create-walle 0.1.0

package/template/claude-task-manager/server.js

@@ -0,0 +1,2254 @@
+// Load .env file from project root (no dependencies)
+try {
+  const envPath = require('path').resolve(__dirname, '..', '.env');
+  require('fs').readFileSync(envPath, 'utf8').split('\n').forEach(line => {
+    const match = line.match(/^\s*([^#=]+?)\s*=\s*(.*?)\s*$/);
+    if (match && !process.env[match[1]]) process.env[match[1]] = match[2];
+  });
+} catch {}
+
+const http = require('http');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+const { WebSocketServer } = require('ws');
+const pty = require('node-pty');
+const dbModule = require('./db');
+const { handlePromptApi, queueEngine, importPermissionsToDb } = require('./api-prompts');
+const harvest = require('./prompt-harvest');
+const approvalAgent = require('./approval-agent');
+const { handleReviewApi, checkForChanges } = require('./api-reviews');
+const { sessions } = require('./server-state');
+
+// WALL-E API now served directly by the WALL-E process (port 3457)
+// Frontend connects to it via CORS. Keep proxy as fallback for environments where WALL-E isn't running separately.
+let handleWalleApi;
+try { handleWalleApi = require('../wall-e/api-walle').handleWalleApi; } catch {}
+
+// --- Config ---
+const CONFIG_DIR = process.env.CTM_DATA_DIR || path.join(process.env.HOME, '.walle', 'data');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const PORT = parseInt(process.env.CTM_PORT || '3456', 10);
+const HOST = process.env.CTM_HOST || '127.0.0.1';
+
+function loadConfig() {
+  if (!fs.existsSync(CONFIG_DIR)) fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  if (fs.existsSync(CONFIG_FILE)) {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
+  }
+  const config = { token: crypto.randomBytes(32).toString('hex') };
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+  fs.chmodSync(CONFIG_FILE, 0o600);
+  return config;
+}
+
+const config = loadConfig();
+
+// --- Initialize SQLite Database ---
+dbModule.initDb();
+dbModule.startDailyBackup();
+queueEngine.init();
+importPermissionsToDb();
+migrateAnalysisCacheToDb();
+
+// Lifecycle: incremental harvest + refresh on startup (async, non-blocking)
+setTimeout(() => harvest.runIncrementalLifecycleRefresh(), 3000);
+// Lifecycle: refresh every 10 minutes
+setInterval(() => harvest.runIncrementalLifecycleRefresh(), 10 * 60 * 1000);
+// Permissions: scrub invalid rules every 5 minutes (Claude Code can write bad patterns)
+setInterval(() => { try { importPermissionsToDb(); } catch {} }, 5 * 60 * 1000);
+
+// --- HTTP Server ---
+const MIME_TYPES = {
+  '.html': 'text/html',
+  '.js': 'text/javascript',
+  '.css': 'text/css',
+  '.json': 'application/json',
+  '.png': 'image/png',
+  '.svg': 'image/svg+xml',
+  '.ico': 'image/x-icon',
+  '.webmanifest': 'application/manifest+json',
+};
+
+function getTokenFromCookie(req) {
+  const cookie = req.headers.cookie || '';
+  const match = cookie.match(/(?:^|;\s*)ctm_token=([^;]+)/);
+  return match ? match[1] : null;
+}
+
+function getAuthToken(req, url) {
+  return url.searchParams.get('token')
+    || req.headers.authorization?.replace('Bearer ', '')
+    || getTokenFromCookie(req);
+}
+
+function isLocalhost(req) {
+  const addr = req.socket?.remoteAddress;
+  return addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1';
+}
+
+const server = http.createServer((req, res) => {
+  const url = new URL(req.url, `http://${req.headers.host}`);
+
+  // If token is in URL query param for a page request, set cookie and redirect to clean URL
+  if (!url.pathname.startsWith('/api/') && url.searchParams.get('token')) {
+    const token = url.searchParams.get('token');
+    if (token === config.token) {
+      url.searchParams.delete('token');
+      const cleanUrl = url.pathname + (url.search || '') + (url.hash || '');
+      res.writeHead(302, {
+        'Location': cleanUrl,
+        'Set-Cookie': `ctm_token=${token}; HttpOnly; SameSite=Strict; Path=/; Max-Age=31536000`,
+      });
+      res.end();
+      return;
+    }
+  }
+
+  // API routes
+  if (url.pathname.startsWith('/api/')) {
+    if (!isLocalhost(req)) {
+      const authToken = getAuthToken(req, url);
+      if (authToken !== config.token) {
+        res.writeHead(401, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Unauthorized' }));
+        return;
+      }
+    }
+    // Wrap response to broadcast data-changed on successful mutations
+    if (['POST', 'PUT', 'DELETE'].includes(req.method)) {
+      const origEnd = res.end.bind(res);
+      res.end = function(data) {
+        origEnd(data);
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          // Extract resource type from URL path
+          const resource = url.pathname.replace(/^\/api\//, '').split('/')[0];
+          broadcastDataChanged(resource, req.method);
+        }
+      };
+    }
+    // Try prompt editor API routes first
+    const handled = handlePromptApi(req, res, url);
+    if (handled !== false) return;
+    // Try review API routes
+    const reviewHandled = handleReviewApi(req, res, url);
+    if (reviewHandled !== false) return;
+    // Try WALL-E API routes
+    if (handleWalleApi) {
+      const walleHandled = handleWalleApi(req, res, url);
+      if (walleHandled !== false) return;
+    }
+    handleApi(req, res, url);
+    return;
+  }
+
+  // Redirect to setup page on first run (no API key configured)
+  if (url.pathname === '/' && setup.needsSetup()) {
+    res.writeHead(302, { 'Location': '/setup.html' });
+    res.end();
+    return;
+  }
+
+  // Static files
+  let filePath = url.pathname === '/' ? '/index.html' : url.pathname;
+  const publicDir = path.join(__dirname, 'public');
+  filePath = path.resolve(publicDir, '.' + filePath);
+
+  // Prevent path traversal
+  if (!filePath.startsWith(publicDir)) {
+    res.writeHead(403);
+    res.end('Forbidden');
+    return;
+  }
+
+  const ext = path.extname(filePath);
+  const contentType = MIME_TYPES[ext] || 'application/octet-stream';
+
+  fs.readFile(filePath, (err, data) => {
+    if (err) {
+      res.writeHead(404);
+      res.end('Not Found');
+      return;
+    }
+    res.writeHead(200, {
+      'Content-Type': contentType,
+      'Cache-Control': 'no-cache, no-store, must-revalidate',
+      'Pragma': 'no-cache',
+      'Expires': '0',
+    });
+    res.end(data);
+  });
+});
+
+// --- API Handlers ---
+function handleApi(req, res, url) {
+  // --- Setup API ---
+  if (url.pathname === '/api/setup/status' && req.method === 'GET') {
+    const envPath = path.resolve(__dirname, '..', '.env');
+    let hasApiKey = !!(process.env.ANTHROPIC_API_KEY || process.env.ANTHROPIC_BASE_URL);
+    let ownerName = process.env.WALLE_OWNER_NAME || '';
+    if (!hasApiKey) {
+      try {
+        const envContent = fs.readFileSync(envPath, 'utf8');
+        hasApiKey = /^ANTHROPIC_API_KEY=\S+/m.test(envContent);
+      } catch {}
+    }
+    let slackConnected = false;
+    try {
+      const tokPath = path.join(process.env.HOME, '.walle', 'data', 'oauth-tokens', 'slack.json');
+      slackConnected = fs.existsSync(tokPath);
+    } catch {}
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ owner_name: ownerName, has_api_key: hasApiKey, slack_connected: slackConnected, needs_setup: setup.needsSetup() }));
+    return;
+  }
+  if (url.pathname === '/api/setup/save' && req.method === 'POST') {
+    let body = '';
+    let bodyLen = 0;
+    req.on('data', c => {
+      bodyLen += c.length;
+      if (bodyLen > 8192) { req.destroy(); return; } // 8KB limit
+      body += c;
+    });
+    req.on('end', () => {
+      try {
+        const data = JSON.parse(body);
+        // Validate and sanitize inputs
+        const ownerName = typeof data.owner_name === 'string'
+          ? data.owner_name.replace(/[\r\n=]/g, '').trim().slice(0, 200)
+          : '';
+        const apiKey = typeof data.api_key === 'string'
+          ? data.api_key.replace(/[\r\n\s]/g, '').slice(0, 200)
+          : '';
+        if (apiKey && !/^sk-ant-/.test(apiKey)) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'API key must start with sk-ant-' }));
+          return;
+        }
+        const envPath = path.resolve(__dirname, '..', '.env');
+        const lines = [];
+        // Read existing .env or start fresh
+        try {
+          const existing = fs.readFileSync(envPath, 'utf8');
+          for (const line of existing.split('\n')) {
+            if (line.match(/^#?\s*ANTHROPIC_API_KEY=/) && apiKey) continue;
+            if (line.match(/^#?\s*WALLE_OWNER_NAME=/) && ownerName) continue;
+            lines.push(line);
+          }
+        } catch { lines.push('# Wall-E configuration'); lines.push(''); }
+        // Add values after the header comment
+        if (ownerName) {
+          const insertIdx = lines.findIndex(l => !l.startsWith('#') && l.trim() !== '') || lines.length;
+          lines.splice(insertIdx, 0, `WALLE_OWNER_NAME=${ownerName}`);
+          process.env.WALLE_OWNER_NAME = ownerName;
+        }
+        if (apiKey) {
+          lines.push(`ANTHROPIC_API_KEY=${apiKey}`);
+          process.env.ANTHROPIC_API_KEY = apiKey;
+        }
+        fs.writeFileSync(envPath, lines.join('\n') + '\n', { mode: 0o600 });
+        setup.clearSetupCache(); // so next / request goes to dashboard
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ok: true }));
+      } catch (e) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    });
+    return;
+  }
+
+  if (url.pathname === '/api/projects' && req.method === 'GET') {
+    return apiGetProjects(req, res);
+  }
+  if (url.pathname === '/api/rules' && req.method === 'GET') {
+    return apiGetRules(req, res, url);
+  }
+  if (url.pathname === '/api/rules' && req.method === 'PUT') {
+    return apiPutRules(req, res);
+  }
+  if (url.pathname === '/api/rules/list' && req.method === 'GET') {
+    return apiListRules(req, res);
+  }
+  if (url.pathname === '/api/recent-sessions' && req.method === 'GET') {
+    return apiRecentSessions(req, res, url);
+  }
+  if (url.pathname === '/api/session/messages' && req.method === 'GET') {
+    return apiSessionMessages(req, res, url);
+  }
+  if (url.pathname === '/api/session' && req.method === 'DELETE') {
+    return apiDeleteSession(req, res, url);
+  }
+  if (url.pathname === '/api/session/truncate' && req.method === 'POST') {
+    return apiTruncateSession(req, res, url);
+  }
+  if (url.pathname === '/api/sessions/clean-empty' && req.method === 'POST') {
+    return apiCleanEmptySessions(req, res);
+  }
+  if (url.pathname === '/api/sessions/ai-search' && req.method === 'POST') {
+    return apiAiSearch(req, res);
+  }
+  if (url.pathname === '/api/sessions/analyze' && req.method === 'POST') {
+    return apiAnalyzeSessions(req, res);
+  }
+  if (url.pathname === '/api/sessions/analysis' && req.method === 'GET') {
+    return apiGetAnalysis(req, res);
+  }
+  if (url.pathname === '/api/sessions/generate-titles' && req.method === 'POST') {
+    return apiGenerateTitles(req, res);
+  }
+  if (url.pathname === '/api/sessions/rename' && req.method === 'POST') {
+    return apiRenameSession(req, res);
+  }
+  // --- Service control endpoints ---
+  if (url.pathname === '/api/services/status' && req.method === 'GET') {
+    return apiServicesStatus(req, res);
+  }
+  if (url.pathname === '/api/restart/ctm' && req.method === 'POST') {
+    return apiRestartCtm(req, res);
+  }
+  if (url.pathname === '/api/restart/walle' && req.method === 'POST') {
+    return apiRestartWalle(req, res);
+  }
+  if (url.pathname === '/api/stop/walle' && req.method === 'POST') {
+    return apiStopWalle(req, res);
+  }
+  if (url.pathname === '/api/start/walle' && req.method === 'POST') {
+    return apiStartWalle(req, res);
+  }
+
+  res.writeHead(404, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ error: 'Not found' }));
+}
+
+function apiGetProjects(req, res) {
+  const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+  const projects = [];
+
+  if (fs.existsSync(claudeProjectsDir)) {
+    for (const entry of fs.readdirSync(claudeProjectsDir)) {
+      // Claude encodes paths by replacing / with -
+      const projectPath = entry.startsWith('-') ? entry.replace(/-/g, '/') : entry;
+      projects.push({
+        id: entry,
+        path: projectPath,
+        exists: fs.existsSync(projectPath),
+      });
+    }
+  }
+
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(projects));
+}
+
+function decodeProjectEntry(entry) {
+  // Claude encodes paths like /Users/alice/my-project as -Users-alice-my-project
+  // Naive replace(/-/g, '/') breaks paths with real hyphens (octo-cms -> octo/cms)
+  // Use backtracking: try '/' first, fall back to '-' when the final path doesn't exist
+  if (!entry.startsWith('-')) return entry;
+  const parts = entry.slice(1).split('-');
+  if (parts.length > 12) return '/' + parts.join('/'); // cap depth to avoid exponential backtracking
+  const memo = new Map();
+  function solve(idx, current) {
+    const key = `${idx}:${current}`;
+    if (memo.has(key)) return memo.get(key);
+    let result;
+    if (idx >= parts.length) { result = fs.existsSync(current) ? current : null; }
+    else {
+      result = solve(idx + 1, current + '/' + parts[idx]);
+      if (!result) result = solve(idx + 1, current + '-' + parts[idx]);
+    }
+    memo.set(key, result);
+    return result;
+  }
+  return solve(1, '/' + parts[0]) || '/' + parts.join('/'); // fallback to naive
+}
+
+function apiListRules(req, res) {
+  const rules = [];
+  const home = process.env.HOME;
+  const globalRules = path.join(home, '.claude', 'CLAUDE.md');
+  rules.push({
+    type: 'global', path: globalRules,
+    label: '~/.claude/CLAUDE.md',
+    exists: fs.existsSync(globalRules),
+    project: 'Global',
+  });
+
+  // Scan projects for CLAUDE.md files
+  const claudeProjectsDir = path.join(home, '.claude', 'projects');
+  if (fs.existsSync(claudeProjectsDir)) {
+    for (const entry of fs.readdirSync(claudeProjectsDir)) {
+      const entryDir = path.join(claudeProjectsDir, entry);
+      if (!fs.statSync(entryDir).isDirectory()) continue;
+      const projectPath = decodeProjectEntry(entry);
+      const projectExists = fs.existsSync(projectPath);
+      const shortPath = projectPath.replace(home, '~');
+      const projectName = path.basename(projectPath);
+
+      // Skip orphaned projects where the decoded path doesn't exist on disk
+      if (!projectExists) continue;
+
+      // User rules: ~/.claude/projects/<entry>/CLAUDE.md
+      const userRules = path.join(entryDir, 'CLAUDE.md');
+      rules.push({
+        type: 'project-user', path: userRules,
+        label: `.claude/projects/.../CLAUDE.md`,
+        exists: fs.existsSync(userRules),
+        project: projectName, projectPath: shortPath,
+      });
+
+      // Project root: <projectPath>/CLAUDE.md
+      const rootRules = path.join(projectPath, 'CLAUDE.md');
+      if (fs.existsSync(rootRules)) {
+        rules.push({
+          type: 'project-root', path: rootRules,
+          label: `CLAUDE.md`,
+          exists: true,
+          project: projectName, projectPath: shortPath,
+        });
+      }
+
+      // Project .claude: <projectPath>/.claude/CLAUDE.md
+      const dotRules = path.join(projectPath, '.claude', 'CLAUDE.md');
+      if (fs.existsSync(dotRules)) {
+        rules.push({
+          type: 'project-dot', path: dotRules,
+          label: `.claude/CLAUDE.md`,
+          exists: true,
+          project: projectName, projectPath: shortPath,
+        });
+      }
+    }
+  }
+
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(rules));
+}
+
+function isValidRulesPath(filePath) {
+  if (!filePath || path.basename(filePath) !== 'CLAUDE.md') return false;
+  const resolved = path.resolve(filePath);
+  const home = process.env.HOME;
+  // Only allow paths under home directory
+  if (!resolved.startsWith(home + '/') && resolved !== home) return false;
+  return true;
+}
+
+function apiGetRules(req, res, url) {
+  const filePath = url.searchParams.get('path');
+  if (!isValidRulesPath(filePath)) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Invalid path' }));
+    return;
+  }
+  let content = '';
+  if (fs.existsSync(filePath)) {
+    content = fs.readFileSync(filePath, 'utf8');
+  }
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ path: filePath, content }));
+}
+
+function apiPutRules(req, res) {
+  let body = '';
+  req.on('data', chunk => { body += chunk; if (body.length > 1024 * 1024) { req.destroy(); return; } });
+  req.on('end', () => {
+    try {
+      const { path: filePath, content } = JSON.parse(body);
+      if (!isValidRulesPath(filePath)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid path' }));
+        return;
+      }
+      const dir = path.dirname(filePath);
+      if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      fs.writeFileSync(filePath, content);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ ok: true }));
+    } catch (e) {
+      res.writeHead(400, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: e.message }));
+    }
+  });
+}
+
+// Helper: detect sessions spawned by CTM itself (title generation, analysis, etc.)
+const CTM_PROMPT_PATTERNS = [
+  /^Generate short, descriptive titles/,
+  /^Analyze these Claude Code sessions/,
+  /^Analyze this Claude Code session history/,
+  /^You are summarizing a group of prompts/,
+  /^Session categorization with JSON output/,
+  /^Batch (?:generate |session )?title/i,
+  /^Return ONLY a JSON/,
+];
+
+function isCtmInternalSession(firstMessage) {
+  if (!firstMessage) return false;
+  return CTM_PROMPT_PATTERNS.some(re => re.test(firstMessage));
+}
+
+// Helper: parse a session JSONL file for metadata
+function parseSessionFile(filePath, projectPath, projectEntry) {
+  const fileStat = fs.statSync(filePath);
+  const modifiedAt = fileStat.mtime.toISOString();
+  const sessionId = path.basename(filePath).replace(/\.jsonl(\.bak)?$/, '');
+
+  // Read first 128KB to get session info (file-history-snapshots can be huge)
+  // Also read last 32KB for more recent messages
+  const fd = fs.openSync(filePath, 'r');
+  const headSize = Math.min(fileStat.size, 131072);
+  const headBuf = Buffer.alloc(headSize);
+  fs.readSync(fd, headBuf, 0, headSize, 0);
+  let chunk = headBuf.toString('utf8');
+
+  // Also read tail if file is larger than head buffer
+  if (fileStat.size > headSize) {
+    const tailSize = Math.min(32768, fileStat.size - headSize);
+    const tailBuf = Buffer.alloc(tailSize);
+    fs.readSync(fd, tailBuf, 0, tailSize, fileStat.size - tailSize);
+    chunk += '\n' + tailBuf.toString('utf8');
+  }
+  fs.closeSync(fd);
+
+  const lines = chunk.split('\n').filter(Boolean);
+
+  let firstUserMessage = '';
+  let sessionCwd = projectPath;
+  let timestamp = modifiedAt;
+  let version = '';
+  let gitBranch = '';
+  let userMsgCount = 0;
+  let allUserMessages = [];
+
+  for (const line of lines) {
+    try {
+      const entry = JSON.parse(line);
+      if (entry.type === 'user' && entry.message?.role === 'user') {
+        const content = entry.message.content;
+        const text = typeof content === 'string'
+          ? content
+          : Array.isArray(content)
+            ? (content.find(c => c.type === 'text')?.text || '')
+            : '';
+        userMsgCount++;
+        const isArtifact = /^\[(?:Request interrupted|Tool use|Error|Retrying)/.test(text);
+        if (text && !isArtifact) allUserMessages.push(text.slice(0, 200));
+        if (!firstUserMessage && text && !isArtifact) {
+          firstUserMessage = text.slice(0, 200);
+          sessionCwd = entry.cwd || sessionCwd;
+          timestamp = entry.timestamp || timestamp;
+          version = entry.version || version;
+          gitBranch = entry.gitBranch || gitBranch;
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // Generate a title from the first message
+  let title = '';
+  if (firstUserMessage) {
+    // Take first line, strip markdown, truncate
+    title = firstUserMessage.split('\n')[0].replace(/^#+\s*/, '').replace(/[*_`]/g, '').trim();
+    if (title.length > 80) title = title.slice(0, 77) + '...';
+  }
+
+  // Estimate if "empty" — no user messages found
+  const isEmpty = userMsgCount === 0;
+
+  return {
+    sessionId,
+    project: projectPath,
+    projectEntry,
+    cwd: sessionCwd,
+    firstMessage: firstUserMessage,
+    title,
+    isEmpty,
+    userMsgCount,
+    modifiedAt,
+    timestamp,
+    version,
+    gitBranch,
+    fileSize: fileStat.size,
+  };
+}
+
+// Helper: iterate all session files
+function getAllSessionFiles() {
+  const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+  const results = [];
+
+  if (!fs.existsSync(claudeProjectsDir)) return results;
+
+  for (const projectEntry of fs.readdirSync(claudeProjectsDir)) {
+    const projectDir = path.join(claudeProjectsDir, projectEntry);
+    let stat;
+    try { stat = fs.statSync(projectDir); } catch { continue; }
+    if (!stat.isDirectory()) continue;
+
+    const projectPath = decodeProjectEntry(projectEntry);
+    let files;
+    try { files = fs.readdirSync(projectDir); } catch { continue; }
+
+    const fileSet = new Set(files);
+    for (const file of files) {
+      if (!file.endsWith('.jsonl') && !file.endsWith('.jsonl.bak')) continue;
+      // Skip .jsonl.bak when the .jsonl version exists (Claude Code creates
+      // .bak on session migration/compaction — showing both causes duplicates)
+      if (file.endsWith('.jsonl.bak') && fileSet.has(file.replace(/\.bak$/, ''))) continue;
+      const filePath = path.join(projectDir, file);
+      // Extract session ID: strip .jsonl or .jsonl.bak
+      const sessionId = file.replace(/\.jsonl(\.bak)?$/, '');
+      results.push({ filePath, projectPath, projectEntry, sessionId });
+    }
+  }
+  return results;
+}
+
+function apiRecentSessions(req, res, url) {
+  const limit = parseInt(url.searchParams.get('limit') || '50', 10);
+  const recentSessions = [];
+
+  for (const { filePath, projectPath, projectEntry } of getAllSessionFiles()) {
+    try {
+      recentSessions.push(parseSessionFile(filePath, projectPath, projectEntry));
+    } catch { /* skip */ }
+  }
+
+  // Merge cached titles (AI or user-renamed)
+  const allTitles = dbModule.getAllSessionTitles();
+  for (const s of recentSessions) {
+    if (allTitles[s.sessionId]) {
+      s.aiTitle = allTitles[s.sessionId].title;
+      s.userRenamed = allTitles[s.sessionId].userRenamed;
+    }
+  }
+
+  recentSessions.sort((a, b) => new Date(b.modifiedAt) - new Date(a.modifiedAt));
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(recentSessions.slice(0, limit)));
+}
+
+// Session IDs are UUIDs; project entries are encoded paths (no slashes or ..)
+const SESSION_ID_RE = /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/;
+const PROJECT_ENTRY_RE = /^[a-zA-Z0-9._-]+$/;
+
+function apiSessionMessages(req, res, url) {
+  const sessionId = url.searchParams.get('id');
+  const projectEntry = url.searchParams.get('project');
+  if (!sessionId || !projectEntry) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Missing id or project' }));
+    return;
+  }
+  if (!SESSION_ID_RE.test(sessionId) || !PROJECT_ENTRY_RE.test(projectEntry)) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Invalid id or project format' }));
+    return;
+  }
+
+  const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+  const basePath = path.resolve(claudeProjectsDir, projectEntry, `${sessionId}.jsonl`);
+  if (!basePath.startsWith(claudeProjectsDir + '/')) {
+    res.writeHead(403, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Forbidden' }));
+    return;
+  }
+
+  // Try .jsonl first, then fall back to .jsonl.bak (original file when Claude converts session to directory format)
+  const filePath = fs.existsSync(basePath) ? basePath
+    : fs.existsSync(basePath + '.bak') ? basePath + '.bak'
+    : null;
+  if (!filePath) {
+    res.writeHead(404, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Session not found' }));
+    return;
+  }
+
+  const content = fs.readFileSync(filePath, 'utf8');
+  const lines = content.split('\n').filter(Boolean);
+  const messages = [];
+
+  for (const line of lines) {
+    try {
+      const entry = JSON.parse(line);
+      if (entry.type === 'user' && entry.message?.role === 'user') {
+        const c = entry.message.content;
+        let text = typeof c === 'string' ? c
+          : Array.isArray(c) ? c.filter(b => b.type === 'text').map(b => b.text).join('\n') : '';
+        if (!text) continue;
+        // Detect system/tool messages masquerading as user messages
+        const isToolResult = Array.isArray(c) && c.some(b => b.type === 'tool_result');
+        const isTaskNotification = text.includes('<task-notification>') || (text.includes('toolu_') && text.includes('.output'));
+        const isSystemReminder = text.includes('<system-reminder>') && !text.replace(/<system-reminder>[\s\S]*?<\/system-reminder>/g, '').trim();
+        if (isToolResult || isTaskNotification || isSystemReminder) {
+          messages.push({ role: 'system', text, timestamp: entry.timestamp });
+        } else {
+          // Strip system-reminder tags from real user messages
+          const cleaned = text.replace(/<system-reminder>[\s\S]*?<\/system-reminder>/g, '').trim();
+          messages.push({ role: 'user', text: cleaned || text, timestamp: entry.timestamp });
+        }
+      } else if (entry.type === 'assistant' && entry.message?.role === 'assistant') {
+        const c = entry.message.content;
+        if (!Array.isArray(c)) continue;
+        // Collect text and tool_use blocks
+        const parts = [];
+        for (const block of c) {
+          if (block.type === 'text' && block.text) {
+            parts.push(block.text);
+          } else if (block.type === 'tool_use') {
+            parts.push(`[Tool: ${block.name}]`);
+          }
+        }
+        if (parts.length > 0) {
+          // Deduplicate: assistant messages arrive incrementally, keep only the last one with same parentUuid
+          const lastMsg = messages[messages.length - 1];
+          if (lastMsg && lastMsg.role === 'assistant' && lastMsg._parent === entry.parentUuid) {
+            lastMsg.text = parts.join('\n');
+          } else {
+            messages.push({ role: 'assistant', text: parts.join('\n'), timestamp: entry.timestamp, _parent: entry.parentUuid });
+          }
+        }
+      } else if (entry.type === 'tool_result') {
+        // Skip tool results in the viewer for now — too noisy
+      }
+    } catch { /* skip */ }
+  }
+
+  // Clean internal fields
+  messages.forEach(m => delete m._parent);
+
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(messages));
+}
+
+function apiTruncateSession(req, res, url) {
+  let body = '';
+  req.on('data', chunk => { body += chunk; });
+  req.on('end', () => {
+    try {
+      const parsed = JSON.parse(body);
+      const { id, project } = parsed;
+      // Support both old afterMsgIndex (keep this msg + response) and new cutFromMsgIndex (remove this msg and after)
+      const cutFromMsgIndex = parsed.cutFromMsgIndex != null ? parsed.cutFromMsgIndex : null;
+      const afterMsgIndex = parsed.afterMsgIndex != null ? parsed.afterMsgIndex : null;
+      if (!id || !project || (cutFromMsgIndex == null && afterMsgIndex == null)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Missing id, project, or cutFromMsgIndex/afterMsgIndex' }));
+        return;
+      }
+      if (!SESSION_ID_RE.test(id) || !PROJECT_ENTRY_RE.test(project)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid id or project format' }));
+        return;
+      }
+
+      const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+      const basePath = path.resolve(claudeProjectsDir, project, `${id}.jsonl`);
+      if (!basePath.startsWith(claudeProjectsDir + '/')) {
+        res.writeHead(403, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Forbidden' }));
+        return;
+      }
+
+      const filePath = fs.existsSync(basePath) ? basePath
+        : fs.existsSync(basePath + '.bak') ? basePath + '.bak'
+        : null;
+      if (!filePath) {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Session not found' }));
+        return;
+      }
+
+      const content = fs.readFileSync(filePath, 'utf8');
+      const rawLines = content.split('\n');
+      const nonEmptyLines = []; // { lineIdx, entry }
+      for (let i = 0; i < rawLines.length; i++) {
+        if (!rawLines[i].trim()) continue;
+        try {
+          nonEmptyLines.push({ lineIdx: i, entry: JSON.parse(rawLines[i]) });
+        } catch { nonEmptyLines.push({ lineIdx: i, entry: null }); }
+      }
+
+      // Walk through the same message-building logic as apiSessionMessages
+      // to find the rendered message index -> JSONL line mapping.
+      // IMPORTANT: deduplication must match frontend exactly — only check the
+      // LAST counted message's parentUuid, not all previous assistant messages.
+      const targetMsgIndex = cutFromMsgIndex != null ? cutFromMsgIndex : afterMsgIndex;
+      let msgIdx = -1;
+      let targetLineIdx = -1; // JSONL line index of the target message
+      let cutAfterLineIdx = -1;    // We'll cut after this JSONL line
+      let lastAssistantParent = null; // Track last assistant parentUuid for dedup (must match frontend)
+
+      for (let j = 0; j < nonEmptyLines.length; j++) {
+        const { lineIdx, entry } = nonEmptyLines[j];
+        if (!entry) continue;
+
+        if (entry.type === 'user' && entry.message?.role === 'user') {
+          const c = entry.message.content;
+          let text = typeof c === 'string' ? c
+            : Array.isArray(c) ? c.filter(b => b.type === 'text').map(b => b.text).join('\n') : '';
+          if (!text) continue;
+          lastAssistantParent = null; // Reset — user message breaks assistant dedup chain
+          msgIdx++;
+          if (msgIdx === targetMsgIndex) {
+            targetLineIdx = lineIdx;
+          }
+        } else if (entry.type === 'assistant' && entry.message?.role === 'assistant') {
+          const c = entry.message.content;
+          if (!Array.isArray(c)) continue;
+          const parts = [];
+          for (const block of c) {
+            if (block.type === 'text' && block.text) parts.push(block.text);
+            else if (block.type === 'tool_use') parts.push(`[Tool: ${block.name}]`);
+          }
+          if (parts.length === 0) continue;
+          // Match frontend dedup: only check if LAST counted message was same parentUuid
+          const isDuplicate = lastAssistantParent != null && lastAssistantParent === entry.parentUuid;
+          if (!isDuplicate) {
+            msgIdx++;
+          }
+          lastAssistantParent = entry.parentUuid;
+          if (msgIdx === targetMsgIndex) {
+            targetLineIdx = lineIdx;
+          }
+        } else if (entry.type === 'tool_result') {
+          continue;
+        }
+      }
+
+      if (targetLineIdx < 0) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Message index not found' }));
+        return;
+      }
+
+      if (cutFromMsgIndex != null) {
+        // cutFromMsgIndex: remove this message and everything after it.
+        // Cut right before the target message's JSONL line.
+        cutAfterLineIdx = targetLineIdx - 1;
+      } else {
+        // afterMsgIndex (legacy): keep this message + its response, remove the rest.
+        // Find the next user message after targetLineIdx and cut before it.
+        cutAfterLineIdx = rawLines.length - 1;
+        for (let j = 0; j < nonEmptyLines.length; j++) {
+          const { lineIdx, entry } = nonEmptyLines[j];
+          if (lineIdx <= targetLineIdx) continue;
+          if (!entry) continue;
+          if (entry.type === 'user' && entry.message?.role === 'user') {
+            cutAfterLineIdx = lineIdx - 1;
+            break;
+          }
+        }
+      }
+
+      // Keep lines 0..cutAfterLineIdx
+      const keptLines = rawLines.slice(0, cutAfterLineIdx + 1);
+      const removedCount = rawLines.filter(l => l.trim()).length - keptLines.filter(l => l.trim()).length;
+
+      // Backup original file
+      const backupPath = filePath + '.truncate-backup.' + Date.now();
+      fs.copyFileSync(filePath, backupPath);
+
+      // Write truncated content
+      fs.writeFileSync(filePath, keptLines.join('\n') + '\n');
+
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        ok: true,
+        keptLines: keptLines.filter(l => l.trim()).length,
+        removedLines: removedCount,
+        backup: backupPath
+      }));
+    } catch (e) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: e.message }));
+    }
+  });
+}
+
+function apiDeleteSession(req, res, url) {
+  const sessionId = url.searchParams.get('id');
+  const projectEntry = url.searchParams.get('project');
+  if (!sessionId || !projectEntry) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Missing id or project' }));
+    return;
+  }
+  if (!SESSION_ID_RE.test(sessionId) || !PROJECT_ENTRY_RE.test(projectEntry)) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Invalid id or project format' }));
+    return;
+  }
+
+  const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+  const sessionFile = path.resolve(claudeProjectsDir, projectEntry, `${sessionId}.jsonl`);
+  const sessionDir = path.resolve(claudeProjectsDir, projectEntry, sessionId);
+  if (!sessionFile.startsWith(claudeProjectsDir + '/') || !sessionDir.startsWith(claudeProjectsDir + '/')) {
+    res.writeHead(403, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Forbidden' }));
+    return;
+  }
+
+  let deleted = false;
+  if (fs.existsSync(sessionFile)) {
+    fs.unlinkSync(sessionFile);
+    deleted = true;
+  }
+  // Also remove companion directory if it exists
+  if (fs.existsSync(sessionDir)) {
+    fs.rmSync(sessionDir, { recursive: true, force: true });
+  }
+
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ ok: true, deleted }));
+}
+
+function apiCleanEmptySessions(req, res) {
+  const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+  let cleaned = 0;
+
+  for (const { filePath, projectPath, projectEntry } of getAllSessionFiles()) {
+    try {
+      const session = parseSessionFile(filePath, projectPath, projectEntry);
+      if (session.isEmpty) {
+        fs.unlinkSync(filePath);
+        // Remove companion directory
+        const dirPath = filePath.replace('.jsonl', '');
+        if (fs.existsSync(dirPath) && fs.statSync(dirPath).isDirectory()) {
+          fs.rmSync(dirPath, { recursive: true, force: true });
+        }
+        cleaned++;
+      }
+    } catch { /* skip */ }
+  }
+
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ ok: true, cleaned }));
+}
+
+function apiAiSearch(req, res) {
+  let body = '';
+  req.on('data', chunk => { body += chunk; if (body.length > 1024 * 1024) { req.destroy(); return; } });
+  req.on('end', () => {
+    try {
+      const { query } = JSON.parse(body);
+      if (!query) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Missing query' }));
+        return;
+      }
+
+      // Collect all session summaries for Claude to search
+      const allSessions = [];
+      for (const { filePath, projectPath, projectEntry } of getAllSessionFiles()) {
+        try {
+          allSessions.push(parseSessionFile(filePath, projectPath, projectEntry));
+        } catch { /* skip */ }
+      }
+      allSessions.sort((a, b) => new Date(b.modifiedAt) - new Date(a.modifiedAt));
+
+      // Build a summary for Claude to search through
+      const summaryText = allSessions.slice(0, 200).map((s, i) =>
+        `[${i}] ${s.sessionId} | ${s.project} | ${s.gitBranch || '-'} | ${s.modifiedAt} | ${s.title || s.firstMessage || '(empty)'}`
+      ).join('\n');
+
+      const { execSync } = require('child_process');
+      const prompt = `You are searching through Claude Code session history. Given the user's search query and the list of sessions below, return ONLY a JSON array of session indices (numbers) that match the query, ranked by relevance. Return [] if nothing matches. No explanation, just the JSON array.
+
+Query: "${query}"
+
+Sessions:
+${summaryText}`;
+
+      const env = { ...process.env };
+      delete env.CLAUDECODE;
+      let result;
+      result = require('child_process').spawnSync('claude', ['-p', prompt], {
+        encoding: 'utf8',
+        timeout: 30000,
+        env,
+        maxBuffer: 1024 * 1024,
+      });
+      if (result.error) throw result.error;
+      result = (result.stdout || '').trim();
+
+      // Parse the indices
+      const match = result.match(/\[[\d,\s]*\]/);
+      const indices = match ? JSON.parse(match[0]) : [];
+      const matched = indices.map(i => allSessions[i]).filter(Boolean);
+
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(matched));
+    } catch (e) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: e.message }));
+    }
+  });
+}
+
+// --- Migrate analysis cache from JSON → SQLite (one-time) ---
+function migrateAnalysisCacheToDb() {
+  const ANALYSIS_CACHE_FILE = path.join(CONFIG_DIR, 'analysis-cache.json');
+  if (!fs.existsSync(ANALYSIS_CACHE_FILE)) return;
+  // Only migrate if DB is empty
+  if (dbModule.getSessionAnalysisCount() > 0) return;
+  try {
+    const cache = JSON.parse(fs.readFileSync(ANALYSIS_CACHE_FILE, 'utf8'));
+    let count = 0;
+    for (const [id, s] of Object.entries(cache.sessions || {})) {
+      dbModule.upsertSessionAnalysis({
+        session_id: id,
+        project: s.project || '',
+        title: s.title || '',
+        category: s.category || 'other',
+        topics: s.topics || [],
+        skills_used: s.skills_used || [],
+        complexity: s.complexity || '',
+        summary: s.summary || '',
+        pattern: s.pattern || '',
+        first_message: s.firstMessage || '',
+        session_modified_at: s.modifiedAt || '',
+        message_count: 0,
+      });
+      count++;
+    }
+    // Migrate grouping
+    if (cache.grouping) {
+      const g = cache.grouping;
+      if (g.groups) dbModule.replaceInsightGroups(g.groups.map(grp => ({
+        ...grp, is_internal: /session.?tit|session.?class|ctm|task.?manager/i.test(grp.name),
+      })));
+      if (g.skill_suggestions) dbModule.replaceInsightSkills(g.skill_suggestions.map(sk => ({
+        ...sk, is_internal: /session.?tit|session.?class|ctm|task.?manager/i.test(sk.name + ' ' + sk.title),
+      })));
+    }
+    // Rename old file so it's not re-migrated
+    fs.renameSync(ANALYSIS_CACHE_FILE, ANALYSIS_CACHE_FILE + '.migrated');
+    console.log(`  Migrated ${count} session analyses from JSON cache → SQLite`);
+  } catch (e) {
+    console.error('  Analysis cache migration error:', e.message);
+  }
+}
+
+// --- Session Analysis & Grouping (SQLite-backed) ---
+
+function callClaude(prompt) {
+  const { spawnSync } = require('child_process');
+  const env = { ...process.env };
+  delete env.CLAUDECODE;
+  delete env.CLAUDE_CODE;
+  delete env.CLAUDE_CODE_ENTRYPOINT;
+  delete env.CLAUDE_CODE_ENABLE_TELEMETRY;
+  const result = spawnSync('claude', ['-p', prompt], {
+    encoding: 'utf8', timeout: 60000, env, maxBuffer: 1024 * 1024,
+  });
+  if (result.error) throw result.error;
+  return (result.stdout || '').trim();
+}
+
+function callClaudeAsync(prompt) {
+  const { spawn } = require('child_process');
+  const env = { ...process.env };
+  // Remove all Claude Code env vars to avoid nested session detection
+  for (const key of Object.keys(env)) {
+    if (key.toLowerCase().includes('claude') || key.toLowerCase().includes('portkey')) delete env[key];
+  }
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const child = spawn('claude', ['-p', prompt], {
+      env, stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', d => { stdout += d; });
+    child.stderr.on('data', d => { stderr += d; });
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      child.kill('SIGKILL');
+      reject(new Error('Claude CLI timeout'));
+    }, 120000);
+    child.stdout.on('end', () => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      if (stderr && !stdout) reject(new Error(stderr.trim()));
+      else resolve(stdout.trim());
+    });
+    child.on('error', err => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      reject(err);
+    });
+  });
+}
+
+
+function apiRenameSession(req, res) {
+  let body = '';
+  req.on('data', chunk => { body += chunk; if (body.length > 1024 * 1024) { req.destroy(); return; } });
+  req.on('end', () => {
+    try {
+      const { sessionId, title } = JSON.parse(body);
+      if (!sessionId || !title) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'sessionId and title required' }));
+        return;
+      }
+      const trimmed = title.trim().slice(0, 120);
+      dbModule.setSessionTitle(sessionId, trimmed, true);
+
+      // Update in-memory session if active
+      const session = sessions.get(sessionId);
+      if (session) {
+        session.label = trimmed;
+        broadcastSessionList();
+      }
+
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ ok: true, title: trimmed }));
+    } catch (err) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: err.message }));
+    }
+  });
+}
+
+function apiGenerateTitles(req, res) {
+  let body = '';
+  req.on('data', chunk => { body += chunk; if (body.length > 1024 * 1024) { req.destroy(); return; } });
+  req.on('end', async () => {
+    try {
+      const { sessions } = JSON.parse(body);
+      if (!Array.isArray(sessions) || sessions.length === 0) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'sessions array required' }));
+        return;
+      }
+
+      // Filter to sessions that don't already have titles (or user-renamed), skip CTM-internal sessions
+      const existingTitles = dbModule.getAllSessionTitles();
+      const needTitles = sessions.filter(s => {
+        const existing = existingTitles[s.sessionId];
+        if (existing && (existing.userRenamed || existing.title)) return false;
+        return s.firstMessage && !isCtmInternalSession(s.firstMessage);
+      });
+
+      if (needTitles.length === 0) {
+        const flatTitles = {};
+        for (const [id, v] of Object.entries(existingTitles)) flatTitles[id] = v.title;
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ titles: flatTitles, generated: 0 }));
+        return;
+      }
+
+      // Batch up to 20 sessions at a time
+      const batch = needTitles.slice(0, 20);
+
+      // Strip resume/continuation boilerplate from first messages
+      function cleanFirstMessage(msg) {
+        if (!msg) return '';
+        return msg
+          .replace(/^This session is being continued from a previous conversation[^\n]*\n*/i, '')
+          .replace(/^Continue the conversation[^\n]*\n*/i, '')
+          .replace(/^Resume:?\s*/i, '')
+          .replace(/^Summary:?\s*\n?/i, '')
+          .replace(/^The summary below covers[^\n]*\n*/i, '')
+          .replace(/^\[(?:Request interrupted|Tool use|Error|Retrying)[^\]]*\]\s*/g, '')
+          .trim();
+      }
+
+      const prompt = `Generate short, descriptive titles (max 60 chars) for these Claude Code sessions.
+Each session has an ID and the user's first message. Create a title that summarizes what the user was working on.
+
+IMPORTANT: Do NOT prefix titles with "Resume:", "Continue:", "Fix:", or similar action verbs. Just describe the topic/task directly.
+Good: "Shopping cart checkout flow redesign"
+Bad: "Resume: Update checkout page logic"
+
+Sessions:
+${batch.map((s, i) => `${i + 1}. [${s.sessionId}] ${cleanFirstMessage(s.firstMessage).slice(0, 300)}`).join('\n')}
+
+Return ONLY a JSON array of objects with "id" and "title" fields. No markdown fences.`;
+
+      const result = await callClaudeAsync(prompt);
+      const match = result.match(/\[[\s\S]*\]/);
+      if (match) {
+        const titles = JSON.parse(match[0]);
+        for (const t of titles) {
+          if (t.id && t.title) {
+            dbModule.setSessionTitle(t.id, t.title, false);
+            existingTitles[t.id] = { title: t.title, userRenamed: false };
+          }
+        }
+      }
+
+      // Flatten to simple {id: title} for response
+      const flatTitles = {};
+      for (const [id, v] of Object.entries(existingTitles)) flatTitles[id] = v.title;
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ titles: flatTitles, generated: batch.length }));
+    } catch (err) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: err.message }));
+    }
+  });
+}
+
+function apiGetAnalysis(req, res) {
+  const url = new URL(req.url, `http://${req.headers.host}`);
+  const includeInternal = url.searchParams.get('includeInternal') === '1';
+  const data = dbModule.getInsightsData(includeInternal);
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(data));
+}
+
+// Analysis state — runs in background, broadcasts progress via WebSocket
+let analysisRunning = false;
+let analysisProgress = [];
+
+function broadcastAnalysisProgress(msg) {
+  analysisProgress.push(msg);
+  const payload = JSON.stringify({ type: 'analysis-progress', message: msg });
+  for (const client of wss.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+function broadcastAnalysisDone(data) {
+  const payload = JSON.stringify({ type: 'analysis-done', ...data });
+  for (const client of wss.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+function apiAnalyzeSessions(req, res) {
+  if (analysisRunning) {
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ ok: true, status: 'already-running', progress: analysisProgress }));
+    return;
+  }
+
+  analysisRunning = true;
+  analysisProgress = [];
+
+  // Respond immediately
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ ok: true, status: 'started' }));
+
+  // Run in background
+  setImmediate(() => runAnalysisBackground());
+}
+
+async function runAnalysisBackground() {
+  const runId = dbModule.startAnalysisRun();
+  let analyzedCount = 0;
+  let skippedCount = 0;
+
+  try {
+    const allFiles = getAllSessionFiles();
+
+    const sessionsToAnalyze = [];
+    const currentSessionIds = new Set();
+
+    for (const { filePath, projectPath, projectEntry } of allFiles) {
+      try {
+        const parsed = parseSessionFile(filePath, projectPath, projectEntry);
+        if (parsed.isEmpty) continue;
+
+        currentSessionIds.add(parsed.sessionId);
+        const existing = dbModule.getSessionAnalysis(parsed.sessionId);
+
+        if (existing && existing.session_modified_at === parsed.modifiedAt) {
+          skippedCount++;
+          continue;
+        }
+        sessionsToAnalyze.push(parsed);
+      } catch { /* skip */ }
+    }
+
+    // Remove stale analyses for sessions that no longer exist
+    const removed = dbModule.deleteStaleAnalyses([...currentSessionIds]);
+    if (removed > 0) broadcastAnalysisProgress(`Removed ${removed} stale session analyses.`);
+
+    broadcastAnalysisProgress(`Found ${sessionsToAnalyze.length} new/changed sessions to analyze (${currentSessionIds.size} total, ${skippedCount} cached)`);
+
+    // Analyze in batches
+    const BATCH_SIZE = 10;
+    for (let i = 0; i < sessionsToAnalyze.length; i += BATCH_SIZE) {
+      const batch = sessionsToAnalyze.slice(i, i + BATCH_SIZE);
+      broadcastAnalysisProgress(`Analyzing sessions ${i + 1}-${Math.min(i + BATCH_SIZE, sessionsToAnalyze.length)} of ${sessionsToAnalyze.length}...`);
+
+      const batchPrompt = `Analyze these Claude Code sessions. For each, provide a JSON object with:
+- "id": the session ID
+- "category": one of [coding, debugging, devops, data, design, research, config, communication, ctm-internal, other]
+- "topics": array of 2-4 specific topic tags
+- "skills_used": array of skills/tools used
+- "complexity": "simple" | "moderate" | "complex"
+- "summary": 1-sentence summary
+- "pattern": workflow pattern description
+- "is_internal": true if this session is about the Claude Task Manager tool itself (session titling, analysis, classification, CTM UI development), false otherwise
+
+Return ONLY a JSON array. No markdown, no explanation.
+
+Sessions:
+${batch.map(s => `---
+ID: ${s.sessionId}
+Project: ${s.project}
+Branch: ${s.gitBranch || '-'}
+First message: ${s.firstMessage || '(none)'}
+Messages: ${s.userMsgCount}
+Modified: ${s.modifiedAt}
+`).join('\n')}`;
+
+      try {
+        const result = await callClaudeAsync(batchPrompt);
+        const match = result.match(/\[[\s\S]*\]/);
+        if (match) {
+          const analyses = JSON.parse(match[0]);
+          for (const analysis of analyses) {
+            const orig = batch.find(s => s.sessionId === analysis.id);
+            if (orig) {
+              dbModule.upsertSessionAnalysis({
+                session_id: analysis.id,
+                project: orig.project,
+                title: orig.title || '',
+                category: analysis.is_internal ? 'ctm-internal' : (analysis.category || 'other'),
+                topics: analysis.topics,
+                skills_used: analysis.skills_used,
+                complexity: analysis.complexity,
+                summary: analysis.summary,
+                pattern: analysis.pattern,
+                first_message: orig.firstMessage || '',
+                session_modified_at: orig.modifiedAt,
+                message_count: orig.userMsgCount || 0,
+              });
+              analyzedCount++;
+            }
+          }
+        }
+      } catch (e) {
+        broadcastAnalysisProgress(`Warning: batch failed: ${e.message}`);
+      }
+    }
+
+    // Only regenerate grouping/skills/recommendations if new sessions were analyzed
+    if (analyzedCount === 0) {
+      broadcastAnalysisProgress(`No new sessions to analyze — skipping group/skill/recommendation regeneration.`);
+      dbModule.completeAnalysisRun(runId, { sessions_analyzed: analyzedCount, sessions_skipped: skippedCount, status: 'completed' });
+      broadcastAnalysisProgress('Analysis complete! (no changes)');
+      broadcastAnalysisDone(dbModule.getInsightsData(false));
+      return;
+    }
+
+    // Generate grouping, skills, and recommendations
+    const allAnalyses = dbModule.getAllSessionAnalyses();
+    broadcastAnalysisProgress(`Generating groups, skills, and recommendations from ${allAnalyses.length} sessions...`);
+
+    const groupPrompt = `Analyze this Claude Code session history. Identify patterns, suggest reusable skills, and give recommendations.
+
+Sessions:
+${allAnalyses.map(s => {
+  const topics = JSON.parse(s.topics || '[]');
+  return `- [${s.category}] ${s.summary || s.title || '?'} (topics: ${topics.join(', ')}; pattern: ${s.pattern || '?'}; project: ${s.project}; msgs: ${s.message_count || '?'})`;
+}).join('\n')}
+
+Return a JSON object with:
+1. "groups": [{name, description, session_ids (array of session IDs), count, category, is_internal (true if group is about CTM tool itself like session-titling/classification/analysis)}]
+2. "skill_suggestions": [{name (kebab-case), title, description, trigger, based_on, priority ("high"|"medium"|"low"), category, is_internal (true if skill is for CTM tool itself)}]
+3. "recommendations": [{type ("prompt-effectiveness"|"cost-saving"|"workflow"|"skill-gap"), title, description, evidence (object with supporting data), impact ("high"|"medium"|"low"), actionable (concrete suggestion string), category}]
+
+For recommendations, analyze:
+- Prompt effectiveness: sessions with high iteration counts vs low - what makes prompts succeed faster?
+- Cost saving: patterns that waste tokens (excessive exploration, vague initial prompts, repeated failures)
+- Workflow: repetitive manual tasks that could be automated with skills
+- Skill gaps: areas where skills/templates would save time
+
+Return ONLY JSON. No markdown fences.`;
+
+    try {
+      const result = await callClaudeAsync(groupPrompt);
+      const match = result.match(/\{[\s\S]*\}/);
+      if (match) {
+        const parsed = JSON.parse(match[0]);
+
+        if (parsed.groups) dbModule.replaceInsightGroups(parsed.groups);
+        if (parsed.skill_suggestions) dbModule.replaceInsightSkills(parsed.skill_suggestions);
+        if (parsed.recommendations) dbModule.replaceInsightRecommendations(parsed.recommendations);
+      }
+    } catch (e) {
+      broadcastAnalysisProgress(`Warning: grouping failed: ${e.message}`);
+    }
+
+    dbModule.completeAnalysisRun(runId, { sessions_analyzed: analyzedCount, sessions_skipped: skippedCount, status: 'completed' });
+    broadcastAnalysisProgress('Analysis complete!');
+    broadcastAnalysisDone(dbModule.getInsightsData(false));
+  } catch (e) {
+    broadcastAnalysisProgress(`Error: ${e.message}`);
+    dbModule.completeAnalysisRun(runId, { sessions_analyzed: analyzedCount, sessions_skipped: skippedCount, status: 'failed' });
+  } finally {
+    analysisRunning = false;
+  }
+}
+
+// --- WebSocket Server (Terminal) ---
+const wss = new WebSocketServer({ server });
+// sessions Map is imported from server-state.js (shared with api-prompts.js)
+
+wss.on('connection', (ws, req) => {
+  const url = new URL(req.url, `http://${req.headers.host}`);
+  const token = getAuthToken(req, url);
+
+  if (!isLocalhost(req) && token !== config.token) {
+    ws.close(4001, 'Unauthorized');
+    return;
+  }
+
+  ws.isAlive = true;
+  ws.on('pong', () => { ws.isAlive = true; });
+
+  ws.on('message', (raw) => {
+    let msg;
+    try { msg = JSON.parse(raw); } catch { return; }
+
+    switch (msg.type) {
+      case 'create': return handleCreate(ws, msg);
+      case 'attach': return handleAttach(ws, msg);
+      case 'input': return handleInput(ws, msg);
+      case 'resize': return handleResize(ws, msg);
+      case 'kill': return handleKill(ws, msg);
+      case 'rename': return handleRename(ws, msg);
+      case 'list': return handleList(ws);
+      case 'detach': return handleDetach(ws, msg);
+    }
+  });
+
+  ws.on('close', () => {
+    // Detach from all sessions
+    for (const [id, session] of sessions) {
+      session.clients = session.clients.filter(c => c !== ws);
+    }
+  });
+});
+
+// --- Queue Engine Integration ---
+function setupQueueForSession(sessionId) {
+  // Set the send function so queue engine can write to PTY
+  queueEngine.setSendFn(sessionId, (data) => {
+    const session = sessions.get(sessionId);
+    if (session) session.ptyProcess.write(data);
+  });
+
+  // Set state change callback to broadcast via WebSocket
+  queueEngine.setOnStateChange(sessionId, (state) => {
+    broadcastQueueState(sessionId, state);
+  });
+}
+
+function broadcastQueueState(sessionId, state) {
+  const payload = JSON.stringify({ type: 'queue-state', sessionId, ...state });
+  for (const client of wss.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+// --- Shadow Approver Engine ---
+// Monitors terminal output for "Do you want to proceed?" prompts.
+// Checks learned rules first, then uses AI to auto-approve or escalate.
+const autoApprovalBuffers = new Map(); // sessionId -> { text, lastCheck, cooldown, reviewing }
+
+function broadcastToSession(sessionId, session, data) {
+  const payload = JSON.stringify(data);
+  for (const client of session.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+// Lightweight virtual terminal screen buffer for parsing PTY output.
+// Claude Code uses Ink (React TUI) which renders via cursor positioning,
+// so raw text accumulation doesn't work — we need to interpret cursor moves.
+class VTermScreen {
+  constructor(rows = 60, cols = 220) {
+    this.rows = rows;
+    this.cols = cols;
+    this.screen = [];
+    this.cursorRow = 0;
+    this.cursorCol = 0;
+    this._pending = ''; // Buffer for incomplete escape sequences across chunks
+    for (let r = 0; r < rows; r++) this.screen[r] = new Array(cols).fill(' ');
+  }
+
+  feed(chunk) {
+    // Prepend any leftover from a split escape sequence
+    const data = this._pending + chunk;
+    this._pending = '';
+    let i = 0;
+    while (i < data.length) {
+      const ch = data[i];
+      if (ch === '\x1b') {
+        // Check if we have enough data to parse the escape sequence
+        if (i + 1 >= data.length) {
+          // ESC at end of chunk — save for next feed()
+          this._pending = data.slice(i);
+          return;
+        }
+        if (data[i + 1] === '[') {
+          // CSI sequence: ESC [ params letter
+          let j = i + 2;
+          while (j < data.length && /[0-9;?]/.test(data[j])) j++;
+          if (j >= data.length) {
+            // Incomplete CSI — save for next feed()
+            this._pending = data.slice(i);
+            return;
+          }
+          const params = data.slice(i + 2, j);
+          this._handleCSI(params, data[j]);
+          i = j + 1;
+        } else if (data[i + 1] === ']') {
+          // OSC sequence: skip to BEL or ST
+          let j = i + 2;
+          while (j < data.length && data[j] !== '\x07' && !(data[j] === '\x1b' && data[j + 1] === '\\')) j++;
+          if (j >= data.length) {
+            // Incomplete OSC — save for next feed()
+            this._pending = data.slice(i);
+            return;
+          }
+          i = (data[j] === '\x07') ? j + 1 : j + 2;
+        } else {
+          // Other ESC sequences (charset, etc.) — skip 2 chars
+          i += 2;
+        }
+      } else if (ch === '\n') {
+        this.cursorRow++;
+        if (this.cursorRow >= this.rows) { this._scrollUp(); this.cursorRow = this.rows - 1; }
+        i++;
+      } else if (ch === '\r') {
+        this.cursorCol = 0;
+        i++;
+      } else if (ch === '\t') {
+        this.cursorCol = Math.min(this.cols - 1, (Math.floor(this.cursorCol / 8) + 1) * 8);
+        i++;
+      } else if (ch.charCodeAt(0) < 32 || ch === '\x7f') {
+        i++; // skip control chars
+      } else {
+        // Printable character
+        if (this.cursorCol < this.cols && this.cursorRow < this.rows && this.cursorRow >= 0) {
+          this.screen[this.cursorRow][this.cursorCol] = ch;
+          this.cursorCol++;
+          if (this.cursorCol >= this.cols) {
+            this.cursorCol = 0;
+            this.cursorRow++;
+            if (this.cursorRow >= this.rows) { this._scrollUp(); this.cursorRow = this.rows - 1; }
+          }
+        }
+        i++;
+      }
+    }
+  }
+
+  _handleCSI(params, cmd) {
+    const parts = params.replace(/\?/g, '').split(';').map(Number);
+    switch (cmd) {
+      case 'H': case 'f': // Cursor position
+        this.cursorRow = Math.max(0, (parts[0] || 1) - 1);
+        this.cursorCol = Math.max(0, (parts[1] || 1) - 1);
+        break;
+      case 'A': // Cursor up
+        this.cursorRow = Math.max(0, this.cursorRow - (parts[0] || 1));
+        break;
+      case 'B': // Cursor down
+        this.cursorRow = Math.min(this.rows - 1, this.cursorRow + (parts[0] || 1));
+        break;
+      case 'C': // Cursor forward
+        this.cursorCol = Math.min(this.cols - 1, this.cursorCol + (parts[0] || 1));
+        break;
+      case 'D': // Cursor back
+        this.cursorCol = Math.max(0, this.cursorCol - (parts[0] || 1));
+        break;
+      case 'J': // Erase in display
+        if ((parts[0] || 0) === 2) {
+          for (let r = 0; r < this.rows; r++) this.screen[r].fill(' ');
+        } else if ((parts[0] || 0) === 0) {
+          // Clear from cursor to end
+          this.screen[this.cursorRow].fill(' ', this.cursorCol);
+          for (let r = this.cursorRow + 1; r < this.rows; r++) this.screen[r].fill(' ');
+        }
+        break;
+      case 'K': // Erase in line
+        if ((parts[0] || 0) === 0) {
+          this.screen[this.cursorRow].fill(' ', this.cursorCol);
+        } else if ((parts[0] || 0) === 2) {
+          this.screen[this.cursorRow].fill(' ');
+        }
+        break;
+      case 'G': // Cursor horizontal absolute
+        this.cursorCol = Math.max(0, (parts[0] || 1) - 1);
+        break;
+      case 'd': // Cursor vertical absolute
+        this.cursorRow = Math.max(0, (parts[0] || 1) - 1);
+        break;
+      // m (SGR/color), h/l (mode set/reset), etc. — ignored (visual only)
+    }
+  }
+
+  _scrollUp() {
+    this.screen.shift();
+    this.screen.push(new Array(this.cols).fill(' '));
+  }
+
+  getText() {
+    return this.screen.map(row => row.join('').trimEnd()).join('\n');
+  }
+}
+
+function checkAutoApproval(sessionId, session, data) {
+  // Accumulate output using virtual terminal screen
+  let buf = autoApprovalBuffers.get(sessionId);
+  if (!buf) {
+    buf = { vterm: new VTermScreen(), lastCheck: 0, cooldown: 0, reviewing: false };
+    autoApprovalBuffers.set(sessionId, buf);
+  }
+  buf.vterm.feed(data);
+
+  // Throttle checks
+  const now = Date.now();
+  if (now - buf.lastCheck < 500) return;
+  if (now < buf.cooldown) return;
+  if (buf.reviewing) return; // AI review in progress
+  buf.lastCheck = now;
+
+  // Read the virtual screen as text
+  const clean = buf.vterm.getText();
+
+  // Debug: log buffer content periodically (every 30s per session)
+  if (!buf._lastDebug || now - buf._lastDebug > 30000) {
+    buf._lastDebug = now;
+    const nonEmpty = clean.split('\n').filter(l => l.trim()).slice(-3);
+    if (nonEmpty.length > 0) {
+      console.log(`[shadow-approver:debug] session=${sessionId.slice(0,8)} screen=` +
+        JSON.stringify(nonEmpty.map(l => l.trim().slice(0, 80))));
+    }
+  }
+
+  // Check for approval prompt patterns (proceed, edit, create file)
+  if (!/Do you want to (proceed|make this edit to .+|create .+)\??/.test(clean)) return;
+  if (!/1\.\s*Yes/.test(clean)) return;
+
+  console.log(`[shadow-approver] Detected approval prompt in session ${sessionId.slice(0, 8)}`);
+
+  // Mark as reviewing to prevent duplicate checks
+  buf.reviewing = true;
+
+  // Run the AI-powered approval agent
+  approvalAgent.handleApprovalCheck(sessionId, session, clean, broadcastToSession)
+    .then(handled => {
+      console.log(`[shadow-approver] handleApprovalCheck result: handled=${handled}`);
+      if (handled) {
+        buf.vterm = new VTermScreen();
+        buf.cooldown = Date.now() + 3000;
+      }
+    })
+    .catch(err => {
+      console.error('[shadow-approver] Error:', err.message);
+    })
+    .finally(() => {
+      buf.reviewing = false;
+    });
+}
+
+// Clean up buffers when sessions exit
+function cleanAutoApprovalBuffer(sessionId) {
+  autoApprovalBuffers.delete(sessionId);
+}
+
+// --- Input-Waiting Detection & Notification ---
+// Detects when Claude Code is idle and waiting for user input, then notifies clients.
+const idleNotifyState = new Map(); // sessionId -> { timer, notified, lastOutput, buf }
+
+// Strip ALL ANSI/xterm escape sequences comprehensively
+function stripAnsi(str) {
+  return str
+    .replace(/\x1b\[[0-9;?]*[a-zA-Z]/g, '')   // CSI sequences: ESC [ ... letter
+    .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '') // OSC sequences: ESC ] ... BEL/ST
+    .replace(/\x1b[()][A-Z0-9]/g, '')           // Character set: ESC ( B, etc.
+    .replace(/\x1b>[0-9]*[a-zA-Z]/g, '')        // Private mode: ESC > ...
+    .replace(/\x1b<[a-zA-Z]/g, '')              // ESC < ...
+    .replace(/\x1b=[0-9]*/g, '')                // ESC = ...
+    .replace(/\x1b\s/g, '')                     // ESC space
+    .replace(/\r/g, '')                         // Carriage returns
+    .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, ''); // Other control chars
+}
+
+const IDLE_PROMPT_PATTERNS = [
+  // Claude Code TUI indicators (these appear when Claude is waiting for input)
+  { pattern: /❯/, reason: 'input' },                                // Claude Code prompt marker (anywhere in buffer)
+  { pattern: /ctrl\+[a-z].*to edit/i, reason: 'input' },            // Claude Code hint text
+  // Approval / choice prompts
+  { pattern: /Do you want to (proceed|make this edit|create )\S/, reason: 'approval' }, // Approval prompt
+  { pattern: /\d+\.\s*Yes.*\d+\.\s*No/s, reason: 'choice' },       // Numbered choice menu
+  { pattern: /\(Y\/n\)\s*$/i, reason: 'approval' },                 // Y/n prompt
+  { pattern: /Enter to confirm/, reason: 'choice' },                // Claude Code confirm
+  // Shell prompts (for non-Claude sessions)
+  { pattern: /[→▶]\s*$/, reason: 'input' },                         // Arrow-style prompts (zsh themes)
+  { pattern: /[\$#%]\s*$/, reason: 'input' },                       // Shell prompts: $, #, %
+];
+const IDLE_NOTIFY_DELAY_MS = 3000; // Wait 3s of silence after prompt marker
+
+function checkIdleNotify(sessionId, session, data) {
+  let st = idleNotifyState.get(sessionId);
+  if (!st) {
+    st = { timer: null, notified: false, lastOutput: Date.now(), buf: '' };
+    idleNotifyState.set(sessionId, st);
+  }
+
+  // Accumulate output in own buffer (independent of auto-approval buffer)
+  st.buf += data;
+  if (st.buf.length > 4096) st.buf = st.buf.slice(-3000);
+
+  st.lastOutput = Date.now();
+
+  // Only reset notified flag if this is substantial output (not just cursor/control sequences)
+  const stripped = data.replace(/\x1b\[[0-9;?]*[a-zA-Z]/g, '').replace(/[\x00-\x1f\x7f]/g, '').trim();
+  if (stripped.length > 2) {
+    st.notified = false; // Significant new output means Claude is active again
+  }
+
+  // Clear any pending notification timer
+  if (st.timer) { clearTimeout(st.timer); st.timer = null; }
+
+  // After a delay, check if output stopped at a prompt marker
+  st.timer = setTimeout(() => {
+    const clean = stripAnsi(st.buf);
+    // Get last non-empty lines
+    const lines = clean.split('\n').filter(l => l.trim().length > 0);
+    const lastLines = lines.slice(-8).join('\n');
+
+    for (const { pattern, reason } of IDLE_PROMPT_PATTERNS) {
+      if (pattern.test(lastLines)) {
+        if (!st.notified) {
+          st.notified = true;
+          broadcastToAll({
+            type: 'waiting-for-input',
+            id: sessionId,
+            reason,
+            label: session.label || '',
+            snippet: lastLines.trim().split('\n').slice(-3).join('\n').slice(0, 200),
+          });
+        }
+        return;
+      }
+    }
+  }, IDLE_NOTIFY_DELAY_MS);
+}
+
+function cleanIdleNotify(sessionId) {
+  const st = idleNotifyState.get(sessionId);
+  if (st?.timer) clearTimeout(st.timer);
+  idleNotifyState.delete(sessionId);
+}
+
+function broadcastToAll(data) {
+  const payload = typeof data === 'string' ? data : JSON.stringify(data);
+  for (const client of wss.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+function handleCreate(ws, msg) {
+  const id = msg.id || crypto.randomUUID();
+
+  // If a session with this ID is still alive (e.g. resume of a stale entry), attach instead
+  const existing = sessions.get(id);
+  if (existing && existing.ptyProcess) {
+    return handleAttach(ws, { id });
+  }
+
+  const cwd = (msg.cwd || process.env.HOME).replace(/^~/, process.env.HOME);
+  const shell = msg.shell || process.env.SHELL || '/bin/zsh';
+  const cmd = msg.cmd || shell;
+  const args = msg.args || [];
+
+  // If resuming a Claude session, restore .jsonl from .bak if needed
+  // (Claude Code migrates sessions to directory format, renaming .jsonl to .jsonl.bak)
+  if (args.includes('--resume') && id) {
+    const claudeProjectsDir = path.join(process.env.HOME, '.claude', 'projects');
+    try {
+      for (const entry of fs.readdirSync(claudeProjectsDir)) {
+        const jsonl = path.join(claudeProjectsDir, entry, `${id}.jsonl`);
+        const bak = jsonl + '.bak';
+        if (!fs.existsSync(jsonl) && fs.existsSync(bak)) {
+          fs.copyFileSync(bak, jsonl);
+          break;
+        }
+      }
+    } catch { /* ignore — best effort */ }
+  }
+  const cols = msg.cols || 120;
+  const rows = msg.rows || 30;
+  const env = { ...process.env, ...msg.env };
+  // Remove CLAUDECODE so spawned Claude Code sessions don't think they're nested
+  delete env.CLAUDECODE;
+
+  // Determine the label — strip any "Resume:" prefix to avoid accumulation
+  let label = (msg.label || '').replace(/^Resume:\s*/i, '');
+  if (!label) {
+    if (cmd.includes('claude')) {
+      label = `Claude: ${cwd}`;
+    } else {
+      label = `Shell: ${cwd}`;
+    }
+  }
+
+  let ptyProcess;
+  try {
+    ptyProcess = pty.spawn(cmd, args, {
+      name: 'xterm-256color',
+      cols, rows, cwd, env,
+    });
+  } catch (e) {
+    ws.send(JSON.stringify({ type: 'error', message: `Failed to spawn: ${e.message}` }));
+    return;
+  }
+
+  const session = {
+    id,
+    label,
+    cmd,
+    args,
+    cwd,
+    pid: ptyProcess.pid,
+    ptyProcess,
+    clients: [ws],
+    scrollback: [],
+    createdAt: Date.now(),
+    lastActivity: Date.now(),
+  };
+
+  sessions.set(id, session);
+
+  ptyProcess.onData((data) => {
+    session.lastActivity = Date.now();
+    // Only strip \e[3J (Erase Scrollback) — it destroys scroll history on replay.
+    // Do NOT strip \e[2J or \e[?1049h/l — those are needed for Claude Code's TUI rendering.
+    const cleanData = data.replace(/\x1b\[3J/g, '');
+    // Keep scrollback (limit to ~50KB)
+    session.scrollback.push(cleanData);
+    if (session.scrollback.length > 500) session.scrollback.shift();
+
+    const payload = JSON.stringify({ type: 'output', id, data: cleanData });
+    for (const client of session.clients) {
+      if (client.readyState === 1) client.send(payload);
+    }
+
+    // Feed output to queue engine for completion detection
+    queueEngine.feedOutput(id, data);
+
+    // Feed output to auto-approval engine
+    checkAutoApproval(id, session, data);
+
+    // Feed output to idle/waiting-for-input detection
+    checkIdleNotify(id, session, data);
+  });
+
+  ptyProcess.onExit(({ exitCode, signal }) => {
+    const payload = JSON.stringify({ type: 'exit', id, exitCode, signal });
+    for (const client of session.clients) {
+      if (client.readyState === 1) client.send(payload);
+    }
+    sessions.delete(id);
+    queueEngine.onSessionExit(id);
+    cleanAutoApprovalBuffer(id);
+    cleanIdleNotify(id);
+    broadcastSessionList();
+  });
+
+  // Wire up queue engine hooks if a queue exists for this session
+  setupQueueForSession(id);
+
+  // If the client provided an explicit label (e.g. prompt title), persist it
+  if (msg.label) {
+    dbModule.setSessionTitle(id, label, false);
+  }
+
+  ws.send(JSON.stringify({ type: 'created', id, pid: ptyProcess.pid, label, cwd }));
+  broadcastSessionList();
+}
+
+function handleAttach(ws, msg) {
+  const session = sessions.get(msg.id);
+  if (!session) {
+    ws.send(JSON.stringify({ type: 'error', message: 'Session not found', id: msg.id }));
+    return;
+  }
+  if (!session.clients.includes(ws)) {
+    session.clients.push(ws);
+  }
+  // Send scrollback along with the PTY dimensions it was rendered at,
+  // so the client can detect width mismatches
+  const ptyCols = session.ptyProcess?.cols || 120;
+  const ptyRows = session.ptyProcess?.rows || 30;
+  ws.send(JSON.stringify({ type: 'scrollback', id: msg.id, data: session.scrollback.join(''), ptyCols, ptyRows }));
+}
+
+function handleDetach(ws, msg) {
+  const session = sessions.get(msg.id);
+  if (session) {
+    session.clients = session.clients.filter(c => c !== ws);
+  }
+}
+
+function handleInput(ws, msg) {
+  const session = sessions.get(msg.id);
+  if (session) {
+    session.lastActivity = Date.now();
+    session.ptyProcess.write(msg.data);
+  }
+}
+
+function handleResize(ws, msg) {
+  const session = sessions.get(msg.id);
+  if (session && msg.cols && msg.rows) {
+    session.ptyProcess.resize(msg.cols, msg.rows);
+  }
+}
+
+function handleKill(ws, msg) {
+  const session = sessions.get(msg.id);
+  if (session) {
+    session.ptyProcess.kill();
+  }
+}
+
+function handleRename(ws, msg) {
+  const { id, label } = msg;
+  if (!id || !label) return;
+  const trimmed = label.trim().slice(0, 120);
+  if (!trimmed) return;
+
+  // Update in-memory session if active
+  const session = sessions.get(id);
+  if (session) {
+    session.label = trimmed;
+  }
+
+  // Persist to DB with user_renamed flag
+  dbModule.setSessionTitle(id, trimmed, true);
+
+  ws.send(JSON.stringify({ type: 'renamed', id, label: trimmed }));
+  broadcastSessionList();
+}
+
+function handleList(ws) {
+  ws.send(JSON.stringify({
+    type: 'sessions',
+    sessions: Array.from(sessions.values()).map(s => ({
+      id: s.id,
+      label: s.label,
+      cmd: s.cmd,
+      cwd: s.cwd,
+      pid: s.pid,
+      createdAt: s.createdAt,
+      lastActivity: s.lastActivity,
+    })),
+  }));
+}
+
+function broadcastDataChanged(resource, method) {
+  const payload = JSON.stringify({ type: 'data-changed', resource, method });
+  for (const client of wss.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+function broadcastSessionList() {
+  const payload = JSON.stringify({
+    type: 'sessions',
+    sessions: Array.from(sessions.values()).map(s => ({
+      id: s.id,
+      label: s.label,
+      cmd: s.cmd,
+      cwd: s.cwd,
+      pid: s.pid,
+      createdAt: s.createdAt,
+      lastActivity: s.lastActivity,
+    })),
+  });
+  for (const client of wss.clients) {
+    if (client.readyState === 1) client.send(payload);
+  }
+}
+
+// Heartbeat
+setInterval(() => {
+  wss.clients.forEach((ws) => {
+    if (!ws.isAlive) return ws.terminate();
+    ws.isAlive = false;
+    ws.ping();
+  });
+}, 30000);
+
+// Periodic change detection for code review badge (every 30 seconds)
+const _lastKnownFileCounts = new Map(); // project -> fileCount
+setInterval(async () => {
+  if (wss.clients.size === 0) return;
+  const trackedProjects = new Set();
+  for (const [, session] of sessions) {
+    if (session.cwd) trackedProjects.add(session.cwd);
+  }
+  for (const project of trackedProjects) {
+    try {
+      const result = await checkForChanges(project);
+      const prev = _lastKnownFileCounts.get(project);
+      if (result.fileCount === prev) continue; // No change, skip broadcast
+      _lastKnownFileCounts.set(project, result.fileCount);
+      const payload = JSON.stringify({
+        type: 'files-changed',
+        project,
+        fileCount: result.fileCount,
+        files: result.files.map(f => f.path),
+      });
+      for (const client of wss.clients) {
+        if (client.readyState === 1) client.send(payload);
+      }
+    } catch {}
+  }
+}, 30000);
+
+// --- Graceful Shutdown ---
+function shutdown() {
+  console.log('\n  Shutting down...');
+  dbModule.checkpointWal();
+  dbModule.closeDb();
+  for (const [id, session] of sessions) {
+    try { session.ptyProcess.kill(); } catch {}
+  }
+  process.exit(0);
+}
+process.on('SIGINT', shutdown);
+process.on('SIGTERM', shutdown);
+
+// --- Restart APIs ---
+const { execFile } = require('child_process');
+
+const _ctmStartTime = Date.now();
+
+function apiServicesStatus(req, res) {
+  const ctmUptime = Math.floor((Date.now() - _ctmStartTime) / 1000);
+  // Check Wall-E on port 3457
+  execFile('lsof', ['-ti', ':3457'], (err, stdout) => {
+    const pids = (stdout || '').trim().split('\n').filter(Boolean);
+    // Filter to only node processes
+    let wallePid = null;
+    if (pids.length > 0) {
+      // lsof returns PIDs — just use first one as indicator
+      wallePid = parseInt(pids[0]) || null;
+    }
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({
+      ctm: { running: true, pid: process.pid, uptime: ctmUptime },
+      walle: { running: !!wallePid, pid: wallePid }
+    }));
+  });
+}
+
+function apiStopWalle(req, res) {
+  execFile('lsof', ['-ti', ':3457'], (err, stdout) => {
+    const pids = (stdout || '').trim().split('\n').filter(Boolean);
+    if (pids.length === 0) {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ ok: true, message: 'Wall-E is not running' }));
+      return;
+    }
+    for (const pid of pids) {
+      try { process.kill(parseInt(pid), 'SIGTERM'); } catch {}
+    }
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ ok: true, message: 'Wall-E stopped' }));
+  });
+}
+
+function apiStartWalle(req, res) {
+  const walleDir = path.join(__dirname, '..', 'wall-e');
+  const agentScript = path.join(walleDir, 'agent.js');
+  // Check if already running
+  execFile('lsof', ['-ti', ':3457'], (err, stdout) => {
+    const pids = (stdout || '').trim().split('\n').filter(Boolean);
+    if (pids.length > 0) {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ ok: true, message: 'Wall-E is already running' }));
+      return;
+    }
+    const child = require('child_process').spawn(
+      process.execPath,
+      [agentScript],
+      { cwd: walleDir, detached: true, stdio: 'ignore', env: { ...process.env } }
+    );
+    child.unref();
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ ok: true, message: 'Wall-E starting...', pid: child.pid }));
+  });
+}
+
+function apiRestartCtm(req, res) {
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ ok: true, message: 'CTM server restarting...' }));
+
+  // Spawn a bash one-liner that waits for this process to die, then starts new server
+  const serverScript = path.join(__dirname, 'server.js');
+  const cwdDir = path.resolve(__dirname, '..');
+  const child = require('child_process').spawn('bash', ['-c',
+    `while kill -0 ${process.pid} 2>/dev/null; do sleep 0.1; done; cd "${cwdDir}" && "${process.execPath}" "${serverScript}" >> /tmp/ctm.log 2>&1`
+  ], { detached: true, stdio: 'ignore' });
+  child.unref();
+
+  // Exit after a brief delay for the response to flush
+  setTimeout(() => {
+    dbModule.checkpointWal();
+    dbModule.closeDb();
+    // Kill all PTY sessions
+    for (const [, session] of sessions) {
+      try { session.ptyProcess.kill(); } catch {}
+    }
+    // Force exit — node-pty can keep the event loop alive
+    setTimeout(() => process.kill(process.pid, 'SIGKILL'), 200);
+    process.exit(0);
+  }, 300);
+}
+
+function apiRestartWalle(req, res) {
+  const walleDir = path.join(__dirname, '..', 'wall-e');
+  const agentScript = path.join(walleDir, 'agent.js');
+
+  // Kill existing Wall-E process on port 3457
+  execFile('lsof', ['-ti', ':3457'], (err, stdout) => {
+    const pids = (stdout || '').trim().split('\n').filter(Boolean);
+    for (const pid of pids) {
+      try { process.kill(parseInt(pid), 'SIGTERM'); } catch {}
+    }
+
+    // Wait for old process to die, then spawn new one
+    setTimeout(() => {
+      const child = require('child_process').spawn(
+        process.execPath,
+        [agentScript],
+        { cwd: walleDir, detached: true, stdio: 'ignore', env: { ...process.env } }
+      );
+      child.unref();
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ ok: true, message: 'Wall-E restarting...', pid: child.pid }));
+    }, 1000);
+  });
+}
+
+// --- Queue Engine Hook ---
+queueEngine.setOnQueueCreated((sessionId) => {
+  if (sessions.has(sessionId)) {
+    setupQueueForSession(sessionId);
+  }
+});
+
+// Re-wire restored queues to existing PTY sessions
+for (const [sessionId] of Object.entries(queueEngine.getAllStates())) {
+  if (sessions.has(sessionId)) {
+    setupQueueForSession(sessionId);
+  }
+}
+
+// --- Wire up tracked-projects API ---
+const apiReviews = require('./api-reviews');
+apiReviews._getTrackedProjects = async function() {
+  // Gather ALL sessions (from session files), not just active ones
+  const allSessions = [];
+  for (const { filePath, projectPath, projectEntry } of getAllSessionFiles()) {
+    try {
+      allSessions.push(parseSessionFile(filePath, projectPath, projectEntry));
+    } catch {}
+  }
+
+  // Merge titles (AI or user-renamed)
+  const allTitles = dbModule.getAllSessionTitles();
+  for (const s of allSessions) {
+    if (allTitles[s.sessionId]) {
+      s.aiTitle = allTitles[s.sessionId].title;
+      s.userRenamed = allTitles[s.sessionId].userRenamed;
+    }
+  }
+
+  // Active session IDs for marking active status
+  const activeIds = new Set(sessions.keys());
+
+  // Group by cwd, dedup by path — skip CTM-internal sessions
+  const projectMap = new Map(); // cwd -> { sessions: [], mostRecent }
+  for (const s of allSessions) {
+    if (!s.cwd || s.isEmpty) continue;
+    if (isCtmInternalSession(s.firstMessage)) continue;
+    if (!projectMap.has(s.cwd)) {
+      projectMap.set(s.cwd, { sessions: [] });
+    }
+    projectMap.get(s.cwd).sessions.push({
+      id: s.sessionId,
+      label: s.aiTitle || s.title || s.firstMessage?.slice(0, 60) || s.sessionId.slice(0, 8),
+      modifiedAt: s.modifiedAt,
+      active: activeIds.has(s.sessionId),
+      projectEntry: s.projectEntry,
+    });
+  }
+
+  // Sort sessions within each project (newest first), compute mostRecent
+  for (const [, proj] of projectMap) {
+    proj.sessions.sort((a, b) => new Date(b.modifiedAt) - new Date(a.modifiedAt));
+  }
+
+  // Build results, ranked by most recent session per project
+  const entries = Array.from(projectMap.entries()).map(([cwd, proj]) => ({
+    cwd,
+    mostRecent: proj.sessions[0]?.modifiedAt || '',
+    sessions: proj.sessions,
+  }));
+  entries.sort((a, b) => new Date(b.mostRecent) - new Date(a.mostRecent));
+
+  // Fetch git info + diff stats for each project (in parallel)
+  const gitUtils = require('./git-utils');
+  const results = await Promise.all(entries.map(async (entry) => {
+    let fileCount = 0, files = [], branch = '';
+    try {
+      const result = await checkForChanges(entry.cwd);
+      fileCount = result.fileCount;
+      files = result.files;
+    } catch {}
+    try { branch = await gitUtils.getBranch(entry.cwd); } catch {}
+    return {
+      path: entry.cwd,
+      name: require('path').basename(entry.cwd),
+      branch,
+      fileCount,
+      files,
+      sessions: entry.sessions,
+    };
+  }));
+
+  return results;
+};
+
+// --- Start ---
+const setup = require('../bin/setup');
+
+// Auto-detect owner and create .env if missing (no interactive prompts)
+setup.runIfNeeded();
+
+server.listen(PORT, HOST, () => {
+  console.log(`\n  Claude Task Manager running at:`);
+  console.log(`  Local:  http://localhost:${PORT}/`);
+  console.log(`  Remote: http://localhost:${PORT}/?token=${config.token}`);
+  console.log(`  Auth token: ${config.token}`);
+  console.log(`  Database: ${dbModule.getDbPath()}`);
+  console.log(`  Config: ${CONFIG_FILE}`);
+  if (setup.needsSetup()) {
+    console.log(`\n  → Finish setup at: http://localhost:${PORT}/setup.html\n`);
+  } else {
+    console.log('');
+  }
+});