@cluesmith/codev 2.0.0-rc.3 → 2.0.0-rc.32

package/dist/agent-farm/servers/dashboard-server.js

@@ -10,14 +10,14 @@ import net from 'node:net';
 import httpProxy from 'http-proxy';
 import { spawn, execSync, exec } from 'node:child_process';
 import { promisify } from 'node:util';
-import { randomUUID } from 'node:crypto';
+import { randomUUID, timingSafeEqual } from 'node:crypto';
 import { fileURLToPath } from 'node:url';
 const execAsync = promisify(exec);
 import { Command } from 'commander';
 import { getPortForTerminal } from '../utils/terminal-ports.js';
 import { escapeHtml, parseJsonBody, isRequestAllowed as isRequestAllowedBase, } from '../utils/server-utils.js';
-import { loadState, getAnnotations, addAnnotation, removeAnnotation, getUtils, tryAddUtil, removeUtil, getBuilder, getBuilders, removeBuilder, upsertBuilder, clearState, } from '../state.js';
-import { spawnTtyd } from '../utils/shell.js';
+import { loadState, getAnnotations, addAnnotation, removeAnnotation, getUtils, addUtil, removeUtil, updateUtil, getBuilder, getBuilders, removeBuilder, upsertBuilder, clearState, getArchitect, setArchitect, } from '../state.js';
+import { TerminalManager } from '../../terminal/pty-manager.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 // Default dashboard port
@@ -91,6 +91,131 @@ function findTemplatePath(filename, required = false) {
 const projectRoot = findProjectRoot();
 // Use modular dashboard template (Spec 0060)
 const templatePath = findTemplatePath('dashboard/index.html', true);
+// Terminal backend is always node-pty (Spec 0085)
+const terminalBackend = 'node-pty';
+// Load dashboard frontend preference from config (Spec 0085)
+function loadDashboardFrontend() {
+    const configPath = path.resolve(projectRoot, 'codev', 'config.json');
+    if (fs.existsSync(configPath)) {
+        try {
+            const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+            return config?.dashboard?.frontend ?? 'react';
+        }
+        catch { /* ignore */ }
+    }
+    return 'react';
+}
+const dashboardFrontend = loadDashboardFrontend();
+// React dashboard dist path (built by Vite)
+const reactDashboardPath = path.resolve(__dirname, '../../../dashboard/dist');
+const useReactDashboard = dashboardFrontend === 'react' && fs.existsSync(reactDashboardPath);
+if (useReactDashboard) {
+    console.log('Dashboard frontend: React');
+}
+else if (dashboardFrontend === 'react') {
+    console.log('Dashboard frontend: React (dist not found, falling back to legacy)');
+}
+else {
+    console.log('Dashboard frontend: legacy');
+}
+const terminalManager = new TerminalManager({ projectRoot });
+console.log('Terminal backend: node-pty');
+// Clear stale terminalIds on startup — TerminalManager starts empty, so any
+// persisted terminalId from a previous run is no longer valid.
+{
+    const arch = getArchitect();
+    if (arch?.terminalId) {
+        setArchitect({ ...arch, terminalId: undefined });
+    }
+    for (const builder of getBuilders()) {
+        if (builder.terminalId) {
+            upsertBuilder({ ...builder, terminalId: undefined });
+        }
+    }
+    for (const util of getUtils()) {
+        if (util.terminalId) {
+            updateUtil(util.id, { terminalId: undefined });
+        }
+    }
+}
+// Auto-create architect PTY session if architect exists with a tmux session
+async function initArchitectTerminal() {
+    const architect = getArchitect();
+    if (!architect || !architect.tmuxSession || architect.terminalId)
+        return;
+    try {
+        // Verify the tmux session actually exists before trying to attach.
+        // If it doesn't exist, tmux attach exits immediately, leaving a dead terminalId.
+        const { spawnSync } = await import('node:child_process');
+        const probe = spawnSync('tmux', ['has-session', '-t', architect.tmuxSession], { stdio: 'ignore' });
+        if (probe.status !== 0) {
+            console.log(`initArchitectTerminal: tmux session '${architect.tmuxSession}' does not exist yet`);
+            return;
+        }
+        // Use tmux directly (not via bash -c) to avoid DA response chaff.
+        // bash -c creates a brief window where readline echoes DA responses as text.
+        const info = await terminalManager.createSession({
+            command: 'tmux',
+            args: ['attach-session', '-t', architect.tmuxSession],
+            cwd: projectRoot,
+            cols: 200,
+            rows: 50,
+            label: 'architect',
+        });
+        // Wait to detect immediate exit (e.g., tmux session disappeared between check and attach)
+        await new Promise((resolve) => setTimeout(resolve, 500));
+        const session = terminalManager.getSession(info.id);
+        if (!session || session.info.exitCode !== undefined) {
+            console.error(`initArchitectTerminal: PTY exited immediately (exit=${session?.info.exitCode})`);
+            terminalManager.killSession(info.id);
+            return;
+        }
+        setArchitect({ ...architect, terminalId: info.id });
+        console.log(`Architect terminal session created: ${info.id}`);
+    }
+    catch (err) {
+        console.error('Failed to create architect terminal session:', err.message);
+    }
+}
+// Poll for architect state and create PTY session once available
+// start.ts writes architect to DB before spawning this server, but there can be a small delay
+(async function waitForArchitectAndInit() {
+    for (let attempt = 0; attempt < 30; attempt++) {
+        await new Promise((resolve) => setTimeout(resolve, 500));
+        try {
+            const arch = getArchitect();
+            if (!arch)
+                continue;
+            if (arch.terminalId)
+                return; // Already has terminal
+            if (!arch.tmuxSession)
+                continue; // No tmux session yet
+            console.log(`initArchitectTerminal: attempt ${attempt + 1}, tmux=${arch.tmuxSession}`);
+            await initArchitectTerminal();
+            const updated = getArchitect();
+            if (updated?.terminalId) {
+                console.log(`initArchitectTerminal: success, terminalId=${updated.terminalId}`);
+                return;
+            }
+            console.log(`initArchitectTerminal: attempt ${attempt + 1} failed, terminalId still unset`);
+        }
+        catch (err) {
+            console.error(`initArchitectTerminal: attempt ${attempt + 1} error:`, err.message);
+        }
+    }
+    console.warn('initArchitectTerminal: gave up after 30 attempts');
+})();
+// Log telemetry
+try {
+    const metricsPath = path.join(projectRoot, '.agent-farm', 'metrics.log');
+    fs.mkdirSync(path.dirname(metricsPath), { recursive: true });
+    fs.appendFileSync(metricsPath, JSON.stringify({
+        event: 'backend_selected',
+        backend: 'node-pty',
+        timestamp: new Date().toISOString(),
+    }) + '\n');
+}
+catch { /* ignore */ }
 // Clean up dead processes from state (called on state load)
 function cleanupDeadProcesses() {
     // Clean up dead shell processes
@@ -217,6 +342,9 @@ async function killProcessGracefully(pid, tmuxSession) {
     if (tmuxSession) {
         killTmuxSession(tmuxSession);
     }
+    // Guard: PID 0 sends signal to entire process group — never do that
+    if (!pid || pid <= 0)
+        return;
     try {
         // First try SIGTERM
         process.kill(pid, 'SIGTERM');
@@ -281,42 +409,24 @@ function tmuxSessionExists(sessionName) {
         return false;
     }
 }
-// Create a persistent tmux session and attach ttyd to it
-// Idempotent: if session exists, just spawn ttyd to attach to it
-function spawnTmuxWithTtyd(sessionName, shellCommand, ttydPort, cwd) {
+// Create a PTY terminal session via the TerminalManager.
+// Returns the terminal session ID, or null on failure.
+async function createTerminalSession(shellCommand, cwd, label) {
+    if (!terminalManager)
+        return null;
     try {
-        // Only create session if it doesn't exist (idempotent)
-        if (!tmuxSessionExists(sessionName)) {
-            // Create tmux session with the shell command
-            execSync(`tmux new-session -d -s "${sessionName}" -x 200 -y 50 "${shellCommand}"`, { cwd, stdio: 'ignore' });
-            // Hide the tmux status bar (dashboard has its own tabs)
-            execSync(`tmux set-option -t "${sessionName}" status off`, { stdio: 'ignore' });
-            // Enable mouse support in the session
-            execSync(`tmux set-option -t "${sessionName}" -g mouse on`, { stdio: 'ignore' });
-            // Enable OSC 52 clipboard (allows copy to browser clipboard via ttyd)
-            execSync(`tmux set-option -t "${sessionName}" -g set-clipboard on`, { stdio: 'ignore' });
-            // Enable passthrough for hyperlinks and clipboard
-            execSync(`tmux set-option -t "${sessionName}" -g allow-passthrough on`, { stdio: 'ignore' });
-            // Copy selection to clipboard when mouse is released
-            // Use copy-pipe-and-cancel with pbcopy to directly copy to system clipboard
-            // (OSC 52 via set-clipboard doesn't work reliably through ttyd/xterm.js)
-            execSync(`tmux bind-key -T copy-mode MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "pbcopy"`, { stdio: 'ignore' });
-            execSync(`tmux bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "pbcopy"`, { stdio: 'ignore' });
-        }
-        // Start ttyd to attach to the tmux session
-        const customIndexPath = findTemplatePath('ttyd-index.html');
-        const ttydProcess = spawnTtyd({
-            port: ttydPort,
-            sessionName,
+        const info = await terminalManager.createSession({
+            command: '/bin/bash',
+            args: ['-c', shellCommand],
             cwd,
-            customIndexPath: customIndexPath ?? undefined,
+            cols: 200,
+            rows: 50,
+            label,
         });
-        return ttydProcess?.pid ?? null;
+        return info.id;
     }
     catch (err) {
-        console.error(`Failed to create tmux session ${sessionName}:`, err.message);
-        // Cleanup any partial session
-        killTmuxSession(sessionName);
+        console.error(`Failed to create terminal session:`, err.message);
         return null;
     }
 }
@@ -336,7 +446,7 @@ function generateShortId() {
  * Spawn a worktree builder - creates git worktree and starts builder CLI
  * Similar to shell spawning but with git worktree isolation
  */
-function spawnWorktreeBuilder(builderPort, state) {
+async function spawnWorktreeBuilder(builderPort, state) {
     const shortId = generateShortId();
     const builderId = `worktree-${shortId}`;
     const branchName = `builder/worktree-${shortId}`;
@@ -364,29 +474,10 @@ function spawnWorktreeBuilder(builderPort, state) {
                 // Use default
             }
         }
-        // Create tmux session with builder command
-        execSync(`tmux new-session -d -s "${sessionName}" -x 200 -y 50 -c "${worktreePath}" "${builderCommand}"`, { cwd: worktreePath, stdio: 'ignore' });
-        // Hide the tmux status bar (dashboard has its own tabs)
-        execSync(`tmux set-option -t "${sessionName}" status off`, { stdio: 'ignore' });
-        // Enable mouse support
-        execSync(`tmux set-option -t "${sessionName}" -g mouse on`, { stdio: 'ignore' });
-        execSync(`tmux set-option -t "${sessionName}" -g set-clipboard on`, { stdio: 'ignore' });
-        execSync(`tmux set-option -t "${sessionName}" -g allow-passthrough on`, { stdio: 'ignore' });
-        // Copy selection to clipboard when mouse is released (pbcopy for macOS)
-        execSync(`tmux bind-key -T copy-mode MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "pbcopy"`, { stdio: 'ignore' });
-        execSync(`tmux bind-key -T copy-mode-vi MouseDragEnd1Pane send-keys -X copy-pipe-and-cancel "pbcopy"`, { stdio: 'ignore' });
-        // Start ttyd connecting to the tmux session
-        const customIndexPath = findTemplatePath('ttyd-index.html');
-        const ttydProcess = spawnTtyd({
-            port: builderPort,
-            sessionName,
-            cwd: worktreePath,
-            customIndexPath: customIndexPath ?? undefined,
-        });
-        const pid = ttydProcess?.pid ?? null;
-        if (!pid) {
+        // Create PTY terminal session via node-pty
+        const terminalId = await createTerminalSession(builderCommand, worktreePath, `builder-${builderId}`);
+        if (!terminalId) {
             // Cleanup on failure
-            killTmuxSession(sessionName);
             try {
                 execSync(`git worktree remove "${worktreePath}" --force`, { cwd: projectRoot, stdio: 'ignore' });
                 execSync(`git branch -D "${branchName}"`, { cwd: projectRoot, stdio: 'ignore' });
@@ -399,16 +490,17 @@ function spawnWorktreeBuilder(builderPort, state) {
         const builder = {
             id: builderId,
             name: `Worktree ${shortId}`,
-            port: builderPort,
-            pid,
+            port: 0,
+            pid: 0,
             status: 'implementing',
             phase: 'interactive',
             worktree: worktreePath,
             branch: branchName,
             tmuxSession: sessionName,
             type: 'worktree',
+            terminalId,
         };
-        return { builder, pid };
+        return { builder, pid: 0 };
     }
     catch (err) {
         console.error(`Failed to spawn worktree builder:`, err.message);
@@ -888,6 +980,115 @@ function isRequestAllowed(req) {
     }
     return isRequestAllowedBase(req);
 }
+/**
+ * Timing-safe token comparison to prevent timing attacks
+ */
+function isValidToken(provided, expected) {
+    if (!provided)
+        return false;
+    // Ensure both strings are same length for timing-safe comparison
+    const providedBuf = Buffer.from(provided);
+    const expectedBuf = Buffer.from(expected);
+    if (providedBuf.length !== expectedBuf.length) {
+        // Still do a comparison to maintain constant time
+        timingSafeEqual(expectedBuf, expectedBuf);
+        return false;
+    }
+    return timingSafeEqual(providedBuf, expectedBuf);
+}
+/**
+ * Generate HTML for login page
+ */
+function getLoginPageHtml() {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <title>Dashboard Login</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <style>
+    body { font-family: system-ui; background: #1a1a2e; color: #eee;
+           display: flex; justify-content: center; align-items: center;
+           min-height: 100vh; margin: 0; }
+    .login { background: #16213e; padding: 2rem; border-radius: 8px;
+             max-width: 400px; width: 90%; }
+    h1 { margin-top: 0; }
+    input { width: 100%; padding: 0.75rem; margin: 0.5rem 0;
+            border: 1px solid #444; border-radius: 4px;
+            background: #0f0f23; color: #eee; font-size: 1rem;
+            box-sizing: border-box; }
+    button { width: 100%; padding: 0.75rem; margin-top: 1rem;
+             background: #4a7c59; color: white; border: none;
+             border-radius: 4px; font-size: 1rem; cursor: pointer; }
+    button:hover { background: #5a9c69; }
+    .error { color: #ff6b6b; margin-top: 0.5rem; display: none; }
+  </style>
+</head>
+<body>
+  <div class="login">
+    <h1>Agent Farm Login</h1>
+    <p>Enter your API key to access the dashboard.</p>
+    <input type="password" id="key" placeholder="API Key" autofocus>
+    <div class="error" id="error">Invalid API key</div>
+    <button onclick="login()">Login</button>
+  </div>
+  <script>
+    // Check for key in URL (from QR code scan) or localStorage
+    (async function() {
+      const urlParams = new URLSearchParams(window.location.search);
+      const keyFromUrl = urlParams.get('key');
+      const keyFromStorage = localStorage.getItem('codev_web_key');
+      const key = keyFromUrl || keyFromStorage;
+
+      if (key) {
+        if (keyFromUrl) {
+          localStorage.setItem('codev_web_key', keyFromUrl);
+        }
+        await verifyAndLoadDashboard(key);
+      }
+    })();
+
+    async function verifyAndLoadDashboard(key) {
+      try {
+        // Fetch the actual dashboard with auth header
+        const res = await fetch(window.location.pathname, {
+          headers: {
+            'Authorization': 'Bearer ' + key,
+            'Accept': 'text/html'
+          }
+        });
+        if (res.ok) {
+          // Replace entire page with dashboard
+          const html = await res.text();
+          document.open();
+          document.write(html);
+          document.close();
+          // Clean URL without reload
+          history.replaceState({}, '', window.location.pathname);
+        } else {
+          // Key invalid
+          localStorage.removeItem('codev_web_key');
+          document.getElementById('error').style.display = 'block';
+          document.getElementById('error').textContent = 'Invalid API key';
+        }
+      } catch (e) {
+        document.getElementById('error').style.display = 'block';
+        document.getElementById('error').textContent = 'Connection error';
+      }
+    }
+
+    async function login() {
+      const key = document.getElementById('key').value;
+      if (!key) return;
+      localStorage.setItem('codev_web_key', key);
+      await verifyAndLoadDashboard(key);
+    }
+    document.getElementById('key').addEventListener('keypress', (e) => {
+      if (e.key === 'Enter') login();
+    });
+  </script>
+</body>
+</html>`;
+}
 // Create server
 const server = http.createServer(async (req, res) => {
     // Security: Validate Host and Origin headers
@@ -896,17 +1097,37 @@ const server = http.createServer(async (req, res) => {
         res.end('Forbidden');
         return;
     }
+    // CRITICAL: When CODEV_WEB_KEY is set, ALL requests require auth
+    // NO localhost bypass - tunnel daemons (cloudflared) run locally and proxy
+    // to localhost, so checking remoteAddress would incorrectly trust remote traffic
+    const webKey = process.env.CODEV_WEB_KEY;
+    if (webKey) {
+        const authHeader = req.headers.authorization;
+        const token = authHeader?.replace('Bearer ', '');
+        if (!isValidToken(token, webKey)) {
+            // Return login page for HTML requests, 401 for API
+            if (req.headers.accept?.includes('text/html')) {
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(getLoginPageHtml());
+                return;
+            }
+            res.writeHead(401, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Unauthorized' }));
+            return;
+        }
+    }
+    // When CODEV_WEB_KEY is NOT set: no auth required (local dev mode only)
     // CORS headers
     const origin = req.headers.origin;
-    if (insecureRemoteMode) {
-        // Allow any origin in insecure remote mode
+    if (insecureRemoteMode || webKey) {
+        // Allow any origin in insecure remote mode or when using auth (tunnel access)
         res.setHeader('Access-Control-Allow-Origin', origin || '*');
     }
     else if (origin && (origin.startsWith('http://localhost:') || origin.startsWith('http://127.0.0.1:'))) {
         res.setHeader('Access-Control-Allow-Origin', origin);
     }
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
     // Prevent caching of API responses
     res.setHeader('Cache-Control', 'no-store');
     if (req.method === 'OPTIONS') {
@@ -916,6 +1137,12 @@ const server = http.createServer(async (req, res) => {
     }
     const url = new URL(req.url || '/', `http://localhost:${port}`);
     try {
+        // Spec 0085: node-pty terminal manager REST API routes
+        if (terminalManager && url.pathname.startsWith('/api/terminals')) {
+            if (terminalManager.handleRequest(req, res)) {
+                return;
+            }
+        }
         // API: Get state
         if (req.method === 'GET' && url.pathname === '/api/state') {
             const state = loadStateWithCleanup();
@@ -1025,14 +1252,12 @@ const server = http.createServer(async (req, res) => {
             // Find available port for builder
             const builderPort = await findAvailablePort(CONFIG.builderPortStart, builderState);
             // Spawn worktree builder
-            const result = spawnWorktreeBuilder(builderPort, builderState);
+            const result = await spawnWorktreeBuilder(builderPort, builderState);
             if (!result) {
                 res.writeHead(500, { 'Content-Type': 'text/plain' });
                 res.end('Failed to spawn worktree builder');
                 return;
             }
-            // Wait for ttyd to be ready
-            await new Promise((resolve) => setTimeout(resolve, 500));
             // Save builder to state
             upsertBuilder(result.builder);
             res.writeHead(201, { 'Content-Type': 'application/json' });
@@ -1165,49 +1390,25 @@ const server = http.createServer(async (req, res) => {
             const shellCommand = command
                 ? `${shell} -c '${command.replace(/'/g, "'\\''")}; exec ${shell}'`
                 : shell;
-            // Retry loop for concurrent port allocation race conditions
-            const MAX_PORT_RETRIES = 5;
-            let utilPort = null;
-            let pid = null;
-            for (let attempt = 0; attempt < MAX_PORT_RETRIES; attempt++) {
-                // Get fresh state on each attempt to see newly allocated ports
-                const currentState = loadState();
-                const candidatePort = await findAvailablePort(CONFIG.utilPortStart, currentState);
-                // Start tmux session with ttyd attached (use cwd which may be worktree)
-                const spawnedPid = spawnTmuxWithTtyd(sessionName, shellCommand, candidatePort, cwd);
-                if (!spawnedPid) {
-                    res.writeHead(500, { 'Content-Type': 'text/plain' });
-                    res.end('Failed to start shell');
-                    return;
-                }
-                // Wait for ttyd to be ready
-                await new Promise((resolve) => setTimeout(resolve, 500));
-                // Try to add util record - may fail if port was taken by concurrent request
-                const util = {
-                    id,
-                    name: utilName,
-                    port: candidatePort,
-                    pid: spawnedPid,
-                    tmuxSession: sessionName,
-                    worktreePath: worktreePath, // Track for cleanup on tab close
-                };
-                if (tryAddUtil(util)) {
-                    // Success - port reserved
-                    utilPort = candidatePort;
-                    pid = spawnedPid;
-                    break;
-                }
-                // Port conflict - kill the spawned process and retry
-                console.log(`[info] Port ${candidatePort} conflict, retrying (attempt ${attempt + 1}/${MAX_PORT_RETRIES})`);
-                await killProcessGracefully(spawnedPid);
-            }
-            if (utilPort === null || pid === null) {
+            // Create PTY terminal session via node-pty
+            const terminalId = await createTerminalSession(shellCommand, cwd, `shell-${utilName}`);
+            if (!terminalId) {
                 res.writeHead(500, { 'Content-Type': 'text/plain' });
-                res.end('Failed to allocate port after multiple retries');
+                res.end('Failed to create terminal session');
                 return;
             }
+            const util = {
+                id,
+                name: utilName,
+                port: 0,
+                pid: 0,
+                tmuxSession: sessionName,
+                worktreePath: worktreePath,
+                terminalId,
+            };
+            addUtil(util);
             res.writeHead(201, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ success: true, id, port: utilPort, name: utilName }));
+            res.end(JSON.stringify({ success: true, id, port: 0, name: utilName, terminalId }));
             return;
         }
         // API: Check if tab process is running (Bugfix #132)
@@ -1228,7 +1429,14 @@ const server = http.createServer(async (req, res) => {
                 const util = tabUtils.find((u) => u.id === utilId);
                 if (util) {
                     found = true;
-                    running = isProcessRunning(util.pid);
+                    // Check tmux session status (Spec 0076)
+                    if (util.tmuxSession) {
+                        running = tmuxSessionExists(util.tmuxSession);
+                    }
+                    else {
+                        // Fallback for shells without tmux session (shouldn't happen in practice)
+                        running = isProcessRunning(util.pid);
+                    }
                 }
             }
             // Check if it's a builder tab
@@ -1237,7 +1445,14 @@ const server = http.createServer(async (req, res) => {
                 const builder = getBuilder(builderId);
                 if (builder) {
                     found = true;
-                    running = isProcessRunning(builder.pid);
+                    // Check tmux session status (Spec 0076)
+                    if (builder.tmuxSession) {
+                        running = tmuxSessionExists(builder.tmuxSession);
+                    }
+                    else {
+                        // Fallback for builders without tmux session (shouldn't happen in practice)
+                        running = isProcessRunning(builder.pid);
+                    }
                 }
             }
             if (found) {
@@ -1281,6 +1496,10 @@ const server = http.createServer(async (req, res) => {
                 const tabUtils = getUtils();
                 const util = tabUtils.find((u) => u.id === utilId);
                 if (util) {
+                    // Kill PTY session if present
+                    if (util.terminalId && terminalManager) {
+                        terminalManager.killSession(util.terminalId);
+                    }
                     await killProcessGracefully(util.pid, util.tmuxSession);
                     // Note: worktrees are NOT cleaned up on tab close - they may contain useful context
                     // Users can manually clean up with `git worktree list` and `git worktree remove`
@@ -1660,20 +1879,6 @@ const server = http.createServer(async (req, res) => {
             }
             return;
         }
-        // API: Get daily activity summary (Spec 0059)
-        if (req.method === 'GET' && url.pathname === '/api/activity-summary') {
-            try {
-                const activitySummary = await collectActivitySummary(projectRoot);
-                res.writeHead(200, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify(activitySummary));
-            }
-            catch (err) {
-                console.error('Activity summary error:', err);
-                res.writeHead(500, { 'Content-Type': 'application/json' });
-                res.end(JSON.stringify({ error: err.message }));
-            }
-            return;
-        }
         // API: Hot reload check (Spec 0060)
         // Returns modification times for all dashboard CSS/JS files
         if (req.method === 'GET' && url.pathname === '/api/hot-reload') {
@@ -1751,7 +1956,7 @@ const server = http.createServer(async (req, res) => {
             return;
         }
         // Terminal proxy route (Spec 0062 - Secure Remote Access)
-        // Routes /terminal/:id to the appropriate ttyd instance
+        // Routes /terminal/:id to the appropriate terminal instance
         const terminalMatch = url.pathname.match(/^\/terminal\/([^/]+)(\/.*)?$/);
         if (terminalMatch) {
             const terminalId = terminalMatch[1];
@@ -1784,8 +1989,49 @@ const server = http.createServer(async (req, res) => {
             terminalProxy.web(req, res, { target: `http://localhost:${annotation.port}` });
             return;
         }
-        // Serve dashboard
-        if (req.method === 'GET' && (url.pathname === '/' || url.pathname === '/index.html')) {
+        // Serve dashboard (Spec 0085: React or legacy based on config)
+        if (useReactDashboard && req.method === 'GET') {
+            // Serve React dashboard static files
+            const filePath = url.pathname === '/' || url.pathname === '/index.html'
+                ? path.join(reactDashboardPath, 'index.html')
+                : path.join(reactDashboardPath, url.pathname);
+            // Security: Prevent path traversal
+            const resolved = path.resolve(filePath);
+            if (!resolved.startsWith(reactDashboardPath)) {
+                res.writeHead(403, { 'Content-Type': 'text/plain' });
+                res.end('Forbidden');
+                return;
+            }
+            if (fs.existsSync(resolved) && fs.statSync(resolved).isFile()) {
+                const ext = path.extname(resolved);
+                const mimeTypes = {
+                    '.html': 'text/html; charset=utf-8',
+                    '.js': 'application/javascript',
+                    '.css': 'text/css',
+                    '.json': 'application/json',
+                    '.svg': 'image/svg+xml',
+                    '.png': 'image/png',
+                    '.ico': 'image/x-icon',
+                    '.map': 'application/json',
+                };
+                const contentType = mimeTypes[ext] ?? 'application/octet-stream';
+                // Cache static assets (hashed filenames) but not index.html
+                if (ext !== '.html') {
+                    res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+                }
+                res.writeHead(200, { 'Content-Type': contentType });
+                fs.createReadStream(resolved).pipe(res);
+                return;
+            }
+            // SPA fallback: serve index.html for client-side routing
+            if (!url.pathname.startsWith('/api/') && !url.pathname.startsWith('/ws/') && !url.pathname.startsWith('/terminal/') && !url.pathname.startsWith('/annotation/')) {
+                res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+                fs.createReadStream(path.join(reactDashboardPath, 'index.html')).pipe(res);
+                return;
+            }
+        }
+        if (!useReactDashboard && req.method === 'GET' && (url.pathname === '/' || url.pathname === '/index.html')) {
+            // Legacy vanilla JS dashboard
             try {
                 let template = fs.readFileSync(templatePath, 'utf-8');
                 const state = loadStateWithCleanup();
@@ -1814,15 +2060,37 @@ const server = http.createServer(async (req, res) => {
         res.end('Internal server error: ' + err.message);
     }
 });
+// Spec 0085: Attach node-pty WebSocket handler for /ws/terminal/:id routes
+if (terminalManager) {
+    terminalManager.attachWebSocket(server);
+}
 // WebSocket upgrade handler for terminal proxy (Spec 0062)
-// ttyd uses WebSocket for bidirectional terminal communication
+// WebSocket for bidirectional terminal communication
 server.on('upgrade', (req, socket, head) => {
-    // Security check
+    // Security check for non-auth mode
     const host = req.headers.host;
-    if (!insecureRemoteMode && host && !host.startsWith('localhost') && !host.startsWith('127.0.0.1')) {
+    if (!insecureRemoteMode && !process.env.CODEV_WEB_KEY && host && !host.startsWith('localhost') && !host.startsWith('127.0.0.1')) {
         socket.destroy();
         return;
     }
+    // CRITICAL: When CODEV_WEB_KEY is set, ALL WebSocket upgrades require auth
+    // NO localhost bypass - tunnel daemons run locally, so remoteAddress is unreliable
+    const webKey = process.env.CODEV_WEB_KEY;
+    if (webKey && !insecureRemoteMode) {
+        // Check Sec-WebSocket-Protocol for auth token
+        // Format: "auth-<token>, tty" or just "tty"
+        const protocols = req.headers['sec-websocket-protocol']?.split(',').map((p) => p.trim()) || [];
+        const authProtocol = protocols.find((p) => p.startsWith('auth-'));
+        const token = authProtocol?.substring(5); // Remove 'auth-' prefix
+        if (!isValidToken(token, webKey)) {
+            socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+            socket.destroy();
+            return;
+        }
+        // Remove auth protocol from the list before forwarding
+        const cleanProtocols = protocols.filter((p) => !p.startsWith('auth-'));
+        req.headers['sec-websocket-protocol'] = cleanProtocols.join(', ') || 'tty';
+    }
     const reqUrl = new URL(req.url || '/', `http://localhost:${port}`);
     const terminalMatch = reqUrl.pathname.match(/^\/terminal\/([^/]+)(\/.*)?$/);
     if (terminalMatch) {
@@ -1869,4 +2137,17 @@ else {
         console.log(`Dashboard: http://localhost:${port}`);
     });
 }
+// Spec 0085: Graceful shutdown for node-pty terminal manager
+process.on('SIGTERM', () => {
+    if (terminalManager) {
+        terminalManager.shutdown();
+    }
+    process.exit(0);
+});
+process.on('SIGINT', () => {
+    if (terminalManager) {
+        terminalManager.shutdown();
+    }
+    process.exit(0);
+});
 //# sourceMappingURL=dashboard-server.js.map