create-walle 0.9.25 → 0.9.27

package/bin/create-walle.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
 'use strict';
 
-const { execFileSync, spawn } = require('child_process');
+const { execFileSync, spawn, spawnSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
+const os = require('os');
 
 const BOLD = '\x1b[1m';
 const DIM = '\x1b[2m';
@@ -27,9 +28,216 @@ const NATIVE_DEPENDENCIES = new Set([
   'tree-sitter-bash',
 ]);
 
+// The pinned Node runtime the macOS daemon adopts: an official, Apple-notarized build
+// (signed by the Node.js Foundation) downloaded once from nodejs.org and cached under
+// ~/.walle/notarized-node. Running the launchd daemon under a notarized identity is what lets
+// a background macOS process obtain Screen Recording (and other TCC) grants — a self-signed or
+// cloned node cannot. The whole runtime tree (CTM server, Wall-E supervisor, session-host
+// forks) inherits this node via process.execPath, so native modules are built against THIS
+// version's ABI (see daemonNodeForBuild / npmInstall). Keep in sync with the vendored Node in
+// create-walle/macos/build-macos-app.sh (NODE_VERSION). Set WALLE_NO_NOTARIZED_NODE=1 to opt out.
+const NOTARIZED_NODE_VERSION = '25.2.1';
+
 // Files to preserve during update (user config, not code)
 const PRESERVE_ON_UPDATE = ['.env', 'wall-e/wall-e-config.json'];
 
+// ── macOS .app bundle + self-signed signing (Activity Monitor icon/name + stable TCC) ──
+// macOS shows a process's icon from the .app bundle that encloses its executable, so we
+// place the node binary inside per-daemon LSUIElement bundles. Self-signing with a stable
+// cert gives a stable codesign designated requirement → TCC grants (hotkey) persist across
+// updates. All best-effort: never block install; failures degrade to unsigned/iconless.
+const BUNDLE_ROOT = process.env.WALLE_BUNDLE_DIR || path.join(process.env.HOME, '.walle', 'bundles');
+const SIGN_IDENTITY_CN = 'Wall-E Local Signing';
+const SIGN_KEYCHAIN = process.env.WALLE_SIGN_KEYCHAIN || path.join(process.env.HOME, '.walle', 'walle-signing.keychain-db');
+const APP_BUNDLES = [
+  { app: 'Coding Task Manager.app', exec: 'Coding Task Manager', name: 'Coding Task Manager', bundleId: 'com.walle.ctm', icns: 'AppIcon-ctm.icns' },
+  { app: 'Wall-E.app', exec: 'Wall-E', name: 'Wall-E', bundleId: 'com.walle.agent', icns: 'AppIcon-walle.icns' },
+];
+
+function ctmBundleExec() {
+  return path.join(BUNDLE_ROOT, 'Coding Task Manager.app', 'Contents', 'MacOS', 'Coding Task Manager');
+}
+
+function walleBundleExec() {
+  return path.join(BUNDLE_ROOT, 'Wall-E.app', 'Contents', 'MacOS', 'Wall-E');
+}
+
+// The code-signing Team Identifier of a binary, or '' when unsigned/self-signed. A NON-empty
+// value means the binary carries a stable, OS-trusted Designated Requirement (Developer-ID or
+// notarized) — its TCC grants persist AND macOS keeps showing the .app's CFBundleName in prompts.
+function execTeamIdentifier(binaryPath) {
+  if (process.platform !== 'darwin' || !binaryPath) return '';
+  try {
+    if (!fs.existsSync(binaryPath)) return '';
+    // `codesign -dv` writes its report to STDERR and exits 0, so read both streams via spawnSync.
+    const r = spawnSync('codesign', ['-dv', '--verbose=4', binaryPath], { encoding: 'utf8' });
+    const text = `${r.stdout || ''}\n${r.stderr || ''}`;
+    const m = text.match(/^TeamIdentifier=(.+)$/m);
+    const team = m ? m[1].trim() : '';
+    return team === 'not set' ? '' : team;
+  } catch {
+    return '';
+  }
+}
+
+// Which node binary should launch the CTM daemon. We want an identity that is BOTH stable (its
+// TCC grants persist across restarts) AND branded (macOS shows "Coding Task Manager"/"Wall-E" in
+// prompts, not the anonymous "node"). A Developer-ID-signed .app bundle exec is the only thing
+// that is both; a bare notarized node is stable but anonymous. Order:
+//   1. WALLE_NOTARIZED_NODE — set by the downloadable Developer-ID Wall-E.app (runs under the
+//      app's own branded launcher identity, so it shows "Wall-E").
+//   2. The CTM .app bundle exec WHEN it carries a stable Team Identifier (Developer-ID-signed by
+//      bin/ensure-stable-node.js) — branded AND grant-persisting.
+//   3. The official notarized node we downloaded ourselves — stable but anonymous ("node"); the
+//      fallback for machines without a Developer ID, where a branded-stable bundle isn't possible.
+//   4. The self-signed CTM bundle exec — branded but re-prompts (no stable Team ID).
+//   5. The running node.
+function daemonExec() {
+  const notarized = process.env.WALLE_NOTARIZED_NODE;
+  if (notarized && process.platform === 'darwin') {
+    try { if (fs.existsSync(notarized)) return notarized; } catch {}
+  }
+  if (process.platform === 'darwin') {
+    const bundle = ctmBundleExec();
+    let bundleExists = false;
+    try { bundleExists = fs.existsSync(bundle); } catch {}
+    // Prefer the branded bundle only when it is Developer-ID-signed (has a Team ID): branded AND
+    // its grants persist. Otherwise prefer the notarized bare node (stable but "node").
+    if (bundleExists && execTeamIdentifier(bundle)) return bundle;
+    const own = validatedNotarizedNode();
+    if (own) return own;
+    if (bundleExists) return bundle; // self-signed branded bundle — branded name, but re-prompts
+  }
+  return process.execPath;
+}
+
+// ── Notarized daemon node (npx parity with the downloadable app's TCC fix) ──
+// The downloadable app ships its own notarized node; for the `npx create-walle` path we fetch
+// the equivalent official notarized Node once and point the daemon at it. All best-effort:
+// any failure leaves the daemon on its default node — never blocks install.
+
+function notarizedNodeDir() {
+  return process.env.WALLE_NOTARIZED_NODE_DIR || path.join(process.env.HOME, '.walle', 'notarized-node');
+}
+
+function notarizedNodePath() {
+  return path.join(notarizedNodeDir(), 'bin', 'node');
+}
+
+// Returns the cached notarized node ONLY when the post-verify marker matches the pinned
+// version (the marker is written last, so a partial/failed download is never trusted).
+function validatedNotarizedNode() {
+  if (process.platform !== 'darwin') return null;
+  if (process.env.WALLE_NO_NOTARIZED_NODE === '1') return null;
+  const dest = notarizedNodePath();
+  const marker = path.join(notarizedNodeDir(), 'version');
+  try {
+    if (fs.existsSync(dest) && fs.existsSync(marker) &&
+        fs.readFileSync(marker, 'utf8').trim() === NOTARIZED_NODE_VERSION) {
+      return dest;
+    }
+  } catch {}
+  return null;
+}
+
+// The node whose ABI native modules must target = whatever the daemon will run under.
+function daemonNodeForBuild() {
+  if (process.platform !== 'darwin') return process.execPath;
+  return validatedNotarizedNode() || process.execPath;
+}
+
+function nodeReportsVersion(bin, version) {
+  try {
+    return execFileSync(bin, ['-v'], { encoding: 'utf8', timeout: 10000 }).trim() === `v${version}`;
+  } catch { return false; }
+}
+
+// Integrity check: codesign --verify catches a tampered/altered binary (gates adoption).
+// spctl reports the Gatekeeper/notarization assessment (informational only — a validly-signed
+// official node is still safe to RUN even if spctl is quirky for a bare CLI binary; the TCC
+// benefit only adds to today's behavior, it never regresses it).
+function verifyNotarizedNode(bin, { log } = {}) {
+  try {
+    execFileSync('codesign', ['--verify', '--strict', bin], { stdio: 'pipe', timeout: 30000 });
+  } catch {
+    return false;
+  }
+  if (log) {
+    let assessment;
+    try {
+      execFileSync('spctl', ['-a', '-vv', '--type', 'exec', bin], { stdio: 'pipe', timeout: 30000 });
+      assessment = 'accepted (notarized)';
+    } catch { assessment = 'signature valid (spctl unconfirmed)'; }
+    log(`  ${DIM}node signature: ${assessment}${RESET}`);
+  }
+  return true;
+}
+
+// Download (once) the pinned official notarized Node + npm and cache it. Returns the node path
+// on success, else null (install proceeds on the default node). npm is bundled alongside so
+// native modules can be (re)built under this exact node — guaranteeing the daemon's runtime
+// and its node_modules share one ABI.
+function ensureNotarizedDaemonNode({ log = console.log } = {}) {
+  if (process.platform !== 'darwin') return null;
+  if (process.env.WALLE_NO_NOTARIZED_NODE === '1') return null;
+  const arch = process.arch === 'arm64' ? 'arm64' : process.arch === 'x64' ? 'x64' : null;
+  if (!arch) return null;
+
+  const dir = notarizedNodeDir();
+  const dest = notarizedNodePath();
+  const marker = path.join(dir, 'version');
+
+  // Cached and still valid → reuse (the "download once").
+  const cached = validatedNotarizedNode();
+  if (cached && nodeReportsVersion(cached, NOTARIZED_NODE_VERSION) && verifyNotarizedNode(cached)) {
+    return cached;
+  }
+
+  let tmp;
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    const base = `node-v${NOTARIZED_NODE_VERSION}-darwin-${arch}`;
+    const tarball = `${base}.tar.gz`;
+    const url = `https://nodejs.org/dist/v${NOTARIZED_NODE_VERSION}/${tarball}`;
+    tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'walle-nnode-'));
+    const tgz = path.join(tmp, tarball);
+    log(`  Downloading notarized Node ${NOTARIZED_NODE_VERSION} (${arch})…`);
+    execFileSync('curl', ['-fsSL', '-o', tgz, url], { timeout: 300000, stdio: 'pipe' });
+    // Extract just the node binary + bundled npm, stripping the version-named top dir.
+    execFileSync('tar', [
+      '-xzf', tgz, '-C', tmp, '--strip-components=1',
+      `${base}/bin/node`, `${base}/lib/node_modules/npm`,
+    ], { timeout: 120000, stdio: 'pipe' });
+
+    fs.rmSync(path.join(dir, 'bin'), { recursive: true, force: true });
+    fs.rmSync(path.join(dir, 'lib'), { recursive: true, force: true });
+    fs.rmSync(marker, { force: true });
+    fs.cpSync(path.join(tmp, 'bin'), path.join(dir, 'bin'), { recursive: true });
+    fs.cpSync(path.join(tmp, 'lib'), path.join(dir, 'lib'), { recursive: true });
+    fs.chmodSync(dest, 0o755);
+
+    if (!nodeReportsVersion(dest, NOTARIZED_NODE_VERSION)) throw new Error('version check failed');
+    if (!verifyNotarizedNode(dest, { log })) throw new Error('signature verification failed');
+
+    fs.writeFileSync(marker, `${NOTARIZED_NODE_VERSION}\n`);
+    log(`  ${GREEN}Notarized Node ready${RESET} ${DIM}(${dest})${RESET}`);
+    return dest;
+  } catch (e) {
+    log(`  ${DIM}Notarized node unavailable (${e && e.message ? e.message : e}) — daemon will use the default node${RESET}`);
+    disableNotarizedNode();
+    return null;
+  } finally {
+    if (tmp) { try { fs.rmSync(tmp, { recursive: true, force: true }); } catch {} }
+  }
+}
+
+// Drop the marker (and binary) so daemonExec/daemonNodeForBuild stop trusting it. Used when the
+// download fails OR when we can't build native modules under it (avoids an ABI split).
+function disableNotarizedNode() {
+  try { fs.rmSync(path.join(notarizedNodeDir(), 'version'), { force: true }); } catch {}
+  try { fs.rmSync(notarizedNodePath(), { force: true }); } catch {}
+}
+
 function writeCliLifecycleEvent(event, meta = {}) {
   if (process.env.WALLE_TELEMETRY === '0' || process.env.WALLE_TELEMETRY === 'false') return;
   try {
@@ -178,10 +386,16 @@ function install(targetDir) {
   console.log(`\n  Copying files...`);
   copyRecursive(TEMPLATE_DIR, targetDir);
 
+  // Fetch the notarized daemon node BEFORE installing deps, so native modules build against
+  // its ABI (the daemon and its forks will all run under it). Best-effort / macOS-only.
+  ensureNotarizedDaemonNode();
+
   console.log(`  Installing dependencies...\n`);
   npmInstall(targetDir);
 
   compileHotkeyDaemon(targetDir);
+  compileScreenAuthHelper(targetDir);
+  compileDisclaimHelper(targetDir);
 
   // .env
   const envLines = [
@@ -223,6 +437,10 @@ function install(targetDir) {
 
   saveWalleDir(path.resolve(targetDir));
 
+  // Build branded .app bundles (icon + name in Activity Monitor) before starting,
+  // so the launchd plist / background spawn can point at the bundle's node exec.
+  buildAppBundles(path.resolve(targetDir));
+
   // Start the service
   console.log(`  Starting Wall-E...`);
   startForegroundOrService(path.resolve(targetDir), port);
@@ -288,13 +506,21 @@ function update() {
   // 5. Stamp version
   stampVersion(dir);
 
-  // 6. Reinstall deps (in case package.json changed)
+  // 6. Reinstall deps (in case package.json changed). Refresh the notarized daemon node first
+  // so native modules rebuild against its ABI (idempotent: a valid cache is reused, not re-DLed).
+  ensureNotarizedDaemonNode();
   console.log(`  Installing dependencies...\n`);
   npmInstall(dir);
 
   compileHotkeyDaemon(dir);
+  compileScreenAuthHelper(dir);
+  compileDisclaimHelper(dir);
+
+  // 7. Refresh branded .app bundles (re-clone node to match the freshly built native
+  // modules' ABI, re-sign) then start again.
+  buildAppBundles(dir);
 
-  // 7. Start again
+  // 8. Start again
   console.log(`\n  Starting Wall-E...`);
   startForegroundOrService(dir, port);
 
@@ -353,6 +579,12 @@ function status() {
 }
 
 function logs() {
+  // On Linux with systemd, the unit logs to the journal.
+  if (process.platform === 'linux' && hasSystemdUser() && fs.existsSync(path.join(process.env.HOME, '.config', 'systemd', 'user', 'walle.service'))) {
+    const child = spawn('journalctl', ['--user', '-u', 'walle.service', '-f'], { stdio: 'inherit' });
+    child.on('error', () => console.log('  Could not read the journal; try ~/.walle/logs/'));
+    return;
+  }
   const logFile = path.join(process.env.HOME, '.walle', 'logs', 'walle.log');
   if (!fs.existsSync(logFile)) {
     console.log(`\n  No logs yet at ${logFile}\n`);
@@ -363,9 +595,25 @@ function logs() {
 }
 
 function uninstall() {
-  const plist = path.join(process.env.HOME, 'Library', 'LaunchAgents', `${LABEL}.plist`);
-  try { execFileSync('launchctl', ['unload', plist], { stdio: 'ignore' }); } catch {}
-  try { fs.unlinkSync(plist); } catch {}
+  if (process.platform === 'darwin') {
+    const plist = path.join(process.env.HOME, 'Library', 'LaunchAgents', `${LABEL}.plist`);
+    try { execFileSync('launchctl', ['unload', plist], { stdio: 'ignore' }); } catch {}
+    try { fs.unlinkSync(plist); } catch {}
+    // Branded .app bundles + Launchpad launcher.
+    try { fs.rmSync(BUNDLE_ROOT, { recursive: true, force: true }); } catch {}
+    try { fs.rmSync(path.join(process.env.HOME, 'Applications', 'Wall-E.app'), { recursive: true, force: true }); } catch {}
+  } else if (process.platform === 'linux') {
+    if (hasSystemdUser()) {
+      try { execFileSync('systemctl', ['--user', 'disable', '--now', 'walle.service'], { stdio: 'ignore' }); } catch {}
+    }
+    try { fs.unlinkSync(path.join(process.env.HOME, '.config', 'systemd', 'user', 'walle.service')); } catch {}
+    try { execFileSync('systemctl', ['--user', 'daemon-reload'], { stdio: 'ignore' }); } catch {}
+    try { fs.unlinkSync(path.join(process.env.HOME, '.local', 'share', 'applications', 'walle.desktop')); } catch {}
+    const themeDir = path.join(process.env.HOME, '.local', 'share', 'icons', 'hicolor');
+    try { fs.unlinkSync(path.join(themeDir, 'scalable', 'apps', 'walle.svg')); } catch {}
+    for (const s of ['16x16', '32x32', '512x512']) { try { fs.unlinkSync(path.join(themeDir, s, 'apps', 'walle.png')); } catch {} }
+    try { execFileSync('gtk-update-icon-cache', ['-f', '-t', themeDir], { stdio: 'ignore' }); } catch {}
+  }
   try { fs.unlinkSync(INSTALL_PATH_FILE); } catch {}
   console.log(`\n  ${GREEN}Service uninstalled.${RESET} Your data in ~/.walle/data is preserved.\n`);
 }
@@ -378,6 +626,10 @@ function stopQuiet(dir, port) {
   if (process.platform === 'darwin' && fs.existsSync(plist)) {
     try { execFileSync('launchctl', ['unload', plist], { stdio: 'ignore' }); } catch {}
   }
+  // Linux: stop the systemd user unit so it doesn't auto-restart during update.
+  if (process.platform === 'linux' && hasSystemdUser() && fs.existsSync(path.join(process.env.HOME, '.config', 'systemd', 'user', 'walle.service'))) {
+    try { execFileSync('systemctl', ['--user', 'stop', 'walle.service'], { stdio: 'ignore' }); } catch {}
+  }
   // Kill CTM and Wall-E processes
   const wallePort = dir ? readWallePort(dir) : String(parseInt(port) + 1);
   for (const p of [port, wallePort]) {
@@ -409,7 +661,9 @@ function startForegroundOrService(dir, port) {
     // Start in background without launchd
     const logDir = path.join(process.env.HOME, '.walle', 'logs');
     fs.mkdirSync(logDir, { recursive: true });
-    const child = spawn(process.execPath, ['claude-task-manager/server.js'], {
+    // Launch via the notarized app node / CTM .app bundle exec when present (TCC + icon).
+    const ctmExec = daemonExec();
+    const child = spawn(ctmExec, ['claude-task-manager/server.js'], {
       cwd: dir,
       detached: true,
       stdio: ['ignore', fs.openSync(path.join(logDir, 'walle.log'), 'a'), fs.openSync(path.join(logDir, 'walle.err'), 'a')],
@@ -425,12 +679,18 @@ function installService(walleDir, port) {
 
   if (process.platform === 'darwin') {
     const nodePath = process.execPath;
+    // Prefer the notarized app's node (downloadable app) → self-signed CTM bundle → node.
+    const launchExec = daemonExec();
     const plistDir = path.join(process.env.HOME, 'Library', 'LaunchAgents');
     fs.mkdirSync(plistDir, { recursive: true });
     const plistPath = path.join(plistDir, `${LABEL}.plist`);
 
     const xmlEsc = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
-    const nodeBinDir = path.dirname(nodePath);
+    // Put the notarized node's dir first (when adopted) so bare `node` invocations inside the
+    // daemon resolve to the same ABI it runs under; keep the real node dir as a fallback.
+    const notarizedNode = validatedNotarizedNode();
+    const nodeBinDir = [notarizedNode && path.dirname(notarizedNode), path.dirname(nodePath)]
+      .filter(Boolean).join(':');
     let envDict = `    <key>PATH</key>\n    <string>${xmlEsc(nodeBinDir)}:/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin</string>\n`;
     envDict += `    <key>HOME</key>\n    <string>${xmlEsc(process.env.HOME)}</string>\n`;
     envDict += `    <key>CTM_PORT</key>\n    <string>${port}</string>\n`;
@@ -453,7 +713,7 @@ function installService(walleDir, port) {
   <string>${LABEL}</string>
   <key>ProgramArguments</key>
   <array>
-    <string>${nodePath}</string>
+    <string>${launchExec}</string>
     <string>${walleDir}/claude-task-manager/server.js</string>
   </array>
   <key>WorkingDirectory</key>
@@ -480,10 +740,114 @@ ${envDict}  </dict>
     fs.writeFileSync(plistPath, plist);
     try { execFileSync('launchctl', ['unload', plistPath], { stdio: 'ignore' }); } catch {}
     execFileSync('launchctl', ['load', plistPath]);
+  } else if (process.platform === 'linux') {
+    // Always register desktop integration (name + icon in launchers / system monitors),
+    // independent of the service manager.
+    installDesktopIntegration(walleDir, port);
+    if (hasSystemdUser()) {
+      installSystemdService(walleDir, port, logDir);
+    } else {
+      installWatchdogFallback(walleDir, port, logDir);
+    }
   } else {
-    // Linux/other: spawn with a restart-on-crash wrapper shell script
-    const watchdogScript = path.join(walleDir, 'bin', 'watchdog.sh');
-    const watchdogContent = `#!/bin/bash
+    installWatchdogFallback(walleDir, port, logDir);
+  }
+}
+
+// ── Linux service / desktop integration ──
+
+// True only when a systemd *user* instance is actually reachable (catches non-systemd
+// distros, bare SSH without lingering, WSL without systemd).
+function hasSystemdUser() {
+  if (process.platform !== 'linux') return false;
+  try {
+    execFileSync('systemctl', ['--user', 'show-environment'], { stdio: 'ignore', timeout: 4000 });
+    return true;
+  } catch { return false; }
+}
+
+function installSystemdService(walleDir, port, logDir) {
+  const unitDir = path.join(process.env.HOME, '.config', 'systemd', 'user');
+  fs.mkdirSync(unitDir, { recursive: true });
+  fs.mkdirSync(logDir, { recursive: true });
+  const sq = (s) => String(s).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+  let envLines = `Environment="CTM_PORT=${port}"\nEnvironment="CTM_MANAGED_BY_SYSTEMD=1"\n`;
+  try {
+    for (const line of fs.readFileSync(path.join(walleDir, '.env'), 'utf8').split('\n')) {
+      const m = line.match(/^\s*([^#=\s]+)\s*=\s*(.+?)\s*$/);
+      if (m && m[1] !== 'CTM_PORT') envLines += `Environment="${sq(m[1])}=${sq(m[2])}"\n`;
+    }
+  } catch {}
+  const unit = `[Unit]
+Description=Wall-E — personal digital twin (Coding Task Manager)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=${walleDir}
+ExecStart=${process.execPath} ${walleDir}/claude-task-manager/server.js
+Restart=on-failure
+RestartSec=5
+StartLimitIntervalSec=300
+StartLimitBurst=5
+${envLines}StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=walle
+
+[Install]
+WantedBy=default.target
+`;
+  fs.writeFileSync(path.join(unitDir, 'walle.service'), unit);
+  try { execFileSync('systemctl', ['--user', 'daemon-reload'], { stdio: 'ignore' }); } catch {}
+  try { execFileSync('systemctl', ['--user', 'enable', '--now', 'walle.service'], { stdio: 'ignore' }); } catch {}
+  try { execFileSync('systemctl', ['--user', 'restart', 'walle.service'], { stdio: 'ignore' }); } catch {}
+}
+
+// Install a freedesktop .desktop entry + themed icons so Wall-E shows with a name + icon
+// in app launchers and graphical system monitors. Best-effort.
+function installDesktopIntegration(walleDir, port) {
+  if (process.platform !== 'linux') return;
+  try {
+    const appsDir = path.join(process.env.HOME, '.local', 'share', 'applications');
+    const themeDir = path.join(process.env.HOME, '.local', 'share', 'icons', 'hicolor');
+    fs.mkdirSync(appsDir, { recursive: true });
+    const pub = path.join(walleDir, 'claude-task-manager', 'public');
+    const svg = path.join(pub, 'icon.svg');
+    if (fs.existsSync(svg)) {
+      const d = path.join(themeDir, 'scalable', 'apps');
+      fs.mkdirSync(d, { recursive: true });
+      try { fs.copyFileSync(svg, path.join(d, 'walle.svg')); } catch {}
+    }
+    for (const [file, size] of [['icon-16.png', '16x16'], ['icon-32.png', '32x32'], ['icon-512.png', '512x512']]) {
+      const src = path.join(pub, file);
+      if (fs.existsSync(src)) {
+        const d = path.join(themeDir, size, 'apps');
+        fs.mkdirSync(d, { recursive: true });
+        try { fs.copyFileSync(src, path.join(d, 'walle.png')); } catch {}
+      }
+    }
+    fs.writeFileSync(path.join(appsDir, 'walle.desktop'), `[Desktop Entry]
+Type=Application
+Name=Wall-E
+GenericName=Personal Digital Twin
+Comment=Coding Task Manager and Wall-E memory daemon
+Exec=xdg-open http://localhost:${port}
+Icon=walle
+Terminal=false
+Categories=Development;Utility;
+Keywords=walle;ctm;claude;tasks;
+StartupNotify=false
+`);
+    try { execFileSync('gtk-update-icon-cache', ['-f', '-t', themeDir], { stdio: 'ignore' }); } catch {}
+    try { execFileSync('update-desktop-database', [appsDir], { stdio: 'ignore' }); } catch {}
+  } catch {}
+}
+
+function installWatchdogFallback(walleDir, port, logDir) {
+  // Linux/other without systemd: spawn with a restart-on-crash wrapper shell script.
+  const watchdogScript = path.join(walleDir, 'bin', 'watchdog.sh');
+  const watchdogContent = `#!/bin/bash
 # Auto-restart CTM on crash. Clean exit (code 0) stops the watchdog.
 CRASHES=0
 while true; do
@@ -502,28 +866,37 @@ while true; do
   sleep 5
 done
 `;
-    fs.mkdirSync(path.join(walleDir, 'bin'), { recursive: true });
-    fs.writeFileSync(watchdogScript, watchdogContent, { mode: 0o755 });
-
-    const child = spawn('bash', [watchdogScript], {
-      cwd: walleDir,
-      detached: true,
-      stdio: 'ignore',
-      env: { ...process.env, CTM_PORT: port },
-    });
-    child.unref();
-    fs.writeFileSync(path.join(logDir, 'walle.pid'), String(child.pid));
-  }
+  fs.mkdirSync(path.join(walleDir, 'bin'), { recursive: true });
+  fs.writeFileSync(watchdogScript, watchdogContent, { mode: 0o755 });
+
+  const child = spawn('bash', [watchdogScript], {
+    cwd: walleDir,
+    detached: true,
+    stdio: 'ignore',
+    env: { ...process.env, CTM_PORT: port },
+  });
+  child.unref();
+  fs.writeFileSync(path.join(logDir, 'walle.pid'), String(child.pid));
 }
 
 // ── Helpers ──
 
 function npmInstall(dir) {
+  // Build native modules under the node the daemon will actually run (the notarized node when
+  // adopted), so its ABI matches. Safety: if we can't run npm UNDER that node (no co-located
+  // npm-cli.js → npm would fall back to the user's node and build the wrong ABI), don't adopt
+  // the notarized node at all — keeping one consistent ABI beats a half-applied switch.
+  let nodeBin = daemonNodeForBuild();
+  if (nodeBin !== process.execPath && resolveNpmRunner(process.env, nodeBin).type !== 'node-cli') {
+    console.log(`  ${DIM}No npm co-located with the notarized node — keeping the default daemon node${RESET}`);
+    disableNotarizedNode();
+    nodeBin = process.execPath;
+  }
   try {
     for (const relDir of MANAGED_PACKAGE_DIRS) {
-      runNpm(path.join(dir, relDir), ['install', '--loglevel=warn']);
+      runNpm(path.join(dir, relDir), ['install', '--loglevel=warn'], nodeBin);
     }
-    repairNativeDependencies(dir, { phase: 'install' });
+    repairNativeDependencies(dir, { phase: 'install', nodeBin });
   } catch (err) {
     console.error(`\n  ${RED}npm install failed.${RESET}`);
     if (err && err.message) console.error(`  ${DIM}${err.message}${RESET}`);
@@ -537,6 +910,7 @@ function repairNativeDependencies(walleDir, {
   checkDependency = checkNativeDependency,
   runNpmCommand = runNpm,
   log = console.log,
+  nodeBin = process.execPath,
 } = {}) {
   const repairs = [];
   for (const relDir of MANAGED_PACKAGE_DIRS) {
@@ -546,17 +920,17 @@ function repairNativeDependencies(walleDir, {
 
     const failed = [];
     for (const dep of deps) {
-      const check = checkDependency(packageDir, dep);
+      const check = checkDependency(packageDir, dep, nodeBin);
       if (!check.ok) failed.push(dep);
     }
     if (!failed.length) continue;
 
-    log(`  ${YELLOW}Rebuilding native modules for ${relDir}${RESET} ${DIM}(Node ${process.version}, ABI ${process.versions.modules})${RESET}`);
-    runNpmCommand(packageDir, ['rebuild', ...failed, '--loglevel=warn']);
+    log(`  ${YELLOW}Rebuilding native modules for ${relDir}${RESET} ${DIM}(daemon node ${nodeBin !== process.execPath ? `notarized v${NOTARIZED_NODE_VERSION}` : process.version})${RESET}`);
+    runNpmCommand(packageDir, ['rebuild', ...failed, '--loglevel=warn'], nodeBin);
 
     const stillBroken = [];
     for (const dep of failed) {
-      const check = checkDependency(packageDir, dep);
+      const check = checkDependency(packageDir, dep, nodeBin);
       if (!check.ok) stillBroken.push(`${dep}: ${firstLine(check.error)}`);
     }
     if (stillBroken.length) {
@@ -586,14 +960,14 @@ function nativeDependenciesForPackage(packageDir) {
   return Object.keys(declared).filter((name) => NATIVE_DEPENDENCIES.has(name));
 }
 
-function checkNativeDependency(packageDir, dependency) {
+function checkNativeDependency(packageDir, dependency, nodeBin = process.execPath) {
   try {
-    execFileSync(process.execPath, ['-e', `require(${JSON.stringify(dependency)})`], {
+    execFileSync(nodeBin, ['-e', `require(${JSON.stringify(dependency)})`], {
       cwd: packageDir,
       encoding: 'utf8',
       stdio: ['ignore', 'pipe', 'pipe'],
       timeout: 15000,
-      env: npmChildEnv(),
+      env: npmChildEnv(nodeBin),
     });
     return { ok: true };
   } catch (err) {
@@ -602,20 +976,21 @@ function checkNativeDependency(packageDir, dependency) {
   }
 }
 
-function runNpm(cwd, args) {
-  const runner = resolveNpmRunner();
+function runNpm(cwd, args, nodeBin = process.execPath) {
+  const runner = resolveNpmRunner(process.env, nodeBin);
   if (runner.type === 'node-cli') {
-    execFileSync(process.execPath, [runner.path, ...args], {
+    // Run npm UNDER nodeBin so node-gyp targets nodeBin's ABI (= the daemon's runtime).
+    execFileSync(nodeBin, [runner.path, ...args], {
       cwd,
       stdio: 'inherit',
-      env: npmChildEnv(),
+      env: npmChildEnv(nodeBin),
     });
     return;
   }
   execFileSync('npm', args, {
     cwd,
     stdio: 'inherit',
-    env: npmChildEnv(),
+    env: npmChildEnv(nodeBin),
   });
 }
 
@@ -647,10 +1022,11 @@ function npmCliCandidates(execPath = process.execPath) {
   ].map((candidate) => path.resolve(candidate));
 }
 
-function npmChildEnv() {
-  const nodeDir = path.dirname(process.execPath);
+function npmChildEnv(nodeBin = process.execPath) {
+  const nodeDir = path.dirname(nodeBin);
   return {
     ...process.env,
+    // nodeBin's dir first so any `node` node-gyp shells out to is the same ABI we're targeting.
     PATH: [nodeDir, process.env.PATH || ''].filter(Boolean).join(path.delimiter),
     npm_config_update_notifier: 'false',
   };
@@ -728,19 +1104,397 @@ function detectTimezone() {
   return 'UTC';
 }
 
+// Build the global screenshot hotkey as a real LSUIElement .app bundle (a peer of the
+// Coding Task Manager.app / Wall-E.app daemon bundles). RegisterEventHotKey only delivers global
+// hotkeys to a GUI app the window server recognizes — a BARE launchd executable never receives the
+// keypress, which is why the old bare-binary build registered but never fired. Best-effort: if this
+// fails (no swiftc), CTM's boot-time ensureHotkeyDaemon self-heals it on first launch.
 function compileHotkeyDaemon(walleDir) {
   if (process.platform !== 'darwin') return; // macOS only
   const swiftSource = path.join(walleDir, 'claude-task-manager', 'bin', 'ctm-hotkey.swift');
   if (!fs.existsSync(swiftSource)) return;
-  const binary = path.join(process.env.HOME, '.local', 'bin', 'ctm-hotkey');
+  const bundleDir = path.join(BUNDLE_ROOT, 'CTM-Screenshot.app');
+  const exec = path.join(bundleDir, 'Contents', 'MacOS', 'ctm-hotkey');
+  try {
+    fs.mkdirSync(path.dirname(exec), { recursive: true });
+    // Carbon: RegisterEventHotKey / InstallEventHandler. Cocoa: NSApplication (the GUI app context).
+    execFileSync('swiftc', ['-O', '-o', exec, swiftSource, '-framework', 'Cocoa', '-framework', 'Carbon'], { timeout: 120000, stdio: 'pipe' });
+    fs.chmodSync(exec, 0o755);
+    fs.writeFileSync(path.join(bundleDir, 'Contents', 'Info.plist'), `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleName</key><string>CTM Screenshot</string>
+  <key>CFBundleDisplayName</key><string>CTM Screenshot</string>
+  <key>CFBundleIdentifier</key><string>com.walle.ctm.hotkey</string>
+  <key>CFBundleExecutable</key><string>ctm-hotkey</string>
+  <key>CFBundlePackageType</key><string>APPL</string>
+  <key>CFBundleVersion</key><string>1.0</string>
+  <key>CFBundleShortVersionString</key><string>1.0</string>
+  <key>LSUIElement</key><true/>
+  <key>LSMinimumSystemVersion</key><string>11.0</string>
+  <key>NSPrincipalClass</key><string>NSApplication</string>
+</dict>
+</plist>
+`);
+    // Sign so it runs for every user (arm64 won't execute an unsigned binary): self-signed local
+    // cert if available, else ad-hoc. CTM's boot ensureHotkeyDaemon upgrades to Developer-ID on
+    // machines that have one. The hotkey needs no TCC permission, so any valid signature suffices.
+    const id = ensureSigningIdentity();
+    if (!id || !signArtifacts(id, [{ path: bundleDir, id: 'com.walle.ctm.hotkey', deep: true }])) {
+      try { execFileSync('codesign', ['--force', '--deep', '--sign', '-', bundleDir], { stdio: 'ignore', timeout: 120000 }); } catch {}
+    }
+    // Remove any pre-bundle bare binary so two daemons can't compete for the combo.
+    try { fs.unlinkSync(path.join(process.env.HOME, '.local', 'bin', 'ctm-hotkey')); } catch {}
+    console.log(`  ${GREEN}Built hotkey app bundle${RESET} ${DIM}(${bundleDir})${RESET}`);
+  } catch {
+    // swiftc not available or build failed — non-fatal; CTM's boot self-heal will retry.
+    console.log(`  ${DIM}Skipped hotkey bundle (Swift compiler not available)${RESET}`);
+  }
+}
+
+// Compile the Screen Recording permission helper (macOS only). CTM spawns this when a
+// screenshot fails for lack of Screen Recording permission; calling
+// CGRequestScreenCaptureAccess() from a CTM child attributes the request to CTM's identity
+// so the system prompt reads "Coding Task Manager" and the grant lands on the right
+// identity. Best-effort: missing swiftc → screenshots just surface a manual-grant hint.
+function compileScreenAuthHelper(walleDir) {
+  if (process.platform !== 'darwin') return; // macOS only
+  const swiftSource = path.join(walleDir, 'claude-task-manager', 'bin', 'ctm-screen-auth.swift');
+  if (!fs.existsSync(swiftSource)) return;
+  const binary = path.join(process.env.HOME, '.local', 'bin', 'ctm-screen-auth');
+  try {
+    fs.mkdirSync(path.dirname(binary), { recursive: true });
+    execFileSync('swiftc', ['-O', '-o', binary, swiftSource, '-framework', 'CoreGraphics'], { timeout: 120000, stdio: 'pipe' });
+    fs.chmodSync(binary, 0o755);
+    console.log(`  ${GREEN}Compiled screen-recording helper${RESET} ${DIM}(${binary})${RESET}`);
+  } catch {
+    console.log(`  ${DIM}Skipped screen-recording helper (Swift compiler not available)${RESET}`);
+  }
+}
+
+// Compile the disclaim helper (macOS only). Lets CTM run `screencapture` as its own
+// responsible TCC process via the user's already-granted `node`, so screenshots work even
+// though CTM runs from a self-signed bundle macOS won't prompt for. Best-effort.
+function compileDisclaimHelper(walleDir) {
+  if (process.platform !== 'darwin') return; // macOS only
+  const src = path.join(walleDir, 'claude-task-manager', 'bin', 'ctm-disclaim.c');
+  if (!fs.existsSync(src)) return;
+  const binary = path.join(process.env.HOME, '.local', 'bin', 'ctm-disclaim');
   try {
     fs.mkdirSync(path.dirname(binary), { recursive: true });
-    execFileSync('swiftc', ['-O', '-o', binary, swiftSource, '-framework', 'Cocoa'], { timeout: 120000, stdio: 'pipe' });
+    execFileSync('clang', ['-O2', '-o', binary, src], { timeout: 120000, stdio: 'pipe' });
     fs.chmodSync(binary, 0o755);
-    console.log(`  ${GREEN}Compiled hotkey daemon${RESET} ${DIM}(${binary})${RESET}`);
+    console.log(`  ${GREEN}Compiled screenshot disclaim helper${RESET} ${DIM}(${binary})${RESET}`);
+  } catch {
+    console.log(`  ${DIM}Skipped disclaim helper (clang not available)${RESET}`);
+  }
+}
+
+// Resolve a REAL node binary (never a bundle exec — guards against copying the
+// bundle's own node onto itself once CTM runs from the bundle after migration).
+function resolveRealNode() {
+  let n = process.execPath;
+  if (!n || n.includes('.app/Contents/MacOS/')) {
+    try { n = execFileSync('node', ['-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); } catch {}
+  }
+  return n;
+}
+
+// Clone (APFS copy-on-write, near-free) or copy a binary into place, executable.
+function placeBinary(src, dest) {
+  try { fs.rmSync(dest, { force: true }); } catch {}
+  try { execFileSync('cp', ['-c', src, dest], { stdio: 'ignore' }); }
+  catch { fs.copyFileSync(src, dest); }
+  fs.chmodSync(dest, 0o755);
+}
+
+// A dynamically-linked node (e.g. Homebrew) references @rpath/libnode.*.dylib (and ICU)
+// resolved via its rpath @loader_path/../lib. When we clone node into Contents/MacOS, that
+// rpath resolves to Contents/lib — so we copy the transitive @rpath dylibs there and the
+// unchanged rpath finds them (no install_name_tool needed). Self-contained nodes have no
+// @rpath deps and this is a no-op. Returns the list of copied dylib paths (to sign).
+function bundleNodeDylibs(realNode, libDir) {
+  const copied = [];
+  const seen = new Set();
+  const nodeLibDir = path.resolve(path.dirname(realNode), '..', 'lib');
+  const rpathDeps = (bin) => {
+    try {
+      return execFileSync('otool', ['-L', bin], { encoding: 'utf8' })
+        .split('\n').map((l) => l.trim().split(/\s+/)[0]).filter((d) => d.startsWith('@rpath/'));
+    } catch { return []; }
+  };
+  const rpathsOf = (bin) => {
+    const rp = [];
+    try {
+      const o = execFileSync('otool', ['-l', bin], { encoding: 'utf8' });
+      const re = /cmd LC_RPATH[\s\S]*?path (.+?) \(offset/g;
+      let m; while ((m = re.exec(o))) rp.push(m[1].trim());
+    } catch {}
+    return rp;
+  };
+  const resolveSrc = (dep, binPath, binOrigDir) => {
+    const name = dep.slice('@rpath/'.length);
+    for (const rp of rpathsOf(binPath)) {
+      const base = rp.replace('@loader_path', binOrigDir).replace('@executable_path', path.dirname(realNode));
+      const cand = path.resolve(base, name);
+      if (fs.existsSync(cand)) return cand;
+    }
+    const fb = path.join(nodeLibDir, name); // node's own lib dir (covers Homebrew layout)
+    return fs.existsSync(fb) ? fb : null;
+  };
+  const walk = (binPath, binOrigDir) => {
+    for (const dep of rpathDeps(binPath)) {
+      const name = dep.slice('@rpath/'.length);
+      if (seen.has(name)) continue;
+      const src = resolveSrc(dep, binPath, binOrigDir);
+      if (!src) continue;
+      seen.add(name);
+      fs.mkdirSync(libDir, { recursive: true });
+      const dest = path.join(libDir, name);
+      placeBinary(src, dest);
+      copied.push(dest);
+      walk(dest, path.dirname(src)); // recurse; resolve nested deps against the source's dir
+    }
+  };
+  walk(realNode, path.dirname(realNode));
+  return copied;
+}
+
+function writeInfoPlist(plistPath, b, version) {
+  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  fs.writeFileSync(plistPath, `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleName</key><string>${esc(b.name)}</string>
+  <key>CFBundleDisplayName</key><string>${esc(b.name)}</string>
+  <key>CFBundleIdentifier</key><string>${esc(b.bundleId)}</string>
+  <key>CFBundleExecutable</key><string>${esc(b.exec)}</string>
+  <key>CFBundleIconFile</key><string>AppIcon</string>
+  <key>CFBundlePackageType</key><string>APPL</string>
+  <key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
+  <key>CFBundleVersion</key><string>${esc(version)}</string>
+  <key>CFBundleShortVersionString</key><string>${esc(version)}</string>
+  <key>LSUIElement</key><true/>
+  <key>LSMinimumSystemVersion</key><string>11.0</string>
+</dict>
+</plist>
+`);
+}
+
+// Generate an .icns from a square PNG via sips + iconutil (install-time fallback when
+// no prebuilt .icns shipped). Best-effort; throws if the toolchain is missing.
+function generateIcns(srcPng, outIcns) {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'walle-icns-'));
+  try {
+    const iconset = path.join(tmp, 'AppIcon.iconset');
+    fs.mkdirSync(iconset, { recursive: true });
+    for (const sz of [16, 32, 128, 256, 512]) {
+      execFileSync('sips', ['-z', String(sz), String(sz), srcPng, '--out', path.join(iconset, `icon_${sz}x${sz}.png`)], { stdio: 'ignore' });
+      execFileSync('sips', ['-z', String(sz * 2), String(sz * 2), srcPng, '--out', path.join(iconset, `icon_${sz}x${sz}@2x.png`)], { stdio: 'ignore' });
+    }
+    execFileSync('iconutil', ['-c', 'icns', iconset, '-o', outIcns], { stdio: 'ignore' });
+  } finally {
+    try { fs.rmSync(tmp, { recursive: true, force: true }); } catch {}
+  }
+}
+
+function placeIcns(walleDir, b, resDir) {
+  const out = path.join(resDir, 'AppIcon.icns');
+  const shipped = path.join(walleDir, 'shared', 'icons', b.icns);
+  if (fs.existsSync(shipped)) { try { fs.copyFileSync(shipped, out); return true; } catch {} }
+  const png = path.join(walleDir, 'claude-task-manager', 'public', 'icon-512.png');
+  if (fs.existsSync(png)) { try { generateIcns(png, out); return true; } catch {} }
+  return false; // valid bundle without an icon (generic) — graceful
+}
+
+// A clickable launcher app in ~/Applications (Launchpad / Spotlight / Dock) that brings
+// the CTM primary back up if it's down and opens the dashboard. Unlike the daemon bundles
+// (LSUIElement node), this is a normal app the user can launch when the server is dead —
+// a web button can't help then (nothing is serving the page). Returns the .app path or null.
+function buildLauncherApp(walleDir) {
+  if (process.platform !== 'darwin') return null;
+  try {
+    const appsDir = process.env.WALLE_APPLICATIONS_DIR || path.join(process.env.HOME, 'Applications');
+    const appDir = path.join(appsDir, 'Wall-E.app');
+    const macosDir = path.join(appDir, 'Contents', 'MacOS');
+    const resDir = path.join(appDir, 'Contents', 'Resources');
+    fs.mkdirSync(macosDir, { recursive: true });
+    fs.mkdirSync(resDir, { recursive: true });
+
+    let port = '3456';
+    try { const m = fs.readFileSync(path.join(walleDir, '.env'), 'utf8').match(/^\s*CTM_PORT\s*=\s*(\d+)/m); if (m) port = m[1]; } catch {}
+
+    const exec = path.join(macosDir, 'Wall-E');
+    fs.writeFileSync(exec, `#!/bin/bash
+# Wall-E launcher — start the CTM primary if it's down, then open the dashboard.
+PORT="${port}"
+UID_N="$(id -u)"
+if launchctl print "gui/$UID_N/com.walle.server" >/dev/null 2>&1; then
+  launchctl kickstart "gui/$UID_N/com.walle.server" >/dev/null 2>&1 || true
+else
+  PLIST="$HOME/Library/LaunchAgents/com.walle.server.plist"
+  if [ -f "$PLIST" ]; then
+    launchctl bootstrap "gui/$UID_N" "$PLIST" >/dev/null 2>&1 || true
+  elif [ -f "${walleDir}/claude-task-manager/bin/restart-ctm.sh" ]; then
+    bash "${walleDir}/claude-task-manager/bin/restart-ctm.sh" >/dev/null 2>&1 || true
+  fi
+fi
+SCHEME="http"
+for i in $(seq 1 30); do
+  if curl -s  --max-time 1 "http://localhost:$PORT"  >/dev/null 2>&1; then SCHEME="http";  break; fi
+  if curl -sk --max-time 1 "https://localhost:$PORT" >/dev/null 2>&1; then SCHEME="https"; break; fi
+  sleep 0.5
+done
+open "$SCHEME://localhost:$PORT" 2>/dev/null || true
+`, { mode: 0o755 });
+
+    const version = (() => { try { return String(require('../package.json').version || '0'); } catch { return '0'; } })();
+    const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+    fs.writeFileSync(path.join(appDir, 'Contents', 'Info.plist'), `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleName</key><string>Wall-E</string>
+  <key>CFBundleDisplayName</key><string>Wall-E</string>
+  <key>CFBundleIdentifier</key><string>com.walle.launcher</string>
+  <key>CFBundleExecutable</key><string>Wall-E</string>
+  <key>CFBundleIconFile</key><string>AppIcon</string>
+  <key>CFBundlePackageType</key><string>APPL</string>
+  <key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
+  <key>CFBundleVersion</key><string>${esc(version)}</string>
+  <key>CFBundleShortVersionString</key><string>${esc(version)}</string>
+  <key>LSMinimumSystemVersion</key><string>11.0</string>
+</dict>
+</plist>
+`);
+    placeIcns(walleDir, { icns: 'AppIcon-walle.icns' }, resDir);
+    return appDir;
+  } catch { return null; }
+}
+
+// Idempotently ensure a stable self-signed code-signing identity in a dedicated keychain
+// (avoids login-keychain prompts; stable designated requirement so TCC survives updates).
+// Returns the identity common name (codesign --sign "<CN>" works with an untrusted
+// self-signed cert — find-identity -v would omit it). Null if signing is unavailable.
+function ensureSigningIdentity() {
+  if (process.platform !== 'darwin') return null;
+  const pw = 'walle';
+  // Count CERTS by common name (trust-independent; find-identity -v hides untrusted certs).
+  // codesign matches certs BY NAME, so 2 certs with this CN → "ambiguous" failures.
+  const certCount = () => {
+    try { return (execFileSync('security', ['find-certificate', '-a', '-c', SIGN_IDENTITY_CN, SIGN_KEYCHAIN], { encoding: 'utf8' }).match(/^keychain:/gm) || []).length; }
+    catch { return 0; }
+  };
+  // The cert's SHA-1 (trust-independent via -Z). Sign by hash, not name: codesign --sign
+  // "<CN>" scans the WHOLE search list and goes "ambiguous" if another keychain holds a
+  // same-named cert; a hash matches exactly one cert. Same cert → same hash → stable DR.
+  const identitySha = () => {
+    try {
+      const out = execFileSync('security', ['find-certificate', '-a', '-c', SIGN_IDENTITY_CN, '-Z', SIGN_KEYCHAIN], { encoding: 'utf8' });
+      const m = out.match(/SHA-1 hash:\s*([0-9A-Fa-f]{40})/);
+      return m ? m[1] : null;
+    } catch { return null; }
+  };
+  try {
+    if (fs.existsSync(SIGN_KEYCHAIN)) {
+      let unlocked = false;
+      try {
+        execFileSync('security', ['unlock-keychain', '-p', pw, SIGN_KEYCHAIN], { stdio: 'ignore' });
+        unlocked = true;
+      } catch {}
+      if (!unlocked && certCount() < 1) {
+        try { execFileSync('security', ['delete-keychain', SIGN_KEYCHAIN], { stdio: 'ignore' }); } catch {}
+      }
+      // Reset to a single clean identity if duplicate certs accumulated (→ ambiguous).
+      if (fs.existsSync(SIGN_KEYCHAIN) && certCount() > 1) { try { execFileSync('security', ['delete-keychain', SIGN_KEYCHAIN], { stdio: 'ignore' }); } catch {} }
+    }
+    fs.mkdirSync(path.dirname(SIGN_KEYCHAIN), { recursive: true });
+    if (!fs.existsSync(SIGN_KEYCHAIN)) execFileSync('security', ['create-keychain', '-p', pw, SIGN_KEYCHAIN], { stdio: 'ignore' });
+    execFileSync('security', ['set-keychain-settings', SIGN_KEYCHAIN], { stdio: 'ignore' }); // no auto-lock timeout
+    execFileSync('security', ['unlock-keychain', '-p', pw, SIGN_KEYCHAIN], { stdio: 'ignore' });
+    try {
+      const list = execFileSync('security', ['list-keychains', '-d', 'user'], { encoding: 'utf8' })
+        .split('\n').map((s) => s.trim().replace(/^"|"$/g, '')).filter(Boolean);
+      if (!list.includes(SIGN_KEYCHAIN)) execFileSync('security', ['list-keychains', '-d', 'user', '-s', ...list, SIGN_KEYCHAIN], { stdio: 'ignore' });
+    } catch {}
+    if (certCount() < 1) {
+      const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'walle-sign-'));
+      try {
+        const keyPem = path.join(tmp, 'key.pem'), certPem = path.join(tmp, 'cert.pem'), p12 = path.join(tmp, 'id.p12');
+        execFileSync('openssl', ['req', '-x509', '-newkey', 'rsa:2048', '-nodes', '-days', '3650', '-keyout', keyPem, '-out', certPem,
+          '-subj', `/CN=${SIGN_IDENTITY_CN}`, '-addext', 'keyUsage=critical,digitalSignature', '-addext', 'extendedKeyUsage=critical,codeSigning'], { stdio: 'ignore' });
+        execFileSync('openssl', ['pkcs12', '-export', '-inkey', keyPem, '-in', certPem, '-out', p12, '-passout', 'pass:' + pw], { stdio: 'ignore' });
+        execFileSync('security', ['import', p12, '-k', SIGN_KEYCHAIN, '-P', pw, '-T', '/usr/bin/codesign', '-T', '/usr/bin/security'], { stdio: 'ignore' });
+      } finally {
+        try { fs.rmSync(tmp, { recursive: true, force: true }); } catch {}
+      }
+    }
+    // ALWAYS (re)authorize codesign to use the key non-interactively (reuse may have relocked).
+    try { execFileSync('security', ['set-key-partition-list', '-S', 'apple-tool:,apple:', '-s', '-k', pw, SIGN_KEYCHAIN], { stdio: 'ignore' }); } catch {}
+    return identitySha();
   } catch {
-    // swiftc not available or compilation failed — non-fatal
-    console.log(`  ${DIM}Skipped hotkey daemon (Swift compiler not available)${RESET}`);
+    return null;
+  }
+}
+
+function signArtifacts(identity, items) {
+  if (!identity) return false;
+  let ok = true;
+  for (const it of items) {
+    try {
+      const args = ['--force', '--sign', identity, '--identifier', it.id, '--keychain', SIGN_KEYCHAIN];
+      if (it.deep) args.push('--deep'); // also sign nested dylibs in Contents/lib (self-signed local use)
+      args.push(it.path);
+      execFileSync('codesign', args, { stdio: 'ignore', timeout: 120000 });
+    } catch { ok = false; }
+  }
+  return ok;
+}
+
+// Build (or refresh) the per-daemon .app bundles so CTM and Wall-E show a real icon +
+// name in Activity Monitor, then self-sign them and the hotkey for stable TCC. darwin-only,
+// best-effort: any failure logs a dim notice and leaves the install working (unsigned/
+// iconless at worst — process names still come from process.title).
+function buildAppBundles(walleDir) {
+  if (process.platform !== 'darwin') return;
+  try {
+    const realNode = resolveRealNode();
+    if (!realNode || !fs.existsSync(realNode)) return;
+    const version = (() => { try { return String(require('../package.json').version || '0'); } catch { return '0'; } })();
+    fs.mkdirSync(BUNDLE_ROOT, { recursive: true });
+    // Record the real node we cloned from. At runtime CTM/Wall-E spawn their children from
+    // this (not the self-signed bundle clone) so a multi-session restart doesn't bury the
+    // macOS endpoint-security stack under a storm of novel-binary AUTH_EXEC evaluations.
+    try { fs.writeFileSync(path.join(BUNDLE_ROOT, 'node-origin'), realNode + '\n'); } catch {}
+    for (const b of APP_BUNDLES) {
+      const appDir = path.join(BUNDLE_ROOT, b.app);
+      const macosDir = path.join(appDir, 'Contents', 'MacOS');
+      const resDir = path.join(appDir, 'Contents', 'Resources');
+      fs.mkdirSync(macosDir, { recursive: true });
+      fs.mkdirSync(resDir, { recursive: true });
+      placeBinary(realNode, path.join(macosDir, b.exec));
+      // Co-locate node's @rpath dylibs (libnode/ICU for dynamically-linked builds) so the
+      // cloned exec runs from inside the bundle. No-op for a self-contained node.
+      bundleNodeDylibs(realNode, path.join(appDir, 'Contents', 'lib'));
+      writeInfoPlist(path.join(appDir, 'Contents', 'Info.plist'), b, version);
+      placeIcns(walleDir, b, resDir);
+    }
+    // Clickable launcher in ~/Applications (Launchpad/Dock) to revive a dead primary.
+    const launcher = buildLauncherApp(walleDir);
+    const identity = ensureSigningIdentity();
+    const items = APP_BUNDLES.map((b) => ({ path: path.join(BUNDLE_ROOT, b.app), id: b.bundleId, deep: true }));
+    if (launcher) items.push({ path: launcher, id: 'com.walle.launcher', deep: true });
+    // The hotkey is its own LSUIElement .app bundle under BUNDLE_ROOT (built by
+    // compileHotkeyDaemon); sign it alongside the daemon bundles. It follows BUNDLE_ROOT, so a
+    // WALLE_BUNDLE_DIR test dir signs the test bundle, never the live one.
+    const hotkeyBundle = path.join(BUNDLE_ROOT, 'CTM-Screenshot.app');
+    if (fs.existsSync(hotkeyBundle)) items.push({ path: hotkeyBundle, id: 'com.walle.ctm.hotkey', deep: true });
+    const signed = signArtifacts(identity, items);
+    console.log(`  ${GREEN}Built app bundles + launcher${RESET} ${DIM}(${BUNDLE_ROOT}${signed ? ', signed' : ', unsigned'})${RESET}`);
+  } catch (e) {
+    console.log(`  ${DIM}Skipped app bundles (${e && e.message ? e.message : e})${RESET}`);
   }
 }
 
@@ -767,4 +1521,20 @@ module.exports = {
   repairNativeDependencies,
   resolveNpmRunner,
   writeCliLifecycleEvent,
+  buildAppBundles,
+  ensureSigningIdentity,
+  signArtifacts,
+  ctmBundleExec,
+  walleBundleExec,
+  execTeamIdentifier,
+  daemonExec,
+  daemonNodeForBuild,
+  validatedNotarizedNode,
+  verifyNotarizedNode,
+  nodeReportsVersion,
+  ensureNotarizedDaemonNode,
+  disableNotarizedNode,
+  notarizedNodeDir,
+  notarizedNodePath,
+  NOTARIZED_NODE_VERSION,
 };