@wrongstack/webui 0.273.1 → 0.274.0

package/dist/server/index.js

@@ -1166,7 +1166,7 @@ function isTrustedLoopbackOrigin(origin) {
   try {
     const url = new URL(origin);
     if (url.protocol !== "http:" && url.protocol !== "https:") return false;
-    return url.hostname === "localhost" || url.hostname === "127.0.0.1";
+    return url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "::1" || url.hostname === "[::1]";
   } catch {
     return false;
   }
@@ -1177,6 +1177,14 @@ function isLoopbackBind(wsHost) {
 function isWildcardBind(wsHost) {
   return wsHost === "0.0.0.0" || wsHost === "::" || wsHost === "[::]";
 }
+function normalizeHostname(hostname) {
+  const h = hostname.trim().toLowerCase();
+  return h.startsWith("[") && h.endsWith("]") ? h.slice(1, -1) : h;
+}
+function allowedHostname(hostname, allowedHostnames) {
+  const normalized = normalizeHostname(hostname);
+  return (allowedHostnames ?? []).some((candidate) => normalizeHostname(candidate) === normalized);
+}
 function tokenMatches(provided, expected) {
   if (!provided) return false;
   const a = Buffer.from(provided);
@@ -1215,28 +1223,37 @@ function hostHeaderOk(input) {
   } catch {
     return false;
   }
-  return isLoopbackHostname(hostname);
+  return isLoopbackHostname(hostname) || allowedHostname(hostname, input.allowedHostnames);
 }
 function verifyClient(input) {
-  const { origin, url, hostHeader, remoteAddress, cookieHeader, wsHost, expectedToken } = input;
+  const {
+    origin,
+    url,
+    hostHeader,
+    remoteAddress,
+    cookieHeader,
+    wsHost,
+    expectedToken,
+    requireToken,
+    allowedHostnames,
+    allowBrowserUrlToken
+  } = input;
   const urlTokenOk = tokenMatches(extractToken(url ?? ""), expectedToken);
   const cookieTokenOk = tokenMatches(extractTokenFromCookie(cookieHeader), expectedToken);
-  if (!hostHeaderOk({ hostHeader, wsHost })) return false;
+  if (!hostHeaderOk({ hostHeader, wsHost, allowedHostnames })) return false;
   if (!origin) {
     const remoteIp = remoteAddress ?? "";
     const isRemoteLoopback = remoteIp === "127.0.0.1" || remoteIp === "::1";
     if (!isRemoteLoopback && isWildcardBind(wsHost)) return false;
-    return urlTokenOk || cookieTokenOk || isLoopbackBind(wsHost);
+    return urlTokenOk || cookieTokenOk || isLoopbackBind(wsHost) && !requireToken;
   }
   try {
-    const { hostname } = new URL(origin);
-    if (isLoopbackHostname(hostname)) {
-      if (isWildcardBind(wsHost) && !isTrustedLoopbackOrigin(origin)) {
-        return false;
-      }
-      return true;
+    const { hostname: originHostname } = new URL(origin);
+    if (isLoopbackHostname(originHostname)) {
+      if (requireToken || !isLoopbackBind(wsHost)) return cookieTokenOk;
+      return isTrustedLoopbackOrigin(origin);
     }
-    return cookieTokenOk;
+    return cookieTokenOk || Boolean(allowBrowserUrlToken) && urlTokenOk && allowedHostname(originHostname, allowedHostnames);
   } catch {
     return false;
   }
@@ -1262,8 +1279,69 @@ function injectWsPort(html, wsPort) {
   return `${tag}
 ${html}`;
 }
-function buildCspHeader(wsPort) {
-  return `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort}; img-src 'self' data:; font-src 'self' data:; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
+function escapeHtmlAttr(value) {
+  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function injectWsConfig(html, opts) {
+  let out = injectWsPort(html, opts.wsPort);
+  if (!opts.publicWsUrl || out.includes('name="wrongstack-ws-url"')) return out;
+  const tag = `<meta name="wrongstack-ws-url" content="${escapeHtmlAttr(opts.publicWsUrl)}" />`;
+  if (out.includes("</head>")) {
+    return out.replace("</head>", `  ${tag}
+  </head>`);
+  }
+  return `${tag}
+${out}`;
+}
+function firstHeader(value) {
+  return Array.isArray(value) ? value[0] : value;
+}
+function wsTokenCookie(token) {
+  return `ws_token=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600`;
+}
+function requestToken(req, url) {
+  return url.searchParams.get("token") ?? firstHeader(req.headers["x-ws-token"]) ?? extractTokenFromCookie(req.headers.cookie);
+}
+function requestHostForCsp(hostHeader) {
+  const raw = firstHeader(hostHeader)?.trim();
+  if (!raw) return void 0;
+  try {
+    return new URL(`http://${raw}`).hostname;
+  } catch {
+    return void 0;
+  }
+}
+function formatCspHostname(hostname) {
+  return hostname.includes(":") && !hostname.startsWith("[") ? `[${hostname}]` : hostname;
+}
+function cspSourceFromUrl(rawUrl) {
+  try {
+    const url = new URL(rawUrl);
+    if (url.protocol !== "ws:" && url.protocol !== "wss:") return void 0;
+    return `${url.protocol}//${formatCspHostname(url.hostname)}${url.port ? `:${url.port}` : ""}`;
+  } catch {
+    return void 0;
+  }
+}
+var ALLOWED_INLINE_SCRIPT_HASHES = [
+  "'sha256-6PXDy0zrpXa6mvYOl11bZ8nubNUL7ushPUhGDZtaexg='",
+  "'sha256-6sIdwbEBx7jj0drqSHHm7MqvmoYD3CQ4lp8Zp8blcb0='"
+];
+function buildCspHeader(wsPort, requestHost, publicWsUrl) {
+  const connect = /* @__PURE__ */ new Set([
+    "'self'",
+    `ws://127.0.0.1:${wsPort}`,
+    `wss://127.0.0.1:${wsPort}`
+  ]);
+  if (requestHost && requestHost !== "127.0.0.1") {
+    const host = formatCspHostname(requestHost);
+    connect.add(`ws://${host}:${wsPort}`);
+    connect.add(`wss://${host}:${wsPort}`);
+  }
+  const publicWsSource = publicWsUrl ? cspSourceFromUrl(publicWsUrl) : void 0;
+  if (publicWsSource) connect.add(publicWsSource);
+  const scriptSrc = ["'self'", ...ALLOWED_INLINE_SCRIPT_HASHES].join(" ");
+  return `default-src 'self'; script-src ${scriptSrc}; style-src 'self' 'unsafe-inline'; connect-src ${Array.from(connect).join(" ")}; img-src 'self' data:; font-src 'self' data:; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
 }
 function isInsideDist(candidate, distDir) {
   const root = path.resolve(distDir);
@@ -1281,12 +1359,15 @@ function createHttpServer(opts) {
   const port = opts.port ?? Number.parseInt(process.env["PORT"] ?? "3456", 10);
   const distDir = path.resolve(opts.distDir);
   const wsPort = opts.wsPort;
-  const requireApiToken = !isLoopbackBind(opts.host) && Boolean(opts.apiToken);
+  const requireAccessToken = Boolean(opts.requireToken) || !isLoopbackBind(opts.host);
   return http.createServer(async (req, res) => {
     try {
       const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+      const providedAccessToken = requestToken(req, url);
+      const accessTokenOk = Boolean(opts.apiToken) && tokenMatches(providedAccessToken, opts.apiToken ?? "");
+      const shouldSetAuthCookie = Boolean(opts.apiToken) && tokenMatches(url.searchParams.get("token") ?? void 0, opts.apiToken ?? "");
       if (url.pathname === "/ws-auth" && req.method === "GET" && (opts.enableWsCookie ?? true)) {
-        const provided = url.searchParams.get("token") ?? req.headers["x-ws-token"];
+        const provided = requestToken(req, url);
         if (!provided || !opts.apiToken || !tokenMatches(provided, opts.apiToken)) {
           res.writeHead(401, { "Content-Type": "text/plain" });
           res.end("Unauthorized");
@@ -1294,7 +1375,7 @@ function createHttpServer(opts) {
         }
         res.writeHead(200, {
           "Content-Type": "text/plain",
-          "Set-Cookie": `ws_token=${encodeURIComponent(opts.apiToken)}; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600`,
+          "Set-Cookie": wsTokenCookie(opts.apiToken),
           // Belt-and-braces: tell any caches the cookie response itself
           // is sensitive.
           "Cache-Control": "no-store"
@@ -1302,10 +1383,20 @@ function createHttpServer(opts) {
         res.end("ok");
         return;
       }
+      if (requireAccessToken && !accessTokenOk) {
+        res.writeHead(401, {
+          "Content-Type": "text/plain",
+          "Cache-Control": "no-store"
+        });
+        res.end("Unauthorized");
+        return;
+      }
+      if (shouldSetAuthCookie && opts.apiToken) {
+        res.setHeader("Set-Cookie", wsTokenCookie(opts.apiToken));
+        res.setHeader("Cache-Control", "no-store");
+      }
       if (url.pathname === "/api/fleet/ping" && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1319,9 +1410,7 @@ function createHttpServer(opts) {
         return;
       }
       if (url.pathname === "/api/sessions" && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1331,9 +1420,7 @@ function createHttpServer(opts) {
       }
       const agentsMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/agents$/);
       if (agentsMatch && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1343,9 +1430,7 @@ function createHttpServer(opts) {
       }
       const eventsMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/events$/);
       if (eventsMatch && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1357,9 +1442,7 @@ function createHttpServer(opts) {
       }
       const msgMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/message$/);
       if (msgMatch && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1369,9 +1452,7 @@ function createHttpServer(opts) {
       }
       const mailboxMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/mailbox$/);
       if (mailboxMatch && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1381,9 +1462,7 @@ function createHttpServer(opts) {
       }
       const interruptMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/interrupt$/);
       if (interruptMatch && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1397,9 +1476,7 @@ function createHttpServer(opts) {
         return;
       }
       if (url.pathname === "/api/fleet/broadcast" && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1446,11 +1523,14 @@ function createHttpServer(opts) {
       res.setHeader("X-Frame-Options", "DENY");
       res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
       if (ext === ".html") {
-        res.setHeader("Cache-Control", "no-cache");
-        res.setHeader("Content-Security-Policy", buildCspHeader(wsPort));
+        if (!shouldSetAuthCookie) res.setHeader("Cache-Control", "no-cache");
+        res.setHeader(
+          "Content-Security-Policy",
+          buildCspHeader(wsPort, requestHostForCsp(req.headers.host), opts.publicWsUrl)
+        );
         const html = await fs.readFile(resolvedPath, "utf8");
         res.writeHead(200);
-        res.end(injectWsPort(html, wsPort));
+        res.end(injectWsConfig(html, { wsPort, publicWsUrl: opts.publicWsUrl }));
         return;
       }
       const fileContent = await fs.readFile(resolvedPath);
@@ -1465,9 +1545,13 @@ function createHttpServer(opts) {
             "X-Content-Type-Options": "nosniff",
             "X-Frame-Options": "DENY",
             "Referrer-Policy": "strict-origin-when-cross-origin",
-            "Content-Security-Policy": buildCspHeader(wsPort)
+            "Content-Security-Policy": buildCspHeader(
+              wsPort,
+              requestHostForCsp(req.headers.host),
+              opts.publicWsUrl
+            )
           });
-          res.end(injectWsPort(html, wsPort));
+          res.end(injectWsConfig(html, { wsPort, publicWsUrl: opts.publicWsUrl }));
         } catch {
           res.writeHead(404);
           res.end("Not found");
@@ -1699,6 +1783,37 @@ function errMessage(err) {
 function generateAuthToken() {
   return randomBytes(16).toString("hex");
 }
+function resolveAuthToken(explicit) {
+  const configured = explicit?.trim() || process.env["WEBUI_TOKEN"]?.trim() || process.env["WEBUI_AUTH_TOKEN"]?.trim();
+  return configured || generateAuthToken();
+}
+function hostForBrowserUrl(bindHost) {
+  if (bindHost === "0.0.0.0") return "127.0.0.1";
+  if (bindHost === "::" || bindHost === "[::]") return "[::1]";
+  if (bindHost.includes(":") && !bindHost.startsWith("[")) return `[${bindHost}]`;
+  return bindHost;
+}
+function buildWebUIAccessUrl(opts) {
+  const protocol = opts.protocol ?? "http";
+  const base = opts.publicUrl?.trim() || `${protocol}://${hostForBrowserUrl(opts.host)}:${opts.port}`;
+  if (!opts.token) return base;
+  try {
+    const url = new URL(base);
+    url.searchParams.set("token", opts.token);
+    const rendered = url.toString();
+    const afterOrigin = base.slice(url.origin.length);
+    if (url.pathname === "/" && !afterOrigin.startsWith("/")) {
+      return `${url.origin}${url.search}${url.hash}`;
+    }
+    return rendered;
+  } catch {
+    return `${base}${base.includes("?") ? "&" : "?"}token=${encodeURIComponent(opts.token)}`;
+  }
+}
+function envFlag(name2) {
+  const value = process.env[name2]?.trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes" || value === "on";
+}
 
 // src/server/file-handlers.ts
 async function resolveFileInsideProject(projectRoot, filePath) {
@@ -3030,6 +3145,13 @@ import {
   PhaseStore,
   WorktreeManager
 } from "@wrongstack/core";
+function deriveTitle(goal) {
+  const firstLine = goal.split("\n").map((l) => l.trim()).find(Boolean);
+  if (!firstLine) return "AutoPhase";
+  const sentence = firstLine.split(/(?<=[.!?])\s/)[0] ?? firstLine;
+  const trimmed = sentence.length <= 64 ? sentence : `${sentence.slice(0, 63).trimEnd()}\u2026`;
+  return trimmed || "AutoPhase";
+}
 function isGitRepo(cwd) {
   try {
     const r = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], { cwd, encoding: "utf8", windowsHide: true });
@@ -3038,6 +3160,19 @@ function isGitRepo(cwd) {
     return false;
   }
 }
+function commitsSince(cwd, baseSha, branch) {
+  try {
+    const r = spawnSync("git", ["log", "--reverse", "--format=%H", `${baseSha}..${branch}`], {
+      cwd,
+      encoding: "utf8",
+      windowsHide: true
+    });
+    if (r.status !== 0) return [];
+    return r.stdout.split("\n").map((s) => s.trim()).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
 var AutoPhaseWebSocketHandler = class {
   constructor(agent, context, logger, storeDir, events, projectRoot) {
     this.agent = agent;
@@ -3057,10 +3192,17 @@ var AutoPhaseWebSocketHandler = class {
   store;
   clients = /* @__PURE__ */ new Set();
   broadcastInterval = null;
-  /** Aborts in-flight task agents when the run is stopped. */
+  /** Aborts in-flight task agents AND the planning turn when the run is stopped. */
   abort = null;
+  /** Set the instant a stop/clear/revert is requested, so a planning turn that
+   *  resolves afterwards never launches the orchestrator (the abort alone can't
+   *  cover the window between the LLM call resolving and the orchestrator start). */
+  stopping = false;
   /** Optional per-phase git-worktree isolation (lazily created at start). */
   worktrees = null;
+  /** Base branch + tip SHA captured at run start so a revert can git-revert the
+   *  run's squash commits (history-preserving) instead of a destructive reset. */
+  runBase = null;
   /** Per-run worker identities so the board can show "who is on what". */
   usedNicknames = /* @__PURE__ */ new Set();
   addClient(ws) {
@@ -3084,11 +3226,13 @@ var AutoPhaseWebSocketHandler = class {
         this.broadcast({ type: "autophase.resumed", payload: {} });
         break;
       case "autophase.stop":
-        this.abort?.abort();
-        this.orchestrator?.stop();
-        this.stopBroadcast();
-        if (this.graph) void this.store.save(this.graph);
-        this.broadcast({ type: "autophase.stopped", payload: {} });
+        await this.handleStop();
+        break;
+      case "autophase.clear":
+        await this.handleClear();
+        break;
+      case "autophase.revert":
+        await this.handleRevert();
         break;
       case "autophase.status":
         this.broadcastState();
@@ -3165,17 +3309,27 @@ var AutoPhaseWebSocketHandler = class {
     }
   }
   async handleStart(payload) {
-    const title = payload?.goal || payload?.title || "Untitled Project";
+    const goal = payload?.goal || payload?.title || "Untitled Project";
+    const title = deriveTitle(goal);
     const autonomous = payload?.autonomous ?? true;
-    const phases = Array.isArray(payload?.phases) ? payload.phases : await this.planPhases(title);
+    this.abort = new AbortController();
+    this.stopping = false;
+    const phases = Array.isArray(payload?.phases) ? payload.phases : await this.planPhases(goal, this.abort.signal);
+    if (this.stopping || this.abort.signal.aborted) {
+      this.broadcast({ type: "autophase.stopped", payload: { title } });
+      return;
+    }
     this.logger.info(`[AutoPhase] Starting: ${title}`);
-    const graph = await new PhaseGraphBuilder({ title, phases, autonomous }).build();
+    const graph = await new PhaseGraphBuilder({ title, description: goal, phases, autonomous }).build();
     this.graph = graph;
-    this.abort = new AbortController();
     await this.store.save(graph);
-    if (!this.worktrees && this.events && this.projectRoot && process.env["WRONGSTACK_AUTOPHASE_WORKTREES"] !== "0" && isGitRepo(this.projectRoot)) {
+    const useWorktrees = payload?.worktrees ?? process.env["WRONGSTACK_AUTOPHASE_WORKTREES"] !== "0";
+    if (!this.worktrees && this.events && this.projectRoot && useWorktrees && isGitRepo(this.projectRoot)) {
       this.worktrees = new WorktreeManager({ projectRoot: this.projectRoot, events: this.events });
     }
+    if (this.worktrees) {
+      this.runBase = await this.worktrees.currentBase();
+    }
     this.orchestrator = new PhaseOrchestrator({
       graph,
       ctx: {
@@ -3222,6 +3376,62 @@ var AutoPhaseWebSocketHandler = class {
       this.broadcast({ type: "autophase.failed", payload: { title, error: String(err) } });
     });
   }
+  /**
+   * Halt the run NOW — at any phase. Sets `stopping` (so a planning turn that
+   * resolves afterwards bails), aborts in-flight agents, stops the orchestrator
+   * tick, and ends the live broadcast. The board is kept for review; use
+   * `autophase.clear` to reset or `autophase.revert` to undo the changes.
+   */
+  async handleStop() {
+    this.stopping = true;
+    this.abort?.abort();
+    this.orchestrator?.stop();
+    this.stopBroadcast();
+    if (this.graph) await this.store.save(this.graph).catch(() => void 0);
+    this.broadcast({ type: "autophase.stopped", payload: { title: this.graph?.title } });
+  }
+  /**
+   * Stop + wipe: tear down phase worktrees and reset to an empty board so the UI
+   * returns to the start screen ("new one"). Does NOT touch already-merged commits
+   * on the base branch — that is `autophase.revert`.
+   */
+  async handleClear() {
+    await this.handleStop();
+    if (this.worktrees) await this.worktrees.cleanupAllManaged().catch(() => void 0);
+    this.orchestrator = null;
+    this.graph = null;
+    this.runBase = null;
+    this.usedNicknames.clear();
+    this.broadcast({ type: "autophase.cleared", payload: {} });
+    this.broadcast({ type: "autophase.state", payload: this.buildState() });
+  }
+  /**
+   * Stop + undo: remove phase worktrees, then history-preservingly `git revert`
+   * every commit this run landed on the base branch (captured `runBase`..HEAD),
+   * then reset to an empty board. Refuses (reports a reason) on a dirty tree or a
+   * conflicting revert rather than leaving the tree half-reverted.
+   */
+  async handleRevert() {
+    await this.handleStop();
+    if (!this.worktrees || !this.runBase || !this.projectRoot) {
+      this.broadcast({
+        type: "autophase.reverted",
+        payload: { ok: false, reverted: 0, reason: "no git baseline was captured for this run" }
+      });
+      return;
+    }
+    await this.worktrees.cleanupAllManaged().catch(() => void 0);
+    const shas = commitsSince(this.projectRoot, this.runBase.sha, this.runBase.branch);
+    const res = await this.worktrees.revertCommits(this.runBase.branch, shas);
+    this.broadcast({ type: "autophase.reverted", payload: res });
+    if (res.ok) {
+      this.orchestrator = null;
+      this.graph = null;
+      this.runBase = null;
+      this.broadcast({ type: "autophase.cleared", payload: {} });
+      this.broadcast({ type: "autophase.state", payload: this.buildState() });
+    }
+  }
   /** Generic fallback phases when the LLM planner produces nothing usable. */
   defaultPhases() {
     return [
@@ -3232,13 +3442,18 @@ var AutoPhaseWebSocketHandler = class {
       { name: "Deployment", description: "Deploy to production", priority: "medium", estimateHours: 2, parallelizable: false }
     ];
   }
-  /** Plan phases+todos for the goal via the LLM; fall back to defaults on failure. */
-  async planPhases(goal) {
+  /** Plan phases+todos for the goal via the LLM; fall back to defaults on failure.
+   *  The caller passes the run's abort signal so a stop during planning cancels
+   *  the LLM turn (the previous fresh, never-aborted controller made planning
+   *  uninterruptible). */
+  async planPhases(goal, signal) {
     try {
       const planner = new AutoPhasePlanner({
         goal,
         runOnce: async (prompt) => {
-          const result = await this.agent.run(prompt, { signal: new AbortController().signal });
+          const result = await this.agent.run(prompt, {
+            signal: signal ?? new AbortController().signal
+          });
           return result.status === "done" ? result.finalText ?? "" : "";
         }
       });
@@ -3373,6 +3588,10 @@ Type: ${task.type}`;
     const lastError = lastFailed ? `${lastFailed.name}: ${lastFailed.metadata?.integrationError ?? "phase failed"}` : null;
     return {
       title: this.graph.title,
+      // Full operator prompt, shown verbatim in a dedicated goal block (the
+      // title is only a short derived heading). Fall back to the title for
+      // legacy boards saved before the title/goal split.
+      goal: this.graph.description || this.graph.title,
       phases: phaseItems,
       tasks: taskItems,
       activePhaseId: currentActiveId,
@@ -3683,6 +3902,12 @@ var SddBoardWebSocketHandler = class {
 };
 
 // src/server/sdd-wizard-ws-handler.ts
+function deriveTitle2(goal) {
+  const firstLine = goal.split("\n").map((l) => l.trim()).find(Boolean);
+  if (!firstLine) return "New SDD Project";
+  const sentence = firstLine.split(/(?<=[.!?])\s/)[0] ?? firstLine;
+  return sentence.length <= 64 ? sentence : `${sentence.slice(0, 63).trimEnd()}\u2026`;
+}
 var SddWizardWebSocketHandler = class {
   constructor(deps2) {
     this.deps = deps2;
@@ -3721,7 +3946,8 @@ var SddWizardWebSocketHandler = class {
             parallelSlots: msg.payload?.parallelSlots,
             defaultModel: msg.payload?.model,
             defaultProvider: msg.payload?.provider,
-            fallbackModels: Array.isArray(msg.payload?.fallbackModels) ? msg.payload?.fallbackModels : void 0
+            fallbackModels: Array.isArray(msg.payload?.fallbackModels) ? msg.payload?.fallbackModels : void 0,
+            worktrees: typeof msg.payload?.worktrees === "boolean" ? msg.payload.worktrees : void 0
           });
           break;
       }
@@ -3741,7 +3967,7 @@ var SddWizardWebSocketHandler = class {
     }
     if (this.busy) return;
     this.driver = this.deps.makeDriver();
-    const prompt = this.driver.start(goal);
+    const prompt = this.driver.start(deriveTitle2(goal), goal);
     await this.runTurn(prompt);
   }
   async onMessage(text) {
@@ -3826,6 +4052,7 @@ import {
   TaskGraphStore as TaskGraphStore2,
   WorktreeManager as WorktreeManager2
 } from "@wrongstack/core";
+var PLANNING_ONLY_GUARD = "SYSTEM: You are running a PLANNING-ONLY specification interview. Do NOT write, create, or edit any files, and do NOT run shell/terminal commands or use any code-editing tools \u2014 they are disabled here and any attempt will fail and waste the turn. Respond with TEXT ONLY: ask your question, or emit the requested spec / plan / task JSON. All code is written later, automatically, once the plan is approved and the multi-agent run starts.\n\n---\n\n";
 function buildSddWizardDeps(opts) {
   const registry = new SddRunRegistry();
   let isolatedSeq = 0;
@@ -3834,11 +4061,11 @@ function buildSddWizardDeps(opts) {
       id: `sdd-${name2.toLowerCase().replace(/\s+/g, "-")}-${isolatedSeq++}`,
       role: "executor",
       name: name2,
-      disabledTools: ["delegate"],
+      disabledTools: ["delegate", "write", "edit", "patch", "bash", "exec"],
       allowedCapabilities: ["fs.read", "net.outbound"]
     });
     try {
-      const res = await result.agent.run([{ type: "text", text: prompt }]);
+      const res = await result.agent.run([{ type: "text", text: PLANNING_ONLY_GUARD + prompt }]);
       return res.finalText ?? "";
     } finally {
       await result.dispose?.();
@@ -3851,14 +4078,15 @@ function buildSddWizardDeps(opts) {
       sessionPath: path7.join(opts.paths.projectDir, "sdd-wizard-session.json")
     }),
     runInterviewTurn: (prompt) => runIsolatedTurn(prompt, "Spec Architect"),
-    startRun: async (driver, { parallelSlots, defaultModel, defaultProvider, fallbackModels }) => {
+    startRun: async (driver, { parallelSlots, defaultModel, defaultProvider, fallbackModels, worktrees: useWorktrees }) => {
       const graph = driver.getGraph();
       const tracker = driver.getTracker();
       if (!graph || !tracker) {
         throw new Error("No task graph to run \u2014 finish the interview first.");
       }
+      const worktreesEnabled = useWorktrees ?? process.env["WRONGSTACK_SDD_WORKTREES"] !== "0";
       let worktrees;
-      if (process.env["WRONGSTACK_SDD_WORKTREES"] !== "0") {
+      if (worktreesEnabled) {
         const inGit = spawnSync2("git", ["rev-parse", "--is-inside-work-tree"], {
           cwd: opts.projectRoot,
           encoding: "utf8",
@@ -7775,8 +8003,11 @@ async function handleGoalGet(projectRoot, broadcast2) {
 async function startWebUI(opts = {}) {
   ensureSessionShell();
   const requestedWsPort = opts.wsPort ?? 3457;
-  const wsHost = opts.wsHost ?? "127.0.0.1";
-  const requestedHttpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
+  const wsHost = opts.wsHost ?? process.env["WEBUI_HOST"] ?? process.env["WS_HOST"] ?? "127.0.0.1";
+  const requestedHttpPort = opts.httpPort ?? opts.webuiPort ?? opts.port ?? Number.parseInt(process.env["WEBUI_PORT"] ?? process.env["PORT"] ?? "3456", 10);
+  const publicUrl = opts.publicUrl ?? process.env["WEBUI_PUBLIC_URL"];
+  const publicWsUrl = opts.publicWsUrl ?? process.env["WEBUI_PUBLIC_WS_URL"];
+  const requireToken = opts.requireToken ?? envFlag("WEBUI_REQUIRE_TOKEN");
   const strictPort = process.env["WEBUI_STRICT_PORT"] === "1" || process.env["WEBUI_STRICT_PORT"] === "true";
   let wsPort = requestedWsPort;
   let httpPort = requestedHttpPort;
@@ -8571,8 +8802,16 @@ async function startWebUI(opts = {}) {
       contextMode: String(context.meta["contextWindowMode"] ?? DEFAULT_CONTEXT_WINDOW_MODE_ID2)
     };
   }
-  const wsToken = generateAuthToken();
-  console.log("[WebUI] WS auth token generated (redacted from logs)");
+  const wsToken = resolveAuthToken(opts.accessToken);
+  console.log("[WebUI] WS auth token ready");
+  const publicHostnames = [publicUrl, publicWsUrl].map((value) => {
+    if (!value) return void 0;
+    try {
+      return new URL(value).hostname;
+    } catch {
+      return void 0;
+    }
+  }).filter((value) => Boolean(value));
   const verifyClient2 = (info) => verifyClient({
     origin: info.origin,
     url: info.req.url ?? "",
@@ -8584,7 +8823,10 @@ async function startWebUI(opts = {}) {
     // exposure class.
     cookieHeader: info.req.headers.cookie,
     wsHost,
-    expectedToken: wsToken
+    expectedToken: wsToken,
+    requireToken,
+    allowedHostnames: publicHostnames,
+    allowBrowserUrlToken: Boolean(publicWsUrl)
   });
   const WS_MAX_PAYLOAD = 8 * 1024 * 1024;
   const wssPrimary = new WebSocketServer({
@@ -9524,8 +9766,10 @@ async function startWebUI(opts = {}) {
     host: wsHost,
     distDir: path16.resolve(import.meta.dirname, "../../dist"),
     wsPort,
+    publicWsUrl,
     globalRoot: wpaths.globalRoot,
     apiToken: wsToken,
+    requireToken,
     watcherMetrics,
     onFleetPing: () => {
       void fleetBroadcast?.();
@@ -9533,7 +9777,12 @@ async function startWebUI(opts = {}) {
   });
   const registryBaseDir = path16.dirname(globalConfigPath);
   httpServer.listen(httpPort, wsHost, () => {
-    const openUrl = `http://${wsHost}:${httpPort}`;
+    const openUrl = buildWebUIAccessUrl({
+      host: wsHost,
+      port: httpPort,
+      token: wsToken,
+      publicUrl
+    });
     console.log(`[WebUI] HTTP server running on ${openUrl}`);
     if (opts.open) openBrowser(openUrl);
     void registerInstance(
@@ -9545,7 +9794,7 @@ async function startWebUI(opts = {}) {
         projectRoot,
         projectName: path16.basename(projectRoot) || projectRoot,
         startedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        url: `http://${wsHost}:${httpPort}`
+        url: buildWebUIAccessUrl({ host: wsHost, port: httpPort, publicUrl })
       },
       registryBaseDir
     ).catch((err) => console.warn(JSON.stringify({
@@ -9595,6 +9844,7 @@ export {
   browserOpenCommand,
   buildCspHeader,
   buildSddWizardDeps,
+  buildWebUIAccessUrl,
   createCustomModeStore,
   createEternalSubscription,
   createHttpServer,
@@ -9602,6 +9852,7 @@ export {
   createToolLspCompletionSource,
   defaultBaseDir,
   deleteKey,
+  envFlag,
   errMessage,
   estimateTokens,
   extractToken,
@@ -9637,6 +9888,7 @@ export {
   handleSkillsInstall,
   handleSkillsUninstall,
   handleSkillsUpdate,
+  hostForBrowserUrl,
   hostHeaderOk,
   injectWsPort,
   isLoopbackBind,
@@ -9652,6 +9904,7 @@ export {
   registerInstance,
   registryPath,
   removeProvider,
+  resolveAuthToken,
   saveProviders,
   send,
   sendResult2 as sendResult,