create-walle 0.9.21 → 0.9.22

package/template/claude-task-manager/docs/ipad-web-preview.md

@@ -0,0 +1,88 @@
+# CTM iPad Web Preview
+
+Status: implemented for local and staging checks
+Date: 2026-05-19
+
+## Goal
+
+Use `/ipad.html` to run the CTM mobile app inside an iPad-sized frame from any CTM server. This is a fast desktop-browser check for the iPad layout before testing on a physical iPad.
+
+The preview is intentionally same-origin by default:
+
+```text
+http://localhost:3456/ipad.html
+  frames
+http://localhost:3456/m/
+```
+
+When testing a staging/tunnel server, open that server's own preview page:
+
+```text
+https://<staging-host>/ipad.html
+```
+
+That keeps CTM cookies, device tokens, service worker scope, and API calls on the same origin as the mobile app.
+
+## Run A Safe Local Staging Instance
+
+Use `bin/dev.sh --refresh` with a separate port and data directory so iPad testing has copied CTM/Wall-E data without mutating the primary CTM state:
+
+```bash
+WALLE_DEV_DIR=/tmp/walle-dev-4456 \
+DEV_CTM_PORT=4456 \
+DEV_WALLE_PORT=4457 \
+bash bin/dev.sh --refresh
+```
+
+Open:
+
+```text
+http://localhost:4456/ipad.html
+```
+
+The source field defaults to `/m/`. Keep it there for normal testing. If the preview loads but has no sessions, restart with `--refresh`; that copies the current CTM and Wall-E databases into the staging data directory.
+
+## Preview Modes
+
+`/ipad.html` includes four device presets:
+
+- `Test Portrait`: `768 x 1024`, matching the automated tablet regression test.
+- `Test Landscape`: `1024 x 768`, matching the automated split-workspace regression test.
+- `11 Portrait`: `834 x 1194`, close to an 11-inch iPad CSS viewport.
+- `11 Landscape`: `1194 x 834`, close to an 11-inch iPad landscape viewport.
+
+Use `Reload` to reload only the framed mobile app. Use `Open` to launch the framed URL directly.
+
+## What This Catches
+
+- Tablet breakpoint regressions.
+- Horizontal overflow.
+- Portrait single-column sizing.
+- Landscape list/detail split layout.
+- Detail pane modal-vs-region behavior.
+- Composer and bottom navigation placement.
+- Search and session-card density at iPad widths.
+
+## What Still Requires A Real iPad
+
+The preview does not replace Safari-on-iPad validation. Always do one physical-device pass before shipping high-risk mobile changes because desktop browser framing does not fully emulate:
+
+- iPad Safari viewport height changes when the software keyboard opens.
+- PWA standalone mode.
+- touch momentum scrolling and rubber-band edges.
+- safe-area inset differences.
+- iOS third-party cookie and passkey behavior.
+- real camera/file-picker attachment flows.
+
+## Automated Companion Test
+
+The existing mobile render suite covers the same core tablet breakpoints:
+
+```bash
+npm --prefix claude-task-manager exec playwright test -- \
+  --config tests/rendering/playwright.config.js \
+  scenarios/mobile-pwa.spec.js \
+  -g "iPad|tablet|iPad preview"
+```
+
+Use the automated test for regression gates and `/ipad.html` for quick visual inspection.

package/template/claude-task-manager/git-utils.js

@@ -459,7 +459,9 @@ function _realpath(p) {
 //   - isCanonical: path lives under an agent-owned <repo>/.claude|.walle/worktrees/<name>
 //   - isGhost: path contains /~/ corruption OR path doesn't exist on disk
 //   - ahead/behind vs mainBranch
-//   - dirtyFiles: count of modified+untracked
+//   - dirtyFiles: count of tracked dirty + untracked files
+//   - trackedDirtyFiles/untrackedFiles: split counts so untracked-only
+//     generated artifacts do not block safe sync from main
 //   - unmergedCommits: rev-list count main..HEAD (0 ⇒ safe to delete)
 //   - lastActivity: ISO timestamp of HEAD commit
 //   - summary: 1-line human-readable status
@@ -476,6 +478,98 @@ async function _gitSafe(cwd, args, timeoutMs = 5000) {
   });
 }
 
+async function _gitSafeRaw(cwd, args, timeoutMs = 5000) {
+  return new Promise((resolve) => {
+    execFile('git', args, { cwd, timeout: timeoutMs, maxBuffer: 1024 * 1024 }, (err, stdout) => {
+      if (err) return resolve(null);
+      resolve(String(stdout || ''));
+    });
+  });
+}
+
+function _parsePorcelainStatusZ(out) {
+  const entries = String(out || '').split('\0').filter(Boolean);
+  const result = {
+    dirtyFiles: 0,
+    trackedDirtyFiles: 0,
+    untrackedFiles: 0,
+    ignoredFiles: 0,
+    unmergedFiles: 0,
+    stagedFiles: 0,
+    unstagedFiles: 0,
+    untrackedPaths: [],
+  };
+
+  for (let i = 0; i < entries.length; i++) {
+    const entry = entries[i];
+    if (entry.length < 3) continue;
+    const xy = entry.slice(0, 2);
+    const filePath = entry.slice(3);
+    if (xy === '??') {
+      result.untrackedFiles += 1;
+      result.untrackedPaths.push(filePath);
+      continue;
+    }
+    if (xy === '!!') {
+      result.ignoredFiles += 1;
+      continue;
+    }
+
+    result.trackedDirtyFiles += 1;
+    if (xy[0] && xy[0] !== ' ') result.stagedFiles += 1;
+    if (xy[1] && xy[1] !== ' ') result.unstagedFiles += 1;
+    if (xy.includes('U') || ['AA', 'DD'].includes(xy)) result.unmergedFiles += 1;
+    // In porcelain v1 -z, rename/copy records include the source path as a
+    // second NUL-terminated field. Skip it so one rename counts once.
+    if (xy[0] === 'R' || xy[0] === 'C') i += 1;
+  }
+
+  result.dirtyFiles = result.trackedDirtyFiles + result.untrackedFiles;
+  result.hasOnlyUntrackedFiles = result.untrackedFiles > 0 && result.trackedDirtyFiles === 0;
+  return result;
+}
+
+function _trackedDirtyCount(wt) {
+  if (!wt) return 0;
+  if (wt.trackedDirtyFiles != null) return Number(wt.trackedDirtyFiles || 0);
+  const dirty = Number(wt.dirtyFiles || 0);
+  const untracked = Number(wt.untrackedFiles || 0);
+  return Math.max(0, dirty - untracked);
+}
+
+function _hasOnlyUntrackedFiles(wt) {
+  if (!wt) return false;
+  const dirty = Number(wt.dirtyFiles || 0);
+  return dirty > 0 && _trackedDirtyCount(wt) === 0;
+}
+
+function _splitNulPaths(out) {
+  return String(out || '').split('\0').filter(Boolean);
+}
+
+function _pathsOverlap(a, b) {
+  const left = String(a || '').replace(/\/+$/, '');
+  const right = String(b || '').replace(/\/+$/, '');
+  if (!left || !right) return false;
+  return left === right || left.startsWith(right + '/') || right.startsWith(left + '/');
+}
+
+async function _untrackedSyncCollisions(worktreePath, targetBranch) {
+  const status = _parsePorcelainStatusZ(await _gitSafeRaw(worktreePath, ['status', '--porcelain=v1', '-uall', '-z']) || '');
+  if (status.trackedDirtyFiles > 0 || status.untrackedPaths.length === 0) {
+    return { status, collisions: [] };
+  }
+  const changedOut = await _gitSafeRaw(worktreePath, ['diff', '--name-only', '-z', 'HEAD', targetBranch], 8000);
+  const changedPaths = _splitNulPaths(changedOut);
+  if (changedPaths.length === 0) return { status, collisions: [] };
+  const collisions = [];
+  for (const untrackedPath of status.untrackedPaths) {
+    const hit = changedPaths.find(changedPath => _pathsOverlap(untrackedPath, changedPath));
+    if (hit) collisions.push({ untrackedPath, incomingPath: hit });
+  }
+  return { status, collisions };
+}
+
 function _checkpointRefSlug(branchName) {
   let slug = String(branchName || 'branch')
     .replace(/[^A-Za-z0-9._-]+/g, '-')
@@ -621,7 +715,7 @@ function _classifyState(wt) {
   if (wt.isGhost) return 'ghost';
   if (wt.isMain) return 'primary';
   if (!wt.branch || wt.branch === 'HEAD') return 'detached';
-  if (wt.dirtyFiles > 0) return 'dirty';
+  if (_trackedDirtyCount(wt) > 0) return 'dirty';
   const ahead = wt.ahead || 0;
   const behind = wt.behind || 0;
   if (ahead > 0 && behind > 0) return 'diverged';
@@ -654,16 +748,20 @@ function _buildSummary(wt) {
     return 'Primary worktree';
   }
   if (wt.state === 'detached') return 'Detached HEAD — commits here are at risk. Click Recover branch.';
+  const trackedDirty = _trackedDirtyCount(wt);
+  const untrackedFiles = Number(wt.untrackedFiles || 0);
   const parts = [];
   if (wt.ahead > 0) parts.push(`${wt.ahead} ahead`);
   if (wt.behind > 0) parts.push(`${wt.behind} behind`);
-  if (wt.dirtyFiles > 0) parts.push(`${wt.dirtyFiles} dirty`);
+  if (trackedDirty > 0) parts.push(`${trackedDirty} dirty`);
+  if (untrackedFiles > 0) parts.push(`${untrackedFiles} untracked`);
   if (parts.length === 0) return 'Clean — synced with main';
   let suffix = '';
   if (wt.state === 'ahead') suffix = ' — ready to merge';
   else if (wt.state === 'behind') suffix = ' — sync from main';
   else if (wt.state === 'diverged') suffix = ' — needs sync first';
   else if (wt.state === 'dirty') suffix = ' — commit or stash';
+  else if (wt.state === 'clean' && untrackedFiles > 0) suffix = ' — untracked files kept local';
   return parts.join(', ') + suffix;
 }
 
@@ -729,10 +827,12 @@ function _recommendedAction(wt) {
     return { kind: 'primary', label: 'Primary', tone: 'neutral', reason: 'Main checkout.' };
   }
   if (!wt.branch || wt.branch === 'HEAD') return { kind: 'recover_branch', label: 'Recover branch', tone: 'danger', reason: 'Detached HEAD commits can become hard to find.' };
-  if (wt.dirtyFiles > 0) return { kind: 'review_dirty', label: 'Open session', tone: 'warning', reason: `${wt.dirtyFiles} uncommitted file(s).` };
+  const trackedDirty = _trackedDirtyCount(wt);
+  if (trackedDirty > 0) return { kind: 'review_dirty', label: 'Open session', tone: 'warning', reason: `${trackedDirty} tracked dirty file(s).` };
   if ((wt.ahead || 0) > 0 && (wt.behind || 0) > 0) return { kind: 'sync_branch', label: 'Sync first', tone: 'warning', reason: 'Branch has commits and is behind main.' };
   if ((wt.behind || 0) > 0) return { kind: 'sync_branch', label: 'Sync', tone: 'warning', reason: 'Branch is behind main.' };
   if ((wt.ahead || 0) > 0) return { kind: 'finish_work', label: 'Finish', tone: 'success', reason: 'Branch has committed work not on main.' };
+  if (_hasOnlyUntrackedFiles(wt)) return { kind: 'review_dirty', label: 'Open session', tone: 'warning', reason: `${wt.untrackedFiles || wt.dirtyFiles} untracked file(s).` };
   return { kind: 'cleanup', label: 'Clean up', tone: 'neutral', reason: 'No unmerged commits or dirty files.' };
 }
 
@@ -830,6 +930,37 @@ async function syncWorktree(cwd, branchName, strategy, opts) {
       message: 'Worktree HEAD changed before sync could start.',
     };
   }
+  // Make sure main is up to date locally — try a fast-forward fetch but
+  // don't fail if there's no remote.
+  await _gitSafe(repoRoot, ['fetch', 'origin', 'main', '--quiet'], 8000);
+
+  // Pre-check for conflicts using merge-tree (git 2.38+).
+  const preCheck = await mergeWorktreePreCheck(repoRoot, 'main', branchName).catch(() => ({ conflicts: false }));
+  if (preCheck.conflicts) {
+    return { merged: false, conflicts: true, message: 'Merge would conflict — open the worktree in a terminal to resolve.' };
+  }
+
+  const syncSafety = await _untrackedSyncCollisions(wt.path, 'main');
+  if (syncSafety.status.trackedDirtyFiles > 0) {
+    return {
+      merged: false,
+      blocked: true,
+      code: 'TRACKED_DIRTY',
+      beforeHead,
+      message: 'Commit or stash tracked dirty files before syncing from main.',
+    };
+  }
+  if (syncSafety.collisions.length > 0) {
+    return {
+      merged: false,
+      blocked: true,
+      code: 'UNTRACKED_COLLISION',
+      beforeHead,
+      untrackedCollisions: syncSafety.collisions,
+      message: `Sync would overwrite untracked file(s): ${syncSafety.collisions.map(c => c.untrackedPath).slice(0, 3).join(', ')}`,
+    };
+  }
+
   let checkpointRef = '';
   if (opts.createCheckpoint) {
     checkpointRef = await _createWorktreeCheckpoint(repoRoot, branchName, beforeHead);
@@ -844,16 +975,6 @@ async function syncWorktree(cwd, branchName, strategy, opts) {
     }
   }
 
-  // Make sure main is up to date locally — try a fast-forward fetch but
-  // don't fail if there's no remote.
-  await _gitSafe(repoRoot, ['fetch', 'origin', 'main', '--quiet'], 8000);
-
-  // Pre-check for conflicts using merge-tree (git 2.38+).
-  const preCheck = await mergeWorktreePreCheck(repoRoot, 'main', branchName).catch(() => ({ conflicts: false }));
-  if (preCheck.conflicts) {
-    return { merged: false, conflicts: true, message: 'Merge would conflict — open the worktree in a terminal to resolve.' };
-  }
-
   const args = strategy === 'rebase' ? ['rebase', 'main'] : ['merge', 'main', '--no-edit'];
   const out = await _gitSafe(wt.path, args, 30000);
   if (out === null) {
@@ -873,7 +994,8 @@ function _syncAllEligibility(wt) {
   if (!wt || wt.isMain) return { eligible: false, reason: 'primary checkout' };
   if (wt.isGhost || wt.state === 'ghost') return { eligible: false, reason: 'ghost worktree' };
   if (!wt.branch || wt.branch === 'HEAD' || wt.state === 'detached') return { eligible: false, reason: 'detached HEAD' };
-  if ((wt.dirtyFiles || 0) > 0) return { eligible: false, reason: `${wt.dirtyFiles} dirty file(s)` };
+  const trackedDirty = _trackedDirtyCount(wt);
+  if (trackedDirty > 0) return { eligible: false, reason: `${trackedDirty} tracked dirty file(s)` };
   if ((wt.behind || 0) <= 0) return { eligible: false, reason: 'not behind main' };
   return { eligible: true, reason: '' };
 }
@@ -1058,7 +1180,7 @@ async function listRichWorktrees(cwd, opts) {
     // Gather status fields in parallel.
     const [revlist, statusOut, lastIso, unmergedOut] = await Promise.all([
       wt.branch ? _gitSafe(wt.path, ['rev-list', '--left-right', '--count', `${mainBranch}...${wt.branch}`]) : Promise.resolve(null),
-      _gitSafe(wt.path, ['status', '--porcelain']),
+      _gitSafeRaw(wt.path, ['status', '--porcelain=v1', '-uall', '-z']),
       _gitSafe(wt.path, ['log', '-1', '--format=%cI', 'HEAD']),
       wt.branch && !wt.isMain ? _gitSafe(wt.path, ['rev-list', '--count', `${mainBranch}..HEAD`]) : Promise.resolve('0'),
     ]);
@@ -1071,11 +1193,18 @@ async function listRichWorktrees(cwd, opts) {
         ahead = parseInt(parts[1], 10) || 0;
       }
     }
-    const dirtyFiles = statusOut ? statusOut.split('\n').filter(Boolean).length : 0;
+    const status = _parsePorcelainStatusZ(statusOut || '');
+    const dirtyFiles = status.dirtyFiles;
     const unmergedCommits = parseInt(unmergedOut, 10) || 0;
 
     const out = {
       ...wt, isGhost: false, isCanonical, ahead, behind, dirtyFiles, unmergedCommits,
+      trackedDirtyFiles: status.trackedDirtyFiles,
+      untrackedFiles: status.untrackedFiles,
+      unmergedFiles: status.unmergedFiles,
+      stagedFiles: status.stagedFiles,
+      unstagedFiles: status.unstagedFiles,
+      hasOnlyUntrackedFiles: status.hasOnlyUntrackedFiles,
       lastActivity: lastIso || null,
       lastActivityRel: _formatRelativeTime(lastIso),
       mainBranch,

package/template/claude-task-manager/lib/auth-rate-limit.js

@@ -17,10 +17,21 @@ function nowMs() {
   return Date.now();
 }
 
+function normalizeIpLockKey(ip) {
+  let key = String(ip || '').trim();
+  if (!key) return '';
+  if (key.startsWith('[') && key.endsWith(']')) key = key.slice(1, -1);
+  const mappedIpv4 = key.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
+  return mappedIpv4 ? mappedIpv4[1] : key;
+}
+
 class AuthRateLimiter {
   constructor(options = {}) {
     this.limits = { ...DEFAULT_LIMITS, ...(options.limits || {}) };
     this.failedAuth = { ...DEFAULT_FAILED_AUTH, ...(options.failedAuth || {}) };
+    this.ipLockoutExemptions = new Set((options.ipLockoutExemptions || [])
+      .map(normalizeIpLockKey)
+      .filter(Boolean));
     this.buckets = new Map();
     this.failures = new Map();
   }
@@ -50,9 +61,15 @@ class AuthRateLimiter {
     return { ok: true };
   }
 
+  isIpLockoutExempt(ip) {
+    const key = normalizeIpLockKey(ip);
+    return !!key && this.ipLockoutExemptions.has(key);
+  }
+
   isIpLocked(ip, atMs = nowMs()) {
-    const key = String(ip || '');
+    const key = normalizeIpLockKey(ip);
     if (!key) return { ok: true };
+    if (this.ipLockoutExemptions.has(key)) return { ok: true, exempt: true };
     const state = this.failures.get(key);
     if (!state || !state.lockedUntil || state.lockedUntil <= atMs) {
       if (state && state.lockedUntil && state.lockedUntil <= atMs) this.failures.delete(key);
@@ -66,8 +83,9 @@ class AuthRateLimiter {
   }
 
   recordAuthFailure(ip, atMs = nowMs()) {
-    const key = String(ip || '');
+    const key = normalizeIpLockKey(ip);
     if (!key) return { locked: false };
+    if (this.ipLockoutExemptions.has(key)) return { locked: false, count: 0, lockedUntil: null, exempt: true };
     const existing = this.failures.get(key);
     const windowStart = existing && atMs - existing.windowStart < this.failedAuth.windowMs
       ? existing.windowStart
@@ -82,7 +100,8 @@ class AuthRateLimiter {
   }
 
   recordAuthSuccess(ip) {
-    const key = String(ip || '');
+    const key = normalizeIpLockKey(ip);
+    if (this.ipLockoutExemptions.has(key)) return;
     if (key) this.failures.delete(key);
   }
 
@@ -103,5 +122,6 @@ module.exports = {
   AuthRateLimiter,
   DEFAULT_FAILED_AUTH,
   DEFAULT_LIMITS,
+  normalizeIpLockKey,
   rateKindForRule,
 };

package/template/claude-task-manager/lib/auth-rules.js

@@ -82,8 +82,11 @@ const HTTP_AUTH_RULES = Object.freeze([
   exact('GET', '/api/recent-sessions', 'read', false, 'never'),
   exact('GET', '/api/sessions/standup', 'read', false, 'never'),
   exact('GET', '/api/sessions/git-status', 'read', false, 'never'),
+  exact('GET', '/api/session/prompts', 'read', false, 'never'),
   exact('GET', '/api/session/messages', 'read', false, 'never'),
   exact('GET', '/api/session/export', 'read', false, 'never'),
+  exact('GET', '/api/session/prompts', 'read', false, 'never'),
+  exact('POST', '/api/session/image-refs', 'respond', true, 'never'),
   exact('GET', '/api/sessions/integrity', 'read', false, 'never'),
   exact('GET', '/api/sessions/relink-audit', 'read', false, 'never'),
   exact('GET', '/api/sessions/search', 'read', false, 'never'),

package/template/claude-task-manager/lib/document-review.js

@@ -49,6 +49,38 @@ function splitPathAndLine(input, fallbackLine = 1) {
   return { rawPath: raw, line };
 }
 
+function realpathOrResolve(value) {
+  const resolved = path.resolve(value);
+  try { return fs.realpathSync.native ? fs.realpathSync.native(resolved) : fs.realpathSync(resolved); }
+  catch { return resolved; }
+}
+
+function normalizeBaseCwd(cwd) {
+  if (!cwd) return '';
+  const raw = String(cwd || '').trim();
+  if (!raw || !path.isAbsolute(raw)) return '';
+  try {
+    const stat = fs.statSync(raw);
+    const dir = stat.isDirectory() ? raw : path.dirname(raw);
+    return realpathOrResolve(dir);
+  } catch {
+    return '';
+  }
+}
+
+function resolveInputPath(rawPath, options = {}) {
+  if (!rawPath) return '';
+  if (/^~(?:\/|$)/.test(rawPath)) {
+    const home = options.home || process.env.HOME || os.homedir();
+    if (!home) return '';
+    return path.resolve(home, rawPath === '~' ? '' : rawPath.slice(2));
+  }
+  if (path.isAbsolute(rawPath)) return path.resolve(rawPath);
+  const baseCwd = normalizeBaseCwd(options.cwd);
+  if (!baseCwd) throw httpError('relative document path requires a session cwd', 400, 'EINVAL');
+  return path.resolve(baseCwd, rawPath);
+}
+
 function projectRootFor(filePath) {
   const cwd = fs.statSync(filePath).isDirectory() ? filePath : path.dirname(filePath);
   try {
@@ -65,9 +97,8 @@ function projectRootFor(filePath) {
 function resolveDocumentTarget(input, options = {}) {
   const { rawPath, line } = splitPathAndLine(input, options.line || 1);
   if (!rawPath) throw httpError('path required', 400, 'EINVAL');
-  if (!path.isAbsolute(rawPath)) throw httpError('absolute path required', 400, 'EINVAL');
 
-  const resolved = path.resolve(rawPath);
+  const resolved = resolveInputPath(rawPath, options);
   let realPath = '';
   try {
     const stat = fs.statSync(resolved);

package/template/claude-task-manager/lib/microsoft-dev-tunnel-setup.js

@@ -1129,6 +1129,7 @@ function microsoftDevTunnelCommands(options = {}) {
     login: command('devtunnel', ['user', 'login', '-g']),
     device_login: command('devtunnel', ['user', 'login', '-g', '-d']),
     microsoft_device_login: command('devtunnel', ['user', 'login', '-e', '-d']),
+    logout: command('devtunnel', ['user', 'logout']),
     access_private_reset: command('devtunnel', devTunnelPrivateAccessResetArgs('TUNNELID', { port })),
     host_temporary: command('devtunnel', [
       'host',
@@ -1704,6 +1705,87 @@ function loginStateIsReusable(state, provider, options = {}) {
   return now - started < Number(options.loginReuseMs || LOGIN_REUSE_MS);
 }
 
+async function logoutMicrosoftDevTunnelUser(options = {}) {
+  const previous = loadLoginProcessState(options);
+  if (previous && previous.running && pidIsRunning(previous.pid)) {
+    stopLoginProcessState(previous, options);
+  }
+
+  const execFile = options.execFile || defaultExecFile;
+  const args = ['user', 'logout'];
+  const baseState = {
+    ...(previous || {}),
+    running: false,
+    pid: null,
+    provider: 'github',
+    provider_label: loginProviderLabel('github'),
+    command: command('devtunnel', args).display,
+    login_url: '',
+    device_code: '',
+    error: '',
+    error_code: '',
+    signed_out_at: new Date().toISOString(),
+  };
+  try {
+    const result = await execFile('devtunnel', args, {
+      encoding: 'utf8',
+      timeout: options.commandTimeoutMs || 15000,
+      maxBuffer: 512 * 1024,
+    });
+    const stoppedTunnel = options.stopTunnel === false ? null : await stopMicrosoftDevTunnel(options).catch((err) => ({
+      ok: false,
+      error: String(err?.message || err || 'Could not stop existing Microsoft tunnel').slice(0, 800),
+    }));
+    const nextState = {
+      ...baseState,
+      stdout: String(result?.stdout || '').trim().slice(0, 800),
+      stderr: String(result?.stderr || '').trim().slice(0, 800),
+    };
+    writeLoginProcessState(nextState, options);
+    return {
+      ok: true,
+      already_signed_out: false,
+      stopped_tunnel: stoppedTunnel,
+      logout: { ...nextState, state_path: loginStatePath(options) },
+      setup: await detectMicrosoftDevTunnelSetup(options),
+      progress: getMicrosoftDevTunnelProgress(options),
+    };
+  } catch (err) {
+    const text = String(`${err?.stdout || ''}\n${err?.stderr || ''}\n${err?.message || ''}`);
+    const alreadySignedOut = /not\s+(?:logged|signed)\s+in|no\s+user|login\s+required/i.test(text);
+    const nextState = {
+      ...baseState,
+      already_signed_out: alreadySignedOut,
+      error_code: alreadySignedOut ? '' : (err?.code === 'ENOENT' ? 'devtunnel_cli_missing' : 'devtunnel_logout_failed'),
+      error: alreadySignedOut ? '' : text.trim().slice(0, 800),
+    };
+    writeLoginProcessState(nextState, options);
+    if (alreadySignedOut) {
+      const stoppedTunnel = options.stopTunnel === false ? null : await stopMicrosoftDevTunnel(options).catch((stopErr) => ({
+        ok: false,
+        error: String(stopErr?.message || stopErr || 'Could not stop existing Microsoft tunnel').slice(0, 800),
+      }));
+      return {
+        ok: true,
+        already_signed_out: true,
+        stopped_tunnel: stoppedTunnel,
+        logout: { ...nextState, state_path: loginStatePath(options) },
+        setup: await detectMicrosoftDevTunnelSetup(options),
+        progress: getMicrosoftDevTunnelProgress(options),
+      };
+    }
+    return {
+      ok: false,
+      already_signed_out: false,
+      error_code: nextState.error_code,
+      error: nextState.error || 'Microsoft Dev Tunnels sign-out failed.',
+      logout: { ...nextState, state_path: loginStatePath(options) },
+      setup: await detectMicrosoftDevTunnelSetup(options).catch(() => null),
+      progress: getMicrosoftDevTunnelProgress(options),
+    };
+  }
+}
+
 function startMicrosoftDevTunnelLogin(input = {}, options = {}) {
   const fsImpl = options.fs || fs;
   fsImpl.mkdirSync(setupDir(options), { recursive: true, mode: 0o700 });
@@ -1804,6 +1886,7 @@ module.exports = {
   loadKeepAwakeState,
   loadManagedTunnelState,
   loadLoginProcessState,
+  logoutMicrosoftDevTunnelUser,
   managedTunnelDesiredRunning,
   microsoftDevTunnelCommands,
   normalizeTunnelId,

package/template/claude-task-manager/lib/mobile-auth-api.js

@@ -7,6 +7,7 @@ const { requestBrowserOrigin, requestOrigin } = require('./transport-security');
 const CLAIM_PUBLIC_ENDPOINTS = new Set([
   'POST /api/auth/claim/begin-passkey',
   'POST /api/auth/claim/finish',
+  'POST /api/auth/logout-local',
 ]);
 
 let simpleWebAuthnPromise = null;
@@ -92,6 +93,15 @@ function errorJson(res, status, code, message) {
   sendJson(res, status, { ok: false, error: code, message: message || code });
 }
 
+function clearLocalSession(req, res) {
+  sendJson(res, 200, { ok: true }, {
+    'Set-Cookie': [
+      tokenCookie('', requestIsHttps(req), 0),
+      stepUpCookie('', requestIsHttps(req), 0),
+    ],
+  });
+}
+
 function requestIsHttps(req) {
   return !!req?.socket?.encrypted || String(req?.headers?.['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase() === 'https';
 }
@@ -532,6 +542,10 @@ async function handleMobileAuthApi(req, res, url, options = {}) {
       await finishClaimPasskey(req, res, db);
       return true;
     }
+    if (url.pathname === '/api/auth/logout-local' && req.method === 'POST') {
+      clearLocalSession(req, res);
+      return true;
+    }
 
     if (url.pathname === '/api/auth/device-claims' && req.method === 'POST') {
       const body = await readJsonBody(req);

package/template/claude-task-manager/lib/restart-guard.js

@@ -0,0 +1,68 @@
+'use strict';
+
+const BLOCKING_STATUSES = new Set(['running', 'busy', 'waiting_input']);
+
+function normalizeStatus(value) {
+  const text = String(value || '').trim().toLowerCase().replace(/[-\s]+/g, '_');
+  if (!text) return '';
+  if (text === 'waiting' || text === 'waiting_for_input' || text === 'waiting_input') return 'waiting_input';
+  if (text === 'busy') return 'running';
+  return text;
+}
+
+function sessionLabel(session) {
+  return String(
+    session?.label ||
+    session?.title ||
+    session?.name ||
+    session?.id ||
+    ''
+  ).trim();
+}
+
+function sessionId(session) {
+  return String(session?.id || session?.sessionId || session?.ctmSessionId || '').trim();
+}
+
+function restartSessionSummary(session, status, waitingForInput) {
+  const normalized = waitingForInput ? 'waiting_input' : normalizeStatus(status);
+  return {
+    id: sessionId(session),
+    label: sessionLabel(session),
+    status: normalized || 'idle',
+  };
+}
+
+function summarizeRestartGuard(sessions = [], options = {}) {
+  const items = Array.from(sessions || []).filter(Boolean);
+  const blockers = [];
+  const restorable = [];
+
+  for (const session of items) {
+    const rawStatus = typeof options.statusForSession === 'function'
+      ? options.statusForSession(session)
+      : (session.standupStatus || session.liveStatus || session.serverState || session.status || '');
+    const waitingForInput = typeof options.isWaitingForInput === 'function'
+      ? !!options.isWaitingForInput(session)
+      : !!session.waitingForInput;
+    const summary = restartSessionSummary(session, rawStatus, waitingForInput);
+    if (BLOCKING_STATUSES.has(summary.status)) blockers.push(summary);
+    else restorable.push(summary);
+  }
+
+  return {
+    totalCount: items.length,
+    blockingCount: blockers.length,
+    restorableCount: restorable.length,
+    blockers,
+    restorable,
+  };
+}
+
+module.exports = {
+  summarizeRestartGuard,
+  _private: {
+    normalizeStatus,
+    restartSessionSummary,
+  },
+};