npm - circuschief - Versions diffs - 0.6.0 → 0.8.0 - Mend

circuschief 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (187) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circuschief",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "Local-first web UI for managing Claude Code sessions",
   "type": "module",
   "bin": {

package/packages/server/src/agents/adapters/CodexAdapter.js CHANGED Viewed

@@ -14,16 +14,17 @@ let codexCliUnavailable = false;
  *
  * Two execution paths:
  *
- *   1. CLI path (default) — spawns the `codex --json ...` CLI and parses its
+ *   1. CLI path (default) — spawns `codex exec --json ...` and parses its
  *      line-delimited JSON stdout. Uses {@link createCodexEventMapper} to
  *      normalize events into the SDK-shaped envelope the rest of the app
  *      already understands.
  *
  *   2. Direct-API path — activated by {@code USE_CODEX_DIRECT_API=1}. Uses
  *      the official {@code openai} SDK with Chat Completions streaming
- *      against the provider's configured baseURL/apiKey. Intended for
- *      environments where the Codex CLI isn't installable and for the
- *      Step-0 contingency path in the implementation plan.
+ *      against the provider's configured baseURL/apiKey. It bypasses
+ *      CLI-specific behavior such as sandbox enforcement and Codex
+ *      commit-attribution config. Intended for
+ *      environments where the Codex CLI isn't installable.
  *
  * Capabilities in v1:
  *   - streaming:   true

package/packages/server/src/api/canvas.js CHANGED Viewed

@@ -2,10 +2,11 @@ import { Router } from 'express';
 import { readFileSync, existsSync, statSync } from 'fs';
 import { mkdir } from 'fs/promises';
 import { extname, join, basename } from 'path';
-import { sessions, canvasItems } from '../database.js';
+import { canvasItems } from '../database.js';
 import { broadcastToSession } from '../websocket.js';
 import { WS_MESSAGE_TYPES, UpdateCanvasItemRequest } from '../../../shared/src/index.js';
 import { upload, handleUploadError } from '../middleware/upload.js';
+import { requireRootSessionAndProject } from '../middleware/sessionLookup.js';
 import {
   isBinaryContent,
   getTypeFromExtension,
@@ -19,8 +20,6 @@ import {
 import trashRoutes from './canvas-trash-routes.js';
 // Error message constants
-const ERR_SESSION_NOT_FOUND = 'Session not found';
 /**
  * Process multipart file upload (Mode 1)
  * @param {Express.Multer.File} file - The uploaded file from multer
@@ -84,12 +83,7 @@ router.use('/', trashRoutes);
 // 1. Multipart mode: FormData with 'file' field - from browser file uploads
 // 2. File mode: { filePath } - reads file from disk
 // 3. Inline mode: { type, content, filename } - uses provided content directly
-router.post('/:id/canvas', upload.single('file'), handleUploadError, (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
+router.post('/:id/canvas', requireRootSessionAndProject, upload.single('file'), handleUploadError, (req, res) => {
   const { filePath, type, content, filename } = req.body;
   let result;
@@ -110,21 +104,16 @@ router.post('/:id/canvas', upload.single('file'), handleUploadError, (req, res)
     return res.status(400).json({ error: result.error });
   }
-  const item = canvasItems.create(req.params.id, result.itemData);
+  const item = canvasItems.create(req.rootSessionId, result.itemData);
   // Broadcast to session subscribers
-  broadcastCanvasUpdate(req.params.id, item);
+  broadcastCanvasUpdate(req.rootSessionId, item);
   res.status(201).json(item);
 });
 // PUT /api/sessions/:id/canvas/:itemId - Update canvas item content in-place
-router.put('/:id/canvas/:itemId', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
+router.put('/:id/canvas/:itemId', requireRootSessionAndProject, (req, res) => {
   const parsed = UpdateCanvasItemRequest.safeParse(req.body);
   if (!parsed.success) {
     return res.status(400).json({ error: 'Invalid request body', details: parsed.error.issues });
@@ -135,7 +124,7 @@ router.put('/:id/canvas/:itemId', (req, res) => {
     return res.status(404).json({ error: 'Canvas item not found' });
   }
-  if (item.sessionId !== req.params.id) {
+  if (item.sessionId !== req.rootSessionId) {
     return res.status(400).json({ error: 'Canvas item does not belong to this session' });
   }
@@ -144,20 +133,15 @@ router.put('/:id/canvas/:itemId', (req, res) => {
   }
   const updatedItem = canvasItems.updateContent(req.params.itemId, parsed.data.content);
-  broadcastToSession(req.params.id, WS_MESSAGE_TYPES.CANVAS_UPDATE, { item: updatedItem });
+  broadcastToSession(req.rootSessionId, WS_MESSAGE_TYPES.CANVAS_UPDATE, { item: updatedItem });
   res.json(updatedItem);
 });
 // GET /api/sessions/:id/canvas - List canvas items
 // Returns only latest version of each file (no version metadata exposed)
-router.get('/:id/canvas', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
+router.get('/:id/canvas', requireRootSessionAndProject, (req, res) => {
   // Get only latest versions (one per filename)
-  const items = canvasItems.getLatestVersionsBySessionId(req.params.id);
+  const items = canvasItems.getLatestVersionsBySessionId(req.rootSessionId);
   // Strip content/data from list responses to reduce payload size.
   // Clients should use GET /canvas/file/:filename/content for inline content.
@@ -166,14 +150,9 @@ router.get('/:id/canvas', (req, res) => {
 // GET /api/sessions/:id/canvas/all - List ALL canvas items (including all versions)
 // Returns all versions of each file for the frontend UI
-router.get('/:id/canvas/all', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
+router.get('/:id/canvas/all', requireRootSessionAndProject, (req, res) => {
   // Get ALL versions (not just latest)
-  const items = canvasItems.getBySessionId(req.params.id);
+  const items = canvasItems.getBySessionId(req.rootSessionId);
   // Strip content/data from list responses to reduce payload size.
   res.json(items.map(({ content: _content, data: _data, ...meta }) => meta));
@@ -182,15 +161,11 @@ router.get('/:id/canvas/all', (req, res) => {
 // GET /api/sessions/:id/canvas/file/:filename/history/:version - Get historical version of canvas file
 // Uses standard versioning: version 1 = oldest, version N = latest (where N = totalVersions)
 // NOTE: This route must be defined BEFORE the main file route to match correctly
-router.get('/:id/canvas/file/:filename/history/:version', async (req, res) => {
-  const { id: sessionId, filename, version } = req.params;
+router.get('/:id/canvas/file/:filename/history/:version', requireRootSessionAndProject, async (req, res) => {
+  const { filename, version } = req.params;
+  const sessionId = req.rootSessionId;
   const versionNum = parseInt(version, 10);
-  const session = sessions.getById(sessionId);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
   // Get all versions of this file (newest first)
   const allVersions = canvasItems.getAllVersionsByFilename(sessionId, filename);
   if (allVersions.length === 0) {
@@ -247,11 +222,8 @@ router.get('/:id/canvas/file/:filename/history/:version', async (req, res) => {
 // GET /api/sessions/:id/canvas/file/:filename/content - Get canvas file content inline
 // Returns content/data inline in JSON for browser consumption (unlike the temp-file endpoint below)
 // Supports ?version=N query param (1-based, 1 = oldest)
-router.get('/:id/canvas/file/:filename/content', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  const allVersions = canvasItems.getAllVersionsByFilename(req.params.id, req.params.filename);
+router.get('/:id/canvas/file/:filename/content', requireRootSessionAndProject, (req, res) => {
+  const allVersions = canvasItems.getAllVersionsByFilename(req.rootSessionId, req.params.filename);
   if (allVersions.length === 0) return res.status(404).json({ error: 'File not found' });
   // Support ?version=N (1-based, 1 = oldest)
@@ -280,13 +252,10 @@ router.get('/:id/canvas/file/:filename/content', (req, res) => {
 });
 // GET /api/sessions/:id/canvas/:itemId/content - Get one canvas item content inline
-router.get('/:id/canvas/:itemId/content', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
+router.get('/:id/canvas/:itemId/content', requireRootSessionAndProject, (req, res) => {
   const item = canvasItems.getById(req.params.itemId);
   if (!item) return res.status(404).json({ error: 'Canvas item not found' });
-  if (item.sessionId !== req.params.id) {
+  if (item.sessionId !== req.rootSessionId) {
     return res.status(400).json({ error: 'Canvas item does not belong to this session' });
   }
@@ -302,13 +271,9 @@ router.get('/:id/canvas/:itemId/content', (req, res) => {
 // GET /api/sessions/:id/canvas/file/:filename - Get canvas file by filename
 // Writes the file to /tmp and returns the file path for Claude's Read tool
 // Always returns the latest version
-router.get('/:id/canvas/file/:filename', async (req, res) => {
-  const { id: sessionId, filename } = req.params;
-  const session = sessions.getById(sessionId);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
+router.get('/:id/canvas/file/:filename', requireRootSessionAndProject, async (req, res) => {
+  const { filename } = req.params;
+  const sessionId = req.rootSessionId;
   // Get all versions of this file (newest first)
   const allVersions = canvasItems.getAllVersionsByFilename(sessionId, filename);

package/packages/server/src/api/index.js CHANGED Viewed

@@ -14,6 +14,7 @@ import kanbanRouter from './kanban.js';
 import agentsRouter from './agents.js';
 import { getDbPath } from '../database.js';
 import { schedulerService } from '../services/schedulerService.js';
+import { isE2ESpawnCaptureEnabled } from '../services/e2eSpawnCapture.js';
 const router = Router();
@@ -29,6 +30,7 @@ router.get('/server-info', (_req, res) => {
     dbPath: getDbPath(),
     vcrMode: vcr && vcr.length > 0 ? vcr : null,
     schedulerRunning: schedulerService.isRunning(),
+    e2eSpawnCaptureEnabled: isE2ESpawnCaptureEnabled(),
   });
 });

package/packages/server/src/api/kanban.js CHANGED Viewed

@@ -11,6 +11,7 @@ import {
   ReorderKanbanCardsRequest,
 } from '../../../shared/src/contracts/kanban.js';
 import { moveCard as moveCardService } from '../services/kanbanService.js';
+import { resolveBodyRootSessionForProject } from '../middleware/sessionLookup.js';
 const router = Router({ mergeParams: true });
@@ -215,7 +216,7 @@ router.put('/lanes/reorder', (req, res) => {
  * POST /api/projects/:projectId/kanban/cards
  * Add a session to the board (create card in a lane)
  */
-router.post('/cards', (req, res) => {
+router.post('/cards', resolveBodyRootSessionForProject('projectId'), (req, res) => {
   const { projectId } = req.params;
   const result = CreateKanbanCardRequest.safeParse(req.body);
@@ -223,7 +224,8 @@ router.post('/cards', (req, res) => {
     return res.status(400).json({ error: result.error.issues[0].message });
   }
-  const { sessionId, laneId } = result.data;
+  const { laneId } = result.data;
+  const sessionId = req.bodyRootSessionId;
   // Check if session already has a card
   const existingCard = kanbanCards.getBySessionId(sessionId);

package/packages/server/src/api/projects-helpers.js CHANGED Viewed

@@ -1,22 +1,39 @@
+import { generateWorktreeBranch } from '../../../shared/src/index.js';
 import { isGitRepo } from '../services/gitService.js';
 /**
  * Validate and default git settings for git-backed projects.
  * If gitMode or gitBranch are missing for a git project, defaults are applied
- * (gitMode: 'none', gitBranch: 'main') instead of rejecting the request.
+ * instead of rejecting the request. Worktree sessions receive a generated branch
+ * so they never try to check out an already-active branch such as main.
+ * Current-mode sessions skip branch generation entirely.
  * @param {Object} config - The session configuration
  * @param {Object} project - The project object
  * @returns {Promise<{config: Object, error: string|null}>} Updated config and error message if validation fails.
  */
 export async function validateGitSettings(config, project) {
+  // Current mode: no branch needed, pass through as-is
+  if (config.gitMode === 'current') {
+    return {
+      config: {
+        ...config,
+        gitBranch: null,
+      },
+      error: null,
+    };
+  }
   if (!config.gitMode || !config.gitBranch) {
     const isGit = await isGitRepo(project.workingDirectory);
     if (isGit) {
+      const gitMode = config.gitMode || 'none';
       return {
         config: {
           ...config,
-          gitMode: config.gitMode || 'none',
-          gitBranch: config.gitBranch || 'main',
+          gitMode,
+          gitBranch: config.gitBranch || (gitMode === 'worktree'
+            ? generateWorktreeBranch(config.name, config.prompt)
+            : 'main'),
         },
         error: null,
       };

package/packages/server/src/api/projects-session-helpers.js CHANGED Viewed

@@ -1,9 +1,10 @@
 import { sessions, sessionTemplates, attachments } from '../database.js';
 import * as slashCommandService from '../services/slashCommandService.js';
 import { setupGitForSession } from '../services/gitSessionSetup.js';
+import { resolveProviderMetadataFromModel } from '../services/sessionProvider.js';
 import { executeHookAsync } from '../services/hookService.js';
 import { broadcastToProject } from '../websocket.js';
-import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
+import { WS_MESSAGE_TYPES, DEFAULT_RESCHEDULE_DELAY_MINUTES } from '../../../shared/src/index.js';
 /**
  * Generate an initial session name from the prompt
@@ -44,6 +45,26 @@ export function resolveDefault(explicit, projectDefault, systemDefault) {
   return systemDefault;
 }
+/**
+ * Normalize provider IDs from JSON or multipart request fields.
+ * @param {*} value - Raw providerId value
+ * @returns {string|null|undefined}
+ */
+export function normalizeProviderId(value) {
+  if (value === undefined) return undefined;
+  if (value === null || value === '') return null;
+  if (typeof value !== 'string') {
+    throw new TypeError('providerId must be a string or null');
+  }
+  return value;
+}
+function resolveProviderDefault(explicit, projectDefault, systemDefault) {
+  if (explicit !== undefined) return explicit;
+  if (projectDefault !== undefined && projectDefault !== null) return projectDefault;
+  return systemDefault ?? null;
+}
 /**
  * Resolve thinkingEnabled with special boolean handling.
  * @param {object} body - Request body
@@ -71,7 +92,7 @@ export function parseSchedulingConfig(body) {
   return {
     scheduledAt: body.scheduledAt ? parseInt(body.scheduledAt, 10) : undefined,
     autoRescheduleEnabled: body.autoRescheduleEnabled === true || body.autoRescheduleEnabled === 'true',
-    rescheduleDelayMinutes: body.rescheduleDelayMinutes ? parseInt(body.rescheduleDelayMinutes, 10) : 15,
+    rescheduleDelayMinutes: body.rescheduleDelayMinutes ? parseInt(body.rescheduleDelayMinutes, 10) : DEFAULT_RESCHEDULE_DELAY_MINUTES,
     rescheduleOnTokenLimit: body.rescheduleOnTokenLimit !== false && body.rescheduleOnTokenLimit !== 'false',
     rescheduleOnServiceError: body.rescheduleOnServiceError !== false && body.rescheduleOnServiceError !== 'false',
     maxRescheduleCount: body.maxRescheduleCount ? parseInt(body.maxRescheduleCount, 10) : null,
@@ -114,14 +135,19 @@ export function prepareSessionConfig(body, projectDefs, systemDefaults) {
     effortLevel = null;
   }
+  const explicitProviderId = normalizeProviderId(body.providerId);
+  const projectProviderId = normalizeProviderId(projectDefs?.providerId);
+  const systemProviderId = normalizeProviderId(systemDefaults.providerId);
   return {
     prompt: body.prompt,
     name: body.name,
     mode: resolveDefault(body.mode, projectDefs?.mode, systemDefaults.mode),
     model: resolveDefault(body.model, projectDefs?.model, systemDefaults.model || null),
+    providerId: resolveProviderDefault(explicitProviderId, projectProviderId, systemProviderId),
     effortLevel,
     gitBranch: resolveDefault(body.gitBranch, projectDefs?.gitBranch, null),
-    gitMode: resolveDefault(body.gitMode, projectDefs?.gitMode, null),
+    gitMode: resolveDefault(body.gitMode, projectDefs?.gitMode, systemDefaults.gitMode),
     templateId: body.templateId,
     parentSessionId: body.parentSessionId || null,
     files: [],
@@ -235,12 +261,17 @@ async function resolveSessionWorkingDirectory({ session, config, project }) {
     };
   }
+  // Normalize 'current' mode to null (no git isolation) for setupGitForSession
+  const normalizedGitMode = (config.gitMode === 'current') ? null : (config.gitMode || null);
   const gitSetup = await setupGitForSession({
     projectDir: project.workingDirectory,
-    gitMode: config.gitMode || null,
+    gitMode: normalizedGitMode,
     gitBranch: config.gitBranch || null,
     sessionId: session.id,
     worktreeBasePath: project.worktreePath || null,
+    commitAttributionOverride:
+      resolveProviderMetadataFromModel(config.model)?.commitAttributionOverride ?? null,
   });
   return { workingDirectory: gitSetup.workingDirectory, gitWorktree: gitSetup.gitWorktree };
 }

package/packages/server/src/api/projects.js CHANGED Viewed

@@ -212,6 +212,16 @@ async function validateAndPrepareSessionConfig(reqBody, reqFiles, projectId, pro
     return { error: 'Prompt is required', status: 400 };
   }
+  if (config.parentSessionId) {
+    const parentSession = sessions.getById(config.parentSessionId);
+    if (!parentSession) {
+      return { error: 'Parent session not found', status: 404 };
+    }
+    if (parentSession.projectId !== projectId) {
+      return { error: 'Parent session does not belong to this project', status: 400 };
+    }
+  }
   // Apply template overrides and resolve nextTemplateId
   applyTemplateOverrides(config);
   const { nextTemplateId, error: nextTemplateError } = resolveNextTemplateId(reqBody, config.nextTemplateId || null);
@@ -243,6 +253,7 @@ function createSessionRow(projectId, config, nextTemplateId, initialStatus) {
     parentSessionId: config.parentSessionId,
     status: initialStatus,
     model: config.model,
+    providerId: config.providerId,
     effortLevel: config.effortLevel,
     agentType: config.agentType,
   });

package/packages/server/src/api/providers.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { modelProviders } from '../database.js';
 import {
+  COMMIT_ATTRIBUTION_VALIDATION_MESSAGE,
   CreateProviderRequest,
   UpdateProviderRequest,
   CreateProviderModelRequest,
@@ -34,6 +35,9 @@ router.get('/', (_req, res) => {
     const sanitized = allProviders.map(redactAuthToken);
     res.json(sanitized);
   } catch (error) {
+    if (error.message === COMMIT_ATTRIBUTION_VALIDATION_MESSAGE) {
+      return res.status(400).json({ error: error.message });
+    }
     res.status(500).json({ error: error.message });
   }
 });
@@ -82,9 +86,15 @@ router.patch('/:id', (req, res) => {
     const updated = modelProviders.update(req.params.id, result.data);
     res.json(redactAuthToken(updated));
   } catch (error) {
-    if (error.message === 'Cannot delete built-in provider') {
+    if (
+      error.message === 'Cannot delete built-in provider' ||
+      error.message.startsWith('Built-in providers can only update')
+    ) {
       return res.status(403).json({ error: error.message });
     }
+    if (error.message === COMMIT_ATTRIBUTION_VALIDATION_MESSAGE) {
+      return res.status(400).json({ error: error.message });
+    }
     res.status(500).json({ error: error.message });
   }
 });

package/packages/server/src/api/sessions-commands.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { Router } from 'express';
 import { commandButtons, commandRuns } from '../database.js';
 import { broadcastToSession, broadcastToProject } from '../websocket.js';
 import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
-import { requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
+import { requireRootSessionAndProject } from '../middleware/sessionLookup.js';
 import { commandRunner } from '../services/commandRunner.js';
 import { databaseManager } from '../db/DatabaseManager.js';
@@ -46,9 +46,14 @@ function broadcastCommandError(ctx, errorMessage) {
   broadcastToProject(projectId, WS_MESSAGE_TYPES.COMMAND_RUN_ERROR, { projectId, sessionId, runId, buttonId, error: errorMessage });
 }
+// GET /api/sessions/:id/command-buttons - List command buttons for the workflow project
+router.get('/:id/command-buttons', requireRootSessionAndProject, (req, res) => {
+  res.json(commandButtons.getByProjectId(req.rootSession_.projectId));
+});
 // POST /api/sessions/:id/command-buttons/:buttonId/run - Execute button command
-router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+router.post('/:id/command-buttons/:buttonId/run', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const buttonId = req.params.buttonId;
   console.log(`[RUN] Starting command for buttonId: ${buttonId}, sessionId: ${sessionId}`);
@@ -57,6 +62,9 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
   if (!button) {
     return res.status(404).json({ error: 'Command button not found' });
   }
+  if (button.projectId !== req.rootSession_.projectId) {
+    return res.status(404).json({ error: 'Command button not found' });
+  }
   // Generate run ID
   const runId = databaseManager.generateId();
@@ -67,8 +75,8 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
   res.json({ runId, buttonId, status: 'running', output: '' });
   // Capture middleware values for use in async callbacks
-  const projectId = req.session_.projectId;
-  const workingDirectory = req.workingDirectory;
+  const projectId = req.rootSession_.projectId;
+  const workingDirectory = req.rootWorkingDirectory;
   const ctx = { sessionId, projectId, runId, buttonId };
   // Broadcast initial "running" status immediately so session list can show the running indicator
@@ -98,16 +106,17 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
 });
 // GET /api/sessions/:id/command-buttons/runs - Get active runs for session
-router.get('/:id/command-buttons/runs', requireSession, (req, res) => {
-  const sessionId = req.params.id;
+router.get('/:id/command-buttons/runs', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const activeRuns = commandRunner.getRunsBySession(sessionId);
   res.json(activeRuns);
 });
 // GET /api/sessions/:id/command-buttons/runs/:runId - Get single run by ID
-router.get('/:id/command-buttons/runs/:runId', requireSession, (req, res) => {
-  const { id: sessionId, runId } = req.params;
+router.get('/:id/command-buttons/runs/:runId', requireRootSessionAndProject, (req, res) => {
+  const { runId } = req.params;
+  const sessionId = req.rootSessionId;
   // Check if run is currently running (in memory)
   if (commandRunner.isRunning(runId)) {
@@ -136,8 +145,8 @@ router.get('/:id/command-buttons/runs/:runId', requireSession, (req, res) => {
 });
 // DELETE /api/sessions/:id/command-buttons/runs/:runId - Delete a command run record
-router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+router.delete('/:id/command-buttons/runs/:runId', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const { runId } = req.params;
   const run = commandRuns.getById(runId);
@@ -151,7 +160,7 @@ router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req
   commandRuns.deleteById(runId);
-  const projectId = req.session_.projectId;
+  const projectId = req.rootSession_.projectId;
   // Broadcast deletion to session and project subscribers
   broadcastToSession(sessionId, WS_MESSAGE_TYPES.COMMAND_RUN_DELETED, {
@@ -170,18 +179,21 @@ router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req
 });
 // DELETE /api/sessions/:id/command-buttons/:buttonId/runs/all - Delete all runs for a button in a session
-router.delete('/:id/command-buttons/:buttonId/runs/all', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+router.delete('/:id/command-buttons/:buttonId/runs/all', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const { buttonId } = req.params;
   const button = commandButtons.getById(buttonId);
   if (!button) {
     return res.status(404).json({ error: 'Command button not found' });
   }
+  if (button.projectId !== req.rootSession_.projectId) {
+    return res.status(404).json({ error: 'Command button not found' });
+  }
   const { deletedRuns } = commandRuns.deleteByButtonAndSession(buttonId, sessionId);
-  const projectId = req.session_.projectId;
+  const projectId = req.rootSession_.projectId;
   // Broadcast individual COMMAND_RUN_DELETED events for each deleted run
   for (const run of deletedRuns) {
@@ -202,12 +214,18 @@ router.delete('/:id/command-buttons/:buttonId/runs/all', requireSessionAndProjec
 });
 // POST /api/sessions/:id/command-buttons/runs/:runId/kill - Kill running command
-router.post('/:id/command-buttons/runs/:runId/kill', requireSession, (req, res) => {
-  const sessionId = req.params.id;
+router.post('/:id/command-buttons/runs/:runId/kill', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const runId = req.params.runId;
   console.log(`[KILL] Kill request for runId: ${runId}, sessionId: ${sessionId}`);
+  const activeRuns = commandRunner.getRunsBySession(sessionId);
+  const activeRun = activeRuns.find((run) => run.runId === runId);
+  if (!activeRun) {
+    return res.status(404).json({ error: 'Run not found or already completed' });
+  }
   const killed = commandRunner.kill(runId);
   console.log(`[KILL] Kill result: ${killed} for runId: ${runId}`);
   if (!killed) {

package/packages/server/src/api/sessions-draft.js CHANGED Viewed

@@ -57,6 +57,7 @@ router.post('/:id/start', requireSession, async (req, res) => {
     const updatedSession = await startDraft(req.session_, {
       prompt: req.body.prompt,
       model: req.body.model,
+      providerId: req.body.providerId,
     });
     res.json({ success: true, session: updatedSession });

package/packages/server/src/api/sessions-lifecycle.js CHANGED Viewed

@@ -6,19 +6,19 @@ import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
 import * as gitService from '../services/gitService.js';
 import * as summaryService from '../services/summaryService.js';
 import { executeHookAsync } from '../services/hookService.js';
-import { requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
+import { requireRootSessionAndProject, requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
 import { duplicateSession } from '../services/sessionDuplicator.js';
 import { configureSchedule, ScheduleError } from '../services/scheduleService.js';
 const router = Router();
-// GET /api/sessions/:id/summary - Get session summary
-router.get('/:id/summary', requireSession, async (req, res) => {
+// GET /api/sessions/:id/summary - Get workflow summary
+router.get('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   // Check if generateIfMissing query param is set
   const generateIfMissing = req.query.generate === 'true';
   try {
-    const summary = await summaryService.getSummary(req.params.id, generateIfMissing);
+    const summary = await summaryService.getSummary(req.rootSessionId, generateIfMissing);
     if (!summary) {
       return res.status(404).json({ error: 'Summary not found' });
     }
@@ -28,10 +28,10 @@ router.get('/:id/summary', requireSession, async (req, res) => {
   }
 });
-// POST /api/sessions/:id/summary - Generate/regenerate session summary
-router.post('/:id/summary', requireSession, async (req, res) => {
+// POST /api/sessions/:id/summary - Generate/regenerate workflow summary
+router.post('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   try {
-    const summary = await summaryService.regenerateSummary(req.params.id);
+    const summary = await summaryService.regenerateSummary(req.rootSessionId);
     if (!summary) {
       return res.status(500).json({ error: 'Failed to generate summary' });
     }
@@ -41,10 +41,10 @@ router.post('/:id/summary', requireSession, async (req, res) => {
   }
 });
-// PUT /api/sessions/:id/summary - Directly set summary data (for testing/seeding)
-router.put('/:id/summary', requireSession, async (req, res) => {
+// PUT /api/sessions/:id/summary - Directly set workflow summary data (for testing/seeding)
+router.put('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   try {
-    const summary = sessionSummaries.upsert(req.params.id, req.body);
+    const summary = sessionSummaries.upsert(req.rootSessionId, req.body);
     res.json(summary);
   } catch (error) {
     res.status(500).json({ error: error.message });

package/packages/server/src/api/sessions-patch.js CHANGED Viewed

@@ -158,6 +158,10 @@ function buildUpdateData(body) {
     updateData.manuallyNamed = true;
   }
+  if (body.prUrl !== undefined) {
+    updateData.prUrlAutoLinkDisabled = updateData.prUrl === null;
+  }
   return { updateData };
 }