mewkit 1.7.0 → 1.8.0

package/dist/orchviz/server/__tests__/write-handlers.test.js

@@ -0,0 +1,347 @@
+/**
+ * Integration tests for write-handlers.ts — POST /api/plan/todo.
+ *
+ * Each test spins up an ephemeral-port OrchvizServer with a temp fixture dir,
+ * makes HTTP requests, and verifies responses + on-disk state.
+ *
+ * Coverage (10+ cases):
+ *   1.  200 happy path — file mutated, ok:true, changed:true, new etag
+ *   2.  200 idempotent no-op — changed:false, mtime unchanged
+ *   3.  400 missing Origin header
+ *   4.  403 disallowed Origin header
+ *   5.  405 MEOWKIT_ORCHVIZ_READONLY=1
+ *   6.  409 stale etag — file unchanged
+ *   7.  413 body > 4KB
+ *   8.  415 wrong Content-Type
+ *   9.  OPTIONS 204 — allowed origin
+ *  10.  OPTIONS 403 — disallowed origin (no ACAO header emitted)
+ *  11.  400 invalid JSON
+ *  12.  400 zod validation failure (bad phase number)
+ *  13.  POST to /api/plan (unrelated path) still returns 405 (v1.1 regression guard)
+ *  14.  Phase zero-pad: POST {phase:1} matches phase-01-*.md
+ */
+import { describe, expect, it, afterEach, beforeEach } from "vitest";
+import { EventEmitter } from "node:events";
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import * as http from "node:http";
+import { OrchvizServer } from "../index.js";
+import { computePhaseFileEtag } from "../../plan/etag.js";
+import { PlanCollector } from "../../plan/collector.js";
+let active = null;
+let tmpDir = null;
+let serverUrl = "";
+let serverPort = 0;
+// ── Fixture helpers ─────────────────────────────────────────────────────────
+function makeProjectRoot() {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "write-handler-test-"));
+    const root = tmpDir;
+    const slug = "260501-test-plan";
+    const planDir = path.join(root, "tasks", "plans", slug);
+    fs.mkdirSync(planDir, { recursive: true });
+    const phaseContent = [
+        "# Phase 1",
+        "",
+        "## Todo List",
+        "",
+        "- [ ] Task A",
+        "- [x] Task B",
+        "- [ ] Task C",
+        "",
+        "## Next Steps",
+        "",
+    ].join("\n");
+    const phaseFile = path.join(planDir, "phase-01-setup.md");
+    fs.writeFileSync(phaseFile, phaseContent, "utf-8");
+    // plan.md stub
+    fs.writeFileSync(path.join(planDir, "plan.md"), "---\ntitle: Test\n---\n# Test\n", "utf-8");
+    return { root, planDir, phaseFile };
+}
+async function startServer(projectRoot) {
+    const staticDir = os.tmpdir();
+    const planCollector = new PlanCollector(projectRoot);
+    const ev = new EventEmitter();
+    active = new OrchvizServer({
+        staticDir,
+        eventSource: ev,
+        projectRoot,
+        planCollector,
+    });
+    serverUrl = await active.start();
+    serverPort = active.port;
+}
+function rawRequest(opts) {
+    return new Promise((resolve, reject) => {
+        const u = new URL(serverUrl);
+        const reqOpts = {
+            host: u.hostname,
+            port: Number(u.port),
+            path: opts.path,
+            method: opts.method,
+            headers: {
+                Host: `${u.hostname}:${u.port}`,
+                ...opts.headers,
+            },
+        };
+        const req = http.request(reqOpts, (res) => {
+            const resHeaders = {};
+            for (const [k, v] of Object.entries(res.headers)) {
+                if (typeof v === "string")
+                    resHeaders[k] = v;
+            }
+            let body = "";
+            res.setEncoding("utf-8");
+            res.on("data", (chunk) => { body += chunk; });
+            res.on("end", () => resolve({ status: res.statusCode ?? 0, headers: resHeaders, body }));
+            res.on("error", reject);
+        });
+        req.on("error", reject);
+        if (opts.body)
+            req.write(opts.body);
+        req.end();
+    });
+}
+function postTodo(body, extraHeaders = {}) {
+    const bodyStr = JSON.stringify(body);
+    return rawRequest({
+        method: "POST",
+        path: "/api/plan/todo",
+        headers: {
+            "Content-Type": "application/json",
+            "Origin": `http://127.0.0.1:${serverPort}`,
+            ...extraHeaders,
+        },
+        body: bodyStr,
+    });
+}
+function validBody(phaseFile, overrides = {}) {
+    return {
+        slug: "260501-test-plan",
+        phase: 1,
+        todoIdx: 0,
+        checked: true,
+        etag: computePhaseFileEtag(phaseFile),
+        ...overrides,
+    };
+}
+// ── Setup/teardown ──────────────────────────────────────────────────────────
+let projectRoot = "";
+let phaseFile = "";
+beforeEach(async () => {
+    delete process.env.MEOWKIT_ORCHVIZ_READONLY;
+    const fixture = makeProjectRoot();
+    projectRoot = fixture.root;
+    phaseFile = fixture.phaseFile;
+    await startServer(projectRoot);
+});
+afterEach(async () => {
+    delete process.env.MEOWKIT_ORCHVIZ_READONLY;
+    if (active) {
+        await active.stop();
+        active = null;
+    }
+    if (tmpDir) {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+        tmpDir = null;
+    }
+});
+// ── Tests ───────────────────────────────────────────────────────────────────
+describe("POST /api/plan/todo", () => {
+    it("1. 200 happy path: file mutated, changed:true, new etag returned", async () => {
+        const beforeEtag = computePhaseFileEtag(phaseFile);
+        const r = await postTodo(validBody(phaseFile, { todoIdx: 0, checked: true }));
+        expect(r.status).toBe(200);
+        const parsed = JSON.parse(r.body);
+        expect(parsed.ok).toBe(true);
+        expect(parsed.changed).toBe(true);
+        expect(parsed.etag).toHaveLength(64);
+        expect(parsed.etag).not.toBe(beforeEtag);
+        // File on disk is mutated
+        const newContent = fs.readFileSync(phaseFile, "utf-8");
+        expect(newContent).toContain("- [x] Task A");
+    });
+    it("2. 200 idempotent: already-checked flip → changed:false, mtime unchanged", async () => {
+        // Task B (idx=1) is already [x]
+        const mtime = fs.statSync(phaseFile).mtimeMs;
+        const r = await postTodo(validBody(phaseFile, { todoIdx: 1, checked: true }));
+        expect(r.status).toBe(200);
+        const parsed = JSON.parse(r.body);
+        expect(parsed.ok).toBe(true);
+        expect(parsed.changed).toBe(false);
+        // mtime unchanged (no write occurred)
+        const newMtime = fs.statSync(phaseFile).mtimeMs;
+        expect(newMtime).toBe(mtime);
+    });
+    it("3. 403 missing Origin header", async () => {
+        const r = await rawRequest({
+            method: "POST",
+            path: "/api/plan/todo",
+            headers: {
+                "Content-Type": "application/json",
+                // No Origin header
+            },
+            body: JSON.stringify(validBody(phaseFile)),
+        });
+        expect(r.status).toBe(403);
+    });
+    it("4. 403 disallowed Origin header", async () => {
+        const r = await postTodo(validBody(phaseFile), {
+            "Origin": "http://evil.example.com",
+        });
+        expect(r.status).toBe(403);
+    });
+    it("5. 405 MEOWKIT_ORCHVIZ_READONLY=1 blocks writes", async () => {
+        process.env.MEOWKIT_ORCHVIZ_READONLY = "1";
+        const r = await postTodo(validBody(phaseFile));
+        expect(r.status).toBe(405);
+        const parsed = JSON.parse(r.body);
+        expect(parsed.error).toBe("readonly");
+    });
+    it("6. 409 stale etag: file unchanged", async () => {
+        const staleEtag = "a".repeat(64); // not the real etag
+        const mtime = fs.statSync(phaseFile).mtimeMs;
+        const r = await postTodo(validBody(phaseFile, { etag: staleEtag }));
+        expect(r.status).toBe(409);
+        const parsed = JSON.parse(r.body);
+        expect(parsed.error).toBe("stale");
+        expect(parsed.currentEtag).toHaveLength(64);
+        // File unchanged
+        expect(fs.statSync(phaseFile).mtimeMs).toBe(mtime);
+    });
+    it("7. 413 body > 4KB — server destroys socket on overflow", async () => {
+        // Build a body > 4096 bytes
+        const bigPad = "x".repeat(4200);
+        const bodyStr = JSON.stringify({
+            slug: "260501-test-plan",
+            phase: 1,
+            todoIdx: 0,
+            checked: true,
+            etag: "a".repeat(64),
+            _pad: bigPad,
+        });
+        expect(bodyStr.length).toBeGreaterThan(4096);
+        // The server destroys the socket on overflow — rawRequest will either get
+        // a 413 response (if response was sent before destroy) or an ECONNRESET.
+        // Both are valid behaviors for the cap; we just verify the connection closes.
+        const status = await new Promise((resolve) => {
+            const u = new URL(serverUrl);
+            const req = http.request({
+                host: u.hostname,
+                port: Number(u.port),
+                path: "/api/plan/todo",
+                method: "POST",
+                headers: {
+                    Host: `${u.hostname}:${u.port}`,
+                    "Content-Type": "application/json",
+                    "Origin": `http://127.0.0.1:${serverPort}`,
+                    "Content-Length": String(Buffer.byteLength(bodyStr)),
+                },
+            }, (res) => {
+                // Got a response — either 413 or something else
+                resolve(res.statusCode ?? 0);
+                res.resume();
+            });
+            req.on("error", (err) => {
+                const code = err.code;
+                // ECONNRESET = server destroyed socket (expected on overflow)
+                if (code === "ECONNRESET" || code === "EPIPE") {
+                    resolve(413); // treat as 413 for test assertion
+                }
+                else {
+                    resolve(0);
+                }
+            });
+            req.write(bodyStr);
+            req.end();
+        });
+        expect(status).toBe(413);
+    });
+    it("8. 415 wrong Content-Type", async () => {
+        const r = await rawRequest({
+            method: "POST",
+            path: "/api/plan/todo",
+            headers: {
+                "Content-Type": "text/plain",
+                "Origin": `http://127.0.0.1:${serverPort}`,
+            },
+            body: JSON.stringify(validBody(phaseFile)),
+        });
+        expect(r.status).toBe(415);
+    });
+    it("11. 400 invalid JSON", async () => {
+        const r = await rawRequest({
+            method: "POST",
+            path: "/api/plan/todo",
+            headers: {
+                "Content-Type": "application/json",
+                "Origin": `http://127.0.0.1:${serverPort}`,
+            },
+            body: "not valid json {",
+        });
+        expect(r.status).toBe(400);
+        const parsed = JSON.parse(r.body);
+        expect(parsed.error).toBe("invalid-json");
+    });
+    it("12. 400 zod validation failure (phase out of range)", async () => {
+        const r = await postTodo({ ...validBody(phaseFile), phase: 200 }); // max is 99
+        expect(r.status).toBe(400);
+        const parsed = JSON.parse(r.body);
+        expect(parsed.error).toBe("validation-failed");
+    });
+    it("13. POST to /api/plan still returns 405 (v1.1 regression guard)", async () => {
+        const r = await rawRequest({
+            method: "POST",
+            path: "/api/plan",
+            headers: { "Content-Type": "application/json" },
+            body: "{}",
+        });
+        expect(r.status).toBe(405);
+    });
+    it("14. Phase zero-pad: POST {phase:1} matches phase-01-setup.md (not phase-10-*)", async () => {
+        // Verify: phase:1 unambiguously matches phase-01-setup.md.
+        // phaseFile IS phase-01-setup.md, so the etag is fresh → expect 200.
+        const body = validBody(phaseFile, { phase: 1 });
+        const r = await postTodo(body);
+        const parsed = JSON.parse(r.body);
+        // Must NOT be ambiguous-phase error (phase-01-setup.md is the only match)
+        expect(parsed.error).not.toBe("ambiguous-phase");
+        // Must succeed: phase:1 → regex /^phase-0*1-.*\.md$/i matches "phase-01-setup.md"
+        // and does NOT match "phase-10-*.md" (zero-pad correct)
+        expect(r.status).toBe(200);
+        // Verify the matched file ends with phase-01-setup.md (not phase-1-anything or phase-10-*)
+        const updatedContent = fs.readFileSync(phaseFile, "utf-8");
+        // File content changed means phase-01-setup.md was correctly targeted
+        expect(updatedContent).toContain("- [x] Task A");
+        expect(phaseFile.endsWith("phase-01-setup.md")).toBe(true);
+    });
+});
+describe("OPTIONS /api/plan/todo", () => {
+    it("9. OPTIONS 204 with allowed origin — emits ACAO header", async () => {
+        const r = await rawRequest({
+            method: "OPTIONS",
+            path: "/api/plan/todo",
+            headers: {
+                "Origin": `http://127.0.0.1:${serverPort}`,
+                "Access-Control-Request-Method": "POST",
+            },
+        });
+        expect(r.status).toBe(204);
+        expect(r.headers["access-control-allow-origin"]).toBe(`http://127.0.0.1:${serverPort}`);
+        expect(r.headers["access-control-allow-methods"]).toContain("POST");
+    });
+    it("10. OPTIONS 403 with disallowed origin — NO ACAO header emitted", async () => {
+        const r = await rawRequest({
+            method: "OPTIONS",
+            path: "/api/plan/todo",
+            headers: {
+                "Origin": "http://evil.example.com",
+                "Access-Control-Request-Method": "POST",
+            },
+        });
+        expect(r.status).toBe(403);
+        // CRITICAL: no ACAO header on rejected origin
+        expect(r.headers["access-control-allow-origin"]).toBeUndefined();
+    });
+});
+//# sourceMappingURL=write-handlers.test.js.map

package/dist/orchviz/server/__tests__/write-handlers.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"write-handlers.test.js","sourceRoot":"","sources":["../../../../src/orchviz/server/__tests__/write-handlers.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAExD,IAAI,MAAM,GAAyB,IAAI,CAAC;AACxC,IAAI,MAAM,GAAkB,IAAI,CAAC;AACjC,IAAI,SAAS,GAAG,EAAE,CAAC;AACnB,IAAI,UAAU,GAAG,CAAC,CAAC;AAEnB,+EAA+E;AAE/E,SAAS,eAAe;IACvB,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAC,CAAC;IACvE,MAAM,IAAI,GAAG,MAAM,CAAC;IACpB,MAAM,IAAI,GAAG,kBAAkB,CAAC;IAChC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACxD,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG;QACpB,WAAW;QACX,EAAE;QACF,cAAc;QACd,EAAE;QACF,cAAc;QACd,cAAc;QACd,cAAc;QACd,EAAE;QACF,eAAe;QACf,EAAE;KACF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACb,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IAC1D,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;IACnD,eAAe;IACf,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,iCAAiC,EAAE,OAAO,CAAC,CAAC;IAC5F,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,WAAmB;IAC7C,MAAM,SAAS,GAAG,EAAE,CAAC,MAAM,EAAE,CAAC;IAC9B,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,EAAE,GAAG,IAAI,YAAY,EAAE,CAAC;IAC9B,MAAM,GAAG,IAAI,aAAa,CAAC;QAC1B,SAAS;QACT,WAAW,EAAE,EAAE;QACf,WAAW;QACX,aAAa;KACb,CAAC,CAAC;IACH,SAAS,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACjC,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;AAC1B,CAAC;AAUD,SAAS,UAAU,CAAC,IAKnB;IACA,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACtC,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAwB;YACpC,IAAI,EAAE,CAAC,CAAC,QAAQ;YAChB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;YACpB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE;gBACR,IAAI,EAAE,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,EAAE;gBAC/B,GAAG,IAAI,CAAC,OAAO;aACf;SACD,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzC,MAAM,UAAU,GAA2B,EAAE,CAAC;YAC9C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClD,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC;YACD,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YACzB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACzF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,IAAI,IAAI,CAAC,IAAI;YAAE,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpC,GAAG,CAAC,GAAG,EAAE,CAAC;IACX,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAChB,IAAa,EACb,eAAuC,EAAE;IAEzC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,UAAU,CAAC;QACjB,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE;YACR,cAAc,EAAE,kBAAkB;YAClC,QAAQ,EAAE,oBAAoB,UAAU,EAAE;YAC1C,GAAG,YAAY;SACf;QACD,IAAI,EAAE,OAAO;KACb,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,SAAiB,EAAE,YAAqC,EAAE;IAC5E,OAAO;QACN,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,CAAC;QACR,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,oBAAoB,CAAC,SAAS,CAAC;QACrC,GAAG,SAAS;KACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,IAAI,WAAW,GAAG,EAAE,CAAC;AACrB,IAAI,SAAS,GAAG,EAAE,CAAC;AAEnB,UAAU,CAAC,KAAK,IAAI,EAAE;IACrB,OAAO,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAC5C,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3B,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAC9B,MAAM,WAAW,CAAC,WAAW,CAAC,CAAC;AAChC,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,KAAK,IAAI,EAAE;IACpB,OAAO,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACZ,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,GAAG,IAAI,CAAC;IACf,CAAC;IACD,IAAI,MAAM,EAAE,CAAC;QACZ,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,MAAM,GAAG,IAAI,CAAC;IACf,CAAC;AACF,CAAC,CAAC,CAAC;AAEH,+EAA+E;AAE/E,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,UAAU,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzC,0BAA0B;QAC1B,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACvD,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,KAAK,IAAI,EAAE;QACzF,gCAAgC;QAChC,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC;QAC7C,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,sCAAsC;QACtC,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC;QAChD,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,CAAC,GAAG,MAAM,UAAU,CAAC;YAC1B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACR,cAAc,EAAE,kBAAkB;gBAClC,mBAAmB;aACnB;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;SAC1C,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;YAC9C,QAAQ,EAAE,yBAAyB;SACnC,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAChE,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,GAAG,CAAC;QAC3C,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/C,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,oBAAoB;QACtD,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC;QAC7C,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QACpE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QAC5C,iBAAiB;QACjB,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACvE,4BAA4B;QAC5B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,CAAC;YACR,OAAO,EAAE,CAAC;YACV,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACpB,IAAI,EAAE,MAAM;SACZ,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAE7C,0EAA0E;QAC1E,yEAAyE;QACzE,8EAA8E;QAC9E,MAAM,MAAM,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,EAAE;YACpD,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;YAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CACvB;gBACC,IAAI,EAAE,CAAC,CAAC,QAAQ;gBAChB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;gBACpB,IAAI,EAAE,gBAAgB;gBACtB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACR,IAAI,EAAE,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,EAAE;oBAC/B,cAAc,EAAE,kBAAkB;oBAClC,QAAQ,EAAE,oBAAoB,UAAU,EAAE;oBAC1C,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;iBACpD;aACD,EACD,CAAC,GAAG,EAAE,EAAE;gBACP,gDAAgD;gBAChD,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC,CAAC;gBAC7B,GAAG,CAAC,MAAM,EAAE,CAAC;YACd,CAAC,CACD,CAAC;YACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACvB,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,CAAC;gBACjD,8DAA8D;gBAC9D,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;oBAC/C,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,kCAAkC;gBACjD,CAAC;qBAAM,CAAC;oBACP,OAAO,CAAC,CAAC,CAAC,CAAC;gBACZ,CAAC;YACF,CAAC,CAAC,CAAC;YACH,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,EAAE,CAAC;QACX,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;QAC1C,MAAM,CAAC,GAAG,MAAM,UAAU,CAAC;YAC1B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACR,cAAc,EAAE,YAAY;gBAC5B,QAAQ,EAAE,oBAAoB,UAAU,EAAE;aAC1C;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;SAC1C,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACrC,MAAM,CAAC,GAAG,MAAM,UAAU,CAAC;YAC1B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACR,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,oBAAoB,UAAU,EAAE;aAC1C;YACD,IAAI,EAAE,kBAAkB;SACxB,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,YAAY;QAC/E,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,CAAC,GAAG,MAAM,UAAU,CAAC;YAC1B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,WAAW;YACjB,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI;SACV,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,KAAK,IAAI,EAAE;QAC9F,2DAA2D;QAC3D,qEAAqE;QACrE,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAElC,0EAA0E;QAC1E,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAEjD,kFAAkF;QAClF,wDAAwD;QACxD,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE3B,2FAA2F;QAC3F,MAAM,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC3D,sEAAsE;QACtE,MAAM,CAAC,cAAc,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACvC,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,CAAC,GAAG,MAAM,UAAU,CAAC;YAC1B,MAAM,EAAE,SAAS;YACjB,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACR,QAAQ,EAAE,oBAAoB,UAAU,EAAE;gBAC1C,+BAA+B,EAAE,MAAM;aACvC;SACD,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC,CAAC,IAAI,CAAC,oBAAoB,UAAU,EAAE,CAAC,CAAC;QACxF,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,CAAC,GAAG,MAAM,UAAU,CAAC;YAC1B,MAAM,EAAE,SAAS;YACjB,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACR,QAAQ,EAAE,yBAAyB;gBACnC,+BAA+B,EAAE,MAAM;aACvC;SACD,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,8CAA8C;QAC9C,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC"}

package/dist/orchviz/server/api-handlers.d.ts

@@ -0,0 +1,55 @@
+/**
+ * /api/overlays + /api/plan + /api/plans — JSON endpoints backed by collectors.
+ */
+import type { ServerResponse } from "node:http";
+import { PlanCollector, type PlanSnapshot } from "../plan/collector.js";
+export interface OverlayState {
+    gate1?: {
+        name: string;
+        approved: boolean;
+    } | null;
+    gate2?: {
+        name: string;
+        verdict: string;
+    } | null;
+    model?: string | null;
+    cost?: {
+        tokens: number;
+        usd: number;
+    } | null;
+    phase?: string | null;
+}
+export type OverlayProvider = () => OverlayState;
+export declare function writeJson(res: ServerResponse, status: number, body: unknown): void;
+export declare function handleOverlays(res: ServerResponse, provider: OverlayProvider): void;
+export declare const PLACEHOLDER_OVERLAYS: OverlayProvider;
+export declare function makeOverlayProvider(projectRoot: string): OverlayProvider;
+/**
+ * PlanProvider now accepts an optional slug string.
+ * PlanCollector.snapshot(slug?) maps to this signature.
+ */
+export type PlanProvider = (slug?: string) => PlanSnapshot;
+/**
+ * Handle GET /api/plan — optionally targeted by ?slug=<slug> query param.
+ *
+ * Error mapping (R2-8):
+ *   snapshot.error === "invalid-slug"   → 400
+ *   snapshot.error === "forbidden-path" → 403
+ *   snapshot.error === "not-found"      → 404
+ *   no error                            → 200
+ */
+export declare function handlePlan(res: ServerResponse, provider: PlanProvider, query: URLSearchParams): void;
+export declare const PLACEHOLDER_PLAN: PlanProvider;
+export declare function makePlanProvider(projectRoot: string): PlanProvider;
+/**
+ * Create a standalone PlanCollector instance for injection into the write handler.
+ * The write handler calls collector.invalidate() after every successful write,
+ * invalidating the cache so the next GET returns fresh data (R2-4).
+ */
+export declare function makePlanCollector(projectRoot: string): PlanCollector;
+/**
+ * Handle GET /api/plans — returns all non-archived plan summaries sorted mtime desc.
+ * HTML-tag scrub applied to all string fields (red-team H2).
+ */
+export declare function handlePlans(res: ServerResponse, projectRoot: string): void;
+//# sourceMappingURL=api-handlers.d.ts.map

package/dist/orchviz/server/api-handlers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-handlers.d.ts","sourceRoot":"","sources":["../../../src/orchviz/server/api-handlers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,OAAO,EAAE,aAAa,EAAE,KAAK,YAAY,EAA0B,MAAM,sBAAsB,CAAC;AAyBhG,MAAM,WAAW,YAAY;IAC5B,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC;IACnD,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACjD,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,IAAI,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IAC9C,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,YAAY,CAAC;AAEjD,wBAAgB,SAAS,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,IAAI,CAQlF;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,QAAQ,EAAE,eAAe,GAAG,IAAI,CAMnF;AAED,eAAO,MAAM,oBAAoB,EAAE,eAMjC,CAAC;AAEH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe,CAGxE;AAED;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,KAAK,YAAY,CAAC;AAE3D;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CACzB,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,YAAY,EACtB,KAAK,EAAE,eAAe,GACpB,IAAI,CAaN;AAED,eAAO,MAAM,gBAAgB,EAAE,YAK7B,CAAC;AAEH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,YAAY,CAGlE;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,CAEpE;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAQ1E"}

package/dist/orchviz/server/api-handlers.js

@@ -0,0 +1,112 @@
+/**
+ * /api/overlays + /api/plan + /api/plans — JSON endpoints backed by collectors.
+ */
+import { OverlayCollector } from "../overlay/collector.js";
+import { PlanCollector } from "../plan/collector.js";
+import { listPlans } from "../plan/list-plans.js";
+const PLAN_ERROR_HTTP = {
+    "invalid-slug": 400,
+    "forbidden-path": 403,
+    "not-found": 404,
+};
+const HTML_TAG_RE = /<[^>]*>/g;
+/** Recursively strip HTML tags from string fields. Defense-in-depth (red-team H2). */
+function stripHtmlDeep(value) {
+    if (typeof value === "string")
+        return value.replace(HTML_TAG_RE, "");
+    if (Array.isArray(value))
+        return value.map(stripHtmlDeep);
+    if (value && typeof value === "object") {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            out[k] = stripHtmlDeep(v);
+        }
+        return out;
+    }
+    return value;
+}
+export function writeJson(res, status, body) {
+    const payload = JSON.stringify(body);
+    res.writeHead(status, {
+        "Content-Type": "application/json; charset=utf-8",
+        "Content-Length": String(Buffer.byteLength(payload)),
+        "Cache-Control": "no-cache",
+    });
+    res.end(payload);
+}
+export function handleOverlays(res, provider) {
+    try {
+        writeJson(res, 200, provider());
+    }
+    catch {
+        writeJson(res, 500, { error: "overlay-read-failed" });
+    }
+}
+export const PLACEHOLDER_OVERLAYS = () => ({
+    gate1: null,
+    gate2: null,
+    model: null,
+    cost: null,
+    phase: null,
+});
+export function makeOverlayProvider(projectRoot) {
+    const collector = new OverlayCollector(projectRoot);
+    return () => collector.snapshot();
+}
+/**
+ * Handle GET /api/plan — optionally targeted by ?slug=<slug> query param.
+ *
+ * Error mapping (R2-8):
+ *   snapshot.error === "invalid-slug"   → 400
+ *   snapshot.error === "forbidden-path" → 403
+ *   snapshot.error === "not-found"      → 404
+ *   no error                            → 200
+ */
+export function handlePlan(res, provider, query) {
+    try {
+        const slug = query.get("slug") ?? undefined;
+        const snapshot = provider(slug);
+        if (snapshot.error) {
+            writeJson(res, PLAN_ERROR_HTTP[snapshot.error], { error: snapshot.error });
+            return;
+        }
+        const safe = stripHtmlDeep(snapshot);
+        writeJson(res, 200, safe);
+    }
+    catch {
+        writeJson(res, 500, { error: "plan-read-failed" });
+    }
+}
+export const PLACEHOLDER_PLAN = () => ({
+    plan: null,
+    phaseEtags: null,
+    readonly: false,
+    generatedAt: new Date().toISOString(),
+});
+export function makePlanProvider(projectRoot) {
+    const collector = new PlanCollector(projectRoot);
+    return (slug) => collector.snapshot(slug);
+}
+/**
+ * Create a standalone PlanCollector instance for injection into the write handler.
+ * The write handler calls collector.invalidate() after every successful write,
+ * invalidating the cache so the next GET returns fresh data (R2-4).
+ */
+export function makePlanCollector(projectRoot) {
+    return new PlanCollector(projectRoot);
+}
+/**
+ * Handle GET /api/plans — returns all non-archived plan summaries sorted mtime desc.
+ * HTML-tag scrub applied to all string fields (red-team H2).
+ */
+export function handlePlans(res, projectRoot) {
+    try {
+        const plans = listPlans(projectRoot);
+        const safe = stripHtmlDeep(plans);
+        writeJson(res, 200, { plans: safe, generatedAt: new Date().toISOString() });
+    }
+    catch {
+        writeJson(res, 500, { error: "plans-read-failed" });
+    }
+}
+//# sourceMappingURL=api-handlers.js.map

package/dist/orchviz/server/api-handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-handlers.js","sourceRoot":"","sources":["../../../src/orchviz/server/api-handlers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAA6C,MAAM,sBAAsB,CAAC;AAChG,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAElD,MAAM,eAAe,GAAsC;IAC1D,cAAc,EAAE,GAAG;IACnB,gBAAgB,EAAE,GAAG;IACrB,WAAW,EAAE,GAAG;CAChB,CAAC;AAEF,MAAM,WAAW,GAAG,UAAU,CAAC;AAE/B,sFAAsF;AACtF,SAAS,aAAa,CAAI,KAAQ;IACjC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAiB,CAAC;IACrF,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,aAAa,CAAiB,CAAC;IAC1E,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;YACvE,GAAG,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,GAAmB,CAAC;IAC5B,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAYD,MAAM,UAAU,SAAS,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa;IAC3E,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;QACrB,cAAc,EAAE,iCAAiC;QACjD,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACpD,eAAe,EAAE,UAAU;KAC3B,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAmB,EAAE,QAAyB;IAC5E,IAAI,CAAC;QACJ,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACR,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACvD,CAAC;AACF,CAAC;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAoB,GAAG,EAAE,CAAC,CAAC;IAC3D,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,IAAI,EAAE,IAAI;IACV,KAAK,EAAE,IAAI;CACX,CAAC,CAAC;AAEH,MAAM,UAAU,mBAAmB,CAAC,WAAmB;IACtD,MAAM,SAAS,GAAG,IAAI,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACpD,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;AACnC,CAAC;AAQD;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CACzB,GAAmB,EACnB,QAAsB,EACtB,KAAsB;IAEtB,IAAI,CAAC;QACJ,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;QAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpB,SAAS,CAAC,GAAG,EAAE,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC;YAC3E,OAAO;QACR,CAAC;QACD,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACrC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACR,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACpD,CAAC;AACF,CAAC;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAiB,GAAG,EAAE,CAAC,CAAC;IACpD,IAAI,EAAE,IAAI;IACV,UAAU,EAAE,IAAI;IAChB,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;CACrC,CAAC,CAAC;AAEH,MAAM,UAAU,gBAAgB,CAAC,WAAmB;IACnD,MAAM,SAAS,GAAG,IAAI,aAAa,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO,CAAC,IAAa,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACpD,OAAO,IAAI,aAAa,CAAC,WAAW,CAAC,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,GAAmB,EAAE,WAAmB;IACnE,IAAI,CAAC;QACJ,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QAClC,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACR,SAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;IACrD,CAAC;AACF,CAAC"}

package/dist/orchviz/server/index.d.ts

@@ -0,0 +1,36 @@
+/**
+ * OrchvizServer — node:http server bound 127.0.0.1 with SSE relay + static UI.
+ *
+ * Architecture ported from patoles/agent-flow @ 59ccf4e (app/src/server.ts +
+ * scripts/relay.ts SSE block). License Apache-2.0 (see ../../NOTICE).
+ */
+import { EventEmitter } from "node:events";
+import { type OverlayProvider, type PlanProvider } from "./api-handlers.js";
+import type { PlanCollector } from "../plan/collector.js";
+export interface OrchvizServerOptions {
+    port?: number;
+    staticDir: string;
+    eventSource: EventEmitter;
+    overlayProvider?: OverlayProvider;
+    planProvider?: PlanProvider;
+    /** Required for /api/plans endpoint. Falls back to no-op if absent. */
+    projectRoot?: string;
+    /** Required for POST /api/plan/todo cache invalidation (red-team M4 / R2-4). */
+    planCollector?: PlanCollector;
+    verbose?: boolean;
+}
+export declare class OrchvizServer {
+    private server;
+    private readonly relay;
+    private actualPort;
+    private readonly opts;
+    private readonly forwardEvent;
+    constructor(opts: OrchvizServerOptions);
+    get port(): number;
+    get url(): string;
+    start(onListening?: (url: string) => void): Promise<string>;
+    stop(): Promise<void>;
+    private routeRequest;
+    private isHostAllowed;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/orchviz/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/orchviz/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAM3C,OAAO,EAON,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,MAAM,mBAAmB,CAAC;AAM3B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,WAAW,oBAAoB;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,YAAY,CAAC;IAC1B,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gFAAgF;IAChF,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,aAAa;IACzB,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkB;IACxC,OAAO,CAAC,UAAU,CAAK;IACvB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAuB;IAC5C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA0B;gBAE3C,IAAI,EAAE,oBAAoB;IAOtC,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,IAAI,GAAG,IAAI,MAAM,CAEhB;IAEK,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC;IAoC3D,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB3B,OAAO,CAAC,YAAY;IAqDpB,OAAO,CAAC,aAAa;CAUrB"}