create-walle 0.9.29 → 0.9.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-walle",
-  "version": "0.9.29",
+  "version": "0.9.30",
   "description": "CTM + Wall-E — AI coding dashboard and personal digital twin agent. Multi-agent terminal for Claude Code, Codex, Gemini, Aider, OpenCode, and more, plus prompt editor, task queue, remote phone and tablet access, code/doc review, and an agent that learns from Slack, email & calendar.",
   "bin": {
     "create-walle": "bin/create-walle.js"

package/template/bin/ctm-launch.sh

@@ -9,10 +9,35 @@
 # LaunchAgent plist never needs to change.
 set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-NODE_BIN="$(bash "$ROOT/bin/node-bin.sh")"
+# CTM_LAUNCH_NODE_BIN lets a test inject the pinned node without running node-bin.sh.
+NODE_BIN="${CTM_LAUNCH_NODE_BIN:-"$(bash "$ROOT/bin/node-bin.sh")"}"
 SERVER="$ROOT/claude-task-manager/server.js"
 PINNED_V="$("$NODE_BIN" -v 2>/dev/null)"
 
+# Exec the chosen runtime — or, under CTM_LAUNCH_PRINT_CHOICE (tests), print the path it WOULD exec
+# and exit 0 without launching the server. Keeps the candidate ladder below assertable end-to-end.
+_exec_choice() {
+  local bin="$1"; shift
+  if [ -n "${CTM_LAUNCH_PRINT_CHOICE:-}" ]; then printf '%s\n' "$bin"; exit 0; fi
+  exec "$bin" "$SERVER" "$@"
+}
+
+# Self-heal the native SQLite driver BEFORE exec'ing the server. A hard power-off can leave
+# better_sqlite3.node torn on disk, and a Homebrew node upgrade can leave it built for the wrong
+# ABI. The server DETECTS this but cannot hot-reload a native module mid-process, so it wedges
+# the boot: DB-owner worker dies -> "Database not initialized" everywhere -> no port bound ->
+# launchd respawns into the SAME broken state every ~5s (a respawn spiral that never converges).
+# Running the preflight here rebuilds the driver if needed, so the fresh `exec` below loads a good
+# binary. It is cheap on the happy path (a require + smoke-test that early-returns when the ABI
+# already matches) and only does the heavy `npm rebuild` when the driver is genuinely broken.
+# Best-effort: a failure here never blocks the boot — the server's own in-process repair still runs.
+# Skipped under CTM_LAUNCH_PRINT_CHOICE: it is irrelevant to runtime selection and needs a real DB.
+CHECK_DRIVER="$ROOT/claude-task-manager/bin/check-sqlite-driver.js"
+if [ -z "${CTM_LAUNCH_PRINT_CHOICE:-}" ] && [ -f "$CHECK_DRIVER" ]; then
+  ( cd "$ROOT/claude-task-manager" && "$NODE_BIN" "$CHECK_DRIVER" ) >/tmp/ctm-boot-sqlite-check.log 2>&1 \
+    || echo "[ctm-launch] sqlite driver preflight reported a problem; see /tmp/ctm-boot-sqlite-check.log (boot continues; server self-repair still applies)" >&2
+fi
+
 # Prefer a STABLE-IDENTITY node so macOS TCC grants (e.g. the "Coding Task Manager would like to
 # access data from other apps" prompt) PERSIST across restarts. macOS keys a TCC grant to the
 # binary's code-signing Designated Requirement: a notarized / Developer-ID-signed node keeps its
@@ -23,46 +48,66 @@ PINNED_V="$("$NODE_BIN" -v 2>/dev/null)"
 # bump can never select a mismatched-ABI runtime (preserves the "upgrade = edit .node-version"
 # guarantee, and the daemon's native modules stay ABI-correct).
 _ver_match() { [ -x "$1" ] && [ "$("$1" -v 2>/dev/null)" = "$PINNED_V" ]; }
+# Does this binary carry a stable code-signing Team Identifier (Developer-ID signed)? Signal that a
+# TCC/Full-Disk-Access grant will PERSIST and that prompts show a branded name. A fast local read.
+# NB this alone CANNOT distinguish "our branded CTM bundle" from the bare notarized node — the
+# notarized node is also Developer-ID signed (Team HX7739G8FX, Node.js Foundation). The discriminator
+# is the code-signing IDENTIFIER (see _is_ctm_bundle_identity).
+# NB capture codesign's output FIRST, then match the string — do NOT pipe `codesign | grep -q`.
+# `grep -q` exits on the first match and closes the pipe; codesign then dies with SIGPIPE (141), and
+# under `set -o pipefail` (above) the pipeline is reported as FAILED even though the pattern matched.
+# That false-negative is exactly what made the daemon keep running the wrong node. Capturing to a
+# var runs codesign to completion (exit 0), then a here-string grep has no upstream to kill.
+_has_team_id() { local o; o="$(codesign -dv "$1" 2>&1)" || true; grep -q '^TeamIdentifier=[A-Z0-9]' <<<"$o"; }
+# Is this binary OUR branded CTM bundle (Identifier=com.walle.ctm)? That is the EXACT identity the
+# Full Disk Access banner tells the user to grant ("Coding Task Manager.app"). The notarized node's
+# Identifier is "node", so this cleanly separates the two.
+_is_ctm_bundle_identity() { local o; o="$(codesign -dv "$1" 2>&1)" || true; grep -q '^Identifier=com\.walle\.ctm$' <<<"$o"; }
+
+CTM_BUNDLE="$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
 
-# 0) The stable daemon node chosen by bin/ensure-stable-node.js (run off the boot path from
-#    restart-ctm.sh). On a machine WITH a Developer ID this is the branded, Dev-ID-signed CTM
-#    bundle exec — both grant-persisting AND shown as "Coding Task Manager" (not "node") in TCC
-#    prompts; without a Developer ID it is the bare notarized node. Reading the marker keeps
-#    codesign OFF this launchd boot path; the version check rejects a stale marker.
+# 0) The branded CTM bundle (Identifier=com.walle.ctm) — the EXACT identity the FDA banner asks the
+#    user to grant Full Disk Access to. Prefer it ABOVE the stable-node marker. WHY first: the marker
+#    written by ensure-stable-node.js can point at the bare notarized node ("node", Team HX7739G8FX);
+#    because that node IS Developer-ID signed it would satisfy a naive "has a Team Identifier" check
+#    and win — the daemon then runs as "node", the user's grant to "Coding Task Manager.app" never
+#    applies, and the macOS "network volume"/FDA prompt recurs on EVERY restart. Checking THIS bundle
+#    path + its com.walle.ctm identity makes the grant-matching runtime authoritative. Gated on the
+#    version (ABI) match too. Costs one fast `codesign -dv` read per boot (boots are rare); on a
+#    no-Dev-ID machine the bundle is absent/self-signed so this falls through with no behavior change.
+if _ver_match "$CTM_BUNDLE" && _is_ctm_bundle_identity "$CTM_BUNDLE" && _has_team_id "$CTM_BUNDLE"; then
+  _exec_choice "$CTM_BUNDLE" "$@"
+fi
+# 1) The stable daemon node chosen by bin/ensure-stable-node.js (run off the boot path from
+#    restart-ctm.sh). On a machine WITHOUT a Developer ID this is the bare notarized node — the best
+#    stable identity available there. Version-gated; the version check rejects a stale marker.
 MARKER="$HOME/.walle/.stable-daemon-node"
 if [ -f "$MARKER" ]; then
   STABLE_NODE="$(head -n1 "$MARKER" 2>/dev/null)"
   if [ -n "$STABLE_NODE" ] && _ver_match "$STABLE_NODE"; then
-    exec "$STABLE_NODE" "$SERVER" "$@"
+    _exec_choice "$STABLE_NODE" "$@"
   fi
 fi
-# 1) Notarized node handed in by the downloadable Developer-ID Wall-E.app.
+# 2) Notarized node handed in by the downloadable Developer-ID Wall-E.app.
 if [ -n "${WALLE_NOTARIZED_NODE:-}" ] && _ver_match "$WALLE_NOTARIZED_NODE"; then
-  exec "$WALLE_NOTARIZED_NODE" "$SERVER" "$@"
-fi
-# 2) The branded .app bundle node when it carries a stable Team Identifier (Developer-ID-signed by
-#    ensure-stable-node.js) — branded AND grant-persisting. `codesign -dv` is a fast local read; it
-#    runs only on a cold boot where the marker is absent/stale.
-CTM_BUNDLE="$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
-if _ver_match "$CTM_BUNDLE" && codesign -dv "$CTM_BUNDLE" 2>&1 | grep -q '^TeamIdentifier=[A-Z0-9]'; then
-  exec "$CTM_BUNDLE" "$SERVER" "$@"
+  _exec_choice "$WALLE_NOTARIZED_NODE" "$@"
 fi
 # 2.5) The adopted Developer-ID-notarized Wall-E.app's vendored node (create-walle
 #    ensureNotarizedBrandedApp) — branded "Wall-E" AND grant-persisting, for no-Dev-ID machines.
 #    Gated on the version match + a stable Team Identifier (skips a self-signed/wrong bundle).
 BRANDED_APP_NODE="$HOME/.walle/notarized-app/Wall-E.app/Contents/Resources/node"
-if _ver_match "$BRANDED_APP_NODE" && codesign -dv "$BRANDED_APP_NODE" 2>&1 | grep -q '^TeamIdentifier=[A-Z0-9]'; then
-  exec "$BRANDED_APP_NODE" "$SERVER" "$@"
+if _ver_match "$BRANDED_APP_NODE" && _has_team_id "$BRANDED_APP_NODE"; then
+  _exec_choice "$BRANDED_APP_NODE" "$@"
 fi
 # 3) Notarized node we provisioned ourselves (~/.walle/notarized-node) — stable but anonymous
 #    ("node"); the fallback for machines without a Developer ID.
 NOTARIZED_NODE="$HOME/.walle/notarized-node/bin/node"
 if _ver_match "$NOTARIZED_NODE"; then
-  exec "$NOTARIZED_NODE" "$SERVER" "$@"
+  _exec_choice "$NOTARIZED_NODE" "$@"
 fi
 # 4) The branded bundle node even if only self-signed (branded name, but may re-prompt).
 if _ver_match "$CTM_BUNDLE"; then
-  exec "$CTM_BUNDLE" "$SERVER" "$@"
+  _exec_choice "$CTM_BUNDLE" "$@"
 fi
 # 5) Last resort: the pinned node (ABI-correct, but no stable TCC identity → may re-prompt).
-exec "$NODE_BIN" "$SERVER" "$@"
+_exec_choice "$NODE_BIN" "$@"

package/template/bin/dev.sh

@@ -164,6 +164,19 @@ mkdir -p "$DEV_DIR"
 # (corruption + contention). A throwaway CODEX_HOME keeps dev codex writes — and
 # CTM's own rollout reads, which resolve via the same CODEX_HOME — inside DEV_DIR.
 mkdir -p "$DEV_DIR/codex/sessions"
+# Seed the throwaway CODEX_HOME with the user's existing Codex login. The isolation above
+# relocates CODEX_HOME, which ALSO relocates ~/.codex/auth.json — so without this, dev codex
+# sessions are logged out and prompt for `codex login` (the "codex login issue in staging").
+# Copy only auth.json from the real ~/.codex so dev codex is authenticated while rollouts/sessions
+# stay isolated in DEV_DIR. We deliberately do NOT copy config.toml — it can carry MCP entries that
+# point at the user's primary (e.g. the node_repl missing-binary noise). Idempotent: never clobber
+# an existing dev login.
+_REAL_CODEX_HOME="$HOME/.codex"
+if [[ -f "$_REAL_CODEX_HOME/auth.json" && ! -f "$DEV_DIR/codex/auth.json" ]]; then
+  cp "$_REAL_CODEX_HOME/auth.json" "$DEV_DIR/codex/auth.json" 2>/dev/null \
+    && chmod 600 "$DEV_DIR/codex/auth.json" 2>/dev/null \
+    && echo "  seeded dev CODEX_HOME auth from $_REAL_CODEX_HOME/auth.json"
+fi
 
 cleanup_processes() {
   local stale_args=()

package/template/bin/ensure-stable-node.js

@@ -65,6 +65,17 @@ function resolveStableNode(deps) {
         if (t.exec === ctmExec && team) ctmTeam = team;
       }
       if (ctmTeam) return ctmExec;
+      // Re-signing did not land a Team Identifier THIS run (e.g. a transient codesign failure), but
+      // the CTM bundle may ALREADY be Developer-ID-signed on disk from a prior run — that signature
+      // is self-contained and stays valid regardless. Prefer it over the anonymous notarized node so
+      // the marker records the BRANDED identity and the daemon keeps matching the user's Full Disk
+      // Access grant to "Coding Task Manager.app" (otherwise it runs as "node" → the FDA banner
+      // re-prompts every restart). Gated on existing + version-matching the pin (ABI safety).
+      if (ctmExec && existsSync(ctmExec) && (!pin || cw.nodeReportsVersion(ctmExec, pin))
+          && codesign.localCodeSignTeamId && codesign.localCodeSignTeamId(ctmExec)) {
+        log('CTM bundle already Developer-ID-signed on disk → using it (skip notarized fallback)');
+        return ctmExec;
+      }
     } catch (e) {
       log(`bundle signing failed: ${e && e.message ? e.message : e}`);
     }

package/template/bin/node-bin.sh

@@ -44,6 +44,15 @@ if [[ -z "$PIN" ]]; then
 fi
 
 candidates=(
+  # Immutable, self-managed runtimes FIRST. A `brew upgrade node` (often dragged in by an
+  # unrelated `brew install`) repoints or deletes the Cellar dir below, which would otherwise
+  # leave this resolver unable to find the pin -> daemon won't start. These vendored nodes are
+  # provisioned by bin/ensure-stable-node.js / create-walle and are not touched by Homebrew, so
+  # resolution survives that churn. Every candidate is STILL gated on an exact version match with
+  # the pin in the loop below, so a stale vendored node is skipped (it can never select a wrong ABI).
+  "$HOME/.walle/notarized-node/bin/node"
+  "$HOME/.walle/notarized-app/Wall-E.app/Contents/Resources/node"
+  "$HOME/.walle/bundles/Coding Task Manager.app/Contents/MacOS/Coding Task Manager"
   "/opt/homebrew/Cellar/node/$PIN/bin/node"
   "/usr/local/Cellar/node/$PIN/bin/node"
   "$HOME/.fnm/node-versions/v$PIN/installation/bin/node"

package/template/claude-task-manager/api-prompts.js

@@ -13,6 +13,7 @@ const permissionMatch = require('./lib/permission-match');
 // CTM permissions are a standalone global config in the CTM DB.
 const walleClient = require('./lib/walle-client');
 const claudeDesktopSessions = require('./lib/claude-desktop-sessions');
+const desktopFork = require('./lib/desktop-fork');
 const skillAutocomplete = require('./lib/skill-autocomplete');
 const skillIntentResolver = require('./lib/skill-intent-resolver');
 const resourceLinks = require('./lib/resource-links');
@@ -48,6 +49,26 @@ const CONVERSATION_IMPORT_MIN_INTERVAL_MS = Math.max(0, Number(process.env.CTM_C
 const CONVERSATION_IMPORT_FORCE_BYTES = Math.max(0, Number(process.env.CTM_CONVERSATION_IMPORT_FORCE_BYTES ?? 256 * 1024));
 const _lastConversationImportAt = new Map(); // sessionId → Date.now() of last completed import
 
+// Event-driven (near-real-time) durable import. The 8s floor above exists to stop a hot session's
+// rapid small appends from re-processing the WHOLE conversation each tick (the giant-transcript
+// write-lock thrash). With blob retirement the common case is now an O(Δ) append (a tiny write on
+// the low-priority lane), so when this is on we track the live tail at a short coalescing window —
+// but ONLY for the cheap append path. A session that recently fell back to a FULL rebuild keeps the
+// long floor so a rewrite-in-progress session can't thrash. Off → exact 8s/batch behavior.
+const CONVERSATION_IMPORT_EVENT_DRIVEN = process.env.CTM_CONVERSATION_IMPORT_EVENT_DRIVEN === '1';
+const CONVERSATION_IMPORT_EVENT_DRIVEN_MIN_INTERVAL_MS = Math.max(0, Number(
+  process.env.CTM_CONVERSATION_IMPORT_EVENT_DRIVEN_MIN_INTERVAL_MS ?? 250));
+const _lastConversationFullRebuildAt = new Map(); // sessionId → Date.now() of last FULL rebuild
+
+// Pure decision: the debounce floor for a hot session's small-growth (append-eligible) re-import.
+// Extracted so the rebuild-thrash guard is unit-testable without the import machinery.
+function _conversationImportFloorMs({ eventDriven, baseFloorMs, eventFloorMs, lastRebuildAt, now }) {
+  if (!eventDriven) return baseFloorMs;
+  // Held back to the long floor only while a recent full rebuild is still "warm".
+  const rebuiltRecently = lastRebuildAt > 0 && (now - lastRebuildAt) < baseFloorMs;
+  return rebuiltRecently ? baseFloorMs : eventFloorMs;
+}
+
 function setDbMaintenanceRunner(fn) {
   dbMaintenanceRunner = typeof fn === 'function' ? fn : null;
 }
@@ -192,6 +213,10 @@ function handlePromptApi(req, res, url) {
   const p = url.pathname;
   const m = req.method;
 
+  // --- Claude Desktop → Code conversion (snapshot-and-fork) ---
+  if (p === '/api/claude-desktop/forks' && m === 'GET') return handleListDesktopForks(req, res);
+  if (p === '/api/claude-desktop/convert' && m === 'POST') return handleConvertDesktopSession(req, res);
+
   // --- Prompts ---
   if (p === '/api/prompts' && m === 'GET') return handleListPrompts(req, res, url);
   if (p === '/api/prompts' && m === 'POST') return handleCreatePrompt(req, res);
@@ -392,6 +417,70 @@ function handleListPrompts(req, res, url) {
   jsonResponse(res, 200, db.listPrompts(opts));
 }
 
+// Convert a read-only Claude Desktop conversation into a resumable Claude Code session.
+// Thin HTTP wrapper around lib/desktop-fork.convertDesktopConversation; `deps` is injectable
+// for unit tests (defaults to the real Desktop cache + fork orchestrator).
+const DESKTOP_CACHE_ONLY_MESSAGE =
+  'Claude Desktop has only cached this conversation in the recent list — the full transcript ' +
+  'is not in the local cache yet. Open the conversation in Claude Desktop once, then rescan, ' +
+  'before converting it to a Claude Code session.';
+
+// List Desktop conversations that already have a live Claude Code fork, so the client can
+// flip "Convert" → "Resume fork" per conversation. Excludes forks whose transcript was
+// deleted (those should re-offer conversion). `deps` injectable for tests.
+function handleListDesktopForks(req, res, deps = {}) {
+  const dbm = deps.db || db;
+  const fsx = deps.fs || fs;
+  let rows;
+  try {
+    rows = dbm.listDesktopForks() || [];
+  } catch (e) {
+    return jsonResponse(res, 500, { error: 'list_failed', message: e && e.message || 'failed' });
+  }
+  const forks = rows
+    .filter((f) => f.jsonlPath && fsx.existsSync(f.jsonlPath))
+    .map((f) => ({ desktopUuid: f.desktopUuid, forkSessionId: f.forkSessionId, cwd: f.projectPath || '' }));
+  return jsonResponse(res, 200, { forks });
+}
+
+async function handleConvertDesktopSession(req, res, deps = {}) {
+  const desktop = deps.desktop || claudeDesktopSessions;
+  const fork = deps.fork || desktopFork;
+
+  let body;
+  try {
+    body = await readBody(req);
+  } catch {
+    return jsonResponse(res, 400, { error: 'invalid_body' });
+  }
+
+  const desktopUuid = String((body && body.desktopUuid) || '').trim();
+  const cwd = String((body && body.cwd) || '').trim();
+  if (!desktopUuid || !cwd) {
+    return jsonResponse(res, 400, { error: 'desktopUuid and cwd are required' });
+  }
+
+  const session = desktop.getSession(desktopUuid);
+  if (!session) {
+    return jsonResponse(res, 404, { error: 'Claude Desktop conversation not found' });
+  }
+
+  const messages = desktop.getMessages(desktopUuid) || [];
+  if (messages.length === 0) {
+    return jsonResponse(res, 409, { error: 'cache_only', message: DESKTOP_CACHE_ONLY_MESSAGE });
+  }
+
+  try {
+    const result = fork.convertDesktopConversation({ session, cwd });
+    return jsonResponse(res, 200, { ok: true, ...result });
+  } catch (e) {
+    if (/no .*message/i.test(e && e.message || '')) {
+      return jsonResponse(res, 409, { error: 'cache_only', message: DESKTOP_CACHE_ONLY_MESSAGE });
+    }
+    return jsonResponse(res, 500, { error: 'convert_failed', message: e && e.message || 'conversion failed' });
+  }
+}
+
 async function handleCreatePrompt(req, res) {
   try {
     const data = await readBody(req);
@@ -1555,6 +1644,8 @@ async function _importCompactPair(parsed, jsonlPath, bakPath, jsonlSize, bakSize
     model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
     model_id: parsed.modelId || (existing && existing.model_id) || '',
     import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
+    // Chunked-import route (cold/large): defer rows to content-rows-backfill, keep the real blob.
+    ..._chunkedImportFlags(parsed.sessionId, allMessages, totalSize, 'compact-pair'),
   });
   return true;
 }
@@ -1683,7 +1774,15 @@ async function _conversationImportCandidates(allFiles, lastScanAt) {
         const lastAt = _lastConversationImportAt.get(sessionId) || 0;
         const sinceLast = Date.now() - lastAt;
         const grewBytes = Math.max(0, effectiveSize - existingSize);
-        if (lastAt > 0 && sinceLast < CONVERSATION_IMPORT_MIN_INTERVAL_MS && grewBytes < CONVERSATION_IMPORT_FORCE_BYTES) {
+        // Near-real-time floor for the cheap append path; long floor right after a full rebuild.
+        const floorMs = _conversationImportFloorMs({
+          eventDriven: CONVERSATION_IMPORT_EVENT_DRIVEN,
+          baseFloorMs: CONVERSATION_IMPORT_MIN_INTERVAL_MS,
+          eventFloorMs: CONVERSATION_IMPORT_EVENT_DRIVEN_MIN_INTERVAL_MS,
+          lastRebuildAt: _lastConversationFullRebuildAt.get(sessionId) || 0,
+          now: Date.now(),
+        });
+        if (lastAt > 0 && sinceLast < floorMs && grewBytes < CONVERSATION_IMPORT_FORCE_BYTES) {
           continue; // imported very recently and only a little new data — let appends coalesce
         }
       }
@@ -1734,6 +1833,46 @@ function _backgroundTranscriptImportMaxBytes() {
   return Math.max(256 * 1024, Number.isFinite(raw) ? raw : BACKGROUND_TRANSCRIPT_IMPORT_DEFAULT_BYTES);
 }
 
+// Phase 1.5: a cold/large full-rebuild's inline session_message_rows write (delete-all + insert-all)
+// can block the db-owner worker for seconds — over the coop slice budget. Above a message-count
+// threshold, route the import through the CHUNKED path: importSessionConversation writes the blob +
+// stamps the source-len HWM now (forceBlobWrite + skipMessageRows), then content-rows-backfill fills
+// rows in windows across slices. Returns the two flags to spread into the importSessionConversation
+// options. Applied at every large cold-import call site (codex / claude-desktop / generic claude).
+// Over-cap sessions ignore forceBlobWrite downstream (empty blob, transcript-store source of truth).
+// Routing counters (per import run) — surfaced in the always-on [auto-import] summary so the
+// chunked-vs-inline distribution is visible WITHOUT depending on CTM_COOP_LOG reaching the worker
+// thread. Reset by runIncrementalConversationImport after it logs them.
+const _chunkedRouteStats = { chunked: 0, inline: 0 };
+function _readResetChunkedRouteStats() {
+  const s = { ..._chunkedRouteStats };
+  _chunkedRouteStats.chunked = 0; _chunkedRouteStats.inline = 0;
+  return s;
+}
+
+function _chunkedImportFlags(sessionId, messages, fileSize, reason) {
+  // Gated on the coop scheduler: deferring rows only helps when the cooperative scheduler is driving
+  // bounded slices (and the content-rows-backfill coop/legacy job fills the deferred rows). With the
+  // flag OFF the import behaves byte-for-byte as legacy (rows written inline) — so merging this branch
+  // is a true no-op on the primary until CTM_COOP_SCHEDULER=1 is set.
+  if (process.env.CTM_COOP_SCHEDULER !== '1') return { skipMessageRows: false, forceBlobWrite: false };
+  const minMsgs = Math.max(1, Number(process.env.CTM_IMPORT_CHUNK_MIN_MSGS || 1000));
+  // ALSO trigger on file size: a giant rollout is tail-bounded at parse time (transcriptMaxBytes),
+  // so `messages.length` here can be small even though the session is huge and its inline row write
+  // would block the worker. Keying on the JSONL byte high-water-mark catches those. Default 2MB.
+  const minBytes = Math.max(1, Number(process.env.CTM_IMPORT_CHUNK_MIN_BYTES || 2 * 1024 * 1024));
+  const n = Array.isArray(messages) ? messages.length : 0;
+  const bytes = Number(fileSize || 0);
+  const useChunked = n > minMsgs || bytes > minBytes;
+  _chunkedRouteStats[useChunked ? 'chunked' : 'inline'] += 1;
+  if (process.env.CTM_COOP_LOG === '1') {
+    const fileMB = (bytes / (1024 * 1024)).toFixed(1);
+    const trig = useChunked ? (n > minMsgs ? 'msgs' : 'bytes') : 'none';
+    console.log(`[coop-import] sid=${String(sessionId || '').slice(0, 8)} msgs=${n} fileMB=${fileMB} path=${useChunked ? 'chunked' : 'inline'} trigger=${trig} reason=${reason}`);
+  }
+  return { skipMessageRows: useChunked, forceBlobWrite: useChunked };
+}
+
 function _codexImportedFileSize(parsedFileSize, prevFileSize, parsedTail) {
   const fileSize = Math.max(0, Number(parsedFileSize || 0));
   const prev = Math.max(0, Number(prevFileSize || 0));
@@ -1852,6 +1991,9 @@ async function _importCodexSessionFile(parsed, filePath, options = {}) {
     model_provider: modelProvider,
     model_id: model || (existing && existing.model_id) || '',
     import_parser_version: parserVersion,
+    // Chunked-import route (cold/large codex rollout — the giant-session case): defer rows to
+    // content-rows-backfill, keep the real blob. Over-cap rollouts ignore forceBlobWrite downstream.
+    ..._chunkedImportFlags(sessionId, allMessages, importedFileSize, 'codex'),
   });
 
   try {
@@ -2050,6 +2192,8 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
       model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
       model_id: parsed.modelId || (existing && existing.model_id) || '',
       import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
+      // Chunked-import route (cold/large): defer rows to content-rows-backfill, keep the real blob.
+      ..._chunkedImportFlags(parsed.sessionId, messages, parsed.fileSize, 'claude-desktop'),
     });
     return true;
   }
@@ -2131,7 +2275,12 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
       rename_name: parsedRename || parsed.renameName || '',
       import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
     });
-    if (appended && appended.ok) return true;
+    if (appended && appended.ok) {
+      // Cheap O(Δ) append succeeded — clear any rebuild backoff so event-driven mode
+      // tracks this session's live tail at the fast cadence.
+      _lastConversationFullRebuildAt.delete(parsed.sessionId);
+      return true;
+    }
   }
 
   // Full rebuild: cold import, file shrank/rotated, or the append guard refused. Load the base
@@ -2173,6 +2322,11 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
   // but an empty new parse must not wipe an existing rename.
   const mergedRename = signals.renameName || parsedRename || parsed.renameName || (existing && existing.rename_name) || '';
 
+  // This is the expensive full-rebuild path (cold import, file shrank/rotated, or the append
+  // guard refused a non-clean-prefix). Stamp the rebuild clock so event-driven mode keeps the
+  // long debounce floor for this session until a cheap append succeeds again (no rebuild thrash).
+  try { _lastConversationFullRebuildAt.set(parsed.sessionId, Date.now()); } catch {}
+
   db.importSessionConversation({
     session_id: parsed.sessionId,
     project_path: parsed.cwd || parsed.project,
@@ -2192,6 +2346,8 @@ async function importSessionFile(filePath, projectPath, projectEntry, options =
     model_provider: parsed.modelProvider || (existing && existing.model_provider) || CLAUDE_MODEL_PROVIDER,
     model_id: parsed.modelId || (existing && existing.model_id) || '',
     import_parser_version: DEFAULT_CONVERSATION_IMPORT_PARSER_VERSION,
+    // Chunked-import route (cold/large): defer rows to content-rows-backfill, keep the real blob.
+    ..._chunkedImportFlags(parsed.sessionId, allMessages, parsed.fileSize, 'full-rebuild'),
   });
   return true;
 }
@@ -2209,19 +2365,27 @@ async function handleImportConversations(req, res) {
 // Incremental auto-import: only processes files modified since last scan
 // Uses async filesystem operations to avoid blocking the event loop
 // (critical when ~/.claude/projects is on Dropbox/network-synced FS)
-async function runIncrementalConversationImport() {
+async function runIncrementalConversationImport(opts = {}) {
+  const _now = typeof opts.now === 'function' ? opts.now : () => Date.now();
   // Capture scanStart BEFORE anything else — we advance lastScanAt even on
   // partial failure so a single bad file doesn't stall the whole job forever.
   // Previously, a top-level failure kept lastScanAt frozen, causing repeated
   // full rescans + repeated failures (stall bug observed in production).
-  const scanStart = Date.now();
+  const scanStart = _now();
   let imported = 0;
   let scanned = 0;
   let total = 0;
   let failed = 0;
   let hitLimit = false;
   let hitLimitLabel = '';
-  const maxImportedPerRun = Math.max(1, Number(process.env.CTM_CONVERSATION_IMPORT_MAX_PER_RUN || 12));
+  // Wall-clock slice budget: a single giant/cold full-rebuild can overrun the COUNT cap on TIME, so
+  // also stop between files once the budget is spent. 0/absent = no time cap (legacy behavior).
+  const budgetMs = Math.max(0, Number(opts.budgetMs ?? process.env.CTM_CONVERSATION_IMPORT_BUDGET_MS ?? 0));
+  const deadline = budgetMs > 0 ? scanStart + budgetMs : Infinity;
+  // Smaller cap (4) applies only when a slice budget is active (coop driver re-wakes immediately on
+  // hasMore, so smaller slices drain just as fast while keeping each worker op short). Legacy path
+  // (no budget) keeps the original default of 12 so flag-OFF import drain is unchanged.
+  const maxImportedPerRun = Math.max(1, Number(process.env.CTM_CONVERSATION_IMPORT_MAX_PER_RUN || (budgetMs > 0 ? 4 : 12)));
   const maxProcessedPerRun = Math.max(1, Number(process.env.CTM_CONVERSATION_IMPORT_MAX_PROCESSED_PER_RUN || maxImportedPerRun));
   const retryAfterMsRaw = Number(process.env.CTM_CONVERSATION_IMPORT_RETRY_AFTER_MS || CONVERSATION_IMPORT_RETRY_AFTER_MS);
   const retryAfterMs = Number.isFinite(retryAfterMsRaw) && retryAfterMsRaw >= 1000
@@ -2262,6 +2426,11 @@ async function runIncrementalConversationImport() {
           hitLimitLabel = importLimited ? `${maxImportedPerRun} imports` : `${maxProcessedPerRun} files`;
           break;
         }
+        if (_now() >= deadline && scanned < candidates.length) {
+          hitLimit = true;
+          hitLimitLabel = `${budgetMs}ms budget`;
+          break;
+        }
         await new Promise((resolve) => setImmediate(resolve));
       } catch (e) {
         failed++;
@@ -2271,9 +2440,11 @@ async function runIncrementalConversationImport() {
       }
     }
 
+    const _rt = _readResetChunkedRouteStats();
     if (imported > 0 || failed > 0) {
       const suffix = hitLimit ? `, paused after ${hitLimitLabel}` : '';
-      console.log(`[auto-import] Imported ${imported}, failed ${failed} (scanned ${scanned}/${total}${suffix})`);
+      const route = (_rt.chunked || _rt.inline) ? ` route=chunked:${_rt.chunked}/inline:${_rt.inline}` : '';
+      console.log(`[auto-import] Imported ${imported}, failed ${failed} (scanned ${scanned}/${total}${suffix})${route}`);
     }
     return {
       imported,
@@ -2282,11 +2453,12 @@ async function runIncrementalConversationImport() {
       candidates: candidates.length,
       failed,
       remaining: hitLimit,
+      hasMore: hitLimit,
       retry_after_ms: hitLimit ? retryAfterMs : undefined,
     };
   } catch (e) {
     console.error('[auto-import] Top-level error:', e.message);
-    return { imported, scanned, total, failed, error: e.message };
+    return { imported, scanned, total, failed, error: e.message, hasMore: false };
   } finally {
     // Always advance the timestamp — even on error — so we don't re-scan the
     // same problematic files forever on every tick.
@@ -2379,6 +2551,8 @@ async function runCursorConversationImport({ cursorHome } = {}) {
           hostname: '',
           import_parser_version: CURSOR_IMPORT_PARSER_VERSION,
           rename_name: '',
+          // Chunked-import route (cold/large cursor session): defer rows to content-rows-backfill.
+          ..._chunkedImportFlags(ctmId, fields.messages, 0, 'cursor'),
         });
         if (sig) _cursorImportSignatures.set(ctmId, sig);
         imported += 1;
@@ -5149,4 +5323,4 @@ function safeParse(json, fallback) {
   try { return JSON.parse(json); } catch { return fallback; }
 }
 
-module.exports = { handlePromptApi, queueEngine, runIncrementalConversationImport, runCursorConversationImport, importSessionFile, setUiPrefsBroadcaster, setPromptExecutionsOffThread, setDbMaintenanceRunner, setImageSaveRunner, ensureHotkeyDaemon, hotkeyEnsureAction, screenshotResponsibleContext, screenshotNodeCandidates, probeScreenshotNodeGranted, _ingestPathFromInput, _ingestSourceAllowed, _conversationImportCandidates, _ingestTranscriptStoreForParsedFile, _learnSignatureRules, _appendBlocklistExceptions, _finalizePermIntent, _denyHinted, _lastConversationImportAt };
+module.exports = { handlePromptApi, handleConvertDesktopSession, handleListDesktopForks, queueEngine, runIncrementalConversationImport, runCursorConversationImport, importSessionFile, _chunkedImportFlags, setUiPrefsBroadcaster, setPromptExecutionsOffThread, setDbMaintenanceRunner, setImageSaveRunner, ensureHotkeyDaemon, hotkeyEnsureAction, screenshotResponsibleContext, screenshotNodeCandidates, probeScreenshotNodeGranted, _ingestPathFromInput, _ingestSourceAllowed, _conversationImportCandidates, _ingestTranscriptStoreForParsedFile, _learnSignatureRules, _appendBlocklistExceptions, _finalizePermIntent, _denyHinted, _lastConversationImportAt, _conversationImportFloorMs, _lastConversationFullRebuildAt };