create-walle 0.9.10 → 0.9.12

package/README.md

@@ -8,12 +8,12 @@ Set up **CTM + Wall-E** in one command — a browser-based dashboard for AI codi
 
 A web dashboard for running and managing AI coding sessions across multiple providers.
 
-- **Terminal Multiplexer** — Run Claude Code, Codex, Gemini CLI, and Aider sessions side by side with live status, persistent scrollback, model switching, and AI-generated titles
+- **Terminal Multiplexer** — Run Claude Code, Codex, Gemini CLI, Aider, OpenCode, Cursor Agent, and more side by side with live status, persistent scrollback, model switching, and AI-generated titles
 - **Prompt Editor** — Save, version, and organize prompts with folders, tags, chains, templates, and AI search
 - **Task Queue** — Queue prompts for sequential execution with auto-advance when the agent finishes, or step through manually
 - **Approval Workflows** — Auto-approve tool-use requests based on learned rules; uncertain cases escalate to you
 - **Code Review** — View git diffs from any project, staged or unstaged, with line-level detail
-- **Model Registry** — Manage providers (Anthropic, OpenAI, Google, Ollama), compare pricing, switch models per session
+- **Model Registry** — Manage providers (Anthropic, OpenAI, Google, DeepSeek, Ollama, LM Studio, MLX, and CLI subscription providers), compare pricing, switch models per session
 - **Session Insights** — Analyze patterns across sessions to optimize prompts and workflows
 
 ### Wall-E (Personal Digital Twin)
@@ -24,7 +24,7 @@ An always-on AI agent that learns from your Slack, email, calendar, and coding s
 - **Proactive Intelligence** — Surfaces time-sensitive items, suggests actions, and delivers morning briefings and weekly reflections without being asked
 - **Chat with Tools** — Talk to Wall-E in the browser — it can search your memories, look up people, run skills, and call external tools via MCP (Slack, Glean, etc.)
 - **19 Bundled Skills** — Morning briefing, weekly reflection, proactive alerts, Slack monitoring, email sync, calendar integration, coding agent, model training, model pricing sync, and more
-- **Multi-Model** — Works with Claude, GPT, Gemini, and local models via Ollama with smart routing
+- **Multi-Model** — Works with Claude, GPT, Gemini, DeepSeek, and local models via Ollama, LM Studio, or MLX with smart routing
 - **Skill Management GUI** — Search, filter, create, edit, and monitor skills from the browser with rich cards, config forms, execution history, export/import, and pre-flight validation
 - **Multi-Device** — Share your brain across machines via Dropbox or iCloud
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "create-walle",
-  "version": "0.9.10",
-  "description": "CTM + Wall-E \u2014 AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini & Aider, plus prompt editor, task queue, and an agent that learns from Slack, email & calendar.",
+  "version": "0.9.12",
+  "description": "CTM + Wall-E \u2014 AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini, Aider, OpenCode, and more, plus prompt editor, task queue, and an agent that learns from Slack, email & calendar.",
   "bin": {
     "create-walle": "bin/create-walle.js"
   },

package/template/bin/dev.sh

@@ -53,6 +53,10 @@ elif [[ "$1" == "--refresh" ]]; then
   echo "[dev] Snapshotting production databases to $DEV_DIR ..."
   node "$ROOT/bin/sqlite-snapshot.js" "$PROD_CTM_DIR/task-manager.db" "$DEV_DIR/task-manager.db" "CTM"
   node "$ROOT/bin/sqlite-snapshot.js" "$PROD_WALLE_DIR/wall-e-brain.db" "$DEV_DIR/wall-e-brain.db" "Brain"
+  if [[ -d "$PROD_CTM_DIR/images" ]]; then
+    echo "  Images: syncing $PROD_CTM_DIR/images -> $DEV_DIR/images"
+    node "$ROOT/bin/sync-images.js" "$PROD_CTM_DIR/images" "$DEV_DIR/images"
+  fi
   # Ensure the dev instance owns its WAL files from first open.
   rm -f "$DEV_DIR"/*.db-wal "$DEV_DIR"/*.db-shm
 fi
@@ -72,6 +76,8 @@ export CTM_PORT="$DEV_CTM_PORT"
 export WALL_E_PORT="$DEV_WALLE_PORT"
 export CTM_DATA_DIR="$DEV_DIR"
 export WALL_E_DATA_DIR="$DEV_DIR"
+export WALLE_SESSIONS_DIR="$DEV_DIR/sessions"
+export WALL_E_SESSIONS_DIR="$DEV_DIR/sessions"
 export CTM_HOST="127.0.0.1"
 export CTM_INSTANCE_TAG="dev-$DEV_CTM_PORT"
 export OAUTH_PROXY_PORT="$DEV_OAUTH_PROXY_PORT"
@@ -79,7 +85,7 @@ export OAUTH_PROXY_PORT="$DEV_OAUTH_PROXY_PORT"
 # Source the rest of .env (API keys, owner name, etc.)
 if [[ -f "$ROOT/.env" ]]; then
   set -a
-  source <(grep -v '^#' "$ROOT/.env" | grep -vE '^(CTM_PORT|WALL_E_PORT|CTM_DATA_DIR|WALL_E_DATA_DIR|CTM_HOST|CTM_INSTANCE_TAG|OAUTH_PROXY_PORT)=' | grep '=')
+  source <(grep -v '^#' "$ROOT/.env" | grep -vE '^(CTM_PORT|WALL_E_PORT|CTM_DATA_DIR|WALL_E_DATA_DIR|WALLE_SESSIONS_DIR|WALL_E_SESSIONS_DIR|CTM_HOST|CTM_INSTANCE_TAG|OAUTH_PROXY_PORT)=' | grep '=')
   set +a
 fi
 

package/template/bin/setup.js

@@ -8,6 +8,9 @@ const { execFileSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const { atomicWriteFileSync } = require('../claude-task-manager/atomic-write');
+const {
+  setupProviderHasRuntimeAccess,
+} = require('../claude-task-manager/lib/setup-provider-config');
 
 const ROOT = path.resolve(__dirname, '..');
 const ENV_PATH = path.join(ROOT, '.env');
@@ -74,19 +77,60 @@ function runIfNeeded() {
 
 /** Returns true if setup is needed (no API key configured anywhere). Cached after first check. */
 let _needsSetupCache = undefined;
+
+function parseEnvFile(content) {
+  const out = {};
+  for (const line of String(content || '').split('\n')) {
+    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*)\s*$/);
+    if (!m) continue;
+    out[m[1]] = m[2].replace(/^['"]|['"]$/g, '');
+  }
+  return out;
+}
+
+function readEnvFile() {
+  if (!fs.existsSync(ENV_PATH)) return {};
+  try { return parseEnvFile(fs.readFileSync(ENV_PATH, 'utf8')); }
+  catch { return {}; }
+}
+
+function readBrainProviderState(env) {
+  try {
+    const brain = require('../wall-e/brain');
+    if (typeof brain.getDb === 'function') brain.getDb();
+    const provider = brain.getKv?.('walle_provider') || env.WALLE_PROVIDER || 'anthropic';
+    const row = brain.getDb().prepare(
+      'SELECT api_key_encrypted, auth_method FROM model_providers WHERE type = ? AND enabled = 1 ORDER BY updated_at DESC LIMIT 1'
+    ).get(provider);
+    return {
+      provider,
+      authMethod: row?.auth_method || brain.getProviderAuthMethod?.(provider) || env.WALLE_AUTH_METHOD || '',
+      hasStoredKey: !!row?.api_key_encrypted,
+    };
+  } catch {
+    return null;
+  }
+}
+
 function needsSetup() {
   if (_needsSetupCache !== undefined) return _needsSetupCache;
-  // Check process.env first (may be set via Portkey, environment, etc.)
-  if (process.env.ANTHROPIC_API_KEY || process.env.ANTHROPIC_BASE_URL) {
-    _needsSetupCache = false;
-    return false;
-  }
   if (!fs.existsSync(ENV_PATH)) {
-    _needsSetupCache = true;
-    return true;
+    const provider = process.env.WALLE_PROVIDER || 'anthropic';
+    _needsSetupCache = !setupProviderHasRuntimeAccess({
+      type: provider,
+      env: process.env,
+      authMethod: process.env.WALLE_AUTH_METHOD || '',
+      hasStoredKey: false,
+    });
+    return _needsSetupCache;
   }
-  const content = fs.readFileSync(ENV_PATH, 'utf8');
-  _needsSetupCache = !content.match(/^ANTHROPIC_API_KEY=\S+/m);
+  const fileEnv = readEnvFile();
+  const env = { ...fileEnv, ...process.env };
+  const dbState = readBrainProviderState(env);
+  const provider = dbState?.provider || env.WALLE_PROVIDER || 'anthropic';
+  const authMethod = dbState?.authMethod || env.WALLE_AUTH_METHOD || '';
+  const hasStoredKey = !!dbState?.hasStoredKey;
+  _needsSetupCache = !setupProviderHasRuntimeAccess({ type: provider, env, authMethod, hasStoredKey });
   return _needsSetupCache;
 }
 

package/template/bin/sync-images.js

@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { pipeline } = require('stream/promises');
+
+async function copyFileStream(src, dest) {
+  await fs.promises.mkdir(path.dirname(dest), { recursive: true });
+  await pipeline(fs.createReadStream(src), fs.createWriteStream(dest));
+}
+
+async function main() {
+  const [srcDir, destDir] = process.argv.slice(2);
+  if (!srcDir || !destDir) {
+    console.error('usage: sync-images.js <srcDir> <destDir>');
+    process.exit(2);
+  }
+  if (!fs.existsSync(srcDir)) {
+    console.log(`  Images: source missing (${srcDir}), skipped`);
+    return;
+  }
+
+  await fs.promises.rm(destDir, { recursive: true, force: true });
+  await fs.promises.mkdir(destDir, { recursive: true });
+
+  const entries = await fs.promises.readdir(srcDir, { withFileTypes: true });
+  let copied = 0;
+  let skipped = 0;
+  for (const entry of entries) {
+    if (!entry.isFile()) continue;
+    const src = path.join(srcDir, entry.name);
+    const dest = path.join(destDir, entry.name);
+    try {
+      await copyFileStream(src, dest);
+      const stat = await fs.promises.stat(dest);
+      if (stat.size === 0) throw new Error('copied zero-byte file');
+      copied += 1;
+    } catch (err) {
+      skipped += 1;
+      try { await fs.promises.unlink(dest); } catch {}
+      if (skipped <= 5) {
+        console.warn(`  Images: skipped ${entry.name}: ${err.message}`);
+      }
+    }
+  }
+  const suffix = skipped > 5 ? ` (${skipped - 5} more skipped)` : '';
+  console.log(`  Images: synced ${copied}, skipped ${skipped}${suffix}`);
+}
+
+main().catch((err) => {
+  console.error(`  Images: warning - image sync failed: ${err.message}`);
+});

package/template/builder-journal.md

@@ -0,0 +1,17 @@
+# Builder Journal
+
+## 2026-04-29 — Surface Wall-E AI provider failures
+
+- Added structured `AI_PROVIDER_ERROR` classification for provider failures, including rate limit, quota, auth, model unavailable, timeout, network, context-window, and unavailable-provider cases.
+- Threaded provider error metadata through Wall-E chat, `/api/wall-e/chat` SSE/JSON responses, CTM Wall-E session WebSocket errors, JSONL error parts, and service alerts.
+- Updated Wall-E chat UX with a persistent provider-failure banner, inline diagnostic message, setup action, dismiss control, and collapsible raw provider details.
+- Updated CTM Wall-E session error notices to render the same provider diagnostic shape instead of collapsing it into a generic string.
+- Added focused node tests for provider classification and chat alerting, plus a Playwright rendering scenario for mocked provider 429 errors.
+
+## 2026-04-29 — Make default-provider switching feel instant
+
+- Found the slow path: CTM wrote the new default, then restarted Wall-E so its cached default client would reload, while the UI waited for the whole request before changing the star.
+- Changed `/api/setup/set-default` to call Wall-E's live setup config endpoint and only schedule a Wall-E restart if that live update fails.
+- Made setup default stars optimistic with rollback on failure, while keeping the selected star visually selected during the in-flight save.
+- Raised contrast on provider card borders, default stars, and toggle tracks so the inline styles no longer wash out the controls.
+- Added a Playwright setup-card regression for optimistic default switching and computed control colors.

package/template/claude-task-manager/api-prompts.js

@@ -7,6 +7,7 @@ const queueEngine = require('./queue-engine');
 const harvest = require('./prompt-harvest');
 const permissionSync = require('./lib/permission-sync');
 const walleClient = require('./lib/walle-client');
+const claudeDesktopSessions = require('./lib/claude-desktop-sessions');
 // AI search uses direct HTTP calls to Claude API (supports Portkey proxy)
 
 // Embed a prompt (async, fire-and-forget)
@@ -593,26 +594,80 @@ function handleGetImage(req, res, url) {
 }
 
 function handleServeImage(req, res, url) {
-  const rawFilename = url.pathname.replace('/api/images/file/', '');
+  let rawFilename = url.pathname.replace('/api/images/file/', '');
+  try { rawFilename = decodeURIComponent(rawFilename); } catch {}
   const safeFilename = path.basename(rawFilename);
+  const isUsableImageFile = (p) => {
+    try { return fs.existsSync(p) && fs.statSync(p).isFile() && fs.statSync(p).size > 0; }
+    catch { return false; }
+  };
+  const canReadImageFile = (p) => {
+    let fd = null;
+    try {
+      fd = fs.openSync(p, 'r');
+      const probe = Buffer.alloc(1);
+      return fs.readSync(fd, probe, 0, 1, 0) > 0;
+    } catch {
+      return false;
+    } finally {
+      if (fd !== null) { try { fs.closeSync(fd); } catch {} }
+    }
+  };
+  const serveImagePlaceholder = () => {
+    const svg = Buffer.from(
+      '<svg xmlns="http://www.w3.org/2000/svg" width="320" height="180" viewBox="0 0 320 180">' +
+      '<rect width="320" height="180" rx="8" fill="#1f2335"/>' +
+      '<text x="160" y="92" text-anchor="middle" font-family="sans-serif" font-size="14" fill="#7aa2f7">Image unavailable</text>' +
+      '</svg>'
+    );
+    res.writeHead(200, {
+      'Content-Type': 'image/svg+xml',
+      'Content-Length': svg.length,
+      'Cache-Control': 'no-store',
+    });
+    res.end(svg);
+  };
+  const mimeMap = { '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg', '.gif': 'image/gif', '.webp': 'image/webp', '.svg': 'image/svg+xml' };
+  const requestedExt = path.extname(safeFilename).toLowerCase();
+  if (!mimeMap[requestedExt]) {
+    serveImagePlaceholder(); return;
+  }
   let filePath = path.join(db.DEFAULT_IMAGES_DIR, safeFilename);
-  if (!fs.existsSync(filePath)) {
-    // Filename might be the original upload name — look up actual file_path from DB
-    const img = db.getDb().prepare('SELECT file_path FROM images WHERE filename = ? LIMIT 1').get(safeFilename);
-    const resolvedImgPath = img ? path.resolve(img.file_path) : null;
-    if (resolvedImgPath && resolvedImgPath.startsWith(path.resolve(db.DEFAULT_IMAGES_DIR) + path.sep) && fs.existsSync(resolvedImgPath)) {
-      filePath = resolvedImgPath;
-    } else {
-      res.writeHead(404); res.end('Not found'); return;
+  if (!isUsableImageFile(filePath)) {
+    // Filename may be either the original upload name or the stored hash
+    // basename embedded in markdown/session history. Resolve only paths that
+    // came from the images table and whose basename matches the request.
+    const imgs = db.getDb().prepare(`
+      SELECT file_path FROM images
+      WHERE filename = ? OR file_path LIKE ? OR file_path LIKE ?
+      LIMIT 5
+    `).all(safeFilename, '%/' + safeFilename, '%\\' + safeFilename);
+    for (const img of imgs) {
+      const resolvedImgPath = img && img.file_path ? path.resolve(img.file_path) : null;
+      if (!resolvedImgPath || path.basename(resolvedImgPath) !== safeFilename) continue;
+      if (isUsableImageFile(resolvedImgPath)) {
+        filePath = resolvedImgPath;
+        break;
+      }
     }
   }
+  if (!isUsableImageFile(filePath)) {
+    serveImagePlaceholder(); return;
+  }
+  if (!canReadImageFile(filePath)) {
+    serveImagePlaceholder(); return;
+  }
   const ext = path.extname(filePath).toLowerCase();
-  const mimeMap = { '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg', '.gif': 'image/gif', '.webp': 'image/webp', '.svg': 'image/svg+xml' };
   res.writeHead(200, {
-    'Content-Type': mimeMap[ext] || 'application/octet-stream',
+    'Content-Type': mimeMap[ext],
     'Cache-Control': 'public, max-age=86400'
   });
-  fs.createReadStream(filePath).pipe(res);
+  const stream = fs.createReadStream(filePath);
+  stream.on('error', () => {
+    if (!res.headersSent) serveImagePlaceholder();
+    else res.destroy();
+  });
+  stream.pipe(res);
 }
 
 async function handleUpdateAnnotations(req, res, url) {
@@ -977,6 +1032,36 @@ async function _importCompactPair(parsed, jsonlPath, bakPath, jsonlSize, bakSize
 
 async function importSessionFile(filePath, projectPath, projectEntry) {
   const parsed = parseSessionFile(filePath, projectPath, projectEntry);
+  if (parsed.agent === claudeDesktopSessions.DESKTOP_AGENT) {
+    const messages = claudeDesktopSessions.getMessages(parsed.sessionId) || [];
+    if (messages.length === 0) return false;
+    const userMessages = messages.filter(m => m.role === 'user');
+    const assistantMessages = messages.filter(m => m.role === 'assistant');
+    const firstUser = userMessages[0]?.text || parsed.firstMessage || '';
+    const lastUser = userMessages[userMessages.length - 1]?.text || parsed.lastUserContent || firstUser;
+    const firstAssistant = assistantMessages[0]?.text || parsed.firstAssistantText || '';
+    const existing = db.getSessionConversation(parsed.sessionId);
+    if (existing && existing.file_size === parsed.fileSize && existing.model_provider) return false;
+    db.importSessionConversation({
+      session_id: parsed.sessionId,
+      project_path: parsed.project,
+      messages,
+      user_msg_count: userMessages.length,
+      assistant_msg_count: assistantMessages.length,
+      title: parsed.title || (existing && existing.title) || '',
+      first_message: firstUser,
+      last_user_content: lastUser,
+      first_assistant_text: firstAssistant,
+      rename_name: '',
+      git_branch: '',
+      file_size: parsed.fileSize,
+      session_created_at: parsed.timestamp,
+      hostname: parsed.hostname,
+      model_provider: parsed.modelProvider || (existing && existing.model_provider) || '',
+      model_id: parsed.modelId || (existing && existing.model_id) || '',
+    });
+    return true;
+  }
   if (parsed.isEmpty) return false;
 
   // Compact-pair detection: Claude Code's /compact rotates <id>.jsonl →
@@ -1108,7 +1193,7 @@ async function runIncrementalConversationImport() {
     // several imports in the same event-loop turn.
     for (const { filePath, projectPath, projectEntry } of allFiles) {
       try {
-        const stat = await fsp.stat(filePath);
+        const stat = await fsp.stat(claudeDesktopSessions.sourcePathForStat(filePath));
         if (stat.mtimeMs <= lastScanAt) continue;
         scanned++;
         if (await importSessionFile(filePath, projectPath, projectEntry)) imported++;

package/template/claude-task-manager/api-reviews.js

@@ -4,6 +4,10 @@ const fs = require('fs');
 const db = require('./db');
 const gitUtils = require('./git-utils');
 
+const REVIEW_SEVERITIES = new Set(['comment', 'suggestion', 'issue', 'nit', 'question']);
+const REVIEW_STATUSES = new Set(['open', 'resolved']);
+const REVIEW_SIDES = new Set(['old', 'new']);
+
 // --- Helpers ---
 function isValidProjectPath(p) {
   if (!p || typeof p !== 'string') return false;
@@ -36,6 +40,69 @@ function readBody(req, limit = 1024 * 1024) {
   });
 }
 
+function normalizeReviewSeverity(value) {
+  value = String(value || 'comment').trim().toLowerCase();
+  return REVIEW_SEVERITIES.has(value) ? value : 'comment';
+}
+
+function normalizeReviewStatus(value) {
+  value = String(value || 'open').trim().toLowerCase();
+  if (!REVIEW_STATUSES.has(value)) throw new Error('Invalid review comment status');
+  return value;
+}
+
+function normalizeReviewSide(value) {
+  value = String(value || 'new').trim().toLowerCase();
+  return REVIEW_SIDES.has(value) ? value : 'new';
+}
+
+function positiveLineNumber(value, fieldName) {
+  const n = Number(value);
+  if (!Number.isInteger(n) || n < 1) throw new Error(`${fieldName} must be a positive integer`);
+  return n;
+}
+
+function sanitizeReviewCommentInput(reviewId, body) {
+  body = body || {};
+  const filePath = String(body.file_path || '').trim();
+  const text = String(body.body || '').trim();
+  if (!filePath) throw new Error('file_path required');
+  if (!text) throw new Error('body required');
+  if (filePath.length > 4096) throw new Error('file_path too long');
+  if (text.length > 20000) throw new Error('body too long');
+  const lineStart = positiveLineNumber(body.line_start, 'line_start');
+  let lineEnd = body.line_end == null || body.line_end === '' ? lineStart : positiveLineNumber(body.line_end, 'line_end');
+  if (lineEnd < lineStart) lineEnd = lineStart;
+  return {
+    review_id: reviewId,
+    file_path: filePath,
+    line_start: lineStart,
+    line_end: lineEnd,
+    side: normalizeReviewSide(body.side),
+    body: text,
+    severity: normalizeReviewSeverity(body.severity),
+    ai_generated: !!body.ai_generated,
+  };
+}
+
+function sanitizeReviewCommentUpdate(body) {
+  body = body || {};
+  const update = {};
+  if (Object.prototype.hasOwnProperty.call(body, 'body')) {
+    const text = String(body.body || '').trim();
+    if (!text) throw new Error('body required');
+    if (text.length > 20000) throw new Error('body too long');
+    update.body = text;
+  }
+  if (Object.prototype.hasOwnProperty.call(body, 'severity')) {
+    update.severity = normalizeReviewSeverity(body.severity);
+  }
+  if (Object.prototype.hasOwnProperty.call(body, 'status')) {
+    update.status = normalizeReviewStatus(body.status);
+  }
+  return update;
+}
+
 // --- Change Detection for Badge Polling ---
 // Track last known diff stats per project to detect changes
 const changeTracker = new Map(); // projectPath -> { files: [...], hash: string }
@@ -218,8 +285,9 @@ function handleReviewApi(req, res, url) {
   const commentsMatch = p.match(/^\/api\/reviews\/(\d+)\/comments$/);
   if (commentsMatch && m === 'POST') {
     readBody(req).then(body => {
-      body.review_id = parseInt(commentsMatch[1]);
-      const id = db.addReviewComment(body);
+      const reviewId = parseInt(commentsMatch[1], 10);
+      if (!db.getReview(reviewId)) return jsonResponse(res, 404, { error: 'Review not found' });
+      const id = db.addReviewComment(sanitizeReviewCommentInput(reviewId, body));
       jsonResponse(res, 201, { id });
     }).catch(e => jsonResponse(res, 400, { error: e.message }));
     return true;
@@ -229,7 +297,7 @@ function handleReviewApi(req, res, url) {
   const commentMatch = p.match(/^\/api\/review-comments\/(\d+)$/);
   if (commentMatch && m === 'PUT') {
     readBody(req).then(body => {
-      db.updateReviewComment(parseInt(commentMatch[1]), body);
+      db.updateReviewComment(parseInt(commentMatch[1], 10), sanitizeReviewCommentUpdate(body));
       jsonResponse(res, 200, { ok: true });
     }).catch(e => jsonResponse(res, 400, { error: e.message }));
     return true;
@@ -272,7 +340,8 @@ function composeReviewPrompt(review) {
       const lineRef = c.line_end && c.line_end !== c.line_start
         ? `Lines ${c.line_start}-${c.line_end}`
         : `Line ${c.line_start}`;
-      const severity = c.severity !== 'comment' ? ` [${c.severity}]` : '';
+      const normalizedSeverity = normalizeReviewSeverity(c.severity);
+      const severity = normalizedSeverity !== 'comment' ? ` [${normalizedSeverity}]` : '';
       lines.push(`**${lineRef}**${severity}: ${c.body}\n`);
     }
   }
@@ -284,4 +353,12 @@ function composeReviewPrompt(review) {
   return lines.join('\n');
 }
 
-module.exports = { handleReviewApi, checkForChanges };
+module.exports = {
+  handleReviewApi,
+  checkForChanges,
+  composeReviewPrompt,
+  _normalizeReviewSeverity: normalizeReviewSeverity,
+  _normalizeReviewStatus: normalizeReviewStatus,
+  _sanitizeReviewCommentInput: sanitizeReviewCommentInput,
+  _sanitizeReviewCommentUpdate: sanitizeReviewCommentUpdate,
+};

package/template/claude-task-manager/db.js

@@ -2593,11 +2593,30 @@ function deleteReview(id) {
   getDb().prepare('DELETE FROM code_reviews WHERE id = ?').run(id);
 }
 
+const REVIEW_COMMENT_SEVERITIES = new Set(['comment', 'suggestion', 'issue', 'nit', 'question']);
+const REVIEW_COMMENT_STATUSES = new Set(['open', 'resolved']);
+const REVIEW_COMMENT_SIDES = new Set(['old', 'new']);
+
+function normalizeReviewCommentSeverity(severity) {
+  severity = String(severity || 'comment').trim().toLowerCase();
+  return REVIEW_COMMENT_SEVERITIES.has(severity) ? severity : 'comment';
+}
+
+function normalizeReviewCommentStatus(status) {
+  status = String(status || 'open').trim().toLowerCase();
+  return REVIEW_COMMENT_STATUSES.has(status) ? status : 'open';
+}
+
+function normalizeReviewCommentSide(side) {
+  side = String(side || 'new').trim().toLowerCase();
+  return REVIEW_COMMENT_SIDES.has(side) ? side : 'new';
+}
+
 function addReviewComment({ review_id, file_path, line_start, line_end, side, body, severity, ai_generated }) {
   const result = getDb().prepare(
     `INSERT INTO review_comments (review_id, file_path, line_start, line_end, side, body, severity, ai_generated)
      VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
-  ).run(review_id, file_path, line_start, line_end || line_start, side || 'new', body, severity || 'comment', ai_generated ? 1 : 0);
+  ).run(review_id, file_path, line_start, line_end || line_start, normalizeReviewCommentSide(side), body, normalizeReviewCommentSeverity(severity), ai_generated ? 1 : 0);
   // Update comment count
   const count = getDb().prepare('SELECT COUNT(*) as n FROM review_comments WHERE review_id = ?').get(review_id);
   getDb().prepare('UPDATE code_reviews SET comment_count = ? WHERE id = ?').run(count.n, review_id);
@@ -2608,8 +2627,8 @@ function updateReviewComment(id, { body, severity, status }) {
   const sets = [];
   const params = [];
   if (body !== undefined) { sets.push('body = ?'); params.push(body); }
-  if (severity !== undefined) { sets.push('severity = ?'); params.push(severity); }
-  if (status !== undefined) { sets.push('status = ?'); params.push(status); }
+  if (severity !== undefined) { sets.push('severity = ?'); params.push(normalizeReviewCommentSeverity(severity)); }
+  if (status !== undefined) { sets.push('status = ?'); params.push(normalizeReviewCommentStatus(status)); }
   if (sets.length === 0) return;
   params.push(id);
   getDb().prepare(`UPDATE review_comments SET ${sets.join(', ')} WHERE id = ?`).run(...params);
@@ -3513,6 +3532,13 @@ function resolveSession(id) {
   return null;
 }
 
+function normalizeDbCreatedAt(value) {
+  if (!value) return '';
+  const ms = new Date(value).getTime();
+  if (!Number.isFinite(ms)) return '';
+  return new Date(ms).toISOString().replace('T', ' ').replace(/\.\d+Z$/, '');
+}
+
 /**
  * Merge a ctm_sessions row + agent_sessions row into a unified object
  * that matches the old sessions table shape (for backward compatibility).
@@ -3594,6 +3620,7 @@ function upsertSession(id, data, opts) {
     title: data.title || '',
     user_renamed: data.userRenamed ? 1 : 0,
     starred: data.starred ? 1 : 0,
+    created_at: normalizeDbCreatedAt(data.createdAt),
   };
   const agentParams = (agentId && agentId !== '__CLEAR__') ? {
     agent_session_id: agentId,
@@ -3615,8 +3642,8 @@ function upsertSession(id, data, opts) {
   const txn = d.transaction(() => {
     // Upsert ctm_sessions
     d.prepare(`
-      INSERT INTO ctm_sessions (id, provider, project_path, cwd, title, user_renamed, starred)
-      VALUES (@id, @provider, @project_path, @cwd, @title, @user_renamed, @starred)
+      INSERT INTO ctm_sessions (id, provider, project_path, cwd, title, user_renamed, starred, created_at)
+      VALUES (@id, @provider, @project_path, @cwd, @title, @user_renamed, @starred, COALESCE(NULLIF(@created_at, ''), datetime('now')))
       ON CONFLICT(id) DO UPDATE SET
         provider = COALESCE(NULLIF(excluded.provider, ''), ctm_sessions.provider),
         project_path = COALESCE(NULLIF(excluded.project_path, ''), ctm_sessions.project_path),