@yemi33/minions 0.1.2070 → 0.1.2072

package/dashboard.js

@@ -1797,6 +1797,16 @@ function _buildStatusFastState() {
     // helper returns { total, sig } without sorting; that's all the sidebar
     // counter needs to detect new runs and status flips.
     qaRuns: _safeStatusSlice('qaRuns', () => qaRunsMod.summarizeRunsForStatus(), { total: 0, sig: '' }),
+    // QA sessions — same role as qaRuns above. The sidebar activity-dot
+    // for QA Sessions polls this slice for the cheap { total, sig } summary
+    // so a new session or a state transition lights the dot within one
+    // /api/status cycle. summarizeSessionsForStatus is unsorted (mirrors
+    // qaRunsMod.summarizeRunsForStatus) so this stays O(N) and doesn't
+    // charge sort cost to the /api/status hot path.
+    qaSessions: _safeStatusSlice('qaSessions', () => {
+      const qaSessions = require('./engine/qa-sessions');
+      return qaSessions.summarizeSessionsForStatus();
+    }, { total: 0, sig: '' }),
   };
 }
 
@@ -6110,6 +6120,17 @@ const server = http.createServer(async (req, res) => {
 
   async function handleKnowledgeRead(req, res, match) {
     const cat = match[1];
+    // P-bfa2b-kb-path-traversal — whitelist the category param BEFORE any
+    // path.join. Without this, cat='..' collapses kbCatDir to MINIONS_DIR
+    // (path.join normalizes '..') and the next sanitizePath('config.json',
+    // MINIONS_DIR) check still passes, allowing safeRead to disclose
+    // config.json / work-items.json / engine state to any browser the
+    // operator has open. The whitelist also rejects encoded variants
+    // (`%2e%2e`, `..%2f`, etc.) since none of those are valid category
+    // names. Single source of truth lives in shared.KB_READABLE_CATEGORIES.
+    if (!shared.KB_READABLE_CATEGORIES.includes(cat)) {
+      return jsonReply(res, 400, { error: 'invalid category' });
+    }
     const file = decodeURIComponent(match[2]);
     // Prevent path traversal
     const kbCatDir = path.join(MINIONS_DIR, 'knowledge', cat);
@@ -9571,6 +9592,11 @@ What would you like to discuss or change? When you're happy, say "approve" and I
       }
       const keepProcessSweep = require('./engine/keep-process-sweep');
       const filePath = path.join(MINIONS_DIR, 'agents', agentId, keepProcessSweep.KEEP_PIDS_FILENAME);
+      // Pre-lock validation: existence + parse + pid-present. Surfaces clean
+      // 404/400 responses without taking the lock when there's nothing to
+      // mutate. The authoritative read-modify-write happens inside
+      // mutateJsonFileLocked below — that callback re-reads the on-disk state
+      // so a concurrent kill that already removed our pid is handled safely.
       let raw;
       try { raw = fs.readFileSync(filePath, 'utf8'); }
       catch { return jsonReply(res, 404, { error: 'keep-pids.json not found for agent' }, req); }
@@ -9581,17 +9607,38 @@ What would you like to discuss or change? When you're happy, say "approve" and I
       if (!pidsBefore.includes(pidNum)) {
         return jsonReply(res, 404, { error: `pid ${pidNum} not declared in ${filePath}` }, req);
       }
+      // Kill OUTSIDE the lock — process kills (and any other syscalls beyond
+      // the file mutation) must not live inside a mutateJsonFileLocked
+      // callback per the lock-discipline rule in copilot-instructions.md.
       const killed = shared.killByPidImmediate(pidNum);
-      const remaining = pidsBefore.filter((p) => p !== pidNum);
+      // P-bfa1b — wrap the keep-pids.json read-modify-write in
+      // mutateJsonFileLocked so two concurrent /api/keep-processes/kill
+      // calls cannot each read the pre-mutation pids[] snapshot and clobber
+      // each other's writes. The callback is synchronous, mutation-only:
+      // no kills, no awaits, no network. The unlink (when remaining is
+      // empty) runs AFTER the lock releases.
+      let remaining = pidsBefore.filter((p) => p !== pidNum);
+      let shouldUnlink = false;
+      try {
+        mutateJsonFileLocked(filePath, (data) => {
+          if (!data || typeof data !== 'object' || Array.isArray(data)) return data;
+          const currentPids = Array.isArray(data.pids) ? data.pids.map(Number) : [];
+          remaining = currentPids.filter((p) => p !== pidNum);
+          if (remaining.length === 0) {
+            shouldUnlink = true;
+            return data;
+          }
+          data.pids = remaining;
+          return data;
+        }, { skipWriteIfUnchanged: true });
+      } catch (e) {
+        return jsonReply(res, 500, { error: `failed to update keep-pids.json: ${e.message}` }, req);
+      }
       let action;
-      if (remaining.length === 0) {
+      if (shouldUnlink) {
         try { fs.unlinkSync(filePath); } catch {}
         action = 'killed-and-removed-file';
       } else {
-        parsed.pids = remaining;
-        try { fs.writeFileSync(filePath, JSON.stringify(parsed, null, 2)); } catch (e) {
-          return jsonReply(res, 500, { error: `failed to update keep-pids.json: ${e.message}` }, req);
-        }
         action = 'killed-and-updated-file';
       }
       shared.log('info', `keep-processes manual kill: agent=${agentId} pid=${pidNum} killed=${killed} action=${action}`);
@@ -10166,6 +10213,348 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     }
   }
 
+  // ── QA Sessions + Runners endpoints (P-d2f5a8c9) ────────────────────────────
+  // Thin HTTP wrappers over engine/qa-sessions.js + engine/qa-runners.js. The
+  // lifecycle (state machine, work-item builders, dispatch chain) lives in
+  // those modules; these handlers translate HTTP into the right call,
+  // resolve project/wiPath the same way handleQaRunbookRun does, and shape
+  // qa-sessions thrown errors into 400/404/409 instead of 500.
+  //
+  // Endpoint summary:
+  //   POST /api/qa/session                       create + queueSetup (pending→spawning)
+  //   GET  /api/qa/sessions                      list (?limit= ?state=)
+  //   GET  /api/qa/sessions/<id>                 fetch single
+  //   POST /api/qa/sessions/<id>/approve         awaiting-approval → executing
+  //   POST /api/qa/sessions/<id>/edit            awaiting-approval → drafting (with feedback)
+  //   POST /api/qa/sessions/<id>/cancel          any non-terminal → killed
+  //   POST /api/qa/sessions/<id>/kill            cancel + kill managed-spawn
+  //   POST /api/qa/sessions/<id>/dismiss         non-terminal → done
+  //   GET  /api/qa/runners                       list registered runner adapters
+  //   POST /api/qa/runners/reload                clear registry + re-register + re-scan plugins
+
+  // Map a qa-sessions thrown error to an HTTP status. The module throws
+  // descriptive strings on illegal transitions / missing sessions; pre-PR4
+  // callers swallowed these as 500 — that loses the error semantics we need
+  // (404 for unknown sessions, 409 for wrong state, 400 for spec/feedback
+  // violations).
+  function _qaSessionsErrorToStatus(err) {
+    const msg = (err && err.message) || '';
+    if (/session not found/i.test(msg)) return 404;
+    if (/unsafe sessionId/i.test(msg)) return 400;
+    if (/illegal state transition/i.test(msg)) return 409;
+    if (/requires state /i.test(msg)) return 409;
+    if (/requires non-terminal/i.test(msg)) return 409;
+    if (/invalid spec|requires |exceeds /i.test(msg)) return 400;
+    return 500;
+  }
+
+  // Resolve the (project, wiPath) tuple for a session create/approve/edit
+  // request. session.spec.project (or the create-time project field) decides
+  // which work-items.json receives the new WI. central → root-level
+  // work-items.json. Returns { error } on resolution failure so the handler
+  // can reply 400.
+  function _qaSessionsResolveTarget(projectName) {
+    const target = resolveWorkItemsCreateTarget(projectName || '');
+    if (target.error) return { error: target.error };
+    return { wiPath: target.wiPath, project: target.project ? target.project.name : null };
+  }
+
+  async function handleQaSessionCreate(req, res) {
+    try {
+      const body = await readBody(req);
+      // Validate first so a bad spec returns 400 BEFORE we touch state. The
+      // body shape is identical to qaSessions.validateSpec — target, flowsRaw,
+      // mode, capture, runner, project, createdBy — so we forward it
+      // verbatim.
+      const qaSessions = require('./engine/qa-sessions');
+      const v = qaSessions.validateSpec(body);
+      if (!v.ok) return jsonReply(res, 400, { error: 'invalid spec', details: v.errors }, req);
+
+      // Stamp the operator identity from the standard tracing header so the
+      // session record carries the same _originAgent/_originWi audit trail
+      // POST /api/work-items uses. Skipped when the header is missing — the
+      // session record's createdBy stays null.
+      const originAgent = req.headers['x-minions-agent'];
+      const createSpec = { ...body };
+      if (originAgent && typeof originAgent === 'string' && createSpec.createdBy === undefined) {
+        createSpec.createdBy = originAgent;
+      }
+
+      const resolved = _qaSessionsResolveTarget(createSpec.project);
+      if (resolved.error) return jsonReply(res, 400, { error: resolved.error }, req);
+
+      let session;
+      try { session = qaSessions.createSession(createSpec); }
+      catch (e) { return jsonReply(res, 400, { error: e.message, details: e.validationErrors }, req); }
+
+      let setupWiId = null;
+      try {
+        setupWiId = qaSessions.queueSetup(session.id, {
+          wiPath: resolved.wiPath,
+          project: resolved.project,
+        });
+      } catch (e) {
+        // queueSetup throws when pending→spawning is rejected (createSession
+        // succeeded but transition failed — e.g. concurrent call). Surface
+        // the session id so the caller can poll /api/qa/sessions/<id>; the
+        // session record itself was persisted.
+        return jsonReply(res, _qaSessionsErrorToStatus(e), {
+          error: e.message,
+          sessionId: session.id,
+        }, req);
+      }
+
+      invalidateStatusCache();
+      return jsonReply(res, 200, {
+        sessionId: session.id,
+        state: 'spawning',
+        setupWorkItemId: setupWiId,
+        managedSpawnName: session.managedSpawnName,
+      }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
+  function handleQaSessionsList(req, res) {
+    try {
+      const qaSessions = require('./engine/qa-sessions');
+      const u = new URL(req.url, 'http://x');
+      const limitRaw = u.searchParams.get('limit');
+      const stateRaw = u.searchParams.get('state');
+      const opts = {};
+      if (limitRaw != null && limitRaw !== '') {
+        const n = Number(limitRaw);
+        if (!Number.isFinite(n) || n <= 0) {
+          return jsonReply(res, 400, { error: 'limit must be a positive number' }, req);
+        }
+        opts.limit = Math.floor(n);
+      }
+      if (stateRaw) {
+        if (!qaSessions.isValidState(stateRaw)) {
+          return jsonReply(res, 400, {
+            error: `state must be one of ${Object.values(qaSessions.QA_SESSION_STATE).join(', ')}`,
+          }, req);
+        }
+        opts.state = stateRaw;
+      }
+      const sessions = qaSessions.listSessions(opts);
+      return jsonReply(res, 200, { sessions, generatedAt: new Date().toISOString() }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
+  function handleQaSessionsById(req, res, match) {
+    try {
+      const qaSessions = require('./engine/qa-sessions');
+      const id = decodeURIComponent(match[1] || '');
+      // Reuse the qa-artifacts safe-segment guard — sessionId travels into
+      // qa-tests/<id>/ paths inside qaSessions and is already validated by
+      // _isSafeSessionId there. The handler-level guard avoids a thrown
+      // error before getSession even runs.
+      if (!_qaIsSafeSegment(id)) return jsonReply(res, 400, { error: 'invalid session id' }, req);
+      const session = qaSessions.getSession(id);
+      if (!session) return jsonReply(res, 404, { error: 'qa session not found' }, req);
+      return jsonReply(res, 200, { session }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
+  // Shared helper for approve + edit + cancel + kill + dismiss — each takes
+  // a sessionId from the URL and a body, delegates to qaSessions.* and maps
+  // module errors to HTTP statuses.
+  async function _qaSessionAction(req, res, match, action) {
+    try {
+      const qaSessions = require('./engine/qa-sessions');
+      const id = decodeURIComponent((match && match[1]) || '');
+      if (!_qaIsSafeSegment(id)) return jsonReply(res, 400, { error: 'invalid session id' }, req);
+      const session = qaSessions.getSession(id);
+      if (!session) return jsonReply(res, 404, { error: 'qa session not found' }, req);
+      const body = await readBody(req);
+      return await action(qaSessions, session, body);
+    } catch (e) {
+      return jsonReply(res, _qaSessionsErrorToStatus(e), { error: e.message }, req);
+    }
+  }
+
+  // POST /api/qa/sessions/<id>/approve — awaiting-approval → executing. The
+  // handler creates the qa-runs record server-side (mirrors handleQaRunbookRun)
+  // so the caller doesn't have to. The synthetic runbookId is
+  // `qa-session-<id>` so the qa-runs view can distinguish session-spawned
+  // runs from runbook-spawned ones at a glance.
+  async function handleQaSessionApprove(req, res, match) {
+    return _qaSessionAction(req, res, match, async (qaSessions, session) => {
+      const resolved = _qaSessionsResolveTarget(session.spec.project);
+      if (resolved.error) return jsonReply(res, 400, { error: resolved.error }, req);
+
+      const qaRuns = require('./engine/qa-runs');
+      const run = qaRuns.createRun({
+        runbookId: 'qa-session-' + session.id,
+        targetName: session.managedSpawnName,
+        project: resolved.project || session.spec.project || null,
+        workItemId: null, // back-filled below
+      });
+
+      let executeWiId;
+      try {
+        executeWiId = qaSessions.approveDraft(session.id, {
+          wiPath: resolved.wiPath,
+          qaRunId: run.id,
+          project: resolved.project,
+        });
+      } catch (e) {
+        return jsonReply(res, _qaSessionsErrorToStatus(e), { error: e.message }, req);
+      }
+
+      try { qaRuns.setRunWorkItemId(run.id, executeWiId); }
+      catch (_e) { /* non-fatal — engine still resolves run by id */ }
+
+      // Also stamp the qaRunId onto the session record so /api/qa/sessions/<id>
+      // shows the linked run without forcing the client to traverse WI meta.
+      try { qaSessions.setSessionQaRunId(session.id, run.id); } catch (_e) { /* non-fatal */ }
+
+      invalidateStatusCache();
+      return jsonReply(res, 200, {
+        sessionId: session.id,
+        state: 'executing',
+        executeWorkItemId: executeWiId,
+        qaRunId: run.id,
+      }, req);
+    });
+  }
+
+  // POST /api/qa/sessions/<id>/edit — awaiting-approval → drafting. The body
+  // must include non-empty `feedback` (≤ qaSessions.LIMITS.feedbackMax) that
+  // re-fires DRAFT with the user's natural-language steering.
+  async function handleQaSessionEdit(req, res, match) {
+    return _qaSessionAction(req, res, match, async (qaSessions, session, body) => {
+      const feedback = body && typeof body.feedback === 'string' ? body.feedback : '';
+      if (!feedback.trim()) return jsonReply(res, 400, { error: 'feedback required' }, req);
+
+      const resolved = _qaSessionsResolveTarget(session.spec.project);
+      if (resolved.error) return jsonReply(res, 400, { error: resolved.error }, req);
+
+      let draftWiId;
+      try {
+        draftWiId = qaSessions.editDraft(session.id, {
+          wiPath: resolved.wiPath,
+          feedback,
+          project: resolved.project,
+        });
+      } catch (e) {
+        return jsonReply(res, _qaSessionsErrorToStatus(e), { error: e.message }, req);
+      }
+
+      invalidateStatusCache();
+      return jsonReply(res, 200, {
+        sessionId: session.id,
+        state: 'drafting',
+        draftWorkItemId: draftWiId,
+      }, req);
+    });
+  }
+
+  // POST /api/qa/sessions/<id>/cancel — any non-terminal → killed. Does NOT
+  // touch the managed-spawn (use /kill if the spawn must die too). Idempotent
+  // on already-terminal sessions: returns 409 with the current state so the
+  // caller knows the operation was a no-op.
+  async function handleQaSessionCancel(req, res, match) {
+    return _qaSessionAction(req, res, match, async (qaSessions, session, body) => {
+      const reason = body && typeof body.reason === 'string' ? body.reason : null;
+      let updated;
+      try { updated = qaSessions.cancelSession(session.id, { reason }); }
+      catch (e) { return jsonReply(res, _qaSessionsErrorToStatus(e), { error: e.message }, req); }
+      invalidateStatusCache();
+      return jsonReply(res, 200, {
+        sessionId: session.id,
+        state: updated && updated.state,
+      }, req);
+    });
+  }
+
+  // POST /api/qa/sessions/<id>/kill — same as cancel but also kills the
+  // managed-spawn via removeManagedSpec(). Best-effort on the spawn kill —
+  // we still mark the session killed even if no managed-spawn exists yet
+  // (e.g., session was killed while still in `pending` before SETUP ran).
+  async function handleQaSessionKill(req, res, match) {
+    return _qaSessionAction(req, res, match, async (qaSessions, session, body) => {
+      const reason = body && typeof body.reason === 'string' ? body.reason : null;
+
+      // Kill the managed-spawn FIRST so the session record gets a true
+      // post-kill state. Wrapped in try/catch because the spawn may not
+      // exist (pending state) or the module may be missing in tests.
+      try {
+        const managedSpawn = require('./engine/managed-spawn');
+        const specs = managedSpawn.listManagedSpecs();
+        const spec = specs.find(s => s && s.name === session.managedSpawnName);
+        if (spec) managedSpawn.removeManagedSpec(session.managedSpawnName);
+      } catch (e) {
+        shared.log('warn', `qa-sessions: managed-spawn kill failed for ${session.id}: ${e.message}`);
+      }
+
+      let updated;
+      try { updated = qaSessions.killSession(session.id, { reason }); }
+      catch (e) { return jsonReply(res, _qaSessionsErrorToStatus(e), { error: e.message }, req); }
+      invalidateStatusCache();
+      return jsonReply(res, 200, {
+        sessionId: session.id,
+        state: updated && updated.state,
+        killedSpawn: session.managedSpawnName,
+      }, req);
+    });
+  }
+
+  // POST /api/qa/sessions/<id>/dismiss — non-terminal → done without running
+  // EXECUTE. Useful when the user accepts the draft as final but doesn't
+  // want to execute (e.g., reviewing a test before merging it).
+  async function handleQaSessionDismiss(req, res, match) {
+    return _qaSessionAction(req, res, match, async (qaSessions, session, body) => {
+      const summary = body && typeof body.summary === 'string' ? body.summary : null;
+      let updated;
+      try { updated = qaSessions.dismissSession(session.id, { summary }); }
+      catch (e) { return jsonReply(res, _qaSessionsErrorToStatus(e), { error: e.message }, req); }
+      invalidateStatusCache();
+      return jsonReply(res, 200, {
+        sessionId: session.id,
+        state: updated && updated.state,
+      }, req);
+    });
+  }
+
+  // GET /api/qa/runners — list registered runner adapters (built-ins +
+  // qa-runners.d/ plugins). Returns metadata only (name, priority, label,
+  // description, installHint) — hooks are intentionally stripped server-side
+  // because they're functions and not JSON-serializable.
+  function handleQaRunnersList(req, res) {
+    try {
+      const qaRunners = require('./engine/qa-runners');
+      const runners = qaRunners.listRunners();
+      return jsonReply(res, 200, { runners }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
+  // POST /api/qa/runners/reload — clear the in-process registry, re-register
+  // built-ins, then re-scan qa-runners.d/ for plugin edits. Hot-reload entry
+  // point referenced from engine/qa-runners.js docs. Returns the new runner
+  // list so the caller can confirm the reload picked up edited/added plugins.
+  async function handleQaRunnersReload(req, res) {
+    try {
+      const qaRunners = require('./engine/qa-runners');
+      qaRunners._clearRunners();
+      qaRunners._registerBuiltins();
+      qaRunners._loadRunnerPlugins();
+      const runners = qaRunners.listRunners();
+      shared.log('info', `qa-runners reload: ${runners.length} runner(s) registered`);
+      return jsonReply(res, 200, { reloaded: true, runners }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
   // ── Route Registry ──────────────────────────────────────────────────────────
   // Order matters: specific routes before general ones (e.g., /api/plans/approve before /api/plans/:file)
 
@@ -10256,6 +10645,21 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     { method: 'GET',  path: /^\/api\/qa\/runbooks\/([^/?]+)$/, template: '/api/qa/runbooks/<id>', desc: 'Get a single QA runbook by id.', handler: handleQaRunbooksGet },
     { method: 'POST', path: '/api/qa/runbooks', desc: 'Create or update a QA runbook. Body: full runbook spec (id, name, project, targetName, steps[], expectedArtifacts[]).', handler: handleQaRunbooksSave },
     { method: 'DELETE', path: /^\/api\/qa\/runbooks\/([^/?]+)$/, template: '/api/qa/runbooks/<id>', desc: 'Delete a QA runbook by id.', handler: handleQaRunbooksDelete },
+    // QA Sessions endpoints (P-d2f5a8c9). HTTP wrappers over engine/qa-sessions.js.
+    // The state-action routes (/approve, /edit, /cancel, /kill, /dismiss) MUST
+    // sit BEFORE the catch-all /api/qa/sessions/<id> GET regex so the action
+    // suffix doesn't get swallowed as part of the id segment.
+    { method: 'POST', path: '/api/qa/session', desc: 'Create a QA session and queue its SETUP work item. Body: { target, flowsRaw, mode?, capture?, runner?, project?, createdBy? }.', params: 'target, flowsRaw, mode?, capture?, runner?, project?, X-Minions-Agent?', handler: handleQaSessionCreate },
+    { method: 'GET',  path: '/api/qa/sessions', desc: 'List QA sessions (newest first). Optional ?limit=N and ?state=pending|spawning|drafting|awaiting-approval|executing|done|failed|killed filters.', handler: handleQaSessionsList },
+    { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/approve$/, template: '/api/qa/sessions/<id>/approve', desc: 'Approve a draft (awaiting-approval → executing). Creates the linked qa-runs record server-side and queues the EXECUTE work item.', handler: handleQaSessionApprove },
+    { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/edit$/, template: '/api/qa/sessions/<id>/edit', desc: 'Edit a draft (awaiting-approval → drafting). Body: { feedback }. Re-fires DRAFT with the feedback threaded into the prompt.', params: 'feedback', handler: handleQaSessionEdit },
+    { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/cancel$/, template: '/api/qa/sessions/<id>/cancel', desc: 'Cancel a session (non-terminal → killed). Does NOT touch the managed-spawn — use /kill for that.', params: 'reason?', handler: handleQaSessionCancel },
+    { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/kill$/, template: '/api/qa/sessions/<id>/kill', desc: 'Kill a session and its managed-spawn (non-terminal → killed). Best-effort on the spawn kill.', params: 'reason?', handler: handleQaSessionKill },
+    { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/dismiss$/, template: '/api/qa/sessions/<id>/dismiss', desc: 'Mark a session done without running EXECUTE (non-terminal → done).', params: 'summary?', handler: handleQaSessionDismiss },
+    { method: 'GET',  path: /^\/api\/qa\/sessions\/([^/?]+)$/, template: '/api/qa/sessions/<id>', desc: 'Fetch a single QA session record by id.', handler: handleQaSessionsById },
+    // QA Runners endpoints (P-d2f5a8c9). Pluggable runner-adapter registry.
+    { method: 'GET',  path: '/api/qa/runners', desc: 'List registered QA runner adapters (built-ins + qa-runners.d/ plugins). Returns metadata only (no hooks).', handler: handleQaRunnersList },
+    { method: 'POST', path: '/api/qa/runners/reload', desc: 'Clear the in-process runner registry, re-register built-ins, and re-scan qa-runners.d/ for plugin edits.', handler: handleQaRunnersReload },
 
     // Work items
     { method: 'POST', path: '/api/work-items', desc: 'Create a new work item', params: 'title, type?, description?, priority?, project?, agent?, agents?, scope?, references?, acceptanceCriteria?, skipPr?, oneShot?, meta?, meta.pr_followup?, X-Minions-Agent?, X-Minions-Origin-Wi?', handler: handleWorkItemsCreate },