agentdev-webui 1.0.0

package/server.js

@@ -0,0 +1,1450 @@
+#!/usr/bin/env node
+const http = require('http');
+const fs = require('fs');
+const path = require('path');
+const config = require('./lib/config');
+const history = require('./lib/history');
+const github = require('./lib/github');
+const pwa = require('./lib/pwa');
+const auth = require('./lib/auth');
+const routes = require('./lib/routes');
+const db = require('./lib/database');
+const emailService = require('./lib/email');
+const agentApi = require('./lib/agent-api');
+const deviceFlow = require('./lib/device-flow');
+const encryption = require('./lib/encryption');
+const crypto = require('crypto');
+const redisLogs = require('./lib/redis-logs');
+
+// Ensure directories exist
+if (!fs.existsSync(config.LOG_FILE)) {
+  fs.writeFileSync(config.LOG_FILE, '');
+}
+if (!fs.existsSync(config.AGENT_LOGS_DIR)) {
+  fs.mkdirSync(config.AGENT_LOGS_DIR, { recursive: true });
+}
+
+// Initialize history
+history.loadHistory();
+history.importExistingLogs();
+
+const clients = new Set();
+const agentSizes = new Map();
+let mainLogSize = 0;
+let proc = null;
+
+// Ring buffer for recent log lines (sent to newly connecting clients)
+const MAX_LOG_BUFFER = 200;
+const logBuffer = [];
+
+function bufferLog(entry) {
+  logBuffer.push(entry);
+  if (logBuffer.length > MAX_LOG_BUFFER) {
+    logBuffer.shift();
+  }
+}
+
+// Track previously active agents to detect completion
+const previousActiveAgents = new Map();
+
+// Watch main log file
+fs.watchFile(config.LOG_FILE, { interval: 500 }, (curr) => {
+  if (curr.size > mainLogSize) {
+    const s = fs.createReadStream(config.LOG_FILE, { start: mainLogSize, end: curr.size });
+    let d = '';
+    s.on('data', c => d += c);
+    s.on('end', () => d.split('\n').filter(l => l.trim()).forEach(l => {
+      const entry = { type: 'log', content: l };
+      bufferLog(entry);
+      broadcast(entry);
+    }));
+  }
+  mainLogSize = curr.size;
+});
+
+// Seed log buffer with last lines from main log file on startup
+try {
+  const logContent = fs.readFileSync(config.LOG_FILE, 'utf8');
+  const lines = logContent.split('\n').filter(l => l.trim());
+  const recentLines = lines.slice(-MAX_LOG_BUFFER);
+  recentLines.forEach(l => bufferLog({ type: 'log', content: l }));
+} catch (e) { /* ignore */ }
+
+// Watch agent logs directory
+function watchAgentLogs() {
+  try {
+    if (!fs.existsSync(config.AGENT_LOGS_DIR)) return;
+
+    const files = fs.readdirSync(config.AGENT_LOGS_DIR).filter(f => f.endsWith('.log'));
+
+    files.forEach(file => {
+      const filePath = path.join(config.AGENT_LOGS_DIR, file);
+      const agentId = file.replace('.log', '');
+
+      if (!agentSizes.has(filePath)) {
+        agentSizes.set(filePath, 0);
+
+        try {
+          fs.watchFile(filePath, { interval: 500 }, (curr) => {
+            const lastSize = agentSizes.get(filePath) || 0;
+            if (curr.size > lastSize) {
+              const s = fs.createReadStream(filePath, { start: lastSize, end: curr.size });
+              let d = '';
+              s.on('data', c => d += c);
+              s.on('end', () => {
+                d.split('\n').filter(l => l.trim()).forEach(l => {
+                  const entry = { type: 'log', content: l, agent: agentId };
+                  bufferLog(entry);
+                  broadcast(entry);
+                });
+              });
+            }
+            agentSizes.set(filePath, curr.size);
+          });
+        } catch (err) {
+          console.error(`Failed to watch file ${filePath}:`, err.message);
+        }
+
+        if (fs.existsSync(filePath)) {
+          const content = fs.readFileSync(filePath, 'utf8');
+          agentSizes.set(filePath, content.length);
+        }
+      }
+    });
+  } catch (error) {
+    console.error('Error in watchAgentLogs:', error.message);
+  }
+}
+
+async function broadcastAgents() {
+  console.log('[broadcastAgents] Function called at', new Date().toISOString());
+  try {
+    console.log('[broadcastAgents] Starting query...');
+    // Get active agents from database (heartbeat within last 2 minutes)
+    const activeAgents = await db.getActiveAgents();
+    console.log(`[broadcastAgents] Found ${activeAgents.length} active agents from DB`);
+
+    const currentActiveIds = new Set();
+    const agents = [];
+
+    for (const agentRow of activeAgents) {
+      const agentId = agentRow.id;
+      const ticket = agentRow.github_issue_number;
+      const repo = agentRow.github_repo;
+
+      let title = null;
+      let description = null;
+      let ticketStatus = agentRow.ticket_status || 'OPEN';
+      let authorName = null;
+      let authorAvatar = null;
+      let createdAt = null;
+
+      // Fetch GitHub ticket details
+      if (repo && ticket) {
+        try {
+          const details = await github.fetchTicketDetails(repo, ticket);
+          if (details) {
+            title = details.title;
+            description = details.body || '';
+            ticketStatus = details.state || 'OPEN';
+            if (details.author) {
+              authorName = details.author.login || details.author.name;
+              authorAvatar = details.author.avatarUrl;
+            }
+            createdAt = details.createdAt;
+          }
+        } catch (err) {
+          console.error(`[broadcastAgents] Failed to fetch ticket details for ${repo}#${ticket}:`, err.message);
+          // Continue without GitHub details
+        }
+      }
+
+      const agent = {
+        id: agentId,
+        ticket,
+        repo,
+        title,
+        active: true,
+        startTime: agentRow.registered_at?.toISOString(),
+        description,
+        ticketStatus,
+        authorName,
+        authorAvatar,
+        createdAt,
+        status: agentRow.status,
+        project_id: agentRow.project_id
+      };
+
+      agents.push(agent);
+      currentActiveIds.add(agentId);
+      previousActiveAgents.set(agentId, agent);
+    }
+
+    // Check for agents that were active but are now complete
+    for (const [agentId, agent] of previousActiveAgents) {
+      if (!currentActiveIds.has(agentId)) {
+        // Agent completed - it will appear in history via database query
+        previousActiveAgents.delete(agentId);
+      }
+    }
+
+    console.log(`Broadcasting ${agents.length} active agents`);
+    broadcast({ type: 'agents', list: agents });
+
+    // Get history from database (inactive agents)
+    const historyAgents = await db.getAgentHistory(100);
+    const historyList = historyAgents.map(a => ({
+      id: a.id,
+      ticket: a.github_issue_number,
+      repo: a.github_repo,
+      title: null, // Will be fetched from GitHub if needed
+      time: a.last_heartbeat ? new Date(a.last_heartbeat).toLocaleString() : 'Unknown',
+      completedAt: a.last_heartbeat ? new Date(a.last_heartbeat).toLocaleString() : null,
+      active: false,
+      status: a.status,
+      project_id: a.project_id
+    }));
+
+    console.log(`Broadcasting ${historyList.length} history items`);
+    broadcast({ type: 'history', list: historyList });
+  } catch (error) {
+    console.error('Error broadcasting agents:', error);
+  }
+}
+
+setInterval(watchAgentLogs, 2000);
+watchAgentLogs();
+
+// Broadcast agent status every 5 seconds
+setInterval(broadcastAgents, 5000);
+broadcastAgents();
+
+// Reclaim stale/failed tickets every 2 minutes
+setInterval(async () => {
+  try {
+    const reclaimed = await db.reclaimStaleTickets(3, 3);
+    if (reclaimed.length > 0) {
+      for (const t of reclaimed) {
+        if (t.reason === 'retry') {
+          console.log(`[ticket-reclaim] Retrying failed ticket #${t.github_issue_number} (attempt ${t.retry_count}/3)`);
+        } else if (t.reason === 'idle_agent') {
+          console.log(`[ticket-reclaim] Reset ticket #${t.github_issue_number} (agent alive but idle)`);
+        } else {
+          console.log(`[ticket-reclaim] Reset stale ticket #${t.github_issue_number}`);
+        }
+      }
+    }
+  } catch (err) {
+    console.error('[ticket-reclaim] Error:', err.message);
+  }
+}, 120000);
+
+// Broadcast project tickets from GitHub every 10 seconds (all projects)
+async function resolveProjectToken(project) {
+  // 1. Project-specific token
+  if (project.github_token) return project.github_token;
+  // 2. Project creator's unified OAuth token
+  if (project.created_by) {
+    try {
+      const oauthProvider = await db.getOAuthProvider(project.created_by, 'github');
+      if (oauthProvider?.access_token) {
+        return encryption.decrypt(oauthProvider.access_token);
+      }
+      // Fallback to legacy column
+      const user = await db.getUserById(project.created_by);
+      if (user?.github_token_encrypted) {
+        return encryption.decrypt(user.github_token_encrypted);
+      }
+    } catch (e) { /* ignore */ }
+  }
+  // 3. Any user's OAuth token (first available)
+  try {
+    const result = await db.query('SELECT access_token FROM agentdev_oauth_providers WHERE provider_key = $1 AND access_token IS NOT NULL AND status = $2 LIMIT 1', ['github', 'active']);
+    if (result.rows.length > 0) {
+      return encryption.decrypt(result.rows[0].access_token);
+    }
+    // Fallback to legacy column
+    const legacyResult = await db.query('SELECT github_token_encrypted FROM agentdev_users WHERE github_token_encrypted IS NOT NULL LIMIT 1');
+    if (legacyResult.rows.length > 0) {
+      return encryption.decrypt(legacyResult.rows[0].github_token_encrypted);
+    }
+  } catch (e) { /* ignore */ }
+  // 4. Env var fallback
+  return process.env.GH_TOKEN || process.env.GITHUB_DEFAULT_TOKEN || null;
+}
+
+async function broadcastTodoTickets() {
+  try {
+    let allTickets = [];
+    let projects = [];
+    try {
+      const result = await db.query('SELECT * FROM agentdev_projects ORDER BY id ASC');
+      projects = result.rows;
+    } catch (e) {
+      // DB not ready yet, fallback to single project from config
+    }
+
+    if (projects.length > 0) {
+      for (const project of projects) {
+        const projectConfig = {
+          github_org: project.github_org,
+          project_number: project.project_number,
+          github_project_id: project.github_project_id,
+          status_field_id: project.status_field_id,
+          status_options: typeof project.status_options === 'string'
+            ? JSON.parse(project.status_options)
+            : project.status_options,
+        };
+        const token = await resolveProjectToken(project);
+        const tickets = await github.fetchProjectTickets(projectConfig, token, { claudeOnly: false });
+        tickets.forEach(t => { t.project_id = project.id; });
+        allTickets.push(...tickets);
+      }
+    } else {
+      // Fallback: no projects in DB yet, use default config
+      allTickets = await github.fetchProjectTickets();
+    }
+
+    broadcast({ type: 'todos', list: allTickets });
+  } catch (error) {
+    console.error('Error broadcasting project tickets:', error.message);
+  }
+}
+setInterval(broadcastTodoTickets, 10000);
+broadcastTodoTickets();
+
+function broadcast(data) {
+  const m = 'data: ' + JSON.stringify(data) + '\n\n';
+  clients.forEach(c => c.write(m));
+}
+
+// Listen for ticket completion events from agent-api and broadcast via SSE
+agentApi.events.on('ticket-completed', (data) => {
+  broadcast({ type: 'ticket-completed', ticket: data });
+});
+
+// Static file serving
+const MIME_TYPES = {
+  '.html': 'text/html',
+  '.css': 'text/css',
+  '.js': 'application/javascript',
+  '.json': 'application/json',
+  '.png': 'image/png',
+  '.svg': 'image/svg+xml',
+  '.md': 'text/markdown; charset=utf-8'
+};
+
+function serveStaticFile(filePath, res) {
+  const ext = path.extname(filePath);
+  const contentType = MIME_TYPES[ext] || 'application/octet-stream';
+
+  fs.readFile(filePath, (err, content) => {
+    if (err) {
+      res.writeHead(404);
+      res.end('Not found');
+    } else {
+      res.writeHead(200, { 'Content-Type': contentType });
+      res.end(content);
+    }
+  });
+}
+
+http.createServer(async (req, res) => {
+  const url = req.url.split('?')[0];
+
+  // ============================================================================
+  // Try new agent API routes first (from lib/routes.js)
+  // ============================================================================
+
+  const handled = routes.registerRoutes(req, res);
+  if (handled) {
+    return; // Route was handled by new API
+  }
+
+  // ============================================================================
+  // Existing routes (authentication, PWA, GitHub integration)
+  // ============================================================================
+
+  // Login page
+  if (url === '/login' || url === '/login.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'login.html'), res);
+    return;
+  }
+
+  // Login endpoint
+  if (url === '/api/login' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { username, password } = JSON.parse(body);
+        const user = await auth.validateCredentials(username, password);
+        if (user) {
+          // Check if email is verified
+          if (!user.email_verified) {
+            res.writeHead(403, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ success: false, error: 'Please verify your email before logging in' }));
+            return;
+          }
+          const sessionId = auth.createSession(user.id, user.email);
+          // Add Secure flag for HTTPS (production)
+          const isSecure = process.env.NODE_ENV === 'production' || process.env.BASE_URL?.startsWith('https://');
+          const secureCookie = isSecure ? '; Secure' : '';
+          res.writeHead(200, {
+            'Content-Type': 'application/json',
+            'Set-Cookie': `session=${sessionId}; Path=/; HttpOnly; SameSite=Strict${secureCookie}; Max-Age=${config.AUTH.SESSION_TTL / 1000}`
+          });
+          res.end(JSON.stringify({ success: true }));
+        } else {
+          res.writeHead(401, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Invalid credentials' }));
+        }
+      } catch (e) {
+        console.error('Login error:', e);
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: 'Invalid request' }));
+      }
+    });
+    return;
+  }
+
+  // Registration endpoint
+  if (url === '/api/register' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { email, password, maxAgents } = JSON.parse(body);
+
+        // Validation
+        if (!email || !password) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Email and password are required' }));
+          return;
+        }
+
+        // Email validation
+        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+        if (!emailRegex.test(email)) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Invalid email format' }));
+          return;
+        }
+
+        // Password validation
+        if (password.length < 8) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Password must be at least 8 characters' }));
+          return;
+        }
+
+        if (!/[A-Z]/.test(password) || !/[a-z]/.test(password) || !/[0-9]/.test(password)) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Password must contain uppercase, lowercase, and number' }));
+          return;
+        }
+
+        // Max agents validation
+        const agentLimit = maxAgents ? parseInt(maxAgents) : 3;
+        if (agentLimit < 1 || agentLimit > 10) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Max agents must be between 1 and 10' }));
+          return;
+        }
+
+        // Hash password and create user
+        const passwordHash = auth.hashPassword(password);
+        const verificationToken = crypto.randomBytes(32).toString('hex');
+        const verificationExpires = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours
+
+        const user = await db.createUser(email, passwordHash, {
+          maxAgents: agentLimit
+        });
+
+        // Set verification token
+        await db.query(
+          'UPDATE agentdev_users SET email_verification_token = $1, email_verification_expires = $2 WHERE id = $3',
+          [verificationToken, verificationExpires, user.id]
+        );
+
+        // Send verification email
+        await emailService.sendVerificationEmail(email, verificationToken, config.BASE_URL);
+
+        res.writeHead(201, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({
+          success: true,
+          message: 'Registration successful! Please check your email to verify your account.',
+          user: {
+            id: user.id,
+            email: user.email,
+            maxAgents: user.max_agents
+          }
+        }));
+      } catch (error) {
+        console.error('Registration error:', error);
+
+        // Handle duplicate email
+        if (error.code === '23505') {
+          res.writeHead(409, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Email already registered' }));
+          return;
+        }
+
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: 'Registration failed' }));
+      }
+    });
+    return;
+  }
+
+  // Password reset request endpoint
+  if (url === '/api/reset-password/request' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { email: userEmail } = JSON.parse(body);
+        if (!userEmail) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Email is required' }));
+          return;
+        }
+        const user = await db.getUserByEmail(userEmail);
+        if (!user) {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: true }));
+          return;
+        }
+        const resetToken = crypto.randomBytes(32).toString('hex');
+        const expiresAt = new Date(Date.now() + 60 * 60 * 1000);
+        await db.query(
+          'INSERT INTO agentdev_password_resets (user_id, token, expires_at) VALUES ($1, $2, $3)',
+          [user.id, resetToken, expiresAt]
+        );
+        await emailService.sendPasswordResetEmail(userEmail, resetToken, config.BASE_URL);
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (error) {
+        console.error('Password reset request error:', error);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: 'Failed to process request' }));
+      }
+    });
+    return;
+  }
+
+  // Password reset confirm endpoint
+  if (url === '/api/reset-password/confirm' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { token, password } = JSON.parse(body);
+        if (!token || !password) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Token and password required' }));
+          return;
+        }
+        if (password.length < 8) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Password must be at least 8 characters' }));
+          return;
+        }
+        const result = await db.query(
+          `SELECT pr.id, pr.user_id FROM agentdev_password_resets pr
+           WHERE pr.token = $1 AND pr.expires_at > NOW() AND pr.used_at IS NULL`,
+          [token]
+        );
+        if (result.rows.length === 0) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Invalid or expired reset token' }));
+          return;
+        }
+        const resetRecord = result.rows[0];
+        const passwordHash = auth.hashPassword(password);
+        await db.query(
+          'UPDATE agentdev_users SET password_hash = $1, updated_at = NOW() WHERE id = $2',
+          [passwordHash, resetRecord.user_id]
+        );
+        await db.query(
+          'UPDATE agentdev_password_resets SET used_at = NOW() WHERE id = $1',
+          [resetRecord.id]
+        );
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (error) {
+        console.error('Password reset confirm error:', error);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: 'Failed to reset password' }));
+      }
+    });
+    return;
+  }
+
+  // Email verification endpoint
+  if (url === '/api/verify-email' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { token } = JSON.parse(body);
+        if (!token) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Token is required' }));
+          return;
+        }
+        const result = await db.query(
+          `SELECT id, email FROM agentdev_users
+           WHERE email_verification_token = $1 AND email_verification_expires > NOW() AND email_verified = FALSE`,
+          [token]
+        );
+        if (result.rows.length === 0) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Invalid or expired verification token' }));
+          return;
+        }
+        const user = result.rows[0];
+        await db.query(
+          'UPDATE agentdev_users SET email_verified = TRUE, email_verification_token = NULL, email_verification_expires = NULL WHERE id = $1',
+          [user.id]
+        );
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true, message: 'Email verified successfully' }));
+      } catch (error) {
+        console.error('Email verification error:', error);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: 'Verification failed' }));
+      }
+    });
+    return;
+  }
+
+  // Logout endpoint
+  if (url === '/api/logout' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (sessionId) {
+      auth.destroySession(sessionId);
+    }
+    res.writeHead(200, {
+      'Content-Type': 'application/json',
+      'Set-Cookie': 'session=; Path=/; HttpOnly; Max-Age=0'
+    });
+    res.end(JSON.stringify({ success: true }));
+    return;
+  }
+
+  // SSE logs endpoint (before auth check so authenticated users can access)
+  if (url === '/logs') {
+    // Check if user is authenticated
+    if (!auth.isAuthenticated(req)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+
+    res.writeHead(200, { 'Content-Type': 'text/event-stream', 'Cache-Control': 'no-cache', 'Connection': 'keep-alive' });
+    clients.add(res);
+
+    // Subscribe to all agent logs (pattern: agentdev:logs:*)
+    const logCallback = (agentId, logData) => {
+      try {
+        res.write('data: ' + JSON.stringify({
+          type: 'log',
+          content: logData.content,
+          agent: agentId,
+          level: logData.level || 'INFO'
+        }) + '\n\n');
+      } catch (error) {
+        console.error('Error sending log to client:', error);
+      }
+    };
+
+    // Subscribe to all agent logs
+    redisLogs.subscribeToLogs('*', logCallback).catch(err => {
+      console.error('Failed to subscribe to logs:', err);
+    });
+
+    // Send recent logs from database
+    db.getRecentLogs(50).then(logs => {
+      logs.forEach(log => {
+        res.write('data: ' + JSON.stringify({
+          type: 'log',
+          content: log.content,
+          agent: log.agent_id,
+          level: log.level
+        }) + '\n\n');
+      });
+
+      // If no DB logs, send buffered file-based logs
+      if (logs.length === 0 && logBuffer.length > 0) {
+        logBuffer.forEach(entry => {
+          try {
+            res.write('data: ' + JSON.stringify(entry) + '\n\n');
+          } catch (e) { /* client may have disconnected */ }
+        });
+      }
+    }).catch(err => {
+      console.error('Failed to load recent logs:', err);
+      // Fallback: send buffered logs even if DB query fails
+      logBuffer.forEach(entry => {
+        try {
+          res.write('data: ' + JSON.stringify(entry) + '\n\n');
+        } catch (e) { /* client may have disconnected */ }
+      });
+    });
+
+    broadcastAgents();
+    broadcastTodoTickets();
+
+    req.on('close', () => {
+      clients.delete(res);
+      redisLogs.unsubscribeFromLogs('agentdev:logs:*', logCallback).catch(err => {
+        console.error('Failed to unsubscribe:', err);
+      });
+    });
+    return;
+  }
+
+  // Check authentication for all other routes (except public paths)
+  if (auth.requireAuth(req, res)) {
+    return; // Not authenticated, response already sent
+  }
+
+  // Profile API endpoints
+  if (url === '/api/profile' && req.method === 'GET') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+
+    try {
+      const user = await db.getUserById(session.userId);
+      // Check unified OAuth table for GitHub token
+      const oauthProvider = await db.getOAuthProvider(session.userId, 'github');
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        email: user.email,
+        max_agents: user.max_agents || 3,
+        has_github_token: !!(oauthProvider?.access_token) || !!user.github_token_encrypted
+      }));
+    } catch (error) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Failed to load profile' }));
+    }
+    return;
+  }
+
+  // Notification API endpoints
+  if (url === '/api/notifications' && req.method === 'GET') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+    try {
+      const notifications = await db.getUnreadNotifications(session.userId);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ notifications }));
+    } catch (error) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Failed to load notifications' }));
+    }
+    return;
+  }
+
+  if (url === '/api/notifications/read' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+    try {
+      await db.markNotificationsRead(session.userId);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ success: true }));
+    } catch (error) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Failed to mark notifications read' }));
+    }
+    return;
+  }
+
+  if (url === '/api/profile/limits' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { max_agents } = JSON.parse(body);
+        await db.updateUserLimits(session.userId, { max_agents });
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (error) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Failed to save limits' }));
+      }
+    });
+    return;
+  }
+
+  if (url === '/api/profile/token' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { github_token } = JSON.parse(body);
+
+        if (!github_token || !github_token.trim()) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'GitHub token is required' }));
+          return;
+        }
+
+        // Encrypt GitHub token
+        const encryptedToken = encryption.encrypt(github_token);
+
+        console.log(`Saving GitHub token for user ID: ${session.userId}`);
+
+        // Save to unified OAuth providers table
+        try {
+          const githubConfig = await db.getOAuthProviderConfig('github');
+          if (githubConfig) {
+            await db.upsertOAuthProvider({
+              userId: session.userId,
+              configId: githubConfig.id,
+              providerKey: 'github',
+              accessToken: encryptedToken,
+              scopes: ['repo', 'read:org', 'project']
+            });
+            console.log(`Saved to unified OAuth table for user ${session.userId}`);
+          }
+        } catch (oauthErr) {
+          console.error('Failed to save to unified OAuth table (will use legacy):', oauthErr.message);
+        }
+
+        // Also save to legacy column for backward compatibility
+        const result = await db.updateUserGitHubToken(session.userId, encryptedToken);
+        console.log(`Update result:`, result);
+
+        if (!result) {
+          console.error(`No user found with ID: ${session.userId}`);
+          res.writeHead(404, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'User not found' }));
+          return;
+        }
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (error) {
+        console.error('GitHub token save error:', error);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Failed to save GitHub token' }));
+      }
+    });
+    return;
+  }
+
+  if (url === '/api/agents' && req.method === 'GET') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+
+    try {
+      const agents = await db.getAgentsByUser(session.userId);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(agents));
+    } catch (error) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Failed to load agents' }));
+    }
+    return;
+  }
+
+  // Stop a running agent's ticket
+  if (url === '/api/agent/stop' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { agent_id } = JSON.parse(body);
+        if (!agent_id) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'agent_id is required' }));
+          return;
+        }
+
+        const agent = await db.getAgentById(agent_id);
+        if (!agent) {
+          res.writeHead(404, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Agent not found' }));
+          return;
+        }
+
+        // Mark ticket as failed if agent has one
+        if (agent.current_ticket_id) {
+          await db.updateTicketStatus(agent.current_ticket_id, 'failed', 'Stopped by user');
+
+          // Set stop signal in Redis (TTL 60s)
+          await redisLogs.set(`agentdev:stop:${agent.current_ticket_id}`, '1', 60);
+        }
+
+        // Set agent to idle
+        await db.updateAgentHeartbeat(agent_id, 'idle', null);
+
+        // Broadcast updated agent list
+        broadcastAgents();
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (error) {
+        console.error('Stop agent error:', error);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: error.message }));
+      }
+    });
+    return;
+  }
+
+  // Device approval endpoints
+  if (url === '/api/device/info' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { user_code } = JSON.parse(body);
+        const deviceInfo = await deviceFlow.getDeviceCodeByUserCode(user_code);
+
+        if (!deviceInfo) {
+          res.writeHead(404, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Invalid or expired code' }));
+          return;
+        }
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify(deviceInfo));
+      } catch (error) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Failed to get device info' }));
+      }
+    });
+    return;
+  }
+
+  if (url === '/api/device/approve' && req.method === 'POST') {
+    const sessionId = auth.getSessionFromRequest(req);
+    if (!auth.validateSession(sessionId)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    const session = auth.getSession(sessionId);
+
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { user_code, project_id } = JSON.parse(body);
+        await deviceFlow.approveDeviceCode(user_code, session.userId, project_id || null);
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (error) {
+        console.error('Device approval error:', error);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Failed to approve device' }));
+      }
+    });
+    return;
+  }
+
+  // Agent API endpoints are handled by routes.js (before requireAuth)
+  // SSE broadcast for ticket-completed is handled via agentApi.events listener above
+
+  // Serve index.html for root
+  if (url === '/') {
+    serveStaticFile(path.join(__dirname, 'public', 'index.html'), res);
+  }
+  // Profile page
+  else if (url === '/profile' || url === '/profile.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'profile.html'), res);
+  }
+  // Device authorization page
+  else if (url === '/device' || url === '/device.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'device.html'), res);
+  }
+  // Registration page
+  else if (url === '/register' || url === '/register.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'register.html'), res);
+  }
+  // Password reset page
+  else if (url === '/reset-password' || url === '/reset-password.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'reset-password.html'), res);
+  }
+  // Email verification page
+  else if (url === '/verify-email' || url === '/verify-email.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'verify-email.html'), res);
+  }
+  // Documentation page (public, no auth required)
+  else if (url === '/docs' || url === '/docs.html') {
+    serveStaticFile(path.join(__dirname, 'public', 'docs.html'), res);
+  }
+  // Documentation in markdown format
+  else if (url === '/docs.md') {
+    serveStaticFile(path.join(__dirname, 'public', 'docs.md'), res);
+  }
+  // Serve static files from public directory
+  else if (url.startsWith('/css/') || url.startsWith('/js/')) {
+    serveStaticFile(path.join(__dirname, 'public', url), res);
+  }
+  // PWA manifest
+  else if (url === '/manifest.json') {
+    res.writeHead(200, { 'Content-Type': 'application/manifest+json' });
+    res.end(JSON.stringify(pwa.getManifest()));
+  }
+  // Service worker
+  else if (url === '/sw.js') {
+    res.writeHead(200, { 'Content-Type': 'application/javascript', 'Cache-Control': 'no-cache, no-store, must-revalidate' });
+    res.end(pwa.getServiceWorkerCode());
+  }
+  // Favicon
+  else if (url === '/favicon.svg' || url === '/favicon.ico') {
+    res.writeHead(200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'public, max-age=86400' });
+    res.end(pwa.getIconSvg(32));
+  }
+  // PWA icons
+  else if (url === '/icon-192.png' || url === '/icon-512.png') {
+    const size = url.includes('192') ? 192 : 512;
+    res.writeHead(200, { 'Content-Type': 'image/svg+xml' });
+    res.end(pwa.getIconSvg(size));
+  }
+  // OG image for social sharing
+  else if (url === '/og-image.svg') {
+    res.writeHead(200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'public, max-age=86400' });
+    res.end(pwa.getOgImageSvg());
+  }
+  // Create ticket endpoint
+  else if (url === '/create-ticket' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { repo, title, body: ticketBody, project_id } = JSON.parse(body);
+
+        if (!repo || !title || !ticketBody) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Missing required fields' }));
+          return;
+        }
+
+        // Get user's GitHub token from session
+        const sessionId = auth.getSessionFromRequest(req);
+        if (!auth.validateSession(sessionId)) {
+          res.writeHead(401, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Not authenticated' }));
+          return;
+        }
+        const session = auth.getSession(sessionId);
+
+        const user = await db.getUserById(session.userId);
+
+        // Look up project config from DB (with token)
+        let projectConfig = null;
+        let projectId = project_id ? parseInt(project_id) : null;
+
+        // Default to first project if none specified
+        if (!projectId) {
+          const projects = await db.getProjects();
+          if (projects.length > 0) {
+            projectId = projects[0].id;
+          }
+        }
+
+        if (projectId) {
+          const project = await db.getProjectWithToken(projectId);
+          if (project) {
+            projectConfig = {
+              github_org: project.github_org,
+              project_number: project.project_number,
+              github_project_id: project.github_project_id,
+              status_field_id: project.status_field_id,
+              status_options: typeof project.status_options === 'string'
+                ? JSON.parse(project.status_options)
+                : project.status_options,
+            };
+          }
+        }
+
+        // Resolve GitHub token: unified OAuth table > legacy column > project token > default
+        let githubToken = null;
+        const oauthProvider = await db.getOAuthProvider(session.userId, 'github');
+        if (oauthProvider?.access_token) {
+          githubToken = encryption.decrypt(oauthProvider.access_token);
+        }
+        if (!githubToken && user?.github_token_encrypted) {
+          githubToken = encryption.decrypt(user.github_token_encrypted);
+        }
+        if (!githubToken && projectId) {
+          const projectFull = await db.getProjectWithToken(projectId);
+          if (projectFull?.github_token) {
+            githubToken = projectFull.github_token;
+          }
+        }
+
+        if (!githubToken) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'No GitHub token available. Add one in your profile or in the project settings.' }));
+          return;
+        }
+
+        console.log(`Using GitHub token for user ${session.userId}, token starts with: ${githubToken.substring(0, 10)}...`);
+
+        const issue = await github.createTicket(repo, title, ticketBody, githubToken, projectConfig);
+
+        // Add to project board
+        const addedToProject = await github.addToProject(repo, issue.number, githubToken, projectConfig);
+        console.log('Ticket #' + issue.number + ' created and added to project');
+
+        // Insert into database so agents can find it
+        if (addedToProject) {
+          const projectItemId = await github.getProjectItemId(repo, issue.number, githubToken, projectConfig);
+          await db.createTicket({
+            issueNumber: issue.number,
+            repo: repo,
+            projectItemId: projectItemId,
+            priority: 5,
+            projectId: projectId
+          });
+          console.log('Ticket #' + issue.number + ' added to database');
+        }
+
+        // Clear cache and broadcast updated board immediately
+        github.clearTicketCache();
+        broadcastTodoTickets();
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true, number: issue.number, url: issue.url, repo }));
+
+      } catch (e) {
+        console.error('Error creating ticket:', e.message);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: e.message }));
+      }
+    });
+  }
+  // Add comment endpoint
+  else if (url === '/add-comment' && req.method === 'POST') {
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { repo, issue, comment, project_id } = JSON.parse(body);
+
+        if (!repo || !issue || !comment) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ success: false, error: 'Missing required fields' }));
+          return;
+        }
+
+        // Look up project config from DB (with token)
+        let projectConfig = null;
+        let statusOptions = config.STATUS_OPTIONS;
+        let projectId = project_id ? parseInt(project_id) : null;
+
+        // Default to first project if none specified
+        if (!projectId) {
+          const projects = await db.getProjects();
+          if (projects.length > 0) {
+            projectId = projects[0].id;
+          }
+        }
+
+        if (projectId) {
+          const project = await db.getProjectWithToken(projectId);
+          if (project) {
+            projectConfig = {
+              github_org: project.github_org,
+              project_number: project.project_number,
+              github_project_id: project.github_project_id,
+              status_field_id: project.status_field_id,
+              status_options: typeof project.status_options === 'string'
+                ? JSON.parse(project.status_options)
+                : project.status_options,
+            };
+            statusOptions = projectConfig.status_options;
+          }
+        }
+
+        // Resolve GitHub token: unified OAuth table > legacy column > project token > default
+        const sessionId = auth.getSessionFromRequest(req);
+        const session = auth.getSession(sessionId);
+        let githubToken = null;
+        if (session?.userId) {
+          const oauthProvider = await db.getOAuthProvider(session.userId, 'github');
+          if (oauthProvider?.access_token) {
+            githubToken = encryption.decrypt(oauthProvider.access_token);
+          }
+          if (!githubToken) {
+            const user = await db.getUserById(session.userId);
+            if (user?.github_token_encrypted) {
+              githubToken = encryption.decrypt(user.github_token_encrypted);
+            }
+          }
+        }
+        if (!githubToken && projectId) {
+          const projectFull = await db.getProjectWithToken(projectId);
+          if (projectFull?.github_token) {
+            githubToken = projectFull.github_token;
+          }
+        }
+
+        let reopened = false;
+
+        // Check if issue is closed
+        const issueState = await github.getIssueState(repo, issue, githubToken, projectConfig);
+
+        if (issueState === 'CLOSED') {
+          // Reopen the issue
+          await github.reopenIssue(repo, issue, githubToken, projectConfig);
+          console.log('Reopened issue #' + issue);
+          reopened = true;
+
+          // Move to Todo in project board
+          const itemId = await github.getProjectItemId(repo, issue, githubToken, projectConfig);
+          if (itemId) {
+            const todoOptionId = statusOptions.TODO || statusOptions.todo;
+            await github.moveToStatus(itemId, todoOptionId, githubToken, projectConfig);
+            console.log('Moved issue #' + issue + ' to Todo');
+          }
+        }
+
+        // Add the comment
+        await github.addComment(repo, issue, comment, githubToken, projectConfig);
+        console.log('Comment added to issue #' + issue);
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true, reopened }));
+
+      } catch (e) {
+        console.error('Error adding comment:', e.message);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: false, error: e.message }));
+      }
+    });
+  }
+  // Move ticket between board columns
+  else if (url === '/api/tickets/move' && req.method === 'POST') {
+    if (!auth.isAuthenticated(req)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { projectItemId, targetStatus, projectId } = JSON.parse(body);
+        if (!projectItemId || !targetStatus) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Missing projectItemId or targetStatus' }));
+          return;
+        }
+
+        // Map display status to internal key
+        const STATUS_KEY_MAP = { 'Todo': 'TODO', 'In Progress': 'IN_PROGRESS', 'test': 'TEST', 'Done': 'DONE' };
+        const statusKey = STATUS_KEY_MAP[targetStatus];
+        if (!statusKey) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Invalid target status: ' + targetStatus }));
+          return;
+        }
+
+        // Look up project config
+        let projectConfig = null;
+        let statusOptions = config.STATUS_OPTIONS;
+        const pid = projectId ? parseInt(projectId) : null;
+        if (pid) {
+          const project = await db.getProjectWithToken(pid);
+          if (project) {
+            projectConfig = {
+              github_org: project.github_org,
+              project_number: project.project_number,
+              github_project_id: project.github_project_id,
+              status_field_id: project.status_field_id,
+              status_options: typeof project.status_options === 'string'
+                ? JSON.parse(project.status_options)
+                : project.status_options,
+            };
+            statusOptions = projectConfig.status_options;
+          }
+        }
+
+        const statusOptionId = statusOptions[statusKey];
+        if (!statusOptionId) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'No option ID for status: ' + statusKey }));
+          return;
+        }
+
+        // Resolve token
+        const token = await resolveProjectToken(
+          pid ? (await db.query('SELECT * FROM agentdev_projects WHERE id=$1', [pid])).rows[0] || {} : {}
+        );
+
+        await github.moveToStatus(projectItemId, statusOptionId, token, projectConfig);
+
+        // Clear ticket cache and re-broadcast
+        github.clearTicketCache();
+        broadcastTodoTickets();
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (e) {
+        console.error('Error moving ticket:', e.message);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    });
+  }
+  // Update ticket (title/body)
+  else if (url === '/api/tickets/update' && req.method === 'POST') {
+    if (!auth.isAuthenticated(req)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { repo, issue, title, body: issueBody, state, projectId } = JSON.parse(body);
+        if (!repo || !issue) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Missing repo or issue' }));
+          return;
+        }
+        const updates = {};
+        if (title !== undefined) updates.title = title;
+        if (issueBody !== undefined) updates.body = issueBody;
+        if (state !== undefined) updates.state = state;
+
+        const project = projectId ? (await db.query('SELECT * FROM agentdev_projects WHERE id=$1', [projectId])).rows[0] : null;
+        const token = await resolveProjectToken(project || {});
+        const projectConfig = project ? {
+          github_org: project.github_org,
+          project_number: project.project_number,
+        } : null;
+
+        await github.updateIssue(repo, issue, updates, token, projectConfig);
+        github.clearTicketCache();
+        broadcastTodoTickets();
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (e) {
+        console.error('Error updating ticket:', e.message);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    });
+  }
+  // Add comment from ticket panel
+  else if (url === '/api/tickets/comment' && req.method === 'POST') {
+    if (!auth.isAuthenticated(req)) {
+      res.writeHead(401, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Unauthorized' }));
+      return;
+    }
+    let body = '';
+    req.on('data', chunk => body += chunk);
+    req.on('end', async () => {
+      try {
+        const { repo, issue, comment, projectId } = JSON.parse(body);
+        if (!repo || !issue || !comment) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Missing repo, issue, or comment' }));
+          return;
+        }
+        const project = projectId ? (await db.query('SELECT * FROM agentdev_projects WHERE id=$1', [projectId])).rows[0] : null;
+        const token = await resolveProjectToken(project || {});
+        const projectConfig = project ? { github_org: project.github_org } : null;
+
+        await github.addComment(repo, issue, comment, token, projectConfig);
+        github.clearTicketCache();
+        broadcastTodoTickets();
+
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (e) {
+        console.error('Error adding comment:', e.message);
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    });
+  }
+  else {
+    res.writeHead(404);
+    res.end('Not found');
+  }
+}).listen(config.PORT, () => {
+  // Initialize GitHub default token from environment
+  if (process.env.GH_TOKEN) {
+    github.setDefaultToken(process.env.GH_TOKEN);
+  }
+  console.log('AgentDev Web UI running on http://localhost:' + config.PORT);
+
+  // Run ticket sync every 5 minutes (checks for new tickets + re-queues completed tickets with new @claude comments)
+  const { execFile } = require('child_process');
+  setInterval(() => {
+    execFile('node', [path.join(__dirname, 'sync-github-tickets.js')], {
+      env: { ...process.env }
+    }, (err, stdout, stderr) => {
+      if (err) {
+        console.error('[sync] Error:', err.message);
+        return;
+      }
+      if (stdout.includes('Re-queued')) console.log('[sync]', stdout.trim());
+    });
+  }, 5 * 60 * 1000);
+});