@yemi33/minions 0.1.1779 → 0.1.1781

package/CHANGELOG.md

@@ -1,10 +1,18 @@
 # Changelog
 
-## 0.1.1779 (2026-05-07)
+## 0.1.1781 (2026-05-07)
+
+### Fixes
+- plug Property-1 holes + consolidate isPathInside helper
+
+## 0.1.1780 (2026-05-07)
+
+### Features
+- fix command center action parity (#2174)
+
+## 0.1.1778 (2026-05-07)
 
 ### Features
-- fix cc doc chat resume continuity (#2184)
-- consolidate CC dispatch action type (#2183)
 - harden dashboard state mutations (#2175)
 
 ## 0.1.1777 (2026-05-07)

package/dashboard/js/command-center.js

@@ -980,8 +980,25 @@ function ccRetryLast(tabId, retryId) {
   });
 }
 
-async function _ccFetch(url, body) {
-  var res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) });
+async function _ccFetch(url, body, method) {
+  method = (method || 'POST').toUpperCase();
+  var fetchUrl = url;
+  var opts = { method: method, headers: { 'Content-Type': 'application/json' } };
+  if (method === 'GET') {
+    var qs = new URLSearchParams();
+    Object.entries(body || {}).forEach(function(entry) {
+      var key = entry[0], value = entry[1];
+      if (value === undefined || value === null) return;
+      if (Array.isArray(value)) value.forEach(function(v) { qs.append(key, String(v)); });
+      else if (typeof value === 'object') qs.append(key, JSON.stringify(value));
+      else qs.append(key, String(value));
+    });
+    var text = qs.toString();
+    if (text) fetchUrl += (fetchUrl.includes('?') ? '&' : '?') + text;
+  } else {
+    opts.body = JSON.stringify(body || {});
+  }
+  var res = await fetch(fetchUrl, opts);
   if (!res.ok) {
     var d = await res.json().catch(function() { return {}; });
     var err = new Error(d.error || 'Request failed (' + res.status + ')');
@@ -1068,22 +1085,25 @@ async function ccExecuteAction(action, targetTabId) {
         if (notePageLink && !notePageLink.querySelector('.notif-badge')) { var noteCurPage = document.querySelector('.sidebar-link.active')?.getAttribute('data-page'); if (noteCurPage !== 'inbox') showNotifBadge(notePageLink); }
         break;
       }
-      case 'pin': {
+      case 'pin':
+      case 'pin-to-pinned': {
         await _ccFetch('/api/pinned', { title: action.title, content: action.content || action.description, level: action.level || '' });
         status.innerHTML = '&#x1F4CC; Pinned: <strong>' + escHtml(action.title) + '</strong> — visible to all agents';
         status.style.color = 'var(--green)';
         break;
       }
       case 'plan': {
-        await _ccFetch('/api/plan', { title: action.title, description: action.description, project: action.project, branchStrategy: action.branchStrategy || 'parallel' });
+        var branchStrategy = action.branch_strategy || action.branchStrategy || 'parallel';
+        await _ccFetch('/api/plan', { title: action.title, description: action.description, project: action.project, branch_strategy: branchStrategy, branchStrategy: branchStrategy });
         status.innerHTML = '&#10003; Plan queued: <strong>' + escHtml(action.title) + '</strong>';
         status.style.color = 'var(--green)';
         wakeEngine();
         break;
       }
       case 'cancel': {
-        await _ccFetch('/api/agents/cancel', { agentId: action.agent, reason: action.reason || 'Cancelled via command center' });
-        status.innerHTML = '&#10003; Cancelled agent: <strong>' + escHtml(action.agent) + '</strong>';
+        var cancelAgent = action.agent || action.agentId || '';
+        await _ccFetch('/api/agents/cancel', { agent: cancelAgent, agentId: cancelAgent, task: action.task || action.cancelTask || '', reason: action.reason || 'Cancelled via command center' });
+        status.innerHTML = '&#10003; Cancelled agent: <strong>' + escHtml(cancelAgent || action.task || action.cancelTask || '') + '</strong>';
         status.style.color = 'var(--orange)';
         break;
       }
@@ -1475,8 +1495,9 @@ async function ccExecuteAction(action, targetTabId) {
         break;
       }
       case 'add-project': {
-        await _ccFetch('/api/projects/add', { localPath: action.localPath, name: action.name || '', repoHost: action.repoHost || 'github' });
-        status.innerHTML = '&#10003; Project added: <strong>' + escHtml(action.name || action.localPath) + '</strong>';
+        var projectPath = action.path || action.localPath;
+        await _ccFetch('/api/projects/add', { path: projectPath, localPath: projectPath, name: action.name || '', repoHost: action.repoHost || 'github', allowNonRepo: action.allowNonRepo, confirmToken: action.confirmToken });
+        status.innerHTML = '&#10003; Project added: <strong>' + escHtml(action.name || projectPath) + '</strong>';
         status.style.color = 'var(--green)';
         break;
       }
@@ -1507,7 +1528,7 @@ async function ccExecuteAction(action, targetTabId) {
       default: {
         // Generic fallback: if action has an `endpoint` field, call it directly (local API only)
         if (action.endpoint && action.endpoint.startsWith('/api/') && !action.endpoint.includes('..') && !/\%2e/i.test(action.endpoint)) {
-          var genRes = await _ccFetch(action.endpoint, action.params || {});
+          var genRes = await _ccFetch(action.endpoint, action.params || {}, action.method || 'POST');
           var genData = await genRes.json().catch(function() { return {}; });
           status.innerHTML = '&#10003; ' + escHtml(action.type) + ': ' + escHtml(genData.message || genData.id || 'done');
           status.style.color = 'var(--green)';

package/dashboard.js

@@ -1449,6 +1449,13 @@ try {
 let _preambleCache = null;
 let _preambleCacheTs = 0;
 const PREAMBLE_TTL = 30000; // 30s — longer TTL since preamble is lightweight orientation, not real-time data
+const CC_API_FALLBACK_TIMEOUT_MS = 15000;
+const CC_API_FALLBACK_METHODS = new Set(['GET', 'POST', 'DELETE']);
+const CC_API_FALLBACK_BLOCKED_PREFIXES = [
+  '/api/command-center',
+  '/api/doc-chat',
+  '/api/bot',
+];
 
 // SoT for CC's runtime API index. Captured lazily on the first HTTP request
 // because ROUTES is closed over inside the request handler. Subsequent
@@ -1569,13 +1576,20 @@ function _routesAsMeta(routes) {
 
 function _captureApiRoutesMeta(routes) {
   if (_ccApiRoutesMeta || !Array.isArray(routes)) return;
-  _ccApiRoutesMeta = _routesAsMeta(routes);
+  _ccApiRoutesMeta = routes.map(r => ({
+    ..._routesAsMeta([r])[0],
+    _pathRegex: r.path instanceof RegExp ? r.path : null,
+  }));
+}
+
+function _resetCcApiRoutesMetaForTest() {
+  _ccApiRoutesMeta = null;
 }
 
 function _formatCcApiRoutesIndex() {
   if (!Array.isArray(_ccApiRoutesMeta) || _ccApiRoutesMeta.length === 0) return '';
   return _ccApiRoutesMeta
-    .filter(r => r.path.startsWith('/api/'))
+    .filter(r => r.path.startsWith('/api/') || r.path.startsWith('/^\\/api'))
     .map(r => {
       const params = r.params ? ` — params: ${r.params}` : '';
       const flags = [
@@ -1635,8 +1649,8 @@ ${apiIndex || '(routes not yet captured — first request still pending)'}
 ### CLI Index (auto-generated from engine/cli.js CLI_COMMAND_DOCS — single source of truth)
 ${cliIndex || '(unavailable)'}
 
-For \`POST /api/...\` endpoints marked \`generic-fallback\` and not covered by a named CC action, use the generic fallback:
-\`{"type":"<descriptive>","endpoint":"/api/...","params":{...}}\`.` : '';
+For any safe local \`/api/...\` endpoint not covered by a named CC action, use the generic fallback:
+\`{"type":"<descriptive>","endpoint":"/api/...","method":"GET|POST|DELETE","params":{...}}\`.` : '';
 
   const result = `### Agents
 ${agents}
@@ -2232,6 +2246,292 @@ function _ccValidateAction(action) {
   }
 }
 
+let _ccLocalApiInvokerForTest = null;
+
+function _setCcLocalApiInvokerForTest(fn) {
+  _ccLocalApiInvokerForTest = typeof fn === 'function' ? fn : null;
+}
+
+function _ccRouteMethodsForPath(pathname) {
+  if (!Array.isArray(_ccApiRoutesMeta) || _ccApiRoutesMeta.length === 0) return null;
+  const methods = new Set();
+  for (const route of _ccApiRoutesMeta) {
+    if (route._pathRegex instanceof RegExp) {
+      route._pathRegex.lastIndex = 0;
+      if (route._pathRegex.test(pathname)) methods.add(String(route.method || '').toUpperCase());
+    } else if (route.path === pathname) {
+      methods.add(String(route.method || '').toUpperCase());
+    }
+  }
+  return methods;
+}
+
+function _ccValidateLocalApiFallback(endpoint, method) {
+  if (typeof endpoint !== 'string' || !endpoint.trim()) return 'generic API fallback requires endpoint';
+  const raw = endpoint.trim();
+  if (!(raw === '/api' || raw.startsWith('/api/'))) return 'generic API fallback endpoint must be a local /api/ path';
+  if (/[\0\r\n\\]/.test(raw) || raw.includes('..') || /%2e/i.test(raw) || /%5c/i.test(raw)) {
+    return 'generic API fallback endpoint is unsafe';
+  }
+  let parsed;
+  try {
+    parsed = new URL(raw, 'http://127.0.0.1');
+  } catch {
+    return 'generic API fallback endpoint is invalid';
+  }
+  if (parsed.origin !== 'http://127.0.0.1' || !(parsed.pathname === '/api' || parsed.pathname.startsWith('/api/'))) {
+    return 'generic API fallback endpoint must be a local /api/ path';
+  }
+  if (CC_API_FALLBACK_BLOCKED_PREFIXES.some(prefix => parsed.pathname === prefix || parsed.pathname.startsWith(prefix + '/'))) {
+    return 'generic API fallback cannot call Command Center, doc-chat, or bot endpoints';
+  }
+  if (/stream/i.test(parsed.pathname) || parsed.pathname === '/api/hot-reload') {
+    return 'generic API fallback cannot call streaming endpoints';
+  }
+  const normalizedMethod = String(method || 'POST').toUpperCase();
+  if (!CC_API_FALLBACK_METHODS.has(normalizedMethod)) {
+    return `generic API fallback method ${normalizedMethod} is not allowed`;
+  }
+  const routeMethods = _ccRouteMethodsForPath(parsed.pathname);
+  if (routeMethods && routeMethods.size > 0 && !routeMethods.has(normalizedMethod)) {
+    return `API endpoint ${parsed.pathname} does not allow ${normalizedMethod}; allowed methods: ${[...routeMethods].join(', ')}`;
+  }
+  if (routeMethods && routeMethods.size === 0) {
+    return `API endpoint ${parsed.pathname} is not in the local API index`;
+  }
+  return null;
+}
+
+function _ccBuildQueryString(params) {
+  if (!params || typeof params !== 'object' || Array.isArray(params)) return '';
+  const search = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value === undefined || value === null) continue;
+    if (Array.isArray(value)) {
+      for (const item of value) search.append(key, String(item));
+    } else if (typeof value === 'object') {
+      search.append(key, JSON.stringify(value));
+    } else {
+      search.append(key, String(value));
+    }
+  }
+  const text = search.toString();
+  return text ? '?' + text : '';
+}
+
+function _ccRequestPath(endpoint, method, params) {
+  const parsed = new URL(endpoint, 'http://127.0.0.1');
+  if (method === 'GET') {
+    const extra = _ccBuildQueryString(params);
+    if (extra) {
+      const glue = parsed.search ? '&' : '?';
+      return parsed.pathname + parsed.search + glue + extra.slice(1);
+    }
+  }
+  return parsed.pathname + parsed.search;
+}
+
+async function _ccInvokeLocalApi({ method, endpoint, params }) {
+  if (_ccLocalApiInvokerForTest) return _ccLocalApiInvokerForTest({ method, endpoint, params });
+  const requestPath = _ccRequestPath(endpoint, method, params);
+  return new Promise((resolve, reject) => {
+    const body = method === 'GET' ? null : JSON.stringify(params || {});
+    const req = http.request({
+      hostname: '127.0.0.1',
+      port: PORT,
+      method,
+      path: requestPath,
+      timeout: CC_API_FALLBACK_TIMEOUT_MS,
+      headers: body ? {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(body),
+      } : {},
+    }, res => {
+      let text = '';
+      res.setEncoding('utf8');
+      res.on('data', chunk => { text += chunk; });
+      res.on('end', () => {
+        let data = text;
+        try { data = text ? JSON.parse(text) : {}; } catch { /* non-JSON API response */ }
+        resolve({ status: res.statusCode || 0, data });
+      });
+    });
+    req.on('timeout', () => {
+      req.destroy(new Error(`local API fallback timed out after ${CC_API_FALLBACK_TIMEOUT_MS}ms`));
+    });
+    req.on('error', reject);
+    if (body) req.write(body);
+    req.end();
+  });
+}
+
+function _ccApiRequest(endpoint, params = {}, method = 'POST') {
+  return { endpoint, params, method };
+}
+
+function _ccMappedApiRequests(action) {
+  switch (action.type) {
+    case 'pin':
+    case 'pin-to-pinned':
+      return _ccApiRequest('/api/pinned', { title: action.title, content: action.content || action.description, level: action.level || '' });
+    case 'plan': {
+      const branchStrategy = action.branch_strategy || action.branchStrategy || 'parallel';
+      return _ccApiRequest('/api/plan', {
+        title: action.title, description: action.description || '', priority: action.priority,
+        project: action.project, agent: action.agent, branch_strategy: branchStrategy,
+      });
+    }
+    case 'cancel':
+      return _ccApiRequest('/api/agents/cancel', {
+        agent: action.agent || action.agentId,
+        task: action.task || action.cancelTask,
+        reason: action.reason || 'Cancelled via command center',
+      });
+    case 'retry':
+      return (action.ids || []).map(id => _ccApiRequest('/api/work-items/retry', { id, source: action.source || '' }));
+    case 'pause-plan':
+      return _ccApiRequest('/api/plans/pause', { file: action.file });
+    case 'approve-plan':
+      return _ccApiRequest('/api/plans/approve', { file: action.file });
+    case 'reject-plan':
+      return _ccApiRequest('/api/plans/reject', { file: action.file, reason: action.reason || '' });
+    case 'archive-plan':
+      return _ccApiRequest('/api/plans/archive', { file: action.file });
+    case 'unarchive-plan':
+      return _ccApiRequest('/api/plans/unarchive', { file: action.file });
+    case 'execute-plan':
+      return _ccApiRequest('/api/plans/execute', { file: action.file, project: action.project || '' });
+    case 'trigger-verify':
+      return _ccApiRequest('/api/plans/trigger-verify', { file: action.file });
+    case 'regenerate-plan':
+      return _ccApiRequest('/api/plans/approve', { file: action.file, forceRegen: true });
+    case 'revise-plan':
+      return _ccApiRequest('/api/plans/revise', { file: action.file, feedback: action.feedback || action.description, requestedBy: 'command-center' });
+    case 'edit-prd-item':
+      return _ccApiRequest('/api/prd-items/update', {
+        source: action.source, itemId: action.itemId, name: action.name, description: action.description,
+        priority: action.priority, estimated_complexity: action.estimated_complexity || action.complexity,
+      });
+    case 'remove-prd-item':
+      return _ccApiRequest('/api/prd-items/remove', { source: action.source, itemId: action.itemId });
+    case 'reopen-prd-item':
+      return _ccApiRequest('/api/prd-items/update', { source: action.file, itemId: action.id, status: 'updated' });
+    case 'delete-work-item':
+      return _ccApiRequest('/api/work-items/delete', { id: action.id, source: action.source || '' });
+    case 'cancel-work-item':
+      return _ccApiRequest('/api/work-items/cancel', { id: action.id, source: action.source || '', reason: action.reason || 'cc' });
+    case 'archive-work-item':
+      return _ccApiRequest('/api/work-items/archive', { id: action.id });
+    case 'work-item-feedback':
+      return _ccApiRequest('/api/work-items/feedback', { id: action.id, rating: action.rating || 'up', comment: action.comment || '' });
+    case 'schedule':
+      return _ccApiRequest(action._update ? '/api/schedules/update' : '/api/schedules', {
+        id: action.id, title: action.title, cron: action.cron, type: action.workType || 'implement',
+        project: action.project, agent: action.agent, description: action.description,
+        priority: action.priority, enabled: action.enabled !== false,
+      });
+    case 'delete-schedule':
+      return _ccApiRequest('/api/schedules/delete', { id: action.id });
+    case 'edit-pipeline':
+      return _ccApiRequest('/api/pipelines/update', {
+        id: action.id, title: action.title, stages: action.stages,
+        trigger: action.trigger, enabled: action.enabled, stopWhen: action.stopWhen,
+        monitoredResources: action.monitoredResources,
+      });
+    case 'delete-pipeline':
+      return _ccApiRequest('/api/pipelines/delete', { id: action.id });
+    case 'trigger-pipeline':
+      return _ccApiRequest('/api/pipelines/trigger', { id: action.id });
+    case 'continue-pipeline':
+      return _ccApiRequest('/api/pipelines/continue', { id: action.id, stageId: action.stageId });
+    case 'abort-pipeline':
+      return _ccApiRequest('/api/pipelines/abort', { id: action.id });
+    case 'retrigger-pipeline':
+      return _ccApiRequest('/api/pipelines/retrigger', { id: action.id });
+    case 'add-meeting-note':
+      return _ccApiRequest('/api/meetings/note', { id: action.id, note: action.note || action.content });
+    case 'advance-meeting':
+      return _ccApiRequest('/api/meetings/advance', { id: action.id });
+    case 'end-meeting':
+      return _ccApiRequest('/api/meetings/end', { id: action.id });
+    case 'archive-meeting':
+      return _ccApiRequest('/api/meetings/archive', { id: action.id });
+    case 'unarchive-meeting':
+      return _ccApiRequest('/api/meetings/unarchive', { id: action.id });
+    case 'delete-meeting':
+      return _ccApiRequest('/api/meetings/delete', { id: action.id });
+    case 'set-config':
+      return _ccApiRequest('/api/settings', { engine: { [action.setting]: action.value } });
+    case 'update-routing':
+      return _ccApiRequest('/api/settings/routing', { content: action.content });
+    case 'steer-agent':
+      return _ccApiRequest('/api/agents/steer', { agent: action.agent, message: action.message || action.content });
+    case 'link-pr':
+      return _ccApiRequest('/api/pull-requests/link', { url: action.url, title: action.title || '', project: action.project || '', autoObserve: action.autoObserve !== false });
+    case 'delete-pr':
+      return _ccApiRequest('/api/pull-requests/delete', { id: action.id, project: action.project || '' });
+    case 'file-bug':
+      return _ccApiRequest('/api/issues/create', { title: action.title, description: action.description, labels: action.labels });
+    case 'promote-to-kb':
+      return _ccApiRequest('/api/inbox/promote-kb', { name: action.file, category: action.category || 'project-notes' });
+    case 'kb-sweep':
+      return _ccApiRequest('/api/knowledge/sweep', {});
+    case 'toggle-kb-pin':
+      return _ccApiRequest('/api/kb-pins/toggle', { key: action.key });
+    case 'unpin':
+      return _ccApiRequest('/api/pinned' + '/remove', { title: action.title });
+    case 'add-project':
+      return _ccApiRequest('/api/projects/add', {
+        path: action.path || action.localPath, name: action.name || '',
+        repoHost: action.repoHost || 'github', allowNonRepo: action.allowNonRepo,
+        confirmToken: action.confirmToken,
+      });
+    case 'restart-engine':
+      return _ccApiRequest('/api/engine/restart', {});
+    case 'reset-settings':
+      return _ccApiRequest('/api/settings/reset', {});
+    default:
+      if (action.endpoint) return _ccApiRequest(action.endpoint, action.params || {}, action.method || 'POST');
+      return null;
+  }
+}
+
+async function _ccExecuteLocalApiAction(action) {
+  const mapped = _ccMappedApiRequests(action);
+  if (!mapped) return null;
+  const requests = Array.isArray(mapped) ? mapped : [mapped];
+  if (requests.length === 0) throw new Error(`${action.type} action has no API requests to execute`);
+  const apiResults = [];
+  for (const request of requests) {
+    const method = String(request.method || 'POST').toUpperCase();
+    const endpoint = String(request.endpoint || '').trim();
+    const params = request.params || {};
+    const validationError = _ccValidateLocalApiFallback(endpoint, method);
+    if (validationError) throw new Error(validationError);
+    const response = await _ccInvokeLocalApi({ method, endpoint, params });
+    const status = Number(response?.status) || 0;
+    const data = response?.data === undefined ? {} : response.data;
+    if (status < 200 || status >= 300) {
+      const detail = data && typeof data === 'object' && data.error ? data.error : `HTTP ${status}`;
+      throw new Error(`${method} ${endpoint} failed: ${detail}`);
+    }
+    if (data && typeof data === 'object' && data.error) throw new Error(`${method} ${endpoint} failed: ${data.error}`);
+    apiResults.push({ status, data, endpoint, method });
+  }
+  const firstData = apiResults[0]?.data && typeof apiResults[0].data === 'object' ? apiResults[0].data : {};
+  return {
+    type: action.type,
+    ok: true,
+    endpoint: apiResults[0]?.endpoint,
+    method: apiResults[0]?.method,
+    status: apiResults[0]?.status,
+    ...(firstData.id ? { id: firstData.id } : {}),
+    ...(firstData.file ? { file: firstData.file } : {}),
+    ...(firstData.message ? { message: firstData.message } : {}),
+    ...(apiResults.length > 1 ? { count: apiResults.length, results: apiResults.map(r => r.data) } : { data: firstData }),
+  };
+}
+
 async function executeCCActions(actions) {
   const results = [];
   for (const rawAction of actions) {
@@ -2496,10 +2796,16 @@ async function executeCCActions(actions) {
           results.push({ type: 'resume-watch', id: action.id, ok: !!resumed });
           break;
         }
-        default:
-          // Server didn't handle — frontend must execute
-          results.push({ type: action.type });
+        default: {
+          const apiResult = await _ccExecuteLocalApiAction(action);
+          if (apiResult) {
+            results.push(apiResult);
+          } else {
+            // Server didn't handle — frontend must execute.
+            results.push({ type: action.type });
+          }
           break;
+        }
       }
     } catch (e) {
       results.push({ type: action.type, error: e.message });
@@ -3059,7 +3365,7 @@ async function _retryDocChatAfterResumeFailure({ result, initialPass, freshSessi
 function _buildDocChatErrorEnvelope(result) {
   return {
     code: result.code ?? null,
-    stderr: (result.stderr || '').slice(-2048),
+    stderr: String(result.stderr || '').slice(-2048),
     errorClass: result.errorClass || null,
     errorMessage: result.errorMessage || null,
     runtime: result.runtime || null,
@@ -4173,7 +4479,7 @@ const server = http.createServer(async (req, res) => {
         id, title: body.title, type: 'plan',
         priority: body.priority || 'high', description: body.description || '',
         status: WI_STATUS.PENDING, created: new Date().toISOString(), createdBy: 'dashboard',
-        branchStrategy: body.branch_strategy || 'parallel',
+        branchStrategy: body.branch_strategy || body.branchStrategy || 'parallel',
       };
       if (body.project) item.project = body.project;
       if (body.agent) item.agent = body.agent;
@@ -4376,14 +4682,17 @@ const server = http.createServer(async (req, res) => {
   async function handleAgentsCancel(req, res) {
     try {
       const body = await readBody(req);
+      const requestedAgent = body.agent || body.agentId;
+      const requestedTask = body.task || body.cancelTask;
+      if (!requestedAgent && !requestedTask) return jsonReply(res, 400, { error: 'agent or task required' });
       const dispatchPath = path.join(MINIONS_DIR, 'engine', 'dispatch.json');
       const dispatch = safeJsonObj(dispatchPath);
       const active = dispatch.active || [];
       const cancelled = [];
 
       for (const d of active) {
-        const matchAgent = body.agent && d.agent === body.agent;
-        const matchTask = body.task && (d.task || '').toLowerCase().includes((body.task || '').toLowerCase());
+        const matchAgent = requestedAgent && d.agent === requestedAgent;
+        const matchTask = requestedTask && (d.task || '').toLowerCase().includes(String(requestedTask).toLowerCase());
         if (!matchAgent && !matchTask) continue;
 
         // Kill agent process
@@ -7429,7 +7738,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     { method: 'POST', path: '/api/notes-save', desc: 'Save edited notes.md content', params: 'content, file?', handler: handleNotesSave },
 
     // Plans
-    { method: 'POST', path: '/api/plan', desc: 'Create a plan work item that chains to PRD on completion', params: 'title, description?, priority?, project?, agent?, branch_strategy?', handler: handlePlanCreate },
+    { method: 'POST', path: '/api/plan', desc: 'Create a plan work item that chains to PRD on completion', params: 'title, description?, priority?, project?, agent?, branch_strategy? or branchStrategy?', handler: handlePlanCreate },
     { method: 'GET', path: '/api/plans', desc: 'List plan files (.md drafts + .json PRDs)', handler: handlePlansList },
     { method: 'POST', path: '/api/plans/trigger-verify', desc: 'Manually trigger verification for a completed plan', params: 'file', handler: handlePlansTriggerVerify },
     { method: 'POST', path: '/api/plans/approve', desc: 'Approve a plan for execution', params: 'file, approvedBy?', handler: handlePlansApprove },
@@ -7614,7 +7923,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
         inboxCount: steering.listUnreadSteeringMessages(agentId).length,
       });
     }},
-    { method: 'POST', path: '/api/agents/cancel', desc: 'Cancel an active agent by ID or task substring', params: 'agent?, task?', handler: handleAgentsCancel },
+    { method: 'POST', path: '/api/agents/cancel', desc: 'Cancel an active agent by ID or task substring', params: 'agent? or agentId?, task?', handler: handleAgentsCancel },
     { method: 'POST', path: /^\/api\/agent\/([\w-]+)\/kill$/, template: '/api/agent/:id/kill', desc: 'Kill a running agent: stop process, clear dispatch, reset work items to pending', handler: handleAgentKill },
     { method: 'GET', path: /^\/api\/agent\/([\w-]+)\/live-stream(?:\?.*)?$/, template: '/api/agent/:id/live-stream', desc: 'SSE real-time live output streaming', handler: handleAgentLiveStream },
     { method: 'GET', path: /^\/api\/agent\/([\w-]+)\/live(?:\?.*)?$/, template: '/api/agent/:id/live', desc: 'Tail live output for a working agent', params: 'tail? (bytes, default 8192)', handler: handleAgentLive },
@@ -8086,7 +8395,11 @@ module.exports = {
   _resolveWorkItemsCreateTarget: resolveWorkItemsCreateTarget,
   _collectArchivedWorkItems: collectArchivedWorkItems,
   _createPipelineFromAction: createPipelineFromAction,
+  _setCcLocalApiInvokerForTest,
+  _resetCcApiRoutesMetaForTest,
+  _ccValidateLocalApiFallback,
   executeCCActions,
+  executeDocChatActions,
   buildCCStatePreamble,
   _routesAsMeta,
   _buildTranscriptCarryover,

package/docs/command-center.md

@@ -93,6 +93,8 @@ When you ask CC to *do* something, it includes structured action blocks in its r
 | `remove-prd-item` | Remove a PRD item | "Remove P011 from the plan" |
 | `delete-work-item` | Delete a work item | "Delete work item W025" |
 
+For endpoints without a named action, CC may emit a local API fallback action with `endpoint`, `method`, and `params`. The server only invokes safe local `/api/...` paths, validates the requested method against the route index when available, sends GET params as query strings, and rejects streaming/recursive CC/doc-chat endpoints.
+
 ## Error Handling
 
 - **Frontend timeout**: 10-minute `AbortSignal` on the fetch — prevents infinite "thinking" spinner
@@ -155,4 +157,3 @@ Frontend
 ## Command Bar
 
 The command bar at the top of the dashboard routes all input to the CC panel. Typing in the command bar opens the CC drawer and sends the message as a CC turn.
-

package/engine/cleanup.js

@@ -369,13 +369,23 @@ async function runCleanup(config, verbose = false) {
   // 2b. Detect git worktrees registered inside any linked project's working tree.
   // Nested worktrees cause glob/grep tools running with cwd=projectRoot to match
   // BOTH copies of every file; a single Edit/MultiEdit then writes the same
-  // change to both locations, producing "mirror dirty file" leaks (W-cc-doc-chat-continuity).
+  // change to both locations, producing mirror-write leaks.
   // We only WARN here — removing someone else's worktree without consent could
   // destroy in-flight work. The operator runs `git worktree remove <path>`.
   cleaned.nestedWorktrees = 0;
+  const _scannedRoots = new Set(); // dedup projects sharing localPath
   for (const project of projects) {
-    const root = project.localPath ? path.resolve(project.localPath) : null;
-    if (!root || !fs.existsSync(root)) continue;
+    if (!project.localPath) continue;
+    const root = path.resolve(project.localPath);
+    if (_scannedRoots.has(root)) continue;
+    _scannedRoots.add(root);
+    if (!fs.existsSync(root)) {
+      // Configured project whose checkout has been moved or deleted — surface
+      // it so the operator knows their config is out of sync. A missing root
+      // means we cannot scan it, leaving nested worktrees there undetectable.
+      log('warn', `Project "${project.name || root}" has localPath "${root}" which does not exist on disk — skipping worktree scan`);
+      continue;
+    }
     let raw;
     try {
       raw = String(shared.execSilent('git worktree list --porcelain', { cwd: root, timeout: 10000, windowsHide: true }) || '');
@@ -384,8 +394,7 @@ async function runCleanup(config, verbose = false) {
       if (!line.startsWith('worktree ')) continue;
       const wt = line.slice('worktree '.length).trim();
       if (!wt) continue;
-      if (path.resolve(wt) === root) continue; // main worktree — expected
-      if (!shared.isPathInsideOrEqual(wt, root)) continue;
+      if (!shared.isPathInside(wt, root)) continue; // strict — main worktree (equal path) is expected, descendants are the leak
       cleaned.nestedWorktrees++;
       log('warn', `Nested worktree in project "${project.name || root}": "${wt}" is inside "${root}". This causes glob tools to match both copies and produces mirror writes. Run: git worktree remove "${wt}"`);
     }

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-07T23:23:28.356Z"
+  "cachedAt": "2026-05-07T23:33:01.432Z"
 }

package/engine/meeting.js

@@ -155,17 +155,12 @@ function getStructuredNoteArtifacts(structuredCompletion) {
   );
 }
 
-function isPathInside(parent, child) {
-  const rel = path.relative(parent, child);
-  return Boolean(rel && !rel.startsWith('..') && !path.isAbsolute(rel));
-}
-
 function resolveMeetingNoteArtifactPath(artifactPath) {
   const raw = String(artifactPath || '').trim();
   if (!raw || raw.includes('\0')) return null;
   const resolved = path.resolve(path.isAbsolute(raw) ? raw : path.join(shared.MINIONS_DIR, raw));
   const root = path.resolve(MEETING_NOTE_ARTIFACT_ROOT);
-  if (!isPathInside(root, resolved)) return null;
+  if (!shared.isPathInside(resolved, root)) return null;
   if (path.extname(resolved).toLowerCase() !== '.md') return null;
   return resolved;
 }
@@ -179,7 +174,7 @@ function readMeetingNoteArtifact(artifactPath) {
   try {
     const realRoot = fs.realpathSync(MEETING_NOTE_ARTIFACT_ROOT);
     const realPath = fs.realpathSync(resolved);
-    if (!isPathInside(realRoot, realPath)) {
+    if (!shared.isPathInside(realPath, realRoot)) {
       log('warn', `Ignoring meeting note artifact outside notes/inbox: ${artifactPath}`);
       return '';
     }
@@ -914,7 +909,6 @@ module.exports = {
   // exported for testing — engine code MUST go through
   // getMeetings/discoverMeetingWork/collectMeetingFindings/checkMeetingTimeouts,
   // never these helpers directly.
-  isPathInside,
   resolveMeetingNoteArtifactPath,
   cleanMeetingSummaryText,
   splitMeetingSummaryFragments,

package/engine/preflight.js

@@ -275,10 +275,9 @@ function runPreflight(opts = {}) {
     // 5. worktreeRoot config check — for every linked project, verify that the
     //    configured engine.worktreeRoot resolves OUTSIDE the project's
     //    localPath. A nested worktreeRoot causes glob/grep to match both
-    //    copies of every file, producing silent mirror writes (the W-cc-doc-
-    //    chat-continuity leak class). Hard-fail at preflight so the operator
-    //    sees it before any agent dispatch — the runtime guard in spawnAgent
-    //    is the second line of defense.
+    //    copies of every file, producing silent mirror writes. Hard-fail at
+    //    preflight so the operator sees it before any agent dispatch — the
+    //    runtime guard in spawnAgent is the second line of defense.
     try {
       const path = require('path');
       const projects = shared.getProjects(opts.config) || [];

package/engine/shared.js

@@ -2143,30 +2143,40 @@ function buildWorktreeDirName({
 }
 
 /**
- * True when `childPath` is the same as or nested within `parentPath`. Uses
- * `path.relative` so it's cross-platform and resilient to mixed separators
- * (Windows worktree paths often arrive with forward slashes from git output).
- * Returns false when paths refer to different roots/drives or `childPath`
- * escapes via `..`.
- *
- * Why this helper exists: a git worktree placed inside the parent repo's
- * working tree causes glob/grep tools running with `cwd = projectRoot` to
- * match BOTH copies of every file. A single Edit/MultiEdit then writes the
- * same change to both locations, producing the "mirror dirty file" pattern.
- * Worktrees must always be siblings/cousins of the project root, never
- * descendants.
+ * True when `childPath` is strictly nested within `parentPath` (descendant,
+ * NOT the same path). Cross-platform via `path.relative`; resilient to mixed
+ * separators. Returns false for equal paths, different roots/drives, or
+ * `childPath` escapes via `..`.
  */
-function isPathInsideOrEqual(childPath, parentPath) {
+function isPathInside(childPath, parentPath) {
   if (!childPath || !parentPath) return false;
   const childAbs = path.resolve(String(childPath));
   const parentAbs = path.resolve(String(parentPath));
   const rel = path.relative(parentAbs, childAbs);
-  if (rel === '') return true;
+  if (rel === '') return false;
   if (rel.startsWith('..')) return false;
   if (path.isAbsolute(rel)) return false;
   return true;
 }
 
+/**
+ * Same as `isPathInside` but ALSO returns true when paths are equal.
+ *
+ * Why this helper exists: a git worktree placed at — or inside — the parent
+ * repo's working tree causes glob/grep tools running with `cwd = projectRoot`
+ * to match BOTH copies of every file. A single Edit/MultiEdit then writes
+ * the same change to both locations, producing the "mirror dirty file"
+ * pattern. Worktrees must always be siblings/cousins of the project root,
+ * never the root itself nor a descendant.
+ */
+function isPathInsideOrEqual(childPath, parentPath) {
+  if (!childPath || !parentPath) return false;
+  const childAbs = path.resolve(String(childPath));
+  const parentAbs = path.resolve(String(parentPath));
+  if (childAbs === parentAbs) return true;
+  return isPathInside(childAbs, parentAbs);
+}
+
 /**
  * Throws when `worktreePath` would land inside (or equal) `projectRoot`.
  * Called by the engine spawn path before `git worktree add`, and by the
@@ -3257,6 +3267,7 @@ module.exports = {
   sanitizePath,
   sanitizeBranch,
   buildWorktreeDirName, // exported for testing
+  isPathInside,
   isPathInsideOrEqual,
   assertWorktreeOutsideProject,
   isLiveCommandCenterPath,

package/engine.js

@@ -666,6 +666,7 @@ async function spawnAgent(dispatchItem, config) {
               if (eShared.message?.includes('already used by worktree') || eShared.message?.includes('already checked out')) {
                 const existingWtPath = await findExistingWorktree(rootDir, branchName);
                 if (existingWtPath && fs.existsSync(existingWtPath)) {
+                  shared.assertWorktreeOutsideProject(existingWtPath, rootDir);
                   log('info', `Shared branch ${branchName} already checked out at ${existingWtPath} — reusing`);
                   worktreePath = existingWtPath;
                 } else { throw eShared; }
@@ -723,6 +724,7 @@ async function spawnAgent(dispatchItem, config) {
                         log('warn', `Branch ${branchName} actively used by another agent at ${existingWtPath} — cannot create worktree`);
                         throw e2;
                       }
+                      shared.assertWorktreeOutsideProject(existingWtPath, rootDir);
                       log('info', `Branch ${branchName} already checked out at ${existingWtPath} — reusing`);
                       worktreePath = existingWtPath;
                     } else if (existingWtPath && !fs.existsSync(existingWtPath)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1779",
+  "version": "0.1.1781",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"

package/prompts/cc-system.md

@@ -81,7 +81,7 @@ I'll dispatch dallas to fix that bug.
 ===ACTIONS===
 [{"type": "dispatch", "title": "Fix login bug", "workType": "fix", "agents": ["dallas"], "project": "MyApp", "description": "..."}]
 
-**Generic fallback:** For any action not listed below, include `"endpoint": "/api/..."` and `"params": {...}` to call the API directly. Example: `{"type": "custom-op", "endpoint": "/api/some/endpoint", "params": {"key": "value"}}`.
+**Generic fallback:** For any action not listed below, include `"endpoint": "/api/..."`, `"method": "GET|POST|DELETE"`, and `"params": {...}` to call the API directly. Omit `method` only for POST endpoints. Example: `{"type": "custom-op", "endpoint": "/api/some/endpoint", "method": "POST", "params": {"key": "value"}}`.
 
 **Required fields per action type — server rejects with an error if missing:**
 
@@ -143,7 +143,7 @@ Additional actions (all take `id` or `file` as primary key):
 - KB/Inbox: promote-to-kb (file, category), kb-sweep, toggle-kb-pin (key)
 - Plan lifecycle: revise-plan (file, feedback — dispatches agent to revise)
 - Pipeline: continue-pipeline (id — resume past wait stage)
-- Projects: add-project (localPath, name, repoHost)
+- Projects: add-project (path or localPath, name, repoHost)
 - Engine: restart-engine, reset-settings
 - Other: unpin (title), link-pr (url, title, project, autoObserve), delete-pr (id, project), update-routing (content), file-bug (title, description, labels)
 
@@ -159,8 +159,8 @@ Terms like schedules, pipelines, agents, inbox, work items, plans, PRD, PRs, dis
 ## API & CLI Index (auto-injected)
 Your state preamble (delivered alongside this prompt at session start) carries an auto-generated **API Index** rendered from `dashboard.js` `ROUTES` and a **CLI Index** rendered from `engine/cli.js` `CLI_COMMAND_DOCS`. Both are single-source-of-truth — adding a new HTTP endpoint or CLI command auto-surfaces it in your preamble; do not memorize the named action shorthand list above as exhaustive.
 
-For a `POST /api/...` endpoint marked `generic-fallback` in the API Index that doesn't have a matching named action above, emit the generic fallback shape:
-`{"type":"<short-descriptor>","endpoint":"/api/...","params":{...}}`
-The action runner POSTs `params` as JSON; do not use the fallback for read-only GET routes, DELETE routes, or endpoints not marked generic-fallback.
+For any safe local `/api/...` endpoint that doesn't have a matching named action above, emit the generic fallback shape:
+`{"type":"<short-descriptor>","endpoint":"/api/...","method":"GET|POST|DELETE","params":{...}}`
+The action runner enforces the endpoint method from the API index when available, sends GET params as query strings, sends POST/DELETE params as JSON, and rejects Command Center, doc-chat, bot, or streaming endpoints.
 
 For CLI commands (`minions <cmd>`), use Bash to invoke them when delegating would be heavier than just running the command.