@jhizzard/termdeck 0.6.9 → 0.7.0

package/README.md

@@ -171,7 +171,7 @@ Honest limits, stated upfront so the skeptic has nothing to chase:
 - **Not a replacement for reading docs.** It's the shortest path to a memory you already wrote. If the memory isn't there, the feature does nothing.
 - **Not fully local by default.** Tier 2+ reaches out to Supabase for storage and OpenAI for embeddings. Tier 1 is fully local. A fully-local Tier 2 (local Postgres + local embeddings) is on the roadmap.
 - **Not free forever.** Tier 2+ pays OpenAI fractions of a cent per memory for embeddings. Self-hosted embeddings via Ollama are on the roadmap.
-- **Not proven at scale.** v0.6.4, validated against 4,669 memories in one developer's production store. The Rumen 2026-04-19 re-kickstart processed 166 sessions into 166 insights in ~5.5 minutes. No multi-user data yet. Bug reports and issues welcome.
+- **Not proven at scale.** v0.7.0, validated against 4,669 memories in one developer's production store. The Rumen 2026-04-19 re-kickstart processed 166 sessions into 166 insights in ~5.5 minutes. No multi-user data yet. Bug reports and issues welcome.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jhizzard/termdeck",
-  "version": "0.6.9",
+  "version": "0.7.0",
   "description": "Browser-based terminal multiplexer with metadata overlays, panel flashback memory recall, and AI-aware session management",
   "bin": {
     "termdeck": "./packages/cli/src/index.js"

package/packages/client/public/app.js

@@ -159,6 +159,7 @@
                     `<option value="${tid}" ${tid === meta.theme ? 'selected' : ''}>${t.label}</option>`
                   ).join('')}
                 </select>
+                <a class="theme-reset" id="theme-reset-${id}" href="javascript:void(0)" onclick="resetTheme('${id}')" title="Revert to project / global default from config.yaml" style="font-size:11px;color:#7aa2f7;text-decoration:none;margin-left:4px;opacity:0.7;cursor:pointer">↺ default</a>
                 <button class="ctrl-btn" onclick="focusPanel('${id}')">focus</button>
                 <button class="ctrl-btn" onclick="halfPanel('${id}')">half</button>
                 <button class="ctrl-btn reply-toggle" id="reply-btn-${id}" onclick="toggleReplyForm('${id}')" title="Send text to another terminal">reply ▸</button>
@@ -1309,10 +1310,25 @@
       const themeObj = getThemeObject(themeId);
       entry.terminal.options.theme = themeObj;
 
-      // Persist to server
+      // Persist to server (writes to sessions.theme_override server-side)
       api('PATCH', `/api/sessions/${id}`, { theme: themeId });
     }
 
+    // v0.7.0: clear sessions.theme_override server-side and snap the panel back
+    // to whatever the resolver currently picks (project default → global default
+    // → tokyo-night). Server returns the resolved value in the PATCH response so
+    // the dropdown + xterm theme update without waiting for the 2s broadcast.
+    async function resetTheme(id) {
+      const entry = state.sessions.get(id);
+      if (!entry) return;
+      const updated = await api('PATCH', '/api/sessions/' + id, { theme: null });
+      const resolved = updated && updated.meta && updated.meta.theme;
+      if (!resolved) return;
+      entry.terminal.options.theme = getThemeObject(resolved);
+      const sel = document.getElementById('theme-' + id);
+      if (sel && sel.value !== resolved) sel.value = resolved;
+    }
+
     async function askAI(id, question) {
       if (!question.trim()) return;
       const entry = state.sessions.get(id);

package/packages/server/src/auth.js

@@ -1,4 +1,4 @@
-// Optional token authentication for TermDeck (Sprint 9 T3).
+// Optional token authentication for TermDeck (Sprint 9 T3, extended Sprint 32).
 //
 // When no token is configured, auth is a no-op — `createAuthMiddleware()` returns
 // null and callers skip wiring. When a token is configured (config.auth.token
@@ -9,8 +9,19 @@
 //   - termdeck_token=<token> cookie
 //
 // Browser requests without a valid token receive a minimal HTML login page that
-// stores the token in a cookie client-side and retries. API requests get a
-// JSON 401.
+// POSTs to /api/auth/login. The login handler validates the token and issues a
+// Set-Cookie header with HttpOnly + SameSite=Lax + Max-Age=2592000 (30 days),
+// and Secure when the request was over HTTPS (direct or via X-Forwarded-Proto).
+// API requests get a JSON 401.
+//
+// 30-day cookie trade-off (v0.7.0):
+// TermDeck is intended as a local dev tool. Brad's 2026-04-26 feedback ("is
+// there a way not to have to enter the token at each termdeck session?")
+// showed the per-browser-session re-prompt was a real adoption tax. The
+// compromise risk of a longer cookie is bounded by the local-only attack
+// surface (HttpOnly blocks JS exfiltration, SameSite=Lax blocks CSRF on
+// cross-site POSTs, Secure-when-HTTPS prevents plaintext sniffing on the
+// reverse-proxy path documented in docs/DEPLOYMENT.md). UX wins.
 
 function getConfiguredToken(config) {
   const fromConfig = config && config.auth && config.auth.token;
@@ -63,6 +74,51 @@ function extractToken(req) {
   return null;
 }
 
+// 30 days in seconds — see head-of-file trade-off note.
+const COOKIE_MAX_AGE_SECONDS = 2592000;
+
+// HTTPS detection for the Secure cookie flag. Express sets req.protocol from
+// the socket; behind a reverse proxy with `app.set('trust proxy', ...)` it
+// reads X-Forwarded-Proto. We also fall back to reading the header directly
+// so the helper is correct even when trust-proxy isn't enabled.
+function isSecureRequest(req) {
+  if (!req) return false;
+  if (req.protocol === 'https') return true;
+  const xfp = req.headers && req.headers['x-forwarded-proto'];
+  if (typeof xfp === 'string') {
+    const first = xfp.split(',')[0].trim().toLowerCase();
+    if (first === 'https') return true;
+  }
+  return false;
+}
+
+function buildAuthCookie(token, secure) {
+  const parts = [
+    `termdeck_token=${encodeURIComponent(token)}`,
+    'Path=/',
+    `Max-Age=${COOKIE_MAX_AGE_SECONDS}`,
+    'HttpOnly',
+    'SameSite=Lax',
+  ];
+  if (secure) parts.push('Secure');
+  return parts.join('; ');
+}
+
+function writeAuthCookie(req, res, token) {
+  res.setHeader('Set-Cookie', buildAuthCookie(token, isSecureRequest(req)));
+}
+
+function handleLogin(req, res, configuredToken) {
+  const provided =
+    (req.body && typeof req.body.token === 'string' && req.body.token.trim()) ||
+    extractToken(req);
+  if (!provided || provided !== configuredToken) {
+    return res.status(401).json({ error: 'unauthorized' });
+  }
+  writeAuthCookie(req, res, configuredToken);
+  return res.status(200).json({ ok: true });
+}
+
 function loginPage() {
   return `<!doctype html>
 <html lang="en">
@@ -104,12 +160,14 @@ function submitToken(e) {
   err.textContent = '';
   var t = document.getElementById('t').value.trim();
   if (!t) return false;
-  document.cookie = 'termdeck_token=' + encodeURIComponent(t) +
-    '; path=/; SameSite=Strict; Max-Age=2592000';
   var next = new URLSearchParams(location.search).get('next') || '/';
-  fetch('/api/config', { credentials: 'same-origin' }).then(function(r) {
+  fetch('/api/auth/login', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    credentials: 'same-origin',
+    body: JSON.stringify({ token: t })
+  }).then(function(r) {
     if (r.ok) { location.href = next; return; }
-    document.cookie = 'termdeck_token=; path=/; Max-Age=0';
     err.textContent = 'Invalid token.';
   }).catch(function() {
     err.textContent = 'Network error.';
@@ -130,6 +188,13 @@ function createAuthMiddleware(config) {
     // without being handed a secret.
     if (req.path === '/api/health') return next();
 
+    // The login endpoint validates credentials and issues the cookie itself —
+    // it must run before the token-required check below or browsers could
+    // never reach it.
+    if (req.method === 'POST' && req.path === '/api/auth/login') {
+      return handleLogin(req, res, token);
+    }
+
     const provided = extractToken(req);
     if (provided && provided === token) return next();
 
@@ -168,5 +233,11 @@ module.exports = {
   verifyWebSocketUpgrade,
   getConfiguredToken,
   hasAuth,
-  loginPage
+  loginPage,
+  // Exposed for tests + future reuse by other server modules.
+  buildAuthCookie,
+  isSecureRequest,
+  writeAuthCookie,
+  handleLogin,
+  COOKIE_MAX_AGE_SECONDS,
 };

package/packages/server/src/database.js

@@ -27,7 +27,8 @@ function initDatabase(Database) {
       exited_at TEXT,
       exit_code INTEGER,
       reason TEXT,
-      theme TEXT DEFAULT 'tokyo-night'
+      theme TEXT DEFAULT 'tokyo-night',
+      theme_override TEXT
     );
 
     CREATE TABLE IF NOT EXISTS command_history (
@@ -54,7 +55,6 @@ function initDatabase(Database) {
     CREATE TABLE IF NOT EXISTS projects (
       name TEXT PRIMARY KEY,
       path TEXT NOT NULL,
-      default_theme TEXT DEFAULT 'tokyo-night',
       default_command TEXT DEFAULT 'bash',
       rag_namespace TEXT,
       created_at TEXT NOT NULL
@@ -79,6 +79,42 @@ function initDatabase(Database) {
     console.warn('[db] command_history.source migration failed:', err.message);
   }
 
+  // Migration (v0.7.0): add sessions.theme_override and backfill from theme.
+  // The backfill runs exactly once — only when the column is being added — so
+  // post-migration sessions created with theme_override=NULL stay un-overridden
+  // and pick up config.yaml changes via the theme-resolver. Pre-v0.7.0 rows
+  // had `theme` written by the dropdown PATCH, so treating them as user-set is
+  // the correct preservation of customizations.
+  // (SQLite has no `ADD COLUMN IF NOT EXISTS`, so we PRAGMA-check first — same
+  // pattern as the command_history.source migration above.)
+  try {
+    const cols = db.prepare(`PRAGMA table_info(sessions)`).all();
+    const hasOverride = cols.some((c) => c.name === 'theme_override');
+    if (!hasOverride) {
+      db.exec(`ALTER TABLE sessions ADD COLUMN theme_override TEXT`);
+      const updated = db.prepare(`UPDATE sessions SET theme_override = theme WHERE theme IS NOT NULL`).run();
+      console.log(`[db] Migrated sessions: added 'theme_override' column, backfilled ${updated.changes} row(s) from theme`);
+    }
+  } catch (err) {
+    console.warn('[db] sessions.theme_override migration failed:', err.message);
+  }
+
+  // Migration (v0.7.0): drop the dead projects.default_theme column. It was
+  // CREATE'd in early v0.1 but was never read or written by any code path
+  // (see Sprint 32 T1 grep). Removing it eliminates a latent contract-drift
+  // trap. SQLite supports DROP COLUMN since 3.35 (well below better-sqlite3's
+  // bundled version). No `IF EXISTS` in SQLite, so PRAGMA-check first.
+  try {
+    const cols = db.prepare(`PRAGMA table_info(projects)`).all();
+    const hasDefaultTheme = cols.some((c) => c.name === 'default_theme');
+    if (hasDefaultTheme) {
+      db.exec(`ALTER TABLE projects DROP COLUMN default_theme`);
+      console.log("[db] Migrated projects: dropped dead 'default_theme' column");
+    }
+  } catch (err) {
+    console.warn('[db] projects.default_theme drop migration failed:', err.message);
+  }
+
   return db;
 }
 

package/packages/server/src/health.js

@@ -0,0 +1,377 @@
+// Runtime health snapshot — the v0.7.0 sibling of v0.6.9's
+// auditPreconditions/verifyOutcomes (packages/server/src/setup/preconditions.js).
+//
+// Why this module exists
+// ──────────────────────
+// v0.6.9 closed the install-time precondition-drift class with a front-loaded
+// audit and a post-write verify inside the wizards. That defends the moment
+// the user runs `termdeck init --mnestra` / `--rumen`. It does not defend
+// later — when an extension gets disabled in the Supabase dashboard, when a
+// migration loader picks up a stale set on a subsequent reinstall, or when
+// the cron job is paused without anyone noticing. `/api/health/full` answers
+// "is this install actually healthy *right now*?" by re-running the same
+// SELECTs at runtime instead of install-time.
+//
+// Required vs warn checks
+// ───────────────────────
+// Required checks (sqlite, mnestra-pg, memory-items-col, pg-cron-ext,
+// pg-net-ext, vault-secret, cron-job-active) drive the overall `ok` flag —
+// any non-pass marks the report unhealthy and the route returns 503. Warn
+// checks (mnestra-webhook, rumen-pool) are best-effort: a failure surfaces
+// as `warn` with detail, but does not flip `ok`.
+//
+// Caching
+// ───────
+// Reports cached in module scope for 30s. `getFullHealth(config, { refresh: true })`
+// or the `?refresh=1` query param bypasses the cache. The TTL is reflected
+// in the response's `ttlSeconds` field so polling clients can self-pace.
+//
+// Error handling
+// ──────────────
+// Every check is wrapped: any unexpected error downgrades that single check
+// to `fail` (or `warn` for warn-checks) with the error message in `detail`.
+// `getFullHealth()` always resolves with a structured report — never throws.
+
+'use strict';
+
+const http = require('http');
+const https = require('https');
+
+const TTL_SECONDS = 30;
+const TTL_MS = TTL_SECONDS * 1000;
+
+const REQUIRED_CHECKS = new Set([
+  'sqlite',
+  'mnestra-pg',
+  'memory-items-col',
+  'pg-cron-ext',
+  'pg-net-ext',
+  'vault-secret',
+  'cron-job-active'
+]);
+
+let _cache = null;
+let _cachedAt = 0;
+
+// ── SQLite check ────────────────────────────────────────────────────────────
+
+function checkSqlite(db) {
+  if (!db) {
+    return { name: 'sqlite', status: 'fail', detail: 'better-sqlite3 not initialized' };
+  }
+  try {
+    const row = db.prepare('SELECT 1 AS ok').get();
+    if (row && row.ok === 1) return { name: 'sqlite', status: 'pass' };
+    return { name: 'sqlite', status: 'fail', detail: 'SELECT 1 returned unexpected result' };
+  } catch (err) {
+    return { name: 'sqlite', status: 'fail', detail: err && err.message ? err.message : String(err) };
+  }
+}
+
+// ── Postgres-side checks ────────────────────────────────────────────────────
+//
+// These mirror auditRumenPreconditions + verifyMnestraOutcomes + verifyRumenOutcomes
+// from setup/preconditions.js. We deliberately copy the SQL rather than
+// import the helper — preconditions.js is owned by other lanes and concurrent
+// edits to share code would step on T1/T4. The queries are small and stable.
+
+async function safeQueryRow(client, sql) {
+  try {
+    const r = await client.query(sql);
+    if (r.rows && r.rows.length > 0 && r.rows[0].ok) return { ok: true };
+    return { ok: false };
+  } catch (err) {
+    return { error: err && err.message ? err.message : String(err) };
+  }
+}
+
+async function safeQueryRows(client, sql) {
+  try {
+    const r = await client.query(sql);
+    return { rows: r.rows || [] };
+  } catch (err) {
+    return { error: err && err.message ? err.message : String(err) };
+  }
+}
+
+async function openPgClient(databaseUrl) {
+  if (!databaseUrl) return null;
+  let pgRunner;
+  try { pgRunner = require('./setup/pg-runner'); } catch (_e) { return null; }
+  try { return await pgRunner.connect(databaseUrl); } catch (_e) { return null; }
+}
+
+async function runPgChecks({ databaseUrl, _pgClient }) {
+  const checks = [];
+  const client = _pgClient || (await openPgClient(databaseUrl));
+  const owned = !_pgClient;
+
+  if (!client) {
+    checks.push({
+      name: 'mnestra-pg',
+      status: 'fail',
+      detail: databaseUrl
+        ? 'could not connect to Postgres using DATABASE_URL'
+        : 'DATABASE_URL not configured (set in ~/.termdeck/secrets.env)'
+    });
+    // Dependent checks can't run without a connection — surface them as
+    // fail rather than silently skipping so the report is complete.
+    for (const name of ['memory-items-col', 'pg-cron-ext', 'pg-net-ext', 'vault-secret', 'cron-job-active']) {
+      checks.push({ name, status: 'fail', detail: 'pg unavailable' });
+    }
+    return checks;
+  }
+
+  try {
+    const ping = await safeQueryRow(client, 'SELECT 1 AS ok');
+    if (ping.error) {
+      checks.push({ name: 'mnestra-pg', status: 'fail', detail: ping.error });
+    } else if (!ping.ok) {
+      checks.push({ name: 'mnestra-pg', status: 'fail', detail: 'SELECT 1 returned no row' });
+    } else {
+      checks.push({ name: 'mnestra-pg', status: 'pass' });
+    }
+
+    // memory_items.source_session_id — the v0.6.5 column from Brad's saga.
+    const col = await safeQueryRow(client,
+      "SELECT 1 AS ok FROM information_schema.columns " +
+      "WHERE table_schema = 'public' AND table_name = 'memory_items' AND column_name = 'source_session_id'");
+    if (col.error) {
+      checks.push({ name: 'memory-items-col', status: 'fail', detail: col.error });
+    } else if (!col.ok) {
+      checks.push({
+        name: 'memory-items-col',
+        status: 'fail',
+        detail:
+          'memory_items.source_session_id missing — re-run termdeck init --mnestra --yes ' +
+          '(if loader picked up a stale set, first: npm cache clean --force && npm i -g @jhizzard/termdeck@latest)'
+      });
+    } else {
+      checks.push({ name: 'memory-items-col', status: 'pass' });
+    }
+
+    const cron = await safeQueryRow(client,
+      "SELECT 1 AS ok FROM pg_extension WHERE extname = 'pg_cron'");
+    if (cron.error) {
+      checks.push({ name: 'pg-cron-ext', status: 'fail', detail: cron.error });
+    } else if (!cron.ok) {
+      checks.push({
+        name: 'pg-cron-ext',
+        status: 'fail',
+        detail: 'extension not enabled — Supabase dashboard → Database → Extensions → pg_cron'
+      });
+    } else {
+      checks.push({ name: 'pg-cron-ext', status: 'pass' });
+    }
+
+    const net = await safeQueryRow(client,
+      "SELECT 1 AS ok FROM pg_extension WHERE extname = 'pg_net'");
+    if (net.error) {
+      checks.push({ name: 'pg-net-ext', status: 'fail', detail: net.error });
+    } else if (!net.ok) {
+      checks.push({
+        name: 'pg-net-ext',
+        status: 'fail',
+        detail: 'extension not enabled — Supabase dashboard → Database → Extensions → pg_net'
+      });
+    } else {
+      checks.push({ name: 'pg-net-ext', status: 'pass' });
+    }
+
+    const vault = await safeQueryRow(client,
+      "SELECT 1 AS ok FROM vault.decrypted_secrets WHERE name = 'rumen_service_role_key'");
+    if (vault.error) {
+      checks.push({
+        name: 'vault-secret',
+        status: 'fail',
+        detail: `vault.decrypted_secrets unreadable — ${vault.error}`
+      });
+    } else if (!vault.ok) {
+      checks.push({
+        name: 'vault-secret',
+        status: 'fail',
+        detail: 'rumen_service_role_key missing — Supabase dashboard → Project Settings → Vault → New secret'
+      });
+    } else {
+      checks.push({ name: 'vault-secret', status: 'pass' });
+    }
+
+    const job = await safeQueryRows(client,
+      "SELECT active FROM cron.job WHERE jobname = 'rumen-tick'");
+    if (job.error) {
+      checks.push({ name: 'cron-job-active', status: 'fail', detail: `cron.job unreadable — ${job.error}` });
+    } else if (!job.rows || job.rows.length === 0) {
+      checks.push({
+        name: 'cron-job-active',
+        status: 'fail',
+        detail: 'rumen-tick row not found — re-run `termdeck init --rumen`'
+      });
+    } else if (!job.rows[0].active) {
+      checks.push({
+        name: 'cron-job-active',
+        status: 'fail',
+        detail:
+          "rumen-tick paused — SELECT cron.alter_job((SELECT jobid FROM cron.job WHERE jobname = 'rumen-tick'), active := true);"
+      });
+    } else {
+      checks.push({ name: 'cron-job-active', status: 'pass' });
+    }
+  } finally {
+    if (owned) {
+      try { await client.end(); } catch (_e) { /* ignore */ }
+    }
+  }
+
+  return checks;
+}
+
+// ── Warn checks ─────────────────────────────────────────────────────────────
+
+function httpReachable(url, timeoutMs = 2000) {
+  return new Promise((resolve) => {
+    const mod = url.startsWith('https:') ? https : http;
+    let req;
+    try {
+      req = mod.get(url, { timeout: timeoutMs }, (res) => {
+        const ok = res.statusCode != null && res.statusCode < 500;
+        res.resume();
+        resolve({ ok, status: res.statusCode });
+      });
+    } catch (err) {
+      resolve({ ok: false, error: err && err.message ? err.message : String(err) });
+      return;
+    }
+    req.on('error', (err) => resolve({ ok: false, error: err && err.message ? err.message : String(err) }));
+    req.on('timeout', () => { try { req.destroy(); } catch (_e) { /* gone */ } resolve({ ok: false, error: 'timeout' }); });
+  });
+}
+
+async function checkMnestraWebhook(config, options) {
+  if (options && typeof options._mnestraWebhookProbe === 'function') {
+    try {
+      const r = await options._mnestraWebhookProbe();
+      if (r && r.ok) return { name: 'mnestra-webhook', status: 'pass' };
+      return { name: 'mnestra-webhook', status: 'warn', detail: (r && r.detail) || 'unreachable' };
+    } catch (err) {
+      return { name: 'mnestra-webhook', status: 'warn', detail: err && err.message ? err.message : String(err) };
+    }
+  }
+  const rag = (config && config.rag) || {};
+  if (!rag.mnestraWebhookUrl) {
+    return { name: 'mnestra-webhook', status: 'warn', detail: 'webhook URL not configured' };
+  }
+  const healthUrl = String(rag.mnestraWebhookUrl).replace(/\/mnestra\/?$/, '/healthz');
+  const r = await httpReachable(healthUrl, 2000);
+  if (r.ok) return { name: 'mnestra-webhook', status: 'pass' };
+  return {
+    name: 'mnestra-webhook',
+    status: 'warn',
+    detail: r.error ? `unreachable — ${r.error}` : `HTTP ${r.status || '???'}`
+  };
+}
+
+async function checkRumenPool(config, options) {
+  if (options && typeof options._rumenPoolProbe === 'function') {
+    try {
+      const r = await options._rumenPoolProbe();
+      if (r && r.ok) return { name: 'rumen-pool', status: 'pass' };
+      return { name: 'rumen-pool', status: 'warn', detail: (r && r.detail) || 'unreachable (best-effort)' };
+    } catch (err) {
+      return { name: 'rumen-pool', status: 'warn', detail: err && err.message ? err.message : String(err) };
+    }
+  }
+  let pg;
+  try { pg = require('pg'); } catch (_e) { pg = null; }
+  if (!pg) return { name: 'rumen-pool', status: 'warn', detail: 'pg module not installed' };
+
+  const dbUrl = (config && config.rag && config.rag.databaseUrl) || process.env.DATABASE_URL;
+  if (!dbUrl) return { name: 'rumen-pool', status: 'warn', detail: 'DATABASE_URL not set' };
+
+  const pool = new pg.Pool({ connectionString: dbUrl, max: 1, connectionTimeoutMillis: 3000 });
+  try {
+    const res = await pool.query('SELECT 1 AS ok');
+    if (res.rows[0] && res.rows[0].ok === 1) return { name: 'rumen-pool', status: 'pass' };
+    return { name: 'rumen-pool', status: 'warn', detail: 'SELECT 1 returned unexpected result' };
+  } catch (err) {
+    return { name: 'rumen-pool', status: 'warn', detail: err && err.message ? err.message : String(err) };
+  } finally {
+    try { await pool.end(); } catch (_e) { /* ignore */ }
+  }
+}
+
+// ── Aggregator ──────────────────────────────────────────────────────────────
+
+async function getFullHealth(config = {}, options = {}) {
+  const refresh = !!options.refresh;
+  if (!refresh && _cache && (Date.now() - _cachedAt) < TTL_MS) {
+    return _cache;
+  }
+
+  const db = options.db || (config && config._db) || null;
+  const databaseUrl =
+    options.databaseUrl ||
+    (config && config.rag && config.rag.databaseUrl) ||
+    process.env.DATABASE_URL ||
+    null;
+
+  const checks = [];
+
+  // 1. SQLite (sync — small DB, no risk of blocking)
+  try { checks.push(checkSqlite(db)); }
+  catch (err) { checks.push({ name: 'sqlite', status: 'fail', detail: err && err.message ? err.message : String(err) }); }
+
+  // 2-7. Postgres-side suite
+  let pgChecks;
+  try { pgChecks = await runPgChecks({ databaseUrl, _pgClient: options._pgClient }); }
+  catch (err) {
+    pgChecks = [{
+      name: 'mnestra-pg',
+      status: 'fail',
+      detail: err && err.message ? err.message : String(err)
+    }];
+    for (const name of ['memory-items-col', 'pg-cron-ext', 'pg-net-ext', 'vault-secret', 'cron-job-active']) {
+      pgChecks.push({ name, status: 'fail', detail: 'pg suite aborted' });
+    }
+  }
+  for (const c of pgChecks) checks.push(c);
+
+  // 8. Mnestra webhook (warn)
+  let webhook;
+  try { webhook = await checkMnestraWebhook(config, options); }
+  catch (err) { webhook = { name: 'mnestra-webhook', status: 'warn', detail: err && err.message ? err.message : String(err) }; }
+  checks.push(webhook);
+
+  // 9. Rumen pool (warn)
+  let pool;
+  try { pool = await checkRumenPool(config, options); }
+  catch (err) { pool = { name: 'rumen-pool', status: 'warn', detail: err && err.message ? err.message : String(err) }; }
+  checks.push(pool);
+
+  const ok = checks
+    .filter((c) => REQUIRED_CHECKS.has(c.name))
+    .every((c) => c.status === 'pass');
+
+  const report = {
+    ok,
+    timestamp: new Date().toISOString(),
+    ttlSeconds: TTL_SECONDS,
+    checks
+  };
+
+  _cache = report;
+  _cachedAt = Date.now();
+
+  return report;
+}
+
+// Test seam — drop the cache between cases so call-count assertions hold.
+function _resetCache() {
+  _cache = null;
+  _cachedAt = 0;
+}
+
+module.exports = {
+  getFullHealth,
+  REQUIRED_CHECKS,
+  _resetCache
+};

package/packages/server/src/index.js

@@ -59,6 +59,7 @@ const { createBridge } = require('./mnestra-bridge');
 const { writeSessionLog } = require('./session-logger');
 const { TranscriptWriter } = require('./transcripts');
 const { createHealthHandler, runPreflight } = require('./preflight');
+const { getFullHealth } = require('./health');
 const { themes, statusColors } = require('./themes');
 const { loadConfig, addProject } = require('./config');
 const { createAuthMiddleware, verifyWebSocketUpgrade, hasAuth } = require('./auth');
@@ -146,6 +147,24 @@ function createServer(config) {
   // or scope the response to a minimal {status, version} payload.
   app.get('/api/health', createHealthHandler(config));
 
+  // GET /api/health/full - v0.7.0 runtime health snapshot (Sprint 32 T3)
+  // Mirrors the install-time auditPreconditions/verifyOutcomes pattern from
+  // v0.6.9 at runtime: re-runs the same SELECTs against pg_extension,
+  // vault.decrypted_secrets, cron.job, and information_schema.columns so a
+  // post-install drift (extension toggled off, schedule paused, stale loader
+  // shadow) is observable without a re-install. Cached 30s; pass ?refresh=1
+  // to bypass. Required checks drive the response status (200 ok / 503 fail);
+  // warn checks (mnestra-webhook, rumen-pool) never flip ok.
+  app.get('/api/health/full', async (req, res) => {
+    const refresh = req.query.refresh === '1' || req.query.refresh === 'true';
+    try {
+      const report = await getFullHealth(config, { refresh, db });
+      res.status(report.ok ? 200 : 503).json(report);
+    } catch (err) {
+      res.status(500).json({ ok: false, error: err && err.message ? err.message : String(err) });
+    }
+  });
+
   // GET /api/setup - setup wizard tier status (Sprint 19 T1)
   // Reuses preflight checks (mnestra_reachable, rumen_recent) and pairs them
   // with filesystem + config signals to classify which of the 4 TermDeck tiers

package/packages/server/src/session.js

@@ -1,9 +1,19 @@
 // Session manager - PTY lifecycle, metadata tracking, output analysis
-// Each session wraps a node-pty instance with rich metadata
+// Each session wraps a node-pty instance with rich metadata.
+//
+// v0.7.0 theme model (see theme-resolver.js): meta.theme is a *getter* that
+// resolves at read time from { session.theme_override → project default →
+// global default → 'tokyo-night' }. The session no longer snapshots a theme
+// string into meta at construction. This is the getter form (vs. the
+// alternative of recomputing-and-writing on every metadata broadcast) because
+// it makes the resolution path explicit at every read site and keeps the
+// metadata broadcast in index.js untouched — `s.meta.theme` already returns
+// the right thing whenever index.js dereferences it.
 
 const { v4: uuidv4 } = require('uuid');
 const os = require('os');
 const path = require('path');
+const { resolveTheme } = require('./theme-resolver');
 
 // Strip ANSI escape codes for pattern matching
 function stripAnsi(str) {
@@ -69,6 +79,24 @@ class Session {
     this.pty = null;
     this.ws = null;
 
+    // v0.7.0: theme_override is the user's explicit dropdown choice (NULL = no
+    // override → resolveTheme falls through to project / global default at
+    // read time). The legacy `options.theme` argument is intentionally NOT
+    // stored as an override here — it arrives from index.js already
+    // pre-defaulted (`theme || project.defaultTheme || config.defaultTheme`),
+    // which means we can no longer distinguish a real user choice from the
+    // server-filled default at the create-call boundary. Real overrides come
+    // through PATCH /api/sessions/:id (see updateMeta below).
+    this.theme_override = options.themeOverride != null ? options.themeOverride : null;
+
+    // Project (mirrored from meta for theme-resolver convenience — resolveTheme
+    // reads `session.project`, not `session.meta.project`).
+    Object.defineProperty(this, 'project', {
+      get: () => this.meta.project,
+      enumerable: false,
+      configurable: true
+    });
+
     // Metadata
     this.meta = {
       type: options.type || 'shell',        // shell, claude-code, gemini, python-server, one-shot
@@ -89,14 +117,23 @@ class Session {
       exitCode: null,
       childProcesses: [],
 
-      // Theme
-      theme: options.theme || 'tokyo-night',
-
       // RAG
       ragEnabled: options.ragEnabled !== false,
       ragEvents: []                          // buffer before flush
     };
 
+    // theme is render-time resolved (see header comment + theme-resolver.js).
+    // Reads call resolveTheme(this, undefined) which falls back to the cached
+    // ~/.termdeck/config.yaml. Writes route to theme_override so PATCH/UPDATE
+    // through `session.meta.theme = 'dracula'` persists correctly. Setting
+    // null clears the override and reverts to the config-derived default.
+    Object.defineProperty(this.meta, 'theme', {
+      get: () => resolveTheme(this),
+      set: (val) => { this.theme_override = val == null ? null : val; },
+      enumerable: true,
+      configurable: true
+    });
+
     // Transcript chunk counter — monotonic per session for deterministic replay
     this.transcriptChunkIndex = 0;
 
@@ -383,11 +420,16 @@ class SessionManager {
     const session = new Session(options);
     this.sessions.set(session.id, session);
 
-    // Persist to SQLite
+    // Persist to SQLite. Both columns get written:
+    //   theme           — legacy; the resolved value at create time, kept for
+    //                     backward-compat with any consumer that still reads it.
+    //                     Not authoritative post-v0.7.0.
+    //   theme_override  — v0.7.0 authoritative column. NULL on create — only
+    //                     a PATCH from the dropdown sets it (see updateMeta).
     if (this.db) {
       this.db.prepare(`
-        INSERT INTO sessions (id, type, project, label, command, cwd, created_at, reason, theme)
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+        INSERT INTO sessions (id, type, project, label, command, cwd, created_at, reason, theme, theme_override)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
       `).run(
         session.id,
         session.meta.type,
@@ -397,7 +439,8 @@ class SessionManager {
         session.meta.cwd,
         session.meta.createdAt,
         session.meta.reason,
-        session.meta.theme
+        session.meta.theme,           // resolved snapshot, legacy column
+        session.theme_override        // NULL by default
       );
     }
 
@@ -435,14 +478,16 @@ class SessionManager {
     const applied = {};
     for (const [key, val] of Object.entries(updates)) {
       if (!SessionManager.PATCHABLE_META_FIELDS.has(key)) continue;
-      session.meta[key] = val;
+      session.meta[key] = val;          // theme assignment routes through the setter → theme_override
       applied[key] = val;
     }
 
-    // Persist theme changes to SQLite
-    if (applied.theme && this.db) {
-      this.db.prepare('UPDATE sessions SET theme = ? WHERE id = ?')
-        .run(applied.theme, id);
+    // Persist theme changes to SQLite. v0.7.0: writes go to theme_override
+    // (the authoritative column); a `theme: null` PATCH clears the override
+    // and reverts the session to the config-derived default at next read.
+    if ('theme' in applied && this.db) {
+      this.db.prepare('UPDATE sessions SET theme_override = ? WHERE id = ?')
+        .run(applied.theme == null ? null : applied.theme, id);
     }
 
     this._emit('session:updated', session);

package/packages/server/src/theme-resolver.js

@@ -0,0 +1,77 @@
+// Theme resolver — render-time theme resolution (v0.7.0).
+//
+// Pre-v0.7.0, the theme each terminal rendered with was snapshotted at session
+// creation time and written into sessions.theme. Editing ~/.termdeck/config.yaml
+// and restarting the server did not change existing terminals' themes — they
+// kept whatever the wizard had written into SQLite at create time.
+// (Brad, 2026-04-26: "ignores changes to config.yaml and is stuck in tokyo night.")
+//
+// v0.7.0 separates "the user explicitly chose a theme for this terminal" from
+// "fall back to whatever the config currently says is the default":
+//
+//   sessions.theme_override  →  user's explicit choice via the dropdown (NULL = no override)
+//   config.projects[p].defaultTheme → per-project default in YAML
+//   config.defaultTheme       →  global default in YAML
+//   'tokyo-night'             →  hard-coded floor
+//
+// resolveTheme(session, config) walks that ladder. Called at *read time*
+// (every metadata broadcast), so editing config.yaml + restarting the server
+// — or just editing it, since getCurrentConfig() invalidates on file mtime —
+// propagates to all un-overridden sessions immediately.
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+let _configCache = { mtimeMs: 0, value: null, frozen: false };
+
+function getCurrentConfig() {
+  // Used as the second-arg fallback when the caller doesn't pass an explicit
+  // config (production path: meta.theme getter inside Session). Keyed off the
+  // YAML file's mtime so a Brad-style "edit config.yaml + restart" — and even
+  // an edit *without* restart — picks up the new defaults on the next read.
+  if (_configCache.frozen) return _configCache.value;
+  try {
+    const cfgPath = path.join(os.homedir(), '.termdeck', 'config.yaml');
+    const stat = fs.statSync(cfgPath);
+    if (_configCache.value && stat.mtimeMs === _configCache.mtimeMs) {
+      return _configCache.value;
+    }
+    const { loadConfig } = require('./config');
+    _configCache = { mtimeMs: stat.mtimeMs, value: loadConfig(), frozen: false };
+    return _configCache.value;
+  } catch {
+    return _configCache.value || {};
+  }
+}
+
+function resolveTheme(session, config) {
+  const cfg = config || getCurrentConfig();
+  const project = session && session.project;
+  const projectDefault = cfg && cfg.projects && project && cfg.projects[project] && cfg.projects[project].defaultTheme;
+  return (
+    (session && session.theme_override) ||
+    projectDefault ||
+    (cfg && cfg.defaultTheme) ||
+    'tokyo-night'
+  );
+}
+
+// Test seam: freezes the cache so the disk-mtime check is bypassed. Lets unit
+// tests inject a config without an actual ~/.termdeck/config.yaml on disk (or
+// while the user *does* have one — important: the dev box typically has a real
+// config.yaml that would otherwise leak into tests). Production never calls this.
+function _setCachedConfigForTests(value) {
+  _configCache = { mtimeMs: Number.MAX_SAFE_INTEGER, value, frozen: true };
+}
+
+function _resetCacheForTests() {
+  _configCache = { mtimeMs: 0, value: null, frozen: false };
+}
+
+module.exports = {
+  resolveTheme,
+  getCurrentConfig,
+  _setCachedConfigForTests,
+  _resetCacheForTests
+};