create-walle 0.9.24 → 0.9.26

package/template/claude-task-manager/api-prompts.js

@@ -7,6 +7,8 @@ const queueEngine = require('./queue-engine');
 const harvest = require('./prompt-harvest');
 const approvalAgent = require('./approval-agent');
 const escalationReview = require('./lib/escalation-review');
+const selfAdapt = require('./lib/approval-self-adapt');
+const permissionMatch = require('./lib/permission-match');
 // permission-sync (Claude/Codex settings mirroring) intentionally removed —
 // CTM permissions are a standalone global config in the CTM DB.
 const walleClient = require('./lib/walle-client');
@@ -22,6 +24,7 @@ const {
   sourceIdFromPath: transcriptSourceIdFromPath,
 } = require('./lib/transcript-store');
 const { queryPromptExecutions } = require('./lib/prompt-executions-query');
+const { createIngestCooldown } = require('./lib/ingest-cooldown');
 const { claudeFileSessionId, _usageMetadata } = require('./lib/jsonl-conversation-parser');
 const structuredCapture = require('./lib/structured-capture');
 // AI search uses direct HTTP calls to Claude API (supports Portkey proxy)
@@ -33,6 +36,17 @@ const TRANSCRIPT_IMPORT_MAX_BYTES = Math.max(1024 * 1024, Number(process.env.CTM
 const TRANSCRIPT_IMPORT_LARGE_FILE_BYTES = Math.max(1024 * 1024, Number(process.env.CTM_TRANSCRIPT_IMPORT_LARGE_FILE_BYTES || 64 * 1024 * 1024));
 const CONVERSATION_IMPORT_RETRY_AFTER_MS = 30 * 1000;
 const BACKGROUND_TRANSCRIPT_IMPORT_DEFAULT_BYTES = 2 * 1024 * 1024;
+// Per-session re-import debounce. An actively-typed session's JSONL grows on every keystroke turn,
+// so it is "cacheBehind" (file > cached size) on practically every import tick — which made the
+// importer re-process the WHOLE conversation (a worker write-lock hold of 0.2–1s for 16k-msg
+// sessions) continuously, starving the main thread off-CPU on the shared lock and lagging the very
+// Codex typing that triggered the re-import. Coalesce: once a session has been imported, don't
+// re-import it on a small-growth ("cacheBehind") trigger again until either MIN_INTERVAL elapses or
+// a large byte delta accrues. Urgent reasons (cold file, stale parser, missing model, linked-missing,
+// shrink-after-change) are never debounced. Tunable; MIN_INTERVAL=0 disables.
+const CONVERSATION_IMPORT_MIN_INTERVAL_MS = Math.max(0, Number(process.env.CTM_CONVERSATION_IMPORT_MIN_INTERVAL_MS ?? 8000));
+const CONVERSATION_IMPORT_FORCE_BYTES = Math.max(0, Number(process.env.CTM_CONVERSATION_IMPORT_FORCE_BYTES ?? 256 * 1024));
+const _lastConversationImportAt = new Map(); // sessionId → Date.now() of last completed import
 
 function setDbMaintenanceRunner(fn) {
   dbMaintenanceRunner = typeof fn === 'function' ? fn : null;
@@ -612,44 +626,20 @@ async function handleReorderFolders(req, res) {
 }
 
 // --- AI Search ---
-function parseCustomHeaders() {
-  const headers = {};
-  const b64 = process.env.ANTHROPIC_CUSTOM_HEADERS_B64;
-  if (b64) {
-    const decoded = Buffer.from(b64, 'base64').toString();
-    for (const line of decoded.split('\n')) {
-      const idx = line.indexOf(':');
-      if (idx > 0) headers[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
-    }
-  }
-  return headers;
-}
-
+// Background AI helper for the prompts/permissions features (AI search, rule
+// interpretation, history scan, group summaries). Delegates to the provider-aware
+// background-LLM layer (Codex CLI / Claude CLI / Anthropic / DeepSeek / Ollama /
+// whatever the user starred on the AI Providers page) instead of a hardcoded
+// Anthropic fetch — which 404'd for anyone without ANTHROPIC_* env configured.
+// Keeps the Anthropic response shape ({ content: [{ text }] }) callers expect.
 async function callClaude(messages, maxTokens = 1024) {
-  const baseUrl = process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com';
-  const apiKey = process.env.ANTHROPIC_API_KEY || 'dummy';
-  const customHeaders = parseCustomHeaders();
-
-  const res = await fetch(`${baseUrl}/messages`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'x-api-key': apiKey,
-      'anthropic-version': '2023-06-01',
-      ...customHeaders,
-    },
-    body: JSON.stringify({
-      model: 'claude-sonnet-4-20250514',
-      max_tokens: maxTokens,
-      messages,
-    }),
-  });
-
-  if (!res.ok) {
-    const text = await res.text();
-    throw new Error(`Claude API ${res.status}: ${text}`);
-  }
-  return await res.json();
+  const { callBackgroundLlm } = require('./lib/background-llm');
+  const prompt = (Array.isArray(messages) ? messages : [])
+    .map((m) => (typeof m?.content === 'string' ? m.content : ''))
+    .filter(Boolean)
+    .join('\n\n');
+  const result = await callBackgroundLlm(prompt, { maxTokens });
+  return { content: [{ text: result.text || '' }] };
 }
 
 async function handleAiSearch(req, res) {
@@ -1698,6 +1688,18 @@ async function _conversationImportCandidates(allFiles, lastScanAt) {
         continue;
       }
 
+      // Debounce small-growth re-imports of a hot session (see CONVERSATION_IMPORT_MIN_INTERVAL_MS).
+      // Only when cacheBehind is the SOLE trigger — every other reason is urgent and imports now.
+      const _urgent = changedColdFile || cacheShrankAfterChange || linkedMissingCache || missingModel || staleParser;
+      if (!_urgent && cacheBehind && CONVERSATION_IMPORT_MIN_INTERVAL_MS > 0) {
+        const lastAt = _lastConversationImportAt.get(sessionId) || 0;
+        const sinceLast = Date.now() - lastAt;
+        const grewBytes = Math.max(0, effectiveSize - existingSize);
+        if (lastAt > 0 && sinceLast < CONVERSATION_IMPORT_MIN_INTERVAL_MS && grewBytes < CONVERSATION_IMPORT_FORCE_BYTES) {
+          continue; // imported very recently and only a little new data — let appends coalesce
+        }
+      }
+
       let priority = 6;
       if (cacheBehind) priority = 0;
       else if (staleParser) priority = 1;
@@ -1912,6 +1914,18 @@ async function _importCodexSessionFile(parsed, filePath, options = {}) {
   return true;
 }
 
+// Zero-yield backoff: a file whose slices keep consuming bytes without inserting any rows
+// (a runaway multi-GB rollout full of dedup/non-message lines) cools down exponentially
+// instead of claiming the write lock every tick. Productive slices reset it. Disable via
+// CTM_TRANSCRIPT_INGEST_COOLDOWN_MS=0; see lib/ingest-cooldown.js.
+const _ingestCooldownBaseMs = Number(process.env.CTM_TRANSCRIPT_INGEST_COOLDOWN_MS ?? 15000);
+const _ingestCooldown = _ingestCooldownBaseMs > 0
+  ? createIngestCooldown({
+    baseMs: _ingestCooldownBaseMs,
+    maxMs: Number(process.env.CTM_TRANSCRIPT_INGEST_COOLDOWN_MAX_MS) || undefined,
+  })
+  : null;
+
 function _ingestTranscriptStoreForParsedFile(filePath, parsed, options = {}) {
   // Claude Desktop sessions use a virtual path (`…#ctm-claude-desktop=<uuid>`) that is never a
   // real file on disk — fs.statSync / ingestJsonlFile always throw ENOENT on it. Their
@@ -1919,6 +1933,7 @@ function _ingestTranscriptStoreForParsedFile(filePath, parsed, options = {}) {
   // store, so this ingest can only ever fail for them. Skipping removes a guaranteed-failing
   // synchronous statSync that was firing ~97×/sec in a hot loop on dead desktop sessions.
   if (claudeDesktopSessions.isVirtualSessionPath(filePath)) return null;
+  if (_ingestCooldown && _ingestCooldown.shouldSkip(filePath)) return null;
   try {
     const size = Number(parsed?.fileSize || fs.statSync(filePath).size || 0);
     const agentSessionId = String(parsed?.sessionId || transcriptSourceIdFromPath(filePath) || '').trim();
@@ -1929,16 +1944,29 @@ function _ingestTranscriptStoreForParsedFile(filePath, parsed, options = {}) {
     const result = ingestJsonlFile(db.getDb(), {
       filePath,
       agentSessionId,
+      // ctmSessionId is resolved canonically inside ingestJsonlFile via agent_sessions (a resumed
+      // session owns many rollout ids). agentSessionId is only a bootstrap hint for the first
+      // import before that mapping exists; ingest heals the key on a later pass. Do NOT self-link here.
       ctmSessionId: agentSessionId,
       provider,
       mode: largeColdMode,
       initialTailBytes: maxBytes,
       maxBytes: largeColdMode ? maxBytes : Math.min(size || maxBytes, maxBytes),
     });
+    if (_ingestCooldown) {
+      const cooldown = _ingestCooldown.recordResult(filePath, result);
+      if (cooldown.cooling && cooldown.strikes === 1) {
+        console.log(
+          `[auto-import] backing off ${path.basename(filePath).slice(0, 32)} — zero-yield slice ` +
+          `(bytes=${result.bytesRead || 0}, inserted=0); backlog drains at low priority`
+        );
+      }
+    }
     if ((result.inserted || 0) > 0 || (result.bytesRead || 0) > 0) {
       console.log(
         `[auto-import] transcript-store ${path.basename(filePath).slice(0, 32)}: ` +
-        `inserted=${result.inserted || 0}, bytes=${result.bytesRead || 0}${largeColdMode ? ', mode=tail' : ''}`
+        `inserted=${result.inserted || 0}, bytes=${result.bytesRead || 0}` +
+        `${result.partial ? ', partial=1' : ''}${largeColdMode ? ', mode=tail' : ''}`
       );
     }
     return result;
@@ -2055,11 +2083,10 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
   // This is critical for active sessions (100MB+ files) to avoid blocking the event
   // loop for seconds during the synchronous JSON parse step.
   const prevFileSize = (existing && existing.file_size) || 0;
+  const isAppend = prevFileSize > 0 && parsed.fileSize > prevFileSize;
   let content;
-  let baseMessages = [];
-  let baseAssistantCount = 0;
 
-  if (prevFileSize > 0 && parsed.fileSize > prevFileSize) {
+  if (isAppend) {
     // Only read the newly appended bytes (typically a few KB-MB, not 100MB)
     const fh = await fsp.open(filePath, 'r');
     try {
@@ -2070,17 +2097,6 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
     } finally {
       await fh.close();
     }
-    // Carry forward existing parsed messages. Phase 6: load the base from the faithful
-    // per-message rows when known-complete (column read, no multi-MB JSON.parse — and it
-    // survives blob retirement in Phase 7); fall back to the blob when rows aren't ready.
-    try {
-      if (typeof db.sessionContentRowsAvailable === 'function' && db.sessionContentRowsAvailable(parsed.sessionId)) {
-        baseMessages = db.getSessionMessagesArray(parsed.sessionId, { fallbackToBlob: false });
-      } else {
-        baseMessages = JSON.parse(existing.messages || '[]');
-      }
-    } catch {}
-    baseAssistantCount = existing.assistant_msg_count || 0;
   } else {
     // Full read for new files or when file shrank (truncated/rotated)
     content = await fsp.readFile(filePath, 'utf8');
@@ -2096,6 +2112,48 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
     fileSessionId: claudeFileSessionId(jsonlPath),
     fileDir: path.dirname(jsonlPath),
   });
+
+  // O(Δ) APPEND FAST PATH: for a pure append (file grew, not a compaction pair) append ONLY the
+  // new messages — no full base-array load, no full re-estimate, no full sort. This is what keeps
+  // an active 6k-msg/54MB session from re-processing the whole conversation on every turn (the
+  // giant-transcript freeze). db.appendSessionConversation refuses (ok:false) when the row base
+  // isn't provably safe — prefix changed, gaps, or HWM unset — in which case we fall through to
+  // the full rebuild below. (isCompactPair was already handled above and never reaches here.)
+  if (isAppend && newMessages.length > 0) {
+    const appended = db.appendSessionConversation({
+      session_id: parsed.sessionId,
+      new_messages: newMessages,
+      model_id: parsed.modelId || (existing && existing.model_id) || '',
+      model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
+      file_size: parsed.fileSize,
+      last_user_content: parsedLastUser || '',
+      // Cheap metadata corrections (provider cwd preferred over a lossy decoded project dir, branch,
+      // title, rename, host) — same prefer-new-non-empty semantics as the full importSessionConversation.
+      project_path: parsed.cwd || parsed.project || '',
+      git_branch: parsed.gitBranch || '',
+      title: parsed.title || '',
+      hostname: parsed.hostname || '',
+      rename_name: parsedRename || parsed.renameName || '',
+      import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
+    });
+    if (appended && appended.ok) return true;
+  }
+
+  // Full rebuild: cold import, file shrank/rotated, or the append guard refused. Load the base
+  // array (faithful per-message rows preferred — a column read, no multi-MB JSON.parse, and it
+  // survives blob retirement; blob fallback when rows aren't ready) and re-derive the whole thing.
+  let baseMessages = [];
+  let baseAssistantCount = 0;
+  if (isAppend) {
+    try {
+      if (typeof db.sessionContentRowsAvailable === 'function' && db.sessionContentRowsAvailable(parsed.sessionId)) {
+        baseMessages = db.getSessionMessagesArray(parsed.sessionId, { fallbackToBlob: false });
+      } else {
+        baseMessages = JSON.parse(existing.messages || '[]');
+      }
+    } catch {}
+    baseAssistantCount = existing.assistant_msg_count || 0;
+  }
   const allMessages = baseMessages.concat(newMessages);
   const indexedMessages = prevFileSize > 0 && parsed.fileSize > prevFileSize
     ? _loadIndexedSessionMessages(parsed.sessionId)
@@ -2190,7 +2248,7 @@ async function runIncrementalConversationImport() {
     // Yield after each processed file. importSessionFile() still performs a
     // synchronous SQLite upsert/JSON.stringify at the end, so do not stack
     // several imports in the same event-loop turn.
-    for (const { filePath, projectPath, projectEntry, error } of candidates) {
+    for (const { filePath, projectPath, projectEntry, sessionId: candidateSessionId, error } of candidates) {
       try {
         if (error) throw error;
         scanned++;
@@ -2198,6 +2256,10 @@ async function runIncrementalConversationImport() {
           cooperative: true,
           transcriptMaxBytes: _backgroundTranscriptImportMaxBytes(),
         })) imported++;
+        // Stamp the debounce clock for this session (whether or not a row was written) so a hot
+        // session's rapid small appends coalesce instead of re-importing the whole conversation
+        // every tick. Best-effort — keyed by the candidate's resolved session id.
+        if (candidateSessionId) _lastConversationImportAt.set(candidateSessionId, Date.now());
         const importLimited = imported >= maxImportedPerRun;
         const processedLimited = scanned >= maxProcessedPerRun;
         if ((importLimited || processedLimited) && scanned < candidates.length) {
@@ -2437,16 +2499,78 @@ let _broadcastUiPrefs = null;
 function setUiPrefsBroadcaster(fn) { _broadcastUiPrefs = fn; }
 
 // --- Global Hotkey (macOS) ---
-const HOTKEY_BINARY = path.join(os.homedir(), '.local', 'bin', 'ctm-hotkey');
+// The hotkey runs as a real Developer-ID-signed LSUIElement .app bundle (a peer of
+// Coding Task Manager.app / Wall-E.app), NOT a bare executable. RegisterEventHotKey needs a GUI
+// app registered with the window server; a bare launchd executable — even with
+// setActivationPolicy(.accessory) — never gets that connection, so it registered but never
+// received the keypress. Wrapping it in a .app with an Info.plist (LSUIElement + bundle identity)
+// is the fix, and it reuses the exact bundle+signing pipeline the node daemons already use.
+const HOTKEY_BUNDLE_NAME = 'CTM Screenshot';            // CFBundleName (Activity Monitor display)
+const HOTKEY_BUNDLE_ID = 'com.walle.ctm.hotkey';        // CFBundleIdentifier + codesign identifier
+const HOTKEY_BUNDLE_DIR = path.join(os.homedir(), '.walle', 'bundles', 'CTM-Screenshot.app');
+const HOTKEY_BUNDLE_EXEC = path.join(HOTKEY_BUNDLE_DIR, 'Contents', 'MacOS', 'ctm-hotkey');
+const HOTKEY_LEGACY_BINARY = path.join(os.homedir(), '.local', 'bin', 'ctm-hotkey'); // pre-bundle build; removed on migrate
 const HOTKEY_PLIST_NAME = 'com.ctm.hotkey';
 const HOTKEY_PLIST = path.join(os.homedir(), 'Library', 'LaunchAgents', `${HOTKEY_PLIST_NAME}.plist`);
 const HOTKEY_SWIFT_SOURCE = path.join(__dirname, 'bin', 'ctm-hotkey.swift');
+// Bump when the BUNDLE LAYOUT or build approach changes (not just the swift) to force a rebuild.
+const HOTKEY_BUILD_TAG = 'bundle-v1';
+// Records sha256(swift source)+tag of what's installed, so a boot-time ensure rebuilds when CTM
+// ships new daemon source OR a new bundle layout. Content hash (not mtime) because npm installs and
+// git checkouts don't preserve mtimes — the "new source → rebuild" guarantee must not depend on it.
+const HOTKEY_BUILD_MARKER = path.join(os.homedir(), '.walle', 'bundles', '.ctm-hotkey.build');
+const SCREEN_AUTH_BINARY = path.join(os.homedir(), '.local', 'bin', 'ctm-screen-auth');
+const SCREEN_AUTH_SWIFT_SOURCE = path.join(__dirname, 'bin', 'ctm-screen-auth.swift');
+const SCREEN_AUTH_SIGN_IDENTIFIER = 'com.walle.ctm';
+// Full-screen, non-interactive capture (-x = no camera sound). The hotkey/button should produce a
+// screenshot immediately; the old '-i' popped a region-select crosshair that, when not drag-completed,
+// exited with no file and logged as "cancelled" — the #1 "the screenshot does nothing" report.
+const SCREEN_CAPTURE_NODE_SCRIPT = "require('child_process').execFileSync('/usr/sbin/screencapture',['-x',process.argv[1]],{stdio:'inherit'})";
+const SCREEN_AUTH_NODE_SCRIPT = "const cp=require('child_process');const r=cp.spawnSync(process.argv[1],{encoding:'utf8'});if(r.stdout)process.stdout.write(r.stdout);if(r.stderr)process.stderr.write(r.stderr);process.exit(r.status==null?1:r.status);";
+// Like SCREEN_AUTH_NODE_SCRIPT but runs the helper in --preflight mode (report grant, NEVER prompt)
+// so we can probe several node identities and pick one already granted without popping dialogs.
+const SCREEN_AUTH_PREFLIGHT_SCRIPT = "const cp=require('child_process');const r=cp.spawnSync(process.argv[1],['--preflight'],{encoding:'utf8'});process.stdout.write((r.stdout||'').trim());process.exit(r.status==null?1:r.status);";
+
+// macOS code-signing identity helpers (extracted so bin/ensure-stable-node.js can reuse them
+// without pulling in this whole server module). SIGN_KEYCHAIN is re-exposed under the old name
+// for the screen-auth gate below.
+const {
+  SIGN_KEYCHAIN: HOTKEY_SIGN_KEYCHAIN,
+  developerIdIdentityHash,
+  signCtmBinaryPreferDeveloperId,
+  signLocalCtmBinary,
+  devIdSignBundle,
+  localCodeSignIdentifier,
+  localCodeSignTeamId,
+} = require('./lib/codesign-identity');
+
+// Sign the hotkey .app so it works for EVERY user, regardless of whether they have a Developer ID:
+//   1. Developer ID present → Dev-ID-sign the whole bundle (--deep): stable, branded Team Identifier,
+//      exactly like Coding Task Manager.app / Wall-E.app.
+//   2. Else, the stable self-signed local cert (most `npx create-walle` installs already have one).
+//   3. Else, AD-HOC sign (`codesign --sign -`): a bare unsigned binary will not even execute on
+//      Apple Silicon, so this guarantees the bundle runs. The hotkey needs NO TCC permission, so an
+//      ad-hoc signature is fully sufficient for it to register and fire.
+function signHotkeyBundle() {
+  const dev = devIdSignBundle(HOTKEY_BUNDLE_DIR, HOTKEY_BUNDLE_ID);
+  if (dev.signed) return dev;
+  if (signLocalCtmBinary(HOTKEY_BUNDLE_DIR, HOTKEY_BUNDLE_ID)) return { signed: true, identity: 'self-signed' };
+  try {
+    require('child_process').execFileSync(
+      'codesign', ['--force', '--deep', '--sign', '-', HOTKEY_BUNDLE_DIR],
+      { stdio: 'ignore', timeout: 120000 },
+    );
+    return { signed: true, identity: 'ad-hoc' };
+  } catch {
+    return { signed: false, identity: null };
+  }
+}
 
 function handleHotkeyStatus(req, res) {
   if (process.platform !== 'darwin') {
     return jsonResponse(res, 200, { supported: false, reason: 'macOS only' });
   }
-  const binaryExists = fs.existsSync(HOTKEY_BINARY);
+  const binaryExists = fs.existsSync(HOTKEY_BUNDLE_EXEC);
   const plistExists = fs.existsSync(HOTKEY_PLIST);
   let running = false;
   try {
@@ -2454,15 +2578,16 @@ function handleHotkeyStatus(req, res) {
     const out = execSync('launchctl list 2>/dev/null', { encoding: 'utf8' });
     running = out.includes(HOTKEY_PLIST_NAME);
   } catch {}
-  // Check if event tap actually works (accessibility permission granted)
-  let permissionGranted = false;
+  // Confirm the daemon actually registered the system-wide hotkey (no permission involved —
+  // RegisterEventHotKey needs none; this just verifies it bound the combo successfully).
+  let registered = false;
   if (running) {
     try {
       const { execSync } = require('child_process');
       const log = path.join(os.homedir(), '.local', 'log', 'ctm-hotkey.log');
       if (fs.existsSync(log)) {
         const tail = execSync(`tail -5 "${log}"`, { encoding: 'utf8' });
-        permissionGranted = tail.includes('Global hotkey registered');
+        registered = tail.includes('Global hotkey registered');
       }
     } catch {}
   }
@@ -2470,31 +2595,66 @@ function handleHotkeyStatus(req, res) {
     supported: true,
     installed: binaryExists && plistExists,
     running,
-    permissionGranted,
-    binaryPath: HOTKEY_BINARY,
+    registered,
+    // Back-compat alias: the hotkey no longer needs a TCC permission, so "registered" is the
+    // meaningful signal. Kept so any older client reading `permissionGranted` still works.
+    permissionGranted: registered,
+    binaryPath: HOTKEY_BUNDLE_EXEC,
+    bundlePath: HOTKEY_BUNDLE_DIR,
     sourceExists: fs.existsSync(HOTKEY_SWIFT_SOURCE),
   });
 }
 
-async function handleHotkeyInstall(req, res) {
-  if (process.platform !== 'darwin') {
-    return jsonResponse(res, 400, { error: 'macOS only' });
-  }
-  try {
-    const { execSync } = require('child_process');
+function _hotkeyCtmPort() {
+  return process.env.DEV_CTM_PORT || process.env.CTM_PORT || '3456';
+}
 
-    // 1. Compile Swift binary
-    fs.mkdirSync(path.dirname(HOTKEY_BINARY), { recursive: true });
-    execSync(`swiftc -O -o "${HOTKEY_BINARY}" "${HOTKEY_SWIFT_SOURCE}" -framework Cocoa`, {
-      timeout: 60000, encoding: 'utf8',
-    });
-    fs.chmodSync(HOTKEY_BINARY, 0o755);
+// Identifies WHAT is installed: the swift source content + the bundle-layout tag. A change in
+// either (new source, or a new bundle build approach) flips this and triggers a rebuild.
+function _hotkeyBuildSignature() {
+  const src = require('crypto').createHash('sha256').update(fs.readFileSync(HOTKEY_SWIFT_SOURCE)).digest('hex');
+  return `${src}:${HOTKEY_BUILD_TAG}`;
+}
+
+// The bundle's Info.plist — what turns the bare swift binary into a real GUI app the window server
+// recognizes. LSUIElement=true makes it a menu-bar accessory (no Dock icon); the bundle identity +
+// NSPrincipalClass are what let RegisterEventHotKey actually receive the global hotkey. Same shape
+// as the node-daemon bundles' Info.plist (create-walle.js writeInfoPlist).
+function _writeHotkeyInfoPlist() {
+  const infoPlist = path.join(HOTKEY_BUNDLE_DIR, 'Contents', 'Info.plist');
+  fs.mkdirSync(path.dirname(infoPlist), { recursive: true });
+  fs.writeFileSync(infoPlist, `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleName</key>
+  <string>${HOTKEY_BUNDLE_NAME}</string>
+  <key>CFBundleDisplayName</key>
+  <string>${HOTKEY_BUNDLE_NAME}</string>
+  <key>CFBundleIdentifier</key>
+  <string>${HOTKEY_BUNDLE_ID}</string>
+  <key>CFBundleExecutable</key>
+  <string>${path.basename(HOTKEY_BUNDLE_EXEC)}</string>
+  <key>CFBundleVersion</key>
+  <string>1.0</string>
+  <key>CFBundleShortVersionString</key>
+  <string>1.0</string>
+  <key>CFBundlePackageType</key>
+  <string>APPL</string>
+  <key>LSUIElement</key>
+  <true/>
+  <key>LSMinimumSystemVersion</key>
+  <string>11.0</string>
+  <key>NSPrincipalClass</key>
+  <string>NSApplication</string>
+</dict>
+</plist>`);
+}
 
-    // 2. Write launchd plist
-    const ctmPort = process.env.DEV_CTM_PORT || process.env.CTM_PORT || '3456';
-    const logDir = path.join(os.homedir(), '.local', 'log');
-    fs.mkdirSync(logDir, { recursive: true });
-    const plistContent = `<?xml version="1.0" encoding="UTF-8"?>
+function _writeHotkeyPlist(ctmPort) {
+  const logDir = path.join(os.homedir(), '.local', 'log');
+  fs.mkdirSync(logDir, { recursive: true });
+  const plistContent = `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
@@ -2502,7 +2662,7 @@ async function handleHotkeyInstall(req, res) {
   <string>${HOTKEY_PLIST_NAME}</string>
   <key>ProgramArguments</key>
   <array>
-    <string>${HOTKEY_BINARY}</string>
+    <string>${HOTKEY_BUNDLE_EXEC}</string>
   </array>
   <key>EnvironmentVariables</key>
   <dict>
@@ -2512,21 +2672,120 @@ async function handleHotkeyInstall(req, res) {
   <key>RunAtLoad</key>
   <true/>
   <key>KeepAlive</key>
-  <true/>
+  <dict>
+    <key>SuccessfulExit</key>
+    <false/>
+  </dict>
   <key>StandardOutPath</key>
   <string>${logDir}/ctm-hotkey.log</string>
   <key>StandardErrorPath</key>
   <string>${logDir}/ctm-hotkey.log</string>
 </dict>
 </plist>`;
-    fs.mkdirSync(path.dirname(HOTKEY_PLIST), { recursive: true });
-    fs.writeFileSync(HOTKEY_PLIST, plistContent);
-
-    // 3. Load the agent
-    try { execSync(`launchctl unload "${HOTKEY_PLIST}" 2>/dev/null`); } catch {}
+  fs.mkdirSync(path.dirname(HOTKEY_PLIST), { recursive: true });
+  fs.writeFileSync(HOTKEY_PLIST, plistContent);
+}
+
+// Load (or reload) the launchd agent. Modern domain-target API: legacy `load`/`unload` fail with
+// "5: Input/output error" when the label carries a stale *disabled* override (left by a prior
+// bootout/disable or repeated early exits). `enable` clears it; without it the daemon can never
+// be reinstalled. Fall back to legacy `load` only if bootstrap is absent.
+function _loadHotkeyLaunchAgent() {
+  const { execSync } = require('child_process');
+  const uid = process.getuid();
+  const svc = `gui/${uid}/${HOTKEY_PLIST_NAME}`;
+  try { execSync(`launchctl bootout ${svc} 2>/dev/null`); } catch {}
+  try { execSync(`launchctl enable ${svc} 2>/dev/null`); } catch {}
+  try {
+    execSync(`launchctl bootstrap gui/${uid} "${HOTKEY_PLIST}"`);
+  } catch {
     execSync(`launchctl load "${HOTKEY_PLIST}"`);
+  }
+  try { execSync(`launchctl kickstart -k ${svc} 2>/dev/null`); } catch {}
+}
+
+// Build the hotkey .app bundle, sign it, write its LaunchAgent plist, and (re)load it. Compiles the
+// Carbon swift (RegisterEventHotKey / InstallEventHandler; Cocoa for NSApplication) straight INTO
+// the bundle's Contents/MacOS, then writes Info.plist + signs the whole bundle. Records the build
+// signature so the boot-time ensure knows what's installed. Synchronous; throws if swiftc fails.
+function buildAndLoadHotkeyDaemon() {
+  const { execFileSync } = require('child_process');
+  fs.mkdirSync(path.dirname(HOTKEY_BUNDLE_EXEC), { recursive: true });
+  execFileSync('swiftc', ['-O', '-o', HOTKEY_BUNDLE_EXEC, HOTKEY_SWIFT_SOURCE, '-framework', 'Cocoa', '-framework', 'Carbon'], {
+    timeout: 120000, stdio: 'ignore',
+  });
+  fs.chmodSync(HOTKEY_BUNDLE_EXEC, 0o755);
+  _writeHotkeyInfoPlist();
+  const sign = signHotkeyBundle(); // Dev-ID-sign the whole bundle (--deep), else self-sign the exec
+  _writeHotkeyPlist(_hotkeyCtmPort());
+  _loadHotkeyLaunchAgent();
+  try { fs.writeFileSync(HOTKEY_BUILD_MARKER, _hotkeyBuildSignature()); } catch {}
+  // Migrate off the pre-bundle bare binary + its stale marker so two daemons can't compete.
+  try { fs.unlinkSync(HOTKEY_LEGACY_BINARY); } catch {}
+  try { fs.unlinkSync(path.join(os.homedir(), '.local', 'bin', '.ctm-hotkey.build')); } catch {}
+  return { signed: sign.signed, identity: sign.identity, bundle: HOTKEY_BUNDLE_DIR };
+}
+
+function isHotkeyDaemonLoaded() {
+  try {
+    require('child_process').execSync(
+      `launchctl print gui/${process.getuid()}/${HOTKEY_PLIST_NAME}`,
+      { stdio: 'ignore' },
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Pure decision: given the installed daemon's state, what should the boot-time ensure do?
+//   'rebuild' — binary missing, or the source hash no longer matches what was built (new source
+//               shipped, e.g. the CGEventTap→Carbon migration)
+//   'reload'  — binary is current but the launchd job isn't loaded (e.g. it was booted out)
+//   'noop'    — current and loaded; nothing to do (the cheap happy path on every boot)
+function hotkeyEnsureAction({ binaryExists, builtHash, srcHash, loaded }) {
+  if (!binaryExists || builtHash !== srcHash) return 'rebuild';
+  if (!loaded) return 'reload';
+  return 'noop';
+}
+
+// Boot-time self-heal. End users never run the installer by hand — and a CTM restart alone never
+// rebuilds the Swift LaunchAgent — so when CTM ships new daemon source the installed binary would
+// stay stale forever (exactly the CGEventTap→Carbon migration failure). This rebuilds the daemon
+// when the source hash no longer matches what's installed (or the binary is missing), otherwise
+// just ensures it's loaded. Idempotent and cheap on the happy path (no recompile). Never throws —
+// a daemon hiccup must not block CTM boot.
+function ensureHotkeyDaemon() {
+  if (process.platform !== 'darwin') return { ok: false, reason: 'unsupported' };
+  if (!fs.existsSync(HOTKEY_SWIFT_SOURCE)) return { ok: false, reason: 'missing_source' };
+  try {
+    const srcHash = _hotkeyBuildSignature();
+    let builtHash = null;
+    try { builtHash = fs.readFileSync(HOTKEY_BUILD_MARKER, 'utf8').trim(); } catch {}
+    const binaryExists = fs.existsSync(HOTKEY_BUNDLE_EXEC);
+    const action = hotkeyEnsureAction({ binaryExists, builtHash, srcHash, loaded: isHotkeyDaemonLoaded() });
+    if (action === 'rebuild') {
+      const r = buildAndLoadHotkeyDaemon();
+      return { ok: true, action: binaryExists ? 'rebuilt' : 'installed', signed: r.signed, identity: r.identity };
+    }
+    if (action === 'reload') {
+      _writeHotkeyPlist(_hotkeyCtmPort());
+      _loadHotkeyLaunchAgent();
+      return { ok: true, action: 'reloaded' };
+    }
+    return { ok: true, action: 'noop' };
+  } catch (e) {
+    return { ok: false, reason: 'ensure_failed', error: e && e.message ? e.message : String(e) };
+  }
+}
 
-    jsonResponse(res, 200, { ok: true, binaryPath: HOTKEY_BINARY });
+async function handleHotkeyInstall(req, res) {
+  if (process.platform !== 'darwin') {
+    return jsonResponse(res, 400, { error: 'macOS only' });
+  }
+  try {
+    const r = buildAndLoadHotkeyDaemon();
+    jsonResponse(res, 200, { ok: true, binaryPath: HOTKEY_BUNDLE_EXEC, bundlePath: HOTKEY_BUNDLE_DIR, signed: r.signed, identity: r.identity });
   } catch (e) {
     jsonResponse(res, 500, { error: e.message });
   }
@@ -2535,15 +2794,218 @@ async function handleHotkeyInstall(req, res) {
 function handleHotkeyUninstall(req, res) {
   try {
     const { execSync } = require('child_process');
-    try { execSync(`launchctl unload "${HOTKEY_PLIST}" 2>/dev/null`); } catch {}
+    // bootout (not `disable`) so the label stays enabled and a future reinstall isn't blocked
+    // by a stale disabled override.
+    try { execSync(`launchctl bootout gui/${process.getuid()}/${HOTKEY_PLIST_NAME} 2>/dev/null`); } catch {}
     try { fs.unlinkSync(HOTKEY_PLIST); } catch {}
-    try { fs.unlinkSync(HOTKEY_BINARY); } catch {}
+    try { fs.rmSync(HOTKEY_BUNDLE_DIR, { recursive: true, force: true }); } catch {}
+    try { fs.unlinkSync(HOTKEY_BUILD_MARKER); } catch {}
+    try { fs.unlinkSync(HOTKEY_LEGACY_BINARY); } catch {} // clean up any pre-bundle binary too
     jsonResponse(res, 200, { ok: true });
   } catch (e) {
     jsonResponse(res, 500, { error: e.message });
   }
 }
 
+function ensureScreenRecordingAuthBinary() {
+  if (process.platform !== 'darwin') {
+    return { ok: false, reason: 'unsupported', verdict: 'unavailable' };
+  }
+  if (!fs.existsSync(SCREEN_AUTH_SWIFT_SOURCE)) {
+    return { ok: false, reason: 'missing_source', verdict: 'unavailable', binaryPath: SCREEN_AUTH_BINARY };
+  }
+  try {
+    let needsCompile = !fs.existsSync(SCREEN_AUTH_BINARY);
+    if (!needsCompile) {
+      const srcStat = fs.statSync(SCREEN_AUTH_SWIFT_SOURCE);
+      const binStat = fs.statSync(SCREEN_AUTH_BINARY);
+      needsCompile = srcStat.mtimeMs > binStat.mtimeMs;
+    }
+    let signed = false;
+    let signatureId = '';
+    if (needsCompile) {
+      const { execFileSync } = require('child_process');
+      fs.mkdirSync(path.dirname(SCREEN_AUTH_BINARY), { recursive: true });
+      execFileSync('swiftc', ['-O', '-o', SCREEN_AUTH_BINARY, SCREEN_AUTH_SWIFT_SOURCE, '-framework', 'CoreGraphics'], {
+        timeout: 60000,
+        stdio: 'ignore',
+      });
+      fs.chmodSync(SCREEN_AUTH_BINARY, 0o755);
+    }
+    signatureId = localCodeSignIdentifier(SCREEN_AUTH_BINARY);
+    const devIdAvailable = !!developerIdIdentityHash();
+    const teamId = localCodeSignTeamId(SCREEN_AUTH_BINARY);
+    // Re-sign when the identifier is wrong/absent, OR a Developer ID is now available but the
+    // binary isn't yet Developer-ID-signed — upgrade self-signed → Developer ID so the Screen
+    // Recording prompt (CGRequestScreenCaptureAccess) is honored and the grant persists.
+    const needsSign = (fs.existsSync(HOTKEY_SIGN_KEYCHAIN) || devIdAvailable)
+      && (signatureId !== SCREEN_AUTH_SIGN_IDENTIFIER || (devIdAvailable && !teamId));
+    if (needsSign) {
+      const r = signCtmBinaryPreferDeveloperId(SCREEN_AUTH_BINARY, SCREEN_AUTH_SIGN_IDENTIFIER);
+      signed = r.signed;
+      signatureId = localCodeSignIdentifier(SCREEN_AUTH_BINARY) || (signed ? SCREEN_AUTH_SIGN_IDENTIFIER : signatureId);
+    } else {
+      signed = signatureId === SCREEN_AUTH_SIGN_IDENTIFIER;
+    }
+    return { ok: true, binaryPath: SCREEN_AUTH_BINARY, compiled: needsCompile, signed, signatureId };
+  } catch (e) {
+    return {
+      ok: false,
+      reason: 'install_failed',
+      verdict: 'unavailable',
+      error: e && e.message ? e.message : String(e),
+      binaryPath: SCREEN_AUTH_BINARY,
+    };
+  }
+}
+
+// Candidate node identities that could own the Screen Recording grant, in preference order:
+// (1) the node create-walle recorded as the granted identity, (2) CTM's own exec (the stable
+// notarized node; or the resolved real node when CTM runs from the .app bundle, which can't hold
+// the grant), (3) common node locations. Only existing files are returned.
+function screenshotNodeCandidates() {
+  const out = [];
+  const push = (p) => { if (p && !out.includes(p)) out.push(p); };
+  try { push(fs.readFileSync(path.join(os.homedir(), '.walle', 'bundles', 'node-origin'), 'utf8').trim()); } catch {}
+  try {
+    const { isBundleExec, resolveRealNode } = require('./lib/real-node');
+    push(isBundleExec(process.execPath) ? resolveRealNode() : process.execPath);
+  } catch { push(process.execPath); }
+  ['/opt/homebrew/bin/node', '/usr/local/bin/node', '/usr/bin/node'].forEach(push);
+  return out.filter((p) => { try { return fs.existsSync(p); } catch { return false; } });
+}
+
+// Probe whether `node`, run as its OWN responsible process (via ctm-disclaim), already holds the
+// Screen Recording grant — using the helper's --preflight mode so it NEVER pops a dialog.
+function probeScreenshotNodeGranted(node, disclaim) {
+  try {
+    const out = require('child_process').execFileSync(
+      disclaim, [node, '-e', SCREEN_AUTH_PREFLIGHT_SCRIPT, SCREEN_AUTH_BINARY],
+      { timeout: 8000, encoding: 'utf8' },
+    );
+    return String(out).trim().endsWith('granted');
+  } catch { return false; }
+}
+
+let _grantedScreenshotNode = null; // positive cache only: once a granted node is found, reuse it
+function pickGrantedScreenshotNode(disclaim) {
+  if (_grantedScreenshotNode) return _grantedScreenshotNode;
+  try { ensureScreenRecordingAuthBinary(); } catch {}
+  for (const node of screenshotNodeCandidates()) {
+    if (probeScreenshotNodeGranted(node, disclaim)) { _grantedScreenshotNode = node; return node; }
+  }
+  return null; // not cached → re-probe next time, so a later user grant is picked up automatically
+}
+function _resetGrantedScreenshotNode() { _grantedScreenshotNode = null; }
+
+function screenshotResponsibleContext() {
+  // macOS keys the Screen Recording grant on the RESPONSIBLE process of the `screencapture`
+  // child. A direct capture inherits that from CTM's launcher ancestry (fragile: it's the
+  // notarized node only when CTM is launchd-rooted; under /ctm-dev or a relaunch it's the
+  // terminal/parent), so we ALWAYS route through ctm-disclaim — it makes the chosen node its OWN
+  // responsible process. And we PREFER a node that is ALREADY granted (probed, no prompt) so the
+  // common case needs zero user action; only a fresh machine with nothing granted falls through
+  // to the stable identity + the one-time prompt.
+  const disclaim = path.join(os.homedir(), '.local', 'bin', 'ctm-disclaim');
+  const disclaimOk = process.platform === 'darwin' && fs.existsSync(disclaim);
+  let node = null;
+  let granted = false;
+  if (disclaimOk) {
+    try { node = pickGrantedScreenshotNode(disclaim); granted = !!node; } catch {}
+  }
+  if (!node) {
+    node = process.execPath;
+    try {
+      const { isBundleExec, resolveRealNode } = require('./lib/real-node');
+      if (isBundleExec(process.execPath)) node = resolveRealNode();
+    } catch {}
+  }
+  let nodeIsBundle = false;
+  try { nodeIsBundle = require('./lib/real-node').isBundleExec(node); } catch {}
+  const useBridge = disclaimOk && !!node && !nodeIsBundle;
+  const responsiblePath = useBridge ? node : process.execPath;
+  const responsibleName = responsiblePath ? path.basename(responsiblePath) : 'CTM';
+  return { realNode: node, disclaim, useBridge, responsiblePath, responsibleName, granted };
+}
+
+function screenshotCaptureCommand(tmpFile, context = {}) {
+  if (context.useBridge) {
+    return {
+      cmd: context.disclaim,
+      cmdArgs: [context.realNode, '-e', SCREEN_CAPTURE_NODE_SCRIPT, tmpFile],
+    };
+  }
+  return { cmd: '/usr/sbin/screencapture', cmdArgs: ['-x', tmpFile] };
+}
+
+// Spawn the Screen Recording permission helper under the same macOS responsible process
+// as the actual capture command. Direct captures preflight CTM's bundle identity. Bridged
+// captures preflight the user's real node identity via ctm-disclaim, matching the
+// screencapture child that will run next.
+function requestScreenRecordingAccess(context = {}) {
+  const helper = ensureScreenRecordingAuthBinary();
+  if (!helper.ok) return Promise.resolve({ verdict: helper.verdict || 'unavailable', helper });
+  return new Promise((resolve) => {
+    let done = false;
+    const finish = (verdict) => { if (!done) { done = true; resolve({ verdict, helper }); } };
+    try {
+      const { execFile } = require('child_process');
+      const cmd = context.useBridge ? context.disclaim : SCREEN_AUTH_BINARY;
+      const cmdArgs = context.useBridge ? [context.realNode, '-e', SCREEN_AUTH_NODE_SCRIPT, SCREEN_AUTH_BINARY] : [];
+      execFile(cmd, cmdArgs, { timeout: 15000 }, (err, stdout) => {
+        const out = String(stdout || '').trim();
+        if (out === 'granted' || out === 'requested' || out === 'denied') return finish(out);
+        if (err && err.code === 'ENOENT') return finish('unavailable');
+        finish('denied');
+      });
+    } catch { finish('unavailable'); }
+  });
+}
+
+// Heuristic: a screencapture failure that means "no Screen Recording permission" (vs. a
+// user-cancelled selection, which exits 0 with no file and is handled separately).
+function isScreenRecordingPermissionError(msg) {
+  return /could not create image|not authorized|screen recording|cannot run interactive|operation not permitted/i.test(msg || '');
+}
+
+function screenRecordingPermissionPayload(access, extra = {}) {
+  const verdict = access && access.verdict ? access.verdict : 'unavailable';
+  const helper = access && access.helper ? access.helper : null;
+  const helperError = helper && helper.error ? ` Helper install error: ${helper.error}` : '';
+  // Name the EXACT identity macOS attributes the capture to (the responsible process of the
+  // `screencapture` child), so the user grants the right thing. Historically this guidance named
+  // "Coding Task Manager" — but CTM now runs as the stable notarized node, so the bundle grant is
+  // a no-op and capture stays blocked. responsiblePath/Name come from screenshotResponsibleContext.
+  const responsiblePath = extra.responsiblePath || process.execPath;
+  const responsibleName = extra.responsibleName || (responsiblePath ? path.basename(responsiblePath) : 'CTM');
+  const hint = `Enable Screen Recording for "${responsibleName}" in System Settings → Privacy & Security → `
+    + `Screen & System Audio Recording, then restart CTM. If "${responsibleName}" is not in the list, click +, `
+    + `press ⌘⇧G, paste ${responsiblePath}, add it, and turn it on. (CTM captures under this exact binary — `
+    + `granting any other app, including "Coding Task Manager", will not work.)`;
+  return {
+    error: 'Screen Recording permission required',
+    reason: 'screen_recording_permission',
+    permission: 'screen-recording',
+    verdict,
+    prompted: verdict === 'requested',
+    helper: helper ? {
+      ok: !!helper.ok,
+      reason: helper.reason || '',
+      compiled: !!helper.compiled,
+      signed: !!helper.signed,
+      signatureId: helper.signatureId || '',
+      binaryPath: helper.binaryPath || SCREEN_AUTH_BINARY,
+    } : undefined,
+    hint,
+    details: verdict === 'requested'
+      ? `macOS showed the Screen Recording prompt for "${responsibleName}". Enable "${responsibleName}" (${responsiblePath}) in System Settings → Privacy & Security → Screen & System Audio Recording, then restart CTM. Granting any other app will not work.`
+      : `CTM could not confirm Screen Recording access for "${responsibleName}" (${responsiblePath}). Enable it in System Settings → Privacy & Security → Screen & System Audio Recording, then restart CTM.${helperError}`,
+    responsiblePath,
+    responsibleName,
+    ...extra,
+  };
+}
+
 // --- Screenshot (macOS) ---
 async function handleScreenshot(req, res) {
   // Self-describing diagnostics for the "press hotkey / take screenshot → nothing
@@ -2556,14 +3018,27 @@ async function handleScreenshot(req, res) {
   let captureMs = 0;
   let writeMs = 0;
   try {
+    const captureContext = screenshotResponsibleContext();
+    const access = await requestScreenRecordingAccess(captureContext);
+    if (process.platform === 'darwin' && access.verdict !== 'granted') {
+      console.warn(`[screenshot] PERMISSION preflight total=${Date.now() - t0}ms sessions=${sessionCount} bridge=${captureContext.useBridge ? 1 : 0} verdict=${access.verdict} helper=${access.helper && access.helper.reason ? access.helper.reason : 'ok'}`);
+      return jsonResponse(res, 403, screenRecordingPermissionPayload(access, { phase: 'preflight', bridge: !!captureContext.useBridge, responsiblePath: captureContext.responsiblePath, responsibleName: captureContext.responsibleName }));
+    }
     const { execFile } = require('child_process');
     const tmpFile = path.join(db.DEFAULT_IMAGES_DIR, `screenshot-${Date.now()}.png`);
+    // Capture command. When CTM runs from the self-signed .app bundle, `screencapture` is
+    // attributed to com.walle.ctm (which macOS won't let a background daemon obtain a Screen
+    // Recording grant for) and fails. The disclaim helper + the user's real, already-granted
+    // `node` lets the capture inherit the granted "node" identity instead — see ctm-disclaim.c
+    // and lib/real-node.js. Falls back to calling screencapture directly (e.g. when CTM runs
+    // from real node, or the helper isn't built).
+    const { cmd, cmdArgs } = screenshotCaptureCommand(tmpFile, captureContext);
     // Use async execFile so the event loop stays alive — this lets the browser
     // remain responsive and allows screencapture to work across all monitors.
     const tCap = Date.now();
     await new Promise((resolve, reject) => {
-      execFile('/usr/sbin/screencapture', ['-i', tmpFile], { timeout: 30000 }, (err) => {
-        if (err) reject(err); else resolve();
+      execFile(cmd, cmdArgs, { timeout: 30000, encoding: 'utf8' }, (err, _stdout, stderr) => {
+        if (err) { if (stderr) err._stderr = stderr; reject(err); } else resolve();
       });
     });
     captureMs = Date.now() - tCap;
@@ -2586,9 +3061,21 @@ async function handleScreenshot(req, res) {
     console.warn(`[screenshot] ok id=${result.id} total=${Date.now() - t0}ms capture=${captureMs}ms write=${writeMs}ms sessions=${sessionCount}`);
     jsonResponse(res, 201, result);
   } catch (e) {
-    const busy = /SQLITE_BUSY|write lock|database is locked/i.test(e && e.message || '');
-    console.warn(`[screenshot] FAILED total=${Date.now() - t0}ms capture=${captureMs}ms write=${writeMs}ms sessions=${sessionCount} busy=${busy} err=${e && e.message}`);
-    jsonResponse(res, 500, { error: e.message });
+    const msg = ((e && e.message) || '') + ' ' + ((e && e._stderr) || '');
+    const busy = /SQLITE_BUSY|write lock|database is locked/i.test(msg);
+    // Fallback for stale TCC state or helper/capture disagreement. Normal requests
+    // preflight Screen Recording before this point so user-initiated screenshots prompt
+    // through CoreGraphics. (The global hotkey path needs no permission of its own.)
+    if (isScreenRecordingPermissionError(msg)) {
+      // The cached granted-node may have lost its grant (revoked / node moved) — re-probe.
+      _resetGrantedScreenshotNode();
+      const captureContext = screenshotResponsibleContext();
+      const access = await requestScreenRecordingAccess(captureContext);
+      console.warn(`[screenshot] PERMISSION capture total=${Date.now() - t0}ms capture=${captureMs}ms sessions=${sessionCount} bridge=${captureContext.useBridge ? 1 : 0} verdict=${access.verdict} err=${msg}`);
+      return jsonResponse(res, 403, screenRecordingPermissionPayload(access, { phase: 'capture', bridge: !!captureContext.useBridge, responsiblePath: captureContext.responsiblePath, responsibleName: captureContext.responsibleName }));
+    }
+    console.warn(`[screenshot] FAILED total=${Date.now() - t0}ms capture=${captureMs}ms write=${writeMs}ms sessions=${sessionCount} busy=${busy} err=${msg}`);
+    jsonResponse(res, 500, { error: msg });
   }
 }
 
@@ -2803,12 +3290,39 @@ async function handleGetToolPermRules(req, res) {
   const denyRules = [];
   for (const r of allRules) {
     const entry = { scope: 'global', project: '__global__', rule: r.rule };
-    if (r.list_type === 'deny') denyRules.push(entry);
-    else rules.push(entry);
+    if (r.list_type === 'deny') {
+      entry.exceptions = permissionMatch.parseExceptions(r);
+      denyRules.push(entry);
+    } else rules.push(entry);
   }
   jsonResponse(res, 200, { rules, denyRules, projects: [] });
 }
 
+// Validate + canonicalize one deny-rule exception entry from the client.
+// type 'path': must start with / or ~, no `.`/`..` segments; glob suffixes and
+// trailing slashes collapse ("/tmp/**" → "/tmp"). type 'rule': plain rule
+// syntax. Returns { ok, exception? , error? }.
+function validateRuleException(exc) {
+  if (!exc || typeof exc !== 'object') return { ok: false, error: 'exception must be an object' };
+  const type = exc.type === 'path' ? 'path' : exc.type === 'rule' ? 'rule' : null;
+  if (!type) return { ok: false, error: 'exception type must be "path" or "rule"' };
+  let value = String(exc.value || '').trim();
+  if (!value) return { ok: false, error: 'exception value is required' };
+  if (value.length > 500) return { ok: false, error: 'exception value too long (max 500)' };
+  if (type === 'path') {
+    value = value.replace(/\/\*{1,2}$/, '');
+    while (value.length > 1 && value.endsWith('/')) value = value.slice(0, -1);
+    if (!/^[~/]/.test(value)) return { ok: false, error: 'path must start with / or ~' };
+    if (/\/\.\.?(\/|$)/.test(value)) return { ok: false, error: 'path must not contain . or .. segments' };
+    if (value === '/' || value === '~') return { ok: false, error: 'pick a directory, not the root or home itself' };
+  } else {
+    if (!/^[A-Za-z]+\([^)]*\)$/.test(value)) return { ok: false, error: 'rule must look like Bash(cmd:*)' };
+    if (!permissionMatch.parseRule(value)) return { ok: false, error: 'unparseable rule' };
+  }
+  const note = String(exc.note || '').slice(0, 200).trim();
+  return { ok: true, exception: note ? { type, value, note } : { type, value } };
+}
+
 async function handleSetToolPermRules(req, res) {
   try {
     const body = await readBody(req);
@@ -2824,6 +3338,25 @@ async function handleSetToolPermRules(req, res) {
       // Rules are global; remove the global row (legacy per-project rows are
       // collapsed to global by the db migration).
       db.removePermRule({ rule, listType: lt, project: '__global__' });
+    } else if (action === 'add-exception' || action === 'remove-exception') {
+      // Allow-exceptions attached to a DENY rule ("deny rm except under /tmp").
+      const row = db.listPermRules({ listType: 'deny' }).find((r) => r.rule === rule);
+      if (!row) return jsonResponse(res, 404, { error: `deny rule not found: ${rule}` });
+      let exceptions = permissionMatch.parseExceptions(row);
+      if (action === 'add-exception') {
+        const v = validateRuleException(body.exception);
+        if (!v.ok) return jsonResponse(res, 400, { error: v.error });
+        if (exceptions.length >= 20) return jsonResponse(res, 400, { error: 'too many exceptions on this rule (max 20)' });
+        if (!exceptions.some((e) => e.type === v.exception.type && e.value === v.exception.value)) {
+          exceptions.push(v.exception);
+        }
+      } else {
+        const value = String(body.value || '').trim();
+        exceptions = exceptions.filter((e) => e.value !== value);
+      }
+      db.setPermRuleExceptions({ rule, listType: 'deny', project: '__global__', exceptions });
+      console.log(`[perm-rules] ${action} on ${rule}: ${exceptions.length} exception(s)`);
+      return jsonResponse(res, 200, { ok: true, rule, exceptions });
     }
 
     // CTM permissions are a standalone config in the CTM DB — intentionally NOT
@@ -2860,6 +3393,7 @@ async function classifyPermissionIntent(query) {
 - "listType": "allow" or "deny" (does the user want to ALLOW or BLOCK/DENY this action?)
 - "rules": array of Claude Code permission rule strings
 - "explanation": short explanation of what the rules do
+- "exceptions" (optional, ONLY with listType "deny"): array of {"type":"path","value":"/dir"} or {"type":"rule","value":"Bash(cmd:*)"} entries that carve allowed holes out of the deny — e.g. "block rm except in /tmp" → {"listType":"deny","rules":["Bash(rm:*)"],"exceptions":[{"type":"path","value":"/tmp"}]}. Phrases like "except in <dir>", "but allow under <dir>", "other than <dir>" map to a path exception.
 
 Claude Code permission rule syntax:
 - Bash(command:*) - match any bash command starting with "command" (e.g. Bash(git:*) matches all git commands)
@@ -2879,8 +3413,17 @@ Claude Code permission rule syntax:
 Deny intent indicators: "stop", "block", "deny", "prevent", "no", "never", "don't allow", "disable", "forbid", "ban"
 Allow intent indicators: "allow", "enable", "approve", "let", "permit", "auto-approve"
 
+DEFAULT TO ALLOW. This box is normally used to ADD commands to the allow list.
+Only choose "deny" when the request contains an explicit negation/blocking word
+from the deny indicators above. A bare command or rule pattern with NO negation —
+even a dangerous-looking one like "rm", "kill", "sudo", or "git push" — is an
+ALLOW request: the user is explicitly choosing to allow it. Do NOT infer "deny"
+just because a command looks risky.
+
 For deny rules, be SPECIFIC (e.g. "no push" -> Bash(git push:*), NOT Bash(git:*)).
 For allow rules, match the scope the user requests.
+Shell operations map to Bash(...) rules — e.g. removing/deleting files is Bash(rm:*),
+not Write/Edit (those are the file-editing TOOLS, not shell commands).
 
 IMPORTANT: Output ONLY the JSON object, no markdown fencing.
 
@@ -2890,18 +3433,45 @@ User request: (see below)`;
     // Pass query as a separate message to avoid prompt injection via string interpolation
     const result = await callClaude([{ role: 'user', content: prompt + '\n\n' + query }], 256);
     const text = result.content?.[0]?.text || '';
-    const parsed = JSON.parse(text);
-    return {
-      rules: Array.isArray(parsed.rules) ? parsed.rules : [],
-      explanation: parsed.explanation || '',
-      listType: parsed.listType === 'deny' ? 'deny' : 'allow',
-    };
+    // Tolerate models that wrap the JSON in code fences or prose despite instructions.
+    const jsonText = (text.match(/\{[\s\S]*\}/) || [text])[0];
+    const parsed = JSON.parse(jsonText);
+    return _finalizePermIntent(query, parsed);
   } catch (e) {
     // Fallback: treat as raw rule if it looks like one
     return { rules: [], explanation: `Failed to interpret: ${e.message}`, listType: 'allow' };
   }
 }
 
+// True only when the request carries an explicit negation/blocking WORD (as a
+// standalone token, not a flag like `--no-verify`). Used to keep the add-rule
+// box allow-first: a deny rule should require the user to actually ask to block.
+function _denyHinted(query) {
+  return /(?<![\w-])(no|not|never|don'?t|do not|cannot|stop|block|deny|prevent|disable|forbid|ban|refuse|reject|disallow|blacklist|avoid)(?![\w-])/i
+    .test(String(query || ''));
+}
+
+// Apply the allow-first correction to the LLM's raw classification. The model
+// over-DENIES scary-looking bare commands (rm, kill) that the user is actually
+// choosing to ALLOW; unless the query carries an explicit negation word, force
+// allow (and drop the now-irrelevant deny exceptions + the "blocks…" wording).
+// Pure + exported so it can be unit-tested without the LLM in the loop.
+function _finalizePermIntent(query, parsed) {
+  const rules = Array.isArray(parsed && parsed.rules) ? parsed.rules : [];
+  let listType = (parsed && parsed.listType) === 'deny' ? 'deny' : 'allow';
+  let explanation = (parsed && parsed.explanation) || '';
+  if (listType === 'deny' && !_denyHinted(query)) {
+    listType = 'allow';
+    explanation = rules.length ? `Allow ${rules.join(', ')}.` : `Allow ${String(query || '').trim()}.`;
+  }
+  // Deny-rule exceptions: validate each entry; drop anything malformed (and all
+  // of them when we flipped to allow — exceptions only carve holes out of deny).
+  const exceptions = (listType === 'deny' && Array.isArray(parsed && parsed.exceptions))
+    ? parsed.exceptions.map((e) => validateRuleException(e)).filter((v) => v.ok).map((v) => v.exception)
+    : [];
+  return { rules, explanation, listType, exceptions };
+}
+
 function handlePermAIException(res, query, parentRule, body) {
   const rules = [];
   let explanation = '';
@@ -2910,6 +3480,34 @@ function handlePermAIException(res, query, parentRule, body) {
   const parentMatch = parentRule.match(/^Bash\(([a-zA-Z0-9_./-]+)/);
   const parentBin = parentMatch ? parentMatch[1] : null;
 
+  // Deny-side editor: suggest ALLOW exceptions for a DENY rule ("deny rm except
+  // under /tmp"). A path-looking query becomes a path exception; otherwise a
+  // rule-syntax exception scoped to the parent verb.
+  if (body.exceptionFor === 'deny') {
+    const raw = String(body.query || '').trim();
+    if (/^[~/]/.test(raw)) {
+      const v = validateRuleException({ type: 'path', value: raw });
+      if (!v.ok) return jsonResponse(res, 200, { exceptions: [], explanation: v.error });
+      return jsonResponse(res, 200, {
+        exceptions: [v.exception],
+        explanation: `Allow ${parentBin || 'this command'} when every target is under ${v.exception.value}.`,
+      });
+    }
+    if (/^[A-Za-z]+\(/.test(raw)) {
+      const v = validateRuleException({ type: 'rule', value: raw });
+      if (!v.ok) return jsonResponse(res, 200, { exceptions: [], explanation: v.error });
+      return jsonResponse(res, 200, { exceptions: [v.exception], explanation: `Allow commands matching ${v.exception.value}.` });
+    }
+    const cleaned = raw.replace(/\b(allow|except|in|under|the|dir|directory|folder)\b/gi, ' ').trim();
+    if (parentBin && cleaned) {
+      const v = validateRuleException({ type: 'rule', value: `Bash(${parentBin} ${cleaned}:*)` });
+      if (v.ok) {
+        return jsonResponse(res, 200, { exceptions: [v.exception], explanation: `Allow "${parentBin} ${cleaned}" commands.` });
+      }
+    }
+    return jsonResponse(res, 200, { exceptions: [], explanation: 'Type a directory (e.g. /tmp) or a rule like Bash(rm -i:*).' });
+  }
+
   // Check if it looks like a direct rule pattern already
   if (/^Bash\(/.test(body.query || '')) {
     rules.push(body.query.trim());
@@ -3364,13 +3962,16 @@ function handleListQueues(req, res) {
 async function handleCreateQueue(req, res) {
   try {
     const body = await readBody(req);
-    const { sessionId, mode, items, idleTimeoutMs, autoStart, append, strategy } = body;
+    const { sessionId, mode, items, idleTimeoutMs, autoStart, append, strategy, resend } = body;
     if (!sessionId || !Array.isArray(items) || items.length === 0) {
       return jsonResponse(res, 400, { error: 'sessionId and non-empty items[] required' });
     }
     const appendMode = append === true || strategy === 'append';
+    // `resend` (request- or per-item-level) is the explicit "Re-send this item"
+    // intent — the ONLY thing that re-runs an already-finished queue item. A bare
+    // re-post without it never re-dispatches a delivered item (c3f3af97 guard).
     let state = appendMode
-      ? queueEngine.appendItems(sessionId, { mode, items, idleTimeoutMs, autoStart })
+      ? queueEngine.appendItems(sessionId, { mode, items, idleTimeoutMs, autoStart, resend })
       : queueEngine.createQueue(sessionId, { mode, items, idleTimeoutMs });
     if (!appendMode && autoStart) state = queueEngine.start(sessionId) || state;
     jsonResponse(res, 201, state);
@@ -3534,17 +4135,20 @@ function handleListApprovalRules(req, res) {
 }
 
 // Grouping key for an escalation row: prefer the recorded signature; for legacy
-// rows (recorded before signatures were stored) derive it from the captured
+// rows (recorded before signatures were stored, OR whose summary is a reason
+// label like "Blocklist: …" — those often carry contaminated signatures that
+// split identical commands into duplicate groups) derive it from the captured
 // context via the same helper the approver uses, so old + new rows group together.
 function _escalationKeyFn(row) {
-  if (row && row.command_signature) return row.command_signature;
+  const labelRow = escalationReview.isLabelSummary(row && row.command_summary);
+  if (row && row.command_signature && !labelRow) return row.command_signature;
   try {
     return approvalAgent.escalationCommandParts({
       toolName: row && row.tool_name,
       command: '',
       fullContext: row && row.full_context,
-    }).signature;
-  } catch { return ''; }
+    }).signature || (row && row.command_signature) || '';
+  } catch { return (row && row.command_signature) || ''; }
 }
 
 // GET /api/approval-escalations — escalated commands grouped by TYPE for the
@@ -3561,6 +4165,65 @@ function handleListEscalations(req, res) {
   }
 }
 
+// A Wall-E coding turn registers its park as an escalated row carrying the
+// Wall-E request id. When that row is resolved here, the live turn is still
+// blocked on its own Promise — so call the Wall-E reply endpoint to unpark it
+// (the same endpoint the chat card uses). On a newly-created allow rule, also
+// ask Wall-E to re-check its OTHER parks so a now-covered one self-heals (the
+// no-poller cascade). Best-effort: CTM's row is already resolved regardless.
+async function _notifyWalleParkResolution(rowsById, resolvedIds, reply, { ruleAdded = false } = {}) {
+  const sessions = new Set();
+  for (const id of resolvedIds) {
+    const row = rowsById.get(Number(id));
+    const reqId = row && (row.walle_request_id || row.walleRequestId);
+    if (!reqId) continue;
+    if (row.walle_session_id) sessions.add(row.walle_session_id);
+    try {
+      await walleClient.requestJson(`/api/wall-e/permissions/${encodeURIComponent(reqId)}/reply`, {
+        method: 'POST', body: { reply },
+      });
+    } catch (e) { /* the turn may be gone — the CTM row state is already updated */ }
+  }
+  if (ruleAdded) {
+    for (const sid of sessions) {
+      try {
+        await walleClient.requestJson('/api/wall-e/permissions/reevaluate', { method: 'POST', body: { session_id: sid } });
+      } catch (e) { /* best-effort cascade */ }
+    }
+  }
+}
+
+// Mint durable low-risk learned allow rules from a set of normalized command
+// signatures. These are matched tier-1 by signature in decideApproval (BEFORE the
+// verifier), so the same command SHAPE auto-approves next time regardless of the
+// varying parts the signature collapses (ports/SIDs/paths → <num>/<id>/<path>).
+// This is what makes "Approve" actually stick — the prefix perm-rule the button
+// also creates can't express a parameterized command. Explicit user approval (the
+// Pending-tab buttons) vouches for the command, so we promote regardless of the
+// escalation's risk level; the dangerous-command blocklist still runs first in the
+// cascade and is never overridden. Idempotent (upsert keys on the escaped pattern).
+function _learnSignatureRules(signatures, { label, category, source } = {}, dbi = db) {
+  let created = 0;
+  for (const sig of (Array.isArray(signatures) ? signatures : [])) {
+    const s = String(sig || '').trim();
+    if (!s) continue;
+    try {
+      dbi.upsertApprovalRule({
+        pattern: selfAdapt._escapeRegex(s),
+        commandSignature: s,
+        label: label || 'Approved from queue',
+        description: 'Auto-learned: you approved this command from the Pending queue.',
+        category: category || 'bash-command',
+        riskLevel: 'low',
+        enabled: true,
+        autoLearnedSource: source || 'approve_queue',
+      });
+      created += 1;
+    } catch { /* rule may already exist — ON CONFLICT just bumps times_matched */ }
+  }
+  return created;
+}
+
 // POST /api/approval-escalations/resolve — resolve a whole TYPE at once.
 // body: { action: 'whitelist'|'block'|'dismiss'|'dismiss-all', ids:[...], rule? }
 // whitelist/block create an authoritative perm_rules allow/deny (honored by the
@@ -3573,6 +4236,9 @@ async function handleResolveEscalations(req, res) {
     if (!['whitelist', 'block', 'dismiss', 'dismiss-all', 'approve-all'].includes(action)) {
       return jsonResponse(res, 400, { error: 'invalid_action' });
     }
+    // Snapshot pending rows BEFORE resolving so we can still see which carry a
+    // Wall-E request id (resolved rows drop out of getPendingEscalations()).
+    const _pendingRowsById = new Map((db.getPendingEscalations() || []).map((r) => [Number(r.id), r]));
     // Bulk approve: whitelist EVERY pending type (one allow rule per group from its
     // suggested narrow pattern) and clear the queue. Re-group server-side so the
     // action is atomic and can't be skewed by a stale client view.
@@ -3580,8 +4246,27 @@ async function handleResolveEscalations(req, res) {
       const rows = db.getPendingEscalations() || [];
       const groups = escalationReview.groupEscalations(rows, _escalationKeyFn);
       let resolved = 0;
+      let failed = 0;
       let rulesCreated = 0;
+      let exceptionsAdded = 0;
+      let firstError = '';
+      const _approveAllResolvedIds = [];
       for (const g of groups) {
+        // Blocklist-escalated types can't be allow-listed (the blocklist runs first
+        // and is not overridden by allow rules). Bulk-approve them EXACTLY like the
+        // per-row "Exception & resolve" button: add the same NARROW "never block"
+        // exception (single plain clause, verb+dir-anchored — can't match rm -rf /
+        // or curl|bash) and DISMISS the rows. One click clears the whole queue; the
+        // floor stays for everything it didn't explicitly except.
+        if (escalationReview.isBlocklistGroup(g)) {
+          const exc = escalationReview.suggestException(g);
+          if (exc) exceptionsAdded += _appendBlocklistExceptions([exc], `Approved in bulk: ${g.title || 'command'}`.slice(0, 200));
+          for (const id of (g.ids || [])) {
+            try { db.resolveApprovalDecision(id, 'dismissed'); resolved += 1; }
+            catch (e) { failed += 1; if (!firstError) firstError = e.message; }
+          }
+          continue;
+        }
         const r = String(g.suggestedRule || '').trim();
         if (/^[A-Za-z]+\([^)]*\)$/.test(r)) {
           try {
@@ -3589,11 +4274,29 @@ async function handleResolveEscalations(req, res) {
             rulesCreated += 1;
           } catch (e) { /* rule may already exist — still clear the rows below */ }
         }
+        // Durable signature rules — the matcher that actually auto-approves the next
+        // (parameterized) run; the prefix rule above can't express ports/SIDs/paths.
+        rulesCreated += _learnSignatureRules(g.signatures, {
+          label: g.title || 'Approved in bulk',
+          category: String(g.toolName || 'bash').toLowerCase().replace(/\s+/g, '-'),
+          source: 'approve_all',
+        });
         for (const id of (g.ids || [])) {
-          try { db.resolveApprovalDecision(id, 'approved'); resolved += 1; } catch (e) { /* skip */ }
+          // Don't swallow resolve failures into a false "success": if the write
+          // fails (DB contention, etc.) the row stays escalated and the queue
+          // won't clear, so count it and report it instead of reporting ok.
+          try { db.resolveApprovalDecision(id, 'approved'); resolved += 1; _approveAllResolvedIds.push(id); }
+          catch (e) { failed += 1; if (!firstError) firstError = e.message; }
         }
       }
-      return jsonResponse(res, 200, { ok: true, action, resolved, rulesCreated, typeCount: groups.length });
+      // Unpark any Wall-E turns among the approved rows + cascade to their siblings.
+      await _notifyWalleParkResolution(_pendingRowsById, _approveAllResolvedIds, 'once', { ruleAdded: true });
+      const total = rows.length;
+      return jsonResponse(res, 200, {
+        ok: failed === 0,
+        action, resolved, failed, total, rulesCreated, exceptionsAdded, typeCount: groups.length,
+        error: failed ? `Could not clear ${failed} of ${total} escalation(s): ${firstError}` : undefined,
+      });
     }
     let createdRule = null;
     if (action === 'whitelist' || action === 'block') {
@@ -3610,12 +4313,36 @@ async function handleResolveEscalations(req, res) {
       targetIds = (Array.isArray(body.ids) ? body.ids : []).map(Number).filter(Number.isFinite);
       if (!targetIds.length) return jsonResponse(res, 400, { error: 'ids_required' });
     }
+    // For an explicit whitelist, also mint durable signature rules from the rows
+    // being approved (read their signatures BEFORE resolving clears them) — so the
+    // same command shape auto-approves next run, not just this one instance.
+    let rulesCreated = 0;
+    if (action === 'whitelist') {
+      const idSet = new Set(targetIds);
+      const sigs = (db.getPendingEscalations() || [])
+        .filter((r) => idSet.has(r.id))
+        .map((r) => r.command_signature);
+      rulesCreated = _learnSignatureRules(sigs, { label: createdRule || 'Approved', source: 'approve_row' });
+    }
     const resolveDecision = action === 'block' ? 'denied' : action === 'whitelist' ? 'approved' : 'dismissed';
     let resolved = 0;
+    let failed = 0;
+    let firstError = '';
+    const _resolvedIds = [];
     for (const id of targetIds) {
-      try { db.resolveApprovalDecision(id, resolveDecision); resolved += 1; } catch (e) { /* skip */ }
+      try { db.resolveApprovalDecision(id, resolveDecision); resolved += 1; _resolvedIds.push(id); }
+      catch (e) { failed += 1; if (!firstError) firstError = e.message; }
     }
-    jsonResponse(res, 200, { ok: true, action, resolved, rule: createdRule });
+    // Unpark any Wall-E coding turns among the resolved rows: approve (whitelist)
+    // → reply 'once' (the CTM rule already persists for next time); block/dismiss
+    // → 'reject'. A new allow rule also cascades to the session's other parks.
+    const walleReply = (action === 'whitelist') ? 'once' : 'reject';
+    await _notifyWalleParkResolution(_pendingRowsById, _resolvedIds, walleReply, { ruleAdded: action === 'whitelist' });
+    jsonResponse(res, 200, {
+      ok: failed === 0,
+      action, resolved, failed, total: targetIds.length, rule: createdRule, rulesCreated,
+      error: failed ? `Could not clear ${failed} of ${targetIds.length} escalation(s): ${firstError}` : undefined,
+    });
   } catch (e) {
     jsonResponse(res, 400, { error: e.message });
   }
@@ -3676,16 +4403,47 @@ async function handleResolveApprovalDecision(req, res, id) {
 
 // --- Dangerous-command blocklist (configurable; default ON) ---
 // GET  /api/approval/blocklist
-//   -> { enabled, patterns: [defaults], disabledIds: [int], custom: [{source,flags,reason,category,id}] }
-// POST /api/approval/blocklist { enabled?, disabledIds?, customPatterns? }
+//   -> { enabled, patterns: [defaults], disabledIds: [int], custom: [{source,flags,reason,category,id}],
+//        exceptions: [{source,flags,reason,id}] }
+// POST /api/approval/blocklist { enabled?, disabledIds?, customPatterns?, exceptions? }
 //   -> the same shape as GET (the merged view). Any field omitted is left as-is.
-//   Custom patterns are validated server-side; an invalid one returns 400 and
-//   nothing is persisted. The hard floor is editable but never silently broken.
+//   Custom patterns and exceptions are validated server-side; an invalid one
+//   returns 400 and nothing is persisted. The hard floor is editable but never
+//   silently broken.
 //
 // Persistence: `approval_blocklist_enabled` (bool) + `approval_blocklist_config`
-//   ({ disabledIds:[int], customPatterns:[{source,flags,reason,category}] }).
+//   ({ disabledIds:[int], customPatterns:[{source,flags,reason,category}],
+//      exceptions:[{source,flags,reason}] }).
 //   The agent reads both on every check (approval-agent isBlocklistEnabled /
 //   getBlocklistConfig), so edits take effect without a restart.
+// Append NARROW "never block" exceptions to the blocklist config (validated via
+// the same guard the endpoint uses, deduped by source). Shared by the Pending
+// "Approve all" path (parity with the per-row "Exception & resolve" button) and
+// available to any caller that needs to add an exception programmatically.
+// Skips un-validatable patterns rather than throwing, so a bulk action never aborts
+// on one bad signature. Returns the count actually added.
+function _appendBlocklistExceptions(sources, reasonLabel) {
+  const list = Array.isArray(sources) ? sources : [];
+  if (!list.length) return 0;
+  const { validateUserPattern } = require('./workers/approval-blocklist');
+  const cfg = db.getSetting('approval_blocklist_config', null) || {};
+  const exceptions = Array.isArray(cfg.exceptions) ? cfg.exceptions.slice() : [];
+  const seen = new Set(exceptions.map((e) => String((e && e.source) || '')));
+  let added = 0;
+  for (const src of list) {
+    const s = String(src || '').trim();
+    if (!s || seen.has(s)) continue;
+    const v = validateUserPattern({ source: s, flags: '', reason: reasonLabel || 'Approved from queue (never block)' });
+    if (!v.ok) continue;
+    const { category, ...rest } = v.normalized; // exceptions carry no category
+    exceptions.push({ ...rest, reason: rest.reason === 'Custom blocklist pattern' ? 'Blocklist exception' : rest.reason });
+    seen.add(s);
+    added += 1;
+  }
+  if (added) { cfg.exceptions = exceptions; db.setSetting('approval_blocklist_config', cfg); }
+  return added;
+}
+
 function _blocklistView() {
   const { PATTERN_META } = require('./workers/approval-blocklist');
   const enabled = db.getSetting('approval_blocklist_enabled', true) !== false;
@@ -3702,7 +4460,15 @@ function _blocklistView() {
         category: String((p && p.category) || 'custom'),
       }))
     : [];
-  return { enabled, patterns: PATTERN_META, disabledIds, custom };
+  const exceptions = Array.isArray(cfg.exceptions)
+    ? cfg.exceptions.map((p, i) => ({
+        id: (p && p.id != null) ? p.id : `e${i}`,
+        source: String((p && p.source) || ''),
+        flags: String((p && p.flags) || ''),
+        reason: String((p && p.reason) || 'Blocklist exception'),
+      }))
+    : [];
+  return { enabled, patterns: PATTERN_META, disabledIds, custom, exceptions };
 }
 function handleGetBlocklist(_req, res) {
   try {
@@ -3720,7 +4486,8 @@ async function handleSetBlocklistEnabled(req, res) {
     }
 
     const touchesConfig = Object.prototype.hasOwnProperty.call(body, 'disabledIds')
-      || Object.prototype.hasOwnProperty.call(body, 'customPatterns');
+      || Object.prototype.hasOwnProperty.call(body, 'customPatterns')
+      || Object.prototype.hasOwnProperty.call(body, 'exceptions');
     if (touchesConfig) {
       const cfg = db.getSetting('approval_blocklist_config', null) || {};
 
@@ -3747,8 +4514,21 @@ async function handleSetBlocklistEnabled(req, res) {
         cfg.customPatterns = normalized;
       }
 
+      if (Object.prototype.hasOwnProperty.call(body, 'exceptions')) {
+        if (!Array.isArray(body.exceptions)) return jsonResponse(res, 400, { error: 'exceptions must be an array' });
+        if (body.exceptions.length > 200) return jsonResponse(res, 400, { error: 'too many exceptions (max 200)' });
+        const normalized = [];
+        for (let i = 0; i < body.exceptions.length; i++) {
+          const v = validateUserPattern(body.exceptions[i]);
+          if (!v.ok) return jsonResponse(res, 400, { error: `exception ${i + 1}: ${v.error}` });
+          const { category, ...rest } = v.normalized; // exceptions have no category
+          normalized.push({ ...rest, reason: rest.reason === 'Custom blocklist pattern' ? 'Blocklist exception' : rest.reason });
+        }
+        cfg.exceptions = normalized;
+      }
+
       db.setSetting('approval_blocklist_config', cfg);
-      console.log(`[approval-blocklist] config updated: ${(cfg.disabledIds || []).length} disabled, ${(cfg.customPatterns || []).length} custom`);
+      console.log(`[approval-blocklist] config updated: ${(cfg.disabledIds || []).length} disabled, ${(cfg.customPatterns || []).length} custom, ${(cfg.exceptions || []).length} exceptions`);
     }
 
     jsonResponse(res, 200, _blocklistView());
@@ -4347,4 +5127,4 @@ function safeParse(json, fallback) {
   try { return JSON.parse(json); } catch { return fallback; }
 }
 
-module.exports = { handlePromptApi, queueEngine, runIncrementalConversationImport, runCursorConversationImport, importSessionFile, setUiPrefsBroadcaster, setPromptExecutionsOffThread, setDbMaintenanceRunner, setImageSaveRunner, _ingestPathFromInput, _ingestSourceAllowed, _conversationImportCandidates, _ingestTranscriptStoreForParsedFile };
+module.exports = { handlePromptApi, queueEngine, runIncrementalConversationImport, runCursorConversationImport, importSessionFile, setUiPrefsBroadcaster, setPromptExecutionsOffThread, setDbMaintenanceRunner, setImageSaveRunner, ensureHotkeyDaemon, hotkeyEnsureAction, screenshotResponsibleContext, screenshotNodeCandidates, probeScreenshotNodeGranted, _ingestPathFromInput, _ingestSourceAllowed, _conversationImportCandidates, _ingestTranscriptStoreForParsedFile, _learnSignatureRules, _appendBlocklistExceptions, _finalizePermIntent, _denyHinted, _lastConversationImportAt };