create-walle 0.9.28 → 0.9.30

package/template/claude-task-manager/db.js

@@ -11,6 +11,13 @@ const { codexRolloutIdFromPath, readCodexRolloutMetadata } = require('./lib/sess
 const { ensureTranscriptTables, healSelfLinkedTranscriptKeys } = require('./lib/transcript-store');
 const { isProviderGeneratedUserContextText } = require('./lib/provider-user-context');
 const { buildSessionImageRefs } = require('./lib/session-image-refs');
+const {
+  normalizeRuntimeEvent,
+  normalizeTurnRecord,
+  normalizeInputEnvelope,
+  normalizeRouteSnapshot,
+  normalizeApprovalRecord,
+} = require('./lib/runtime-contract');
 const {
   classifySqliteError,
   ensureSqliteDriverReady,
@@ -785,6 +792,121 @@ function connectDb(dbPath) {
   }
 }
 
+function runtimeKernelSchemaSql() {
+  return `
+    CREATE TABLE IF NOT EXISTS ctm_runtime_events (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      event_id TEXT NOT NULL UNIQUE,
+      idempotency_key TEXT NOT NULL UNIQUE,
+      ctm_session_id TEXT NOT NULL,
+      agent_session_id TEXT DEFAULT '',
+      turn_id TEXT DEFAULT '',
+      adapter TEXT NOT NULL,
+      event_type TEXT NOT NULL,
+      payload_json TEXT NOT NULL DEFAULT '{}',
+      created_at_ms INTEGER NOT NULL,
+      created_at TEXT DEFAULT (datetime('now'))
+    );
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_events_session
+      ON ctm_runtime_events(ctm_session_id, created_at_ms, id);
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_events_turn
+      ON ctm_runtime_events(ctm_session_id, turn_id, created_at_ms, id);
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_events_type
+      ON ctm_runtime_events(event_type, created_at_ms);
+    -- Serves "latest event of a type for a session" (latestContextTruth's per-session token/compact
+    -- lookup) as an O(1) index seek instead of fetching+parsing the oldest 1000 events per poll.
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_events_session_type
+      ON ctm_runtime_events(ctm_session_id, event_type, id);
+
+    CREATE TABLE IF NOT EXISTS ctm_runtime_turns (
+      ctm_session_id TEXT NOT NULL,
+      turn_id TEXT NOT NULL,
+      agent_session_id TEXT DEFAULT '',
+      parent_turn_id TEXT DEFAULT '',
+      user_input_event_id TEXT DEFAULT '',
+      status TEXT NOT NULL DEFAULT 'open',
+      opened_at_ms INTEGER NOT NULL,
+      closed_at_ms INTEGER DEFAULT 0,
+      model_route_json TEXT DEFAULT '{}',
+      compact_boundary_json TEXT DEFAULT '{}',
+      metadata_json TEXT DEFAULT '{}',
+      updated_at_ms INTEGER NOT NULL,
+      PRIMARY KEY (ctm_session_id, turn_id)
+    );
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_turns_session_status
+      ON ctm_runtime_turns(ctm_session_id, status, updated_at_ms DESC);
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_turns_agent
+      ON ctm_runtime_turns(agent_session_id, updated_at_ms DESC);
+
+    CREATE TABLE IF NOT EXISTS ctm_runtime_input_envelopes (
+      input_id TEXT PRIMARY KEY,
+      ctm_session_id TEXT NOT NULL,
+      agent_session_id TEXT DEFAULT '',
+      mode TEXT NOT NULL DEFAULT 'mailbox',
+      source TEXT NOT NULL DEFAULT 'runtime',
+      text TEXT NOT NULL DEFAULT '',
+      attachments_json TEXT NOT NULL DEFAULT '[]',
+      created_at_ms INTEGER NOT NULL,
+      accepted_at_ms INTEGER DEFAULT 0,
+      delivered_at_ms INTEGER DEFAULT 0,
+      result TEXT NOT NULL DEFAULT 'pending',
+      result_reason TEXT DEFAULT '',
+      metadata_json TEXT DEFAULT '{}',
+      updated_at_ms INTEGER NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_input_session_result
+      ON ctm_runtime_input_envelopes(ctm_session_id, result, created_at_ms);
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_input_agent
+      ON ctm_runtime_input_envelopes(agent_session_id, created_at_ms);
+
+    CREATE TABLE IF NOT EXISTS ctm_runtime_route_snapshots (
+      route_id TEXT PRIMARY KEY,
+      ctm_session_id TEXT NOT NULL,
+      agent_session_id TEXT DEFAULT '',
+      turn_id TEXT DEFAULT '',
+      requested_model TEXT DEFAULT '',
+      resolved_model TEXT DEFAULT '',
+      provider TEXT DEFAULT '',
+      connection_layer TEXT DEFAULT 'unknown',
+      route_source TEXT DEFAULT 'unknown',
+      supports_images INTEGER DEFAULT 0,
+      supports_tools INTEGER DEFAULT 0,
+      supports_mcp INTEGER DEFAULT 0,
+      created_at_ms INTEGER NOT NULL,
+      metadata_json TEXT DEFAULT '{}'
+    );
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_route_session
+      ON ctm_runtime_route_snapshots(ctm_session_id, created_at_ms DESC);
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_route_turn
+      ON ctm_runtime_route_snapshots(ctm_session_id, turn_id, created_at_ms DESC);
+
+    CREATE TABLE IF NOT EXISTS ctm_runtime_approvals (
+      approval_id TEXT PRIMARY KEY,
+      ctm_session_id TEXT NOT NULL,
+      agent_session_id TEXT DEFAULT '',
+      turn_id TEXT DEFAULT '',
+      source_event_id TEXT DEFAULT '',
+      status TEXT NOT NULL DEFAULT 'pending',
+      prompt TEXT DEFAULT '',
+      tool_name TEXT DEFAULT '',
+      decision TEXT DEFAULT '',
+      decided_by TEXT DEFAULT '',
+      requested_at_ms INTEGER NOT NULL,
+      resolved_at_ms INTEGER DEFAULT 0,
+      metadata_json TEXT DEFAULT '{}',
+      updated_at_ms INTEGER NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_approvals_session_status
+      ON ctm_runtime_approvals(ctm_session_id, status, requested_at_ms DESC);
+    CREATE INDEX IF NOT EXISTS idx_ctm_runtime_approvals_source_event
+      ON ctm_runtime_approvals(source_event_id);
+  `;
+}
+
+function ensureRuntimeKernelTables(handle = getDb()) {
+  handle.exec(runtimeKernelSchemaSql());
+}
+
 function createTables() {
   db.exec(`
     -- Settings (key-value store)
@@ -1006,6 +1128,7 @@ function createTables() {
     CREATE INDEX IF NOT EXISTS idx_runtime_tasks_session_status ON runtime_tasks(ctm_session_id, status, updated_at DESC);
     CREATE INDEX IF NOT EXISTS idx_runtime_tasks_agent ON runtime_tasks(agent_session_id, updated_at DESC);
   `);
+  ensureRuntimeKernelTables(db);
 }
 
 function runMigrations() {
@@ -1047,6 +1170,7 @@ function runMigrations() {
     CREATE INDEX IF NOT EXISTS idx_runtime_tasks_session_status ON runtime_tasks(ctm_session_id, status, updated_at DESC);
     CREATE INDEX IF NOT EXISTS idx_runtime_tasks_agent ON runtime_tasks(agent_session_id, updated_at DESC);
   `);
+  ensureRuntimeKernelTables(getDb());
 
   // Add pinned column to prompts if not exists
   const cols = getDb().prepare("PRAGMA table_info(prompts)").all();
@@ -2385,6 +2509,34 @@ function migrateSchemaIfNeeded() {
       // Non-fatal: dropping a dormant cache table; the app runs fine if it lingers.
     }
   }
+  if (getSchemaVersion() < 11) {
+    try {
+      migrateToV11();
+    } catch (e) {
+      console.error('[db] Schema migration to v11 FAILED:', e.message);
+      console.error('[db] Stack:', e.stack);
+      // Non-fatal: the column only enables Claude Desktop → Code fork dedup; absent it,
+      // getForkForDesktopUuid simply returns null and conversion stays available.
+    }
+  }
+}
+
+/**
+ * Schema v11: link a converted Claude Desktop conversation to its resumable Claude Code
+ * fork. A read-only Desktop conversation can be snapshot-and-forked into a real Code session
+ * (see lib/claude-desktop-sessions.js materializeForkTranscript); we record the originating
+ * Desktop uuid on the fork's agent_sessions row so the same conversation is never offered for
+ * conversion twice — the sidebar shows "Resume fork" instead. Idempotent via PRAGMA pre-check.
+ */
+function migrateToV11() {
+  const d = getDb();
+  const cols = d.prepare('PRAGMA table_info(agent_sessions)').all();
+  if (!cols.find((c) => c.name === 'forked_from_desktop_uuid')) {
+    d.prepare("ALTER TABLE agent_sessions ADD COLUMN forked_from_desktop_uuid TEXT DEFAULT ''").run();
+  }
+  d.exec("CREATE INDEX IF NOT EXISTS idx_agent_forked_desktop ON agent_sessions(forked_from_desktop_uuid) WHERE forked_from_desktop_uuid != ''");
+  setSchemaVersion(11);
+  console.log('[db] Schema migrated to v11 (Claude Desktop fork linkage)');
 }
 
 /**
@@ -3048,6 +3200,7 @@ function createV1Tables() {
       parent_agent_session_id TEXT DEFAULT '',
       agent_nickname TEXT DEFAULT '',
       agent_role TEXT DEFAULT '',
+      forked_from_desktop_uuid TEXT DEFAULT '',
       created_at TEXT DEFAULT (datetime('now')),
       updated_at TEXT DEFAULT (datetime('now')),
       FOREIGN KEY (ctm_session_id) REFERENCES ctm_sessions(id) ON DELETE CASCADE
@@ -3069,6 +3222,7 @@ function createV1Tables() {
   d.exec('CREATE INDEX IF NOT EXISTS idx_agent_slug ON agent_sessions(slug)');
   d.exec('CREATE INDEX IF NOT EXISTS idx_agent_parent_session ON agent_sessions(parent_agent_session_id)');
   d.exec('CREATE INDEX IF NOT EXISTS idx_agent_thread_source ON agent_sessions(thread_source)');
+  d.exec("CREATE INDEX IF NOT EXISTS idx_agent_forked_desktop ON agent_sessions(forked_from_desktop_uuid) WHERE forked_from_desktop_uuid != ''");
 }
 
 // --- Settings CRUD ---
@@ -3384,6 +3538,501 @@ function deleteRuntimeTasksForSession(ctmSessionId, { completedOnly = false } =
   return result.changes || 0;
 }
 
+function _parseJsonObject(value) {
+  try {
+    const parsed = JSON.parse(value || '{}');
+    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+
+function _parseJsonArray(value) {
+  try {
+    const parsed = JSON.parse(value || '[]');
+    return Array.isArray(parsed) ? parsed : [];
+  } catch {
+    return [];
+  }
+}
+
+function _parseRuntimeEvent(row) {
+  if (!row) return null;
+  return {
+    id: row.id,
+    eventId: row.event_id,
+    event_id: row.event_id,
+    idempotencyKey: row.idempotency_key,
+    idempotency_key: row.idempotency_key,
+    ctmSessionId: row.ctm_session_id,
+    ctm_session_id: row.ctm_session_id,
+    agentSessionId: row.agent_session_id || '',
+    agent_session_id: row.agent_session_id || '',
+    turnId: row.turn_id || '',
+    turn_id: row.turn_id || '',
+    adapter: row.adapter || 'unknown',
+    type: row.event_type || '',
+    event_type: row.event_type || '',
+    payload: _parseJsonObject(row.payload_json),
+    payload_json: row.payload_json || '{}',
+    createdAtMs: Number(row.created_at_ms || 0),
+    created_at_ms: Number(row.created_at_ms || 0),
+    created_at: row.created_at || '',
+  };
+}
+
+function appendRuntimeEvent(event = {}) {
+  const normalized = normalizeRuntimeEvent(event);
+  if (!normalized.ctmSessionId || !normalized.type) return null;
+  getDb().prepare(`
+    INSERT OR IGNORE INTO ctm_runtime_events (
+      event_id, idempotency_key, ctm_session_id, agent_session_id, turn_id,
+      adapter, event_type, payload_json, created_at_ms
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `).run(
+    normalized.eventId,
+    normalized.idempotencyKey,
+    normalized.ctmSessionId,
+    normalized.agentSessionId,
+    normalized.turnId,
+    normalized.adapter,
+    normalized.type,
+    _runtimeJsonObject(normalized.payload),
+    normalized.createdAtMs
+  );
+  return _parseRuntimeEvent(getDb().prepare(`
+    SELECT * FROM ctm_runtime_events
+     WHERE idempotency_key = ?
+     ORDER BY id ASC
+     LIMIT 1
+  `).get(normalized.idempotencyKey));
+}
+
+function listRuntimeEvents(ctmSessionId, { sinceId = 0, turnId = '', limit = 1000 } = {}) {
+  const cleanSessionId = String(ctmSessionId || '').trim();
+  if (!cleanSessionId) return [];
+  const cap = Math.max(1, Math.min(Number(limit) || 1000, 5000));
+  const minId = Math.max(0, Number(sinceId || 0) || 0);
+  const cleanTurnId = String(turnId || '').trim();
+  const rows = cleanTurnId
+    ? getDb().prepare(`
+        SELECT * FROM ctm_runtime_events
+         WHERE ctm_session_id = ? AND turn_id = ? AND id > ?
+         ORDER BY id ASC
+         LIMIT ?
+      `).all(cleanSessionId, cleanTurnId, minId, cap)
+    : getDb().prepare(`
+        SELECT * FROM ctm_runtime_events
+         WHERE ctm_session_id = ? AND id > ?
+         ORDER BY id ASC
+         LIMIT ?
+      `).all(cleanSessionId, minId, cap);
+  return rows.map(_parseRuntimeEvent).filter(Boolean);
+}
+
+// Latest event whose event_type is one of `eventTypes` for a session — the highest id wins.
+// Backs latestContextTruth, which previously fetched + JSON-parsed the oldest 1000 events per
+// session per poll just to find the latest token_usage + latest compact (a 3.98s/4min on-main cost
+// in the live CPU profile, and wrong once a session exceeds 1000 events). One indexed DESC LIMIT 1
+// seek per type (idx_ctm_runtime_events_session_type) → O(1), parses at most one row per type.
+function latestRuntimeEventOfTypes(ctmSessionId, eventTypes, { turnId = '' } = {}) {
+  const cleanSessionId = String(ctmSessionId || '').trim();
+  if (!cleanSessionId || !Array.isArray(eventTypes) || eventTypes.length === 0) return null;
+  const cleanTurnId = String(turnId || '').trim();
+  const d = getDb();
+  let best = null;
+  for (const t of eventTypes) {
+    const et = String(t || '').trim();
+    if (!et) continue;
+    const row = cleanTurnId
+      ? d.prepare(
+          'SELECT * FROM ctm_runtime_events WHERE ctm_session_id = ? AND turn_id = ? AND event_type = ? ORDER BY id DESC LIMIT 1'
+        ).get(cleanSessionId, cleanTurnId, et)
+      : d.prepare(
+          'SELECT * FROM ctm_runtime_events WHERE ctm_session_id = ? AND event_type = ? ORDER BY id DESC LIMIT 1'
+        ).get(cleanSessionId, et);
+    if (row && (!best || Number(row.id) > Number(best.id))) best = row;
+  }
+  return best ? _parseRuntimeEvent(best) : null;
+}
+
+function _parseRuntimeTurn(row) {
+  if (!row) return null;
+  return {
+    ctmSessionId: row.ctm_session_id,
+    ctm_session_id: row.ctm_session_id,
+    turnId: row.turn_id,
+    turn_id: row.turn_id,
+    agentSessionId: row.agent_session_id || '',
+    agent_session_id: row.agent_session_id || '',
+    parentTurnId: row.parent_turn_id || '',
+    parent_turn_id: row.parent_turn_id || '',
+    userInputEventId: row.user_input_event_id || '',
+    user_input_event_id: row.user_input_event_id || '',
+    status: row.status || 'open',
+    openedAtMs: Number(row.opened_at_ms || 0),
+    opened_at_ms: Number(row.opened_at_ms || 0),
+    closedAtMs: Number(row.closed_at_ms || 0),
+    closed_at_ms: Number(row.closed_at_ms || 0),
+    modelRoute: _parseJsonObject(row.model_route_json),
+    model_route_json: row.model_route_json || '{}',
+    compactBoundary: _parseJsonObject(row.compact_boundary_json),
+    compact_boundary_json: row.compact_boundary_json || '{}',
+    metadata: _parseJsonObject(row.metadata_json),
+    metadata_json: row.metadata_json || '{}',
+    updatedAtMs: Number(row.updated_at_ms || 0),
+    updated_at_ms: Number(row.updated_at_ms || 0),
+  };
+}
+
+function upsertRuntimeTurn(turn = {}) {
+  const normalized = normalizeTurnRecord(turn);
+  if (!normalized.ctmSessionId || !normalized.turnId) return null;
+  const now = Date.now();
+  getDb().prepare(`
+    INSERT INTO ctm_runtime_turns (
+      ctm_session_id, turn_id, agent_session_id, parent_turn_id, user_input_event_id,
+      status, opened_at_ms, closed_at_ms, model_route_json, compact_boundary_json,
+      metadata_json, updated_at_ms
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(ctm_session_id, turn_id) DO UPDATE SET
+      agent_session_id = excluded.agent_session_id,
+      parent_turn_id = excluded.parent_turn_id,
+      user_input_event_id = excluded.user_input_event_id,
+      status = excluded.status,
+      opened_at_ms = MIN(ctm_runtime_turns.opened_at_ms, excluded.opened_at_ms),
+      closed_at_ms = excluded.closed_at_ms,
+      model_route_json = CASE
+        WHEN excluded.model_route_json = '{}' THEN ctm_runtime_turns.model_route_json
+        ELSE excluded.model_route_json
+      END,
+      compact_boundary_json = CASE
+        WHEN excluded.compact_boundary_json = '{}' THEN ctm_runtime_turns.compact_boundary_json
+        ELSE excluded.compact_boundary_json
+      END,
+      metadata_json = CASE
+        WHEN excluded.metadata_json = '{}' THEN ctm_runtime_turns.metadata_json
+        ELSE excluded.metadata_json
+      END,
+      updated_at_ms = excluded.updated_at_ms
+  `).run(
+    normalized.ctmSessionId,
+    normalized.turnId,
+    normalized.agentSessionId,
+    normalized.parentTurnId,
+    normalized.userInputEventId,
+    normalized.status,
+    normalized.openedAtMs,
+    normalized.closedAtMs,
+    _runtimeJsonObject(normalized.modelRoute),
+    _runtimeJsonObject(normalized.compactBoundary),
+    _runtimeJsonObject(normalized.metadata),
+    now
+  );
+  return getRuntimeTurn(normalized.ctmSessionId, normalized.turnId);
+}
+
+function getRuntimeTurn(ctmSessionId, turnId) {
+  const row = getDb().prepare('SELECT * FROM ctm_runtime_turns WHERE ctm_session_id = ? AND turn_id = ?')
+    .get(String(ctmSessionId || '').trim(), String(turnId || '').trim());
+  return _parseRuntimeTurn(row);
+}
+
+function listRuntimeTurns(ctmSessionId, { status = '', limit = 200 } = {}) {
+  const cleanSessionId = String(ctmSessionId || '').trim();
+  if (!cleanSessionId) return [];
+  const cap = Math.max(1, Math.min(Number(limit) || 200, 1000));
+  const cleanStatus = String(status || '').trim();
+  const rows = cleanStatus
+    ? getDb().prepare('SELECT * FROM ctm_runtime_turns WHERE ctm_session_id = ? AND status = ? ORDER BY opened_at_ms ASC LIMIT ?').all(cleanSessionId, cleanStatus, cap)
+    : getDb().prepare('SELECT * FROM ctm_runtime_turns WHERE ctm_session_id = ? ORDER BY opened_at_ms ASC LIMIT ?').all(cleanSessionId, cap);
+  return rows.map(_parseRuntimeTurn).filter(Boolean);
+}
+
+function _parseRuntimeInputEnvelope(row) {
+  if (!row) return null;
+  return {
+    inputId: row.input_id,
+    input_id: row.input_id,
+    ctmSessionId: row.ctm_session_id,
+    ctm_session_id: row.ctm_session_id,
+    agentSessionId: row.agent_session_id || '',
+    agent_session_id: row.agent_session_id || '',
+    mode: row.mode || 'mailbox',
+    source: row.source || 'runtime',
+    text: row.text || '',
+    attachments: _parseJsonArray(row.attachments_json),
+    attachments_json: row.attachments_json || '[]',
+    createdAtMs: Number(row.created_at_ms || 0),
+    created_at_ms: Number(row.created_at_ms || 0),
+    acceptedAtMs: Number(row.accepted_at_ms || 0),
+    accepted_at_ms: Number(row.accepted_at_ms || 0),
+    deliveredAtMs: Number(row.delivered_at_ms || 0),
+    delivered_at_ms: Number(row.delivered_at_ms || 0),
+    result: row.result || 'pending',
+    resultReason: row.result_reason || '',
+    result_reason: row.result_reason || '',
+    metadata: _parseJsonObject(row.metadata_json),
+    metadata_json: row.metadata_json || '{}',
+    updatedAtMs: Number(row.updated_at_ms || 0),
+    updated_at_ms: Number(row.updated_at_ms || 0),
+  };
+}
+
+function upsertRuntimeInputEnvelope(input = {}) {
+  const normalized = normalizeInputEnvelope(input);
+  if (!normalized.ctmSessionId || !normalized.inputId) return null;
+  const now = Date.now();
+  getDb().prepare(`
+    INSERT INTO ctm_runtime_input_envelopes (
+      input_id, ctm_session_id, agent_session_id, mode, source, text,
+      attachments_json, created_at_ms, accepted_at_ms, delivered_at_ms,
+      result, result_reason, metadata_json, updated_at_ms
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(input_id) DO UPDATE SET
+      ctm_session_id = excluded.ctm_session_id,
+      agent_session_id = excluded.agent_session_id,
+      mode = excluded.mode,
+      source = excluded.source,
+      text = excluded.text,
+      attachments_json = excluded.attachments_json,
+      created_at_ms = MIN(ctm_runtime_input_envelopes.created_at_ms, excluded.created_at_ms),
+      accepted_at_ms = excluded.accepted_at_ms,
+      delivered_at_ms = excluded.delivered_at_ms,
+      result = excluded.result,
+      result_reason = excluded.result_reason,
+      metadata_json = excluded.metadata_json,
+      updated_at_ms = excluded.updated_at_ms
+  `).run(
+    normalized.inputId,
+    normalized.ctmSessionId,
+    normalized.agentSessionId,
+    normalized.mode,
+    normalized.source,
+    normalized.text,
+    _runtimeJsonArray(normalized.attachments),
+    normalized.createdAtMs,
+    normalized.acceptedAtMs,
+    normalized.deliveredAtMs,
+    normalized.result,
+    normalized.resultReason,
+    _runtimeJsonObject(normalized.metadata),
+    now
+  );
+  return _parseRuntimeInputEnvelope(getDb().prepare('SELECT * FROM ctm_runtime_input_envelopes WHERE input_id = ?').get(normalized.inputId));
+}
+
+function updateRuntimeInputEnvelope(inputId, patch = {}) {
+  const existing = _parseRuntimeInputEnvelope(getDb().prepare('SELECT * FROM ctm_runtime_input_envelopes WHERE input_id = ?').get(String(inputId || '').trim()));
+  if (!existing) return null;
+  return upsertRuntimeInputEnvelope({
+    ...existing,
+    ...patch,
+    inputId: existing.inputId,
+    ctmSessionId: patch.ctmSessionId || patch.ctm_session_id || existing.ctmSessionId,
+  });
+}
+
+function getRuntimeInputEnvelope(inputId) {
+  const cleanInputId = String(inputId || '').trim();
+  if (!cleanInputId) return null;
+  return _parseRuntimeInputEnvelope(getDb().prepare('SELECT * FROM ctm_runtime_input_envelopes WHERE input_id = ?').get(cleanInputId));
+}
+
+function listRuntimeInputEnvelopes(ctmSessionId, { result = '', limit = 200 } = {}) {
+  const cleanSessionId = String(ctmSessionId || '').trim();
+  if (!cleanSessionId) return [];
+  const cap = Math.max(1, Math.min(Number(limit) || 200, 1000));
+  const cleanResult = String(result || '').trim();
+  const rows = cleanResult
+    ? getDb().prepare('SELECT * FROM ctm_runtime_input_envelopes WHERE ctm_session_id = ? AND result = ? ORDER BY created_at_ms ASC LIMIT ?').all(cleanSessionId, cleanResult, cap)
+    : getDb().prepare('SELECT * FROM ctm_runtime_input_envelopes WHERE ctm_session_id = ? ORDER BY created_at_ms ASC LIMIT ?').all(cleanSessionId, cap);
+  return rows.map(_parseRuntimeInputEnvelope).filter(Boolean);
+}
+
+function _parseRuntimeRouteSnapshot(row) {
+  if (!row) return null;
+  return {
+    routeId: row.route_id,
+    route_id: row.route_id,
+    ctmSessionId: row.ctm_session_id,
+    ctm_session_id: row.ctm_session_id,
+    agentSessionId: row.agent_session_id || '',
+    agent_session_id: row.agent_session_id || '',
+    turnId: row.turn_id || '',
+    turn_id: row.turn_id || '',
+    requestedModel: row.requested_model || '',
+    requested_model: row.requested_model || '',
+    resolvedModel: row.resolved_model || '',
+    resolved_model: row.resolved_model || '',
+    provider: row.provider || '',
+    connectionLayer: row.connection_layer || 'unknown',
+    connection_layer: row.connection_layer || 'unknown',
+    routeSource: row.route_source || 'unknown',
+    route_source: row.route_source || 'unknown',
+    supportsImages: !!row.supports_images,
+    supports_images: !!row.supports_images,
+    supportsTools: !!row.supports_tools,
+    supports_tools: !!row.supports_tools,
+    supportsMcp: !!row.supports_mcp,
+    supports_mcp: !!row.supports_mcp,
+    createdAtMs: Number(row.created_at_ms || 0),
+    created_at_ms: Number(row.created_at_ms || 0),
+    metadata: _parseJsonObject(row.metadata_json),
+    metadata_json: row.metadata_json || '{}',
+  };
+}
+
+function upsertRuntimeRouteSnapshot(snapshot = {}) {
+  const normalized = normalizeRouteSnapshot(snapshot);
+  if (!normalized.ctmSessionId || !normalized.routeId) return null;
+  getDb().prepare(`
+    INSERT INTO ctm_runtime_route_snapshots (
+      route_id, ctm_session_id, agent_session_id, turn_id, requested_model,
+      resolved_model, provider, connection_layer, route_source, supports_images,
+      supports_tools, supports_mcp, created_at_ms, metadata_json
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(route_id) DO UPDATE SET
+      ctm_session_id = excluded.ctm_session_id,
+      agent_session_id = excluded.agent_session_id,
+      turn_id = excluded.turn_id,
+      requested_model = excluded.requested_model,
+      resolved_model = excluded.resolved_model,
+      provider = excluded.provider,
+      connection_layer = excluded.connection_layer,
+      route_source = excluded.route_source,
+      supports_images = excluded.supports_images,
+      supports_tools = excluded.supports_tools,
+      supports_mcp = excluded.supports_mcp,
+      created_at_ms = excluded.created_at_ms,
+      metadata_json = excluded.metadata_json
+  `).run(
+    normalized.routeId,
+    normalized.ctmSessionId,
+    normalized.agentSessionId,
+    normalized.turnId,
+    normalized.requestedModel,
+    normalized.resolvedModel,
+    normalized.provider,
+    normalized.connectionLayer,
+    normalized.routeSource,
+    normalized.supportsImages ? 1 : 0,
+    normalized.supportsTools ? 1 : 0,
+    normalized.supportsMcp ? 1 : 0,
+    normalized.createdAtMs,
+    _runtimeJsonObject(normalized.metadata)
+  );
+  return _parseRuntimeRouteSnapshot(getDb().prepare('SELECT * FROM ctm_runtime_route_snapshots WHERE route_id = ?').get(normalized.routeId));
+}
+
+function getLatestRuntimeRouteSnapshot(ctmSessionId, { turnId = '' } = {}) {
+  const cleanSessionId = String(ctmSessionId || '').trim();
+  if (!cleanSessionId) return null;
+  const cleanTurnId = String(turnId || '').trim();
+  const row = cleanTurnId
+    ? getDb().prepare('SELECT * FROM ctm_runtime_route_snapshots WHERE ctm_session_id = ? AND turn_id = ? ORDER BY created_at_ms DESC LIMIT 1').get(cleanSessionId, cleanTurnId)
+    : getDb().prepare('SELECT * FROM ctm_runtime_route_snapshots WHERE ctm_session_id = ? ORDER BY created_at_ms DESC LIMIT 1').get(cleanSessionId);
+  return _parseRuntimeRouteSnapshot(row);
+}
+
+function _parseRuntimeApproval(row) {
+  if (!row) return null;
+  return {
+    approvalId: row.approval_id,
+    approval_id: row.approval_id,
+    ctmSessionId: row.ctm_session_id,
+    ctm_session_id: row.ctm_session_id,
+    agentSessionId: row.agent_session_id || '',
+    agent_session_id: row.agent_session_id || '',
+    turnId: row.turn_id || '',
+    turn_id: row.turn_id || '',
+    sourceEventId: row.source_event_id || '',
+    source_event_id: row.source_event_id || '',
+    status: row.status || 'pending',
+    prompt: row.prompt || '',
+    toolName: row.tool_name || '',
+    tool_name: row.tool_name || '',
+    decision: row.decision || '',
+    decidedBy: row.decided_by || '',
+    decided_by: row.decided_by || '',
+    requestedAtMs: Number(row.requested_at_ms || 0),
+    requested_at_ms: Number(row.requested_at_ms || 0),
+    resolvedAtMs: Number(row.resolved_at_ms || 0),
+    resolved_at_ms: Number(row.resolved_at_ms || 0),
+    metadata: _parseJsonObject(row.metadata_json),
+    metadata_json: row.metadata_json || '{}',
+    updatedAtMs: Number(row.updated_at_ms || 0),
+    updated_at_ms: Number(row.updated_at_ms || 0),
+  };
+}
+
+function upsertRuntimeApproval(approval = {}) {
+  const normalized = normalizeApprovalRecord(approval);
+  if (!normalized.ctmSessionId || !normalized.approvalId) return null;
+  const now = Date.now();
+  getDb().prepare(`
+    INSERT INTO ctm_runtime_approvals (
+      approval_id, ctm_session_id, agent_session_id, turn_id, source_event_id,
+      status, prompt, tool_name, decision, decided_by, requested_at_ms,
+      resolved_at_ms, metadata_json, updated_at_ms
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(approval_id) DO UPDATE SET
+      ctm_session_id = excluded.ctm_session_id,
+      agent_session_id = excluded.agent_session_id,
+      turn_id = excluded.turn_id,
+      source_event_id = excluded.source_event_id,
+      status = excluded.status,
+      prompt = excluded.prompt,
+      tool_name = excluded.tool_name,
+      decision = excluded.decision,
+      decided_by = excluded.decided_by,
+      requested_at_ms = MIN(ctm_runtime_approvals.requested_at_ms, excluded.requested_at_ms),
+      resolved_at_ms = excluded.resolved_at_ms,
+      metadata_json = excluded.metadata_json,
+      updated_at_ms = excluded.updated_at_ms
+  `).run(
+    normalized.approvalId,
+    normalized.ctmSessionId,
+    normalized.agentSessionId,
+    normalized.turnId,
+    normalized.sourceEventId,
+    normalized.status,
+    normalized.prompt,
+    normalized.toolName,
+    normalized.decision,
+    normalized.decidedBy,
+    normalized.requestedAtMs,
+    normalized.resolvedAtMs,
+    _runtimeJsonObject(normalized.metadata),
+    now
+  );
+  return _parseRuntimeApproval(getDb().prepare('SELECT * FROM ctm_runtime_approvals WHERE approval_id = ?').get(normalized.approvalId));
+}
+
+function resolveRuntimeApproval(approvalId, { decision = '', decidedBy = '', status = 'approved', metadata = {} } = {}) {
+  const existing = _parseRuntimeApproval(getDb().prepare('SELECT * FROM ctm_runtime_approvals WHERE approval_id = ?').get(String(approvalId || '').trim()));
+  if (!existing) return null;
+  return upsertRuntimeApproval({
+    ...existing,
+    status,
+    decision,
+    decidedBy,
+    resolvedAtMs: Date.now(),
+    metadata: { ...(existing.metadata || {}), ...(metadata || {}) },
+  });
+}
+
+function listRuntimeApprovals(ctmSessionId, { status = '', limit = 100 } = {}) {
+  const cleanSessionId = String(ctmSessionId || '').trim();
+  if (!cleanSessionId) return [];
+  const cap = Math.max(1, Math.min(Number(limit) || 100, 500));
+  const cleanStatus = String(status || '').trim();
+  const rows = cleanStatus
+    ? getDb().prepare('SELECT * FROM ctm_runtime_approvals WHERE ctm_session_id = ? AND status = ? ORDER BY requested_at_ms DESC LIMIT ?').all(cleanSessionId, cleanStatus, cap)
+    : getDb().prepare('SELECT * FROM ctm_runtime_approvals WHERE ctm_session_id = ? ORDER BY requested_at_ms DESC LIMIT ?').all(cleanSessionId, cap);
+  return rows.map(_parseRuntimeApproval).filter(Boolean);
+}
+
 // --- Domain auto-classification ---
 const DOMAIN_RULES = [
   { domain: 'coding', patterns: /\b(code|function|class|method|variable|bug|test|refactor|implement|api|endpoint|import|export|module|compile|syntax|type(script)?|lint|format|regex|array|object|string|int|float|boolean|null|undefined|return|async|await|promise|callback|error handling|unit test|integration test|debug|stack trace|exception|try.catch|react|component|hook|useState|useEffect|vue|angular|svelte|html|css|dom|frontend|backend|database|sql|orm|schema|migration|git|commit|branch|merge|pr|pull.request|npm|pip|cargo|maven|gradle|python|javascript|java|rust|go|ruby|php|swift|kotlin)\b/i },
@@ -4373,6 +5022,14 @@ const _overCapImportLogged = new Set(); // session_id → already warned about a
 // when the count grew past a delta (or the model changed); otherwise the upsert's COALESCE preserves
 // the prior stored value — exact recompute still happens on the live path for Claude/Codex.
 const _importTokenEstimateLen = new Map();
+// Blob retirement is the shipped default: stop writing the monolithic `messages` blob (store '[]')
+// because the faithful session_message_rows serve every read. Two safety conditions gate it:
+//   - CTM_DUAL_WRITE_BLOB=1 → rollback hatch: keep dual-writing the real blob.
+//   - CTM_SESSION_ROWS=0    → rows READ path is off, so nulling the blob would blind reads → keep it.
+// lib/session-content-backfill.js mirrors this predicate for the reclaim sweep (keep them in lockstep).
+function _blobRetirementActive() {
+  return process.env.CTM_DUAL_WRITE_BLOB !== '1' && process.env.CTM_SESSION_ROWS !== '0';
+}
 function importSessionConversation({
   session_id, project_path, messages, user_msg_count, assistant_msg_count,
   search_messages,
@@ -4386,6 +5043,10 @@ function importSessionConversation({
   // render shape differs from `messages` (Wall-E persists review-shaped rows, not the raw transcript
   // blob shape). The metadata upsert + blob still happen so the freshness gate + legacy reads work.
   skipMessageRows,
+  // When true, write the real blob even under blob retirement so the session renders from the blob
+  // while content-rows-backfill fills rows across slices (chunked/cold-import route). Over-cap still
+  // wins — a multi-GB stringify is never safe regardless of this flag.
+  forceBlobWrite,
 }) {
   // Attribution: the whole import is one synchronous span — a JSON.stringify of
   // the full message array (multi-MB for 2000+ prompt sessions) + an upsert + a
@@ -4404,16 +5065,19 @@ function importSessionConversation({
   let _isOverParseCap = null;
   try { _isOverParseCap = require('./lib/size-cap').isOverParseCap; } catch { /* optional */ }
   const _overParseCap = typeof _isOverParseCap === 'function' ? _isOverParseCap(file_size) : false;
-  // Phase 7 (blob retirement): once reads are served from session_message_rows
-  // (CTM_SESSION_ROWS=1, verified 100% via /api/ctm/session-rows-status), set
-  // CTM_DUAL_WRITE_BLOB=0 to STOP writing the monolithic messages blob (store '[]')
-  // — this is what ends the O(N²) JSON.stringify-the-whole-array on every append.
-  // SAFETY: only honor the flag when the rows READ path is on (CTM_SESSION_ROWS=1),
-  // otherwise nulling the blob would blind every read. And the row write below
-  // restores the real blob if it fails, so a session is never left empty. Default
-  // unset = keep dual-writing the blob; existing users/legacy reads are unchanged.
-  const _retireBlob = process.env.CTM_DUAL_WRITE_BLOB === '0' && process.env.CTM_SESSION_ROWS !== '0';
-  const _skipBlobWrite = _overParseCap || _retireBlob;
+  // Phase 7 (blob retirement): reads are served from session_message_rows (the
+  // faithful per-message store), so the monolithic `messages` blob is dead weight
+  // and its full-array JSON.stringify on every append is the O(N²) write cost we
+  // want gone. DEFAULT (shipped to everyone, incl. npx): retire the blob (store
+  // '[]'). Rollback hatch: CTM_DUAL_WRITE_BLOB=1 keeps dual-writing the real blob.
+  // SAFETY: only retire when the rows READ path is on (CTM_SESSION_ROWS != '0',
+  // the default), otherwise nulling the blob would blind every read; and the row
+  // write below restores the real blob if it fails, so a session is never empty.
+  const _retireBlob = _blobRetirementActive();
+  // forceBlobWrite (cold/large chunked-import route) writes the real blob even under retirement so
+  // the session renders from blob while content-rows-backfill fills rows across slices. Over-cap
+  // still wins (a multi-GB stringify is never safe).
+  const _skipBlobWrite = _overParseCap || (_retireBlob && !forceBlobWrite);
   if (_overParseCap && !_overCapImportLogged.has(session_id)) {
     _overCapImportLogged.add(session_id);
     console.warn(`[db] session_conversations import over parse cap (file_size=${file_size}) for ${String(session_id || '').slice(0, 8)} — storing empty blob, skipping full stringify/row-rewrite.`);
@@ -4435,7 +5099,8 @@ function importSessionConversation({
   const _prevEst = _importTokenEstimateLen.get(session_id);
   const _modelChanged = !_prevEst || _prevEst.model !== (model_id || '');
   const _grewEnough = !_prevEst || _reestimateDelta === 0 || (_msgLen - _prevEst.len) >= _reestimateDelta;
-  if (!_overParseCap && (_modelChanged || _grewEnough)) {
+  const _chunkedRoute = !!forceBlobWrite && !!skipMessageRows && !_overParseCap;
+  if (!_overParseCap && !_chunkedRoute && (_modelChanged || _grewEnough)) {
     try {
       const summary = require('./lib/session-token-usage').estimateFromMessages(messages || [], model_id || '');
       if (summary && summary.total > 0) {
@@ -4490,6 +5155,14 @@ function importSessionConversation({
       _tokTotal, _tokCtx, _tokWindow, _tokExact, _tokBreakdown
     );
 
+    // Chunked-import route: rows are written later by content-rows-backfill (in windows). Stamp the
+    // render-gate HWM now so findUnbackfilledSessions (extracted_source_len>0 AND rows<len) adopts
+    // this session; appendSessionMessageRowsChunk re-stamps the same value idempotently on completion.
+    if (_chunkedRoute) {
+      try { _setExtractedSourceLen(getDb(), session_id, _msgLen, _lastMessageAt); }
+      catch (e) { console.error('[db] chunked-import source-len stamp failed:', e.message); }
+    }
+
     // Keep message-level search/review surfaces in lockstep with the durable
     // conversation cache. The older one-shot backfill path intentionally skips
     // sessions that already have rows, which made long-running imported Codex
@@ -5280,7 +5953,27 @@ const _AI_REFINEMENT_FAILED_MAX_ROWS = Number(process.env.CTM_AI_REFINEMENT_FAIL
 // (a few new failed rows/hour) never approaches the cap.
 const _AI_REFINEMENT_PRUNE_MAX_PER_RUN = Number(process.env.CTM_AI_REFINEMENT_PRUNE_MAX_PER_RUN || 5000);
 
-function addApprovalObservation({
+const _APPROVAL_OBS_INSERT_SQL = `
+    INSERT INTO approval_observations (
+      session_id,
+      provider_id,
+      source,
+      raw_detected,
+      gated,
+      gate_reason,
+      parse_status,
+      policy_decision,
+      decided_by,
+      keystroke_status,
+      screen_fingerprint,
+      redacted_screen_tail,
+      debug_lines
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `;
+
+// Bind args for one approval_observations row. SHARED by the single-row insert and the batch
+// insert so per-row semantics (tail trimming, debug cap) can never diverge between the two paths.
+function _bindApprovalObservationRow({
   sessionId,
   providerId,
   source,
@@ -5304,23 +5997,7 @@ function addApprovalObservation({
   const _tailMax = _keepFullTail
     ? _APPROVAL_OBS_TAIL_MAX_GATED
     : _APPROVAL_OBS_TAIL_MAX_UNGATED;
-  const result = getDb().prepare(`
-    INSERT INTO approval_observations (
-      session_id,
-      provider_id,
-      source,
-      raw_detected,
-      gated,
-      gate_reason,
-      parse_status,
-      policy_decision,
-      decided_by,
-      keystroke_status,
-      screen_fingerprint,
-      redacted_screen_tail,
-      debug_lines
-    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `).run(
+  return [
     sessionId || '',
     providerId || '',
     source || '',
@@ -5334,10 +6011,36 @@ function addApprovalObservation({
     screenFingerprint || '',
     String(redactedScreenTail || '').slice(-_tailMax),
     debug.slice(-2000),
-  );
+  ];
+}
+
+function addApprovalObservation(observation = {}) {
+  const result = getDb().prepare(_APPROVAL_OBS_INSERT_SQL).run(..._bindApprovalObservationRow(observation));
   return result.lastInsertRowid;
 }
 
+// Coalesced sink for the approval-observation write path: insert N observations in ONE
+// transaction (one write-lock acquire / one commit) with byte-identical per-row semantics to
+// addApprovalObservation. The single-threaded db-owner worker was flooded by one INSERT op per
+// event (~20k/day); batching collapses that to a few ops/flush-window. Falsy entries are skipped;
+// returns the number of rows inserted.
+function addApprovalObservationsBatch(entries) {
+  if (!Array.isArray(entries) || entries.length === 0) return 0;
+  const valid = entries.filter((e) => e && typeof e === 'object');
+  if (valid.length === 0) return 0;
+  const d = getDb();
+  const stmt = d.prepare(_APPROVAL_OBS_INSERT_SQL);
+  const insertAll = d.transaction((rows) => {
+    let inserted = 0;
+    for (const obs of rows) {
+      stmt.run(..._bindApprovalObservationRow(obs));
+      inserted++;
+    }
+    return inserted;
+  });
+  return insertAll(valid);
+}
+
 // Retention for approval_observations. The approver records ~20k observations/day, each
 // historically carrying a ~4KB screen tail, with no pruning — the table had grown to
 // 267MB. This caps it by age and by row count. Heavy DELETE → run on the db-owner worker
@@ -7259,6 +7962,9 @@ function replaceSessionMessages(sessionId, messages) {
 // transcript timestamp is available, advance last_message_at without allowing
 // partial rewrites or compacted sources to move activity backward.
 function _setExtractedSourceLen(d, ctmSessionId, sourceLen, lastMessageAt = '') {
+  // Any row write reaches here to advance the watermark — drop the cached rows-available verdict so
+  // sessionContentRowsAvailable re-COUNTs once against the new state (covers same-watermark mutations).
+  _invalidateRowsAvailCache(ctmSessionId);
   try {
     d.prepare('UPDATE session_conversations SET extracted_source_len = ? WHERE ctm_session_id = ?')
       .run(Number(sourceLen) || 0, ctmSessionId);
@@ -7432,6 +8138,42 @@ function replaceSessionMessageRows(sessionId, messages) {
   return normalized.length;
 }
 
+// Incremental, resumable backfill of ONE session's rows in a bounded chunk. The background
+// migration calls this once per session per scheduler tick so a single giant session (16k+
+// messages) is never rewritten in one write-lock-holding transaction — it fills in index order
+// across ticks. The store is dense and keyed by message_index, so INSERT OR IGNORE makes this
+// idempotent: re-running resumes from the existing row count (passed as startIndex) and never
+// double-writes. extracted_source_len (the render gate's target) is only stamped when the final
+// chunk lands, so a half-filled session stays on the blob path (sessionContentRowsAvailable=false)
+// until it is 100% backfilled. Returns {written, nextIndex, complete}.
+function appendSessionMessageRowsChunk(sessionId, messages, startIndex = 0, maxCount = 0) {
+  if (!sessionId || !_tableExists('session_message_rows')) {
+    return { written: 0, nextIndex: Number(startIndex) || 0, complete: false };
+  }
+  const d = getDb();
+  const normalized = Array.isArray(messages) ? messages : [];
+  const start = Math.max(0, Math.min(normalized.length, Number(startIndex) || 0));
+  const cap = Number(maxCount) > 0 ? Number(maxCount) : (normalized.length - start);
+  const end = Math.min(normalized.length, start + Math.max(1, cap));
+  const insertRow = d.prepare(
+    'INSERT OR IGNORE INTO session_message_rows (ctm_session_id, message_index, role, text, timestamp, meta) VALUES (?, ?, ?, ?, ?, ?)'
+  );
+  const writeRow = (i) => {
+    const m = normalized[i] || {};
+    return insertRow.run(
+      sessionId, i, String(m.role || ''),
+      String(m.text != null ? m.text : (m.content != null ? m.content : '')),
+      m.timestamp != null ? String(m.timestamp) : '',
+      _messageRowMeta(m)
+    );
+  };
+  let written = 0;
+  d.transaction(() => { for (let i = start; i < end; i++) { if (writeRow(i).changes > 0) written++; } })();
+  const complete = end >= normalized.length;
+  if (complete) _setExtractedSourceLen(d, sessionId, normalized.length, _lastMessageAtFromMessages(normalized));
+  return { written, nextIndex: end, complete };
+}
+
 // O(Δ) append of NEW messages after a verified-dense, unchanged-prefix base. Unlike
 // replaceSessionMessageRows this NEVER loads or rewrites the base array, so it stays O(Δ) for an
 // active multi-thousand-message session (that full-array load + re-process was the giant-transcript
@@ -7558,8 +8300,10 @@ function appendSessionConversation({
 function getSessionMessagesArray(sessionId, { fallbackToBlob = true } = {}) {
   const d = getDb();
   if (_tableExists('session_message_rows')) {
-    const rows = d.prepare('SELECT role, text, timestamp, meta FROM session_message_rows WHERE ctm_session_id = ? ORDER BY message_index ASC').all(sessionId);
-    if (rows.length) return rows.map(_messageRowToObject);
+    // Delegate the SELECT + row→object map to the shared lib so this row read is byte-identical
+    // to the read-pool worker's off-thread getSessionMessagesArray op (parity by construction).
+    const rows = require('./lib/session-messages-page').getMessagesArray(d, { sessionId });
+    if (rows.length) return rows;
   }
   if (fallbackToBlob) {
     try {
@@ -7573,16 +8317,40 @@ function getSessionMessagesArray(sessionId, { fallbackToBlob = true } = {}) {
 // True only when the faithful rows can serve this session: present AND fully backfilled
 // (row count covers the conversation's extracted length). A half-migrated session returns
 // false → the caller uses the complete blob/JSONL path.
+// Watermark-keyed cache of the "rows fully cover the conversation" verdict. sessionContentRowsAvailable
+// is on MANY hot/periodic main-loop paths — most heavily the per-codex-session snapshot serialize
+// (_serializeSessionSnapshot → _codexRolloutHistoryActive → _codexRowLookupId), plus the
+// apiSessionMessages gate, attach, and exit — and each call ran an O(rows) COUNT(*) that cold-page
+// faults for seconds (the `(unknown)` cpu-low apiSessionMessages/snapshot freeze on the primary).
+// The gate is `cnt >= expected` where expected = extracted_source_len (the import high-water mark).
+// Rows only grow and `expected` advances only as import progresses, so a TRUE verdict stays true
+// while `expected` is unchanged. Cache ONLY true verdicts keyed on `expected`: a key match means
+// cnt was already ≥ this watermark and (rows-only-grow) still is — skip the COUNT(*). A false/
+// half-migrated verdict is NOT cached (it must be re-checked so a just-completed migration is
+// picked up). Row writes invalidate the entry (belt-and-suspenders for a same-watermark row
+// mutation). CTM_ROWS_AVAIL_CACHE=0 disables.
+const _rowsAvailCache = new Map(); // ctm_session_id -> expected (watermark at which it was TRUE)
+function _invalidateRowsAvailCache(sessionId) { _rowsAvailCache.delete(String(sessionId || '')); }
 function sessionContentRowsAvailable(sessionId) {
   try {
     const d = getDb();
     if (!_tableExists('session_message_rows')) return false;
-    const cnt = Number(d.prepare('SELECT COUNT(*) AS n FROM session_message_rows WHERE ctm_session_id = ?').get(sessionId).n);
-    if (cnt === 0) return false;
+    // Cheap watermark read first (single non-blob column); also lets us skip the COUNT entirely for
+    // sessions with no HWM (always false under the old logic too).
     const conv = d.prepare('SELECT extracted_source_len FROM session_conversations WHERE ctm_session_id = ?').get(sessionId);
     const expected = conv ? Number(conv.extracted_source_len) : 0;
-    if (!(expected > 0) || cnt < expected) return false; // unknown HWM or half-migrated → blob path
-    return true;
+    if (!(expected > 0)) { _invalidateRowsAvailCache(sessionId); return false; } // unknown HWM → blob path
+    const cacheOn = process.env.CTM_ROWS_AVAIL_CACHE !== '0';
+    if (cacheOn && _rowsAvailCache.get(sessionId) === expected) return true; // TRUE@expected still holds (rows only grow)
+    const cnt = Number(d.prepare('SELECT COUNT(*) AS n FROM session_message_rows WHERE ctm_session_id = ?').get(sessionId).n);
+    const available = cnt > 0 && cnt >= expected; // unknown HWM or half-migrated → blob path
+    if (available && cacheOn) {
+      _rowsAvailCache.set(sessionId, expected);
+      if (_rowsAvailCache.size > 1024) { const k = _rowsAvailCache.keys().next().value; _rowsAvailCache.delete(k); }
+    } else {
+      _invalidateRowsAvailCache(sessionId);
+    }
+    return available;
   } catch { return false; }
 }
 
@@ -7704,8 +8472,15 @@ function runContentRowsBackfillSweep(options = {}) {
   const limit = Math.max(1, Math.min(500, Number(o.limit) || 25));
   const budgetMs = Math.max(0, Number(o.budgetMs ?? process.env.CTM_ROWS_BACKFILL_BUDGET_MS ?? 250));
   const maxRows = Math.max(0, Number(o.maxRows ?? process.env.CTM_ROWS_BACKFILL_MAX_ROWS ?? 3000));
+  // Per-session row cap: migrate a giant session in bounded slices across ticks (resumable) so one
+  // session can't hold the write lock for its whole length. 0 = whole-session (legacy/tests).
+  const maxRowsPerSession = Math.max(0, Number(o.maxRowsPerSession ?? process.env.CTM_ROWS_BACKFILL_MAX_ROWS_PER_SESSION ?? 2000));
   const bf = require('./lib/session-content-backfill');
-  return bf.runContentRowsBackfillSweep(getDb(), replaceSessionMessageRows, { limit, budgetMs, maxRows });
+  return bf.runContentRowsBackfillSweep(getDb(), replaceSessionMessageRows, {
+    limit, budgetMs, maxRows, maxRowsPerSession,
+    appendChunk: appendSessionMessageRowsChunk,
+    getRowCount: (id) => countSessionMessageRows(id),
+  });
 }
 
 // Migration completeness for GET /api/ctm/session-rows-status (+ the cutover gate).
@@ -7733,9 +8508,28 @@ function _messageFreshnessStatsForId(id, { userOnly = false } = {}) {
   const d = getDb();
   const bindId = String(id);
   const whereRole = userOnly ? " AND role = 'user'" : '';
-  const readStats = (table) => d.prepare(
+  // The all-message session_message_rows store is DENSE — every message is a row at its array index
+  // (replaceSessionMessageRows / appendSessionMessageRowsChunk write message_index = i contiguously
+  // from 0, an invariant the row write paths already rely on), so COUNT(*) === MAX(message_index)+1.
+  // The per-poll COUNT(*) over a giant (14k-19k-row) session was a 5.25s/4min on-main cost in the
+  // live CPU profile; the query already computes MAX (an O(1) index seek), so deriving rows from it
+  // drops the only O(rows) term with NO schema or write-path change — strictly better than a
+  // maintained counter (no cross-thread drift). Equivalent as a change-detector: maxIndex moves on
+  // every append, and the store is append-only / full-replace (no mid-array deletes), so maxIndex+1
+  // changes exactly when the message set does. User-only rows are SPARSE (no density) and the legacy
+  // session_messages store isn't guaranteed dense, so both keep the exact COUNT(*).
+  const countStats = (table) => d.prepare(
     `SELECT COALESCE(MAX(message_index), -1) AS maxIndex, COUNT(*) AS rows FROM ${table} WHERE ctm_session_id = ?${whereRole}`
   ).get(bindId);
+  const denseStats = (table) => {
+    const r = d.prepare(
+      `SELECT COALESCE(MAX(message_index), -1) AS maxIndex FROM ${table} WHERE ctm_session_id = ?`
+    ).get(bindId);
+    const maxIndex = Number(r && r.maxIndex != null ? r.maxIndex : -1);
+    return { maxIndex, rows: maxIndex + 1 };
+  };
+  const readStats = (table) =>
+    (!userOnly && table === 'session_message_rows') ? denseStats(table) : countStats(table);
 
   // The row store is the default read source, but migration and tests can leave
   // some sessions present only in the legacy filtered index. Pick per session
@@ -8180,10 +8974,10 @@ function getLatestAgentSessionForCtm(ctmSessionId, options = {}) {
   return null;
 }
 
-function getSessionConversationSourceIds(id, options = {}) {
+function getSessionConversationSourceIds(id, options = {}, db) {
   const cleanId = String(id || '').trim();
   if (!cleanId) return [];
-  const identity = getSessionIdentity(cleanId);
+  const identity = getSessionIdentity(cleanId, db);
   const ids = [];
   const add = (value) => {
     const s = String(value || '').trim();
@@ -8210,10 +9004,13 @@ function getSessionConversationSourceIds(id, options = {}) {
  * lifecycle/restore table; orphan recovery can use it explicitly, but normal
  * reads must not treat it as a second mapping source.
  */
-function getSessionIdentity(id) {
+function getSessionIdentity(id, db) {
   const cleanId = String(id || '').trim();
   if (!cleanId) return null;
-  const d = getDb();
+  // db-injectable: the read-pool worker passes its own read-only connection so the
+  // prompt-index input resolution runs off the main loop (parity by construction —
+  // same query bodies, different handle). Existing callers pass nothing → singleton.
+  const d = db || getDb();
 
   let ctm = d.prepare('SELECT * FROM ctm_sessions WHERE id = ?').get(cleanId) || null;
   let ctmSessionId = ctm ? ctm.id : '';
@@ -8710,14 +9507,15 @@ function upsertAgentSessionIdentity(agentSessionId, data = {}) {
     parent_agent_session_id: lineage.parent_agent_session_id,
     agent_nickname: lineage.agent_nickname,
     agent_role: lineage.agent_role,
+    forked_from_desktop_uuid: data.forkedFromDesktopUuid || data.forked_from_desktop_uuid || '',
   };
   d.prepare(`
     INSERT INTO agent_sessions (agent_session_id, ctm_session_id, provider, provider_resume_id, project_path, jsonl_path,
       first_message, file_size, modified_at, hostname, model, git_branch, user_msg_count, slug,
-      thread_source, parent_agent_session_id, agent_nickname, agent_role)
+      thread_source, parent_agent_session_id, agent_nickname, agent_role, forked_from_desktop_uuid)
     VALUES (@agent_session_id, @ctm_session_id, @provider, @provider_resume_id, @project_path, @jsonl_path,
       @first_message, @file_size, @modified_at, @hostname, @model, @git_branch, @user_msg_count, @slug,
-      @thread_source, @parent_agent_session_id, @agent_nickname, @agent_role)
+      @thread_source, @parent_agent_session_id, @agent_nickname, @agent_role, @forked_from_desktop_uuid)
     ON CONFLICT(agent_session_id) DO UPDATE SET
       ctm_session_id = COALESCE(agent_sessions.ctm_session_id, excluded.ctm_session_id),
       provider = COALESCE(NULLIF(excluded.provider, ''), agent_sessions.provider),
@@ -8736,10 +9534,40 @@ function upsertAgentSessionIdentity(agentSessionId, data = {}) {
       parent_agent_session_id = COALESCE(NULLIF(excluded.parent_agent_session_id, ''), agent_sessions.parent_agent_session_id),
       agent_nickname = COALESCE(NULLIF(excluded.agent_nickname, ''), agent_sessions.agent_nickname),
       agent_role = COALESCE(NULLIF(excluded.agent_role, ''), agent_sessions.agent_role),
+      forked_from_desktop_uuid = COALESCE(NULLIF(excluded.forked_from_desktop_uuid, ''), agent_sessions.forked_from_desktop_uuid),
       updated_at = datetime('now')
   `).run(params);
 }
 
+/**
+ * Look up the Claude Code fork that was created from a given Claude Desktop conversation.
+ * Returns the fork's agent_sessions row ({ agent_session_id, jsonl_path, ctm_session_id })
+ * or null when the conversation has never been converted. Callers verify the fork still
+ * exists (row + jsonl file) before treating the conversation as already-converted; a deleted
+ * fork should re-offer conversion. Anchored on the stable Desktop uuid so a re-scan of the
+ * Desktop cache never mints a duplicate fork.
+ */
+function getForkForDesktopUuid(desktopUuid) {
+  const id = String(desktopUuid || '').trim();
+  if (!id) return null;
+  return getDb().prepare(
+    'SELECT agent_session_id, jsonl_path, ctm_session_id FROM agent_sessions WHERE forked_from_desktop_uuid = ? LIMIT 1'
+  ).get(id) || null;
+}
+
+/**
+ * List every Claude Code fork created from a Claude Desktop conversation, keyed by the
+ * originating Desktop uuid. The client fetches this to decide, per Desktop conversation,
+ * whether to offer "Convert" or "Resume fork". Callers verify the transcript still exists
+ * before trusting the link (a deleted fork should re-offer conversion).
+ */
+function listDesktopForks() {
+  return getDb().prepare(
+    "SELECT forked_from_desktop_uuid AS desktopUuid, agent_session_id AS forkSessionId, jsonl_path AS jsonlPath, project_path AS projectPath " +
+    "FROM agent_sessions WHERE forked_from_desktop_uuid != ''"
+  ).all();
+}
+
 function setSessionStar(id, starred) {
   // Try ctm_sessions first
   const result = getDb().prepare("UPDATE ctm_sessions SET starred = ?, updated_at = datetime('now') WHERE id = ?")
@@ -9558,8 +10386,8 @@ function deleteCtmSession(ctmSessionId) {
 
 // Legacy compatibility: upsertSessionIndex is now a no-op (session_index dropped)
 function upsertSessionIndex() {}
-function resolveSessionId(id) {
-  const identity = getSessionIdentity(id);
+function resolveSessionId(id, db) {
+  const identity = getSessionIdentity(id, db);
   if (!identity) return null;
   return {
     ctm_session_id: identity.ctm_session_id,
@@ -9575,6 +10403,12 @@ module.exports = {
   getWriteLockStats, resetWriteLockStats,
   getStorageRisk,
   getSqliteDriverStatus,
+  ensureRuntimeKernelTables,
+  appendRuntimeEvent, listRuntimeEvents, latestRuntimeEventOfTypes,
+  upsertRuntimeTurn, getRuntimeTurn, listRuntimeTurns,
+  upsertRuntimeInputEnvelope, updateRuntimeInputEnvelope, getRuntimeInputEnvelope, listRuntimeInputEnvelopes,
+  upsertRuntimeRouteSnapshot, getLatestRuntimeRouteSnapshot,
+  upsertRuntimeApproval, resolveRuntimeApproval, listRuntimeApprovals,
   getSetting, getSettingsByPrefix, setSetting,
   addSessionDiagnostic, flushSessionDiagnostics, listSessionDiagnostics,
   upsertRuntimeTask, updateRuntimeTask, getRuntimeTask, listRuntimeTasks, deleteRuntimeTasksForSession,
@@ -9587,8 +10421,8 @@ module.exports = {
   listPermissionLog, addPermissionLog,
   getAlwaysAskTools, setAlwaysAsk,
   importSessionConversation, appendSessionConversation, appendSessionMessageRows, listSessionConversations, getSessionConversation, getSessionConversationMeta, getSessionConversationMessages, updateSessionModel,
-  replaceSessionMessageRows, getSessionMessagesArray, sessionContentRowsAvailable, getSessionMessagesPage, getSessionMessagesTurnPage, countSessionMessageRows,
-  runContentRowsBackfillSweep, getSessionRowsStatus, retireLegacyStores, runVacuum,
+  replaceSessionMessageRows, appendSessionMessageRowsChunk, getSessionMessagesArray, sessionContentRowsAvailable, getSessionMessagesPage, getSessionMessagesTurnPage, countSessionMessageRows,
+  runContentRowsBackfillSweep, getSessionRowsStatus, retireLegacyStores, runVacuum, _blobRetirementActive,
   updateSessionTokens, getSessionTokens,
   pickDisplayTitle,
   getSessionTitle, setSessionTitle, isSessionUserRenamed, getAllSessionTitles,
@@ -9601,7 +10435,7 @@ module.exports = {
   listAutoApprovals, upsertAutoApproval, toggleAutoApproval, deleteAutoApproval, getEnabledAutoApprovals,
   listApprovalRules, upsertApprovalRule, findApprovalRuleBySignature, toggleApprovalRule, deleteApprovalRule, incrementApprovalRuleMatch,
   addApprovalDecision, listApprovalDecisions, resolveApprovalDecision, getPendingEscalations,
-  addApprovalObservation, listApprovalObservations, pruneApprovalObservations, pruneApprovalAiRefinementRules,
+  addApprovalObservation, addApprovalObservationsBatch, listApprovalObservations, pruneApprovalObservations, pruneApprovalAiRefinementRules,
   getApprovalRescuePattern, saveApprovalRescuePattern, listApprovalRescuePatterns,
   getApprovalAiRefinementRule, saveApprovalAiRefinementRule, listApprovalAiRefinementRules,
   findActiveApprovalAiRefinementRules, saveApprovalAiRefinementWarning, listApprovalAiRefinementWarnings,
@@ -9639,7 +10473,7 @@ module.exports = {
   setSessionTitleNew, setSessionTitleStatusNew, getSessionTitleNew, getSessionTitlesByIds, getSessionDisplayTitleInfo, isUserSessionTitleCandidate, promoteStartupTaskTitleIfUserNamed, repairSessionTitlesFromStartupTasks, getAllSessionsData,
   repairCodexSessionMetadataFromConversations, repairCodexRolloutAgentIdentities, detachPromotedProviderChildSessions,
   listProviderChildAgentOwnerMappings,
-  getAgentSessions, getAgentSession, deleteCtmSession,
+  getAgentSessions, getAgentSession, getForkForDesktopUuid, listDesktopForks, deleteCtmSession,
   // Schema version
   getSchemaVersion,
 };