docs(wake-lock): record wake-lock change workflow

Add the wake-lock SCR, discussion summary, and task artifacts that captured investigation, specification, and implementation handoff for the system-sleep-only behavior change.

.github/workflows/build-and-upload.yml

@@ -53,7 +53,7 @@ on:
 # least-privilege (e.g. dev CI uses read-only; releases grant write).
 
 env:
-  NODE_VERSION: 20
+  NODE_VERSION: 22
 
 jobs:
   build-macos:
@@ -372,7 +372,7 @@ jobs:
             if [ "$attempt" -gt 1 ]; then
               echo "Retrying Tauri CLI install (attempt $attempt)..."
             fi
-            npm install @tauri-apps/cli@2.9.4 @tauri-apps/cli-darwin-x64@2.9.4 --no-save --no-audit --no-fund --workspaces=false
+            npm install @tauri-apps/cli@2.10.1 @tauri-apps/cli-darwin-x64@2.10.1 --no-save --no-audit --no-fund --workspaces=false
             node -e "require('@tauri-apps/cli'); console.log('Tauri CLI loaded')" && exit 0
           done
           echo "Tauri CLI failed to load after retries" >&2
@@ -456,7 +456,7 @@ jobs:
             if [ "$attempt" -gt 1 ]; then
               echo "Retrying Tauri CLI install (attempt $attempt)..."
             fi
-            npm install @tauri-apps/cli@2.9.4 @tauri-apps/cli-darwin-arm64@2.9.4 --no-save --no-audit --no-fund --workspaces=false
+            npm install @tauri-apps/cli@2.10.1 @tauri-apps/cli-darwin-arm64@2.10.1 --no-save --no-audit --no-fund --workspaces=false
             node -e "require('@tauri-apps/cli'); console.log('Tauri CLI loaded')" && exit 0
           done
           echo "Tauri CLI failed to load after retries" >&2
@@ -542,7 +542,7 @@ jobs:
             if [ "$attempt" -gt 1 ]; then
               echo "Retrying Tauri CLI install (attempt $attempt)..."
             fi
-            npm install @tauri-apps/cli@2.9.4 @tauri-apps/cli-win32-x64-msvc@2.9.4 --no-save --no-audit --no-fund --workspaces=false
+            npm install @tauri-apps/cli@2.10.1 @tauri-apps/cli-win32-x64-msvc@2.10.1 --no-save --no-audit --no-fund --workspaces=false
             node -e "require('@tauri-apps/cli'); console.log('Tauri CLI loaded')" && exit 0
           done
           echo "Tauri CLI failed to load after retries" >&2
@@ -614,6 +614,7 @@ jobs:
           sudo apt-get install -y \
             build-essential \
             pkg-config \
+            xdg-utils \
             libgtk-3-dev \
             libglib2.0-dev \
             libwebkit2gtk-4.1-dev \
@@ -642,6 +643,7 @@ jobs:
             if [ "$attempt" -gt 1 ]; then
               echo "Retrying Tauri CLI install (attempt $attempt)..."
             fi
+            # Tauri CLI 2.10.1 regresses Linux AppImage bundling in CI; keep Linux on the last known-good CLI.
             npm install @tauri-apps/cli@2.9.4 @tauri-apps/cli-linux-x64-gnu@2.9.4 --no-save --no-audit --no-fund --workspaces=false
             node -e "require('@tauri-apps/cli'); console.log('Tauri CLI loaded')" && exit 0
           done
@@ -741,6 +743,7 @@ jobs:
           sudo apt-get install -y \
             build-essential \
             pkg-config \
+            xdg-utils \
             gcc-aarch64-linux-gnu \
             g++-aarch64-linux-gnu \
             libgtk-3-dev:arm64 \

.github/workflows/manual-npm-publish.yml

@@ -46,7 +46,8 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     env:
-      NODE_VERSION: 20
+      NODE_VERSION: 22
+      PUBLISH_NPM_VERSION: 11.5.1
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -59,17 +60,24 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
           registry-url: https://registry.npmjs.org
 
-      - name: Ensure npm >=11.5.1
-        run: npm install -g npm@latest
+      - name: Prepare pinned npm CLI
+        shell: bash
+        run: |
+          set -euo pipefail
+          tool_dir="$RUNNER_TEMP/publish-npm"
+          mkdir -p "$tool_dir"
+          npm install --prefix "$tool_dir" "npm@${PUBLISH_NPM_VERSION}" --no-audit --no-fund
+          echo "PINNED_NPM_CLI=$tool_dir/node_modules/npm/bin/npm-cli.js" >> "$GITHUB_ENV"
+          node "$tool_dir/node_modules/npm/bin/npm-cli.js" --version
 
       - name: Install dependencies
-        run: npm ci --workspaces
+        run: node "$PINNED_NPM_CLI" ci --workspaces
 
       - name: Ensure rollup native binary
-        run: npm install @rollup/rollup-linux-x64-gnu --no-save
+        run: node "$PINNED_NPM_CLI" install @rollup/rollup-linux-x64-gnu --no-save
 
       - name: Build server package (includes UI bundling)
-        run: npm run build --workspace packages/server
+        run: node "$PINNED_NPM_CLI" run build --workspace packages/server
 
       - name: Set publish metadata
         shell: bash
@@ -83,7 +91,7 @@ jobs:
           echo "PACKAGE_NAME=${{ inputs.package_name }}" >> "$GITHUB_ENV"
 
       - name: Bump package version for publish
-        run: npm version ${VERSION} --workspaces --include-workspace-root --no-git-tag-version --allow-same-version
+        run: node "$PINNED_NPM_CLI" version ${VERSION} --workspaces --include-workspace-root --no-git-tag-version --allow-same-version
 
       - name: Set server package name for publish
         shell: bash
@@ -107,4 +115,4 @@ jobs:
           else
             echo "Using NPM_TOKEN authentication"
           fi
-          npm publish --workspace packages/server --access public --tag ${DIST_TAG} --provenance
+          node "$PINNED_NPM_CLI" publish --workspace packages/server --access public --tag ${DIST_TAG} --provenance

.github/workflows/release-ui.yml

@@ -14,7 +14,7 @@ permissions:
   contents: read
 
 env:
-  NODE_VERSION: 20
+  NODE_VERSION: 22
 
 jobs:
   release-ui:

.github/workflows/reusable-release.yml

@@ -39,7 +39,7 @@ permissions:
   contents: write
 
 env:
-  NODE_VERSION: 20
+  NODE_VERSION: 22
 
 jobs:
   prepare-release:

docs/features/wake-lock/SPECIFICATION.md

@@ -0,0 +1,17 @@
+# Wake Lock Behavior
+
+## Product Rule
+
+CodeNomad only requests a wake lock for qualifying active work that is already running and can continue without continuous foreground interaction. The goal is to prevent idle system sleep where the platform supports that behavior without intentionally keeping the display awake.
+
+Wake lock must not be held when work is idle, paused, completed, cancelled, failed, or waiting for new user input or permission before it can continue.
+
+## Platform Behavior
+
+- **Electron:** request system-sleep-only behavior with `prevent-app-suspension`.
+- **Tauri:** request the native keep-awake mode with `display: false`, `idle: true`, and `sleep: false`.
+- **Web:** do not fall back to `navigator.wakeLock.request("screen")`; if a true system-sleep-only primitive is unavailable, CodeNomad degrades to no wake lock.
+
+## Release Expectations
+
+Wake lock should be released promptly when qualifying active work ends or when the app cleans up the active session lifecycle.

docs/scrs/SCR-2026-04-21-001-wake-lock-system-sleep-only.md

@@ -0,0 +1,79 @@
+---
+id: SCR-2026-04-21-001
+title: Wake lock should allow screen lock while preventing system sleep
+status: draft
+---
+
+# Summary
+
+Refine wake-lock behavior so the product protects long-running active work from device/system sleep without intentionally keeping the display awake. The desired product experience is: users may lock the screen or let the display sleep, and in-platform work should continue whenever the platform can support that behavior.
+
+# Problem
+
+Current wake-lock behavior on desktop is oriented around display wake, which prevents normal screen lock or display sleep behavior on macOS and does not match the requested product outcome. The Product Owner wants wake lock to protect only against system/device sleep during active work, not against display sleep or screen lock. Scope includes Electron, Tauri, and web, with documented best-effort degradation where platform APIs cannot provide a system-sleep-only capability.
+
+# Requested Outcome
+
+- Allow the screen/display to sleep or lock normally while qualifying work is in progress.
+- Prevent only system/device sleep during qualifying active work on platforms that support a system-sleep-only hold.
+- Keep platform behavior aligned to a single product rule: never intentionally keep the display awake as a fallback for this feature.
+- Apply the behavior across Electron, Tauri, and web using best-effort platform support with explicit limitation handling.
+
+# Product Scope
+
+## Active Work Definition
+
+For this change, **active work** means a user-initiated or product-initiated in-app operation that:
+
+- has started execution,
+- is represented by the product as still in progress,
+- is expected to continue without continuous foreground interaction, and
+- would lose reliability or stop early if the device enters normal system sleep.
+
+Active work does **not** include:
+
+- the app merely being open or focused,
+- idle viewing or reading states,
+- paused, completed, failed, or cancelled work,
+- states waiting indefinitely for new user input before further execution, or
+- generic background presence without a currently running task.
+
+## Product Behavior Rule
+
+- When active work starts, the product may request a wake lock only if the platform can do so **without intentionally blocking screen lock or display sleep**.
+- When active work ends, pauses, fails, is cancelled, or no longer needs protection, the product must release the wake lock promptly.
+- The product intent is consistent across platforms, but implementation is **best-effort by platform capability**, not strict-identical by mechanism.
+
+## Fallback Policy
+
+- If a platform can provide **system-sleep-only** protection, the product should use it.
+- If a platform can only provide a **display/screen wake** lock that keeps the screen awake, the product must **not** use that mode as a fallback for this feature.
+- In unsupported or partially supported environments, the product should fall back to **no wake lock** rather than preserving the old display-wake behavior.
+- Unsupported behavior must be treated as a documented platform limitation, not as a product failure.
+
+## Platform Expectations
+
+- **Electron:** In scope to use a system-sleep-only mode if available.
+- **Tauri:** In scope to use a system-sleep-only mode if available through the chosen Tauri/native path.
+- **Web:** Default expectation is unsupported or partially supported for this exact behavior unless a browser/runtime exposes a true system-sleep-only primitive. A screen wake lock that keeps the display awake is not an acceptable substitute.
+
+## Non-Goals
+
+- Keeping the display continuously awake during long-running work.
+- Preserving current display-wake behavior on platforms where that is the only available wake-lock mode.
+- Inventing platform-specific user settings to choose between display wake and system-sleep-only behavior as part of this SCR.
+
+# Acceptance Criteria
+
+- AC-1: The specification defines **active work** in user-observable product terms, including the states that do and do not qualify for wake-lock protection.
+- AC-2: The specification defines a single cross-platform product rule: qualifying active work should protect against system sleep where possible, while screen lock and display sleep remain allowed.
+- AC-3: The specification defines the fallback policy for unsupported platforms: if system-sleep-only protection is unavailable, the product must not substitute display/screen wake behavior and must instead degrade to no wake lock.
+- AC-4: Platform expectations are documented for Electron, Tauri, and web, including the explicit expectation that web is best-effort and may remain unsupported for this exact behavior.
+- AC-5: The specification defines wake-lock release expectations so protection ends promptly when qualifying active work is no longer running.
+- AC-6: Any implementation derived from this SCR must document user-visible limitations for unsupported platforms in the appropriate product-facing documentation if final technical validation confirms those limitations.
+
+# Implementation Notes For Follow-On Technical Assessment
+
+- Electron and Tauri feasibility still requires technical validation of the exact API mode, lifecycle reliability, and background-execution behavior.
+- Web feasibility still requires confirmation of browser/runtime support, permission constraints, visibility restrictions, and whether any supported runtime offers a true system-sleep-only primitive.
+- If technical validation shows a desktop platform cannot provide system-sleep-only behavior safely, implementation should follow the fallback policy above rather than retaining display-wake behavior.

package.json

@@ -29,8 +29,14 @@
     "google-auth-library": "^10.5.0"
   },
   "devDependencies": {
-    "@esbuild/darwin-arm64": "^0.28.0",
-    "@rollup/rollup-darwin-arm64": "^4.60.2",
     "baseline-browser-mapping": "^2.9.11"
+  },
+  "optionalDependencies": {
+    "@rollup/rollup-darwin-arm64": "4.52.5",
+    "@rollup/rollup-darwin-x64": "4.52.5",
+    "@rollup/rollup-linux-arm64-gnu": "4.52.5",
+    "@rollup/rollup-linux-x64-gnu": "4.52.5",
+    "@rollup/rollup-win32-arm64-msvc": "4.52.5",
+    "@rollup/rollup-win32-x64-msvc": "4.52.5"
   }
 }

packages/electron-app/electron/main/ipc.ts

@@ -92,7 +92,7 @@ export function setupCliIPC(mainWindow: BrowserWindow, cliManager: CliProcessMan
         return { enabled: true }
       }
       try {
-        wakeLockId = powerSaveBlocker.start("prevent-display-sleep")
+        wakeLockId = powerSaveBlocker.start("prevent-app-suspension")
       } catch {
         wakeLockId = null
         return { enabled: false }

packages/electron-app/electron/main/main.ts

@@ -118,6 +118,8 @@ function loadLoadingScreen(window: BrowserWindow) {
   loader.catch((error) => {
     console.error("[cli] failed to load loading screen:", error)
   })
+
+  return loader
 }
 
 function getAllowedRendererOrigins(window?: BrowserWindow | null): string[] {
@@ -277,6 +279,7 @@ function createWindow() {
       contextIsolation: true,
       nodeIntegration: false,
       spellcheck: !isMac,
+      additionalArguments: ["--codenomad-window-context=local"],
     },
   })
 
@@ -291,7 +294,7 @@ function createWindow() {
   showingLoadingScreen = true
   currentCliUrl = null
   clearWindowAllowedOrigin(window)
-  loadLoadingScreen(window)
+  const loadingReady = loadLoadingScreen(window)
 
   if (process.env.NODE_ENV === "development") {
     window.webContents.openDevTools({ mode: "detach" })
@@ -310,11 +313,7 @@ function createWindow() {
     showingLoadingScreen = false
   })
 
-  if (pendingCliUrl) {
-    const url = pendingCliUrl
-    pendingCliUrl = null
-    startCliPreload(url)
-  }
+  return loadingReady
 }
 
 function showLoadingScreen(force = false) {
@@ -440,6 +439,7 @@ async function openRemoteWindow(payload: { id: string; name: string; baseUrl: st
       contextIsolation: true,
       nodeIntegration: false,
       spellcheck: !isMac,
+      additionalArguments: ["--codenomad-window-context=remote"],
     },
   })
 
@@ -620,7 +620,8 @@ app.whenReady().then(() => {
     // ignore
   }
 
-  startCli()
+  const loadingReady = createWindow()
+  ;(mainWindow as BrowserWindow & { __codenomadOpenRemoteWindow?: typeof openRemoteWindow }).__codenomadOpenRemoteWindow = openRemoteWindow
 
   if (isMac) {
     session.defaultSession.setSpellCheckerEnabled(false)
@@ -637,8 +638,11 @@ app.whenReady().then(() => {
     }
   }
 
-  createWindow()
-  ;(mainWindow as BrowserWindow & { __codenomadOpenRemoteWindow?: typeof openRemoteWindow }).__codenomadOpenRemoteWindow = openRemoteWindow
+  void loadingReady.finally(() => {
+    setTimeout(() => {
+      void startCli()
+    }, 0)
+  })
 
   app.on("certificate-error", (event, _webContents, url, error, _certificate, callback) => {
     if (isInsecureOriginAllowed(url)) {

packages/electron-app/electron/main/process-manager.ts

@@ -38,7 +38,7 @@ interface StartOptions {
 
 interface CliEntryResolution {
   entry: string
-  runner: "node" | "tsx"
+  runner: "node" | "tsx" | "standalone"
   runnerPath?: string
 }
 
@@ -148,15 +148,15 @@ export class CliProcessManager extends EventEmitter {
     const listeningMode = this.resolveListeningMode()
     const host = resolveHostForMode(listeningMode)
     const args = this.buildCliArgs(options, host)
+    const cliEntry = this.resolveCliEntry(options)
 
     let child: ManagedChild
 
-    if (this.shouldUsePackagedShellSupervisor(options)) {
-      const runtimePath = this.resolveShellNodeCommand()
-      const entryPath = this.resolveBundledProdEntry()
+    if (this.shouldUsePackagedShellSupervisor(options, cliEntry)) {
       const supervisorPath = this.resolveCliSupervisorPath()
       const shellEnv = supportsUserShell() ? getUserShellEnv() : { ...process.env }
-      const shellCommand = buildUserShellCommand(`exec ${this.buildExecutableCommand(runtimePath, [entryPath, ...args])}`)
+      const shellTarget = cliEntry.runner === "standalone" ? this.buildExecutableCommand(cliEntry.entry, args) : this.buildCommand(cliEntry, args)
+      const shellCommand = buildUserShellCommand(`exec ${shellTarget}`)
       const supervisorPayload = JSON.stringify({
         command: shellCommand.command,
         args: shellCommand.args,
@@ -164,28 +164,33 @@ export class CliProcessManager extends EventEmitter {
       })
 
       console.info(
-        `[cli] launching CodeNomad CLI (${options.dev ? "dev" : "prod"}) via utility supervisor using node at ${runtimePath} (host=${host})`,
+        `[cli] launching CodeNomad CLI (${options.dev ? "dev" : "prod"}) via utility supervisor using ${cliEntry.runner} at ${cliEntry.entry} (host=${host})`,
       )
       console.info(`[cli] utility supervisor: ${supervisorPath}`)
       console.info(`[cli] shell command: ${shellCommand.command} ${shellCommand.args.join(" ")}`)
 
       child = utilityProcess.fork(supervisorPath, [supervisorPayload], {
-        env: shellEnv,
+        env: cliEntry.runner === "standalone" ? shellEnv : { ...shellEnv, ELECTRON_RUN_AS_NODE: "1" },
         stdio: "pipe",
         serviceName: "CodeNomad CLI Supervisor",
       })
       this.childLaunchMode = "utility"
     } else {
-      const cliEntry = this.resolveCliEntry(options)
       console.info(
         `[cli] launching CodeNomad CLI (${options.dev ? "dev" : "prod"}) using ${cliEntry.runner} at ${cliEntry.entry} (host=${host})`,
       )
 
       const env = supportsUserShell() ? getUserShellEnv() : { ...process.env }
-      env.ELECTRON_RUN_AS_NODE = "1"
+      if (cliEntry.runner !== "standalone") {
+        env.ELECTRON_RUN_AS_NODE = "1"
+      }
 
       const spawnDetails = supportsUserShell()
-        ? buildUserShellCommand(`ELECTRON_RUN_AS_NODE=1 exec ${this.buildCommand(cliEntry, args)}`)
+        ? buildUserShellCommand(
+            `${cliEntry.runner === "standalone" ? "" : "ELECTRON_RUN_AS_NODE=1 "}exec ${
+              cliEntry.runner === "standalone" ? this.buildExecutableCommand(cliEntry.entry, args) : this.buildCommand(cliEntry, args)
+            }`,
+          )
         : this.buildDirectSpawn(cliEntry, args)
 
       const detached = process.platform !== "win32"
@@ -563,6 +568,10 @@ export class CliProcessManager extends EventEmitter {
   }
 
   private buildCommand(cliEntry: CliEntryResolution, args: string[]): string {
+    if (cliEntry.runner === "standalone") {
+      return this.buildExecutableCommand(cliEntry.entry, args)
+    }
+
     const parts = [JSON.stringify(process.execPath)]
     if (cliEntry.runner === "tsx" && cliEntry.runnerPath) {
       parts.push(JSON.stringify(cliEntry.runnerPath))
@@ -577,6 +586,10 @@ export class CliProcessManager extends EventEmitter {
   }
 
   private buildDirectSpawn(cliEntry: CliEntryResolution, args: string[]) {
+    if (cliEntry.runner === "standalone") {
+      return { command: cliEntry.entry, args }
+    }
+
     if (cliEntry.runner === "tsx") {
       return { command: process.execPath, args: [cliEntry.runnerPath!, cliEntry.entry, ...args] }
     }
@@ -593,9 +606,8 @@ export class CliProcessManager extends EventEmitter {
       const devEntry = this.resolveDevEntry()
       return { entry: devEntry, runner: "tsx", runnerPath: tsxPath }
     }
- 
-    const distEntry = this.resolveProdEntry()
-    return { entry: distEntry, runner: "node" }
+
+    return { entry: this.resolveStandaloneProdEntry(), runner: "standalone" }
   }
  
   private resolveTsx(): string | null {
@@ -635,20 +647,25 @@ export class CliProcessManager extends EventEmitter {
     return entry
   }
  
-  private resolveProdEntry(): string {
-    try {
-      const entry = nodeRequire.resolve("@neuralnomads/codenomad/dist/bin.js")
-      if (existsSync(entry)) {
-        return entry
+  private resolveStandaloneProdEntry(): string {
+    const executableName = process.platform === "win32" ? "codenomad-server.exe" : "codenomad-server"
+    const candidates = [
+      path.join(process.resourcesPath, "server", "dist", executableName),
+      path.join(mainDirname, "../resources/server/dist", executableName),
+      path.resolve(process.cwd(), "..", "server", "dist", executableName),
+    ]
+
+    for (const candidate of candidates) {
+      if (existsSync(candidate)) {
+        return candidate
       }
-    } catch {
-      // fall through to error below
     }
-    throw new Error("Unable to locate CodeNomad CLI build (dist/bin.js). Run npm run build --workspace @neuralnomads/codenomad.")
+
+    throw new Error(`Unable to locate standalone CodeNomad server executable (${executableName}). Run npm run build:standalone --workspace @neuralnomads/codenomad.`)
   }
 
-  private shouldUsePackagedShellSupervisor(options: StartOptions): boolean {
-    return !options.dev && app.isPackaged && process.platform === "darwin"
+  private shouldUsePackagedShellSupervisor(options: StartOptions, cliEntry: CliEntryResolution): boolean {
+    return !options.dev && app.isPackaged && process.platform === "darwin" && cliEntry.runner !== "standalone"
   }
 
   private resolveCliSupervisorPath(): string {
@@ -666,26 +683,6 @@ export class CliProcessManager extends EventEmitter {
     throw new Error("Unable to locate CodeNomad CLI supervisor script.")
   }
 
-  private resolveShellNodeCommand(): string {
-    const configured = process.env.NODE_BINARY?.trim()
-    return configured && configured.length > 0 ? configured : "node"
-  }
-
-  private resolveBundledProdEntry(): string {
-    const candidates = [
-      path.join(process.resourcesPath, "server", "dist", "bin.js"),
-      path.join(mainDirname, "../resources/server/dist/bin.js"),
-    ]
-
-    for (const candidate of candidates) {
-      if (existsSync(candidate)) {
-        return candidate
-      }
-    }
-
-    throw new Error("Unable to locate bundled CodeNomad CLI build in app resources.")
-  }
-
   private describeUtilityProcessError(error: unknown): string {
     if (error instanceof Error && error.message) {
       return error.message

packages/electron-app/electron/preload/index.cjs

@@ -1,6 +1,19 @@
 const { contextBridge, ipcRenderer, webUtils } = require("electron")
 
-const electronAPI = {
+function resolveWindowContext() {
+  const prefix = "--codenomad-window-context="
+  const arg = process.argv.find((value) => typeof value === "string" && value.startsWith(prefix))
+  const context = arg ? arg.slice(prefix.length) : "local"
+  return context === "remote" ? "remote" : "local"
+}
+
+function resolveRuntimeHost(windowContext) {
+  return "electron"
+}
+
+const windowContext = resolveWindowContext()
+
+const localElectronAPI = {
   onCliStatus: (callback) => {
     ipcRenderer.on("cli:status", (_, data) => callback(data))
     return () => ipcRenderer.removeAllListeners("cli:status")
@@ -26,4 +39,15 @@ const electronAPI = {
   openRemoteWindow: (payload) => ipcRenderer.invoke("remote:openWindow", payload),
 }
 
-contextBridge.exposeInMainWorld("electronAPI", electronAPI)
+const remoteElectronAPI = {
+  requestMicrophoneAccess: localElectronAPI.requestMicrophoneAccess,
+  setWakeLock: localElectronAPI.setWakeLock,
+  showNotification: localElectronAPI.showNotification,
+}
+
+contextBridge.exposeInMainWorld(
+  "electronAPI",
+  windowContext === "local" ? localElectronAPI : remoteElectronAPI,
+)
+contextBridge.exposeInMainWorld("__CODENOMAD_WINDOW_CONTEXT__", windowContext)
+contextBridge.exposeInMainWorld("__CODENOMAD_RUNTIME_HOST__", resolveRuntimeHost(windowContext))

packages/electron-app/package.json

@@ -62,7 +62,7 @@
     "vite-plugin-solid": "^2.10.0"
   },
   "build": {
-    "appId": "ai.opencode.client",
+    "appId": "ai.neuralnomads.codenomad.client",
     "productName": "CodeNomad",
     "directories": {
       "output": "release",

packages/electron-app/scripts/build.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 import { spawn } from "child_process"
-import { existsSync } from "fs"
+import { existsSync, readFileSync } from "fs"
 import path, { join } from "path"
 import { fileURLToPath } from "url"
 
@@ -14,6 +14,46 @@ const npxCmd = process.platform === "win32" ? "npx.cmd" : "npx"
 const nodeModulesPath = join(appDir, "node_modules")
 const workspaceNodeModulesPath = join(workspaceRoot, "node_modules")
 
+function getPlatformEsbuildPackage() {
+  const platformKey = `${process.platform}-${process.arch}`
+  const platformPackages = {
+    "linux-x64": "@esbuild/linux-x64",
+    "linux-arm64": "@esbuild/linux-arm64",
+    "darwin-arm64": "@esbuild/darwin-arm64",
+    "darwin-x64": "@esbuild/darwin-x64",
+    "win32-arm64": "@esbuild/win32-arm64",
+    "win32-x64": "@esbuild/win32-x64",
+  }
+
+  return platformPackages[platformKey] ?? null
+}
+
+async function ensureEsbuildPlatformBinary() {
+  const pkgName = getPlatformEsbuildPackage()
+  if (!pkgName) {
+    return
+  }
+
+  const platformPackagePath = join(workspaceNodeModulesPath, ...pkgName.split("/"))
+  if (existsSync(platformPackagePath)) {
+    return
+  }
+
+  let esbuildVersion = ""
+  try {
+    esbuildVersion = JSON.parse(readFileSync(join(workspaceNodeModulesPath, "esbuild", "package.json"), "utf-8")).version ?? ""
+  } catch {
+    // leave version empty; fallback install will use latest compatible
+  }
+
+  const packageSpec = esbuildVersion ? `${pkgName}@${esbuildVersion}` : pkgName
+  console.log("📦 Step 0/3: Restoring esbuild platform binary...\n")
+  await run(npmCmd, ["install", packageSpec, "--no-save", "--ignore-scripts", "--fund=false", "--audit=false"], {
+    cwd: workspaceRoot,
+    env: { NODE_PATH: workspaceNodeModulesPath },
+  })
+}
+
 const platforms = {
   mac: {
     args: ["--mac", "--x64", "--arm64"],
@@ -105,6 +145,8 @@ async function build(platform) {
   console.log(`\n🔨 Building for: ${config.description}\n`)
 
   try {
+    await ensureEsbuildPlatformBinary()
+
     console.log("📦 Step 1/3: Building CLI dependency...\n")
     await run(npmCmd, ["run", "build", "--workspace", "@neuralnomads/codenomad"], {
       cwd: workspaceRoot,

packages/electron-app/scripts/prepare-resources.js

@@ -16,6 +16,7 @@ const npmNodeExecPath = process.env.npm_node_execpath
 
 const serverSources = ["dist", "public", "node_modules", "package.json"]
 const serverDepsMarker = join(serverRoot, "node_modules", "fastify", "package.json")
+const standaloneMarker = join(serverRoot, "dist", process.platform === "win32" ? "codenomad-server.exe" : "codenomad-server")
 
 function log(message) {
   console.log(`[prepare-resources] ${message}`)
@@ -29,6 +30,34 @@ function ensureServerBuild() {
   }
 }
 
+function ensureStandaloneServerBuild() {
+  log("building standalone server executable")
+  const result = spawnSync(
+    "npm",
+    ["run", "build:standalone", "--workspace", "@neuralnomads/codenomad"],
+    {
+      cwd: workspaceRoot,
+      stdio: "inherit",
+      env: {
+        ...process.env,
+        PATH: `${join(workspaceRoot, "node_modules", ".bin")}${path.delimiter}${process.env.PATH ?? ""}`,
+      },
+      shell: process.platform === "win32",
+    },
+  )
+
+  if (result.status !== 0) {
+    if (result.error) {
+      throw result.error
+    }
+    throw new Error(`standalone server build exited with code ${result.status ?? 1}`)
+  }
+
+  if (!fs.existsSync(standaloneMarker)) {
+    throw new Error(`Standalone server executable missing after build: ${standaloneMarker}`)
+  }
+}
+
 function ensureServerDependencies() {
   if (fs.existsSync(serverDepsMarker)) {
     return
@@ -65,6 +94,51 @@ function ensureServerDependencies() {
   }
 }
 
+function ensureEsbuildPlatformBinary() {
+  const platformKey = `${process.platform}-${process.arch}`
+  const platformPackages = {
+    "linux-x64": "@esbuild/linux-x64",
+    "linux-arm64": "@esbuild/linux-arm64",
+    "darwin-arm64": "@esbuild/darwin-arm64",
+    "darwin-x64": "@esbuild/darwin-x64",
+    "win32-arm64": "@esbuild/win32-arm64",
+    "win32-x64": "@esbuild/win32-x64",
+  }
+
+  const pkgName = platformPackages[platformKey]
+  if (!pkgName) {
+    return
+  }
+
+  const platformPackagePath = join(workspaceRoot, "node_modules", ...pkgName.split("/"))
+  if (fs.existsSync(platformPackagePath)) {
+    return
+  }
+
+  let esbuildVersion = ""
+  try {
+    esbuildVersion = JSON.parse(fs.readFileSync(join(workspaceRoot, "node_modules", "esbuild", "package.json"), "utf-8")).version ?? ""
+  } catch {
+    // leave version empty; fallback install will use latest compatible
+  }
+
+  const packageSpec = esbuildVersion ? `${pkgName}@${esbuildVersion}` : pkgName
+  log("installing esbuild platform binary (optional dep workaround)")
+
+  const result = spawnSync("npm", ["install", packageSpec, "--no-save", "--ignore-scripts", "--fund=false", "--audit=false"], {
+    cwd: workspaceRoot,
+    stdio: "inherit",
+    shell: process.platform === "win32",
+  })
+
+  if (result.status !== 0) {
+    if (result.error) {
+      throw result.error
+    }
+    throw new Error(`esbuild platform install exited with code ${result.status ?? 1}`)
+  }
+}
+
 function copyServerArtifacts() {
   fs.rmSync(serverDest, { recursive: true, force: true })
   fs.mkdirSync(serverDest, { recursive: true })
@@ -121,7 +195,9 @@ function stripNodeModuleBins() {
 
 async function main() {
   ensureServerBuild()
+  ensureStandaloneServerBuild()
   ensureServerDependencies()
+  ensureEsbuildPlatformBinary()
   copyServerArtifacts()
   stripNodeModuleBins()
 }

packages/opencode-config/package.json

@@ -4,6 +4,6 @@
   "private": true,
   "license": "MIT",
   "dependencies": {
-    "@opencode-ai/plugin": "1.3.7"
+    "@opencode-ai/plugin": "1.14.19"
   }
-}
+}

packages/server/package.json

@@ -18,6 +18,7 @@
   },
   "scripts": {
     "build": "npm run build:ui && npm run prepare-ui && tsc -p tsconfig.json && node ./scripts/copy-auth-pages.mjs && npm run prepare-config",
+    "build:standalone": "node ./scripts/build-standalone.mjs",
     "build:ui": "npm run build --prefix ../ui",
     "prepare-ui": "node ./scripts/copy-ui-dist.mjs",
     "prepare-config": "node ./scripts/copy-opencode-config.mjs",
@@ -25,16 +26,16 @@
     "typecheck": "tsc --noEmit -p tsconfig.json"
   },
   "dependencies": {
-    "@fastify/cors": "^8.5.0",
-    "@fastify/reply-from": "^9.8.0",
-    "@fastify/static": "^7.0.4",
+    "@fastify/cors": "^11.2.0",
+    "@fastify/reply-from": "^12.6.2",
+    "@fastify/static": "^9.1.1",
     "commander": "^12.1.0",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.5",
     "fuzzysort": "^2.0.4",
     "node-forge": "^1.3.3",
     "openai": "^6.27.0",
     "pino": "^9.4.0",
-    "undici": "^6.19.8",
+    "undici": "^8.1.0",
     "yaml": "^2.4.2",
     "yauzl": "^2.10.0",
     "zod": "^3.23.8"
@@ -42,6 +43,7 @@
   "devDependencies": {
     "@types/node-forge": "^1.3.14",
     "@types/yauzl": "^2.10.0",
+    "bun": "^1.3.13",
     "cross-env": "^7.0.3",
     "ts-node": "^10.9.2",
     "tsx": "^4.20.6",

packages/server/scripts/build-standalone.mjs

@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+import fs from "fs"
+import path from "path"
+import { spawnSync } from "child_process"
+import { fileURLToPath } from "url"
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+const cliRoot = path.resolve(__dirname, "..")
+const distDir = path.join(cliRoot, "dist")
+const publicDir = path.join(cliRoot, "public")
+const authPagesSourceDir = path.join(distDir, "server", "routes", "auth-pages")
+const authPagesTargetDir = path.join(distDir, "auth-pages")
+const explicitTarget = process.env.CODENOMAD_STANDALONE_TARGET?.trim()
+const outputName = (explicitTarget?.includes("windows") || process.platform === "win32") ? "codenomad-server.exe" : "codenomad-server"
+const outputPath = path.join(distDir, outputName)
+const packageJsonPath = path.join(cliRoot, "package.json")
+
+function resolveBunCommand() {
+  const executableName = process.platform === "win32" ? "bun.exe" : "bun"
+  const localBinName = process.platform === "win32" ? "bun.cmd" : "bun"
+  const candidates = [
+    path.join(cliRoot, "node_modules", ".bin", localBinName),
+    path.join(cliRoot, "..", "..", "node_modules", ".bin", localBinName),
+    path.join(cliRoot, "node_modules", "bun", "bin", executableName),
+    path.join(cliRoot, "..", "..", "node_modules", "bun", "bin", executableName),
+  ]
+
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      return candidate
+    }
+  }
+
+  return "bun"
+}
+
+function fail(message) {
+  console.error(`[build-standalone] ${message}`)
+  process.exit(1)
+}
+
+function ensureArtifacts() {
+  const requiredPaths = [distDir, publicDir, authPagesSourceDir, packageJsonPath]
+  const missing = requiredPaths.filter((filePath) => !fs.existsSync(filePath))
+  if (missing.length > 0) {
+    fail(`Missing required build artifacts: ${missing.join(", ")}. Run npm run build first.`)
+  }
+
+  const bunResult = spawnSync(resolveBunCommand(), ["-v"], { cwd: cliRoot, encoding: "utf-8", shell: process.platform === "win32" })
+  if (bunResult.status !== 0) {
+    fail("Bun is required to build the standalone server executable. Install dependencies so the local Bun binary is available.")
+  }
+}
+
+function syncStandaloneAuthPages() {
+  fs.rmSync(authPagesTargetDir, { recursive: true, force: true })
+  fs.mkdirSync(path.dirname(authPagesTargetDir), { recursive: true })
+  fs.cpSync(authPagesSourceDir, authPagesTargetDir, { recursive: true })
+}
+
+function buildStandaloneExecutable() {
+  fs.rmSync(outputPath, { force: true })
+  const bunCommand = resolveBunCommand()
+
+  const args = ["build", "--compile"]
+  if (explicitTarget) {
+    args.push(`--target=${explicitTarget}`)
+  }
+  args.push(path.join(cliRoot, "src", "index.ts"), "--outfile", outputPath)
+
+  const result = spawnSync(bunCommand, args, {
+    cwd: cliRoot,
+    stdio: "inherit",
+    shell: process.platform === "win32",
+  })
+
+  if (result.status !== 0) {
+    if (result.error) {
+      throw result.error
+    }
+    throw new Error(`bun build --compile exited with code ${result.status ?? 1}`)
+  }
+}
+
+function main() {
+  ensureArtifacts()
+  syncStandaloneAuthPages()
+
+  buildStandaloneExecutable()
+  console.log(`[build-standalone] built ${outputPath}`)
+}
+
+try {
+  main()
+} catch (error) {
+  console.error("[build-standalone] failed:", error)
+  process.exit(1)
+}

packages/server/scripts/copy-opencode-config.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { spawnSync } from "child_process"
-import { cpSync, existsSync, mkdirSync, rmSync } from "fs"
+import { cpSync, existsSync, mkdirSync, readdirSync, rmSync } from "fs"
 import path from "path"
 import { fileURLToPath } from "url"
 
@@ -14,6 +14,67 @@ const selfLinkDir = path.resolve(nodeModulesDir, "@codenomad", "opencode-config"
 const npmExecPath = process.env.npm_execpath
 const npmNodeExecPath = process.env.npm_node_execpath
 
+function stripNodeModuleBins(rootDir) {
+  const root = path.join(rootDir, "node_modules")
+  if (!existsSync(root)) {
+    return 0
+  }
+
+  const stack = [root]
+  let removed = 0
+
+  while (stack.length > 0) {
+    const current = stack.pop()
+    if (!current) break
+
+    let entries
+    try {
+      entries = readdirSync(current, { withFileTypes: true })
+    } catch {
+      continue
+    }
+
+    for (const entry of entries) {
+      const full = path.join(current, entry.name)
+      if (entry.name === ".bin") {
+        rmSync(full, { recursive: true, force: true })
+        removed += 1
+        continue
+      }
+
+      if (entry.isDirectory()) {
+        stack.push(full)
+      }
+    }
+  }
+
+  return removed
+}
+
+function stripOptionalNativeAddons(rootDir) {
+  const nodeModulesRoot = path.join(rootDir, "node_modules")
+  if (!existsSync(nodeModulesRoot)) {
+    return 0
+  }
+
+  const removablePaths = [
+    path.join(nodeModulesRoot, "@msgpackr-extract"),
+    path.join(nodeModulesRoot, "msgpackr-extract"),
+  ]
+
+  let removed = 0
+  for (const targetPath of removablePaths) {
+    if (!existsSync(targetPath)) {
+      continue
+    }
+
+    rmSync(targetPath, { recursive: true, force: true })
+    removed += 1
+  }
+
+  return removed
+}
+
 if (!existsSync(sourceDir)) {
   console.error(`[copy-opencode-config] Missing source directory at ${sourceDir}`)
   process.exit(1)
@@ -58,4 +119,14 @@ rmSync(targetDir, { recursive: true, force: true })
 mkdirSync(path.dirname(targetDir), { recursive: true })
 cpSync(sourceDir, targetDir, { recursive: true })
 
+const removedBins = stripNodeModuleBins(targetDir)
+if (removedBins > 0) {
+  console.log(`[copy-opencode-config] Removed ${removedBins} node_modules/.bin directories`)
+}
+
+const removedNativeAddons = stripOptionalNativeAddons(targetDir)
+if (removedNativeAddons > 0) {
+  console.log(`[copy-opencode-config] Removed ${removedNativeAddons} optional native addon package paths`)
+}
+
 console.log(`[copy-opencode-config] Copied ${sourceDir} -> ${targetDir}`)

packages/server/src/api-types.ts

@@ -343,6 +343,7 @@ export interface RemoteProxySessionCreateRequest {
 }
 
 export interface RemoteProxySessionCreateResponse {
+  sessionId: string
   windowUrl: string
 }
 

packages/server/src/index.ts

@@ -29,13 +29,14 @@ import { SideCarManager } from "./sidecars/manager"
 import { ClientConnectionManager } from "./clients/connection-manager"
 import { PluginChannelManager } from "./plugins/channel"
 import { VoiceModeManager } from "./plugins/voice-mode"
+import { readServerPackageVersion, resolveServerPublicDir } from "./runtime-paths"
 
 const require = createRequire(import.meta.url)
 
-const packageJson = require("../package.json") as { version: string }
+const packageJson = { version: readServerPackageVersion(import.meta.url) }
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
-const DEFAULT_UI_STATIC_DIR = path.resolve(__dirname, "../public")
+const DEFAULT_UI_STATIC_DIR = resolveServerPublicDir(import.meta.url)
 
 interface CliOptions {
   host: string
@@ -376,10 +377,6 @@ async function main() {
       })
     : null
 
-  if (uiResolution.uiDevServerUrl && options.https) {
-    throw new InvalidArgumentError("UI dev proxy is only supported with --https=false --http=true")
-  }
-
   const remoteAccessEnabled = options.host === "0.0.0.0" || !isLoopbackHost(options.host)
 
   const clientConnectionManager = new ClientConnectionManager(logger.child({ component: "client-connections" }))

packages/server/src/opencode-config.ts

@@ -1,22 +1,11 @@
 import { existsSync } from "fs"
-import path from "path"
-import { fileURLToPath } from "url"
 import { createLogger } from "./logger"
+import { resolveOpencodeTemplateDir } from "./runtime-paths"
 
 const log = createLogger({ component: "opencode-config" })
-const __filename = fileURLToPath(import.meta.url)
-const __dirname = path.dirname(__filename)
-const devTemplateDir = path.resolve(__dirname, "../../opencode-config")
-const resourcesPath = (process as NodeJS.Process & { resourcesPath?: string }).resourcesPath
-const prodTemplateDirs = [
-  resourcesPath ? path.resolve(resourcesPath, "opencode-config") : undefined,
-  path.resolve(__dirname, "opencode-config"),
-].filter((dir): dir is string => Boolean(dir))
+const templateDir = resolveOpencodeTemplateDir(import.meta.url)
 
-const isDevBuild = Boolean(process.env.CODENOMAD_DEV ?? process.env.CLI_UI_DEV_SERVER) || existsSync(devTemplateDir)
-const templateDir = isDevBuild
-  ? devTemplateDir
-  : prodTemplateDirs.find((dir) => existsSync(dir)) ?? prodTemplateDirs[0]
+const isDevBuild = Boolean(process.env.CODENOMAD_DEV ?? process.env.CLI_UI_DEV_SERVER)
 
 export function getOpencodeConfigDir(): string {
   if (!existsSync(templateDir)) {

packages/server/src/runtime-paths.ts

@@ -0,0 +1,79 @@
+import fs from "fs"
+import path from "path"
+import { fileURLToPath } from "url"
+
+function safeModuleDir(importMetaUrl: string): string | null {
+  try {
+    return path.dirname(fileURLToPath(importMetaUrl))
+  } catch {
+    return null
+  }
+}
+
+function firstExistingPath(candidates: Array<string | null | undefined>, predicate: (value: string) => boolean): string | null {
+  for (const candidate of candidates) {
+    if (!candidate) continue
+    if (predicate(candidate)) {
+      return candidate
+    }
+  }
+  return null
+}
+
+export function getPackagedDistDir(): string {
+  return path.dirname(process.execPath)
+}
+
+export function resolveServerPackageRoot(importMetaUrl: string): string {
+  const moduleDir = safeModuleDir(importMetaUrl)
+  const configuredRoot = process.env.CODENOMAD_SERVER_ROOT?.trim()
+  const candidates = [
+    configuredRoot ? path.resolve(configuredRoot) : null,
+    moduleDir ? path.resolve(moduleDir, "..") : null,
+    path.resolve(getPackagedDistDir(), ".."),
+  ]
+
+  return (
+    firstExistingPath(candidates, (value) => fs.existsSync(path.join(value, "package.json"))) ??
+    candidates.find((value): value is string => Boolean(value)) ??
+    process.cwd()
+  )
+}
+
+export function resolveServerPublicDir(importMetaUrl: string): string {
+  const moduleDir = safeModuleDir(importMetaUrl)
+  const candidates = [moduleDir ? path.resolve(moduleDir, "../public") : null, path.join(resolveServerPackageRoot(importMetaUrl), "public")]
+
+  return firstExistingPath(candidates, (value) => fs.existsSync(value)) ?? candidates[candidates.length - 1]!
+}
+
+export function resolveAuthTemplatePath(importMetaUrl: string, fileName: string): string {
+  const moduleDir = safeModuleDir(importMetaUrl)
+  const distDir = getPackagedDistDir()
+  const candidates = [
+    moduleDir ? path.join(moduleDir, "auth-pages", fileName) : null,
+    path.join(distDir, "auth-pages", fileName),
+    path.join(distDir, "server", "routes", "auth-pages", fileName),
+  ]
+
+  return firstExistingPath(candidates, (value) => fs.existsSync(value)) ?? candidates[0]!
+}
+
+export function resolveOpencodeTemplateDir(importMetaUrl: string): string {
+  const moduleDir = safeModuleDir(importMetaUrl)
+  const resourcesPath = (process as NodeJS.Process & { resourcesPath?: string }).resourcesPath
+  const candidates = [
+    moduleDir ? path.resolve(moduleDir, "../../opencode-config") : null,
+    resourcesPath ? path.resolve(resourcesPath, "opencode-config") : null,
+    moduleDir ? path.resolve(moduleDir, "opencode-config") : null,
+    path.join(getPackagedDistDir(), "opencode-config"),
+  ]
+
+  return firstExistingPath(candidates, (value) => fs.existsSync(value)) ?? candidates[candidates.length - 1]!
+}
+
+export function readServerPackageVersion(importMetaUrl: string): string {
+  const packageJsonPath = path.join(resolveServerPackageRoot(importMetaUrl), "package.json")
+  const parsed = JSON.parse(fs.readFileSync(packageJsonPath, "utf-8")) as { version?: unknown }
+  return typeof parsed.version === "string" && parsed.version.trim().length > 0 ? parsed.version : "0.0.0"
+}

packages/server/src/server/__tests__/remote-proxy.test.ts

@@ -0,0 +1,248 @@
+import assert from "node:assert/strict"
+import { after, afterEach, describe, it } from "node:test"
+import fs from "node:fs"
+import http, { type IncomingMessage, type ServerResponse } from "node:http"
+import os from "node:os"
+import path from "node:path"
+
+import { Agent, fetch } from "undici"
+
+import type { AuthManager } from "../../auth/manager"
+import type { Logger } from "../../logger"
+import { RemoteProxySessionManager } from "../remote-proxy"
+import { resolveHttpsOptions } from "../tls"
+
+const sharedTempDir = fs.mkdtempSync(path.join(os.tmpdir(), "codenomad-remote-proxy-test-"))
+const sharedTls = resolveHttpsOptions({
+  enabled: true,
+  configDir: sharedTempDir,
+  host: "127.0.0.1",
+  logger: createStubLogger(),
+})
+
+if (!sharedTls) {
+  throw new Error("Failed to generate HTTPS options for remote proxy tests")
+}
+
+const sharedHttpsOptions = sharedTls.httpsOptions
+
+const httpsDispatcher = new Agent({ connect: { rejectUnauthorized: false } })
+const managers = new Set<RemoteProxySessionManager>()
+
+afterEach(async () => {
+  for (const manager of managers) {
+    await disposeManager(manager)
+  }
+  managers.clear()
+})
+
+after(() => {
+  fs.rmSync(sharedTempDir, { recursive: true, force: true })
+  httpsDispatcher.close().catch(() => {})
+})
+
+describe("RemoteProxySessionManager", () => {
+  it("blocks proxying before activation and keeps bootstrap tokens scoped per session", async () => {
+    await withUpstreamServer(async (upstreamBaseUrl) => {
+      const manager = createSessionManager()
+      const session1 = await createSession(manager, `${upstreamBaseUrl}/base`)
+      const session2 = await createSession(manager, `${upstreamBaseUrl}/base`)
+
+      const blocked = await proxyFetch(`${session1.proxyOrigin}/status`)
+      assert.equal(blocked.status, 403)
+
+      const wrongTokenResponse = await proxyFetch(`${session1.proxyOrigin}/__codenomad/api/auth/token`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ token: session2.token }),
+      })
+      assert.equal(wrongTokenResponse.status, 401)
+
+      assert.equal(await activateSession(session1), true)
+      assert.equal(await activateSession(session2), true)
+    }, (req, res) => {
+      res.writeHead(200, { "content-type": "text/plain" })
+      res.end(req.url ?? "")
+    })
+  })
+
+  it("preserves remote base paths and rewrites same-origin redirects to the local proxy origin", async () => {
+    await withUpstreamServer(async (upstreamBaseUrl) => {
+      const manager = createSessionManager()
+      const session = await createSession(manager, `${upstreamBaseUrl}/base`)
+
+      await activateSession(session)
+
+      const apiResponse = await proxyFetch(`${session.proxyOrigin}/api/auth/status?foo=bar`)
+      assert.equal(apiResponse.status, 200)
+      assert.equal(await apiResponse.text(), "/base/api/auth/status?foo=bar")
+
+      const redirectResponse = await proxyFetch(`${session.proxyOrigin}/redirect`, { redirect: "manual" })
+      assert.equal(redirectResponse.status, 302)
+      assert.equal(redirectResponse.headers.get("location"), `${session.proxyOrigin}/base/after?ok=1`)
+    }, (req, res) => {
+      const requestUrl = req.url ?? ""
+      if (requestUrl === "/base/redirect") {
+        res.writeHead(302, { location: "/base/after?ok=1" })
+        res.end()
+        return
+      }
+
+      res.writeHead(200, { "content-type": "text/plain" })
+      res.end(requestUrl)
+    })
+  })
+
+  it("rewrites set-cookie names for the proxy and restores cookie names on proxied requests", async () => {
+    await withUpstreamServer(async (upstreamBaseUrl) => {
+      const manager = createSessionManager()
+      const session = await createSession(manager, `${upstreamBaseUrl}/base`)
+
+      await activateSession(session)
+
+      const loginResponse = await proxyFetch(`${session.proxyOrigin}/login`)
+      assert.equal(loginResponse.status, 200)
+      const setCookie = getSetCookie(loginResponse)[0]
+
+      assert.match(setCookie, /^cnrp_[0-9a-f]+_session=abc123/i)
+      assert.doesNotMatch(setCookie, /domain=/i)
+
+      const cookieHeader = setCookie.split(";", 1)[0]
+      const whoamiResponse = await proxyFetch(`${session.proxyOrigin}/whoami`, {
+        headers: { cookie: cookieHeader },
+      })
+
+      assert.equal(await whoamiResponse.text(), "session=abc123")
+    }, (req, res) => {
+      const requestUrl = req.url ?? ""
+      if (requestUrl === "/base/login") {
+        res.writeHead(200, {
+          "content-type": "text/plain",
+          "set-cookie": "session=abc123; Path=/; Secure; HttpOnly; Domain=127.0.0.1",
+        })
+        res.end("ok")
+        return
+      }
+
+      if (requestUrl === "/base/whoami") {
+        res.writeHead(200, { "content-type": "text/plain" })
+        res.end(req.headers.cookie ?? "")
+        return
+      }
+
+      res.writeHead(404, { "content-type": "text/plain" })
+      res.end(requestUrl)
+    })
+  })
+
+  it("supports explicit deletion and idle cleanup of sessions", async () => {
+    await withUpstreamServer(async (upstreamBaseUrl) => {
+      const manager = createSessionManager()
+      const session = await createSession(manager, `${upstreamBaseUrl}/base`)
+
+      assert.equal(await manager.deleteSession(session.sessionId), true)
+      assert.equal(await manager.deleteSession(session.sessionId), false)
+
+      const session3 = await createSession(manager, `${upstreamBaseUrl}/base`)
+      const internalSessions = (manager as any).sessions as Map<string, { lastAccessAt: number }>
+      const internalCleanup = (manager as any).cleanupExpiredSessions as () => Promise<void>
+
+      internalSessions.get(session3.sessionId)!.lastAccessAt = Date.now() - 31 * 60_000
+      await internalCleanup.call(manager)
+
+      assert.equal(internalSessions.has(session3.sessionId), false)
+      assert.equal(await manager.deleteSession(session3.sessionId), false)
+    }, (_req, res) => {
+      res.writeHead(200, { "content-type": "text/plain" })
+      res.end("ok")
+    })
+  })
+})
+
+function createSessionManager() {
+  const manager = new RemoteProxySessionManager({
+    authManager: {
+      isLoopbackRequest: () => true,
+    } as unknown as AuthManager,
+    logger: createStubLogger(),
+    httpsOptions: sharedHttpsOptions,
+  })
+  managers.add(manager)
+  return manager
+}
+
+async function createSession(manager: RemoteProxySessionManager, baseUrl: string) {
+  const created = await manager.createSession(baseUrl, false)
+  const windowUrl = new URL(created.windowUrl)
+  return {
+    sessionId: created.sessionId,
+    windowUrl,
+    proxyOrigin: windowUrl.origin,
+    token: decodeURIComponent(windowUrl.hash.replace(/^#/, "")),
+  }
+}
+
+async function activateSession(session: { proxyOrigin: string; token: string }) {
+  const response = await proxyFetch(`${session.proxyOrigin}/__codenomad/api/auth/token`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ token: session.token }),
+  })
+  if (!response.ok) {
+    return false
+  }
+  const body = (await response.json()) as { ok?: boolean }
+  return body.ok === true
+}
+
+function getSetCookie(response: Awaited<ReturnType<typeof fetch>>): string[] {
+  const values = (response.headers as any).getSetCookie?.() as string[] | undefined
+  if (Array.isArray(values) && values.length > 0) {
+    return values
+  }
+  const fallback = response.headers.get("set-cookie")
+  return fallback ? [fallback] : []
+}
+
+async function proxyFetch(url: string, init?: Parameters<typeof fetch>[1]) {
+  return fetch(url, { dispatcher: httpsDispatcher, ...init })
+}
+
+async function disposeManager(manager: RemoteProxySessionManager) {
+  const sessions = Array.from(((manager as any).sessions as Map<string, unknown>).keys())
+  for (const sessionId of sessions) {
+    await manager.deleteSession(sessionId)
+  }
+  clearInterval((manager as any).cleanupTimer as NodeJS.Timeout)
+}
+
+async function withUpstreamServer(
+  callback: (baseUrl: string) => Promise<void>,
+  handler: (req: IncomingMessage, res: ServerResponse<IncomingMessage>) => void,
+) {
+  const server = http.createServer(handler)
+  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()))
+
+  try {
+    const address = server.address()
+    if (!address || typeof address === "string") {
+      throw new Error("Failed to resolve upstream server address")
+    }
+    await callback(`http://127.0.0.1:${address.port}`)
+  } finally {
+    await new Promise<void>((resolve, reject) => server.close((error) => (error ? reject(error) : resolve())))
+  }
+}
+
+function createStubLogger(): Logger {
+  const logger = {
+    info() {},
+    warn() {},
+    error() {},
+    child() {
+      return logger
+    },
+  }
+
+  return logger as unknown as Logger
+}

packages/server/src/server/http-server.ts

@@ -5,6 +5,8 @@ import replyFrom from "@fastify/reply-from"
 import fs from "fs"
 import { connect as connectTcp, type Socket } from "net"
 import path from "path"
+import { Readable } from "stream"
+import { pipeline } from "stream/promises"
 import { connect as connectTls, type TLSSocket } from "tls"
 import { fetch } from "undici"
 import type { Logger } from "../logger"
@@ -202,7 +204,12 @@ export function createHttpServer(deps: HttpServerDeps) {
       publicPagePaths.add("/auth/token")
     }
 
-    if (publicApiPaths.has(pathname) || publicPagePaths.has(pathname)) {
+    const isLoopbackRemoteProxyDelete =
+      request.method === "DELETE" &&
+      pathname.startsWith("/api/remote-proxy/sessions/") &&
+      deps.authManager.isLoopbackRequest(request)
+
+    if (publicApiPaths.has(pathname) || publicPagePaths.has(pathname) || isLoopbackRemoteProxyDelete) {
       done()
       return
     }
@@ -621,57 +628,57 @@ async function proxyWorkspaceRequest(args: {
     logger.trace({ workspaceId, targetUrl, body: request.body }, "Instance proxy payload")
   }
 
-  return reply.from(targetUrl, {
-    rewriteRequestHeaders: (_originalRequest, headers) => {
-      if (instanceAuthHeader) {
-        headers.authorization = instanceAuthHeader
-      }
+  const headers = buildWorkspaceInstanceProxyHeaders(request.headers, instanceAuthHeader, directory)
 
-      // OpenCode expects the *full* path; we send it via header to avoid query tampering.
-      const isNonASCII = /[^\x00-\x7F]/.test(directory)
-      const encodedDirectory = isNonASCII ? encodeURIComponent(directory) : directory
+  if (logger.isLevelEnabled("trace")) {
+    logger.trace(
+      {
+        workspaceId,
+        method: request.method,
+        targetUrl,
+        worktreeSlug,
+        directory,
+        contentType: request.headers["content-type"],
+        body: bodyToJson(request.body),
+        headers: redactProxyHeadersForLogs(headers),
+      },
+      "Proxy -> OpenCode request",
+    )
+  }
 
-      // Overwrite any client-provided value (case-insensitive headers are normalized by Node).
-      ;(headers as Record<string, unknown>)["x-opencode-directory"] = encodedDirectory
+  const init: any = {
+    method: request.method,
+    headers,
+    redirect: "manual",
+  }
 
-      if (logger.isLevelEnabled("trace")) {
-        const outgoing: Record<string, unknown> = {}
-        for (const [key, value] of Object.entries(headers as Record<string, unknown>)) {
-          outgoing[key] = value
-        }
+  if (request.method !== "GET" && request.method !== "HEAD") {
+    const body = toProxyRequestBody(request.body)
+    if (body !== undefined) {
+      init.body = body
+      init.duplex = "half"
+    }
+  }
 
-        // Redact sensitive headers.
-        for (const key of Object.keys(outgoing)) {
-          const lower = key.toLowerCase()
-          if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
-            outgoing[key] = "<redacted>"
-          }
-        }
+  try {
+    const response = await fetch(targetUrl, init)
+    reply.code(response.status)
+    applyInstanceProxyResponseHeaders(reply, response)
 
-        logger.trace(
-          {
-            workspaceId,
-            method: request.method,
-            targetUrl,
-            worktreeSlug,
-            directory,
-            contentType: request.headers["content-type"],
-            body: bodyToJson(request.body),
-            headers: outgoing,
-          },
-          "Proxy -> OpenCode request",
-        )
-      }
+    if (!response.body || request.method === "HEAD") {
+      reply.send()
+      return
+    }
 
-      return headers
-    },
-    onError: (proxyReply, { error }) => {
-      logger.error({ err: error, workspaceId, targetUrl }, "Failed to proxy workspace request")
-      if (!proxyReply.sent) {
-        proxyReply.code(502).send({ error: "Workspace instance proxy failed" })
-      }
-    },
-  })
+    reply.hijack()
+    reply.raw.writeHead(reply.statusCode, toOutgoingHeaders(reply.getHeaders()))
+    await pipeline(Readable.fromWeb(response.body as any), reply.raw)
+  } catch (error) {
+    logger.error({ err: error, workspaceId, targetUrl }, "Failed to proxy workspace request")
+    if (!reply.sent) {
+      reply.code(502).send({ error: "Workspace instance proxy failed" })
+    }
+  }
 }
 
 function extractOpencodeDirectoryOverride(pathSuffix: string | undefined): {
@@ -862,12 +869,90 @@ function isApiRequest(rawUrl: string | null | undefined) {
 function buildProxyHeaders(headers: FastifyRequest["headers"]): Record<string, string> {
   const result: Record<string, string> = {}
   for (const [key, value] of Object.entries(headers ?? {})) {
-    if (!value || key.toLowerCase() === "host") continue
+    const lower = key.toLowerCase()
+    if (!value || lower === "host" || isHopByHopHeader(lower)) continue
     result[key] = Array.isArray(value) ? value.join(",") : value
   }
   return result
 }
 
+function toProxyRequestBody(body: unknown): any {
+  if (body == null) {
+    return undefined
+  }
+  if (typeof (body as { pipe?: unknown }).pipe === "function") {
+    return body
+  }
+  if (typeof (body as { [Symbol.asyncIterator]?: unknown })[Symbol.asyncIterator] === "function") {
+    return body
+  }
+  if (Buffer.isBuffer(body) || typeof body === "string" || body instanceof Uint8Array) {
+    return body
+  }
+  return JSON.stringify(body)
+}
+
+function buildWorkspaceInstanceProxyHeaders(
+  headers: FastifyRequest["headers"],
+  instanceAuthHeader: string | undefined,
+  directory: string,
+): Record<string, string> {
+  const next = buildProxyHeaders(headers)
+  if (instanceAuthHeader) {
+    next.authorization = instanceAuthHeader
+  }
+
+  const isNonASCII = /[^\x00-\x7F]/.test(directory)
+  next["x-opencode-directory"] = isNonASCII ? encodeURIComponent(directory) : directory
+  return next
+}
+
+function redactProxyHeadersForLogs(headers: Record<string, string>): Record<string, string> {
+  const outgoing = { ...headers }
+  for (const key of Object.keys(outgoing)) {
+    const lower = key.toLowerCase()
+    if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
+      outgoing[key] = "<redacted>"
+    }
+  }
+  return outgoing
+}
+
+function applyInstanceProxyResponseHeaders(reply: FastifyReply, response: any) {
+  response.headers.forEach((value: string, key: string) => {
+    const lower = key.toLowerCase()
+    if (isHopByHopHeader(lower) || lower === "content-length" || lower === "content-encoding") {
+      return
+    }
+
+    reply.header(key, value)
+  })
+}
+
+function toOutgoingHeaders(headers: ReturnType<FastifyReply["getHeaders"]>): Record<string, string | string[]> {
+  const next: Record<string, string | string[]> = {}
+  for (const [key, value] of Object.entries(headers)) {
+    if (value === undefined) {
+      continue
+    }
+    next[key] = Array.isArray(value) ? value.map(String) : String(value)
+  }
+  return next
+}
+
+function isHopByHopHeader(name: string): boolean {
+  return new Set([
+    "connection",
+    "keep-alive",
+    "proxy-authenticate",
+    "proxy-authorization",
+    "te",
+    "trailer",
+    "transfer-encoding",
+    "upgrade",
+  ]).has(name)
+}
+
 async function proxySideCarRequest(args: {
   request: FastifyRequest
   reply: FastifyReply

packages/server/src/server/remote-proxy.ts

@@ -1,6 +1,7 @@
 import Fastify, { type FastifyInstance, type FastifyReply, type FastifyRequest } from "fastify"
 import { randomBytes, randomUUID } from "crypto"
 import { Readable } from "stream"
+import { pipeline } from "stream/promises"
 import { Agent, fetch } from "undici"
 import type { AuthManager } from "../auth/manager"
 import type { Logger } from "../logger"
@@ -12,6 +13,7 @@ const SESSION_IDLE_TTL_MS = 30 * 60_000
 
 interface RemoteProxySession {
   id: string
+  bootstrapToken: string
   targetBaseUrl: URL
   skipTlsVerify: boolean
   localBaseUrl: URL
@@ -31,6 +33,11 @@ export interface RemoteProxySessionManagerOptions {
   httpsOptions?: { key: string | Buffer; cert: string | Buffer; ca?: string | Buffer }
 }
 
+export interface RemoteProxySessionCreateResult {
+  sessionId: string
+  windowUrl: string
+}
+
 export class RemoteProxySessionManager {
   private readonly sessions = new Map<string, RemoteProxySession>()
   private readonly cleanupTimer: NodeJS.Timeout
@@ -42,24 +49,21 @@ export class RemoteProxySessionManager {
     this.cleanupTimer.unref()
   }
 
-  async createSession(baseUrl: string, skipTlsVerify: boolean): Promise<string> {
+  async createSession(baseUrl: string, skipTlsVerify: boolean): Promise<RemoteProxySessionCreateResult> {
     if (!this.options.httpsOptions) {
       throw new Error("Local HTTPS is required for remote proxy sessions")
     }
 
     const targetBaseUrl = normalizeBaseUrl(baseUrl)
-    const token = this.options.authManager.issueBootstrapToken()
-    if (!token) {
-      throw new Error("Bootstrap token generation is unavailable")
-    }
-
     const sessionId = randomUUID()
+    const bootstrapToken = randomBytes(32).toString("base64url")
     const dispatcher = skipTlsVerify ? new Agent({ connect: { rejectUnauthorized: false } }) : undefined
     const app = Fastify({ logger: false, https: this.options.httpsOptions })
     let session: RemoteProxySession | null = null
 
     app.removeAllContentTypeParsers()
-    app.addContentTypeParser("*", (req, body, done) => done(null, body))
+    // Preserve raw request bodies for proxying while still letting token JSON parse from Buffer.
+    app.addContentTypeParser("*", { parseAs: "buffer" }, (_req, body, done) => done(null, body))
 
     app.get(BOOTSTRAP_PAGE_PATH, async (request, reply) => {
       if (!this.options.authManager.isLoopbackRequest(request)) {
@@ -79,14 +83,14 @@ export class RemoteProxySessionManager {
         return
       }
 
-      const body = parseTokenBody(request.body)
-      if (!this.options.authManager.consumeBootstrapToken(body.token)) {
-        reply.code(401).send({ error: "Invalid token" })
+      if (!session) {
+        reply.code(503).send({ error: "Remote proxy session is unavailable" })
         return
       }
 
-      if (!session) {
-        reply.code(503).send({ error: "Remote proxy session is unavailable" })
+      const body = parseTokenBody(request.body)
+      if (body.token !== session.bootstrapToken) {
+        reply.code(401).send({ error: "Invalid token" })
         return
       }
 
@@ -133,11 +137,12 @@ export class RemoteProxySessionManager {
 
     session = {
       id: sessionId,
+      bootstrapToken,
       targetBaseUrl,
       skipTlsVerify,
       localBaseUrl,
       entryUrl,
-      bootstrapUrl: `${localBaseUrl.origin}${BOOTSTRAP_PAGE_PATH}?returnTo=${encodeURIComponent(returnTo)}#${encodeURIComponent(token)}`,
+      bootstrapUrl: `${localBaseUrl.origin}${BOOTSTRAP_PAGE_PATH}?returnTo=${encodeURIComponent(returnTo)}#${encodeURIComponent(bootstrapToken)}`,
       activated: false,
       cookiePrefix: `cnrp_${randomBytes(6).toString("hex")}_`,
       app,
@@ -152,7 +157,11 @@ export class RemoteProxySessionManager {
       "Created remote proxy session",
     )
 
-    return session.bootstrapUrl
+    return { sessionId, windowUrl: session.bootstrapUrl }
+  }
+
+  async deleteSession(sessionId: string): Promise<boolean> {
+    return this.disposeSession(sessionId)
   }
 
   private async cleanupExpiredSessions() {
@@ -165,16 +174,17 @@ export class RemoteProxySessionManager {
     }
   }
 
-  private async disposeSession(sessionId: string) {
+  private async disposeSession(sessionId: string): Promise<boolean> {
     const session = this.sessions.get(sessionId)
     if (!session) {
-      return
+      return false
     }
 
     this.sessions.delete(sessionId)
     session.dispatcher?.close().catch(() => {})
     await session.app.close().catch(() => {})
     this.options.logger.info({ sessionId }, "Disposed remote proxy session")
+    return true
   }
 }
 
@@ -336,7 +346,9 @@ async function proxyRequest(args: {
       return
     }
 
-    reply.send(Readable.fromWeb(response.body as any))
+    reply.hijack()
+    reply.raw.writeHead(reply.statusCode, toOutgoingHeaders(reply.getHeaders()))
+    await pipeline(Readable.fromWeb(response.body as any), reply.raw)
   } catch (error) {
     logger.error({ err: error, upstreamUrl }, "Failed to proxy remote session request")
     if (!reply.sent) {
@@ -394,7 +406,12 @@ function filterRequestHeaders(
   for (const [key, value] of Object.entries(headers ?? {})) {
     if (!value) continue
     const lower = key.toLowerCase()
-    if (isHopByHopHeader(lower) || lower === "host" || lower === "content-length") {
+    if (
+      isHopByHopHeader(lower) ||
+      lower === "host" ||
+      lower === "content-length" ||
+      lower === "accept-encoding"
+    ) {
       continue
     }
     if (lower === "origin") {
@@ -452,7 +469,12 @@ function applyResponseHeaders(reply: FastifyReply, response: any, session: Remot
 
   response.headers.forEach((value: string, key: string) => {
     const lower = key.toLowerCase()
-    if (isHopByHopHeader(lower) || lower === "set-cookie") {
+    if (
+      isHopByHopHeader(lower) ||
+      lower === "set-cookie" ||
+      lower === "content-length" ||
+      lower === "content-encoding"
+    ) {
       return
     }
 
@@ -465,6 +487,17 @@ function applyResponseHeaders(reply: FastifyReply, response: any, session: Remot
   })
 }
 
+function toOutgoingHeaders(headers: ReturnType<FastifyReply["getHeaders"]>): Record<string, string | string[]> {
+  const next: Record<string, string | string[]> = {}
+  for (const [key, value] of Object.entries(headers)) {
+    if (value === undefined) {
+      continue
+    }
+    next[key] = Array.isArray(value) ? value.map(String) : String(value)
+  }
+  return next
+}
+
 function rewriteSetCookie(cookie: string, cookiePrefix: string): string {
   const parts = cookie.split(";").map((part) => part.trim())
   const first = parts.shift() ?? ""

packages/server/src/server/routes/auth.ts

@@ -3,6 +3,7 @@ import fs from "fs"
 import { z } from "zod"
 import type { AuthManager } from "../../auth/manager"
 import { isLoopbackAddress } from "../../auth/http-auth"
+import { resolveAuthTemplatePath } from "../../runtime-paths"
 
 interface RouteDeps {
   authManager: AuthManager
@@ -21,21 +22,21 @@ const PasswordSchema = z.object({
   password: z.string().min(8),
 })
 
-const LOGIN_TEMPLATE_URL = new URL("./auth-pages/login.html", import.meta.url)
-const TOKEN_TEMPLATE_URL = new URL("./auth-pages/token.html", import.meta.url)
+const LOGIN_TEMPLATE_PATH = resolveAuthTemplatePath(import.meta.url, "login.html")
+const TOKEN_TEMPLATE_PATH = resolveAuthTemplatePath(import.meta.url, "token.html")
 
 let cachedLoginTemplate: string | null = null
 let cachedTokenTemplate: string | null = null
 
-function readTemplate(url: URL, cache: string | null): string {
+function readTemplate(filePath: string, cache: string | null): string {
   if (cache) return cache
-  const content = fs.readFileSync(url, "utf-8")
+  const content = fs.readFileSync(filePath, "utf-8")
   return content
 }
 
 function getLoginHtml(defaultUsername: string): string {
   if (!cachedLoginTemplate) {
-    cachedLoginTemplate = readTemplate(LOGIN_TEMPLATE_URL, null)
+    cachedLoginTemplate = readTemplate(LOGIN_TEMPLATE_PATH, null)
   }
 
   const escapedUsername = escapeHtml(defaultUsername)
@@ -44,7 +45,7 @@ function getLoginHtml(defaultUsername: string): string {
 
 function getTokenHtml(): string {
   if (!cachedTokenTemplate) {
-    cachedTokenTemplate = readTemplate(TOKEN_TEMPLATE_URL, null)
+    cachedTokenTemplate = readTemplate(TOKEN_TEMPLATE_PATH, null)
   }
 
   return cachedTokenTemplate

packages/server/src/server/routes/remote-proxy.ts

@@ -1,6 +1,7 @@
 import type { FastifyInstance } from "fastify"
 import { z } from "zod"
 import type { RemoteProxySessionCreateResponse } from "../../api-types"
+import { isLoopbackAddress } from "../../auth/http-auth"
 import type { Logger } from "../../logger"
 import type { RemoteProxySessionManager } from "../remote-proxy"
 
@@ -14,16 +15,40 @@ const CreateSessionSchema = z.object({
   skipTlsVerify: z.boolean().optional(),
 })
 
+const SessionParamsSchema = z.object({
+  id: z.string().uuid(),
+})
+
 export function registerRemoteProxyRoutes(app: FastifyInstance, deps: RouteDeps) {
   app.post("/api/remote-proxy/sessions", async (request, reply): Promise<RemoteProxySessionCreateResponse | { error: string }> => {
     try {
       const body = CreateSessionSchema.parse(request.body ?? {})
-      const windowUrl = await deps.sessionManager.createSession(body.baseUrl, Boolean(body.skipTlsVerify))
-      return { windowUrl }
+      return await deps.sessionManager.createSession(body.baseUrl, Boolean(body.skipTlsVerify))
     } catch (error) {
       deps.logger.warn({ err: error }, "Failed to create remote proxy session")
       reply.code(400)
       return { error: error instanceof Error ? error.message : "Failed to create remote proxy session" }
     }
   })
+
+  app.delete("/api/remote-proxy/sessions/:id", async (request, reply): Promise<{ ok: boolean } | { error: string }> => {
+    if (!isLoopbackAddress(request.socket.remoteAddress)) {
+      reply.code(404)
+      return { error: "Not found" }
+    }
+
+    try {
+      const params = SessionParamsSchema.parse(request.params ?? {})
+      const deleted = await deps.sessionManager.deleteSession(params.id)
+      if (!deleted) {
+        reply.code(404)
+        return { error: "Remote proxy session not found" }
+      }
+      return { ok: true }
+    } catch (error) {
+      deps.logger.warn({ err: error }, "Failed to delete remote proxy session")
+      reply.code(400)
+      return { error: error instanceof Error ? error.message : "Failed to delete remote proxy session" }
+    }
+  })
 }

packages/server/src/server/routes/settings.ts

@@ -1,6 +1,6 @@
 import { FastifyInstance } from "fastify"
 import { z } from "zod"
-import { probeBinaryVersion } from "../../workspaces/runtime"
+import { probeBinaryVersion } from "../../workspaces/spawn"
 import type { SettingsService } from "../../settings/service"
 import type { Logger } from "../../logger"
 import { sanitizeConfigDoc, sanitizeConfigOwner } from "../../settings/public-config"

packages/server/src/workspaces/__tests__/spawn.test.ts

@@ -0,0 +1,193 @@
+import assert from "node:assert/strict"
+import { describe, it } from "node:test"
+
+import { buildWindowsSpawnSpec, buildWslSignalSpec, parseWslUncPath, resolveWslWorkingDirectory } from "../spawn"
+
+describe("parseWslUncPath", () => {
+  it("parses WSL UNC paths into distro and linux path", () => {
+    assert.deepEqual(parseWslUncPath(String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`), {
+      distro: "Ubuntu",
+      linuxPath: "/home/dev/.opencode/bin/opencode",
+    })
+  })
+
+  it("supports the legacy wsl$ UNC prefix", () => {
+    assert.deepEqual(parseWslUncPath(String.raw`\\wsl$\Ubuntu\home\dev`), {
+      distro: "Ubuntu",
+      linuxPath: "/home/dev",
+    })
+  })
+})
+
+describe("resolveWslWorkingDirectory", () => {
+  it("keeps WSL workspace folders in the same distro", () => {
+    assert.equal(
+      JSON.stringify(resolveWslWorkingDirectory(String.raw`\\wsl.localhost\Ubuntu\home\dev\workspace`, "Ubuntu")),
+      JSON.stringify({ kind: "linux", path: "/home/dev/workspace" }),
+    )
+  })
+
+  it("keeps Windows drive paths so WSL can resolve them with wslpath", () => {
+    assert.equal(
+      JSON.stringify(resolveWslWorkingDirectory(String.raw`C:\Users\dev\workspace`, "Ubuntu")),
+      JSON.stringify({ kind: "windows", path: String.raw`C:\Users\dev\workspace` }),
+    )
+  })
+
+  it("keeps UNC network paths so WSL can resolve them with wslpath", () => {
+    assert.equal(
+      JSON.stringify(resolveWslWorkingDirectory(String.raw`\\server\share\workspace`, "Ubuntu")),
+      JSON.stringify({ kind: "windows", path: String.raw`\\server\share\workspace` }),
+    )
+  })
+
+  it("rejects WSL workspace folders from a different distro", () => {
+    assert.equal(resolveWslWorkingDirectory(String.raw`\\wsl.localhost\Debian\home\dev\workspace`, "Ubuntu"), null)
+  })
+})
+
+describe("buildWindowsSpawnSpec", () => {
+  it("wraps WSL binaries with wsl.exe and propagates required env vars", () => {
+    const spec = buildWindowsSpawnSpec(
+      String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`,
+      ["serve", "--port", "0"],
+      {
+        cwd: String.raw`\\wsl.localhost\Ubuntu\home\dev\workspace`,
+        env: {
+          OPENCODE_CONFIG_DIR: String.raw`C:\Users\dev\AppData\Roaming\CodeNomad\opencode-config`,
+          CODENOMAD_INSTANCE_ID: "workspace-123",
+          OPENCODE_SERVER_PASSWORD: "secret",
+        },
+        propagateEnvKeys: ["OPENCODE_CONFIG_DIR", "CODENOMAD_INSTANCE_ID", "OPENCODE_SERVER_PASSWORD"],
+      },
+    )
+
+    assert.equal(spec.command, "wsl.exe")
+    assert.deepEqual(spec.args, [
+      "--distribution",
+      "Ubuntu",
+      "--cd",
+      "/home/dev/workspace",
+      "--exec",
+      "/home/dev/.opencode/bin/opencode",
+      "serve",
+      "--port",
+      "0",
+    ])
+    assert.equal(spec.cwd, undefined)
+    assert.equal(spec.env?.WSLENV, "OPENCODE_CONFIG_DIR/p:CODENOMAD_INSTANCE_ID:OPENCODE_SERVER_PASSWORD")
+  })
+
+  it("upgrades existing WSLENV path entries to include /p", () => {
+    const spec = buildWindowsSpawnSpec(
+      String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`,
+      ["serve"],
+      {
+        env: {
+          OPENCODE_CONFIG_DIR: String.raw`C:\Users\dev\AppData\Roaming\CodeNomad\opencode-config`,
+          WSLENV: "OPENCODE_CONFIG_DIR:CODENOMAD_INSTANCE_ID/u",
+        },
+        propagateEnvKeys: ["OPENCODE_CONFIG_DIR", "CODENOMAD_INSTANCE_ID"],
+      },
+    )
+
+    assert.equal(spec.env?.WSLENV, "OPENCODE_CONFIG_DIR/p:CODENOMAD_INSTANCE_ID/u")
+  })
+
+  it("propagates inherited known path variables even when they are not explicitly requested", () => {
+    const spec = buildWindowsSpawnSpec(
+      String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`,
+      ["serve"],
+      {
+        env: {
+          NODE_EXTRA_CA_CERTS: String.raw`C:\certs\root.pem`,
+        },
+      },
+    )
+
+    assert.equal(spec.env?.WSLENV, "NODE_EXTRA_CA_CERTS/p")
+  })
+
+  it("uses wslpath for Windows workspace folders instead of assuming /mnt", () => {
+    const spec = buildWindowsSpawnSpec(
+      String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`,
+      ["serve", "--port", "0"],
+      {
+        cwd: String.raw`C:\Users\dev\workspace`,
+      },
+    )
+
+    assert.equal(spec.command, "wsl.exe")
+    assert.deepEqual(spec.args, [
+      "--distribution",
+      "Ubuntu",
+      "--exec",
+      "sh",
+      "-lc",
+      'cd "$(wslpath -au "$1")" && shift && exec "$@"',
+      "codenomad-wsl-launch",
+      String.raw`C:\Users\dev\workspace`,
+      "/home/dev/.opencode/bin/opencode",
+      "serve",
+      "--port",
+      "0",
+    ])
+  })
+
+  it("uses wslpath for UNC network workspace folders", () => {
+    const spec = buildWindowsSpawnSpec(
+      String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`,
+      ["serve"],
+      {
+        cwd: String.raw`\\server\share\workspace`,
+      },
+    )
+
+    assert.equal(spec.command, "wsl.exe")
+    assert.deepEqual(spec.args, [
+      "--distribution",
+      "Ubuntu",
+      "--exec",
+      "sh",
+      "-lc",
+      'cd "$(wslpath -au "$1")" && shift && exec "$@"',
+      "codenomad-wsl-launch",
+      String.raw`\\server\share\workspace`,
+      "/home/dev/.opencode/bin/opencode",
+      "serve",
+    ])
+  })
+
+  it("can wrap WSL launches to emit the Linux PID marker", () => {
+    const spec = buildWindowsSpawnSpec(
+      String.raw`\\wsl.localhost\Ubuntu\home\dev\.opencode\bin\opencode`,
+      ["serve"],
+      {
+        cwd: String.raw`\\wsl.localhost\Ubuntu\home\dev\workspace`,
+        wslPidMarker: "__CODENOMAD_WSL_PID__:",
+      },
+    )
+
+    assert.equal(spec.command, "wsl.exe")
+    assert.deepEqual(spec.args, [
+      "--distribution",
+      "Ubuntu",
+      "--exec",
+      "sh",
+      "-lc",
+      `printf '%s%s\\n' '__CODENOMAD_WSL_PID__:' "$$" && cd "$1" && shift && exec "$@"`,
+      "codenomad-wsl-launch",
+      "/home/dev/workspace",
+      "/home/dev/.opencode/bin/opencode",
+      "serve",
+    ])
+    assert.equal(spec.wsl?.pidMarker, "__CODENOMAD_WSL_PID__:")
+  })
+
+  it("builds the WSL kill command for tracked Linux PIDs", () => {
+    const spec = buildWslSignalSpec("Ubuntu", 4321, "SIGTERM")
+
+    assert.equal(spec.command, "wsl.exe")
+    assert.deepEqual(spec.args, ["--distribution", "Ubuntu", "--exec", "kill", "-TERM", "4321"])
+  })
+})

packages/server/src/workspaces/manager.ts

@@ -21,6 +21,70 @@ import {
 
 const STARTUP_STABILITY_DELAY_MS = 1500
 
+function defaultShellPath(): string {
+  const configured = process.env.SHELL?.trim()
+  if (configured) {
+    return configured
+  }
+
+  return process.platform === "darwin" ? "/bin/zsh" : "/bin/bash"
+}
+
+function shellEscape(input: string): string {
+  if (!input) return "''"
+  return `'${input.replace(/'/g, `'\\''`)}'`
+}
+
+function wrapCommandForShell(command: string, shellPath: string): string {
+  const shellName = path.basename(shellPath).toLowerCase()
+
+  if (shellName.includes("bash")) {
+    return `if [ -f ~/.bashrc ]; then source ~/.bashrc >/dev/null 2>&1; fi; ${command}`
+  }
+
+  if (shellName.includes("zsh")) {
+    return `if [ -f ~/.zshrc ]; then source ~/.zshrc >/dev/null 2>&1; fi; ${command}`
+  }
+
+  return command
+}
+
+function buildShellArgs(shellPath: string, command: string): string[] {
+  const shellName = path.basename(shellPath).toLowerCase()
+  if (shellName.includes("zsh")) {
+    return ["-l", "-i", "-c", command]
+  }
+  return ["-l", "-c", command]
+}
+
+function resolveBinaryPathFromUserShell(identifier: string): string | null {
+  if (process.platform === "win32") {
+    return null
+  }
+
+  const shellPath = defaultShellPath()
+  const lookupCommand = wrapCommandForShell(`command -v ${shellEscape(identifier)}`, shellPath)
+  const result = spawnSync(shellPath, buildShellArgs(shellPath, lookupCommand), {
+    encoding: "utf8",
+    env: {
+      ...process.env,
+      npm_config_prefix: undefined,
+      NPM_CONFIG_PREFIX: undefined,
+    },
+  })
+
+  if (result.status !== 0) {
+    return null
+  }
+
+  const resolved = String(result.stdout ?? "")
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .find((line) => line.length > 0)
+
+  return resolved ?? null
+}
+
 interface WorkspaceManagerOptions {
   rootDir: string
   settings: SettingsService
@@ -266,6 +330,12 @@ export class WorkspaceManager {
       this.options.logger.warn({ identifier, err: error }, "Failed to resolve binary path from system PATH")
     }
 
+    const shellResolved = resolveBinaryPathFromUserShell(identifier)
+    if (shellResolved) {
+      this.options.logger.debug({ identifier, resolved: shellResolved }, "Resolved binary path from user shell")
+      return shellResolved
+    }
+
     return identifier
   }
 

packages/server/src/workspaces/runtime.ts

@@ -4,100 +4,10 @@ import path from "path"
 import { EventBus } from "../events/bus"
 import { LogLevel, WorkspaceLogEntry } from "../api-types"
 import { Logger } from "../logger"
-
-export const WINDOWS_CMD_EXTENSIONS = new Set([".cmd", ".bat"])
-export const WINDOWS_POWERSHELL_EXTENSIONS = new Set([".ps1"])
-
-const VERSION_REGEX = /([0-9]+\.[0-9]+\.[0-9A-Za-z.-]+)/
-
-export function buildSpawnSpec(binaryPath: string, args: string[]) {
-  if (process.platform !== "win32") {
-    return { command: binaryPath, args, options: {} as const }
-  }
-
-  const extension = path.extname(binaryPath).toLowerCase()
-
-  if (WINDOWS_CMD_EXTENSIONS.has(extension)) {
-    const comspec = process.env.ComSpec || "cmd.exe"
-    // cmd.exe requires the full command as a single string.
-    // Using the ""<script> <args>"" pattern ensures paths with spaces are handled.
-    const commandLine = `""${binaryPath}" ${args.join(" ")}"`
-
-    return {
-      command: comspec,
-      args: ["/d", "/s", "/c", commandLine],
-      options: { windowsVerbatimArguments: true } as const,
-    }
-  }
-
-  if (WINDOWS_POWERSHELL_EXTENSIONS.has(extension)) {
-    // powershell.exe ships with Windows. (pwsh may not.)
-    return {
-      command: "powershell.exe",
-      args: ["-NoProfile", "-ExecutionPolicy", "Bypass", "-File", binaryPath, ...args],
-      options: {} as const,
-    }
-  }
-
-  return { command: binaryPath, args, options: {} as const }
-}
-
-export function probeBinaryVersion(binaryPath: string): {
-  valid: boolean
-  version?: string
-  reported?: string
-  error?: string
-} {
-  if (!binaryPath) {
-    return { valid: false, error: "Missing binary path" }
-  }
-
-  const spec = buildSpawnSpec(binaryPath, ["--version"])
-
-  try {
-    const result = spawnSync(spec.command, spec.args, {
-      encoding: "utf8",
-      windowsVerbatimArguments: Boolean(
-        (spec.options as { windowsVerbatimArguments?: boolean }).windowsVerbatimArguments,
-      ),
-    })
-
-    if (result.error) {
-      return { valid: false, error: result.error.message }
-    }
-
-    if (result.status !== 0) {
-      const stderr = result.stderr?.trim()
-      const stdout = result.stdout?.trim()
-      const combined = stderr || stdout
-      const error = combined ? `Exited with code ${result.status}: ${combined}` : `Exited with code ${result.status}`
-      return { valid: false, error }
-    }
-
-    const stdoutLines = String(result.stdout ?? "")
-      .split(/\r?\n/)
-      .map((line) => line.trim())
-      .filter((line) => line.length > 0)
-    const stderrLines = String(result.stderr ?? "")
-      .split(/\r?\n/)
-      .map((line) => line.trim())
-      .filter((line) => line.length > 0)
-
-    // Prefer stdout; fall back to stderr (some tools report version there).
-    const reported = stdoutLines[0] ?? stderrLines[0]
-    if (!reported) {
-      return { valid: true }
-    }
-
-    const versionMatch = reported.match(VERSION_REGEX)
-    const version = versionMatch?.[1]
-    return { valid: true, version, reported }
-  } catch (error) {
-    return { valid: false, error: error instanceof Error ? error.message : String(error) }
-  }
-}
+import { buildSpawnSpec, buildWslSignalSpec } from "./spawn"
 
 const SENSITIVE_ENV_KEY = /(PASSWORD|TOKEN|SECRET)/i
+const WSL_PID_MARKER = "__CODENOMAD_WSL_PID__:"
 
 function redactEnvironment(env: Record<string, string | undefined>): Record<string, string | undefined> {
   const redacted: Record<string, string | undefined> = {}
@@ -130,6 +40,10 @@ export interface ProcessExitInfo {
 interface ManagedProcess {
   child: ChildProcess
   requestedStop: boolean
+  wsl?: {
+    distro: string
+    linuxPid: number | null
+  }
 }
 
 export class WorkspaceRuntime {
@@ -167,7 +81,13 @@ export class WorkspaceRuntime {
     }
 
     return new Promise((resolve, reject) => {
-      const spec = buildSpawnSpec(options.binaryPath, args)
+      const propagatedEnvKeys = Object.keys(options.environment ?? {})
+      const spec = buildSpawnSpec(options.binaryPath, args, {
+        cwd: options.folder,
+        env,
+        propagateEnvKeys: propagatedEnvKeys,
+        wslPidMarker: WSL_PID_MARKER,
+      })
       const commandLine = [spec.command, ...spec.args].join(" ")
       this.logger.info(
         {
@@ -197,14 +117,18 @@ export class WorkspaceRuntime {
       )
       const detached = process.platform !== "win32"
       const child = spawn(spec.command, spec.args, {
-        cwd: options.folder,
-        env,
+        cwd: spec.cwd,
+        env: spec.env,
         stdio: ["ignore", "pipe", "pipe"],
         detached,
         ...spec.options,
       })
 
-      const managed: ManagedProcess = { child, requestedStop: false }
+      const managed: ManagedProcess = {
+        child,
+        requestedStop: false,
+        ...(spec.wsl ? { wsl: { distro: spec.wsl.distro, linuxPid: null } } : {}),
+      }
       this.processes.set(options.workspaceId, managed)
 
       let stdoutBuffer = ""
@@ -284,6 +208,15 @@ export class WorkspaceRuntime {
           const trimmed = line.trim()
           if (!trimmed) continue
 
+          if (managed.wsl && trimmed.startsWith(WSL_PID_MARKER)) {
+            const linuxPid = Number.parseInt(trimmed.slice(WSL_PID_MARKER.length), 10)
+            if (Number.isFinite(linuxPid) && linuxPid > 0) {
+              managed.wsl.linuxPid = linuxPid
+              this.logger.debug({ workspaceId: options.workspaceId, linuxPid }, "Captured WSL OpenCode PID")
+            }
+            continue
+          }
+
           recentStdout.push(trimmed)
           if (recentStdout.length > MAX_OUTPUT_LINES) {
             recentStdout.shift()
@@ -398,11 +331,44 @@ export class WorkspaceRuntime {
       }
     }
 
+    const trySignalWslProcess = (signal: NodeJS.Signals) => {
+      if (process.platform !== "win32" || !managed.wsl?.linuxPid) {
+        return false
+      }
+
+      try {
+        const spec = buildWslSignalSpec(managed.wsl.distro, managed.wsl.linuxPid, signal)
+        const result = spawnSync(spec.command, spec.args, { encoding: "utf8" })
+        const exitCode = result.status
+        if (exitCode === 0) {
+          return true
+        }
+
+        const stderr = (result.stderr ?? "").toString().toLowerCase()
+        const stdout = (result.stdout ?? "").toString().toLowerCase()
+        const combined = `${stdout}\n${stderr}`
+        if (combined.includes("no such process") || combined.includes("not found")) {
+          return true
+        }
+
+        this.logger.debug(
+          { workspaceId, pid, linuxPid: managed.wsl.linuxPid, distro: managed.wsl.distro, exitCode, stderr: result.stderr, stdout: result.stdout },
+          "WSL kill failed",
+        )
+        return false
+      } catch (error) {
+        this.logger.debug({ workspaceId, pid, linuxPid: managed.wsl.linuxPid, distro: managed.wsl.distro, err: error }, "WSL kill failed to execute")
+        return false
+      }
+    }
+
     const sendStopSignal = (signal: NodeJS.Signals) => {
       if (process.platform === "win32") {
-        // Best-effort: terminate the whole process tree rooted at pid.
-        // Use /F only for escalation.
-        tryTaskkill(signal === "SIGKILL")
+        // WSL-backed launches need a Linux signal first because the tracked Windows PID belongs to wsl.exe.
+        if (!trySignalWslProcess(signal)) {
+          // Fallback to the Windows process tree rooted at pid. Use /F only for escalation.
+          tryTaskkill(signal === "SIGKILL")
+        }
         return
       }
 

packages/server/src/workspaces/spawn.ts

@@ -0,0 +1,307 @@
+import { spawnSync } from "child_process"
+import path from "path"
+
+export const WINDOWS_CMD_EXTENSIONS = new Set([".cmd", ".bat"])
+export const WINDOWS_POWERSHELL_EXTENSIONS = new Set([".ps1"])
+
+const VERSION_REGEX = /([0-9]+\.[0-9]+\.[0-9A-Za-z.-]+)/
+const WSL_UNC_PATH_REGEX = /^\\\\wsl(?:\.localhost|\$)\\([^\\/]+)(?:[\\/](.*))?$/i
+const WSL_PATH_ENV_KEYS = new Set(["OPENCODE_CONFIG_DIR", "NODE_EXTRA_CA_CERTS"])
+
+export interface SpawnSpec {
+  command: string
+  args: string[]
+  options: {
+    windowsVerbatimArguments?: boolean
+  }
+  cwd?: string
+  env?: NodeJS.ProcessEnv
+  wsl?: {
+    distro: string
+    pidMarker?: string
+  }
+}
+
+interface BuildSpawnSpecOptions {
+  cwd?: string
+  env?: NodeJS.ProcessEnv
+  propagateEnvKeys?: string[]
+  wslPidMarker?: string
+}
+
+interface WslPath {
+  distro: string
+  linuxPath: string
+}
+
+export type WslWorkingDirectory =
+  | { kind: "linux"; path: string }
+  | { kind: "windows"; path: string }
+
+export function parseWslUncPath(input: string): WslPath | null {
+  const normalized = input.trim().replace(/\//g, "\\")
+  const match = normalized.match(WSL_UNC_PATH_REGEX)
+  if (!match) {
+    return null
+  }
+
+  const distro = match[1] ?? ""
+  const remainder = match[2] ?? ""
+  const segments = remainder.split(/\\+/).filter((segment) => segment.length > 0)
+
+  return {
+    distro,
+    linuxPath: segments.length > 0 ? `/${segments.join("/")}` : "/",
+  }
+}
+
+export function resolveWslWorkingDirectory(folder: string, distro: string): WslWorkingDirectory | null {
+  const wslFolder = parseWslUncPath(folder)
+  if (wslFolder) {
+    return wslFolder.distro.toLowerCase() === distro.toLowerCase() ? { kind: "linux", path: wslFolder.linuxPath } : null
+  }
+
+  const windowsFolder = normalizeWindowsPath(folder)
+  return windowsFolder ? { kind: "windows", path: windowsFolder } : null
+}
+
+export function buildWindowsSpawnSpec(binaryPath: string, args: string[], options: BuildSpawnSpecOptions = {}): SpawnSpec {
+  const wslPath = parseWslUncPath(binaryPath)
+  if (wslPath) {
+    return buildWslSpawnSpec(wslPath, args, options)
+  }
+
+  const extension = path.extname(binaryPath).toLowerCase()
+
+  if (WINDOWS_CMD_EXTENSIONS.has(extension)) {
+    const comspec = process.env.ComSpec || "cmd.exe"
+    // cmd.exe requires the full command as a single string.
+    // Using the ""<script> <args>"" pattern ensures paths with spaces are handled.
+    const commandLine = `""${binaryPath}" ${args.join(" ")}"`
+
+    return {
+      command: comspec,
+      args: ["/d", "/s", "/c", commandLine],
+      options: { windowsVerbatimArguments: true },
+      cwd: options.cwd,
+      env: options.env,
+    }
+  }
+
+  if (WINDOWS_POWERSHELL_EXTENSIONS.has(extension)) {
+    // powershell.exe ships with Windows. (pwsh may not.)
+    return {
+      command: "powershell.exe",
+      args: ["-NoProfile", "-ExecutionPolicy", "Bypass", "-File", binaryPath, ...args],
+      options: {},
+      cwd: options.cwd,
+      env: options.env,
+    }
+  }
+
+  return {
+    command: binaryPath,
+    args,
+    options: {},
+    cwd: options.cwd,
+    env: options.env,
+  }
+}
+
+export function buildSpawnSpec(binaryPath: string, args: string[], options: BuildSpawnSpecOptions = {}): SpawnSpec {
+  if (process.platform !== "win32") {
+    return {
+      command: binaryPath,
+      args,
+      options: {},
+      cwd: options.cwd,
+      env: options.env,
+    }
+  }
+
+  return buildWindowsSpawnSpec(binaryPath, args, options)
+}
+
+export function buildWslSignalSpec(distro: string, linuxPid: number, signal: NodeJS.Signals): SpawnSpec {
+  return {
+    command: "wsl.exe",
+    args: ["--distribution", distro, "--exec", "kill", signal === "SIGKILL" ? "-KILL" : "-TERM", String(linuxPid)],
+    options: {},
+    wsl: { distro },
+  }
+}
+
+export function probeBinaryVersion(binaryPath: string): {
+  valid: boolean
+  version?: string
+  reported?: string
+  error?: string
+} {
+  if (!binaryPath) {
+    return { valid: false, error: "Missing binary path" }
+  }
+
+  try {
+    const spec = buildSpawnSpec(binaryPath, ["--version"])
+    const result = spawnSync(spec.command, spec.args, {
+      encoding: "utf8",
+      cwd: spec.cwd,
+      env: spec.env,
+      windowsVerbatimArguments: Boolean(spec.options.windowsVerbatimArguments),
+    })
+
+    if (result.error) {
+      return { valid: false, error: result.error.message }
+    }
+
+    if (result.status !== 0) {
+      const stderr = result.stderr?.trim()
+      const stdout = result.stdout?.trim()
+      const combined = stderr || stdout
+      const error = combined ? `Exited with code ${result.status}: ${combined}` : `Exited with code ${result.status}`
+      return { valid: false, error }
+    }
+
+    const stdoutLines = String(result.stdout ?? "")
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line.length > 0)
+    const stderrLines = String(result.stderr ?? "")
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line.length > 0)
+
+    // Prefer stdout; fall back to stderr (some tools report version there).
+    const reported = stdoutLines[0] ?? stderrLines[0]
+    if (!reported) {
+      return { valid: true }
+    }
+
+    const versionMatch = reported.match(VERSION_REGEX)
+    const version = versionMatch?.[1]
+    return { valid: true, version, reported }
+  } catch (error) {
+    return { valid: false, error: error instanceof Error ? error.message : String(error) }
+  }
+}
+
+function buildWslSpawnSpec(wslPath: WslPath, args: string[], options: BuildSpawnSpecOptions): SpawnSpec {
+  const workingDirectory = options.cwd ? resolveWslWorkingDirectory(options.cwd, wslPath.distro) : undefined
+  if (options.cwd && !workingDirectory) {
+    throw new Error(
+      `Unable to translate workspace folder for WSL binary in distro "${wslPath.distro}": ${options.cwd}`,
+    )
+  }
+
+  const wslArgs = ["--distribution", wslPath.distro]
+  const shouldWrapWithShell = Boolean(options.wslPidMarker) || workingDirectory?.kind === "windows"
+
+  if (!shouldWrapWithShell && workingDirectory?.kind === "linux") {
+    wslArgs.push("--cd", workingDirectory.path)
+  }
+
+  if (shouldWrapWithShell) {
+    const launchScript = buildWslLaunchScript(workingDirectory ?? undefined, options.wslPidMarker)
+    wslArgs.push(
+      "--exec",
+      "sh",
+      "-lc",
+      launchScript,
+      "codenomad-wsl-launch",
+    )
+    if (workingDirectory) {
+      wslArgs.push(workingDirectory.path)
+    }
+    wslArgs.push(
+      wslPath.linuxPath,
+      ...args,
+    )
+  } else {
+    wslArgs.push("--exec", wslPath.linuxPath, ...args)
+  }
+
+  return {
+    command: "wsl.exe",
+    args: wslArgs,
+    options: {},
+    env: buildWslEnvironment(options.env, options.propagateEnvKeys),
+    wsl: { distro: wslPath.distro, pidMarker: options.wslPidMarker },
+  }
+}
+
+function buildWslLaunchScript(workingDirectory: WslWorkingDirectory | undefined, pidMarker: string | undefined): string {
+  const steps: string[] = []
+
+  if (pidMarker) {
+    steps.push(`printf '%s%s\\n' '${pidMarker}' "$$"`)
+  }
+
+  if (workingDirectory?.kind === "linux") {
+    steps.push('cd "$1"')
+    steps.push("shift")
+  } else if (workingDirectory?.kind === "windows") {
+    steps.push('cd "$(wslpath -au "$1")"')
+    steps.push("shift")
+  }
+
+  steps.push('exec "$@"')
+  return steps.join(" && ")
+}
+
+function normalizeWindowsPath(input: string): string | null {
+  const normalized = path.win32.normalize(input.trim().replace(/\//g, "\\"))
+  if (!normalized) {
+    return null
+  }
+
+  if (/^[A-Za-z]:/.test(normalized) || normalized.startsWith("\\\\")) {
+    return normalized
+  }
+
+  return null
+}
+
+function buildWslEnvironment(env: NodeJS.ProcessEnv | undefined, propagateEnvKeys: string[] | undefined): NodeJS.ProcessEnv | undefined {
+  if (!env) {
+    return env
+  }
+
+  const keysToPropagate = Array.from(
+    new Set([
+      ...(propagateEnvKeys ?? []).filter((key) => env[key] !== undefined),
+      ...Array.from(WSL_PATH_ENV_KEYS).filter((key) => env[key] !== undefined),
+    ]),
+  )
+  if (keysToPropagate.length === 0) {
+    return env
+  }
+
+  const next = { ...env }
+  const entries = (next.WSLENV ?? "").split(":").filter((entry) => entry.length > 0)
+  const byName = new Map(entries.map((entry) => [entry.split("/")[0] ?? entry, entry]))
+
+  for (const key of keysToPropagate) {
+    const existingEntry = byName.get(key)
+    if (existingEntry) {
+      byName.set(key, ensureWslenvEntry(existingEntry, WSL_PATH_ENV_KEYS.has(key)))
+      continue
+    }
+    byName.set(key, WSL_PATH_ENV_KEYS.has(key) ? `${key}/p` : key)
+  }
+
+  next.WSLENV = Array.from(byName.values()).join(":")
+  return next
+}
+
+function ensureWslenvEntry(entry: string, requiresPathTranslation: boolean): string {
+  if (!requiresPathTranslation) {
+    return entry
+  }
+
+  const [name, rawFlags = ""] = entry.split("/")
+  if (rawFlags.includes("p")) {
+    return entry
+  }
+
+  return rawFlags.length > 0 ? `${name}/${rawFlags}p` : `${name}/p`
+}

packages/tauri-app/Cargo.lock

@@ -47,15 +47,6 @@ version = "1.0.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
-[[package]]
-name = "arc-swap"
-version = "1.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a3a1fd6f75306b68087b831f025c712524bcb19aad54e557b1129cfa0a2b207"
-dependencies = [
- "rustversion",
-]
-
 [[package]]
 name = "async-broadcast"
 version = "0.7.2"
@@ -244,83 +235,6 @@ dependencies = [
  "fs_extra",
 ]
 
-[[package]]
-name = "axum"
-version = "0.7.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edca88bc138befd0323b20752846e6587272d3b03b0343c8ea28a6f819e6e71f"
-dependencies = [
- "async-trait",
- "axum-core",
- "bytes",
- "futures-util",
- "http",
- "http-body",
- "http-body-util",
- "hyper",
- "hyper-util",
- "itoa",
- "matchit",
- "memchr",
- "mime",
- "percent-encoding",
- "pin-project-lite",
- "rustversion",
- "serde",
- "serde_json",
- "serde_path_to_error",
- "serde_urlencoded",
- "sync_wrapper",
- "tokio",
- "tower",
- "tower-layer",
- "tower-service",
- "tracing",
-]
-
-[[package]]
-name = "axum-core"
-version = "0.4.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09f2bd6146b97ae3359fa0cc6d6b376d9539582c7b4220f041a33ec24c226199"
-dependencies = [
- "async-trait",
- "bytes",
- "futures-util",
- "http",
- "http-body",
- "http-body-util",
- "mime",
- "pin-project-lite",
- "rustversion",
- "sync_wrapper",
- "tower-layer",
- "tower-service",
- "tracing",
-]
-
-[[package]]
-name = "axum-server"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1ab4a3ec9ea8a657c72d99a03a824af695bd0fb5ec639ccbd9cd3543b41a5f9"
-dependencies = [
- "arc-swap",
- "bytes",
- "fs-err",
- "http",
- "http-body",
- "hyper",
- "hyper-util",
- "pin-project-lite",
- "rustls",
- "rustls-pemfile",
- "rustls-pki-types",
- "tokio",
- "tokio-rustls",
- "tower-service",
-]
-
 [[package]]
 name = "base64"
 version = "0.21.7"
@@ -586,17 +500,11 @@ name = "codenomad-tauri"
 version = "0.14.0"
 dependencies = [
  "anyhow",
- "axum",
- "axum-server",
  "base64 0.22.1",
- "bytes",
  "dirs 5.0.1",
- "futures-util",
  "keepawake",
  "libc",
- "once_cell",
  "parking_lot",
- "rand 0.8.5",
  "regex",
  "reqwest 0.12.28",
  "rustls",
@@ -609,8 +517,6 @@ dependencies = [
  "tauri-plugin-global-shortcut",
  "tauri-plugin-notification",
  "tauri-plugin-opener",
- "thiserror 1.0.69",
- "tokio",
  "url",
  "webkit2gtk",
  "which",
@@ -1283,16 +1189,6 @@ dependencies = [
  "percent-encoding",
 ]
 
-[[package]]
-name = "fs-err"
-version = "3.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73fde052dbfc920003cfd2c8e2c6e6d4cc7c1091538c3a24226cec0665ab08c0"
-dependencies = [
- "autocfg",
- "tokio",
-]
-
 [[package]]
 name = "fs_extra"
 version = "1.3.0"
@@ -1872,12 +1768,6 @@ version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
 
-[[package]]
-name = "httpdate"
-version = "1.0.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
-
 [[package]]
 name = "hyper"
 version = "1.8.1"
@@ -1892,7 +1782,6 @@ dependencies = [
  "http",
  "http-body",
  "httparse",
- "httpdate",
  "itoa",
  "pin-project-lite",
  "pin-utils",
@@ -2441,12 +2330,6 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5"
 
-[[package]]
-name = "matchit"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94"
-
 [[package]]
 name = "memchr"
 version = "2.8.0"
@@ -3670,15 +3553,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@@ -3892,17 +3766,6 @@ dependencies = [
  "zmij",
 ]
 
-[[package]]
-name = "serde_path_to_error"
-version = "0.1.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
-dependencies = [
- "itoa",
- "serde",
- "serde_core",
-]
-
 [[package]]
 name = "serde_repr"
 version = "0.1.20"
@@ -4812,21 +4675,9 @@ dependencies = [
  "mio",
  "pin-project-lite",
  "socket2",
- "tokio-macros",
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "tokio-macros"
-version = "2.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.117",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.26.4"
@@ -4968,7 +4819,6 @@ dependencies = [
  "tokio",
  "tower-layer",
  "tower-service",
- "tracing",
 ]
 
 [[package]]
@@ -5007,7 +4857,6 @@ version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 dependencies = [
- "log",
  "pin-project-lite",
  "tracing-attributes",
  "tracing-core",

packages/tauri-app/package.json

@@ -14,7 +14,6 @@
     "build": "tauri build"
   },
   "devDependencies": {
-    "@tauri-apps/cli": "^2.9.4",
-    "@tauri-apps/cli-darwin-arm64": "^2.9.4"
+    "@tauri-apps/cli": "^2.10.1"
   }
 }

packages/tauri-app/scripts/prebuild.js

@@ -21,6 +21,7 @@ const serverDevInstallCommand =
 const uiDevInstallCommand =
   "npm install --workspace @codenomad/ui --include-workspace-root=false --install-strategy=nested --fund=false --audit=false"
 const serverPrepareUiCommand = "npm run prepare-ui --workspace @neuralnomads/codenomad"
+const serverStandaloneBuildCommand = "npm run build:standalone --workspace @neuralnomads/codenomad"
 
 const envWithRootBin = {
   ...process.env,
@@ -37,6 +38,12 @@ const braceExpansionPath = path.join(
   "package.json",
 )
 
+const serverBuildDependencyPaths = [
+  path.join(serverRoot, "node_modules", "typescript", "package.json"),
+  path.join(serverRoot, "node_modules", "@types", "node-forge", "package.json"),
+  path.join(serverRoot, "node_modules", "@types", "yauzl", "package.json"),
+]
+
 const viteBinPath = path.join(uiRoot, "node_modules", ".bin", "vite")
 
 async function ensureMonacoAssets() {
@@ -71,6 +78,15 @@ function ensureServerBuild() {
   }
 }
 
+function ensureStandaloneServerBuild() {
+  console.log("[prebuild] building standalone server executable...")
+  execSync(serverStandaloneBuildCommand, {
+    cwd: workspaceRoot,
+    stdio: "inherit",
+    env: envWithRootBin,
+  })
+}
+
 function ensureUiBuild() {
   const loadingHtml = path.join(uiDist, "loading.html")
   if (fs.existsSync(loadingHtml)) {
@@ -98,7 +114,7 @@ function syncServerUiBundle() {
 }
 
 function ensureServerDevDependencies() {
-  if (fs.existsSync(braceExpansionPath)) {
+  if (serverBuildDependencyPaths.every((filePath) => fs.existsSync(filePath))) {
     return
   }
 
@@ -111,15 +127,19 @@ function ensureServerDevDependencies() {
 }
 
 function ensureServerDependencies() {
-  if (fs.existsSync(braceExpansionPath)) {
-    return
-  }
-
-  console.log("[prebuild] ensuring server production dependencies...")
-  execSync(serverInstallCommand, {
+  console.log("[prebuild] pruning server to production dependencies...")
+  execSync("npm prune --omit=dev --ignore-scripts --workspaces=false --fund=false --audit=false", {
     cwd: serverRoot,
     stdio: "inherit",
   })
+
+  if (!fs.existsSync(braceExpansionPath)) {
+    console.log("[prebuild] restoring missing server production dependencies...")
+    execSync(serverInstallCommand, {
+      cwd: serverRoot,
+      stdio: "inherit",
+    })
+  }
 }
 
 function ensureUiDevDependencies() {
@@ -142,6 +162,7 @@ function ensureRollupPlatformBinary() {
     "linux-arm64": "@rollup/rollup-linux-arm64-gnu",
     "darwin-arm64": "@rollup/rollup-darwin-arm64",
     "darwin-x64": "@rollup/rollup-darwin-x64",
+    "win32-arm64": "@rollup/rollup-win32-arm64-msvc",
     "win32-x64": "@rollup/rollup-win32-x64-msvc",
   }
 
@@ -171,6 +192,47 @@ function ensureRollupPlatformBinary() {
   })
 }
 
+function ensureEsbuildPlatformBinary() {
+  const platformKey = `${process.platform}-${process.arch}`
+  const platformPackages = {
+    "linux-x64": "@esbuild/linux-x64",
+    "linux-arm64": "@esbuild/linux-arm64",
+    "darwin-arm64": "@esbuild/darwin-arm64",
+    "darwin-x64": "@esbuild/darwin-x64",
+    "win32-arm64": "@esbuild/win32-arm64",
+    "win32-x64": "@esbuild/win32-x64",
+  }
+
+  const pkgName = platformPackages[platformKey]
+  if (!pkgName) {
+    return
+  }
+
+  const platformPackagePath = path.join(workspaceRoot, "node_modules", ...pkgName.split("/"))
+  if (fs.existsSync(platformPackagePath)) {
+    return
+  }
+
+  let esbuildVersion = ""
+  try {
+    esbuildVersion = require(path.join(workspaceRoot, "node_modules", "esbuild", "package.json")).version
+  } catch {
+    try {
+      esbuildVersion = require(path.join(workspaceRoot, "node_modules", "vite", "node_modules", "esbuild", "package.json")).version
+    } catch {
+      // leave version empty; fallback install will use latest compatible
+    }
+  }
+
+  const packageSpec = esbuildVersion ? `${pkgName}@${esbuildVersion}` : pkgName
+
+  console.log("[prebuild] installing esbuild platform binary (optional dep workaround)...")
+  execSync(`npm install ${packageSpec} --no-save --ignore-scripts --fund=false --audit=false`, {
+    cwd: workspaceRoot,
+    stdio: "inherit",
+  })
+}
+
 function copyServerArtifacts() {
   fs.rmSync(serverDest, { recursive: true, force: true })
   fs.mkdirSync(serverDest, { recursive: true })
@@ -249,8 +311,10 @@ function copyUiLoadingAssets() {
   ensureUiDevDependencies()
   await ensureMonacoAssets()
   ensureRollupPlatformBinary()
-  ensureServerDependencies()
+  ensureEsbuildPlatformBinary()
   ensureServerBuild()
+  ensureStandaloneServerBuild()
+  ensureServerDependencies()
   ensureUiBuild()
   syncServerUiBundle()
   copyServerArtifacts()

packages/tauri-app/src-tauri/Cargo.toml

@@ -5,27 +5,19 @@ edition = "2021"
 license = "MIT"
 
 [build-dependencies]
-tauri-build = { version = "2.5.2", features = [] }
+tauri-build = { version = "2.5.6", features = [] }
 
 [dependencies]
-tauri = { version = "2.5.2", features = [ "devtools"] }
+tauri = { version = "2.10.1", features = [ "devtools"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_yaml = "0.9"
-axum = "0.7"
-axum-server = { version = "0.7", features = ["tls-rustls"] }
 base64 = "0.22"
-bytes = "1"
-futures-util = "0.3"
 rustls = { version = "0.23", features = ["ring"] }
 reqwest = { version = "0.12", default-features = false, features = ["http2", "charset", "json", "stream", "rustls-tls"] }
-rand = "0.8"
 regex = "1"
-once_cell = "1"
 parking_lot = "0.12"
-thiserror = "1"
 anyhow = "1"
-tokio = { version = "1", features = ["macros", "rt-multi-thread", "net", "sync"] }
 which = "4"
 libc = "0.2"
 keepawake = "0.6"

packages/tauri-app/src-tauri/icons/linux/ai.neuralnomads.codenomad.client.desktop

@@ -0,0 +1,9 @@
+[Desktop Entry]
+Categories=
+Exec=codenomad-tauri
+StartupWMClass=codenomad-tauri
+Icon=codenomad-tauri
+Name=CodeNomad
+NoDisplay=true
+Terminal=false
+Type=Application

packages/tauri-app/src-tauri/src/cert_manager.rs

@@ -152,6 +152,10 @@ fn trusted_marker_value(cert_der: &[u8]) -> String {
     cert_der.iter().map(|byte| format!("{byte:02x}")).collect()
 }
 
+fn trusted_marker_file_suffix(cert_der: &[u8]) -> String {
+    trusted_marker_value(cert_der).chars().take(16).collect()
+}
+
 fn has_matching_trusted_marker(cert_der: &[u8]) -> bool {
     trusted_marker_path()
         .ok()
@@ -170,8 +174,11 @@ fn write_trusted_marker(cert_der: &[u8]) -> Result<(), String> {
         .map_err(|e| format!("Failed to write trust marker: {e}"))
 }
 
-/// Adds the DER-encoded CA certificate to the Windows `CurrentUser\Root` store.
-/// This will show a one-time Windows security confirmation dialog when needed.
+#[cfg(windows)]
+pub fn needs_trust_in_store(cert_der: &[u8]) -> Result<bool, String> {
+    Ok(!windows_cert_is_trusted(cert_der)?)
+}
+
 #[cfg(windows)]
 pub fn trust_cert_in_store(cert_der: &[u8]) -> Result<(), String> {
     use windows_sys::Win32::Security::Cryptography::{
@@ -179,7 +186,7 @@ pub fn trust_cert_in_store(cert_der: &[u8]) -> Result<(), String> {
         CERT_STORE_ADD_REPLACE_EXISTING, PKCS_7_ASN_ENCODING, X509_ASN_ENCODING,
     };
 
-    if has_matching_trusted_marker(cert_der) {
+    if !needs_trust_in_store(cert_der)? {
         return Ok(());
     }
 
@@ -215,7 +222,201 @@ pub fn trust_cert_in_store(cert_der: &[u8]) -> Result<(), String> {
     Ok(())
 }
 
-#[cfg(not(windows))]
+#[cfg(target_os = "macos")]
+pub fn needs_trust_in_store(cert_der: &[u8]) -> Result<bool, String> {
+    Ok(!(has_matching_trusted_marker(cert_der) && macos_cert_is_trusted(cert_der)?))
+}
+
+#[cfg(target_os = "macos")]
+pub fn trust_cert_in_store(cert_der: &[u8]) -> Result<(), String> {
+    use std::process::Command;
+
+    if !needs_trust_in_store(cert_der)? {
+        return Ok(());
+    }
+
+    let temp_path = env::temp_dir().join(format!(
+        "codenomad-server-ca-{}.cer",
+        trusted_marker_file_suffix(cert_der)
+    ));
+    fs::write(&temp_path, cert_der)
+        .map_err(|e| format!("Failed to write temporary certificate {}: {e}", temp_path.display()))?;
+
+    let keychain_path = resolve_macos_user_keychain()?;
+
+    let mut command = Command::new("/usr/bin/security");
+    command.args(["add-trusted-cert", "-r", "trustRoot", "-k"]);
+    command.arg(&keychain_path);
+
+    let output = command.arg(&temp_path).output().map_err(|e| {
+        format!(
+            "Failed to launch macOS security tool to trust the local CA certificate: {e}"
+        )
+    })?;
+
+    let _ = fs::remove_file(&temp_path);
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();
+        let detail = if stderr.is_empty() {
+            format!("security exited with status {}", output.status)
+        } else {
+            stderr
+        };
+        return Err(format!(
+            "Failed to add the local CodeNomad CA certificate to the macOS trust settings: {detail}"
+        ));
+    }
+
+    if !macos_cert_is_trusted(cert_der)? {
+        return Err(format!(
+            "Added the local CodeNomad CA certificate to {} but could not verify that macOS trusts it",
+            keychain_path.display()
+        ));
+    }
+
+    write_trusted_marker(cert_der)?;
+    Ok(())
+}
+
+#[cfg(windows)]
+fn windows_cert_is_trusted(cert_der: &[u8]) -> Result<bool, String> {
+    use windows_sys::Win32::Security::Cryptography::{
+        CertCloseStore, CertEnumCertificatesInStore, CertOpenSystemStoreW,
+    };
+
+    let store_name: Vec<u16> = "Root\0".encode_utf16().collect();
+
+    unsafe {
+        let store = CertOpenSystemStoreW(0, store_name.as_ptr());
+        if store.is_null() {
+            return Err("Failed to open CurrentUser\\Root certificate store".into());
+        }
+
+        let mut context = CertEnumCertificatesInStore(store, std::ptr::null());
+        while !context.is_null() {
+            let encoded = std::slice::from_raw_parts(
+                (*context).pbCertEncoded,
+                (*context).cbCertEncoded as usize,
+            );
+            if encoded == cert_der {
+                CertCloseStore(store, 0);
+                return Ok(true);
+            }
+
+            context = CertEnumCertificatesInStore(store, context);
+        }
+
+        CertCloseStore(store, 0);
+        Ok(false)
+    }
+}
+
+#[cfg(target_os = "macos")]
+fn resolve_macos_user_keychain() -> Result<PathBuf, String> {
+    let output = std::process::Command::new("/usr/bin/security")
+        .args(["default-keychain", "-d", "user"])
+        .output()
+        .map_err(|e| format!("Failed to resolve macOS default user keychain: {e}"))?;
+
+    if output.status.success() {
+        let stdout = String::from_utf8_lossy(&output.stdout);
+        let trimmed = stdout.trim().trim_matches('"');
+        if !trimmed.is_empty() {
+            return Ok(PathBuf::from(trimmed));
+        }
+    }
+
+    let home = dirs::home_dir().or_else(|| env::var("HOME").ok().map(PathBuf::from));
+    let home = home.ok_or_else(|| "Cannot determine home directory for macOS keychain lookup".to_string())?;
+    Ok(home.join("Library/Keychains/login.keychain-db"))
+}
+
+#[cfg(target_os = "macos")]
+fn macos_cert_is_trusted(cert_der: &[u8]) -> Result<bool, String> {
+    use std::process::Command;
+
+    let temp_path = env::temp_dir().join(format!(
+        "codenomad-server-ca-verify-{}.cer",
+        trusted_marker_file_suffix(cert_der)
+    ));
+    fs::write(&temp_path, cert_der)
+        .map_err(|e| format!("Failed to write temporary certificate {}: {e}", temp_path.display()))?;
+
+    let keychain_path = resolve_macos_user_keychain()?;
+    let fingerprint = macos_cert_sha256(&temp_path)?;
+    let find_output = Command::new("/usr/bin/security")
+        .args(["find-certificate", "-a", "-Z", "-c", "CodeNomad Local CA"])
+        .arg(&keychain_path)
+        .output()
+        .map_err(|e| format!("Failed to query macOS keychain certificates: {e}"))?;
+
+    if !find_output.status.success() {
+        let _ = fs::remove_file(&temp_path);
+        let stderr = String::from_utf8_lossy(&find_output.stderr).trim().to_string();
+        let detail = if stderr.is_empty() {
+            format!("security exited with status {}", find_output.status)
+        } else {
+            stderr
+        };
+        return Err(format!(
+            "Failed to inspect the macOS keychain for the local CodeNomad CA certificate: {detail}"
+        ));
+    }
+
+    let stdout = String::from_utf8_lossy(&find_output.stdout);
+    if !stdout.to_ascii_uppercase().contains(&fingerprint) {
+        let _ = fs::remove_file(&temp_path);
+        return Ok(false);
+    }
+
+    let verify_output = Command::new("/usr/bin/security")
+        .args(["verify-cert", "-q", "-L", "-l", "-p", "basic", "-c"])
+        .arg(&temp_path)
+        .args(["-k"])
+        .arg(&keychain_path)
+        .output()
+        .map_err(|e| format!("Failed to verify macOS trust for the local CodeNomad CA certificate: {e}"))?;
+
+    let _ = fs::remove_file(&temp_path);
+    Ok(verify_output.status.success())
+}
+
+#[cfg(target_os = "macos")]
+fn macos_cert_sha256(cert_path: &Path) -> Result<String, String> {
+    let output = std::process::Command::new("/usr/bin/shasum")
+        .args(["-a", "256"])
+        .arg(cert_path)
+        .output()
+        .map_err(|e| format!("Failed to compute SHA-256 for {}: {e}", cert_path.display()))?;
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();
+        let detail = if stderr.is_empty() {
+            format!("shasum exited with status {}", output.status)
+        } else {
+            stderr
+        };
+        return Err(format!(
+            "Failed to compute SHA-256 for {}: {detail}",
+            cert_path.display()
+        ));
+    }
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let hash = stdout
+        .split_whitespace()
+        .next()
+        .ok_or_else(|| format!("Failed to parse SHA-256 output for {}", cert_path.display()))?;
+    Ok(hash.to_ascii_uppercase())
+}
+
+#[cfg(all(not(windows), not(target_os = "macos")))]
+pub fn needs_trust_in_store(_cert_der: &[u8]) -> Result<bool, String> {
+    Ok(false)
+}
+
+#[cfg(all(not(windows), not(target_os = "macos")))]
 pub fn trust_cert_in_store(_cert_der: &[u8]) -> Result<(), String> {
     // Non-Windows platforms use native webview-specific handling instead of OS trust-store writes.
     Ok(())

packages/tauri-app/src-tauri/src/cli_manager.rs

@@ -38,6 +38,7 @@ use windows_sys::Win32::System::JobObjects::{
 
 #[cfg(windows)]
 const CREATE_NO_WINDOW: u32 = 0x08000000;
+const MISSING_NODE_PREFIX: &str = "CODENOMAD_MISSING_NODE:";
 
 #[cfg(windows)]
 #[derive(Debug)]
@@ -135,6 +136,10 @@ fn workspace_root() -> Option<PathBuf> {
     })
 }
 
+fn launch_cwd() -> Option<PathBuf> {
+    std::env::current_dir().ok()
+}
+
 const SESSION_COOKIE_NAME_PREFIX: &str = "codenomad_session";
 
 const CLI_STOP_GRACE_SECS: u64 = 30;
@@ -623,42 +628,54 @@ impl CliProcessManager {
             log_line("development mode: will prefer tsx + source if present");
         }
 
-        let cwd = workspace_root();
+        let cwd = launch_cwd();
         if let Some(ref c) = cwd {
             log_line(&format!("using cwd={}", c.display()));
         }
 
         let use_user_shell = supports_user_shell();
 
+        if resolution.runner == Runner::Tsx
+            && !use_user_shell
+            && which::which(&resolution.node_binary).is_err()
+        {
+            return Err(anyhow::anyhow!(
+                "Node binary '{}' not found. CodeNomad development mode requires Node.js installed on the system, or set NODE_BINARY to a valid runtime path.",
+                resolution.node_binary
+            ));
+        }
+
         let command_info = if use_user_shell {
             log_line("spawning via user shell");
             ShellCommandType::UserShell(build_shell_command_string(&resolution, &args)?)
         } else {
-            log_line("spawning directly with node");
+            log_line(if resolution.runner == Runner::Standalone {
+                "spawning directly with standalone executable"
+            } else {
+                "spawning directly with node"
+            });
             ShellCommandType::Direct(DirectCommand {
-                program: resolution.node_binary.clone(),
+                program: if resolution.runner == Runner::Standalone {
+                    resolution.entry.clone()
+                } else {
+                    resolution.node_binary.clone()
+                },
                 args: resolution.runner_args(&args),
             })
         };
 
-        if !use_user_shell {
-            if which::which(&resolution.node_binary).is_err() {
-                return Err(anyhow::anyhow!(
-                    "Node binary not found. Make sure Node.js is installed."
-                ));
-            }
-        }
-
         let child = match &command_info {
             ShellCommandType::UserShell(cmd) => {
                 log_line(&format!("spawn command: {} {:?}", cmd.shell, cmd.args));
                 let mut c = Command::new(&cmd.shell);
                 c.args(&cmd.args)
-                    .env("ELECTRON_RUN_AS_NODE", "1")
                     .env_remove("npm_config_prefix")
                     .env_remove("NPM_CONFIG_PREFIX")
                     .stdout(Stdio::piped())
                     .stderr(Stdio::piped());
+                if resolution.runner != Runner::Standalone {
+                    c.env("ELECTRON_RUN_AS_NODE", "1");
+                }
                 configure_spawn(&mut c);
                 if let Some(ref cwd) = cwd {
                     c.current_dir(cwd);
@@ -671,9 +688,11 @@ impl CliProcessManager {
                 log_line(&format!("spawn command: {} {:?}", cmd.program, cmd.args));
                 let mut c = Command::new(&cmd.program);
                 c.args(&cmd.args)
-                    .env("ELECTRON_RUN_AS_NODE", "1")
                     .stdout(Stdio::piped())
                     .stderr(Stdio::piped());
+                if resolution.runner != Runner::Standalone {
+                    c.env("ELECTRON_RUN_AS_NODE", "1");
+                }
                 configure_spawn(&mut c);
                 if let Some(ref cwd) = cwd {
                     c.current_dir(cwd);
@@ -920,6 +939,17 @@ impl CliProcessManager {
                             continue;
                         }
 
+                        if let Some(node_binary) = line.strip_prefix(MISSING_NODE_PREFIX) {
+                            let mut locked = status.lock();
+                            if locked.error.is_none() {
+                                locked.error = Some(format!(
+                                    "Node binary '{}' not found in the desktop shell environment. CodeNomad development mode requires Node.js installed on the system, or set NODE_BINARY to a valid runtime path.",
+                                    node_binary.trim()
+                                ));
+                            }
+                            continue;
+                        }
+
                         if let Some(url) = local_url_regex
                             .as_ref()
                             .and_then(|re| re.captures(line).and_then(|c| c.get(1)))
@@ -1036,7 +1066,7 @@ struct CliEntry {
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 enum Runner {
-    Node,
+    Standalone,
     Tsx,
 }
 
@@ -1057,17 +1087,17 @@ impl CliEntry {
             }
         }
 
-        if let Some(entry) = resolve_dist_entry(app) {
+        if let Some(entry) = resolve_standalone_entry(app) {
             return Ok(Self {
                 entry,
-                runner: Runner::Node,
+                runner: Runner::Standalone,
                 runner_path: None,
-                node_binary,
+                node_binary: String::new(),
             });
         }
 
         Err(anyhow::anyhow!(
-            "Unable to locate CodeNomad CLI build (dist/bin.js). Please build @neuralnomads/codenomad."
+            "Unable to locate the packaged CodeNomad standalone server. Please rebuild the desktop bundle."
         ))
     }
 
@@ -1083,7 +1113,8 @@ impl CliEntry {
         ];
 
         if dev {
-            // Dev: plain HTTP + Vite dev server proxy.
+            // Dev: keep loopback HTTP for the Vite proxy, but also enable HTTPS so
+            // remote proxy sessions can still spin up secure local windows.
             let ui_dev_server = std::env::var("VITE_DEV_SERVER_URL")
                 .ok()
                 .filter(|value| !value.trim().is_empty())
@@ -1100,7 +1131,7 @@ impl CliEntry {
                 .unwrap_or_else(|| "info".to_string());
 
             args.push("--https".to_string());
-            args.push("false".to_string());
+            args.push("true".to_string());
             args.push("--http".to_string());
             args.push("true".to_string());
             args.push("--http-port".to_string());
@@ -1120,6 +1151,10 @@ impl CliEntry {
     }
 
     fn runner_args(&self, cli_args: &[String]) -> Vec<String> {
+        if self.runner == Runner::Standalone {
+            return cli_args.to_vec();
+        }
+
         let mut args = VecDeque::new();
         if self.runner == Runner::Tsx {
             if let Some(path) = &self.runner_path {
@@ -1192,45 +1227,37 @@ fn resolve_dev_entry(_app: &AppHandle) -> Option<String> {
     first_existing(candidates)
 }
 
-fn resolve_dist_entry(_app: &AppHandle) -> Option<String> {
+fn resolve_standalone_entry(_app: &AppHandle) -> Option<String> {
+    let executable_name = if cfg!(windows) {
+        "codenomad-server.exe"
+    } else {
+        "codenomad-server"
+    };
     let base = workspace_root();
-    let mut candidates: Vec<Option<PathBuf>> = vec![
-        base.as_ref().map(|p| p.join("packages/server/dist/bin.js")),
-        base.as_ref()
-            .map(|p| p.join("packages/server/dist/index.js")),
-        base.as_ref().map(|p| p.join("server/dist/bin.js")),
-        base.as_ref().map(|p| p.join("server/dist/index.js")),
-    ];
+    let mut candidates = vec![base
+        .as_ref()
+        .map(|p| p.join("packages/server/dist").join(executable_name))];
 
     if let Ok(exe) = std::env::current_exe() {
         if let Some(dir) = exe.parent() {
-            candidates.push(Some(dir.join("resources/server/dist/bin.js")));
-            candidates.push(Some(dir.join("resources/server/dist/index.js")));
-            candidates.push(Some(dir.join("resources/server/dist/server/bin.js")));
-            candidates.push(Some(dir.join("resources/server/dist/server/index.js")));
+            candidates.push(Some(
+                dir.join("resources/server/dist").join(executable_name),
+            ));
 
             let resources = dir.join("../Resources");
-            candidates.push(Some(resources.join("server/dist/bin.js")));
-            candidates.push(Some(resources.join("server/dist/index.js")));
-            candidates.push(Some(resources.join("server/dist/server/bin.js")));
-            candidates.push(Some(resources.join("server/dist/server/index.js")));
-            candidates.push(Some(resources.join("resources/server/dist/bin.js")));
-            candidates.push(Some(resources.join("resources/server/dist/index.js")));
-            candidates.push(Some(resources.join("resources/server/dist/server/bin.js")));
+            candidates.push(Some(resources.join("server/dist").join(executable_name)));
             candidates.push(Some(
-                resources.join("resources/server/dist/server/index.js"),
+                resources
+                    .join("resources/server/dist")
+                    .join(executable_name),
             ));
 
             let linux_resource_roots = [dir.join("../lib/CodeNomad"), dir.join("../lib/codenomad")];
             for root in linux_resource_roots {
-                candidates.push(Some(root.join("server/dist/bin.js")));
-                candidates.push(Some(root.join("server/dist/index.js")));
-                candidates.push(Some(root.join("server/dist/server/bin.js")));
-                candidates.push(Some(root.join("server/dist/server/index.js")));
-                candidates.push(Some(root.join("resources/server/dist/bin.js")));
-                candidates.push(Some(root.join("resources/server/dist/index.js")));
-                candidates.push(Some(root.join("resources/server/dist/server/bin.js")));
-                candidates.push(Some(root.join("resources/server/dist/server/index.js")));
+                candidates.push(Some(root.join("server/dist").join(executable_name)));
+                candidates.push(Some(
+                    root.join("resources/server/dist").join(executable_name),
+                ));
             }
         }
     }
@@ -1244,16 +1271,55 @@ fn build_shell_command_string(
 ) -> anyhow::Result<ShellCommand> {
     let shell = default_shell();
     let mut quoted: Vec<String> = Vec::new();
-    quoted.push(shell_escape(&entry.node_binary));
-    for arg in entry.runner_args(cli_args) {
-        quoted.push(shell_escape(&arg));
-    }
-    let command = format!("ELECTRON_RUN_AS_NODE=1 exec {}", quoted.join(" "));
-    let args = build_shell_args(&shell, &command);
+    let command = if entry.runner == Runner::Standalone {
+        quoted.push(shell_escape(&entry.entry));
+        for arg in cli_args {
+            quoted.push(shell_escape(arg));
+        }
+        format!("exec {}", quoted.join(" "))
+    } else {
+        quoted.push(shell_escape(&entry.node_binary));
+        for arg in entry.runner_args(cli_args) {
+            quoted.push(shell_escape(&arg));
+        }
+        format!(
+            "if command -v {} >/dev/null 2>&1; then ELECTRON_RUN_AS_NODE=1 exec {}; else printf '%s%s\\n' '{}' {} >&2; exit 127; fi",
+            shell_escape(&entry.node_binary),
+            quoted.join(" "),
+            MISSING_NODE_PREFIX,
+            shell_escape(&entry.node_binary),
+        )
+    };
+    let wrapped_command = wrap_command_for_shell(&command, &shell);
+    let args = build_shell_args(&shell, &wrapped_command);
     log_line(&format!("user shell command: {} {:?}", shell, args));
     Ok(ShellCommand { shell, args })
 }
 
+fn wrap_command_for_shell(command: &str, shell: &str) -> String {
+    let shell_name = std::path::Path::new(shell)
+        .file_name()
+        .and_then(OsStr::to_str)
+        .unwrap_or("")
+        .to_lowercase();
+
+    if shell_name.contains("bash") {
+        return format!(
+            "if [ -f ~/.bashrc ]; then source ~/.bashrc >/dev/null 2>&1; fi; {}",
+            command
+        );
+    }
+
+    if shell_name.contains("zsh") {
+        return format!(
+            "if [ -f ~/.zshrc ]; then source ~/.zshrc >/dev/null 2>&1; fi; {}",
+            command
+        );
+    }
+
+    command.to_string()
+}
+
 fn default_shell() -> String {
     if let Ok(shell) = std::env::var("SHELL") {
         if !shell.trim().is_empty() {
@@ -1288,8 +1354,11 @@ fn build_shell_args(shell: &str, command: &str) -> Vec<String> {
         .unwrap_or("")
         .to_lowercase();
 
-    let _ = shell_name;
-    vec!["-l".into(), "-c".into(), command.into()]
+    if shell_name.contains("zsh") {
+        vec!["-l".into(), "-i".into(), "-c".into(), command.into()]
+    } else {
+        vec!["-l".into(), "-c".into(), command.into()]
+    }
 }
 
 fn first_existing(paths: Vec<Option<PathBuf>>) -> Option<String> {

packages/tauri-app/src-tauri/src/linux_tls.rs

@@ -3,8 +3,8 @@ use tauri::{AppHandle, Manager, WebviewWindow};
 use url::Url;
 use webkit2gtk::{WebContextExt, WebView, WebViewExt};
 
-pub fn should_bootstrap_tls_navigation(target_url: &Url, skip_tls_verify: bool) -> bool {
-    skip_tls_verify && target_url.scheme() == "https"
+pub fn should_bootstrap_tls_navigation(target_url: &Url, allow_tls_certificate: bool) -> bool {
+    allow_tls_certificate && target_url.scheme() == "https"
 }
 
 pub fn ensure_remote_window_tls_handler(

packages/tauri-app/src-tauri/src/main.rs

@@ -40,6 +40,8 @@ const DEFAULT_ZOOM_LEVEL: f64 = 1.0;
 const ZOOM_STEP: f64 = 0.1;
 const MIN_ZOOM_LEVEL: f64 = 0.2;
 const MAX_ZOOM_LEVEL: f64 = 5.0;
+const LOCAL_WINDOW_CONTEXT_SCRIPT: &str = "window.__CODENOMAD_WINDOW_CONTEXT__ = 'local';";
+const REMOTE_WINDOW_CONTEXT_SCRIPT: &str = "window.__CODENOMAD_WINDOW_CONTEXT__ = 'remote';";
 
 #[cfg(windows)]
 const WINDOWS_APP_USER_MODEL_ID: &str = "ai.neuralnomads.codenomad.client";
@@ -49,6 +51,7 @@ pub struct AppState {
     pub wake_lock: Mutex<Option<KeepAwake>>,
     pub zoom_level: Mutex<f64>,
     pub remote_origins: Mutex<HashMap<String, String>>,
+    pub remote_proxy_sessions: Mutex<HashMap<String, String>>,
     pub remote_skip_tls_verify: Mutex<HashMap<String, bool>>,
     pub remote_tls_handlers: Mutex<HashSet<String>>,
 }
@@ -60,10 +63,58 @@ struct RemoteWindowPayload {
     name: String,
     base_url: String,
     entry_url: Option<String>,
+    proxy_session_id: Option<String>,
     #[allow(dead_code)]
     skip_tls_verify: bool,
 }
 
+fn schedule_remote_proxy_session_cleanup(app: AppHandle, session_id: String) {
+    tauri::async_runtime::spawn(async move {
+        if let Err(err) = cleanup_remote_proxy_session(&app, &session_id).await {
+            eprintln!(
+                "[tauri] failed to clean up remote proxy session {}: {}",
+                session_id, err
+            );
+        }
+    });
+}
+
+async fn cleanup_remote_proxy_session(app: &AppHandle, session_id: &str) -> Result<(), String> {
+    let status = app.state::<AppState>().manager.status();
+    let Some(base_url) = status.url else {
+        return Ok(());
+    };
+
+    let mut cleanup_url = Url::parse(&base_url).map_err(|err| err.to_string())?;
+    cleanup_url.set_path(&format!("/api/remote-proxy/sessions/{session_id}"));
+    cleanup_url.set_query(None);
+    cleanup_url.set_fragment(None);
+
+    let client = if cleanup_url.scheme() == "https" {
+        let local_cert = cert_manager::ensure_local_cert()?;
+        let ca_cert = reqwest::Certificate::from_der(&local_cert.ca_cert_der)
+            .map_err(|err| err.to_string())?;
+        reqwest::Client::builder()
+            .add_root_certificate(ca_cert)
+            .build()
+            .map_err(|err| err.to_string())?
+    } else {
+        reqwest::Client::new()
+    };
+
+    let response = client
+        .delete(cleanup_url.as_str())
+        .send()
+        .await
+        .map_err(|err| err.to_string())?;
+
+    if response.status().is_success() || response.status() == reqwest::StatusCode::NOT_FOUND {
+        return Ok(());
+    }
+
+    Err(format!("unexpected status {}", response.status()))
+}
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(default, rename_all = "camelCase")]
 struct WakeLockConfig {
@@ -94,8 +145,8 @@ fn wake_lock_start(
     config: Option<WakeLockConfig>,
 ) -> Result<(), String> {
     let config = config.unwrap_or(WakeLockConfig {
-        display: true,
-        idle: false,
+        display: false,
+        idle: true,
         sleep: false,
     });
 
@@ -193,6 +244,9 @@ async fn open_remote_window_impl(
 
     let window_url = parsed.clone();
 
+    let allow_linux_tls_certificate =
+        parsed.scheme() == "https" && (payload.proxy_session_id.is_some() || payload.skip_tls_verify);
+
     app.state::<AppState>()
         .remote_origins
         .lock()
@@ -202,7 +256,25 @@ async fn open_remote_window_impl(
         .remote_skip_tls_verify
         .lock()
         .map_err(|err| err.to_string())?
-        .insert(label.clone(), parsed.scheme() == "https");
+        .insert(label.clone(), allow_linux_tls_certificate);
+
+    let replaced_session = {
+        let state = app.state::<AppState>();
+        let mut sessions = state
+            .remote_proxy_sessions
+            .lock()
+            .map_err(|err| err.to_string())?;
+        match payload.proxy_session_id.clone() {
+            Some(session_id) => sessions.insert(label.clone(), session_id),
+            None => sessions.remove(&label),
+        }
+    };
+
+    if let Some(previous) = replaced_session {
+        if payload.proxy_session_id.as_deref() != Some(previous.as_str()) {
+            schedule_remote_proxy_session_cleanup(app.clone(), previous);
+        }
+    }
 
     if let Some(existing) = app.get_webview_window(&label) {
         #[cfg(target_os = "linux")]
@@ -217,8 +289,10 @@ async fn open_remote_window_impl(
     }
 
     #[cfg(target_os = "linux")]
-    let initial_url = if linux_tls::should_bootstrap_tls_navigation(&window_url, payload.skip_tls_verify)
-    {
+    let initial_url = if linux_tls::should_bootstrap_tls_navigation(
+        &window_url,
+        allow_linux_tls_certificate,
+    ) {
         Url::parse("about:blank").map_err(|err| err.to_string())?
     } else {
         window_url.clone()
@@ -228,6 +302,7 @@ async fn open_remote_window_impl(
     let initial_url = window_url.clone();
 
     let window = WebviewWindowBuilder::new(&app, label.clone(), WebviewUrl::External(initial_url.clone()))
+        .initialization_script(REMOTE_WINDOW_CONTEXT_SCRIPT)
         .title(title)
         .inner_size(1400.0, 900.0)
         .min_inner_size(800.0, 600.0)
@@ -249,6 +324,11 @@ async fn open_remote_window_impl(
             if let Ok(mut origins) = app_handle.state::<AppState>().remote_origins.lock() {
                 origins.remove(&label_for_cleanup);
             }
+            if let Ok(mut sessions) = app_handle.state::<AppState>().remote_proxy_sessions.lock() {
+                if let Some(session_id) = sessions.remove(&label_for_cleanup) {
+                    schedule_remote_proxy_session_cleanup(app_handle.clone(), session_id);
+                }
+            }
             if let Ok(mut values) = app_handle.state::<AppState>().remote_skip_tls_verify.lock() {
                 values.remove(&label_for_cleanup);
             }
@@ -261,13 +341,31 @@ async fn open_remote_window_impl(
     Ok(())
 }
 
+#[tauri::command]
+fn needs_local_certificate_install() -> Result<bool, String> {
+    #[cfg(not(target_os = "linux"))]
+    {
+        let local_cert = cert_manager::ensure_local_cert().map_err(|err| {
+            format!("Failed to load the local HTTPS certificate for the remote proxy window: {err}")
+        })?;
+        return cert_manager::needs_trust_in_store(&local_cert.ca_cert_der).map_err(|err| {
+            format!("Failed to inspect the local CodeNomad certificate trust state: {err}")
+        });
+    }
+
+    #[cfg(target_os = "linux")]
+    {
+        Ok(false)
+    }
+}
+
 #[tauri::command]
 async fn open_remote_window(app: AppHandle, payload: RemoteWindowPayload) -> Result<(), String> {
     #[cfg(not(target_os = "linux"))]
     {
         let entry_url = payload.entry_url.as_deref().unwrap_or(payload.base_url.as_str());
         let parsed = Url::parse(entry_url).map_err(|err| err.to_string())?;
-        if parsed.scheme() == "https" {
+        if payload.proxy_session_id.is_some() && parsed.scheme() == "https" {
             let local_cert = cert_manager::ensure_local_cert().map_err(|err| {
                 format!(
                     "Failed to load the local HTTPS certificate for the remote proxy window: {err}"
@@ -440,12 +538,16 @@ fn main() {
             wake_lock: Mutex::new(None),
             zoom_level: Mutex::new(DEFAULT_ZOOM_LEVEL),
             remote_origins: Mutex::new(HashMap::new()),
+            remote_proxy_sessions: Mutex::new(HashMap::new()),
             remote_skip_tls_verify: Mutex::new(HashMap::new()),
             remote_tls_handlers: Mutex::new(HashSet::new()),
         })
         .setup(|app| {
             set_windows_app_user_model_id();
             build_menu(&app.handle())?;
+            if let Some(window) = app.get_webview_window("main") {
+                let _ = window.eval(LOCAL_WINDOW_CONTEXT_SCRIPT);
+            }
             if let Some(shortcut) = fullscreen_shortcut() {
                 let shortcut_manager = app.handle().global_shortcut();
                 let _ = shortcut_manager.register(shortcut.clone());
@@ -480,6 +582,7 @@ fn main() {
             cli_restart,
             wake_lock_start,
             wake_lock_stop,
+            needs_local_certificate_install,
             open_remote_window
         ])
         .on_menu_event(|app_handle, event| {

packages/tauri-app/src-tauri/src/remote_proxy.rs

@@ -1,460 +0,0 @@
-use axum::body::Body;
-use axum::extract::{Request, State};
-use axum::http::{HeaderMap, HeaderName, HeaderValue, StatusCode, Uri};
-use axum::response::Response;
-use axum::routing::any;
-use axum::Router;
-use axum_server::tls_rustls::RustlsConfig;
-use futures_util::TryStreamExt;
-use rand::RngCore;
-use reqwest::redirect::Policy;
-use reqwest::Client;
-use std::collections::HashSet;
-use std::sync::atomic::{AtomicBool, Ordering};
-use std::sync::Arc;
-use url::Url;
-
-const PROXY_TOKEN_QUERY: &str = "proxy_token";
-
-#[derive(Clone)]
-struct ProxyState {
-    client: Client,
-    target_base_url: Url,
-    local_base_url: Url,
-    session_token: String,
-    session_activated: Arc<AtomicBool>,
-}
-
-/// TLS configuration for the local HTTPS proxy.
-pub struct ProxyTlsConfig {
-    pub cert_pem: String,
-    pub key_pem: String,
-}
-
-pub struct RemoteProxyHandle {
-    local_base_url: Url,
-    entry_url: Url,
-    target_base_url: Url,
-    skip_tls_verify: bool,
-    server_handle: axum_server::Handle,
-}
-
-impl RemoteProxyHandle {
-    pub fn local_base_url(&self) -> &Url {
-        &self.local_base_url
-    }
-
-    pub fn entry_url(&self) -> &Url {
-        &self.entry_url
-    }
-
-    pub fn matches(&self, target_base_url: &Url, skip_tls_verify: bool) -> bool {
-        self.target_base_url == *target_base_url && self.skip_tls_verify == skip_tls_verify
-    }
-
-    pub fn shutdown(&self) {
-        self.server_handle.shutdown();
-    }
-}
-
-impl Drop for RemoteProxyHandle {
-    fn drop(&mut self) {
-        self.shutdown();
-    }
-}
-
-pub async fn start_remote_proxy(
-    target_base_url: Url,
-    skip_tls_verify: bool,
-    tls_config: Option<ProxyTlsConfig>,
-) -> Result<RemoteProxyHandle, String> {
-    let client = Client::builder()
-        .redirect(Policy::none())
-        .danger_accept_invalid_certs(skip_tls_verify)
-        .build()
-        .map_err(|err| err.to_string())?;
-
-    // Pre-bind a std TcpListener on port 0 to discover the actual port
-    let std_listener = std::net::TcpListener::bind("127.0.0.1:0")
-        .map_err(|err| err.to_string())?;
-    let address = std_listener.local_addr().map_err(|err| err.to_string())?;
-
-    let scheme = if tls_config.is_some() { "https" } else { "http" };
-    let local_base_url =
-        Url::parse(&format!("{scheme}://{address}")).map_err(|err| err.to_string())?;
-    let session_token = generate_session_token();
-    let mut entry_url = local_base_url.clone();
-    entry_url.set_path(target_base_url.path());
-    entry_url.set_query(Some(&format!("{PROXY_TOKEN_QUERY}={session_token}")));
-
-    let state = Arc::new(ProxyState {
-        client,
-        target_base_url: target_base_url.clone(),
-        local_base_url: local_base_url.clone(),
-        session_token,
-        session_activated: Arc::new(AtomicBool::new(false)),
-    });
-
-    let app = Router::new()
-        .route("/*path", any(proxy_request))
-        .route("/", any(proxy_request))
-        .with_state(state);
-
-    let server_handle = axum_server::Handle::new();
-    let handle_clone = server_handle.clone();
-
-    if let Some(tls) = tls_config {
-        let rustls_config =
-            RustlsConfig::from_pem(tls.cert_pem.into_bytes(), tls.key_pem.into_bytes())
-                .await
-                .map_err(|err| format!("Failed to build RustlsConfig: {err}"))?;
-
-        tauri::async_runtime::spawn(async move {
-            let server = axum_server::from_tcp_rustls(std_listener, rustls_config)
-                .handle(handle_clone)
-                .serve(app.into_make_service());
-
-            if let Err(err) = server.await {
-                eprintln!("[tauri] remote proxy (HTTPS) stopped with error: {err}");
-            }
-        });
-    } else {
-        tauri::async_runtime::spawn(async move {
-            let server = axum_server::from_tcp(std_listener)
-                .handle(handle_clone)
-                .serve(app.into_make_service());
-
-            if let Err(err) = server.await {
-                eprintln!("[tauri] remote proxy (HTTP) stopped with error: {err}");
-            }
-        });
-    }
-
-    Ok(RemoteProxyHandle {
-        local_base_url,
-        entry_url,
-        target_base_url,
-        skip_tls_verify,
-        server_handle,
-    })
-}
-
-async fn proxy_request(
-    State(state): State<Arc<ProxyState>>,
-    request: Request,
-) -> Result<Response<Body>, StatusCode> {
-    if !state.session_activated.load(Ordering::SeqCst) {
-        if request_bootstraps_session(&request, &state.session_token) {
-            state.session_activated.store(true, Ordering::SeqCst);
-            return Ok(build_bootstrap_response(request.uri())?);
-        }
-        return Err(StatusCode::FORBIDDEN);
-    }
-
-    let upstream_url = build_upstream_url(&state.target_base_url, request.uri())
-        .map_err(|_| StatusCode::BAD_REQUEST)?;
-
-    let mut builder = state
-        .client
-        .request(request.method().clone(), upstream_url.clone());
-    builder = builder.headers(filter_request_headers(
-        request.headers(),
-        &state.target_base_url,
-    )?);
-
-    let body = axum::body::to_bytes(request.into_body(), usize::MAX)
-        .await
-        .map_err(|_| StatusCode::BAD_REQUEST)?;
-    if !body.is_empty() {
-        builder = builder.body(body);
-    }
-
-    let upstream = builder.send().await.map_err(map_upstream_error)?;
-    let status = upstream.status();
-    let headers = rewrite_response_headers(
-        upstream.headers(),
-        &state.target_base_url,
-        &state.local_base_url,
-    )?;
-    let stream = upstream
-        .bytes_stream()
-        .map_err(|err| std::io::Error::other(err.to_string()));
-
-    let mut response = Response::new(Body::from_stream(stream));
-    *response.status_mut() = status;
-    *response.headers_mut() = headers;
-    Ok(response)
-}
-
-fn build_upstream_url(base_url: &Url, uri: &Uri) -> Result<Url, url::ParseError> {
-    let mut url = base_url.clone();
-    url.set_path(&rewrite_request_path(base_url, uri.path()));
-    url.set_query(strip_proxy_token_query(uri.query()).as_deref());
-    Ok(url)
-}
-
-fn rewrite_request_path(base_url: &Url, request_path: &str) -> String {
-    let base_path = normalized_base_path(base_url);
-    if base_path == "/" {
-        return request_path.to_string();
-    }
-
-    if request_path == "/" {
-        return base_path.to_string();
-    }
-
-    if path_has_base_prefix(base_path, request_path) {
-        return request_path.to_string();
-    }
-
-    format!("{base_path}{request_path}")
-}
-
-fn normalized_base_path(base_url: &Url) -> &str {
-    let path = base_url.path();
-    if path.is_empty() { "/" } else { path }
-}
-
-fn path_has_base_prefix(base_path: &str, request_path: &str) -> bool {
-    request_path == base_path
-        || request_path
-            .strip_prefix(base_path)
-            .is_some_and(|suffix| suffix.starts_with('/'))
-}
-
-fn generate_session_token() -> String {
-    let mut bytes = [0_u8; 16];
-    rand::thread_rng().fill_bytes(&mut bytes);
-    bytes.iter().map(|byte| format!("{byte:02x}")).collect()
-}
-
-fn request_bootstraps_session(request: &Request, session_token: &str) -> bool {
-    request.uri().query().is_some_and(|query| {
-        url::form_urlencoded::parse(query.as_bytes())
-            .any(|(name, value)| name == PROXY_TOKEN_QUERY && value == session_token)
-    })
-}
-
-fn build_bootstrap_response(uri: &Uri) -> Result<Response<Body>, StatusCode> {
-    let redirect_target = sanitized_request_target(uri);
-
-    Response::builder()
-        .status(StatusCode::FOUND)
-        .header(axum::http::header::LOCATION, redirect_target)
-        .body(Body::empty())
-        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
-}
-
-fn sanitized_request_target(uri: &Uri) -> String {
-    let path = if uri.path().is_empty() { "/" } else { uri.path() };
-    match strip_proxy_token_query(uri.query()) {
-        Some(query) if !query.is_empty() => format!("{path}?{query}"),
-        _ => path.to_string(),
-    }
-}
-
-fn strip_proxy_token_query(query: Option<&str>) -> Option<String> {
-    let query = query?;
-    let filtered: Vec<(std::borrow::Cow<'_, str>, std::borrow::Cow<'_, str>)> =
-        url::form_urlencoded::parse(query.as_bytes())
-            .filter(|(name, _)| name != PROXY_TOKEN_QUERY)
-            .collect();
-
-    if filtered.is_empty() {
-        return None;
-    }
-
-    Some(
-        url::form_urlencoded::Serializer::new(String::new())
-            .extend_pairs(filtered)
-            .finish(),
-    )
-}
-
-fn filter_request_headers(
-    headers: &HeaderMap,
-    target_base_url: &Url,
-) -> Result<HeaderMap, StatusCode> {
-    let mut forwarded = HeaderMap::new();
-    for (name, value) in headers {
-        if is_hop_by_hop_header(name) || *name == axum::http::header::HOST {
-            continue;
-        }
-        forwarded.append(name.clone(), value.clone());
-    }
-
-    let host = target_base_url.host_str().ok_or(StatusCode::BAD_REQUEST)?;
-    let host_value = match target_base_url.port() {
-        Some(port) => format!("{host}:{port}"),
-        None => host.to_string(),
-    };
-    forwarded.insert(
-        axum::http::header::HOST,
-        HeaderValue::from_str(&host_value).map_err(|_| StatusCode::BAD_REQUEST)?,
-    );
-
-    let target_origin = target_base_url.origin().ascii_serialization();
-    if let Ok(origin) = HeaderValue::from_str(&target_origin) {
-        forwarded.insert(axum::http::header::ORIGIN, origin);
-    }
-
-    if let Some(referer) = rewrite_referer_header(headers, target_base_url) {
-        forwarded.insert(
-            axum::http::header::REFERER,
-            HeaderValue::from_str(&referer).map_err(|_| StatusCode::BAD_REQUEST)?,
-        );
-    }
-
-    Ok(forwarded)
-}
-
-fn rewrite_referer_header(headers: &HeaderMap, target_base_url: &Url) -> Option<String> {
-    let referer = headers.get(axum::http::header::REFERER)?.to_str().ok()?;
-    let parsed = Url::parse(referer).ok()?;
-
-    let mut rewritten = target_base_url.clone();
-    rewritten.set_path(&rewrite_request_path(target_base_url, parsed.path()));
-    rewritten.set_query(parsed.query());
-    rewritten.set_fragment(parsed.fragment());
-    Some(rewritten.to_string())
-}
-
-fn rewrite_response_headers(
-    headers: &HeaderMap,
-    target_base_url: &Url,
-    local_base_url: &Url,
-) -> Result<HeaderMap, StatusCode> {
-    let mut rewritten = HeaderMap::new();
-    for (name, value) in headers {
-        if is_hop_by_hop_header(name) {
-            continue;
-        }
-
-        if *name == axum::http::header::LOCATION {
-            if let Ok(location) = value.to_str() {
-                let next = rewrite_location(location, target_base_url, local_base_url);
-                rewritten.append(
-                    name.clone(),
-                    HeaderValue::from_str(&next).map_err(|_| StatusCode::BAD_GATEWAY)?,
-                );
-                continue;
-            }
-        }
-
-        if *name == axum::http::header::SET_COOKIE {
-            if let Ok(cookie) = value.to_str() {
-                let next = rewrite_set_cookie(cookie);
-                rewritten.append(
-                    name.clone(),
-                    HeaderValue::from_str(&next).map_err(|_| StatusCode::BAD_GATEWAY)?,
-                );
-                continue;
-            }
-        }
-
-        rewritten.append(name.clone(), value.clone());
-    }
-    Ok(rewritten)
-}
-
-fn rewrite_set_cookie(cookie: &str) -> String {
-    cookie
-        .split(';')
-        .map(str::trim)
-        .filter(|part| !part.get(..7).is_some_and(|prefix| prefix.eq_ignore_ascii_case("Domain=")))
-        .collect::<Vec<_>>()
-        .join("; ")
-}
-
-fn rewrite_location(location: &str, target_base_url: &Url, local_base_url: &Url) -> String {
-    let Ok(parsed) = target_base_url.join(location) else {
-        return location.to_string();
-    };
-
-    if parsed.origin() != target_base_url.origin() {
-        return location.to_string();
-    }
-
-    let mut rewritten = local_base_url.clone();
-    rewritten.set_path(parsed.path());
-    rewritten.set_query(parsed.query());
-    rewritten.set_fragment(parsed.fragment());
-    rewritten.to_string()
-}
-
-fn map_upstream_error(error: reqwest::Error) -> StatusCode {
-    if error.is_timeout() {
-        StatusCode::GATEWAY_TIMEOUT
-    } else if error.is_connect() {
-        StatusCode::BAD_GATEWAY
-    } else {
-        StatusCode::INTERNAL_SERVER_ERROR
-    }
-}
-
-fn is_hop_by_hop_header(name: &HeaderName) -> bool {
-    static HOP_BY_HOP: std::sync::OnceLock<HashSet<&'static str>> = std::sync::OnceLock::new();
-    HOP_BY_HOP
-        .get_or_init(|| {
-            HashSet::from([
-                "connection",
-                "keep-alive",
-                "proxy-authenticate",
-                "proxy-authorization",
-                "te",
-                "trailer",
-                "transfer-encoding",
-                "upgrade",
-            ])
-        })
-        .contains(name.as_str())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn build_upstream_url_prefixes_root_relative_requests_under_base_path() {
-        let base = Url::parse("https://example.com/app").unwrap();
-        let uri = "/api/auth/status?foo=bar".parse::<Uri>().unwrap();
-
-        let upstream = build_upstream_url(&base, &uri).unwrap();
-
-        assert_eq!(upstream.as_str(), "https://example.com/app/api/auth/status?foo=bar");
-    }
-
-    #[test]
-    fn build_upstream_url_keeps_requests_already_under_base_path() {
-        let base = Url::parse("https://example.com/app").unwrap();
-        let uri = "/app/api/auth/status?foo=bar".parse::<Uri>().unwrap();
-
-        let upstream = build_upstream_url(&base, &uri).unwrap();
-
-        assert_eq!(upstream.as_str(), "https://example.com/app/api/auth/status?foo=bar");
-    }
-
-    #[test]
-    fn build_upstream_url_maps_root_to_base_path() {
-        let base = Url::parse("https://example.com/app").unwrap();
-        let uri = "/".parse::<Uri>().unwrap();
-
-        let upstream = build_upstream_url(&base, &uri).unwrap();
-
-        assert_eq!(upstream.as_str(), "https://example.com/app");
-    }
-
-    #[test]
-    fn rewrite_referer_header_prefixes_root_relative_path_under_base_path() {
-        let target = Url::parse("https://example.com/app").unwrap();
-        let mut headers = HeaderMap::new();
-        headers.insert(
-            axum::http::header::REFERER,
-            HeaderValue::from_static("https://127.0.0.1:3000/api/auth/status?foo=bar"),
-        );
-
-        let referer = rewrite_referer_header(&headers, &target).unwrap();
-
-        assert_eq!(referer, "https://example.com/app/api/auth/status?foo=bar");
-    }
-}

packages/tauri-app/src-tauri/tauri.conf.json

@@ -9,6 +9,7 @@
     "frontendDist": "resources/ui-loading"
   },
   "app": {
+    "enableGTKAppId": true,
     "withGlobalTauri": true,
     "windows": [
       {
@@ -41,6 +42,30 @@
   },
   "bundle": {
     "active": true,
+    "linux": {
+      "deb": {
+        "files": {
+          "/usr/share/applications/ai.neuralnomads.codenomad.client.desktop": "icons/linux/ai.neuralnomads.codenomad.client.desktop",
+          "/usr/share/icons/hicolor/32x32/apps/codenomad-tauri.png": "icons/linux/32x32.png",
+          "/usr/share/icons/hicolor/48x48/apps/codenomad-tauri.png": "icons/linux/48x48.png",
+          "/usr/share/icons/hicolor/64x64/apps/codenomad-tauri.png": "icons/linux/64x64.png",
+          "/usr/share/icons/hicolor/128x128/apps/codenomad-tauri.png": "icons/linux/128x128.png",
+          "/usr/share/icons/hicolor/256x256/apps/codenomad-tauri.png": "icons/linux/256x256.png",
+          "/usr/share/icons/hicolor/512x512/apps/codenomad-tauri.png": "icons/linux/512x512.png"
+        }
+      },
+      "rpm": {
+        "files": {
+          "/usr/share/applications/ai.neuralnomads.codenomad.client.desktop": "icons/linux/ai.neuralnomads.codenomad.client.desktop",
+          "/usr/share/icons/hicolor/32x32/apps/codenomad-tauri.png": "icons/linux/32x32.png",
+          "/usr/share/icons/hicolor/48x48/apps/codenomad-tauri.png": "icons/linux/48x48.png",
+          "/usr/share/icons/hicolor/64x64/apps/codenomad-tauri.png": "icons/linux/64x64.png",
+          "/usr/share/icons/hicolor/128x128/apps/codenomad-tauri.png": "icons/linux/128x128.png",
+          "/usr/share/icons/hicolor/256x256/apps/codenomad-tauri.png": "icons/linux/256x256.png",
+          "/usr/share/icons/hicolor/512x512/apps/codenomad-tauri.png": "icons/linux/512x512.png"
+        }
+      }
+    },
     "resources": [
       "resources/server",
       "resources/ui-loading"

packages/ui/src/App.tsx

@@ -22,7 +22,7 @@ import { getLogger } from "./lib/logger"
 import { launchError, showLaunchError, clearLaunchError } from "./stores/launch-errors"
 import { formatLaunchErrorMessage, isMissingBinaryMessage } from "./lib/launch-errors"
 import { initReleaseNotifications } from "./stores/releases"
-import { runtimeEnv } from "./lib/runtime-env"
+import { isTauriHost, isWebHost, runtimeEnv } from "./lib/runtime-env"
 import { useI18n } from "./lib/i18n"
 import { setWakeLockDesired } from "./lib/native/wake-lock"
 import {
@@ -50,7 +50,7 @@ import {
   updateSessionModel,
 } from "./stores/sessions"
 
-import { getInstanceSessionIndicatorStatus } from "./stores/session-status"
+import { hasWakeLockEligibleWork } from "./stores/session-status"
 import { openSettings } from "./stores/settings-screen"
 import {
   closeSidecarTab,
@@ -137,7 +137,7 @@ const App: Component = () => {
   createEffect(() => {
     if (typeof document === "undefined") return
     const shouldShow =
-      runtimeEnv.host !== "web" && runtimeEnv.platform !== "mobile" && (preferences().showKeyboardShortcutHints ?? true)
+      !isWebHost() && runtimeEnv.platform !== "mobile" && (preferences().showKeyboardShortcutHints ?? true)
     document.documentElement.dataset.keyboardHints = shouldShow ? "show" : "hide"
   })
 
@@ -204,8 +204,7 @@ const App: Component = () => {
   const shouldHoldWakeLock = createMemo(() => {
     const map = instances()
     for (const id of map.keys()) {
-      const status = getInstanceSessionIndicatorStatus(id)
-      if (status !== "idle") {
+      if (hasWakeLockEligibleWork(id)) {
         return true
       }
     }
@@ -444,7 +443,7 @@ const App: Component = () => {
 
   // Listen for Tauri menu events
   onMount(() => {
-    if (runtimeEnv.host === "tauri") {
+    if (isTauriHost()) {
       const tauriBridge = (window as { __TAURI__?: { event?: { listen: (event: string, handler: (event: { payload: unknown }) => void) => Promise<() => void> } } }).__TAURI__
       if (tauriBridge?.event) {
         let unlistenMenu: (() => void) | null = null

packages/ui/src/components/directory-browser-dialog.tsx

@@ -58,6 +58,16 @@ function resolveAbsolutePath(root: string, relativePath: string) {
   return `${trimmedRoot}${normalized}`
 }
 
+function getAbsolutePathFromMetadata(metadata: FileSystemListingMetadata | null) {
+  if (!metadata || metadata.pathKind === "drives") {
+    return ""
+  }
+  if (metadata.pathKind === "relative") {
+    return resolveAbsolutePath(metadata.rootPath, metadata.currentPath)
+  }
+  return metadata.displayPath
+}
+
 type FolderRow =
   | { type: "up"; path: string }
   | { type: "folder"; entry: FileSystemEntry }
@@ -67,6 +77,8 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
   const [rootPath, setRootPath] = createSignal("")
   const [loading, setLoading] = createSignal(false)
   const [error, setError] = createSignal<string | null>(null)
+  const [pathInput, setPathInput] = createSignal("")
+  const [pathInputDirty, setPathInputDirty] = createSignal(false)
   const [creatingFolder, setCreatingFolder] = createSignal(false)
   const [directoryChildren, setDirectoryChildren] = createSignal<Map<string, FileSystemEntry[]>>(new Map())
   const [loadingPaths, setLoadingPaths] = createSignal<Set<string>>(new Set())
@@ -75,12 +87,16 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
 
   const metadataCache = new Map<string, FileSystemListingMetadata>()
   const inFlightRequests = new Map<string, Promise<FileSystemListingMetadata>>()
+  let latestNavigationId = 0
 
   function resetState() {
+    setRootPath("")
     setDirectoryChildren(new Map<string, FileSystemEntry[]>())
     setLoadingPaths(new Set<string>())
     setCurrentPathKey(null)
     setCurrentMetadata(null)
+    setPathInput("")
+    setPathInputDirty(false)
     metadataCache.clear()
     inFlightRequests.clear()
     setError(null)
@@ -109,11 +125,7 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
   async function initialize() {
     setLoading(true)
     try {
-      const metadata = await loadDirectory()
-      applyMetadata(metadata)
-    } catch (err) {
-      const message = err instanceof Error ? err.message : t("directoryBrowser.load.errorFallback")
-      setError(message)
+      await navigateTo()
     } finally {
       setLoading(false)
     }
@@ -197,13 +209,22 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
   }
 
   async function navigateTo(path?: string) {
+    const navigationId = ++latestNavigationId
     setError(null)
     try {
       const metadata = await loadDirectory(path)
+      if (navigationId !== latestNavigationId) {
+        return null
+      }
       applyMetadata(metadata)
+      return metadata
     } catch (err) {
+      if (navigationId !== latestNavigationId) {
+        return null
+      }
       const message = err instanceof Error ? err.message : t("directoryBrowser.load.errorFallback")
       setError(message)
+      return null
     }
   }
 
@@ -225,31 +246,58 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
   })
 
   function handleNavigateTo(path: string) {
+    setPathInputDirty(false)
     void navigateTo(path)
   }
 
   function handleNavigateUp() {
     const parent = currentMetadata()?.parentPath
     if (parent) {
+      setPathInputDirty(false)
       void navigateTo(parent)
     }
   }
 
   const currentAbsolutePath = createMemo(() => {
-    const metadata = currentMetadata()
-    if (!metadata) {
-      return ""
+    return getAbsolutePathFromMetadata(currentMetadata())
+  })
+
+  createEffect(() => {
+    const absolutePath = currentAbsolutePath()
+    if (!pathInputDirty()) {
+      setPathInput(absolutePath)
     }
-    if (metadata.pathKind === "drives") {
-      return ""
-    }
-    if (metadata.pathKind === "relative") {
-      return resolveAbsolutePath(metadata.rootPath, metadata.currentPath)
-    }
-    return metadata.displayPath
   })
 
   const canSelectCurrent = createMemo(() => Boolean(currentAbsolutePath()))
+  const canSubmitPath = createMemo(() => pathInput().trim().length > 0)
+
+  async function handlePathSubmit() {
+    const target = pathInput().trim()
+    if (!target) {
+      return
+    }
+    const metadata = await navigateTo(target)
+    if (!metadata) {
+      return
+    }
+    setPathInputDirty(false)
+    setPathInput(getAbsolutePathFromMetadata(metadata))
+  }
+
+  async function handleSelectCurrent() {
+    const target = pathInput().trim()
+    const metadata = target && target !== currentAbsolutePath() ? await navigateTo(target) : currentMetadata()
+    if (!metadata) {
+      return
+    }
+    setPathInputDirty(false)
+    const absolute = getAbsolutePathFromMetadata(metadata)
+    if (absolute) {
+      setPathInput(absolute)
+      props.onSelect(absolute)
+    }
+  }
 
   function handleEntrySelect(entry: FileSystemEntry) {
     const absolutePath = entry.absolutePath
@@ -262,10 +310,13 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
 
   async function handleCreateFolder() {
     if (creatingFolder()) return
-    const metadata = currentMetadata()
+    const target = pathInput().trim()
+    const metadata = target && target !== currentAbsolutePath() ? await navigateTo(target) : currentMetadata()
     if (!metadata || metadata.pathKind === "drives") {
       return
     }
+    setPathInputDirty(false)
+    setPathInput(getAbsolutePathFromMetadata(metadata))
 
     const name =
       (await showPromptDialog(t("directoryBrowser.createFolder.promptMessage"), {
@@ -338,19 +389,29 @@ const DirectoryBrowserDialog: Component<DirectoryBrowserDialogProps> = (props) =
                 <div class="directory-browser-current">
                   <div class="directory-browser-current-meta">
                     <span class="directory-browser-current-label">{t("directoryBrowser.currentFolder")}</span>
-                    <span class="directory-browser-current-path">{currentAbsolutePath()}</span>
+                    <input
+                      type="text"
+                      value={pathInput()}
+                      onInput={(event) => {
+                        setPathInput(event.currentTarget.value)
+                        setPathInputDirty(true)
+                      }}
+                      onKeyDown={(event) => {
+                        if (event.key === "Enter") {
+                          event.preventDefault()
+                          void handlePathSubmit()
+                        }
+                      }}
+                      spellcheck={false}
+                      class="selector-input directory-browser-current-path"
+                    />
                   </div>
                   <div class="directory-browser-current-actions">
                     <button
                       type="button"
                       class="selector-button selector-button-secondary directory-browser-select directory-browser-current-select"
-                      disabled={!canSelectCurrent() || creatingFolder()}
-                      onClick={() => {
-                        const absolute = currentAbsolutePath()
-                        if (absolute) {
-                          props.onSelect(absolute)
-                        }
-                      }}
+                      disabled={(!canSelectCurrent() && !canSubmitPath()) || creatingFolder()}
+                      onClick={() => void handleSelectCurrent()}
                     >
                       {t("directoryBrowser.selectCurrent")}
                     </button>

packages/ui/src/components/file-viewer/monaco-diff-viewer.tsx

@@ -19,12 +19,60 @@ interface MonacoDiffViewerProps {
   insertContextLabel?: string
 }
 
+function getLineCount(value: string): number {
+  if (!value) return 1
+  return value.split("\n").length
+}
+
+function getDigitCount(value: number): number {
+  return String(Math.max(1, value)).length
+}
+
+function getUnifiedGutterSizing(options: { before: string; after: string }) {
+  const beforeLineCount = getLineCount(options.before)
+  const afterLineCount = getLineCount(options.after)
+  const beforeDigitCount = getDigitCount(beforeLineCount)
+  const afterDigitCount = getDigitCount(afterLineCount)
+  const maxDigitCount = Math.max(beforeDigitCount, afterDigitCount)
+  const extraDigits = Math.max(0, maxDigitCount - 2)
+  const beforeNumberChars = Math.max(2, beforeDigitCount)
+  const afterNumberChars = Math.max(2, afterDigitCount)
+  const fourDigitPenalty = Math.max(0, maxDigitCount - 3)
+
+  return {
+    diffEditorLineNumbersMinChars: Math.max(beforeNumberChars, afterNumberChars),
+    originalLineNumbersMinChars: beforeNumberChars,
+    modifiedLineNumbersMinChars: afterNumberChars,
+    lineDecorationsWidth: 6 + extraDigits * 2 + fourDigitPenalty * 2,
+  }
+}
+
+function getSplitGutterSizing(options: { before: string; after: string }) {
+  const beforeLineCount = getLineCount(options.before)
+  const afterLineCount = getLineCount(options.after)
+  const beforeDigitCount = getDigitCount(beforeLineCount)
+  const afterDigitCount = getDigitCount(afterLineCount)
+  const maxDigitCount = Math.max(beforeDigitCount, afterDigitCount)
+  const extraDigits = Math.max(0, maxDigitCount - 2)
+  const beforeNumberChars = Math.max(2, beforeDigitCount)
+  const afterNumberChars = Math.max(2, afterDigitCount)
+  const fourDigitPenalty = Math.max(0, maxDigitCount - 3)
+
+  return {
+    diffEditorLineNumbersMinChars: Math.max(beforeNumberChars, afterNumberChars),
+    originalLineNumbersMinChars: beforeNumberChars,
+    modifiedLineNumbersMinChars: afterNumberChars,
+    lineDecorationsWidth: 8 + extraDigits * 2 + fourDigitPenalty,
+  }
+}
+
 export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
   const { isDark } = useTheme()
   let host: HTMLDivElement | undefined
 
   let diffEditor: any = null
   let monaco: any = null
+  let splitLayoutFrame: number | null = null
   const [ready, setReady] = createSignal(false)
   const [hoveredLine, setHoveredLine] = createSignal<number | null>(null)
   const [selectedRange, setSelectedRange] = createSignal<{ startLine: number; endLine: number } | null>(null)
@@ -55,6 +103,44 @@ export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
     diffEditor = null
   }
 
+  const clearSplitLayoutVariables = () => {
+    if (!host) return
+    host.style.removeProperty("--split-original-line-number-width")
+    host.style.removeProperty("--split-original-delete-sign-left")
+    host.style.removeProperty("--split-original-gutter-width")
+  }
+
+  const syncSplitLayoutVariables = (options: {
+    viewMode: "split" | "unified"
+    originalLineNumbersMinChars: number
+    lineDecorationsWidth: number
+  }) => {
+    if (!host) return
+    if (splitLayoutFrame !== null && typeof window !== "undefined") {
+      window.cancelAnimationFrame(splitLayoutFrame)
+      splitLayoutFrame = null
+    }
+    if (options.viewMode !== "split" || typeof window === "undefined") {
+      clearSplitLayoutVariables()
+      return
+    }
+
+    splitLayoutFrame = window.requestAnimationFrame(() => {
+      splitLayoutFrame = null
+      if (!host) return
+      const originalLineNumbers = host.querySelector<HTMLElement>(".editor.original .line-numbers")
+      const measuredWidth = originalLineNumbers?.getBoundingClientRect().width ?? 0
+      const lineNumberWidth =
+        measuredWidth > 0 ? measuredWidth : Math.max(12, options.originalLineNumbersMinChars * 6)
+      host.style.setProperty("--split-original-line-number-width", `${lineNumberWidth}px`)
+      host.style.setProperty("--split-original-delete-sign-left", `${lineNumberWidth}px`)
+      host.style.setProperty(
+        "--split-original-gutter-width",
+        `${lineNumberWidth + options.lineDecorationsWidth}px`,
+      )
+    })
+  }
+
   const getModifiedEditor = () => diffEditor?.getModifiedEditor?.() ?? null
 
   const getActiveInsertRange = () => {
@@ -120,7 +206,7 @@ export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
         renderWhitespace: "selection",
         fontSize: 13,
         wordWrap: props.wordWrap === "on" ? "on" : "off",
-        glyphMargin: true,
+        glyphMargin: false,
         folding: false,
         // Keep enough gutter space so unified diffs don't overlap `+`/`-` markers.
         lineNumbersMinChars: 4,
@@ -139,6 +225,11 @@ export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
 
     onCleanup(() => {
       cancelled = true
+      if (splitLayoutFrame !== null && typeof window !== "undefined") {
+        window.cancelAnimationFrame(splitLayoutFrame)
+        splitLayoutFrame = null
+      }
+      clearSplitLayoutVariables()
       setReady(false)
       disposeEditor()
     })
@@ -149,6 +240,11 @@ export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
     monaco.editor.setTheme(isDark() ? "vs-dark" : "vs")
   })
 
+  createEffect(() => {
+    if (!host) return
+    host.dataset.viewMode = props.viewMode === "split" ? "split" : "unified"
+  })
+
   createEffect(() => {
     if (!ready() || !monaco || !diffEditor) return
     const modifiedEditor = diffEditor.getModifiedEditor?.()
@@ -222,10 +318,23 @@ export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
     const viewMode = props.viewMode === "unified" ? "unified" : "split"
     const contextMode = props.contextMode === "collapsed" ? "collapsed" : "expanded"
     const wordWrap = props.wordWrap === "on" ? "on" : "off"
-
+    const { before, after } = resolvedContent()
+    const sizing =
+      viewMode === "unified"
+        ? getUnifiedGutterSizing({ before, after })
+        : getSplitGutterSizing({ before, after })
+    const {
+      diffEditorLineNumbersMinChars,
+      originalLineNumbersMinChars,
+      modifiedLineNumbersMinChars,
+      lineDecorationsWidth,
+    } = sizing
     diffEditor.updateOptions({
       renderSideBySide: viewMode === "split",
       renderSideBySideInlineBreakpoint: 0,
+      renderIndicators: true,
+      lineNumbersMinChars: diffEditorLineNumbersMinChars,
+      lineDecorationsWidth,
       hideUnchangedRegions:
         contextMode === "collapsed"
           ? { enabled: true }
@@ -234,16 +343,30 @@ export function MonacoDiffViewer(props: MonacoDiffViewerProps) {
     })
 
     try {
-      diffEditor.getOriginalEditor?.()?.updateOptions?.({ wordWrap })
+      diffEditor.getOriginalEditor?.()?.updateOptions?.({
+        wordWrap,
+        lineNumbersMinChars: originalLineNumbersMinChars,
+        lineDecorationsWidth,
+      })
     } catch {
       // ignore
     }
 
     try {
-      diffEditor.getModifiedEditor?.()?.updateOptions?.({ wordWrap })
+      diffEditor.getModifiedEditor?.()?.updateOptions?.({
+        wordWrap,
+        lineNumbersMinChars: modifiedLineNumbersMinChars,
+        lineDecorationsWidth,
+      })
     } catch {
       // ignore
     }
+
+    syncSplitLayoutVariables({
+      viewMode,
+      originalLineNumbersMinChars,
+      lineDecorationsWidth,
+    })
   })
 
   createEffect(() => {

packages/ui/src/components/folder-selection-view.tsx

@@ -5,7 +5,7 @@ import { Folder, Clock, Trash2, FolderPlus, Settings, ChevronRight, MonitorUp, S
 import { useConfig } from "../stores/preferences"
 import DirectoryBrowserDialog from "./directory-browser-dialog"
 import Kbd from "./kbd"
-import { openNativeFolderDialog, supportsNativeDialogs } from "../lib/native/native-functions"
+import { openNativeFolderDialog, supportsNativeDialogsInCurrentWindow } from "../lib/native/native-functions"
 import { useFolderDrop } from "../lib/hooks/use-folder-drop"
 import VersionPill from "./version-pill"
 import { DiscordSymbolIcon, GitHubMarkIcon } from "./brand-icons"
@@ -16,7 +16,7 @@ import { showAlertDialog } from "../stores/alerts"
 import { openSettings, settingsOpen } from "../stores/settings-screen"
 import { openExternalUrl } from "../lib/external-url"
 import { serverApi } from "../lib/api-client"
-import { runtimeEnv } from "../lib/runtime-env"
+import { canOpenRemoteWindows, isTauriHost } from "../lib/runtime-env"
 import { openRemoteServerWindow } from "../lib/native/remote-window"
 
 const codeNomadLogo = new URL("../images/CodeNomad-Icon.png", import.meta.url).href
@@ -58,7 +58,6 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
   const [serverDialogError, setServerDialogError] = createSignal<string | null>(null)
   const [isSavingServer, setIsSavingServer] = createSignal(false)
   const [connectingServerId, setConnectingServerId] = createSignal<string | null>(null)
-  const nativeDialogsAvailable = supportsNativeDialogs()
   let recentListRef: HTMLDivElement | undefined
 
   type LanguageOption = { value: Locale; label: string }
@@ -78,6 +77,7 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
   const folders = () => recentFolders()
   const serverList = () => remoteServers()
   const isLoading = () => Boolean(props.isLoading)
+  const canUseRemoteServerWindows = () => canOpenRemoteWindows()
 
   function getActiveListLength() {
     return activeTab() === "local" ? folders().length : serverList().length
@@ -124,17 +124,7 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
 
     const normalizedKey = e.key.toLowerCase()
     const isBrowseShortcut = (e.metaKey || e.ctrlKey) && !e.shiftKey && normalizedKey === "n"
-    const blockedKeys = [
-      "ArrowDown",
-      "ArrowUp",
-      "PageDown",
-      "PageUp",
-      "Home",
-      "End",
-      "Enter",
-      "Backspace",
-      "Delete",
-    ]
+    const blockedKeys = ["ArrowDown", "ArrowUp", "PageDown", "PageUp", "Home", "End", "Enter"]
 
     if (isLoading()) {
       if (isBrowseShortcut || blockedKeys.includes(e.key)) {
@@ -192,21 +182,6 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
     } else if (e.key === "Enter") {
       e.preventDefault()
       handleEnterKey()
-    } else if (e.key === "Backspace" || e.key === "Delete") {
-      e.preventDefault()
-      if (listLength > 0 && focusMode() === "recent") {
-        if (activeTab() === "local") {
-          const folder = folders()[selectedIndex()]
-          if (folder) {
-            handleRemove(folder.path)
-          }
-        } else {
-          const server = serverList()[selectedIndex()]
-          if (server) {
-            removeRemoteServerProfile(server.id)
-          }
-        }
-      }
     }
   }
 
@@ -231,6 +206,10 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
 
   createEffect(() => {
     activeTab()
+    if (!canUseRemoteServerWindows() && activeTab() !== "local") {
+      setActiveTab("local")
+      return
+    }
     setSelectedIndex(0)
     setFocusMode("recent")
   })
@@ -305,11 +284,16 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
   }
 
   function openServerDialog() {
+    if (!canUseRemoteServerWindows()) return
     resetServerDialog()
     setIsServerDialogOpen(true)
   }
 
   async function probeAndOpenServer(input: { id?: string; name: string; baseUrl: string; skipTlsVerify: boolean }, openWindow: boolean) {
+    if (openWindow && !canUseRemoteServerWindows()) {
+      throw new Error("Remote server windows can only be opened from a local desktop window")
+    }
+
     const trimmedName = input.name.trim()
     const trimmedUrl = input.baseUrl.trim()
     if (!trimmedName || !trimmedUrl) {
@@ -333,15 +317,23 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
     })
 
     if (openWindow) {
-      const windowUrl =
-        runtimeEnv.host === "tauri"
-          ? (await serverApi.createRemoteProxySession({
+      const remoteProxySession =
+        isTauriHost() && profile.skipTlsVerify && profile.baseUrl.startsWith("https://")
+          ? await serverApi.createRemoteProxySession({
               baseUrl: profile.baseUrl,
               skipTlsVerify: profile.skipTlsVerify,
-            })).windowUrl
+            })
           : undefined
 
-      await openRemoteServerWindow(profile, windowUrl)
+      try {
+        await openRemoteServerWindow(profile, remoteProxySession?.windowUrl, remoteProxySession?.sessionId)
+      } catch (error) {
+        if (remoteProxySession) {
+          void serverApi.deleteRemoteProxySession(remoteProxySession.sessionId).catch(() => {})
+        }
+        throw error
+      }
+
       await markRemoteServerConnected(profile.id)
     }
 
@@ -371,6 +363,7 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
   }
 
   async function handleConnectSavedServer(id: string) {
+    if (!canUseRemoteServerWindows()) return
     const target = remoteServers().find((entry) => entry.id === id)
     if (!target || connectingServerId()) return
     setConnectingServerId(id)
@@ -389,7 +382,7 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
   async function handleBrowse() {
     if (isLoading()) return
     setFocusMode("new")
-    if (nativeDialogsAvailable) {
+    if (supportsNativeDialogsInCurrentWindow()) {
       const fallbackPath = folders()[0]?.path
       const selected = await openNativeFolderDialog({
         title: t("folderSelection.dialog.title"),
@@ -546,15 +539,17 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
             >
               <Settings class="w-4 h-4" />
             </button>
-            <button
-              type="button"
-              class="selector-button selector-button-secondary w-auto p-2 inline-flex items-center justify-center"
-              onClick={() => openSettings("remote")}
-              aria-label={t("instanceTabs.remote.ariaLabel")}
-              title={t("instanceTabs.remote.title")}
-            >
-              <MonitorUp class="w-4 h-4" />
-            </button>
+            <Show when={canUseRemoteServerWindows()}>
+              <button
+                type="button"
+                class="selector-button selector-button-secondary w-auto p-2 inline-flex items-center justify-center"
+                onClick={() => openSettings("remote")}
+                aria-label={t("instanceTabs.remote.ariaLabel")}
+                title={t("instanceTabs.remote.title")}
+              >
+                <MonitorUp class="w-4 h-4" />
+              </button>
+            </Show>
             <Show when={props.onClose}>
               <button
                 type="button"
@@ -628,7 +623,7 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
               <div class="order-1 lg:order-2 flex flex-col gap-4 flex-1 min-h-0 overflow-hidden">
                 <div class="panel flex flex-col flex-1 min-h-0">
                   <div class="panel-header !gap-0 !p-0">
-                    <div class="grid grid-cols-2 gap-0 overflow-hidden border border-base rounded-t-lg rounded-b-none">
+                    <div class={`grid ${canUseRemoteServerWindows() ? "grid-cols-2" : "grid-cols-1"} gap-0 overflow-hidden border border-base rounded-t-lg rounded-b-none`}>
                       <button
                         type="button"
                         class="border-r border-base px-4 py-3 text-left transition-colors"
@@ -663,35 +658,37 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
                           )}
                         </p>
                       </button>
-                      <button
-                        type="button"
-                        class="px-4 py-3 text-left transition-colors"
-                        classList={{
-                          "text-primary": activeTab() === "servers",
-                          "text-muted hover:text-secondary": activeTab() !== "servers",
-                        }}
-                        style={{
-                          "background-color": "var(--surface-secondary)",
-                        }}
-                        onClick={() => setActiveTab("servers")}
-                      >
-                        <div
-                          class="panel-title text-base"
-                          style={{
-                            color: activeTab() === "servers" ? "var(--text-primary)" : "var(--text-secondary)",
+                      <Show when={canUseRemoteServerWindows()}>
+                        <button
+                          type="button"
+                          class="px-4 py-3 text-left transition-colors"
+                          classList={{
+                            "text-primary": activeTab() === "servers",
+                            "text-muted hover:text-secondary": activeTab() !== "servers",
                           }}
-                        >
-                          {t("folderSelection.tabs.servers")}
-                        </div>
-                        <p
-                          class="panel-subtitle mt-1"
                           style={{
-                            color: activeTab() === "servers" ? "var(--text-muted)" : "var(--text-secondary)",
+                            "background-color": "var(--surface-secondary)",
                           }}
+                          onClick={() => setActiveTab("servers")}
                         >
-                          {t("folderSelection.servers.count", { count: remoteServers().length })}
-                        </p>
-                      </button>
+                          <div
+                            class="panel-title text-base"
+                            style={{
+                              color: activeTab() === "servers" ? "var(--text-primary)" : "var(--text-secondary)",
+                            }}
+                          >
+                            {t("folderSelection.tabs.servers")}
+                          </div>
+                          <p
+                            class="panel-subtitle mt-1"
+                            style={{
+                              color: activeTab() === "servers" ? "var(--text-muted)" : "var(--text-secondary)",
+                            }}
+                          >
+                            {t("folderSelection.servers.count", { count: remoteServers().length })}
+                          </p>
+                        </button>
+                      </Show>
                     </div>
                   </div>
 
@@ -699,23 +696,25 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
                     when={activeTab() === "local"}
                     fallback={
                       <Show
-                        when={remoteServers().length > 0}
+                        when={canUseRemoteServerWindows() && remoteServers().length > 0}
                         fallback={
-                          <div class="panel-empty-state flex-1">
-                            <div class="panel-empty-state-icon">
-                              <Globe class="w-12 h-12 mx-auto" />
+                          <Show when={canUseRemoteServerWindows()}>
+                            <div class="panel-empty-state flex-1">
+                              <div class="panel-empty-state-icon">
+                                <Globe class="w-12 h-12 mx-auto" />
+                              </div>
+                              <p class="panel-empty-state-title">{t("folderSelection.servers.empty.title")}</p>
+                              <p class="panel-empty-state-description">{t("folderSelection.servers.empty.description")}</p>
+                              <button
+                                type="button"
+                                class="button-primary mt-4 w-auto self-center inline-flex items-center justify-center gap-2 px-4"
+                                onClick={openServerDialog}
+                              >
+                                <Globe class="w-4 h-4" />
+                                <span>{t("folderSelection.actions.connectButton")}</span>
+                              </button>
                             </div>
-                            <p class="panel-empty-state-title">{t("folderSelection.servers.empty.title")}</p>
-                            <p class="panel-empty-state-description">{t("folderSelection.servers.empty.description")}</p>
-                            <button
-                              type="button"
-                              class="button-primary mt-4 w-auto self-center inline-flex items-center justify-center gap-2 px-4"
-                              onClick={openServerDialog}
-                            >
-                              <Globe class="w-4 h-4" />
-                              <span>{t("folderSelection.actions.connectButton")}</span>
-                            </button>
-                          </div>
+                          </Show>
                         }
                       >
                         <div
@@ -883,15 +882,17 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
                     </div>
                   </button>
 
-                  <button
-                    onClick={openServerDialog}
-                    class="button-primary w-full flex items-center justify-center text-sm"
-                  >
-                    <div class="flex items-center gap-2">
-                      <Globe class="w-4 h-4" />
-                      <span>{t("folderSelection.actions.connectButton")}</span>
-                    </div>
-                  </button>
+                  <Show when={canUseRemoteServerWindows()}>
+                    <button
+                      onClick={openServerDialog}
+                      class="button-primary w-full flex items-center justify-center text-sm"
+                    >
+                      <div class="flex items-center gap-2">
+                        <Globe class="w-4 h-4" />
+                        <span>{t("folderSelection.actions.connectButton")}</span>
+                      </div>
+                    </button>
+                  </Show>
                 </div>
 
                 {/* OpenCode settings section */}
@@ -927,10 +928,6 @@ const FolderSelectionView: Component<FolderSelectionViewProps> = (props) => {
                     <kbd class="kbd">Enter</kbd>
                     <span>{t("folderSelection.hints.select")}</span>
                   </div>
-                  <div class="flex items-center gap-1.5">
-                    <kbd class="kbd">Del</kbd>
-                    <span>{t("folderSelection.hints.remove")}</span>
-                  </div>
                 </Show>
                 <div class="flex items-center gap-1.5">
                   <Kbd shortcut="cmd+n" class="kbd-hint" />

packages/ui/src/components/instance-tabs.tsx

@@ -6,6 +6,7 @@ import { Plus, MonitorUp, Bell, BellOff, Settings } from "lucide-solid"
 import { keyboardRegistry } from "../lib/keyboard-registry"
 import { useI18n } from "../lib/i18n"
 import { isOsNotificationSupportedSync } from "../lib/os-notifications"
+import { canOpenRemoteWindows } from "../lib/runtime-env"
 import { useConfig } from "../stores/preferences"
 import { openSettings } from "../stores/settings-screen"
 import type { AppTabRecord } from "../stores/app-tabs"
@@ -99,14 +100,16 @@ const InstanceTabs: Component<InstanceTabsProps> = (props) => {
               <Dynamic component={notificationIcon()} class="w-4 h-4" />
             </button>
 
-             <button
-               class="new-tab-button tab-remote-button"
-               onClick={() => openSettings("remote")}
-               title={t("instanceTabs.remote.title")}
-               aria-label={t("instanceTabs.remote.ariaLabel")}
-             >
-               <MonitorUp class="w-4 h-4" />
-             </button>
+             <Show when={canOpenRemoteWindows()}>
+               <button
+                 class="new-tab-button tab-remote-button"
+                 onClick={() => openSettings("remote")}
+                 title={t("instanceTabs.remote.title")}
+                 aria-label={t("instanceTabs.remote.ariaLabel")}
+               >
+                 <MonitorUp class="w-4 h-4" />
+               </button>
+             </Show>
           </div>
         </div>
       </div>

packages/ui/src/components/instance-welcome-view.tsx

@@ -171,9 +171,6 @@ const InstanceWelcomeView: Component<InstanceWelcomeViewProps> = (props) => {
     } else if (e.key === "Enter") {
       e.preventDefault()
       void handleEnterKey()
-    } else if (e.key === "Delete" || e.key === "Backspace") {
-      e.preventDefault()
-      void handleDeleteKey()
     }
   }
 
@@ -187,29 +184,6 @@ const InstanceWelcomeView: Component<InstanceWelcomeViewProps> = (props) => {
     }
   }
  
-  async function handleDeleteKey() {
-    const sessions = parentSessions()
-    const index = selectedIndex()
- 
-    if (index >= sessions.length) {
-      return
-    }
- 
-    await handleSessionDelete(sessions[index].id)
- 
-    const updatedSessions = parentSessions()
-    if (updatedSessions.length === 0) {
-      setFocusMode("new-session")
-      setSelectedIndex(0)
-      return
-    }
- 
-    const nextIndex = Math.min(index, updatedSessions.length - 1)
-    setSelectedIndex(nextIndex)
-    setFocusMode("sessions")
-    scrollToIndex(nextIndex)
-  }
- 
    onMount(() => {
     window.addEventListener("keydown", handleKeyDown)
 
@@ -562,10 +536,6 @@ const InstanceWelcomeView: Component<InstanceWelcomeViewProps> = (props) => {
             <kbd class="kbd">Enter</kbd>
             <span>{t("instanceWelcome.hints.resume")}</span>
           </div>
-          <div class="flex items-center gap-1.5">
-            <kbd class="kbd">Del</kbd>
-            <span>{t("instanceWelcome.hints.delete")}</span>
-          </div>
         </div>
       </div>
 

packages/ui/src/components/instance/instance-shell2.tsx

@@ -357,7 +357,11 @@ const InstanceShell2: Component<InstanceShellProps> = (props) => {
     const pill = activeSessionStatusPill()
     if (!pill) return null
     return (
-      <span class={`status-indicator session-status session-status-list ${pill.className}`} title={pill.title}>
+      <span
+        class={`status-indicator session-status session-status-list ${pill.className} notranslate`}
+        title={pill.title}
+        translate="no"
+      >
         {pill.showAlertIcon ? <ShieldAlert class="w-3.5 h-3.5" aria-hidden="true" /> : <span class="status-dot" />}
         {pill.text}
       </span>

packages/ui/src/components/instance/shell/right-panel/tabs/GitChangesTab.tsx

@@ -384,6 +384,7 @@ const GitChangesTab: Component<GitChangesTabProps> = (props) => {
                 onContextModeChange={props.onContextModeChange}
                 onWordWrapModeChange={props.onWordWrapModeChange}
               />
+
             </>
           }
         list={{ panel: renderGroupedList, overlay: renderGroupedList }}

packages/ui/src/components/message-section.tsx

@@ -638,18 +638,25 @@ export default function MessageSection(props: MessageSectionProps) {
   const autoPinHoldTargetKey = createMemo(() => {
     if (!holdLongAssistantRepliesEnabled()) return null
     const messageId = lastVisibleMessageId()
-    return isAssistantTextMessage(messageId) ? messageId : null
+    return isStreamingAssistantTextMessage(messageId) ? messageId : null
   })
 
   function toggleHoldLongAssistantReplies() {
     updatePreferences({ holdLongAssistantReplies: !holdLongAssistantRepliesEnabled() })
   }
 
-  function isAssistantTextMessage(messageId: string | null | undefined) {
+  function isStreamingAssistantTextMessage(messageId: string | null | undefined) {
     if (!messageId) return false
     const resolvedStore = store()
     const record = resolvedStore.getMessage(messageId)
     if (!record || record.role !== "assistant") return false
+    if (record.status !== "streaming") return false
+
+    const info = resolvedStore.getMessageInfo(messageId)
+    if (!info) return false
+    const timeInfo = info?.time as { end?: number } | undefined
+    const isStreaming = timeInfo?.end === undefined || timeInfo.end === 0
+    if (!isStreaming) return false
 
     const { orderedParts } = buildRecordDisplayData(props.instanceId, record)
     return orderedParts.some((part) => {

packages/ui/src/components/opencode-binary-selector.tsx

@@ -3,7 +3,7 @@ import { FolderOpen, Trash2, Check, AlertCircle, Loader2, Plus } from "lucide-so
 import { useConfig } from "../stores/preferences"
 import { serverApi } from "../lib/api-client"
 import FileSystemBrowserDialog from "./filesystem-browser-dialog"
-import { openNativeFileDialog, supportsNativeDialogs } from "../lib/native/native-functions"
+import { openNativeFileDialog, supportsNativeDialogsInCurrentWindow } from "../lib/native/native-functions"
 import { useI18n } from "../lib/i18n"
 import { getLogger } from "../lib/logger"
 const log = getLogger("actions")
@@ -38,7 +38,6 @@ const OpenCodeBinarySelector: Component<OpenCodeBinarySelectorProps> = (props) =
   const [versionInfo, setVersionInfo] = createSignal<Map<string, string>>(new Map<string, string>())
   const [validatingPaths, setValidatingPaths] = createSignal<Set<string>>(new Set<string>())
   const [isBinaryBrowserOpen, setIsBinaryBrowserOpen] = createSignal(false)
-  const nativeDialogsAvailable = supportsNativeDialogs()
  
   const binaries = () => opencodeBinaries()
 
@@ -139,7 +138,7 @@ const OpenCodeBinarySelector: Component<OpenCodeBinarySelectorProps> = (props) =
   async function handleBrowseBinary() {
     if (props.disabled) return
     setValidationError(null)
-    if (nativeDialogsAvailable) {
+    if (supportsNativeDialogsInCurrentWindow()) {
       const selected = await openNativeFileDialog({
         title: t("opencodeBinarySelector.dialog.title"),
       })

packages/ui/src/components/prompt-input.tsx

@@ -581,113 +581,6 @@ export default function PromptInput(props: PromptInputProps) {
                 autoCapitalize="off"
                 autocomplete="off"
               />
-              <div class="prompt-nav-buttons">
-                <div class="prompt-nav-column prompt-nav-column-left">
-                  <Show when={showVoiceInput()}>
-                    <button
-                      type="button"
-                      class={`prompt-voice-button prompt-nav-voice-button ${voiceInput.isRecording() ? "is-recording" : ""}`}
-                      onPointerDown={(event) => {
-                        event.preventDefault()
-                        beginVoicePress(event)
-                      }}
-                      onPointerUp={(event) => {
-                        event.preventDefault()
-                        endVoicePress()
-                      }}
-                      onPointerCancel={() => endVoicePress()}
-                      onLostPointerCapture={() => endVoicePress()}
-                      onKeyDown={(event) => {
-                        if (event.repeat) return
-                        if (event.key !== " " && event.key !== "Enter") return
-                        event.preventDefault()
-                        beginVoicePress(event)
-                      }}
-                      onKeyUp={(event) => {
-                        if (event.key !== " " && event.key !== "Enter") return
-                        event.preventDefault()
-                        endVoicePress()
-                      }}
-                      onBlur={() => endVoicePress()}
-                      disabled={!voiceInput.isRecording() && (props.disabled || voiceInput.isTranscribing() || !voiceInput.canUseVoiceInput())}
-                      aria-label={voiceInput.buttonTitle()}
-                      title={voiceInput.buttonTitle()}
-                    >
-                      <Show
-                        when={voiceInput.isRecording()}
-                        fallback={
-                          <Show when={voiceInput.isTranscribing()} fallback={<Mic class="h-4 w-4" aria-hidden="true" />}>
-                            <Loader2 class="h-4 w-4 animate-spin" aria-hidden="true" />
-                          </Show>
-                        }
-                      >
-                        <Mic class="h-4 w-4" aria-hidden="true" />
-                      </Show>
-                    </button>
-                  </Show>
-                  <Show when={showConversationToggle()}>
-                    <button
-                      type="button"
-                      class={`prompt-voice-button prompt-nav-voice-button prompt-conversation-button ${conversationModeEnabled() ? "is-active" : ""}`}
-                      onClick={() => toggleConversationMode(props.instanceId)}
-                      disabled={!conversationModeEnabled() && !canToggleConversationMode()}
-                      aria-pressed={conversationModeEnabled()}
-                      aria-label={conversationModeButtonTitle()}
-                      title={conversationModeButtonTitle()}
-                    >
-                      <Volume2 class="h-4 w-4" aria-hidden="true" />
-                    </button>
-                  </Show>
-                  <button
-                    type="button"
-                    class="prompt-clear-button"
-                    onClick={handleClearPrompt}
-                    disabled={!canClearPrompt()}
-                    aria-label={t("promptInput.clear.ariaLabel")}
-                    title={t("promptInput.clear.title")}
-                  >
-                    <X class="h-4 w-4" aria-hidden="true" />
-                  </button>
-                </div>
-                <div class="prompt-nav-column prompt-nav-column-right">
-                  <ExpandButton
-                    expandState={expandState}
-                    onToggleExpand={handleExpandToggle}
-                  />
-                  <Show when={hasHistory()}>
-                    <button
-                      type="button"
-                      class="prompt-history-button"
-                      onClick={() =>
-                        selectPreviousHistory({
-                          force: true,
-                          isPickerOpen: showPicker(),
-                          getTextarea: () => textareaRef,
-                        })
-                      }
-                      disabled={!canHistoryGoPrevious()}
-                      aria-label={t("promptInput.history.previousAriaLabel")}
-                    >
-                      <ArrowBigUp class="h-5 w-5" aria-hidden="true" />
-                    </button>
-                    <button
-                      type="button"
-                      class="prompt-history-button"
-                      onClick={() =>
-                        selectNextHistory({
-                          force: true,
-                          isPickerOpen: showPicker(),
-                          getTextarea: () => textareaRef,
-                        })
-                      }
-                      disabled={!canHistoryGoNext()}
-                      aria-label={t("promptInput.history.nextAriaLabel")}
-                    >
-                      <ArrowBigDown class="h-5 w-5" aria-hidden="true" />
-                    </button>
-                  </Show>
-                </div>
-              </div>
               <Show when={shouldShowOverlay()}>
                 <div class={`prompt-input-overlay keyboard-hints ${mode() === "shell" ? "shell-mode" : ""}`}>
                   <Show
@@ -742,6 +635,116 @@ export default function PromptInput(props: PromptInputProps) {
         </div>
 
         <div class="prompt-input-actions">
+          <div class="prompt-nav-buttons">
+            <div class="prompt-nav-column prompt-nav-column-left">
+              <Show when={showVoiceInput()}>
+                <button
+                  type="button"
+                  class={`prompt-voice-button prompt-nav-voice-button ${voiceInput.isRecording() ? "is-recording" : ""}`}
+                  onPointerDown={(event) => {
+                    event.preventDefault()
+                    beginVoicePress(event)
+                  }}
+                  onPointerUp={(event) => {
+                    event.preventDefault()
+                    endVoicePress()
+                  }}
+                  onPointerCancel={() => endVoicePress()}
+                  onLostPointerCapture={() => endVoicePress()}
+                  onKeyDown={(event) => {
+                    if (event.repeat) return
+                    if (event.key !== " " && event.key !== "Enter") return
+                    event.preventDefault()
+                    beginVoicePress(event)
+                  }}
+                  onKeyUp={(event) => {
+                    if (event.key !== " " && event.key !== "Enter") return
+                    event.preventDefault()
+                    endVoicePress()
+                  }}
+                  onBlur={() => endVoicePress()}
+                  disabled={!voiceInput.isRecording() && (props.disabled || voiceInput.isTranscribing() || !voiceInput.canUseVoiceInput())}
+                  aria-label={voiceInput.buttonTitle()}
+                  title={voiceInput.buttonTitle()}
+                >
+                  <Show
+                    when={voiceInput.isRecording()}
+                    fallback={
+                      <Show when={voiceInput.isTranscribing()} fallback={<Mic class="h-4 w-4" aria-hidden="true" />}>
+                        <Loader2 class="h-4 w-4 animate-spin" aria-hidden="true" />
+                      </Show>
+                    }
+                  >
+                    <Mic class="h-4 w-4" aria-hidden="true" />
+                  </Show>
+                </button>
+              </Show>
+              <Show when={showConversationToggle()}>
+                <button
+                  type="button"
+                  class={`prompt-voice-button prompt-nav-voice-button prompt-conversation-button ${conversationModeEnabled() ? "is-active" : ""}`}
+                  onClick={() => toggleConversationMode(props.instanceId)}
+                  disabled={!conversationModeEnabled() && !canToggleConversationMode()}
+                  aria-pressed={conversationModeEnabled()}
+                  aria-label={conversationModeButtonTitle()}
+                  title={conversationModeButtonTitle()}
+                >
+                  <Volume2 class="h-4 w-4" aria-hidden="true" />
+                </button>
+              </Show>
+              <button
+                type="button"
+                class="prompt-clear-button"
+                onClick={handleClearPrompt}
+                disabled={!canClearPrompt()}
+                aria-label={t("promptInput.clear.ariaLabel")}
+                title={t("promptInput.clear.title")}
+              >
+                <X class="h-4 w-4" aria-hidden="true" />
+              </button>
+            </div>
+            <div class="prompt-nav-column prompt-nav-column-right">
+              <ExpandButton
+                expandState={expandState}
+                onToggleExpand={handleExpandToggle}
+              />
+              <Show when={hasHistory()}>
+                <button
+                  type="button"
+                  class="prompt-history-button"
+                  onClick={() =>
+                    selectPreviousHistory({
+                      force: true,
+                      isPickerOpen: showPicker(),
+                      getTextarea: () => textareaRef,
+                    })
+                  }
+                  disabled={!canHistoryGoPrevious()}
+                  aria-label={t("promptInput.history.previousAriaLabel")}
+                >
+                  <ArrowBigUp class="h-5 w-5" aria-hidden="true" />
+                </button>
+                <button
+                  type="button"
+                  class="prompt-history-button"
+                  onClick={() =>
+                    selectNextHistory({
+                      force: true,
+                      isPickerOpen: showPicker(),
+                      getTextarea: () => textareaRef,
+                    })
+                  }
+                  disabled={!canHistoryGoNext()}
+                  aria-label={t("promptInput.history.nextAriaLabel")}
+                >
+                  <ArrowBigDown class="h-5 w-5" aria-hidden="true" />
+                </button>
+              </Show>
+            </div>
+          </div>
+        </div>
+
+        <div class="prompt-input-primary-actions">
           <button
             type="button"
             class="stop-button"

packages/ui/src/components/session-list.tsx

@@ -520,7 +520,11 @@ const SessionList: Component<SessionListProps> = (props) => {
                   <ChevronDown class={`w-3.5 h-3.5 transition-transform ${rowProps.expanded ? "" : "-rotate-90"}`} />
                 </span>
               </Show>
-              <span class={`status-indicator session-status session-status-list ${statusClassName()}`} title={statusTooltip()}>
+              <span
+                class={`status-indicator session-status session-status-list ${statusClassName()} notranslate`}
+                title={statusTooltip()}
+                translate="no"
+              >
                 {needsInput() ? <ShieldAlert class="w-3.5 h-3.5" aria-hidden="true" /> : <span class="status-dot" />}
                 {statusText()}
               </span>
@@ -736,7 +740,9 @@ const SessionList: Component<SessionListProps> = (props) => {
         <div class="session-list-header p-3 border-b border-base">
           {props.headerContent ?? (
             <div class="flex items-center justify-between gap-3">
-              <h3 class="text-sm font-semibold text-primary">{t("sessionList.header.title")}</h3>
+              <h3 class="text-sm font-semibold text-primary notranslate" translate="no">
+                {t("sessionList.header.title")}
+              </h3>
               <KeyboardHint
                 shortcuts={[keyboardRegistry.get("session-prev")!, keyboardRegistry.get("session-next")!].filter(Boolean)}
               />

packages/ui/src/components/settings-screen.tsx

@@ -15,25 +15,33 @@ import { OpenCodeSettingsSection } from "./settings/opencode-settings-section"
 import { RemoteAccessSettingsSection } from "./settings/remote-access-settings-section"
 import { SpeechSettingsSection } from "./settings/speech-settings-section"
 import { SideCarsSettingsSection } from "./settings/sidecars-settings-section"
+import { canOpenRemoteWindows } from "../lib/runtime-env"
 
 export const SettingsScreen: Component = () => {
   const { t } = useI18n()
 
-  const sections = createMemo(() => [
-    { id: "appearance" as SettingsSectionId, icon: Paintbrush, label: t("settings.nav.appearance") },
-    { id: "notifications" as SettingsSectionId, icon: Bell, label: t("settings.nav.notifications") },
-    { id: "remote" as SettingsSectionId, icon: MonitorUp, label: t("settings.nav.remote") },
-    { id: "speech" as SettingsSectionId, icon: Volume2, label: t("settings.nav.speech") },
-    { id: "sidecars" as SettingsSectionId, icon: Globe, label: t("settings.nav.sidecars") },
-    { id: "opencode" as SettingsSectionId, icon: Terminal, label: t("settings.nav.opencode") },
-  ])
+  const sections = createMemo(() => {
+    const items = [
+      { id: "appearance" as SettingsSectionId, icon: Paintbrush, label: t("settings.nav.appearance") },
+      { id: "notifications" as SettingsSectionId, icon: Bell, label: t("settings.nav.notifications") },
+      { id: "speech" as SettingsSectionId, icon: Volume2, label: t("settings.nav.speech") },
+      { id: "sidecars" as SettingsSectionId, icon: Globe, label: t("settings.nav.sidecars") },
+      { id: "opencode" as SettingsSectionId, icon: Terminal, label: t("settings.nav.opencode") },
+    ]
+
+    if (canOpenRemoteWindows()) {
+      items.splice(2, 0, { id: "remote" as SettingsSectionId, icon: MonitorUp, label: t("settings.nav.remote") })
+    }
+
+    return items
+  })
 
   const renderSection = () => {
     switch (activeSettingsSection()) {
       case "notifications":
         return <NotificationsSettingsSection />
       case "remote":
-        return <RemoteAccessSettingsSection />
+        return canOpenRemoteWindows() ? <RemoteAccessSettingsSection /> : <AppearanceSettingsSection />
       case "speech":
         return <SpeechSettingsSection />
       case "sidecars":

packages/ui/src/components/tool-call/diagnostics.ts

@@ -17,6 +17,8 @@ interface LspDiagnostic {
   range?: LspRange
 }
 
+export type DiagnosticsMap = Record<string, LspDiagnostic[] | undefined>
+
 export interface DiagnosticEntry {
   id: string
   severity: number
@@ -30,7 +32,7 @@ export interface DiagnosticEntry {
   column: number
 }
 
-function normalizeDiagnosticPath(path: string) {
+export function normalizeDiagnosticPath(path: string) {
   return path.replace(/\\/g, "/")
 }
 
@@ -53,49 +55,73 @@ export function extractDiagnostics(state: ToolState | undefined): DiagnosticEntr
 
   const metadata = (state.metadata || {}) as Record<string, unknown>
   const input = (state.input || {}) as Record<string, unknown>
-  const diagnosticsMap = metadata?.diagnostics as Record<string, LspDiagnostic[] | undefined> | undefined
+  const diagnosticsMap = metadata?.diagnostics as DiagnosticsMap | undefined
   if (!diagnosticsMap) return []
 
-  const preferredPath = [input.filePath, metadata.filePath, metadata.filepath, input.path].find(
-    (value) => typeof value === "string" && value.length > 0,
-  ) as string | undefined
+  return buildDiagnosticEntries(diagnosticsMap, [input.filePath, metadata.filePath, metadata.filepath, input.path].map((value) =>
+    typeof value === "string" ? value : undefined,
+  ))
+}
 
-  const normalizedPreferred = preferredPath ? normalizeDiagnosticPath(preferredPath) : undefined
-  if (!normalizedPreferred) return []
-  const candidateEntries = Object.entries(diagnosticsMap).filter(([, items]) => Array.isArray(items) && items.length > 0)
-  if (candidateEntries.length === 0) return []
+export function resolveDiagnosticsKey(diagnostics: DiagnosticsMap, preferredPaths: Array<string | undefined>): string | undefined {
+  if (Object.keys(diagnostics).length === 0) return undefined
 
-  const prioritizedEntries = candidateEntries.filter(([path]) => {
-    const normalized = normalizeDiagnosticPath(path)
-    return normalized === normalizedPreferred
-  })
+  const normalizedPreferred = preferredPaths
+    .filter((value): value is string => typeof value === "string" && value.length > 0)
+    .map((value) => normalizeDiagnosticPath(value))
 
-  if (prioritizedEntries.length === 0) return []
+  if (normalizedPreferred.length === 0) return undefined
+
+  for (const preferred of normalizedPreferred) {
+    if (diagnostics[preferred]) return preferred
+  }
+
+  const keys = Object.keys(diagnostics)
+
+  for (const preferred of normalizedPreferred) {
+    const direct = keys.find((key) => normalizeDiagnosticPath(key) === preferred)
+    if (direct) return direct
+  }
+
+  for (const preferred of normalizedPreferred) {
+    const suffixMatch = keys.find((key) => {
+      const normalized = normalizeDiagnosticPath(key)
+      return normalized === preferred || normalized.endsWith("/" + preferred)
+    })
+    if (suffixMatch) return suffixMatch
+  }
+
+  return undefined
+}
+
+export function buildDiagnosticEntries(diagnostics: DiagnosticsMap, preferredPaths: Array<string | undefined>): DiagnosticEntry[] {
+  const key = resolveDiagnosticsKey(diagnostics, preferredPaths)
+  if (!key) return []
+
+  const list = diagnostics[key]
+  if (!Array.isArray(list) || list.length === 0) return []
 
   const entries: DiagnosticEntry[] = []
-  for (const [pathKey, list] of prioritizedEntries) {
-    if (!Array.isArray(list)) continue
-    const normalizedPath = normalizeDiagnosticPath(pathKey)
-    for (let index = 0; index < list.length; index++) {
-      const diagnostic = list[index]
-      if (!diagnostic || typeof diagnostic.message !== "string") continue
-      const tone = determineSeverityTone(typeof diagnostic.severity === "number" ? diagnostic.severity : undefined)
-      const severityMeta = getSeverityMeta(tone)
-      const line = typeof diagnostic.range?.start?.line === "number" ? diagnostic.range.start.line + 1 : 0
-      const column = typeof diagnostic.range?.start?.character === "number" ? diagnostic.range.start.character + 1 : 0
-      entries.push({
-        id: `${normalizedPath}-${index}-${diagnostic.message}`,
-        severity: severityMeta.rank,
-        tone,
-        label: severityMeta.label,
-        icon: severityMeta.icon,
-        message: diagnostic.message,
-        filePath: normalizedPath,
-        displayPath: getRelativePath(normalizedPath),
-        line,
-        column,
-      })
-    }
+  const normalizedPath = normalizeDiagnosticPath(key)
+  for (let index = 0; index < list.length; index++) {
+    const diagnostic = list[index]
+    if (!diagnostic || typeof diagnostic.message !== "string") continue
+    const tone = determineSeverityTone(typeof diagnostic.severity === "number" ? diagnostic.severity : undefined)
+    const severityMeta = getSeverityMeta(tone)
+    const line = typeof diagnostic.range?.start?.line === "number" ? diagnostic.range.start.line + 1 : 0
+    const column = typeof diagnostic.range?.start?.character === "number" ? diagnostic.range.start.character + 1 : 0
+    entries.push({
+      id: `${normalizedPath}-${index}-${diagnostic.message}`,
+      severity: severityMeta.rank,
+      tone,
+      label: severityMeta.label,
+      icon: severityMeta.icon,
+      message: diagnostic.message,
+      filePath: normalizedPath,
+      displayPath: getRelativePath(normalizedPath),
+      line,
+      column,
+    })
   }
 
   return entries.sort((a, b) => a.severity - b.severity)

packages/ui/src/components/tool-call/renderers/apply-patch.tsx

@@ -1,107 +1,14 @@
 import { For, Show, createMemo } from "solid-js"
 import type { ToolRenderer } from "../types"
 import { getRelativePath, getToolName, isToolStateCompleted, readToolStatePayload } from "../utils"
-import type { DiagnosticEntry } from "../diagnostics"
-
-type LspRangePosition = {
-  line?: number
-  character?: number
-}
-
-type LspRange = {
-  start?: LspRangePosition
-}
-
-type LspDiagnostic = {
-  message?: string
-  severity?: number
-  range?: LspRange
-}
+import { buildDiagnosticEntries, type DiagnosticEntry, type DiagnosticsMap } from "../diagnostics"
 
 type ApplyPatchFile = {
   filePath?: string
   relativePath?: string
   type?: string
   diff?: string
-}
-
-function normalizePath(value: string): string {
-  return value.replace(/\\/g, "/")
-}
-
-function determineSeverityTone(severity?: number): DiagnosticEntry["tone"] {
-  if (severity === 1) return "error"
-  if (severity === 2) return "warning"
-  return "info"
-}
-
-function getSeverityMeta(tone: DiagnosticEntry["tone"], t: (key: string, params?: Record<string, unknown>) => string) {
-  if (tone === "error") return { label: t("toolCall.diagnostics.severity.error.short"), icon: "!", rank: 0 }
-  if (tone === "warning") return { label: t("toolCall.diagnostics.severity.warning.short"), icon: "!", rank: 1 }
-  return { label: t("toolCall.diagnostics.severity.info.short"), icon: "i", rank: 2 }
-}
-
-function resolveDiagnosticsKey(
-  diagnostics: Record<string, LspDiagnostic[] | undefined>,
-  file: ApplyPatchFile,
-): string | undefined {
-  const absolute = typeof file.filePath === "string" ? normalizePath(file.filePath) : ""
-  const relative = typeof file.relativePath === "string" ? normalizePath(file.relativePath) : ""
-  if (absolute && diagnostics[absolute]) return absolute
-  if (relative && diagnostics[relative]) return relative
-
-  if (absolute) {
-    const direct = Object.keys(diagnostics).find((key) => normalizePath(key) === absolute)
-    if (direct) return direct
-  }
-
-  if (relative) {
-    const suffixMatch = Object.keys(diagnostics).find((key) => {
-      const normalized = normalizePath(key)
-      return normalized === relative || normalized.endsWith("/" + relative)
-    })
-    if (suffixMatch) return suffixMatch
-  }
-
-  return undefined
-}
-
-function buildDiagnostics(
-  diagnostics: Record<string, LspDiagnostic[] | undefined>,
-  file: ApplyPatchFile,
-  t: (key: string, params?: Record<string, unknown>) => string,
-): DiagnosticEntry[] {
-  const key = resolveDiagnosticsKey(diagnostics, file)
-  if (!key) return []
-  const list = diagnostics[key]
-  if (!Array.isArray(list) || list.length === 0) return []
-
-  const normalizedKey = normalizePath(key)
-  const entries: DiagnosticEntry[] = []
-  for (let index = 0; index < list.length; index++) {
-    const diagnostic = list[index]
-    if (!diagnostic || typeof diagnostic.message !== "string") continue
-
-    const tone = determineSeverityTone(typeof diagnostic.severity === "number" ? diagnostic.severity : undefined)
-    const severityMeta = getSeverityMeta(tone, t)
-    const line = typeof diagnostic.range?.start?.line === "number" ? diagnostic.range.start.line + 1 : 0
-    const column = typeof diagnostic.range?.start?.character === "number" ? diagnostic.range.start.character + 1 : 0
-
-    entries.push({
-      id: `${normalizedKey}-${index}-${diagnostic.message}`,
-      severity: severityMeta.rank,
-      tone,
-      label: severityMeta.label,
-      icon: severityMeta.icon,
-      message: diagnostic.message,
-      filePath: normalizedKey,
-      displayPath: getRelativePath(normalizedKey),
-      line,
-      column,
-    })
-  }
-
-  return entries.sort((a, b) => a.severity - b.severity)
+  patch?: string
 }
 
 function DiagnosticsInline(props: { entries: DiagnosticEntry[]; label: string; t: (key: string, params?: Record<string, unknown>) => string }) {
@@ -164,7 +71,7 @@ export const applyPatchRenderer: ToolRenderer = {
     })
     const diagnosticsMap = createMemo(() => {
       const value = (payload.metadata as any).diagnostics
-      return value && typeof value === "object" ? (value as Record<string, LspDiagnostic[] | undefined>) : {}
+      return value && typeof value === "object" ? (value as DiagnosticsMap) : {}
     })
 
     if (files().length === 0) {
@@ -178,9 +85,9 @@ export const applyPatchRenderer: ToolRenderer = {
         <For each={files()}>
           {(file, index) => {
             const labelBase = file.relativePath || file.filePath || t("toolCall.applyPatch.fileFallback", { number: index() + 1 })
-            const diffText = typeof file.diff === "string" ? file.diff : ""
+            const diffText = typeof file.diff === "string" ? file.diff : typeof file.patch === "string" ? file.patch : ""
             const filePath = typeof file.filePath === "string" ? file.filePath : file.relativePath
-            const entries = createMemo(() => buildDiagnostics(diagnosticsMap(), file, t))
+            const entries = createMemo(() => buildDiagnosticEntries(diagnosticsMap(), [file.filePath, file.relativePath]))
 
             return (
               <div class="tool-call-apply-patch-file">

packages/ui/src/components/virtual-follow-list.tsx

@@ -3,7 +3,6 @@ import { Virtualizer, type VirtualizerHandle } from "virtua/solid"
 
 const DEFAULT_SCROLL_SENTINEL_MARGIN_PX = 48
 const DEFAULT_HOLD_TARGET_TOP_THRESHOLD_PX = 8
-const DEFAULT_HOLD_TARGET_TOP_OVERSHOOT_PX = 128
 const USER_SCROLL_INTENT_WINDOW_MS = 600
 const SCROLL_INTENT_KEYS = new Set(["ArrowUp", "ArrowDown", "PageUp", "PageDown", "Home", "End", " ", "Spacebar"])
 
@@ -162,8 +161,9 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
   const [showScrollTopButton, setShowScrollTopButton] = createSignal(false)
   const [showScrollBottomButton, setShowScrollBottomButton] = createSignal(false)
   const [activeKey, setActiveKey] = createSignal<string | null>(null)
-  const [heldItemCount, setHeldItemCount] = createSignal<number | null>(null)
-  const effectiveSuspendAutoPinToBottom = () => externalSuspendAutoPinToBottom() || heldItemCount() !== null
+  const [activeHoldTargetKey, setActiveHoldTargetKey] = createSignal<string | null>(null)
+  const [didTriggerHoldForCurrentTarget, setDidTriggerHoldForCurrentTarget] = createSignal(false)
+  const effectiveSuspendAutoPinToBottom = () => externalSuspendAutoPinToBottom() || activeHoldTargetKey() !== null
 
   const scrollButtonsCount = createMemo(() => (showScrollTopButton() ? 1 : 0) + (showScrollBottomButton() ? 1 : 0))
   const itemElements = new Map<string, HTMLDivElement>()
@@ -197,6 +197,17 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
     return performance.now() <= userScrollIntentUntil
   }
 
+  function clearAutoPinHold(options?: { resumeBottom?: boolean }) {
+    if (activeHoldTargetKey() === null) return
+    setActiveHoldTargetKey(null)
+    if (options?.resumeBottom && autoScroll()) {
+      requestAnimationFrame(() => {
+        if (!autoScroll() || activeHoldTargetKey() !== null) return
+        scrollToBottom(false)
+      })
+    }
+  }
+
   function attachScrollIntentListeners(element: HTMLDivElement | undefined) {
     if (detachScrollIntentListeners) {
       detachScrollIntentListeners()
@@ -258,7 +269,7 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
     // scrollbar). If follow mode stays enabled, the next render notification
     // snaps the list straight back to bottom. A real upward viewport move away
     // from bottom should always break follow unless a hold target is active.
-    if (wasPinnedAtBottom && scrolledUp && autoScroll() && !atBottom && heldItemCount() === null) {
+    if (wasPinnedAtBottom && scrolledUp && autoScroll() && !atBottom && activeHoldTargetKey() === null) {
       setAutoScroll(false)
       lastObservedPinnedAtBottom = false
       return
@@ -266,9 +277,7 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
 
     // Sync autoScroll state based on scroll position if it was a user scroll
     if (hasUserScrollIntent()) {
-      if (atBottom && heldItemCount() !== null) {
-        setHeldItemCount(null)
-      }
+      clearAutoPinHold()
       if (atBottom && !autoScroll()) {
         setAutoScroll(true)
       } else if (!atBottom && autoScroll()) {
@@ -304,7 +313,6 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
       }
     }
     updateScrollButtons()
-    updateAutoPinHold()
     props.onScroll?.()
 
     // Find active key (roughly the first visible item)
@@ -336,25 +344,14 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
 
   function updateAutoPinHold() {
     const element = scrollElement()
-    const itemCount = props.items().length
-    const heldCount = heldItemCount()
     if (!element) return
 
-    if (heldCount !== null) {
-      if (itemCount > heldCount) {
-        setHeldItemCount(null)
-        if (autoScroll()) {
-          requestAnimationFrame(() => {
-            if (!autoScroll()) return
-            scrollToBottom(false)
-          })
-        }
-        return
-      }
+    const targetKey = holdTargetKey()
+    const heldKey = activeHoldTargetKey()
 
-      if (itemCount < heldCount) {
-        setHeldItemCount(null)
-        return
+    if (heldKey !== null) {
+      if (targetKey !== heldKey) {
+        clearAutoPinHold({ resumeBottom: true })
       }
 
       return
@@ -362,9 +359,8 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
 
     if (!autoScroll()) return
     if (externalSuspendAutoPinToBottom()) return
-
-    const targetKey = holdTargetKey()
     if (!targetKey) return
+    if (didTriggerHoldForCurrentTarget()) return
 
     const itemWrapper = itemElements.get(targetKey)
     if (!itemWrapper) return
@@ -375,12 +371,13 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
     const relativeTop = targetRect.top - containerRect.top
     const exceedsViewport = targetRect.height > element.clientHeight
 
-    if (
-      exceedsViewport &&
-      relativeTop <= holdTargetTopThresholdPx() &&
-      relativeTop >= holdTargetTopThresholdPx() - DEFAULT_HOLD_TARGET_TOP_OVERSHOOT_PX
-    ) {
-      setHeldItemCount(itemCount)
+    if (exceedsViewport && relativeTop < 0) {
+      const alignDelta = relativeTop - holdTargetTopThresholdPx()
+      if (Math.abs(alignDelta) > 1) {
+        element.scrollTop = Math.max(0, element.scrollTop + alignDelta)
+      }
+      setActiveHoldTargetKey(targetKey)
+      setDidTriggerHoldForCurrentTarget(true)
     }
   }
 
@@ -396,7 +393,7 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
     },
     notifyContentRendered: () => {
       updateAutoPinHold()
-      if (heldItemCount() !== null) return
+      if (activeHoldTargetKey() !== null) return
       if (autoScroll() && !effectiveSuspendAutoPinToBottom()) {
         scrollToBottom(true)
       }
@@ -412,14 +409,23 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
 
   createEffect(on(() => props.resetKey?.(), () => {
     itemElements.clear()
-    setHeldItemCount(null)
+    setActiveHoldTargetKey(null)
+    setDidTriggerHoldForCurrentTarget(false)
     lastObservedScrollOffset = 0
     lastObservedPinnedAtBottom = false
   }))
 
+  createEffect(on(holdTargetKey, (nextTargetKey, prevTargetKey) => {
+    if (nextTargetKey !== prevTargetKey && didTriggerHoldForCurrentTarget()) {
+      setDidTriggerHoldForCurrentTarget(false)
+    }
+    if (activeHoldTargetKey() === null) return
+    if (nextTargetKey === activeHoldTargetKey()) return
+    clearAutoPinHold({ resumeBottom: true })
+  }, { defer: true }))
+
   // Handle autoScroll (Follow) on items change
   createEffect(on(() => props.items().length, (len, prevLen) => {
-    updateAutoPinHold()
     if (len > (prevLen ?? 0) && autoScroll() && !effectiveSuspendAutoPinToBottom() && !suppressAutoScrollOnce) {
       requestAnimationFrame(() => scrollToBottom(true))
     }
@@ -428,16 +434,11 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
 
   // Handle followToken change
   createEffect(on(() => props.followToken?.(), () => {
-    updateAutoPinHold()
     if (autoScroll() && !effectiveSuspendAutoPinToBottom()) {
       scrollToBottom(true)
     }
   }, { defer: true }))
 
-  createEffect(on(() => holdTargetKey(), () => {
-    updateAutoPinHold()
-  }, { defer: true }))
-
   // Reset state on resetKey change
   createEffect(on(() => props.resetKey?.(), (nextKey) => {
     if (nextKey === lastResetKey) return
@@ -460,13 +461,6 @@ export default function VirtualFollowList<T>(props: VirtualFollowListProps<T>) {
     }
   })
 
-  createEffect(() => {
-    if (typeof window === "undefined") return
-    const handleResize = () => updateAutoPinHold()
-    window.addEventListener("resize", handleResize)
-    onCleanup(() => window.removeEventListener("resize", handleResize))
-  })
-
   return (
     <div class="virtual-follow-list-shell" ref={shellElement => {
       setShellElement(shellElement)

packages/ui/src/components/worktree-selector.tsx

@@ -26,6 +26,14 @@ type WorktreeOption =
   | { kind: "action"; key: "__create__"; label: string }
   | { kind: "worktree"; key: string; slug: string; directory: string; raw: WorktreeDescriptor }
 
+type DeleteErrorKind = "localChanges" | "inUse" | "notFound" | "permissionDenied" | "unknown"
+
+type DeleteErrorDetails = {
+  summary: string
+  causeLabel: string
+  nextStep: string
+}
+
 function preventSelectPress(event: PointerEvent | MouseEvent) {
   // Prevent Select.Item from treating this as a selection.
   // We intentionally prevent default to stop Kobalte's internal press handling.
@@ -64,6 +72,57 @@ function relativePath(fromDir: string, toDir: string): string {
   return relParts.join("/") || "."
 }
 
+function extractDeleteErrorMessage(input: string): string {
+  const trimmed = (input ?? "").trim()
+  if (!trimmed) return ""
+
+  try {
+    const parsed = JSON.parse(trimmed) as { error?: unknown }
+    if (typeof parsed?.error === "string" && parsed.error.trim()) {
+      return parsed.error.trim()
+    }
+  } catch {
+    // Fall back to the raw string when the backend returned plain text.
+  }
+
+  return trimmed
+}
+
+function classifyDeleteError(message: string): DeleteErrorKind {
+  const normalized = message.toLowerCase()
+
+  if (
+    normalized.includes("modified or untracked files") ||
+    normalized.includes("contains modified") ||
+    normalized.includes("contains untracked") ||
+    normalized.includes("use --force to delete it")
+  ) {
+    return "localChanges"
+  }
+
+  if (
+    normalized.includes("in use") ||
+    normalized.includes("resource busy") ||
+    normalized.includes("device or resource busy") ||
+    normalized.includes("ebusy") ||
+    normalized.includes("file is being used") ||
+    normalized.includes("process cannot access the file") ||
+    normalized.includes("directory not empty")
+  ) {
+    return "inUse"
+  }
+
+  if (normalized.includes("not found") || normalized.includes("no such file") || normalized.includes("cannot find")) {
+    return "notFound"
+  }
+
+  if (normalized.includes("permission denied") || normalized.includes("access is denied") || normalized.includes("eperm")) {
+    return "permissionDenied"
+  }
+
+  return "unknown"
+}
+
 interface WorktreeSelectorProps {
   instanceId: string
   sessionId: string
@@ -80,6 +139,7 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
   const [deleteTarget, setDeleteTarget] = createSignal<WorktreeOption & { kind: "worktree" } | null>(null)
   const [forceDelete, setForceDelete] = createSignal(false)
   const [isDeleting, setIsDeleting] = createSignal(false)
+  const [deleteError, setDeleteError] = createSignal<string | null>(null)
 
   const session = createMemo(() => sessions().get(props.instanceId)?.get(props.sessionId))
   const isChildSession = createMemo(() => Boolean(session()?.parentId))
@@ -114,10 +174,16 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
   const openDeleteDialog = (opt: WorktreeOption & { kind: "worktree" }) => {
     if (opt.slug === "root") return
     setForceDelete(false)
+    setDeleteError(null)
     setDeleteTarget(opt)
     setDeleteOpen(true)
   }
 
+  const closeDeleteDialog = () => {
+    setDeleteOpen(false)
+    setDeleteError(null)
+  }
+
   const repoRoot = createMemo(() => {
     const list = getWorktrees(props.instanceId)
     return list.find((wt) => wt.slug === "root")?.directory ?? ""
@@ -139,6 +205,89 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
     }
   }
 
+  const sanitizeDeleteError = (input: string) => {
+    let sanitized = (input ?? "").trim()
+    if (!sanitized) {
+      return t("instanceShell.worktree.delete.error.fallback")
+    }
+
+    sanitized = sanitized.replace(/[A-Za-z]:[\\/][^\r\n"']+/g, "[path]")
+    sanitized = sanitized.replace(/\\Users\\[^\\/\r\n]+/gi, "\\Users\\[user]")
+    sanitized = sanitized.replace(/\/Users\/[^/\r\n]+/g, "/Users/[user]")
+    sanitized = sanitized.replace(/\/home\/[^/\r\n]+/g, "/home/[user]")
+    sanitized = sanitized.replace(/([A-Za-z]:[\\/])?Users[\\/][^\\/\r\n]+/gi, "$1Users/[user]")
+    return sanitized
+  }
+
+  const handleCopyDeleteError = async (mode: "raw" | "sanitized") => {
+    const raw = deleteError()
+    if (!raw) return
+    const text = mode === "sanitized" ? sanitizeDeleteError(raw) : raw
+
+    try {
+      const ok = await copyToClipboard(text)
+      showToastNotification({
+        message: ok
+          ? t(mode === "sanitized" ? "instanceShell.worktree.delete.error.copySanitizedSuccess" : "instanceShell.worktree.delete.error.copySuccess")
+          : t("instanceShell.worktree.delete.error.copyFailure"),
+        variant: ok ? "success" : "error",
+      })
+    } catch (error) {
+      log.error("Failed to copy delete worktree error", error)
+      showToastNotification({
+        message: t("instanceShell.worktree.delete.error.copyFailure"),
+        variant: "error",
+      })
+    }
+  }
+
+  const deleteErrorDetails = createMemo<DeleteErrorDetails | null>(() => {
+    const raw = deleteError()
+    if (!raw) return null
+
+    const parsed = extractDeleteErrorMessage(raw)
+    const kind = classifyDeleteError(parsed)
+
+    switch (kind) {
+      case "localChanges":
+        return {
+          summary: t("instanceShell.worktree.delete.error.summary.localChanges"),
+          causeLabel: t("instanceShell.worktree.delete.error.cause.localChanges"),
+          nextStep: t("instanceShell.worktree.delete.error.nextStep.localChanges"),
+        }
+      case "inUse":
+        return {
+          summary: t("instanceShell.worktree.delete.error.summary.inUse"),
+          causeLabel: t("instanceShell.worktree.delete.error.cause.inUse"),
+          nextStep: t("instanceShell.worktree.delete.error.nextStep.inUse"),
+        }
+      case "notFound":
+        return {
+          summary: t("instanceShell.worktree.delete.error.summary.notFound"),
+          causeLabel: t("instanceShell.worktree.delete.error.cause.notFound"),
+          nextStep: t("instanceShell.worktree.delete.error.nextStep.notFound"),
+        }
+      case "permissionDenied":
+        return {
+          summary: t("instanceShell.worktree.delete.error.summary.permissionDenied"),
+          causeLabel: t("instanceShell.worktree.delete.error.cause.permissionDenied"),
+          nextStep: t("instanceShell.worktree.delete.error.nextStep.permissionDenied"),
+        }
+      default:
+        return {
+          summary: t("instanceShell.worktree.delete.error.summary.unknown"),
+          causeLabel: t("instanceShell.worktree.delete.error.cause.unknown"),
+          nextStep: t("instanceShell.worktree.delete.error.nextStep.unknown"),
+        }
+    }
+  })
+
+  const displayDeleteError = createMemo(() => {
+    const raw = deleteError()
+    if (!raw) return null
+    return extractDeleteErrorMessage(raw)
+  })
+
   const handleChange = async (value: WorktreeOption | null) => {
     if (worktreesUnavailable()) return
     if (!value) return
@@ -343,22 +492,23 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
         </Dialog.Portal>
       </Dialog>
 
-      <Dialog open={deleteOpen()} onOpenChange={(open) => !open && setDeleteOpen(false)}>
+      <Dialog open={deleteOpen()} onOpenChange={(open) => !open && closeDeleteDialog()}>
         <Dialog.Portal>
           <Dialog.Overlay class="modal-overlay" />
-          <div class="fixed inset-0 z-50 flex items-center justify-center p-4">
-            <Dialog.Content class="modal-surface w-full max-w-md p-6 flex flex-col gap-5">
+          <div class="fixed inset-0 z-50 flex items-center justify-center p-3 md:p-4">
+            <Dialog.Content class="modal-surface w-[clamp(640px,45vw,960px)] max-w-[calc(100vw-2rem)] max-h-[calc(100vh-2rem)] overflow-y-auto p-4 flex flex-col gap-3">
               <div>
                 <Dialog.Title class="text-xl font-semibold text-primary">Delete worktree</Dialog.Title>
-                <Dialog.Description class="text-sm text-secondary mt-2">Removes the git worktree checkout directory for this branch.</Dialog.Description>
+                <Dialog.Description class="text-sm text-secondary mt-1">Deletes this branch worktree and its local folder.</Dialog.Description>
               </div>
 
               <Show when={deleteTarget()}>
                 {(target) => (
-                  <div class="rounded-lg border border-base bg-surface-secondary p-4">
-                    <p class="text-xs font-medium text-muted uppercase tracking-wide mb-1">Worktree</p>
-                    <p class="text-sm font-mono text-primary break-all">{target().slug}</p>
-                    <p class="text-[11px] text-secondary mt-2 break-all font-mono">{target().directory}</p>
+                  <div class="rounded-lg border border-base bg-surface-secondary px-3 py-2">
+                    <p class="text-sm text-primary">
+                      Worktree <span class="font-semibold font-mono">&quot;{target().slug}&quot;</span>
+                    </p>
+                    <p class="text-[11px] text-secondary break-all font-mono leading-5">{target().directory}</p>
                   </div>
                 )}
               </Show>
@@ -377,7 +527,7 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
                 <button
                   type="button"
                   class="selector-button selector-button-secondary"
-                  onClick={() => setDeleteOpen(false)}
+                  onClick={closeDeleteDialog}
                   disabled={isDeleting()}
                 >
                   Cancel
@@ -389,12 +539,13 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
                   onClick={() => {
                     const target = deleteTarget()
                     if (!target) {
-                      setDeleteOpen(false)
+                      closeDeleteDialog()
                       return
                     }
 
                     void (async () => {
                       setIsDeleting(true)
+                      setDeleteError(null)
                       await deleteWorktree(props.instanceId, target.slug, { force: forceDelete() })
                       await reloadWorktrees(props.instanceId)
                       await reloadWorktreeMap(props.instanceId)
@@ -403,15 +554,12 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
                         await setWorktreeSlugForParentSession(props.instanceId, parentId(), "root")
                       }
 
-                      setDeleteOpen(false)
+                      closeDeleteDialog()
                       showToastNotification({ message: `Deleted worktree ${target.slug}`, variant: "success" })
                     })()
                       .catch((error) => {
                         log.warn("Failed to delete worktree", error)
-                        showToastNotification({
-                          message: error instanceof Error ? error.message : "Failed to delete worktree",
-                          variant: "error",
-                        })
+                        setDeleteError(error instanceof Error ? error.message : t("instanceShell.worktree.delete.error.fallback"))
                       })
                       .finally(() => {
                         setIsDeleting(false)
@@ -421,6 +569,56 @@ export default function WorktreeSelector(props: WorktreeSelectorProps) {
                   {isDeleting() ? "Deleting..." : "Delete"}
                 </button>
               </div>
+
+              <Show when={displayDeleteError()}>
+                {(message) => (
+                  <div class="rounded-lg border border-danger bg-danger/10 p-3 flex flex-col gap-2">
+                    <div class="flex flex-col gap-1">
+                      <p class="text-xs font-medium text-danger uppercase tracking-wide">
+                        {t("instanceShell.worktree.delete.error.title")}
+                      </p>
+                      <Show when={deleteErrorDetails()}>
+                        {(details) => (
+                          <>
+                            <p class="text-sm text-primary font-medium">{details().summary}</p>
+                            <p class="text-sm text-secondary">
+                              <span class="font-medium text-primary">{t("instanceShell.worktree.delete.error.causeLabel")}</span>{" "}
+                              {details().causeLabel}
+                            </p>
+                            <p class="text-sm text-secondary">
+                              <span class="font-medium text-primary">{t("instanceShell.worktree.delete.error.nextStepLabel")}</span>{" "}
+                              {details().nextStep}
+                            </p>
+                          </>
+                        )}
+                      </Show>
+                    </div>
+
+                    <pre class="max-h-[40vh] overflow-auto whitespace-pre-wrap break-all rounded border border-danger/30 bg-surface-primary px-3 py-2 text-xs text-primary select-text leading-5">{message()}</pre>
+
+                    <div class="grid grid-cols-2 gap-2">
+                      <button
+                        type="button"
+                        class="selector-button selector-button-secondary"
+                        onClick={() => {
+                          void handleCopyDeleteError("raw")
+                        }}
+                      >
+                        {t("instanceShell.worktree.delete.error.copyRaw")}
+                      </button>
+                      <button
+                        type="button"
+                        class="selector-button selector-button-secondary"
+                        onClick={() => {
+                          void handleCopyDeleteError("sanitized")
+                        }}
+                      >
+                        {t("instanceShell.worktree.delete.error.copySanitized")}
+                      </button>
+                    </div>
+                  </div>
+                )}
+              </Show>
             </Dialog.Content>
           </div>
         </Dialog.Portal>

packages/ui/src/lib/api-client.ts

@@ -264,6 +264,9 @@ export const serverApi = {
       body: JSON.stringify(payload),
     })
   },
+  deleteRemoteProxySession(id: string): Promise<void> {
+    return request(`/api/remote-proxy/sessions/${encodeURIComponent(id)}`, { method: "DELETE" })
+  },
   fetchAuthStatus(): Promise<{ authenticated: boolean; username?: string; passwordUserProvided?: boolean }> {
     return request<{ authenticated: boolean; username?: string; passwordUserProvided?: boolean }>("/api/auth/status")
   },

packages/ui/src/lib/hooks/use-folder-drop.ts

@@ -7,7 +7,7 @@ import {
   normalizeDroppedDirectoryPaths,
   supportsDesktopFolderDrop,
 } from "../native/desktop-file-drop"
-import { runtimeEnv } from "../runtime-env"
+import { isTauriHost } from "../runtime-env"
 
 interface UseFolderDropOptions {
   enabled: Accessor<boolean>
@@ -94,7 +94,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
 
   const bind: FolderDropBindings = {
     onDragEnter(event) {
-      if (!isSupported || runtimeEnv.host === "tauri" || !options.enabled() || !containsFileDrop(event)) {
+      if (!isSupported || isTauriHost() || !options.enabled() || !containsFileDrop(event)) {
         return
       }
       event.preventDefault()
@@ -102,7 +102,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
       setIsActive(true)
     },
     onDragOver(event) {
-      if (!isSupported || runtimeEnv.host === "tauri" || !options.enabled() || !containsFileDrop(event)) {
+      if (!isSupported || isTauriHost() || !options.enabled() || !containsFileDrop(event)) {
         return
       }
       event.preventDefault()
@@ -112,7 +112,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
       setIsActive(true)
     },
     onDragLeave(event) {
-      if (!isSupported || runtimeEnv.host === "tauri" || !containsFileDrop(event)) {
+      if (!isSupported || isTauriHost() || !containsFileDrop(event)) {
         return
       }
       event.preventDefault()
@@ -134,7 +134,7 @@ export function useFolderDrop(options: UseFolderDropOptions): {
         return
       }
 
-      if (runtimeEnv.host === "tauri") {
+      if (isTauriHost()) {
         reset()
         return
       }

packages/ui/src/lib/i18n/messages/en/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "Connecting...",
   "folderSelection.servers.dialog.errorRequired": "Server name and URL are required.",
   "folderSelection.servers.dialog.errorConnect": "Could not connect to the remote server.",
+  "folderSelection.servers.certificateInstall.title": "Install Local Certificate",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad needs to install a local certificate to open self-signed HTTPS remote windows. This certificate is only used for local desktop proxy traffic on your machine. Your operating system may show a second certificate prompt after this.",
+  "folderSelection.servers.certificateInstall.confirmLabel": "Continue",
+  "folderSelection.servers.certificateInstall.cancelLabel": "Cancel",
+  "folderSelection.servers.certificateInstall.cancelled": "CodeNomad needs the local certificate to be trusted before it can open self-signed HTTPS remote windows.",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/en/instance.ts

@@ -158,6 +158,30 @@ export const instanceMessages = {
   "instanceShell.diff.enableWordWrap": "Enable word wrap",
   "instanceShell.diff.disableWordWrap": "Disable word wrap",
   "instanceShell.worktree.create": "+ Create worktree",
+  "instanceShell.worktree.delete.error.title": "Delete failed",
+  "instanceShell.worktree.delete.error.fallback": "Failed to delete worktree",
+  "instanceShell.worktree.delete.error.causeLabel": "Likely cause:",
+  "instanceShell.worktree.delete.error.nextStepLabel": "Suggested next step:",
+  "instanceShell.worktree.delete.error.summary.localChanges": "Git refused to delete this worktree because it has modified or untracked files.",
+  "instanceShell.worktree.delete.error.summary.inUse": "CodeNomad could not delete this worktree because something is still using files in the directory.",
+  "instanceShell.worktree.delete.error.summary.notFound": "CodeNomad could not delete this worktree because the directory or worktree record was not found.",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "CodeNomad could not delete this worktree because access to the directory was denied.",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad could not delete this worktree.",
+  "instanceShell.worktree.delete.error.cause.localChanges": "Local changes",
+  "instanceShell.worktree.delete.error.cause.inUse": "Another process is using this worktree",
+  "instanceShell.worktree.delete.error.cause.notFound": "The worktree directory or record is missing",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "Insufficient filesystem permissions",
+  "instanceShell.worktree.delete.error.cause.unknown": "The backend returned an unclassified delete error",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "Enable Force delete if you want to discard local changes, or clean the worktree and try again.",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "Close terminals, editors, watchers, or background processes using this worktree and try again.",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "Refresh worktrees and try again. If it still fails, inspect the worktree path on disk.",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "Check filesystem permissions and close applications that may be locking this directory, then try again.",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "Review the raw error below for details, then retry after addressing the reported problem.",
+  "instanceShell.worktree.delete.error.copyRaw": "Copy error",
+  "instanceShell.worktree.delete.error.copySanitized": "Copy sanitized",
+  "instanceShell.worktree.delete.error.copySuccess": "Copied delete error",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "Copied sanitized delete error",
+  "instanceShell.worktree.delete.error.copyFailure": "Failed to copy delete error",
 
   "instanceShell.plan.noSessionSelected": "Select a session to view plan.",
   "instanceShell.plan.empty": "Nothing planned yet.",

packages/ui/src/lib/i18n/messages/es/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "Conectando...",
   "folderSelection.servers.dialog.errorRequired": "El nombre y la URL del servidor son obligatorios.",
   "folderSelection.servers.dialog.errorConnect": "No se pudo conectar al servidor remoto.",
+  "folderSelection.servers.certificateInstall.title": "Instalar certificado local",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad necesita instalar un certificado local para abrir ventanas remotas HTTPS autofirmadas. Este certificado solo se usa para el trafico del proxy local de escritorio en tu equipo. Es posible que tu sistema operativo muestre un segundo aviso de certificado despues de esto.",
+  "folderSelection.servers.certificateInstall.confirmLabel": "Continuar",
+  "folderSelection.servers.certificateInstall.cancelLabel": "Cancelar",
+  "folderSelection.servers.certificateInstall.cancelled": "CodeNomad necesita que el certificado local sea de confianza antes de poder abrir ventanas remotas HTTPS autofirmadas.",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/es/instance.ts

@@ -166,6 +166,30 @@ export const instanceMessages = {
   "instanceShell.backgroundProcesses.actions.output": "Salida",
   "instanceShell.backgroundProcesses.actions.stop": "Detener",
   "instanceShell.backgroundProcesses.actions.terminate": "Terminar",
+  "instanceShell.worktree.delete.error.title": "Error al eliminar",
+  "instanceShell.worktree.delete.error.fallback": "Error al eliminar el worktree",
+  "instanceShell.worktree.delete.error.causeLabel": "Causa probable:",
+  "instanceShell.worktree.delete.error.nextStepLabel": "Siguiente paso sugerido:",
+  "instanceShell.worktree.delete.error.summary.localChanges": "Git rechazo la eliminacion de este worktree porque contiene archivos modificados o sin seguimiento.",
+  "instanceShell.worktree.delete.error.summary.inUse": "CodeNomad no pudo eliminar este worktree porque algo sigue usando archivos dentro del directorio.",
+  "instanceShell.worktree.delete.error.summary.notFound": "CodeNomad no pudo eliminar este worktree porque no se encontro el directorio o el registro del worktree.",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "CodeNomad no pudo eliminar este worktree porque se denego el acceso al directorio.",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad no pudo eliminar este worktree.",
+  "instanceShell.worktree.delete.error.cause.localChanges": "Cambios locales",
+  "instanceShell.worktree.delete.error.cause.inUse": "Otro proceso esta usando este worktree",
+  "instanceShell.worktree.delete.error.cause.notFound": "Falta el directorio o el registro del worktree",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "Permisos insuficientes del sistema de archivos",
+  "instanceShell.worktree.delete.error.cause.unknown": "El backend devolvio un error de eliminacion sin clasificar",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "Activa Forzar eliminacion si quieres descartar los cambios locales, o limpia el worktree e intentalo de nuevo.",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "Cierra terminales, editores, observadores o procesos en segundo plano que usen este worktree y vuelve a intentarlo.",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "Recarga los worktrees y vuelve a intentarlo. Si sigue fallando, inspecciona la ruta del worktree en disco.",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "Revisa los permisos del sistema de archivos y cierra aplicaciones que puedan estar bloqueando este directorio, luego vuelve a intentarlo.",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "Revisa el error sin procesar de abajo para ver los detalles y vuelve a intentarlo despues de corregir el problema indicado.",
+  "instanceShell.worktree.delete.error.copyRaw": "Copiar error",
+  "instanceShell.worktree.delete.error.copySanitized": "Copiar saneado",
+  "instanceShell.worktree.delete.error.copySuccess": "Error de eliminacion copiado",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "Error de eliminacion saneado copiado",
+  "instanceShell.worktree.delete.error.copyFailure": "No se pudo copiar el error de eliminacion",
 
   "versionPill.appWithVersion": "App {version}",
   "versionPill.ui": "UI",

packages/ui/src/lib/i18n/messages/fr/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "Connexion...",
   "folderSelection.servers.dialog.errorRequired": "Le nom du serveur et l'URL sont requis.",
   "folderSelection.servers.dialog.errorConnect": "Impossible de se connecter au serveur distant.",
+  "folderSelection.servers.certificateInstall.title": "Installer le certificat local",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad doit installer un certificat local pour ouvrir des fenetres distantes HTTPS auto-signees. Ce certificat est utilise uniquement pour le trafic du proxy local de bureau sur votre machine. Votre systeme d'exploitation peut afficher une seconde invite de certificat apres cela.",
+  "folderSelection.servers.certificateInstall.confirmLabel": "Continuer",
+  "folderSelection.servers.certificateInstall.cancelLabel": "Annuler",
+  "folderSelection.servers.certificateInstall.cancelled": "CodeNomad a besoin que le certificat local soit approuve avant de pouvoir ouvrir des fenetres distantes HTTPS auto-signees.",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/fr/instance.ts

@@ -166,6 +166,30 @@ export const instanceMessages = {
   "instanceShell.backgroundProcesses.actions.output": "Sortie",
   "instanceShell.backgroundProcesses.actions.stop": "Arrêter",
   "instanceShell.backgroundProcesses.actions.terminate": "Terminer",
+  "instanceShell.worktree.delete.error.title": "Echec de suppression",
+  "instanceShell.worktree.delete.error.fallback": "Impossible de supprimer le worktree",
+  "instanceShell.worktree.delete.error.causeLabel": "Cause probable :",
+  "instanceShell.worktree.delete.error.nextStepLabel": "Etape suivante suggeree :",
+  "instanceShell.worktree.delete.error.summary.localChanges": "Git a refuse de supprimer ce worktree car il contient des fichiers modifies ou non suivis.",
+  "instanceShell.worktree.delete.error.summary.inUse": "CodeNomad n'a pas pu supprimer ce worktree car quelque chose utilise encore des fichiers dans ce dossier.",
+  "instanceShell.worktree.delete.error.summary.notFound": "CodeNomad n'a pas pu supprimer ce worktree car le dossier ou l'enregistrement du worktree est introuvable.",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "CodeNomad n'a pas pu supprimer ce worktree car l'acces au dossier a ete refuse.",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad n'a pas pu supprimer ce worktree.",
+  "instanceShell.worktree.delete.error.cause.localChanges": "Modifications locales",
+  "instanceShell.worktree.delete.error.cause.inUse": "Un autre processus utilise ce worktree",
+  "instanceShell.worktree.delete.error.cause.notFound": "Le dossier ou l'enregistrement du worktree est manquant",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "Permissions du systeme de fichiers insuffisantes",
+  "instanceShell.worktree.delete.error.cause.unknown": "Le backend a renvoye une erreur de suppression non classee",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "Activez la suppression forcee si vous voulez jeter les modifications locales, ou nettoyez le worktree puis reessayez.",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "Fermez les terminaux, editeurs, observateurs ou processus en arrière-plan qui utilisent ce worktree puis reessayez.",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "Rechargez les worktrees puis reessayez. Si cela echoue encore, inspectez le chemin du worktree sur le disque.",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "Verifiez les permissions du systeme de fichiers et fermez les applications qui peuvent verrouiller ce dossier, puis reessayez.",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "Consultez l'erreur brute ci-dessous pour les details, puis reessayez apres avoir corrige le probleme signale.",
+  "instanceShell.worktree.delete.error.copyRaw": "Copier l'erreur",
+  "instanceShell.worktree.delete.error.copySanitized": "Copier la version nettoyee",
+  "instanceShell.worktree.delete.error.copySuccess": "Erreur de suppression copiee",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "Erreur de suppression nettoyee copiee",
+  "instanceShell.worktree.delete.error.copyFailure": "Impossible de copier l'erreur de suppression",
 
   "versionPill.appWithVersion": "Appli {version}",
   "versionPill.ui": "UI",

packages/ui/src/lib/i18n/messages/he/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "מתחבר...",
   "folderSelection.servers.dialog.errorRequired": "שם השרת והכתובת הם שדות חובה.",
   "folderSelection.servers.dialog.errorConnect": "לא ניתן היה להתחבר לשרת המרוחק.",
+  "folderSelection.servers.certificateInstall.title": "התקנת אישור מקומי",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad צריך להתקין אישור מקומי כדי לפתוח חלונות HTTPS מרוחקים עם אישור בחתימה עצמית. האישור הזה משמש רק לתעבורת ה-proxy המקומי של האפליקציה במחשב שלך. ייתכן שמערכת ההפעלה תציג לאחר מכן בקשת אישור נוספת.",
+  "folderSelection.servers.certificateInstall.confirmLabel": "המשך",
+  "folderSelection.servers.certificateInstall.cancelLabel": "ביטול",
+  "folderSelection.servers.certificateInstall.cancelled": "CodeNomad צריך שהאישור המקומי יהיה מהימן לפני שיוכל לפתוח חלונות HTTPS מרוחקים עם אישור בחתימה עצמית.",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/he/instance.ts

@@ -174,6 +174,30 @@ export const instanceMessages = {
   "instanceShell.backgroundProcesses.actions.output": "פלט",
   "instanceShell.backgroundProcesses.actions.stop": "עצור",
   "instanceShell.backgroundProcesses.actions.terminate": "סיים",
+  "instanceShell.worktree.delete.error.title": "המחיקה נכשלה",
+  "instanceShell.worktree.delete.error.fallback": "מחיקת ה-worktree נכשלה",
+  "instanceShell.worktree.delete.error.causeLabel": "סיבה סבירה:",
+  "instanceShell.worktree.delete.error.nextStepLabel": "השלב הבא המומלץ:",
+  "instanceShell.worktree.delete.error.summary.localChanges": "Git סירב למחוק את ה-worktree הזה כי יש בו קבצים ששונו או קבצים לא במעקב.",
+  "instanceShell.worktree.delete.error.summary.inUse": "CodeNomad לא הצליח למחוק את ה-worktree הזה כי משהו עדיין משתמש בקבצים שבתיקייה.",
+  "instanceShell.worktree.delete.error.summary.notFound": "CodeNomad לא הצליח למחוק את ה-worktree הזה כי התיקייה או רשומת ה-worktree לא נמצאו.",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "CodeNomad לא הצליח למחוק את ה-worktree הזה כי הגישה לתיקייה נדחתה.",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad לא הצליח למחוק את ה-worktree הזה.",
+  "instanceShell.worktree.delete.error.cause.localChanges": "שינויים מקומיים",
+  "instanceShell.worktree.delete.error.cause.inUse": "תהליך אחר משתמש ב-worktree הזה",
+  "instanceShell.worktree.delete.error.cause.notFound": "תיקיית ה-worktree או הרשומה שלו חסרות",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "אין הרשאות מתאימות במערכת הקבצים",
+  "instanceShell.worktree.delete.error.cause.unknown": "ה-backend החזיר שגיאת מחיקה שלא סווגה",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "הפעילו מחיקה בכפייה אם אתם רוצים לזרוק את השינויים המקומיים, או נקו את ה-worktree ונסו שוב.",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "סגרו טרמינלים, עורכים, watchers או תהליכי רקע שמשתמשים ב-worktree הזה ונסו שוב.",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "רעננו את רשימת ה-worktrees ונסו שוב. אם זה עדיין נכשל, בדקו את נתיב ה-worktree על הדיסק.",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "בדקו את הרשאות מערכת הקבצים וסגרו אפליקציות שעשויות לנעול את התיקייה הזאת, ואז נסו שוב.",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "עיינו בשגיאה הגולמית למטה לפרטים, ואז נסו שוב אחרי טיפול בבעיה שדווחה.",
+  "instanceShell.worktree.delete.error.copyRaw": "העתק שגיאה",
+  "instanceShell.worktree.delete.error.copySanitized": "העתק גרסה מסוננת",
+  "instanceShell.worktree.delete.error.copySuccess": "שגיאת המחיקה הועתקה",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "שגיאת המחיקה המסוננת הועתקה",
+  "instanceShell.worktree.delete.error.copyFailure": "העתקת שגיאת המחיקה נכשלה",
 
   "versionPill.appWithVersion": "אפליקציה {version}",
   "versionPill.ui": "ממשק",

packages/ui/src/lib/i18n/messages/ja/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "接続中...",
   "folderSelection.servers.dialog.errorRequired": "サーバー名と URL は必須です。",
   "folderSelection.servers.dialog.errorConnect": "リモートサーバーに接続できませんでした。",
+  "folderSelection.servers.certificateInstall.title": "ローカル証明書をインストール",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad は自己署名 HTTPS のリモートウィンドウを開くために、ローカル証明書をインストールする必要があります。この証明書は、このマシン上のローカルデスクトッププロキシ通信にのみ使用されます。この後、OS が追加の証明書プロンプトを表示する場合があります。",
+  "folderSelection.servers.certificateInstall.confirmLabel": "続行",
+  "folderSelection.servers.certificateInstall.cancelLabel": "キャンセル",
+  "folderSelection.servers.certificateInstall.cancelled": "自己署名 HTTPS のリモートウィンドウを開くには、CodeNomad のローカル証明書を信頼する必要があります。",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/ja/instance.ts

@@ -166,6 +166,30 @@ export const instanceMessages = {
   "instanceShell.backgroundProcesses.actions.output": "出力",
   "instanceShell.backgroundProcesses.actions.stop": "停止",
   "instanceShell.backgroundProcesses.actions.terminate": "終了",
+  "instanceShell.worktree.delete.error.title": "削除に失敗しました",
+  "instanceShell.worktree.delete.error.fallback": "worktree の削除に失敗しました",
+  "instanceShell.worktree.delete.error.causeLabel": "考えられる原因:",
+  "instanceShell.worktree.delete.error.nextStepLabel": "推奨される次の手順:",
+  "instanceShell.worktree.delete.error.summary.localChanges": "この worktree に変更済みまたは未追跡のファイルがあるため、Git が削除を拒否しました。",
+  "instanceShell.worktree.delete.error.summary.inUse": "このディレクトリ内のファイルがまだ使用中のため、CodeNomad はこの worktree を削除できませんでした。",
+  "instanceShell.worktree.delete.error.summary.notFound": "ディレクトリまたは worktree レコードが見つからなかったため、CodeNomad はこの worktree を削除できませんでした。",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "ディレクトリへのアクセスが拒否されたため、CodeNomad はこの worktree を削除できませんでした。",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad はこの worktree を削除できませんでした。",
+  "instanceShell.worktree.delete.error.cause.localChanges": "ローカル変更",
+  "instanceShell.worktree.delete.error.cause.inUse": "別のプロセスがこの worktree を使用中です",
+  "instanceShell.worktree.delete.error.cause.notFound": "worktree のディレクトリまたは記録が見つかりません",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "ファイルシステム権限が不足しています",
+  "instanceShell.worktree.delete.error.cause.unknown": "バックエンドが分類できない削除エラーを返しました",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "ローカル変更を破棄したい場合は Force delete を有効にするか、worktree を整理してから再試行してください。",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "この worktree を使用している端末、エディタ、watcher、バックグラウンドプロセスを閉じてから再試行してください。",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "worktree 一覧を更新して再試行してください。まだ失敗する場合は、ディスク上の worktree パスを確認してください。",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "ファイルシステム権限を確認し、このディレクトリをロックしている可能性のあるアプリを閉じてから再試行してください。",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "下の生エラーで詳細を確認し、報告された問題に対処してから再試行してください。",
+  "instanceShell.worktree.delete.error.copyRaw": "エラーをコピー",
+  "instanceShell.worktree.delete.error.copySanitized": "サニタイズ済みをコピー",
+  "instanceShell.worktree.delete.error.copySuccess": "削除エラーをコピーしました",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "サニタイズ済みの削除エラーをコピーしました",
+  "instanceShell.worktree.delete.error.copyFailure": "削除エラーをコピーできませんでした",
 
   "versionPill.appWithVersion": "アプリ {version}",
   "versionPill.ui": "UI",

packages/ui/src/lib/i18n/messages/ru/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "Подключение...",
   "folderSelection.servers.dialog.errorRequired": "Имя сервера и URL обязательны.",
   "folderSelection.servers.dialog.errorConnect": "Не удалось подключиться к удаленному серверу.",
+  "folderSelection.servers.certificateInstall.title": "Установить локальный сертификат",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad должен установить локальный сертификат, чтобы открывать удаленные HTTPS-окна с самоподписанным сертификатом. Этот сертификат используется только для трафика локального настольного прокси на вашем устройстве. После этого ваша операционная система может показать второе предупреждение о сертификате.",
+  "folderSelection.servers.certificateInstall.confirmLabel": "Продолжить",
+  "folderSelection.servers.certificateInstall.cancelLabel": "Отмена",
+  "folderSelection.servers.certificateInstall.cancelled": "CodeNomad должен доверять локальному сертификату, прежде чем сможет открывать удаленные HTTPS-окна с самоподписанным сертификатом.",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/ru/instance.ts

@@ -166,6 +166,30 @@ export const instanceMessages = {
   "instanceShell.backgroundProcesses.actions.output": "Вывод",
   "instanceShell.backgroundProcesses.actions.stop": "Остановить",
   "instanceShell.backgroundProcesses.actions.terminate": "Завершить",
+  "instanceShell.worktree.delete.error.title": "Удаление не удалось",
+  "instanceShell.worktree.delete.error.fallback": "Не удалось удалить worktree",
+  "instanceShell.worktree.delete.error.causeLabel": "Вероятная причина:",
+  "instanceShell.worktree.delete.error.nextStepLabel": "Рекомендуемый следующий шаг:",
+  "instanceShell.worktree.delete.error.summary.localChanges": "Git отказался удалять этот worktree, потому что в нем есть измененные или неотслеживаемые файлы.",
+  "instanceShell.worktree.delete.error.summary.inUse": "CodeNomad не смог удалить этот worktree, потому что что-то все еще использует файлы в каталоге.",
+  "instanceShell.worktree.delete.error.summary.notFound": "CodeNomad не смог удалить этот worktree, потому что каталог или запись worktree не найдены.",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "CodeNomad не смог удалить этот worktree, потому что доступ к каталогу был запрещен.",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad не смог удалить этот worktree.",
+  "instanceShell.worktree.delete.error.cause.localChanges": "Локальные изменения",
+  "instanceShell.worktree.delete.error.cause.inUse": "Другой процесс использует этот worktree",
+  "instanceShell.worktree.delete.error.cause.notFound": "Каталог или запись worktree отсутствуют",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "Недостаточно прав файловой системы",
+  "instanceShell.worktree.delete.error.cause.unknown": "Бэкенд вернул неклассифицированную ошибку удаления",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "Включите принудительное удаление, если хотите отбросить локальные изменения, либо очистите worktree и попробуйте снова.",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "Закройте терминалы, редакторы, watcher-процессы или фоновые процессы, использующие этот worktree, и попробуйте снова.",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "Обновите список worktree и попробуйте снова. Если ошибка сохранится, проверьте путь worktree на диске.",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "Проверьте права файловой системы и закройте приложения, которые могут удерживать этот каталог, затем попробуйте снова.",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "Посмотрите необработанную ошибку ниже, затем попробуйте снова после устранения указанной проблемы.",
+  "instanceShell.worktree.delete.error.copyRaw": "Копировать ошибку",
+  "instanceShell.worktree.delete.error.copySanitized": "Копировать обезличенную",
+  "instanceShell.worktree.delete.error.copySuccess": "Ошибка удаления скопирована",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "Обезличенная ошибка удаления скопирована",
+  "instanceShell.worktree.delete.error.copyFailure": "Не удалось скопировать ошибку удаления",
 
   "versionPill.appWithVersion": "Приложение {version}",
   "versionPill.ui": "UI",

packages/ui/src/lib/i18n/messages/zh-Hans/folderSelection.ts

@@ -69,5 +69,10 @@ export const folderSelectionMessages = {
   "folderSelection.servers.dialog.connecting": "连接中...",
   "folderSelection.servers.dialog.errorRequired": "服务器名称和 URL 为必填项。",
   "folderSelection.servers.dialog.errorConnect": "无法连接到远程服务器。",
+  "folderSelection.servers.certificateInstall.title": "安装本地证书",
+  "folderSelection.servers.certificateInstall.confirmMessage": "CodeNomad 需要安装本地证书，才能打开使用自签名 HTTPS 的远程窗口。此证书仅用于你这台设备上的本地桌面代理流量。之后你的操作系统可能还会显示第二个证书提示。",
+  "folderSelection.servers.certificateInstall.confirmLabel": "继续",
+  "folderSelection.servers.certificateInstall.cancelLabel": "取消",
+  "folderSelection.servers.certificateInstall.cancelled": "CodeNomad 需要先信任本地证书，才能打开使用自签名 HTTPS 的远程窗口。",
   "folderSelection.sidecars.button": "Open SideCar",
 } as const

packages/ui/src/lib/i18n/messages/zh-Hans/instance.ts

@@ -166,6 +166,30 @@ export const instanceMessages = {
   "instanceShell.backgroundProcesses.actions.output": "输出",
   "instanceShell.backgroundProcesses.actions.stop": "停止",
   "instanceShell.backgroundProcesses.actions.terminate": "终止",
+  "instanceShell.worktree.delete.error.title": "删除失败",
+  "instanceShell.worktree.delete.error.fallback": "删除 worktree 失败",
+  "instanceShell.worktree.delete.error.causeLabel": "可能原因：",
+  "instanceShell.worktree.delete.error.nextStepLabel": "建议的下一步：",
+  "instanceShell.worktree.delete.error.summary.localChanges": "Git 拒绝删除这个 worktree，因为其中包含已修改或未跟踪的文件。",
+  "instanceShell.worktree.delete.error.summary.inUse": "CodeNomad 无法删除这个 worktree，因为目录中的文件仍在被某些进程使用。",
+  "instanceShell.worktree.delete.error.summary.notFound": "CodeNomad 无法删除这个 worktree，因为目录或 worktree 记录未找到。",
+  "instanceShell.worktree.delete.error.summary.permissionDenied": "CodeNomad 无法删除这个 worktree，因为目录访问被拒绝。",
+  "instanceShell.worktree.delete.error.summary.unknown": "CodeNomad 无法删除这个 worktree。",
+  "instanceShell.worktree.delete.error.cause.localChanges": "本地更改",
+  "instanceShell.worktree.delete.error.cause.inUse": "另一个进程正在使用这个 worktree",
+  "instanceShell.worktree.delete.error.cause.notFound": "worktree 目录或记录缺失",
+  "instanceShell.worktree.delete.error.cause.permissionDenied": "文件系统权限不足",
+  "instanceShell.worktree.delete.error.cause.unknown": "后端返回了未分类的删除错误",
+  "instanceShell.worktree.delete.error.nextStep.localChanges": "如果你想丢弃本地更改，请启用强制删除，或者先清理 worktree 后再重试。",
+  "instanceShell.worktree.delete.error.nextStep.inUse": "关闭正在使用这个 worktree 的终端、编辑器、watcher 或后台进程，然后再试一次。",
+  "instanceShell.worktree.delete.error.nextStep.notFound": "刷新 worktree 列表后再试一次。如果仍然失败，请检查磁盘上的 worktree 路径。",
+  "instanceShell.worktree.delete.error.nextStep.permissionDenied": "检查文件系统权限，并关闭可能锁定此目录的应用程序，然后再试一次。",
+  "instanceShell.worktree.delete.error.nextStep.unknown": "查看下方原始错误详情，并在处理提示的问题后再次重试。",
+  "instanceShell.worktree.delete.error.copyRaw": "复制错误",
+  "instanceShell.worktree.delete.error.copySanitized": "复制脱敏内容",
+  "instanceShell.worktree.delete.error.copySuccess": "已复制删除错误",
+  "instanceShell.worktree.delete.error.copySanitizedSuccess": "已复制脱敏后的删除错误",
+  "instanceShell.worktree.delete.error.copyFailure": "复制删除错误失败",
 
   "versionPill.appWithVersion": "应用 {version}",
   "versionPill.ui": "UI",

packages/ui/src/lib/native/cli.ts

@@ -1,12 +1,16 @@
 import { invoke } from "@tauri-apps/api/core"
-import { runtimeEnv } from "../runtime-env"
+import { canRestartCli, isElectronHost, isTauriHost } from "../runtime-env"
 import { getLogger } from "../logger"
 const log = getLogger("actions")
 
 
 export async function restartCli(): Promise<boolean> {
+  if (!canRestartCli()) {
+    return false
+  }
+
   try {
-    if (runtimeEnv.host === "electron") {
+    if (isElectronHost()) {
       const api = (window as typeof window & { electronAPI?: { restartCli?: () => Promise<unknown> } }).electronAPI
       if (api?.restartCli) {
         await api.restartCli()
@@ -15,7 +19,7 @@ export async function restartCli(): Promise<boolean> {
       return false
     }
 
-    if (runtimeEnv.host === "tauri") {
+    if (isTauriHost()) {
       if (typeof window.__TAURI__?.core?.invoke === "function") {
         await invoke("cli_restart")
         return true

packages/ui/src/lib/native/desktop-file-drop.ts

@@ -1,6 +1,6 @@
 import { listen } from "@tauri-apps/api/event"
 import { getLogger } from "../logger"
-import { runtimeEnv } from "../runtime-env"
+import { canUseDesktopFolderDrop, isElectronHost, isTauriHost, runtimeEnv } from "../runtime-env"
 
 const log = getLogger("actions")
 
@@ -21,7 +21,7 @@ function getFilePath(file: File): string | null {
   if (typeof file.path === "string" && file.path.trim().length > 0) {
     return file.path
   }
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const electronPath = (window as Window & { electronAPI?: ElectronAPI }).electronAPI?.getPathForFile?.(file)
     if (typeof electronPath === "string" && electronPath.trim().length > 0) {
       return electronPath
@@ -44,7 +44,7 @@ async function resolveElectronDirectoryPaths(paths: string[]): Promise<string[]>
 }
 
 export function supportsDesktopFolderDrop(): boolean {
-  return runtimeEnv.platform === "desktop" && runtimeEnv.host !== "web"
+  return runtimeEnv.platform === "desktop" && canUseDesktopFolderDrop()
 }
 
 export function containsFileDrop(event: DragEvent): boolean {
@@ -97,14 +97,14 @@ export async function normalizeDroppedDirectoryPaths(paths: string[]): Promise<s
   if (uniquePaths.length === 0) {
     return []
   }
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     return resolveElectronDirectoryPaths(uniquePaths)
   }
   return uniquePaths
 }
 
 export async function listenForNativeFolderDrops(onDrop: (paths: string[]) => void): Promise<() => void> {
-  if (runtimeEnv.host !== "tauri") {
+  if (!isTauriHost()) {
     return () => {}
   }
 
@@ -126,7 +126,7 @@ export async function listenForNativeFolderDrops(onDrop: (paths: string[]) => vo
 }
 
 export async function listenForNativeFolderDropState(onState: (state: NativeFolderDropState) => void): Promise<() => void> {
-  if (runtimeEnv.host !== "tauri") {
+  if (!isTauriHost()) {
     return () => {}
   }
 

packages/ui/src/lib/native/native-functions.ts

@@ -1,4 +1,4 @@
-import { runtimeEnv } from "../runtime-env"
+import { canUseNativeDialogs, isElectronHost, isTauriHost } from "../runtime-env"
 import type { NativeDialogOptions } from "./types"
 import { openElectronNativeDialog } from "./electron/functions"
 import { openTauriNativeDialog } from "./tauri/functions"
@@ -6,20 +6,23 @@ import { openTauriNativeDialog } from "./tauri/functions"
 export type { NativeDialogOptions, NativeDialogFilter, NativeDialogMode } from "./types"
 
 function resolveNativeHandler(): ((options: NativeDialogOptions) => Promise<string | null>) | null {
-  switch (runtimeEnv.host) {
-    case "electron":
-      return openElectronNativeDialog
-    case "tauri":
-      return openTauriNativeDialog
-    default:
-      return null
+  if (isElectronHost()) {
+    return openElectronNativeDialog
   }
+  if (isTauriHost()) {
+    return openTauriNativeDialog
+  }
+  return null
 }
 
 export function supportsNativeDialogs(): boolean {
   return resolveNativeHandler() !== null
 }
 
+export function supportsNativeDialogsInCurrentWindow(): boolean {
+  return canUseNativeDialogs()
+}
+
 async function openNativeDialog(options: NativeDialogOptions): Promise<string | null> {
   const handler = resolveNativeHandler()
   if (!handler) {

packages/ui/src/lib/native/remote-window.ts

@@ -1,28 +1,37 @@
 import { invoke } from "@tauri-apps/api/core"
 import type { RemoteServerProfile } from "../../../../server/src/api-types"
-import { runtimeEnv } from "../runtime-env"
+import { showConfirmDialog } from "../../stores/alerts"
+import { tGlobal } from "../i18n"
+import { canOpenRemoteWindows, isElectronHost, isTauriHost } from "../runtime-env"
 
 export interface RemoteWindowOpenPayload {
   id: string
   name: string
   baseUrl: string
   entryUrl?: string
+  proxySessionId?: string
   skipTlsVerify: boolean
 }
 
 export async function openRemoteServerWindow(
   profile: Pick<RemoteServerProfile, "id" | "name" | "baseUrl" | "skipTlsVerify">,
   entryUrl?: string,
+  proxySessionId?: string,
 ): Promise<void> {
+  if (!canOpenRemoteWindows()) {
+    throw new Error("Remote server windows can only be opened from a local desktop window")
+  }
+
   const payload: RemoteWindowOpenPayload = {
     id: profile.id,
     name: profile.name,
     baseUrl: profile.baseUrl,
     entryUrl,
+    proxySessionId,
     skipTlsVerify: profile.skipTlsVerify,
   }
 
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const api = (window as Window & { electronAPI?: ElectronAPI }).electronAPI
     if (typeof api?.openRemoteWindow === "function") {
       await api.openRemoteWindow(payload)
@@ -30,7 +39,29 @@ export async function openRemoteServerWindow(
     }
   }
 
-  if (runtimeEnv.host === "tauri") {
+  if (isTauriHost()) {
+    const requiresLocalCertificate =
+      proxySessionId !== undefined && (entryUrl ?? profile.baseUrl).startsWith("https://")
+
+    if (requiresLocalCertificate) {
+      const needsInstall = await invoke<boolean>("needs_local_certificate_install")
+      if (needsInstall) {
+        const accepted = await showConfirmDialog(
+          tGlobal("folderSelection.servers.certificateInstall.confirmMessage"),
+          {
+            title: tGlobal("folderSelection.servers.certificateInstall.title"),
+            variant: "warning",
+            confirmLabel: tGlobal("folderSelection.servers.certificateInstall.confirmLabel"),
+            cancelLabel: tGlobal("folderSelection.servers.certificateInstall.cancelLabel"),
+          },
+        )
+
+        if (!accepted) {
+          throw new Error(tGlobal("folderSelection.servers.certificateInstall.cancelled"))
+        }
+      }
+    }
+
     await invoke("open_remote_window", { payload })
     return
   }

packages/ui/src/lib/native/wake-lock.ts

@@ -1,5 +1,5 @@
 import { invoke } from "@tauri-apps/api/core"
-import { runtimeEnv } from "../runtime-env"
+import { isElectronHost, isTauriHost } from "../runtime-env"
 import { getLogger } from "../logger"
 
 const log = getLogger("actions")
@@ -9,61 +9,16 @@ let inFlight: Promise<boolean> | null = null
 
 let applied = false
 
-let webWakeLock: any = null
-
-async function setWebWakeLock(enabled: boolean): Promise<boolean> {
-  if (typeof navigator === "undefined") return false
-
-  const api = (navigator as any).wakeLock
-  if (!api?.request) {
-    return false
-  }
-
-  try {
-    if (enabled) {
-      if (webWakeLock) {
-        return true
-      }
-      webWakeLock = await api.request("screen")
-      try {
-        webWakeLock.addEventListener?.("release", () => {
-          // If the lock is released by the UA (e.g., tab hidden), clear local state.
-          webWakeLock = null
-          if (desired) {
-            // Re-acquire best-effort.
-            queueMicrotask(() => {
-              void setWakeLockDesired(true)
-            })
-          }
-        })
-      } catch {
-        // optional
-      }
-      return true
-    }
-
-    if (webWakeLock) {
-      await webWakeLock.release?.()
-    }
-    webWakeLock = null
-    return false
-  } catch (error) {
-    log.log("[wake-lock] web wake lock failed", error)
-    webWakeLock = null
-    return false
-  }
-}
-
 function hasAnyWakeLockSupport(): boolean {
   if (typeof window === "undefined") return false
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const api = (window as any).electronAPI
     if (api?.setWakeLock) return true
   }
-  if (runtimeEnv.host === "tauri") {
+  if (isTauriHost()) {
     return typeof window.__TAURI__?.core?.invoke === "function"
   }
-  return Boolean((navigator as any)?.wakeLock?.request)
+  return false
 }
 
 async function setElectronWakeLock(enabled: boolean): Promise<boolean> {
@@ -89,9 +44,7 @@ async function setTauriWakeLock(enabled: boolean): Promise<boolean> {
     }
 
     if (enabled) {
-      // Match Electron's prevent-display-sleep behavior by keeping the display
-      // awake without blocking explicit system sleep requests.
-      await invoke("wake_lock_start", { config: { display: true, idle: false, sleep: false } })
+      await invoke("wake_lock_start", { config: { display: false, idle: true, sleep: false } })
       return true
     }
 
@@ -106,19 +59,17 @@ async function setTauriWakeLock(enabled: boolean): Promise<boolean> {
 async function applyWakeLock(enabled: boolean): Promise<boolean> {
   if (typeof window === "undefined") return false
 
-  if (runtimeEnv.host === "electron") {
+  if (isElectronHost()) {
     const ok = await setElectronWakeLock(enabled)
-    if (ok || !enabled) return ok
-    // fallback to web API if electron preload didn't expose it
+    return ok
   }
 
-  if (runtimeEnv.host === "tauri") {
+  if (isTauriHost()) {
     const ok = await setTauriWakeLock(enabled)
-    if (ok || !enabled) return ok
-    // fallback to web API if tauri command isn't available
+    return ok
   }
 
-  return await setWebWakeLock(enabled)
+  return false
 }
 
 export function setWakeLockDesired(nextDesired: boolean): Promise<boolean> {

packages/ui/src/lib/runtime-env.ts

@@ -2,10 +2,12 @@ import { getLogger } from "./logger"
 
 export type HostRuntime = "electron" | "tauri" | "web"
 export type PlatformKind = "desktop" | "mobile"
+export type WindowContextKind = "local" | "remote"
 
 export interface RuntimeEnvironment {
   host: HostRuntime
   platform: PlatformKind
+  windowContext: WindowContextKind
 }
 
 declare global {
@@ -14,6 +16,7 @@ declare global {
   }
 
   interface Window {
+    __CODENOMAD_WINDOW_CONTEXT__?: WindowContextKind
     electronAPI?: unknown
     __TAURI__?: {
       core?: TauriCoreModule
@@ -21,11 +24,41 @@ declare global {
   }
 }
 
+function detectWindowContext(): WindowContextKind {
+  if (typeof window === "undefined") {
+    return "remote"
+  }
+
+  if (window.__CODENOMAD_WINDOW_CONTEXT__ === "remote") {
+    return "remote"
+  }
+
+  if (window.__CODENOMAD_WINDOW_CONTEXT__ === "local") {
+    return "local"
+  }
+
+  const win = window as Window & { electronAPI?: unknown }
+  if (typeof win.electronAPI !== "undefined" || typeof win.__TAURI__ !== "undefined") {
+    return "local"
+  }
+
+  if (typeof navigator !== "undefined" && /tauri/i.test(navigator.userAgent)) {
+    return "local"
+  }
+
+  return "remote"
+}
+
 function detectHost(): HostRuntime {
   if (typeof window === "undefined") {
     return "web"
   }
 
+  const explicitHost = window.__CODENOMAD_RUNTIME_HOST__
+  if (explicitHost) {
+    return explicitHost
+  }
+
   const win = window as Window & { electronAPI?: unknown }
   if (typeof win.electronAPI !== "undefined") {
     return "electron"
@@ -71,16 +104,24 @@ export function detectRuntimeEnvironment(): RuntimeEnvironment {
   cachedEnv = {
     host: detectHost(),
     platform: detectPlatform(),
+    windowContext: detectWindowContext(),
   }
   if (typeof window !== "undefined") {
-    log.info(`[runtime] host=${cachedEnv.host} platform=${cachedEnv.platform}`)
+    log.info(`[runtime] host=${cachedEnv.host} platform=${cachedEnv.platform} context=${cachedEnv.windowContext}`)
   }
   return cachedEnv
 }
 
 export const runtimeEnv = detectRuntimeEnvironment()
 
-export const isElectronHost = () => runtimeEnv.host === "electron"
-export const isTauriHost = () => runtimeEnv.host === "tauri"
-export const isWebHost = () => runtimeEnv.host === "web"
-export const isMobilePlatform = () => runtimeEnv.platform === "mobile"
+export const isElectronHost = () => detectHost() === "electron"
+export const isTauriHost = () => detectHost() === "tauri"
+export const isWebHost = () => detectHost() === "web"
+export const isDesktopHost = () => isElectronHost() || isTauriHost()
+export const isMobilePlatform = () => detectPlatform() === "mobile"
+export const isLocalWindow = () => detectWindowContext() === "local"
+export const isRemoteWindow = () => detectWindowContext() === "remote"
+export const canUseNativeDialogs = () => isDesktopHost() && isLocalWindow()
+export const canOpenRemoteWindows = () => isDesktopHost() && isLocalWindow()
+export const canRestartCli = () => isDesktopHost() && isLocalWindow()
+export const canUseDesktopFolderDrop = () => isDesktopHost() && isLocalWindow()

packages/ui/src/lib/settings/behavior-registry.ts

@@ -6,7 +6,7 @@ import type {
 } from "../../stores/preferences"
 import type { Command } from "../commands"
 import { tGlobal } from "../i18n"
-import { runtimeEnv } from "../runtime-env"
+import { isWebHost } from "../runtime-env"
 
 export type BehaviorSettingKind = "toggle" | "enum"
 
@@ -84,7 +84,7 @@ export function getBehaviorSettings(actions: BehaviorRegistryActions): BehaviorS
           next,
         )
       },
-      disabled: () => runtimeEnv.host === "web",
+      disabled: () => isWebHost(),
     },
     {
       kind: "toggle",
@@ -337,13 +337,13 @@ export function getBehaviorCommands(actions: BehaviorRegistryActions): Command[]
         ),
       description: () =>
         tGlobal(
-          runtimeEnv.host === "web"
+          isWebHost()
             ? "commands.keyboardShortcutHints.description.disabledWeb"
             : "commands.keyboardShortcutHints.description",
         ),
       category: "System",
       keywords: () => splitKeywords("commands.keyboardShortcutHints.keywords"),
-      disabled: () => runtimeEnv.host === "web",
+      disabled: () => isWebHost(),
       action: actions.toggleKeyboardShortcutHints,
     },
     {

packages/ui/src/stores/session-events.ts

@@ -397,7 +397,8 @@ function handleMessageUpdate(instanceId: string, event: MessageUpdateEvent | Mes
 
     const role: MessageRole = info.role === "user" ? "user" : "assistant"
     const hasError = Boolean((info as any).error)
-    const status: MessageStatus = hasError ? "error" : "complete"
+    const hasEnded = typeof timeInfo.end === "number" && timeInfo.end > 0
+    const status: MessageStatus = hasError ? "error" : hasEnded ? "complete" : "streaming"
 
     let record = store.getMessage(messageId)
     if (!record) {

packages/ui/src/stores/session-status.test.ts

@@ -0,0 +1,20 @@
+import assert from "node:assert/strict"
+import { describe, it } from "node:test"
+
+import { shouldSessionHoldWakeLock } from "./wake-lock-eligibility.ts"
+
+describe("shouldSessionHoldWakeLock", () => {
+  it("holds wake lock only for qualifying active work", () => {
+    assert.equal(shouldSessionHoldWakeLock({ status: "working", pendingPermission: false, pendingQuestion: false }), true)
+    assert.equal(
+      shouldSessionHoldWakeLock({ status: "compacting", pendingPermission: false, pendingQuestion: false }),
+      true,
+    )
+    assert.equal(shouldSessionHoldWakeLock({ status: "idle", pendingPermission: false, pendingQuestion: false }), false)
+  })
+
+  it("does not hold wake lock while waiting for permission or input", () => {
+    assert.equal(shouldSessionHoldWakeLock({ status: "working", pendingPermission: true, pendingQuestion: false }), false)
+    assert.equal(shouldSessionHoldWakeLock({ status: "working", pendingPermission: false, pendingQuestion: true }), false)
+  })
+})

packages/ui/src/stores/session-status.ts

@@ -1,11 +1,27 @@
 import type { Session, SessionRetryState, SessionStatus } from "../types/session"
 import { getInstanceSessionIndicatorStatusCached, sessions } from "./session-state"
+import { shouldSessionHoldWakeLock } from "./wake-lock-eligibility"
 
 function getSession(instanceId: string, sessionId: string): Session | null {
   const instanceSessions = sessions().get(instanceId)
   return instanceSessions?.get(sessionId) ?? null
 }
 
+export function hasWakeLockEligibleWork(instanceId: string): boolean {
+  const instanceSessions = sessions().get(instanceId)
+  if (!instanceSessions) {
+    return false
+  }
+
+  for (const session of instanceSessions.values()) {
+    if (shouldSessionHoldWakeLock(session)) {
+      return true
+    }
+  }
+
+  return false
+}
+
 export function getSessionStatus(instanceId: string, sessionId: string): SessionStatus {
   const session = getSession(instanceId, sessionId)
   if (!session) {

packages/ui/src/stores/wake-lock-eligibility.ts

@@ -0,0 +1,11 @@
+import type { Session } from "../types/session"
+
+export function shouldSessionHoldWakeLock(
+  session: Pick<Session, "status" | "pendingPermission" | "pendingQuestion">,
+): boolean {
+  if (session.pendingPermission || session.pendingQuestion) {
+    return false
+  }
+
+  return session.status === "working" || session.status === "compacting"
+}

packages/ui/src/styles/messaging/prompt-input.css

@@ -6,7 +6,7 @@
 
 .prompt-input-wrapper {
   @apply grid items-stretch;
-  grid-template-columns: minmax(0, 1fr) 64px;
+  grid-template-columns: minmax(0, 1fr) 72px 64px;
   gap: 0;
   padding: 0;
 }
@@ -19,6 +19,16 @@
   gap: 0.5rem;
 }
 
+.prompt-input-primary-actions {
+  @apply flex flex-col items-center;
+  align-self: stretch;
+  justify-content: space-between;
+  width: 100%;
+  gap: 0.5rem;
+  padding: 0.5rem 0.25rem;
+  border-inline-start: 1px solid var(--border-base);
+}
+
 .prompt-input-field-container {
   position: relative;
   width: 100%;
@@ -37,7 +47,7 @@
 .prompt-input {
   @apply w-full pt-2.5 border text-sm resize-none outline-none transition-colors;
   padding-inline-start: 0.75rem;
-  padding-inline-end: 7.5rem;
+  padding-inline-end: 0.75rem;
   font-family: inherit;
   background-color: var(--surface-base);
   color: var(--text-primary);
@@ -85,16 +95,12 @@
 
 /* Navigation buttons container (expand, prev, next). */
 .prompt-nav-buttons {
-  position: absolute;
-  top: 0.25rem;
-  inset-inline-end: 0.25rem;
-  bottom: 0.25rem;
   display: flex;
   flex-direction: row;
   align-items: flex-start;
-  justify-content: flex-end;
+  justify-content: center;
   gap: 0.125rem;
-  z-index: 2;
+  width: 100%;
 }
 
 .prompt-nav-column {
@@ -287,7 +293,6 @@
   @apply w-10 h-10 rounded-md border-none cursor-pointer flex items-center justify-center transition-all flex-shrink-0;
   background-color: var(--accent-primary);
   color: var(--text-inverted);
-  margin-top: auto;
 }
 
 .send-button.shell-mode {
@@ -421,7 +426,7 @@
 
 @media (max-width: 720px) {
   .prompt-input-wrapper {
-    grid-template-columns: minmax(0, 1fr) 40px;
+    grid-template-columns: minmax(0, 1fr) 64px 40px;
   }
 }
 
@@ -429,7 +434,6 @@
   .prompt-input {
     min-height: 0;
     padding: 0.5rem 0.75rem;
-    padding-inline-end: 7.5rem;
     padding-bottom: 0.75rem;
   }
 

packages/ui/src/styles/panels/right-panel.css

@@ -611,6 +611,40 @@
   z-index: 30;
 }
 
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="unified"] .line-numbers {
+  text-align: left !important;
+  padding-left: 4px;
+}
+
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .line-numbers,
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.modified .line-numbers {
+  text-align: left !important;
+  padding-left: 4px;
+}
+
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .glyph-margin {
+  width: 0 !important;
+}
+
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .line-numbers {
+  left: 0 !important;
+}
+
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .cldr.delete-sign {
+  left: var(--split-original-delete-sign-left, 14px) !important;
+}
+
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .margin,
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .margin-view-zones,
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .margin-view-overlays {
+  width: var(--split-original-gutter-width, 24px) !important;
+}
+
+.file-viewer-content--monaco .monaco-viewer[data-view-mode="split"] .editor.original .editor-scrollable {
+  left: var(--split-original-gutter-width, 24px) !important;
+  width: calc(100% - var(--split-original-gutter-width, 24px)) !important;
+}
+
 .file-viewer-empty {
   @apply flex flex-col items-center justify-center h-full gap-3 text-center;
   color: var(--text-muted);

packages/ui/src/types/global.d.ts

@@ -38,6 +38,7 @@ declare global {
       name: string
       baseUrl: string
       entryUrl?: string
+      proxySessionId?: string
       skipTlsVerify: boolean
     }) => Promise<{ ok: boolean }>
   }
@@ -62,10 +63,12 @@ declare global {
   }
 
   interface Window {
-     __CODENOMAD_API_BASE__?: string
-     __CODENOMAD_EVENTS_URL__?: string
-     electronAPI?: ElectronAPI
-     __TAURI__?: TauriBridge
-     codenomadLogger?: LoggerControls
+      __CODENOMAD_API_BASE__?: string
+      __CODENOMAD_EVENTS_URL__?: string
+      __CODENOMAD_RUNTIME_HOST__?: "electron" | "tauri" | "web"
+      __CODENOMAD_WINDOW_CONTEXT__?: "local" | "remote"
+      electronAPI?: ElectronAPI
+      __TAURI__?: TauriBridge
+      codenomadLogger?: LoggerControls
    }
  }

tasks/current.md

@@ -0,0 +1,19 @@
+# Current Tasks
+
+## Active Discussions
+
+- DISCUSSION-001 — Wake lock behavior change for macOS sleep vs screen lock — summarized, routed to task 056
+
+## Active
+
+- 055-wake-lock-investigation.md — standard / investigation / logic — Assigned to tech_lead
+- 056-wake-lock-behavior-change.md — complex / spec / logic — Assigned to business_analyst
+- 057-implement-system-sleep-only-wake-lock.md — complex / implementation / logic — Assigned to workflow_runner
+
+## Todo
+
+- 023-symbol-attachments.md
+
+## Blocked
+
+- None.

tasks/discussions/DISCUSSION-001-wake-lock-behavior-change-for-macos-sleep-vs-screen-lock.md

@@ -0,0 +1,76 @@
+---
+id: DISCUSSION-001
+title: "Wake lock behavior change for macOS sleep vs screen lock"
+status: closed
+summarized_by: business_analyst
+source: runtime-transcript
+---
+
+# Discussion Summary
+
+## Topic
+Change wake lock behavior so screen lock/display sleep is allowed while system sleep is still prevented during active work.
+
+## Purpose
+Capture a workflow-ready summary of a requested product behavior change affecting desktop apps and web, including current behavior, desired behavior, scope, and unresolved platform feasibility.
+
+## Repository Truth Relevant To This Discussion
+- Current desktop wake lock behavior is effectively configured as a display wake lock.
+- Electron currently uses `prevent-display-sleep`.
+- Tauri currently includes `display: true` in its wake-lock-related configuration.
+- This current setup keeps the screen awake and blocks normal screen lock/display sleep on macOS.
+
+## Facts Established
+- The reported problem is specific to current wake lock behavior preventing screen lock on macOS.
+- The user wants wake lock to allow screen lock while still preventing the device from going to sleep.
+- The requested scope was expanded beyond macOS-only behavior.
+- The user explicitly requested coverage for all desktop apps and web.
+- Browser/web platform limitations may affect how fully the requested behavior can be implemented.
+
+## Requirements Captured
+- Wake lock must allow the display to sleep or lock normally.
+- Wake lock must prevent only system sleep while work is active.
+- On macOS, the screen should be able to turn off and lock while the machine remains awake enough to continue the task.
+- The change should be researched and then applied, not just discussed.
+- Scope should include all desktop apps and web, subject to technical feasibility.
+
+## Constraints
+- The change affects multiple platforms and should not be treated as a macOS-only behavior change.
+- Web support may be constrained by browser capabilities and wake lock API limitations.
+- Platform-specific implementation details may differ between Electron, Tauri, and web.
+
+## Non-Goals
+- Keeping the display continuously awake.
+- Preserving the current display-wake behavior on macOS.
+- Defining a macOS-only special case unless later justified.
+
+## Decisions Made
+- Preferred product direction: allow display sleep/screen lock while preventing only system sleep during active work.
+- Scope direction confirmed by the user: all desktop apps and web.
+- The discussion should move into tracked workflow work with product and technical input before implementation.
+
+## Assumptions
+- “Work is active” refers to periods when the application is performing a task that currently relies on wake lock protection.
+- The intended outcome is continued task execution while the screen is locked or asleep, not continuous visual display.
+- Some platforms may require best-effort behavior rather than identical implementation mechanics.
+
+## Open Questions
+- What exact user-facing definition of “work is active” should trigger wake lock behavior across products?
+- What behavior is achievable on web given browser/API support and permission constraints?
+- If a platform cannot prevent only system sleep without also affecting display sleep, what fallback behavior is acceptable?
+- Should platform-specific differences be exposed to users or documented in product behavior notes?
+
+## Risks Or Concerns
+- Web may not support the requested behavior fully or consistently across browsers.
+- A platform may not offer a clean “prevent system sleep only” mode, creating inconsistent behavior across products.
+- Changing wake lock semantics could affect long-running task reliability if background execution assumptions are wrong.
+
+## Referenced Files Or Areas
+- Electron wake lock implementation using `prevent-display-sleep`
+- Tauri wake lock / `keepawake` configuration currently using `display: true`
+- Cross-platform wake lock behavior for desktop apps
+- Web wake lock behavior and browser capability research areas
+
+## Recommended Workflow Next Step
+- assigned_to: product_manager
+- why: Create a tracked task and SCR-ready handoff for cross-platform research and specification, then route to business analyst and technical architect for requirements and feasibility clarification before implementation.

tasks/todo/055-wake-lock-investigation.md

@@ -0,0 +1,54 @@
+---
+title: Wake Lock Investigation
+complexity: standard
+track: investigation
+slice: logic
+status: active
+assigned_to: tech_lead
+---
+
+# Goal
+
+Understand and explain how wake lock is held across `packages/ui`, `packages/tauri-app`, and `packages/electron-app`, including which layer initiates the request, which native/platform APIs are used, and how acquire/release lifecycle is coordinated.
+
+# Request Context
+
+The Product Owner asked: "Understand how we hold wake lock in packages/ui packages/tauri-app and packages/electron-app".
+
+# Acceptance Criteria
+
+- AC-1: Identify all wake-lock-related code paths in `packages/ui`, `packages/tauri-app`, and `packages/electron-app`.
+- AC-2: Explain which package owns the wake-lock decision and which package executes the platform-specific hold/release behavior.
+- AC-3: Describe the acquire and release lifecycle, including triggering events, cleanup behavior, and any fallback or unsupported-platform handling.
+- AC-4: Note any discrepancies, risks, or unclear behavior discovered during the investigation.
+
+# Instructions For Assigned Agent
+
+1. Read this task file first.
+2. Investigate the repository code paths relevant to wake lock in the three packages named above.
+3. Produce a concise technical report using the specialist output contract sections:
+   - Summary
+   - Work Performed
+   - Acceptance Criteria Coverage
+   - Documentation Impact
+   - Open Risks
+   - Recommended Next Step
+4. Include file paths and function/module names for the relevant wake-lock implementation points.
+5. Update this task file with a `# Post Implementation Task Updates` section and `## Tech Lead: Post Implementation Expectations` bullets describing the observable outputs of your investigation.
+
+# Discussion Record
+
+- Created by PMA to answer a direct user investigation request about wake-lock behavior across UI and native app shells.
+
+# Notes
+
+- This is investigation only. Do not implement changes.
+- Repository has unrelated untracked items in the working tree (`.nomadworks/`, `.playwright-cli/`, `cloudsecrets`, `tmp/`). Treat them as pre-existing and out of scope unless directly relevant.
+
+# Post Implementation Task Updates
+
+## Tech Lead: Post Implementation Expectations
+
+- Deliver a wake-lock investigation report that traces the call flow from `packages/ui/src/App.tsx` through `packages/ui/src/lib/native/wake-lock.ts` into the Electron preload/main IPC path and the Tauri command path.
+- Identify which session states cause the UI to request wake lock and which native APIs actually hold or release the lock on Electron and Tauri.
+- Document lifecycle behavior for acquire, release, fallback handling, unsupported-platform behavior, and any cleanup gaps or discrepancies discovered during review.