@yemi33/minions 0.1.2105 → 0.1.2106

package/dashboard/js/qa.js

@@ -1,24 +1,31 @@
-// dashboard/js/qa.js — QA tab UI (W-mpeiwz6k0005bf34-d).
+// dashboard/js/qa.js — QA tab UI.
 //
-// Three sections:
-//  1. Targets — slim dedup'd list of /api/managed-processes + /api/keep-processes
-//     with a health badge and a link back to /engine (full inventory tables
-//     live on /engine; see W-mpdad3mq000m53bb — do NOT mirror them here).
-//  2. Runbooks — list from GET /api/qa/runbooks with an enabled "+ New runbook"
-//     button that opens an inline form (name / target dropdown / steps textarea
-//     / expected-artifacts repeater) wired to POST /api/qa/runbooks. Each row
-//     has a "Run" button that POSTs to /api/qa/runbooks/run.
-//  3. Runs — list from GET /api/qa/runs?limit=50, polled every 5s while the
-//     QA page is active. Each row links to the live agent stream and renders
-//     inline artifact previews via /api/qa/artifacts/<runId>/<file>
+// Originally W-mpeiwz6k0005bf34-d shipped this as a three-section tab with
+// inline forms for "Start QA Session" and "+ New runbook". W-mpxp7a3e000g0a49
+// (this rewrite) demoted the page to passive monitoring: session and runbook
+// CREATION now flow through Command Center; this page only renders what is
+// happening and exposes per-row operational controls.
+//
+// Sections (top → bottom):
+//  1. Active QA Sessions — non-terminal sessions only, with a CC-pitch card
+//     at the top and a collapsed disclosure for terminal sessions (last 10).
+//     Per-card controls: approve / edit / cancel / dismiss / kill.
+//  2. Live Targets — slim dedup'd list of /api/managed-processes +
+//     /api/keep-processes with a health badge and a link to /engine
+//     (W-mpdad3mq000m53bb — do NOT mirror the full inventory here).
+//  3. Recent Runs — list from GET /api/qa/runs?limit=20, polled every 5s
+//     while the QA page is active. Each row links to the live agent stream
+//     and renders inline artifact previews via /api/qa/artifacts/<runId>/<file>
 //     (screenshots as <img>, videos as <video>, logs as 40-line text preview
 //     with a "View full" link). No direct filesystem paths are exposed —
 //     artifact URLs always go through /api/qa/artifacts/.
+//  4. Validation Runbooks — collapsed disclosure with a small CC-pitch and
+//     the runbook list. Each row has a Run + Delete button.
 //
-// The polling interval is cleared on page navigation via the switchPage
-// wrapper below (matches the same pattern keep_processes / managed-spawn
-// uses on /engine). The wrapper ALSO closes any open managed-log SSE so a
-// modal opened from /engine doesn't keep streaming after the user navigates.
+// The polling interval is cleared on page navigation via the PAGE_LEAVE_HOOKS
+// in state.js (W-mpgb0xa7000d90d4). closeManagedLog is invoked from the same
+// hook so a modal opened from /engine doesn't keep streaming after the user
+// navigates.
 
 let _qaRunsPollInterval = null;
 let _qaTargetsCache = [];
@@ -39,6 +46,22 @@ function _startQaRunsPoll() {
   _qaRunsPollInterval = setInterval(loadQaRuns, 5000);
 }
 
+// W-mpxp7a3e000g0a49 — open Command Center drawer + focus the composer.
+// toggleCommandCenter() flips _ccOpen, so re-invoking when already open
+// would close it; guard against that and just focus the input instead.
+function qaFocusCommandCenter() {
+  try {
+    const alreadyOpen = (typeof _ccOpen !== 'undefined') ? !!_ccOpen
+      : ((typeof window !== 'undefined') && !!window._ccOpen);
+    if (!alreadyOpen && typeof toggleCommandCenter === 'function') {
+      toggleCommandCenter();
+      return; // toggleCommandCenter focuses #cc-input on open
+    }
+    const input = document.getElementById('cc-input');
+    if (input) input.focus();
+  } catch (_e) { /* never let a focus helper crash the page */ }
+}
+
 // ── Section 1: Targets ─────────────────────────────────────────────────────
 async function loadQaTargets() {
   const root = document.getElementById('qa-targets-content');
@@ -176,6 +199,7 @@ async function loadQaRunbooks() {
     }
   } catch (e) { err = e; }
   _qaRunbooksCache = items;
+  _qaUpdateRunbooksDisclosureCount(items.length);
 
   if (err) {
     // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: err.message)
@@ -187,7 +211,7 @@ async function loadQaRunbooks() {
   }
   if (!items.length) {
     const frag = document.createRange().createContextualFragment(
-      '<p class="empty">No runbooks yet. Click <strong>+ New runbook</strong> to create one.</p>'
+      '<p class="empty">No runbooks saved yet.</p>'
     );
     root.replaceChildren(frag);
     return;
@@ -204,7 +228,10 @@ async function loadQaRunbooks() {
           artifactsCount + ' expected artifact' + (artifactsCount === 1 ? '' : 's') +
         '</div>' +
       '</div>' +
-      '<button class="qa-btn-primary qa-runbook-run-btn" data-runbook-id="' + escHtml(id) + '" onclick="qaRunRunbook(this.dataset.runbookId)">Run</button>' +
+      '<div class="qa-runbook-actions" style="display:flex;gap:var(--space-2)">' +
+        '<button class="qa-btn-primary qa-runbook-run-btn" data-runbook-id="' + escHtml(id) + '" onclick="qaRunRunbook(this.dataset.runbookId)">Run</button>' +
+        '<button class="qa-btn-ghost qa-btn-danger qa-runbook-delete-btn" data-runbook-id="' + escHtml(id) + '" onclick="qaDeleteRunbook(this.dataset.runbookId)">Delete</button>' +
+      '</div>' +
       '</div>';
   }).join('');
   // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: runbook id, name, target)
@@ -212,93 +239,27 @@ async function loadQaRunbooks() {
   root.replaceChildren(frag);
 }
 
-function qaShowNewRunbookForm() {
-  const wrap = document.getElementById('qa-runbook-form-wrap');
-  if (!wrap) return;
-  wrap.style.display = 'block';
-  // Make sure target dropdown reflects the current target cache.
-  _qaPopulateTargetDropdown();
-  const name = document.getElementById('qa-runbook-name');
-  if (name) name.focus();
-}
-
-function qaHideNewRunbookForm() {
-  const wrap = document.getElementById('qa-runbook-form-wrap');
-  if (!wrap) return;
-  wrap.style.display = 'none';
-  const msg = document.getElementById('qa-runbook-form-msg');
-  if (msg) msg.textContent = '';
-}
-
-function qaAddArtifactRow() {
-  const wrap = document.getElementById('qa-runbook-artifacts');
-  if (!wrap) return;
-  const row = document.createElement('div');
-  row.className = 'qa-artifact-row';
-  const input = document.createElement('input');
-  input.type = 'text';
-  input.className = 'qa-form-input qa-artifact-input';
-  input.placeholder = 'log:test.log';
-  const btn = document.createElement('button');
-  btn.type = 'button';
-  btn.className = 'qa-btn-ghost';
-  btn.textContent = '−';
-  btn.onclick = function () { qaRemoveArtifactRow(btn); };
-  row.appendChild(input);
-  row.appendChild(btn);
-  wrap.appendChild(row);
-}
-
-function qaRemoveArtifactRow(btn) {
-  const row = btn && btn.closest ? btn.closest('.qa-artifact-row') : null;
-  if (!row) return;
-  const wrap = document.getElementById('qa-runbook-artifacts');
-  if (wrap && wrap.children.length <= 1) {
-    // Don't delete the last row — just clear it.
-    const inp = row.querySelector('input');
-    if (inp) inp.value = '';
-    return;
-  }
-  row.remove();
+// W-mpxp7a3e000g0a49 — keep the "Show saved runbooks (N)" disclosure summary
+// in sync with the runbook count after every load.
+function _qaUpdateRunbooksDisclosureCount(n) {
+  const sum = document.getElementById('qa-runbooks-disclosure-summary');
+  if (sum) sum.textContent = 'Show saved runbooks (' + n + ')';
 }
 
-async function qaSaveRunbook() {
-  const msg = document.getElementById('qa-runbook-form-msg');
-  const name = (document.getElementById('qa-runbook-name') || {}).value || '';
-  const target = (document.getElementById('qa-runbook-target') || {}).value || '';
-  const stepsRaw = (document.getElementById('qa-runbook-steps') || {}).value || '';
-  const artifactInputs = document.querySelectorAll('#qa-runbook-artifacts .qa-artifact-input');
-  const expectedArtifacts = Array.from(artifactInputs)
-    .map(function (i) { return (i.value || '').trim(); })
-    .filter(Boolean);
-  if (!name.trim() || !target.trim() || !stepsRaw.trim()) {
-    if (msg) { msg.textContent = 'Name, target and steps are required.'; msg.style.color = 'var(--red)'; }
-    return;
-  }
-  if (msg) { msg.textContent = 'Saving…'; msg.style.color = 'var(--muted)'; }
+async function qaDeleteRunbook(id) {
+  if (!id) return;
+  const rb = _qaRunbooksCache.find(function (r) { return (r.id || r.name) === id; });
+  const label = rb ? (rb.name || id) : id;
+  if (!confirm('Delete runbook "' + label + '"? This cannot be undone.')) return;
   try {
-    const res = await fetch('/api/qa/runbooks', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
-        name: name.trim(),
-        target: target.trim(),
-        steps: stepsRaw,
-        expectedArtifacts,
-      }),
-    });
+    const res = await fetch('/api/qa/runbooks/' + encodeURIComponent(id), { method: 'DELETE' });
     if (!res.ok) {
       const txt = await res.text().catch(() => '');
       throw new Error('HTTP ' + res.status + (txt ? ': ' + txt.slice(0, 200) : ''));
     }
-    if (msg) { msg.textContent = 'Saved.'; msg.style.color = 'var(--green)'; }
-    // Reset form + reload list.
-    const form = document.getElementById('qa-runbook-form');
-    if (form) form.reset();
-    qaHideNewRunbookForm();
     loadQaRunbooks();
   } catch (e) {
-    if (msg) { msg.textContent = 'Failed to save: ' + (e.message || String(e)); msg.style.color = 'var(--red)'; }
+    alert('Failed to delete runbook "' + label + '": ' + (e.message || String(e)));
   }
 }
 
@@ -331,7 +292,7 @@ async function loadQaRuns() {
   let items = [];
   let err = null;
   try {
-    const res = await fetch('/api/qa/runs?limit=50');
+    const res = await fetch('/api/qa/runs?limit=20');
     if (res.ok) {
       const data = await res.json();
       items = Array.isArray(data && data.items) ? data.items : (Array.isArray(data) ? data : []);
@@ -550,29 +511,16 @@ function _startQaSessionsPoll() {
   _qaSessionsPollInterval = setInterval(loadQaSessions, 3000);
 }
 
-// Show / hide the per-target-kind sub-input. Called from the kind dropdown
-// onchange so users only see the field that maps to their selected kind.
-function qaSessionTargetKindChanged() {
-  const kind = document.getElementById('qa-session-target-kind');
-  if (!kind) return;
-  const wraps = {
-    pr: 'qa-session-target-pr-wrap',
-    branch: 'qa-session-target-branch-wrap',
-    commit: 'qa-session-target-sha-wrap',
-    current: 'qa-session-target-worktree-wrap',
-  };
-  for (const id of Object.values(wraps)) {
-    const el = document.getElementById(id);
-    if (el) el.style.display = 'none';
-  }
-  const showId = wraps[kind.value];
-  if (showId) {
-    const el = document.getElementById(showId);
-    if (el) el.style.display = '';
-  }
-}
+// W-mpxp7a3e000g0a49 — qaSessionTargetKindChanged removed; the inline
+// "Start QA Session" form has moved to Command Center. loadQaRunners and
+// loadQaProjectsSelect below are no-ops on this page (their target DOM
+// elements were removed with the form) but remain exported so the
+// PAGE_LAZY_LOADERS registry in state.js can still reference them by
+// name without throwing.
 
 async function loadQaRunners() {
+  // Form removed (W-mpxp7a3e000g0a49) — dropdown no longer exists, so this
+  // early-returns. Kept exported because PAGE_LAZY_LOADERS.qa references it.
   const sel = document.getElementById('qa-session-runner');
   if (!sel) return;
   try {
@@ -628,8 +576,9 @@ async function loadQaProjectsSelect() {
 }
 
 async function loadQaSessions() {
-  const root = document.getElementById('qa-sessions-content');
-  if (!root) return;
+  const activeRoot = document.getElementById('qa-sessions-content');
+  const recentRoot = document.getElementById('qa-sessions-recent-content');
+  if (!activeRoot) return;
   let sessions = [];
   let err = null;
   try {
@@ -643,27 +592,46 @@ async function loadQaSessions() {
     const frag = document.createRange().createContextualFragment(
       '<p class="empty" style="color:var(--red)">Failed to load sessions: ' + escHtml(err.message || String(err)) + '</p>'
     );
-    root.replaceChildren(frag);
+    activeRoot.replaceChildren(frag);
     return;
   }
 
   _qaSessionsCache = sessions;
-  if (!sessions.length) {
+
+  // W-mpxp7a3e000g0a49 — split into active (non-terminal) + recent (terminal,
+  // last 10). Active list is the primary surface; terminal sessions live
+  // behind a collapsed disclosure to keep the page scannable.
+  const active = sessions.filter(s => s && !QA_SESSION_TERMINAL_STATES.has(s.state));
+  const terminal = sessions.filter(s => s && QA_SESSION_TERMINAL_STATES.has(s.state)).slice(0, 10);
+
+  if (!active.length) {
     const frag = document.createRange().createContextualFragment(
-      '<p class="empty">No QA sessions yet. Use the form above to start one.</p>'
+      '<p class="empty">No active QA sessions.</p>'
     );
-    root.replaceChildren(frag);
-    _qaAfterSessionsRender();
-    return;
+    activeRoot.replaceChildren(frag);
+  } else {
+    let html = '';
+    for (const s of active) html += _qaRenderSessionCard(s);
+    // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: session id, state, target sub-fields, mode, runner, error/summary/failureClass)
+    const frag = document.createRange().createContextualFragment(html);
+    activeRoot.replaceChildren(frag);
   }
 
-  let html = '';
-  for (const s of sessions) {
-    html += _qaRenderSessionCard(s);
+  if (recentRoot) {
+    if (!terminal.length) {
+      const frag = document.createRange().createContextualFragment(
+        '<p class="empty">No recent sessions.</p>'
+      );
+      recentRoot.replaceChildren(frag);
+    } else {
+      let html = '';
+      for (const s of terminal) html += _qaRenderSessionCard(s);
+      // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: session id, state, target sub-fields, mode, runner, error/summary/failureClass)
+      const frag = document.createRange().createContextualFragment(html);
+      recentRoot.replaceChildren(frag);
+    }
   }
-  // eslint-disable-next-line no-unsanitized/method -- reason: structural HTML is a string literal; all user data wrapped in escHtml() (fields: session id, state, target sub-fields, mode, runner, error/summary/failureClass)
-  const frag = document.createRange().createContextualFragment(html);
-  root.replaceChildren(frag);
+
   _qaAfterSessionsRender();
 }
 
@@ -695,11 +663,13 @@ function _qaRenderSessionCard(s) {
   const phases = _qaRenderPhaseChips(state);
 
   // Action buttons depend on session state:
-  //   - awaiting-approval → [APPROVE & RUN] [EDIT] [CANCEL]
+  //   - awaiting-approval → [REVIEW DRAFT] [APPROVE & RUN] [EDIT] [CANCEL]
+  //     The Review draft button comes first so users read before approving.
   //   - non-terminal      → footer always shows [DISMISS] [KILL SPAWN]
   //   - terminal          → no actions
   let actions = '';
   if (state === 'awaiting-approval') {
+    actions += '<button class="qa-btn-ghost" onclick="qaSessionReviewDraft(\'' + escHtml(id) + '\')">Review draft</button>';
     actions += '<button class="qa-btn-primary" onclick="qaSessionApprove(\'' + escHtml(id) + '\')">Approve &amp; run</button>';
     actions += '<button class="qa-btn-ghost" onclick="qaSessionEditPrompt(\'' + escHtml(id) + '\')">Edit</button>';
     actions += '<button class="qa-btn-ghost" onclick="qaSessionCancel(\'' + escHtml(id) + '\')">Cancel</button>';
@@ -788,71 +758,9 @@ function _qaSummarizeTarget(target) {
   }
 }
 
-async function qaSubmitSessionForm() {
-  const msg = document.getElementById('qa-session-form-msg');
-  const submit = document.getElementById('qa-session-submit');
-  if (msg) msg.textContent = '';
-  if (submit) submit.disabled = true;
-
-  const kind = (document.getElementById('qa-session-target-kind') || {}).value;
-  const target = { kind };
-  if (kind === 'pr')     target.prId    = (document.getElementById('qa-session-target-pr-id') || {}).value || '';
-  if (kind === 'branch') target.branch  = (document.getElementById('qa-session-target-branch') || {}).value || '';
-  if (kind === 'commit') target.sha     = (document.getElementById('qa-session-target-sha') || {}).value || '';
-  if (kind === 'current') {
-    const wt = (document.getElementById('qa-session-target-worktree') || {}).value || '';
-    if (wt) target.worktree = wt;
-  }
-  const flowsRaw = (document.getElementById('qa-session-flows') || {}).value || '';
-  const mode = (document.getElementById('qa-session-mode') || {}).value || 'confirm';
-  const runner = (document.getElementById('qa-session-runner') || {}).value || '';
-  // W-mpq6xqzj000606d0 — Multi-select projects dropdown. First selected =
-  // primary (drives DRAFT/EXECUTE); rest = co-services (dev-up only).
-  // Empty selection = central (no project).
-  const projectsSel = document.getElementById('qa-session-projects');
-  const projects = projectsSel
-    ? Array.from(projectsSel.selectedOptions || []).map(o => o.value).filter(Boolean)
-    : [];
-  const capture = {
-    video: !!(document.getElementById('qa-session-capture-video') || {}).checked,
-    screenshots: !!(document.getElementById('qa-session-capture-screenshots') || {}).checked,
-    logs: !!(document.getElementById('qa-session-capture-logs') || {}).checked,
-  };
-  const body = { target, flowsRaw, mode, capture };
-  if (runner) body.runner = runner;
-  if (projects.length > 0) body.projects = projects;
-
-  try {
-    const res = await fetch('/api/qa/session', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify(body),
-    });
-    const json = await res.json().catch(() => ({}));
-    if (!res.ok) {
-      if (msg) msg.textContent = 'Error ' + res.status + ': ' + (json.error || 'unknown');
-      if (msg) msg.style.color = 'var(--red)';
-      return;
-    }
-    if (msg) {
-      msg.textContent = 'Session ' + (json.sessionId || '') + ' queued.';
-      msg.style.color = 'var(--green)';
-    }
-    // Reset only the flows (the rest is sticky for fast iteration).
-    const flowsEl = document.getElementById('qa-session-flows');
-    if (flowsEl) flowsEl.value = '';
-    // Optimistic refresh + restart polling — a new non-terminal session
-    // means the auto-stop heuristic should reactivate.
-    _startQaSessionsPoll();
-  } catch (e) {
-    if (msg) {
-      msg.textContent = 'Network error: ' + (e && e.message || String(e));
-      msg.style.color = 'var(--red)';
-    }
-  } finally {
-    if (submit) submit.disabled = false;
-  }
-}
+// W-mpxp7a3e000g0a49 — qaSubmitSessionForm removed; creating QA sessions
+// now flows through Command Center (POST /api/qa/session is still wired
+// for CC and external callers, but the inline form on this page is gone).
 
 async function _qaSessionPost(url, label, body) {
   try {
@@ -904,3 +812,289 @@ function qaSessionEditPrompt(id) {
   if (!fb || !fb.trim()) return null;
   return qaSessionEdit(id, fb);
 }
+
+// ── Review draft modal (W-mpxpvpwn000ra419) ──────────────────────────────
+//
+// Greenfield modal infrastructure. There is no reusable generic modal in
+// dashboard/js/* today (modal-qa.js is doc-chat, not a modal shell), so the
+// minimal one below is inlined here. Read-only by design — editing a draft
+// continues to flow through the existing prompt()-based qaSessionEditPrompt
+// path. The "Request edit" button in the modal footer just calls it.
+//
+// All DOM construction uses document.createElement + appendChild (and
+// textContent for any caller-supplied content) so eslint-plugin-no-unsanitized
+// stays happy. The only HTML-string interpolation is for static structural
+// markup (icons + class names), which the lint rule explicitly allows.
+//
+// State invariants:
+//  - Idempotent open: a re-open while a modal is already mounted no-ops if
+//    the sessionId matches, or closes-then-reopens for a different session.
+//  - Close on backdrop click + Esc; both paths route through _qaModalClose
+//    so the keydown listener and focus restore happen exactly once.
+//  - Focus restores to the originating button on close (a11y).
+
+let _qaModalState = null; // { sessionId, root, originButton, keydownHandler }
+
+function qaSessionReviewDraft(id) {
+  if (!id) return null;
+  // Idempotent: same id → no-op; different id → close + reopen.
+  if (_qaModalState) {
+    if (_qaModalState.sessionId === id) return null;
+    _qaModalClose();
+  }
+  _qaInstallModalStyle();
+  // Capture the focused button so we can restore focus on close (a11y).
+  const originButton = (document.activeElement && document.activeElement.tagName === 'BUTTON')
+    ? document.activeElement
+    : null;
+  // Mount the shell synchronously with a "Loading…" body so the modal feels
+  // responsive even on slow fetches. We replace the body once the test file
+  // comes back from /api/qa/sessions/<id>/test.
+  const root = _qaBuildModalShell(id);
+  document.body.appendChild(root);
+  const keydownHandler = (e) => {
+    if (e.key === 'Escape') {
+      e.preventDefault();
+      _qaModalClose();
+    }
+  };
+  document.addEventListener('keydown', keydownHandler);
+  _qaModalState = { sessionId: id, root, originButton, keydownHandler };
+  // Fetch + render body. We don't block opening on the fetch — the spinner
+  // is shown until the response lands.
+  fetch('/api/qa/sessions/' + encodeURIComponent(id) + '/test')
+    .then(res => res.json().catch(() => ({})).then(json => ({ res, json })))
+    .then(({ res, json }) => {
+      if (!_qaModalState || _qaModalState.sessionId !== id) return; // closed mid-flight
+      if (!res.ok || !json || !json.ok) {
+        _qaModalRenderError(json && json.error ? String(json.error) : 'Failed to load draft (' + res.status + ')');
+        return;
+      }
+      _qaModalRenderBody(json);
+    })
+    .catch((e) => {
+      if (!_qaModalState || _qaModalState.sessionId !== id) return;
+      _qaModalRenderError(e && e.message || String(e));
+    });
+  return null;
+}
+
+function _qaModalClose() {
+  if (!_qaModalState) return;
+  const { root, originButton, keydownHandler } = _qaModalState;
+  _qaModalState = null;
+  if (keydownHandler) document.removeEventListener('keydown', keydownHandler);
+  if (root && root.parentNode) root.parentNode.removeChild(root);
+  // Restore focus to the originating button for keyboard navigation.
+  if (originButton && typeof originButton.focus === 'function') {
+    try { originButton.focus(); } catch (_) { /* noop */ }
+  }
+}
+
+function _qaBuildModalShell(sessionId) {
+  const backdrop = document.createElement('div');
+  backdrop.className = 'qa-modal-backdrop';
+  backdrop.setAttribute('role', 'dialog');
+  backdrop.setAttribute('aria-modal', 'true');
+  backdrop.setAttribute('aria-label', 'Review drafted QA test');
+  backdrop.addEventListener('click', (e) => {
+    if (e.target === backdrop) _qaModalClose();
+  });
+
+  const shell = document.createElement('div');
+  shell.className = 'qa-modal-shell';
+  backdrop.appendChild(shell);
+
+  // Header
+  const header = document.createElement('div');
+  header.className = 'qa-modal-header';
+  const title = document.createElement('div');
+  title.className = 'qa-modal-title';
+  title.textContent = 'Drafted test — (loading…)';
+  header.appendChild(title);
+  const closeBtn = document.createElement('button');
+  closeBtn.type = 'button';
+  closeBtn.className = 'qa-btn-ghost qa-modal-close';
+  closeBtn.setAttribute('aria-label', 'Close');
+  closeBtn.textContent = '×';
+  closeBtn.addEventListener('click', _qaModalClose);
+  header.appendChild(closeBtn);
+  shell.appendChild(header);
+
+  // Meta strip
+  const meta = document.createElement('div');
+  meta.className = 'qa-modal-meta';
+  meta.setAttribute('data-qa-modal-region', 'meta');
+  const metaSession = document.createElement('span');
+  metaSession.className = 'qa-modal-meta-item';
+  metaSession.textContent = 'session: ' + sessionId;
+  meta.appendChild(metaSession);
+  shell.appendChild(meta);
+
+  // Body
+  const body = document.createElement('div');
+  body.className = 'qa-modal-body';
+  body.setAttribute('data-qa-modal-region', 'body');
+  const loading = document.createElement('p');
+  loading.className = 'qa-modal-loading';
+  loading.textContent = 'Loading draft…';
+  body.appendChild(loading);
+  shell.appendChild(body);
+
+  // Footer
+  const footer = document.createElement('div');
+  footer.className = 'qa-modal-footer';
+  footer.setAttribute('data-qa-modal-region', 'footer');
+  shell.appendChild(footer);
+
+  return backdrop;
+}
+
+function _qaModalRenderError(message) {
+  if (!_qaModalState) return;
+  const body = _qaModalState.root.querySelector('[data-qa-modal-region="body"]');
+  if (!body) return;
+  body.textContent = '';
+  const err = document.createElement('p');
+  err.className = 'qa-modal-error';
+  err.textContent = message;
+  body.appendChild(err);
+}
+
+function _qaModalRenderBody(payload) {
+  if (!_qaModalState) return;
+  const id = _qaModalState.sessionId;
+  const root = _qaModalState.root;
+  // Update header title with the test file path.
+  const title = root.querySelector('.qa-modal-title');
+  if (title) title.textContent = 'Drafted test — ' + (payload.path || '(unknown file)');
+
+  // Augment meta strip with language + size.
+  const meta = root.querySelector('[data-qa-modal-region="meta"]');
+  if (meta) {
+    const lang = document.createElement('span');
+    lang.className = 'qa-modal-meta-item';
+    lang.textContent = 'language: ' + (payload.language || 'plaintext');
+    meta.appendChild(lang);
+    const size = document.createElement('span');
+    size.className = 'qa-modal-meta-item';
+    size.textContent = 'size: ' + (typeof payload.size === 'number' ? payload.size + ' bytes' : 'unknown');
+    meta.appendChild(size);
+  }
+
+  // Body: either code block or "too large" placeholder.
+  const body = root.querySelector('[data-qa-modal-region="body"]');
+  if (body) {
+    body.textContent = '';
+    if (payload.truncated) {
+      const tooBig = document.createElement('p');
+      tooBig.className = 'qa-modal-too-big';
+      // payload.path is the relative session.testFile from the API; render the
+      // hint with textContent so escHtml-style XSS is impossible by construction.
+      tooBig.textContent = 'File is ' + (payload.size || 0) +
+        ' bytes — open engine/qa-tests/' + id + '/' + (payload.path || '') +
+        ' to review.';
+      body.appendChild(tooBig);
+    } else {
+      const pre = document.createElement('pre');
+      pre.className = 'qa-modal-code';
+      const code = document.createElement('code');
+      // Assign the raw file content via textContent — the DOM treats the value
+      // as literal text and neutralizes any HTML/script for free. Do NOT wrap
+      // with escHtml(): textContent would then render the escape entities
+      // (&lt;, &gt;, &#39;, &amp;) verbatim, defeating the source preview for
+      // any TS/JS/Py file with <, >, &, or ' characters (W-mpxpvpwn000ra419).
+      code.textContent = String(payload.content || '');
+      pre.appendChild(code);
+      body.appendChild(pre);
+    }
+  }
+
+  // Footer: Approve & run + Request edit + Close. Approve is suppressed when
+  // the file is truncated (>256KB) so users can't blind-approve a megabyte.
+  const footer = root.querySelector('[data-qa-modal-region="footer"]');
+  if (footer) {
+    footer.textContent = '';
+    if (!payload.truncated) {
+      const approve = document.createElement('button');
+      approve.type = 'button';
+      approve.className = 'qa-btn-primary';
+      approve.textContent = 'Approve & run';
+      approve.addEventListener('click', () => {
+        _qaModalClose();
+        qaSessionApprove(id);
+      });
+      footer.appendChild(approve);
+    }
+    const editBtn = document.createElement('button');
+    editBtn.type = 'button';
+    editBtn.className = 'qa-btn-ghost';
+    editBtn.textContent = 'Request edit';
+    editBtn.addEventListener('click', () => {
+      _qaModalClose();
+      qaSessionEditPrompt(id);
+    });
+    footer.appendChild(editBtn);
+    const closeBtn = document.createElement('button');
+    closeBtn.type = 'button';
+    closeBtn.className = 'qa-btn-ghost';
+    closeBtn.textContent = 'Close';
+    closeBtn.addEventListener('click', _qaModalClose);
+    footer.appendChild(closeBtn);
+  }
+}
+
+// Inject modal CSS once. Keyed off a data attribute on the <style> tag so
+// repeated calls (e.g. from a re-rendered card) don't duplicate the block.
+function _qaInstallModalStyle() {
+  if (document.querySelector('style[data-qa-modal-style]')) return;
+  const style = document.createElement('style');
+  style.setAttribute('data-qa-modal-style', '1');
+  style.textContent = [
+    '.qa-modal-backdrop {',
+    '  position: fixed; inset: 0; z-index: 9999;',
+    '  background: rgba(0,0,0,0.5);',
+    '  display: flex; align-items: center; justify-content: center;',
+    '}',
+    '.qa-modal-shell {',
+    '  background: var(--surface, #fff);',
+    '  color: var(--text, #111);',
+    '  border-radius: 8px;',
+    '  max-width: 80vw; max-height: 80vh;',
+    '  width: 800px;',
+    '  display: flex; flex-direction: column;',
+    '  box-shadow: 0 8px 32px rgba(0,0,0,0.3);',
+    '  border: 1px solid var(--border, #ddd);',
+    '}',
+    '.qa-modal-header {',
+    '  display: flex; align-items: center; justify-content: space-between;',
+    '  padding: 12px 16px; border-bottom: 1px solid var(--border, #ddd);',
+    '}',
+    '.qa-modal-title { font-weight: 600; }',
+    '.qa-modal-close { font-size: 20px; padding: 0 8px; }',
+    '.qa-modal-meta {',
+    '  display: flex; gap: 12px; flex-wrap: wrap;',
+    '  padding: 8px 16px; border-bottom: 1px solid var(--border, #ddd);',
+    '  font-size: 12px; color: var(--muted, #666);',
+    '}',
+    '.qa-modal-meta-item { white-space: nowrap; }',
+    '.qa-modal-body { flex: 1; overflow: auto; padding: 12px 16px; }',
+    '.qa-modal-code {',
+    '  font-family: ui-monospace, Menlo, Consolas, monospace;',
+    '  font-size: 12px; line-height: 1.5;',
+    '  background: var(--surface2, #f6f6f6);',
+    '  border: 1px solid var(--border, #ddd);',
+    '  border-radius: 4px; padding: 12px;',
+    '  white-space: pre; overflow: auto;',
+    '  margin: 0;',
+    '}',
+    '.qa-modal-too-big { color: var(--muted, #666); font-style: italic; }',
+    '.qa-modal-error { color: var(--red, #c00); }',
+    '.qa-modal-loading { color: var(--muted, #666); }',
+    '.qa-modal-footer {',
+    '  display: flex; gap: 8px; justify-content: flex-end;',
+    '  padding: 12px 16px; border-top: 1px solid var(--border, #ddd);',
+    '}',
+  ].join('\n');
+  document.head.appendChild(style);
+}

package/dashboard/pages/qa.html

@@ -1,131 +1,56 @@
       <section>
         <h2>QA</h2>
-        <p class="empty" style="margin:4px 0 12px 0">Validation runbooks dispatched against live managed instances. Targets, runbooks, and run history with artifact previews.</p>
+        <p class="empty" style="margin:4px 0 12px 0">Passive monitor for QA sessions, live targets, runs, and saved runbooks. Create new sessions or runbooks from <button type="button" class="qa-inline-link" onclick="qaFocusCommandCenter()">Command Center</button>.</p>
       </section>
       <section id="qa-sessions-section" class="qa-section">
-        <h2>QA Sessions <span class="qa-section-subtitle">natural-language smoke tests — engine sets up a live target, drafts a runner-native test, and (with your approval) executes it</span></h2>
-        <div class="qa-session-form-wrap">
-          <form id="qa-session-form" onsubmit="event.preventDefault();qaSubmitSessionForm();">
-            <div class="qa-form-row qa-form-row--grid">
-              <div>
-                <label class="qa-form-label" for="qa-session-target-kind">Target</label>
-                <select id="qa-session-target-kind" class="qa-form-input" onchange="qaSessionTargetKindChanged()">
-                  <option value="current">Current worktree</option>
-                  <option value="pr">Pull request</option>
-                  <option value="branch">Branch</option>
-                  <option value="commit">Commit SHA</option>
-                </select>
-              </div>
-              <div>
-                <label class="qa-form-label" for="qa-session-projects">Projects</label>
-                <select id="qa-session-projects" class="qa-form-input" multiple size="3"></select>
-                <p class="empty" style="margin-top:4px;font-size:0.85em">Hold Ctrl/Cmd to select multiple. First selected = primary (drives DRAFT/EXECUTE). Others = co-services (dev-up only). Leave empty = central.</p>
-              </div>
-            </div>
-            <div class="qa-form-row qa-session-target-fields">
-              <div id="qa-session-target-pr-wrap" class="qa-session-target-sub" style="display:none">
-                <label class="qa-form-label" for="qa-session-target-pr-id">PR id</label>
-                <input id="qa-session-target-pr-id" type="text" class="qa-form-input" placeholder="2887">
-              </div>
-              <div id="qa-session-target-branch-wrap" class="qa-session-target-sub" style="display:none">
-                <label class="qa-form-label" for="qa-session-target-branch">Branch</label>
-                <input id="qa-session-target-branch" type="text" class="qa-form-input" placeholder="work/my-feature">
-              </div>
-              <div id="qa-session-target-sha-wrap" class="qa-session-target-sub" style="display:none">
-                <label class="qa-form-label" for="qa-session-target-sha">Commit SHA</label>
-                <input id="qa-session-target-sha" type="text" class="qa-form-input" placeholder="abc1234">
-              </div>
-              <div id="qa-session-target-worktree-wrap" class="qa-session-target-sub">
-                <label class="qa-form-label" for="qa-session-target-worktree">Worktree path</label>
-                <input id="qa-session-target-worktree" type="text" class="qa-form-input" placeholder="(blank = $MINIONS_AGENT_CWD)">
-              </div>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-session-flows">Flows</label>
-              <textarea id="qa-session-flows" class="qa-form-input qa-form-textarea" placeholder="open the homepage, click login, verify the dashboard renders" required></textarea>
-            </div>
-            <div class="qa-form-row qa-form-row--inline">
-              <div>
-                <label class="qa-form-label" for="qa-session-mode">Mode</label>
-                <select id="qa-session-mode" class="qa-form-input">
-                  <option value="confirm">Confirm (review draft first)</option>
-                  <option value="auto">Auto (skip approval)</option>
-                </select>
-              </div>
-              <div>
-                <label class="qa-form-label" for="qa-session-runner">Runner</label>
-                <select id="qa-session-runner" class="qa-form-input">
-                  <option value="">Auto-detect</option>
-                </select>
-              </div>
-              <div class="qa-session-capture-group">
-                <label class="qa-form-label">Capture</label>
-                <label class="qa-session-capture-item"><input id="qa-session-capture-screenshots" type="checkbox" checked> screenshots</label>
-                <label class="qa-session-capture-item"><input id="qa-session-capture-video" type="checkbox"> video</label>
-                <label class="qa-session-capture-item"><input id="qa-session-capture-logs" type="checkbox" checked> logs</label>
-              </div>
-            </div>
-            <div class="qa-form-row qa-form-actions">
-              <button type="submit" id="qa-session-submit" class="qa-btn-primary">Start QA Session</button>
-              <span id="qa-session-form-msg" class="qa-form-msg"></span>
-            </div>
-          </form>
+        <h2>Active QA Sessions <span class="qa-section-subtitle">live, non-terminal runs — engine sets up a target, drafts a runner-native test, and (with your approval) executes it</span></h2>
+        <div id="qa-cc-pitch" class="qa-cc-pitch" style="border:1px solid var(--border);border-radius:var(--radius-md);background:var(--surface2);padding:var(--space-5);margin-bottom:var(--space-5);display:flex;flex-direction:column;gap:var(--space-3)">
+          <div style="font-weight:600;color:var(--text);display:flex;align-items:center;gap:var(--space-2)">💬 Ask Command Center to start a QA session</div>
+          <div style="color:var(--muted);font-size:var(--text-base);line-height:1.5">
+            Examples:
+            <ul style="margin:var(--space-2) 0 0 var(--space-5);padding:0;color:var(--muted)">
+              <li><code>QA the login flow on PR #1234</code></li>
+              <li><code>Smoke test the checkout flow on develop</code></li>
+              <li><code>Validate the signup journey on my current worktree</code></li>
+            </ul>
+          </div>
+          <div style="display:flex;gap:var(--space-3);align-items:center;margin-top:var(--space-2)">
+            <button type="button" id="qa-cc-pitch-open" class="qa-btn-primary" onclick="qaFocusCommandCenter()">Open Command Center →</button>
+            <a href="/state/docs/qa-runbook-lifecycle.md" target="_blank" rel="noopener" class="qa-cc-pitch-docs" style="color:var(--blue);font-size:var(--text-base)">Docs →</a>
+          </div>
         </div>
         <div id="qa-sessions-content" class="qa-sessions-list">
           <p class="empty">Loading sessions…</p>
         </div>
+        <details id="qa-sessions-recent" class="qa-disclosure" style="margin-top:var(--space-5);border-top:1px solid var(--border);padding-top:var(--space-4)">
+          <summary id="qa-sessions-recent-summary" style="cursor:pointer;font-size:var(--text-base);color:var(--muted)">Recent sessions (last 10)</summary>
+          <div id="qa-sessions-recent-content" class="qa-sessions-list" style="margin-top:var(--space-3)">
+            <p class="empty">No recent sessions.</p>
+          </div>
+        </details>
       </section>
       <section id="qa-targets-section" class="qa-section">
-        <h2>Targets <span class="qa-section-subtitle">live managed/keep processes available as runbook targets — full inventory lives on <a href="/engine" class="qa-engine-link">/engine</a></span></h2>
+        <h2>Live Targets <span class="qa-section-subtitle">managed/keep processes available as runbook targets — full inventory on <a href="/engine" class="qa-engine-link">/engine</a></span></h2>
         <div id="qa-targets-content" class="qa-targets-list">
           <p class="empty">Loading targets…</p>
         </div>
       </section>
-      <section id="qa-runbooks-section" class="qa-section">
-        <h2>Validation Runbooks <span class="qa-section-subtitle">human or agent-driven smoke / E2E flows against the targets above</span></h2>
-        <div class="qa-runbooks-actions">
-          <button id="qa-new-runbook-btn" class="qa-btn-primary" onclick="qaShowNewRunbookForm()">+ New runbook</button>
-        </div>
-        <div id="qa-runbook-form-wrap" class="qa-runbook-form" style="display:none">
-          <form id="qa-runbook-form" onsubmit="event.preventDefault();qaSaveRunbook();">
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-runbook-name">Name</label>
-              <input id="qa-runbook-name" type="text" class="qa-form-input" placeholder="login-smoke" required>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-runbook-target">Target</label>
-              <select id="qa-runbook-target" class="qa-form-input" required>
-                <option value="">— select a target —</option>
-              </select>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-runbook-steps">Steps</label>
-              <textarea id="qa-runbook-steps" class="qa-form-input qa-form-textarea" placeholder="1. Open the app&#10;2. Click login&#10;3. Verify dashboard loads" required></textarea>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label">Expected artifacts</label>
-              <div id="qa-runbook-artifacts" class="qa-artifacts-repeater">
-                <div class="qa-artifact-row">
-                  <input type="text" class="qa-form-input qa-artifact-input" placeholder="screenshot:dashboard.png">
-                  <button type="button" class="qa-btn-ghost" onclick="qaRemoveArtifactRow(this)">−</button>
-                </div>
-              </div>
-              <button type="button" class="qa-btn-ghost qa-add-artifact-btn" onclick="qaAddArtifactRow()">+ Add artifact</button>
-            </div>
-            <div class="qa-form-row qa-form-actions">
-              <button type="submit" class="qa-btn-primary">Save</button>
-              <button type="button" class="qa-btn-ghost" onclick="qaHideNewRunbookForm()">Cancel</button>
-              <span id="qa-runbook-form-msg" class="qa-form-msg"></span>
-            </div>
-          </form>
-        </div>
-        <div id="qa-runbooks-content" class="qa-runbooks-list">
-          <p class="empty">Loading runbooks…</p>
-        </div>
-      </section>
       <section id="qa-runs-section" class="qa-section">
-        <h2>Recent Runs <span class="qa-section-subtitle">latest 50 dispatched validation runs — polled every 5s while this page is active</span></h2>
+        <h2>Recent Runs <span class="qa-section-subtitle">latest 20 validation runs — polled every 5s while this page is active</span></h2>
         <div id="qa-runs-content" class="qa-runs-list">
           <p class="empty">Loading runs…</p>
         </div>
       </section>
+      <section id="qa-runbooks-section" class="qa-section">
+        <details id="qa-runbooks-disclosure" class="qa-disclosure">
+          <summary id="qa-runbooks-disclosure-summary" style="cursor:pointer;font-size:var(--text-md);font-weight:600;color:var(--text)">Show saved runbooks (0)</summary>
+          <div style="margin-top:var(--space-4);display:flex;flex-direction:column;gap:var(--space-3)">
+            <div class="qa-cc-pitch qa-cc-pitch--small" style="border:1px solid var(--border);border-radius:var(--radius-md);background:var(--surface2);padding:var(--space-4);color:var(--muted);font-size:var(--text-base)">
+              💬 Ask Command Center to create a new runbook — e.g. <code>save a runbook that opens the cart and clicks checkout</code>. <button type="button" class="qa-inline-link" onclick="qaFocusCommandCenter()">Open Command Center →</button>
+            </div>
+            <div id="qa-runbooks-content" class="qa-runbooks-list">
+              <p class="empty">Loading runbooks…</p>
+            </div>
+          </div>
+        </details>
+      </section>

package/dashboard.js

@@ -10484,6 +10484,37 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     }
   }
 
+  // GET /api/qa/sessions/<id>/test — read-only fetch of the drafted test file
+  // for the Review draft modal (W-mpxpvpwn000ra419). Sandboxed at two layers:
+  // the per-segment _qaIsSafeSegment guard rejects hostile ids before they
+  // reach qaSessions, and qaSessions.getSessionTestFile() repeats the path
+  // resolution + prefix check internally so anything that slips through
+  // (e.g. a session record whose testFile field already escapes the sandbox)
+  // still returns null instead of leaking bytes. Read-only, so no CSRF gate.
+  function handleQaSessionTestFile(req, res, match) {
+    try {
+      const qaSessions = require('./engine/qa-sessions');
+      const id = decodeURIComponent(match[1] || '');
+      if (!_qaIsSafeSegment(id)) return jsonReply(res, 400, { error: 'invalid session id' }, req);
+      const session = qaSessions.getSession(id);
+      if (!session) return jsonReply(res, 404, { error: 'qa session not found' }, req);
+      const result = qaSessions.getSessionTestFile(id);
+      if (!result) {
+        return jsonReply(res, 404, { error: 'qa session test file not available' }, req);
+      }
+      return jsonReply(res, 200, {
+        ok: true,
+        path: session.testFile,
+        content: result.content,
+        language: result.language,
+        truncated: !!result.truncated,
+        size: result.size,
+      }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
   // Shared helper for approve + edit + cancel + kill + dismiss — each takes
   // a sessionId from the URL and a body, delegates to qaSessions.* and maps
   // module errors to HTTP statuses.
@@ -10964,6 +10995,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/cancel$/, template: '/api/qa/sessions/<id>/cancel', desc: 'Cancel a session (non-terminal → killed). Does NOT touch the managed-spawn — use /kill for that.', params: 'reason?', handler: handleQaSessionCancel },
     { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/kill$/, template: '/api/qa/sessions/<id>/kill', desc: 'Kill a session and its managed-spawn (non-terminal → killed). Best-effort on the spawn kill.', params: 'reason?', handler: handleQaSessionKill },
     { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/dismiss$/, template: '/api/qa/sessions/<id>/dismiss', desc: 'Mark a session done without running EXECUTE (non-terminal → done).', params: 'summary?', handler: handleQaSessionDismiss },
+    { method: 'GET',  path: /^\/api\/qa\/sessions\/([^/?]+)\/test$/, template: '/api/qa/sessions/<id>/test', desc: 'Fetch the drafted test file for the Review draft modal. Read-only; returns { ok, path, content, language, truncated, size }. Files > 256KB return truncated:true with content:null.', handler: handleQaSessionTestFile },
     { method: 'GET',  path: /^\/api\/qa\/sessions\/([^/?]+)$/, template: '/api/qa/sessions/<id>', desc: 'Fetch a single QA session record by id.', handler: handleQaSessionsById },
     // QA Runners endpoints (P-d2f5a8c9). Pluggable runner-adapter registry.
     { method: 'GET',  path: '/api/qa/runners', desc: 'List registered QA runner adapters (built-ins + qa-runners.d/ plugins). Returns metadata only (no hooks).', handler: handleQaRunnersList },

package/engine/qa-sessions.js

@@ -452,6 +452,70 @@ function getSession(id) {
   return sessions.find(s => s && s.id === id) || null;
 }
 
+// W-mpxpvpwn000ra419 — Review draft modal: pure read helper that resolves
+// session.testFile against qa-tests/<id>/ with the same sandbox guards as
+// dashboard.js#handleQaArtifact (the canonical traversal-defense pattern).
+// Used by GET /api/qa/sessions/<id>/test to feed the read-only Review draft
+// modal on the /qa page.
+//
+// Contract (matches the work-item description, kept tight on purpose):
+//   - Returns null when session missing, session.testFile is null/empty, the
+//     resolved path escapes qa-tests/<id>/, or the file doesn't exist on disk.
+//     Never throws on hostile input — _isSafeSessionId + path.resolve + the
+//     baseWithSep prefix check together absorb every traversal shape.
+//   - Returns { path, content, language, truncated:false, size } on a normal
+//     file. `path` is the resolved absolute path (so callers can log it); the
+//     dashboard handler echoes the relative session.testFile back to clients.
+//   - Returns { path, content:null, language, truncated:true, size } when the
+//     file exceeds GET_SESSION_TEST_FILE_MAX_BYTES (256KB). The modal shows a
+//     "file too large" placeholder and suppresses in-modal Approve so users
+//     can't blind-approve a megabyte test.
+//   - Language inferred from extension: .spec.ts/.test.ts → typescript,
+//     .spec.js/.test.js/.js → javascript, .ts → typescript, .py → python,
+//     anything else → plaintext. Used by the dashboard to pick a syntax theme.
+const GET_SESSION_TEST_FILE_MAX_BYTES = 256 * 1024;
+
+function _inferTestLanguage(relPath) {
+  const lower = String(relPath || '').toLowerCase();
+  if (lower.endsWith('.spec.ts') || lower.endsWith('.test.ts') || lower.endsWith('.ts')) return 'typescript';
+  if (lower.endsWith('.spec.js') || lower.endsWith('.test.js') || lower.endsWith('.js')) return 'javascript';
+  if (lower.endsWith('.py')) return 'python';
+  return 'plaintext';
+}
+
+function getSessionTestFile(sessionId) {
+  if (!_isSafeSessionId(sessionId)) return null;
+  const session = getSession(sessionId);
+  if (!session) return null;
+  const rel = session.testFile;
+  if (!_isNonEmptyString(rel)) return null;
+  // Reject early on null bytes — path.resolve does not strip them and the fs
+  // call would either throw or be silently truncated on some platforms.
+  if (rel.indexOf('\0') !== -1) return null;
+  // Reject absolute paths and Windows drive-letter paths before resolution.
+  // path.resolve(base, '/etc/passwd') returns '/etc/passwd' which would
+  // bypass the suffix check below if base happened to share a leading
+  // prefix; reject pre-resolution to make the intent obvious.
+  if (path.isAbsolute(rel)) return null;
+  if (/^[a-zA-Z]:/.test(rel)) return null;
+  const base = path.resolve(qaTestsDirForSession(sessionId));
+  const target = path.resolve(base, rel);
+  const baseWithSep = base.endsWith(path.sep) ? base : base + path.sep;
+  if (target !== base && !target.startsWith(baseWithSep)) return null;
+  let stat;
+  try { stat = fs.statSync(target); }
+  catch (e) { return null; }
+  if (!stat.isFile()) return null;
+  const language = _inferTestLanguage(rel);
+  if (stat.size > GET_SESSION_TEST_FILE_MAX_BYTES) {
+    return { path: target, content: null, language, truncated: true, size: stat.size };
+  }
+  let content;
+  try { content = fs.readFileSync(target, 'utf8'); }
+  catch (e) { return null; }
+  return { path: target, content, language, truncated: false, size: stat.size };
+}
+
 /**
  * List sessions, newest first, optionally filtered by state, capped by limit.
  */
@@ -1247,6 +1311,7 @@ module.exports = {
   // CRUD
   createSession,
   getSession,
+  getSessionTestFile,
   listSessions,
   setSessionWorkItem,
   setSessionQaRunId,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.2105",
+  "version": "0.1.2106",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"