neohive 6.0.2 → 6.1.0

package/dashboard.js

@@ -4,6 +4,34 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const { spawn } = require('child_process');
+const { upsertNeohiveMcpInToml } = require('./lib/codex-neohive-toml');
+const { readIdeActivity, applyIdeActivityHint } = require('./lib/ide-activity');
+const _audit = require('./lib/audit');
+
+function findCursorProjectRootWithNeohive(startDir) {
+  let dir = path.resolve(startDir);
+  const root = path.parse(dir).root;
+  while (true) {
+    const mcpPath = path.join(dir, '.cursor', 'mcp.json');
+    if (fs.existsSync(mcpPath)) {
+      try {
+        const j = JSON.parse(fs.readFileSync(mcpPath, 'utf8'));
+        if (j.mcpServers && j.mcpServers.neohive) return dir;
+      } catch {}
+    }
+    if (dir === root) break;
+    dir = path.dirname(dir);
+  }
+  return null;
+}
+
+function normalizeNeohiveDataDirString(raw, workspaceRoot) {
+  if (raw == null || typeof raw !== 'string') return null;
+  let d = raw.trim();
+  if (!d) return null;
+  d = d.replace(/\$\{workspaceFolder\}/gi, workspaceRoot);
+  return path.isAbsolute(d) ? path.resolve(d) : path.resolve(workspaceRoot, d);
+}
 
 // --- File-level mutex for serializing read-then-write operations ---
 const lockMap = new Map();
@@ -15,6 +43,7 @@ function withFileLock(filePath, fn) {
 }
 
 const PORT = parseInt(process.env.NEOHIVE_PORT || '3000', 10);
+const SERVER_START_TIME = Date.now();
 const LAN_STATE_FILE = path.join(__dirname, '.lan-mode');
 let LAN_MODE = process.env.NEOHIVE_LAN === 'true' || (fs.existsSync(LAN_STATE_FILE) && fs.readFileSync(LAN_STATE_FILE, 'utf8').trim() === 'true');
 
@@ -56,9 +85,130 @@ function getLanIP() {
   }
   return fallback;
 }
-const DEFAULT_DATA_DIR = process.env.NEOHIVE_DATA || path.join(process.cwd(), '.neohive');
+
+// Check if a directory has actual data files (not just an empty dir)
+function hasDataFiles(dir) {
+  if (!fs.existsSync(dir)) return false;
+  try {
+    const files = fs.readdirSync(dir);
+    return files.some(f => f.endsWith('.jsonl') || f === 'agents.json');
+  } catch { return false; }
+}
+
+function countAgentsInNeohiveDir(nhDir) {
+  if (!fs.existsSync(nhDir)) return 0;
+  const ag = path.join(nhDir, 'agents.json');
+  if (!fs.existsSync(ag)) return 0;
+  try {
+    const j = JSON.parse(fs.readFileSync(ag, 'utf8'));
+    return j && typeof j === 'object' ? Object.keys(j).length : 0;
+  } catch { return 0; }
+}
+
+function countNeohiveJsonArray(filePath) {
+  if (!fs.existsSync(filePath)) return 0;
+  try {
+    const j = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+    return Array.isArray(j) ? j.length : 0;
+  } catch { return 0; }
+}
+
+function neohiveHasTasksOrWorkflows(nhDir) {
+  return countNeohiveJsonArray(path.join(nhDir, 'tasks.json')) > 0
+    || countNeohiveJsonArray(path.join(nhDir, 'workflows.json')) > 0;
+}
+
+// Score each ancestor’s .neohive so we prefer the hive that has tasks/workflows (not the first with only agents).
+function scoreNeohiveDataDir(nhDir) {
+  if (!fs.existsSync(nhDir)) return -1;
+  let s = countAgentsInNeohiveDir(nhDir) * 10;
+  s += countNeohiveJsonArray(path.join(nhDir, 'tasks.json'));
+  s += countNeohiveJsonArray(path.join(nhDir, 'workflows.json')) * 3;
+  if (hasDataFiles(nhDir)) s += 5;
+  return s;
+}
+
+function bestNeohiveAmongAncestors(startDir) {
+  let dir = path.resolve(startDir);
+  const root = path.parse(dir).root;
+  let best = null;
+  let bestScore = -1;
+  for (let d = 0; d < 24 && dir !== root; d++) {
+    const nh = path.join(dir, '.neohive');
+    const sc = scoreNeohiveDataDir(nh);
+    if (sc > bestScore) {
+      bestScore = sc;
+      best = nh;
+    }
+    dir = path.dirname(dir);
+  }
+  if (bestScore <= 0) return null;
+  return best;
+}
+
+// Read NEOHIVE_DATA_DIR from project-local MCP configs (same files init writes).
+// Cursor uses ${workspaceFolder} in .cursor/mcp.json — expand using projectRoot when parsing files.
+function readNeohiveDataDirFromMcpConfigs(projectRoot) {
+  const candidates = [
+    path.join(projectRoot, '.cursor', 'mcp.json'),
+    path.join(projectRoot, '.mcp.json'),
+    path.join(projectRoot, '.gemini', 'settings.json'),
+  ];
+  for (const filePath of candidates) {
+    if (!fs.existsSync(filePath)) continue;
+    try {
+      const j = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+      const nh = j.mcpServers && j.mcpServers.neohive;
+      const raw = nh && nh.env && nh.env.NEOHIVE_DATA_DIR;
+      const out = normalizeNeohiveDataDirString(raw, projectRoot);
+      if (out) return out;
+    } catch {}
+  }
+  return null;
+}
+
+function resolveDashboardDefaultDataDir() {
+  let envData = process.env.NEOHIVE_DATA_DIR || process.env.NEOHIVE_DATA;
+  if (envData && String(envData).trim()) {
+    let s = String(envData).trim();
+    if (/\$\{workspaceFolder\}/i.test(s)) {
+      const root = findCursorProjectRootWithNeohive(process.cwd());
+      if (root) s = s.replace(/\$\{workspaceFolder\}/gi, root);
+    }
+    return { path: path.resolve(s), source: 'environment' };
+  }
+  const fromWalk = bestNeohiveAmongAncestors(process.cwd());
+  if (fromWalk) {
+    return { path: fromWalk, source: 'walk-up' };
+  }
+  let dir = path.resolve(process.cwd());
+  const root = path.parse(dir).root;
+  while (true) {
+    const fromMcp = readNeohiveDataDirFromMcpConfigs(dir);
+    if (fromMcp) {
+      return { path: fromMcp, source: 'mcp-config', configAt: dir };
+    }
+    if (dir === root) break;
+    dir = path.dirname(dir);
+  }
+  return { path: path.join(process.cwd(), '.neohive'), source: 'cwd' };
+}
+
+const _defaultDataResolved = resolveDashboardDefaultDataDir();
+const DEFAULT_DATA_DIR = _defaultDataResolved.path;
+
+// Auto-migrate from .agent-bridge/ to .neohive/ (v5 → v6 rename)
+const _legacyDir = path.join(path.dirname(DEFAULT_DATA_DIR), '.agent-bridge');
+if (!fs.existsSync(DEFAULT_DATA_DIR) && fs.existsSync(_legacyDir)) {
+  try { fs.renameSync(_legacyDir, DEFAULT_DATA_DIR); } catch {}
+}
+
 const HTML_FILE = path.join(__dirname, 'dashboard.html');
-const LOGO_FILE = path.join(__dirname, 'logo.png');
+const DESIGN_SYSTEM_CSS = path.join(__dirname, 'design-system.css');
+const DESIGN_SYSTEM_HTML = path.join(__dirname, 'design-system.html');
+const LOGO_FILE = path.join(__dirname, 'logo.svg');
+const LOGO_SVG_FILE = path.join(__dirname, 'logo.svg');
+const FAVICON_FILE = path.join(__dirname, 'favicon.png');
 const PROJECTS_FILE = path.join(__dirname, 'projects.json');
 
 // --- Multi-project support ---
@@ -69,25 +219,32 @@ function getProjects() {
 }
 
 function saveProjects(projects) {
-  fs.writeFileSync(PROJECTS_FILE, JSON.stringify(projects, null, 2));
+  try {
+    fs.writeFileSync(PROJECTS_FILE, JSON.stringify(projects, null, 2));
+  } catch (e) {
+    console.error('[saveProjects] Failed to write projects file:', e.message);
+    throw new Error('Failed to save projects: ' + e.message);
+  }
 }
 
-// Check if a directory has actual data files (not just an empty dir)
-function hasDataFiles(dir) {
-  if (!fs.existsSync(dir)) return false;
-  try {
-    const files = fs.readdirSync(dir);
-    return files.some(f => f.endsWith('.jsonl') || f === 'agents.json');
-  } catch { return false; }
+// Multi-project paths must be the repo root, not .../project/.neohive (otherwise we join .neohive twice).
+function normalizeMonitoredProjectRoot(projectPath) {
+  if (!projectPath) return projectPath;
+  const p = path.resolve(projectPath);
+  if (path.basename(p) === '.neohive') {
+    return path.dirname(p);
+  }
+  return p;
 }
 
 // Resolve data dir: explicit project path > env var > cwd > legacy fallback
 // Prefers directories with actual data files over empty ones
 function resolveDataDir(projectPath) {
   if (projectPath) {
-    const dir = path.join(projectPath, '.neohive');
+    projectPath = normalizeMonitoredProjectRoot(projectPath);
+    let dir = path.join(projectPath, '.neohive');
     const dataDir = path.join(projectPath, 'data');
-    // Prefer whichever has data
+    // Prefer whichever has data (local hive only — do not redirect agents/messages to parent)
     if (hasDataFiles(dir)) return dir;
     if (hasDataFiles(dataDir)) return dataDir;
     if (fs.existsSync(dir)) return dir;
@@ -103,19 +260,35 @@ function resolveDataDir(projectPath) {
   return DEFAULT_DATA_DIR;
 }
 
+// Monorepo: tasks/workflows may live in parent .neohive while agents.json stays in the subfolder.
+// Using parent for *all* files hid agents (empty parent agents.json). Only tasks + workflows use this.
+function resolveTasksWorkflowsDataDir(projectPath) {
+  if (!projectPath) return resolveDataDir(null);
+  projectPath = normalizeMonitoredProjectRoot(projectPath);
+  const localHive = path.join(projectPath, '.neohive');
+  const parentHive = path.join(path.dirname(projectPath), '.neohive');
+  if (!neohiveHasTasksOrWorkflows(localHive) && neohiveHasTasksOrWorkflows(parentHive)) {
+    return parentHive;
+  }
+  return resolveDataDir(projectPath);
+}
+
 function filePath(name, projectPath) {
-  return path.join(resolveDataDir(projectPath), name);
+  const dir = (name === 'tasks.json' || name === 'workflows.json')
+    ? resolveTasksWorkflowsDataDir(projectPath)
+    : resolveDataDir(projectPath);
+  return path.join(dir, name);
 }
 
 // Validate project path is registered or is the default
 function validateProjectPath(projectPath) {
   if (!projectPath) return true;
-  const absPath = path.resolve(projectPath);
+  const absPath = normalizeMonitoredProjectRoot(path.resolve(projectPath));
   const projects = getProjects();
   const cwd = path.resolve(process.cwd());
   const scriptDir = path.resolve(__dirname);
   if (absPath === cwd || absPath === scriptDir) return true;
-  return projects.some(p => path.resolve(p.path) === absPath);
+  return projects.some(p => normalizeMonitoredProjectRoot(path.resolve(p.path)) === absPath);
 }
 
 function htmlEscape(s) {
@@ -139,7 +312,7 @@ function readJson(file) {
 }
 
 function isPidAlive(pid, lastActivity) {
-  const STALE_THRESHOLD = 60000; // 60s — if heartbeat updated within this, agent is alive
+  const STALE_THRESHOLD = 30000; // 30s — 3x heartbeat interval, catches dead agents faster
 
   // PRIORITY 1: Trust heartbeat freshness over PID status
   // Heartbeats are written by the actual running process — if fresh, agent is alive
@@ -160,18 +333,18 @@ function isPidAlive(pid, lastActivity) {
 
 // --- Default avatar helpers ---
 const BUILT_IN_AVATARS = [
-  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%2358a6ff'/%3E%3Ccircle cx='22' cy='26' r='4' fill='%23fff'/%3E%3Ccircle cx='42' cy='26' r='4' fill='%23fff'/%3E%3Crect x='20' y='38' width='24' height='4' rx='2' fill='%23fff'/%3E%3Crect x='14' y='12' width='6' height='10' rx='3' fill='%2358a6ff' stroke='%23fff' stroke-width='1.5'/%3E%3Crect x='44' y='12' width='6' height='10' rx='3' fill='%2358a6ff' stroke='%23fff' stroke-width='1.5'/%3E%3C/svg%3E",
+  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23f59e0b'/%3E%3Ccircle cx='22' cy='26' r='4' fill='%23fff'/%3E%3Ccircle cx='42' cy='26' r='4' fill='%23fff'/%3E%3Crect x='20' y='38' width='24' height='4' rx='2' fill='%23fff'/%3E%3Crect x='14' y='12' width='6' height='10' rx='3' fill='%23f59e0b' stroke='%23fff' stroke-width='1.5'/%3E%3Crect x='44' y='12' width='6' height='10' rx='3' fill='%23f59e0b' stroke='%23fff' stroke-width='1.5'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%233fb950'/%3E%3Ccircle cx='22' cy='26' r='5' fill='%23fff'/%3E%3Ccircle cx='42' cy='26' r='5' fill='%23fff'/%3E%3Ccircle cx='22' cy='26' r='2' fill='%23333'/%3E%3Ccircle cx='42' cy='26' r='2' fill='%23333'/%3E%3Cpath d='M20 38 Q32 46 44 38' stroke='%23fff' fill='none' stroke-width='2.5' stroke-linecap='round'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23d29922'/%3E%3Crect x='16' y='22' width='12' height='8' rx='2' fill='%23fff'/%3E%3Crect x='36' y='22' width='12' height='8' rx='2' fill='%23fff'/%3E%3Ccircle cx='22' cy='26' r='2' fill='%23333'/%3E%3Ccircle cx='42' cy='26' r='2' fill='%23333'/%3E%3Cpath d='M24 40 H40' stroke='%23fff' stroke-width='2.5' stroke-linecap='round'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23f85149'/%3E%3Ccircle cx='22' cy='26' r='4' fill='%23fff'/%3E%3Ccircle cx='42' cy='26' r='4' fill='%23fff'/%3E%3Ccircle cx='22' cy='26' r='2' fill='%23333'/%3E%3Ccircle cx='42' cy='26' r='2' fill='%23333'/%3E%3Cpath d='M22 40 Q32 34 42 40' stroke='%23fff' fill='none' stroke-width='2.5' stroke-linecap='round'/%3E%3C/svg%3E",
-  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23bc8cff'/%3E%3Ccircle cx='22' cy='28' r='4' fill='%23fff'/%3E%3Ccircle cx='42' cy='28' r='4' fill='%23fff'/%3E%3Cpath d='M16 18 L22 24' stroke='%23fff' stroke-width='2' stroke-linecap='round'/%3E%3Cpath d='M48 18 L42 24' stroke='%23fff' stroke-width='2' stroke-linecap='round'/%3E%3Cellipse cx='32' cy='42' rx='8' ry='4' fill='%23fff'/%3E%3C/svg%3E",
+  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23fb923c'/%3E%3Ccircle cx='22' cy='28' r='4' fill='%23fff'/%3E%3Ccircle cx='42' cy='28' r='4' fill='%23fff'/%3E%3Cpath d='M16 18 L22 24' stroke='%23fff' stroke-width='2' stroke-linecap='round'/%3E%3Cpath d='M48 18 L42 24' stroke='%23fff' stroke-width='2' stroke-linecap='round'/%3E%3Cellipse cx='32' cy='42' rx='8' ry='4' fill='%23fff'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23f778ba'/%3E%3Ccircle cx='24' cy='26' r='6' fill='%23fff'/%3E%3Ccircle cx='40' cy='26' r='6' fill='%23fff'/%3E%3Ccircle cx='24' cy='26' r='3' fill='%23333'/%3E%3Ccircle cx='40' cy='26' r='3' fill='%23333'/%3E%3Cpath d='M26 40 Q32 46 38 40' stroke='%23fff' fill='none' stroke-width='2' stroke-linecap='round'/%3E%3C/svg%3E",
-  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%2379c0ff'/%3E%3Crect x='17' y='23' width='10' height='6' rx='3' fill='%23fff'/%3E%3Crect x='37' y='23' width='10' height='6' rx='3' fill='%23fff'/%3E%3Cpath d='M22 38 L32 44 L42 38' stroke='%23fff' fill='none' stroke-width='2.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E",
+  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23fbbf24'/%3E%3Crect x='17' y='23' width='10' height='6' rx='3' fill='%23fff'/%3E%3Crect x='37' y='23' width='10' height='6' rx='3' fill='%23fff'/%3E%3Cpath d='M22 38 L32 44 L42 38' stroke='%23fff' fill='none' stroke-width='2.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%237ee787'/%3E%3Ccircle cx='22' cy='26' r='4' fill='%23fff'/%3E%3Ccircle cx='42' cy='26' r='4' fill='%23fff'/%3E%3Ccircle cx='23' cy='25' r='2' fill='%23333'/%3E%3Ccircle cx='43' cy='25' r='2' fill='%23333'/%3E%3Cpath d='M20 38 Q32 48 44 38' stroke='%23fff' fill='none' stroke-width='2.5' stroke-linecap='round'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23e3b341'/%3E%3Cpath d='M18 22 L26 30 L18 30Z' fill='%23fff'/%3E%3Cpath d='M46 22 L38 30 L46 30Z' fill='%23fff'/%3E%3Crect x='24' y='38' width='16' height='6' rx='3' fill='%23fff'/%3E%3C/svg%3E",
   "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23ffa198'/%3E%3Ccircle cx='22' cy='26' r='5' fill='%23fff'/%3E%3Ccircle cx='42' cy='26' r='5' fill='%23fff'/%3E%3Ccircle cx='22' cy='27' r='2.5' fill='%23333'/%3E%3Ccircle cx='42' cy='27' r='2.5' fill='%23333'/%3E%3Cellipse cx='32' cy='42' rx='6' ry='3' fill='%23fff'/%3E%3C/svg%3E",
-  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%230969da'/%3E%3Crect x='16' y='20' width='14' height='10' rx='2' fill='%23fff'/%3E%3Crect x='34' y='20' width='14' height='10' rx='2' fill='%23fff'/%3E%3Ccircle cx='23' cy='25' r='2' fill='%230969da'/%3E%3Ccircle cx='41' cy='25' r='2' fill='%230969da'/%3E%3Crect x='26' y='38' width='12' height='4' rx='2' fill='%23fff'/%3E%3C/svg%3E",
-  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%238250df'/%3E%3Ccircle cx='24' cy='24' r='5' fill='%23fff'/%3E%3Ccircle cx='40' cy='24' r='5' fill='%23fff'/%3E%3Ccircle cx='24' cy='24' r='2' fill='%238250df'/%3E%3Ccircle cx='40' cy='24' r='2' fill='%238250df'/%3E%3Cpath d='M20 38 Q32 50 44 38' stroke='%23fff' fill='none' stroke-width='3' stroke-linecap='round'/%3E%3Ccircle cx='32' cy='10' r='4' fill='%23fff'/%3E%3C/svg%3E",
+  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23d97706'/%3E%3Crect x='16' y='20' width='14' height='10' rx='2' fill='%23fff'/%3E%3Crect x='34' y='20' width='14' height='10' rx='2' fill='%23fff'/%3E%3Ccircle cx='23' cy='25' r='2' fill='%23d97706'/%3E%3Ccircle cx='41' cy='25' r='2' fill='%23d97706'/%3E%3Crect x='26' y='38' width='12' height='4' rx='2' fill='%23fff'/%3E%3C/svg%3E",
+  "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 64 64'%3E%3Crect width='64' height='64' rx='32' fill='%23b45309'/%3E%3Ccircle cx='24' cy='24' r='5' fill='%23fff'/%3E%3Ccircle cx='40' cy='24' r='5' fill='%23fff'/%3E%3Ccircle cx='24' cy='24' r='2' fill='%23b45309'/%3E%3Ccircle cx='40' cy='24' r='2' fill='%23b45309'/%3E%3Cpath d='M20 38 Q32 50 44 38' stroke='%23fff' fill='none' stroke-width='3' stroke-linecap='round'/%3E%3Ccircle cx='32' cy='10' r='4' fill='%23fff'/%3E%3C/svg%3E",
 ];
 
 function hashName(name) {
@@ -268,24 +441,25 @@ function apiAgents(query) {
   const projectPath = query.get('project') || null;
   const agents = readJson(filePath('agents.json', projectPath));
   const profiles = readJson(filePath('profiles.json', projectPath));
+  const cards = readJson(filePath('agent-cards.json', projectPath));
   const history = readJsonl(filePath('history.jsonl', projectPath));
 
-  // Merge per-agent heartbeat files — agents write these during listen loops
-  // Without this merge, agents show as dead because agents.json has stale last_activity
   const dataDir = resolveDataDir(projectPath);
   try {
     const hbFiles = fs.readdirSync(dataDir).filter(f => f.startsWith('heartbeat-') && f.endsWith('.json'));
     for (const f of hbFiles) {
-      const name = f.slice(10, -5); // 'heartbeat-Backend.json' → 'Backend'
+      const name = f.slice(10, -5);
       if (agents[name]) {
         try {
           const hb = JSON.parse(fs.readFileSync(path.join(dataDir, f), 'utf8'));
           if (hb.last_activity) agents[name].last_activity = hb.last_activity;
           if (hb.pid) agents[name].pid = hb.pid;
+          if (hb.ppid) agents[name].ppid = hb.ppid;
         } catch {}
       }
     }
   } catch {}
+
   const result = {};
 
   // Build last message timestamp per agent from history
@@ -298,16 +472,46 @@ function apiAgents(query) {
     const alive = isPidAlive(info.pid, info.last_activity);
     const lastActivity = info.last_activity || info.timestamp;
     const idleSeconds = Math.floor((Date.now() - new Date(lastActivity).getTime()) / 1000);
+    const hasHeartbeat = fs.existsSync(path.join(resolveDataDir(projectPath), `heartbeat-${name}.json`));
     const profile = profiles[name] || {};
     const isLocal = (() => { try { process.kill(info.pid, 0); return true; } catch { return false; } })();
+
+    let status;
+    if (alive) {
+      if (info.listening_since) {
+        status = 'listening';
+      } else {
+        // Detect stuck/unresponsive: agent is alive but hasn't called listen() recently
+        const lastListened = info.last_listened_at;
+        const sinceLastListen = lastListened ? Math.floor((Date.now() - new Date(lastListened).getTime()) / 1000) : Infinity;
+        if (sinceLastListen > 600) {
+          status = 'stuck'; // > 10 minutes without listen() call
+        } else if (sinceLastListen > 120) {
+          status = 'unresponsive'; // > 2 minutes without listen() call
+        } else if (idleSeconds > 30) {
+          status = 'idle';
+        } else {
+          status = 'working';
+        }
+      }
+    } else if (!hasHeartbeat) {
+      status = 'unknown';
+    } else if (idleSeconds <= 120) {
+      status = 'stale';
+    } else {
+      status = 'offline';
+    }
+
     result[name] = {
       pid: info.pid,
+      ppid: info.ppid || null,
       alive,
       registered_at: info.timestamp,
       last_activity: lastActivity,
       last_message: lastMessageTime[name] || null,
       idle_seconds: alive ? idleSeconds : null,
-      status: !alive ? 'dead' : idleSeconds > 60 ? 'sleeping' : 'active',
+      last_listened_at: info.last_listened_at || null,
+      status,
       listening_since: info.listening_since || null,
       is_listening: !!(info.listening_since && alive),
       provider: info.provider || 'unknown',
@@ -319,6 +523,8 @@ function apiAgents(query) {
       appearance: profile.appearance || {},
       hostname: info.hostname || null,
       is_remote: !isLocal && alive,
+      platform_skills: (cards && cards[name] && cards[name].platform_skills) || [],
+      skills: (cards && cards[name] && cards[name].skills) || [],
     };
     // Include workspace status for agent intent board
     try {
@@ -328,6 +534,10 @@ function apiAgents(query) {
         if (ws._status) result[name].current_status = ws._status;
       }
     } catch {}
+
+    const dataDir = resolveDataDir(projectPath);
+    const ide = readIdeActivity(dataDir, name);
+    if (ide) applyIdeActivityHint(result[name], ide, { dataDir, agentName: name });
   }
   return result;
 }
@@ -345,7 +555,7 @@ function apiStatus(query) {
     if (!isPidAlive(a.pid, a.last_activity)) return false;
     const lastActivity = a.last_activity || a.timestamp;
     const idleSeconds = Math.floor((Date.now() - new Date(lastActivity).getTime()) / 1000);
-    return idleSeconds > 60;
+    return idleSeconds > 30;
   }).length;
 
   // Include managed mode status if active
@@ -357,6 +567,7 @@ function apiStatus(query) {
     sleepingCount,
     threadCount: threads.size,
     conversation_mode: config.conversation_mode || 'direct',
+    coordinator_mode: config.coordinator_mode || 'responsive',
   };
 
   if (config.conversation_mode === 'managed' && config.managed) {
@@ -483,6 +694,210 @@ function generateNotifications(currentAgents) {
   }
 }
 
+// --- Token Usage Tracking ---
+
+// Walk the process tree upward from startPid, returning the first PID
+// that has a session file in sessionsDir. At each level also checks
+// sibling processes (children of the same parent) to handle the VS Code
+// MCP topology where the claude binary and MCP server share a parent.
+function findSessionPidInTree(startPid, sessionsDir, maxDepth = 5) {
+  const { execSync } = require('child_process');
+  const getParent = (pid) => {
+    try {
+      const s = execSync(`ps -o ppid= -p ${pid} 2>/dev/null`, { timeout: 1000 }).toString().trim();
+      const n = parseInt(s, 10);
+      return (n && n !== pid) ? n : null;
+    } catch { return null; }
+  };
+  const getSiblings = (parentPid) => {
+    try {
+      return execSync(`pgrep -P ${parentPid} 2>/dev/null`, { timeout: 1000 })
+        .toString().trim().split('\n').map(s => parseInt(s, 10)).filter(Boolean);
+    } catch { return []; }
+  };
+
+  let pid = startPid;
+  for (let i = 0; i < maxDepth; i++) {
+    if (!pid || pid <= 1) break;
+    // Check this pid directly
+    if (fs.existsSync(path.join(sessionsDir, pid + '.json'))) return pid;
+    const parent = getParent(pid);
+    if (!parent) break;
+    // Check siblings (handles VS Code: MCP server and claude binary share same parent)
+    for (const sibling of getSiblings(parent)) {
+      if (sibling === pid) continue;
+      if (fs.existsSync(path.join(sessionsDir, sibling + '.json'))) return sibling;
+    }
+    pid = parent;
+  }
+  return null;
+}
+
+// Pricing per 1M tokens (USD)
+const TOKEN_PRICING = {
+  'claude-opus-4-6': { input: 15.00, output: 75.00, cache_write: 18.75, cache_read: 1.50 },
+  'claude-sonnet-4-6': { input: 3.00, output: 15.00, cache_write: 3.75, cache_read: 0.30 },
+  'claude-haiku-4-5': { input: 0.80, output: 4.00, cache_write: 1.00, cache_read: 0.08 },
+};
+
+function parseSessionUsage(sessionFile, maxBytes) {
+  const usage = { input_tokens: 0, output_tokens: 0, cache_creation_tokens: 0, cache_read_tokens: 0, messages: 0, model: null };
+  try {
+    const stat = fs.statSync(sessionFile);
+    // For huge files, only read the last portion to avoid memory issues
+    const readSize = Math.min(stat.size, maxBytes || 5 * 1024 * 1024); // 5MB max
+    const fd = fs.openSync(sessionFile, 'r');
+    const buf = Buffer.alloc(readSize);
+    fs.readSync(fd, buf, 0, readSize, Math.max(0, stat.size - readSize));
+    fs.closeSync(fd);
+    const content = buf.toString('utf8');
+    // Find complete lines (skip partial first line if we started mid-file)
+    const lines = content.split('\n');
+    if (stat.size > readSize) lines.shift(); // skip potentially partial first line
+    for (const line of lines) {
+      if (!line.trim() || !line.includes('"usage"')) continue;
+      try {
+        const entry = JSON.parse(line);
+        if (entry.type === 'assistant' && entry.message && entry.message.usage) {
+          const u = entry.message.usage;
+          usage.input_tokens += u.input_tokens || 0;
+          usage.output_tokens += u.output_tokens || 0;
+          usage.cache_creation_tokens += u.cache_creation_input_tokens || 0;
+          usage.cache_read_tokens += u.cache_read_input_tokens || 0;
+          usage.messages++;
+          if (entry.message.model) usage.model = entry.message.model;
+        }
+      } catch { /* skip unparseable lines */ }
+    }
+  } catch (e) { /* session file unreadable */ }
+  return usage;
+}
+
+/**
+ * Score all .jsonl session files in the project dir by birthtime proximity to
+ * an agent's started_at. Returns sorted array of { file, delta } (ascending).
+ */
+function scoreSessionsByProximity(projectSessionDir, agentStartedAt) {
+  if (!agentStartedAt || !fs.existsSync(projectSessionDir)) return [];
+  const agentTs = new Date(agentStartedAt).getTime();
+  if (isNaN(agentTs)) return [];
+
+  const scored = [];
+  try {
+    const files = fs.readdirSync(projectSessionDir).filter(f => f.endsWith('.jsonl'));
+    for (const f of files) {
+      const fp = path.join(projectSessionDir, f);
+      try {
+        const stat = fs.statSync(fp);
+        scored.push({ file: fp, delta: Math.abs(stat.birthtimeMs - agentTs) });
+      } catch { /* skip unreadable */ }
+    }
+  } catch { return []; }
+  scored.sort((a, b) => a.delta - b.delta);
+  return scored;
+}
+
+function apiTokenUsage(query) {
+  const projectPath = query.get('project') || null;
+  const dataDir = resolveDataDir(projectPath);
+  const agents = readJson(filePath('agents.json', projectPath));
+  const home = os.homedir();
+  const sessionsDir = path.join(home, '.claude', 'sessions');
+  const projectAbsPath = projectPath ? path.resolve(projectPath) : path.resolve(process.cwd());
+  const projectSlug = projectAbsPath.replace(/\//g, '-');
+  const projectSessionDir = path.join(home, '.claude', 'projects', projectSlug);
+
+  const result = { agents: {}, total_cost_usd: 0, total_tokens: 0 };
+
+  const agentSessions = {};
+  const claimedFiles = new Set();
+
+  for (const [name, info] of Object.entries(agents)) {
+    if (!info.pid) continue;
+    try {
+      // Priority 0: direct session ID from env var (written to agents.json + heartbeat)
+      const sessionId = info.claude_session_id || (() => {
+        try {
+          const hb = JSON.parse(fs.readFileSync(path.join(dataDir, `heartbeat-${name}.json`), 'utf8'));
+          return hb.claude_session_id || null;
+        } catch { return null; }
+      })();
+      if (sessionId) {
+        const candidate = path.join(projectSessionDir, sessionId + '.jsonl');
+        if (fs.existsSync(candidate)) {
+          agentSessions[name] = candidate;
+          claimedFiles.add(candidate);
+          continue;
+        }
+      }
+
+      // Priority 1: process-tree lookup
+      const cliPid = findSessionPidInTree(info.pid, sessionsDir) ||
+                     (info.ppid ? findSessionPidInTree(info.ppid, sessionsDir) : null);
+      if (cliPid) {
+        const pidFile = path.join(sessionsDir, cliPid + '.json');
+        const session = readJson(pidFile);
+        if (session && session.sessionId) {
+          const candidate = path.join(projectSessionDir, session.sessionId + '.jsonl');
+          if (fs.existsSync(candidate)) {
+            agentSessions[name] = candidate;
+            claimedFiles.add(candidate);
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // Phase 2: fallback — greedy assignment by birthtime proximity (closest-first wins)
+  const needFallback = Object.entries(agents)
+    .filter(([name, info]) => info.pid && !agentSessions[name])
+    .map(([name, info]) => {
+      const scored = scoreSessionsByProximity(projectSessionDir, info.started_at || info.timestamp);
+      return { name, scored };
+    })
+    .sort((a, b) => {
+      const aMin = a.scored.length ? a.scored[0].delta : Infinity;
+      const bMin = b.scored.length ? b.scored[0].delta : Infinity;
+      return aMin - bMin;
+    });
+
+  for (const { name, scored } of needFallback) {
+    for (const { file } of scored) {
+      if (!claimedFiles.has(file)) {
+        agentSessions[name] = file;
+        claimedFiles.add(file);
+        break;
+      }
+    }
+  }
+
+  // Phase 3: compute usage + cost
+  for (const [name, sessionFile] of Object.entries(agentSessions)) {
+    try {
+      const info = agents[name];
+      const usage = parseSessionUsage(sessionFile);
+      const pricing = TOKEN_PRICING[usage.model] || TOKEN_PRICING['claude-opus-4-6'];
+      const cost = (usage.input_tokens * pricing.input + usage.output_tokens * pricing.output + usage.cache_creation_tokens * pricing.cache_write + usage.cache_read_tokens * pricing.cache_read) / 1000000;
+
+      result.agents[name] = {
+        model: usage.model,
+        input_tokens: usage.input_tokens,
+        output_tokens: usage.output_tokens,
+        cache_creation_tokens: usage.cache_creation_tokens,
+        cache_read_tokens: usage.cache_read_tokens,
+        total_tokens: usage.input_tokens + usage.output_tokens + usage.cache_creation_tokens + usage.cache_read_tokens,
+        estimated_cost_usd: Math.round(cost * 100) / 100,
+        messages: usage.messages,
+        pid: info.pid,
+      };
+      result.total_cost_usd += cost;
+      result.total_tokens += result.agents[name].total_tokens;
+    } catch { /* skip */ }
+  }
+  result.total_cost_usd = Math.round(result.total_cost_usd * 100) / 100;
+  return result;
+}
+
 function apiNotifications() {
   return notificationHistory;
 }
@@ -619,7 +1034,7 @@ function apiExportReplay(query) {
   const history = readJsonl(filePath('history.jsonl', projectPath));
   const profiles = readJson(filePath('profiles.json', projectPath));
 
-  const colors = ['#58a6ff','#3fb950','#d29922','#bc8cff','#f778ba','#ff7b72','#79c0ff','#7ee787'];
+  const colors = ['#f59e0b','#f97316','#3fb950','#d29922','#f778ba','#7ee787','#e3b341','#14b8a6'];
   const agentColors = {};
   let colorIdx = 0;
   for (const m of history) {
@@ -627,7 +1042,7 @@ function apiExportReplay(query) {
   }
 
   const messagesJson = JSON.stringify(history.map(m => ({
-    from: m.from, to: m.to, content: m.content, timestamp: m.timestamp, color: agentColors[m.from] || '#58a6ff'
+    from: m.from, to: m.to, content: m.content, timestamp: m.timestamp, color: agentColors[m.from] || '#f59e0b'
   })));
 
   return `<!DOCTYPE html>
@@ -823,6 +1238,9 @@ function apiLoadConversation(query) {
   return { success: true };
 }
 
+// Sender names API callers must not use for /api/inject (prevents forged system/group traffic)
+const INJECT_FROM_BLOCKLIST = new Set(['__system__', '__all__', '__open__', '__close__', '__group__']);
+
 // Inject a message from the dashboard (system message or nudge to an agent)
 function apiInjectMessage(body, query) {
   const projectPath = query.get('project') || null;
@@ -842,28 +1260,51 @@ function apiInjectMessage(body, query) {
     return { error: 'Invalid agent name' };
   }
 
+  let fromName = '__user__';
+  if (body.from !== undefined && body.from !== null && String(body.from).trim() !== '') {
+    if (typeof body.from !== 'string' || !/^[a-zA-Z0-9_-]{1,20}$/.test(body.from.trim())) {
+      return { error: 'Invalid "from" — must be 1–20 alphanumeric, underscore, or hyphen' };
+    }
+    fromName = body.from.trim();
+    if (INJECT_FROM_BLOCKLIST.has(fromName)) {
+      return { error: 'Invalid "from" — reserved name' };
+    }
+  }
+
   if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-  const fromName = 'Dashboard';
   const now = new Date().toISOString();
 
-  // Broadcast to all agents
+  // Touch sender's heartbeat so inject activity keeps the agent alive in the dashboard
+  if (fromName !== '__user__') {
+    try {
+      const hbFile = path.join(dataDir, `heartbeat-${fromName}.json`);
+      const agentsFile = path.join(dataDir, 'agents.json');
+      const payload = { last_activity: now, pid: process.pid };
+      const tmp = hbFile + '.tmp';
+      fs.writeFileSync(tmp, JSON.stringify(payload));
+      fs.renameSync(tmp, hbFile);
+      if (fs.existsSync(agentsFile)) {
+        const agents = JSON.parse(fs.readFileSync(agentsFile, 'utf8'));
+        if (agents[fromName]) {
+          agents[fromName].last_activity = now;
+          fs.writeFileSync(agentsFile, JSON.stringify(agents, null, 2));
+        }
+      }
+    } catch {}
+  }
+
+  // Broadcast to all agents — single __group__ message instead of per-agent
   if (body.to === '__all__') {
-    const agents = readJson(path.join(dataDir, 'agents.json'));
-    const ids = [];
-    for (const name of Object.keys(agents)) {
-      const msg = {
-        id: Date.now().toString(36) + Math.random().toString(36).slice(2, 8),
-        from: fromName,
-        to: name,
-        content: body.content,
-        timestamp: now,
-        system: true,
-      };
-      fs.appendFileSync(messagesFile, JSON.stringify(msg) + '\n');
-      fs.appendFileSync(historyFile, JSON.stringify(msg) + '\n');
-      ids.push(msg.id);
-    }
-    return { success: true, messageIds: ids, broadcast: true };
+    const msg = {
+      id: Date.now().toString(36) + Math.random().toString(36).slice(2, 8),
+      from: fromName,
+      to: '__group__',
+      content: body.content,
+      timestamp: now,
+    };
+    fs.appendFileSync(messagesFile, JSON.stringify(msg) + '\n');
+    fs.appendFileSync(historyFile, JSON.stringify(msg) + '\n');
+    return { success: true, messageId: msg.id, broadcast: true };
   }
 
   const msg = {
@@ -872,7 +1313,6 @@ function apiInjectMessage(body, query) {
     to: body.to,
     content: body.content,
     timestamp: now,
-    system: true,
   };
 
   fs.appendFileSync(messagesFile, JSON.stringify(msg) + '\n');
@@ -883,12 +1323,56 @@ function apiInjectMessage(body, query) {
 
 // Multi-project management
 function apiProjects() {
-  return getProjects();
+  const raw = getProjects();
+  const normalized = raw.map(p => {
+    const np = normalizeMonitoredProjectRoot(p.path);
+    let name = p.name;
+    if (path.resolve(np) !== path.resolve(p.path)) {
+      name = path.basename(np) || p.name;
+    }
+    if (!name || name === '.neohive') {
+      name = path.basename(np) || 'project';
+    }
+    return { ...p, path: np, name };
+  });
+
+  const seen = new Set();
+  const deduped = [];
+  for (const p of normalized) {
+    const key = path.resolve(p.path);
+    if (seen.has(key)) continue;
+    seen.add(key);
+    deduped.push(p);
+  }
+
+  // Drop projects whose hive is the same as “Default (local)” — avoids duplicate rows and agents flickering between two identical paths.
+  const defaultHive = path.resolve(resolveDataDir(null));
+  const nonRedundant = deduped.filter(p => path.resolve(resolveDataDir(p.path)) !== defaultHive);
+
+  const pack = (arr) =>
+    JSON.stringify(
+      [...arr].sort((a, b) => path.resolve(a.path).localeCompare(path.resolve(b.path)))
+        .map(p => ({ p: path.resolve(p.path), n: p.name, a: p.added_at || '' }))
+    );
+  // Compare to on-disk `raw`, not `normalized`: normalized always includes dupes / default-hive
+  // rows that nonRedundant drops, so pack(normalized) !== pack(nonRedundant) would rewrite every
+  // read even when projects.json already matches nonRedundant.
+  if (pack(nonRedundant) !== pack(raw)) {
+    saveProjects(nonRedundant);
+  }
+  return nonRedundant;
 }
 
 function apiAddProject(body) {
   if (!body.path) return { error: 'Missing "path" field' };
-  const absPath = path.resolve(body.path);
+  const rawResolved = path.resolve(String(body.path).trim());
+  if (path.basename(rawResolved) === '.neohive') {
+    return {
+      error:
+        'Add the repository folder (same as your Cursor workspace root), not .neohive. Data is stored in <repo>/.neohive automatically.',
+    };
+  }
+  const absPath = normalizeMonitoredProjectRoot(rawResolved);
 
   // Reject root directories and system paths
   const normalized = absPath.replace(/\\/g, '/');
@@ -898,11 +1382,21 @@ function apiAddProject(body) {
 
   if (!fs.existsSync(absPath)) return { error: `Path does not exist: ${absPath}` };
 
-  // Any existing directory can be added as a project — user explicitly chose it
+  const targetHive = path.resolve(resolveDataDir(absPath));
+  const defaultHive = path.resolve(resolveDataDir(null));
+  if (targetHive === defaultHive) {
+    return {
+      error:
+        'That folder uses the same Neohive data directory as “Default (local)”. No separate project is needed.',
+      same_as_default: true,
+    };
+  }
 
   const projects = getProjects();
   const name = body.name || path.basename(absPath);
-  if (projects.find(p => p.path === absPath)) return { error: 'Project already added' };
+  if (projects.find(p => normalizeMonitoredProjectRoot(path.resolve(p.path)) === absPath)) {
+    return { error: 'Project already added' };
+  }
 
   // Create .neohive directory if it doesn't exist
   const abDir = path.join(absPath, '.neohive');
@@ -911,20 +1405,29 @@ function apiAddProject(body) {
   // Set up MCP config so agents can use it
   const serverPath = path.join(__dirname, 'server.js').replace(/\\/g, '/');
   ensureMCPConfig('claude', serverPath, absPath);
+  ensureMCPConfig('cursor', serverPath, absPath);
 
   projects.push({ name, path: absPath, added_at: new Date().toISOString() });
-  saveProjects(projects);
+  try {
+    saveProjects(projects);
+  } catch (e) {
+    return { error: 'Failed to save project: ' + e.message };
+  }
   return { success: true, project: { name, path: absPath } };
 }
 
 function apiRemoveProject(body) {
   if (!body.path) return { error: 'Missing "path" field' };
-  const absPath = path.resolve(body.path);
+  const absPath = normalizeMonitoredProjectRoot(path.resolve(body.path));
   let projects = getProjects();
   const before = projects.length;
-  projects = projects.filter(p => p.path !== absPath);
+  projects = projects.filter(p => normalizeMonitoredProjectRoot(path.resolve(p.path)) !== absPath);
   if (projects.length === before) return { error: 'Project not found' };
-  saveProjects(projects);
+  try {
+    saveProjects(projects);
+  } catch (e) {
+    return { error: 'Failed to save project changes: ' + e.message };
+  }
   return { success: true };
 }
 
@@ -947,15 +1450,15 @@ function apiExportHtml(query) {
   return `<!DOCTYPE html>
 <html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1.0">
 <title>Neohive — Conversation Export</title>
-<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><rect rx='20' width='100' height='100' fill='%230d1117'/><path d='M20 30 Q20 20 30 20 H70 Q80 20 80 30 V55 Q80 65 70 65 H55 L40 80 V65 H30 Q20 65 20 55Z' fill='%2358a6ff'/><circle cx='38' cy='42' r='5' fill='%230d1117'/><circle cx='55' cy='42' r='5' fill='%230d1117'/></svg>">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><rect rx='20' width='100' height='100' fill='%230d1117'/><path d='M20 30 Q20 20 30 20 H70 Q80 20 80 30 V55 Q80 65 70 65 H55 L40 80 V65 H30 Q20 65 20 55Z' fill='%23f59e0b'/><circle cx='38' cy='42' r='5' fill='%230d1117'/><circle cx='55' cy='42' r='5' fill='%230d1117'/></svg>">
 <style>
 *{margin:0;padding:0;box-sizing:border-box}
 body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0a0a0f;color:#e6edf3;min-height:100vh}
 .export-header{background:linear-gradient(180deg,#0f0f18 0%,#0a0a0f 100%);padding:40px 24px 32px;text-align:center;border-bottom:1px solid #1e1e2e}
-.logo{font-size:28px;font-weight:800;background:linear-gradient(135deg,#58a6ff,#bc8cff);-webkit-background-clip:text;-webkit-text-fill-color:transparent;letter-spacing:-1px}
+.logo{font-size:28px;font-weight:800;background:linear-gradient(135deg,#f59e0b,#f97316);-webkit-background-clip:text;-webkit-text-fill-color:transparent;letter-spacing:-1px}
 .export-meta{margin-top:12px;display:flex;justify-content:center;gap:20px;flex-wrap:wrap}
 .meta-item{font-size:12px;color:#8888a0}
-.meta-val{color:#58a6ff;font-weight:600}
+.meta-val{color:#f59e0b;font-weight:600}
 .agent-chips{display:flex;gap:8px;justify-content:center;margin-top:16px;flex-wrap:wrap}
 .agent-chip{display:flex;align-items:center;gap:6px;background:#161622;border:1px solid #1e1e2e;border-radius:20px;padding:4px 12px 4px 4px;font-size:12px}
 .agent-chip .dot{width:20px;height:20px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-size:10px;font-weight:700;color:#fff}
@@ -989,7 +1492,7 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;backgrou
 .date-sep::before,.date-sep::after{content:'';flex:1;height:1px;background:#1e1e2e}
 .footer{border-top:1px solid #1e1e2e;padding:24px;text-align:center;font-size:11px;color:#555568}
 .footer a{color:#8888a0;text-decoration:none}
-.footer a:hover{color:#58a6ff}
+.footer a:hover{color:#f59e0b}
 </style></head><body>
 <div class="export-header">
 <div class="logo">Neohive</div>
@@ -1004,7 +1507,7 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;backgrou
 <div class="messages" id="messages"></div>
 <div class="footer">Generated by <a href="https://github.com/fakiho/neohive" target="_blank">Neohive</a> &middot; BSL 1.1</div>
 <script>
-var COLORS=['#58a6ff','#3fb950','#d29922','#f85149','#bc8cff','#f778ba','#79c0ff','#7ee787','#e3b341','#ffa198'];
+var COLORS=['#f59e0b','#f97316','#3fb950','#d29922','#f85149','#f778ba','#7ee787','#e3b341','#ffa198','#14b8a6'];
 var colorMap={},ci=0;
 var data=${JSON.stringify(history).replace(/<\//g, '<\\/')};
 function esc(t){var d=document.createElement('div');d.textContent=t;return d.innerHTML}
@@ -1124,6 +1627,26 @@ function apiRules(query) {
   try { return JSON.parse(fs.readFileSync(rulesFile, 'utf8')); } catch { return []; }
 }
 
+function parseScope(scope) {
+  const result = { role: undefined, provider: undefined, agent: undefined };
+  if (!scope) return result;
+  if (typeof scope === 'object') {
+    if (scope.role) result.role = String(scope.role).toLowerCase();
+    if (scope.provider) result.provider = String(scope.provider).toLowerCase();
+    if (scope.agent) result.agent = String(scope.agent);
+  } else if (typeof scope === 'string' && scope !== 'global') {
+    const parts = scope.split(':');
+    if (parts.length === 2) {
+      const type = parts[0].toLowerCase();
+      const val = parts[1];
+      if (type === 'role') result.role = val.toLowerCase();
+      else if (type === 'platform' || type === 'provider') result.provider = val.toLowerCase();
+      else if (type === 'agent') result.agent = val;
+    }
+  }
+  return result;
+}
+
 function apiAddRule(body, query) {
   const projectPath = query.get('project') || null;
   const rulesFile = filePath('rules.json', projectPath);
@@ -1135,11 +1658,15 @@ function apiAddRule(body, query) {
     try { rules = JSON.parse(fs.readFileSync(rulesFile, 'utf8')); } catch {}
   }
 
+  const parsedScope = parseScope(body.scope);
   const rule = {
     id: 'rule_' + crypto.randomBytes(6).toString('hex'),
     text: body.text.trim(),
     category: body.category || 'general',
     priority: body.priority || 'normal',
+    scope_role: parsedScope.role,
+    scope_provider: parsedScope.provider,
+    scope_agent: parsedScope.agent,
     created_by: body.created_by || 'Dashboard',
     created_at: new Date().toISOString(),
     active: true
@@ -1165,6 +1692,12 @@ function apiUpdateRule(body, query) {
   if (body.text !== undefined) rule.text = body.text.trim();
   if (body.category !== undefined) rule.category = body.category;
   if (body.priority !== undefined) rule.priority = body.priority;
+  if (body.scope !== undefined) {
+    const parsedScope = parseScope(body.scope);
+    rule.scope_role = parsedScope.role;
+    rule.scope_provider = parsedScope.provider;
+    rule.scope_agent = parsedScope.agent;
+  }
   if (body.active !== undefined) rule.active = body.active;
   rule.updated_at = new Date().toISOString();
 
@@ -1190,11 +1723,68 @@ function apiDeleteRule(body, query) {
   return { success: true };
 }
 
+// Audit Log API
+function apiAuditLog(query) {
+  const projectPath = query.get('project') || null;
+  
+  // For backward compatibility, if no enhanced filters are used, use old method
+  const hasFilters = query.get('agent') || query.get('tool') || query.get('category') || 
+                    query.get('since') || query.get('until') || query.get('limit');
+  
+  if (!hasFilters) {
+    // Legacy behavior: Read entries, take last 100, newest first
+    return readJsonl(filePath('audit_log.jsonl', projectPath)).slice(-100).reverse();
+  }
+  
+  // Enhanced audit log with filters using audit module
+  const filters = {
+    agent: query.get('agent') || undefined,
+    tool: query.get('tool') || undefined,
+    category: query.get('category') || undefined,
+    since: query.get('since') || undefined,
+    until: query.get('until') || undefined,
+    limit: query.get('limit') || undefined
+  };
+  
+  // Initialize audit module with project path if needed
+  if (projectPath) {
+    const auditDataDir = path.join(projectPath, '.neohive');
+    if (fs.existsSync(auditDataDir)) {
+      _audit.init(auditDataDir);
+    }
+  }
+  
+  return _audit.readAuditLog(filters);
+}
+
+// Audit Stats API
+function apiAuditStats(query) {
+  const projectPath = query.get('project') || null;
+  
+  const filters = {
+    agent: query.get('agent') || undefined,
+    tool: query.get('tool') || undefined,
+    category: query.get('category') || undefined,
+    since: query.get('since') || undefined,
+    until: query.get('until') || undefined
+  };
+  
+  // Initialize audit module with project path if needed
+  if (projectPath) {
+    const auditDataDir = path.join(projectPath, '.neohive');
+    if (fs.existsSync(auditDataDir)) {
+      _audit.init(auditDataDir);
+    }
+  }
+  
+  return _audit.getAuditStats(filters);
+}
+
 // Auto-discover .neohive directories nearby
 function apiDiscover() {
   const found = [];
   const checked = new Set();
-  const existing = new Set(getProjects().map(p => p.path));
+  const existing = new Set(getProjects().map(p => normalizeMonitoredProjectRoot(path.resolve(p.path))));
 
   function scanDir(dir, depth, maxDepth) {
     maxDepth = maxDepth || 3;
@@ -1238,6 +1828,11 @@ function apiDiscover() {
 
 // --- Agent Launcher ---
 
+/** Same as cli.js: absolute Node path so MCP spawns work when PATH omits Volta/nvm. */
+function mcpNodeCommand() {
+  return process.execPath;
+}
+
 function ensureMCPConfig(cli, serverPath, projectDir) {
   const abDir = path.join(projectDir, '.neohive').replace(/\\/g, '/');
   if (cli === 'claude') {
@@ -1247,7 +1842,7 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
       try { mcpConfig = JSON.parse(fs.readFileSync(mcpConfigPath, 'utf8')); if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {}; } catch {}
     }
     if (!mcpConfig.mcpServers['neohive']) {
-      mcpConfig.mcpServers['neohive'] = { command: 'node', args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
+      mcpConfig.mcpServers['neohive'] = { command: mcpNodeCommand(), args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
       fs.writeFileSync(mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + '\n');
     }
   } else if (cli === 'gemini') {
@@ -1259,7 +1854,7 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
       try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); if (!settings.mcpServers) settings.mcpServers = {}; } catch {}
     }
     if (!settings.mcpServers['neohive']) {
-      settings.mcpServers['neohive'] = { command: 'node', args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
+      settings.mcpServers['neohive'] = { command: mcpNodeCommand(), args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
       fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
     }
   } else if (cli === 'codex') {
@@ -1268,17 +1863,40 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
     if (!fs.existsSync(codexDir)) fs.mkdirSync(codexDir, { recursive: true });
     let config = '';
     if (fs.existsSync(configPath)) config = fs.readFileSync(configPath, 'utf8');
-    if (!config.includes('[mcp_servers.neohive]')) {
-      config += `\n[mcp_servers.neohive]\ncommand = "node"\nargs = [${JSON.stringify(serverPath)}]\n\n[mcp_servers.neohive.env]\nNEOHIVE_DATA_DIR = ${JSON.stringify(abDir)}\n`;
-      fs.writeFileSync(configPath, config);
+    const envSection =
+      `[mcp_servers.neohive.env]\nNEOHIVE_DATA_DIR = ${JSON.stringify(abDir)}\n`;
+    const hadNeohive = config.includes('[mcp_servers.neohive]');
+    config = upsertNeohiveMcpInToml(config, {
+      command: mcpNodeCommand(),
+      serverPath,
+      timeout: 300,
+      envSection: hadNeohive ? undefined : envSection,
+    });
+    fs.writeFileSync(configPath, config);
+  } else if (cli === 'cursor') {
+    const cursorDir = path.join(projectDir, '.cursor');
+    const mcpConfigPath = path.join(cursorDir, 'mcp.json');
+    if (!fs.existsSync(cursorDir)) fs.mkdirSync(cursorDir, { recursive: true });
+    let mcpConfig = { mcpServers: {} };
+    if (fs.existsSync(mcpConfigPath)) {
+      try { mcpConfig = JSON.parse(fs.readFileSync(mcpConfigPath, 'utf8')); if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {}; } catch {}
+    }
+    if (!mcpConfig.mcpServers['neohive']) {
+      mcpConfig.mcpServers['neohive'] = {
+        command: mcpNodeCommand(),
+        args: [serverPath],
+        env: { NEOHIVE_DATA_DIR: abDir },
+        timeout: 300,
+      };
+      fs.writeFileSync(mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + '\n');
     }
   }
 }
 
 function apiLaunchAgent(body) {
   const { cli, project_dir, agent_name, prompt } = body;
-  if (!cli || !['claude', 'gemini', 'codex'].includes(cli)) {
-    return { error: 'Invalid cli type. Must be: claude, gemini, or codex' };
+  if (!cli || !['claude', 'gemini', 'codex', 'cursor'].includes(cli)) {
+    return { error: 'Invalid cli type. Must be: claude, gemini, codex, or cursor' };
   }
   if (project_dir && !validateProjectPath(project_dir)) {
     return { error: 'Project directory not registered. Add it via the dashboard first.' };
@@ -1288,13 +1906,25 @@ function apiLaunchAgent(body) {
     return { error: 'Project directory does not exist: ' + projectDir };
   }
 
+  const safeName = (agent_name || '').replace(/[^a-zA-Z0-9]/g, '').substring(0, 20);
+  const launchPrompt = prompt || (safeName ? `You are agent "${safeName}". Use the register tool to register as "${safeName}", then use listen to wait for messages.` : `Register with the neohive MCP tools and use listen to wait for messages.`);
+
   const serverPath = path.join(__dirname, 'server.js').replace(/\\/g, '/');
   ensureMCPConfig(cli, serverPath, projectDir);
 
+  if (cli === 'cursor') {
+    return {
+      success: true,
+      launched: false,
+      cli: 'cursor',
+      project_dir: projectDir,
+      prompt: launchPrompt,
+      message: 'Open this folder in Cursor IDE. .cursor/mcp.json sets NEOHIVE_DATA_DIR to this project’s .neohive (absolute path). Restart Cursor or reload MCP tools, then paste the prompt.',
+    };
+  }
+
   const cliCommands = { claude: 'claude', gemini: 'gemini', codex: 'codex' };
   const cliCmd = cliCommands[cli];
-  const safeName = (agent_name || '').replace(/[^a-zA-Z0-9]/g, '').substring(0, 20);
-  const launchPrompt = prompt || (safeName ? `You are agent "${safeName}". Use the register tool to register as "${safeName}", then use listen to wait for messages.` : `Register with the neohive MCP tools and use listen to wait for messages.`);
 
   // Try to launch terminal — user pastes prompt from clipboard after CLI loads
   if (process.platform === 'win32') {
@@ -1596,6 +2226,57 @@ setInterval(() => {
   }
 }, 300000).unref(); // Clean every 5 minutes, .unref() prevents zombie process
 
+// ─────────────────────────────────────────────────────────────────────────────
+// ROUTE DISPATCH TABLE
+// Simple GET/POST routes are registered here as { method, handler } entries.
+// Complex routes (body parsing, SSE, multi-step logic) remain inline below.
+// Key format: 'METHOD /path'  e.g. 'GET /api/agents'
+// ─────────────────────────────────────────────────────────────────────────────
+function routeKey(method, pathname) { return method + ' ' + pathname; }
+
+/** @type {Map<string, (req: any, res: any, url: URL) => void | Promise<void>>} */
+const ROUTE_TABLE = new Map([
+  // Simple GET routes — each maps to a standalone API function
+  [routeKey('GET', '/api/history'),         (req, res, url) => jsonOk(res, apiHistory(url.searchParams))],
+  [routeKey('GET', '/api/agents'),          (req, res, url) => jsonOk(res, apiAgents(url.searchParams))],
+  [routeKey('GET', '/api/channels'),        (req, res, url) => jsonOk(res, apiChannels(url.searchParams))],
+  [routeKey('GET', '/api/decisions'),       (req, res, url) => jsonOk(res, readJson(filePath('decisions.json', url.searchParams.get('project') || null)) || [])],
+  [routeKey('GET', '/api/status'),          (req, res, url) => jsonOk(res, apiStatus(url.searchParams))],
+  [routeKey('GET', '/api/stats'),           (req, res, url) => jsonOk(res, apiStats(url.searchParams))],
+  [routeKey('GET', '/api/token-usage'),     (req, res, url) => jsonOk(res, apiTokenUsage(url.searchParams))],
+  [routeKey('GET', '/api/coordinator-mode'),(req, res, url) => {
+    const config = readJson(filePath('config.json', url.searchParams.get('project') || null));
+    jsonOk(res, { mode: config.coordinator_mode || 'autonomous', config });
+  }],
+  [routeKey('GET', '/api/projects'),        (req, res, url) => jsonOk(res, apiProjects())],
+  [routeKey('GET', '/api/timeline'),        (req, res, url) => jsonOk(res, apiTimeline(url.searchParams))],
+  [routeKey('GET', '/api/tasks'),           (req, res, url) => jsonOk(res, apiTasks(url.searchParams))],
+  [routeKey('GET', '/api/rules'),           (req, res, url) => jsonOk(res, apiRules(url.searchParams))],
+  [routeKey('GET', '/api/audit-log'),       (req, res, url) => jsonOk(res, apiAuditLog(url.searchParams))],
+  [routeKey('GET', '/api/audit-stats'),     (req, res, url) => jsonOk(res, apiAuditStats(url.searchParams))],
+  [routeKey('GET', '/api/notifications'),   (req, res, url) => jsonOk(res, apiNotifications())],
+  [routeKey('GET', '/api/scores'),          (req, res, url) => jsonOk(res, apiScores(url.searchParams))],
+  [routeKey('GET', '/api/search-all'),      (req, res, url) => jsonOk(res, apiSearchAll(url.searchParams))],
+  [routeKey('GET', '/api/hooks'),           (req, res, url) => {
+    try { const hooksLib = require('./lib/hooks'); jsonOk(res, hooksLib.listHooks(null)); }
+    catch (e) { jsonOk(res, { count: 0, hooks: [], error: e.message }); }
+  }],
+  [routeKey('GET', '/api/export-replay'),   (req, res, url) => jsonOk(res, apiExportReplay(url.searchParams))],
+  // Routes below have complex inline logic and remain in the else-if chain for safety.
+  // TODO: extract to standalone functions in a future refactor:
+  //   /api/search, /api/export-json, /api/conversations, /api/profiles, /api/workspaces,
+  //   /api/workflows, /api/plan/*, /api/monitor/health, /api/reputation, /api/branches,
+  //   /api/conversation-templates, /api/permissions, /api/read-receipts, /api/server-info,
+  //   /api/templates
+]);
+
+/** Send a 200 JSON response — shared helper for route table handlers */
+function jsonOk(res, data) {
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(data));
+}
+
+
 const server = http.createServer(async (req, res) => {
   const url = new URL(req.url, 'http://localhost:' + PORT);
 
@@ -1698,11 +2379,66 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
-    // Serve logo image
+    // Health check — lightweight, no auth required
+    if (url.pathname === '/health' && req.method === 'GET') {
+      const pkg = readJson(path.join(__dirname, 'package.json')) || {};
+      const defaultDataDir = resolveDataDir(null);
+      const agents = readJson(filePath('agents.json', null));
+      const agentEntries = Object.entries(agents);
+      const aliveCount = agentEntries.filter(([, a]) => isPidAlive(a.pid, a.last_activity)).length;
+      let messageCount = 0;
+      const histFile = filePath('history.jsonl', null);
+      if (fs.existsSync(histFile)) {
+        try { messageCount = Math.round(fs.statSync(histFile).size / 300); } catch {}
+      }
+      let activeWorkflows = 0;
+      const wfFile = filePath('workflows.json', null);
+      if (fs.existsSync(wfFile)) {
+        try { activeWorkflows = JSON.parse(fs.readFileSync(wfFile, 'utf8')).filter(w => w.status === 'active').length; } catch {}
+      }
+      const uptimeMs = Date.now() - SERVER_START_TIME;
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({
+        status: 'ok',
+        version: pkg.version || 'unknown',
+        uptime_seconds: Math.floor(uptimeMs / 1000),
+        agents: { alive: aliveCount, total: agentEntries.length },
+        messages: messageCount,
+        active_workflows: activeWorkflows,
+        timestamp: new Date().toISOString(),
+      }));
+      return;
+    }
+
+    // Serve logo images
+    if (url.pathname === '/favicon.png') {
+      if (fs.existsSync(FAVICON_FILE)) {
+        const favicon = fs.readFileSync(FAVICON_FILE);
+        res.writeHead(200, { 'Content-Type': 'image/png', 'Cache-Control': 'public, max-age=86400' });
+        res.end(favicon);
+      } else {
+        res.writeHead(404);
+        res.end('Favicon not found');
+      }
+      return;
+    }
+
+    if (url.pathname === '/logo.svg') {
+      if (fs.existsSync(LOGO_SVG_FILE)) {
+        const logo = fs.readFileSync(LOGO_SVG_FILE);
+        res.writeHead(200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'public, max-age=86400' });
+        res.end(logo);
+      } else {
+        res.writeHead(404);
+        res.end('Logo not found');
+      }
+      return;
+    }
+
     if (url.pathname === '/logo.png') {
       if (fs.existsSync(LOGO_FILE)) {
         const logo = fs.readFileSync(LOGO_FILE);
-        res.writeHead(200, { 'Content-Type': 'image/png', 'Cache-Control': 'public, max-age=86400' });
+        res.writeHead(200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'public, max-age=86400' });
         res.end(logo);
       } else {
         res.writeHead(404);
@@ -1711,12 +2447,46 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (url.pathname === '/design-system.css' && req.method === 'GET') {
+      if (fs.existsSync(DESIGN_SYSTEM_CSS)) {
+        const css = fs.readFileSync(DESIGN_SYSTEM_CSS, 'utf8');
+        res.writeHead(200, {
+          'Content-Type': 'text/css; charset=utf-8',
+          'Cache-Control': 'public, max-age=3600',
+        });
+        res.end(css);
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+      return;
+    }
+
+    if (url.pathname === '/design-system.html' && req.method === 'GET') {
+      if (fs.existsSync(DESIGN_SYSTEM_HTML)) {
+        const html = fs.readFileSync(DESIGN_SYSTEM_HTML, 'utf8');
+        res.writeHead(200, {
+          'Content-Type': 'text/html; charset=utf-8',
+          'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
+          'X-Frame-Options': 'DENY',
+          'X-Content-Type-Options': 'nosniff',
+          'Referrer-Policy': 'no-referrer',
+          'Cache-Control': 'no-cache, no-store, must-revalidate',
+        });
+        res.end(html);
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+      return;
+    }
+
     // Serve dashboard HTML (always re-read for hot reload)
     if (url.pathname === '/' || url.pathname === '/index.html') {
       const html = fs.readFileSync(HTML_FILE, 'utf8');
       res.writeHead(200, {
         'Content-Type': 'text/html; charset=utf-8',
-        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
+        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
         'X-Frame-Options': 'DENY',
         'X-Content-Type-Options': 'nosniff',
         'Referrer-Policy': 'no-referrer',
@@ -1726,25 +2496,11 @@ const server = http.createServer(async (req, res) => {
       });
       res.end(html);
     }
-    // Existing APIs (now with ?project= param support)
-    else if (url.pathname === '/api/history' && req.method === 'GET') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(apiHistory(url.searchParams)));
-    }
-    else if (url.pathname === '/api/agents' && req.method === 'GET') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(apiAgents(url.searchParams)));
-    }
-    else if (url.pathname === '/api/channels' && req.method === 'GET') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(apiChannels(url.searchParams)));
-    }
-    else if (url.pathname === '/api/decisions' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const decisions = readJson(filePath('decisions.json', projectPath));
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(decisions || []));
+    // ── Route table dispatch (simple GET routes) ──────────────────────────────
+    else if (ROUTE_TABLE.has(routeKey(req.method, url.pathname))) {
+      await ROUTE_TABLE.get(routeKey(req.method, url.pathname))(req, res, url);
     }
+    // ── Complex routes (body parsing, SSE, multi-step logic) ──────────────────
     else if (url.pathname === '/api/agents' && req.method === 'DELETE') {
       const body = await parseBody(req);
       if (!body.name) {
@@ -1916,6 +2672,60 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(apiStats(url.searchParams)));
     }
+    else if (url.pathname === '/api/token-usage' && req.method === 'GET') {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(apiTokenUsage(url.searchParams)));
+    }
+    else if (url.pathname === '/api/coordinator-mode' && req.method === 'GET') {
+      const projectPath = url.searchParams.get('project') || null;
+      const config = readJson(filePath('config.json', projectPath));
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ mode: config.coordinator_mode || 'responsive' }));
+    }
+    else if (url.pathname === '/api/coordinator-mode' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req).catch(() => ({}));
+        const newMode = body.mode;
+        if (!newMode || !['responsive', 'autonomous'].includes(newMode)) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'mode must be "responsive" or "autonomous"' }));
+          return;
+        }
+        const projectPath = url.searchParams.get('project') || null;
+        const dataDir = resolveDataDir(projectPath);
+        if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+        const configFile = filePath('config.json', projectPath);
+        await withFileLock(configFile, () => {
+          const config = readJson(configFile);
+          config.coordinator_mode = newMode;
+          fs.writeFileSync(configFile, JSON.stringify(config, null, 2));
+        });
+        // Broadcast mode change to all agents + direct message to lead agents
+        try {
+          const messagesFile = filePath('messages.jsonl', projectPath);
+          const historyFile = filePath('history.jsonl', projectPath);
+          const modeText = newMode === 'responsive' ? 'Coordinator stays with human, uses consume_messages().' : 'Coordinator runs autonomously in listen() loop.';
+          const sysMsg = { id: Date.now().toString(36) + Math.random().toString(36).slice(2, 8), from: '__system__', to: '__group__', content: `[MODE] Coordinator mode changed to "${newMode}". ${modeText} Coordinator: call get_guide() to update your instructions.`, timestamp: new Date().toISOString(), system: true };
+          fs.appendFileSync(messagesFile, JSON.stringify(sysMsg) + '\n');
+          fs.appendFileSync(historyFile, JSON.stringify(sysMsg) + '\n');
+          // Also send direct message to lead/coordinator agents so listen() in direct mode picks it up
+          const profiles = readJson(filePath('profiles.json', projectPath));
+          for (const [agentName, prof] of Object.entries(profiles)) {
+            const role = (prof.role || '').toLowerCase();
+            if (role === 'lead' || role === 'manager' || role === 'coordinator') {
+              const directMsg = { id: Date.now().toString(36) + Math.random().toString(36).slice(2, 8), from: '__system__', to: agentName, content: `[MODE CHANGE] Coordinator mode switched to "${newMode}". ${modeText} Call get_guide() now to update your instructions.`, timestamp: new Date().toISOString(), system: true };
+              fs.appendFileSync(messagesFile, JSON.stringify(directMsg) + '\n');
+              fs.appendFileSync(historyFile, JSON.stringify(directMsg) + '\n');
+            }
+          }
+        } catch (e) { /* broadcast is best-effort */ }
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true, mode: newMode }));
+      } catch (e) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Failed to set coordinator mode: ' + e.message }));
+      }
+    }
     else if (url.pathname === '/api/reset' && req.method === 'POST') {
       const body = await parseBody(req).catch(() => ({}));
       if (!body.confirm) {
@@ -1987,6 +2797,77 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(result.error ? 400 : 200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(result));
     }
+    else if (url.pathname === '/api/tasks' && req.method === 'PUT') {
+      const body = await parseBody(req);
+      if (!body.task_id) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Missing task_id' }));
+        return;
+      }
+      const projectPath = url.searchParams.get('project') || null;
+      const tasksDir = resolveTasksWorkflowsDataDir(projectPath);
+      const tasksFile = path.join(tasksDir, 'tasks.json');
+      const msgDir = resolveDataDir(projectPath);
+      let tasks = [];
+      if (fs.existsSync(tasksFile)) try { tasks = JSON.parse(fs.readFileSync(tasksFile, 'utf8')); } catch {}
+      const task = tasks.find(t => t.id === body.task_id);
+      if (!task) {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Task not found' }));
+        return;
+      }
+      const oldAssignee = task.assignee;
+      const msgFile = path.join(msgDir, 'messages.jsonl');
+      const histFile = path.join(msgDir, 'history.jsonl');
+      // Apply edits
+      if (body.title !== undefined) task.title = body.title;
+      if (body.description !== undefined) task.description = body.description;
+      if (body.assignee !== undefined) task.assignee = body.assignee;
+      task.updated_at = new Date().toISOString();
+      fs.writeFileSync(tasksFile, JSON.stringify(tasks, null, 2));
+      // Notify agents on changes
+      const writeMsg = (to, content) => {
+        const msg = JSON.stringify({ id: 'sys_' + Date.now().toString(36) + Math.random().toString(36).slice(2,5), from: '__system__', to, content, timestamp: new Date().toISOString(), system: true }) + '\n';
+        try { fs.appendFileSync(msgFile, msg); fs.appendFileSync(histFile, msg); } catch {}
+      };
+      if (body.assignee !== undefined && body.assignee !== oldAssignee) {
+        if (body.assignee) writeMsg(body.assignee, '[TASK ASSIGNED] Task "' + task.title + '" assigned to you');
+        if (oldAssignee) writeMsg(oldAssignee, '[TASK REASSIGNED] Task "' + task.title + '" reassigned to ' + (body.assignee || 'unassigned'));
+      } else if (body.description !== undefined && task.assignee) {
+        writeMsg(task.assignee, '[TASK UPDATED] Task "' + task.title + '" description updated');
+      }
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ success: true, task_id: task.id }));
+    }
+    else if (url.pathname === '/api/tasks' && req.method === 'DELETE') {
+      const body = await parseBody(req);
+      if (!body.task_id) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Missing task_id' }));
+        return;
+      }
+      const projectPath = url.searchParams.get('project') || null;
+      const tasksDir = resolveTasksWorkflowsDataDir(projectPath);
+      const tasksFile = path.join(tasksDir, 'tasks.json');
+      const msgDir = resolveDataDir(projectPath);
+      let tasks = [];
+      if (fs.existsSync(tasksFile)) try { tasks = JSON.parse(fs.readFileSync(tasksFile, 'utf8')); } catch {}
+      const idx = tasks.findIndex(t => t.id === body.task_id);
+      if (idx === -1) {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Task not found' }));
+        return;
+      }
+      const removed = tasks.splice(idx, 1)[0];
+      fs.writeFileSync(tasksFile, JSON.stringify(tasks, null, 2));
+      // Write system message about deletion
+      const msgFile = path.join(msgDir, 'messages.jsonl');
+      const histFile = path.join(msgDir, 'history.jsonl');
+      const sysMsg = JSON.stringify({ id: 'sys_' + Date.now().toString(36), from: '__system__', to: '__all__', content: '[TASK DELETED] Task "' + (removed.title || '') + '" was removed', timestamp: new Date().toISOString(), system: true }) + '\n';
+      try { fs.appendFileSync(msgFile, sysMsg); fs.appendFileSync(histFile, sysMsg); } catch {}
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ success: true, removed: removed.title }));
+    }
     else if (url.pathname === '/api/rules' && req.method === 'GET') {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(apiRules(url.searchParams)));
@@ -2002,6 +2883,10 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(result.error ? 400 : 200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(result));
     }
+    else if (url.pathname === '/api/audit-log' && req.method === 'GET') {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(apiAuditLog(url.searchParams)));
+    }
     else if (url.pathname === '/api/search' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
       const query = (url.searchParams.get('q') || '').trim();
@@ -2089,6 +2974,29 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(apiDiscover()));
     }
+    // --- GitHub Projects sync ---
+    else if (url.pathname === '/api/github-sync' && req.method === 'GET') {
+      try {
+        const ghSync = require('./lib/github-sync');
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify(ghSync.getSyncStatus()));
+      } catch (e) { res.writeHead(500, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: e.message })); }
+    }
+    else if (url.pathname === '/api/github-sync' && req.method === 'POST') {
+      try {
+        const ghSync = require('./lib/github-sync');
+        const body = await parseBody(req);
+        if (body.action === 'discover') {
+          const result = await ghSync.discoverFields();
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify(result));
+        } else {
+          const result = await ghSync.syncAllTasks();
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify(result));
+        }
+      } catch (e) { res.writeHead(500, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: e.message })); }
+    }
     // --- v3.0 API endpoints ---
     else if (url.pathname === '/api/profiles' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
@@ -2114,6 +3022,29 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify({ success: true }));
     }
+    else if (url.pathname === '/api/agent-cards' && req.method === 'POST') {
+      const body = await parseBody(req);
+      const projectPath = url.searchParams.get('project') || null;
+      const cardsFile = filePath('agent-cards.json', projectPath);
+      const cards = readJson(cardsFile);
+      if (!body.name || !/^[a-zA-Z0-9_-]{1,20}$/.test(body.name)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid agent name' }));
+        return;
+      }
+      if (body.skills !== undefined && !Array.isArray(body.skills)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'skills must be an array' }));
+        return;
+      }
+      if (!cards[body.name]) cards[body.name] = {};
+      if (body.skills !== undefined) {
+        cards[body.name].skills = body.skills.map(s => String(s).toLowerCase().substring(0, 50));
+      }
+      fs.writeFileSync(cardsFile, JSON.stringify(cards, null, 2));
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ success: true }));
+    }
     else if (url.pathname === '/api/workspaces' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
       const agentParam = url.searchParams.get('agent');
@@ -2137,12 +3068,42 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(result));
     }
+    else if (url.pathname === '/api/notifications' && req.method === 'GET') {
+      const projectPath = url.searchParams.get('project') || null;
+      const notifFile = filePath('notifications.json', projectPath);
+      const notifs = fs.existsSync(notifFile) ? JSON.parse(fs.readFileSync(notifFile, 'utf8')) : [];
+      const limit = parseInt(url.searchParams.get('limit') || '50', 10);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(notifs.slice(-limit)));
+    }
     else if (url.pathname === '/api/workflows' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
       const wfFile = filePath('workflows.json', projectPath);
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(fs.existsSync(wfFile) ? JSON.parse(fs.readFileSync(wfFile, 'utf8')) : []));
     }
+    else if (url.pathname === '/api/workflows' && req.method === 'DELETE') {
+      const body = await parseBody(req);
+      if (!body.workflow_id) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Missing workflow_id' }));
+        return;
+      }
+      const projectPath = url.searchParams.get('project') || null;
+      const wfFile = filePath('workflows.json', projectPath);
+      let workflows = [];
+      if (fs.existsSync(wfFile)) try { workflows = JSON.parse(fs.readFileSync(wfFile, 'utf8')); } catch {}
+      const idx = workflows.findIndex(w => w.id === body.workflow_id);
+      if (idx === -1) {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Workflow not found' }));
+        return;
+      }
+      const removed = workflows.splice(idx, 1)[0];
+      fs.writeFileSync(wfFile, JSON.stringify(workflows, null, 2));
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ success: true, removed: removed.name }));
+    }
     else if (url.pathname === '/api/workflows' && req.method === 'POST') {
       const body = await parseBody(req);
       const projectPath = url.searchParams.get('project') || null;
@@ -2168,6 +3129,34 @@ const server = http.createServer(async (req, res) => {
         if (!wf.steps.find(s => s.status === 'pending' || s.status === 'in_progress')) wf.status = 'completed';
         wf.updated_at = new Date().toISOString();
         fs.writeFileSync(wfFile, JSON.stringify(workflows, null, 2));
+      } else if (body.action === 'approve' && body.workflow_id && body.step_id !== undefined) {
+        const wf = workflows.find(w => w.id === body.workflow_id);
+        if (!wf) { res.writeHead(404, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Workflow not found' })); return; }
+        const step = wf.steps.find(s => s.id === body.step_id);
+        if (!step || step.status !== 'awaiting_approval') { res.writeHead(400, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Step not awaiting approval' })); return; }
+        if (body.approved) {
+          step.status = 'in_progress';
+          step.started_at = new Date().toISOString();
+          step.approved_at = new Date().toISOString();
+          step.approved_by = '__user__';
+          // Notify assignee via message
+          const messagesFile = filePath('messages.jsonl', projectPath);
+          const historyFile = filePath('history.jsonl', projectPath);
+          const notif = { id: Date.now().toString(36) + Math.random().toString(36).slice(2, 8), from: '__user__', to: step.assignee || '__group__', content: `[APPROVED] Step "${step.description}" in workflow "${wf.name}" has been approved. You may proceed.`, timestamp: new Date().toISOString() };
+          fs.appendFileSync(messagesFile, JSON.stringify(notif) + '\n');
+          fs.appendFileSync(historyFile, JSON.stringify(notif) + '\n');
+        } else {
+          step.status = 'pending';
+          step.rejected_at = new Date().toISOString();
+          step.rejection_feedback = body.feedback || '';
+          const messagesFile = filePath('messages.jsonl', projectPath);
+          const historyFile = filePath('history.jsonl', projectPath);
+          const notif = { id: Date.now().toString(36) + Math.random().toString(36).slice(2, 8), from: '__user__', to: step.assignee || '__group__', content: `[REJECTED] Step "${step.description}" rejected: ${body.feedback || 'No feedback'}`, timestamp: new Date().toISOString() };
+          fs.appendFileSync(messagesFile, JSON.stringify(notif) + '\n');
+          fs.appendFileSync(historyFile, JSON.stringify(notif) + '\n');
+        }
+        wf.updated_at = new Date().toISOString();
+        fs.writeFileSync(wfFile, JSON.stringify(workflows, null, 2));
       } else {
         res.writeHead(400, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: 'Invalid action' })); return;
       }
@@ -2607,65 +3596,6 @@ const server = http.createServer(async (req, res) => {
       }));
     }
 
-    // ========== Rules API ==========
-
-    else if (url.pathname === '/api/rules' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(Array.isArray(rules) ? rules : []));
-    }
-
-    else if (url.pathname === '/api/rules' && req.method === 'POST') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      try {
-        const body = await parseBody(req);
-        const { text, category } = body;
-        if (!text || !text.trim()) { res.writeHead(400); res.end(JSON.stringify({ error: 'Rule text required' })); return; }
-        const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-        const rule = {
-          id: 'rule_' + Date.now().toString(36) + Math.random().toString(36).slice(2, 6),
-          text: text.trim(),
-          category: category || 'custom',
-          created_by: 'dashboard',
-          created_at: new Date().toISOString(),
-          active: true,
-        };
-        rules.push(rule);
-        fs.writeFileSync(rulesFile, JSON.stringify(rules));
-        res.writeHead(201, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify(rule));
-      } catch (e) { res.writeHead(400); res.end(JSON.stringify({ error: e.message })); }
-    }
-
-    else if (url.pathname.startsWith('/api/rules/') && req.method === 'DELETE') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      const ruleId = url.pathname.split('/api/rules/')[1];
-      const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-      const idx = rules.findIndex(r => r.id === ruleId);
-      if (idx === -1) { res.writeHead(404); res.end(JSON.stringify({ error: 'Rule not found' })); return; }
-      rules.splice(idx, 1);
-      fs.writeFileSync(rulesFile, JSON.stringify(rules));
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ success: true }));
-    }
-
-    else if (url.pathname.startsWith('/api/rules/') && url.pathname.endsWith('/toggle') && req.method === 'POST') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      const ruleId = url.pathname.split('/api/rules/')[1].replace('/toggle', '');
-      const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-      const rule = rules.find(r => r.id === ruleId);
-      if (!rule) { res.writeHead(404); res.end(JSON.stringify({ error: 'Rule not found' })); return; }
-      rule.active = !rule.active;
-      fs.writeFileSync(rulesFile, JSON.stringify(rules));
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(rule));
-    }
-
     // ========== End Rules API ==========
 
     else if (url.pathname === '/api/branches' && req.method === 'GET') {
@@ -2717,6 +3647,91 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(result.error ? 400 : 200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(result));
     }
+    // --- Custom Templates CRUD ---
+    else if (url.pathname === '/api/custom-templates' && req.method === 'GET') {
+      const projectPath = url.searchParams.get('project') || null;
+      const templates = readJson(filePath('custom-templates.json', projectPath));
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(Array.isArray(templates) ? templates : []));
+    }
+    else if (url.pathname === '/api/custom-templates' && req.method === 'POST') {
+      try {
+        const body = await parseBody(req);
+        const projectPath = url.searchParams.get('project') || null;
+        const ctFile = filePath('custom-templates.json', projectPath);
+        const dataDir = resolveDataDir(projectPath);
+        if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+        await withFileLock(ctFile, () => {
+          const templates = readJson(ctFile);
+          const list = Array.isArray(templates) ? templates : [];
+          const id = body.id || ('custom-' + (body.name || 'template').toLowerCase().replace(/[^a-z0-9]+/g, '-').substring(0, 30) + '-' + Date.now().toString(36).slice(-4));
+          if (list.find(t => t.id === id)) {
+            throw new Error('Template with this ID already exists. Use PUT to update.');
+          }
+          const template = {
+            id,
+            name: (body.name || 'Custom Template').substring(0, 100),
+            description: (body.description || '').substring(0, 500),
+            category: body.category || 'custom',
+            conversation_mode: body.conversation_mode || 'direct',
+            source: 'custom',
+            created_at: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+            agents: Array.isArray(body.agents) ? body.agents.slice(0, 10) : [],
+            ...(body.workflow && { workflow: body.workflow }),
+          };
+          list.push(template);
+          fs.writeFileSync(ctFile, JSON.stringify(list, null, 2));
+        });
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (e) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    }
+    else if (url.pathname === '/api/custom-templates' && req.method === 'PUT') {
+      try {
+        const body = await parseBody(req);
+        if (!body.id) throw new Error('id required');
+        const projectPath = url.searchParams.get('project') || null;
+        const ctFile = filePath('custom-templates.json', projectPath);
+        await withFileLock(ctFile, () => {
+          const list = readJson(ctFile);
+          if (!Array.isArray(list)) throw new Error('No custom templates found');
+          const idx = list.findIndex(t => t.id === body.id);
+          if (idx === -1) throw new Error('Template not found: ' + body.id);
+          list[idx] = { ...list[idx], ...body, updated_at: new Date().toISOString(), source: 'custom' };
+          fs.writeFileSync(ctFile, JSON.stringify(list, null, 2));
+        });
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (e) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    }
+    else if (url.pathname === '/api/custom-templates' && req.method === 'DELETE') {
+      try {
+        const body = await parseBody(req);
+        if (!body.id) throw new Error('id required');
+        const projectPath = url.searchParams.get('project') || null;
+        const ctFile = filePath('custom-templates.json', projectPath);
+        await withFileLock(ctFile, () => {
+          const list = readJson(ctFile);
+          if (!Array.isArray(list)) throw new Error('No custom templates found');
+          const idx = list.findIndex(t => t.id === body.id);
+          if (idx === -1) throw new Error('Template not found: ' + body.id);
+          list.splice(idx, 1);
+          fs.writeFileSync(ctFile, JSON.stringify(list, null, 2));
+        });
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ success: true }));
+      } catch (e) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: e.message }));
+      }
+    }
     // --- v3.4: Agent Permissions ---
     else if (url.pathname === '/api/permissions' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
@@ -2773,14 +3788,28 @@ const server = http.createServer(async (req, res) => {
     }
     // Templates API
     else if (url.pathname === '/api/templates' && req.method === 'GET') {
-      const templatesDir = path.join(__dirname, 'templates');
       let templates = [];
+      const templatesDir = path.join(__dirname, 'templates');
       if (fs.existsSync(templatesDir)) {
         templates = fs.readdirSync(templatesDir)
           .filter(f => f.endsWith('.json'))
-          .map(f => { try { return JSON.parse(fs.readFileSync(path.join(templatesDir, f), 'utf8')); } catch { return null; } })
+          .map(f => { try { const t = JSON.parse(fs.readFileSync(path.join(templatesDir, f), 'utf8')); t.source = 'templates'; return t; } catch { return null; } })
           .filter(Boolean);
       }
+      const convDir = path.join(__dirname, 'conversation-templates');
+      if (fs.existsSync(convDir)) {
+        const conv = fs.readdirSync(convDir)
+          .filter(f => f.endsWith('.json'))
+          .map(f => { try { const t = JSON.parse(fs.readFileSync(path.join(convDir, f), 'utf8')); t.source = 'conversation-templates'; return t; } catch { return null; } })
+          .filter(Boolean);
+        templates = templates.concat(conv);
+      }
+      // Merge custom templates from project data dir
+      const projectPath = url.searchParams.get('project') || null;
+      const customTemplates = readJson(filePath('custom-templates.json', projectPath));
+      if (Array.isArray(customTemplates) && customTemplates.length > 0) {
+        templates = templates.concat(customTemplates);
+      }
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(templates));
     }
@@ -2913,6 +3942,8 @@ function startFileWatcher() {
         pendingChangeTypes.add('tasks');
       } else if (filename === 'workflows.json') {
         pendingChangeTypes.add('workflows');
+      } else if (filename === 'hooks.json') {
+        pendingChangeTypes.add('hooks');
       } else {
         pendingChangeTypes.add('update');
       }
@@ -2955,7 +3986,15 @@ server.listen(PORT, LAN_MODE ? '0.0.0.0' : '127.0.0.1', () => {
     console.log('  LAN access: http://' + lanIP + ':' + PORT);
     console.log('  WARNING:    LAN mode enabled — accessible to anyone on your network');
   }
-  console.log('  Data dir:   ' + dataDir);
+  let dataDirLine = '  Data dir:   ' + dataDir;
+  if (_defaultDataResolved.source === 'walk-up') {
+    dataDirLine += ' (best .neohive among ancestors — tasks/agents/history)';
+  } else if (_defaultDataResolved.source === 'mcp-config' && _defaultDataResolved.configAt) {
+    dataDirLine += ' (from MCP config under ' + _defaultDataResolved.configAt + ')';
+  } else if (_defaultDataResolved.source === 'environment') {
+    dataDirLine += ' (NEOHIVE_DATA_DIR / NEOHIVE_DATA)';
+  }
+  console.log(dataDirLine);
   console.log('  Projects:   ' + getProjects().length + ' registered');
   console.log('  Updates:    SSE (real-time) + polling fallback (2s)');
   console.log('');