@yemi33/minions 0.1.2105 → 0.1.2107

package/dashboard/js/render-dispatch.js

@@ -402,8 +402,9 @@ function shortTime(t) {
 // pre-spawn state (worktree-setup, spawning, ready) without progressing for >2
 // minutes, the agent appears idle but is silently re-dispatching every tick.
 // Surface a STUCK chip so the operator notices instead of waiting for the
-// engine log. The threshold is 2 minutes — engine ticks every 60s, so 2 ticks
-// is enough to distinguish a slow spawn from a wedged one.
+// engine log. Threshold is 2 wall-clock minutes — engine ticks every 10s
+// (W-mpxpckey000laa4f), so a 2-minute floor distinguishes a slow spawn from
+// a wedged one regardless of tick cadence.
 const _STUCK_PRE_SPAWN_STATES = new Set(['spawning', 'worktree-setup', 'ready']);
 const _STUCK_THRESHOLD_MS = 2 * 60 * 1000;
 

package/dashboard/js/render-prd.js

@@ -785,7 +785,7 @@ async function prdItemEdit(source, itemId) {
 
     completionHtml = '<div style="background:var(--surface);border:1px solid var(--border);border-left:3px solid ' + statusColor + ';border-radius:4px;padding:10px 12px;margin-bottom:12px">' +
       '<div style="display:flex;align-items:center;gap:8px;margin-bottom:6px">' +
-        '<span style="font-size:11px;font-weight:700;color:' + statusColor + '">' + statusLabel + '</span>' +
+        (wi ? '<a href="#" onclick="event.preventDefault();event.stopPropagation();openWorkItemDetail(\'' + escHtml(wi.id) + '\')" title="Open ' + escHtml(wi.id) + ' detail" style="font-size:11px;font-weight:700;color:' + statusColor + ';text-decoration:none;cursor:pointer" onmouseover="this.style.textDecoration=\'underline\'" onmouseout="this.style.textDecoration=\'none\'">' + statusLabel + ' &rarr;</a>' : '<span style="font-size:11px;font-weight:700;color:' + statusColor + '">' + statusLabel + '</span>') +
         (agent ? '<span style="font-size:11px;color:var(--muted)">by ' + escHtml(agent) + '</span>' : '') +
         (completedAt ? '<span style="font-size:10px;color:var(--muted)">' + escHtml(completedAt.slice(0, 16).replace('T', ' ')) + '</span>' : '') +
       '</div>' +

package/dashboard/js/settings.js

@@ -265,7 +265,7 @@ async function openSettings() {
     '<div class="settings-pane-sub">How many agents run at once and how long they get before being killed for silence or runaway duration.</div>' +
     '<div class="settings-grid-2">' +
       settingsField('Max Concurrent Agents', 'set-maxConcurrent', e.maxConcurrent || 5, '', 'Max agents working simultaneously') +
-      settingsField('Min Tick Interval', 'set-tickInterval', e.tickInterval || 60000, 'ms', 'Minimum gap between tick starts. Slow ticks (PR polls, reconcilers) may delay the next slot — see `running` indicator on /engine.') +
+      settingsField('Min Tick Interval', 'set-tickInterval', e.tickInterval || 10000, 'ms', 'Minimum gap between tick starts. Slow ticks (PR polls, reconcilers) may delay the next slot — see `running` indicator on /engine.') +
       settingsField('Agent Timeout', 'set-agentTimeout', e.agentTimeout || 18000000, 'ms', 'Kill agent after this duration') +
       settingsField('Heartbeat Timeout', 'set-heartbeatTimeout', e.heartbeatTimeout || 300000, 'ms', 'No output = dead after this') +
       settingsField('Idle Alert', 'set-idleAlertMinutes', e.idleAlertMinutes || 15, 'min', 'Alert after agent idle this long') +

package/dashboard/pages/qa.html

@@ -1,131 +1,56 @@
       <section>
         <h2>QA</h2>
-        <p class="empty" style="margin:4px 0 12px 0">Validation runbooks dispatched against live managed instances. Targets, runbooks, and run history with artifact previews.</p>
+        <p class="empty" style="margin:4px 0 12px 0">Passive monitor for QA sessions, live targets, runs, and saved runbooks. Create new sessions or runbooks from <button type="button" class="qa-inline-link" onclick="qaFocusCommandCenter()">Command Center</button>.</p>
       </section>
       <section id="qa-sessions-section" class="qa-section">
-        <h2>QA Sessions <span class="qa-section-subtitle">natural-language smoke tests — engine sets up a live target, drafts a runner-native test, and (with your approval) executes it</span></h2>
-        <div class="qa-session-form-wrap">
-          <form id="qa-session-form" onsubmit="event.preventDefault();qaSubmitSessionForm();">
-            <div class="qa-form-row qa-form-row--grid">
-              <div>
-                <label class="qa-form-label" for="qa-session-target-kind">Target</label>
-                <select id="qa-session-target-kind" class="qa-form-input" onchange="qaSessionTargetKindChanged()">
-                  <option value="current">Current worktree</option>
-                  <option value="pr">Pull request</option>
-                  <option value="branch">Branch</option>
-                  <option value="commit">Commit SHA</option>
-                </select>
-              </div>
-              <div>
-                <label class="qa-form-label" for="qa-session-projects">Projects</label>
-                <select id="qa-session-projects" class="qa-form-input" multiple size="3"></select>
-                <p class="empty" style="margin-top:4px;font-size:0.85em">Hold Ctrl/Cmd to select multiple. First selected = primary (drives DRAFT/EXECUTE). Others = co-services (dev-up only). Leave empty = central.</p>
-              </div>
-            </div>
-            <div class="qa-form-row qa-session-target-fields">
-              <div id="qa-session-target-pr-wrap" class="qa-session-target-sub" style="display:none">
-                <label class="qa-form-label" for="qa-session-target-pr-id">PR id</label>
-                <input id="qa-session-target-pr-id" type="text" class="qa-form-input" placeholder="2887">
-              </div>
-              <div id="qa-session-target-branch-wrap" class="qa-session-target-sub" style="display:none">
-                <label class="qa-form-label" for="qa-session-target-branch">Branch</label>
-                <input id="qa-session-target-branch" type="text" class="qa-form-input" placeholder="work/my-feature">
-              </div>
-              <div id="qa-session-target-sha-wrap" class="qa-session-target-sub" style="display:none">
-                <label class="qa-form-label" for="qa-session-target-sha">Commit SHA</label>
-                <input id="qa-session-target-sha" type="text" class="qa-form-input" placeholder="abc1234">
-              </div>
-              <div id="qa-session-target-worktree-wrap" class="qa-session-target-sub">
-                <label class="qa-form-label" for="qa-session-target-worktree">Worktree path</label>
-                <input id="qa-session-target-worktree" type="text" class="qa-form-input" placeholder="(blank = $MINIONS_AGENT_CWD)">
-              </div>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-session-flows">Flows</label>
-              <textarea id="qa-session-flows" class="qa-form-input qa-form-textarea" placeholder="open the homepage, click login, verify the dashboard renders" required></textarea>
-            </div>
-            <div class="qa-form-row qa-form-row--inline">
-              <div>
-                <label class="qa-form-label" for="qa-session-mode">Mode</label>
-                <select id="qa-session-mode" class="qa-form-input">
-                  <option value="confirm">Confirm (review draft first)</option>
-                  <option value="auto">Auto (skip approval)</option>
-                </select>
-              </div>
-              <div>
-                <label class="qa-form-label" for="qa-session-runner">Runner</label>
-                <select id="qa-session-runner" class="qa-form-input">
-                  <option value="">Auto-detect</option>
-                </select>
-              </div>
-              <div class="qa-session-capture-group">
-                <label class="qa-form-label">Capture</label>
-                <label class="qa-session-capture-item"><input id="qa-session-capture-screenshots" type="checkbox" checked> screenshots</label>
-                <label class="qa-session-capture-item"><input id="qa-session-capture-video" type="checkbox"> video</label>
-                <label class="qa-session-capture-item"><input id="qa-session-capture-logs" type="checkbox" checked> logs</label>
-              </div>
-            </div>
-            <div class="qa-form-row qa-form-actions">
-              <button type="submit" id="qa-session-submit" class="qa-btn-primary">Start QA Session</button>
-              <span id="qa-session-form-msg" class="qa-form-msg"></span>
-            </div>
-          </form>
+        <h2>Active QA Sessions <span class="qa-section-subtitle">live, non-terminal runs — engine sets up a target, drafts a runner-native test, and (with your approval) executes it</span></h2>
+        <div id="qa-cc-pitch" class="qa-cc-pitch" style="border:1px solid var(--border);border-radius:var(--radius-md);background:var(--surface2);padding:var(--space-5);margin-bottom:var(--space-5);display:flex;flex-direction:column;gap:var(--space-3)">
+          <div style="font-weight:600;color:var(--text);display:flex;align-items:center;gap:var(--space-2)">💬 Ask Command Center to start a QA session</div>
+          <div style="color:var(--muted);font-size:var(--text-base);line-height:1.5">
+            Examples:
+            <ul style="margin:var(--space-2) 0 0 var(--space-5);padding:0;color:var(--muted)">
+              <li><code>QA the login flow on PR #1234</code></li>
+              <li><code>Smoke test the checkout flow on develop</code></li>
+              <li><code>Validate the signup journey on my current worktree</code></li>
+            </ul>
+          </div>
+          <div style="display:flex;gap:var(--space-3);align-items:center;margin-top:var(--space-2)">
+            <button type="button" id="qa-cc-pitch-open" class="qa-btn-primary" onclick="qaFocusCommandCenter()">Open Command Center →</button>
+            <a href="/state/docs/qa-runbook-lifecycle.md" target="_blank" rel="noopener" class="qa-cc-pitch-docs" style="color:var(--blue);font-size:var(--text-base)">Docs →</a>
+          </div>
         </div>
         <div id="qa-sessions-content" class="qa-sessions-list">
           <p class="empty">Loading sessions…</p>
         </div>
+        <details id="qa-sessions-recent" class="qa-disclosure" style="margin-top:var(--space-5);border-top:1px solid var(--border);padding-top:var(--space-4)">
+          <summary id="qa-sessions-recent-summary" style="cursor:pointer;font-size:var(--text-base);color:var(--muted)">Recent sessions (last 10)</summary>
+          <div id="qa-sessions-recent-content" class="qa-sessions-list" style="margin-top:var(--space-3)">
+            <p class="empty">No recent sessions.</p>
+          </div>
+        </details>
       </section>
       <section id="qa-targets-section" class="qa-section">
-        <h2>Targets <span class="qa-section-subtitle">live managed/keep processes available as runbook targets — full inventory lives on <a href="/engine" class="qa-engine-link">/engine</a></span></h2>
+        <h2>Live Targets <span class="qa-section-subtitle">managed/keep processes available as runbook targets — full inventory on <a href="/engine" class="qa-engine-link">/engine</a></span></h2>
         <div id="qa-targets-content" class="qa-targets-list">
           <p class="empty">Loading targets…</p>
         </div>
       </section>
-      <section id="qa-runbooks-section" class="qa-section">
-        <h2>Validation Runbooks <span class="qa-section-subtitle">human or agent-driven smoke / E2E flows against the targets above</span></h2>
-        <div class="qa-runbooks-actions">
-          <button id="qa-new-runbook-btn" class="qa-btn-primary" onclick="qaShowNewRunbookForm()">+ New runbook</button>
-        </div>
-        <div id="qa-runbook-form-wrap" class="qa-runbook-form" style="display:none">
-          <form id="qa-runbook-form" onsubmit="event.preventDefault();qaSaveRunbook();">
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-runbook-name">Name</label>
-              <input id="qa-runbook-name" type="text" class="qa-form-input" placeholder="login-smoke" required>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-runbook-target">Target</label>
-              <select id="qa-runbook-target" class="qa-form-input" required>
-                <option value="">— select a target —</option>
-              </select>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label" for="qa-runbook-steps">Steps</label>
-              <textarea id="qa-runbook-steps" class="qa-form-input qa-form-textarea" placeholder="1. Open the app&#10;2. Click login&#10;3. Verify dashboard loads" required></textarea>
-            </div>
-            <div class="qa-form-row">
-              <label class="qa-form-label">Expected artifacts</label>
-              <div id="qa-runbook-artifacts" class="qa-artifacts-repeater">
-                <div class="qa-artifact-row">
-                  <input type="text" class="qa-form-input qa-artifact-input" placeholder="screenshot:dashboard.png">
-                  <button type="button" class="qa-btn-ghost" onclick="qaRemoveArtifactRow(this)">−</button>
-                </div>
-              </div>
-              <button type="button" class="qa-btn-ghost qa-add-artifact-btn" onclick="qaAddArtifactRow()">+ Add artifact</button>
-            </div>
-            <div class="qa-form-row qa-form-actions">
-              <button type="submit" class="qa-btn-primary">Save</button>
-              <button type="button" class="qa-btn-ghost" onclick="qaHideNewRunbookForm()">Cancel</button>
-              <span id="qa-runbook-form-msg" class="qa-form-msg"></span>
-            </div>
-          </form>
-        </div>
-        <div id="qa-runbooks-content" class="qa-runbooks-list">
-          <p class="empty">Loading runbooks…</p>
-        </div>
-      </section>
       <section id="qa-runs-section" class="qa-section">
-        <h2>Recent Runs <span class="qa-section-subtitle">latest 50 dispatched validation runs — polled every 5s while this page is active</span></h2>
+        <h2>Recent Runs <span class="qa-section-subtitle">latest 20 validation runs — polled every 5s while this page is active</span></h2>
         <div id="qa-runs-content" class="qa-runs-list">
           <p class="empty">Loading runs…</p>
         </div>
       </section>
+      <section id="qa-runbooks-section" class="qa-section">
+        <details id="qa-runbooks-disclosure" class="qa-disclosure">
+          <summary id="qa-runbooks-disclosure-summary" style="cursor:pointer;font-size:var(--text-md);font-weight:600;color:var(--text)">Show saved runbooks (0)</summary>
+          <div style="margin-top:var(--space-4);display:flex;flex-direction:column;gap:var(--space-3)">
+            <div class="qa-cc-pitch qa-cc-pitch--small" style="border:1px solid var(--border);border-radius:var(--radius-md);background:var(--surface2);padding:var(--space-4);color:var(--muted);font-size:var(--text-base)">
+              💬 Ask Command Center to create a new runbook — e.g. <code>save a runbook that opens the cart and clicks checkout</code>. <button type="button" class="qa-inline-link" onclick="qaFocusCommandCenter()">Open Command Center →</button>
+            </div>
+            <div id="qa-runbooks-content" class="qa-runbooks-list">
+              <p class="empty">Loading runbooks…</p>
+            </div>
+          </div>
+        </details>
+      </section>

package/dashboard.js

@@ -5109,10 +5109,13 @@ const server = http.createServer(async (req, res) => {
         // Create new work item from PRD item definition (same logic as materializePlansAsWorkItems)
         const complexity = prdItem.estimated_complexity || 'medium';
         const criteria = (prdItem.acceptance_criteria || []).map(c => `- ${c}`).join('\n');
+        // W-mpxqkkn300121d21 — mirror the engine materializer's resolution so a
+        // dashboard retry honors structured `type` / prose `Type:` exactly the
+        // same way the engine sweep does.
         const newItem = {
           id,
           title: `Implement: ${prdItem.name}`,
-          type: complexity === 'large' ? 'implement:large' : 'implement',
+          type: shared.resolveWorkItemTypeFromPrdItem(prdItem),
           priority: prdItem.priority || 'medium',
           description: `${prdItem.description || ''}\n\n**Plan:** ${prdFile}\n**Plan Item:** ${prdItem.id}\n**Complexity:** ${complexity}${criteria ? '\n\n**Acceptance Criteria:**\n' + criteria : ''}`,
           status: WI_STATUS.PENDING,
@@ -7996,6 +7999,79 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     } catch (e) { _releaseCCTab(tabId); return jsonReply(res, e.statusCode || 500, { error: e.message, code: 'handler-exception', retriable: false }); }
   }
 
+  // W-mpxq9sjq000z794b — Watch-driven CC invocation. Internal-only endpoint
+  // wired from engine/watch-actions.js#cc-triage handler. Behavior diff vs.
+  // /api/command-center:
+  //   - No session resume / no session persist (each call is a fresh CC turn).
+  //     This isolation is the whole point — a watch firing must not pollute
+  //     the user's interactive ccSession or surface in their tab list.
+  //   - Separate rate-limit lane (`cc-triage`) so a noisy watch can't starve
+  //     the user's CC bucket (or vice-versa).
+  //   - Uses CC_STATIC_SYSTEM_PROMPT verbatim (no per-turn header) and
+  //     prepends the standard buildCCStatePreamble so CC can read live state.
+  //   - Reasoning effort can be overridden per-call (defaults to engine.ccEffort).
+  async function handleCommandCenterTriage(req, res) {
+    if (checkRateLimit('cc-triage', 10)) return jsonReply(res, 429, { error: 'Rate limited — max 10 cc-triage requests/minute' });
+    try {
+      const body = await readBody(req);
+      const message = body && typeof body.message === 'string' ? body.message : '';
+      if (!message.trim()) return jsonReply(res, 400, { error: 'message required' });
+      const watchId = body.watchId ? String(body.watchId) : '';
+      const label = watchId ? `watch-cc-triage:${watchId}` : 'watch-cc-triage';
+
+      const model = CONFIG.engine?.ccModel || shared.ENGINE_DEFAULTS.ccModel;
+      const maxTurns = CONFIG.engine?.ccMaxTurns || shared.ENGINE_DEFAULTS.ccMaxTurns;
+      const engineEffort = CONFIG.engine?.ccEffort || shared.ENGINE_DEFAULTS.ccEffort;
+      const requestedEffort = typeof body.effort === 'string' && body.effort.trim() ? body.effort.trim().toLowerCase() : '';
+      const effort = ['low', 'medium', 'high'].includes(requestedEffort) ? requestedEffort : engineEffort;
+
+      const preflight = await _preflightModelCheck({ model, engineConfig: CONFIG.engine });
+      if (preflight) {
+        console.warn(`[${label}] Pre-flight rejected: ${preflight.errorMessage}`);
+        return jsonReply(res, 503, {
+          error: preflight.errorMessage || 'CC runtime unavailable',
+          code: preflight.errorClass || 'runtime-unavailable',
+          retriable: false,
+        });
+      }
+
+      const preamble = `## Current Minions State (${new Date().toISOString().slice(0, 16)})\n\n${buildCCStatePreamble()}`;
+      const fullPrompt = `${preamble}\n\n---\n\n${message}`;
+
+      const result = await llm.callLLM(fullPrompt, CC_STATIC_SYSTEM_PROMPT, {
+        timeout: CC_CALL_TIMEOUT_MS,
+        label, model, maxTurns,
+        allowedTools: 'Bash,Read,Write,Edit,Glob,Grep,WebFetch,WebSearch',
+        effort, direct: true,
+        engineConfig: CONFIG.engine,
+      });
+      llm.trackEngineUsage(label, result.usage);
+
+      if (!result.text || result.error) {
+        const errEnvelope = result.error || (result.errorMessage
+          ? { message: result.errorMessage, code: result.errorClass || 'unknown', retriable: true }
+          : { message: 'cc-triage returned no output', code: 'empty-output', retriable: true });
+        llm.trackEngineError(label, errEnvelope.code);
+        const status = result.missingRuntime ? 503
+          : errEnvelope.code === 'auth-failure' ? 503
+            : 502;
+        return jsonReply(res, status, {
+          error: errEnvelope.message,
+          code: errEnvelope.code,
+          retriable: !!errEnvelope.retriable,
+        });
+      }
+
+      return jsonReply(res, 200, {
+        text: result.text,
+        sessionId: result.sessionId || null,
+        usage: result.usage || null,
+      });
+    } catch (e) {
+      return jsonReply(res, e.statusCode || 500, { error: e.message, code: 'handler-exception', retriable: false });
+    }
+  }
+
   /** Build a lightweight input object for SSE tool events — keeps only the fields formatToolSummary needs, with truncated string values. */
   function _lightToolInput(input) {
     if (!input || typeof input !== 'object') return {};
@@ -10484,6 +10560,37 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     }
   }
 
+  // GET /api/qa/sessions/<id>/test — read-only fetch of the drafted test file
+  // for the Review draft modal (W-mpxpvpwn000ra419). Sandboxed at two layers:
+  // the per-segment _qaIsSafeSegment guard rejects hostile ids before they
+  // reach qaSessions, and qaSessions.getSessionTestFile() repeats the path
+  // resolution + prefix check internally so anything that slips through
+  // (e.g. a session record whose testFile field already escapes the sandbox)
+  // still returns null instead of leaking bytes. Read-only, so no CSRF gate.
+  function handleQaSessionTestFile(req, res, match) {
+    try {
+      const qaSessions = require('./engine/qa-sessions');
+      const id = decodeURIComponent(match[1] || '');
+      if (!_qaIsSafeSegment(id)) return jsonReply(res, 400, { error: 'invalid session id' }, req);
+      const session = qaSessions.getSession(id);
+      if (!session) return jsonReply(res, 404, { error: 'qa session not found' }, req);
+      const result = qaSessions.getSessionTestFile(id);
+      if (!result) {
+        return jsonReply(res, 404, { error: 'qa session test file not available' }, req);
+      }
+      return jsonReply(res, 200, {
+        ok: true,
+        path: session.testFile,
+        content: result.content,
+        language: result.language,
+        truncated: !!result.truncated,
+        size: result.size,
+      }, req);
+    } catch (e) {
+      return jsonReply(res, 500, { error: e.message }, req);
+    }
+  }
+
   // Shared helper for approve + edit + cancel + kill + dismiss — each takes
   // a sessionId from the URL and a body, delegates to qaSessions.* and maps
   // module errors to HTTP statuses.
@@ -10964,6 +11071,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/cancel$/, template: '/api/qa/sessions/<id>/cancel', desc: 'Cancel a session (non-terminal → killed). Does NOT touch the managed-spawn — use /kill for that.', params: 'reason?', handler: handleQaSessionCancel },
     { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/kill$/, template: '/api/qa/sessions/<id>/kill', desc: 'Kill a session and its managed-spawn (non-terminal → killed). Best-effort on the spawn kill.', params: 'reason?', handler: handleQaSessionKill },
     { method: 'POST', path: /^\/api\/qa\/sessions\/([^/?]+)\/dismiss$/, template: '/api/qa/sessions/<id>/dismiss', desc: 'Mark a session done without running EXECUTE (non-terminal → done).', params: 'summary?', handler: handleQaSessionDismiss },
+    { method: 'GET',  path: /^\/api\/qa\/sessions\/([^/?]+)\/test$/, template: '/api/qa/sessions/<id>/test', desc: 'Fetch the drafted test file for the Review draft modal. Read-only; returns { ok, path, content, language, truncated, size }. Files > 256KB return truncated:true with content:null.', handler: handleQaSessionTestFile },
     { method: 'GET',  path: /^\/api\/qa\/sessions\/([^/?]+)$/, template: '/api/qa/sessions/<id>', desc: 'Fetch a single QA session record by id.', handler: handleQaSessionsById },
     // QA Runners endpoints (P-d2f5a8c9). Pluggable runner-adapter registry.
     { method: 'GET',  path: '/api/qa/runners', desc: 'List registered QA runner adapters (built-ins + qa-runners.d/ plugins). Returns metadata only (no hooks).', handler: handleQaRunnersList },
@@ -11405,6 +11513,7 @@ What would you like to discuss or change? When you're happy, say "approve" and I
     { method: 'POST', path: '/api/command-center/new-session', desc: 'Clear active CC session', handler: handleCommandCenterNewSession },
     { method: 'POST', path: '/api/command-center/abort', desc: 'Abort an in-flight CC request for a tab', params: 'tabId?', handler: handleCommandCenterAbort },
     { method: 'POST', path: '/api/command-center', desc: 'Conversational command center with full minions context', params: 'message, tabId?, sessionId?, transcript?', handler: handleCommandCenter },
+    { method: 'POST', path: '/api/command-center/triage', desc: 'Headless CC invocation for watch-driven triage (internal). Isolated from user ccSession.', params: 'message, watchId?, effort?', handler: handleCommandCenterTriage },
     { method: 'POST', path: '/api/command-center/stream', desc: 'Streaming CC — SSE with text chunks as they arrive', params: 'message, tabId?, sessionId?, transcript?', handler: handleCommandCenterStream },
     { method: 'GET', path: '/api/cc-sessions', desc: 'List CC session metadata for all tabs', handler: handleCCSessionsList },
     { method: 'POST', path: '/api/cc-sessions/warm', desc: 'Pre-warm the worker pool for a CC tab (process + MCP init, no LLM call). No-op when pool is off.', params: 'tabId', handler: handleCcSessionWarm },

package/docs/auto-discovery.md

@@ -6,7 +6,7 @@ How the minions engine finds work and dispatches agents automatically.
 
 ## The Tick Loop
 
-The engine runs a tick every 60 seconds (configurable via `config.json` → `engine.tickInterval`). Each tick:
+The engine runs a tick every 10 seconds (configurable via `config.json` → `engine.tickInterval`). Each tick:
 
 ```
 tick()
@@ -17,16 +17,16 @@ tick()
   2.  consolidateInbox()         Merge learnings into notes.md (Haiku-powered)
   2.1 autoSweepKb()              Periodic KB sweep (opt-in via engine.autoConsolidateMemory, 4h cadence)
   2.5 runCleanup()               Periodic cleanup (every 10 ticks ≈ 10min)
-  2.52 sweepKeepProcesses()      keep_processes TTL/dead-PID sweep (every 30 ticks)
-  2.53 sweepManagedSpawn()       managed_spawn TTL/dead-PID/log-rotate sweep (every 30 ticks)
-  2.55 checkWatches()            Persistent watch jobs (every 3 tick-equivalents)
+  2.52 sweepKeepProcesses()      keep_processes TTL/dead-PID sweep (every 180 ticks)
+  2.53 sweepManagedSpawn()       managed_spawn TTL/dead-PID/log-rotate sweep (every 180 ticks)
+  2.55 checkWatches()            Persistent watch jobs (every 18 tick-equivalents)
   2.6 pollPrStatus()             Poll ADO + GitHub for build, review, merge status (wall-clock cadence from prPollStatusEvery × tickInterval, default ≈ 12min)
        processPendingRebases()   Run any rebase work queued from the previous tick
        syncPrdFromPrs()          Backfill PRD item status from active PRs
        checkPlanCompletion()     Mark plans completed when all features done/in-pr
   2.7 pollPrHumanComments()      Poll PR threads for human comments (wall-clock cadence from prPollCommentsEvery × tickInterval, default ≈ 12min)
        reconcilePrs() (ADO+GH)   Reconciliation sweep (runs regardless of poll flags)
-  2.9 stallRecovery()            Auto-retry failed items blocking pending deps (every 20 ticks)
+  2.9 stallRecovery()            Auto-retry failed items blocking pending deps (every 120 ticks)
   3a. pruneStalePrDispatches()   Clear pending PR dispatches whose underlying PRs no longer warrant action
   3.  discoverWork()             Scan ALL linked projects for new tasks
   4.  updateSnapshot()           Write identity/now.md
@@ -141,7 +141,7 @@ Both write to `work-items.json` and are picked up by Source 3 on the same or nex
 
 ## PR Status Polling (`pollPrStatus`)
 
-**Runs:** On a wall-clock cadence derived from `prPollStatusEvery × engine.tickInterval` (default 12 × 60s, ≈ 12 minutes), independently of work discovery or file-change wakeups. ADO polling lives in `engine/ado.js`; GitHub polling lives in `engine/github.js` — both run in parallel each cycle (`Promise.allSettled`) and write to the same per-project `pull-requests.json` schema. Replaces the retired agent-based `pr-sync`.
+**Runs:** On a wall-clock cadence derived from `prPollStatusEvery × engine.tickInterval` (default 72 × 10s, ≈ 12 minutes), independently of work discovery or file-change wakeups. ADO polling lives in `engine/ado.js`; GitHub polling lives in `engine/github.js` — both run in parallel each cycle (`Promise.allSettled`) and write to the same per-project `pull-requests.json` schema. Replaces the retired agent-based `pr-sync`.
 
 The engine directly polls the host REST API for **all** PR metadata: build/CI status, human review votes, and completion state. Two API calls per PR — no agent dispatch needed.
 
@@ -413,7 +413,7 @@ All discovery behavior is controlled via `config.json`:
 ```json
 {
   "engine": {
-    "tickInterval": 60000,       // ms between ticks
+    "tickInterval": 10000,       // ms between ticks
     "maxConcurrent": 5,          // max agents running at once
     "agentTimeout": 18000000,     // 5 hours — hard runtime limit
     "heartbeatTimeout": 300000,  // 5min — stale-orphan grace after process tracking is lost

package/docs/human-vs-automated.md

@@ -43,7 +43,7 @@ This is the only point where you decide if the *quality* is good enough.
 
 These run continuously without you:
 
-- **Work discovery** — engine scans all project queues every tick (~60s)
+- **Work discovery** — engine scans all project queues every tick (~10s)
 - **Agent dispatch** — engine picks the right agent, builds the prompt, spawns Claude
 - **Worktree management** — create on dispatch, pull on shared-branch, clean after merge
 - **PR status polling** — checks ADO + GitHub for build status, review votes, merge state every ~12 min
@@ -94,7 +94,7 @@ These are entirely on you:
 
 If you start the engine and dashboard, then leave:
 
-1. Engine ticks every 60 seconds
+1. Engine ticks every 10 seconds
 2. Discovers pending work items, PRD gaps, PR reviews needed
 3. Dispatches agents (up to max concurrent)
 4. Agents create worktrees, write code, create PRs

package/docs/index.html

@@ -250,7 +250,7 @@ minions update</pre>
   +-----------------------------------------------------+
   |                  ~/.minions/ (central hub)          |
   |                                                     |
-  |   engine.js ---- 60s tick loop ----+                |
+  |   engine.js ---- 10s tick loop ----+                |
   |       |                            |                |
   |   discover work    spawn agents    poll PRs/comments|
   |       |                |              |             |

package/docs/managed-spawn.md

@@ -211,7 +211,7 @@ All knobs live under `engine.managedSpawn` in `engine/shared.js:1500` (`ENGINE_D
 | `maxSpecsPerFile` | `5` | Per-agent cap. |
 | `maxTtlMinutes` | `1440` | Hard cap (24h). |
 | `defaultTtlMinutes` | `720` | Fallback when `ttl_minutes` omitted (12h). |
-| `sweepEvery` | `30` | Ticks between sweeps. Default tick = 60s ⇒ ~30 min. |
+| `sweepEvery` | `180` | Ticks between sweeps. Default tick = 10s ⇒ ~30 min. |
 | `defaultHealthIntervalSec` | `1` | Healthcheck cadence pre-first-healthy. |
 | `healthBackoffSec` | `30` | Healthcheck cadence post-first-healthy. |
 | `logRotateBytes` | `10485760` | Rotation threshold for `<name>.log`. |

package/docs/onboarding.md

@@ -133,7 +133,7 @@ A quick tour of the panels you will use most often during onboarding:
 | **Pull Requests** | Cached PR status (build, review, merge) | Track the PRs your agents create |
 | **Engine** | Dispatch queue, engine log, LLM call performance | Diagnose timing / token issues |
 
-The engine ticks every 60 seconds. If the dashboard says "Engine: stopped", run `minions restart` again — the dashboard auto-restarts a dead engine on its next health check, but a manual restart is faster.
+The engine ticks every 10 seconds. If the dashboard says "Engine: stopped", run `minions restart` again — the dashboard auto-restarts a dead engine on its next health check, but a manual restart is faster.
 
 ---
 
@@ -148,7 +148,7 @@ The fastest way to give Minions a task is the Command Center (CC).
    ```
 3. CC will propose an action (usually `POST /api/work-items` or `POST /api/plan`). Confirm.
 
-Within one tick (≤60 s), the engine will:
+Within one tick (≤10 s), the engine will:
 
 1. Pick an idle agent that matches the work type (per `routing.md`).
 2. Create a git worktree for that agent under `<your-repo>/.worktrees/<work-item-id>/`.

package/docs/pr-review-fix-loop.md

@@ -9,7 +9,7 @@ How the engine manages the lifecycle of a PR from creation through review, fix,
 
 ## 2. Engine discovers PR needs review
 
-- `discoverFromPrs()` (engine.js) runs each tick (~60s)
+- `discoverFromPrs()` (engine.js) runs each tick (~10s)
 - Gates: `status === 'active'` + `reviewStatus === 'pending'` + not reviewed since last push + not dispatched + not on cooldown
 - Pre-dispatch: `checkLiveReviewStatus()` hits GitHub/ADO API to catch stale cached status
 - Routes to reviewer via `resolveAgent('review')`, dispatches with `review.md` playbook

package/docs/self-improvement.md

@@ -24,7 +24,7 @@ Agent completes task
 ```
 Agent finishes task
   → writes notes/inbox/<agent>-<date>.md
-  → engine checks inbox on next tick (~60s)
+  → engine checks inbox on next tick (~10s)
   → consolidateInbox() fires (threshold: 5 files)
   → spawns Claude Haiku for LLM-powered summarization
   → Haiku reads all inbox notes + existing notes.md

package/docs/slim-ux/concepts.md

@@ -302,7 +302,7 @@ consolidate-now button.
 ## 9. Schedule (cron)
 
 **What it is.** A recurring trigger that creates a Work Item on a cron pattern. The engine ticks
-every 60 s; if a schedule's last-run was ≥ its interval ago and the cron pattern matches, the
+every 10 s; if a schedule's last-run was ≥ its interval ago and the cron pattern matches, the
 engine drops a Work Item into the queue.
 
 **Where it lives.**
@@ -631,7 +631,7 @@ Skill is unrelated; skills are prompt-level, MCPs are tool-level.
 
 ## 20. Engine
 
-**What it is.** The orchestrator daemon. One Node process; runs a 60 s tick that drains the
+**What it is.** The orchestrator daemon. One Node process; runs a 10 s tick that drains the
 **Dispatch Queue**, polls **PRs**, evaluates **Watches** every 3 ticks, runs **Schedules**,
 consolidates the **Inbox**, and so on. It's also the gatekeeper for control state
 (`paused | running | stopping`).

package/docs/watches.md

@@ -133,7 +133,7 @@ Resolution is `path.join(shared.MINIONS_DIR, 'watches.d')` so it works in both d
 
 ## Tick Integration
 
-`engine.js` calls `checkWatches(config, state)` every 3 ticks (~3 min at the default 60s tick) inside its own `safe('checkWatches', ...)` block *(source: `engine.js:6386-6440`)*. The engine builds the state object from cached project files + module reads:
+`engine.js` calls `checkWatches(config, state)` every `ENGINE_DEFAULTS.watchPollEvery` ticks (default 18 ⇒ ~3 min at the default 10s tick) inside its own `safe('checkWatches', ...)` block *(source: `engine.js:6386-6440`)*. The engine builds the state object from cached project files + module reads:
 
 ```
 {

package/engine/cli.js

@@ -1238,7 +1238,7 @@ const commands = {
     }
 
     console.log('');
-    const metrics = shared.safeJson(path.join(__dirname, 'metrics.json')) || {};
+    const metrics = shared.safeJson(path.join(ENGINE_DIR, 'metrics.json')) || {};
     const lifetimeCompleted = Object.entries(metrics).filter(([k]) => !k.startsWith('_')).reduce((sum, [, m]) => sum + (m.tasksCompleted || 0) + (m.tasksErrored || 0), 0);
     console.log(`Dispatch: ${dispatch.pending.length} pending | ${(dispatch.active || []).length} active | ${lifetimeCompleted} completed`);
     const pidSummary = summarizeActiveDispatchPids(dispatch.active || []);

package/engine/qa-sessions.js

@@ -452,6 +452,70 @@ function getSession(id) {
   return sessions.find(s => s && s.id === id) || null;
 }
 
+// W-mpxpvpwn000ra419 — Review draft modal: pure read helper that resolves
+// session.testFile against qa-tests/<id>/ with the same sandbox guards as
+// dashboard.js#handleQaArtifact (the canonical traversal-defense pattern).
+// Used by GET /api/qa/sessions/<id>/test to feed the read-only Review draft
+// modal on the /qa page.
+//
+// Contract (matches the work-item description, kept tight on purpose):
+//   - Returns null when session missing, session.testFile is null/empty, the
+//     resolved path escapes qa-tests/<id>/, or the file doesn't exist on disk.
+//     Never throws on hostile input — _isSafeSessionId + path.resolve + the
+//     baseWithSep prefix check together absorb every traversal shape.
+//   - Returns { path, content, language, truncated:false, size } on a normal
+//     file. `path` is the resolved absolute path (so callers can log it); the
+//     dashboard handler echoes the relative session.testFile back to clients.
+//   - Returns { path, content:null, language, truncated:true, size } when the
+//     file exceeds GET_SESSION_TEST_FILE_MAX_BYTES (256KB). The modal shows a
+//     "file too large" placeholder and suppresses in-modal Approve so users
+//     can't blind-approve a megabyte test.
+//   - Language inferred from extension: .spec.ts/.test.ts → typescript,
+//     .spec.js/.test.js/.js → javascript, .ts → typescript, .py → python,
+//     anything else → plaintext. Used by the dashboard to pick a syntax theme.
+const GET_SESSION_TEST_FILE_MAX_BYTES = 256 * 1024;
+
+function _inferTestLanguage(relPath) {
+  const lower = String(relPath || '').toLowerCase();
+  if (lower.endsWith('.spec.ts') || lower.endsWith('.test.ts') || lower.endsWith('.ts')) return 'typescript';
+  if (lower.endsWith('.spec.js') || lower.endsWith('.test.js') || lower.endsWith('.js')) return 'javascript';
+  if (lower.endsWith('.py')) return 'python';
+  return 'plaintext';
+}
+
+function getSessionTestFile(sessionId) {
+  if (!_isSafeSessionId(sessionId)) return null;
+  const session = getSession(sessionId);
+  if (!session) return null;
+  const rel = session.testFile;
+  if (!_isNonEmptyString(rel)) return null;
+  // Reject early on null bytes — path.resolve does not strip them and the fs
+  // call would either throw or be silently truncated on some platforms.
+  if (rel.indexOf('\0') !== -1) return null;
+  // Reject absolute paths and Windows drive-letter paths before resolution.
+  // path.resolve(base, '/etc/passwd') returns '/etc/passwd' which would
+  // bypass the suffix check below if base happened to share a leading
+  // prefix; reject pre-resolution to make the intent obvious.
+  if (path.isAbsolute(rel)) return null;
+  if (/^[a-zA-Z]:/.test(rel)) return null;
+  const base = path.resolve(qaTestsDirForSession(sessionId));
+  const target = path.resolve(base, rel);
+  const baseWithSep = base.endsWith(path.sep) ? base : base + path.sep;
+  if (target !== base && !target.startsWith(baseWithSep)) return null;
+  let stat;
+  try { stat = fs.statSync(target); }
+  catch (e) { return null; }
+  if (!stat.isFile()) return null;
+  const language = _inferTestLanguage(rel);
+  if (stat.size > GET_SESSION_TEST_FILE_MAX_BYTES) {
+    return { path: target, content: null, language, truncated: true, size: stat.size };
+  }
+  let content;
+  try { content = fs.readFileSync(target, 'utf8'); }
+  catch (e) { return null; }
+  return { path: target, content, language, truncated: false, size: stat.size };
+}
+
 /**
  * List sessions, newest first, optionally filtered by state, capped by limit.
  */
@@ -1247,6 +1311,7 @@ module.exports = {
   // CRUD
   createSession,
   getSession,
+  getSessionTestFile,
   listSessions,
   setSessionWorkItem,
   setSessionQaRunId,