@hasna/todos 0.11.40 → 0.11.41

package/dist/server/index.js

@@ -846,6 +846,141 @@ var init_migrations = __esm(() => {
   CREATE INDEX IF NOT EXISTS idx_api_keys_prefix ON api_keys(prefix);
   CREATE INDEX IF NOT EXISTS idx_api_keys_active ON api_keys(revoked_at, expires_at);
   INSERT OR IGNORE INTO _migrations (id) VALUES (50);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS task_git_refs (
+    id TEXT PRIMARY KEY,
+    task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+    ref_type TEXT NOT NULL CHECK(ref_type IN ('branch', 'pull_request')),
+    name TEXT NOT NULL,
+    url TEXT,
+    provider TEXT,
+    metadata TEXT DEFAULT '{}',
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at TEXT NOT NULL DEFAULT (datetime('now')),
+    UNIQUE(task_id, ref_type, name)
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_git_refs_task ON task_git_refs(task_id);
+  CREATE INDEX IF NOT EXISTS idx_task_git_refs_lookup ON task_git_refs(ref_type, name);
+  CREATE INDEX IF NOT EXISTS idx_task_git_refs_url ON task_git_refs(url);
+
+  CREATE TABLE IF NOT EXISTS task_verifications (
+    id TEXT PRIMARY KEY,
+    task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+    command TEXT NOT NULL,
+    status TEXT NOT NULL DEFAULT 'unknown' CHECK(status IN ('passed', 'failed', 'unknown')),
+    output_summary TEXT,
+    artifact_path TEXT,
+    agent_id TEXT,
+    run_at TEXT NOT NULL DEFAULT (datetime('now')),
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_verifications_task ON task_verifications(task_id);
+  CREATE INDEX IF NOT EXISTS idx_task_verifications_status ON task_verifications(status);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (51);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS task_runs (
+    id TEXT PRIMARY KEY,
+    task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+    agent_id TEXT,
+    title TEXT,
+    status TEXT NOT NULL DEFAULT 'running' CHECK(status IN ('running', 'completed', 'failed', 'cancelled')),
+    summary TEXT,
+    metadata TEXT DEFAULT '{}',
+    started_at TEXT NOT NULL DEFAULT (datetime('now')),
+    completed_at TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_runs_task ON task_runs(task_id);
+  CREATE INDEX IF NOT EXISTS idx_task_runs_agent ON task_runs(agent_id);
+  CREATE INDEX IF NOT EXISTS idx_task_runs_status ON task_runs(status);
+  CREATE INDEX IF NOT EXISTS idx_task_runs_started ON task_runs(started_at);
+
+  CREATE TABLE IF NOT EXISTS task_run_events (
+    id TEXT PRIMARY KEY,
+    run_id TEXT NOT NULL REFERENCES task_runs(id) ON DELETE CASCADE,
+    task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+    event_type TEXT NOT NULL CHECK(event_type IN ('started', 'progress', 'claim', 'comment', 'command', 'file', 'artifact', 'completed', 'failed', 'cancelled')),
+    message TEXT,
+    data TEXT DEFAULT '{}',
+    agent_id TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_run_events_run ON task_run_events(run_id);
+  CREATE INDEX IF NOT EXISTS idx_task_run_events_task ON task_run_events(task_id);
+  CREATE INDEX IF NOT EXISTS idx_task_run_events_type ON task_run_events(event_type);
+
+  CREATE TABLE IF NOT EXISTS task_run_commands (
+    id TEXT PRIMARY KEY,
+    run_id TEXT NOT NULL REFERENCES task_runs(id) ON DELETE CASCADE,
+    task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+    command TEXT NOT NULL,
+    status TEXT NOT NULL DEFAULT 'unknown' CHECK(status IN ('passed', 'failed', 'unknown')),
+    exit_code INTEGER,
+    output_summary TEXT,
+    artifact_path TEXT,
+    agent_id TEXT,
+    started_at TEXT,
+    completed_at TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_run_commands_run ON task_run_commands(run_id);
+  CREATE INDEX IF NOT EXISTS idx_task_run_commands_task ON task_run_commands(task_id);
+  CREATE INDEX IF NOT EXISTS idx_task_run_commands_status ON task_run_commands(status);
+
+  CREATE TABLE IF NOT EXISTS task_run_artifacts (
+    id TEXT PRIMARY KEY,
+    run_id TEXT NOT NULL REFERENCES task_runs(id) ON DELETE CASCADE,
+    task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+    path TEXT NOT NULL,
+    artifact_type TEXT,
+    description TEXT,
+    size_bytes INTEGER,
+    sha256 TEXT,
+    metadata TEXT DEFAULT '{}',
+    agent_id TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_run_artifacts_run ON task_run_artifacts(run_id);
+  CREATE INDEX IF NOT EXISTS idx_task_run_artifacts_task ON task_run_artifacts(task_id);
+  CREATE INDEX IF NOT EXISTS idx_task_run_artifacts_path ON task_run_artifacts(path);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (52);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS inbox_items (
+    id TEXT PRIMARY KEY,
+    task_id TEXT REFERENCES tasks(id) ON DELETE SET NULL,
+    source_type TEXT NOT NULL CHECK(source_type IN ('pasted_error', 'ci_log', 'git_context', 'github_issue', 'file', 'other')),
+    source_name TEXT,
+    source_url TEXT,
+    title TEXT NOT NULL,
+    body TEXT,
+    fingerprint TEXT NOT NULL UNIQUE,
+    status TEXT NOT NULL DEFAULT 'triaged' CHECK(status IN ('new', 'triaged', 'ignored')),
+    metadata TEXT DEFAULT '{}',
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_inbox_items_task ON inbox_items(task_id);
+  CREATE INDEX IF NOT EXISTS idx_inbox_items_source ON inbox_items(source_type, source_name);
+  CREATE INDEX IF NOT EXISTS idx_inbox_items_status ON inbox_items(status);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (53);
+  `,
+    `
+  ALTER TABLE handoffs ADD COLUMN session_id TEXT;
+  ALTER TABLE handoffs ADD COLUMN task_ids TEXT;
+  ALTER TABLE handoffs ADD COLUMN relevant_files TEXT;
+  ALTER TABLE handoffs ADD COLUMN run_ids TEXT;
+  CREATE TABLE IF NOT EXISTS handoff_acknowledgements (
+    handoff_id TEXT NOT NULL REFERENCES handoffs(id) ON DELETE CASCADE,
+    agent_id TEXT NOT NULL,
+    acknowledged_at TEXT NOT NULL DEFAULT (datetime('now')),
+    PRIMARY KEY (handoff_id, agent_id)
+  );
+  CREATE INDEX IF NOT EXISTS idx_handoff_acks_agent ON handoff_acknowledgements(agent_id, acknowledged_at);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (54);
   `
   ];
 });
@@ -930,6 +1065,17 @@ function ensureSchema(db) {
       task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
       tag TEXT NOT NULL, PRIMARY KEY (task_id, tag)
     )`);
+  ensureTable("task_dependencies", `
+    CREATE TABLE task_dependencies (
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      depends_on TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      external_project_id TEXT,
+      external_task_id TEXT,
+      PRIMARY KEY (task_id, depends_on),
+      CHECK (task_id != depends_on)
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_dependencies_task ON task_dependencies(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_dependencies_depends_on ON task_dependencies(depends_on)");
   ensureTable("task_history", `
     CREATE TABLE task_history (
       id TEXT PRIMARY KEY, task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
@@ -987,6 +1133,30 @@ function ensureSchema(db) {
       created_at TEXT NOT NULL DEFAULT (datetime('now')),
       updated_at TEXT NOT NULL DEFAULT (datetime('now'))
     )`);
+  ensureTable("handoffs", `
+    CREATE TABLE handoffs (
+      id TEXT PRIMARY KEY,
+      agent_id TEXT,
+      project_id TEXT REFERENCES projects(id) ON DELETE SET NULL,
+      session_id TEXT,
+      summary TEXT NOT NULL,
+      completed TEXT,
+      in_progress TEXT,
+      blockers TEXT,
+      next_steps TEXT,
+      task_ids TEXT,
+      relevant_files TEXT,
+      run_ids TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureTable("handoff_acknowledgements", `
+    CREATE TABLE handoff_acknowledgements (
+      handoff_id TEXT NOT NULL REFERENCES handoffs(id) ON DELETE CASCADE,
+      agent_id TEXT NOT NULL,
+      acknowledged_at TEXT NOT NULL DEFAULT (datetime('now')),
+      PRIMARY KEY (handoff_id, agent_id)
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_handoff_acks_agent ON handoff_acknowledgements(agent_id, acknowledged_at)");
   ensureTable("task_relationships", `
     CREATE TABLE task_relationships (
       id TEXT PRIMARY KEY,
@@ -998,6 +1168,121 @@ function ensureSchema(db) {
       created_at TEXT NOT NULL DEFAULT (datetime('now')),
       CHECK (source_task_id != target_task_id)
     )`);
+  ensureTable("task_git_refs", `
+    CREATE TABLE task_git_refs (
+      id TEXT PRIMARY KEY,
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      ref_type TEXT NOT NULL CHECK(ref_type IN ('branch', 'pull_request')),
+      name TEXT NOT NULL,
+      url TEXT,
+      provider TEXT,
+      metadata TEXT DEFAULT '{}',
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at TEXT NOT NULL DEFAULT (datetime('now')),
+      UNIQUE(task_id, ref_type, name)
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_git_refs_task ON task_git_refs(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_git_refs_lookup ON task_git_refs(ref_type, name)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_git_refs_url ON task_git_refs(url)");
+  ensureTable("task_verifications", `
+    CREATE TABLE task_verifications (
+      id TEXT PRIMARY KEY,
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      command TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'unknown' CHECK(status IN ('passed', 'failed', 'unknown')),
+      output_summary TEXT,
+      artifact_path TEXT,
+      agent_id TEXT,
+      run_at TEXT NOT NULL DEFAULT (datetime('now')),
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_verifications_task ON task_verifications(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_verifications_status ON task_verifications(status)");
+  ensureTable("task_runs", `
+    CREATE TABLE task_runs (
+      id TEXT PRIMARY KEY,
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      agent_id TEXT,
+      title TEXT,
+      status TEXT NOT NULL DEFAULT 'running' CHECK(status IN ('running', 'completed', 'failed', 'cancelled')),
+      summary TEXT,
+      metadata TEXT DEFAULT '{}',
+      started_at TEXT NOT NULL DEFAULT (datetime('now')),
+      completed_at TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_runs_task ON task_runs(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_runs_agent ON task_runs(agent_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_runs_status ON task_runs(status)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_runs_started ON task_runs(started_at)");
+  ensureTable("task_run_events", `
+    CREATE TABLE task_run_events (
+      id TEXT PRIMARY KEY,
+      run_id TEXT NOT NULL REFERENCES task_runs(id) ON DELETE CASCADE,
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      event_type TEXT NOT NULL CHECK(event_type IN ('started', 'progress', 'claim', 'comment', 'command', 'file', 'artifact', 'completed', 'failed', 'cancelled')),
+      message TEXT,
+      data TEXT DEFAULT '{}',
+      agent_id TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_events_run ON task_run_events(run_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_events_task ON task_run_events(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_events_type ON task_run_events(event_type)");
+  ensureTable("task_run_commands", `
+    CREATE TABLE task_run_commands (
+      id TEXT PRIMARY KEY,
+      run_id TEXT NOT NULL REFERENCES task_runs(id) ON DELETE CASCADE,
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      command TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'unknown' CHECK(status IN ('passed', 'failed', 'unknown')),
+      exit_code INTEGER,
+      output_summary TEXT,
+      artifact_path TEXT,
+      agent_id TEXT,
+      started_at TEXT,
+      completed_at TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_commands_run ON task_run_commands(run_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_commands_task ON task_run_commands(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_commands_status ON task_run_commands(status)");
+  ensureTable("task_run_artifacts", `
+    CREATE TABLE task_run_artifacts (
+      id TEXT PRIMARY KEY,
+      run_id TEXT NOT NULL REFERENCES task_runs(id) ON DELETE CASCADE,
+      task_id TEXT NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      path TEXT NOT NULL,
+      artifact_type TEXT,
+      description TEXT,
+      size_bytes INTEGER,
+      sha256 TEXT,
+      metadata TEXT DEFAULT '{}',
+      agent_id TEXT,
+      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_artifacts_run ON task_run_artifacts(run_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_artifacts_task ON task_run_artifacts(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_task_run_artifacts_path ON task_run_artifacts(path)");
+  ensureTable("inbox_items", `
+    CREATE TABLE inbox_items (
+      id TEXT PRIMARY KEY,
+      task_id TEXT REFERENCES tasks(id) ON DELETE SET NULL,
+      source_type TEXT NOT NULL CHECK(source_type IN ('pasted_error', 'ci_log', 'git_context', 'github_issue', 'file', 'other')),
+      source_name TEXT,
+      source_url TEXT,
+      title TEXT NOT NULL,
+      body TEXT,
+      fingerprint TEXT NOT NULL UNIQUE,
+      status TEXT NOT NULL DEFAULT 'triaged' CHECK(status IN ('new', 'triaged', 'ignored')),
+      metadata TEXT DEFAULT '{}',
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_inbox_items_task ON inbox_items(task_id)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_inbox_items_source ON inbox_items(source_type, source_name)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_inbox_items_status ON inbox_items(status)");
   ensureTable("kg_edges", `
     CREATE TABLE kg_edges (
       id TEXT PRIMARY KEY,
@@ -1159,6 +1444,10 @@ function ensureSchema(db) {
   ensureColumn("orgs", "synced_at", "TEXT");
   ensureColumn("handoffs", "machine_id", "TEXT");
   ensureColumn("handoffs", "synced_at", "TEXT");
+  ensureColumn("handoffs", "session_id", "TEXT");
+  ensureColumn("handoffs", "task_ids", "TEXT");
+  ensureColumn("handoffs", "relevant_files", "TEXT");
+  ensureColumn("handoffs", "run_ids", "TEXT");
   ensureColumn("task_checklists", "machine_id", "TEXT");
   ensureColumn("project_sources", "machine_id", "TEXT");
   ensureColumn("project_sources", "synced_at", "TEXT");
@@ -1363,6 +1652,7 @@ __export(exports_database, {
   now: () => now,
   lockExpiryCutoff: () => lockExpiryCutoff,
   isLockExpired: () => isLockExpired,
+  getDatabasePath: () => getDatabasePath,
   getDatabase: () => getDatabase,
   closeDatabase: () => closeDatabase,
   clearExpiredLocks: () => clearExpiredLocks,
@@ -1424,6 +1714,9 @@ function getDbPath() {
   }
   return newPath;
 }
+function getDatabasePath() {
+  return getDbPath();
+}
 function ensureDir(filePath) {
   if (isInMemoryDb(filePath))
     return;
@@ -1461,12 +1754,12 @@ function now() {
 function uuid() {
   return crypto.randomUUID();
 }
-function isLockExpired(lockedAt) {
+function isLockExpired(lockedAt, nowMs = Date.now()) {
   if (!lockedAt)
     return true;
   const lockTime = new Date(lockedAt).getTime();
   const expiryMs = LOCK_EXPIRY_MINUTES * 60 * 1000;
-  return Date.now() - lockTime > expiryMs;
+  return nowMs - lockTime > expiryMs;
 }
 function lockExpiryCutoff(nowMs = Date.now()) {
   const expiryMs = LOCK_EXPIRY_MINUTES * 60 * 1000;
@@ -1516,6 +1809,498 @@ var init_database = __esm(() => {
   ALLOWED_TABLES = new Set(["tasks", "projects", "agents", "plans", "task_lists", "task_templates"]);
 });
 
+// src/lib/recurrence.ts
+function parseRecurrenceRule(rule) {
+  const normalized = rule.trim().toLowerCase();
+  if (normalized === "every weekday" || normalized === "every weekdays") {
+    return { type: "specific_days", days: [1, 2, 3, 4, 5] };
+  }
+  if (normalized === "every day" || normalized === "daily") {
+    return { type: "interval", interval: 1, unit: "day" };
+  }
+  if (normalized === "every week" || normalized === "weekly") {
+    return { type: "interval", interval: 1, unit: "week" };
+  }
+  if (normalized === "every month" || normalized === "monthly") {
+    return { type: "interval", interval: 1, unit: "month" };
+  }
+  const intervalMatch = normalized.match(/^every\s+(\d+)\s+(day|week|month)s?$/);
+  if (intervalMatch) {
+    return {
+      type: "interval",
+      interval: parseInt(intervalMatch[1], 10),
+      unit: intervalMatch[2]
+    };
+  }
+  const daysMatch = normalized.match(/^every\s+(.+)$/);
+  if (daysMatch) {
+    const dayParts = daysMatch[1].split(/[,\s]+/).map((d) => d.trim()).filter(Boolean);
+    const days = [];
+    for (const part of dayParts) {
+      const dayNum = DAY_NAMES[part];
+      if (dayNum !== undefined) {
+        days.push(dayNum);
+      }
+    }
+    if (days.length > 0) {
+      return { type: "specific_days", days: days.sort((a, b) => a - b) };
+    }
+  }
+  throw new Error(`Invalid recurrence rule: "${rule}". Supported formats: "every day", "every weekday", "every week", "every 2 weeks", "every month", "every N days/weeks/months", "every monday", "every mon,wed,fri"`);
+}
+function isValidRecurrenceRule(rule) {
+  try {
+    parseRecurrenceRule(rule);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function nextOccurrence(rule, from) {
+  const parsed = parseRecurrenceRule(rule);
+  const base = from || new Date;
+  if (parsed.type === "interval") {
+    const next = new Date(base);
+    if (parsed.unit === "day") {
+      next.setDate(next.getDate() + parsed.interval);
+    } else if (parsed.unit === "week") {
+      next.setDate(next.getDate() + parsed.interval * 7);
+    } else if (parsed.unit === "month") {
+      next.setMonth(next.getMonth() + parsed.interval);
+    }
+    return next.toISOString();
+  }
+  if (parsed.type === "specific_days") {
+    const currentDay = base.getDay();
+    const days = parsed.days;
+    let daysToAdd = Infinity;
+    for (const day of days) {
+      let diff = day - currentDay;
+      if (diff <= 0)
+        diff += 7;
+      if (diff < daysToAdd)
+        daysToAdd = diff;
+    }
+    const next = new Date(base);
+    next.setDate(next.getDate() + daysToAdd);
+    return next.toISOString();
+  }
+  throw new Error(`Cannot calculate next occurrence for rule: "${rule}"`);
+}
+var DAY_NAMES;
+var init_recurrence = __esm(() => {
+  DAY_NAMES = {
+    sunday: 0,
+    sun: 0,
+    monday: 1,
+    mon: 1,
+    tuesday: 2,
+    tue: 2,
+    wednesday: 3,
+    wed: 3,
+    thursday: 4,
+    thu: 4,
+    friday: 5,
+    fri: 5,
+    saturday: 6,
+    sat: 6
+  };
+});
+
+// src/lib/doctor.ts
+var exports_doctor = {};
+__export(exports_doctor, {
+  runTodosDoctor: () => runTodosDoctor
+});
+import { chmodSync, copyFileSync, existsSync as existsSync5, mkdirSync as mkdirSync4, statSync as statSync2 } from "fs";
+import { basename, dirname as dirname5, join as join4 } from "path";
+function tableExists(db, table) {
+  return Boolean(db.query("SELECT name FROM sqlite_master WHERE type='table' AND name=?").get(table));
+}
+function quoteIdent(identifier) {
+  return `"${identifier.replace(/"/g, '""')}"`;
+}
+function getTableColumns(db, table) {
+  try {
+    const rows = db.query(`PRAGMA table_info(${quoteIdent(table)})`).all();
+    return new Set(rows.map((row) => row.name));
+  } catch {
+    return new Set;
+  }
+}
+function countQuery(db, sql) {
+  try {
+    const row = db.query(sql).get();
+    return row?.count ?? 0;
+  } catch {
+    return 0;
+  }
+}
+function getMigrationLevel(db) {
+  try {
+    const row = db.query("SELECT MAX(id) as max_id FROM _migrations").get();
+    return row?.max_id ?? 0;
+  } catch {
+    return 0;
+  }
+}
+function addCheck(checks, check) {
+  checks.push(check);
+}
+function listUserTables(db) {
+  return db.query("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'").all().map((row) => row.name).sort();
+}
+function findCorruptJsonMetadata(db) {
+  const corrupt = [];
+  for (const table of listUserTables(db)) {
+    const columns = getTableColumns(db, table);
+    if (!columns.has("metadata"))
+      continue;
+    const rows = db.query(`SELECT rowid, metadata FROM ${quoteIdent(table)} WHERE metadata IS NOT NULL AND metadata != ''`).all();
+    for (const row of rows) {
+      try {
+        JSON.parse(row.metadata);
+      } catch {
+        corrupt.push({ table, column: "metadata", rowid: row.rowid });
+      }
+    }
+  }
+  return corrupt;
+}
+function getIndexColumns(db, indexName) {
+  return db.query(`PRAGMA index_info(${quoteIdent(indexName)})`).all().map((row) => row.name).filter(Boolean);
+}
+function findDuplicateIndexes(db) {
+  const duplicates = [];
+  for (const table of listUserTables(db)) {
+    const indexes = db.query(`PRAGMA index_list(${quoteIdent(table)})`).all();
+    const groups = new Map;
+    for (const index of indexes) {
+      if (index.origin === "pk" || index.name.startsWith("sqlite_autoindex"))
+        continue;
+      const columns = getIndexColumns(db, index.name);
+      if (columns.length === 0)
+        continue;
+      const key = `${index.unique}:${columns.join(",")}`;
+      const current = groups.get(key) ?? [];
+      current.push({ name: index.name, origin: index.origin, columns });
+      groups.set(key, current);
+    }
+    for (const group of groups.values()) {
+      if (group.length < 2)
+        continue;
+      const [kept, ...rest] = group;
+      for (const duplicate of rest) {
+        duplicates.push({ table, duplicate: duplicate.name, kept: kept.name, columns: duplicate.columns });
+      }
+    }
+  }
+  return duplicates;
+}
+function findMissingProjectRoots(db) {
+  if (!tableExists(db, "projects"))
+    return 0;
+  let missing = 0;
+  const rows = db.query("SELECT path FROM projects WHERE path IS NOT NULL AND path != ''").all();
+  for (const row of rows) {
+    if (/^[a-z]+:\/\//i.test(row.path))
+      continue;
+    if (!row.path.startsWith("/"))
+      continue;
+    if (!existsSync5(row.path))
+      missing++;
+  }
+  return missing;
+}
+function addTaskStateChecks(db, checks) {
+  if (!tableExists(db, "tasks"))
+    return;
+  const columns = getTableColumns(db, "tasks");
+  const staleCutoff = new Date(Date.now() - 30 * 60 * 1000).toISOString();
+  if (columns.has("updated_at") && columns.has("status")) {
+    const staleTasks = countQuery(db, `SELECT COUNT(*) as count FROM tasks WHERE status = 'in_progress' AND updated_at < '${staleCutoff}'`);
+    if (staleTasks > 0) {
+      addCheck(checks, {
+        severity: "warn",
+        type: "stale_tasks",
+        message: `${staleTasks} tasks stuck in_progress for more than 30 minutes`,
+        count: staleTasks,
+        repairable: false
+      });
+    }
+  }
+  if (columns.has("recurrence_rule") && columns.has("status")) {
+    const dueAtSelect = columns.has("due_at") ? "due_at" : "NULL as due_at";
+    const recurring = db.query(`SELECT recurrence_rule, ${dueAtSelect} FROM tasks WHERE status IN ('pending', 'in_progress') AND recurrence_rule IS NOT NULL AND recurrence_rule != ''`).all();
+    const invalidRecurrence = recurring.filter((task) => !isValidRecurrenceRule(task.recurrence_rule));
+    if (invalidRecurrence.length > 0) {
+      addCheck(checks, {
+        severity: "error",
+        type: "invalid_recurrence",
+        message: `${invalidRecurrence.length} tasks have invalid recurrence rules`,
+        count: invalidRecurrence.length,
+        repairable: false
+      });
+    }
+    const nowIso = new Date().toISOString();
+    const overdueRecurring = recurring.filter((task) => task.due_at !== null && task.due_at < nowIso);
+    if (overdueRecurring.length > 0) {
+      addCheck(checks, {
+        severity: "warn",
+        type: "overdue_recurring",
+        message: `${overdueRecurring.length} recurring tasks are past due`,
+        count: overdueRecurring.length,
+        repairable: false
+      });
+    }
+  }
+}
+function databasePermissionsAreUnsafe(dbPath) {
+  if (dbPath === ":memory:" || dbPath.startsWith("file::memory:"))
+    return false;
+  try {
+    return (statSync2(dbPath).mode & 63) !== 0;
+  } catch {
+    return false;
+  }
+}
+function createBackup(dbPath) {
+  if (dbPath === ":memory:" || dbPath.startsWith("file::memory:"))
+    return;
+  if (!existsSync5(dbPath))
+    return;
+  const stamp = now().replace(/[:.]/g, "-");
+  const backupDir = join4(dirname5(dbPath), `${basename(dbPath)}.backup-${stamp}`);
+  const files = [];
+  mkdirSync4(backupDir, { recursive: true });
+  for (const source of [dbPath, `${dbPath}-wal`, `${dbPath}-shm`]) {
+    if (!existsSync5(source))
+      continue;
+    const target = join4(backupDir, basename(source));
+    copyFileSync(source, target);
+    files.push(target);
+  }
+  return files.length > 0 ? { path: backupDir, files } : undefined;
+}
+function pushRepair(repairs, type, message, applied, count) {
+  repairs.push({ type, message, applied, count });
+}
+function summarize2(checks, repairs) {
+  return {
+    errors: checks.filter((check) => check.severity === "error").length,
+    warnings: checks.filter((check) => check.severity === "warn").length,
+    infos: checks.filter((check) => check.severity === "info").length,
+    repairable: checks.filter((check) => check.repairable).length,
+    applied: repairs.filter((repair) => repair.applied).length
+  };
+}
+function deleteOrphans(db, table, where) {
+  const before = countQuery(db, `SELECT COUNT(*) as count FROM ${table} WHERE ${where}`);
+  if (before > 0)
+    db.run(`DELETE FROM ${table} WHERE ${where}`);
+  return before;
+}
+function runTodosDoctor(options = {}) {
+  const db = options.db ?? getDatabase();
+  const dbPath = options.dbPath ?? getDatabasePath();
+  const apply = options.apply === true;
+  const checks = [];
+  const repairs = [];
+  const migrationCurrent = getMigrationLevel(db);
+  const migrationExpected = MIGRATIONS.length;
+  if (migrationCurrent < migrationExpected) {
+    addCheck(checks, {
+      severity: "error",
+      type: "migration_level",
+      message: `Migration level ${migrationCurrent}; expected ${migrationExpected}`,
+      repairable: true
+    });
+  } else {
+    addCheck(checks, {
+      severity: "info",
+      type: "migration_level",
+      message: `Schema at migration ${migrationCurrent}`
+    });
+  }
+  const missingTables = REQUIRED_TABLES.filter((table) => !tableExists(db, table));
+  if (missingTables.length > 0) {
+    addCheck(checks, {
+      severity: "error",
+      type: "missing_schema_tables",
+      message: `Missing schema tables: ${missingTables.join(", ")}`,
+      count: missingTables.length,
+      repairable: true
+    });
+  }
+  const orphanedParents = tableExists(db, "tasks") ? countQuery(db, "SELECT COUNT(*) as count FROM tasks t WHERE t.parent_id IS NOT NULL AND NOT EXISTS (SELECT 1 FROM tasks p WHERE p.id = t.parent_id)") : 0;
+  if (orphanedParents > 0) {
+    addCheck(checks, {
+      severity: "error",
+      type: "orphaned_task_parents",
+      message: `${orphanedParents} tasks reference missing parent tasks`,
+      count: orphanedParents,
+      repairable: true
+    });
+  }
+  const orphanedDependencies = tableExists(db, "task_dependencies") && tableExists(db, "tasks") ? countQuery(db, "SELECT COUNT(*) as count FROM task_dependencies d WHERE NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = d.task_id) OR NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = d.depends_on)") : 0;
+  if (orphanedDependencies > 0) {
+    addCheck(checks, {
+      severity: "error",
+      type: "orphaned_task_dependencies",
+      message: `${orphanedDependencies} dependency rows reference missing tasks`,
+      count: orphanedDependencies,
+      repairable: true
+    });
+  }
+  const orphanTables = [
+    ["task_comments", "NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_comments.task_id)"],
+    ["task_runs", "NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_runs.task_id)"],
+    ["task_run_events", "NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_run_events.task_id) OR NOT EXISTS (SELECT 1 FROM task_runs r WHERE r.id = task_run_events.run_id)"],
+    ["task_run_commands", "NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_run_commands.task_id) OR NOT EXISTS (SELECT 1 FROM task_runs r WHERE r.id = task_run_commands.run_id)"],
+    ["task_run_artifacts", "NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_run_artifacts.task_id) OR NOT EXISTS (SELECT 1 FROM task_runs r WHERE r.id = task_run_artifacts.run_id)"]
+  ];
+  let orphanedRows = 0;
+  for (const [table, where] of orphanTables) {
+    if (!tableExists(db, table))
+      continue;
+    orphanedRows += countQuery(db, `SELECT COUNT(*) as count FROM ${table} WHERE ${where}`);
+  }
+  if (orphanedRows > 0) {
+    addCheck(checks, {
+      severity: "error",
+      type: "orphaned_child_rows",
+      message: `${orphanedRows} child rows reference missing tasks or runs`,
+      count: orphanedRows,
+      repairable: true
+    });
+  }
+  addTaskStateChecks(db, checks);
+  const corruptJson = findCorruptJsonMetadata(db);
+  if (corruptJson.length > 0) {
+    addCheck(checks, {
+      severity: "error",
+      type: "corrupt_json_metadata",
+      message: `${corruptJson.length} metadata values are not valid JSON`,
+      count: corruptJson.length,
+      repairable: true
+    });
+  }
+  const duplicateIndexes = findDuplicateIndexes(db);
+  if (duplicateIndexes.length > 0) {
+    addCheck(checks, {
+      severity: "warn",
+      type: "duplicate_indexes",
+      message: `${duplicateIndexes.length} duplicate index definitions found`,
+      count: duplicateIndexes.length,
+      repairable: true
+    });
+  }
+  const missingProjectRoots = findMissingProjectRoots(db);
+  if (missingProjectRoots > 0) {
+    addCheck(checks, {
+      severity: "warn",
+      type: "missing_project_roots",
+      message: `${missingProjectRoots} project paths do not exist on this machine`,
+      count: missingProjectRoots,
+      repairable: false
+    });
+  }
+  const unsafePermissions = databasePermissionsAreUnsafe(dbPath);
+  addCheck(checks, unsafePermissions ? {
+    severity: "warn",
+    type: "database_permissions",
+    message: "Database file is readable or writable by group/others",
+    repairable: true
+  } : {
+    severity: "info",
+    type: "database_permissions",
+    message: "Database file permissions are private"
+  });
+  let backup;
+  const hasRepairableIssue = checks.some((check) => check.repairable && check.severity !== "info");
+  if (apply && hasRepairableIssue) {
+    backup = createBackup(dbPath);
+    if (backup)
+      pushRepair(repairs, "backup_created", `Created backup at ${backup.path}`, true, backup.files.length);
+    else
+      pushRepair(repairs, "backup_created", "Backup skipped for in-memory or missing database path", false, 0);
+    if (migrationCurrent < migrationExpected || missingTables.length > 0) {
+      runMigrations(db);
+      ensureSchema(db);
+      pushRepair(repairs, "schema_repair", "Ran migration and schema safety net", true);
+    }
+    if (orphanedParents > 0) {
+      db.run("UPDATE tasks SET parent_id = NULL WHERE parent_id IS NOT NULL AND NOT EXISTS (SELECT 1 FROM tasks p WHERE p.id = tasks.parent_id)");
+      pushRepair(repairs, "orphaned_task_parents", "Cleared missing parent references", true, orphanedParents);
+    }
+    if (orphanedDependencies > 0 && tableExists(db, "task_dependencies")) {
+      const count = deleteOrphans(db, "task_dependencies", "NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_dependencies.task_id) OR NOT EXISTS (SELECT 1 FROM tasks t WHERE t.id = task_dependencies.depends_on)");
+      pushRepair(repairs, "orphaned_task_dependencies", "Deleted dependency rows referencing missing tasks", true, count);
+    }
+    for (const [table, where] of orphanTables) {
+      if (!tableExists(db, table))
+        continue;
+      const count = deleteOrphans(db, table, where);
+      if (count > 0)
+        pushRepair(repairs, "orphaned_child_rows", `Deleted orphaned rows from ${table}`, true, count);
+    }
+    if (corruptJson.length > 0) {
+      for (const cell of corruptJson) {
+        db.run(`UPDATE ${quoteIdent(cell.table)} SET ${quoteIdent(cell.column)} = '{}' WHERE rowid = ?`, [cell.rowid]);
+      }
+      pushRepair(repairs, "corrupt_json_metadata", "Reset invalid metadata JSON values to {}", true, corruptJson.length);
+    }
+    if (duplicateIndexes.length > 0) {
+      let dropped = 0;
+      for (const duplicate of duplicateIndexes) {
+        db.run(`DROP INDEX IF EXISTS ${quoteIdent(duplicate.duplicate)}`);
+        dropped++;
+      }
+      pushRepair(repairs, "duplicate_indexes", "Dropped duplicate non-primary indexes", true, dropped);
+    }
+    if (unsafePermissions) {
+      try {
+        chmodSync(dbPath, 384);
+        pushRepair(repairs, "database_permissions", "Changed database file mode to 0600", true);
+      } catch (error) {
+        pushRepair(repairs, "database_permissions", error instanceof Error ? error.message : "Failed to repair database permissions", false);
+      }
+    }
+  }
+  const finalChecks = apply && hasRepairableIssue ? runTodosDoctor({ db, dbPath, apply: false }).checks : checks;
+  const summary = summarize2(finalChecks, repairs);
+  return {
+    ok: !finalChecks.some((check) => check.severity === "error"),
+    dry_run: !apply,
+    database_path: dbPath,
+    migration: { current: getMigrationLevel(db), expected: migrationExpected },
+    backup,
+    checks: finalChecks,
+    repairs,
+    summary
+  };
+}
+var REQUIRED_TABLES;
+var init_doctor = __esm(() => {
+  init_database();
+  init_migrations();
+  init_schema();
+  init_recurrence();
+  REQUIRED_TABLES = [
+    "_migrations",
+    "projects",
+    "tasks",
+    "plans",
+    "agents",
+    "task_dependencies",
+    "task_comments",
+    "task_runs",
+    "task_run_events",
+    "task_run_commands",
+    "task_run_artifacts"
+  ];
+});
+
 // src/lib/package-version.ts
 import { existsSync, readFileSync } from "fs";
 import { dirname, join } from "path";
@@ -1541,8 +2326,8 @@ function getPackageVersion(fromUrl = import.meta.url) {
 
 // src/server/serve.ts
 init_database();
-import { existsSync as existsSync5 } from "fs";
-import { join as join5, dirname as dirname4, extname } from "path";
+import { existsSync as existsSync6 } from "fs";
+import { join as join6, dirname as dirname6, extname } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // src/db/api-keys.ts
@@ -1806,6 +2591,457 @@ function checkCompletionGuard(task, agentId, db, configOverride) {
   }
 }
 
+// src/lib/event-hooks.ts
+import { createHash as createHash2, randomUUID } from "crypto";
+import { appendFileSync, mkdirSync as mkdirSync3 } from "fs";
+import { dirname as dirname4, resolve as resolve4 } from "path";
+import { createConnection } from "net";
+
+// src/lib/redaction.ts
+function redactEvidenceText(value) {
+  return value.replace(/\b(AKIA|ASIA)[0-9A-Z]{16}\b/g, "[REDACTED_AWS_KEY]").replace(/-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g, "[REDACTED_PRIVATE_KEY]").replace(/\bsk-[A-Za-z0-9_-]{12,}\b/g, "[REDACTED_TOKEN]").replace(/\b([A-Za-z0-9_]*(?:API_KEY|TOKEN|SECRET|PASSWORD)[A-Za-z0-9_]*)\s*=\s*['"]?[^'"\s]{8,}/gi, "$1=[REDACTED]").replace(/\b(bearer)\s+[A-Za-z0-9._~+/=-]{12,}/gi, "$1 [REDACTED]");
+}
+function redactValue(value) {
+  if (typeof value === "string")
+    return redactEvidenceText(value);
+  if (Array.isArray(value))
+    return value.map(redactValue);
+  if (value && typeof value === "object") {
+    const redacted = {};
+    for (const [key, child] of Object.entries(value)) {
+      if (/api[_-]?key|token|secret|password/i.test(key)) {
+        redacted[key] = "[REDACTED]";
+      } else {
+        redacted[key] = redactValue(child);
+      }
+    }
+    return redacted;
+  }
+  return value;
+}
+
+// src/lib/runner-sandbox.ts
+import { relative as relative2, resolve as resolve3 } from "path";
+
+// src/lib/workspace-trust.ts
+import { relative, resolve as resolve2 } from "path";
+var DEFAULT_DENYLIST = ["rm -rf", "mkfs", "dd if=", "curl | sh", "wget | sh"];
+var DEFAULT_ENV_REDACTIONS = ["API_KEY", "TOKEN", "SECRET", "PASSWORD", "AUTH"];
+var PRESET_DEFAULTS = {
+  restricted: {
+    trusted: false,
+    preset: "restricted",
+    command_allowlist: ["todos"],
+    command_denylist: DEFAULT_DENYLIST,
+    tool_permissions: ["read"],
+    write_scopes: [],
+    env_redactions: DEFAULT_ENV_REDACTIONS,
+    require_prompt_for_unsafe: true
+  },
+  readonly: {
+    trusted: false,
+    preset: "readonly",
+    command_allowlist: ["todos", "git status", "git diff", "bun test"],
+    command_denylist: DEFAULT_DENYLIST,
+    tool_permissions: ["read", "list", "search"],
+    write_scopes: [],
+    env_redactions: DEFAULT_ENV_REDACTIONS,
+    require_prompt_for_unsafe: true
+  },
+  standard: {
+    trusted: true,
+    preset: "standard",
+    command_allowlist: ["todos", "git", "bun", "rg"],
+    command_denylist: DEFAULT_DENYLIST,
+    tool_permissions: ["read", "write", "test", "mcp"],
+    write_scopes: ["."],
+    env_redactions: DEFAULT_ENV_REDACTIONS,
+    require_prompt_for_unsafe: true
+  },
+  trusted: {
+    trusted: true,
+    preset: "trusted",
+    command_allowlist: ["*"],
+    command_denylist: DEFAULT_DENYLIST,
+    tool_permissions: ["*"],
+    write_scopes: ["."],
+    env_redactions: DEFAULT_ENV_REDACTIONS,
+    require_prompt_for_unsafe: false
+  }
+};
+function normalizePath(path) {
+  return resolve2(path);
+}
+function unique(values) {
+  return Array.from(new Set((values || []).map((value) => value.trim()).filter(Boolean)));
+}
+function defaultProfile(root, preset) {
+  return {
+    root,
+    ...PRESET_DEFAULTS[preset]
+  };
+}
+function configuredProfiles(config = loadConfig()) {
+  return Object.values(config.workspace_trust || {}).map((profile) => ({ ...profile, root: normalizePath(profile.root) })).sort((a, b) => b.root.length - a.root.length);
+}
+function isPathInside(root, path) {
+  const rel = relative(root, path);
+  return rel === "" || !rel.startsWith("..") && !rel.startsWith("/") && !/^[A-Za-z]:/.test(rel);
+}
+function matchesPattern(value, pattern) {
+  if (pattern === "*")
+    return true;
+  if (pattern.includes("*")) {
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`, "i").test(value);
+  }
+  return value === pattern || value.startsWith(`${pattern} `) || value.includes(pattern);
+}
+function profileFor(path) {
+  const resolved = normalizePath(path);
+  for (const profile of configuredProfiles()) {
+    if (isPathInside(profile.root, resolved))
+      return { profile, matchedRoot: profile.root };
+  }
+  return { profile: defaultProfile(resolved, "restricted"), matchedRoot: null };
+}
+function getWorkspaceTrustStatus(path = process.cwd()) {
+  const root = normalizePath(path);
+  const { profile, matchedRoot } = profileFor(root);
+  return {
+    root,
+    trusted: profile.trusted,
+    matched_root: matchedRoot,
+    profile
+  };
+}
+function writeAllowed(profile, root, writePath) {
+  const target = normalizePath(writePath.startsWith("/") ? writePath : `${root}/${writePath}`);
+  return profile.write_scopes.some((scope) => {
+    const scopeRoot = normalizePath(scope.startsWith("/") ? scope : `${root}/${scope}`);
+    return isPathInside(scopeRoot, target);
+  });
+}
+function redactedEnvKeys(profile, env) {
+  if (!env)
+    return [];
+  const patterns = unique([...DEFAULT_ENV_REDACTIONS, ...profile.env_redactions]).map((item) => item.toUpperCase());
+  return Object.keys(env).filter((key) => patterns.some((pattern) => key.toUpperCase().includes(pattern)));
+}
+function checkWorkspacePermission(input = {}) {
+  const status = getWorkspaceTrustStatus(input.path || process.cwd());
+  const reasons = [];
+  const profile = status.profile;
+  if (!status.matched_root)
+    reasons.push("workspace is not trusted");
+  if (input.command) {
+    if (profile.command_denylist.some((pattern) => matchesPattern(input.command, pattern))) {
+      reasons.push("command matches denylist");
+    } else if (!profile.command_allowlist.some((pattern) => matchesPattern(input.command, pattern))) {
+      reasons.push("command is not in allowlist");
+    }
+  }
+  if (input.tool && !profile.tool_permissions.some((permission) => matchesPattern(input.tool, permission))) {
+    reasons.push("tool permission is not allowed");
+  }
+  if (input.write_path && !writeAllowed(profile, status.matched_root || status.root, input.write_path)) {
+    reasons.push("write path is outside allowed scopes");
+  }
+  const redacted = redactedEnvKeys(profile, input.env);
+  const allowed = reasons.length === 0;
+  return {
+    allowed,
+    requires_prompt: !allowed && profile.require_prompt_for_unsafe,
+    reasons,
+    status,
+    redacted_env_keys: redacted
+  };
+}
+
+// src/lib/runner-sandbox.ts
+var DEFAULT_COMMAND_DENYLIST = ["rm -rf", "mkfs", "dd if=", "curl | sh", "wget | sh"];
+var DEFAULT_ENV_REDACTIONS2 = ["API_KEY", "TOKEN", "SECRET", "PASSWORD", "AUTH"];
+function normalizePath2(path) {
+  return resolve3(path);
+}
+function unique2(values) {
+  return Array.from(new Set((values || []).map((value) => value.trim()).filter(Boolean)));
+}
+function configuredProfiles2(config = loadConfig()) {
+  return Object.values(config.runner_sandboxes || {}).map((profile) => ({
+    ...profile,
+    root: normalizePath2(profile.root),
+    cwd_boundary: normalizePath2(profile.cwd_boundary || profile.root)
+  })).sort((a, b) => a.name.localeCompare(b.name));
+}
+function isPathInside2(root, path) {
+  const rel = relative2(root, path);
+  return rel === "" || !rel.startsWith("..") && !rel.startsWith("/") && !/^[A-Za-z]:/.test(rel);
+}
+function matchesPattern2(value, pattern) {
+  if (pattern === "*")
+    return true;
+  if (pattern.includes("*")) {
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    return new RegExp(`^${escaped}$`, "i").test(value);
+  }
+  return value === pattern || value.startsWith(`${pattern} `) || value.includes(pattern);
+}
+function resolveFromRoot(root, path) {
+  return normalizePath2(path.startsWith("/") ? path : `${root}/${path}`);
+}
+function defaultProfile2(name, root) {
+  const normalizedRoot = normalizePath2(root);
+  return {
+    name,
+    root: normalizedRoot,
+    command_allowlist: ["todos", "git", "bun"],
+    command_denylist: DEFAULT_COMMAND_DENYLIST,
+    cwd_boundary: normalizedRoot,
+    write_scopes: ["."],
+    env_allowlist: ["PATH", "HOME", "SHELL", "TMPDIR", "TEMP", "TMP", "CI", "NODE_ENV", "BUN_ENV"],
+    env_redactions: DEFAULT_ENV_REDACTIONS2,
+    network_policy: "none",
+    require_approval: true,
+    audit_evidence: true
+  };
+}
+function profileByName(name, path) {
+  const profiles = configuredProfiles2();
+  if (name) {
+    const found = profiles.find((profile) => profile.name === name);
+    if (found)
+      return found;
+    return defaultProfile2(name, path);
+  }
+  const resolved = normalizePath2(path);
+  return profiles.find((profile) => isPathInside2(profile.root, resolved)) || defaultProfile2("default", resolved);
+}
+function redactedEnvKeys2(profile, env) {
+  if (!env)
+    return [];
+  const patterns = unique2([...DEFAULT_ENV_REDACTIONS2, ...profile.env_redactions]).map((item) => item.toUpperCase());
+  return Object.keys(env).filter((key) => patterns.some((pattern) => key.toUpperCase().includes(pattern)));
+}
+function omittedEnvKeys(profile, env) {
+  if (!env)
+    return [];
+  if (profile.env_allowlist.includes("*"))
+    return [];
+  return Object.keys(env).filter((key) => !profile.env_allowlist.some((pattern) => matchesPattern2(key, pattern)));
+}
+function resolveFromCwd(cwd, path) {
+  return normalizePath2(path.startsWith("/") ? path : `${cwd}/${path}`);
+}
+function writeAllowed2(profile, cwd, writePath) {
+  const target = resolveFromCwd(cwd, writePath);
+  return profile.write_scopes.some((scope) => isPathInside2(resolveFromRoot(profile.root, scope), target));
+}
+function checkRunnerSandbox(input = {}) {
+  const path = normalizePath2(input.path || input.cwd || process.cwd());
+  const profile = profileByName(input.name, path);
+  const cwd = resolveFromRoot(profile.root, input.cwd || profile.root);
+  const reasons = [];
+  const writePaths = input.write_paths || [];
+  const resolvedWritePaths = writePaths.map((writePath) => resolveFromCwd(cwd, writePath));
+  if (!isPathInside2(profile.cwd_boundary, cwd))
+    reasons.push("cwd is outside sandbox boundary");
+  if (input.command) {
+    if (profile.command_denylist.some((pattern) => matchesPattern2(input.command, pattern))) {
+      reasons.push("command matches sandbox denylist");
+    } else if (!profile.command_allowlist.some((pattern) => matchesPattern2(input.command, pattern))) {
+      reasons.push("command is not in sandbox allowlist");
+    }
+  }
+  for (const writePath of writePaths) {
+    if (!writeAllowed2(profile, cwd, writePath)) {
+      reasons.push(`write path is outside sandbox scopes: ${writePath}`);
+    }
+  }
+  if (input.network && profile.network_policy === "none") {
+    reasons.push("network access is disabled by sandbox policy");
+  }
+  const trustChecks = [
+    checkWorkspacePermission({ path: profile.root, command: input.command, env: input.env }),
+    ...resolvedWritePaths.map((writePath) => checkWorkspacePermission({ path: profile.root, write_path: writePath }))
+  ];
+  for (const trust of trustChecks) {
+    for (const reason of trust.reasons)
+      reasons.push(`workspace trust: ${reason}`);
+  }
+  const redacted = redactedEnvKeys2(profile, input.env);
+  const omitted = omittedEnvKeys(profile, input.env);
+  const effective = Object.keys(input.env || {}).filter((key) => !omitted.includes(key));
+  const uniqueReasons = unique2(reasons);
+  const allowed = uniqueReasons.length === 0;
+  return {
+    allowed,
+    requires_approval: !allowed && profile.require_approval,
+    reasons: uniqueReasons,
+    profile,
+    redacted_env_keys: redacted,
+    omitted_env_keys: omitted,
+    effective_env_keys: effective,
+    audit_evidence: profile.audit_evidence ? {
+      sandbox: profile.name,
+      root: profile.root,
+      cwd,
+      command: input.command,
+      write_paths: writePaths,
+      network_requested: Boolean(input.network),
+      network_policy: profile.network_policy,
+      allowed,
+      reasons: uniqueReasons
+    } : null
+  };
+}
+
+// src/lib/event-hooks.ts
+var VALID_TARGETS = new Set(["stdout", "file", "socket", "script"]);
+function clampAttempts(value) {
+  if (!Number.isFinite(value))
+    return 1;
+  return Math.min(5, Math.max(1, Math.trunc(value)));
+}
+function eventMatches(hook, eventType) {
+  return hook.enabled !== false && (hook.events.includes("*") || hook.events.includes(eventType));
+}
+function canonicalEvent(input) {
+  return JSON.stringify(input);
+}
+function buildEnvelope(type, payload, timestamp = new Date().toISOString()) {
+  const base = {
+    id: randomUUID(),
+    type,
+    timestamp,
+    payload: redactValue(payload ?? {}),
+    source: { package: "@hasna/todos", local_only: true }
+  };
+  const digest = createHash2("sha256").update(canonicalEvent(base)).digest("hex");
+  return { ...base, integrity: { algorithm: "sha256", digest } };
+}
+function summarize(value) {
+  const redacted = redactEvidenceText(value.trim());
+  if (!redacted)
+    return;
+  return redacted.length > 1000 ? `${redacted.slice(0, 997)}...` : redacted;
+}
+function sleep(ms) {
+  return new Promise((resolveSleep) => setTimeout(resolveSleep, ms));
+}
+async function writeSocket(socketPath, line) {
+  await new Promise((resolveWrite, rejectWrite) => {
+    const socket = createConnection(socketPath);
+    const timeout = setTimeout(() => {
+      socket.destroy();
+      rejectWrite(new Error(`socket write timed out: ${socketPath}`));
+    }, 1000);
+    socket.on("error", (error) => {
+      clearTimeout(timeout);
+      rejectWrite(error);
+    });
+    socket.on("connect", () => {
+      socket.end(line, () => {
+        clearTimeout(timeout);
+        resolveWrite();
+      });
+    });
+  });
+}
+async function deliverScript(hook, envelope) {
+  const command = hook.command;
+  const cwd = hook.cwd || process.cwd();
+  if (hook.sandbox) {
+    const check = checkRunnerSandbox({ name: hook.sandbox, cwd, command, env: hook.env });
+    if (!check.allowed)
+      throw new Error(check.reasons.join("; "));
+  }
+  const proc = Bun.spawn(["bash", "-lc", command], {
+    cwd,
+    env: {
+      ...process.env,
+      ...hook.env || {},
+      TODOS_EVENT_JSON: JSON.stringify(envelope),
+      TODOS_EVENT_ID: envelope.id,
+      TODOS_EVENT_TYPE: envelope.type,
+      TODOS_EVENT_INTEGRITY: envelope.integrity.digest,
+      TODOS_HOOK_NAME: hook.name
+    },
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const [stdout, stderr, exitCode] = await Promise.all([
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text(),
+    proc.exited
+  ]);
+  return { exitCode, output: summarize([stdout, stderr].filter(Boolean).join(`
+`)) };
+}
+async function deliverHook(hook, envelope) {
+  const line = `${JSON.stringify(envelope)}
+`;
+  const maxAttempts = clampAttempts(hook.retry?.attempts ?? 1);
+  const backoffMs = Math.max(0, hook.retry?.backoff_ms ?? 0);
+  let lastError;
+  let output;
+  for (let attempt = 1;attempt <= maxAttempts; attempt++) {
+    try {
+      if (hook.target === "stdout") {
+        output = line.trim();
+      } else if (hook.target === "file") {
+        const filePath = resolve4(hook.file_path);
+        mkdirSync3(dirname4(filePath), { recursive: true });
+        appendFileSync(filePath, line);
+      } else if (hook.target === "socket") {
+        await writeSocket(hook.socket_path, line);
+      } else {
+        const result = await deliverScript(hook, envelope);
+        output = result.output;
+        if (result.exitCode !== 0)
+          throw new Error(`script exited ${result.exitCode}${output ? `: ${output}` : ""}`);
+      }
+      return {
+        hook: hook.name,
+        event_id: envelope.id,
+        event_type: envelope.type,
+        target: hook.target,
+        status: "delivered",
+        attempts: attempt,
+        integrity: envelope.integrity,
+        output_summary: output
+      };
+    } catch (error) {
+      lastError = error instanceof Error ? error.message : String(error);
+      if (attempt < maxAttempts && backoffMs > 0)
+        await sleep(backoffMs);
+    }
+  }
+  return {
+    hook: hook.name,
+    event_id: envelope.id,
+    event_type: envelope.type,
+    target: hook.target,
+    status: "failed",
+    attempts: maxAttempts,
+    integrity: envelope.integrity,
+    error: redactEvidenceText(lastError || "delivery failed")
+  };
+}
+function listLocalEventHooks() {
+  return Object.values(loadConfig().local_event_hooks || {}).sort((a, b) => a.name.localeCompare(b.name));
+}
+async function emitLocalEventHooks(input) {
+  const hooks = (input.hooks || listLocalEventHooks()).filter((hook) => eventMatches(hook, input.type));
+  if (hooks.length === 0)
+    return [];
+  const envelope = buildEnvelope(input.type, input.payload, input.timestamp);
+  return Promise.all(hooks.map((hook) => deliverHook(hook, envelope)));
+}
+function emitLocalEventHooksQuiet(input) {
+  emitLocalEventHooks(input).catch(() => {});
+}
+
 // src/db/audit.ts
 init_database();
 function logTaskChange(taskId, action, field, oldValue, newValue, agentId, db) {
@@ -2439,9 +3675,14 @@ function updateTask(id, input, db) {
     logTaskChange(id, "approve", "approved_by", null, input.approved_by, agentId, d);
   if (input.assigned_to !== undefined && input.assigned_to !== task.assigned_to) {
     dispatchWebhook("task.assigned", { id, assigned_to: input.assigned_to, title: task.title }, d).catch(() => {});
+    emitLocalEventHooksQuiet({ type: "task.assigned", payload: { id, assigned_to: input.assigned_to, title: task.title } });
   }
   if (input.status !== undefined && input.status !== task.status) {
     dispatchWebhook("task.status_changed", { id, old_status: task.status, new_status: input.status, title: task.title }, d).catch(() => {});
+    emitLocalEventHooksQuiet({ type: "task.status_changed", payload: { id, old_status: task.status, new_status: input.status, title: task.title } });
+  }
+  if (input.approved_by !== undefined) {
+    emitLocalEventHooksQuiet({ type: "approval.decided", payload: { id, approved_by: input.approved_by, title: task.title } });
   }
   return {
     ...task,
@@ -2468,93 +3709,7 @@ function deleteTask(id, db) {
 }
 // src/db/task-lifecycle.ts
 init_database();
-
-// src/lib/recurrence.ts
-var DAY_NAMES = {
-  sunday: 0,
-  sun: 0,
-  monday: 1,
-  mon: 1,
-  tuesday: 2,
-  tue: 2,
-  wednesday: 3,
-  wed: 3,
-  thursday: 4,
-  thu: 4,
-  friday: 5,
-  fri: 5,
-  saturday: 6,
-  sat: 6
-};
-function parseRecurrenceRule(rule) {
-  const normalized = rule.trim().toLowerCase();
-  if (normalized === "every weekday" || normalized === "every weekdays") {
-    return { type: "specific_days", days: [1, 2, 3, 4, 5] };
-  }
-  if (normalized === "every day" || normalized === "daily") {
-    return { type: "interval", interval: 1, unit: "day" };
-  }
-  if (normalized === "every week" || normalized === "weekly") {
-    return { type: "interval", interval: 1, unit: "week" };
-  }
-  if (normalized === "every month" || normalized === "monthly") {
-    return { type: "interval", interval: 1, unit: "month" };
-  }
-  const intervalMatch = normalized.match(/^every\s+(\d+)\s+(day|week|month)s?$/);
-  if (intervalMatch) {
-    return {
-      type: "interval",
-      interval: parseInt(intervalMatch[1], 10),
-      unit: intervalMatch[2]
-    };
-  }
-  const daysMatch = normalized.match(/^every\s+(.+)$/);
-  if (daysMatch) {
-    const dayParts = daysMatch[1].split(/[,\s]+/).map((d) => d.trim()).filter(Boolean);
-    const days = [];
-    for (const part of dayParts) {
-      const dayNum = DAY_NAMES[part];
-      if (dayNum !== undefined) {
-        days.push(dayNum);
-      }
-    }
-    if (days.length > 0) {
-      return { type: "specific_days", days: days.sort((a, b) => a - b) };
-    }
-  }
-  throw new Error(`Invalid recurrence rule: "${rule}". Supported formats: "every day", "every weekday", "every week", "every 2 weeks", "every month", "every N days/weeks/months", "every monday", "every mon,wed,fri"`);
-}
-function nextOccurrence(rule, from) {
-  const parsed = parseRecurrenceRule(rule);
-  const base = from || new Date;
-  if (parsed.type === "interval") {
-    const next = new Date(base);
-    if (parsed.unit === "day") {
-      next.setDate(next.getDate() + parsed.interval);
-    } else if (parsed.unit === "week") {
-      next.setDate(next.getDate() + parsed.interval * 7);
-    } else if (parsed.unit === "month") {
-      next.setMonth(next.getMonth() + parsed.interval);
-    }
-    return next.toISOString();
-  }
-  if (parsed.type === "specific_days") {
-    const currentDay = base.getDay();
-    const days = parsed.days;
-    let daysToAdd = Infinity;
-    for (const day of days) {
-      let diff = day - currentDay;
-      if (diff <= 0)
-        diff += 7;
-      if (diff < daysToAdd)
-        daysToAdd = diff;
-    }
-    const next = new Date(base);
-    next.setDate(next.getDate() + daysToAdd);
-    return next.toISOString();
-  }
-  throw new Error(`Cannot calculate next occurrence for rule: "${rule}"`);
-}
+init_recurrence();
 
 // src/db/templates.ts
 init_database();
@@ -2681,6 +3836,13 @@ function getTaskDependencies(taskId, db) {
 
 // src/db/task-lifecycle.ts
 var MAX_SPAWN_DEPTH = 10;
+function assertStartable(task, agentId) {
+  if (task.status === "pending")
+    return;
+  if (task.status === "in_progress")
+    return;
+  throw new Error(`Task is ${task.status} and cannot be started by ${agentId}`);
+}
 function getBlockingDeps(id, db) {
   const d = db || getDatabase();
   const deps = getTaskDependencies(id, d);
@@ -2699,22 +3861,38 @@ function startTask(id, agentId, db) {
   const task = getTask(id, d);
   if (!task)
     throw new TaskNotFoundError(id);
+  assertStartable(task, agentId);
   const blocking = getBlockingDeps(id, d);
   if (blocking.length > 0) {
     const blockerIds = blocking.map((b) => b.id.slice(0, 8)).join(", ");
+    emitLocalEventHooksQuiet({
+      type: "task.blocked",
+      payload: {
+        id,
+        agent_id: agentId,
+        title: task.title,
+        blockers: blocking.map((b) => ({ id: b.id, short_id: b.short_id, title: b.title, status: b.status }))
+      }
+    });
     throw new Error(`Task is blocked by ${blocking.length} unfinished dependency(ies): ${blockerIds}`);
   }
   const cutoff = lockExpiryCutoff();
   const timestamp = now();
   const result = d.run(`UPDATE tasks SET status = 'in_progress', assigned_to = ?, locked_by = ?, locked_at = ?, started_at = COALESCE(started_at, ?), version = version + 1, updated_at = ?
-     WHERE id = ? AND (locked_by IS NULL OR locked_by = ? OR locked_at < ?)`, [agentId, agentId, timestamp, timestamp, timestamp, id, agentId, cutoff]);
+     WHERE id = ? AND status IN ('pending', 'in_progress') AND (locked_by IS NULL OR locked_by = ? OR locked_at < ?)`, [agentId, agentId, timestamp, timestamp, timestamp, id, agentId, cutoff]);
   if (result.changes === 0) {
-    if (task.locked_by && task.locked_by !== agentId && !isLockExpired(task.locked_at)) {
-      throw new LockError(id, task.locked_by);
+    const current = getTask(id, d);
+    if (!current)
+      throw new TaskNotFoundError(id);
+    assertStartable(current, agentId);
+    if (current.locked_by && current.locked_by !== agentId && !isLockExpired(current.locked_at)) {
+      throw new LockError(id, current.locked_by);
     }
+    throw new Error(`Task ${id} could not be started because it changed during claim`);
   }
   logTaskChange(id, "start", "status", "pending", "in_progress", agentId, d);
   dispatchWebhook("task.started", { id, agent_id: agentId, title: task.title }, d).catch(() => {});
+  emitLocalEventHooksQuiet({ type: "task.started", payload: { id, agent_id: agentId, title: task.title } });
   return { ...task, status: "in_progress", assigned_to: agentId, locked_by: agentId, locked_at: timestamp, started_at: task.started_at || timestamp, version: task.version + 1, updated_at: timestamp };
 }
 function completeTask(id, agentId, db, options) {
@@ -2752,6 +3930,7 @@ function completeTask(id, agentId, db, options) {
   tx();
   logTaskChange(id, "complete", "status", task.status, "completed", agentId || null, d);
   dispatchWebhook("task.completed", { id, agent_id: agentId, title: task.title, completed_at: timestamp }, d).catch(() => {});
+  emitLocalEventHooksQuiet({ type: "task.completed", payload: { id, agent_id: agentId, title: task.title, completed_at: timestamp } });
   let spawnedTask = null;
   if (task.recurrence_rule && !options?.skip_recurrence) {
     spawnedTask = spawnNextRecurrence(task, d);
@@ -2793,6 +3972,7 @@ function completeTask(id, agentId, db, options) {
     meta._unblocked = unblockedDeps.map((d2) => ({ id: d2.id, short_id: d2.short_id, title: d2.title }));
     for (const dep of unblockedDeps) {
       dispatchWebhook("task.unblocked", { id: dep.id, unblocked_by: id, title: dep.title }, d).catch(() => {});
+      emitLocalEventHooksQuiet({ type: "task.unblocked", payload: { id: dep.id, unblocked_by: id, title: dep.title } });
     }
   }
   return { ...task, status: "completed", locked_by: null, locked_at: null, completed_at: timestamp, confidence, version: task.version + 1, updated_at: timestamp, metadata: meta };
@@ -2905,6 +4085,7 @@ function failTask(id, agentId, reason, options, db) {
      WHERE id = ?`, [JSON.stringify(meta), timestamp, id]);
   logTaskChange(id, "fail", "status", task.status, "failed", agentId || null, d);
   dispatchWebhook("task.failed", { id, reason, error_code: options?.error_code, agent_id: agentId, title: task.title }, d).catch(() => {});
+  emitLocalEventHooksQuiet({ type: "task.failed", payload: { id, reason, error_code: options?.error_code, agent_id: agentId, title: task.title } });
   const failedTask = {
     ...task,
     status: "failed",
@@ -2949,21 +4130,23 @@ function failTask(id, agentId, reason, options, db) {
   }
   return { task: failedTask, retryTask };
 }
-function getStaleTasks(staleMinutes = 30, filters, db) {
+function getStaleTasks(staleQuery = 30, filters, db) {
   const d = db || getDatabase();
+  const staleMinutes = typeof staleQuery === "number" ? staleQuery : staleQuery.minutes ?? (staleQuery.hours !== undefined ? staleQuery.hours * 60 : 30);
+  const effectiveFilters = typeof staleQuery === "number" ? filters : { project_id: staleQuery.project_id, task_list_id: staleQuery.task_list_id };
   const cutoff = new Date(Date.now() - staleMinutes * 60 * 1000).toISOString();
   const conditions = [
     "status = 'in_progress'",
     "(updated_at < ? OR (locked_at IS NOT NULL AND locked_at < ?))"
   ];
   const params = [cutoff, cutoff];
-  if (filters?.project_id) {
+  if (effectiveFilters?.project_id) {
     conditions.push("project_id = ?");
-    params.push(filters.project_id);
+    params.push(effectiveFilters.project_id);
   }
-  if (filters?.task_list_id) {
+  if (effectiveFilters?.task_list_id) {
     conditions.push("task_list_id = ?");
-    params.push(filters.task_list_id);
+    params.push(effectiveFilters.task_list_id);
   }
   const where = conditions.join(" AND ");
   const rows = d.query(`SELECT * FROM tasks WHERE ${where} ORDER BY updated_at ASC`).all(...params);
@@ -3540,7 +4723,12 @@ function updatePlan(id, input, db) {
   }
   params.push(id);
   d.run(`UPDATE plans SET ${sets.join(", ")} WHERE id = ?`, params);
-  return getPlan(id, d);
+  const updated = getPlan(id, d);
+  emitLocalEventHooksQuiet({
+    type: "plan.updated",
+    payload: { id, old_status: plan.status, new_status: updated.status, name: updated.name, project_id: updated.project_id }
+  });
+  return updated;
 }
 function deletePlan(id, db) {
   const d = db || getDatabase();
@@ -3548,9 +4736,6 @@ function deletePlan(id, db) {
   return result.changes > 0;
 }
 
-// src/server/routes.ts
-init_database();
-
 // src/db/orgs.ts
 init_database();
 function rowToOrg(row) {
@@ -3635,7 +4820,7 @@ function listComments(taskId, db) {
 }
 
 // src/server/routes.ts
-import { join as join4, resolve as resolve2, sep } from "path";
+import { join as join5, resolve as resolve5, sep } from "path";
 function parseFieldsParam(url) {
   const fieldsParam = url.searchParams.get("fields");
   return fieldsParam ? fieldsParam.split(",").map((f) => f.trim()).filter(Boolean) : undefined;
@@ -4206,16 +5391,8 @@ async function handleBulkDeleteProjects(req, _ctx, json2) {
   }
 }
 function handleDoctor(_ctx, json2) {
-  const issues = [];
-  const staleItems = getStaleTasks(30);
-  if (staleItems.length > 0)
-    issues.push({ severity: "warn", type: "stale_tasks", message: `${staleItems.length} tasks stuck in_progress >30min`, count: staleItems.length });
-  const withParent = getDatabase().query("SELECT COUNT(*) as c FROM tasks t WHERE t.parent_id IS NOT NULL AND NOT EXISTS (SELECT 1 FROM tasks p WHERE p.id = t.parent_id)").get();
-  if (withParent.c > 0)
-    issues.push({ severity: "error", type: "orphaned_parents", message: `${withParent.c} tasks reference non-existent parent IDs`, count: withParent.c });
-  if (issues.length === 0)
-    issues.push({ severity: "info", type: "healthy", message: "No issues found" });
-  return json2({ ok: !issues.some((i) => i.severity === "error"), issues });
+  const { runTodosDoctor: runTodosDoctor2 } = (init_doctor(), __toCommonJS(exports_doctor));
+  return json2(runTodosDoctor2({ apply: false }));
 }
 function handleReport(_req, url, _ctx, json2) {
   const days = parseInt(url.searchParams.get("days") || "7", 10);
@@ -4343,9 +5520,9 @@ function handleStaticFiles(path, method, ctx, json2, serveStaticFile2) {
   if (!ctx.dashboardExists || method !== "GET" && method !== "HEAD")
     return null;
   if (path !== "/") {
-    const filePath = join4(ctx.dashboardDir, path);
-    const resolvedFile = resolve2(filePath);
-    const resolvedBase = resolve2(ctx.dashboardDir);
+    const filePath = join5(ctx.dashboardDir, path);
+    const resolvedFile = resolve5(filePath);
+    const resolvedBase = resolve5(ctx.dashboardDir);
     if (!resolvedFile.startsWith(resolvedBase + sep) && resolvedFile !== resolvedBase) {
       return json2({ error: "Forbidden" }, 403);
     }
@@ -4353,7 +5530,7 @@ function handleStaticFiles(path, method, ctx, json2, serveStaticFile2) {
     if (res2)
       return res2;
   }
-  const indexPath = join4(ctx.dashboardDir, "index.html");
+  const indexPath = join5(ctx.dashboardDir, "index.html");
   const res = serveStaticFile2(indexPath);
   if (res)
     return res;
@@ -4364,21 +5541,21 @@ function handleStaticFiles(path, method, ctx, json2, serveStaticFile2) {
 function resolveDashboardDir() {
   const candidates = [];
   try {
-    const scriptDir = dirname4(fileURLToPath2(import.meta.url));
-    candidates.push(join5(scriptDir, "..", "dashboard", "dist"));
-    candidates.push(join5(scriptDir, "..", "..", "dashboard", "dist"));
+    const scriptDir = dirname6(fileURLToPath2(import.meta.url));
+    candidates.push(join6(scriptDir, "..", "dashboard", "dist"));
+    candidates.push(join6(scriptDir, "..", "..", "dashboard", "dist"));
   } catch {}
   if (process.argv[1]) {
-    const mainDir = dirname4(process.argv[1]);
-    candidates.push(join5(mainDir, "..", "dashboard", "dist"));
-    candidates.push(join5(mainDir, "..", "..", "dashboard", "dist"));
+    const mainDir = dirname6(process.argv[1]);
+    candidates.push(join6(mainDir, "..", "dashboard", "dist"));
+    candidates.push(join6(mainDir, "..", "..", "dashboard", "dist"));
   }
-  candidates.push(join5(process.cwd(), "dashboard", "dist"));
+  candidates.push(join6(process.cwd(), "dashboard", "dist"));
   for (const candidate of candidates) {
-    if (existsSync5(candidate))
+    if (existsSync6(candidate))
       return candidate;
   }
-  return join5(process.cwd(), "dashboard", "dist");
+  return join6(process.cwd(), "dashboard", "dist");
 }
 var MIME_TYPES = {
   ".html": "text/html; charset=utf-8",
@@ -4450,7 +5627,7 @@ function json(data, status = 200, headers) {
   });
 }
 function serveStaticFile(filePath) {
-  if (!existsSync5(filePath))
+  if (!existsSync6(filePath))
     return null;
   const ext = extname(filePath);
   const contentType = MIME_TYPES[ext] || "application/octet-stream";
@@ -4529,7 +5706,7 @@ data: ${data}
       filteredSseClients.delete(client);
   }
   const dashboardDir = resolveDashboardDir();
-  const dashboardExists = existsSync5(dashboardDir);
+  const dashboardExists = existsSync6(dashboardDir);
   if (!dashboardExists) {
     console.error(`
 Dashboard not found at: ${dashboardDir}`);