@femtomc/mu-server 26.2.75 → 26.2.76

package/README.md

@@ -2,7 +2,7 @@
 
 HTTP API server for mu control-plane infrastructure. Powers `mu serve`, messaging frontend transport routes, and control-plane/session coordination endpoints.
 
-> Scope note: server-routed business query/mutation gateway endpoints have been removed. Business reads/writes are CLI-first, while long-lived runtime coordination (runs/activities/heartbeats/cron) stays server-owned.
+> Scope note: server-routed business query/mutation gateway endpoints have been removed. Business reads/writes are CLI-first, while long-lived runtime coordination (runs/heartbeats/cron) stays server-owned.
 
 ## Installation
 
@@ -37,7 +37,7 @@ Bun.serve(server);
 
 ### Status
 
-- `GET /api/status` - Returns repository + control-plane runtime status
+- `GET /api/control-plane/status` - Returns repository + control-plane runtime status
   ```json
   {
     "repo_root": "/path/to/repo",
@@ -76,8 +76,8 @@ Bun.serve(server);
 
 ### Config + Control Plane Admin
 
-- `GET /api/config` - Read redacted `.mu/config.json` plus presence booleans
-- `POST /api/config` - Apply a partial patch to `.mu/config.json`
+- `GET /api/control-plane/config` - Read redacted `.mu/config.json` plus presence booleans
+- `POST /api/control-plane/config` - Apply a partial patch to `.mu/config.json`
   - Body:
   ```json
   {
@@ -85,6 +85,10 @@ Bun.serve(server);
       "control_plane": {
         "adapters": {
           "slack": { "signing_secret": "..." }
+        },
+        "memory_index": {
+          "enabled": true,
+          "every_ms": 300000
         }
       }
     }
@@ -101,26 +105,10 @@ Bun.serve(server);
 - `POST /api/control-plane/rollback` - Explicit rollback trigger (same pipeline, reason=`rollback`)
 - `GET /api/control-plane/channels` - Capability/discovery snapshot for mounted adapter channels (route, verification contract, configured/active/frontend flags)
 
-### Session Flash Inbox (cross-session context handoff)
+### Session Turn Injection (control-plane)
 
-- `POST /api/session-flash` - Create a session-targeted flash message
-  ```json
-  {
-    "session_id": "operator-abc123",
-    "session_kind": "cp_operator",
-    "body": "Use context id ctx-123 for this question",
-    "context_ids": ["ctx-123"],
-    "source": "neovim"
-  }
-  ```
-- `GET /api/session-flash` - List flash messages
-  - Query params: `session_id`, `session_kind`, `status=pending|delivered|all`, `contains`, `limit`
-- `GET /api/session-flash/:flash_id` - Get one flash message by id
-- `POST /api/session-flash/ack` - Mark a flash message delivered/acknowledged
-
-### Session Turn Injection (canonical transcript turn)
-
-- `POST /api/session-turn` - Run a real turn in an existing target session and return reply + new context cursor
+- `POST /api/control-plane/turn` - Run a real turn in an existing target session and return reply + new context cursor
+  - Requires Neovim frontend shared-secret header (`x-mu-neovim-secret`)
   ```json
   {
     "session_id": "operator-abc123",
@@ -135,24 +123,25 @@ Bun.serve(server);
 ### Control-plane Coordination Endpoints
 
 - Runs:
-  - `GET /api/runs`
-  - `POST /api/runs/start`
-  - `POST /api/runs/resume`
-  - `POST /api/runs/interrupt`
-  - `GET /api/runs/:id`
-  - `GET /api/runs/:id/trace`
+  - `GET /api/control-plane/runs`
+  - `POST /api/control-plane/runs/start`
+  - `POST /api/control-plane/runs/resume`
+  - `POST /api/control-plane/runs/interrupt`
+  - `GET /api/control-plane/runs/:id`
+  - `GET /api/control-plane/runs/:id/trace`
 - Scheduling + orchestration:
   - `GET|POST|PATCH|DELETE /api/heartbeats...`
   - `GET|POST|PATCH|DELETE /api/cron...`
-  - `GET|POST /api/activities...`
+  - Heartbeat programs support an optional free-form `prompt` field; when present it becomes the primary wake instruction sent to the operator turn path.
   - Heartbeat/cron ticks dispatch operator wake turns and broadcast the resulting operator reply.
+  - Built-in memory-index maintenance runs on the server heartbeat scheduler (config: `control_plane.memory_index`).
 - Identity bindings:
-  - `GET /api/identities`
-  - `POST /api/identities/link`
-  - `POST /api/identities/unlink`
+  - `GET /api/control-plane/identities`
+  - `POST /api/control-plane/identities/link`
+  - `POST /api/control-plane/identities/unlink`
 - Observability:
-  - `GET /api/events`
-  - `GET /api/events/tail`
+  - `GET /api/control-plane/events`
+  - `GET /api/control-plane/events/tail`
 
 ## Running the Server
 

package/dist/api/control_plane.js

@@ -1,4 +1,9 @@
 import { CONTROL_PLANE_CHANNEL_ADAPTER_SPECS } from "@femtomc/mu-control-plane";
+import { configRoutes } from "./config.js";
+import { eventRoutes } from "./events.js";
+import { identityRoutes } from "./identities.js";
+import { runRoutes } from "./runs.js";
+import { sessionTurnRoutes } from "./session_turn.js";
 function asRecord(value) {
     if (!value || typeof value !== "object" || Array.isArray(value)) {
         return null;
@@ -32,6 +37,30 @@ function configuredForChannel(config, channel) {
 }
 export async function controlPlaneRoutes(request, url, deps, headers) {
     const path = url.pathname;
+    if (path === "/api/control-plane" || path === "/api/control-plane/status") {
+        if (request.method !== "GET") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        return Response.json({
+            repo_root: deps.context.repoRoot,
+            control_plane: deps.getControlPlaneStatus(),
+        }, { headers });
+    }
+    if (path === "/api/control-plane/config") {
+        return configRoutes(request, url, deps, headers);
+    }
+    if (path === "/api/control-plane/identities" ||
+        path === "/api/control-plane/identities/link" ||
+        path === "/api/control-plane/identities/unlink") {
+        return identityRoutes(request, url, deps, headers);
+    }
+    if (path.startsWith("/api/control-plane/events")) {
+        const response = await eventRoutes(request, deps.context);
+        headers.forEach((value, key) => {
+            response.headers.set(key, value);
+        });
+        return response;
+    }
     if (path === "/api/control-plane/reload") {
         if (request.method !== "POST") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
@@ -80,5 +109,11 @@ export async function controlPlaneRoutes(request, url, deps, headers) {
             channels,
         }, { headers });
     }
+    if (path === "/api/control-plane/runs" || path.startsWith("/api/control-plane/runs/")) {
+        return runRoutes(request, url, deps, headers);
+    }
+    if (path === "/api/control-plane/turn") {
+        return sessionTurnRoutes(request, url, deps, headers);
+    }
     return Response.json({ error: "Not Found" }, { status: 404, headers });
 }

package/dist/api/events.js

@@ -64,7 +64,11 @@ function parseSinceMs(value) {
 }
 export async function eventRoutes(request, context) {
     const url = new URL(request.url);
-    const path = url.pathname.replace("/api/events", "") || "/";
+    const pathname = url.pathname;
+    if (!pathname.startsWith("/api/control-plane/events")) {
+        return new Response("Not Found", { status: 404 });
+    }
+    const path = pathname.slice("/api/control-plane/events".length) || "/";
     const method = request.method;
     if (method !== "GET") {
         return new Response("Method Not Allowed", { status: 405 });
@@ -79,13 +83,13 @@ export async function eventRoutes(request, context) {
             sinceMs: parseSinceMs(url.searchParams.get("since")),
             contains: trimOrNull(url.searchParams.get("contains")),
         };
-        // Tail - GET /api/events/tail?n=50
+        // Tail - GET /api/control-plane/events/tail?n=50
         if (path === "/tail") {
             const n = Math.min(Math.max(1, parseInt(url.searchParams.get("n") ?? "50", 10) || 50), 500);
             const filtered = applyEventFilters(allEvents, filters);
             return Response.json(filtered.slice(-n));
         }
-        // Query - GET /api/events?type=...&source=...&issue_id=...&run_id=...&since=...&contains=...&limit=50
+        // Query - GET /api/control-plane/events?type=...&source=...&issue_id=...&run_id=...&since=...&contains=...&limit=50
         if (path === "/") {
             const limit = Math.min(Math.max(1, parseInt(url.searchParams.get("limit") ?? "50", 10) || 50), 500);
             const filtered = applyEventFilters(allEvents, filters);

package/dist/api/heartbeats.js

@@ -26,6 +26,10 @@ export async function heartbeatRoutes(request, url, deps, headers) {
         if (!title) {
             return Response.json({ error: "title is required" }, { status: 400, headers });
         }
+        if ("prompt" in body && typeof body.prompt !== "string" && body.prompt !== null) {
+            return Response.json({ error: "prompt must be string or null" }, { status: 400, headers });
+        }
+        const prompt = typeof body.prompt === "string" ? body.prompt : body.prompt === null ? null : undefined;
         const everyMs = typeof body.every_ms === "number" && Number.isFinite(body.every_ms)
             ? Math.max(0, Math.trunc(body.every_ms))
             : undefined;
@@ -34,6 +38,7 @@ export async function heartbeatRoutes(request, url, deps, headers) {
         try {
             const program = await deps.heartbeatPrograms.create({
                 title,
+                prompt,
                 everyMs,
                 reason,
                 enabled,
@@ -63,7 +68,7 @@ export async function heartbeatRoutes(request, url, deps, headers) {
             return Response.json({ error: "program_id is required" }, { status: 400, headers });
         }
         try {
-            const result = await deps.heartbeatPrograms.update({
+            const updateOpts = {
                 programId,
                 title: typeof body.title === "string" ? body.title : undefined,
                 everyMs: typeof body.every_ms === "number" && Number.isFinite(body.every_ms)
@@ -74,7 +79,19 @@ export async function heartbeatRoutes(request, url, deps, headers) {
                 metadata: body.metadata && typeof body.metadata === "object" && !Array.isArray(body.metadata)
                     ? body.metadata
                     : undefined,
-            });
+            };
+            if ("prompt" in body) {
+                if (typeof body.prompt === "string") {
+                    updateOpts.prompt = body.prompt;
+                }
+                else if (body.prompt === null) {
+                    updateOpts.prompt = null;
+                }
+                else {
+                    return Response.json({ error: "prompt must be string or null" }, { status: 400, headers });
+                }
+            }
+            const result = await deps.heartbeatPrograms.update(updateOpts);
             if (result.ok) {
                 return Response.json(result, { headers });
             }

package/dist/api/identities.js

@@ -4,7 +4,7 @@ export async function identityRoutes(request, url, deps, headers) {
     const cpPaths = getControlPlanePaths(deps.context.repoRoot);
     const identityStore = new IdentityStore(cpPaths.identitiesPath);
     await identityStore.load();
-    if (path === "/api/identities") {
+    if (path === "/api/control-plane/identities") {
         if (request.method !== "GET") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }
@@ -12,7 +12,7 @@ export async function identityRoutes(request, url, deps, headers) {
         const bindings = identityStore.listBindings({ includeInactive });
         return Response.json({ count: bindings.length, bindings }, { headers });
     }
-    if (path === "/api/identities/link") {
+    if (path === "/api/control-plane/identities/link") {
         if (request.method !== "POST") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }
@@ -64,7 +64,7 @@ export async function identityRoutes(request, url, deps, headers) {
                 return Response.json({ ok: false, kind: "principal_already_linked", binding: decision.binding }, { status: 409, headers });
         }
     }
-    if (path === "/api/identities/unlink") {
+    if (path === "/api/control-plane/identities/unlink") {
         if (request.method !== "POST") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }

package/dist/api/runs.js

@@ -1,6 +1,6 @@
 export async function runRoutes(request, url, deps, headers) {
     const path = url.pathname;
-    if (path === "/api/runs") {
+    if (path === "/api/control-plane/runs") {
         if (request.method !== "GET") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }
@@ -10,7 +10,7 @@ export async function runRoutes(request, url, deps, headers) {
         const runs = await deps.controlPlaneProxy.listRuns?.({ status, limit });
         return Response.json({ count: runs?.length ?? 0, runs: runs ?? [] }, { headers });
     }
-    if (path === "/api/runs/start") {
+    if (path === "/api/control-plane/runs/start") {
         if (request.method !== "POST") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }
@@ -39,7 +39,7 @@ export async function runRoutes(request, url, deps, headers) {
             return Response.json({ error: deps.describeError(err) }, { status: 500, headers });
         }
     }
-    if (path === "/api/runs/resume") {
+    if (path === "/api/control-plane/runs/resume") {
         if (request.method !== "POST") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }
@@ -68,7 +68,7 @@ export async function runRoutes(request, url, deps, headers) {
             return Response.json({ error: deps.describeError(err) }, { status: 500, headers });
         }
     }
-    if (path === "/api/runs/interrupt") {
+    if (path === "/api/control-plane/runs/interrupt") {
         if (request.method !== "POST") {
             return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
         }
@@ -90,8 +90,8 @@ export async function runRoutes(request, url, deps, headers) {
         }
         return Response.json(result, { status: result.ok ? 200 : 404, headers });
     }
-    if (path.startsWith("/api/runs/")) {
-        const rest = path.slice("/api/runs/".length);
+    if (path.startsWith("/api/control-plane/runs/")) {
+        const rest = path.slice("/api/control-plane/runs/".length);
         const [rawId, maybeSub] = rest.split("/");
         const idOrRoot = decodeURIComponent(rawId ?? "").trim();
         if (idOrRoot.length === 0) {

package/dist/api/session_turn.d.ts

@@ -1,38 +1,2 @@
-import { type CreateMuSessionOpts, type MuSession } from "@femtomc/mu-agent";
 import type { ServerRoutingDependencies } from "../server_routing.js";
-export type SessionTurnRequest = {
-    session_id: string;
-    session_kind: string | null;
-    body: string;
-    source: string | null;
-    provider: string | null;
-    model: string | null;
-    thinking: string | null;
-    session_file: string | null;
-    session_dir: string | null;
-    extension_profile: string | null;
-};
-export type SessionTurnResult = {
-    session_id: string;
-    session_kind: string | null;
-    session_file: string;
-    context_entry_id: string | null;
-    reply: string;
-    source: string | null;
-    completed_at_ms: number;
-};
-export declare class SessionTurnError extends Error {
-    readonly status: number;
-    constructor(status: number, message: string);
-}
-export declare function parseSessionTurnRequest(body: Record<string, unknown>): {
-    request: SessionTurnRequest | null;
-    error: string | null;
-};
-export declare function executeSessionTurn(opts: {
-    repoRoot: string;
-    request: SessionTurnRequest;
-    sessionFactory?: (opts: CreateMuSessionOpts) => Promise<MuSession>;
-    nowMs?: () => number;
-}): Promise<SessionTurnResult>;
 export declare function sessionTurnRoutes(request: Request, url: URL, deps: ServerRoutingDependencies, headers: Headers): Promise<Response>;