create-walle 0.1.0

package/template/claude-task-manager/api-prompts.js

@@ -0,0 +1,1841 @@
+// --- Prompt Editor & Manager API Routes ---
+const path = require('path');
+const fs = require('fs');
+const db = require('./db');
+const queueEngine = require('./queue-engine');
+const harvest = require('./prompt-harvest');
+// AI search uses direct HTTP calls to Claude API (supports Portkey proxy)
+
+function readBody(req, limit = 1024 * 1024) {
+  return new Promise((resolve, reject) => {
+    let body = '';
+    req.on('data', chunk => {
+      body += chunk;
+      if (body.length > limit) { req.destroy(); reject(new Error('Body too large')); }
+    });
+    req.on('end', () => {
+      try { resolve(JSON.parse(body)); } catch (e) { reject(e); }
+    });
+    req.on('error', reject);
+  });
+}
+
+function readRawBody(req, limit = 10 * 1024 * 1024) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let size = 0;
+    req.on('data', chunk => {
+      size += chunk.length;
+      if (size > limit) { reject(new Error('Body too large')); return; }
+      chunks.push(chunk);
+    });
+    req.on('end', () => resolve(Buffer.concat(chunks)));
+    req.on('error', reject);
+  });
+}
+
+function jsonResponse(res, status, data) {
+  res.writeHead(status, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(data));
+}
+
+function handlePromptApi(req, res, url) {
+  const p = url.pathname;
+  const m = req.method;
+
+  // --- Prompts ---
+  if (p === '/api/prompts' && m === 'GET') return handleListPrompts(req, res, url);
+  if (p === '/api/prompts' && m === 'POST') return handleCreatePrompt(req, res);
+  if (p.match(/^\/api\/prompts\/\d+$/) && m === 'GET') return handleGetPrompt(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+$/) && m === 'PUT') return handleUpdatePrompt(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+$/) && m === 'DELETE') return handleDeletePrompt(req, res, url);
+  if (p === '/api/prompts/reorder' && m === 'POST') return handleReorderPrompts(req, res);
+  if (p === '/api/prompts/ai-search' && m === 'POST') return handleAiSearch(req, res);
+  if (p.match(/^\/api\/prompts\/\d+\/duplicate$/) && m === 'POST') return handleDuplicatePrompt(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/versions$/) && m === 'GET') return handleGetVersions(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/restore$/) && m === 'POST') return handleRestoreVersion(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/usage$/) && m === 'GET') return handleGetUsage(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/usage$/) && m === 'POST') return handleTrackUsage(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/usage\/sessions$/) && m === 'GET') return handleGetUsageSessions(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/children$/) && m === 'GET') return handleListChildren(req, res, url);
+  if (p.match(/^\/api\/prompts\/\d+\/parent$/) && m === 'PUT') return handleSetParent(req, res, url);
+  if (p === '/api/prompts/create-group' && m === 'POST') return handleCreateGroup(req, res);
+
+  // --- Folders ---
+  if (p === '/api/folders' && m === 'GET') return handleListFolders(req, res);
+  if (p === '/api/folders' && m === 'POST') return handleCreateFolder(req, res);
+  if (p.match(/^\/api\/folders\/\d+$/) && m === 'PUT') return handleUpdateFolder(req, res, url);
+  if (p.match(/^\/api\/folders\/\d+$/) && m === 'DELETE') return handleDeleteFolder(req, res, url);
+  if (p === '/api/folders/reorder' && m === 'POST') return handleReorderFolders(req, res);
+
+  // --- Images ---
+  if (p === '/api/images/upload' && m === 'POST') return handleUploadImage(req, res, url);
+  if (p.match(/^\/api\/images\/\d+$/) && m === 'GET') return handleGetImage(req, res, url);
+  if (p.match(/^\/api\/images\/\d+\/annotations$/) && m === 'PUT') return handleUpdateAnnotations(req, res, url);
+  if (p.match(/^\/api\/images\/\d+$/) && m === 'DELETE') return handleDeleteImage(req, res, url);
+  if (p.match(/^\/api\/images\/file\//)) return handleServeImage(req, res, url);
+
+  // --- Chains ---
+  if (p === '/api/chains' && m === 'GET') return handleListChains(req, res);
+  if (p === '/api/chains' && m === 'POST') return handleCreateChain(req, res);
+  if (p.match(/^\/api\/chains\/\d+$/) && m === 'GET') return handleGetChain(req, res, url);
+  if (p.match(/^\/api\/chains\/\d+$/) && m === 'PUT') return handleUpdateChain(req, res, url);
+  if (p.match(/^\/api\/chains\/\d+$/) && m === 'DELETE') return handleDeleteChain(req, res, url);
+
+  // --- Permissions ---
+  if (p === '/api/permissions/rules' && m === 'GET') return handleListPermRules(req, res);
+  if (p === '/api/permissions/rules' && m === 'POST') return handleUpsertPermRule(req, res);
+  if (p.match(/^\/api\/permissions\/rules\/\d+$/) && m === 'DELETE') return handleDeletePermRule(req, res, url);
+  if (p === '/api/permissions/log' && m === 'GET') return handleListPermLog(req, res, url);
+
+  // --- Session Conversations ---
+  if (p === '/api/conversations' && m === 'GET') return handleListConversations(req, res, url);
+  if (p === '/api/conversations/import' && m === 'POST') return handleImportConversations(req, res);
+  if (p.match(/^\/api\/conversations\/[a-f0-9-]+$/) && m === 'GET') return handleGetConversation(req, res, url);
+
+  // --- Templates ---
+  if (p === '/api/templates' && m === 'GET') return handleListTemplates(req, res);
+  if (p === '/api/templates' && m === 'POST') return handleCreateTemplate(req, res);
+  if (p.match(/^\/api\/templates\/\d+$/) && m === 'GET') return handleGetTemplate(req, res, url);
+  if (p.match(/^\/api\/templates\/\d+$/) && m === 'DELETE') return handleDeleteTemplate(req, res, url);
+
+  // --- Prompt Usage by Session ---
+  if (p === '/api/session-prompts' && m === 'GET') return handleSessionPrompts(req, res, url);
+
+  // --- Settings ---
+  if (p === '/api/settings' && m === 'GET') return handleGetSettings(req, res, url);
+  if (p === '/api/settings' && m === 'PUT') return handlePutSettings(req, res);
+
+  // --- Screenshot ---
+  if (p === '/api/screenshot' && m === 'POST') return handleScreenshot(req, res);
+
+  // --- Backups ---
+  if (p === '/api/backups' && m === 'GET') return handleListBackups(req, res);
+  if (p === '/api/backups' && m === 'POST') return handleCreateBackup(req, res);
+  if (p === '/api/backups/restore' && m === 'POST') return handleRestoreBackup(req, res);
+  if (p.match(/^\/api\/backups\/[^/]+$/) && m === 'DELETE') return handleDeleteBackup(req, res, url);
+
+  // --- Tool Permissions (Claude Code native) ---
+  if (p === '/api/tool-permissions/scan' && m === 'POST') return handleScanToolUsage(req, res);
+  if (p === '/api/tool-permissions/scan-cache' && m === 'GET') return handleGetScanCache(req, res);
+  if (p === '/api/tool-permissions/rules' && m === 'GET') return handleGetToolPermRules(req, res);
+  if (p === '/api/tool-permissions/rules' && m === 'POST') return handleSetToolPermRules(req, res);
+  if (p === '/api/tool-permissions/projects' && m === 'GET') return handleGetProjects(req, res);
+  if (p === '/api/tool-permissions/always-ask' && m === 'GET') return handleGetAlwaysAsk(req, res);
+  if (p === '/api/tool-permissions/always-ask' && m === 'POST') return handleSetAlwaysAsk(req, res);
+  if (p === '/api/tool-permissions/cache' && m === 'GET') return handleGetPermCache(req, res);
+  if (p === '/api/tool-permissions/ai-suggest' && m === 'POST') return handlePermAISuggest(req, res);
+
+  // --- Auto Approvals ---
+  if (p === '/api/auto-approvals' && m === 'GET') return handleListAutoApprovals(req, res);
+  if (p === '/api/auto-approvals' && m === 'POST') return handleUpsertAutoApproval(req, res);
+  if (p === '/api/auto-approvals/scan' && m === 'POST') return handleScanAutoApprovals(req, res);
+  if (p === '/api/auto-approvals/toggle' && m === 'POST') return handleToggleAutoApproval(req, res);
+  if (p.match(/^\/api\/auto-approvals\/\d+$/) && m === 'DELETE') {
+    const aaId = parseInt(p.split('/').pop());
+    return handleDeleteAutoApproval(req, res, aaId);
+  }
+
+  // --- Approval Rules (AI Agent) ---
+  if (p === '/api/approval-rules' && m === 'GET') return handleListApprovalRules(req, res);
+  if (p === '/api/approval-rules' && m === 'POST') return handleUpsertApprovalRule(req, res);
+  if (p === '/api/approval-rules/toggle' && m === 'POST') return handleToggleApprovalRule(req, res);
+  if (p.match(/^\/api\/approval-rules\/\d+$/) && m === 'DELETE') {
+    return handleDeleteApprovalRule(req, res, parseInt(p.split('/').pop()));
+  }
+  if (p === '/api/approval-decisions' && m === 'GET') return handleListApprovalDecisions(req, res);
+  if (p.match(/^\/api\/approval-decisions\/\d+\/resolve$/) && m === 'POST') {
+    return handleResolveApprovalDecision(req, res, parseInt(p.split('/')[3]));
+  }
+
+  // --- Prompt Queue ---
+  if (p === '/api/queues' && m === 'GET') return handleListQueues(req, res);
+  if (p === '/api/queues' && m === 'POST') return handleCreateQueue(req, res);
+  const queueLinkedMatch = p.match(/^\/api\/queue-linked-prompts\/(\d+)$/);
+  if (queueLinkedMatch && m === 'GET') return handleGetQueueLinkedItems(req, res, parseInt(queueLinkedMatch[1]));
+  if (queueLinkedMatch && m === 'DELETE') return handleDeleteQueueLinkedItems(req, res, parseInt(queueLinkedMatch[1]));
+  const draftMatch = p.match(/^\/api\/queue-draft\/([^/]+)$/);
+  if (draftMatch && m === 'GET') return handleGetQueueDraft(req, res, draftMatch[1]);
+  if (draftMatch && m === 'PUT') return handleSaveQueueDraft(req, res, draftMatch[1]);
+  if (draftMatch && m === 'DELETE') return handleDeleteQueueDraft(req, res, draftMatch[1]);
+  const queueMatch = p.match(/^\/api\/queues\/([^/]+)$/);
+  const queueActionMatch = p.match(/^\/api\/queues\/([^/]+)\/(start|pause|resume|next|skip|stop|mode)$/);
+  if (queueMatch && !queueActionMatch && m === 'GET') return handleGetQueue(req, res, queueMatch[1]);
+  if (queueMatch && !queueActionMatch && m === 'DELETE') return handleDeleteQueue(req, res, queueMatch[1]);
+  if (queueActionMatch && m === 'POST') return handleQueueAction(req, res, queueActionMatch[1], queueActionMatch[2]);
+
+  // --- Harvest & Autocomplete & Copilot ---
+  if (p === '/api/harvest/preview' && m === 'GET') return handleHarvestPreview(req, res);
+  if (p === '/api/harvest' && m === 'POST') return handleRunHarvest(req, res);
+  if (p === '/api/autocomplete' && m === 'GET') return handleAutocomplete(req, res, url);
+  if (p === '/api/similar' && m === 'GET') return handleSimilarPrompts(req, res, url);
+  if (p === '/api/patterns' && m === 'GET') return handleListPatterns(req, res);
+  if (p === '/api/patterns/detect' && m === 'POST') return handleDetectPatterns(req, res);
+  if (p === '/api/copilot/suggest' && m === 'POST') return handleCopilotSuggest(req, res);
+  if (p === '/api/copilot/chat' && m === 'POST') return handleCopilotChat(req, res);
+  if (p === '/api/prompt-executions' && m === 'GET') return handleListExecutions(req, res, url);
+  const execSessionMatch = p.match(/^\/api\/prompt-executions\/session\/([^/]+)$/);
+  if (execSessionMatch && m === 'GET') return handleSessionExecutions(req, res, execSessionMatch[1]);
+  const execOutcomeMatch = p.match(/^\/api\/prompt-executions\/(\d+)\/outcome$/);
+  if (execOutcomeMatch && m === 'POST') return handleSetOutcome(req, res, parseInt(execOutcomeMatch[1]));
+  const promptSessionsMatch = p.match(/^\/api\/prompts\/(\d+)\/sessions$/);
+  if (promptSessionsMatch && m === 'GET') return handlePromptSessions(req, res, parseInt(promptSessionsMatch[1]));
+  if (p === '/api/frequent-questions' && m === 'GET') return handleFrequentQuestions(req, res, url);
+  if (p === '/api/lifecycle/refresh' && m === 'POST') return handleLifecycleRefresh(req, res);
+
+  return false;
+}
+
+// --- Prompts ---
+function handleListPrompts(req, res, url) {
+  const opts = {};
+  if (url.searchParams.has('folder_id')) opts.folder_id = parseInt(url.searchParams.get('folder_id'));
+  if (url.searchParams.has('context_type')) opts.context_type = url.searchParams.get('context_type');
+  if (url.searchParams.has('search')) opts.search = url.searchParams.get('search');
+  if (url.searchParams.has('starred')) opts.starred = true;
+  if (url.searchParams.has('lifecycle_status')) opts.lifecycle_status = url.searchParams.get('lifecycle_status');
+  if (url.searchParams.has('include_children')) opts.include_children = true;
+  if (url.searchParams.has('limit')) opts.limit = parseInt(url.searchParams.get('limit'));
+  if (url.searchParams.has('offset')) opts.offset = parseInt(url.searchParams.get('offset'));
+  jsonResponse(res, 200, db.listPrompts(opts));
+}
+
+async function handleCreatePrompt(req, res) {
+  try {
+    const data = await readBody(req);
+    const id = db.createPrompt(data);
+    jsonResponse(res, 201, { id, ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleGetPrompt(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  const prompt = db.getPrompt(id);
+  if (!prompt) return jsonResponse(res, 404, { error: 'Not found' });
+  prompt.images = db.listImages(id);
+  prompt.usage = db.getPromptUsageStats(id);
+  prompt.children = db.listChildPrompts(id);
+  jsonResponse(res, 200, prompt);
+}
+
+async function handleUpdatePrompt(req, res, url) {
+  try {
+    const id = parseInt(url.pathname.split('/').pop());
+    const data = await readBody(req);
+    db.updatePrompt(id, data);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeletePrompt(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  db.deletePrompt(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+function handleGetVersions(req, res, url) {
+  const id = parseInt(url.pathname.split('/')[3]);
+  jsonResponse(res, 200, db.getPromptVersions(id));
+}
+
+async function handleRestoreVersion(req, res, url) {
+  try {
+    const promptId = parseInt(url.pathname.split('/')[3]);
+    const data = await readBody(req);
+    db.restorePromptVersion(promptId, data.version_id);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleGetUsage(req, res, url) {
+  const id = parseInt(url.pathname.split('/')[3]);
+  jsonResponse(res, 200, db.getPromptUsageStats(id));
+}
+
+async function handleTrackUsage(req, res, url) {
+  const id = parseInt(url.pathname.split('/')[3]);
+  const body = await readBody(req);
+  db.trackPromptUsage({
+    prompt_id: id,
+    session_id: body.session_id || '',
+    result: body.result || '',
+    effectiveness_score: body.effectiveness_score || null,
+  });
+  jsonResponse(res, 200, { ok: true });
+}
+
+function handleGetUsageSessions(req, res, url) {
+  const id = parseInt(url.pathname.split('/')[3]);
+  const rows = db.getDb().prepare(
+    'SELECT session_id, used_at, result FROM prompt_usage WHERE prompt_id = ? ORDER BY used_at DESC LIMIT 50'
+  ).all(id);
+  jsonResponse(res, 200, rows);
+}
+
+function handleSessionPrompts(req, res, url) {
+  const sessionId = url.searchParams.get('session_id');
+  if (!sessionId) {
+    jsonResponse(res, 400, { error: 'Missing session_id' });
+    return;
+  }
+  const rows = db.getDb().prepare(
+    `SELECT pu.prompt_id, pu.used_at, pu.result, p.title
+     FROM prompt_usage pu
+     LEFT JOIN prompts p ON p.id = pu.prompt_id
+     WHERE pu.session_id = ?
+     ORDER BY pu.used_at DESC`
+  ).all(sessionId);
+  jsonResponse(res, 200, rows);
+}
+
+// --- Folders ---
+function handleListFolders(req, res) {
+  jsonResponse(res, 200, db.listFolders());
+}
+
+async function handleCreateFolder(req, res) {
+  try {
+    const data = await readBody(req);
+    const id = db.createFolder(data);
+    jsonResponse(res, 201, { id, ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+async function handleUpdateFolder(req, res, url) {
+  try {
+    const id = parseInt(url.pathname.split('/').pop());
+    const data = await readBody(req);
+    db.updateFolder(id, data);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeleteFolder(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  db.deleteFolder(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+async function handleReorderPrompts(req, res) {
+  try {
+    const { ids } = await readBody(req);
+    db.reorderPrompts(ids);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+async function handleDuplicatePrompt(req, res, url) {
+  try {
+    const id = parseInt(url.pathname.split('/')[3]);
+    const newId = db.duplicatePrompt(id);
+    jsonResponse(res, 201, { id: newId, ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleListChildren(req, res, url) {
+  const id = parseInt(url.pathname.split('/')[3]);
+  jsonResponse(res, 200, db.listChildPrompts(id));
+}
+
+async function handleSetParent(req, res, url) {
+  try {
+    const id = parseInt(url.pathname.split('/')[3]);
+    const { parent_id } = await readBody(req);
+    db.setPromptParent(id, parent_id);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+async function handleCreateGroup(req, res) {
+  try {
+    const { ids } = await readBody(req);
+    if (!ids || ids.length < 2) return jsonResponse(res, 400, { error: 'Need at least 2 prompt ids' });
+
+    // Fetch prompts to build AI context
+    const prompts = ids.map(id => db.getPrompt(id)).filter(Boolean);
+    if (prompts.length < 2) return jsonResponse(res, 400, { error: 'Prompts not found' });
+
+    // Generate AI summary for the group
+    let title, content, contentHtml;
+    try {
+      const promptDescriptions = prompts.map(p => {
+        const snippet = (p.content || '').slice(0, 500).trim();
+        return `Title: ${p.title || 'Untitled'}\nContent: ${snippet || '(empty)'}`;
+      }).join('\n\n---\n\n');
+
+      const aiResponse = await callClaude([{
+        role: 'user',
+        content: `You are summarizing a group of prompts that a user wants to organize together. Generate a concise group title and a brief summary describing what these prompts have in common or what they collectively do.
+
+Here are the prompts being grouped:
+
+${promptDescriptions}
+
+Respond in this exact JSON format (no markdown, no code fences):
+{"title": "short group title (max 60 chars)", "summary": "1-2 sentence summary of what these prompts do together"}`
+      }], 256);
+
+      const aiText = aiResponse.content?.[0]?.text || '';
+      const parsed = JSON.parse(aiText);
+      title = parsed.title;
+      content = parsed.summary;
+      const safeSummary = (parsed.summary || '').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+      contentHtml = `<p>${safeSummary}</p>`;
+    } catch (aiErr) {
+      // AI failed — fall through to DB fallback (concatenated titles)
+      console.error('[create-group] AI summary failed, using fallback:', aiErr.message);
+    }
+
+    const groupId = db.createGroupFromPrompts(ids, { title, content, contentHtml });
+    jsonResponse(res, 201, { id: groupId, ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+async function handleReorderFolders(req, res) {
+  try {
+    const { ids } = await readBody(req);
+    db.reorderFolders(ids);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+// --- AI Search ---
+function parseCustomHeaders() {
+  const headers = {};
+  const b64 = process.env.ANTHROPIC_CUSTOM_HEADERS_B64;
+  if (b64) {
+    const decoded = Buffer.from(b64, 'base64').toString();
+    for (const line of decoded.split('\n')) {
+      const idx = line.indexOf(':');
+      if (idx > 0) headers[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
+    }
+  }
+  return headers;
+}
+
+async function callClaude(messages, maxTokens = 1024) {
+  const baseUrl = process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com';
+  const apiKey = process.env.ANTHROPIC_API_KEY || 'dummy';
+  const customHeaders = parseCustomHeaders();
+
+  const res = await fetch(`${baseUrl}/messages`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'x-api-key': apiKey,
+      'anthropic-version': '2023-06-01',
+      ...customHeaders,
+    },
+    body: JSON.stringify({
+      model: 'claude-sonnet-4-20250514',
+      max_tokens: maxTokens,
+      messages,
+    }),
+  });
+
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Claude API ${res.status}: ${text}`);
+  }
+  return await res.json();
+}
+
+async function handleAiSearch(req, res) {
+  try {
+    const { query } = await readBody(req);
+    if (!query || !query.trim()) return jsonResponse(res, 400, { error: 'Query required' });
+
+    // Get all prompts with summaries
+    const allPrompts = db.listPrompts();
+    if (!allPrompts.length) return jsonResponse(res, 200, { results: [] });
+
+    // Build prompt catalog for Claude
+    const catalog = allPrompts.map(p => {
+      const snippet = (p.content || '').slice(0, 300).replace(/\n+/g, ' ').trim();
+      const tags = p.tags || '[]';
+      return `[ID:${p.id}] "${p.title}" (${p.context_type}) tags:${tags}\n  ${snippet}`;
+    }).join('\n\n');
+
+    const response = await callClaude([{
+      role: 'user',
+      content: `You are a search engine for a prompt library. Given the user's search query, find the most relevant prompts from the catalog below and return them ranked by relevance.
+
+Search query: "${query.trim()}"
+
+Prompt catalog:
+${catalog}
+
+Return a JSON array of objects with these fields:
+- id: the prompt ID number
+- relevance: a score from 0-100
+- reason: a brief explanation (1 sentence) of why this prompt matches
+
+Only include prompts with relevance >= 30. Return at most 10 results, sorted by relevance descending.
+Return ONLY the JSON array, no other text.`
+    }]);
+
+    const text = response.content?.[0]?.text || '[]';
+    // Extract JSON from response (handle markdown code blocks)
+    const jsonMatch = text.match(/\[[\s\S]*\]/);
+    const results = jsonMatch ? JSON.parse(jsonMatch[0]) : [];
+
+    // Enrich results with prompt data
+    const enriched = results.map(r => {
+      const prompt = allPrompts.find(p => p.id === r.id);
+      if (!prompt) return null;
+      return {
+        id: r.id,
+        title: prompt.title,
+        context_type: prompt.context_type,
+        tags: prompt.tags,
+        updated_at: prompt.updated_at,
+        pinned: prompt.pinned,
+        starred: prompt.starred,
+        relevance: r.relevance,
+        reason: r.reason,
+      };
+    }).filter(Boolean);
+
+    jsonResponse(res, 200, { results: enriched });
+  } catch (e) {
+    console.error('AI Search error:', e.message);
+    jsonResponse(res, 500, { error: 'AI search failed: ' + e.message });
+  }
+}
+
+// --- Images ---
+async function handleUploadImage(req, res, url) {
+  try {
+    const promptId = parseInt(url.searchParams.get('prompt_id') || '0');
+    const filename = url.searchParams.get('filename') || 'image.png';
+    const mimeType = req.headers['content-type'] || 'image/png';
+    const buffer = await readRawBody(req);
+    const result = db.saveImage(promptId, buffer, filename, mimeType);
+    jsonResponse(res, 201, result);
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleGetImage(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  const img = db.getImage(id);
+  if (!img) return jsonResponse(res, 404, { error: 'Not found' });
+  jsonResponse(res, 200, img);
+}
+
+function handleServeImage(req, res, url) {
+  const rawFilename = url.pathname.replace('/api/images/file/', '');
+  const safeFilename = path.basename(rawFilename);
+  let filePath = path.join(db.DEFAULT_IMAGES_DIR, safeFilename);
+  if (!fs.existsSync(filePath)) {
+    // Filename might be the original upload name — look up actual file_path from DB
+    const img = db.getDb().prepare('SELECT file_path FROM images WHERE filename = ? LIMIT 1').get(safeFilename);
+    const resolvedImgPath = img ? path.resolve(img.file_path) : null;
+    if (resolvedImgPath && resolvedImgPath.startsWith(path.resolve(db.DEFAULT_IMAGES_DIR) + path.sep) && fs.existsSync(resolvedImgPath)) {
+      filePath = resolvedImgPath;
+    } else {
+      res.writeHead(404); res.end('Not found'); return;
+    }
+  }
+  const ext = path.extname(filePath).toLowerCase();
+  const mimeMap = { '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg', '.gif': 'image/gif', '.webp': 'image/webp', '.svg': 'image/svg+xml' };
+  res.writeHead(200, {
+    'Content-Type': mimeMap[ext] || 'application/octet-stream',
+    'Cache-Control': 'public, max-age=86400'
+  });
+  fs.createReadStream(filePath).pipe(res);
+}
+
+async function handleUpdateAnnotations(req, res, url) {
+  try {
+    const id = parseInt(url.pathname.split('/')[3]);
+    const data = await readBody(req);
+    db.updateImageAnnotations(id, data.annotations);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeleteImage(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  db.deleteImage(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+// --- Chains ---
+function handleListChains(req, res) {
+  jsonResponse(res, 200, db.listChains());
+}
+
+async function handleCreateChain(req, res) {
+  try {
+    const data = await readBody(req);
+    const id = db.createChain(data);
+    jsonResponse(res, 201, { id, ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleGetChain(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  const chain = db.getChain(id);
+  if (!chain) return jsonResponse(res, 404, { error: 'Not found' });
+  jsonResponse(res, 200, chain);
+}
+
+async function handleUpdateChain(req, res, url) {
+  try {
+    const id = parseInt(url.pathname.split('/').pop());
+    const data = await readBody(req);
+    db.updateChain(id, data);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeleteChain(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  db.deleteChain(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+// --- Permissions ---
+function handleListPermRules(req, res) {
+  jsonResponse(res, 200, db.listPermissionRules());
+}
+
+async function handleUpsertPermRule(req, res) {
+  try {
+    const data = await readBody(req);
+    db.upsertPermissionRule(data);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeletePermRule(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  db.deletePermissionRule(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+function handleListPermLog(req, res, url) {
+  const opts = {};
+  if (url.searchParams.has('session_id')) opts.session_id = url.searchParams.get('session_id');
+  if (url.searchParams.has('tool_name')) opts.tool_name = url.searchParams.get('tool_name');
+  if (url.searchParams.has('limit')) opts.limit = parseInt(url.searchParams.get('limit'));
+  jsonResponse(res, 200, db.listPermissionLog(opts));
+}
+
+// --- Session Conversations ---
+function handleListConversations(req, res, url) {
+  const opts = {};
+  if (url.searchParams.has('search')) opts.search = url.searchParams.get('search');
+  if (url.searchParams.has('limit')) opts.limit = parseInt(url.searchParams.get('limit'));
+  if (url.searchParams.has('offset')) opts.offset = parseInt(url.searchParams.get('offset'));
+  jsonResponse(res, 200, db.listSessionConversations(opts));
+}
+
+async function handleImportConversations(req, res) {
+  // Import all sessions from ~/.claude/projects/ into the DB
+  try {
+    const { getAllSessionFiles, parseSessionFile } = require('./session-utils');
+    let imported = 0;
+    const allFiles = getAllSessionFiles();
+
+    for (const { filePath, projectPath, projectEntry } of allFiles) {
+      try {
+        const parsed = parseSessionFile(filePath, projectPath, projectEntry);
+        if (parsed.isEmpty) continue;
+
+        const existing = db.getSessionConversation(parsed.sessionId);
+        if (existing && existing.file_size === parsed.fileSize) continue;
+
+        // Read full messages
+        const content = fs.readFileSync(filePath, 'utf8');
+        const lines = content.split('\n').filter(Boolean);
+        const messages = [];
+        let assistantCount = 0;
+
+        for (const line of lines) {
+          try {
+            const entry = JSON.parse(line);
+            if (entry.type === 'user' && entry.message?.role === 'user') {
+              const c = entry.message.content;
+              const text = typeof c === 'string' ? c
+                : Array.isArray(c) ? c.filter(b => b.type === 'text').map(b => b.text).join('\n') : '';
+              if (text) messages.push({ role: 'user', text: text.slice(0, 5000), timestamp: entry.timestamp });
+            } else if (entry.type === 'assistant' && entry.message?.role === 'assistant') {
+              const c = entry.message.content;
+              if (!Array.isArray(c)) continue;
+              const parts = [];
+              for (const block of c) {
+                if (block.type === 'text' && block.text) parts.push(block.text);
+                else if (block.type === 'tool_use') parts.push(`[Tool: ${block.name}]`);
+              }
+              if (parts.length > 0) {
+                const lastMsg = messages[messages.length - 1];
+                if (lastMsg && lastMsg.role === 'assistant' && lastMsg._parent === entry.parentUuid) {
+                  lastMsg.text = parts.join('\n').slice(0, 5000);
+                } else {
+                  messages.push({ role: 'assistant', text: parts.join('\n').slice(0, 5000), timestamp: entry.timestamp, _parent: entry.parentUuid });
+                  assistantCount++;
+                }
+              }
+            }
+          } catch {}
+        }
+        messages.forEach(m => delete m._parent);
+
+        db.importSessionConversation({
+          session_id: parsed.sessionId,
+          project_path: parsed.project,
+          messages,
+          user_msg_count: parsed.userMsgCount,
+          assistant_msg_count: assistantCount,
+          title: parsed.title,
+          first_message: parsed.firstMessage,
+          git_branch: parsed.gitBranch,
+          file_size: parsed.fileSize,
+          session_created_at: parsed.timestamp,
+        });
+        imported++;
+      } catch {}
+    }
+
+    jsonResponse(res, 200, { ok: true, imported });
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+function handleGetConversation(req, res, url) {
+  const sessionId = url.pathname.split('/').pop();
+  const conv = db.getSessionConversation(sessionId);
+  if (!conv) return jsonResponse(res, 404, { error: 'Not found' });
+  jsonResponse(res, 200, conv);
+}
+
+// --- Templates ---
+function handleListTemplates(req, res) {
+  jsonResponse(res, 200, db.listTemplates());
+}
+
+async function handleCreateTemplate(req, res) {
+  try {
+    const data = await readBody(req);
+    const id = db.createTemplate(data);
+    jsonResponse(res, 201, { id, ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleGetTemplate(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  const t = db.getTemplate(id);
+  if (!t) return jsonResponse(res, 404, { error: 'Not found' });
+  jsonResponse(res, 200, t);
+}
+
+function handleDeleteTemplate(req, res, url) {
+  const id = parseInt(url.pathname.split('/').pop());
+  db.deleteTemplate(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+// --- Settings ---
+function handleGetSettings(req, res, url) {
+  const key = url.searchParams.get('key');
+  const prefix = url.searchParams.get('prefix');
+  if (key) {
+    jsonResponse(res, 200, { key, value: db.getSetting(key) });
+  } else if (prefix) {
+    const rows = db.getSettingsByPrefix(prefix);
+    const result = {};
+    for (const r of rows) result[r.key] = r.value;
+    jsonResponse(res, 200, result);
+  } else {
+    const allKeys = ['db_path', 'images_dir', 'default_context_type', 'editor_theme', 'auto_version'];
+    const settings = {};
+    for (const k of allKeys) settings[k] = db.getSetting(k);
+    jsonResponse(res, 200, settings);
+  }
+}
+
+async function handlePutSettings(req, res) {
+  try {
+    const data = await readBody(req);
+    for (const [k, v] of Object.entries(data)) {
+      db.setSetting(k, v);
+    }
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+// --- Screenshot (macOS) ---
+async function handleScreenshot(req, res) {
+  try {
+    const { execSync } = require('child_process');
+    const tmpFile = path.join(db.DEFAULT_IMAGES_DIR, `screenshot-${Date.now()}.png`);
+    execSync(`screencapture -i "${tmpFile}"`, { timeout: 30000 });
+    if (!fs.existsSync(tmpFile)) {
+      return jsonResponse(res, 400, { error: 'Screenshot cancelled' });
+    }
+    const buffer = fs.readFileSync(tmpFile);
+    const result = db.saveImage(0, buffer, path.basename(tmpFile), 'image/png');
+    jsonResponse(res, 201, result);
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+// --- Backups ---
+function handleListBackups(req, res) {
+  jsonResponse(res, 200, db.listBackups());
+}
+
+async function handleCreateBackup(req, res) {
+  try {
+    const data = await readBody(req).catch(() => ({}));
+    const result = db.createBackupSync(data.label || 'manual');
+    jsonResponse(res, 201, result);
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+async function handleRestoreBackup(req, res) {
+  try {
+    const data = await readBody(req);
+    if (!data.name) return jsonResponse(res, 400, { error: 'Missing backup name' });
+    const result = db.restoreBackup(data.name);
+    jsonResponse(res, 200, result);
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+function handleDeleteBackup(req, res, url) {
+  const name = decodeURIComponent(url.pathname.split('/').pop());
+  db.deleteBackup(name);
+  jsonResponse(res, 200, { ok: true });
+}
+
+// ============================================================
+// Tool Permissions (reads/writes .claude/settings.local.json)
+// ============================================================
+// Claude Code reads pre-authorized permissions from:
+//   Global: ~/.claude/settings.local.json -> permissions.allow[]
+//   Per-project: <project>/.claude/settings.local.json -> permissions.allow[]
+// Legacy: ~/.claude.json -> projects[path].allowedTools[] (session approval history, read-only)
+
+const CLAUDE_JSON_PATH = path.join(process.env.HOME, '.claude.json');
+const GLOBAL_SETTINGS_PATH = path.join(process.env.HOME, '.claude', 'settings.local.json');
+
+function readJsonFile(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch { return {}; }
+}
+
+function writeJsonFile(filePath, data) {
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+}
+
+function getProjectSettingsPath(projectPath) {
+  return path.join(projectPath, '.claude', 'settings.local.json');
+}
+
+// Validate permission rule patterns — Claude Code rejects rules where :* is not at the end
+function isValidPermRule(rule) {
+  // Match Bash(prefix:*suffix) — :* must be followed only by )
+  const m = rule.match(/^Bash\(.*:\*(.*)?\)$/);
+  if (m && m[1]) return false; // something after :* before )
+  return true;
+}
+
+function getSettingsAllowList(settingsPath) {
+  const settings = readJsonFile(settingsPath);
+  return (settings.permissions && settings.permissions.allow) || [];
+}
+
+function getSettingsDenyList(settingsPath) {
+  const settings = readJsonFile(settingsPath);
+  return (settings.permissions && settings.permissions.deny) || [];
+}
+
+// --- Collect all rules from JSON files ---
+function collectJsonRules() {
+  const rules = [];
+
+  // Global allow/deny from ~/.claude/settings.local.json
+  for (const tool of getSettingsAllowList(GLOBAL_SETTINGS_PATH)) {
+    if (!isValidPermRule(tool)) { console.warn(`  Skipping invalid perm rule: ${tool}`); continue; }
+    rules.push({ rule: tool, listType: 'allow', scope: 'global', project: '__global__' });
+  }
+  for (const tool of getSettingsDenyList(GLOBAL_SETTINGS_PATH)) {
+    if (!isValidPermRule(tool)) continue;
+    rules.push({ rule: tool, listType: 'deny', scope: 'global', project: '__global__' });
+  }
+
+  // Per-project from <project>/.claude/settings.local.json
+  const claudeJson = readJsonFile(CLAUDE_JSON_PATH);
+  const projectPaths = Object.keys(claudeJson.projects || {});
+  for (const projectPath of projectPaths) {
+    const settingsPath = getProjectSettingsPath(projectPath);
+    for (const tool of getSettingsAllowList(settingsPath)) {
+      if (!isValidPermRule(tool)) { console.warn(`  Skipping invalid perm rule: ${tool}`); continue; }
+      rules.push({ rule: tool, listType: 'allow', scope: 'project', project: projectPath });
+    }
+    for (const tool of getSettingsDenyList(settingsPath)) {
+      if (!isValidPermRule(tool)) continue;
+      rules.push({ rule: tool, listType: 'deny', scope: 'project', project: projectPath });
+    }
+  }
+
+  // Legacy: ~/.claude.json projects[].allowedTools
+  for (const [projectPath, projectData] of Object.entries(claudeJson.projects || {})) {
+    const allowedTools = projectData.allowedTools || [];
+    for (const tool of allowedTools) {
+      if (!isValidPermRule(tool)) continue;
+      rules.push({ rule: tool, listType: 'allow', scope: 'project', project: projectPath });
+    }
+  }
+
+  return rules;
+}
+
+// --- Merge JSON rules into DB (import any new ones Claude Code added) ---
+function mergeJsonRulesIntoDb() {
+  const jsonRules = collectJsonRules();
+  const before = db.listPermRules().length;
+  for (const r of jsonRules) {
+    db.addPermRule(r); // INSERT OR IGNORE — skips duplicates
+  }
+  const after = db.listPermRules().length;
+  const imported = after - before;
+  if (imported > 0) {
+    console.log(`  Merged ${imported} new permission rules from JSON files into DB`);
+  }
+  return imported;
+}
+
+// --- Import JSON files into SQLite (run on startup) ---
+function importPermissionsToDb() {
+  const existing = db.listPermRules();
+  if (existing.length > 0) {
+    // DB already has rules. Merge any new rules Claude Code added to JSON files.
+    mergeJsonRulesIntoDb();
+    // Then sync DB (now the complete set) back to JSON files.
+    syncDbToJsonFiles();
+    return;
+  }
+
+  // First time: seed DB from JSON files
+  const rules = collectJsonRules();
+
+  if (rules.length > 0) {
+    db.bulkSetPermRules(rules);
+    console.log(`  Imported ${rules.length} permission rules from JSON files into DB`);
+    syncDbToJsonFiles();
+  }
+}
+
+// --- Sync SQLite → JSON files (merge first, then write) ---
+function syncDbToJsonFiles() {
+  // First: import any new rules Claude Code added directly to JSON files
+  const jsonRules = collectJsonRules();
+  for (const r of jsonRules) {
+    db.addPermRule(r); // INSERT OR IGNORE — skips duplicates
+  }
+  // Scrub invalid rules from DB (Claude Code sometimes writes bad patterns like "node:*1")
+  for (const r of db.listPermRules()) {
+    if (!isValidPermRule(r.rule)) {
+      console.warn(`  Removing invalid perm rule from DB: ${r.rule}`);
+      db.removePermRule({ rule: r.rule, listType: r.list_type, project: r.project });
+    }
+  }
+
+  // Now write the complete DB state to all JSON files
+  const byProject = db.getPermRulesByProject();
+
+  // Global rules → ~/.claude/settings.local.json
+  const globalRules = byProject['__global__'] || { allow: [], deny: [] };
+  const globalSettings = readJsonFile(GLOBAL_SETTINGS_PATH);
+  if (!globalSettings.permissions) globalSettings.permissions = {};
+  globalSettings.permissions.allow = globalRules.allow.filter(isValidPermRule);
+  globalSettings.permissions.deny = globalRules.deny.filter(isValidPermRule);
+  writeJsonFile(GLOBAL_SETTINGS_PATH, globalSettings);
+
+  // Per-project rules → <project>/.claude/settings.local.json
+  for (const [project, lists] of Object.entries(byProject)) {
+    if (project === '__global__') continue;
+    const settingsPath = getProjectSettingsPath(project);
+    try {
+      const settings = readJsonFile(settingsPath);
+      if (!settings.permissions) settings.permissions = {};
+      settings.permissions.allow = lists.allow.filter(isValidPermRule);
+      settings.permissions.deny = lists.deny.filter(isValidPermRule);
+      writeJsonFile(settingsPath, settings);
+    } catch (e) {
+      // Project dir may not exist — skip
+    }
+  }
+}
+
+function handleGetProjects(req, res) {
+  const claudeJson = readJsonFile(CLAUDE_JSON_PATH);
+  const projects = claudeJson.projects || {};
+  const dbRules = db.listPermRules({ listType: 'allow' });
+  const result = Object.entries(projects).map(([projectPath]) => {
+    const allowedTools = dbRules.filter(r => r.project === projectPath).map(r => r.rule);
+    return { path: projectPath, allowedTools };
+  });
+  jsonResponse(res, 200, result);
+}
+
+function handleGetToolPermRules(req, res) {
+  // Merge any new rules Claude Code may have added to JSON files
+  for (const r of collectJsonRules()) {
+    db.addPermRule(r); // INSERT OR IGNORE
+  }
+  // Read from SQLite (source of truth)
+  const allRules = db.listPermRules();
+
+  const rules = [];
+  const denyRules = [];
+  const projectSet = new Set();
+
+  for (const r of allRules) {
+    const entry = { scope: r.scope, project: r.project, rule: r.rule };
+    if (r.list_type === 'allow') rules.push(entry);
+    else denyRules.push(entry);
+    if (r.project !== '__global__') projectSet.add(r.project);
+  }
+
+  // Also include projects from ~/.claude.json that might not have rules
+  const claudeJson = readJsonFile(CLAUDE_JSON_PATH);
+  for (const p of Object.keys(claudeJson.projects || {})) {
+    projectSet.add(p);
+  }
+
+  jsonResponse(res, 200, { rules, denyRules, projects: Array.from(projectSet) });
+}
+
+async function handleSetToolPermRules(req, res) {
+  try {
+    const body = await readBody(req);
+    const { action, rule, project, listType } = body;
+    const lt = listType === 'deny' ? 'deny' : 'allow';
+    const proj = project || '__global__';
+    const scope = proj === '__global__' ? 'global' : 'project';
+
+    if (action === 'add') {
+      db.addPermRule({ rule, listType: lt, scope, project: proj });
+    } else if (action === 'remove') {
+      db.removePermRule({ rule, listType: lt, project: proj });
+    }
+
+    // Sync DB → JSON files
+    syncDbToJsonFiles();
+
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) {
+    jsonResponse(res, 500, { error: e.message });
+  }
+}
+
+async function handlePermAISuggest(req, res) {
+  try {
+    const body = await readBody(req);
+    const query = (body.query || '').toLowerCase().trim();
+    if (!query) return jsonResponse(res, 400, { error: 'No query provided' });
+
+    // Exception mode: context is the parent rule we're adding exceptions to
+    const parentRule = body.parentRule || null;
+    if (parentRule) {
+      return handlePermAIException(res, query, parentRule, body);
+    }
+
+    // Use LLM to interpret the natural language permission request
+    const result = await classifyPermissionIntent(body.query || '');
+    jsonResponse(res, 200, result);
+  } catch (e) {
+    jsonResponse(res, 500, { error: e.message });
+  }
+}
+
+async function classifyPermissionIntent(query) {
+  const prompt = `You are a Claude Code permission rule generator. Given a user's natural language request, output a JSON object with:
+- "listType": "allow" or "deny" (does the user want to ALLOW or BLOCK/DENY this action?)
+- "rules": array of Claude Code permission rule strings
+- "explanation": short explanation of what the rules do
+
+Claude Code permission rule syntax:
+- Bash(command:*) - match any bash command starting with "command" (e.g. Bash(git:*) matches all git commands)
+- Bash(git push:*) - match "git push" with any args
+- Bash(git push) - match bare "git push" with no args
+- Bash(*) - match ALL bash commands
+- Read - allow reading files
+- Edit - allow editing files
+- Write - allow creating/writing files
+- Grep - allow searching file contents
+- Glob - allow finding files by name
+- Agent - allow sub-agents
+- WebSearch - allow web search
+- WebFetch - allow fetching URLs
+- mcp__<server>__* - allow all tools from an MCP server (e.g. mcp__sendgrid__*, mcp__plugin_slack_slack__*)
+
+Deny intent indicators: "stop", "block", "deny", "prevent", "no", "never", "don't allow", "disable", "forbid", "ban"
+Allow intent indicators: "allow", "enable", "approve", "let", "permit", "auto-approve"
+
+For deny rules, be SPECIFIC (e.g. "no push" -> Bash(git push:*), NOT Bash(git:*)).
+For allow rules, match the scope the user requests.
+
+IMPORTANT: Output ONLY the JSON object, no markdown fencing.
+
+User request: "${query.replace(/"/g, '\\"')}"`;
+
+  try {
+    const result = await callClaude([{ role: 'user', content: prompt }], 256);
+    const text = result.content?.[0]?.text || '';
+    const parsed = JSON.parse(text);
+    return {
+      rules: Array.isArray(parsed.rules) ? parsed.rules : [],
+      explanation: parsed.explanation || '',
+      listType: parsed.listType === 'deny' ? 'deny' : 'allow',
+    };
+  } catch (e) {
+    // Fallback: treat as raw rule if it looks like one
+    return { rules: [], explanation: `Failed to interpret: ${e.message}`, listType: 'allow' };
+  }
+}
+
+function handlePermAIException(res, query, parentRule, body) {
+  const rules = [];
+  let explanation = '';
+
+  // Extract the binary from the parent rule (e.g., "git" from "Bash(git:*)")
+  const parentMatch = parentRule.match(/^Bash\(([a-zA-Z0-9_./-]+)/);
+  const parentBin = parentMatch ? parentMatch[1] : null;
+
+  // Check if it looks like a direct rule pattern already
+  if (/^Bash\(/.test(body.query || '')) {
+    rules.push(body.query.trim());
+    explanation = `Add deny rule: ${body.query.trim()}`;
+    return jsonResponse(res, 200, { rules, explanation });
+  }
+
+  if (parentBin) {
+    // Common dangerous subcommand patterns
+    const dangerousPatterns = {
+      'git': {
+        'force push': [`Bash(git push --force:*)`, `Bash(git push -f:*)`],
+        'force': [`Bash(git push --force:*)`, `Bash(git push -f:*)`],
+        'reset hard': [`Bash(git reset --hard:*)`],
+        'clean': [`Bash(git clean -f:*)`, `Bash(git clean -fd:*)`],
+        'delete branch': [`Bash(git branch -D:*)`, `Bash(git branch -d:*)`],
+        'push': [`Bash(git push:*)`],
+        'checkout discard': [`Bash(git checkout -- :*)`],
+        'rebase': [`Bash(git rebase:*)`],
+      },
+      'rm': {
+        'recursive': [`Bash(rm -rf:*)`, `Bash(rm -r:*)`],
+        'force': [`Bash(rm -f:*)`, `Bash(rm -rf:*)`],
+      },
+      'docker': {
+        'prune': [`Bash(docker system prune:*)`, `Bash(docker image prune:*)`],
+        'remove': [`Bash(docker rm:*)`, `Bash(docker rmi:*)`],
+      },
+      'kubectl': {
+        'delete': [`Bash(kubectl delete:*)`],
+        'exec': [`Bash(kubectl exec:*)`],
+      },
+      'npm': {
+        'publish': [`Bash(npm publish:*)`],
+      },
+    };
+
+    // Try to match known dangerous patterns
+    const binPatterns = dangerousPatterns[parentBin] || {};
+    for (const [key, denyRules] of Object.entries(binPatterns)) {
+      if (query.includes(key)) {
+        rules.push(...denyRules);
+        explanation = `Deny ${key} operations for ${parentBin}.`;
+      }
+    }
+
+    // If no pattern matched, try to extract subcommand from the query
+    if (rules.length === 0) {
+      // Remove common filler words
+      const cleaned = query.replace(/\b(don't|dont|do not|no|never|block|deny|prevent|forbid|disallow|except|exclude|ban)\b/g, '').trim();
+      const subWords = cleaned.split(/\s+/).filter(w => w.length > 1 && !/^(the|and|or|a|an|for|to|of|in|with|that|this|from|all|any)$/.test(w));
+
+      if (subWords.length > 0) {
+        const subCmd = subWords.join(' ');
+        rules.push(`Bash(${parentBin} ${subCmd}:*)`);
+        explanation = `Deny "${parentBin} ${subCmd}" commands.`;
+      } else {
+        explanation = `Couldn't parse an exception from "${body.query}". Try specifying a subcommand like "push --force" or "reset --hard".`;
+      }
+    }
+  } else {
+    // Non-Bash rule — just use the raw query as a deny pattern
+    const cleaned = query.replace(/\b(don't|dont|do not|no|never|block|deny|prevent|forbid|disallow|except|exclude|ban)\b/g, '').trim();
+    if (cleaned) {
+      rules.push(cleaned);
+      explanation = `Deny: ${cleaned}`;
+    } else {
+      explanation = `Couldn't parse an exception. Try a specific pattern.`;
+    }
+  }
+
+  jsonResponse(res, 200, { rules, explanation });
+}
+
+function handleGetAlwaysAsk(req, res) {
+  const tools = db.getAlwaysAskTools();
+  jsonResponse(res, 200, { tools });
+}
+
+async function handleSetAlwaysAsk(req, res) {
+  try {
+    const body = await readBody(req);
+    const { tool, alwaysAsk } = body;
+    if (!tool) { jsonResponse(res, 400, { error: 'Missing tool' }); return; }
+    db.setAlwaysAsk(tool, !!alwaysAsk);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) {
+    jsonResponse(res, 500, { error: e.message });
+  }
+}
+
+function handleGetPermCache(req, res) {
+  // Return perm_rules as cache (unified table)
+  const allRules = db.listPermRules({ listType: 'allow' });
+  const cache = allRules.map(r => ({
+    id: r.id,
+    tool_name: r.rule,
+    project_path: r.project,
+    always_ask: r.always_ask || 0,
+    synced_at: r.created_at,
+  }));
+  const alwaysAsk = db.getAlwaysAskTools();
+  jsonResponse(res, 200, { cache, alwaysAsk });
+}
+
+function handleGetScanCache(req, res) {
+  const cached = db.getSetting('perm_scan_cache', null);
+  if (cached) {
+    jsonResponse(res, 200, cached);
+  } else {
+    jsonResponse(res, 200, { tools: [], scannedFiles: 0 });
+  }
+}
+
+function handleScanToolUsage(req, res) {
+  // Scan session JSONL files and extract tool usage, then generalize into rules
+  const { getAllSessionFiles } = require('./session-utils');
+  const allFiles = getAllSessionFiles();
+  const toolUsage = {}; // tool_name -> { count, commands: Map<binary, Set<subcmds>>, projects: Set }
+
+  const recentFiles = allFiles
+    .map(f => ({ ...f, mtime: fs.statSync(f.filePath).mtime }))
+    .sort((a, b) => b.mtime - a.mtime)
+    .slice(0, 50);
+
+  for (const { filePath, projectPath } of recentFiles) {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      for (const line of content.split('\n')) {
+        if (!line.includes('tool_use')) continue;
+        try {
+          const obj = JSON.parse(line);
+          const msg = obj.message;
+          if (!msg || !Array.isArray(msg.content)) continue;
+          for (const block of msg.content) {
+            if (block.type !== 'tool_use') continue;
+            const name = block.name;
+            if (!name) continue;
+            if (!toolUsage[name]) toolUsage[name] = { count: 0, commands: new Map(), projects: new Set() };
+            toolUsage[name].count++;
+            toolUsage[name].projects.add(projectPath);
+            const inp = block.input || {};
+            if (inp.command) {
+              // Extract the first pipeline segment, get binary + subcommand
+              const firstCmd = inp.command.trim().split(/[|;&\n]/)[0].trim();
+              const parts = firstCmd.split(/\s+/);
+              let binary = parts[0] || '';
+              // Skip noise: comments, env vars, cd, shell builtins
+              if (/^[#$]/.test(binary) || ['cd', 'echo', 'export', 'source', 'true', 'false', 'set', 'unset', 'if', 'then', 'else', 'fi', 'for', 'do', 'done', 'while', 'test', '[', '[['].includes(binary)) binary = '';
+              // Handle env-prefixed commands: VAR=val command -> command
+              if (binary && /^[A-Z_]+=/.test(binary)) {
+                const envIdx = parts.findIndex(p => !/^[A-Z_]+=/.test(p));
+                if (envIdx > 0) binary = parts[envIdx] || '';
+                else binary = ''; // pure env assignment, skip
+              }
+              // Skip strings that look like tokens, hashes, or paths with = signs
+              if (/[0-9a-f]{16,}/.test(binary) || binary.includes('=')) binary = '';
+              const binIdx = parts.indexOf(binary);
+              const subcmd = binIdx >= 0 ? parts.slice(binIdx + 1, binIdx + 3).join(' ') : '';
+              if (binary && /^[a-zA-Z]/.test(binary)) {
+                if (!toolUsage[name].commands.has(binary)) {
+                  toolUsage[name].commands.set(binary, new Set());
+                }
+                if (subcmd) toolUsage[name].commands.get(binary).add(subcmd);
+              }
+            }
+          }
+        } catch {}
+      }
+    } catch {}
+  }
+
+  // Read existing rules from SQLite (source of truth)
+  const existingRules = new Set();
+  for (const r of db.listPermRules({ listType: 'allow' })) {
+    existingRules.add(r.rule);
+  }
+
+  // Build generalized suggestions
+  const result = Object.entries(toolUsage)
+    .map(([name, data]) => {
+      const suggestions = [];
+
+      if (name === 'Bash' && data.commands.size > 0) {
+        // Group Bash commands by binary and suggest generalized rules
+        for (const [binary, subcmds] of data.commands) {
+          const broadRule = `Bash(${binary}:*)`;
+          const altBroadRule = `Bash(${binary} *)`;
+          // Check if any existing rule already covers this binary
+          const coveredBy = Array.from(existingRules).find(r => {
+            if (r === 'Bash' || r === 'Bash(*)') return true;
+            if (r === broadRule || r === altBroadRule) return true;
+            // Check patterns like Bash(git:*) or Bash(git *)
+            const m = r.match(/^Bash\((.+?)[\s:]\*\)$/);
+            if (m && m[1] === binary) return true;
+            return false;
+          });
+          suggestions.push({
+            rule: broadRule,
+            label: binary,
+            subcmds: Array.from(subcmds).slice(0, 8),
+            count: subcmds.size + 1,
+            covered: !!coveredBy,
+            coveredBy: coveredBy || null,
+          });
+        }
+        // Sort: uncovered first, then by subcommand count
+        suggestions.sort((a, b) => (a.covered - b.covered) || (b.count - a.count));
+      } else {
+        // Non-Bash tools: just check if the tool name is already approved
+        const covered = existingRules.has(name);
+        suggestions.push({
+          rule: name,
+          label: name,
+          subcmds: [],
+          count: data.count,
+          covered,
+          coveredBy: covered ? name : null,
+        });
+      }
+
+      return {
+        name,
+        count: data.count,
+        suggestions,
+        projects: Array.from(data.projects),
+      };
+    })
+    .sort((a, b) => b.count - a.count);
+
+  // Cache scan results in DB
+  const scanData = { tools: result, scannedFiles: recentFiles.length, scannedAt: new Date().toISOString() };
+  db.setSetting('perm_scan_cache', scanData);
+
+  jsonResponse(res, 200, scanData);
+}
+
+// --- Auto Approvals ---
+function handleListAutoApprovals(req, res) {
+  jsonResponse(res, 200, { rules: db.listAutoApprovals() });
+}
+
+async function handleUpsertAutoApproval(req, res) {
+  try {
+    const body = await readBody(req);
+    db.upsertAutoApproval(body);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+async function handleToggleAutoApproval(req, res) {
+  try {
+    const { id, enabled } = await readBody(req);
+    db.toggleAutoApproval(id, enabled);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeleteAutoApproval(req, res, id) {
+  db.deleteAutoApproval(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+async function handleScanAutoApprovals(req, res) {
+  // Scan session JSONL files and find approval patterns:
+  // assistant asks a question -> user responds with short affirmative
+  const { getAllSessionFiles } = require('./session-utils');
+  const allFiles = getAllSessionFiles();
+  const recentFiles = allFiles
+    .map(f => { try { return { ...f, mtime: fs.statSync(f.filePath).mtime }; } catch { return null; } })
+    .filter(Boolean)
+    .sort((a, b) => b.mtime - a.mtime)
+    .slice(0, 200);
+
+  const AFFIRMATIVES = new Set([
+    'y', 'yes', 'yes please', 'yes, please', 'go ahead', 'proceed',
+    'ok', 'sure', 'do it', 'yep', 'yeah', 'confirm', 'approved',
+    'continue', 'looks good', 'lgtm', 'go for it',
+  ]);
+
+  const approvalPairs = []; // { question, response, file }
+
+  for (const { filePath } of recentFiles) {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const entries = [];
+      for (const line of content.split('\n')) {
+        if (!line) continue;
+        try { entries.push(JSON.parse(line)); } catch {}
+      }
+
+      for (let i = 0; i < entries.length; i++) {
+        const obj = entries[i];
+        if (obj.type !== 'user') continue;
+        const msg = obj.message;
+        if (!msg) continue;
+        const ct = msg.content;
+        let text = '';
+        if (typeof ct === 'string') text = ct.trim();
+        else if (Array.isArray(ct)) {
+          text = ct.filter(c => c.type === 'text').map(c => c.text).join(' ').trim();
+        }
+        if (!text || text.length > 40) continue;
+        if (!AFFIRMATIVES.has(text.toLowerCase().replace(/[!.,?]+$/, '').trim())) continue;
+
+        // Find preceding assistant message
+        for (let j = i - 1; j >= Math.max(i - 5, 0); j--) {
+          if (entries[j].type !== 'assistant') continue;
+          const amsg = entries[j].message;
+          if (!amsg) break;
+          const act = amsg.content;
+          let atext = '';
+          if (typeof act === 'string') atext = act;
+          else if (Array.isArray(act)) {
+            atext = act.filter(c => c.type === 'text').map(c => c.text).join(' ');
+          }
+          if (!atext) break;
+          // Get the last portion that likely contains the question
+          const lastPart = atext.slice(-500).trim();
+          if (lastPart) {
+            approvalPairs.push({
+              question: lastPart,
+              response: text,
+              file: path.basename(filePath, '.jsonl').slice(0, 12),
+            });
+          }
+          break;
+        }
+      }
+    } catch {}
+  }
+
+  if (approvalPairs.length === 0) {
+    jsonResponse(res, 200, { suggestions: [], scannedFiles: recentFiles.length });
+    return;
+  }
+
+  // Use Claude to categorize and propose auto-approval rules
+  try {
+    const samplePairs = approvalPairs.slice(0, 30);
+    const prompt = `Analyze these approval interactions from Claude Code sessions. Each pair shows what Claude asked and the user's approval response.
+
+${samplePairs.map((p, i) => `${i + 1}. Claude asked (last part): "${p.question.slice(-300)}"
+   User responded: "${p.response}"`).join('\n\n')}
+
+Categorize these into distinct auto-approval SCENARIOS. For each scenario:
+1. Give it a short label (e.g. "Commit changes", "Create file", "Run tests")
+2. Give it a category (one of: "git", "file-ops", "code-changes", "testing", "deployment", "other")
+3. Create a regex pattern that would match the assistant's question text (match the last line or key phrase). Use simple patterns.
+4. Count how many of the ${samplePairs.length} examples match this scenario
+
+Return ONLY a JSON array (no markdown fences) of objects:
+[{"label": "...", "category": "...", "pattern": "...", "count": N, "example": "short example of what Claude asks"}]
+
+Merge similar scenarios. Aim for 3-10 distinct scenarios. Only include scenarios with count >= 1.`;
+
+    const result = await callClaude([{ role: 'user', content: prompt }], 2048);
+    const text = result.content?.[0]?.text || result;
+    const match = (typeof text === 'string' ? text : '').match(/\[[\s\S]*\]/);
+    if (!match) {
+      jsonResponse(res, 200, { suggestions: [], scannedFiles: recentFiles.length, rawPairs: approvalPairs.length });
+      return;
+    }
+    const suggestions = JSON.parse(match[0]);
+    // Add default response
+    for (const s of suggestions) {
+      s.response = 'yes';
+      s.occurrences = s.count || 0;
+    }
+    jsonResponse(res, 200, { suggestions, scannedFiles: recentFiles.length, rawPairs: approvalPairs.length });
+  } catch (e) {
+    // Fallback: generate basic suggestions from raw pairs without AI
+    const suggestions = generateFallbackSuggestions(approvalPairs);
+    jsonResponse(res, 200, {
+      suggestions,
+      scannedFiles: recentFiles.length,
+      rawPairs: approvalPairs.length,
+      warning: 'AI categorization unavailable, using pattern matching: ' + e.message,
+    });
+  }
+}
+
+function generateFallbackSuggestions(pairs) {
+  // Categorize pairs by simple keyword matching on the question
+  const categories = [
+    { label: 'Commit changes', category: 'git', keywords: ['commit', 'shall i commit', 'go ahead and commit'], pattern: 'Shall I (go ahead and )?commit' },
+    { label: 'Proceed with changes', category: 'code-changes', keywords: ['proceed', 'shall i proceed', 'should i proceed'], pattern: 'Shall I proceed' },
+    { label: 'Create files', category: 'file-ops', keywords: ['create', 'shall i create', 'create the file', 'create these files'], pattern: 'Shall I create' },
+    { label: 'Run tests', category: 'testing', keywords: ['run the test', 'run tests', 'execute test'], pattern: 'run (the )?tests?' },
+    { label: 'Push changes', category: 'git', keywords: ['push', 'shall i push', 'go ahead and push'], pattern: 'Shall I (go ahead and )?push' },
+    { label: 'Delete/remove', category: 'file-ops', keywords: ['delete', 'remove', 'shall i delete', 'shall i remove'], pattern: 'Shall I (delete|remove)' },
+    { label: 'Install dependencies', category: 'deployment', keywords: ['install', 'npm install', 'pip install'], pattern: '(npm|pip|yarn) install' },
+    { label: 'Continue task', category: 'other', keywords: ['continue', 'shall i continue', 'should i continue'], pattern: 'Shall I continue' },
+  ];
+
+  const results = [];
+  const unmatched = [];
+
+  for (const pair of pairs) {
+    const q = pair.question.toLowerCase();
+    let matched = false;
+    for (const cat of categories) {
+      if (cat.keywords.some(k => q.includes(k))) {
+        cat._count = (cat._count || 0) + 1;
+        cat._example = pair.question.slice(-100);
+        matched = true;
+        break;
+      }
+    }
+    if (!matched) unmatched.push(pair);
+  }
+
+  for (const cat of categories) {
+    if (cat._count > 0) {
+      results.push({
+        label: cat.label,
+        category: cat.category,
+        pattern: cat.pattern,
+        count: cat._count,
+        occurrences: cat._count,
+        response: 'yes',
+        example: cat._example,
+      });
+    }
+  }
+
+  // Group remaining unmatched by last sentence pattern
+  if (unmatched.length > 0) {
+    results.push({
+      label: 'Other confirmations',
+      category: 'other',
+      pattern: '(Shall|Should) I',
+      count: unmatched.length,
+      occurrences: unmatched.length,
+      response: 'yes',
+      example: unmatched[0].question.slice(-100),
+    });
+  }
+
+  return results;
+}
+
+// --- Prompt Queue ---
+function handleListQueues(req, res) {
+  jsonResponse(res, 200, queueEngine.getAllStates());
+}
+
+async function handleCreateQueue(req, res) {
+  try {
+    const body = await readBody(req);
+    const { sessionId, mode, items, idleTimeoutMs, autoStart } = body;
+    if (!sessionId || !Array.isArray(items) || items.length === 0) {
+      return jsonResponse(res, 400, { error: 'sessionId and non-empty items[] required' });
+    }
+    let state = queueEngine.createQueue(sessionId, { mode, items, idleTimeoutMs });
+    if (autoStart) {
+      state = queueEngine.start(sessionId) || state;
+    }
+    jsonResponse(res, 201, state);
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleGetQueue(req, res, sessionId) {
+  const state = queueEngine.getState(sessionId);
+  if (!state) return jsonResponse(res, 404, { error: 'No queue for this session' });
+  jsonResponse(res, 200, state);
+}
+
+function handleDeleteQueue(req, res, sessionId) {
+  queueEngine.deleteQueue(sessionId);
+  jsonResponse(res, 200, { ok: true });
+}
+
+async function handleQueueAction(req, res, sessionId, action) {
+  let state;
+  switch (action) {
+    case 'start': state = queueEngine.start(sessionId); break;
+    case 'pause': state = queueEngine.pause(sessionId); break;
+    case 'resume': state = queueEngine.resume(sessionId); break;
+    case 'next': state = queueEngine.sendNext(sessionId); break;
+    case 'skip': state = queueEngine.skip(sessionId); break;
+    case 'stop': state = queueEngine.stop(sessionId); break;
+    case 'mode': {
+      try {
+        const body = await readBody(req);
+        state = queueEngine.setMode(sessionId, body.mode);
+      } catch (e) { return jsonResponse(res, 400, { error: e.message }); }
+      break;
+    }
+  }
+  if (!state) return jsonResponse(res, 404, { error: 'No queue for this session' });
+  jsonResponse(res, 200, state);
+}
+
+// --- Queue-Prompt Linked Items (cross-session search) ---
+
+function handleGetQueueLinkedItems(req, res, promptId) {
+  const drafts = db.getSettingsByPrefix('queue_draft_');
+  const linked = [];
+  for (const { key, value } of drafts) {
+    const sessionId = key.replace('queue_draft_', '');
+    const items = value.items || [];
+    // Use == for loose comparison (promptId may be string or number in stored JSON)
+    const matches = items.filter(i => i.type === 'prompt' && i.promptId == promptId);
+    if (matches.length > 0) {
+      linked.push({ sessionId, count: matches.length });
+    }
+  }
+  jsonResponse(res, 200, { promptId, linked, totalCount: linked.reduce((s, l) => s + l.count, 0) });
+}
+
+function handleDeleteQueueLinkedItems(req, res, promptId) {
+  const drafts = db.getSettingsByPrefix('queue_draft_');
+  let totalRemoved = 0;
+  for (const { key, value } of drafts) {
+    const items = value.items || [];
+    const filtered = items.filter(i => !(i.type === 'prompt' && i.promptId == promptId));
+    if (filtered.length !== items.length) {
+      totalRemoved += items.length - filtered.length;
+      value.items = filtered;
+      db.setSetting(key, value);
+    }
+  }
+  jsonResponse(res, 200, { ok: true, removed: totalRemoved });
+}
+
+// --- Queue Draft (per-session builder state persisted to DB) ---
+
+function handleGetQueueDraft(req, res, sessionId) {
+  const key = 'queue_draft_' + sessionId;
+  const draft = db.getSetting(key, { items: [], mode: 'manual' });
+  jsonResponse(res, 200, draft);
+}
+
+async function handleSaveQueueDraft(req, res, sessionId) {
+  const body = await readBody(req);
+  const key = 'queue_draft_' + sessionId;
+  const existing = db.getSetting(key, { items: [], mode: 'manual' });
+  if (body.items !== undefined) existing.items = body.items;
+  if (body.mode !== undefined) existing.mode = body.mode;
+  db.setSetting(key, existing);
+  jsonResponse(res, 200, { ok: true });
+}
+
+function handleDeleteQueueDraft(req, res, sessionId) {
+  const key = 'queue_draft_' + sessionId;
+  db.setSetting(key, { items: [], mode: 'manual' });
+  jsonResponse(res, 200, { ok: true });
+}
+
+// --- Approval Rules (AI Agent) handlers ---
+function handleListApprovalRules(req, res) {
+  jsonResponse(res, 200, {
+    rules: db.listApprovalRules(),
+    decisions: db.listApprovalDecisions({ limit: 20 }),
+    pending: db.getPendingEscalations(),
+  });
+}
+
+async function handleUpsertApprovalRule(req, res) {
+  try {
+    const body = await readBody(req);
+    db.upsertApprovalRule(body);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+async function handleToggleApprovalRule(req, res) {
+  try {
+    const { id, enabled } = await readBody(req);
+    db.toggleApprovalRule(id, enabled);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handleDeleteApprovalRule(req, res, id) {
+  db.deleteApprovalRule(id);
+  jsonResponse(res, 200, { ok: true });
+}
+
+function handleListApprovalDecisions(req, res) {
+  const url = new URL(req.url, `http://${req.headers.host}`);
+  const limit = parseInt(url.searchParams.get('limit')) || 50;
+  const sessionId = url.searchParams.get('sessionId') || null;
+  jsonResponse(res, 200, { decisions: db.listApprovalDecisions({ limit, sessionId }) });
+}
+
+async function handleResolveApprovalDecision(req, res, id) {
+  try {
+    const { decision, sessionId } = await readBody(req);
+    db.resolveApprovalDecision(id, decision);
+
+    // If user approved, send "1" to the session terminal
+    if (decision === 'approved' && sessionId) {
+      const { sessions } = require('./server-state');
+      const session = sessions?.get(sessionId);
+      if (session?.ptyProcess) {
+        session.ptyProcess.write('1\n');
+      }
+    }
+    // If user denied, send "2" to the session terminal
+    if (decision === 'denied' && sessionId) {
+      const { sessions } = require('./server-state');
+      const session = sessions?.get(sessionId);
+      if (session?.ptyProcess) {
+        session.ptyProcess.write('2\n');
+      }
+    }
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+// --- Harvest & Autocomplete & Copilot ---
+
+function handleHarvestPreview(req, res) {
+  try {
+    jsonResponse(res, 200, harvest.getHarvestPreview());
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+async function handleRunHarvest(req, res) {
+  try {
+    const body = await readBody(req);
+    const result = harvest.runHarvest({
+      scope: body.scope || 'incremental',
+      maxDays: body.maxDays,
+      projectFilter: body.projectFilter,
+    });
+    harvest.invalidateAutocompleteCache();
+    jsonResponse(res, 200, result);
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+function handleAutocomplete(req, res, url) {
+  const q = url.searchParams.get('q') || '';
+  const limit = parseInt(url.searchParams.get('limit')) || 8;
+  jsonResponse(res, 200, { results: harvest.searchAutocomplete(q, limit) });
+}
+
+function handleSimilarPrompts(req, res, url) {
+  const text = url.searchParams.get('text') || '';
+  const limit = parseInt(url.searchParams.get('limit')) || 5;
+  jsonResponse(res, 200, { results: harvest.findSimilarPrompts(text, limit) });
+}
+
+function handleListPatterns(req, res) {
+  try {
+    const d = db.getDb();
+    const patterns = d.prepare('SELECT * FROM prompt_patterns ORDER BY frequency DESC LIMIT 50').all();
+    jsonResponse(res, 200, { patterns });
+  } catch (e) { jsonResponse(res, 200, { patterns: [] }); }
+}
+
+function handleDetectPatterns(req, res) {
+  try {
+    const patterns = harvest.detectPatterns();
+    jsonResponse(res, 200, { patterns, count: patterns.length });
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+async function handleCopilotSuggest(req, res) {
+  try {
+    const body = await readBody(req);
+    const result = await harvest.getCopilotSuggestion(body.text || '', {
+      projectPath: body.projectPath,
+      promptId: body.promptId,
+    });
+    jsonResponse(res, 200, result || { suggestion: null });
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+async function handleCopilotChat(req, res) {
+  try {
+    const body = await readBody(req);
+    const result = await harvest.copilotChat(body.message || '', body.history || []);
+    jsonResponse(res, 200, result);
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+function handleListExecutions(req, res, url) {
+  try {
+    const d = db.getDb();
+    const limit = parseInt(url.searchParams.get('limit')) || 50;
+    const role = url.searchParams.get('role') || null;
+    const project = url.searchParams.get('project') || null;
+    let sql = 'SELECT * FROM prompt_executions WHERE 1=1';
+    const params = [];
+    if (role) { sql += ' AND role = ?'; params.push(role); }
+    if (project) { sql += ' AND project_path LIKE ?'; params.push('%' + project + '%'); }
+    sql += ' ORDER BY executed_at DESC LIMIT ?';
+    params.push(limit);
+    jsonResponse(res, 200, { executions: d.prepare(sql).all(...params) });
+  } catch (e) { jsonResponse(res, 200, { executions: [] }); }
+}
+
+function handleSessionExecutions(req, res, sessionId) {
+  try {
+    const result = harvest.getPromptsForSession(sessionId);
+    jsonResponse(res, 200, result);
+  } catch (e) { jsonResponse(res, 200, { executions: [], sentPrompts: [] }); }
+}
+
+async function handleSetOutcome(req, res, id) {
+  try {
+    const body = await readBody(req);
+    harvest.setExecutionOutcome(id, body.outcome, body.notes);
+    jsonResponse(res, 200, { ok: true });
+  } catch (e) { jsonResponse(res, 400, { error: e.message }); }
+}
+
+function handlePromptSessions(req, res, promptId) {
+  try {
+    const sessions = harvest.getSessionsForPrompt(promptId);
+    jsonResponse(res, 200, { sessions });
+  } catch (e) { jsonResponse(res, 200, { sessions: [] }); }
+}
+
+function handleFrequentQuestions(req, res, url) {
+  try {
+    const limit = parseInt(url.searchParams.get('limit')) || 20;
+    jsonResponse(res, 200, { questions: harvest.getFrequentQuestions(limit) });
+  } catch (e) { jsonResponse(res, 200, { questions: [] }); }
+}
+
+function handleLifecycleRefresh(req, res) {
+  try {
+    const result = harvest.refreshLifecycleStatuses();
+    jsonResponse(res, 200, result);
+  } catch (e) { jsonResponse(res, 500, { error: e.message }); }
+}
+
+module.exports = { handlePromptApi, queueEngine, importPermissionsToDb };