create-walle 0.9.21 → 0.9.23

package/template/claude-task-manager/public/js/setup.js

@@ -2,7 +2,7 @@
 (function() {
 const SETUP = {};
 
-var _activeSetupTab = 'provider';
+var _activeSetupTab = 'integrations';
 var _selectedProvider = 'anthropic';
 var _mcpPort = 3457;
 var _embedProvidersCache = null;
@@ -11,10 +11,14 @@ var _isConfigured = false;
 var _setupTabsBound = false;
 var _providerPickerBound = false;
 var _pcardAccordionBound = false;
+var _connectedServicesLifecycleBound = false;
+var _connectedServicesRefreshTimer = null;
+var _connectedServicesLoadSeq = 0;
 var _setupMemoryCaptureBound = false;
 var _setupMemoryCaptureTimer = null;
+var _retiredSetupTabs = new Set(['provider']);
 var _setupTempMemory = {
-  activeTab: 'provider',
+  activeTab: 'integrations',
   values: null,
   details: null,
   scroll: null,
@@ -27,7 +31,96 @@ var _setupTempMemory = {
 var _microsoftSetupInFlight = false;
 var _microsoftProgressPollTimer = null;
 var _microsoftProbeInFlight = false;
+var _microsoftLoginCheckInFlight = false;
 var _microsoftTunnelProbe = null;
+// Dev Tunnels sign-in account type. GitHub sign-ins expire on an hours-to-days
+// scale and break the tunnel until re-login; Microsoft accounts refresh silently.
+// Resolution: explicit user choice (persisted) > server's last-used provider >
+// 'microsoft' (recommended default).
+var _microsoftLoginProviderChoice = '';
+try { _microsoftLoginProviderChoice = localStorage.getItem('ctm-ms-login-provider') || ''; } catch {}
+
+function _msLoginProvider() {
+  if (_microsoftLoginProviderChoice === 'microsoft' || _microsoftLoginProviderChoice === 'github') {
+    return _microsoftLoginProviderChoice;
+  }
+  var ms = (_lastNetworkSettings || {}).microsoft_dev_tunnel || {};
+  if (ms.login_provider === 'github' || ms.login_provider === 'microsoft') return ms.login_provider;
+  return 'microsoft';
+}
+
+function _msProviderLabel(provider) {
+  return (provider || _msLoginProvider()) === 'github' ? 'GitHub' : 'Microsoft';
+}
+
+function _renderMicrosoftLoginProvider() {
+  var provider = _msLoginProvider();
+  var msBtn = document.getElementById('setup-ms-provider-microsoft');
+  var ghBtn = document.getElementById('setup-ms-provider-github');
+  if (msBtn) {
+    msBtn.setAttribute('aria-pressed', provider === 'microsoft' ? 'true' : 'false');
+    msBtn.disabled = _microsoftSetupInFlight;
+  }
+  if (ghBtn) {
+    ghBtn.setAttribute('aria-pressed', provider === 'github' ? 'true' : 'false');
+    ghBtn.disabled = _microsoftSetupInFlight;
+  }
+}
+
+function setMicrosoftLoginProvider(provider) {
+  if (provider !== 'microsoft' && provider !== 'github') return;
+  var previous = _msLoginProvider();
+  _microsoftLoginProviderChoice = provider;
+  try { localStorage.setItem('ctm-ms-login-provider', provider); } catch {}
+  _renderMicrosoftLoginProvider();
+  var ms = (_lastNetworkSettings || {}).microsoft_dev_tunnel || {};
+  if (provider !== previous && ms.signed_in) {
+    _setMicrosoftActionStatus('Next sign-in will use a ' + _msProviderLabel(provider) + ' account. Click "Use Different Account" to switch now.', '');
+  }
+}
+
+// Human-readable "what happened last" line from the managed host_events ring
+// buffer (drop diagnosis: credential expiry vs relay disconnects).
+function _msLastHostEventText(events) {
+  if (!Array.isArray(events) || !events.length) return '';
+  var ev = events[events.length - 1];
+  if (!ev || !ev.type) return '';
+  var labels = {
+    credential_expired: 'Dev Tunnels sign-in expired',
+    auth_failure: 'tunnel authorization failed',
+    connection_lost: 'tunnel relay connection lost',
+    reconnected: 'tunnel relay reconnected',
+    signed_in: 'Dev Tunnels signed in',
+    host_started: 'tunnel started',
+    tunnel_offline: 'tunnel went offline',
+    tunnel_error: 'tunnel reported an error',
+  };
+  var what = labels[ev.type] || String(ev.type).replace(/_/g, ' ');
+  var when = ev.at ? new Date(ev.at).toLocaleString() : '';
+  return 'Last event: ' + what + (when ? ' (' + when + ').' : '.');
+}
+
+async function tryOtherMicrosoftLoginProvider() {
+  var other = _msLoginProvider() === 'github' ? 'microsoft' : 'github';
+  setMicrosoftLoginProvider(other);
+  var btn = document.getElementById('setup-ms-login-try-other');
+  if (btn) { btn.disabled = true; btn.textContent = 'Starting...'; }
+  try {
+    await _postMicrosoftTunnelLogin(true, { forceNew: true });
+    _setMicrosoftActionStatus(_msProviderLabel(other) + ' sign-in started. Enter the displayed code on the ' + _msProviderLabel(other) + ' page.', 'ok');
+  } catch (e) {
+    _setMicrosoftActionStatus(e.message || 'Could not start ' + _msProviderLabel(other) + ' sign-in', 'error');
+  } finally {
+    if (btn) btn.disabled = false;
+  }
+}
+// Dev Tunnel default is app-gated ("ctm_authenticated"): the URL is reachable and
+// CTM's own passkey + device-token auth is the gate. This is the only mode the
+// phone PWA/WebSocket can use — Dev Tunnels "private" mode uses an interactive
+// edge sign-in that a PWA's fetch/WebSocket can't follow. Private is an explicit
+// opt-in (and is migrated back to app-gated on headless restart by the backend).
+var _microsoftTunnelAccessMode = 'ctm_authenticated';
+var _microsoftTunnelAccessModeTouched = false;
 var _activeDeviceClaim = null;
 var _deviceClaimScopeUpdateTimer = null;
 var _deviceClaimScopeUpdateSeq = 0;
@@ -38,7 +131,15 @@ var _lastPersistedDeviceLabel = '';
 var _deviceLabelSaveInFlight = null;
 var _deviceLabelQueuedValue = null;
 var _deviceLabelLifecycleBound = false;
+var _deviceScopePersistTimer = null;
+var _deviceScopeUserTouched = false;
+var _lastPersistedDeviceScopesKey = '';
+var _deviceScopeLifecycleBound = false;
+var _pairingRequestsPollTimer = null;
 var DEVICE_LABEL_SETTING_KEY = 'ui_setup_device_label';
+var DEVICE_SCOPE_SETTING_KEY = 'ui_setup_device_scopes';
+var DEVICE_SCOPE_VALUES = ['read', 'respond', 'create', 'admin'];
+var DEFAULT_DEVICE_SCOPES = ['read', 'respond'];
 var DEFAULT_DEVICE_LABEL = 'Owner iPhone';
 
 // ── Toast (delegates to dashboard's showToast) ──────────────────────
@@ -168,10 +269,109 @@ async function loadDeviceLabelSetting() {
   } catch { /* setup status also carries this value */ }
 }
 
+function _normalizeDeviceScopes(scopes) {
+  var raw = Array.isArray(scopes) ? scopes : String(scopes || '').split(',');
+  var seen = {};
+  raw.forEach(function(item) {
+    var scope = String(item || '').trim().toLowerCase();
+    if (DEVICE_SCOPE_VALUES.indexOf(scope) >= 0) seen[scope] = true;
+  });
+  if (seen.admin) {
+    DEVICE_SCOPE_VALUES.forEach(function(scope) { seen[scope] = true; });
+  }
+  var out = DEVICE_SCOPE_VALUES.filter(function(scope) { return !!seen[scope]; });
+  return out.length ? out : DEFAULT_DEVICE_SCOPES.slice();
+}
+
+function _applyPersistedDeviceScopes(scopes, options) {
+  var normalized = _normalizeDeviceScopes(scopes);
+  var opts = options || {};
+  if (opts.force || !_deviceScopeUserTouched) {
+    var selected = {};
+    normalized.forEach(function(scope) { selected[scope] = true; });
+    document.querySelectorAll('#setup-device-card [data-device-scope]').forEach(function(cb) {
+      cb.checked = !!selected[cb.getAttribute('data-device-scope')];
+    });
+    _normalizeDeviceScopeCheckboxes();
+  }
+  _lastPersistedDeviceScopesKey = _scopeKey(normalized);
+  if (!_deviceClaimVisible()) {
+    _setDeviceScopeStatus('Selected permissions for the next QR: ' + _scopeListText(_selectedDeviceScopes()) + '.', '');
+  }
+}
+
+async function _writeDeviceScopeSetting(scopes) {
+  var normalized = _normalizeDeviceScopes(scopes);
+  var key = _scopeKey(normalized);
+  if (key === _lastPersistedDeviceScopesKey) return normalized;
+  var body = {};
+  body[DEVICE_SCOPE_SETTING_KEY] = normalized;
+  var headers = { 'Content-Type': 'application/json' };
+  if (typeof state !== 'undefined' && state && state.clientId) headers['X-CTM-Client-Id'] = state.clientId;
+  var r = await fetch('/api/settings', {
+    method: 'PUT',
+    headers: headers,
+    body: JSON.stringify(body),
+  });
+  var d = await r.json().catch(function() { return {}; });
+  if (!r.ok || d.busy || d.error) throw new Error(d.error || 'Phone permission save failed');
+  _lastPersistedDeviceScopesKey = key;
+  return normalized;
+}
+
+function _persistDeviceScopes(scopes, options) {
+  var opts = options || {};
+  var normalized = _normalizeDeviceScopes(scopes);
+  if (opts.immediate) {
+    clearTimeout(_deviceScopePersistTimer);
+    _deviceScopePersistTimer = null;
+    return _writeDeviceScopeSetting(normalized);
+  }
+  clearTimeout(_deviceScopePersistTimer);
+  _deviceScopePersistTimer = setTimeout(function() {
+    _writeDeviceScopeSetting(normalized).catch(function(e) {
+      _setDeviceError(e.message || 'Phone permission save failed');
+    });
+  }, 150);
+  return Promise.resolve(normalized);
+}
+
+function _flushDeviceScopesOnPageHide() {
+  if (!_deviceScopeUserTouched) return;
+  var body = {};
+  body[DEVICE_SCOPE_SETTING_KEY] = _selectedDeviceScopes();
+  try {
+    fetch('/api/settings', {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+      keepalive: true,
+    }).catch(function() {});
+  } catch { /* best effort during unload */ }
+}
+
+function initDeviceScopeLifecycle() {
+  if (_deviceScopeLifecycleBound) return;
+  _deviceScopeLifecycleBound = true;
+  window.addEventListener('pagehide', _flushDeviceScopesOnPageHide);
+}
+
+async function loadDeviceScopeSetting() {
+  try {
+    var r = await fetch('/api/settings?key=' + encodeURIComponent(DEVICE_SCOPE_SETTING_KEY));
+    var d = await r.json();
+    if (!r.ok || d.busy) return;
+    if (d && d.value) _applyPersistedDeviceScopes(d.value);
+    else _lastPersistedDeviceScopesKey = _scopeKey(_selectedDeviceScopes());
+  } catch {
+    _lastPersistedDeviceScopesKey = _scopeKey(_selectedDeviceScopes());
+  }
+}
+
 // ── Tab navigation ──────────────────────────────────────────────────
 function _setSetupActiveTab(target) {
-  if (!target) target = 'provider';
-  if (!document.getElementById('setup-section-' + target)) target = 'provider';
+  if (!target || _retiredSetupTabs.has(target)) target = 'integrations';
+  if (!document.getElementById('setup-section-' + target)) target = 'integrations';
   _activeSetupTab = target;
   _setupTempMemory.activeTab = target;
   var tabs = document.querySelectorAll('#setup-panel .setup-tab');
@@ -184,11 +384,15 @@ function _setSetupActiveTab(target) {
   document.querySelectorAll('#setup-panel .setup-section').forEach(function(p) {
     p.style.display = p.id === 'setup-section-' + target ? '' : 'none';
   });
+  if (target === 'backups' && typeof window.loadBackupsData === 'function') {
+    window.loadBackupsData();
+  }
 }
 
 function _setupTabFromLocation() {
   var hash = (window.location.hash || '').replace(/^#/, '');
   if (hash === 'devices' || hash === 'setup-access' || hash === 'setup-devices') return 'access';
+  if (hash === 'backups') return 'backups';
   if (hash.indexOf('setup&') === 0) {
     var parts = hash.split('&');
     for (var i = 1; i < parts.length; i++) {
@@ -200,7 +404,8 @@ function _setupTabFromLocation() {
 }
 
 function _initialSetupTab() {
-  return _setupTabFromLocation() || _setupTempMemory.activeTab || _activeSetupTab || 'provider';
+  var target = _setupTabFromLocation() || _setupTempMemory.activeTab || _activeSetupTab || 'integrations';
+  return _retiredSetupTabs.has(target) ? 'integrations' : target;
 }
 
 function _setupFieldKey(el) {
@@ -253,7 +458,7 @@ function captureSetupTempState(options) {
     if (el.id) scroll[el.id] = Number(el.scrollTop || 0);
   });
   _setupTempMemory = {
-    activeTab: _activeSetupTab || _setupTempMemory.activeTab || 'provider',
+    activeTab: _activeSetupTab || _setupTempMemory.activeTab || 'integrations',
     values: values,
     details: details,
     scroll: scroll,
@@ -1569,7 +1774,34 @@ function _googleSourceLabel(accounts, serviceKey) {
   return 'Google (' + count + ')';
 }
 
+function _isSetupVisibleForRefresh() {
+  var panel = document.getElementById('setup-panel');
+  if (panel && panel.classList.contains('active')) return true;
+  var hash = window.location && window.location.hash ? window.location.hash : '';
+  return /^#(?:setup(?:&|$)|setup-access$|setup-devices$|devices$)/.test(hash);
+}
+
+function _scheduleConnectedServicesRefresh() {
+  if (!_isSetupVisibleForRefresh()) return;
+  clearTimeout(_connectedServicesRefreshTimer);
+  _connectedServicesRefreshTimer = setTimeout(function() {
+    loadConnectedServices().catch(function() {});
+  }, 80);
+}
+
+function initConnectedServicesLifecycle() {
+  if (_connectedServicesLifecycleBound) return;
+  _connectedServicesLifecycleBound = true;
+  window.addEventListener('online', function() { _scheduleConnectedServicesRefresh(); _refreshAccessHealthOnReturn(); });
+  window.addEventListener('focus', function() { _scheduleConnectedServicesRefresh(); _refreshAccessHealthOnReturn(); });
+  window.addEventListener('pageshow', function() { _scheduleConnectedServicesRefresh(); _refreshAccessHealthOnReturn(); });
+  document.addEventListener('visibilitychange', function() {
+    if (!document.hidden) { _scheduleConnectedServicesRefresh(); _refreshAccessHealthOnReturn(); }
+  });
+}
+
 async function loadConnectedServices() {
+  var seq = ++_connectedServicesLoadSeq;
   var container = document.getElementById('setup-svc-accounts-list');
   var matrixEl = document.getElementById('setup-svc-matrix');
   var dotEl = document.getElementById('setup-svc-dot');
@@ -1577,8 +1809,12 @@ async function loadConnectedServices() {
   var addBtn = document.getElementById('setup-svc-add-google-btn');
 
   try {
-    var r = await fetch('/api/wall-e/gws/accounts');
+    var r = await fetch('/api/wall-e/gws/accounts', {
+      cache: 'no-store',
+      headers: { 'Cache-Control': 'no-cache' },
+    });
     var d = await r.json();
+    if (seq !== _connectedServicesLoadSeq) return _gwsAccountsCache || d;
     _gwsAccountsCache = d;
     _syncGoogleReauthAlert(d);
 
@@ -1655,11 +1891,12 @@ async function loadConnectedServices() {
     }
     return d;
   } catch (e) {
+    if (seq !== _connectedServicesLoadSeq) return _gwsAccountsCache;
     _syncGoogleReauthAlert(null);
     var errDiv = document.createElement('div');
     errDiv.style.cssText = 'color:var(--fg-dim);font-size:12px;padding:8px 0;';
     errDiv.textContent = 'Could not load services.';
-    container.replaceChildren(errDiv);
+    if (container) container.replaceChildren(errDiv);
     return null;
   }
 }
@@ -2065,6 +2302,47 @@ function _microsoftTunnelCanStart(d) {
   return !!(ms.installed && ms.signed_in);
 }
 
+function _microsoftTunnelAccess(ms) {
+  ms = ms || {};
+  var managed = ms.managed_tunnel || {};
+  return managed.access || ms.access || {};
+}
+
+function _normalizeMicrosoftTunnelAccessMode(mode) {
+  var raw = String(mode || '').trim().toLowerCase().replace(/[-\s]+/g, '_');
+  if (raw === 'private' || raw === 'microsoft' || raw === 'private_microsoft') return 'private_microsoft';
+  if (raw === 'anonymous' || raw === 'public' || raw === 'ctm_auth' || raw === 'ctm_authenticated') return 'ctm_authenticated';
+  return '';
+}
+
+function _microsoftTunnelCurrentAccessMode(ms) {
+  ms = ms || {};
+  var managed = ms.managed_tunnel || {};
+  var access = _microsoftTunnelAccess(ms);
+  return _normalizeMicrosoftTunnelAccessMode(access.mode || managed.access_mode || ms.access_mode) || 'ctm_authenticated';
+}
+
+function _microsoftTunnelSelectedAccessMode(ms) {
+  if (!_microsoftTunnelAccessModeTouched) {
+    var current = _microsoftTunnelCurrentAccessMode(ms);
+    _microsoftTunnelAccessMode = current === 'ctm_authenticated' ? current : 'ctm_authenticated';
+  }
+  return _normalizeMicrosoftTunnelAccessMode(_microsoftTunnelAccessMode) || 'ctm_authenticated';
+}
+
+function _microsoftTunnelUsesCtmAuth(ms) {
+  return _microsoftTunnelSelectedAccessMode(ms) === 'ctm_authenticated';
+}
+
+function _microsoftAccessModeMatchesSelection(ms) {
+  return _microsoftTunnelCurrentAccessMode(ms) === _microsoftTunnelSelectedAccessMode(ms);
+}
+
+function _microsoftNeedsPrivateAccessReset(ms) {
+  var access = _microsoftTunnelAccess(ms);
+  return !!(access.needs_private_reset || access.stale_anonymous_access || (access.mode === 'private_microsoft' && access.anonymous_connect));
+}
+
 function _microsoftTunnelAccountText(ms) {
   ms = ms || {};
   return ms.account && (ms.account.display || ms.account.email || ms.account.name || ms.account.id) || '';
@@ -2094,10 +2372,13 @@ function _microsoftAvailabilityCopy(ms, ready) {
 }
 
 function _microsoftTunnelPhoneAuthText(ms) {
-  var account = _microsoftTunnelAccountText(ms);
-  return account
-    ? 'If Microsoft asks you to sign in, use this same account: ' + account + '. CTM still requires the pairing QR and device permissions.'
-    : 'If Microsoft asks you to sign in, use the same Microsoft or GitHub account shown on this Mac. CTM still requires the pairing QR and device permissions.';
+  if (_microsoftNeedsPrivateAccessReset(ms)) {
+    return 'Anonymous tunnel access is still enabled. Reset to private before relying on the phone URL.';
+  }
+  if (_microsoftTunnelUsesCtmAuth(ms)) {
+    return 'The phone URL reaches CTM directly. CTM still requires pairing, device token, route permissions, and passkey step-up.';
+  }
+  return 'Remote browsers pass Microsoft/GitHub tunnel auth first; CTM still requires pairing, device token, route permissions, and passkey step-up.';
 }
 
 function _microsoftTunnelOrigin(d) {
@@ -2116,6 +2397,9 @@ function _tailscaleOrigin(d) {
 }
 
 function _defaultPhoneAccessMethod(d) {
+  // Prefer the live recommended method (the one that's actually working); else Microsoft
+  // tunnel (simplest — no VPN app, no custom domain).
+  if (_lastConnectionHealth && _lastConnectionHealth.recommended) return _lastConnectionHealth.recommended;
   return 'microsoft';
 }
 
@@ -2168,16 +2452,33 @@ function _clearPhoneOriginIfAuto() {
   }
 }
 
+function _phoneOriginEmptyHint(method) {
+  if (method === 'walle') return 'Connect Walle Remote to generate a phone URL';
+  if (method === 'cloudflare') return 'Finish Cloudflare setup to generate a phone URL';
+  if (method === 'microsoft') return 'Start the Microsoft tunnel to generate a phone URL';
+  return 'Sign in to Tailscale to generate a phone URL';
+}
+
 function _renderRecommendedPhoneOrigin(origin, method) {
+  // Until /api/setup/network resolves, _lastNetworkSettings is null and we
+  // cannot know the real origin yet — show an explicit loading state instead
+  // of a fake placeholder URL that reads as a real (wrong) value.
+  var loaded = _lastNetworkSettings !== null;
   var label = document.getElementById('setup-phone-best-label');
   var walleReady = method === 'walle' && _walleRemoteHostedPairingReady(_lastNetworkSettings || {});
   if (label) label.textContent = method === 'walle'
     ? (walleReady ? 'Walle Remote URL' : 'Walle Remote status')
     : (method === 'cloudflare' ? 'Recommended Cloudflare URL' : (method === 'microsoft' ? 'Microsoft tunnel URL' : 'Recommended Tailscale URL'));
   var best = document.getElementById('setup-phone-best-url');
-  if (best) best.textContent = method === 'walle'
-    ? (walleReady ? _walleRemoteUsableMobileUrl(_lastNetworkSettings || {}) : 'Hosted relay unavailable')
-    : (origin ? origin.replace(/\/+$/, '') + '/m/' : (method === 'microsoft' ? 'Start tunnel first' : ''));
+  if (best) best.textContent = !loaded
+    ? 'Resolving…'
+    : (method === 'walle'
+      ? (walleReady ? _walleRemoteUsableMobileUrl(_lastNetworkSettings || {}) : 'Hosted relay unavailable')
+      : (origin ? origin.replace(/\/+$/, '') + '/m/' : (method === 'microsoft' ? 'Start tunnel first' : '')));
+  var phoneInput = document.getElementById('setup-device-origin');
+  if (phoneInput) phoneInput.placeholder = origin
+    ? ''
+    : (!loaded ? 'Resolving phone URL…' : (walleReady ? '' : _phoneOriginEmptyHint(method)));
 }
 
 function _renderPhoneSetupGuidance(method, d) {
@@ -2196,7 +2497,7 @@ function _renderPhoneSetupGuidance(method, d) {
     title.textContent = 'Phone setup: Walle Remote';
     body.textContent = _walleRemoteHostedPairingReady(d)
       ? 'Open Walle on your phone, sign in to the same Walle account, then scan the pairing QR from this Mac. CTM keeps running locally and the phone sends typed remote-control actions through Walle Remote.'
-      : 'Hosted Walle Relay pairing is not connected yet, and m.walle.sh is not a working CTM phone URL for this install. Choose Cloudflare Access or Tailscale for phone access.';
+      : 'Hosted Walle Relay pairing is not connected yet, and m.walle.sh is not a working CTM phone URL for this install. Choose Microsoft tunnel or Tailscale for phone access.';
     return;
   }
   if (method === 'cloudflare') {
@@ -2225,7 +2526,7 @@ function _hideDeviceClaim() {
   if (url) url.textContent = '';
   _activeDeviceClaim = null;
   clearTimeout(_deviceClaimScopeUpdateTimer);
-  _setDeviceScopeStatus('Choose permissions before Pair Phone. They are written into the QR claim when it is created.', '');
+  _setDeviceScopeStatus('Choose permissions before Pair Phone. CTM saves them and writes them into the QR claim when it is created.', '');
 }
 
 function _renderDeviceClaimAction(d) {
@@ -2370,11 +2671,14 @@ function _renderMicrosoftProgress(progress) {
   var codeWrap = document.getElementById('setup-ms-login-code-wrap');
   var codeEl = document.getElementById('setup-ms-login-code');
   var copyCode = document.getElementById('setup-ms-login-copy');
+  var checkLogin = document.getElementById('setup-ms-login-check');
+  var regenerateCode = document.getElementById('setup-ms-login-regenerate');
   var install = progress && progress.install || {};
   var login = progress && progress.login || {};
   var installTail = _processTail(install);
   var loginTail = _processTail(login);
-  var hasLoginFallback = !!(login.login_url || login.device_code);
+  var signedInProgress = !!login.signed_in;
+  var hasLoginFallback = !signedInProgress && !!(login.login_url || login.device_code);
   var show = !!(install.running || login.running || installTail || loginTail || hasLoginFallback || install.error || login.error);
   panel.style.display = show ? '' : 'none';
   if (!show) return;
@@ -2385,6 +2689,7 @@ function _renderMicrosoftProgress(progress) {
   else if (typeof install.exit_code === 'number' && install.exit_code !== 0) state = 'Install exited with code ' + install.exit_code;
   else if (login.error) state = 'Sign-in failed';
   else if (typeof login.exit_code === 'number' && login.exit_code !== 0) state = 'Sign-in exited with code ' + login.exit_code;
+  else if (login.signed_in) state = 'Signed in';
   else if (login.running) state = 'Waiting for sign-in...';
   else if (login.finished_at) state = 'Sign-in process finished';
   else if (install.finished_at) state = 'Install finished';
@@ -2405,6 +2710,24 @@ function _renderMicrosoftProgress(progress) {
   if (codeEl) codeEl.textContent = login.device_code || '';
   if (codeWrap) codeWrap.style.display = login.device_code ? '' : 'none';
   if (copyCode) copyCode.style.display = login.device_code ? '' : 'none';
+  if (checkLogin) {
+    checkLogin.style.display = hasLoginFallback || login.finished_at ? '' : 'none';
+    checkLogin.disabled = !!_microsoftLoginCheckInFlight;
+    checkLogin.textContent = _microsoftLoginCheckInFlight ? 'Checking...' : 'Check Sign-In';
+  }
+  if (regenerateCode) {
+    regenerateCode.style.display = login.device_code ? '' : 'none';
+    regenerateCode.disabled = !!_microsoftSetupInFlight;
+    regenerateCode.title = 'Start a fresh ' + _msProviderLabel() + ' device-code sign-in if this code expired.';
+  }
+  var tryOther = document.getElementById('setup-ms-login-try-other');
+  if (tryOther) {
+    // Sign-in failed or is dragging: offer the other account type so a broken
+    // Microsoft login is never a dead end (and vice versa).
+    var otherLabel = _msLoginProvider() === 'github' ? 'Microsoft' : 'GitHub';
+    tryOther.textContent = 'Try ' + otherLabel + ' instead';
+    tryOther.style.display = (login.error || login.error_code || hasLoginFallback) && !signedInProgress ? '' : 'none';
+  }
   if (fallback) fallback.style.display = hasLoginFallback ? '' : 'none';
 
   if (logEl) {
@@ -2430,12 +2753,88 @@ async function copyMicrosoftLoginCode() {
   }
 }
 
+async function checkMicrosoftTunnelLogin(options) {
+  var opts = options || {};
+  if (_microsoftLoginCheckInFlight) return null;
+  _microsoftLoginCheckInFlight = true;
+  var err = document.getElementById('setup-network-err');
+  var btn = document.getElementById('setup-ms-login-check');
+  if (err && !opts.silent) err.style.display = 'none';
+  if (btn) { btn.disabled = true; btn.textContent = 'Checking...'; }
+  try {
+    var r = await fetch('/api/setup/network/microsoft-dev-tunnel/login/check', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: '{}',
+    });
+    var d = await r.json();
+    var setup = d.setup || d.microsoft_dev_tunnel || null;
+    if (setup) {
+      var settings = _lastNetworkSettings || {};
+      settings.microsoft_dev_tunnel = setup;
+      _lastNetworkSettings = settings;
+      _renderMicrosoftDevTunnelSetup(setup, settings);
+      _renderAccessMethodSelection(settings);
+      _renderPhoneSetupGuidance(_selectedPhoneAccessMethod || 'microsoft', settings);
+    }
+    if (d.progress) _renderMicrosoftProgress(d.progress);
+    if (d.ok) {
+      var display = d.account && d.account.display ? d.account.display : '';
+      if (!opts.silent) _setMicrosoftActionStatus(display ? 'Dev Tunnels signed in as ' + display + '.' : 'Dev Tunnels sign-in verified.', 'ok');
+      return d;
+    }
+    if (!opts.silent) _setMicrosoftActionStatus(d.error || 'Dev Tunnels is not signed in yet. Finish the browser sign-in, then check again.', 'warning');
+    return d;
+  } catch (e) {
+    if (!opts.silent) {
+      if (err) { err.textContent = e.message; err.style.display = 'block'; }
+      _setMicrosoftActionStatus(e.message || 'Could not check Dev Tunnels sign-in', 'error');
+    }
+    return null;
+  } finally {
+    _microsoftLoginCheckInFlight = false;
+    if (btn) { btn.disabled = false; btn.textContent = 'Check Sign-In'; }
+  }
+}
+
+async function regenerateMicrosoftLoginCode() {
+  var err = document.getElementById('setup-network-err');
+  var btn = document.getElementById('setup-ms-login-regenerate');
+  if (err) err.style.display = 'none';
+  var original = btn ? btn.textContent : 'New Code';
+  if (btn) { btn.disabled = true; btn.textContent = 'Starting...'; }
+  try {
+    await _postMicrosoftTunnelLogin(true, { forceNew: true });
+    _setMicrosoftActionStatus('New GitHub sign-in code generated. Use the newest code shown below.', 'ok');
+    setupToast('New Microsoft tunnel sign-in code generated');
+  } catch (e) {
+    if (err) { err.textContent = e.message; err.style.display = 'block'; }
+    _setMicrosoftActionStatus(e.message || 'Could not generate a new sign-in code', 'error');
+  } finally {
+    if (btn) { btn.disabled = false; btn.textContent = original; }
+  }
+}
+
 async function _loadMicrosoftProgress() {
   try {
     var r = await fetch('/api/setup/network/microsoft-dev-tunnel/progress');
     var d = await r.json();
     if (!r.ok || !d.ok) throw new Error(d.error || 'Microsoft tunnel progress unavailable');
     _renderMicrosoftProgress(d.progress || {});
+    var login = d.progress && d.progress.login || {};
+    var ms = _lastNetworkSettings && _lastNetworkSettings.microsoft_dev_tunnel || {};
+    var checkedAt = Date.parse(login.login_checked_at || '');
+    var shouldCheckLogin = login.configured
+      && !login.running
+      && !!login.finished_at
+      && login.exit_code === 0
+      && !login.signed_in
+      && !ms.signed_in
+      && !_microsoftLoginCheckInFlight
+      && (!Number.isFinite(checkedAt) || Date.now() - checkedAt > 5000);
+    if (shouldCheckLogin) {
+      checkMicrosoftTunnelLogin({ silent: true }).catch(function() {});
+    }
     return d.progress || {};
   } catch (e) {
     _setMicrosoftActionStatus(e.message || 'Microsoft tunnel progress unavailable', 'error');
@@ -2482,18 +2881,22 @@ function _renderMicrosoftTunnelTraffic(traffic) {
   }).join('');
 }
 
-function _microsoftProbeTone(probe) {
+function _microsoftProbeTone(probe, ms) {
   if (!probe || !probe.checked) return '';
   if (probe.ctm_reachable) return 'status-ok';
-  if (probe.blocked_by_tunnel_auth || probe.diagnosis === 'tunnel_auth_required') return 'status-ok';
+  if (probe.blocked_by_tunnel_auth || probe.diagnosis === 'tunnel_auth_required') {
+    return _microsoftTunnelUsesCtmAuth(ms) ? 'status-error' : 'status-ok';
+  }
   return 'status-error';
 }
 
 function _microsoftProbeStatusText(probe, ms) {
-  if (_microsoftProbeInFlight) return 'Checking the private phone URL...';
+  if (_microsoftProbeInFlight) return 'Checking the phone URL...';
   if (!probe || !probe.checked) return 'Run this when the phone cannot load the tunnel URL.';
   if (probe.ctm_reachable) return 'CTM is reachable through the tunnel from this Mac.';
-  if (probe.blocked_by_tunnel_auth || probe.diagnosis === 'tunnel_auth_required') return 'Private Microsoft sign-in is active before CTM.';
+  if (probe.blocked_by_tunnel_auth || probe.diagnosis === 'tunnel_auth_required') {
+    return _microsoftTunnelUsesCtmAuth(ms) ? 'Unexpected Microsoft sign-in gate is blocking CTM.' : 'Private Microsoft sign-in gate is active.';
+  }
   if (probe.diagnosis === 'timeout') return 'The tunnel URL timed out before CTM responded.';
   if (probe.diagnosis === 'not_configured') return 'Start the tunnel before checking the phone URL.';
   return probe.status ? ('Tunnel check returned HTTP ' + probe.status + '.') : 'The tunnel URL is not reachable from this Mac.';
@@ -2502,13 +2905,17 @@ function _microsoftProbeStatusText(probe, ms) {
 function _microsoftProbeNoteText(probe, ms) {
   if (_microsoftProbeInFlight) return 'CTM is checking the same devtunnels.ms URL your phone opens.';
   if (!probe || !probe.checked) {
-    return 'If this reports a Microsoft gate, that is expected for a private tunnel. On the phone, sign in with the same account shown above.';
+    return _microsoftTunnelUsesCtmAuth(ms)
+      ? 'CTM-authenticated mode should reach CTM without a Microsoft/GitHub browser challenge, then CTM asks the phone to pair or sign in.'
+      : 'Private Microsoft mode may show the provider sign-in gate before CTM. After that, CTM asks the phone to pair or sign in with its CTM device token.';
   }
   if (probe.ctm_reachable) {
     return 'The Mac-side check reached CTM. If the phone still fails, refresh the phone page and check the CTM traffic list below.';
   }
   if (probe.blocked_by_tunnel_auth || probe.diagnosis === 'tunnel_auth_required') {
-    return 'The tunnel is private. This Mac-side check is stopped by Microsoft because it is not a signed-in browser session; your phone should sign in with the same Microsoft/GitHub account, then CTM will load.';
+    return _microsoftTunnelUsesCtmAuth(ms)
+      ? 'This is not expected for CTM-authenticated mode. Apply the selected mode, then check the URL again.'
+      : 'This is expected for private Microsoft Dev Tunnel access. Complete Microsoft/GitHub sign-in in the phone browser, then CTM will enforce pairing and device permissions.';
   }
   return probe.message || 'Use Recover Now if the tunnel process should be running, then check the URL again.';
 }
@@ -2521,7 +2928,7 @@ function _renderMicrosoftTunnelProbe(probe, ms, ready) {
   if (!panel) return;
   panel.style.display = ready ? '' : 'none';
   panel.classList.remove('status-ok', 'status-warn', 'status-error');
-  var tone = _microsoftProbeTone(probe);
+  var tone = _microsoftProbeTone(probe, ms);
   if (tone) panel.classList.add(tone);
   if (status) status.textContent = _microsoftProbeStatusText(probe, ms);
   if (note) note.textContent = _microsoftProbeNoteText(probe, ms);
@@ -2531,6 +2938,19 @@ function _renderMicrosoftTunnelProbe(probe, ms, ready) {
   }
 }
 
+function _renderMicrosoftPrivateAccessWarning(ms) {
+  var warning = document.getElementById('setup-ms-private-warning');
+  var resetBtn = document.getElementById('setup-ms-reset-private');
+  if (!warning) return false;
+  var needsReset = _microsoftNeedsPrivateAccessReset(ms);
+  warning.style.display = needsReset ? '' : 'none';
+  if (resetBtn) {
+    resetBtn.disabled = !needsReset || _microsoftSetupInFlight;
+    resetBtn.textContent = _microsoftSetupInFlight ? 'Working...' : 'Reset to private';
+  }
+  return needsReset;
+}
+
 function _renderMicrosoftDevTunnelSetup(ms, d) {
   ms = ms || {};
   var managed = ms.managed_tunnel || {};
@@ -2544,6 +2964,7 @@ function _renderMicrosoftDevTunnelSetup(ms, d) {
   var mobileUrl = document.getElementById('setup-ms-mobile-url');
   var inspectUrl = document.getElementById('setup-ms-inspect-url');
   var setupBtn = document.getElementById('setup-ms-setup');
+  var switchLoginBtn = document.getElementById('setup-ms-switch-login');
   var stopBtn = document.getElementById('setup-ms-stop');
   var installCommand = document.getElementById('setup-ms-install-command');
   var loginCommand = document.getElementById('setup-ms-login-command');
@@ -2560,16 +2981,45 @@ function _renderMicrosoftDevTunnelSetup(ms, d) {
   var inspect = managed.inspect_url || ms.inspect_url || '';
   var accountText = _microsoftTunnelAccountText(ms);
   var availability = _microsoftAvailabilityCopy(ms, ready);
+  var needsPrivateReset = _microsoftNeedsPrivateAccessReset(ms);
+  var accessMode = _microsoftTunnelSelectedAccessMode(ms);
+  var currentAccessMode = _microsoftTunnelCurrentAccessMode(ms);
+  var accessModeMatches = currentAccessMode === accessMode;
+  var ctmAuthenticated = accessMode === 'ctm_authenticated';
+  var ctmModeBtn = document.getElementById('setup-ms-mode-ctm');
+  var privateModeBtn = document.getElementById('setup-ms-mode-private');
+  var providerLabel = _msProviderLabel();
+  _renderMicrosoftPrivateAccessWarning(ms);
+  _renderMicrosoftLoginProvider();
+
+  if (ctmModeBtn) {
+    ctmModeBtn.setAttribute('aria-pressed', ctmAuthenticated ? 'true' : 'false');
+    ctmModeBtn.disabled = _microsoftSetupInFlight;
+  }
+  if (privateModeBtn) {
+    privateModeBtn.setAttribute('aria-pressed', !ctmAuthenticated ? 'true' : 'false');
+    privateModeBtn.disabled = _microsoftSetupInFlight;
+  }
 
   if (summary) {
     if (!installed) {
       summary.textContent = 'CTM can install Microsoft Dev Tunnels, open sign-in on this Mac, then start a browser URL for your phone.';
     } else if (!signedIn) {
-      summary.textContent = 'Sign in once with GitHub on this Mac. After sign-in finishes, CTM starts the tunnel and creates the phone pairing QR.';
+      summary.textContent = 'Sign in once with ' + providerLabel + ' on this Mac. After sign-in finishes, CTM starts the tunnel and creates the phone pairing QR.';
+    } else if (needsPrivateReset) {
+      summary.textContent = ctmAuthenticated
+        ? 'Microsoft tunnel is ready for CTM-authenticated phone access. CTM will apply this mode before sharing the URL.'
+        : 'Microsoft tunnel is running, but anonymous connect access is still enabled from older setup. Reset to private before sharing the URL.';
+    } else if (ready && accessModeMatches) {
+      summary.textContent = ctmAuthenticated
+        ? 'Microsoft tunnel is running in CTM-authenticated mode. Open the phone URL and CTM will handle pairing and sign-in.'
+        : 'Microsoft tunnel is running privately. Open the phone URL, pass Microsoft/GitHub tunnel auth, then CTM will handle pairing and sign-in.';
     } else if (ready) {
-      summary.textContent = 'Private Microsoft tunnel is running. Open the phone URL, sign in with the same account if asked, then pair with CTM.';
+      summary.textContent = ctmAuthenticated
+        ? 'Microsoft tunnel is running with the private Microsoft gate. Apply CTM-authenticated mode so the phone can reach CTM directly.'
+        : 'Microsoft tunnel is running with CTM-authenticated access. Apply private Microsoft gate if you want provider auth before CTM.';
     } else {
-      summary.textContent = 'CTM can start the private tunnel now, remove stale anonymous access, and create the phone pairing QR.';
+      summary.textContent = 'CTM can start the tunnel, make the URL reachable by the phone, and create the phone pairing QR.';
     }
   }
   if (account) {
@@ -2580,8 +3030,12 @@ function _renderMicrosoftDevTunnelSetup(ms, d) {
   if (inspectUrl) inspectUrl.textContent = inspect || 'Start tunnel first';
   if (readyLinks) readyLinks.style.display = ready ? '' : 'none';
   if (panelStatus) {
-    panelStatus.textContent = ready
+    panelStatus.textContent = needsPrivateReset
+      ? 'Reset to private'
+      : ready && accessModeMatches
       ? (keepAwake.enabled && keepAwake.running ? 'Ready, kept awake' : 'Ready')
+      : ready
+      ? 'Apply mode'
       : (!installed ? 'Needs setup' : (!signedIn ? 'Sign in required' : 'Ready to start'));
   }
   if (availabilityStatus) {
@@ -2590,9 +3044,11 @@ function _renderMicrosoftDevTunnelSetup(ms, d) {
   }
   if (availabilityNote) {
     var lastRecovered = managed.last_watchdog_recovered_at ? new Date(managed.last_watchdog_recovered_at).toLocaleString() : '';
-    availabilityNote.textContent = keepAwake.enabled
+    var baseNote = keepAwake.enabled
       ? (keepAwake.running ? 'macOS sleep prevention is active while CTM is running.' : 'CTM will try to restart the keep-awake assertion automatically.')
       : (lastRecovered ? 'Last tunnel recovery: ' + lastRecovered : 'Default mode recovers after wake, but it cannot serve the phone while the Mac is asleep.');
+    var lastEvent = _msLastHostEventText(managed.host_events);
+    availabilityNote.textContent = lastEvent ? baseNote + ' ' + lastEvent : baseNote;
   }
   if (keepAwakeInput) {
     keepAwakeInput.checked = !!keepAwake.enabled;
@@ -2612,21 +3068,31 @@ function _renderMicrosoftDevTunnelSetup(ms, d) {
   if (runCommand) runCommand.textContent = managed.run_command || (commands.host_temporary && commands.host_temporary.display) || '';
   _setMicrosoftStep('setup-ms-step-install', installed ? 'done' : 'active');
   _setMicrosoftStep('setup-ms-step-login', signedIn ? 'done' : (installed ? 'active' : 'pending'));
-  _setMicrosoftStep('setup-ms-step-run', ready ? 'done' : (installed && signedIn ? 'active' : 'pending'));
+  _setMicrosoftStep('setup-ms-step-run', ready && accessModeMatches ? 'done' : (installed && signedIn ? 'active' : 'pending'));
   if (setupBtn) {
-    setupBtn.disabled = ready || _microsoftSetupInFlight;
-    setupBtn.textContent = ready
+    setupBtn.disabled = (ready && accessModeMatches) || _microsoftSetupInFlight;
+    setupBtn.textContent = ready && accessModeMatches
       ? 'Ready'
-      : (_microsoftSetupInFlight ? 'Working...' : (!installed ? 'Set Up' : (!signedIn ? 'Open Sign-In' : 'Start Tunnel')));
-    setupBtn.title = ready ? 'Microsoft tunnel phone access is ready to use.' : '';
+      : (_microsoftSetupInFlight ? 'Working...' : (!installed ? 'Set Up' : (!signedIn ? 'Open Sign-In' : (ready ? 'Apply Mode' : 'Start Tunnel'))));
+    setupBtn.title = ready && accessModeMatches ? 'Microsoft tunnel phone access is ready to use.' : '';
+  }
+  if (switchLoginBtn) {
+    switchLoginBtn.style.display = installed && signedIn ? '' : 'none';
+    switchLoginBtn.disabled = _microsoftSetupInFlight;
+    switchLoginBtn.textContent = 'Use Different Account';
+    switchLoginBtn.title = 'Sign out of the current Dev Tunnels account and start ' + providerLabel + ' device sign-in.';
   }
   if (stopBtn) {
     stopBtn.disabled = !ready;
   }
   if (securityNote) {
-    securityNote.textContent = ready
-      ? 'Private Microsoft access is on. CTM also requires the pairing QR, device token, route permissions, and passkey step-up for high-risk actions.'
-      : 'Set Up keeps anonymous access off and resets stale public access before the tunnel is marked ready. Do not share the pairing QR or claim link.';
+    securityNote.textContent = needsPrivateReset
+      ? 'Anonymous Dev Tunnel connect access is detected. Reset to private before sharing the desktop or phone URL.'
+      : (ctmAuthenticated
+        ? 'CTM-authenticated mode creates a connect-only anonymous Dev Tunnel rule so the browser can reach CTM. CTM still requires pairing, device token, route permissions, and passkey step-up.'
+        : (ready
+          ? 'Private Microsoft tunnel is running. Remote browsers pass Microsoft/GitHub tunnel auth first; CTM still requires pairing, device token, route permissions, and passkey step-up.'
+          : 'Private Microsoft gate creates no anonymous tunnel access; remote browsers must pass Microsoft/GitHub auth before CTM loads.'));
   }
   _renderMicrosoftTunnelTraffic(ms.traffic || {});
   _renderMicrosoftTunnelProbe(_microsoftTunnelProbe || ms.public_probe || null, ms, ready);
@@ -2646,30 +3112,31 @@ function _renderAccessMethodSelection(d) {
   var cfPossible = _cloudflareAutoPossible(cfAuto);
   var msReady = _microsoftTunnelReady(d);
   var msCanStart = _microsoftTunnelCanStart(d);
+  var msNeedsPrivateReset = _microsoftNeedsPrivateAccessReset(ms);
+  var msModeMismatch = msReady && !_microsoftAccessModeMatchesSelection(ms);
   _setMethodButton('setup-method-microsoft', method === 'microsoft');
   _setMethodButton('setup-method-walle', method === 'walle');
   _setMethodButton('setup-method-tailscale', method === 'tailscale');
   _setMethodButton('setup-method-cloudflare', method === 'cloudflare');
-  _setMethodBadge(
-    'setup-method-microsoft-badge',
-    msReady ? 'Ready' : (msCanStart ? 'Start' : (ms.installed ? 'Sign in' : 'Install')),
-    msReady ? 'ok' : (msCanStart ? 'info' : (ms.installed ? 'warn' : 'missing'))
-  );
-  _setMethodBadge(
-    'setup-method-walle-badge',
+  // Live connection-health overlays the setup-state badge when we have a health record
+  // (Ready / Attention / Offline–Reconnect / Expired–Reconnect / Error); not_configured
+  // falls back to the setup wizard state (Install / Sign in / Start / Set up).
+  _applyHealthBadge('microsoft', 'setup-method-microsoft-badge',
+    msNeedsPrivateReset ? 'Reset' : (msModeMismatch ? 'Apply' : (msReady ? 'Ready' : (msCanStart ? 'Start' : (ms.installed ? 'Sign in' : 'Install')))),
+    msNeedsPrivateReset ? 'warn' : (msModeMismatch ? 'warn' : (msReady ? 'ok' : (msCanStart ? 'info' : (ms.installed ? 'warn' : 'missing')))));
+  _applyHealthBadge('walle', 'setup-method-walle-badge',
     _walleRemoteHostedPairingReady(d) ? 'Ready' : (walleReady ? 'Relay pending' : 'Set up'),
-    _walleRemoteHostedPairingReady(d) ? 'ok' : (walleReady ? 'warn' : 'info')
-  );
-  _setMethodBadge(
-    'setup-method-tailscale-badge',
+    _walleRemoteHostedPairingReady(d) ? 'ok' : (walleReady ? 'warn' : 'info'));
+  _applyHealthBadge('tailscale', 'setup-method-tailscale-badge',
     tsReady ? 'Ready' : (ts.available ? 'Auto setup' : 'Not detected'),
-    tsReady ? 'ok' : (ts.available ? 'info' : 'missing')
-  );
+    tsReady ? 'ok' : (ts.available ? 'info' : 'missing'));
   _setMethodBadge(
     'setup-method-cloudflare-badge',
     cfReady ? 'Ready' : (cfPossible ? 'API setup' : 'Install'),
     cfReady ? 'ok' : (cfPossible ? 'info' : 'warn')
   );
+  // IA: foreground the selected method; collapse the rest under "Other ways to connect".
+  _applyRecommendedLayout(method);
 
   var msPanel = document.getElementById('setup-microsoft-details');
   var wallePanel = document.getElementById('setup-walle-remote-details');
@@ -2700,6 +3167,13 @@ function _renderAccessMethodSelection(d) {
       ? 'Ready on ' + (cfOrigin || managed.hostname || 'the Cloudflare URL')
       : (cfPossible ? 'API setup can create Access, DNS, tunnel, and phone QR. No cloudflared login cert is required.' : 'Install cloudflared before auto setup.');
   }
+  // When a method is live-broken, its panel status line shows the health detail (so the
+  // single status truth is consistent with the badge + alert banner).
+  [['microsoft', 'setup-ms-panel-status'], ['walle', 'setup-walle-remote-panel-status'], ['tailscale', 'setup-tailscale-panel-status']].forEach(function(pair) {
+    var rec = _healthByMethod[pair[0]];
+    var el = document.getElementById(pair[1]);
+    if (el && rec && _isBrokenHealth(rec.state)) el.textContent = rec.detail;
+  });
 }
 
 function selectPhoneAccessMethod(method) {
@@ -2710,6 +3184,130 @@ function selectPhoneAccessMethod(method) {
   _applySelectedPhoneOrigin(d, true);
 }
 
+// ---- Connection health: live status + expiry + Reconnect + auto-recovery -------------
+function _methodDisplayName(method) {
+  return method === 'microsoft' ? 'Microsoft tunnel'
+    : method === 'walle' ? 'Walle Remote'
+    : method === 'tailscale' ? 'Tailscale'
+    : method === 'cloudflare' ? 'Cloudflare Access' : String(method || '');
+}
+
+function _isBrokenHealth(state) { return state === 'offline' || state === 'expired' || state === 'error'; }
+
+function _healthBadgeForState(state) {
+  switch (state) {
+    case 'ok': return { text: 'Ready', tone: 'ok' };
+    case 'warning': return { text: 'Attention', tone: 'warn' };
+    case 'offline': return { text: 'Offline — Reconnect', tone: 'error' };
+    case 'expired': return { text: 'Expired — Reconnect', tone: 'error' };
+    case 'error': return { text: 'Error', tone: 'error' };
+    default: return null; // not_configured → fall back to the setup-state badge
+  }
+}
+
+// Use the live health badge when we have one; otherwise the setup-state fallback.
+function _applyHealthBadge(method, badgeId, fallbackText, fallbackTone) {
+  var rec = _healthByMethod[method];
+  var hb = rec ? _healthBadgeForState(rec.state) : null;
+  if (hb) _setMethodBadge(badgeId, hb.text, hb.tone);
+  else _setMethodBadge(badgeId, fallbackText, fallbackTone);
+}
+
+async function loadConnectionHealth() {
+  try {
+    var r = await fetch('/api/setup/connection-health');
+    var d = await r.json();
+    if (!r.ok || !d || d.ok === false) return;
+    _lastConnectionHealth = d;
+    _healthByMethod = {};
+    (d.methods || []).forEach(function(m) { _healthByMethod[m.method] = m; });
+    _renderConnectionHealth(d);
+  } catch (e) { /* keep last rendered state; retry next tick */ }
+}
+
+function _scheduleConnectionHealthPoll() {
+  clearTimeout(_connectionHealthTimer);
+  _connectionHealthTimer = setTimeout(function() {
+    var section = document.getElementById('setup-section-access');
+    var visible = section && section.offsetParent !== null;
+    if (visible) loadConnectionHealth();
+    _scheduleConnectionHealthPoll();
+  }, 20000);
+}
+
+// Re-fetch health the moment the user returns to the tab/window, so a connection they
+// fixed externally auto-recovers immediately (not just on the next 20s poll).
+function _refreshAccessHealthOnReturn() {
+  var section = document.getElementById('setup-section-access');
+  if (section && section.offsetParent !== null) loadConnectionHealth();
+}
+
+function _renderConnectionHealth(health) {
+  // Re-render badges/status with the health overlay (uses _healthByMethod), then the
+  // Reconnect banner and any transition notifications.
+  _renderAccessMethodSelection(_lastNetworkSettings || {});
+  _renderAccessHealthAlert((health && health.methods) || []);
+  ((health && health.transitions) || []).forEach(function(t) {
+    var rec = _healthByMethod[t.method] || {};
+    var verb = rec.state === 'expired' ? 'expired' : (rec.state === 'error' ? 'has an error' : 'is offline');
+    _notifyConnectionBroken(t.method, _methodDisplayName(t.method) + ' ' + verb, rec.detail || '');
+  });
+}
+
+function _renderAccessHealthAlert(records) {
+  var el = document.getElementById('setup-access-alert');
+  if (!el) return;
+  var broken = (records || []).filter(function(r) { return _isBrokenHealth(r.state); });
+  if (!broken.length) { el.style.display = 'none'; el.innerHTML = ''; return; }
+  var KNOWN = { microsoft: 1, walle: 1, tailscale: 1, cloudflare: 1 };
+  el.innerHTML = broken.map(function(r) {
+    var method = KNOWN[r.method] ? r.method : ''; // whitelist before it enters the onclick
+    var name = _escHtml(_methodDisplayName(r.method));
+    var detail = _escHtml(r.detail || (r.state === 'expired' ? 'Expired — reconnect.' : 'Offline — reconnect.'));
+    var btn = (r.action && method)
+      ? '<button type="button" class="btn small" onclick="SETUP.triggerReconnect(\'' + method + '\')">Reconnect</button>'
+      : '';
+    return '<div class="setup-access-alert-row"><span>&#9888; <strong>' + name + '</strong> — ' + detail + '</span>' + btn + '</div>';
+  }).join('');
+  el.style.display = '';
+}
+
+function _notifyConnectionBroken(method, title, detail) {
+  try { if (typeof showToast === 'function') showToast(title + ' — click to reconnect', 'var(--red, #e5484d)', 9000, function() { triggerReconnect(method); }); } catch (e) {}
+  try {
+    if (typeof Notification !== 'undefined' && Notification.permission === 'granted' && document.hidden) {
+      new Notification('Phone access offline', { body: title + (detail ? ' — ' + detail : '') });
+    }
+  } catch (e) {}
+}
+
+async function triggerReconnect(method) {
+  var rec = _healthByMethod[method];
+  if (!rec || !rec.action || !rec.action.endpoint) { loadConnectionHealth(); return; }
+  try {
+    var verb = rec.action.method || 'POST';
+    var opts = { method: verb };
+    if (verb !== 'GET') { opts.headers = { 'Content-Type': 'application/json' }; opts.body = '{}'; }
+    await fetch(rec.action.endpoint, opts);
+  } catch (e) {}
+  setTimeout(loadConnectionHealth, 800); // re-probe so the badge/banner auto-recover
+}
+
+// Phase 3 IA: foreground the (selected/recommended) method; collapse the rest under
+// "Other ways to connect". Idempotent — reparents a button only when it isn't already
+// in the right container (no flicker on re-render).
+function _applyRecommendedLayout(foreground) {
+  var primary = document.getElementById('setup-access-primary');
+  var others = document.getElementById('setup-access-others-list');
+  if (!primary || !others) return;
+  ['microsoft', 'walle', 'tailscale'].forEach(function(m) {
+    var btn = document.getElementById('setup-method-' + m);
+    if (!btn) return;
+    var target = (m === foreground) ? primary : others;
+    if (btn.parentNode !== target) target.appendChild(btn);
+  });
+}
+
 function _renderWalleRemoteDevices(devices) {
   var list = document.getElementById('setup-walle-remote-devices');
   if (!list) return;
@@ -2751,9 +3349,9 @@ function _renderWalleRemoteSetup(remote) {
     if (hostedReady) {
       summary.textContent = 'This Mac is connected to hosted Walle Relay. Pair a phone from Walle mobile to continue CTM work without Tailscale.';
     } else if (status.ok) {
-      summary.textContent = 'The local CTM relay contract is ready, but hosted Walle Relay pairing is not connected yet. m.walle.sh is not a working CTM phone URL for this install; use Cloudflare Access or Tailscale until hosted relay is enabled.';
+      summary.textContent = 'The local CTM relay contract is ready, but hosted Walle Relay pairing is not connected yet. m.walle.sh is not a working CTM phone URL for this install; use Microsoft tunnel or Tailscale until hosted relay is enabled.';
     } else {
-      summary.textContent = 'Walle Remote status is unavailable. Tailscale and Cloudflare remain available below.';
+      summary.textContent = 'Walle Remote status is unavailable. Microsoft tunnel and Tailscale remain available below.';
     }
   }
   if (panelStatus) {
@@ -2802,7 +3400,7 @@ async function createWalleRemoteClaim() {
   _setDeviceError('');
   var status = _lastRemoteStatus || await loadWalleRemoteStatus();
   if (!_walleRemoteHostedPairingReady({ remote_relay: status })) {
-    _setDeviceError('Walle Remote hosted pairing is not connected yet, so CTM will not generate a Tailscale-based pairing QR. Use Cloudflare Access fallback for phone access until hosted Walle Relay is enabled.');
+    _setDeviceError('Walle Remote hosted pairing is not connected yet, so CTM will not generate a Walle Remote pairing QR. Use Microsoft tunnel or Tailscale until hosted Walle Relay is enabled.');
     _renderWalleRemoteSetup(status);
     return null;
   }
@@ -2810,6 +3408,9 @@ async function createWalleRemoteClaim() {
   await _persistDeviceLabel(label, { immediate: true }).catch(function(e) {
     _setDeviceError(e.message || 'Phone label save failed');
   });
+  await _persistDeviceScopes(_selectedDeviceScopes(), { immediate: true }).catch(function(e) {
+    _setDeviceError(e.message || 'Phone permission save failed');
+  });
   var origin = _preferredPhoneOrigin({ remote_relay: status }, 'walle');
   var btn = document.getElementById('setup-walle-remote-pair');
   var original = btn ? btn.textContent : 'Pair Phone';
@@ -3143,6 +3744,14 @@ async function loadNetworkSettings() {
   } catch (e) {
     if (err) { err.textContent = e.message; err.style.display = 'block'; }
     _setNetworkStatus('Network settings unavailable', false);
+    // Network settings never loaded — clear the "Resolving…" loading state so
+    // the Pairing Origin field doesn't stay stuck on it. Let the user type one.
+    var bestUrl = document.getElementById('setup-phone-best-url');
+    if (bestUrl && bestUrl.textContent === 'Resolving…') bestUrl.textContent = 'Unavailable';
+    var phoneInput = document.getElementById('setup-device-origin');
+    if (phoneInput && phoneInput.placeholder === 'Resolving phone URL…') {
+      phoneInput.placeholder = 'Enter your phone URL manually';
+    }
     return null;
   }
 }
@@ -3190,12 +3799,13 @@ async function _postMicrosoftTunnelInstall() {
   return d;
 }
 
-async function _postMicrosoftTunnelLogin(deviceCode) {
+async function _postMicrosoftTunnelLogin(deviceCode, options) {
+  options = options || {};
   _startMicrosoftProgressPolling();
   var r = await fetch('/api/setup/network/microsoft-dev-tunnel/login', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ device_code: deviceCode !== false, provider: 'github' }),
+    body: JSON.stringify({ device_code: deviceCode !== false, provider: _msLoginProvider(), force_new: !!options.forceNew }),
   });
   var d = await r.json();
   if (!r.ok || !d.ok) throw new Error(d.error || 'Could not start devtunnel login');
@@ -3253,9 +3863,9 @@ async function setupMicrosoftTunnel() {
   if (err) err.style.display = 'none';
   if (btn) { btn.disabled = true; btn.textContent = 'Working...'; }
   try {
-    var d = _lastNetworkSettings || await loadNetworkSettings() || {};
+    var d = await loadNetworkSettings() || _lastNetworkSettings || {};
     var ms = d.microsoft_dev_tunnel || {};
-    if (_microsoftTunnelReady(d)) {
+    if (_microsoftTunnelReady(d) && _microsoftAccessModeMatchesSelection(ms)) {
       _setMicrosoftActionStatus('Microsoft tunnel is already ready.', 'ok');
       return;
     }
@@ -3270,18 +3880,19 @@ async function setupMicrosoftTunnel() {
     }
 
     if (!ms.signed_in) {
-      _setMicrosoftActionStatus('Opening GitHub sign-in. Enter the code shown below on the GitHub page; no phone notification is sent.', '');
+      var signInLabel = _msProviderLabel();
+      _setMicrosoftActionStatus('Opening ' + signInLabel + ' sign-in. Enter the code shown below on the ' + signInLabel + ' page; no phone notification is sent.', '');
       if (btn) btn.textContent = 'Waiting...';
       await _postMicrosoftTunnelLogin(true);
       d = await _waitForMicrosoftSignIn(90000, 2000);
       if (!d) {
-        _setMicrosoftActionStatus('Sign-in is still waiting. Enter the displayed code on the GitHub page, choose the account there, then click Set Up again.', '');
+        _setMicrosoftActionStatus('Sign-in is still waiting. Enter the displayed code on the ' + signInLabel + ' page, choose the account there, then click Set Up again.', '');
         return;
       }
       ms = d.microsoft_dev_tunnel || {};
     }
 
-    if (!_microsoftTunnelReady(d)) {
+    if (!_microsoftTunnelReady(d) || !_microsoftAccessModeMatchesSelection(ms)) {
       await startMicrosoftTunnel();
     }
   } catch (e) {
@@ -3302,7 +3913,7 @@ async function startMicrosoftTunnelLogin(deviceCode) {
   if (btn) { btn.disabled = true; btn.textContent = 'Starting...'; }
   try {
     await _postMicrosoftTunnelLogin(deviceCode !== false);
-    _setMicrosoftActionStatus('Sign-in started. Enter the displayed code on the GitHub page; CTM will detect the account after Dev Tunnels finishes.', 'ok');
+    _setMicrosoftActionStatus('Sign-in started. Enter the displayed code on the ' + _msProviderLabel() + ' page; CTM will detect the account after Dev Tunnels finishes.', 'ok');
     setupToast('Microsoft tunnel login started');
   } catch (e) {
     if (err) { err.textContent = e.message; err.style.display = 'block'; }
@@ -3312,6 +3923,39 @@ async function startMicrosoftTunnelLogin(deviceCode) {
   }
 }
 
+async function switchMicrosoftTunnelLogin() {
+  var err = document.getElementById('setup-network-err');
+  var btn = document.getElementById('setup-ms-switch-login');
+  if (err) err.style.display = 'none';
+  if (btn) { btn.disabled = true; btn.textContent = 'Signing out...'; }
+  _setMicrosoftActionStatus('Signing out of the current Dev Tunnels account...', '');
+  try {
+    var logoutRes = await fetch('/api/setup/network/microsoft-dev-tunnel/logout', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: '{}',
+    });
+    var logoutData = await logoutRes.json();
+    if (!logoutRes.ok || !logoutData.ok) throw new Error(logoutData.error || 'Could not sign out of Dev Tunnels');
+    if (_lastNetworkSettings) {
+      _lastNetworkSettings.microsoft_dev_tunnel = logoutData.setup || _lastNetworkSettings.microsoft_dev_tunnel || {};
+    }
+    _renderMicrosoftDevTunnelSetup((_lastNetworkSettings || {}).microsoft_dev_tunnel || {}, _lastNetworkSettings || {});
+    var switchLabel = _msProviderLabel();
+    _setMicrosoftActionStatus('Signed out. Starting ' + switchLabel + ' sign-in now...', '');
+    if (btn) btn.textContent = 'Opening ' + switchLabel + '...';
+    var loginData = await _postMicrosoftTunnelLogin(true, { forceNew: true });
+    _renderMicrosoftProgress(loginData.progress || {});
+    _setMicrosoftActionStatus(switchLabel + ' sign-in started. Enter the displayed code on the ' + switchLabel + ' page, then click Set Up again after it finishes.', 'ok');
+    setupToast(switchLabel + ' sign-in started');
+  } catch (e) {
+    if (err) { err.textContent = e.message; err.style.display = 'block'; }
+    _setMicrosoftActionStatus(e.message || 'Could not switch Dev Tunnels account', 'error');
+  } finally {
+    if (btn) { btn.disabled = false; btn.textContent = 'Use Different Account'; }
+  }
+}
+
 async function startMicrosoftTunnel() {
   var err = document.getElementById('setup-network-err');
   var btn = document.getElementById('setup-ms-setup');
@@ -3321,10 +3965,12 @@ async function startMicrosoftTunnel() {
   if (btn) { btn.disabled = true; btn.textContent = 'Starting...'; }
   var completed = false;
   try {
+    var settings = _lastNetworkSettings || {};
+    var mode = _microsoftTunnelSelectedAccessMode(settings.microsoft_dev_tunnel || {});
     var r = await fetch('/api/setup/network/microsoft-dev-tunnel/start', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({}),
+      body: JSON.stringify({ access_mode: mode }),
     });
     var d = await r.json();
     if (!r.ok || !d.ok) throw new Error(d.error || 'Microsoft tunnel setup failed');
@@ -3358,7 +4004,10 @@ async function startMicrosoftTunnel() {
     _renderPhoneSetupGuidance('microsoft', updatedNetwork);
     _renderDeviceClaimAction(updatedNetwork);
     _setNetworkStatus('Microsoft tunnel ready', true);
-    _setMicrosoftActionStatus('Microsoft tunnel is ready. Use the phone URL or Pair Phone below.', 'ok');
+    _setMicrosoftActionStatus(mode === 'ctm_authenticated'
+      ? 'Microsoft tunnel is ready. The phone URL should load CTM directly, then CTM will handle pairing.'
+      : 'Microsoft tunnel is ready. Sign in to Microsoft/GitHub in the phone browser, then CTM will handle pairing.',
+      'ok');
     setupToast('Microsoft tunnel ready');
     completed = true;
     var createClaim = !!(document.getElementById('setup-ms-create-claim') || {}).checked;
@@ -3433,6 +4082,80 @@ async function recoverMicrosoftTunnel() {
   }
 }
 
+async function resetMicrosoftTunnelPrivateAccess() {
+  if (_microsoftSetupInFlight) return;
+  _microsoftSetupInFlight = true;
+  var err = document.getElementById('setup-network-err');
+  var btn = document.getElementById('setup-ms-reset-private');
+  if (err) err.style.display = 'none';
+  if (btn) { btn.disabled = true; btn.textContent = 'Resetting...'; }
+  _setMicrosoftActionStatus('Resetting Microsoft Dev Tunnel access to private...', '');
+  try {
+    var settings = _lastNetworkSettings || await loadNetworkSettings() || {};
+    var ms = settings.microsoft_dev_tunnel || {};
+    var managed = ms.managed_tunnel || {};
+    var r = await fetch('/api/setup/network/microsoft-dev-tunnel/reset-private', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ tunnel_id: managed.tunnel_id || ms.tunnel_id || '' }),
+    });
+    var d = await r.json();
+    if (!r.ok || !d.ok) throw new Error(d.error || 'Could not reset Microsoft tunnel access to private');
+    var latest = d.microsoft_dev_tunnel || await loadNetworkSettings();
+    if (latest && latest.microsoft_dev_tunnel) {
+      settings = latest;
+    } else {
+      settings.microsoft_dev_tunnel = {
+        ...ms,
+        managed_tunnel: {
+          ...managed,
+          ...(d.managed_tunnel || {}),
+          access: d.access || (d.managed_tunnel && d.managed_tunnel.access) || {},
+        },
+        access: d.access || {},
+      };
+    }
+    _microsoftTunnelAccessMode = 'private_microsoft';
+    _microsoftTunnelAccessModeTouched = true;
+    _lastNetworkSettings = settings;
+    _renderMicrosoftDevTunnelSetup(settings.microsoft_dev_tunnel || {}, settings);
+    _renderAccessMethodSelection(settings);
+    _renderPhoneSetupGuidance(_selectedPhoneAccessMethod || 'microsoft', settings);
+    _setMicrosoftActionStatus('Anonymous access removed. Microsoft Dev Tunnel is private again.', 'ok');
+    setupToast('Microsoft tunnel reset to private');
+  } catch (e) {
+    if (err) { err.textContent = e.message; err.style.display = 'block'; }
+    _setMicrosoftActionStatus(e.message || 'Could not reset Microsoft tunnel access to private', 'error');
+  } finally {
+    _microsoftSetupInFlight = false;
+    var latestSettings = _lastNetworkSettings || {};
+    _renderMicrosoftDevTunnelSetup((latestSettings && latestSettings.microsoft_dev_tunnel) || {}, latestSettings);
+  }
+}
+
+async function setMicrosoftTunnelAccessMode(mode) {
+  var normalized = _normalizeMicrosoftTunnelAccessMode(mode) || 'ctm_authenticated';
+  if (_microsoftTunnelAccessMode === normalized && _microsoftTunnelAccessModeTouched) return;
+  _microsoftTunnelAccessMode = normalized;
+  _microsoftTunnelAccessModeTouched = true;
+  var settings = _lastNetworkSettings || {};
+  var ms = settings.microsoft_dev_tunnel || {};
+  _renderMicrosoftDevTunnelSetup(ms, settings);
+  _renderPhoneSetupGuidance(_selectedPhoneAccessMethod || 'microsoft', settings);
+  var ready = _microsoftTunnelReady(settings);
+  if (ready && !_microsoftAccessModeMatchesSelection(ms)) {
+    _setMicrosoftActionStatus(normalized === 'ctm_authenticated'
+      ? 'CTM-authenticated mode selected. Click Apply Mode to let phones reach CTM (CTM passkey + device token still gate access).'
+      : 'Private Microsoft gate selected. Click Apply Mode — note: the interactive sign-in breaks the phone PWA/WebSocket, so use this only for a plain desktop browser.',
+      '');
+  } else {
+    _setMicrosoftActionStatus(normalized === 'ctm_authenticated'
+      ? 'CTM-authenticated mode selected for the next tunnel start.'
+      : 'Private Microsoft gate selected for the next tunnel start (breaks the phone PWA — desktop browser only).',
+      '');
+  }
+}
+
 async function probeMicrosoftTunnel() {
   var err = document.getElementById('setup-network-err');
   var latest = _lastNetworkSettings || {};
@@ -3455,7 +4178,10 @@ async function probeMicrosoftTunnel() {
     }
     _renderMicrosoftDevTunnelSetup((_lastNetworkSettings || {}).microsoft_dev_tunnel || ms, _lastNetworkSettings || latest);
     if (probe.blocked_by_tunnel_auth || probe.diagnosis === 'tunnel_auth_required') {
-      _setMicrosoftActionStatus('Private Microsoft sign-in is active before CTM. On the phone, sign in with the same Microsoft/GitHub account shown here.', 'ok');
+      _setMicrosoftActionStatus(_microsoftTunnelUsesCtmAuth((_lastNetworkSettings || {}).microsoft_dev_tunnel || ms)
+        ? 'The phone URL is still blocked by Microsoft tunnel auth. Apply CTM-authenticated mode, then check again.'
+        : 'Private Microsoft sign-in gate is active. Sign in on the phone browser, then CTM will ask for pairing.',
+        _microsoftTunnelUsesCtmAuth((_lastNetworkSettings || {}).microsoft_dev_tunnel || ms) ? 'error' : 'ok');
     } else if (probe.ctm_reachable) {
       _setMicrosoftActionStatus('Phone URL reached CTM from this Mac.', 'ok');
     } else {
@@ -3710,7 +4436,7 @@ function _selectedDeviceScopes() {
   document.querySelectorAll('#setup-device-card [data-device-scope]').forEach(function(cb) {
     if (cb.checked) scopes.push(cb.getAttribute('data-device-scope'));
   });
-  return scopes.length ? scopes : ['read', 'respond'];
+  return _normalizeDeviceScopes(scopes);
 }
 
 function _scopeLabel(scope) {
@@ -3844,10 +4570,14 @@ async function _syncVisibleDeviceClaimScopes() {
 
 function _onDeviceScopesChanged(event) {
   var target = event && event.target;
+  _deviceScopeUserTouched = true;
   _normalizeDeviceScopeCheckboxes(target);
   var scopes = _selectedDeviceScopes();
+  _persistDeviceScopes(scopes, { immediate: true }).catch(function(e) {
+    _setDeviceError(e.message || 'Phone permission save failed');
+  });
   if (!_deviceClaimVisible()) {
-    _setDeviceScopeStatus('Selected permissions for the next QR: ' + _scopeListText(scopes) + '.', '');
+    _setDeviceScopeStatus('Selected permissions for the next QR: ' + _scopeListText(scopes) + '. CTM will remember this after restart.', '');
     return;
   }
   if (_scopeKey(scopes) === _scopeKey(_activeDeviceClaim.scopes)) {
@@ -3887,6 +4617,7 @@ function _invalidateVisibleDeviceClaim(reason) {
 function initDeviceScopeControls() {
   if (_deviceScopeControlsBound) return;
   _deviceScopeControlsBound = true;
+  _normalizeDeviceScopeCheckboxes();
   document.querySelectorAll('#setup-device-card [data-device-scope]').forEach(function(cb) {
     cb.addEventListener('change', _onDeviceScopesChanged);
   });
@@ -3951,6 +4682,11 @@ function _deviceDuplicateText(device) {
   return String(device.duplicate_count) + ' similar pairings';
 }
 
+function _deviceDuplicateActionText(device) {
+  if (!device || Number(device.duplicate_count || 0) <= 1) return '';
+  return device.duplicate_of ? 'Keep this phone' : 'Keep newest';
+}
+
 function _deviceIsRemoved(device) {
   if (!device) return false;
   var auth = String(device.authorization_status || '').toLowerCase();
@@ -3982,6 +4718,7 @@ function _renderDevices(devices) {
   list.innerHTML = rows.map(function(d) {
     var last = d.last_used_at ? new Date(d.last_used_at).toLocaleString() : 'Never used';
     var duplicate = _deviceDuplicateText(d);
+    var duplicateAction = _deviceDuplicateActionText(d);
     return '<div class="setup-device-row">'
       + '<div class="setup-device-main">'
       + '<label class="setup-device-label-editor"><span>Paired device label</span><input type="text" value="' + _escHtml(d.label || 'Phone') + '" autocomplete="off" data-device-label-input></label>'
@@ -3991,6 +4728,7 @@ function _renderDevices(devices) {
       + '<div class="setup-device-actions">'
       + '<span class="setup-device-status ' + _escHtml(_deviceStatusClass(d)) + '">' + _escHtml(_deviceStatusLabel(d)) + '</span>'
       + '<span class="setup-device-last">Last seen: ' + _escHtml(last) + '</span>'
+      + (duplicateAction ? '<button class="setup-btn setup-btn-secondary btn-xs" type="button" data-device-keep-duplicates="' + _escHtml(d.id) + '">' + _escHtml(duplicateAction) + '</button>' : '')
       + '<button class="setup-btn setup-btn-secondary btn-xs" type="button" data-device-save-label="' + _escHtml(d.id) + '">Save</button>'
       + '<button class="setup-btn setup-btn-danger btn-xs" type="button" data-device-remove="' + _escHtml(d.id) + '">Remove</button>'
       + '</div>'
@@ -4001,6 +4739,11 @@ function _renderDevices(devices) {
       removeDeviceConnection(btn.getAttribute('data-device-remove'));
     });
   });
+  list.querySelectorAll('[data-device-keep-duplicates]').forEach(function(btn) {
+    btn.addEventListener('click', function() {
+      revokeDuplicateDeviceConnections(btn.getAttribute('data-device-keep-duplicates'));
+    });
+  });
   list.querySelectorAll('[data-device-save-label]').forEach(function(btn) {
     btn.addEventListener('click', function() {
       var row = btn.closest('.setup-device-row');
@@ -4024,6 +4767,119 @@ function _renderDevices(devices) {
   });
 }
 
+function _pairingRequestDetailText(request) {
+  var details = [];
+  if (request && request.device_hint) details.push(request.device_hint);
+  if (request && request.origin) {
+    try { details.push(new URL(request.origin).host); }
+    catch { details.push(request.origin); }
+  }
+  if (request && request.expires_at) {
+    var remaining = Number(request.expires_at) - Date.now();
+    if (remaining > 0) details.push('expires in ' + Math.max(1, Math.ceil(remaining / 60000)) + ' min');
+  }
+  return details.join(' · ');
+}
+
+function _renderPairingRequests(requests) {
+  var list = document.getElementById('setup-pairing-requests');
+  if (!list) return;
+  var rows = Array.isArray(requests) ? requests.filter(function(request) {
+    return request && request.status === 'pending';
+  }) : [];
+  if (!rows.length) {
+    list.innerHTML = '';
+    return;
+  }
+  list.innerHTML = '<div class="setup-device-empty" style="margin-top:10px;color:var(--yellow);">Phone requests waiting for approval</div>'
+    + rows.map(function(request) {
+      return '<div class="setup-device-row setup-pairing-request-row" data-pairing-request-row="' + _escHtml(request.id) + '">'
+        + '<div class="setup-device-main">'
+        + '<strong>Approve phone code ' + _escHtml(request.code || '') + '</strong>'
+        + '<span class="setup-device-meta">' + _escHtml(request.label || 'Phone') + (request.scopes && request.scopes.length ? ' · requested ' + _escHtml(_scopeListText(request.scopes)) : '') + '</span>'
+        + '<span class="setup-device-meta">' + _escHtml(_pairingRequestDetailText(request)) + '</span>'
+        + '</div>'
+        + '<div class="setup-device-actions">'
+        + '<span class="setup-device-status recent">Waiting</span>'
+        + '<button class="setup-btn setup-btn-primary btn-xs" type="button" data-pairing-approve="' + _escHtml(request.id) + '">Approve</button>'
+        + '<button class="setup-btn setup-btn-secondary btn-xs" type="button" data-pairing-reject="' + _escHtml(request.id) + '">Reject</button>'
+        + '</div>'
+        + '</div>';
+    }).join('');
+  list.querySelectorAll('[data-pairing-approve]').forEach(function(btn) {
+    btn.addEventListener('click', function() {
+      approvePairingRequest(btn.getAttribute('data-pairing-approve'));
+    });
+  });
+  list.querySelectorAll('[data-pairing-reject]').forEach(function(btn) {
+    btn.addEventListener('click', function() {
+      rejectPairingRequest(btn.getAttribute('data-pairing-reject'));
+    });
+  });
+}
+
+function _schedulePairingRequestsPoll(delayMs) {
+  clearTimeout(_pairingRequestsPollTimer);
+  _pairingRequestsPollTimer = setTimeout(function() {
+    loadPairingRequests().catch(function() {});
+  }, Math.max(2000, Number(delayMs || 5000)));
+}
+
+async function loadPairingRequests() {
+  try {
+    var r = await fetch('/api/auth/pairing-requests');
+    var d = await r.json();
+    if (!r.ok || !d.ok) throw new Error(d.error || 'Pairing requests unavailable');
+    var requests = d.requests || [];
+    _renderPairingRequests(requests);
+    _schedulePairingRequestsPoll(requests.length ? 3000 : 5000);
+    return requests;
+  } catch (e) {
+    var list = document.getElementById('setup-pairing-requests');
+    if (list) list.innerHTML = '<div class="setup-device-empty" style="margin-top:10px;color:var(--red);">' + _escHtml(e.message || 'Pairing requests unavailable') + '</div>';
+    _schedulePairingRequestsPoll(8000);
+    return [];
+  }
+}
+
+async function approvePairingRequest(requestId) {
+  if (!requestId) return;
+  _setDeviceError('');
+  try {
+    await _persistDeviceLabel(_deviceLabelValue(), { immediate: true });
+    await _persistDeviceScopes(_selectedDeviceScopes(), { immediate: true });
+    var r = await fetch('/api/auth/pairing-requests/' + encodeURIComponent(requestId) + '/approve', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ label: _deviceLabelValue(), scopes: _selectedDeviceScopes() }),
+    });
+    var d = await r.json();
+    if (!r.ok || !d.ok) throw new Error(d.message || d.error || 'Pairing approval failed');
+    setupToast('Phone pairing approved');
+    await loadPairingRequests();
+  } catch (e) {
+    _setDeviceError(e.message || 'Pairing approval failed');
+  }
+}
+
+async function rejectPairingRequest(requestId) {
+  if (!requestId) return;
+  _setDeviceError('');
+  try {
+    var r = await fetch('/api/auth/pairing-requests/' + encodeURIComponent(requestId) + '/reject', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: '{}',
+    });
+    var d = await r.json();
+    if (!r.ok || !d.ok) throw new Error(d.message || d.error || 'Pairing rejection failed');
+    setupToast('Phone pairing rejected', 'warning');
+    await loadPairingRequests();
+  } catch (e) {
+    _setDeviceError(e.message || 'Pairing rejection failed');
+  }
+}
+
 async function removeDeviceConnection(deviceId) {
   if (!deviceId) return;
   if (typeof window.confirm === 'function' && !window.confirm('Remove this phone connection from CTM? It will need to pair again before it can control this Mac.')) return;
@@ -4042,6 +4898,26 @@ async function removeDeviceConnection(deviceId) {
 
 var revokeDevice = removeDeviceConnection;
 
+async function revokeDuplicateDeviceConnections(deviceId) {
+  if (!deviceId) return;
+  if (typeof window.confirm === 'function' && !window.confirm('Keep this phone pairing and revoke other active duplicate pairings for the same phone?')) return;
+  _setDeviceError('');
+  try {
+    var r = await fetch('/api/auth/device-duplicates/revoke', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ keep_device_id: deviceId }),
+    });
+    var d = await r.json();
+    if (!r.ok || !d.ok) throw new Error(d.message || d.error || 'Duplicate cleanup failed');
+    setupToast(d.revoked ? 'Duplicate phone pairings revoked' : 'No active duplicate pairings to revoke');
+    await loadDevices();
+    if (_lastRemoteStatus) await loadWalleRemoteStatus();
+  } catch (e) {
+    _setDeviceError(e.message || 'Duplicate cleanup failed');
+  }
+}
+
 async function saveDeviceLabel(deviceId, label) {
   var clean = String(label || '').trim().replace(/\s+/g, ' ') || 'Phone';
   _setDeviceError('');
@@ -4090,7 +4966,7 @@ async function createDeviceClaim(options) {
     || preferredOrigin
     || window.location.origin;
   if (_isWalleHostedMobileOrigin(origin)) {
-    var message = 'm.walle.sh is the Walle Remote app, not a direct CTM claim endpoint. Use Walle Remote pairing after hosted relay is connected, or select Cloudflare Access/Tailscale for direct phone access.';
+    var message = 'm.walle.sh is the Walle Remote app, not a direct CTM claim endpoint. Use Walle Remote pairing after hosted relay is connected, or select Microsoft tunnel/Tailscale for direct phone access.';
     _hideDeviceClaim();
     _setDeviceError(message);
     if (opts.throwOnError) throw new Error(message);
@@ -4098,6 +4974,7 @@ async function createDeviceClaim(options) {
   }
   try {
     await _persistDeviceLabel(label, { immediate: true });
+    await _persistDeviceScopes(_selectedDeviceScopes(), { immediate: true });
     var r = await fetch('/api/auth/device-claims', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
@@ -4308,6 +5185,129 @@ function _embedDimMsg(text) {
   return d;
 }
 
+function _embedPolicyLabel(policy) {
+  if (policy === 'local_only') return 'Local only';
+  if (policy === 'cloud_allowed') return 'Cloud allowed';
+  if (policy === 'off') return 'Off';
+  return 'Auto, local first';
+}
+
+function _embedPolicyHint(policy) {
+  if (policy === 'local_only') return 'Uses Ollama only. Memory text stays on this machine.';
+  if (policy === 'cloud_allowed') return 'Uses local first, then an existing cloud embedding key if local is unavailable.';
+  if (policy === 'off') return 'Disables semantic Memory Search. Keyword search still works.';
+  return 'Turns on local semantic search automatically and asks before using cloud embeddings.';
+}
+
+function _embedProviderLabel(model, providers) {
+  var found = (providers || []).filter(function(p) { return p.model === model; })[0];
+  return found ? found.label : model;
+}
+
+function _embedMakeButton(label, className, onClick) {
+  var btn = document.createElement('button');
+  btn.className = className || 'setup-btn setup-btn-secondary btn-xs';
+  btn.textContent = label;
+  btn.onclick = onClick;
+  return btn;
+}
+
+function _embedAddBenefitDetails(parent, totalMemories) {
+  var details = document.createElement('details');
+  details.className = 'embed-learn-more';
+  var summary = document.createElement('summary');
+  summary.textContent = 'Learn about benefits and ROI';
+  details.appendChild(summary);
+
+  var list = document.createElement('ul');
+  [
+    'Finds memories by meaning, so Wall-E can recover context even when your wording changed.',
+    'Reduces repeated explanations because older sessions, notes, and work facts become easier to retrieve.',
+    'Local embeddings are private and free. Cloud embeddings require opt-in because memory text is sent to the provider.',
+    totalMemories > 0
+      ? 'Current corpus: about ' + totalMemories.toLocaleString() + ' searchable memory items once backfill completes.'
+      : 'It starts helping as soon as Wall-E has memories to index.',
+  ].forEach(function(text) {
+    var li = document.createElement('li');
+    li.textContent = text;
+    list.appendChild(li);
+  });
+  details.appendChild(list);
+  parent.appendChild(details);
+}
+
+function renderEmbeddingAutoPanel(data, providers) {
+  var setupState = data.setup || {};
+  var panel = document.createElement('div');
+  panel.className = 'embed-auto-panel embed-auto-' + (setupState.status || 'unknown');
+
+  var top = document.createElement('div');
+  top.className = 'embed-auto-top';
+
+  var title = document.createElement('div');
+  title.className = 'embed-auto-title';
+  title.textContent = setupState.status === 'off'
+    ? 'Memory Search is off'
+    : (setupState.activeLabel ? 'Memory Search is on' : 'Memory Search is ready to automate');
+  top.appendChild(title);
+
+  var policy = document.createElement('span');
+  policy.className = 'badge badge-ready';
+  policy.textContent = _embedPolicyLabel(setupState.policy);
+  policy.title = _embedPolicyHint(setupState.policy);
+  top.appendChild(policy);
+  panel.appendChild(top);
+
+  var body = document.createElement('div');
+  body.className = 'embed-auto-body';
+  body.textContent = setupState.message || 'Semantic search indexes memory in the background.';
+  panel.appendChild(body);
+
+  if (setupState.status === 'cloud_opt_in_available') {
+    var warning = document.createElement('div');
+    warning.className = 'embed-optin-warning';
+    warning.textContent = 'Cloud opt-in sends memory text and search queries to the selected embedding provider. Use this when recall quality matters more than local-only processing.';
+    panel.appendChild(warning);
+  }
+
+  _embedAddBenefitDetails(panel, data.totalMemories || 0);
+
+  var actions = document.createElement('div');
+  actions.className = 'embed-policy-actions';
+
+  if (setupState.status === 'off') {
+    actions.appendChild(_embedMakeButton('Turn on auto', 'setup-btn setup-btn-primary btn-xs', function() {
+      setEmbeddingPolicy('local_first');
+    }));
+  } else if (setupState.cloudOptInAvailable) {
+    var cloudLabel = setupState.cloudAvailableModel
+      ? 'Allow cloud Memory Search (' + _embedProviderLabel(setupState.cloudAvailableModel, providers) + ')'
+      : 'Allow cloud Memory Search';
+    actions.appendChild(_embedMakeButton(cloudLabel, 'setup-btn setup-btn-primary btn-xs', function() {
+      setEmbeddingPolicy('cloud_allowed');
+    }));
+    actions.appendChild(_embedMakeButton('Stay local only', 'setup-btn setup-btn-secondary btn-xs', function() {
+      setEmbeddingPolicy('local_only');
+    }));
+  } else {
+    actions.appendChild(_embedMakeButton('Auto local first', 'setup-btn setup-btn-secondary btn-xs' + (setupState.policy === 'local_first' ? ' active' : ''), function() {
+      setEmbeddingPolicy('local_first');
+    }));
+    actions.appendChild(_embedMakeButton('Local only', 'setup-btn setup-btn-secondary btn-xs' + (setupState.policy === 'local_only' ? ' active' : ''), function() {
+      setEmbeddingPolicy('local_only');
+    }));
+    actions.appendChild(_embedMakeButton('Cloud allowed', 'setup-btn setup-btn-secondary btn-xs' + (setupState.policy === 'cloud_allowed' ? ' active' : ''), function() {
+      setEmbeddingPolicy('cloud_allowed');
+    }));
+    actions.appendChild(_embedMakeButton('Off', 'setup-btn setup-btn-secondary btn-xs' + (setupState.policy === 'off' ? ' active' : ''), function() {
+      setEmbeddingPolicy('off');
+    }));
+  }
+
+  panel.appendChild(actions);
+  return panel;
+}
+
 async function loadEmbeddings() {
   var container = document.getElementById('setup-embed-providers');
   var statsEl = document.getElementById('setup-embed-stats');
@@ -4318,7 +5318,13 @@ async function loadEmbeddings() {
     var r = await fetch('/api/setup/embeddings');
     var d = await r.json();
     if (!d.providers || d.providers.length === 0) {
-      container.replaceChildren(_embedDimMsg('No embedding providers available.'));
+      var emptyFrag = document.createDocumentFragment();
+      emptyFrag.appendChild(renderEmbeddingAutoPanel(d, []));
+      emptyFrag.appendChild(_embedDimMsg('No embedding providers available.'));
+      container.replaceChildren(emptyFrag);
+      if (dotEl) dotEl.className = 'status-dot missing';
+      if (statsEl) statsEl.textContent = 'No embedding provider active';
+      if (nudgeEl) nudgeEl.style.display = 'none';
       return;
     }
 
@@ -4332,6 +5338,7 @@ async function loadEmbeddings() {
 
     _embedProvidersCache = sorted;
     var frag = document.createDocumentFragment();
+    frag.appendChild(renderEmbeddingAutoPanel(d, sorted));
     var hasActive = false, hasGeminiKey = false, activeUnreachable = false;
 
     for (var i = 0; i < sorted.length; i++) {
@@ -4469,8 +5476,12 @@ async function loadEmbeddings() {
 
 async function switchEmbedding(model, label) {
   var currentActive = _embedProvidersCache && _embedProvidersCache.find(function(p) { return p.isActive; });
+  var nextProvider = _embedProvidersCache && _embedProvidersCache.find(function(p) { return p.model === model; });
   var hasOldEmbeddings = currentActive && currentActive.embeddingCount > 0;
   var msg = 'Switch to ' + label + '?\n\nThis will start embedding all memories with the new provider.';
+  if (nextProvider && nextProvider.provider !== 'ollama') {
+    msg += '\n\nPrivacy note: this sends memory text and future search queries to ' + label + ' for embeddings. Use Auto local-first or Local only if you want local processing.';
+  }
   if (hasOldEmbeddings) {
     msg += '\n\nOld ' + currentActive.label + ' embeddings (' + currentActive.embeddingCount.toLocaleString() + ') are preserved \u2014 you can delete them from this page to save space.';
   }
@@ -4490,6 +5501,26 @@ async function switchEmbedding(model, label) {
   } catch (e) { setupToast(e.message, 'error'); }
 }
 
+async function setEmbeddingPolicy(policy) {
+  if (policy === 'cloud_allowed') {
+    var ok = confirm('Allow cloud Memory Search?\n\nThis can improve recall when local embeddings are unavailable, but memory text and search queries will be sent to the selected cloud embedding provider. You can switch back to Local only at any time.');
+    if (!ok) return;
+  }
+  try {
+    var r = await fetch('/api/setup/embeddings/policy', {
+      method: 'POST', headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ policy: policy }),
+    });
+    var d = await r.json();
+    if (d.ok) {
+      setupToast('Memory Search: ' + _embedPolicyLabel(d.policy || policy));
+      setTimeout(loadEmbeddings, 800);
+    } else {
+      setupToast(d.message || 'Policy update failed', 'error');
+    }
+  } catch (e) { setupToast(e.message, 'error'); }
+}
+
 async function deleteEmbedding(model, label, count) {
   if (!confirm('Delete ' + count.toLocaleString() + ' embeddings from ' + label + '?\n\nThis frees disk space but cannot be undone.')) return;
   try {
@@ -4756,15 +5787,155 @@ async function restoreExpandedPcard() {
   } catch (_) { /* leave all collapsed */ }
 }
 
+function _storageField(id) {
+  var el = document.getElementById(id);
+  return el ? String(el.value || '').trim() : '';
+}
+
+function _setStorageStatus(message, kind) {
+  var status = document.getElementById('setup-storage-status');
+  if (!status) return;
+  status.textContent = message || '';
+  status.className = 'setup-storage-status' + (kind ? ' ' + kind : '');
+}
+
+function _storagePayload() {
+  var move = document.getElementById('setup-storage-move-backups');
+  return {
+    services: {
+      ctm: {
+        data_dir: _storageField('setup-storage-ctm-data-dir'),
+        backup_dir: _storageField('setup-storage-ctm-backup-dir'),
+        move_backups: !move || move.checked,
+      },
+      walle: {
+        data_dir: _storageField('setup-storage-walle-data-dir'),
+        backup_dir: _storageField('setup-storage-walle-backup-dir'),
+        move_backups: !move || move.checked,
+      },
+    },
+  };
+}
+
+function _renderStoragePlan(plan) {
+  var box = document.getElementById('setup-storage-plan');
+  var applyBtn = document.getElementById('setup-storage-apply-btn');
+  if (!box) return;
+  if (!plan) {
+    box.style.display = 'none';
+    box.textContent = '';
+    if (applyBtn) applyBtn.disabled = true;
+    return;
+  }
+  var changes = [];
+  ['ctm', 'walle'].forEach(function(name) {
+    var svc = plan.services && plan.services[name];
+    if (!svc) return;
+    if (svc.data_dir_changed) changes.push(svc.label + ' live DB: ' + svc.current_data_dir + ' -> ' + svc.target_data_dir);
+    if (svc.backup_dir_changed) changes.push(svc.label + ' backups: ' + svc.current_backup_dir + ' -> ' + svc.target_backup_dir);
+  });
+  var warnings = Array.isArray(plan.warnings) ? plan.warnings : [];
+  box.style.display = 'block';
+  box.innerHTML = ''
+    + '<h3>' + (changes.length ? 'Migration Preview' : 'No storage changes detected') + '</h3>'
+    + (changes.length ? '<ul>' + changes.map(function(line) { return '<li>' + _escHtml(line) + '</li>'; }).join('') + '</ul>' : '<div class="setup-backup-folder-status">The configured live and backup paths already match the requested values.</div>')
+    + (warnings.length ? '<div class="setup-backup-folder-status">Warnings</div><ul>' + warnings.map(function(w) { return '<li>' + _escHtml(w.message || String(w)) + '</li>'; }).join('') + '</ul>' : '')
+    + (plan.steps && plan.steps.length ? '<div class="setup-backup-folder-status">Steps: ' + _escHtml(plan.steps.join(' -> ')) + '</div>' : '');
+  if (applyBtn) applyBtn.disabled = changes.length === 0;
+}
+
+async function saveBackupDir() {
+  var status = document.getElementById('setup-storage-status');
+  if (status) status.textContent = 'Saving backup folders...';
+  try {
+    var move = document.getElementById('setup-storage-move-backups');
+    var r = await fetch('/api/storage/backup-dirs', {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        ctm_backup_dir: _storageField('setup-storage-ctm-backup-dir'),
+        walle_backup_dir: _storageField('setup-storage-walle-backup-dir'),
+        move_existing: !move || move.checked,
+      }),
+    });
+    var d = await r.json().catch(function() { return {}; });
+    if (!r.ok || d.error || d.ok === false) {
+      var details = d.errors && d.errors.length ? ': ' + d.errors.map(function(e) { return e.service + ' ' + e.error; }).join('; ') : '';
+      throw new Error((d.error || 'Failed to save backup folders') + details);
+    }
+    _setStorageStatus('Backup folders saved. Existing backup snapshots were ' + (!move || move.checked ? 'moved when needed.' : 'left in place.'), 'ok');
+    _renderStoragePlan(null);
+    setupToast('Backup folders saved');
+    if (typeof window.loadBackupsData === 'function') window.loadBackupsData();
+  } catch (e) {
+    _setStorageStatus(e.message || String(e), 'error');
+  }
+}
+
+async function resetBackupDir() {
+  ['setup-storage-ctm-backup-dir', 'setup-storage-walle-backup-dir'].forEach(function(id) {
+    var input = document.getElementById(id);
+    if (input) input.value = '';
+  });
+  return saveBackupDir();
+}
+
+async function previewStorageMigration() {
+  _setStorageStatus('Building storage migration preview...');
+  try {
+    var r = await fetch('/api/storage/migration/preview', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(_storagePayload()),
+    });
+    var d = await r.json().catch(function() { return {}; });
+    if (!r.ok || d.error) throw new Error(d.error || 'Failed to preview storage migration');
+    _renderStoragePlan(d.plan);
+    _setStorageStatus(d.plan && d.plan.requires_restart
+      ? 'Live database changes require a supervised maintenance window.'
+      : 'Backup-only changes can be applied without restarting services.', 'ok');
+  } catch (e) {
+    _renderStoragePlan(null);
+    _setStorageStatus(e.message || String(e), 'error');
+  }
+}
+
+async function applyStorageMigration() {
+  if (!window.confirm('Apply the storage change now? CTM will stop services, copy and verify the database files, update configuration, then restart CTM and Wall-E.')) return;
+  _setStorageStatus('Starting supervised storage migration...');
+  try {
+    var payload = _storagePayload();
+    payload.confirm = true;
+    var r = await fetch('/api/storage/migration/apply', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    });
+    var d = await r.json().catch(function() { return {}; });
+    if (!r.ok || d.error || d.ok === false) throw new Error(d.error || 'Failed to start storage migration');
+    _renderStoragePlan(d.plan);
+    _setStorageStatus(d.migration
+      ? 'Migration started. CTM may briefly disconnect while the supervisor restarts services.'
+      : 'Storage changes applied.', 'ok');
+    if (typeof window.loadBackupsData === 'function') window.loadBackupsData();
+  } catch (e) {
+    _setStorageStatus(e.message || String(e), 'error');
+  }
+}
+
 // ── Public API ──────────────────────────────────────────────────────
 SETUP.init = function() {
   _setSetupActiveTab(_initialSetupTab());
   initSetupTabs();
   initProviderPicker();
+  // Reflect the saved Dev Tunnels sign-in account choice before network data loads.
+  _renderMicrosoftLoginProvider();
   initProviderModelPreferenceTracking();
   initPcardAccordion();
+  initConnectedServicesLifecycle();
   initCloudflareFieldHelpers();
   initDeviceScopeControls();
+  initDeviceScopeLifecycle();
   initDeviceLabelLifecycle();
   initSetupTempMemoryCapture();
   // Inject the brand-mark SVG for each provider card (anthropic / openai /
@@ -4776,6 +5947,7 @@ SETUP.init = function() {
   // string if that helper hasn't been loaded yet for any reason.
   populateBrandIconsForPcards();
   var deviceLabelPromise = loadDeviceLabelSetting();
+  var deviceScopePromise = loadDeviceScopeSetting();
   var statusPromise = loadStatus();
   // Load card states first (sets toggles + auth radios), THEN decide which
   // single card to expand. restoreExpandedPcard reads /api/settings + falls
@@ -4786,10 +5958,12 @@ SETUP.init = function() {
   var embeddingsPromise = loadEmbeddings();
   var hooksPromise = loadStatusHooks();
   var networkPromise = loadNetworkSettings();
+  loadConnectionHealth();
+  _scheduleConnectionHealthPoll();
   var devicesPromise = loadDevices();
+  var pairingRequestsPromise = loadPairingRequests();
   var healthPromise = loadHealthDashboard();
   _scheduleHealthPoll();
-  var tiersPromise = loadTaskTiers();
   _restoreSetupTempStateSoon();
   Promise.allSettled([
     statusPromise,
@@ -4799,10 +5973,11 @@ SETUP.init = function() {
     embeddingsPromise,
     hooksPromise,
     deviceLabelPromise,
+    deviceScopePromise,
     networkPromise,
     devicesPromise,
+    pairingRequestsPromise,
     healthPromise,
-    tiersPromise,
   ]).then(function() {
     if (_setupTempMemory && _setupTempMemory.pendingRestore) restoreSetupTempState({ final: true });
   });
@@ -4854,110 +6029,6 @@ async function saveStatusHooks() {
   }
 }
 
-// ── Task Tier Overrides (3c) ─────────────────────────────────────────
-// One row per Wall-E task type. Each row has provider+model dropdowns
-// that write through to /api/setup/task-default on change. The provider
-// dropdown is filtered to currently-enabled providers; the model
-// dropdown to that provider's registered models. "— Default —" clears.
-
-var TASK_TIER_TYPES = [
-  { id: 'chat', label: 'Chat', hint: 'Wall-E chat tab + general' },
-  { id: 'think', label: 'Think', hint: 'initiative + reflect loops' },
-  { id: 'coding', label: 'Coding', hint: 'coding orchestrator' },
-  { id: 'coding-review', label: 'Coding Review', hint: 'cross-provider critic' },
-  { id: 'extract', label: 'Extract', hint: 'memory extraction' },
-  { id: 'embeddings', label: 'Embeddings', hint: 'vector search' },
-];
-
-async function loadTaskTiers() {
-  var rows = document.getElementById('setup-tier-rows');
-  if (!rows) return;
-  try {
-    var [defR, modR] = await Promise.all([
-      fetch('/api/setup/task-default').then(function(r) { return r.json(); }),
-      fetch('/api/setup/all-models').then(function(r) { return r.json(); }),
-    ]);
-    var defaults = (defR && Array.isArray(defR.defaults)) ? defR.defaults : [];
-    var defaultsByTask = {};
-    for (var d of defaults) defaultsByTask[d.task_type] = d;
-    var allModels = (modR && Array.isArray(modR.models)) ? modR.models : [];
-
-    if (allModels.length === 0) {
-      var empty = '<div style="color:var(--fg-dim);padding:6px 0;font-size:12px;">No models registered yet. Save a provider above first — its model will appear here.</div>';
-      rows.innerHTML = window.DOMPurify ? DOMPurify.sanitize(empty) : empty;
-      return;
-    }
-
-    // Group models by provider for the 2-level picker
-    var providersInUse = {};
-    for (var m of allModels) {
-      if (!providersInUse[m.provider_type]) providersInUse[m.provider_type] = { name: m.provider_name, models: [] };
-      providersInUse[m.provider_type].models.push(m);
-    }
-
-    var html = '';
-    for (var t of TASK_TIER_TYPES) {
-      var current = defaultsByTask[t.id];
-      var currentProvider = current && current.provider_type ? current.provider_type : '';
-      var currentModelId = current && current.model_registry_id ? current.model_registry_id : '';
-      var providerOpts = '<option value="">— Default —</option>';
-      for (var pt in providersInUse) providerOpts += '<option value="' + _escHtml(pt) + '"' + (pt === currentProvider ? ' selected' : '') + '>' + _escHtml(providersInUse[pt].name) + '</option>';
-      var modelOpts = '<option value="">— Default —</option>';
-      var modelsForProvider = currentProvider ? providersInUse[currentProvider]?.models || [] : [];
-      for (var m of modelsForProvider) modelOpts += '<option value="' + _escHtml(m.id) + '"' + (m.id === currentModelId ? ' selected' : '') + '>' + _escHtml(m.display_name) + '</option>';
-      html += '<div class="tier-row" style="display:grid;grid-template-columns:160px 1fr 1fr;align-items:center;gap:10px;padding:6px 0;border-bottom:1px solid var(--border);">'
-        + '<div><div style="font-size:13px;font-weight:500;">' + _escHtml(t.label) + '</div>'
-        + '<div style="font-size:11px;color:var(--fg-dim);">' + _escHtml(t.hint) + '</div></div>'
-        + '<div class="select-wrap"><select data-tier-provider="' + _escHtml(t.id) + '">' + providerOpts + '</select></div>'
-        + '<div class="select-wrap"><select data-tier-model="' + _escHtml(t.id) + '" ' + (currentProvider ? '' : 'disabled') + '>' + modelOpts + '</select></div>'
-        + '</div>';
-    }
-    rows.innerHTML = window.DOMPurify ? DOMPurify.sanitize(html, { ADD_ATTR: ['data-tier-provider', 'data-tier-model'] }) : html;
-
-    // Wire provider-change → repopulate models for that row
-    rows.querySelectorAll('select[data-tier-provider]').forEach(function(provSel) {
-      provSel.addEventListener('change', function() {
-        var taskType = provSel.getAttribute('data-tier-provider');
-        var modelSel = rows.querySelector('select[data-tier-model="' + CSS.escape(taskType) + '"]');
-        if (!modelSel) return;
-        var providerType = provSel.value;
-        var modelOpts2 = '<option value="">— Default —</option>';
-        if (providerType && providersInUse[providerType]) {
-          for (var mm of providersInUse[providerType].models) modelOpts2 += '<option value="' + _escHtml(mm.id) + '">' + _escHtml(mm.display_name) + '</option>';
-          modelSel.disabled = false;
-        } else {
-          modelSel.disabled = true;
-        }
-        modelSel.innerHTML = window.DOMPurify ? DOMPurify.sanitize(modelOpts2) : modelOpts2;
-        // Clearing provider clears the override
-        if (!providerType) saveTierDefault(taskType, null);
-      });
-    });
-    // Wire model-change → save default
-    rows.querySelectorAll('select[data-tier-model]').forEach(function(modelSel) {
-      modelSel.addEventListener('change', function() {
-        var taskType = modelSel.getAttribute('data-tier-model');
-        saveTierDefault(taskType, modelSel.value || null);
-      });
-    });
-  } catch (e) {
-    var err = '<div style="color:var(--red);padding:6px 0;font-size:12px;">Failed to load task tiers: ' + _escHtml(e.message) + '</div>';
-    rows.innerHTML = window.DOMPurify ? DOMPurify.sanitize(err) : err;
-  }
-}
-
-async function saveTierDefault(taskType, modelRegistryId) {
-  try {
-    var r = await fetch('/api/setup/task-default', {
-      method: 'POST', headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ task_type: taskType, model_registry_id: modelRegistryId }),
-    });
-    var d = await r.json();
-    if (d.ok) setupToast(taskType + ': ' + (modelRegistryId ? 'override set' : 'cleared'));
-    else setupToast(d.error || 'Failed', 'error');
-  } catch (e) { setupToast(e.message, 'error'); }
-}
-
 // ── Provider card state restore (3b) ──────────────────────────────────
 // Pulls /api/setup/providers and reflects toggle / star / auth_method / model
 // onto the new pcard UI. Runs after loadStatus so that loadStatus can no-op
@@ -5015,6 +6086,11 @@ async function loadProviderCardStates() {
 
 var _healthPollTimer = null;
 var _healthRunningTests = new Set();
+// Live connection-health (Access page): poll /api/setup/connection-health, drive badges +
+// Reconnect banner + transition notifications + auto-recovery.
+var _connectionHealthTimer = null;
+var _healthByMethod = {};
+var _lastConnectionHealth = null;
 
 function _healthDotColor(p) {
   if (!p.enabled) return 'var(--fg-dim)';
@@ -5235,8 +6311,12 @@ SETUP.cleanup = function() {
   _setupMemoryCaptureTimer = null;
   clearTimeout(_embedRefreshTimer);
   _embedRefreshTimer = null;
+  clearTimeout(_connectedServicesRefreshTimer);
+  _connectedServicesRefreshTimer = null;
   clearTimeout(_healthPollTimer);
   _healthPollTimer = null;
+  clearTimeout(_pairingRequestsPollTimer);
+  _pairingRequestsPollTimer = null;
 };
 
 // Expose functions called from onclick attributes in HTML
@@ -5256,17 +6336,31 @@ SETUP.reauthGoogleAccount = reauthGoogleAccount;
 SETUP.testMcpConnection = testMcpConnection;
 SETUP.fixMcpConfigs = fixMcpConfigs;
 SETUP.saveDataDirs = saveDataDirs;
+SETUP.saveBackupDir = saveBackupDir;
+SETUP.resetBackupDir = resetBackupDir;
+SETUP.previewStorageMigration = previewStorageMigration;
+SETUP.applyStorageMigration = applyStorageMigration;
+SETUP.showTab = _setSetupActiveTab;
 SETUP.loadNetworkSettings = loadNetworkSettings;
 SETUP.saveNetworkSettings = saveNetworkSettings;
 SETUP.selectPhoneAccessMethod = selectPhoneAccessMethod;
+SETUP.triggerReconnect = triggerReconnect;
+SETUP.loadConnectionHealth = loadConnectionHealth;
 SETUP.setupMicrosoftTunnel = setupMicrosoftTunnel;
 SETUP.startMicrosoftTunnel = startMicrosoftTunnel;
 SETUP.stopMicrosoftTunnel = stopMicrosoftTunnel;
+SETUP.setMicrosoftTunnelAccessMode = setMicrosoftTunnelAccessMode;
 SETUP.startMicrosoftTunnelLogin = startMicrosoftTunnelLogin;
+SETUP.switchMicrosoftTunnelLogin = switchMicrosoftTunnelLogin;
+SETUP.setMicrosoftLoginProvider = setMicrosoftLoginProvider;
+SETUP.tryOtherMicrosoftLoginProvider = tryOtherMicrosoftLoginProvider;
 SETUP.toggleMicrosoftKeepAwake = toggleMicrosoftKeepAwake;
 SETUP.recoverMicrosoftTunnel = recoverMicrosoftTunnel;
+SETUP.resetMicrosoftTunnelPrivateAccess = resetMicrosoftTunnelPrivateAccess;
 SETUP.probeMicrosoftTunnel = probeMicrosoftTunnel;
 SETUP.copyMicrosoftLoginCode = copyMicrosoftLoginCode;
+SETUP.checkMicrosoftTunnelLogin = checkMicrosoftTunnelLogin;
+SETUP.regenerateMicrosoftLoginCode = regenerateMicrosoftLoginCode;
 SETUP.clearMicrosoftTunnelTraffic = clearMicrosoftTunnelTraffic;
 SETUP.applyCloudflareSetup = applyCloudflareSetup;
 SETUP.applyTailscaleSetup = applyTailscaleSetup;
@@ -5275,6 +6369,9 @@ SETUP.cfCopyInstall = cfCopyInstall;
 SETUP.cfCopyLogin = cfCopyLogin;
 SETUP.cfReconfigure = cfReconfigure;
 SETUP.loadDevices = loadDevices;
+SETUP.loadPairingRequests = loadPairingRequests;
+SETUP.approvePairingRequest = approvePairingRequest;
+SETUP.rejectPairingRequest = rejectPairingRequest;
 SETUP.removeDeviceConnection = removeDeviceConnection;
 SETUP.revokeDevice = revokeDevice;
 SETUP.createDeviceClaim = createDeviceClaim;
@@ -5288,7 +6385,7 @@ SETUP.saveStatusHooks = saveStatusHooks;
 
 window.SETUP = SETUP;
 if (document.getElementById('setup-panel')?.classList.contains('active')
-  || /^#(?:setup(?:&|$)|setup-access$|setup-devices$|devices$)/.test(window.location.hash || '')) {
+  || /^#(?:setup(?:&|$)|setup-access$|setup-devices$|devices$|backups$)/.test(window.location.hash || '')) {
   requestAnimationFrame(function() {
     if (window.SETUP === SETUP) SETUP.init();
   });