diff --git a/.gitignore b/.gitignore
index a1777bf0..ee1b0666 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ broker/target/
 .context/
 docs/broker-protocol.md
 docs/ralph-broker-plan.md
+review-tasks/
diff --git a/PHASE-4-VISIBLE-REFLOW.md b/PHASE-4-VISIBLE-REFLOW.md
deleted file mode 100644
index e2100d47..00000000
--- a/PHASE-4-VISIBLE-REFLOW.md
+++ /dev/null
@@ -1,189 +0,0 @@
-# Phase 4 — Visible-Grid Reflow on Resize
-
-Followup to `SCROLLBACK-REFLOW-PLAN.md`. Phases 1-3 fixed scrollback reflow at snapshot time. This phase fixes the visible grid: when the terminal resizes (rotation, keyboard up/down, grid↔single switch), the broker's active grid currently just `resize_with(cols, blank)` — pad/truncate per row, no awareness of paragraphs spanning rows.
-
-## Trigger
-
-Open this when a user reports: "after resizing my terminal, the visible screen content looks wrong — text spilling, cursor in wrong place, prompt half-visible". Phases 1-3 don't address this; the visible grid remains naive.
-
-## Symptom example
-
-```
-before resize (cols=120):
-  $ very long command that wraps onto next row at col 121 |  ← cursor here
-  continuation
-
-after resize to cols=60 (today):
-  $ very long command that wraps onto next row at col 121
-  | ← cursor lost; line stuck mid-content; no rewrap
-```
-
-After fix:
-```
-  $ very long command that wraps
-  onto next row at col 121
-  continuation
-                      | ← cursor on its content
-```
-
-## Architecture
-
-Reuse the same wrap-marker primitive Phase 1 introduced. Visible grid rows already carry `Row.wrapped` (set in `put_char` auto-wrap path). On resize:
-
-1. Coalesce active grid rows into paragraphs using `wrapped` flags
-2. Track cursor's current paragraph + cell offset within it (BEFORE rewrap)
-3. Rewrap each paragraph at new `cols` using the same `flush_paragraph` logic
-4. If rewrap produces > new `rows`: spill the oldest paragraphs into scrollback (primary only — alt is throwaway)
-5. If rewrap produces < new `rows`: pad with blank rows at the bottom (or pull from scrollback tail — see "open question")
-6. Reposition cursor: find which output row contains the saved cell offset, set (row, col) accordingly
-
-## Files
-
-| File | Change |
-| --- | --- |
-| `broker/src/terminal_state.rs` | rewrite `Inner::resize` to use paragraph reflow |
-| `broker/src/terminal_state.rs` | factor `reflow_lines` / `flush_paragraph` to reuse |
-| `broker/src/terminal_state.rs` | new tests for visible-grid resize |
-
-No protocol changes — this is purely server-side. No client changes either; the snapshot already carries reflowed visible rows, and `SessionResized` event semantics are unchanged.
-
-## Tasks
-
-## 1. Cursor offset tracking
-
-Before rewrap, compute `(paragraph_index, cell_offset_in_paragraph)` from current `(cursor.row, cursor.col)`:
-
-```rust
-fn cursor_to_logical(grid: &Grid, cursor: &CursorPos) -> (usize, usize) {
-    let mut para_idx = 0;
-    let mut offset = 0;
-    let mut row = 0;
-    while row < cursor.row {
-        offset += grid.lines[row].cells.len();
-        if !grid.lines[row].wrapped {
-            para_idx += 1;
-            offset = 0;
-        }
-        row += 1;
-    }
-    offset += cursor.col;
-    (para_idx, offset)
-}
-```
-
-After rewrap, walk the new rows to find which one contains paragraph `para_idx` at cell `offset`:
-
-```rust
-fn logical_to_cursor(rows: &[Row], target_para: usize, target_offset: usize) -> CursorPos {
-    let mut para_idx = 0;
-    let mut offset = 0;
-    for (r, row) in rows.iter().enumerate() {
-        if para_idx == target_para && offset + row.cells.len() > target_offset {
-            return CursorPos { row: r, col: target_offset - offset };
-        }
-        offset += row.cells.len();
-        if !row.wrapped {
-            para_idx += 1;
-            offset = 0;
-        }
-    }
-    CursorPos { row: rows.len().saturating_sub(1), col: 0 }
-}
-```
-
-## 2. Rewrap on resize (primary buffer)
-
-In `Inner::resize` (`terminal_state.rs:279`), before the existing `primary.resize` call:
-
-```rust
-let (cur_para, cur_offset) = cursor_to_logical(&self.primary, &self.cursor);
-let reflowed = reflow_lines(&self.primary.lines, cols);
-// Spill overflow into scrollback (oldest first).
-let overflow = reflowed.len().saturating_sub(rows);
-for row in reflowed.iter().take(overflow) {
-    self.scrollback.push_back(row.clone());
-}
-while self.scrollback.len() > self.scrollback_max {
-    self.scrollback.pop_front();
-}
-let kept: Vec<Row> = reflowed.into_iter().skip(overflow).collect();
-self.primary.lines = kept;
-self.primary.lines.resize_with(rows, || blank_line(cols));
-self.primary.cols = cols;
-self.primary.rows = rows;
-self.cursor = logical_to_cursor(&self.primary.lines, cur_para.saturating_sub(overflow), cur_offset);
-```
-
-## 3. Alt-screen rewrap (truncate, no scrollback)
-
-For `self.alt`, same rewrap but if it overflows new `rows`, truncate from the TOP (alt screen has no scrollback). TUI apps will issue full redraw on SIGWINCH so any lost content gets repainted by the app itself.
-
-## 4. Tests
-
-```rust
-#[test]
-fn resize_shrink_rewraps_visible_grid() {
-    let mut t = TerminalState::new(10, 3);
-    t.feed(b"hello world!"); // wraps in 10 cols
-    // Now resize to 5 cols — "hello world!" should re-wrap to 3 rows.
-    t.resize(5, 5);
-    // verify visible content equivalent paragraph at width 5
-}
-
-#[test]
-fn resize_grow_unwraps_continuation() {
-    let mut t = TerminalState::new(5, 3);
-    t.feed(b"helloworld");
-    t.resize(20, 3);
-    // "helloworld" now fits on one row
-}
-
-#[test]
-fn resize_overflow_spills_to_scrollback() {
-    let mut t = TerminalState::new(20, 3);
-    t.feed(b"line1\nline2\nline3");
-    t.resize(5, 2); // shrink — first paragraph overflow
-    assert!(!t.inner.scrollback.is_empty());
-}
-
-#[test]
-fn resize_preserves_cursor_relative_position() {
-    let mut t = TerminalState::new(10, 3);
-    t.feed(b"hello "); // cursor at (0, 6)
-    t.resize(3, 5);
-    // cursor should still point at the cell after the space — now at (2, 0)
-}
-
-#[test]
-fn resize_alt_screen_truncates_top() {
-    // enter alt, fill with content, shrink, verify top truncated, no scrollback
-}
-
-#[test]
-fn resize_no_op_when_dims_unchanged() {
-    // sanity: resize to same dims must be idempotent
-}
-```
-
-## Open questions
-
-1. **Pull from scrollback when growing?** tmux does this. Simpler: don't — let the next live PTY redraw fill the new space. Recommendation: defer pulling; ship without and see if anyone cares.
-2. **Cursor on a wrapped boundary?** If cursor is exactly at end of a wrapped row (`pending_wrap=true`), is it "on" that row or the next? Decision: treat `pending_wrap` as "cursor is logically at offset = end of this row's cells". Existing emulator semantics already handle this; preserve them.
-3. **What about the scroll region?** `scroll_top` / `scroll_bottom` currently get reset in `Inner::resize` (line 284-285). Keep that — TUI apps re-issue DECSTBM on SIGWINCH if they care.
-4. **Performance?** Reflow runs on every resize, which is debounced at 80ms server-side. For typical 24-row visible grid, this is microseconds. No concern.
-
-## Estimated effort
-
-~6h focused. Cursor handling is the highest-risk piece — that's where tmux/alacritty have historically had the most reflow bugs. Plan extra test time on cursor invariants.
-
-## When NOT to do this
-
-Skip / defer if:
-- Phases 1-3 fully resolve user reports (most likely outcome — the bulk of "weird history" is scrollback)
-- We decide to migrate the broker emulator to a vetted crate (vte's `Term`, ghostty's terminal core) — they already implement reflow correctly and we'd inherit it for free
-
-## Related
-
-- `SCROLLBACK-REFLOW-PLAN.md` — Phases 1-3 (shipped)
-- tmux `aggressive-resize` — reference behavior
-- ghostty's `Terminal.reflow` — reference implementation
diff --git a/REVIEW_FIX_PLAN.md b/REVIEW_FIX_PLAN.md
deleted file mode 100644
index 5162c08e..00000000
--- a/REVIEW_FIX_PLAN.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# PR #123 — Review Fix Plan
-
-Status legend: `[ ]` not started · `[~]` in progress · `[x]` done
-
-Each phase is independently shippable. #1–#3 + #10 are merge-blockers; the rest can land as follow-ups.
-
----
-
-## Phase 1 — Ship-blockers (must land before merging #123)
-
-### [x] 1. Close the socket-perms TOCTOU race
-**File:** `broker/src/server.rs:~110`
-**Problem:** `UnixListener::bind` creates the socket with default umask; `set_permissions(0o600)` runs after — local attacker can `connect()` in between.
-**Fix:**
-- `umask(0o077)` before bind, restore after, OR
-- bind in a 0o700 parent dir (always — not only when path literally ends in `.wolfpack`) and `rename` into place
-- harden the *parent dir* unconditionally for the fallback path, not pattern-matched on name
-**Test:** integration test that `stat`s the socket immediately after `wait_ready` and asserts `0o600`. Parallel test using a custom socket path locks in parent-dir hardening.
-
-### [x] 2. Fix snapshot→subscribe seq gap
-**Files:** `src/server/broker-backend.ts:~372`, `src/broker/client.ts` (subscribe call site)
-**Problem:** `getSessionPrefill` returns `snapshot.seq = N`, then `client.subscribe` attaches at broker's `current_seq = M ≥ N` with **no `since_seq`**. Bytes `(N, M]` sit in the ring but are never replayed → relies on byte-overlap heuristics.
-**Fix:** pass `sinceSeq: snapshot.seq` to `subscribe`. Broker already replays from ring. Remove or downgrade `__stripInitialPtyOverlap` once seq-based replay covers the gap.
-**Test:** integration test injecting PTY output between snapshot capture and subscribe attach; assert no bytes lost and no duplicates.
-
-### [x] 3. Surface subscribe RPC errors in BrokerBackend
-**File:** `src/server/broker-backend.ts:361-392`
-**Problem:** RPC failure leaves local cb registered with refcount=1 → silent leak, no error to caller.
-**Fix:** await the RPC inside `subscribeOutput`, unwind local cb registration on rejection, propagate error.
-**Test:** unit in `broker-backend.test.ts` mocking RPC failure; assert no leaked subscriber state and that caller observes the error.
-
-### [x] 10. Investigate & fix: black screen after time on another session; devtools-resize unblocks but with limited scrollback
-**Symptom:** switch to another session, come back later → terminal canvas blank → opening devtools triggers layout/resize → screen renders but scrollback is short.
-
-**Two compounding hypotheses:**
-- **(a) renderer canvas invalidation.** xterm's canvas/webgl backing store can be invalidated by browser when the host element is hidden/unmounted. Only a forced reflow (resize, devtools toggle) triggers `term.refresh()`. The existing `visibilitychange` handler at `public/app.ts:2860` covers tab visibility but **not** in-app session switches — tab is still visible, only a different DOM node is shown.
-- **(b) prefill mode truncates scrollback.** The first prefill into xterm's in-memory ring is `prefillMode: "viewport"` for grid cells (right) but possibly also for the focused single-session view (wrong). After the forced redraw, xterm draws what's in *its* ring — the broker's full scrollback was never streamed. So the post-resize render shows only the visible screen + whatever fit.
-
-**Investigation steps:**
-- repro: open session, switch away >X minutes, switch back. Log `term._core._renderService` state and `document.visibilityState` at the black-frame moment.
-- confirm `visibilitychange` does NOT fire on in-app session switch (expected — tab still visible).
-- check exactly what triggers redraw when devtools opens: window resize? `ResizeObserver`? Add instrumentation.
-- audit `prefillMode` per controller: single-session vs grid cell, first attach vs reconnect.
-- check whether `term.refresh()` alone (without resize) clears the black frame in repro — that pins the hypothesis to (a) vs (b).
-
-**Likely fix:**
-- on session show/focus, call `term.refresh(0, term.rows - 1)` unconditionally (cheap, idempotent) → addresses (a)
-- for the active single-session view, default `prefillMode: "full"`; viewport mode stays for grid cells → addresses (b)
-- on long-stale return (>`DESKTOP_STALE_THRESHOLD_MS`-equivalent applied to session-switch, not just tab-visibility), force `reconnect()` so broker re-streams from current snapshot+scrollback
-- add `IntersectionObserver` on the terminal element → on becoming visible after being hidden, fire refresh + (if stale) reconnect
-
-**Test:** e2e — open session, toggle hide/show via `display:none`, assert canvas non-blank within 100ms. Separate test: stale (>60s) session switch triggers a snapshot RPC and full-scrollback prefill.
-
----
-
-## Phase 2 — Notable concerns (tracked issues, follow-up PRs)
-
-### [x] 4. Notify clients on broadcast `Lagged`
-**File:** `broker/src/server.rs:475-512`
-**Fix:** on `Lagged(n)`, emit `subscription_dropped` event (new) or reuse `snapshot_invalidated`. Client auto-resyncs via fresh snapshot+subscribe. Don't tear down the connection.
-**TS:** handler in `src/broker/client.ts` re-issues snapshot + subscribe with current seq.
-**Test:** integration test with one slow consumer + one fast producer; assert the slow consumer gets a resync event and recovers.
-
-### [x] 5. Signal replay truncation on subscribe
-**Files:** `broker/src/output_bus.rs`, `broker/src/protocol.rs`
-**Fix:** add `replay_truncated: bool` to `SubscribeResponse`; set when `since_seq < earliest_seq_in_ring`. TS treats it as "fetch snapshot before live."
-**Test:** unit on `output_bus` with ring eviction; assert the flag.
-
-### [x] 6. Move resize event emission onto `Session`
-**Files:** `broker/src/session.rs:308-329`, `broker/src/session_router.rs`
-**Fix:** `Session::resize` calls `EventSender::session_resized` directly; router becomes a thin caller.
-**Why:** invariant lives with the type that owns the state — drift risk goes away.
-
-### [x] 7. Tighten `unsubscribe` semantics + test session-id reuse
-**File:** `broker/src/server.rs:431-467`
-**Fix:** drain pending writer mpsc for that subscription before acking unsubscribe, or document the lag and add a fence frame.
-**Test:** unsub session A, immediately sub session B with same recycled name (post-reap); assert no A-frames delivered as B.
-
----
-
-## Phase 3 — Test coverage gaps
-
-### [x] 8. Add the missing failure-mode tests
-- malformed JSON in `control_request` payload → broker returns typed error, connection survives
-- oversized frame (>16 MiB) over a live socket (currently only codec-level test) → connection dropped cleanly
-- slow consumer end-to-end exceeding `DEFAULT_BROADCAST_CAPACITY` → exercises #4 path
-- broker `SIGKILL` mid-session + client reconnect — manual + scripted via `kill -9`
-- socket perms: `stat` after start, assert `0o600` (covered by #1's test)
-
----
-
-## Phase 4 — Minor cleanup (single bundled PR, post-merge)
-
-### [x] 9. Polish
-- pooled buffer in `broker/src/codec.rs:72` — deferred (profiling needed)
-- fix TS `unsubscribe` return type — done (`Promise<ControlResponse | null>` → `Promise<void>`)
-- `BrokerBackend.list()` cache TTL — deferred (O(1) on cache hit; miss-path acceptable for current session counts)
-- extract `terminal_state.rs` vte-tracking layer — deferred (architectural, separate PR)
-
----
-
-## Out of scope
-- redesigning broadcast vs ring capacity coupling (#5 makes truncation observable; decoupling sizes is a separate proposal)
-- replacing xterm with ghostty-web everywhere
-
----
-
-## Sequencing
-1. **before merge:** #1, #2, #3, #10 — parallelizable, different files
-2. **week of merge:** #4 + #5 as a pair — slow-consumer recovery needs both
-3. **opportunistic:** #6, #7, #8, #9
-
-## Verification gate before declaring done
-- all Phase 1 boxes checked
-- `cargo test` + `bun test` + e2e suite green
-- manual repro of #10 confirmed fixed on real device (desktop + mobile)
-- CI captures `stat` of socket post-start showing `0o600`
diff --git a/context.md b/context.md
deleted file mode 100644
index bb319bd6..00000000
--- a/context.md
+++ /dev/null
@@ -1,135 +0,0 @@
-<!-- generated by /edc:edc-build -->
-# Wolfpack — Architecture Context
-
-Wolfpack is a PWA mobile command center for AI agent sessions. The TypeScript server delegates session ownership to a mandatory Rust broker daemon (`wolfpack-broker`) over a Unix socket; the server itself never owns PTYs. It runs as a local HTTP/WebSocket process on a developer machine, exposed over Tailscale HTTPS so it can be controlled from a phone or remote browser. A single Bun binary bundles all frontend assets, server code, and CLI tooling. Default port: 18790.
-
----
-
-## Module Index
-
-| Module | Key Files | Context |
-|--------|-----------|---------|
-| Auth | `src/auth.ts` | [.context/auth.md](.context/auth.md) |
-| Validation | `src/validation.ts`, `src/ws-constants.ts`, `src/wolfpack-context.ts` | [.context/validation.md](.context/validation.md) |
-| Server Core | `src/server/index.ts`, `src/server/routes.ts`, `src/server/http.ts` | [.context/server-core.md](.context/server-core.md) |
-| WebSocket | `src/server/websocket.ts`, `src/take-control-logic.ts`, `src/reconnect-hydration.ts` | [.context/websocket.md](.context/websocket.md) |
-| Session Backends | `src/server/backend.ts`, `src/server/broker-backend.ts`, `src/server/mock-backend.ts`, `src/server/strip-ansi.ts`, `src/server/shell.ts`, `src/server/dev-dir.ts` | [.context/session-backends.md](.context/session-backends.md) |
-| Broker Client | `src/broker/client.ts`, `src/broker/codec.ts`, `broker/` (Rust daemon) | — |
-| Ralph Orchestration | `src/ralph-macchio.ts`, `src/server/ralph.ts`, `src/ralph-skill-audit.ts`, `src/ralph-skill-cleanup.ts`, `src/worktree.ts` | [.context/ralph.md](.context/ralph.md) |
-| Push Notifications | `src/server/push.ts`, `public/sw-push.js` | [.context/push.md](.context/push.md) |
-| CLI | `src/cli/index.ts`, `src/cli/config.ts`, `src/cli/setup.ts`, `src/cli/service.ts`, `src/cli/doctor.ts`, `src/cli/formatting.ts` | [.context/cli.md](.context/cli.md) |
-| Frontend | `public/app.ts`, `public/app-state.ts`, `public/app-ralph.ts`, `public/app-grid.ts`, `public/app-touch.ts`, `public/index.html`, `public/manifest.json`, `public/sw-push.js`, `public/wolfpack-lib.js` | [.context/frontend.md](.context/frontend.md) |
-| Shared Utilities | `src/log.ts`, `src/triage.ts`, `src/qr.ts`, `src/shared/process-cleanup.ts`, `src/public-assets.ts`, `src/terminal-buffer.ts`, `src/terminal-input.ts`, `src/grid-logic.ts`, `src/test-hooks.ts`, `src/types.d.ts` | [.context/shared.md](.context/shared.md) |
-| Build & Scripts | `scripts/build.ts`, `scripts/bundle-app.ts`, `scripts/gen-assets.ts`, `scripts/bundle-ghostty.ts`, `scripts/bundle-client-lib.ts` | [.context/build.md](.context/build.md) |
-| Tests | `tests/unit/`, `tests/integration/`, `tests/e2e/`, `tests/snapshot/` | [.context/tests.md](.context/tests.md) |
-
----
-
-## Actors
-
-- **Mobile/remote browser** — authenticates via JWT, consumes HTTP API and WebSocket connections over Tailscale HTTPS
-- **Wolfpack server** — single Bun process; serves frontend, handles HTTP API, manages WS sessions, spawns ralph workers
-- **Ralph worker** — detached Bun subprocess per project; runs the AI agent iteration loop against a plan file
-- **AI agent** (claude, gemini, codex, cursor) — spawned by ralph worker; executes tasks in a project directory, optionally sandboxed via `srt`
-- **wolfpack-broker** — mandatory Rust daemon; owns all PTY sessions, exposes a Unix-socket RPC + event protocol consumed by the wolfpack server
-- **Tailscale daemon** — provides HTTPS termination and injects `Tailscale-User-Login` header (trusted boundary)
-- **Peer wolfpack instances** — other wolfpack servers on the same tailnet; queried via `/api/info` for session aggregation
-
----
-
-## Key End-to-End Flows
-
-- **Auth → Session → WS Relay**: browser JWT auth → `/api/sessions` → WS upgrade → `handlePtyWs` → `setupNewPtyEntry` → ghostty-web renders PTY output
-- **Ralph Lifecycle**: `POST /api/ralph/start` → atomic lock → detached worker spawn → iteration loop (extract task → run agent → mark done) → push notification on completion
-- **Push Notification**: browser subscribes → VAPID key exchange → server detects state transition → RFC 8291 encrypt → POST to FCM/APNs → service worker `showNotification`
-- **Take-Control**: second viewer → `viewer_conflict` → `take_control` message → `performImmediateTakeover` → old viewer displaced (close 4002) → new viewer gets `control_granted`
-- **Peer Aggregation**: `GET /api/ralph?aggregate=true` → probe peers via `/api/info` → forward auth header → `validatePeerLoops` strip → merge results
-
----
-
-## Global Invariants
-
-1. **Path containment**: all project directory access is guarded by `isUnderDevDir(realpathSync(dir))` using proper boundary check (`=== baseDir || startsWith(baseDir + "/")`) after symlink rejection via `lstatSync`. (`src/server/routes.ts:134`, `src/server/dev-dir.ts`)
-
-2. **JWT always timingSafeEqual**: signature comparison uses `Buffer.timingSafeEqual` with pre-checked length equality. String equality never used. (`src/auth.ts:143-146`)
-
-3. **Auth disabled by default**: if `WOLFPACK_JWT_SECRET` is unset or < 32 chars, all requests pass unauthenticated. Intentional for local dev. (`src/auth.ts:98`)
-
-4. **Single viewer per PTY session**: `activePtySessions` enforces one `viewer` per entry. Concurrent WS connections receive `viewer_conflict` and must explicitly take control. (`src/server/websocket.ts:32`)
-
-5. **Lock atomicity**: ralph lock uses `{ flag: "wx" }` — fails if file exists. PID written after spawn. Stale lock detected by PID liveness check + cmdline verification. (`src/server/routes.ts:657`)
-
-6. **Shell args never interpolated**: all git and agent invocations use array form (`execFile`, `execFileSync`, `spawn` with args array). No string shell interpolation. One exception: `BrokerBackend.createSession` uses `shellEscape` before `-lic` when wrapping the agent command. (`src/server/broker-backend.ts`)
-
-7. **WOLFPACK_TEST gate**: all test-only hooks throw unless `process.env.WOLFPACK_TEST` is set. (`src/test-hooks.ts`)
-
-8. **Push endpoint allowlist**: push subscription endpoints must have exact-match hostname in `ALLOWED_PUSH_HOSTS`. Prevents SSRF. (`src/server/push.ts:101`)
-
-9. **CSP nonce**: every HTML response gets a fresh cryptographically-random 16-byte nonce. All `<script>` tags are rewritten at response time. (`src/server/http.ts:143-177`)
-
-10. **Rate limiting before route dispatch**: global (120/s) and poll-heavy (10/s) rate limits checked after JWT auth but before route handlers. (`src/server/index.ts:154-163`)
-
-11. **Peer response schema validation**: all data from peer wolfpack instances is validated and stripped of unknown keys before use. (`src/server/routes.ts:91`)
-
-12. **Progress tracking is additive**: `progress.txt` is append-only. Completion tracked by a Set over `DONE:` prefixed lines. Never modifies the plan file to mark completion. (`src/ralph-macchio.ts:199`)
-
----
-
-## Trust Boundaries
-
-```
-Internet / Tailscale network
-  └─ Tailscale HTTPS endpoint (outer boundary — TLS + Tailscale ACLs)
-       │  Tailscale-User-Login header injected by daemon (unforgeable via tailscale serve)
-       └─ Wolfpack HTTP server (127.0.0.1:<port>)
-            │
-            ├─ CORS check (allowlist: localhost:<port>, *.<tailnet-suffix>)
-            │
-            ├─ JWT gate (all /api/* except /api/info)
-            │   └─ Disabled if WOLFPACK_JWT_SECRET absent or <32 chars
-            │
-            ├─ Rate limiting (120 req/s global, 10 req/s poll paths, per-IP)
-            │
-            ├─ Route handlers
-            │   ├─ Path validation: lstat + realpath + isUnderDevDir
-            │   ├─ Input validation: CMD_REGEX, BRANCH_REGEX, isValidSessionName, etc.
-            │   └─ Peer responses: validatePeerLoops (schema-strip)
-            │
-            ├─ WebSocket
-            │   ├─ CORS + JWT + isAllowedSession checks on upgrade
-            │   ├─ Binary input: capped at 16KB
-            │   ├─ Key input: WS_ALLOWED_KEYS whitelist (classic terminal)
-            │   └─ Text input: free-form (PTY mode, after auth)
-            │
-            ├─ wolfpack-broker (Unix-socket RPC; broker owns PTYs)
-            │   ├─ Input: WS_ALLOWED_KEYS for classic; raw bytes for PTY
-            │   └─ Agent commands wrapped via shellEscape before reaching broker
-            │
-            ├─ Ralph worker (detached subprocess)
-            │   ├─ Lock file prevents concurrent starts
-            │   ├─ srt sandbox: network allowlist, filesystem scope
-            │   └─ Plan/progress files in projectDir only
-            │
-            ├─ Push endpoints (allowlisted: FCM, APNS, Mozilla, WNS)
-            │   └─ Payload encrypted RFC 8291; endpoint HTTPS only
-            │
-            └─ Filesystem
-                 └─ DEV_DIR boundary; symlinks rejected; SAFE_FILENAME for log paths
-```
-
----
-
-## Cross-Module Cascade Risks
-
-| Coupling | Risk |
-|----------|------|
-| `public-assets.ts` → `http.ts` + `routes.ts` | ~900KB static Map in memory for server lifetime. Stale if `public/` edited without regenerating. CI catches this. |
-| Broker socket disappearance → `BackendRouter` | If the broker socket goes away mid-flight, `recheckBroker` logs fatal and the next op surfaces 4001. There is no fallback — wolfpack will not boot or accept new sessions until the broker is restarted. |
-| `sessionDirMap` in `dev-dir.ts` → `routes.ts` `validateProjectDir` | Map starts empty on restart; populated at session-create time + by broker `list_sessions`. Routes that call `sessionDir()` before any list call get `undefined`. Affects `/api/git-status`. |
-| `activePtySessions` in `websocket.ts` → broker output stream | Missed `teardownPty` call leaks the broker output subscription and holds WS open. Mitigated by `detach` on WS close and explicit cleanup in `performImmediateTakeover`. |
-| Ralph lock file → `routes.ts` start/cancel/status | Lock PID mismatch (PID reuse on Linux after 32-bit PID wrap) allows cancelling wrong process. Mitigated by cmdline check but `ps` race window remains. |
-| JWT config singleton → all API routes | Late `WOLFPACK_JWT_SECRET` env set has no effect until restart. Setting it after server start yields unauthenticated access. |
-| `RALPH_AGENT_CONTEXT` / `INTERACTIVE_CONTEXT` → agent behavior | These strings are injected verbatim into agent prompts. Changes affect all running ralph sessions without any versioning mechanism. |
-| `wolfpack-lib.js` (WP object) → `app.bundle.js` HTML inline code | If bundled WP functions diverge from HTML inline counterparts, behavior differs between tested and production paths. No automated consistency check. |
-| `tailscale-user-login` header → CORS bypass | If wolfpack is exposed via a non-Tailscale proxy that forwards arbitrary headers, CORS origin reconstruction from Referer becomes exploitable. Documented in `src/server/index.ts:108`. |
-| Push subscription endpoints → `sendPush` | Stored subscriptions from before `ALLOWED_PUSH_HOSTS` check was added could have arbitrary endpoints. Mitigated by HTTPS-only re-check in `sendPush`, but not by the hostname allowlist check. |
diff --git a/docs/ralph-broker-plan.md b/docs/ralph-broker-plan.md
deleted file mode 100644
index 8f8ebdc8..00000000
--- a/docs/ralph-broker-plan.md
+++ /dev/null
@@ -1,518 +0,0 @@
-# PLAN (ralph): persistent Rust PTY broker, full tmux removal
-
-Ralph executes this file as the implementation plan for the final terminal architecture.
-
-This is not a temporary migration or a stopgap plan.
-
-The target end state is fixed:
-
-- Bun Wolfpack server stays
-- Rust broker daemon is added inside this repo
-- broker is the only PTY/session owner
-- browser connects to Wolfpack, Wolfpack connects to broker
-- `tmux` is removed from the session execution path
-- obsolete `tmux` and in-process PTY ownership paths are fully cleaned up after broker parity is reached
-
-User decisions locked in:
-
-- single interactive viewer per session
-- take-control displaces the current viewer
-- broker restart may kill sessions in v1
-- browser reconnect must restore:
-  - current visible screen correctly
-  - prior scrollback transcript
-  - ANSI-faithful terminal state
-- browser copy must be practically usable
-  - terminal-native selection is acceptable
-  - transcript-backed copy UX is acceptable
-- image paste is out of scope now, but the architecture must not block it later
-- full test coverage is mandatory:
-  - unit
-  - integration
-  - e2e
-  - crash/restart recovery
-  - resize/reconnect/TUI regressions
-
----
-
-## Delivery rules
-
-Ralph must not:
-
-- introduce a new temporary persistence layer as the final result
-- leave `tmux` as a hidden fallback in the final path
-- ship a broker that only preserves child process liveness but not reconnect state quality
-- reduce reconnect fidelity to plain-text-only state
-
-Ralph may:
-
-- sequence work by checkpoints
-- keep old code temporarily during implementation
-- delete old code only after equivalent broker behavior is landed and verified
-
----
-
-## Architecture invariants
-
-These are hard requirements, not suggestions.
-
-1. Wolfpack does not own the lifetime of terminal child processes.
-2. Broker is the sole PTY/session owner.
-3. Reconnect state comes from one canonical broker-owned source.
-4. Browser attach must not combine two separate history sources.
-5. There is exactly one interactive viewer at a time.
-6. Control messages and stdin bytes remain strictly separate.
-7. Final system contains no `tmux` execution path.
-8. Final system contains no in-process PTY session ownership path in Wolfpack.
-
----
-
-## Checkpoints
-
-Each checkpoint ends with explicit test gates. Ralph should not treat a checkpoint as complete until all listed gates are green.
-
-Statuses:
-
-- **[FULL]** Ralph completes end-to-end inside the sandbox.
-- **[GATED]** Ralph lands code, then pauses for user-run or environment-dependent verification.
-
----
-
-## 1. Define broker protocol and repo layout
-
-[FULL]
-
-Create the in-repo structure for the broker and write the protocol contract first.
-
-Tasks:
-
-- add top-level Rust crate for the broker
-- choose directory layout and stick to it:
-  - `broker/` preferred unless repo constraints force `crates/brokerd/`
-- add protocol doc defining:
-  - `list_sessions`
-  - `create_session`
-  - `kill_session`
-  - `session_info`
-  - `snapshot`
-  - `write_stdin`
-  - `resize`
-  - `subscribe`
-- define message/frame boundaries:
-  - structured control plane
-  - binary live-output plane
-- define exact snapshot payload fields needed for reconnect
-
-Acceptance:
-
-- protocol document checked in
-- Rust crate scaffolds build
-- no Wolfpack runtime code changed yet
-
-Tests:
-
-- Rust unit tests for protocol serialization/deserialization
-
----
-
-## 2. Implement broker daemon skeleton
-
-[FULL]
-
-Build the broker process skeleton without PTY session semantics first.
-
-Tasks:
-
-- daemon entrypoint
-- Unix socket listener
-- request router
-- broker process lifecycle
-- logging
-- health/error handling for disconnected Wolfpack client
-
-Acceptance:
-
-- broker starts
-- Wolfpack can connect to the socket
-- stub protocol round-trips work
-
-Tests:
-
-- Rust unit tests for request routing
-- integration test for socket connect/request/response lifecycle
-
----
-
-## 3. Implement broker-owned session metadata and lifecycle
-
-[FULL]
-
-Add real session creation and ownership inside the broker.
-
-Tasks:
-
-- create PTY session from `cwd + cmd`
-- persist broker-side metadata in memory:
-  - name
-  - cwd
-  - command argv/string
-  - pid
-  - cols/rows
-  - started-at
-  - alive state
-- enforce single source of truth for session existence
-- implement kill/list/session-info routes
-
-Acceptance:
-
-- broker can create, list, inspect, and kill sessions without Wolfpack owning children
-- broker is now the process parent for sessions
-
-Tests:
-
-- Rust unit tests for session registry behavior
-- integration tests for duplicate names, kill semantics, liveness transitions
-
----
-
-## 4. Implement canonical terminal state in broker
-
-[GATED]
-
-This is the critical checkpoint. Do not fake this with a plain byte ring.
-
-Tasks:
-
-- maintain terminal-state model inside broker
-- maintain transcript tail
-- maintain reconnect snapshot state
-- snapshot must support:
-  - current visible screen
-  - scrollback transcript
-  - ANSI-faithful state restoration target
-- define and implement the internal state update pipeline from PTY output
-
-Requirements:
-
-- reconnect quality must satisfy the locked decision set
-- broker state must be authoritative, not browser-local cache
-
-Acceptance:
-
-- broker can serve a snapshot for an active TUI session
-- snapshot is sufficient to restore terminal state on reconnect
-
-Tests:
-
-- Rust unit tests for state update pipeline
-- integration fixtures for:
-  - plain shell output
-  - carriage-return redraws
-  - ANSI color/state changes
-  - TUI-like partial redraw streams
-- regression tests asserting snapshot correctness against fixture streams
-
-User gate:
-
-- manual broker-level validation against a real Claude TUI session
-- confirm reconnect snapshot is not visually or semantically degraded
-
----
-
-## 5. Add Wolfpack BrokerBackend
-
-[FULL]
-
-Integrate broker into Wolfpack through a dedicated backend implementation.
-
-Tasks:
-
-- add `BrokerBackend`
-- map existing `SessionBackend`-style responsibilities to broker RPC
-- broker-backed implementations for:
-  - list
-  - createSession
-  - killSession
-  - resize
-  - sessionDir/session metadata
-  - triage text capture source
-- wire Wolfpack startup to broker availability
-
-Acceptance:
-
-- Wolfpack session APIs can operate against broker-owned sessions
-- broker metadata cleanly replaces local PTY metadata needs
-
-Tests:
-
-- unit tests for `BrokerBackend`
-- integration tests for create/list/kill/sessionDir/resize flows through Wolfpack
-
----
-
-## 6. Replace `/ws/pty` attach path with broker streaming
-
-[GATED]
-
-This checkpoint replaces the current local PTY attach model.
-
-Tasks:
-
-- rewrite desktop attach/reconnect path to:
-  - request broker snapshot
-  - hydrate browser from broker snapshot
-  - subscribe to broker live output
-- forward browser stdin to broker
-- forward browser resize to broker
-- preserve single interactive viewer semantics and take-control behavior
-- keep control-plane and binary stdin paths separate
-
-Acceptance:
-
-- Wolfpack no longer spawns a local PTY session for desktop attach
-- live session data reaches browser through broker stream
-- take-control still works with single interactive viewer semantics
-
-Tests:
-
-- unit tests for WebSocket control-path behavior
-- integration tests for:
-  - attach
-  - reconnect
-  - take-control
-  - resize
-  - session-ended paths
-- e2e tests for:
-  - shell session reconnect
-  - Claude TUI reconnect
-  - viewer displacement/take-control
-
-User gate:
-
-- manual desktop and mobile validation against a real Claude session
-
----
-
-## 7. Add restart/crash recovery coverage
-
-[GATED]
-
-Prove the main requirement: Wolfpack restart does not kill broker-owned sessions.
-
-Tasks:
-
-- define restart test harness
-- verify session survives Wolfpack process restart
-- verify browser reconnect rehydrates correctly after Wolfpack restart
-- verify broker restart behavior is explicit and tested as a failure boundary
-
-Acceptance:
-
-- automated proof that Wolfpack restart leaves session alive
-- automated proof that reconnect state after restart is correct
-- automated proof that broker restart may kill sessions in v1 and is surfaced cleanly
-
-Tests:
-
-- integration tests exercising server restart with live session
-- e2e recovery tests across restart
-- regression tests for:
-  - current screen restoration
-  - transcript restoration
-  - ANSI/TUI restoration
-
-User gate:
-
-- manual restart verification using the installed service flow
-
----
-
-## 8. Make browser copy practically usable
-
-[GATED]
-
-The exact UX is flexible. The outcome is not.
-
-Tasks:
-
-- choose one of:
-  - true browser terminal selection/copy path
-  - transcript-backed selection/copy path
-- implement practical copy UX for desktop and mobile constraints
-- ensure solution is compatible with broker-owned canonical state
-- do not implement image paste here
-
-Acceptance:
-
-- users can practically select/copy text from the browser
-- behavior works on the target UI paths
-
-Tests:
-
-- unit tests for copy helpers
-- integration tests for transcript/copy APIs if added
-- e2e tests for copy flow on desktop path
-- mobile interaction coverage if selection UX is custom
-
-User gate:
-
-- manual browser copy validation on real target devices/browsers
-
----
-
-## 9. Remove tmux from execution path
-
-[FULL]
-
-Once broker path is proven, remove `tmux` from actual session execution.
-
-Tasks:
-
-- stop creating new `tmux` sessions
-- remove `tmux` backend from startup/backend selection
-- remove `tmux` execution-path references from server logic
-- remove `tmux`-specific WebSocket attach logic
-- remove `tmux`-specific resize/history workarounds
-
-Acceptance:
-
-- no live code path can execute a Wolfpack session through `tmux`
-
-Tests:
-
-- unit/integration coverage updated to remove `tmux` assumptions
-
----
-
-## 10. Full cleanup of obsolete paths
-
-[FULL]
-
-This checkpoint exists because full cleanup was explicitly requested.
-
-Tasks:
-
-- remove obsolete `tmux` code
-- remove obsolete in-process PTY ownership code
-- simplify backend routing to broker-only architecture
-- delete dead tests that only exist for old backends
-- replace them with broker-path coverage
-- update docs and config semantics
-- ensure install/uninstall/service flows include broker lifecycle cleanly
-
-Acceptance:
-
-- final architecture has one session owner: broker
-- no stale fallback/backend-selection complexity remains
-- docs match reality
-
-Tests:
-
-- full test suite green
-
----
-
-## 11. Packaging and service integration
-
-[GATED]
-
-Broker must be built and shipped with Wolfpack and run as its own service, installed with or started by Wolfpack.
-
-Tasks:
-
-- add broker build to release/build pipeline
-- ship broker artifact with Wolfpack
-- wire install/start/stop/uninstall flows
-- define service relationship between Wolfpack server and broker
-- verify clean startup ordering and shutdown behavior
-
-Acceptance:
-
-- release artifacts include broker
-- installed Wolfpack can run/start broker correctly
-- broker service lifecycle is coherent on supported platforms
-
-Tests:
-
-- snapshot tests for generated service definitions if applicable
-- integration tests for service wiring where possible
-
-User gate:
-
-- manual install/start/stop/uninstall verification on target platform(s)
-
----
-
-## 12. Final regression pass
-
-[GATED]
-
-Run the full matrix the user explicitly asked for.
-
-Required test categories:
-
-- unit
-- integration
-- e2e
-- crash/restart recovery
-- resize/reconnect/TUI regressions
-
-Scenario coverage must include at least:
-
-- plain shell session
-- Claude TUI session
-- desktop attach
-- mobile attach where relevant
-- take-control displacement
-- Wolfpack restart recovery
-- broker restart failure boundary
-- copy behavior
-
-Acceptance:
-
-- full matrix green
-- no remaining `tmux` execution path
-- no remaining in-process PTY ownership path
-
-User gate:
-
-- final manual signoff after end-to-end verification
-
----
-
-## Execution order
-
-Implement strictly in this order:
-
-1. protocol and crate layout
-2. broker skeleton
-3. broker session lifecycle
-4. canonical terminal state
-5. Wolfpack BrokerBackend
-6. `/ws/pty` broker streaming
-7. restart/crash recovery
-8. browser copy usability
-9. remove `tmux` execution path
-10. full cleanup of obsolete paths
-11. packaging/service integration
-12. final regression pass
-
-No checkpoint may be skipped.
-
----
-
-## Completion criteria
-
-This plan is complete only when:
-
-- broker is the only PTY/session owner
-- Wolfpack restart leaves sessions alive
-- reconnect restores visible screen + transcript + ANSI-faithful state
-- take-control semantics still work
-- browser copy is practically usable
-- broker is shipped/managed with Wolfpack
-- `tmux` path is gone
-- old in-process PTY ownership path is gone
-- full regression matrix is green
-
-Awaiting go before execution.
diff --git a/review-tasks/.context.md b/review-tasks/.context.md
deleted file mode 100644
index 38007c03..00000000
--- a/review-tasks/.context.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Review Task: `.context`
-
-## Target
-dev
-## Baseline
-main
-
-## Files to review
-- .context/.meta.json
-- .context/cli.md
-- .context/client.md
-- .context/complexity.md
-- .context/context.md
-- .context/core.md
-- .context/full-context.md
-- .context/issues.md
-- .context/ralph.md
-- .context/server.md
-- .context/tests.md
-
-## Instructions
-
-1. Read `.context/context.md` — module map, invariants, trust boundaries
-2. Read `.context/issues.md` if it exists — cross-reference known issues against the files above
-3. Read `.context/.context.md` if it exists — deep per-module context, invariants, call graphs
-4. Use the edc-review skill to perform the full review on the files listed above
-5. Write your report to `review-tasks/report-.context.md`
-
-DO NOT write your own review methodology.
-DO NOT skip reading the context files.
-USE the edc-review skill.
diff --git a/review-tasks/manifest.json b/review-tasks/manifest.json
deleted file mode 100644
index fb49683b..00000000
--- a/review-tasks/manifest.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
-  "target": "dev",
-  "baseline": "main",
-  "head": "5e1f434bf48aa08ab7f5d7a4a311d66d20a44120",
-  "modules": [
-    { "module": ".context", "files": [".context/.meta.json",".context/cli.md",".context/client.md",".context/complexity.md",".context/context.md",".context/core.md",".context/full-context.md",".context/issues.md",".context/ralph.md",".context/server.md",".context/tests.md"] }    ,
-    { "module": "public", "files": ["public/app-grid.ts","public/app-ralph.ts","public/app-state.ts","public/app.ts","public/index.html","public/styles.css","public/sw-push.js"] }    ,
-    { "module": "root", "files": ["DIFFERENTIAL_REVIEW_REPORT.md","README.md","REVIEW-DEV-VS-MAIN.md","REVIEW-PR106.md","install.sh"] }    ,
-    { "module": "src", "files": ["src/auth.ts","src/cli/config.ts","src/cli/index.ts","src/cli/service.ts","src/cli/setup.ts","src/log.ts","src/public-assets.ts","src/server/backend.ts","src/server/http.ts","src/server/index.ts","src/server/mock-backend.ts","src/server/pty-backend.ts","src/server/push.ts","src/server/ring-buffer.ts","src/server/routes.ts","src/server/tmux-backend.ts","src/server/tmux.ts","src/server/websocket.ts","src/test-hooks.ts","src/triage.ts","src/wolfpack-context.ts","src/worktree.ts"] }    ,
-    { "module": "tests", "files": ["tests/e2e/test-server.ts","tests/integration/api.test.ts","tests/integration/auth-middleware.test.ts","tests/integration/boot-backend.test.ts","tests/integration/concurrent-pty-viewer.test.ts","tests/integration/desktop-grid.test.ts","tests/integration/desktop-terminal.test.ts","tests/integration/prompt-reconnect.test.ts","tests/integration/pty-takeover.test.ts","tests/integration/pty-test-helpers.ts","tests/integration/rate-limit.test.ts","tests/integration/take-control.test.ts","tests/integration/ws-dispatch.test.ts","tests/unit/backend-router.test.ts","tests/unit/backend.test.ts","tests/unit/config-validation.test.ts","tests/unit/escaping.test.ts","tests/unit/pty-backend.test.ts","tests/unit/push.test.ts","tests/unit/ralph-worktree.test.ts","tests/unit/ring-buffer.test.ts","tests/unit/strip-ansi.test.ts","tests/unit/tailscale-exec.test.ts","tests/unit/triage.test.ts"] }
-  ]
-}
diff --git a/review-tasks/public.md b/review-tasks/public.md
deleted file mode 100644
index e8abcf1a..00000000
--- a/review-tasks/public.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# Review Task: `public`
-
-## Target
-dev
-## Baseline
-main
-
-## Files to review
-- public/app-grid.ts
-- public/app-ralph.ts
-- public/app-state.ts
-- public/app.ts
-- public/index.html
-- public/styles.css
-- public/sw-push.js
-
-## Instructions
-
-1. Read `.context/context.md` — module map, invariants, trust boundaries
-2. Read `.context/issues.md` if it exists — cross-reference known issues against the files above
-3. Read `.context/public.md` if it exists — deep per-module context, invariants, call graphs
-4. Use the edc-review skill to perform the full review on the files listed above
-5. Write your report to `review-tasks/report-public.md`
-
-DO NOT write your own review methodology.
-DO NOT skip reading the context files.
-USE the edc-review skill.
diff --git a/review-tasks/report-.context.md b/review-tasks/report-.context.md
deleted file mode 100644
index bc3f1af4..00000000
--- a/review-tasks/report-.context.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# Review Report: .context module — PR #106
-
-## Summary
-
-The `.context/` documentation was rebuilt in this session (commit `5e1f434`) via `edc-build`, replacing the old 5-module layout (`server.md`, `client.md`, `core.md`, `ralph.md`, `cli.md`) with a 12-module layout. The rebuild is internally consistent and the `.meta.json` `lastCommit` matches `HEAD`. However, 9 of the 12 new per-module context files and the new `context.md` root index are **untracked** (never committed), so the review task file was generated from a stale git diff and missed the majority of new modules. Three post-fix accuracy issues were found in `push.md` and `frontend.md`.
-
----
-
-## Findings
-
-### [CTX-01] Nine new context modules are untracked — review task file only covers old structure
-**Severity:** high
-**File(s):** `.context/auth.md`, `.context/build.md`, `.context/frontend.md`, `.context/push.md`, `.context/server-core.md`, `.context/session-backends.md`, `.context/shared.md`, `.context/validation.md`, `.context/websocket.md`, `context.md` (repo root)
-**Description:** `git status` shows these 9 new per-module context files and the new `context.md` root index as untracked (`??`). The edc-review orchestrator uses `git diff main..HEAD --name-only` to enumerate changed files; untracked files are invisible to this command. As a result, the review task file listed only the 7 modified + 4 deleted old files and omitted the 9 new modules entirely.
-**Impact:** Auth, Validation, Server Core, WebSocket, Session Backends, Push, Frontend, Shared, and Build context files were not included in any review task — roughly 75% of the new documentation is unreviewed by the orchestrated workflow.
-**Suggested fix:** Stage and commit all new `.context/` files and `context.md` before running `edc-review`. Run `git add .context/ context.md && git commit -m "chore: commit rebuilt edc context"`, then regenerate review tasks.
-
----
-
-### [CTX-02] push.md: `hkdfSha256` described as "documented constraint" — now an enforced guard
-**Severity:** low
-**File(s):** `.context/push.md:77`, `src/server/push.ts:244`
-**Description:** `push.md` states: *"`hkdfSha256` is limited to 32-byte output (single HMAC block). Documented constraint; correct for AES-128-GCM key (16) and nonce (12) derivation."* Commit `5e1f434` added an explicit `throw` at `push.ts:244`: `if (length > 32) throw new Error(...)`. The constraint is no longer merely documented — it is actively enforced at runtime.
-**Impact:** Documentation understates the safety guarantee. A reader of `push.md` may incorrectly believe the limit is advisory; the code now hard-fails on violation.
-**Suggested fix:** Update `push.md` line 77 to: *"`hkdfSha256` enforces a 32-byte output limit via a runtime `throw` — single HMAC block only. Correct for AES-128-GCM key (16) and nonce (12) derivation."*
-
----
-
-### [CTX-03] push.md: `derToRaw` description omits post-fix validation throws
-**Severity:** low
-**File(s):** `.context/push.md:78`, `src/server/push.ts:212-226`
-**Description:** `push.md` states: *"`derToRaw` handles P-256 DER signatures only. P-256 sigs are always < 128 bytes, so multi-byte BER length encoding cannot occur."* Commit `5e1f434` added explicit validation: `derToRaw` now throws on invalid DER header (`der[0] !== 0x30`), missing INTEGER tags, and length overflow. The description implies correctness is guaranteed by invariant; the code now actively validates.
-**Impact:** Understates the hardening; readers may not realize the function will now surface errors on corrupted or attacker-crafted DER blobs rather than silently misbehaving.
-**Suggested fix:** Update `push.md` line 78: *"`derToRaw` validates DER header, INTEGER tags, and length bounds — throws on malformed input. P-256 DER signatures are always < 128 bytes so no multi-byte BER length encoding occurs."*
-
----
-
-### [CTX-04] frontend.md: `escAttr` character list incomplete — missing `\t` tab escape
-**Severity:** low
-**File(s):** `.context/frontend.md:50`, `public/app-state.ts:21`
-**Description:** `frontend.md` documents `escAttr` as escaping `\`, `'`, `"`, `<`, `>`, `&`, and newlines. Commit `5e1f434` added `.replace(/\t/g, "\\t")` to `escAttr` (HIGH-02 fix). The `\t` tab escape is absent from the documentation.
-**Impact:** Minor doc drift. Readers building new `onclick` attribute patterns may not account for tab characters in user-supplied values.
-**Suggested fix:** Update `frontend.md` line 50: *"Escapes `\`, `'`, `"`, `<`, `>`, `&`, newlines, and tabs."*
-
----
-
-### [CTX-05] issues.md: SERV-4 and CLI-1 are duplicate entries for the same issue
-**Severity:** low
-**File(s):** `.context/issues.md:54-57`, `.context/issues.md:138-141`
-**Description:** `SERV-4` ("serviceStop auth gap", under Server Core) and `CLI-1` ("serviceStop unauthenticated localhost call", under CLI) describe the same root cause with nearly identical text. Both note `serviceStop()` in `src/cli/service.ts` calls `/api/backend` without an auth header, yielding 401 and confusing UX. Neither entry notes the partial UX improvement from `5e1f434` (now prompts user to confirm before stopping when count is unavailable).
-**Impact:** Duplicate entries create review noise and risk one copy being marked fixed while the other persists as if open.
-**Suggested fix:** Remove `CLI-1`. Update `SERV-4` to note the `5e1f434` UX improvement and that the root gap (no auth header) remains.
-
----
-
-### [CTX-06] Meta freshness: `lastCommit` matches HEAD — context is fresh
-**Severity:** info
-**File(s):** `.context/.meta.json:2`
-**Description:** `.meta.json` `lastCommit` = `5e1f434bf48aa08ab7f5d7a4a311d66d20a44120` = `git rev-parse HEAD`. The `--check-context` assertion will pass.
-**Impact:** None. Noted for completeness.
-**Suggested fix:** N/A.
-
----
-
-### [CTX-07] coverage gap: `src/wolfpack-client-lib.ts` not tracked in `.meta.json` modules
-**Severity:** info
-**File(s):** `.context/.meta.json`, `src/wolfpack-client-lib.ts`
-**Description:** `wolfpack-client-lib.ts` is the barrel entry point re-exporting `terminal-buffer.ts`, `terminal-input.ts`, `grid-logic.ts`, `take-control-logic.ts`, `reconnect-hydration.ts` for bundling into `public/wolfpack-lib.js`. Referenced in `full-context.md` and `build.md` but not tracked in any `.meta.json` module, so changes won't trigger a stale-context signal.
-**Impact:** Very low — pure re-export barrel with no logic. Content changes would be caught via the modules it re-exports.
-**Suggested fix:** Optionally add to `build` module files in `.meta.json`, or leave as-is.
-
----
-
-## Verdict
-
-Meta freshness: PASS (lastCommit = HEAD). Internal consistency: PASS — `context.md` module index matches on-disk `.context/` files, and `.meta.json` module registry aligns with `context.md`. Line number spot-checks pass (auth.ts:81, 98, 143-146, 184; routes.ts:134, 657; http.ts:142-179; push.ts:101, 125) within ±2 lines. The critical finding (CTX-01) is a workflow gap — 9 new context modules are on disk but uncommitted, making them invisible to `git diff`-based review tooling. CTX-02/03/04 are minor post-fix doc drift from commit `5e1f434`. No claim was found to be factually wrong against source code.
diff --git a/review-tasks/report-public.md b/review-tasks/report-public.md
deleted file mode 100644
index 703a4b3a..00000000
--- a/review-tasks/report-public.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# Review Report: public/ module — PR #106
-
-## Summary
-
-Large diff (~870 lines): push notification infrastructure (new `sw-push.js`, reworked `requestNotifications`/`unsubscribeNotifications`), scroll-lock monkey-patch for ghostty-web, `_term.reset()` vs `clear()` fix, `useClassicMobile()` hardcoded `false`, binary running/idle triage, snapshot-key ordering fix, backend toggle UI, `AbortSignal.timeout` for remote machines, DOM dispose ordering fixes. No critical issues. Most of the push notification subsystem has correctness gaps.
-
-## Diff Scope
-
-- `public/app-state.ts` — push subscribe/unsubscribe logic, `syncNotificationsPermission`
-- `public/app.ts` — scroll-lock, `_term.reset()`, classic-mobile disable, snapshot key ordering, `AbortSignal.timeout`, visibility guard removal
-- `public/app-grid.ts` — `suspendGridMode` dispose ordering fix
-- `public/sw-push.js` — new service worker for push notifications
-- `public/index.html`, `public/styles.css` — minor UI updates
-- `public/app-ralph.ts` — minimal changes
-
-## Findings
-
-### [PUB-01] `syncNotificationsPermission` bypasses `toggleSetting` — server subscription leaks on OS-level permission revoke
-**Severity:** medium
-**File(s):** `public/app-state.ts:346-357`
-**Category:** correctness / invariant (FE-3)
-
-When browser notification permission is revoked externally (OS settings), `syncNotificationsPermission` directly writes `wpSettings.notifications = false` and hand-serializes `localStorage`, bypassing `toggleSetting()`. The invariant (FE-3, frontend.md) is that settings mutations MUST go through `toggleSetting()`. The critical effect: `toggleSetting("notifications", false)` would call `applySetting("notifications", false)` → `unsubscribeNotifications()` → `POST /api/push/unsubscribe`. The direct write skips this. Server holds a stale active push endpoint after every external permission revoke; pushes are silently discarded by the browser but the server continues sending them.
-
-**Impact:** Server accumulates stale push subscriptions; wastes bandwidth and increases attack surface.
-
-**Suggested fix:** Call `toggleSetting("notifications", false); state.notificationsEnabled = false;` instead of the direct write.
-
-### [PUB-02] Push `fetch()` calls bypass JWT on JWT-gated deployments
-**Severity:** medium
-**File(s):** `public/app-state.ts:178, 193, 219`
-**Category:** security / correctness
-
-`requestNotifications()` and `unsubscribeNotifications()` call `fetch("/api/push/vapid-key")`, `fetch("/api/push/subscribe")`, and `fetch("/api/push/unsubscribe")` directly. All three are `/api/*` paths; `shouldAuthenticateApiPath` returns `true` for all `/api/*` except `/api/info`. On a JWT-configured deployment, all three return 401, push subscription silently fails in console, user sees toggle flip but is never subscribed.
-
-Note: the `api()` helper in `app.ts` also omits JWT injection (confirmed by reading `app.ts:1437-1455`). The whole app relies on JWT being disabled (AUTH-1 default). This is a pre-existing design gap, but the new push functions in `app-state.ts` can't even import `api()` (different module), making it worse. On any deployment with `WOLFPACK_JWT_SECRET` configured, push notifications are dead on arrival.
-
-**Impact:** Push notifications non-functional on any auth-enabled deployment.
-
-**Suggested fix:** Move push logic into `app.ts` where `api()` is accessible. Long-term: `api()` should inject JWT from localStorage.
-
-### [PUB-03] `unsubscribeNotifications` — server call failure leaves browser subscription active
-**Severity:** low
-**File(s):** `public/app-state.ts:211-232`
-**Category:** correctness
-
-`await fetch("/api/push/unsubscribe")` runs before `await sub.unsubscribe()`, both inside one `try/catch`. If the server call throws (network error, 4xx), catch swallows it and returns without calling `sub.unsubscribe()` — browser subscription stays active, `state.notificationsEnabled` stays `true`, user thinks they've unsubscribed.
-
-**Impact:** Unsubscribe UX broken on transient network errors.
-
-**Suggested fix:** Unsubscribe browser-side unconditionally; treat server removal as best-effort:
-```ts
-await sub.unsubscribe();
-state.notificationsEnabled = false;
-fetch("/api/push/unsubscribe", { method: "POST", ... }).catch(() => {});
-```
-
-### [PUB-04] `checkStateTransitions` visibility guard removed — haptic fires on foreground transitions
-**Severity:** low
-**File(s):** `public/app.ts:2802-2821`
-**Category:** UX regression
-
-Old code: `if (document.visibilityState === "visible") return;`. Removed in this PR. Haptic `[200, 100, 200]` now fires every time a session transitions `running → idle` even when the user is actively watching the session list. The guard existed specifically to avoid vibrating the phone when the transition is already visible. Also the `state.notificationsEnabled` guard was removed — haptic now fires whenever `wpSettings.notifications` is true regardless of whether push subscription succeeded.
-
-**Impact:** Annoying buzzing when user is already looking at the session list.
-
-**Suggested fix:** Restore the visibility guard, at minimum for the haptic call.
-
-### [PUB-05] `AbortSignal.timeout` — unavailable on iOS 15 Safari
-**Severity:** low
-**File(s):** `public/app.ts:1744`
-**Category:** correctness
-
-`AbortSignal.timeout(5000)` is used in `fetchMachine` for remote machine requests. Available since Safari 16 (iOS 16+). On iOS 15, `AbortSignal.timeout` is `undefined` — calling it throws `TypeError`. The whole `fetchMachine` call aborts, showing the machine as offline.
-
-**Impact:** Remote machines appear offline on iOS 15.
-
-**Suggested fix:** `typeof AbortSignal.timeout === "function" ? AbortSignal.timeout(5000) : undefined`
-
-### [PUB-06] `sw-push.js` — `client.url.includes(origin)` should be `startsWith`
-**Severity:** low
-**File(s):** `public/sw-push.js:24`
-**Category:** security (cosmetic in SW context)
-
-```js
-if (client.url.includes(self.location.origin) && "focus" in client)
-```
-`.includes()` matches if the origin appears anywhere in the client URL. In a SW context all clients are same-origin so this is effectively harmless — cross-origin pages can't be controlled by this SW. But semantics are wrong.
-
-**Impact:** Currently harmless, but incorrect intent.
-
-**Suggested fix:** `client.url.startsWith(self.location.origin)`
-
-### [PUB-07] `app-grid.ts` dispose ordering — `suspendGridMode` fix correct, minor caveat
-**Severity:** info
-**File(s):** `public/app-grid.ts:389-395`
-**Category:** correctness
-
-Fix is sound: `controller.dispose()` before `_cellElement.remove()` matches `dispose()`'s internal use of `_container.removeEventListener`. The loop iterates `for (const gs of state.gridSessions)` then `state.gridSessions = []` — safe, loop completes first. `_cellElement` is nulled even in suspend (not just remove), meaning `restorePreservedGrid` must re-create cells from scratch — consistent with existing behavior.
-
-### [PUB-08] `useClassicMobile()` hardcoded `false` — dead code kept
-**Severity:** info
-**File(s):** `public/app.ts:12-19`
-**Category:** correctness
-
-`useClassicMobile()` returns `false`; all classic mobile paths (`initClassicMobile`, `handleTerminalWs`, `applyTerminalPane`, `destroyClassicMobile`, `startClassicPolling`) are dead. The PR comment says "cleanup in follow-up PR" — acceptable. Verified the event listeners inside these functions are registered lazily (inside `initClassicMobile`), so they don't attach at boot.
-
-### [PUB-09] `applyTerminalPane` search highlight — correct fix
-**Severity:** info
-**File(s):** `public/app.ts:3864-3883`
-**Category:** security
-
-The old `esc(pane).replace(re, m => \`<mark>${m}</mark>\`)` ran the regex on HTML-escaped text, which could split `&amp;` and produce broken HTML. New approach: run regex on raw `pane`, then `esc()` each segment. This is correct — `match[0]` is raw text, `esc()` applied to it is safe. No finding; confirming this fix is sound.
-
-### [PUB-10] `destroyTerminal` always calls `flushSnapshot()` — risk of empty-snapshot eviction
-**Severity:** info
-**File(s):** `public/app.ts:2343-2348`
-**Category:** correctness
-
-`flushSnapshot()` is now always called in `destroyTerminal()` regardless of whether `snapshotTimer` was pending. If called before a terminal was ever created (`state.terminalController === null`), `flushSnapshot()` may write an empty snapshot under `state.currentSession`'s key, evicting a valid cached snapshot. Risk is low if `flushSnapshot()` guards against null controller, but should be confirmed.
-
-### [PUB-11] `openSession` snapshot-key ordering fix — correct
-**Severity:** info
-**File(s):** `public/app.ts:1893-1897`
-**Category:** correctness
-
-Moving `destroyTerminal()` before `setState({ currentSession: name })` is correct: `flushSnapshot()` inside `destroyTerminal()` uses `state.currentSession` as the key. Old order would save the OLD terminal's content under the NEW session's key. Fix is sound.
-
-## Verdict
-
-**Approve with fixes for PUB-01 through PUB-04.** The ghostty-web workarounds, dispose ordering, snapshot key fix, search highlight fix, and force-reconnect changes are all correct and well-commented. The push notification subsystem has four correctness/UX gaps that should be addressed before merge, particularly PUB-01 (stale server subscriptions on permission revoke) and PUB-02 (push broken on JWT deployments).
diff --git a/review-tasks/report-root.md b/review-tasks/report-root.md
deleted file mode 100644
index 6b3f9284..00000000
--- a/review-tasks/report-root.md
+++ /dev/null
@@ -1,108 +0,0 @@
-# Review Report: root files — PR #106
-
-## Summary
-
-5 root-level files changed: `README.md` updated for dual-backend architecture, `install.sh` significantly simplified (removed auto-install logic), and 3 review/diff docs added then deleted (net: they are absent in working tree but present in the diff as additions from `main`'s perspective — git diff `main...HEAD` shows them being added, but `git status` marks them deleted in the worktree because they were subsequently removed by later commits).
-
-**Overall verdict:** APPROVE with minor docs fixes. No security regressions. The install.sh simplification is a net positive. README has 3 stale doc references that should be corrected.
-
----
-
-## Diff Scope
-
-| File | Change | Lines |
-|------|--------|-------|
-| `README.md` | Modified — dual-backend docs, security section, config update | +71/-8 |
-| `install.sh` | Modified — removed auto-install logic, added security hints | +18/-125 |
-| `DIFFERENTIAL_REVIEW_REPORT.md` | Added in branch (deleted in working tree — review artifact) | +126 |
-| `REVIEW-DEV-VS-MAIN.md` | Added in branch (deleted in working tree — review artifact) | +401 |
-| `REVIEW-PR106.md` | Added in branch (deleted in working tree — review artifact) | +110 |
-
-Review artifacts (`DIFFERENTIAL_REVIEW_REPORT.md`, `REVIEW-DEV-VS-MAIN.md`, `REVIEW-PR106.md`) are deleted from the working tree in the tip commit of `dev` — they were added in earlier commits and removed before merge. Git diff from `main` still shows them as additions because `main` has none of them. The deletion is correct housekeeping; no concern.
-
----
-
-## Findings
-
-### [ROOT-01] README feature list references removed `needs-input` triage state
-**Severity:** low
-**File(s):** `README.md:168`
-**Category:** docs
-**Description:**
-The Features → Session Management bullet still reads: `Session triage — running, idle, and needs-input states with color-coded indicators`. The `needs-input` triage state and `isInputPrompt()` were removed from `src/triage.ts` in this PR (triage is now binary `running | idle`). The README was not updated to match.
-**Impact:** Users who search for `needs-input` behavior based on the README will find it absent. Minor accuracy issue; no security impact.
-**Suggested fix:** Change to `Session triage — running and idle states with color-coded indicators` (or a description matching the new binary model).
-
----
-
-### [ROOT-02] README Desktop section mentions xterm.js but desktop terminal uses ghostty-web
-**Severity:** low
-**File(s):** `README.md:174`
-**Category:** docs
-**Description:**
-`- **xterm.js PTY** — full terminal emulator with direct PTY connection (not capture-pane polling)` — xterm.js is not used. The desktop terminal is `ghostty-web.bundle.js` (ghostty-web 0.4.0). The `ghostty-web.bundle.js` includes an xterm.js compatibility shim internally, but from the user/docs perspective the terminal is ghostty-web, not xterm.js. The Mobile section correctly references ghostty-web WASM.
-**Impact:** Inaccurate documentation. Users familiar with xterm.js won't find it; the bundle name is `ghostty-web.bundle.js`.
-**Suggested fix:** Change to `- **ghostty-web PTY** — full terminal emulator with direct PTY connection (not capture-pane polling)`
-
----
-
-### [ROOT-03] README Mobile section says Classic is default; code changed default to wasm
-**Severity:** low
-**File(s):** `README.md:183`, `public/app-state.ts:72`
-**Category:** docs
-**Description:**
-`README.md:183` reads: `- **Classic** (default) — lightweight capture-pane polling.` But `public/app-state.ts:72` now sets `mobileTerminal:"wasm"` as the default (changed from `"classic"` in main). The README was not updated. This is also noted as LOW-04 in `REVIEW-DEV-VS-MAIN.md` as a behavioral change with no migration path.
-**Impact:** New users reading the README expect Classic as default; they get WASM. Mismatch between docs and code.
-**Suggested fix:** Update to remove "(default)" from Classic and add "*(default)*" to the Ghostty (WASM) entry.
-
----
-
-### [ROOT-04] README Security section says raw IP "won't work" — imprecise, potentially misleading
-**Severity:** info
-**File(s):** `README.md:216`, `install.sh:213,222`
-**Category:** docs
-**Description:**
-The README security section correctly explains: raw IP access bypasses CORS but still works. The install.sh post-install message says: `not your machine's IP (it won't work)`. These conflict: raw IP does work; it just reduces security. `install.sh` overstates the constraint.
-**Impact:** User confusion rather than security gap. The README is accurate; install.sh is not.
-**Suggested fix:** Change `install.sh:213,222` parenthetical from `(it won't work)` to `(bypasses CORS protection)`.
-
----
-
-### [ROOT-05] `install.sh` uses `set +e` with silent failure on service-upgrade path
-**Severity:** low
-**File(s):** `install.sh:14`, `install.sh:155-162`
-**Category:** security
-**Description:**
-`set +e` disables exit-on-error for the entire script. Download, chmod, codesign, and symlink steps all have explicit `if !` guards. However, the service-upgrade block (lines 155-162) swallows a failed `service install` with a dim message and continues. Not a regression from `main`, but the removal of the large auto-install block makes this pattern more visible.
-**Impact:** A failed service upgrade during a re-install is not surfaced to the operator. Low impact since the final `exec wolfpack setup` step would expose the issue.
-**Suggested fix:** Add an explicit failure message to the service restart command or add `set -u` for uninitialized variable protection.
-
----
-
-### [ROOT-06] Review artifact docs deleted from working tree — confirm staged before merge
-**Severity:** info
-**File(s):** `DIFFERENTIAL_REVIEW_REPORT.md`, `REVIEW-DEV-VS-MAIN.md`, `REVIEW-PR106.md`
-**Category:** hygiene
-**Description:**
-`git status` shows `D` (deleted) for all three review files. These were generated review artifacts committed to `dev` during the review cycle and later deleted. This is correct housekeeping — they should not appear in `main`.
-**Impact:** None if deletions are committed. Confirm they are staged (not just working-tree changes) before merging.
-**Suggested fix:** Run `git status` to verify deletions are committed to the branch tip, not just working-tree. Run `git add -u` and commit if needed.
-
----
-
-## Verdict
-
-**APPROVE with minor fixes.**
-
-The dual-backend README additions are accurate and well-written. The install.sh simplification (removing auto-install logic and the `curl | sudo sh` Tailscale install pattern) is the right call — it was a footgun with no hash verification and a hard brew/apt dependency. The security hints added post-install are useful.
-
-Must fix before merge:
-- ROOT-03 (code/docs mismatch on mobile terminal default — new users get WASM, README says Classic)
-
-Recommended:
-- ROOT-01 (stale `needs-input` reference — one-line fix)
-- ROOT-02 (xterm.js reference — one-line fix)
-- ROOT-04 (conflicting install.sh phrasing)
-
-Informational only (no action required):
-- ROOT-05, ROOT-06
diff --git a/review-tasks/report-src.md b/review-tasks/report-src.md
deleted file mode 100644
index 4b09c1cf..00000000
--- a/review-tasks/report-src.md
+++ /dev/null
@@ -1,108 +0,0 @@
-# Review Report: src/ module — PR #106
-
-## Summary
-
-22 files reviewed across auth, server, CLI, and shared modules. The PR primarily hardens push crypto, fixes a SSRF concern, improves auth UX, and refactors backend selection. The critical path (JWT validation, path containment, shell-arg safety) is intact. One medium SSRF regression path through stored subscriptions, plus a handful of low-severity asymmetries in validation/escaping and test-hook guarding.
-
-## Diff Scope
-
-- `src/server/push.ts` — added explicit DER validation, HKDF length enforcement, notify debounce testing hooks
-- `src/server/pty-backend.ts` / `src/server/tmux-backend.ts` — cleaner backend split; `PtyBackend` uses `-lic` directly
-- `src/server/backend.ts` — `backendFor()` selector, `__resetBackend()` test hook
-- `src/server/routes.ts` — unified close-code constants from `ws-constants.ts`
-- `src/server/http.ts` — CSP nonce fix, rate-limiter accessors, auth middleware
-- `src/server/websocket.ts` — take-control state machine tightened
-- `src/auth.ts` — JWT UX: return 401 with specific reason
-- `src/cli/*` — doctor/setup tweaks, service install UX
-- `src/test-hooks.ts` — new `__resetJwtAuthConfig`, `__resetBackend`, `__setDevDir`
-- `src/worktree.ts`, `src/wolfpack-context.ts` — minor
-- `src/log.ts`, `src/public-assets.ts`, `src/triage.ts` — incidental
-
-## Findings
-
-### [SRC-01] `sendPush` SSRF regression path via stored subscriptions
-**Severity:** medium
-**File(s):** `src/server/push.ts:317`
-**Category:** security
-
-`sendPush` filter (`validSubs`) re-validates HTTPS only, not the hostname allowlist. A subscription persisted to disk BEFORE `ALLOWED_PUSH_HOSTS` was introduced (PUSH-2 in issues.md) bypasses the allowlist and receives push POSTs with notification content. New subscriptions are validated at `POST /api/push/subscribe`, but legacy entries on disk are not re-checked.
-
-**Impact:** Endpoints outside the allowlist continue receiving plaintext endpoint URLs / encrypted payloads. SSRF-adjacent if attacker can influence the on-disk subscription store.
-
-**Suggested fix:** Add `&& ALLOWED_PUSH_HOSTS.has(url.hostname)` to the `validSubs` filter in `sendPush`.
-
-### [SRC-02] `PtyBackend` omits `shellEscape` on `fullCmd`
-**Severity:** low
-**File(s):** `src/server/pty-backend.ts:112`
-**Category:** security / invariant
-
-`TmuxBackend` wraps its shell command in `shellEscape`; `PtyBackend` passes the constructed `shellCmd` directly to `-lic`. Currently safe due to `CMD_REGEX` validation at the route layer, but the asymmetry is a maintenance footgun. If `CMD_REGEX` is ever loosened (e.g. to allow spaces in a future path), `PtyBackend` silently becomes injectable while `TmuxBackend` stays safe.
-
-**Impact:** Defense-in-depth gap; not exploitable today.
-
-**Suggested fix:** Apply `shellEscape(shellCmd)` symmetrically in `PtyBackend` to match `TmuxBackend`.
-
-### [SRC-03] push test-reset functions missing `WOLFPACK_TEST` guard
-**Severity:** low
-**File(s):** `src/server/push.ts:459`
-**Category:** invariant
-
-`_testingResetDebounce()` and the `_testing` export lack the `WOLFPACK_TEST` throw-guard required by invariant #7 (context.md). Every other test hook added in this PR (`__resetJwtAuthConfig`, `__resetBackend`, `__setDevDir`) correctly guards.
-
-**Impact:** Inadvertent call in production would silently suppress all push notifications by clearing debounce state, enabling a notification storm.
-
-**Suggested fix:** Gate exports with `if (!process.env.WOLFPACK_TEST) throw new Error("test-only hook")`.
-
-### [SRC-04] `__resetBackend` test hook lacks WOLFPACK_TEST guard symmetry
-**Severity:** low
-**File(s):** `src/server/backend.ts`
-**Category:** invariant
-
-Similar to SRC-03: verify the new `__resetBackend()` export is guarded per invariant #7. If not, a production caller could swap out the live backend mid-flight.
-
-**Impact:** Live backend swap would disrupt active sessions.
-
-**Suggested fix:** Confirm the guard exists; add if missing.
-
-### [SRC-05] JWT auth UX: 401 body leaks detail
-**Severity:** low
-**File(s):** `src/auth.ts`
-**Category:** security
-
-Auth failure path returns a reason string in the 401 body (e.g. "token expired", "invalid signature"). Useful for CLI UX but provides an oracle for signature-vs-claim failures during brute force.
-
-**Impact:** Minor information disclosure to an attacker enumerating JWT validation failures.
-
-**Suggested fix:** Collapse all validation failures to a single generic "unauthorized" message; log the specific reason server-side only.
-
-### [SRC-06] `backendFor()` selector — consistent derivation, no finding
-**Severity:** info
-**File(s):** `src/server/backend.ts`
-**Category:** correctness
-
-New `backendFor(sessionName)` helper deterministically selects the backend based on session name format. Used consistently in `getBackendTypeForSession`. No finding — this is a clean refactor.
-
-### [SRC-07] CSP nonce injection preserved across HTML transforms
-**Severity:** info
-**File(s):** `src/server/http.ts`
-**Category:** security
-
-CSP nonce is correctly injected into the HTML head before serving. No finding.
-
-### [SRC-08] Close-code unification via `ws-constants.ts`
-**Severity:** info
-**File(s):** `src/server/routes.ts`, `src/server/websocket.ts`
-**Category:** correctness
-
-Close codes now sourced from `ws-constants.ts` (`CLOSE_CODE_SESSION_UNAVAILABLE = 4001`, etc.). Eliminates drift risk. No finding.
-
-### [SRC-09] Rate-limiter test hook exposure
-**Severity:** info
-**File(s):** `src/server/http.ts`
-**Category:** testability
-
-`__pollRateLimiter` and `__globalRateLimiter` expose internal `._map` for clearing in tests. Documented pattern, used correctly in `api.test.ts`. No finding.
-
-## Verdict
-
-**Approve with fix for SRC-01 (medium).** The push SSRF regression path is the only finding that warrants a must-fix gate. SRC-02 / SRC-03 / SRC-04 / SRC-05 are low-severity hardening items that can follow in a cleanup commit. The overall diff is disciplined and preserves all critical invariants.
diff --git a/review-tasks/report-tests.md b/review-tasks/report-tests.md
deleted file mode 100644
index ea0e0013..00000000
--- a/review-tasks/report-tests.md
+++ /dev/null
@@ -1,138 +0,0 @@
-# Review Report: tests/ module — PR #106
-
-## Summary
-
-24 files changed, 2992 diff lines. The dominant change is migration from `__setTestOverrides()` (tmux stub shims) to `__setTestBackend(MockBackend)` — tests now exercise real `BackendRouter` routing. Eight new unit test files cover previously untested modules (ring buffer, PTY backend, push crypto/VAPID, strip-ansi, tailscale exec, backend singleton, backend router). The migration is broadly correct. Two correctness issues require fixing before merge.
-
-## Diff Scope
-
-- `tests/integration/api.test.ts` — rewritten against real server (~750 lines)
-- `tests/integration/pty-test-helpers.ts` — MockBackend boot helper
-- `tests/integration/auth-middleware.test.ts` — JWT config singleton handling
-- `tests/integration/pty-takeover.test.ts`, `concurrent-pty-viewer.test.ts`, `take-control.test.ts` — WS lifecycle
-- `tests/integration/desktop-terminal.test.ts`, `desktop-grid.test.ts` — close-code assertions
-- `tests/integration/boot-backend.test.ts` — new, tests backend singleton init
-- `tests/unit/` — 8 new test files
-- `tests/unit/ralph-worktree.test.ts` — gpgsign fix
-- `tests/unit/triage.test.ts` — `isInputPrompt` removal
-
-## Findings
-
-### [TEST-01] Notify rate limiter state not reset between tests — order-dependent
-**Severity:** medium
-**File(s):** `tests/integration/api.test.ts:774-784`
-**Category:** flakiness
-
-`beforeEach` clears `__pollRateLimiter._map` and `__globalRateLimiter._map` but NOT `notifyTimestamps` (module-level in `push.ts`). The test comment acknowledges "already sent 1 call above" — explicit ordering dependency. If test order changes or the preceding `valid notification → 200` test is skipped, the burst count is different.
-
-**Impact:** Test order-dependent; flaky under re-ordering or parallel runs.
-
-**Suggested fix:** `_testing.notifyTimestamps = []` (or `_testing.resetDebounce()`) in the notify `beforeEach`, mirroring `tests/unit/push.test.ts:319-321`.
-
-### [TEST-02] Subscription cap test has no try/finally — leaks real files on assertion failure
-**Severity:** medium
-**File(s):** `tests/unit/push.test.ts:284-312`
-**Category:** cleanup
-
-The cap test adds up to 20 real entries to `~/.wolfpack/push-subscriptions.json`. The cleanup `for (const ep of added) removeSubscription(ep)` is inline — if any `expect()` throws mid-loop, the file retains garbage entries. Subsequent runs start with a non-zero `getSubscriptionCount()` baseline, potentially failing the cap logic.
-
-**Impact:** Persistent cross-run test pollution.
-
-**Suggested fix:** Wrap body in `try/finally { for (const ep of added) removeSubscription(ep); }`.
-
-### [TEST-03] session-unavailable test weakened — 4001 close code regression no longer locked in
-**Severity:** medium
-**File(s):** `tests/integration/desktop-terminal.test.ts:463-475`
-**Category:** correctness
-
-Old test verified the server sends WS close code `4001` before any prefill messages. New test accepts either "connect throws" OR `ev.code >= 1000` — the latter accepts any close code including `1000`. Because the server correctly rejects at the HTTP upgrade level (403 Forbidden, not a WS close), the `catch` branch fires and the test passes unconditionally regardless of what code the server would send. The regression lock is gone.
-
-**Impact:** Regression in close-code semantics (frontend takes-control state machine depends on 4001) would pass unnoticed.
-
-**Suggested fix:** Assert the `catch` branch fires (HTTP 403 rejection), and fail if the upgrade was accepted. Or use a helper that validates close code matches `CLOSE_CODE_SESSION_UNAVAILABLE`.
-
-### [TEST-04] bootTestServer leaks `__setTestBackend` singleton across loop iterations
-**Severity:** low
-**File(s):** `tests/integration/boot-backend.test.ts:14-38`
-**Category:** cleanup
-
-The `for (const backendType of ["tmux", "pty"])` loop calls `bootTestServer()` twice. Each call calls `__setTestBackend(mock, backendType)` (global mutation) but `ctx.cleanup()` does NOT call `__resetBackend()`. The second iteration overwrites the singleton left by the first, but any test in the same bun worker running after this file inherits a "pty" mock backend. Same contamination class as the pre-existing JWT singleton issue (TEST-1 in issues.md).
-
-**Impact:** Cross-file test contamination under same bun worker.
-
-**Suggested fix:** Add `__resetBackend()` to `ctx.cleanup()` in `pty-test-helpers.ts`.
-
-### [TEST-05] sendTakeControl sends two frames — relies on in-order delivery
-**Severity:** low
-**File(s):** `tests/integration/pty-test-helpers.ts:150-153`
-**Category:** flakiness
-
-`sendTakeControl` sends `attach` then `take_control` as two separate sends. WS message ordering within a single connection is guaranteed by the spec so this is safe. Noted for awareness — the comment in the helper is sufficient documentation. No action required.
-
-### [TEST-06] backend-router.test.ts uses Object.create + `(router as any).field` for private fields
-**Severity:** low
-**File(s):** `tests/unit/backend-router.test.ts:19-30`
-**Category:** correctness
-
-`createTestRouter()` bypasses `BackendRouter`'s constructor (which spawns real PtyBackend/TmuxBackend) via `Object.create(BackendRouter.prototype)` and manually injects private fields by string name. A field rename in production would produce silent wrong behavior rather than a type error. The `(router as any)` cast disables TypeScript's protection.
-
-**Impact:** Silent test breakage on private-field rename.
-
-**Suggested fix:** Add a comment listing the private field names and noting they must stay in sync with `BackendRouter`. Alternatively expose a test-only static factory.
-
-### [TEST-07] pty-backend.test.ts uses fixed `sleep()` waits — inherently flaky on loaded CI
-**Severity:** low
-**File(s):** `tests/unit/pty-backend.test.ts:70-87`
-**Category:** flakiness
-
-`capturePane captures PTY output` and `send writes to PTY` use `sleep(300)` + `sleep(500)` before asserting output content. On loaded CI macOS runners, process spawn + shell prompt + command echo can exceed 800ms. Tests are placed in `tests/unit/` despite being labeled "integration-ish" (spawning real PTY processes).
-
-**Impact:** Flaky under CI load.
-
-**Suggested fix:** Replace fixed sleeps with a poll loop: `while (Date.now() < deadline && !output.includes(marker)) { await sleep(50); output = await capturePane(); }`.
-
-### [TEST-08] triage.test.ts removes isInputPrompt tests — behavioral change correctly locked
-**Severity:** info
-**File(s):** `tests/unit/triage.test.ts`
-**Category:** coverage
-
-`isInputPrompt` is removed from production (`TriageStatus` is now `"running" | "idle"` only). The test file correctly removes all `isInputPrompt` tests. The `api.test.ts` rename of "classifies needs-input" → "classifies idle" with updated assertion is correct behavior lock-in for the intentional `needs-input` removal. No action needed.
-
-### [TEST-09] ralph-worktree.test.ts gpgsign fix is correct
-**Severity:** info
-**File(s):** `tests/unit/ralph-worktree.test.ts:11`
-**Category:** correctness
-
-Added `-c commit.gpgsign=false` to git invocations. Prevents CI hang on machines with global GPG signing configured. Correct fix, no action needed.
-
-### [TEST-10] escaping.test.ts escAttr inline copy updated in sync with production
-**Severity:** info
-**File(s):** `tests/unit/escaping.test.ts:22-33`
-**Category:** mirror
-
-The inline `escAttr` copy in the test was updated to match the `\n`, `\r`, `\t` escaping added to `public/app-state.ts`. Both are now in sync. Pre-existing mirror pattern (FE-2/complexity.md). Future changes to `app-state.ts` still require manual sync.
-
-### [TEST-11] validation.test.ts stale inline replica — not addressed, pre-existing
-**Severity:** info
-**File(s):** `tests/unit/validation.test.ts` (unchanged)
-**Category:** mirror
-
-Pre-existing: inline copies of `isValidSessionName`, `isValidProjectName`, etc. not imported from `src/`. `validation-extracted.test.ts` + `validation-fuzzing.test.ts` cover the real code. Out of scope for this PR but still present.
-
-### [TEST-12] ralph-api.test.ts hand-rolled server mirror — not addressed, pre-existing
-**Severity:** info
-**File(s):** `tests/integration/ralph-api.test.ts` (unchanged)
-**Category:** mirror
-
-1683-LOC hand-rolled server reimplementing ralph route handlers (complexity.md finding). This PR fixed the equivalent pattern in `api.test.ts` but not `ralph-api.test.ts`. Out of scope; track separately.
-
-## Verdict
-
-**Approve with required fixes:**
-
-- TEST-01 (required): Add `_testing.notifyTimestamps = []` to `beforeEach` in notify test block in `api.test.ts`
-- TEST-02 (required): Wrap subscription cap test body in `try/finally` for cleanup
-- TEST-03 (recommended): Strengthen session-unavailable test to assert rejection rather than accept any outcome
-- TEST-07 (recommended): Replace fixed `sleep()` in `pty-backend.test.ts` with poll-based waits
-
-Pre-existing debt in `validation.test.ts` and `ralph-api.test.ts` remains but was not introduced by this PR.
diff --git a/review-tasks/root.md b/review-tasks/root.md
deleted file mode 100644
index 34e59a9d..00000000
--- a/review-tasks/root.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Review Task: `root`
-
-## Target
-dev
-## Baseline
-main
-
-## Files to review
-- DIFFERENTIAL_REVIEW_REPORT.md
-- README.md
-- REVIEW-DEV-VS-MAIN.md
-- REVIEW-PR106.md
-- install.sh
-
-## Instructions
-
-1. Read `.context/context.md` — module map, invariants, trust boundaries
-2. Read `.context/issues.md` if it exists — cross-reference known issues against the files above
-3. Read `.context/root.md` if it exists — deep per-module context, invariants, call graphs
-4. Use the edc-review skill to perform the full review on the files listed above
-5. Write your report to `review-tasks/report-root.md`
-
-DO NOT write your own review methodology.
-DO NOT skip reading the context files.
-USE the edc-review skill.
diff --git a/review-tasks/src.md b/review-tasks/src.md
deleted file mode 100644
index d6de2262..00000000
--- a/review-tasks/src.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# Review Task: `src`
-
-## Target
-dev
-## Baseline
-main
-
-## Files to review
-- src/auth.ts
-- src/cli/config.ts
-- src/cli/index.ts
-- src/cli/service.ts
-- src/cli/setup.ts
-- src/log.ts
-- src/public-assets.ts
-- src/server/backend.ts
-- src/server/http.ts
-- src/server/index.ts
-- src/server/mock-backend.ts
-- src/server/pty-backend.ts
-- src/server/push.ts
-- src/server/ring-buffer.ts
-- src/server/routes.ts
-- src/server/tmux-backend.ts
-- src/server/tmux.ts
-- src/server/websocket.ts
-- src/test-hooks.ts
-- src/triage.ts
-- src/wolfpack-context.ts
-- src/worktree.ts
-
-## Instructions
-
-1. Read `.context/context.md` — module map, invariants, trust boundaries
-2. Read `.context/issues.md` if it exists — cross-reference known issues against the files above
-3. Read `.context/src.md` if it exists — deep per-module context, invariants, call graphs
-4. Use the edc-review skill to perform the full review on the files listed above
-5. Write your report to `review-tasks/report-src.md`
-
-DO NOT write your own review methodology.
-DO NOT skip reading the context files.
-USE the edc-review skill.
diff --git a/review-tasks/tests.md b/review-tasks/tests.md
deleted file mode 100644
index 0d0bd7b3..00000000
--- a/review-tasks/tests.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# Review Task: `tests`
-
-## Target
-dev
-## Baseline
-main
-
-## Files to review
-- tests/e2e/test-server.ts
-- tests/integration/api.test.ts
-- tests/integration/auth-middleware.test.ts
-- tests/integration/boot-backend.test.ts
-- tests/integration/concurrent-pty-viewer.test.ts
-- tests/integration/desktop-grid.test.ts
-- tests/integration/desktop-terminal.test.ts
-- tests/integration/prompt-reconnect.test.ts
-- tests/integration/pty-takeover.test.ts
-- tests/integration/pty-test-helpers.ts
-- tests/integration/rate-limit.test.ts
-- tests/integration/take-control.test.ts
-- tests/integration/ws-dispatch.test.ts
-- tests/unit/backend-router.test.ts
-- tests/unit/backend.test.ts
-- tests/unit/config-validation.test.ts
-- tests/unit/escaping.test.ts
-- tests/unit/pty-backend.test.ts
-- tests/unit/push.test.ts
-- tests/unit/ralph-worktree.test.ts
-- tests/unit/ring-buffer.test.ts
-- tests/unit/strip-ansi.test.ts
-- tests/unit/tailscale-exec.test.ts
-- tests/unit/triage.test.ts
-
-## Instructions
-
-1. Read `.context/context.md` — module map, invariants, trust boundaries
-2. Read `.context/issues.md` if it exists — cross-reference known issues against the files above
-3. Read `.context/tests.md` if it exists — deep per-module context, invariants, call graphs
-4. Use the edc-review skill to perform the full review on the files listed above
-5. Write your report to `review-tasks/report-tests.md`
-
-DO NOT write your own review methodology.
-DO NOT skip reading the context files.
-USE the edc-review skill.
diff --git a/sandbox-test.txt b/sandbox-test.txt
deleted file mode 100644
index ca4ad0f8..00000000
--- a/sandbox-test.txt
+++ /dev/null
@@ -1 +0,0 @@
-hello from sandbox test