mcp-coordinator 0.3.0 → 0.5.0

package/dist/src/dependency-map.js

@@ -1,4 +1,5 @@
 import { getDb } from "./database.js";
+import { withTransaction } from "./db-adapter.js";
 export class DependencyMapper {
     getMap() {
         const db = getDb();
@@ -20,12 +21,11 @@ export class DependencyMapper {
        VALUES (?, ?, ?, ?)
        ON CONFLICT(module_id) DO UPDATE SET
          depends_on = excluded.depends_on, exports = excluded.exports, owners = excluded.owners`);
-        const tx = db.transaction(() => {
+        withTransaction(db, () => {
             for (const [id, info] of Object.entries(map)) {
                 stmt.run(id, JSON.stringify(info.depends_on), JSON.stringify(info.exports), JSON.stringify(info.owners));
             }
         });
-        tx();
     }
     getModuleInfo(moduleId) {
         const db = getDb();

package/dist/src/file-tracker.d.ts

@@ -6,6 +6,8 @@ export declare class FileTracker {
         agent_name?: string;
         tool_name: string;
         file_path: string;
+        content_hash?: string | null;
+        symbols_touched?: string[] | null;
     }): void;
     getBySession(sessionId: string): FileActivity[];
     getHotFiles(sinceMinutes?: number): {
@@ -17,5 +19,15 @@ export declare class FileTracker {
         conflict: boolean;
         agents: string[];
     };
+    /**
+     * P2 perf: batch lookup of recent file→agents activity. Replaces N
+     * `checkFileConflict` calls (one per file) with a single SQL query, then
+     * builds an in-memory reverse index. The impact scorer uses this so its
+     * per-file inner loop is O(1) Map.get() rather than O(F) SQL round-trips.
+     *
+     * Excludes the calling agent (so the scorer doesn't flag the announcer
+     * against themselves). Returns Map<file_path, Set<agent_id>>.
+     */
+    getFileToAgentsIndex(filePaths: string[], excludeAgentId: string, withinMinutes?: number): Map<string, Set<string>>;
     fileToModule(filePath: string): string;
 }

package/dist/src/file-tracker.js

@@ -3,8 +3,9 @@ export class FileTracker {
     log(params) {
         const db = getDb();
         const module = this.fileToModule(params.file_path);
-        db.prepare(`INSERT INTO file_activity (session_id, agent_id, agent_name, tool_name, file_path, module)
-       VALUES (?, ?, ?, ?, ?, ?)`).run(params.session_id, params.agent_id, params.agent_name || null, params.tool_name, params.file_path, module);
+        db.prepare(`INSERT INTO file_activity
+       (session_id, agent_id, agent_name, tool_name, file_path, module, content_hash, symbols_touched)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(params.session_id, params.agent_id, params.agent_name || null, params.tool_name, params.file_path, module, params.content_hash || null, params.symbols_touched ? JSON.stringify(params.symbols_touched) : null);
     }
     getBySession(sessionId) {
         const db = getDb();
@@ -31,6 +32,38 @@ export class FileTracker {
        AND created_at > datetime('now', '-' || ? || ' minutes')`).all(filePath, agentId, withinMinutes);
         return { conflict: rows.length > 0, agents: rows.map((r) => r.agent_id) };
     }
+    /**
+     * P2 perf: batch lookup of recent file→agents activity. Replaces N
+     * `checkFileConflict` calls (one per file) with a single SQL query, then
+     * builds an in-memory reverse index. The impact scorer uses this so its
+     * per-file inner loop is O(1) Map.get() rather than O(F) SQL round-trips.
+     *
+     * Excludes the calling agent (so the scorer doesn't flag the announcer
+     * against themselves). Returns Map<file_path, Set<agent_id>>.
+     */
+    getFileToAgentsIndex(filePaths, excludeAgentId, withinMinutes = 30) {
+        const index = new Map();
+        if (filePaths.length === 0)
+            return index;
+        const db = getDb();
+        // Dynamic IN-list — better-sqlite3 binds each ? positionally. Cheap because
+        // the impact scorer only passes target_files + depends_on_files (typically
+        // a handful of files per announce_work call).
+        const placeholders = filePaths.map(() => "?").join(",");
+        const rows = db.prepare(`SELECT DISTINCT file_path, agent_id FROM file_activity
+       WHERE file_path IN (${placeholders})
+       AND agent_id != ?
+       AND created_at > datetime('now', '-' || ? || ' minutes')`).all(...filePaths, excludeAgentId, withinMinutes);
+        for (const r of rows) {
+            let set = index.get(r.file_path);
+            if (!set) {
+                set = new Set();
+                index.set(r.file_path, set);
+            }
+            set.add(r.agent_id);
+        }
+        return index;
+    }
     fileToModule(filePath) {
         // Strip leading / so "/server/src/x.ts" and "server/src/x.ts" produce the
         // same module name. Without this, split("/") on an absolute path yields

package/dist/src/git-cochange-builder.d.ts

@@ -0,0 +1,32 @@
+import { type Logger } from "./logger.js";
+import type { Metrics } from "./metrics.js";
+interface BuilderOpts {
+    repoRoot: string;
+    sinceDays?: number;
+    maxCount?: number;
+    timeoutMs?: number;
+    refreshMs?: number;
+    retryMs?: number;
+    logger?: Logger;
+    metrics?: Metrics;
+}
+export declare class GitCochangeBuilder {
+    private repoRoot;
+    private sinceDays;
+    private maxCount;
+    private timeoutMs;
+    private refreshMs;
+    private retryMs;
+    private log;
+    private metrics?;
+    private timer;
+    constructor(opts: BuilderOpts);
+    /** Build once. Resolves after persistence. */
+    build(): Promise<void>;
+    private runGitLog;
+    private parseLog;
+    /** Schedule a refresh loop. unref() so it doesn't keep the loop alive. */
+    startScheduler(): void;
+    stopScheduler(): void;
+}
+export {};

package/dist/src/git-cochange-builder.js

@@ -0,0 +1,238 @@
+// src/git-cochange-builder.ts
+import { spawn } from "child_process";
+import { existsSync } from "fs";
+import path from "path";
+import { getDb } from "./database.js";
+import { silentLogger } from "./logger.js";
+const DEFAULT_DENYLIST = [
+    /package-lock\.json$/, /pnpm-lock\.yaml$/, /yarn\.lock$/, /\.lock$/,
+    /\/dist\//, /\/build\//, /\/\.next\//, /\/__snapshots__\//,
+    /\.min\.js$/, /\.map$/, /\/coverage\//, /\/node_modules\//, /\.snap$/,
+];
+export class GitCochangeBuilder {
+    repoRoot;
+    sinceDays;
+    maxCount;
+    timeoutMs;
+    refreshMs;
+    retryMs;
+    log;
+    metrics;
+    timer = null;
+    constructor(opts) {
+        this.repoRoot = opts.repoRoot;
+        this.sinceDays = opts.sinceDays ?? 7;
+        this.maxCount = opts.maxCount ?? 2000;
+        this.timeoutMs = opts.timeoutMs ?? 5000;
+        this.refreshMs = opts.refreshMs ?? 1800000;
+        this.retryMs = opts.retryMs ?? 300000;
+        this.log = opts.logger || silentLogger;
+        this.metrics = opts.metrics;
+    }
+    /** Build once. Resolves after persistence. */
+    async build() {
+        const db = getDb();
+        const setMeta = (k, v) => db.prepare("INSERT OR REPLACE INTO git_cochange_meta (k, v) VALUES (?, ?)").run(k, v);
+        if (!existsSync(path.join(this.repoRoot, ".git"))) {
+            this.log.info({}, "Layer 4 unavailable: no .git");
+            setMeta("available", "false");
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "failed" });
+            return;
+        }
+        if (existsSync(path.join(this.repoRoot, ".git", "shallow"))) {
+            this.log.info({}, "Layer 4 unavailable: shallow clone");
+            setMeta("available", "false");
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "shallow_skipped" });
+            return;
+        }
+        let stdout = null;
+        try {
+            stdout = await this.runGitLog();
+        }
+        catch (err) {
+            this.log.warn({ err }, "git log failed");
+            setMeta("available", "false");
+            setMeta("last_error", String(err.message));
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "failed" });
+            return;
+        }
+        if (stdout === "TIMEOUT") {
+            setMeta("available", "stale_partial");
+            this.log.warn({}, "git log timed out — Layer 4 stale_partial");
+            this.metrics?.gitCochangeBuilds.inc({ outcome: "timeout" });
+            return;
+        }
+        const { pairs, totalCommits } = this.parseLog(stdout);
+        // Dynamic predictor cap: any file appearing in > 40% of effective commits is
+        // excluded as a *predictor* (still allowed as a *target*). Prevents hotspot files
+        // like config or barrel index from saturating co-change with every other file.
+        const PREDICTOR_CAP_RATIO = 0.4;
+        const fileCommitCount = new Map();
+        for (const key of pairs.keys()) {
+            const [a, b] = key.split("|");
+            fileCommitCount.set(a, (fileCommitCount.get(a) ?? 0) + (pairs.get(key) ?? 0));
+            fileCommitCount.set(b, (fileCommitCount.get(b) ?? 0) + (pairs.get(key) ?? 0));
+        }
+        const promiscuous = new Set();
+        for (const [file, count] of fileCommitCount) {
+            // count is total times the file appeared in any pair; max possible is roughly
+            // (totalCommits) per file. Use raw count / totalCommits as an approximation
+            // of the file's commit frequency.
+            if (totalCommits > 0 && count / totalCommits > PREDICTOR_CAP_RATIO) {
+                promiscuous.add(file);
+            }
+        }
+        if (promiscuous.size > 0) {
+            this.log.info({ count: promiscuous.size, files: Array.from(promiscuous) }, "Layer 4 dynamic predictor cap excluded files");
+        }
+        db.exec("DELETE FROM git_cochange");
+        const stmt = db.prepare("INSERT INTO git_cochange (file_a, file_b, count, total_commits, computed_at) VALUES (?, ?, ?, ?, datetime('now'))");
+        const insertMany = db.transaction(() => {
+            for (const [key, count] of pairs.entries()) {
+                const [a, b] = key.split("|");
+                // Skip pairs where EITHER file is a promiscuous predictor (file is allowed
+                // as target only, but a pair where it's a predictor is dropped). For the
+                // index entry to be useful, both files must be non-promiscuous predictors.
+                if (promiscuous.has(a) || promiscuous.has(b))
+                    continue;
+                if (a < b)
+                    stmt.run(a, b, count, totalCommits);
+            }
+        });
+        insertMany();
+        setMeta("available", "true");
+        setMeta("last_built_at", new Date().toISOString());
+        this.metrics?.gitCochangeBuilds.inc({ outcome: "success" });
+        this.metrics?.gitCochangePairs.set(pairs.size);
+    }
+    runGitLog() {
+        return new Promise((resolve, reject) => {
+            const args = [
+                "log",
+                `--max-count=${this.maxCount}`,
+                "--diff-filter=AMRD",
+                `--since=${this.sinceDays} days ago`,
+                "--no-renames",
+                "--pretty=format:%H",
+                "--name-only",
+                "-z",
+            ];
+            const proc = spawn("git", args, { cwd: this.repoRoot });
+            let buf = "";
+            const timer = setTimeout(() => {
+                proc.kill();
+                resolve("TIMEOUT");
+            }, this.timeoutMs);
+            proc.stdout.on("data", (c) => (buf += c.toString("utf-8")));
+            proc.on("error", (err) => { clearTimeout(timer); reject(err); });
+            proc.on("close", (code) => {
+                clearTimeout(timer);
+                if (code === 0)
+                    resolve(buf);
+                else
+                    reject(new Error(`git log exit ${code}`));
+            });
+        });
+    }
+    parseLog(stdout) {
+        // git log -z --pretty=format:%H --name-only output format:
+        // Each commit entry: <SHA>\n<file1>\0<file2>\0...\0
+        // Between commits the NUL separator also acts as delimiter.
+        // We split on NUL first, then detect SHA boundaries within tokens.
+        const tokens = stdout.split("\0").filter(t => t.length > 0);
+        const pairs = new Map();
+        let totalCommits = 0;
+        let currentFiles = [];
+        const flush = () => {
+            if (currentFiles.length === 0)
+                return;
+            // Skip massive commits (likely sweeps)
+            if (currentFiles.length > 200) {
+                currentFiles = [];
+                return;
+            }
+            // Apply denylist
+            const eligible = currentFiles.filter(f => !DEFAULT_DENYLIST.some(re => re.test(f)));
+            for (let i = 0; i < eligible.length; i++) {
+                for (let j = i + 1; j < eligible.length; j++) {
+                    const [a, b] = eligible[i] < eligible[j] ? [eligible[i], eligible[j]] : [eligible[j], eligible[i]];
+                    const key = `${a}|${b}`;
+                    pairs.set(key, (pairs.get(key) ?? 0) + 1);
+                }
+            }
+            totalCommits++;
+            currentFiles = [];
+        };
+        // SHA pattern: 40 hex chars
+        const shaRe = /^([0-9a-f]{40})\n(.*)$/s;
+        for (const t of tokens) {
+            // Each token after splitting on \0 may look like:
+            // "\nSHA40\npath" (commit boundary with preceding newline)
+            // "SHA40\npath"  (commit boundary at start)
+            // "path"         (file path continuation)
+            // "\nSHA40"      (SHA only, no file on same token)
+            // Strip leading newlines to normalize
+            const stripped = t.replace(/^\n+/, "");
+            const shaMatch = stripped.match(shaRe);
+            if (shaMatch) {
+                // We found a SHA — flush the previous commit's files
+                flush();
+                const trailingPath = shaMatch[2].trim();
+                if (trailingPath)
+                    currentFiles.push(trailingPath);
+            }
+            else {
+                // Check if this token itself IS a SHA (no file attached, happens when
+                // --pretty=format:%H emits the SHA on its own NUL-terminated chunk)
+                const pureSha = stripped.match(/^[0-9a-f]{40}$/);
+                if (pureSha) {
+                    flush();
+                }
+                else {
+                    // It's a file path (or part of one); newlines indicate embedded commit
+                    // boundaries when a file is on the same NUL chunk as the next SHA.
+                    // Handle the case where "path\nSHA\npath" might appear.
+                    const parts = stripped.split("\n");
+                    for (let i = 0; i < parts.length; i++) {
+                        const part = parts[i].trim();
+                        if (!part)
+                            continue;
+                        if (/^[0-9a-f]{40}$/.test(part)) {
+                            flush();
+                        }
+                        else {
+                            currentFiles.push(part);
+                        }
+                    }
+                }
+            }
+        }
+        flush();
+        return { pairs, totalCommits };
+    }
+    /** Schedule a refresh loop. unref() so it doesn't keep the loop alive. */
+    startScheduler() {
+        const tick = async () => {
+            try {
+                await this.build();
+                this.timer = setTimeout(tick, this.refreshMs);
+            }
+            catch (err) {
+                this.log.warn({ err }, "build failed, retrying");
+                this.timer = setTimeout(tick, this.retryMs);
+            }
+            if (this.timer && typeof this.timer.unref === "function")
+                this.timer.unref();
+        };
+        // First build after 5s grace
+        this.timer = setTimeout(tick, 5000);
+        if (this.timer && typeof this.timer.unref === "function")
+            this.timer.unref();
+    }
+    stopScheduler() {
+        if (this.timer) {
+            clearTimeout(this.timer);
+            this.timer = null;
+        }
+    }
+}

package/dist/src/http/handle-health.d.ts

@@ -0,0 +1,23 @@
+import type { IncomingMessage, ServerResponse } from "http";
+import type { CoordinatorServices } from "../server-setup.js";
+/**
+ * Liveness probe — process is alive. Always returns 200 with no dep checks
+ * so orchestrators don't restart the pod over transient downstream failures.
+ */
+export declare function handleLivez(_req: IncomingMessage, res: ServerResponse): void;
+/**
+ * Readiness probe — downstream deps must all be green for the LB to route
+ * traffic here. 503 when any check fails so the pod is drained until ready.
+ *
+ * Each check is wrapped in try/catch so a thrown DB/MQTT error becomes a
+ * structured `{ok:false,error:"…"}` instead of a 500. The response shape is
+ * identical between 200 and 503 so consumers can parse uniformly.
+ */
+export declare function handleReadyz(_req: IncomingMessage, res: ServerResponse, services: Pick<CoordinatorServices, "mqttBridge" | "treeSitter" | "gitCochange">): void;
+/**
+ * Backwards-compatible alias. The original /health route returned a fixed
+ * {status:"ok",version} payload with no dep checks; semantically that is a
+ * liveness probe, so we delegate. Anything that polled /health for "is the
+ * process up" continues to work without changes.
+ */
+export declare function handleHealth(req: IncomingMessage, res: ServerResponse): void;

package/dist/src/http/handle-health.js

@@ -0,0 +1,112 @@
+import { getDb } from "../database.js";
+import { json } from "./utils.js";
+import { getVersion } from "../../cli/version.js";
+/**
+ * v0.4 Operability: Kubernetes-style health probes.
+ *
+ * - /livez   → is the process alive? Used by an orchestrator (k8s, systemd,
+ *             docker swarm) to decide whether to restart the pod. MUST NOT
+ *             check downstream deps; an unreachable DB does not mean the
+ *             coordinator process should be killed and restarted.
+ *
+ * - /readyz  → are downstream deps ready? Used by a load balancer / service
+ *             mesh to decide whether to add this pod to rotation. Returns 503
+ *             when the DB or MQTT broker is not reachable so the LB drains
+ *             traffic until the coordinator can actually serve it.
+ *
+ * - /health  → backwards-compat alias for /livez. The original stub returned
+ *             {status:"ok",version} unconditionally; preserving alive-only
+ *             semantics keeps existing dashboards and uptime probes green
+ *             without forcing them to migrate.
+ */
+const STARTED_AT_MS = Date.now();
+const VERSION = getVersion();
+function uptimeSeconds() {
+    return Math.floor((Date.now() - STARTED_AT_MS) / 1000);
+}
+/**
+ * Liveness probe — process is alive. Always returns 200 with no dep checks
+ * so orchestrators don't restart the pod over transient downstream failures.
+ */
+export function handleLivez(_req, res) {
+    json(res, {
+        status: "alive",
+        uptime_seconds: uptimeSeconds(),
+        version: VERSION,
+    });
+}
+/**
+ * Readiness probe — downstream deps must all be green for the LB to route
+ * traffic here. 503 when any check fails so the pod is drained until ready.
+ *
+ * Each check is wrapped in try/catch so a thrown DB/MQTT error becomes a
+ * structured `{ok:false,error:"…"}` instead of a 500. The response shape is
+ * identical between 200 and 503 so consumers can parse uniformly.
+ */
+export function handleReadyz(_req, res, services) {
+    const checks = {
+        db: { ok: false },
+        mqtt: { ok: false },
+        tree_sitter: { ok: false, grammars_loaded: 0, total_grammars: 7, optional: true },
+        git_cochange: { available: false, status: "unavailable", optional: true },
+    };
+    try {
+        // Cheapest possible round-trip that exercises the connection without
+        // touching application tables. Throws if the handle is closed or the
+        // file is locked beyond busy_timeout.
+        getDb().prepare("SELECT 1").get();
+        checks.db.ok = true;
+    }
+    catch (err) {
+        checks.db.error = err.message;
+    }
+    try {
+        if (services.mqttBridge.isConnected()) {
+            checks.mqtt.ok = true;
+        }
+        else {
+            checks.mqtt.error = "not connected";
+        }
+    }
+    catch (err) {
+        checks.mqtt.error = err.message;
+    }
+    // Optional: tree-sitter status (does NOT gate readiness — Layer 0.5 degrades gracefully)
+    try {
+        if (services.treeSitter) {
+            checks.tree_sitter = services.treeSitter.status();
+        }
+    }
+    catch {
+        // keep default { ok: false, grammars_loaded: 0, total_grammars: 7, optional: true }
+    }
+    // Optional: git_cochange availability (does NOT gate readiness — Layer 4 degrades gracefully)
+    try {
+        const row = getDb()
+            .prepare("SELECT v FROM git_cochange_meta WHERE k = ?")
+            .get("available");
+        checks.git_cochange = {
+            available: row?.v === "true",
+            status: row?.v ?? "unavailable",
+            optional: true,
+        };
+    }
+    catch {
+        // keep default { available: false, status: "unavailable", optional: true }
+    }
+    // Gating: only db + mqtt block readiness. tree_sitter and git_cochange are reported but optional.
+    const allOk = checks.db.ok && checks.mqtt.ok;
+    json(res, {
+        status: allOk ? "ready" : "not_ready",
+        checks,
+    }, allOk ? 200 : 503);
+}
+/**
+ * Backwards-compatible alias. The original /health route returned a fixed
+ * {status:"ok",version} payload with no dep checks; semantically that is a
+ * liveness probe, so we delegate. Anything that polled /health for "is the
+ * process up" continues to work without changes.
+ */
+export function handleHealth(req, res) {
+    return handleLivez(req, res);
+}

package/dist/src/http/handle-rest.js

@@ -1,3 +1,4 @@
+import { createHash } from "crypto";
 import { getDb } from "../database.js";
 import { runCommonAnnounceFlow } from "../announce-workflow.js";
 import { canResetDb } from "../reset-guard.js";
@@ -5,7 +6,15 @@ import { parseBody, json } from "./utils.js";
 export async function handleRest(req, res, ctx) {
     const { services, httpLog, authEnabled, getRunConfig, setRunConfig } = ctx;
     const url = req.url || "";
-    const body = await parseBody(req);
+    let body;
+    try {
+        body = await parseBody(req);
+    }
+    catch (err) {
+        const e = err;
+        json(res, { error: e.message || "Invalid request" }, e.statusCode || 400);
+        return;
+    }
     const agentId = body.agent_id;
     // Dashboard/work-stealing polls these endpoints every few seconds — demote to debug
     // to keep the info log focused on coordination events (announce, claim, resolve, etc).
@@ -61,7 +70,7 @@ export async function handleRest(req, res, ctx) {
         json(res, { ok: true });
     }
     else if (url === "/api/announce") {
-        const { agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open, assigned_to } = body;
+        const { agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open, assigned_to, target_symbols } = body;
         const thread = consultation.announceWork({ agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open, assigned_to });
         const agentInfo = registry.get(agent_id);
         // S2 fix: shared workflow (impact scoring, override respondents, auto-resolve,
@@ -69,6 +78,7 @@ export async function handleRest(req, res, ctx) {
         // function used by the MCP announce_work tool path.
         const { updated, categorized, respondents, planQuality } = runCommonAnnounceFlow(services, thread.id, {
             agent_id, subject, plan, target_modules, target_files, depends_on_files, exports_affected, keep_open,
+            target_symbols,
         });
         // REST-specific thread_opened SSE shape (different field set than MCP — kept
         // divergent because consumers may depend on this exact contract).
@@ -358,6 +368,77 @@ export async function handleRest(req, res, ctx) {
             json(res, { registered: true, status: agent.status, activity: activity.activity_status });
         }
     }
+    else if (url === "/api/file-activity" && req.method === "POST") {
+        if (typeof body.session_id !== "string" || typeof body.agent_id !== "string"
+            || typeof body.tool_name !== "string" || typeof body.file_path !== "string") {
+            json(res, { error: "missing required fields" }, 400);
+            return;
+        }
+        if (body.agent_name !== undefined && typeof body.agent_name !== "string") {
+            json(res, { error: "agent_name must be string when present" }, 400);
+            return;
+        }
+        const MAX_CONTENT = 262144;
+        let symbols = null;
+        let contentHash = null;
+        if (typeof body.content === "string") {
+            if (body.content.length > MAX_CONTENT) {
+                json(res, { error: "content exceeds 256 KB" }, 400);
+                return;
+            }
+            contentHash = createHash("sha256").update(body.content).digest("hex");
+            symbols = ctx.services.treeSitter.extract(body.file_path, body.content, null);
+        }
+        ctx.services.fileTracker.log({
+            session_id: body.session_id,
+            agent_id: body.agent_id,
+            agent_name: body.agent_name,
+            tool_name: body.tool_name,
+            file_path: body.file_path,
+            content_hash: contentHash,
+            symbols_touched: symbols,
+        });
+        json(res, { ok: true });
+    }
+    else if (url === "/api/working-files/start" && req.method === "POST") {
+        if (typeof body.agent_id !== "string" || typeof body.file_path !== "string") {
+            json(res, { error: "agent_id and file_path required" }, 400);
+            return;
+        }
+        const ttl = parseInt(process.env.COORDINATOR_WORKING_FILES_TTL_MIN || "30", 10);
+        services.workingFiles.start(body.agent_id, body.file_path, ttl);
+        json(res, { ok: true });
+    }
+    else if (url === "/api/working-files/stop" && req.method === "POST") {
+        if (typeof body.agent_id !== "string" || typeof body.file_path !== "string") {
+            json(res, { error: "agent_id and file_path required" }, 400);
+            return;
+        }
+        services.workingFiles.stop(body.agent_id, body.file_path);
+        json(res, { ok: true });
+    }
+    else if (url?.startsWith("/api/scoring-stats") && req.method === "GET") {
+        const u = new URL(url, "http://localhost");
+        const sinceParam = u.searchParams.get("since") || "24h";
+        const sinceMin = sinceParam.endsWith("h") ? parseInt(sinceParam) * 60
+            : sinceParam.endsWith("d") ? parseInt(sinceParam) * 60 * 24
+                : 60 * 24;
+        const db = getDb();
+        const layers = db.prepare(`SELECT layer, COUNT(*) AS fire_count, AVG(score) AS avg_score
+       FROM layer_firings
+       WHERE fired_at > datetime('now', '-' || ? || ' minutes')
+       GROUP BY layer
+       ORDER BY fire_count DESC`).all(sinceMin);
+        json(res, {
+            window: { since: sinceParam, now: new Date().toISOString() },
+            layers: layers.map(l => ({
+                layer: l.layer,
+                fire_count: l.fire_count,
+                avg_score: l.avg_score,
+                outcomes: { auto_resolved: 0, consensus: 0, timeout: 0, cancelled: 0 },
+            })),
+        });
+    }
     else if (url === "/api/status") {
         const online = registry.listOnline();
         const openThreads = consultation.listThreads({ status: "open" });

package/dist/src/http/utils.d.ts

@@ -1,8 +1,4 @@
 import type { IncomingMessage, ServerResponse } from "http";
-/**
- * S1: shared HTTP helpers extracted from serve-http.ts.
- * parseBody, json, decodeJwtPayload, safeEqual.
- */
 export declare function parseBody(req: IncomingMessage): Promise<Record<string, unknown>>;
 export declare function json(res: ServerResponse, data: unknown, status?: number): void;
 /**

package/dist/src/http/utils.js

@@ -3,11 +3,25 @@ import { timingSafeEqual } from "crypto";
  * S1: shared HTTP helpers extracted from serve-http.ts.
  * parseBody, json, decodeJwtPayload, safeEqual.
  */
+const MAX_BODY_BYTES = parseInt(process.env.COORDINATOR_MAX_BODY_BYTES || "1048576", 10);
 export function parseBody(req) {
     return new Promise((resolve, reject) => {
-        let body = "";
-        req.on("data", (chunk) => (body += chunk.toString()));
+        let bytes = 0;
+        const chunks = [];
+        req.on("data", (chunk) => {
+            bytes += chunk.length;
+            if (bytes > MAX_BODY_BYTES) {
+                const err = new Error("Payload too large");
+                err.statusCode = 413;
+                // destroy() may not exist on every IncomingMessage-like input (test stub).
+                req.destroy?.(err);
+                reject(err);
+                return;
+            }
+            chunks.push(chunk);
+        });
         req.on("end", () => {
+            const body = Buffer.concat(chunks).toString("utf-8");
             try {
                 resolve(body ? JSON.parse(body) : {});
             }