circuschief 0.7.0 → 1.0.0

package/packages/server/src/api/projects-session-helpers.js

@@ -1,9 +1,13 @@
 import { sessions, sessionTemplates, attachments } from '../database.js';
 import * as slashCommandService from '../services/slashCommandService.js';
 import { setupGitForSession } from '../services/gitSessionSetup.js';
+import { resolveProviderMetadataFromModel } from '../services/sessionProvider.js';
 import { executeHookAsync } from '../services/hookService.js';
 import { broadcastToProject } from '../websocket.js';
-import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
+import { WS_MESSAGE_TYPES, DEFAULT_RESCHEDULE_DELAY_MINUTES } from '../../../shared/src/index.js';
+
+const SCHEDULED_AT_FORMAT_MESSAGE = 'scheduledAt must be a valid ISO 8601 date-time string with a timezone, for example "2026-06-12T14:00:00Z".';
+const ISO_8601_DATE_TIME_WITH_TIMEZONE = /^(\d{4})-(\d{2})-(\d{2})T([01]\d|2[0-3]):([0-5]\d):([0-5]\d)(?:\.\d+)?(Z|[+-](?:[01]\d|2[0-3]):[0-5]\d)$/;
 
 /**
  * Generate an initial session name from the prompt
@@ -82,16 +86,59 @@ export function resolveThinkingEnabled(body, projectDefs, systemDefaults) {
   return systemDefaults.thinkingEnabled;
 }
 
+function hasValidDateParts(year, month, day) {
+  const parsed = new Date(Date.UTC(year, month - 1, day));
+  return parsed.getUTCFullYear() === year
+    && parsed.getUTCMonth() === month - 1
+    && parsed.getUTCDate() === day;
+}
+
+/**
+ * Parse scheduledAt from the public API contract.
+ * @param {*} value - Raw scheduledAt value
+ * @returns {{ value: number|undefined, error: string|null }}
+ */
+export function parseScheduledAt(value) {
+  if (value === undefined || value === null || value === '') {
+    return { value: undefined, error: null };
+  }
+
+  if (typeof value !== 'string') {
+    return { value: undefined, error: SCHEDULED_AT_FORMAT_MESSAGE };
+  }
+
+  const match = ISO_8601_DATE_TIME_WITH_TIMEZONE.exec(value);
+  if (!match) {
+    return { value: undefined, error: SCHEDULED_AT_FORMAT_MESSAGE };
+  }
+
+  const year = Number(match[1]);
+  const month = Number(match[2]);
+  const day = Number(match[3]);
+  if (!hasValidDateParts(year, month, day)) {
+    return { value: undefined, error: SCHEDULED_AT_FORMAT_MESSAGE };
+  }
+
+  const timestamp = Date.parse(value);
+  if (!Number.isFinite(timestamp)) {
+    return { value: undefined, error: SCHEDULED_AT_FORMAT_MESSAGE };
+  }
+
+  return { value: timestamp, error: null };
+}
+
 /**
  * Parse scheduling fields from request body.
  * @param {object} body - Request body
  * @returns {object} Scheduling configuration
  */
 export function parseSchedulingConfig(body) {
+  const scheduledAt = parseScheduledAt(body.scheduledAt);
   return {
-    scheduledAt: body.scheduledAt ? parseInt(body.scheduledAt, 10) : undefined,
+    scheduledAt: scheduledAt.value,
+    schedulingError: scheduledAt.error,
     autoRescheduleEnabled: body.autoRescheduleEnabled === true || body.autoRescheduleEnabled === 'true',
-    rescheduleDelayMinutes: body.rescheduleDelayMinutes ? parseInt(body.rescheduleDelayMinutes, 10) : 15,
+    rescheduleDelayMinutes: body.rescheduleDelayMinutes ? parseInt(body.rescheduleDelayMinutes, 10) : DEFAULT_RESCHEDULE_DELAY_MINUTES,
     rescheduleOnTokenLimit: body.rescheduleOnTokenLimit !== false && body.rescheduleOnTokenLimit !== 'false',
     rescheduleOnServiceError: body.rescheduleOnServiceError !== false && body.rescheduleOnServiceError !== 'false',
     maxRescheduleCount: body.maxRescheduleCount ? parseInt(body.maxRescheduleCount, 10) : null,
@@ -146,7 +193,7 @@ export function prepareSessionConfig(body, projectDefs, systemDefaults) {
     providerId: resolveProviderDefault(explicitProviderId, projectProviderId, systemProviderId),
     effortLevel,
     gitBranch: resolveDefault(body.gitBranch, projectDefs?.gitBranch, null),
-    gitMode: resolveDefault(body.gitMode, projectDefs?.gitMode, null),
+    gitMode: resolveDefault(body.gitMode, projectDefs?.gitMode, systemDefaults.gitMode),
     templateId: body.templateId,
     parentSessionId: body.parentSessionId || null,
     files: [],
@@ -260,12 +307,17 @@ async function resolveSessionWorkingDirectory({ session, config, project }) {
     };
   }
 
+  // Normalize 'current' mode to null (no git isolation) for setupGitForSession
+  const normalizedGitMode = (config.gitMode === 'current') ? null : (config.gitMode || null);
+
   const gitSetup = await setupGitForSession({
     projectDir: project.workingDirectory,
-    gitMode: config.gitMode || null,
+    gitMode: normalizedGitMode,
     gitBranch: config.gitBranch || null,
     sessionId: session.id,
     worktreeBasePath: project.worktreePath || null,
+    commitAttributionOverride:
+      resolveProviderMetadataFromModel(config.model)?.commitAttributionOverride ?? null,
   });
   return { workingDirectory: gitSetup.workingDirectory, gitWorktree: gitSetup.gitWorktree };
 }

package/packages/server/src/api/projects-templates.js

@@ -0,0 +1,38 @@
+import { Router } from 'express';
+import { projects, sessionTemplates } from '../database.js';
+import { CreateSessionTemplateRequest } from '../../../shared/src/contracts/templates.js';
+
+const ERR_PROJECT_NOT_FOUND = 'Project not found';
+const router = Router({ mergeParams: true });
+
+// GET - List available templates for project (project + global)
+router.get('/', (req, res) => {
+  const project = projects.getById(req.params.id);
+  if (!project) {
+    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
+  }
+
+  const available = sessionTemplates.getAvailableForProject(req.params.id);
+  res.json(available);
+});
+
+// POST - Create project template
+router.post('/', (req, res) => {
+  const project = projects.getById(req.params.id);
+  if (!project) {
+    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
+  }
+
+  const result = CreateSessionTemplateRequest.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({ error: result.error.issues[0].message });
+  }
+
+  const template = sessionTemplates.create({
+    projectId: req.params.id,
+    ...result.data,
+  });
+  res.status(201).json(template);
+});
+
+export default router;

package/packages/server/src/api/projects.js

@@ -1,26 +1,18 @@
 import { Router } from 'express';
-import { projects, sessions, sessionTemplates, projectDefaults, commandRuns } from '../database.js';
+import { projects, sessions, commandRuns } from '../database.js';
 import { commandRunner } from '../services/commandRunner.js';
-import { CreateProjectRequest, UpdateProjectRequest, ProjectSessionDefaultsRequest } from '../../../shared/src/contracts/projects.js';
-import { ProjectDefaultsRepository } from '../db/ProjectDefaultsRepository.js';
-import { CreateSessionTemplateRequest } from '../../../shared/src/contracts/templates.js';
-import { broadcastToProject } from '../websocket.js';
+import { CreateProjectRequest, UpdateProjectRequest } from '../../../shared/src/contracts/projects.js';
 import projectCommandButtonsRouter from './projects-commandButtons.js';
-import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
+import projectSessionDefaultsRouter from './projects-session-defaults.js';
+import projectTemplatesRouter from './projects-templates.js';
 import { handleUploadError, uploadMiddleware } from '../middleware/upload.js';
-import {
-  generateInitialName,
-  prepareSessionConfig,
-  applyTemplateOverrides,
-  resolveNextTemplateId,
-  determineInitialStatus,
-  buildSchedulingUpdate,
-  setupAndStartSession,
-} from './projects-session-helpers.js';
-import { validateGitSettings, buildRunsBySession } from './projects-helpers.js';
+import { determineInitialStatus } from './projects-session-helpers.js';
+import { buildRunsBySession } from './projects-helpers.js';
 import { resolveAgentTypeFromModel } from '../services/sessionProvider.js';
 import { access, constants } from 'fs/promises';
 import { dirname, isAbsolute } from 'path';
+import { getRepositoryUrl } from '../services/gitService.js';
+import { validateAndPrepareSessionConfig, createSessionRow, startSessionOrFail } from './projects-session-create.js';
 
 // Error message constants
 const ERR_PROJECT_NOT_FOUND = 'Project not found';
@@ -65,17 +57,31 @@ router.post('/', async (req, res) => {
     return res.status(400).json({ error: result.error.issues[0].message });
   }
 
-  const { name, workingDirectory, systemPrompt, onSessionCreated, onSessionDeleted, worktreePath, kanbanEnabled } = result.data;
+  const { name, workingDirectory, systemPrompt, onSessionCreated, onSessionDeleted, worktreePath, kanbanEnabled, repoUrl } = result.data;
 
   const pathError = await validateWorktreePath(worktreePath);
   if (pathError) {
     return res.status(400).json({ error: pathError });
   }
 
+  // Resolve repoUrl:
+  // - string: use as-is (explicitly provided)
+  // - null: suppress detection (explicitly sent as null)
+  // - undefined: auto-detect from git remote
+  let resolvedRepoUrl = repoUrl;
+  if (resolvedRepoUrl === undefined) {
+    try {
+      resolvedRepoUrl = await getRepositoryUrl(workingDirectory);
+    } catch {
+      resolvedRepoUrl = null;
+    }
+  }
+
   const createOptions = {
     onSessionCreated: onSessionCreated || null,
     onSessionDeleted: onSessionDeleted || null,
     worktreePath: worktreePath || null,
+    repoUrl: resolvedRepoUrl,
   };
   if (kanbanEnabled !== undefined) {
     createOptions.kanbanEnabled = kanbanEnabled;
@@ -198,88 +204,6 @@ router.get('/:id/sessions', (req, res) => {
   }
 });
 
-/**
- * Validate and prepare the session configuration from the request body.
- * Returns { config, nextTemplateId } on success, or { error, status } on failure.
- */
-async function validateAndPrepareSessionConfig(reqBody, reqFiles, projectId, project) {
-  const projectDefs = projectDefaults.getByProjectId(projectId);
-  const systemDefaults = ProjectDefaultsRepository.getSystemDefaults();
-  const config = prepareSessionConfig(reqBody, projectDefs, systemDefaults);
-  config.files = reqFiles || [];
-
-  if (!config.prompt) {
-    return { error: 'Prompt is required', status: 400 };
-  }
-
-  // Apply template overrides and resolve nextTemplateId
-  applyTemplateOverrides(config);
-  const { nextTemplateId, error: nextTemplateError } = resolveNextTemplateId(reqBody, config.nextTemplateId || null);
-  if (nextTemplateError) {
-    return { error: nextTemplateError, status: 400 };
-  }
-  config.nextTemplateId = nextTemplateId;
-
-  // Validate git settings for git repos
-  const { config: updatedConfig, error: gitError } = await validateGitSettings(config, project);
-  if (gitError) {
-    return { error: gitError, status: 400 };
-  }
-  Object.assign(config, updatedConfig);
-
-  return { config, nextTemplateId };
-}
-
-/**
- * Create the session row and apply any post-create updates.
- * Returns the created session (already persisted in DB).
- */
-function createSessionRow(projectId, config, nextTemplateId, initialStatus) {
-  const sessionName = config.name || generateInitialName(config.prompt);
-  const session = sessions.create(projectId, sessionName, config.prompt, {
-    mode: config.mode,
-    thinkingEnabled: config.thinkingEnabled,
-    gitBranch: config.gitBranch,
-    parentSessionId: config.parentSessionId,
-    status: initialStatus,
-    model: config.model,
-    providerId: config.providerId,
-    effortLevel: config.effortLevel,
-    agentType: config.agentType,
-  });
-
-  const postCreateUpdate = {
-    ...(nextTemplateId ? { nextTemplateId } : {}),
-    ...buildSchedulingUpdate(config, initialStatus),
-  };
-  if (Object.keys(postCreateUpdate).length > 0) {
-    sessions.update(session.id, postCreateUpdate);
-  }
-  return session;
-}
-
-/**
- * Run setupAndStartSession and translate any failure into an error response,
- * marking the session as errored and broadcasting the update.
- */
-async function startSessionOrFail(req, res, { session, config, project }) {
-  try {
-    const { updatedSession } = await setupAndStartSession({
-      session, config, project, projectId: req.params.id, files: config.files,
-    });
-    return res.status(201).json(updatedSession);
-  } catch (error) {
-    console.error('Git setup error:', error);
-    const updatedSession = sessions.update(session.id, { status: 'error', error: error.message });
-    broadcastToProject(req.params.id, WS_MESSAGE_TYPES.SESSION_UPDATED, {
-      projectId: req.params.id,
-      sessionId: session.id,
-      session: updatedSession,
-    });
-    return res.status(500).json({ error: `Git setup failed: ${error.message}` });
-  }
-}
-
 // POST /api/projects/:id/sessions - Create session
 // Supports both JSON and multipart/form-data (for file attachments)
 router.post('/:id/sessions', uploadMiddleware('files', 10), handleUploadError, async (req, res) => {
@@ -325,79 +249,13 @@ router.post('/:id/sessions', uploadMiddleware('files', 10), handleUploadError, a
   }
 });
 
-// GET /api/projects/:id/templates - List available templates for project (project + global)
-router.get('/:id/templates', (req, res) => {
-  const project = projects.getById(req.params.id);
-  if (!project) {
-    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
-  }
-
-  const available = sessionTemplates.getAvailableForProject(req.params.id);
-  res.json(available);
-});
-
-// POST /api/projects/:id/templates - Create project template
-router.post('/:id/templates', (req, res) => {
-  const project = projects.getById(req.params.id);
-  if (!project) {
-    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
-  }
-
-  const result = CreateSessionTemplateRequest.safeParse(req.body);
-  if (!result.success) {
-    return res.status(400).json({ error: result.error.issues[0].message });
-  }
-
-  const template = sessionTemplates.create({
-    projectId: req.params.id,
-    ...result.data,
-  });
-  res.status(201).json(template);
-});
+// Template routes are mounted as a sub-router
+router.use('/:id/templates', projectTemplatesRouter);
 
 // Command button routes are mounted as a sub-router
-router.use('/:id/command-buttons', projectCommandButtonsRouter);
+router.use('/:id/circus-commands', projectCommandButtonsRouter);
 
-// GET /api/projects/:id/session-defaults - Get session defaults for project
-router.get('/:id/session-defaults', (req, res) => {
-  const project = projects.getById(req.params.id);
-  if (!project) {
-    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
-  }
-
-  const defaults = projectDefaults.getByProjectId(req.params.id);
-  if (!defaults) {
-    return res.json(null);
-  }
-
-  res.json(defaults);
-});
-
-// POST /api/projects/:id/session-defaults - Update/create session defaults for project
-router.post('/:id/session-defaults', (req, res) => {
-  const project = projects.getById(req.params.id);
-  if (!project) {
-    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
-  }
-
-  const result = ProjectSessionDefaultsRequest.safeParse(req.body);
-  if (!result.success) {
-    return res.status(400).json({ error: result.error.issues[0].message });
-  }
-
-  const updated = projectDefaults.upsert(req.params.id, result.data);
-  res.status(200).json(updated);
-});
-
-// DELETE /api/projects/:id/session-defaults - Reset session defaults for project
-router.delete('/:id/session-defaults', (req, res) => {
-  const project = projects.getById(req.params.id);
-  if (!project) {
-    return res.status(404).json({ error: ERR_PROJECT_NOT_FOUND });
-  }
-
-  projectDefaults.resetToDefaults(req.params.id);
-  res.json({ message: 'Session defaults reset to system defaults' });
-});
+// Session defaults routes are mounted as a sub-router
+router.use('/:id/session-defaults', projectSessionDefaultsRouter);
 
 export default router;

package/packages/server/src/api/providers.js

@@ -1,6 +1,7 @@
 import { Router } from 'express';
 import { modelProviders } from '../database.js';
 import {
+  COMMIT_ATTRIBUTION_VALIDATION_MESSAGE,
   CreateProviderRequest,
   UpdateProviderRequest,
   CreateProviderModelRequest,
@@ -34,6 +35,9 @@ router.get('/', (_req, res) => {
     const sanitized = allProviders.map(redactAuthToken);
     res.json(sanitized);
   } catch (error) {
+    if (error.message === COMMIT_ATTRIBUTION_VALIDATION_MESSAGE) {
+      return res.status(400).json({ error: error.message });
+    }
     res.status(500).json({ error: error.message });
   }
 });
@@ -82,9 +86,15 @@ router.patch('/:id', (req, res) => {
     const updated = modelProviders.update(req.params.id, result.data);
     res.json(redactAuthToken(updated));
   } catch (error) {
-    if (error.message === 'Cannot delete built-in provider') {
+    if (
+      error.message === 'Cannot delete built-in provider' ||
+      error.message.startsWith('Built-in providers can only update')
+    ) {
       return res.status(403).json({ error: error.message });
     }
+    if (error.message === COMMIT_ATTRIBUTION_VALIDATION_MESSAGE) {
+      return res.status(400).json({ error: error.message });
+    }
     res.status(500).json({ error: error.message });
   }
 });

package/packages/server/src/api/sessions-commands.js

@@ -2,10 +2,13 @@ import { Router } from 'express';
 import { commandButtons, commandRuns } from '../database.js';
 import { broadcastToSession, broadcastToProject } from '../websocket.js';
 import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
-import { requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
+import { requireRootSessionAndProject } from '../middleware/sessionLookup.js';
 import { commandRunner } from '../services/commandRunner.js';
 import { databaseManager } from '../db/DatabaseManager.js';
 
+// Error message constants
+const ERR_BUTTON_NOT_FOUND = 'Circus Command not found';
+
 const router = Router();
 
 /**
@@ -46,16 +49,24 @@ function broadcastCommandError(ctx, errorMessage) {
   broadcastToProject(projectId, WS_MESSAGE_TYPES.COMMAND_RUN_ERROR, { projectId, sessionId, runId, buttonId, error: errorMessage });
 }
 
-// POST /api/sessions/:id/command-buttons/:buttonId/run - Execute button command
-router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+// GET /api/sessions/:id/circus-commands - List command buttons for the workflow project
+router.get('/:id/circus-commands', requireRootSessionAndProject, (req, res) => {
+  res.json(commandButtons.getByProjectId(req.rootSession_.projectId));
+});
+
+// POST /api/sessions/:id/circus-commands/:buttonId/run - Execute button command
+router.post('/:id/circus-commands/:buttonId/run', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const buttonId = req.params.buttonId;
 
   console.log(`[RUN] Starting command for buttonId: ${buttonId}, sessionId: ${sessionId}`);
 
   const button = commandButtons.getById(buttonId);
   if (!button) {
-    return res.status(404).json({ error: 'Command button not found' });
+    return res.status(404).json({ error: ERR_BUTTON_NOT_FOUND });
+  }
+  if (button.projectId !== req.rootSession_.projectId) {
+    return res.status(404).json({ error: ERR_BUTTON_NOT_FOUND });
   }
 
   // Generate run ID
@@ -67,8 +78,8 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
   res.json({ runId, buttonId, status: 'running', output: '' });
 
   // Capture middleware values for use in async callbacks
-  const projectId = req.session_.projectId;
-  const workingDirectory = req.workingDirectory;
+  const projectId = req.rootSession_.projectId;
+  const workingDirectory = req.rootWorkingDirectory;
   const ctx = { sessionId, projectId, runId, buttonId };
 
   // Broadcast initial "running" status immediately so session list can show the running indicator
@@ -97,17 +108,18 @@ router.post('/:id/command-buttons/:buttonId/run', requireSessionAndProject, (req
   })();
 });
 
-// GET /api/sessions/:id/command-buttons/runs - Get active runs for session
-router.get('/:id/command-buttons/runs', requireSession, (req, res) => {
-  const sessionId = req.params.id;
+// GET /api/sessions/:id/circus-commands/runs - Get active runs for session
+router.get('/:id/circus-commands/runs', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
 
   const activeRuns = commandRunner.getRunsBySession(sessionId);
   res.json(activeRuns);
 });
 
-// GET /api/sessions/:id/command-buttons/runs/:runId - Get single run by ID
-router.get('/:id/command-buttons/runs/:runId', requireSession, (req, res) => {
-  const { id: sessionId, runId } = req.params;
+// GET /api/sessions/:id/circus-commands/runs/:runId - Get single run by ID
+router.get('/:id/circus-commands/runs/:runId', requireRootSessionAndProject, (req, res) => {
+  const { runId } = req.params;
+  const sessionId = req.rootSessionId;
 
   // Check if run is currently running (in memory)
   if (commandRunner.isRunning(runId)) {
@@ -135,9 +147,9 @@ router.get('/:id/command-buttons/runs/:runId', requireSession, (req, res) => {
   });
 });
 
-// DELETE /api/sessions/:id/command-buttons/runs/:runId - Delete a command run record
-router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+// DELETE /api/sessions/:id/circus-commands/runs/:runId - Delete a command run record
+router.delete('/:id/circus-commands/runs/:runId', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const { runId } = req.params;
 
   const run = commandRuns.getById(runId);
@@ -151,7 +163,7 @@ router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req
 
   commandRuns.deleteById(runId);
 
-  const projectId = req.session_.projectId;
+  const projectId = req.rootSession_.projectId;
 
   // Broadcast deletion to session and project subscribers
   broadcastToSession(sessionId, WS_MESSAGE_TYPES.COMMAND_RUN_DELETED, {
@@ -169,19 +181,22 @@ router.delete('/:id/command-buttons/runs/:runId', requireSessionAndProject, (req
   res.status(204).send();
 });
 
-// DELETE /api/sessions/:id/command-buttons/:buttonId/runs/all - Delete all runs for a button in a session
-router.delete('/:id/command-buttons/:buttonId/runs/all', requireSessionAndProject, (req, res) => {
-  const sessionId = req.params.id;
+// DELETE /api/sessions/:id/circus-commands/:buttonId/runs/all - Delete all runs for a button in a session
+router.delete('/:id/circus-commands/:buttonId/runs/all', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const { buttonId } = req.params;
 
   const button = commandButtons.getById(buttonId);
   if (!button) {
-    return res.status(404).json({ error: 'Command button not found' });
+    return res.status(404).json({ error: ERR_BUTTON_NOT_FOUND });
+  }
+  if (button.projectId !== req.rootSession_.projectId) {
+    return res.status(404).json({ error: ERR_BUTTON_NOT_FOUND });
   }
 
   const { deletedRuns } = commandRuns.deleteByButtonAndSession(buttonId, sessionId);
 
-  const projectId = req.session_.projectId;
+  const projectId = req.rootSession_.projectId;
 
   // Broadcast individual COMMAND_RUN_DELETED events for each deleted run
   for (const run of deletedRuns) {
@@ -201,13 +216,19 @@ router.delete('/:id/command-buttons/:buttonId/runs/all', requireSessionAndProjec
   res.status(204).send();
 });
 
-// POST /api/sessions/:id/command-buttons/runs/:runId/kill - Kill running command
-router.post('/:id/command-buttons/runs/:runId/kill', requireSession, (req, res) => {
-  const sessionId = req.params.id;
+// POST /api/sessions/:id/circus-commands/runs/:runId/kill - Kill running command
+router.post('/:id/circus-commands/runs/:runId/kill', requireRootSessionAndProject, (req, res) => {
+  const sessionId = req.rootSessionId;
   const runId = req.params.runId;
 
   console.log(`[KILL] Kill request for runId: ${runId}, sessionId: ${sessionId}`);
 
+  const activeRuns = commandRunner.getRunsBySession(sessionId);
+  const activeRun = activeRuns.find((run) => run.runId === runId);
+  if (!activeRun) {
+    return res.status(404).json({ error: 'Run not found or already completed' });
+  }
+
   const killed = commandRunner.kill(runId);
   console.log(`[KILL] Kill result: ${killed} for runId: ${runId}`);
   if (!killed) {

package/packages/server/src/api/sessions-lifecycle.js

@@ -6,19 +6,19 @@ import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
 import * as gitService from '../services/gitService.js';
 import * as summaryService from '../services/summaryService.js';
 import { executeHookAsync } from '../services/hookService.js';
-import { requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
+import { requireRootSessionAndProject, requireSession, requireSessionAndProject } from '../middleware/sessionLookup.js';
 import { duplicateSession } from '../services/sessionDuplicator.js';
 import { configureSchedule, ScheduleError } from '../services/scheduleService.js';
 
 const router = Router();
 
-// GET /api/sessions/:id/summary - Get session summary
-router.get('/:id/summary', requireSession, async (req, res) => {
+// GET /api/sessions/:id/summary - Get workflow summary
+router.get('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   // Check if generateIfMissing query param is set
   const generateIfMissing = req.query.generate === 'true';
 
   try {
-    const summary = await summaryService.getSummary(req.params.id, generateIfMissing);
+    const summary = await summaryService.getSummary(req.rootSessionId, generateIfMissing);
     if (!summary) {
       return res.status(404).json({ error: 'Summary not found' });
     }
@@ -28,10 +28,10 @@ router.get('/:id/summary', requireSession, async (req, res) => {
   }
 });
 
-// POST /api/sessions/:id/summary - Generate/regenerate session summary
-router.post('/:id/summary', requireSession, async (req, res) => {
+// POST /api/sessions/:id/summary - Generate/regenerate workflow summary
+router.post('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   try {
-    const summary = await summaryService.regenerateSummary(req.params.id);
+    const summary = await summaryService.regenerateSummary(req.rootSessionId);
     if (!summary) {
       return res.status(500).json({ error: 'Failed to generate summary' });
     }
@@ -41,10 +41,10 @@ router.post('/:id/summary', requireSession, async (req, res) => {
   }
 });
 
-// PUT /api/sessions/:id/summary - Directly set summary data (for testing/seeding)
-router.put('/:id/summary', requireSession, async (req, res) => {
+// PUT /api/sessions/:id/summary - Directly set workflow summary data (for testing/seeding)
+router.put('/:id/summary', requireRootSessionAndProject, async (req, res) => {
   try {
-    const summary = sessionSummaries.upsert(req.params.id, req.body);
+    const summary = sessionSummaries.upsert(req.rootSessionId, req.body);
     res.json(summary);
   } catch (error) {
     res.status(500).json({ error: error.message });