@bakapiano/ccsm 0.21.5 → 0.22.1

package/CLAUDE.md

@@ -311,6 +311,8 @@ allows `https://bakapiano.github.io` only — never `*`.
 | GET | `/api/sessions` | list persisted sessions |
 | PUT | `/api/sessions/:id` | rename / move to folder |
 | DELETE | `/api/sessions/:id` | kill PTY + drop record |
+| POST | `/api/sessions/:id/switch-cli` | change the persisted `cliId` for future resumes; current and target CLI must share `type` |
+| POST | `/api/sessions/:id/stop` | kill the live PTY but keep the record; sets `manualStopped:true` so UI won't auto-resume |
 | POST | `/api/sessions/new` | body `{cliId, cwd?, repos?, folderId?, title?}` — NDJSON stream (workspace · clone-progress · launched) |
 | POST | `/api/sessions/:id/resume` | re-spawn at `cwd` with `cli.resumeIdArgs <id>` (fallback `resumeArgs`) |
 | GET | `/api/cli-sessions/:type` | scan disk for unimported `claude`/`codex`/`copilot` sessions |

package/lib/config.js

@@ -91,6 +91,13 @@ const DEFAULTS = {
   // remote browsers' approval records — stable. `devtunnel delete <id>`
   // is invoked when the user explicitly rotates via the Reset button.
   devtunnel: { tunnelId: null },
+  // Provider-agnostic tunnel prefs. When autoStart is on, the backend
+  // brings the tunnel up during its own startup (server.js boot hook) —
+  // NOT an OS-level autostart. token is persisted so share URLs survive
+  // a backend restart; it's written ONLY while autoStart is on and is
+  // stripped from /api/config so remote devices can't read it. provider
+  // is 'devtunnel' | 'cloudflared'.
+  tunnel: { autoStart: false, provider: null, token: null },
 };
 
 function ensureDataDir() {
@@ -122,9 +129,10 @@ migrateLegacyDataIfNeeded();
 // object so callers don't mutate DEFAULTS.
 function mergeWithDefaults(partial) {
   const out = { ...DEFAULTS, ...partial };
-  // Deep-merge devtunnel so a partial save (just .tunnelId) doesn't
-  // wipe sibling keys we may add later.
+  // Deep-merge devtunnel + tunnel so a partial save (just .tunnelId, or
+  // just .autoStart) doesn't wipe sibling keys.
   out.devtunnel = { ...DEFAULTS.devtunnel, ...(partial?.devtunnel || {}) };
+  out.tunnel = { ...DEFAULTS.tunnel, ...(partial?.tunnel || {}) };
   // Drop v0.x keys that the new architecture doesn't use.
   delete out.terminal;
   delete out.commandShell;
@@ -237,7 +245,19 @@ async function saveConfig(partial) {
   ensureDataDir();
   return withFileLock(CONFIG_PATH, async () => {
     const current = await loadConfig();
-    const next = mergeWithDefaults({ ...current, ...partial });
+    // mergeWithDefaults re-merges nested objects (devtunnel, tunnel)
+    // against DEFAULTS only, so a partial save like
+    // saveConfig({ tunnel: { autoStart: true } }) would reset the
+    // sibling token/provider back to defaults. Pre-merge the nested
+    // blocks against `current` so a partial update preserves siblings.
+    const merged = { ...current, ...partial };
+    if (partial && partial.devtunnel) {
+      merged.devtunnel = { ...current.devtunnel, ...partial.devtunnel };
+    }
+    if (partial && partial.tunnel) {
+      merged.tunnel = { ...current.tunnel, ...partial.tunnel };
+    }
+    const next = mergeWithDefaults(merged);
     await atomicWriteJson(CONFIG_PATH, next);
     return next;
   });

package/lib/persistedSessions.js

@@ -26,6 +26,9 @@
 //                              //   newSessionIdArgs (claude, copilot); set
 //                              //   from disk for adopted sessions. Used
 //                              //   for precise --resume <id>.
+//     manualStopped: false,    // true only when the user explicitly stopped
+//                              //   it from ccsm; prevents auto-resume until
+//                              //   they press Resume.
 //   }
 
 const path = require('node:path');
@@ -73,6 +76,7 @@ async function create(opts) {
       exitCode: null,
       pid: null,
       cliSessionId,
+      manualStopped: false,
     };
     list.push(entry);
     await saveAll(list);
@@ -110,7 +114,7 @@ async function remove(id) {
 // Convenience helpers used at runtime so callers don't have to do
 // load/find/update/save themselves.
 async function markRunning(id, pid) {
-  return update(id, { status: 'running', pid, exitedAt: null, exitCode: null, lastActiveAt: Date.now() });
+  return update(id, { status: 'running', pid, exitedAt: null, exitCode: null, manualStopped: false, lastActiveAt: Date.now() });
 }
 
 async function markExited(id, exitCode) {

package/lib/tunnel.js

@@ -80,6 +80,12 @@ const PROVIDERS = {
 // In-memory state. Single tunnel at a time — switching providers tears
 // down the old one first.
 let current = null;   // { provider, child, url, startedAt, log: string[] }
+let starting = false; // True while start() is mid-spawn. devtunnel does
+                      // ~10-20s of async create/configure BEFORE `current`
+                      // is assigned, so the `if (current)` guard alone
+                      // can't stop a second concurrent start() (boot
+                      // auto-start racing a manual click) from spawning a
+                      // duplicate child. This flag closes that window.
 let token = null;     // Remote-access bearer token. Null = no remote
                       // access enforced. Set via setToken() or by the
                       // start() call. Server.js middleware reads via
@@ -319,6 +325,10 @@ function probeCachedSWR() {
 }
 
 async function status() {
+  // One config read serves both the persisted tunnelId and the
+  // auto-start prefs the Remote page's toggle reflects.
+  let cfg = null;
+  try { cfg = await loadConfig(); } catch { /* fall back to nulls below */ }
   return {
     providers: probeCachedSWR(),
     running: !!current,
@@ -328,10 +338,11 @@ async function status() {
     pid: current?.child?.pid || null,
     log: current?.log?.slice(-50) || [],
     token,
-    tunnelId: current?.tunnelId || (await (async () => {
-      try { return (await loadConfig())?.devtunnel?.tunnelId || null; }
-      catch { return null; }
-    })()),
+    tunnelId: current?.tunnelId || cfg?.devtunnel?.tunnelId || null,
+    // Persisted auto-start prefs — surfaced so the toggle renders the
+    // right state across reloads (the page already polls /status).
+    autoStart: cfg?.tunnel?.autoStart ?? false,
+    autoStartProvider: cfg?.tunnel?.provider ?? null,
     // Token is echoed back so the Remote page can render the
     // pre-built share URL. The route itself is token-protected
     // (the middleware blocks non-loopback callers without it), so
@@ -487,36 +498,51 @@ function clearDevtunnelLogin() {
 // installed, the provider is unknown, or another tunnel is running.
 async function start({ provider, port }) {
   if (current) throw new Error('tunnel already running');
+  if (starting) throw new Error('tunnel is already starting');
   const p = PROVIDERS[provider];
   if (!p) throw new Error(`unknown provider: ${provider}`);
-  const exe = await findBinary(provider);
-  if (!exe) throw new Error(`${p.label} is not installed`);
-  if (provider === 'devtunnel') {
-    const { loggedIn } = await checkDevtunnelLogin(exe);
-    if (!loggedIn) throw new Error('devtunnel requires login — run `devtunnel user login` first');
-  }
 
-  // Resolve devtunnel's persistent id BEFORE building args so the
-  // CLI is invoked with `host <id>` and the public URL stays stable
-  // across restarts. Cloudflared has no equivalent here — quick
-  // tunnels always rotate URLs and named tunnels require a CF
-  // account + DNS setup that's outside ccsm's scope.
-  let tunnelId = null;
-  if (provider === 'devtunnel') {
-    tunnelId = await ensureDevtunnelTunnelId(exe);
-    if (tunnelId) {
-      // Make sure the port is in the tunnel's port list and anonymous
-      // access is enabled. `devtunnel host <id>` doesn't accept port /
-      // access flags after the tunnel exists, so this has to be done
-      // out of band before host.
-      await configureDevtunnelTunnel(exe, tunnelId, port);
+  // Hold the `starting` flag across the async setup below. devtunnel's
+  // create/configure can take 10-20s, all of it BEFORE `current` is
+  // assigned — without this flag a second start() (boot auto-start vs.
+  // a manual click) would slip past the `if (current)` guard and spawn
+  // a duplicate child. Cleared the moment `current` is set, after which
+  // the `if (current)` guard alone is sufficient.
+  starting = true;
+  let entry;
+  let child;
+  try {
+    const exe = await findBinary(provider);
+    if (!exe) throw new Error(`${p.label} is not installed`);
+    if (provider === 'devtunnel') {
+      const { loggedIn } = await checkDevtunnelLogin(exe);
+      if (!loggedIn) throw new Error('devtunnel requires login — run `devtunnel user login` first');
     }
-  }
 
-  const args = p.args(port, { tunnelId });
-  const child = spawn(exe, args, { stdio: ['ignore', 'pipe', 'pipe'], windowsHide: true });
-  const entry = { provider, child, url: null, startedAt: Date.now(), log: [], tunnelId };
-  current = entry;
+    // Resolve devtunnel's persistent id BEFORE building args so the
+    // CLI is invoked with `host <id>` and the public URL stays stable
+    // across restarts. Cloudflared has no equivalent here — quick
+    // tunnels always rotate URLs and named tunnels require a CF
+    // account + DNS setup that's outside ccsm's scope.
+    let tunnelId = null;
+    if (provider === 'devtunnel') {
+      tunnelId = await ensureDevtunnelTunnelId(exe);
+      if (tunnelId) {
+        // Make sure the port is in the tunnel's port list and anonymous
+        // access is enabled. `devtunnel host <id>` doesn't accept port /
+        // access flags after the tunnel exists, so this has to be done
+        // out of band before host.
+        await configureDevtunnelTunnel(exe, tunnelId, port);
+      }
+    }
+
+    const args = p.args(port, { tunnelId });
+    child = spawn(exe, args, { stdio: ['ignore', 'pipe', 'pipe'], windowsHide: true });
+    entry = { provider, child, url: null, startedAt: Date.now(), log: [], tunnelId };
+    current = entry;
+  } finally {
+    starting = false;
+  }
 
   const pushLog = (line) => {
     entry.log.push(line);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bakapiano/ccsm",
-  "version": "0.21.5",
+  "version": "0.22.1",
   "description": "Claude Code Session Manager — Windows web UI to manage many concurrent claude sessions: live list, snapshot/restore, focus existing window, new session in an isolated workspace with repo clones",
   "license": "MIT",
   "main": "server.js",

package/public/css/terminals.css

@@ -282,6 +282,7 @@
   display: flex;
   align-items: center;
   flex-shrink: 0;
+  gap: 4px;
   padding-right: 2px;
 }
 /* Close the gap to the page-title-bar above — only when there IS one.
@@ -335,6 +336,27 @@
 .session-tab-add:hover { background: rgba(255, 255, 255, 0.1); color: #fff; }
 .session-tab-add svg { width: 14px; height: 14px; }
 
+.session-controls {
+  display: inline-flex;
+  align-items: center;
+  flex-shrink: 0;
+}
+.session-control-btn.danger {
+  color: #f4b8b8;
+}
+.session-control-btn.danger:hover:not(:disabled) {
+  color: #ffd1d1;
+  background: rgba(183, 63, 63, 0.22);
+}
+.session-control-btn:disabled {
+  opacity: .55;
+  cursor: wait;
+}
+.session-control-btn svg {
+  width: 13px;
+  height: 13px;
+}
+
 /* Kebab in the page-title-bar (top-right). Compact 24px square so it
    doesn't dominate the masthead. In WCO mode the title-bar already
    reserves padding-right for OS controls, so this slides cleanly to
@@ -359,7 +381,8 @@
 }
 /* Neutral-grey hover tint works on either strip colour (darkens the light
    one, lightens the dark one) without needing a per-theme override. */
-.session-menu-btn:hover { background: rgba(128, 128, 128, 0.2); color: var(--term-on); }
+.session-menu-btn:hover:not(:disabled) { background: rgba(128, 128, 128, 0.2); color: var(--term-on); }
+.session-menu-btn:disabled { opacity: .55; cursor: wait; }
 .session-menu-btn svg { width: 16px; height: 16px; }
 
 .session-menu {
@@ -391,6 +414,20 @@
 .session-menu-item.danger { color: var(--danger, #b73f3f); }
 .session-menu-item.danger:hover { background: rgba(183, 63, 63, 0.08); }
 .session-menu-item svg { width: 14px; height: 14px; }
+.session-menu-item img { width: 14px; height: 14px; }
+.session-menu-separator {
+  height: 1px;
+  background: var(--border);
+  margin: 3px 2px;
+}
+.session-menu-label {
+  padding: 4px 10px 2px;
+  font-size: 11px;
+  line-height: 1.2;
+  color: var(--ink-muted);
+  text-transform: uppercase;
+  letter-spacing: 0;
+}
 
 .session-pane-head {
   display: flex;

package/public/css/widgets.css

@@ -1838,6 +1838,32 @@
    Running: a status banner (state · provider · uptime · stop link)
    followed by a copyable share URL block and an optional collapsed
    CLI log. */
+.tunnel-autostart {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+  margin-bottom: var(--s-4);
+}
+.tunnel-autostart-row {
+  display: flex;
+  align-items: center;
+  gap: 9px;
+  cursor: pointer;
+  font-size: 13px;
+  color: var(--ink-mid);
+}
+.tunnel-autostart-row input {
+  flex: 0 0 auto;
+  cursor: pointer;
+}
+.tunnel-autostart-label {
+  user-select: none;
+}
+.tunnel-autostart-hint {
+  /* indent under the checkbox so it lines up with the label text */
+  padding-left: 26px;
+}
+
 .tunnel-hero {
   display: flex;
   align-items: center;

package/public/js/api.js

@@ -254,6 +254,20 @@ export async function setSessionTitle(sessionId, title) {
   await loadSessions();
 }
 
+export async function switchSessionCli(sessionId, cliId) {
+  const r = await api('POST', `/api/sessions/${sessionId}/switch-cli`, { cliId });
+  resumeFailed.delete(sessionId);
+  await loadSessions();
+  return r;
+}
+
+export async function stopSession(sessionId) {
+  const r = await api('POST', `/api/sessions/${sessionId}/stop`);
+  resumeFailed.delete(sessionId);
+  await loadSessions();
+  return r.session;
+}
+
 export async function deleteSession(sessionId) {
   await api('DELETE', `/api/sessions/${sessionId}`);
   await loadSessions();

package/public/js/components/Sidebar.js

@@ -54,10 +54,9 @@ function SessionRow({ s, folderId, siblingIds }) {
   const onClick = async (ev) => {
     ev.preventDefault();
     selectSession(s.id);
-    // Auto-resume on click if the session is stopped — saves the user
-    // from a second click on the "Resume" button in the right pane.
-    // No-op if already running.
-    if (s.status !== 'running') {
+    // Auto-resume on click if the session stopped on its own. Explicitly
+    // stopped sessions stay stopped until the user presses Resume.
+    if (s.status !== 'running' && !s.manualStopped) {
       try { await resumeSession(s.id); }
       catch (e) { setToast(e.message, 'error'); }
     }

package/public/js/icons.js

@@ -141,6 +141,14 @@ export const IconMoreVert = ic('0 0 24 24', html`
   <circle cx="12" cy="19" r="1.6" fill="currentColor" stroke="none"/>
 `, 16);
 
+export const IconPlay = ic('0 0 24 24', html`
+  <polygon points="8 5 19 12 8 19 8 5"/>
+`, 14);
+
+export const IconStop = ic('0 0 24 24', html`
+  <rect x="7" y="7" width="10" height="10" rx="1.5"/>
+`, 14);
+
 // Broadcast / remote — radiating arcs over a centre dot. Used on the
 // Remote nav tab; reads as "this machine is broadcasting" / "remote
 // access available".

package/public/js/pages/LaunchPage.js

@@ -38,16 +38,29 @@ function saveLaunchState(s) {
   try { localStorage.setItem(LS_KEY, JSON.stringify(s)); } catch {}
 }
 
-function initRepoSelection(repos, override) {
-  if (override && Array.isArray(override)) {
-    // Only honour names that still exist in the user's repo list;
-    // anything else was deleted between sessions.
-    const valid = new Set(repos.map((r) => r.name));
-    selectedRepos.value = new Set(override.filter((n) => valid.has(n)));
-    return;
+function initRepoSelection(repos, saved) {
+  const valid = new Set(repos.map((r) => r.name));
+  const sel = new Set();
+  // Start from the persisted selection (last-used picks), keeping only
+  // repos that still exist.
+  if (saved && Array.isArray(saved.repos)) {
+    for (const n of saved.repos) if (valid.has(n)) sel.add(n);
   }
-  const want = new Set(repos.filter((r) => r.defaultSelected).map((r) => r.name));
-  selectedRepos.value = want;
+  // Auto-check any repo whose "pre-select on launch" default is newly
+  // active — i.e. it wasn't a default the last time we saved. This
+  // covers both a brand-new default repo and an existing repo the user
+  // just flipped to default in Configure. A default the user previously
+  // unchecked stays unchecked (it's an old default, already in
+  // knownDefaults). With no saved knownDefaults (fresh user / old
+  // state), every default applies.
+  const knownDefaults = saved && Array.isArray(saved.knownDefaults)
+    ? new Set(saved.knownDefaults) : null;
+  for (const r of repos) {
+    if (r.defaultSelected && (knownDefaults === null || !knownDefaults.has(r.name))) {
+      sel.add(r.name);
+    }
+  }
+  selectedRepos.value = sel;
 }
 
 function LaunchHero() {
@@ -86,17 +99,21 @@ function LaunchHero() {
   }, [folderId, folders.value.length]);
 
   // Persist every change. JSON-stringifying a Set isn't useful, so
-  // we materialize selectedRepos to an array here.
+  // we materialize selectedRepos to an array here. knownDefaults records
+  // which repos were marked "pre-select" at save time so
+  // initRepoSelection can tell a newly-flipped default apart from one the
+  // user deliberately unchecked.
   useEffect(() => {
     saveLaunchState({
       cliId, folderId, mode, cwd,
       repos: [...selectedRepos.value],
+      knownDefaults: repos.filter((r) => r.defaultSelected).map((r) => r.name),
     });
   }, [cliId, folderId, mode, cwd, selectedRepos.value]);
 
 
   const sig = repos.map((r) => r.name + ':' + r.defaultSelected).join('|');
-  useStateOnce(sig, () => initRepoSelection(repos, saved?.repos));
+  useStateOnce(sig, () => initRepoSelection(repos, saved));
 
   const cli = clis.find((c) => c.id === cliId) || clis[0];
   const folder = folders.value.find((f) => f.id === folderId);

package/public/js/pages/RemotePage.js

@@ -423,11 +423,35 @@ export function RemotePage() {
     const fresh = genToken();
     setTokenLocal(fresh);
     try {
-      const s = await api('POST', '/api/tunnel/token', { token: fresh });
+      // When auto-start is on the token must be PERSISTED, else the
+      // rotated token is lost on the next backend restart and every
+      // share URL built from it 401s. Route through the persisting
+      // endpoint in that case; otherwise the in-memory-only token
+      // endpoint is enough.
+      const s = status?.autoStart
+        ? await api('POST', '/api/tunnel/autostart', { autoStart: true, provider, token: fresh })
+        : await api('POST', '/api/tunnel/token', { token: fresh });
       setStatus(s);
       setToast('New token in effect', 'ok');
     } catch (e) { setToast(`token save failed · ${e.message}`, 'error'); }
   }
+  // Persist (or clear) the auto-start preference. On enable with no
+  // token yet, mint one first so the backend has something to reuse on
+  // its next startup. Approved devices keep working regardless of the
+  // token — it only gates NEW device registration.
+  async function onToggleAutoStart(next) {
+    setBusy(true);
+    try {
+      let tok = token;
+      if (next && (!tok || tok.length < 8)) { tok = genToken(); setTokenLocal(tok); }
+      const s = await api('POST', '/api/tunnel/autostart',
+        next ? { autoStart: true, provider, token: tok } : { autoStart: false });
+      setStatus(s);
+      setToast(next ? 'Auto-start on · tunnel comes up when ccsm starts' : 'Auto-start off', 'ok');
+    } catch (e) {
+      setToast(`auto-start ${next ? 'enable' : 'disable'} failed · ${e.message}`, 'error');
+    } finally { setBusy(false); }
+  }
   async function onInstall(p) {
     const ok = await ccsmConfirm(`Install ${p} via winget? Runs in the background — refresh after ~30s.`, {
       title: 'Install tunnel provider', okLabel: 'Install',
@@ -553,6 +577,18 @@ export function RemotePage() {
         meta=${running
           ? html`Provider <code>${status?.provider}</code> · started ${new Date(status.startedAt).toLocaleTimeString()}`
           : html`Not running.`}>
+        <div class="tunnel-autostart">
+          <label class="tunnel-autostart-row">
+            <input type="checkbox" checked=${!!status?.autoStart} disabled=${busy}
+                   onChange=${(e) => onToggleAutoStart(e.target.checked)} />
+            <span class="tunnel-autostart-label">Start this tunnel automatically when ccsm starts</span>
+          </label>
+          ${status?.autoStart && provider === 'cloudflared' ? html`
+            <span class="hint tunnel-autostart-hint">
+              Cloudflare quick tunnels get a new URL each launch — the share URL will change on
+              restart and approved devices must re-register. Use Microsoft Dev Tunnel for a stable URL.
+            </span>` : null}
+        </div>
         ${!running ? html`
           <div class="tunnel-hero">
             <div class="tunnel-hero-body">

package/public/js/pages/SessionsPage.js

@@ -7,13 +7,13 @@
 import { html } from '../html.js';
 import { useEffect, useRef, useState } from 'preact/hooks';
 import { activeSessionId, sessions, config, selectTab, selectSession, clockTick } from '../state.js';
-import { resumeSession, clearResumeFailure, deleteSession, setSessionTitle, openSessionInEditor } from '../api.js';
+import { resumeSession, clearResumeFailure, deleteSession, setSessionTitle, switchSessionCli, stopSession, openSessionInEditor } from '../api.js';
 import { setToast } from '../toast.js';
 import { ccsmConfirm, ccsmPrompt } from '../dialog.js';
 import { TerminalView } from '../components/TerminalView.js';
 import { PageTitleBar } from '../components/PageTitleBar.js';
 import { Popover } from '../components/Popover.js';
-import { IconMoreVert, IconPencil, IconClose, IconPlus, IconForCliType, IconTerminal, IconExternal } from '../icons.js';
+import { IconMoreVert, IconPencil, IconClose, IconPlus, IconForCliType, IconTerminal, IconExternal, IconPlay, IconStop } from '../icons.js';
 import { fmtAgo } from '../util.js';
 
 function SessionTabs({ activeId, onActivate, onNew, kebab }) {
@@ -51,7 +51,7 @@ function SessionTabs({ activeId, onActivate, onNew, kebab }) {
     </div>`;
 }
 
-function SessionMenu({ session, onRename, onDelete, onOpenEditor }) {
+function SessionMenu({ session, switchableClis, onRename, onDelete, onOpenEditor, onSwitchCli }) {
   const [open, setOpen] = useState(false);
   const anchor = useRef(null);
   return html`
@@ -67,6 +67,18 @@ function SessionMenu({ session, onRename, onDelete, onOpenEditor }) {
           <button class="session-menu-item" onClick=${() => { setOpen(false); onOpenEditor(); }}>
             <${IconExternal} /> Open in editor
           </button>
+          ${switchableClis.length ? html`
+            <div class="session-menu-separator"></div>
+            <div class="session-menu-label">Switch CLI</div>
+            ${switchableClis.map((target) => {
+              const TargetIcon = IconForCliType(target.type) || IconTerminal;
+              return html`
+                <button class="session-menu-item" key=${target.id}
+                        onClick=${() => { setOpen(false); onSwitchCli(target); }}>
+                  <${TargetIcon} /> Switch to ${target.name}
+                </button>`;
+            })}
+          ` : null}
           <button class="session-menu-item" onClick=${() => { setOpen(false); onRename(); }}>
             <${IconPencil} /> Rename
           </button>
@@ -77,12 +89,35 @@ function SessionMenu({ session, onRename, onDelete, onOpenEditor }) {
       </${Popover}>` : null}`;
 }
 
+function SessionControls({ running, busy, onStop, onResume }) {
+  return html`
+    <div class="session-controls">
+      ${running ? html`
+        <button class="session-menu-btn session-control-btn danger" type="button"
+                title="Stop session" aria-label="Stop session"
+                disabled=${busy}
+                onClick=${onStop}>
+          <${IconStop} />
+        </button>
+      ` : html`
+        <button class="session-menu-btn session-control-btn" type="button"
+                title=${busy ? 'Resuming session' : 'Resume session'}
+                aria-label=${busy ? 'Resuming session' : 'Resume session'}
+                disabled=${busy}
+                onClick=${onResume}>
+          <${IconPlay} />
+        </button>
+      `}
+    </div>`;
+}
+
 export function SessionsPage() {
   clockTick.value; // resubscribe fmtAgo
   const id = activeSessionId.value;
   const list = sessions.value;
   const session = id ? list.find((s) => s.id === id) : null;
   const [resumeError, setResumeError] = useState(null);
+  const [actionBusy, setActionBusy] = useState(false);
   // Bumps to force the auto-resume effect to re-run on Retry without
   // mutating any signal. Primitive in the dep array → identity changes.
   const [retryNonce, setRetryNonce] = useState(0);
@@ -100,22 +135,50 @@ export function SessionsPage() {
   useEffect(() => {
     if (!session) return;
     if (session.status === 'running') { setResumeError(null); return; }
+    if (session.manualStopped) { setResumeError(null); return; }
     setResumeError(null);
     resumeSession(session.id)
       .then((launched) => { if (launched?.id) selectSession(launched.id); })
       .catch((e) => { setResumeError(e.message); setToast(e.message, 'error'); });
-  }, [session?.id, session?.status, retryNonce]);
+  }, [session?.id, session?.status, session?.cliId, session?.manualStopped, retryNonce]);
 
   if (!session) return null;
 
   const cli = (config.value?.clis || []).find((c) => c.id === session.cliId);
+  const switchableClis = cli
+    ? (config.value?.clis || []).filter((c) => c.id !== cli.id && c.type === cli.type)
+    : [];
   const running = session.status === 'running';
   const title = session.title || session.workspace || session.id.slice(0, 12);
 
-  const onRetry = () => {
+  const onResume = async () => {
     clearResumeFailure(session.id);
     setResumeError(null);
-    setRetryNonce((n) => n + 1);
+    setActionBusy(true);
+    try {
+      const launched = await resumeSession(session.id);
+      if (launched?.id) selectSession(launched.id);
+    } catch (e) {
+      setResumeError(e.message);
+      setToast(e.message, 'error');
+    } finally {
+      setActionBusy(false);
+    }
+  };
+  const onRetry = () => {
+    onResume();
+  };
+  const onStop = async () => {
+    setActionBusy(true);
+    try {
+      await stopSession(session.id);
+      setResumeError(null);
+      setToast('Session stopped');
+    } catch (e) {
+      setToast(e.message, 'error');
+    } finally {
+      setActionBusy(false);
+    }
   };
   const onRename = async () => {
     const next = await ccsmPrompt('Rename session', title, { okLabel: 'Save' });
@@ -138,6 +201,26 @@ export function SessionsPage() {
       setToast(`Opening in ${r?.editor || 'editor'}…`);
     } catch (e) { setToast(e.message, 'error'); }
   };
+  const onSwitchCli = async (target) => {
+    const fromName = cli?.name || session.cliId;
+    if (running) {
+      const ok = await ccsmConfirm(
+        `Switch ${title} from ${fromName} to ${target.name}? The running terminal keeps its current process; ${target.name} is used next time this session resumes.`,
+        { title: 'Switch CLI', okLabel: 'Switch' },
+      );
+      if (!ok) return;
+    }
+    try {
+      const r = await switchSessionCli(session.id, target.id);
+      setToast(r.running
+        ? `CLI switched to ${target.name} for next resume`
+        : `CLI switched to ${target.name}`);
+      if (!running && !session.manualStopped) {
+        clearResumeFailure(session.id);
+        setRetryNonce((n) => n + 1);
+      }
+    } catch (e) { setToast(e.message, 'error'); }
+  };
 
   return html`
     <${PageTitleBar} title=${html`
@@ -148,14 +231,24 @@ export function SessionsPage() {
           <span>${cli ? cli.name : session.cliId}</span>
           ${session.repos.length ? html`<span>·</span><span>${session.repos.join(', ')}</span>` : null}
           <span>·</span>
-          <span>${running ? 'running' : (resumeError ? 'resume failed' : 'resuming…')}</span>
+          <span>${running ? 'running' : (resumeError ? 'resume failed' : (session.manualStopped ? 'stopped' : 'resuming…'))}</span>
         </span>
       `} />
     <${SessionTabs}
       activeId=${session.id}
       onActivate=${(sid) => selectSession(sid)}
       onNew=${() => selectTab('launch')}
-      kebab=${html`<${SessionMenu} session=${session} onRename=${onRename} onDelete=${onDelete} onOpenEditor=${onOpenEditor} />`} />
+      kebab=${html`
+        <${SessionControls} running=${running}
+                            busy=${actionBusy}
+                            onStop=${onStop}
+                            onResume=${onResume} />
+        <${SessionMenu} session=${session}
+                        switchableClis=${switchableClis}
+                        onRename=${onRename}
+                        onDelete=${onDelete}
+                        onOpenEditor=${onOpenEditor}
+                        onSwitchCli=${onSwitchCli} />`} />
     <div class="session-pane">
       <div class="session-pane-body">
         ${running
@@ -165,6 +258,11 @@ export function SessionsPage() {
               ${resumeError ? html`
                 <div>Failed to resume: <span class="mono">${resumeError}</span></div>
                 <button class="action primary" onClick=${onRetry}>Retry</button>
+              ` : session.manualStopped ? html`
+                <div>Session stopped</div>
+                <button class="action primary" onClick=${onResume} disabled=${actionBusy}>
+                  ${actionBusy ? 'Resuming…' : 'Resume'}
+                </button>
               ` : html`
                 <div>Resuming session…</div>
               `}

package/server.js

@@ -217,6 +217,10 @@ function pickCli(cfg, requestedId) {
   return cfg.clis.find((c) => c.id === wanted) || cfg.clis[0];
 }
 
+function findCliById(cfg, id) {
+  return (cfg.clis || []).find((c) => c.id === id) || null;
+}
+
 // Resolve how to spawn a CLI command. Windows quirks:
 // v1.1 — spawn strategy is now caller-controlled via cli.shell:
 //   'direct' — pty.spawn(command, args). Real .exe / absolute paths only.
@@ -456,13 +460,27 @@ function decorateConfigWithProbes(cfg) {
   };
 }
 
+// The tunnel + devtunnel config blocks are managed exclusively through
+// /api/tunnel/* (host-only) — they hold the persisted remote-access
+// token and the named tunnelId. Strip them from /api/config so (a) the
+// plaintext token never reaches an approved remote device reading config
+// and (b) the frontend's whole-object config round-trip on save can't
+// clobber tunnelId/token with a stale snapshot.
+function stripTunnelKeys(cfg) {
+  const rest = { ...cfg };
+  delete rest.tunnel;
+  delete rest.devtunnel;
+  return rest;
+}
 app.get('/api/config', asyncH(async (_req, res) => {
-  res.json(decorateConfigWithProbes(await loadConfig()));
+  res.json(decorateConfigWithProbes(stripTunnelKeys(await loadConfig())));
 }));
 
 app.put('/api/config', asyncH(async (req, res) => {
-  const cfg = await saveConfig(req.body || {});
-  res.json(decorateConfigWithProbes(cfg));
+  const body = { ...(req.body || {}) };
+  delete body.tunnel;
+  delete body.devtunnel;
+  res.json(decorateConfigWithProbes(stripTunnelKeys(await saveConfig(body))));
 }));
 
 // ---- CLI probe / test ----
@@ -625,6 +643,64 @@ app.put('/api/sessions/:id', asyncH(async (req, res) => {
   res.json({ session: updated });
 }));
 
+// Switch the CLI config used to resume an existing session. This is
+// intentionally narrower than the generic PUT route: a session can only
+// move between configured CLIs of the same type (e.g. one claude wrapper
+// to another) so its captured upstream cliSessionId stays meaningful.
+app.post('/api/sessions/:id/switch-cli', asyncH(async (req, res) => {
+  const targetCliId = typeof req.body?.cliId === 'string' ? req.body.cliId.trim() : '';
+  if (!targetCliId) return res.status(400).json({ error: 'cliId required' });
+
+  const record = await persistedSessions.get(req.params.id);
+  if (!record) return res.status(404).json({ error: 'session not found' });
+
+  const cfg = await loadConfig();
+  const currentCli = findCliById(cfg, record.cliId);
+  const targetCli = findCliById(cfg, targetCliId);
+  if (!currentCli) return res.status(400).json({ error: `current CLI ${record.cliId} no longer configured` });
+  if (!targetCli) return res.status(400).json({ error: `target CLI ${targetCliId} not configured` });
+  if (currentCli.type !== targetCli.type) {
+    return res.status(400).json({
+      error: `cannot switch ${currentCli.type} session to ${targetCli.type} CLI`,
+    });
+  }
+
+  if (record.cliId === targetCli.id) {
+    const live = webTerminal.get(record.id);
+    return res.json({ session: record, changed: false, running: !!(live && !live.exitedAt) });
+  }
+
+  const updated = await persistedSessions.update(record.id, { cliId: targetCli.id });
+  const live = webTerminal.get(record.id);
+  res.json({
+    session: updated,
+    changed: true,
+    running: !!(live && !live.exitedAt),
+    fromCliId: currentCli.id,
+    toCliId: targetCli.id,
+    cliType: targetCli.type,
+  });
+}));
+
+// Stop the live PTY for a session without deleting its persisted record.
+// Unlike a natural CLI exit, this is a user intent signal: the frontend
+// should not auto-resume it again until the user explicitly presses Resume.
+app.post('/api/sessions/:id/stop', asyncH(async (req, res) => {
+  const record = await persistedSessions.get(req.params.id);
+  if (!record) return res.status(404).json({ error: 'session not found' });
+  const stopped = webTerminal.kill(record.id);
+  const updated = await persistedSessions.update(record.id, {
+    status: 'exited',
+    pid: null,
+    exitCode: null,
+    exitedAt: Date.now(),
+    manualStopped: true,
+    lastActiveAt: Date.now(),
+  });
+  try { require('./lib/cliActivity').releaseSession(record.id); } catch {}
+  res.json({ stopped, session: updated });
+}));
+
 app.delete('/api/sessions/:id', asyncH(async (req, res) => {
   // Kill PTY first if it's still alive, then drop the record.
   try { webTerminal.kill(req.params.id); } catch {}
@@ -1162,6 +1238,28 @@ app.post('/api/tunnel/token', asyncH(async (req, res) => {
   tunnel.setToken(t);
   res.json(await tunnel.status());
 }));
+// Persist auto-start prefs. When ON, the backend brings this tunnel up
+// during its own startup (the boot hook in the listen IIFE below) using
+// the persisted token, so share URLs survive a backend restart. The
+// token is written to config ONLY while auto-start is on; turning it off
+// wipes the persisted token from disk. setToken keeps the in-memory copy
+// in lockstep so the share URL the page renders stays valid immediately.
+app.post('/api/tunnel/autostart', asyncH(async (req, res) => {
+  const { autoStart, provider, token } = req.body || {};
+  if (autoStart) {
+    if (!token || String(token).length < 8) {
+      return res.status(400).json({ error: 'token required (≥ 8 chars)' });
+    }
+    if (!['devtunnel', 'cloudflared'].includes(provider)) {
+      return res.status(400).json({ error: 'valid provider required' });
+    }
+    tunnel.setToken(token);
+    await saveConfig({ tunnel: { autoStart: true, provider, token } });
+  } else {
+    await saveConfig({ tunnel: { autoStart: false, provider: null, token: null } });
+  }
+  res.json(await tunnel.status());
+}));
 app.post('/api/tunnel/install', asyncH(async (req, res) => {
   const { provider } = req.body || {};
   try {
@@ -1675,6 +1773,20 @@ function openInBrowser(url) {
   // is warm by the time anyone clicks.
   try { tunnel.probe(true).catch(() => {}); } catch {}
 
+  // Auto-start the tunnel if the user enabled it on the Remote page.
+  // This is the BACKEND PROCESS bringing its own tunnel up on startup —
+  // not an OS-level autostart (no registry / scheduled task). Reuses the
+  // persisted token so share URLs stay valid across restarts. Strictly
+  // fire-and-forget: a failure here (devtunnel not signed in, provider
+  // uninstalled, etc.) must never crash boot — it just logs and the user
+  // can start manually from the Remote page.
+  if (cfg.tunnel?.autoStart && cfg.tunnel?.token && cfg.tunnel?.provider) {
+    tunnel.setToken(cfg.tunnel.token);
+    tunnel.start({ provider: cfg.tunnel.provider, port: currentPort })
+      .then((s) => console.log(`[ccsm] tunnel auto-started · ${cfg.tunnel.provider} · ${s.url || 'URL pending'}`))
+      .catch((e) => console.warn(`[ccsm] tunnel auto-start failed · ${e.message}`));
+  }
+
   if (webTerminal.available) {
     let WebSocketServer;
     try { ({ WebSocketServer } = require('ws')); } catch {}