@wrongstack/webui 0.273.1 → 0.274.0

package/dist/server/entry.js

@@ -1167,7 +1167,7 @@ function isTrustedLoopbackOrigin(origin) {
   try {
     const url = new URL(origin);
     if (url.protocol !== "http:" && url.protocol !== "https:") return false;
-    return url.hostname === "localhost" || url.hostname === "127.0.0.1";
+    return url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "::1" || url.hostname === "[::1]";
   } catch {
     return false;
   }
@@ -1178,6 +1178,14 @@ function isLoopbackBind(wsHost) {
 function isWildcardBind(wsHost) {
   return wsHost === "0.0.0.0" || wsHost === "::" || wsHost === "[::]";
 }
+function normalizeHostname(hostname) {
+  const h = hostname.trim().toLowerCase();
+  return h.startsWith("[") && h.endsWith("]") ? h.slice(1, -1) : h;
+}
+function allowedHostname(hostname, allowedHostnames) {
+  const normalized = normalizeHostname(hostname);
+  return (allowedHostnames ?? []).some((candidate) => normalizeHostname(candidate) === normalized);
+}
 function tokenMatches(provided, expected) {
   if (!provided) return false;
   const a = Buffer.from(provided);
@@ -1216,28 +1224,37 @@ function hostHeaderOk(input) {
   } catch {
     return false;
   }
-  return isLoopbackHostname(hostname);
+  return isLoopbackHostname(hostname) || allowedHostname(hostname, input.allowedHostnames);
 }
 function verifyClient(input) {
-  const { origin, url, hostHeader, remoteAddress, cookieHeader, wsHost, expectedToken } = input;
+  const {
+    origin,
+    url,
+    hostHeader,
+    remoteAddress,
+    cookieHeader,
+    wsHost,
+    expectedToken,
+    requireToken,
+    allowedHostnames,
+    allowBrowserUrlToken
+  } = input;
   const urlTokenOk = tokenMatches(extractToken(url ?? ""), expectedToken);
   const cookieTokenOk = tokenMatches(extractTokenFromCookie(cookieHeader), expectedToken);
-  if (!hostHeaderOk({ hostHeader, wsHost })) return false;
+  if (!hostHeaderOk({ hostHeader, wsHost, allowedHostnames })) return false;
   if (!origin) {
     const remoteIp = remoteAddress ?? "";
     const isRemoteLoopback = remoteIp === "127.0.0.1" || remoteIp === "::1";
     if (!isRemoteLoopback && isWildcardBind(wsHost)) return false;
-    return urlTokenOk || cookieTokenOk || isLoopbackBind(wsHost);
+    return urlTokenOk || cookieTokenOk || isLoopbackBind(wsHost) && !requireToken;
   }
   try {
-    const { hostname } = new URL(origin);
-    if (isLoopbackHostname(hostname)) {
-      if (isWildcardBind(wsHost) && !isTrustedLoopbackOrigin(origin)) {
-        return false;
-      }
-      return true;
+    const { hostname: originHostname } = new URL(origin);
+    if (isLoopbackHostname(originHostname)) {
+      if (requireToken || !isLoopbackBind(wsHost)) return cookieTokenOk;
+      return isTrustedLoopbackOrigin(origin);
     }
-    return cookieTokenOk;
+    return cookieTokenOk || Boolean(allowBrowserUrlToken) && urlTokenOk && allowedHostname(originHostname, allowedHostnames);
   } catch {
     return false;
   }
@@ -1263,8 +1280,69 @@ function injectWsPort(html, wsPort) {
   return `${tag}
 ${html}`;
 }
-function buildCspHeader(wsPort) {
-  return `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort}; img-src 'self' data:; font-src 'self' data:; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
+function escapeHtmlAttr(value) {
+  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function injectWsConfig(html, opts) {
+  let out = injectWsPort(html, opts.wsPort);
+  if (!opts.publicWsUrl || out.includes('name="wrongstack-ws-url"')) return out;
+  const tag = `<meta name="wrongstack-ws-url" content="${escapeHtmlAttr(opts.publicWsUrl)}" />`;
+  if (out.includes("</head>")) {
+    return out.replace("</head>", `  ${tag}
+  </head>`);
+  }
+  return `${tag}
+${out}`;
+}
+function firstHeader(value) {
+  return Array.isArray(value) ? value[0] : value;
+}
+function wsTokenCookie(token) {
+  return `ws_token=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600`;
+}
+function requestToken(req, url) {
+  return url.searchParams.get("token") ?? firstHeader(req.headers["x-ws-token"]) ?? extractTokenFromCookie(req.headers.cookie);
+}
+function requestHostForCsp(hostHeader) {
+  const raw = firstHeader(hostHeader)?.trim();
+  if (!raw) return void 0;
+  try {
+    return new URL(`http://${raw}`).hostname;
+  } catch {
+    return void 0;
+  }
+}
+function formatCspHostname(hostname) {
+  return hostname.includes(":") && !hostname.startsWith("[") ? `[${hostname}]` : hostname;
+}
+function cspSourceFromUrl(rawUrl) {
+  try {
+    const url = new URL(rawUrl);
+    if (url.protocol !== "ws:" && url.protocol !== "wss:") return void 0;
+    return `${url.protocol}//${formatCspHostname(url.hostname)}${url.port ? `:${url.port}` : ""}`;
+  } catch {
+    return void 0;
+  }
+}
+var ALLOWED_INLINE_SCRIPT_HASHES = [
+  "'sha256-6PXDy0zrpXa6mvYOl11bZ8nubNUL7ushPUhGDZtaexg='",
+  "'sha256-6sIdwbEBx7jj0drqSHHm7MqvmoYD3CQ4lp8Zp8blcb0='"
+];
+function buildCspHeader(wsPort, requestHost, publicWsUrl) {
+  const connect = /* @__PURE__ */ new Set([
+    "'self'",
+    `ws://127.0.0.1:${wsPort}`,
+    `wss://127.0.0.1:${wsPort}`
+  ]);
+  if (requestHost && requestHost !== "127.0.0.1") {
+    const host = formatCspHostname(requestHost);
+    connect.add(`ws://${host}:${wsPort}`);
+    connect.add(`wss://${host}:${wsPort}`);
+  }
+  const publicWsSource = publicWsUrl ? cspSourceFromUrl(publicWsUrl) : void 0;
+  if (publicWsSource) connect.add(publicWsSource);
+  const scriptSrc = ["'self'", ...ALLOWED_INLINE_SCRIPT_HASHES].join(" ");
+  return `default-src 'self'; script-src ${scriptSrc}; style-src 'self' 'unsafe-inline'; connect-src ${Array.from(connect).join(" ")}; img-src 'self' data:; font-src 'self' data:; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`;
 }
 function isInsideDist(candidate, distDir) {
   const root = path.resolve(distDir);
@@ -1282,12 +1360,15 @@ function createHttpServer(opts) {
   const port = opts.port ?? Number.parseInt(process.env["PORT"] ?? "3456", 10);
   const distDir = path.resolve(opts.distDir);
   const wsPort = opts.wsPort;
-  const requireApiToken = !isLoopbackBind(opts.host) && Boolean(opts.apiToken);
+  const requireAccessToken = Boolean(opts.requireToken) || !isLoopbackBind(opts.host);
   return http.createServer(async (req, res) => {
     try {
       const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+      const providedAccessToken = requestToken(req, url);
+      const accessTokenOk = Boolean(opts.apiToken) && tokenMatches(providedAccessToken, opts.apiToken ?? "");
+      const shouldSetAuthCookie = Boolean(opts.apiToken) && tokenMatches(url.searchParams.get("token") ?? void 0, opts.apiToken ?? "");
       if (url.pathname === "/ws-auth" && req.method === "GET" && (opts.enableWsCookie ?? true)) {
-        const provided = url.searchParams.get("token") ?? req.headers["x-ws-token"];
+        const provided = requestToken(req, url);
         if (!provided || !opts.apiToken || !tokenMatches(provided, opts.apiToken)) {
           res.writeHead(401, { "Content-Type": "text/plain" });
           res.end("Unauthorized");
@@ -1295,7 +1376,7 @@ function createHttpServer(opts) {
         }
         res.writeHead(200, {
           "Content-Type": "text/plain",
-          "Set-Cookie": `ws_token=${encodeURIComponent(opts.apiToken)}; HttpOnly; SameSite=Strict; Path=/; Max-Age=3600`,
+          "Set-Cookie": wsTokenCookie(opts.apiToken),
           // Belt-and-braces: tell any caches the cookie response itself
           // is sensitive.
           "Cache-Control": "no-store"
@@ -1303,10 +1384,20 @@ function createHttpServer(opts) {
         res.end("ok");
         return;
       }
+      if (requireAccessToken && !accessTokenOk) {
+        res.writeHead(401, {
+          "Content-Type": "text/plain",
+          "Cache-Control": "no-store"
+        });
+        res.end("Unauthorized");
+        return;
+      }
+      if (shouldSetAuthCookie && opts.apiToken) {
+        res.setHeader("Set-Cookie", wsTokenCookie(opts.apiToken));
+        res.setHeader("Cache-Control", "no-store");
+      }
       if (url.pathname === "/api/fleet/ping" && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1320,9 +1411,7 @@ function createHttpServer(opts) {
         return;
       }
       if (url.pathname === "/api/sessions" && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1332,9 +1421,7 @@ function createHttpServer(opts) {
       }
       const agentsMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/agents$/);
       if (agentsMatch && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1344,9 +1431,7 @@ function createHttpServer(opts) {
       }
       const eventsMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/events$/);
       if (eventsMatch && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1358,9 +1443,7 @@ function createHttpServer(opts) {
       }
       const msgMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/message$/);
       if (msgMatch && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1370,9 +1453,7 @@ function createHttpServer(opts) {
       }
       const mailboxMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/mailbox$/);
       if (mailboxMatch && req.method === "GET") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1382,9 +1463,7 @@ function createHttpServer(opts) {
       }
       const interruptMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/interrupt$/);
       if (interruptMatch && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1398,9 +1477,7 @@ function createHttpServer(opts) {
         return;
       }
       if (url.pathname === "/api/fleet/broadcast" && req.method === "POST") {
-        const headerToken = req.headers["x-ws-token"];
-        const provided = Array.isArray(headerToken) ? headerToken[0] : headerToken;
-        if (requireApiToken && !tokenMatches(provided, opts.apiToken ?? "")) {
+        if (requireAccessToken && !accessTokenOk) {
           res.writeHead(401, { "Content-Type": "application/json" });
           res.end(JSON.stringify({ error: "Unauthorized" }));
           return;
@@ -1447,11 +1524,14 @@ function createHttpServer(opts) {
       res.setHeader("X-Frame-Options", "DENY");
       res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
       if (ext === ".html") {
-        res.setHeader("Cache-Control", "no-cache");
-        res.setHeader("Content-Security-Policy", buildCspHeader(wsPort));
+        if (!shouldSetAuthCookie) res.setHeader("Cache-Control", "no-cache");
+        res.setHeader(
+          "Content-Security-Policy",
+          buildCspHeader(wsPort, requestHostForCsp(req.headers.host), opts.publicWsUrl)
+        );
         const html = await fs.readFile(resolvedPath, "utf8");
         res.writeHead(200);
-        res.end(injectWsPort(html, wsPort));
+        res.end(injectWsConfig(html, { wsPort, publicWsUrl: opts.publicWsUrl }));
         return;
       }
       const fileContent = await fs.readFile(resolvedPath);
@@ -1466,9 +1546,13 @@ function createHttpServer(opts) {
             "X-Content-Type-Options": "nosniff",
             "X-Frame-Options": "DENY",
             "Referrer-Policy": "strict-origin-when-cross-origin",
-            "Content-Security-Policy": buildCspHeader(wsPort)
+            "Content-Security-Policy": buildCspHeader(
+              wsPort,
+              requestHostForCsp(req.headers.host),
+              opts.publicWsUrl
+            )
           });
-          res.end(injectWsPort(html, wsPort));
+          res.end(injectWsConfig(html, { wsPort, publicWsUrl: opts.publicWsUrl }));
         } catch {
           res.writeHead(404);
           res.end("Not found");
@@ -1700,6 +1784,37 @@ function errMessage(err) {
 function generateAuthToken() {
   return randomBytes(16).toString("hex");
 }
+function resolveAuthToken(explicit) {
+  const configured = explicit?.trim() || process.env["WEBUI_TOKEN"]?.trim() || process.env["WEBUI_AUTH_TOKEN"]?.trim();
+  return configured || generateAuthToken();
+}
+function hostForBrowserUrl(bindHost) {
+  if (bindHost === "0.0.0.0") return "127.0.0.1";
+  if (bindHost === "::" || bindHost === "[::]") return "[::1]";
+  if (bindHost.includes(":") && !bindHost.startsWith("[")) return `[${bindHost}]`;
+  return bindHost;
+}
+function buildWebUIAccessUrl(opts) {
+  const protocol = opts.protocol ?? "http";
+  const base = opts.publicUrl?.trim() || `${protocol}://${hostForBrowserUrl(opts.host)}:${opts.port}`;
+  if (!opts.token) return base;
+  try {
+    const url = new URL(base);
+    url.searchParams.set("token", opts.token);
+    const rendered = url.toString();
+    const afterOrigin = base.slice(url.origin.length);
+    if (url.pathname === "/" && !afterOrigin.startsWith("/")) {
+      return `${url.origin}${url.search}${url.hash}`;
+    }
+    return rendered;
+  } catch {
+    return `${base}${base.includes("?") ? "&" : "?"}token=${encodeURIComponent(opts.token)}`;
+  }
+}
+function envFlag(name2) {
+  const value = process.env[name2]?.trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes" || value === "on";
+}
 
 // src/server/file-handlers.ts
 async function resolveFileInsideProject(projectRoot, filePath) {
@@ -3031,6 +3146,13 @@ import {
   PhaseStore,
   WorktreeManager
 } from "@wrongstack/core";
+function deriveTitle(goal) {
+  const firstLine = goal.split("\n").map((l) => l.trim()).find(Boolean);
+  if (!firstLine) return "AutoPhase";
+  const sentence = firstLine.split(/(?<=[.!?])\s/)[0] ?? firstLine;
+  const trimmed = sentence.length <= 64 ? sentence : `${sentence.slice(0, 63).trimEnd()}\u2026`;
+  return trimmed || "AutoPhase";
+}
 function isGitRepo(cwd) {
   try {
     const r = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], { cwd, encoding: "utf8", windowsHide: true });
@@ -3039,6 +3161,19 @@ function isGitRepo(cwd) {
     return false;
   }
 }
+function commitsSince(cwd, baseSha, branch) {
+  try {
+    const r = spawnSync("git", ["log", "--reverse", "--format=%H", `${baseSha}..${branch}`], {
+      cwd,
+      encoding: "utf8",
+      windowsHide: true
+    });
+    if (r.status !== 0) return [];
+    return r.stdout.split("\n").map((s) => s.trim()).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
 var AutoPhaseWebSocketHandler = class {
   constructor(agent, context, logger, storeDir, events, projectRoot) {
     this.agent = agent;
@@ -3058,10 +3193,17 @@ var AutoPhaseWebSocketHandler = class {
   store;
   clients = /* @__PURE__ */ new Set();
   broadcastInterval = null;
-  /** Aborts in-flight task agents when the run is stopped. */
+  /** Aborts in-flight task agents AND the planning turn when the run is stopped. */
   abort = null;
+  /** Set the instant a stop/clear/revert is requested, so a planning turn that
+   *  resolves afterwards never launches the orchestrator (the abort alone can't
+   *  cover the window between the LLM call resolving and the orchestrator start). */
+  stopping = false;
   /** Optional per-phase git-worktree isolation (lazily created at start). */
   worktrees = null;
+  /** Base branch + tip SHA captured at run start so a revert can git-revert the
+   *  run's squash commits (history-preserving) instead of a destructive reset. */
+  runBase = null;
   /** Per-run worker identities so the board can show "who is on what". */
   usedNicknames = /* @__PURE__ */ new Set();
   addClient(ws) {
@@ -3085,11 +3227,13 @@ var AutoPhaseWebSocketHandler = class {
         this.broadcast({ type: "autophase.resumed", payload: {} });
         break;
       case "autophase.stop":
-        this.abort?.abort();
-        this.orchestrator?.stop();
-        this.stopBroadcast();
-        if (this.graph) void this.store.save(this.graph);
-        this.broadcast({ type: "autophase.stopped", payload: {} });
+        await this.handleStop();
+        break;
+      case "autophase.clear":
+        await this.handleClear();
+        break;
+      case "autophase.revert":
+        await this.handleRevert();
         break;
       case "autophase.status":
         this.broadcastState();
@@ -3166,17 +3310,27 @@ var AutoPhaseWebSocketHandler = class {
     }
   }
   async handleStart(payload) {
-    const title = payload?.goal || payload?.title || "Untitled Project";
+    const goal = payload?.goal || payload?.title || "Untitled Project";
+    const title = deriveTitle(goal);
     const autonomous = payload?.autonomous ?? true;
-    const phases = Array.isArray(payload?.phases) ? payload.phases : await this.planPhases(title);
+    this.abort = new AbortController();
+    this.stopping = false;
+    const phases = Array.isArray(payload?.phases) ? payload.phases : await this.planPhases(goal, this.abort.signal);
+    if (this.stopping || this.abort.signal.aborted) {
+      this.broadcast({ type: "autophase.stopped", payload: { title } });
+      return;
+    }
     this.logger.info(`[AutoPhase] Starting: ${title}`);
-    const graph = await new PhaseGraphBuilder({ title, phases, autonomous }).build();
+    const graph = await new PhaseGraphBuilder({ title, description: goal, phases, autonomous }).build();
     this.graph = graph;
-    this.abort = new AbortController();
     await this.store.save(graph);
-    if (!this.worktrees && this.events && this.projectRoot && process.env["WRONGSTACK_AUTOPHASE_WORKTREES"] !== "0" && isGitRepo(this.projectRoot)) {
+    const useWorktrees = payload?.worktrees ?? process.env["WRONGSTACK_AUTOPHASE_WORKTREES"] !== "0";
+    if (!this.worktrees && this.events && this.projectRoot && useWorktrees && isGitRepo(this.projectRoot)) {
       this.worktrees = new WorktreeManager({ projectRoot: this.projectRoot, events: this.events });
     }
+    if (this.worktrees) {
+      this.runBase = await this.worktrees.currentBase();
+    }
     this.orchestrator = new PhaseOrchestrator({
       graph,
       ctx: {
@@ -3223,6 +3377,62 @@ var AutoPhaseWebSocketHandler = class {
       this.broadcast({ type: "autophase.failed", payload: { title, error: String(err) } });
     });
   }
+  /**
+   * Halt the run NOW — at any phase. Sets `stopping` (so a planning turn that
+   * resolves afterwards bails), aborts in-flight agents, stops the orchestrator
+   * tick, and ends the live broadcast. The board is kept for review; use
+   * `autophase.clear` to reset or `autophase.revert` to undo the changes.
+   */
+  async handleStop() {
+    this.stopping = true;
+    this.abort?.abort();
+    this.orchestrator?.stop();
+    this.stopBroadcast();
+    if (this.graph) await this.store.save(this.graph).catch(() => void 0);
+    this.broadcast({ type: "autophase.stopped", payload: { title: this.graph?.title } });
+  }
+  /**
+   * Stop + wipe: tear down phase worktrees and reset to an empty board so the UI
+   * returns to the start screen ("new one"). Does NOT touch already-merged commits
+   * on the base branch — that is `autophase.revert`.
+   */
+  async handleClear() {
+    await this.handleStop();
+    if (this.worktrees) await this.worktrees.cleanupAllManaged().catch(() => void 0);
+    this.orchestrator = null;
+    this.graph = null;
+    this.runBase = null;
+    this.usedNicknames.clear();
+    this.broadcast({ type: "autophase.cleared", payload: {} });
+    this.broadcast({ type: "autophase.state", payload: this.buildState() });
+  }
+  /**
+   * Stop + undo: remove phase worktrees, then history-preservingly `git revert`
+   * every commit this run landed on the base branch (captured `runBase`..HEAD),
+   * then reset to an empty board. Refuses (reports a reason) on a dirty tree or a
+   * conflicting revert rather than leaving the tree half-reverted.
+   */
+  async handleRevert() {
+    await this.handleStop();
+    if (!this.worktrees || !this.runBase || !this.projectRoot) {
+      this.broadcast({
+        type: "autophase.reverted",
+        payload: { ok: false, reverted: 0, reason: "no git baseline was captured for this run" }
+      });
+      return;
+    }
+    await this.worktrees.cleanupAllManaged().catch(() => void 0);
+    const shas = commitsSince(this.projectRoot, this.runBase.sha, this.runBase.branch);
+    const res = await this.worktrees.revertCommits(this.runBase.branch, shas);
+    this.broadcast({ type: "autophase.reverted", payload: res });
+    if (res.ok) {
+      this.orchestrator = null;
+      this.graph = null;
+      this.runBase = null;
+      this.broadcast({ type: "autophase.cleared", payload: {} });
+      this.broadcast({ type: "autophase.state", payload: this.buildState() });
+    }
+  }
   /** Generic fallback phases when the LLM planner produces nothing usable. */
   defaultPhases() {
     return [
@@ -3233,13 +3443,18 @@ var AutoPhaseWebSocketHandler = class {
       { name: "Deployment", description: "Deploy to production", priority: "medium", estimateHours: 2, parallelizable: false }
     ];
   }
-  /** Plan phases+todos for the goal via the LLM; fall back to defaults on failure. */
-  async planPhases(goal) {
+  /** Plan phases+todos for the goal via the LLM; fall back to defaults on failure.
+   *  The caller passes the run's abort signal so a stop during planning cancels
+   *  the LLM turn (the previous fresh, never-aborted controller made planning
+   *  uninterruptible). */
+  async planPhases(goal, signal) {
     try {
       const planner = new AutoPhasePlanner({
         goal,
         runOnce: async (prompt) => {
-          const result = await this.agent.run(prompt, { signal: new AbortController().signal });
+          const result = await this.agent.run(prompt, {
+            signal: signal ?? new AbortController().signal
+          });
           return result.status === "done" ? result.finalText ?? "" : "";
         }
       });
@@ -3374,6 +3589,10 @@ Type: ${task.type}`;
     const lastError = lastFailed ? `${lastFailed.name}: ${lastFailed.metadata?.integrationError ?? "phase failed"}` : null;
     return {
       title: this.graph.title,
+      // Full operator prompt, shown verbatim in a dedicated goal block (the
+      // title is only a short derived heading). Fall back to the title for
+      // legacy boards saved before the title/goal split.
+      goal: this.graph.description || this.graph.title,
       phases: phaseItems,
       tasks: taskItems,
       activePhaseId: currentActiveId,
@@ -3684,6 +3903,12 @@ var SddBoardWebSocketHandler = class {
 };
 
 // src/server/sdd-wizard-ws-handler.ts
+function deriveTitle2(goal) {
+  const firstLine = goal.split("\n").map((l) => l.trim()).find(Boolean);
+  if (!firstLine) return "New SDD Project";
+  const sentence = firstLine.split(/(?<=[.!?])\s/)[0] ?? firstLine;
+  return sentence.length <= 64 ? sentence : `${sentence.slice(0, 63).trimEnd()}\u2026`;
+}
 var SddWizardWebSocketHandler = class {
   constructor(deps2) {
     this.deps = deps2;
@@ -3722,7 +3947,8 @@ var SddWizardWebSocketHandler = class {
             parallelSlots: msg.payload?.parallelSlots,
             defaultModel: msg.payload?.model,
             defaultProvider: msg.payload?.provider,
-            fallbackModels: Array.isArray(msg.payload?.fallbackModels) ? msg.payload?.fallbackModels : void 0
+            fallbackModels: Array.isArray(msg.payload?.fallbackModels) ? msg.payload?.fallbackModels : void 0,
+            worktrees: typeof msg.payload?.worktrees === "boolean" ? msg.payload.worktrees : void 0
           });
           break;
       }
@@ -3742,7 +3968,7 @@ var SddWizardWebSocketHandler = class {
     }
     if (this.busy) return;
     this.driver = this.deps.makeDriver();
-    const prompt = this.driver.start(goal);
+    const prompt = this.driver.start(deriveTitle2(goal), goal);
     await this.runTurn(prompt);
   }
   async onMessage(text) {
@@ -3827,6 +4053,7 @@ import {
   TaskGraphStore as TaskGraphStore2,
   WorktreeManager as WorktreeManager2
 } from "@wrongstack/core";
+var PLANNING_ONLY_GUARD = "SYSTEM: You are running a PLANNING-ONLY specification interview. Do NOT write, create, or edit any files, and do NOT run shell/terminal commands or use any code-editing tools \u2014 they are disabled here and any attempt will fail and waste the turn. Respond with TEXT ONLY: ask your question, or emit the requested spec / plan / task JSON. All code is written later, automatically, once the plan is approved and the multi-agent run starts.\n\n---\n\n";
 function buildSddWizardDeps(opts) {
   const registry = new SddRunRegistry();
   let isolatedSeq = 0;
@@ -3835,11 +4062,11 @@ function buildSddWizardDeps(opts) {
       id: `sdd-${name2.toLowerCase().replace(/\s+/g, "-")}-${isolatedSeq++}`,
       role: "executor",
       name: name2,
-      disabledTools: ["delegate"],
+      disabledTools: ["delegate", "write", "edit", "patch", "bash", "exec"],
       allowedCapabilities: ["fs.read", "net.outbound"]
     });
     try {
-      const res = await result.agent.run([{ type: "text", text: prompt }]);
+      const res = await result.agent.run([{ type: "text", text: PLANNING_ONLY_GUARD + prompt }]);
       return res.finalText ?? "";
     } finally {
       await result.dispose?.();
@@ -3852,14 +4079,15 @@ function buildSddWizardDeps(opts) {
       sessionPath: path7.join(opts.paths.projectDir, "sdd-wizard-session.json")
     }),
     runInterviewTurn: (prompt) => runIsolatedTurn(prompt, "Spec Architect"),
-    startRun: async (driver, { parallelSlots, defaultModel, defaultProvider, fallbackModels }) => {
+    startRun: async (driver, { parallelSlots, defaultModel, defaultProvider, fallbackModels, worktrees: useWorktrees }) => {
       const graph = driver.getGraph();
       const tracker = driver.getTracker();
       if (!graph || !tracker) {
         throw new Error("No task graph to run \u2014 finish the interview first.");
       }
+      const worktreesEnabled = useWorktrees ?? process.env["WRONGSTACK_SDD_WORKTREES"] !== "0";
       let worktrees;
-      if (process.env["WRONGSTACK_SDD_WORKTREES"] !== "0") {
+      if (worktreesEnabled) {
         const inGit = spawnSync2("git", ["rev-parse", "--is-inside-work-tree"], {
           cwd: opts.projectRoot,
           encoding: "utf8",
@@ -7768,8 +7996,11 @@ async function handleGoalGet(projectRoot, broadcast2) {
 async function startWebUI(opts = {}) {
   ensureSessionShell();
   const requestedWsPort = opts.wsPort ?? 3457;
-  const wsHost = opts.wsHost ?? "127.0.0.1";
-  const requestedHttpPort = Number.parseInt(process.env["PORT"] ?? "3456", 10);
+  const wsHost = opts.wsHost ?? process.env["WEBUI_HOST"] ?? process.env["WS_HOST"] ?? "127.0.0.1";
+  const requestedHttpPort = opts.httpPort ?? opts.webuiPort ?? opts.port ?? Number.parseInt(process.env["WEBUI_PORT"] ?? process.env["PORT"] ?? "3456", 10);
+  const publicUrl = opts.publicUrl ?? process.env["WEBUI_PUBLIC_URL"];
+  const publicWsUrl = opts.publicWsUrl ?? process.env["WEBUI_PUBLIC_WS_URL"];
+  const requireToken = opts.requireToken ?? envFlag("WEBUI_REQUIRE_TOKEN");
   const strictPort = process.env["WEBUI_STRICT_PORT"] === "1" || process.env["WEBUI_STRICT_PORT"] === "true";
   let wsPort = requestedWsPort;
   let httpPort = requestedHttpPort;
@@ -8564,8 +8795,16 @@ async function startWebUI(opts = {}) {
       contextMode: String(context.meta["contextWindowMode"] ?? DEFAULT_CONTEXT_WINDOW_MODE_ID2)
     };
   }
-  const wsToken = generateAuthToken();
-  console.log("[WebUI] WS auth token generated (redacted from logs)");
+  const wsToken = resolveAuthToken(opts.accessToken);
+  console.log("[WebUI] WS auth token ready");
+  const publicHostnames = [publicUrl, publicWsUrl].map((value) => {
+    if (!value) return void 0;
+    try {
+      return new URL(value).hostname;
+    } catch {
+      return void 0;
+    }
+  }).filter((value) => Boolean(value));
   const verifyClient2 = (info) => verifyClient({
     origin: info.origin,
     url: info.req.url ?? "",
@@ -8577,7 +8816,10 @@ async function startWebUI(opts = {}) {
     // exposure class.
     cookieHeader: info.req.headers.cookie,
     wsHost,
-    expectedToken: wsToken
+    expectedToken: wsToken,
+    requireToken,
+    allowedHostnames: publicHostnames,
+    allowBrowserUrlToken: Boolean(publicWsUrl)
   });
   const WS_MAX_PAYLOAD = 8 * 1024 * 1024;
   const wssPrimary = new WebSocketServer({
@@ -9517,8 +9759,10 @@ async function startWebUI(opts = {}) {
     host: wsHost,
     distDir: path16.resolve(import.meta.dirname, "../../dist"),
     wsPort,
+    publicWsUrl,
     globalRoot: wpaths.globalRoot,
     apiToken: wsToken,
+    requireToken,
     watcherMetrics,
     onFleetPing: () => {
       void fleetBroadcast?.();
@@ -9526,7 +9770,12 @@ async function startWebUI(opts = {}) {
   });
   const registryBaseDir = path16.dirname(globalConfigPath);
   httpServer.listen(httpPort, wsHost, () => {
-    const openUrl = `http://${wsHost}:${httpPort}`;
+    const openUrl = buildWebUIAccessUrl({
+      host: wsHost,
+      port: httpPort,
+      token: wsToken,
+      publicUrl
+    });
     console.log(`[WebUI] HTTP server running on ${openUrl}`);
     if (opts.open) openBrowser(openUrl);
     void registerInstance(
@@ -9538,7 +9787,7 @@ async function startWebUI(opts = {}) {
         projectRoot,
         projectName: path16.basename(projectRoot) || projectRoot,
         startedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        url: `http://${wsHost}:${httpPort}`
+        url: buildWebUIAccessUrl({ host: wsHost, port: httpPort, publicUrl })
       },
       registryBaseDir
     ).catch((err) => console.warn(JSON.stringify({
@@ -9580,7 +9829,55 @@ async function startWebUI(opts = {}) {
 
 // src/server/entry.ts
 var argv = process.argv.slice(2);
-if (argv.includes("--list") || argv.includes("-l") || argv[0] === "ls") {
+function readArg(names) {
+  for (let i = 0; i < argv.length; i++) {
+    const current = argv[i];
+    if (!current) continue;
+    for (const name2 of names) {
+      if (current === name2) {
+        const next = argv[i + 1];
+        if (!next || next.startsWith("-")) {
+          throw new Error(`${name2} requires a value`);
+        }
+        return next;
+      }
+      if (current.startsWith(`${name2}=`)) return current.slice(name2.length + 1);
+    }
+  }
+  return void 0;
+}
+function parsePort(value, fallback, label) {
+  if (value === void 0) return fallback;
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isInteger(parsed) || parsed <= 0 || parsed > 65535) {
+    throw new Error(`${label} must be a port between 1 and 65535`);
+  }
+  return parsed;
+}
+function envFlag2(name2) {
+  const value = process.env[name2]?.trim().toLowerCase();
+  return value === "1" || value === "true" || value === "yes" || value === "on";
+}
+function printHelp() {
+  console.log(`Usage: wstackui [options]
+
+Options:
+  --host <host>             Bind host/interface (default: 127.0.0.1)
+  --port <port>             HTTP frontend port (default: 3456)
+  --ws-port <port>          WebSocket backend port (default: 3457)
+  --token <token>           Fixed access token/password (default: random per process)
+  --public-url <url>        Browser-facing HTTP URL for tunnels/proxies
+  --public-ws-url <url>     Browser-facing ws:// or wss:// URL for tunnels/proxies
+  --require-token           Require token/password even on loopback binds
+  --open, -o                Open the browser after startup
+  --list, -l, ls            List running WebUI instances
+  --help, -h                Show this help
+`);
+}
+if (argv.includes("--help") || argv.includes("-h")) {
+  printHelp();
+  process.exit(0);
+} else if (argv.includes("--list") || argv.includes("-l") || argv[0] === "ls") {
   listInstances().then((instances) => {
     console.log(formatInstances(instances));
     process.exit(0);
@@ -9594,11 +9891,40 @@ if (argv.includes("--list") || argv.includes("-l") || argv[0] === "ls") {
     process.exit(1);
   });
 } else {
-  const wsPort = Number.parseInt(process.env["WS_PORT"] ?? "3457", 10);
-  const wsHost = process.env["WS_HOST"] ?? "127.0.0.1";
+  let wsPort;
+  let httpPort;
+  let wsHost;
+  let accessToken;
+  let publicUrl;
+  let publicWsUrl;
+  try {
+    wsHost = readArg(["--host"]) ?? process.env["WEBUI_HOST"] ?? process.env["WS_HOST"] ?? "127.0.0.1";
+    httpPort = parsePort(
+      readArg(["--port", "--http-port"]) ?? process.env["WEBUI_PORT"] ?? process.env["PORT"],
+      3456,
+      "--port"
+    );
+    wsPort = parsePort(readArg(["--ws-port"]) ?? process.env["WS_PORT"], 3457, "--ws-port");
+    accessToken = readArg(["--token", "--auth-token"]) ?? process.env["WEBUI_TOKEN"] ?? process.env["WEBUI_AUTH_TOKEN"];
+    publicUrl = readArg(["--public-url"]) ?? process.env["WEBUI_PUBLIC_URL"];
+    publicWsUrl = readArg(["--public-ws-url"]) ?? process.env["WEBUI_PUBLIC_WS_URL"];
+  } catch (err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  }
   const open = argv.includes("--open") || argv.includes("-o") || process.env["WEBUI_OPEN"] === "1";
-  console.log(`[WebUI] Starting standalone server on ${wsHost}:${wsPort}...`);
-  startWebUI({ wsPort, wsHost, open }).catch((err) => {
+  const requireToken = argv.includes("--require-token") || envFlag2("WEBUI_REQUIRE_TOKEN");
+  console.log(`[WebUI] Starting standalone server on ${wsHost} (http:${httpPort}, ws:${wsPort})...`);
+  startWebUI({
+    wsPort,
+    wsHost,
+    httpPort,
+    accessToken,
+    publicUrl,
+    publicWsUrl,
+    requireToken,
+    open
+  }).catch((err) => {
     console.error(JSON.stringify({
       level: "fatal",
       event: "webui.startup_failed",