myrlin-workbook 0.9.0 → 0.9.2

package/README.md

@@ -54,6 +54,8 @@ CWM_PASSWORD=mypassword npx myrlin-workbook
 
 Password lookup order: `CWM_PASSWORD` env var > `~/.myrlin/config.json` > `./state/config.json` > auto-generate.
 
+On startup, the console prints a clickable URL with a one-time token (e.g., `http://127.0.0.1:3456?token=<random>`). Click it to auto-login — the token is single-use and expires after 60 seconds, so it's safe even if it appears in terminal logs. The token is stripped from the URL bar immediately after login.
+
 ### Prerequisites
 
 - **Node.js 18+** ([download](https://nodejs.org))

package/package.json

@@ -1,64 +1,64 @@
-{
-  "name": "myrlin-workbook",
-  "version": "0.9.0",
-  "description": "Browser-based project manager for Claude Code sessions - session discovery, multi-terminal, cost tracking, docs, and kanban board",
-  "main": "src/index.js",
-  "bin": {
-    "myrlin-workbook": "./src/gui.js",
-    "myrlin": "./src/gui.js",
-    "myrlin-tui": "./src/index.js",
-    "cwm": "./src/index.js"
-  },
-  "scripts": {
-    "start": "node src/index.js",
-    "demo": "node src/demo.js",
-    "gui": "node src/supervisor.js",
-    "gui:bare": "node src/gui.js",
-    "gui:demo": "node src/supervisor.js --demo",
-    "test": "node test/run.js",
-    "mcp:visual-qa": "node src/mcp/visual-qa.js",
-    "gui:cdp": "node src/supervisor.js --cdp",
-    "postinstall": "node scripts/postinstall.js",
-    "restart": "bash scripts/restart-gui.sh"
-  },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/therealarthur/myrlin-workbook.git"
-  },
-  "homepage": "https://github.com/therealarthur/myrlin-workbook",
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "keywords": [
-    "claude",
-    "workspace",
-    "manager",
-    "terminal",
-    "tui",
-    "ai",
-    "coding-assistant",
-    "session-manager",
-    "developer-tools",
-    "xterm",
-    "myrlin"
-  ],
-  "author": "Arthur",
-  "license": "AGPL-3.0-only",
-  "dependencies": {
-    "blessed": "^0.1.81",
-    "blessed-contrib": "^4.11.0",
-    "chalk": "^5.6.2",
-    "chrome-remote-interface": "^0.34.0",
-    "express": "^5.2.1",
-    "node-pty": "^1.1.0",
-    "ws": "^8.19.0"
-  },
-  "devDependencies": {
-    "@playwright/test": "^1.58.2",
-    "@xterm/addon-fit": "^0.11.0",
-    "@xterm/addon-web-links": "^0.12.0",
-    "@xterm/xterm": "^6.0.0",
-    "ffmpeg-static": "^5.3.0",
-    "sharp": "^0.34.5"
-  }
-}
+{
+  "name": "myrlin-workbook",
+  "version": "0.9.2",
+  "description": "Browser-based project manager for Claude Code sessions - session discovery, multi-terminal, cost tracking, docs, and kanban board",
+  "main": "src/index.js",
+  "bin": {
+    "myrlin-workbook": "./src/gui.js",
+    "myrlin": "./src/gui.js",
+    "myrlin-tui": "./src/index.js",
+    "cwm": "./src/index.js"
+  },
+  "scripts": {
+    "start": "node src/index.js",
+    "demo": "node src/demo.js",
+    "gui": "node src/supervisor.js",
+    "gui:bare": "node src/gui.js",
+    "gui:demo": "node src/supervisor.js --demo",
+    "test": "node test/run.js",
+    "mcp:visual-qa": "node src/mcp/visual-qa.js",
+    "gui:cdp": "node src/supervisor.js --cdp",
+    "postinstall": "node scripts/postinstall.js",
+    "restart": "bash scripts/restart-gui.sh"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/therealarthur/myrlin-workbook.git"
+  },
+  "homepage": "https://github.com/therealarthur/myrlin-workbook",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "keywords": [
+    "claude",
+    "workspace",
+    "manager",
+    "terminal",
+    "tui",
+    "ai",
+    "coding-assistant",
+    "session-manager",
+    "developer-tools",
+    "xterm",
+    "myrlin"
+  ],
+  "author": "Arthur",
+  "license": "AGPL-3.0-only",
+  "dependencies": {
+    "blessed": "^0.1.81",
+    "blessed-contrib": "^4.11.0",
+    "chalk": "^5.6.2",
+    "chrome-remote-interface": "^0.34.0",
+    "express": "^5.2.1",
+    "node-pty": "^1.1.0",
+    "ws": "^8.19.0"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.58.2",
+    "@xterm/addon-fit": "^0.11.0",
+    "@xterm/addon-web-links": "^0.12.0",
+    "@xterm/xterm": "^6.0.0",
+    "ffmpeg-static": "^5.3.0",
+    "sharp": "^0.34.5"
+  }
+}

package/src/gui.js

@@ -16,6 +16,7 @@
 const { getStore } = require('./state/store');
 const { startServer, getPtyManager } = require('./web/server');
 const { backupFrontend } = require('./web/backup');
+const { generateStartupToken } = require('./web/auth');
 
 // ─── Initialize Store ──────────────────────────────────────
 
@@ -92,7 +93,9 @@ const port = parseInt(process.env.PORT, 10) || 3456;
 const host = process.env.CWM_HOST || '127.0.0.1';
 const server = startServer(port, host);
 
-console.log(`CWM GUI running at http://${host}:${port}`);
+const startupToken = generateStartupToken();
+const authUrl = `http://${host}:${port}?token=${encodeURIComponent(startupToken)}`;
+console.log(`CWM GUI running at ${authUrl}`);
 console.log('Press Ctrl+C to stop.');
 
 // Snapshot frontend files as "last known good" on successful start
@@ -167,7 +170,7 @@ function openBrowserWithCDP(url, cdpPort) {
 if (!process.env.CWM_NO_OPEN) {
   const cdpEnabled = process.argv.includes('--cdp');
   const cdpPort = parseInt(process.env.CDP_PORT, 10) || 9222;
-  const url = `http://localhost:${port}`;
+  const url = authUrl;
 
   if (cdpEnabled) {
     openBrowserWithCDP(url, cdpPort);

package/src/web/auth.js

@@ -1,308 +1,399 @@
-/**
- * Authentication module for Claude Workspace Manager Web API.
- * Uses a simple in-memory token approach with Bearer token auth.
- *
- * - POST /api/auth/login - Validates password, returns a Bearer token
- * - POST /api/auth/logout - Invalidates the token
- * - GET  /api/auth/check - Validates current token
- *
- * Protected routes use the requireAuth middleware which checks
- * the Authorization: Bearer <token> header.
- *
- * Password is loaded from (in priority order):
- *   1. CWM_PASSWORD environment variable
- *   2. ~/.myrlin/config.json (persists across npx updates/reinstalls)
- *   3. ./state/config.json (local project config)
- *   4. Auto-generated on first run (saved to both locations)
- *
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-const crypto = require('crypto');
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-
-// ─── Configuration ─────────────────────────────────────────
-const TOKEN_BYTE_LENGTH = 32;
-const HOME_CONFIG_DIR = path.join(os.homedir(), '.myrlin');
-const HOME_CONFIG_FILE = path.join(HOME_CONFIG_DIR, 'config.json');
-const LOCAL_CONFIG_DIR = path.join(__dirname, '..', '..', 'state');
-const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
-
-// ─── Rate Limiting ─────────────────────────────────────────
-// Simple in-memory rate limiter: max 5 login attempts per IP per 60 seconds
-const LOGIN_RATE_LIMIT = 5;
-const LOGIN_RATE_WINDOW_MS = 60 * 1000; // 1 minute
-const loginAttempts = new Map(); // IP -> { count, resetAt }
-
-/**
- * Check if a login attempt from this IP should be rate-limited.
- * @param {string} ip - Client IP address
- * @returns {boolean} true if rate limited (should reject)
- */
-function isRateLimited(ip) {
-  const now = Date.now();
-  const entry = loginAttempts.get(ip);
-
-  if (!entry || now > entry.resetAt) {
-    // Window expired or new IP - start fresh
-    loginAttempts.set(ip, { count: 1, resetAt: now + LOGIN_RATE_WINDOW_MS });
-    return false;
-  }
-
-  entry.count++;
-  if (entry.count > LOGIN_RATE_LIMIT) {
-    return true;
-  }
-  return false;
-}
-
-// Clean up stale rate limit entries every 5 minutes
-setInterval(() => {
-  const now = Date.now();
-  for (const [ip, entry] of loginAttempts) {
-    if (now > entry.resetAt) {
-      loginAttempts.delete(ip);
-    }
-  }
-}, 5 * 60 * 1000).unref();
-
-// ─── Password Management ──────────────────────────────────
-
-/**
- * Read password from a config file, returns null if not found.
- * @param {string} filePath - Path to config.json
- * @returns {string|null}
- */
-function readPasswordFromFile(filePath) {
-  try {
-    if (fs.existsSync(filePath)) {
-      const config = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
-      if (config.password && typeof config.password === 'string') {
-        return config.password;
-      }
-    }
-  } catch (_) {
-    // Corrupted config - skip
-  }
-  return null;
-}
-
-/**
- * Save password to a config file (merges with existing keys).
- * @param {string} dir - Config directory path
- * @param {string} filePath - Config file path
- * @param {string} password - Password to save
- */
-function savePasswordToFile(dir, filePath, password) {
-  try {
-    if (!fs.existsSync(dir)) {
-      fs.mkdirSync(dir, { recursive: true });
-    }
-    const config = {};
-    try {
-      if (fs.existsSync(filePath)) {
-        Object.assign(config, JSON.parse(fs.readFileSync(filePath, 'utf-8')));
-      }
-    } catch (_) {}
-    config.password = password;
-    fs.writeFileSync(filePath, JSON.stringify(config, null, 2), 'utf-8');
-  } catch (err) {
-    // Non-fatal: password still works in memory for this session
-  }
-}
-
-/**
- * Load or generate the auth password.
- * Priority: env var > ~/.myrlin/config.json > ./state/config.json > auto-generate.
- * When auto-generating, saves to both ~/.myrlin/ and ./state/ so the password
- * persists across npx cache clears and project reinstalls.
- * @returns {string}
- */
-function loadPassword() {
-  // 1. Environment variable (highest priority, always wins)
-  if (process.env.CWM_PASSWORD) {
-    return process.env.CWM_PASSWORD;
-  }
-
-  // 2. Home directory config (~/.myrlin/config.json) — persists across reinstalls
-  const homePassword = readPasswordFromFile(HOME_CONFIG_FILE);
-  if (homePassword) {
-    // Also sync to local config so it's visible in the project
-    savePasswordToFile(LOCAL_CONFIG_DIR, LOCAL_CONFIG_FILE, homePassword);
-    return homePassword;
-  }
-
-  // 3. Local project config (./state/config.json)
-  const localPassword = readPasswordFromFile(LOCAL_CONFIG_FILE);
-  if (localPassword) {
-    // Promote to home config for persistence across reinstalls
-    savePasswordToFile(HOME_CONFIG_DIR, HOME_CONFIG_FILE, localPassword);
-    return localPassword;
-  }
-
-  // 4. Auto-generate and save to both locations
-  const generated = crypto.randomBytes(16).toString('base64url');
-  savePasswordToFile(HOME_CONFIG_DIR, HOME_CONFIG_FILE, generated);
-  savePasswordToFile(LOCAL_CONFIG_DIR, LOCAL_CONFIG_FILE, generated);
-
-  console.log('');
-  console.log('══════════════════════════════════════════════════');
-  console.log('  CWM auto-generated password: ' + generated);
-  console.log('  Saved to: ~/.myrlin/config.json');
-  console.log('  Set CWM_PASSWORD env var to override.');
-  console.log('══════════════════════════════════════════════════');
-  console.log('');
-
-  return generated;
-}
-
-const AUTH_PASSWORD = loadPassword();
-
-// In-memory set of valid tokens. Tokens survive for the lifetime of
-// the server process. A restart invalidates all tokens (acceptable
-// for a local dev-tool).
-const activeTokens = new Set();
-
-// ─── Helpers ───────────────────────────────────────────────
-
-/**
- * Generate a cryptographically random hex token.
- * @returns {string} 64-character hex string
- */
-function generateToken() {
-  return crypto.randomBytes(TOKEN_BYTE_LENGTH).toString('hex');
-}
-
-/**
- * Extract the Bearer token from an Authorization header value.
- * Returns null if the header is missing or malformed.
- * @param {string|undefined} headerValue - The raw Authorization header
- * @returns {string|null}
- */
-function extractBearerToken(headerValue) {
-  if (!headerValue || typeof headerValue !== 'string') return null;
-  const parts = headerValue.split(' ');
-  if (parts.length !== 2 || parts[0] !== 'Bearer') return null;
-  return parts[1];
-}
-
-// ─── Middleware ─────────────────────────────────────────────
-
-/**
- * Express middleware that requires a valid Bearer token.
- * Responds with 401 if the token is missing or invalid.
- */
-function requireAuth(req, res, next) {
-  const token = extractBearerToken(req.headers.authorization);
-
-  if (!token || !activeTokens.has(token)) {
-    return res.status(401).json({
-      error: 'Unauthorized',
-      message: 'Valid Bearer token required. POST /api/auth/login to authenticate.',
-    });
-  }
-
-  // Attach token to request for downstream use (e.g. logout)
-  req.authToken = token;
-  next();
-}
-
-// ─── Route Setup ───────────────────────────────────────────
-
-/**
- * Mount authentication routes on the Express app.
- * These routes are NOT protected by requireAuth - they are public.
- *
- * @param {import('express').Express} app - The Express application
- */
-function setupAuth(app) {
-  /**
-   * POST /api/auth/login
-   * Body: { password: string }
-   * Returns: { success: true, token: string } or { success: false, error: string }
-   */
-  app.post('/api/auth/login', (req, res) => {
-    // Rate limiting
-    const clientIp = req.ip || req.connection.remoteAddress || 'unknown';
-    if (isRateLimited(clientIp)) {
-      return res.status(429).json({
-        success: false,
-        error: 'Too many login attempts. Try again in 1 minute.',
-      });
-    }
-
-    const { password } = req.body || {};
-
-    if (!password || typeof password !== 'string') {
-      return res.status(400).json({
-        success: false,
-        error: 'Missing or invalid password field in request body.',
-      });
-    }
-
-    // Constant-time comparison to mitigate timing attacks
-    const passwordBuffer = Buffer.from(password, 'utf-8');
-    const expectedBuffer = Buffer.from(AUTH_PASSWORD, 'utf-8');
-    const isValid =
-      passwordBuffer.length === expectedBuffer.length &&
-      crypto.timingSafeEqual(passwordBuffer, expectedBuffer);
-
-    if (!isValid) {
-      return res.status(403).json({
-        success: false,
-        error: 'Invalid password.',
-      });
-    }
-
-    const token = generateToken();
-    activeTokens.add(token);
-
-    return res.json({ success: true, token });
-  });
-
-  /**
-   * POST /api/auth/logout
-   * Requires Authorization: Bearer <token>
-   * Removes the token from the active set.
-   */
-  app.post('/api/auth/logout', (req, res) => {
-    const token = extractBearerToken(req.headers.authorization);
-
-    if (token) {
-      activeTokens.delete(token);
-    }
-
-    return res.json({ success: true });
-  });
-
-  /**
-   * GET /api/auth/check
-   * Returns whether the provided Bearer token is still valid.
-   */
-  app.get('/api/auth/check', (req, res) => {
-    const token = extractBearerToken(req.headers.authorization);
-    const authenticated = !!token && activeTokens.has(token);
-
-    return res.json({ authenticated });
-  });
-}
-
-/**
- * Check if a raw token string is valid (exists in activeTokens).
- * Used by SSE endpoint which can't use requireAuth middleware.
- * @param {string} token - The raw token string
- * @returns {boolean}
- */
-function isValidToken(token) {
-  return !!token && activeTokens.has(token);
-}
-
-// ─── Exports ───────────────────────────────────────────────
-
-module.exports = {
-  setupAuth,
-  requireAuth,
-  isValidToken,
-};
+/**
+ * Authentication module for Claude Workspace Manager Web API.
+ * Uses a simple in-memory token approach with Bearer token auth.
+ *
+ * - POST /api/auth/login - Validates password, returns a Bearer token
+ * - POST /api/auth/logout - Invalidates the token
+ * - GET  /api/auth/check - Validates current token
+ *
+ * Protected routes use the requireAuth middleware which checks
+ * the Authorization: Bearer <token> header.
+ *
+ * Password is loaded from (in priority order):
+ *   1. CWM_PASSWORD environment variable
+ *   2. ~/.myrlin/config.json (persists across npx updates/reinstalls)
+ *   3. ./state/config.json (local project config)
+ *   4. Auto-generated on first run (saved to both locations)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+// ─── Configuration ─────────────────────────────────────────
+const TOKEN_BYTE_LENGTH = 32;
+const STARTUP_TOKEN_TTL_MS = 60 * 1000; // 60 seconds
+const HOME_CONFIG_DIR = path.join(os.homedir(), '.myrlin');
+const HOME_CONFIG_FILE = path.join(HOME_CONFIG_DIR, 'config.json');
+const LOCAL_CONFIG_DIR = path.join(__dirname, '..', '..', 'state');
+const LOCAL_CONFIG_FILE = path.join(LOCAL_CONFIG_DIR, 'config.json');
+
+// ─── Rate Limiting ─────────────────────────────────────────
+// Simple in-memory rate limiter: max 5 login attempts per IP per 60 seconds
+const LOGIN_RATE_LIMIT = 5;
+const LOGIN_RATE_WINDOW_MS = 60 * 1000; // 1 minute
+const loginAttempts = new Map(); // IP -> { count, resetAt }
+
+/**
+ * Check if a login attempt from this IP should be rate-limited.
+ * @param {string} ip - Client IP address
+ * @returns {boolean} true if rate limited (should reject)
+ */
+function isRateLimited(ip) {
+  const now = Date.now();
+  const entry = loginAttempts.get(ip);
+
+  if (!entry || now > entry.resetAt) {
+    // Window expired or new IP - start fresh
+    loginAttempts.set(ip, { count: 1, resetAt: now + LOGIN_RATE_WINDOW_MS });
+    return false;
+  }
+
+  entry.count++;
+  if (entry.count > LOGIN_RATE_LIMIT) {
+    return true;
+  }
+  return false;
+}
+
+// Clean up stale rate limit entries every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, entry] of loginAttempts) {
+    if (now > entry.resetAt) {
+      loginAttempts.delete(ip);
+    }
+  }
+}, 5 * 60 * 1000).unref();
+
+// ─── Password Management ──────────────────────────────────
+
+/**
+ * Read password from a config file, returns null if not found.
+ * @param {string} filePath - Path to config.json
+ * @returns {string|null}
+ */
+function readPasswordFromFile(filePath) {
+  try {
+    if (fs.existsSync(filePath)) {
+      const config = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+      if (config.password && typeof config.password === 'string') {
+        return config.password;
+      }
+    }
+  } catch (_) {
+    // Corrupted config - skip
+  }
+  return null;
+}
+
+/**
+ * Save password to a config file (merges with existing keys).
+ * @param {string} dir - Config directory path
+ * @param {string} filePath - Config file path
+ * @param {string} password - Password to save
+ */
+function savePasswordToFile(dir, filePath, password) {
+  try {
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    const config = {};
+    try {
+      if (fs.existsSync(filePath)) {
+        Object.assign(config, JSON.parse(fs.readFileSync(filePath, 'utf-8')));
+      }
+    } catch (_) {}
+    config.password = password;
+    fs.writeFileSync(filePath, JSON.stringify(config, null, 2), 'utf-8');
+  } catch (err) {
+    // Non-fatal: password still works in memory for this session
+  }
+}
+
+/**
+ * Load or generate the auth password.
+ * Priority: env var > ~/.myrlin/config.json > ./state/config.json > auto-generate.
+ * When auto-generating, saves to both ~/.myrlin/ and ./state/ so the password
+ * persists across npx cache clears and project reinstalls.
+ * @returns {string}
+ */
+function loadPassword() {
+  // 1. Environment variable (highest priority, always wins)
+  if (process.env.CWM_PASSWORD) {
+    return process.env.CWM_PASSWORD;
+  }
+
+  // 2. Home directory config (~/.myrlin/config.json) — persists across reinstalls
+  const homePassword = readPasswordFromFile(HOME_CONFIG_FILE);
+  if (homePassword) {
+    // Also sync to local config so it's visible in the project
+    savePasswordToFile(LOCAL_CONFIG_DIR, LOCAL_CONFIG_FILE, homePassword);
+    return homePassword;
+  }
+
+  // 3. Local project config (./state/config.json)
+  const localPassword = readPasswordFromFile(LOCAL_CONFIG_FILE);
+  if (localPassword) {
+    // Promote to home config for persistence across reinstalls
+    savePasswordToFile(HOME_CONFIG_DIR, HOME_CONFIG_FILE, localPassword);
+    return localPassword;
+  }
+
+  // 4. Auto-generate and save to both locations
+  const generated = crypto.randomBytes(16).toString('base64url');
+  savePasswordToFile(HOME_CONFIG_DIR, HOME_CONFIG_FILE, generated);
+  savePasswordToFile(LOCAL_CONFIG_DIR, LOCAL_CONFIG_FILE, generated);
+
+  console.log('');
+  console.log('══════════════════════════════════════════════════');
+  console.log('  CWM auto-generated password: ' + generated);
+  console.log('  Saved to: ~/.myrlin/config.json');
+  console.log('  Set CWM_PASSWORD env var to override.');
+  console.log('══════════════════════════════════════════════════');
+  console.log('');
+
+  return generated;
+}
+
+const AUTH_PASSWORD = loadPassword();
+
+// In-memory set of valid tokens. Tokens survive for the lifetime of
+// the server process. A restart invalidates all tokens (acceptable
+// for a local dev-tool).
+const activeTokens = new Set();
+
+// ─── One-Time Startup Tokens ──────────────────────────────
+// Map of token → { createdAt, used }. Single-use, short-lived tokens
+// embedded in the startup URL so the browser can auto-login without
+// exposing the actual password.
+const startupTokens = new Map();
+
+/**
+ * Generate a one-time startup token for URL-based auto-login.
+ * The token is single-use and expires after STARTUP_TOKEN_TTL_MS.
+ * @returns {string} The generated token
+ */
+function generateStartupToken() {
+  const token = crypto.randomBytes(TOKEN_BYTE_LENGTH).toString('hex');
+  startupTokens.set(token, { createdAt: Date.now(), used: false });
+  return token;
+}
+
+// Clean up expired/used startup tokens every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [token, entry] of startupTokens) {
+    if (entry.used || now - entry.createdAt > STARTUP_TOKEN_TTL_MS) {
+      startupTokens.delete(token);
+    }
+  }
+}, 5 * 60 * 1000).unref();
+
+// ─── Helpers ───────────────────────────────────────────────
+
+/**
+ * Generate a cryptographically random hex token.
+ * @returns {string} 64-character hex string
+ */
+function generateToken() {
+  return crypto.randomBytes(TOKEN_BYTE_LENGTH).toString('hex');
+}
+
+/**
+ * Extract the Bearer token from an Authorization header value.
+ * Returns null if the header is missing or malformed.
+ * @param {string|undefined} headerValue - The raw Authorization header
+ * @returns {string|null}
+ */
+function extractBearerToken(headerValue) {
+  if (!headerValue || typeof headerValue !== 'string') return null;
+  const parts = headerValue.split(' ');
+  if (parts.length !== 2 || parts[0] !== 'Bearer') return null;
+  return parts[1];
+}
+
+// ─── Middleware ─────────────────────────────────────────────
+
+/**
+ * Express middleware that requires a valid Bearer token.
+ * Responds with 401 if the token is missing or invalid.
+ */
+function requireAuth(req, res, next) {
+  const token = extractBearerToken(req.headers.authorization);
+
+  if (!token || !activeTokens.has(token)) {
+    return res.status(401).json({
+      error: 'Unauthorized',
+      message: 'Valid Bearer token required. POST /api/auth/login to authenticate.',
+    });
+  }
+
+  // Attach token to request for downstream use (e.g. logout)
+  req.authToken = token;
+  next();
+}
+
+// ─── Route Setup ───────────────────────────────────────────
+
+/**
+ * Mount authentication routes on the Express app.
+ * These routes are NOT protected by requireAuth - they are public.
+ *
+ * @param {import('express').Express} app - The Express application
+ */
+function setupAuth(app) {
+  /**
+   * POST /api/auth/login
+   * Body: { password: string }
+   * Returns: { success: true, token: string } or { success: false, error: string }
+   */
+  app.post('/api/auth/login', (req, res) => {
+    // Rate limiting
+    const clientIp = req.ip || req.connection.remoteAddress || 'unknown';
+    if (isRateLimited(clientIp)) {
+      return res.status(429).json({
+        success: false,
+        error: 'Too many login attempts. Try again in 1 minute.',
+      });
+    }
+
+    const { password } = req.body || {};
+
+    if (!password || typeof password !== 'string') {
+      return res.status(400).json({
+        success: false,
+        error: 'Missing or invalid password field in request body.',
+      });
+    }
+
+    // Constant-time comparison to mitigate timing attacks
+    const passwordBuffer = Buffer.from(password, 'utf-8');
+    const expectedBuffer = Buffer.from(AUTH_PASSWORD, 'utf-8');
+    const isValid =
+      passwordBuffer.length === expectedBuffer.length &&
+      crypto.timingSafeEqual(passwordBuffer, expectedBuffer);
+
+    if (!isValid) {
+      return res.status(403).json({
+        success: false,
+        error: 'Invalid password.',
+      });
+    }
+
+    const token = generateToken();
+    activeTokens.add(token);
+
+    return res.json({ success: true, token });
+  });
+
+  /**
+   * POST /api/auth/token-login
+   * Body: { token: string }
+   * Exchanges a one-time startup token for a session Bearer token.
+   * The startup token must exist, not be expired (60s TTL), and not already used.
+   * Returns: { success: true, token: string } or { success: false, error: string }
+   */
+  app.post('/api/auth/token-login', (req, res) => {
+    // Rate limiting (same as login)
+    const clientIp = req.ip || req.connection.remoteAddress || 'unknown';
+    if (isRateLimited(clientIp)) {
+      return res.status(429).json({
+        success: false,
+        error: 'Too many login attempts. Try again in 1 minute.',
+      });
+    }
+
+    const { token: startupToken } = req.body || {};
+
+    if (!startupToken || typeof startupToken !== 'string') {
+      return res.status(400).json({
+        success: false,
+        error: 'Missing or invalid token field in request body.',
+      });
+    }
+
+    const entry = startupTokens.get(startupToken);
+    if (!entry) {
+      return res.status(403).json({
+        success: false,
+        error: 'Invalid or expired startup token.',
+      });
+    }
+
+    // Check expiry
+    if (Date.now() - entry.createdAt > STARTUP_TOKEN_TTL_MS) {
+      startupTokens.delete(startupToken);
+      return res.status(403).json({
+        success: false,
+        error: 'Startup token has expired.',
+      });
+    }
+
+    // Check single-use
+    if (entry.used) {
+      return res.status(403).json({
+        success: false,
+        error: 'Startup token has already been used.',
+      });
+    }
+
+    // Mark as used and remove from map (single-use)
+    startupTokens.delete(startupToken);
+
+    // Issue a session token
+    const sessionToken = generateToken();
+    activeTokens.add(sessionToken);
+
+    return res.json({ success: true, token: sessionToken });
+  });
+
+  /**
+   * POST /api/auth/logout
+   * Requires Authorization: Bearer <token>
+   * Removes the token from the active set.
+   */
+  app.post('/api/auth/logout', (req, res) => {
+    const token = extractBearerToken(req.headers.authorization);
+
+    if (token) {
+      activeTokens.delete(token);
+    }
+
+    return res.json({ success: true });
+  });
+
+  /**
+   * GET /api/auth/check
+   * Returns whether the provided Bearer token is still valid.
+   */
+  app.get('/api/auth/check', (req, res) => {
+    const token = extractBearerToken(req.headers.authorization);
+    const authenticated = !!token && activeTokens.has(token);
+
+    return res.json({ authenticated });
+  });
+}
+
+/**
+ * Check if a raw token string is valid (exists in activeTokens).
+ * Used by SSE endpoint which can't use requireAuth middleware.
+ * @param {string} token - The raw token string
+ * @returns {boolean}
+ */
+function isValidToken(token) {
+  return !!token && activeTokens.has(token);
+}
+
+// ─── Exports ───────────────────────────────────────────────
+
+module.exports = {
+  setupAuth,
+  requireAuth,
+  isValidToken,
+  generateStartupToken,
+  _startupTokens: startupTokens,
+};

package/src/web/pty-manager.js

@@ -186,7 +186,10 @@ class PtySessionManager {
       fullCommand += ' --verbose';
     }
     if (model) {
-      fullCommand += ' --model ' + model;
+      // Single-quote the model value so shell glob characters in aliases like
+      // sonnet[1m] are not expanded by bash before being passed to claude.
+      const safeModel = "'" + model.replace(/'/g, "'\\''") + "'";
+      fullCommand += ' --model ' + safeModel;
     }
     // Extra flags (e.g. from worktree task flags checkboxes), validated upstream
     if (Array.isArray(flags)) {

package/src/web/public/app.js

@@ -1816,25 +1816,42 @@ class CWMApp {
 
 
 
+  async _initializeApp() {
+    this.showApp();
+    this.initDragAndDrop();
+    this.initTerminalResize();
+    this.initTerminalGroups();
+    this.initTerminalPaneSwipe();
+    this.initNotesEditor();
+    this.initAIInsights();
+    await this.loadAll();
+    this.connectSSE();
+    this.startConflictChecks();
+    this.checkForUpdates();
+  }
+
   async init() {
     // Restore sidebar width & collapse state from localStorage
     this.restoreSidebarState();
 
+    // Auto-login via URL ?token=xxx parameter (one-time startup token)
+    const params = new URLSearchParams(window.location.search);
+    const urlToken = params.get('token');
+    if (urlToken) {
+      // Always strip token from URL to avoid leaking in browser history/referrer
+      window.history.replaceState({}, '', window.location.pathname);
+      try {
+        await this.tokenLogin(urlToken);
+        return; // tokenLogin() handles showApp/loadAll/connectSSE
+      } catch {
+        // Fall through to normal login form
+      }
+    }
+
     if (this.state.token) {
       const valid = await this.checkAuth();
       if (valid) {
-        this.showApp();
-        this.initDragAndDrop();
-        this.initTerminalResize();
-        this.initTerminalGroups();
-        // Initialize mobile swipe gestures for pane switching
-        this.initTerminalPaneSwipe();
-        this.initNotesEditor();
-        this.initAIInsights();
-        await this.loadAll();
-        this.connectSSE();
-        this.startConflictChecks();
-        this.checkForUpdates();
+        await this._initializeApp();
       } else {
         this.state.token = null;
         localStorage.removeItem('cwm_token');
@@ -1911,18 +1928,7 @@ class CWMApp {
       if (data.success && data.token) {
         this.state.token = data.token;
         localStorage.setItem('cwm_token', data.token);
-        this.showApp();
-        this.initDragAndDrop();
-        this.initTerminalResize();
-        this.initTerminalGroups();
-        // Initialize mobile swipe gestures for pane switching
-        this.initTerminalPaneSwipe();
-        this.initNotesEditor();
-        this.initAIInsights();
-        await this.loadAll();
-        this.connectSSE();
-        this.startConflictChecks();
-        this.checkForUpdates();
+        await this._initializeApp();
       } else {
         this.els.loginError.textContent = 'Invalid password. Please try again.';
       }
@@ -1934,6 +1940,17 @@ class CWMApp {
     }
   }
 
+  async tokenLogin(startupToken) {
+    const data = await this.api('POST', '/api/auth/token-login', { token: startupToken });
+    if (data.success && data.token) {
+      this.state.token = data.token;
+      localStorage.setItem('cwm_token', data.token);
+      await this._initializeApp();
+    } else {
+      throw new Error(data.error || 'Token login failed');
+    }
+  }
+
   async logout() {
     try {
       await this.api('POST', '/api/auth/logout');
@@ -2787,9 +2804,11 @@ class CWMApp {
     const currentModel = session.model || null;
 
     const modelOptions = [
-      { id: 'claude-opus-4-6', label: 'Opus' },
-      { id: 'claude-sonnet-4-5-20250929', label: 'Sonnet' },
-      { id: 'claude-haiku-4-5-20251001', label: 'Haiku' },
+      { id: 'opus',        label: 'Opus' },
+      { id: 'sonnet',      label: 'Sonnet' },
+      { id: 'haiku',       label: 'Haiku' },
+      { id: 'sonnet[1m]',  label: 'Sonnet 1M' },
+      { id: 'opusplan',    label: 'OpusPlan' },
     ];
 
     const items = [];
@@ -3569,8 +3588,8 @@ class CWMApp {
       { key: 'enableTd', label: 'td Task Management', description: 'Show td issue tracking integration (github.com/marcus/td). When disabled, hides all td UI including the docs panel section and sidebar toggle.', category: 'Advanced' },
       { key: 'tdBinary', label: 'td Binary Path', description: 'Optional. td is an alternative task management system (github.com/marcus/td) — Myrlin works fine without it. If installed, set the absolute path to the binary here, or leave blank to use the TD_BINARY environment variable or "td" from PATH. Example: /home/user/go/bin/td', category: 'Advanced', type: 'server-text', placeholder: 'e.g. /home/user/go/bin/td', apiEndpoint: '/api/td/binary', apiField: 'binary' },
       { key: 'maxConcurrentTasks', label: 'Max Concurrent Tasks', description: 'Maximum number of worktree tasks that can run simultaneously (1-8)', category: 'Advanced', type: 'number', min: 1, max: 8 },
-      { key: 'defaultModelPlanning', label: 'Default Model (Planning)', description: 'Auto-assign when tasks enter Planning. Haiku is fast/cheap for exploration. Only applies to tasks without a model set.', category: 'Advanced', type: 'select', options: [{ value: '', label: 'None' }, { value: 'claude-haiku-4-5-20251001', label: 'Haiku (fast, cheap)' }, { value: 'claude-sonnet-4-6', label: 'Sonnet (balanced)' }, { value: 'claude-opus-4-6', label: 'Opus (thorough)' }] },
-      { key: 'defaultModelRunning', label: 'Default Model (Running)', description: 'Auto-assign when tasks enter Running. Sonnet balances speed and quality for implementation. Only applies to tasks without a model set.', category: 'Advanced', type: 'select', options: [{ value: '', label: 'None' }, { value: 'claude-haiku-4-5-20251001', label: 'Haiku (fast, cheap)' }, { value: 'claude-sonnet-4-6', label: 'Sonnet (balanced)' }, { value: 'claude-opus-4-6', label: 'Opus (thorough)' }] },
+      { key: 'defaultModelPlanning', label: 'Default Model (Planning)', description: 'Auto-assign when tasks enter Planning. Haiku is fast/cheap for exploration. Only applies to tasks without a model set.', category: 'Advanced', type: 'select', options: [{ value: '', label: 'None' }, { value: 'haiku', label: 'Haiku (fast, cheap)' }, { value: 'sonnet', label: 'Sonnet (balanced)' }, { value: 'opus', label: 'Opus (thorough)' }, { value: 'sonnet[1m]', label: 'Sonnet 1M' }, { value: 'opusplan', label: 'OpusPlan' }] },
+      { key: 'defaultModelRunning', label: 'Default Model (Running)', description: 'Auto-assign when tasks enter Running. Sonnet balances speed and quality for implementation. Only applies to tasks without a model set.', category: 'Advanced', type: 'select', options: [{ value: '', label: 'None' }, { value: 'haiku', label: 'Haiku (fast, cheap)' }, { value: 'sonnet', label: 'Sonnet (balanced)' }, { value: 'opus', label: 'Opus (thorough)' }, { value: 'sonnet[1m]', label: 'Sonnet 1M' }, { value: 'opusplan', label: 'OpusPlan' }] },
       { key: 'anthropicApiKey', label: 'Anthropic API Key', description: 'Required for AI-powered session finder. Uses Claude Haiku for fast, low-cost semantic search across your projects and sessions. Get a key at console.anthropic.com.', category: 'AI', type: 'server-text', placeholder: 'sk-ant-...', apiEndpoint: '/api/keys/anthropic', apiField: 'key' },
       { key: 'cfNamedTunnel', label: 'Cloudflare Named Tunnel', description: 'Expose Myrlin on the internet via your own domain. Go to one.dash.cloudflare.com → Networks → Tunnels → Create a tunnel, then copy the token from the install command (the long eyJ… string).', category: 'Remote Access', type: 'tunnel' },
     ];
@@ -5226,10 +5245,12 @@ class CWMApp {
 
     // Model selection submenu
     const modelOptions = [
-      { id: '', label: 'Default' },
-      { id: 'claude-opus-4-6', label: 'Opus' },
-      { id: 'claude-sonnet-4-6', label: 'Sonnet' },
-      { id: 'claude-haiku-4-5-20251001', label: 'Haiku' },
+      { id: '',           label: 'Default' },
+      { id: 'opus',       label: 'Opus' },
+      { id: 'sonnet',     label: 'Sonnet' },
+      { id: 'haiku',      label: 'Haiku' },
+      { id: 'sonnet[1m]', label: 'Sonnet 1M' },
+      { id: 'opusplan',   label: 'OpusPlan' },
     ];
     const currentTaskModel = task.model || '';
     const currentModelLabel = currentTaskModel ? (modelOptions.find(m => m.id === currentTaskModel)?.label || 'Custom') : 'Default';
@@ -13733,10 +13754,12 @@ class CWMApp {
 
     // Add model selector
     fields.push({ key: 'model', label: 'Model', type: 'select', options: [
-      { value: '', label: 'Default' },
-      { value: 'claude-opus-4-6', label: 'Opus' },
-      { value: 'claude-sonnet-4-6', label: 'Sonnet' },
-      { value: 'claude-haiku-4-5-20251001', label: 'Haiku' },
+      { value: '',           label: 'Default' },
+      { value: 'opus',       label: 'Opus' },
+      { value: 'sonnet',     label: 'Sonnet' },
+      { value: 'haiku',      label: 'Haiku' },
+      { value: 'sonnet[1m]', label: 'Sonnet 1M' },
+      { value: 'opusplan',   label: 'OpusPlan' },
     ]});
 
     const result = await this.showPromptModal({

package/src/web/public/index.html

@@ -1467,9 +1467,11 @@
             <label class="launcher-form-label" for="launcher-model">Model</label>
             <select id="launcher-model" class="launcher-form-input">
               <option value="">Default</option>
-              <option value="claude-sonnet-4-20250514">Sonnet</option>
-              <option value="claude-opus-4-20250514">Opus</option>
-              <option value="claude-haiku-3-5-20241022">Haiku</option>
+              <option value="opus">Opus</option>
+              <option value="sonnet">Sonnet</option>
+              <option value="haiku">Haiku</option>
+              <option value="sonnet[1m]">Sonnet 1M (long context)</option>
+              <option value="opusplan">OpusPlan (plan with Opus, run with Sonnet)</option>
             </select>
           </div>
         </div>

package/src/web/public/terminal.js

@@ -252,6 +252,11 @@ class TerminalPane {
     this._needsInput = false;        // Whether a question was detected that wasn't auto-answered
     this._needsInputTimer = null;    // Timer to clear needsInput after new output
     this._autoTrustEnabled = false;  // Set by app layer for worktree task terminals
+    // Write batching buffers — must be initialized here so _status() calls in
+    // mount() (before connectWs runs) don't produce "undefined" prefixes.
+    this._writeBuf = '';
+    this._activitySample = '';
+    this._writeRaf = null;
   }
 
   _log(msg) {

package/src/web/server.js

@@ -2846,10 +2846,21 @@ app.get('/api/cost/dashboard', requireAuth, (req, res) => {
             }
           }
 
-          // Check if within period for periodCost
-          if (cutoffDate && costData.lastMessage && costData.lastMessage >= cutoffDate) {
+          // Apportion session cost to the period using per-message cost and
+          // message timestamps, not the full session cost. This ensures "Last 24h"
+          // only counts cost from messages sent in the last 24 hours, not the
+          // entire lifetime of any session that was recently active.
+          if (!cutoffDate) {
             periodCost += sessionCost;
-          } else if (!cutoffDate) {
+          } else if (samples && samples.length > 0 && costData.messageCount > 0) {
+            const perMsgCost = sessionCost / costData.messageCount;
+            let periodMessages = 0;
+            for (const sample of samples) {
+              if (sample.ts && sample.ts >= cutoffDate) periodMessages++;
+            }
+            periodCost += perMsgCost * periodMessages;
+          } else if (costData.lastMessage && costData.lastMessage >= cutoffDate) {
+            // Fallback: no timestamp samples available, use full cost
             periodCost += sessionCost;
           }