@worca/ui 0.36.0 → 0.37.0

package/app/styles.css

@@ -2202,7 +2202,6 @@ sl-details.dispatch-section-details::part(content) {
 
 .pricing-model-name {
   font-weight: 500;
-  text-transform: uppercase;
 }
 
 .pricing-table sl-input {
@@ -2226,6 +2225,28 @@ sl-input.pricing-input::part(input) {
   margin-bottom: 8px;
 }
 
+/* Inline explainer that distinguishes alt-endpoint overrides from default
+   Anthropic runs (where Claude CLI's total_cost_usd remains authoritative). */
+.pricing-source-note {
+  display: block;
+  margin: 12px 0;
+  font-size: 13px;
+  line-height: 1.5;
+}
+
+.pricing-source-note strong {
+  display: block;
+  margin-bottom: 4px;
+}
+
+.pricing-source-note code {
+  font-family: var(--sl-font-mono, ui-monospace, SFMono-Regular, monospace);
+  font-size: 0.92em;
+  padding: 1px 4px;
+  background: var(--sl-color-neutral-100, rgba(127, 127, 127, 0.12));
+  border-radius: 3px;
+}
+
 /* Settings toast overlay */
 .settings-toast {
   position: fixed;
@@ -5308,6 +5329,10 @@ sl-tooltip.bead-tooltip::part(body) {
   transition: border-color 0.15s ease, box-shadow 0.15s ease;
 }
 
+.model-card .settings-card-title {
+  text-transform: none;
+}
+
 .model-card.is-dirty {
   border-color: var(--status-running, #3b82f6);
   box-shadow: 0 0 0 1px var(--status-running, #3b82f6);
@@ -6217,6 +6242,17 @@ sl-tooltip.bead-tooltip::part(body) {
   color: var(--fg-muted);
 }
 
+/* W-061: plan revision selector inside the plan dialog */
+.plan-iter-selector {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  gap: 6px;
+  margin: 0 0 12px;
+  padding-bottom: 12px;
+  border-bottom: 1px solid var(--border, var(--bg-secondary));
+}
+
 /* --- sl-dialog: wider markdown-body dialogs (plan, guide) --- */
 
 sl-dialog.markdown-dialog::part(panel) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@worca/ui",
-  "version": "0.36.0",
+  "version": "0.37.0",
   "description": "Pipeline monitoring UI for worca-cc",
   "license": "MIT",
   "author": "Sinisha Djukic",

package/server/app.js

@@ -102,6 +102,23 @@ export function buildWorkspaceArgs(workspace_root, workspace_id, manifest) {
   return args;
 }
 
+/**
+ * Returns true when `host` resolves to a loopback bind — undefined/null are
+ * treated as loopback because the production default in
+ * `worca-ui/server/index.js` is `127.0.0.1`. Used by the outbound-send route
+ * to refuse exposing user-addressable chat from a non-loopback bind.
+ *
+ * @param {string|undefined|null} host
+ * @returns {boolean}
+ */
+export function isLoopbackHost(host) {
+  if (host === undefined || host === null || host === '') return true;
+  if (host === 'localhost' || host === '::1') return true;
+  if (host === '::ffff:127.0.0.1') return true;
+  if (host.startsWith('127.')) return true;
+  return false;
+}
+
 export function createApp(options = {}) {
   const app = express();
   const appDir = join(dirname(fileURLToPath(import.meta.url)), '..', 'app');
@@ -865,6 +882,68 @@ export function createApp(options = {}) {
     res.json(integrations.status());
   });
 
+  // POST /api/integrations/send — fan out a NormalizedMessage to one or
+  // more chat platforms through the same allowlist + rate-limiter pipeline
+  // the worca event fan-out uses. Drives the worca-notify skill.
+  //
+  // Body shape:
+  //   {
+  //     platforms?: string[],         // omit → all enabled chat adapters
+  //     message: NormalizedMessage,   // { title, body: MessageSegment[], severity }
+  //     chat_id?: string              // override the configured chat_id
+  //   }
+  //
+  // Returns 200 with `{ results: [{ platform, ok, error? }] }` for both
+  // total-success and partial-success cases; 4xx only for malformed input.
+  //
+  // Auth model: the endpoint is INTENTIONALLY restricted to loopback binds
+  // (127.0.0.0/8, ::1, localhost). The CSRF middleware above lets through
+  // requests with no Origin header (so webhooks work); without this guard,
+  // a UI server started with HOST=0.0.0.0 or --host <public-ip> would expose
+  // unauthenticated send-to-user's-chat to anything that can reach the port.
+  // 503 (subsystem disabled) and 403 (non-loopback bind) are terminal —
+  // retrying won't help.
+  app.post('/api/integrations/send', async (req, res) => {
+    if (!isLoopbackHost(serverHost)) {
+      return res.status(403).json({
+        error:
+          'send endpoint is restricted to loopback binds; ' +
+          'restart the UI server on 127.0.0.1 / ::1 / localhost ' +
+          'to send notifications',
+      });
+    }
+    const integrations = app.locals.integrations;
+    if (!integrations) {
+      return res
+        .status(503)
+        .json({ error: 'integrations subsystem not initialized' });
+    }
+    if (integrations.status?.().enabled === false) {
+      return res
+        .status(503)
+        .json({ error: 'integrations subsystem disabled in config' });
+    }
+    const { platforms, message, chat_id: chatIdOverride } = req.body ?? {};
+    if (!message || typeof message !== 'object') {
+      return res
+        .status(400)
+        .json({ error: 'message is required and must be an object' });
+    }
+    if (platforms !== undefined && !Array.isArray(platforms)) {
+      return res.status(400).json({ error: 'platforms must be an array' });
+    }
+    try {
+      const out = await integrations.sendOutbound({
+        platforms,
+        message,
+        chatIdOverride,
+      });
+      res.json(out);
+    } catch (err) {
+      res.status(400).json({ error: String(err?.message ?? err) });
+    }
+  });
+
   // GET /api/integrations/config — return saved config (secrets redacted)
   app.get('/api/integrations/config', (_req, res) => {
     const configPath = join(prefsDir, 'integrations', 'config.json');

package/server/integrations/index.js

@@ -31,10 +31,61 @@ const NO_OP_STUB = {
   status() {
     return { enabled: false };
   },
+  enabledPlatforms() {
+    return [];
+  },
+  async sendOutbound() {
+    return {
+      results: [
+        {
+          platform: '(none)',
+          ok: false,
+          error: 'integrations subsystem disabled',
+        },
+      ],
+    };
+  },
   strictInboxVerification: false,
   secrets: [],
 };
 
+// Chat-capable adapter names. `webhook_out` is excluded — it's an
+// event-fan-out destination, not a chat platform users can address by name.
+const CHAT_PLATFORMS = ['telegram', 'discord', 'slack'];
+
+/**
+ * Strip credentials from adapter error messages before surfacing them
+ * through sendOutbound results. Adapters' underlying `fetch` failures
+ * frequently embed the full request URL (including bot tokens for
+ * Telegram and webhook secrets for Slack/Discord) in the error text;
+ * one redaction pattern per known shape.
+ *
+ * Patterns covered:
+ *   - Telegram bot URL token:          `bot<digits>:<token>`
+ *   - Slack incoming-webhook URL:      `hooks.slack.com/services/T…/B…/<24>`
+ *   - Discord webhook URL:             `discord(app)?.com/api/webhooks/<id>/<token>`
+ *   - Slack OAuth tokens:              `xox[abprs]-<token>`
+ *
+ * Exported for tests; the per-platform error path in sendOutbound is the
+ * sole production caller today.
+ *
+ * @param {unknown} input
+ * @returns {string}
+ */
+export function redactSecrets(input) {
+  return String(input)
+    .replace(/bot\d+:[A-Za-z0-9_-]+/g, 'bot<redacted>')
+    .replace(
+      /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g,
+      'hooks.slack.com/services/<redacted>',
+    )
+    .replace(
+      /discord(?:app)?\.com\/api\/webhooks\/\d+\/[A-Za-z0-9_-]+/g,
+      'discord.com/api/webhooks/<redacted>',
+    )
+    .replace(/xox[abprs]-[A-Za-z0-9-]+/g, 'xox<redacted>');
+}
+
 /**
  * @param {{
  *   port: number,
@@ -195,6 +246,116 @@ export function createIntegrations({
     }
   }
 
+  /**
+   * Names of chat-capable adapters currently booted (enabled in config and
+   * successfully constructed). Drives the worca-notify skill's default
+   * fan-out target list. Excludes webhook_out (not a chat platform).
+   * @returns {string[]}
+   */
+  function enabledPlatforms() {
+    return [...adapterMap.keys()].filter((n) => CHAT_PLATFORMS.includes(n));
+  }
+
+  /**
+   * Send a NormalizedMessage to one or more chat platforms through the same
+   * allowlist + rate-limiter pipeline as pipeline-event fan-out. Used by the
+   * POST /api/integrations/send route (which the worca-notify skill calls).
+   *
+   * Per-platform failures are returned as individual result entries, never
+   * thrown — the caller decides whether a partial success is acceptable. The
+   * overall promise rejects only for caller-error inputs (invalid message).
+   *
+   * @param {{
+   *   platforms?: string[],
+   *   message: import('./adapter.js').NormalizedMessage,
+   *   chatIdOverride?: string,
+   * }} opts
+   * @returns {Promise<{results: Array<{platform: string, ok: boolean, error?: string}>}>}
+   */
+  async function sendOutbound({ platforms, message, chatIdOverride }) {
+    if (!message || typeof message !== 'object') {
+      throw new Error('message must be an object');
+    }
+    if (!Array.isArray(message.body)) {
+      throw new Error('message.body must be an array of segments');
+    }
+    if (
+      chatIdOverride !== undefined &&
+      chatIdOverride !== null &&
+      typeof chatIdOverride !== 'string' &&
+      typeof chatIdOverride !== 'number'
+    ) {
+      throw new Error('chat_id must be a string or number');
+    }
+
+    const targets =
+      Array.isArray(platforms) && platforms.length > 0
+        ? platforms
+        : enabledPlatforms();
+
+    const results = [];
+    for (const name of targets) {
+      const entry = adapterMap.get(name);
+      if (!entry) {
+        results.push({
+          platform: name,
+          ok: false,
+          error: CHAT_PLATFORMS.includes(name)
+            ? 'platform not enabled or not configured'
+            : 'unknown platform',
+        });
+        continue;
+      }
+
+      const chatId =
+        chatIdOverride !== undefined && chatIdOverride !== null
+          ? String(chatIdOverride)
+          : String(
+              entry.adapterCfg.chat_id ?? entry.adapterCfg.channel_id ?? '',
+            );
+
+      if (!chatId) {
+        results.push({
+          platform: name,
+          ok: false,
+          error: 'no chat_id configured for this platform',
+        });
+        continue;
+      }
+
+      if (!allowlist.isAllowed({ platform: name, chatId })) {
+        results.push({
+          platform: name,
+          ok: false,
+          error: 'chat_id not in allowlist',
+        });
+        continue;
+      }
+
+      try {
+        const rl = rateLimiters.get(name);
+        const sendFn = (m) => entry.adapter.send(chatId, m);
+        if (rl) {
+          await rl.send(message, sendFn);
+        } else {
+          await sendFn(message);
+        }
+        results.push({ platform: name, ok: true });
+      } catch (err) {
+        // Strip credentials from the error before surfacing — adapters'
+        // fetch failures can echo full request URLs that embed bot tokens
+        // (Telegram), webhook secrets (Slack/Discord), or OAuth tokens.
+        results.push({
+          platform: name,
+          ok: false,
+          error: redactSecrets(err?.message ?? err),
+        });
+      }
+    }
+
+    return { results };
+  }
+
   function onEvent(stored) {
     const rawBody = stored[RAW_BODY];
     const sigHeader = stored.headers?.['x-worca-signature'];
@@ -276,6 +437,8 @@ export function createIntegrations({
     status,
     reloadAdapter,
     removeAdapter,
+    enabledPlatforms,
+    sendOutbound,
     /** @internal — used by detect endpoint to pause/resume adapter */
     _getAdapter: (name) => adapterMap.get(name) ?? null,
     strictInboxVerification: cfg.strict_inbox_verification ?? false,

package/server/project-routes.js

@@ -76,7 +76,9 @@ function validateRunId(runId) {
 // worktree runs registered in <worcaDir>/multi/pipelines.d/.
 import {
   findRunStatusPath,
+  listPlanIterations,
   readPipelineOverlay,
+  resolveRunDir,
   updatePipelineStatus,
 } from './run-dir-resolver.js';
 export { findRunStatusPath };
@@ -783,25 +785,77 @@ export function createProjectScopedRoutes({
     }
   });
 
-  // GET /api/projects/:projectId/runs/:runId/plan — per-run plan markdown
+  // GET /api/projects/:projectId/runs/:runId/plan-iterations — list the
+  // append-only numbered plan revisions (W-061). plan-001 is the original
+  // input; each plan_review revision appends the next number. Returns
+  // `{ ok, iterations: [{n, file}], latest }` (empty list for pre-W-061 runs).
+  router.get('/runs/:runId/plan-iterations', requireWorcaDir, (req, res) => {
+    const { runId } = req.params;
+    if (!validateRunId(runId)) {
+      return res.status(400).json({ ok: false, error: 'Invalid runId' });
+    }
+    const { worcaDir } = req.project;
+    const runDir = resolveRunDir(worcaDir, runId);
+    const iterations = listPlanIterations(runDir);
+    const latest = iterations.length
+      ? iterations[iterations.length - 1].n
+      : null;
+    return res.json({
+      ok: true,
+      iterations: iterations.map((it) => ({ n: it.n, file: it.file })),
+      latest,
+    });
+  });
+
+  // GET /api/projects/:projectId/runs/:runId/plan — plan markdown.
   //
-  // Returns the markdown content of the run's plan file. Two sources, in
-  // priority order:
+  // W-061: prefers the run dir's numbered plan iterations (plan-NNN.md) and
+  // serves the latest by default, or a specific one via `?iteration=N`. Falls
+  // back, for pre-W-061 runs, to:
   //   1. stages.plan.plan_file — set by workspace children that received a
-  //      pre-built per-repo plan from the workspace planner. May point at
-  //      an absolute path under the workspace run dir.
+  //      pre-built per-repo plan from the workspace planner.
   //   2. <worktree>/MASTER_PLAN.md — generated by a standalone pipeline's
-  //      own PLAN stage. status.json doesn't always carry the path so we
-  //      reconstruct it from the worktree.
+  //      own PLAN stage.
   //
-  // Returns 404 when neither path exists / is readable. Replies in
-  // text/markdown so the client just streams it into the dialog body.
+  // Returns 404 when nothing is readable. Replies in text/markdown so the
+  // client just streams it into the dialog body.
   router.get('/runs/:runId/plan', requireWorcaDir, (req, res) => {
     const { runId } = req.params;
     if (!validateRunId(runId)) {
       return res.status(400).json({ ok: false, error: 'Invalid runId' });
     }
     const { worcaDir } = req.project;
+
+    // W-061: numbered plan iterations are the authoritative source.
+    const runDir = resolveRunDir(worcaDir, runId);
+    const iterations = listPlanIterations(runDir);
+    if (iterations.length > 0) {
+      let chosen;
+      const wantRaw = req.query.iteration;
+      if (wantRaw !== undefined) {
+        const want = Number.parseInt(wantRaw, 10);
+        chosen = iterations.find((it) => it.n === want);
+        if (!chosen) {
+          return res
+            .status(404)
+            .json({ ok: false, error: `Plan iteration ${wantRaw} not found` });
+        }
+      } else {
+        chosen = iterations[iterations.length - 1]; // latest = current plan
+      }
+      try {
+        res.setHeader('Content-Type', 'text/markdown; charset=utf-8');
+        res.send(readFileSync(chosen.path, 'utf8'));
+        return;
+      } catch (err) {
+        return res.status(500).json({
+          ok: false,
+          error: `Failed to read plan file: ${err.message}`,
+        });
+      }
+    }
+
+    // Legacy fallback (pre-W-061 runs with no numbered plan files).
     const statusPath = findRunStatusPath(worcaDir, runId);
     if (!statusPath) {
       return res
@@ -817,10 +871,6 @@ export function createProjectScopedRoutes({
         .json({ ok: false, error: `Failed to read status: ${err.message}` });
     }
     const planFile = status?.stages?.plan?.plan_file ?? null;
-    // `status.worktree` is a boolean flag (true when the run is hosted in a
-    // worktree), not a path. The actual worktree path lives in the
-    // pipelines.d registry entry. Walk it via the overlay so we can offer
-    // the MASTER_PLAN.md fallback even when stage.plan_file isn't set.
     const overlay = readPipelineOverlay(worcaDir, runId);
     const worktreePath =
       typeof overlay?.worktree_path === 'string' ? overlay.worktree_path : null;

package/server/run-dir-resolver.js

@@ -13,9 +13,45 @@
  *   3. `<worcaDir>/multi/pipelines.d/<runId>.json` → `<worktree_path>/.worca/runs/<runId>/`
  */
 
-import { existsSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
+import {
+  existsSync,
+  readdirSync,
+  readFileSync,
+  renameSync,
+  writeFileSync,
+} from 'node:fs';
 import { join } from 'node:path';
 
+// W-061: plans are stored in the run dir as append-only numbered files
+// (plan-001.md, plan-002.md, …). plan-001 is the original input — the ingested
+// copy for a provided plan, or the Planner's first draft. Each plan_review
+// revision appends the next number; the highest number is the current plan.
+const PLAN_ITERATION_RE = /^plan-(\d{3})\.md$/;
+
+/**
+ * List the numbered plan iterations in a run dir, ascending by number.
+ * @param {string|null} runDir - absolute path to the run dir
+ * @returns {Array<{n:number,file:string,path:string}>} ascending by n; [] if none
+ */
+export function listPlanIterations(runDir) {
+  if (!runDir || !existsSync(runDir)) return [];
+  let files;
+  try {
+    files = readdirSync(runDir);
+  } catch {
+    return [];
+  }
+  return files
+    .map((f) => {
+      const m = f.match(PLAN_ITERATION_RE);
+      return m
+        ? { n: Number.parseInt(m[1], 10), file: f, path: join(runDir, f) }
+        : null;
+    })
+    .filter((it) => it !== null)
+    .sort((a, b) => a.n - b.n);
+}
+
 /**
  * Resolve a runId to its on-disk run directory.
  * @param {string} worcaDir - the parent project's .worca directory

package/server/settings-validator.js

@@ -25,6 +25,8 @@ const VALID_EFFORT_RUNGS = ['low', 'medium', 'high', 'xhigh', 'max'];
 const VALID_AUTO_MODES = ['disabled', 'reactive', 'adaptive'];
 const VALID_EFFORT_KEYS = ['auto_mode', 'auto_cap'];
 const VALID_MILESTONES = ['plan_approval', 'pr_approval', 'deploy_approval'];
+const VALID_PLAN_REVIEW_MODES = ['review', 'review_and_edit'];
+const VALID_PLAN_REVIEW_ENFORCE = ['auto', 'review', 'review_and_edit'];
 const VALID_GUARDS = [
   'block_rm_rf',
   'block_env_write',
@@ -176,6 +178,16 @@ export function validateSettingsPayload(body, options = {}) {
             if (cfg.agent !== undefined && !VALID_AGENTS.includes(cfg.agent)) {
               details.push(`Invalid agent "${cfg.agent}" for stage "${name}"`);
             }
+            if (name === 'plan_review' && cfg.mode !== undefined) {
+              if (
+                typeof cfg.mode !== 'string' ||
+                !VALID_PLAN_REVIEW_MODES.includes(cfg.mode)
+              ) {
+                details.push(
+                  `stages.plan_review.mode must be one of: ${VALID_PLAN_REVIEW_MODES.join(', ')}`,
+                );
+              }
+            }
           }
         }
       }
@@ -407,6 +419,16 @@ export function validateSettingsPayload(body, options = {}) {
         details.push('worca.governance must be an object');
       } else {
         const g = w.governance;
+        if (g.plan_review_enforce !== undefined) {
+          if (
+            typeof g.plan_review_enforce !== 'string' ||
+            !VALID_PLAN_REVIEW_ENFORCE.includes(g.plan_review_enforce)
+          ) {
+            details.push(
+              `governance.plan_review_enforce must be one of: ${VALID_PLAN_REVIEW_ENFORCE.join(', ')}`,
+            );
+          }
+        }
         if (g.guards !== undefined) {
           if (
             typeof g.guards !== 'object' ||