@jagilber-org/index-server 1.27.0 → 1.28.0

package/dist/dashboard/client/js/admin.events.js

@@ -0,0 +1,256 @@
+/**
+ * admin.events.js — Recent events panel + nav-bubble polling.
+ *
+ * Polls /api/admin/events/counts every 10s for an unread bubble on the
+ * Monitoring nav button. When the Monitoring section is active, also fetches
+ * the full event list and renders into #events-panel.
+ *
+ * Client-side pagination + text search + per-row collapse-to-detail.
+ */
+(function() {
+    var lastSeenId = 0;
+    var pollTimer = null;
+    var refreshTimer = null;
+    var allEvents = [];      // most-recent-first cache
+    var filterText = '';
+    var filterLevel = '';
+    var pageIndex = 0;
+    var pageSize = 50;
+
+    function adminFetch(url, opts) {
+        if (window.adminAuth && typeof window.adminAuth.adminFetch === 'function') {
+            return window.adminAuth.adminFetch(url, opts);
+        }
+        return fetch(url, opts);
+    }
+
+    function escapeText(s) {
+        if (s == null) return '';
+        return String(s)
+            .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
+    }
+
+    function highlight(text, term) {
+        var escaped = escapeText(text);
+        if (!term) return escaped;
+        try {
+            // Escape regex meta in user input.
+            var re = new RegExp(term.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&'), 'gi');
+            return escaped.replace(re, function(m) { return '<mark>' + m + '</mark>'; });
+        } catch (_err) { void _err; return escaped; }
+    }
+
+    function applyFilters() {
+        var t = filterText.trim().toLowerCase();
+        return allEvents.filter(function(e) {
+            if (filterLevel && e.level !== filterLevel) return false;
+            if (!t) return true;
+            var hay = (e.msg || '') + ' ' + (e.detail || '');
+            return hay.toLowerCase().indexOf(t) !== -1;
+        });
+    }
+
+    function renderEvents() {
+        var panel = document.getElementById('events-panel');
+        var pager = document.getElementById('events-pager');
+        var pageInfo = document.getElementById('events-page-info');
+        if (!panel) return;
+
+        var filtered = applyFilters();
+        var totalPages = Math.max(1, Math.ceil(filtered.length / pageSize));
+        if (pageIndex >= totalPages) pageIndex = totalPages - 1;
+        if (pageIndex < 0) pageIndex = 0;
+        var start = pageIndex * pageSize;
+        var slice = filtered.slice(start, start + pageSize);
+
+        panel.classList.remove('loading');
+        if (filtered.length === 0) {
+            panel.innerHTML = '<div class="muted">' + (allEvents.length === 0 ? 'No recent events.' : 'No events match the current filter.') + '</div>';
+            if (pager) pager.classList.add('hidden');
+            return;
+        }
+
+        var rows = slice.map(function(e) {
+            var lvlClass = e.level === 'ERROR' ? 'level-error' : 'level-warn';
+            var ts = e.ts ? new Date(e.ts).toLocaleTimeString() : '';
+            var msgHtml = highlight(e.msg || '', filterText);
+            var detailHtml = e.detail ? '<div class="event-detail muted">' + highlight(e.detail, filterText) + '</div>' : '';
+            var caret = e.detail ? '<span class="toggle-caret">▶</span> ' : '';
+            return '<tr class="event-row ' + lvlClass + '" data-evt-id="' + e.id + '">'
+                + '<td class="event-ts">' + escapeText(ts) + '</td>'
+                + '<td class="event-level"><span class="event-badge ' + lvlClass + '">' + escapeText(e.level) + '</span></td>'
+                + '<td class="event-msg">' + caret + msgHtml + detailHtml + '</td>'
+                + '</tr>';
+        }).join('');
+
+        panel.innerHTML = '<table class="events-table">'
+            + '<thead><tr><th>Time</th><th>Level</th><th>Message</th></tr></thead>'
+            + '<tbody>' + rows + '</tbody></table>';
+
+        if (pager) {
+            pager.classList.remove('hidden');
+            if (pageInfo) {
+                pageInfo.textContent = 'Page ' + (pageIndex + 1) + ' of ' + totalPages
+                    + ' · ' + filtered.length + ' event' + (filtered.length === 1 ? '' : 's')
+                    + (filtered.length !== allEvents.length ? ' (filtered from ' + allEvents.length + ')' : '');
+            }
+            var prev = document.getElementById('events-prev');
+            var next = document.getElementById('events-next');
+            if (prev) prev.disabled = pageIndex === 0;
+            if (next) next.disabled = pageIndex >= totalPages - 1;
+        }
+    }
+
+    function loadEvents() {
+        var levelSel = document.getElementById('events-level-filter');
+        filterLevel = levelSel ? levelSel.value : '';
+        // Always fetch the buffer max — pagination/filter is client-side so
+        // searching can hit older events without round-trips.
+        adminFetch('/api/admin/events?limit=1000')
+            .then(function(r) { return r.json(); })
+            .then(function(data) {
+                if (!data || !data.success) return;
+                // listEvents returns oldest→newest; reverse for newest-first paging.
+                allEvents = (data.events || []).slice().reverse();
+                if (data.counts) {
+                    lastSeenId = data.counts.latestId || lastSeenId;
+                    updateBubble({ warn: 0, error: 0, total: 0 });
+                    var summary = document.getElementById('events-counts-summary');
+                    if (summary) summary.textContent = '(' + (data.counts.warn || 0) + ' warn / ' + (data.counts.error || 0) + ' error in buffer)';
+                }
+                renderEvents();
+            })
+            .catch(function() { /* ignore transient errors */ });
+    }
+
+    function clearEventsBuffer() {
+        adminFetch('/api/admin/events', { method: 'DELETE' })
+            .then(function(r) { return r.json(); })
+            .then(function() { allEvents = []; pageIndex = 0; loadEvents(); })
+            .catch(function() { /* ignore */ });
+    }
+
+    function updateBubble(counts) {
+        var bubble = document.getElementById('nav-events-bubble');
+        if (!bubble) return;
+        var total = (counts.warn || 0) + (counts.error || 0);
+        if (total > 0) {
+            bubble.textContent = total > 99 ? '99+' : String(total);
+            bubble.hidden = false;
+            bubble.classList.toggle('has-error', (counts.error || 0) > 0);
+        } else {
+            bubble.hidden = true;
+            bubble.classList.remove('has-error');
+        }
+    }
+
+    function pollCounts() {
+        adminFetch('/api/admin/events/counts?since=' + encodeURIComponent(lastSeenId))
+            .then(function(r) { return r.json(); })
+            .then(function(data) {
+                if (!data || !data.success || !data.counts) return;
+                updateBubble(data.counts);
+            })
+            .catch(function() { /* ignore */ });
+    }
+
+    function startPolling() {
+        stopPolling();
+        pollCounts();
+        pollTimer = setInterval(pollCounts, 10000);
+    }
+    function stopPolling() {
+        if (pollTimer) { clearInterval(pollTimer); pollTimer = null; }
+    }
+
+    function startMonitoringRefresh() {
+        stopMonitoringRefresh();
+        refreshTimer = setInterval(function() {
+            var section = document.getElementById('monitoring-section');
+            if (section && !section.classList.contains('hidden')) loadEvents();
+        }, 15000);
+    }
+    function stopMonitoringRefresh() {
+        if (refreshTimer) { clearInterval(refreshTimer); refreshTimer = null; }
+    }
+
+    // When user navigates to Monitoring, load events; mark-as-read by adopting latestId.
+    document.addEventListener('click', function(ev) {
+        var t = ev.target;
+        if (t && t.getAttribute && t.getAttribute('data-section') === 'monitoring') {
+            setTimeout(loadEvents, 50);
+        }
+    }, true);
+
+    // Row expand/collapse (delegated; only inside events-panel).
+    function attachPanelHandlers() {
+        var panel = document.getElementById('events-panel');
+        if (!panel || panel._evtBound) return;
+        panel._evtBound = true;
+        panel.addEventListener('click', function(ev) {
+            var row = ev.target.closest && ev.target.closest('tr.event-row');
+            if (!row) return;
+            // Don't toggle on selection of text within already-expanded detail.
+            var sel = window.getSelection && window.getSelection();
+            if (sel && sel.toString().length > 0) return;
+            row.classList.toggle('expanded');
+        });
+    }
+
+    function attachControlHandlers() {
+        var search = document.getElementById('events-search');
+        if (search && !search._evtBound) {
+            search._evtBound = true;
+            var debounce;
+            search.addEventListener('input', function() {
+                clearTimeout(debounce);
+                debounce = setTimeout(function() {
+                    filterText = search.value || '';
+                    pageIndex = 0;
+                    renderEvents();
+                }, 120);
+            });
+        }
+        var pageSel = document.getElementById('events-page-size');
+        if (pageSel && !pageSel._evtBound) {
+            pageSel._evtBound = true;
+            pageSel.addEventListener('change', function() {
+                var n = parseInt(pageSel.value, 10);
+                if (Number.isFinite(n) && n > 0) { pageSize = n; pageIndex = 0; renderEvents(); }
+            });
+        }
+        var prev = document.getElementById('events-prev');
+        if (prev && !prev._evtBound) {
+            prev._evtBound = true;
+            prev.addEventListener('click', function() { if (pageIndex > 0) { pageIndex--; renderEvents(); } });
+        }
+        var next = document.getElementById('events-next');
+        if (next && !next._evtBound) {
+            next._evtBound = true;
+            next.addEventListener('click', function() { pageIndex++; renderEvents(); });
+        }
+    }
+
+    // Init after DOM ready (script is `defer`).
+    function init() {
+        startPolling();
+        startMonitoringRefresh();
+        attachPanelHandlers();
+        attachControlHandlers();
+        var levelFilter = document.getElementById('events-level-filter');
+        if (levelFilter && !levelFilter._evtBound) {
+            levelFilter._evtBound = true;
+            levelFilter.addEventListener('change', function() { pageIndex = 0; loadEvents(); });
+        }
+    }
+
+    if (document.readyState === 'loading') {
+        document.addEventListener('DOMContentLoaded', init);
+    } else {
+        init();
+    }
+
+    window.loadEvents = loadEvents;
+    window.clearEvents = clearEventsBuffer;
+})();

package/dist/dashboard/client/js/admin.feedback.js

@@ -4,7 +4,7 @@
  * Human-operator surface for browsing, creating, editing, and deleting
  * persisted feedback entries, plus a client-side GitHub issue handoff.
  *
- * Design constraints (Morpheus architecture review / decisions.md G-1..G-8):
+ * Design constraints (architecture review / decisions.md G-1..G-8):
  *   - CRUD against /api/admin/feedback (operator-tier, NOT the MCP surface)
  *   - GitHub handoff is client-side ONLY — window.open with pre-filled URL
  *   - No server-side GitHub API calls, no token handling, no OAuth

package/dist/dashboard/client/js/admin.instructions.js

@@ -448,7 +448,7 @@
 
   function formatInstructionJson(){ const ta = document.getElementById('instruction-content'); if(!ta) return; try{ const parsed = JSON.parse(ta.value); ta.value = JSON.stringify(parsed, null, 2); updateInstructionEditorDiagnostics(); } catch { globals.showError && globals.showError('Cannot format: invalid JSON'); } }
 
-  function applyInstructionTemplate(){ const ta = document.getElementById('instruction-content'); if(!ta) return; if(ta.value.trim() && !confirm('Replace current content with template?')) return; const now = new Date().toISOString(); const template = { id:'sample-instruction', title:'Sample Instruction', body:'Detailed instruction content here.\nAdd multi-line guidance and steps.', contentType:'instruction', priority:50, audience:'all', requirement:'optional', categories:['general'], primaryCategory:'general', schemaVersion:'4', status:'draft', owner:'you@example.com', version:'1.0.0', reviewIntervalDays:180, semanticSummary:'Brief summary of what this instruction covers.', createdAt: now, updatedAt: now }; ta.value = JSON.stringify(template, null, 2); updateInstructionEditorDiagnostics(); }
+  function applyInstructionTemplate(){ const ta = document.getElementById('instruction-content'); if(!ta) return; if(ta.value.trim() && !confirm('Replace current content with template?')) return; const now = new Date().toISOString(); const template = { id:'sample-instruction', title:'Sample Instruction', body:'Detailed instruction content here.\nAdd multi-line guidance and steps.', contentType:'instruction', priority:50, audience:'all', requirement:'optional', categories:['general'], primaryCategory:'general', schemaVersion:'5', status:'draft', owner:'you@example.com', version:'1.0.0', reviewIntervalDays:180, semanticSummary:'Brief summary of what this instruction covers.', createdAt: now, updatedAt: now }; ta.value = JSON.stringify(template, null, 2); updateInstructionEditorDiagnostics(); }
 
   async function deleteInstruction(name) {
     if (!confirm('Delete instruction ' + name + '?')) return;

package/dist/dashboard/client/js/admin.maintenance.js

@@ -76,25 +76,43 @@
     }
 
     async function restoreSelectedBackup() {
+        const statusEl = document.getElementById('backup-restore-status');
+        const sel = document.getElementById('backup-select');
         try {
-            const sel = document.getElementById('backup-select');
-            const statusEl = document.getElementById('backup-restore-status');
-            if (!sel || !sel.value) { if (statusEl) statusEl.textContent = 'Select a backup first'; return; }
+            if (!sel || !sel.value) {
+                if (statusEl) statusEl.textContent = 'Select a backup first';
+                console.warn('[restore] aborted: no backup selected');
+                return;
+            }
             const choice = sel.value;
-            if (!confirm(`Restore backup ${choice}? Current instructions will be safety-backed up first.`)) return;
+            if (!confirm(`Restore backup ${choice}? Current instructions will be safety-backed up first.`)) {
+                console.info('[restore] aborted: user cancelled confirm dialog for', choice);
+                if (statusEl) statusEl.textContent = 'Restore cancelled';
+                return;
+            }
             if (statusEl) statusEl.textContent = 'Restoring...';
+            console.info('[restore] POST /api/admin/maintenance/restore', { backupId: choice });
             const res = await adminAuth.adminFetch('/api/admin/maintenance/restore', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ backupId: choice }) });
-            const data = await res.json();
-            if (data.success) {
+            console.info('[restore] response status', res.status);
+            const data = await res.json().catch(function(e){ console.error('[restore] failed to parse JSON', e); return { success: false, error: 'invalid JSON response' }; });
+            console.info('[restore] response body', data);
+            if (res.ok && data.success) {
                 if (statusEl) statusEl.textContent = `Restored ${choice} (${data.restored || 0} files)`;
+                if (typeof showSuccess === 'function') showSuccess(`Restored ${choice} (${data.restored || 0} files)`);
                 // Re-load stats & instructions to reflect changes
                 if (typeof loadOverviewData === 'function') loadOverviewData();
                 if (typeof currentSection !== 'undefined' && currentSection === 'instructions' && typeof loadInstructions === 'function') loadInstructions();
+                loadBackups();
             } else {
-                if (statusEl) statusEl.textContent = `Restore failed: ${data.error || data.message || 'unknown'}`;
+                const msg = `Restore failed: ${data.error || data.message || ('HTTP ' + res.status)}`;
+                if (statusEl) statusEl.textContent = msg;
+                console.error('[restore]', msg);
+                alert(msg);
             }
         } catch (err) {
-            if (statusEl) statusEl.textContent = 'Error restoring backup';
+            console.error('[restore] exception', err);
+            if (statusEl) statusEl.textContent = 'Error restoring backup: ' + (err && err.message || err);
+            alert('Error restoring backup: ' + (err && err.message || err));
         }
     }
 
@@ -104,7 +122,8 @@
             const data = await response.json();
 
             if (data.success) {
-                if (typeof displayMaintenanceStatus === 'function') displayMaintenanceStatus(data.maintenance); // lgtm[js/unneeded-defensive-code] — global may load asynchronously across dashboard panels
+                // displayMaintenanceStatus is declared in this same module (function declaration, hoisted).
+                displayMaintenanceStatus(data.maintenance);
             } else {
                 if (typeof showError === 'function') showError('Failed to load maintenance status');
             }
@@ -350,18 +369,36 @@
 
     async function handleBackupFileSelected(ev){
         const file = ev.target && ev.target.files && ev.target.files[0];
-        if(!file) return;
+        if(!file) {
+            console.warn('[restore-from-file] no file selected');
+            return;
+        }
+        const statusEl = document.getElementById('backup-restore-status');
         try {
             const lowerName = file.name.toLowerCase();
             const arrayBuffer = await file.arrayBuffer();
             const bytes = new Uint8Array(arrayBuffer);
             const zipBackup = looksLikeZip(bytes) || lowerName.endsWith('.zip');
+            console.info('[restore-from-file] selected', { name: file.name, size: file.size, zip: zipBackup });
 
             if(!zipBackup && !lowerName.endsWith('.json')){ alert('Please select a .json or .zip backup file'); return; }
 
+            // "Restore from File" performs import + restore in one shot via ?restore=1.
+            // The current instructions/ are safety-backed up by the server before overwrite.
+            const fileCount = zipBackup ? null : (function(){ try { return Object.keys(JSON.parse(new TextDecoder('utf-8').decode(bytes)).files || {}).length; } catch { return null; } })();
+            const promptMsg = 'Restore from ' + file.name + '?\n\nThis will overwrite the live instructions. A safety backup of the current state will be taken first.' + (fileCount != null ? '\n\nFile count in bundle: ' + fileCount : '');
+            if(!confirm(promptMsg)) {
+                console.info('[restore-from-file] cancelled by user');
+                if (statusEl) statusEl.textContent = 'Restore cancelled';
+                return;
+            }
+
+            if (statusEl) statusEl.textContent = 'Importing & restoring ' + file.name + '...';
+
+            let res;
             if(zipBackup){
-                if(!confirm('Import backup from ' + file.name + '? (zip archive)')) return;
-                const res = await adminAuth.adminFetch('/api/admin/maintenance/backup/import', {
+                console.info('[restore-from-file] POST /api/admin/maintenance/backup/import?restore=1 (zip)', { bytes: arrayBuffer.byteLength });
+                res = await adminAuth.adminFetch('/api/admin/maintenance/backup/import?restore=1', {
                     method:'POST',
                     headers:{
                         'Content-Type':'application/zip',
@@ -369,29 +406,35 @@
                     },
                     body: arrayBuffer,
                 });
-                const data = await res.json();
-                if(data.success){
-                    if(typeof showSuccess === 'function') showSuccess(data.message || 'Imported');
-                    loadMaintenanceStatus(); loadBackups();
-                } else {
-                    alert('Import failed: '+(data.error||'unknown'));
-                }
-                return;
+            } else {
+                const text = new TextDecoder('utf-8').decode(bytes);
+                const bundle = JSON.parse(text);
+                if(!bundle.files || typeof bundle.files !== 'object'){ alert('Invalid backup file: must contain a "files" object'); return; }
+                console.info('[restore-from-file] POST /api/admin/maintenance/backup/import?restore=1 (json)', { files: Object.keys(bundle.files).length });
+                res = await adminAuth.adminFetch('/api/admin/maintenance/backup/import?restore=1', { method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify(bundle) });
             }
-
-            const text = new TextDecoder('utf-8').decode(bytes);
-            const bundle = JSON.parse(text);
-            if(!bundle.files || typeof bundle.files !== 'object'){ alert('Invalid backup file: must contain a "files" object'); return; }
-            if(!confirm('Import backup from ' + file.name + '? (' + Object.keys(bundle.files).length + ' files)')) return;
-            const res = await adminAuth.adminFetch('/api/admin/maintenance/backup/import', { method:'POST', headers:{'Content-Type':'application/json'}, body: JSON.stringify(bundle) });
-            const data = await res.json();
-            if(data.success){
-                if(typeof showSuccess === 'function') showSuccess(data.message || 'Imported');
-                loadMaintenanceStatus(); loadBackups();
+            console.info('[restore-from-file] response status', res.status);
+            const data = await res.json().catch(function(e){ console.error('[restore-from-file] failed to parse JSON', e); return { success: false, error: 'invalid JSON response' }; });
+            console.info('[restore-from-file] response body', data);
+            if(res.ok && data.success){
+                const msg = data.message || ('Imported and restored ' + (data.backupId || ''));
+                if(typeof showSuccess === 'function') showSuccess(msg);
+                if (statusEl) statusEl.textContent = msg;
+                loadMaintenanceStatus();
+                loadBackups();
+                if (typeof loadOverviewData === 'function') loadOverviewData();
+                if (typeof currentSection !== 'undefined' && currentSection === 'instructions' && typeof loadInstructions === 'function') loadInstructions();
             } else {
-                alert('Import failed: '+(data.error||'unknown'));
+                const errMsg = 'Restore failed: ' + (data.error || data.message || ('HTTP ' + res.status));
+                console.error('[restore-from-file]', errMsg, data);
+                if (statusEl) statusEl.textContent = errMsg;
+                alert(errMsg);
             }
-        } catch(e){ alert('Import error: '+(e.message||e)); }
+        } catch(e){
+            console.error('[restore-from-file] exception', e);
+            if (statusEl) statusEl.textContent = 'Error: ' + (e.message||e);
+            alert('Restore-from-file error: '+(e.message||e));
+        }
     }
 
     // Signal Groom: apply usage signals to instruction priority/requirement

package/dist/dashboard/client/js/admin.sessions.js

@@ -147,7 +147,7 @@
                 if (connEl) connEl.innerHTML = '<div class="error-message">Error loading active connections</div>';
             }
 
-            try { if (typeof loadSessionHistory === 'function') loadSessionHistory(parseInt(document.getElementById('session-history-limit')?.value || '50', 10)); } catch {} // lgtm[js/unneeded-defensive-code] — global may load asynchronously across dashboard panels
+            try { loadSessionHistory(parseInt(document.getElementById('session-history-limit')?.value || '50', 10)); } catch {}
             window.__lastSessionsCount = sessionsCount;
             window.__lastConnectionsCount = connectionsCount;
             updateSessionsNavBadge();

package/dist/dashboard/security/SecurityMonitor.js

@@ -473,11 +473,11 @@ class SecurityMonitor {
     // Utility methods for simulated monitoring
     getCPUUsage() {
         // Simulate CPU usage between 10-80%
-        return Math.random() * 70 + 10;
+        return Math.random() * 70 + 10; // nosemgrep: insecure-randomness — simulated metric, not security context
     }
     getAverageAPILatency() {
         // Simulate API latency between 50-300ms
-        return Math.random() * 250 + 50;
+        return Math.random() * 250 + 50; // nosemgrep: insecure-randomness — simulated metric, not security context
     }
     checkForSuspiciousPatterns(patterns, _caseSensitive) {
         // Simulate 1% chance of detecting suspicious pattern

package/dist/dashboard/server/AdminPanel.js

@@ -25,6 +25,14 @@ const AdminPanelConfig_1 = require("./AdminPanelConfig");
 const AdminPanelState_1 = require("./AdminPanelState");
 const backupZip_1 = require("../../services/backupZip");
 const auditLog_1 = require("../../services/auditLog");
+const logger_1 = require("../../services/logger");
+// Stackless WARN: the log-hygiene gate (scripts/crawl-logs.mjs --strict)
+// treats WARN-with-stack as a budget violation (max-stack-warn=5). logWarn()
+// auto-captures a JS stack via captureCallStack(), so for routine admin
+// rejection paths use log('WARN', ...) directly with a serialized detail.
+const warnStruct = (msg, detail) => (0, logger_1.log)('WARN', msg, { detail: detail === undefined ? undefined : typeof detail === 'string' ? detail : JSON.stringify(detail) });
+const embeddingTrigger_1 = require("../../services/embeddingTrigger");
+const migrationEngine_1 = require("../../services/storage/migrationEngine");
 const adm_zip_1 = __importDefault(require("adm-zip"));
 class AdminPanel {
     panelConfig;
@@ -265,7 +273,7 @@ class AdminPanel {
                     source: safeId,
                     originalCount: existing.length,
                 });
-                process.stderr.write(`[admin] Pre-restore safety backup created: ${safetyId}.zip\n`);
+                (0, logger_1.logInfo)('[admin] pre-restore safety backup created', { safetyId, originalCount: existing.length });
             }
             let restored = 0;
             if (isZip) {
@@ -282,11 +290,58 @@ class AdminPanel {
                 }
             }
             this.indexStatsCache = null;
-            process.stderr.write(`[admin] Restored backup ${safeId} (${restored} instruction files)\n`);
+            // Restore wrote JSON files to instructionsDir, but the live index may
+            // not be sourcing from disk:
+            //  - JSON backend: IndexContext re-reads on next ensureLoaded() because
+            //    instructionsDir mtime changed (no .index-version file in dev).
+            //  - SQLite backend: source of truth is the .db at storage.sqlitePath,
+            //    NOT the JSON files. Without re-ingesting, the dashboard keeps
+            //    showing the pre-restore row count (RCA 2026-05-01: 702-file zip
+            //    restored, Overview kept showing 2 seed-bootstrap entries).
+            // Therefore: re-ingest into SQLite when applicable, then invalidate the
+            // in-memory cache so the next read reflects the restored set.
+            const backend = (0, runtimeConfig_1.getRuntimeConfig)().storage?.backend ?? 'json';
+            let sqliteIngest;
+            if (backend === 'sqlite') {
+                try {
+                    const dbPath = (0, runtimeConfig_1.getRuntimeConfig)().storage?.sqlitePath
+                        ?? path_1.default.join(process.cwd(), 'data', 'index.db');
+                    const mr = (0, migrationEngine_1.migrateJsonToSqlite)(instructionsDir, dbPath);
+                    sqliteIngest = { migrated: mr.migrated, errors: mr.errors.length };
+                    (0, logger_1.logInfo)('[admin] post-restore sqlite re-ingest', { backupId: safeId, ...sqliteIngest });
+                }
+                catch (err) {
+                    (0, logger_1.logError)('[admin] post-restore sqlite re-ingest failed', {
+                        backupId: safeId,
+                        error: err instanceof Error ? err.message : String(err),
+                    });
+                }
+            }
+            (0, indexContext_1.touchIndexVersion)();
+            (0, indexContext_1.invalidate)();
+            let afterCount = -1;
+            try {
+                afterCount = Object.keys((0, indexContext_1.ensureLoaded)().byId || {}).length;
+            }
+            catch (reloadErr) {
+                (0, logger_1.logError)('[admin] post-restore reload failed', {
+                    backupId: safeId,
+                    error: reloadErr instanceof Error ? reloadErr.message : String(reloadErr),
+                });
+            }
+            (0, logger_1.logInfo)('[admin] backup restored', { backupId: safeId, restored, source: isZip ? 'zip' : 'dir', backend, afterCount, ...(sqliteIngest ? { sqliteIngest } : {}) });
+            // Fire-and-forget embedding compute when semantic is enabled — addresses
+            // post-import gap where embeddings file is missing until manually triggered.
+            try {
+                (0, embeddingTrigger_1.scheduleEmbeddingComputeAfterImport)(`restore:${safeId}`);
+            }
+            catch { /* never block restore */ }
             return { success: true, message: `Backup ${safeId} restored`, restored };
         }
         catch (error) {
             const errMsg = error instanceof Error ? error.message : String(error);
+            const stack = error instanceof Error ? error.stack : undefined;
+            (0, logger_1.logError)('[admin] backup restore failed', { backupId, error: errMsg, stack });
             (0, auditLog_1.logAudit)('admin/backup/restore_failed', backupId ? [String(backupId)] : undefined, { error: errMsg }, 'mutation');
             return { success: false, message: `Restore failed: ${errMsg}` };
         }
@@ -516,29 +571,49 @@ class AdminPanel {
             };
             zip.addFile('manifest.json', Buffer.from(JSON.stringify(manifest, null, 2)));
             zip.writeZip(zipPath);
-            process.stderr.write(`[admin] Imported backup from file: ${backupId}.zip (${written} files)\n`);
+            (0, logger_1.logInfo)('[admin] importBackup complete', { backupId, files: written, mode: 'json' });
             return { success: true, message: `Imported ${written} files as ${backupId}`, backupId, files: written };
         }
         catch (error) {
             const errMsg = error instanceof Error ? error.message : String(error);
+            const stack = error instanceof Error ? error.stack : undefined;
+            (0, logger_1.logError)('[admin] importBackup failed', { error: errMsg, stack, mode: 'json' });
             (0, auditLog_1.logAudit)('admin/backup/import_failed', undefined, { error: errMsg, mode: 'json' }, 'mutation');
             return { success: false, message: `Import failed: ${errMsg}` };
         }
     }
     /** Import a zip backup uploaded by the client without rewriting its contents. */
     importZipBackup(zipBuffer, sourceName) {
+        // CodeQL: Array.isArray is the negative pattern recognized by the
+        // js/type-confusion-through-parameter-tampering query. Buffer.isBuffer
+        // alone is not treated as narrowing, so guard before any .length read.
+        const sizeBytes = !Array.isArray(zipBuffer) && Buffer.isBuffer(zipBuffer) ? zipBuffer.length : 0;
+        const safeSource = typeof sourceName === 'string' && !Array.isArray(sourceName) ? sourceName : undefined;
+        (0, logger_1.logInfo)('[admin] importZipBackup start', { sourceName: safeSource ? path_1.default.basename(safeSource) : undefined, sizeBytes });
         try {
-            if (!Buffer.isBuffer(zipBuffer) || zipBuffer.length === 0) {
+            if (Array.isArray(zipBuffer) || !Buffer.isBuffer(zipBuffer) || zipBuffer.length === 0) {
                 const msg = 'Invalid zip backup: upload was empty';
+                warnStruct('[admin] importZipBackup rejected', { reason: 'empty-buffer', sizeBytes });
                 (0, auditLog_1.logAudit)('admin/backup/import_failed', undefined, { error: msg, mode: 'zip' }, 'mutation');
                 return { success: false, message: msg };
             }
-            const zip = new adm_zip_1.default(zipBuffer);
+            let zip;
+            try {
+                zip = new adm_zip_1.default(zipBuffer);
+            }
+            catch (e) {
+                const errMsg = e instanceof Error ? e.message : String(e);
+                (0, logger_1.logError)('[admin] importZipBackup zip-parse-error', { error: errMsg, sizeBytes });
+                (0, auditLog_1.logAudit)('admin/backup/import_failed', undefined, { error: errMsg, mode: 'zip' }, 'mutation');
+                return { success: false, message: `Import failed: ${errMsg}` };
+            }
+            const allEntries = zip.getEntries().map(e => e.entryName);
             const instructionFiles = zip.getEntries()
                 .map(entry => path_1.default.basename(entry.entryName))
                 .filter(name => name.toLowerCase().endsWith('.json') && name === path_1.default.basename(name) && name !== 'manifest.json');
             if (!instructionFiles.length) {
                 const msg = 'Invalid zip backup: contains no instruction files';
+                warnStruct('[admin] importZipBackup rejected', { reason: 'no-instruction-files', entryCount: allEntries.length, sample: allEntries.slice(0, 10) });
                 (0, auditLog_1.logAudit)('admin/backup/import_failed', undefined, { error: msg, mode: 'zip' }, 'mutation');
                 return { success: false, message: msg };
             }
@@ -551,11 +626,13 @@ class AdminPanel {
                 fs_1.default.mkdirSync(this.backupRoot, { recursive: true });
             fs_1.default.writeFileSync(zipPath, zipBuffer); // lgtm[js/http-to-file-access] — zipPath is generated under controlled backupRoot; admin endpoint behind dashboardAdminAuth
             const safeSourceName = sourceName ? path_1.default.basename(sourceName) : undefined;
-            process.stderr.write(`[admin] Imported zip backup from file: ${backupId}.zip (${instructionFiles.length} files${safeSourceName ? `, source=${safeSourceName}` : ''})\n`);
+            (0, logger_1.logInfo)('[admin] importZipBackup complete', { backupId, files: instructionFiles.length, source: safeSourceName, zipPath });
             return { success: true, message: `Imported ${instructionFiles.length} files as ${backupId}`, backupId, files: instructionFiles.length };
         }
         catch (error) {
             const errMsg = error instanceof Error ? error.message : String(error);
+            const stack = error instanceof Error ? error.stack : undefined;
+            (0, logger_1.logError)('[admin] importZipBackup failed', { error: errMsg, stack, sourceName: sourceName ? path_1.default.basename(sourceName) : undefined, sizeBytes });
             (0, auditLog_1.logAudit)('admin/backup/import_failed', undefined, { error: errMsg, mode: 'zip' }, 'mutation');
             return { success: false, message: `Import failed: ${errMsg}` };
         }

package/dist/dashboard/server/AdminPanelConfig.d.ts

@@ -3,6 +3,10 @@
  *
  * Owns the AdminConfig data structure and provides CRUD methods for
  * reading and updating admin panel configuration.
+ *
+ * Updates here mutate `process.env.INDEX_SERVER_*` and call `reloadRuntimeConfig()`
+ * so the dashboard "Server Configuration" panel reflects (and applies to) the
+ * single runtimeConfig source of truth.
  */
 export interface AdminConfig {
     serverSettings: {
@@ -30,11 +34,18 @@ export declare class AdminPanelConfig {
     private config;
     constructor();
     private loadDefaultConfig;
+    /** Re-read from runtime config so callers always see the current authoritative values. */
     getAdminConfig(): AdminConfig;
     updateAdminConfig(updates: Partial<AdminConfig>): {
         success: boolean;
         message: string;
+        appliedFields?: string[];
     };
+    /**
+     * Apply incoming serverSettings to `process.env.INDEX_SERVER_*` and reload runtime config
+     * so the dashboard form actually drives behavior. Bind every editable field to its env var
+     * (per constitution S-4: "All environment configuration must flow through runtimeConfig.ts").
+     */
     private applyConfigChanges;
     /** Session timeout in milliseconds — consumed by state management. */
     get sessionTimeout(): number;