@yemi33/minions 0.1.2086 → 0.1.2088

package/dashboard.js

@@ -73,11 +73,6 @@ const TITLE_SUFFIX = IS_DEV_MODE ? ' [DEV]' : '';
 
 const PORT = parseInt(process.env.PORT || process.argv[2]) || 7331;
 let CONFIG = queries.getConfig();
-// Mirror cli.js: clear persisted statusWorkItemsRetentionDays=7 + the matching
-// meetings field (prior default 7) so the new default (0, no trim) reaches the
-// /api/status slimmers without needing an engine bounce first.
-try { shared.applyStatusWorkItemsRetentionMigration(CONFIG); } catch { /* best-effort */ }
-try { shared.applyStatusMeetingsRetentionMigration(CONFIG); } catch { /* best-effort */ }
 let PROJECTS = _getProjects(CONFIG);
 const CONFIG_PATH = path.join(MINIONS_DIR, 'config.json');
 const PINNED_PATH = path.join(MINIONS_DIR, 'pinned.md');
@@ -100,8 +95,6 @@ function ensureConfiguredProjectStateFiles() {
 
 function reloadConfig() {
   CONFIG = queries.getConfig();
-  try { shared.applyStatusWorkItemsRetentionMigration(CONFIG); } catch { /* best-effort */ }
-  try { shared.applyStatusMeetingsRetentionMigration(CONFIG); } catch { /* best-effort */ }
   PROJECTS = _getProjects(CONFIG);
   ensureConfiguredProjectStateFiles();
 }
@@ -1744,6 +1737,14 @@ function invalidateStatusCache(_opts) {
 function _buildStatusFastState() {
   // reloadConfig is called by both sync and async callers before this — kept
   // outside so the async path can yield between reload and rebuild.
+  //
+  // Issue #2949 — the heavy slices (agents/workItems/pullRequests/dispatch/
+  // metrics/inbox/notes/engineLog/watches/meetings/qaRuns/qaSessions/
+  // meetingsTotal) all moved to dedicated /api/<x> endpoints or /state/<path>
+  // static-file passthrough. They're not in this snapshot anymore — every
+  // page now fetches its own dedicated endpoint with input-mtime ETag, so
+  // there's no outer cache that can hold a fresh disk write hostage.
+  // /api/status is now just the small live engine/throttle envelope.
   const engineState = getEngineState();
   const hbAge = engineState.heartbeat ? Date.now() - engineState.heartbeat : 0;
   // W-mpof1xxe000ac689 — Two-signal liveness check. heartbeat (15s cadence,
@@ -1752,309 +1753,38 @@ function _buildStatusFastState() {
   // heartbeat writer silently dies but tickInner keeps running, the heartbeat
   // ages past 120s while lastTickAt stays fresh — the dashboard used to lie
   // ("STALE") on a provably-ticking engine. Engine is alive iff ANY signal is
-  // fresh; only when BOTH age past threshold do we trip the badge. The tick
-  // threshold is floored by ENGINE_HEARTBEAT_STALE_MS so a misconfigured 5s
-  // tickInterval cannot trip the boolean in 10s.
+  // fresh; only when BOTH age past threshold do we trip the badge.
   const tickInterval = Number(CONFIG?.engine?.tickInterval) || shared.ENGINE_DEFAULTS.tickInterval;
   const tickStaleThresholdMs = Math.max(ENGINE_HEARTBEAT_STALE_MS, 2 * tickInterval);
   const tickAge = engineState.lastTickAt ? Date.now() - engineState.lastTickAt : Infinity;
   return {
-    agents: getAgents(),
-    inbox: getInbox(),
-    notes: getNotesWithMeta(),
-    pullRequests: getPullRequests(),
     engine: {
       ...engineState,
       worktreeCount: _countWorktrees(),
-      // Snapshot-time staleness. Frozen with the snapshot; the client renders
-      // off these instead of recomputing Date.now() - heartbeat against a
-      // possibly-cached payload (false-positive banner regression #2754).
       heartbeatAgeMs: engineState.heartbeat ? hbAge : null,
       heartbeatStale: !!(engineState.heartbeat
         && hbAge > ENGINE_HEARTBEAT_STALE_MS
         && tickAge > tickStaleThresholdMs),
-      // W-mpnc4u8c001d9d6c — Surface the tick cadence so the client's
-      // #engine-quick-stats "Next tick in Xs" countdown reads the SAME value
-      // the engine actually uses (Settings parity rule). Paired with
-      // control.lastTickAt (above) stamped at the start of every tickInner.
       tickInterval: tickInterval,
     },
     adoThrottle: ado.getAdoThrottleState(),
     ghThrottle: gh.getGhThrottleState(),
-    dispatch: getDispatchQueue(),
-    engineLog: getEngineLog(),
-    metrics: getMetrics(),
-    workItems: _slimWorkItemsForStatus(getWorkItems()),
-    watches: watchesMod.getWatches(),
-    meetings: _safeStatusSlice('meetings', () => _slimMeetingsForStatus(meetingMod.getMeetings()), []),
-    // Top-level full meeting count (NOT slim slice length). Surfaced so the
-    // sidebar activity-dot counter (dashboard/js/refresh.js _pageCounters.meetings)
-    // still fires when ANY meeting — including old/archived ones dropped from
-    // the slim slice by statusMeetingsRetentionDays — gains a new round.
-    // Without this, completing the third round of an archived meeting would
-    // silently fail to light the sidebar dot. (W-mphlrxx6000a8760)
-    meetingsTotal: _safeStatusSlice('meetingsTotal', () => _countMeetingsForStatus(), 0),
-    // QA runs — surfaced for the sidebar activity-dot counter and any future
-    // CC/aggregate view. Tab-level rendering keeps its own /api/qa/runs poll
-    // (5 s while the QA page is mounted). qa-runs.json is in the mtime tracker
-    // so a new run lights the dot within one /api/status poll cycle (~4 s).
-    // Uses the unsorted summary helper rather than listRuns({limit:50}) — the
-    // latter reads + sorts the FULL qa-runs.json on every fast-state rebuild
-    // and would charge O(N log N) to the /api/status hot path. The summary
-    // helper returns { total, sig } without sorting; that's all the sidebar
-    // counter needs to detect new runs and status flips.
-    qaRuns: _safeStatusSlice('qaRuns', () => qaRunsMod.summarizeRunsForStatus(), { total: 0, sig: '' }),
-    // QA sessions — same role as qaRuns above. The sidebar activity-dot
-    // for QA Sessions polls this slice for the cheap { total, sig } summary
-    // so a new session or a state transition lights the dot within one
-    // /api/status cycle. summarizeSessionsForStatus is unsorted (mirrors
-    // qaRunsMod.summarizeRunsForStatus) so this stays O(N) and doesn't
-    // charge sort cost to the /api/status hot path.
-    qaSessions: _safeStatusSlice('qaSessions', () => {
-      const qaSessions = require('./engine/qa-sessions');
-      return qaSessions.summarizeSessionsForStatus();
-    }, { total: 0, sig: '' }),
   };
 }
 
-// Run a status-slice producer with rate-limited error logging. The lazy-
-// require IIFEs this replaces silently degraded to fallback values if the
-// underlying module had a syntax error or got renamed — sidebar dots went
-// dark with no diagnostic. We keep returning the fallback so the rest of
-// the status payload survives, but we log once per minute per slice so a
-// persistent error doesn't spam the engine log AND isn't invisible.
-const _statusSliceErrorLastLogged = new Map();
-function _safeStatusSlice(name, fn, fallback) {
-  try {
-    return fn();
-  } catch (e) {
-    const now = Date.now();
-    const last = _statusSliceErrorLastLogged.get(name) || 0;
-    if (now - last > 60000) {
-      _statusSliceErrorLastLogged.set(name, now);
-      console.error('[status] slice ' + name + ' failed: ' + (e && e.message || e));
-    }
-    return fallback;
-  }
-}
-
-// ── /api/status workItems slimming (W-mphejzmj000718bf) ─────────────────────
-// Project each work item onto a narrow shape that omits the large free-text
-// fields (description, full acceptanceCriteria, full references) before
-// shipping on /api/status. The dashboard never renders description/AC/
-// references-detail off the cached slice — `wiRow` only needs counts +
-// status/badge fields, and `openWorkItemDetail` fetches the full record on
-// demand via GET /api/work-items/<id>. This slim projection is the bulk of
-// the payload savings (~3MB → <500KB typical) and runs unconditionally.
-//
-// engine.statusWorkItemsRetentionDays is an optional second-tier filter that
-// drops terminal (done/failed/cancelled) items older than N days. Default 0
-// = no trim (legacy behavior, full list shipped). Set to a positive integer
-// to opt into the date-based trim. Active items (pending/dispatched/queued)
-// are ALWAYS kept regardless of age.
-const _ACTIVE_WI_STATUSES_FOR_STATUS = new Set(['pending', 'dispatched', 'queued', 'paused', 'decomposed']);
-const _TERMINAL_WI_STATUSES_FOR_STATUS = new Set(['done', 'failed', 'cancelled']);
-function _resolveStatusWorkItemsRetentionDays() {
-  const raw = CONFIG?.engine?.statusWorkItemsRetentionDays;
-  if (raw === 0 || raw === '0') return 0;
-  const n = Number(raw);
-  if (Number.isFinite(n) && n >= 0) return n;
-  return shared.ENGINE_DEFAULTS.statusWorkItemsRetentionDays;
-}
-function _slimWorkItemForStatus(item) {
-  const slim = {
-    id: item.id,
-    title: item.title,
-    status: item.status,
-    type: item.type,
-    priority: item.priority,
-    _source: item._source,
-    created: item.created,
-  };
-  if (item.dispatched_to !== undefined) slim.dispatched_to = item.dispatched_to;
-  if (item.agent !== undefined) slim.agent = item.agent;
-  if (item._pr !== undefined) slim._pr = item._pr;
-  if (item._prUrl !== undefined) slim._prUrl = item._prUrl;
-  if (item._skipReason !== undefined) slim._skipReason = item._skipReason;
-  if (item._blockedBy !== undefined) slim._blockedBy = item._blockedBy;
-  if (item._humanFeedback !== undefined) slim._humanFeedback = item._humanFeedback;
-  if (Array.isArray(item.completedAgents)) slim.completedAgents = item.completedAgents;
-  if (item.failReason !== undefined) slim.failReason = item.failReason;
-  if (item.branchStrategy !== undefined) slim.branchStrategy = item.branchStrategy;
-  if (item.scope !== undefined) slim.scope = item.scope;
-  if (item.completedAt !== undefined) slim.completedAt = item.completedAt;
-  if (item.dispatched_at !== undefined) slim.dispatched_at = item.dispatched_at;
-  if (item._reopened !== undefined) slim._reopened = item._reopened;
-  if (item._pendingReason !== undefined) slim._pendingReason = item._pendingReason;
-  if (item._managedSpawnPartial !== undefined) slim._managedSpawnPartial = item._managedSpawnPartial;
-  if (item._securityFlag !== undefined) slim._securityFlag = item._securityFlag;
-  if (item._artifacts !== undefined) slim._artifacts = item._artifacts;
-  // Cross-slice fields read by derivePlanStatus / render-prd / refresh.js
-  // (sourcePlan, planFile, itemType, project, parent_id). Without these the
-  // plan-status derivation and decomposed-children rollup regress.
-  if (item.sourcePlan !== undefined) slim.sourcePlan = item.sourcePlan;
-  if (item.planFile !== undefined) slim.planFile = item.planFile;
-  if (item.itemType !== undefined) slim.itemType = item.itemType;
-  if (item.project !== undefined) slim.project = item.project;
-  if (item.parent_id !== undefined) slim.parent_id = item.parent_id;
-  // PR follow-up subobject is small and drives the +N chip + row badge.
-  if (item.meta && item.meta.pr_followup) slim.meta = { pr_followup: item.meta.pr_followup };
-  // Counts only — the modal fetches full arrays on demand via /api/work-items/<id>.
-  slim.referencesCount = Array.isArray(item.references) ? item.references.length : 0;
-  slim.acceptanceCriteriaCount = Array.isArray(item.acceptanceCriteria) ? item.acceptanceCriteria.length : 0;
-  return slim;
-}
-function _slimWorkItemsForStatus(items) {
-  if (!Array.isArray(items)) return items;
-  const retentionDays = _resolveStatusWorkItemsRetentionDays();
-  if (retentionDays <= 0) {
-    // Trimming disabled — keep full list but still flatten via slim shape
-    // so wire format is consistent (renderers never have to handle the old
-    // heavy fields). Set retentionDays to a huge value if you want EVERY
-    // terminal item, not just recent ones — 0 means "skip the date filter".
-    return items.map(_slimWorkItemForStatus);
-  }
-  const cutoffMs = Date.now() - retentionDays * 24 * 60 * 60 * 1000;
-  const surviving = [];
-  for (const item of items) {
-    if (!item) continue;
-    const status = item.status || 'pending';
-    if (_TERMINAL_WI_STATUSES_FOR_STATUS.has(status)) {
-      const ts = item.completedAt || item.dispatched_at || item.created || '';
-      const tsMs = ts ? Date.parse(ts) : NaN;
-      // Drop only when we have a parseable timestamp and it's beyond the
-      // window. Items with missing/unparseable timestamps stay visible —
-      // we'd rather over-include than silently hide them.
-      if (Number.isFinite(tsMs) && tsMs < cutoffMs) {
-        continue;
-      }
-    } else if (!_ACTIVE_WI_STATUSES_FOR_STATUS.has(status)) {
-      // Unknown status — keep, so a future status value isn't silently
-      // hidden until the constant set is updated.
-    }
-    surviving.push(_slimWorkItemForStatus(item));
-  }
-  return surviving;
-}
-
-// ── /api/status meetings slimming (W-mphlrxx6000a8760) ──────────────────────
-// Mirrors the workItems slim above (PR #2816). Meetings were the second
-// largest /api/status slice — live measurement: 22 meetings / 4.3MB
-// (60% of the 7.2MB payload) before slimming. The list renderer in
-// dashboard/js/render-meetings.js:renderMeetings only needs:
-//   - id, title, status, round, participants, agenda(short), createdAt,
-//     completedAt
-//   - per-participant booleans of findings/debate (used to pick the
-//     ✓/⏳/○ icon — `m.findings?.[p]` truthy check, line 48-50)
-// The detail modal calls `/api/meetings/:id` which serves the full record
-// (findings.content + debate.content + conclusion + transcript bodies), so
-// dropping those bodies from the slice is safe. The slim projection alone
-// delivers the bulk of the payload savings and always runs.
-//
-// engine.statusMeetingsRetentionDays is an optional second-tier filter that
-// drops terminal (completed/archived) meetings older than N days. Default 0
-// = no trim (legacy behavior, full list shipped — but still slim-shaped).
-// Active meetings (investigating/debating/concluding) are ALWAYS kept.
-const _ACTIVE_MEETING_STATUSES_FOR_STATUS = new Set(['investigating', 'debating', 'concluding']);
-const _TERMINAL_MEETING_STATUSES_FOR_STATUS = new Set(['completed', 'archived']);
-function _resolveStatusMeetingsRetentionDays() {
-  const raw = CONFIG?.engine?.statusMeetingsRetentionDays;
-  if (raw === 0 || raw === '0') return 0;
-  const n = Number(raw);
-  if (Number.isFinite(n) && n >= 0) return n;
-  return shared.ENGINE_DEFAULTS.statusMeetingsRetentionDays;
-}
-function _slimMeetingForStatus(meeting) {
-  // Reduce findings/debate objects to {agentId: true} sentinels — the list
-  // renderer only checks `m.findings?.[p]` for truthiness when picking the
-  // participant-badge icon. Keeping just the keys preserves that contract
-  // while dropping the per-round agent transcript bodies (~95KB+ each).
-  const findingsKeys = meeting.findings && typeof meeting.findings === 'object'
-    ? Object.keys(meeting.findings) : [];
-  const debateKeys = meeting.debate && typeof meeting.debate === 'object'
-    ? Object.keys(meeting.debate) : [];
-  const findings = {};
-  for (const k of findingsKeys) findings[k] = true;
-  const debate = {};
-  for (const k of debateKeys) debate[k] = true;
-  const slim = {
-    id: meeting.id,
-    title: meeting.title,
-    status: meeting.status,
-    round: meeting.round,
-    participants: Array.isArray(meeting.participants) ? meeting.participants : [],
-    agenda: meeting.agenda,
-    createdAt: meeting.createdAt,
-    findings,
-    debate,
-  };
-  if (meeting.completedAt !== undefined) slim.completedAt = meeting.completedAt;
-  if (meeting.roundStartedAt !== undefined) slim.roundStartedAt = meeting.roundStartedAt;
-  if (meeting.createdBy !== undefined) slim.createdBy = meeting.createdBy;
-  return slim;
-}
-function _slimMeetingsForStatus(meetings) {
-  if (!Array.isArray(meetings)) return meetings;
-  const retentionDays = _resolveStatusMeetingsRetentionDays();
-  if (retentionDays <= 0) {
-    // Trimming disabled — keep full list but still flatten via slim shape
-    // so wire format is consistent and the heavy bodies never ship via
-    // /api/status regardless of operator config.
-    return meetings.map(_slimMeetingForStatus);
-  }
-  const cutoffMs = Date.now() - retentionDays * 24 * 60 * 60 * 1000;
-  const surviving = [];
-  for (const meeting of meetings) {
-    if (!meeting) continue;
-    const status = meeting.status || 'investigating';
-    if (_TERMINAL_MEETING_STATUSES_FOR_STATUS.has(status)) {
-      const ts = meeting.completedAt || meeting.roundStartedAt || meeting.createdAt || '';
-      const tsMs = ts ? Date.parse(ts) : NaN;
-      // Drop only when we have a parseable timestamp and it's beyond the
-      // window. Meetings with missing/unparseable timestamps stay visible —
-      // we'd rather over-include than silently hide them.
-      if (Number.isFinite(tsMs) && tsMs < cutoffMs) {
-        continue;
-      }
-    } else if (!_ACTIVE_MEETING_STATUSES_FOR_STATUS.has(status)) {
-      // Unknown status — keep, so a future round name isn't silently
-      // hidden until the constant set is updated.
-    }
-    surviving.push(_slimMeetingForStatus(meeting));
-  }
-  return surviving;
-}
-// Count meetings on disk without rehydrating bodies — backs the sidebar
-// activity dot signature so new rounds in trimmed/archived meetings still
-// flip the counter (refresh.js _pageCounters.meetings reads meetingsTotal).
-function _countMeetingsForStatus() {
-  const meetings = meetingMod.getMeetings();
-  return Array.isArray(meetings) ? meetings.length : 0;
-}
-
 // Build the slow-state slice (rarely-changing data: ~60s TTL).
 function _buildStatusSlowState() {
-  const prdInfo = getPrdInfo();
+  // Issue #2949 — heavy slices moved to dedicated endpoints (see header on
+  // _buildStatusFastState). prdProgress + prd → /api/prd, verifyGuides →
+  // /api/verify-guides, archivedPrds → /api/archived-prds, schedules →
+  // /api/schedules, pipelines → /api/pipelines, pinned → /api/pinned.
+  // What's left here is genuine "shape of the install" state that has no
+  // staleness problem: projects + git status (server-only compute), runtime
+  // capability roll-ups (skills + mcpServers), config-derived autoMode +
+  // initialized + installId, and the version banner.
   return {
-    prdProgress: prdInfo.progress,
-    prd: prdInfo.status,
-    verifyGuides: getVerifyGuides(),
-    archivedPrds: getArchivedPrds(),
     skills: getSkills(),
     mcpServers: getMcpServers(),
-    schedules: (() => {
-      const scheds = CONFIG.schedules || [];
-      const runs = shared.safeJson(path.join(MINIONS_DIR, 'engine', 'schedule-runs.json')) || {};
-      return scheds.map(s => {
-        const runEntry = runs[s.id];
-        // Backward compat: runEntry can be a string (old format) or object (new format with back-references)
-        const _lastRun = typeof runEntry === 'string' ? runEntry : (runEntry?.lastRun || runEntry?.lastCompletedAt || null);
-        const extra = typeof runEntry === 'object' && runEntry ? { _lastWorkItemId: runEntry.lastWorkItemId, _lastResult: runEntry.lastResult, _lastCompletedAt: runEntry.lastCompletedAt } : {};
-        return { ...s, _lastRun, ...extra };
-      });
-    })(),
-    pipelines: (() => { try { const pl = require('./engine/pipeline'); return pl.getPipelines().map(p => ({ ...p, runs: (pl.getPipelineRuns()[p.id] || []).slice(-5) })); } catch { return []; } })(),
-    pinned: (() => { try { return parsePinnedEntries(safeRead(PINNED_PATH)); } catch { return []; } })(),
     projects: PROJECTS.map(p => {
       const status = getProjectGitStatus(p.localPath, p.mainBranch);
       const mainBranch = p.mainBranch || null;
@@ -2357,6 +2087,331 @@ function getStatusJson() {
   return _statusCacheJson;
 }
 
+// ── /state/<path> — raw state-file passthrough ────────────────────────────
+// Static-file handler that serves files from under MINIONS_DIR directly,
+// bypassing the /api/status assembled-snapshot cache. Per-page polls hit
+// this instead of /api/status so a stale outer cache cannot hold a fresh
+// disk write hostage. ETag = mtimeMs + size → 304 when unchanged.
+//
+// Safety:
+//   1. shared.sanitizePath rejects null bytes / .. / absolute paths and
+//      asserts the resolved target stays under MINIONS_DIR.
+//   2. Top-level dir must be in STATE_READ_ALLOWED_DIRS — no exposing
+//      config.json, .install-id, source code, .gitignored secrets.
+//   3. STATE_READ_DENIED_PATTERNS deny-lists sensitive files INSIDE
+//      allowed dirs (SQLite db, .backup sidecars, live-output.log,
+//      session.json — any of which leak credentials or runtime state).
+//   4. Symlinks are rejected outright (no follow → realpath round-trip).
+//   5. Directory paths return a JSON listing [{name,size,mtimeMs,isDir}],
+//      one level deep — needed for inbox/ and notes/inbox/ enumeration.
+const STATE_READ_ALLOWED_DIRS = new Set([
+  'projects', 'engine', 'prd', 'notes', 'plans',
+  'pipelines', 'knowledge', 'agents', 'watches.d',
+  'meetings',
+]);
+// Single-file allowances for state files that live at MINIONS_DIR root
+// rather than inside an allowlisted directory. Currently: notes.md (consolidated
+// human + agent notes; renderer needs raw markdown). Keep this tight.
+const STATE_READ_ALLOWED_FILES = new Set([
+  'notes.md',
+]);
+// Sensitive session-bearing JSON filenames that must NEVER be served via
+// /state/<path>. Exact basename match (not a broad regex) so we don't
+// silently swallow legitimate user filenames like plans/redis-sessions.md
+// or meetings/MTG-debugging-sessions-*.json. (Round-2 review finding #9.)
+const STATE_READ_DENIED_BASENAMES = new Set([
+  'session.json',
+  'sessions.json',
+  'cc-session.json',
+  'cc-sessions.json',
+  'qa-sessions.json',
+  'qa-sessions-history.json',
+  'session-state.json',
+  'session-token.json',
+  'keep-pids.json',
+  // doc-sessions.json holds user-authored doc-chat conversation state
+  // (questions + document context + LLM responses). Was previously denied
+  // via a broad *sessions?.json regex that round-2 #9 narrowed; restoring
+  // explicit coverage here. (Round-3 review finding #2.)
+  'doc-sessions.json',
+]);
+const STATE_READ_DENIED_PATTERNS = [
+  /(^|[\\/])state\.db($|-wal$|-shm$)/i,
+  /\.backup$/i,
+  // Engine writes several stdout-bearing log shapes under agents/<id>/:
+  //   - live-output.log         (tail-followed during the run)
+  //   - output.log              (legacy post-run dump)
+  //   - output-<agent>-<type>-<id>.log (per-dispatch named log written by
+  //     lifecycle.js — typically the largest single byte source)
+  //   - live-output-prev.log    (rotation backup of the previous run)
+  // All contain agent stdout that can leak credentials echoed in error
+  // stack traces and untrusted PR-comment content. (Round-3 review #1.)
+  // `-[^\\/]*` (zero-or-more, NOT one-or-more) so degenerate `output-.log`
+  // and `live-output-.log` variants are also caught — a malformed dispatch
+  // template resolving the id to empty would otherwise slip past.
+  // (Round-4 #4.)
+  /(^|[\\/])(live-)?output(-prev|-[^\\/]*)?\.log$/i,
+  /(^|[\\/])\.env($|\.)/i,
+];
+function _isStateReadPathDenied(rel) {
+  if (STATE_READ_DENIED_PATTERNS.some(re => re.test(rel))) return true;
+  // Basename comparison — extract the trailing segment and compare against
+  // the known-sensitive set. Forward and backslash both supported so
+  // Windows-shaped rel paths are caught.
+  const base = rel.split(/[\\/]/).pop() || '';
+  return STATE_READ_DENIED_BASENAMES.has(base.toLowerCase());
+}
+function _stateReadContentType(ext) {
+  switch (ext.toLowerCase()) {
+    case '.json': return 'application/json; charset=utf-8';
+    case '.md': return 'text/markdown; charset=utf-8';
+    case '.txt': case '.log': return 'text/plain; charset=utf-8';
+    default: return 'application/octet-stream';
+  }
+}
+// ── Dedicated fresh-JSON endpoint pattern ─────────────────────────────────
+// Companion to /state/<path>. /state/ is "serve a single file verbatim";
+// serveFreshJson is "run server-side enrichment, ETag off input mtimes."
+//
+// Used for slices whose payload joins multiple files (agents derived from
+// config + dispatch + inbox + steering, metrics derived from metrics.json
+// + dispatch + PRs, PRD derived from PRD dir + work-items + PRs, etc.).
+// Replicating those joins in browser JS would be brittle, and shipping the
+// fully-enriched result through /api/status pays the staleness tax that
+// issue #2949 documented. This pattern bypasses both:
+//
+//   1. Caller supplies an array of input file paths.
+//   2. We statSync each one and take MAX(mtimeMs). That's the ETag.
+//   3. If the client's If-None-Match matches → 304 with no body.
+//   4. Otherwise call `builder()` to assemble the response from scratch
+//      (no outer cache layer to go stale).
+//   5. Stamp ETag + Content-Type and send.
+//
+// Cost per request when ETag matches: N statSync calls (microseconds).
+// Cost on a miss: same N statSync + the builder, which is exactly the
+// existing queries.getAgents() / getMetrics() / etc. that /api/status
+// already pays. Net change: same compute, no caching, always-fresh.
+function _maxInputMtimeMs(inputs) {
+  let max = 0;
+  for (const fp of inputs) {
+    try {
+      // Use lstatSync so a broken Windows junction (common after DevBox
+      // swap) or a circular symlink doesn't block the event loop on a
+      // ~30 s OS timeout trying to follow the link. Engine never writes
+      // symlinks into state dirs in normal operation, so an lstat that
+      // detects a symlink is treated as "skip" — the input is effectively
+      // not tracked. (Round-2 review finding #7.)
+      const s = fs.lstatSync(fp);
+      if (s.isSymbolicLink()) continue;
+      if (s.mtimeMs > max) max = s.mtimeMs;
+      // Directory inputs: dir mtime only advances on add/remove of
+      // immediate entries, not on in-place file edits. Walk two levels
+      // down so editing prd/<plan>.json in place (depth 1) and
+      // agents/<id>/live-output.log (depth 2) both bust the ETag.
+      // Steering edits at agents/<id>/inbox/steering-*.md (depth 3)
+      // currently rely on add/remove cadence rather than per-file content
+      // mtime — accept this lag rather than walking unbounded.
+      // (Review finding #6.)
+      if (s.isDirectory()) {
+        let level1;
+        try { level1 = fs.readdirSync(fp); } catch { level1 = []; }
+        for (const name of level1) {
+          const child = path.join(fp, name);
+          let cs;
+          try { cs = fs.lstatSync(child); } catch { continue; }
+          if (cs.isSymbolicLink()) continue;
+          if (cs.mtimeMs > max) max = cs.mtimeMs;
+          if (cs.isDirectory()) {
+            let level2;
+            try { level2 = fs.readdirSync(child); } catch { level2 = []; }
+            for (const inner of level2) {
+              try {
+                const is = fs.lstatSync(path.join(child, inner));
+                if (is.isSymbolicLink()) continue;
+                if (is.mtimeMs > max) max = is.mtimeMs;
+              } catch { /* skip unreadable */ }
+            }
+          }
+        }
+      }
+    } catch {
+      // Missing input = not yet on disk. Don't bust the ETag — a builder
+      // that legitimately depends on the file will surface its own empty
+      // state, and the ETag will move once the file appears.
+    }
+  }
+  return Math.floor(max);
+}
+function serveFreshJson(req, res, opts) {
+  const inputs = Array.isArray(opts && opts.inputs) ? opts.inputs : [];
+  const builder = opts && typeof opts.builder === 'function' ? opts.builder : null;
+  const tag = opts && opts.tag ? String(opts.tag) : 'v';
+  if (!builder) {
+    res.statusCode = 500;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: 'serveFreshJson: builder is required' }));
+    return;
+  }
+  const mtime = _maxInputMtimeMs(inputs);
+  const etag = '"' + tag + '-' + mtime + '"';
+  res.setHeader('ETag', etag);
+  res.setHeader('Cache-Control', 'private, max-age=0, must-revalidate');
+  if (req && req.headers && req.headers['if-none-match'] === etag) {
+    res.statusCode = 304;
+    res.end();
+    return;
+  }
+  let payload;
+  try {
+    payload = builder();
+  } catch (e) {
+    res.statusCode = 500;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: e && e.message || String(e) }));
+    return;
+  }
+  res.statusCode = 200;
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  res.end(JSON.stringify(payload));
+}
+
+function handleStateRead(req, res) {
+  const urlPath = req.url.split('?')[0];
+  const rel = decodeURIComponent(urlPath.slice('/state/'.length));
+  if (!rel) {
+    res.statusCode = 400;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: 'path required' }));
+    return;
+  }
+  // Top-level allowlist — first path segment must match a permitted
+  // directory OR (when there is no further path) a permitted root file.
+  // STRICT-CASE comparison: case-folding the allowlist would create
+  // Linux/Windows divergence (Windows NTFS resolves /state/PROJECTS/... to
+  // the real lowercase dir and serves 200; Linux ext4 returns 404 since
+  // sanitizePath preserves the literal-case path that lstat would then
+  // miss). yemi33 PR Tests runs Windows-only — case-folding lets a
+  // platform-divergent path land without CI signal. URLs in this codebase
+  // are canonically lowercase; reject mixed-case to keep parity.
+  // (Round-4 #5 — reverts the round-3 case-insensitive change.)
+  const segments = rel.split(/[\\/]/);
+  const top = segments[0] || '';
+  const isSingleSegment = segments.length === 1;
+  if (!STATE_READ_ALLOWED_DIRS.has(top) &&
+      !(isSingleSegment && STATE_READ_ALLOWED_FILES.has(top))) {
+    res.statusCode = 403;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: 'forbidden' }));
+    return;
+  }
+  if (_isStateReadPathDenied(rel)) {
+    res.statusCode = 403;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: 'forbidden file' }));
+    return;
+  }
+  let resolved;
+  try {
+    resolved = shared.sanitizePath(rel, MINIONS_DIR);
+  } catch (e) {
+    res.statusCode = 403;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: e.message }));
+    return;
+  }
+  let lstat;
+  try { lstat = fs.lstatSync(resolved); }
+  catch {
+    res.statusCode = 404;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: 'not found' }));
+    return;
+  }
+  // Reject symlinks outright — even if they point inside MINIONS_DIR, they
+  // can be swapped after the allowlist check (TOCTOU) to escape. Engine
+  // never writes symlinks into state dirs in normal operation.
+  if (lstat.isSymbolicLink()) {
+    res.statusCode = 403;
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ error: 'symlinks not served' }));
+    return;
+  }
+  if (lstat.isDirectory()) {
+    // One-level directory listing for enumeration (inbox, archive, etc.).
+    // Per-entry stat lives inside the inner try-catch so a single bad entry
+    // doesn't fail the whole listing — bad entry just gets dropped.
+    const etag = '"dir-' + Math.floor(lstat.mtimeMs) + '"';
+    res.setHeader('ETag', etag);
+    res.setHeader('Cache-Control', 'private, max-age=0, must-revalidate');
+    if (req.headers['if-none-match'] === etag) {
+      res.statusCode = 304;
+      res.end();
+      return;
+    }
+    let entries;
+    try {
+      entries = fs.readdirSync(resolved).map(name => {
+        // Re-apply the deny-list to entry names so the listing doesn't
+        // leak the existence of state.db / *.backup / live-output.log /
+        // session.json / .env* even though the per-file fetch for them
+        // would 403. Deny patterns match against the relative path,
+        // mirroring the request-time check above. (Review finding #8.)
+        const childRel = (rel + '/' + name).replace(/\\/g, '/');
+        if (_isStateReadPathDenied(childRel)) return null;
+        try {
+          const s = fs.lstatSync(path.join(resolved, name));
+          if (s.isSymbolicLink()) return null;
+          return {
+            name,
+            size: s.size,
+            mtimeMs: Math.floor(s.mtimeMs),
+            isDir: s.isDirectory(),
+          };
+        } catch { return null; }
+      }).filter(Boolean);
+    } catch (e) {
+      res.statusCode = 500;
+      res.setHeader('Content-Type', 'application/json');
+      res.end(JSON.stringify({ error: e.message }));
+      return;
+    }
+    res.statusCode = 200;
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    res.end(JSON.stringify({ path: rel.replace(/\\/g, '/'), entries }));
+    return;
+  }
+  // File path: mtime+size ETag, stream the bytes.
+  const etag = '"' + Math.floor(lstat.mtimeMs) + '-' + lstat.size + '"';
+  res.setHeader('ETag', etag);
+  res.setHeader('Cache-Control', 'private, max-age=0, must-revalidate');
+  if (req.headers['if-none-match'] === etag) {
+    res.statusCode = 304;
+    res.end();
+    return;
+  }
+  res.statusCode = 200;
+  res.setHeader('Content-Type', _stateReadContentType(path.extname(resolved)));
+  try {
+    const stream = fs.createReadStream(resolved);
+    stream.on('error', (err) => {
+      if (!res.headersSent) {
+        res.statusCode = 500;
+        res.setHeader('Content-Type', 'application/json');
+        res.end(JSON.stringify({ error: err.message }));
+      } else if (!res.writableEnded) {
+        res.end();
+      }
+    });
+    stream.pipe(res);
+  } catch (e) {
+    if (!res.headersSent) {
+      res.statusCode = 500;
+      res.setHeader('Content-Type', 'application/json');
+      res.end(JSON.stringify({ error: e.message }));
+    }
+  }
+}
+
 // Top-level /api/status request handler (W-mpehsyhv0017085a). Extracted from
 // the inline route handler so unit tests can call it with mock req/res and so
 // production routing has a single source of truth. The inline route delegates
@@ -2386,7 +2441,6 @@ async function _handleStatusRequest(req, res) {
     if (_ifNoneMatchHasEtag(inm, currentEtag)) {
       res.setHeader('ETag', currentEtag);
       res.setHeader('Cache-Control', 'private, max-age=0, must-revalidate');
-      res.setHeader('Access-Control-Allow-Origin', '*');
       res.statusCode = 304;
       res.end();
       return;
@@ -2395,7 +2449,6 @@ async function _handleStatusRequest(req, res) {
     // Use pre-serialized JSON and pre-computed gzip buffer — zero per-request compression
     const json = getStatusJson();
     res.setHeader('Content-Type', 'application/json');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.setHeader('ETag', currentEtag);
     res.setHeader('Cache-Control', 'private, max-age=0, must-revalidate');
     res.statusCode = 200;
@@ -4715,9 +4768,12 @@ function checkRateLimit(key, maxPerMinute) {
 function jsonReply(res, code, data, req) {
   res.setHeader('Content-Type', 'application/json');
   // Access-Control-Allow-Origin is set ONCE by the server dispatcher prelude:
-  // `*` for GET/HEAD (read-only), never for mutating responses (Origin gate
-  // already blocked cross-origin POSTs). Setting it here would reopen the
-  // cross-origin write path.
+  // echoed `Origin` for GET/HEAD ONLY when the origin is the dashboard's own
+  // served origin or an entry in `config.engine.allowedDashboardOrigins`;
+  // never on mutating responses (Origin gate already blocked cross-origin
+  // POSTs). Handlers must NOT set ACAO themselves — doing so would either
+  // override the prelude's narrowed value back to `*` (P-bfa2c-cors-wildcard
+  // regression) or re-open the cross-origin write path.
   res.statusCode = code;
   const json = JSON.stringify(data);
   const ae = req && req.headers && req.headers['accept-encoding'] || '';
@@ -4870,11 +4926,21 @@ const server = http.createServer(async (req, res) => {
     }
   }
 
-  // GET: permit cross-origin reads for external monitoring tools (curl, uptime
-  // checks). Mutating responses deliberately do NOT set ACAO — cross-origin
-  // browsers cannot use them anyway (Origin check blocks that path).
+  // GET/HEAD: narrow CORS. Echo the request's `Origin` in
+  // `Access-Control-Allow-Origin` ONLY if it matches the dashboard's own
+  // served origin (`http://localhost:7331`) or an entry in
+  // `config.engine.allowedDashboardOrigins` (default []). When no `Origin`
+  // header is present (curl, uptime monitors, Node http.request without
+  // Origin), do not emit ACAO at all — preserves the local-tooling path.
+  // The previous wildcard (`*`) let any cross-origin browser page issue
+  // `fetch` to http://localhost:7331/api/* and read the JSON response,
+  // exposing operator-private state (config, work items, agent
+  // transcripts). See P-bfa2c-cors-wildcard + docs/security.md.
   if (req.method === 'GET' || req.method === 'HEAD') {
-    res.setHeader('Access-Control-Allow-Origin', '*');
+    if (_rawOrigin && shared.isAllowedDashboardOrigin(_rawOrigin, CONFIG)) {
+      res.setHeader('Access-Control-Allow-Origin', _rawOrigin);
+      res.setHeader('Vary', 'Origin');
+    }
   }
 
   // ── Route Handler Functions ───────────────────────────────────────────────
@@ -6017,7 +6083,6 @@ const server = http.createServer(async (req, res) => {
     const livePath = path.join(agentDir, 'live-output.log');
     const prevPath = path.join(agentDir, 'live-output-prev.log');
     res.setHeader('Content-Type', 'text/plain; charset=utf-8');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     const params = new URL(req.url, 'http://localhost').searchParams;
     const rawTail = parseInt(params.get('tail'));
     if (params.has('tail') && isNaN(rawTail)) return jsonReply(res, 400, { error: 'tail must be a number' });
@@ -6080,7 +6145,6 @@ const server = http.createServer(async (req, res) => {
     const outputPath = path.join(MINIONS_DIR, 'agents', agentId, 'output.log');
     const content = safeRead(outputPath);
     res.setHeader('Content-Type', 'text/plain; charset=utf-8');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.end(content || 'No output log found for this agent.');
     return;
   }
@@ -6088,7 +6152,6 @@ const server = http.createServer(async (req, res) => {
   async function handleNotesFull(req, res) {
     const content = safeRead(path.join(MINIONS_DIR, 'notes.md'));
     res.setHeader('Content-Type', 'text/plain; charset=utf-8');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.end(content || 'No notes file found.');
     return;
   }
@@ -6155,7 +6218,6 @@ const server = http.createServer(async (req, res) => {
     const content = safeRead(path.join(kbCatDir, file));
     if (content === null) return jsonReply(res, 404, { error: 'not found' });
     res.setHeader('Content-Type', 'text/plain; charset=utf-8');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.end(content);
     return;
   }
@@ -6361,7 +6423,6 @@ const server = http.createServer(async (req, res) => {
     if (!content) return jsonReply(res, 404, { error: 'not found' });
     const contentType = file.endsWith('.json') ? 'application/json' : 'text/plain';
     res.setHeader('Content-Type', contentType + '; charset=utf-8');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.end(content);
     return;
   }
@@ -6383,7 +6444,6 @@ const server = http.createServer(async (req, res) => {
     const contentType = file.endsWith('.json') ? 'application/json' : 'text/plain';
     res.setHeader('Content-Type', contentType + '; charset=utf-8');
     res.setHeader('Cache-Control', 'no-cache');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.end(content);
     return;
   }
@@ -7390,7 +7450,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     const skillPath = _resolveSkillReadPath({ file, dir, source, config: CONFIG });
     const content = skillPath ? (safeRead(skillPath) || '') : '';
     res.setHeader('Content-Type', 'text/plain; charset=utf-8');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     res.end(content || 'Skill not found.');
     return;
   }
@@ -8657,20 +8716,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     }
   }
 
-  async function handleSchedulesList(req, res) {
-    reloadConfig();
-    const schedules = CONFIG.schedules || [];
-    const runs = shared.safeJson(path.join(MINIONS_DIR, 'engine', 'schedule-runs.json')) || {};
-    const result = schedules.map(s => {
-      const runEntry = runs[s.id];
-      // Backward compat: runEntry can be a string (old format) or object (new format with back-references)
-      const _lastRun = typeof runEntry === 'string' ? runEntry : (runEntry?.lastRun || runEntry?.lastCompletedAt || null);
-      const extra = typeof runEntry === 'object' && runEntry ? { _lastWorkItemId: runEntry.lastWorkItemId, _lastResult: runEntry.lastResult, _lastCompletedAt: runEntry.lastCompletedAt } : {};
-      return { ...s, _lastRun, ...extra };
-    });
-    return jsonReply(res, 200, { schedules: result });
-  }
-
   async function handleSchedulesCreate(req, res) {
     const body = await readBody(req);
     let { id, cron, title, type, project, agent, description, priority, enabled } = body;
@@ -9058,35 +9103,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
         }
         // String fields
         if (e.worktreeRoot !== undefined) _setEngineConfig('worktreeRoot', String(e.worktreeRoot || D.worktreeRoot));
-        // W-mphejzmj000718bf: /api/status workItems retention window. Handled
-        // outside the numericFields loop because `Number(0) || D[key]`
-        // collapses the "disable trim" value (0) back to the default — we
-        // want 0 to actually persist as "skip the date filter".
-        if (e.statusWorkItemsRetentionDays !== undefined) {
-          const raw = e.statusWorkItemsRetentionDays;
-          if (raw === '' || raw === null) {
-            _deleteEngineConfig('statusWorkItemsRetentionDays');
-          } else {
-            let val = Number(raw);
-            if (!Number.isFinite(val) || val < 0) val = D.statusWorkItemsRetentionDays;
-            if (val > 365) { _clamped.push(`statusWorkItemsRetentionDays: ${val} → 365 (range: 0–365)`); val = 365; }
-            _setEngineConfig('statusWorkItemsRetentionDays', val);
-          }
-        }
-        // W-mphlrxx6000a8760: /api/status meetings retention window. Same
-        // shape as statusWorkItemsRetentionDays — 0 must persist literally
-        // (disables trim), so handled outside the numericFields loop.
-        if (e.statusMeetingsRetentionDays !== undefined) {
-          const raw = e.statusMeetingsRetentionDays;
-          if (raw === '' || raw === null) {
-            _deleteEngineConfig('statusMeetingsRetentionDays');
-          } else {
-            let val = Number(raw);
-            if (!Number.isFinite(val) || val < 0) val = D.statusMeetingsRetentionDays;
-            if (val > 365) { _clamped.push(`statusMeetingsRetentionDays: ${val} → 365 (range: 0–365)`); val = 365; }
-            _setEngineConfig('statusMeetingsRetentionDays', val);
-          }
-        }
         // W-mpejf0fq000e84d6: operator login override. Empty string clears
         // the override (engine falls back to gh/git/os resolution); any other
         // value pins the login used in `user/<login>/<wi-id>-<slug>` branches.
@@ -9540,7 +9556,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
 
   async function handleAgentDetail(req, res, match) {
     res.setHeader('Content-Type', 'application/json');
-    res.setHeader('Access-Control-Allow-Origin', '*');
     try {
       res.end(JSON.stringify(getAgentDetail(match[1])));
     } catch (e) {
@@ -10165,7 +10180,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
         opts.status = statusRaw;
       }
       const runs = qa.listRuns(opts);
-      res.setHeader('Access-Control-Allow-Origin', '*');
       return jsonReply(res, 200, { runs, generatedAt: new Date().toISOString() }, req);
     } catch (e) {
       return jsonReply(res, 500, { error: e.message }, req);
@@ -10181,7 +10195,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
       }
       const run = qa.getRun(id);
       if (!run) return jsonReply(res, 404, { error: 'qa run not found' }, req);
-      res.setHeader('Access-Control-Allow-Origin', '*');
       return jsonReply(res, 200, { run }, req);
     } catch (e) {
       return jsonReply(res, 500, { error: e.message }, req);
@@ -10225,7 +10238,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
       if (!stat.isFile()) return jsonReply(res, 404, { error: 'artifact not found' }, req);
       res.setHeader('Content-Type', _qaArtifactContentType(file));
       res.setHeader('Content-Length', String(stat.size));
-      res.setHeader('Access-Control-Allow-Origin', '*');
       res.statusCode = 200;
       fs.createReadStream(real).pipe(res);
       return;
@@ -10633,6 +10645,192 @@ What would you like to discuss or change? When you're happy, say "approve" and I
 
     // Status & health
     { method: 'GET', path: '/api/status', desc: 'Full dashboard status snapshot (agents, PRDs, work items, dispatch, etc.)', handler: handleStatus },
+    // Raw state-file passthrough (no /api/ prefix — this serves files, not API
+    // responses). Allowlisted top-level dirs only; mtime+size ETag → 304.
+    { method: 'GET', path: /^\/state\/.+/, desc: 'Serve a raw state file (or directory listing) from MINIONS_DIR with mtime/size ETag', handler: handleStateRead },
+    // ── Dedicated fresh-JSON endpoints (issue #2949) ───────────────────────
+    // Each runs the existing server-side enrichment fresh on every request,
+    // ETag computed from input file mtimes — no outer cache, no staleness.
+    // Pages call these instead of relying on /api/status's assembled snapshot.
+    { method: 'GET', path: '/api/agents', desc: 'Live agent roster with status/lastAction/runtime/inbox/charter — derived from config + dispatch + agents dir', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'agents',
+        inputs: [
+          CONFIG_PATH,
+          path.join(ENGINE_DIR, 'dispatch.json'),
+          INBOX_DIR,
+          AGENTS_DIR,
+        ],
+        builder: () => getAgents(),
+      });
+    }},
+    { method: 'GET', path: '/api/work-items', desc: 'Fully-enriched work items (per-project files joined + dispatch/PR cross-reference) — fresh on every request', handler: (req, res) => {
+      const config = queries.getConfig();
+      const projects = config.projects || [];
+      const inputs = [
+        CONFIG_PATH,
+        path.join(ENGINE_DIR, 'dispatch.json'),
+      ];
+      for (const p of projects) {
+        if (p && p.name) {
+          inputs.push(path.join(MINIONS_DIR, 'projects', p.name, 'work-items.json'));
+          inputs.push(path.join(MINIONS_DIR, 'projects', p.name, 'pull-requests.json'));
+        }
+      }
+      return serveFreshJson(req, res, {
+        tag: 'work-items',
+        inputs,
+        builder: () => getWorkItems(),
+      });
+    }},
+    { method: 'GET', path: '/api/pull-requests', desc: 'Fully-enriched pull requests (per-project files joined + url backfill + _project stamp)', handler: (req, res) => {
+      const config = queries.getConfig();
+      const projects = config.projects || [];
+      const inputs = [CONFIG_PATH];
+      for (const p of projects) {
+        if (p && p.name) inputs.push(path.join(MINIONS_DIR, 'projects', p.name, 'pull-requests.json'));
+      }
+      return serveFreshJson(req, res, {
+        tag: 'pull-requests',
+        inputs,
+        builder: () => queries.getPullRequests(),
+      });
+    }},
+    { method: 'GET', path: '/api/dispatch', desc: 'Live dispatch queue with completion-report summaries (pending/active/completed slices)', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'dispatch',
+        inputs: [
+          path.join(ENGINE_DIR, 'dispatch.json'),
+          path.join(ENGINE_DIR, 'metrics.json'),
+        ],
+        builder: () => getDispatchQueue(),
+      });
+    }},
+    { method: 'GET', path: '/api/metrics', desc: 'Per-agent metrics with PR/runtime enrichment (joined against pull-requests + dispatch.completed)', handler: (req, res) => {
+      const config = queries.getConfig();
+      const projects = config.projects || [];
+      const inputs = [
+        path.join(ENGINE_DIR, 'metrics.json'),
+        path.join(ENGINE_DIR, 'dispatch.json'),
+      ];
+      for (const p of projects) {
+        if (p && p.name) inputs.push(path.join(MINIONS_DIR, 'projects', p.name, 'pull-requests.json'));
+      }
+      return serveFreshJson(req, res, {
+        tag: 'metrics',
+        inputs,
+        builder: () => getMetrics(),
+      });
+    }},
+    { method: 'GET', path: '/api/prd', desc: 'PRD status + progress derived from prd/*.json × per-project work-items × pull-requests', handler: (req, res) => {
+      const config = queries.getConfig();
+      const projects = config.projects || [];
+      const inputs = [
+        CONFIG_PATH,
+        PRD_DIR,
+        path.join(PRD_DIR, 'archive'),
+        // Plans dir — getPrdInfo statSyncs plans/<plan.source_plan> to
+        // compute the `planStale` flag; edits to plans/*.md need to bust
+        // the ETag so the Regenerate prompt surfaces. (Review finding #7.)
+        path.join(MINIONS_DIR, 'plans'),
+        // Central work-items.json at MINIONS_DIR root — getPrdInfo
+        // cross-references plan items lacking a project scope. (Review #7.)
+        path.join(MINIONS_DIR, 'work-items.json'),
+      ];
+      for (const p of projects) {
+        if (p && p.name) {
+          inputs.push(path.join(MINIONS_DIR, 'projects', p.name, 'work-items.json'));
+          inputs.push(path.join(MINIONS_DIR, 'projects', p.name, 'pull-requests.json'));
+        }
+      }
+      return serveFreshJson(req, res, {
+        tag: 'prd',
+        inputs,
+        builder: () => getPrdInfo(),
+      });
+    }},
+    { method: 'GET', path: '/api/archived-prds', desc: 'List of archived PRD files with status + completedAt', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'archived-prds',
+        inputs: [path.join(PRD_DIR, 'archive')],
+        builder: () => getArchivedPrds(),
+      });
+    }},
+    { method: 'GET', path: '/api/verify-guides', desc: 'List of generated verify-guide files under prd/guides/', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'verify-guides',
+        inputs: [path.join(PRD_DIR, 'guides')],
+        builder: () => getVerifyGuides(),
+      });
+    }},
+    { method: 'GET', path: '/api/pinned', desc: 'Parsed pinned-notes entries from pinned.md (prepended to every agent prompt)', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'pinned',
+        inputs: [PINNED_PATH],
+        builder: () => {
+          try { return parsePinnedEntries(safeRead(PINNED_PATH)); } catch { return []; }
+        },
+      });
+    }},
+    { method: 'GET', path: '/api/schedules', desc: 'Schedule definitions merged with schedule-runs.json overlay (_lastRun/_lastResult/_lastCompletedAt)', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'schedules',
+        inputs: [CONFIG_PATH, path.join(ENGINE_DIR, 'schedule-runs.json')],
+        builder: () => {
+          // Read config.json directly via queries.getConfig() rather than
+          // calling reloadConfig() — the latter cascades into
+          // ensureConfiguredProjectStateFiles() which acquires
+          // mutateJsonFileLocked on every project's work-items.json AND
+          // pull-requests.json, putting the schedules sidebar poll on the
+          // critical path of every engine PR/WI writer. The builder only
+          // needs config.schedules; getConfig is a pure disk read.
+          // (Round-2 review finding #3.)
+          const cfg = queries.getConfig() || {};
+          const scheds = cfg.schedules || [];
+          const runs = shared.safeJson(path.join(ENGINE_DIR, 'schedule-runs.json')) || {};
+          return scheds.map(s => {
+            const runEntry = runs[s.id];
+            const _lastRun = typeof runEntry === 'string' ? runEntry : (runEntry?.lastRun || runEntry?.lastCompletedAt || null);
+            const extra = typeof runEntry === 'object' && runEntry ? { _lastWorkItemId: runEntry.lastWorkItemId, _lastResult: runEntry.lastResult, _lastCompletedAt: runEntry.lastCompletedAt } : {};
+            return { ...s, _lastRun, ...extra };
+          });
+        },
+      });
+    }},
+    { method: 'GET', path: '/api/pipelines', desc: 'Pipeline definitions merged with last-5 runs each from pipeline-runs.json', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'pipelines',
+        inputs: [
+          path.join(MINIONS_DIR, 'pipelines'),
+          path.join(ENGINE_DIR, 'pipeline-runs.json'),
+        ],
+        builder: () => {
+          try {
+            const pl = require('./engine/pipeline');
+            return pl.getPipelines().map(p => ({ ...p, runs: (pl.getPipelineRuns()[p.id] || []).slice(-5) }));
+          } catch {
+            return [];
+          }
+        },
+      });
+    }},
+    { method: 'GET', path: '/api/qa-runs-summary', desc: 'Sidebar-counter summary {total, sig} for QA runs (sidebar activity-dot signal)', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'qa-runs-summary',
+        inputs: [path.join(ENGINE_DIR, 'qa-runs.json')],
+        builder: () => qaRunsMod.summarizeRunsForStatus(),
+      });
+    }},
+    { method: 'GET', path: '/api/meetings-total', desc: 'Total meeting count (sidebar activity-dot signal — cheaper than fetching /api/meetings)', handler: (req, res) => {
+      return serveFreshJson(req, res, {
+        tag: 'meetings-total',
+        inputs: [path.join(MINIONS_DIR, 'meetings')],
+        builder: () => {
+          const meetings = meetingMod.getMeetings();
+          return { total: Array.isArray(meetings) ? meetings.length : 0 };
+        },
+      });
+    }},
     { method: 'GET', path: '/api/browser-presence', desc: 'Whether a dashboard browser tab was recently active', handler: (req, res) => {
       return jsonReply(res, 200, _getDashboardBrowserPresence(), req);
     }},
@@ -11107,7 +11305,6 @@ What would you like to discuss or change? When you're happy, say "approve" and I
 
     // Schedules
     { method: 'POST', path: '/api/schedules/parse-natural', desc: 'Parse natural language schedule text into cron expression', params: 'text', handler: handleSchedulesParseNatural },
-    { method: 'GET', path: '/api/schedules', desc: 'Return schedules from config + last-run times', handler: handleSchedulesList },
     { method: 'POST', path: '/api/schedules', desc: 'Create a new schedule', params: 'cron, title, id?, type?, project?, agent?, description?, priority?, enabled?', handler: handleSchedulesCreate },
     { method: 'POST', path: '/api/schedules/update', desc: 'Update an existing schedule', params: 'id, cron?, title?, type?, project?, agent?, description?, priority?, enabled?', handler: handleSchedulesUpdate },
     { method: 'POST', path: '/api/schedules/delete', desc: 'Delete a schedule', params: 'id', handler: handleSchedulesDelete },
@@ -11579,6 +11776,15 @@ module.exports = {
   refreshStatusAsync,
   handleStatus: _handleStatusRequest,
   invalidateStatusCache,
+  // Raw state-file passthrough — exported for direct unit testing.
+  handleStateRead,
+  STATE_READ_ALLOWED_DIRS,
+  STATE_READ_ALLOWED_FILES,
+  STATE_READ_DENIED_PATTERNS,
+  STATE_READ_DENIED_BASENAMES,
+  // Dedicated fresh-JSON endpoint helper (issue #2949).
+  serveFreshJson,
+  _maxInputMtimeMs,
   _getStatusCacheVersion,
   _setStatusRefreshHook,
   _resetStatusCacheForTesting,