codekin 0.4.1 → 0.5.0

package/server/dist/orchestrator-reports.js

@@ -0,0 +1,124 @@
+/**
+ * Orchestrator report reader — scans .codekin/reports/ across managed repos.
+ *
+ * Discovers audit reports, parses their metadata, and provides them
+ * to the orchestrator session for triage and action.
+ */
+import { existsSync, readdirSync, readFileSync, statSync } from 'fs';
+import { join, basename, resolve } from 'path';
+import { REPOS_ROOT, DATA_DIR } from './config.js';
+// ---------------------------------------------------------------------------
+// Scanner
+// ---------------------------------------------------------------------------
+const REPORTS_DIR = '.codekin/reports';
+/** Known report categories. */
+const REPORT_CATEGORIES = [
+    'code-review',
+    'comments',
+    'complexity',
+    'dependencies',
+    'docs-audit',
+    'repo-health',
+    'security',
+    'test-coverage',
+];
+/**
+ * Scan a single repo for all available reports.
+ * Returns metadata only (no content) for efficiency.
+ */
+export function scanRepoReports(repoPath) {
+    const reportsDir = join(repoPath, REPORTS_DIR);
+    if (!existsSync(reportsDir))
+        return [];
+    const results = [];
+    for (const category of REPORT_CATEGORIES) {
+        const categoryDir = join(reportsDir, category);
+        if (!existsSync(categoryDir))
+            continue;
+        let entries;
+        try {
+            entries = readdirSync(categoryDir);
+        }
+        catch {
+            continue;
+        }
+        for (const file of entries) {
+            if (!file.endsWith('.md'))
+                continue;
+            const filePath = join(categoryDir, file);
+            const stat = statSync(filePath);
+            const dateMatch = basename(file).match(/^(\d{4}-\d{2}-\d{2})/);
+            const date = dateMatch ? dateMatch[1] : 'unknown';
+            results.push({
+                filePath,
+                category,
+                date,
+                repoPath,
+                size: stat.size,
+                mtime: stat.mtime.toISOString(),
+            });
+        }
+    }
+    // Sort by date descending (most recent first)
+    results.sort((a, b) => b.date.localeCompare(a.date));
+    return results;
+}
+/**
+ * Scan multiple repos for reports.
+ */
+export function scanAllReports(repoPaths) {
+    const all = [];
+    for (const repoPath of repoPaths) {
+        all.push(...scanRepoReports(repoPath));
+    }
+    all.sort((a, b) => b.date.localeCompare(a.date));
+    return all;
+}
+/**
+ * Read a report's full content.
+ */
+export function readReport(filePath) {
+    const resolved = resolve(filePath);
+    // Verify the path is within a known reports directory (anchored startsWith, not includes)
+    const isDataReport = resolved.startsWith(DATA_DIR + '/reports/');
+    const isRepoReport = resolved.startsWith(REPOS_ROOT + '/') &&
+        /^[^/]+\/\.codekin\/reports\//.test(resolved.slice(REPOS_ROOT.length + 1));
+    if (!isDataReport && !isRepoReport)
+        return null;
+    if (!existsSync(resolved))
+        return null;
+    const content = readFileSync(resolved, 'utf-8');
+    const stat = statSync(filePath);
+    // Extract metadata from path
+    const parts = filePath.split('/');
+    const reportsIdx = parts.indexOf('reports');
+    const category = reportsIdx >= 0 ? parts[reportsIdx + 1] : 'unknown';
+    // Find repo path (everything before .codekin/reports)
+    const codekinIdx = filePath.indexOf('.codekin/reports');
+    const repoPath = codekinIdx >= 0 ? filePath.substring(0, codekinIdx - 1) : '';
+    const dateMatch = basename(filePath).match(/^(\d{4}-\d{2}-\d{2})/);
+    const date = dateMatch ? dateMatch[1] : 'unknown';
+    return {
+        filePath,
+        category,
+        date,
+        repoPath,
+        size: stat.size,
+        mtime: stat.mtime.toISOString(),
+        content,
+    };
+}
+/**
+ * Get the latest report for a given repo and category.
+ */
+export function getLatestReport(repoPath, category) {
+    const reports = scanRepoReports(repoPath);
+    return reports.find(r => r.category === category) ?? null;
+}
+/**
+ * Get reports that are newer than a given date.
+ */
+export function getReportsSince(repoPaths, sinceDate) {
+    return scanAllReports(repoPaths).filter(r => r.date >= sinceDate);
+}
+//# sourceMappingURL=orchestrator-reports.js.map

package/server/dist/orchestrator-reports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrator-reports.js","sourceRoot":"","sources":["../orchestrator-reports.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAA;AACpE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AA0BlD,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,WAAW,GAAG,kBAAkB,CAAA;AAEtC,+BAA+B;AAC/B,MAAM,iBAAiB,GAAG;IACxB,aAAa;IACb,UAAU;IACV,YAAY;IACZ,cAAc;IACd,YAAY;IACZ,aAAa;IACb,UAAU;IACV,eAAe;CAChB,CAAA;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IAC9C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAA;IAEtC,MAAM,OAAO,GAAiB,EAAE,CAAA;IAEhC,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QAC9C,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAAE,SAAQ;QAEtC,IAAI,OAAiB,CAAA;QACrB,IAAI,CAAC;YACH,OAAO,GAAG,WAAW,CAAC,WAAW,CAAC,CAAA;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,SAAQ;QACV,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAQ;YAEnC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;YACxC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAA;YAC/B,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAA;YAC9D,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;YAEjD,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ;gBACR,QAAQ;gBACR,IAAI;gBACJ,QAAQ;gBACR,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE;aAChC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAA;IACpD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAmB;IAChD,MAAM,GAAG,GAAiB,EAAE,CAAA;IAC5B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,GAAG,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAA;IACxC,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAA;IAChD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClC,0FAA0F;IAC1F,MAAM,YAAY,GAAG,QAAQ,CAAC,UAAU,CAAC,QAAQ,GAAG,WAAW,CAAC,CAAA;IAChE,MAAM,YAAY,GAAG,QAAQ,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC;QACxD,8BAA8B,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAA;IAC5E,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAA;IAC/C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAA;IAEtC,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAC/C,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAE/B,6BAA6B;IAC7B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;IAC3C,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAEpE,sDAAsD;IACtD,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAA;IACvD,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAE7E,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAA;IAClE,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IAEjD,OAAO;QACL,QAAQ;QACR,QAAQ;QACR,IAAI;QACJ,QAAQ;QACR,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE;QAC/B,OAAO;KACR,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,QAAgB;IAChE,MAAM,OAAO,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;IACzC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,IAAI,IAAI,CAAA;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,SAAmB,EAAE,SAAiB;IACpE,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,SAAS,CAAC,CAAA;AACnE,CAAC"}

package/server/dist/orchestrator-routes.d.ts

@@ -0,0 +1,17 @@
+/**
+ * REST routes for the orchestrator session.
+ *
+ * Provides status, start, report scanning, child session management,
+ * memory querying, and trust record endpoints.
+ */
+import { Router } from 'express';
+import type { Request } from 'express';
+import type { SessionManager } from './session-manager.js';
+import type { OrchestratorMonitor } from './orchestrator-monitor.js';
+type VerifyFn = (token: string | undefined) => boolean;
+type VerifySessionFn = (token: string | undefined, sessionId: string | undefined) => boolean;
+type ExtractFn = (req: Request) => string | undefined;
+export declare function createOrchestratorRouter(verifyToken: VerifyFn, extractToken: ExtractFn, sessions: SessionManager, monitorRef?: {
+    current: OrchestratorMonitor | null;
+}, verifyTokenOrSessionToken?: VerifySessionFn): Router;
+export {};

package/server/dist/orchestrator-routes.js

@@ -0,0 +1,526 @@
+/**
+ * REST routes for the orchestrator session.
+ *
+ * Provides status, start, report scanning, child session management,
+ * memory querying, and trust record endpoints.
+ */
+import { Router } from 'express';
+import { resolve } from 'path';
+import { existsSync, statSync } from 'fs';
+import { ensureOrchestratorRunning, getOrchestratorSessionId, getOrCreateOrchestratorId } from './orchestrator-manager.js';
+import { getAgentDisplayName, REPOS_ROOT } from './config.js';
+import { scanRepoReports, readReport, getReportsSince } from './orchestrator-reports.js';
+import { OrchestratorMemory } from './orchestrator-memory.js';
+import { OrchestratorChildManager } from './orchestrator-children.js';
+import { extractMemoryCandidates, smartUpsert, runAgingCycle, recordFindingOutcome, getTriageRecommendation, loadSkillProfile, updateSkillLevel, getGuidanceStyle, recordDecision, assessDecisionOutcome, getPendingOutcomeAssessments, } from './orchestrator-learning.js';
+export function createOrchestratorRouter(verifyToken, extractToken, sessions, monitorRef, verifyTokenOrSessionToken) {
+    const router = Router();
+    const memory = new OrchestratorMemory();
+    const children = new OrchestratorChildManager(sessions);
+    /**
+     * Verify that the request is authorized — accepts either the master auth
+     * token OR the orchestrator session's scoped token.  This allows the
+     * orchestrator's Claude process (which only has a session-scoped token)
+     * to call its own management endpoints (spawn children, update memory, etc.).
+     */
+    function verifyOrchestratorAuth(req) {
+        const token = extractToken(req);
+        if (verifyToken(token))
+            return true;
+        if (verifyTokenOrSessionToken) {
+            const orchestratorId = getOrCreateOrchestratorId();
+            return verifyTokenOrSessionToken(token, orchestratorId);
+        }
+        return false;
+    }
+    // -------------------------------------------------------------------------
+    // Session lifecycle
+    // -------------------------------------------------------------------------
+    /** Get orchestrator session status. */
+    router.get('/api/orchestrator/status', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const sessionId = getOrchestratorSessionId(sessions);
+        if (!sessionId) {
+            return res.json({ sessionId: null, status: 'stopped', agentName: getAgentDisplayName() });
+        }
+        const session = sessions.get(sessionId);
+        const status = session?.claudeProcess?.isAlive() ? 'active' : 'idle';
+        res.json({
+            sessionId,
+            status,
+            childSessions: children.activeCount(),
+            agentName: getAgentDisplayName(),
+        });
+    });
+    /** Ensure orchestrator is running and return its session ID. */
+    router.post('/api/orchestrator/start', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        try {
+            const sessionId = ensureOrchestratorRunning(sessions);
+            res.json({ sessionId, status: 'active', agentName: getAgentDisplayName() });
+        }
+        catch (err) {
+            console.error('[orchestrator] Failed to start:', err);
+            res.status(500).json({ error: `Failed to start Agent ${getAgentDisplayName()}` });
+        }
+    });
+    // -------------------------------------------------------------------------
+    // Reports
+    // -------------------------------------------------------------------------
+    /** Scan reports for a single repo. */
+    router.get('/api/orchestrator/reports', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const repoPath = req.query.repo;
+        const since = req.query.since;
+        if (repoPath) {
+            const reports = scanRepoReports(repoPath);
+            res.json({ reports });
+        }
+        else if (since) {
+            // Scan all managed repos — get paths from memory
+            const repoItems = memory.list({ memoryType: 'repo_context' });
+            const repoPaths = repoItems.map(r => r.scope).filter((s) => !!s);
+            const reports = getReportsSince(repoPaths, since);
+            res.json({ reports });
+        }
+        else {
+            res.status(400).json({ error: 'Provide ?repo=<path> or ?since=<YYYY-MM-DD>' });
+        }
+    });
+    /** Read a specific report's content. */
+    router.get('/api/orchestrator/reports/read', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const filePath = req.query.path;
+        if (!filePath)
+            return res.status(400).json({ error: 'Provide ?path=<filePath>' });
+        const report = readReport(filePath);
+        if (!report)
+            return res.status(404).json({ error: 'Report not found' });
+        res.json({ report });
+    });
+    // -------------------------------------------------------------------------
+    // Child sessions
+    // -------------------------------------------------------------------------
+    /** List child sessions. */
+    router.get('/api/orchestrator/children', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        res.json({ children: children.list() });
+    });
+    /** Spawn a child session. */
+    router.post('/api/orchestrator/children', async (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { repo, task, branchName, completionPolicy, deployAfter, useWorktree, model } = req.body;
+        if (!repo || !task || !branchName) {
+            return res.status(400).json({ error: 'Missing required fields: repo, task, branchName' });
+        }
+        // Validate branchName to prevent prompt injection
+        if (!/^[a-zA-Z0-9][a-zA-Z0-9/_.-]*$/.test(branchName)) {
+            return res.status(400).json({ error: 'Invalid branchName: only alphanumeric, /, _, ., and - are allowed' });
+        }
+        // Validate repo path: must resolve under REPOS_ROOT and be an existing directory
+        const resolvedRepo = resolve(repo);
+        if (!resolvedRepo.startsWith(REPOS_ROOT + '/') && resolvedRepo !== REPOS_ROOT) {
+            return res.status(400).json({ error: 'Invalid repo path: must be under configured repos root' });
+        }
+        if (!existsSync(resolvedRepo) || !statSync(resolvedRepo).isDirectory()) {
+            return res.status(400).json({ error: 'Invalid repo path: directory does not exist' });
+        }
+        try {
+            const child = await children.spawn({
+                repo,
+                task,
+                branchName,
+                completionPolicy: completionPolicy ?? 'pr',
+                deployAfter: deployAfter ?? false,
+                useWorktree: useWorktree ?? true,
+                model,
+            });
+            res.json({ child });
+        }
+        catch (err) {
+            res.status(503).json({ error: err instanceof Error ? err.message : 'Failed to spawn child session' });
+        }
+    });
+    /** Get a specific child session. */
+    router.get('/api/orchestrator/children/:id', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const child = children.get(req.params.id);
+        if (!child)
+            return res.status(404).json({ error: 'Child session not found' });
+        res.json({ child });
+    });
+    // -------------------------------------------------------------------------
+    // Memory
+    // -------------------------------------------------------------------------
+    /** Search memory. */
+    router.get('/api/orchestrator/memory', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const query = req.query.q;
+        const type = req.query.type;
+        const limit = parseInt(req.query.limit || '20', 10);
+        if (query) {
+            const items = memory.search(query, limit);
+            res.json({ items });
+        }
+        else {
+            const items = memory.list({
+                memoryType: type,
+                limit,
+            });
+            res.json({ items });
+        }
+    });
+    /** Add or update a memory item. */
+    router.post('/api/orchestrator/memory', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { id, memoryType, scope, title, content, sourceRef, confidence, expiresAt, isPinned, tags } = req.body;
+        if (!memoryType || !content) {
+            return res.status(400).json({ error: 'Missing required fields: memoryType, content' });
+        }
+        const itemId = memory.upsert({
+            id,
+            memoryType,
+            scope: scope ?? null,
+            title: title ?? null,
+            content,
+            sourceRef: sourceRef ?? null,
+            confidence: confidence ?? 0.8,
+            expiresAt: expiresAt ?? null,
+            isPinned: isPinned ?? false,
+            tags: tags ?? [],
+        });
+        res.json({ id: itemId });
+    });
+    /** Delete a memory item. */
+    router.delete('/api/orchestrator/memory/:id', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const deleted = memory.delete(req.params.id);
+        res.json({ deleted });
+    });
+    // -------------------------------------------------------------------------
+    // Trust
+    // -------------------------------------------------------------------------
+    /** List all trust records. */
+    router.get('/api/orchestrator/trust', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        res.json({ records: memory.listTrustRecords() });
+    });
+    /** Compute trust level for an action. */
+    router.get('/api/orchestrator/trust/level', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { action, category, severity, repo } = req.query;
+        if (!action || !category) {
+            return res.status(400).json({ error: 'Provide ?action=X&category=Y' });
+        }
+        const level = memory.computeTrustLevel(action, category, severity ?? 'medium', repo ?? null);
+        res.json({ level });
+    });
+    /** Record an approval. */
+    router.post('/api/orchestrator/trust/approve', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { action, category, repo } = req.body;
+        if (!action || !category) {
+            return res.status(400).json({ error: 'Missing required fields: action, category' });
+        }
+        const record = memory.recordApproval(action, category, repo ?? null);
+        res.json({ record });
+    });
+    /** Record a rejection (resets trust to ASK). */
+    router.post('/api/orchestrator/trust/reject', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { action, category, repo } = req.body;
+        if (!action || !category) {
+            return res.status(400).json({ error: 'Missing required fields: action, category' });
+        }
+        const record = memory.recordRejection(action, category, repo ?? null);
+        res.json({ record });
+    });
+    /** Pin trust to a specific level (user override). */
+    router.post('/api/orchestrator/trust/pin', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { action, category, repo, level } = req.body;
+        if (!action || !category || !level) {
+            return res.status(400).json({ error: 'Missing required fields: action, category, level' });
+        }
+        memory.pinTrust(action, category, repo ?? null, level);
+        res.json({ ok: true });
+    });
+    /** Reset all trust records. */
+    router.post('/api/orchestrator/trust/reset', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        memory.resetAllTrust();
+        res.json({ ok: true });
+    });
+    // -------------------------------------------------------------------------
+    // Notifications
+    // -------------------------------------------------------------------------
+    /** Get pending notifications from the monitor. */
+    router.get('/api/orchestrator/notifications', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const monitor = monitorRef?.current;
+        if (!monitor)
+            return res.json({ notifications: [] });
+        const all = req.query.all === 'true';
+        res.json({ notifications: all ? monitor.getAll() : monitor.getPending() });
+    });
+    /** Mark notifications as delivered. */
+    router.post('/api/orchestrator/notifications/mark-delivered', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const monitor = monitorRef?.current;
+        if (!monitor)
+            return res.json({ ok: true });
+        const { ids } = req.body;
+        if (Array.isArray(ids))
+            monitor.markDelivered(ids);
+        res.json({ ok: true });
+    });
+    // -------------------------------------------------------------------------
+    // Dashboard stats
+    // -------------------------------------------------------------------------
+    /** Get summary stats for the dashboard header. */
+    router.get('/api/orchestrator/dashboard', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const repoItems = memory.list({ memoryType: 'repo_context' });
+        const pendingNotifications = monitorRef?.current?.getPending() ?? [];
+        const activeChildren = children.activeCount();
+        const trustRecords = memory.listTrustRecords();
+        const autoApproved = trustRecords.filter(t => t.effectiveLevel !== 'ask').length;
+        res.json({
+            stats: {
+                managedRepos: repoItems.length,
+                pendingNotifications: pendingNotifications.length,
+                activeChildSessions: activeChildren,
+                totalChildSessions: children.list().length,
+                trustRecords: trustRecords.length,
+                autoApprovedActions: autoApproved,
+                memoryItems: memory.list().length,
+            },
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Memory extraction & learning (Phase 4)
+    // -------------------------------------------------------------------------
+    /** Extract memory candidates from a session interaction. */
+    router.post('/api/orchestrator/memory/extract', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { userMessage, assistantResponse, repo, sourceRef } = req.body;
+        if (!userMessage || !assistantResponse) {
+            return res.status(400).json({ error: 'Missing required fields: userMessage, assistantResponse' });
+        }
+        const candidates = extractMemoryCandidates(userMessage, assistantResponse, repo ?? null);
+        const results = candidates.map(c => smartUpsert(memory, c, sourceRef ?? null));
+        res.json({ candidates: candidates.length, results });
+    });
+    /** Run the aging/decay cycle. */
+    router.post('/api/orchestrator/memory/age', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const result = runAgingCycle(memory);
+        res.json(result);
+    });
+    // -------------------------------------------------------------------------
+    // Finding outcomes & triage recommendations
+    // -------------------------------------------------------------------------
+    /** Record a finding outcome. */
+    router.post('/api/orchestrator/findings/outcome', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { findingId, repo, category, severity, action, reason, sessionId, outcome } = req.body;
+        if (!findingId || !repo || !category || !action) {
+            return res.status(400).json({ error: 'Missing required fields' });
+        }
+        const id = recordFindingOutcome(memory, {
+            findingId, repo, category,
+            severity: severity ?? 'medium',
+            action, reason: reason ?? '',
+            sessionId: sessionId ?? null,
+            outcome: outcome ?? null,
+            timestamp: new Date().toISOString(),
+        });
+        res.json({ id });
+    });
+    /** Get triage recommendation based on historical patterns. */
+    router.get('/api/orchestrator/findings/recommend', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { category, severity, repo } = req.query;
+        if (!category)
+            return res.status(400).json({ error: 'Provide ?category=X' });
+        const recommendation = getTriageRecommendation(memory, category, severity ?? 'medium', repo ?? null);
+        res.json(recommendation);
+    });
+    // -------------------------------------------------------------------------
+    // User skill model
+    // -------------------------------------------------------------------------
+    /** Get the user's skill profile. */
+    router.get('/api/orchestrator/skills', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        res.json({
+            profile: loadSkillProfile(),
+            guidanceStyle: getGuidanceStyle(),
+        });
+    });
+    /** Update a skill level based on an observed signal. */
+    router.post('/api/orchestrator/skills', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { domain, signal, level } = req.body;
+        if (!domain || !signal || !level) {
+            return res.status(400).json({ error: 'Missing required fields: domain, signal, level' });
+        }
+        const updated = updateSkillLevel(domain, signal, level);
+        res.json({ skill: updated, guidanceStyle: getGuidanceStyle() });
+    });
+    // -------------------------------------------------------------------------
+    // Decision history
+    // -------------------------------------------------------------------------
+    /** Record a decision. */
+    router.post('/api/orchestrator/decisions', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { decision, rationale, repo, relatedFinding, expectedOutcome } = req.body;
+        if (!decision || !rationale) {
+            return res.status(400).json({ error: 'Missing required fields: decision, rationale' });
+        }
+        const id = recordDecision(memory, {
+            decision, rationale,
+            repo: repo ?? null,
+            relatedFinding: relatedFinding ?? null,
+            expectedOutcome: expectedOutcome ?? '',
+        });
+        res.json({ id });
+    });
+    /** Assess a decision's outcome. */
+    router.post('/api/orchestrator/decisions/:id/assess', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const { actualOutcome } = req.body;
+        if (!actualOutcome)
+            return res.status(400).json({ error: 'Missing required field: actualOutcome' });
+        const updated = assessDecisionOutcome(memory, req.params.id, actualOutcome);
+        res.json({ updated });
+    });
+    /** Get decisions pending outcome assessment. */
+    router.get('/api/orchestrator/decisions/pending', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        res.json({ decisions: getPendingOutcomeAssessments(memory) });
+    });
+    // -------------------------------------------------------------------------
+    // Session prompts & approvals
+    // -------------------------------------------------------------------------
+    /** Get all sessions with pending prompts (waiting for approval or answer). */
+    router.get('/api/orchestrator/sessions/pending-prompts', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        res.json({ sessions: sessions.getPendingPrompts() });
+    });
+    /** Approve or deny a pending prompt in any session. */
+    router.post('/api/orchestrator/sessions/:id/respond', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const sessionId = req.params.id;
+        const { requestId, value } = req.body;
+        if (!value) {
+            return res.status(400).json({ error: 'Missing required field: value (e.g. "allow", "deny", or answer text)' });
+        }
+        const session = sessions.get(sessionId);
+        if (!session)
+            return res.status(404).json({ error: 'Session not found' });
+        // Verify there's actually a pending prompt (optionally for the specific requestId)
+        const hasPending = requestId
+            ? (session.pendingToolApprovals.has(requestId) || session.pendingControlRequests.has(requestId))
+            : (session.pendingToolApprovals.size > 0 || session.pendingControlRequests.size > 0);
+        if (!hasPending) {
+            return res.status(409).json({ error: 'No pending prompt to respond to' });
+        }
+        // Capture prompt details before responding (response clears them)
+        let promptToolName = 'unknown';
+        let promptType = 'permission';
+        if (requestId) {
+            const toolApproval = session.pendingToolApprovals.get(requestId);
+            const controlReq = session.pendingControlRequests.get(requestId);
+            if (toolApproval) {
+                promptToolName = toolApproval.toolName;
+                promptType = toolApproval.toolName === 'AskUserQuestion' ? 'question' : 'permission';
+            }
+            else if (controlReq) {
+                promptToolName = controlReq.toolName;
+                promptType = controlReq.toolName === 'AskUserQuestion' ? 'question' : 'permission';
+            }
+        }
+        sessions.sendPromptResponse(sessionId, value, requestId);
+        // Broadcast a notification to the orchestrator channel so users can see
+        // what the orchestrator approved/denied/answered.
+        const orchestratorId = getOrCreateOrchestratorId();
+        const orchestratorSession = sessions.get(orchestratorId);
+        if (orchestratorSession && orchestratorSession.clients.size > 0) {
+            const actionLabel = promptType === 'question'
+                ? `answered question from ${promptToolName}`
+                : `responded "${value}" to ${promptToolName}`;
+            const notifMsg = {
+                type: 'system_message',
+                subtype: 'info',
+                text: `[${getAgentDisplayName()}] ${actionLabel} in session "${session.name}"`,
+            };
+            for (const ws of orchestratorSession.clients) {
+                ws.send(JSON.stringify(notifMsg));
+            }
+        }
+        res.json({ ok: true });
+    });
+    // -------------------------------------------------------------------------
+    // Session cleanup
+    // -------------------------------------------------------------------------
+    /** List all sessions (unfiltered, includes source field). */
+    router.get('/api/orchestrator/sessions', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        res.json({ sessions: sessions.listAll() });
+    });
+    /** Delete all automated sessions (source: workflow, webhook, stepflow, agent). */
+    router.delete('/api/orchestrator/sessions/cleanup', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const automatedSources = new Set(['workflow', 'webhook', 'stepflow', 'agent']);
+        const toDelete = sessions.listAll().filter((s) => automatedSources.has(s.source ?? ''));
+        let deleted = 0;
+        for (const s of toDelete) {
+            if (sessions.delete(s.id))
+                deleted++;
+        }
+        res.json({ deleted });
+    });
+    /** Delete a specific session by ID. */
+    router.delete('/api/orchestrator/sessions/:id', (req, res) => {
+        if (!verifyOrchestratorAuth(req))
+            return res.status(401).json({ error: 'Unauthorized' });
+        const success = sessions.delete(req.params.id);
+        if (!success)
+            return res.status(404).json({ error: 'Session not found' });
+        res.json({ deleted: true });
+    });
+    return router;
+}
+//# sourceMappingURL=orchestrator-routes.js.map