npm - @monoes/monomindcli - Versions diffs - 1.11.14 → 1.13.0 - Mend

@monoes/monomindcli 1.11.14 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (434) hide show

package/.claude/agents/generated/channel-intelligence-director.md +87 -0
package/.claude/agents/generated/chief-growth-officer.md +88 -0
package/.claude/agents/generated/content-seo-strategist.md +90 -0
package/.claude/agents/generated/developer-community-strategist.md +91 -0
package/.claude/agents/generated/outreach-partnership-strategist.md +90 -0
package/.claude/agents/generated/social-media-strategist.md +91 -0
package/.claude/agents/generated/video-visual-strategist.md +90 -0
package/.claude/commands/mastermind/master.md +1 -1
package/.claude/helpers/auto-memory-hook.mjs +13 -4
package/.claude/helpers/control-start.cjs +5 -0
package/.claude/helpers/event-logger.cjs +114 -0
package/.claude/helpers/handlers/adr-draft-handler.cjs +19 -5
package/.claude/helpers/handlers/agent-start-handler.cjs +13 -4
package/.claude/helpers/handlers/compact-handler.cjs +2 -0
package/.claude/helpers/handlers/edit-handler.cjs +1 -1
package/.claude/helpers/handlers/gates-handler.cjs +3 -0
package/.claude/helpers/handlers/graph-status-handler.cjs +14 -8
package/.claude/helpers/handlers/loops-status-handler.cjs +5 -2
package/.claude/helpers/handlers/route-handler.cjs +24 -10
package/.claude/helpers/handlers/session-handler.cjs +11 -4
package/.claude/helpers/handlers/session-restore-handler.cjs +35 -19
package/.claude/helpers/handlers/task-handler.cjs +13 -5
package/.claude/helpers/hook-handler.cjs +40 -0
package/.claude/helpers/intelligence.cjs +130 -53
package/.claude/helpers/loop-tracker.cjs +15 -3
package/.claude/helpers/memory-palace.cjs +461 -0
package/.claude/helpers/memory.cjs +138 -14
package/.claude/helpers/metrics-db.mjs +87 -0
package/.claude/helpers/router.cjs +300 -42
package/.claude/helpers/session.cjs +89 -30
package/.claude/helpers/statusline.cjs +148 -4
package/.claude/helpers/toggle-statusline.cjs +73 -0
package/.claude/helpers/token-tracker.cjs +934 -0
package/.claude/helpers/utils/micro-agents.cjs +20 -4
package/.claude/helpers/utils/monograph.cjs +39 -4
package/.claude/helpers/utils/telemetry.cjs +3 -3
package/.claude/skills/mastermind/_protocol.md +25 -15
package/.claude/skills/mastermind/architect.md +3 -3
package/.claude/skills/mastermind/autodev.md +4 -2
package/.claude/skills/mastermind/idea.md +10 -0
package/.claude/skills/mastermind/ops.md +3 -3
package/.claude/skills/mastermind/runorg.md +153 -86
package/dist/src/agents/registry-builder.d.ts.map +1 -1
package/dist/src/agents/registry-builder.js +2 -0
package/dist/src/agents/registry-builder.js.map +1 -1
package/dist/src/autopilot-state.d.ts.map +1 -1
package/dist/src/autopilot-state.js +10 -5
package/dist/src/autopilot-state.js.map +1 -1
package/dist/src/benchmarks/benchmark-runner.d.ts.map +1 -1
package/dist/src/benchmarks/benchmark-runner.js +13 -0
package/dist/src/benchmarks/benchmark-runner.js.map +1 -1
package/dist/src/benchmarks/metric-evaluators.d.ts.map +1 -1
package/dist/src/benchmarks/metric-evaluators.js +20 -9
package/dist/src/benchmarks/metric-evaluators.js.map +1 -1
package/dist/src/browser/actions.d.ts.map +1 -1
package/dist/src/browser/actions.js +10 -3
package/dist/src/browser/actions.js.map +1 -1
package/dist/src/browser/browser.d.ts.map +1 -1
package/dist/src/browser/browser.js +12 -2
package/dist/src/browser/browser.js.map +1 -1
package/dist/src/browser/cdp.d.ts.map +1 -1
package/dist/src/browser/cdp.js +21 -3
package/dist/src/browser/cdp.js.map +1 -1
package/dist/src/browser/har.d.ts.map +1 -1
package/dist/src/browser/har.js +27 -5
package/dist/src/browser/har.js.map +1 -1
package/dist/src/commands/agent.d.ts.map +1 -1
package/dist/src/commands/agent.js +11 -8
package/dist/src/commands/agent.js.map +1 -1
package/dist/src/commands/analyze.d.ts.map +1 -1
package/dist/src/commands/analyze.js +36 -21
package/dist/src/commands/analyze.js.map +1 -1
package/dist/src/commands/autopilot.d.ts.map +1 -1
package/dist/src/commands/autopilot.js +12 -4
package/dist/src/commands/autopilot.js.map +1 -1
package/dist/src/commands/benchmark.d.ts.map +1 -1
package/dist/src/commands/benchmark.js +51 -8
package/dist/src/commands/benchmark.js.map +1 -1
package/dist/src/commands/browse.d.ts.map +1 -1
package/dist/src/commands/browse.js +5 -2
package/dist/src/commands/browse.js.map +1 -1
package/dist/src/commands/claims.d.ts.map +1 -1
package/dist/src/commands/claims.js +29 -11
package/dist/src/commands/claims.js.map +1 -1
package/dist/src/commands/cleanup.d.ts.map +1 -1
package/dist/src/commands/cleanup.js +25 -5
package/dist/src/commands/cleanup.js.map +1 -1
package/dist/src/commands/config.d.ts.map +1 -1
package/dist/src/commands/config.js +15 -7
package/dist/src/commands/config.js.map +1 -1
package/dist/src/commands/daemon.d.ts.map +1 -1
package/dist/src/commands/daemon.js +6 -0
package/dist/src/commands/daemon.js.map +1 -1
package/dist/src/commands/deployment.d.ts.map +1 -1
package/dist/src/commands/deployment.js +34 -19
package/dist/src/commands/deployment.js.map +1 -1
package/dist/src/commands/doctor.d.ts.map +1 -1
package/dist/src/commands/doctor.js +133 -15
package/dist/src/commands/doctor.js.map +1 -1
package/dist/src/commands/guidance.d.ts.map +1 -1
package/dist/src/commands/guidance.js +15 -2
package/dist/src/commands/guidance.js.map +1 -1
package/dist/src/commands/hive-mind.d.ts.map +1 -1
package/dist/src/commands/hive-mind.js +37 -14
package/dist/src/commands/hive-mind.js.map +1 -1
package/dist/src/commands/hooks.d.ts.map +1 -1
package/dist/src/commands/hooks.js +42 -25
package/dist/src/commands/hooks.js.map +1 -1
package/dist/src/commands/init.d.ts.map +1 -1
package/dist/src/commands/init.js +9 -4
package/dist/src/commands/init.js.map +1 -1
package/dist/src/commands/issues.d.ts.map +1 -1
package/dist/src/commands/issues.js +29 -26
package/dist/src/commands/issues.js.map +1 -1
package/dist/src/commands/mcp.d.ts.map +1 -1
package/dist/src/commands/mcp.js +11 -5
package/dist/src/commands/mcp.js.map +1 -1
package/dist/src/commands/memory.d.ts.map +1 -1
package/dist/src/commands/memory.js +10 -0
package/dist/src/commands/memory.js.map +1 -1
package/dist/src/commands/migrate.js +5 -5
package/dist/src/commands/migrate.js.map +1 -1
package/dist/src/commands/monograph.d.ts.map +1 -1
package/dist/src/commands/monograph.js +18 -5
package/dist/src/commands/monograph.js.map +1 -1
package/dist/src/commands/monovector/backup.d.ts.map +1 -1
package/dist/src/commands/monovector/backup.js +8 -2
package/dist/src/commands/monovector/backup.js.map +1 -1
package/dist/src/commands/monovector/benchmark.d.ts.map +1 -1
package/dist/src/commands/monovector/benchmark.js +20 -7
package/dist/src/commands/monovector/benchmark.js.map +1 -1
package/dist/src/commands/monovector/import.d.ts.map +1 -1
package/dist/src/commands/monovector/import.js +15 -0
package/dist/src/commands/monovector/import.js.map +1 -1
package/dist/src/commands/monovector/migrate.d.ts.map +1 -1
package/dist/src/commands/monovector/migrate.js +4 -1
package/dist/src/commands/monovector/migrate.js.map +1 -1
package/dist/src/commands/monovector/optimize.d.ts.map +1 -1
package/dist/src/commands/monovector/optimize.js +11 -0
package/dist/src/commands/monovector/optimize.js.map +1 -1
package/dist/src/commands/monovector/setup.d.ts.map +1 -1
package/dist/src/commands/monovector/setup.js +11 -1
package/dist/src/commands/monovector/setup.js.map +1 -1
package/dist/src/commands/neural.js +1 -1
package/dist/src/commands/neural.js.map +1 -1
package/dist/src/commands/performance.d.ts.map +1 -1
package/dist/src/commands/performance.js +20 -7
package/dist/src/commands/performance.js.map +1 -1
package/dist/src/commands/platforms.d.ts.map +1 -1
package/dist/src/commands/platforms.js +90 -8
package/dist/src/commands/platforms.js.map +1 -1
package/dist/src/commands/plugins.d.ts.map +1 -1
package/dist/src/commands/plugins.js +12 -5
package/dist/src/commands/plugins.js.map +1 -1
package/dist/src/commands/process.d.ts.map +1 -1
package/dist/src/commands/process.js +33 -10
package/dist/src/commands/process.js.map +1 -1
package/dist/src/commands/progress.d.ts.map +1 -1
package/dist/src/commands/progress.js +5 -3
package/dist/src/commands/progress.js.map +1 -1
package/dist/src/commands/providers.js +5 -5
package/dist/src/commands/providers.js.map +1 -1
package/dist/src/commands/replay.d.ts.map +1 -1
package/dist/src/commands/replay.js +8 -2
package/dist/src/commands/replay.js.map +1 -1
package/dist/src/commands/route.d.ts.map +1 -1
package/dist/src/commands/route.js +27 -7
package/dist/src/commands/route.js.map +1 -1
package/dist/src/commands/security.d.ts.map +1 -1
package/dist/src/commands/security.js +4 -0
package/dist/src/commands/security.js.map +1 -1
package/dist/src/commands/session.d.ts.map +1 -1
package/dist/src/commands/session.js +12 -1
package/dist/src/commands/session.js.map +1 -1
package/dist/src/commands/start.d.ts.map +1 -1
package/dist/src/commands/start.js +11 -4
package/dist/src/commands/start.js.map +1 -1
package/dist/src/commands/status.d.ts.map +1 -1
package/dist/src/commands/status.js +7 -4
package/dist/src/commands/status.js.map +1 -1
package/dist/src/commands/swarm.d.ts.map +1 -1
package/dist/src/commands/swarm.js +27 -13
package/dist/src/commands/swarm.js.map +1 -1
package/dist/src/commands/task.d.ts.map +1 -1
package/dist/src/commands/task.js +26 -11
package/dist/src/commands/task.js.map +1 -1
package/dist/src/commands/tokens.d.ts.map +1 -1
package/dist/src/commands/tokens.js +7 -2
package/dist/src/commands/tokens.js.map +1 -1
package/dist/src/commands/transfer-store.d.ts.map +1 -1
package/dist/src/commands/transfer-store.js +36 -22
package/dist/src/commands/transfer-store.js.map +1 -1
package/dist/src/commands/update.d.ts.map +1 -1
package/dist/src/commands/update.js +15 -3
package/dist/src/commands/update.js.map +1 -1
package/dist/src/commands/workflow.d.ts.map +1 -1
package/dist/src/commands/workflow.js +39 -6
package/dist/src/commands/workflow.js.map +1 -1
package/dist/src/consensus/audit-writer.d.ts.map +1 -1
package/dist/src/consensus/audit-writer.js +18 -7
package/dist/src/consensus/audit-writer.js.map +1 -1
package/dist/src/consensus/vote-signer.d.ts.map +1 -1
package/dist/src/consensus/vote-signer.js +25 -8
package/dist/src/consensus/vote-signer.js.map +1 -1
package/dist/src/index.d.ts.map +1 -1
package/dist/src/index.js +7 -3
package/dist/src/index.js.map +1 -1
package/dist/src/init/executor.d.ts.map +1 -1
package/dist/src/init/executor.js +14 -11
package/dist/src/init/executor.js.map +1 -1
package/dist/src/init/shared-instructions-generator.d.ts.map +1 -1
package/dist/src/init/shared-instructions-generator.js +20 -4
package/dist/src/init/shared-instructions-generator.js.map +1 -1
package/dist/src/init/statusline-generator.d.ts.map +1 -1
package/dist/src/init/statusline-generator.js +36 -15
package/dist/src/init/statusline-generator.js.map +1 -1
package/dist/src/mcp-tools/a2a-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/a2a-tools.js +98 -13
package/dist/src/mcp-tools/a2a-tools.js.map +1 -1
package/dist/src/mcp-tools/agent-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/agent-tools.js +16 -3
package/dist/src/mcp-tools/agent-tools.js.map +1 -1
package/dist/src/mcp-tools/analyze-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/analyze-tools.js +80 -17
package/dist/src/mcp-tools/analyze-tools.js.map +1 -1
package/dist/src/mcp-tools/browser-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/browser-tools.js +84 -22
package/dist/src/mcp-tools/browser-tools.js.map +1 -1
package/dist/src/mcp-tools/claims-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/claims-tools.js +35 -7
package/dist/src/mcp-tools/claims-tools.js.map +1 -1
package/dist/src/mcp-tools/config-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/config-tools.js +82 -17
package/dist/src/mcp-tools/config-tools.js.map +1 -1
package/dist/src/mcp-tools/coordination-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/coordination-tools.js +37 -4
package/dist/src/mcp-tools/coordination-tools.js.map +1 -1
package/dist/src/mcp-tools/daa-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/daa-tools.js +49 -7
package/dist/src/mcp-tools/daa-tools.js.map +1 -1
package/dist/src/mcp-tools/embeddings-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/embeddings-tools.js +45 -18
package/dist/src/mcp-tools/embeddings-tools.js.map +1 -1
package/dist/src/mcp-tools/github-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/github-tools.js +75 -25
package/dist/src/mcp-tools/github-tools.js.map +1 -1
package/dist/src/mcp-tools/guidance-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/guidance-tools.js +32 -10
package/dist/src/mcp-tools/guidance-tools.js.map +1 -1
package/dist/src/mcp-tools/hive-mind-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/hive-mind-tools.js +91 -20
package/dist/src/mcp-tools/hive-mind-tools.js.map +1 -1
package/dist/src/mcp-tools/hooks-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/hooks-tools.js +188 -29
package/dist/src/mcp-tools/hooks-tools.js.map +1 -1
package/dist/src/mcp-tools/memory-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/memory-tools.js +25 -7
package/dist/src/mcp-tools/memory-tools.js.map +1 -1
package/dist/src/mcp-tools/monograph-compat.d.ts.map +1 -1
package/dist/src/mcp-tools/monograph-compat.js +11 -2
package/dist/src/mcp-tools/monograph-compat.js.map +1 -1
package/dist/src/mcp-tools/monograph-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/monograph-tools.js +476 -62
package/dist/src/mcp-tools/monograph-tools.js.map +1 -1
package/dist/src/mcp-tools/neural-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/neural-tools.js +44 -9
package/dist/src/mcp-tools/neural-tools.js.map +1 -1
package/dist/src/mcp-tools/performance-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/performance-tools.js +45 -10
package/dist/src/mcp-tools/performance-tools.js.map +1 -1
package/dist/src/mcp-tools/progress-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/progress-tools.js +7 -4
package/dist/src/mcp-tools/progress-tools.js.map +1 -1
package/dist/src/mcp-tools/request-tracker.d.ts.map +1 -1
package/dist/src/mcp-tools/request-tracker.js +15 -1
package/dist/src/mcp-tools/request-tracker.js.map +1 -1
package/dist/src/mcp-tools/security-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/security-tools.js +61 -9
package/dist/src/mcp-tools/security-tools.js.map +1 -1
package/dist/src/mcp-tools/session-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/session-tools.js +45 -14
package/dist/src/mcp-tools/session-tools.js.map +1 -1
package/dist/src/mcp-tools/swarm-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/swarm-tools.js +15 -3
package/dist/src/mcp-tools/swarm-tools.js.map +1 -1
package/dist/src/mcp-tools/system-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/system-tools.js +14 -7
package/dist/src/mcp-tools/system-tools.js.map +1 -1
package/dist/src/mcp-tools/task-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/task-tools.js +52 -10
package/dist/src/mcp-tools/task-tools.js.map +1 -1
package/dist/src/mcp-tools/terminal-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/terminal-tools.js +40 -6
package/dist/src/mcp-tools/terminal-tools.js.map +1 -1
package/dist/src/mcp-tools/transfer-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/transfer-tools.js +37 -4
package/dist/src/mcp-tools/transfer-tools.js.map +1 -1
package/dist/src/mcp-tools/workflow-tools.d.ts.map +1 -1
package/dist/src/mcp-tools/workflow-tools.js +29 -6
package/dist/src/mcp-tools/workflow-tools.js.map +1 -1
package/dist/src/memory/ewc-consolidation.d.ts.map +1 -1
package/dist/src/memory/ewc-consolidation.js +26 -10
package/dist/src/memory/ewc-consolidation.js.map +1 -1
package/dist/src/memory/intelligence.d.ts.map +1 -1
package/dist/src/memory/intelligence.js +80 -19
package/dist/src/memory/intelligence.js.map +1 -1
package/dist/src/memory/memory-bridge.d.ts.map +1 -1
package/dist/src/memory/memory-bridge.js +21 -2
package/dist/src/memory/memory-bridge.js.map +1 -1
package/dist/src/memory/memory-initializer.d.ts.map +1 -1
package/dist/src/memory/memory-initializer.js +67 -3
package/dist/src/memory/memory-initializer.js.map +1 -1
package/dist/src/memory/sona-optimizer.d.ts.map +1 -1
package/dist/src/memory/sona-optimizer.js +14 -4
package/dist/src/memory/sona-optimizer.js.map +1 -1
package/dist/src/monovector/command-outcomes.d.ts.map +1 -1
package/dist/src/monovector/command-outcomes.js +43 -7
package/dist/src/monovector/command-outcomes.js.map +1 -1
package/dist/src/monovector/coverage-router.d.ts.map +1 -1
package/dist/src/monovector/coverage-router.js +8 -4
package/dist/src/monovector/coverage-router.js.map +1 -1
package/dist/src/monovector/coverage-tools.d.ts.map +1 -1
package/dist/src/monovector/coverage-tools.js +6 -3
package/dist/src/monovector/coverage-tools.js.map +1 -1
package/dist/src/monovector/diff-classifier.d.ts.map +1 -1
package/dist/src/monovector/diff-classifier.js +13 -0
package/dist/src/monovector/diff-classifier.js.map +1 -1
package/dist/src/monovector/route-outcomes.d.ts +2 -1
package/dist/src/monovector/route-outcomes.d.ts.map +1 -1
package/dist/src/monovector/route-outcomes.js +46 -4
package/dist/src/monovector/route-outcomes.js.map +1 -1
package/dist/src/plugins/manager.d.ts.map +1 -1
package/dist/src/plugins/manager.js +8 -3
package/dist/src/plugins/manager.js.map +1 -1
package/dist/src/plugins/store/discovery.d.ts.map +1 -1
package/dist/src/plugins/store/discovery.js +46 -2
package/dist/src/plugins/store/discovery.js.map +1 -1
package/dist/src/plugins/store/search.d.ts.map +1 -1
package/dist/src/plugins/store/search.js +5 -4
package/dist/src/plugins/store/search.js.map +1 -1
package/dist/src/production/circuit-breaker.d.ts.map +1 -1
package/dist/src/production/circuit-breaker.js +17 -3
package/dist/src/production/circuit-breaker.js.map +1 -1
package/dist/src/production/error-handler.d.ts.map +1 -1
package/dist/src/production/error-handler.js +3 -0
package/dist/src/production/error-handler.js.map +1 -1
package/dist/src/production/monitoring.d.ts.map +1 -1
package/dist/src/production/monitoring.js +20 -3
package/dist/src/production/monitoring.js.map +1 -1
package/dist/src/production/rate-limiter.d.ts.map +1 -1
package/dist/src/production/rate-limiter.js +13 -4
package/dist/src/production/rate-limiter.js.map +1 -1
package/dist/src/production/retry.d.ts.map +1 -1
package/dist/src/production/retry.js +17 -9
package/dist/src/production/retry.js.map +1 -1
package/dist/src/routing/embed-worker.js +6 -2
package/dist/src/routing/embed-worker.js.map +1 -1
package/dist/src/routing/embedder.d.ts.map +1 -1
package/dist/src/routing/embedder.js +0 -0
package/dist/src/routing/embedder.js.map +1 -1
package/dist/src/routing/llm-caller.d.ts.map +1 -1
package/dist/src/routing/llm-caller.js +13 -2
package/dist/src/routing/llm-caller.js.map +1 -1
package/dist/src/routing/route-layer-factory.d.ts.map +1 -1
package/dist/src/routing/route-layer-factory.js +18 -3
package/dist/src/routing/route-layer-factory.js.map +1 -1
package/dist/src/services/claim-service.d.ts +1 -0
package/dist/src/services/claim-service.d.ts.map +1 -1
package/dist/src/services/claim-service.js +8 -0
package/dist/src/services/claim-service.js.map +1 -1
package/dist/src/services/config-file-manager.d.ts.map +1 -1
package/dist/src/services/config-file-manager.js +14 -2
package/dist/src/services/config-file-manager.js.map +1 -1
package/dist/src/services/headless-worker-executor.d.ts.map +1 -1
package/dist/src/services/headless-worker-executor.js +18 -2
package/dist/src/services/headless-worker-executor.js.map +1 -1
package/dist/src/services/worker-daemon.d.ts.map +1 -1
package/dist/src/services/worker-daemon.js +348 -17
package/dist/src/services/worker-daemon.js.map +1 -1
package/dist/src/transfer/anonymization/index.d.ts +0 -3
package/dist/src/transfer/anonymization/index.d.ts.map +1 -1
package/dist/src/transfer/anonymization/index.js +16 -1
package/dist/src/transfer/anonymization/index.js.map +1 -1
package/dist/src/transfer/export.d.ts.map +1 -1
package/dist/src/transfer/export.js +8 -0
package/dist/src/transfer/export.js.map +1 -1
package/dist/src/transfer/ipfs/upload.d.ts.map +1 -1
package/dist/src/transfer/ipfs/upload.js +33 -3
package/dist/src/transfer/ipfs/upload.js.map +1 -1
package/dist/src/transfer/serialization/cfp.d.ts.map +1 -1
package/dist/src/transfer/serialization/cfp.js +8 -2
package/dist/src/transfer/serialization/cfp.js.map +1 -1
package/dist/src/transfer/storage/gcs.d.ts.map +1 -1
package/dist/src/transfer/storage/gcs.js +37 -3
package/dist/src/transfer/storage/gcs.js.map +1 -1
package/dist/src/transfer/store/discovery.d.ts.map +1 -1
package/dist/src/transfer/store/discovery.js +45 -3
package/dist/src/transfer/store/discovery.js.map +1 -1
package/dist/src/transfer/store/download.d.ts.map +1 -1
package/dist/src/transfer/store/download.js +5 -0
package/dist/src/transfer/store/download.js.map +1 -1
package/dist/src/transfer/store/publish.d.ts.map +1 -1
package/dist/src/transfer/store/publish.js +13 -1
package/dist/src/transfer/store/publish.js.map +1 -1
package/dist/src/transfer/store/registry.d.ts +8 -0
package/dist/src/transfer/store/registry.d.ts.map +1 -1
package/dist/src/transfer/store/registry.js +30 -5
package/dist/src/transfer/store/registry.js.map +1 -1
package/dist/src/transfer/store/search.d.ts.map +1 -1
package/dist/src/transfer/store/search.js +20 -5
package/dist/src/transfer/store/search.js.map +1 -1
package/dist/src/ui/collector.mjs +39 -5
package/dist/src/ui/dashboard.html +1603 -1284
package/dist/src/ui/orgs.html +722 -12
package/dist/src/ui/server.mjs +717 -136
package/dist/src/update/checker.d.ts.map +1 -1
package/dist/src/update/checker.js +59 -7
package/dist/src/update/checker.js.map +1 -1
package/dist/src/update/executor.d.ts.map +1 -1
package/dist/src/update/executor.js +50 -3
package/dist/src/update/executor.js.map +1 -1
package/dist/src/update/index.d.ts.map +1 -1
package/dist/src/update/index.js +18 -1
package/dist/src/update/index.js.map +1 -1
package/dist/src/update/rate-limiter.d.ts +6 -0
package/dist/src/update/rate-limiter.d.ts.map +1 -1
package/dist/src/update/rate-limiter.js +79 -7
package/dist/src/update/rate-limiter.js.map +1 -1
package/dist/src/update/validator.d.ts.map +1 -1
package/dist/src/update/validator.js +52 -1
package/dist/src/update/validator.js.map +1 -1
package/dist/tsconfig.tsbuildinfo +1 -1
package/package.json +2 -3
package/dist/src/ui/data/mastermind-events.jsonl +0 -59

package/dist/src/ui/server.mjs CHANGED Viewed

@@ -11,6 +11,7 @@ const buildDocsState = new Map();
 // Pricing per token (mirrors token-tracker.cjs FALLBACK_PRICING)
 const _SJ_PRICING = {
+  'claude-opus-4-8':   { in: 5e-6,    out: 25e-6,   cw: 6.25e-6,  cr: 0.5e-6  },
   'claude-opus-4-6':   { in: 5e-6,    out: 25e-6,   cw: 6.25e-6,  cr: 0.5e-6  },
   'claude-opus-4-5':   { in: 5e-6,    out: 25e-6,   cw: 6.25e-6,  cr: 0.5e-6  },
   'claude-opus-4':     { in: 15e-6,   out: 75e-6,   cw: 18.75e-6, cr: 1.5e-6  },
@@ -20,13 +21,16 @@ const _SJ_PRICING = {
   'claude-3-7-sonnet': { in: 3e-6,    out: 15e-6,   cw: 3.75e-6,  cr: 0.3e-6  },
   'claude-3-5-sonnet': { in: 3e-6,    out: 15e-6,   cw: 3.75e-6,  cr: 0.3e-6  },
   'claude-haiku-4-5':  { in: 1e-6,    out: 5e-6,    cw: 1.25e-6,  cr: 0.1e-6  },
+  'claude-haiku-4':    { in: 0.8e-6,  out: 4e-6,    cw: 1e-6,     cr: 0.08e-6 },
   'claude-3-5-haiku':  { in: 0.8e-6,  out: 4e-6,    cw: 1e-6,     cr: 0.08e-6 },
   'gpt-4o':            { in: 2.5e-6,  out: 10e-6,   cw: 2.5e-6,   cr: 1.25e-6 },
   'gpt-4o-mini':       { in: 0.15e-6, out: 0.6e-6,  cw: 0.15e-6,  cr: 0.075e-6 },
   'gemini-2.5-pro':    { in: 1.25e-6, out: 10e-6,   cw: 1.25e-6,  cr: 0.315e-6 },
 };
 function _sjGetPricing(model) {
-  const canonical = (model || '').replace(/@.*$/, '').replace(/-\d{8}$/, '');
+  const _ALIAS = { 'haiku': 'claude-haiku-4-5', 'opus': 'claude-opus-4-6', 'sonnet': 'claude-sonnet-4-6' };
+  let canonical = (model || '').replace(/@.*$/, '').replace(/-\d{8}$/, '');
+  canonical = _ALIAS[canonical] || canonical;
   if (_SJ_PRICING[canonical]) return _SJ_PRICING[canonical];
   for (const k of Object.keys(_SJ_PRICING)) { if (canonical.startsWith(k) || canonical.includes(k)) return _SJ_PRICING[k]; }
   return null;
@@ -51,7 +55,7 @@ function categorizeTool(name) {
   if (['Read','Write','Edit','MultiEdit','Glob','Grep','LS'].includes(name)) return 'file';
   if (name === 'Bash') return 'bash';
   if (['Agent','Task'].includes(name)) return 'agent';
-  if (name.startsWith('mcp__monobrain__memory') || name.startsWith('mcp__monobrain__agentdb')) return 'memory';
+  if (name.startsWith('mcp__monomind__memory') || name.startsWith('mcp__monomind__agentdb')) return 'memory';
   if (['WebFetch','WebSearch'].includes(name)) return 'web';
   if (name === 'TodoWrite' || name === 'TodoRead') return 'task';
   if (name === 'Skill') return 'skill';
@@ -131,8 +135,8 @@ function buildToolLabel(name, input) {
   if (name === 'WebFetch') return `Fetch ${(input.url || '').slice(0, 50)}`;
   if (name === 'WebSearch') return `Search ${(input.query || '').slice(0, 40)}`;
   if (name === 'Skill') return `Skill: ${input.skill || '?'}`;
-  if (name.startsWith('mcp__monobrain__memory')) return name.replace('mcp__monobrain__memory_', 'mem:');
-  if (name.startsWith('mcp__')) return name.replace('mcp__monobrain__', '⬡ ').replace('mcp__', '⬡ ').slice(0, 40);
+  if (name.startsWith('mcp__monomind__memory')) return name.replace('mcp__monomind__memory_', 'mem:');
+  if (name.startsWith('mcp__')) return name.replace('mcp__monomind__', '⬡ ').replace('mcp__', '⬡ ').slice(0, 40);
   return name.slice(0, 40);
 }
@@ -179,6 +183,41 @@ function pathToSections(filename) {
 const sseClients = new Set();
 // Mastermind real-time event stream clients
 const mmSseClients = new Set();
+// Active org run tracking: org -> runId (enables event routing for orgs without runId in payload)
+const activeOrgRuns = new Map();
+// Returns the shared git directory parent so run files survive branch switches and
+// are shared across all worktrees. In a worktree, .git is a FILE pointing to the
+// shared .git dir (e.g. /main/.git/worktrees/feat); we navigate up two levels to
+// reach /main/.git, then up one more to /main/ for the monomind data root.
+// Falls back to the working directory if git isn't available.
+const _gitMonomindCache = new Map();
+function _getGitMonomindDir(workDir) {
+  if (!workDir) return null;
+  if (_gitMonomindCache.has(workDir)) return _gitMonomindCache.get(workDir);
+  let result = null;
+  try {
+    const gitEntry = path.join(workDir, '.git');
+    const st = fs.statSync(gitEntry);
+    if (st.isDirectory()) {
+      // Regular repo: .git is a directory
+      result = path.join(gitEntry, 'monomind');
+    } else if (st.isFile()) {
+      // Worktree: .git is a text file "gitdir: /main/.git/worktrees/name"
+      const m = fs.readFileSync(gitEntry, 'utf8').trim().match(/^gitdir:\s*(.+)/);
+      if (m) {
+        // Resolve relative paths (gitdir can be relative to the worktree root)
+        const worktreeDir = path.resolve(workDir, m[1].trim());
+        // /main/.git/worktrees/name -> /main/.git -> /main/.git/monomind
+        const commonGitDir = path.dirname(path.dirname(worktreeDir));
+        result = path.join(commonGitDir, 'monomind');
+      }
+    }
+  } catch {}
+  if (!result) result = path.join(workDir, '.monomind'); // fallback
+  _gitMonomindCache.set(workDir, result);
+  return result;
+}
 // Server state
 let running = false;
@@ -370,12 +409,22 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const cwd = projectDir || process.cwd();
         const name = gitExec('git config user.name', { cwd, encoding: 'utf8' }).trim();
         const email = gitExec('git config user.email', { cwd, encoding: 'utf8' }).trim();
+        let remoteUrl = '';
+        try { remoteUrl = gitExec('git remote get-url origin', { cwd, encoding: 'utf8' }).trim(); } catch {}
+        // Normalise SSH remote to HTTPS URL for browser linking
+        if (remoteUrl.startsWith('git@')) {
+          remoteUrl = remoteUrl.replace(/^git@([^:]+):/, 'https://$1/').replace(/\.git$/, '');
+        } else if (remoteUrl.endsWith('.git')) {
+          remoteUrl = remoteUrl.slice(0, -4);
+        }
+        let branch = '';
+        try { branch = gitExec('git rev-parse --abbrev-ref HEAD', { cwd, encoding: 'utf8' }).trim(); } catch {}
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
-        res.end(JSON.stringify({ name, email, cwd }));
+        res.end(JSON.stringify({ name, email, cwd, remoteUrl, branch }));
       } catch (_) {
         const cwd2 = projectDir || process.cwd();
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
-        res.end(JSON.stringify({ name: '', email: '', cwd: cwd2 }));
+        res.end(JSON.stringify({ name: '', email: '', cwd: cwd2, remoteUrl: '', branch: '' }));
       }
       return;
     }
@@ -410,7 +459,23 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         return;
       }
       try {
-        const raw = fs.readFileSync(file, 'utf8');
+        // Security: validate that the requested file stays within the user's
+        // home directory. Without this, ?file=/etc/passwd discloses arbitrary
+        // system files to any process that can reach localhost:4242.
+        const _resolvedFile = path.resolve(file);
+        const _homeDir = os.homedir();
+        if (!_resolvedFile.startsWith(_homeDir + path.sep) && !_resolvedFile.startsWith(_homeDir)) {
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Access denied: file must be within the home directory' }));
+          return;
+        }
+        // Only allow JSONL files (session logs).
+        if (!_resolvedFile.endsWith('.jsonl')) {
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Access denied: only .jsonl files are permitted' }));
+          return;
+        }
+        const raw = fs.readFileSync(_resolvedFile, 'utf8');
         const allLines = raw.split('\n').filter(Boolean);
         const lines = allLines.slice(-limit);
         const events = parseSessionLines(lines);
@@ -450,7 +515,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         for (const { f, mtime } of sessionFiles) {
           const fp = path.join(projectClaudeDir, f);
           const id = f.replace('.jsonl', '');
-          let lastPrompt = '', summaries = [], totalDurationMs = 0, totalMessages = 0, firstTs = null, lastTs = null, totalCost = 0, toolCalls = 0, userMessages = 0, cacheReadTokens = 0, totalInputTokens = 0;
+          let lastPrompt = '', summaries = [], totalDurationMs = 0, totalMessages = 0, firstTs = null, lastTs = null, totalCost = 0, toolCalls = 0, userMessages = 0, cacheReadTokens = 0, totalInputTokens = 0, errorCount = 0;
           const modelBreakdown = {};
           const filesTouchedSet = new Set();
           try {
@@ -460,7 +525,12 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
               let e; try { e = JSON.parse(line); } catch { continue; }
               if (e.timestamp) { if (!firstTs) firstTs = e.timestamp; lastTs = e.timestamp; }
               if (e.type === 'last-prompt' && e.lastPrompt) lastPrompt = e.lastPrompt;
-              if (e.type === 'user') userMessages++;
+              if (e.type === 'user') {
+                userMessages++;
+                for (const b of (e.message?.content || [])) {
+                  if (b && b.type === 'tool_result' && b.is_error) errorCount++;
+                }
+              }
               if (e.type === 'system' && e.subtype === 'compact_boundary') pendingCompact = true;
               if (pendingCompact && e.type === 'user') {
                 const msg = e.message || {};
@@ -502,7 +572,9 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
             }
           } catch {}
           const filesTouched = [...filesTouchedSet].slice(0, 20);
-          sessions.push({ id, mtime, firstTs, lastTs, lastPrompt, summaries, totalDurationMs, totalMessages, totalCost, toolCalls, userMessages, cacheReadTokens, totalInputTokens, modelBreakdown, filesTouched, file: fp });
+          const compactCount = summaries.length;
+          const summary = summaries.length ? summaries[summaries.length - 1].text : null;
+          sessions.push({ id, mtime, firstTs, lastTs, lastPrompt, summaries, summary, compactCount, errorCount, totalDurationMs, totalMessages, totalCost, toolCalls, userMessages, cacheReadTokens, totalInputTokens, modelBreakdown, filesTouched, file: fp });
         }
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
         res.end(JSON.stringify({ sessions }));
@@ -569,6 +641,69 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       return;
     }
+    // ------------------------------------------------------- GET /api/recent-events
+    if (req.method === 'GET' && url === '/api/recent-events') {
+      try {
+        const qs = new URL(req.url, 'http://localhost').searchParams;
+        const dir = qs.get('dir') || projectDir || process.cwd();
+        const limit = Math.min(parseInt(qs.get('limit') || '50', 10), 200);
+        const d = path.resolve(dir || process.cwd());
+        const slug = d.replace(/\//g, '-');
+        const projectClaudeDir = path.join(os.homedir(), '.claude', 'projects', slug);
+        let sessionFiles = [];
+        try {
+          sessionFiles = fs.readdirSync(projectClaudeDir)
+            .filter(f => f.endsWith('.jsonl'))
+            .map(f => { try { return { f, mtime: fs.statSync(path.join(projectClaudeDir, f)).mtimeMs }; } catch { return null; } })
+            .filter(Boolean)
+            .sort((a, b) => b.mtime - a.mtime)
+            .slice(0, 5); // check last 5 sessions
+        } catch {}
+        const events = [];
+        const HOOK_RE = /^<(local-command-|command-name>|command-message>)/;
+        for (const { f } of sessionFiles) {
+          const fp = path.join(projectClaudeDir, f);
+          const sessId = f.replace('.jsonl', '');
+          try {
+            const lines = fs.readFileSync(fp, 'utf8').split('\n').filter(Boolean).slice(-200);
+            for (const line of lines) {
+              let e; try { e = JSON.parse(line); } catch { continue; }
+              if (e.type === 'assistant') {
+                const content = e.message?.content || [];
+                for (const block of content) {
+                  if (block?.type === 'tool_use') {
+                    events.push({ kind: 'tool', ts: e.timestamp, tool: block.name, session: sessId });
+                  }
+                }
+              } else if (e.type === 'user') {
+                const content = e.message?.content || [];
+                for (const block of content) {
+                  if (block?.type === 'text' && block.text?.trim() && !HOOK_RE.test(block.text.trim())) {
+                    events.push({ kind: 'user', ts: e.timestamp, text: block.text.slice(0, 120), session: sessId });
+                  }
+                }
+              }
+            }
+          } catch {}
+        }
+        // sort by ts desc, take limit
+        events.sort((a, b) => {
+          const ta = a.ts ? new Date(a.ts).getTime() : 0;
+          const tb = b.ts ? new Date(b.ts).getTime() : 0;
+          return tb - ta;
+        });
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+        res.end(JSON.stringify({ events: events.slice(0, limit) }));
+      } catch (err) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: err.message }));
+      }
+      return;
+    }
     // ------------------------------------------------------- GET /api/tool-errors
     if (req.method === 'GET' && url === '/api/tool-errors') {
       try {
@@ -891,7 +1026,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // ------------------------------------------------------- PUT /api/memory-file
     if (req.method === 'PUT' && url === '/api/memory-file') {
       let body = '';
-      req.on('data', chunk => { body += chunk; });
+      req.on('data', chunk => { body += chunk; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', () => {
         try {
           const qs = new URL(req.url, 'http://localhost').searchParams;
@@ -925,7 +1060,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // ------------------------------------------------------- DELETE /api/memory-file
     if (req.method === 'DELETE' && url === '/api/memory-file') {
       let body = '';
-      req.on('data', chunk => { body += chunk; });
+      req.on('data', chunk => { body += chunk; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', () => {
         try {
           const qs = new URL(req.url, 'http://localhost').searchParams;
@@ -1060,8 +1195,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
             let alive = false;
             try { process.kill(pid, 0); alive = true; } catch {}
             const alreadyTracked = loops.some(l => l.id === sessionId || l.sessionId === sessionId);
-            const hasRepeatLoops = loops.some(l => l.source === '_repeat.md');
-            if (alive && sessionId && !alreadyTracked && !hasRepeatLoops && !stopFiles.has(sessionId)) {
+            if (alive && sessionId && !alreadyTracked && !stopFiles.has(sessionId)) {
               // Try to extract ScheduleWakeup context from session JSONL
               let loopEntry = null;
               try {
@@ -1144,6 +1278,10 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
           }
         } catch {}
+        // Dedup: suppress scheduled_tasks_lock noise when real repeat loops exist
+        const hasRepeatLoops = loops.some(l => l.source !== 'scheduled_tasks_lock' && l.source !== 'schedule_wakeup_hook');
+        if (hasRepeatLoops) loops = loops.filter(l => l.source !== 'scheduled_tasks_lock' && l.source !== 'schedule_wakeup_hook');
         loops.sort((a, b) => (b.startedAt || 0) - (a.startedAt || 0));
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
         res.end(JSON.stringify({ loops }));
@@ -1154,13 +1292,14 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // ---------------------------------------------------------- POST /api/loops/stop
     if (req.method === 'POST' && url === '/api/loops/stop') {
       let body = '';
-      req.on('data', chunk => { body += chunk; });
+      req.on('data', chunk => { body += chunk; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', () => {
         try {
-          const stopQs = new URL(req.url, 'http://localhost').searchParams;
           const { id } = JSON.parse(body);
           if (!id) { res.writeHead(400); res.end(JSON.stringify({ error: 'id required' })); return; }
-          const loopsDir = path.join(stopQs.get('dir') || projectDir || process.cwd(), '.monomind', 'loops');
+          const _stopQs = new URL(req.url, 'http://localhost').searchParams;
+          const _stopDir = path.resolve(_stopQs.get('dir') || projectDir || process.cwd());
+          const loopsDir = path.join(_stopDir, '.monomind', 'loops');
           fs.mkdirSync(loopsDir, { recursive: true });
           fs.writeFileSync(path.join(loopsDir, `${id}.stop`), `stop-requested-${Date.now()}`);
           res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
@@ -1173,17 +1312,27 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // ---------------------------------------------------------- POST /api/loops/create
     if (req.method === 'POST' && url === '/api/loops/create') {
       let body = '';
-      req.on('data', chunk => { body += chunk; });
+      req.on('data', chunk => { body += chunk; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', () => {
         try {
-          const createQs = new URL(req.url, 'http://localhost').searchParams;
-          const { name, prompt, interval, maxReps } = JSON.parse(body);
+          const _qs = new URL(req.url, 'http://localhost').searchParams;
+          const { name: _rawName, prompt: _rawPrompt, interval: _rawInterval, maxReps: _rawMaxReps } = JSON.parse(body);
+          // Cap field sizes to prevent individual large-field disk inflation.
+          // The 2MB body cap already limits total payload, but a single field
+          // near 2MB would produce a multi-MB loop config file per request.
+          const MAX_LOOP_PROMPT_LEN = 64 * 1024;  // 64 KB
+          const MAX_LOOP_NAME_LEN = 512;
+          const MAX_LOOP_INTERVAL_LEN = 64;
+          const prompt = typeof _rawPrompt === 'string' ? _rawPrompt.slice(0, MAX_LOOP_PROMPT_LEN) : null;
+          const name = typeof _rawName === 'string' ? _rawName.slice(0, MAX_LOOP_NAME_LEN) : null;
+          const interval = typeof _rawInterval === 'string' ? _rawInterval.slice(0, MAX_LOOP_INTERVAL_LEN) : null;
+          const maxReps = typeof _rawMaxReps === 'number' && Number.isFinite(_rawMaxReps) ? Math.max(1, Math.min(Math.floor(_rawMaxReps), 10000)) : null;
           if (!prompt) { res.writeHead(400); res.end(JSON.stringify({ error: 'prompt required' })); return; }
-          const loopsDir = path.join(createQs.get('dir') || projectDir || process.cwd(), '.monomind', 'loops');
+          const loopsDir = path.join(path.resolve(_qs.get('dir') || projectDir || process.cwd()), '.monomind', 'loops');
           fs.mkdirSync(loopsDir, { recursive: true });
           const id = `loop-${Date.now()}-${Math.random().toString(36).slice(2,7)}`;
           const nowMs = Date.now();
-          const loop = { id, type: 'repeat', name: name || prompt.slice(0, 40), prompt, interval: interval || '1h', maxReps: maxReps || null, status: 'active', currentRep: 0, startedAt: nowMs, lastRunAt: null };
+          const loop = { id, type: 'repeat', name: name || prompt.slice(0, 40), prompt, interval: interval || '1h', maxReps, status: 'active', currentRep: 0, startedAt: nowMs, lastRunAt: null };
           fs.writeFileSync(path.join(loopsDir, `${id}.json`), JSON.stringify(loop, null, 2));
           res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
           res.end(JSON.stringify({ ok: true, id }));
@@ -1196,7 +1345,10 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     if (req.method === 'GET' && url === '/api/session-errors') {
       const qs = new URL(req.url, 'http://localhost').searchParams;
       const d = path.resolve(qs.get('dir') || projectDir || process.cwd());
-      const sessionId = qs.get('id') || '';
+      // Cap sessionId to prevent O(n×m) DoS via f.includes(sessionId) substring
+      // match against every filename when sessionId is a very long string.
+      const _rawSessId = qs.get('id') || '';
+      const sessionId = _rawSessId.slice(0, 256);
       const slug = d.replace(/\//g, '-');
       const projectClaudeDir = path.join(os.homedir(), '.claude', 'projects', slug);
       try {
@@ -1267,7 +1419,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // ------------------------------------------------------- DELETE /api/knowledge-chunk
     if (req.method === 'DELETE' && url === '/api/knowledge-chunk') {
       let body = '';
-      req.on('data', chunk => { body += chunk; });
+      req.on('data', chunk => { body += chunk; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', () => {
         try {
           const qs = new URL(req.url, 'http://localhost').searchParams;
@@ -1306,7 +1458,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // ------------------------------------------------------- PUT /api/knowledge-chunk
     if (req.method === 'PUT' && url === '/api/knowledge-chunk') {
       let body = '';
-      req.on('data', chunk => { body += chunk; });
+      req.on('data', chunk => { body += chunk; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', () => {
         try {
           const qs = new URL(req.url, 'http://localhost').searchParams;
@@ -1802,7 +1954,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const qs = new URL(req.url, 'http://localhost').searchParams;
         const dir = qs.get('dir') || projectDir || process.cwd();
-        const q = (qs.get('q') || '').trim();
+        // Cap ?q= to prevent DoS via megabyte FTS query strings.
+        const q = (qs.get('q') || '').trim().slice(0, 4096);
         const limit = Math.min(100, parseInt(qs.get('limit') || '50', 10));
         const d = path.resolve(dir || process.cwd());
         const dbPath = path.join(d, '.monomind', 'monograph.db');
@@ -1936,7 +2089,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const qs = new URL(req.url, 'http://localhost').searchParams;
         const dir = qs.get('dir') || projectDir || process.cwd();
-        const q = qs.get('q') || '';
+        const q = (qs.get('q') || '').trim().slice(0, 4096);
         const d = path.resolve(dir || process.cwd());
         const dbPath = path.join(d, '.monomind', 'monograph.db');
         if (!q) { res.writeHead(400); res.end(JSON.stringify({ error: 'Missing ?q= parameter' })); return; }
@@ -1973,7 +2126,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const qs = new URL(req.url, 'http://localhost').searchParams;
         const dir = qs.get('dir') || projectDir || process.cwd();
-        const nodeQ = qs.get('node') || '';
+        const nodeQ = (qs.get('node') || '').trim().slice(0, 4096);
         const d = path.resolve(dir || process.cwd());
         const dbPath = path.join(d, '.monomind', 'monograph.db');
         if (!nodeQ) { res.writeHead(400); res.end(JSON.stringify({ error: 'Missing ?node= parameter' })); return; }
@@ -2015,8 +2168,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const qs = new URL(req.url, 'http://localhost').searchParams;
         const dir = qs.get('dir') || projectDir || process.cwd();
-        const from = qs.get('from') || '';
-        const to = qs.get('to') || '';
+        const from = (qs.get('from') || '').trim().slice(0, 4096);
+        const to = (qs.get('to') || '').trim().slice(0, 4096);
         const d = path.resolve(dir || process.cwd());
         const dbPath = path.join(d, '.monomind', 'monograph.db');
         if (!from || !to) { res.writeHead(400); res.end(JSON.stringify({ error: 'Missing ?from= and ?to= parameters' })); return; }
@@ -2136,7 +2289,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // -------------------------------------------------- POST /api/mcp/call
     if (req.method === 'POST' && url === '/api/mcp/call') {
       let body = '';
-      req.on('data', c => body += c);
+      req.on('data', c => { body += c; if (body.length > 2097152) { req.destroy(); return; } });
       req.on('end', async () => {
         const json = res => { res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' }); };
         const ok = (data) => { json(res); res.end(JSON.stringify({ content: [{ type: 'text', text: typeof data === 'string' ? data : JSON.stringify(data, null, 2) }] })); };
@@ -2184,7 +2337,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
               ok(`nodes: ${n}\nedges: ${e}`);
             } else if (tool === 'monograph_cypher') {
               // Translate basic MATCH (n:Label) queries to SQL
-              const q = (input.query || '').trim();
+              const q = (String(input.query || '')).trim().slice(0, 4096);
               const labelMatch = q.match(/MATCH\s+\(n:(\w+)\)/i);
               if (labelMatch) {
                 const label = labelMatch[1];
@@ -2242,12 +2395,13 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
             } else if (tool === 'monograph_diff') {
               ok('Graph diff: compare two snapshots using monograph snapshot + monograph diff commands');
             } else if (tool === 'monograph_rename') {
-              const sym = input.symbolName || '';
+              // Cap sym to prevent O(n) FTS scan DoS via oversized query string.
+              const sym = String(input.symbolName || '').slice(0, 4096);
               if (!sym) { ok('Provide symbolName to rename'); return; }
               const hits = ftsSearch(db2, sym, 20);
               ok(`Found ${hits.length} occurrences of "${sym}":\n` + hits.map(h => `  ${h.filePath || '?'}:${h.startLine || '?'} — ${h.name}`).join('\n'));
             } else if (tool === 'monograph_impact') {
-              const target = input.target || '';
+              const target = String(input.target || '').slice(0, 4096);
               const dir3 = input.direction || 'both';
               const depth = input.maxDepth || 4;
               const hits = ftsSearch(db2, target, 5);
@@ -2274,7 +2428,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
               }
               ok(`Impact of "${hits[0].name}" (${dir3}, depth=${depth}):\n` + (results.join('\n') || '  (no dependencies found)'));
             } else if (tool === 'monograph_context') {
-              const id = input.id || '';
+              const id = String(input.id || '').slice(0, 4096);
               const hits = ftsSearch(db2, id, 5);
               if (!hits.length) { ok(`Node not found: ${id}`); return; }
               const node = hits[0];
@@ -2282,7 +2436,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
               const inEdges = db2.prepare('SELECT e.relation, n.name FROM edges e JOIN nodes n ON n.id = e.source_id WHERE e.target_id = ? LIMIT 20').all(node.id);
               ok(`# ${node.name} (${node.label})\nFile: ${node.filePath || '?'}\n\n**Imports / depends on (${outEdges.length}):**\n${outEdges.map(e => `  → ${e.name} [${e.relation}]`).join('\n') || '  (none)'}\n\n**Used by / depended on by (${inEdges.length}):**\n${inEdges.map(e => `  ← ${e.name} [${e.relation}]`).join('\n') || '  (none)'}`);
             } else if (tool === 'monograph_query' || tool === 'monograph_suggest') {
-              const q2 = input.query || input.task || '';
+              const q2 = String(input.query || input.task || '').slice(0, 4096);
               const hits2 = ftsSearch(db2, q2, 20);
               ok(hits2.map(h => `${h.name} (${h.label}) — ${h.filePath || '?'}:${h.startLine || '?'}`).join('\n') || 'No results');
@@ -2631,7 +2785,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
           if (['Read','Write','Edit','MultiEdit','Glob','Grep','LS'].includes(name)) return 'file';
           if (name === 'Bash') return 'bash';
           if (['Agent','Task'].includes(name)) return 'agent';
-          if (name.startsWith('mcp__monobrain__memory') || name.startsWith('mcp__monobrain__agentdb')) return 'memory';
+          if (name.startsWith('mcp__monomind__memory') || name.startsWith('mcp__monomind__agentdb')) return 'memory';
           if (['WebFetch','WebSearch'].includes(name)) return 'web';
           if (name === 'Skill') return 'skill';
           return 'other';
@@ -2648,9 +2802,35 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
           try { stat = fs.statSync(fp); } catch { continue; }
           // Skip files over size cap to avoid memory spikes on large sessions
+          // But still do a lightweight scan for agent spawns (tool_use blocks named Agent/Task)
           if (stat.size > JSONL_SIZE_CAP) {
+            const truncSpawns = {};
+            try {
+              const raw = fs.readFileSync(fp, 'utf8');
+              for (const line of raw.split('\n')) {
+                if (!line.includes('"tool_use"') || (!line.includes('"Agent"') && !line.includes('"Task"'))) continue;
+                let e; try { e = JSON.parse(line); } catch { continue; }
+                if (e.type !== 'assistant') continue;
+                for (const block of (e.message?.content || [])) {
+                  if (!block || block.type !== 'tool_use') continue;
+                  if (block.name !== 'Agent' && block.name !== 'Task') continue;
+                  const sub = block.input?.subagent_type || block.input?.description || '?';
+                  truncSpawns[sub] = (truncSpawns[sub] || 0) + 1;
+                }
+              }
+            } catch {}
             nodes.push({ id: sid, type: 'session', label: sid.slice(0,8), turns: 0, totalTools: 0,
-              toolCounts: {}, cost: 0, mtime: stat.mtimeMs, size: stat.size, agentSpawns: {}, truncated: true });
+              toolCounts: {}, cost: 0, mtime: stat.mtimeMs, size: stat.size, agentSpawns: truncSpawns, truncated: true });
+            for (const [subType, count] of Object.entries(truncSpawns)) {
+              const nodeId = 'agent::' + subType;
+              if (!agentTypeNodes[subType]) {
+                agentTypeNodes[subType] = true;
+                nodes.push({ id: nodeId, type: 'agenttype', label: subType, totalSpawns: 0 });
+              }
+              const aNode = nodes.find(n => n.id === nodeId);
+              if (aNode) aNode.totalSpawns = (aNode.totalSpawns || 0) + count;
+              edges.push({ source: sid, target: nodeId, weight: count, label: String(count) });
+            }
             continue;
           }
@@ -2663,7 +2843,12 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
             const lines = raw.split('\n').filter(Boolean);
             for (const line of lines) {
               let e; try { e = JSON.parse(line); } catch { continue; }
-              if (e.type === 'user') turns++;
+              if (e.type === 'user') {
+                // Only count actual human turns, not tool-result responses
+                const ct = e.message?.content;
+                const isToolResult = Array.isArray(ct) && ct.length > 0 && ct.every(b => b && b.type === 'tool_result');
+                if (!isToolResult) turns++;
+              }
               if (e.type === 'assistant') {
                 for (const block of (e.message?.content || [])) {
                   if (!block || block.type !== 'tool_use') continue;
@@ -2674,8 +2859,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
                     agentSpawns[sub] = (agentSpawns[sub] || 0) + 1;
                   }
                 }
+                if (e.message?.usage) totalCost += _sjCalcCost(e.message.model || '', e.message.usage);
               }
-              if (e.costUSD) totalCost += e.costUSD;
             }
           } catch {}
@@ -2733,8 +2918,13 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const qs = new URL(req.url, 'http://localhost').searchParams;
         const dir = qs.get('dir') || projectDir || process.cwd();
-        const swarmId = qs.get('swarmId') || undefined;
-        const agentId = qs.get('agentId') || undefined;
+        // Cap swarmId and agentId to prevent O(n×m) DoS: filter() compares
+        // each event against the query string, so a megabyte-scale ID causes
+        // O(events × m) string comparisons.
+        const _rawSwarmId = qs.get('swarmId') || undefined;
+        const _rawAgentId = qs.get('agentId') || undefined;
+        const swarmId = typeof _rawSwarmId === 'string' ? _rawSwarmId.slice(0, 256) : undefined;
+        const agentId = typeof _rawAgentId === 'string' ? _rawAgentId.slice(0, 256) : undefined;
         const last = qs.get('last') ? parseInt(qs.get('last')) : undefined;
         const events = collectSwarmEvents(path.resolve(dir), { swarmId, agentId, last });
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
@@ -2778,47 +2968,71 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     if (req.method === 'GET' && url.startsWith('/api/token-usage')) {
       try {
         const qs = new URL(req.url, 'http://localhost').searchParams;
-        const period = qs.get('period') || 'today';
+        const period = ['today','week','30days','month'].includes(qs.get('period')) ? qs.get('period') : 'today';
         const dir = path.resolve(qs.get('dir') || projectDir || process.cwd());
-        // Determine date window
-        const now = new Date();
-        const todayStr = now.toISOString().slice(0, 10);
-        let fromStr;
-        let daysBack;
-        if (period === 'today') {
-          fromStr = todayStr; daysBack = 1;
-        } else if (period === 'week') {
-          const d = new Date(now); d.setDate(d.getDate() - 6);
-          fromStr = d.toISOString().slice(0, 10); daysBack = 7;
-        } else if (period === '30d' || period === '30days') {
-          const d = new Date(now); d.setDate(d.getDate() - 29);
-          fromStr = d.toISOString().slice(0, 10); daysBack = 30;
-        } else { // month
-          fromStr = now.toISOString().slice(0, 7) + '-01'; daysBack = 32;
-        }
-        const raw = collectTokens(dir, Math.max(daysBack + 1, 14));
-        // Filter daily to the requested window
-        const daily = (raw.daily || []).filter(d => d.date >= fromStr);
-        // Aggregate summary for the period
-        let cost = 0, calls = 0, tokensIn = 0, tokensOut = 0;
-        for (const d of daily) { cost += d.cost; calls += d.calls; tokensIn += d.tokensIn; tokensOut += d.tokensOut; }
-        // Filter rows to sessions that had activity in the window
-        const rows = (raw.rows || []).filter(r => {
-          // rows don't have dates yet, just include top ones by cost
-          return true;
-        }).slice(0, 30);
-        const summary = {
-          todayCost: cost,
-          todayCalls: calls,
-          cost, calls,
-          totalTokens: tokensIn + tokensOut,
-          modelCount: Object.keys(raw.summary?.modelBreakdown || {}).length || null,
+        const trackerPath = path.join(dir, '.claude', 'helpers', 'token-tracker.cjs');
+        const fallback = () => {
+          const summary = (() => { try { return JSON.parse(fs.readFileSync(path.join(dir, '.monomind', 'metrics', 'token-summary.json'), 'utf8')); } catch { return {}; } })();
+          res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
+          const fbSum = { todayCost: summary.todayCost || 0, cost: summary.todayCost || 0, todayCalls: summary.todayCalls || 0, calls: summary.todayCalls || 0, totalTokens: 0, totalTokensIn: 0, totalTokensOut: 0, cacheTokens: 0, modelCount: 0 };
+          res.end(JSON.stringify({ summary: fbSum, totalCost: summary.todayCost || 0, totalCalls: summary.todayCalls || 0, totalIn: 0, totalOut: 0, totalCR: 0, totalCW: 0, rows: [], models: [], categories: [], tools: [], mcpServers: [], projects: [], modelBreakdown: {}, categoryBreakdown: {}, toolBreakdown: {}, mcpBreakdown: {}, periodLabel: period }));
         };
-        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
-        res.end(JSON.stringify({ summary, daily, rows, periodLabel: period }));
+        if (!fs.existsSync(trackerPath)) { fallback(); return; }
+        try {
+          const _req = createRequire(import.meta.url);
+          const tracker = _req(trackerPath);
+          const range = tracker.getDateRange(period);
+          const projects = tracker.parseAllSessions(range.start, range.end);
+          let totalCost = 0, totalIn = 0, totalOut = 0, totalCR = 0, totalCW = 0, totalCalls = 0;
+          const modelBreakdown = {}, categoryBreakdown = {}, toolBreakdown = {}, mcpBreakdown = {};
+          for (const p of projects) {
+            totalCost += p.totalCost || 0;
+            for (const s of (p.sessions || [])) {
+              totalIn += s.totalInputTokens || 0;
+              totalOut += s.totalOutputTokens || 0;
+              totalCR += s.totalCacheRead || 0;
+              totalCW += s.totalCacheWrite || 0;
+              totalCalls += s.apiCalls || 0;
+              for (const [mn, m] of Object.entries(s.modelBreakdown || {})) {
+                if (!modelBreakdown[mn]) modelBreakdown[mn] = { calls: 0, cost: 0, tokens: 0 };
+                modelBreakdown[mn].calls += m.calls || 0;
+                modelBreakdown[mn].cost += m.cost || 0;
+                modelBreakdown[mn].tokens += m.tokens || 0;
+              }
+              for (const [cat, c] of Object.entries(s.categoryBreakdown || {})) {
+                if (!categoryBreakdown[cat]) categoryBreakdown[cat] = { turns: 0, cost: 0 };
+                categoryBreakdown[cat].turns += c.turns || 0;
+                categoryBreakdown[cat].cost += c.cost || 0;
+              }
+              for (const [tool, t] of Object.entries(s.toolBreakdown || {})) {
+                if (!toolBreakdown[tool]) toolBreakdown[tool] = { calls: 0 };
+                toolBreakdown[tool].calls += t.calls || 0;
+              }
+              for (const [srv, m] of Object.entries(s.mcpBreakdown || {})) {
+                if (!mcpBreakdown[srv]) mcpBreakdown[srv] = { calls: 0 };
+                mcpBreakdown[srv].calls += m.calls || 0;
+              }
+            }
+          }
+          // Build client-friendly arrays from breakdown dicts
+          const models = Object.entries(modelBreakdown).map(([model, m]) => ({ model, cost: m.cost, calls: m.calls, tokens: m.tokens })).sort((a, b) => b.cost - a.cost);
+          const categories = Object.entries(categoryBreakdown).map(([category, c]) => ({ category, turns: c.turns, cost: c.cost })).sort((a, b) => b.turns - a.turns);
+          const tools = Object.entries(toolBreakdown).map(([tool, t]) => ({ tool, count: t.calls })).sort((a, b) => b.count - a.count);
+          const mcpServers = Object.entries(mcpBreakdown).map(([server, m]) => ({ server, count: m.calls })).sort((a, b) => b.count - a.count);
+          const projectRows = projects.map(p => ({ project: p.name || p.slug || p.dir || '?', cost: p.totalCost || 0 })).sort((a, b) => b.cost - a.cost);
+          // Build rows array from sessions for per-session table
+          const rows = [];
+          for (const p of projects) {
+            for (const s of (p.sessions || [])) {
+              rows.push({ id: s.id || '', session: s.lastPrompt || s.id || '', calls: s.apiCalls || 0, cost: s.totalCost || 0, tokens: (s.totalInputTokens || 0) + (s.totalOutputTokens || 0) });
+            }
+          }
+          rows.sort((a, b) => b.cost - a.cost);
+          // Summary object matching client expectations
+          const summary = { todayCost: totalCost, cost: totalCost, todayCalls: totalCalls, calls: totalCalls, totalTokens: totalIn + totalOut, totalTokensIn: totalIn, totalTokensOut: totalOut, cacheTokens: totalCR, modelCount: models.length };
+          res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
+          res.end(JSON.stringify({ summary, totalCost, totalCalls, totalIn, totalOut, totalCR, totalCW, rows, models, categories, tools, mcpServers, projects: projectRows, modelBreakdown, categoryBreakdown, toolBreakdown, mcpBreakdown, periodLabel: period }));
+        } catch (e) { fallback(); }
       } catch (err) {
         res.writeHead(500, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify({ error: err.message }));
@@ -2972,7 +3186,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const orgsDir = path.join(path.resolve(_orgsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         let orgs = [];
         if (fs.existsSync(orgsDir)) {
-          const _sidecarSuffixRe = /-(approvals|state|activity|goals|routines|projects|members|issues|workspaces|worktrees|environments|plugins|adapters|bootstrap|threads|budgets|project-workspaces|approval-comments|secrets)\.json$/;
+          const _sidecarSuffixRe = /-(approvals|state|activity|goals|routines|projects|members|issues|workspaces|worktrees|environments|plugins|adapters|bootstrap|threads|budgets|project-workspaces|approval-comments|secrets|join-requests|skills)\.json$/;
           const files = fs.readdirSync(orgsDir).filter(f => f.endsWith('.json') && !_sidecarSuffixRe.test(f));
           // Read events file once, outside the per-org loop
           let recentLines = [];
@@ -3003,7 +3217,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
                 const stopTs = lastStop ? (JSON.parse(lastStop).ts || 0) : 0;
                 running = startTs > stopTs;
               }
-              orgs.push({ name: cfg.name, goal: cfg.goal, roles: cfg.roles?.length || 0, topology: cfg.topology, created_at: cfg.created_at, running, status: cfg.status, loop: cfg.loop ? { poll_interval_minutes: cfg.loop.poll_interval_minutes, last_run: cfg.loop.last_run, next_run: cfg.loop.next_run } : undefined });
+              orgs.push({ name: cfg.name, goal: cfg.goal, roles: Array.isArray(cfg.roles) ? cfg.roles : [], topology: cfg.topology, created_at: cfg.created_at, running, status: cfg.status, loop: cfg.loop ? { poll_interval_minutes: cfg.loop.poll_interval_minutes, last_run: cfg.loop.last_run, next_run: cfg.loop.next_run } : undefined });
             } catch(_) {}
           }
         }
@@ -3013,12 +3227,65 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       return;
     }
+    // POST /api/orgs/:name/import — import an org config by name (orgs.html upload flow)
+    if (req.method === 'POST' && /^\/api\/orgs\/[a-z0-9][a-z0-9_-]{0,63}\/import$/i.test(url)) {
+      let body = '';
+      req.on('data', c => { body += c; if (body.length > 2e6) req.destroy(); });
+      req.on('end', () => {
+        try {
+          const urlParts = url.split('/');
+          const orgName = decodeURIComponent(urlParts[3]);
+          if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Invalid org name' })); return; }
+          const cfg = JSON.parse(body);
+          const _importQs = new URL(req.url, 'http://localhost').searchParams;
+          const dir = path.resolve(_importQs.get('dir') || projectDir || process.cwd());
+          const orgsDir = path.join(dir, '.monomind', 'orgs');
+          fs.mkdirSync(orgsDir, { recursive: true });
+          const destFile = path.join(orgsDir, `${orgName}.json`);
+          fs.writeFileSync(destFile, JSON.stringify({ ...cfg, name: orgName }, null, 2), 'utf8');
+          res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+          res.end(JSON.stringify({ ok: true, name: orgName, file: destFile }));
+        } catch (e) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: e.message }));
+        }
+      });
+      return;
+    }
+    // POST /api/orgs — import / create org from JSON body
+    if (req.method === 'POST' && url === '/api/orgs') {
+      let body = '';
+      req.on('data', c => { body += c; if (body.length > 2e6) req.destroy(); });
+      req.on('end', () => {
+        try {
+          const cfg = JSON.parse(body);
+          const qs = new URL(req.url, 'http://localhost').searchParams;
+          const dir = qs.get('dir') || cfg.dir || projectDir || process.cwd();
+          const name = (cfg.name || '').toLowerCase().replace(/[^a-z0-9_-]/g, '-').replace(/^-+|-+$/g, '').slice(0, 64);
+          if (!name) { res.writeHead(400, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Invalid org name' })); return; }
+          const orgsDir = path.join(path.resolve(dir), '.monomind', 'orgs');
+          fs.mkdirSync(orgsDir, { recursive: true });
+          const destFile = path.join(orgsDir, `${name}.json`);
+          const cleanCfg = Object.fromEntries(Object.entries({ ...cfg, name }).filter(([k]) => !k.startsWith('_')));
+          fs.writeFileSync(destFile, JSON.stringify(cleanCfg, null, 2), 'utf8');
+          res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+          res.end(JSON.stringify({ ok: true, name, file: destFile }));
+        } catch (e) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: e.message }));
+        }
+      });
+      return;
+    }
     // GET /api/orgs/:name — get specific org config (exact path: /api/orgs/<slug>)
     if (req.method === 'GET' && /^\/api\/orgs\/[a-z0-9][a-z0-9_-]{0,63}$/i.test(url)) {
       try {
         const orgName = decodeURIComponent(url.slice('/api/orgs/'.length));
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const f = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}.json`);
+        const _orgsOneQs = new URL(req.url, 'http://localhost').searchParams;
+        const f = path.join(path.resolve(_orgsOneQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}.json`);
         if (!fs.existsSync(f)) { res.writeHead(404); res.end('{"error":"not found"}'); return; }
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
         res.end(fs.readFileSync(f, 'utf8'));
@@ -3050,8 +3317,17 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const stopFile = path.join(orgsDir, '.stops', `${orgName}.stop`);
         const running = !fs.existsSync(stopFile) && Object.values(state.agents || {}).some(a => a.status === 'running');
+        // Read real tasks from the task store and group by status column
+        const taskStoreData = readJsonSafe(path.join(d, '.monomind', 'tasks', 'store.json'));
+        const allTasks = taskStoreData ? Object.values(taskStoreData.tasks || {}) : [];
+        const tasks = {
+          todo: allTasks.filter(t => t.status === 'pending').map(t => ({ id: t.taskId, description: t.description, status: 'todo', ts: t.createdAt })),
+          doing: allTasks.filter(t => t.status === 'in_progress').map(t => ({ id: t.taskId, description: t.description, status: 'doing', ts: t.startedAt || t.createdAt })),
+          done: allTasks.filter(t => t.status === 'completed' || t.status === 'failed' || t.status === 'cancelled').map(t => ({ id: t.taskId, description: t.description, status: t.status, ts: t.completedAt || t.createdAt })),
+        };
         const result = { config, state, goals: goalsData.goals, routines: routinesData.routines,
-          approvals: approvalsData.approvals, running, tasks: { todo: [], doing: [], done: [] } };
+          approvals: approvalsData.approvals, running, tasks };
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
         res.end(JSON.stringify(result));
@@ -3115,7 +3391,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const parts = url.split('/');
         const orgName = decodeURIComponent(parts[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('[]'); return; }
-        const d = projectDir || process.cwd();
+        const _projsQs = new URL(req.url, 'http://localhost').searchParams;
+        const d = path.resolve(_projsQs.get('dir') || projectDir || process.cwd());
         const projFile = path.join(d, '.monomind', 'orgs', `${orgName}-projects.json`);
         if (!fs.existsSync(projFile)) { res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' }); res.end('[]'); return; }
         const data = JSON.parse(fs.readFileSync(projFile, 'utf8'));
@@ -3131,7 +3408,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const parts = url.split('/');
         const orgName = decodeURIComponent(parts[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('{}'); return; }
-        const d = projectDir || process.cwd();
+        const _membersQs = new URL(req.url, 'http://localhost').searchParams;
+        const d = path.resolve(_membersQs.get('dir') || projectDir || process.cwd());
         const membersFile = path.join(d, '.monomind', 'orgs', `${orgName}-members.json`);
         if (!fs.existsSync(membersFile)) {
           res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
@@ -3151,7 +3429,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const parts = url.split('/');
         const orgName = decodeURIComponent(parts[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('{}'); return; }
-        const d = projectDir || process.cwd();
+        const _adaptersQs = new URL(req.url, 'http://localhost').searchParams;
+        const d = path.resolve(_adaptersQs.get('dir') || projectDir || process.cwd());
         const adaptersFile = path.join(d, '.monomind', 'orgs', `${orgName}-adapters.json`);
         if (!fs.existsSync(adaptersFile)) {
           // Return defaults derived from org config if available
@@ -3179,7 +3458,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const parts = url.split('/');
         const orgName = decodeURIComponent(parts[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('{}'); return; }
-        const d = projectDir || process.cwd();
+        const _skillsQs = new URL(req.url, 'http://localhost').searchParams;
+        const d = path.resolve(_skillsQs.get('dir') || projectDir || process.cwd());
         const skillsDir = path.join(d, '.claude', 'skills');
         const orgFile = path.join(d, '.monomind', 'orgs', `${orgName}.json`);
@@ -3286,13 +3566,13 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // GET /api/org/:name/search?q=<query> — fuzzy search across org data
     if (req.method === 'GET' && /^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/search(\?.*)?$/i.test(url)) {
       try {
-        const urlObj = new URL(`http://x${url}`);
+        const urlObj = new URL(`http://x${req.url}`);
         const orgName = decodeURIComponent(urlObj.pathname.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('{}'); return; }
         const q = (urlObj.searchParams.get('q') || '').toLowerCase().trim();
         if (!q || q.length < 2) { res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' }); res.end('{"hits":[]}'); return; }
-        const d = projectDir || process.cwd();
+        const d = path.resolve(urlObj.searchParams.get('dir') || projectDir || process.cwd());
         const orgsDir = path.join(d, '.monomind', 'orgs');
         const readJ = (f) => { try { return JSON.parse(fs.readFileSync(f, 'utf8')); } catch(_) { return null; } };
@@ -3310,8 +3590,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         // Goals
         const goals = readJ(path.join(orgsDir, `${orgName}-goals.json`));
         for (const g of (goals?.goals || [])) {
-          if (match(g.title) || match(g.description)) {
-            hits.push({ type: 'goal', id: g.id, title: g.title, meta: g.status || 'open' });
+          if (match(g.title) || match(g.text) || match(g.goal) || match(g.description)) {
+            hits.push({ type: 'goal', id: g.id, title: g.title || g.text || g.goal, meta: g.status || 'open' });
           }
         }
@@ -3339,6 +3619,14 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
           }
         }
+        // Issues
+        const issuesData = readJ(path.join(orgsDir, `${orgName}-issues.json`));
+        for (const i of (issuesData?.issues || [])) {
+          if (match(i.title) || match(i.description) || match(i.slug)) {
+            hits.push({ type: 'issue', id: i.id || i.slug, title: i.title || i.slug, meta: i.status || 'open' });
+          }
+        }
         // Recent activity events
         const eventsFile = path.join(d, 'data', 'mastermind-events.jsonl');
         if (fs.existsSync(eventsFile)) {
@@ -3365,13 +3653,17 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const issuesPath = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-issues.json`);
+        const _issuesQs = new URL(req.url, 'http://localhost').searchParams;
+        const _issuesDir = path.resolve(_issuesQs.get('dir') || projectDir || process.cwd());
+        const issuesPath = path.join(_issuesDir, '.monomind', 'orgs', `${orgName}-issues.json`);
         let payload = { issues: [] };
         try {
           const raw = JSON.parse(fs.readFileSync(issuesPath, 'utf8'));
           payload.issues = (raw.issues || []).map(i => ({
-            id: i.id, slug: i.slug, title: i.title, status: i.status || 'open',
+            id: i.id, slug: i.slug, title: i.title, description: i.description || null,
+            status: i.status || 'open',
             priority: i.priority || 'medium', assignee_id: i.assignee_id || null,
+            assignee: i.assignee || i.assignee_id || null,
             project_id: i.project_id || null, parent_id: i.parent_id || null,
             created_at: i.created_at, updated_at: i.updated_at
           }));
@@ -3422,11 +3714,12 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         try {
           const actPath = path.join(base, `${orgName}-activity.jsonl`);
           const lines = fs.readFileSync(actPath, 'utf8').split('\n').filter(Boolean);
-          const cutoff = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000).toISOString();
+          const cutoffMs = Date.now() - 7 * 24 * 60 * 60 * 1000;
           lines.forEach(line => {
             try {
               const ev = JSON.parse(line);
-              if (!ev.ts || ev.ts < cutoff) return;
+              const evMs = typeof ev.ts === 'number' ? ev.ts : (ev.ts ? Date.parse(ev.ts) : 0);
+              if (!evMs || evMs < cutoffMs) return;
               totalRuns++;
               if (ev.type && ev.type.includes('complete')) successRuns++;
             } catch(_) {}
@@ -3460,7 +3753,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const envsPath = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-environments.json`);
+        const _envsQs = new URL(req.url, 'http://localhost').searchParams;
+        const envsPath = path.join(path.resolve(_envsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-environments.json`);
         let payload = { environments: [], default_env: null };
         try {
           const raw = JSON.parse(fs.readFileSync(envsPath, 'utf8'));
@@ -3486,7 +3780,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _wsQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_wsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         let payload = { workspaces: [] };
         try {
           const wsRaw = JSON.parse(fs.readFileSync(path.join(base, `${orgName}-workspaces.json`), 'utf8'));
@@ -3509,17 +3804,18 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     }
     // GET /api/org/:name/invites — active invites + pending join requests
-    if (req.method === 'GET' && url.match(/^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/invites$/i)) {
+    if (req.method === 'GET' && url.match(/^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/invites(\?.*)?$/i)) {
       try {
-        const orgName = decodeURIComponent(url.split('/')[3]);
+        const orgName = decodeURIComponent(url.split('/')[3].split('?')[0]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _invitesQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_invitesQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         let payload = { invites: [], join_requests: [] };
         try {
           const raw = JSON.parse(fs.readFileSync(path.join(base, `${orgName}-members.json`), 'utf8'));
           const all = raw.join_requests || [];
           payload.invites = all.filter(r => r.type === 'invite' && r.status === 'pending')
-            .map(r => ({ id: r.id, token: r.token ? r.token.slice(0, 8) + '…' : r.id, role: r.role || 'operator', createdAt: r.createdAt || null, status: r.status }));
+            .map(r => ({ id: r.id, token: r.token ? r.token.slice(0, 8) + '…' : r.id, role: r.role || 'operator', createdAt: r.createdAt || null, expiresAt: r.expiresAt || null, status: r.status }));
           payload.join_requests = all.filter(r => r.type !== 'invite' && r.status === 'pending_approval')
             .map(r => ({ id: r.id, requestType: r.requestType || 'human', role: r.role || 'viewer', createdAt: r.createdAt || null, message: r.message || '' }));
         } catch(_) { /* members file missing */ }
@@ -3534,7 +3830,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind');
+        const _pluginsQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_pluginsQs.get('dir') || projectDir || process.cwd()), '.monomind');
         let plugins = [];
         try {
           const reg = JSON.parse(fs.readFileSync(path.join(base, 'plugins', 'registry.json'), 'utf8'));
@@ -3572,7 +3869,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _myIssuesQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_myIssuesQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         let payload = { issues: [] };
         try {
           const raw = JSON.parse(fs.readFileSync(path.join(base, `${orgName}-issues.json`), 'utf8'));
@@ -3582,12 +3880,15 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
             .map(i => ({
               id: i.id,
               title: i.title || null,
+              description: i.description || null,
               status: i.status || 'open',
               priority: i.priority || 'medium',
               assigneeId: i.assigneeId || i.assigned_to || null,
               projectId: i.projectId || i.project_id || null,
               createdAt: i.createdAt || null,
               lastActivityAt: i.lastActivityAt || null,
+              updated_at: i.updated_at || i.lastActivityAt || i.updatedAt || i.ts || null,
+              ts: i.ts || i.updated_at || i.lastActivityAt || null,
             }));
         } catch(_) { /* issues file missing */ }
         res.writeHead(200, { 'Content-Type': 'application/json' });
@@ -3601,7 +3902,9 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _agentsQs = new URL(req.url, 'http://localhost').searchParams;
+        const d = path.resolve(_agentsQs.get('dir') || projectDir || process.cwd());
+        const base = path.join(d, '.monomind', 'orgs');
         const readJsonSafe = (f) => { try { return JSON.parse(fs.readFileSync(f, 'utf8')); } catch(_) { return null; } };
         const config = readJsonSafe(path.join(base, `${orgName}.json`)) || {};
         const stateData = readJsonSafe(path.join(base, `${orgName}-state.json`)) || {};
@@ -3614,8 +3917,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
           return {
             id: r.id,
             title: r.title || r.id,
-            adapterType: (r.adapter && r.adapter.type) || null,
-            adapterModel: (r.adapter && r.adapter.model) || null,
+            adapterType: r.agent_type || r.type || null,
+            adapterModel: (r.adapter_config && r.adapter_config.model) || (r.adapter && r.adapter.model) || null,
             governance: r.governance || null,
             reportsTo: r.reports_to || null,
             status: s.status || 'idle',
@@ -3636,7 +3939,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3].split('?')[0]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _approvalsQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_approvalsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         const readJsonSafe = (f) => { try { return JSON.parse(fs.readFileSync(f, 'utf8')); } catch(_) { return null; } };
         const data = readJsonSafe(path.join(base, `${orgName}-approvals.json`)) || { approvals: [] };
         const approvals = (data.approvals || [])
@@ -3671,7 +3975,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // Body: { action: "approve" | "reject" | "revision_requested" }
     if (req.method === 'POST' && url.match(/^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/approvals\/[^/]+$/i)) {
       let body = '';
-      for await (const chunk of req) body += chunk;
+      for await (const chunk of req) { body += chunk; if (body.length > 2097152) { req.destroy(); break; } }
       try {
         const parts = url.split('/');
         const orgName = decodeURIComponent(parts[3]);
@@ -3683,7 +3987,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         if (!['approve', 'reject', 'revision_requested'].includes(action)) {
           res.writeHead(400); res.end('{"error":"action must be approve, reject, or revision_requested"}'); return;
         }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _postApprovalsQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_postApprovalsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         const approvalsFile = path.join(base, `${orgName}-approvals.json`);
         let data = { approvals: [] };
         try { data = JSON.parse(fs.readFileSync(approvalsFile, 'utf8')); } catch(_) {}
@@ -3701,7 +4006,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         fs.renameSync(tmp, approvalsFile);
         // Emit org:approval:resolved event so boss agent unblocks
         const event = { type: 'org:approval:resolved', org: orgName, approval_id: approvalId, status, ts: Date.now() };
-        try { fs.appendFileSync(path.join(projectDir || process.cwd(), 'data', 'mastermind-events.jsonl'), JSON.stringify(event) + '\n'); } catch(_) {}
+        try { fs.appendFileSync(path.join(path.resolve(_postApprovalsQs.get('dir') || projectDir || process.cwd()), 'data', 'mastermind-events.jsonl'), JSON.stringify(event) + '\n'); } catch(_) {}
         const msg = `data: ${JSON.stringify(event)}\n\n`;
         for (const c of mmSseClients) { try { c.write(msg); } catch(_) { mmSseClients.delete(c); } }
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
@@ -3715,7 +4020,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _secretsQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_secretsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         const secretsDir = path.join(base, '.secrets');
         const readJsonSafe = (f) => { try { return JSON.parse(fs.readFileSync(f, 'utf8')); } catch(_) { return null; } };
         // Read secrets index — NEVER expose actual values
@@ -3723,6 +4029,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const data = readJsonSafe(indexFile) || { secrets: [] };
         const secrets = (data.secrets || []).map(s => ({
           name: s.name,
+          purpose: s.purpose || null,
           maskedRef: s.maskedRef || `${(s.name||'').substring(0,4)}***`,
           status: s.status || 'active',
           createdAt: s.createdAt || null,
@@ -3742,7 +4049,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const base = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _budgetsQs = new URL(req.url, 'http://localhost').searchParams;
+        const base = path.join(path.resolve(_budgetsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         let budgetData = { org_budget: {}, agent_budgets: {}, period: 'monthly', currency: 'USD' };
         try { budgetData = JSON.parse(fs.readFileSync(path.join(base, `${orgName}-budgets.json`), 'utf8')); } catch(_) {}
         // Enrich with per-agent spend from state file.
@@ -3785,12 +4093,17 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const threadsFile = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-threads.jsonl`);
+        const _threadsQs = new URL(req.url, 'http://localhost').searchParams;
+        const threadsFile = path.join(path.resolve(_threadsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-threads.jsonl`);
         let threads = [];
         try {
           const lines = fs.readFileSync(threadsFile, 'utf8').split('\n').filter(l => l.trim());
           threads = lines.map(l => { try { return JSON.parse(l); } catch(_) { return null; } }).filter(Boolean);
-          threads = threads.filter(t => t.type === 'thread' || !t.type);
+          threads = threads.filter(t => t.type === 'thread' || !t.type).map(t => ({
+            ...t,
+            author: t.author || t.authorName || t.createdBy || t.authorId || null,
+            messageCount: t.messageCount != null ? t.messageCount : (Array.isArray(t.messages) ? t.messages.length : (typeof t.messages === 'number' ? t.messages : null)),
+          }));
         } catch(_) {}
         res.writeHead(200, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify({ threads }));
@@ -3804,7 +4117,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3].split('?')[0]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const joinFile = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-join-requests.json`);
+        const _joinQs = new URL(req.url, 'http://localhost').searchParams;
+        const joinFile = path.join(path.resolve(_joinQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-join-requests.json`);
         let requests = [];
         try {
           const raw = fs.readFileSync(joinFile, 'utf8');
@@ -3831,7 +4145,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const goalsFile = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-goals.json`);
+        const _goalsQs = new URL(req.url, 'http://localhost').searchParams;
+        const goalsFile = path.join(path.resolve(_goalsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-goals.json`);
         let data = { goals: [] };
         try { data = JSON.parse(fs.readFileSync(goalsFile, 'utf8')); } catch(_) {}
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
@@ -3845,7 +4160,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const routinesFile = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-routines.json`);
+        const _routinesQs = new URL(req.url, 'http://localhost').searchParams;
+        const routinesFile = path.join(path.resolve(_routinesQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-routines.json`);
         let data = { routines: [] };
         try { data = JSON.parse(fs.readFileSync(routinesFile, 'utf8')); } catch(_) {}
         res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
@@ -3858,13 +4174,14 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // Body: { goals: [{id, title, description, status, priority, assignee_id, created_at}] }
     if (req.method === 'POST' && url.match(/^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/goals$/i)) {
       let body = '';
-      for await (const chunk of req) body += chunk;
+      for await (const chunk of req) { body += chunk; if (body.length > 2097152) { req.destroy(); break; } }
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
         const parsed = JSON.parse(body);
         if (!parsed || !Array.isArray(parsed.goals)) { res.writeHead(400); res.end('{"error":"goals array required"}'); return; }
-        const goalsFile = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-goals.json`);
+        const _postGoalsQs = new URL(req.url, 'http://localhost').searchParams;
+        const goalsFile = path.join(path.resolve(_postGoalsQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-goals.json`);
         const tmp = `${goalsFile}.tmp`;
         const payload = { org: orgName, updated_at: new Date().toISOString(), goals: parsed.goals };
         fs.writeFileSync(tmp, JSON.stringify(payload, null, 2), 'utf-8');
@@ -3879,13 +4196,14 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // Body: { routines: [{name, description, schedule, enabled, last_run, next_run}] }
     if (req.method === 'POST' && url.match(/^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/routines$/i)) {
       let body = '';
-      for await (const chunk of req) body += chunk;
+      for await (const chunk of req) { body += chunk; if (body.length > 2097152) { req.destroy(); break; } }
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
         const parsed = JSON.parse(body);
         if (!parsed || !Array.isArray(parsed.routines)) { res.writeHead(400); res.end('{"error":"routines array required"}'); return; }
-        const routinesFile = path.join(projectDir || process.cwd(), '.monomind', 'orgs', `${orgName}-routines.json`);
+        const _postRoutinesQs = new URL(req.url, 'http://localhost').searchParams;
+        const routinesFile = path.join(path.resolve(_postRoutinesQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs', `${orgName}-routines.json`);
         const tmp = `${routinesFile}.tmp`;
         const payload = { org: orgName, updated_at: new Date().toISOString(), routines: parsed.routines };
         fs.writeFileSync(tmp, JSON.stringify(payload, null, 2), 'utf-8');
@@ -3896,16 +4214,95 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       return;
     }
-    // DELETE /api/orgs/:name — delete an org config and all associated data files
-    if (req.method === 'DELETE' && url.match(/^\/api\/orgs\/[a-z0-9][a-z0-9_-]{0,63}$/i)) {
+    // GET /api/org/:name/files — all files related to an org
+    if (req.method === 'GET' && url.match(/^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/files$/i)) {
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
+        if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('{"error":"Invalid org name"}'); return; }
+        const _filesQs = new URL(req.url, 'http://localhost').searchParams;
+        const d = path.resolve(_filesQs.get('dir') || projectDir || process.cwd());
+        const orgsDir = path.join(d, '.monomind', 'orgs');
+        const files = [];
+        const seen = new Set();
+        const addFile = (fp, type) => {
+          if (seen.has(fp)) return; seen.add(fp);
+          try { const st = fs.statSync(fp); files.push({ name: path.basename(fp), path: fp, type, size: st.size, mtime: st.mtime.toISOString() }); } catch (_) {}
+        };
+        addFile(path.join(orgsDir, orgName + '.json'), 'config');
+        for (const s of ['-state','-approvals','-goals','-routines','-projects','-members','-issues','-threads','-budgets']) {
+          const fp = path.join(orgsDir, orgName + s + '.json');
+          if (fs.existsSync(fp)) addFile(fp, s.slice(1));
+        }
+        const walkDir = (dir, depth) => {
+          if (depth > 3) return;
+          let entries; try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch (_) { return; }
+          for (const e of entries) {
+            if (e.name.startsWith('.')) continue;
+            const fp = path.join(dir, e.name);
+            if (e.isDirectory()) walkDir(fp, depth + 1);
+            else addFile(fp, 'generated');
+          }
+        };
+        const orgWorkDir = path.join(orgsDir, orgName);
+        if (fs.existsSync(orgWorkDir)) walkDir(orgWorkDir, 0);
+        let orgCfg = null;
+        try { orgCfg = JSON.parse(fs.readFileSync(path.join(orgsDir, orgName + '.json'), 'utf8')); } catch (_) {}
+        if (orgCfg && Array.isArray(orgCfg.roles)) {
+          const agentsDir = path.join(d, '.claude', 'agents');
+          const walkAgents = (dir) => {
+            let entries; try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch (_) { return; }
+            for (const e of entries) {
+              if (e.isDirectory()) { walkAgents(path.join(dir, e.name)); continue; }
+              if (!e.name.endsWith('.md')) continue;
+              const fp = path.join(dir, e.name);
+              const base = e.name.replace('.md', '').toLowerCase();
+              if (orgCfg.roles.some(r => base === (r.id||'').toLowerCase() || base === (r.agent_type||'').toLowerCase() || (r.instructions_file||'').endsWith(e.name))) addFile(fp, 'agent-definition');
+            }
+          };
+          if (fs.existsSync(agentsDir)) walkAgents(agentsDir);
+        }
+        files.sort((a, b) => new Date(b.mtime) - new Date(a.mtime));
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
+        res.end(JSON.stringify(files));
+      } catch (e) { res.writeHead(500); res.end(JSON.stringify({ error: e.message })); }
+      return;
+    }
+    // GET /api/file-content — return raw text content of a .monomind file
+    if (req.method === 'GET' && url === '/api/file-content') {
+      try {
+        const _fcQs = new URL(req.url, 'http://localhost').searchParams;
+        const rawPath = _fcQs.get('path');
+        const baseDir = path.resolve(_fcQs.get('dir') || projectDir || process.cwd());
+        if (!rawPath) { res.writeHead(400); res.end('Missing path'); return; }
+        const resolved = path.resolve(rawPath);
+        // Security: must be inside .monomind of the project dir
+        const monomindDir = path.join(baseDir, '.monomind');
+        if (!resolved.startsWith(monomindDir + path.sep) && resolved !== monomindDir) {
+          res.writeHead(403); res.end('Forbidden'); return;
+        }
+        if (!fs.existsSync(resolved)) { res.writeHead(404); res.end('Not found'); return; }
+        const stat = fs.statSync(resolved);
+        if (!stat.isFile()) { res.writeHead(400); res.end('Not a file'); return; }
+        if (stat.size > 524288) { res.writeHead(413); res.end('File too large'); return; }
+        const content = fs.readFileSync(resolved, 'utf8');
+        res.writeHead(200, { 'Content-Type': 'text/plain; charset=utf-8', 'Access-Control-Allow-Origin': '*' });
+        res.end(content);
+      } catch(_) { res.writeHead(500); res.end('Internal error'); }
+      return;
+    }
+    // DELETE /api/orgs/:name — delete an org config and all associated data files
+    if (req.method === 'DELETE' && url.match(/^\/api\/orgs\/[a-z0-9][a-z0-9_-]{0,63}(\?.*)?$/i)) {
+      try {
+        const orgName = decodeURIComponent(url.split('/')[3].split('?')[0]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
-        const orgsDir = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _delOrgQs = new URL(req.url, 'http://localhost').searchParams;
+        const orgsDir = path.join(path.resolve(_delOrgQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         const configFile = path.join(orgsDir, `${orgName}.json`);
         if (!fs.existsSync(configFile)) { res.writeHead(404); res.end('{"error":"org not found"}'); return; }
         // Remove all org-associated files (config + state + data)
-        const suffixes = ['', '-state', '-goals', '-routines', '-approvals', '-activity', '-issues', '-members', '-projects', '-workspaces', '-worktrees', '-environments', '-plugins', '-adapters'];
+        const suffixes = ['', '-state', '-goals', '-routines', '-approvals', '-activity', '-issues', '-members', '-projects', '-workspaces', '-worktrees', '-environments', '-plugins', '-adapters', '-budgets', '-threads', '-secrets', '-join-requests', '-bootstrap', '-project-workspaces', '-approval-comments', '-skills'];
         for (const suf of suffixes) {
           const f = path.join(orgsDir, `${orgName}${suf}.json`);
           try { if (fs.existsSync(f)) fs.unlinkSync(f); } catch(_) {}
@@ -3914,6 +4311,18 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         }
         // Remove stop file if present
         try { fs.unlinkSync(path.join(orgsDir, '.stops', `${orgName}.stop`)); } catch(_) {}
+        // Remove org subdirectory under .monomind/orgs/ (legacy flat-file location)
+        try { const orgWorkDir = path.join(orgsDir, orgName); if (fs.existsSync(orgWorkDir)) fs.rmSync(orgWorkDir, { recursive: true, force: true }); } catch(_) {}
+        // Remove org subdirectory under git-safe location (.git/monomind/orgs/<name>/) so run
+        // files written by the worktree-aware path (feat 880f034e) are also cleaned up on delete
+        try {
+          const _delWorkDir = path.resolve(_delOrgQs.get('dir') || projectDir || process.cwd());
+          const _delGitMonoDir = _getGitMonomindDir(_delWorkDir);
+          if (_delGitMonoDir) {
+            const gitOrgDir = path.join(_delGitMonoDir, 'orgs', orgName);
+            if (fs.existsSync(gitOrgDir)) fs.rmSync(gitOrgDir, { recursive: true, force: true });
+          }
+        } catch(_) {}
         // Remove loop prompt file if present (created for scheduled orgs by createorg)
         try { const lpf = path.join(path.resolve(projectDir || process.cwd()), '.monomind', 'loops', `${orgName}.md`); if (fs.existsSync(lpf)) fs.unlinkSync(lpf); } catch(_) {}
         // Emit org:delete event
@@ -3932,13 +4341,15 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end('Invalid org name'); return; }
+        const _stopOrgQs = new URL(req.url, 'http://localhost').searchParams;
+        const _stopOrgBase = path.resolve(_stopOrgQs.get('dir') || projectDir || process.cwd());
         const stopEvent = { type: 'org:stop', org: orgName, ts: Date.now() };
-        const dataDir = path.join(projectDir || process.cwd(), 'data');
+        const dataDir = path.join(_stopOrgBase, 'data');
         try { fs.mkdirSync(dataDir, { recursive: true }); } catch(_) {}
         try { fs.appendFileSync(path.join(dataDir, 'mastermind-events.jsonl'), JSON.stringify(stopEvent) + '\n'); } catch(_) {}
         // Write stop marker file for boss agent to detect
         try {
-          const stopDir = path.join(projectDir || process.cwd(), '.monomind', 'orgs', '.stops');
+          const stopDir = path.join(_stopOrgBase, '.monomind', 'orgs', '.stops');
           fs.mkdirSync(stopDir, { recursive: true });
           fs.writeFileSync(path.join(stopDir, `${orgName}.stop`), String(Date.now()));
         } catch(_) {}
@@ -3953,7 +4364,7 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
     // POST /api/orgs/:name/copy — copy org config to another project directory
     if (req.method === 'POST' && url.match(/^\/api\/orgs\/[a-z0-9][a-z0-9_-]{0,63}\/copy$/i)) {
       let body = '';
-      for await (const chunk of req) body += chunk;
+      for await (const chunk of req) { body += chunk; if (body.length > 2097152) { req.destroy(); break; } }
       try {
         const orgName = decodeURIComponent(url.split('/')[3]);
         if (orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) { res.writeHead(400); res.end(JSON.stringify({ error: 'Invalid org name' })); return; }
@@ -3962,7 +4373,8 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         const destination = payload.destination ? String(payload.destination).trim() : '';
         if (!destination) { res.writeHead(400); res.end(JSON.stringify({ error: 'destination is required' })); return; }
         if (!path.isAbsolute(destination)) { res.writeHead(400); res.end(JSON.stringify({ error: 'destination must be an absolute path' })); return; }
-        const srcOrgsDir = path.join(projectDir || process.cwd(), '.monomind', 'orgs');
+        const _copyOrgQs = new URL(req.url, 'http://localhost').searchParams;
+        const srcOrgsDir = path.join(path.resolve(_copyOrgQs.get('dir') || projectDir || process.cwd()), '.monomind', 'orgs');
         const srcFile = path.join(srcOrgsDir, `${orgName}.json`);
         if (!fs.existsSync(srcFile)) { res.writeHead(404); res.end(JSON.stringify({ error: 'org not found' })); return; }
         const destOrgsDir = path.join(path.resolve(destination), '.monomind', 'orgs');
@@ -3975,16 +4387,87 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       return;
     }
+    // GET /api/org/:name/runs — list structured run files for an org
+    if (req.method === 'GET' && /^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/runs(\?.*)?$/i.test(url)) {
+      try {
+        const _rQs = new URL(req.url, 'http://localhost').searchParams;
+        const _rOrgName = decodeURIComponent(url.split('/')[3] || '');
+        const _rWorkDir = path.resolve(_rQs.get('dir') || projectDir || process.cwd());
+        const _rMonoDir = _getGitMonomindDir(_rWorkDir) || path.join(_rWorkDir, '.monomind');
+        const _rDir = path.join(_rMonoDir, 'orgs', _rOrgName, 'runs');
+        const runs = [];
+        if (fs.existsSync(_rDir)) {
+          const files = fs.readdirSync(_rDir).filter(f => f.endsWith('.jsonl')).sort().reverse();
+          for (const f of files.slice(0, 50)) {
+            try {
+              const raw = fs.readFileSync(path.join(_rDir, f), 'utf8');
+              const allLines = raw.split('\n').filter(Boolean);
+              const eventCount = allLines.length;
+              const parse = l => { try { return JSON.parse(l); } catch { return null; } };
+              const headEvents = allLines.slice(0, 5).map(parse).filter(Boolean);
+              const tailEvents = allLines.slice(-5).map(parse).filter(Boolean);
+              const first = headEvents.find(e => e.type === 'run:start') || headEvents[0];
+              const last = tailEvents.slice().reverse().find(e => e.type === 'run:complete' || e.type === 'org:complete');
+              const cycles = allLines.filter(l => l.includes('"org:checkpoint"')).length;
+              const lastEvent = tailEvents[tailEvents.length - 1] || headEvents[headEvents.length - 1];
+              const ageMs = lastEvent?.ts ? Date.now() - lastEvent.ts : Infinity;
+              const isStale = !last && ageMs > 30 * 60 * 1000;
+              runs.push({ runId: f.replace('.jsonl', ''), startedAt: first?.ts || 0, endedAt: last?.ts || 0,
+                status: last ? 'complete' : isStale ? 'stale' : 'running',
+                eventCount, cycleCount: cycles, goal: first?.goal || '', bossRole: first?.bossRole || '' });
+            } catch (_) {}
+          }
+        }
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
+        res.end(JSON.stringify(runs));
+      } catch (_) { res.writeHead(500); res.end('[]'); }
+      return;
+    }
+    // GET /api/org/:name/runs/:runId — get all events for a specific run
+    if (req.method === 'GET' && /^\/api\/org\/[a-z0-9][a-z0-9_-]{0,63}\/runs\/[a-z0-9][a-z0-9_-]{0,79}(\?.*)?$/i.test(url)) {
+      try {
+        const _rvQs = new URL(req.url, 'http://localhost').searchParams;
+        const _rvParts = url.replace(/\?.*$/, '').split('/');
+        const _rvOrgName = decodeURIComponent(_rvParts[3] || '');
+        const _rvRunId = decodeURIComponent(_rvParts[5] || '');
+        const _rvWorkDir = path.resolve(_rvQs.get('dir') || projectDir || process.cwd());
+        const _rvMonoDir = _getGitMonomindDir(_rvWorkDir) || path.join(_rvWorkDir, '.monomind');
+        const _rvFile = path.join(_rvMonoDir, 'orgs', _rvOrgName, 'runs', `${_rvRunId}.jsonl`);
+        if (!fs.existsSync(_rvFile)) { res.writeHead(404); res.end('{"error":"run not found"}'); return; }
+        const events = fs.readFileSync(_rvFile, 'utf8').split('\n').filter(Boolean)
+          .map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean);
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*', 'Cache-Control': 'no-cache' });
+        res.end(JSON.stringify(events));
+      } catch (_) { res.writeHead(500); res.end('[]'); }
+      return;
+    }
     // ------------------------------------------------- Mastermind event system
     // POST /api/mastermind/event — ingest event from mastermind skill
     if (req.method === 'POST' && url === '/api/mastermind/event') {
       let body = '';
-      for await (const chunk of req) body += chunk;
+      for await (const chunk of req) { body += chunk; if (body.length > 2097152) { req.destroy(); break; } }
       let event = {};
       try { event = JSON.parse(body); } catch (_) {}
       event.ts = event.ts || Date.now();
-      // Use project path from event if provided (multi-project support)
-      const eventProject = event.project && path.isAbsolute(event.project) ? event.project : null;
+      // Use project path from event if provided (multi-project support).
+      // Security: path.isAbsolute() alone is insufficient — an attacker can
+      // supply event.project="/etc" and cause writes to system directories.
+      // Only accept paths that resolve to an existing directory AND are not
+      // the filesystem root (/), AND are not obviously system paths.
+      // Cap to 4096 chars to prevent OOM from huge path strings.
+      const _rawProject = event.project;
+      let eventProject = null;
+      if (typeof _rawProject === 'string' && _rawProject.length > 0 && _rawProject.length <= 4096
+          && path.isAbsolute(_rawProject)) {
+        // Reject filesystem root and common system directories
+        const _norm = path.resolve(_rawProject);
+        const _systemPaths = ['/', '/etc', '/usr', '/bin', '/sbin', '/lib', '/lib64', '/boot', '/dev', '/sys', '/proc', '/tmp'];
+        if (!_systemPaths.includes(_norm) && !_systemPaths.some(p => _norm.startsWith(p + '/'))) {
+          eventProject = _norm;
+        }
+      }
       const root = eventProject || projectDir || process.cwd();
       const dataDir = path.join(root, 'data');
       try { fs.mkdirSync(dataDir, { recursive: true }); } catch (_) {}
@@ -3998,6 +4481,28 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
         } catch (_) {}
       }
       try { fs.appendFileSync(path.join(dataDir, 'mastermind-events.jsonl'), JSON.stringify(event) + '\n'); } catch (_) {}
+      // Track active runs and route org events to run files
+      if (event.org) {
+        const _orgKey = String(event.org).trim();
+        // Any event with both org+runId updates the active run map (run:start written directly to file so org:start is first via curl)
+        if (event.runId) activeOrgRuns.set(_orgKey, String(event.runId).trim());
+        else if (activeOrgRuns.has(_orgKey)) event.runId = activeOrgRuns.get(_orgKey);
+        if (event.type === 'run:complete' || event.type === 'org:complete') activeOrgRuns.delete(_orgKey);
+      }
+      // Persist to git-safe run file (survives branch switches + shared across worktrees)
+      if (event.org && event.runId) {
+        try {
+          const _orn = String(event.org).trim();
+          const _rid = String(event.runId).trim();
+          if (_orn.length > 0 && _orn.length <= 64 && /^[a-z0-9][a-z0-9_-]*$/i.test(_orn)
+              && _rid.length > 0 && _rid.length <= 80 && /^[a-z0-9][a-z0-9_-]*$/i.test(_rid)) {
+            const _monoDir = _getGitMonomindDir(root) || path.join(root, '.monomind');
+            const _runDir = path.join(_monoDir, 'orgs', _orn, 'runs');
+            fs.mkdirSync(_runDir, { recursive: true });
+            fs.appendFileSync(path.join(_runDir, `${_rid}.jsonl`), JSON.stringify(event) + '\n');
+          }
+        } catch (_) {}
+      }
       // Persist session
       try {
         const sessFile = path.join(dataDir, 'mastermind-sessions.json');
@@ -4016,12 +4521,19 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
           }
         }
         fs.writeFileSync(sessFile, JSON.stringify(sessions.slice(0, 50), null, 2));
-        // Also write individual session file for direct traceability
+        // Also write individual session file for direct traceability.
+        // Security: validate event.session before using it as a filename to
+        // prevent path traversal (e.g. "../../../etc/cron.d/payload").
         const sessionObj = sessions.find(s => s.id === event.session);
         if (sessionObj) {
           const sessDir = path.join(dataDir, 'sessions');
           try { fs.mkdirSync(sessDir, { recursive: true }); } catch (_) {}
-          try { fs.writeFileSync(path.join(sessDir, `${event.session}.json`), JSON.stringify(sessionObj, null, 2)); } catch (_) {}
+          try {
+            const _sid = String(event.session || '').trim();
+            if (_sid.length > 0 && _sid.length <= 128 && /^[a-zA-Z0-9_.-]+$/.test(_sid)) {
+              fs.writeFileSync(path.join(sessDir, `${_sid}.json`), JSON.stringify(sessionObj, null, 2));
+            }
+          } catch (_) {}
         }
       } catch (_) {}
       // For org:stop events, write a stop marker the boss agent can detect
@@ -4198,6 +4710,75 @@ export async function startServer({ port = 4242, projectDir, openBrowser = true
       return;
     }
+    // GET /api/status — live system snapshot for dashboard polling
+    if (req.method === 'GET' && url === '/api/status') {
+      try {
+        const root = projectDir || process.cwd();
+        // Active org runs: { orgName -> runId }
+        const orgRuns = {};
+        activeOrgRuns.forEach((runId, org) => { orgRuns[org] = runId; });
+        // Recent events (last 10)
+        let recentEvents = [];
+        try {
+          const evPath = path.join(root, 'data', 'mastermind-events.jsonl');
+          const lines = fs.readFileSync(evPath, 'utf8').split('\n').filter(l => l.trim()).slice(-10);
+          recentEvents = lines.map(l => { try { return JSON.parse(l); } catch(_) { return null; } }).filter(Boolean);
+        } catch(_) {}
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+        res.end(JSON.stringify({
+          ts: Date.now(),
+          uptime: process.uptime(),
+          sseClients: mmSseClients.size,
+          activeOrgs: Object.keys(orgRuns).length,
+          orgRuns,
+          recentEvents,
+        }));
+      } catch(err) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: err.message }));
+      }
+      return;
+    }
+    // GET /api/orgs/:name/runs/current — events from the active run file for an org
+    if (req.method === 'GET' && /^\/api\/orgs\/[^/]+\/runs\/current$/.test(url)) {
+      try {
+        const orgName = decodeURIComponent(url.split('/')[3]);
+        const root = projectDir || process.cwd();
+        // Validate orgName
+        if (!orgName || orgName.length > 64 || !/^[a-z0-9][a-z0-9_-]*$/i.test(orgName)) {
+          res.writeHead(400); res.end('{"error":"invalid org name"}'); return;
+        }
+        const runId = activeOrgRuns.get(orgName);
+        const monoDir = _getGitMonomindDir(root) || path.join(root, '.monomind');
+        // Try active run first, then fall back to most recent run file
+        let runFile = null;
+        if (runId) {
+          const candidate = path.join(monoDir, 'orgs', orgName, 'runs', `${runId}.jsonl`);
+          if (fs.existsSync(candidate)) runFile = candidate;
+        }
+        if (!runFile) {
+          const runsDir = path.join(monoDir, 'orgs', orgName, 'runs');
+          if (fs.existsSync(runsDir)) {
+            const files = fs.readdirSync(runsDir).filter(f => f.endsWith('.jsonl'));
+            if (files.length) {
+              files.sort();
+              runFile = path.join(runsDir, files[files.length - 1]);
+            }
+          }
+        }
+        if (!runFile) { res.writeHead(404); res.end('{"events":[],"runId":null}'); return; }
+        const detectedRunId = path.basename(runFile, '.jsonl');
+        const lines = fs.readFileSync(runFile, 'utf8').split('\n').filter(l => l.trim()).slice(-100);
+        const events = lines.map(l => { try { return JSON.parse(l); } catch(_) { return null; } }).filter(Boolean);
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+        res.end(JSON.stringify({ runId: detectedRunId, events, active: activeOrgRuns.has(orgName) }));
+      } catch(err) {
+        res.writeHead(500); res.end(JSON.stringify({ error: err.message }));
+      }
+      return;
+    }
     // GET /api/mastermind/metrics — aggregate system metrics from token-summary and swarm-activity
     if (req.method === 'GET' && url === '/api/mastermind/metrics') {
       try {