create-walle 0.9.28 → 0.9.30

package/README.md

@@ -40,9 +40,9 @@ This copies the project, installs dependencies, auto-detects your name and timez
 
 ### Download for Mac (no terminal)
 
-Prefer a click-to-install app? Download the notarized **Wall-E.app** (Apple Silicon):
+Prefer a click-to-install app? Download the notarized **Wall-E.app** (Apple Silicon & Intel):
 
-**⬇ [Download for Mac](https://github.com/ShanniLi/walle-dist/releases/latest)** → `Wall-E-…-arm64.dmg`
+**⬇ [Download for Mac](https://github.com/ShanniLi/walle-dist/releases/latest)** → `Wall-E-…-arm64.dmg` (Apple Silicon) or `Wall-E-…-x64.dmg` (Intel)
 
 Open the DMG, drag **Wall-E** to Applications, and launch it. First run installs everything into `~/.walle` and opens the dashboard — Developer-ID notarized + stapled, so there's no Gatekeeper warning. Under the hood it runs the same `create-walle` setup.
 

package/bin/create-walle.js

@@ -38,6 +38,21 @@ const NATIVE_DEPENDENCIES = new Set([
 // create-walle/macos/build-macos-app.sh (NODE_VERSION). Set WALLE_NO_NOTARIZED_NODE=1 to opt out.
 const NOTARIZED_NODE_VERSION = '25.2.1';
 
+// ── Branded notarized macOS app (the real Screen Recording fix for no-Dev-ID users) ──
+// A bare notarized node is stable but anonymous — macOS shows "node" in the Screen Recording
+// prompt. The downloadable Developer-ID-notarized Wall-E.app runs the daemon under its OWN vendored
+// node, whose signature is part of the branded bundle (Team HQSJ8SS8Q6), so the grant shows
+// "Wall-E", auto-lists, and persists. `npx create-walle` users never get that app — so we fetch the
+// SAME prebuilt notarized app once and adopt its vendored node as the daemon identity (parity with
+// the downloadable app's `WALLE_NOTARIZED_NODE`). All best-effort: a download/verify failure leaves
+// the daemon on the bare notarized node (no regression). Set WALLE_NO_BRANDED_APP=1 to opt out.
+// The runtime-shell app is versioned independently of the npm package (it changes only when the
+// vendored Node / entitlements / signing change) — keep in sync with build-macos-app.sh VERSION.
+const NOTARIZED_APP_VERSION = '1.0.2';
+const NOTARIZED_APP_TEAM_ID = 'HQSJ8SS8Q6';
+const WALLE_DIST_RELEASE_BASE = process.env.WALLE_DIST_RELEASE_BASE
+  || 'https://github.com/ShanniLi/walle-dist/releases/download';
+
 // Files to preserve during update (user config, not code)
 const PRESERVE_ON_UPDATE = ['.env', 'wall-e/wall-e-config.json'];
 
@@ -88,10 +103,11 @@ function execTeamIdentifier(binaryPath) {
 //      app's own branded launcher identity, so it shows "Wall-E").
 //   2. The CTM .app bundle exec WHEN it carries a stable Team Identifier (Developer-ID-signed by
 //      bin/ensure-stable-node.js) — branded AND grant-persisting.
-//   3. The official notarized node we downloaded ourselves — stable but anonymous ("node"); the
-//      fallback for machines without a Developer ID, where a branded-stable bundle isn't possible.
-//   4. The self-signed CTM bundle exec — branded but re-prompts (no stable Team ID).
-//   5. The running node.
+//   3. The adopted Developer-ID-notarized Wall-E.app's vendored node (ensureNotarizedBrandedApp) —
+//      branded ("Wall-E") AND grant-persisting, for no-Dev-ID machines (the npx common case).
+//   4. The official notarized node we downloaded ourselves — stable but anonymous ("node").
+//   5. The self-signed CTM bundle exec — branded but re-prompts (no stable Team ID).
+//   6. The running node.
 function daemonExec() {
   const notarized = process.env.WALLE_NOTARIZED_NODE;
   if (notarized && process.platform === 'darwin') {
@@ -104,6 +120,11 @@ function daemonExec() {
     // Prefer the branded bundle only when it is Developer-ID-signed (has a Team ID): branded AND
     // its grants persist. Otherwise prefer the notarized bare node (stable but "node").
     if (bundleExists && execTeamIdentifier(bundle)) return bundle;
+    // Adopted Developer-ID-notarized Wall-E.app vendored node — branded ("Wall-E") AND
+    // grant-persisting, for no-Dev-ID npx users where the bundle above has no Team ID. Beats the
+    // bare notarized node (anonymous "node").
+    const brandedApp = validatedNotarizedApp();
+    if (brandedApp) return brandedApp;
     const own = validatedNotarizedNode();
     if (own) return own;
     if (bundleExists) return bundle; // self-signed branded bundle — branded name, but re-prompts
@@ -140,10 +161,13 @@ function validatedNotarizedNode() {
   return null;
 }
 
-// The node whose ABI native modules must target = whatever the daemon will run under.
+// The node whose ABI native modules must target = whatever the daemon will run under. The bare
+// notarized node and the adopted branded app's vendored node are BOTH pinned to NOTARIZED_NODE_VERSION
+// (same ABI), so order is belt-and-suspenders; the app fallback only matters in the edge where the
+// node fetch failed but the app fetch succeeded (the daemon then runs under the app's vendored node).
 function daemonNodeForBuild() {
   if (process.platform !== 'darwin') return process.execPath;
-  return validatedNotarizedNode() || process.execPath;
+  return validatedNotarizedNode() || validatedNotarizedApp() || process.execPath;
 }
 
 function nodeReportsVersion(bin, version) {
@@ -238,6 +262,124 @@ function disableNotarizedNode() {
   try { fs.rmSync(notarizedNodePath(), { force: true }); } catch {}
 }
 
+// ── Branded notarized app adoption (mirrors the notarized-node fetch above) ──
+
+function notarizedAppDir() {
+  return process.env.WALLE_NOTARIZED_APP_DIR || path.join(process.env.HOME, '.walle', 'notarized-app');
+}
+
+// The vendored node inside the adopted Wall-E.app — the exact path the downloadable app uses as
+// WALLE_NOTARIZED_NODE. It lives in Contents/Resources (NOT Contents/MacOS), so isBundleExec() is
+// false for it and the screenshot bridge routes capture through it under the branded identity.
+// A SEPARATE dir from ~/.walle/bundles (which buildAppBundles re-clones every update and would
+// clobber the notarized app).
+function notarizedAppVendoredNode() {
+  return path.join(notarizedAppDir(), 'Wall-E.app', 'Contents', 'Resources', 'node');
+}
+
+// Returns the adopted app's vendored node ONLY when the marker matches the pinned app version (the
+// marker is written last, so a partial/failed download is never trusted). Cheap — no codesign here;
+// signature verification happens once at adopt time in ensureNotarizedBrandedApp.
+function validatedNotarizedApp() {
+  if (process.platform !== 'darwin') return null;
+  if (process.env.WALLE_NO_BRANDED_APP === '1') return null;
+  const node = notarizedAppVendoredNode();
+  const marker = path.join(notarizedAppDir(), 'version');
+  try {
+    if (fs.existsSync(node) && fs.existsSync(marker) &&
+        fs.readFileSync(marker, 'utf8').trim() === NOTARIZED_APP_VERSION) {
+      return node;
+    }
+  } catch {}
+  return null;
+}
+
+// codesign --verify --strict gates adoption (catches a tampered/altered bundle); the vendored node
+// must carry the expected Developer-ID Team Identifier (else it's not the branded notarized app and
+// would prompt as "node" anyway). spctl is informational only.
+function verifyNotarizedApp(appDir, { log } = {}) {
+  try {
+    execFileSync('codesign', ['--verify', '--strict', appDir], { stdio: 'pipe', timeout: 60000 });
+  } catch {
+    return false;
+  }
+  const vendored = path.join(appDir, 'Contents', 'Resources', 'node');
+  if (execTeamIdentifier(vendored) !== NOTARIZED_APP_TEAM_ID) return false;
+  if (log) {
+    let assessment;
+    try {
+      execFileSync('spctl', ['-a', '-vv', '--type', 'exec', vendored], { stdio: 'pipe', timeout: 30000 });
+      assessment = 'accepted (notarized)';
+    } catch { assessment = 'signature valid (spctl unconfirmed)'; }
+    log(`  ${DIM}app signature: ${assessment}${RESET}`);
+  }
+  return true;
+}
+
+// Download (once) the prebuilt Developer-ID-notarized Wall-E.app and adopt its vendored node as the
+// daemon identity. Returns the vendored-node path on success, else null (daemon keeps its current
+// node). Best-effort: any failure is non-blocking. Mirrors ensureNotarizedDaemonNode's
+// download→verify→marker-last discipline.
+function ensureNotarizedBrandedApp({ log = console.log } = {}) {
+  if (process.platform !== 'darwin') return null;
+  if (process.env.WALLE_NO_BRANDED_APP === '1') return null;
+  const arch = process.arch === 'arm64' ? 'arm64' : process.arch === 'x64' ? 'x64' : null;
+  if (!arch) return null;
+
+  const dir = notarizedAppDir();
+  const appDir = path.join(dir, 'Wall-E.app');
+  const vendored = notarizedAppVendoredNode();
+  const marker = path.join(dir, 'version');
+
+  // Cached and still valid (marker + signature) → reuse (the "download once").
+  if (validatedNotarizedApp() && verifyNotarizedApp(appDir)) {
+    return vendored;
+  }
+
+  let tmp;
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    const asset = `Wall-E-${NOTARIZED_APP_VERSION}-${arch}.zip`;
+    const url = `${WALLE_DIST_RELEASE_BASE}/v${NOTARIZED_APP_VERSION}/${asset}`;
+    tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'walle-napp-'));
+    const zip = path.join(tmp, asset);
+    log(`  Downloading notarized Wall-E.app ${NOTARIZED_APP_VERSION} (${arch})…`);
+    execFileSync('curl', ['-fsSL', '-o', zip, url], { timeout: 300000, stdio: 'pipe' });
+    // ditto -x -k preserves the code signature + stapled notarization ticket through extraction.
+    const exDir = path.join(tmp, 'x');
+    fs.mkdirSync(exDir, { recursive: true });
+    execFileSync('ditto', ['-x', '-k', zip, exDir], { timeout: 120000, stdio: 'pipe' });
+    const extractedApp = path.join(exDir, 'Wall-E.app');
+    if (!fs.existsSync(extractedApp)) throw new Error('archive missing Wall-E.app');
+    // Verify BEFORE adopting — never install an unsigned/wrong-team bundle.
+    if (!verifyNotarizedApp(extractedApp)) throw new Error('signature/team verification failed');
+    const exVendored = path.join(extractedApp, 'Contents', 'Resources', 'node');
+    if (!nodeReportsVersion(exVendored, NOTARIZED_NODE_VERSION)) throw new Error('vendored node ABI mismatch');
+
+    fs.rmSync(appDir, { recursive: true, force: true });
+    fs.rmSync(marker, { force: true });
+    fs.cpSync(extractedApp, appDir, { recursive: true });
+    fs.chmodSync(vendored, 0o755);
+
+    if (!verifyNotarizedApp(appDir, { log })) throw new Error('post-install verification failed');
+    fs.writeFileSync(marker, `${NOTARIZED_APP_VERSION}\n`);
+    log(`  ${GREEN}Notarized Wall-E.app ready${RESET} ${DIM}(${appDir})${RESET}`);
+    return vendored;
+  } catch (e) {
+    log(`  ${DIM}Notarized branded app unavailable (${e && e.message ? e.message : e}) — daemon keeps its current node${RESET}`);
+    disableNotarizedBrandedApp();
+    return null;
+  } finally {
+    if (tmp) { try { fs.rmSync(tmp, { recursive: true, force: true }); } catch {} }
+  }
+}
+
+// Drop the marker (and app) so daemonExec stops trusting it. Used when the download/verify fails.
+function disableNotarizedBrandedApp() {
+  try { fs.rmSync(path.join(notarizedAppDir(), 'version'), { force: true }); } catch {}
+  try { fs.rmSync(path.join(notarizedAppDir(), 'Wall-E.app'), { recursive: true, force: true }); } catch {}
+}
+
 function writeCliLifecycleEvent(event, meta = {}) {
   if (process.env.WALLE_TELEMETRY === '0' || process.env.WALLE_TELEMETRY === 'false') return;
   try {
@@ -389,6 +531,9 @@ function install(targetDir) {
   // Fetch the notarized daemon node BEFORE installing deps, so native modules build against
   // its ABI (the daemon and its forks will all run under it). Best-effort / macOS-only.
   ensureNotarizedDaemonNode();
+  // Adopt the branded notarized Wall-E.app so the Screen Recording grant shows "Wall-E" (not the
+  // anonymous "node"). Best-effort; daemonExec prefers its vendored node when present.
+  ensureNotarizedBrandedApp();
 
   console.log(`  Installing dependencies...\n`);
   npmInstall(targetDir);
@@ -412,6 +557,10 @@ function install(targetDir) {
     `CTM_PORT=${port}`,
     `WALL_E_PORT=${wallePort}`,
     '',
+    '# Terminal rendering: Option B (mosh-style server-authoritative state-sync) is on by default.',
+    '# Uncomment to fall back to the raw byte-stream render path.',
+    '# CTM_STATE_SYNC=0',
+    '',
     '# SLACK_TOKEN=',
     '# SLACK_OWNER_USER_ID=',
     '# SLACK_OWNER_HANDLE=',
@@ -509,6 +658,9 @@ function update() {
   // 6. Reinstall deps (in case package.json changed). Refresh the notarized daemon node first
   // so native modules rebuild against its ABI (idempotent: a valid cache is reused, not re-DLed).
   ensureNotarizedDaemonNode();
+  // Refresh the branded notarized Wall-E.app (idempotent) so the in-web upgrade migrates a user
+  // off the anonymous "node" Screen Recording identity onto the branded "Wall-E" one.
+  ensureNotarizedBrandedApp();
   console.log(`  Installing dependencies...\n`);
   npmInstall(dir);
 
@@ -1537,4 +1689,12 @@ module.exports = {
   notarizedNodeDir,
   notarizedNodePath,
   NOTARIZED_NODE_VERSION,
+  ensureNotarizedBrandedApp,
+  validatedNotarizedApp,
+  verifyNotarizedApp,
+  disableNotarizedBrandedApp,
+  notarizedAppDir,
+  notarizedAppVendoredNode,
+  NOTARIZED_APP_VERSION,
+  NOTARIZED_APP_TEAM_ID,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-walle",
-  "version": "0.9.28",
+  "version": "0.9.30",
   "description": "CTM + Wall-E — AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini, Aider, OpenCode, and more, plus prompt editor, task queue, remote phone and tablet access, code/doc review, and an agent that learns from Slack, email & calendar.",
   "bin": {
     "create-walle": "bin/create-walle.js"

package/template/bin/ctm-launch.sh

@@ -9,10 +9,35 @@
 # LaunchAgent plist never needs to change.
 set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-NODE_BIN="$(bash "$ROOT/bin/node-bin.sh")"
+# CTM_LAUNCH_NODE_BIN lets a test inject the pinned node without running node-bin.sh.
+NODE_BIN="${CTM_LAUNCH_NODE_BIN:-"$(bash "$ROOT/bin/node-bin.sh")"}"
 SERVER="$ROOT/claude-task-manager/server.js"
 PINNED_V="$("$NODE_BIN" -v 2>/dev/null)"
 
+# Exec the chosen runtime — or, under CTM_LAUNCH_PRINT_CHOICE (tests), print the path it WOULD exec
+# and exit 0 without launching the server. Keeps the candidate ladder below assertable end-to-end.
+_exec_choice() {
+  local bin="$1"; shift
+  if [ -n "${CTM_LAUNCH_PRINT_CHOICE:-}" ]; then printf '%s\n' "$bin"; exit 0; fi
+  exec "$bin" "$SERVER" "$@"
+}
+
+# Self-heal the native SQLite driver BEFORE exec'ing the server. A hard power-off can leave
+# better_sqlite3.node torn on disk, and a Homebrew node upgrade can leave it built for the wrong
+# ABI. The server DETECTS this but cannot hot-reload a native module mid-process, so it wedges
+# the boot: DB-owner worker dies -> "Database not initialized" everywhere -> no port bound ->
+# launchd respawns into the SAME broken state every ~5s (a respawn spiral that never converges).
+# Running the preflight here rebuilds the driver if needed, so the fresh `exec` below loads a good
+# binary. It is cheap on the happy path (a require + smoke-test that early-returns when the ABI
+# already matches) and only does the heavy `npm rebuild` when the driver is genuinely broken.
+# Best-effort: a failure here never blocks the boot — the server's own in-process repair still runs.
+# Skipped under CTM_LAUNCH_PRINT_CHOICE: it is irrelevant to runtime selection and needs a real DB.
+CHECK_DRIVER="$ROOT/claude-task-manager/bin/check-sqlite-driver.js"
+if [ -z "${CTM_LAUNCH_PRINT_CHOICE:-}" ] && [ -f "$CHECK_DRIVER" ]; then
+  ( cd "$ROOT/claude-task-manager" && "$NODE_BIN" "$CHECK_DRIVER" ) >/tmp/ctm-boot-sqlite-check.log 2>&1 \
+    || echo "[ctm-launch] sqlite driver preflight reported a problem; see /tmp/ctm-boot-sqlite-check.log (boot continues; server self-repair still applies)" >&2
+fi
+
 # Prefer a STABLE-IDENTITY node so macOS TCC grants (e.g. the "Coding Task Manager would like to
 # access data from other apps" prompt) PERSIST across restarts. macOS keys a TCC grant to the
 # binary's code-signing Designated Requirement: a notarized / Developer-ID-signed node keeps its
@@ -23,39 +48,66 @@ PINNED_V="$("$NODE_BIN" -v 2>/dev/null)"
 # bump can never select a mismatched-ABI runtime (preserves the "upgrade = edit .node-version"
 # guarantee, and the daemon's native modules stay ABI-correct).
 _ver_match() { [ -x "$1" ] && [ "$("$1" -v 2>/dev/null)" = "$PINNED_V" ]; }
+# Does this binary carry a stable code-signing Team Identifier (Developer-ID signed)? Signal that a
+# TCC/Full-Disk-Access grant will PERSIST and that prompts show a branded name. A fast local read.
+# NB this alone CANNOT distinguish "our branded CTM bundle" from the bare notarized node — the
+# notarized node is also Developer-ID signed (Team HX7739G8FX, Node.js Foundation). The discriminator
+# is the code-signing IDENTIFIER (see _is_ctm_bundle_identity).
+# NB capture codesign's output FIRST, then match the string — do NOT pipe `codesign | grep -q`.
+# `grep -q` exits on the first match and closes the pipe; codesign then dies with SIGPIPE (141), and
+# under `set -o pipefail` (above) the pipeline is reported as FAILED even though the pattern matched.
+# That false-negative is exactly what made the daemon keep running the wrong node. Capturing to a
+# var runs codesign to completion (exit 0), then a here-string grep has no upstream to kill.
+_has_team_id() { local o; o="$(codesign -dv "$1" 2>&1)" || true; grep -q '^TeamIdentifier=[A-Z0-9]' <<<"$o"; }
+# Is this binary OUR branded CTM bundle (Identifier=com.walle.ctm)? That is the EXACT identity the
+# Full Disk Access banner tells the user to grant ("Coding Task Manager.app"). The notarized node's
+# Identifier is "node", so this cleanly separates the two.
+_is_ctm_bundle_identity() { local o; o="$(codesign -dv "$1" 2>&1)" || true; grep -q '^Identifier=com\.walle\.ctm$' <<<"$o"; }
 
-# 0) The stable daemon node chosen by bin/ensure-stable-node.js (run off the boot path from
-#    restart-ctm.sh). On a machine WITH a Developer ID this is the branded, Dev-ID-signed CTM
-#    bundle exec — both grant-persisting AND shown as "Coding Task Manager" (not "node") in TCC
-#    prompts; without a Developer ID it is the bare notarized node. Reading the marker keeps
-#    codesign OFF this launchd boot path; the version check rejects a stale marker.
+CTM_BUNDLE="$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
+
+# 0) The branded CTM bundle (Identifier=com.walle.ctm) — the EXACT identity the FDA banner asks the
+#    user to grant Full Disk Access to. Prefer it ABOVE the stable-node marker. WHY first: the marker
+#    written by ensure-stable-node.js can point at the bare notarized node ("node", Team HX7739G8FX);
+#    because that node IS Developer-ID signed it would satisfy a naive "has a Team Identifier" check
+#    and win — the daemon then runs as "node", the user's grant to "Coding Task Manager.app" never
+#    applies, and the macOS "network volume"/FDA prompt recurs on EVERY restart. Checking THIS bundle
+#    path + its com.walle.ctm identity makes the grant-matching runtime authoritative. Gated on the
+#    version (ABI) match too. Costs one fast `codesign -dv` read per boot (boots are rare); on a
+#    no-Dev-ID machine the bundle is absent/self-signed so this falls through with no behavior change.
+if _ver_match "$CTM_BUNDLE" && _is_ctm_bundle_identity "$CTM_BUNDLE" && _has_team_id "$CTM_BUNDLE"; then
+  _exec_choice "$CTM_BUNDLE" "$@"
+fi
+# 1) The stable daemon node chosen by bin/ensure-stable-node.js (run off the boot path from
+#    restart-ctm.sh). On a machine WITHOUT a Developer ID this is the bare notarized node — the best
+#    stable identity available there. Version-gated; the version check rejects a stale marker.
 MARKER="$HOME/.walle/.stable-daemon-node"
 if [ -f "$MARKER" ]; then
   STABLE_NODE="$(head -n1 "$MARKER" 2>/dev/null)"
   if [ -n "$STABLE_NODE" ] && _ver_match "$STABLE_NODE"; then
-    exec "$STABLE_NODE" "$SERVER" "$@"
+    _exec_choice "$STABLE_NODE" "$@"
   fi
 fi
-# 1) Notarized node handed in by the downloadable Developer-ID Wall-E.app.
+# 2) Notarized node handed in by the downloadable Developer-ID Wall-E.app.
 if [ -n "${WALLE_NOTARIZED_NODE:-}" ] && _ver_match "$WALLE_NOTARIZED_NODE"; then
-  exec "$WALLE_NOTARIZED_NODE" "$SERVER" "$@"
+  _exec_choice "$WALLE_NOTARIZED_NODE" "$@"
 fi
-# 2) The branded .app bundle node when it carries a stable Team Identifier (Developer-ID-signed by
-#    ensure-stable-node.js) — branded AND grant-persisting. `codesign -dv` is a fast local read; it
-#    runs only on a cold boot where the marker is absent/stale.
-CTM_BUNDLE="$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
-if _ver_match "$CTM_BUNDLE" && codesign -dv "$CTM_BUNDLE" 2>&1 | grep -q '^TeamIdentifier=[A-Z0-9]'; then
-  exec "$CTM_BUNDLE" "$SERVER" "$@"
+# 2.5) The adopted Developer-ID-notarized Wall-E.app's vendored node (create-walle
+#    ensureNotarizedBrandedApp) — branded "Wall-E" AND grant-persisting, for no-Dev-ID machines.
+#    Gated on the version match + a stable Team Identifier (skips a self-signed/wrong bundle).
+BRANDED_APP_NODE="$HOME/.walle/notarized-app/Wall-E.app/Contents/Resources/node"
+if _ver_match "$BRANDED_APP_NODE" && _has_team_id "$BRANDED_APP_NODE"; then
+  _exec_choice "$BRANDED_APP_NODE" "$@"
 fi
 # 3) Notarized node we provisioned ourselves (~/.walle/notarized-node) — stable but anonymous
 #    ("node"); the fallback for machines without a Developer ID.
 NOTARIZED_NODE="$HOME/.walle/notarized-node/bin/node"
 if _ver_match "$NOTARIZED_NODE"; then
-  exec "$NOTARIZED_NODE" "$SERVER" "$@"
+  _exec_choice "$NOTARIZED_NODE" "$@"
 fi
 # 4) The branded bundle node even if only self-signed (branded name, but may re-prompt).
 if _ver_match "$CTM_BUNDLE"; then
-  exec "$CTM_BUNDLE" "$SERVER" "$@"
+  _exec_choice "$CTM_BUNDLE" "$@"
 fi
 # 5) Last resort: the pinned node (ABI-correct, but no stable TCC identity → may re-prompt).
-exec "$NODE_BIN" "$SERVER" "$@"
+_exec_choice "$NODE_BIN" "$@"

package/template/bin/dev.sh

@@ -164,6 +164,19 @@ mkdir -p "$DEV_DIR"
 # (corruption + contention). A throwaway CODEX_HOME keeps dev codex writes — and
 # CTM's own rollout reads, which resolve via the same CODEX_HOME — inside DEV_DIR.
 mkdir -p "$DEV_DIR/codex/sessions"
+# Seed the throwaway CODEX_HOME with the user's existing Codex login. The isolation above
+# relocates CODEX_HOME, which ALSO relocates ~/.codex/auth.json — so without this, dev codex
+# sessions are logged out and prompt for `codex login` (the "codex login issue in staging").
+# Copy only auth.json from the real ~/.codex so dev codex is authenticated while rollouts/sessions
+# stay isolated in DEV_DIR. We deliberately do NOT copy config.toml — it can carry MCP entries that
+# point at the user's primary (e.g. the node_repl missing-binary noise). Idempotent: never clobber
+# an existing dev login.
+_REAL_CODEX_HOME="$HOME/.codex"
+if [[ -f "$_REAL_CODEX_HOME/auth.json" && ! -f "$DEV_DIR/codex/auth.json" ]]; then
+  cp "$_REAL_CODEX_HOME/auth.json" "$DEV_DIR/codex/auth.json" 2>/dev/null \
+    && chmod 600 "$DEV_DIR/codex/auth.json" 2>/dev/null \
+    && echo "  seeded dev CODEX_HOME auth from $_REAL_CODEX_HOME/auth.json"
+fi
 
 cleanup_processes() {
   local stale_args=()
@@ -221,6 +234,11 @@ elif [[ "$MODE" == "refresh" ]]; then
   elif [[ "$COPY_IMAGES" != "1" ]]; then
     echo "  Images: skipped (--no-images)"
   fi
+  rm -rf "$DEV_DIR/scrollback"
+  if [[ -d "$PROD_CTM_DIR/scrollback" ]]; then
+    echo "  Scrollback: syncing $PROD_CTM_DIR/scrollback -> $DEV_DIR/scrollback"
+    "$NODE_BIN" "$ROOT/bin/sync-images.js" "$PROD_CTM_DIR/scrollback" "$DEV_DIR/scrollback"
+  fi
   # Ensure the dev instance owns its WAL files from first open.
   rm -f "$DEV_DIR"/*.db-wal "$DEV_DIR"/*.db-shm
 elif [[ "$MODE" == "reuse" ]]; then

package/template/bin/ensure-stable-node.js

@@ -65,6 +65,17 @@ function resolveStableNode(deps) {
         if (t.exec === ctmExec && team) ctmTeam = team;
       }
       if (ctmTeam) return ctmExec;
+      // Re-signing did not land a Team Identifier THIS run (e.g. a transient codesign failure), but
+      // the CTM bundle may ALREADY be Developer-ID-signed on disk from a prior run — that signature
+      // is self-contained and stays valid regardless. Prefer it over the anonymous notarized node so
+      // the marker records the BRANDED identity and the daemon keeps matching the user's Full Disk
+      // Access grant to "Coding Task Manager.app" (otherwise it runs as "node" → the FDA banner
+      // re-prompts every restart). Gated on existing + version-matching the pin (ABI safety).
+      if (ctmExec && existsSync(ctmExec) && (!pin || cw.nodeReportsVersion(ctmExec, pin))
+          && codesign.localCodeSignTeamId && codesign.localCodeSignTeamId(ctmExec)) {
+        log('CTM bundle already Developer-ID-signed on disk → using it (skip notarized fallback)');
+        return ctmExec;
+      }
     } catch (e) {
       log(`bundle signing failed: ${e && e.message ? e.message : e}`);
     }

package/template/bin/node-bin.sh

@@ -44,6 +44,15 @@ if [[ -z "$PIN" ]]; then
 fi
 
 candidates=(
+  # Immutable, self-managed runtimes FIRST. A `brew upgrade node` (often dragged in by an
+  # unrelated `brew install`) repoints or deletes the Cellar dir below, which would otherwise
+  # leave this resolver unable to find the pin -> daemon won't start. These vendored nodes are
+  # provisioned by bin/ensure-stable-node.js / create-walle and are not touched by Homebrew, so
+  # resolution survives that churn. Every candidate is STILL gated on an exact version match with
+  # the pin in the loop below, so a stale vendored node is skipped (it can never select a wrong ABI).
+  "$HOME/.walle/notarized-node/bin/node"
+  "$HOME/.walle/notarized-app/Wall-E.app/Contents/Resources/node"
+  "$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
   "/opt/homebrew/Cellar/node/$PIN/bin/node"
   "/usr/local/Cellar/node/$PIN/bin/node"
   "$HOME/.fnm/node-versions/v$PIN/installation/bin/node"