neohive 6.0.3 → 6.1.0

package/dashboard.js

@@ -4,6 +4,9 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const { spawn } = require('child_process');
+const { upsertNeohiveMcpInToml } = require('./lib/codex-neohive-toml');
+const { readIdeActivity, applyIdeActivityHint } = require('./lib/ide-activity');
+const _audit = require('./lib/audit');
 
 function findCursorProjectRootWithNeohive(startDir) {
   let dir = path.resolve(startDir);
@@ -201,7 +204,11 @@ if (!fs.existsSync(DEFAULT_DATA_DIR) && fs.existsSync(_legacyDir)) {
 }
 
 const HTML_FILE = path.join(__dirname, 'dashboard.html');
-const LOGO_FILE = path.join(__dirname, 'logo.png');
+const DESIGN_SYSTEM_CSS = path.join(__dirname, 'design-system.css');
+const DESIGN_SYSTEM_HTML = path.join(__dirname, 'design-system.html');
+const LOGO_FILE = path.join(__dirname, 'logo.svg');
+const LOGO_SVG_FILE = path.join(__dirname, 'logo.svg');
+const FAVICON_FILE = path.join(__dirname, 'favicon.png');
 const PROJECTS_FILE = path.join(__dirname, 'projects.json');
 
 // --- Multi-project support ---
@@ -212,7 +219,12 @@ function getProjects() {
 }
 
 function saveProjects(projects) {
-  fs.writeFileSync(PROJECTS_FILE, JSON.stringify(projects, null, 2));
+  try {
+    fs.writeFileSync(PROJECTS_FILE, JSON.stringify(projects, null, 2));
+  } catch (e) {
+    console.error('[saveProjects] Failed to write projects file:', e.message);
+    throw new Error('Failed to save projects: ' + e.message);
+  }
 }
 
 // Multi-project paths must be the repo root, not .../project/.neohive (otherwise we join .neohive twice).
@@ -442,6 +454,7 @@ function apiAgents(query) {
           const hb = JSON.parse(fs.readFileSync(path.join(dataDir, f), 'utf8'));
           if (hb.last_activity) agents[name].last_activity = hb.last_activity;
           if (hb.pid) agents[name].pid = hb.pid;
+          if (hb.ppid) agents[name].ppid = hb.ppid;
         } catch {}
       }
     }
@@ -459,16 +472,46 @@ function apiAgents(query) {
     const alive = isPidAlive(info.pid, info.last_activity);
     const lastActivity = info.last_activity || info.timestamp;
     const idleSeconds = Math.floor((Date.now() - new Date(lastActivity).getTime()) / 1000);
+    const hasHeartbeat = fs.existsSync(path.join(resolveDataDir(projectPath), `heartbeat-${name}.json`));
     const profile = profiles[name] || {};
     const isLocal = (() => { try { process.kill(info.pid, 0); return true; } catch { return false; } })();
+
+    let status;
+    if (alive) {
+      if (info.listening_since) {
+        status = 'listening';
+      } else {
+        // Detect stuck/unresponsive: agent is alive but hasn't called listen() recently
+        const lastListened = info.last_listened_at;
+        const sinceLastListen = lastListened ? Math.floor((Date.now() - new Date(lastListened).getTime()) / 1000) : Infinity;
+        if (sinceLastListen > 600) {
+          status = 'stuck'; // > 10 minutes without listen() call
+        } else if (sinceLastListen > 120) {
+          status = 'unresponsive'; // > 2 minutes without listen() call
+        } else if (idleSeconds > 30) {
+          status = 'idle';
+        } else {
+          status = 'working';
+        }
+      }
+    } else if (!hasHeartbeat) {
+      status = 'unknown';
+    } else if (idleSeconds <= 120) {
+      status = 'stale';
+    } else {
+      status = 'offline';
+    }
+
     result[name] = {
       pid: info.pid,
+      ppid: info.ppid || null,
       alive,
       registered_at: info.timestamp,
       last_activity: lastActivity,
       last_message: lastMessageTime[name] || null,
       idle_seconds: alive ? idleSeconds : null,
-      status: !alive ? 'offline' : (info.listening_since && alive) ? 'listening' : idleSeconds > 30 ? 'idle' : 'working',
+      last_listened_at: info.last_listened_at || null,
+      status,
       listening_since: info.listening_since || null,
       is_listening: !!(info.listening_since && alive),
       provider: info.provider || 'unknown',
@@ -480,6 +523,7 @@ function apiAgents(query) {
       appearance: profile.appearance || {},
       hostname: info.hostname || null,
       is_remote: !isLocal && alive,
+      platform_skills: (cards && cards[name] && cards[name].platform_skills) || [],
       skills: (cards && cards[name] && cards[name].skills) || [],
     };
     // Include workspace status for agent intent board
@@ -490,6 +534,10 @@ function apiAgents(query) {
         if (ws._status) result[name].current_status = ws._status;
       }
     } catch {}
+
+    const dataDir = resolveDataDir(projectPath);
+    const ide = readIdeActivity(dataDir, name);
+    if (ide) applyIdeActivityHint(result[name], ide, { dataDir, agentName: name });
   }
   return result;
 }
@@ -647,6 +695,44 @@ function generateNotifications(currentAgents) {
 }
 
 // --- Token Usage Tracking ---
+
+// Walk the process tree upward from startPid, returning the first PID
+// that has a session file in sessionsDir. At each level also checks
+// sibling processes (children of the same parent) to handle the VS Code
+// MCP topology where the claude binary and MCP server share a parent.
+function findSessionPidInTree(startPid, sessionsDir, maxDepth = 5) {
+  const { execSync } = require('child_process');
+  const getParent = (pid) => {
+    try {
+      const s = execSync(`ps -o ppid= -p ${pid} 2>/dev/null`, { timeout: 1000 }).toString().trim();
+      const n = parseInt(s, 10);
+      return (n && n !== pid) ? n : null;
+    } catch { return null; }
+  };
+  const getSiblings = (parentPid) => {
+    try {
+      return execSync(`pgrep -P ${parentPid} 2>/dev/null`, { timeout: 1000 })
+        .toString().trim().split('\n').map(s => parseInt(s, 10)).filter(Boolean);
+    } catch { return []; }
+  };
+
+  let pid = startPid;
+  for (let i = 0; i < maxDepth; i++) {
+    if (!pid || pid <= 1) break;
+    // Check this pid directly
+    if (fs.existsSync(path.join(sessionsDir, pid + '.json'))) return pid;
+    const parent = getParent(pid);
+    if (!parent) break;
+    // Check siblings (handles VS Code: MCP server and claude binary share same parent)
+    for (const sibling of getSiblings(parent)) {
+      if (sibling === pid) continue;
+      if (fs.existsSync(path.join(sessionsDir, sibling + '.json'))) return sibling;
+    }
+    pid = parent;
+  }
+  return null;
+}
+
 // Pricing per 1M tokens (USD)
 const TOKEN_PRICING = {
   'claude-opus-4-6': { input: 15.00, output: 75.00, cache_write: 18.75, cache_read: 1.50 },
@@ -687,33 +773,109 @@ function parseSessionUsage(sessionFile, maxBytes) {
   return usage;
 }
 
+/**
+ * Score all .jsonl session files in the project dir by birthtime proximity to
+ * an agent's started_at. Returns sorted array of { file, delta } (ascending).
+ */
+function scoreSessionsByProximity(projectSessionDir, agentStartedAt) {
+  if (!agentStartedAt || !fs.existsSync(projectSessionDir)) return [];
+  const agentTs = new Date(agentStartedAt).getTime();
+  if (isNaN(agentTs)) return [];
+
+  const scored = [];
+  try {
+    const files = fs.readdirSync(projectSessionDir).filter(f => f.endsWith('.jsonl'));
+    for (const f of files) {
+      const fp = path.join(projectSessionDir, f);
+      try {
+        const stat = fs.statSync(fp);
+        scored.push({ file: fp, delta: Math.abs(stat.birthtimeMs - agentTs) });
+      } catch { /* skip unreadable */ }
+    }
+  } catch { return []; }
+  scored.sort((a, b) => a.delta - b.delta);
+  return scored;
+}
+
 function apiTokenUsage(query) {
   const projectPath = query.get('project') || null;
   const dataDir = resolveDataDir(projectPath);
   const agents = readJson(filePath('agents.json', projectPath));
   const home = os.homedir();
   const sessionsDir = path.join(home, '.claude', 'sessions');
-  // Build project slug matching Claude Code's format
   const projectAbsPath = projectPath ? path.resolve(projectPath) : path.resolve(process.cwd());
   const projectSlug = projectAbsPath.replace(/\//g, '-');
   const projectSessionDir = path.join(home, '.claude', 'projects', projectSlug);
 
   const result = { agents: {}, total_cost_usd: 0, total_tokens: 0 };
 
+  const agentSessions = {};
+  const claimedFiles = new Set();
+
   for (const [name, info] of Object.entries(agents)) {
     if (!info.pid) continue;
     try {
-      // Map CLI PID (ppid) → session ID → session file. Fall back to pid if ppid not available.
-      const cliPid = info.ppid || info.pid;
-      const pidFile = path.join(sessionsDir, cliPid + '.json');
-      if (!fs.existsSync(pidFile)) continue;
-      const session = readJson(pidFile);
-      if (!session || !session.sessionId) continue;
-      const sessionFile = path.join(projectSessionDir, session.sessionId + '.jsonl');
-      if (!fs.existsSync(sessionFile)) continue;
+      // Priority 0: direct session ID from env var (written to agents.json + heartbeat)
+      const sessionId = info.claude_session_id || (() => {
+        try {
+          const hb = JSON.parse(fs.readFileSync(path.join(dataDir, `heartbeat-${name}.json`), 'utf8'));
+          return hb.claude_session_id || null;
+        } catch { return null; }
+      })();
+      if (sessionId) {
+        const candidate = path.join(projectSessionDir, sessionId + '.jsonl');
+        if (fs.existsSync(candidate)) {
+          agentSessions[name] = candidate;
+          claimedFiles.add(candidate);
+          continue;
+        }
+      }
+
+      // Priority 1: process-tree lookup
+      const cliPid = findSessionPidInTree(info.pid, sessionsDir) ||
+                     (info.ppid ? findSessionPidInTree(info.ppid, sessionsDir) : null);
+      if (cliPid) {
+        const pidFile = path.join(sessionsDir, cliPid + '.json');
+        const session = readJson(pidFile);
+        if (session && session.sessionId) {
+          const candidate = path.join(projectSessionDir, session.sessionId + '.jsonl');
+          if (fs.existsSync(candidate)) {
+            agentSessions[name] = candidate;
+            claimedFiles.add(candidate);
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // Phase 2: fallback — greedy assignment by birthtime proximity (closest-first wins)
+  const needFallback = Object.entries(agents)
+    .filter(([name, info]) => info.pid && !agentSessions[name])
+    .map(([name, info]) => {
+      const scored = scoreSessionsByProximity(projectSessionDir, info.started_at || info.timestamp);
+      return { name, scored };
+    })
+    .sort((a, b) => {
+      const aMin = a.scored.length ? a.scored[0].delta : Infinity;
+      const bMin = b.scored.length ? b.scored[0].delta : Infinity;
+      return aMin - bMin;
+    });
+
+  for (const { name, scored } of needFallback) {
+    for (const { file } of scored) {
+      if (!claimedFiles.has(file)) {
+        agentSessions[name] = file;
+        claimedFiles.add(file);
+        break;
+      }
+    }
+  }
 
+  // Phase 3: compute usage + cost
+  for (const [name, sessionFile] of Object.entries(agentSessions)) {
+    try {
+      const info = agents[name];
       const usage = parseSessionUsage(sessionFile);
-      // Calculate cost
       const pricing = TOKEN_PRICING[usage.model] || TOKEN_PRICING['claude-opus-4-6'];
       const cost = (usage.input_tokens * pricing.input + usage.output_tokens * pricing.output + usage.cache_creation_tokens * pricing.cache_write + usage.cache_read_tokens * pricing.cache_read) / 1000000;
 
@@ -730,7 +892,7 @@ function apiTokenUsage(query) {
       };
       result.total_cost_usd += cost;
       result.total_tokens += result.agents[name].total_tokens;
-    } catch { /* skip agents without session data */ }
+    } catch { /* skip */ }
   }
   result.total_cost_usd = Math.round(result.total_cost_usd * 100) / 100;
   return result;
@@ -1076,6 +1238,9 @@ function apiLoadConversation(query) {
   return { success: true };
 }
 
+// Sender names API callers must not use for /api/inject (prevents forged system/group traffic)
+const INJECT_FROM_BLOCKLIST = new Set(['__system__', '__all__', '__open__', '__close__', '__group__']);
+
 // Inject a message from the dashboard (system message or nudge to an agent)
 function apiInjectMessage(body, query) {
   const projectPath = query.get('project') || null;
@@ -1095,10 +1260,39 @@ function apiInjectMessage(body, query) {
     return { error: 'Invalid agent name' };
   }
 
+  let fromName = '__user__';
+  if (body.from !== undefined && body.from !== null && String(body.from).trim() !== '') {
+    if (typeof body.from !== 'string' || !/^[a-zA-Z0-9_-]{1,20}$/.test(body.from.trim())) {
+      return { error: 'Invalid "from" — must be 1–20 alphanumeric, underscore, or hyphen' };
+    }
+    fromName = body.from.trim();
+    if (INJECT_FROM_BLOCKLIST.has(fromName)) {
+      return { error: 'Invalid "from" — reserved name' };
+    }
+  }
+
   if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-  const fromName = '__user__';
   const now = new Date().toISOString();
 
+  // Touch sender's heartbeat so inject activity keeps the agent alive in the dashboard
+  if (fromName !== '__user__') {
+    try {
+      const hbFile = path.join(dataDir, `heartbeat-${fromName}.json`);
+      const agentsFile = path.join(dataDir, 'agents.json');
+      const payload = { last_activity: now, pid: process.pid };
+      const tmp = hbFile + '.tmp';
+      fs.writeFileSync(tmp, JSON.stringify(payload));
+      fs.renameSync(tmp, hbFile);
+      if (fs.existsSync(agentsFile)) {
+        const agents = JSON.parse(fs.readFileSync(agentsFile, 'utf8'));
+        if (agents[fromName]) {
+          agents[fromName].last_activity = now;
+          fs.writeFileSync(agentsFile, JSON.stringify(agents, null, 2));
+        }
+      }
+    } catch {}
+  }
+
   // Broadcast to all agents — single __group__ message instead of per-agent
   if (body.to === '__all__') {
     const msg = {
@@ -1214,7 +1408,11 @@ function apiAddProject(body) {
   ensureMCPConfig('cursor', serverPath, absPath);
 
   projects.push({ name, path: absPath, added_at: new Date().toISOString() });
-  saveProjects(projects);
+  try {
+    saveProjects(projects);
+  } catch (e) {
+    return { error: 'Failed to save project: ' + e.message };
+  }
   return { success: true, project: { name, path: absPath } };
 }
 
@@ -1225,7 +1423,11 @@ function apiRemoveProject(body) {
   const before = projects.length;
   projects = projects.filter(p => normalizeMonitoredProjectRoot(path.resolve(p.path)) !== absPath);
   if (projects.length === before) return { error: 'Project not found' };
-  saveProjects(projects);
+  try {
+    saveProjects(projects);
+  } catch (e) {
+    return { error: 'Failed to save project changes: ' + e.message };
+  }
   return { success: true };
 }
 
@@ -1425,6 +1627,26 @@ function apiRules(query) {
   try { return JSON.parse(fs.readFileSync(rulesFile, 'utf8')); } catch { return []; }
 }
 
+function parseScope(scope) {
+  const result = { role: undefined, provider: undefined, agent: undefined };
+  if (!scope) return result;
+  if (typeof scope === 'object') {
+    if (scope.role) result.role = String(scope.role).toLowerCase();
+    if (scope.provider) result.provider = String(scope.provider).toLowerCase();
+    if (scope.agent) result.agent = String(scope.agent);
+  } else if (typeof scope === 'string' && scope !== 'global') {
+    const parts = scope.split(':');
+    if (parts.length === 2) {
+      const type = parts[0].toLowerCase();
+      const val = parts[1];
+      if (type === 'role') result.role = val.toLowerCase();
+      else if (type === 'platform' || type === 'provider') result.provider = val.toLowerCase();
+      else if (type === 'agent') result.agent = val;
+    }
+  }
+  return result;
+}
+
 function apiAddRule(body, query) {
   const projectPath = query.get('project') || null;
   const rulesFile = filePath('rules.json', projectPath);
@@ -1436,11 +1658,15 @@ function apiAddRule(body, query) {
     try { rules = JSON.parse(fs.readFileSync(rulesFile, 'utf8')); } catch {}
   }
 
+  const parsedScope = parseScope(body.scope);
   const rule = {
     id: 'rule_' + crypto.randomBytes(6).toString('hex'),
     text: body.text.trim(),
     category: body.category || 'general',
     priority: body.priority || 'normal',
+    scope_role: parsedScope.role,
+    scope_provider: parsedScope.provider,
+    scope_agent: parsedScope.agent,
     created_by: body.created_by || 'Dashboard',
     created_at: new Date().toISOString(),
     active: true
@@ -1466,6 +1692,12 @@ function apiUpdateRule(body, query) {
   if (body.text !== undefined) rule.text = body.text.trim();
   if (body.category !== undefined) rule.category = body.category;
   if (body.priority !== undefined) rule.priority = body.priority;
+  if (body.scope !== undefined) {
+    const parsedScope = parseScope(body.scope);
+    rule.scope_role = parsedScope.role;
+    rule.scope_provider = parsedScope.provider;
+    rule.scope_agent = parsedScope.agent;
+  }
   if (body.active !== undefined) rule.active = body.active;
   rule.updated_at = new Date().toISOString();
 
@@ -1491,6 +1723,63 @@ function apiDeleteRule(body, query) {
   return { success: true };
 }
 
+// Audit Log API
+function apiAuditLog(query) {
+  const projectPath = query.get('project') || null;
+  
+  // For backward compatibility, if no enhanced filters are used, use old method
+  const hasFilters = query.get('agent') || query.get('tool') || query.get('category') || 
+                    query.get('since') || query.get('until') || query.get('limit');
+  
+  if (!hasFilters) {
+    // Legacy behavior: Read entries, take last 100, newest first
+    return readJsonl(filePath('audit_log.jsonl', projectPath)).slice(-100).reverse();
+  }
+  
+  // Enhanced audit log with filters using audit module
+  const filters = {
+    agent: query.get('agent') || undefined,
+    tool: query.get('tool') || undefined,
+    category: query.get('category') || undefined,
+    since: query.get('since') || undefined,
+    until: query.get('until') || undefined,
+    limit: query.get('limit') || undefined
+  };
+  
+  // Initialize audit module with project path if needed
+  if (projectPath) {
+    const auditDataDir = path.join(projectPath, '.neohive');
+    if (fs.existsSync(auditDataDir)) {
+      _audit.init(auditDataDir);
+    }
+  }
+  
+  return _audit.readAuditLog(filters);
+}
+
+// Audit Stats API
+function apiAuditStats(query) {
+  const projectPath = query.get('project') || null;
+  
+  const filters = {
+    agent: query.get('agent') || undefined,
+    tool: query.get('tool') || undefined,
+    category: query.get('category') || undefined,
+    since: query.get('since') || undefined,
+    until: query.get('until') || undefined
+  };
+  
+  // Initialize audit module with project path if needed
+  if (projectPath) {
+    const auditDataDir = path.join(projectPath, '.neohive');
+    if (fs.existsSync(auditDataDir)) {
+      _audit.init(auditDataDir);
+    }
+  }
+  
+  return _audit.getAuditStats(filters);
+}
+
 // Auto-discover .neohive directories nearby
 function apiDiscover() {
   const found = [];
@@ -1539,6 +1828,11 @@ function apiDiscover() {
 
 // --- Agent Launcher ---
 
+/** Same as cli.js: absolute Node path so MCP spawns work when PATH omits Volta/nvm. */
+function mcpNodeCommand() {
+  return process.execPath;
+}
+
 function ensureMCPConfig(cli, serverPath, projectDir) {
   const abDir = path.join(projectDir, '.neohive').replace(/\\/g, '/');
   if (cli === 'claude') {
@@ -1548,7 +1842,7 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
       try { mcpConfig = JSON.parse(fs.readFileSync(mcpConfigPath, 'utf8')); if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {}; } catch {}
     }
     if (!mcpConfig.mcpServers['neohive']) {
-      mcpConfig.mcpServers['neohive'] = { command: 'node', args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
+      mcpConfig.mcpServers['neohive'] = { command: mcpNodeCommand(), args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
       fs.writeFileSync(mcpConfigPath, JSON.stringify(mcpConfig, null, 2) + '\n');
     }
   } else if (cli === 'gemini') {
@@ -1560,7 +1854,7 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
       try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); if (!settings.mcpServers) settings.mcpServers = {}; } catch {}
     }
     if (!settings.mcpServers['neohive']) {
-      settings.mcpServers['neohive'] = { command: 'node', args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
+      settings.mcpServers['neohive'] = { command: mcpNodeCommand(), args: [serverPath], env: { NEOHIVE_DATA_DIR: abDir } };
       fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
     }
   } else if (cli === 'codex') {
@@ -1569,10 +1863,16 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
     if (!fs.existsSync(codexDir)) fs.mkdirSync(codexDir, { recursive: true });
     let config = '';
     if (fs.existsSync(configPath)) config = fs.readFileSync(configPath, 'utf8');
-    if (!config.includes('[mcp_servers.neohive]')) {
-      config += `\n[mcp_servers.neohive]\ncommand = "node"\nargs = [${JSON.stringify(serverPath)}]\n\n[mcp_servers.neohive.env]\nNEOHIVE_DATA_DIR = ${JSON.stringify(abDir)}\n`;
-      fs.writeFileSync(configPath, config);
-    }
+    const envSection =
+      `[mcp_servers.neohive.env]\nNEOHIVE_DATA_DIR = ${JSON.stringify(abDir)}\n`;
+    const hadNeohive = config.includes('[mcp_servers.neohive]');
+    config = upsertNeohiveMcpInToml(config, {
+      command: mcpNodeCommand(),
+      serverPath,
+      timeout: 300,
+      envSection: hadNeohive ? undefined : envSection,
+    });
+    fs.writeFileSync(configPath, config);
   } else if (cli === 'cursor') {
     const cursorDir = path.join(projectDir, '.cursor');
     const mcpConfigPath = path.join(cursorDir, 'mcp.json');
@@ -1583,7 +1883,7 @@ function ensureMCPConfig(cli, serverPath, projectDir) {
     }
     if (!mcpConfig.mcpServers['neohive']) {
       mcpConfig.mcpServers['neohive'] = {
-        command: 'node',
+        command: mcpNodeCommand(),
         args: [serverPath],
         env: { NEOHIVE_DATA_DIR: abDir },
         timeout: 300,
@@ -1926,6 +2226,57 @@ setInterval(() => {
   }
 }, 300000).unref(); // Clean every 5 minutes, .unref() prevents zombie process
 
+// ─────────────────────────────────────────────────────────────────────────────
+// ROUTE DISPATCH TABLE
+// Simple GET/POST routes are registered here as { method, handler } entries.
+// Complex routes (body parsing, SSE, multi-step logic) remain inline below.
+// Key format: 'METHOD /path'  e.g. 'GET /api/agents'
+// ─────────────────────────────────────────────────────────────────────────────
+function routeKey(method, pathname) { return method + ' ' + pathname; }
+
+/** @type {Map<string, (req: any, res: any, url: URL) => void | Promise<void>>} */
+const ROUTE_TABLE = new Map([
+  // Simple GET routes — each maps to a standalone API function
+  [routeKey('GET', '/api/history'),         (req, res, url) => jsonOk(res, apiHistory(url.searchParams))],
+  [routeKey('GET', '/api/agents'),          (req, res, url) => jsonOk(res, apiAgents(url.searchParams))],
+  [routeKey('GET', '/api/channels'),        (req, res, url) => jsonOk(res, apiChannels(url.searchParams))],
+  [routeKey('GET', '/api/decisions'),       (req, res, url) => jsonOk(res, readJson(filePath('decisions.json', url.searchParams.get('project') || null)) || [])],
+  [routeKey('GET', '/api/status'),          (req, res, url) => jsonOk(res, apiStatus(url.searchParams))],
+  [routeKey('GET', '/api/stats'),           (req, res, url) => jsonOk(res, apiStats(url.searchParams))],
+  [routeKey('GET', '/api/token-usage'),     (req, res, url) => jsonOk(res, apiTokenUsage(url.searchParams))],
+  [routeKey('GET', '/api/coordinator-mode'),(req, res, url) => {
+    const config = readJson(filePath('config.json', url.searchParams.get('project') || null));
+    jsonOk(res, { mode: config.coordinator_mode || 'autonomous', config });
+  }],
+  [routeKey('GET', '/api/projects'),        (req, res, url) => jsonOk(res, apiProjects())],
+  [routeKey('GET', '/api/timeline'),        (req, res, url) => jsonOk(res, apiTimeline(url.searchParams))],
+  [routeKey('GET', '/api/tasks'),           (req, res, url) => jsonOk(res, apiTasks(url.searchParams))],
+  [routeKey('GET', '/api/rules'),           (req, res, url) => jsonOk(res, apiRules(url.searchParams))],
+  [routeKey('GET', '/api/audit-log'),       (req, res, url) => jsonOk(res, apiAuditLog(url.searchParams))],
+  [routeKey('GET', '/api/audit-stats'),     (req, res, url) => jsonOk(res, apiAuditStats(url.searchParams))],
+  [routeKey('GET', '/api/notifications'),   (req, res, url) => jsonOk(res, apiNotifications())],
+  [routeKey('GET', '/api/scores'),          (req, res, url) => jsonOk(res, apiScores(url.searchParams))],
+  [routeKey('GET', '/api/search-all'),      (req, res, url) => jsonOk(res, apiSearchAll(url.searchParams))],
+  [routeKey('GET', '/api/hooks'),           (req, res, url) => {
+    try { const hooksLib = require('./lib/hooks'); jsonOk(res, hooksLib.listHooks(null)); }
+    catch (e) { jsonOk(res, { count: 0, hooks: [], error: e.message }); }
+  }],
+  [routeKey('GET', '/api/export-replay'),   (req, res, url) => jsonOk(res, apiExportReplay(url.searchParams))],
+  // Routes below have complex inline logic and remain in the else-if chain for safety.
+  // TODO: extract to standalone functions in a future refactor:
+  //   /api/search, /api/export-json, /api/conversations, /api/profiles, /api/workspaces,
+  //   /api/workflows, /api/plan/*, /api/monitor/health, /api/reputation, /api/branches,
+  //   /api/conversation-templates, /api/permissions, /api/read-receipts, /api/server-info,
+  //   /api/templates
+]);
+
+/** Send a 200 JSON response — shared helper for route table handlers */
+function jsonOk(res, data) {
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(data));
+}
+
+
 const server = http.createServer(async (req, res) => {
   const url = new URL(req.url, 'http://localhost:' + PORT);
 
@@ -2059,11 +2410,35 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
-    // Serve logo image
+    // Serve logo images
+    if (url.pathname === '/favicon.png') {
+      if (fs.existsSync(FAVICON_FILE)) {
+        const favicon = fs.readFileSync(FAVICON_FILE);
+        res.writeHead(200, { 'Content-Type': 'image/png', 'Cache-Control': 'public, max-age=86400' });
+        res.end(favicon);
+      } else {
+        res.writeHead(404);
+        res.end('Favicon not found');
+      }
+      return;
+    }
+
+    if (url.pathname === '/logo.svg') {
+      if (fs.existsSync(LOGO_SVG_FILE)) {
+        const logo = fs.readFileSync(LOGO_SVG_FILE);
+        res.writeHead(200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'public, max-age=86400' });
+        res.end(logo);
+      } else {
+        res.writeHead(404);
+        res.end('Logo not found');
+      }
+      return;
+    }
+
     if (url.pathname === '/logo.png') {
       if (fs.existsSync(LOGO_FILE)) {
         const logo = fs.readFileSync(LOGO_FILE);
-        res.writeHead(200, { 'Content-Type': 'image/png', 'Cache-Control': 'public, max-age=86400' });
+        res.writeHead(200, { 'Content-Type': 'image/svg+xml', 'Cache-Control': 'public, max-age=86400' });
         res.end(logo);
       } else {
         res.writeHead(404);
@@ -2072,12 +2447,46 @@ const server = http.createServer(async (req, res) => {
       return;
     }
 
+    if (url.pathname === '/design-system.css' && req.method === 'GET') {
+      if (fs.existsSync(DESIGN_SYSTEM_CSS)) {
+        const css = fs.readFileSync(DESIGN_SYSTEM_CSS, 'utf8');
+        res.writeHead(200, {
+          'Content-Type': 'text/css; charset=utf-8',
+          'Cache-Control': 'public, max-age=3600',
+        });
+        res.end(css);
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+      return;
+    }
+
+    if (url.pathname === '/design-system.html' && req.method === 'GET') {
+      if (fs.existsSync(DESIGN_SYSTEM_HTML)) {
+        const html = fs.readFileSync(DESIGN_SYSTEM_HTML, 'utf8');
+        res.writeHead(200, {
+          'Content-Type': 'text/html; charset=utf-8',
+          'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
+          'X-Frame-Options': 'DENY',
+          'X-Content-Type-Options': 'nosniff',
+          'Referrer-Policy': 'no-referrer',
+          'Cache-Control': 'no-cache, no-store, must-revalidate',
+        });
+        res.end(html);
+      } else {
+        res.writeHead(404);
+        res.end('Not found');
+      }
+      return;
+    }
+
     // Serve dashboard HTML (always re-read for hot reload)
     if (url.pathname === '/' || url.pathname === '/index.html') {
       const html = fs.readFileSync(HTML_FILE, 'utf8');
       res.writeHead(200, {
         'Content-Type': 'text/html; charset=utf-8',
-        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
+        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; font-src https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
         'X-Frame-Options': 'DENY',
         'X-Content-Type-Options': 'nosniff',
         'Referrer-Policy': 'no-referrer',
@@ -2087,26 +2496,11 @@ const server = http.createServer(async (req, res) => {
       });
       res.end(html);
     }
-    // Existing APIs (now with ?project= param support)
-    else if (url.pathname === '/api/history' && req.method === 'GET') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(apiHistory(url.searchParams)));
-    }
-    else if (url.pathname === '/api/agents' && req.method === 'GET') {
-      const payload = apiAgents(url.searchParams);
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(payload));
-    }
-    else if (url.pathname === '/api/channels' && req.method === 'GET') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(apiChannels(url.searchParams)));
-    }
-    else if (url.pathname === '/api/decisions' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const decisions = readJson(filePath('decisions.json', projectPath));
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(decisions || []));
+    // ── Route table dispatch (simple GET routes) ──────────────────────────────
+    else if (ROUTE_TABLE.has(routeKey(req.method, url.pathname))) {
+      await ROUTE_TABLE.get(routeKey(req.method, url.pathname))(req, res, url);
     }
+    // ── Complex routes (body parsing, SSE, multi-step logic) ──────────────────
     else if (url.pathname === '/api/agents' && req.method === 'DELETE') {
       const body = await parseBody(req);
       if (!body.name) {
@@ -2489,6 +2883,10 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(result.error ? 400 : 200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(result));
     }
+    else if (url.pathname === '/api/audit-log' && req.method === 'GET') {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(apiAuditLog(url.searchParams)));
+    }
     else if (url.pathname === '/api/search' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
       const query = (url.searchParams.get('q') || '').trim();
@@ -2576,6 +2974,29 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify(apiDiscover()));
     }
+    // --- GitHub Projects sync ---
+    else if (url.pathname === '/api/github-sync' && req.method === 'GET') {
+      try {
+        const ghSync = require('./lib/github-sync');
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify(ghSync.getSyncStatus()));
+      } catch (e) { res.writeHead(500, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: e.message })); }
+    }
+    else if (url.pathname === '/api/github-sync' && req.method === 'POST') {
+      try {
+        const ghSync = require('./lib/github-sync');
+        const body = await parseBody(req);
+        if (body.action === 'discover') {
+          const result = await ghSync.discoverFields();
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify(result));
+        } else {
+          const result = await ghSync.syncAllTasks();
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify(result));
+        }
+      } catch (e) { res.writeHead(500, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ error: e.message })); }
+    }
     // --- v3.0 API endpoints ---
     else if (url.pathname === '/api/profiles' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
@@ -2601,6 +3022,29 @@ const server = http.createServer(async (req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' });
       res.end(JSON.stringify({ success: true }));
     }
+    else if (url.pathname === '/api/agent-cards' && req.method === 'POST') {
+      const body = await parseBody(req);
+      const projectPath = url.searchParams.get('project') || null;
+      const cardsFile = filePath('agent-cards.json', projectPath);
+      const cards = readJson(cardsFile);
+      if (!body.name || !/^[a-zA-Z0-9_-]{1,20}$/.test(body.name)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Invalid agent name' }));
+        return;
+      }
+      if (body.skills !== undefined && !Array.isArray(body.skills)) {
+        res.writeHead(400, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'skills must be an array' }));
+        return;
+      }
+      if (!cards[body.name]) cards[body.name] = {};
+      if (body.skills !== undefined) {
+        cards[body.name].skills = body.skills.map(s => String(s).toLowerCase().substring(0, 50));
+      }
+      fs.writeFileSync(cardsFile, JSON.stringify(cards, null, 2));
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ success: true }));
+    }
     else if (url.pathname === '/api/workspaces' && req.method === 'GET') {
       const projectPath = url.searchParams.get('project') || null;
       const agentParam = url.searchParams.get('agent');
@@ -3152,65 +3596,6 @@ const server = http.createServer(async (req, res) => {
       }));
     }
 
-    // ========== Rules API ==========
-
-    else if (url.pathname === '/api/rules' && req.method === 'GET') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(Array.isArray(rules) ? rules : []));
-    }
-
-    else if (url.pathname === '/api/rules' && req.method === 'POST') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      try {
-        const body = await parseBody(req);
-        const { text, category } = body;
-        if (!text || !text.trim()) { res.writeHead(400); res.end(JSON.stringify({ error: 'Rule text required' })); return; }
-        const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-        const rule = {
-          id: 'rule_' + Date.now().toString(36) + Math.random().toString(36).slice(2, 6),
-          text: text.trim(),
-          category: category || 'custom',
-          created_by: 'dashboard',
-          created_at: new Date().toISOString(),
-          active: true,
-        };
-        rules.push(rule);
-        fs.writeFileSync(rulesFile, JSON.stringify(rules));
-        res.writeHead(201, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify(rule));
-      } catch (e) { res.writeHead(400); res.end(JSON.stringify({ error: e.message })); }
-    }
-
-    else if (url.pathname.startsWith('/api/rules/') && req.method === 'DELETE') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      const ruleId = url.pathname.split('/api/rules/')[1];
-      const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-      const idx = rules.findIndex(r => r.id === ruleId);
-      if (idx === -1) { res.writeHead(404); res.end(JSON.stringify({ error: 'Rule not found' })); return; }
-      rules.splice(idx, 1);
-      fs.writeFileSync(rulesFile, JSON.stringify(rules));
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ success: true }));
-    }
-
-    else if (url.pathname.startsWith('/api/rules/') && url.pathname.endsWith('/toggle') && req.method === 'POST') {
-      const projectPath = url.searchParams.get('project') || null;
-      const rulesFile = filePath('rules.json', projectPath);
-      const ruleId = url.pathname.split('/api/rules/')[1].replace('/toggle', '');
-      const rules = fs.existsSync(rulesFile) ? readJson(rulesFile) : [];
-      const rule = rules.find(r => r.id === ruleId);
-      if (!rule) { res.writeHead(404); res.end(JSON.stringify({ error: 'Rule not found' })); return; }
-      rule.active = !rule.active;
-      fs.writeFileSync(rulesFile, JSON.stringify(rules));
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify(rule));
-    }
-
     // ========== End Rules API ==========
 
     else if (url.pathname === '/api/branches' && req.method === 'GET') {
@@ -3557,6 +3942,8 @@ function startFileWatcher() {
         pendingChangeTypes.add('tasks');
       } else if (filename === 'workflows.json') {
         pendingChangeTypes.add('workflows');
+      } else if (filename === 'hooks.json') {
+        pendingChangeTypes.add('hooks');
       } else {
         pendingChangeTypes.add('update');
       }