jettypod 4.4.116 → 4.4.120

package/apps/dashboard/electron/main.js

@@ -1,5 +1,8 @@
-const { app, BrowserWindow, Menu, dialog } = require('electron');
-const { spawn, execSync } = require('child_process');
+const { app, BrowserWindow, Menu, dialog, shell, ipcMain } = require('electron');
+const { spawn, exec, execFile } = require('child_process');
+const { promisify } = require('util');
+const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 const path = require('path');
 const fs = require('fs');
 const http = require('http');
@@ -7,6 +10,7 @@ const { WebSocketServer } = require('ws');
 const { registerIpcHandlers, closeDb } = require('./ipc-handlers');
 const { ingestCucumberResults, closeIngesterDb } = require('./test-results-ingester');
 const { autoUpdater } = require('electron-updater');
+const sessionManager = require('./session-manager');
 
 // Track child processes and servers for cleanup
 let nextProcess = null;
@@ -16,8 +20,11 @@ const windows = new Set(); // Track all open windows
 let wss = null;
 let dbPollInterval = null;
 let testResultsPollInterval = null;
+let worktreeCleanupInterval = null;
 let lastDbMtimes = { db: null, wal: null };
 let lastTestResultsMtime = null;
+// Map of worktree path → last mtime for cucumber-results.json
+const worktreeTestResultsMtimes = new Map();
 
 // Track Claude processes by session ID
 const claudeProcesses = new Map();
@@ -32,7 +39,9 @@ const isPackaged = app.isPackaged;
 // Suppress noisy EGL GPU driver error logs (eglQueryDeviceAttribEXT: Bad attribute)
 app.commandLine.appendSwitch('enable-logging', 'stderr');
 app.commandLine.appendSwitch('log-level', '2');
-app.commandLine.appendSwitch('use-angle', 'metal');
+// Disable hardware acceleration to prevent GPU process crashes (exit_code=512)
+// that cause blank white screens. Software rendering is sufficient for this app.
+app.disableHardwareAcceleration();
 
 // Last-selected project persistence (for dev mode)
 const LAST_SELECTED_PROJECT_PATH = path.join(
@@ -90,6 +99,26 @@ function hasValidProject(projectPath) {
   return fs.existsSync(dbPath);
 }
 
+// Determine the correct start URL based on auth state, Claude Code, and project status.
+// Used both at initial window creation and after OAuth callback.
+function getStartUrl() {
+  if (isPackaged && !isAuthenticated()) {
+    const authPage = hasLoggedInBefore() ? '/login' : '/signup';
+    log(`No auth token, showing ${authPage} screen`);
+    return `http://localhost:3000${authPage}`;
+  } else if (!claudeCodeInstalled) {
+    log('Claude Code not installed, showing install screen');
+    return 'http://localhost:3000/install-claude';
+  } else if (!claudeCodeAuthenticated) {
+    log('Claude Code not authenticated, showing connect screen');
+    return 'http://localhost:3000/connect-claude';
+  } else {
+    const hasProject = hasValidProject(projectRoot);
+    log(`Project configured: ${hasProject}, loading: ${hasProject ? '/' : '/welcome'}`);
+    return hasProject ? 'http://localhost:3000' : 'http://localhost:3000/welcome';
+  }
+}
+
 // Set the project root (called when user selects a project)
 async function setProjectRoot(newPath) {
   projectRoot = newPath;
@@ -145,8 +174,39 @@ function getMainWindow() {
 // WebSocket configuration
 const WS_PORT = 47808;
 
+// Persistent log file for diagnostics
+const LOG_DIR = path.join(app.getPath('home'), 'Library', 'Logs', 'jettypod');
+const LOG_FILE = path.join(LOG_DIR, 'main.log');
+const MAX_LOG_SIZE = 5 * 1024 * 1024; // 5MB
+
+let logStream = null;
+
+function initLogFile() {
+  try {
+    fs.mkdirSync(LOG_DIR, { recursive: true });
+    // Rotate if too large
+    if (fs.existsSync(LOG_FILE)) {
+      const stats = fs.statSync(LOG_FILE);
+      if (stats.size > MAX_LOG_SIZE) {
+        const rotated = `${LOG_FILE}.1`;
+        if (fs.existsSync(rotated)) fs.unlinkSync(rotated);
+        fs.renameSync(LOG_FILE, rotated);
+      }
+    }
+    logStream = fs.createWriteStream(LOG_FILE, { flags: 'a' });
+  } catch {
+    // Fall back to console-only logging
+  }
+}
+
+initLogFile();
+
 function log(msg) {
-  console.log(`[Electron] ${msg}`);
+  const line = `[${new Date().toISOString()}] [Electron] ${msg}`;
+  console.log(line);
+  if (logStream) {
+    logStream.write(line + '\n');
+  }
 }
 
 /**
@@ -198,6 +258,7 @@ function getShellEnv() {
 
   // Common paths where npm/node might be installed (fallback for users who have it)
   const additionalPaths = [
+    `${home}/.claude/local`,                   // Official Claude Code install script
     '/usr/local/bin',                          // Homebrew (Intel Mac) / common location
     '/opt/homebrew/bin',                       // Homebrew (Apple Silicon)
     '/opt/homebrew/sbin',
@@ -252,7 +313,7 @@ function getShellEnv() {
  * - Orphaned processes on port 3000
  * - Orphaned next-router-worker processes
  */
-function cleanupStaleResources() {
+async function cleanupStaleResources() {
   log('Cleaning up stale resources...');
 
   // 1. Remove Next.js lock file if it exists
@@ -266,63 +327,33 @@ function cleanupStaleResources() {
     }
   }
 
-  // 2. Kill any process using port 3000 (Next.js dev server port)
-  try {
-    const pidsOnPort = execSync('lsof -ti:3000 2>/dev/null || true', { encoding: 'utf-8' }).trim();
-    if (pidsOnPort) {
-      const pids = pidsOnPort.split('\n').filter(Boolean);
+  // Helper to kill PIDs from a shell command
+  async function killPidsFromCommand(cmd, label) {
+    try {
+      const { stdout } = await execAsync(cmd, { encoding: 'utf-8' });
+      const pids = stdout.trim().split('\n').filter(Boolean);
       for (const pid of pids) {
+        if (parseInt(pid, 10) === process.pid) continue;
         try {
           process.kill(parseInt(pid, 10), 'SIGKILL');
-          log(`Killed stale process on port 3000: PID ${pid}`);
+          log(`Killed ${label}: PID ${pid}`);
         } catch (killErr) {
-          // Process may have already exited
           log(`Could not kill PID ${pid}: ${killErr.message}`);
         }
       }
+    } catch (err) {
+      // Command failed or no processes found - that's fine
     }
-  } catch (err) {
-    // lsof command failed or no processes found - that's fine
-    log(`Port 3000 check: ${err.message || 'no stale processes'}`);
   }
 
+  // 2. Kill any process using port 3000 (Next.js dev server port)
+  await killPidsFromCommand('lsof -ti:3000 2>/dev/null || true', 'stale process on port 3000');
+
   // 3. Kill orphaned next-router-worker processes
-  try {
-    const routerWorkers = execSync('pgrep -f "next-router-worker" 2>/dev/null || true', { encoding: 'utf-8' }).trim();
-    if (routerWorkers) {
-      const pids = routerWorkers.split('\n').filter(Boolean);
-      for (const pid of pids) {
-        try {
-          process.kill(parseInt(pid, 10), 'SIGKILL');
-          log(`Killed orphaned next-router-worker: PID ${pid}`);
-        } catch (killErr) {
-          log(`Could not kill router worker PID ${pid}: ${killErr.message}`);
-        }
-      }
-    }
-  } catch (err) {
-    // No orphaned workers - that's fine
-  }
+  await killPidsFromCommand('pgrep -f "next-router-worker" 2>/dev/null || true', 'orphaned next-router-worker');
 
   // 4. Kill any orphaned node processes running our dev script
-  try {
-    const devProcesses = execSync(`pgrep -f "node.*next.*dev" 2>/dev/null || true`, { encoding: 'utf-8' }).trim();
-    if (devProcesses) {
-      const pids = devProcesses.split('\n').filter(Boolean);
-      for (const pid of pids) {
-        // Don't kill ourselves
-        if (parseInt(pid, 10) === process.pid) continue;
-        try {
-          process.kill(parseInt(pid, 10), 'SIGKILL');
-          log(`Killed orphaned Next.js dev process: PID ${pid}`);
-        } catch (killErr) {
-          log(`Could not kill dev process PID ${pid}: ${killErr.message}`);
-        }
-      }
-    }
-  } catch (err) {
-    // No orphaned processes - that's fine
-  }
+  await killPidsFromCommand('pgrep -f "node.*next.*dev" 2>/dev/null || true', 'orphaned Next.js dev process');
 
   log('Stale resource cleanup complete');
 }
@@ -446,7 +477,7 @@ function startNextServer() {
 // (Moved from apps/ws-server/server.js)
 
 const wsClients = new Set();
-const DB_POLL_MS = 50; // Poll database every 50ms (same as lib/db-watcher.js)
+const DB_POLL_MS = 500; // Poll database every 500ms (same as lib/db-watcher.js)
 
 function broadcastToClients(message) {
   const payload = JSON.stringify(message);
@@ -526,7 +557,102 @@ function startDatabasePolling() {
   }, DB_POLL_MS);
 }
 
+// Get active worktree paths from SQLite
+function getActiveWorktreePaths() {
+  if (!projectRoot) return [];
+  const dbPath = path.join(projectRoot, '.jettypod', 'work.db');
+  if (!fs.existsSync(dbPath)) return [];
+  try {
+    const Database = require('better-sqlite3');
+    const db = new Database(dbPath, { readonly: true });
+    const rows = db.prepare("SELECT worktree_path FROM worktrees WHERE status = 'active'").all();
+    db.close();
+    return rows.map(r => r.worktree_path).filter(p => fs.existsSync(p));
+  } catch {
+    return [];
+  }
+}
+
+// Periodic worktree cleanup — catches orphaned worktrees from done/cancelled items
+const WORKTREE_CLEANUP_MS = 60000; // 60 seconds
+
+function startWorktreeCleanup() {
+  if (!projectRoot) {
+    log('[cleanup] No project selected, skipping worktree cleanup');
+    return;
+  }
+
+  log('[cleanup] Starting periodic worktree cleanup (every 60s)');
+
+  worktreeCleanupInterval = setInterval(() => {
+    if (!projectRoot) return;
+
+    const dbPath = path.join(projectRoot, '.jettypod', 'work.db');
+    if (!fs.existsSync(dbPath)) return;
+
+    try {
+      const Database = require('better-sqlite3');
+      const db = new Database(dbPath, { readonly: true });
+      const orphans = db.prepare(`
+        SELECT w.id as worktree_id, w.work_item_id, w.worktree_path, wi.status as work_status
+        FROM worktrees w
+        JOIN work_items wi ON w.work_item_id = wi.id
+        WHERE w.status IN ('active', 'merged')
+        AND wi.status IN ('done', 'cancelled')
+      `).all();
+      db.close();
+
+      if (orphans.length === 0) return;
+
+      log(`[cleanup] Found ${orphans.length} orphaned worktree(s), running cleanup...`);
+
+      // Shell out to jettypod CLI for the actual cleanup (non-blocking)
+      const cliPath = getBundledCliPath();
+      execAsync(`"${cliPath}" work cleanup`, { cwd: projectRoot, timeout: 30000 })
+        .then(({ stdout }) => {
+          if (stdout && stdout.trim()) {
+            log(`[cleanup] ${stdout.trim()}`);
+          }
+        })
+        .catch((err) => {
+          log(`[cleanup] Cleanup failed: ${err.message}`);
+        });
+    } catch {
+      // Silently ignore — will retry on next interval
+    }
+  }, WORKTREE_CLEANUP_MS);
+}
+
+// Check a single cucumber-results.json path for changes, ingest + broadcast if changed
+function checkTestResultsFile(resultsPath, mtimeKey, getMtime, setMtime) {
+  if (!fs.existsSync(resultsPath)) {
+    if (getMtime() !== null) setMtime(null);
+    return;
+  }
+
+  const stats = fs.statSync(resultsPath);
+  if (stats.mtimeMs !== getMtime()) {
+    setMtime(stats.mtimeMs);
+    log(`[WS] Test results changed: ${resultsPath}`);
+
+    try {
+      const count = ingestCucumberResults(projectRoot, resultsPath);
+      if (count > 0) {
+        log(`[WS] Ingested ${count} test results into database`);
+      }
+    } catch (err) {
+      log(`[WS] Failed to ingest test results: ${err.message}`);
+    }
+
+    broadcastToClients({
+      type: 'test_change',
+      timestamp: Date.now()
+    });
+  }
+}
+
 // Watch for test results file changes (cucumber-results.json)
+// Monitors both projectRoot and all active worktrees
 function startTestResultsPolling() {
   if (!projectRoot) {
     log(`[WS] No project selected, skipping test results watcher`);
@@ -548,36 +674,55 @@ function startTestResultsPolling() {
     log(`[WS] Test results file not found at ${testResultsPath}, will watch for creation`);
   }
 
+  // Refresh worktree list periodically (every 10s via counter)
+  let worktreePaths = getActiveWorktreePaths();
+  let tickCount = 0;
+  const WORKTREE_REFRESH_TICKS = Math.round(10000 / DB_POLL_MS); // ~10 seconds
+
+  if (worktreePaths.length > 0) {
+    log(`[WS] Also watching ${worktreePaths.length} active worktree(s) for test results`);
+  }
+
   // Poll for test results changes
   testResultsPollInterval = setInterval(() => {
     try {
-      if (!fs.existsSync(testResultsPath)) {
-        // File doesn't exist yet - reset mtime so we detect when it's created
-        if (lastTestResultsMtime !== null) {
-          lastTestResultsMtime = null;
-        }
-        return;
+      // Check main project root
+      checkTestResultsFile(
+        testResultsPath,
+        'root',
+        () => lastTestResultsMtime,
+        (v) => { lastTestResultsMtime = v; }
+      );
+
+      // Check active worktrees
+      for (const wtPath of worktreePaths) {
+        const wtResultsPath = path.join(wtPath, 'cucumber-results.json');
+        checkTestResultsFile(
+          wtResultsPath,
+          wtPath,
+          () => worktreeTestResultsMtimes.get(wtPath) ?? null,
+          (v) => {
+            if (v === null) {
+              worktreeTestResultsMtimes.delete(wtPath);
+            } else {
+              worktreeTestResultsMtimes.set(wtPath, v);
+            }
+          }
+        );
       }
 
-      const stats = fs.statSync(testResultsPath);
-      if (stats.mtimeMs !== lastTestResultsMtime) {
-        lastTestResultsMtime = stats.mtimeMs;
-        log(`[WS] Test results changed`);
-
-        // Ingest results into SQLite before broadcasting
-        try {
-          const count = ingestCucumberResults(projectRoot);
-          if (count > 0) {
-            log(`[WS] Ingested ${count} test results into database`);
+      // Periodically refresh worktree list
+      tickCount++;
+      if (tickCount >= WORKTREE_REFRESH_TICKS) {
+        tickCount = 0;
+        const newPaths = getActiveWorktreePaths();
+        // Clean up mtimes for removed worktrees
+        for (const oldPath of worktreePaths) {
+          if (!newPaths.includes(oldPath)) {
+            worktreeTestResultsMtimes.delete(oldPath);
           }
-        } catch (err) {
-          log(`[WS] Failed to ingest test results: ${err.message}`);
         }
-
-        broadcastToClients({
-          type: 'test_change',
-          timestamp: Date.now()
-        });
+        worktreePaths = newPaths;
       }
     } catch {
       // File might be temporarily locked during writes - ignore
@@ -598,17 +743,45 @@ function restartPolling() {
     clearInterval(testResultsPollInterval);
     testResultsPollInterval = null;
     lastTestResultsMtime = null;
+    worktreeTestResultsMtimes.clear();
+  }
+  if (worktreeCleanupInterval) {
+    clearInterval(worktreeCleanupInterval);
+    worktreeCleanupInterval = null;
   }
 
   // Start polling for the new project
   startDatabasePolling();
   startTestResultsPolling();
+  startWorktreeCleanup();
+}
+
+function isPortInUse(port) {
+  return new Promise((resolve) => {
+    const net = require('net');
+    const server = net.createServer();
+    server.once('error', (err) => {
+      resolve(err.code === 'EADDRINUSE');
+    });
+    server.once('listening', () => {
+      server.close();
+      resolve(false);
+    });
+    server.listen(port);
+  });
 }
 
 function startEmbeddedWebSocketServer() {
-  return new Promise((resolve, reject) => {
+  return new Promise(async (resolve, reject) => {
     log('Starting embedded WebSocket server...');
 
+    // Skip if standalone ws-server.js is already running (e.g. npm run dev)
+    if (await isPortInUse(WS_PORT)) {
+      log(`[WS] Port ${WS_PORT} already in use — standalone WS server detected, skipping`);
+      resolve();
+      return;
+    }
+
     try {
       wss = new WebSocketServer({ port: WS_PORT });
 
@@ -626,6 +799,7 @@ function startEmbeddedWebSocketServer() {
 
         ws.on('error', (error) => {
           log(`[WS] WebSocket error: ${error.message}`);
+          ws.close();
           wsClients.delete(ws);
         });
       });
@@ -637,6 +811,7 @@ function startEmbeddedWebSocketServer() {
 
       startDatabasePolling();
       startTestResultsPolling();
+      startWorktreeCleanup();
 
       log(`[WS] WebSocket server running on ws://localhost:${WS_PORT}`);
       resolve();
@@ -659,9 +834,16 @@ function stopWebSocketServer() {
     clearInterval(testResultsPollInterval);
     testResultsPollInterval = null;
     lastTestResultsMtime = null;
+    worktreeTestResultsMtimes.clear();
     log('[WS] Test results polling stopped');
   }
 
+  if (worktreeCleanupInterval) {
+    clearInterval(worktreeCleanupInterval);
+    worktreeCleanupInterval = null;
+    log('[cleanup] Worktree cleanup stopped');
+  }
+
   if (wss) {
     // Close all client connections
     for (const client of wsClients) {
@@ -768,6 +950,7 @@ function killClaude(sessionId) {
   }
 
   log(`[Claude:${sessionId}] Killing process`);
+  claudeProcess.stdin.destroy();
   claudeProcess.kill('SIGTERM');
   claudeProcesses.delete(sessionId);
   return { success: true };
@@ -777,6 +960,7 @@ function killAllClaudeProcesses() {
   log(`[Claude] Killing all ${claudeProcesses.size} processes`);
   for (const [sessionId, process] of claudeProcesses) {
     log(`[Claude] Killing session ${sessionId}`);
+    process.stdin.destroy();
     process.kill('SIGTERM');
   }
   claudeProcesses.clear();
@@ -948,7 +1132,10 @@ module.exports = {
   writeLastSelectedProject,
   installClaudeCode,
   updateClaudeCode,
-  getClaudeCodeInstalled
+  getClaudeCodeInstalled,
+  getClaudeCodeAuthenticated,
+  checkClaudeCodeAuthenticated,
+  loginClaudeCode
 };
 
 // ==================== Application Menu ====================
@@ -1069,7 +1256,19 @@ function buildApplicationMenu() {
         {
           label: 'Check for Updates',
           click: async () => {
+            const headers = sessionManager.getUpdaterHeaders();
+            if (!headers.Authorization) {
+              dialog.showMessageBox({
+                type: 'warning',
+                title: 'Update Check Unavailable',
+                message: 'Not signed in.',
+                detail: 'Please sign in to check for updates.',
+                buttons: ['OK']
+              });
+              return;
+            }
             log('[AutoUpdate] Manual check for updates...');
+            autoUpdater.requestHeaders = headers;
             try {
               const result = await autoUpdater.checkForUpdates();
               if (result && result.updateInfo) {
@@ -1115,6 +1314,7 @@ function createWindow() {
     width: 1400,
     height: 900,
     title: 'JettyPod',
+    backgroundColor: '#FAF9F7',
     webPreferences: {
       nodeIntegration: false,
       contextIsolation: true,
@@ -1124,24 +1324,7 @@ function createWindow() {
 
   windows.add(mainWindow);
 
-  // Determine start URL based on access code, Claude Code, and project status
-  let startUrl;
-  if (isPackaged && !isAccessGranted()) {
-    // Access code required - show access code screen (production only)
-    startUrl = 'http://localhost:3000/access-code';
-    log('Access not granted, showing access code screen');
-  } else if (!claudeCodeInstalled) {
-    // Claude Code is required - show install screen
-    startUrl = 'http://localhost:3000/install-claude';
-    log('Claude Code not installed, showing install screen');
-  } else {
-    // Check if we have a valid project configured
-    const hasProject = hasValidProject(projectRoot);
-    startUrl = hasProject ? 'http://localhost:3000' : 'http://localhost:3000/welcome';
-    log(`Project configured: ${hasProject}, loading: ${startUrl}`);
-  }
-
-  mainWindow.loadURL(startUrl);
+  mainWindow.loadURL(getStartUrl());
 
   // Open DevTools in development
   if (process.env.NODE_ENV === 'development') {
@@ -1201,6 +1384,7 @@ function createNewWindow() {
     width: 1400,
     height: 900,
     title: 'JettyPod',
+    backgroundColor: '#FAF9F7',
     webPreferences: {
       nodeIntegration: false,
       contextIsolation: true,
@@ -1260,21 +1444,25 @@ function cleanup() {
 
 // ==================== Claude Code Detection ====================
 
-// Track whether Claude Code is installed (checked on startup)
+// Track whether Claude Code is installed and authenticated (checked on startup)
 let claudeCodeInstalled = false;
+let claudeCodeAuthenticated = false;
+let claudeCodeNeedsUpdate = false;
 
 /**
  * Check if Claude Code CLI is installed
  * Uses 'which claude' to detect installation
  * @returns {boolean} true if Claude Code is installed
  */
-function checkClaudeCodeInstalled() {
+async function checkClaudeCodeInstalled() {
+  const shellEnv = getShellEnv();
+  log(`[ClaudeCode] Checking with PATH: ${shellEnv.PATH}`);
   try {
-    execSync('which claude', { encoding: 'utf-8', stdio: 'pipe', env: getShellEnv() });
-    log('[ClaudeCode] Claude Code is installed');
+    const { stdout } = await execFileAsync('which', ['claude'], { encoding: 'utf-8', env: shellEnv });
+    log(`[ClaudeCode] Claude Code found at: ${stdout.trim()}`);
     return true;
   } catch {
-    log('[ClaudeCode] Claude Code is NOT installed');
+    log('[ClaudeCode] Claude Code is NOT installed (not found in PATH)');
     return false;
   }
 }
@@ -1377,6 +1565,125 @@ function getClaudeCodeInstalled() {
   return claudeCodeInstalled;
 }
 
+function getClaudeCodeAuthenticated() {
+  return claudeCodeAuthenticated;
+}
+
+/**
+ * Check if Claude Code CLI is authenticated using `claude auth status --json`.
+ * This is a local check (no API call), so it returns instantly.
+ * On any unexpected failure, defaults to false (shows connect screen)
+ * so the user can authenticate rather than hitting a broken state.
+ * @returns {boolean} true if Claude Code is authenticated
+ */
+async function checkClaudeCodeAuthenticated() {
+  if (!claudeCodeInstalled) return false;
+  const shellEnv = getShellEnv();
+  try {
+    const { stdout } = await execFileAsync('claude', ['auth', 'status', '--json'], {
+      encoding: 'utf-8',
+      env: shellEnv,
+      timeout: 10000
+    });
+    const status = JSON.parse(stdout);
+    if (status.loggedIn) {
+      log('[ClaudeCode] Claude Code is authenticated');
+      return true;
+    }
+    log('[ClaudeCode] Claude Code is NOT authenticated');
+    return false;
+  } catch (err) {
+    const combined = (err.stderr || '') + (err.stdout || '') + (err.message || '');
+
+    if (combined.includes('needs an update') || combined.includes('needs_update')) {
+      log('[ClaudeCode] CLI is outdated, flagging for auto-update');
+      claudeCodeNeedsUpdate = true;
+      return false;
+    }
+
+    log(`[ClaudeCode] Auth check failed, defaulting to unauthenticated: ${combined}`);
+    return false;
+  }
+}
+
+/**
+ * Spawn `claude auth login` to trigger browser-based OAuth authentication.
+ * The CLI prints an auth URL to stdout/stderr. We capture it and open it
+ * with shell.openExternal() since the spawned process has no TTY.
+ * @returns {Promise<{success: boolean, error?: string}>}
+ */
+function loginClaudeCode() {
+  return new Promise((resolve) => {
+    const shellEnv = getShellEnv();
+    log('[ClaudeCode] Starting claude auth login...');
+
+    const loginProcess = spawn(getUserShell(), ['-lc', 'claude auth login'], {
+      env: shellEnv,
+      stdio: 'pipe'
+    });
+
+    let stdout = '';
+    let stderr = '';
+    let urlOpened = false;
+
+    const tryOpenUrl = (text) => {
+      if (urlOpened) return;
+      // Match OAuth/auth URLs the CLI prints for non-TTY environments
+      const urlMatch = text.match(/https?:\/\/\S+/);
+      if (urlMatch) {
+        const url = urlMatch[0];
+        log(`[ClaudeCode] Found auth URL, opening in browser: ${url}`);
+        shell.openExternal(url);
+        urlOpened = true;
+      }
+    };
+
+    loginProcess.stdout.on('data', (data) => {
+      const chunk = data.toString();
+      stdout += chunk;
+      log(`[ClaudeCode] stdout: ${chunk.trim()}`);
+      tryOpenUrl(chunk);
+    });
+
+    loginProcess.stderr.on('data', (data) => {
+      const chunk = data.toString();
+      stderr += chunk;
+      log(`[ClaudeCode] stderr: ${chunk.trim()}`);
+      tryOpenUrl(chunk);
+    });
+
+    loginProcess.on('close', async (code) => {
+      if (code === 0) {
+        claudeCodeAuthenticated = true;
+        log('[ClaudeCode] Auth completed successfully');
+        resolve({ success: true });
+      } else if (stderr.includes('needs an update') || stderr.includes('needs_update') ||
+                 stdout.includes('needs an update') || stdout.includes('needs_update')) {
+        log('[ClaudeCode] CLI outdated during login, running auto-update...');
+        const updateResult = await updateClaudeCode();
+        if (updateResult.success) {
+          log('[ClaudeCode] Auto-update succeeded, retrying login');
+          claudeCodeNeedsUpdate = false;
+          // Retry login after update
+          const retryResult = await loginClaudeCode();
+          resolve(retryResult);
+        } else {
+          log(`[ClaudeCode] Auto-update failed: ${updateResult.error}`);
+          resolve({ success: false, error: 'Claude Code needs an update but the update failed. Please run "claude update" manually.' });
+        }
+      } else {
+        log(`[ClaudeCode] Auth failed with code ${code}: ${stderr}`);
+        resolve({ success: false, error: stderr || `Auth exited with code ${code}` });
+      }
+    });
+
+    loginProcess.on('error', (err) => {
+      log(`[ClaudeCode] Auth spawn error: ${err.message}`);
+      resolve({ success: false, error: err.message });
+    });
+  });
+}
+
 // ==================== PATH Setup ====================
 
 const SYMLINK_PATH = '/usr/local/bin/jettypod';
@@ -1397,7 +1704,7 @@ function getBundledCliPath() {
  * Setup PATH by creating symlink to /usr/local/bin
  * Uses osascript to request admin privileges
  */
-async function setupPathOnFirstLaunch() {
+async function setupCliSymlink() {
   // Only run on macOS
   if (process.platform !== 'darwin') {
     log('[PATH] Not macOS, skipping PATH setup');
@@ -1413,19 +1720,29 @@ async function setupPathOnFirstLaunch() {
     return;
   }
 
-  // Skip setup if symlink already exists (subsequent launches)
-  if (fs.existsSync(SYMLINK_PATH)) {
-    log('[PATH] Symlink already exists, skipping PATH setup');
-    return;
+  // Check if symlink already points to the correct bundled CLI
+  try {
+    const currentTarget = fs.readlinkSync(SYMLINK_PATH);
+    if (currentTarget === bundledPath) {
+      log('[PATH] Symlink already points to bundled CLI, skipping');
+      return;
+    }
+    log(`[PATH] Symlink points to ${currentTarget}, updating to bundled CLI`);
+  } catch {
+    // Symlink doesn't exist or isn't a symlink — create it
+    log('[PATH] No existing symlink, creating');
   }
 
   log('[PATH] Setting up PATH with admin privileges...');
 
-  // Use osascript to run ln with admin privileges
-  const script = `do shell script "ln -sf '${bundledPath}' '${SYMLINK_PATH}'" with administrator privileges`;
+  // Use osascript to run ln with admin privileges.
+  // mkdir -p ensures the parent directory exists (e.g. /usr/local/bin may not
+  // exist on fresh Apple Silicon Macs which use /opt/homebrew/bin by default).
+  const symlinkDir = path.dirname(SYMLINK_PATH);
+  const script = `do shell script "mkdir -p '${symlinkDir}' && ln -sf '${bundledPath}' '${SYMLINK_PATH}'" with administrator privileges`;
 
   try {
-    execSync(`osascript -e '${script}'`, { encoding: 'utf-8' });
+    await execAsync(`osascript -e '${script}'`, { encoding: 'utf-8' });
     log('[PATH] Symlink created successfully');
   } catch (error) {
     // User cancelled or error occurred
@@ -1433,35 +1750,117 @@ async function setupPathOnFirstLaunch() {
   }
 }
 
-// ==================== Access Code Gating ====================
+// ==================== Subscription & Access ====================
 
 /**
- * Get path to access-granted.json file
+ * Get path to subscription.json file
  * Stored in Electron's userData directory (~/.config/JettyPod/)
  */
-function getAccessGrantedPath() {
-  return path.join(app.getPath('userData'), 'access-granted.json');
+function getSubscriptionPath() {
+  return path.join(app.getPath('userData'), 'subscription.json');
+}
+
+/**
+ * Get the path to the auth state file.
+ * Stored alongside subscription.json in Electron's userData directory.
+ */
+function getAuthPath() {
+  return path.join(app.getPath('userData'), 'auth.json');
+}
+
+/**
+ * Check if there's a stored auth token (JWT).
+ * Does NOT validate the token — just checks if auth.json exists with a token.
+ */
+function isAuthenticated() {
+  const authPath = getAuthPath();
+  if (!fs.existsSync(authPath)) {
+    log('[Auth] No auth.json found');
+    return false;
+  }
+
+  try {
+    const data = JSON.parse(fs.readFileSync(authPath, 'utf-8'));
+    if (data.token) {
+      log('[Auth] Auth token found');
+      return true;
+    }
+  } catch (error) {
+    log(`[Auth] Error reading auth file: ${error.message}`);
+  }
+
+  return false;
+}
+
+/**
+ * Check if the user has ever logged in before.
+ * Uses a persistent marker file that survives logout (auth.json deletion).
+ */
+function hasLoggedInBefore() {
+  try {
+    const markerPath = path.join(app.getPath('userData'), 'has-logged-in');
+    return fs.existsSync(markerPath);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Mark that the user has logged in at least once.
+ * Called after successful authentication (both OAuth and OTP).
+ */
+function markHasLoggedIn() {
+  try {
+    const markerPath = path.join(app.getPath('userData'), 'has-logged-in');
+    const dir = path.dirname(markerPath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    if (!fs.existsSync(markerPath)) {
+      fs.writeFileSync(markerPath, new Date().toISOString());
+      log('[Auth] Marked user as having logged in before');
+    }
+  } catch (error) {
+    log(`[Auth] Failed to write login marker: ${error.message}`);
+  }
+}
+
+/**
+ * Read the Stripe customer ID from subscription config.
+ * Returns null if no subscription is stored.
+ * Written by the Stripe checkout flow (chore #1000535).
+ */
+function getSubscriptionCustomerId() {
+  const subPath = getSubscriptionPath();
+  if (!fs.existsSync(subPath)) return null;
+  try {
+    const data = JSON.parse(fs.readFileSync(subPath, 'utf-8'));
+    return data.customerId || null;
+  } catch (error) {
+    log(`[Subscription] Error reading subscription file: ${error.message}`);
+    return null;
+  }
 }
 
 /**
- * Check if app access has been granted via access code
- * @returns {boolean} True if access has been granted
+ * Check if there's an active subscription stored locally.
+ * Full validation against Stripe happens on update check / app refresh.
  */
-function isAccessGranted() {
-  const accessPath = getAccessGrantedPath();
-  if (!fs.existsSync(accessPath)) {
-    log('[Access] No access-granted.json found');
+function isSubscriptionActive() {
+  const subPath = getSubscriptionPath();
+  if (!fs.existsSync(subPath)) {
+    log('[Subscription] No subscription.json found');
     return false;
   }
 
   try {
-    const data = JSON.parse(fs.readFileSync(accessPath, 'utf-8'));
-    if (data.activated) {
-      log('[Access] Access granted');
+    const data = JSON.parse(fs.readFileSync(subPath, 'utf-8'));
+    if (data.customerId) {
+      log('[Subscription] Active subscription found');
       return true;
     }
   } catch (error) {
-    log(`[Access] Error reading access file: ${error.message}`);
+    log(`[Subscription] Error reading subscription file: ${error.message}`);
   }
 
   return false;
@@ -1510,6 +1909,16 @@ function copyDirSync(src, dest) {
     if (entry.isDirectory()) {
       copyDirSync(srcPath, destPath);
     } else {
+      // Skip copy if dest exists and has same or newer mtime + same size
+      try {
+        const srcStat = fs.statSync(srcPath);
+        const destStat = fs.statSync(destPath);
+        if (destStat.mtimeMs >= srcStat.mtimeMs && destStat.size === srcStat.size) {
+          continue;
+        }
+      } catch {
+        // dest doesn't exist — copy it
+      }
       fs.copyFileSync(srcPath, destPath);
     }
   }
@@ -1652,28 +2061,168 @@ autoUpdater.on('update-downloaded', (info) => {
 
 // ==================== App Lifecycle ====================
 
+// Register jettypod:// protocol for OAuth callback
+if (!isPackaged) {
+  // Dev mode: pass app path so macOS can route the URL to this Electron instance
+  app.setAsDefaultProtocolClient('jettypod', process.execPath, [path.resolve(process.argv[1])]);
+} else {
+  app.setAsDefaultProtocolClient('jettypod');
+}
+
+/**
+ * Decode a JWT payload without verifying the signature.
+ * Used to extract user info (email, plan) from the token before saving.
+ */
+function decodeJWTPayload(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    return JSON.parse(Buffer.from(payload, 'base64').toString('utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Handle a jettypod:// protocol URL (OAuth callback).
+ * Saves the token + decoded user info to auth.json and navigates to the dashboard.
+ */
+function handleProtocolUrl(url) {
+  log(`[Auth] Protocol handler received: ${url}`);
+
+  try {
+    const parsed = new URL(url);
+    // jettypod://auth/callback parses as hostname='auth', pathname='/callback'
+    const isAuthCallback =
+      (parsed.hostname === 'auth' && parsed.pathname === '/callback') ||
+      parsed.pathname === '//auth/callback' ||
+      parsed.pathname === '/auth/callback';
+    if (isAuthCallback) {
+      const token = parsed.searchParams.get('token');
+      if (token && mainWindow) {
+        // Decode JWT to extract user info (sub, email, plan)
+        const payload = decodeJWTPayload(token);
+        const user = payload ? { id: payload.sub, email: payload.email, plan: payload.plan } : undefined;
+
+        // Save auth.json with token AND user data
+        const authPath = path.join(app.getPath('userData'), 'auth.json');
+        const dir = path.dirname(authPath);
+        if (!fs.existsSync(dir)) {
+          fs.mkdirSync(dir, { recursive: true });
+        }
+        fs.writeFileSync(authPath, JSON.stringify({ token, user, savedAt: new Date().toISOString() }, null, 2));
+        markHasLoggedIn();
+        log('[Auth] Token + user data saved from OAuth callback');
+
+        // Navigate to the appropriate onboarding/dashboard page
+        mainWindow.loadURL(getStartUrl());
+        mainWindow.focus();
+      }
+    } else if (parsed.hostname === 'subscription' && parsed.pathname === '/activated') {
+      log('[Auth] Subscription activated deep link received');
+      if (mainWindow) {
+        mainWindow.loadURL(getStartUrl());
+        mainWindow.focus();
+      }
+    }
+  } catch (error) {
+    log(`[Auth] Error handling protocol URL: ${error.message}`);
+  }
+}
+
+// Single-instance lock: ensure deep links are routed to the existing instance
+const gotTheLock = app.requestSingleInstanceLock();
+
+if (!gotTheLock) {
+  // Another instance is already running — quit this one.
+  // The URL (if any) will be forwarded to the existing instance via 'second-instance'.
+  app.quit();
+} else {
+  // On macOS, protocol URLs for a running app arrive via 'open-url'.
+  app.on('open-url', (event, url) => {
+    event.preventDefault();
+    handleProtocolUrl(url);
+  });
+
+  // On Windows/Linux (and macOS second-instance fallback), the URL arrives here.
+  app.on('second-instance', (_event, commandLine) => {
+    // The protocol URL is typically the last argument
+    const url = commandLine.find(arg => arg.startsWith('jettypod://'));
+    if (url) {
+      handleProtocolUrl(url);
+    }
+    // Focus the main window
+    if (mainWindow) {
+      if (mainWindow.isMinimized()) mainWindow.restore();
+      mainWindow.focus();
+    }
+  });
+}
+
 app.whenReady().then(async () => {
   log('Electron app ready');
 
+  // Start session manager (handles auth heartbeat + auto-updater token)
+  sessionManager.setLogger(log);
+  if (isAuthenticated()) {
+    sessionManager.start();
+  }
+
   // Check for updates in the background (only in packaged app)
-  if (isPackaged) {
-    log('[AutoUpdate] Checking for updates...');
-    try {
-      await autoUpdater.checkForUpdatesAndNotify();
-    } catch (error) {
-      // Log error but don't crash - auto-update failures shouldn't prevent app launch
-      console.error('[AutoUpdate] Failed to check for updates:', error.message);
-      log(`[AutoUpdate] Update check failed: ${error.message}`);
+  if (isPackaged && isAuthenticated()) {
+    const headers = sessionManager.getUpdaterHeaders();
+    if (headers.Authorization) {
+      autoUpdater.requestHeaders = headers;
+      log('[AutoUpdate] Checking for updates with JWT...');
+      try {
+        await autoUpdater.checkForUpdatesAndNotify();
+      } catch (error) {
+        log(`[AutoUpdate] Update check failed: ${error.message}`);
+      }
+    } else {
+      log('[AutoUpdate] Skipping update check - no auth token');
     }
   }
 
   // Check if Claude Code is installed (for dependency flow)
   // Updates the global claudeCodeInstalled variable
-  claudeCodeInstalled = checkClaudeCodeInstalled();
+  claudeCodeInstalled = await checkClaudeCodeInstalled();
   log(`Claude Code installed: ${claudeCodeInstalled}`);
 
+  // Check if Claude Code is authenticated (only if installed)
+  // Wrapped in try/catch so a catastrophic failure here doesn't crash startup
+  if (claudeCodeInstalled) {
+    try {
+      claudeCodeAuthenticated = await checkClaudeCodeAuthenticated();
+    } catch (err) {
+      log(`[ClaudeCode] Auth check crashed unexpectedly: ${err.message}`);
+      claudeCodeAuthenticated = false;
+    }
+
+    // Auto-update if CLI is outdated, then retry auth check
+    if (!claudeCodeAuthenticated && claudeCodeNeedsUpdate) {
+      log('[ClaudeCode] CLI outdated, running auto-update...');
+      const updateResult = await updateClaudeCode();
+      if (updateResult.success) {
+        log('[ClaudeCode] Auto-update succeeded, retrying auth check');
+        claudeCodeNeedsUpdate = false;
+        try {
+          claudeCodeAuthenticated = await checkClaudeCodeAuthenticated();
+        } catch (err) {
+          log(`[ClaudeCode] Auth re-check crashed: ${err.message}`);
+          claudeCodeAuthenticated = false;
+        }
+      } else {
+        log(`[ClaudeCode] Auto-update failed: ${updateResult.error}`);
+      }
+    }
+
+    log(`Claude Code authenticated: ${claudeCodeAuthenticated}`);
+  }
+
   // Setup PATH on first launch (creates symlink to /usr/local/bin)
-  await setupPathOnFirstLaunch();
+  await setupCliSymlink();
 
   // Sync bundled skills to ~/.claude/skills/
   syncSkills();
@@ -1686,8 +2235,19 @@ app.whenReady().then(async () => {
   // Register IPC handlers for database operations
   registerIpcHandlers();
 
+  // Post-login navigation: returns the correct path based on Claude Code state
+  ipcMain.handle('auth:getPostLoginPath', () => {
+    const url = getStartUrl();
+    // Extract just the path from the full URL
+    try {
+      return new URL(url).pathname;
+    } catch {
+      return '/';
+    }
+  });
+
   // Clean up stale resources from previous runs (lock files, orphaned processes)
-  cleanupStaleResources();
+  await cleanupStaleResources();
 
   try {
     // Start servers in parallel