create-walle 0.9.25 → 0.9.26

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "create-walle",
-  "version": "0.9.25",
-  "description": "CTM + Wall-E \u2014 AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini, Aider, OpenCode, and more, plus prompt editor, task queue, remote phone and tablet access, code/doc review, and an agent that learns from Slack, email & calendar.",
+  "version": "0.9.26",
+  "description": "CTM + Wall-E — AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini, Aider, OpenCode, and more, plus prompt editor, task queue, remote phone and tablet access, code/doc review, and an agent that learns from Slack, email & calendar.",
   "bin": {
     "create-walle": "bin/create-walle.js"
   },

package/template/bin/ctm-dev-cleanup.js

@@ -2,6 +2,8 @@
 'use strict';
 
 const { execFileSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
 const {
   CTM_PROCESS_NAME,
   WALLE_PROCESS_NAME,
@@ -12,6 +14,15 @@ const {
 const DEFAULT_MAX_AGE_MIN = 24 * 60;
 const PROTECTED_PORTS = new Set([3456, 3457]);
 
+// Scratch data dirs a dev/e2e instance creates under /tmp. The name's trailing
+// token is the instance's CTM port for `*-dev-<port>` dirs (e.g.
+// /tmp/walle-dev-4637 → port 4637); e2e/test dirs may be timestamped instead.
+const TMP_ROOT = '/tmp';
+const DEV_DIR_RE = /^(walle-dev|walle-staging|walle-e2e|ctm-dev|ctm-render-test|ctm-e2e|ctm-worktree)-(.+)$/;
+// A dir younger than this is never removed — guards the brief window where a
+// SIBLING dev instance has mkdir-ed its dir but not yet bound its port.
+const DIR_MIN_AGE_SEC = 30;
+
 function parseArgs(argv) {
   const opts = {
     kill: false,
@@ -19,6 +30,8 @@ function parseArgs(argv) {
     maxAgeMin: DEFAULT_MAX_AGE_MIN,
     port: null,
     wallePort: null,
+    rmDirs: false,
+    keepPort: null,
     json: false,
   };
   for (let i = 0; i < argv.length; i += 1) {
@@ -26,6 +39,8 @@ function parseArgs(argv) {
     if (arg === '--kill') opts.kill = true;
     else if (arg === '--stale') opts.stale = true;
     else if (arg === '--json') opts.json = true;
+    else if (arg === '--rm-dirs') opts.rmDirs = true;
+    else if (arg === '--keep-port') opts.keepPort = Number(argv[++i] || 0) || null;
     else if (arg === '--max-age-min') opts.maxAgeMin = Number(argv[++i] || DEFAULT_MAX_AGE_MIN);
     else if (arg === '--port') opts.port = Number(argv[++i] || 0) || null;
     else if (arg === '--wall-e-port') opts.wallePort = Number(argv[++i] || 0) || null;
@@ -95,7 +110,9 @@ function lsofBinary() {
 function pidsListeningOnPort(port, lsof = lsofBinary()) {
   if (!port || PROTECTED_PORTS.has(Number(port))) return [];
   const output = runText(lsof, [`-tiTCP:${port}`, '-sTCP:LISTEN', '-nP']);
-  return [...new Set(output.split(/\s+/).map(n => Number(n)).filter(Number.isInteger))];
+  // Filter to POSITIVE pids: an empty lsof result splits to [''] → Number('') → 0,
+  // which would otherwise read as a phantom "live" pid (a dead port looking busy).
+  return [...new Set(output.split(/\s+/).map(n => Number(n)).filter(n => Number.isInteger(n) && n > 0))];
 }
 
 function processDetails(pid, lsof = lsofBinary()) {
@@ -152,6 +169,57 @@ function tempBacked(details) {
   );
 }
 
+// Scan /tmp for dev/e2e scratch dirs and decide which are safe to delete. A
+// `*-dev-<port>` dir is removable when NO process is listening on its port (the
+// instance is dead) and the port is neither protected (3456/3457) nor the current
+// run's `keepPort` (+ its Wall-E/oauth neighbours). Timestamped (non-port) dirs
+// fall back to the age guard. Dirs newer than DIR_MIN_AGE_SEC are always kept (a
+// sibling instance may be mid-boot). Pure-ish: filesystem + lsof in, decision out.
+function collectStaleDirs(opts = {}, deps = {}) {
+  const root = deps.root || TMP_ROOT;
+  const now = deps.now || Date.now();
+  const isPortLive = deps.isPortLive || ((port) => pidsListeningOnPort(port).length > 0);
+  const keepPorts = new Set(PROTECTED_PORTS);
+  if (opts.keepPort) { const p = Number(opts.keepPort); [p, p + 1, p + 2].forEach((x) => keepPorts.add(x)); }
+  const maxAgeSeconds = Math.max(0, Number(opts.maxAgeMin || DEFAULT_MAX_AGE_MIN)) * 60;
+  const remove = [];
+  const kept = [];
+  let entries = [];
+  try { entries = fs.readdirSync(root, { withFileTypes: true }); } catch { return { remove, kept }; }
+  for (const ent of entries) {
+    if (!ent.isDirectory()) continue;
+    const m = ent.name.match(DEV_DIR_RE);
+    if (!m) continue;
+    const dir = path.join(root, ent.name);
+    let ageSec = Infinity;
+    try { ageSec = (now - fs.statSync(dir).mtimeMs) / 1000; } catch { /* vanished */ continue; }
+    if (ageSec < DIR_MIN_AGE_SEC) { kept.push({ dir, reason: `too new (${Math.round(ageSec)}s)` }); continue; }
+    const portMatch = m[2].match(/^(\d{2,5})$/);
+    if (portMatch) {
+      const port = Number(portMatch[1]);
+      if (keepPorts.has(port)) { kept.push({ dir, reason: `protected/keep port ${port}` }); continue; }
+      if (isPortLive(port)) { kept.push({ dir, reason: `port ${port} live` }); continue; }
+      remove.push({ dir, port, reason: `dead dev instance (port ${port} free)` });
+    } else if (ageSec >= maxAgeSeconds) {
+      remove.push({ dir, port: null, reason: `stale ${ent.name} (${Math.round(ageSec / 60)}m ≥ ${opts.maxAgeMin || DEFAULT_MAX_AGE_MIN}m)` });
+    } else {
+      kept.push({ dir, reason: `non-port dir below ${opts.maxAgeMin || DEFAULT_MAX_AGE_MIN}m` });
+    }
+  }
+  return { remove, kept };
+}
+
+// Delete the dirs `collectStaleDirs` flagged — runs INSIDE this Node process
+// (fs.rmSync), so it is NOT subject to the agent's per-tool-call sandbox `rm -rf`
+// floor. Returns the items actually removed.
+function removeDirs(remove) {
+  const removed = [];
+  for (const item of remove) {
+    try { fs.rmSync(item.dir, { recursive: true, force: true }); removed.push(item); } catch { /* best-effort */ }
+  }
+  return removed;
+}
+
 function collectTargets(procs, opts, detailsByPid = new Map()) {
   const maxAgeSeconds = Math.max(0, Number(opts.maxAgeMin || DEFAULT_MAX_AGE_MIN)) * 60;
   const exactPortPids = new Set([
@@ -247,6 +315,13 @@ function formatReport(result, opts) {
       lines.push(`  PID ${p.pid} ${p.command} - ${p.reason}`);
     }
   }
+  if (result.dirs) {
+    const dirAction = opts.kill ? 'Removed' : 'Would remove';
+    const visibleDirs = opts.kill ? result.dirs.removed : result.dirs.remove;
+    lines.push('');
+    lines.push(`${dirAction} ${visibleDirs.length} dev scratch dir(s); kept ${result.dirs.kept.length}.`);
+    for (const d of visibleDirs) lines.push(`  ${d.dir} - ${d.reason}`);
+  }
   return lines.join('\n');
 }
 
@@ -254,16 +329,25 @@ function main(argv = process.argv.slice(2)) {
   const opts = parseArgs(argv);
   if (opts.help) {
     console.log([
-      'Usage: node bin/ctm-dev-cleanup.js [--kill] [--stale] [--max-age-min N] [--port N --wall-e-port N] [--json]',
+      'Usage: node bin/ctm-dev-cleanup.js [--kill] [--stale] [--rm-dirs] [--keep-port N] [--max-age-min N] [--port N --wall-e-port N] [--json]',
+      '',
+      '  --rm-dirs     also remove dead /tmp/{walle,ctm}-dev-* scratch dirs (port has no live listener)',
+      '  --keep-port N never remove the dir for this port (+ its Wall-E/oauth neighbours)',
       '',
-      `Dry-runs by default. Never targets ${CTM_PROCESS_NAME}/${WALLE_PROCESS_NAME} or ports 3456/3457.`,
+      `Dry-runs by default (add --kill to act). Never targets ${CTM_PROCESS_NAME}/${WALLE_PROCESS_NAME} or ports 3456/3457.`,
     ].join('\n'));
     return 0;
   }
   const detailsByPid = new Map();
   const { targets, kept } = collectTargets(listProcesses(), opts, detailsByPid);
   const killed = opts.kill ? killTargets(targets) : [];
-  const result = { targets, killed, kept };
+  let dirs = null;
+  if (opts.rmDirs) {
+    const { remove, kept: dirKept } = collectStaleDirs(opts);
+    const removed = opts.kill ? removeDirs(remove) : [];
+    dirs = { remove, removed, kept: dirKept };
+  }
+  const result = { targets, killed, kept, dirs };
   console.log(formatReport(result, opts));
   return 0;
 }
@@ -274,6 +358,8 @@ if (require.main === module) {
 
 module.exports = {
   collectTargets,
+  collectStaleDirs,
+  removeDirs,
   commandMatchesExactPort,
   formatReport,
   isProtectedProcess,

package/template/bin/ctm-launch.sh

@@ -10,4 +10,52 @@
 set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 NODE_BIN="$(bash "$ROOT/bin/node-bin.sh")"
-exec "$NODE_BIN" "$ROOT/claude-task-manager/server.js" "$@"
+SERVER="$ROOT/claude-task-manager/server.js"
+PINNED_V="$("$NODE_BIN" -v 2>/dev/null)"
+
+# Prefer a STABLE-IDENTITY node so macOS TCC grants (e.g. the "Coding Task Manager would like to
+# access data from other apps" prompt) PERSIST across restarts. macOS keys a TCC grant to the
+# binary's code-signing Designated Requirement: a notarized / Developer-ID-signed node keeps its
+# grant; the self-signed bundle node or an ad-hoc PATH node does not → it re-prompts every restart.
+# The notarized node + Dev-ID-signed bundle are provisioned off the boot path by
+# bin/ensure-stable-node.js (run from restart-ctm.sh); here we only PREFER whatever is present.
+# Every candidate is gated on an exact version match with the pinned node, so a `.node-version`
+# bump can never select a mismatched-ABI runtime (preserves the "upgrade = edit .node-version"
+# guarantee, and the daemon's native modules stay ABI-correct).
+_ver_match() { [ -x "$1" ] && [ "$("$1" -v 2>/dev/null)" = "$PINNED_V" ]; }
+
+# 0) The stable daemon node chosen by bin/ensure-stable-node.js (run off the boot path from
+#    restart-ctm.sh). On a machine WITH a Developer ID this is the branded, Dev-ID-signed CTM
+#    bundle exec — both grant-persisting AND shown as "Coding Task Manager" (not "node") in TCC
+#    prompts; without a Developer ID it is the bare notarized node. Reading the marker keeps
+#    codesign OFF this launchd boot path; the version check rejects a stale marker.
+MARKER="$HOME/.walle/.stable-daemon-node"
+if [ -f "$MARKER" ]; then
+  STABLE_NODE="$(head -n1 "$MARKER" 2>/dev/null)"
+  if [ -n "$STABLE_NODE" ] && _ver_match "$STABLE_NODE"; then
+    exec "$STABLE_NODE" "$SERVER" "$@"
+  fi
+fi
+# 1) Notarized node handed in by the downloadable Developer-ID Wall-E.app.
+if [ -n "${WALLE_NOTARIZED_NODE:-}" ] && _ver_match "$WALLE_NOTARIZED_NODE"; then
+  exec "$WALLE_NOTARIZED_NODE" "$SERVER" "$@"
+fi
+# 2) The branded .app bundle node when it carries a stable Team Identifier (Developer-ID-signed by
+#    ensure-stable-node.js) — branded AND grant-persisting. `codesign -dv` is a fast local read; it
+#    runs only on a cold boot where the marker is absent/stale.
+CTM_BUNDLE="$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
+if _ver_match "$CTM_BUNDLE" && codesign -dv "$CTM_BUNDLE" 2>&1 | grep -q '^TeamIdentifier=[A-Z0-9]'; then
+  exec "$CTM_BUNDLE" "$SERVER" "$@"
+fi
+# 3) Notarized node we provisioned ourselves (~/.walle/notarized-node) — stable but anonymous
+#    ("node"); the fallback for machines without a Developer ID.
+NOTARIZED_NODE="$HOME/.walle/notarized-node/bin/node"
+if _ver_match "$NOTARIZED_NODE"; then
+  exec "$NOTARIZED_NODE" "$SERVER" "$@"
+fi
+# 4) The branded bundle node even if only self-signed (branded name, but may re-prompt).
+if _ver_match "$CTM_BUNDLE"; then
+  exec "$CTM_BUNDLE" "$SERVER" "$@"
+fi
+# 5) Last resort: the pinned node (ABI-correct, but no stable TCC identity → may re-prompt).
+exec "$NODE_BIN" "$SERVER" "$@"

package/template/bin/dev.sh

@@ -8,7 +8,12 @@
 #   bash bin/dev.sh --fresh      # Pick ports and reset to empty DBs before starting
 #   bash bin/dev.sh --reuse      # Pick ports and reuse existing DBs in WALLE_DEV_DIR
 #   bash bin/dev.sh --refresh --no-images  # Copy DBs only; skip image assets
+#   bash bin/dev.sh --purge      # Remove dead dev instances' /tmp scratch dirs, then exit
 #   DEV_CTM_PORT=4456 bash bin/dev.sh  # Use an explicit port pair
+#
+# NOTE: agents must use `bash bin/dev.sh --purge` to clean up dev dirs — a direct
+# `rm -rf /tmp/walle-dev-*` is refused by the Claude Code sandbox floor; --purge
+# deletes inside this script (and bin/ctm-dev-cleanup.js), which the floor allows.
 
 set -e
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
@@ -31,6 +36,7 @@ Options:
   --fresh        Reset dev SQLite DBs before start (default)
   --refresh      Snapshot production CTM/Wall-E DBs before start
   --reuse        Reuse existing DBs in WALLE_DEV_DIR and keep data on exit
+  --purge        Remove dead dev instances' /tmp scratch dirs (no live ones), then exit
   --no-images    With --refresh, skip copying CTM image assets
   --keep-data    Do not remove the dev data dir when the launcher exits
   --print-config Print resolved ports/data dir and exit
@@ -49,6 +55,9 @@ while [[ $# -gt 0 ]]; do
       MODE="reuse"
       KEEP_DATA_ON_EXIT=1
       ;;
+    --purge)
+      MODE="purge"
+      ;;
     --no-images)
       COPY_IMAGES=0
       ;;
@@ -71,6 +80,17 @@ while [[ $# -gt 0 ]]; do
   shift
 done
 
+# --purge: clean up after dead dev instances and exit (no server start). Removes
+# orphaned /tmp/{walle,ctm}-dev-* scratch dirs whose port has no live listener and
+# sweeps stale/orphaned dev processes. Live instances + ports 3456/3457 untouched.
+# This is the sandbox-safe path agents use instead of `rm -rf /tmp/walle-dev-*`
+# (the deletion happens inside ctm-dev-cleanup.js, not as an agent tool call).
+if [[ "$MODE" == "purge" ]]; then
+  echo "[dev] Purging dead dev instances + /tmp scratch dirs (live instances untouched) ..."
+  "$NODE_BIN" "$ROOT/bin/ctm-dev-cleanup.js" --kill --stale --rm-dirs
+  exit 0
+fi
+
 is_integer() {
   [[ "$1" =~ ^[0-9]+$ ]]
 }
@@ -138,6 +158,12 @@ if [[ -f "$ROOT/.env" ]]; then
 fi
 
 mkdir -p "$DEV_DIR"
+# Isolate Codex rollouts. A /ctm-dev instance restores the prod session list, so
+# without this it would `codex resume <live-id>` into the user's REAL, shared
+# ~/.codex/sessions and become a 2nd/3rd concurrent writer on a live rollout JSONL
+# (corruption + contention). A throwaway CODEX_HOME keeps dev codex writes — and
+# CTM's own rollout reads, which resolve via the same CODEX_HOME — inside DEV_DIR.
+mkdir -p "$DEV_DIR/codex/sessions"
 
 cleanup_processes() {
   local stale_args=()
@@ -175,6 +201,12 @@ cleanup_dev() {
 
 cleanup_processes --stale
 
+# Remove orphaned /tmp scratch dirs left by dev instances that were killed by port
+# (bypassing the EXIT trap) so they don't accumulate. Port-based: only dirs whose
+# port has no live listener are removed; --keep-port protects THIS run's dir (and a
+# --reuse target). Runs inside the script, so it's exempt from the agent rm -rf floor.
+"$NODE_BIN" "$ROOT/bin/ctm-dev-cleanup.js" --kill --rm-dirs --keep-port "$DEV_CTM_PORT" >/dev/null 2>&1 || true
+
 # Handle launch mode
 if [[ "$MODE" == "fresh" ]]; then
   echo "[dev] Starting with fresh (empty) databases"
@@ -212,6 +244,9 @@ export CTM_DATA_DIR="$DEV_DIR"
 export WALL_E_DATA_DIR="$DEV_DIR"
 export WALLE_SESSIONS_DIR="$DEV_DIR/sessions"
 export WALL_E_SESSIONS_DIR="$DEV_DIR/sessions"
+# Isolate Codex rollouts so a dev resume never writes the user's live ~/.codex.
+export CODEX_HOME="$DEV_DIR/codex"
+export CTM_CODEX_SESSIONS_DIR="$DEV_DIR/codex/sessions"
 export CTM_HOST="127.0.0.1"
 export CTM_INSTANCE_TAG="dev-$DEV_CTM_PORT"
 export OAUTH_PROXY_PORT="$DEV_OAUTH_PROXY_PORT"
@@ -220,11 +255,15 @@ export CTM_TLS_KEY=""
 # Dev instances must not rewrite user-level Codex/Claude MCP config to their
 # temporary Wall-E port. Set WALLE_MCP_AUTO_CONFIG=1 to opt in deliberately.
 export WALLE_MCP_AUTO_CONFIG="${WALLE_MCP_AUTO_CONFIG:-0}"
+# Wall-E runtime diagnostics are developer-only. The normal npm/npx startup path
+# leaves this unset, so packaged users do not run extra monitors or diagnostic
+# event collection unless they opt in deliberately.
+export WALL_E_RUNTIME_DIAGNOSTICS="${WALL_E_RUNTIME_DIAGNOSTICS:-1}"
 
 # Source the rest of .env (API keys, owner name, etc.)
 if [[ -f "$ROOT/.env" ]]; then
   set -a
-  source <(grep -v '^#' "$ROOT/.env" | grep -vE '^(CTM_PORT|WALL_E_PORT|CTM_DATA_DIR|WALL_E_DATA_DIR|WALLE_SESSIONS_DIR|WALL_E_SESSIONS_DIR|CTM_HOST|CTM_INSTANCE_TAG|OAUTH_PROXY_PORT|CTM_TLS_CERT|CTM_TLS_KEY|CTM_API_BASE_URL|CTM_SESSION_MEMORY_API_BASE_URL|WALLE_MCP_AUTO_CONFIG|CTM_SKIP_DOTENV)=' | grep '=')
+  source <(grep -v '^#' "$ROOT/.env" | grep -vE '^(CTM_PORT|WALL_E_PORT|CTM_DATA_DIR|WALL_E_DATA_DIR|WALLE_SESSIONS_DIR|WALL_E_SESSIONS_DIR|CODEX_HOME|CTM_CODEX_SESSIONS_DIR|CTM_HOST|CTM_INSTANCE_TAG|OAUTH_PROXY_PORT|CTM_TLS_CERT|CTM_TLS_KEY|CTM_API_BASE_URL|CTM_SESSION_MEMORY_API_BASE_URL|WALLE_MCP_AUTO_CONFIG|CTM_SKIP_DOTENV)=' | grep '=')
   set +a
 fi
 
@@ -238,6 +277,10 @@ export CTM_DATA_DIR="$DEV_DIR"
 export WALL_E_DATA_DIR="$DEV_DIR"
 export WALLE_SESSIONS_DIR="$DEV_DIR/sessions"
 export WALL_E_SESSIONS_DIR="$DEV_DIR/sessions"
+# Reassert Codex isolation after sourcing prod .env (a user .env may pin
+# CODEX_HOME / CTM_CODEX_SESSIONS_DIR at the live ~/.codex sessions).
+export CODEX_HOME="$DEV_DIR/codex"
+export CTM_CODEX_SESSIONS_DIR="$DEV_DIR/codex/sessions"
 export CTM_HOST="127.0.0.1"
 export CTM_INSTANCE_TAG="dev-$DEV_CTM_PORT"
 export OAUTH_PROXY_PORT="$DEV_OAUTH_PROXY_PORT"
@@ -246,6 +289,7 @@ export CTM_TLS_KEY=""
 export CTM_API_BASE_URL="http://127.0.0.1:$DEV_CTM_PORT"
 export CTM_SESSION_MEMORY_API_BASE_URL="http://127.0.0.1:$DEV_CTM_PORT"
 export WALLE_MCP_AUTO_CONFIG="${WALLE_MCP_AUTO_CONFIG:-0}"
+export WALL_E_RUNTIME_DIAGNOSTICS="${WALL_E_RUNTIME_DIAGNOSTICS:-1}"
 export CTM_SKIP_DOTENV="1"
 
 CTM_DEV_CHILD_PID=""

package/template/bin/ensure-stable-node.js

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+'use strict';
+
+// Provision a STABLE-IDENTITY node for the CTM daemon so macOS TCC grants (e.g. the recurring
+// "Coding Task Manager would like to access data from other apps" prompt) persist across restarts.
+//
+// macOS keys a TCC grant to the requesting binary's code-signing Designated Requirement. A
+// notarized or Developer-ID-signed binary has a stable requirement (its grant sticks); the
+// self-signed .app bundle node or an ad-hoc PATH node does not, so the daemon re-prompts on every
+// restart. End-user installs (npx create-walle / the downloadable app) already run the daemon
+// under a notarized node — this gives the source/dev checkout the same stable identity.
+//
+// Side-effecting provisioner: it may download the notarized Node once and/or Developer-ID-sign the
+// bundle node. Prints the absolute path of the stable node on stdout ('' if none) and ALWAYS exits
+// 0 (fail-open — the launcher falls back to the pinned node, never worse than before). Run off the
+// launchd boot path (from restart-ctm.sh), not inside ctm-launch.sh.
+
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+function readPin(root) {
+  try {
+    return fs.readFileSync(path.join(root, '.node-version'), 'utf8').trim().replace(/^v/, '');
+  } catch {
+    return '';
+  }
+}
+
+// `…/Foo.app/Contents/MacOS/Foo` → `…/Foo.app` (the bundle dir codesign --deep signs).
+function bundleAppDir(execPath) {
+  return path.resolve(path.dirname(execPath), '..', '..');
+}
+
+// Pure resolver — all deps injected so it is unit-testable without macOS / network / codesign.
+// Returns the absolute path of a stable-identity node for the CTM daemon, or '' if none could be
+// provisioned. As a side effect it Developer-ID-signs BOTH daemon bundles (CTM + Wall-E) when a
+// Developer ID is present, so the Wall-E daemon and the Wall-E MCP server also get the
+// branded-stable identity (their execs are signed even though we return the CTM exec here).
+//   deps.cw        — create-walle module (ctmBundleExec, walleBundleExec, ensureNotarizedDaemonNode, nodeReportsVersion, NOTARIZED_NODE_VERSION)
+//   deps.codesign  — lib/codesign-identity module (developerIdIdentityHash, devIdSignBundle, localCodeSignTeamId)
+function resolveStableNode(deps) {
+  const { platform, env, pin, cw, codesign, existsSync, log } = deps;
+  if (platform !== 'darwin') return '';
+
+  // 1) Prefer a Developer-ID-signed BRANDED bundle when a Developer ID is present. It is the only
+  //    identity that is BOTH stable (TCC grants persist across restarts) AND branded (prompts show
+  //    "Coding Task Manager" / "Wall-E", not the anonymous "node"). Sign BOTH daemon bundles so the
+  //    CTM daemon, the Wall-E daemon, and the Wall-E MCP server share the branded-stable identity.
+  //    Each bundle is gated on existing + version-matching the pin (ABI). Return the CTM exec (the
+  //    CTM daemon's node); the Wall-E exec is signed for its own daemon/MCP to adopt.
+  if (cw && codesign && codesign.developerIdIdentityHash && codesign.developerIdIdentityHash()) {
+    try {
+      const ctmExec = cw.ctmBundleExec();
+      const walleExec = cw.walleBundleExec ? cw.walleBundleExec() : '';
+      const targets = [
+        { exec: ctmExec, id: 'com.walle.ctm' },
+        { exec: walleExec, id: 'com.walle.agent' },
+      ].filter((t) => t.exec && existsSync(t.exec) && (!pin || cw.nodeReportsVersion(t.exec, pin)));
+      let ctmTeam = '';
+      for (const t of targets) {
+        const r = codesign.devIdSignBundle(bundleAppDir(t.exec), t.id);
+        const team = r && r.signed ? codesign.localCodeSignTeamId(t.exec) : '';
+        if (team) log(`Developer-ID-signed ${t.id} bundle (Team ${team})`);
+        if (t.exec === ctmExec && team) ctmTeam = team;
+      }
+      if (ctmTeam) return ctmExec;
+    } catch (e) {
+      log(`bundle signing failed: ${e && e.message ? e.message : e}`);
+    }
+  }
+
+  // 2) No Developer ID (or bundle signing failed): fall back to the official Apple-notarized Node
+  //    (download-once + verify) — stable but anonymous ("node"). The only stable identity available
+  //    on a machine without a Developer ID. Only adopt it when its version equals the repo's
+  //    .node-version so the daemon's ABI matches the prebuilt native modules (never a mismatch).
+  if (cw && env.WALLE_NO_NOTARIZED_NODE !== '1' && (!pin || pin === cw.NOTARIZED_NODE_VERSION)) {
+    try {
+      const notarized = cw.ensureNotarizedDaemonNode({ log });
+      if (notarized) return notarized;
+    } catch (e) {
+      log(`notarized provisioning failed: ${e && e.message ? e.message : e}`);
+    }
+  }
+
+  return '';
+}
+
+module.exports = { resolveStableNode, readPin, bundleAppDir };
+
+if (require.main === module) {
+  const root = path.resolve(__dirname, '..');
+  const log = (m) => { try { process.stderr.write(`[ensure-stable-node] ${m}\n`); } catch {} };
+  let cw = null;
+  let codesign = null;
+  try { cw = require('../create-walle/bin/create-walle.js'); }
+  catch (e) { log(`create-walle load failed: ${e && e.message ? e.message : e}`); }
+  try { codesign = require('../claude-task-manager/lib/codesign-identity.js'); }
+  catch (e) { log(`codesign-identity load failed: ${e && e.message ? e.message : e}`); }
+
+  let out = '';
+  try {
+    out = resolveStableNode({
+      platform: process.platform,
+      env: process.env,
+      pin: readPin(root),
+      cw,
+      codesign,
+      existsSync: fs.existsSync,
+      log,
+    }) || '';
+  } catch (e) {
+    log(`error: ${e && e.message ? e.message : e}`);
+  }
+  // Record the chosen stable daemon node in a marker the launcher reads FIRST (keeps codesign off
+  // the launchd boot path). Written only when non-empty; a stale/missing marker is harmless —
+  // ctm-launch.sh re-validates the path's version before exec'ing it and falls through otherwise.
+  try {
+    const home = process.env.HOME || os.homedir();
+    const marker = path.join(home, '.walle', '.stable-daemon-node');
+    if (out) {
+      try { fs.mkdirSync(path.dirname(marker), { recursive: true }); } catch {}
+      fs.writeFileSync(marker, `${out}\n`);
+    } else {
+      try { fs.rmSync(marker, { force: true }); } catch {}
+    }
+  } catch (e) {
+    log(`marker write failed: ${e && e.message ? e.message : e}`);
+  }
+  process.stdout.write(out ? `${out}\n` : '\n');
+  process.exit(0);
+}

package/template/bin/install-service.sh

@@ -9,8 +9,14 @@ ROOT="$(dirname "$SCRIPT_DIR")"
 LABEL="com.walle.server"
 PLIST="$HOME/Library/LaunchAgents/$LABEL.plist"
 PORT="${CTM_PORT:-3456}"
+# No-respawn sentinel: CTM's detached self-recovery helper re-bootstraps the job if a bootout
+# leaves it unloaded (a botched plist reload). This sentinel tells it NOT to — for an intentional
+# uninstall/stop. Keep in sync with lib/launchd-recovery.js noRespawnSentinelPath().
+NO_RESPAWN_SENTINEL="$HOME/.walle/logs/.ctm-no-respawn"
 
 if [[ "$1" == "--uninstall" ]]; then
+  mkdir -p "$(dirname "$NO_RESPAWN_SENTINEL")" 2>/dev/null || true
+  : > "$NO_RESPAWN_SENTINEL"   # suppress self-recovery before we tear the service down
   launchctl bootout "gui/$(id -u)/$LABEL" 2>/dev/null || \
     launchctl unload "$PLIST" 2>/dev/null || true
   rm -f "$PLIST"
@@ -18,6 +24,9 @@ if [[ "$1" == "--uninstall" ]]; then
   exit 0
 fi
 
+# A (re)install re-enables self-recovery: clear any stale uninstall/stop sentinel.
+rm -f "$NO_RESPAWN_SENTINEL" 2>/dev/null || true
+
 # Source .env for port and data dir overrides
 ENV_VARS=""
 if [[ -f "$ROOT/.env" ]]; then