create-walle 0.9.28 → 0.9.29

package/README.md

@@ -40,9 +40,9 @@ This copies the project, installs dependencies, auto-detects your name and timez
 
 ### Download for Mac (no terminal)
 
-Prefer a click-to-install app? Download the notarized **Wall-E.app** (Apple Silicon):
+Prefer a click-to-install app? Download the notarized **Wall-E.app** (Apple Silicon & Intel):
 
-**⬇ [Download for Mac](https://github.com/ShanniLi/walle-dist/releases/latest)** → `Wall-E-…-arm64.dmg`
+**⬇ [Download for Mac](https://github.com/ShanniLi/walle-dist/releases/latest)** → `Wall-E-…-arm64.dmg` (Apple Silicon) or `Wall-E-…-x64.dmg` (Intel)
 
 Open the DMG, drag **Wall-E** to Applications, and launch it. First run installs everything into `~/.walle` and opens the dashboard — Developer-ID notarized + stapled, so there's no Gatekeeper warning. Under the hood it runs the same `create-walle` setup.
 

package/bin/create-walle.js

@@ -38,6 +38,21 @@ const NATIVE_DEPENDENCIES = new Set([
 // create-walle/macos/build-macos-app.sh (NODE_VERSION). Set WALLE_NO_NOTARIZED_NODE=1 to opt out.
 const NOTARIZED_NODE_VERSION = '25.2.1';
 
+// ── Branded notarized macOS app (the real Screen Recording fix for no-Dev-ID users) ──
+// A bare notarized node is stable but anonymous — macOS shows "node" in the Screen Recording
+// prompt. The downloadable Developer-ID-notarized Wall-E.app runs the daemon under its OWN vendored
+// node, whose signature is part of the branded bundle (Team HQSJ8SS8Q6), so the grant shows
+// "Wall-E", auto-lists, and persists. `npx create-walle` users never get that app — so we fetch the
+// SAME prebuilt notarized app once and adopt its vendored node as the daemon identity (parity with
+// the downloadable app's `WALLE_NOTARIZED_NODE`). All best-effort: a download/verify failure leaves
+// the daemon on the bare notarized node (no regression). Set WALLE_NO_BRANDED_APP=1 to opt out.
+// The runtime-shell app is versioned independently of the npm package (it changes only when the
+// vendored Node / entitlements / signing change) — keep in sync with build-macos-app.sh VERSION.
+const NOTARIZED_APP_VERSION = '1.0.2';
+const NOTARIZED_APP_TEAM_ID = 'HQSJ8SS8Q6';
+const WALLE_DIST_RELEASE_BASE = process.env.WALLE_DIST_RELEASE_BASE
+  || 'https://github.com/ShanniLi/walle-dist/releases/download';
+
 // Files to preserve during update (user config, not code)
 const PRESERVE_ON_UPDATE = ['.env', 'wall-e/wall-e-config.json'];
 
@@ -88,10 +103,11 @@ function execTeamIdentifier(binaryPath) {
 //      app's own branded launcher identity, so it shows "Wall-E").
 //   2. The CTM .app bundle exec WHEN it carries a stable Team Identifier (Developer-ID-signed by
 //      bin/ensure-stable-node.js) — branded AND grant-persisting.
-//   3. The official notarized node we downloaded ourselves — stable but anonymous ("node"); the
-//      fallback for machines without a Developer ID, where a branded-stable bundle isn't possible.
-//   4. The self-signed CTM bundle exec — branded but re-prompts (no stable Team ID).
-//   5. The running node.
+//   3. The adopted Developer-ID-notarized Wall-E.app's vendored node (ensureNotarizedBrandedApp) —
+//      branded ("Wall-E") AND grant-persisting, for no-Dev-ID machines (the npx common case).
+//   4. The official notarized node we downloaded ourselves — stable but anonymous ("node").
+//   5. The self-signed CTM bundle exec — branded but re-prompts (no stable Team ID).
+//   6. The running node.
 function daemonExec() {
   const notarized = process.env.WALLE_NOTARIZED_NODE;
   if (notarized && process.platform === 'darwin') {
@@ -104,6 +120,11 @@ function daemonExec() {
     // Prefer the branded bundle only when it is Developer-ID-signed (has a Team ID): branded AND
     // its grants persist. Otherwise prefer the notarized bare node (stable but "node").
     if (bundleExists && execTeamIdentifier(bundle)) return bundle;
+    // Adopted Developer-ID-notarized Wall-E.app vendored node — branded ("Wall-E") AND
+    // grant-persisting, for no-Dev-ID npx users where the bundle above has no Team ID. Beats the
+    // bare notarized node (anonymous "node").
+    const brandedApp = validatedNotarizedApp();
+    if (brandedApp) return brandedApp;
     const own = validatedNotarizedNode();
     if (own) return own;
     if (bundleExists) return bundle; // self-signed branded bundle — branded name, but re-prompts
@@ -140,10 +161,13 @@ function validatedNotarizedNode() {
   return null;
 }
 
-// The node whose ABI native modules must target = whatever the daemon will run under.
+// The node whose ABI native modules must target = whatever the daemon will run under. The bare
+// notarized node and the adopted branded app's vendored node are BOTH pinned to NOTARIZED_NODE_VERSION
+// (same ABI), so order is belt-and-suspenders; the app fallback only matters in the edge where the
+// node fetch failed but the app fetch succeeded (the daemon then runs under the app's vendored node).
 function daemonNodeForBuild() {
   if (process.platform !== 'darwin') return process.execPath;
-  return validatedNotarizedNode() || process.execPath;
+  return validatedNotarizedNode() || validatedNotarizedApp() || process.execPath;
 }
 
 function nodeReportsVersion(bin, version) {
@@ -238,6 +262,124 @@ function disableNotarizedNode() {
   try { fs.rmSync(notarizedNodePath(), { force: true }); } catch {}
 }
 
+// ── Branded notarized app adoption (mirrors the notarized-node fetch above) ──
+
+function notarizedAppDir() {
+  return process.env.WALLE_NOTARIZED_APP_DIR || path.join(process.env.HOME, '.walle', 'notarized-app');
+}
+
+// The vendored node inside the adopted Wall-E.app — the exact path the downloadable app uses as
+// WALLE_NOTARIZED_NODE. It lives in Contents/Resources (NOT Contents/MacOS), so isBundleExec() is
+// false for it and the screenshot bridge routes capture through it under the branded identity.
+// A SEPARATE dir from ~/.walle/bundles (which buildAppBundles re-clones every update and would
+// clobber the notarized app).
+function notarizedAppVendoredNode() {
+  return path.join(notarizedAppDir(), 'Wall-E.app', 'Contents', 'Resources', 'node');
+}
+
+// Returns the adopted app's vendored node ONLY when the marker matches the pinned app version (the
+// marker is written last, so a partial/failed download is never trusted). Cheap — no codesign here;
+// signature verification happens once at adopt time in ensureNotarizedBrandedApp.
+function validatedNotarizedApp() {
+  if (process.platform !== 'darwin') return null;
+  if (process.env.WALLE_NO_BRANDED_APP === '1') return null;
+  const node = notarizedAppVendoredNode();
+  const marker = path.join(notarizedAppDir(), 'version');
+  try {
+    if (fs.existsSync(node) && fs.existsSync(marker) &&
+        fs.readFileSync(marker, 'utf8').trim() === NOTARIZED_APP_VERSION) {
+      return node;
+    }
+  } catch {}
+  return null;
+}
+
+// codesign --verify --strict gates adoption (catches a tampered/altered bundle); the vendored node
+// must carry the expected Developer-ID Team Identifier (else it's not the branded notarized app and
+// would prompt as "node" anyway). spctl is informational only.
+function verifyNotarizedApp(appDir, { log } = {}) {
+  try {
+    execFileSync('codesign', ['--verify', '--strict', appDir], { stdio: 'pipe', timeout: 60000 });
+  } catch {
+    return false;
+  }
+  const vendored = path.join(appDir, 'Contents', 'Resources', 'node');
+  if (execTeamIdentifier(vendored) !== NOTARIZED_APP_TEAM_ID) return false;
+  if (log) {
+    let assessment;
+    try {
+      execFileSync('spctl', ['-a', '-vv', '--type', 'exec', vendored], { stdio: 'pipe', timeout: 30000 });
+      assessment = 'accepted (notarized)';
+    } catch { assessment = 'signature valid (spctl unconfirmed)'; }
+    log(`  ${DIM}app signature: ${assessment}${RESET}`);
+  }
+  return true;
+}
+
+// Download (once) the prebuilt Developer-ID-notarized Wall-E.app and adopt its vendored node as the
+// daemon identity. Returns the vendored-node path on success, else null (daemon keeps its current
+// node). Best-effort: any failure is non-blocking. Mirrors ensureNotarizedDaemonNode's
+// download→verify→marker-last discipline.
+function ensureNotarizedBrandedApp({ log = console.log } = {}) {
+  if (process.platform !== 'darwin') return null;
+  if (process.env.WALLE_NO_BRANDED_APP === '1') return null;
+  const arch = process.arch === 'arm64' ? 'arm64' : process.arch === 'x64' ? 'x64' : null;
+  if (!arch) return null;
+
+  const dir = notarizedAppDir();
+  const appDir = path.join(dir, 'Wall-E.app');
+  const vendored = notarizedAppVendoredNode();
+  const marker = path.join(dir, 'version');
+
+  // Cached and still valid (marker + signature) → reuse (the "download once").
+  if (validatedNotarizedApp() && verifyNotarizedApp(appDir)) {
+    return vendored;
+  }
+
+  let tmp;
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    const asset = `Wall-E-${NOTARIZED_APP_VERSION}-${arch}.zip`;
+    const url = `${WALLE_DIST_RELEASE_BASE}/v${NOTARIZED_APP_VERSION}/${asset}`;
+    tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'walle-napp-'));
+    const zip = path.join(tmp, asset);
+    log(`  Downloading notarized Wall-E.app ${NOTARIZED_APP_VERSION} (${arch})…`);
+    execFileSync('curl', ['-fsSL', '-o', zip, url], { timeout: 300000, stdio: 'pipe' });
+    // ditto -x -k preserves the code signature + stapled notarization ticket through extraction.
+    const exDir = path.join(tmp, 'x');
+    fs.mkdirSync(exDir, { recursive: true });
+    execFileSync('ditto', ['-x', '-k', zip, exDir], { timeout: 120000, stdio: 'pipe' });
+    const extractedApp = path.join(exDir, 'Wall-E.app');
+    if (!fs.existsSync(extractedApp)) throw new Error('archive missing Wall-E.app');
+    // Verify BEFORE adopting — never install an unsigned/wrong-team bundle.
+    if (!verifyNotarizedApp(extractedApp)) throw new Error('signature/team verification failed');
+    const exVendored = path.join(extractedApp, 'Contents', 'Resources', 'node');
+    if (!nodeReportsVersion(exVendored, NOTARIZED_NODE_VERSION)) throw new Error('vendored node ABI mismatch');
+
+    fs.rmSync(appDir, { recursive: true, force: true });
+    fs.rmSync(marker, { force: true });
+    fs.cpSync(extractedApp, appDir, { recursive: true });
+    fs.chmodSync(vendored, 0o755);
+
+    if (!verifyNotarizedApp(appDir, { log })) throw new Error('post-install verification failed');
+    fs.writeFileSync(marker, `${NOTARIZED_APP_VERSION}\n`);
+    log(`  ${GREEN}Notarized Wall-E.app ready${RESET} ${DIM}(${appDir})${RESET}`);
+    return vendored;
+  } catch (e) {
+    log(`  ${DIM}Notarized branded app unavailable (${e && e.message ? e.message : e}) — daemon keeps its current node${RESET}`);
+    disableNotarizedBrandedApp();
+    return null;
+  } finally {
+    if (tmp) { try { fs.rmSync(tmp, { recursive: true, force: true }); } catch {} }
+  }
+}
+
+// Drop the marker (and app) so daemonExec stops trusting it. Used when the download/verify fails.
+function disableNotarizedBrandedApp() {
+  try { fs.rmSync(path.join(notarizedAppDir(), 'version'), { force: true }); } catch {}
+  try { fs.rmSync(path.join(notarizedAppDir(), 'Wall-E.app'), { recursive: true, force: true }); } catch {}
+}
+
 function writeCliLifecycleEvent(event, meta = {}) {
   if (process.env.WALLE_TELEMETRY === '0' || process.env.WALLE_TELEMETRY === 'false') return;
   try {
@@ -389,6 +531,9 @@ function install(targetDir) {
   // Fetch the notarized daemon node BEFORE installing deps, so native modules build against
   // its ABI (the daemon and its forks will all run under it). Best-effort / macOS-only.
   ensureNotarizedDaemonNode();
+  // Adopt the branded notarized Wall-E.app so the Screen Recording grant shows "Wall-E" (not the
+  // anonymous "node"). Best-effort; daemonExec prefers its vendored node when present.
+  ensureNotarizedBrandedApp();
 
   console.log(`  Installing dependencies...\n`);
   npmInstall(targetDir);
@@ -412,6 +557,10 @@ function install(targetDir) {
     `CTM_PORT=${port}`,
     `WALL_E_PORT=${wallePort}`,
     '',
+    '# Terminal rendering: Option B (mosh-style server-authoritative state-sync) is on by default.',
+    '# Uncomment to fall back to the raw byte-stream render path.',
+    '# CTM_STATE_SYNC=0',
+    '',
     '# SLACK_TOKEN=',
     '# SLACK_OWNER_USER_ID=',
     '# SLACK_OWNER_HANDLE=',
@@ -509,6 +658,9 @@ function update() {
   // 6. Reinstall deps (in case package.json changed). Refresh the notarized daemon node first
   // so native modules rebuild against its ABI (idempotent: a valid cache is reused, not re-DLed).
   ensureNotarizedDaemonNode();
+  // Refresh the branded notarized Wall-E.app (idempotent) so the in-web upgrade migrates a user
+  // off the anonymous "node" Screen Recording identity onto the branded "Wall-E" one.
+  ensureNotarizedBrandedApp();
   console.log(`  Installing dependencies...\n`);
   npmInstall(dir);
 
@@ -1537,4 +1689,12 @@ module.exports = {
   notarizedNodeDir,
   notarizedNodePath,
   NOTARIZED_NODE_VERSION,
+  ensureNotarizedBrandedApp,
+  validatedNotarizedApp,
+  verifyNotarizedApp,
+  disableNotarizedBrandedApp,
+  notarizedAppDir,
+  notarizedAppVendoredNode,
+  NOTARIZED_APP_VERSION,
+  NOTARIZED_APP_TEAM_ID,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-walle",
-  "version": "0.9.28",
+  "version": "0.9.29",
   "description": "CTM + Wall-E — AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini, Aider, OpenCode, and more, plus prompt editor, task queue, remote phone and tablet access, code/doc review, and an agent that learns from Slack, email & calendar.",
   "bin": {
     "create-walle": "bin/create-walle.js"

package/template/bin/ctm-launch.sh

@@ -47,6 +47,13 @@ CTM_BUNDLE="$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding T
 if _ver_match "$CTM_BUNDLE" && codesign -dv "$CTM_BUNDLE" 2>&1 | grep -q '^TeamIdentifier=[A-Z0-9]'; then
   exec "$CTM_BUNDLE" "$SERVER" "$@"
 fi
+# 2.5) The adopted Developer-ID-notarized Wall-E.app's vendored node (create-walle
+#    ensureNotarizedBrandedApp) — branded "Wall-E" AND grant-persisting, for no-Dev-ID machines.
+#    Gated on the version match + a stable Team Identifier (skips a self-signed/wrong bundle).
+BRANDED_APP_NODE="$HOME/.walle/notarized-app/Wall-E.app/Contents/Resources/node"
+if _ver_match "$BRANDED_APP_NODE" && codesign -dv "$BRANDED_APP_NODE" 2>&1 | grep -q '^TeamIdentifier=[A-Z0-9]'; then
+  exec "$BRANDED_APP_NODE" "$SERVER" "$@"
+fi
 # 3) Notarized node we provisioned ourselves (~/.walle/notarized-node) — stable but anonymous
 #    ("node"); the fallback for machines without a Developer ID.
 NOTARIZED_NODE="$HOME/.walle/notarized-node/bin/node"

package/template/bin/dev.sh

@@ -221,6 +221,11 @@ elif [[ "$MODE" == "refresh" ]]; then
   elif [[ "$COPY_IMAGES" != "1" ]]; then
     echo "  Images: skipped (--no-images)"
   fi
+  rm -rf "$DEV_DIR/scrollback"
+  if [[ -d "$PROD_CTM_DIR/scrollback" ]]; then
+    echo "  Scrollback: syncing $PROD_CTM_DIR/scrollback -> $DEV_DIR/scrollback"
+    "$NODE_BIN" "$ROOT/bin/sync-images.js" "$PROD_CTM_DIR/scrollback" "$DEV_DIR/scrollback"
+  fi
   # Ensure the dev instance owns its WAL files from first open.
   rm -f "$DEV_DIR"/*.db-wal "$DEV_DIR"/*.db-shm
 elif [[ "$MODE" == "reuse" ]]; then

package/template/claude-task-manager/api-prompts.js

@@ -1053,7 +1053,6 @@ const {
   createCodexUserDeduper,
   parseCodexJsonlFileIntoMessagesAsync,
   parseCodexJsonlFileIntoMessages,
-  parseCodexJsonlIntoMessages,
   readCodexRolloutMetadata,
 } = require('./lib/session-history');
 const fsp = require('fs').promises;
@@ -1592,17 +1591,6 @@ function _codexUserDeduperFromMessages(messages) {
   return createCodexUserDeduper((Array.isArray(messages) ? messages : []).filter(msg => msg && msg.role === 'user'));
 }
 
-async function _readFileRange(filePath, start, length) {
-  const fh = await fsp.open(filePath, 'r');
-  try {
-    const buf = Buffer.alloc(length);
-    const { bytesRead } = await fh.read(buf, 0, length, start);
-    return buf.subarray(0, bytesRead).toString('utf8');
-  } finally {
-    await fh.close();
-  }
-}
-
 function _conversationImportIndexRows() {
   // Attribution: two full-table index scans built on every conversation-import
   // tick. They run as the sync prefix of _conversationImportCandidates, which is
@@ -1794,8 +1782,15 @@ async function _importCodexSessionFile(parsed, filePath, options = {}) {
   const newMessages = [];
   let parsedTail;
   if (prevFileSize > 0 && parsed.fileSize > prevFileSize) {
-    const content = await _readFileRange(filePath, prevFileSize, parsed.fileSize - prevFileSize);
-    parsedTail = parseCodexJsonlIntoMessages(content, newMessages, { codexUserDeduper });
+    // Stream the new tail [prevFileSize, EOF) in bounded 1 MiB chunks, line-by-line. Reading the
+    // whole delta in one fs.read (the old _readFileRange path) passed a >2 GiB `length` for a
+    // session that grew >2 GiB since the last import, tripping V8's Int32 assertion in node::fs::Read
+    // and ABORTING the process (uncatchable) → launchd respawn loop → all Codex sessions unusable.
+    parsedTail = await parseCodexJsonlFileIntoMessagesAsync(filePath, newMessages, {
+      codexUserDeduper,
+      startOffset: prevFileSize,
+      yieldAfterMs: options.yieldAfterMs || 25,
+    });
   } else if (options.cooperative) {
     parsedTail = await parseCodexJsonlFileIntoMessagesAsync(filePath, newMessages, {
       codexUserDeduper,
@@ -2407,6 +2402,16 @@ function handleGetConversation(req, res, url) {
   const sessionId = url.pathname.split('/').pop();
   const conv = db.getSessionConversation(sessionId);
   if (!conv) return jsonResponse(res, 404, { error: 'Not found' });
+  // The stored `messages` blob is retired ('[]') by default — the conversation lives in the
+  // faithful session_message_rows. Hydrate the blob from rows for this cold API read so callers
+  // still receive the turns. O(N) reconstruction, paid only on this rare endpoint (the hot UI
+  // paths page rows directly and never hit this).
+  if ((!conv.messages || conv.messages === '[]') && typeof db.getSessionMessagesArray === 'function') {
+    try {
+      const rows = db.getSessionMessagesArray(sessionId, { fallbackToBlob: false });
+      if (Array.isArray(rows) && rows.length) conv.messages = JSON.stringify(rows);
+    } catch { /* fall through with the empty blob */ }
+  }
   jsonResponse(res, 200, conv);
 }
 
@@ -2926,10 +2931,22 @@ function screenshotResponsibleContext() {
   try { nodeIsBundle = require('./lib/real-node').isBundleExec(node); } catch {}
   const useBridge = disclaimOk && !!node && !nodeIsBundle;
   const responsiblePath = useBridge ? node : process.execPath;
-  const responsibleName = responsiblePath ? path.basename(responsiblePath) : 'CTM';
+  const responsibleName = screenshotResponsibleDisplayName(responsiblePath);
   return { realNode: node, disclaim, useBridge, responsiblePath, responsibleName, granted };
 }
 
+// macOS attributes the Screen Recording grant to the responsible binary's code SIGNATURE, and shows
+// the enclosing .app's CFBundleName. The adopted Developer-ID-notarized app's vendored node
+// (~/.walle/notarized-app/Wall-E.app/Contents/Resources/node, create-walle ensureNotarizedBrandedApp)
+// and the branded daemon bundles list as "Wall-E"/"Coding Task Manager", not the basename "node" —
+// so the guidance must name the entry the user will actually see, else they grant the wrong thing.
+function screenshotResponsibleDisplayName(responsiblePath) {
+  if (!responsiblePath) return 'CTM';
+  if (/(?:^|\/)Wall-E\.app\//.test(responsiblePath) || responsiblePath.includes('/.walle/notarized-app/')) return 'Wall-E';
+  if (/(?:^|\/)Coding Task Manager\.app\//.test(responsiblePath)) return 'Coding Task Manager';
+  return path.basename(responsiblePath);
+}
+
 function screenshotCaptureCommand(tmpFile, context = {}) {
   if (context.useBridge) {
     return {