@useorgx/openclaw-plugin 0.2.1 → 0.3.1

package/dist/http-handler.js

@@ -8,6 +8,7 @@
  *   /orgx/api/agents     → agent states
  *   /orgx/api/activity   → activity feed
  *   /orgx/api/initiatives → initiative data
+ *   /orgx/api/health     → plugin diagnostics + outbox/sync status
  *   /orgx/api/onboarding → onboarding / config state
  *   /orgx/api/delegation/preflight → delegation preflight
  *   /orgx/api/runs/:id/checkpoints → list/create checkpoints
@@ -15,9 +16,656 @@
  *   /orgx/api/runs/:id/actions/:action → run control action
  */
 import { readFileSync, existsSync } from "node:fs";
-import { join, extname } from "node:path";
+import { homedir } from "node:os";
+import { join, extname, normalize, resolve, relative, sep } from "node:path";
 import { fileURLToPath } from "node:url";
+import { spawn } from "node:child_process";
+import { createHash, randomUUID } from "node:crypto";
 import { formatStatus, formatAgents, formatActivity, formatInitiatives, getOnboardingState, } from "./dashboard-api.js";
+import { loadLocalOpenClawSnapshot, loadLocalTurnDetail, toLocalLiveActivity, toLocalLiveAgents, toLocalLiveInitiatives, toLocalSessionTree, } from "./local-openclaw.js";
+import { defaultOutboxAdapter } from "./adapters/outbox.js";
+import { readAgentContexts, upsertAgentContext } from "./agent-context-store.js";
+import { getAgentRun, markAgentRunStopped, readAgentRuns, upsertAgentRun, } from "./agent-run-store.js";
+import { readByokKeys, writeByokKeys } from "./byok-store.js";
+// =============================================================================
+// Helpers
+// =============================================================================
+function safeErrorMessage(err) {
+    if (err instanceof Error)
+        return err.message;
+    if (typeof err === "string")
+        return err;
+    return "Unexpected error";
+}
+function isUserScopedApiKey(apiKey) {
+    return apiKey.trim().toLowerCase().startsWith("oxk_");
+}
+function parseJsonSafe(value) {
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return null;
+    }
+}
+function maskSecret(value) {
+    if (!value)
+        return null;
+    const trimmed = value.trim();
+    if (!trimmed)
+        return null;
+    if (trimmed.length <= 8)
+        return `${trimmed[0]}…${trimmed.slice(-1)}`;
+    return `${trimmed.slice(0, 4)}…${trimmed.slice(-4)}`;
+}
+function modelImpliesByok(model) {
+    const lower = (model ?? "").trim().toLowerCase();
+    if (!lower)
+        return false;
+    return (lower.includes("openrouter") ||
+        lower.includes("anthropic") ||
+        lower.includes("openai"));
+}
+async function fetchBillingStatusSafe(client) {
+    try {
+        return await client.getBillingStatus();
+    }
+    catch {
+        return null;
+    }
+}
+function resolveByokEnvOverrides() {
+    const stored = readByokKeys();
+    const env = {};
+    const openai = stored?.openaiApiKey?.trim() ?? "";
+    const anthropic = stored?.anthropicApiKey?.trim() ?? "";
+    const openrouter = stored?.openrouterApiKey?.trim() ?? "";
+    if (openai)
+        env.OPENAI_API_KEY = openai;
+    if (anthropic)
+        env.ANTHROPIC_API_KEY = anthropic;
+    if (openrouter)
+        env.OPENROUTER_API_KEY = openrouter;
+    return env;
+}
+async function runCommandCollect(input) {
+    const timeoutMs = input.timeoutMs ?? 10_000;
+    return await new Promise((resolve, reject) => {
+        const child = spawn(input.command, input.args, {
+            env: input.env ? { ...process.env, ...input.env } : process.env,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        const timer = timeoutMs
+            ? setTimeout(() => {
+                try {
+                    child.kill("SIGKILL");
+                }
+                catch {
+                    // best effort
+                }
+                reject(new Error(`Command timed out after ${timeoutMs}ms`));
+            }, timeoutMs)
+            : null;
+        child.stdout?.on("data", (chunk) => {
+            stdout += chunk.toString("utf8");
+        });
+        child.stderr?.on("data", (chunk) => {
+            stderr += chunk.toString("utf8");
+        });
+        child.on("error", (err) => {
+            if (timer)
+                clearTimeout(timer);
+            reject(err);
+        });
+        child.on("close", (code) => {
+            if (timer)
+                clearTimeout(timer);
+            resolve({ stdout, stderr, exitCode: typeof code === "number" ? code : null });
+        });
+    });
+}
+async function listOpenClawAgents() {
+    const result = await runCommandCollect({
+        command: "openclaw",
+        args: ["agents", "list", "--json"],
+        timeoutMs: 5_000,
+        env: resolveByokEnvOverrides(),
+    });
+    if (result.exitCode !== 0) {
+        throw new Error(result.stderr.trim() || "openclaw agents list failed");
+    }
+    const parsed = parseJsonSafe(result.stdout);
+    if (!Array.isArray(parsed)) {
+        throw new Error("openclaw agents list returned invalid JSON");
+    }
+    return parsed.filter((entry) => Boolean(entry && typeof entry === "object"));
+}
+function spawnOpenClawAgentTurn(input) {
+    const args = [
+        "agent",
+        "--agent",
+        input.agentId,
+        "--session-id",
+        input.sessionId,
+        "--message",
+        input.message,
+    ];
+    if (input.thinking) {
+        args.push("--thinking", input.thinking);
+    }
+    const child = spawn("openclaw", args, {
+        env: { ...process.env, ...resolveByokEnvOverrides() },
+        stdio: "ignore",
+        detached: true,
+    });
+    child.unref();
+    return { pid: child.pid ?? null };
+}
+function normalizeOpenClawProvider(value) {
+    const raw = (value ?? "").trim().toLowerCase();
+    if (!raw)
+        return null;
+    if (raw === "auto")
+        return null;
+    if (raw === "claude")
+        return "anthropic";
+    if (raw === "anthropic")
+        return "anthropic";
+    if (raw === "openrouter" || raw === "open-router")
+        return "openrouter";
+    if (raw === "openai")
+        return "openai";
+    return null;
+}
+async function setOpenClawAgentModel(input) {
+    const agentId = input.agentId.trim();
+    const model = input.model.trim();
+    if (!agentId || !model) {
+        throw new Error("agentId and model are required");
+    }
+    const result = await runCommandCollect({
+        command: "openclaw",
+        args: ["models", "--agent", agentId, "set", model],
+        timeoutMs: 10_000,
+        env: resolveByokEnvOverrides(),
+    });
+    if (result.exitCode !== 0) {
+        throw new Error(result.stderr.trim() || `openclaw models set failed for ${agentId}`);
+    }
+}
+async function listOpenClawProviderModels(input) {
+    const result = await runCommandCollect({
+        command: "openclaw",
+        args: [
+            "models",
+            "--agent",
+            input.agentId,
+            "list",
+            "--provider",
+            input.provider,
+            "--json",
+        ],
+        timeoutMs: 10_000,
+        env: resolveByokEnvOverrides(),
+    });
+    if (result.exitCode !== 0) {
+        throw new Error(result.stderr.trim() || "openclaw models list failed");
+    }
+    const parsed = parseJsonSafe(result.stdout);
+    if (!parsed || typeof parsed !== "object") {
+        const trimmed = result.stdout.trim();
+        if (!trimmed || /no models found/i.test(trimmed)) {
+            return [];
+        }
+        throw new Error("openclaw models list returned invalid JSON");
+    }
+    const modelsRaw = "models" in parsed && Array.isArray(parsed.models)
+        ? parsed.models
+        : [];
+    return modelsRaw
+        .map((entry) => {
+        if (!entry || typeof entry !== "object")
+            return null;
+        const row = entry;
+        const key = typeof row.key === "string" ? row.key.trim() : "";
+        const tags = Array.isArray(row.tags)
+            ? row.tags.filter((t) => typeof t === "string")
+            : [];
+        if (!key)
+            return null;
+        return { key, tags };
+    })
+        .filter((entry) => Boolean(entry));
+}
+function pickPreferredModel(models) {
+    if (models.length === 0)
+        return null;
+    const preferred = models.find((m) => m.tags.some((t) => t === "default"));
+    return preferred?.key ?? models[0]?.key ?? null;
+}
+async function configureOpenClawProviderRouting(input) {
+    const requestedModel = (input.requestedModel ?? "").trim() || null;
+    // Fast path: use known aliases where possible.
+    const aliasByProvider = {
+        anthropic: "opus",
+        openrouter: "sonnet",
+        openai: null,
+    };
+    const candidate = requestedModel ?? aliasByProvider[input.provider];
+    if (candidate) {
+        try {
+            await setOpenClawAgentModel({ agentId: input.agentId, model: candidate });
+            return { provider: input.provider, model: candidate };
+        }
+        catch {
+            // Fall through to discovery-based selection.
+        }
+    }
+    const models = await listOpenClawProviderModels({
+        agentId: input.agentId,
+        provider: input.provider,
+    });
+    const selected = pickPreferredModel(models);
+    if (!selected) {
+        throw new Error(`No ${input.provider} models configured for agent ${input.agentId}. Add a model in OpenClaw and retry.`);
+    }
+    await setOpenClawAgentModel({ agentId: input.agentId, model: selected });
+    return { provider: input.provider, model: selected };
+}
+function isPidAlive(pid) {
+    if (!Number.isFinite(pid) || pid <= 0)
+        return false;
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function stopDetachedProcess(pid) {
+    const alive = isPidAlive(pid);
+    if (!alive) {
+        return { stopped: true, wasRunning: false };
+    }
+    const tryKill = (signal) => {
+        try {
+            // Detached child becomes its own process group (pgid = pid) on Unix.
+            process.kill(-pid, signal);
+            return;
+        }
+        catch {
+            // Fall back to direct pid kill.
+        }
+        try {
+            process.kill(pid, signal);
+        }
+        catch {
+            // ignore
+        }
+    };
+    tryKill("SIGTERM");
+    await new Promise((resolve) => setTimeout(resolve, 450));
+    if (isPidAlive(pid)) {
+        tryKill("SIGKILL");
+    }
+    return { stopped: !isPidAlive(pid), wasRunning: true };
+}
+function getScopedAgentIds(contexts) {
+    const scoped = new Set();
+    for (const [key, ctx] of Object.entries(contexts)) {
+        if (!ctx || typeof ctx !== "object")
+            continue;
+        const agentId = (ctx.agentId ?? key).trim();
+        if (!agentId)
+            continue;
+        const initiativeId = ctx.initiativeId?.trim() ?? "";
+        if (initiativeId) {
+            scoped.add(agentId);
+        }
+    }
+    return scoped;
+}
+function applyAgentContextsToSessionTree(input, contexts) {
+    if (!input || !Array.isArray(input.nodes))
+        return input;
+    const groupsById = new Map();
+    for (const group of input.groups ?? []) {
+        if (!group)
+            continue;
+        groupsById.set(group.id, {
+            id: group.id,
+            label: group.label,
+            status: group.status ?? null,
+        });
+    }
+    const nodes = input.nodes.map((node) => {
+        const agentId = node.agentId?.trim() ?? "";
+        if (!agentId)
+            return node;
+        const ctx = contexts[agentId];
+        const initiativeId = ctx?.initiativeId?.trim() ?? "";
+        if (!initiativeId)
+            return node;
+        const groupId = initiativeId;
+        const ctxTitle = ctx.initiativeTitle?.trim() ?? "";
+        const groupLabel = ctxTitle || node.groupLabel || initiativeId;
+        const existing = groupsById.get(groupId);
+        if (!existing) {
+            groupsById.set(groupId, {
+                id: groupId,
+                label: groupLabel,
+                status: node.status ?? null,
+            });
+        }
+        else if (ctxTitle && (existing.label === groupId || existing.label.startsWith("Agent "))) {
+            groupsById.set(groupId, { ...existing, label: groupLabel });
+        }
+        return {
+            ...node,
+            initiativeId,
+            workstreamId: ctx.workstreamId ?? node.workstreamId ?? null,
+            groupId,
+            groupLabel,
+        };
+    });
+    // Ensure every node's group exists.
+    for (const node of nodes) {
+        if (!groupsById.has(node.groupId)) {
+            groupsById.set(node.groupId, {
+                id: node.groupId,
+                label: node.groupLabel || node.groupId,
+                status: node.status ?? null,
+            });
+        }
+    }
+    return {
+        ...input,
+        nodes,
+        groups: Array.from(groupsById.values()),
+    };
+}
+function applyAgentContextsToActivity(input, contexts) {
+    if (!Array.isArray(input))
+        return [];
+    return input.map((item) => {
+        const agentId = item.agentId?.trim() ?? "";
+        if (!agentId)
+            return item;
+        const ctx = contexts[agentId];
+        const initiativeId = ctx?.initiativeId?.trim() ?? "";
+        if (!initiativeId)
+            return item;
+        const metadata = item.metadata && typeof item.metadata === "object"
+            ? { ...item.metadata }
+            : {};
+        metadata.orgx_context = {
+            initiativeId,
+            workstreamId: ctx.workstreamId ?? null,
+            taskId: ctx.taskId ?? null,
+            updatedAt: ctx.updatedAt,
+        };
+        return {
+            ...item,
+            initiativeId,
+            metadata,
+        };
+    });
+}
+function mergeSessionTrees(base, extra) {
+    const seenNodes = new Set();
+    const nodes = [];
+    for (const node of base.nodes ?? []) {
+        seenNodes.add(node.id);
+        nodes.push(node);
+    }
+    for (const node of extra.nodes ?? []) {
+        if (seenNodes.has(node.id))
+            continue;
+        seenNodes.add(node.id);
+        nodes.push(node);
+    }
+    const seenEdges = new Set();
+    const edges = [];
+    for (const edge of base.edges ?? []) {
+        const key = `${edge.parentId}→${edge.childId}`;
+        seenEdges.add(key);
+        edges.push(edge);
+    }
+    for (const edge of extra.edges ?? []) {
+        const key = `${edge.parentId}→${edge.childId}`;
+        if (seenEdges.has(key))
+            continue;
+        seenEdges.add(key);
+        edges.push(edge);
+    }
+    const groupsById = new Map();
+    for (const group of base.groups ?? []) {
+        groupsById.set(group.id, group);
+    }
+    for (const group of extra.groups ?? []) {
+        const existing = groupsById.get(group.id);
+        if (!existing) {
+            groupsById.set(group.id, group);
+            continue;
+        }
+        const nextLabel = existing.label === existing.id && group.label && group.label !== group.id
+            ? group.label
+            : existing.label;
+        groupsById.set(group.id, { ...existing, label: nextLabel });
+    }
+    return {
+        nodes,
+        edges,
+        groups: Array.from(groupsById.values()),
+    };
+}
+function mergeActivities(base, extra, limit) {
+    const merged = [...(base ?? []), ...(extra ?? [])].sort((a, b) => Date.parse(b.timestamp) - Date.parse(a.timestamp));
+    const deduped = [];
+    const seen = new Set();
+    for (const item of merged) {
+        if (seen.has(item.id))
+            continue;
+        seen.add(item.id);
+        deduped.push(item);
+        if (deduped.length >= limit)
+            break;
+    }
+    return deduped;
+}
+const ACTIVITY_HEADLINE_TIMEOUT_MS = 4_000;
+const ACTIVITY_HEADLINE_CACHE_TTL_MS = 12 * 60 * 60_000;
+const ACTIVITY_HEADLINE_CACHE_MAX = 1_000;
+const ACTIVITY_HEADLINE_MAX_INPUT_CHARS = 8_000;
+const DEFAULT_ACTIVITY_HEADLINE_MODEL = "openai/gpt-4.1-nano";
+const activityHeadlineCache = new Map();
+let resolvedActivitySummaryApiKey;
+function normalizeSpaces(value) {
+    return value.replace(/\s+/g, " ").trim();
+}
+function stripMarkdownLite(value) {
+    return value
+        .replace(/```[\s\S]*?```/g, " ")
+        .replace(/`([^`]+)`/g, "$1")
+        .replace(/\*\*([^*]+)\*\*/g, "$1")
+        .replace(/__([^_]+)__/g, "$1")
+        .replace(/\*([^*\n]+)\*/g, "$1")
+        .replace(/_([^_\n]+)_/g, "$1")
+        .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, "$1")
+        .replace(/^\s{0,3}#{1,6}\s+/gm, "")
+        .replace(/^\s*[-*]\s+/gm, "")
+        .replace(/^\s*\d+\.\s+/gm, "")
+        .replace(/\r\n/g, "\n")
+        .trim();
+}
+function cleanActivityHeadline(value) {
+    const lines = stripMarkdownLite(value)
+        .split("\n")
+        .map((line) => normalizeSpaces(line))
+        .filter((line) => line.length > 0 && !/^\|?[:\-| ]+\|?$/.test(line));
+    const headline = lines[0] ?? "";
+    if (!headline)
+        return "";
+    if (headline.length <= 108)
+        return headline;
+    return `${headline.slice(0, 107).trimEnd()}…`;
+}
+function heuristicActivityHeadline(text, title) {
+    const cleanedText = cleanActivityHeadline(text);
+    if (cleanedText.length > 0)
+        return cleanedText;
+    const cleanedTitle = cleanActivityHeadline(title ?? "");
+    if (cleanedTitle.length > 0)
+        return cleanedTitle;
+    return "Activity update";
+}
+function resolveActivitySummaryApiKey() {
+    if (resolvedActivitySummaryApiKey !== undefined) {
+        return resolvedActivitySummaryApiKey;
+    }
+    const candidates = [
+        process.env.ORGX_ACTIVITY_SUMMARY_API_KEY ?? "",
+        process.env.OPENROUTER_API_KEY ?? "",
+    ];
+    const key = candidates.find((candidate) => candidate.trim().length > 0)?.trim() ?? "";
+    resolvedActivitySummaryApiKey = key || null;
+    return resolvedActivitySummaryApiKey;
+}
+function trimActivityHeadlineCache() {
+    while (activityHeadlineCache.size > ACTIVITY_HEADLINE_CACHE_MAX) {
+        const firstKey = activityHeadlineCache.keys().next().value;
+        if (!firstKey)
+            break;
+        activityHeadlineCache.delete(firstKey);
+    }
+}
+function extractCompletionText(payload) {
+    const choices = payload.choices;
+    if (!Array.isArray(choices) || choices.length === 0)
+        return null;
+    const first = choices[0];
+    if (!first || typeof first !== "object")
+        return null;
+    const firstRecord = first;
+    const message = firstRecord.message;
+    if (message && typeof message === "object") {
+        const content = message.content;
+        if (typeof content === "string") {
+            return content;
+        }
+        if (Array.isArray(content)) {
+            const textParts = content
+                .map((part) => {
+                if (typeof part === "string")
+                    return part;
+                if (!part || typeof part !== "object")
+                    return "";
+                const record = part;
+                return typeof record.text === "string" ? record.text : "";
+            })
+                .filter((part) => part.length > 0);
+            if (textParts.length > 0) {
+                return textParts.join(" ");
+            }
+        }
+    }
+    return pickString(firstRecord, ["text", "content"]);
+}
+async function summarizeActivityHeadline(input) {
+    const normalizedText = normalizeSpaces(input.text).slice(0, ACTIVITY_HEADLINE_MAX_INPUT_CHARS);
+    const normalizedTitle = normalizeSpaces(input.title ?? "");
+    const normalizedType = normalizeSpaces(input.type ?? "");
+    const heuristic = heuristicActivityHeadline(normalizedText, normalizedTitle);
+    const cacheKey = createHash("sha256")
+        .update(`${normalizedType}\n${normalizedTitle}\n${normalizedText}`)
+        .digest("hex");
+    const cached = activityHeadlineCache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) {
+        return { headline: cached.headline, source: cached.source, model: null };
+    }
+    const apiKey = resolveActivitySummaryApiKey();
+    if (!apiKey) {
+        activityHeadlineCache.set(cacheKey, {
+            headline: heuristic,
+            source: "heuristic",
+            expiresAt: Date.now() + ACTIVITY_HEADLINE_CACHE_TTL_MS,
+        });
+        trimActivityHeadlineCache();
+        return { headline: heuristic, source: "heuristic", model: null };
+    }
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), ACTIVITY_HEADLINE_TIMEOUT_MS);
+    const model = process.env.ORGX_ACTIVITY_SUMMARY_MODEL?.trim() || DEFAULT_ACTIVITY_HEADLINE_MODEL;
+    const prompt = [
+        "Create one short activity title for a dashboard header.",
+        "Rules:",
+        "- Max 96 characters.",
+        "- Keep key numbers/status markers (for example: 15 tasks, 0 blocked).",
+        "- No markdown, no quotes, no trailing period unless needed.",
+        "- Prefer plain language over jargon.",
+        "",
+        `Type: ${normalizedType || "activity"}`,
+        normalizedTitle ? `Current title: ${normalizedTitle}` : "",
+        "Full detail:",
+        normalizedText,
+    ]
+        .filter(Boolean)
+        .join("\n");
+    try {
+        const response = await fetch("https://openrouter.ai/api/v1/chat/completions", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${apiKey}`,
+            },
+            body: JSON.stringify({
+                model,
+                temperature: 0.1,
+                max_tokens: 48,
+                messages: [
+                    {
+                        role: "system",
+                        content: "You write concise activity headers for operational dashboards. Return only the header text.",
+                    },
+                    {
+                        role: "user",
+                        content: prompt,
+                    },
+                ],
+            }),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            throw new Error(`headline model request failed (${response.status})`);
+        }
+        const payload = (await response.json());
+        const generated = cleanActivityHeadline(extractCompletionText(payload) ?? "");
+        const headline = generated || heuristic;
+        const source = generated ? "llm" : "heuristic";
+        activityHeadlineCache.set(cacheKey, {
+            headline,
+            source,
+            expiresAt: Date.now() + ACTIVITY_HEADLINE_CACHE_TTL_MS,
+        });
+        trimActivityHeadlineCache();
+        return { headline, source, model };
+    }
+    catch {
+        activityHeadlineCache.set(cacheKey, {
+            headline: heuristic,
+            source: "heuristic",
+            expiresAt: Date.now() + ACTIVITY_HEADLINE_CACHE_TTL_MS,
+        });
+        trimActivityHeadlineCache();
+        return { headline: heuristic, source: "heuristic", model: null };
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
 // =============================================================================
 // Content-Type mapping
 // =============================================================================
@@ -42,19 +690,85 @@ function contentType(filePath) {
     return MIME_TYPES[extname(filePath).toLowerCase()] ?? "application/octet-stream";
 }
 // =============================================================================
-// CORS headers (for local dev)
+// CORS + response hardening
 // =============================================================================
 const CORS_HEADERS = {
-    "Access-Control-Allow-Origin": "*",
-    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Methods": "GET, POST, PATCH, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-OrgX-Api-Key, X-API-Key, X-OrgX-User-Id",
+    Vary: "Origin",
+};
+const SECURITY_HEADERS = {
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+    "Referrer-Policy": "same-origin",
+    "Cross-Origin-Resource-Policy": "same-origin",
 };
+function normalizeHost(value) {
+    return value.trim().toLowerCase().replace(/^\[|\]$/g, "");
+}
+function isLoopbackHost(hostname) {
+    const host = normalizeHost(hostname);
+    return host === "localhost" || host === "127.0.0.1" || host === "::1";
+}
+function isTrustedOrigin(origin) {
+    try {
+        const parsed = new URL(origin);
+        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+            return false;
+        }
+        return isLoopbackHost(parsed.hostname);
+    }
+    catch {
+        return false;
+    }
+}
+function isTrustedRequestSource(headers) {
+    const fetchSite = pickHeaderString(headers, ["sec-fetch-site"]);
+    if (fetchSite) {
+        const normalizedFetchSite = fetchSite.trim().toLowerCase();
+        if (normalizedFetchSite !== "same-origin" &&
+            normalizedFetchSite !== "same-site" &&
+            normalizedFetchSite !== "none") {
+            return false;
+        }
+    }
+    const origin = pickHeaderString(headers, ["origin"]);
+    if (origin) {
+        return isTrustedOrigin(origin);
+    }
+    const referer = pickHeaderString(headers, ["referer"]);
+    if (referer) {
+        try {
+            return isTrustedOrigin(new URL(referer).origin);
+        }
+        catch {
+            return false;
+        }
+    }
+    return true;
+}
+const STREAM_IDLE_TIMEOUT_MS = 60_000;
 // =============================================================================
 // Resolve the dashboard/dist/ directory relative to this file
 // =============================================================================
 const __filename = fileURLToPath(import.meta.url);
 // src/http-handler.ts → up to plugin root → dashboard/dist
 const DIST_DIR = join(__filename, "..", "..", "dashboard", "dist");
+const RESOLVED_DIST_DIR = resolve(DIST_DIR);
+const RESOLVED_DIST_ASSETS_DIR = resolve(DIST_DIR, "assets");
+function resolveSafeDistPath(subPath) {
+    if (!subPath || subPath.includes("\0"))
+        return null;
+    const normalized = normalize(subPath).replace(/^([/\\])+/, "");
+    if (!normalized || normalized === ".")
+        return null;
+    const candidate = resolve(DIST_DIR, normalized);
+    const rel = relative(RESOLVED_DIST_DIR, candidate);
+    if (!rel || rel === "." || rel.startsWith("..") || rel.includes(`..${sep}`)) {
+        return null;
+    }
+    return candidate;
+}
 // =============================================================================
 // Helpers
 // =============================================================================
@@ -62,6 +776,7 @@ function sendJson(res, status, data) {
     const body = JSON.stringify(data);
     res.writeHead(status, {
         "Content-Type": "application/json; charset=utf-8",
+        ...SECURITY_HEADERS,
         ...CORS_HEADERS,
     });
     res.end(body);
@@ -72,6 +787,7 @@ function sendFile(res, filePath, cacheControl) {
         res.writeHead(200, {
             "Content-Type": contentType(filePath),
             "Cache-Control": cacheControl,
+            ...SECURITY_HEADERS,
             ...CORS_HEADERS,
         });
         res.end(content);
@@ -83,6 +799,7 @@ function sendFile(res, filePath, cacheControl) {
 function send404(res) {
     res.writeHead(404, {
         "Content-Type": "text/plain; charset=utf-8",
+        ...SECURITY_HEADERS,
         ...CORS_HEADERS,
     });
     res.end("Not Found");
@@ -95,6 +812,7 @@ function sendIndexHtml(res) {
     else {
         res.writeHead(503, {
             "Content-Type": "text/html; charset=utf-8",
+            ...SECURITY_HEADERS,
             ...CORS_HEADERS,
         });
         res.end("<html><body><h1>Dashboard not built</h1>" +
@@ -127,11 +845,120 @@ function parseJsonBody(body) {
             return {};
         }
     }
+    if (body instanceof Uint8Array) {
+        try {
+            const parsed = JSON.parse(Buffer.from(body).toString("utf8"));
+            return typeof parsed === "object" && parsed !== null
+                ? parsed
+                : {};
+        }
+        catch {
+            return {};
+        }
+    }
+    if (body instanceof ArrayBuffer) {
+        try {
+            const parsed = JSON.parse(Buffer.from(body).toString("utf8"));
+            return typeof parsed === "object" && parsed !== null
+                ? parsed
+                : {};
+        }
+        catch {
+            return {};
+        }
+    }
     if (typeof body === "object") {
         return body;
     }
     return {};
 }
+const MAX_JSON_BODY_BYTES = 1_000_000;
+const JSON_BODY_TIMEOUT_MS = 2_000;
+function chunkToBuffer(chunk) {
+    if (!chunk)
+        return Buffer.alloc(0);
+    if (Buffer.isBuffer(chunk))
+        return chunk;
+    if (typeof chunk === "string")
+        return Buffer.from(chunk, "utf8");
+    if (chunk instanceof Uint8Array)
+        return Buffer.from(chunk);
+    try {
+        return Buffer.from(JSON.stringify(chunk), "utf8");
+    }
+    catch {
+        return Buffer.from(String(chunk), "utf8");
+    }
+}
+async function readRequestBodyBuffer(req) {
+    const on = req.on ? req.on.bind(req) : null;
+    if (!on)
+        return null;
+    return await new Promise((resolve) => {
+        const chunks = [];
+        let totalBytes = 0;
+        let finished = false;
+        const finish = (buffer) => {
+            if (finished)
+                return;
+            finished = true;
+            clearTimeout(timer);
+            resolve(buffer);
+        };
+        const timer = setTimeout(() => finish(null), JSON_BODY_TIMEOUT_MS);
+        on("data", (chunk) => {
+            const buf = chunkToBuffer(chunk);
+            if (buf.length === 0)
+                return;
+            totalBytes += buf.length;
+            if (totalBytes > MAX_JSON_BODY_BYTES) {
+                finish(null);
+                return;
+            }
+            chunks.push(buf);
+        });
+        const onDone = () => {
+            if (chunks.length === 0) {
+                finish(Buffer.alloc(0));
+            }
+            else {
+                finish(Buffer.concat(chunks, totalBytes));
+            }
+        };
+        const once = (req.once ?? req.on)?.bind(req) ?? null;
+        if (once) {
+            once("end", onDone);
+            once("error", () => finish(null));
+        }
+        else {
+            on("end", onDone);
+            on("error", () => finish(null));
+        }
+    });
+}
+async function parseJsonRequest(req) {
+    const body = req.body;
+    if (typeof body === "string" && body.length > 0) {
+        return parseJsonBody(body);
+    }
+    if (Buffer.isBuffer(body) && body.length > 0) {
+        return parseJsonBody(body);
+    }
+    if (body instanceof Uint8Array && body.byteLength > 0) {
+        return parseJsonBody(body);
+    }
+    if (body instanceof ArrayBuffer && body.byteLength > 0) {
+        return parseJsonBody(body);
+    }
+    if (body && typeof body === "object" && !Buffer.isBuffer(body)) {
+        return parseJsonBody(body);
+    }
+    const streamed = await readRequestBodyBuffer(req);
+    if (!streamed || streamed.length === 0) {
+        return {};
+    }
+    return parseJsonBody(streamed);
+}
 function pickString(record, keys) {
     for (const key of keys) {
         const value = record[key];
@@ -141,6 +968,23 @@ function pickString(record, keys) {
     }
     return null;
 }
+function pickHeaderString(headers, keys) {
+    for (const key of keys) {
+        const candidates = [key, key.toLowerCase(), key.toUpperCase()];
+        for (const candidate of candidates) {
+            const raw = headers[candidate];
+            if (typeof raw === "string" && raw.trim().length > 0) {
+                return raw.trim();
+            }
+            if (Array.isArray(raw)) {
+                const first = raw.find((value) => typeof value === "string" && value.trim().length > 0);
+                if (first)
+                    return first.trim();
+            }
+        }
+    }
+    return null;
+}
 function pickNumber(record, keys) {
     for (const key of keys) {
         const value = record[key];
@@ -207,41 +1051,1987 @@ function mapDecisionEntity(entity) {
         metadata: record,
     };
 }
-// =============================================================================
-// Factory
-// =============================================================================
-export function createHttpHandler(config, client, getSnapshot) {
-    const dashboardEnabled = config.dashboardEnabled ??
-        true;
-    return async function handler(req, res) {
-        const method = (req.method ?? "GET").toUpperCase();
-        const rawUrl = req.url ?? "/";
-        const [path, queryString] = rawUrl.split("?", 2);
-        const url = path;
-        const searchParams = new URLSearchParams(queryString ?? "");
-        // Only handle /orgx paths — return false for everything else
-        if (!url.startsWith("/orgx")) {
-            return false;
+function parsePositiveInt(raw, fallback) {
+    if (!raw)
+        return fallback;
+    const parsed = Number(raw);
+    if (!Number.isFinite(parsed))
+        return fallback;
+    return Math.max(1, Math.floor(parsed));
+}
+function parseBooleanQuery(raw) {
+    if (!raw)
+        return false;
+    const normalized = raw.trim().toLowerCase();
+    return (normalized === "1" ||
+        normalized === "true" ||
+        normalized === "yes" ||
+        normalized === "on");
+}
+const DEFAULT_DURATION_HOURS = {
+    initiative: 40,
+    workstream: 16,
+    milestone: 6,
+    task: 2,
+};
+function readBudgetEnvNumber(name, fallback, bounds = {}) {
+    const raw = process.env[name];
+    if (typeof raw !== "string" || raw.trim().length === 0)
+        return fallback;
+    const parsed = Number(raw);
+    if (!Number.isFinite(parsed))
+        return fallback;
+    if (typeof bounds.min === "number" && parsed < bounds.min)
+        return fallback;
+    if (typeof bounds.max === "number" && parsed > bounds.max)
+        return fallback;
+    return parsed;
+}
+const DEFAULT_TOKEN_MODEL_PRICING_USD_PER_1M = {
+    // GPT-5.3 Codex API pricing is not published yet; use GPT-5.2 Codex pricing as proxy.
+    gpt53CodexProxy: {
+        input: readBudgetEnvNumber("ORGX_BUDGET_GPT53_CODEX_INPUT_PER_1M", 1.75, { min: 0 }),
+        cachedInput: readBudgetEnvNumber("ORGX_BUDGET_GPT53_CODEX_CACHED_INPUT_PER_1M", 0.175, {
+            min: 0,
+        }),
+        output: readBudgetEnvNumber("ORGX_BUDGET_GPT53_CODEX_OUTPUT_PER_1M", 14, { min: 0 }),
+    },
+    opus46: {
+        input: readBudgetEnvNumber("ORGX_BUDGET_OPUS46_INPUT_PER_1M", 5, { min: 0 }),
+        // Anthropic does not publish a fixed cached-input rate on the model page.
+        cachedInput: readBudgetEnvNumber("ORGX_BUDGET_OPUS46_CACHED_INPUT_PER_1M", 5, { min: 0 }),
+        output: readBudgetEnvNumber("ORGX_BUDGET_OPUS46_OUTPUT_PER_1M", 25, { min: 0 }),
+    },
+};
+const DEFAULT_TOKEN_BUDGET_ASSUMPTIONS = {
+    tokensPerHour: readBudgetEnvNumber("ORGX_BUDGET_TOKENS_PER_HOUR", 1_200_000, { min: 1 }),
+    inputShare: readBudgetEnvNumber("ORGX_BUDGET_INPUT_TOKEN_SHARE", 0.86, { min: 0, max: 1 }),
+    cachedInputShare: readBudgetEnvNumber("ORGX_BUDGET_CACHED_INPUT_SHARE", 0.15, {
+        min: 0,
+        max: 1,
+    }),
+    contingencyMultiplier: readBudgetEnvNumber("ORGX_BUDGET_CONTINGENCY_MULTIPLIER", 1.3, {
+        min: 0.1,
+    }),
+    roundingStepUsd: readBudgetEnvNumber("ORGX_BUDGET_ROUNDING_STEP_USD", 5, { min: 0.01 }),
+};
+const DEFAULT_TOKEN_MODEL_MIX = {
+    gpt53CodexProxy: 0.7,
+    opus46: 0.3,
+};
+function modelCostPerMillionTokensUsd(pricing) {
+    const inputShare = DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.inputShare;
+    const outputShare = Math.max(0, 1 - inputShare);
+    const cachedShare = DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.cachedInputShare;
+    const uncachedShare = Math.max(0, 1 - cachedShare);
+    const effectiveInputRate = pricing.input * uncachedShare + pricing.cachedInput * cachedShare;
+    return inputShare * effectiveInputRate + outputShare * pricing.output;
+}
+function estimateBudgetUsdFromDurationHours(durationHours) {
+    if (!Number.isFinite(durationHours) || durationHours <= 0)
+        return 0;
+    const blendedPerMillionUsd = DEFAULT_TOKEN_MODEL_MIX.gpt53CodexProxy *
+        modelCostPerMillionTokensUsd(DEFAULT_TOKEN_MODEL_PRICING_USD_PER_1M.gpt53CodexProxy) +
+        DEFAULT_TOKEN_MODEL_MIX.opus46 *
+            modelCostPerMillionTokensUsd(DEFAULT_TOKEN_MODEL_PRICING_USD_PER_1M.opus46);
+    const tokenMillions = (durationHours * DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.tokensPerHour) / 1_000_000;
+    const rawBudgetUsd = tokenMillions *
+        blendedPerMillionUsd *
+        DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.contingencyMultiplier;
+    const roundedBudgetUsd = Math.round(rawBudgetUsd / DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.roundingStepUsd) *
+        DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.roundingStepUsd;
+    return Math.max(0, roundedBudgetUsd);
+}
+function isLegacyHourlyBudget(budgetUsd, durationHours) {
+    if (!Number.isFinite(budgetUsd) || !Number.isFinite(durationHours) || durationHours <= 0) {
+        return false;
+    }
+    const legacyHourlyBudget = durationHours * 40;
+    return Math.abs(budgetUsd - legacyHourlyBudget) <= 0.5;
+}
+const DEFAULT_BUDGET_USD = {
+    initiative: estimateBudgetUsdFromDurationHours(DEFAULT_DURATION_HOURS.initiative),
+    workstream: estimateBudgetUsdFromDurationHours(DEFAULT_DURATION_HOURS.workstream),
+    milestone: estimateBudgetUsdFromDurationHours(DEFAULT_DURATION_HOURS.milestone),
+    task: estimateBudgetUsdFromDurationHours(DEFAULT_DURATION_HOURS.task),
+};
+const PRIORITY_LABEL_TO_NUM = {
+    urgent: 10,
+    high: 25,
+    medium: 50,
+    low: 75,
+};
+function clampPriority(value) {
+    if (!Number.isFinite(value))
+        return 60;
+    return Math.max(1, Math.min(100, Math.round(value)));
+}
+function mapPriorityNumToLabel(priorityNum) {
+    if (priorityNum <= 12)
+        return "urgent";
+    if (priorityNum <= 30)
+        return "high";
+    if (priorityNum <= 60)
+        return "medium";
+    return "low";
+}
+function getRecordMetadata(record) {
+    const metadata = record.metadata;
+    if (metadata && typeof metadata === "object" && !Array.isArray(metadata)) {
+        return metadata;
+    }
+    return {};
+}
+function extractBudgetUsdFromText(...texts) {
+    for (const text of texts) {
+        if (typeof text !== "string" || text.trim().length === 0)
+            continue;
+        const moneyMatch = /(?:expected\s+budget|budget)[^0-9$]{0,24}\$?\s*([0-9][0-9,]*(?:\.[0-9]{1,2})?)/i.exec(text);
+        if (!moneyMatch)
+            continue;
+        const numeric = Number(moneyMatch[1].replace(/,/g, ""));
+        if (Number.isFinite(numeric) && numeric >= 0)
+            return numeric;
+    }
+    return null;
+}
+function extractDurationHoursFromText(...texts) {
+    for (const text of texts) {
+        if (typeof text !== "string" || text.trim().length === 0)
+            continue;
+        const durationMatch = /(?:expected\s+duration|duration)[^0-9]{0,24}([0-9]+(?:\.[0-9]+)?)\s*h/i.exec(text);
+        if (!durationMatch)
+            continue;
+        const numeric = Number(durationMatch[1]);
+        if (Number.isFinite(numeric) && numeric >= 0)
+            return numeric;
+    }
+    return null;
+}
+function pickStringArray(record, keys) {
+    for (const key of keys) {
+        const value = record[key];
+        if (Array.isArray(value)) {
+            const items = value
+                .filter((entry) => typeof entry === "string")
+                .map((entry) => entry.trim())
+                .filter(Boolean);
+            if (items.length > 0)
+                return items;
         }
-        // Handle CORS preflight
-        if (method === "OPTIONS") {
-            res.writeHead(204, CORS_HEADERS);
-            res.end();
-            return true;
+        if (typeof value === "string") {
+            const items = value
+                .split(",")
+                .map((entry) => entry.trim())
+                .filter(Boolean);
+            if (items.length > 0)
+                return items;
+        }
+    }
+    return [];
+}
+function dedupeStrings(items) {
+    const seen = new Set();
+    const out = [];
+    for (const item of items) {
+        if (!item || seen.has(item))
+            continue;
+        seen.add(item);
+        out.push(item);
+    }
+    return out;
+}
+function normalizePriorityForEntity(record) {
+    const explicitPriorityNum = pickNumber(record, [
+        "priority_num",
+        "priorityNum",
+        "priority_number",
+    ]);
+    const priorityLabelRaw = pickString(record, ["priority", "priority_label"]);
+    if (explicitPriorityNum !== null) {
+        const clamped = clampPriority(explicitPriorityNum);
+        return {
+            priorityNum: clamped,
+            priorityLabel: priorityLabelRaw ?? mapPriorityNumToLabel(clamped),
+        };
+    }
+    if (priorityLabelRaw) {
+        const mapped = PRIORITY_LABEL_TO_NUM[priorityLabelRaw.toLowerCase()] ?? 60;
+        return {
+            priorityNum: mapped,
+            priorityLabel: priorityLabelRaw.toLowerCase(),
+        };
+    }
+    return {
+        priorityNum: 60,
+        priorityLabel: null,
+    };
+}
+function normalizeDependencies(record) {
+    const metadata = getRecordMetadata(record);
+    const direct = pickStringArray(record, [
+        "depends_on",
+        "dependsOn",
+        "dependency_ids",
+        "dependencyIds",
+        "dependencies",
+    ]);
+    const nested = pickStringArray(metadata, [
+        "depends_on",
+        "dependsOn",
+        "dependency_ids",
+        "dependencyIds",
+        "dependencies",
+    ]);
+    return dedupeStrings([...direct, ...nested]);
+}
+function normalizeAssignedAgents(record) {
+    const metadata = getRecordMetadata(record);
+    const ids = dedupeStrings([
+        ...pickStringArray(record, ["assigned_agent_ids", "assignedAgentIds"]),
+        ...pickStringArray(metadata, ["assigned_agent_ids", "assignedAgentIds"]),
+    ]);
+    const names = dedupeStrings([
+        ...pickStringArray(record, ["assigned_agent_names", "assignedAgentNames"]),
+        ...pickStringArray(metadata, ["assigned_agent_names", "assignedAgentNames"]),
+    ]);
+    const objectCandidates = [
+        record.assigned_agents,
+        record.assignedAgents,
+        metadata.assigned_agents,
+        metadata.assignedAgents,
+    ];
+    const fromObjects = [];
+    for (const candidate of objectCandidates) {
+        if (!Array.isArray(candidate))
+            continue;
+        for (const entry of candidate) {
+            if (!entry || typeof entry !== "object")
+                continue;
+            const item = entry;
+            const id = pickString(item, ["id", "agent_id", "agentId"]) ?? "";
+            const name = pickString(item, ["name", "agent_name", "agentName"]) ?? id;
+            if (!name)
+                continue;
+            fromObjects.push({
+                id: id || `name:${name}`,
+                name,
+                domain: pickString(item, ["domain", "role"]),
+            });
+        }
+    }
+    const merged = [...fromObjects];
+    if (merged.length === 0 && (names.length > 0 || ids.length > 0)) {
+        const maxLen = Math.max(names.length, ids.length);
+        for (let i = 0; i < maxLen; i += 1) {
+            const id = ids[i] ?? `name:${names[i] ?? `agent-${i + 1}`}`;
+            const name = names[i] ?? ids[i] ?? `Agent ${i + 1}`;
+            merged.push({ id, name, domain: null });
+        }
+    }
+    const seen = new Set();
+    const deduped = [];
+    for (const item of merged) {
+        const key = `${item.id}:${item.name}`.toLowerCase();
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        deduped.push(item);
+    }
+    return deduped;
+}
+function toMissionControlNode(type, entity, fallbackInitiativeId) {
+    const record = entity;
+    const metadata = getRecordMetadata(record);
+    const initiativeId = pickString(record, ["initiative_id", "initiativeId"]) ??
+        pickString(metadata, ["initiative_id", "initiativeId"]) ??
+        (type === "initiative" ? String(record.id ?? fallbackInitiativeId) : fallbackInitiativeId);
+    const workstreamId = type === "workstream"
+        ? String(record.id ?? "")
+        : pickString(record, ["workstream_id", "workstreamId"]) ??
+            pickString(metadata, ["workstream_id", "workstreamId"]);
+    const milestoneId = type === "milestone"
+        ? String(record.id ?? "")
+        : pickString(record, ["milestone_id", "milestoneId"]) ??
+            pickString(metadata, ["milestone_id", "milestoneId"]);
+    const parentIdRaw = pickString(record, ["parentId", "parent_id"]) ??
+        pickString(metadata, ["parentId", "parent_id"]);
+    const parentId = parentIdRaw ??
+        (type === "initiative"
+            ? null
+            : type === "workstream"
+                ? initiativeId
+                : type === "milestone"
+                    ? workstreamId ?? initiativeId
+                    : milestoneId ?? workstreamId ?? initiativeId);
+    const status = pickString(record, ["status"]) ??
+        (type === "task" ? "todo" : "planned");
+    const dueDate = toIsoString(pickString(record, ["due_date", "dueDate", "target_date", "targetDate"]));
+    const etaEndAt = toIsoString(pickString(record, ["eta_end_at", "etaEndAt"]));
+    const expectedDuration = pickNumber(record, [
+        "expected_duration_hours",
+        "expectedDurationHours",
+        "duration_hours",
+        "durationHours",
+    ]) ??
+        pickNumber(metadata, [
+            "expected_duration_hours",
+            "expectedDurationHours",
+            "duration_hours",
+            "durationHours",
+        ]) ??
+        extractDurationHoursFromText(pickString(record, ["description", "summary", "context"]), pickString(metadata, ["description", "summary", "context"])) ??
+        DEFAULT_DURATION_HOURS[type];
+    const explicitBudget = pickNumber(record, [
+        "expected_budget_usd",
+        "expectedBudgetUsd",
+        "budget_usd",
+        "budgetUsd",
+    ]) ??
+        pickNumber(metadata, [
+            "expected_budget_usd",
+            "expectedBudgetUsd",
+            "budget_usd",
+            "budgetUsd",
+        ]);
+    const extractedBudget = extractBudgetUsdFromText(pickString(record, ["description", "summary", "context"]), pickString(metadata, ["description", "summary", "context"])) ?? null;
+    const tokenModeledBudget = estimateBudgetUsdFromDurationHours(expectedDuration > 0 ? expectedDuration : DEFAULT_DURATION_HOURS[type]) || DEFAULT_BUDGET_USD[type];
+    const expectedBudget = explicitBudget ??
+        (typeof extractedBudget === "number"
+            ? isLegacyHourlyBudget(extractedBudget, expectedDuration)
+                ? tokenModeledBudget
+                : extractedBudget
+            : DEFAULT_BUDGET_USD[type]);
+    const priority = normalizePriorityForEntity(record);
+    return {
+        id: String(record.id ?? ""),
+        type,
+        title: pickString(record, ["title", "name"]) ??
+            `${type[0].toUpperCase()}${type.slice(1)} ${String(record.id ?? "")}`,
+        status,
+        parentId: parentId ?? null,
+        initiativeId: initiativeId ?? null,
+        workstreamId: workstreamId ?? null,
+        milestoneId: milestoneId ?? null,
+        priorityNum: priority.priorityNum,
+        priorityLabel: priority.priorityLabel,
+        dependencyIds: normalizeDependencies(record),
+        dueDate,
+        etaEndAt,
+        expectedDurationHours: expectedDuration > 0 ? expectedDuration : DEFAULT_DURATION_HOURS[type],
+        expectedBudgetUsd: expectedBudget >= 0 ? expectedBudget : DEFAULT_BUDGET_USD[type],
+        assignedAgents: normalizeAssignedAgents(record),
+        updatedAt: toIsoString(pickString(record, [
+            "updated_at",
+            "updatedAt",
+            "created_at",
+            "createdAt",
+        ])),
+    };
+}
+function isTodoStatus(status) {
+    const normalized = status.toLowerCase();
+    return (normalized === "todo" ||
+        normalized === "not_started" ||
+        normalized === "planned" ||
+        normalized === "backlog" ||
+        normalized === "pending");
+}
+function isInProgressStatus(status) {
+    const normalized = status.toLowerCase();
+    return (normalized === "in_progress" ||
+        normalized === "active" ||
+        normalized === "running" ||
+        normalized === "queued");
+}
+function isDoneStatus(status) {
+    const normalized = status.toLowerCase();
+    return (normalized === "done" ||
+        normalized === "completed" ||
+        normalized === "cancelled" ||
+        normalized === "archived" ||
+        normalized === "deleted");
+}
+function detectCycleEdgeKeys(edges) {
+    const adjacency = new Map();
+    for (const edge of edges) {
+        const list = adjacency.get(edge.from) ?? [];
+        list.push(edge.to);
+        adjacency.set(edge.from, list);
+    }
+    const visiting = new Set();
+    const visited = new Set();
+    const cycleEdgeKeys = new Set();
+    function dfs(nodeId) {
+        if (visited.has(nodeId))
+            return;
+        visiting.add(nodeId);
+        const next = adjacency.get(nodeId) ?? [];
+        for (const childId of next) {
+            if (visiting.has(childId)) {
+                cycleEdgeKeys.add(`${nodeId}->${childId}`);
+                continue;
+            }
+            dfs(childId);
+        }
+        visiting.delete(nodeId);
+        visited.add(nodeId);
+    }
+    for (const key of adjacency.keys()) {
+        if (!visited.has(key))
+            dfs(key);
+    }
+    return cycleEdgeKeys;
+}
+async function listEntitiesSafe(client, type, filters) {
+    try {
+        const response = await client.listEntities(type, filters);
+        const items = Array.isArray(response.data) ? response.data : [];
+        return { items, warning: null };
+    }
+    catch (err) {
+        return {
+            items: [],
+            warning: `${type} unavailable (${safeErrorMessage(err)})`,
+        };
+    }
+}
+async function buildMissionControlGraph(client, initiativeId) {
+    const degraded = [];
+    const [initiativeResult, workstreamResult, milestoneResult, taskResult] = await Promise.all([
+        listEntitiesSafe(client, "initiative", { limit: 300 }),
+        listEntitiesSafe(client, "workstream", {
+            initiative_id: initiativeId,
+            limit: 500,
+        }),
+        listEntitiesSafe(client, "milestone", {
+            initiative_id: initiativeId,
+            limit: 700,
+        }),
+        listEntitiesSafe(client, "task", {
+            initiative_id: initiativeId,
+            limit: 1200,
+        }),
+    ]);
+    for (const warning of [
+        initiativeResult.warning,
+        workstreamResult.warning,
+        milestoneResult.warning,
+        taskResult.warning,
+    ]) {
+        if (warning)
+            degraded.push(warning);
+    }
+    const initiativeEntity = initiativeResult.items.find((item) => String(item.id ?? "") === initiativeId);
+    const initiativeNode = initiativeEntity
+        ? toMissionControlNode("initiative", initiativeEntity, initiativeId)
+        : {
+            id: initiativeId,
+            type: "initiative",
+            title: `Initiative ${initiativeId.slice(0, 8)}`,
+            status: "active",
+            parentId: null,
+            initiativeId,
+            workstreamId: null,
+            milestoneId: null,
+            priorityNum: 60,
+            priorityLabel: null,
+            dependencyIds: [],
+            dueDate: null,
+            etaEndAt: null,
+            expectedDurationHours: DEFAULT_DURATION_HOURS.initiative,
+            expectedBudgetUsd: DEFAULT_BUDGET_USD.initiative,
+            assignedAgents: [],
+            updatedAt: null,
+        };
+    const workstreamNodes = workstreamResult.items.map((item) => toMissionControlNode("workstream", item, initiativeId));
+    const milestoneNodes = milestoneResult.items.map((item) => toMissionControlNode("milestone", item, initiativeId));
+    const taskNodes = taskResult.items.map((item) => toMissionControlNode("task", item, initiativeId));
+    const nodes = [
+        initiativeNode,
+        ...workstreamNodes,
+        ...milestoneNodes,
+        ...taskNodes,
+    ];
+    const nodeMap = new Map(nodes.map((node) => [node.id, node]));
+    for (const node of nodes) {
+        const validDependencies = dedupeStrings(node.dependencyIds.filter((depId) => depId !== node.id && nodeMap.has(depId)));
+        node.dependencyIds = validDependencies;
+    }
+    let edges = [];
+    for (const node of nodes) {
+        if (node.type === "initiative")
+            continue;
+        for (const depId of node.dependencyIds) {
+            edges.push({
+                from: depId,
+                to: node.id,
+                kind: "depends_on",
+            });
+        }
+    }
+    edges = edges.filter((edge, index, arr) => arr.findIndex((candidate) => candidate.from === edge.from &&
+        candidate.to === edge.to &&
+        candidate.kind === edge.kind) === index);
+    const cyclicEdgeKeys = detectCycleEdgeKeys(edges);
+    if (cyclicEdgeKeys.size > 0) {
+        degraded.push(`Detected ${cyclicEdgeKeys.size} cyclic dependency edge(s); excluded from ETA graph.`);
+        edges = edges.filter((edge) => !cyclicEdgeKeys.has(`${edge.from}->${edge.to}`));
+        for (const node of nodes) {
+            node.dependencyIds = node.dependencyIds.filter((depId) => !cyclicEdgeKeys.has(`${depId}->${node.id}`));
+        }
+    }
+    const etaMemo = new Map();
+    const etaVisiting = new Set();
+    const computeEtaEpoch = (nodeId) => {
+        const node = nodeMap.get(nodeId);
+        if (!node)
+            return Date.now();
+        const cached = etaMemo.get(nodeId);
+        if (cached !== undefined)
+            return cached;
+        const parsedEtaOverride = node.etaEndAt ? Date.parse(node.etaEndAt) : Number.NaN;
+        if (Number.isFinite(parsedEtaOverride)) {
+            etaMemo.set(nodeId, parsedEtaOverride);
+            return parsedEtaOverride;
+        }
+        const parsedDueDate = node.dueDate ? Date.parse(node.dueDate) : Number.NaN;
+        if (Number.isFinite(parsedDueDate)) {
+            etaMemo.set(nodeId, parsedDueDate);
+            return parsedDueDate;
+        }
+        if (etaVisiting.has(nodeId)) {
+            degraded.push(`ETA cycle fallback on node ${nodeId}.`);
+            const fallback = Date.now();
+            etaMemo.set(nodeId, fallback);
+            return fallback;
+        }
+        etaVisiting.add(nodeId);
+        let dependencyMax = 0;
+        for (const depId of node.dependencyIds) {
+            dependencyMax = Math.max(dependencyMax, computeEtaEpoch(depId));
+        }
+        etaVisiting.delete(nodeId);
+        const durationMs = (node.expectedDurationHours > 0
+            ? node.expectedDurationHours
+            : DEFAULT_DURATION_HOURS[node.type]) * 60 * 60 * 1000;
+        const eta = Math.max(Date.now(), dependencyMax) + durationMs;
+        etaMemo.set(nodeId, eta);
+        return eta;
+    };
+    for (const node of nodes) {
+        const eta = computeEtaEpoch(node.id);
+        if (Number.isFinite(eta)) {
+            node.etaEndAt = new Date(eta).toISOString();
+        }
+    }
+    const taskNodesOnly = nodes.filter((node) => node.type === "task");
+    const hasActiveTasks = taskNodesOnly.some((node) => isInProgressStatus(node.status));
+    const hasTodoTasks = taskNodesOnly.some((node) => isTodoStatus(node.status));
+    if (initiativeNode.status.toLowerCase() === "active" &&
+        !hasActiveTasks &&
+        hasTodoTasks) {
+        initiativeNode.status = "paused";
+    }
+    const nodeById = new Map(nodes.map((node) => [node.id, node]));
+    const taskIsReady = (task) => task.dependencyIds.every((depId) => {
+        const dependency = nodeById.get(depId);
+        return dependency ? isDoneStatus(dependency.status) : true;
+    });
+    const taskHasBlockedParent = (task) => {
+        const milestone = task.milestoneId ? nodeById.get(task.milestoneId) ?? null : null;
+        const workstream = task.workstreamId ? nodeById.get(task.workstreamId) ?? null : null;
+        return (milestone?.status?.toLowerCase() === "blocked" ||
+            workstream?.status?.toLowerCase() === "blocked");
+    };
+    const recentTodos = nodes
+        .filter((node) => node.type === "task" && isTodoStatus(node.status))
+        .sort((a, b) => {
+        const aReady = taskIsReady(a);
+        const bReady = taskIsReady(b);
+        if (aReady !== bReady)
+            return aReady ? -1 : 1;
+        const aBlocked = taskHasBlockedParent(a);
+        const bBlocked = taskHasBlockedParent(b);
+        if (aBlocked !== bBlocked)
+            return aBlocked ? 1 : -1;
+        const priorityDelta = a.priorityNum - b.priorityNum;
+        if (priorityDelta !== 0)
+            return priorityDelta;
+        const aDue = a.dueDate ? Date.parse(a.dueDate) : Number.POSITIVE_INFINITY;
+        const bDue = b.dueDate ? Date.parse(b.dueDate) : Number.POSITIVE_INFINITY;
+        if (aDue !== bDue)
+            return aDue - bDue;
+        const aEta = a.etaEndAt ? Date.parse(a.etaEndAt) : Number.POSITIVE_INFINITY;
+        const bEta = b.etaEndAt ? Date.parse(b.etaEndAt) : Number.POSITIVE_INFINITY;
+        if (aEta !== bEta)
+            return aEta - bEta;
+        const aEpoch = a.updatedAt ? Date.parse(a.updatedAt) : 0;
+        const bEpoch = b.updatedAt ? Date.parse(b.updatedAt) : 0;
+        return aEpoch - bEpoch;
+    })
+        .map((node) => node.id);
+    return {
+        initiative: {
+            id: initiativeNode.id,
+            title: initiativeNode.title,
+            status: initiativeNode.status,
+            summary: initiativeEntity
+                ? pickString(initiativeEntity, [
+                    "summary",
+                    "description",
+                    "context",
+                ])
+                : null,
+            assignedAgents: initiativeNode.assignedAgents,
+        },
+        nodes,
+        edges,
+        recentTodos,
+        degraded,
+    };
+}
+function normalizeEntityMutationPayload(payload) {
+    const next = { ...payload };
+    const priorityNumRaw = pickNumber(next, ["priority_num", "priorityNum"]);
+    const priorityLabelRaw = pickString(next, ["priority", "priority_label"]);
+    if (priorityNumRaw !== null) {
+        const clamped = clampPriority(priorityNumRaw);
+        next.priority_num = clamped;
+        if (!priorityLabelRaw) {
+            next.priority = mapPriorityNumToLabel(clamped);
+        }
+    }
+    else if (priorityLabelRaw) {
+        next.priority_num = PRIORITY_LABEL_TO_NUM[priorityLabelRaw.toLowerCase()] ?? 60;
+        next.priority = priorityLabelRaw.toLowerCase();
+    }
+    const dependsOnArray = pickStringArray(next, ["depends_on", "dependsOn", "dependencies"]);
+    if (dependsOnArray.length > 0) {
+        next.depends_on = dedupeStrings(dependsOnArray);
+    }
+    else if ("depends_on" in next) {
+        next.depends_on = [];
+    }
+    const expectedDuration = pickNumber(next, [
+        "expected_duration_hours",
+        "expectedDurationHours",
+    ]);
+    if (expectedDuration !== null) {
+        next.expected_duration_hours = Math.max(0, expectedDuration);
+    }
+    const expectedBudget = pickNumber(next, [
+        "expected_budget_usd",
+        "expectedBudgetUsd",
+        "budget_usd",
+        "budgetUsd",
+    ]);
+    if (expectedBudget !== null) {
+        next.expected_budget_usd = Math.max(0, expectedBudget);
+    }
+    const etaEndAt = pickString(next, ["eta_end_at", "etaEndAt"]);
+    if (etaEndAt !== null) {
+        next.eta_end_at = toIsoString(etaEndAt) ?? null;
+    }
+    const assignedIds = pickStringArray(next, [
+        "assigned_agent_ids",
+        "assignedAgentIds",
+    ]);
+    const assignedNames = pickStringArray(next, [
+        "assigned_agent_names",
+        "assignedAgentNames",
+    ]);
+    if (assignedIds.length > 0) {
+        next.assigned_agent_ids = dedupeStrings(assignedIds);
+    }
+    if (assignedNames.length > 0) {
+        next.assigned_agent_names = dedupeStrings(assignedNames);
+    }
+    return next;
+}
+async function resolveAutoAssignments(input) {
+    const warnings = [];
+    const assignedById = new Map();
+    const addAgent = (agent) => {
+        const key = agent.id || `name:${agent.name}`;
+        if (!assignedById.has(key))
+            assignedById.set(key, agent);
+    };
+    let liveAgents = [];
+    try {
+        const data = await input.client.getLiveAgents({
+            initiative: input.initiativeId,
+            includeIdle: true,
+        });
+        liveAgents = (Array.isArray(data.agents) ? data.agents : [])
+            .map((raw) => {
+            if (!raw || typeof raw !== "object")
+                return null;
+            const record = raw;
+            const id = pickString(record, ["id", "agentId"]) ?? "";
+            const name = pickString(record, ["name", "agentName"]) ?? (id ? `Agent ${id}` : "");
+            if (!name)
+                return null;
+            return {
+                id: id || `name:${name}`,
+                name,
+                domain: pickString(record, ["domain", "role"]),
+                status: pickString(record, ["status"]),
+            };
+        })
+            .filter((item) => item !== null);
+    }
+    catch (err) {
+        warnings.push(`live agent lookup failed (${safeErrorMessage(err)})`);
+    }
+    const orchestrator = liveAgents.find((agent) => /holt|orchestrator/i.test(agent.name) ||
+        /orchestrator/i.test(agent.domain ?? ""));
+    if (orchestrator)
+        addAgent(orchestrator);
+    let assignmentSource = "fallback";
+    try {
+        const preflight = await input.client.delegationPreflight({
+            intent: `${input.title}${input.summary ? `: ${input.summary}` : ""}`,
+        });
+        const recommendations = preflight.data?.recommended_split ?? [];
+        const recommendedDomains = dedupeStrings(recommendations
+            .map((entry) => String(entry.owner_domain ?? "").trim().toLowerCase())
+            .filter(Boolean));
+        for (const domain of recommendedDomains) {
+            const matched = liveAgents.find((agent) => (agent.domain ?? "").toLowerCase().includes(domain));
+            if (matched)
+                addAgent(matched);
+        }
+        if (recommendedDomains.length > 0) {
+            assignmentSource = "orchestrator";
+        }
+    }
+    catch (err) {
+        warnings.push(`delegation preflight failed (${safeErrorMessage(err)})`);
+    }
+    if (assignedById.size === 0) {
+        const text = `${input.title} ${input.summary ?? ""}`.toLowerCase();
+        const fallbackDomains = [];
+        if (/market|campaign|thread|article|tweet|copy/.test(text)) {
+            fallbackDomains.push("marketing");
+        }
+        else if (/design|ux|ui|a11y|accessibility/.test(text)) {
+            fallbackDomains.push("design");
+        }
+        else if (/ops|incident|runbook|reliability/.test(text)) {
+            fallbackDomains.push("operations");
+        }
+        else if (/sales|deal|pipeline|mrr/.test(text)) {
+            fallbackDomains.push("sales");
+        }
+        else {
+            fallbackDomains.push("engineering", "product");
+        }
+        for (const domain of fallbackDomains) {
+            const matched = liveAgents.find((agent) => (agent.domain ?? "").toLowerCase().includes(domain));
+            if (matched)
+                addAgent(matched);
+        }
+    }
+    if (assignedById.size === 0 && liveAgents.length > 0) {
+        addAgent(liveAgents[0]);
+        warnings.push("using first available live agent as fallback");
+    }
+    const assignedAgents = Array.from(assignedById.values());
+    const updatePayload = normalizeEntityMutationPayload({
+        assigned_agent_ids: assignedAgents.map((agent) => agent.id),
+        assigned_agent_names: assignedAgents.map((agent) => agent.name),
+        assignment_source: assignmentSource,
+    });
+    let updatedEntity;
+    try {
+        updatedEntity = await input.client.updateEntity(input.entityType, input.entityId, updatePayload);
+    }
+    catch (err) {
+        warnings.push(`assignment patch failed (${safeErrorMessage(err)})`);
+    }
+    return {
+        ok: true,
+        assignment_source: assignmentSource,
+        assigned_agents: assignedAgents,
+        warnings,
+        ...(updatedEntity ? { updated_entity: updatedEntity } : {}),
+    };
+}
+// =============================================================================
+// Factory
+// =============================================================================
+export function createHttpHandler(config, client, getSnapshot, onboarding, diagnostics, adapters) {
+    const dashboardEnabled = config.dashboardEnabled ??
+        true;
+    const outboxAdapter = adapters?.outbox ?? defaultOutboxAdapter;
+    const autoContinueRuns = new Map();
+    let autoContinueTickInFlight = false;
+    const AUTO_CONTINUE_TICK_MS = 2_500;
+    function normalizeTokenBudget(value, fallback) {
+        if (typeof value === "number" && Number.isFinite(value)) {
+            return Math.max(1_000, Math.round(value));
+        }
+        if (typeof value === "string" && value.trim().length > 0) {
+            const parsed = Number(value);
+            if (Number.isFinite(parsed)) {
+                return Math.max(1_000, Math.round(parsed));
+            }
+        }
+        return Math.max(1_000, Math.round(fallback));
+    }
+    function defaultAutoContinueTokenBudget() {
+        const hours = readBudgetEnvNumber("ORGX_AUTO_CONTINUE_BUDGET_HOURS", 4, {
+            min: 0.05,
+            max: 24,
+        });
+        const fallback = DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.tokensPerHour *
+            hours *
+            DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.contingencyMultiplier;
+        return normalizeTokenBudget(process.env.ORGX_AUTO_CONTINUE_TOKEN_BUDGET, fallback);
+    }
+    function estimateTokensForDurationHours(durationHours) {
+        if (!Number.isFinite(durationHours) || durationHours <= 0)
+            return 0;
+        const raw = durationHours *
+            DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.tokensPerHour *
+            DEFAULT_TOKEN_BUDGET_ASSUMPTIONS.contingencyMultiplier;
+        return Math.max(0, Math.round(raw));
+    }
+    function isSafePathSegment(value) {
+        const normalized = value.trim();
+        if (!normalized || normalized === "." || normalized === "..")
+            return false;
+        if (normalized.includes("/") || normalized.includes("\\") || normalized.includes("\0")) {
+            return false;
+        }
+        if (normalized.includes(".."))
+            return false;
+        return true;
+    }
+    function toFiniteNumber(value) {
+        if (typeof value === "number" && Number.isFinite(value))
+            return value;
+        if (typeof value === "string" && value.trim().length > 0) {
+            const parsed = Number(value);
+            if (Number.isFinite(parsed))
+                return parsed;
+        }
+        return null;
+    }
+    function readOpenClawSessionSummary(input) {
+        const agentId = input.agentId.trim();
+        const sessionId = input.sessionId.trim();
+        if (!agentId || !sessionId) {
+            return { tokens: 0, costUsd: 0, hadError: false, errorMessage: null };
+        }
+        if (!isSafePathSegment(agentId) || !isSafePathSegment(sessionId)) {
+            return { tokens: 0, costUsd: 0, hadError: false, errorMessage: null };
+        }
+        const jsonlPath = join(homedir(), ".openclaw", "agents", agentId, "sessions", `${sessionId}.jsonl`);
+        try {
+            if (!existsSync(jsonlPath)) {
+                return { tokens: 0, costUsd: 0, hadError: false, errorMessage: null };
+            }
+            const raw = readFileSync(jsonlPath, "utf8");
+            const lines = raw.split("\n");
+            let tokens = 0;
+            let costUsd = 0;
+            let hadError = false;
+            let errorMessage = null;
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed)
+                    continue;
+                try {
+                    const evt = JSON.parse(trimmed);
+                    if (evt.type !== "message")
+                        continue;
+                    const msg = evt.message;
+                    if (!msg || typeof msg !== "object")
+                        continue;
+                    const usage = msg.usage;
+                    if (usage && typeof usage === "object") {
+                        const totalTokens = toFiniteNumber(usage.totalTokens) ??
+                            toFiniteNumber(usage.total_tokens) ??
+                            null;
+                        const inputTokens = toFiniteNumber(usage.input) ?? 0;
+                        const outputTokens = toFiniteNumber(usage.output) ?? 0;
+                        const cacheReadTokens = toFiniteNumber(usage.cacheRead) ?? 0;
+                        const cacheWriteTokens = toFiniteNumber(usage.cacheWrite) ?? 0;
+                        tokens += Math.max(0, Math.round(totalTokens ??
+                            inputTokens + outputTokens + cacheReadTokens + cacheWriteTokens));
+                        const cost = usage.cost;
+                        const costTotal = cost ? toFiniteNumber(cost.total) : null;
+                        if (costTotal !== null) {
+                            costUsd += Math.max(0, costTotal);
+                        }
+                    }
+                    const stopReason = typeof msg.stopReason === "string" ? msg.stopReason : "";
+                    const msgError = typeof msg.errorMessage === "string" && msg.errorMessage.trim().length > 0
+                        ? msg.errorMessage.trim()
+                        : null;
+                    if (stopReason === "error" || msgError) {
+                        hadError = true;
+                        errorMessage = msgError ?? errorMessage;
+                    }
+                }
+                catch {
+                    // Ignore malformed lines.
+                }
+            }
+            return {
+                tokens,
+                costUsd: Math.round(costUsd * 10_000) / 10_000,
+                hadError,
+                errorMessage,
+            };
+        }
+        catch {
+            return { tokens: 0, costUsd: 0, hadError: false, errorMessage: null };
+        }
+    }
+    async function fetchInitiativeEntity(initiativeId) {
+        try {
+            const list = await client.listEntities("initiative", { limit: 200 });
+            const match = list.data.find((candidate) => String(candidate?.id ?? "") === initiativeId);
+            return match ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async function updateInitiativeMetadata(initiativeId, patch) {
+        const existing = await fetchInitiativeEntity(initiativeId);
+        const existingMeta = existing && typeof existing === "object"
+            ? getRecordMetadata(existing)
+            : {};
+        const nextMeta = { ...existingMeta, ...patch };
+        await client.updateEntity("initiative", initiativeId, { metadata: nextMeta });
+    }
+    async function updateInitiativeAutoContinueState(input) {
+        const now = new Date().toISOString();
+        const patch = {
+            auto_continue_enabled: true,
+            auto_continue_status: input.run.status,
+            auto_continue_stop_reason: input.run.stopReason,
+            auto_continue_started_at: input.run.startedAt,
+            auto_continue_stopped_at: input.run.stoppedAt,
+            auto_continue_updated_at: now,
+            auto_continue_token_budget: input.run.tokenBudget,
+            auto_continue_tokens_used: input.run.tokensUsed,
+            auto_continue_active_task_id: input.run.activeTaskId,
+            auto_continue_active_run_id: input.run.activeRunId,
+            auto_continue_active_task_token_estimate: input.run.activeTaskTokenEstimate,
+            auto_continue_last_task_id: input.run.lastTaskId,
+            auto_continue_last_run_id: input.run.lastRunId,
+            auto_continue_include_verification: input.run.includeVerification,
+            auto_continue_workstream_filter: input.run.allowedWorkstreamIds,
+            ...(input.run.lastError ? { auto_continue_last_error: input.run.lastError } : {}),
+        };
+        await updateInitiativeMetadata(input.initiativeId, patch);
+    }
+    async function stopAutoContinueRun(input) {
+        const now = new Date().toISOString();
+        input.run.status = "stopped";
+        input.run.stopReason = input.reason;
+        input.run.stoppedAt = now;
+        input.run.updatedAt = now;
+        input.run.stopRequested = false;
+        input.run.activeRunId = null;
+        input.run.activeTaskId = null;
+        if (input.error)
+            input.run.lastError = input.error;
+        try {
+            if (input.reason === "completed") {
+                await client.updateEntity("initiative", input.run.initiativeId, {
+                    status: "completed",
+                });
+            }
+            else {
+                await client.updateEntity("initiative", input.run.initiativeId, {
+                    status: "paused",
+                });
+            }
+        }
+        catch {
+            // best effort; UI still derives paused state locally
+        }
+        try {
+            await updateInitiativeAutoContinueState({
+                initiativeId: input.run.initiativeId,
+                run: input.run,
+            });
+        }
+        catch {
+            // best effort
+        }
+    }
+    async function tickAutoContinueRun(run) {
+        if (run.status !== "running" && run.status !== "stopping")
+            return;
+        const now = new Date().toISOString();
+        // 1) If we have an active run, wait for it to finish.
+        if (run.activeRunId) {
+            const record = getAgentRun(run.activeRunId);
+            const pid = record?.pid ?? null;
+            if (pid && isPidAlive(pid)) {
+                return;
+            }
+            // Run finished (or pid missing). Mark stopped and auto-complete the task.
+            if (record) {
+                try {
+                    markAgentRunStopped(record.runId);
+                }
+                catch {
+                    // ignore
+                }
+                const summary = readOpenClawSessionSummary({
+                    agentId: record.agentId,
+                    sessionId: record.runId,
+                });
+                const modeledTokens = run.activeTaskTokenEstimate ?? 0;
+                const consumedTokens = summary.tokens > 0 ? summary.tokens : modeledTokens;
+                run.tokensUsed += Math.max(0, consumedTokens);
+                run.activeTaskTokenEstimate = null;
+                if (record.taskId) {
+                    try {
+                        await client.updateEntity("task", record.taskId, {
+                            status: summary.hadError ? "blocked" : "done",
+                        });
+                    }
+                    catch (err) {
+                        run.lastError = safeErrorMessage(err);
+                    }
+                }
+                run.lastRunId = record.runId;
+                run.lastTaskId = record.taskId ?? run.lastTaskId;
+                run.activeRunId = null;
+                run.activeTaskId = null;
+                run.updatedAt = now;
+                if (summary.hadError && summary.errorMessage) {
+                    run.lastError = summary.errorMessage;
+                }
+                try {
+                    await updateInitiativeAutoContinueState({
+                        initiativeId: run.initiativeId,
+                        run,
+                    });
+                }
+                catch {
+                    // best effort
+                }
+            }
+            else {
+                // No record; clear active pointers so we can continue.
+                run.activeRunId = null;
+                run.activeTaskId = null;
+            }
+            // If a stop was requested, finalize after the active run completes.
+            if (run.stopRequested) {
+                await stopAutoContinueRun({ run, reason: "stopped" });
+                return;
+            }
+        }
+        if (run.stopRequested) {
+            run.status = "stopping";
+            run.updatedAt = now;
+            await stopAutoContinueRun({ run, reason: "stopped" });
+            return;
+        }
+        // 2) Enforce token guardrail before starting a new task.
+        if (run.tokensUsed >= run.tokenBudget) {
+            await stopAutoContinueRun({ run, reason: "budget_exhausted" });
+            return;
+        }
+        // 3) Pick next-up task and dispatch.
+        let graph;
+        try {
+            graph = await buildMissionControlGraph(client, run.initiativeId);
+        }
+        catch (err) {
+            await stopAutoContinueRun({
+                run,
+                reason: "error",
+                error: safeErrorMessage(err),
+            });
+            return;
+        }
+        const nodes = graph.nodes;
+        const nodeById = new Map(nodes.map((node) => [node.id, node]));
+        const taskNodes = nodes.filter((node) => node.type === "task");
+        const todoTasks = taskNodes.filter((node) => isTodoStatus(node.status));
+        if (todoTasks.length === 0) {
+            await stopAutoContinueRun({ run, reason: "completed" });
+            return;
+        }
+        const taskIsReady = (task) => task.dependencyIds.every((depId) => {
+            const dependency = nodeById.get(depId);
+            return dependency ? isDoneStatus(dependency.status) : true;
+        });
+        const taskHasBlockedParent = (task) => {
+            const milestone = task.milestoneId ? nodeById.get(task.milestoneId) ?? null : null;
+            const workstream = task.workstreamId ? nodeById.get(task.workstreamId) ?? null : null;
+            return (milestone?.status?.toLowerCase() === "blocked" ||
+                workstream?.status?.toLowerCase() === "blocked");
+        };
+        let nextTaskNode = null;
+        for (const taskId of graph.recentTodos) {
+            const node = nodeById.get(taskId);
+            if (!node || node.type !== "task")
+                continue;
+            if (!isTodoStatus(node.status))
+                continue;
+            if (!run.includeVerification &&
+                typeof node.title === "string" &&
+                /^verification\s+scenario/i.test(node.title)) {
+                continue;
+            }
+            if (run.allowedWorkstreamIds &&
+                node.workstreamId &&
+                !run.allowedWorkstreamIds.includes(node.workstreamId)) {
+                continue;
+            }
+            if (node.workstreamId) {
+                const ws = nodeById.get(node.workstreamId);
+                if (ws && !isInProgressStatus(ws.status)) {
+                    continue;
+                }
+            }
+            if (!taskIsReady(node))
+                continue;
+            if (taskHasBlockedParent(node))
+                continue;
+            nextTaskNode = node;
+            break;
+        }
+        if (!nextTaskNode) {
+            await stopAutoContinueRun({ run, reason: "blocked" });
+            return;
+        }
+        const nextTaskTokenEstimate = estimateTokensForDurationHours(typeof nextTaskNode.expectedDurationHours === "number"
+            ? nextTaskNode.expectedDurationHours
+            : 0);
+        if (nextTaskTokenEstimate > 0 &&
+            run.tokensUsed + nextTaskTokenEstimate > run.tokenBudget) {
+            await stopAutoContinueRun({ run, reason: "budget_exhausted" });
+            return;
+        }
+        const agentId = run.agentId || "main";
+        const sessionId = randomUUID();
+        const initiativeNode = nodes.find((node) => node.type === "initiative") ?? null;
+        const workstreamTitle = nextTaskNode.workstreamId
+            ? nodeById.get(nextTaskNode.workstreamId)?.title ?? null
+            : null;
+        const milestoneTitle = nextTaskNode.milestoneId
+            ? nodeById.get(nextTaskNode.milestoneId)?.title ?? null
+            : null;
+        const message = [
+            initiativeNode ? `Initiative: ${initiativeNode.title}` : null,
+            workstreamTitle ? `Workstream: ${workstreamTitle}` : null,
+            milestoneTitle ? `Milestone: ${milestoneTitle}` : null,
+            "",
+            `Task: ${nextTaskNode.title}`,
+            "",
+            "Execute this task. When finished, provide a concise completion summary and any relevant commands/notes.",
+        ]
+            .filter((line) => typeof line === "string")
+            .join("\n");
+        try {
+            await client.updateEntity("task", nextTaskNode.id, {
+                status: "in_progress",
+            });
+        }
+        catch (err) {
+            await stopAutoContinueRun({
+                run,
+                reason: "error",
+                error: safeErrorMessage(err),
+            });
+            return;
+        }
+        upsertAgentContext({
+            agentId,
+            initiativeId: run.initiativeId,
+            initiativeTitle: initiativeNode?.title ?? null,
+            workstreamId: nextTaskNode.workstreamId,
+            taskId: nextTaskNode.id,
+        });
+        const spawned = spawnOpenClawAgentTurn({
+            agentId,
+            sessionId,
+            message,
+        });
+        upsertAgentRun({
+            runId: sessionId,
+            agentId,
+            pid: spawned.pid,
+            message,
+            provider: null,
+            model: null,
+            initiativeId: run.initiativeId,
+            initiativeTitle: initiativeNode?.title ?? null,
+            workstreamId: nextTaskNode.workstreamId,
+            taskId: nextTaskNode.id,
+            startedAt: now,
+            status: "running",
+        });
+        run.lastTaskId = nextTaskNode.id;
+        run.lastRunId = sessionId;
+        run.activeTaskId = nextTaskNode.id;
+        run.activeRunId = sessionId;
+        run.activeTaskTokenEstimate = nextTaskTokenEstimate > 0 ? nextTaskTokenEstimate : null;
+        run.updatedAt = now;
+        try {
+            await client.updateEntity("initiative", run.initiativeId, { status: "active" });
+        }
+        catch {
+            // best effort
+        }
+        try {
+            await updateInitiativeAutoContinueState({
+                initiativeId: run.initiativeId,
+                run,
+            });
+        }
+        catch {
+            // best effort
+        }
+    }
+    async function tickAllAutoContinue() {
+        if (autoContinueTickInFlight)
+            return;
+        autoContinueTickInFlight = true;
+        try {
+            for (const run of autoContinueRuns.values()) {
+                try {
+                    await tickAutoContinueRun(run);
+                }
+                catch (err) {
+                    // Never let one loop crash the whole handler.
+                    run.lastError = safeErrorMessage(err);
+                    run.updatedAt = new Date().toISOString();
+                    await stopAutoContinueRun({ run, reason: "error", error: run.lastError });
+                }
+            }
+        }
+        finally {
+            autoContinueTickInFlight = false;
+        }
+    }
+    const autoContinueTimer = setInterval(() => {
+        void tickAllAutoContinue();
+    }, AUTO_CONTINUE_TICK_MS);
+    autoContinueTimer.unref?.();
+    return async function handler(req, res) {
+        const method = (req.method ?? "GET").toUpperCase();
+        const rawUrl = req.url ?? "/";
+        const [path, queryString] = rawUrl.split("?", 2);
+        const url = path;
+        const searchParams = new URLSearchParams(queryString ?? "");
+        // Only handle /orgx paths — return false for everything else
+        if (!url.startsWith("/orgx")) {
+            return false;
+        }
+        // Handle CORS preflight
+        if (method === "OPTIONS") {
+            if (url.startsWith("/orgx/api/") && !isTrustedRequestSource(req.headers)) {
+                sendJson(res, 403, {
+                    error: "Cross-origin browser requests are blocked for /orgx/api endpoints.",
+                });
+                return true;
+            }
+            res.writeHead(204, {
+                ...SECURITY_HEADERS,
+                ...CORS_HEADERS,
+            });
+            res.end();
+            return true;
         }
         // ── API endpoints ──────────────────────────────────────────────────────
         if (url.startsWith("/orgx/api/")) {
+            if (!isTrustedRequestSource(req.headers)) {
+                sendJson(res, 403, {
+                    error: "Cross-origin browser requests are blocked for /orgx/api endpoints.",
+                });
+                return true;
+            }
             const route = url.replace("/orgx/api/", "").replace(/\/+$/, "");
             const decisionApproveMatch = route.match(/^live\/decisions\/([^/]+)\/approve$/);
             const runActionMatch = route.match(/^runs\/([^/]+)\/actions\/([^/]+)$/);
             const runCheckpointsMatch = route.match(/^runs\/([^/]+)\/checkpoints$/);
             const runCheckpointRestoreMatch = route.match(/^runs\/([^/]+)\/checkpoints\/([^/]+)\/restore$/);
             const isDelegationPreflight = route === "delegation/preflight";
+            const isMissionControlAutoAssignmentRoute = route === "mission-control/assignments/auto";
+            const isMissionControlAutoContinueStartRoute = route === "mission-control/auto-continue/start";
+            const isMissionControlAutoContinueStopRoute = route === "mission-control/auto-continue/stop";
             const isEntitiesRoute = route === "entities";
+            const entityActionMatch = route.match(/^entities\/([^/]+)\/([^/]+)\/([^/]+)$/);
+            const isOnboardingStartRoute = route === "onboarding/start";
+            const isOnboardingStatusRoute = route === "onboarding/status";
+            const isOnboardingManualKeyRoute = route === "onboarding/manual-key";
+            const isOnboardingDisconnectRoute = route === "onboarding/disconnect";
+            const isLiveActivityHeadlineRoute = route === "live/activity/headline";
+            const isAgentLaunchRoute = route === "agents/launch";
+            const isAgentStopRoute = route === "agents/stop";
+            const isAgentRestartRoute = route === "agents/restart";
+            const isByokSettingsRoute = route === "settings/byok";
+            if (method === "POST" && isOnboardingStartRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const started = await onboarding.startPairing({
+                        openclawVersion: pickString(payload, ["openclawVersion", "openclaw_version"]) ??
+                            undefined,
+                        platform: pickString(payload, ["platform"]) ?? undefined,
+                        deviceName: pickString(payload, ["deviceName", "device_name"]) ?? undefined,
+                    });
+                    sendJson(res, 200, {
+                        ok: true,
+                        data: {
+                            pairingId: started.pairingId,
+                            connectUrl: started.connectUrl,
+                            expiresAt: started.expiresAt,
+                            pollIntervalMs: started.pollIntervalMs,
+                            state: getOnboardingState(started.state),
+                        },
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 400, {
+                        ok: false,
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            if (method === "GET" && isOnboardingStatusRoute) {
+                try {
+                    const state = await onboarding.getStatus();
+                    sendJson(res, 200, {
+                        ok: true,
+                        data: getOnboardingState(state),
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 500, {
+                        ok: false,
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            if (method === "POST" && isOnboardingManualKeyRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const authHeader = pickHeaderString(req.headers, ["authorization"]);
+                    const bearerApiKey = authHeader && authHeader.toLowerCase().startsWith("bearer ")
+                        ? authHeader.slice("bearer ".length).trim()
+                        : null;
+                    const headerApiKey = pickHeaderString(req.headers, [
+                        "x-orgx-api-key",
+                        "x-api-key",
+                    ]);
+                    const apiKey = pickString(payload, ["apiKey", "api_key"]) ??
+                        headerApiKey ??
+                        bearerApiKey;
+                    if (!apiKey) {
+                        sendJson(res, 400, {
+                            ok: false,
+                            error: "apiKey is required",
+                        });
+                        return true;
+                    }
+                    const requestedUserId = pickString(payload, ["userId", "user_id"]) ??
+                        pickHeaderString(req.headers, ["x-orgx-user-id", "x-user-id"]) ??
+                        undefined;
+                    const userId = isUserScopedApiKey(apiKey) ? undefined : requestedUserId;
+                    const state = await onboarding.submitManualKey({
+                        apiKey,
+                        userId,
+                    });
+                    sendJson(res, 200, {
+                        ok: true,
+                        data: getOnboardingState(state),
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 400, {
+                        ok: false,
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            if (method === "POST" && isOnboardingDisconnectRoute) {
+                try {
+                    const state = await onboarding.disconnect();
+                    sendJson(res, 200, {
+                        ok: true,
+                        data: getOnboardingState(state),
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 500, {
+                        ok: false,
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            if (method === "POST" && isAgentLaunchRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const agentId = (pickString(payload, ["agentId", "agent_id", "id"]) ??
+                        searchParams.get("agentId") ??
+                        searchParams.get("agent_id") ??
+                        searchParams.get("id") ??
+                        "")
+                        .trim();
+                    if (!agentId) {
+                        sendJson(res, 400, { ok: false, error: "agentId is required" });
+                        return true;
+                    }
+                    if (!/^[a-zA-Z0-9_-]+$/.test(agentId)) {
+                        sendJson(res, 400, {
+                            ok: false,
+                            error: "agentId must be a simple identifier (letters, numbers, _ or -).",
+                        });
+                        return true;
+                    }
+                    const sessionId = (pickString(payload, ["sessionId", "session_id"]) ??
+                        searchParams.get("sessionId") ??
+                        searchParams.get("session_id") ??
+                        "")
+                        .trim() ||
+                        randomUUID();
+                    const initiativeId = pickString(payload, ["initiativeId", "initiative_id"]) ??
+                        searchParams.get("initiativeId") ??
+                        searchParams.get("initiative_id") ??
+                        null;
+                    const initiativeTitle = pickString(payload, [
+                        "initiativeTitle",
+                        "initiative_title",
+                        "initiativeName",
+                        "initiative_name",
+                    ]) ??
+                        searchParams.get("initiativeTitle") ??
+                        searchParams.get("initiative_title") ??
+                        searchParams.get("initiativeName") ??
+                        searchParams.get("initiative_name") ??
+                        null;
+                    const workstreamId = pickString(payload, ["workstreamId", "workstream_id"]) ??
+                        searchParams.get("workstreamId") ??
+                        searchParams.get("workstream_id") ??
+                        null;
+                    const taskId = pickString(payload, ["taskId", "task_id"]) ??
+                        searchParams.get("taskId") ??
+                        searchParams.get("task_id") ??
+                        null;
+                    const thinking = (pickString(payload, ["thinking"]) ??
+                        searchParams.get("thinking") ??
+                        "")
+                        .trim() || null;
+                    const provider = normalizeOpenClawProvider(pickString(payload, ["provider", "modelProvider", "model_provider"]) ??
+                        searchParams.get("provider") ??
+                        searchParams.get("modelProvider") ??
+                        searchParams.get("model_provider") ??
+                        null);
+                    const requestedModel = (pickString(payload, ["model", "modelId", "model_id"]) ??
+                        searchParams.get("model") ??
+                        searchParams.get("modelId") ??
+                        searchParams.get("model_id") ??
+                        "")
+                        .trim() || null;
+                    const dryRunRaw = payload.dryRun ??
+                        payload.dry_run ??
+                        searchParams.get("dryRun") ??
+                        searchParams.get("dry_run") ??
+                        null;
+                    const dryRun = typeof dryRunRaw === "boolean"
+                        ? dryRunRaw
+                        : parseBooleanQuery(typeof dryRunRaw === "string" ? dryRunRaw : null);
+                    let requiresPremiumLaunch = Boolean(provider) || modelImpliesByok(requestedModel);
+                    if (!requiresPremiumLaunch) {
+                        try {
+                            const agents = await listOpenClawAgents();
+                            const agentEntry = agents.find((entry) => String(entry.id ?? "").trim() === agentId) ??
+                                null;
+                            const agentModel = agentEntry && typeof agentEntry.model === "string"
+                                ? agentEntry.model
+                                : null;
+                            requiresPremiumLaunch = modelImpliesByok(agentModel);
+                        }
+                        catch {
+                            // ignore
+                        }
+                    }
+                    if (requiresPremiumLaunch) {
+                        const billingStatus = await fetchBillingStatusSafe(client);
+                        if (billingStatus && billingStatus.plan === "free") {
+                            const pricingUrl = `${client.getBaseUrl().replace(/\/+$/, "")}/pricing`;
+                            sendJson(res, 402, {
+                                ok: false,
+                                code: "upgrade_required",
+                                error: "BYOK agent launch requires a paid OrgX plan. Upgrade, then retry.",
+                                currentPlan: billingStatus.plan,
+                                requiredPlan: "starter",
+                                actions: {
+                                    checkout: "/orgx/api/billing/checkout",
+                                    portal: "/orgx/api/billing/portal",
+                                    pricing: pricingUrl,
+                                },
+                            });
+                            return true;
+                        }
+                    }
+                    const messageInput = (pickString(payload, ["message", "prompt", "text"]) ??
+                        searchParams.get("message") ??
+                        searchParams.get("prompt") ??
+                        searchParams.get("text") ??
+                        "")
+                        .trim();
+                    const message = messageInput ||
+                        (initiativeTitle
+                            ? `Kick off: ${initiativeTitle}`
+                            : initiativeId
+                                ? `Kick off initiative ${initiativeId}`
+                                : `Kick off agent ${agentId}`);
+                    if (dryRun) {
+                        sendJson(res, 200, {
+                            ok: true,
+                            dryRun: true,
+                            agentId,
+                            initiativeId,
+                            workstreamId,
+                            taskId,
+                            requiresPremiumLaunch,
+                            startedAt: new Date().toISOString(),
+                            message,
+                        });
+                        return true;
+                    }
+                    let routedProvider = null;
+                    let routedModel = null;
+                    if (provider) {
+                        const routed = await configureOpenClawProviderRouting({
+                            agentId,
+                            provider,
+                            requestedModel,
+                        });
+                        routedProvider = routed.provider;
+                        routedModel = routed.model;
+                    }
+                    upsertAgentContext({
+                        agentId,
+                        initiativeId,
+                        initiativeTitle,
+                        workstreamId,
+                        taskId,
+                    });
+                    const spawned = spawnOpenClawAgentTurn({
+                        agentId,
+                        sessionId,
+                        message,
+                        thinking,
+                    });
+                    upsertAgentRun({
+                        runId: sessionId,
+                        agentId,
+                        pid: spawned.pid,
+                        message,
+                        provider: routedProvider,
+                        model: routedModel,
+                        initiativeId,
+                        initiativeTitle,
+                        workstreamId,
+                        taskId,
+                        startedAt: new Date().toISOString(),
+                        status: "running",
+                    });
+                    sendJson(res, 202, {
+                        ok: true,
+                        agentId,
+                        sessionId,
+                        pid: spawned.pid,
+                        provider: routedProvider,
+                        model: routedModel,
+                        initiativeId,
+                        workstreamId,
+                        taskId,
+                        startedAt: new Date().toISOString(),
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 500, {
+                        ok: false,
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            if (method === "POST" && isAgentStopRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const runId = (pickString(payload, ["runId", "run_id", "sessionId", "session_id"]) ??
+                        searchParams.get("runId") ??
+                        searchParams.get("run_id") ??
+                        searchParams.get("sessionId") ??
+                        searchParams.get("session_id") ??
+                        "")
+                        .trim();
+                    if (!runId) {
+                        sendJson(res, 400, { ok: false, error: "runId is required" });
+                        return true;
+                    }
+                    const record = getAgentRun(runId);
+                    if (!record) {
+                        sendJson(res, 404, { ok: false, error: "Run not found" });
+                        return true;
+                    }
+                    if (!record.pid) {
+                        sendJson(res, 409, { ok: false, error: "Run has no tracked pid" });
+                        return true;
+                    }
+                    const result = await stopDetachedProcess(record.pid);
+                    const updated = markAgentRunStopped(runId);
+                    sendJson(res, 200, {
+                        ok: true,
+                        runId,
+                        agentId: record.agentId,
+                        pid: record.pid,
+                        stopped: result.stopped,
+                        wasRunning: result.wasRunning,
+                        record: updated,
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 500, { ok: false, error: safeErrorMessage(err) });
+                }
+                return true;
+            }
+            if (method === "POST" && isAgentRestartRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const previousRunId = (pickString(payload, ["runId", "run_id", "sessionId", "session_id"]) ??
+                        searchParams.get("runId") ??
+                        searchParams.get("run_id") ??
+                        searchParams.get("sessionId") ??
+                        searchParams.get("session_id") ??
+                        "")
+                        .trim();
+                    if (!previousRunId) {
+                        sendJson(res, 400, { ok: false, error: "runId is required" });
+                        return true;
+                    }
+                    const record = getAgentRun(previousRunId);
+                    if (!record) {
+                        sendJson(res, 404, { ok: false, error: "Run not found" });
+                        return true;
+                    }
+                    const messageOverride = (pickString(payload, ["message", "prompt", "text"]) ??
+                        searchParams.get("message") ??
+                        searchParams.get("prompt") ??
+                        searchParams.get("text") ??
+                        "")
+                        .trim() || null;
+                    const providerOverride = normalizeOpenClawProvider(pickString(payload, ["provider", "modelProvider", "model_provider"]) ??
+                        searchParams.get("provider") ??
+                        searchParams.get("modelProvider") ??
+                        searchParams.get("model_provider") ??
+                        record.provider ??
+                        null);
+                    const requestedModel = (pickString(payload, ["model", "modelId", "model_id"]) ??
+                        searchParams.get("model") ??
+                        searchParams.get("modelId") ??
+                        searchParams.get("model_id") ??
+                        record.model ??
+                        "")
+                        .trim() || null;
+                    let requiresPremiumRestart = Boolean(providerOverride) ||
+                        modelImpliesByok(requestedModel) ||
+                        modelImpliesByok(record.model ?? null);
+                    if (!requiresPremiumRestart) {
+                        try {
+                            const agents = await listOpenClawAgents();
+                            const agentEntry = agents.find((entry) => String(entry.id ?? "").trim() === record.agentId) ?? null;
+                            const agentModel = agentEntry && typeof agentEntry.model === "string"
+                                ? agentEntry.model
+                                : null;
+                            requiresPremiumRestart = modelImpliesByok(agentModel);
+                        }
+                        catch {
+                            // ignore
+                        }
+                    }
+                    if (requiresPremiumRestart) {
+                        const billingStatus = await fetchBillingStatusSafe(client);
+                        if (billingStatus && billingStatus.plan === "free") {
+                            const pricingUrl = `${client.getBaseUrl().replace(/\/+$/, "")}/pricing`;
+                            sendJson(res, 402, {
+                                ok: false,
+                                code: "upgrade_required",
+                                error: "BYOK agent launch requires a paid OrgX plan. Upgrade, then retry.",
+                                currentPlan: billingStatus.plan,
+                                requiredPlan: "starter",
+                                actions: {
+                                    checkout: "/orgx/api/billing/checkout",
+                                    portal: "/orgx/api/billing/portal",
+                                    pricing: pricingUrl,
+                                },
+                            });
+                            return true;
+                        }
+                    }
+                    const sessionId = randomUUID();
+                    const message = messageOverride ?? record.message ?? `Restart agent ${record.agentId}`;
+                    let routedProvider = providerOverride ?? null;
+                    let routedModel = requestedModel ?? null;
+                    if (providerOverride) {
+                        const routed = await configureOpenClawProviderRouting({
+                            agentId: record.agentId,
+                            provider: providerOverride,
+                            requestedModel,
+                        });
+                        routedProvider = routed.provider;
+                        routedModel = routed.model;
+                    }
+                    upsertAgentContext({
+                        agentId: record.agentId,
+                        initiativeId: record.initiativeId,
+                        initiativeTitle: record.initiativeTitle,
+                        workstreamId: record.workstreamId,
+                        taskId: record.taskId,
+                    });
+                    const spawned = spawnOpenClawAgentTurn({
+                        agentId: record.agentId,
+                        sessionId,
+                        message,
+                    });
+                    upsertAgentRun({
+                        runId: sessionId,
+                        agentId: record.agentId,
+                        pid: spawned.pid,
+                        message,
+                        provider: routedProvider,
+                        model: routedModel,
+                        initiativeId: record.initiativeId,
+                        initiativeTitle: record.initiativeTitle,
+                        workstreamId: record.workstreamId,
+                        taskId: record.taskId,
+                        startedAt: new Date().toISOString(),
+                        status: "running",
+                    });
+                    sendJson(res, 202, {
+                        ok: true,
+                        previousRunId,
+                        sessionId,
+                        agentId: record.agentId,
+                        pid: spawned.pid,
+                        provider: routedProvider,
+                        model: routedModel,
+                    });
+                }
+                catch (err) {
+                    sendJson(res, 500, { ok: false, error: safeErrorMessage(err) });
+                }
+                return true;
+            }
+            if (method === "POST" && isMissionControlAutoContinueStartRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const initiativeId = (pickString(payload, ["initiativeId", "initiative_id"]) ??
+                        searchParams.get("initiativeId") ??
+                        searchParams.get("initiative_id") ??
+                        "")
+                        .trim();
+                    if (!initiativeId) {
+                        sendJson(res, 400, { ok: false, error: "initiativeId is required" });
+                        return true;
+                    }
+                    const agentIdRaw = (pickString(payload, ["agentId", "agent_id"]) ??
+                        searchParams.get("agentId") ??
+                        searchParams.get("agent_id") ??
+                        "main")
+                        .trim();
+                    const agentId = agentIdRaw || "main";
+                    if (!/^[a-zA-Z0-9_-]+$/.test(agentId)) {
+                        sendJson(res, 400, {
+                            ok: false,
+                            error: "agentId must be a simple identifier (letters, numbers, _ or -).",
+                        });
+                        return true;
+                    }
+                    let requiresPremiumAutoContinue = false;
+                    try {
+                        const agents = await listOpenClawAgents();
+                        const agentEntry = agents.find((entry) => String(entry.id ?? "").trim() === agentId) ??
+                            null;
+                        const agentModel = agentEntry && typeof agentEntry.model === "string"
+                            ? agentEntry.model
+                            : null;
+                        requiresPremiumAutoContinue = modelImpliesByok(agentModel);
+                    }
+                    catch {
+                        // ignore
+                    }
+                    if (requiresPremiumAutoContinue) {
+                        const billingStatus = await fetchBillingStatusSafe(client);
+                        if (billingStatus && billingStatus.plan === "free") {
+                            const pricingUrl = `${client.getBaseUrl().replace(/\/+$/, "")}/pricing`;
+                            sendJson(res, 402, {
+                                ok: false,
+                                code: "upgrade_required",
+                                error: "Auto-continue for BYOK agents requires a paid OrgX plan. Upgrade, then retry.",
+                                currentPlan: billingStatus.plan,
+                                requiredPlan: "starter",
+                                actions: {
+                                    checkout: "/orgx/api/billing/checkout",
+                                    portal: "/orgx/api/billing/portal",
+                                    pricing: pricingUrl,
+                                },
+                            });
+                            return true;
+                        }
+                    }
+                    const tokenBudget = pickNumber(payload, [
+                        "tokenBudget",
+                        "token_budget",
+                        "tokenBudgetTokens",
+                        "token_budget_tokens",
+                        "maxTokens",
+                        "max_tokens",
+                    ]) ??
+                        searchParams.get("tokenBudget") ??
+                        searchParams.get("token_budget") ??
+                        searchParams.get("tokenBudgetTokens") ??
+                        searchParams.get("token_budget_tokens") ??
+                        searchParams.get("maxTokens") ??
+                        searchParams.get("max_tokens") ??
+                        null;
+                    const includeVerificationRaw = payload.includeVerification ??
+                        payload.include_verification ??
+                        searchParams.get("includeVerification") ??
+                        searchParams.get("include_verification") ??
+                        null;
+                    const includeVerification = typeof includeVerificationRaw === "boolean"
+                        ? includeVerificationRaw
+                        : parseBooleanQuery(typeof includeVerificationRaw === "string"
+                            ? includeVerificationRaw
+                            : null);
+                    const workstreamFilter = dedupeStrings([
+                        ...pickStringArray(payload, [
+                            "workstreamIds",
+                            "workstream_ids",
+                            "workstreamId",
+                            "workstream_id",
+                        ]),
+                        ...(searchParams.get("workstreamIds") ??
+                            searchParams.get("workstream_ids") ??
+                            searchParams.get("workstreamId") ??
+                            searchParams.get("workstream_id") ??
+                            "")
+                            .split(",")
+                            .map((entry) => entry.trim())
+                            .filter(Boolean),
+                    ]);
+                    const allowedWorkstreamIds = workstreamFilter.length > 0 ? workstreamFilter : null;
+                    const now = new Date().toISOString();
+                    const existing = autoContinueRuns.get(initiativeId) ?? null;
+                    const run = existing ??
+                        {
+                            initiativeId,
+                            agentId,
+                            includeVerification: false,
+                            allowedWorkstreamIds: null,
+                            tokenBudget: defaultAutoContinueTokenBudget(),
+                            tokensUsed: 0,
+                            status: "running",
+                            stopReason: null,
+                            stopRequested: false,
+                            startedAt: now,
+                            stoppedAt: null,
+                            updatedAt: now,
+                            lastError: null,
+                            lastTaskId: null,
+                            lastRunId: null,
+                            activeTaskId: null,
+                            activeRunId: null,
+                            activeTaskTokenEstimate: null,
+                        };
+                    run.agentId = agentId;
+                    run.includeVerification = includeVerification;
+                    run.allowedWorkstreamIds = allowedWorkstreamIds;
+                    run.tokenBudget = normalizeTokenBudget(tokenBudget, run.tokenBudget || defaultAutoContinueTokenBudget());
+                    run.status = "running";
+                    run.stopReason = null;
+                    run.stopRequested = false;
+                    run.startedAt = now;
+                    run.stoppedAt = null;
+                    run.updatedAt = now;
+                    run.lastError = null;
+                    autoContinueRuns.set(initiativeId, run);
+                    try {
+                        await client.updateEntity("initiative", initiativeId, { status: "active" });
+                    }
+                    catch {
+                        // best effort
+                    }
+                    try {
+                        await updateInitiativeAutoContinueState({ initiativeId, run });
+                    }
+                    catch {
+                        // best effort
+                    }
+                    sendJson(res, 200, { ok: true, run });
+                }
+                catch (err) {
+                    sendJson(res, 500, { ok: false, error: safeErrorMessage(err) });
+                }
+                return true;
+            }
+            if (method === "POST" && isMissionControlAutoContinueStopRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const initiativeId = (pickString(payload, ["initiativeId", "initiative_id"]) ??
+                        searchParams.get("initiativeId") ??
+                        searchParams.get("initiative_id") ??
+                        "")
+                        .trim();
+                    if (!initiativeId) {
+                        sendJson(res, 400, { ok: false, error: "initiativeId is required" });
+                        return true;
+                    }
+                    const run = autoContinueRuns.get(initiativeId) ?? null;
+                    if (!run) {
+                        sendJson(res, 404, { ok: false, error: "No auto-continue run found" });
+                        return true;
+                    }
+                    const now = new Date().toISOString();
+                    run.stopRequested = true;
+                    run.status = run.activeRunId ? "stopping" : "stopped";
+                    run.updatedAt = now;
+                    if (!run.activeRunId) {
+                        await stopAutoContinueRun({ run, reason: "stopped" });
+                    }
+                    else {
+                        try {
+                            await updateInitiativeAutoContinueState({ initiativeId, run });
+                        }
+                        catch {
+                            // best effort
+                        }
+                    }
+                    sendJson(res, 200, { ok: true, run });
+                }
+                catch (err) {
+                    sendJson(res, 500, { ok: false, error: safeErrorMessage(err) });
+                }
+                return true;
+            }
             if (method === "POST" &&
                 (route === "live/decisions/approve" || decisionApproveMatch)) {
                 try {
-                    const payload = parseJsonBody(req.body);
+                    const payload = await parseJsonRequest(req);
                     const action = payload.action === "reject" ? "reject" : "approve";
                     const note = typeof payload.note === "string" && payload.note.trim().length > 0
                         ? payload.note.trim()
@@ -277,14 +3067,14 @@ export function createHttpHandler(config, client, getSnapshot) {
                 }
                 catch (err) {
                     sendJson(res, 500, {
-                        error: err instanceof Error ? err.message : String(err),
+                        error: safeErrorMessage(err),
                     });
                 }
                 return true;
             }
             if (method === "POST" && isDelegationPreflight) {
                 try {
-                    const payload = parseJsonBody(req.body);
+                    const payload = await parseJsonRequest(req);
                     const intent = pickString(payload, ["intent"]);
                     if (!intent) {
                         sendJson(res, 400, { error: "intent is required" });
@@ -303,7 +3093,40 @@ export function createHttpHandler(config, client, getSnapshot) {
                 }
                 catch (err) {
                     sendJson(res, 500, {
-                        error: err instanceof Error ? err.message : String(err),
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            if (method === "POST" && isMissionControlAutoAssignmentRoute) {
+                try {
+                    const payload = await parseJsonRequest(req);
+                    const entityId = pickString(payload, ["entity_id", "entityId"]);
+                    const entityType = pickString(payload, ["entity_type", "entityType"]);
+                    const initiativeId = pickString(payload, ["initiative_id", "initiativeId"]) ?? null;
+                    const title = pickString(payload, ["title", "name"]) ?? "Untitled";
+                    const summary = pickString(payload, ["summary", "description", "context"]) ?? null;
+                    if (!entityId || !entityType) {
+                        sendJson(res, 400, {
+                            ok: false,
+                            error: "entity_id and entity_type are required.",
+                        });
+                        return true;
+                    }
+                    const assignment = await resolveAutoAssignments({
+                        client,
+                        entityId,
+                        entityType,
+                        initiativeId,
+                        title,
+                        summary,
+                    });
+                    sendJson(res, 200, assignment);
+                }
+                catch (err) {
+                    sendJson(res, 500, {
+                        ok: false,
+                        error: safeErrorMessage(err),
                     });
                 }
                 return true;
@@ -311,7 +3134,7 @@ export function createHttpHandler(config, client, getSnapshot) {
             if (runCheckpointsMatch && method === "POST") {
                 try {
                     const runId = decodeURIComponent(runCheckpointsMatch[1]);
-                    const payload = parseJsonBody(req.body);
+                    const payload = await parseJsonRequest(req);
                     const reason = pickString(payload, ["reason"]) ?? undefined;
                     const rawPayload = payload.payload;
                     const checkpointPayload = rawPayload && typeof rawPayload === "object" && !Array.isArray(rawPayload)
@@ -325,7 +3148,7 @@ export function createHttpHandler(config, client, getSnapshot) {
                 }
                 catch (err) {
                     sendJson(res, 500, {
-                        error: err instanceof Error ? err.message : String(err),
+                        error: safeErrorMessage(err),
                     });
                 }
                 return true;
@@ -334,7 +3157,7 @@ export function createHttpHandler(config, client, getSnapshot) {
                 try {
                     const runId = decodeURIComponent(runCheckpointRestoreMatch[1]);
                     const checkpointId = decodeURIComponent(runCheckpointRestoreMatch[2]);
-                    const payload = parseJsonBody(req.body);
+                    const payload = await parseJsonRequest(req);
                     const reason = pickString(payload, ["reason"]) ?? undefined;
                     const data = await client.restoreRunCheckpoint(runId, {
                         checkpointId,
@@ -344,7 +3167,7 @@ export function createHttpHandler(config, client, getSnapshot) {
                 }
                 catch (err) {
                     sendJson(res, 500, {
-                        error: err instanceof Error ? err.message : String(err),
+                        error: safeErrorMessage(err),
                     });
                 }
                 return true;
@@ -353,7 +3176,7 @@ export function createHttpHandler(config, client, getSnapshot) {
                 try {
                     const runId = decodeURIComponent(runActionMatch[1]);
                     const action = decodeURIComponent(runActionMatch[2]);
-                    const payload = parseJsonBody(req.body);
+                    const payload = await parseJsonRequest(req);
                     const checkpointId = pickString(payload, ["checkpointId", "checkpoint_id"]);
                     const reason = pickString(payload, ["reason"]);
                     const data = await client.runAction(runId, action, {
@@ -364,19 +3187,74 @@ export function createHttpHandler(config, client, getSnapshot) {
                 }
                 catch (err) {
                     sendJson(res, 500, {
-                        error: err instanceof Error ? err.message : String(err),
+                        error: safeErrorMessage(err),
+                    });
+                }
+                return true;
+            }
+            // Entity action / delete route: POST /orgx/api/entities/{type}/{id}/{action}
+            if (entityActionMatch && method === "POST") {
+                try {
+                    const entityType = decodeURIComponent(entityActionMatch[1]);
+                    const entityId = decodeURIComponent(entityActionMatch[2]);
+                    const entityAction = decodeURIComponent(entityActionMatch[3]);
+                    const payload = await parseJsonRequest(req);
+                    if (entityAction === "delete") {
+                        // Delete via status update
+                        const entity = await client.updateEntity(entityType, entityId, {
+                            status: "deleted",
+                        });
+                        sendJson(res, 200, { ok: true, entity });
+                    }
+                    else {
+                        // Map action to status update
+                        const statusMap = {
+                            start: "in_progress",
+                            complete: "done",
+                            block: "blocked",
+                            unblock: "in_progress",
+                            pause: "paused",
+                            resume: "active",
+                        };
+                        const newStatus = statusMap[entityAction];
+                        if (!newStatus) {
+                            sendJson(res, 400, {
+                                error: `Unknown entity action: ${entityAction}`,
+                            });
+                            return true;
+                        }
+                        const entity = await client.updateEntity(entityType, entityId, {
+                            status: newStatus,
+                            ...(payload.force ? { force: true } : {}),
+                        });
+                        sendJson(res, 200, { ok: true, entity });
+                    }
+                }
+                catch (err) {
+                    sendJson(res, 500, {
+                        error: safeErrorMessage(err),
                     });
                 }
                 return true;
             }
             if (method !== "GET" &&
+                method !== "HEAD" &&
                 !(runCheckpointsMatch && method === "POST") &&
                 !(runCheckpointRestoreMatch && method === "POST") &&
                 !(runActionMatch && method === "POST") &&
                 !(isDelegationPreflight && method === "POST") &&
-                !(isEntitiesRoute && method === "POST")) {
+                !(isMissionControlAutoAssignmentRoute && method === "POST") &&
+                !(isEntitiesRoute && method === "POST") &&
+                !(isEntitiesRoute && method === "PATCH") &&
+                !(entityActionMatch && method === "POST") &&
+                !(isOnboardingStartRoute && method === "POST") &&
+                !(isOnboardingManualKeyRoute && method === "POST") &&
+                !(isOnboardingDisconnectRoute && method === "POST") &&
+                !(isByokSettingsRoute && method === "POST") &&
+                !(isLiveActivityHeadlineRoute && method === "POST")) {
                 res.writeHead(405, {
                     "Content-Type": "text/plain",
+                    ...SECURITY_HEADERS,
                     ...CORS_HEADERS,
                 });
                 res.end("Method Not Allowed");
@@ -394,12 +3272,150 @@ export function createHttpHandler(config, client, getSnapshot) {
                             // use null snapshot
                         }
                     }
-                    sendJson(res, 200, formatStatus(snapshot));
+                    if (method === "HEAD") {
+                        // The dashboard uses a HEAD probe to determine connection state.
+                        // Mirror the GET semantics (connected vs not) via status code,
+                        // but omit a response body.
+                        res.writeHead(snapshot ? 200 : 503, {
+                            ...SECURITY_HEADERS,
+                            ...CORS_HEADERS,
+                        });
+                        res.end();
+                        return true;
+                    }
+                    sendJson(res, 200, formatStatus(snapshot));
+                    return true;
+                }
+                case "health": {
+                    const probeRemote = parseBooleanQuery(searchParams.get("probe") ?? searchParams.get("probe_remote"));
+                    try {
+                        if (diagnostics?.getHealth) {
+                            const health = await diagnostics.getHealth({ probeRemote });
+                            sendJson(res, 200, health);
+                            return true;
+                        }
+                        const outbox = await outboxAdapter.readSummary();
+                        sendJson(res, 200, {
+                            ok: true,
+                            status: "ok",
+                            generatedAt: new Date().toISOString(),
+                            checks: [],
+                            plugin: {
+                                baseUrl: config.baseUrl,
+                            },
+                            auth: {
+                                hasApiKey: Boolean(config.apiKey),
+                            },
+                            outbox: {
+                                pendingTotal: outbox.pendingTotal,
+                                pendingByQueue: outbox.pendingByQueue,
+                                oldestEventAt: outbox.oldestEventAt,
+                                newestEventAt: outbox.newestEventAt,
+                                replayStatus: "idle",
+                                lastReplayAttemptAt: null,
+                                lastReplaySuccessAt: null,
+                                lastReplayFailureAt: null,
+                                lastReplayError: null,
+                            },
+                            remote: {
+                                enabled: false,
+                                reachable: null,
+                                latencyMs: null,
+                                error: null,
+                            },
+                        });
+                    }
+                    catch (err) {
+                        sendJson(res, 500, {
+                            error: safeErrorMessage(err),
+                        });
+                    }
                     return true;
                 }
                 case "agents":
                     sendJson(res, 200, formatAgents(getSnapshot()));
                     return true;
+                case "agents/catalog": {
+                    try {
+                        const [openclawAgents, localSnapshot] = await Promise.all([
+                            listOpenClawAgents(),
+                            loadLocalOpenClawSnapshot(240).catch(() => null),
+                        ]);
+                        const localById = new Map();
+                        if (localSnapshot) {
+                            for (const agent of localSnapshot.agents) {
+                                localById.set(agent.id, {
+                                    status: agent.status,
+                                    currentTask: agent.currentTask,
+                                    runId: agent.runId,
+                                    startedAt: agent.startedAt,
+                                    blockers: agent.blockers,
+                                });
+                            }
+                        }
+                        const contexts = readAgentContexts().agents;
+                        const runs = readAgentRuns().runs;
+                        const latestRunByAgent = new Map();
+                        for (const run of Object.values(runs)) {
+                            if (!run || typeof run !== "object")
+                                continue;
+                            const agentId = typeof run.agentId === "string" ? run.agentId.trim() : "";
+                            if (!agentId)
+                                continue;
+                            const existing = latestRunByAgent.get(agentId);
+                            const nextTs = Date.parse(run.startedAt ?? "");
+                            const existingTs = existing ? Date.parse(existing.startedAt ?? "") : 0;
+                            // Prefer latest running record; fall back to latest overall if none running.
+                            if (!existing) {
+                                latestRunByAgent.set(agentId, run);
+                                continue;
+                            }
+                            const existingRunning = existing.status === "running";
+                            const nextRunning = run.status === "running";
+                            if (nextRunning && !existingRunning) {
+                                latestRunByAgent.set(agentId, run);
+                                continue;
+                            }
+                            if (nextRunning === existingRunning && nextTs > existingTs) {
+                                latestRunByAgent.set(agentId, run);
+                            }
+                        }
+                        const agents = openclawAgents.map((entry) => {
+                            const id = typeof entry.id === "string" ? entry.id.trim() : "";
+                            const name = typeof entry.name === "string" && entry.name.trim().length > 0
+                                ? entry.name.trim()
+                                : id || "unknown";
+                            const local = id ? localById.get(id) ?? null : null;
+                            const context = id ? contexts[id] ?? null : null;
+                            const runFromSession = id && local?.runId ? runs[local.runId] ?? null : null;
+                            const run = runFromSession ?? (id ? latestRunByAgent.get(id) ?? null : null);
+                            return {
+                                id,
+                                name,
+                                workspace: typeof entry.workspace === "string" ? entry.workspace : null,
+                                model: typeof entry.model === "string" ? entry.model : null,
+                                isDefault: Boolean(entry.isDefault),
+                                status: local?.status ?? null,
+                                currentTask: local?.currentTask ?? null,
+                                runId: local?.runId ?? null,
+                                startedAt: local?.startedAt ?? null,
+                                blockers: local?.blockers ?? [],
+                                context,
+                                run,
+                            };
+                        });
+                        sendJson(res, 200, {
+                            generatedAt: new Date().toISOString(),
+                            agents,
+                        });
+                    }
+                    catch (err) {
+                        sendJson(res, 500, {
+                            error: safeErrorMessage(err),
+                        });
+                    }
+                    return true;
+                }
                 case "activity":
                     sendJson(res, 200, formatActivity(getSnapshot()));
                     return true;
@@ -407,12 +3423,255 @@ export function createHttpHandler(config, client, getSnapshot) {
                     sendJson(res, 200, formatInitiatives(getSnapshot()));
                     return true;
                 case "onboarding":
-                    sendJson(res, 200, getOnboardingState(config, dashboardEnabled));
+                    sendJson(res, 200, getOnboardingState(await onboarding.getStatus()));
+                    return true;
+                case "mission-control/auto-continue/status": {
+                    const initiativeId = searchParams.get("initiative_id") ??
+                        searchParams.get("initiativeId") ??
+                        "";
+                    const id = initiativeId.trim();
+                    if (!id) {
+                        sendJson(res, 400, {
+                            ok: false,
+                            error: "Query parameter 'initiative_id' is required.",
+                        });
+                        return true;
+                    }
+                    const run = autoContinueRuns.get(id) ?? null;
+                    sendJson(res, 200, {
+                        ok: true,
+                        initiativeId: id,
+                        run,
+                        defaults: {
+                            tokenBudget: defaultAutoContinueTokenBudget(),
+                            tickMs: AUTO_CONTINUE_TICK_MS,
+                        },
+                    });
+                    return true;
+                }
+                case "billing/status": {
+                    if (method !== "GET") {
+                        sendJson(res, 405, { ok: false, error: "Method not allowed" });
+                        return true;
+                    }
+                    try {
+                        const status = await client.getBillingStatus();
+                        sendJson(res, 200, { ok: true, data: status });
+                    }
+                    catch (err) {
+                        sendJson(res, 200, { ok: false, error: safeErrorMessage(err) });
+                    }
+                    return true;
+                }
+                case "billing/checkout": {
+                    if (method !== "POST") {
+                        sendJson(res, 405, { ok: false, error: "Method not allowed" });
+                        return true;
+                    }
+                    const basePricingUrl = `${client.getBaseUrl().replace(/\/+$/, "")}/pricing`;
+                    try {
+                        const payload = await parseJsonRequest(req);
+                        const planIdRaw = (pickString(payload, ["planId", "plan_id", "plan"]) ?? "starter").trim().toLowerCase();
+                        const billingCycleRaw = (pickString(payload, ["billingCycle", "billing_cycle"]) ?? "monthly").trim().toLowerCase();
+                        const planId = planIdRaw === "team" || planIdRaw === "enterprise" ? planIdRaw : "starter";
+                        const billingCycle = billingCycleRaw === "annual" ? "annual" : "monthly";
+                        const result = await client.createBillingCheckout({
+                            planId,
+                            billingCycle,
+                        });
+                        const url = result?.url ?? result?.checkout_url ?? null;
+                        sendJson(res, 200, { ok: true, data: { url: url ?? basePricingUrl } });
+                    }
+                    catch (err) {
+                        // If the remote billing endpoints are not deployed yet, degrade gracefully.
+                        sendJson(res, 200, { ok: true, data: { url: basePricingUrl } });
+                    }
+                    return true;
+                }
+                case "billing/portal": {
+                    if (method !== "POST") {
+                        sendJson(res, 405, { ok: false, error: "Method not allowed" });
+                        return true;
+                    }
+                    const basePricingUrl = `${client.getBaseUrl().replace(/\/+$/, "")}/pricing`;
+                    try {
+                        const result = await client.createBillingPortal();
+                        const url = result?.url ?? null;
+                        sendJson(res, 200, { ok: true, data: { url: url ?? basePricingUrl } });
+                    }
+                    catch (err) {
+                        sendJson(res, 200, { ok: true, data: { url: basePricingUrl } });
+                    }
+                    return true;
+                }
+                case "settings/byok": {
+                    const stored = readByokKeys();
+                    const effectiveOpenai = stored?.openaiApiKey ?? process.env.OPENAI_API_KEY ?? null;
+                    const effectiveAnthropic = stored?.anthropicApiKey ?? process.env.ANTHROPIC_API_KEY ?? null;
+                    const effectiveOpenrouter = stored?.openrouterApiKey ?? process.env.OPENROUTER_API_KEY ?? null;
+                    const toProvider = (input) => {
+                        const hasStored = typeof input.storedValue === "string" && input.storedValue.trim().length > 0;
+                        const hasEnv = typeof input.envValue === "string" && input.envValue.trim().length > 0;
+                        const source = hasStored ? "stored" : hasEnv ? "env" : "none";
+                        return {
+                            configured: Boolean(input.effective && input.effective.trim().length > 0),
+                            source,
+                            masked: maskSecret(input.effective),
+                        };
+                    };
+                    if (method === "POST") {
+                        try {
+                            const payload = await parseJsonRequest(req);
+                            const updates = {};
+                            const setIfPresent = (key, aliases) => {
+                                for (const alias of aliases) {
+                                    if (!Object.prototype.hasOwnProperty.call(payload, alias))
+                                        continue;
+                                    const raw = payload[alias];
+                                    if (raw === null) {
+                                        updates[key] = null;
+                                        return;
+                                    }
+                                    if (typeof raw === "string") {
+                                        updates[key] = raw;
+                                        return;
+                                    }
+                                }
+                            };
+                            setIfPresent("openaiApiKey", ["openaiApiKey", "openai_api_key", "openaiKey", "openai_key"]);
+                            setIfPresent("anthropicApiKey", [
+                                "anthropicApiKey",
+                                "anthropic_api_key",
+                                "anthropicKey",
+                                "anthropic_key",
+                            ]);
+                            setIfPresent("openrouterApiKey", [
+                                "openrouterApiKey",
+                                "openrouter_api_key",
+                                "openrouterKey",
+                                "openrouter_key",
+                            ]);
+                            const saved = writeByokKeys(updates);
+                            const nextEffectiveOpenai = saved.openaiApiKey ?? process.env.OPENAI_API_KEY ?? null;
+                            const nextEffectiveAnthropic = saved.anthropicApiKey ?? process.env.ANTHROPIC_API_KEY ?? null;
+                            const nextEffectiveOpenrouter = saved.openrouterApiKey ?? process.env.OPENROUTER_API_KEY ?? null;
+                            sendJson(res, 200, {
+                                ok: true,
+                                updatedAt: saved.updatedAt,
+                                providers: {
+                                    openai: toProvider({
+                                        storedValue: saved.openaiApiKey,
+                                        envValue: process.env.OPENAI_API_KEY,
+                                        effective: nextEffectiveOpenai,
+                                    }),
+                                    anthropic: toProvider({
+                                        storedValue: saved.anthropicApiKey,
+                                        envValue: process.env.ANTHROPIC_API_KEY,
+                                        effective: nextEffectiveAnthropic,
+                                    }),
+                                    openrouter: toProvider({
+                                        storedValue: saved.openrouterApiKey,
+                                        envValue: process.env.OPENROUTER_API_KEY,
+                                        effective: nextEffectiveOpenrouter,
+                                    }),
+                                },
+                            });
+                        }
+                        catch (err) {
+                            sendJson(res, 500, { ok: false, error: safeErrorMessage(err) });
+                        }
+                        return true;
+                    }
+                    sendJson(res, 200, {
+                        ok: true,
+                        updatedAt: stored?.updatedAt ?? null,
+                        providers: {
+                            openai: toProvider({
+                                storedValue: stored?.openaiApiKey,
+                                envValue: process.env.OPENAI_API_KEY,
+                                effective: effectiveOpenai,
+                            }),
+                            anthropic: toProvider({
+                                storedValue: stored?.anthropicApiKey,
+                                envValue: process.env.ANTHROPIC_API_KEY,
+                                effective: effectiveAnthropic,
+                            }),
+                            openrouter: toProvider({
+                                storedValue: stored?.openrouterApiKey,
+                                envValue: process.env.OPENROUTER_API_KEY,
+                                effective: effectiveOpenrouter,
+                            }),
+                        },
+                    });
+                    return true;
+                }
+                case "settings/byok/health": {
+                    let agentId = searchParams.get("agentId") ??
+                        searchParams.get("agent_id") ??
+                        "";
+                    agentId = agentId.trim();
+                    if (!agentId) {
+                        try {
+                            const agents = await listOpenClawAgents();
+                            const defaultAgent = agents.find((entry) => Boolean(entry.isDefault)) ?? agents[0] ?? null;
+                            const candidate = defaultAgent && typeof defaultAgent.id === "string" ? defaultAgent.id.trim() : "";
+                            if (candidate)
+                                agentId = candidate;
+                        }
+                        catch {
+                            // ignore
+                        }
+                    }
+                    if (!agentId)
+                        agentId = "main";
+                    const providers = {};
+                    for (const provider of ["openai", "anthropic", "openrouter"]) {
+                        try {
+                            const models = await listOpenClawProviderModels({ agentId, provider });
+                            providers[provider] = {
+                                ok: true,
+                                modelCount: models.length,
+                                sample: models.slice(0, 4).map((model) => model.key),
+                            };
+                        }
+                        catch (err) {
+                            providers[provider] = {
+                                ok: false,
+                                error: safeErrorMessage(err),
+                            };
+                        }
+                    }
+                    sendJson(res, 200, {
+                        ok: true,
+                        agentId,
+                        providers,
+                    });
+                    return true;
+                }
+                case "mission-control/graph": {
+                    const initiativeId = searchParams.get("initiative_id") ??
+                        searchParams.get("initiativeId");
+                    if (!initiativeId || initiativeId.trim().length === 0) {
+                        sendJson(res, 400, {
+                            error: "Query parameter 'initiative_id' is required.",
+                        });
+                        return true;
+                    }
+                    try {
+                        const graph = await buildMissionControlGraph(client, initiativeId.trim());
+                        sendJson(res, 200, graph);
+                    }
+                    catch (err) {
+                        sendJson(res, 500, {
+                            error: safeErrorMessage(err),
+                        });
+                    }
                     return true;
+                }
                 case "entities": {
                     if (method === "POST") {
                         try {
-                            const payload = parseJsonBody(req.body);
+                            const payload = await parseJsonRequest(req);
                             const type = pickString(payload, ["type"]);
                             const title = pickString(payload, ["title", "name"]);
                             if (!type || !title) {
@@ -421,14 +3680,61 @@ export function createHttpHandler(config, client, getSnapshot) {
                                 });
                                 return true;
                             }
-                            const data = { ...payload, title };
+                            const data = normalizeEntityMutationPayload({ ...payload, title });
                             delete data.type;
-                            const entity = await client.createEntity(type, data);
-                            sendJson(res, 201, { ok: true, entity });
+                            let entity = await client.createEntity(type, data);
+                            let autoAssignment = null;
+                            if (type === "initiative" || type === "workstream") {
+                                const entityRecord = entity;
+                                autoAssignment = await resolveAutoAssignments({
+                                    client,
+                                    entityId: String(entityRecord.id ?? ""),
+                                    entityType: type,
+                                    initiativeId: type === "initiative"
+                                        ? String(entityRecord.id ?? "")
+                                        : pickString(data, ["initiative_id", "initiativeId"]),
+                                    title: pickString(entityRecord, ["title", "name"]) ??
+                                        title ??
+                                        "Untitled",
+                                    summary: pickString(entityRecord, [
+                                        "summary",
+                                        "description",
+                                        "context",
+                                    ]) ?? null,
+                                });
+                                if (autoAssignment.updated_entity) {
+                                    entity = autoAssignment.updated_entity;
+                                }
+                            }
+                            sendJson(res, 201, { ok: true, entity, auto_assignment: autoAssignment });
+                        }
+                        catch (err) {
+                            sendJson(res, 500, {
+                                error: safeErrorMessage(err),
+                            });
+                        }
+                        return true;
+                    }
+                    if (method === "PATCH") {
+                        try {
+                            const payload = await parseJsonRequest(req);
+                            const type = pickString(payload, ["type"]);
+                            const id = pickString(payload, ["id"]);
+                            if (!type || !id) {
+                                sendJson(res, 400, {
+                                    error: "Both 'type' and 'id' are required for PATCH.",
+                                });
+                                return true;
+                            }
+                            const updates = { ...payload };
+                            delete updates.type;
+                            delete updates.id;
+                            const entity = await client.updateEntity(type, id, normalizeEntityMutationPayload(updates));
+                            sendJson(res, 200, { ok: true, entity });
                         }
                         catch (err) {
                             sendJson(res, 500, {
-                                error: err instanceof Error ? err.message : String(err),
+                                error: safeErrorMessage(err),
                             });
                         }
                         return true;
@@ -442,22 +3748,288 @@ export function createHttpHandler(config, client, getSnapshot) {
                             return true;
                         }
                         const status = searchParams.get("status") ?? undefined;
+                        const initiativeId = searchParams.get("initiative_id") ?? undefined;
                         const limit = searchParams.get("limit")
                             ? Number(searchParams.get("limit"))
                             : undefined;
                         const data = await client.listEntities(type, {
                             status,
+                            initiative_id: initiativeId,
                             limit: Number.isFinite(limit) ? limit : undefined,
                         });
                         sendJson(res, 200, data);
                     }
                     catch (err) {
                         sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
+                            error: safeErrorMessage(err),
                         });
                     }
                     return true;
                 }
+                case "dashboard-bundle":
+                case "live/snapshot": {
+                    const sessionsLimit = parsePositiveInt(searchParams.get("sessionsLimit") ?? searchParams.get("sessions_limit"), 320);
+                    const activityLimit = parsePositiveInt(searchParams.get("activityLimit") ?? searchParams.get("activity_limit"), 600);
+                    const decisionsLimit = parsePositiveInt(searchParams.get("decisionsLimit") ?? searchParams.get("decisions_limit"), 120);
+                    const initiative = searchParams.get("initiative");
+                    const run = searchParams.get("run");
+                    const since = searchParams.get("since");
+                    const decisionStatus = searchParams.get("status") ?? "pending";
+                    const includeIdleRaw = searchParams.get("include_idle");
+                    const includeIdle = includeIdleRaw === null ? undefined : includeIdleRaw !== "false";
+                    const degraded = [];
+                    const agentContexts = readAgentContexts().agents;
+                    const scopedAgentIds = getScopedAgentIds(agentContexts);
+                    let outboxStatus = null;
+                    try {
+                        if (diagnostics?.getHealth) {
+                            const health = await diagnostics.getHealth({ probeRemote: false });
+                            if (health && typeof health === "object") {
+                                const maybeOutbox = health.outbox;
+                                if (maybeOutbox && typeof maybeOutbox === "object") {
+                                    outboxStatus = maybeOutbox;
+                                }
+                            }
+                        }
+                        if (!outboxStatus) {
+                            const outbox = await outboxAdapter.readSummary();
+                            outboxStatus = {
+                                pendingTotal: outbox.pendingTotal,
+                                pendingByQueue: outbox.pendingByQueue,
+                                oldestEventAt: outbox.oldestEventAt,
+                                newestEventAt: outbox.newestEventAt,
+                                replayStatus: "idle",
+                                lastReplayAttemptAt: null,
+                                lastReplaySuccessAt: null,
+                                lastReplayFailureAt: null,
+                                lastReplayError: null,
+                            };
+                        }
+                    }
+                    catch (err) {
+                        degraded.push(`outbox status unavailable (${safeErrorMessage(err)})`);
+                        outboxStatus = {
+                            pendingTotal: 0,
+                            pendingByQueue: {},
+                            oldestEventAt: null,
+                            newestEventAt: null,
+                            replayStatus: "idle",
+                            lastReplayAttemptAt: null,
+                            lastReplaySuccessAt: null,
+                            lastReplayFailureAt: null,
+                            lastReplayError: null,
+                        };
+                    }
+                    let localSnapshot = null;
+                    const ensureLocalSnapshot = async (minimumLimit) => {
+                        if (!localSnapshot || localSnapshot.sessions.length < minimumLimit) {
+                            localSnapshot = await loadLocalOpenClawSnapshot(minimumLimit);
+                        }
+                        return localSnapshot;
+                    };
+                    const settled = await Promise.allSettled([
+                        client.getLiveSessions({
+                            initiative,
+                            limit: sessionsLimit,
+                        }),
+                        client.getLiveActivity({
+                            run,
+                            since,
+                            limit: activityLimit,
+                        }),
+                        client.getHandoffs(),
+                        client.getLiveDecisions({
+                            status: decisionStatus,
+                            limit: decisionsLimit,
+                        }),
+                        client.getLiveAgents({
+                            initiative,
+                            includeIdle,
+                        }),
+                    ]);
+                    // sessions
+                    let sessions = {
+                        nodes: [],
+                        edges: [],
+                        groups: [],
+                    };
+                    const sessionsResult = settled[0];
+                    if (sessionsResult.status === "fulfilled") {
+                        sessions = sessionsResult.value;
+                    }
+                    else {
+                        degraded.push(`sessions unavailable (${safeErrorMessage(sessionsResult.reason)})`);
+                        try {
+                            let local = toLocalSessionTree(await ensureLocalSnapshot(Math.max(sessionsLimit, 200)), sessionsLimit);
+                            local = applyAgentContextsToSessionTree(local, agentContexts);
+                            if (initiative && initiative.trim().length > 0) {
+                                const filteredNodes = local.nodes.filter((node) => node.initiativeId === initiative || node.groupId === initiative);
+                                const filteredIds = new Set(filteredNodes.map((node) => node.id));
+                                const filteredGroupIds = new Set(filteredNodes.map((node) => node.groupId));
+                                local = {
+                                    nodes: filteredNodes,
+                                    edges: local.edges.filter((edge) => filteredIds.has(edge.parentId) && filteredIds.has(edge.childId)),
+                                    groups: local.groups.filter((group) => filteredGroupIds.has(group.id)),
+                                };
+                            }
+                            sessions = local;
+                        }
+                        catch (localErr) {
+                            degraded.push(`sessions local fallback failed (${safeErrorMessage(localErr)})`);
+                        }
+                    }
+                    // activity
+                    let activity = [];
+                    const activityResult = settled[1];
+                    if (activityResult.status === "fulfilled") {
+                        activity = Array.isArray(activityResult.value.activities)
+                            ? activityResult.value.activities
+                            : [];
+                    }
+                    else {
+                        degraded.push(`activity unavailable (${safeErrorMessage(activityResult.reason)})`);
+                        try {
+                            const local = await toLocalLiveActivity(await ensureLocalSnapshot(Math.max(activityLimit, 240)), Math.max(activityLimit, 240));
+                            let filtered = local.activities;
+                            if (run && run.trim().length > 0) {
+                                filtered = filtered.filter((item) => item.runId === run);
+                            }
+                            if (since && since.trim().length > 0) {
+                                const sinceEpoch = Date.parse(since);
+                                if (Number.isFinite(sinceEpoch)) {
+                                    filtered = filtered.filter((item) => Date.parse(item.timestamp) >= sinceEpoch);
+                                }
+                            }
+                            filtered = applyAgentContextsToActivity(filtered, agentContexts);
+                            activity = filtered.slice(0, activityLimit);
+                        }
+                        catch (localErr) {
+                            degraded.push(`activity local fallback failed (${safeErrorMessage(localErr)})`);
+                        }
+                    }
+                    // handoffs
+                    let handoffs = [];
+                    const handoffsResult = settled[2];
+                    if (handoffsResult.status === "fulfilled") {
+                        handoffs = Array.isArray(handoffsResult.value.handoffs)
+                            ? handoffsResult.value.handoffs
+                            : [];
+                    }
+                    else {
+                        degraded.push(`handoffs unavailable (${safeErrorMessage(handoffsResult.reason)})`);
+                    }
+                    // decisions
+                    let decisions = [];
+                    const decisionsResult = settled[3];
+                    if (decisionsResult.status === "fulfilled") {
+                        decisions = decisionsResult.value.decisions
+                            .map(mapDecisionEntity)
+                            .sort((a, b) => b.waitingMinutes - a.waitingMinutes);
+                    }
+                    else {
+                        degraded.push(`decisions unavailable (${safeErrorMessage(decisionsResult.reason)})`);
+                    }
+                    // agents
+                    let agents = [];
+                    const agentsResult = settled[4];
+                    if (agentsResult.status === "fulfilled") {
+                        agents = Array.isArray(agentsResult.value.agents)
+                            ? agentsResult.value.agents
+                            : [];
+                    }
+                    else {
+                        degraded.push(`agents unavailable (${safeErrorMessage(agentsResult.reason)})`);
+                        try {
+                            const local = toLocalLiveAgents(await ensureLocalSnapshot(Math.max(sessionsLimit, 240)));
+                            let localAgents = local.agents;
+                            if (initiative && initiative.trim().length > 0) {
+                                localAgents = localAgents.filter((agent) => agent.initiativeId === initiative);
+                            }
+                            if (includeIdle === false) {
+                                localAgents = localAgents.filter((agent) => agent.status !== "idle");
+                            }
+                            agents = localAgents;
+                        }
+                        catch (localErr) {
+                            degraded.push(`agents local fallback failed (${safeErrorMessage(localErr)})`);
+                        }
+                    }
+                    // Merge locally-launched OpenClaw agent sessions/activity into the snapshot so
+                    // the UI reflects one-click launches even when the cloud reporting plane is reachable.
+                    if (scopedAgentIds.size > 0) {
+                        try {
+                            const minimum = Math.max(Math.max(sessionsLimit, activityLimit), 240);
+                            const snapshot = await ensureLocalSnapshot(minimum);
+                            const scopedSnapshot = {
+                                ...snapshot,
+                                sessions: snapshot.sessions.filter((session) => Boolean(session.agentId && scopedAgentIds.has(session.agentId))),
+                                agents: snapshot.agents.filter((agent) => scopedAgentIds.has(agent.id)),
+                            };
+                            // Sessions
+                            let localSessions = applyAgentContextsToSessionTree(toLocalSessionTree(scopedSnapshot, sessionsLimit), agentContexts);
+                            if (initiative && initiative.trim().length > 0) {
+                                const filteredNodes = localSessions.nodes.filter((node) => node.initiativeId === initiative || node.groupId === initiative);
+                                const filteredIds = new Set(filteredNodes.map((node) => node.id));
+                                const filteredGroupIds = new Set(filteredNodes.map((node) => node.groupId));
+                                localSessions = {
+                                    nodes: filteredNodes,
+                                    edges: localSessions.edges.filter((edge) => filteredIds.has(edge.parentId) && filteredIds.has(edge.childId)),
+                                    groups: localSessions.groups.filter((group) => filteredGroupIds.has(group.id)),
+                                };
+                            }
+                            sessions = mergeSessionTrees(sessions, localSessions);
+                            // Activity
+                            const localActivity = await toLocalLiveActivity(scopedSnapshot, Math.max(activityLimit, 240));
+                            let localItems = applyAgentContextsToActivity(localActivity.activities, agentContexts);
+                            if (run && run.trim().length > 0) {
+                                localItems = localItems.filter((item) => item.runId === run);
+                            }
+                            if (since && since.trim().length > 0) {
+                                const sinceEpoch = Date.parse(since);
+                                if (Number.isFinite(sinceEpoch)) {
+                                    localItems = localItems.filter((item) => Date.parse(item.timestamp) >= sinceEpoch);
+                                }
+                            }
+                            activity = mergeActivities(activity, localItems, activityLimit);
+                        }
+                        catch (err) {
+                            degraded.push(`local agent merge failed (${safeErrorMessage(err)})`);
+                        }
+                    }
+                    // include locally buffered events so offline-generated actions are visible
+                    try {
+                        const buffered = await outboxAdapter.readAllItems();
+                        if (buffered.length > 0) {
+                            const merged = [...activity, ...buffered]
+                                .sort((a, b) => Date.parse(b.timestamp) - Date.parse(a.timestamp))
+                                .slice(0, activityLimit);
+                            const deduped = [];
+                            const seen = new Set();
+                            for (const item of merged) {
+                                if (seen.has(item.id))
+                                    continue;
+                                seen.add(item.id);
+                                deduped.push(item);
+                            }
+                            activity = deduped;
+                        }
+                    }
+                    catch (err) {
+                        degraded.push(`outbox unavailable (${safeErrorMessage(err)})`);
+                    }
+                    sendJson(res, 200, {
+                        sessions,
+                        activity,
+                        handoffs,
+                        decisions,
+                        agents,
+                        outbox: outboxStatus,
+                        generatedAt: new Date().toISOString(),
+                        degraded: degraded.length > 0 ? degraded : undefined,
+                    });
+                    return true;
+                }
+                // Legacy endpoints retained for backwards compatibility.
                 case "live/sessions": {
                     try {
                         const initiative = searchParams.get("initiative");
@@ -471,9 +4043,32 @@ export function createHttpHandler(config, client, getSnapshot) {
                         sendJson(res, 200, data);
                     }
                     catch (err) {
-                        sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
-                        });
+                        try {
+                            const initiative = searchParams.get("initiative");
+                            const limitRaw = searchParams.get("limit")
+                                ? Number(searchParams.get("limit"))
+                                : undefined;
+                            const limit = Number.isFinite(limitRaw) ? Math.max(1, Number(limitRaw)) : 100;
+                            let local = toLocalSessionTree(await loadLocalOpenClawSnapshot(Math.max(limit, 200)), limit);
+                            local = applyAgentContextsToSessionTree(local, readAgentContexts().agents);
+                            if (initiative && initiative.trim().length > 0) {
+                                const filteredNodes = local.nodes.filter((node) => node.initiativeId === initiative || node.groupId === initiative);
+                                const filteredIds = new Set(filteredNodes.map((node) => node.id));
+                                const filteredGroupIds = new Set(filteredNodes.map((node) => node.groupId));
+                                local = {
+                                    nodes: filteredNodes,
+                                    edges: local.edges.filter((edge) => filteredIds.has(edge.parentId) && filteredIds.has(edge.childId)),
+                                    groups: local.groups.filter((group) => filteredGroupIds.has(group.id)),
+                                };
+                            }
+                            sendJson(res, 200, local);
+                        }
+                        catch (localErr) {
+                            sendJson(res, 500, {
+                                error: safeErrorMessage(err),
+                                localFallbackError: safeErrorMessage(localErr),
+                            });
+                        }
                     }
                     return true;
                 }
@@ -491,9 +4086,103 @@ export function createHttpHandler(config, client, getSnapshot) {
                         });
                         sendJson(res, 200, data);
                     }
+                    catch (err) {
+                        try {
+                            const run = searchParams.get("run");
+                            const limitRaw = searchParams.get("limit")
+                                ? Number(searchParams.get("limit"))
+                                : undefined;
+                            const since = searchParams.get("since");
+                            const limit = Number.isFinite(limitRaw) ? Math.max(1, Number(limitRaw)) : 240;
+                            const localSnapshot = await loadLocalOpenClawSnapshot(Math.max(limit, 240));
+                            let local = await toLocalLiveActivity(localSnapshot, Math.max(limit, 240));
+                            if (run && run.trim().length > 0) {
+                                local = {
+                                    activities: local.activities.filter((item) => item.runId === run),
+                                    total: local.activities.filter((item) => item.runId === run).length,
+                                };
+                            }
+                            if (since && since.trim().length > 0) {
+                                const sinceEpoch = Date.parse(since);
+                                if (Number.isFinite(sinceEpoch)) {
+                                    const filtered = local.activities.filter((item) => Date.parse(item.timestamp) >= sinceEpoch);
+                                    local = {
+                                        activities: filtered,
+                                        total: filtered.length,
+                                    };
+                                }
+                            }
+                            const activitiesWithContexts = applyAgentContextsToActivity(local.activities, readAgentContexts().agents);
+                            sendJson(res, 200, {
+                                activities: activitiesWithContexts.slice(0, limit),
+                                total: local.total,
+                            });
+                        }
+                        catch (localErr) {
+                            sendJson(res, 500, {
+                                error: safeErrorMessage(err),
+                                localFallbackError: safeErrorMessage(localErr),
+                            });
+                        }
+                    }
+                    return true;
+                }
+                case "live/activity/detail": {
+                    const turnId = searchParams.get("turnId") ?? searchParams.get("turn_id");
+                    const sessionKey = searchParams.get("sessionKey") ?? searchParams.get("session_key");
+                    const run = searchParams.get("run");
+                    if (!turnId || turnId.trim().length === 0) {
+                        sendJson(res, 400, { error: "turnId is required" });
+                        return true;
+                    }
+                    try {
+                        const detail = await loadLocalTurnDetail({
+                            turnId,
+                            sessionKey,
+                            runId: run,
+                        });
+                        if (!detail) {
+                            sendJson(res, 404, {
+                                error: "Turn detail unavailable",
+                                turnId,
+                            });
+                            return true;
+                        }
+                        sendJson(res, 200, { detail });
+                    }
+                    catch (err) {
+                        sendJson(res, 500, { error: safeErrorMessage(err), turnId });
+                    }
+                    return true;
+                }
+                case "live/activity/headline": {
+                    if (method !== "POST") {
+                        sendJson(res, 405, { error: "Use POST /orgx/api/live/activity/headline" });
+                        return true;
+                    }
+                    try {
+                        const payload = await parseJsonRequest(req);
+                        const text = pickString(payload, ["text", "summary", "detail", "content"]);
+                        if (!text) {
+                            sendJson(res, 400, { error: "text is required" });
+                            return true;
+                        }
+                        const title = pickString(payload, ["title", "name"]);
+                        const type = pickString(payload, ["type", "kind"]);
+                        const result = await summarizeActivityHeadline({
+                            text,
+                            title,
+                            type,
+                        });
+                        sendJson(res, 200, {
+                            headline: result.headline,
+                            source: result.source,
+                            model: result.model,
+                        });
+                    }
                     catch (err) {
                         sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
+                            error: safeErrorMessage(err),
                         });
                     }
                     return true;
@@ -510,9 +4199,31 @@ export function createHttpHandler(config, client, getSnapshot) {
                         sendJson(res, 200, data);
                     }
                     catch (err) {
-                        sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
-                        });
+                        try {
+                            const initiative = searchParams.get("initiative");
+                            const includeIdleRaw = searchParams.get("include_idle");
+                            const includeIdle = includeIdleRaw === null ? undefined : includeIdleRaw !== "false";
+                            const localSnapshot = await loadLocalOpenClawSnapshot(240);
+                            const local = toLocalLiveAgents(localSnapshot);
+                            let agents = local.agents;
+                            if (initiative && initiative.trim().length > 0) {
+                                agents = agents.filter((agent) => agent.initiativeId === initiative);
+                            }
+                            if (includeIdle === false) {
+                                agents = agents.filter((agent) => agent.status !== "idle");
+                            }
+                            const summary = agents.reduce((acc, agent) => {
+                                acc[agent.status] = (acc[agent.status] ?? 0) + 1;
+                                return acc;
+                            }, {});
+                            sendJson(res, 200, { agents, summary });
+                        }
+                        catch (localErr) {
+                            sendJson(res, 500, {
+                                error: safeErrorMessage(err),
+                                localFallbackError: safeErrorMessage(localErr),
+                            });
+                        }
                     }
                     return true;
                 }
@@ -529,9 +4240,28 @@ export function createHttpHandler(config, client, getSnapshot) {
                         sendJson(res, 200, data);
                     }
                     catch (err) {
-                        sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
-                        });
+                        try {
+                            const id = searchParams.get("id");
+                            const limitRaw = searchParams.get("limit")
+                                ? Number(searchParams.get("limit"))
+                                : undefined;
+                            const limit = Number.isFinite(limitRaw) ? Math.max(1, Number(limitRaw)) : 100;
+                            const local = toLocalLiveInitiatives(await loadLocalOpenClawSnapshot(240));
+                            let initiatives = local.initiatives;
+                            if (id && id.trim().length > 0) {
+                                initiatives = initiatives.filter((item) => item.id === id);
+                            }
+                            sendJson(res, 200, {
+                                initiatives: initiatives.slice(0, limit),
+                                total: initiatives.length,
+                            });
+                        }
+                        catch (localErr) {
+                            sendJson(res, 500, {
+                                error: safeErrorMessage(err),
+                                localFallbackError: safeErrorMessage(localErr),
+                            });
+                        }
                     }
                     return true;
                 }
@@ -553,9 +4283,10 @@ export function createHttpHandler(config, client, getSnapshot) {
                             total: data.total,
                         });
                     }
-                    catch (err) {
-                        sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
+                    catch {
+                        sendJson(res, 200, {
+                            decisions: [],
+                            total: 0,
                         });
                     }
                     return true;
@@ -565,10 +4296,8 @@ export function createHttpHandler(config, client, getSnapshot) {
                         const data = await client.getHandoffs();
                         sendJson(res, 200, data);
                     }
-                    catch (err) {
-                        sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
-                        });
+                    catch {
+                        sendJson(res, 200, { handoffs: [] });
                     }
                     return true;
                 }
@@ -579,16 +4308,49 @@ export function createHttpHandler(config, client, getSnapshot) {
                         return true;
                     }
                     const target = `${config.baseUrl.replace(/\/+$/, "")}/api/client/live/stream${queryString ? `?${queryString}` : ""}`;
+                    const streamAbortController = new AbortController();
+                    let reader = null;
+                    let closed = false;
+                    let streamOpened = false;
+                    let idleTimer = null;
+                    const clearIdleTimer = () => {
+                        if (idleTimer) {
+                            clearTimeout(idleTimer);
+                            idleTimer = null;
+                        }
+                    };
+                    const closeStream = () => {
+                        if (closed)
+                            return;
+                        closed = true;
+                        clearIdleTimer();
+                        streamAbortController.abort();
+                        if (reader) {
+                            void reader.cancel().catch(() => undefined);
+                        }
+                        if (streamOpened && !res.writableEnded) {
+                            res.end();
+                        }
+                    };
+                    const resetIdleTimer = () => {
+                        clearIdleTimer();
+                        idleTimer = setTimeout(() => {
+                            closeStream();
+                        }, STREAM_IDLE_TIMEOUT_MS);
+                    };
                     try {
+                        const includeUserHeader = Boolean(config.userId && config.userId.trim().length > 0) &&
+                            !isUserScopedApiKey(config.apiKey);
                         const upstream = await fetch(target, {
                             method: "GET",
                             headers: {
                                 Authorization: `Bearer ${config.apiKey}`,
                                 Accept: "text/event-stream",
-                                ...(config.userId
+                                ...(includeUserHeader
                                     ? { "X-Orgx-User-Id": config.userId }
                                     : {}),
                             },
+                            signal: streamAbortController.signal,
                         });
                         const contentType = upstream.headers.get("content-type")?.toLowerCase() ?? "";
                         if (!upstream.ok || !contentType.includes("text/event-stream")) {
@@ -607,29 +4369,59 @@ export function createHttpHandler(config, client, getSnapshot) {
                             "Content-Type": "text/event-stream; charset=utf-8",
                             "Cache-Control": "no-cache, no-transform",
                             Connection: "keep-alive",
+                            ...SECURITY_HEADERS,
                             ...CORS_HEADERS,
                         });
+                        streamOpened = true;
                         if (!upstream.body) {
-                            res.end();
+                            closeStream();
                             return true;
                         }
-                        const reader = upstream.body.getReader();
+                        req.on?.("close", closeStream);
+                        req.on?.("aborted", closeStream);
+                        res.on?.("close", closeStream);
+                        res.on?.("finish", closeStream);
+                        reader = upstream.body.getReader();
+                        const streamReader = reader;
+                        resetIdleTimer();
+                        const waitForDrain = async () => {
+                            if (typeof res.once === "function") {
+                                await new Promise((resolve) => {
+                                    res.once?.("drain", () => resolve());
+                                });
+                            }
+                        };
                         const pump = async () => {
-                            while (true) {
-                                const { done, value } = await reader.read();
-                                if (done)
-                                    break;
-                                if (value)
-                                    write(Buffer.from(value));
+                            try {
+                                while (!closed) {
+                                    const { done, value } = await streamReader.read();
+                                    if (done)
+                                        break;
+                                    if (!value || value.byteLength === 0)
+                                        continue;
+                                    resetIdleTimer();
+                                    const accepted = write(Buffer.from(value));
+                                    if (accepted === false) {
+                                        await waitForDrain();
+                                    }
+                                }
+                            }
+                            catch {
+                                // Swallow pump errors; client disconnects are expected.
+                            }
+                            finally {
+                                closeStream();
                             }
-                            res.end();
                         };
                         void pump();
                     }
                     catch (err) {
-                        sendJson(res, 500, {
-                            error: err instanceof Error ? err.message : String(err),
-                        });
+                        closeStream();
+                        if (!streamOpened && !res.writableEnded) {
+                            sendJson(res, 500, {
+                                error: safeErrorMessage(err),
+                            });
+                        }
                     }
                     return true;
                 }
@@ -646,7 +4438,7 @@ export function createHttpHandler(config, client, getSnapshot) {
                         }
                         catch (err) {
                             sendJson(res, 500, {
-                                error: err instanceof Error ? err.message : String(err),
+                                error: safeErrorMessage(err),
                             });
                         }
                         return true;
@@ -664,6 +4456,7 @@ export function createHttpHandler(config, client, getSnapshot) {
         if (!dashboardEnabled) {
             res.writeHead(404, {
                 "Content-Type": "text/plain",
+                ...SECURITY_HEADERS,
                 ...CORS_HEADERS,
             });
             res.end("Dashboard is disabled");
@@ -675,8 +4468,14 @@ export function createHttpHandler(config, client, getSnapshot) {
             // Static assets: /orgx/live/assets/* → dashboard/dist/assets/*
             // Hashed filenames get long-lived cache
             if (subPath.startsWith("assets/")) {
-                const assetPath = join(DIST_DIR, subPath);
-                if (existsSync(assetPath)) {
+                const assetPath = resolveSafeDistPath(subPath);
+                let isWithinAssetsDir = false;
+                if (assetPath) {
+                    isWithinAssetsDir =
+                        assetPath === RESOLVED_DIST_ASSETS_DIR ||
+                            assetPath.startsWith(`${RESOLVED_DIST_ASSETS_DIR}${sep}`);
+                }
+                if (assetPath && isWithinAssetsDir && existsSync(assetPath)) {
                     sendFile(res, assetPath, "public, max-age=31536000, immutable");
                 }
                 else {
@@ -685,9 +4484,9 @@ export function createHttpHandler(config, client, getSnapshot) {
                 return true;
             }
             // Check for an exact file match (e.g. favicon, manifest)
-            if (subPath && !subPath.includes("..")) {
-                const filePath = join(DIST_DIR, subPath);
-                if (existsSync(filePath)) {
+            if (subPath) {
+                const filePath = resolveSafeDistPath(subPath);
+                if (filePath && existsSync(filePath)) {
                     sendFile(res, filePath, "no-cache");
                     return true;
                 }
@@ -701,6 +4500,7 @@ export function createHttpHandler(config, client, getSnapshot) {
             // Redirect to dashboard
             res.writeHead(302, {
                 Location: "/orgx/live",
+                ...SECURITY_HEADERS,
                 ...CORS_HEADERS,
             });
             res.end();