npm - crewswarm - Versions diffs - 0.9.1 → 0.9.3 - Mend

crewswarm 0.9.1 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/lib/bridges/tmux-bridge.mjs ADDED Viewed

@@ -0,0 +1,200 @@
+/**
+ * tmux-bridge adapter — thin wrapper around smux's tmux-bridge CLI
+ *
+ * Provides agent-to-agent pane communication when running inside a tmux session
+ * with smux installed. All functions degrade to no-ops when unavailable.
+ *
+ * Opt-in: requires $TMUX set, `tmux-bridge` on PATH, and
+ *   CREWSWARM_TMUX_BRIDGE=1 env var (or tmuxBridge: true in system config).
+ */
+import { execFileSync, execSync } from "node:child_process";
+function which(bin) {
+  try { execSync(`which ${bin}`, { stdio: "ignore" }); return true; } catch { return false; }
+}
+// ── Detection & caching ─────────────────────────────────────────────────────
+let _available = null;
+let _ownPaneId = null;
+const _resolveCache = new Map(); // label → { paneId, ts }
+const RESOLVE_TTL_MS = 30_000;
+const TMUX_BRIDGE_BIN = process.env.SMUX_BRIDGE_BIN || "tmux-bridge";
+function exec(args, { timeout = 5000 } = {}) {
+  try {
+    return execFileSync(TMUX_BRIDGE_BIN, args, {
+      encoding: "utf8",
+      timeout,
+      stdio: ["ignore", "pipe", "pipe"],
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+/**
+ * Check if tmux-bridge is available and opted-in.
+ * Result is cached for the process lifetime.
+ */
+export function detect() {
+  if (_available !== null) return _available;
+  // Must be inside a tmux session
+  if (!process.env.TMUX) {
+    _available = false;
+    return false;
+  }
+  // Must have tmux-bridge binary
+  if (!which(TMUX_BRIDGE_BIN)) {
+    _available = false;
+    return false;
+  }
+  // Must be opted-in via env var or config
+  const envFlag = process.env.CREWSWARM_TMUX_BRIDGE;
+  if (!envFlag || envFlag === "0" || envFlag === "false") {
+    _available = false;
+    return false;
+  }
+  _available = true;
+  return true;
+}
+/**
+ * Get this process's own tmux pane ID.
+ * @returns {string|null} e.g. "%3"
+ */
+export function id() {
+  if (!detect()) return null;
+  if (_ownPaneId) return _ownPaneId;
+  _ownPaneId = exec(["id"]);
+  return _ownPaneId;
+}
+/**
+ * Label a pane with an agent ID so other agents can discover it.
+ * @param {string} agentId - CrewSwarm agent ID (e.g. "crew-coder")
+ * @param {string} [paneId] - Target pane ID. Defaults to own pane.
+ * @returns {boolean} success
+ */
+export function label(agentId, paneId) {
+  if (!detect()) return false;
+  const target = paneId || id();
+  if (!target) return false;
+  const result = exec(["name", target, agentId]);
+  if (result !== null) {
+    // Update cache
+    _resolveCache.set(agentId, { paneId: target, ts: Date.now() });
+    return true;
+  }
+  return false;
+}
+/**
+ * Resolve an agent ID to a tmux pane ID.
+ * @param {string} agentId
+ * @returns {string|null} pane ID or null
+ */
+export function resolve(agentId) {
+  if (!detect()) return null;
+  // Check cache
+  const cached = _resolveCache.get(agentId);
+  if (cached && (Date.now() - cached.ts) < RESOLVE_TTL_MS) {
+    return cached.paneId;
+  }
+  const paneId = exec(["resolve", agentId]);
+  if (paneId) {
+    _resolveCache.set(agentId, { paneId, ts: Date.now() });
+  }
+  return paneId;
+}
+/**
+ * Read the last N lines from an agent's pane.
+ * Also satisfies the read-guard requirement for subsequent sends.
+ * @param {string} agentId
+ * @param {number} [lines=50]
+ * @returns {string|null} pane content or null
+ */
+export function read(agentId, lines = 50) {
+  if (!detect()) return null;
+  const paneId = resolve(agentId);
+  if (!paneId) return null;
+  const output = exec(["read", paneId, String(lines)]);
+  return output;
+}
+/**
+ * Send text to an agent's pane followed by Enter.
+ * Reads the pane before each write command to satisfy tmux-bridge's read-guard
+ * (the guard is consumed on every type/keys call).
+ * @param {string} agentId
+ * @param {string} text
+ * @returns {boolean} success
+ */
+export function send(agentId, text) {
+  if (!detect()) return false;
+  const paneId = resolve(agentId);
+  if (!paneId) return false;
+  // Read-guard is consumed on each type/keys call, so read before each one
+  exec(["read", paneId, "1"]);
+  const typeResult = exec(["type", paneId, text]);
+  if (typeResult === null) return false;
+  exec(["read", paneId, "1"]);
+  const keyResult = exec(["keys", paneId, "Enter"]);
+  return keyResult !== null;
+}
+/**
+ * List all tmux panes with their labels and metadata.
+ * @returns {Array<{paneId: string, label: string, raw: string}>}
+ */
+export function list() {
+  if (!detect()) return [];
+  const raw = exec(["list"]);
+  if (!raw) return [];
+  // Parse tmux-bridge list output:
+  //   TARGET   SESSION:WIN      SIZE       PROCESS                   LABEL      CWD
+  //   %0       crewtest:0       120x29     -zsh                      crew-coder ~/CrewSwarm
+  const lines = raw.split("\n").filter(Boolean);
+  // Skip header row (starts with "TARGET")
+  return lines
+    .filter(line => line.trimStart().startsWith("%"))
+    .map(line => {
+      const parts = line.split(/\s+/).filter(Boolean);
+      return {
+        paneId: parts[0] || "",
+        session: parts[1] || "",
+        size: parts[2] || "",
+        process: parts[3] || "",
+        label: (parts[4] && parts[4] !== "-") ? parts[4] : "",
+        cwd: parts[5] || "",
+        raw: line,
+      };
+    });
+}
+/**
+ * Clear the resolve cache (useful after pane layout changes).
+ */
+export function clearCache() {
+  _resolveCache.clear();
+}
+/**
+ * Reset detection state (for testing).
+ */
+export function _reset() {
+  _available = null;
+  _ownPaneId = null;
+  clearCache();
+}

package/lib/cli-process-tracker.mjs CHANGED Viewed

@@ -160,7 +160,8 @@ export function getActiveProcesses() {
     idleFor: now - proc.lastActivity,
     outputLines: proc.outputLines,
     chatId: proc.chatId,
-    sessionId: proc.sessionId
+    sessionId: proc.sessionId,
+    tmuxSessionId: proc.tmuxSessionId || null
   }));
 }

package/lib/crew-lead/chat-handler.mjs CHANGED Viewed

@@ -2577,6 +2577,40 @@ Reply with your answers and I'll turn this into a concrete build plan with file
           ...(usedFallback ? { fallbackReason } : {}),
         },
       });
+      // Route @mentions in assistant replies — crew-lead can autonomously dispatch
+      if (replyMentions.length && channelMode) {
+        try {
+          const {
+            handleAutonomousMentions: routeMentions,
+            detectMentionTargets,
+          } = await import("../chat/autonomous-mentions.mjs");
+          const mentionTargets = detectMentionTargets(historyReply);
+          const mentionRoute = classifySharedChatMention(historyReply);
+          if (mentionTargets.length && mentionRoute.mode === "dispatch") {
+            void routeMentions({
+              message: { content: historyReply },
+              sender: "crew-lead",
+              channel: sharedChannel,
+              projectId: sharedChannel,
+              sessionId,
+              projectDir: explicitProjectDir || activeProjectOutputDir || null,
+              originMessageId: assistantMessageId,
+              originThreadId: sharedThreadId,
+              chatHistory: loadProjectMessages(sharedChannel, {
+                limit: 10,
+                threadId: sharedThreadId,
+                excludeDirect: true,
+              }),
+              broadcastSSE: _deps.broadcastSSE,
+            }).catch((err) => {
+              console.warn(`[chat-handler] Assistant mention routing failed: ${err.message}`);
+            });
+          }
+        } catch (mentionErr) {
+          console.warn(`[chat-handler] Assistant mention dispatch error: ${mentionErr.message}`);
+        }
+      }
     } catch (e) {
       console.warn(
         `[chat-handler] Failed to save assistant message to project store: ${e.message}`,

package/lib/crew-lead/http-server.mjs CHANGED Viewed

@@ -20,7 +20,7 @@ import {
 import { shouldSkipGeminiPassthroughLine } from "../gemini-cli-passthrough-noise.mjs";
 import { applyProjectDirToPipelineSteps } from "../dispatch/parsers.mjs";
 import { normalizeProjectDir } from "../runtime/project-dir.mjs";
-import { CREWSWARM_REPO_ROOT } from "../runtime/config.mjs";
+import { CREWSWARM_REPO_ROOT, loadSwarmConfig } from "../runtime/config.mjs";
 import { resolveCursorLaunchSpec } from "../engines/cursor-launcher.mjs";
 let _deps = {};
@@ -1087,6 +1087,7 @@ export function createAndStartServer(PORT) {
     bgConsciousnessIntervalMs,
     cursorWavesRef,
     claudeCodeRef,
+    tmuxBridgeRef,
   } = _deps;
   // Debug: verify critical deps
@@ -3531,6 +3532,9 @@ export function createAndStartServer(PORT) {
           sessionId: reqSessionId,
           injectHistory,
           model: reqModel,
+          permissionMode: reqPermissionMode,
+          sandbox: reqSandbox,
+          forceL2: reqForceL2,
         } = JSON.parse(body || "{}");
         if (!message) {
           json(res, 400, { ok: false, error: "message required" });
@@ -3761,7 +3765,7 @@ export function createAndStartServer(PORT) {
               "never",
               "exec",
               "--sandbox",
-              "danger-full-access",
+              reqSandbox || "danger-full-access",
               "--skip-git-repo-check",
               "--color",
               "never",
@@ -3858,12 +3862,16 @@ export function createAndStartServer(PORT) {
             "-p",
             "--setting-sources",
             "user",
-            "--dangerously-skip-permissions",
             "--output-format",
             "stream-json",
             "--verbose",
             "--include-partial-messages",
           ];
+          if (reqPermissionMode) {
+            args.push("--permission-mode", reqPermissionMode);
+          } else {
+            args.push("--dangerously-skip-permissions");
+          }
           if (projectDir) args.push("--add-dir", projectDir);
           if (reqModel) args.push("--model", reqModel);
           // Prefer --resume <session-id> for per-project isolation; fall back to --continue (most recent global)
@@ -3876,7 +3884,10 @@ export function createAndStartServer(PORT) {
           } else if (continueSession) {
             args.push("--continue");
           }
-          args.push(finalMessage);
+          // Skip user MCP servers to avoid 30s+ init hangs
+          args.push("--strict-mcp-config", "--mcp-config", path.join(os.homedir(), ".crewswarm", "config", "empty-mcp.json"));
+          // -- separates flags from prompt (--mcp-config is variadic and eats positional args)
+          args.push("--", finalMessage);
         }
         send({ type: "start", engine, message: message.slice(0, 80) });
@@ -3900,9 +3911,22 @@ export function createAndStartServer(PORT) {
         const spawnCwd =
           engine === "claude" && projectDir ? "/tmp" : projectDir;
+        // Merge crewswarm.json env vars into spawn env (crew-cli L2, model overrides, etc.)
+        const spawnEnv = { ...process.env };
+        try {
+          const _sysCfg = loadSwarmConfig();
+          if (_sysCfg?.env && typeof _sysCfg.env === "object") {
+            for (const [k, v] of Object.entries(_sysCfg.env)) {
+              if (!spawnEnv[k] && v != null) spawnEnv[k] = String(v);
+            }
+          }
+        } catch {}
+        // Force L2 planner for crew-cli when requested (enhance-prompt planner path)
+        if (reqForceL2) spawnEnv.CREW_FORCE_L2 = "true";
         const proc = _spawn(bin, args, {
           cwd: spawnCwd,
-          env: process.env,
+          env: spawnEnv,
           stdio: ["ignore", "pipe", "pipe"],
         });
         let lineBuffer = "";
@@ -3915,7 +3939,7 @@ export function createAndStartServer(PORT) {
         let passthroughGracefulEnd = false;
         const passthroughTimeoutMs = Number(
-          process.env.CREWSWARM_PASSTHROUGH_TIMEOUT_MS || "240000",
+          process.env.CREWSWARM_PASSTHROUGH_TIMEOUT_MS || "300000",
         );
         const passthroughWatchdog = setTimeout(() => {
           send({
@@ -4206,15 +4230,33 @@ export function createAndStartServer(PORT) {
           // crew-cli special handling: extract JSON from output (skipping logs) and send only response field
           if (engine === "crew-cli" && fullOutput.trim()) {
             try {
-              // crew-cli may emit logs before JSON - use regex to find the JSON object
-              // Pattern matches: crew chat --json outputs "chat.result"
-              const jsonMatch = fullOutput.match(
-                /\{[\s\S]*"kind":\s*"chat\.result"[\s\S]*\}/,
-              );
-              if (!jsonMatch) {
-                throw new Error("No chat.result JSON found in output");
+              // crew-cli emits logs before JSON — find the JSON by scanning for the last
+              // line that starts with { and contains "chat.result"
+              const lines = fullOutput.split("\n");
+              let jsonStart = -1;
+              for (let i = lines.length - 1; i >= 0; i--) {
+                if (lines[i].trimStart().startsWith("{") && fullOutput.indexOf('"kind"') >= 0) {
+                  jsonStart = i;
+                  break;
+                }
+              }
+              if (jsonStart < 0) {
+                throw new Error("No JSON object found in crew-cli output");
+              }
+              // Collect from jsonStart to end, parse
+              const jsonCandidate = lines.slice(jsonStart).join("\n");
+              let parsed;
+              try {
+                parsed = JSON.parse(jsonCandidate);
+              } catch {
+                // Try to find just the response field with regex
+                const respMatch = jsonCandidate.match(/"response":\s*"((?:[^"\\]|\\.)*)"/);
+                if (respMatch) {
+                  parsed = { response: respMatch[1].replace(/\\n/g, "\n").replace(/\\"/g, '"') };
+                } else {
+                  throw new Error("Failed to parse crew-cli JSON output");
+                }
               }
-              const parsed = JSON.parse(jsonMatch[0]);
               if (parsed.response) {
                 const responseText = typeof parsed.response === 'string'
                   ? parsed.response
@@ -4580,6 +4622,46 @@ export function createAndStartServer(PORT) {
         }
       }
+      // GET/POST /api/settings/tmux-bridge — toggle tmux-bridge session layer at runtime
+      if (url.pathname === "/api/settings/tmux-bridge") {
+        if (!checkBearer(req)) {
+          json(res, 401, { ok: false, error: "Unauthorized" });
+          return;
+        }
+        if (req.method === "GET") {
+          json(res, 200, { ok: true, enabled: tmuxBridgeRef?.enabled ?? false });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const enable =
+            typeof body.enabled === "boolean"
+              ? body.enabled
+              : !(tmuxBridgeRef?.enabled ?? false);
+          if (tmuxBridgeRef) tmuxBridgeRef.enabled = enable;
+          try {
+            const cfgPath = path.join(
+              os.homedir(),
+              ".crewswarm",
+              "crewswarm.json",
+            );
+            const cfg = JSON.parse(fs.readFileSync(cfgPath, "utf8"));
+            cfg.tmuxBridge = enable;
+            fs.writeFileSync(cfgPath, JSON.stringify(cfg, null, 2));
+          } catch (e) {
+            console.warn(
+              "[crew-lead] Could not persist tmuxBridge:",
+              e.message,
+            );
+          }
+          console.log(
+            `[crew-lead] tmux-bridge ${enable ? "ENABLED" : "DISABLED"} via dashboard`,
+          );
+          json(res, 200, { ok: true, enabled: tmuxBridgeRef?.enabled ?? enable });
+          return;
+        }
+      }
       // GET/POST /api/settings/global-fallback — set/get global OpenCode fallback model
       if (url.pathname === "/api/settings/global-fallback") {
         if (!checkBearer(req)) {
@@ -4680,6 +4762,250 @@ export function createAndStartServer(PORT) {
         }
       }
+      // ── Missing settings endpoints (bulk implementation) ─────────────────────
+      // Helper: read/write crewswarm.json for simple boolean/string settings
+      const cfgPath = path.join(os.homedir(), ".crewswarm", "crewswarm.json");
+      function readCfg() {
+        try { return JSON.parse(fs.readFileSync(cfgPath, "utf8")); } catch { return {}; }
+      }
+      function writeCfg(cfg) {
+        fs.writeFileSync(cfgPath, JSON.stringify(cfg, null, 2));
+      }
+      function whichBin(bin) {
+        try {
+          const r = spawn("which", [bin], { stdio: "ignore" });
+          // spawn is async but we can check if the binary exists via fs
+          const paths = (process.env.PATH || "").split(":");
+          return paths.some(p => { try { fs.accessSync(path.join(p, bin), fs.constants.X_OK); return true; } catch { return false; } });
+        } catch { return false; }
+      }
+      // GET/POST /api/settings/autonomous-mentions
+      if (url.pathname === "/api/settings/autonomous-mentions") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const enabled = cfg.settings?.autonomousMentionsEnabled !== false;
+          json(res, 200, { ok: true, enabled });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          if (!cfg.settings) cfg.settings = {};
+          cfg.settings.autonomousMentionsEnabled = typeof body.enabled === "boolean" ? body.enabled : true;
+          writeCfg(cfg);
+          console.log(`[crew-lead] Autonomous mentions ${cfg.settings.autonomousMentionsEnabled ? "ENABLED" : "DISABLED"} via dashboard`);
+          json(res, 200, { ok: true, enabled: cfg.settings.autonomousMentionsEnabled });
+          return;
+        }
+      }
+      // GET/POST /api/settings/codex
+      if (url.pathname === "/api/settings/codex") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const enabled = cfg.codexEnabled === true || /^1|true|yes$/i.test(String(process.env.CREWSWARM_CODEX_ENABLED || ""));
+          json(res, 200, { ok: true, enabled });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          const enable = typeof body.enabled === "boolean" ? body.enabled : !cfg.codexEnabled;
+          cfg.codexEnabled = enable;
+          writeCfg(cfg);
+          console.log(`[crew-lead] Codex executor ${enable ? "ENABLED" : "DISABLED"} via dashboard`);
+          json(res, 200, { ok: true, enabled: enable });
+          return;
+        }
+      }
+      // GET/POST /api/settings/gemini-cli
+      if (url.pathname === "/api/settings/gemini-cli") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const enabled = cfg.geminiCliEnabled === true || /^1|true|yes$/i.test(String(process.env.CREWSWARM_GEMINI_CLI_ENABLED || ""));
+          const installed = whichBin("gemini");
+          json(res, 200, { ok: true, enabled, installed });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          const enable = typeof body.enabled === "boolean" ? body.enabled : !cfg.geminiCliEnabled;
+          cfg.geminiCliEnabled = enable;
+          writeCfg(cfg);
+          console.log(`[crew-lead] Gemini CLI ${enable ? "ENABLED" : "DISABLED"} via dashboard`);
+          json(res, 200, { ok: true, enabled: enable, installed: whichBin("gemini") });
+          return;
+        }
+      }
+      // GET/POST /api/settings/crew-cli
+      if (url.pathname === "/api/settings/crew-cli") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const enabled = cfg.crewCliEnabled === true || /^1|true|yes$/i.test(String(process.env.CREWSWARM_CREW_CLI_ENABLED || ""));
+          json(res, 200, { ok: true, enabled });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          const enable = typeof body.enabled === "boolean" ? body.enabled : !cfg.crewCliEnabled;
+          cfg.crewCliEnabled = enable;
+          writeCfg(cfg);
+          console.log(`[crew-lead] Crew CLI ${enable ? "ENABLED" : "DISABLED"} via dashboard`);
+          json(res, 200, { ok: true, enabled: enable });
+          return;
+        }
+      }
+      // GET/POST /api/settings/opencode
+      if (url.pathname === "/api/settings/opencode") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const enabled = cfg.opencodeEnabled === true || /^1|true|yes$/i.test(String(process.env.CREWSWARM_OPENCODE_ENABLED || ""));
+          const installed = whichBin("opencode");
+          json(res, 200, { ok: true, enabled, installed });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          const enable = typeof body.enabled === "boolean" ? body.enabled : !cfg.opencodeEnabled;
+          cfg.opencodeEnabled = enable;
+          writeCfg(cfg);
+          console.log(`[crew-lead] OpenCode ${enable ? "ENABLED" : "DISABLED"} via dashboard`);
+          json(res, 200, { ok: true, enabled: enable, installed: whichBin("opencode") });
+          return;
+        }
+      }
+      // GET/POST /api/settings/global-oc-loop
+      if (url.pathname === "/api/settings/global-oc-loop") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const enabled = cfg.engineLoop === true || /^1|true|yes$/i.test(String(process.env.CREWSWARM_ENGINE_LOOP || ""));
+          const maxRounds = cfg.engineLoopMaxRounds ?? parseInt(process.env.CREWSWARM_ENGINE_LOOP_MAX_ROUNDS || "10", 10);
+          json(res, 200, { ok: true, enabled, maxRounds });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          if (typeof body.enabled === "boolean") cfg.engineLoop = body.enabled;
+          if (body.maxRounds !== undefined) cfg.engineLoopMaxRounds = parseInt(body.maxRounds, 10) || 10;
+          writeCfg(cfg);
+          console.log(`[crew-lead] Engine loop: enabled=${cfg.engineLoop ?? false}, maxRounds=${cfg.engineLoopMaxRounds ?? 10}`);
+          json(res, 200, { ok: true, enabled: cfg.engineLoop ?? false, maxRounds: cfg.engineLoopMaxRounds ?? 10 });
+          return;
+        }
+      }
+      // GET/POST /api/settings/passthrough-notify
+      if (url.pathname === "/api/settings/passthrough-notify") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          json(res, 200, { ok: true, value: cfg.passthroughNotify || "both" });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          cfg.passthroughNotify = body.value || "both";
+          writeCfg(cfg);
+          console.log(`[crew-lead] Passthrough notify → ${cfg.passthroughNotify}`);
+          json(res, 200, { ok: true, value: cfg.passthroughNotify });
+          return;
+        }
+      }
+      // GET/POST /api/settings/loop-brain
+      if (url.pathname === "/api/settings/loop-brain") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          json(res, 200, { ok: true, loopBrain: cfg.loopBrain || "" });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          const cfg = readCfg();
+          cfg.loopBrain = body.loopBrain || "";
+          writeCfg(cfg);
+          console.log(`[crew-lead] Loop brain → ${cfg.loopBrain || "(cleared)"}`);
+          json(res, 200, { ok: true, loopBrain: cfg.loopBrain });
+          return;
+        }
+      }
+      // GET /api/settings/openclaw-status
+      if (url.pathname === "/api/settings/openclaw-status" && req.method === "GET") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        const cfg = readCfg();
+        const installed = !!(cfg.openClaw?.enabled || cfg.openclaw?.gatewayUrl || process.env.OPENCLAW_GATEWAY_URL);
+        json(res, 200, { ok: true, installed });
+        return;
+      }
+      // GET/POST /api/settings/rt-token
+      if (url.pathname === "/api/settings/rt-token") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        if (req.method === "GET") {
+          const cfg = readCfg();
+          const token = cfg.rtToken || process.env.CREWSWARM_RT_AUTH_TOKEN || "";
+          json(res, 200, { ok: true, token: token ? true : false });
+          return;
+        }
+        if (req.method === "POST") {
+          const body = await readBody(req);
+          if (!body.token) { json(res, 400, { ok: false, error: "No token provided" }); return; }
+          const cfg = readCfg();
+          cfg.rtToken = body.token;
+          writeCfg(cfg);
+          console.log("[crew-lead] RT token saved via dashboard");
+          json(res, 200, { ok: true, saved: true });
+          return;
+        }
+      }
+      // GET /api/config/lock-status, POST /api/config/lock, POST /api/config/unlock
+      if (url.pathname === "/api/config/lock-status" && req.method === "GET") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        const lockFile = path.join(os.homedir(), ".crewswarm", ".config.lock");
+        json(res, 200, { ok: true, locked: fs.existsSync(lockFile) });
+        return;
+      }
+      if (url.pathname === "/api/config/lock" && req.method === "POST") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        const lockFile = path.join(os.homedir(), ".crewswarm", ".config.lock");
+        try {
+          fs.writeFileSync(lockFile, new Date().toISOString());
+          console.log("[crew-lead] Config LOCKED via dashboard");
+          json(res, 200, { ok: true, locked: true });
+        } catch (e) { json(res, 500, { ok: false, error: e.message }); }
+        return;
+      }
+      if (url.pathname === "/api/config/unlock" && req.method === "POST") {
+        if (!checkBearer(req)) { json(res, 401, { ok: false, error: "Unauthorized" }); return; }
+        const lockFile = path.join(os.homedir(), ".crewswarm", ".config.lock");
+        try {
+          fs.unlinkSync(lockFile);
+          console.log("[crew-lead] Config UNLOCKED via dashboard");
+        } catch {}
+        json(res, 200, { ok: true, locked: false });
+        return;
+      }
       // POST /api/spending/reset — reset today's spending counters
       if (url.pathname === "/api/spending/reset" && req.method === "POST") {
         if (!checkBearer(req)) {