Merge origin/main into feat-remote-workspace

Re-merge to clear CONFLICTING after main advanced today. Main brought in:
iOS sign-out local-first/offline-safe revocation (#5776), iOS workspace
list groups/unread-dots/last-activity previews + shared Unread filter
(#5726), Focus/DND-honoring fallback notification sound (#5651), and the
budget refreshes #6018/#6020/#6025. #6020 extracted NotificationSoundSettings
out of TerminalNotificationStore.swift into a new Sources/NotificationSoundSettings.swift;
#6025 deduped the TerminalNotificationStore budget entry.

Conflict resolution:
- Sources/TerminalNotificationStore.swift: main redesigned this file by
  extracting the NotificationSoundSettings enum. Took main's version (the
  extraction wins). The slice's two edits here (import CmuxFoundation; swap
  ProcessPipeReader.readDataToEndOfFileOrEmpty(from:) for the new
  FileHandle.readDataToEndOfFileOrEmpty() extension) both targeted the enum
  body that main moved, so they no longer belong in this file.
- Sources/NotificationSoundSettings.swift (main's new extracted file):
  RE-LIFT. The slice removed the app-target ProcessPipeReader type in favor of
  a CmuxFoundation FileHandle extension, so main's extracted file would not
  compile as-is. Re-lifted the slice's migration here: added
  import CmuxFoundation and switched the errorPipe read to
  errorPipe.fileHandleForReading.readDataToEndOfFileOrEmpty().
- .github/swift-file-length-budget.tsv: two conflict regions (slice vs main
  ordering, plus #6025's TerminalNotificationStore dedup). Regenerated the
  whole budget to merged-tree actual counts via --write-budget; check passes.
- cmux.xcodeproj/project.pbxproj: auto-merged, re-normalized; check-pbxproj
  passes, NotificationSoundSettings.swift wired, no ID collisions.

Slice packages (CmuxCore/CmuxRemoteDaemon/CmuxRemoteSession/CmuxRemoteWorkspace)
and the modified CmuxFoundation kept intact; ghostty pointer matches origin/main;
no CmuxControlSocket phantom inherited.

Gates: ensure-ghosttykit OK, swift_file_length_budget exit 0,
lint-ios-package-conventions exit 0, all slice packages + CmuxFoundation
swift build OK, app xcodebuild Debug BUILD SUCCEEDED.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Author: azooz2003-bit

.github/swift-file-length-budget.tsv

@@ -5,9 +5,9 @@
 19266	Sources/ContentView.swift
 18118	Sources/AppDelegate.swift
 16674	Sources/GhosttyTerminalView.swift
-14787	Sources/TerminalController.swift
+14635	Sources/TerminalController.swift
 13568	Sources/Panels/BrowserPanel.swift
-12405	Sources/Workspace.swift
+12410	Sources/Workspace.swift
 12044	cmuxTests/AppDelegateShortcutRoutingTests.swift
 10020	Sources/TabManager.swift
 9345	cmuxTests/CLINotifyProcessIntegrationRegressionTests.swift
@@ -21,7 +21,7 @@
 6071	Sources/TextBoxInput.swift
 5482	cmuxTests/BrowserConfigTests.swift
 5462	Sources/cmuxApp.swift
-4827	Packages/CmuxMobileShell/Sources/CmuxMobileShell/MobileShellComposite.swift
+4801	Packages/CmuxMobileShell/Sources/CmuxMobileShell/MobileShellComposite.swift
 4460	Sources/Panels/FilePreviewPanel.swift
 4400	cmuxTests/BrowserPanelTests.swift
 4227	Sources/BrowserWindowPortal.swift
@@ -38,17 +38,17 @@
 2565	Sources/Panels/CmuxWebView.swift
 2545	cmuxTests/WorkspaceManualUnreadTests.swift
 2544	cmuxTests/CommandPaletteSearchEngineTests.swift
-2528	Sources/TerminalNotificationStore.swift
 2516	Sources/KeyboardShortcutSettings.swift
-2340	Sources/Mobile/MobileHostService.swift
 2327	cmuxTests/CJKIMEInputTests.swift
+2322	Sources/Mobile/MobileHostService.swift
 2314	Sources/FileExplorerView.swift
 2260	Sources/TerminalWindowPortal.swift
 2199	Sources/SessionPersistence.swift
 2123	cmuxTests/ShortcutAndCommandPaletteTests.swift
 2117	cmuxTests/CmuxConfigTests.swift
 2030	Sources/KeyboardShortcutSettingsFileStore.swift
 1949	Sources/Panels/BrowserWebAuthnSupport.swift
+1941	Sources/TerminalNotificationStore.swift
 1860	cmuxTests/NotificationAndMenuBarTests.swift
 1794	Sources/SessionIndexStore.swift
 1751	Sources/WindowDragHandleView.swift
@@ -70,7 +70,7 @@
 1362	Sources/CMUXInstalledExtensionSidebarHostView.swift
 1313	cmuxTests/MobileHostAuthorizationTests.swift
 1285	cmuxUITests/SidebarHelpMenuUITests.swift
-1239	Sources/Feed/FeedCoordinator.swift
+1255	Sources/Feed/FeedCoordinator.swift
 1205	Packages/CmuxMobileTerminal/Sources/CmuxMobileTerminal/TerminalInputTextView.swift
 1197	cmuxTests/CodexAppServerSessionTests.swift
 1156	cmuxTests/SidebarOrderingTests.swift
@@ -109,12 +109,12 @@
 768	Sources/MainWindowFocusController.swift
 762	Packages/CmuxMobileTransport/Sources/CmuxMobileTransport/CmxNetworkByteTransport.swift
 760	Packages/CMUXAgentLaunch/Tests/CMUXAgentLaunchTests/AgentLaunchSanitizerTests.swift
-757	Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/Coordinator/AuthCoordinator.swift
 756	Sources/Panels/AgentSessionWebRendererCoordinator.swift
 752	cmuxUITests/CloseWorkspaceCmdDUITests.swift
 751	Sources/TerminalController+ControlWorkspaceContext.swift
 739	Sources/App/MenuBarExtraController.swift
 738	Packages/CMUXProjectModel/Sources/CMUXProjectModel/XcodeProjectAdapter.swift
+738	Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/Coordinator/AuthCoordinator.swift
 716	Sources/TaskManagerSnapshot.swift
 714	Sources/AppleScriptSupport.swift
 710	Sources/TerminalSSHSessionDetector.swift
@@ -126,6 +126,7 @@
 697	cmuxTests/TerminalNotificationClearAllTests.swift
 696	cmuxTests/UpdatePillReleaseVisibilityTests.swift
 693	Sources/Panels/BrowserPopupWindowController.swift
+691	Sources/NotificationSoundSettings.swift
 691	cmuxTests/TaskManagerResourcesTests.swift
 683	Packages/CmuxSwiftRender/Sources/CmuxSwiftRender/SwiftViewInterpreter.swift
 683	Sources/Panels/CodexAppServerSession.swift

Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/BrowserSignIn/HostBrowserSignInFlow.swift

@@ -345,6 +345,21 @@ public final class HostBrowserSignInFlow {
             try await coordinator.completeExternalSignIn()
         } catch {
             log.log("auth.callback completion failed: \(error)")
+            // No flow-side seed clear here, deliberately. When a sign-out
+            // raced the validation round trip, the seeds were already in the
+            // store when the coordinator's local-first clear ran (they are
+            // seeded before `completeExternalSignIn`), so the coordinator's
+            // clear owns wiping them. Clearing here instead RACES that
+            // sign-out: the flow bumps `signOutGeneration` before the
+            // coordinator captures the teardown credentials with raw store
+            // reads, so a clear from this catch can empty the store inside
+            // the capture window and silently strip the best-effort server
+            // teardown (push unregister, session revocation) of its
+            // credentials. A coordinator-level cancellation without a
+            // sign-out (a concurrent publish) must not clear either: in
+            // production the published session is typically authenticated by
+            // these very tokens (same shared store), and clearing them would
+            // strand it.
             return false
         }
         log.log("auth.callback.coordinator.complete.end attempt=\(attemptID.map(String.init) ?? "external") signedIn=\(coordinator.isAuthenticated)")

Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/Client/AuthClient.swift

@@ -60,6 +60,45 @@ public protocol AuthClient: Sendable {
     ///   - anchor: The presentation-anchor provider for the auth UI.
     func signInWithOAuth(provider: String, anchor: any AuthPresentationAnchoring) async throws
 
-    /// Clear the persisted Stack session (tokens) for the current device.
-    func signOut() async throws
+    /// The access token exactly as stored, with no freshness check and no
+    /// network refresh (unlike ``accessToken()``, which may mint a new token
+    /// over the network when the stored one looks stale).
+    ///
+    /// For capturing the credentials a best-effort server-side teardown needs
+    /// before ``clearLocalSession()`` destroys them; never blocks on
+    /// connectivity.
+    func storedAccessToken() async -> String?
+
+    /// Clear the locally persisted session (tokens) without any network call.
+    /// The device is signed out once this returns, regardless of connectivity.
+    func clearLocalSession() async
+
+    /// Clear the locally persisted session only while the stored refresh
+    /// token still equals `refreshToken`: an atomic compare-and-clear at the
+    /// token store. For stale-session cleanup that can race a fresh sign-in's
+    /// store write; a store that changed owners after the cleanup decision is
+    /// left alone. User-intent sign-out keeps using the unconditional
+    /// ``clearLocalSession()``.
+    func clearLocalSession(ifRefreshTokenMatches refreshToken: String) async
+
+    /// Revoke the server-side session the captured token pair authenticates,
+    /// without touching local token storage (the local session is typically
+    /// already cleared by ``clearLocalSession()`` when this runs).
+    ///
+    /// Best-effort by contract: callers bound it with a deadline and log
+    /// failures rather than letting revocation gate sign-out.
+    func revokeSession(accessToken: String?, refreshToken: String?) async throws
+
+    /// A likely-valid access token for an explicit captured token pair,
+    /// resolved through an ephemeral store that never touches local token
+    /// storage: the captured access token when still fresh, else one freshly
+    /// minted from the captured refresh token.
+    ///
+    /// For the sign-out teardown: the raw capture can hold an expired access
+    /// token (or none on a refresh-only store), and the cmux API
+    /// authenticates with the Bearer + refresh header pair, so the bounded
+    /// best-effort teardown needs a usable access token even though the local
+    /// session is already cleared. Best-effort: returns `nil` when no token
+    /// could be resolved (offline, dead server).
+    func freshAccessToken(accessToken: String?, refreshToken: String) async -> String?
 }

Packages/CmuxAuthRuntime/Sources/CmuxAuthRuntime/Client/StackAuthClient.swift

@@ -81,8 +81,39 @@ public struct StackAuthClient: AuthClient {
         try await stack.signInWithOAuth(provider: provider, presentationContextProvider: anchor)
     }
 
-    public func signOut() async throws {
-        try await stack.signOut()
+    /// The access token exactly as stored: a raw read, no freshness check,
+    /// no network refresh. See ``AuthClient/storedAccessToken()``.
+    public func storedAccessToken() async -> String? {
+        await stack.getStoredAccessToken()
+    }
+
+    /// Clear the locally persisted Stack session unconditionally, with no
+    /// network call. See ``AuthClient/clearLocalSession()``.
+    public func clearLocalSession() async {
+        await stack.clearStoredTokens()
+    }
+
+    /// Compare-and-clear the locally persisted Stack session, atomic at the
+    /// SDK token store. See
+    /// ``AuthClient/clearLocalSession(ifRefreshTokenMatches:)``.
+    public func clearLocalSession(ifRefreshTokenMatches refreshToken: String) async {
+        await stack.clearStoredTokens(ifRefreshTokenEquals: refreshToken)
+    }
+
+    /// Revoke the server-side session the captured token pair authenticates,
+    /// through an ephemeral token store that never writes to the app's real
+    /// keychain. See ``AuthClient/revokeSession(accessToken:refreshToken:)``.
+    public func revokeSession(accessToken: String?, refreshToken: String?) async throws {
+        // Nothing to authenticate the DELETE with; skip the round trip.
+        guard accessToken != nil || refreshToken != nil else { return }
+        try await stack.revokeSession(accessToken: accessToken, refreshToken: refreshToken)
+    }
+
+    /// A likely-valid access token for an explicit captured pair, resolved
+    /// without touching local token storage. See
+    /// ``AuthClient/freshAccessToken(accessToken:refreshToken:)``.
+    public func freshAccessToken(accessToken: String?, refreshToken: String) async -> String? {
+        await stack.likelyValidAccessToken(accessToken: accessToken, refreshToken: refreshToken)
     }
 
     private static func mapped(_ user: CurrentUser) async -> CMUXAuthUser {