create-walle 0.9.22 → 0.9.23

package/template/claude-task-manager/api-prompts.js

@@ -5,28 +5,91 @@ const os = require('os');
 const db = require('./db');
 const queueEngine = require('./queue-engine');
 const harvest = require('./prompt-harvest');
-const permissionSync = require('./lib/permission-sync');
+const approvalAgent = require('./approval-agent');
+const escalationReview = require('./lib/escalation-review');
+// permission-sync (Claude/Codex settings mirroring) intentionally removed —
+// CTM permissions are a standalone global config in the CTM DB.
 const walleClient = require('./lib/walle-client');
 const claudeDesktopSessions = require('./lib/claude-desktop-sessions');
 const skillAutocomplete = require('./lib/skill-autocomplete');
+const skillIntentResolver = require('./lib/skill-intent-resolver');
 const resourceLinks = require('./lib/resource-links');
+const storageMigration = require('./lib/storage-migration');
+const { runSync } = require('./lib/perf-tracker');
 const {
   ingestJsonlFile,
   normalizeProvider: normalizeTranscriptProvider,
   sourceIdFromPath: transcriptSourceIdFromPath,
 } = require('./lib/transcript-store');
+const { queryPromptExecutions } = require('./lib/prompt-executions-query');
+const { claudeFileSessionId, _usageMetadata } = require('./lib/jsonl-conversation-parser');
+const structuredCapture = require('./lib/structured-capture');
 // AI search uses direct HTTP calls to Claude API (supports Portkey proxy)
 
 let dbMaintenanceRunner = null;
+let imageSaveRunner = null;
 const MOBILE_ATTACHMENT_MAX_BYTES = 10 * 1024 * 1024;
 const TRANSCRIPT_IMPORT_MAX_BYTES = Math.max(1024 * 1024, Number(process.env.CTM_TRANSCRIPT_IMPORT_MAX_BYTES || 10 * 1024 * 1024));
 const TRANSCRIPT_IMPORT_LARGE_FILE_BYTES = Math.max(1024 * 1024, Number(process.env.CTM_TRANSCRIPT_IMPORT_LARGE_FILE_BYTES || 64 * 1024 * 1024));
 const CONVERSATION_IMPORT_RETRY_AFTER_MS = 30 * 1000;
+const BACKGROUND_TRANSCRIPT_IMPORT_DEFAULT_BYTES = 2 * 1024 * 1024;
 
 function setDbMaintenanceRunner(fn) {
   dbMaintenanceRunner = typeof fn === 'function' ? fn : null;
 }
 
+function setImageSaveRunner(fn) {
+  imageSaveRunner = typeof fn === 'function' ? fn : null;
+}
+
+// deferRow=true returns as soon as the file is on disk (id:null), firing the
+// images-table INSERT in the background — used by the terminal paste hot path,
+// which forwards the file path/token to the provider and never needs the row id.
+// Callers that need the real id (feedback attachments, prompt-editor annotation)
+// leave deferRow falsy and get the awaited row.
+async function saveImageViaOwner(promptId, buffer, filename, mimeType, deferRow = false) {
+  if (imageSaveRunner) {
+    return await imageSaveRunner({ promptId, buffer, filename, mimeType, deferRow });
+  }
+  return await db.saveImageDecoupled(promptId, buffer, filename, mimeType, { deferRow });
+}
+
+// Measurement scaffolding for "image paste sometimes takes a long time". Logs one
+// `[img-upload]` line per save (→ ctm.log) and returns the result with the internal
+// `_timing` stripped so it isn't sent to the client. `roundTripMs` is the full
+// saveImageViaOwner/saveImageFromFile call; `queueMs` ≈ roundTrip minus the
+// worker-side hash/write/insert (i.e. db-owner queue wait + IPC/structured-clone of
+// the buffer). writeMs/copyMs is the suspected Dropbox file-provider cost.
+function _logImageTiming(label, meta, result) {
+  try {
+    const t = (result && result._timing) || {};
+    const workMs = (t.hashMs || 0) + (t.writeMs || 0) + (t.copyMs || 0) + (t.insertMs || 0);
+    const rt = meta.roundTripMs;
+    const queueMs = rt != null ? Math.max(0, Math.round(rt - workMs)) : null;
+    const bytes = meta.bytes != null ? meta.bytes : (t.bytes != null ? t.bytes : '?');
+    const writePart = ('writeMs' in t)
+      ? `writeMs=${t.writeMs}${t.wrote === false ? '(dedup)' : ''}`
+      : ('copyMs' in t ? `copyMs=${t.copyMs}` : 'writeMs=-');
+    // `path` (caller source, e.g. terminal/prompt/mobile) + `defer` (was the row INSERT
+    // deferred = the terminal fast path) disambiguate which upload route a slow line came
+    // from. defer=1 with insertMs=0 + tiny roundTrip is the terminal paste fast path;
+    // a slow line with defer=0 is a route that intentionally awaits the row (prompt
+    // editor / mobile / feedback).
+    const deferMark = (meta.defer != null) ? (meta.defer ? 1 : 0) : (t.deferred ? 1 : null);
+    console.log(
+      `[img-upload] ${label} bytes=${bytes}`
+      + (meta.source ? ` path=${meta.source}` : '')
+      + (deferMark != null ? ` defer=${deferMark}` : '')
+      + (meta.readMs != null ? ` readMs=${Math.round(meta.readMs)}` : '')
+      + (rt != null ? ` roundTripMs=${Math.round(rt)}` : '')
+      + (queueMs != null ? ` queueMs=${queueMs}` : '')
+      + ` hashMs=${t.hashMs != null ? t.hashMs : '-'} ${writePart} insertMs=${t.insertMs != null ? t.insertMs : '-'}`
+    );
+  } catch { /* never let logging break an upload */ }
+  if (result && result._timing) { const r = { ...result }; delete r._timing; return r; }
+  return result;
+}
+
 // Embed a prompt (async, fire-and-forget)
 async function _embedPrompt(promptId, title, content) {
   try {
@@ -142,6 +205,7 @@ function handlePromptApi(req, res, url) {
 
   // --- Images ---
   if (p === '/api/images/upload' && m === 'POST') return handleUploadImage(req, res, url);
+  if (p === '/api/images/ingest-path' && m === 'POST') return handleIngestImagePath(req, res);
   if (p === '/api/mobile/attachments/upload' && m === 'POST') return handleUploadMobileAttachment(req, res, url);
   if (p === '/api/session/image-refs' && m === 'POST') return handleSessionImageRefs(req, res);
   if (p.match(/^\/api\/images\/\d+$/) && m === 'GET') return handleGetImage(req, res, url);
@@ -195,6 +259,10 @@ function handlePromptApi(req, res, url) {
   if (p === '/api/backups' && m === 'POST') return handleCreateBackup(req, res);
   if (p === '/api/backups/restore' && m === 'POST') return handleRestoreBackup(req, res);
   if (p.match(/^\/api\/backups\/[^/]+$/) && m === 'DELETE') return handleDeleteBackup(req, res, url);
+  if (p === '/api/storage/locations' && m === 'GET') return handleGetStorageLocations(req, res);
+  if (p === '/api/storage/backup-dirs' && m === 'PUT') return handlePutBackupDirs(req, res);
+  if (p === '/api/storage/migration/preview' && m === 'POST') return handlePreviewStorageMigration(req, res);
+  if (p === '/api/storage/migration/apply' && m === 'POST') return handleApplyStorageMigration(req, res);
 
   // --- Tool Permissions (Claude Code native) ---
   if (p === '/api/tool-permissions/scan' && m === 'POST') return handleScanToolUsage(req, res);
@@ -229,6 +297,10 @@ function handlePromptApi(req, res, url) {
     return handleResolveApprovalDecision(req, res, parseInt(p.split('/')[3]));
   }
 
+  // --- Escalation review (grouped "Needs Review" surface in the Permission page) ---
+  if (p === '/api/approval-escalations' && m === 'GET') return handleListEscalations(req, res);
+  if (p === '/api/approval-escalations/resolve' && m === 'POST') return handleResolveEscalations(req, res);
+
   // --- Dangerous-command blocklist (opt-in safety net) ---
   if (p === '/api/approval/blocklist' && m === 'GET') return handleGetBlocklist(req, res);
   if (p === '/api/approval/blocklist' && m === 'POST') return handleSetBlocklistEnabled(req, res);
@@ -248,7 +320,7 @@ function handlePromptApi(req, res, url) {
   if (draftMatch && m === 'PUT') return handleSaveQueueDraft(req, res, draftMatch[1]);
   if (draftMatch && m === 'DELETE') return handleDeleteQueueDraft(req, res, draftMatch[1]);
   const queueMatch = p.match(/^\/api\/queues\/([^/]+)$/);
-  const queueActionMatch = p.match(/^\/api\/queues\/([^/]+)\/(start|pause|resume|next|skip|stop|mode)$/);
+  const queueActionMatch = p.match(/^\/api\/queues\/([^/]+)\/(start|pause|resume|next|skip|stop|mode|remove|reorder)$/);
   if (queueMatch && !queueActionMatch && m === 'GET') return handleGetQueue(req, res, queueMatch[1]);
   if (queueMatch && !queueActionMatch && m === 'DELETE') return handleDeleteQueue(req, res, queueMatch[1]);
   if (queueActionMatch && m === 'POST') return handleQueueAction(req, res, queueActionMatch[1], queueActionMatch[2]);
@@ -266,6 +338,7 @@ function handlePromptApi(req, res, url) {
   if (p === '/api/copilot/chat' && m === 'POST') return handleCopilotChat(req, res);
   if (p === '/api/prompt-quality' && m === 'GET') return handlePromptQuality(req, res, url);
   if (p === '/api/prompt-executions' && m === 'GET') return handleListExecutions(req, res, url);
+  if (p === '/api/prompt-executions/stats' && m === 'GET') return handlePromptExecutionStats(req, res);
   const execSessionMatch = p.match(/^\/api\/prompt-executions\/session\/([^/]+)$/);
   if (execSessionMatch && m === 'GET') return handleSessionExecutions(req, res, execSessionMatch[1]);
   const execOutcomeMatch = p.match(/^\/api\/prompt-executions\/(\d+)\/outcome$/);
@@ -284,6 +357,7 @@ function handlePromptApi(req, res, url) {
   if (p === '/api/prompts/hybrid-search' && m === 'GET') return handleHybridSearch(req, res, url);
   if (p === '/api/prompts/improve' && m === 'POST') return handleImprovePrompt(req, res);
   if (p === '/api/skills/autocomplete' && m === 'GET') return handleSkillAutocomplete(req, res, url);
+  if (p === '/api/skills/resolve-intent' && m === 'GET') return handleSkillResolveIntent(req, res, url);
   if (p === '/api/harvest/stats' && m === 'GET') return handleHarvestStats(req, res);
   if (p === '/api/prompts/pattern-suggestions' && m === 'GET') return handlePatternSuggestions(req, res);
 
@@ -647,12 +721,120 @@ async function handleUploadImage(req, res, url) {
     const promptId = parseInt(url.searchParams.get('prompt_id') || '0');
     const filename = url.searchParams.get('filename') || 'image.png';
     const mimeType = req.headers['content-type'] || 'image/png';
+    // defer_row=1: return as soon as the file is written (id:null), firing the DB
+    // INSERT in the background. The terminal paste path sets this so a paste isn't
+    // stuck behind the db-owner write queue.
+    const deferRow = url.searchParams.get('defer_row') === '1';
+    const _tRead0 = performance.now();
     const buffer = await readRawBody(req);
-    const result = await db.saveImage(promptId, buffer, filename, mimeType);
-    jsonResponse(res, 201, result);
+    const _tRead1 = performance.now();
+    const result = await saveImageViaOwner(promptId, buffer, filename, mimeType, deferRow);
+    const safe = _logImageTiming('upload', {
+      bytes: buffer.length, readMs: _tRead1 - _tRead0, roundTripMs: performance.now() - _tRead1,
+      source: url.searchParams.get('source') || '', defer: deferRow,
+    }, result);
+    jsonResponse(res, 201, safe);
   } catch (e) { jsonResponse(res, 400, { error: e.message }); }
 }
 
+const INGEST_IMAGE_EXT_MIME = {
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.gif': 'image/gif',
+  '.webp': 'image/webp',
+  '.heic': 'image/heic',
+  '.heif': 'image/heif',
+  '.bmp': 'image/bmp',
+  '.tif': 'image/tiff',
+  '.tiff': 'image/tiff',
+};
+
+// Decode a file:// URL or accept a plain absolute path. Returns '' if neither.
+function _ingestPathFromInput(value) {
+  const raw = String(value || '').trim();
+  if (!raw) return '';
+  if (/^file:\/\//i.test(raw)) {
+    try { return path.resolve(decodeURIComponent(new URL(raw).pathname || '')); }
+    catch { return ''; }
+  }
+  if (path.isAbsolute(raw)) return path.resolve(raw);
+  return '';
+}
+
+// Only stabilize image references that live in user-controlled temp/home roots.
+// This is the macOS screenshot/drag case (e.g. /var/folders/.../TemporaryItems/...png).
+// Refuse arbitrary system paths so this localhost-only endpoint can't be coaxed
+// into copying sensitive files into the served images dir.
+//
+// SECURITY: `candidate` MUST already be a realpath-resolved path (symlinks
+// followed) and each root is realpath-resolved here, so a `.png` symlink living
+// inside an allowed temp root but pointing at e.g. /etc/shadow cannot pass the
+// containment check (its real target is outside the allowed roots). A purely
+// string-based path.resolve() check would be bypassable by such a symlink.
+function _ingestSourceAllowed(candidate) {
+  const realRoots = [];
+  const pushRoot = (p) => {
+    if (!p) return;
+    // Resolve each root through realpath too (e.g. macOS /tmp -> /private/tmp,
+    // /var -> /private/var) so the comparison is symlink-stable on both sides.
+    try { realRoots.push(fs.realpathSync(p)); } catch { /* root may not exist */ }
+  };
+  try { pushRoot(os.tmpdir()); } catch {}
+  for (const env of ['TMPDIR', 'HOME']) {
+    if (process.env[env]) pushRoot(process.env[env]);
+  }
+  // macOS per-user temp + screenshot scratch live under /var/folders and /private/var/folders.
+  for (const r of ['/var/folders', '/private/var/folders', '/tmp', '/private/tmp']) pushRoot(r);
+  return realRoots.some(root => {
+    const rel = path.relative(root, candidate);
+    return rel === '' || (!rel.startsWith('..') && !path.isAbsolute(rel));
+  });
+}
+
+// Ingest a local image FILE by path (not bytes) and return a stable, served copy.
+// Used by the terminal image-reference paste path so CTM forwards a stable
+// images-dir path to the provider instead of the ephemeral macOS temp path
+// (which leaks the local fs and disappears once the screenshot scratch is reaped).
+async function handleIngestImagePath(req, res) {
+  try {
+    const body = await readBody(req, 64 * 1024);
+    const resolved = _ingestPathFromInput(body && (body.path || body.url || body.reference));
+    if (!resolved) return jsonResponse(res, 400, { error: 'invalid_path' });
+    const ext = path.extname(resolved).toLowerCase();
+    const mimeType = INGEST_IMAGE_EXT_MIME[ext];
+    if (!mimeType) return jsonResponse(res, 400, { error: 'unsupported_image_type' });
+    // SECURITY: reject symlinks outright, then resolve the real (symlink-followed)
+    // path BEFORE the allowlist check. Otherwise a `.png` symlink inside an allowed
+    // temp root could point at an arbitrary file (e.g. /etc/shadow) and slip past a
+    // string-only containment check, then be copied into the served images dir.
+    let lst;
+    try { lst = await fs.promises.lstat(resolved); }
+    catch { return jsonResponse(res, 404, { error: 'file_not_found' }); }
+    if (lst.isSymbolicLink()) return jsonResponse(res, 403, { error: 'path_not_allowed' });
+    let realPath;
+    try { realPath = await fs.promises.realpath(resolved); }
+    catch { return jsonResponse(res, 404, { error: 'file_not_found' }); }
+    if (!_ingestSourceAllowed(realPath)) return jsonResponse(res, 403, { error: 'path_not_allowed' });
+    let stat;
+    try { stat = await fs.promises.stat(realPath); }
+    catch { return jsonResponse(res, 404, { error: 'file_not_found' }); }
+    if (!stat.isFile() || stat.size <= 0) return jsonResponse(res, 400, { error: 'not_a_file' });
+    // Copy (deleteSource omitted → default false): never disturb the user's temp file.
+    const _tSave0 = performance.now();
+    const result = await db.saveImageFromFile(0, realPath, path.basename(realPath), mimeType);
+    _logImageTiming('ingest-path', { bytes: stat.size, roundTripMs: performance.now() - _tSave0 }, result);
+    jsonResponse(res, 201, {
+      id: result.id,
+      filename: result.filename,
+      path: result.path,
+      url: `/api/images/file/${encodeURIComponent(result.filename)}`,
+    });
+  } catch (e) {
+    jsonResponse(res, 400, { error: e.message });
+  }
+}
+
 async function handleUploadMobileAttachment(req, res, url) {
   try {
     const kind = url.searchParams.get('kind') === 'image' ? 'image' : 'file';
@@ -665,9 +847,11 @@ async function handleUploadMobileAttachment(req, res, url) {
       jsonResponse(res, 400, { error: 'attachment_empty' });
       return;
     }
-    const result = await db.saveImage(0, buffer, storedFilename, mimeType);
+    const _tSave0 = performance.now();
+    const result = await saveImageViaOwner(0, buffer, storedFilename, mimeType);
+    const safe = _logImageTiming('mobile', { bytes: buffer.length, roundTripMs: performance.now() - _tSave0 }, result);
     jsonResponse(res, 201, {
-      ...result,
+      ...safe,
       kind,
       originalName: filename,
       mimeType,
@@ -869,13 +1053,30 @@ function handleListConversations(req, res, url) {
 
 // Core import logic shared by API handler and auto-import
 const { getAllSessionFiles, getAllSessionFilesAsync, parseSessionFile } = require('./session-utils');
+const walleTranscript = require('./lib/walle-transcript');
+const { readWalleCtmHistory } = require('./lib/walle-ctm-history');
+const {
+  persistWalleSessionConversation,
+  WALLE_SESSION_CACHE_PARSER_VERSION,
+} = require('./lib/walle-session-cache');
 const {
-  codexUserKey,
+  createCodexUserDeduper,
+  parseCodexJsonlFileIntoMessagesAsync,
   parseCodexJsonlFileIntoMessages,
   parseCodexJsonlIntoMessages,
   readCodexRolloutMetadata,
 } = require('./lib/session-history');
 const fsp = require('fs').promises;
+const CODEX_CONVERSATION_IMPORT_PARSER_VERSION = 3;
+const DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION = 1;
+// Claude Code / Claude Desktop sessions are Anthropic, but their JSONL carries no explicit
+// `modelProvider` field, so the parser leaves it ''. Storing '' makes the import's
+// `missingModel` candidate predicate (`!existing.model_provider`) re-select the session on
+// EVERY scan tick forever — re-stringifying + rewriting the whole conversation each time
+// (the re-import storm: 75 sessions, db-owner-worker saturation, write-lock contention).
+// Default to a concrete provider so the row converges after one import. (Codex uses 'openai'
+// and Cursor 'cursor' at their own call sites.)
+const CLAUDE_MODEL_PROVIDER = 'anthropic';
 
 // Parse JSONL content string into conversation messages (sync, CPU-bound but
 // called after async file read so only the parse blocks — not disk I/O).
@@ -981,7 +1182,7 @@ function _parseLargeConversationLine(line) {
   return null;
 }
 
-async function _parseConversationContent(content) {
+async function _parseConversationContent(content, opts = {}) {
   const messages = [];
   const searchMessages = [];
   let assistantCount = 0;
@@ -990,6 +1191,29 @@ async function _parseConversationContent(content) {
   let firstAssistantText = '';
   let renameName = '';
 
+  // Cross-file stitching (mirrors parseSessionFiles in lib/jsonl-conversation-parser):
+  // a post-compact Claude file inherits the PARENT file's lines (old sessionId at the
+  // top). When the owner file still exists next to this one, drop the inherited copy
+  // so the owner's import is the only one that stores those turns. Orphan prefixes
+  // (owner deleted) are kept — they are the only surviving copy.
+  const fileSessionId = String(opts.fileSessionId || '');
+  const fileDir = String(opts.fileDir || '');
+  const ownerOnDisk = new Map();
+  const dropInheritedEntry = (entryId) => {
+    if (!fileSessionId || !fileDir || !entryId || entryId === fileSessionId) return false;
+    if (!ownerOnDisk.has(entryId)) {
+      let exists = false;
+      try { exists = fs.existsSync(path.join(fileDir, `${entryId}.jsonl`)); } catch {}
+      ownerOnDisk.set(entryId, exists);
+    }
+    return ownerOnDisk.get(entryId);
+  };
+  const seenUuids = new Set();
+  const summaries = [];
+  // Last contiguous run emitted for one assistant parentUuid (structured
+  // emission replaces the whole run when the same row re-streams).
+  let lastAssistantRun = null;
+
   // Yield while scanning so a large JSONL does not monopolize the event loop.
   // Avoid content.split('\n') here: building the full line array for a 50MB+
   // file blocks before the parser gets its first chance to yield.
@@ -1014,6 +1238,12 @@ async function _parseConversationContent(content) {
     i++;
     try {
       if (line.length > _LARGE_JSONL_LINE_BYTES) {
+        if (dropInheritedEntry(_readJsonStringPrefix(line, '"sessionId":"', 64))) {
+          await maybeYield();
+          continue;
+        }
+        const largeUuid = _readJsonStringPrefix(line, '"uuid":"', 64);
+        if (largeUuid) seenUuids.add(largeUuid);
         const large = _parseLargeConversationLine(line);
         if (large?.role === 'user') {
           messages.push({ role: 'user', text: large.text.slice(0, _CONVERSATION_CACHE_TEXT_LIMIT), timestamp: large.timestamp });
@@ -1044,11 +1274,64 @@ async function _parseConversationContent(content) {
       }
 
       const entry = JSON.parse(line);
-      if (entry.type === 'user' && entry.message?.role === 'user') {
+      if (dropInheritedEntry(typeof entry.sessionId === 'string' ? entry.sessionId : '')) {
+        await maybeYield();
+        continue;
+      }
+      if (typeof entry.uuid === 'string' && entry.uuid) seenUuids.add(entry.uuid);
+      if (entry.type === 'summary' && typeof entry.summary === 'string' && entry.summary.trim()) {
+        // Async-generated session title ({summary, leafUuid}); not a turn.
+        summaries.push({ summary: entry.summary.trim(), leafUuid: entry.leafUuid || '' });
+      } else if (entry.type === 'system' && entry.subtype === 'compact_boundary'
+          && structuredCapture.structuredCaptureEnabled()) {
+        const compactMeta = entry.compactMetadata || {};
+        const boundary = structuredCapture.compactBoundaryMessage({
+          provider: 'claude',
+          trigger: compactMeta.trigger,
+          preTokens: Number(compactMeta.preTokens),
+          logicalParentUuid: entry.logicalParentUuid,
+          timestamp: entry.timestamp,
+        });
+        messages.push(boundary);
+        searchMessages.push(boundary);
+      } else if (entry.type === 'user' && entry.message?.role === 'user') {
         const c = entry.message.content;
         const text = typeof c === 'string' ? c
           : Array.isArray(c) ? c.filter(b => b.type === 'text').map(b => b.text).join('\n') : '';
-        if (text) {
+        const captureOn = structuredCapture.structuredCaptureEnabled();
+        if (captureOn && (entry.isCompactSummary || entry.isVisibleInTranscriptOnly)) {
+          // Post-compact synthetic context summary — a collapsed structured
+          // row, never a user prompt (keeps first/last-user title signals clean).
+          if (text) {
+            const summaryMsg = structuredCapture.compactSummaryMessage({ provider: 'claude', text, timestamp: entry.timestamp });
+            messages.push(summaryMsg);
+            searchMessages.push(summaryMsg);
+          }
+        } else if (captureOn && Array.isArray(c) && c.some(b => b && b.type === 'tool_result')) {
+          // Mirrors lib/jsonl-conversation-parser: one structured tool_result
+          // row per block, enriched from the top-level toolUseResult.
+          const resultBlocks = c.filter(b => b && b.type === 'tool_result');
+          const tur = resultBlocks.length === 1 && entry.toolUseResult && typeof entry.toolUseResult === 'object'
+            ? entry.toolUseResult : null;
+          for (const block of resultBlocks) {
+            const blockText = typeof block.content === 'string' ? block.content
+              : Array.isArray(block.content)
+                ? block.content.filter(b => b && b.type === 'text' && b.text).map(b => b.text).join('\n')
+                : '';
+            const resultMsg = structuredCapture.toolResultMessage({
+              provider: 'claude',
+              callId: block.tool_use_id,
+              output: blockText || (tur && typeof tur.stdout === 'string' ? tur.stdout : ''),
+              isError: block.is_error === true,
+              filePath: tur ? (tur.filePath || tur.file_path) : undefined,
+              durationMs: tur ? Number(tur.durationMs) : undefined,
+              structuredPatch: tur ? tur.structuredPatch : undefined,
+              timestamp: entry.timestamp,
+            });
+            messages.push(resultMsg);
+            searchMessages.push(resultMsg);
+          }
+        } else if (text) {
           messages.push({ role: 'user', text: text.slice(0, _CONVERSATION_CACHE_TEXT_LIMIT), timestamp: entry.timestamp });
           searchMessages.push({ role: 'user', text, timestamp: entry.timestamp });
           if (!firstUserContent) firstUserContent = text.slice(0, _TITLE_SIGNAL_TEXT_LIMIT);
@@ -1060,6 +1343,80 @@ async function _parseConversationContent(content) {
       } else if (entry.type === 'assistant' && entry.message?.role === 'assistant') {
         const c = entry.message.content;
         if (!Array.isArray(c)) continue;
+        if (structuredCapture.structuredCaptureEnabled()) {
+          // Mirrors lib/jsonl-conversation-parser: thinking → reasoning rows,
+          // tool_use → tool_call rows, text blocks → ONE assistant message
+          // (parentUuid + usage/model metadata), in block order. A re-streamed
+          // parentUuid replaces the previous contiguous run.
+          const run = [];
+          const textParts = [];
+          let textInsertIndex = -1;
+          for (const block of c) {
+            if (!block || typeof block !== 'object') continue;
+            if (block.type === 'text' && block.text) {
+              if (textInsertIndex === -1) textInsertIndex = run.length;
+              textParts.push(block.text);
+            } else if (block.type === 'thinking' && (block.thinking || block.text)) {
+              run.push(structuredCapture.reasoningMessage({ provider: 'claude', text: block.thinking || block.text, timestamp: entry.timestamp }));
+            } else if (block.type === 'tool_use') {
+              run.push(structuredCapture.toolCallMessage({
+                provider: 'claude', tool: block.name, callId: block.id, args: block.input, timestamp: entry.timestamp,
+              }));
+            }
+          }
+          let searchText = '';
+          if (textParts.length) {
+            searchText = textParts.join('\n');
+            if (!firstAssistantText) firstAssistantText = searchText.slice(0, _TITLE_SIGNAL_TEXT_LIMIT);
+            const msg = {
+              role: 'assistant',
+              text: searchText.slice(0, _CONVERSATION_CACHE_TEXT_LIMIT),
+              timestamp: entry.timestamp,
+              parentUuid: entry.parentUuid,
+              _parent: entry.parentUuid,
+            };
+            const usage = _usageMetadata(entry.message.usage);
+            const model = typeof entry.message.model === 'string' ? entry.message.model : '';
+            if (usage || model) {
+              msg.metadata = {};
+              if (usage) msg.metadata.usage = usage;
+              if (model) msg.metadata.model = model;
+            }
+            run.splice(textInsertIndex === -1 ? run.length : textInsertIndex, 0, msg);
+          }
+          if (run.length) {
+            if (entry.parentUuid && lastAssistantRun
+                && lastAssistantRun.parent === entry.parentUuid
+                && lastAssistantRun.mEnd === messages.length
+                && lastAssistantRun.sEnd === searchMessages.length) {
+              messages.splice(lastAssistantRun.mStart);
+              searchMessages.splice(lastAssistantRun.sStart);
+              assistantCount -= lastAssistantRun.assistantCount;
+            }
+            const mStart = messages.length;
+            const sStart = searchMessages.length;
+            let runAssistantCount = 0;
+            for (const m of run) {
+              messages.push(m);
+              if (m.role === 'assistant') {
+                runAssistantCount++;
+                // Search index keeps the FULL text (the messages copy is capped).
+                searchMessages.push({ ...m, text: searchText });
+              } else {
+                searchMessages.push(m);
+              }
+            }
+            assistantCount += runAssistantCount;
+            lastAssistantRun = {
+              parent: entry.parentUuid,
+              mStart, mEnd: messages.length,
+              sStart, sEnd: searchMessages.length,
+              assistantCount: runAssistantCount,
+            };
+          }
+          await maybeYield();
+          continue;
+        }
         const parts = [];
         for (const block of c) {
           if (block.type === 'text' && block.text) parts.push(block.text);
@@ -1094,6 +1451,12 @@ async function _parseConversationContent(content) {
   }
   messages.forEach(m => delete m._parent);
   searchMessages.forEach(m => delete m._parent);
+  // Title candidate (lowest precedence): the last summary whose leafUuid we
+  // actually saw in this content — or one with no leafUuid at all.
+  let summaryTitle = '';
+  for (const s of summaries) {
+    if (!s.leafUuid || seenUuids.has(s.leafUuid)) summaryTitle = s.summary.slice(0, 200);
+  }
   return {
     messages,
     searchMessages,
@@ -1102,6 +1465,7 @@ async function _parseConversationContent(content) {
     lastUserContent,
     firstAssistantText,
     renameName,
+    summaryTitle,
   };
 }
 
@@ -1157,8 +1521,9 @@ async function _importCompactPair(parsed, jsonlPath, bakPath, jsonlSize, bakSize
     fsp.readFile(jsonlPath, 'utf8').catch(() => ''),
   ]);
 
-  const bakParsed = await _parseConversationContent(bakContent);
-  const jsonlParsed = await _parseConversationContent(jsonlContent);
+  const stitchOpts = { fileSessionId: claudeFileSessionId(jsonlPath), fileDir: path.dirname(jsonlPath) };
+  const bakParsed = await _parseConversationContent(bakContent, stitchOpts);
+  const jsonlParsed = await _parseConversationContent(jsonlContent, stitchOpts);
 
   // Concatenate then sort by timestamp so out-of-order writes (rare but
   // possible mid-compact) end up in chronological order.
@@ -1189,7 +1554,7 @@ async function _importCompactPair(parsed, jsonlPath, bakPath, jsonlSize, bakSize
     search_messages: allSearchMessages,
     user_msg_count: signals.userCount,
     assistant_msg_count: signals.assistantCount,
-    title: parsed.title || (existing && existing.title) || '',
+    title: parsed.title || (existing && existing.title) || jsonlParsed.summaryTitle || bakParsed.summaryTitle || '',
     first_message: mergedFirstUser,
     last_user_content: mergedLastUser,
     first_assistant_text: mergedFirstAssistant,
@@ -1198,8 +1563,9 @@ async function _importCompactPair(parsed, jsonlPath, bakPath, jsonlSize, bakSize
     file_size: totalSize,
     session_created_at: parsed.timestamp,
     hostname: parsed.hostname,
-    model_provider: parsed.modelProvider || (existing && existing.model_provider) || '',
+    model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
     model_id: parsed.modelId || (existing && existing.model_id) || '',
+    import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
   });
   return true;
 }
@@ -1232,15 +1598,8 @@ function _loadIndexedSessionMessages(sessionId) {
   }
 }
 
-function _codexSeenUsersFromMessages(messages) {
-  const seen = new Set();
-  for (const msg of Array.isArray(messages) ? messages : []) {
-    if (msg && msg.role === 'user') {
-      const key = codexUserKey(msg.text || msg.content || '');
-      if (key) seen.add(key);
-    }
-  }
-  return seen;
+function _codexUserDeduperFromMessages(messages) {
+  return createCodexUserDeduper((Array.isArray(messages) ? messages : []).filter(msg => msg && msg.role === 'user'));
 }
 
 async function _readFileRange(filePath, start, length) {
@@ -1255,21 +1614,28 @@ async function _readFileRange(filePath, start, length) {
 }
 
 function _conversationImportIndexRows() {
-  const conversations = new Map();
-  const linkedAgentIds = new Set();
-  try {
-    const rows = db.getDb().prepare(
-      'SELECT ctm_session_id, file_size, model_provider FROM session_conversations'
-    ).all();
-    for (const row of rows) conversations.set(row.ctm_session_id, row);
-  } catch {}
-  try {
-    const rows = db.getDb().prepare(
-      'SELECT agent_session_id FROM agent_sessions WHERE agent_session_id IS NOT NULL AND agent_session_id != ""'
-    ).all();
-    for (const row of rows) linkedAgentIds.add(row.agent_session_id);
-  } catch {}
-  return { conversations, linkedAgentIds };
+  // Attribution: two full-table index scans built on every conversation-import
+  // tick. They run as the sync prefix of _conversationImportCandidates, which is
+  // itself called AFTER the job's `await getAllSessionFilesAsync()` — so the
+  // scheduler's tag is already cleared and a slow scan would log as `(unknown)`.
+  // Phase 2.
+  return runSync('conversation-import:buildIndexRows', () => {
+    const conversations = new Map();
+    const linkedAgentIds = new Set();
+    try {
+      const rows = db.getDb().prepare(
+        'SELECT ctm_session_id, file_size, model_provider, import_parser_version FROM session_conversations'
+      ).all();
+      for (const row of rows) conversations.set(row.ctm_session_id, row);
+    } catch {}
+    try {
+      const rows = db.getDb().prepare(
+        'SELECT agent_session_id FROM agent_sessions WHERE agent_session_id IS NOT NULL AND agent_session_id != ""'
+      ).all();
+      for (const row of rows) linkedAgentIds.add(row.agent_session_id);
+    } catch {}
+    return { conversations, linkedAgentIds };
+  });
 }
 
 async function _conversationImportEffectiveSize(filePath, stat) {
@@ -1296,14 +1662,29 @@ async function _conversationImportCandidates(allFiles, lastScanAt) {
       const stat = await fsp.stat(claudeDesktopSessions.sourcePathForStat(filePath));
       if (!stat.isFile()) continue;
       const sessionId = listedSessionId || path.basename(filePath).replace(/\.jsonl(\.bak)?$/, '');
+      // Desktop sessions re-candidate forever via `linkedMissingCache`: importSessionFile
+      // returns false for an empty desktop session (no messages), so no session_conversations
+      // row is ever written, so `!existing` stays true and the session is re-selected every
+      // import tick. Skip dead/empty desktop sessions here — there is nothing to import, and a
+      // healthy one (messages present) writes a cache row and stops matching this guard.
+      if (claudeDesktopSessions.isVirtualSessionPath(filePath)
+          && (claudeDesktopSessions.getMessages(sessionId) || []).length === 0) {
+        continue;
+      }
       const existing = conversations.get(sessionId);
       const existingSize = Number(existing?.file_size || 0);
       const { effectiveSize, hasCompactSibling } = await _conversationImportEffectiveSize(filePath, stat);
+      const isCodexRollout = projectEntry === 'codex' || String(filePath || '').includes(`${path.sep}.codex${path.sep}sessions${path.sep}`);
+      const isWalleTranscript = projectEntry === walleTranscript.WALLE_PROJECT_ENTRY;
       const changedSinceScan = stat.mtimeMs > lastScanAt;
       const cacheBehind = !!existing && effectiveSize > existingSize;
       const cacheShrankAfterChange = !!existing && effectiveSize < existingSize && changedSinceScan;
       const linkedMissingCache = linkedAgentIds.has(sessionId) && !existing;
       const missingModel = !!existing && !existing.model_provider;
+      const staleParser = !!existing && (
+        (isCodexRollout && Number(existing.import_parser_version || 0) < CODEX_CONVERSATION_IMPORT_PARSER_VERSION) ||
+        (isWalleTranscript && Number(existing.import_parser_version || 0) < WALLE_SESSION_CACHE_PARSER_VERSION)
+      );
       const changedColdFile = changedSinceScan && !existing;
 
       if (
@@ -1311,18 +1692,20 @@ async function _conversationImportCandidates(allFiles, lastScanAt) {
         !cacheBehind &&
         !cacheShrankAfterChange &&
         !linkedMissingCache &&
-        !missingModel
+        !missingModel &&
+        !staleParser
       ) {
         continue;
       }
 
       let priority = 6;
       if (cacheBehind) priority = 0;
-      else if (linkedMissingCache) priority = 1;
-      else if (cacheShrankAfterChange) priority = 2;
-      else if (hasCompactSibling && changedColdFile) priority = 3;
-      else if (changedColdFile) priority = 4;
-      else if (missingModel) priority = 5;
+      else if (staleParser) priority = 1;
+      else if (linkedMissingCache) priority = 2;
+      else if (cacheShrankAfterChange) priority = 3;
+      else if (hasCompactSibling && changedColdFile) priority = 4;
+      else if (changedColdFile) priority = 5;
+      else if (missingModel) priority = 6;
 
       candidates.push({
         filePath,
@@ -1356,32 +1739,79 @@ async function _conversationImportCandidates(allFiles, lastScanAt) {
   return candidates;
 }
 
-async function _importCodexSessionFile(parsed, filePath) {
+function _backgroundTranscriptImportMaxBytes() {
+  const raw = Number(process.env.CTM_BACKGROUND_TRANSCRIPT_IMPORT_MAX_BYTES || BACKGROUND_TRANSCRIPT_IMPORT_DEFAULT_BYTES);
+  return Math.max(256 * 1024, Number.isFinite(raw) ? raw : BACKGROUND_TRANSCRIPT_IMPORT_DEFAULT_BYTES);
+}
+
+function _codexImportedFileSize(parsedFileSize, prevFileSize, parsedTail) {
+  const fileSize = Math.max(0, Number(parsedFileSize || 0));
+  const prev = Math.max(0, Number(prevFileSize || 0));
+  const base = prev > 0 && fileSize >= prev ? prev : 0;
+  const rawConsumed = Number.isFinite(Number(parsedTail?.completeBytesRead))
+    ? Number(parsedTail.completeBytesRead)
+    : Number(parsedTail?.bytesRead || 0);
+  const consumed = Math.max(0, Number.isFinite(rawConsumed) ? rawConsumed : 0);
+  return Math.min(fileSize, base + consumed);
+}
+
+async function _importCodexSessionFile(parsed, filePath, options = {}) {
   const sessionId = parsed.sessionId;
   if (!sessionId) return false;
 
   const existing = db.getSessionConversation(sessionId);
-  if (existing && existing.file_size === parsed.fileSize && existing.model_provider) return false;
-
-  const prevFileSize = Number(existing?.file_size || 0);
-  const baseMessages = (prevFileSize > 0 && parsed.fileSize > prevFileSize)
-    ? _safeParseMessagesJson(existing.messages)
-    : [];
-  const indexedMessages = (prevFileSize > 0 && parsed.fileSize > prevFileSize)
-    ? _loadIndexedSessionMessages(sessionId)
+  const parserVersion = CODEX_CONVERSATION_IMPORT_PARSER_VERSION;
+  const parserStale = !!existing && Number(existing.import_parser_version || 0) < parserVersion;
+  if (existing && existing.file_size === parsed.fileSize && existing.model_provider && !parserStale) return false;
+
+  const prevFileSize = parserStale ? 0 : Number(existing?.file_size || 0);
+  // Hard size cap (fail-open): a multi-GB transcript would make the existing-blob
+  // parse + whole-array concat/sort below block the loop and exceed V8's ~512MB
+  // string limit. Over cap ⇒ don't load the full base from the blob; import only
+  // the freshly-read tail (the downstream blob write is also capped to '[]' and
+  // the transcript-store rows carry full history).
+  let _isOverParseCap = null;
+  try { _isOverParseCap = require('./lib/size-cap').isOverParseCap; } catch { /* optional */ }
+  const _overCap = typeof _isOverParseCap === 'function' ? _isOverParseCap(parsed.fileSize) : false;
+  const _loadBase = !_overCap && prevFileSize > 0 && parsed.fileSize > prevFileSize;
+  // Phase 6: load the incremental base from the faithful per-message rows when they're
+  // known-complete (column read, no multi-MB JSON.parse of the blob — and it survives blob
+  // retirement in Phase 7). Falls back to the blob when rows are absent/half-migrated.
+  const _rowsComplete = _loadBase
+    && typeof db.sessionContentRowsAvailable === 'function'
+    && db.sessionContentRowsAvailable(sessionId);
+  const baseMessages = _loadBase
+    ? (_rowsComplete ? db.getSessionMessagesArray(sessionId, { fallbackToBlob: false }) : _safeParseMessagesJson(existing.messages))
     : [];
-  const baseSearchMessages = (prevFileSize > 0 && parsed.fileSize > prevFileSize)
+  const indexedMessages = _loadBase ? _loadIndexedSessionMessages(sessionId) : [];
+  const baseSearchMessages = _loadBase
     ? (indexedMessages.length ? indexedMessages : baseMessages)
     : [];
-  const seenUsers = _codexSeenUsersFromMessages(baseMessages);
+  const codexUserDeduper = _codexUserDeduperFromMessages(baseMessages);
 
   const newMessages = [];
   let parsedTail;
   if (prevFileSize > 0 && parsed.fileSize > prevFileSize) {
     const content = await _readFileRange(filePath, prevFileSize, parsed.fileSize - prevFileSize);
-    parsedTail = parseCodexJsonlIntoMessages(content, newMessages, { seenUsers });
+    parsedTail = parseCodexJsonlIntoMessages(content, newMessages, { codexUserDeduper });
+  } else if (options.cooperative) {
+    parsedTail = await parseCodexJsonlFileIntoMessagesAsync(filePath, newMessages, {
+      codexUserDeduper,
+      yieldAfterMs: options.yieldAfterMs || 25,
+    });
   } else {
-    parsedTail = parseCodexJsonlFileIntoMessages(filePath, newMessages, { seenUsers });
+    parsedTail = parseCodexJsonlFileIntoMessages(filePath, newMessages, { codexUserDeduper });
+  }
+
+  // Re-import storm guard: codex `importedFileSize` tracks CONSUMED bytes, which can stay below
+  // parsed.fileSize indefinitely (trailing non-message lines / a partial record still being
+  // written), so the candidate selector's `cacheBehind` (effectiveSize > stored file_size) never
+  // converges and this importer is re-run every scan tick. When the grown tail held NO new
+  // messages, the whole-conversation re-stringify + replaceSessionMessages below is pure waste
+  // that saturates the db-owner worker — skip it. The resume offset (stored file_size) is left
+  // unchanged, so a record that only completes later is still picked up on a subsequent pass.
+  if (prevFileSize > 0 && parsed.fileSize > prevFileSize && newMessages.length === 0) {
+    return false;
   }
 
   const allMessages = baseMessages.concat(newMessages);
@@ -1392,6 +1822,8 @@ async function _importCodexSessionFile(parsed, filePath) {
   const assistantMessages = allMessages.filter(m => m.role === 'assistant' && (m.text || m.content));
   if (allMessages.length === 0 || userMessages.length === 0) return false;
 
+  const importedFileSize = _codexImportedFileSize(parsed.fileSize, prevFileSize, parsedTail);
+
   const fileMeta = readCodexRolloutMetadata(filePath) || {};
   const meta = parsedTail.sessionMeta || fileMeta || {};
   const firstUser = userMessages[0]?.text || userMessages[0]?.content || '';
@@ -1417,14 +1849,45 @@ async function _importCodexSessionFile(parsed, filePath) {
     first_assistant_text: firstAssistant.slice(0, 500),
     rename_name: existing?.rename_name || '',
     git_branch: meta.git_branch || parsed.gitBranch || '',
-    file_size: parsed.fileSize,
+    file_size: importedFileSize,
     session_created_at: meta.timestamp || parsed.timestamp || '',
     hostname: parsed.hostname,
     model_provider: modelProvider,
     model_id: model || (existing && existing.model_id) || '',
+    import_parser_version: parserVersion,
   });
 
   try {
+    const threadSource = String(meta.thread_source || meta.threadSource || '').trim().toLowerCase();
+    const parentAgentSessionId = String(
+      meta.parent_agent_session_id
+      || meta.parentAgentSessionId
+      || meta.parent_thread_id
+      || meta.parentThreadId
+      || ''
+    ).trim();
+    if (threadSource === 'subagent' && parentAgentSessionId) {
+      db.upsertAgentSessionIdentity(sessionId, {
+        provider: 'codex',
+        providerResumeId: sessionId,
+        cwd: projectPath,
+        projectPath,
+        title,
+        jsonlPath: filePath,
+        fileSize: parsed.fileSize,
+        modifiedAt: parsed.modifiedAt,
+        model,
+        gitBranch: meta.git_branch || parsed.gitBranch || '',
+        hostname: parsed.hostname,
+        userMsgCount: userMessages.length,
+        firstMessage: firstUser.slice(0, 500),
+        threadSource,
+        parentAgentSessionId,
+        agentNickname: meta.agent_nickname || meta.agentNickname || '',
+        agentRole: meta.agent_role || meta.agentRole || '',
+      });
+      return true;
+    }
     const owner = db.getDb().prepare('SELECT ctm_session_id FROM agent_sessions WHERE agent_session_id = ?').get(sessionId);
     db.upsertSession(owner?.ctm_session_id || sessionId, {
       agentSessionId: sessionId,
@@ -1449,21 +1912,28 @@ async function _importCodexSessionFile(parsed, filePath) {
   return true;
 }
 
-function _ingestTranscriptStoreForParsedFile(filePath, parsed) {
+function _ingestTranscriptStoreForParsedFile(filePath, parsed, options = {}) {
+  // Claude Desktop sessions use a virtual path (`…#ctm-claude-desktop=<uuid>`) that is never a
+  // real file on disk — fs.statSync / ingestJsonlFile always throw ENOENT on it. Their
+  // transcript data lives in the Desktop cache (read via getMessages), not the JSONL transcript
+  // store, so this ingest can only ever fail for them. Skipping removes a guaranteed-failing
+  // synchronous statSync that was firing ~97×/sec in a hot loop on dead desktop sessions.
+  if (claudeDesktopSessions.isVirtualSessionPath(filePath)) return null;
   try {
     const size = Number(parsed?.fileSize || fs.statSync(filePath).size || 0);
     const agentSessionId = String(parsed?.sessionId || transcriptSourceIdFromPath(filePath) || '').trim();
     if (!agentSessionId) return null;
     const provider = normalizeTranscriptProvider(parsed?.agent || parsed?.modelProvider || '', filePath);
     const largeColdMode = size >= TRANSCRIPT_IMPORT_LARGE_FILE_BYTES ? 'tail' : undefined;
+    const maxBytes = Math.max(256 * 1024, Number(options.transcriptMaxBytes || TRANSCRIPT_IMPORT_MAX_BYTES));
     const result = ingestJsonlFile(db.getDb(), {
       filePath,
       agentSessionId,
       ctmSessionId: agentSessionId,
       provider,
       mode: largeColdMode,
-      initialTailBytes: TRANSCRIPT_IMPORT_MAX_BYTES,
-      maxBytes: largeColdMode ? TRANSCRIPT_IMPORT_MAX_BYTES : Math.min(size || TRANSCRIPT_IMPORT_MAX_BYTES, TRANSCRIPT_IMPORT_MAX_BYTES),
+      initialTailBytes: maxBytes,
+      maxBytes: largeColdMode ? maxBytes : Math.min(size || maxBytes, maxBytes),
     });
     if ((result.inserted || 0) > 0 || (result.bytesRead || 0) > 0) {
       console.log(
@@ -1478,11 +1948,55 @@ function _ingestTranscriptStoreForParsedFile(filePath, parsed) {
   }
 }
 
-async function importSessionFile(filePath, projectPath, projectEntry) {
+async function _importWalleSessionFile(parsed, filePath) {
+  const sessionId = String(parsed?.sessionId || '').trim();
+  if (!sessionId) return false;
+
+  const existing = db.getSessionConversation(sessionId);
+  const fileStat = await fsp.stat(filePath).catch(() => null);
+  if (!fileStat || !fileStat.isFile()) return false;
+  const parserStale = !!existing &&
+    Number(existing.import_parser_version || 0) < WALLE_SESSION_CACHE_PARSER_VERSION;
+  if (existing && existing.file_size === fileStat.size && existing.model_provider && !parserStale) {
+    return false;
+  }
+
+  const history = readWalleCtmHistory(filePath);
+  if (!history.some((message) => message && message.role === 'user' && (message.content || message.text))) {
+    return false;
+  }
+  const meta = walleTranscript.readSessionMeta(filePath) || {};
+  const chatSessionId = String(meta.chatSessionId || meta.sessionId || sessionId).trim() || sessionId;
+  const wrote = persistWalleSessionConversation({
+    db,
+    source: {
+      ...parsed,
+      ctmSessionId: sessionId,
+      conversationSessionId: sessionId,
+      agentSessionId: sessionId,
+      chatSessionId,
+      jsonlPath: filePath,
+      cwd: meta.cwd || parsed.cwd || parsed.project || '',
+      title: meta.label || parsed.title || '',
+      label: meta.label || parsed.title || '',
+      model_provider: meta.modelProvider || parsed.modelProvider || '',
+      model_id: meta.modelId || parsed.modelId || '',
+    },
+    history,
+    fileStat,
+    hostname: parsed.hostname,
+  });
+  return wrote > 0;
+}
+
+async function importSessionFile(filePath, projectPath, projectEntry, options = {}) {
   const parsed = parseSessionFile(filePath, projectPath, projectEntry);
-  _ingestTranscriptStoreForParsedFile(filePath, parsed);
+  _ingestTranscriptStoreForParsedFile(filePath, parsed, options);
   if (parsed.agent === 'codex') {
-    return _importCodexSessionFile(parsed, filePath);
+    return _importCodexSessionFile(parsed, filePath, options);
+  }
+  if (parsed.agent === 'walle') {
+    return _importWalleSessionFile(parsed, filePath);
   }
   if (parsed.agent === claudeDesktopSessions.DESKTOP_AGENT) {
     const messages = claudeDesktopSessions.getMessages(parsed.sessionId) || [];
@@ -1510,8 +2024,9 @@ async function importSessionFile(filePath, projectPath, projectEntry) {
       file_size: parsed.fileSize,
       session_created_at: parsed.timestamp,
       hostname: parsed.hostname,
-      model_provider: parsed.modelProvider || (existing && existing.model_provider) || '',
+      model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
       model_id: parsed.modelId || (existing && existing.model_id) || '',
+      import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
     });
     return true;
   }
@@ -1555,8 +2070,16 @@ async function importSessionFile(filePath, projectPath, projectEntry) {
     } finally {
       await fh.close();
     }
-    // Carry forward existing parsed messages
-    try { baseMessages = JSON.parse(existing.messages || '[]'); } catch {}
+    // Carry forward existing parsed messages. Phase 6: load the base from the faithful
+    // per-message rows when known-complete (column read, no multi-MB JSON.parse — and it
+    // survives blob retirement in Phase 7); fall back to the blob when rows aren't ready.
+    try {
+      if (typeof db.sessionContentRowsAvailable === 'function' && db.sessionContentRowsAvailable(parsed.sessionId)) {
+        baseMessages = db.getSessionMessagesArray(parsed.sessionId, { fallbackToBlob: false });
+      } else {
+        baseMessages = JSON.parse(existing.messages || '[]');
+      }
+    } catch {}
     baseAssistantCount = existing.assistant_msg_count || 0;
   } else {
     // Full read for new files or when file shrank (truncated/rotated)
@@ -1568,7 +2091,11 @@ async function importSessionFile(filePath, projectPath, projectEntry) {
     searchMessages: newSearchMessages,
     firstUserContent: parsedFirstUser, lastUserContent: parsedLastUser,
     firstAssistantText: parsedFirstAssistant, renameName: parsedRename,
-  } = await _parseConversationContent(content);
+    summaryTitle: parsedSummaryTitle,
+  } = await _parseConversationContent(content, {
+    fileSessionId: claudeFileSessionId(jsonlPath),
+    fileDir: path.dirname(jsonlPath),
+  });
   const allMessages = baseMessages.concat(newMessages);
   const indexedMessages = prevFileSize > 0 && parsed.fileSize > prevFileSize
     ? _loadIndexedSessionMessages(parsed.sessionId)
@@ -1600,7 +2127,7 @@ async function importSessionFile(filePath, projectPath, projectEntry) {
     search_messages: allSearchMessages,
     user_msg_count: signals.userCount,
     assistant_msg_count: signals.assistantCount || baseAssistantCount + newAssistants,
-    title: parsed.title || (existing && existing.title) || '',
+    title: parsed.title || (existing && existing.title) || parsedSummaryTitle || '',
     first_message: mergedFirstUser,
     last_user_content: mergedLastUser,
     first_assistant_text: mergedFirstAssistant,
@@ -1609,8 +2136,9 @@ async function importSessionFile(filePath, projectPath, projectEntry) {
     file_size: parsed.fileSize,
     session_created_at: parsed.timestamp,
     hostname: parsed.hostname,
-    model_provider: parsed.modelProvider || (existing && existing.model_provider) || '',
+    model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
     model_id: parsed.modelId || (existing && existing.model_id) || '',
+    import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
   });
   return true;
 }
@@ -1666,7 +2194,10 @@ async function runIncrementalConversationImport() {
       try {
         if (error) throw error;
         scanned++;
-        if (await importSessionFile(filePath, projectPath, projectEntry)) imported++;
+        if (await importSessionFile(filePath, projectPath, projectEntry, {
+          cooperative: true,
+          transcriptMaxBytes: _backgroundTranscriptImportMaxBytes(),
+        })) imported++;
         const importLimited = imported >= maxImportedPerRun;
         const processedLimited = scanned >= maxProcessedPerRun;
         if ((importLimited || processedLimited) && scanned < candidates.length) {
@@ -1708,6 +2239,108 @@ async function runIncrementalConversationImport() {
   }
 }
 
+// --- Cursor conversation import ----------------------------------------------
+// Cursor stores conversations as a content-addressed blob graph in its own SQLite
+// store (~/.cursor/chats/<ws>/<agent>/store.db), NOT a JSONL append log. Reconstructing
+// it is expensive (blob-graph BFS + per-blob JSON.parse), so — exactly like the JSONL
+// importer — import once into session_conversations and let the normal cache read path
+// serve it, instead of reconstructing on every UI poll (the old design; see the
+// _orderedBlobRefs CPU-profile finding). Signature-gated (store size:mtime) so an unchanged
+// store is skipped; the store path is resolved once per session and cached on a CONFIDENT
+// (agentId) match. Runs on the db-owner worker (off the main event loop) like the JSONL import.
+const CURSOR_IMPORT_PARSER_VERSION = 1; // bump to force a full cursor re-import on shape change
+const _cursorImportSignatures = new Map();   // ctm_session_id → last-imported store signature
+const _cursorResolvedStorePaths = new Map(); // ctm_session_id → resolved store.db path (confident match only)
+
+async function runCursorConversationImport({ cursorHome } = {}) {
+  let imported = 0;
+  let scanned = 0;
+  let skipped = 0;
+  let failed = 0;
+  let total = 0;
+  let cursorStore;
+  try {
+    cursorStore = require('./lib/cursor-conversation-store');
+  } catch (e) {
+    return { imported, scanned, skipped, failed, total, error: `cursor store unavailable: ${e.message}` };
+  }
+  try {
+    const sessions = db.getDb().prepare(
+      "SELECT id, cwd, project_path, created_at, updated_at FROM ctm_sessions WHERE provider = 'cursor'"
+    ).all();
+    total = sessions.length;
+    for (const s of sessions) {
+      try {
+        scanned += 1;
+        const ctmId = String(s.id);
+        const cwd = String(s.cwd || s.project_path || '').trim();
+        const agentRows = db.getDb().prepare(
+          "SELECT agent_session_id FROM agent_sessions WHERE ctm_session_id = ? AND agent_session_id IS NOT NULL AND agent_session_id != ''"
+        ).all(ctmId);
+        const agentSessionIds = agentRows.map((r) => String(r.agent_session_id)).filter(Boolean);
+
+        // Resolve the store. If we already have a confident path, gate on its cheap signature
+        // BEFORE the expensive reconstruct; skip when unchanged since the last import.
+        let storeDbPath = _cursorResolvedStorePaths.get(ctmId) || '';
+        if (storeDbPath) {
+          const sig = cursorStore.statSignature(storeDbPath);
+          if (sig && _cursorImportSignatures.get(ctmId) === sig) { skipped += 1; continue; }
+        }
+
+        let store = null;
+        if (storeDbPath) {
+          try { store = cursorStore.loadCursorStore(storeDbPath); } catch { store = null; }
+        }
+        if (!store) {
+          // No cached path (or its load failed): resolve via match. loadCursorStore is itself
+          // size:mtime-cached, so the enumeration is cheap for idle stores.
+          store = cursorStore.loadCursorConversationForSession({
+            cwd, createdAt: s.created_at, updatedAt: s.updated_at, agentSessionIds, cursorHome,
+          });
+          if (store && store.storeDbPath) {
+            storeDbPath = store.storeDbPath;
+            // Persist the resolved path ONLY on a confident (agentId) match — cwd+time alone is
+            // a heuristic that could pin the wrong store.
+            if (store.agentId && agentSessionIds.includes(store.agentId)) {
+              _cursorResolvedStorePaths.set(ctmId, storeDbPath);
+            }
+          }
+        }
+        if (!store || !Array.isArray(store.messages) || store.messages.length === 0) continue;
+
+        const sig = storeDbPath ? cursorStore.statSignature(storeDbPath) : '';
+        if (sig && _cursorImportSignatures.get(ctmId) === sig) { skipped += 1; continue; }
+
+        const fields = cursorStore.cursorStoreToConversationFields(store);
+        db.importSessionConversation({
+          session_id: ctmId,
+          ...fields,
+          title: '',
+          git_branch: '',
+          file_size: 0, // cursor has no single jsonl footprint; freshness is gated by `sig`
+          session_created_at: fields.session_created_at || s.created_at || '',
+          hostname: '',
+          import_parser_version: CURSOR_IMPORT_PARSER_VERSION,
+          rename_name: '',
+        });
+        if (sig) _cursorImportSignatures.set(ctmId, sig);
+        imported += 1;
+        await new Promise((resolve) => setImmediate(resolve));
+      } catch (e) {
+        failed += 1;
+        console.error(`[cursor-import] ${String(s.id).slice(0, 8)}: ${e.message}`);
+      }
+    }
+    if (imported || failed) {
+      console.log(`[cursor-import] imported ${imported}, skipped ${skipped}, failed ${failed} (scanned ${scanned}/${total})`);
+    }
+    return { imported, scanned, skipped, failed, total };
+  } catch (e) {
+    console.error('[cursor-import] Top-level error:', e.message);
+    return { imported, scanned, skipped, failed, total, error: e.message };
+  }
+}
+
 function handleGetConversation(req, res, url) {
   const sessionId = url.pathname.split('/').pop();
   const conv = db.getSessionConversation(sessionId);
@@ -1754,7 +2387,7 @@ async function handleGetSettings(req, res, url) {
         for (const r of rows) result[r.key] = r.value;
         return result;
       }
-      const allKeys = ['db_path', 'images_dir', 'default_context_type', 'editor_theme', 'auto_version'];
+      const allKeys = ['db_path', 'images_dir', 'backup_dir', 'default_context_type', 'editor_theme', 'auto_version'];
       const result = {};
       for (const k of allKeys) result[k] = db.getSetting(k);
       return result;
@@ -1772,7 +2405,11 @@ async function handlePutSettings(req, res) {
     const changedKeys = await withSqliteBusyRetry(() => {
       const keys = [];
       for (const [k, v] of Object.entries(data)) {
-        db.setSetting(k, v);
+        if (k === 'backup_dir' && typeof db.setBackupDir === 'function') {
+          db.setBackupDir(v, { persist: true });
+        } else {
+          db.setSetting(k, v);
+        }
         keys.push(k);
       }
       return keys;
@@ -1909,29 +2546,50 @@ function handleHotkeyUninstall(req, res) {
 
 // --- Screenshot (macOS) ---
 async function handleScreenshot(req, res) {
+  // Self-describing diagnostics for the "press hotkey / take screenshot → nothing
+  // happens" reports. Logs one [screenshot] line per request with where the time
+  // went (capture vs DB write), the live session count, and the write outcome —
+  // so a stall can be attributed to a blocked loop, a busy lock, or a cancel.
+  const t0 = Date.now();
+  const { sessions, sessionEvents } = require('./server-state');
+  const sessionCount = sessions ? sessions.size : -1;
+  let captureMs = 0;
+  let writeMs = 0;
   try {
     const { execFile } = require('child_process');
     const tmpFile = path.join(db.DEFAULT_IMAGES_DIR, `screenshot-${Date.now()}.png`);
     // Use async execFile so the event loop stays alive — this lets the browser
     // remain responsive and allows screencapture to work across all monitors.
+    const tCap = Date.now();
     await new Promise((resolve, reject) => {
       execFile('/usr/sbin/screencapture', ['-i', tmpFile], { timeout: 30000 }, (err) => {
         if (err) reject(err); else resolve();
       });
     });
-    if (!fs.existsSync(tmpFile)) {
+    captureMs = Date.now() - tCap;
+    try {
+      await fs.promises.access(tmpFile, fs.constants.R_OK);
+    } catch (err) {
+      if (err && err.code !== 'ENOENT') throw err;
+      console.warn(`[screenshot] cancelled — capture=${captureMs}ms sessions=${sessionCount}`);
       return jsonResponse(res, 400, { error: 'Screenshot cancelled' });
     }
-    const buffer = fs.readFileSync(tmpFile);
-    const result = await db.saveImage(0, buffer, path.basename(tmpFile), 'image/png');
+    const tWrite = Date.now();
+    const result = await db.saveImageFromFile(0, tmpFile, path.basename(tmpFile), 'image/png', { deleteSource: true });
+    writeMs = Date.now() - tWrite;
+    if (result && result._timing) delete result._timing; // internal timing — don't emit/return it (this path has its own [screenshot] log)
     // If triggered by hotkey daemon, notify browser clients to open the editor
     const url = new URL(req.url, 'http://localhost');
     if (!url.searchParams.get('token')) {
-      const { sessionEvents } = require('./server-state');
       sessionEvents.emit('screenshot-captured', result);
     }
+    console.warn(`[screenshot] ok id=${result.id} total=${Date.now() - t0}ms capture=${captureMs}ms write=${writeMs}ms sessions=${sessionCount}`);
     jsonResponse(res, 201, result);
-  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+  } catch (e) {
+    const busy = /SQLITE_BUSY|write lock|database is locked/i.test(e && e.message || '');
+    console.warn(`[screenshot] FAILED total=${Date.now() - t0}ms capture=${captureMs}ms write=${writeMs}ms sessions=${sessionCount} busy=${busy} err=${e && e.message}`);
+    jsonResponse(res, 500, { error: e.message });
+  }
 }
 
 // --- Backups ---
@@ -1940,7 +2598,19 @@ function handleListBackups(req, res) {
   const dbPath = db.getDbPath();
   let dbSize = 0;
   try { dbSize = require('fs').statSync(dbPath).size; } catch {}
-  jsonResponse(res, 200, { backups, db_path: dbPath, backup_dir: require('path').join(require('path').dirname(dbPath), 'backups'), db_size: dbSize });
+  const backupInfo = typeof db.getBackupDirInfo === 'function'
+    ? db.getBackupDirInfo()
+    : { backup_dir: db.getBackupDir() };
+  jsonResponse(res, 200, {
+    backups,
+    db_path: dbPath,
+    data_dir: dbPath ? path.dirname(dbPath) : '',
+    backup_dir: backupInfo.backup_dir || db.getBackupDir(),
+    default_backup_dir: backupInfo.default_backup_dir || '',
+    configured_backup_dir: backupInfo.configured_backup_dir || '',
+    backup_dir_source: backupInfo.source || 'default',
+    db_size: dbSize,
+  });
 }
 
 async function handleCreateBackup(req, res) {
@@ -1972,80 +2642,192 @@ function handleDeleteBackup(req, res, url) {
   jsonResponse(res, 200, { ok: true });
 }
 
-// ============================================================
-// Tool Permissions (reads/writes .claude/settings.local.json)
-// ============================================================
-// Claude Code reads pre-authorized permissions from:
-//   Global: ~/.claude/settings.local.json -> permissions.allow[]
-//   Per-project: <project>/.claude/settings.local.json -> permissions.allow[]
-// Legacy: ~/.claude.json -> projects[path].allowedTools[] (session approval history, read-only)
+function _ctmStorageInfo() {
+  const dbPath = db.getDbPath();
+  const backupInfo = typeof db.getBackupDirInfo === 'function'
+    ? db.getBackupDirInfo()
+    : { backup_dir: db.getBackupDir() };
+  let dbSize = 0;
+  try { dbSize = require('fs').statSync(dbPath).size; } catch {}
+  return {
+    service: 'ctm',
+    label: 'CTM',
+    db_path: dbPath,
+    data_dir: dbPath ? path.dirname(dbPath) : '',
+    db_size: dbSize,
+    backup_dir: backupInfo.backup_dir || db.getBackupDir(),
+    default_backup_dir: backupInfo.default_backup_dir || '',
+    configured_backup_dir: backupInfo.configured_backup_dir || '',
+    backup_dir_source: backupInfo.source || 'default',
+  };
+}
 
-const CLAUDE_JSON_PATH = permissionSync.getClaudeJsonPath();
-const { collectJsonRules, readJsonFile } = permissionSync;
+async function _requestWalleData(pathname, opts = {}, timeoutMs = 5000) {
+  const controller = typeof AbortController !== 'undefined' ? new AbortController() : null;
+  let timer = null;
+  if (controller) timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const upstream = await walleClient.requestJson(pathname, { ...opts, signal: controller ? controller.signal : null });
+    if (upstream.status < 200 || upstream.status >= 300 || upstream.json?.error) {
+      const err = new Error(upstream.json?.error || upstream.body || `Wall-E returned ${upstream.status}`);
+      err.status = upstream.status;
+      throw err;
+    }
+    return upstream.json?.data || upstream.json || {};
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
 
-function importPermissionsToDb(options) {
-  return permissionSync.importPermissionsToDb(db, options);
+async function _storageLocations() {
+  const ctm = _ctmStorageInfo();
+  let walle = null;
+  let walleError = '';
+  try {
+    walle = await _requestWalleData('/api/wall-e/storage', {}, 5000);
+    walle.service = 'walle';
+    walle.label = 'Wall-E';
+  } catch (e) {
+    walleError = e.message || String(e);
+  }
+  return { ctm, walle, walle_error: walleError };
 }
 
-function syncDbToJsonFiles(options) {
-  return permissionSync.syncDbToJsonFiles(db, options);
+async function handleGetStorageLocations(req, res) {
+  try {
+    const locations = await _storageLocations();
+    jsonResponse(res, 200, { ok: true, ...locations, migration: storageMigration.readActiveMigration() });
+  } catch (e) {
+    jsonResponse(res, 500, { error: e.message });
+  }
 }
 
-function handleGetProjects(req, res) {
-  const claudeJson = readJsonFile(CLAUDE_JSON_PATH);
-  const projects = claudeJson.projects || {};
-  const dbRules = db.listPermRules({ listType: 'allow' });
-  const result = Object.entries(projects).map(([projectPath]) => {
-    const allowedTools = dbRules.filter(r => r.project === projectPath).map(r => r.rule);
-    return { path: projectPath, allowedTools };
+async function handlePutBackupDirs(req, res) {
+  try {
+    const data = await readBody(req, 64 * 1024);
+    const result = await _applyBackupDirChanges(data);
+    jsonResponse(res, result.ok ? 200 : 207, result);
+  } catch (e) {
+    jsonResponse(res, 400, { error: e.message });
+  }
+}
+
+async function _applyBackupDirChanges(data = {}) {
+  const moveExisting = data.move_existing !== false && data.moveExisting !== false;
+  const result = { ok: true, ctm: null, walle: null, errors: [] };
+  if (Object.prototype.hasOwnProperty.call(data, 'ctm_backup_dir')) {
+    result.ctm = db.setBackupDir(data.ctm_backup_dir || '', { persist: true, moveExisting });
+  }
+  if (Object.prototype.hasOwnProperty.call(data, 'walle_backup_dir')) {
+    try {
+      result.walle = await _requestWalleData('/api/wall-e/storage/backup-dir', {
+        method: 'PUT',
+        body: { backup_dir: data.walle_backup_dir || '', move_existing: moveExisting },
+      }, 10000);
+    } catch (e) {
+      result.ok = false;
+      result.errors.push({ service: 'walle', error: e.message || String(e) });
+    }
+  }
+  return result;
+}
+
+async function _buildPlanFromRequest(data) {
+  const locations = await _storageLocations();
+  return storageMigration.buildStorageMigrationPlan(data || {}, {
+    dbModule: db,
+    ctmCurrent: locations.ctm,
+    walleCurrent: locations.walle || {
+      data_dir: '',
+      db_path: '',
+      backup_dir: '',
+    },
   });
-  jsonResponse(res, 200, result);
 }
 
-function handleGetToolPermRules(req, res) {
-  // Merge any new rules Claude Code may have added to JSON files
-  for (const r of collectJsonRules()) {
-    db.addPermRule(r); // INSERT OR IGNORE
+async function handlePreviewStorageMigration(req, res) {
+  try {
+    const data = await readBody(req, 128 * 1024);
+    const plan = await _buildPlanFromRequest(data);
+    jsonResponse(res, 200, { ok: true, plan });
+  } catch (e) {
+    jsonResponse(res, 400, { error: e.message });
   }
-  // Read from SQLite (source of truth)
-  const allRules = db.listPermRules();
+}
 
+async function handleApplyStorageMigration(req, res) {
+  try {
+    const data = await readBody(req, 128 * 1024);
+    if (data.confirm !== true) return jsonResponse(res, 400, { error: 'confirmation_required' });
+    const plan = await _buildPlanFromRequest(data);
+    if (!plan.requires_restart) {
+      const services = data.services || {};
+      const backupInput = {
+        move_existing: services.ctm?.move_backups !== false && services.walle?.move_backups !== false,
+      };
+      if (services.ctm && (Object.prototype.hasOwnProperty.call(services.ctm, 'backup_dir') || Object.prototype.hasOwnProperty.call(services.ctm, 'backupDir'))) {
+        backupInput.ctm_backup_dir = services.ctm.backup_dir || services.ctm.backupDir || '';
+      }
+      if (services.walle && (Object.prototype.hasOwnProperty.call(services.walle, 'backup_dir') || Object.prototype.hasOwnProperty.call(services.walle, 'backupDir'))) {
+        backupInput.walle_backup_dir = services.walle.backup_dir || services.walle.backupDir || '';
+      }
+      const backup = await _applyBackupDirChanges(backupInput);
+      return jsonResponse(res, backup.ok ? 200 : 207, { ok: backup.ok, plan, backup });
+    }
+    const started = storageMigration.spawnStorageMigrationSupervisor(plan);
+    jsonResponse(res, 202, { ok: true, plan, migration: started });
+  } catch (e) {
+    jsonResponse(res, 400, { error: e.message });
+  }
+}
+
+// ============================================================
+// Tool Permissions — CTM's standalone, global permission config.
+// ============================================================
+// CTM permissions live ONLY in the CTM DB (perm_rules table) and are global
+// (apply to all projects/sessions). They are intentionally decoupled from
+// Claude Code / Codex settings files — CTM no longer reads or writes
+// ~/.claude/settings*.json, project .claude/settings.json, or ~/.claude.json.
+// The shadow approver (approval-agent.js + lib/permission-match.js) enforces them.
+
+function handleGetProjects(req, res) {
+  // CTM permissions are global — no per-project scoping, no Claude config read.
+  jsonResponse(res, 200, []);
+}
+
+async function handleGetToolPermRules(req, res) {
+  // CTM permissions are a standalone GLOBAL config stored only in the CTM DB —
+  // no reading from Claude/Codex settings files. Every rule is global.
+  const allRules = db.listPermRules();
   const rules = [];
   const denyRules = [];
-  const projectSet = new Set();
-
   for (const r of allRules) {
-    const entry = { scope: r.scope, project: r.project, rule: r.rule };
-    if (r.list_type === 'allow') rules.push(entry);
-    else denyRules.push(entry);
-    if (r.project !== '__global__') projectSet.add(r.project);
-  }
-
-  // Also include projects from ~/.claude.json that might not have rules
-  const claudeJson = readJsonFile(CLAUDE_JSON_PATH);
-  for (const p of Object.keys(claudeJson.projects || {})) {
-    projectSet.add(p);
+    const entry = { scope: 'global', project: '__global__', rule: r.rule };
+    if (r.list_type === 'deny') denyRules.push(entry);
+    else rules.push(entry);
   }
-
-  jsonResponse(res, 200, { rules, denyRules, projects: Array.from(projectSet) });
+  jsonResponse(res, 200, { rules, denyRules, projects: [] });
 }
 
 async function handleSetToolPermRules(req, res) {
   try {
     const body = await readBody(req);
-    const { action, rule, project, listType } = body;
+    const { action, rule, listType } = body;
     const lt = listType === 'deny' ? 'deny' : 'allow';
-    const proj = project || '__global__';
-    const scope = proj === '__global__' ? 'global' : 'project';
 
     if (action === 'add') {
-      db.addPermRule({ rule, listType: lt, scope, project: proj });
+      // Permission policy: rules apply globally to ALL projects. Every add is
+      // stored as a global rule (~/.claude/settings.json) regardless of the UI
+      // scope, so a permission granted once is honored everywhere.
+      db.addPermRule({ rule, listType: lt, scope: 'global', project: '__global__' });
     } else if (action === 'remove') {
-      db.removePermRule({ rule, listType: lt, project: proj });
+      // Rules are global; remove the global row (legacy per-project rows are
+      // collapsed to global by the db migration).
+      db.removePermRule({ rule, listType: lt, project: '__global__' });
     }
 
-    // Sync DB → JSON files
-    syncDbToJsonFiles();
+    // CTM permissions are a standalone config in the CTM DB — intentionally NOT
+    // synced to Claude/Codex settings files. The shadow approver enforces them.
 
     jsonResponse(res, 200, { ok: true });
   } catch (e) {
@@ -2582,20 +3364,21 @@ function handleListQueues(req, res) {
 async function handleCreateQueue(req, res) {
   try {
     const body = await readBody(req);
-    const { sessionId, mode, items, idleTimeoutMs, autoStart } = body;
+    const { sessionId, mode, items, idleTimeoutMs, autoStart, append, strategy } = body;
     if (!sessionId || !Array.isArray(items) || items.length === 0) {
       return jsonResponse(res, 400, { error: 'sessionId and non-empty items[] required' });
     }
-    let state = queueEngine.createQueue(sessionId, { mode, items, idleTimeoutMs });
-    if (autoStart) {
-      state = queueEngine.start(sessionId) || state;
-    }
+    const appendMode = append === true || strategy === 'append';
+    let state = appendMode
+      ? queueEngine.appendItems(sessionId, { mode, items, idleTimeoutMs, autoStart })
+      : queueEngine.createQueue(sessionId, { mode, items, idleTimeoutMs });
+    if (!appendMode && autoStart) state = queueEngine.start(sessionId) || state;
     jsonResponse(res, 201, state);
   } catch (e) { jsonResponse(res, 400, { error: e.message }); }
 }
 
 function handleGetQueue(req, res, sessionId) {
-  const state = queueEngine.getState(sessionId);
+  const state = queueEngine.getState(sessionId) || queueEngine.getPersistedState(sessionId);
   if (!state) {
     res.writeHead(204);
     res.end();
@@ -2615,8 +3398,23 @@ async function handleQueueAction(req, res, sessionId, action) {
     case 'start': state = queueEngine.start(sessionId); break;
     case 'pause': state = queueEngine.pause(sessionId); break;
     case 'resume': state = queueEngine.resume(sessionId); break;
-    case 'next': state = queueEngine.sendNext(sessionId); break;
+    case 'next': state = queueEngine.wake(sessionId, 'manual-next'); break;
     case 'skip': state = queueEngine.skip(sessionId); break;
+    case 'remove': {
+      try {
+        const body = await readBody(req);
+        state = queueEngine.removeItem(sessionId, String(body.itemId || body.id || ''));
+      } catch (e) { return jsonResponse(res, 400, { error: e.message }); }
+      break;
+    }
+    case 'reorder': {
+      try {
+        const body = await readBody(req);
+        const ids = Array.isArray(body.order) ? body.order : (Array.isArray(body.ids) ? body.ids : []);
+        state = queueEngine.reorderItems(sessionId, ids.map(String));
+      } catch (e) { return jsonResponse(res, 400, { error: e.message }); }
+      break;
+    }
     case 'stop': state = queueEngine.stop(sessionId); break;
     case 'mode': {
       try {
@@ -2626,7 +3424,13 @@ async function handleQueueAction(req, res, sessionId, action) {
       break;
     }
   }
-  if (!state) return jsonResponse(res, 404, { error: 'No queue for this session' });
+  if (!state) {
+    const persisted = queueEngine.getPersistedState(sessionId);
+    if (action === 'next' && persisted && persisted.status === 'done') {
+      return jsonResponse(res, 200, persisted);
+    }
+    return jsonResponse(res, 404, { error: 'No queue for this session' });
+  }
   jsonResponse(res, 200, state);
 }
 
@@ -2664,6 +3468,35 @@ function handleDeleteQueueLinkedItems(req, res, promptId) {
 
 // --- Queue Draft (per-session builder state persisted to DB) ---
 
+function queueDraftStatusTimestamp(value) {
+  const n = Number(value);
+  return Number.isFinite(n) && n > 0 ? n : 0;
+}
+
+function mergeQueueDraftItemsByStatusTimestamp(existingItems, incomingItems) {
+  const incoming = Array.isArray(incomingItems) ? incomingItems : [];
+  const existing = Array.isArray(existingItems) ? existingItems : [];
+  const existingById = new Map();
+  for (const item of existing) {
+    if (item && item.id) existingById.set(item.id, item);
+  }
+  return incoming.map((item) => {
+    if (!item || typeof item !== 'object') return item;
+    const previous = item.id ? existingById.get(item.id) : null;
+    if (!previous) return item;
+    const previousStatusAt = queueDraftStatusTimestamp(previous.statusUpdatedAt);
+    const incomingStatusAt = queueDraftStatusTimestamp(item.statusUpdatedAt);
+    if (previousStatusAt > incomingStatusAt && previous.status) {
+      return {
+        ...item,
+        status: previous.status,
+        statusUpdatedAt: previous.statusUpdatedAt,
+      };
+    }
+    return item;
+  });
+}
+
 function handleGetQueueDraft(req, res, sessionId) {
   const key = 'queue_draft_' + sessionId;
   const draft = db.getSetting(key, { items: [], mode: 'manual' });
@@ -2675,7 +3508,10 @@ async function handleSaveQueueDraft(req, res, sessionId) {
     const body = await readBody(req);
     const key = 'queue_draft_' + sessionId;
     const existing = db.getSetting(key, { items: [], mode: 'manual' });
-    if (body.items !== undefined) existing.items = body.items;
+    if (body.items !== undefined) {
+      existing.items = mergeQueueDraftItemsByStatusTimestamp(existing.items, body.items);
+      if (body.savedAt !== undefined) existing.savedAt = body.savedAt;
+    }
     if (body.mode !== undefined) existing.mode = body.mode;
     db.setSetting(key, existing);
     jsonResponse(res, 200, { ok: true });
@@ -2697,6 +3533,94 @@ function handleListApprovalRules(req, res) {
   });
 }
 
+// Grouping key for an escalation row: prefer the recorded signature; for legacy
+// rows (recorded before signatures were stored) derive it from the captured
+// context via the same helper the approver uses, so old + new rows group together.
+function _escalationKeyFn(row) {
+  if (row && row.command_signature) return row.command_signature;
+  try {
+    return approvalAgent.escalationCommandParts({
+      toolName: row && row.tool_name,
+      command: '',
+      fullContext: row && row.full_context,
+    }).signature;
+  } catch { return ''; }
+}
+
+// GET /api/approval-escalations — escalated commands grouped by TYPE for the
+// Permission "Needs Review" surface (collapses a huge pile into a few reviewable
+// types, secrets masked).
+function handleListEscalations(req, res) {
+  try {
+    const rows = db.getPendingEscalations() || [];
+    const groups = escalationReview.groupEscalations(rows, _escalationKeyFn);
+    jsonResponse(res, 200, { groups, total: rows.length, typeCount: groups.length });
+  } catch (e) {
+    console.error('[escalations] list error:', e.message);
+    jsonResponse(res, 500, { error: e.message });
+  }
+}
+
+// POST /api/approval-escalations/resolve — resolve a whole TYPE at once.
+// body: { action: 'whitelist'|'block'|'dismiss'|'dismiss-all', ids:[...], rule? }
+// whitelist/block create an authoritative perm_rules allow/deny (honored by the
+// approver + shown in the rule list); all matching escalated rows are cleared.
+async function handleResolveEscalations(req, res) {
+  try {
+    const body = await readBody(req);
+    const action = String(body.action || '').toLowerCase();
+    const rule = String(body.rule || '').trim();
+    if (!['whitelist', 'block', 'dismiss', 'dismiss-all', 'approve-all'].includes(action)) {
+      return jsonResponse(res, 400, { error: 'invalid_action' });
+    }
+    // Bulk approve: whitelist EVERY pending type (one allow rule per group from its
+    // suggested narrow pattern) and clear the queue. Re-group server-side so the
+    // action is atomic and can't be skewed by a stale client view.
+    if (action === 'approve-all') {
+      const rows = db.getPendingEscalations() || [];
+      const groups = escalationReview.groupEscalations(rows, _escalationKeyFn);
+      let resolved = 0;
+      let rulesCreated = 0;
+      for (const g of groups) {
+        const r = String(g.suggestedRule || '').trim();
+        if (/^[A-Za-z]+\([^)]*\)$/.test(r)) {
+          try {
+            db.addPermRule({ rule: r, listType: 'allow', scope: 'global', project: '__global__' });
+            rulesCreated += 1;
+          } catch (e) { /* rule may already exist — still clear the rows below */ }
+        }
+        for (const id of (g.ids || [])) {
+          try { db.resolveApprovalDecision(id, 'approved'); resolved += 1; } catch (e) { /* skip */ }
+        }
+      }
+      return jsonResponse(res, 200, { ok: true, action, resolved, rulesCreated, typeCount: groups.length });
+    }
+    let createdRule = null;
+    if (action === 'whitelist' || action === 'block') {
+      if (!/^[A-Za-z]+\([^)]*\)$/.test(rule)) {
+        return jsonResponse(res, 400, { error: 'rule must look like Bash(cmd:*)' });
+      }
+      db.addPermRule({ rule, listType: action === 'whitelist' ? 'allow' : 'deny', scope: 'global', project: '__global__' });
+      createdRule = rule;
+    }
+    let targetIds;
+    if (action === 'dismiss-all') {
+      targetIds = (db.getPendingEscalations() || []).map((r) => r.id);
+    } else {
+      targetIds = (Array.isArray(body.ids) ? body.ids : []).map(Number).filter(Number.isFinite);
+      if (!targetIds.length) return jsonResponse(res, 400, { error: 'ids_required' });
+    }
+    const resolveDecision = action === 'block' ? 'denied' : action === 'whitelist' ? 'approved' : 'dismissed';
+    let resolved = 0;
+    for (const id of targetIds) {
+      try { db.resolveApprovalDecision(id, resolveDecision); resolved += 1; } catch (e) { /* skip */ }
+    }
+    jsonResponse(res, 200, { ok: true, action, resolved, rule: createdRule });
+  } catch (e) {
+    jsonResponse(res, 400, { error: e.message });
+  }
+}
+
 async function handleUpsertApprovalRule(req, res) {
   try {
     const body = await readBody(req);
@@ -2750,23 +3674,84 @@ async function handleResolveApprovalDecision(req, res, id) {
   } catch (e) { jsonResponse(res, 400, { error: e.message }); }
 }
 
-// --- Dangerous-command blocklist (opt-in) ---
-// GET  /api/approval/blocklist -> { enabled: bool, patterns: [...] }
-// POST /api/approval/blocklist { enabled: bool } -> { enabled }
+// --- Dangerous-command blocklist (configurable; default ON) ---
+// GET  /api/approval/blocklist
+//   -> { enabled, patterns: [defaults], disabledIds: [int], custom: [{source,flags,reason,category,id}] }
+// POST /api/approval/blocklist { enabled?, disabledIds?, customPatterns? }
+//   -> the same shape as GET (the merged view). Any field omitted is left as-is.
+//   Custom patterns are validated server-side; an invalid one returns 400 and
+//   nothing is persisted. The hard floor is editable but never silently broken.
+//
+// Persistence: `approval_blocklist_enabled` (bool) + `approval_blocklist_config`
+//   ({ disabledIds:[int], customPatterns:[{source,flags,reason,category}] }).
+//   The agent reads both on every check (approval-agent isBlocklistEnabled /
+//   getBlocklistConfig), so edits take effect without a restart.
+function _blocklistView() {
+  const { PATTERN_META } = require('./workers/approval-blocklist');
+  const enabled = db.getSetting('approval_blocklist_enabled', true) !== false;
+  const cfg = db.getSetting('approval_blocklist_config', null) || {};
+  const disabledIds = Array.isArray(cfg.disabledIds)
+    ? cfg.disabledIds.filter((n) => Number.isInteger(n) && n >= 0 && n < PATTERN_META.length)
+    : [];
+  const custom = Array.isArray(cfg.customPatterns)
+    ? cfg.customPatterns.map((p, i) => ({
+        id: (p && p.id != null) ? p.id : `c${i}`,
+        source: String((p && p.source) || ''),
+        flags: String((p && p.flags) || ''),
+        reason: String((p && p.reason) || 'Custom blocklist pattern'),
+        category: String((p && p.category) || 'custom'),
+      }))
+    : [];
+  return { enabled, patterns: PATTERN_META, disabledIds, custom };
+}
 function handleGetBlocklist(_req, res) {
   try {
-    const { PATTERN_META } = require('./workers/approval-blocklist');
-    const enabled = !!db.getSetting('approval_blocklist_enabled', false);
-    jsonResponse(res, 200, { enabled, patterns: PATTERN_META });
+    jsonResponse(res, 200, _blocklistView());
   } catch (e) { jsonResponse(res, 500, { error: e.message }); }
 }
 async function handleSetBlocklistEnabled(req, res) {
   try {
-    const body = await readBody(req);
-    const enabled = !!body.enabled;
-    db.setSetting('approval_blocklist_enabled', enabled);
-    console.log(`[approval-blocklist] enabled=${enabled}`);
-    jsonResponse(res, 200, { enabled });
+    const { validateUserPattern, PATTERN_META } = require('./workers/approval-blocklist');
+    const body = await readBody(req) || {};
+
+    if (Object.prototype.hasOwnProperty.call(body, 'enabled')) {
+      db.setSetting('approval_blocklist_enabled', !!body.enabled);
+      console.log(`[approval-blocklist] enabled=${!!body.enabled}`);
+    }
+
+    const touchesConfig = Object.prototype.hasOwnProperty.call(body, 'disabledIds')
+      || Object.prototype.hasOwnProperty.call(body, 'customPatterns');
+    if (touchesConfig) {
+      const cfg = db.getSetting('approval_blocklist_config', null) || {};
+
+      if (Object.prototype.hasOwnProperty.call(body, 'disabledIds')) {
+        if (!Array.isArray(body.disabledIds)) return jsonResponse(res, 400, { error: 'disabledIds must be an array of pattern ids' });
+        const ids = [];
+        for (const raw of body.disabledIds) {
+          const n = Number(raw);
+          if (!Number.isInteger(n) || n < 0 || n >= PATTERN_META.length) return jsonResponse(res, 400, { error: `invalid pattern id: ${raw}` });
+          if (!ids.includes(n)) ids.push(n);
+        }
+        cfg.disabledIds = ids;
+      }
+
+      if (Object.prototype.hasOwnProperty.call(body, 'customPatterns')) {
+        if (!Array.isArray(body.customPatterns)) return jsonResponse(res, 400, { error: 'customPatterns must be an array' });
+        if (body.customPatterns.length > 200) return jsonResponse(res, 400, { error: 'too many custom patterns (max 200)' });
+        const normalized = [];
+        for (let i = 0; i < body.customPatterns.length; i++) {
+          const v = validateUserPattern(body.customPatterns[i]);
+          if (!v.ok) return jsonResponse(res, 400, { error: `pattern ${i + 1}: ${v.error}` });
+          normalized.push(v.normalized); // { source, flags, reason, category }
+        }
+        cfg.customPatterns = normalized;
+      }
+
+      db.setSetting('approval_blocklist_config', cfg);
+      console.log(`[approval-blocklist] config updated: ${(cfg.disabledIds || []).length} disabled, ${(cfg.customPatterns || []).length} custom`);
+    }
+
+    jsonResponse(res, 200, _blocklistView());
   } catch (e) { jsonResponse(res, 400, { error: e.message }); }
 }
 
@@ -3049,22 +4034,53 @@ function handlePromptQuality(req, res, url) {
   jsonResponse(res, 200, harvest.assessPromptQuality(text));
 }
 
-function handleListExecutions(req, res, url) {
+// Injected by server.js: run the list query on the read-pool (off the main loop)
+// and resolve to the executions array, or null when the pool is unavailable so we
+// fall back to the main-thread query. SELECT * with a large LIMIT blocked the loop
+// ~3.9s on the request path per a CPU profile.
+let _promptExecutionsOffThread = null;
+function setPromptExecutionsOffThread(fn) { _promptExecutionsOffThread = typeof fn === 'function' ? fn : null; }
+
+async function handleListExecutions(req, res, url) {
+  const opts = {
+    limit: url.searchParams.get('limit'),
+    role: url.searchParams.get('role') || null,
+    project: url.searchParams.get('project') || null,
+    after: url.searchParams.get('after') || url.searchParams.get('since') || null,
+    order: url.searchParams.get('order') || 'desc',
+  };
   try {
-    const d = db.getDb();
-    const limit = parseInt(url.searchParams.get('limit')) || 50;
-    const role = url.searchParams.get('role') || null;
-    const project = url.searchParams.get('project') || null;
-    let sql = 'SELECT * FROM prompt_executions WHERE 1=1';
-    const params = [];
-    if (role) { sql += ' AND role = ?'; params.push(role); }
-    if (project) { sql += ' AND project_path LIKE ?'; params.push('%' + project + '%'); }
-    sql += ' ORDER BY executed_at DESC LIMIT ?';
-    params.push(limit);
-    jsonResponse(res, 200, { executions: d.prepare(sql).all(...params) });
+    if (_promptExecutionsOffThread) {
+      const executions = await _promptExecutionsOffThread(opts);
+      if (executions) return jsonResponse(res, 200, { executions });
+      // null → pool unavailable; fall through to the main-thread query.
+    }
+    jsonResponse(res, 200, { executions: queryPromptExecutions(db.getDb(), opts) });
   } catch (e) { jsonResponse(res, 200, { executions: [] }); }
 }
 
+function handlePromptExecutionStats(req, res) {
+  try {
+    const d = db.getDb();
+    const totalSessions = d.prepare('SELECT COUNT(DISTINCT session_id) AS count FROM prompt_executions').get().count;
+    const totalPairs = d.prepare(`
+      SELECT COUNT(*) AS count FROM prompt_executions u
+      JOIN prompt_executions a ON a.session_id = u.session_id AND a.message_index = u.message_index + 1
+      WHERE u.role = 'user' AND a.role = 'assistant'
+        AND length(u.message_text) >= 20 AND length(a.message_text) >= 20
+    `).get().count;
+    const multiTurnSessions = d.prepare(`
+      SELECT COUNT(*) AS count FROM (
+        SELECT session_id FROM prompt_executions WHERE role = 'user'
+        GROUP BY session_id HAVING COUNT(*) >= 2
+      )
+    `).get().count;
+    jsonResponse(res, 200, { totalSessions, totalPairs, multiTurnSessions });
+  } catch (e) {
+    jsonResponse(res, 200, { totalSessions: 0, totalPairs: 0, multiTurnSessions: 0, error: e.message });
+  }
+}
+
 function handleSessionExecutions(req, res, sessionId) {
   try {
     const result = harvest.getPromptsForSession(sessionId);
@@ -3203,30 +4219,28 @@ async function handleImprovePrompt(req, res) {
 
 function handleSkillAutocomplete(req, res, url) {
   try {
-    const query = (url.searchParams.get('q') || '').toLowerCase();
+    const query = url.searchParams.get('q') || '';
     const agent = normalizeSkillAutocompleteAgent(url.searchParams.get('agent') || url.searchParams.get('agentType'));
     const cwd = url.searchParams.get('cwd') || '';
     const includeSessionSeen = !agent || agent === 'all' || url.searchParams.get('includeSession') === '1';
     const skills = buildSkillAutocompleteItems({ cwd, agent, includeSessionSeen });
 
-    let filtered = skills;
-    if (query) {
-      filtered = skills.filter(s => fuzzySkillMatch(s.name, query));
-    }
-
-    filtered.sort((a, b) => {
-      if (b.frequency !== a.frequency) return b.frequency - a.frequency;
-      if (agent) {
-        const sourceDelta = skillAutocomplete.skillSourcePriorityForAgent(a.source, agent) - skillAutocomplete.skillSourcePriorityForAgent(b.source, agent);
-        if (sourceDelta) return sourceDelta;
-      }
-      return a.name.localeCompare(b.name);
-    });
+    const filtered = skillAutocomplete.filterAndSortSkillAutocompleteItems(skills, query, agent || 'all');
 
     jsonResponse(res, 200, filtered.slice(0, 20));
   } catch (e) { jsonResponse(res, 500, { error: e.message }); }
 }
 
+function handleSkillResolveIntent(req, res, url) {
+  try {
+    const intent = url.searchParams.get('intent') || '';
+    const agent = normalizeSkillAutocompleteAgent(url.searchParams.get('agent') || url.searchParams.get('agentType'));
+    const cwd = url.searchParams.get('cwd') || '';
+    const result = skillIntentResolver.resolveSkillIntent({ intent, agent, cwd });
+    jsonResponse(res, result.ok === false ? 400 : 200, result);
+  } catch (e) { jsonResponse(res, 500, { ok: false, error: e.message }); }
+}
+
 function normalizeSkillAutocompleteAgent(value) {
   return skillAutocomplete.normalizeSkillAgentType(value);
 }
@@ -3244,6 +4258,8 @@ function buildSkillAutocompleteItems({ cwd, agent, includeSessionSeen }) {
       description: skill.description || '',
       source: skill.source || 'skill',
       agents: Array.isArray(skill.agents) ? skill.agents : [],
+      capabilities: Array.isArray(skill.capabilities) ? skill.capabilities : [],
+      invocation: skill.invocation || '',
       execution: skill.execution || '',
       path: skill.filePath || skill.path || '',
       frequency: 0,
@@ -3281,14 +4297,6 @@ function sanitizeSkillAutocompleteName(value) {
   return /^[A-Za-z0-9_.:-]{1,80}$/.test(name) ? name : '';
 }
 
-function fuzzySkillMatch(name, query) {
-  let qi = 0;
-  for (const ch of String(name || '').toLowerCase()) {
-    if (qi < query.length && ch === query[qi]) qi++;
-  }
-  return qi === query.length;
-}
-
 function handleHarvestStats(req, res) {
   try {
     const state = harvest.getHarvestState();
@@ -3339,4 +4347,4 @@ function safeParse(json, fallback) {
   try { return JSON.parse(json); } catch { return fallback; }
 }
 
-module.exports = { handlePromptApi, queueEngine, importPermissionsToDb, runIncrementalConversationImport, importSessionFile, setUiPrefsBroadcaster, setDbMaintenanceRunner };
+module.exports = { handlePromptApi, queueEngine, runIncrementalConversationImport, runCursorConversationImport, importSessionFile, setUiPrefsBroadcaster, setPromptExecutionsOffThread, setDbMaintenanceRunner, setImageSaveRunner, _ingestPathFromInput, _ingestSourceAllowed, _conversationImportCandidates, _ingestTranscriptStoreForParsedFile };