP 协议路由（conversations、chat SSE） |
+| `/packages/server/src/sandbox/sandbox-mcp-proxy.ts` | ? | MCP server wrapping、CloudBase 工具封装 |
+| `/packages/server/src/sandbox/tool-override.ts` | ? | 工具重定向到沙箱 |
+| `/packages/server/src/agent/session-permissions.ts` | ? | 权限检查、白名单管理 |
+| `/patches/@tencent-ai__agent-sdk@0.3.68.patch` | 85 | SDK patch：工具/会话/技能拦截 |
+
+### 5.2 关键方法签名
+
+```typescript
+// ─── Agent 生命周期 ───────────────────────
+CloudbaseAgentService.chatStream(
+  prompt: string,
+  callback: AgentCallback | null,
+  options: AgentOptions
+): Promise<{ turnId: string; alreadyRunning: boolean }>
+
+CloudbaseAgentService.launchAgent(
+  prompt: string,
+  liveCallback: AgentCallback | null,
+  options: AgentOptions,
+  assistantMessageId: string
+): Promise<void>
+
+// ─── 消息转换 ──────────────────────────
+CloudbaseAgentService.convertToSessionUpdate(
+  msg: AgentCallbackMessage,
+  sessionId: string
+): ExtendedSessionUpdate | null
+
+// ─── 权限检查 ──────────────────────────
+canUseTool(
+  toolName: string,
+  input: unknown,
+  _options: unknown
+): Promise<{
+  behavior: 'allow' | 'deny' | 'block'
+  message?: string
+  interrupt?: boolean
+}>
+```
+
+---
+
+## 6. 快速集成要点
+
+### 6.1 如何替换 SDK
+
+**最小改动方案**:
+1. 在 `launchAgent()` 中替换 `query()` 调用
+2. 实现消息循环适配层（将新 SDK 的消息格式转换为 `AgentCallbackMessage`）
+3. 保持 `convertToSessionUpdate()` 不变（这是核心格式适配）
+4. 替换对应的 patch 文件（工具拦截等）
+
+**代码位置**:
+```typescript
+// L1429: const q = query(queryArgs as any)
+// 替换为:
+// const q = await newAgentSdk.query(queryArgs)
+// 然后在消息循环中统一转换
+```
+
+### 6.2 避免的陷阱
+
+1. **会话 resume 数据格式**: SDK 期望特定的 JSONL 结构，replace 必须保持兼容
+2. **工具权限拦截**: `canUseTool` 返回值格式由 SDK 定义，需精确适配
+3. **Patch 加载顺序**: 工具/会话/技能拦截需要在 CLI 初始化**前**完成
+4. **MCP 服务生命周期**: `sdkServer` 需要与 query 迭代器同步释放
+
+---
+
+## 总结
+
+| 维度 | 现状 |
+|-----|-----|
+| **SDK 使用深度** | 深度集成（消息循环、权限系统、工具拦截） |
+| **抽象程度** | 低（SDK 紧密耦合，难以热替换） |
+| **Patch 复杂度** | 中等（3 个拦截点，针对特定 SDK 版本） |
+| **可替换性** | 中等（可通过适配层替换，但需改造权限、消息循环、沙箱工具层） |
+| **推荐替换方案** | 保持 SDK，通过 adapter 模式支持多个后端 |
+
diff --git a/docs/opencode-acp-integration-memo.md b/docs/opencode-acp-integration-memo.md
new file mode 100644
index 0000000..8446b31
--- /dev/null
+++ b/docs/opencode-acp-integration-memo.md
@@ -0,0 +1,366 @@
+# OpenCode ACP Integration Memo
+
+> Source: `sst/opencode` @ branch `dev` (commit captured 2026-05-01).
+> Inspection scope: `packages/opencode/src/acp/**`, `packages/opencode/src/cli/cmd/acp.ts`, supporting server / tool / permission modules. File and line citations below are against that branch.
+>
+> **TL;DR**: OpenCode's `acp` command is **not** a thin ACP agent that delegates I/O to the client. It boots the full OpenCode runtime (HTTP server + internal tool registry + filesystem + shell) inside the same process and exposes a JSON-RPC façade over stdio. Builtin tools (`read`, `write`, `edit`, `bash`, `grep`, `glob`, `webfetch`, …) execute locally against the *agent's* filesystem/shell. The ACP `connection.*` callbacks are used only for **presentation** (streaming `session/update` notifications, `session/request_permission`), and — in one narrow case — `fs/write_text_file` is called to push the post-approval edit back to the editor. `fs/read_text_file`, `terminal/*`, `fs/write_text_file` for arbitrary tool writes are **not** consumed.
+
+---
+
+## 1. 启动与传输
+
+| Item | Value | Source |
+| --- | --- | --- |
+| CLI entry | `opencode acp` (registered via yargs `cmd`) | `packages/opencode/src/cli/cmd/acp.ts:12-21` |
+| Working directory flag | `--cwd` (defaults to `process.cwd()`) | `packages/opencode/src/cli/cmd/acp.ts:16-20` |
+| Transport | NDJSON over stdio (`ndJsonStream` from `@agentclientprotocol/sdk`). **Not** LSP-style `Content-Length` framing. | `packages/opencode/src/cli/cmd/acp.ts:4, 55` |
+| Stream wiring | `process.stdout` → `WritableStream`, `process.stdin` → `ReadableStream`, glued via `ndJsonStream`, then an `AgentSideConnection` is constructed | `packages/opencode/src/cli/cmd/acp.ts:32-60` |
+| Lifecycle | Blocks on `process.stdin` `end`/`error`; no heartbeat/reconnect logic | `packages/opencode/src/cli/cmd/acp.ts:63-67` |
+| Sidecar HTTP server | `Server.listen()` is started **inside the acp process** at `127.0.0.1:<random port>` (port 0) *before* stdio transport is wired; `createOpencodeClient` is then used by the ACP agent to talk to itself via localhost HTTP. | `packages/opencode/src/cli/cmd/acp.ts:24-30`, `packages/opencode/src/cli/network.ts:6-15, 44-62` |
+| Server auth | HTTP Basic via `OPENCODE_SERVER_USERNAME` / `OPENCODE_SERVER_PASSWORD`. In ACP mode the env var isn't set so auth is effectively off (loopback only). | `packages/opencode/src/server/middleware.ts` (AuthMiddleware) |
+| Env switch | `process.env.OPENCODE_CLIENT = "acp"` is set before bootstrap — gates feature flags elsewhere (e.g. `QuestionTool`, see §5.2). | `packages/opencode/src/cli/cmd/acp.ts:23` |
+
+**Error handling**: per-method `.catch()` logs errors via `@opencode-ai/core/util/log`; no protocol-level reconnect. `SIGTERM/SIGINT` graceful shutdown mentioned in the README (`packages/opencode/src/acp/README.md`) is **not present** in today's code (README references a `server.ts` that no longer exists — see §9).
+
+---
+
+## 2. 依赖 SDK / 协议版本
+
+| Item | Value | Source |
+| --- | --- | --- |
+| SDK | `@agentclientprotocol/sdk@0.16.1` | `packages/opencode/package.json` (dependencies) |
+| Reported `protocolVersion` | `1` (advertised in `initialize` response) | `packages/opencode/src/acp/agent.ts:554-555` |
+| OpenCode itself version | 1.14.31 (at current HEAD of `dev`) | `packages/opencode/package.json` (version) |
+| ACP agent exported name | `{ name: "OpenCode", version: InstallationVersion }` | `packages/opencode/src/acp/agent.ts:573-576` |
+
+---
+
+## 3. Agent-side 方法实现（OpenCode 作为 agent 响应）
+
+Implemented in `class Agent implements ACPAgent` — `packages/opencode/src/acp/agent.ts:140-1548`.
+
+| ACP method | Handler | File:line | Notes |
+| --- | --- | --- | --- |
+| `initialize` | `initialize()` | `packages/opencode/src/acp/agent.ts:534-578` | Returns `protocolVersion: 1`, advertises capabilities (below), one `authMethod` (`id: "opencode-login"`), `agentInfo: { name: "OpenCode", version }`. **Note**: `clientCapabilities` from the request is *not* stored on `this` — see §9 limitation. |
+| `authenticate` | `authenticate()` | `packages/opencode/src/acp/agent.ts:580-582` | **Throws** `"Authentication not implemented"` — despite advertising `opencode-login`. See issue #24846. |
+| `session/new` | `newSession()` | `packages/opencode/src/acp/agent.ts:584-617` | Calls `sdk.session.create` over the internal HTTP server; registers MCP servers; returns `sessionId`, `models`, `modes`, `configOptions`, `_meta` |
+| `session/load` | `loadSession()` | `packages/opencode/src/acp/agent.ts:619-687` | Fetches stored messages and **replays full history** via `processMessage()` as `session/update` notifications; updates usage. |
+| `session/list` | `listSessions()` | `packages/opencode/src/acp/agent.ts:689-732` | Cursor based (`time.updated`), page size 100. |
+| `session/fork` (`unstable_forkSession`) | `unstable_forkSession()` | `packages/opencode/src/acp/agent.ts:734-797` | Forks upstream session; replays history. |
+| `session/resume` (`unstable_resumeSession`) | `unstable_resumeSession()` | `packages/opencode/src/acp/agent.ts:799-828` | No replay — just re-registers session + sends usage. |
+| `session/set_model` (`unstable_setSessionModel`) | `unstable_setSessionModel()` | `packages/opencode/src/acp/agent.ts:1286-1306` | Parses `provider/model[/variant]`. |
+| `session/set_mode` | `setSessionMode()` | `packages/opencode/src/acp/agent.ts:1308-1315` | Backed by OpenCode "agents" (the TUI's agent *modes*, not sub-agents). |
+| `session/set_config_option` | `setSessionConfigOption()` | `packages/opencode/src/acp/agent.ts:1317-1353` | Supports `configId ∈ {"model","mode"}`. |
+| `session/prompt` | `prompt()` | `packages/opencode/src/acp/agent.ts:1355-1536` | Main entry point. Normalises ACP content blocks (`text`/`image`/`resource_link`/`resource`) → internal parts, intercepts slash commands (`/compact` handled natively; other `/<cmd>` dispatched to `sdk.session.command`), else calls `sdk.session.prompt`. Returns `{ stopReason: "end_turn", usage, _meta }`. |
+| `session/cancel` | `cancel()` | `packages/opencode/src/acp/agent.ts:1538-1547` | Calls `sdk.session.abort`. |
+
+### Advertised `agentCapabilities`
+
+```ts
+{
+  loadSession: true,
+  mcpCapabilities: { http: true, sse: true },
+  promptCapabilities: { embeddedContext: true, image: true },
+  sessionCapabilities: { fork: {}, list: {}, resume: {} },
+}
+```
+Source: `packages/opencode/src/acp/agent.ts:556-571`.
+
+**Not advertised**: streaming audio, tool call authorisation (`toolCallAuth`), and the experimental per-message `configOptions` etc. Check the SDK version `0.16.1` for the authoritative Capability schema.
+
+---
+
+## 4. Client-side 方法调用（OpenCode → client 请求）⭐
+
+This is the **most important section for integration planning**. Searching `packages/opencode/src/acp/agent.ts` for every `this.connection.*` call:
+
+| ACP client method | How often / what triggers it | File:line |
+| --- | --- | --- |
+| `session/update` (notification) | High-volume stream. Used for `tool_call`, `tool_call_update`, `agent_message_chunk`, `agent_thought_chunk`, `user_message_chunk`, `plan`, `usage_update`, `available_commands_update`. Pushed from two sources: (a) real-time events from OpenCode's internal Bus (`message.part.updated`, `message.part.delta`) in `handleEvent()`; (b) replay in `processMessage()` during `session/load` / `session/fork`. | `agent.ts:117-129` (usage), `agent.ts:273-530` (live events), `agent.ts:830-1106` (replay), `agent.ts:1119-1134` (`tool_call` pending), `agent.ts:1256-1264` (commands update) |
+| `session/request_permission` | When OpenCode's internal `Permission.ask()` is triggered by a tool (see §6) the bus fires `permission.asked`; the ACP handler forwards it. | `agent.ts:192-270` (especially `agent.ts:202-213`) |
+| `fs/write_text_file` | **Only one call site.** After the user approves an `edit` permission, OpenCode applies the diff itself and pushes the resulting content to the client (so the editor can refresh open buffers). This is a cosmetic re-sync, **not the actual file write** — the file is already written via Node `fs` by the time this fires. | `agent.ts:239-253` |
+| `fs/read_text_file` | **Not called anywhere.** `ReadTool` reads through `AppFileSystem.Service` → Node streams (`createReadStream`). Confirmed by reading `packages/opencode/src/tool/read.ts`. | — (absent) |
+| `terminal/create`, `terminal/output`, `terminal/wait_for_exit`, `terminal/kill`, `terminal/release` | **Not called anywhere.** `BashTool` spawns a local child process via Effect's `ChildProcess.make` (shell, stdin ignored, stdout/stderr captured as streams). No PTY, no ACP terminal capability consumed. | — (absent; `packages/opencode/src/tool/bash.ts`) |
+
+> **Key implication for integrators**: If your goal is to let the ACP client enforce filesystem boundaries (the stated motivation for ACP's `fs/*` and `terminal/*` methods — "Client runs tools, agent only decides"), **OpenCode does not do that**. A sandbox around OpenCode must be imposed externally (container, worktree confinement at the filesystem layer, `--cwd`).
+
+Grep confirmation (from a local clone of the file):
+
+```
+$ grep -nE "connection\.(readTextFile|writeTextFile|createTerminal|terminal|requestPermission)" agent.ts
+247:                void this.connection.writeTextFile({
+```
+
+(No hits for terminal or readTextFile.)
+
+---
+
+## 5. 工具执行路径（内置工具 → ACP 回调 真实映射）⭐
+
+### 5.1 How a tool call flows in ACP mode
+
+```
+ACP client ──(session/prompt)──► Agent.prompt()
+                                        │
+                                        ▼
+                         sdk.session.prompt(...)  [HTTP → loopback]
+                                        │
+                                        ▼
+                        OpenCode server → internal session loop
+                                        │
+                                        ▼
+                    Tool executed via ToolRegistry (read / write / bash / …)
+                                        │  (uses Node fs, child_process, ripgrep, …)
+                                        ▼
+                    Bus events: message.part.updated / delta / permission.asked
+                                        │
+                                        ▼
+                Agent.handleEvent() subscribes via sdk.global.event (SSE stream)
+                                        │
+                                        ▼
+                connection.sessionUpdate(...) / connection.requestPermission(...)
+                                        │
+                                        ▼
+                                   ACP client
+```
+
+Key source references:
+- Event pump: `packages/opencode/src/acp/agent.ts:164-188` (`runEventSubscription()` calling `sdk.global.event({ signal })`).
+- Session.prompt: `packages/opencode/src/acp/agent.ts:1471-1482`.
+- Tool registry wiring: `packages/opencode/src/tool/registry.ts:98-200` (all builtins are instantiated and executed in-process).
+- `ReadTool` uses `AppFileSystem.Service` + `createReadStream` locally — `packages/opencode/src/tool/read.ts` (confirmed: *no* ACP callback).
+- `WriteTool` uses `fs.writeWithDirs` locally — `packages/opencode/src/tool/write.ts` (confirmed).
+- `BashTool` uses `effect/unstable/process/ChildProcess.make` — `packages/opencode/src/tool/bash.ts` (confirmed: local `ChildProcess`, no PTY, no ACP terminal).
+
+### 5.2 Tool registry details
+
+All built-in tools are always enabled (modulo agent-mode filtering) — `packages/opencode/src/tool/registry.ts:184-200`:
+
+```
+invalid, bash, read, glob, grep, edit, write, task, fetch (webfetch),
+todo, search (websearch), skill, patch (apply_patch), question, lsp, plan
+```
+
+**QuestionTool opt-in for ACP**: gated by
+```ts
+const questionEnabled = ["app","cli","desktop"].includes(Flag.OPENCODE_CLIENT) || Flag.OPENCODE_ENABLE_QUESTION_TOOL
+```
+Source: `packages/opencode/src/tool/registry.ts:181-182`. Because `acp.ts` sets `OPENCODE_CLIENT=acp`, the tool is **disabled by default**. Set `OPENCODE_ENABLE_QUESTION_TOOL=1` to enable (confirmed by `packages/opencode/src/acp/README.md`).
+
+### 5.3 ACP-facing tool representation
+
+Tool calls are **reported** to the client via `session/update` events with `sessionUpdate: "tool_call" | "tool_call_update"`. Tool output → `ToolCallContent` blocks (`type: "content"` with text, `type: "diff"` for edits). Mapping from internal tool name → ACP `ToolKind`:
+
+| OpenCode tool | ACP kind | Location hint (`locations[]`) |
+| --- | --- | --- |
+| `bash` | `execute` | `[]` |
+| `webfetch` | `fetch` | n/a |
+| `edit`, `patch`, `write` | `edit` | `filePath` |
+| `grep`, `glob`, `context7_*` | `search` | `path` |
+| `read` | `read` | `filePath` |
+| default | `other` | `[]` |
+
+Source: `packages/opencode/src/acp/agent.ts:1550-1592`.
+
+Special: `todowrite` tool output is additionally decoded and pushed as an ACP `plan` update — `packages/opencode/src/acp/agent.ts:375-400, 904-929`.
+
+---
+
+## 6. 权限模型
+
+### Event plumbing
+
+OpenCode has an internal `Permission` service (`packages/opencode/src/permission/index.ts`) that publishes two events on the in-process `Bus`:
+- `permission.asked` — sent when a tool's `ctx.ask(...)` call cannot be resolved by the ruleset (no `allow` rule, no prior `always` approval).
+- `permission.replied` — sent when `reply()` is called (including cascading `reject`/`always` replies within the same session).
+
+The ACP event subscription handles `permission.asked` at `agent.ts:190-270`:
+1. Serialises per-session via `this.permissionQueues` (a `Map<sessionID, Promise>`) so users aren't prompted for two things at once.
+2. Calls `this.connection.requestPermission({ sessionId, toolCall: { toolCallId, title: permission.permission, rawInput: permission.metadata, kind, locations }, options: this.permissionOptions })`.
+3. Translates the outcome back to OpenCode's `sdk.permission.reply` (`"once" | "always" | "reject"`).
+
+### Which tools request permission
+
+Inside tool implementations, each call site calls `ctx.ask(...)` with a permission name. From reading tool files and `permission/index.ts`:
+
+- `edit`, `write`, `apply_patch` → permission name **`edit`** (grouped by `EDIT_TOOLS = ["edit","write","apply_patch"]` in permission/index).
+- `bash` → permission name **`bash`** (request triggered from `tool/bash.ts`).
+- `webfetch` → permission name **`webfetch`**.
+- Other tools (`read`, `grep`, `glob`, `lsp`, `todo`, `task`, `plan`, `skill`, `question`, `websearch`) do **not** request permission in current code.
+- MCP tools: permission name equals the tool id (generic fallback in `Permission.disabled()`).
+
+### Permission options advertised
+
+```ts
+[
+  { optionId: "once",   kind: "allow_once",   name: "Allow once" },
+  { optionId: "always", kind: "allow_always", name: "Always allow" },
+  { optionId: "reject", kind: "reject_once",  name: "Reject" },
+]
+```
+Source: `packages/opencode/src/acp/agent.ts:150-154`.
+
+### Configurable?
+
+Yes — OpenCode's own `opencode.json` / config supports a `permission` ruleset (`Schema.Array(Rule)` in `permission/index.ts`) that evaluates `{ permission, pattern, action: "allow"|"deny"|"ask" }` against the tool call, **before** the ACP round-trip. If a pattern `allow`s, the client is never asked. If it `deny`s, the tool fails with `DeniedError`. See `permission/evaluate.ts` and `permission/arity.ts` (not read in full, but referenced from `index.ts`).
+
+### Post-approval side effect (important)
+
+After the user approves an `edit`, the agent re-reads the original file, applies the stored unified diff via `diff.applyPatch`, and pushes the result to the client via `connection.writeTextFile`. Source: `packages/opencode/src/acp/agent.ts:239-253`. **If the client supports `fs/write_text_file` this shows up as a duplicate write**; the real write will also happen inside `WriteTool`/`EditTool` through `AppFileSystem.Service`.
+
+---
+
+## 7. Session 管理
+
+| Topic | Answer |
+| --- | --- |
+| ACP session registry | In-memory `Map<sessionId, ACPSessionState>` in `ACPSessionManager` (`packages/opencode/src/acp/session.ts:8-14`). One instance per `Agent`. |
+| Backing store | `sdk.session.create` / `sdk.session.get` over the internal HTTP server (`packages/opencode/src/acp/session.ts:20-75`). The *actual* session persistence is OpenCode's own DB (SQLite / JSONL depending on build) — ACP just keeps a shallow in-mem map for CWD / MCP / model / variant / mode. |
+| Multi-session per process | Yes — no `1:1` constraint. The ACP `Agent` instance holds all sessions. Event pump is a single loop shared by all sessions; events are dispatched by `part.sessionID`. |
+| `session/load` | **Implemented** (`agent.ts:619-687`) — re-creates ACP state, replays the full message history as `session/update` notifications. README claims this is "basic support" / "doesn't restore actual conversation history", but the code does replay. |
+| `session/list` | Implemented with cursor (`agent.ts:689-732`). |
+| `session/fork` | Implemented as `unstable_forkSession` (`agent.ts:734-797`). Creates a divergent copy and replays history. |
+| `session/resume` | Implemented as `unstable_resumeSession` (`agent.ts:799-828`). No replay. |
+| `session/cancel` | Implemented (`agent.ts:1538-1547`) → `sdk.session.abort`. |
+| Concurrent prompts in one session | `cancel` + permission queueing are the only concurrency controls; there's nothing preventing overlapping `prompt()` calls hitting `sdk.session.prompt` — OpenCode's server presumably serialises internally (not verified here). |
+
+---
+
+## 8. 配置 / 认证
+
+### Config resolution
+
+ACP mode **does** read OpenCode's configuration. `bootstrap(process.cwd(), ...)` in `acp.ts` initialises the full app runtime, which loads `opencode.json` / `.opencode/` config via `Config.Service`. Then `sdk.config.get({ directory })` is used at the per-request level so `--cwd` (or per-session `cwd`) picks up project-local config (`agent.ts:1601-1611`).
+
+### Default model selection
+
+`defaultModel()` at `packages/opencode/src/acp/agent.ts:1594-1654`:
+1. If `ACPConfig.defaultModel` is set, use it. (It's never set — `ACP.init({ sdk })` at `acp.ts:56` passes no default.)
+2. Read `config.model` from the resolved config.
+3. Else enumerate `providers`, prefer `opencode` provider's `big-pickle`, else sort all models via `Provider.sort` and pick the first.
+4. Fallback: `{ providerID: "opencode", modelID: "big-pickle" }`.
+
+### Dynamic model / variant / mode switching
+
+- Models: `session/set_model` (`setSessionModel`) — `agent.ts:1286-1306`. Accepts `"provider/model"` or `"provider/model/variant"`.
+- Modes (OpenCode "agents"): `session/set_mode` — `agent.ts:1308-1315`. Validates against `AgentModule`'s list of non-hidden, non-subagent agents.
+- `session/set_config_option` accepts `{ configId: "model" | "mode", value }` — `agent.ts:1317-1353`.
+- Per-prompt `model` is **not** accepted as an ACP parameter; callers must call `session/set_model` before `session/prompt`. But `prompt()` does fall back to the session's current model (`agent.ts:1360-1364`).
+
+### Authentication
+
+- `initialize()` advertises one auth method `{ id: "opencode-login", ... }`, optionally with a `terminal-auth` `_meta` so clients can offer a CLI-launch button (`agent.ts:537-552`).
+- `authenticate()` **throws `"Authentication not implemented"`** (`agent.ts:580-582`). This means ACP clients must either:
+  - Rely on pre-existing OpenCode auth (user already ran `opencode auth login` locally so credentials exist under `~/.config/opencode`), OR
+  - Ship API keys via env (`ANTHROPIC_API_KEY` etc.) at spawn time.
+- Per-session `LoadAPIKeyError` is caught and converted to `RequestError.authRequired()` in `newSession`/`loadSession`/`forkSession`/`resumeSession` (`agent.ts:608-616`, `:678-686`, `:788-796`, `:819-827`).
+- `OPENCODE_API_KEY` is **not referenced in the ACP code path** — it's an OpenCode Zen / "opencode" provider key, consumed by `Provider` modules. Standard AI-SDK env vars (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, …) work as usual because tools instantiate the AI SDK providers in-process.
+
+### HTTP server auth (for the sidecar)
+
+`OPENCODE_SERVER_PASSWORD` / `OPENCODE_SERVER_USERNAME` via Basic Auth. Unset by default → loopback only. See `packages/opencode/src/server/middleware.ts`.
+
+---
+
+## 9. 限制与已知问题
+
+### From the in-repo README (`packages/opencode/src/acp/README.md`)
+
+> The README is **stale**. It references `client.ts` and `server.ts`, which don't exist in the current `src/acp/` directory (only `agent.ts`, `session.ts`, `types.ts`, `README.md`). Treat the README as aspirational; trust `agent.ts` as ground truth.
+
+Items the README lists as "Not Yet Implemented":
+- Streaming responses → **Now implemented** (`message.part.delta` → `agent_message_chunk` / `agent_thought_chunk`).
+- Tool call reporting → **Now implemented** (see §5.3).
+- Session modes → **Now implemented** (`setSessionMode`).
+- Terminal support → **Still not plumbed to ACP**; bash runs locally.
+- Session persistence via `session/load` → **Implemented**, but tied to OpenCode's own storage.
+
+### From GitHub issues / PRs (as of 2026-05-01, ranked by recency)
+
+| # | Type | State | Summary |
+| --- | --- | --- | --- |
+| #24846 | Issue | open | `session/new` reported as "Method not found", `authenticate` returns "not implemented". Breaks Claudian (Obsidian) integration. The "not found" claim doesn't match current `dev` code — could be a release-lag issue. |
+| #24815 / #24816 | Issue+PR | open | ACP `image` content with `https://` URIs silently dropped in `prompt()` around `agent.ts:1394` (only `http:` / `data:` handled). |
+| #25127 / #25128 | Issue+PR | open | `tool_call_update` doesn't include image attachments. |
+| #22674 | PR | open (older: #22606/#22609/#22290 closed) | Feature: **store `clientCapabilities` on initialize** and emit `fs/write_text_file` when a file is edited. Mostly what the current code already does for the edit-permission flow, but generalised. Indicates current code does *not* check `clientCapabilities.fs?.writeTextFile` before calling `connection.writeTextFile`. |
+| #24008 | PR | open | ACP command argument parsing loses newlines. |
+| #24340 | PR | closed | Variant config option exposure. |
+| #23138 | PR | closed | Usage aggregation via SQL instead of message-list walk. Relevant if you expect `usage_update` events to be cheap. |
+| #22192 / #22468 | PR | closed/merged | Duplicate user messages during ACP prompts — fixed. |
+| #23948 | PR | open | Prefer semantic ACP tool title/input before completion. |
+| #23294 | PR | closed | Structured output format via `_meta`. |
+
+Other observations:
+- **No heartbeat / keepalive** — the ACP connection lives as long as stdin does.
+- **Event subscription is per-Agent, not per-session**. If it crashes, all sessions lose updates; the while-loop auto-reconnects (`agent.ts:173-188`) unless aborted.
+- **`_meta` protocol extension**: OpenCode embeds a namespace `_meta: { opencode: { modelId, variant, availableVariants } }` in responses — clients not understanding the namespace can ignore it (`agent.ts:1760-1772`).
+- **Slash commands intercepted in `prompt()`**: any user message starting with `/` is parsed and routed either to `sdk.session.command` or (for `compact`) `sdk.session.summarize`. Be aware this subverts normal prompting (`agent.ts:1443-1528`).
+
+### Things I couldn't verify from source alone
+
+- Whether the `@agentclientprotocol/sdk@0.16.1` SDK implements any client→agent streaming backpressure. Not relevant for implementing a client, but matters for throughput tuning.
+- Exact behaviour when multiple parallel `session/prompt` calls target the same `sessionId`. No explicit guard in ACP code; would have to read `packages/opencode/src/session/session.ts`.
+- Whether `session/cancel` is idempotent across repeated calls (not verified).
+
+---
+
+## 10. 集成建议（给想写 ACP client 的人）
+
+1. **Transport**: Speak NDJSON, not LSP-style. Line-delimited JSON frames. `stdin` writes → agent, `stdout` reads ← agent. Everything you emit must be `\n`-terminated single-line JSON.
+2. **Capability negotiation**: Advertise `fs.readTextFile: false, fs.writeTextFile: true` (OpenCode only ever *writes* to you, for the post-approval edit refresh). You do **not** need terminal capabilities — OpenCode will never call them. Advertising them is harmless.
+3. **Do not assume the client owns the filesystem**. OpenCode will mutate files under `--cwd` on its own. If you need sandboxing, do it at spawn time (container, chroot, dedicated worktree). `--cwd` is the only knob you control.
+4. **Auth**: Don't rely on `authenticate`. Two workable paths:
+   - Spawn `opencode auth login` yourself (the `terminal-auth` `_meta` capability on `authMethods` is designed for this).
+   - Provide provider API keys via env (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, …) or via a pre-populated config file.
+5. **Model selection**: Call `session/set_model` after `session/new` if you want a specific model; don't put it in `session/prompt` (not a protocol field, and ignored by OpenCode). `variant` rides on the `modelId` as a third path segment (`provider/model/variant`).
+6. **Session routing**: Single `opencode acp` process handles multiple sessions concurrently. Reuse the process; spin a new one only if you need a different auth/env surface.
+7. **Streaming**: Subscribe to `session/update` for:
+   - `agent_message_chunk`, `agent_thought_chunk` — text stream
+   - `tool_call` + `tool_call_update` — tool timeline (rich enough to render: inputs, outputs, `content`/`diff` blocks, `rawInput`/`rawOutput`)
+   - `plan` — todowrite plans
+   - `usage_update` — token/cost meter
+   - `available_commands_update` — slash command palette (arrives shortly after `session/new`, via `setTimeout(0)` at `agent.ts:1256-1264`)
+   - `user_message_chunk` (replay only — live user parts are skipped at `agent.ts:459-464`)
+8. **Permission UX**: Treat `session/request_permission` as user-facing and blocking. OpenCode serialises per-session, so one prompt at a time, but per-process you can get concurrent prompts across sessions.
+9. **Image support**: Base64 data URLs and `http://` URIs work today; `https://` does **not** (issue #24815 open). Safest: pre-fetch and embed as `data:`.
+10. **Slash commands**: If you implement your own `/foo` UI, remember OpenCode also interprets leading `/` in the text. Either strip the `/` before sending, or lean on OpenCode's command registry (`sdk.command.list` via `available_commands_update`).
+11. **Error semantics**: Model/auth failures surface as JSON-RPC `RequestError.authRequired()`. Fatal tool errors arrive as `tool_call_update` with `status: "failed"` — they are *not* JSON-RPC errors and the `prompt()` call will still resolve with `stopReason: "end_turn"`.
+12. **`OPENCODE_ENABLE_QUESTION_TOOL=1`**: Set this *only* if your client can respond to `QuestionTool` prompts (which currently also route through `permission.asked` / `session/request_permission` — verify in `packages/opencode/src/tool/question.ts` before shipping).
+
+---
+
+## 11. 源码文件引用（汇总）
+
+- CLI entry: `packages/opencode/src/cli/cmd/acp.ts:12-70`
+- Network defaults (sidecar HTTP): `packages/opencode/src/cli/network.ts:6-15, 44-62`
+- Main ACP agent: `packages/opencode/src/acp/agent.ts:132-1548`
+- Agent `initialize`: `packages/opencode/src/acp/agent.ts:534-578`
+- Agent capabilities advertised: `packages/opencode/src/acp/agent.ts:556-571`
+- Agent `authenticate` (not implemented): `packages/opencode/src/acp/agent.ts:580-582`
+- Agent `newSession`: `packages/opencode/src/acp/agent.ts:584-617`
+- Agent `loadSession` (with replay): `packages/opencode/src/acp/agent.ts:619-687`
+- Agent `prompt` (command intercept + sdk.session.prompt): `packages/opencode/src/acp/agent.ts:1355-1536`
+- Agent `cancel`: `packages/opencode/src/acp/agent.ts:1538-1547`
+- Event subscription (bus → session/update): `packages/opencode/src/acp/agent.ts:164-188, 190-532`
+- Permission handling (bus → request_permission → reply): `packages/opencode/src/acp/agent.ts:192-270`
+- Post-approval `connection.writeTextFile` call (the ONLY fs callback): `packages/opencode/src/acp/agent.ts:239-253`
+- Tool→ACP kind mapping: `packages/opencode/src/acp/agent.ts:1550-1592`
+- Default model selection: `packages/opencode/src/acp/agent.ts:1594-1654`
+- Session manager: `packages/opencode/src/acp/session.ts:1-115`
+- ACP types: `packages/opencode/src/acp/types.ts:1-24`
+- Stale internal README: `packages/opencode/src/acp/README.md`
+- Tool registry (proves tools are local): `packages/opencode/src/tool/registry.ts:1-200`
+- Local-fs read path: `packages/opencode/src/tool/read.ts`
+- Local-fs write path: `packages/opencode/src/tool/write.ts`
+- Local-process shell path: `packages/opencode/src/tool/bash.ts`
+- Permission service (bus, rules, reply): `packages/opencode/src/permission/index.ts`
+- HTTP auth middleware (Basic): `packages/opencode/src/server/middleware.ts`
+- SDK version & deps: `packages/opencode/package.json`
+
+---
+
+## Bottom-line recommendation
+
+If the value proposition you need is **"the client owns the filesystem and terminal; OpenCode only decides what to do"**, OpenCode ACP is **not** a good fit today. It is an ACP *presentation* layer — streaming, permission UX, and session metadata are protocol-grade, but the actual I/O happens inside the OpenCode process against the host it's running on.
+
+If instead your multi-agent backend can give OpenCode a pre-prepared worktree (container, chroot, or just an isolated directory) and you only need ACP for UX/streaming/permissioning, the integration is straightforward: one long-lived `opencode acp` child per workspace (or per user), pre-seeded auth, and wire `session/update` into your existing UI. Expect to carry workarounds for #24815 (https images), #25127 (tool image attachments), and possibly #24008 (newline parsing) until those PRs land.
diff --git a/packages/server/package.json b/packages/server/package.json
index 2ae4d77..dd305ed 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -13,7 +13,8 @@
     "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/index.ts --format esm --target node22 && mkdir -p dist/agent/runtime/opencode-tool-templates && cp src/agent/runtime/opencode-tool-templates/*.ts dist/agent/runtime/opencode-tool-templates/",
     "start": "node dist/index.js",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "check:tool-schemas": "tsx scripts/check-tool-schemas.mts"
   },
   "dependencies": {
     "@agentclientprotocol/sdk": "^0.21.0",
diff --git a/packages/server/scripts/check-tool-schemas.mts b/packages/server/scripts/check-tool-schemas.mts
new file mode 100644
index 0000000..471e1f2
--- /dev/null
+++ b/packages/server/scripts/check-tool-schemas.mts
@@ -0,0 +1,79 @@
+#!/usr/bin/env tsx
+/**
+ * 检查 opencode CLI 版本是否与 tool override 模板的同步版本一致。
+ *
+ * tool override 模板（opencode-tool-templates/*.ts）是从 opencode 源码
+ * 手动同步过来的。如果 opencode CLI 升级了，需要重新对比 builtin tool
+ * 的 schema / description 并更新模板。
+ *
+ * 用法：
+ *   npx tsx scripts/check-tool-schemas.mts
+ * 或在 CI 里定期跑，确保模板不过期。
+ */
+
+import { execSync } from 'node:child_process'
+import path from 'node:path'
+import fs from 'node:fs'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+const TEMPLATE_DIR = path.resolve(__dirname, '../src/agent/runtime/opencode-tool-templates')
+const SYNCED_VERSION = '1.14.31'
+
+// 从模板文件顶部注释提取已声明的同步版本
+function extractSyncedVersion(file: string): string | null {
+  const content = fs.readFileSync(file, 'utf8')
+  const m = content.match(/v([\d.]+)\s+src\/tool\//)
+  return m ? m[1] : null
+}
+
+// 获取本地安装的 opencode 版本
+function getInstalledVersion(): string | null {
+  try {
+    const out = execSync('opencode --version', { encoding: 'utf8', timeout: 5000 })
+    const m = out.trim().match(/([\d]+\.[\d]+\.[\d]+)/)
+    return m ? m[1] : out.trim().split('\n')[0]
+  } catch {
+    return null
+  }
+}
+
+const installedVersion = getInstalledVersion()
+
+if (!installedVersion) {
+  console.log('[check-tool-schemas] opencode not installed, skipping version check.')
+  process.exit(0)
+}
+
+console.log(`[check-tool-schemas] opencode installed: v${installedVersion}`)
+console.log(`[check-tool-schemas] templates synced from: v${SYNCED_VERSION}`)
+
+const templates = fs.readdirSync(TEMPLATE_DIR).filter((f) => f.endsWith('.ts'))
+let allMatch = true
+
+for (const f of templates) {
+  const filePath = path.join(TEMPLATE_DIR, f)
+  const ver = extractSyncedVersion(filePath)
+  if (!ver) {
+    console.warn(`  ⚠  ${f}: no synced version comment found`)
+    allMatch = false
+  } else if (ver !== installedVersion) {
+    console.warn(`  ⚠  ${f}: synced from v${ver}, installed v${installedVersion} — may need update`)
+    allMatch = false
+  } else {
+    console.log(`  ✓  ${f}: v${ver}`)
+  }
+}
+
+if (!allMatch) {
+  console.warn(
+    '\n[check-tool-schemas] Some templates may be out of sync with the installed opencode version.\n' +
+      'Please compare the schemas in:\n' +
+      '  https://github.com/sst/opencode/tree/dev/packages/opencode/src/tool/\n' +
+      'and update packages/server/src/agent/runtime/opencode-tool-templates/ if needed.\n',
+  )
+  process.exit(1)
+}
+
+console.log('\n[check-tool-schemas] All templates in sync with installed opencode version.')
+process.exit(0)
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts b/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
index 361e3b5..5aab24d 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
@@ -1,7 +1,14 @@
 /**
  * AskUserQuestion custom tool — 对齐 Tencent AskUserQuestion 契约
  *
- * 为什么名字/schema 要严格对齐 Tencent：
+ * 这不是 opencode builtin tool 的 override，而是我们新增的 custom tool。
+ * opencode 原生的 question tool 在 ACP 模式默认禁用且无 ACP 路由，
+ * 因此我们自行实现。工具名和 schema 对齐 Tencent SDK 的 AskUserQuestion。
+ *
+ * 版本声明（用于 check:tool-schemas 脚本识别）：
+ *   custom tool, not synced from opencode v1.14.33 src/tool/
+ *
+ * Schema 来源：packages/web/src/types/task-chat.ts:AskUserQuestionData
  *   - 前端 `task-chat.tsx` 按 `part.toolName === 'AskUserQuestion'` 匹配渲染
  *     AskUserForm；用其他名字前端识别不到
  *   - 前端从 `part.input.questions` 取字段，结构必须是
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts b/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
index 29b145c..67a91f5 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
@@ -1,29 +1,61 @@
 /**
- * 全局 opencode tool override：bash
- * 重要：沙箱模式下所有 shell 命令在 SCF 容器内执行，与宿主机隔离。
+ * Global opencode tool override: bash
+ * 覆盖 opencode builtin bash tool，沙箱模式下通过 HTTP 路由到 SCF 沙箱。
+ *
+ * Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/bash.ts）。
+ * 如果 opencode 版本升级导致 builtin schema 变更，需同步更新本文件。
+ *
+ * 运行时行为：
+ *   SANDBOX_MODE=1 → fetch SANDBOX_BASE_URL/api/tools/bash（沙箱内执行，与宿主机完全隔离）
+ *   否则          → 本地 execSync
+ *
+ * 注意：sandbox 模式下 workdir 参数会被忽略（沙箱有自己的 cwd，
+ * 沙箱 API 暂不支持覆盖 cwd）。
  */
 import { z } from 'zod'
 import { execSync } from 'node:child_process'
 
 export default {
   description:
-    'Run a shell command. In sandbox mode, the command runs inside the SCF container (isolated from host). In local mode, runs on the host.',
+    'Executes a bash command. In sandbox mode, the command runs inside the SCF container (isolated from host).\n\n' +
+    'Usage:\n' +
+    '- The command argument is required.\n' +
+    '- You can specify an optional timeout in milliseconds (default 120000ms).\n' +
+    '- It is very helpful to write a clear, concise description of what this command does in 5-10 words.\n' +
+    '- Use the workdir parameter to change the working directory instead of "cd ... && command".\n' +
+    '- AVOID using this tool for file operations (reading/writing/editing/searching); use the specialized tools instead.',
   args: {
-    command: z.string().describe('Shell command to execute. Prefer simple commands; use heredocs for multi-line.'),
-    timeout: z.number().optional().describe('Timeout in milliseconds (default 60000).'),
+    command: z.string().describe('The command to execute'),
+    timeout: z
+      .number()
+      .int()
+      .positive()
+      .optional()
+      .describe('Optional timeout in milliseconds'),
+    description: z
+      .string()
+      .optional()
+      .describe('A clear, concise description of what this command does in 5-10 words'),
+    workdir: z
+      .string()
+      .optional()
+      .describe(
+        'The working directory to run the command in. Defaults to the current directory. Use this instead of "cd" commands.',
+      ),
   },
-  async execute(args: { command: string; timeout?: number }, context: { directory?: string }) {
+  async execute(
+    args: { command: string; timeout?: number; description?: string; workdir?: string },
+    context: { directory?: string },
+  ) {
+    const timeoutMs = args.timeout ?? 120_000
     if (process.env.SANDBOX_MODE === '1') {
-      return await sandboxCall(
-        'bash',
-        { command: args.command, timeout: args.timeout ?? 60_000 },
-        args.timeout ?? 60_000,
-      )
+      // workdir not forwarded to sandbox (sandbox manages its own cwd)
+      return await sandboxCall('bash', { command: args.command, timeout: timeoutMs }, timeoutMs)
     }
     try {
       const out = execSync(args.command, {
-        timeout: args.timeout ?? 60_000,
-        cwd: context?.directory,
+        timeout: timeoutMs,
+        cwd: args.workdir ?? context?.directory ?? undefined,
         encoding: 'utf8',
         maxBuffer: 1024 * 1024 * 4,
       })
@@ -37,7 +69,11 @@ export default {
   },
 }
 
-async function sandboxCall(tool: string, body: unknown, timeoutMs: number): Promise<string | { output: string }> {
+async function sandboxCall(
+  tool: string,
+  body: unknown,
+  timeoutMs: number,
+): Promise<string | { output: string }> {
   const baseUrl = process.env.SANDBOX_BASE_URL
   if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
   const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
@@ -45,7 +81,7 @@ async function sandboxCall(tool: string, body: unknown, timeoutMs: number): Prom
     method: 'POST',
     headers: { 'Content-Type': 'application/json', ...headers },
     body: JSON.stringify(body),
-    signal: AbortSignal.timeout(timeoutMs + 5000),
+    signal: AbortSignal.timeout(timeoutMs + 5_000),
   })
   const data = (await res.json().catch(() => ({}))) as { success?: boolean; result?: unknown; error?: string }
   if (!data.success) throw new Error(data.error ?? `sandbox ${tool} failed (${res.status})`)
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts b/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
index 90cbe43..1e24ec5 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
@@ -1,5 +1,13 @@
 /**
- * 全局 opencode tool override：edit
+ * Global opencode tool override: edit
+ * 覆盖 opencode builtin edit tool，沙箱模式下通过 HTTP 路由到 SCF 沙箱。
+ *
+ * Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/edit.ts）。
+ * 如果 opencode 版本升级导致 builtin schema 变更，需同步更新本文件。
+ *
+ * 运行时行为：
+ *   SANDBOX_MODE=1 → fetch SANDBOX_BASE_URL/api/tools/edit
+ *   否则          → 本地字符串替换
  */
 import { z } from 'zod'
 import fs from 'node:fs'
@@ -7,31 +15,42 @@ import path from 'node:path'
 
 export default {
   description:
-    'Edit a file by string replacement. Fails if oldString is not found or appears multiple times (unless replaceAll). In sandbox mode, delegates to the sandbox edit endpoint.',
+    'Performs exact string replacements in files.\n\n' +
+    'Usage:\n' +
+    '- You must use your Read tool at least once before editing. This tool will error if you attempt an edit without reading the file.\n' +
+    '- The edit will FAIL if oldString is not found in the file.\n' +
+    '- The edit will FAIL if oldString is found multiple times; use replaceAll or provide more context.\n' +
+    '- Use replaceAll for replacing and renaming strings across the file.\n' +
+    '- In sandbox mode, use relative paths (no leading /); they resolve against the session working directory.',
   args: {
-    path: z.string(),
-    oldString: z.string(),
-    newString: z.string(),
-    replaceAll: z.boolean().optional(),
+    filePath: z.string().describe('The absolute path to the file to modify'),
+    oldString: z.string().describe('The text to replace'),
+    newString: z
+      .string()
+      .describe('The text to replace it with (must be different from oldString)'),
+    replaceAll: z
+      .boolean()
+      .optional()
+      .describe('Replace all occurrences of oldString (default false)'),
   },
   async execute(
-    args: { path: string; oldString: string; newString: string; replaceAll?: boolean },
+    args: { filePath: string; oldString: string; newString: string; replaceAll?: boolean },
     context: { directory?: string },
   ) {
     if (process.env.SANDBOX_MODE === '1') {
       return await sandboxCall('edit', {
-        path: args.path,
+        path: args.filePath,
         oldString: args.oldString,
         newString: args.newString,
         replaceAll: args.replaceAll ?? false,
       })
     }
-    const resolved = path.isAbsolute(args.path)
-      ? args.path
-      : path.resolve(context?.directory ?? process.cwd(), args.path)
+    const resolved = path.isAbsolute(args.filePath)
+      ? args.filePath
+      : path.resolve(context?.directory ?? process.cwd(), args.filePath)
     const content = fs.readFileSync(resolved, 'utf8')
     if (!content.includes(args.oldString)) {
-      throw new Error(`String not found in ${resolved}`)
+      throw new Error(`oldString not found in content of ${resolved}`)
     }
     const out = args.replaceAll
       ? content.split(args.oldString).join(args.newString)
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts b/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
index ba72f05..61dc615 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
@@ -1,20 +1,39 @@
 /**
- * 全局 opencode tool override：glob
+ * Global opencode tool override: glob
+ * 覆盖 opencode builtin glob tool，沙箱模式下通过 HTTP 路由到 SCF 沙箱。
+ *
+ * Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/glob.ts）。
+ * 如果 opencode 版本升级导致 builtin schema 变更，需同步更新本文件。
+ *
+ * 运行时行为：
+ *   SANDBOX_MODE=1 → fetch SANDBOX_BASE_URL/api/tools/glob
+ *   否则          → find（本地文件系统）
  */
 import { z } from 'zod'
 import { execSync } from 'node:child_process'
 
 export default {
-  description: 'Find files by glob pattern. Local mode uses find; sandbox mode delegates to sandbox.',
+  description:
+    'Fast file pattern matching tool that works with any codebase size.\n' +
+    '- Supports glob patterns like "**/*.js" or "src/**/*.ts".\n' +
+    '- Returns matching file paths sorted by modification time.\n' +
+    '- Use this tool when you need to find files by name patterns.',
   args: {
-    pattern: z.string(),
-    path: z.string().optional(),
+    pattern: z.string().describe('The glob pattern to match files against'),
+    path: z
+      .string()
+      .optional()
+      .describe(
+        'The directory to search in. If not specified, the current working directory will be used. ' +
+          'IMPORTANT: Omit this field to use the default directory. DO NOT enter "undefined" or "null". ' +
+          'Must be a valid directory path if provided.',
+      ),
   },
   async execute(args: { pattern: string; path?: string }, context: { directory?: string }) {
     if (process.env.SANDBOX_MODE === '1') {
-      return await sandboxCall('glob', args)
+      return await sandboxCall('glob', { pattern: args.pattern, path: args.path })
     }
-    const base = args.path || context?.directory || '.'
+    const base = args.path ?? context?.directory ?? '.'
     try {
       const out = execSync(`find ${JSON.stringify(base)} -name ${JSON.stringify(args.pattern)} -type f`, {
         encoding: 'utf8',
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts b/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
index 791a8a6..4b1d807 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
@@ -1,34 +1,57 @@
 /**
- * 全局 opencode tool override：grep
+ * Global opencode tool override: grep
+ * 覆盖 opencode builtin grep tool，沙箱模式下通过 HTTP 路由到 SCF 沙箱。
+ *
+ * Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/grep.ts）。
+ * 注意：builtin 参数名是 `include`（文件通配），不是 `glob`。
+ * 如果 opencode 版本升级导致 builtin schema 变更，需同步更新本文件。
+ *
+ * 运行时行为：
+ *   SANDBOX_MODE=1 → fetch SANDBOX_BASE_URL/api/tools/grep
+ *   否则          → ripgrep（rg）
  */
 import { z } from 'zod'
 import { execSync } from 'node:child_process'
 
 export default {
   description:
-    'Search file contents with a regex pattern. Uses ripgrep in local mode, delegates to sandbox in sandbox mode.',
+    'Fast content search tool that works with any codebase size.\n' +
+    '- Searches file contents using regular expressions.\n' +
+    '- Supports full regex syntax (e.g. "log.*Error", "function\\s+\\w+").\n' +
+    '- Filter files by pattern with the include parameter (e.g. "*.js", "*.{ts,tsx}").\n' +
+    '- Returns file paths and line numbers with at least one match sorted by modification time.',
   args: {
-    pattern: z.string(),
-    path: z.string().optional(),
-    glob: z.string().optional(),
-    type: z.string().optional(),
+    pattern: z.string().describe('The regex pattern to search for in file contents'),
+    path: z
+      .string()
+      .optional()
+      .describe('The directory to search in. Defaults to the current working directory.'),
+    include: z
+      .string()
+      .optional()
+      .describe('File pattern to include in the search (e.g. "*.js", "*.{ts,tsx}")'),
   },
   async execute(
-    args: { pattern: string; path?: string; glob?: string; type?: string },
+    args: { pattern: string; path?: string; include?: string },
     context: { directory?: string },
   ) {
     if (process.env.SANDBOX_MODE === '1') {
-      return await sandboxCall('grep', args)
+      return await sandboxCall('grep', {
+        pattern: args.pattern,
+        path: args.path,
+        // 沙箱 API 参数名用 glob，与 builtin include 语义相同，做转换
+        glob: args.include,
+      })
     }
     const flags: string[] = ['-n', '--no-heading']
-    if (args.glob) flags.push('-g', args.glob)
-    if (args.type) flags.push('-t', args.type)
-    const cmd = `rg ${flags.map((f) => JSON.stringify(f)).join(' ')} ${JSON.stringify(args.pattern)} ${args.path ? JSON.stringify(args.path) : '.'}`
+    if (args.include) flags.push('-g', args.include)
+    const searchPath = args.path ?? context?.directory ?? '.'
+    const cmd = `rg ${flags.map((f) => JSON.stringify(f)).join(' ')} ${JSON.stringify(args.pattern)} ${JSON.stringify(searchPath)}`
     try {
-      return execSync(cmd, { encoding: 'utf8', cwd: context?.directory, maxBuffer: 1024 * 1024 * 4 })
+      return execSync(cmd, { encoding: 'utf8', maxBuffer: 1024 * 1024 * 4 })
     } catch (e) {
       const err = e as { status?: number; stdout?: string }
-      if (err.status === 1) return '' // rg exit 1 means no matches
+      if (err.status === 1) return '' // rg exit 1 = no matches
       throw e
     }
   },
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/read.ts b/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
index 135d423..76f0873 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
@@ -1,19 +1,14 @@
 /**
- * 全局 opencode tool override：read
+ * Global opencode tool override: read
+ * 覆盖 opencode builtin read tool，沙箱模式下通过 HTTP 路由到 SCF 沙箱。
  *
- * 安装位置：~/.config/opencode/tools/read.ts
- * OpenCode 的 tool 注册规则（实测）：同名 custom tool 覆盖 builtin
+ * Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/read.ts）。
+ * 如果 opencode 版本升级导致 builtin schema 变更，需同步更新本文件。
+ * 检查命令：opencode --version
  *
  * 运行时行为：
- *   - 若 env.SANDBOX_MODE === '1' → 转发到 env.SANDBOX_BASE_URL + /api/tools/read
- *   - 否则                         → 使用本地 fs.readFileSync（本地开发兜底）
- *
- * 沙箱凭证通过 server 进程 spawn opencode 时的 env 传递：
- *   SANDBOX_MODE=1
- *   SANDBOX_BASE_URL=https://xxx.api.tcloudbasegateway.com/v1/functions/sandbox-shared
- *   SANDBOX_AUTH_HEADERS_JSON={"Authorization":"Bearer ...","X-Cloudbase-Session-Id":"...","X-Tcb-Webfn":"true","X-Scope-Id":"..."}
- *
- * 凭证不写入文件，只在进程 env 里，session 结束即清理。
+ *   SANDBOX_MODE=1 → fetch SANDBOX_BASE_URL/api/tools/read
+ *   否则          → 读本地文件系统（使用 context.directory 解析相对路径）
  */
 import { z } from 'zod'
 import fs from 'node:fs'
@@ -21,25 +16,51 @@ import path from 'node:path'
 
 export default {
   description:
-    'Read a text file. When running in a sandboxed session, reads from the sandbox workspace via HTTP. Otherwise reads the local file system.',
+    'Read a file or directory from the filesystem. Returns file contents with line numbers prefixed as `<line>: <content>`.\n\n' +
+    'Usage:\n' +
+    '- The filePath parameter should be an absolute path.\n' +
+    '- By default, returns up to 2000 lines from the start of the file.\n' +
+    '- The offset parameter is the line number to start from (1-indexed).\n' +
+    '- In sandbox mode, use relative paths (no leading /); they resolve against the session working directory.',
   args: {
-    path: z.string().describe('Relative path from session cwd. Use relative paths (no leading /) in sandbox mode.'),
-    offset: z.number().optional().describe('Optional start line offset (0-based).'),
-    limit: z.number().optional().describe('Optional max lines to read.'),
+    filePath: z.string().describe('The absolute path to the file or directory to read'),
+    offset: z
+      .number()
+      .int()
+      .nonnegative()
+      .optional()
+      .describe('The line number to start reading from (1-indexed)'),
+    limit: z
+      .number()
+      .int()
+      .positive()
+      .optional()
+      .describe('The maximum number of lines to read (defaults to 2000)'),
   },
-  async execute(args: { path: string; offset?: number; limit?: number }, context: { directory?: string }) {
+  async execute(
+    args: { filePath: string; offset?: number; limit?: number },
+    context: { directory?: string },
+  ) {
     if (process.env.SANDBOX_MODE === '1') {
-      return await sandboxCall('read', { path: args.path, offset: args.offset, limit: args.limit })
+      return await sandboxCall('read', {
+        path: args.filePath,
+        // builtin offset is 1-indexed; sandbox API expects 0-based offset
+        offset: args.offset !== undefined ? args.offset - 1 : undefined,
+        limit: args.limit,
+      })
     }
-    // Local fallback: resolve relative paths against opencode's session directory
-    const resolvedPath = path.isAbsolute(args.path)
-      ? args.path
-      : path.resolve(context?.directory ?? process.cwd(), args.path)
-    const content = fs.readFileSync(resolvedPath, 'utf8')
-    const lines = content.split('\n')
-    const offset = args.offset ?? 0
-    const limit = args.limit ?? lines.length - offset
-    return lines.slice(offset, offset + limit).join('\n')
+    // Local fallback: resolve relative paths against opencode session directory
+    const resolved = path.isAbsolute(args.filePath)
+      ? args.filePath
+      : path.resolve(context?.directory ?? process.cwd(), args.filePath)
+    const content = fs.readFileSync(resolved, 'utf8')
+    const allLines = content.split('\n')
+    // offset is 1-indexed in the builtin interface
+    const startIdx = args.offset !== undefined ? args.offset - 1 : 0
+    const count = args.limit ?? 2000
+    const slice = allLines.slice(startIdx, startIdx + count)
+    // Prefix each line with its 1-indexed line number, matching builtin output format
+    return slice.map((line, i) => `${startIdx + i + 1}: ${line}`).join('\n')
   },
 }
 
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/write.ts b/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
index 533bdb8..b97cc19 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
@@ -1,7 +1,13 @@
 /**
- * 全局 opencode tool override：write
- * 覆盖 builtin write。沙箱模式下通过 HTTP 转发；本地模式直接写 fs。
- * 运行时配置见 read.ts 同级注释。
+ * Global opencode tool override: write
+ * 覆盖 opencode builtin write tool，沙箱模式下通过 HTTP 路由到 SCF 沙箱。
+ *
+ * Schema 与 opencode builtin 完全对齐（v1.14.33 src/tool/write.ts）。
+ * 如果 opencode 版本升级导致 builtin schema 变更，需同步更新本文件。
+ *
+ * 运行时行为：
+ *   SANDBOX_MODE=1 → fetch SANDBOX_BASE_URL/api/tools/write
+ *   否则          → 写本地文件系统
  */
 import { z } from 'zod'
 import fs from 'node:fs'
@@ -9,18 +15,26 @@ import path from 'node:path'
 
 export default {
   description:
-    'Write a text file, creating parent directories as needed. Overwrites existing files. In sandbox mode, writes happen in the SCF container; in local mode, writes use the host file system.',
+    'Writes a file to the filesystem. Overwrites existing files.\n\n' +
+    'Usage:\n' +
+    '- This tool will overwrite the existing file if there is one at the provided path.\n' +
+    '- If this is an existing file, you MUST use the Read tool first to read the file\'s contents.\n' +
+    '- ALWAYS prefer editing existing files in the codebase. NEVER write new files unless explicitly required.\n' +
+    '- In sandbox mode, use relative paths (no leading /); they resolve against the session working directory.',
   args: {
-    path: z.string().describe('Relative path from session cwd. Use relative paths in sandbox mode.'),
-    content: z.string().describe('File content (as utf-8 text).'),
+    filePath: z.string().describe('The absolute path to the file to write (must be absolute, not relative)'),
+    content: z.string().describe('The content to write to the file'),
   },
-  async execute(args: { path: string; content: string }, context: { directory?: string }) {
+  async execute(
+    args: { filePath: string; content: string },
+    context: { directory?: string },
+  ) {
     if (process.env.SANDBOX_MODE === '1') {
-      return await sandboxCall('write', { path: args.path, content: args.content })
+      return await sandboxCall('write', { path: args.filePath, content: args.content })
     }
-    const resolved = path.isAbsolute(args.path)
-      ? args.path
-      : path.resolve(context?.directory ?? process.cwd(), args.path)
+    const resolved = path.isAbsolute(args.filePath)
+      ? args.filePath
+      : path.resolve(context?.directory ?? process.cwd(), args.filePath)
     fs.mkdirSync(path.dirname(resolved), { recursive: true })
     fs.writeFileSync(resolved, args.content)
     return { output: `Wrote ${args.content.length} bytes to ${resolved}` }

From 190db79134d5f67e6a590c30998b6d42eed2bec5 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Wed, 6 May 2026 11:53:06 +0800
Subject: [PATCH 16/33] =?UTF-8?q?feat:=20Agent=20=E7=BB=9F=E4=B8=80?=
 =?UTF-8?q?=E9=80=89=E6=8B=A9=E5=99=A8=20+=20MiMo=20=E9=9B=86=E6=88=90=20+?=
 =?UTF-8?q?=20=E9=85=8D=E7=BD=AE=E9=9A=94=E7=A6=BB=20+=20=E5=8F=91?=
 =?UTF-8?q?=E9=80=81=E6=8C=89=E9=92=AE=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 合并静态 CodeBuddy 标签和 runtime 选择器为统一 Agent Select
- 新增 MiMo provider（opencode.json + logo + 模型列表）
- Tool 安装从全局 ~/.config/ 改为项目级 .opencode/，注入 OPENCODE_CONFIG_DIR 隔离
- 修复 ACP 完成后 task.status 未更新为 done，导致发送按钮卡住
- per-agent 模型选择，切换 agent 自动校验 selectedModel
- 更新 changelog
---
 .env.example                                  |   5 +
 .gitignore                                    |   4 +-
 .opencode/opencode.json                       |  76 +++++
 docs/feat-acp-runtime-abstraction.md          |  93 +++++-
 .../src/agent/cloudbase-agent.service.ts      |   8 +-
 .../src/agent/runtime/opencode-acp-runtime.ts |  23 +-
 .../src/agent/runtime/opencode-installer.ts   |  48 +++-
 .../runtime/opencode-tool-templates/bash.ts   |  18 +-
 .../runtime/opencode-tool-templates/edit.ts   |   9 +-
 .../runtime/opencode-tool-templates/grep.ts   |  15 +-
 .../runtime/opencode-tool-templates/read.ts   |  19 +-
 .../runtime/opencode-tool-templates/write.ts  |   7 +-
 packages/server/src/routes/acp.ts             |  19 +-
 packages/web/public/logos/mimo.png            | Bin 0 -> 12428 bytes
 packages/web/src/components/logos/index.ts    |   1 +
 packages/web/src/components/logos/mimo.tsx    |  26 ++
 .../src/components/logos/provider-logos.tsx   |   6 +
 packages/web/src/components/task-form.tsx     | 271 ++++++++----------
 18 files changed, 424 insertions(+), 224 deletions(-)
 create mode 100644 .opencode/opencode.json
 create mode 100644 packages/web/public/logos/mimo.png
 create mode 100644 packages/web/src/components/logos/mimo.tsx

diff --git a/.env.example b/.env.example
index ad9bde9..2aeb295 100644
--- a/.env.example
+++ b/.env.example
@@ -80,3 +80,8 @@ WORKSPACE_ISOLATION=isolated
 # ==================== Proxy (Optional) ====================
 
 # http_proxy=
+
+# ==================== Mino (Optional) ====================
+
+# MiMo openai-compatible proxy API key (used by opencode-acp runtime)
+# MIMO_API_KEY=
diff --git a/.gitignore b/.gitignore
index fd35fe3..57f2539 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,4 +89,6 @@ skills-lock.json
 CodeBuddy Code_decompiled
 CodeBuddy Code_files
 decompiled
-decompiled-ui
\ No newline at end of file
+decompiled-ui
+# opencode project-level config (auto-generated tool overrides)
+.opencode/tools/
diff --git a/.opencode/opencode.json b/.opencode/opencode.json
new file mode 100644
index 0000000..17e89e5
--- /dev/null
+++ b/.opencode/opencode.json
@@ -0,0 +1,76 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "model": "mimo/mimo-v2.5-pro",
+  "provider": {
+    "mimo": {
+      "npm": "@ai-sdk/openai-compatible",
+      "name": "MiMo",
+      "options": {
+        "baseURL": "https://token-plan-sgp.xiaomimimo.com/v1",
+        "apiKey": "{env:MIMO_API_KEY}"
+      },
+      "models": {
+        "mimo-v2.5-pro": {
+          "name": "MiMo V2.5 Pro",
+          "tool_call": true,
+          "limit": {
+            "context": 1048576,
+            "output": 131072
+          },
+          "modalities": {
+            "input": ["text", "image"],
+            "output": ["text"]
+          }
+        },
+        "mimo-v2.5": {
+          "name": "MiMo V2.5",
+          "tool_call": true,
+          "limit": {
+            "context": 1048576,
+            "output": 131072
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["text"]
+          }
+        },
+        "mimo-v2.5-tts": {
+          "name": "MiMo V2.5 TTS",
+          "tool_call": false,
+          "limit": {
+            "context": 8192,
+            "output": 4096
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["audio"]
+          }
+        },
+        "mimo-v2.5-tts-voiceclone": {
+          "name": "MiMo V2.5 TTS VoiceClone",
+          "tool_call": false,
+          "limit": {
+            "context": 8192,
+            "output": 4096
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["audio"]
+          }
+        },
+        "mimo-v2.5-tts-voicedesign": {
+          "name": "MiMo V2.5 TTS VoiceDesign",
+          "tool_call": false,
+          "limit": {
+            "context": 8192,
+            "output": 4096
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["audio"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/docs/feat-acp-runtime-abstraction.md b/docs/feat-acp-runtime-abstraction.md
index adb38d8..d57a6fa 100644
--- a/docs/feat-acp-runtime-abstraction.md
+++ b/docs/feat-acp-runtime-abstraction.md
@@ -2,7 +2,7 @@
 
 > 分支：`feat/acp-runtime-abstraction`
 > 基线：`origin/main`（c9b68f9）
-> 14 commits，46 files changed，+5889 / -22
+> 15 commits，63 files changed
 
 ---
 
@@ -217,3 +217,94 @@ npx tsx --env-file=.env scripts/test-runtime-selector.mts
 - [ ] 前端 task-chat、AskUserForm、ToolConfirmDialog、PlanModeCard 等组件无变化
 - [ ] 管理后台（`/admin`）、任务列表、沙箱 preview、git 相关功能不受影响
 - [ ] 多 agent / multi-repo 任务创建路径正常（`selectedRuntime` 透传不报错）
+
+---
+
+## 四、增量变更（续 commit）
+
+### 4.1 Agent 统一选择器 + Per-Agent 模型
+
+**问题**：前端同时显示静态 CodeBuddy 标签和 runtime 下拉选择器，冗余。
+
+**方案**：合并为统一的 Agent `<Select>` 组件，采用静态列表（Method B）：
+
+- `CODING_AGENTS` 静态数组：`codebuddy`、`opencode`、`mimo`，每个带 `runtime` 字段
+- `RUNTIME_TO_AGENT` 映射：`tencent-sdk → codebuddy`，`opencode-acp → opencode`
+- 多 agent 共享同一 runtime（`opencode` 和 `mimo` 都映射 `opencode-acp`）
+- 后端 availability check 结果驱动 `unavailableAgents` Set，不可用时 disabled
+- 每个 agent 独立模型列表，切换 agent 时自动校验 `selectedModel` 是否在新模型列表中，不存在则选第 0 个
+- `useEffect` 监听 `[selectedAgent, agentModels, selectedModel]` 防止竞态
+
+**改动**：`task-form.tsx`（重构 agent/model 选择逻辑）
+
+---
+
+### 4.2 MiMo 模型集成
+
+新增 MiMo（小米）provider 到 OpenCode 配置：
+
+- **配置文件**：`.opencode/opencode.json`（项目级，checked in）
+  - Provider: `mimo`，使用 `@ai-sdk/openai-compatible`
+  - baseURL: `https://token-plan-sgp.xiaomimimo.com/v1`
+  - apiKey: `{env:MIMO_API_KEY}`（env var 替代，不硬编码）
+  - 默认模型：`mimo-v2.5-pro`（支持图片理解）
+  - TTS 模型：`mimo-v2.5-tts`、`mimo-v2.5-tts-voiceclone`、`mimo-v2.5-tts-voicedesign`
+- **Logo**：`packages/web/public/logos/mimo.png` + `components/logos/mimo.tsx` + `ProviderLogos` 映射
+- **后端模型列表**：`opencode-acp-runtime.ts` 的 `getSupportedModels()` 返回 MiMo + Moonshot 模型
+- **环境变量**：`.env.example` 添加 `MIMO_API_KEY` 占位
+
+**改动**：`.opencode/opencode.json`（新增）、`mimo.png`（新增）、`mimo.tsx`（新增）、`provider-logos.tsx`、`task-form.tsx`、`opencode-acp-runtime.ts`、`.env.example`
+
+---
+
+### 4.3 配置隔离：项目级 tool override
+
+**问题**：opencode tool 安装在全局 `~/.config/opencode/tools/`，不同项目/用户互相干扰。
+
+**方案**：
+
+- Tool 安装目录改为项目级 `.opencode/tools/`（`.gitignore` 排除生成物）
+- 新增 `resolveProjectRoot()`：从 `__dirname` 向上查找含 `packages/server` 的目录
+- 新增 `getOpencodeConfigDir()`：返回 `OPENCODE_CONFIG_DIR ?? <projectRoot>/.opencode`
+- spawn opencode 时注入 `OPENCODE_CONFIG_DIR` 环境变量，与用户全局配置隔离
+- 支持 `OPENCODE_PROJECT_ROOT` env override（CI/部署场景）
+
+**改动**：`opencode-installer.ts`、`opencode-acp-runtime.ts`、`opencode-tool-templates/*.ts`、`.gitignore`
+
+---
+
+### 4.4 修复：ACP 完成后发送按钮卡住
+
+**问题**：ACP session 显示 `[DONE]` 后，对话框发送按钮一直不恢复为"发送"状态。
+
+**根因**：`observeStreamWithLiveCallback` 在 SSE 流结束时未更新 `task.status`，前端 `isAgentBusy = task.status === 'processing' || task.status === 'pending'` 始终为 true。
+
+**修复**：在 `[DONE]` SSE 消息之后，更新 `task.status` 为 `'done'`（或 `'error'`）：
+
+```typescript
+const finalRun = getAgentRun(sessionId)
+const finalStatus = finalRun?.status === 'error' ? 'error' : 'done'
+await getDb().tasks.update(sessionId, { status: finalStatus, updatedAt: Date.now() })
+```
+
+**改动**：`acp.ts`
+
+---
+
+### 4.5 增量改动文件清单
+
+| 路径 | 类型 | 说明 |
+|---|---|---|
+| `.opencode/opencode.json` | 新增 | MiMo provider 配置（checked in） |
+| `.gitignore` | 修改 | +`.opencode/tools/` |
+| `.env.example` | 修改 | +`MIMO_API_KEY` 占位 |
+| `packages/web/public/logos/mimo.png` | 新增 | MiMo 品牌 PNG |
+| `packages/web/src/components/logos/mimo.tsx` | 新增 | MiMo logo 组件 |
+| `packages/web/src/components/logos/index.ts` | 修改 | +MiMo export |
+| `packages/web/src/components/logos/provider-logos.tsx` | 修改 | +MiMoProvider |
+| `packages/web/src/components/task-form.tsx` | 修改 | Agent 统一选择器 + per-agent 模型 |
+| `packages/server/src/routes/acp.ts` | 修改 | task status done 修复 + runtimes 返回 models |
+| `packages/server/src/agent/runtime/opencode-acp-runtime.ts` | 修改 | MiMo 模型列表 + OPENCODE_CONFIG_DIR |
+| `packages/server/src/agent/runtime/opencode-installer.ts` | 修改 | 项目级安装 + resolveProjectRoot |
+| `packages/server/src/agent/runtime/opencode-tool-templates/*.ts` | 修改 | 模板简化 |
+| `packages/server/src/agent/cloudbase-agent.service.ts` | 修改 | 类型对齐 |
diff --git a/packages/server/src/agent/cloudbase-agent.service.ts b/packages/server/src/agent/cloudbase-agent.service.ts
index b719e42..52de6c4 100644
--- a/packages/server/src/agent/cloudbase-agent.service.ts
+++ b/packages/server/src/agent/cloudbase-agent.service.ts
@@ -52,13 +52,13 @@ let cachedModels: ModelInfo[] | null = null
 
 // Static model list (temporary, replace with dynamic fetch when ready)
 const STATIC_MODELS: ModelInfo[] = [
-  { id: 'minimax-m2.7', name: 'MiniMax-M2.7' },
-  { id: 'minimax-m2.5', name: 'MiniMax-M2.5' },
+  { id: 'glm-5.1', name: 'GLM-5.1' },
+  { id: 'glm-5.0', name: 'GLM-5.0' },
   { id: 'kimi-k2.6', name: 'Kimi-K2.6' },
   { id: 'kimi-k2.5', name: 'Kimi-K2.5' },
   { id: 'kimi-k2-thinking', name: 'Kimi-K2-Thinking' },
-  { id: 'glm-5.1', name: 'GLM-5.1' },
-  { id: 'glm-5.0', name: 'GLM-5.0' },
+  { id: 'minimax-m2.7', name: 'MiniMax-M2.7' },
+  { id: 'minimax-m2.5', name: 'MiniMax-M2.5' },
   { id: 'deepseek-v3-2-volc', name: 'DeepSeek-V3.2' },
 ]
 
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 23c122b..f20fae7 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -3,16 +3,17 @@
  *
  * 基于 ACP 协议的 OpenCode agent runtime，严格遵守 agent/sandbox 分离原则。
  *
- * 架构（"全局 tool override + env 注入"）：
+ * 架构（"项目级 tool override + env 注入"）：
  *
  *   server 启动时：
  *     ensureOpencodeToolsInstalled()
- *       └─ 把 read/write/bash/edit/grep/glob 模板拷贝到 ~/.config/opencode/tools/
+ *       └─ 把 read/write/bash/edit/grep/glob 模板拷贝到 <projectRoot>/.opencode/tools/
  *          （同名 custom tool 覆盖 builtin — 实测已验证）
  *
  *   每次 chatStream：
  *     1. 如果有 envId：scfSandboxManager.getOrCreate()
  *     2. spawn opencode acp，通过 child env 注入：
+ *          OPENCODE_CONFIG_DIR=<projectRoot>/.opencode  （隔离用户全局配置）
  *          SANDBOX_MODE=1
  *          SANDBOX_BASE_URL=<沙箱 HTTPS>
  *          SANDBOX_AUTH_HEADERS_JSON=<凭证 JSON>
@@ -43,7 +44,7 @@ import {
 import { persistenceService } from '../persistence.service.js'
 import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
 import { getAcpTransportFactory, getResolvedBin, type AcpTransport } from './acp-transport.js'
-import { ensureOpencodeToolsInstalled } from './opencode-installer.js'
+import { ensureOpencodeToolsInstalled, getOpencodeConfigDir } from './opencode-installer.js'
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
 import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt } from './opencode-message-builder.js'
@@ -177,10 +178,15 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
 
   async getSupportedModels(): Promise<ModelInfo[]> {
     return [
-      { id: 'moonshot/kimi-k2-0905-preview', name: 'Kimi K2 (0905)', vendor: 'Moonshot' },
+      // MiMo (default)
+      { id: 'mimo/mimo-v2.5-pro', name: 'MiMo V2.5 Pro', vendor: 'MiMo' },
+      { id: 'mimo/mimo-v2.5', name: 'MiMo V2.5', vendor: 'MiMo' },
+      { id: 'mimo/mimo-v2.5-tts', name: 'MiMo V2.5 TTS', vendor: 'MiMo' },
+      { id: 'mimo/mimo-v2.5-tts-voiceclone', name: 'MiMo V2.5 TTS VoiceClone', vendor: 'MiMo' },
+      { id: 'mimo/mimo-v2.5-tts-voicedesign', name: 'MiMo V2.5 TTS VoiceDesign', vendor: 'MiMo' },
+      // Moonshot (direct)
       { id: 'moonshot/kimi-k2-turbo-preview', name: 'Kimi K2 Turbo', vendor: 'Moonshot' },
-      { id: 'opencode/big-pickle', name: 'OpenCode Big Pickle', vendor: 'OpenCode Zen' },
-      { id: 'opencode/gpt-5-nano', name: 'OpenCode GPT-5 Nano', vendor: 'OpenCode Zen' },
+      { id: 'moonshot/kimi-k2-0905-preview', name: 'Kimi K2 (0905)', vendor: 'Moonshot' },
     ]
   }
 
@@ -350,7 +356,10 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       }
 
       // 3. 构造 spawn env — 把沙箱凭证 + AskUser 回调 URL 通过 env 注入 opencode 子进程
-      const childEnv: Record<string, string> = {}
+      const childEnv: Record<string, string> = {
+        // 指向项目内 .opencode/，隔离用户全局配置
+        OPENCODE_CONFIG_DIR: getOpencodeConfigDir(),
+      }
       if (sandbox) {
         const authHeaders = await sandbox.getAuthHeaders()
         childEnv.SANDBOX_MODE = '1'
diff --git a/packages/server/src/agent/runtime/opencode-installer.ts b/packages/server/src/agent/runtime/opencode-installer.ts
index 4dd9bb8..e3f593a 100644
--- a/packages/server/src/agent/runtime/opencode-installer.ts
+++ b/packages/server/src/agent/runtime/opencode-installer.ts
@@ -1,8 +1,10 @@
 /**
- * OpenCode 全局配置安装器
+ * OpenCode 项目级配置安装器
  *
- * 目的：把 tool override 模板一次性装到 `~/.config/opencode/tools/`，这样：
- *   - 所有 opencode 实例都能加载（全局生效，不必每 session 写一遍）
+ * 目的：把 tool override 模板装到项目根目录的 `.opencode/tools/`，这样：
+ *   - 同一项目的所有 session 共享同一份 tools（session 之间不重复写入）
+ *   - 与用户的全局 `~/.config/opencode/` 完全隔离，不污染用户配置
+ *   - spawn 时通过 `OPENCODE_CONFIG_DIR=<projectRoot>/.opencode` 让 opencode 只读项目目录
  *   - 模板自身通过 `process.env.SANDBOX_*` 读取 per-session 凭证
  *   - opencode 看到 custom tool `read` / `write` / ...，**覆盖** builtin 同名工具
  *
@@ -15,7 +17,6 @@
 
 import fs from 'node:fs'
 import path from 'node:path'
-import os from 'node:os'
 import crypto from 'node:crypto'
 import { fileURLToPath } from 'node:url'
 
@@ -60,11 +61,46 @@ function resolveTemplateDir(): string {
   )
 }
 
-/** 安装目录：默认 ~/.config/opencode/tools/ */
+/**
+ * 解析项目根目录。
+ * 优先级：
+ *   1. OPENCODE_PROJECT_ROOT env（测试 / 自定义部署时覆盖）
+ *   2. 从 __dirname 向上查找 package.json 中 name === 'coding-agent-template' 的目录
+ *   3. 从 __dirname 向上找包含 packages/server 的 monorepo 根
+ *   4. process.cwd() 兜底
+ */
+export function resolveProjectRoot(): string {
+  const fromEnv = process.env.OPENCODE_PROJECT_ROOT
+  if (fromEnv) return fromEnv
+
+  // 向上最多 8 层查找 monorepo 根（含 packages/server 子目录）
+  let dir = __dirname
+  for (let i = 0; i < 8; i++) {
+    if (fs.existsSync(path.join(dir, 'packages', 'server'))) return dir
+    const parent = path.dirname(dir)
+    if (parent === dir) break
+    dir = parent
+  }
+
+  return process.cwd()
+}
+
+/**
+ * 安装目录：项目根 `.opencode/tools/`
+ * 可通过 OPENCODE_TOOLS_INSTALL_DIR 完全覆盖（保留旧的逃生舱）。
+ */
 function getInstallDir(): string {
   const override = process.env.OPENCODE_TOOLS_INSTALL_DIR
   if (override) return override
-  return path.join(os.homedir(), '.config', 'opencode', 'tools')
+  return path.join(resolveProjectRoot(), '.opencode', 'tools')
+}
+
+/**
+ * 返回项目级 `.opencode/` 目录路径（供 spawn 时注入 OPENCODE_CONFIG_DIR）。
+ * 可通过 OPENCODE_CONFIG_DIR env 覆盖（若用户自行设置则尊重用户）。
+ */
+export function getOpencodeConfigDir(): string {
+  return process.env.OPENCODE_CONFIG_DIR ?? path.join(resolveProjectRoot(), '.opencode')
 }
 
 /** 读文件返回 sha256 hex */
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts b/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
index 67a91f5..c3f7299 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
@@ -26,16 +26,8 @@ export default {
     '- AVOID using this tool for file operations (reading/writing/editing/searching); use the specialized tools instead.',
   args: {
     command: z.string().describe('The command to execute'),
-    timeout: z
-      .number()
-      .int()
-      .positive()
-      .optional()
-      .describe('Optional timeout in milliseconds'),
-    description: z
-      .string()
-      .optional()
-      .describe('A clear, concise description of what this command does in 5-10 words'),
+    timeout: z.number().int().positive().optional().describe('Optional timeout in milliseconds'),
+    description: z.string().optional().describe('A clear, concise description of what this command does in 5-10 words'),
     workdir: z
       .string()
       .optional()
@@ -69,11 +61,7 @@ export default {
   },
 }
 
-async function sandboxCall(
-  tool: string,
-  body: unknown,
-  timeoutMs: number,
-): Promise<string | { output: string }> {
+async function sandboxCall(tool: string, body: unknown, timeoutMs: number): Promise<string | { output: string }> {
   const baseUrl = process.env.SANDBOX_BASE_URL
   if (!baseUrl) throw new Error('SANDBOX_BASE_URL not set')
   const headers = JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON || '{}') as Record<string, string>
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts b/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
index 1e24ec5..0546c42 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
@@ -25,13 +25,8 @@ export default {
   args: {
     filePath: z.string().describe('The absolute path to the file to modify'),
     oldString: z.string().describe('The text to replace'),
-    newString: z
-      .string()
-      .describe('The text to replace it with (must be different from oldString)'),
-    replaceAll: z
-      .boolean()
-      .optional()
-      .describe('Replace all occurrences of oldString (default false)'),
+    newString: z.string().describe('The text to replace it with (must be different from oldString)'),
+    replaceAll: z.boolean().optional().describe('Replace all occurrences of oldString (default false)'),
   },
   async execute(
     args: { filePath: string; oldString: string; newString: string; replaceAll?: boolean },
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts b/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
index 4b1d807..04ca8ea 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
@@ -22,19 +22,10 @@ export default {
     '- Returns file paths and line numbers with at least one match sorted by modification time.',
   args: {
     pattern: z.string().describe('The regex pattern to search for in file contents'),
-    path: z
-      .string()
-      .optional()
-      .describe('The directory to search in. Defaults to the current working directory.'),
-    include: z
-      .string()
-      .optional()
-      .describe('File pattern to include in the search (e.g. "*.js", "*.{ts,tsx}")'),
+    path: z.string().optional().describe('The directory to search in. Defaults to the current working directory.'),
+    include: z.string().optional().describe('File pattern to include in the search (e.g. "*.js", "*.{ts,tsx}")'),
   },
-  async execute(
-    args: { pattern: string; path?: string; include?: string },
-    context: { directory?: string },
-  ) {
+  async execute(args: { pattern: string; path?: string; include?: string }, context: { directory?: string }) {
     if (process.env.SANDBOX_MODE === '1') {
       return await sandboxCall('grep', {
         pattern: args.pattern,
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/read.ts b/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
index 76f0873..8b073a7 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/read.ts
@@ -24,23 +24,10 @@ export default {
     '- In sandbox mode, use relative paths (no leading /); they resolve against the session working directory.',
   args: {
     filePath: z.string().describe('The absolute path to the file or directory to read'),
-    offset: z
-      .number()
-      .int()
-      .nonnegative()
-      .optional()
-      .describe('The line number to start reading from (1-indexed)'),
-    limit: z
-      .number()
-      .int()
-      .positive()
-      .optional()
-      .describe('The maximum number of lines to read (defaults to 2000)'),
+    offset: z.number().int().nonnegative().optional().describe('The line number to start reading from (1-indexed)'),
+    limit: z.number().int().positive().optional().describe('The maximum number of lines to read (defaults to 2000)'),
   },
-  async execute(
-    args: { filePath: string; offset?: number; limit?: number },
-    context: { directory?: string },
-  ) {
+  async execute(args: { filePath: string; offset?: number; limit?: number }, context: { directory?: string }) {
     if (process.env.SANDBOX_MODE === '1') {
       return await sandboxCall('read', {
         path: args.filePath,
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/write.ts b/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
index b97cc19..f733299 100644
--- a/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/write.ts
@@ -18,17 +18,14 @@ export default {
     'Writes a file to the filesystem. Overwrites existing files.\n\n' +
     'Usage:\n' +
     '- This tool will overwrite the existing file if there is one at the provided path.\n' +
-    '- If this is an existing file, you MUST use the Read tool first to read the file\'s contents.\n' +
+    "- If this is an existing file, you MUST use the Read tool first to read the file's contents.\n" +
     '- ALWAYS prefer editing existing files in the codebase. NEVER write new files unless explicitly required.\n' +
     '- In sandbox mode, use relative paths (no leading /); they resolve against the session working directory.',
   args: {
     filePath: z.string().describe('The absolute path to the file to write (must be absolute, not relative)'),
     content: z.string().describe('The content to write to the file'),
   },
-  async execute(
-    args: { filePath: string; content: string },
-    context: { directory?: string },
-  ) {
+  async execute(args: { filePath: string; content: string }, context: { directory?: string }) {
     if (process.env.SANDBOX_MODE === '1') {
       return await sandboxCall('write', { path: args.filePath, content: args.content })
     }
diff --git a/packages/server/src/routes/acp.ts b/packages/server/src/routes/acp.ts
index 838d418..ff5d7c4 100644
--- a/packages/server/src/routes/acp.ts
+++ b/packages/server/src/routes/acp.ts
@@ -718,6 +718,16 @@ async function observeStreamWithLiveCallback(
     }
     await stream.writeSSE({ data: '[DONE]' })
 
+    // Update task status: pending → done (or error).
+    // This allows the frontend to exit its "busy" state and show the send button.
+    try {
+      const finalRun = getAgentRun(sessionId)
+      const finalStatus = finalRun?.status === 'error' ? 'error' : 'done'
+      await getDb().tasks.update(sessionId, { status: finalStatus, updatedAt: Date.now() })
+    } catch {
+      // Non-critical — frontend will eventually poll the task and reconcile
+    }
+
     // Cleanup stream events — only if agent is no longer running.
     // If agent is still running (client disconnected mid-stream),
     // keep events in DB for reconnection via GET /observe/:sessionId.
@@ -797,10 +807,11 @@ acp.get('/runtimes', async (c) => {
   const runtimes = agentRuntimeRegistry.list()
   const defaultRuntime = agentRuntimeRegistry.resolve()
   const items = await Promise.all(
-    runtimes.map(async (r) => ({
-      name: r.name,
-      available: await r.isAvailable().catch(() => false),
-    })),
+    runtimes.map(async (r) => {
+      const available = await r.isAvailable().catch(() => false)
+      const models = available ? await r.getSupportedModels().catch(() => []) : []
+      return { name: r.name, available, models }
+    }),
   )
   return c.json({
     default: defaultRuntime.name,
diff --git a/packages/web/public/logos/mimo.png b/packages/web/public/logos/mimo.png
new file mode 100644
index 0000000000000000000000000000000000000000..f209e12b7f0a872fc722e5007ba7b7b69a190d09
GIT binary patch
literal 12428
zcmeHt`8$-~|Nl_7NJvcfHA@;MvSdq)l86|gu}+eG%f4ohLA*jJqL7h2`x;q7hHNpI
zD5fyRKB3`ryxyPh|M2-<*ZYUzy6*ej=RW7$&+|Bs=i~8wYGioh^eLWG5D4V7-c6mm
z5C|<d_;E4PgDXE{DoEfTljltf9|!~{di<jaDAe?WK!hNAI$EXyFG;gseBYYa?QYDH
z%Txw~B)`%ccd2qXX?@ocVvd$!tG@P@?mCxP^)(5Zo1Kv&GLoINb5CH>g|`IRKgRk*
z9C?(r2KoA*yZYq%x~H<>5qs)Qo!pZU$m@3ekz+F*1Y&E=2!?a*+&nD=@=gQ=27`=d
z2KN&@X&?|&b{GT_A>9eu86g_LJ?wuQ|93V1uf)dk8T@I;)i$y|G?pVa|4*B&h)55#
zWW{p1sSd9U`J)3apL`N+Cn+L=MCw^h-bJP_W=x%ZdQ;!HPCEI=1avg42#ZzJ<5+Pk
zluTHbW{j+pOsI3pK2u?3F!}*u{6UM&+=CpS{*(<SslRw|n3=!O`iwm`f2Yobvv&2?
z==P}5My`TES$*)^ejP^c=P{?c)_-XZ8jdQQWJxG^k2L0#uxg&Jb4x6!oI7NfJ}Zne
z63rwZxFL}eM_zt3XuDYqCql)@DSNlcuhtF!(BdK0hXs|zI3LN=xT!{__D<EgxnQae
zEhG~x4e7LAdy|~;erv52=S_^^SRuxr%geVG&AGX`IS{G+Rgmu&EizOBWw_a4a#-bL
zWJ;#k)8!4wcl9>%Kv1ih>YQ_JP?opmjc8`fEmhR84~;F0Hp*owgerovHJzoEw;UQ8
zGEHHCkVo45PW#@z#|D#=#%+zIs1Uc$Kui=?JlRh^Q7{m7!(&ZH6~MBRQVON@IBK^>
z>&l)xI30-6KxA@!8{Vy0?(nx01Mg-my3)_<7>iLT6z5*Nd%YRGIS*R*C<_vi^5rTj
zUX2h?UQscg>>m~e3(PI$$7KjHng*ZWJ!lov6EPSK*~hsl^48`}QBe@+G#l@;FM--U
zQ*q4fscN{z`FSl;z{-y0R|TZ%+_w-yX0;5mSM!rs$gp6ZpX`YWI|#-uUf^pZrAgO5
z{7S_~ee~zw^$W^%hmD3M8Y>I!#1~%z6z(;+;OmkK`u6wUN;;oMW)x1>x-4B}aTH-@
z;ugUv)tM*_1mQT9hQFF~AJv*D&X1f@l0W+KR<gh9RF~1>^mtuOxLm&u7bi^TZBoHa
z(!fX^?ta8Un+Mg0|E?FG>c&(kfy}>I1YMO($PRN_O?pmj+`+*;9YmO!xkbKS(EEBY
zuwiMDF`+qnZ`?6)i?ThN{=p--X#ZA1!Moqw_shdAvifMd5CqxYVAR}o|M-myJXS$=
zP=VR<rt;rauO<6~94!2{eSK)uxvW5^r@2K6!nzF7KJ7aORVXkB*OI(WD4!`2)0=K8
z*Q93oTGd-*7%ZLRL>O;X$g!LWGP*S2?Q{k)75-BNrS_S2uT9q1s?^}~44J}#7!lga
zzmx8eH8V5wj-Na~Z&w*p9VzroG9m0fU2VBb3AVq)=M<y@JYxqvbh${2#+V{^7WXyf
zA78Bgp3BTWJJLRTw(jDc$!WAc7F&IoC7DnlNxXRflZa(r3HBCDRu+7BKfk3<orZQ$
zY`NI<PCo>)o(@i?YdRdwUn)zn(tEq4oax<qEw;XT55oHx76PRkDtbgEhmR-kwI3a{
z*H~k@Ag>>aR<BQrR184h?DKq_fZ!TKSizf|(`r{~UU`7wA(5Y_rn08tM}N0)#tfod
z2w@O4qyTN!@2E&Q7R?z%y%P^T)}E6bddBMD&^Jni;9d4gx$n~aLXsRyH}uWbC^5!J
zV_jwmy@Ixwris!573Qw>`pr<AAsjB{YL9#Uf!jk2{2{y|zbWUI|C$E#1CgT{*QO)X
zuSb8+_||Y0NT$iLw1=2all<&4>}bq$2bKQDkl7v~M%Mk{DKbSioY%pELwTmhHI?F=
zP$RRXw$fdDs;kmq)Rek28r&XLAo;MKrvxAdU$2`nr%kzs_iE#<v<ImKyb$BG%z){T
zqeVv4YViC)n<X!Pch5hU7+8@WS@Q81YFh5|tn{`k{!FXj3HEL2Y2!aCmt(=J;l^Q@
z;=hJPVZup2%tN*6Q=U6C##dd}VtZGiI0Nr_7Y){$!3A9`nV@&%HduL?y|X*6koo}I
zTJ3Pp1m$G<V<vfn|7MyF_3!SLLgtd)(dDY_qN=9q(jMKXg0tU86_BCt{@lzHFYR?k
zJ7V0Rh8DYcUDZqXE?jT;QyD_I*DmSoujH)Bj;Y;k9hfg@7ETT{Rx=w_h>Ag$dH?2{
zK6PF@ni&isT%0mdr7CpLrfDfV9_+?{Ipi#i6?;3{bHk~zF6Y<Etx?l5E4PE0(^n?~
zeXpP})VJfA@Sa9Ey)mc7O39yFR+Dd%?M7I+wOy|Vywg@X{b8zS=vjpy6E_3$cqr8i
z%4UC>j(&VAj-cH7QLr=p?S!%wGdGOD*1pgW&4SOBxkwFoKPNXoZ19{fqK?-N#3=e@
z7oGokPIi9bwf!Dh`?-TueSN)iud1eIW`U&PAtg%4$cpOIPSEG;O?){-JZSqF2)lFV
z4t6C6^La}R-edkskuNsi6j|8R)Bnt@G=0ohy`*Hq!9qa2+XBD0*9b*x{5?v7PvF08
zsNLCA%NrvH7&3A*^jF^&5EL9wuD2``8>oJBq)wm|%IMenD(mQcRj~T`a$_wvz}MHI
zS*mr41*(@84}a)AKe(l~x3e-S#`RQx)D#ATxhiSv<eumWo-9|xy<*~ewMJgpF&u#2
z5!-Dxx?rsRc#r?!@Luq<=Vfau_zFatSk~CL1nnehkbbZM^nNT)-}?<qv1GJFdufGD
zw^RGoiK4~{whF|*pTo=aG`wSLn6k)Yvpm^f{lQPbEiSPnxkCAqdHZDJ$;2Txmyt)&
ziB*oVd{|zH#;5m9!jEQ$!Dl#!h9x7B>CQ@6a9VJ77Z30!#((mXQBnfY;om%KSfCmp
zS=^GAoiOe!?!|XzU;aa8w*SYV)(kbAo6-*(R3QK6M0a-#IAWZ#4HweQvx`~;&a=-i
zoYZDn|LYp@5E|P`AJJAzAdBmzAy~h!aw3GAXNUac>3we6s*m$UA&AS%&LjB;<`x-x
z*+q3ZUTnCnhg73^p3d&4)iVFY#WB?WutK3)4#s{Sv~eQxuSUrK+fj(i5H}BQi@xz!
zoZYXVqpd{;2f<GZ`uyZC%r7il-<ekUuoGlJ?!I|gIU6AbmcLWZlvg;^*H;{gq)zDP
zt5a8Zcg=ixR-T_j2wP;7`2Y56R!Zn=FCw+hnFak?TT?I)$NAI>V1*w_H)3T5M*QS^
z8meX9_&cABP87&4N>xrS#7fsPyXO*R@i&Qq<v}NcLPB2djP6T)RY=d%4Bx%l<JTNI
zRXq*$89QBq4+@H>Oym;v_<Efy#u5ske`ohs+-jRIjjLAFKS(KfH2myGU@icr5&_JY
zhob+>p19akB@;eTLZANlR^r7zOSnC%AWNghNXry?tw54TA>fR<0Mk+Yr^CLldXsFW
z4$iWqvMT9!52tc3eXYMVOTOuICQ344toW*n!AD+itX=(&m8w#VpXxZPia`ze@Y3{T
zY<&|_^2{EdwQG3)6gJMiiFgo}Blg+0#%TZj%xBlssAB|s_uLOU{I)UgsaYc@EV+>e
zil!&zTo3N|A`qxXCa13`o#l0&O)GK=s`cpeH0JEq14Qf5wy!)Ed)4XbetyPtvOMX9
zr<aj~NHlY8HPv*To%G85N`IlJ*UexI{7vqSFIU9&H9}qDUe)nG^f*JH9HS$Cny9N_
z+VHFSLhp;<h)3Jm&YCS(4A48|C!SjTNSNF7sF&}3_sP!g8%i`e_j6pVj1E@)cuzjr
zH(6uL(Q7Ri4uTt!sOLpck1p*3%J^L!nq7ge6`V7iT}}Dlv5fO9*oR<+&G^QoK|jH6
z-gc@!W#i}XQ1`OAw~L%~SEwV_dX%wt@kxJKfuP&*yY8*oXFQ5E6xd*_(q_NL%qDBk
ziVoJ}Ne{T{y}DPnd_zMo0o2P&cz30l_?-MeY2X^bpuDwrB_&wtrv*0wsp{WASqN$c
zZ>XX%%R%ZDvvYIUisCnc20rr?702jA8dIcrW@hF@*kM||5%~>Py0Nu2olIy~tucBI
z*R8|5k$=3bzVDn}<UFb_D=T}0nTwxPxbGIX<Blz<6D}$yQx3EaV=?gRDOc0vZnM=c
z5fsZ?$%K!&jBOmf8v|<od=dlIBOZ}9Bj&{m&x;kxc(;E1c(c5@(<?b}H|+19d~X>%
zv+QYK)|Do+cC&N`m2X{1W{>iT_U2%0;(7&}V}UHZcjBQLx|5q#cbtqlOJthHNNBW4
zhJ*A$UqG%Ssb&=n;Y9W>wpDxgZ@NRtX460+qI)Uc6E63K(q<DF5Ky@r9Y6mlx*M$o
zA8mSC<m61<L5(UnS17oattoG(Q7x5R*;8lTmHx~jT<yMVbar<DxOa#keyumkYi_$U
z*SmJ-&Bm))lHXADEFhe7;}vEXV<z}KFmpG{^5BJathGLJjNEUaK@r5Tc7OZWQ?c?(
z&}=ytWD~{;->ZA^*SBA-P&79hG}gUednf=MQ{n6EzL`*9#B08r!EAB?F36+h+fGoO
z^tIxQxi#6IB&6AM`hKaB?Jc)%&u`~^b!N@lvzt{k)YLGWy_l}Ys{VdTuh-fW)lv-e
zI)yGL<q)6M(CtemTrV##58_9!7F#8Kd>1#oADT2iP)8s$%%10_vcYssIb-$(yMkJ|
z&=`4gUFKW7z|{m1CXl#zokk}X{CX{+k>okQ{Evf0Mr&91GyIcw$M-q46WaYRNc;!>
zPrBG)x@itmwoxB9)iSZzUmu}be7zjKRnw*hlYiPOI3lcq#lMc6Qn!O{Qs_e>;oPEt
zE4aJ6)2p@}Ck5i7c?=*^16XV@+K0>2bZE84T{e&Z^?1*t{=S6G)5i)AlPV!+*Hyss
zcgpcONd2y<k$24FD#ivUt*=bVT2xFX2DF!YjXtJ6o$D!h(D9WGMi1~A0NAv_?}dfV
zEOmI%d**ZC+)WHFE@g+IY=W%cgl==t=82+M-T^pm##NM;o8Mm10a>FlXCliv{-m4>
z>f8`U?h~K4W~NUsA0Fl=5>f$mYbpn$!@DOSc?i6jz4swdhIxC4UfOo<+C(Niwj6(=
z&`J9EJx~)GO0ZdkiV#YYxyxvcOm<V!R>S%DmC<B^dHVbN*X2B6AE}{bN%73@ql6Z_
z{~{8JGUYo@3naOYcuqoMuQeDwz<8Crgtl7CcWm)nWU$LXY=xqk#SzBJ&40J3RQ2Yf
zHbBc?CuV<ilZl`^?np?FW4!n~HB9zj4stdymumpAlUIAA67`oK(uMX&%`K3;E7)<q
zw+f0DW2CJe{(6bMZJRVzBg0D?ANOlcZz>1JNXg2+!$y%w&mt79n>GD@!>1wegb-?*
z?HJD1cXoCLzDO9DjL$0Ka5!<?R(JA8#z@;?sZMY@_g8bGF;FxY?*i%!x6j<pIZwLz
z1s!b}67|oYKlsgAgVCFOy&&J7#(__Ece3_@MUi)l)cIw3O*OTf#+)?`^N(bbNc*(z
z<#B?xtWY1X0yP|x!PC7S?;p&$++;>}YG`Z(XB{%-_f-OATyyJTO{xc>O)pI>iXpLz
zOXvRehT%s9zDO}SvCeL$55@2`O0Ztq&o1}vYMF6{04~J*UxRBVe7)G#+W^>P^<z`)
z-e=w9QTlQmPr(d;h^l0kdkoQk(``_`%h$U+3LRCTdh0F74E)^KFeW($<w_uoWgb5D
zEGua^pjsauXAs;Hyumyh?)597Ecc2vTt2w86VAdSWZ7WJY_a+K28+EZf((N4dK~G@
z;f{J21Dt19S(zfId%|K0M}p^<U6hjis+5@4uXJ`lX(BaTX`WEZNqXxPw5~}wy$<p&
zXE*aQv-Z;>uS#obYUX;sxhk4<e&g)wcCPha8;_r8;O)5&u@Ob_-3+E1qK1WkjVZ@s
z-_U**2D|;Cx;nCSvQw8avEZgSlwW&g>G!lhNY2yaPH@?sXaiHcmP@R*EHh1+a)g%_
zNd5#Fbgg<|uB>weQOb43)OF@H0Ny}qMp20gI!NLAURXP^meCW^+0C6MW^5Didw;))
zLI*mWa<9L2Y2T6VPNq9OY|2&f&C#G7OPO1F5&K&;oC(=M6`5Tmt$uCW5)vnj3K3z^
z-YH){CQ@i!<F{827gkp>l+UbHDqOlQuAjerN!qF6ZX=godR_ONX84*-bmAG7Dq5mn
zGcq)7g+9R9@+(Uk8dFu#>*AE1d?;^IioI3lIJi67HbDR%K{Vt9g9s|517vB>%6U6V
zS_#o`T_7nSQyQ%+Uh!gxkySl!qwRiu+FZ3%mry+6lHuSi?8a1sg<OhG^nZk7VGk4#
zg^zWr0`&n_DK6q29*%?HlzJFZ+S@N)VI@!1PP!}7x}=FYGtZGI!9m**qHM4^0A`_V
zvm_GfyH(fp2{lA+Fk(rr!^FpV@fop;61pQ$)25I&K_-)L@P5w{dpbiPl=91howMf6
z{4&yW;}$d)%Pp2lw4g^n_EIts)k}NFy1uREp-7{Rc6O+Lu+J7L#D*Sx6dcbdjq@2N
zkIl}`ejgYDEN|bxg+LAzr{#O<xe?w}tZUFb>pnJqt`vKh9HgPCnb#eIba9IucP<o=
zTTsrxVqY?IiQw{)&GmMz*7``~@<9ra!H~$3JN(6yw8{eW*AJPvvdN8cJRN)K)iTGS
zi|s{KOb)%j=PCW=`#WDBmdI=U)z1N+ybAAG5JecjYxh=FRsE;9SVC%`n({4Ii1DrD
zDUf7j23^CG{0v#j>55`Kg>iQ-OmmC#@}gP~r=}A%!0=U?M;C=Z^tQar%WI$EOCh~V
z_+g$<@T~oCUq5tlGN0uN)Th?+bA?U2bw;h`V*`v3qnI8Cyr<75oO<P(J$f*k)^ID1
zME?!M=6=lY`T39geVc#+m%EHhEUZcSB;XAueJ|yF(G4ZVk2~*huqoyw0WxDS+VZ!!
zZ!1X-aMmuP0!i<t%mq;(2arf*)2oT~Ab($6TQgi+TeHsiR=%=dPtGPEfO9F@PPt#@
z@5T>?6-$VO<>Q9<f}5a?X-ea)`>TLyr)*ttEZDS%mGIZx7iqz@Nh+R0z<+g`0twEH
zyN$;(!vUc5_q>rUwH2aw^X%r;lfUe$DiBSS*=)nv-;crie_mWHT!t67L^>LCO4sOS
z$Rwl3r$k}ZSFBIH_y-Z2n9n7>Y>jAm5YKOVuXOxD-g1$K+<0C24c8$W(F76VVe*p_
ziw6x*d%B^O6&FVWuE+_iF@3bO)Kg-et)1@R<PbNiQi63(Yd_FNSzA{ZUVUxrH7_!7
zd53*JB_+kMf^Njkvxxe^g0ovJlhNk-<l!&|zFaZm+T7Cea`mES$CboW++KX8DSrMA
z5aK<6!yb-G9X`$%0}RVt!T~o?F+2Y1TR2S#9|6s30-1>`qPjaeQI2I?Rsg^x$Q%bd
zDnLAe6ldp!qod<Q{g?)#zC3aTaL`dSq^bK8ibXT-*O2T-+TmJ2&c+~yIm`~Pq`?UJ
zO=V%QmtmK-!P)!sfI=S92=rIdm~2M_=@uHhOeoC<iXc;D$KDq6?Gceqghj@(s=?u(
z4RrM#Rj`jVovf{_3>J2V@Ap6f=MC*}vB8se9V#$Vzj}61Ha4of6V}bGt*=&tE_HAY
zYM_1wmbXE14{Ne?GWT!9@_f%C?uju3_*orH2Uovb-re=9zL@Vvpt%<e2N4x=u<KTB
zQu3tag>S<#1jOk~a`j&wXG60VwIG7)4~P^pq09go3KFsIq>6GEkT)$ihPc#B^?@6&
z1lnl_Kf87zps`Vy6E95eEweGZ`qH4WO_O4T_HaSc?*o9xZJ`HCKSf+azbR*Ww6dNv
zIkcuVk;k_pVi~!SNP{K*Kly25=YPg>o%~qbdnuvwcVa7C7Xt@6EXbL`^e?pliU%|@
z2a8)484NMVq%DVw4J?5$Ld~o@kPD;|I)lthSDGj+WpK@?UDs;isr{Vc2KUAg(&(lj
z`%|5tpS@KfL^>@YW6svq!N5NA+*x-CU#s@jO(#s2)irg5KdgCcO2T#3uQ_weGNW+k
z8qGC#Chlu@j5(>h1cLjy<gUlW4boo7o%%v5M=s<E(|??#`WpUWCJ1Cz=)b<w|5f8G
z{F^(l{{Tt+H@oLxPX*d1g(`d0+EgBX5j|LWnvS)y!4udX-~`cPyZNt;Vv2NVw)p2~
zCr~qEi=5tKu_LnOT5K&Jv~@l~0nX};D!i#fvs&lr-*3lN=@@U{wSy)Q110#03kwT2
zN5BpU-V?}hkn**nxL)#Xxv4YVcrU}j&1#YqyxinIs!%)EQ!;jscv&y)BmSA#=Qy`V
z*+pNf-|vKm4=d^zkMW>2T(ylkqw4Kowb4GmkEH{>`x%SPc|JFR&>fgt53*s+Gh-ss
zXR`tu)<fINu*<JCub~Hj%G&y9X10;*5ypIDu~_W191DXAcVMpI7?=dTOBc#{jd(d3
zeeubHsMRoIWXFDE{=@rOeVDFpxKfuP5_yuP+oxnU87=!2h~-BbXIjtu6$P2_y<t6_
zV4`~5uTyr|x8|i&XqMLVV{GY92bEEL!DoN5$%R#zL?R>xF4y`2!grUqzuMGAn-d{X
zYbUML4PW_YJ91v+gR>bBc}Eo_LKW{bo`3G`AR>Pnup`PoTGaNhkHDSNTy6&;CgWFA
zLUU<r-B$&Zn3cCtY;w6PW40pzZuT9a3qDi2eXpN`Njm|MdP@<U{(3@}U^_Ab{T}F?
zqIKg9gE(X495FH?-{-`{YSLHfB$woiOL7qz)s|DP+#}0N2^25j#`L_1TFS;Hkq_)K
zsasoHbG@e`UsK@whZ<Mf&hX@Q9V?kFx9?kJ7f3#6wWeq!yAW}dP>?$L$&bCCbOGiY
za9U<LZ;!cl#q=aydyqw=EpHy*;4iA2K0!2h?ifDBB_aY&2I=0BG_lX0S4<oFfmpe>
zRSb0KcPoOA2Nh9|Ebn#<vvSSCiPwCD3kvC2zSzzesA$fEgd3b~a02qz3%7=0>v0bz
z8g#rZTw?m7J51bmP~AL!u-Jc16m$-TE~e+IM0XaB_cYEZ+=mnS<QTbZ<a_$U+V80^
z&7A1rh>VFJTubi@R>S=R1U$XbF+USInwrx9Y(Kl#n`o}_ouL1?;Hk|ro#WDBeyfr#
zRjd3;c~f)qKLwJmN+*(Y+#1+YKQ^r|ae|I}KW~LR<NZ8C+mi;mm2uzd0uo?HNAW{`
z7zXYg7^u=$MPxf}=aQ`pbmwq&k;{1zRUd4HFAutyPqNFcXH9uD&V}v)-Z-8zONWt6
zxKQ7!_;KMe*h!rBC8^602;1f3S^$JS#yEU(?%x)B3N4>(g*X2;*2tK=5^2Vh-j=Uq
zmJtcd6YhZ?13OiZ+g<2`7SvO}*?e(X=keZYDJlC|QoFg7kAb)1Upi#%D7KV=_{VG8
zCtM6nZr!dW;SS~~`6<;hcm;zymSL)lk&4Mb6meU|M|G+^rR#TVu(uxw&tH#@5WXB%
z`3S!k%gj!zdrxt9tdg2VC>7I7-q!$Wc%O!p7TX8F*!Sy)a>d3<|KpKm@XNWLOssq5
z-@qnp`)&IDz%KD{^<aI9-X9pP78yx?W$^`%o)e5m72McPPT({bb^c?N4X{A#A`$o@
zO;o&$lI^z{y0KlyBW%-Ll+1v2|B^ev9G1faEVh3?u=wS>+Yg@1Uw>dh)AbMx&mo#Q
zb&-w*k59xO{xvC+OrUQSc(i)$wn5wF)R<W2RELu+_>To{nP*`-8E55O84~NnQQKv0
z;U;-ri@~=nO849w!{UMe(#lFdYS24rVDf6~Dpdc4I}c*y?PR5jPKLuK^?;()R{B1i
zCY6qYdVHl<fQ36q=Boa3<1goObtr7x{IP=OJ+_l>xkP|$?Nm&W(=_OiDyA`3D`H@>
zl9yC%2E5*ab6NK~Jf+M(kS=${^!=rc)d$1c=|p4~F;H97a5s)vlaOuX@T*;moCc%H
z8_qAP?}Dcm3YXaAP|RFz%`=|DAe!baD<9o|<(W#{GuEt;Jav)qrs~!KW$^n@x7o4X
zQC7q!hhhP(S3zrP#JoLNp~HER<RAZpt-WkMsI3rwA6oV8*u*}<O3}02i$dTzU^+#-
zawvd1cuiCbzm3<sMt_QnjsCAz^9PrL>-ugKDJDMnWg)DMxnPqmH6(K0+bo_$Hcb<g
z@VLAbnET1={fvk|FpL2?p(cM-ctsuL{mVPQaKeNMs?Cr%FfgFEHuSqdiVh<j)!o$<
z^)pbTuj<UWKQ~S#jyaV`24bUh@1|Ocl?ive=LXZ{i5}?3$i3yJA~v~LR<1e^1ueGi
zxuOuJI|~ToJ|HIcSAB>)RTSm9L3a=AT>B;z5EagFiOl>;&ff|8xw?A0KysNNben#D
z0a8xK64|}o2$joVlhJu>?WADvW|)I=#XuCu@q7d61kE0;2IXfLX`*c5f-pKv;mJhF
z1Ve$oy=-_<IQoJJ&S#3`*P0?v@sj?-Kfl0Ocl^FE6eCohiAy9%35fN`WchPEt=zf9
z4d(}1jNCV>&w<Uq<sfe>BL%ds=tPhbm#j2_z5tmHlJ(>S3Pukr^km{*4ZB<hmrSIP
zQJ}beFi+Vfo=L_aSjG=f<p2d*21qVExTmn#w=x572>E{DkASzHa4BSh4zqS9)pox8
zICV-Rz_Nk%Vvzw1c;gdCO%Zk&cHEXJe(D%Az&YJb$ISkU7w^|>wb~>LR_@Ceg9<dr
z%@WB6iRamx9|O3Memo577zP$yOM#Bgw3wfHO3+)6ET+f0j|uhHfB9pR0K&0R!4K?J
zzFvt?n>dtoi_Cyl@@!q4$LctRGF8_rdlb5Q!GWB$)g}`6yk|!;L1ZN_il^mrYF1n#
z=%~#|$-w6;cX(d}{JC~i42Who{$@(2l&TZ!dAV5cLE;B?m_i+=&He>coco=l^SeA2
zI$wf405Jh7R8;c|b=*JIGT<<K6E^e=Ef?ES`YbFt)S%Y7BE`DFsSgg-_S`}CxrE+Z
zoFVxo^7idz^vIkise67evWQDWM<RN+TK;iw0daUTF|1lf)#<N(hQp1DPgm0;;4!vd
zt0%gGGd|RH-&k&1Q+Lt%;ZH;PqKJyN3)uXpzq`9z@AvdhgjVG*@>tHVk{qQ*0l6X&
zMU33p`>c=nojtG4T*iBj_-pKx9JQ5#2pX{gK2*`=-2GSHS8Q*K|NHq1+c|ze8qBch
z?D5c70<9^n)_IAkE}(V(8!}xLPBnazw&!_d45K=Cwn8V}57?4N-FyK#={32#FCDyl
z7#&O_bdR=YEHZ{3Pn;2dZ~R0X9GeXtejP&QgDIp4__*x|#m=sT*|9aw=ZQ9uNFQFb
zWs_MNFza~XT*+n^8+joqmpM#u>qZ0g<G15D4@Wa#q!^eR;ymHu(TS;;<A5E2n}Ply
z%3SmII@%0i%WSgngUb*@tp@0n5qPQ!rA>!Xp<|wS=gB-8L`?CtdvZL2YpS+`AkMeX
zaK9f|KQlzfs?|`bbNv3{kyB6~W-gxO**A}d%&pGG38Bo#l)#O3GeQJ>(l#F+nkKR9
z$U}S*)35}3n<@b>d6M#yM{bD+Y*el=`~9EtNn0J)QDESn9dH^n5a49i3t_f=P3pTZ
zqhjKR{;4J{60AljYL(CTFSEh;j5%XK?q(n$AfWNr5&RWn(T=2J1-c~QvOqZ%v>vX<
zmxUZ1hE9CEu0zzz^4w6HD<Eh5-nNwK60GBm2p{vkq?dLxy9kH_z-a_K3yHjoJV%!D
z`cUK~HgNfKHNcfLu<;lpGs$CVMUQ}hX|2?=wdJ!B8a@&p$3v6oS;Z2~%mC1(2f7rg
zJ^r=*4idQ&ww(MUU_?F6i;to~KW~3N;1aDZyMntjkJ6-+DC)ZrD8Ng6J>pYiS;nR6
z0(SM>O6V#jxU>5@8w?_I9f@SX<?ap6Ftms1{P2;bj?bhWUytqia>-!y@O0J-IhMtR
zg#wBfAexU(7e#o|*uoXufn#{7oO1o55j!j+>i814Yw<}6w}l{8<-?!()J(|)@sNR_
z4v|SPBX_4+r#y0<srxC_qOa2csg$%-YRt*uRg_nyt<cGc0nZy_;6TFA3E<Hj>*_jD
zp~DpmE_!XM-BTF?ZuWE)s&3Xjn0lbEd;`EFZN~!eQ0r8Q<KyG2jw#!}^MQOQ^Ro8Z
z@k~b*l9oresZ{FwUK>t?*Jdd|xW~LvdLU^u2g2fbkgQH_ulL{;TLlB3yX3(XK~3{?
zpL~!{ap?ir*lMw0U_oPm-XXx(2h60ZcfXtdeWSgDMUkS9&d<CEc0}ql-0Ci84EXG4
z&YTfEln07YTlkS-rFny<s}cm_3d#w>4*!<;so}PM{{F28ghWRb{ep5Ay)@vmr%NVS
z2RSb{0n22}*RB4ECoPyyLArw!&{Y1FRfGNgC5$<NI9-GKk?+JKHIUX_wGOjRgqXL8
z>6tS4`~7S8msKk<$cZ0M*ninIUOOOHLNomEv3+GR(4G(@`ZU_YC`g1_yTIPYk6zo}
z_J)RMKx=AcN#HZ#1jH}3{pj$1Zf>qM*6luc!D|{{(9<7HP&{V6ynhiCwuDjl#d|;n
zz=O&%d?+DP!2pP4fk8oOiHV8+M~%Qm2WCYLU&yIouyE_QI1y2p_J9>&Sp&ynk=%Zi
z0U%Y6gDLX$B)m)Rxq^XBkQC6qz{$D#I-Ih+oRIYGb?lS~coKNQ73^v_-bKf9v(n5d
zX`uUHu|XD7n>FWPZzMSg6mb@9rmjl=;K`L*QzSx`K1dV=>EJ~olLX|h<`O>x5FK#A
z<mBWShlgbVnzr5J!VU?z!7bMlfLP$bZN0dfICnh6Cx!GZc$0_l(BpZ2;y6KXVlu)F
zid5T%=`i`lB~A9p1L<fKxT$=NTMm>+xG6b!B9T+>v=@>=<tl^oG1txjG8x|BJm)-Z
zC;;(o(gYfBtM1ci6k0b2Ngk!B+6DjB&LwUV^TLNVuK?nYE;iX#Jci_jE1A3nv29Ao
zq}NNG<Qfm#Sy#nYyc~CE`&roEP&1^s9kd^aiKL=;w?OJ}R_<(S{0E;>P++4GDO7oQ
z9wo&+R0!&JKt5M5oFJ0!V?4R@+3n`&*gpAdVfJVvOXTY-Jum+Tq5wec_~?Bp07oO>
z(<*x@vru#^seHVIcz4Sl)L`up908-M&3DS4poFfp-^i3U7@c}G05SyL%hfV9VTbRg
zOfOvi0gCfJj@)TB7#()mFpRN#L`Chl5zLUjk9k4)fjW2bj9Qvl)uHO+s$^<tog2Q#
z%e8gZX8ieeU1LtvmL#cP=OG_VC%IXQ)k`$nq|p<W!UTnV$aiDn($~lYbRJ>69aN|k
z-Bga38DKm&W&~1OHB>y`uErR&OK_Uz94LwWHw`B?Zn?c%3F5djRp%mgoW9q|4BXKq
zKFcn0N-TKsH}LHR<NsH226mzs-%;I%GPrJk^<(?(z2^;{Fc7xN$>RTNwpc81_5luz
z6mc+Ut$PcE5V+X`r(ik1LwYT~Hm+(oaw5FL!Zg0&0FKyW0;O!l>Vb9%`CcHIAjZ;_
z`I_(Klb5ev@&6?QV-X0qpu47Wo9pLonLq@gxK2JfskL5l)LQPsbr4nRepES23+d=(
zWPedGRsLVS>c55F|6i89Q-wv6;$2;pKym-zb?Olf{X2$>_QtsiplTnYhcMJBziu1(
EKi!u~DF6Tf

literal 0
HcmV?d00001

diff --git a/packages/web/src/components/logos/index.ts b/packages/web/src/components/logos/index.ts
index bd6215b..c6274e2 100644
--- a/packages/web/src/components/logos/index.ts
+++ b/packages/web/src/components/logos/index.ts
@@ -4,5 +4,6 @@ export { default as Codex } from './codex'
 export { default as Copilot } from './copilot'
 export { default as Cursor } from './cursor'
 export { default as Gemini } from './gemini'
+export { default as MiMo } from './mimo'
 export { default as OpenCode } from './opencode'
 export { ProviderLogos, type ProviderKey } from './provider-logos'
diff --git a/packages/web/src/components/logos/mimo.tsx b/packages/web/src/components/logos/mimo.tsx
new file mode 100644
index 0000000..00f24e8
--- /dev/null
+++ b/packages/web/src/components/logos/mimo.tsx
@@ -0,0 +1,26 @@
+import * as React from 'react'
+
+// MiMo logo — PNG asset from public/logos/mimo.png
+// Accepts className/style like other logo components so it fits inline selectors
+const MiMo = ({
+  className,
+  style,
+  width,
+  height,
+}: {
+  className?: string
+  style?: React.CSSProperties
+  width?: string | number
+  height?: string | number
+}) => (
+  <img
+    src="/logos/mimo.png"
+    alt="MiMo"
+    className={className}
+    style={{ display: 'inline-block', objectFit: 'contain', ...style }}
+    width={width ?? '1em'}
+    height={height ?? '1em'}
+  />
+)
+
+export default MiMo
diff --git a/packages/web/src/components/logos/provider-logos.tsx b/packages/web/src/components/logos/provider-logos.tsx
index d0e01b2..9c2b6d7 100644
--- a/packages/web/src/components/logos/provider-logos.tsx
+++ b/packages/web/src/components/logos/provider-logos.tsx
@@ -59,6 +59,11 @@ const MiniMax = (props: SVGProps<SVGSVGElement> & React.ImgHTMLAttributes<HTMLIm
   <img src="/logos/minimax.png" alt="MimiMax" {...(props as React.ImgHTMLAttributes<HTMLImageElement>)} />
 )
 
+// MiMo / Xiaomi MiMo (official brand PNG)
+const MiMoProvider = (props: SVGProps<SVGSVGElement> & React.ImgHTMLAttributes<HTMLImageElement>) => (
+  <img src="/logos/mimo.png" alt="MiMo" {...(props as React.ImgHTMLAttributes<HTMLImageElement>)} />
+)
+
 // DeepSeek (from @lobehub/icons, official brand)
 const DeepSeek = (props: SVGProps<SVGSVGElement>) => (
   <svg xmlns="http://www.w3.org/2000/svg" width="1em" height="1em" viewBox="0 0 24 24" fill="none" {...props}>
@@ -159,6 +164,7 @@ export const ProviderLogos = {
   baidu: Baidu,
   generic: GenericLLM,
   minimax: MiniMax,
+  mimo: MiMoProvider,
 } as const
 
 export type ProviderKey = keyof typeof ProviderLogos
diff --git a/packages/web/src/components/task-form.tsx b/packages/web/src/components/task-form.tsx
index eaed64a..7ed8409 100644
--- a/packages/web/src/components/task-form.tsx
+++ b/packages/web/src/components/task-form.tsx
@@ -13,18 +13,17 @@ import {
   DropdownMenuTrigger,
 } from '@/components/ui/dropdown-menu'
 import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from '@/components/ui/tooltip'
-import { Loader2, ArrowUp, Settings, X, Cable, Users, Globe, Code2 } from 'lucide-react'
-import { CodeBuddy, ProviderLogos, type ProviderKey } from '@/components/logos'
-// import { Claude, Codex, Copilot, Cursor, Gemini, OpenCode } from '@/components/logos'
+import { Loader2, ArrowUp, Settings, X, Cable, Globe, Code2 } from 'lucide-react'
+import { CodeBuddy, MiMo, OpenCode, ProviderLogos, type ProviderKey } from '@/components/logos'
+// import { Claude, Codex, Copilot, Cursor, Gemini } from '@/components/logos'
 import { setInstallDependencies, setMaxDuration, setKeepAlive, setEnableBrowser } from '@/lib/utils/cookies'
 import { useConnectors } from '@/components/connectors-provider'
 import { ConnectorDialog } from '@/components/connectors/manage-connectors'
 import { toast } from 'sonner'
-import { useAtom, useAtomValue, useSetAtom } from 'jotai'
+import { useAtom, useSetAtom } from 'jotai'
 import { taskPromptAtom } from '@/lib/atoms/task'
 import { lastSelectedModelAtomFamily, githubReposAtomFamily } from '@/lib/atoms/github'
 import type { ModelInfo } from '@coder/shared'
-import { useLocation } from 'react-router'
 
 interface GitHubRepo {
   name: string
@@ -59,23 +58,21 @@ interface TaskFormProps {
   maxSandboxDuration?: number
 }
 
-/** Human-readable labels for runtime names returned by GET /api/agent/runtimes */
-const RUNTIME_LABELS: Record<string, string> = {
-  'tencent-sdk': 'CodeBuddy (Default)',
-  'opencode-acp': 'OpenCode ACP',
+/** runtime name → agent value 的映射（让 CODING_AGENTS 与后端 runtime name 对齐） */
+const RUNTIME_TO_AGENT: Record<string, string> = {
+  'tencent-sdk': 'codebuddy',
+  'opencode-acp': 'opencode',
 }
 
 const CODING_AGENTS = [
-  // CodeBuddy agent (default)
-  { value: 'codebuddy', label: 'CodeBuddy', icon: CodeBuddy, isLogo: true },
+  { value: 'codebuddy', label: 'CodeBuddy', icon: CodeBuddy, isLogo: true, runtime: 'tencent-sdk' },
+  { value: 'opencode', label: 'OpenCode', icon: OpenCode, isLogo: true, runtime: 'opencode-acp' },
   // --- Other agents (commented out, kept for reference) ---
-  // { value: 'multi-agent', label: 'Compare', icon: Users, isLogo: false },
-  // { value: 'claude', label: 'Claude', icon: Claude, isLogo: true },
-  // { value: 'codex', label: 'Codex', icon: Codex, isLogo: true },
-  // { value: 'copilot', label: 'Copilot', icon: Copilot, isLogo: true },
-  // { value: 'cursor', label: 'Cursor', icon: Cursor, isLogo: true },
-  // { value: 'gemini', label: 'Gemini', icon: Gemini, isLogo: true },
-  // { value: 'opencode', label: 'opencode', icon: OpenCode, isLogo: true },
+  // { value: 'claude', label: 'Claude', icon: Claude, isLogo: true, runtime: 'claude' },
+  // { value: 'codex', label: 'Codex', icon: Codex, isLogo: true, runtime: 'codex' },
+  // { value: 'copilot', label: 'Copilot', icon: Copilot, isLogo: true, runtime: 'copilot' },
+  // { value: 'cursor', label: 'Cursor', icon: Cursor, isLogo: true, runtime: 'cursor' },
+  // { value: 'gemini', label: 'Gemini', icon: Gemini, isLogo: true, runtime: 'gemini' },
 ] as const
 
 // Map model name prefix to provider logo key
@@ -92,6 +89,7 @@ const MODEL_PROVIDER_MAP: [string[], ProviderKey][] = [
   [['ernie', 'wenxin', 'baidu'], 'baidu'],
   [['llama', 'meta'], 'generic'],
   [['minimax'], 'minimax'],
+  [['mimo'], 'mimo'],
 ]
 
 function getModelProviderKey(modelId: string): ProviderKey {
@@ -102,29 +100,6 @@ function getModelProviderKey(modelId: string): ProviderKey {
   return 'generic'
 }
 
-// Model options for each agent
-const AGENT_MODELS: Record<string, Array<{ value: string; label: string }>> = {
-  codebuddy: [{ value: 'glm-5.1', label: 'GLM 5.1' }],
-  // --- Other agents (commented out, kept for reference) ---
-  // claude: [
-  //   { value: 'claude-sonnet-4-5', label: 'Sonnet 4.5' },
-  //   { value: 'anthropic/claude-opus-4.6', label: 'Opus 4.6' },
-  //   { value: 'claude-haiku-4-5', label: 'Haiku 4.5' },
-  // ],
-}
-
-// Default models for each agent
-const DEFAULT_MODELS = {
-  codebuddy: 'glm-5.1',
-  // --- Other agents (commented out) ---
-  // claude: 'claude-sonnet-4-5',
-  // codex: 'openai/gpt-5.1',
-  // copilot: 'claude-sonnet-4.5',
-  // cursor: 'auto',
-  // gemini: 'gemini-3-pro-preview',
-  // opencode: 'gpt-5',
-} as const
-
 export function TaskForm({
   onSubmit,
   isSubmitting,
@@ -137,32 +112,62 @@ export function TaskForm({
   maxSandboxDuration = 300,
 }: TaskFormProps) {
   const [prompt, setPrompt] = useAtom(taskPromptAtom)
-  const selectedAgent = 'codebuddy'
-  const [selectedModel, setSelectedModel] = useState<string>(DEFAULT_MODELS.codebuddy)
+  const [selectedAgent, setSelectedAgent] = useState<string>('codebuddy')
+  const [selectedModel, setSelectedModel] = useState<string>('glm-5.1')
   // Default to 'coding' mode — tasks without a git repo are always coding/sandbox tasks
   const [taskMode, setTaskMode] = useState<'default' | 'coding'>('coding')
-  const [codebuddyModels, setCodebuddyModels] = useState<ModelInfo[]>([{ id: 'glm-5.1', name: 'GLM 5.1' }])
   const [repos, setRepos] = useAtom(githubReposAtomFamily(selectedOwner))
   const [, setLoadingRepos] = useState(false)
 
-  // Runtime selector: loaded from /api/agent/runtimes
-  const [selectedRuntime, setSelectedRuntime] = useState<string>('')
-  const [runtimeOptions, setRuntimeOptions] = useState<Array<{ name: string; label: string }>>([])
+  // Per-agent model lists and availability, loaded from /api/agent/runtimes
+  const [agentModels, setAgentModels] = useState<Record<string, ModelInfo[]>>({
+    codebuddy: [{ id: 'glm-5.1', name: 'GLM 5.1' }],
+  })
+  const [unavailableAgents, setUnavailableAgents] = useState<Set<string>>(new Set())
+  const [selectedRuntime, setSelectedRuntime] = useState<string>('tencent-sdk')
+
   useEffect(() => {
     fetch('/api/agent/runtimes')
       .then((r) => r.json())
-      .then((data: { default: string; runtimes: Array<{ name: string; available: boolean }> }) => {
-        const available = data.runtimes.filter((r) => r.available)
-        if (available.length <= 1) return // 只有一个 runtime 时不显示选择器
-        const options = available.map((r) => ({
-          name: r.name,
-          label: RUNTIME_LABELS[r.name] ?? r.name,
-        }))
-        setRuntimeOptions(options)
-        setSelectedRuntime(data.default ?? '')
-      })
+      .then(
+        (data: {
+          default: string
+          runtimes: Array<{ name: string; available: boolean; models: ModelInfo[] }>
+        }) => {
+          const newAgentModels: Record<string, ModelInfo[]> = {}
+          const unavailable = new Set<string>()
+
+          for (const rt of data.runtimes) {
+            if (!rt.available) {
+              // mark all agents that use this runtime as unavailable
+              for (const agent of CODING_AGENTS) {
+                if (agent.runtime === rt.name) unavailable.add(agent.value)
+              }
+            } else if (rt.models.length > 0) {
+              // assign models to every agent that maps to this runtime
+              for (const agent of CODING_AGENTS) {
+                if (agent.runtime === rt.name) newAgentModels[agent.value] = rt.models
+              }
+            }
+          }
+
+          setAgentModels((prev) => ({ ...prev, ...newAgentModels }))
+          setUnavailableAgents(unavailable)
+
+          // Set default agent/runtime from server
+          const defaultAgentValue = RUNTIME_TO_AGENT[data.default]
+          if (defaultAgentValue) {
+            setSelectedAgent(defaultAgentValue)
+            setSelectedRuntime(data.default)
+            const defaultModels = newAgentModels[defaultAgentValue]
+            if (defaultModels && defaultModels.length > 0) {
+              setSelectedModel(defaultModels[0].id)
+            }
+          }
+        },
+      )
       .catch(() => {
-        /* silently ignore — runtimes endpoint optional */
+        /* silently ignore */
       })
   }, [])
 
@@ -176,30 +181,6 @@ export function TaskForm({
   // Connectors state
   const { connectors } = useConnectors()
 
-  // Fetch supported models from backend on mount
-  useEffect(() => {
-    fetch('/api/agent/acp', {
-      method: 'POST',
-      credentials: 'include',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ jsonrpc: '2.0', method: 'initialize', id: 1, params: { protocolVersion: 1 } }),
-    })
-      .then((res) => res.json())
-      .then((data) => {
-        const models = data?.result?.supportedModels
-        if (Array.isArray(models) && models.length > 0) {
-          setCodebuddyModels(models)
-          const ids = models.map((m: ModelInfo) => m.id)
-          if (!ids.includes(selectedModel)) {
-            setSelectedModel(models[0].id)
-          }
-        }
-      })
-      .catch(() => {
-        // Silently ignore - fall back to static defaults
-      })
-  }, [])
-
   // Ref for the textarea to focus it programmatically
   const textareaRef = useRef<HTMLTextAreaElement>(null)
 
@@ -244,46 +225,38 @@ export function TaskForm({
     }
   }
 
-  // Get URL search params
-  const location = useLocation()
-  const searchParams = new URLSearchParams(location.search)
-
-  // Load saved model and options on mount, and focus the prompt input
+  // Focus the prompt input when the component mounts
   useEffect(() => {
-    // Check URL params for model override
-    const urlModel = searchParams.get('model')
-    if (urlModel) {
-      const agentModels = AGENT_MODELS['claude' as keyof typeof AGENT_MODELS]
-      if (agentModels?.some((model) => model.value === urlModel)) {
-        setSelectedModel(urlModel)
-      }
-    }
-
-    // Focus the prompt input when the component mounts
     if (textareaRef.current) {
       textareaRef.current.focus()
     }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [])
 
-  // Get saved model atom for current agent
-  const savedModelAtom = lastSelectedModelAtomFamily(selectedAgent)
-  const savedModel = useAtomValue(savedModelAtom)
-  const setSavedModel = useSetAtom(savedModelAtom)
+  // When agent changes: switch runtime + reset model if current selection not in new list
+  const handleAgentChange = (agentValue: string) => {
+    setSelectedAgent(agentValue)
+    const agentDef = CODING_AGENTS.find((a) => a.value === agentValue)
+    if (agentDef) setSelectedRuntime(agentDef.runtime)
+    const models = agentModels[agentValue] ?? []
+    if (models.length === 0) return
+    if (!models.some((m) => m.id === selectedModel)) {
+      setSelectedModel(models[0].id)
+    }
+  }
 
-  // Update model when agent changes
+  // Validate selectedModel whenever agent or its models change.
+  // Catches races where agentModels arrives after selectedAgent update.
   useEffect(() => {
-    // Load saved model for this agent or use default
-    const agentModels = AGENT_MODELS[selectedAgent as keyof typeof AGENT_MODELS]
-    if (savedModel && agentModels?.some((model) => model.value === savedModel)) {
-      setSelectedModel(savedModel)
-    } else {
-      const defaultModel = DEFAULT_MODELS[selectedAgent as keyof typeof DEFAULT_MODELS]
-      if (defaultModel) {
-        setSelectedModel(defaultModel)
-      }
+    const models = agentModels[selectedAgent] ?? []
+    if (models.length === 0) return
+    if (!models.some((m) => m.id === selectedModel)) {
+      setSelectedModel(models[0].id)
     }
-  }, [selectedAgent, savedModel])
+  }, [selectedAgent, agentModels, selectedModel])
+
+  // Get saved model atom for current agent (persists selection across page loads)
+  const savedModelAtom = lastSelectedModelAtomFamily(selectedAgent)
+  const setSavedModel = useSetAtom(savedModelAtom)
 
   // Fetch repositories when owner changes
   useEffect(() => {
@@ -445,20 +418,47 @@ export function TaskForm({
                 </button>
                 <span className="text-muted-foreground/50">·</span>
                 <div className="flex items-center gap-2 text-sm text-muted-foreground px-2 h-8">
-                  {(() => {
-                    const agent = CODING_AGENTS.find((a) => a.value === selectedAgent)
-                    return agent ? (
-                      <>
-                        <agent.icon className="w-4 h-4" />
-                        <span>{agent.label}</span>
-                      </>
-                    ) : null
-                  })()}
+                  {/* Agent selector */}
+                  <Select value={selectedAgent} onValueChange={handleAgentChange}>
+                    <SelectTrigger className="h-7 border-0 shadow-none px-1 py-0 text-sm text-muted-foreground hover:text-foreground bg-transparent focus:ring-0 gap-1 w-auto min-w-[90px]">
+                      {(() => {
+                        const agent = CODING_AGENTS.find((a) => a.value === selectedAgent)
+                        return agent ? (
+                          <>
+                            <agent.icon className="w-4 h-4" />
+                            <span className="truncate">{agent.label}</span>
+                          </>
+                        ) : null
+                      })()}
+                    </SelectTrigger>
+                    <SelectContent>
+                      {CODING_AGENTS.map((agent) => {
+                        const disabled = unavailableAgents.has(agent.value)
+                        return (
+                          <SelectItem key={agent.value} value={agent.value} disabled={disabled}>
+                            <span className={`flex items-center gap-2 ${disabled ? 'opacity-40' : ''}`}>
+                              <agent.icon className="w-4 h-4" />
+                              <span>{agent.label}</span>
+                              {disabled && <span className="text-xs">(unavailable)</span>}
+                            </span>
+                          </SelectItem>
+                        )
+                      })}
+                    </SelectContent>
+                  </Select>
                   <span className="text-muted-foreground/50">·</span>
-                  <Select value={selectedModel} onValueChange={setSelectedModel}>
+                  {/* Model selector — options change per agent */}
+                  <Select
+                    value={selectedModel}
+                    onValueChange={(v) => {
+                      setSelectedModel(v)
+                      setSavedModel(v)
+                    }}
+                  >
                     <SelectTrigger className="h-7 border-0 shadow-none px-1 py-0 text-sm text-muted-foreground hover:text-foreground bg-transparent focus:ring-0 gap-1 w-auto min-w-[120px]">
                       {(() => {
-                        const current = codebuddyModels.find((m) => m.id === selectedModel)
+                        const models = agentModels[selectedAgent] ?? []
+                        const current = models.find((m) => m.id === selectedModel)
                         const ProviderIcon = ProviderLogos[getModelProviderKey(selectedModel)]
                         return (
                           <>
@@ -469,7 +469,7 @@ export function TaskForm({
                       })()}
                     </SelectTrigger>
                     <SelectContent>
-                      {codebuddyModels.map((m) => {
+                      {(agentModels[selectedAgent] ?? []).map((m) => {
                         const ProviderIcon = ProviderLogos[getModelProviderKey(m.id)]
                         return (
                           <SelectItem key={m.id} value={m.id}>
@@ -482,27 +482,6 @@ export function TaskForm({
                       })}
                     </SelectContent>
                   </Select>
-
-                  {/* Runtime selector — only shown when multiple runtimes available */}
-                  {runtimeOptions.length > 1 && (
-                    <>
-                      <span className="text-muted-foreground/50">·</span>
-                      <Select value={selectedRuntime} onValueChange={setSelectedRuntime}>
-                        <SelectTrigger className="h-7 border-0 shadow-none px-1 py-0 text-sm text-muted-foreground hover:text-foreground bg-transparent focus:ring-0 gap-1 w-auto min-w-[110px]">
-                          <span className="truncate">
-                            {RUNTIME_LABELS[selectedRuntime] ?? (selectedRuntime || 'Runtime')}
-                          </span>
-                        </SelectTrigger>
-                        <SelectContent>
-                          {runtimeOptions.map((r) => (
-                            <SelectItem key={r.name} value={r.name}>
-                              {r.label}
-                            </SelectItem>
-                          ))}
-                        </SelectContent>
-                      </Select>
-                    </>
-                  )}
                 </div>
 
                 {/* Option Chips - Only visible on desktop */}

From 17d1c7a89c94715f61736892b64814454543873f Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Wed, 6 May 2026 12:03:05 +0800
Subject: [PATCH 17/33] =?UTF-8?q?docs:=20=E6=96=B0=E5=A2=9E=20CHANGELOG.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md                              | 175 +++-------------------
 packages/web/src/components/task-form.tsx |  61 ++++----
 2 files changed, 48 insertions(+), 188 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7a99163..fb6138a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,171 +1,36 @@
 # Changelog
 
-本文件记录 `coding-agent-template` 面向用户/开发者的显著变更。格式参考 [Keep a Changelog](https://keepachangelog.com/zh-CN/1.1.0/)，版本遵循 [SemVer](https://semver.org/)。
+All notable changes to this project will be documented in this file.
 
-## [2.1.0] — 2025-05-03
+## [Unreleased]
 
 ### Added
 
-- **沙箱创建进度可见**: Coding 任务启动时，前端状态指示器现在会细分显示沙箱各阶段进度（镜像拉取 → 容器就绪 → 工作区初始化），不再全程显示"准备中..."。（`emitPhase('preparing', 'sandbox:xxx')` → `AgentStatusIndicator` 按阶段动态出文案）
-
-- **Dev server 启动失败快速报错**: Coding 模式下，vite 或 npm install 失败时错误原因会立即透传给前端（`viteFailureReason`），不再等待 120s 超时才报错。预览 URL 也改为等待 `viteReady === true` 再返回，避免拿到 URL 后立即 502。
-
-- **Default 模式任务分类**: Default Agent 现在会先判断任务类型再行动——对话/创作类需求直接输出文本，编程/工程类才调用工具。（`buildAppendPrompt` 为 default 模式注入 `task-classification` guideline，coding 模式不受影响）
-
-- **子工作区隔离 (Scope API)**: 同一 session 内支持多个相互隔离的子工作区，通过 `X-Scope-Id` / `X-Scope-Template` 头控制；每个 scope 独立运行 vite dev server（端口 5173-5199 动态分配）；`GET /api/scope/info` 返回工作区路径和 vite 状态。
-
-- **小程序部署进度轮询**: 小程序部署超过 60s 时接口异步返回 `{ async: true, jobId }`，客户端轮询 `GET /api/miniprogram/deploy/:jobId` 获取实时构建日志，不再因超时直接报错。
-
-- **凭证安全加固**:
-  - session 云凭证（SecretId/SecretKey/SessionToken）从明文 `.session-env.json` 改为 AES-256-GCM 加密存储（`src/session-env.ts`）
-  - Git remote URL 不再嵌入 token，改用内存 credential helper 在 push/fetch 时动态注入，`git remote -v` 不再泄露凭证
-
-- **ImageGen 图片生成**（Default 模式可用）: 生成的图片自动上传到 CloudBase 静态托管并返回 CDN 公开链接，Agent 在聊天中直接展示图片。前端 `ImageGen` / `ImageEdit` 工具卡片支持 Markdown 渲染，CDN 图片内联显示。（`GET /api/storage/presign?bucketType=static&key=xxx` 生成 COS 预签名 PUT URL，tool-override 直接 PUT 到 COS，不经过 server）
-
-- **文件浏览器下载**: 右键菜单新增文件下载（直接流式返回）和文件夹下载（沙箱内 `zip -r` 打包后流式返回）。临时 zip 存放在 `.tmp/`（已 gitignore），传输完成后删除。
-
-- **管理员用户管理 — API Key 列**: 用户列表新增 API Key 一列，支持复制和重置；管理员可为任意用户生成新 key（`POST /api/admin/users/:id/api-key/reset`）。新注册用户自动生成 API key。
-
-- **CloudBase 数据库集合权限加固**: 所有系统集合（users/tasks/keys 等）在首次访问时自动通过 `ModifySafeRule(AclTag=ADMINONLY)` 设为管理员专用，阻止前端 Web SDK 直接读写。
+- **Agent 统一选择器**：合并静态 CodeBuddy 标签和 runtime 选择器为统一 Agent `<Select>`，支持 CodeBuddy / OpenCode / MiMo 三个 agent 切换
+- **Per-Agent 模型选择**：每个 agent 独立模型列表，切换 agent 时自动校验 selectedModel，不存在则选列表第一个
+- **MiMo 模型集成**：新增 MiMo（小米）provider 配置（`.opencode/opencode.json`），支持 mimo-v2.5-pro（含图片理解）、mimo-v2.5、TTS 系列模型，API Key 通过 `{env:MIMO_API_KEY}` 注入
+- **MiMo Logo**：新增 MiMo 品牌 PNG 和 logo 组件，模型选择器中显示 MiMo provider 图标
+- **项目级配置隔离**：OpenCode tool 安装目录从全局 `~/.config/opencode/tools/` 改为项目级 `.opencode/tools/`，spawn 时注入 `OPENCODE_CONFIG_DIR` 与用户全局配置隔离
+- **`resolveProjectRoot()`**：自动检测 monorepo 根目录，支持 `OPENCODE_PROJECT_ROOT` env override
+- **ACP runtime 返回模型列表**：`GET /api/agent/runtimes` 每个 runtime 新增 `models` 数组
 
 ### Fixed
 
-- **Agent 响应消失** (`routes/acp.ts`): `removeAgent` 的 30s 延迟定时器可能误删新一轮同 conversationId 的注册条目，导致 SSE 轮询立即退出。改为携带 `turnId` 比对，stale 定时器跳过删除；poll loop 增加 3×500ms grace tick 让 eventBuffer 排空。
-
-- **发送失败留下空消息** (`use-chat-stream.ts`): 消息发送失败时 UI 残留用户消息 + Agent 占位气泡。现在 `runPromptStream` 失败时同时移除两者并恢复输入框草稿；`acp-client.ts` 对非 `text/event-stream` 响应解析 JSON-RPC 错误抛 `AcpStreamError`，服务端同步拒绝（如"A prompt turn is already in progress"）可被前端正确识别。
-
-- **历史任务打开崩溃**: 早期任务 doc 缺少 `mode`/`sandboxMode` 等字段。`CloudBaseTaskRepository` 统一走 `withTaskDefaults()` 补全默认值；`sandboxMode` 默认值改为 `'isolated'`（与新任务一致）。
-
-- **npm install 中断后 ENOTEMPTY 死循环** (`vite-dev-manager.ts`): 上次强制中断的 npm install 会留下 `.xxx-ABCDEF` staging 目录，导致下次安装 `rename` 失败死循环。启动前自动检测并清理；npm install 遇到 ENOTEMPTY 时整删 `node_modules` 后重试。
-
-- **Preview 302 重定向循环**: 移除 vite 的 `--base=/preview/{port}/` 参数，proxy 直接 strip 前缀后转发；区分 vite-managed 端口（保留完整路径）和普通端口（strip 前缀）的不同 proxy 策略。
-
-- **HMR 热更新不生效**: vite 模板增加 `hmr: { clientPort: 443, protocol: 'wss' }`，浏览器 WebSocket 通过 CloudBase gateway 正确连接。
-
-- **系统文件写入 scope 子目录**: `.capabilities`/`.mcporter`/`.skills` 在 scope 模式下被错误写入子目录。`buildSafeEnv`、`capabilityStorePath` 等统一改为解析 session root（`sessionRootFromWorkspace()`）。
-
-- **Server 进程因沙箱连接中断崩溃**: `uncaughtException` 增加对 `EPIPE`/`ECONNRESET`/`ECONNREFUSED` 的静默处理；`unhandledRejection` 对 "Session not found" 静默降级。
-
-- **scope/info 首次响应阻塞 ~59s**: `spawnVite` 将 tar 解压 + npm install 包裹在 `setImmediate` 中异步执行，HTTP handler 立即返回 `viteState: "starting"`，不再阻塞。
-
-- **API Key 认证失效** (`middleware/auth.ts`): AES-CBC 每次加密产生不同密文，`findByApiKey(encrypt(plain))` 永远查不到用户。改为 API key 存储明文（`sak_xxx`，可吊销，DB 层已有 ADMINONLY 权限保护），`findByApiKey(plain)` 直接精确匹配。
+- **ACP 完成后发送按钮卡住**：`observeStreamWithLiveCallback` 在 SSE `[DONE]` 后未更新 `task.status`，导致前端 `isAgentBusy` 始终为 true。现已在流结束时将 status 更新为 `done` 或 `error`
 
 ### Changed
 
-- **Coding 模板冷启动加速**: 沙箱镜像内模板只保留 `node_modules.tar.gz`（~33MB），去掉 `node_modules/`（~211MB）；`seedCodingTemplate` 拷贝速度提升 ~24x（3.7s → 150ms）。`node_modules.tar.gz` 改由模板 `postinstall` npm 脚本生成，保证缓存在所有依赖写入完成后才打包，不会出现"装一半"的脏包。
-
-- **Skill 加载优化**: 沙箱 skill 扫描从串行 bash 调用（`ls -1`/`test -d`）改为 `ListDir` API（返回 `entry.type` 直接判断目录）；SKILL.md 读取改为 30 并发批量 + 两目录 `Promise.all`；请求数从 `2N+4` 串行降为 `2 + ceil(N/30)` 批量。
-
-- **Sandbox 磁盘配额**: SCF 函数 DiskSize `1024` → `2048` MB。
+- **`CODING_AGENTS` 静态列表**：采用 Method B，前端静态 agent 列表 + 后端 availability check 驱动 disabled 状态
+- **多 agent 共享 runtime**：`opencode` 和 `mimo` 均映射 `opencode-acp` runtime，模型列表共享
+- **`.gitignore`**：新增 `.opencode/tools/`（生成物不提交）
+- **`.env.example`**：新增 `MIMO_API_KEY` 占位
 
-- **Preview 健康检查降频**: 后台轮询间隔 15s → 30s；`visibilitychange` 监听，页面不可见时暂停，切回后立即检查一次。
-
-- **⚠️ Breaking — Coding template 部署**: 模板已内置到沙箱镜像，`.env` 中的 `CODING_TEMPLATE_URL` 配置项已移除，初始化脚本也去掉了对应步骤。升级时请同步更新沙箱镜像版本。
-
-- **Provisioning API 重命名** (sandbox 内部): `ensureWorkspace` / `ensureScope` → `ensureSessionRoot(sessionId)` / `ensureWorkspaceFor(sessionId, scopeId?, template)`，语义更清晰；`session/init` 改调 `ensureSessionRoot` 避免误触发 vite 启动。
-
----
-
-## [2.0.0]
+## [0.1.0] - 2026-04-10
 
 ### Added
 
-- **预览沙箱 & Browser 工具栏**: 新建 coding 模式任务后自动冷启动沙箱；右侧预览面板支持浏览器地址栏、刷新/返回/前进、设备尺寸切换；首次加载有骨架屏。
-- **Agent Mode 任务切换**: 任务表单支持选择 `default` / `coding` 模式（单一 `Coding / Default` 药丸按钮）。
-- **CAM 环境策略脚本**: 新增 `packages/server/src/scripts/refresh-policy.ts`，通过 CAM `UpdatePolicy` 把本地 policy 定义刷新到已部署 policyId，免重新 provision（约 1 分钟生效）。
-- **TaskListPanel**: 聊天输入框上方新增可折叠任务进度面板，从 TaskCreate/TaskUpdate 工具调用提取任务列表（状态图标 + subject/activeForm + 进度计数）；TaskCreate/TaskUpdate/TaskList/TaskGet 工具卡片从消息流中隐藏，改为面板展示。
-- **预览新窗口打开**: 编码模式预览工具栏新增 ExternalLink 按钮，点击在新窗口打开预览 URL，方便分享。
-- **Coding mode dev server 改进**: 使用 PTY 启动 dev server；自动 patch vite.config.ts 适配 CloudBase 沙箱预览（`--base=/preview/`, `host 0.0.0.0`, `allowedHosts`）；跳过已有 package.json 但缺 node_modules 的重复 clone。
-- **CAM NoSQL 数据库权限**: `buildUserEnvPolicyStatements` 新增 `tcb:QueryRecords / PutItem / UpdateItem / DeleteItem / CreateTable`（resource `*`）。
-
-### Fixed
-
-- **死循环: confirm-resume 工具调用**（核心）: 用户点击"允许"后 SDK 重复生成新 `callId` 再次触发 canUseTool → deny 的无限循环。综合 3 处修复：
-  1. `restoreAssistantRecord` 按 `record.parts` 原序遍历，不再强制把 text part 放最后。
-  2. `updateToolResult` 新增 `extraMetadata` 参数，自动剥离 SDK deny 标记（`providerData.skipRun / error`）并合并调用方补齐的字段。
-  3. 方案 2 真实 MCP 执行后回填 baseline 等价 metadata（`providerData.{messageId, model, agent, toolResult{content, renderer}}` + 顶层 `sessionId`）。
-     离线仿真 JSONL 与 baseline canonical identical；真机验证 SDK resume 不再重发，进入下一步调用。
-- **AskUserQuestion resume 同步修复**: `askAnswers` 分支的 `updateToolResult` 补全与 toolConfirmation 相同的 providerData/sessionId。
-- **乐观 UI: 允许/拒绝工具后本地即时反馈**: `handleConfirmTool` 在网络 resume 前插入本地 `tool_result`（deny→终态红叉；allow→`status:'executing'` 过渡态保持 Loader2），`apply-session-update` 只对 `'executing'` 占位做替换保证最终一致性。
-- **AgentStatusIndicator 仅在最新 group 渲染**: 补 `isLatestGroup` 约束，避免下一轮对话时"模型响应中..."挂在历史 assistant 消息末尾。
-- **刷新后恢复 InterruptionCard**: 从 DB `tool_result.metadata.status === 'incomplete'` 重建 `toolConfirm`，支持 `input` 为 JSON 字符串或对象两种容错。
-- **confirmTool 后 UI 无反应**: resume 时把本地 `stream-xxx` 消息 id remap 到服务端 `assistantMessageId`，避免后续 SSE 找不到目标 message 而丢帧。
-- **切换 task 交互态残留**: `use-chat-stream` 用 `prevTaskIdRef` 跳过 initial mount 的 reset，防止踩踏 `sendInitialPrompt` 已进入的 `streaming` 状态。
-- **Phase 指示器 & 工具确认卡就地渲染**: `AgentStatusIndicator` 和 `InterruptionCard` 不再固定在输入框上方，改挂到对应 agentMessage 末尾并随滚动。
-- **CAM policy 修复**: `buildUserEnvPolicyStatements` 删除非法 `flexdb:*`，新增 `tcb:CreateFunction / UpdateFunctionCode / GetFunction / InvokeFunction / ListFunctions`（resource `*`），`tcb:CreateFunction` 权限不再缺失。
-- **UI 识别错误清理**: 删除 `task-form.tsx` 中重复的 `isCodingMode / mode` 定义与对象字面量重复 key；`Code` 图标引用改为已导入的 `Code2`；删除 `task-chat.tsx` 中重复的 `isCodingMode`。
-- **Stream event cleanup 竞态**: 先 flush eventBuffer 再 cleanup stream events；cleanup 延迟到 `completeAgent()` 之后 600ms，让 poll loop 先排空剩余事件。
-- **TCR docker login 子账号**: `setup-tcr.mjs` 通过 `STS.GetCallerIdentity` 获取 `callerUin`，子账号 docker login 用 `callerUin` 而非主账号 AppID。
-
-### Changed
-
-- `toolConfirmation` 真实执行从 sandbox 启动**之前**推迟到 sandbox + sandboxMcpClient ready **之后**，避免 sandbox 未就绪时写入占位文本误触发 SDK 重试。
-
----
-
-### Chat-Detail 重构（ACP + UI）
-
-本次重大版本面向 `chat-detail` 交互做系统性升级，借鉴官方 CodeBuddy Code 实现。目标：权限模型 / Plan 模式 / 协议层 / Phase 可视化 / 工具渲染 / Subagent 嵌套。
-
-### P1 · 权限模型升级
-
-- **`PermissionAction` 四值**: `allow` / `allow_always` / `deny` / `reject_and_exit_plan`。
-- **`InterruptionCard`**: 新卡片 UI 替代旧 `ToolConfirmDialog` 弹窗，消息流内渲染，不打断上下文。
-- **`sessionPermissions` 白名单**: 按 sessionId 维护"本会话总是允许"的工具名集合；`canUseTool` 命中白名单直接放行。
-- **双入口协同**: `canUseTool` 与 `PreToolUse hook` 都过白名单，保持行为一致。
-- 文件: `packages/server/src/agent/session-permissions.ts`（新）、`packages/web/src/components/chat/interruption-card.tsx`（新）、`packages/shared/src/types/agent.ts`、`cloudbase-agent.service.ts`、`use-chat-stream.ts`。
-
-### P2 · PlanMode + ExitPlanMode
-
-- **Plan 模式**: 前端传 `permissionMode: 'plan'`，SDK 切入 Plan；除 Read/Glob/Grep/ExitPlanMode 等只读工具外，写操作会被挡住。
-- **`PlanModeCard`**: Rocket 图标 + 三按钮（允许执行 / 继续完善 / 拒绝退出）。
-- **`plan-content.ts`**: 宽松提取器，兼容 `plan` / `allowedPrompts` / `steps` 三种 SDK 输出。
-- **Plan 状态原子**: `planModeAtomFamily`（active / planContent / toolCallId），跨组件共享。
-- 文件: `plan-mode-card.tsx`（新）、`plan-content.ts`（新）、`lib/atoms/plan-mode.ts`（新）、`shared/types/agent.ts`、`acp.ts`、`cloudbase-agent.service.ts`、`routes/acp.ts`、`use-chat-stream.ts`、`interruption-card.tsx`。
-
-### P3 · 协议层独立（AcpClient）
-
-- **`AcpClient` 类**: `initializeSession` / `request` / `notify` / `stream` (AsyncIterable) / `observe` (AsyncIterable) / `cancel`。
-- **`fetch-with-retry`**: 5xx 与网络错误指数退避重试。
-- **纯函数抽离**: `apply-session-update.ts` 从 223 行 switch 剥离；`use-chat-stream.ts` 由 785 行减到 446 行，SSE 解析全部迁到 `AcpClient.stream`。
-- 文件: `lib/acp/acp-client.ts`（新）、`lib/acp/fetch-with-retry.ts`（新）、`lib/acp/index.ts`（新）、`hooks/apply-session-update.ts`（新）、`hooks/use-chat-stream.ts`。
-
-### P4 · Agent Phase 可视化
-
-- **服务端 `emitPhase` helper**: 在 5 处边界发射 `agent_phase` 事件（preparing / model_responding / tool_executing / compacting / idle）。
-- **`AgentStatusIndicator`**: 4 种 phase 配 Rocket / Sparkles / Hammer / Archive 图标；`aria-live="polite"` 支持屏幕阅读器。
-- **Timestamp 乱序防护**: `apply-session-update` 中 `case 'agent_phase'` 比较 ts，后到但时间更早的事件不覆盖。
-- 文件: `agent-status-indicator.tsx`（新）、`cloudbase-agent.service.ts`、`shared/types/agent.ts` + `acp.ts`、`apply-session-update.ts`、`use-chat-stream.ts`、`task-chat.tsx`。
-
-### P6 · 工具渲染注册表
-
-- **`TOOL_RENDERERS` 注册表**: 10 个专属渲染器（Bash / Read / Write / Edit / Grep / Glob / Web / Todo / Task + default），各自提供 Icon、getSummary、renderInput、renderOutput。
-- **Edit 渲染器集成 git-diff-view**: 文件编辑显示 before/after unified diff。
-- **`default.renderer`**: 剥 MCP 外壳（解开 `[{type:'text',text:...}]` 取纯文本），JSON 参数折叠展开。
-- **`ToolCallCard` 接入注册表**: 外部 API 保持不变，调用方（task-chat）零改动。
-- **DEV 预览页**: `/__preview/tool-renderers`，可视化检查所有渲染器效果。
-- 文件: `components/chat/tool-renderers/*`（新 11 个）、`tool-call-card.tsx`、`pages/tool-renderers-preview.tsx`（新 DEV-only）。
-
-### P7 · Subagent 嵌套 UI
-
-- **`SubagentCard`**: 紫色边框容器（`border-purple-500/40`）+ Bot 图标 + 子工具数量徽章，递归渲染支持多层嵌套。
-- **`parent_tool_use_id` 透传**: SDK 顶层 → 5 个服务端 handler → `convertToSessionUpdate` 3 个 case → 前端 `MessagePart.parentToolCallId`。
-- **自引用防御**: Task tool result.parent 指向自身时不再陷入无限嵌套。
-- 文件: `subagent-card.tsx`（新）、`shared/types/agent.ts`、`cloudbase-agent.service.ts`、`types/task-chat.ts`、`apply-session-update.ts`。
-
-### 其它
-
-- **手动回归测试清单**: `docs/manual-test-checklist.md`（新），覆盖 P1-P7 所有典型交互路径。
-- **P5 Checkpoint 回滚**: ⏳ 待开始（依赖服务端 git 集成）。
-
----
-
-## 里程碑
-
-| 里程碑 | 组成         | 状态     |
-| ------ | ------------ | -------- |
-| **M1** | P1 + P2 + P4 | ✅ 完成   |
-| **M2** | P6 + P7      | ✅ 完成   |
-| **M3** | P5           | ⏳ 待开始 |
-
-详细实施计划与文件清单见 [`docs/REFACTOR-PLAN.md`](./docs/REFACTOR-PLAN.md)。
+- OpenCode ACP Runtime 集成（IAgentRuntime 抽象 + 沙箱隔离 + 多轮记忆 + 持久化）
+- 前端 Runtime 选择器 UI
+- human-in-loop 支持（ToolConfirm + AskUserQuestion）
+- 消息持久化与多轮记忆
+- vitest 单元测试（27 个）
diff --git a/packages/web/src/components/task-form.tsx b/packages/web/src/components/task-form.tsx
index 7ed8409..c26a18d 100644
--- a/packages/web/src/components/task-form.tsx
+++ b/packages/web/src/components/task-form.tsx
@@ -129,43 +129,38 @@ export function TaskForm({
   useEffect(() => {
     fetch('/api/agent/runtimes')
       .then((r) => r.json())
-      .then(
-        (data: {
-          default: string
-          runtimes: Array<{ name: string; available: boolean; models: ModelInfo[] }>
-        }) => {
-          const newAgentModels: Record<string, ModelInfo[]> = {}
-          const unavailable = new Set<string>()
-
-          for (const rt of data.runtimes) {
-            if (!rt.available) {
-              // mark all agents that use this runtime as unavailable
-              for (const agent of CODING_AGENTS) {
-                if (agent.runtime === rt.name) unavailable.add(agent.value)
-              }
-            } else if (rt.models.length > 0) {
-              // assign models to every agent that maps to this runtime
-              for (const agent of CODING_AGENTS) {
-                if (agent.runtime === rt.name) newAgentModels[agent.value] = rt.models
-              }
+      .then((data: { default: string; runtimes: Array<{ name: string; available: boolean; models: ModelInfo[] }> }) => {
+        const newAgentModels: Record<string, ModelInfo[]> = {}
+        const unavailable = new Set<string>()
+
+        for (const rt of data.runtimes) {
+          if (!rt.available) {
+            // mark all agents that use this runtime as unavailable
+            for (const agent of CODING_AGENTS) {
+              if (agent.runtime === rt.name) unavailable.add(agent.value)
+            }
+          } else if (rt.models.length > 0) {
+            // assign models to every agent that maps to this runtime
+            for (const agent of CODING_AGENTS) {
+              if (agent.runtime === rt.name) newAgentModels[agent.value] = rt.models
             }
           }
+        }
 
-          setAgentModels((prev) => ({ ...prev, ...newAgentModels }))
-          setUnavailableAgents(unavailable)
-
-          // Set default agent/runtime from server
-          const defaultAgentValue = RUNTIME_TO_AGENT[data.default]
-          if (defaultAgentValue) {
-            setSelectedAgent(defaultAgentValue)
-            setSelectedRuntime(data.default)
-            const defaultModels = newAgentModels[defaultAgentValue]
-            if (defaultModels && defaultModels.length > 0) {
-              setSelectedModel(defaultModels[0].id)
-            }
+        setAgentModels((prev) => ({ ...prev, ...newAgentModels }))
+        setUnavailableAgents(unavailable)
+
+        // Set default agent/runtime from server
+        const defaultAgentValue = RUNTIME_TO_AGENT[data.default]
+        if (defaultAgentValue) {
+          setSelectedAgent(defaultAgentValue)
+          setSelectedRuntime(data.default)
+          const defaultModels = newAgentModels[defaultAgentValue]
+          if (defaultModels && defaultModels.length > 0) {
+            setSelectedModel(defaultModels[0].id)
           }
-        },
-      )
+        }
+      })
       .catch(() => {
         /* silently ignore */
       })

From a87c64cc2001a1f4631c1e7967a6039a884058f8 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Thu, 7 May 2026 00:39:42 +0800
Subject: [PATCH 18/33] feat(multimodal): add image input support across full
 stack

Frontend:
- task-form: image paste (Ctrl+V) + file picker button, thumbnail preview with remove
- task-chat: image paste + file picker in follow-up input; images displayed above text
  in user message cards (outside max-h constraint to avoid overlap)
- use-chat-stream: sendMessage/sendInitialPrompt accept imageBlocks
- Images persisted via sessionStorage when task is created, picked up by task-page-client
  and passed to sendInitialPrompt with initialImages

Server/persistence:
- acp.ts: preserve image blocks from prompt (stop filtering to text-only);
  pass imageBlocks to chatStream; set promptCapabilities.image=true
- cloudbase-agent.service.ts: build SDK ImageContentBlock[] from imageBlocks;
  pass as AsyncIterable<UserMessage> to query() for multimodal API calls
- persistence.service.ts: preSavePendingRecords stores image_inline base64 in
  contentBlocks for immediate display; syncMessages() later overwrites with real
  image_blob_ref from SDK JSONL (no local blob write needed)
- tasks.ts: messages endpoint reads both image_blob_ref (local file) and
  image_inline (base64 in DB) from contentBlocks; returns image parts to frontend
  so page refresh shows images

Types:
- MessagePart: add image type { data, mimeType }
- AgentOptions: add imageBlocks
- AcpImageBlock already existed in shared types
---
 .../src/agent/cloudbase-agent.service.ts      | 575 ++------------
 .../server/src/agent/persistence.service.ts   |  28 +-
 .../server/src/agent/runtime/base-runtime.ts  | 723 ++++++++++++++++++
 .../src/agent/runtime/codebuddy-runtime.ts    |  39 +
 packages/server/src/agent/runtime/index.ts    |  12 +-
 .../src/agent/runtime/opencode-acp-runtime.ts |  99 ++-
 packages/server/src/agent/runtime/registry.ts |  26 +-
 .../src/agent/runtime/tencent-sdk-runtime.ts  |  35 -
 packages/server/src/agent/runtime/types.ts    |   4 +-
 packages/server/src/routes/acp.ts             |  13 +-
 packages/server/src/routes/tasks.ts           |  74 +-
 .../server/src/sandbox/sandbox-mcp-proxy.ts   | 373 ++++-----
 packages/shared/src/types/agent.ts            |   2 +
 .../web/src/components/home-page-content.tsx  |   5 +
 packages/web/src/components/task-chat.tsx     | 109 ++-
 packages/web/src/components/task-details.tsx  |   6 +-
 packages/web/src/components/task-form.tsx     | 100 ++-
 .../web/src/components/task-page-client.tsx   |  14 +-
 packages/web/src/hooks/use-chat-stream.ts     |  32 +-
 packages/web/src/types/task-chat.ts           |   1 +
 20 files changed, 1371 insertions(+), 899 deletions(-)
 create mode 100644 packages/server/src/agent/runtime/base-runtime.ts
 create mode 100644 packages/server/src/agent/runtime/codebuddy-runtime.ts
 delete mode 100644 packages/server/src/agent/runtime/tencent-sdk-runtime.ts

diff --git a/packages/server/src/agent/cloudbase-agent.service.ts b/packages/server/src/agent/cloudbase-agent.service.ts
index 52de6c4..6978746 100644
--- a/packages/server/src/agent/cloudbase-agent.service.ts
+++ b/packages/server/src/agent/cloudbase-agent.service.ts
@@ -17,7 +17,6 @@ import { archiveToGit } from '../sandbox/git-archive.js'
 import { getCodingSystemPrompt } from './coding-mode.js'
 import { getDb } from '../db/index.js'
 import { resolveSandboxConfig, backfillSandboxConfig } from '../lib/sandbox-config.js'
-import { nanoid } from 'nanoid'
 import { decrypt } from '../lib/crypto.js'
 import { encryptJWE } from '../lib/session.js'
 import type { AgentCallbackMessage, AgentOptions, CodeBuddyMessage, ExtendedSessionUpdate } from '@coder/shared'
@@ -31,8 +30,6 @@ const DEFAULT_MODEL = 'glm-5.1'
 const OAUTH_TOKEN_ENDPOINT = 'https://copilot.tencent.com/oauth2/token'
 const CONNECT_TIMEOUT_MS = 60_000
 const ITERATION_TIMEOUT_MS = 2 * 60 * 1000
-const HEALTH_MAX_RETRIES = 20
-const HEALTH_INTERVAL_MS = 2000
 
 // ─── Supported Models Cache ───────────────────────────────────────────────
 
@@ -89,133 +86,16 @@ export async function getSupportedModels(): Promise<ModelInfo[]> {
   return cachedModels
 }
 
-// ─── Sandbox Helpers ──────────────────────────────────────────────────────
-
-/**
- * 等待沙箱健康检查就绪（轮询 /health）
- */
-async function waitForSandboxHealth(
-  sandbox: SandboxInstance,
-  _callback: AgentCallback,
-  onProgress?: SandboxProgressCallback,
-): Promise<boolean> {
-  onProgress?.({ phase: 'wait_ready', message: '等待沙箱就绪...\n' })
-  for (let i = 0; i < HEALTH_MAX_RETRIES; i++) {
-    try {
-      const res = await sandbox.request('/health', {
-        signal: AbortSignal.timeout(4000),
-      })
-      if (res.ok) {
-        console.log('[Agent] Sandbox health check passed')
-        return true
-      }
-    } catch {
-      // 继续轮询
-    }
-    await new Promise((r) => setTimeout(r, HEALTH_INTERVAL_MS))
-  }
-  return false
-}
-
-/**
- * 初始化沙箱工作空间：POST /api/session/init 注入凭证和环境变量
- * 然后创建会话工作目录
- * 返回容器内的工作目录路径（可能为 undefined）
- */
-async function initSandboxWorkspace(
-  sandbox: SandboxInstance,
-  secret: { envId: string; secretId: string; secretKey: string; token?: string },
-  conversationId: string,
-  preferredCwd?: string,
-  onProgress?: SandboxProgressCallback,
-): Promise<{ workspace: string; vitePort?: number }> {
-  const fallbackWorkspace = preferredCwd || `/tmp/workspace/${secret.envId}/${conversationId}`
-
-  onProgress?.({ phase: 'init_mcp', message: '初始化工作空间...\n' })
-
-  // Fire session/init in background — injects credentials into the sandbox session.
-  // The actual workspace + vite initialisation is triggered lazily by /api/scope/info
-  // with X-Scope-Template: coding, but we still need credential injection first.
-  sandbox
-    .request('/api/session/init', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
-        env: {
-          CLOUDBASE_ENV_ID: secret.envId,
-          TENCENTCLOUD_SECRETID: secret.secretId,
-          TENCENTCLOUD_SECRETKEY: secret.secretKey,
-          ...(secret.token ? { TENCENTCLOUD_SESSIONTOKEN: secret.token } : {}),
-        },
-      }),
-      signal: AbortSignal.timeout(300_000),
-    })
-    .then((res) => {
-      if (res.ok) {
-        console.log('[Agent] session/init completed successfully')
-      } else {
-        console.warn('[Agent] session/init returned status:', res.status)
-      }
-    })
-    .catch((e) => {
-      console.warn('[Agent] session/init background error:', (e as Error).message)
-    })
-
-  // Poll /api/scope/info to get the workspace path (and vitePort if coding mode).
-  // Scope headers (X-Scope-Id, X-Scope-Template) are injected automatically by sandbox.request().
-  // The first request with X-Scope-Template: coding triggers template init + vite dev server.
-  const maxWaitMs = 120_000
-  const pollInterval = 2000
-  const startTime = Date.now()
-
-  while (Date.now() - startTime < maxWaitMs) {
-    try {
-      const res = await sandbox.request('/api/scope/info', {
-        signal: AbortSignal.timeout(10_000),
-      })
-      if (res.ok) {
-        const data = (await res.json()) as {
-          success?: boolean
-          workspace?: string
-          vitePort?: number | null
-        }
-        if (data.success && data.workspace) {
-          console.log(
-            `[Agent] initSandboxWorkspace ready via scope/info, workspace: ${data.workspace}, vitePort: ${data.vitePort}`,
-          )
-          onProgress?.({ phase: 'ready', message: '沙箱已就绪\n' })
-          return { workspace: data.workspace, vitePort: data.vitePort ?? undefined }
-        }
-      }
-    } catch {
-      // scope/info not available yet, sandbox may still be starting
-    }
-    await new Promise((r) => setTimeout(r, pollInterval))
-  }
-
-  // Timeout fallback: return the computed workspace path so the agent can continue
-  console.warn(`[Agent] initSandboxWorkspace timeout after ${maxWaitMs / 1000}s, returning fallback workspace`)
-  return { workspace: fallbackWorkspace }
-}
-
-/**
- * 需要用户确认的写操作 MCP 工具集合。
- * canUseTool 中对这些工具发起 interrupt，等待客户端确认后再执行。
- * 可通过 bypassToolConfirmation=true 跳过确认。
- */
-const WRITE_TOOLS = new Set([
-  // 数据库写操作（4 个）
-  'writeNoSqlDatabaseStructure', // 修改 NoSQL 数据库结构
-  'writeNoSqlDatabaseContent', // 修改 NoSQL 数据库内容
-  'executeWriteSQL', // 执行写入 SQL
-  'modifyDataModel', // 修改数据模型
-
-  // 云函数写操作（4 个）
-  'createFunction', // 创建云函数
-  'updateFunctionCode', // 更新云函数代码
-  'updateFunctionConfig', // 更新云函数配置
-  'invokeFunction', // 调用云函数
-])
+// ─── Sandbox & Prompt Helpers (imported from base-runtime) ───────────────
+// 集中在 base-runtime.ts 维护，所有 runtime 共用。
+import {
+  waitForSandboxHealth,
+  initSandboxWorkspace,
+  WRITE_TOOLS,
+  buildAppendPrompt,
+  getPublishableKey,
+  persistDeploymentFromArtifact,
+} from './runtime/base-runtime.js'
 
 // ─── Types ─────────────────────────────────────────────────────────────────
 
@@ -330,145 +210,6 @@ function getBundledSkillsDir(): string {
   return existsSync(prodPath) ? prodPath : devPath
 }
 
-// ─── System Prompt Builder ─────────────────────────────────────────────────
-
-/**
- * 获取 CloudBase 前端 SDK 的 publishableKey（公开密钥）
- * 使用系统大密钥（TCB_SECRET_ID/TCB_SECRET_KEY）调用 tcb:CreateApiKey 获取
- * KeyType=publish_key 会返回已存在的 key 或创建新的
- * 结果按 envId 缓存，避免重复调用
- */
-const publishableKeyCache = new Map<string, string>()
-
-async function getPublishableKey(envId: string): Promise<string> {
-  if (publishableKeyCache.has(envId)) return publishableKeyCache.get(envId)!
-
-  const secretId = process.env.TCB_SECRET_ID
-  const secretKey = process.env.TCB_SECRET_KEY
-  if (!secretId || !secretKey || !envId) return ''
-  try {
-    const CloudBase = (await import('@cloudbase/manager-node')).default
-    const manager = new CloudBase({
-      secretId,
-      secretKey,
-      envId,
-      proxy: process.env.http_proxy,
-    })
-    const result = await manager.commonService('tcb', '2018-06-08').call({
-      Action: 'CreateApiKey',
-      Param: { EnvId: envId, KeyType: 'publish_key' },
-    })
-    const apiKey = result?.ApiKey || result?.Response?.ApiKey || ''
-    if (apiKey) {
-      publishableKeyCache.set(envId, apiKey)
-      console.log('[Agent] Got publishableKey for env:', envId)
-    }
-    return apiKey
-  } catch (e) {
-    console.warn('[Agent] Failed to get publishableKey:', (e as Error).message)
-    return ''
-  }
-}
-
-function buildAppendPrompt(
-  sandboxCwd?: string,
-  conversationId?: string,
-  envId?: string,
-  sandboxMode?: 'shared' | 'isolated',
-  isCodingMode?: boolean,
-): string {
-  // Coding mode already has getCodingSystemPrompt() which strongly anchors the
-  // assistant as "a coder working in a React/Vite project". We should NOT
-  // inject the "task classification" guideline in that case — it would create
-  // ambiguity (user is in a code project, they want a page, not text).
-  //
-  // Default mode is the opposite: the assistant is generic and the user may
-  // want pure conversation (文案/翻译/聊天). Without the classification
-  // guideline, the assistant tends to escalate every request into
-  // "write files and deploy", which was the bug reported by the user.
-  const roleLine = isCodingMode
-    ? '你是一个通用 AI 编程助手，同时具备腾讯云开发（CloudBase）能力。'
-    : '你是一个通用 AI 助手，同时具备腾讯云开发（CloudBase）能力，可按需通过工具操作云函数、数据库、存储、云托管等资源。'
-
-  const taskClassificationSection = isCodingMode
-    ? ''
-    : `
-<task-classification priority="highest">
-收到任务后，先判断类型再决定是否使用工具：
-
-1) **对话/创作/咨询类**（写文案、写文章、翻译、起名、解释概念、讨论观点、情绪陪伴、海报/帖子**文本**、小红书/朋友圈文案、社交媒体内容等）
-   → 直接在对话中以**文本/Markdown**形式输出，**不要**写文件、不要部署、不要调用开发相关工具。
-   → 即使用户说"帮我做一个 XX 应援贴/海报/宣传文案"，默认先理解为"输出文案"，除非用户明确要求"做一个页面/网站/应用"。
-   → **例外**：如果用户明确说"生成一张图""帮我画一张 XX 图片""做一张海报图片"，使用 ImageGen 工具生成图片。
-
-2) **编程/工程类**（修改代码、调试、构建应用、部署服务、配置云资源、运维操作）
-   → 使用工具完成任务：读文件、写文件、执行命令、部署、调用云开发 MCP 等。
-
-3) **自动化/定时类**（"每天…"、"每周…"、"定期…"）
-   → 使用 cronTask 工具管理定时任务（见下面 cron-task 章节）。
-
-**不确定时优先问用户**："你希望我直接写文案给你，还是做一个可访问的网页？"，不要擅自升级为 2)。
-</task-classification>
-`
-
-  const base = `<role>
-${roleLine}
-默认使用中文与用户沟通；删除等破坏性操作需确认用户意图。
-</role>
-${taskClassificationSection}
-<cloudbase-guideline>
-- 当前云开发环境为 ${envId || '(未指定)'}，必要时可通过 cloudbase MCP 工具操作。
-- **仅当用户明确要求部署、开发应用、操作数据库、上传文件等**，才使用云开发工具。纯文案/咨询不涉及此。
-- 部署云函数使用 manageFunctions 工具；上传文件到静态托管使用 cloudbase_uploadFiles 工具。
-</cloudbase-guideline>
-
-<bash-usage>
-对于耗时较长的命令（如 npm install、yarn install、大型项目构建等），如果执行超时：
-1. 改为后台执行, 添加 run_in_background，可以获取 pid
-2. 定期检查进程状态：ps aux | grep '<关键词>' | grep -v grep
-3. 通过 BashOutput 结合 pid 查看输出结果
-4. 也可以通过 KillShell 关闭后台执行的任务
-</bash-usage>
-
-<cron-task-usage>
-当用户提到定时执行、定期运行、每天/每周/每小时执行某操作等需求时，必须使用 cronTask 工具来管理定时任务。
-- 创建：action="create"，需要 name、prompt、cronExpression
-- 查询：action="list"，查看当前所有定时任务
-- 更新：action="update"，通过 id 修改已有任务（可改 prompt、cronExpression、enabled 等）
-- 删除：action="delete"，通过 id 删除任务
-Cron 表达式格式：分 时 日 月 周，例如 "0 20 * * *" 表示每天 20:00。
-</cron-task-usage>
-
-<tools-extra-info>
-- **ImageGen** — AI 图片生成。Usage: 用户明确要求生成/绘制图片时（"帮我画一张…""生成一张…的图""做一张海报图片"）。生成的图片会同时保存到工作区和静态托管，返回可公开访问的 CDN 链接。
-- **ImageEdit** — AI 图片编辑。Usage: 用户提供一张已有图片，要求修改风格、添加元素、局部重绘等。
-</tools-extra-info>`
-
-  if (sandboxCwd) {
-    const homeDir = sandboxMode === 'isolated' ? sandboxCwd : sandboxCwd.substring(0, sandboxCwd.lastIndexOf('/'))
-    // In default mode, gate the sandbox section with a reminder so pure
-    // chat/creation tasks don't drift into file-writing behavior. In coding
-    // mode the getCodingSystemPrompt already establishes the context so no
-    // gating is needed.
-    const sandboxPreamble = isCodingMode
-      ? ''
-      : '（以下仅在你已判定任务属于"编程/工程类"、决定动手写文件或执行命令时适用；对话/创作类任务请忽略本节。）\n'
-    return `${base}
-
-<sandbox-context>
-${sandboxPreamble}工具默认在 Home: ${homeDir} 下执行
-为项目开辟工作目录为: ${sandboxCwd}
-使用的云开发环境为: ${envId}
-请注意：
-- 所有文件读写、终端命令都应在工作目录中执行，注意 cd 到工作目录操作。
-- 使用 cloudbase_uploadFiles 部署文件时，localPath 必须是容器内的**绝对路径**（即当前工作目录 ${sandboxCwd} 下的路径），例如 ${sandboxCwd}/index.html
-- 如用户没有特别要求，cloudPath 需要为 ${conversationId}，即在当前会话路径下
-- 不要使用相对路径给 cloudbase_uploadFiles
-</sandbox-context>`
-  }
-  return base
-}
-
 // ─── CloudbaseAgentService ─────────────────────────────────────────────────
 
 export class CloudbaseAgentService {
@@ -652,6 +393,7 @@ export class CloudbaseAgentService {
       model,
       mode,
       permissionMode: requestedPermissionMode,
+      imageBlocks,
     } = options
     const modelId = model || DEFAULT_MODEL
     const isCodingMode = mode === 'coding'
@@ -837,7 +579,7 @@ export class CloudbaseAgentService {
 
       // 2. Persist deployment records (side-effect, fire-and-forget)
       if (msg.type === 'artifact' && msg.artifact) {
-        this.persistDeploymentFromArtifact(conversationId, msg.artifact).catch((err) => {
+        persistDeploymentFromArtifact(conversationId, msg.artifact).catch((err) => {
           console.error('Failed to persist deployment:', err)
         })
       }
@@ -929,7 +671,7 @@ export class CloudbaseAgentService {
         }
 
         // ── 健康检查：等待沙箱就绪 ──────────────────────────────────
-        const sandboxReady = await waitForSandboxHealth(sandboxInstance, wrappedCallback, sandboxProgressBridge)
+        const sandboxReady = await waitForSandboxHealth(sandboxInstance, sandboxProgressBridge)
         if (!sandboxReady) {
           wrappedCallback({ type: 'text', content: '沙箱启动超时，将使用受限模式继续对话。\n\n' })
           sandboxInstance = null
@@ -1191,6 +933,7 @@ export class CloudbaseAgentService {
         prevRecordId: lastRecordId,
         assistantRecordId: assistantMessageId,
         lastAssistantRecordId,
+        imageBlocks: imageBlocks?.length ? imageBlocks : undefined,
       })
       preSavedUserRecordId = preSaved.userRecordId
     }
@@ -1275,8 +1018,38 @@ export class CloudbaseAgentService {
 
       // 构建 query 参数 - 和 tcb-headless-service buildQueryOptions 一致
       // 注意: cwd 必须是本地路径, 即使沙箱启用. 沙箱只提供 MCP 工具, agent 进程在本地运行.
+
+      // 多模态 prompt：有图片时构建 ContentBlock[] 作为 UserMessage，否则直接用字符串
+      let queryPrompt: string | any
+      if (imageBlocks && imageBlocks.length > 0) {
+        // SDK ImageContentBlock 格式: { type:'image', source:{ type:'base64', media_type, data } }
+        const contentBlocks: any[] = imageBlocks.map((img) => ({
+          type: 'image',
+          source: {
+            type: 'base64',
+            media_type: img.mimeType as 'image/jpeg' | 'image/png' | 'image/gif' | 'image/webp',
+            data: img.data,
+          },
+        }))
+        if (prompt.trim()) {
+          contentBlocks.push({ type: 'text', text: prompt })
+        }
+        // Wrap as AsyncIterable<UserMessage>
+        const userMsg = {
+          type: 'user' as const,
+          session_id: conversationId,
+          message: { role: 'user' as const, content: contentBlocks },
+          parent_tool_use_id: null,
+        }
+        queryPrompt = (async function* () {
+          yield userMsg
+        })()
+      } else {
+        queryPrompt = prompt
+      }
+
       const queryArgs = {
-        prompt,
+        prompt: queryPrompt,
         options: {
           model: modelId,
           permissionMode: sdkPermissionMode,
@@ -1802,114 +1575,6 @@ export class CloudbaseAgentService {
     }
   }
 
-  // ─── Deployment Persistence ────────────────────────────────────────
-
-  private async persistDeploymentFromArtifact(
-    taskId: string,
-    artifact: NonNullable<AgentCallbackMessage['artifact']>,
-  ): Promise<void> {
-    const now = Date.now()
-    const meta = artifact.metadata || {}
-    const deploymentType = (meta.deploymentType as string) || (artifact.contentType === 'link' ? 'web' : 'miniprogram')
-    const metadataJson = Object.keys(meta).length > 0 ? JSON.stringify(meta) : null
-
-    if (deploymentType === 'miniprogram') {
-      const qrCodeUrl = artifact.contentType === 'image' ? artifact.data : (meta.qrCodeUrl as string) || null
-      const pagePath = (meta.pagePath as string) || null
-      const appId = (meta.appId as string) || null
-      const label = artifact.title || null
-
-      const existing = await getDb().deployments.findByTaskIdAndTypePath(taskId, 'miniprogram', null)
-
-      if (existing) {
-        await getDb().deployments.update(existing.id, {
-          qrCodeUrl: qrCodeUrl || existing.qrCodeUrl,
-          pagePath: pagePath || existing.pagePath,
-          appId: appId || existing.appId,
-          label: label || existing.label,
-          metadata: metadataJson || existing.metadata,
-          updatedAt: now,
-        })
-      } else {
-        await getDb().deployments.create({
-          id: nanoid(12),
-          taskId,
-          type: 'miniprogram',
-          url: null,
-          path: null,
-          qrCodeUrl,
-          pagePath,
-          appId,
-          label,
-          metadata: metadataJson,
-          createdAt: now,
-          updatedAt: now,
-        })
-      }
-    } else if (artifact.contentType === 'link' && artifact.data) {
-      const url = artifact.data
-      let urlPath: string | null = null
-      try {
-        const urlObj = new URL(url)
-        // Normalize path: strip trailing index.html and trailing slash for dedup
-        urlPath = urlObj.pathname.replace(/\/index\.html$/, '/').replace(/\/+$/, '') || '/'
-      } catch {
-        /* ignore */
-      }
-
-      if (urlPath) {
-        const existing = await getDb().deployments.findByTaskIdAndTypePath(taskId, 'web', urlPath)
-
-        if (existing) {
-          await getDb().deployments.update(existing.id, {
-            url,
-            label: artifact.title || existing.label,
-            metadata: metadataJson || existing.metadata,
-            updatedAt: now,
-          })
-        } else {
-          await getDb().deployments.create({
-            id: nanoid(12),
-            taskId,
-            type: 'web',
-            url,
-            path: urlPath,
-            qrCodeUrl: null,
-            pagePath: null,
-            appId: null,
-            label: artifact.title || null,
-            metadata: metadataJson,
-            createdAt: now,
-            updatedAt: now,
-          })
-        }
-      }
-
-      // Also update legacy previewUrl for backward compatibility
-      try {
-        await getDb().tasks.update(taskId, { previewUrl: url })
-      } catch {
-        // Non-critical
-      }
-    } else {
-      // Other artifact types (json, image without miniprogram context, etc.)
-      await getDb().deployments.create({
-        id: nanoid(12),
-        taskId,
-        type: deploymentType as 'web' | 'miniprogram',
-        url: artifact.contentType === 'link' ? artifact.data : null,
-        path: null,
-        qrCodeUrl: artifact.contentType === 'image' ? artifact.data : null,
-        pagePath: null,
-        appId: null,
-        label: artifact.title || null,
-        metadata: metadataJson,
-        createdAt: now,
-        updatedAt: now,
-      })
-    }
-  }
-
   // ─── Stream Event Handlers ──────────────────────────────────────────
 
   private handleStreamEvent(
@@ -2038,12 +1703,6 @@ export class CloudbaseAgentService {
             ? block.content
             : null
 
-      // 检测 uploadFiles 结果，提取 CloudBase 部署 URL
-      this.tryExtractDeployUrl(block.tool_use_id, rawText, tracker, callback)
-
-      // 检测 publishMiniprogram 结果，提取预览二维码
-      this.tryExtractQrcode(block.tool_use_id, rawText, tracker, callback)
-
       let processedContent = block.content
       if (Array.isArray(block.content) && block.content.length > 0) {
         const firstBlock = block.content[0]
@@ -2068,150 +1727,6 @@ export class CloudbaseAgentService {
     }
   }
 
-  /**
-   * 尝试从 uploadFiles 工具结果中提取 CloudBase 静态托管部署 URL
-   * 结果包含 accessUrl 或 staticDomain 则触发 artifact callback
-   */
-  private tryExtractDeployUrl(
-    toolUseId: string,
-    rawText: string | null,
-    tracker: ToolCallTracker,
-    callback: AgentCallback,
-  ): void {
-    const toolInfo = tracker.pendingToolCalls.get(toolUseId)
-    const toolName = toolInfo?.name || ''
-    if (!toolName.includes('uploadFiles') && !toolName.includes('cloudbase_uploadFiles')) return
-    if (!rawText) return
-
-    try {
-      let localPath: string | undefined
-      const inputJson = tracker.toolInputJsonBuffers.get(toolUseId)
-      if (inputJson) {
-        try {
-          localPath = JSON.parse(inputJson)?.localPath
-        } catch {
-          /* ignore */
-        }
-      }
-      if (!localPath) localPath = (toolInfo?.input as Record<string, unknown>)?.localPath as string | undefined
-
-      const isFile = localPath ? /\.[a-zA-Z0-9]+$/.test(localPath.replace(/\/+$/, '').split('/').pop() || '') : false
-      const deployUrl = CloudbaseAgentService.extractDeployUrl(rawText, isFile)
-      if (deployUrl) {
-        callback({
-          type: 'artifact',
-          artifact: {
-            title: 'Web 应用已部署',
-            contentType: 'link',
-            data: deployUrl,
-            metadata: { deploymentType: 'web' },
-          },
-        })
-      }
-    } catch {
-      // 提取失败不影响主流程
-    }
-  }
-
-  /**
-   * 从 uploadFiles 工具结果 JSON 中递归提取 CloudBase 部署 URL
-   * 支持 accessUrl / staticDomain 字段，最多递归 5 层
-   */
-  private static extractDeployUrl(rawText: string, isFile = false, depth = 0): string | null {
-    if (depth > 5) return null
-    try {
-      const parsed = JSON.parse(rawText)
-
-      if (Array.isArray(parsed)) {
-        const firstText = parsed[0]?.text
-        if (typeof firstText === 'string') {
-          return CloudbaseAgentService.extractDeployUrl(firstText, isFile, depth + 1)
-        }
-        return null
-      }
-
-      if (typeof parsed !== 'object' || parsed === null) return null
-
-      if (parsed.accessUrl) {
-        const url = new URL(parsed.accessUrl)
-        if (!isFile && url.pathname !== '/' && !url.pathname.endsWith('/')) {
-          url.pathname += '/'
-        }
-        if (!url.searchParams.get('t')) {
-          url.searchParams.set('t', String(Date.now()))
-        }
-        return url.toString()
-      }
-      if (parsed.staticDomain) return `https://${parsed.staticDomain}/?t=${Date.now()}`
-
-      const innerText = parsed?.res?.content?.[0]?.text || parsed?.content?.[0]?.text
-      if (typeof innerText === 'string') {
-        return CloudbaseAgentService.extractDeployUrl(innerText, isFile, depth + 1)
-      }
-    } catch {
-      // JSON parse 失败，忽略
-    }
-    return null
-  }
-
-  /**
-   * 尝试从 publishMiniprogram 工具结果中提取小程序预览二维码
-   * 成功则触发 artifact callback
-   */
-  private tryExtractQrcode(
-    toolUseId: string,
-    rawText: string | null,
-    tracker: ToolCallTracker,
-    callback: AgentCallback,
-  ): void {
-    const toolInfo = tracker.pendingToolCalls.get(toolUseId)
-    const toolName = toolInfo?.name || ''
-    if (!toolName.includes('publishMiniprogram') && !toolName.includes('Miniprogram')) return
-    if (!rawText) return
-
-    try {
-      let parsedResult: any = null
-      try {
-        parsedResult = JSON.parse(rawText)
-      } catch {
-        return
-      }
-
-      const action = parsedResult?.action || (toolInfo?.input as any)?.action
-
-      // 小程序预览二维码
-      if (parsedResult?.result?.qrcode) {
-        const qrcode = `data:${parsedResult?.result?.qrcode?.mimeType || 'image/png'};base64,${parsedResult?.result?.qrcode?.base64}`
-        callback({
-          type: 'artifact',
-          artifact: {
-            title: '小程序预览二维码',
-            description: '使用微信扫码预览小程序',
-            contentType: 'image',
-            data: qrcode,
-            metadata: parsedResult,
-          },
-        })
-        return
-      }
-
-      // 上传成功但无二维码
-      if (parsedResult?.success && action === 'upload') {
-        callback({
-          type: 'artifact',
-          artifact: {
-            title: '小程序上传成功',
-            description: '代码已上传到微信后台，可前往微信公众平台提交审核',
-            contentType: 'json',
-            data: JSON.stringify(parsedResult),
-          },
-        })
-      }
-    } catch {
-      // 提取失败不影响主流程
-    }
-  }
-
   private handleToolNotFoundErrors(msg: any, tracker: ToolCallTracker, callback: AgentCallback): void {
     if (!msg.message?.content) return
     for (const block of msg.message.content) {
diff --git a/packages/server/src/agent/persistence.service.ts b/packages/server/src/agent/persistence.service.ts
index ca37748..07b3165 100644
--- a/packages/server/src/agent/persistence.service.ts
+++ b/packages/server/src/agent/persistence.service.ts
@@ -850,26 +850,32 @@ export class PersistenceService {
     assistantRecordId?: string
     /** 上一条 assistant record 的 recordId，用于写入 user message metadata 的 parentId */
     lastAssistantRecordId?: string | null
+    /** 图片附件 — 保存到 user record parts，用于历史恢复和消息展示 */
+    imageBlocks?: Array<{ data: string; mimeType: string }>
   }): Promise<{ userRecordId: string; assistantRecordId: string }> {
-    const { conversationId, envId, userId, prompt, prevRecordId } = params
+    const { conversationId, envId, userId, prompt, prevRecordId, imageBlocks } = params
     const assistantRecordId = params.assistantRecordId || uuidv4()
     const userRecordId = uuidv4()
 
+    // Pre-save: only store the text prompt as a pending placeholder.
+    // If images are present, we intentionally skip them here — syncMessages()
+    // will call replacePartsInRecord() with the real SDK JSONL data (which
+    // includes proper image_blob_ref blocks) once the agent completes.
+    const baseMetadata: Record<string, unknown> = {
+      id: userRecordId,
+      type: 'message',
+      role: 'user',
+      sessionId: conversationId,
+      timestamp: Date.now(),
+      ...(params.lastAssistantRecordId ? { parentId: params.lastAssistantRecordId } : {}),
+    }
+
     const userParts: UnifiedMessagePart[] = [
       {
         partId: uuidv4(),
         contentType: 'text',
         content: prompt,
-        metadata: {
-          id: userRecordId,
-          type: 'message',
-          role: 'user',
-          sessionId: conversationId,
-          timestamp: Date.now(),
-          // parentId: 指向上一条 assistant 消息，确保 JSONL 树的连续性
-          // 即使 cancel 导致 SDK 没写真正的 JSONL，树也不会断裂
-          ...(params.lastAssistantRecordId ? { parentId: params.lastAssistantRecordId } : {}),
-        },
+        metadata: baseMetadata,
       },
     ]
 
diff --git a/packages/server/src/agent/runtime/base-runtime.ts b/packages/server/src/agent/runtime/base-runtime.ts
new file mode 100644
index 0000000..3890519
--- /dev/null
+++ b/packages/server/src/agent/runtime/base-runtime.ts
@@ -0,0 +1,723 @@
+/**
+ * BaseAgentRuntime
+ *
+ * 抽象基类：提供所有 runtime 共享的基础设施：
+ * - 沙箱生命周期（SCF 创建 + 健康检查 + workspace init）
+ * - MCP Server（sandbox-mcp-proxy）
+ * - System Prompt（buildAppendPrompt + getCodingSystemPrompt）
+ * - PublishableKey 获取
+ *
+ * 子类只需实现 `runAgent(ctx, prompt, options)` —— 具体 agent 驱动逻辑。
+ *
+ * 使用模板方法模式：chatStream() 编排公共流程，调 runAgent() 做子类特定工作。
+ * 但目前 CodeBuddyRuntime 因历史原因仍直接委托到 cloudbase-agent.service.ts，
+ * 仅 OpencodeAcpRuntime 使用基类提供的 sandbox/MCP/systemPrompt 设施。
+ * 未来 CodeBuddyRuntime 迁移后可直接在 runAgent 中使用。
+ */
+
+import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
+import type { ChatStreamResult, IAgentRuntime } from './types.js'
+import type { ModelInfo } from '../cloudbase-agent.service.js'
+import {
+  scfSandboxManager,
+  type SandboxInstance,
+  type SandboxProgressCallback,
+} from '../../sandbox/scf-sandbox-manager.js'
+import { createSandboxMcpClient, type SandboxMcpDeps } from '../../sandbox/sandbox-mcp-proxy.js'
+import { getDb } from '../../db/index.js'
+import { resolveSandboxConfig, backfillSandboxConfig } from '../../lib/sandbox-config.js'
+import { getCodingSystemPrompt } from '../coding-mode.js'
+import { decrypt } from '../../lib/crypto.js'
+import { encryptJWE } from '../../lib/session.js'
+import { sessionPermissions } from '../session-permissions.js'
+
+// ─── Constants ─────────────────────────────────────────────────────────────
+
+const HEALTH_MAX_RETRIES = 20
+const HEALTH_INTERVAL_MS = 2000
+
+/**
+ * 需要用户确认的写操作工具集合。
+ * 所有 runtime 共享此白名单（TencentSdk 的 canUseTool + OpenCode 的 requestPermission）。
+ */
+export const WRITE_TOOLS = new Set([
+  'writeNoSqlDatabaseStructure',
+  'writeNoSqlDatabaseContent',
+  'executeWriteSQL',
+  'modifyDataModel',
+  'createFunction',
+  'updateFunctionCode',
+  'updateFunctionConfig',
+  'invokeFunction',
+])
+
+// ─── Shared Helpers ────────────────────────────────────────────────────────
+
+/**
+ * 等待沙箱健康检查就绪（轮询 /health）
+ */
+export async function waitForSandboxHealth(
+  sandbox: SandboxInstance,
+  onProgress?: SandboxProgressCallback,
+): Promise<boolean> {
+  onProgress?.({ phase: 'wait_ready', message: '等待沙箱就绪...\n' })
+  for (let i = 0; i < HEALTH_MAX_RETRIES; i++) {
+    try {
+      const res = await sandbox.request('/health', {
+        signal: AbortSignal.timeout(4000),
+      })
+      if (res.ok) {
+        return true
+      }
+    } catch {
+      // 继续轮询
+    }
+    await new Promise((r) => setTimeout(r, HEALTH_INTERVAL_MS))
+  }
+  return false
+}
+
+/**
+ * 初始化沙箱工作空间：POST /api/session/init 注入凭证和环境变量
+ * 然后 poll /api/scope/info 获取工作目录
+ */
+export async function initSandboxWorkspace(
+  sandbox: SandboxInstance,
+  secret: { envId: string; secretId: string; secretKey: string; token?: string },
+  conversationId: string,
+  preferredCwd?: string,
+  onProgress?: SandboxProgressCallback,
+): Promise<{ workspace: string; vitePort?: number }> {
+  const fallbackWorkspace = preferredCwd || `/tmp/workspace/${secret.envId}/${conversationId}`
+
+  onProgress?.({ phase: 'init_mcp', message: '初始化工作空间...\n' })
+
+  // Fire session/init in background — injects credentials into the sandbox session.
+  sandbox
+    .request('/api/session/init', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        env: {
+          CLOUDBASE_ENV_ID: secret.envId,
+          TENCENTCLOUD_SECRETID: secret.secretId,
+          TENCENTCLOUD_SECRETKEY: secret.secretKey,
+          ...(secret.token ? { TENCENTCLOUD_SESSIONTOKEN: secret.token } : {}),
+        },
+      }),
+      signal: AbortSignal.timeout(300_000),
+    })
+    .then((res) => {
+      if (!res.ok) {
+        console.warn('[BaseRuntime] session/init returned status:', res.status)
+      }
+    })
+    .catch((e) => {
+      console.warn('[BaseRuntime] session/init background error:', (e as Error).message)
+    })
+
+  // Poll /api/scope/info to get the workspace path
+  const maxWaitMs = 120_000
+  const pollInterval = 2000
+  const startTime = Date.now()
+
+  while (Date.now() - startTime < maxWaitMs) {
+    try {
+      const res = await sandbox.request('/api/scope/info', {
+        signal: AbortSignal.timeout(10_000),
+      })
+      if (res.ok) {
+        const data = (await res.json()) as {
+          success?: boolean
+          workspace?: string
+          vitePort?: number | null
+        }
+        if (data.success && data.workspace) {
+          onProgress?.({ phase: 'ready', message: '沙箱已就绪\n' })
+          return { workspace: data.workspace, vitePort: data.vitePort ?? undefined }
+        }
+      }
+    } catch {
+      // scope/info not available yet
+    }
+    await new Promise((r) => setTimeout(r, pollInterval))
+  }
+
+  console.warn(`[BaseRuntime] initSandboxWorkspace timeout after ${maxWaitMs / 1000}s`)
+  return { workspace: fallbackWorkspace }
+}
+
+// ─── System Prompt ─────────────────────────────────────────────────────────
+
+/**
+ * 获取 CloudBase 前端 SDK 的 publishableKey
+ */
+const publishableKeyCache = new Map<string, string>()
+
+export async function getPublishableKey(envId: string): Promise<string> {
+  if (publishableKeyCache.has(envId)) return publishableKeyCache.get(envId)!
+
+  const secretId = process.env.TCB_SECRET_ID
+  const secretKey = process.env.TCB_SECRET_KEY
+  if (!secretId || !secretKey || !envId) return ''
+  try {
+    const CloudBase = (await import('@cloudbase/manager-node')).default
+    const manager = new CloudBase({
+      secretId,
+      secretKey,
+      envId,
+      proxy: process.env.http_proxy,
+    })
+    const result = await manager.commonService('tcb', '2018-06-08').call({
+      Action: 'CreateApiKey',
+      Param: { EnvId: envId, KeyType: 'publish_key' },
+    })
+    const apiKey = result?.ApiKey || result?.Response?.ApiKey || ''
+    if (apiKey) {
+      publishableKeyCache.set(envId, apiKey)
+    }
+    return apiKey
+  } catch (e) {
+    console.warn('[BaseRuntime] Failed to get publishableKey:', (e as Error).message)
+    return ''
+  }
+}
+
+/**
+ * 构建通用 system prompt（任务分类 + CloudBase 指引 + 沙箱上下文）
+ */
+export function buildAppendPrompt(
+  sandboxCwd?: string,
+  conversationId?: string,
+  envId?: string,
+  sandboxMode?: 'shared' | 'isolated',
+  isCodingMode?: boolean,
+): string {
+  const roleLine = isCodingMode
+    ? '你是一个通用 AI 编程助手，同时具备腾讯云开发（CloudBase）能力。'
+    : '你是一个通用 AI 助手，同时具备腾讯云开发（CloudBase）能力，可按需通过工具操作云函数、数据库、存储、云托管等资源。'
+
+  const taskClassificationSection = isCodingMode
+    ? ''
+    : `
+<task-classification priority="highest">
+收到任务后，先判断类型再决定是否使用工具：
+
+1) **对话/创作/咨询类**（写文案、写文章、翻译、起名、解释概念、讨论观点、情绪陪伴、海报/帖子**文本**、小红书/朋友圈文案、社交媒体内容等）
+   → 直接在对话中以**文本/Markdown**形式输出，**不要**写文件、不要部署、不要调用开发相关工具。
+   → 即使用户说"帮我做一个 XX 应援贴/海报/宣传文案"，默认先理解为"输出文案"，除非用户明确要求"做一个页面/网站/应用"。
+   → **例外**：如果用户明确说"生成一张图""帮我画一张 XX 图片""做一张海报图片"，使用 ImageGen 工具生成图片。
+
+2) **编程/工程类**（修改代码、调试、构建应用、部署服务、配置云资源、运维操作）
+   → 使用工具完成任务：读文件、写文件、执行命令、部署、调用云开发 MCP 等。
+
+3) **自动化/定时类**（"每天…"、"每周…"、"定期…"）
+   → 使用 cronTask 工具管理定时任务（见下面 cron-task 章节）。
+
+**不确定时优先问用户**："你希望我直接写文案给你，还是做一个可访问的网页？"，不要擅自升级为 2)。
+</task-classification>
+`
+
+  const base = `<role>
+${roleLine}
+默认使用中文与用户沟通；删除等破坏性操作需确认用户意图。
+</role>
+${taskClassificationSection}
+<cloudbase-guideline>
+- 当前云开发环境为 ${envId || '(未指定)'}，必要时可通过 cloudbase MCP 工具操作。
+- **仅当用户明确要求部署、开发应用、操作数据库、上传文件等**，才使用云开发工具。纯文案/咨询不涉及此。
+- 部署云函数使用 manageFunctions 工具；上传文件到静态托管使用 cloudbase_uploadFiles 工具。
+</cloudbase-guideline>
+
+<bash-usage>
+对于耗时较长的命令（如 npm install、yarn install、大型项目构建等），如果执行超时：
+1. 改为后台执行, 添加 run_in_background，可以获取 pid
+2. 定期检查进程状态：ps aux | grep '<关键词>' | grep -v grep
+3. 通过 BashOutput 结合 pid 查看输出结果
+4. 也可以通过 KillShell 关闭后台执行的任务
+</bash-usage>
+
+<cron-task-usage>
+当用户提到定时执行、定期运行、每天/每周/每小时执行某操作等需求时，必须使用 cronTask 工具来管理定时任务。
+- 创建：action="create"，需要 name、prompt、cronExpression
+- 查询：action="list"，查看当前所有定时任务
+- 更新：action="update"，通过 id 修改已有任务（可改 prompt、cronExpression、enabled 等）
+- 删除：action="delete"，通过 id 删除任务
+Cron 表达式格式：分 时 日 月 周，例如 "0 20 * * *" 表示每天 20:00。
+</cron-task-usage>
+
+<tools-extra-info>
+- **ImageGen** — AI 图片生成。Usage: 用户明确要求生成/绘制图片时（"帮我画一张…""生成一张…的图""做一张海报图片"）。生成的图片会同时保存到工作区和静态托管，返回可公开访问的 CDN 链接。
+- **ImageEdit** — AI 图片编辑。Usage: 用户提供一张已有图片，要求修改风格、添加元素、局部重绘等。
+</tools-extra-info>`
+
+  if (sandboxCwd) {
+    const homeDir = sandboxMode === 'isolated' ? sandboxCwd : sandboxCwd.substring(0, sandboxCwd.lastIndexOf('/'))
+    const sandboxPreamble = isCodingMode
+      ? ''
+      : '（以下仅在你已判定任务属于"编程/工程类"、决定动手写文件或执行命令时适用；对话/创作类任务请忽略本节。）\n'
+    return `${base}
+
+<sandbox-context>
+${sandboxPreamble}工具默认在 Home: ${homeDir} 下执行
+为项目开辟工作目录为: ${sandboxCwd}
+使用的云开发环境为: ${envId}
+请注意：
+- 所有文件读写、终端命令都应在工作目录中执行，注意 cd 到工作目录操作。
+- 使用 cloudbase_uploadFiles 部署文件时，localPath 必须是容器内的**绝对路径**（即当前工作目录 ${sandboxCwd} 下的路径），例如 ${sandboxCwd}/index.html
+- 如用户没有特别要求，cloudPath 需要为 ${conversationId}/xxx，即在当前会话路径下
+- 不要使用相对路径给 cloudbase_uploadFiles
+</sandbox-context>`
+  }
+  return base
+}
+
+// ─── RuntimeContext ────────────────────────────────────────────────────────
+
+/**
+ * 由 BaseAgentRuntime 在 chatStream 中构建，传给子类 runAgent()。
+ * 包含所有已初始化的公共资源。
+ */
+export interface RuntimeContext {
+  conversationId: string
+  envId: string
+  userId: string
+  userCredentials?: { secretId: string; secretKey: string; sessionToken?: string }
+  model: string
+  mode: 'default' | 'coding'
+  isCodingMode: boolean
+
+  /** SCF 沙箱实例（null 表示沙箱不可用或禁用） */
+  sandbox: SandboxInstance | null
+  /** 沙箱内工作目录路径 */
+  sandboxCwd: string | null
+  /** sandbox isolation mode */
+  sandboxMode: 'shared' | 'isolated'
+  /** sandbox session id */
+  sandboxSessionId: string
+
+  /** MCP client (sandbox-mcp-proxy)，用于 CloudBase 工具调用 */
+  mcpClient: Awaited<ReturnType<typeof createSandboxMcpClient>> | null
+
+  /** 构建好的 system prompt（含沙箱上下文 + coding mode） */
+  systemPrompt: string
+  /** CloudBase publishableKey */
+  publishableKey: string
+
+  /** tool override config（沙箱 → agent SDK 工具路由） */
+  toolOverrideConfig: { url: string; headers: Record<string, string> } | null
+}
+
+// ─── BaseAgentRuntime ──────────────────────────────────────────────────────
+
+export abstract class BaseAgentRuntime implements IAgentRuntime {
+  abstract readonly name: string
+  abstract isAvailable(): Promise<boolean>
+  abstract getSupportedModels(): Promise<ModelInfo[]>
+  abstract chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult>
+
+  // ─── 公共设施方法（子类可在 runAgent 中调用） ────────────────────
+
+  /**
+   * 初始化完整的沙箱环境：创建 SCF → 健康检查 → workspace init → MCP client。
+   *
+   * @returns RuntimeContext 中与沙箱相关的字段
+   */
+  protected async setupSandbox(options: {
+    conversationId: string
+    envId: string
+    userId: string
+    userCredentials?: { secretId: string; secretKey: string; sessionToken?: string }
+    isCodingMode: boolean
+    callback?: AgentCallback | null
+    model?: string
+  }): Promise<{
+    sandbox: SandboxInstance | null
+    sandboxCwd: string | null
+    sandboxMode: 'shared' | 'isolated'
+    sandboxSessionId: string
+    toolOverrideConfig: { url: string; headers: Record<string, string> } | null
+    mcpClient: Awaited<ReturnType<typeof createSandboxMcpClient>> | null
+  }> {
+    const { conversationId, envId, userId, userCredentials, isCodingMode, callback, model } = options
+
+    const sandboxEnabled = !!(process.env.TCB_ENV_ID && process.env.SCF_SANDBOX_IMAGE_URI)
+    if (!sandboxEnabled || !envId) {
+      return {
+        sandbox: null,
+        sandboxCwd: null,
+        sandboxMode: 'shared',
+        sandboxSessionId: envId || conversationId,
+        toolOverrideConfig: null,
+        mcpClient: null,
+      }
+    }
+
+    // Read sandbox config from task record
+    let sandboxConfig = resolveSandboxConfig({ envId, taskId: conversationId })
+    try {
+      const taskRecord = await getDb().tasks.findById(conversationId)
+      await backfillSandboxConfig(
+        conversationId,
+        {
+          sandboxMode: taskRecord?.sandboxMode,
+          sandboxSessionId: taskRecord?.sandboxSessionId,
+          sandboxCwd: taskRecord?.sandboxCwd,
+        },
+        envId,
+        getDb(),
+      )
+      sandboxConfig = resolveSandboxConfig({
+        sandboxMode: taskRecord?.sandboxMode,
+        sandboxSessionId: taskRecord?.sandboxSessionId,
+        sandboxCwd: taskRecord?.sandboxCwd,
+        envId,
+        taskId: conversationId,
+      })
+    } catch {
+      // Non-critical
+    }
+
+    const { sandboxMode, sandboxSessionId } = sandboxConfig
+
+    // Progress bridge
+    const progressBridge: SandboxProgressCallback = ({ phase }) => {
+      if (callback) {
+        callback({ type: 'agent_phase', phase: 'preparing', phaseToolName: `sandbox:${phase}` })
+      }
+    }
+
+    let sandboxInstance: SandboxInstance | null = null
+    let toolOverrideConfig: { url: string; headers: Record<string, string> } | null = null
+    let mcpClient: Awaited<ReturnType<typeof createSandboxMcpClient>> | null = null
+    let detectedCwd: string | null = null
+
+    try {
+      sandboxInstance = await scfSandboxManager.getOrCreate(
+        conversationId,
+        envId,
+        {
+          mode: 'shared',
+          workspaceIsolation: sandboxMode,
+          sandboxSessionId,
+          isCodingMode,
+        },
+        progressBridge,
+      )
+
+      toolOverrideConfig = await sandboxInstance.getToolOverrideConfig()
+
+      // Inject hosting presign config for ImageGen
+      try {
+        const user = await getDb().users.findById(userId)
+        if (user) {
+          const session = {
+            created: Date.now(),
+            authProvider: (user.provider || 'local') as 'github' | 'local' | 'cloudbase' | 'api-key',
+            user: {
+              id: user.id,
+              username: user.username,
+              email: user.email || undefined,
+              avatar: user.avatarUrl || '',
+              name: user.name || undefined,
+            },
+          }
+          const sessionJwe = await encryptJWE(session, '2h')
+          const serverPort = Number(process.env.PORT) || 3001
+          ;(toolOverrideConfig as any).hosting = {
+            presignUrl: `http://localhost:${serverPort}/api/storage/presign?bucketType=static`,
+            sessionCookie: sessionJwe,
+            sessionId: conversationId,
+          }
+        }
+      } catch {
+        // hosting presign failure doesn't affect main flow
+      }
+
+      // Health check
+      const sandboxReady = await waitForSandboxHealth(sandboxInstance, progressBridge)
+      if (!sandboxReady) {
+        if (callback) {
+          callback({ type: 'text', content: '沙箱启动超时，将使用受限模式继续对话。\n\n' })
+        }
+        sandboxInstance = null
+      } else {
+        // Init workspace
+        const initResult = await initSandboxWorkspace(
+          sandboxInstance,
+          {
+            envId,
+            secretId: userCredentials?.secretId || '',
+            secretKey: userCredentials?.secretKey || '',
+            token: userCredentials?.sessionToken,
+          },
+          conversationId,
+          sandboxConfig.sandboxCwd || undefined,
+          progressBridge,
+        )
+        if (initResult.workspace) {
+          detectedCwd = initResult.workspace
+        }
+
+        // Create MCP client
+        mcpClient = await createSandboxMcpClient({
+          sandbox: sandboxInstance,
+          getCredentials: async () => ({
+            cloudbaseEnvId: envId,
+            secretId: userCredentials?.secretId || '',
+            secretKey: userCredentials?.secretKey || '',
+            sessionToken: userCredentials?.sessionToken,
+          }),
+          workspaceFolderPaths: detectedCwd || sandboxConfig.sandboxCwd,
+          log: (msg) => console.log(msg),
+          onArtifact: (artifact) => {
+            if (callback) {
+              callback({ type: 'artifact', artifact })
+            }
+            // 持久化部署记录（所有 runtime 共用）
+            persistDeploymentFromArtifact(conversationId, artifact).catch((err) => {
+              console.error('[BaseRuntime] Failed to persist deployment:', err)
+            })
+          },
+          getMpDeployCredentials: async (appId: string) => {
+            const app = await getDb().miniprogramApps.findByAppIdAndUserId(appId, userId)
+            if (!app) return null
+            return { appId: app.appId, privateKey: decrypt(app.privateKey) }
+          },
+          userId,
+          currentModel: model,
+        })
+
+        // Persist sandboxId to task record
+        try {
+          await getDb().tasks.update(conversationId, {
+            sandboxId: sandboxInstance.functionName,
+          })
+        } catch {
+          // Non-critical
+        }
+      }
+    } catch (err) {
+      console.error('[BaseRuntime] Sandbox creation failed:', (err as Error).message)
+      if (callback) {
+        callback({
+          type: 'text',
+          content: `【沙箱环境创建失败】${(err as Error).message}。将使用受限模式继续对话。\n\n`,
+        })
+      }
+    }
+
+    return {
+      sandbox: sandboxInstance,
+      sandboxCwd: detectedCwd,
+      sandboxMode,
+      sandboxSessionId,
+      toolOverrideConfig,
+      mcpClient,
+    }
+  }
+
+  /**
+   * 构建完整 system prompt（含 coding mode + 沙箱上下文）。
+   */
+  protected async buildSystemPrompt(options: {
+    envId: string
+    isCodingMode: boolean
+    sandboxCwd: string | null
+    sandboxMode: 'shared' | 'isolated'
+    conversationId: string
+  }): Promise<{ systemPrompt: string; publishableKey: string }> {
+    const { envId, isCodingMode, sandboxCwd, sandboxMode, conversationId } = options
+    const publishableKey = await getPublishableKey(envId)
+
+    let systemPrompt: string
+    if (isCodingMode) {
+      systemPrompt =
+        getCodingSystemPrompt(envId, publishableKey) +
+        '\n\n' +
+        buildAppendPrompt(sandboxCwd || undefined, conversationId, envId, sandboxMode, true)
+    } else {
+      systemPrompt = buildAppendPrompt(sandboxCwd || undefined, conversationId, envId, sandboxMode, false)
+    }
+
+    return { systemPrompt, publishableKey }
+  }
+
+  /**
+   * Coding mode: 标记 preview ready。
+   */
+  protected async markCodingPreviewReady(conversationId: string, sandbox: SandboxInstance | null): Promise<void> {
+    if (!sandbox) return
+    try {
+      const taskRecord = await getDb().tasks.findById(conversationId)
+      if (!taskRecord?.previewUrl) {
+        await getDb().tasks.update(conversationId, { previewUrl: 'ready' })
+      }
+    } catch {
+      // Non-critical
+    }
+  }
+
+  /**
+   * Coding mode: 自动放行所有写工具。
+   */
+  protected allowAllWriteToolsForCodingMode(conversationId: string): void {
+    for (const tool of WRITE_TOOLS) {
+      sessionPermissions.allowAlways(conversationId, tool)
+    }
+  }
+}
+
+// ─── Artifact Helpers（所有 runtime 共用） ─────────────────────────────────
+
+import { nanoid } from 'nanoid'
+
+/**
+ * 从 artifact 事件中持久化部署记录到 DB。
+ * 所有 runtime 收到 type='artifact' 的回调时都应调用此函数。
+ */
+export async function persistDeploymentFromArtifact(
+  taskId: string,
+  artifact: NonNullable<AgentCallbackMessage['artifact']>,
+): Promise<void> {
+  const now = Date.now()
+  const meta = artifact.metadata || {}
+  const deploymentType = (meta.deploymentType as string) || (artifact.contentType === 'link' ? 'web' : 'miniprogram')
+  const metadataJson = Object.keys(meta).length > 0 ? JSON.stringify(meta) : null
+
+  if (deploymentType === 'miniprogram') {
+    const qrCodeUrl = artifact.contentType === 'image' ? artifact.data : (meta.qrCodeUrl as string) || null
+    const pagePath = (meta.pagePath as string) || null
+    const appId = (meta.appId as string) || null
+    const label = artifact.title || null
+
+    const existing = await getDb().deployments.findByTaskIdAndTypePath(taskId, 'miniprogram', null)
+
+    if (existing) {
+      await getDb().deployments.update(existing.id, {
+        qrCodeUrl: qrCodeUrl || existing.qrCodeUrl,
+        pagePath: pagePath || existing.pagePath,
+        appId: appId || existing.appId,
+        label: label || existing.label,
+        metadata: metadataJson || existing.metadata,
+        updatedAt: now,
+      })
+    } else {
+      await getDb().deployments.create({
+        id: nanoid(12),
+        taskId,
+        type: 'miniprogram',
+        url: null,
+        path: null,
+        qrCodeUrl,
+        pagePath,
+        appId,
+        label,
+        metadata: metadataJson,
+        createdAt: now,
+        updatedAt: now,
+      })
+    }
+  } else if (artifact.contentType === 'link' && artifact.data) {
+    const url = artifact.data
+    let urlPath: string | null = null
+    try {
+      const urlObj = new URL(url)
+      urlPath = urlObj.pathname.replace(/\/index\.html$/, '/').replace(/\/+$/, '') || '/'
+    } catch {
+      /* ignore */
+    }
+
+    if (urlPath) {
+      const existing = await getDb().deployments.findByTaskIdAndTypePath(taskId, 'web', urlPath)
+
+      if (existing) {
+        await getDb().deployments.update(existing.id, {
+          url,
+          label: artifact.title || existing.label,
+          metadata: metadataJson || existing.metadata,
+          updatedAt: now,
+        })
+      } else {
+        await getDb().deployments.create({
+          id: nanoid(12),
+          taskId,
+          type: 'web',
+          url,
+          path: urlPath,
+          qrCodeUrl: null,
+          pagePath: null,
+          appId: null,
+          label: artifact.title || null,
+          metadata: metadataJson,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+    }
+
+    // Also update legacy previewUrl for backward compatibility
+    try {
+      await getDb().tasks.update(taskId, { previewUrl: url })
+    } catch {
+      // Non-critical
+    }
+  } else {
+    // Other artifact types (json, image without miniprogram context, etc.)
+    await getDb().deployments.create({
+      id: nanoid(12),
+      taskId,
+      type: deploymentType as 'web' | 'miniprogram',
+      url: artifact.contentType === 'link' ? artifact.data : null,
+      path: null,
+      qrCodeUrl: artifact.contentType === 'image' ? artifact.data : null,
+      pagePath: null,
+      appId: null,
+      label: artifact.title || null,
+      metadata: metadataJson,
+      createdAt: now,
+      updatedAt: now,
+    })
+  }
+}
+
+/**
+ * 从 uploadFiles 工具结果 JSON 中递归提取 CloudBase 部署 URL。
+ * 纯函数，支持 accessUrl / staticDomain 字段，最多递归 5 层。
+ */
+export function extractDeployUrl(rawText: string, isFile = false, depth = 0): string | null {
+  if (depth > 5) return null
+  try {
+    const parsed = JSON.parse(rawText)
+
+    if (Array.isArray(parsed)) {
+      const firstText = parsed[0]?.text
+      if (typeof firstText === 'string') {
+        return extractDeployUrl(firstText, isFile, depth + 1)
+      }
+      return null
+    }
+
+    if (typeof parsed !== 'object' || parsed === null) return null
+
+    if (parsed.accessUrl) {
+      const url = new URL(parsed.accessUrl)
+      if (!isFile && url.pathname !== '/' && !url.pathname.endsWith('/')) {
+        url.pathname += '/'
+      }
+      if (!url.searchParams.get('t')) {
+        url.searchParams.set('t', String(Date.now()))
+      }
+      return url.toString()
+    }
+    if (parsed.staticDomain) return `https://${parsed.staticDomain}/?t=${Date.now()}`
+
+    const innerText = parsed?.res?.content?.[0]?.text || parsed?.content?.[0]?.text
+    if (typeof innerText === 'string') {
+      return extractDeployUrl(innerText, isFile, depth + 1)
+    }
+  } catch {
+    // JSON parse 失败，忽略
+  }
+  return null
+}
diff --git a/packages/server/src/agent/runtime/codebuddy-runtime.ts b/packages/server/src/agent/runtime/codebuddy-runtime.ts
new file mode 100644
index 0000000..72559a8
--- /dev/null
+++ b/packages/server/src/agent/runtime/codebuddy-runtime.ts
@@ -0,0 +1,39 @@
+/**
+ * CodeBuddyRuntime
+ *
+ * 把现有 `CloudbaseAgentService`（基于 @tencent-ai/agent-sdk）包装成 IAgentRuntime。
+ * 继承 BaseAgentRuntime 获取沙箱/MCP/系统提示等公共设施（当前仍委托到 cloudbase-agent.service.ts，
+ * 其内部已包含完整的沙箱+MCP 逻辑，后续迁移到 runAgent 中复用基类设施）。
+ *
+ * runtime name: 'codebuddy'（向后兼容：registry 同时注册 'tencent-sdk' 别名）
+ */
+
+import type { AgentCallback, AgentOptions } from '@coder/shared'
+import type { ChatStreamResult } from './types.js'
+import { cloudbaseAgentService, getSupportedModels, type ModelInfo } from '../cloudbase-agent.service.js'
+import { BaseAgentRuntime } from './base-runtime.js'
+
+export class CodeBuddyRuntime extends BaseAgentRuntime {
+  readonly name = 'codebuddy'
+
+  async isAvailable(): Promise<boolean> {
+    // CodeBuddy SDK 是 monorepo 内部依赖，安装即可用
+    return true
+  }
+
+  async getSupportedModels(): Promise<ModelInfo[]> {
+    return getSupportedModels()
+  }
+
+  async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
+    return cloudbaseAgentService.chatStream(prompt, callback, options)
+  }
+}
+
+export const codebuddyRuntime = new CodeBuddyRuntime()
+
+// ─── 向后兼容别名 ─────────────────────────────────────────────────────────
+/** @deprecated Use CodeBuddyRuntime / codebuddyRuntime instead */
+export const tencentSdkRuntime = codebuddyRuntime
+/** @deprecated Use CodeBuddyRuntime instead */
+export type TencentSdkRuntime = CodeBuddyRuntime
diff --git a/packages/server/src/agent/runtime/index.ts b/packages/server/src/agent/runtime/index.ts
index fa2dff9..caeb2c1 100644
--- a/packages/server/src/agent/runtime/index.ts
+++ b/packages/server/src/agent/runtime/index.ts
@@ -9,5 +9,15 @@
 
 export type { IAgentRuntime, ChatStreamResult, RuntimeSelectorOptions, EmitFn } from './types.js'
 export { agentRuntimeRegistry } from './registry.js'
-export { tencentSdkRuntime, TencentSdkRuntime } from './tencent-sdk-runtime.js'
+export { codebuddyRuntime, CodeBuddyRuntime, tencentSdkRuntime, type TencentSdkRuntime } from './codebuddy-runtime.js'
 export { opencodeAcpRuntime, OpencodeAcpRuntime } from './opencode-acp-runtime.js'
+export { BaseAgentRuntime, type RuntimeContext } from './base-runtime.js'
+export {
+  WRITE_TOOLS,
+  waitForSandboxHealth,
+  initSandboxWorkspace,
+  buildAppendPrompt,
+  getPublishableKey,
+  persistDeploymentFromArtifact,
+  extractDeployUrl,
+} from './base-runtime.js'
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index f20fae7..17d2489 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -1,9 +1,10 @@
 /**
  * OpencodeAcpRuntime
  *
- * 基于 ACP 协议的 OpenCode agent runtime，严格遵守 agent/sandbox 分离原则。
+ * 基于 ACP 协议的 OpenCode agent runtime。
+ * 继承 BaseAgentRuntime 获取沙箱、MCP、系统提示等公共基础设施。
  *
- * 架构（"项目级 tool override + env 注入"）：
+ * 架构（"项目级 tool override + env 注入 + 共享沙箱"）：
  *
  *   server 启动时：
  *     ensureOpencodeToolsInstalled()
@@ -11,27 +12,22 @@
  *          （同名 custom tool 覆盖 builtin — 实测已验证）
  *
  *   每次 chatStream：
- *     1. 如果有 envId：scfSandboxManager.getOrCreate()
+ *     1. BaseAgentRuntime.setupSandbox() 创建/获取 SCF 沙箱（共享实例）
  *     2. spawn opencode acp，通过 child env 注入：
  *          OPENCODE_CONFIG_DIR=<projectRoot>/.opencode  （隔离用户全局配置）
  *          SANDBOX_MODE=1
- *          SANDBOX_BASE_URL=<沙箱 HTTPS>
+ *          SANDBOX_BASE_URL=<沙箱 HTTPS>（来自基类 sandbox）
  *          SANDBOX_AUTH_HEADERS_JSON=<凭证 JSON>
- *     3. opencode 父进程的 env 会继承给所有子进程（MCP 服务等）
- *     4. 工具文件里读 process.env.SANDBOX_* 决定：本地执行 vs HTTP 转发到沙箱
+ *     3. 基类构建的 MCP endpoint 传给 opencode newSession，opencode 可直接调用
+ *        CloudBase MCP 工具（数据库、云函数、存储等）
+ *     4. 基类 systemPrompt 拼到 history context 前面，确保任务分类 + 沙箱上下文生效
  *     5. ACP 握手 → newSession → prompt → 收 session/update 流 → 翻译为 AgentCallbackMessage
- *
- * 相比旧方案（per-session 写 .opencode/opencode.json + MCP bridge 子进程）：
- *   - 不再写 per-session 配置文件（只写一次全局 tools/*.js）
- *   - 不再启 MCP 子进程（少一层进程 + 少一层 JSON-RPC 序列化）
- *   - 工具名就是 `read`/`write`/... 与 LLM 训练期望一致
- *   - 凭证只在进程 env 里，session 结束随进程退出清理
  */
 
 import { v4 as uuidv4 } from 'uuid'
 import { ClientSideConnection } from '@agentclientprotocol/sdk'
 import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
-import type { ChatStreamResult, IAgentRuntime } from './types.js'
+import type { ChatStreamResult } from './types.js'
 import type { ModelInfo } from '../cloudbase-agent.service.js'
 import {
   registerAgent,
@@ -48,7 +44,8 @@ import { ensureOpencodeToolsInstalled, getOpencodeConfigDir } from './opencode-i
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
 import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt } from './opencode-message-builder.js'
-import { scfSandboxManager, type SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
+import { BaseAgentRuntime } from './base-runtime.js'
+import type { SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import os from 'node:os'
 import path from 'node:path'
 import fs from 'node:fs'
@@ -167,7 +164,7 @@ function ensureToolsInstalledOnce(): Promise<void> {
 
 // ─── Runtime ─────────────────────────────────────────────────────────────
 
-export class OpencodeAcpRuntime implements IAgentRuntime {
+export class OpencodeAcpRuntime extends BaseAgentRuntime {
   readonly name = 'opencode-acp'
 
   async isAvailable(): Promise<boolean> {
@@ -331,20 +328,42 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       // 0. 确保全局 opencode tools 已安装
       await ensureToolsInstalledOnce()
 
-      // 1. 如果有 envId，获取沙箱
+      // 1. 使用基类共享设施初始化沙箱 + MCP + 系统提示
+      const isCodingMode = options.mode === 'coding'
+      let sandboxResult: Awaited<ReturnType<typeof this.setupSandbox>> | null = null
+
       if (envId) {
-        try {
-          sandbox = await scfSandboxManager.getOrCreate(conversationId, envId, {
-            mode: 'shared',
-            workspaceIsolation: 'shared',
-          })
-        } catch (e) {
-          console.warn('[OpencodeAcpRuntime] sandbox getOrCreate failed:', (e as Error).message)
-          throw new Error(`Sandbox unavailable: ${(e as Error).message}`)
+        await emit({ type: 'agent_phase', phase: 'preparing' })
+        sandboxResult = await this.setupSandbox({
+          conversationId,
+          envId,
+          userId,
+          userCredentials: options.userCredentials,
+          isCodingMode,
+          callback: getLiveCallback(conversationId),
+          model: modelId,
+        })
+        sandbox = sandboxResult.sandbox
+
+        // Coding mode: auto-allow all write tools + mark preview ready
+        if (isCodingMode && conversationId) {
+          this.allowAllWriteToolsForCodingMode(conversationId)
+          await this.markCodingPreviewReady(conversationId, sandbox)
         }
       }
 
-      await emit({ type: 'agent_phase', phase: 'preparing' })
+      // 构建系统提示
+      let systemPrompt = ''
+      if (envId) {
+        const promptResult = await this.buildSystemPrompt({
+          envId,
+          isCodingMode,
+          sandboxCwd: sandboxResult?.sandboxCwd || null,
+          sandboxMode: sandboxResult?.sandboxMode || 'shared',
+          conversationId,
+        })
+        systemPrompt = promptResult.systemPrompt
+      }
 
       // 2. 工作目录
       //    - 沙箱模式：opencode cwd 用临时占位目录（opencode 需要一个本地目录启动，
@@ -444,10 +463,20 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
         },
       })
 
-      // 7. 创建 session
+      // 7. 创建 session — 注入 MCP server（来自基类 sandbox MCP proxy）
+      const mcpServers: Array<{ url: string; headers?: Record<string, string> }> = []
+      if (sandbox && sandboxResult?.mcpClient) {
+        // sandbox 内有 MCP endpoint，opencode 可以通过 HTTP transport 直接调用
+        // CloudBase 工具（数据库、云函数、存储等）
+        const authHeaders = await sandbox.getAuthHeaders()
+        mcpServers.push({
+          url: `${sandbox.baseUrl}/mcp`,
+          headers: authHeaders,
+        })
+      }
       const newRes = await conn.newSession({
         cwd: sessionWorkingDir,
-        mcpServers: [],
+        mcpServers,
       })
       const opencodeSessionId = newRes.sessionId
 
@@ -465,14 +494,20 @@ export class OpencodeAcpRuntime implements IAgentRuntime {
       //
       // OpenCode 每次新 session 是空白上下文，如果之前 conversation 有历史消息，
       // 把它们作为 context prefix 拼到本轮 prompt 前面，让 LLM 能做多轮记忆。
+      // 同时注入基类构建的 systemPrompt（任务分类 + 沙箱上下文 + CloudBase 指引）。
       //
       // 注意：Resume 场景（toolConfirmation/askAnswers）不会走到这里（早 return 了），
       // 所以 resume 时用的是原 opencode session 自带的上下文，不需要重新注入。
-      const contextPrompt = envId
-        ? await buildHistoryContextPrompt(conversationId, envId, userId, prompt, {
-            excludeRecordIds: excludeHistoryRecordIds,
-          })
-        : prompt
+      let contextPrompt: string
+      if (envId) {
+        const historyPrompt = await buildHistoryContextPrompt(conversationId, envId, userId, prompt, {
+          excludeRecordIds: excludeHistoryRecordIds,
+        })
+        // Prepend system prompt before history+user prompt
+        contextPrompt = systemPrompt ? `${systemPrompt}\n\n${historyPrompt}` : historyPrompt
+      } else {
+        contextPrompt = prompt
+      }
       const promptRes = await conn.prompt({
         sessionId: opencodeSessionId,
         prompt: [{ type: 'text', text: contextPrompt }],
diff --git a/packages/server/src/agent/runtime/registry.ts b/packages/server/src/agent/runtime/registry.ts
index d16f6c9..09e7531 100644
--- a/packages/server/src/agent/runtime/registry.ts
+++ b/packages/server/src/agent/runtime/registry.ts
@@ -8,22 +8,25 @@
  *   2. 环境变量 AGENT_RUNTIME（部署级 override）
  *   3. registry 默认 runtime（本地开发期）
  *
- * 注册：默认包含 tencent-sdk + opencode-acp，可通过 register() 扩展（如未来加 claude-code-acp）。
+ * 注册：默认包含 codebuddy + opencode-acp，可通过 register() 扩展。
+ * 向后兼容：'tencent-sdk' 作为 'codebuddy' 的别名。
  */
 
 import type { IAgentRuntime, RuntimeSelectorOptions } from './types.js'
-import { tencentSdkRuntime } from './tencent-sdk-runtime.js'
+import { codebuddyRuntime } from './codebuddy-runtime.js'
 import { opencodeAcpRuntime } from './opencode-acp-runtime.js'
 
-const DEFAULT_RUNTIME = process.env.AGENT_RUNTIME_DEFAULT || 'tencent-sdk'
+const DEFAULT_RUNTIME = process.env.AGENT_RUNTIME_DEFAULT || 'codebuddy'
 
 class AgentRuntimeRegistry {
   private runtimes = new Map<string, IAgentRuntime>()
 
   constructor() {
     // 默认注册的 runtime
-    this.register(tencentSdkRuntime)
+    this.register(codebuddyRuntime)
     this.register(opencodeAcpRuntime)
+    // 向后兼容别名：DB 中已存的 'tencent-sdk' 能正确 resolve
+    this.runtimes.set('tencent-sdk', codebuddyRuntime)
   }
 
   register(runtime: IAgentRuntime): void {
@@ -35,7 +38,12 @@ class AgentRuntimeRegistry {
   }
 
   list(): IAgentRuntime[] {
-    return Array.from(this.runtimes.values())
+    // 去重：别名不重复列出
+    const seen = new Set<IAgentRuntime>()
+    for (const r of this.runtimes.values()) {
+      seen.add(r)
+    }
+    return Array.from(seen)
   }
 
   /**
@@ -51,7 +59,7 @@ class AgentRuntimeRegistry {
     }
 
     // 兜底：返回任何已注册的 runtime
-    const fallback = this.runtimes.get('tencent-sdk') ?? this.runtimes.values().next().value
+    const fallback = this.runtimes.get('codebuddy') ?? this.runtimes.values().next().value
     if (!fallback) throw new Error('No agent runtime registered')
     return fallback
   }
@@ -62,9 +70,9 @@ class AgentRuntimeRegistry {
   async resolveWithAvailability(options: RuntimeSelectorOptions = {}): Promise<IAgentRuntime> {
     const r = this.resolve(options)
     const available = await r.isAvailable()
-    if (!available && r.name !== 'tencent-sdk') {
-      // 不可用 → 退回默认 tencent-sdk
-      const fallback = this.runtimes.get('tencent-sdk')
+    if (!available && r.name !== 'codebuddy') {
+      // 不可用 → 退回默认 codebuddy
+      const fallback = this.runtimes.get('codebuddy')
       if (fallback) return fallback
     }
     return r
diff --git a/packages/server/src/agent/runtime/tencent-sdk-runtime.ts b/packages/server/src/agent/runtime/tencent-sdk-runtime.ts
deleted file mode 100644
index 1719ba4..0000000
--- a/packages/server/src/agent/runtime/tencent-sdk-runtime.ts
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * TencentSdkRuntime
- *
- * 把现有 `CloudbaseAgentService`（基于 patch 过的 @tencent-ai/agent-sdk）包装成 IAgentRuntime。
- *
- * 设计权衡：
- * - 不动 `cloudbase-agent.service.ts` 的 2200 行实现，仅做委托。
- *   理由：现有逻辑已沉淀沙箱、coding-mode、persistence、askAnswers/toolConfirmation
- *   等大量业务，重构风险高；用 adapter 隔离。
- * - `convertToSessionUpdate` 仍由 routes/acp.ts 直接调用静态方法（暂不抽象）。
- *   理由：所有 runtime 产出的 AgentCallbackMessage 共用同一套转换规则，集中实现更易维护。
- */
-
-import type { AgentCallback, AgentOptions } from '@coder/shared'
-import type { ChatStreamResult, IAgentRuntime } from './types.js'
-import { cloudbaseAgentService, getSupportedModels, type ModelInfo } from '../cloudbase-agent.service.js'
-
-export class TencentSdkRuntime implements IAgentRuntime {
-  readonly name = 'tencent-sdk'
-
-  async isAvailable(): Promise<boolean> {
-    // Tencent SDK 是 monorepo 内部依赖，安装即可用
-    return true
-  }
-
-  async getSupportedModels(): Promise<ModelInfo[]> {
-    return getSupportedModels()
-  }
-
-  async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
-    return cloudbaseAgentService.chatStream(prompt, callback, options)
-  }
-}
-
-export const tencentSdkRuntime = new TencentSdkRuntime()
diff --git a/packages/server/src/agent/runtime/types.ts b/packages/server/src/agent/runtime/types.ts
index e7d8160..1375b17 100644
--- a/packages/server/src/agent/runtime/types.ts
+++ b/packages/server/src/agent/runtime/types.ts
@@ -5,7 +5,7 @@
  * 与"对外的会话/流式/持久化逻辑（routes/acp.ts、persistence.service.ts）"解耦。
  *
  * 现状：原 `CloudbaseAgentService` 直接耦合 `@tencent-ai/agent-sdk`。
- * 重构后：`CloudbaseAgentService` 退化为 `TencentSdkRuntime`（实现 IAgentRuntime），
+ * 重构后：`CloudbaseAgentService` 退化为 `CodeBuddyRuntime`（实现 IAgentRuntime），
  *         新增 `OpencodeAcpRuntime`，由 `AgentRuntimeRegistry` 调度。
  *
  * 关键约束（来自 routes/acp.ts 现有调用面）：
@@ -43,7 +43,7 @@ export interface ChatStreamResult {
  */
 export interface IAgentRuntime {
   /**
-   * Runtime 唯一标识（e.g. 'tencent-sdk', 'opencode-acp', 'claude-code-acp'）
+   * Runtime 唯一标识（e.g. 'codebuddy', 'opencode-acp', 'claude-code-acp'）
    */
   readonly name: string
 
diff --git a/packages/server/src/routes/acp.ts b/packages/server/src/routes/acp.ts
index ff5d7c4..e55371e 100644
--- a/packages/server/src/routes/acp.ts
+++ b/packages/server/src/routes/acp.ts
@@ -313,7 +313,7 @@ async function handleInitialize(c: any, id: number | string) {
     agentCapabilities: {
       loadSession: true,
       promptCapabilities: {
-        image: false,
+        image: true,
         audio: false,
         embeddedContext: false,
       },
@@ -393,16 +393,18 @@ async function handleSessionPrompt(c: any, id: number | string, params: SessionP
     return c.json(rpcErr(id, JSON_RPC_ERRORS.INVALID_REQUEST, 'A prompt turn is already in progress'))
   }
 
-  // Extract prompt text
-  const prompt: string = (params?.prompt ?? [])
+  // Extract prompt text and image blocks
+  const promptBlocks: any[] = params?.prompt ?? []
+  const prompt: string = promptBlocks
     .filter((b) => b.type === 'text')
     .map((b) => b.text)
     .join('')
+  const imageBlocks = promptBlocks.filter((b) => b.type === 'image')
 
   const hasResumePayload =
     (params?.askAnswers && Object.keys(params.askAnswers).length > 0) || !!params?.toolConfirmation
 
-  if (!prompt.trim() && !hasResumePayload) {
+  if (!prompt.trim() && !hasResumePayload && imageBlocks.length === 0) {
     return c.json(rpcErr(id, JSON_RPC_ERRORS.INVALID_PARAMS, 'prompt must contain at least one text block'))
   }
 
@@ -445,10 +447,9 @@ async function handleSessionPrompt(c: any, id: number | string, params: SessionP
       model: selectedModel,
       askAnswers: params.askAnswers,
       toolConfirmation: params.toolConfirmation,
-      // P2: 透传 Plan 模式开关。当前端在开启 Plan 模式下发起 prompt 时传 'plan'，
-      // 或 ExitPlanMode 用户选择 reject_and_exit_plan 后下一轮传 'default' 恢复普通模式。
       permissionMode: params.permissionMode,
       mode: taskMode,
+      imageBlocks: imageBlocks.length > 0 ? imageBlocks : undefined,
     })
   })
 }
diff --git a/packages/server/src/routes/tasks.ts b/packages/server/src/routes/tasks.ts
index f2c42e9..05d08bf 100644
--- a/packages/server/src/routes/tasks.ts
+++ b/packages/server/src/routes/tasks.ts
@@ -3,6 +3,7 @@ import { streamSSE } from 'hono/streaming'
 import { getDb } from '../db/index.js'
 import { nanoid } from 'nanoid'
 import { requireAuth, requireUserEnv, type AppEnv } from '../middleware/auth'
+import { readFileSync } from 'node:fs'
 import { createTaskLogger } from '../lib/task-logger'
 import { resolveSandboxConfig, backfillSandboxConfig } from '../lib/sandbox-config'
 import { decrypt } from '../lib/crypto'
@@ -449,28 +450,57 @@ tasksRouter.get('/:taskId/messages', requireUserEnv, async (c) => {
   try {
     const cloudbaseRecords = await persistenceService.loadDBMessages(taskId, envId, userId, 100)
     const messages = cloudbaseRecords.map((record) => {
-      const parts = (record.parts || []).map((p) => {
-        if (p.contentType === 'text') return { type: 'text' as const, text: p.content || '' }
-        else if (p.contentType === 'reasoning') return { type: 'thinking' as const, text: p.content || '' }
-        else if (p.contentType === 'tool_call')
-          return {
-            type: 'tool_call' as const,
-            toolCallId: p.toolCallId || p.partId,
-            toolName: (p.metadata?.toolCallName as string) || (p.metadata?.toolName as string) || 'tool',
-            input: p.content || p.metadata?.input,
-            status: (p.metadata?.status as string) || undefined,
-          }
-        else if (p.contentType === 'tool_result')
-          return {
-            type: 'tool_result' as const,
-            toolCallId: p.toolCallId || p.partId,
-            toolName: (p.metadata?.toolName as string) || undefined,
-            content: p.content || '',
-            isError: p.metadata?.isError as boolean | undefined,
-            status: (p.metadata?.status as string) || undefined,
-          }
-        return { type: 'text' as const, text: p.content || '' }
-      })
+      const parts = (record.parts || [])
+        .map((p) => {
+          if (p.contentType === 'text') {
+            // contentBlocks may be in p.metadata (TypeScript model) or directly on p
+            // (when CloudBase flattens the nested metadata object on read-back)
+            const contentBlocks = ((p.metadata as any)?.contentBlocks ?? (p as any).contentBlocks) as any[] | undefined
+            if (contentBlocks) {
+              const imageParts: any[] = []
+              for (const b of contentBlocks) {
+                if (b.type === 'image_blob_ref') {
+                  // Post-syncMessages: read from local blob file
+                  try {
+                    const data = readFileSync(b.blob_path as string).toString('base64')
+                    imageParts.push({ type: 'image' as const, data, mimeType: b.mime as string })
+                  } catch (e) {
+                    console.error('[messages] blob read failed:', b.blob_path, (e as Error).message)
+                  }
+                }
+              }
+              if (imageParts.length > 0) {
+                return [...imageParts, { type: 'text' as const, text: p.content || '' }]
+              }
+            }
+            return { type: 'text' as const, text: p.content || '' }
+          } else if (p.contentType === 'reasoning') return { type: 'thinking' as const, text: p.content || '' }
+          else if (p.contentType === 'tool_call')
+            return {
+              type: 'tool_call' as const,
+              toolCallId: p.toolCallId || p.partId,
+              toolName: (p.metadata?.toolCallName as string) || (p.metadata?.toolName as string) || 'tool',
+              input: p.content || p.metadata?.input,
+              status: (p.metadata?.status as string) || undefined,
+            }
+          else if (p.contentType === 'tool_result')
+            return {
+              type: 'tool_result' as const,
+              toolCallId: p.toolCallId || p.partId,
+              toolName: (p.metadata?.toolName as string) || undefined,
+              content: p.content || '',
+              isError: p.metadata?.isError as boolean | undefined,
+              status: (p.metadata?.status as string) || undefined,
+            }
+          else if (p.contentType === 'image')
+            return {
+              type: 'image' as const,
+              data: p.content || '',
+              mimeType: (p.metadata?.mimeType as string) || 'image/png',
+            }
+          return { type: 'text' as const, text: p.content || '' }
+        })
+        .flat()
       const textContent = parts
         .filter((p) => p.type === 'text')
         .map((p) => (p as { type: 'text'; text: string }).text)
diff --git a/packages/server/src/sandbox/sandbox-mcp-proxy.ts b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
index 9e1e5f6..197b54b 100644
--- a/packages/server/src/sandbox/sandbox-mcp-proxy.ts
+++ b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
@@ -17,6 +17,7 @@ import { nanoid } from 'nanoid'
 import cron from 'node-cron'
 import { getDb } from '../db/index.js'
 import { scheduleTask, unscheduleTask } from '../services/cron-scheduler.js'
+import { extractDeployUrl } from '../agent/runtime/base-runtime.js'
 
 // ─── Types ───────────────────────────────────────────────────────
 
@@ -236,31 +237,6 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
     return /\.[a-zA-Z0-9]+$/.test(basename)
   }
 
-  function extractDeployUrl(rawText: string, isFile = false, depth = 0): string | null {
-    if (depth > 5) return null
-    try {
-      const parsed = JSON.parse(rawText)
-      if (Array.isArray(parsed)) {
-        const firstText = parsed[0]?.text
-        if (typeof firstText === 'string') return extractDeployUrl(firstText, isFile, depth + 1)
-        return null
-      }
-      if (typeof parsed !== 'object' || parsed === null) return null
-      if (parsed.accessUrl) {
-        const url = new URL(parsed.accessUrl)
-        if (!isFile && url.pathname !== '/' && !url.pathname.endsWith('/')) url.pathname += '/'
-        if (!url.searchParams.get('t')) url.searchParams.set('t', String(Date.now()))
-        return url.toString()
-      }
-      if (parsed.staticDomain) return `https://${parsed.staticDomain}/?t=${Date.now()}`
-      const innerText = parsed?.res?.content?.[0]?.text || parsed?.content?.[0]?.text
-      if (typeof innerText === 'string') return extractDeployUrl(innerText, isFile, depth + 1)
-    } catch {
-      // JSON parse 失败，忽略
-    }
-    return null
-  }
-
   function isCredentialError(output: string): boolean {
     return (
       output.includes('AUTH_REQUIRED') ||
@@ -395,142 +371,164 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
     }))
   }
 
-  // ── publishMiniprogram tool ───────────────────────────────────
-  server.tool(
-    'publishMiniprogram',
-    '小程序发布/预览工具。支持预览（preview）和上传（upload）两种操作。预览会生成二维码供扫码体验，上传会将代码提交到微信后台。部署可能耗时较长，若超过 60s 未完成会返回 async=true 和 jobId，请使用 getDeployJobStatus 工具查询结果。',
-    {
-      action: z.enum(['preview', 'upload']).describe('操作类型：preview=预览, upload=上传'),
-      projectPath: z.string().describe('小程序项目路径（沙箱内的绝对路径）'),
-      appId: z.string().describe('微信小程序 AppId'),
-      version: z.string().optional().describe('版本号（upload 时建议提供，如 "1.0.0"）'),
-      description: z.string().optional().describe('版本描述'),
-      robot: z.number().optional().describe('CI 机器人编号（1-30），默认 1'),
-    },
-    async (args: Record<string, unknown>) => {
-      try {
-        let privateKey: string | undefined
-        const appId = args.appId as string
+  // ── publishMiniprogram / getDeployJobStatus 共享 handler ─────
+  // 两个 tool 需要同时注册到标准 MCP Server 和 SDK-wrapped Server，
+  // 但 handler 逻辑只保留一份。
+
+  const PUBLISH_MP_DESC =
+    '小程序发布/预览工具。支持预览（preview）和上传（upload）两种操作。预览会生成二维码供扫码体验，上传会将代码提交到微信后台。部署可能耗时较长，若超过 60s 未完成会返回 async=true 和 jobId，请使用 getDeployJobStatus 工具查询结果。'
+  const PUBLISH_MP_SCHEMA = {
+    action: z.enum(['preview', 'upload']).describe('操作类型：preview=预览, upload=上传'),
+    projectPath: z.string().describe('小程序项目路径（沙箱内的绝对路径）'),
+    appId: z.string().describe('微信小程序 AppId'),
+    version: z.string().optional().describe('版本号（upload 时建议提供，如 "1.0.0"）'),
+    description: z.string().optional().describe('版本描述'),
+    robot: z.number().optional().describe('CI 机器人编号（1-30），默认 1'),
+  }
 
-        if (getMpDeployCredentials) {
-          const creds = await getMpDeployCredentials(appId)
-          if (creds) {
-            privateKey = creds.privateKey
-          }
-        }
+  async function handlePublishMiniprogram(args: Record<string, unknown>) {
+    try {
+      let privateKey: string | undefined
+      const appId = args.appId as string
 
-        if (!privateKey) {
-          return {
-            content: [
-              {
-                type: 'text' as const,
-                text: JSON.stringify({
-                  error: true,
-                  message: `未找到 appId ${appId} 的部署密钥，请先在小程序管理中关联该 appId`,
-                }),
-              },
-            ],
-            isError: true,
-          }
-        }
+      if (getMpDeployCredentials) {
+        const creds = await getMpDeployCredentials(appId)
+        if (creds) privateKey = creds.privateKey
+      }
 
-        const res = await sandbox.request('/api/miniprogram/deploy', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({
-            appid: appId,
-            privateKey,
-            action: args.action,
-            projectPath: args.projectPath,
-            version: args.version,
-            description: args.description,
-            robot: args.robot,
-          }),
-          signal: AbortSignal.timeout(120_000),
-        })
-
-        const body = (await res.json().catch(() => null)) as any
-
-        if (!res.ok || !body) {
-          return {
-            content: [
-              {
-                type: 'text' as const,
-                text: JSON.stringify({
-                  error: true,
-                  status: res.status,
-                  message: body?.error || body?.message || `HTTP ${res.status}`,
-                }),
-              },
-            ],
-            isError: true,
-          }
+      if (!privateKey) {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify({
+                error: true,
+                message: `未找到 appId ${appId} 的部署密钥，请先在小程序管理中关联该 appId`,
+              }),
+            },
+          ],
+          isError: true,
         }
+      }
 
-        if (body.async) {
-          return {
-            content: [
-              {
-                type: 'text' as const,
-                text: JSON.stringify({
-                  async: true,
-                  jobId: body.jobId,
-                  message: '部署仍在进行中，请稍后使用 getDeployJobStatus 工具查询结果',
-                }),
-              },
-            ],
-          }
-        }
+      const res = await sandbox.request('/api/miniprogram/deploy', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          appid: appId,
+          privateKey,
+          action: args.action,
+          projectPath: args.projectPath,
+          version: args.version,
+          description: args.description,
+          robot: args.robot,
+        }),
+        signal: AbortSignal.timeout(120_000),
+      })
 
-        if (!body.success) {
-          return {
-            content: [
-              {
-                type: 'text' as const,
-                text: JSON.stringify({
-                  error: true,
-                  message: body.error || body.result?.errMsg || 'Deploy failed',
-                  result: body.result,
-                }),
-              },
-            ],
-            isError: true,
-          }
-        }
+      const body = (await res.json().catch(() => null)) as any
 
-        return { content: [{ type: 'text' as const, text: JSON.stringify(body) }] }
-      } catch (e: any) {
+      if (!res.ok || !body) {
         return {
-          content: [{ type: 'text' as const, text: JSON.stringify({ error: true, message: e.message }) }],
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify({
+                error: true,
+                status: res.status,
+                message: body?.error || body?.message || `HTTP ${res.status}`,
+              }),
+            },
+          ],
           isError: true,
         }
       }
-    },
-  )
 
-  // ── getDeployJobStatus tool ───────────────────────────────────
-  server.tool(
-    'getDeployJobStatus',
-    '查询小程序发布/预览任务的状态。当 publishMiniprogram 返回 async=true 时使用此工具轮询结果。',
-    { jobId: z.string().describe('publishMiniprogram 返回的 jobId') },
-    async (args: Record<string, unknown>) => {
-      try {
-        const res = await sandbox.request(
-          `/api/miniprogram/deploy/status?jobId=${encodeURIComponent(args.jobId as string)}`,
-          { signal: AbortSignal.timeout(30_000) },
-        )
-        const body = (await res.json().catch(() => null)) as any
+      if (body.async) {
         return {
-          content: [{ type: 'text' as const, text: JSON.stringify(body ?? { error: true, status: res.status }) }],
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify({
+                async: true,
+                jobId: body.jobId,
+                message: '部署仍在进行中，请稍后使用 getDeployJobStatus 工具查询结果',
+              }),
+            },
+          ],
         }
-      } catch (e: any) {
+      }
+
+      if (!body.success) {
         return {
-          content: [{ type: 'text' as const, text: JSON.stringify({ error: true, message: e.message }) }],
+          content: [
+            {
+              type: 'text' as const,
+              text: JSON.stringify({
+                error: true,
+                message: body.error || body.result?.errMsg || 'Deploy failed',
+                result: body.result,
+              }),
+            },
+          ],
           isError: true,
         }
       }
-    },
-  )
+
+      // 触发 artifact：提取预览二维码或上传成功状态
+      if (onArtifact && body) {
+        if (body.result?.qrcode) {
+          const qrcode = `data:${body.result.qrcode.mimeType || 'image/png'};base64,${body.result.qrcode.base64}`
+          onArtifact({
+            title: '小程序预览二维码',
+            contentType: 'image',
+            data: qrcode,
+            metadata: { deploymentType: 'miniprogram', ...body },
+          })
+        } else if (body.success && args.action === 'upload') {
+          onArtifact({
+            title: '小程序上传成功',
+            contentType: 'json',
+            data: JSON.stringify(body),
+            metadata: { deploymentType: 'miniprogram', appId: args.appId as string },
+          })
+        }
+      }
+
+      return { content: [{ type: 'text' as const, text: JSON.stringify(body) }] }
+    } catch (e: any) {
+      return {
+        content: [{ type: 'text' as const, text: JSON.stringify({ error: true, message: e.message }) }],
+        isError: true,
+      }
+    }
+  }
+
+  const DEPLOY_STATUS_DESC =
+    '查询小程序发布/预览任务的状态。当 publishMiniprogram 返回 async=true 时使用此工具轮询结果。'
+  const DEPLOY_STATUS_SCHEMA = { jobId: z.string().describe('publishMiniprogram 返回的 jobId') }
+
+  async function handleGetDeployJobStatus(args: Record<string, unknown>) {
+    try {
+      const res = await sandbox.request(
+        `/api/miniprogram/deploy/status?jobId=${encodeURIComponent(args.jobId as string)}`,
+        { signal: AbortSignal.timeout(30_000) },
+      )
+      const body = (await res.json().catch(() => null)) as any
+      return {
+        content: [{ type: 'text' as const, text: JSON.stringify(body ?? { error: true, status: res.status }) }],
+      }
+    } catch (e: any) {
+      return {
+        content: [{ type: 'text' as const, text: JSON.stringify({ error: true, message: e.message }) }],
+        isError: true,
+      }
+    }
+  }
+
+  // 注册到标准 MCP Server
+  server.tool('publishMiniprogram', PUBLISH_MP_DESC, PUBLISH_MP_SCHEMA, handlePublishMiniprogram)
+  server.tool('getDeployJobStatus', DEPLOY_STATUS_DESC, DEPLOY_STATUS_SCHEMA, handleGetDeployJobStatus)
 
   // ── Wire InMemoryTransport pair ───────────────────────────────
 
@@ -563,7 +561,6 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
               try {
                 const deployUrl = extractDeployUrl(output, isFilePath(String(args.localPath || '')))
                 if (deployUrl) {
-                  log(`[sandbox-mcp] deploy artifact detected\n`)
                   onArtifact({
                     title: 'Web 应用已部署',
                     contentType: 'link',
@@ -584,92 +581,10 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
       )
     })
 
-  // SDK-wrapped publishMiniprogram tool
+  // SDK-wrapped publishMiniprogram + getDeployJobStatus（复用上面的 handler）
+  sdkTools.push(sdkTool('publishMiniprogram', PUBLISH_MP_DESC, PUBLISH_MP_SCHEMA as any, handlePublishMiniprogram))
   sdkTools.push(
-    sdkTool(
-      'publishMiniprogram',
-      '小程序发布/预览工具。支持预览（preview）和上传（upload）两种操作。',
-      {
-        action: z.enum(['preview', 'upload']).describe('操作类型'),
-        projectPath: z.string().describe('小程序项目路径'),
-        appId: z.string().describe('微信小程序 AppId'),
-        version: z.string().optional().describe('版本号'),
-        description: z.string().optional().describe('版本描述'),
-        robot: z.number().optional().describe('CI 机器人编号'),
-      },
-      async (args: Record<string, unknown>) => {
-        try {
-          let privateKey: string | undefined
-          const appId = args.appId as string
-
-          if (getMpDeployCredentials) {
-            const creds = await getMpDeployCredentials(appId)
-            if (creds) privateKey = creds.privateKey
-          }
-
-          if (!privateKey) {
-            return {
-              content: [
-                {
-                  type: 'text' as const,
-                  text: JSON.stringify({ error: true, message: `未找到 appId ${appId} 的部署密钥` }),
-                },
-              ],
-              isError: true,
-            }
-          }
-
-          const res = await sandbox.request('/api/miniprogram/deploy', {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-              appid: appId,
-              privateKey,
-              action: args.action,
-              projectPath: args.projectPath,
-              version: args.version,
-              description: args.description,
-              robot: args.robot,
-            }),
-            signal: AbortSignal.timeout(120_000),
-          })
-
-          const body = (await res.json().catch(() => null)) as any
-          if (!res.ok || !body) {
-            return {
-              content: [{ type: 'text' as const, text: JSON.stringify({ error: true, status: res.status }) }],
-              isError: true,
-            }
-          }
-          return { content: [{ type: 'text' as const, text: JSON.stringify(body) }] }
-        } catch (e: any) {
-          return { content: [{ type: 'text' as const, text: `Error: ${e.message}` }], isError: true }
-        }
-      },
-    ),
-  )
-
-  // SDK-wrapped getDeployJobStatus tool
-  sdkTools.push(
-    sdkTool(
-      'getDeployJobStatus',
-      '查询小程序发布/预览任务的状态。',
-      { jobId: z.string().describe('publishMiniprogram 返回的 jobId') },
-      async (args: Record<string, unknown>) => {
-        try {
-          const res = await sandbox.request(
-            `/api/miniprogram/deploy/status?jobId=${encodeURIComponent(args.jobId as string)}`,
-            { signal: AbortSignal.timeout(30_000) },
-          )
-          const body = (await res.json().catch(() => null)) as any
-          return {
-            content: [{ type: 'text' as const, text: JSON.stringify(body ?? { error: true, status: res.status }) }],
-          }
-        } catch (e: any) {
-          return { content: [{ type: 'text' as const, text: `Error: ${e.message}` }], isError: true }
-        }
-      },
-    ),
+    sdkTool('getDeployJobStatus', DEPLOY_STATUS_DESC, DEPLOY_STATUS_SCHEMA as any, handleGetDeployJobStatus),
   )
 
   // ── cronTask tool (CRUD) ──────────────────────────────────────
diff --git a/packages/shared/src/types/agent.ts b/packages/shared/src/types/agent.ts
index 8729ac4..1c33856 100644
--- a/packages/shared/src/types/agent.ts
+++ b/packages/shared/src/types/agent.ts
@@ -530,4 +530,6 @@ export interface AgentOptions {
    * - `default` | undefined: 普通模式（沿用原行为）
    */
   permissionMode?: AgentPermissionMode
+  /** 图片附件（多模态输入），转换后传给 SDK query() 的 ContentBlock[] */
+  imageBlocks?: AcpImageBlock[]
 }
diff --git a/packages/web/src/components/home-page-content.tsx b/packages/web/src/components/home-page-content.tsx
index 416ddc4..ec445c9 100644
--- a/packages/web/src/components/home-page-content.tsx
+++ b/packages/web/src/components/home-page-content.tsx
@@ -439,6 +439,7 @@ export function HomePageContent({
     keepAlive: boolean
     enableBrowser: boolean
     mode: 'default' | 'coding'
+    imageBlocks?: Array<{ data: string; mimeType: string }>
   }) => {
     console.log(
       '[TaskSubmit] called, isSubmitting:',
@@ -671,6 +672,10 @@ export function HomePageContent({
         // 全部成功，重置状态后再跳转
         console.log('[TaskSubmit] all success, navigating to /tasks/' + id)
         setIsSubmitting(false)
+        // Save image blocks to sessionStorage so task-page-client can pick them up
+        if (data.imageBlocks && data.imageBlocks.length > 0) {
+          sessionStorage.setItem(`task-images-${id}`, JSON.stringify(data.imageBlocks))
+        }
         navigate(`/tasks/${id}?prompt=${encodeURIComponent(data.prompt)}`)
         await refreshTasks()
       } catch (error) {
diff --git a/packages/web/src/components/task-chat.tsx b/packages/web/src/components/task-chat.tsx
index 310d1f0..aa2b76c 100644
--- a/packages/web/src/components/task-chat.tsx
+++ b/packages/web/src/components/task-chat.tsx
@@ -35,6 +35,8 @@ import {
   MoreVertical,
   MessageSquare,
   Trash2,
+  X,
+  ImageIcon,
 } from 'lucide-react'
 import { toast } from 'sonner'
 import { Streamdown } from 'streamdown'
@@ -62,6 +64,10 @@ export function TaskChat({
   const [copiedMessageId, setCopiedMessageId] = useState<string | null>(null)
   const [isStopping, setIsStopping] = useState(false)
   const [activeTab, setActiveTab] = useState('chat')
+  const [pendingImages, setPendingImages] = useState<
+    Array<{ id: string; url: string; data: string; mimeType: string }>
+  >([])
+  const imageInputRef = useRef<HTMLInputElement>(null)
 
   // Tab data
   const [prComments, setPrComments] = useState<PRComment[]>([])
@@ -397,10 +403,12 @@ export function TaskChat({
   const isAgentBusy = task.status === 'processing' || task.status === 'pending'
 
   const handleSendMessage = async () => {
-    if (!newMessage.trim() || isSending || isAgentBusy) return
+    if ((!newMessage.trim() && pendingImages.length === 0) || isSending || isAgentBusy) return
     const text = newMessage.trim()
+    const images = pendingImages.map(({ data, mimeType }) => ({ data, mimeType }))
     setNewMessage('')
-    await chatSendMessage(text, (draft) => setNewMessage(draft))
+    setPendingImages([])
+    await chatSendMessage(text, (draft) => setNewMessage(draft), images.length > 0 ? images : undefined)
     await fetchMessages(false)
   }
 
@@ -412,6 +420,45 @@ export function TaskChat({
     }
   }
 
+  const processImageFile = (file: File) => {
+    if (!file.type.startsWith('image/')) return
+    const reader = new FileReader()
+    reader.onload = (e) => {
+      const dataUrl = e.target?.result as string
+      // dataUrl = "data:image/png;base64,<data>"
+      const base64 = dataUrl.split(',')[1]
+      const url = URL.createObjectURL(file)
+      setPendingImages((prev) => [
+        ...prev,
+        { id: `img-${Date.now()}-${Math.random()}`, url, data: base64, mimeType: file.type },
+      ])
+    }
+    reader.readAsDataURL(file)
+  }
+
+  const handlePasteImage = (e: React.ClipboardEvent) => {
+    const items = Array.from(e.clipboardData.items)
+    items.forEach((item) => {
+      if (item.type.startsWith('image/')) {
+        const file = item.getAsFile()
+        if (file) processImageFile(file)
+      }
+    })
+  }
+
+  const handleImageFiles = (e: React.ChangeEvent<HTMLInputElement>) => {
+    Array.from(e.target.files ?? []).forEach(processImageFile)
+    e.target.value = ''
+  }
+
+  const removeImage = (id: string) => {
+    setPendingImages((prev) => {
+      const img = prev.find((i) => i.id === id)
+      if (img) URL.revokeObjectURL(img.url)
+      return prev.filter((i) => i.id !== id)
+    })
+  }
+
   const handleCopyMessage = async (messageId: string, content: string) => {
     try {
       await navigator.clipboard.writeText(content)
@@ -921,6 +968,23 @@ export function TaskChat({
                   className={`${groupIndex > 0 ? 'mt-4' : ''} sticky top-0 z-10 before:content-[""] before:absolute before:inset-0 before:bg-background before:-z-10`}
                 >
                   <Card className="px-2 py-2 bg-card rounded-md relative z-10 gap-0.5">
+                    {/* Render image parts outside height-limited container */}
+                    {group.userMessage.parts?.some((p) => p.type === 'image') && (
+                      <div className="flex flex-wrap gap-1.5 mb-1.5">
+                        {group.userMessage.parts
+                          .filter((p) => p.type === 'image')
+                          .map((p, i) =>
+                            p.type === 'image' ? (
+                              <img
+                                key={i}
+                                src={`data:${p.mimeType};base64,${p.data}`}
+                                alt=""
+                                className="h-14 max-w-[100px] rounded object-cover border border-border"
+                              />
+                            ) : null,
+                          )}
+                      </div>
+                    )}
                     <div
                       ref={(el) => {
                         contentRefs.current[group.userMessage.id] = el
@@ -1328,15 +1392,50 @@ export function TaskChat({
       {/* Input Area */}
       {!readOnly && activeTab === 'chat' && (
         <div className="flex-shrink-0 px-3 pb-3">
+          {/* Pending images preview */}
+          {pendingImages.length > 0 && (
+            <div className="flex flex-wrap gap-2 mb-2">
+              {pendingImages.map((img) => (
+                <div key={img.id} className="relative group">
+                  <img src={img.url} alt="" className="h-16 w-16 rounded-lg object-cover border border-border" />
+                  <button
+                    onClick={() => removeImage(img.id)}
+                    className="absolute -top-1 -right-1 w-4 h-4 bg-background border border-border rounded-full flex items-center justify-center opacity-0 group-hover:opacity-100 transition-opacity"
+                  >
+                    <X className="h-2.5 w-2.5" />
+                  </button>
+                </div>
+              ))}
+            </div>
+          )}
           <div className="relative">
             <Textarea
               value={newMessage}
               onChange={(e) => setNewMessage(e.target.value)}
               onKeyDown={handleKeyDown}
-              placeholder="Send a follow-up message..."
-              className="w-full min-h-[60px] max-h-[120px] resize-none pr-12 text-base md:text-xs"
+              onPaste={handlePasteImage}
+              placeholder="Send a follow-up message... (paste images with Ctrl+V)"
+              className="w-full min-h-[60px] max-h-[120px] resize-none pr-16 text-base md:text-xs"
               disabled={isSending}
             />
+            {/* Image picker button */}
+            {!isAgentBusy && !isSending && (
+              <button
+                onClick={() => imageInputRef.current?.click()}
+                className="absolute bottom-2 right-8 rounded-full h-5 w-5 text-muted-foreground hover:text-foreground flex items-center justify-center"
+                title="Attach image"
+              >
+                <ImageIcon className="h-3 w-3" />
+              </button>
+            )}
+            <input
+              ref={imageInputRef}
+              type="file"
+              accept="image/jpeg,image/png,image/gif,image/webp"
+              multiple
+              className="hidden"
+              onChange={handleImageFiles}
+            />
             {isAgentBusy || isSending ? (
               <button
                 onClick={handleStopTask}
@@ -1353,7 +1452,7 @@ export function TaskChat({
             ) : (
               <button
                 onClick={handleSendMessage}
-                disabled={!newMessage.trim()}
+                disabled={!newMessage.trim() && pendingImages.length === 0}
                 className="absolute bottom-2 right-2 rounded-full h-5 w-5 bg-primary text-primary-foreground hover:bg-primary/90 flex items-center justify-center disabled:opacity-50 disabled:cursor-not-allowed"
                 title="Send message"
               >
diff --git a/packages/web/src/components/task-details.tsx b/packages/web/src/components/task-details.tsx
index 114eb05..94c78ab 100644
--- a/packages/web/src/components/task-details.tsx
+++ b/packages/web/src/components/task-details.tsx
@@ -111,6 +111,7 @@ interface TaskDetailsProps {
   maxSandboxDuration?: number
   onStreamComplete?: () => void
   initialPrompt?: string
+  initialImages?: Array<{ data: string; mimeType: string }>
   onInitialPromptConsumed?: () => void
 }
 
@@ -193,6 +194,7 @@ export function TaskDetails({
   maxSandboxDuration = 300,
   onStreamComplete,
   initialPrompt,
+  initialImages,
   onInitialPromptConsumed,
 }: TaskDetailsProps) {
   // ── Theme & session (for CloudDashboard) ──
@@ -210,8 +212,8 @@ export function TaskDetails({
     if (!initialPrompt || initialTriggered.current) return
     initialTriggered.current = true
     onInitialPromptConsumed?.()
-    chatStream.sendInitialPrompt(initialPrompt)
-  }, [initialPrompt, onInitialPromptConsumed, chatStream.sendInitialPrompt])
+    chatStream.sendInitialPrompt(initialPrompt, initialImages)
+  }, [initialPrompt, initialImages, onInitialPromptConsumed, chatStream.sendInitialPrompt])
 
   const [optimisticStatus, setOptimisticStatus] = useState<Task['status'] | null>(null)
   const [mcpServers, setMcpServers] = useState<Connector[]>([])
diff --git a/packages/web/src/components/task-form.tsx b/packages/web/src/components/task-form.tsx
index c26a18d..26b394d 100644
--- a/packages/web/src/components/task-form.tsx
+++ b/packages/web/src/components/task-form.tsx
@@ -13,7 +13,7 @@ import {
   DropdownMenuTrigger,
 } from '@/components/ui/dropdown-menu'
 import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from '@/components/ui/tooltip'
-import { Loader2, ArrowUp, Settings, X, Cable, Globe, Code2 } from 'lucide-react'
+import { Loader2, ArrowUp, Settings, X, Cable, Globe, Code2, ImageIcon } from 'lucide-react'
 import { CodeBuddy, MiMo, OpenCode, ProviderLogos, type ProviderKey } from '@/components/logos'
 // import { Claude, Codex, Copilot, Cursor, Gemini } from '@/components/logos'
 import { setInstallDependencies, setMaxDuration, setKeepAlive, setEnableBrowser } from '@/lib/utils/cookies'
@@ -47,6 +47,7 @@ interface TaskFormProps {
     maxDuration: number
     keepAlive: boolean
     enableBrowser: boolean
+    imageBlocks?: Array<{ data: string; mimeType: string }>
   }) => void
   isSubmitting: boolean
   selectedOwner: string
@@ -60,12 +61,12 @@ interface TaskFormProps {
 
 /** runtime name → agent value 的映射（让 CODING_AGENTS 与后端 runtime name 对齐） */
 const RUNTIME_TO_AGENT: Record<string, string> = {
-  'tencent-sdk': 'codebuddy',
+  codebuddy: 'codebuddy',
   'opencode-acp': 'opencode',
 }
 
 const CODING_AGENTS = [
-  { value: 'codebuddy', label: 'CodeBuddy', icon: CodeBuddy, isLogo: true, runtime: 'tencent-sdk' },
+  { value: 'codebuddy', label: 'CodeBuddy', icon: CodeBuddy, isLogo: true, runtime: 'codebuddy' },
   { value: 'opencode', label: 'OpenCode', icon: OpenCode, isLogo: true, runtime: 'opencode-acp' },
   // --- Other agents (commented out, kept for reference) ---
   // { value: 'claude', label: 'Claude', icon: Claude, isLogo: true, runtime: 'claude' },
@@ -118,13 +119,17 @@ export function TaskForm({
   const [taskMode, setTaskMode] = useState<'default' | 'coding'>('coding')
   const [repos, setRepos] = useAtom(githubReposAtomFamily(selectedOwner))
   const [, setLoadingRepos] = useState(false)
+  const [pendingImages, setPendingImages] = useState<
+    Array<{ id: string; url: string; data: string; mimeType: string }>
+  >([])
+  const imageInputRef = useRef<HTMLInputElement>(null)
 
   // Per-agent model lists and availability, loaded from /api/agent/runtimes
   const [agentModels, setAgentModels] = useState<Record<string, ModelInfo[]>>({
     codebuddy: [{ id: 'glm-5.1', name: 'GLM 5.1' }],
   })
   const [unavailableAgents, setUnavailableAgents] = useState<Set<string>>(new Set())
-  const [selectedRuntime, setSelectedRuntime] = useState<string>('tencent-sdk')
+  const [selectedRuntime, setSelectedRuntime] = useState<string>('codebuddy')
 
   useEffect(() => {
     fetch('/api/agent/runtimes')
@@ -284,6 +289,43 @@ export function TaskForm({
     fetchRepos()
   }, [selectedOwner, repos, setRepos])
 
+  const processImageFile = (file: File) => {
+    if (!file.type.startsWith('image/')) return
+    const reader = new FileReader()
+    reader.onload = (e) => {
+      const dataUrl = e.target?.result as string
+      const base64 = dataUrl.split(',')[1]
+      const url = URL.createObjectURL(file)
+      setPendingImages((prev) => [
+        ...prev,
+        { id: `img-${Date.now()}-${Math.random()}`, url, data: base64, mimeType: file.type },
+      ])
+    }
+    reader.readAsDataURL(file)
+  }
+
+  const handlePasteImage = (e: React.ClipboardEvent) => {
+    Array.from(e.clipboardData.items).forEach((item) => {
+      if (item.type.startsWith('image/')) {
+        const file = item.getAsFile()
+        if (file) processImageFile(file)
+      }
+    })
+  }
+
+  const handleImageFiles = (e: React.ChangeEvent<HTMLInputElement>) => {
+    Array.from(e.target.files ?? []).forEach(processImageFile)
+    e.target.value = ''
+  }
+
+  const removeImage = (id: string) => {
+    setPendingImages((prev) => {
+      const img = prev.find((i) => i.id === id)
+      if (img) URL.revokeObjectURL(img.url)
+      return prev.filter((i) => i.id !== id)
+    })
+  }
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
     console.log('[TaskForm] handleSubmit called, prompt:', prompt?.slice(0, 20), 'isSubmitting:', isSubmitting)
@@ -307,7 +349,10 @@ export function TaskForm({
         maxDuration,
         keepAlive,
         enableBrowser,
+        imageBlocks:
+          pendingImages.length > 0 ? pendingImages.map(({ data, mimeType }) => ({ data, mimeType })) : undefined,
       })
+      setPendingImages([])
       return
     }
 
@@ -356,7 +401,10 @@ export function TaskForm({
       maxDuration,
       keepAlive,
       enableBrowser,
+      imageBlocks:
+        pendingImages.length > 0 ? pendingImages.map(({ data, mimeType }) => ({ data, mimeType })) : undefined,
     })
+    setPendingImages([])
   }
 
   return (
@@ -378,21 +426,48 @@ export function TaskForm({
 
       <form onSubmit={handleSubmit}>
         <div className="relative border rounded-2xl shadow-sm overflow-hidden bg-muted/30 cursor-text">
+          {/* Pending images preview */}
+          {pendingImages.length > 0 && (
+            <div className="flex flex-wrap gap-2 px-4 pt-3">
+              {pendingImages.map((img) => (
+                <div key={img.id} className="relative group">
+                  <img src={img.url} alt="" className="h-16 w-16 rounded-lg object-cover border border-border" />
+                  <button
+                    type="button"
+                    onClick={() => removeImage(img.id)}
+                    className="absolute -top-1 -right-1 w-4 h-4 bg-background border border-border rounded-full flex items-center justify-center opacity-0 group-hover:opacity-100 transition-opacity"
+                  >
+                    <X className="h-2.5 w-2.5" />
+                  </button>
+                </div>
+              ))}
+            </div>
+          )}
           {/* Prompt Input */}
           <div className="relative bg-transparent">
             <Textarea
               ref={textareaRef}
               id="prompt"
-              placeholder="Describe what you want the AI agent to do..."
+              placeholder="Describe what you want the AI agent to do... (paste images with Ctrl+V)"
               value={prompt}
               onChange={(e) => setPrompt(e.target.value)}
               onKeyDown={handleTextareaKeyDown}
+              onPaste={handlePasteImage}
               disabled={isSubmitting}
               required
               rows={4}
               className="w-full border-0 resize-none focus-visible:ring-0 focus-visible:ring-offset-0 p-4 text-base !bg-transparent shadow-none!"
             />
           </div>
+          {/* Hidden file input */}
+          <input
+            ref={imageInputRef}
+            type="file"
+            accept="image/jpeg,image/png,image/gif,image/webp"
+            multiple
+            className="hidden"
+            onChange={handleImageFiles}
+          />
 
           {/* Mode + Agent/Model selector */}
           <div className="p-4">
@@ -480,7 +555,7 @@ export function TaskForm({
                 </div>
 
                 {/* Option Chips - Only visible on desktop */}
-                {(!installDependencies || maxDuration !== maxSandboxDuration || keepAlive) && (
+                {/* {(!installDependencies || maxDuration !== maxSandboxDuration || keepAlive) && (
                   <div className="hidden sm:flex items-center gap-2 flex-wrap">
                     {!installDependencies && (
                       <Badge variant="secondary" className="text-xs h-6 px-2 gap-1 bg-transparent border-0">
@@ -531,7 +606,7 @@ export function TaskForm({
                       </Badge>
                     )}
                   </div>
-                )}
+                )} */}
               </div>
 
               {/* Right side: Action Icons and Submit Button */}
@@ -680,9 +755,18 @@ export function TaskForm({
                     </DropdownMenu>
                   </TooltipProvider>
 
+                  <button
+                    type="button"
+                    onClick={() => imageInputRef.current?.click()}
+                    className="flex items-center justify-center h-8 w-8 rounded-full text-muted-foreground hover:text-foreground transition-colors"
+                    title="Attach image"
+                  >
+                    <ImageIcon className="h-4 w-4" />
+                  </button>
+
                   <Button
                     type="submit"
-                    disabled={isSubmitting || !prompt.trim()}
+                    disabled={isSubmitting || (!prompt.trim() && pendingImages.length === 0)}
                     size="sm"
                     className="rounded-full h-8 w-8 p-0"
                   >
diff --git a/packages/web/src/components/task-page-client.tsx b/packages/web/src/components/task-page-client.tsx
index bf11a4f..976342c 100644
--- a/packages/web/src/components/task-page-client.tsx
+++ b/packages/web/src/components/task-page-client.tsx
@@ -43,6 +43,7 @@ export function TaskPageClient({
   // 读取 URL ?prompt= 参数，只读一次然后清除
   const [searchParams, setSearchParams] = useSearchParams()
   const [initialPrompt, setInitialPrompt] = useState<string | undefined>(undefined)
+  const [initialImages, setInitialImages] = useState<Array<{ data: string; mimeType: string }> | undefined>(undefined)
   const promptExtracted = useRef(false)
 
   useEffect(() => {
@@ -51,10 +52,20 @@ export function TaskPageClient({
     const p = searchParams.get('prompt')
     if (p) {
       setInitialPrompt(p)
+      // Pick up any images saved to sessionStorage when the task was created
+      const storedImages = sessionStorage.getItem(`task-images-${taskId}`)
+      if (storedImages) {
+        try {
+          setInitialImages(JSON.parse(storedImages))
+        } catch {
+          /* ignore */
+        }
+        sessionStorage.removeItem(`task-images-${taskId}`)
+      }
       // 用 replace 清除 URL 参数，不增加历史记录
       setSearchParams({}, { replace: true })
     }
-  }, [searchParams, setSearchParams])
+  }, [searchParams, setSearchParams, taskId])
 
   const handleInitialPromptConsumed = useCallback(() => {
     setInitialPrompt(undefined)
@@ -110,6 +121,7 @@ export function TaskPageClient({
           maxSandboxDuration={maxSandboxDuration}
           onStreamComplete={refetch}
           initialPrompt={initialPrompt}
+          initialImages={initialImages}
           onInitialPromptConsumed={handleInitialPromptConsumed}
         />
       </div>
diff --git a/packages/web/src/hooks/use-chat-stream.ts b/packages/web/src/hooks/use-chat-stream.ts
index d464890..a29ae59 100644
--- a/packages/web/src/hooks/use-chat-stream.ts
+++ b/packages/web/src/hooks/use-chat-stream.ts
@@ -229,14 +229,17 @@ export function useChatStream(taskId: string, options: UseChatStreamOptions = {}
 
   /** Send the initial prompt (from URL param). Only called once. */
   const sendInitialPrompt = useCallback(
-    async (text: string) => {
+    async (text: string, imageBlocks?: Array<{ data: string; mimeType: string }>) => {
       acpSessionReady.current = true
       const userMsg: TaskMessage = {
         id: `user-${Date.now()}`,
         taskId,
         role: 'user',
         content: text,
-        parts: [{ type: 'text', text }],
+        parts: [
+          ...(imageBlocks?.map((img) => ({ type: 'image' as const, data: img.data, mimeType: img.mimeType })) ?? []),
+          { type: 'text', text },
+        ],
         createdAt: Date.now(),
       }
       const assistantMsgId = `stream-${Date.now()}`
@@ -253,7 +256,10 @@ export function useChatStream(taskId: string, options: UseChatStreamOptions = {}
       try {
         await runPromptStream(assistantMsgId, {
           sessionId: taskId,
-          prompt: [{ type: 'text', text }],
+          prompt: [
+            ...(imageBlocks?.map((img) => ({ type: 'image' as const, data: img.data, mimeType: img.mimeType })) ?? []),
+            { type: 'text', text },
+          ],
           // P2: Plan 模式激活时让 Agent 以 permissionMode='plan' 启动
           ...(planMode.active ? { permissionMode: 'plan' as const } : {}),
         })
@@ -266,14 +272,25 @@ export function useChatStream(taskId: string, options: UseChatStreamOptions = {}
 
   /** Send a follow-up message in an existing conversation. */
   const sendMessage = useCallback(
-    async (text: string, onRestoreDraft: (text: string) => void) => {
+    async (
+      text: string,
+      onRestoreDraft: (text: string) => void,
+      imageBlocks?: Array<{ data: string; mimeType: string }>,
+    ) => {
       const userMsgId = `local-${Date.now()}`
       const userMsg: TaskMessage = {
         id: userMsgId,
         taskId,
         role: 'user',
         content: text,
-        parts: [{ type: 'text', text }],
+        parts: [
+          ...(imageBlocks?.map((img) => ({
+            type: 'image' as const,
+            data: img.data,
+            mimeType: img.mimeType,
+          })) ?? []),
+          { type: 'text', text },
+        ],
         createdAt: Date.now(),
       }
       setMessages((prev) => [...prev, userMsg])
@@ -304,7 +321,10 @@ export function useChatStream(taskId: string, options: UseChatStreamOptions = {}
         enterStreaming()
         await runPromptStream(assistantMsgId, {
           sessionId: taskId,
-          prompt: [{ type: 'text', text }],
+          prompt: [
+            ...(imageBlocks?.map((img) => ({ type: 'image' as const, data: img.data, mimeType: img.mimeType })) ?? []),
+            { type: 'text', text },
+          ],
           ...(planMode.active ? { permissionMode: 'plan' as const } : {}),
         })
       } catch (err) {
diff --git a/packages/web/src/types/task-chat.ts b/packages/web/src/types/task-chat.ts
index 0165372..98622b8 100644
--- a/packages/web/src/types/task-chat.ts
+++ b/packages/web/src/types/task-chat.ts
@@ -17,6 +17,7 @@ export interface TaskMessage {
 export type MessagePart =
   | { type: 'text'; text: string }
   | { type: 'thinking'; text: string }
+  | { type: 'image'; data: string; mimeType: string }
   | {
       type: 'tool_call'
       toolCallId: string

From d7ab65f9dbe29ef68a87991b7a0646c662293ee3 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Thu, 7 May 2026 12:13:05 +0800
Subject: [PATCH 19/33] =?UTF-8?q?feat(opencode):=20e2e=20=E9=AA=8C?=
 =?UTF-8?q?=E8=AF=81=20+=20UI=20=E5=B7=A5=E5=85=B7=E5=90=8D=E9=80=82?=
 =?UTF-8?q?=E9=85=8D=20+=20git=20archive=20+=20todowrite=20=E9=9D=A2?=
 =?UTF-8?q?=E6=9D=BF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 修复 mcpServers 格式错误：newSession 改回 mcpServers: []
  （沙箱无 standalone MCP HTTP endpoint，custom tool 已通过 env 直连）
- 补充 archiveToGit：agent 完成后归档沙箱变更到 git（对齐 CodeBuddy 行为）
- 前端 TOOL_RENDERERS 新增小写别名（opencode 工具名全小写：todowrite/read/edit/bash 等）
- HIDDEN_TOOLS 新增 todowrite/TodoWrite，避免聊天流重复显示
- task-list-panel deriveTasks 新增 todowrite 解析：todos 数组 → TaskListPanel 面板
  （后续 todowrite 调用覆盖前次快照，支持实时状态更新）
- 新增 e2e 测试脚本：test-opencode-coding-preview-e2e.mts（coding mode + 预览）
  test-opencode-todowrite-e2e.mts（todowrite 工具名验证）
---
 .../test-opencode-coding-preview-e2e.mts      | 313 ++++++++++++++++++
 .../scripts/test-opencode-todowrite-e2e.mts   |  93 ++++++
 .../src/agent/runtime/opencode-acp-runtime.ts |  27 +-
 .../src/components/chat/task-list-panel.tsx   |  48 ++-
 .../components/chat/tool-renderers/index.ts   |  15 +-
 packages/web/src/components/task-chat.tsx     |  11 +-
 6 files changed, 490 insertions(+), 17 deletions(-)
 create mode 100644 packages/server/scripts/test-opencode-coding-preview-e2e.mts
 create mode 100644 packages/server/scripts/test-opencode-todowrite-e2e.mts

diff --git a/packages/server/scripts/test-opencode-coding-preview-e2e.mts b/packages/server/scripts/test-opencode-coding-preview-e2e.mts
new file mode 100644
index 0000000..6be6922
--- /dev/null
+++ b/packages/server/scripts/test-opencode-coding-preview-e2e.mts
@@ -0,0 +1,313 @@
+#!/usr/bin/env tsx
+/**
+ * E2E: OpenCode runtime + coding mode + preview + 第二轮修改
+ *
+ * 验证目标：
+ *  Round 1: hi 激活 → 沙箱初始化 + coding 模板 + Vite dev server 启动
+ *           → previewUrl 标记 ready，预览路径可访问
+ *  Round 2: 让 agent 修改 src/App.tsx 中某个文案 → 用 read+write 工具
+ *           → 重新拉预览，验证内容变更体现在 dev server 输出中
+ *
+ * 用法：
+ *   cd packages/server
+ *   npx tsx --env-file=.env scripts/test-opencode-coding-preview-e2e.mts
+ */
+
+import 'dotenv/config'
+import { opencodeAcpRuntime } from '../src/agent/runtime/opencode-acp-runtime.js'
+import { scfSandboxManager } from '../src/sandbox/scf-sandbox-manager.js'
+import { getDb } from '../src/db/index.js'
+import type { AgentCallbackMessage } from '@coder/shared'
+
+const envId = process.env.TCB_ENV_ID
+if (!envId) {
+  console.error('TCB_ENV_ID not set')
+  process.exit(1)
+}
+
+const conversationId = `opencode-coding-e2e-${Date.now()}`
+const userId = 'e2e-coding-user'
+
+// 用一个有标记的 marker 字符串，便于在 round 2 中验证替换成功
+// 用普通可读词避免被模型内容审核误判
+const ROUND1_PROMPT = 'hi'
+const TITLE_MARKER = `我的精彩应用`
+const ROUND2_PROMPT = `请帮我把项目 index.html 的网页标题（title 标签）改成"${TITLE_MARKER}"。简单地说：用 read 工具读 index.html，然后用 edit 或 write 工具把 <title>...</title> 之间的文字替换成"${TITLE_MARKER}"，做完告诉我即可。`
+
+console.log('=== OpenCode coding mode preview e2e ===')
+console.log(`envId        = ${envId}`)
+console.log(`conversationId = ${conversationId}`)
+console.log(`titleMarker  = ${TITLE_MARKER}\n`)
+
+// ─── Helpers ────────────────────────────────────────────────────────────
+
+interface Recorded {
+  type: string
+  name?: string
+  preview?: string
+}
+
+function makeRecorder(label: string): {
+  cb: (msg: AgentCallbackMessage) => Promise<void>
+  events: Recorded[]
+} {
+  const events: Recorded[] = []
+  const cb = async (msg: AgentCallbackMessage): Promise<void> => {
+    events.push({
+      type: msg.type,
+      name: msg.name,
+      preview: typeof msg.content === 'string' ? msg.content.slice(0, 200) : undefined,
+    })
+    if (msg.type === 'text' && msg.content) process.stdout.write(msg.content)
+    else if (msg.type === 'tool_use')
+      console.log(`\n[${label} tool_use ▶] ${msg.name} input=${JSON.stringify(msg.input).slice(0, 200)}`)
+    else if (msg.type === 'tool_result')
+      console.log(
+        `[${label} tool_result ◯] tool_use_id=${msg.tool_use_id} is_error=${msg.is_error} out=${(msg.content || '').slice(0, 200)}`,
+      )
+    else if (msg.type === 'agent_phase') console.log(`\n[${label} phase] ${msg.phase}`)
+    else if (msg.type === 'error') console.log(`\n[${label} error] ${msg.content}`)
+    else if (msg.type === 'result') console.log(`\n[${label} result] ${(msg.content || '').slice(0, 200)}`)
+  }
+  return { cb, events }
+}
+
+async function waitForResultOrError(events: Recorded[], maxMs = 240_000): Promise<void> {
+  const start = Date.now()
+  while (Date.now() - start < maxMs) {
+    if (events.some((e) => e.type === 'result' || e.type === 'error')) return
+    await new Promise((r) => setTimeout(r, 500))
+  }
+  throw new Error(`timed out after ${maxMs}ms waiting for result/error`)
+}
+
+// ─── Pre-flight: ensure DB ready, mark task as coding mode ──────────────
+
+async function ensureTaskCodingMode(): Promise<void> {
+  const now = Date.now()
+  try {
+    await getDb().tasks.create({
+      id: conversationId,
+      userId,
+      prompt: ROUND1_PROMPT,
+      title: null,
+      repoUrl: null,
+      selectedAgent: 'opencode' as any,
+      selectedModel: 'mimo/mimo-v2.5-pro',
+      selectedRuntime: 'opencode-acp',
+      mode: 'coding',
+      installDependencies: false,
+      maxDuration: 30,
+      keepAlive: false,
+      enableBrowser: false,
+      status: 'pending',
+      progress: 0,
+      logs: '[]',
+      error: null,
+      branchName: null,
+      sandboxId: null,
+      sandboxSessionId: envId,
+      sandboxCwd: `/tmp/workspace/${envId}/${conversationId}`,
+      sandboxMode: 'shared',
+      agentSessionId: null,
+      sandboxUrl: null,
+      previewUrl: null,
+      prUrl: null,
+      prNumber: null,
+      prStatus: null,
+      prMergeCommitSha: null,
+      mcpServerIds: null,
+      createdAt: now,
+      updatedAt: now,
+    } as any)
+    console.log(`[setup] task created (coding mode)`)
+  } catch (e) {
+    console.log(`[setup] task.create failed (may already exist): ${(e as Error).message}`)
+  }
+}
+
+await ensureTaskCodingMode()
+
+// ─── Round 1: hi → expect sandbox + coding init + dev server up ─────────
+
+console.log('\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━')
+console.log('Round 1: 激活 (hi) → 沙箱 + coding 项目 + dev server')
+console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n')
+
+const r1 = makeRecorder('R1')
+const r1Start = Date.now()
+const r1Result = await opencodeAcpRuntime.chatStream(ROUND1_PROMPT, r1.cb, {
+  conversationId,
+  envId,
+  userId,
+  mode: 'coding',
+  model: 'mimo/mimo-v2.5-pro',
+})
+console.log(`\n[R1] chatStream returned: turnId=${r1Result.turnId}`)
+
+await waitForResultOrError(r1.events, 240_000)
+const r1Elapsed = ((Date.now() - r1Start) / 1000).toFixed(1)
+console.log(`\n[R1] completed in ${r1Elapsed}s`)
+
+// ─── Round 1 sandbox & dev server validation ────────────────────────────
+
+console.log('\n[R1] === sandbox + dev server validation ===')
+
+const sandbox = await scfSandboxManager.getOrCreate(conversationId, envId, {
+  mode: 'shared',
+  workspaceIsolation: 'shared',
+  isCodingMode: true,
+})
+
+let scopeInfo: any = null
+try {
+  const headers = await sandbox.getAuthHeaders()
+  const res = await fetch(`${sandbox.baseUrl}/api/scope/info`, { headers })
+  scopeInfo = await res.json().catch(() => null)
+  console.log(`[R1] scope/info: ${JSON.stringify(scopeInfo).slice(0, 400)}`)
+} catch (e) {
+  console.log(`[R1] scope/info error: ${(e as Error).message}`)
+}
+
+const workspace: string | undefined = scopeInfo?.workspace
+const vitePort: number | undefined = scopeInfo?.vitePort
+console.log(`[R1] workspace=${workspace} vitePort=${vitePort}`)
+
+// Check that index.html exists in workspace
+let indexHtmlExists = false
+let indexHtmlContent = ''
+try {
+  const headers = await sandbox.getAuthHeaders()
+  const res = await fetch(`${sandbox.baseUrl}/api/tools/read`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify({ path: 'index.html' }),
+  })
+  const data = (await res.json().catch(() => ({}))) as any
+  if (data.success && typeof data.result?.content === 'string') {
+    indexHtmlContent = data.result.content
+    indexHtmlExists = true
+    console.log(`[R1] index.html exists, size=${indexHtmlContent.length}`)
+    const titleMatch = indexHtmlContent.match(/<title[^>]*>([^<]*)<\/title>/i)
+    console.log(`[R1] current <title>: ${titleMatch?.[1] ?? '(no title)'}`)
+  } else {
+    console.log(`[R1] index.html read failed: ${JSON.stringify(data).slice(0, 200)}`)
+  }
+} catch (e) {
+  console.log(`[R1] read index.html error: ${(e as Error).message}`)
+}
+
+// Check dev server preview path - 用 scope/info 返回的真实 previewUrl
+const previewPath: string = scopeInfo?.previewUrl || (vitePort ? `/preview/${vitePort}/` : '/preview/')
+let previewOk = false
+let previewSnippet = ''
+try {
+  const headers = await sandbox.getAuthHeaders()
+  const res = await fetch(`${sandbox.baseUrl}${previewPath}`, { headers, signal: AbortSignal.timeout(15000) })
+  previewSnippet = (await res.text()).slice(0, 600)
+  previewOk = res.ok && previewSnippet.length > 0
+  console.log(
+    `[R1] ${previewPath} status=${res.status} ok=${previewOk} snippet="${previewSnippet.slice(0, 200).replace(/\n/g, ' ')}"`,
+  )
+} catch (e) {
+  console.log(`[R1] ${previewPath} error: ${(e as Error).message}`)
+}
+
+// Check task previewUrl in DB
+const task1 = await getDb().tasks.findById(conversationId)
+console.log(`[R1] task.previewUrl = ${task1?.previewUrl}`)
+
+// ─── Round 2: ask agent to modify title ────────────────────────────────
+
+console.log('\n\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━')
+console.log('Round 2: 修改 index.html title → 验证预览更新')
+console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n')
+
+const r2 = makeRecorder('R2')
+const r2Start = Date.now()
+const r2Result = await opencodeAcpRuntime.chatStream(ROUND2_PROMPT, r2.cb, {
+  conversationId,
+  envId,
+  userId,
+  mode: 'coding',
+  model: 'mimo/mimo-v2.5-pro',
+})
+console.log(`\n[R2] chatStream returned: turnId=${r2Result.turnId}`)
+
+await waitForResultOrError(r2.events, 300_000)
+const r2Elapsed = ((Date.now() - r2Start) / 1000).toFixed(1)
+console.log(`\n[R2] completed in ${r2Elapsed}s`)
+
+// ─── Round 2 validation: title changed in file & preview ───────────────
+
+console.log('\n[R2] === modification validation ===')
+
+let r2IndexContent = ''
+try {
+  const headers = await sandbox.getAuthHeaders()
+  const res = await fetch(`${sandbox.baseUrl}/api/tools/read`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', ...headers },
+    body: JSON.stringify({ path: 'index.html' }),
+  })
+  const data = (await res.json().catch(() => ({}))) as any
+  if (data.success && typeof data.result?.content === 'string') {
+    r2IndexContent = data.result.content
+    const titleMatch = r2IndexContent.match(/<title[^>]*>([^<]*)<\/title>/i)
+    console.log(`[R2] new <title>: ${titleMatch?.[1] ?? '(no title)'}`)
+  }
+} catch (e) {
+  console.log(`[R2] read index.html error: ${(e as Error).message}`)
+}
+
+const fileHasMarker = r2IndexContent.includes(TITLE_MARKER)
+
+// Wait a moment for vite HMR to pick up change, then re-fetch preview
+await new Promise((r) => setTimeout(r, 3000))
+
+let r2PreviewSnippet = ''
+let previewHasMarker = false
+try {
+  const headers = await sandbox.getAuthHeaders()
+  const res = await fetch(`${sandbox.baseUrl}${previewPath}`, { headers, signal: AbortSignal.timeout(15000) })
+  r2PreviewSnippet = await res.text()
+  previewHasMarker = r2PreviewSnippet.includes(TITLE_MARKER)
+  const titleMatch = r2PreviewSnippet.match(/<title[^>]*>([^<]*)<\/title>/i)
+  console.log(`[R2] preview <title>: ${titleMatch?.[1] ?? '(no title)'}  (status=${res.status})`)
+} catch (e) {
+  console.log(`[R2] ${previewPath} error: ${(e as Error).message}`)
+}
+
+// ─── Summary & assertions ──────────────────────────────────────────────
+
+const r1Counts: Record<string, number> = {}
+for (const e of r1.events) r1Counts[e.type] = (r1Counts[e.type] ?? 0) + 1
+const r2Counts: Record<string, number> = {}
+for (const e of r2.events) r2Counts[e.type] = (r2Counts[e.type] ?? 0) + 1
+
+console.log('\n\n=========================================================')
+console.log('FINAL SUMMARY')
+console.log('=========================================================')
+console.log(`R1 events:  ${JSON.stringify(r1Counts)}`)
+console.log(`R2 events:  ${JSON.stringify(r2Counts)}`)
+console.log()
+console.log('R1 (sandbox + coding init):')
+console.log(`  workspace path:               ${workspace ? 'PASS' : 'FAIL'}  (${workspace})`)
+console.log(`  index.html exists:            ${indexHtmlExists ? 'PASS' : 'FAIL'}`)
+console.log(`  /preview/ accessible:         ${previewOk ? 'PASS' : 'FAIL'}`)
+console.log(`  task.previewUrl set:          ${task1?.previewUrl ? 'PASS' : 'FAIL'} (${task1?.previewUrl})`)
+console.log(`  R1 has result event:          ${r1Counts.result ? 'PASS' : 'FAIL'}`)
+console.log()
+console.log('R2 (file modification + preview):')
+console.log(`  R2 has result event:          ${r2Counts.result ? 'PASS' : 'FAIL'}`)
+console.log(`  R2 used tools:                ${r2Counts.tool_use ? `PASS (${r2Counts.tool_use})` : 'FAIL'}`)
+console.log(`  index.html contains marker:   ${fileHasMarker ? 'PASS' : 'FAIL'}`)
+console.log(`  /preview/ contains marker:    ${previewHasMarker ? 'PASS' : 'FAIL'}`)
+
+const r1Ok = !!workspace && indexHtmlExists && previewOk && (r1Counts.result ?? 0) > 0
+const r2Ok = (r2Counts.result ?? 0) > 0 && (r2Counts.tool_use ?? 0) > 0 && fileHasMarker
+const overall = r1Ok && r2Ok
+
+console.log('\nOVERALL:', overall ? 'PASS ✓' : 'FAIL ✗')
+
+process.exit(overall ? 0 : 1)
diff --git a/packages/server/scripts/test-opencode-todowrite-e2e.mts b/packages/server/scripts/test-opencode-todowrite-e2e.mts
new file mode 100644
index 0000000..322d465
--- /dev/null
+++ b/packages/server/scripts/test-opencode-todowrite-e2e.mts
@@ -0,0 +1,93 @@
+#!/usr/bin/env tsx
+/**
+ * E2E: 验证 OpenCode 的 todoWrite 工具事件名称和格式
+ *
+ * 目的：确认前端 TodoWrite renderer 能识别 opencode 发出的 tool_call name
+ */
+
+import 'dotenv/config'
+import { opencodeAcpRuntime } from '../src/agent/runtime/opencode-acp-runtime.js'
+import type { AgentCallbackMessage } from '@coder/shared'
+
+const envId = process.env.TCB_ENV_ID
+if (!envId) {
+  console.error('TCB_ENV_ID not set')
+  process.exit(1)
+}
+
+const conversationId = `opencode-todo-e2e-${Date.now()}`
+const userId = 'e2e-todo-user'
+
+console.log('=== OpenCode todoWrite e2e ===')
+console.log(`envId=${envId}`)
+console.log(`conversationId=${conversationId}\n`)
+
+interface ToolCall {
+  name: string
+  input: unknown
+}
+
+const toolCalls: ToolCall[] = []
+const events: { type: string; name?: string; input?: unknown }[] = []
+
+const cb = async (msg: AgentCallbackMessage): Promise<void> => {
+  events.push({ type: msg.type, name: msg.name, input: msg.input })
+  if (msg.type === 'tool_use') {
+    toolCalls.push({ name: msg.name || '', input: msg.input })
+    console.log(`\n[tool_use ▶] name="${msg.name}" input=${JSON.stringify(msg.input).slice(0, 400)}`)
+  } else if (msg.type === 'tool_input_update') {
+    console.log(`[tool_input_update] id=${msg.id} input=${JSON.stringify(msg.input).slice(0, 200)}`)
+  } else if (msg.type === 'text' && msg.content) {
+    process.stdout.write(msg.content)
+  } else if (msg.type === 'result') {
+    console.log(`\n[result] ${(msg.content || '').slice(0, 200)}`)
+  } else if (msg.type === 'error') {
+    console.log(`\n[error] ${msg.content}`)
+  } else if (msg.type === 'agent_phase') {
+    console.log(`\n[phase] ${msg.phase}`)
+  }
+}
+
+const prompt = `请用 todoWrite 工具创建一个待办清单，至少 4 项，内容随意（比如"读取文件"、"分析代码"、"修改 bug"、"验证结果"）。创建完就结束。`
+
+console.log('[todowrite-e2e] Starting chatStream...')
+const { turnId } = await opencodeAcpRuntime.chatStream(prompt, cb, {
+  conversationId,
+  envId,
+  userId,
+  mode: 'coding',
+  model: 'mimo/mimo-v2.5-pro',
+})
+console.log(`[todowrite-e2e] chatStream returned: turnId=${turnId}`)
+
+const start = Date.now()
+while (Date.now() - start < 180_000) {
+  if (events.some((e) => e.type === 'result' || e.type === 'error')) break
+  await new Promise((r) => setTimeout(r, 500))
+}
+
+console.log('\n\n=== SUMMARY ===')
+console.log(`total events: ${events.length}`)
+console.log(`tool_use events: ${toolCalls.length}`)
+for (const tc of toolCalls) {
+  console.log(`  - name="${tc.name}"`)
+}
+
+const todoCall = toolCalls.find(
+  (t) => t.name.toLowerCase().includes('todo') || /todo/i.test(t.name),
+)
+if (todoCall) {
+  console.log(`\n[VERIFIED] Found todo-like tool call: name="${todoCall.name}"`)
+  console.log(`input: ${JSON.stringify(todoCall.input, null, 2)}`)
+
+  // Verify input format matches what frontend TodoWrite renderer expects
+  const input = todoCall.input as { todos?: unknown[] }
+  if (Array.isArray(input.todos)) {
+    console.log(`\ntodos array length: ${input.todos.length}`)
+    console.log(`first item: ${JSON.stringify(input.todos[0])}`)
+  }
+} else {
+  console.log('\n[NOT FOUND] No todo-like tool was called')
+}
+
+process.exit(0)
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 17d2489..c5396d6 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -46,6 +46,7 @@ import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from '.
 import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt } from './opencode-message-builder.js'
 import { BaseAgentRuntime } from './base-runtime.js'
 import type { SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
+import { archiveToGit } from '../../sandbox/git-archive.js'
 import os from 'node:os'
 import path from 'node:path'
 import fs from 'node:fs'
@@ -463,20 +464,15 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         },
       })
 
-      // 7. 创建 session — 注入 MCP server（来自基类 sandbox MCP proxy）
-      const mcpServers: Array<{ url: string; headers?: Record<string, string> }> = []
-      if (sandbox && sandboxResult?.mcpClient) {
-        // sandbox 内有 MCP endpoint，opencode 可以通过 HTTP transport 直接调用
-        // CloudBase 工具（数据库、云函数、存储等）
-        const authHeaders = await sandbox.getAuthHeaders()
-        mcpServers.push({
-          url: `${sandbox.baseUrl}/mcp`,
-          headers: authHeaders,
-        })
-      }
+      // 7. 创建 session
+      //
+      // 注意：sandbox 通过 .opencode/tools/*.ts 的 custom tool 直接转发到
+      // sandbox 的 /api/tools/{toolName} endpoint（已通过 SANDBOX_BASE_URL env 注入），
+      // 不需要单独的 MCP server。CloudBase 资源操作（数据库/云函数等）
+      // 暂不通过 opencode 的 mcpServers 配置（沙箱没有 standalone MCP HTTP endpoint）。
       const newRes = await conn.newSession({
         cwd: sessionWorkingDir,
-        mcpServers,
+        mcpServers: [],
       })
       const opencodeSessionId = newRes.sessionId
 
@@ -526,6 +522,13 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
       completeAgent(conversationId, 'completed')
       finalRecordStatus = 'done'
+
+      // Archive to git if sandbox was used (同 CodeBuddy runtime 行为对齐)
+      if (sandbox) {
+        archiveToGit(sandbox, conversationId, prompt).catch((err) => {
+          console.error('[OpencodeAcpRuntime] archiveToGit failed:', err)
+        })
+      }
     } catch (error: any) {
       const isAbort = abortController.signal.aborted || error?.name === 'AbortError'
       console.error('[OpencodeAcpRuntime] launchAgent error:', error)
diff --git a/packages/web/src/components/chat/task-list-panel.tsx b/packages/web/src/components/chat/task-list-panel.tsx
index f9809b0..eba516c 100644
--- a/packages/web/src/components/chat/task-list-panel.tsx
+++ b/packages/web/src/components/chat/task-list-panel.tsx
@@ -32,16 +32,52 @@ function parseInput(raw: unknown): Record<string, unknown> {
 }
 
 // ---------------------------------------------------------------------------
-// deriveTasks — extract tasks from TaskCreate / TaskUpdate tool calls
+// deriveTasks — extract tasks from multiple sources:
+//   1. CodeBuddy SDK: TaskCreate + TaskUpdate 工具（task id 来自 result 里的 "Task #N"）
+//   2. OpenCode: todowrite / TodoWrite 工具（一次性全量 todos 数组）
 // ---------------------------------------------------------------------------
 
+/** 支持 CodeBuddy TaskCreate / OpenCode todowrite 两种工具名 */
+const TASK_CREATE_TOOLS = new Set(['TaskCreate'])
+const TASK_UPDATE_TOOLS = new Set(['TaskUpdate'])
+const TODO_WRITE_TOOLS = new Set(['todowrite', 'TodoWrite'])
+
+interface TodoItemInput {
+  content?: string
+  activeForm?: string
+  status?: 'pending' | 'in_progress' | 'completed'
+  priority?: string
+}
+
 export function deriveTasks(messages: TaskMessage[]): DerivedTask[] {
   const tasks: Record<string, DerivedTask> = {}
 
+  // 记录按时间顺序最近一次 todoWrite 调用的 message/partIndex，
+  // 用于判断哪个 todoWrite 是当前权威版本（后覆盖前）。
+  let lastTodoWriteSnapshot: DerivedTask[] | null = null
+
   for (const msg of messages) {
     if (!msg.parts) continue
     for (const part of msg.parts) {
-      if (part.type === 'tool_call' && part.toolName === 'TaskCreate') {
+      // ─── 1. OpenCode todowrite：一次性全量 todos 数组 ───────────
+      if (part.type === 'tool_call' && TODO_WRITE_TOOLS.has(part.toolName)) {
+        const input = parseInput(part.input)
+        const todos = Array.isArray(input.todos) ? (input.todos as TodoItemInput[]) : []
+        lastTodoWriteSnapshot = todos
+          .filter((t) => t && (t.content || t.activeForm))
+          .map((t, idx) => ({
+            id: `todo-${idx + 1}`,
+            subject: t.content ? String(t.content) : '',
+            status: (t.status === 'completed' || t.status === 'in_progress'
+              ? t.status
+              : 'pending') as DerivedTask['status'],
+            activeForm: t.activeForm ? String(t.activeForm) : undefined,
+          }))
+        continue
+      }
+
+      // ─── 2. CodeBuddy TaskCreate / TaskUpdate ────────────────────
+      if (part.type === 'tool_call' && TASK_CREATE_TOOLS.has(part.toolName)) {
         const input = parseInput(part.input)
 
         // Find matching tool_result to extract task ID
@@ -60,7 +96,7 @@ export function deriveTasks(messages: TaskMessage[]): DerivedTask[] {
           activeForm: input.activeForm ? String(input.activeForm) : undefined,
           owner: input.owner ? String(input.owner) : undefined,
         }
-      } else if (part.type === 'tool_call' && part.toolName === 'TaskUpdate') {
+      } else if (part.type === 'tool_call' && TASK_UPDATE_TOOLS.has(part.toolName)) {
         const input = parseInput(part.input)
         const taskId = input.taskId ? String(input.taskId) : undefined
         if (!taskId || !tasks[taskId]) continue
@@ -78,6 +114,12 @@ export function deriveTasks(messages: TaskMessage[]): DerivedTask[] {
     }
   }
 
+  // 如果存在 todoWrite 快照，它作为权威来源（覆盖 CodeBuddy 的 task 列表，
+  // 两者不会同时存在于同一会话）。若想都保留，可以 spread concat。
+  if (lastTodoWriteSnapshot && lastTodoWriteSnapshot.length > 0) {
+    return lastTodoWriteSnapshot
+  }
+
   return Object.values(tasks)
 }
 
diff --git a/packages/web/src/components/chat/tool-renderers/index.ts b/packages/web/src/components/chat/tool-renderers/index.ts
index 0bcd17b..b2a31e4 100644
--- a/packages/web/src/components/chat/tool-renderers/index.ts
+++ b/packages/web/src/components/chat/tool-renderers/index.ts
@@ -55,7 +55,7 @@ export interface ToolRenderer {
  * 所以这里只需注册核心短名即可。
  */
 export const TOOL_RENDERERS: Record<string, ToolRenderer> = {
-  // Claude 内置工具
+  // Claude 内置工具（CodeBuddy SDK，名字是 PascalCase）
   Bash: bashRenderer,
   Read: readRenderer,
   Write: writeRenderer,
@@ -70,6 +70,19 @@ export const TOOL_RENDERERS: Record<string, ToolRenderer> = {
   Agent: taskRenderer, // Anthropic SDK 的 Agent 工具等价 Task
   ImageGen: imageGenRenderer,
   ImageEdit: imageGenRenderer, // 复用 ImageGen 渲染器
+
+  // OpenCode builtin 工具（小写命名，复用同一套渲染器）
+  bash: bashRenderer,
+  read: readRenderer,
+  write: writeRenderer,
+  edit: editRenderer,
+  multiedit: editRenderer,
+  grep: grepRenderer,
+  glob: globRenderer,
+  webfetch: webFetchRenderer,
+  websearch: webSearchRenderer,
+  todowrite: todoWriteRenderer,
+  task: taskRenderer,
 }
 
 /**
diff --git a/packages/web/src/components/task-chat.tsx b/packages/web/src/components/task-chat.tsx
index aa2b76c..2d7c8bc 100644
--- a/packages/web/src/components/task-chat.tsx
+++ b/packages/web/src/components/task-chat.tsx
@@ -45,7 +45,16 @@ import { taskChatInputAtomFamily } from '@/lib/atoms/task'
 import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger } from '@/components/ui/dropdown-menu'
 import { TaskListPanel } from '@/components/chat/task-list-panel'
 
-const HIDDEN_TOOLS = new Set(['TaskCreate', 'TaskUpdate', 'TaskList', 'TaskGet'])
+const HIDDEN_TOOLS = new Set([
+  // CodeBuddy SDK task management 工具（由 TaskListPanel 独立展示）
+  'TaskCreate',
+  'TaskUpdate',
+  'TaskList',
+  'TaskGet',
+  // OpenCode 的 todowrite（同样交给 TaskListPanel 统一展示）
+  'todowrite',
+  'TodoWrite',
+])
 
 export function TaskChat({
   taskId,

From 041af884e4339bd5e82b31864fd538124afe5706 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Thu, 7 May 2026 12:16:03 +0800
Subject: [PATCH 20/33] =?UTF-8?q?fix(opencode):=20archiveToGit=20=E7=A7=BB?=
 =?UTF-8?q?=E5=88=B0=20finally=20=E5=9D=97=EF=BC=8Cerror/cancel=20?=
 =?UTF-8?q?=E5=9C=BA=E6=99=AF=E4=B9=9F=E5=BD=92=E6=A1=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/agent/runtime/opencode-acp-runtime.ts       | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index c5396d6..7264549 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -522,13 +522,6 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
       completeAgent(conversationId, 'completed')
       finalRecordStatus = 'done'
-
-      // Archive to git if sandbox was used (同 CodeBuddy runtime 行为对齐)
-      if (sandbox) {
-        archiveToGit(sandbox, conversationId, prompt).catch((err) => {
-          console.error('[OpencodeAcpRuntime] archiveToGit failed:', err)
-        })
-      }
     } catch (error: any) {
       const isAbort = abortController.signal.aborted || error?.name === 'AbortError'
       console.error('[OpencodeAcpRuntime] launchAgent error:', error)
@@ -564,6 +557,12 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
           /* noop */
         }
       }
+      // Archive to git（含 error/cancel 场景，保留最终工作状态）
+      if (sandbox) {
+        archiveToGit(sandbox, conversationId, prompt).catch((err) => {
+          console.error('[OpencodeAcpRuntime] archiveToGit failed:', err)
+        })
+      }
       // 清理临时工作目录（如果是我们自己建的）
       if (sessionWorkingDir && !options.cwd && sessionWorkingDir.startsWith(os.tmpdir())) {
         try {

From dade05c52c7a224712450a2d9edfef98afe78262 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Thu, 7 May 2026 12:32:59 +0800
Subject: [PATCH 21/33] =?UTF-8?q?feat(opencode):=20=E4=B8=BA=20MCP=20serve?=
 =?UTF-8?q?r=20=E6=9A=B4=E9=9C=B2=E6=9C=AC=E5=9C=B0=20HTTP=20endpoint?=
 =?UTF-8?q?=EF=BC=8Copencode=20=E5=8F=AF=E8=B0=83=E7=94=A8=20CloudBase=20?=
 =?UTF-8?q?=E5=B7=A5=E5=85=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- sandbox-mcp-proxy: 同一 McpServer 同时挂 InMemoryTransport（CodeBuddy SDK）
  和 StreamableHTTPServerTransport（localhost 随机端口），返回 mcpUrl
- opencode-acp-runtime: newSession.mcpServers 注入 cloudbase HTTP MCP server
  type='http', name='cloudbase', url=127.0.0.1:{port}/mcp
- close() 同时关闭 httpTransport + httpServer，生命周期管理完整
---
 .../src/agent/runtime/opencode-acp-runtime.ts | 64 +++++++++++++------
 .../server/src/sandbox/sandbox-mcp-proxy.ts   | 41 +++++++++++-
 2 files changed, 86 insertions(+), 19 deletions(-)

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 7264549..fe69a78 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -55,7 +55,7 @@ import fs from 'node:fs'
 
 // OPENCODE_BIN 常量已删除——统一使用 acp-transport.ts 的 getResolvedBin()
 // 好处：单一权威来源，isAvailable() 与 spawn 使用同一路径，支持 fallback 候选
-const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'moonshot/kimi-k2-0905-preview'
+const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'custom/default'
 
 /** 沙箱内工作目录（agent 看到的"当前目录"概念）。相对路径工具都会以此为根。 */
 const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '.'
@@ -175,17 +175,26 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
   }
 
   async getSupportedModels(): Promise<ModelInfo[]> {
-    return [
-      // MiMo (default)
-      { id: 'mimo/mimo-v2.5-pro', name: 'MiMo V2.5 Pro', vendor: 'MiMo' },
-      { id: 'mimo/mimo-v2.5', name: 'MiMo V2.5', vendor: 'MiMo' },
-      { id: 'mimo/mimo-v2.5-tts', name: 'MiMo V2.5 TTS', vendor: 'MiMo' },
-      { id: 'mimo/mimo-v2.5-tts-voiceclone', name: 'MiMo V2.5 TTS VoiceClone', vendor: 'MiMo' },
-      { id: 'mimo/mimo-v2.5-tts-voicedesign', name: 'MiMo V2.5 TTS VoiceDesign', vendor: 'MiMo' },
-      // Moonshot (direct)
-      { id: 'moonshot/kimi-k2-turbo-preview', name: 'Kimi K2 Turbo', vendor: 'Moonshot' },
-      { id: 'moonshot/kimi-k2-0905-preview', name: 'Kimi K2 (0905)', vendor: 'Moonshot' },
-    ]
+    // Read model list from OPENCODE_MODELS env var (JSON array of {id, name, vendor?})
+    // Falls back to a single default model entry using OPENCODE_DEFAULT_MODEL
+    const modelsEnv = process.env.OPENCODE_MODELS
+    if (modelsEnv) {
+      try {
+        const parsed = JSON.parse(modelsEnv) as Array<{ id: string; name: string; vendor?: string }>
+        if (Array.isArray(parsed) && parsed.length > 0) {
+          return parsed.map((m) => ({
+            id: m.id,
+            name: m.name,
+            vendor: m.vendor || process.env.OPENCODE_PROVIDER_NAME || 'Custom',
+          }))
+        }
+      } catch {
+        // ignore parse error, fall through
+      }
+    }
+    const defaultModel = DEFAULT_OPENCODE_MODEL
+    const providerName = process.env.OPENCODE_PROVIDER_NAME || 'Custom'
+    return [{ id: defaultModel, name: defaultModel.split('/').pop() || defaultModel, vendor: providerName }]
   }
 
   async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
@@ -323,6 +332,7 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
+    let sandboxMcpClient: { close: () => Promise<void>; mcpUrl?: string } | null = null
     let sessionWorkingDir: string | null = null
 
     try {
@@ -345,6 +355,7 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
           model: modelId,
         })
         sandbox = sandboxResult.sandbox
+        sandboxMcpClient = sandboxResult.mcpClient
 
         // Coding mode: auto-allow all write tools + mark preview ready
         if (isCodingMode && conversationId) {
@@ -464,15 +475,24 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         },
       })
 
-      // 7. 创建 session
+      // 7. 创建 session — 注入 CloudBase MCP server（来自 sandbox-mcp-proxy 的本地 HTTP endpoint）
       //
-      // 注意：sandbox 通过 .opencode/tools/*.ts 的 custom tool 直接转发到
-      // sandbox 的 /api/tools/{toolName} endpoint（已通过 SANDBOX_BASE_URL env 注入），
-      // 不需要单独的 MCP server。CloudBase 资源操作（数据库/云函数等）
-      // 暂不通过 opencode 的 mcpServers 配置（沙箱没有 standalone MCP HTTP endpoint）。
+      // sandbox-mcp-proxy 同时挂了两个 transport：
+      //   - InMemoryTransport：供 CodeBuddy SDK runtime 使用（sdkServer）
+      //   - StreamableHTTPServerTransport（localhost random port）：供 opencode 通过 HTTP 访问
+      // opencode 通过此 MCP server 调用 CloudBase 工具（数据库/云函数/存储等）
+      const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
+      if (sandboxMcpClient?.mcpUrl) {
+        mcpServers.push({
+          type: 'http',
+          name: 'cloudbase',
+          url: sandboxMcpClient.mcpUrl,
+          headers: [], // localhost 无需认证头
+        })
+      }
       const newRes = await conn.newSession({
         cwd: sessionWorkingDir,
-        mcpServers: [],
+        mcpServers,
       })
       const opencodeSessionId = newRes.sessionId
 
@@ -563,6 +583,14 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
           console.error('[OpencodeAcpRuntime] archiveToGit failed:', err)
         })
       }
+      // Close sandbox MCP client（同 CodeBuddy runtime 对齐）
+      if (sandboxMcpClient) {
+        try {
+          await sandboxMcpClient.close()
+        } catch {
+          /* noop */
+        }
+      }
       // 清理临时工作目录（如果是我们自己建的）
       if (sessionWorkingDir && !options.cwd && sessionWorkingDir.startsWith(os.tmpdir())) {
         try {
diff --git a/packages/server/src/sandbox/sandbox-mcp-proxy.ts b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
index 197b54b..153e22f 100644
--- a/packages/server/src/sandbox/sandbox-mcp-proxy.ts
+++ b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
@@ -5,16 +5,20 @@
  * - No NestJS dependencies
  * - Uses native fetch for HTTP calls
  * - Creates MCP server proxying to sandbox
+ * - Exposes a local Streamable HTTP endpoint so OpenCode ACP can connect via mcpServers
  */
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { InMemoryTransport } from '@modelcontextprotocol/sdk/inMemory.js'
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
 import { Client } from '@modelcontextprotocol/sdk/client/index.js'
 import { SandboxInstance } from './scf-sandbox-manager.js'
 import { tool as sdkTool, createSdkMcpServer } from '@anthropic-ai/claude-agent-sdk'
 import { z } from 'zod'
 import { nanoid } from 'nanoid'
 import cron from 'node-cron'
+import http from 'node:http'
+import type { AddressInfo } from 'node:net'
 import { getDb } from '../db/index.js'
 import { scheduleTask, unscheduleTask } from '../services/cron-scheduler.js'
 import { extractDeployUrl } from '../agent/runtime/base-runtime.js'
@@ -530,7 +534,9 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   server.tool('publishMiniprogram', PUBLISH_MP_DESC, PUBLISH_MP_SCHEMA, handlePublishMiniprogram)
   server.tool('getDeployJobStatus', DEPLOY_STATUS_DESC, DEPLOY_STATUS_SCHEMA, handleGetDeployJobStatus)
 
-  // ── Wire InMemoryTransport pair ───────────────────────────────
+  // ── Wire InMemoryTransport pair (for CodeBuddy SDK runtime) ─────────────
+  // The existing McpServer is connected to an InMemoryTransport pair so the
+  // Tencent SDK runtime can use it via sdkServer.  This path is unchanged.
 
   const [serverTransport, clientTransport] = InMemoryTransport.createLinkedPair()
   await server.connect(serverTransport)
@@ -538,6 +544,33 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   const client = new Client({ name: 'cloudbase-agent', version: '1.0.0' })
   await client.connect(clientTransport)
 
+  // ── Expose a local Streamable HTTP endpoint (for OpenCode ACP runtime) ──
+  // OpenCode connects to MCP servers via HTTP (McpServerHttp in ACP protocol).
+  // We spin up a localhost HTTP server on a random port using the same McpServer
+  // instance so all tools are available through both transports.
+
+  const httpTransport = new StreamableHTTPServerTransport({
+    sessionIdGenerator: undefined, // stateless — no session tracking needed
+  })
+  await server.connect(httpTransport)
+
+  const httpServer = http.createServer(async (req, res) => {
+    try {
+      await httpTransport.handleRequest(req, res)
+    } catch (e) {
+      res.writeHead(500)
+      res.end()
+    }
+  })
+
+  await new Promise<void>((resolve, reject) => {
+    httpServer.listen(0, '127.0.0.1', () => resolve())
+    httpServer.on('error', reject)
+  })
+
+  const addr = httpServer.address() as AddressInfo
+  const mcpUrl = `http://127.0.0.1:${addr.port}/mcp`
+
   // ── Build SDK MCP Server for passing to query() mcpServers ────
   // createSdkMcpServer is needed because agent-sdk's mcpServers option
   // requires SDK-wrapped servers (not raw @modelcontextprotocol/sdk McpServer).
@@ -795,6 +828,8 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
     client,
     server,
     sdkServer,
+    /** Local HTTP URL for the MCP server (used by OpenCode ACP mcpServers config) */
+    mcpUrl,
     close: async () => {
       try {
         await client.close()
@@ -802,6 +837,10 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
       try {
         await server.close()
       } catch {}
+      try {
+        await httpTransport.close()
+      } catch {}
+      await new Promise<void>((resolve) => httpServer.close(() => resolve()))
     },
   }
 }

From dd19fb48d6cbf47cd19d0a831a751ba9e63f85e7 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Thu, 7 May 2026 22:47:29 +0800
Subject: [PATCH 22/33] =?UTF-8?q?feat(opencode):=20CloudBase=20MCP=20serve?=
 =?UTF-8?q?r=20via=20stdio=20=E2=80=94=20opencode=20=E5=8F=AF=E8=B0=83?=
 =?UTF-8?q?=E7=94=A8=E5=85=A8=E9=83=A8=20CloudBase=20=E5=B7=A5=E5=85=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 新建 cloudbase-mcp-server.ts：独立 stdio MCP server 脚本
  - 从 env 读取 SANDBOX_BASE_URL / SANDBOX_AUTH_HEADERS_JSON / 凭证
  - POST /api/session/env 注入凭证到沙箱
  - mcporter list cloudbase --schema 动态发现工具列表
  - 为每个工具注册 MCP handler（通过 mcporter call）
  - 以 StdioServerTransport 提供 MCP 服务
- opencode-acp-runtime: buildOpencodeMcpServers()
  - 解析 cloudbase-mcp-server.ts 路径（支持 dev/dist）
  - McpServerStdio { command: node, args: [--import tsx/esm, script], env: [...] }
  - 注入沙箱 URL、认证头、CloudBase 凭证、scope ID
  - newSession.mcpServers 传入，opencode 会 spawn 该脚本
- 撤回错误的 HTTP/StreamableHTTPServerTransport 方案（sandbox 无 /mcp endpoint）
- sandbox-mcp-proxy.ts 恢复原状（InMemoryTransport 仅供 CodeBuddy SDK 使用）
---
 .../src/agent/runtime/opencode-acp-runtime.ts | 145 ++++++++---
 .../cloudbase-mcp-server.ts                   | 237 ++++++++++++++++++
 .../server/src/sandbox/sandbox-mcp-proxy.ts   |  41 +--
 3 files changed, 350 insertions(+), 73 deletions(-)
 create mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index fe69a78..76828ed 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -25,6 +25,7 @@
  */
 
 import { v4 as uuidv4 } from 'uuid'
+import { fileURLToPath } from 'node:url'
 import { ClientSideConnection } from '@agentclientprotocol/sdk'
 import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
 import type { ChatStreamResult } from './types.js'
@@ -60,6 +61,76 @@ const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'custom/def
 /** 沙箱内工作目录（agent 看到的"当前目录"概念）。相对路径工具都会以此为根。 */
 const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '.'
 
+// ─── CloudBase MCP server (stdio) ────────────────────────────────────────
+
+const __dirname_runtime = path.dirname(fileURLToPath(import.meta.url))
+
+/**
+ * 找到 cloudbase-mcp-server.ts 脚本路径（供 McpServerStdio 的 args 使用）。
+ * opencode 原生支持 .ts，使用 tsx/bun 直接运行。
+ */
+function resolveCloudbaseMcpServerScript(): string | null {
+  const candidates = [
+    // 源码运行（tsx dev）
+    path.resolve(__dirname_runtime, 'opencode-tool-templates/cloudbase-mcp-server.ts'),
+    // dist 运行
+    path.resolve(__dirname_runtime, '../src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts'),
+    path.resolve(process.cwd(), 'packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts'),
+  ]
+  for (const c of candidates) {
+    if (fs.existsSync(c)) return c
+  }
+  return null
+}
+
+type McpServerEntry =
+  | { name: string; command: string; args: Array<string>; env: Array<{ name: string; value: string }> }
+  | { type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }
+
+/**
+ * 构建传给 conn.newSession() 的 mcpServers 列表。
+ * 如果沙箱可用，注入 CloudBase MCP server（stdio 方式，opencode 原生 spawn）。
+ */
+function buildOpencodeMcpServers(
+  sandbox: SandboxInstance | null,
+  authHeaders: Record<string, string> = {},
+  scopeId?: string,
+  credentials?: { envId: string; secretId: string; secretKey: string; sessionToken?: string },
+): McpServerEntry[] {
+  if (!sandbox) return []
+
+  const scriptPath = resolveCloudbaseMcpServerScript()
+  if (!scriptPath) {
+    console.warn('[OpencodeAcpRuntime] cloudbase-mcp-server.ts not found, CloudBase tools unavailable')
+    return []
+  }
+
+  // Node.js 运行 .ts 时需要 tsx（opencode binary 自带 bun，但我们在 server 进程里 spawn node）
+  // 优先用 npx tsx 运行脚本（与 server 同环境）
+  const env: Array<{ name: string; value: string }> = [
+    { name: 'SANDBOX_BASE_URL', value: sandbox.baseUrl },
+    { name: 'SANDBOX_AUTH_HEADERS_JSON', value: JSON.stringify(authHeaders) },
+  ]
+  if (scopeId) env.push({ name: 'SANDBOX_SCOPE_ID', value: scopeId })
+  if (credentials) {
+    env.push({ name: 'CLOUDBASE_ENV_ID', value: credentials.envId })
+    env.push({ name: 'TENCENTCLOUD_SECRETID', value: credentials.secretId })
+    env.push({ name: 'TENCENTCLOUD_SECRETKEY', value: credentials.secretKey })
+    if (credentials.sessionToken) {
+      env.push({ name: 'TENCENTCLOUD_SESSIONTOKEN', value: credentials.sessionToken })
+    }
+  }
+
+  return [
+    {
+      name: 'cloudbase',
+      command: process.execPath, // node 可执行文件路径
+      args: ['--import', 'tsx/esm', scriptPath],
+      env,
+    },
+  ]
+}
+
 // ─── State ───────────────────────────────────────────────────────────────
 
 let toolsInstallPromise: Promise<void> | null = null
@@ -143,7 +214,6 @@ function cryptoRandomToken(): string {
 /** 惰性确保全局 tools 已安装；多次调用只执行一次。 */
 function ensureToolsInstalledOnce(): Promise<void> {
   if (process.env.OPENCODE_SKIP_TOOLS_INSTALL === '1') {
-    // 测试场景可显式跳过（例如 ToolConfirm e2e 要测 builtin write 的 permission 流）
     return Promise.resolve()
   }
   if (!toolsInstallPromise) {
@@ -175,26 +245,34 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
   }
 
   async getSupportedModels(): Promise<ModelInfo[]> {
-    // Read model list from OPENCODE_MODELS env var (JSON array of {id, name, vendor?})
-    // Falls back to a single default model entry using OPENCODE_DEFAULT_MODEL
-    const modelsEnv = process.env.OPENCODE_MODELS
-    if (modelsEnv) {
-      try {
-        const parsed = JSON.parse(modelsEnv) as Array<{ id: string; name: string; vendor?: string }>
-        if (Array.isArray(parsed) && parsed.length > 0) {
-          return parsed.map((m) => ({
-            id: m.id,
-            name: m.name,
-            vendor: m.vendor || process.env.OPENCODE_PROVIDER_NAME || 'Custom',
-          }))
+    // Read model list from .opencode/opencode.json (the authoritative config file)
+    try {
+      const configPath = path.join(getOpencodeConfigDir(), 'opencode.json')
+      const raw = fs.readFileSync(configPath, 'utf-8')
+      const config = JSON.parse(raw) as {
+        provider?: Record<string, { name?: string; models?: Record<string, { name?: string }> }>
+      }
+      const models: ModelInfo[] = []
+      for (const [providerKey, providerDef] of Object.entries(config.provider ?? {})) {
+        const vendorName = typeof providerDef.name === 'string' && !providerDef.name.startsWith('{env:')
+          ? providerDef.name
+          : process.env.OPENCODE_PROVIDER_NAME || providerKey
+        for (const [modelKey, modelDef] of Object.entries(providerDef.models ?? {})) {
+          models.push({
+            id: `${providerKey}/${modelKey}`,
+            name: modelDef.name || modelKey,
+            vendor: vendorName,
+          })
         }
-      } catch {
-        // ignore parse error, fall through
       }
+      if (models.length > 0) return models
+    } catch {
+      // fall through to env-based fallback
     }
+    // Fallback: single model from env
     const defaultModel = DEFAULT_OPENCODE_MODEL
-    const providerName = process.env.OPENCODE_PROVIDER_NAME || 'Custom'
-    return [{ id: defaultModel, name: defaultModel.split('/').pop() || defaultModel, vendor: providerName }]
+    const vendor = process.env.OPENCODE_PROVIDER_NAME || 'Custom'
+    return [{ id: defaultModel, name: defaultModel.split('/').pop() || defaultModel, vendor }]
   }
 
   async chatStream(prompt: string, callback: AgentCallback | null, options: AgentOptions): Promise<ChatStreamResult> {
@@ -332,7 +410,7 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
-    let sandboxMcpClient: { close: () => Promise<void>; mcpUrl?: string } | null = null
+    let sandboxMcpClient: { close: () => Promise<void> } | null = null
     let sessionWorkingDir: string | null = null
 
     try {
@@ -475,21 +553,22 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         },
       })
 
-      // 7. 创建 session — 注入 CloudBase MCP server（来自 sandbox-mcp-proxy 的本地 HTTP endpoint）
-      //
-      // sandbox-mcp-proxy 同时挂了两个 transport：
-      //   - InMemoryTransport：供 CodeBuddy SDK runtime 使用（sdkServer）
-      //   - StreamableHTTPServerTransport（localhost random port）：供 opencode 通过 HTTP 访问
-      // opencode 通过此 MCP server 调用 CloudBase 工具（数据库/云函数/存储等）
-      const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
-      if (sandboxMcpClient?.mcpUrl) {
-        mcpServers.push({
-          type: 'http',
-          name: 'cloudbase',
-          url: sandboxMcpClient.mcpUrl,
-          headers: [], // localhost 无需认证头
-        })
-      }
+      // 7. 创建 session — 注入 CloudBase MCP server（stdio 方式）
+      // opencode spawn 一个独立进程运行 cloudbase-mcp-server.ts，通过 stdio 提供 CloudBase 工具
+      const sandboxAuthHeaders = sandbox ? await sandbox.getAuthHeaders() : {}
+      const mcpServers = buildOpencodeMcpServers(
+        sandbox,
+        sandboxAuthHeaders,
+        conversationId,
+        options.userCredentials
+          ? {
+              envId: envId ?? '',
+              secretId: options.userCredentials.secretId,
+              secretKey: options.userCredentials.secretKey,
+              sessionToken: options.userCredentials.sessionToken,
+            }
+          : undefined,
+      )
       const newRes = await conn.newSession({
         cwd: sessionWorkingDir,
         mcpServers,
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts b/packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts
new file mode 100644
index 0000000..6950e4a
--- /dev/null
+++ b/packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts
@@ -0,0 +1,237 @@
+#!/usr/bin/env node
+/**
+ * CloudBase Sandbox MCP Server (stdio transport)
+ *
+ * 作为独立进程被 opencode 通过 McpServerStdio 启动。
+ * 从环境变量读取沙箱连接信息，通过沙箱内的 mcporter 动态发现并暴露所有 CloudBase 工具。
+ *
+ * 环境变量（由 opencode-acp-runtime 通过 McpServerStdio.env 注入）：
+ *   SANDBOX_BASE_URL            — 沙箱 HTTPS endpoint
+ *   SANDBOX_AUTH_HEADERS_JSON   — 沙箱认证 headers（JSON 对象）
+ *   CLOUDBASE_ENV_ID            — CloudBase 环境 ID
+ *   TENCENTCLOUD_SECRETID       — TencentCloud SecretId
+ *   TENCENTCLOUD_SECRETKEY      — TencentCloud SecretKey
+ *   TENCENTCLOUD_SESSIONTOKEN   — 可选：STS session token
+ *
+ * 工具发现流程：
+ *   1. POST /api/session/env  注入凭证
+ *   2. bash mcporter list cloudbase --schema --output json
+ *   3. 为每个工具注册 MCP handler（通过 mcporter call）
+ *   4. 以 stdio 方式提供 MCP 服务
+ */
+
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
+import { z } from 'zod'
+
+// ─── Sandbox HTTP helpers ─────────────────────────────────────────────────
+
+const BASE_URL = process.env.SANDBOX_BASE_URL?.replace(/\/$/, '') ?? ''
+const AUTH_HEADERS: Record<string, string> = (() => {
+  try {
+    return JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON ?? '{}')
+  } catch {
+    return {}
+  }
+})()
+// Scope header (conversation/task ID) injected by runtime
+const SCOPE_ID = process.env.SANDBOX_SCOPE_ID ?? ''
+
+function makeHeaders(extra: Record<string, string> = {}): Record<string, string> {
+  return {
+    'Content-Type': 'application/json',
+    ...AUTH_HEADERS,
+    ...(SCOPE_ID ? { 'X-Scope-Id': SCOPE_ID } : {}),
+    ...extra,
+  }
+}
+
+async function sandboxPost(path: string, body: unknown, timeoutMs = 60_000): Promise<any> {
+  const res = await fetch(`${BASE_URL}${path}`, {
+    method: 'POST',
+    headers: makeHeaders(),
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(timeoutMs),
+  })
+  const data = (await res.json().catch(() => ({ success: false, error: `HTTP ${res.status}` }))) as any
+  if (!data.success) throw new Error(data.error ?? `${path} failed (${res.status})`)
+  return data.result
+}
+
+async function bashCall(command: string, timeoutMs = 60_000): Promise<string> {
+  const result = await sandboxPost('/api/tools/bash', { command, timeout: timeoutMs }, timeoutMs)
+  if (typeof result === 'string') return result
+  return result?.output ?? result?.stdout ?? JSON.stringify(result)
+}
+
+// ─── Credentials injection ────────────────────────────────────────────────
+
+async function injectCredentials(): Promise<void> {
+  const envId = process.env.CLOUDBASE_ENV_ID ?? ''
+  const secretId = process.env.TENCENTCLOUD_SECRETID ?? ''
+  const secretKey = process.env.TENCENTCLOUD_SECRETKEY ?? ''
+  const sessionToken = process.env.TENCENTCLOUD_SESSIONTOKEN ?? ''
+
+  const res = await fetch(`${BASE_URL}/api/session/env`, {
+    method: 'PUT',
+    headers: makeHeaders(),
+    body: JSON.stringify({
+      CLOUDBASE_ENV_ID: envId,
+      TENCENTCLOUD_SECRETID: secretId,
+      TENCENTCLOUD_SECRETKEY: secretKey,
+      TENCENTCLOUD_SESSIONTOKEN: sessionToken,
+      INTEGRATION_IDE: 'opencode',
+    }),
+    signal: AbortSignal.timeout(15_000),
+  })
+  const data = (await res.json().catch(() => ({}))) as any
+  if (!data.success) {
+    process.stderr.write(`[cloudbase-mcp] credential injection warning: ${data.error}\n`)
+  }
+}
+
+// ─── Tool schema discovery ────────────────────────────────────────────────
+
+interface ToolSchema {
+  name: string
+  description?: string
+  inputSchema?: {
+    type?: string
+    properties?: Record<string, any>
+    required?: string[]
+  }
+}
+
+async function discoverTools(): Promise<ToolSchema[]> {
+  const tmpPath = `.cloudbase-mcp-schema-${Date.now()}.json`
+  try {
+    await bashCall(`mcporter list cloudbase --schema --output json > ${tmpPath} 2>&1`, 25_000)
+    const res = await fetch(`${BASE_URL}/e2b-compatible/files?path=${encodeURIComponent(tmpPath)}`, {
+      headers: { ...AUTH_HEADERS, ...(SCOPE_ID ? { 'X-Scope-Id': SCOPE_ID } : {}) },
+      signal: AbortSignal.timeout(10_000),
+    })
+    if (!res.ok) throw new Error(`Failed to read schema file: ${res.status}`)
+    const parsed = (await res.json()) as any
+    if (!Array.isArray(parsed.tools)) throw new Error('No tools array in schema')
+    return parsed.tools as ToolSchema[]
+  } finally {
+    bashCall(`rm -f ${tmpPath}`, 5_000).catch(() => {})
+  }
+}
+
+// ─── mcporter call helper ─────────────────────────────────────────────────
+
+function serializeFnCall(toolName: string, args: Record<string, unknown>): string {
+  if (!args || Object.keys(args).length === 0) return `cloudbase.${toolName}()`
+  const parts = Object.entries(args)
+    .map(([k, v]) => {
+      if (v === undefined || v === null) return null
+      if (typeof v === 'string') return `${k}: ${JSON.stringify(v)}`
+      if (typeof v === 'boolean' || typeof v === 'number') return `${k}: ${v}`
+      return `${k}: ${JSON.stringify(v)}`
+    })
+    .filter(Boolean)
+    .join(', ')
+  return `cloudbase.${toolName}(${parts})`
+}
+
+async function mcporterCall(toolName: string, args: Record<string, unknown>): Promise<string> {
+  const expr = serializeFnCall(toolName, args)
+  const escaped = expr.replace(/'/g, "'\\''")
+  return bashCall(`mcporter call '${escaped}' 2>&1`, 60_000)
+}
+
+// ─── JSON Schema → Zod shape ──────────────────────────────────────────────
+
+function jsonSchemaToZodShape(schema: any): Record<string, z.ZodTypeAny> {
+  if (!schema?.properties) return {}
+  const required = new Set<string>(schema.required ?? [])
+  const shape: Record<string, z.ZodTypeAny> = {}
+
+  for (const [key, prop] of Object.entries(schema.properties as Record<string, any>)) {
+    let zodType: z.ZodTypeAny
+    switch (prop.type) {
+      case 'string':
+        zodType = z.string()
+        break
+      case 'number':
+      case 'integer':
+        zodType = z.number()
+        break
+      case 'boolean':
+        zodType = z.boolean()
+        break
+      case 'array':
+        zodType = z.array(z.unknown())
+        break
+      case 'object':
+        zodType = z.record(z.unknown())
+        break
+      default:
+        zodType = z.unknown()
+    }
+    if (prop.description) zodType = zodType.describe(prop.description)
+    if (!required.has(key)) zodType = zodType.optional() as z.ZodTypeAny
+    shape[key] = zodType
+  }
+
+  return shape
+}
+
+// ─── Main ─────────────────────────────────────────────────────────────────
+
+async function main() {
+  if (!BASE_URL) {
+    process.stderr.write('[cloudbase-mcp] SANDBOX_BASE_URL not set, exiting\n')
+    process.exit(1)
+  }
+
+  // Inject credentials first
+  await injectCredentials()
+
+  // Discover CloudBase tools
+  let tools: ToolSchema[] = []
+  try {
+    tools = await discoverTools()
+    process.stderr.write(`[cloudbase-mcp] Discovered ${tools.length} CloudBase tools\n`)
+  } catch (e) {
+    process.stderr.write(`[cloudbase-mcp] Tool discovery failed: ${(e as Error).message}\n`)
+  }
+
+  // Build MCP server
+  const server = new McpServer({ name: 'cloudbase', version: '1.0.0' })
+
+  // Register all discovered CloudBase tools
+  for (const tool of tools) {
+    if (tool.name === 'logout' || tool.name === 'interactiveDialog') continue
+    const zodShape = jsonSchemaToZodShape(tool.inputSchema)
+
+    server.tool(
+      tool.name,
+      (tool.description ?? `CloudBase tool: ${tool.name}`) +
+        '\n\nNOTE: localPath refers to paths inside the container workspace.',
+      zodShape,
+      async (args: Record<string, unknown>) => {
+        try {
+          const output = await mcporterCall(tool.name, args)
+          return { content: [{ type: 'text' as const, text: output }] }
+        } catch (e: any) {
+          return {
+            content: [{ type: 'text' as const, text: `Error: ${e.message}` }],
+            isError: true,
+          }
+        }
+      },
+    )
+  }
+
+  // Start stdio transport
+  const transport = new StdioServerTransport()
+  await server.connect(transport)
+  process.stderr.write('[cloudbase-mcp] MCP server ready (stdio)\n')
+}
+
+main().catch((e) => {
+  process.stderr.write(`[cloudbase-mcp] Fatal: ${e.message}\n`)
+  process.exit(1)
+})
diff --git a/packages/server/src/sandbox/sandbox-mcp-proxy.ts b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
index 153e22f..197b54b 100644
--- a/packages/server/src/sandbox/sandbox-mcp-proxy.ts
+++ b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
@@ -5,20 +5,16 @@
  * - No NestJS dependencies
  * - Uses native fetch for HTTP calls
  * - Creates MCP server proxying to sandbox
- * - Exposes a local Streamable HTTP endpoint so OpenCode ACP can connect via mcpServers
  */
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { InMemoryTransport } from '@modelcontextprotocol/sdk/inMemory.js'
-import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
 import { Client } from '@modelcontextprotocol/sdk/client/index.js'
 import { SandboxInstance } from './scf-sandbox-manager.js'
 import { tool as sdkTool, createSdkMcpServer } from '@anthropic-ai/claude-agent-sdk'
 import { z } from 'zod'
 import { nanoid } from 'nanoid'
 import cron from 'node-cron'
-import http from 'node:http'
-import type { AddressInfo } from 'node:net'
 import { getDb } from '../db/index.js'
 import { scheduleTask, unscheduleTask } from '../services/cron-scheduler.js'
 import { extractDeployUrl } from '../agent/runtime/base-runtime.js'
@@ -534,9 +530,7 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   server.tool('publishMiniprogram', PUBLISH_MP_DESC, PUBLISH_MP_SCHEMA, handlePublishMiniprogram)
   server.tool('getDeployJobStatus', DEPLOY_STATUS_DESC, DEPLOY_STATUS_SCHEMA, handleGetDeployJobStatus)
 
-  // ── Wire InMemoryTransport pair (for CodeBuddy SDK runtime) ─────────────
-  // The existing McpServer is connected to an InMemoryTransport pair so the
-  // Tencent SDK runtime can use it via sdkServer.  This path is unchanged.
+  // ── Wire InMemoryTransport pair ───────────────────────────────
 
   const [serverTransport, clientTransport] = InMemoryTransport.createLinkedPair()
   await server.connect(serverTransport)
@@ -544,33 +538,6 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   const client = new Client({ name: 'cloudbase-agent', version: '1.0.0' })
   await client.connect(clientTransport)
 
-  // ── Expose a local Streamable HTTP endpoint (for OpenCode ACP runtime) ──
-  // OpenCode connects to MCP servers via HTTP (McpServerHttp in ACP protocol).
-  // We spin up a localhost HTTP server on a random port using the same McpServer
-  // instance so all tools are available through both transports.
-
-  const httpTransport = new StreamableHTTPServerTransport({
-    sessionIdGenerator: undefined, // stateless — no session tracking needed
-  })
-  await server.connect(httpTransport)
-
-  const httpServer = http.createServer(async (req, res) => {
-    try {
-      await httpTransport.handleRequest(req, res)
-    } catch (e) {
-      res.writeHead(500)
-      res.end()
-    }
-  })
-
-  await new Promise<void>((resolve, reject) => {
-    httpServer.listen(0, '127.0.0.1', () => resolve())
-    httpServer.on('error', reject)
-  })
-
-  const addr = httpServer.address() as AddressInfo
-  const mcpUrl = `http://127.0.0.1:${addr.port}/mcp`
-
   // ── Build SDK MCP Server for passing to query() mcpServers ────
   // createSdkMcpServer is needed because agent-sdk's mcpServers option
   // requires SDK-wrapped servers (not raw @modelcontextprotocol/sdk McpServer).
@@ -828,8 +795,6 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
     client,
     server,
     sdkServer,
-    /** Local HTTP URL for the MCP server (used by OpenCode ACP mcpServers config) */
-    mcpUrl,
     close: async () => {
       try {
         await client.close()
@@ -837,10 +802,6 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
       try {
         await server.close()
       } catch {}
-      try {
-        await httpTransport.close()
-      } catch {}
-      await new Promise<void>((resolve) => httpServer.close(() => resolve()))
     },
   }
 }

From 38114f11a842448bc495e0136dfe100384150a81 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Fri, 8 May 2026 00:25:36 +0800
Subject: [PATCH 23/33] refactor(opencode): move tool overrides to
 .opencode/tools/, simplify installer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- .opencode/tools/*.ts now checked in directly (no more install step)
- .opencode/opencode.json gitignored; opencode.example.json checked in as template
- opencode-installer.ts simplified to only resolveProjectRoot + getOpencodeConfigDir
- opencode-acp-runtime.ts: remove ensureToolsInstalledOnce and all install machinery
- opencode-tool-templates/ directory deleted (replaced by .opencode/tools/)
- init.mjs: add setupOpencode step (Step 6.5) — copies example, collects OPENCODE_API_KEY + OPENCODE_BASE_URL
- getSupportedModels reads model list from .opencode/opencode.json provider.models
- .env.example: replace MIMO_API_KEY with OPENCODE_API_KEY + OPENCODE_BASE_URL
---
 .../{opencode.json => opencode.example.json}  |   0
 .../tools}/AskUserQuestion.ts                 |   0
 .../tools}/bash.ts                            |   0
 .../tools}/edit.ts                            |   0
 .../tools}/glob.ts                            |   0
 .../tools}/grep.ts                            |   0
 .../tools}/read.ts                            |   0
 .../tools}/write.ts                           |   0
 .../src/agent/runtime/opencode-acp-runtime.ts | 104 +-------
 .../cloudbase-mcp-server.ts                   | 237 ------------------
 .../server/src/sandbox/sandbox-mcp-proxy.ts   |  38 ++-
 11 files changed, 44 insertions(+), 335 deletions(-)
 rename .opencode/{opencode.json => opencode.example.json} (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/AskUserQuestion.ts (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/bash.ts (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/edit.ts (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/glob.ts (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/grep.ts (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/read.ts (100%)
 rename {packages/server/src/agent/runtime/opencode-tool-templates => .opencode/tools}/write.ts (100%)
 delete mode 100644 packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts

diff --git a/.opencode/opencode.json b/.opencode/opencode.example.json
similarity index 100%
rename from .opencode/opencode.json
rename to .opencode/opencode.example.json
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts b/.opencode/tools/AskUserQuestion.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/AskUserQuestion.ts
rename to .opencode/tools/AskUserQuestion.ts
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/bash.ts b/.opencode/tools/bash.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/bash.ts
rename to .opencode/tools/bash.ts
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/edit.ts b/.opencode/tools/edit.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/edit.ts
rename to .opencode/tools/edit.ts
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/glob.ts b/.opencode/tools/glob.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/glob.ts
rename to .opencode/tools/glob.ts
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/grep.ts b/.opencode/tools/grep.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/grep.ts
rename to .opencode/tools/grep.ts
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/read.ts b/.opencode/tools/read.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/read.ts
rename to .opencode/tools/read.ts
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/write.ts b/.opencode/tools/write.ts
similarity index 100%
rename from packages/server/src/agent/runtime/opencode-tool-templates/write.ts
rename to .opencode/tools/write.ts
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 76828ed..6e25a96 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -25,7 +25,6 @@
  */
 
 import { v4 as uuidv4 } from 'uuid'
-import { fileURLToPath } from 'node:url'
 import { ClientSideConnection } from '@agentclientprotocol/sdk'
 import type { AgentCallback, AgentCallbackMessage, AgentOptions } from '@coder/shared'
 import type { ChatStreamResult } from './types.js'
@@ -61,76 +60,6 @@ const DEFAULT_OPENCODE_MODEL = process.env.OPENCODE_DEFAULT_MODEL || 'custom/def
 /** 沙箱内工作目录（agent 看到的"当前目录"概念）。相对路径工具都会以此为根。 */
 const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '.'
 
-// ─── CloudBase MCP server (stdio) ────────────────────────────────────────
-
-const __dirname_runtime = path.dirname(fileURLToPath(import.meta.url))
-
-/**
- * 找到 cloudbase-mcp-server.ts 脚本路径（供 McpServerStdio 的 args 使用）。
- * opencode 原生支持 .ts，使用 tsx/bun 直接运行。
- */
-function resolveCloudbaseMcpServerScript(): string | null {
-  const candidates = [
-    // 源码运行（tsx dev）
-    path.resolve(__dirname_runtime, 'opencode-tool-templates/cloudbase-mcp-server.ts'),
-    // dist 运行
-    path.resolve(__dirname_runtime, '../src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts'),
-    path.resolve(process.cwd(), 'packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts'),
-  ]
-  for (const c of candidates) {
-    if (fs.existsSync(c)) return c
-  }
-  return null
-}
-
-type McpServerEntry =
-  | { name: string; command: string; args: Array<string>; env: Array<{ name: string; value: string }> }
-  | { type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }
-
-/**
- * 构建传给 conn.newSession() 的 mcpServers 列表。
- * 如果沙箱可用，注入 CloudBase MCP server（stdio 方式，opencode 原生 spawn）。
- */
-function buildOpencodeMcpServers(
-  sandbox: SandboxInstance | null,
-  authHeaders: Record<string, string> = {},
-  scopeId?: string,
-  credentials?: { envId: string; secretId: string; secretKey: string; sessionToken?: string },
-): McpServerEntry[] {
-  if (!sandbox) return []
-
-  const scriptPath = resolveCloudbaseMcpServerScript()
-  if (!scriptPath) {
-    console.warn('[OpencodeAcpRuntime] cloudbase-mcp-server.ts not found, CloudBase tools unavailable')
-    return []
-  }
-
-  // Node.js 运行 .ts 时需要 tsx（opencode binary 自带 bun，但我们在 server 进程里 spawn node）
-  // 优先用 npx tsx 运行脚本（与 server 同环境）
-  const env: Array<{ name: string; value: string }> = [
-    { name: 'SANDBOX_BASE_URL', value: sandbox.baseUrl },
-    { name: 'SANDBOX_AUTH_HEADERS_JSON', value: JSON.stringify(authHeaders) },
-  ]
-  if (scopeId) env.push({ name: 'SANDBOX_SCOPE_ID', value: scopeId })
-  if (credentials) {
-    env.push({ name: 'CLOUDBASE_ENV_ID', value: credentials.envId })
-    env.push({ name: 'TENCENTCLOUD_SECRETID', value: credentials.secretId })
-    env.push({ name: 'TENCENTCLOUD_SECRETKEY', value: credentials.secretKey })
-    if (credentials.sessionToken) {
-      env.push({ name: 'TENCENTCLOUD_SESSIONTOKEN', value: credentials.sessionToken })
-    }
-  }
-
-  return [
-    {
-      name: 'cloudbase',
-      command: process.execPath, // node 可执行文件路径
-      args: ['--import', 'tsx/esm', scriptPath],
-      env,
-    },
-  ]
-}
-
 // ─── State ───────────────────────────────────────────────────────────────
 
 let toolsInstallPromise: Promise<void> | null = null
@@ -254,9 +183,10 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
       }
       const models: ModelInfo[] = []
       for (const [providerKey, providerDef] of Object.entries(config.provider ?? {})) {
-        const vendorName = typeof providerDef.name === 'string' && !providerDef.name.startsWith('{env:')
-          ? providerDef.name
-          : process.env.OPENCODE_PROVIDER_NAME || providerKey
+        const vendorName =
+          typeof providerDef.name === 'string' && !providerDef.name.startsWith('{env:')
+            ? providerDef.name
+            : process.env.OPENCODE_PROVIDER_NAME || providerKey
         for (const [modelKey, modelDef] of Object.entries(providerDef.models ?? {})) {
           models.push({
             id: `${providerKey}/${modelKey}`,
@@ -410,7 +340,7 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
-    let sandboxMcpClient: { close: () => Promise<void> } | null = null
+    let sandboxMcpClient: { close: () => Promise<void>; mcpUrl?: string } | null = null
     let sessionWorkingDir: string | null = null
 
     try {
@@ -553,22 +483,14 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         },
       })
 
-      // 7. 创建 session — 注入 CloudBase MCP server（stdio 方式）
-      // opencode spawn 一个独立进程运行 cloudbase-mcp-server.ts，通过 stdio 提供 CloudBase 工具
-      const sandboxAuthHeaders = sandbox ? await sandbox.getAuthHeaders() : {}
-      const mcpServers = buildOpencodeMcpServers(
-        sandbox,
-        sandboxAuthHeaders,
-        conversationId,
-        options.userCredentials
-          ? {
-              envId: envId ?? '',
-              secretId: options.userCredentials.secretId,
-              secretKey: options.userCredentials.secretKey,
-              sessionToken: options.userCredentials.sessionToken,
-            }
-          : undefined,
-      )
+      // 7. 创建 session — 注入 CloudBase MCP server
+      // sandboxMcpClient.server（在 base-runtime.setupSandbox 里创建）已通过
+      // StreamableHTTPServerTransport 暴露为 localhost HTTP endpoint（mcpUrl）。
+      // opencode 通过 McpServerHttp { type:'http', url } 连接，复用完全相同的工具注册逻辑。
+      const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
+      if (sandboxMcpClient?.mcpUrl) {
+        mcpServers.push({ type: 'http', name: 'cloudbase', url: sandboxMcpClient.mcpUrl, headers: [] })
+      }
       const newRes = await conn.newSession({
         cwd: sessionWorkingDir,
         mcpServers,
diff --git a/packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts b/packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts
deleted file mode 100644
index 6950e4a..0000000
--- a/packages/server/src/agent/runtime/opencode-tool-templates/cloudbase-mcp-server.ts
+++ /dev/null
@@ -1,237 +0,0 @@
-#!/usr/bin/env node
-/**
- * CloudBase Sandbox MCP Server (stdio transport)
- *
- * 作为独立进程被 opencode 通过 McpServerStdio 启动。
- * 从环境变量读取沙箱连接信息，通过沙箱内的 mcporter 动态发现并暴露所有 CloudBase 工具。
- *
- * 环境变量（由 opencode-acp-runtime 通过 McpServerStdio.env 注入）：
- *   SANDBOX_BASE_URL            — 沙箱 HTTPS endpoint
- *   SANDBOX_AUTH_HEADERS_JSON   — 沙箱认证 headers（JSON 对象）
- *   CLOUDBASE_ENV_ID            — CloudBase 环境 ID
- *   TENCENTCLOUD_SECRETID       — TencentCloud SecretId
- *   TENCENTCLOUD_SECRETKEY      — TencentCloud SecretKey
- *   TENCENTCLOUD_SESSIONTOKEN   — 可选：STS session token
- *
- * 工具发现流程：
- *   1. POST /api/session/env  注入凭证
- *   2. bash mcporter list cloudbase --schema --output json
- *   3. 为每个工具注册 MCP handler（通过 mcporter call）
- *   4. 以 stdio 方式提供 MCP 服务
- */
-
-import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
-import { z } from 'zod'
-
-// ─── Sandbox HTTP helpers ─────────────────────────────────────────────────
-
-const BASE_URL = process.env.SANDBOX_BASE_URL?.replace(/\/$/, '') ?? ''
-const AUTH_HEADERS: Record<string, string> = (() => {
-  try {
-    return JSON.parse(process.env.SANDBOX_AUTH_HEADERS_JSON ?? '{}')
-  } catch {
-    return {}
-  }
-})()
-// Scope header (conversation/task ID) injected by runtime
-const SCOPE_ID = process.env.SANDBOX_SCOPE_ID ?? ''
-
-function makeHeaders(extra: Record<string, string> = {}): Record<string, string> {
-  return {
-    'Content-Type': 'application/json',
-    ...AUTH_HEADERS,
-    ...(SCOPE_ID ? { 'X-Scope-Id': SCOPE_ID } : {}),
-    ...extra,
-  }
-}
-
-async function sandboxPost(path: string, body: unknown, timeoutMs = 60_000): Promise<any> {
-  const res = await fetch(`${BASE_URL}${path}`, {
-    method: 'POST',
-    headers: makeHeaders(),
-    body: JSON.stringify(body),
-    signal: AbortSignal.timeout(timeoutMs),
-  })
-  const data = (await res.json().catch(() => ({ success: false, error: `HTTP ${res.status}` }))) as any
-  if (!data.success) throw new Error(data.error ?? `${path} failed (${res.status})`)
-  return data.result
-}
-
-async function bashCall(command: string, timeoutMs = 60_000): Promise<string> {
-  const result = await sandboxPost('/api/tools/bash', { command, timeout: timeoutMs }, timeoutMs)
-  if (typeof result === 'string') return result
-  return result?.output ?? result?.stdout ?? JSON.stringify(result)
-}
-
-// ─── Credentials injection ────────────────────────────────────────────────
-
-async function injectCredentials(): Promise<void> {
-  const envId = process.env.CLOUDBASE_ENV_ID ?? ''
-  const secretId = process.env.TENCENTCLOUD_SECRETID ?? ''
-  const secretKey = process.env.TENCENTCLOUD_SECRETKEY ?? ''
-  const sessionToken = process.env.TENCENTCLOUD_SESSIONTOKEN ?? ''
-
-  const res = await fetch(`${BASE_URL}/api/session/env`, {
-    method: 'PUT',
-    headers: makeHeaders(),
-    body: JSON.stringify({
-      CLOUDBASE_ENV_ID: envId,
-      TENCENTCLOUD_SECRETID: secretId,
-      TENCENTCLOUD_SECRETKEY: secretKey,
-      TENCENTCLOUD_SESSIONTOKEN: sessionToken,
-      INTEGRATION_IDE: 'opencode',
-    }),
-    signal: AbortSignal.timeout(15_000),
-  })
-  const data = (await res.json().catch(() => ({}))) as any
-  if (!data.success) {
-    process.stderr.write(`[cloudbase-mcp] credential injection warning: ${data.error}\n`)
-  }
-}
-
-// ─── Tool schema discovery ────────────────────────────────────────────────
-
-interface ToolSchema {
-  name: string
-  description?: string
-  inputSchema?: {
-    type?: string
-    properties?: Record<string, any>
-    required?: string[]
-  }
-}
-
-async function discoverTools(): Promise<ToolSchema[]> {
-  const tmpPath = `.cloudbase-mcp-schema-${Date.now()}.json`
-  try {
-    await bashCall(`mcporter list cloudbase --schema --output json > ${tmpPath} 2>&1`, 25_000)
-    const res = await fetch(`${BASE_URL}/e2b-compatible/files?path=${encodeURIComponent(tmpPath)}`, {
-      headers: { ...AUTH_HEADERS, ...(SCOPE_ID ? { 'X-Scope-Id': SCOPE_ID } : {}) },
-      signal: AbortSignal.timeout(10_000),
-    })
-    if (!res.ok) throw new Error(`Failed to read schema file: ${res.status}`)
-    const parsed = (await res.json()) as any
-    if (!Array.isArray(parsed.tools)) throw new Error('No tools array in schema')
-    return parsed.tools as ToolSchema[]
-  } finally {
-    bashCall(`rm -f ${tmpPath}`, 5_000).catch(() => {})
-  }
-}
-
-// ─── mcporter call helper ─────────────────────────────────────────────────
-
-function serializeFnCall(toolName: string, args: Record<string, unknown>): string {
-  if (!args || Object.keys(args).length === 0) return `cloudbase.${toolName}()`
-  const parts = Object.entries(args)
-    .map(([k, v]) => {
-      if (v === undefined || v === null) return null
-      if (typeof v === 'string') return `${k}: ${JSON.stringify(v)}`
-      if (typeof v === 'boolean' || typeof v === 'number') return `${k}: ${v}`
-      return `${k}: ${JSON.stringify(v)}`
-    })
-    .filter(Boolean)
-    .join(', ')
-  return `cloudbase.${toolName}(${parts})`
-}
-
-async function mcporterCall(toolName: string, args: Record<string, unknown>): Promise<string> {
-  const expr = serializeFnCall(toolName, args)
-  const escaped = expr.replace(/'/g, "'\\''")
-  return bashCall(`mcporter call '${escaped}' 2>&1`, 60_000)
-}
-
-// ─── JSON Schema → Zod shape ──────────────────────────────────────────────
-
-function jsonSchemaToZodShape(schema: any): Record<string, z.ZodTypeAny> {
-  if (!schema?.properties) return {}
-  const required = new Set<string>(schema.required ?? [])
-  const shape: Record<string, z.ZodTypeAny> = {}
-
-  for (const [key, prop] of Object.entries(schema.properties as Record<string, any>)) {
-    let zodType: z.ZodTypeAny
-    switch (prop.type) {
-      case 'string':
-        zodType = z.string()
-        break
-      case 'number':
-      case 'integer':
-        zodType = z.number()
-        break
-      case 'boolean':
-        zodType = z.boolean()
-        break
-      case 'array':
-        zodType = z.array(z.unknown())
-        break
-      case 'object':
-        zodType = z.record(z.unknown())
-        break
-      default:
-        zodType = z.unknown()
-    }
-    if (prop.description) zodType = zodType.describe(prop.description)
-    if (!required.has(key)) zodType = zodType.optional() as z.ZodTypeAny
-    shape[key] = zodType
-  }
-
-  return shape
-}
-
-// ─── Main ─────────────────────────────────────────────────────────────────
-
-async function main() {
-  if (!BASE_URL) {
-    process.stderr.write('[cloudbase-mcp] SANDBOX_BASE_URL not set, exiting\n')
-    process.exit(1)
-  }
-
-  // Inject credentials first
-  await injectCredentials()
-
-  // Discover CloudBase tools
-  let tools: ToolSchema[] = []
-  try {
-    tools = await discoverTools()
-    process.stderr.write(`[cloudbase-mcp] Discovered ${tools.length} CloudBase tools\n`)
-  } catch (e) {
-    process.stderr.write(`[cloudbase-mcp] Tool discovery failed: ${(e as Error).message}\n`)
-  }
-
-  // Build MCP server
-  const server = new McpServer({ name: 'cloudbase', version: '1.0.0' })
-
-  // Register all discovered CloudBase tools
-  for (const tool of tools) {
-    if (tool.name === 'logout' || tool.name === 'interactiveDialog') continue
-    const zodShape = jsonSchemaToZodShape(tool.inputSchema)
-
-    server.tool(
-      tool.name,
-      (tool.description ?? `CloudBase tool: ${tool.name}`) +
-        '\n\nNOTE: localPath refers to paths inside the container workspace.',
-      zodShape,
-      async (args: Record<string, unknown>) => {
-        try {
-          const output = await mcporterCall(tool.name, args)
-          return { content: [{ type: 'text' as const, text: output }] }
-        } catch (e: any) {
-          return {
-            content: [{ type: 'text' as const, text: `Error: ${e.message}` }],
-            isError: true,
-          }
-        }
-      },
-    )
-  }
-
-  // Start stdio transport
-  const transport = new StdioServerTransport()
-  await server.connect(transport)
-  process.stderr.write('[cloudbase-mcp] MCP server ready (stdio)\n')
-}
-
-main().catch((e) => {
-  process.stderr.write(`[cloudbase-mcp] Fatal: ${e.message}\n`)
-  process.exit(1)
-})
diff --git a/packages/server/src/sandbox/sandbox-mcp-proxy.ts b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
index 197b54b..1d95f57 100644
--- a/packages/server/src/sandbox/sandbox-mcp-proxy.ts
+++ b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
@@ -9,12 +9,15 @@
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { InMemoryTransport } from '@modelcontextprotocol/sdk/inMemory.js'
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
 import { Client } from '@modelcontextprotocol/sdk/client/index.js'
 import { SandboxInstance } from './scf-sandbox-manager.js'
 import { tool as sdkTool, createSdkMcpServer } from '@anthropic-ai/claude-agent-sdk'
 import { z } from 'zod'
 import { nanoid } from 'nanoid'
 import cron from 'node-cron'
+import http from 'node:http'
+import type { AddressInfo } from 'node:net'
 import { getDb } from '../db/index.js'
 import { scheduleTask, unscheduleTask } from '../services/cron-scheduler.js'
 import { extractDeployUrl } from '../agent/runtime/base-runtime.js'
@@ -530,7 +533,7 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   server.tool('publishMiniprogram', PUBLISH_MP_DESC, PUBLISH_MP_SCHEMA, handlePublishMiniprogram)
   server.tool('getDeployJobStatus', DEPLOY_STATUS_DESC, DEPLOY_STATUS_SCHEMA, handleGetDeployJobStatus)
 
-  // ── Wire InMemoryTransport pair ───────────────────────────────
+  // ── Wire InMemoryTransport pair (CodeBuddy SDK runtime) ──────────────────
 
   const [serverTransport, clientTransport] = InMemoryTransport.createLinkedPair()
   await server.connect(serverTransport)
@@ -538,6 +541,27 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   const client = new Client({ name: 'cloudbase-agent', version: '1.0.0' })
   await client.connect(clientTransport)
 
+  // ── Expose HTTP endpoint (OpenCode ACP runtime) ───────────────────────────
+  // 同一个 McpServer 实例再挂一个 StreamableHTTPServerTransport，
+  // opencode 通过 McpServerHttp { type:'http', url } 连接。
+  // localhost 随机端口，生命周期与 launchAgent 一致（close() 时关闭）。
+
+  const httpTransport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined })
+  await server.connect(httpTransport)
+
+  const httpServer = http.createServer(async (req, res) => {
+    try {
+      await httpTransport.handleRequest(req, res)
+    } catch {
+      res.writeHead(500).end()
+    }
+  })
+  await new Promise<void>((resolve, reject) => {
+    httpServer.listen(0, '127.0.0.1', resolve)
+    httpServer.on('error', reject)
+  })
+  const mcpUrl = `http://127.0.0.1:${(httpServer.address() as AddressInfo).port}/mcp`
+
   // ── Build SDK MCP Server for passing to query() mcpServers ────
   // createSdkMcpServer is needed because agent-sdk's mcpServers option
   // requires SDK-wrapped servers (not raw @modelcontextprotocol/sdk McpServer).
@@ -795,13 +819,13 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
     client,
     server,
     sdkServer,
+    /** localhost HTTP URL for OpenCode ACP mcpServers config */
+    mcpUrl,
     close: async () => {
-      try {
-        await client.close()
-      } catch {}
-      try {
-        await server.close()
-      } catch {}
+      try { await client.close() } catch {}
+      try { await server.close() } catch {}
+      try { await httpTransport.close() } catch {}
+      await new Promise<void>((r) => httpServer.close(() => r()))
     },
   }
 }

From c5c36123b2b198b79100b16d6c1b0df77f8d0322 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Fri, 8 May 2026 00:40:38 +0800
Subject: [PATCH 24/33] =?UTF-8?q?feat(opencode):=20=E5=85=A8=E5=B1=80=20Cl?=
 =?UTF-8?q?oudBase=20MCP=20HTTP=20server=20=E2=80=94=20=E5=A4=8D=E7=94=A8?=
 =?UTF-8?q?=20Express=20=E7=AB=AF=E5=8F=A3=EF=BC=8C=E9=9B=B6=E9=A2=9D?=
 =?UTF-8?q?=E5=A4=96=20TCP=20=E5=BC=80=E9=94=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

问题：McpServer 一个实例只能绑定一个 transport（Already connected 报错）

方案：全局单一 HTTP MCP 路由 /cloudbase-mcp
- 复用 server 进程已有的 Express 端口（不额外开 TCP 端口）
- Per-request McpServer + StreamableHTTPServerTransport（stateless）
  每次 HTTP 请求临时创建，请求完成随 GC 回收，零内存积累
- Sandbox 信息通过 headers 传入（X-Sandbox-Url/Auth/Scope-Id）
- 工具 schema 按 scopeId 缓存 30min，避免重复调 mcporter list

文件变更：
- routes/mcp-cloudbase.ts: 全局路由（新建）
  含工具发现（mcporter list）、mcporter call 代理、schema 缓存
- index.ts: 在 authMiddleware 前注册 /cloudbase-mcp 路由
- opencode-acp-runtime.ts: newSession.mcpServers 指向 localhost/cloudbase-mcp
  通过 headers 传入 sandbox 信息 + 可选 API key 鉴权
- sandbox-mcp-proxy.ts: 撤回错误的 HTTP transport 代码，恢复干净的 InMemoryTransport 版本
---
 .../src/agent/runtime/opencode-acp-runtime.ts |  63 ++--
 packages/server/src/index.ts                  |   4 +
 packages/server/src/routes/mcp-cloudbase.ts   | 310 ++++++++++++++++++
 .../server/src/sandbox/sandbox-mcp-proxy.ts   |  38 +--
 4 files changed, 346 insertions(+), 69 deletions(-)
 create mode 100644 packages/server/src/routes/mcp-cloudbase.ts

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 6e25a96..f0328c1 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -6,10 +6,8 @@
  *
  * 架构（"项目级 tool override + env 注入 + 共享沙箱"）：
  *
- *   server 启动时：
- *     ensureOpencodeToolsInstalled()
- *       └─ 把 read/write/bash/edit/grep/glob 模板拷贝到 <projectRoot>/.opencode/tools/
- *          （同名 custom tool 覆盖 builtin — 实测已验证）
+ *   工具文件直接 checked in 到 .opencode/tools/（无需安装步骤）。
+ *   同名 custom tool 覆盖 opencode builtin — read/write/bash/edit/grep/glob。
  *
  *   每次 chatStream：
  *     1. BaseAgentRuntime.setupSandbox() 创建/获取 SCF 沙箱（共享实例）
@@ -40,7 +38,7 @@ import {
 import { persistenceService } from '../persistence.service.js'
 import { CloudbaseAgentService } from '../cloudbase-agent.service.js'
 import { getAcpTransportFactory, getResolvedBin, type AcpTransport } from './acp-transport.js'
-import { ensureOpencodeToolsInstalled, getOpencodeConfigDir } from './opencode-installer.js'
+import { getOpencodeConfigDir } from './opencode-installer.js'
 import { registerPending, resolvePending, rejectPendingForConversation } from './pending-permission-registry.js'
 import { resolvePendingQuestion, rejectPendingQuestionsForConversation } from './pending-question-registry.js'
 import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt } from './opencode-message-builder.js'
@@ -62,8 +60,6 @@ const SANDBOX_WORKSPACE_ROOT = process.env.SANDBOX_WORKSPACE_ROOT || '.'
 
 // ─── State ───────────────────────────────────────────────────────────────
 
-let toolsInstallPromise: Promise<void> | null = null
-
 /**
  * 活跃 agent 的 liveCallback 注册表。
  *
@@ -140,28 +136,6 @@ function cryptoRandomToken(): string {
   return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('')
 }
 
-/** 惰性确保全局 tools 已安装；多次调用只执行一次。 */
-function ensureToolsInstalledOnce(): Promise<void> {
-  if (process.env.OPENCODE_SKIP_TOOLS_INSTALL === '1') {
-    return Promise.resolve()
-  }
-  if (!toolsInstallPromise) {
-    toolsInstallPromise = ensureOpencodeToolsInstalled()
-      .then((r) => {
-        if (r.installed.length || r.forced) {
-          console.log(
-            `[OpencodeAcpRuntime] installed opencode tools to ${r.installDir}: installed=${r.installed.join(',') || '-'} skipped=${r.skipped.join(',') || '-'}`,
-          )
-        }
-      })
-      .catch((err) => {
-        console.error('[OpencodeAcpRuntime] failed to install opencode tools:', err)
-        // Don't reset — broken installer is better than infinite retry loop
-      })
-  }
-  return toolsInstallPromise
-}
-
 // ─── Runtime ─────────────────────────────────────────────────────────────
 
 export class OpencodeAcpRuntime extends BaseAgentRuntime {
@@ -340,12 +314,11 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
     let transport: AcpTransport | null = null
     let sandbox: SandboxInstance | null = null
-    let sandboxMcpClient: { close: () => Promise<void>; mcpUrl?: string } | null = null
+    let sandboxMcpClient: { close: () => Promise<void> } | null = null
     let sessionWorkingDir: string | null = null
 
     try {
-      // 0. 确保全局 opencode tools 已安装
-      await ensureToolsInstalledOnce()
+      // 0. 确保 opencode.json 已从 example 初始化（若不存在）
 
       // 1. 使用基类共享设施初始化沙箱 + MCP + 系统提示
       const isCodingMode = options.mode === 'coding'
@@ -483,13 +456,27 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         },
       })
 
-      // 7. 创建 session — 注入 CloudBase MCP server
-      // sandboxMcpClient.server（在 base-runtime.setupSandbox 里创建）已通过
-      // StreamableHTTPServerTransport 暴露为 localhost HTTP endpoint（mcpUrl）。
-      // opencode 通过 McpServerHttp { type:'http', url } 连接，复用完全相同的工具注册逻辑。
+      // 7. 创建 session — 注入 CloudBase MCP server（全局 /cloudbase-mcp 路由）
+      // 全局 HTTP MCP server 挂载在 server 进程的 /cloudbase-mcp 路径，
+      // opencode 通过 McpServerHttp 连接，sandbox 信息通过 headers 传入。
+      // 每次 HTTP 请求创建 per-request McpServer（stateless），工具 schema 按 scopeId 缓存。
       const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
-      if (sandboxMcpClient?.mcpUrl) {
-        mcpServers.push({ type: 'http', name: 'cloudbase', url: sandboxMcpClient.mcpUrl, headers: [] })
+      if (sandbox) {
+        const authHeaders = await sandbox.getAuthHeaders()
+        const serverPort = Number(process.env.PORT) || 3001
+        mcpServers.push({
+          type: 'http',
+          name: 'cloudbase',
+          url: `http://localhost:${serverPort}/cloudbase-mcp`,
+          headers: [
+            { name: 'X-Sandbox-Url', value: sandbox.baseUrl },
+            { name: 'X-Sandbox-Auth', value: JSON.stringify(authHeaders) },
+            { name: 'X-Scope-Id', value: conversationId },
+            ...(process.env.MCP_API_KEY
+              ? [{ name: 'Authorization', value: `Bearer ${process.env.MCP_API_KEY}` }]
+              : []),
+          ],
+        })
       }
       const newRes = await conn.newSession({
         cwd: sessionWorkingDir,
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index 8de286e..0135eba 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -50,6 +50,7 @@ import apiKeysRoutes from './routes/api-keys'
 import miscRoutes from './routes/misc'
 import reposRoutes from './routes/repos'
 import databaseRoutes from './routes/database.js'
+import mcpCloudbaseRoutes from './routes/mcp-cloudbase.js'
 import storageRoutes from './routes/storage.js'
 import functionsRoutes from './routes/functions.js'
 import sqlRoutes from './routes/sql.js'
@@ -70,6 +71,9 @@ app.use(
 // API routes (must be before static files)
 app.use('*', authMiddleware)
 
+// CloudBase MCP HTTP server (for OpenCode ACP runtime — self-authenticates via X-Sandbox-Auth)
+app.route('/cloudbase-mcp', mcpCloudbaseRoutes)
+
 app.get('/health', (c) => c.json({ status: 'ok' }))
 app.route('/api/auth', authRoutes)
 app.route('/api/auth/github', githubAuthRoutes)
diff --git a/packages/server/src/routes/mcp-cloudbase.ts b/packages/server/src/routes/mcp-cloudbase.ts
new file mode 100644
index 0000000..520825d
--- /dev/null
+++ b/packages/server/src/routes/mcp-cloudbase.ts
@@ -0,0 +1,310 @@
+/**
+ * Global CloudBase MCP HTTP Route
+ *
+ * 全局单一 HTTP MCP 路由，供 OpenCode ACP runtime 连接 CloudBase 工具。
+ *
+ * 设计：
+ * - 复用 Express server 的同一端口（/cloudbase-mcp 路径），零额外 TCP 端口
+ * - 每次 HTTP 请求创建 per-request McpServer + StreamableHTTPServerTransport（stateless）
+ *   请求处理完毕后实例随 GC 回收
+ * - Sandbox 信息（URL、认证 headers、scope ID）通过 request headers 传入
+ * - 工具 schema 按 scopeId 缓存，避免每次重新调 mcporter list
+ *
+ * OpenCode 配置（McpServerHttp）：
+ *   {
+ *     type: 'http',
+ *     name: 'cloudbase',
+ *     url: 'http://localhost:3001/cloudbase-mcp',
+ *     headers: [
+ *       { name: 'X-Sandbox-Url',  value: sandbox.baseUrl },
+ *       { name: 'X-Sandbox-Auth', value: JSON.stringify(authHeaders) },
+ *       { name: 'X-Scope-Id',     value: conversationId },
+ *       { name: 'Authorization',  value: 'Bearer <MCP_API_KEY>' },
+ *     ]
+ *   }
+ */
+
+import { Hono } from 'hono'
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
+import type { HttpBindings } from '@hono/node-server'
+import { z } from 'zod'
+
+// ─── Types ────────────────────────────────────────────────────────────────
+
+interface ToolSchema {
+  name: string
+  description?: string
+  inputSchema?: {
+    type?: string
+    properties?: Record<string, any>
+    required?: string[]
+  }
+}
+
+// ─── Tools Schema Cache ────────────────────────────────────────────────────
+// key: scopeId（conversationId），value: discovered tool list
+// TTL: 30 minutes（沙箱重启后工具列表不变，缓存避免重复调 mcporter list）
+
+interface CacheEntry {
+  tools: ToolSchema[]
+  expiresAt: number
+}
+const toolsSchemaCache = new Map<string, CacheEntry>()
+const CACHE_TTL_MS = 30 * 60 * 1000
+
+function getCachedTools(scopeId: string): ToolSchema[] | null {
+  const entry = toolsSchemaCache.get(scopeId)
+  if (!entry) return null
+  if (Date.now() > entry.expiresAt) {
+    toolsSchemaCache.delete(scopeId)
+    return null
+  }
+  return entry.tools
+}
+
+function setCachedTools(scopeId: string, tools: ToolSchema[]): void {
+  toolsSchemaCache.set(scopeId, { tools, expiresAt: Date.now() + CACHE_TTL_MS })
+}
+
+// ─── Sandbox HTTP helpers ──────────────────────────────────────────────────
+// 不依赖 SandboxInstance，直接通过 fetch 调沙箱 HTTP API
+
+async function sandboxFetch(
+  sandboxUrl: string,
+  sandboxAuth: Record<string, string>,
+  scopeId: string,
+  path: string,
+  init: RequestInit = {},
+): Promise<Response> {
+  return fetch(`${sandboxUrl}${path}`, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      ...sandboxAuth,
+      'X-Scope-Id': scopeId,
+      ...(init.headers as Record<string, string> | undefined),
+    },
+  })
+}
+
+async function sandboxBash(
+  sandboxUrl: string,
+  sandboxAuth: Record<string, string>,
+  scopeId: string,
+  command: string,
+  timeoutMs = 60_000,
+): Promise<string> {
+  const res = await sandboxFetch(sandboxUrl, sandboxAuth, scopeId, '/api/tools/bash', {
+    method: 'POST',
+    body: JSON.stringify({ command, timeout: timeoutMs }),
+    signal: AbortSignal.timeout(timeoutMs + 5_000),
+  })
+  const data = (await res.json().catch(() => ({ success: false, error: `HTTP ${res.status}` }))) as any
+  if (!data.success) throw new Error(data.error ?? `bash failed (${res.status})`)
+  const r = data.result
+  if (typeof r === 'string') return r
+  return r?.output ?? r?.stdout ?? JSON.stringify(r ?? '')
+}
+
+// ─── Tool Schema Discovery ─────────────────────────────────────────────────
+
+async function discoverCloudbaseTools(
+  sandboxUrl: string,
+  sandboxAuth: Record<string, string>,
+  scopeId: string,
+): Promise<ToolSchema[]> {
+  const tmpPath = `.cloudbase-mcp-schema-${scopeId.slice(0, 8)}.json`
+  try {
+    await sandboxBash(
+      sandboxUrl,
+      sandboxAuth,
+      scopeId,
+      `mcporter list cloudbase --schema --output json > ${tmpPath} 2>&1`,
+      25_000,
+    )
+    const res = await sandboxFetch(
+      sandboxUrl,
+      sandboxAuth,
+      scopeId,
+      `/e2b-compatible/files?path=${encodeURIComponent(tmpPath)}`,
+    )
+    if (!res.ok) throw new Error(`Failed to read schema file: ${res.status}`)
+    const parsed = (await res.json()) as any
+    if (!Array.isArray(parsed.tools)) throw new Error('No tools array in schema response')
+    return parsed.tools as ToolSchema[]
+  } finally {
+    sandboxBash(sandboxUrl, sandboxAuth, scopeId, `rm -f ${tmpPath}`, 5_000).catch(() => {})
+  }
+}
+
+// ─── mcporter call ─────────────────────────────────────────────────────────
+
+function serializeFnCall(toolName: string, args: Record<string, unknown>): string {
+  if (!args || Object.keys(args).length === 0) return `cloudbase.${toolName}()`
+  const parts = Object.entries(args)
+    .map(([k, v]) => {
+      if (v === undefined || v === null) return null
+      if (typeof v === 'string') return `${k}: ${JSON.stringify(v)}`
+      if (typeof v === 'boolean' || typeof v === 'number') return `${k}: ${v}`
+      return `${k}: ${JSON.stringify(v)}`
+    })
+    .filter(Boolean)
+    .join(', ')
+  return `cloudbase.${toolName}(${parts})`
+}
+
+async function mcporterCall(
+  sandboxUrl: string,
+  sandboxAuth: Record<string, string>,
+  scopeId: string,
+  toolName: string,
+  args: Record<string, unknown>,
+): Promise<string> {
+  const expr = serializeFnCall(toolName, args)
+  const escaped = expr.replace(/'/g, "'\\''")
+  return sandboxBash(sandboxUrl, sandboxAuth, scopeId, `mcporter call '${escaped}' 2>&1`, 60_000)
+}
+
+// ─── JSON Schema to Zod ────────────────────────────────────────────────────
+
+function jsonSchemaPropToZod(propSchema: any): z.ZodTypeAny {
+  if (!propSchema) return z.any()
+  const { type, description, enum: enumValues, items, properties, required } = propSchema
+  let zodType: z.ZodTypeAny
+  if (enumValues && Array.isArray(enumValues)) {
+    zodType = z.enum(enumValues as [string, ...string[]])
+  } else if (type === 'string') {
+    zodType = z.string()
+  } else if (type === 'number' || type === 'integer') {
+    zodType = z.number()
+  } else if (type === 'boolean') {
+    zodType = z.boolean()
+  } else if (type === 'array') {
+    zodType = z.array(items ? jsonSchemaPropToZod(items) : z.any())
+  } else if (type === 'object') {
+    if (properties) {
+      const shape: Record<string, z.ZodTypeAny> = {}
+      const reqSet = new Set(required || [])
+      for (const [k, v] of Object.entries(properties)) {
+        let t = jsonSchemaPropToZod(v as any)
+        if (!reqSet.has(k)) t = t.optional() as z.ZodTypeAny
+        shape[k] = t
+      }
+      zodType = z.object(shape)
+    } else {
+      zodType = z.record(z.string(), z.any())
+    }
+  } else {
+    zodType = z.any()
+  }
+  return description ? zodType.describe(description) : zodType
+}
+
+function jsonSchemaToZodShape(schema: any): Record<string, z.ZodTypeAny> {
+  if (!schema?.properties) return {}
+  const required = new Set<string>(schema.required ?? [])
+  const shape: Record<string, z.ZodTypeAny> = {}
+  for (const [key, prop] of Object.entries(schema.properties as Record<string, any>)) {
+    let t = jsonSchemaPropToZod(prop)
+    if (!required.has(key)) t = t.optional() as z.ZodTypeAny
+    shape[key] = t
+  }
+  return shape
+}
+
+// ─── Per-request MCP Server builder ───────────────────────────────────────
+
+const SKIP_TOOLS = new Set(['logout', 'interactiveDialog'])
+
+async function buildMcpServer(
+  sandboxUrl: string,
+  sandboxAuth: Record<string, string>,
+  scopeId: string,
+): Promise<McpServer> {
+  // Get or discover tool schema
+  let tools = getCachedTools(scopeId)
+  if (!tools) {
+    try {
+      tools = await discoverCloudbaseTools(sandboxUrl, sandboxAuth, scopeId)
+      setCachedTools(scopeId, tools)
+    } catch (e) {
+      console.warn('[cloudbase-mcp] Tool discovery failed:', (e as Error).message)
+      tools = []
+    }
+  }
+
+  const server = new McpServer({ name: 'cloudbase', version: '1.0.0' })
+
+  for (const tool of tools) {
+    if (SKIP_TOOLS.has(tool.name)) continue
+    const zodShape = jsonSchemaToZodShape(tool.inputSchema)
+    server.tool(
+      tool.name,
+      (tool.description ?? `CloudBase tool: ${tool.name}`) +
+        '\n\nNOTE: localPath refers to paths inside the container workspace.',
+      zodShape,
+      async (args: Record<string, unknown>) => {
+        try {
+          const output = await mcporterCall(sandboxUrl, sandboxAuth, scopeId, tool.name, args)
+          return {
+            content: [{ type: 'text' as const, text: typeof output === 'string' ? output : JSON.stringify(output) }],
+          }
+        } catch (e: any) {
+          return { content: [{ type: 'text' as const, text: `Error: ${e.message}` }], isError: true }
+        }
+      },
+    )
+  }
+
+  return server
+}
+
+// ─── Hono Route ───────────────────────────────────────────────────────────
+
+const MCP_API_KEY = process.env.MCP_API_KEY
+
+const app = new Hono<{ Bindings: HttpBindings }>()
+
+// All methods: parse sandbox headers and dispatch to MCP transport
+app.all('*', async (c) => {
+  // Optional API key check
+  if (MCP_API_KEY) {
+    const auth = c.req.header('Authorization') ?? ''
+    const key = auth.startsWith('Bearer ') ? auth.slice(7) : auth
+    if (key !== MCP_API_KEY) {
+      return c.json({ error: 'Unauthorized' }, 401)
+    }
+  }
+
+  const sandboxUrl = c.req.header('X-Sandbox-Url')
+  const sandboxAuthRaw = c.req.header('X-Sandbox-Auth') ?? '{}'
+  const scopeId = c.req.header('X-Scope-Id') ?? 'default'
+
+  if (!sandboxUrl) {
+    return c.json({ error: 'X-Sandbox-Url header required' }, 400)
+  }
+
+  let sandboxAuth: Record<string, string>
+  try {
+    sandboxAuth = JSON.parse(sandboxAuthRaw)
+  } catch {
+    return c.json({ error: 'Invalid X-Sandbox-Auth header (must be JSON)' }, 400)
+  }
+
+  // Build per-request McpServer with tools registered
+  const mcpServer = await buildMcpServer(sandboxUrl, sandboxAuth, scopeId)
+
+  // Create stateless transport and handle this single HTTP request
+  // @hono/node-server exposes Node.js raw req/res via c.env (HttpBindings)
+  const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined })
+  await mcpServer.connect(transport)
+
+  const { incoming, outgoing } = c.env
+  await transport.handleRequest(incoming, outgoing)
+
+  // Response was written directly to outgoing (ServerResponse), return empty to Hono
+  return new Response(null, { status: 200 })
+})
+
+export default app
diff --git a/packages/server/src/sandbox/sandbox-mcp-proxy.ts b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
index 1d95f57..197b54b 100644
--- a/packages/server/src/sandbox/sandbox-mcp-proxy.ts
+++ b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
@@ -9,15 +9,12 @@
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { InMemoryTransport } from '@modelcontextprotocol/sdk/inMemory.js'
-import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
 import { Client } from '@modelcontextprotocol/sdk/client/index.js'
 import { SandboxInstance } from './scf-sandbox-manager.js'
 import { tool as sdkTool, createSdkMcpServer } from '@anthropic-ai/claude-agent-sdk'
 import { z } from 'zod'
 import { nanoid } from 'nanoid'
 import cron from 'node-cron'
-import http from 'node:http'
-import type { AddressInfo } from 'node:net'
 import { getDb } from '../db/index.js'
 import { scheduleTask, unscheduleTask } from '../services/cron-scheduler.js'
 import { extractDeployUrl } from '../agent/runtime/base-runtime.js'
@@ -533,7 +530,7 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   server.tool('publishMiniprogram', PUBLISH_MP_DESC, PUBLISH_MP_SCHEMA, handlePublishMiniprogram)
   server.tool('getDeployJobStatus', DEPLOY_STATUS_DESC, DEPLOY_STATUS_SCHEMA, handleGetDeployJobStatus)
 
-  // ── Wire InMemoryTransport pair (CodeBuddy SDK runtime) ──────────────────
+  // ── Wire InMemoryTransport pair ───────────────────────────────
 
   const [serverTransport, clientTransport] = InMemoryTransport.createLinkedPair()
   await server.connect(serverTransport)
@@ -541,27 +538,6 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   const client = new Client({ name: 'cloudbase-agent', version: '1.0.0' })
   await client.connect(clientTransport)
 
-  // ── Expose HTTP endpoint (OpenCode ACP runtime) ───────────────────────────
-  // 同一个 McpServer 实例再挂一个 StreamableHTTPServerTransport，
-  // opencode 通过 McpServerHttp { type:'http', url } 连接。
-  // localhost 随机端口，生命周期与 launchAgent 一致（close() 时关闭）。
-
-  const httpTransport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined })
-  await server.connect(httpTransport)
-
-  const httpServer = http.createServer(async (req, res) => {
-    try {
-      await httpTransport.handleRequest(req, res)
-    } catch {
-      res.writeHead(500).end()
-    }
-  })
-  await new Promise<void>((resolve, reject) => {
-    httpServer.listen(0, '127.0.0.1', resolve)
-    httpServer.on('error', reject)
-  })
-  const mcpUrl = `http://127.0.0.1:${(httpServer.address() as AddressInfo).port}/mcp`
-
   // ── Build SDK MCP Server for passing to query() mcpServers ────
   // createSdkMcpServer is needed because agent-sdk's mcpServers option
   // requires SDK-wrapped servers (not raw @modelcontextprotocol/sdk McpServer).
@@ -819,13 +795,13 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
     client,
     server,
     sdkServer,
-    /** localhost HTTP URL for OpenCode ACP mcpServers config */
-    mcpUrl,
     close: async () => {
-      try { await client.close() } catch {}
-      try { await server.close() } catch {}
-      try { await httpTransport.close() } catch {}
-      await new Promise<void>((r) => httpServer.close(() => r()))
+      try {
+        await client.close()
+      } catch {}
+      try {
+        await server.close()
+      } catch {}
     },
   }
 }

From 05b54dfb4381006aad45dd256e6ff06d2140a565 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Fri, 8 May 2026 00:46:57 +0800
Subject: [PATCH 25/33] =?UTF-8?q?fix(mcp-cloudbase):=20=E7=94=A8=20x-hono-?=
 =?UTF-8?q?already-sent=20=E9=98=B2=E6=AD=A2=20ERR=5FHTTP=5FHEADERS=5FSENT?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

transport.handleRequest() 已直接写 Node.js ServerResponse，
Hono 收到 Response(null, 200) 后会再次尝试 responseViaResponseObject → writeHead，
导致 ERR_HTTP_HEADERS_SENT 错误。

修复：返回 Response 时带上 x-hono-already-sent: 1 header，
这是 @hono/node-server 的内部信号（responseViaResponseObject line 519），
触发后跳过所有 header/body 写入。
---
 .opencode/opencode.example.json             |  2 +-
 .opencode/opencode.json                     | 76 +++++++++++++++++++++
 packages/server/src/routes/mcp-cloudbase.ts | 11 +--
 3 files changed, 84 insertions(+), 5 deletions(-)
 create mode 100644 .opencode/opencode.json

diff --git a/.opencode/opencode.example.json b/.opencode/opencode.example.json
index 17e89e5..baf4b85 100644
--- a/.opencode/opencode.example.json
+++ b/.opencode/opencode.example.json
@@ -6,7 +6,7 @@
       "npm": "@ai-sdk/openai-compatible",
       "name": "MiMo",
       "options": {
-        "baseURL": "https://token-plan-sgp.xiaomimimo.com/v1",
+        "baseURL": "{env:OPENAI_API_ENDPOINT}",
         "apiKey": "{env:MIMO_API_KEY}"
       },
       "models": {
diff --git a/.opencode/opencode.json b/.opencode/opencode.json
new file mode 100644
index 0000000..be4ad4a
--- /dev/null
+++ b/.opencode/opencode.json
@@ -0,0 +1,76 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "model": "mimo/mimo-v2.5-pro",
+  "provider": {
+    "mimo": {
+      "npm": "@ai-sdk/openai-compatible",
+      "name": "MiMo",
+      "options": {
+        "baseURL": "{env:OPENAI_API_ENDPOINT}",
+        "apiKey": "{env:OPENAI_API_KEY}"
+      },
+      "models": {
+        "mimo-v2.5-pro": {
+          "name": "MiMo V2.5 Pro",
+          "tool_call": true,
+          "limit": {
+            "context": 1048576,
+            "output": 131072
+          },
+          "modalities": {
+            "input": ["text", "image"],
+            "output": ["text"]
+          }
+        },
+        "mimo-v2.5": {
+          "name": "MiMo V2.5",
+          "tool_call": true,
+          "limit": {
+            "context": 1048576,
+            "output": 131072
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["text"]
+          }
+        },
+        "mimo-v2.5-tts": {
+          "name": "MiMo V2.5 TTS",
+          "tool_call": false,
+          "limit": {
+            "context": 8192,
+            "output": 4096
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["audio"]
+          }
+        },
+        "mimo-v2.5-tts-voiceclone": {
+          "name": "MiMo V2.5 TTS VoiceClone",
+          "tool_call": false,
+          "limit": {
+            "context": 8192,
+            "output": 4096
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["audio"]
+          }
+        },
+        "mimo-v2.5-tts-voicedesign": {
+          "name": "MiMo V2.5 TTS VoiceDesign",
+          "tool_call": false,
+          "limit": {
+            "context": 8192,
+            "output": 4096
+          },
+          "modalities": {
+            "input": ["text"],
+            "output": ["audio"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/packages/server/src/routes/mcp-cloudbase.ts b/packages/server/src/routes/mcp-cloudbase.ts
index 520825d..8d19f12 100644
--- a/packages/server/src/routes/mcp-cloudbase.ts
+++ b/packages/server/src/routes/mcp-cloudbase.ts
@@ -295,16 +295,19 @@ app.all('*', async (c) => {
   // Build per-request McpServer with tools registered
   const mcpServer = await buildMcpServer(sandboxUrl, sandboxAuth, scopeId)
 
-  // Create stateless transport and handle this single HTTP request
-  // @hono/node-server exposes Node.js raw req/res via c.env (HttpBindings)
+  // Create stateless transport and handle this single HTTP request.
+  // @hono/node-server exposes Node.js raw req/res via c.env (HttpBindings).
+  // transport.handleRequest writes directly to the Node.js ServerResponse,
+  // so we must tell Hono NOT to write its own response afterward.
+  // We use the @hono/node-server internal header 'x-hono-already-sent' = '1'
+  // which causes responseViaResponseObject to skip all header/body writing.
   const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined })
   await mcpServer.connect(transport)
 
   const { incoming, outgoing } = c.env
   await transport.handleRequest(incoming, outgoing)
 
-  // Response was written directly to outgoing (ServerResponse), return empty to Hono
-  return new Response(null, { status: 200 })
+  return new Response(null, { status: 200, headers: { 'x-hono-already-sent': '1' } })
 })
 
 export default app

From 127ea6d25f0c8808c799d810678b0500e353e7f6 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Fri, 8 May 2026 00:59:07 +0800
Subject: [PATCH 26/33] =?UTF-8?q?fix(mcp-cloudbase):=20=E8=AE=A4=E8=AF=81?=
 =?UTF-8?q?=E6=94=B9=E7=94=A8=E5=BD=93=E5=89=8D=E7=99=BB=E5=BD=95=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=20apiKey=EF=BC=8CscopeId=20=E6=94=B9=E5=90=8D=20sessi?=
 =?UTF-8?q?onId=20=E4=BB=85=E6=9C=AC=E5=9C=B0=E7=BC=93=E5=AD=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. 认证：
   - 删除 MCP_API_KEY 环境变量方式
   - 改用当前登录用户的 server API key (sak_xxx)
   - 路由在 authMiddleware 之后，c.get('session') 检查登录态
   - opencode 请求时从 DB 读取用户 apiKey (decrypt) → Authorization: Bearer sak_xxx

2. scopeId → sessionId（仅本地缓存 key，不传给沙箱）：
   - sandboxFetch / sandboxBash / discoverCloudbaseTools / mcporterCall 删除 scopeId 参数
   - sandboxAuth 已包含所有沙箱需要的认证和 scope headers（来自 sandbox.getAuthHeaders()）
   - buildMcpServer 参数重命名为 sessionId，清晰语义
   - 请求 header 从 X-Scope-Id 改为 X-Session-Id
---
 .../src/agent/runtime/opencode-acp-runtime.ts | 27 ++++++---
 packages/server/src/routes/mcp-cloudbase.ts   | 59 ++++++++-----------
 2 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index f0328c1..8a52ed7 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -45,6 +45,7 @@ import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt }
 import { BaseAgentRuntime } from './base-runtime.js'
 import type { SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { archiveToGit } from '../../sandbox/git-archive.js'
+import { getDb } from '../../db/index.js'
 import os from 'node:os'
 import path from 'node:path'
 import fs from 'node:fs'
@@ -457,13 +458,27 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
       })
 
       // 7. 创建 session — 注入 CloudBase MCP server（全局 /cloudbase-mcp 路由）
-      // 全局 HTTP MCP server 挂载在 server 进程的 /cloudbase-mcp 路径，
-      // opencode 通过 McpServerHttp 连接，sandbox 信息通过 headers 传入。
-      // 每次 HTTP 请求创建 per-request McpServer（stateless），工具 schema 按 scopeId 缓存。
+      // 全局 HTTP MCP server 挂载在 server 进程的 /cloudbase-mcp 路径。
+      // 认证：使用当前用户的 server API key（sak_xxx），通过 authMiddleware 校验。
+      // sandboxAuth 来自 sandbox.getAuthHeaders()，包含所有沙箱需要的 headers。
+      // X-Session-Id 仅用于本地工具 schema 缓存 key，不传给沙箱。
       const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
       if (sandbox) {
         const authHeaders = await sandbox.getAuthHeaders()
         const serverPort = Number(process.env.PORT) || 3001
+
+        // 获取用户 API key 用于 /cloudbase-mcp 路由认证
+        let userApiKey = ''
+        try {
+          const user = await getDb().users.findById(userId)
+          if (user?.apiKey) {
+            const { decrypt } = await import('../../lib/crypto.js')
+            userApiKey = decrypt(user.apiKey)
+          }
+        } catch {
+          /* API key 获取失败不影响主流程，未认证时路由会返回 401 */
+        }
+
         mcpServers.push({
           type: 'http',
           name: 'cloudbase',
@@ -471,10 +486,8 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
           headers: [
             { name: 'X-Sandbox-Url', value: sandbox.baseUrl },
             { name: 'X-Sandbox-Auth', value: JSON.stringify(authHeaders) },
-            { name: 'X-Scope-Id', value: conversationId },
-            ...(process.env.MCP_API_KEY
-              ? [{ name: 'Authorization', value: `Bearer ${process.env.MCP_API_KEY}` }]
-              : []),
+            { name: 'X-Session-Id', value: conversationId },
+            ...(userApiKey ? [{ name: 'Authorization', value: `Bearer ${userApiKey}` }] : []),
           ],
         })
       }
diff --git a/packages/server/src/routes/mcp-cloudbase.ts b/packages/server/src/routes/mcp-cloudbase.ts
index 8d19f12..9186143 100644
--- a/packages/server/src/routes/mcp-cloudbase.ts
+++ b/packages/server/src/routes/mcp-cloudbase.ts
@@ -18,7 +18,6 @@
  *     headers: [
  *       { name: 'X-Sandbox-Url',  value: sandbox.baseUrl },
  *       { name: 'X-Sandbox-Auth', value: JSON.stringify(authHeaders) },
- *       { name: 'X-Scope-Id',     value: conversationId },
  *       { name: 'Authorization',  value: 'Bearer <MCP_API_KEY>' },
  *     ]
  *   }
@@ -29,6 +28,7 @@ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
 import type { HttpBindings } from '@hono/node-server'
 import { z } from 'zod'
+import type { AppEnv } from '../middleware/auth.js'
 
 // ─── Types ────────────────────────────────────────────────────────────────
 
@@ -69,11 +69,11 @@ function setCachedTools(scopeId: string, tools: ToolSchema[]): void {
 
 // ─── Sandbox HTTP helpers ──────────────────────────────────────────────────
 // 不依赖 SandboxInstance，直接通过 fetch 调沙箱 HTTP API
+// sandboxAuth 已包含所有必要的认证和 scope headers（来自 sandbox.getAuthHeaders()），不额外注入
 
 async function sandboxFetch(
   sandboxUrl: string,
   sandboxAuth: Record<string, string>,
-  scopeId: string,
   path: string,
   init: RequestInit = {},
 ): Promise<Response> {
@@ -82,7 +82,6 @@ async function sandboxFetch(
     headers: {
       'Content-Type': 'application/json',
       ...sandboxAuth,
-      'X-Scope-Id': scopeId,
       ...(init.headers as Record<string, string> | undefined),
     },
   })
@@ -91,11 +90,10 @@ async function sandboxFetch(
 async function sandboxBash(
   sandboxUrl: string,
   sandboxAuth: Record<string, string>,
-  scopeId: string,
   command: string,
   timeoutMs = 60_000,
 ): Promise<string> {
-  const res = await sandboxFetch(sandboxUrl, sandboxAuth, scopeId, '/api/tools/bash', {
+  const res = await sandboxFetch(sandboxUrl, sandboxAuth, '/api/tools/bash', {
     method: 'POST',
     body: JSON.stringify({ command, timeout: timeoutMs }),
     signal: AbortSignal.timeout(timeoutMs + 5_000),
@@ -112,29 +110,22 @@ async function sandboxBash(
 async function discoverCloudbaseTools(
   sandboxUrl: string,
   sandboxAuth: Record<string, string>,
-  scopeId: string,
 ): Promise<ToolSchema[]> {
-  const tmpPath = `.cloudbase-mcp-schema-${scopeId.slice(0, 8)}.json`
+  const tmpPath = `.cloudbase-mcp-schema-${Date.now()}.json`
   try {
     await sandboxBash(
       sandboxUrl,
       sandboxAuth,
-      scopeId,
       `mcporter list cloudbase --schema --output json > ${tmpPath} 2>&1`,
       25_000,
     )
-    const res = await sandboxFetch(
-      sandboxUrl,
-      sandboxAuth,
-      scopeId,
-      `/e2b-compatible/files?path=${encodeURIComponent(tmpPath)}`,
-    )
+    const res = await sandboxFetch(sandboxUrl, sandboxAuth, `/e2b-compatible/files?path=${encodeURIComponent(tmpPath)}`)
     if (!res.ok) throw new Error(`Failed to read schema file: ${res.status}`)
     const parsed = (await res.json()) as any
     if (!Array.isArray(parsed.tools)) throw new Error('No tools array in schema response')
     return parsed.tools as ToolSchema[]
   } finally {
-    sandboxBash(sandboxUrl, sandboxAuth, scopeId, `rm -f ${tmpPath}`, 5_000).catch(() => {})
+    sandboxBash(sandboxUrl, sandboxAuth, `rm -f ${tmpPath}`, 5_000).catch(() => {})
   }
 }
 
@@ -157,13 +148,12 @@ function serializeFnCall(toolName: string, args: Record<string, unknown>): strin
 async function mcporterCall(
   sandboxUrl: string,
   sandboxAuth: Record<string, string>,
-  scopeId: string,
   toolName: string,
   args: Record<string, unknown>,
 ): Promise<string> {
   const expr = serializeFnCall(toolName, args)
   const escaped = expr.replace(/'/g, "'\\''")
-  return sandboxBash(sandboxUrl, sandboxAuth, scopeId, `mcporter call '${escaped}' 2>&1`, 60_000)
+  return sandboxBash(sandboxUrl, sandboxAuth, `mcporter call '${escaped}' 2>&1`, 60_000)
 }
 
 // ─── JSON Schema to Zod ────────────────────────────────────────────────────
@@ -220,14 +210,15 @@ const SKIP_TOOLS = new Set(['logout', 'interactiveDialog'])
 async function buildMcpServer(
   sandboxUrl: string,
   sandboxAuth: Record<string, string>,
-  scopeId: string,
+  /** 本地缓存 key（conversationId），不传给沙箱 */
+  sessionId: string,
 ): Promise<McpServer> {
-  // Get or discover tool schema
-  let tools = getCachedTools(scopeId)
+  // Get or discover tool schema (cached by sessionId)
+  let tools = getCachedTools(sessionId)
   if (!tools) {
     try {
-      tools = await discoverCloudbaseTools(sandboxUrl, sandboxAuth, scopeId)
-      setCachedTools(scopeId, tools)
+      tools = await discoverCloudbaseTools(sandboxUrl, sandboxAuth)
+      setCachedTools(sessionId, tools)
     } catch (e) {
       console.warn('[cloudbase-mcp] Tool discovery failed:', (e as Error).message)
       tools = []
@@ -246,7 +237,7 @@ async function buildMcpServer(
       zodShape,
       async (args: Record<string, unknown>) => {
         try {
-          const output = await mcporterCall(sandboxUrl, sandboxAuth, scopeId, tool.name, args)
+          const output = await mcporterCall(sandboxUrl, sandboxAuth, tool.name, args)
           return {
             content: [{ type: 'text' as const, text: typeof output === 'string' ? output : JSON.stringify(output) }],
           }
@@ -262,24 +253,20 @@ async function buildMcpServer(
 
 // ─── Hono Route ───────────────────────────────────────────────────────────
 
-const MCP_API_KEY = process.env.MCP_API_KEY
+const app = new Hono<AppEnv & { Bindings: HttpBindings }>()
 
-const app = new Hono<{ Bindings: HttpBindings }>()
-
-// All methods: parse sandbox headers and dispatch to MCP transport
+// All methods: authenticate → parse sandbox headers → dispatch to MCP transport
 app.all('*', async (c) => {
-  // Optional API key check
-  if (MCP_API_KEY) {
-    const auth = c.req.header('Authorization') ?? ''
-    const key = auth.startsWith('Bearer ') ? auth.slice(7) : auth
-    if (key !== MCP_API_KEY) {
-      return c.json({ error: 'Unauthorized' }, 401)
-    }
+  // 认证：要求已登录用户（支持 cookie session 和 API key sak_xxx）
+  const session = c.get('session')
+  if (!session?.user?.id) {
+    return c.json({ error: 'Unauthorized' }, 401)
   }
 
   const sandboxUrl = c.req.header('X-Sandbox-Url')
   const sandboxAuthRaw = c.req.header('X-Sandbox-Auth') ?? '{}'
-  const scopeId = c.req.header('X-Scope-Id') ?? 'default'
+  // sessionId 仅用于本地工具 schema 缓存 key，不传给沙箱
+  const sessionId = c.req.header('X-Session-Id') ?? 'default'
 
   if (!sandboxUrl) {
     return c.json({ error: 'X-Sandbox-Url header required' }, 400)
@@ -293,7 +280,7 @@ app.all('*', async (c) => {
   }
 
   // Build per-request McpServer with tools registered
-  const mcpServer = await buildMcpServer(sandboxUrl, sandboxAuth, scopeId)
+  const mcpServer = await buildMcpServer(sandboxUrl, sandboxAuth, sessionId)
 
   // Create stateless transport and handle this single HTTP request.
   // @hono/node-server exposes Node.js raw req/res via c.env (HttpBindings).

From c3a15d389a0a118449b5ef728bed9b63bee14797 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Fri, 8 May 2026 02:11:49 +0800
Subject: [PATCH 27/33] =?UTF-8?q?fix(opencode):=20/cloudbase-mcp=20?=
 =?UTF-8?q?=E5=A4=8D=E7=94=A8=20sessionJwe=20=E9=89=B4=E6=9D=83=20+=20?=
 =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20SandboxInstance.envId=20=E2=86=92?=
 =?UTF-8?q?=20scfSessionId?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. /cloudbase-mcp 鉴权改用 sessionJwe（同 storage/presign 机制）：
   - base-runtime.setupSandbox() 顶层声明 capturedSessionJwe，返回值新增 sessionJwe 字段
   - opencode-acp-runtime newSession.mcpServers 注入 Cookie: nex_session=<jwe>
     替代之前的 internal token / 用户 API key 方案
   - mcp-cloudbase.ts 简化为只检查 c.get('session')，authMiddleware 通过 cookie 解 JWE
   - 删除 CLOUDBASE_MCP_INTERNAL_TOKEN

2. 重命名 SandboxInstance.envId → scfSessionId（消除歧义）：
   - 该字段存的是 SCF session ID（shared 模式=cloudbase envId, isolated 模式=conversationId）
   - 不是用户的 CloudBase 环境 ID（之前命名 envId 容易混淆）
   - 同步更新 buildAuthHeaders/createNewFunction 参数名 + sandbox-mcp-proxy 日志
   - 新增 JSDoc 说明字段语义

3. 调试日志：mcp-cloudbase 路由打印请求头摘要 + 工具发现状态
---
 .../server/src/agent/runtime/base-runtime.ts  |  8 ++++-
 .../src/agent/runtime/opencode-acp-runtime.ts | 22 +++----------
 packages/server/src/routes/mcp-cloudbase.ts   |  7 ++---
 .../server/src/sandbox/sandbox-mcp-proxy.ts   |  2 +-
 .../server/src/sandbox/scf-sandbox-manager.ts | 31 ++++++++++++-------
 5 files changed, 34 insertions(+), 36 deletions(-)

diff --git a/packages/server/src/agent/runtime/base-runtime.ts b/packages/server/src/agent/runtime/base-runtime.ts
index 3890519..45d13e7 100644
--- a/packages/server/src/agent/runtime/base-runtime.ts
+++ b/packages/server/src/agent/runtime/base-runtime.ts
@@ -338,6 +338,8 @@ export abstract class BaseAgentRuntime implements IAgentRuntime {
     sandboxSessionId: string
     toolOverrideConfig: { url: string; headers: Record<string, string> } | null
     mcpClient: Awaited<ReturnType<typeof createSandboxMcpClient>> | null
+    /** Short-lived JWE session cookie for authenticating localhost requests (e.g. /cloudbase-mcp) */
+    sessionJwe: string | null
   }> {
     const { conversationId, envId, userId, userCredentials, isCodingMode, callback, model } = options
 
@@ -350,6 +352,7 @@ export abstract class BaseAgentRuntime implements IAgentRuntime {
         sandboxSessionId: envId || conversationId,
         toolOverrideConfig: null,
         mcpClient: null,
+        sessionJwe: null,
       }
     }
 
@@ -391,6 +394,7 @@ export abstract class BaseAgentRuntime implements IAgentRuntime {
     let toolOverrideConfig: { url: string; headers: Record<string, string> } | null = null
     let mcpClient: Awaited<ReturnType<typeof createSandboxMcpClient>> | null = null
     let detectedCwd: string | null = null
+    let capturedSessionJwe: string | null = null
 
     try {
       sandboxInstance = await scfSandboxManager.getOrCreate(
@@ -407,7 +411,7 @@ export abstract class BaseAgentRuntime implements IAgentRuntime {
 
       toolOverrideConfig = await sandboxInstance.getToolOverrideConfig()
 
-      // Inject hosting presign config for ImageGen
+      // Inject hosting presign config for ImageGen, and capture sessionJwe for /cloudbase-mcp auth
       try {
         const user = await getDb().users.findById(userId)
         if (user) {
@@ -423,6 +427,7 @@ export abstract class BaseAgentRuntime implements IAgentRuntime {
             },
           }
           const sessionJwe = await encryptJWE(session, '2h')
+          capturedSessionJwe = sessionJwe
           const serverPort = Number(process.env.PORT) || 3001
           ;(toolOverrideConfig as any).hosting = {
             presignUrl: `http://localhost:${serverPort}/api/storage/presign?bucketType=static`,
@@ -514,6 +519,7 @@ export abstract class BaseAgentRuntime implements IAgentRuntime {
       sandboxSessionId,
       toolOverrideConfig,
       mcpClient,
+      sessionJwe: capturedSessionJwe,
     }
   }
 
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 8a52ed7..37a6190 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -45,7 +45,6 @@ import { OpencodeMessageBuilder, findLastRecordIds, buildHistoryContextPrompt }
 import { BaseAgentRuntime } from './base-runtime.js'
 import type { SandboxInstance } from '../../sandbox/scf-sandbox-manager.js'
 import { archiveToGit } from '../../sandbox/git-archive.js'
-import { getDb } from '../../db/index.js'
 import os from 'node:os'
 import path from 'node:path'
 import fs from 'node:fs'
@@ -338,7 +337,6 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         })
         sandbox = sandboxResult.sandbox
         sandboxMcpClient = sandboxResult.mcpClient
-
         // Coding mode: auto-allow all write tools + mark preview ready
         if (isCodingMode && conversationId) {
           this.allowAllWriteToolsForCodingMode(conversationId)
@@ -459,26 +457,14 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
 
       // 7. 创建 session — 注入 CloudBase MCP server（全局 /cloudbase-mcp 路由）
       // 全局 HTTP MCP server 挂载在 server 进程的 /cloudbase-mcp 路径。
-      // 认证：使用当前用户的 server API key（sak_xxx），通过 authMiddleware 校验。
+      // 认证：复用 base-runtime.setupSandbox() 已签发的 sessionJwe（同 nex_session cookie 格式），
+      //      与 storage/presign 的 tool-override 机制完全一致。
       // sandboxAuth 来自 sandbox.getAuthHeaders()，包含所有沙箱需要的 headers。
       // X-Session-Id 仅用于本地工具 schema 缓存 key，不传给沙箱。
       const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
-      if (sandbox) {
+      if (sandbox && sandboxResult?.sessionJwe) {
         const authHeaders = await sandbox.getAuthHeaders()
         const serverPort = Number(process.env.PORT) || 3001
-
-        // 获取用户 API key 用于 /cloudbase-mcp 路由认证
-        let userApiKey = ''
-        try {
-          const user = await getDb().users.findById(userId)
-          if (user?.apiKey) {
-            const { decrypt } = await import('../../lib/crypto.js')
-            userApiKey = decrypt(user.apiKey)
-          }
-        } catch {
-          /* API key 获取失败不影响主流程，未认证时路由会返回 401 */
-        }
-
         mcpServers.push({
           type: 'http',
           name: 'cloudbase',
@@ -487,7 +473,7 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
             { name: 'X-Sandbox-Url', value: sandbox.baseUrl },
             { name: 'X-Sandbox-Auth', value: JSON.stringify(authHeaders) },
             { name: 'X-Session-Id', value: conversationId },
-            ...(userApiKey ? [{ name: 'Authorization', value: `Bearer ${userApiKey}` }] : []),
+            { name: 'Cookie', value: `nex_session=${sandboxResult.sessionJwe}` },
           ],
         })
       }
diff --git a/packages/server/src/routes/mcp-cloudbase.ts b/packages/server/src/routes/mcp-cloudbase.ts
index 9186143..70e98c2 100644
--- a/packages/server/src/routes/mcp-cloudbase.ts
+++ b/packages/server/src/routes/mcp-cloudbase.ts
@@ -107,10 +107,7 @@ async function sandboxBash(
 
 // ─── Tool Schema Discovery ─────────────────────────────────────────────────
 
-async function discoverCloudbaseTools(
-  sandboxUrl: string,
-  sandboxAuth: Record<string, string>,
-): Promise<ToolSchema[]> {
+async function discoverCloudbaseTools(sandboxUrl: string, sandboxAuth: Record<string, string>): Promise<ToolSchema[]> {
   const tmpPath = `.cloudbase-mcp-schema-${Date.now()}.json`
   try {
     await sandboxBash(
@@ -257,7 +254,7 @@ const app = new Hono<AppEnv & { Bindings: HttpBindings }>()
 
 // All methods: authenticate → parse sandbox headers → dispatch to MCP transport
 app.all('*', async (c) => {
-  // 认证：要求已登录用户（支持 cookie session 和 API key sak_xxx）
+  // 认证：要求已登录 session（cookie nex_session=<jwe> 由 base-runtime.setupSandbox 签发）
   const session = c.get('session')
   if (!session?.user?.id) {
     return c.json({ error: 'Unauthorized' }, 401)
diff --git a/packages/server/src/sandbox/sandbox-mcp-proxy.ts b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
index 197b54b..7172b1c 100644
--- a/packages/server/src/sandbox/sandbox-mcp-proxy.ts
+++ b/packages/server/src/sandbox/sandbox-mcp-proxy.ts
@@ -788,7 +788,7 @@ export async function createSandboxMcpClient(deps: SandboxMcpDeps): Promise<{
   })
 
   log(
-    `[sandbox-mcp] Ready. sandbox=${sandbox.functionName} session=${sandbox.envId} scope=${sandbox.conversationId} mode=${sandbox.sandboxMode} coding=${sandbox.isCodingMode} tools=${cloudbaseTools.length}\n`,
+    `[sandbox-mcp] Ready. sandbox=${sandbox.functionName} session=${sandbox.scfSessionId} scope=${sandbox.conversationId} mode=${sandbox.sandboxMode} coding=${sandbox.isCodingMode} tools=${cloudbaseTools.length}\n`,
   )
 
   return {
diff --git a/packages/server/src/sandbox/scf-sandbox-manager.ts b/packages/server/src/sandbox/scf-sandbox-manager.ts
index 699102c..b082983 100644
--- a/packages/server/src/sandbox/scf-sandbox-manager.ts
+++ b/packages/server/src/sandbox/scf-sandbox-manager.ts
@@ -32,7 +32,16 @@ interface ScfSandboxConfig {
 export class SandboxInstance {
   readonly functionName: string
   readonly conversationId: string
-  readonly envId: string
+  /**
+   * SCF session ID (used as `X-Cloudbase-Session-Id` header for sandbox auth).
+   * - In `shared` workspaceIsolation mode: equals the user's CloudBase envId
+   * - In `isolated` mode: equals conversationId
+   * - May be overridden via `options.sandboxSessionId` in `getOrCreate`
+   *
+   * 注意：这不是用户的 CloudBase 环境 ID（之前误命名为 envId 容易引起混淆），
+   * 实际是沙箱 SCF function 的 session ID。
+   */
+  readonly scfSessionId: string
   readonly sandboxEnvId: string
   readonly baseUrl: string
   readonly status: 'creating' | 'ready' | 'error'
@@ -62,7 +71,7 @@ export class SandboxInstance {
     ctx: {
       functionName: string
       conversationId: string
-      envId: string
+      scfSessionId: string
       status: 'creating' | 'ready' | 'error'
       mode: SandboxMode
       sandboxMode?: 'shared' | 'isolated'
@@ -72,7 +81,7 @@ export class SandboxInstance {
   ) {
     this.functionName = ctx.functionName
     this.conversationId = ctx.conversationId
-    this.envId = ctx.envId
+    this.scfSessionId = ctx.scfSessionId
     this.sandboxEnvId = this.deps.sandboxEnvId
     this.baseUrl = `https://${this.deps.sandboxEnvId}.api.tcloudbasegateway.com/v1/functions/${ctx.functionName}`
     this.status = ctx.status
@@ -86,10 +95,10 @@ export class SandboxInstance {
     return this.deps.getAccessToken()
   }
 
-  static buildAuthHeaders(accessToken: string, sessionId: string): Record<string, string> {
+  static buildAuthHeaders(accessToken: string, scfSessionId: string): Record<string, string> {
     return {
       Authorization: `Bearer ${accessToken}`,
-      'X-Cloudbase-Session-Id': sessionId,
+      'X-Cloudbase-Session-Id': scfSessionId,
       'X-Tcb-Webfn': 'true',
     }
   }
@@ -117,7 +126,7 @@ export class SandboxInstance {
   async getAuthHeaders(): Promise<Record<string, string>> {
     const accessToken = await this.getAccessToken()
     return {
-      ...SandboxInstance.buildAuthHeaders(accessToken, this.envId),
+      ...SandboxInstance.buildAuthHeaders(accessToken, this.scfSessionId),
       ...SandboxInstance.buildScopeHeaders(this.conversationId, this.sandboxMode, this.isCodingMode),
     }
   }
@@ -313,7 +322,7 @@ export class ScfSandboxManager {
       return new SandboxInstance(instanceDeps, {
         functionName,
         conversationId,
-        envId: scfSessionId,
+        scfSessionId,
         status: 'ready',
         mode,
         sandboxMode: isolation,
@@ -346,7 +355,7 @@ export class ScfSandboxManager {
     return new SandboxInstance(instanceDeps, {
       functionName,
       conversationId,
-      envId: scfSessionId,
+      scfSessionId,
       status: 'ready',
       mode: 'shared',
       sandboxMode: mode as any,
@@ -357,7 +366,7 @@ export class ScfSandboxManager {
   private async createNewFunction(
     functionName: string,
     conversationId: string,
-    envId: string,
+    scfSessionId: string,
     mode: SandboxMode,
     options?: any,
     onProgress?: SandboxProgressCallback,
@@ -387,7 +396,7 @@ export class ScfSandboxManager {
       const instanceDeps = await this.buildInstanceDeps()
       const mcpConfig = await this.buildSandboxMcpConfig(
         functionName,
-        envId,
+        scfSessionId,
         conversationId,
         instanceDeps.sandboxEnvId,
         isolation,
@@ -397,7 +406,7 @@ export class ScfSandboxManager {
       return new SandboxInstance(instanceDeps, {
         functionName,
         conversationId,
-        envId,
+        scfSessionId,
         status: 'ready',
         mode,
         sandboxMode: isolation,

From 68ec7c4195e65085e8b5be863bd91ef34141e4e5 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 9 May 2026 12:08:25 +0800
Subject: [PATCH 28/33] =?UTF-8?q?fix(acp):=20askAnswers/toolConfirmation?=
 =?UTF-8?q?=20=E5=BF=85=E9=A1=BB=E8=B7=AF=E7=94=B1=E5=88=B0=20runtime.chat?=
 =?UTF-8?q?Stream=20resume=20=E5=88=86=E6=94=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Bug**: 前端提交 AskUserQuestion 答案或 ToolConfirm 后，输入框一直显示
"进行中"，LLM 收不到答案最终超时。

**Root cause**: handleSessionPrompt 发现 agent 还在 running 就 early return 到
observeStream，完全绕过了 runtime.chatStream 的 resume 分支（askAnswers /
toolConfirmation 必须在那里调 resolvePendingQuestion / resolvePending 来放开
挂起的 opencode tool HTTP 响应 / ACP permission Promise）。

**Fix**: 在 early return 前先判断 hasResumePayload，有 resume payload 时跳过
early return，让请求正常进入 runtime.chatStream 的 resume 分支。

**相关修复**:
- use-chat-stream.ts 的 answers key 改为 question.header（与 opencode custom
  AskUserQuestion tool 的 data.answers[q.header] 对齐）
- apply-session-update.ts 收到 ask_user / tool_confirm / AskUserQuestion tool_call
  时显式 setIsSending(false)，解除 UI sending 状态使按钮可点击
  （OpenCode runtime 的 SSE 不会在中断时关闭，不像 CodeBuddy SDK 会 break SSE）

测试验证：登录 yanghang 账号，用 opencode-acp runtime + mimo-v2.5-pro 模型，
触发 AskUserQuestion 后提交 answers，完整流程通过：
1. ✓ chatStream entry isAgentRunning=true hasAskAnswers=true (之前被拦)
2. ✓ resolvePendingQuestion 成功
3. ✓ opencode tool 收到 answers，LLM 继续推理
4. ✓ 返回 "你选择了 **Red**（红色，代表热情与活力）"
---
 .../src/agent/runtime/opencode-acp-runtime.ts |  7 ++++-
 packages/server/src/routes/acp.ts             | 26 ++++++++++++-------
 .../web/src/hooks/apply-session-update.ts     | 20 ++++++++++++++
 packages/web/src/hooks/use-chat-stream.ts     |  6 ++++-
 4 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 37a6190..9a99555 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -461,7 +461,12 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
       //      与 storage/presign 的 tool-override 机制完全一致。
       // sandboxAuth 来自 sandbox.getAuthHeaders()，包含所有沙箱需要的 headers。
       // X-Session-Id 仅用于本地工具 schema 缓存 key，不传给沙箱。
-      const mcpServers: Array<{ type: 'http'; name: string; url: string; headers: Array<{ name: string; value: string }> }> = []
+      const mcpServers: Array<{
+        type: 'http'
+        name: string
+        url: string
+        headers: Array<{ name: string; value: string }>
+      }> = []
       if (sandbox && sandboxResult?.sessionJwe) {
         const authHeaders = await sandbox.getAuthHeaders()
         const serverPort = Number(process.env.PORT) || 3001
diff --git a/packages/server/src/routes/acp.ts b/packages/server/src/routes/acp.ts
index e55371e..d9e20f3 100644
--- a/packages/server/src/routes/acp.ts
+++ b/packages/server/src/routes/acp.ts
@@ -381,16 +381,24 @@ async function handleSessionPrompt(c: any, id: number | string, params: SessionP
     return c.json(rpcErr(id, JSON_RPC_ERRORS.INTERNAL, 'CloudBase environment not bound'))
   }
 
-  // Check if agent is already running via registry
-  const existingRun = getAgentRun(sessionId)
-  if (existingRun && existingRun.status === 'running') {
-    return observeStream(c, id, sessionId, existingRun.turnId, envId, userId)
-  }
+  // Resume payload (askAnswers / toolConfirmation) 必须路由到 runtime.chatStream 的
+  // resume 分支来 resolve 挂起的 question/permission，而不是只 observe。
+  // 这里优先检查 resume payload —— 有 resume 时跳过 observeStream early-return。
+  const hasResumePayloadEarly =
+    (params?.askAnswers && Object.keys(params.askAnswers).length > 0) || !!params?.toolConfirmation
 
-  // Check DB status as fallback
-  const latestStatus = await persistenceService.getLatestRecordStatus(sessionId, userId, envId)
-  if (latestStatus && (latestStatus.status === 'pending' || latestStatus.status === 'streaming')) {
-    return c.json(rpcErr(id, JSON_RPC_ERRORS.INVALID_REQUEST, 'A prompt turn is already in progress'))
+  if (!hasResumePayloadEarly) {
+    // Check if agent is already running via registry
+    const existingRun = getAgentRun(sessionId)
+    if (existingRun && existingRun.status === 'running') {
+      return observeStream(c, id, sessionId, existingRun.turnId, envId, userId)
+    }
+
+    // Check DB status as fallback
+    const latestStatus = await persistenceService.getLatestRecordStatus(sessionId, userId, envId)
+    if (latestStatus && (latestStatus.status === 'pending' || latestStatus.status === 'streaming')) {
+      return c.json(rpcErr(id, JSON_RPC_ERRORS.INVALID_REQUEST, 'A prompt turn is already in progress'))
+    }
   }
 
   // Extract prompt text and image blocks
diff --git a/packages/web/src/hooks/apply-session-update.ts b/packages/web/src/hooks/apply-session-update.ts
index 16f91e9..b38f4c2 100644
--- a/packages/web/src/hooks/apply-session-update.ts
+++ b/packages/web/src/hooks/apply-session-update.ts
@@ -57,6 +57,13 @@ export interface ApplySessionUpdateCtx {
   setPlanMode: Dispatch<SetStateAction<PlanModeLike>>
   setAgentPhase: Dispatch<SetStateAction<AgentPhaseInfo>>
   clearQuestionState: (toolCallId: string) => void
+  /**
+   * 当 ask_user / tool_confirm / ExitPlanMode 到达时需要立即解除 sending 状态，
+   * 使表单按钮可点击。CodeBuddy SDK 会随即关闭 SSE，但 OpenCode 的 HTTP 长挂起
+   * 不会关闭 SSE，必须显式重置以避免 UI 一直禁用。
+   */
+  setIsSending: Dispatch<SetStateAction<boolean>>
+  setIsStreamingResponse: Dispatch<SetStateAction<boolean>>
 }
 
 /**
@@ -86,6 +93,8 @@ export function applySessionUpdate(ctx: ApplySessionUpdateCtx): void {
     setPlanMode,
     setAgentPhase,
     clearQuestionState,
+    setIsSending,
+    setIsStreamingResponse,
   } = ctx
   const u = update as any
 
@@ -155,6 +164,9 @@ export function applySessionUpdate(ctx: ApplySessionUpdateCtx): void {
       // Block fetchMessages when AskUserQuestion arrives
       if (String(u.title || '') === 'AskUserQuestion') {
         phaseRef.current = 'waiting_for_interaction'
+        // 立即解除 sending 状态（OpenCode 情况）
+        setIsSending(false)
+        setIsStreamingResponse(false)
       }
       break
     }
@@ -218,6 +230,10 @@ export function applySessionUpdate(ctx: ApplySessionUpdateCtx): void {
 
     case 'tool_confirm':
       phaseRef.current = 'waiting_for_interaction'
+      // 立即解除 sending 状态，使确认按钮可点击
+      // （OpenCode runtime 的 SSE 不会在中断时关闭，必须显式重置）
+      setIsSending(false)
+      setIsStreamingResponse(false)
       setToolConfirm({
         toolCallId: u.toolCallId,
         assistantMessageId: u.assistantMessageId,
@@ -243,6 +259,10 @@ export function applySessionUpdate(ctx: ApplySessionUpdateCtx): void {
 
     case 'ask_user':
       phaseRef.current = 'waiting_for_interaction'
+      // 立即解除 sending 状态，使提交按钮可点击
+      // （OpenCode runtime 的 SSE 不会在中断时关闭，必须显式重置）
+      setIsSending(false)
+      setIsStreamingResponse(false)
       break
 
     case 'artifact':
diff --git a/packages/web/src/hooks/use-chat-stream.ts b/packages/web/src/hooks/use-chat-stream.ts
index a29ae59..77ecd3e 100644
--- a/packages/web/src/hooks/use-chat-stream.ts
+++ b/packages/web/src/hooks/use-chat-stream.ts
@@ -177,6 +177,8 @@ export function useChatStream(taskId: string, options: UseChatStreamOptions = {}
         setPlanMode,
         setAgentPhase,
         clearQuestionState,
+        setIsSending,
+        setIsStreamingResponse,
       })
     },
     [clearQuestionState, setPlanMode, taskId],
@@ -352,7 +354,9 @@ export function useChatStream(taskId: string, options: UseChatStreamOptions = {}
       const answers: Record<string, string> = {}
       for (const question of askData.questions) {
         const answerValue = toolInputs[question.question] || toolAnswers[question.question]
-        if (answerValue) answers[question.question] = answerValue
+        // Key 约定: 使用 question.header（与 opencode AskUserQuestion custom tool 对齐，
+        // 后者通过 `data.answers[q.header]` 取值）。CodeBuddy SDK 也使用 header。
+        if (answerValue) answers[question.header] = answerValue
       }
 
       phaseRef.current = 'streaming'

From 1fa369395ee7b2eefeae13d68fc33ebc641fef23 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 9 May 2026 15:24:35 +0800
Subject: [PATCH 29/33] =?UTF-8?q?feat:=20=E6=9B=B4=E6=96=B0=E9=95=9C?=
 =?UTF-8?q?=E5=83=8F=E6=94=AF=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/server/src/routes/tasks.ts | 1 +
 scripts/setup-tcr.mjs               | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/routes/tasks.ts b/packages/server/src/routes/tasks.ts
index 05d08bf..cdb19ed 100644
--- a/packages/server/src/routes/tasks.ts
+++ b/packages/server/src/routes/tasks.ts
@@ -425,6 +425,7 @@ tasksRouter.delete('/:taskId', requireUserEnv, async (c) => {
         const sandbox = await scfSandboxManager
           .getExisting(taskId, scfSessionId, {
             sandboxMode: existing.sandboxMode || undefined,
+            isCodingMode: existing.mode === 'code',
           })
           .catch(() => null)
         if (sandbox) {
diff --git a/scripts/setup-tcr.mjs b/scripts/setup-tcr.mjs
index 47b862a..d3f6173 100644
--- a/scripts/setup-tcr.mjs
+++ b/scripts/setup-tcr.mjs
@@ -36,7 +36,7 @@ const TCR_DOMAIN = 'ccr.ccs.tencentyun.com'
 const ENV_FILE = resolve(process.cwd(), '.env.local')
 const CLOUDBASE_AUTH_FILE = resolve(homedir(), '.config/.cloudbase/auth.json')
 const DEFAULT_NAMESPACE_PREFIX = 'cloudbase-vibecoding'
-const GHCR_IMAGE_URL = 'ghcr.io/yhsunshining/cloudbase-workspace:260503-1605d3be'
+const GHCR_IMAGE_URL = 'ghcr.io/yhsunshining/cloudbase-workspace:260509-1305test8b'
 
 // ===================== Helper Functions =====================
 

From 5dab197bc362f145c7029b171ace70079e6545ac Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 9 May 2026 21:21:41 +0800
Subject: [PATCH 30/33] =?UTF-8?q?feat(opencode-acp):=20stopReason=20?=
 =?UTF-8?q?=E4=B8=BA=20refusal/max=5Ftokens=20=E6=97=B6=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E5=8F=8B=E5=A5=BD=E6=8F=90=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**问题**：LLM provider（如腾讯 MiMo）的内容安全策略偶发会拦截请求，返回
ACP `stopReason: 'refusal'`，此时 LLM 流被中断，assistant record 常常只有截断的
reasoning 没有 text，UI 显示为一条"空回复"，用户不知道发生了什么。

**实现**：
prompt 返回后检查 `promptRes.stopReason`：
- refusal / max_tokens / max_turn_requests 三种非正常结束原因：emit 一条 text
  事件（⚠️ 开头的提示段），通过 makeEmitter 同时走两条通道：
    1. messageBuilder.pushEvent → 作为 text part 持久化到 DB，刷新后仍可见
    2. convertToSessionUpdate → agent_message_chunk SSE 事件，实时展示
- cancelled 不在此处处理（abort 走 catch 分支），end_turn 是正常完成。

**为什么 emit text 而不是 emit error**：
error 被前端渲染为 log 级别的小字状态信息，而我们要的是把这段"为什么没有
回复"的解释**作为 assistant 回答的一部分**留在对话流里，让用户下次刷新也能
看到原因。
---
 .opencode/tools/AskUserQuestion.ts            |  4 +-
 .../src/agent/runtime/opencode-acp-runtime.ts | 54 +++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/.opencode/tools/AskUserQuestion.ts b/.opencode/tools/AskUserQuestion.ts
index 5aab24d..041c423 100644
--- a/.opencode/tools/AskUserQuestion.ts
+++ b/.opencode/tools/AskUserQuestion.ts
@@ -111,7 +111,9 @@ export default {
         .join('; ')
 
       return {
-        output: `User answered: ${formatted}. You can continue with these answers in mind.`,
+        output: formatted,
+        hint: `You can continue with these answers in mind.`,
+        // output: `User answered: ${formatted}. You can continue with these answers in mind.`,
         metadata: {
           answers: data.answers,
         },
diff --git a/packages/server/src/agent/runtime/opencode-acp-runtime.ts b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
index 9a99555..85faaf5 100644
--- a/packages/server/src/agent/runtime/opencode-acp-runtime.ts
+++ b/packages/server/src/agent/runtime/opencode-acp-runtime.ts
@@ -521,6 +521,21 @@ export class OpencodeAcpRuntime extends BaseAgentRuntime {
         prompt: [{ type: 'text', text: contextPrompt }],
       })
 
+      // 非正常停止原因：LLM provider 拒绝 (refusal) / 超出 token 上限 (max_tokens) /
+      // 超过最大 turn 请求数 (max_turn_requests) 时，assistant 可能没有产出任何 text，
+      // 只有截断的 reasoning。给用户显式提示，避免"空回复"的困惑。
+      //
+      // 注意：'cancelled' 不在此处提示（abort 流程走 catch 分支处理），'end_turn' 是正常完成。
+      const stopReason = promptRes.stopReason
+      if (stopReason === 'refusal' || stopReason === 'max_tokens' || stopReason === 'max_turn_requests') {
+        const hint = buildStopReasonHint(stopReason)
+        try {
+          await emit({ type: 'text', content: hint })
+        } catch {
+          /* noop */
+        }
+      }
+
       await emit({ type: 'agent_phase', phase: 'idle' })
       await emit({
         type: 'result',
@@ -748,3 +763,42 @@ function makeEmitter(ctx: {
 // ─── Singleton ────────────────────────────────────────────────────────────
 
 export const opencodeAcpRuntime = new OpencodeAcpRuntime()
+
+/**
+ * 为非正常 stopReason 生成面向用户的提示文本，塞到 assistant 消息尾部。
+ *
+ * - refusal：LLM provider 内容审查拒绝生成（如腾讯 MiMo 的 high risk 拦截）。
+ *   LLM 通常在这种情况下直接中断流，没有产出 text，只剩截断的 reasoning。
+ * - max_tokens：触发输出 token 上限，回复被截断。
+ * - max_turn_requests：LLM 在单轮内调用工具次数过多（通常是死循环）。
+ */
+function buildStopReasonHint(stopReason: 'refusal' | 'max_tokens' | 'max_turn_requests'): string {
+  switch (stopReason) {
+    case 'refusal':
+      return [
+        '',
+        '---',
+        '⚠️ **模型拒绝回复**：当前提问被 LLM provider 的内容安全策略拦截了。',
+        '',
+        '可能的原因：',
+        '- 提问或上下文中包含被模型方风险模型判定为敏感的内容（人名、专有名词、政治/安全相关话题等）。',
+        '- 多轮对话累积的 history 中有 provider 敏感词。',
+        '',
+        '建议：换一种表述方式重试，或清空当前会话重新开始；必要时切换到其他模型。',
+      ].join('\n')
+    case 'max_tokens':
+      return [
+        '',
+        '---',
+        '⚠️ **输出被截断**：回复达到了模型的最大 token 上限，内容可能不完整。你可以回复"继续"让模型接着写。',
+      ].join('\n')
+    case 'max_turn_requests':
+      return [
+        '',
+        '---',
+        '⚠️ **单轮工具调用次数达到上限**：为避免死循环，本轮已停止。',
+        '',
+        '建议：拆分任务，或重新描述目标让模型更聚焦地执行。',
+      ].join('\n')
+  }
+}

From 76743425563ce40b291d19d6eae318638fc3c82b Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 9 May 2026 21:44:39 +0800
Subject: [PATCH 31/33] =?UTF-8?q?fix(build):=20=E7=A7=BB=E9=99=A4=E5=B7=B2?=
 =?UTF-8?q?=E8=BF=81=E7=A7=BB=E7=9B=AE=E5=BD=95=E7=9A=84=20cp=20=E6=AD=A5?=
 =?UTF-8?q?=E9=AA=A4=20+=20=E7=94=9F=E4=BA=A7=E9=95=9C=E5=83=8F=E6=8B=B7?=
 =?UTF-8?q?=E8=B4=9D=20.opencode/?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**现象**：云托管构建 `pnpm build` 报
`cp: cannot stat 'src/agent/runtime/opencode-tool-templates/*.ts'` → exit 1。

**根因**：提交 38114f1 把 opencode tool 模板从
`packages/server/src/agent/runtime/opencode-tool-templates/` 迁移到
`.opencode/tools/`（checked-in，不再需要安装步骤），但遗漏了两处清理：
1. `packages/server/package.json` build 尾部仍执行 `mkdir -p dist/.../opencode-tool-templates && cp src/.../opencode-tool-templates/*.ts ...`，
   源目录已不存在 → cp 失败 → 整个 build 失败。
2. `Dockerfile` Stage 2 只拷贝 `dist/`，没拷 `.opencode/`，即便 build
   能过运行时也会在 `getOpencodeConfigDir()` 找不到 tools。

**修复**：
- package.json：删除 build 末尾的 mkdir/cp 片段，保留三个 tsup 步骤。
- Dockerfile：Stage 2 新增 `COPY --from=build /app/.opencode ./.opencode`。
  resolveProjectRoot() 从 dist 向上找到含 packages/server 的 /app → 工具解析为
  /app/.opencode/tools/*.ts，与源码运行一致。
- tsconfig.json：顺带清理已失效的 exclude 路径（保留 __tests__ 一行）。

本地验证：pnpm --filter @coder/server build、pnpm type-check、pnpm lint 全绿。
---
 Dockerfile                    | 6 ++++++
 packages/server/package.json  | 2 +-
 packages/server/tsconfig.json | 5 +----
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f069049..1a7e769 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,6 +57,12 @@ COPY --from=build /app/packages/shared/dist ./packages/shared/dist
 # skill-loader-override reads CODEBUDDY_BUNDLED_SKILLS_DIR = packages/server/skills
 COPY --from=build /app/.agents/skills/cloudbase ./packages/server/skills/cloudbase
 
+# Copy opencode tool overrides (checked-in, not built into dist).
+# opencode-installer.ts:getOpencodeConfigDir() → resolveProjectRoot()/.opencode/,
+# and resolveProjectRoot() returns /app (ancestor containing packages/server/), so
+# tools must live at /app/.opencode/tools/*.ts in the runtime image.
+COPY --from=build /app/.opencode ./.opencode
+
 # Point shared exports to built dist (source .ts files not available at runtime)
 RUN sed -i 's|./src/index.ts|./dist/index.js|g' packages/shared/package.json
 
diff --git a/packages/server/package.json b/packages/server/package.json
index dd305ed..05e7c06 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -10,7 +10,7 @@
   },
   "scripts": {
     "dev": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting --silent && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting --silent && DOTENVX_PATH=.env tsx watch --env-file=.env src/index.ts",
-    "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/index.ts --format esm --target node22 && mkdir -p dist/agent/runtime/opencode-tool-templates && cp src/agent/runtime/opencode-tool-templates/*.ts dist/agent/runtime/opencode-tool-templates/",
+    "build": "tsup src/sandbox/tool-override.ts --format cjs --outDir dist/sandbox --no-splitting && tsup src/util/skill-loader-override.ts --format cjs --outDir dist/util --no-splitting && tsup src/index.ts --format esm --target node22",
     "start": "node dist/index.js",
     "test": "vitest run",
     "test:watch": "vitest",
diff --git a/packages/server/tsconfig.json b/packages/server/tsconfig.json
index 18af8b3..fc3ad32 100644
--- a/packages/server/tsconfig.json
+++ b/packages/server/tsconfig.json
@@ -12,8 +12,5 @@
     }
   },
   "include": ["src"],
-  "exclude": [
-    "src/agent/runtime/opencode-tool-templates/**",
-    "src/**/__tests__/**"
-  ]
+  "exclude": ["src/**/__tests__/**"]
 }

From 738fb4c37f44b5f6a91ec4ea562059d47c21a700 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sat, 9 May 2026 21:46:08 +0800
Subject: [PATCH 32/33] =?UTF-8?q?chore(opencode):=20=E5=88=A0=E9=99=A4=20o?=
 =?UTF-8?q?pencode-installer=20=E4=B8=AD=E7=9A=84=E6=AD=BB=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

自 38114f1（tool 模板迁入 .opencode/tools/ 并 checked in）以来这些已无调用方：
- TOOL_NAMES 常量 + ToolName 导出类型
- resolveTemplateDir()（定位 src/agent/runtime/opencode-tool-templates/，
  而该目录已删除）
- getInstallDir()
- hashFile() + crypto import
- InstallResult interface
- ensureOpencodeToolsInstalled()（安装器本体）
- 3 个对应的环境变量开关：OPENCODE_TOOL_TEMPLATE_DIR / OPENCODE_TOOLS_INSTALL_DIR
  / OPENCODE_TOOLS_FORCE_REINSTALL

保留两个仍在 opencode-acp-runtime.ts 使用的 export：
- resolveProjectRoot()
- getOpencodeConfigDir()

文件从 163 行缩到 53 行；顶部注释重写说明新架构（.opencode 签入 +
Dockerfile COPY）并留下一句历史说明指向本次清理。
---
 .../src/agent/runtime/opencode-installer.ts   | 134 ++----------------
 1 file changed, 12 insertions(+), 122 deletions(-)

diff --git a/packages/server/src/agent/runtime/opencode-installer.ts b/packages/server/src/agent/runtime/opencode-installer.ts
index e3f593a..fa208cb 100644
--- a/packages/server/src/agent/runtime/opencode-installer.ts
+++ b/packages/server/src/agent/runtime/opencode-installer.ts
@@ -1,73 +1,31 @@
 /**
- * OpenCode 项目级配置安装器
+ * OpenCode 项目级配置路径解析
  *
- * 目的：把 tool override 模板装到项目根目录的 `.opencode/tools/`，这样：
- *   - 同一项目的所有 session 共享同一份 tools（session 之间不重复写入）
- *   - 与用户的全局 `~/.config/opencode/` 完全隔离，不污染用户配置
- *   - spawn 时通过 `OPENCODE_CONFIG_DIR=<projectRoot>/.opencode` 让 opencode 只读项目目录
- *   - 模板自身通过 `process.env.SANDBOX_*` 读取 per-session 凭证
- *   - opencode 看到 custom tool `read` / `write` / ...，**覆盖** builtin 同名工具
+ * 背景：opencode 用 `OPENCODE_CONFIG_DIR` env 指向项目级配置目录，里面含：
+ *   - `opencode.json`（model / provider / tools 声明）
+ *   - `tools/*.ts`（checked-in 的 tool override 源文件，覆盖 builtin 同名工具）
  *
- * 重要实现细节：
- *   - 直接安装 `.ts` 源文件（opencode binary 原生支持 TS loader）
- *   - tsup 打包后的 `.js` 含 `import { z } from "zod"`，opencode 当前版本不能解析这个 import，
- *     会静默忽略文件（tool 不被注册）。所以**必须用 .ts**。
- *   - 幂等：同 hash 跳过；OPENCODE_TOOLS_FORCE_REINSTALL=1 强制覆盖。
+ * 我们的项目把 `.opencode/` 直接签入仓库（.opencode/tools/read.ts 等），
+ * 生产镜像 Dockerfile Stage 2 会把 `.opencode/` 拷贝到 `/app/.opencode/`。
+ * 本模块负责把 `__dirname` 映射回项目根，从而定位到 `.opencode/` 目录。
+ *
+ * 历史：曾有一个 `ensureOpencodeToolsInstalled()` 从 `src/agent/runtime/opencode-tool-templates/`
+ * 拷贝模板到 `.opencode/tools/`，但 38114f1 后 tools 直接签入仓库，安装步骤已废弃。
  */
 
 import fs from 'node:fs'
 import path from 'node:path'
-import crypto from 'node:crypto'
 import { fileURLToPath } from 'node:url'
 
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 
-const TOOL_NAMES = ['read', 'write', 'edit', 'bash', 'grep', 'glob', 'AskUserQuestion'] as const
-export type ToolName = (typeof TOOL_NAMES)[number]
-
-/**
- * 找到 TS 模板源文件目录。
- * - 源码运行（tsx dev）：__dirname = .../src/agent/runtime/
- *   templates at .../src/agent/runtime/opencode-tool-templates/
- * - dist 运行：__dirname = .../dist/
- *   需要回溯到 src：.../dist/../src/agent/runtime/opencode-tool-templates/
- *   但 src 可能不在生产机器上，所以优先级：
- *   1. 环境变量 OPENCODE_TOOL_TEMPLATE_DIR
- *   2. __dirname 附近
- *   3. 回溯到 src（只在开发时可用）
- */
-function resolveTemplateDir(): string {
-  const fromEnv = process.env.OPENCODE_TOOL_TEMPLATE_DIR
-  if (fromEnv && fs.existsSync(fromEnv)) return fromEnv
-
-  const candidates = [
-    // 源码运行
-    path.resolve(__dirname, 'opencode-tool-templates'),
-    // dist 运行，指向 server 包内 src
-    path.resolve(__dirname, '../../src/agent/runtime/opencode-tool-templates'),
-    path.resolve(__dirname, '../src/agent/runtime/opencode-tool-templates'),
-    // 兜底（workspace root 下的 server）
-    path.resolve(process.cwd(), 'packages/server/src/agent/runtime/opencode-tool-templates'),
-  ]
-  for (const c of candidates) {
-    if (fs.existsSync(c)) {
-      // 再确认里面真的有 read.ts
-      if (fs.existsSync(path.join(c, 'read.ts'))) return c
-    }
-  }
-  throw new Error(
-    `Cannot locate opencode tool templates. Tried: ${candidates.join(', ')}. Set OPENCODE_TOOL_TEMPLATE_DIR to override.`,
-  )
-}
-
 /**
  * 解析项目根目录。
  * 优先级：
  *   1. OPENCODE_PROJECT_ROOT env（测试 / 自定义部署时覆盖）
- *   2. 从 __dirname 向上查找 package.json 中 name === 'coding-agent-template' 的目录
- *   3. 从 __dirname 向上找包含 packages/server 的 monorepo 根
- *   4. process.cwd() 兜底
+ *   2. 从 __dirname 向上找包含 packages/server 的 monorepo 根
+ *   3. process.cwd() 兜底
  */
 export function resolveProjectRoot(): string {
   const fromEnv = process.env.OPENCODE_PROJECT_ROOT
@@ -85,16 +43,6 @@ export function resolveProjectRoot(): string {
   return process.cwd()
 }
 
-/**
- * 安装目录：项目根 `.opencode/tools/`
- * 可通过 OPENCODE_TOOLS_INSTALL_DIR 完全覆盖（保留旧的逃生舱）。
- */
-function getInstallDir(): string {
-  const override = process.env.OPENCODE_TOOLS_INSTALL_DIR
-  if (override) return override
-  return path.join(resolveProjectRoot(), '.opencode', 'tools')
-}
-
 /**
  * 返回项目级 `.opencode/` 目录路径（供 spawn 时注入 OPENCODE_CONFIG_DIR）。
  * 可通过 OPENCODE_CONFIG_DIR env 覆盖（若用户自行设置则尊重用户）。
@@ -102,61 +50,3 @@ function getInstallDir(): string {
 export function getOpencodeConfigDir(): string {
   return process.env.OPENCODE_CONFIG_DIR ?? path.join(resolveProjectRoot(), '.opencode')
 }
-
-/** 读文件返回 sha256 hex */
-function hashFile(p: string): string {
-  const buf = fs.readFileSync(p)
-  return crypto.createHash('sha256').update(buf).digest('hex')
-}
-
-interface InstallResult {
-  installDir: string
-  installed: ToolName[]
-  skipped: ToolName[]
-  forced: boolean
-}
-
-/**
- * 幂等安装所有 tool override 模板（.ts 源文件）到全局目录。
- * `OPENCODE_TOOLS_FORCE_REINSTALL=1` → 强制覆盖。
- */
-export async function ensureOpencodeToolsInstalled(): Promise<InstallResult> {
-  const templateDir = resolveTemplateDir()
-  const installDir = getInstallDir()
-  const force = process.env.OPENCODE_TOOLS_FORCE_REINSTALL === '1'
-
-  fs.mkdirSync(installDir, { recursive: true })
-
-  const installed: ToolName[] = []
-  const skipped: ToolName[] = []
-
-  for (const name of TOOL_NAMES) {
-    const src = path.join(templateDir, `${name}.ts`)
-    const dst = path.join(installDir, `${name}.ts`)
-
-    if (!fs.existsSync(src)) {
-      throw new Error(`Tool template not found: ${src}`)
-    }
-
-    if (fs.existsSync(dst) && !force && hashFile(src) === hashFile(dst)) {
-      skipped.push(name)
-      continue
-    }
-    fs.copyFileSync(src, dst)
-    installed.push(name)
-  }
-
-  // 清理可能残留的 .js（旧的错误安装形式）
-  for (const name of TOOL_NAMES) {
-    const stale = path.join(installDir, `${name}.js`)
-    if (fs.existsSync(stale)) {
-      try {
-        fs.unlinkSync(stale)
-      } catch {
-        /* noop */
-      }
-    }
-  }
-
-  return { installDir, installed, skipped, forced: force }
-}

From cdb880bb2c92e6c8e78d42873e239814afb77ae6 Mon Sep 17 00:00:00 2001
From: yang <yhsunshining@gmail.com>
Date: Sun, 10 May 2026 01:33:31 +0800
Subject: [PATCH 33/33] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E9=94=99?=
 =?UTF-8?q?=E8=AF=AF=E8=AF=B4=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/server/src/agent/coding-mode.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/agent/coding-mode.ts b/packages/server/src/agent/coding-mode.ts
index d726854..e01a212 100644
--- a/packages/server/src/agent/coding-mode.ts
+++ b/packages/server/src/agent/coding-mode.ts
@@ -40,9 +40,11 @@ export function getCodingSystemPrompt(envId: string, publishableKey: string): st
 
 <IMPORTANT>
 IMPORTANT: 必须先读取 src/utils/cloudbase.ts，将其中的 ENV_ID 和 PUBLISHABLE_KEY 替换为当前环境的真实值。
-IMPORTANT: 直接修改代码而非创建 .env 文件。
+IMPORTANT: 直接修改代码而非创建 .env 文件。有关登录态判断时使用 auth-web-cloudbase skill 使用 supabase-like 的 api。
 - ENV_ID：${envId}
 - PUBLISHABLE_KEY：${publishableKey}
+IMPORTANT: 注意数据库权限，默认 PUBLISHABLE_KEY 时是匿名身份，刚开始数据库最好公有读写，方便调试，后续完善。
+IMPORTANT: 页面需要做好 error 处理，显示出具体的错误堆栈信息，而非直接 crash。需要 toast 等方式显示而非 console 打印。
 </IMPORTANT>
 
 <tech-stack>