@yemi33/minions 0.1.2048 → 0.1.2049

package/dashboard/js/detail-panel.js

@@ -18,6 +18,7 @@ function renderDetailTabs(detail) {
     { id: 'history', label: 'History' },
     { id: 'output', label: 'Output Log' },
   ];
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from compile-time constants (no user data flows in)
   document.getElementById('detail-tabs').innerHTML = tabs.map(t =>
     '<div class="detail-tab ' + (t.id === currentTab ? 'active' : '') + '" onclick="switchTab(\'' + t.id + '\')">' + t.label + '</div>'
   ).join('');
@@ -89,9 +90,11 @@ function renderDetailContent(detail, tab) {
       html += '<h4>Latest Output</h4><div class="section">' + renderMd(detail.outputLog) + '</div>';
     }
 
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml()/renderMd() (fields: status task, dispatch task/result/reason, inbox name/content, output log, result summary)
     el.innerHTML = html;
   } else if (tab === 'live') {
     var startedAt = detail.statusData?.started_at;
+    // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal server timestamp and static live-chat controls (no user data flows in)
     el.innerHTML =
       '<div id="live-chat" style="display:flex;flex-direction:column;height:60vh">' +
         '<div id="live-messages" style="flex:1;overflow-y:auto;padding:8px;font-size:11px;line-height:1.6;display:flex;flex-direction:column"></div>' +
@@ -110,6 +113,7 @@ function renderDetailContent(detail, tab) {
     startLiveStream(currentAgentId);
   } else if (tab === 'charter') {
     const charterContent = detail.charter || '';
+    // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes charter display content and escHtml() escapes textarea content before assembling HTML (see dashboard/js/utils.js)
     el.innerHTML =
       '<div style="display:flex;gap:6px;margin-bottom:8px">' +
         '<button class="pr-pager-btn" id="charter-edit-btn" style="font-size:10px;padding:2px 10px" onclick="_toggleCharterEdit()">Edit</button>' +
@@ -139,8 +143,10 @@ function renderDetailContent(detail, tab) {
     }
     // Raw history.md
     html += '<h4>Task History</h4><div class="section">' + renderMd(detail.history || 'No history yet.') + '</div>';
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml()/renderMd() (fields: dispatch task, type, result, reason, history)
     el.innerHTML = html;
   } else if (tab === 'output') {
+    // eslint-disable-next-line no-unsanitized/property -- reason: renderAgentOutput() escapes all user-controlled fields before assembling HTML (see dashboard/js/render-utils.js)
     el.innerHTML = '<div class="section">' + (detail.outputLog ? renderAgentOutput(detail.outputLog) : 'No output log. The coordinator will save agent output here when tasks complete.') + '</div>';
   }
 }
@@ -175,6 +181,7 @@ async function _saveCharter() {
       body: JSON.stringify({ agent: currentAgentId, content })
     });
     if (res.ok) {
+      // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
       document.getElementById('charter-view').innerHTML = renderMd(content);
       _charterRawCache = content;
       _cancelCharterEdit();

package/dashboard/js/fre.js

@@ -158,6 +158,7 @@ function renderFre(statusOrProjects) {
     return ({ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' })[c];
   });
 
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; runtime label is escaped into safeRuntime before interpolation (field: runtimeCli)
   mount.innerHTML =
     '<div id="fre-card" style="' + cardStyle + '">' +
       '<div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:10px">' +

package/dashboard/js/live-stream.js

@@ -28,6 +28,7 @@ function renderLiveChatMessage(raw) {
   const el = document.getElementById('live-messages');
   if (!el) return;
   const html = renderAgentOutput(raw);
+  // eslint-disable-next-line no-unsanitized/method -- reason: renderAgentOutput() escapes all user-controlled fields before assembling HTML (see dashboard/js/render-utils.js)
   if (html) el.insertAdjacentHTML('beforeend', html);
 
   // Auto-scroll
@@ -106,6 +107,7 @@ async function sendSteering() {
   // Immediate feedback — show the message right away
   const el = document.getElementById('live-messages');
   if (el) {
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: steering message)
     el.insertAdjacentHTML('beforeend', '<div style="align-self:flex-end;background:var(--blue);color:#fff;padding:6px 12px;border-radius:12px 12px 2px 12px;max-width:80%;margin:4px 0;font-size:12px">' + escHtml(message) +
       '<div id="steer-pending" style="font-size:9px;opacity:0.7;margin-top:2px">\u2197 Sending...</div></div>');
     el.scrollTop = el.scrollHeight;

package/dashboard/js/modal-qa.js

@@ -63,7 +63,9 @@ function _qaMaybeScrollThreadToBottom(thread, shouldFollow) {
 function _qaInsertBeforeQueued(container, html) {
   if (!container) return;
   const firstQueued = container.querySelector && container.querySelector('.qa-queued-item');
+  // eslint-disable-next-line no-unsanitized/method -- reason: html is produced by modal QA builders that wrap user data in escHtml()/renderMd() before insertion
   if (firstQueued) firstQueued.insertAdjacentHTML('beforebegin', html);
+  // eslint-disable-next-line no-unsanitized/method -- reason: html is produced by modal QA builders that wrap user data in escHtml()/renderMd() before insertion
   else container.insertAdjacentHTML('beforeend', html);
 }
 
@@ -268,8 +270,10 @@ function _qaLoadSessionState(key) {
   const thread = _qaThreadEl();
   if (thread) {
     const tmp = document.createElement('div');
+    // eslint-disable-next-line no-unsanitized/property -- reason: prior.threadHtml is a sanitized modal QA thread buffer produced by escHtml()/renderMd()-wrapped builders
     tmp.innerHTML = prior?.threadHtml || '';
     if (!_qaProcessing) tmp.querySelectorAll('.modal-qa-loading').forEach(el => el.remove());
+    // eslint-disable-next-line no-unsanitized/property -- reason: tmp.innerHTML is copied from sanitized modal QA thread markup after removing loading placeholders
     thread.innerHTML = tmp.innerHTML;
   }
 }
@@ -404,6 +408,7 @@ function _qaBuildLiveProgressHtml(loadingId, label, elapsedSeconds, streamedText
 
 function _qaMutateThreadHtml(key, mutate) {
   const tmp = document.createElement('div');
+  // eslint-disable-next-line no-unsanitized/property -- reason: threadHtml is a sanitized modal QA thread buffer produced by escHtml()/renderMd()-wrapped builders
   tmp.innerHTML = _qaIsActiveSession(key) ? _qaThreadHtml() : ((_qaSessions.get(key) || {}).threadHtml || '');
   mutate(tmp);
   const html = tmp.innerHTML;
@@ -412,6 +417,7 @@ function _qaMutateThreadHtml(key, mutate) {
     const thread = _qaThreadEl();
     if (thread) {
       const shouldFollow = _qaShouldFollowThread(thread);
+      // eslint-disable-next-line no-unsanitized/property -- reason: html is a sanitized modal QA thread buffer produced by escHtml()/renderMd()-wrapped builders
       thread.innerHTML = html;
       _qaMaybeScrollThreadToBottom(thread, shouldFollow);
     }
@@ -570,6 +576,7 @@ function modalSend() {
       return;
     }
     _qaQueue.push({ message, selection });
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: queued message)
     thread.insertAdjacentHTML('beforeend', _qaBuildQueuedHtml(message));
     _qaScrollThreadToBottom(thread);
     _showThreadWrap();
@@ -654,6 +661,7 @@ async function _processQaMessage(message, selection, opts) {
     const updatedThreadHtml = _qaMutateThreadHtml(sessionKey, tmp => {
       const loadingEl = tmp.querySelector('#' + loadingId);
       if (!loadingEl) return;
+      // eslint-disable-next-line no-unsanitized/property -- reason: _qaBuildLiveProgressHtml() uses renderMd()/formatToolSummary() to escape streamed text and tool fields before assembling HTML
       loadingEl.innerHTML = _qaBuildLiveProgressHtml(
         loadingId,
         _qaProgressLabel(elapsed),
@@ -813,6 +821,7 @@ async function _processQaMessage(message, selection, opts) {
             if (isJson) {
               body.textContent = display;
             } else {
+              // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
               body.innerHTML = renderMd(display);
               body.style.fontFamily = "'Segoe UI', system-ui, sans-serif";
               body.style.whiteSpace = 'normal';

package/dashboard/js/modal.js

@@ -122,6 +122,7 @@ function renderArchiveButtons(archives) {
   archivedPrds = archives;
   const el = document.getElementById('archive-btns');
   if (!archives.length) { el.innerHTML = ''; return; }
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: archive version)
   el.innerHTML = archives.map((a, i) =>
     '<button class="archive-btn" onclick="openArchive(' + i + ')">Archived: ' + escHtml(a.version) + ' (' + a.total + ' items)</button>'
   ).join(' ');

package/dashboard/js/qa.js

@@ -56,6 +56,7 @@ async function loadQaTargets() {
   } catch (e) { err = e; }
 
   if (err) {
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: err.message)
     const frag = document.createRange().createContextualFragment(
       '<p class="empty" style="color:var(--red)">Failed to load targets: ' + escHtml(err.message || String(err)) + '</p>'
     );
@@ -134,6 +135,7 @@ async function loadQaTargets() {
   // the dynamic-innerHTML regression gate (cf. test/unit.test.js
   // DYNAMIC_INNERHTML_BASELINE — all interpolated fields above are wrapped
   // in escHtml()).
+  // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: target name, project, source, ports)
   const frag = document.createRange().createContextualFragment(rows);
   root.replaceChildren(frag);
 }
@@ -176,6 +178,7 @@ async function loadQaRunbooks() {
   _qaRunbooksCache = items;
 
   if (err) {
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: err.message)
     const frag = document.createRange().createContextualFragment(
       '<p class="empty" style="color:var(--red)">Failed to load runbooks: ' + escHtml(err.message || String(err)) + '</p>'
     );
@@ -204,6 +207,7 @@ async function loadQaRunbooks() {
       '<button class="qa-btn-primary qa-runbook-run-btn" data-runbook-id="' + escHtml(id) + '" onclick="qaRunRunbook(this.dataset.runbookId)">Run</button>' +
       '</div>';
   }).join('');
+  // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: runbook id, name, target)
   const frag = document.createRange().createContextualFragment(rows);
   root.replaceChildren(frag);
 }
@@ -337,6 +341,7 @@ async function loadQaRuns() {
   } catch (e) { err = e; }
 
   if (err) {
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: err.message)
     const frag = document.createRange().createContextualFragment(
       '<p class="empty" style="color:var(--red)">Failed to load runs: ' + escHtml(err.message || String(err)) + '</p>'
     );
@@ -351,6 +356,7 @@ async function loadQaRuns() {
     return;
   }
   const rows = items.map(_qaRenderRunRow).join('');
+  // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: run id, status, runbook, target, timestamp, workItemId, agentId, artifact file names)
   const frag = document.createRange().createContextualFragment(rows);
   root.replaceChildren(frag);
 }

package/dashboard/js/refresh.js

@@ -64,7 +64,7 @@ function _detectPageChanges(data) {
 // for the same input. Cross-restart safety lives in the dashboardBuildId
 // reload path below — RENDER_VERSIONS handles the within-process case.
 const RENDER_VERSIONS = {
-  agents: 1,
+  agents: 2,
   prdProgress: 1,
   prdPrs: 1,
   inbox: 2,
@@ -166,6 +166,7 @@ function _processStatusUpdate(data) {
   const engineState = (data.engine && data.engine.state) ? data.engine.state : 'stopped';
   document.getElementById('setup-banner').style.display = (!data.initialized && engineState !== 'stopped') ? 'block' : 'none';
   const autoEl = document.getElementById('auto-approve-badge');
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from compile-time constants (no user data flows in)
   if (autoEl) autoEl.innerHTML = data.autoMode?.approvePlans
     ? '<span style="font-size:9px;font-weight:600;padding:1px 6px;border-radius:3px;background:rgba(63,185,80,0.15);color:var(--green);border:1px solid rgba(63,185,80,0.3)">AUTO-APPROVE</span>'
     : '';
@@ -242,6 +243,7 @@ function _processStatusUpdate(data) {
       var wt = data.engine.worktreeCount != null ? data.engine.worktreeCount : '-';
       var tick = data.engine.tick || '-';
       var pid = data.engine.pid || '-';
+      // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal engine metrics (pid, tick, worktreeCount; no user data flows in)
       qs.innerHTML = '<span>PID: <b>' + pid + '</b></span><span>Tick: <b>' + tick + '</b></span><span>Worktrees: <b>' + wt + '</b></span>';
     }
   }

package/dashboard/js/render-agents.js

@@ -35,13 +35,23 @@ function _runtimeTagHtml(runtime) {
   return '<span class="agent-runtime-tag" title="Runtime: ' + escapeHtml(fallback) + '" style="font-size:9px;font-weight:600;letter-spacing:0.4px;text-transform:uppercase;padding:1px 5px;margin-left:6px;border:1px solid var(--muted);border-radius:3px;color:var(--muted);background:transparent">' + escapeHtml(fallback) + '</span>';
 }
 
+// W-mpmwxk4y00053271 — compact text chip showing the resolved model next to
+// the runtime tag. Returns '' when the model is unknown so the row degrades
+// gracefully instead of rendering "null" / "undefined". Caleb feedback:
+// "The model is really critical piece of information to me as a user."
+function _modelChipHtml(model) {
+  if (!model || typeof model !== 'string') return '';
+  return '<span class="agent-model-tag" title="Model: ' + escapeHtml(model) + '" style="font-size:9px;font-weight:600;letter-spacing:0.4px;padding:1px 5px;margin-left:4px;border:1px solid var(--muted);border-radius:3px;color:var(--muted);background:transparent">' + escapeHtml(model) + '</span>';
+}
+
 function renderAgents(agents) {
   agentData = agents;
   const grid = document.getElementById('agents-grid');
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escapeHtml()/renderMd() (fields: agent id, emoji, name, status, role, lastAction, warning, resultSummary, blocking tool)
   grid.innerHTML = agents.map(a => `
     <div class="agent-card ${statusColor(a.status)}" data-agent-id="${escapeHtml(a.id)}" onclick="if(shouldIgnoreSelectionClick(event))return;openAgentDetail(this.dataset.agentId)">
       <div class="agent-card-header">
-        <span class="agent-name"><span class="agent-emoji">${escapeHtml(a.emoji)}</span>${escapeHtml(a.name)}${_runtimeTagHtml(a.runtime)}</span>
+        <span class="agent-name"><span class="agent-emoji">${escapeHtml(a.emoji)}</span>${escapeHtml(a.name)}${_runtimeTagHtml(a.runtime)}${_modelChipHtml(a.model)}</span>
         <span class="status-badge ${escapeHtml(a.status)}">${escapeHtml(a.status)}</span>
       </div>
       <div class="agent-role">${escapeHtml(a.role)}</div>
@@ -83,19 +93,35 @@ async function openAgentDetail(id) {
   runtimeSpan.style.cssText = 'display:inline-block;margin-left:10px';
   if (runtimeMeta && runtimeMeta.svg) {
     runtimeSpan.style.color = runtimeMeta.color;
+    // eslint-disable-next-line no-unsanitized/property -- reason: composed from compile-time constants (no user data flows in)
     runtimeSpan.innerHTML = runtimeMeta.svg.replace('width="13"', 'width="18"').replace('height="13"', 'height="18"');
     runtimeSpan.setAttribute('aria-label', runtimeMeta.label + ' runtime');
   } else {
     runtimeSpan.style.cssText += ';font-size:10px;font-weight:600;letter-spacing:0.4px;text-transform:uppercase;padding:2px 6px;border:1px solid var(--muted);border-radius:3px;color:var(--muted)';
     runtimeSpan.textContent = agent.runtime || 'unknown';
   }
-  nameEl.replaceChildren(
+  // W-mpmwxk4y00053271 — mirror the model chip the card shows so the detail
+  // header stays in sync. textContent path keeps the model string from being
+  // interpreted as HTML.
+  const modelSpan = (agent.model && typeof agent.model === 'string')
+    ? (() => {
+        const s = document.createElement('span');
+        s.title = 'Model: ' + agent.model;
+        s.style.cssText = 'display:inline-block;margin-left:6px;font-size:10px;font-weight:600;letter-spacing:0.4px;padding:2px 6px;border:1px solid var(--muted);border-radius:3px;color:var(--muted)';
+        s.textContent = agent.model;
+        return s;
+      })()
+    : null;
+  const children = [
     emojiSpan,
     document.createTextNode(' ' + (agent.name || '') + ' \u2014 ' + (agent.role || '')),
     runtimeSpan,
-  );
+  ];
+  if (modelSpan) children.push(modelSpan);
+  nameEl.replaceChildren(...children);
 
   const badgeClass = agent.status;
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; status is an internal bounded enum and all user data is wrapped in escapeHtml()/renderMd() (fields: lastAction, blocking tool, resultSummary)
   document.getElementById('detail-status-line').innerHTML =
     '<span class="status-badge ' + badgeClass + '">' + agent.status.toUpperCase() + '</span> ' +
     '<span style="color:var(--muted)">' + escapeHtml(agent.lastAction) + '</span>' +
@@ -112,6 +138,7 @@ async function openAgentDetail(id) {
     renderDetailTabs(detail);
     renderDetailContent(detail, currentTab);
   } catch(e) {
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escapeHtml() (fields: error message, agent id)
     document.getElementById('detail-content').innerHTML =
       '<div style="padding:24px;text-align:center">' +
         '<div style="color:var(--red);margin-bottom:12px">Error loading agent detail: ' + escapeHtml(e.message) + '</div>' +

package/dashboard/js/render-dispatch.js

@@ -101,6 +101,7 @@ function _wireEngineRestartClick(button) {
 
 function _renderEngineRestartSuccessBanner(el) {
   const pid = _engineRestartState?.pid || '?';
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal restart PID and fixed status markup (no user data flows in)
   el.innerHTML =
     '<span class="engine-alert-msg" style="color:var(--green)">&#x2713; Engine restarted (PID ' + pid + ') — waiting for first heartbeat...</span>';
   el.style.display = 'flex';
@@ -108,6 +109,7 @@ function _renderEngineRestartSuccessBanner(el) {
 
 function _renderEngineRestartRetryBanner(el) {
   const attempts = _engineRestartState?.retryCount || 0;
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal restart retry count and fixed action markup (no user data flows in)
   el.innerHTML =
     '<span class="engine-alert-msg">&#x26A0;&#xFE0F; Engine restart didn\'t take — heartbeat still stale (attempt ' + attempts + ' of ' + _ENGINE_RESTART_MAX_RETRIES + ').</span>' +
     '<span class="engine-alert-action" id="engine-alert-restart">Retry restart</span>';
@@ -117,6 +119,7 @@ function _renderEngineRestartRetryBanner(el) {
 
 function _renderEngineStaleBanner(el, staleMs) {
   const mins = Math.max(1, Math.round(staleMs / 60000));
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal heartbeat age and fixed action markup (no user data flows in)
   el.innerHTML =
     '<span class="engine-alert-msg">&#x26A0;&#xFE0F; Engine heartbeat is stale (' + mins + 'm old). Dispatch may be stuck.</span>' +
     '<span class="engine-alert-action" id="engine-alert-restart">Restart engine</span>';
@@ -162,6 +165,7 @@ function renderAdoThrottleAlert(adoThrottle) {
     return;
   }
   const resumeTime = formatLocalTime(adoThrottle.retryAfter);
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal ADO throttle timestamp and counters (no user data flows in)
   el.innerHTML =
     '<span class="engine-alert-msg">&#x26A0;&#xFE0F; ADO rate-limited — resume ~' + resumeTime + ' (' + adoThrottle.consecutiveHits + ' consecutive hit' + (adoThrottle.consecutiveHits !== 1 ? 's' : '') + ')</span>';
   el.style.display = 'flex';
@@ -176,6 +180,7 @@ function renderGhThrottleAlert(ghThrottle) {
     return;
   }
   const resumeTime = formatLocalTime(ghThrottle.retryAfter);
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal GitHub throttle timestamp and counters (no user data flows in)
   el.innerHTML =
     '<span class="engine-alert-msg">&#x26A0;&#xFE0F; GitHub rate-limited — resume ~' + resumeTime + ' (' + ghThrottle.consecutiveHits + ' consecutive hit' + (ghThrottle.consecutiveHits !== 1 ? 's' : '') + ')</span>';
   el.style.display = 'flex';
@@ -186,6 +191,7 @@ function renderDispatch(dispatch) {
 
   // Stats
   const stats = document.getElementById('dispatch-stats');
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from internal dispatch counts (no user data flows in)
   stats.innerHTML =
     '<div class="dispatch-stat"><div class="dispatch-stat-num yellow">' + (dispatch.active || []).length + '</div><div class="dispatch-stat-label">Active</div></div>' +
     '<div class="dispatch-stat"><div class="dispatch-stat-num blue">' + (dispatch.pending || []).length + '</div><div class="dispatch-stat-label">Pending</div></div>' +
@@ -205,6 +211,7 @@ function renderDispatch(dispatch) {
   // Active
   const activeEl = document.getElementById('dispatch-active');
   if ((dispatch.active || []).length > 0) {
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: dispatch type, agent, task)
     activeEl.innerHTML = '<div style="font-size:11px;color:var(--green);margin-bottom:6px;font-weight:600">ACTIVE</div><div class="dispatch-list">' +
       dispatch.active.map(d => dispatchItemHtml(d,
         '<span class="dispatch-time">' + shortTime(d.started_at) + '</span>'
@@ -216,6 +223,7 @@ function renderDispatch(dispatch) {
   // Pending
   const pendingEl = document.getElementById('dispatch-pending');
   if ((dispatch.pending || []).length > 0) {
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: dispatch type, agent, task, skip reason)
     pendingEl.innerHTML = '<div style="font-size:11px;color:var(--yellow);margin:8px 0 6px;font-weight:600">PENDING</div><div class="dispatch-list">' +
       dispatch.pending.map(d => dispatchItemHtml(d,
         d.skipReason ? '<span style="font-size:9px;color:var(--muted);margin-left:6px" title="' + escHtml(d.skipReason) + '">' + escHtml(d.skipReason.replace(/_/g, ' ')) + '</span>' : ''
@@ -237,6 +245,7 @@ function renderDispatch(dispatch) {
     const compStart = _completedPage * COMPLETED_PER_PAGE;
     const pageCompleted = completed.slice(compStart, compStart + COMPLETED_PER_PAGE);
 
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: dispatch id, type, agent, task, result, reason)
     completedEl.innerHTML = '<table class="pr-table"><thead><tr><th>ID</th><th>Type</th><th>Agent</th><th>Task</th><th>Result</th><th>Completed</th></tr></thead><tbody>' +
       pageCompleted.map(d => {
         const isError = d.result === 'error';
@@ -258,6 +267,7 @@ function renderDispatch(dispatch) {
       page: _completedPage, totalPages: totalCompPages,
       onPrev: '_completedPrev()', onNext: '_completedNext()',
     });
+    // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal numeric page bounds and fixed renderPager() callback names (no user data flows in)
     if (compPager) completedEl.insertAdjacentHTML('beforeend', compPager);
   } else {
     completedEl.innerHTML = '<p class="empty">No completed dispatches yet.</p>';
@@ -278,6 +288,7 @@ function renderEngineLog(log) {
   const logStart = _logPage * LOG_PER_PAGE;
   const pageLog = reversed.slice(logStart, logStart + LOG_PER_PAGE);
 
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: log message)
   el.innerHTML = pageLog.map(e =>
     '<div class="log-entry">' +
       '<span class="log-ts">' + shortTime(e.timestamp) + '</span> ' +
@@ -290,6 +301,7 @@ function renderEngineLog(log) {
     page: _logPage, totalPages: totalLogPages,
     onPrev: '_logPrev()', onNext: '_logNext()',
   });
+  // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal numeric page bounds and fixed renderPager() callback names (no user data flows in)
   if (logPager) el.insertAdjacentHTML('beforeend', logPager);
 }
 

package/dashboard/js/render-inbox.js

@@ -25,6 +25,7 @@ function renderInbox(inbox) {
   const inboxStart = _inboxPage * INBOX_PER_PAGE;
   const pageInbox = inbox.slice(inboxStart, inboxStart + INBOX_PER_PAGE);
 
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escapeHtml() (fields: inbox name, age, content, pin key)
   list.innerHTML = pageInbox.map((item, i) => {
     const idx = inboxStart + i;
     const pk = inboxPinKey(item.name);
@@ -47,6 +48,7 @@ function renderInbox(inbox) {
     page: _inboxPage, totalPages: totalInboxPages,
     onPrev: '_inboxPrev()', onNext: '_inboxNext()',
   });
+  // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal numeric page bounds and fixed renderPager() callback names (no user data flows in)
   if (inboxPager) list.insertAdjacentHTML('beforeend', inboxPager);
   restoreNotifBadges();
 }
@@ -67,6 +69,7 @@ function promoteToKB(name) {
     ).join('') +
     '</div></div>';
   document.getElementById('modal-title').textContent = 'Add to Knowledge Base';
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escapeHtml() (fields: inbox item name)
   document.getElementById('modal-body').innerHTML = picker;
   document.getElementById('modal').classList.add('open');
 }
@@ -83,6 +86,7 @@ function renderNotes(notes) {
   }
 
   if (!content || !content.trim()) { el.innerHTML = '<p class="empty">No team notes yet.</p>'; return; }
+  // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
   el.innerHTML = '<div class="notes-preview" data-file="notes.md" onclick="openNotesModal()" title="Click to expand">' + renderMd(content) + '</div>';
   el.querySelector('.notes-preview')._rawContent = content;
   restoreNotifBadges();
@@ -93,6 +97,7 @@ function openNotesModal() {
   if (!preview) return;
   const content = preview._rawContent || preview.textContent;
   document.getElementById('modal-title').textContent = 'Team Notes';
+  // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
   document.getElementById('modal-body').innerHTML = renderMd(content);
   document.getElementById('modal-body').style.fontFamily = "'Segoe UI', system-ui, sans-serif";
   document.getElementById('modal-body').style.whiteSpace = 'normal';
@@ -145,6 +150,7 @@ async function modalSaveEdit() {
 function modalCancelEdit() {
   const body = document.getElementById('modal-body');
   body.contentEditable = 'false';
+  // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
   body.innerHTML = renderMd(_modalDocContext.content); // revert (render Markdown, not raw text)
   body.style.border = '';
   body.style.padding = '';

package/dashboard/js/render-kb.js

@@ -108,6 +108,7 @@ function renderKnowledgeBase() {
     const label = KB_CAT_LABELS[cat] || cat;
     tabsHtml += '<button class="kb-tab ' + (_kbActiveTab === cat ? 'active' : '') + '" onclick="kbSetTab(\'' + cat + '\')">' + label + ' <span class="badge">' + catArr.length + '</span></button>';
   }
+  // eslint-disable-next-line no-unsanitized/property -- reason: composed from known KB category constants and item counts (no user data flows in)
   tabsEl.innerHTML = tabsHtml;
 
   // Filter items for active tab
@@ -134,6 +135,7 @@ function renderKnowledgeBase() {
   const kbStart = _kbPage * KB_PER_PAGE;
   const pageItems = items.slice(kbStart, kbStart + KB_PER_PAGE);
 
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escapeHtml() (fields: category, file, title, agent, preview)
   listEl.innerHTML = pageItems.map(item => {
     const icon = KB_CAT_ICONS[item.category] || '\u{1F4C4}';
     const label = KB_CAT_LABELS[item.category] || item.category;
@@ -159,6 +161,7 @@ function renderKnowledgeBase() {
     page: _kbPage, totalPages: totalKbPages,
     onPrev: '_kbPrev()', onNext: '_kbNext()',
   });
+  // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal numeric page bounds and fixed renderPager() callback names (no user data flows in)
   if (kbPager) listEl.insertAdjacentHTML('beforeend', kbPager);
   restoreNotifBadges();
 }
@@ -238,6 +241,7 @@ async function kbOpenItem(category, file) {
     const display = content.replace(/^---[\s\S]*?---\n*/m, '');
     document.getElementById('modal-title').textContent = file;
     const modalBody = document.getElementById('modal-body');
+    // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
     modalBody.innerHTML = renderMd(display);
     _modalDocContext = { title: file, content: display, selection: '' };
     _modalFilePath = 'knowledge/' + category + '/' + file; showModalQa();

package/dashboard/js/render-managed.js

@@ -178,6 +178,7 @@ async function renderManagedProcesses() {
   // first append so each mount needs its own copy).
   for (const m of liveMounts) {
     if (m.countEl) m.countEl.textContent = countText;
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: fetch error, project, process name, ports, attrs, uptime, ttl)
     const frag = document.createRange().createContextualFragment(html);
     m.root.replaceChildren(frag);
   }

package/dashboard/js/render-meetings.js

@@ -30,6 +30,7 @@ function renderMeetings(meetings) {
   const visible = _showArchived ? meetings : active;
   if (visible.length === 0) {
     el.innerHTML = '<p class="empty">No active meetings.</p>';
+    // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal archived count and fixed toggle markup (no user data flows in)
     if (archived.length) el.insertAdjacentHTML('beforeend', '<div style="text-align:center;margin-top:8px"><button class="pr-pager-btn" style="font-size:10px" onclick="_toggleArchivedMeetings()">Show ' + archived.length + ' archived</button></div>');
     _mtgTotalPages = 1;
     return;
@@ -41,6 +42,7 @@ function renderMeetings(meetings) {
   const start = _mtgPage * MTG_PER_PAGE;
   const pageItems = visible.slice(start, start + MTG_PER_PAGE);
 
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: meeting id, title, participants, time, agenda)
   el.innerHTML = pageItems.map(m => {
     const statusColor = statusColors[m.status] || 'var(--muted)';
     const statusLabel = statusLabels[m.status] || m.status;
@@ -72,6 +74,7 @@ function renderMeetings(meetings) {
   }).join('');
 
   if (visible.length > MTG_PER_PAGE) {
+    // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal numeric page bounds and fixed pager actions (no user data flows in)
     el.insertAdjacentHTML('beforeend', '<div class="pr-pager">' +
       '<span class="pr-page-info">Showing ' + (start + 1) + ' to ' + Math.min(start + MTG_PER_PAGE, visible.length) + ' of ' + visible.length + '</span>' +
       '<div class="pr-pager-btns">' +
@@ -81,6 +84,7 @@ function renderMeetings(meetings) {
   }
 
   if (archived.length > 0) {
+    // eslint-disable-next-line no-unsanitized/method -- reason: composed from internal archived count and fixed toggle label (no user data flows in)
     el.insertAdjacentHTML('beforeend', '<div style="text-align:center;margin-top:8px"><button class="pr-pager-btn" style="font-size:10px" onclick="_toggleArchivedMeetings()">' +
       (_showArchived ? 'Hide' : 'Show') + ' ' + archived.length + ' archived</button></div>');
   }
@@ -213,6 +217,7 @@ function _renderMeetingDetail(m) {
       document.getElementById('modal-title').textContent = 'Meeting: ' + m.title;
       var body = document.getElementById('modal-body');
       var scrollTop = body.scrollTop;
+      // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled markdown fields before assembling HTML (see dashboard/js/utils.js); ids and labels use escHtml()
       body.innerHTML = html;
       body.style.fontFamily = "'Segoe UI', system-ui, sans-serif";
       body.style.whiteSpace = 'normal';
@@ -274,6 +279,7 @@ function openCreateMeetingModal() {
   const inputStyle = 'display:block;width:100%;margin-top:4px;padding:6px 8px;background:var(--bg);border:1px solid var(--border);border-radius:var(--radius-sm);color:var(--text);font-size:var(--text-md);font-family:inherit';
 
   document.getElementById('modal-title').textContent = 'New Team Meeting';
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: agent id, name, role)
   document.getElementById('modal-body').innerHTML =
     '<div style="display:flex;flex-direction:column;gap:10px">' +
       '<label style="color:var(--text);font-size:var(--text-md)">Title<input id="mtg-title" style="' + inputStyle + '" placeholder="e.g. Should we add SQLite?"></label>' +

package/dashboard/js/render-other.js

@@ -9,6 +9,7 @@ function renderProjects(projects) {
       '<span onclick="openScanProjectsModal()" style="background:var(--surface2);border:1px solid var(--border);border-radius:4px;padding:3px 10px;color:var(--blue);font-weight:500;cursor:pointer;border-style:dashed;font-size:10px">Scan</span>';
     return;
   }
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: project name, path, branch metadata)
   list.innerHTML = visible.map(p =>
     '<span data-project="' + escHtml(p.name) + '" title="' + escHtml(p.path || '') + '" style="display:inline-flex;align-items:center;gap:6px;background:var(--surface2);border:1px solid var(--border);border-radius:4px;padding:3px 10px;color:var(--blue);font-weight:500;cursor:help">' +
       escHtml(p.name) +
@@ -137,6 +138,7 @@ function renderMcpServers(servers) {
     el.innerHTML = '<p class="empty">No MCP servers found. Add them via <code>claude mcp add</code> / <code>copilot mcp add</code>, install a plugin that ships one, or drop a <code>.mcp.json</code> into a registered project — they\'ll appear here automatically.</p>';
     return;
   }
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: server source, status, args, command, name)
   el.innerHTML = '<div style="display:flex;flex-wrap:wrap;gap:6px;margin-bottom:8px">' +
     servers.map(s =>
       '<div style="font-size:11px;padding:5px 10px;background:var(--surface2);border:1px solid var(--border);border-radius:6px;color:var(--text)" title="' + escHtml([s.source, s.status, s.args || s.command].filter(Boolean).join(' · ')) + '">' +
@@ -202,6 +204,7 @@ function renderMetrics(metrics) {
     '</tr>';
   }
   html += '</tbody></table>';
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: agent id)
   el.innerHTML = html;
   renderLlmPerf(metrics);
   renderTokenUsage(metrics);
@@ -250,6 +253,7 @@ function renderLlmPerf(metrics) {
     }
   }
   html += '</tbody></table>';
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: LLM call type)
   el.innerHTML = html;
 }
 
@@ -401,12 +405,14 @@ function renderTokenUsage(metrics) {
     html += '</tbody></table>';
   }
 
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: agent id, model label, engine category)
   el.innerHTML = html;
 }
 
 
 async function openScanProjectsModal() {
   document.getElementById('modal-title').textContent = 'Scan for Projects';
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: default scan path)
   document.getElementById('modal-body').innerHTML =
     '<div style="display:flex;flex-direction:column;gap:12px">' +
       '<div style="display:flex;gap:8px;align-items:flex-end">' +
@@ -439,8 +445,10 @@ async function _runProjectScan() {
       body: JSON.stringify({ path: scanPath, depth: Number(depth) })
     });
     var data = await res.json();
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: scan error)
     if (!res.ok) { resultsEl.innerHTML = '<span style="color:var(--red)">Error: ' + escHtml(data.error) + '</span>'; return; }
     var repos = data.repos || [];
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: scan path)
     if (repos.length === 0) { resultsEl.innerHTML = '<span style="color:var(--muted)">No git repos found in ' + escHtml(scanPath) + '</span>'; return; }
 
     var html = '<div style="margin-bottom:8px;font-size:11px;color:var(--muted)">' + repos.length + ' repos found — select to add:</div>';
@@ -467,8 +475,10 @@ async function _runProjectScan() {
       '</div>' +
       '<button onclick="_addSelectedProjects()" style="padding:6px 16px;background:var(--green);color:#fff;border:none;border-radius:var(--radius-sm);cursor:pointer">Add Selected</button>' +
     '</div>';
+    // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: repo host, name, path, description)
     resultsEl.innerHTML = html;
     window._scanRepos = repos;
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: error message)
   } catch (e) { resultsEl.innerHTML = '<span style="color:var(--red)">Error: ' + escHtml(e.message) + '</span>'; }
 }
 
@@ -640,6 +650,7 @@ async function renderKeepProcesses() {
   // append so each mount needs its own copy).
   for (const m of liveMounts) {
     if (m.countEl) m.countEl.textContent = countText;
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: fetch error, agent id, reason, file path, work item id, purpose, cwd)
     const frag = document.createRange().createContextualFragment(html);
     m.root.replaceChildren(frag);
   }

package/dashboard/js/render-pinned.js

@@ -10,6 +10,7 @@ function renderPinned(entries) {
   }
   // Store entries for click-to-view (full content available in status response)
   window._pinnedEntries = entries;
+  // eslint-disable-next-line no-unsanitized/property -- reason: structural HTML is a string literal; all user data wrapped in escHtml()/renderMd() (fields: title, content)
   el.innerHTML = entries.map((e, i) =>
     '<div class="pinned-card" data-file="pinned:' + escHtml(e.title) + '" style="padding:8px 12px;margin-bottom:6px;background:var(--surface2);border-left:3px solid ' +
       (e.level === 'critical' ? 'var(--red)' : e.level === 'warning' ? 'var(--yellow)' : 'var(--blue)') +
@@ -90,6 +91,7 @@ function openPinnedView(idx) {
   const entry = (window._pinnedEntries || [])[idx];
   if (!entry) return;
   document.getElementById('modal-title').textContent = entry.title;
+  // eslint-disable-next-line no-unsanitized/property -- reason: renderMd() escapes all user-controlled fields before assembling HTML (see dashboard/js/utils.js)
   document.getElementById('modal-body').innerHTML = renderMd(entry.content);
   document.getElementById('modal-body').style.fontFamily = "'Segoe UI', system-ui, sans-serif";
   document.getElementById('modal-body').style.whiteSpace = 'normal';