circuschief 0.7.0 → 0.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circuschief",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "Local-first web UI for managing Claude Code sessions",
   "type": "module",
   "bin": {

package/packages/server/src/agents/adapters/CodexAdapter.js

@@ -14,16 +14,17 @@ let codexCliUnavailable = false;
  *
  * Two execution paths:
  *
- *   1. CLI path (default) — spawns the `codex --json ...` CLI and parses its
+ *   1. CLI path (default) — spawns `codex exec --json ...` and parses its
  *      line-delimited JSON stdout. Uses {@link createCodexEventMapper} to
  *      normalize events into the SDK-shaped envelope the rest of the app
  *      already understands.
  *
  *   2. Direct-API path — activated by {@code USE_CODEX_DIRECT_API=1}. Uses
  *      the official {@code openai} SDK with Chat Completions streaming
- *      against the provider's configured baseURL/apiKey. Intended for
- *      environments where the Codex CLI isn't installable and for the
- *      Step-0 contingency path in the implementation plan.
+ *      against the provider's configured baseURL/apiKey. It bypasses
+ *      CLI-specific behavior such as sandbox enforcement and Codex
+ *      commit-attribution config. Intended for
+ *      environments where the Codex CLI isn't installable.
  *
  * Capabilities in v1:
  *   - streaming:   true

package/packages/server/src/api/canvas.js

@@ -2,10 +2,11 @@ import { Router } from 'express';
 import { readFileSync, existsSync, statSync } from 'fs';
 import { mkdir } from 'fs/promises';
 import { extname, join, basename } from 'path';
-import { sessions, canvasItems } from '../database.js';
+import { canvasItems } from '../database.js';
 import { broadcastToSession } from '../websocket.js';
 import { WS_MESSAGE_TYPES, UpdateCanvasItemRequest } from '../../../shared/src/index.js';
 import { upload, handleUploadError } from '../middleware/upload.js';
+import { requireRootSessionAndProject } from '../middleware/sessionLookup.js';
 import {
   isBinaryContent,
   getTypeFromExtension,
@@ -19,8 +20,6 @@ import {
 import trashRoutes from './canvas-trash-routes.js';
 
 // Error message constants
-const ERR_SESSION_NOT_FOUND = 'Session not found';
-
 /**
  * Process multipart file upload (Mode 1)
  * @param {Express.Multer.File} file - The uploaded file from multer
@@ -84,12 +83,7 @@ router.use('/', trashRoutes);
 // 1. Multipart mode: FormData with 'file' field - from browser file uploads
 // 2. File mode: { filePath } - reads file from disk
 // 3. Inline mode: { type, content, filename } - uses provided content directly
-router.post('/:id/canvas', upload.single('file'), handleUploadError, (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
-
+router.post('/:id/canvas', requireRootSessionAndProject, upload.single('file'), handleUploadError, (req, res) => {
   const { filePath, type, content, filename } = req.body;
   let result;
 
@@ -110,21 +104,16 @@ router.post('/:id/canvas', upload.single('file'), handleUploadError, (req, res)
     return res.status(400).json({ error: result.error });
   }
 
-  const item = canvasItems.create(req.params.id, result.itemData);
+  const item = canvasItems.create(req.rootSessionId, result.itemData);
 
   // Broadcast to session subscribers
-  broadcastCanvasUpdate(req.params.id, item);
+  broadcastCanvasUpdate(req.rootSessionId, item);
 
   res.status(201).json(item);
 });
 
 // PUT /api/sessions/:id/canvas/:itemId - Update canvas item content in-place
-router.put('/:id/canvas/:itemId', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
-
+router.put('/:id/canvas/:itemId', requireRootSessionAndProject, (req, res) => {
   const parsed = UpdateCanvasItemRequest.safeParse(req.body);
   if (!parsed.success) {
     return res.status(400).json({ error: 'Invalid request body', details: parsed.error.issues });
@@ -135,7 +124,7 @@ router.put('/:id/canvas/:itemId', (req, res) => {
     return res.status(404).json({ error: 'Canvas item not found' });
   }
 
-  if (item.sessionId !== req.params.id) {
+  if (item.sessionId !== req.rootSessionId) {
     return res.status(400).json({ error: 'Canvas item does not belong to this session' });
   }
 
@@ -144,20 +133,15 @@ router.put('/:id/canvas/:itemId', (req, res) => {
   }
 
   const updatedItem = canvasItems.updateContent(req.params.itemId, parsed.data.content);
-  broadcastToSession(req.params.id, WS_MESSAGE_TYPES.CANVAS_UPDATE, { item: updatedItem });
+  broadcastToSession(req.rootSessionId, WS_MESSAGE_TYPES.CANVAS_UPDATE, { item: updatedItem });
   res.json(updatedItem);
 });
 
 // GET /api/sessions/:id/canvas - List canvas items
 // Returns only latest version of each file (no version metadata exposed)
-router.get('/:id/canvas', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
-
+router.get('/:id/canvas', requireRootSessionAndProject, (req, res) => {
   // Get only latest versions (one per filename)
-  const items = canvasItems.getLatestVersionsBySessionId(req.params.id);
+  const items = canvasItems.getLatestVersionsBySessionId(req.rootSessionId);
 
   // Strip content/data from list responses to reduce payload size.
   // Clients should use GET /canvas/file/:filename/content for inline content.
@@ -166,14 +150,9 @@ router.get('/:id/canvas', (req, res) => {
 
 // GET /api/sessions/:id/canvas/all - List ALL canvas items (including all versions)
 // Returns all versions of each file for the frontend UI
-router.get('/:id/canvas/all', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
-
+router.get('/:id/canvas/all', requireRootSessionAndProject, (req, res) => {
   // Get ALL versions (not just latest)
-  const items = canvasItems.getBySessionId(req.params.id);
+  const items = canvasItems.getBySessionId(req.rootSessionId);
 
   // Strip content/data from list responses to reduce payload size.
   res.json(items.map(({ content: _content, data: _data, ...meta }) => meta));
@@ -182,15 +161,11 @@ router.get('/:id/canvas/all', (req, res) => {
 // GET /api/sessions/:id/canvas/file/:filename/history/:version - Get historical version of canvas file
 // Uses standard versioning: version 1 = oldest, version N = latest (where N = totalVersions)
 // NOTE: This route must be defined BEFORE the main file route to match correctly
-router.get('/:id/canvas/file/:filename/history/:version', async (req, res) => {
-  const { id: sessionId, filename, version } = req.params;
+router.get('/:id/canvas/file/:filename/history/:version', requireRootSessionAndProject, async (req, res) => {
+  const { filename, version } = req.params;
+  const sessionId = req.rootSessionId;
   const versionNum = parseInt(version, 10);
 
-  const session = sessions.getById(sessionId);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
-
   // Get all versions of this file (newest first)
   const allVersions = canvasItems.getAllVersionsByFilename(sessionId, filename);
   if (allVersions.length === 0) {
@@ -247,11 +222,8 @@ router.get('/:id/canvas/file/:filename/history/:version', async (req, res) => {
 // GET /api/sessions/:id/canvas/file/:filename/content - Get canvas file content inline
 // Returns content/data inline in JSON for browser consumption (unlike the temp-file endpoint below)
 // Supports ?version=N query param (1-based, 1 = oldest)
-router.get('/:id/canvas/file/:filename/content', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-
-  const allVersions = canvasItems.getAllVersionsByFilename(req.params.id, req.params.filename);
+router.get('/:id/canvas/file/:filename/content', requireRootSessionAndProject, (req, res) => {
+  const allVersions = canvasItems.getAllVersionsByFilename(req.rootSessionId, req.params.filename);
   if (allVersions.length === 0) return res.status(404).json({ error: 'File not found' });
 
   // Support ?version=N (1-based, 1 = oldest)
@@ -280,13 +252,10 @@ router.get('/:id/canvas/file/:filename/content', (req, res) => {
 });
 
 // GET /api/sessions/:id/canvas/:itemId/content - Get one canvas item content inline
-router.get('/:id/canvas/:itemId/content', (req, res) => {
-  const session = sessions.getById(req.params.id);
-  if (!session) return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-
+router.get('/:id/canvas/:itemId/content', requireRootSessionAndProject, (req, res) => {
   const item = canvasItems.getById(req.params.itemId);
   if (!item) return res.status(404).json({ error: 'Canvas item not found' });
-  if (item.sessionId !== req.params.id) {
+  if (item.sessionId !== req.rootSessionId) {
     return res.status(400).json({ error: 'Canvas item does not belong to this session' });
   }
 
@@ -302,13 +271,9 @@ router.get('/:id/canvas/:itemId/content', (req, res) => {
 // GET /api/sessions/:id/canvas/file/:filename - Get canvas file by filename
 // Writes the file to /tmp and returns the file path for Claude's Read tool
 // Always returns the latest version
-router.get('/:id/canvas/file/:filename', async (req, res) => {
-  const { id: sessionId, filename } = req.params;
-
-  const session = sessions.getById(sessionId);
-  if (!session) {
-    return res.status(404).json({ error: ERR_SESSION_NOT_FOUND });
-  }
+router.get('/:id/canvas/file/:filename', requireRootSessionAndProject, async (req, res) => {
+  const { filename } = req.params;
+  const sessionId = req.rootSessionId;
 
   // Get all versions of this file (newest first)
   const allVersions = canvasItems.getAllVersionsByFilename(sessionId, filename);

package/packages/server/src/api/index.js

@@ -14,6 +14,7 @@ import kanbanRouter from './kanban.js';
 import agentsRouter from './agents.js';
 import { getDbPath } from '../database.js';
 import { schedulerService } from '../services/schedulerService.js';
+import { isE2ESpawnCaptureEnabled } from '../services/e2eSpawnCapture.js';
 
 const router = Router();
 
@@ -29,6 +30,7 @@ router.get('/server-info', (_req, res) => {
     dbPath: getDbPath(),
     vcrMode: vcr && vcr.length > 0 ? vcr : null,
     schedulerRunning: schedulerService.isRunning(),
+    e2eSpawnCaptureEnabled: isE2ESpawnCaptureEnabled(),
   });
 });
 

package/packages/server/src/api/kanban.js

@@ -11,6 +11,7 @@ import {
   ReorderKanbanCardsRequest,
 } from '../../../shared/src/contracts/kanban.js';
 import { moveCard as moveCardService } from '../services/kanbanService.js';
+import { resolveBodyRootSessionForProject } from '../middleware/sessionLookup.js';
 
 const router = Router({ mergeParams: true });
 
@@ -215,7 +216,7 @@ router.put('/lanes/reorder', (req, res) => {
  * POST /api/projects/:projectId/kanban/cards
  * Add a session to the board (create card in a lane)
  */
-router.post('/cards', (req, res) => {
+router.post('/cards', resolveBodyRootSessionForProject('projectId'), (req, res) => {
   const { projectId } = req.params;
 
   const result = CreateKanbanCardRequest.safeParse(req.body);
@@ -223,7 +224,8 @@ router.post('/cards', (req, res) => {
     return res.status(400).json({ error: result.error.issues[0].message });
   }
 
-  const { sessionId, laneId } = result.data;
+  const { laneId } = result.data;
+  const sessionId = req.bodyRootSessionId;
 
   // Check if session already has a card
   const existingCard = kanbanCards.getBySessionId(sessionId);

package/packages/server/src/api/projects-helpers.js

@@ -1,22 +1,39 @@
+import { generateWorktreeBranch } from '../../../shared/src/index.js';
 import { isGitRepo } from '../services/gitService.js';
 
 /**
  * Validate and default git settings for git-backed projects.
  * If gitMode or gitBranch are missing for a git project, defaults are applied
- * (gitMode: 'none', gitBranch: 'main') instead of rejecting the request.
+ * instead of rejecting the request. Worktree sessions receive a generated branch
+ * so they never try to check out an already-active branch such as main.
+ * Current-mode sessions skip branch generation entirely.
  * @param {Object} config - The session configuration
  * @param {Object} project - The project object
  * @returns {Promise<{config: Object, error: string|null}>} Updated config and error message if validation fails.
  */
 export async function validateGitSettings(config, project) {
+  // Current mode: no branch needed, pass through as-is
+  if (config.gitMode === 'current') {
+    return {
+      config: {
+        ...config,
+        gitBranch: null,
+      },
+      error: null,
+    };
+  }
+
   if (!config.gitMode || !config.gitBranch) {
     const isGit = await isGitRepo(project.workingDirectory);
     if (isGit) {
+      const gitMode = config.gitMode || 'none';
       return {
         config: {
           ...config,
-          gitMode: config.gitMode || 'none',
-          gitBranch: config.gitBranch || 'main',
+          gitMode,
+          gitBranch: config.gitBranch || (gitMode === 'worktree'
+            ? generateWorktreeBranch(config.name, config.prompt)
+            : 'main'),
         },
         error: null,
       };

package/packages/server/src/api/projects-session-helpers.js

@@ -1,9 +1,10 @@
 import { sessions, sessionTemplates, attachments } from '../database.js';
 import * as slashCommandService from '../services/slashCommandService.js';
 import { setupGitForSession } from '../services/gitSessionSetup.js';
+import { resolveProviderMetadataFromModel } from '../services/sessionProvider.js';
 import { executeHookAsync } from '../services/hookService.js';
 import { broadcastToProject } from '../websocket.js';
-import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
+import { WS_MESSAGE_TYPES, DEFAULT_RESCHEDULE_DELAY_MINUTES } from '../../../shared/src/index.js';
 
 /**
  * Generate an initial session name from the prompt
@@ -91,7 +92,7 @@ export function parseSchedulingConfig(body) {
   return {
     scheduledAt: body.scheduledAt ? parseInt(body.scheduledAt, 10) : undefined,
     autoRescheduleEnabled: body.autoRescheduleEnabled === true || body.autoRescheduleEnabled === 'true',
-    rescheduleDelayMinutes: body.rescheduleDelayMinutes ? parseInt(body.rescheduleDelayMinutes, 10) : 15,
+    rescheduleDelayMinutes: body.rescheduleDelayMinutes ? parseInt(body.rescheduleDelayMinutes, 10) : DEFAULT_RESCHEDULE_DELAY_MINUTES,
     rescheduleOnTokenLimit: body.rescheduleOnTokenLimit !== false && body.rescheduleOnTokenLimit !== 'false',
     rescheduleOnServiceError: body.rescheduleOnServiceError !== false && body.rescheduleOnServiceError !== 'false',
     maxRescheduleCount: body.maxRescheduleCount ? parseInt(body.maxRescheduleCount, 10) : null,
@@ -146,7 +147,7 @@ export function prepareSessionConfig(body, projectDefs, systemDefaults) {
     providerId: resolveProviderDefault(explicitProviderId, projectProviderId, systemProviderId),
     effortLevel,
     gitBranch: resolveDefault(body.gitBranch, projectDefs?.gitBranch, null),
-    gitMode: resolveDefault(body.gitMode, projectDefs?.gitMode, null),
+    gitMode: resolveDefault(body.gitMode, projectDefs?.gitMode, systemDefaults.gitMode),
     templateId: body.templateId,
     parentSessionId: body.parentSessionId || null,
     files: [],
@@ -260,12 +261,17 @@ async function resolveSessionWorkingDirectory({ session, config, project }) {
     };
   }
 
+  // Normalize 'current' mode to null (no git isolation) for setupGitForSession
+  const normalizedGitMode = (config.gitMode === 'current') ? null : (config.gitMode || null);
+
   const gitSetup = await setupGitForSession({
     projectDir: project.workingDirectory,
-    gitMode: config.gitMode || null,
+    gitMode: normalizedGitMode,
     gitBranch: config.gitBranch || null,
     sessionId: session.id,
     worktreeBasePath: project.worktreePath || null,
+    commitAttributionOverride:
+      resolveProviderMetadataFromModel(config.model)?.commitAttributionOverride ?? null,
   });
   return { workingDirectory: gitSetup.workingDirectory, gitWorktree: gitSetup.gitWorktree };
 }

package/packages/server/src/api/projects.js

@@ -212,6 +212,16 @@ async function validateAndPrepareSessionConfig(reqBody, reqFiles, projectId, pro
     return { error: 'Prompt is required', status: 400 };
   }
 
+  if (config.parentSessionId) {
+    const parentSession = sessions.getById(config.parentSessionId);
+    if (!parentSession) {
+      return { error: 'Parent session not found', status: 404 };
+    }
+    if (parentSession.projectId !== projectId) {
+      return { error: 'Parent session does not belong to this project', status: 400 };
+    }
+  }
+
   // Apply template overrides and resolve nextTemplateId
   applyTemplateOverrides(config);
   const { nextTemplateId, error: nextTemplateError } = resolveNextTemplateId(reqBody, config.nextTemplateId || null);

package/packages/server/src/api/providers.js

@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { modelProviders } from '../database.js';
 import {
+  COMMIT_ATTRIBUTION_VALIDATION_MESSAGE,
   CreateProviderRequest,
   UpdateProviderRequest,
   CreateProviderModelRequest,
@@ -34,6 +35,9 @@ router.get('/', (_req, res) => {
     const sanitized = allProviders.map(redactAuthToken);
     res.json(sanitized);
   } catch (error) {
+    if (error.message === COMMIT_ATTRIBUTION_VALIDATION_MESSAGE) {
+      return res.status(400).json({ error: error.message });
+    }
     res.status(500).json({ error: error.message });
   }
 });
@@ -82,9 +86,15 @@ router.patch('/:id', (req, res) => {
     const updated = modelProviders.update(req.params.id, result.data);
     res.json(redactAuthToken(updated));
   } catch (error) {
-    if (error.message === 'Cannot delete built-in provider') {
+    if (
+      error.message === 'Cannot delete built-in provider' ||
+      error.message.startsWith('Built-in providers can only update')
+    ) {
       return res.status(403).json({ error: error.message });
     }
+    if (error.message === COMMIT_ATTRIBUTION_VALIDATION_MESSAGE) {
+      return res.status(400).json({ error: error.message });
+    }
     res.status(500).json({ error: error.message });
   }
 });

package/packages/server/src/api/sessions-commands.js

@@ -2,7 +2,7 @@ import { Router } from 'express';
 import { commandButtons, commandRuns } from '../database.js';
 import { broadcastToSession, broadcastToProject } from '../websocket.js';
 import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
-import { requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
+import { requireRootSessionAndProject } from '../middleware/sessionLookup.js';
 import { commandRunner } from '../services/commandRunner.js';
 import { databaseManager } from '../db/DatabaseManager.js';
 
@@ -46,9 +46,14 @@ function broadcastCommandError(ctx, errorMessage) {
   broadcastToProject(projectId, WS_MESSAGE_TYPES.COMMAND_RUN_ERROR, { projectId, sessionId, runId, buttonId, error: errorMessage });
 }
 
+// GET /api/sessions/:id/command-buttons - List command buttons for the workflow project
+router.get('/:id/command-buttons', requireRootSessionAndProject, (req, res) => {
+  res.json(commandButtons.getByProjectId(req.rootSession_.projectId));
+});
+
 // POST /api/sessions/:id/command-buttons/:buttonId/run - Execute button command
-router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+router.post('/:id/command-buttons/:buttonId/run', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const buttonId = req.params.buttonId;
 
   console.log(`[RUN] Starting command for buttonId: ${buttonId}, sessionId: ${sessionId}`);
@@ -57,6 +62,9 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
   if (!button) {
     return res.status(404).json({ error: 'Command button not found' });
   }
+  if (button.projectId !== req.rootSession_.projectId) {
+    return res.status(404).json({ error: 'Command button not found' });
+  }
 
   // Generate run ID
   const runId = databaseManager.generateId();
@@ -67,8 +75,8 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
   res.json({ runId, buttonId, status: 'running', output: '' });
 
   // Capture middleware values for use in async callbacks
-  const projectId = req.session_.projectId;
-  const workingDirectory = req.workingDirectory;
+  const projectId = req.rootSession_.projectId;
+  const workingDirectory = req.rootWorkingDirectory;
   const ctx = { sessionId, projectId, runId, buttonId };
 
   // Broadcast initial "running" status immediately so session list can show the running indicator
@@ -98,16 +106,17 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
 });
 
 // GET /api/sessions/:id/command-buttons/runs - Get active runs for session
-router.get('/:id/command-buttons/runs', requireSession, (req, res) => {
-  const sessionId = req.params.id;
+router.get('/:id/command-buttons/runs', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
 
   const activeRuns = commandRunner.getRunsBySession(sessionId);
   res.json(activeRuns);
 });
 
 // GET /api/sessions/:id/command-buttons/runs/:runId - Get single run by ID
-router.get('/:id/command-buttons/runs/:runId', requireSession, (req, res) => {
-  const { id: sessionId, runId } = req.params;
+router.get('/:id/command-buttons/runs/:runId', requireRootSessionAndProject, (req, res) => {
+  const { runId } = req.params;
+  const sessionId = req.rootSessionId;
 
   // Check if run is currently running (in memory)
   if (commandRunner.isRunning(runId)) {
@@ -136,8 +145,8 @@ router.get('/:id/command-buttons/runs/:runId', requireSession, (req, res) => {
 });
 
 // DELETE /api/sessions/:id/command-buttons/runs/:runId - Delete a command run record
-router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+router.delete('/:id/command-buttons/runs/:runId', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const { runId } = req.params;
 
   const run = commandRuns.getById(runId);
@@ -151,7 +160,7 @@ router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req
 
   commandRuns.deleteById(runId);
 
-  const projectId = req.session_.projectId;
+  const projectId = req.rootSession_.projectId;
 
   // Broadcast deletion to session and project subscribers
   broadcastToSession(sessionId, WS_MESSAGE_TYPES.COMMAND_RUN_DELETED, {
@@ -170,18 +179,21 @@ router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req
 });
 
 // DELETE /api/sessions/:id/command-buttons/:buttonId/runs/all - Delete all runs for a button in a session
-router.delete('/:id/command-buttons/:buttonId/runs/all', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+router.delete('/:id/command-buttons/:buttonId/runs/all', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const { buttonId } = req.params;
 
   const button = commandButtons.getById(buttonId);
   if (!button) {
     return res.status(404).json({ error: 'Command button not found' });
   }
+  if (button.projectId !== req.rootSession_.projectId) {
+    return res.status(404).json({ error: 'Command button not found' });
+  }
 
   const { deletedRuns } = commandRuns.deleteByButtonAndSession(buttonId, sessionId);
 
-  const projectId = req.session_.projectId;
+  const projectId = req.rootSession_.projectId;
 
   // Broadcast individual COMMAND_RUN_DELETED events for each deleted run
   for (const run of deletedRuns) {
@@ -202,12 +214,18 @@ router.delete('/:id/command-buttons/:buttonId/runs/all', requireSessionAndProjec
 });
 
 // POST /api/sessions/:id/command-buttons/runs/:runId/kill - Kill running command
-router.post('/:id/command-buttons/runs/:runId/kill', requireSession, (req, res) => {
-  const sessionId = req.params.id;
+router.post('/:id/command-buttons/runs/:runId/kill', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const runId = req.params.runId;
 
   console.log(`[KILL] Kill request for runId: ${runId}, sessionId: ${sessionId}`);
 
+  const activeRuns = commandRunner.getRunsBySession(sessionId);
+  const activeRun = activeRuns.find((run) => run.runId === runId);
+  if (!activeRun) {
+    return res.status(404).json({ error: 'Run not found or already completed' });
+  }
+
   const killed = commandRunner.kill(runId);
   console.log(`[KILL] Kill result: ${killed} for runId: ${runId}`);
   if (!killed) {

package/packages/server/src/api/sessions-lifecycle.js

@@ -6,19 +6,19 @@ import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
 import * as gitService from '../services/gitService.js';
 import * as summaryService from '../services/summaryService.js';
 import { executeHookAsync } from '../services/hookService.js';
-import { requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
+import { requireRootSessionAndProject, requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
 import { duplicateSession } from '../services/sessionDuplicator.js';
 import { configureSchedule, ScheduleError } from '../services/scheduleService.js';
 
 const router = Router();
 
-// GET /api/sessions/:id/summary - Get session summary
-router.get('/:id/summary', requireSession, async (req, res) => {
+// GET /api/sessions/:id/summary - Get workflow summary
+router.get('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   // Check if generateIfMissing query param is set
   const generateIfMissing = req.query.generate === 'true';
 
   try {
-    const summary = await summaryService.getSummary(req.params.id, generateIfMissing);
+    const summary = await summaryService.getSummary(req.rootSessionId, generateIfMissing);
     if (!summary) {
       return res.status(404).json({ error: 'Summary not found' });
     }
@@ -28,10 +28,10 @@ router.get('/:id/summary', requireSession, async (req, res) => {
   }
 });
 
-// POST /api/sessions/:id/summary - Generate/regenerate session summary
-router.post('/:id/summary', requireSession, async (req, res) => {
+// POST /api/sessions/:id/summary - Generate/regenerate workflow summary
+router.post('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   try {
-    const summary = await summaryService.regenerateSummary(req.params.id);
+    const summary = await summaryService.regenerateSummary(req.rootSessionId);
     if (!summary) {
       return res.status(500).json({ error: 'Failed to generate summary' });
     }
@@ -41,10 +41,10 @@ router.post('/:id/summary', requireSession, async (req, res) => {
   }
 });
 
-// PUT /api/sessions/:id/summary - Directly set summary data (for testing/seeding)
-router.put('/:id/summary', requireSession, async (req, res) => {
+// PUT /api/sessions/:id/summary - Directly set workflow summary data (for testing/seeding)
+router.put('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   try {
-    const summary = sessionSummaries.upsert(req.params.id, req.body);
+    const summary = sessionSummaries.upsert(req.rootSessionId, req.body);
     res.json(summary);
   } catch (error) {
     res.status(500).json({ error: error.message });

package/packages/server/src/api/sessions-patch.js

@@ -158,6 +158,10 @@ function buildUpdateData(body) {
     updateData.manuallyNamed = true;
   }
 
+  if (body.prUrl !== undefined) {
+    updateData.prUrlAutoLinkDisabled = updateData.prUrl === null;
+  }
+
   return { updateData };
 }
 

package/packages/server/src/api/sessions.js

@@ -8,7 +8,6 @@ import { requireSession, requireSessionAndProject } from '../middleware/sessionL
 import { commandRunner } from '../services/commandRunner.js';
 
 // Import sub-routers
-import notesRouter from './sessions-notes.js';
 import conversationsRouter from './sessions-conversations.js';
 import commandsRouter from './sessions-commands.js';
 import patchRouter from './sessions-patch.js';
@@ -21,7 +20,6 @@ import draftRouter from './sessions-draft.js';
 const router = Router();
 
 // Mount sub-routers
-router.use('/', notesRouter);
 router.use('/', conversationsRouter);
 router.use('/', commandsRouter);
 router.use('/', patchRouter);
@@ -108,11 +106,14 @@ router.get('/:id', requireSession, (req, res) => {
   const allMessages = messages.getBySessionId(req.params.id);
   const hasResponses = allMessages.some(msg => msg.role === 'assistant');
 
-  // Get command run statuses (latest run per button for this session)
+  // Session details are for the requested session; command runs are workflow-root scoped.
+  const commandRunSessionId = sessions.getRootSessionId(req.params.id) || req.params.id;
+
+  // Get command run statuses (latest run per button for this workflow)
   // Completed runs from DB
-  const dbRuns = commandRuns.getLatestRunsForSession(req.params.id);
+  const dbRuns = commandRuns.getLatestRunsForSession(commandRunSessionId);
   // Currently running commands from memory - filter all runs for this session
-  const allRunning = commandRunner.getRunsBySession(req.params.id);
+  const allRunning = commandRunner.getRunsBySession(commandRunSessionId);
   const runningRuns = allRunning.filter(run => run.status === 'running');
 
   // Build map of buttonId -> run data

package/packages/server/src/database.js

@@ -10,7 +10,6 @@ export {
   MessageRepository,
   ConversationRepository,
   CanvasItemRepository,
-  SessionNoteRepository,
   TodoRepository,
   WorkLogRepository,
   SessionSummaryRepository,
@@ -35,7 +34,6 @@ export {
   messages,
   conversations,
   canvasItems,
-  sessionNotes,
   todos,
   workLogs,
   sessionSummaries,