create-walle 0.9.20 → 0.9.22

package/template/claude-task-manager/db.js

@@ -6,7 +6,7 @@ const zlib = require('zlib');
 
 const { execFileSync } = require('child_process');
 const { normalizeAgentType } = require('./lib/agent-capabilities');
-const { codexRolloutIdFromPath } = require('./lib/session-history');
+const { codexRolloutIdFromPath, readCodexRolloutMetadata } = require('./lib/session-history');
 const { ensureTranscriptTables } = require('./lib/transcript-store');
 const {
   classifySqliteError,
@@ -19,6 +19,7 @@ const {
 const DATA_DIR = process.env.CTM_DATA_DIR || path.join(process.env.HOME, '.walle', 'data');
 const DEFAULT_DB_PATH = path.join(DATA_DIR, 'task-manager.db');
 const DEFAULT_IMAGES_DIR = path.join(DATA_DIR, 'images');
+const SESSION_IMAGES_DIR = path.join(DATA_DIR, 'session-images');
 const BACKUP_DIR = path.join(DATA_DIR, 'backups');
 
 let db = null;
@@ -52,33 +53,57 @@ function resolveGitRoot(projectPath) {
 
 function _codexFileAgentSessionId(jsonlPath) {
   try {
-    return codexRolloutIdFromPath(jsonlPath || '') || '';
+    const filePath = String(jsonlPath || '').trim();
+    if (!filePath) return '';
+    const pathId = codexRolloutIdFromPath(filePath);
+    if (!pathId && !String(path.basename(filePath || '')).startsWith('rollout-')) return '';
+    const meta = readCodexRolloutMetadata(filePath) || {};
+    return String(meta.id || pathId || '').trim();
   } catch {
     return '';
   }
 }
 
+function _looksLikeCodexRolloutBasename(value) {
+  return /^rollout-\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(String(value || '').trim());
+}
+
+function _codexRolloutBasenameAgentSessionId(value) {
+  const match = String(value || '').trim().match(/^rollout-\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i);
+  return match ? match[1].toLowerCase() : '';
+}
+
+function _codexResumeAlias(value, canonicalId) {
+  const clean = String(value || '').trim();
+  if (!clean || clean === canonicalId || _looksLikeCodexRolloutBasename(clean)) return '';
+  return clean;
+}
+
 function _normalizeAgentSessionIdentity(data = {}) {
-  const provider = normalizeAgentType(data.provider || '') || String(data.provider || '').toLowerCase();
+  const jsonlPath = String(data.jsonlPath || '').trim();
+  const codexFileAgentSessionId = _codexFileAgentSessionId(jsonlPath);
+  const provider = (codexFileAgentSessionId || _codexRolloutBasenameAgentSessionId(data.agentSessionId))
+    ? 'codex'
+    : (normalizeAgentType(data.provider || '') || String(data.provider || '').toLowerCase());
   let agentSessionId = String(data.agentSessionId || '').trim();
   let providerResumeId = String(data.providerResumeId || data.resumeSessionId || '').trim();
-  const jsonlPath = String(data.jsonlPath || '').trim();
 
-  if (provider === 'codex' && jsonlPath) {
-    const fileAgentSessionId = _codexFileAgentSessionId(jsonlPath);
+  if (provider === 'codex') {
+    const fileAgentSessionId = codexFileAgentSessionId || _codexRolloutBasenameAgentSessionId(agentSessionId);
     if (fileAgentSessionId) {
       if (agentSessionId && agentSessionId !== fileAgentSessionId) {
-        if (!providerResumeId) providerResumeId = agentSessionId;
+        if (!providerResumeId) providerResumeId = _codexResumeAlias(agentSessionId, fileAgentSessionId);
+        const sourceLabel = jsonlPath ? path.basename(jsonlPath) : agentSessionId;
         console.error(
-          `[db] Codex agent_session_id/jsonl mismatch; using filename id ${fileAgentSessionId.slice(0, 8)} ` +
-          `instead of ${agentSessionId.slice(0, 8)} for ${path.basename(jsonlPath)}`
+          `[db] Codex agent_session_id/jsonl mismatch; using rollout metadata id ${fileAgentSessionId.slice(0, 8)} ` +
+          `instead of ${agentSessionId.slice(0, 8)} for ${sourceLabel}`
         );
       }
       agentSessionId = fileAgentSessionId;
     }
   }
 
-  return { agentSessionId, providerResumeId };
+  return { agentSessionId, providerResumeId, provider };
 }
 
 function getDb() {
@@ -110,6 +135,7 @@ function _ensureDataDirs(dbPath) {
   const dir = path.dirname(dbPath);
   if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
   if (!fs.existsSync(DEFAULT_IMAGES_DIR)) fs.mkdirSync(DEFAULT_IMAGES_DIR, { recursive: true });
+  if (!fs.existsSync(SESSION_IMAGES_DIR)) fs.mkdirSync(SESSION_IMAGES_DIR, { recursive: true });
   if (!fs.existsSync(BACKUP_DIR)) fs.mkdirSync(BACKUP_DIR, { recursive: true });
 }
 
@@ -1459,6 +1485,47 @@ function migrateSchemaIfNeeded() {
       // column presence before writing title-generation status.
     }
   }
+  if (getSchemaVersion() < 6) {
+    try {
+      migrateToV6();
+    } catch (e) {
+      console.error('[db] Schema migration to v6 FAILED:', e.message);
+      console.error('[db] Stack:', e.stack);
+      // Non-fatal: Wall-E can still fall back to startup_tasks/model defaults,
+      // but per-session model preferences will not persist until this succeeds.
+    }
+  }
+}
+
+/**
+ * Schema v6: Persist session-scoped model preferences.
+ *
+ * startup_tasks.model_id is a restore hint and intentionally has no provider
+ * identity. Wall-E session model changes need a CTM-owned durable preference so
+ * one tab's model switch cannot mutate Wall-E global defaults or another tab.
+ */
+function migrateToV6() {
+  const d = getDb();
+  d.exec(`
+    CREATE TABLE IF NOT EXISTS session_model_preferences (
+      ctm_session_id TEXT PRIMARY KEY,
+      agent_type TEXT NOT NULL DEFAULT 'walle',
+      provider_type TEXT NOT NULL DEFAULT '',
+      provider_id TEXT NOT NULL DEFAULT '',
+      model_id TEXT NOT NULL DEFAULT '',
+      registry_id TEXT NOT NULL DEFAULT '',
+      scope TEXT NOT NULL DEFAULT 'session',
+      source TEXT NOT NULL DEFAULT 'user',
+      pinned INTEGER NOT NULL DEFAULT 1,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now')),
+      FOREIGN KEY (ctm_session_id) REFERENCES ctm_sessions(id) ON DELETE CASCADE
+    );
+    CREATE INDEX IF NOT EXISTS idx_session_model_preferences_agent
+      ON session_model_preferences(agent_type, updated_at DESC);
+  `);
+  setSchemaVersion(6);
+  console.log('[db] Schema migrated to v6 (session model preferences)');
 }
 
 /**
@@ -2275,6 +2342,157 @@ function deleteImage(id) {
   }
 }
 
+function _sanitizeSessionImageSegment(value, fallback) {
+  const clean = String(value || '')
+    .trim()
+    .replace(/[^A-Za-z0-9._-]+/g, '-')
+    .replace(/-+/g, '-')
+    .replace(/^[.-]+|[.-]+$/g, '')
+    .slice(0, 120);
+  return clean || fallback;
+}
+
+function _sessionImageTimestampSlug(value) {
+  let date = null;
+  if (typeof value === 'number' && Number.isFinite(value)) date = new Date(value);
+  else if (typeof value === 'string' && value.trim()) {
+    const n = Number(value);
+    date = Number.isFinite(n) && /^\d+$/.test(value.trim()) ? new Date(n) : new Date(value);
+  }
+  if (!date || Number.isNaN(date.getTime())) date = new Date();
+  return date.toISOString().replace(/[-:.]/g, '').replace(/Z$/, 'Z');
+}
+
+function _sessionImagePromptHash(text, fallbackParts = []) {
+  const source = String(text || '').trim() || fallbackParts.map(v => String(v || '')).join('|') || String(Date.now());
+  return crypto.createHash('sha256').update(source).digest('hex').slice(0, 16);
+}
+
+function _pathInsideDir(filePath, dirPath) {
+  const resolvedFile = path.resolve(filePath || '');
+  const resolvedDir = path.resolve(dirPath || '');
+  return resolvedFile === resolvedDir || resolvedFile.startsWith(resolvedDir + path.sep);
+}
+
+function _imageRowForReference(ref) {
+  const imageId = Number(ref && ref.id || 0);
+  if (Number.isInteger(imageId) && imageId > 0) {
+    const row = getImage(imageId);
+    if (row) return row;
+  }
+
+  const candidate = String(ref && (ref.file_path || ref.path) || '').trim();
+  if (candidate && _pathInsideDir(candidate, DEFAULT_IMAGES_DIR)) {
+    const resolved = path.resolve(candidate);
+    const row = getDb().prepare(
+      'SELECT * FROM images WHERE file_path = ? OR file_path LIKE ? ORDER BY id DESC LIMIT 1'
+    ).get(resolved, '%/' + path.basename(resolved));
+    if (row) return row;
+    if (fs.existsSync(resolved)) {
+      return {
+        id: null,
+        filename: path.basename(resolved),
+        mime_type: ref && (ref.mimeType || ref.mime_type) || 'image/png',
+        file_path: resolved,
+      };
+    }
+  }
+
+  const filename = path.basename(String(ref && ref.filename || '').trim());
+  if (filename) {
+    const row = getDb().prepare(
+      'SELECT * FROM images WHERE filename = ? OR file_path LIKE ? ORDER BY id DESC LIMIT 1'
+    ).get(filename, '%/' + filename);
+    if (row) return row;
+  }
+
+  return null;
+}
+
+async function _ensureRelativeSymlink(linkPath, relativeTarget) {
+  try {
+    const stat = await fs.promises.lstat(linkPath);
+    if (stat.isSymbolicLink()) {
+      const current = await fs.promises.readlink(linkPath);
+      if (current === relativeTarget) return;
+    }
+    await fs.promises.unlink(linkPath);
+  } catch (err) {
+    if (!err || err.code !== 'ENOENT') throw err;
+  }
+  await fs.promises.symlink(relativeTarget, linkPath);
+}
+
+async function recordSessionImageRefs(data = {}) {
+  const sessionId = String(data.sessionId || data.session_id || '').trim();
+  if (!sessionId) throw new Error('sessionId required');
+  const refs = Array.isArray(data.images) ? data.images : Array.isArray(data.attachments) ? data.attachments : [];
+  const sessionSlug = _sanitizeSessionImageSegment(sessionId, 'session');
+  const timestampSlug = _sessionImageTimestampSlug(data.submittedAt || data.submitted_at || Date.now());
+  const promptHash = _sanitizeSessionImageSegment(
+    data.promptHash || data.prompt_hash || _sessionImagePromptHash(data.promptText || data.prompt_text || '', [sessionId, timestampSlug]),
+    'prompt'
+  ).slice(0, 32);
+  const refDir = path.join(SESSION_IMAGES_DIR, sessionSlug);
+  await fs.promises.mkdir(refDir, { recursive: true });
+
+  const links = [];
+  const skipped = [];
+  const seenTargets = new Set();
+  let index = 0;
+  for (const ref of refs) {
+    const row = _imageRowForReference(ref);
+    if (!row || !row.file_path) {
+      skipped.push({ label: ref && ref.label || '', reason: 'image_not_found' });
+      continue;
+    }
+    const targetPath = path.resolve(row.file_path);
+    if (!_pathInsideDir(targetPath, DEFAULT_IMAGES_DIR)) {
+      skipped.push({ label: ref && ref.label || '', reason: 'outside_image_store' });
+      continue;
+    }
+    if (!fs.existsSync(targetPath)) {
+      skipped.push({ label: ref && ref.label || '', reason: 'file_missing' });
+      continue;
+    }
+    if (seenTargets.has(targetPath)) continue;
+    seenTargets.add(targetPath);
+    index += 1;
+    const ext = path.extname(targetPath) || path.extname(row.filename || '') || '.png';
+    const linkName = `${timestampSlug}-${promptHash}-image-${String(index).padStart(2, '0')}${ext}`;
+    const linkPath = path.join(refDir, linkName);
+    const relativeTarget = path.relative(refDir, targetPath);
+    await _ensureRelativeSymlink(linkPath, relativeTarget);
+    links.push({
+      label: ref && ref.label || `[Image #${index}]`,
+      image_id: row.id || null,
+      filename: row.filename || path.basename(targetPath),
+      mime_type: row.mime_type || ref && ref.mimeType || 'image/png',
+      link: linkName,
+      target: relativeTarget,
+    });
+  }
+
+  const manifestName = `${timestampSlug}-${promptHash}.json`;
+  const manifest = {
+    session_id: sessionId,
+    submitted_at: timestampSlug,
+    prompt_hash: promptHash,
+    prompt_text_hash: _sessionImagePromptHash(data.promptText || data.prompt_text || '', [sessionId, timestampSlug]),
+    created_at: new Date().toISOString(),
+    links,
+    skipped,
+  };
+  await fs.promises.writeFile(path.join(refDir, manifestName), JSON.stringify(manifest, null, 2) + '\n');
+  return {
+    sessionId,
+    refDir,
+    manifest: manifestName,
+    links,
+    skipped,
+  };
+}
+
 // --- Chains ---
 function createChain({ name, description }) {
   const result = getDb().prepare('INSERT INTO chains (name, description) VALUES (?, ?)').run(name, description || '');
@@ -3268,6 +3486,95 @@ function getInsightsData(includeInternal) {
   };
 }
 
+// --- Session Model Preferences ---
+function _cleanSessionModelPreferenceInput(input = {}) {
+  const clean = (value, max) => String(value || '').trim().slice(0, max);
+  return {
+    ctmSessionId: clean(input.ctmSessionId || input.ctm_session_id || input.sessionId || input.id, 160),
+    agentType: clean(input.agentType || input.agent_type || 'walle', 60) || 'walle',
+    providerType: clean(input.providerType || input.provider_type || input.model_provider || input.provider, 120),
+    providerId: clean(input.providerId || input.provider_id, 160),
+    modelId: clean(input.modelId || input.model_id || input.model, 256),
+    registryId: clean(input.registryId || input.registry_id || input.model_registry_id, 256),
+    scope: clean(input.scope || 'session', 40) || 'session',
+    source: clean(input.source || 'user', 80) || 'user',
+    pinned: input.pinned === false || input.pinned === 0 ? 0 : 1,
+  };
+}
+
+function upsertSessionModelPreference(input = {}) {
+  const item = _cleanSessionModelPreferenceInput(input);
+  if (!item.ctmSessionId) throw new Error('ctmSessionId is required');
+  if (!item.modelId) {
+    clearSessionModelPreference(item.ctmSessionId);
+    return null;
+  }
+  const d = getDb();
+  d.prepare(
+    "INSERT OR IGNORE INTO ctm_sessions (id, provider, updated_at) VALUES (?, ?, datetime('now'))"
+  ).run(item.ctmSessionId, item.agentType || 'walle');
+  d.prepare(`
+    INSERT INTO session_model_preferences (
+      ctm_session_id, agent_type, provider_type, provider_id, model_id,
+      registry_id, scope, source, pinned, updated_at
+    )
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, datetime('now'))
+    ON CONFLICT(ctm_session_id) DO UPDATE SET
+      agent_type = excluded.agent_type,
+      provider_type = excluded.provider_type,
+      provider_id = excluded.provider_id,
+      model_id = excluded.model_id,
+      registry_id = excluded.registry_id,
+      scope = excluded.scope,
+      source = excluded.source,
+      pinned = excluded.pinned,
+      updated_at = excluded.updated_at
+  `).run(
+    item.ctmSessionId, item.agentType, item.providerType, item.providerId,
+    item.modelId, item.registryId, item.scope, item.source, item.pinned
+  );
+  flushWal();
+  return getSessionModelPreference(item.ctmSessionId);
+}
+
+function getSessionModelPreference(ctmSessionId) {
+  const id = String(ctmSessionId || '').trim();
+  if (!id) return null;
+  const row = getDb().prepare(
+    'SELECT * FROM session_model_preferences WHERE ctm_session_id = ?'
+  ).get(id);
+  if (!row) return null;
+  return {
+    ctm_session_id: row.ctm_session_id,
+    ctmSessionId: row.ctm_session_id,
+    agent_type: row.agent_type || 'walle',
+    agentType: row.agent_type || 'walle',
+    provider_type: row.provider_type || '',
+    providerType: row.provider_type || '',
+    provider_id: row.provider_id || '',
+    providerId: row.provider_id || '',
+    model_id: row.model_id || '',
+    modelId: row.model_id || '',
+    registry_id: row.registry_id || '',
+    registryId: row.registry_id || '',
+    scope: row.scope || 'session',
+    source: row.source || 'user',
+    pinned: row.pinned !== 0,
+    created_at: row.created_at || '',
+    updated_at: row.updated_at || '',
+  };
+}
+
+function clearSessionModelPreference(ctmSessionId) {
+  const id = String(ctmSessionId || '').trim();
+  if (!id) return 0;
+  const changes = getDb().prepare(
+    'DELETE FROM session_model_preferences WHERE ctm_session_id = ?'
+  ).run(id).changes || 0;
+  if (changes) flushWal();
+  return changes;
+}
+
 // --- Startup Tasks (crash-safe session restore) ---
 const CTM_INSTANCE_ID = `${require('os').hostname()}:${process.pid}:${Date.now()}`;
 
@@ -4436,6 +4743,7 @@ function upsertSession(id, data, opts) {
   const normalizedIdentity = _normalizeAgentSessionIdentity(data);
   const agentId = normalizedIdentity.agentSessionId;
   const providerResumeId = normalizedIdentity.providerResumeId;
+  const provider = normalizedIdentity.provider || data.provider || '';
   function throwCrossTabClaim(existingCtmSessionId) {
     const err = new Error(
       `agent_session_id ${agentId} is already claimed by ctm_session ${existingCtmSessionId} (refusing cross-tab claim for ${id})`
@@ -4448,7 +4756,7 @@ function upsertSession(id, data, opts) {
   }
   const ctmParams = {
     id,
-    provider: data.provider || '',
+    provider,
     project_path: data.projectPath || '',
     cwd: data.cwd || '',
     title: data.title || '',
@@ -4463,7 +4771,7 @@ function upsertSession(id, data, opts) {
   const agentParams = (agentId && agentId !== '__CLEAR__') ? {
     agent_session_id: agentId,
     ctm_session_id: id,
-    provider: data.provider || '',
+    provider,
     provider_resume_id: providerResumeId || '',
     project_path: data.projectPath || '',
     jsonl_path: data.jsonlPath || '',
@@ -4809,6 +5117,161 @@ function repairCodexSessionMetadataFromConversations({ dryRun = false, limit = 5
   };
 }
 
+function _newerTimestamp(a, b) {
+  const aMs = Date.parse(String(a || ''));
+  const bMs = Date.parse(String(b || ''));
+  if (!Number.isFinite(aMs)) return b || '';
+  if (!Number.isFinite(bMs)) return a || '';
+  return aMs >= bMs ? a : b;
+}
+
+function _mergeCodexAgentRow(existing, stale, canonicalId) {
+  const resumeAlias = _codexResumeAlias(existing?.provider_resume_id, canonicalId)
+    || _codexResumeAlias(stale?.provider_resume_id, canonicalId)
+    || _codexResumeAlias(stale?.agent_session_id, canonicalId);
+  return {
+    ctm_session_id: existing?.ctm_session_id || stale?.ctm_session_id || '',
+    provider_resume_id: resumeAlias,
+    project_path: existing?.project_path || stale?.project_path || '',
+    jsonl_path: existing?.jsonl_path || stale?.jsonl_path || '',
+    first_message: existing?.first_message || stale?.first_message || '',
+    file_size: Math.max(Number(existing?.file_size || 0), Number(stale?.file_size || 0)),
+    modified_at: _newerTimestamp(existing?.modified_at, stale?.modified_at),
+    hostname: existing?.hostname || stale?.hostname || '',
+    model: existing?.model || stale?.model || '',
+    git_branch: existing?.git_branch || stale?.git_branch || '',
+    user_msg_count: Math.max(Number(existing?.user_msg_count || 0), Number(stale?.user_msg_count || 0)),
+    slug: existing?.slug || stale?.slug || '',
+  };
+}
+
+function repairCodexRolloutAgentIdentities({ dryRun = false, limit = 1000 } = {}) {
+  const d = getDb();
+  const candidates = d.prepare(`
+    SELECT *
+    FROM agent_sessions
+    WHERE jsonl_path LIKE '%rollout-%.jsonl%'
+    ORDER BY
+      CASE
+        WHEN COALESCE(provider, '') != 'codex' THEN 0
+        WHEN agent_session_id LIKE 'rollout-%' THEN 0
+        WHEN provider_resume_id LIKE 'rollout-%' THEN 0
+        ELSE 1
+      END,
+      updated_at DESC,
+      modified_at DESC
+    LIMIT ?
+  `).all(Math.max(1, Number(limit) || 1000));
+
+  const repairs = [];
+  for (const row of candidates) {
+    const canonicalId = _codexFileAgentSessionId(row.jsonl_path);
+    if (!canonicalId) continue;
+    const provider = normalizeAgentType(row.provider || '') || String(row.provider || '').toLowerCase();
+    if (row.agent_session_id === canonicalId && provider === 'codex') continue;
+    repairs.push({ ...row, canonicalId, provider });
+  }
+
+  if (!dryRun && repairs.length > 0) {
+    const selectAgent = d.prepare('SELECT * FROM agent_sessions WHERE agent_session_id = ?');
+    const updateCanonical = d.prepare(`
+      UPDATE agent_sessions SET
+        ctm_session_id = COALESCE(NULLIF(?, ''), ctm_session_id),
+        provider = 'codex',
+        provider_resume_id = ?,
+        project_path = COALESCE(NULLIF(?, ''), project_path),
+        jsonl_path = COALESCE(NULLIF(?, ''), jsonl_path),
+        first_message = COALESCE(NULLIF(?, ''), first_message),
+        file_size = CASE WHEN ? > COALESCE(file_size, 0) THEN ? ELSE COALESCE(file_size, 0) END,
+        modified_at = COALESCE(NULLIF(?, ''), modified_at),
+        hostname = COALESCE(NULLIF(?, ''), hostname),
+        model = COALESCE(NULLIF(?, ''), model),
+        git_branch = COALESCE(NULLIF(?, ''), git_branch),
+        user_msg_count = CASE WHEN ? > COALESCE(user_msg_count, 0) THEN ? ELSE COALESCE(user_msg_count, 0) END,
+        slug = COALESCE(NULLIF(?, ''), slug),
+        updated_at = datetime('now')
+      WHERE agent_session_id = ?
+    `);
+    const updateInPlace = d.prepare(`
+      UPDATE agent_sessions SET
+        agent_session_id = ?,
+        provider = 'codex',
+        provider_resume_id = ?,
+        updated_at = datetime('now')
+      WHERE agent_session_id = ?
+    `);
+    const deleteStale = d.prepare('DELETE FROM agent_sessions WHERE agent_session_id = ?');
+    const updateCtmProvider = d.prepare(`
+      UPDATE ctm_sessions
+      SET provider = 'codex', updated_at = datetime('now')
+      WHERE id = ? AND COALESCE(provider, '') != 'codex'
+    `);
+
+    const txn = d.transaction(() => {
+      for (const row of repairs) {
+        const canonical = selectAgent.get(row.canonicalId);
+        if (canonical && canonical.agent_session_id !== row.agent_session_id) {
+          const merged = _mergeCodexAgentRow(canonical, row, row.canonicalId);
+          updateCanonical.run(
+            merged.ctm_session_id,
+            merged.provider_resume_id,
+            merged.project_path,
+            merged.jsonl_path,
+            merged.first_message,
+            merged.file_size,
+            merged.file_size,
+            merged.modified_at,
+            merged.hostname,
+            merged.model,
+            merged.git_branch,
+            merged.user_msg_count,
+            merged.user_msg_count,
+            merged.slug,
+            row.canonicalId
+          );
+          deleteStale.run(row.agent_session_id);
+        } else if (row.agent_session_id !== row.canonicalId) {
+          const resumeAlias = _codexResumeAlias(row.provider_resume_id, row.canonicalId)
+            || _codexResumeAlias(row.agent_session_id, row.canonicalId);
+          updateInPlace.run(row.canonicalId, resumeAlias, row.agent_session_id);
+        } else {
+          updateCanonical.run(
+            row.ctm_session_id || '',
+            _codexResumeAlias(row.provider_resume_id, row.canonicalId),
+            row.project_path || '',
+            row.jsonl_path || '',
+            row.first_message || '',
+            Number(row.file_size || 0),
+            Number(row.file_size || 0),
+            row.modified_at || '',
+            row.hostname || '',
+            row.model || '',
+            row.git_branch || '',
+            Number(row.user_msg_count || 0),
+            Number(row.user_msg_count || 0),
+            row.slug || '',
+            row.canonicalId
+          );
+        }
+        if (row.ctm_session_id) updateCtmProvider.run(row.ctm_session_id);
+      }
+    });
+    txn();
+    flushWal();
+  }
+
+  return {
+    checked: candidates.length,
+    repaired: repairs.length,
+    rows: repairs.map(row => ({
+      ctm_session_id: row.ctm_session_id,
+      from_agent_session_id: row.agent_session_id,
+      to_agent_session_id: row.canonicalId,
+      provider: row.provider,
+    })),
+  };
+}
+
 /**
  * Get all session data in old-compatible format (for apiRecentSessions).
  * Returns merged ctm_sessions + agent_sessions rows.
@@ -4988,7 +5451,7 @@ module.exports = {
   createPrompt, updatePrompt, getPrompt, listPrompts, listChildPrompts, setPromptParent, createGroupFromPrompts, deletePrompt, duplicatePrompt, reorderPrompts,
   getPromptVersions, restorePromptVersion,
   createFolder, listFolders, updateFolder, deleteFolder, reorderFolders,
-  saveImage, getImage, updateImageAnnotations, listImages, deleteImage,
+  saveImage, getImage, updateImageAnnotations, listImages, deleteImage, recordSessionImageRefs,
   createChain, getChain, listChains, updateChain, deleteChain,
   listPermissionRules, upsertPermissionRule, deletePermissionRule,
   listPermissionLog, addPermissionLog,
@@ -5013,6 +5476,7 @@ module.exports = {
   replaceInsightRecommendations, listInsightRecommendations,
   startAnalysisRun, completeAnalysisRun, getLastAnalysisRun,
   getInsightsData,
+  upsertSessionModelPreference, getSessionModelPreference, clearSessionModelPreference,
   addStartupTask, updateStartupTaskLabel, updateStartupTaskClaudeSession, updateStartupTaskAgentSession, updateStartupTaskBranch, updateStartupTaskCwd, removeStartupTask, markStartupTaskExited, heartbeatStartupTasks, getStartupTask, listStartupTasks, clearStartupTasks,
   createSessionWithStartupTask,
   appendScrollbackBatch, cleanupScrollbackChunkSeqIntegrity, getNextScrollbackSeq, loadScrollback, loadScrollbackTail, clearScrollback,
@@ -5020,7 +5484,7 @@ module.exports = {
   listHooks, getEnabledHooks, createHook, deleteHook, toggleHook,
   upsertAnalysisFts, backfillFts, ftsSearchAnalyses, invalidateFtsRowidMap,
   extractSessionMessages, extractSessionMessagesAsync, replaceSessionMessages, backfillSessionMessages, backfillSessionMessagesAsync, ftsSearchMessages,
-  DEFAULT_IMAGES_DIR, BACKUP_DIR,
+  DEFAULT_IMAGES_DIR, SESSION_IMAGES_DIR, BACKUP_DIR,
   // Workspaces (Phase 13)
   listWorkspaces, createWorkspace, updateWorkspace, deleteWorkspace,
   addSessionToWorkspace, removeSessionFromWorkspace, getWorkspaceSessions, getSessionWorkspace,
@@ -5034,7 +5498,7 @@ module.exports = {
   // CTM Sessions + Agent Sessions (v1 schema)
   getSessionIdentity, getLatestAgentSessionForCtm, getSessionConversationSourceIds, resolveSession, upsertSession, setSessionStar, getStarredSessionIds,
   setSessionTitleNew, setSessionTitleStatusNew, getSessionTitleNew, getAllSessionsData,
-  repairCodexSessionMetadataFromConversations,
+  repairCodexSessionMetadataFromConversations, repairCodexRolloutAgentIdentities,
   getAgentSessions, getAgentSession, deleteCtmSession,
   // Schema version
   getSchemaVersion,

package/template/claude-task-manager/docs/app-update-refresh-protocol.md

@@ -0,0 +1,69 @@
+# CTM App Update Refresh Protocol
+
+## Problem
+
+CTM is a long-lived browser app. A user can keep several CTM tabs open while
+`create-walle update` replaces CTM and Wall-E code, restarts the server, and
+serves newer HTML, CSS, and JavaScript. Existing browser tabs may reconnect to
+the new server while still executing the old client bundle.
+
+That is unsafe in both directions:
+
+- silently keeping old code leaves users on stale UX after an update;
+- blindly reloading every tab can destroy active terminal input, queue drafts,
+  screenshot edits, or mobile composer text.
+
+## Design
+
+The server is the source of truth for the installed application identity. Each
+WebSocket `hello` includes an app identity:
+
+- `version`: the installed create-walle version;
+- `components`: CTM and Wall-E package versions;
+- `buildId`: a stable hash of key shipped files and package versions.
+
+`buildId` is recomputed from file stats when version info is requested. It must
+not be process-cached because update installers can replace static assets before
+or during a server restart.
+
+The client records the first app identity it sees for the current document. On
+later WebSocket reconnects, if the server identity changes, the page is running
+old code and must refresh before continuing normal operation.
+
+## UX Contract
+
+When a changed app identity is detected:
+
+1. Broadcast `reload-required` to same-origin CTM tabs using `BroadcastChannel`.
+2. If the current tab is idle, reload immediately.
+3. If the current tab has active user work, show a sticky reload-required banner
+   and do not steal focus.
+4. The banner remains until the user clicks **Reload now** or the page is
+   refreshed.
+
+Active user work includes focused xterm.js terminals, editable inputs,
+contenteditable composers, open modals, open queue panel, and screenshot editor
+state.
+
+## Mobile/PWA
+
+The mobile service worker already uses a network-first shell strategy and
+activates new workers. That only updates future navigations; a currently open
+mobile document still needs the same runtime identity handshake. Mobile uses the
+same `hello` comparison and shows a compact refresh banner when a composer or
+detail view is active.
+
+## Non-Goals
+
+- No hard reload while a user is typing.
+- No reload prompt for ordinary CTM restarts when the app identity is unchanged.
+- No dependency on service workers for desktop refresh behavior.
+
+## Verification
+
+Focused render tests should cover:
+
+- an idle desktop tab auto-refreshes on server identity change;
+- a focused terminal desktop tab shows the reload banner without losing focus;
+- another open tab receives the reload-required event through `BroadcastChannel`;
+- mobile shows the refresh banner instead of silently keeping stale code.