openclaw-inspector 1.0.1

package/dist/assets/index-DJx37DEV.css

@@ -0,0 +1 @@
+*{margin:0;padding:0;box-sizing:border-box}body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,system-ui,sans-serif;background:#fafafa;color:#1a1a1a;line-height:1.5}.container{display:flex;height:100vh}.sidebar{width:360px;background:#fff;border-right:1px solid #e5e5e5;overflow:hidden;display:flex;flex-direction:column;flex-shrink:0}.sidebar-header{padding:16px 20px;border-bottom:1px solid #e5e5e5;position:sticky;top:0;background:#fff;z-index:10}.sidebar-header h3{font-size:14px;font-weight:600;color:#666;text-transform:uppercase;letter-spacing:.5px}.sidebar-search{padding:12px 16px;border-bottom:1px solid #e5e5e5;position:sticky;top:52px;background:#fff;z-index:10}.sidebar-search input{width:100%;padding:8px 12px;border:1px solid #ddd;border-radius:6px;font-size:13px;outline:none}.sidebar-search input:focus{border-color:#999}.sidebar-filters{padding:8px 16px;border-bottom:1px solid #e5e5e5;display:flex;flex-direction:column;gap:6px;position:sticky;top:96px;background:#fff;z-index:10}.filter-group{display:flex;flex-direction:column;gap:2px}.filter-label{font-size:10px;color:#999;text-transform:uppercase;letter-spacing:.5px}.filter-row{display:flex;gap:4px;flex-wrap:wrap;align-items:center}.sort-select{font-size:11px;padding:3px 8px;border:1px solid #ddd;border-radius:6px;background:#fff;color:#666;cursor:pointer;outline:none;margin-left:auto}.filter-btn{font-size:11px;padding:3px 10px;border-radius:12px;border:1px solid #ddd;background:#fff;cursor:pointer;color:#666;transition:all .15s}.filter-btn:hover{border-color:#999}.filter-btn.active{background:#4f46e5;color:#fff;border-color:#4f46e5}.session-list{flex:1;overflow:hidden;min-height:0}.session-item{padding:12px 20px;border-bottom:1px solid #f0f0f0;cursor:pointer;transition:background .15s;position:relative}.session-item:hover{background:#f5f5f5}.session-item.selected{background:#eef2ff;border-left:3px solid #4f46e5;padding-left:17px}.session-item .name{font-size:13px;font-weight:600;color:#1a1a1a;margin-bottom:2px;display:flex;align-items:center;gap:6px}.session-item .label{font-size:13px;font-weight:500;color:#4f46e5}.session-item .desc{font-size:12px;color:#888;margin-top:4px;display:-webkit-box;-webkit-line-clamp:2;-webkit-box-orient:vertical;overflow:hidden}.badge{display:inline-block;font-size:10px;padding:1px 6px;border-radius:10px;font-weight:500}.badge.active{background:#dcfce7;color:#166534}.badge.orphan{background:#fef3c7;color:#92400e}.badge.deleted{background:#fee2e2;color:#991b1b}.badge.superseded{background:#e0e7ff;color:#3730a3}.badge.unread{background:#dbeafe;color:#1e40af}.badge.danger{background:#fee2e2;color:#dc2626;font-weight:700}.badge.danger-warn{background:#fef3c7;color:#d97706;font-weight:700}.msg .bubble.has-danger{border:2px solid #dc2626;box-shadow:0 0 8px #dc262626}.msg .bubble.has-warning{border:2px solid #d97706;box-shadow:0 0 8px #d9770626}.danger-chip{display:inline-flex;align-items:center;gap:4px;font-size:11px;padding:3px 8px;border-radius:10px;margin:4px 2px}.danger-chip.critical{background:#fee2e2;color:#dc2626}.danger-chip.warning{background:#fef3c7;color:#d97706}.badge.read-done{background:#dcfce7;color:#166534}.badge.partial{background:#fef3c7;color:#92400e}.stats{padding:12px 20px;border-bottom:1px solid #e5e5e5;font-size:12px;color:#888;display:flex;gap:12px;flex-wrap:wrap}.stats span{white-space:nowrap;cursor:pointer}.main{flex:1;display:flex;flex-direction:column;overflow:hidden;background:#fafafa;position:relative}.main-toolbar{padding:12px 24px;background:#fff;border-bottom:1px solid #e5e5e5}.toolbar-top{display:flex;align-items:center;gap:12px;flex-wrap:wrap}.toolbar-top h2{font-size:15px;font-weight:600;flex-shrink:0}.toolbar-controls{display:flex;align-items:center;gap:8px;flex:1;justify-content:flex-end;flex-wrap:wrap}.toolbar-search{max-width:200px;padding:6px 10px;border:1px solid #ddd;border-radius:6px;font-size:12px;outline:none}.toolbar-search:focus{border-color:#999}.toolbar-meta{display:flex;align-items:center;gap:12px;margin-top:4px}.meta-filename{font-size:11px;color:#aaa;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.metadata-grid{display:flex;gap:24px;flex-wrap:wrap;padding-top:8px}.metadata-grid .item{font-size:12px}.metadata-grid .item .k{color:#888}.metadata-grid .item .v{font-weight:600;color:#1a1a1a}.meta-toggle{display:inline;font-size:12px;color:#4f46e5;cursor:pointer;background:none;border:none;padding:0;font-family:inherit}.meta-toggle:hover{text-decoration:underline}.expand-btn{font-size:12px;padding:6px 14px;border:1px solid #ddd;border-radius:6px;background:#fff;cursor:pointer;color:#666;transition:all .15s;white-space:nowrap}.expand-btn:hover{border-color:#999;background:#f5f5f5}.expand-btn.active{background:#4f46e5;color:#fff;border-color:#4f46e5}.msg-toggle{display:inline-flex;border:1px solid #ddd;border-radius:6px;overflow:hidden}.toggle-opt{font-size:12px;padding:6px 14px;border:none;background:#fff;cursor:pointer;color:#666;transition:all .15s;white-space:nowrap}.toggle-opt:not(:last-child){border-right:1px solid #ddd}.toggle-opt.active{background:#4f46e5;color:#fff}.toggle-opt[data-mode=danger].active{background:#dc2626;color:#fff}.empty{flex:1;display:flex;align-items:center;justify-content:center;color:#bbb;font-size:14px}.messages{flex:1;overflow:hidden;position:relative;min-height:0}.messages [data-virtuoso-scroller]{overflow-x:hidden!important}.messages [data-item-index]{padding:0 24px}.messages [data-item-index]:first-child{padding-top:20px}.messages [data-item-index]:last-child{padding-bottom:20px}.msg{margin-bottom:16px;cursor:pointer;transition:opacity .2s}.msg.read{opacity:.45}.msg:hover{opacity:1!important}.msg{position:relative}.msg-row{display:inline-flex;align-items:center;gap:12px;max-width:70%;overflow:hidden}.mark-read-btn{display:none;flex-shrink:0;border-radius:12px;border:1px solid #ddd;background:#fff;color:#4f46e5;font-size:11px;cursor:pointer;box-shadow:0 1px 4px #0000001a;transition:all .15s;padding:4px 8px;white-space:nowrap;font-family:inherit}.mark-read-btn:hover{background:#4f46e5;color:#fff;border-color:#4f46e5}.msg:hover .mark-read-btn{display:block}.msg.user{display:flex;justify-content:flex-end}.msg.assistant{display:flex;justify-content:flex-start}.bubble{padding:12px 16px;border-radius:12px;font-size:14px;min-width:0;max-width:100%;overflow-wrap:anywhere;word-break:break-word}.msg.user .bubble{background:#4f46e5;color:#fff;border-bottom-right-radius:4px}.msg.assistant .bubble{background:#fff;border:1px solid #e5e5e5;color:#1a1a1a;border-bottom-left-radius:4px}.bubble .time{font-size:11px;opacity:.5;margin-bottom:4px}.bubble .content{white-space:pre-wrap;word-wrap:break-word;line-height:1.6}.bubble .content pre{background:#0000000d;padding:8px;border-radius:4px;overflow-x:auto;font-size:12px;margin:8px 0}.msg.user .bubble .content pre{background:#ffffff26}.read-marker{display:flex;align-items:center;gap:12px;margin:24px 0;color:#4f46e5;font-size:12px;font-weight:500}.read-marker:before,.read-marker:after{content:"";flex:1;height:1px;background:#4f46e5;opacity:.3}.tool-chip{display:inline-flex;align-items:center;gap:4px;font-size:12px;padding:4px 10px;border-radius:12px;background:#f0f0f0;color:#555;cursor:pointer;margin:4px 2px;transition:background .15s}.tool-chip:hover{background:#e5e5e5}.tool-chip.error{background:#fee2e2;color:#991b1b}.tool-detail{display:none;margin-top:8px;padding:10px;background:#f8f8f8;border-radius:6px;border:1px solid #eee;font-size:12px;max-height:300px;overflow-y:auto;white-space:pre-wrap;word-break:break-all}.tool-detail.open{display:block}.thinking-toggle{display:inline-flex;align-items:center;gap:4px;font-size:12px;padding:4px 10px;border-radius:12px;background:#fef3c7;color:#92400e;cursor:pointer;margin:4px 0}.thinking-content{display:none;margin-top:8px;padding:10px;background:#fffbeb;border-radius:6px;border:1px solid #fde68a;font-size:12px;max-height:300px;overflow-y:auto;white-space:pre-wrap}.thinking-content.open{display:block}.sys-msg{text-align:center;padding:8px;font-size:12px;color:#999}.compaction-msg{margin:20px 0;padding:12px 16px;background:#fff7ed;border-left:3px solid #f97316;border-radius:4px;font-size:12px;color:#9a3412}.compaction-msg .title{font-weight:600;margin-bottom:4px}.compaction-msg .summary{color:#78350f;opacity:.8}.custom-msg{text-align:center;padding:4px;font-size:11px;color:#aaa}::-webkit-scrollbar{width:6px}::-webkit-scrollbar-track{background:transparent}::-webkit-scrollbar-thumb{background:#ddd;border-radius:3px}::-webkit-scrollbar-thumb:hover{background:#bbb}@keyframes fadeIn{0%{opacity:0;transform:translateY(-10px)}to{opacity:1;transform:translateY(0)}}@media(max-width:768px){.container{flex-direction:column}.sidebar{width:100%;position:absolute;z-index:20;height:100vh;display:none}.sidebar.mobile-open{display:flex}.main{width:100%}.mobile-toggle{display:block;position:fixed;bottom:20px;left:20px;z-index:30;width:44px;height:44px;border-radius:22px;background:#4f46e5;color:#fff;border:none;font-size:20px;cursor:pointer;box-shadow:0 2px 8px #00000026}.mobile-back{display:block}.sidebar-filters{flex-wrap:wrap;gap:4px}.filter-btn{font-size:10px;padding:2px 7px}.sort-select{font-size:10px;padding:2px 6px;width:100%;margin-top:4px}.toolbar-search{max-width:140px;font-size:11px}.toolbar-top{gap:8px}.msg-toggle{width:100%;display:flex}.toggle-opt{flex:1;font-size:11px;padding:6px 8px;text-align:center}.expand-btn{font-size:11px;padding:4px 10px}.bubble{max-width:95%!important;font-size:13px}.bubble .content pre{font-size:11px}.session-item{padding:10px 14px}.stats{font-size:11px;padding:6px 14px}.empty{font-size:14px;padding:20px}.sidebar-header{padding:12px 16px;display:flex;align-items:center;justify-content:space-between}.metadata-grid{font-size:11px;padding:4px 0}.toast{max-width:85vw;font-size:13px}.msg .bubble .content{font-size:13px}.msg .bubble .content pre{max-width:85vw;overflow-x:auto}.tool-chip{font-size:11px}.read-marker{font-size:11px;margin:8px 0}.msg-header{padding:8px 12px}.msg-header h2{font-size:15px;margin:0}.msg-header .filename{font-size:10px}.toolbar-search{max-width:120px}.expand-btn{font-size:10px;padding:4px 8px}.toggle-opt{font-size:10px;padding:4px 6px}}@media(min-width:769px){.mobile-toggle,.mobile-back{display:none}}.floating-btn{position:absolute;z-index:10;border:none;border-radius:20px;padding:8px 16px;font-size:13px;cursor:pointer;box-shadow:0 2px 8px #00000026;transition:opacity .2s,transform .2s}.floating-btn:hover{transform:translateY(-1px);box-shadow:0 4px 12px #0003}.new-msg-btn{bottom:20px;right:20px;background:#4f46e5;color:#fff}.jump-btn{bottom:20px;left:50%;transform:translate(-50%);background:#f59e0b;color:#1a1a1a;font-weight:600}.jump-btn:hover{transform:translate(-50%) translateY(-1px)}

package/dist/favicon.svg

@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
+  <!-- Magnifying glass -->
+  <circle cx="24" cy="30" r="13" fill="none" stroke="#4f46e5" stroke-width="4"/>
+  <line x1="34" y1="40" x2="46" y2="52" stroke="#4f46e5" stroke-width="4" stroke-linecap="round"/>
+  <!-- Warning triangle - big, top right -->
+  <polygon points="48,0 62,24 34,24" fill="#dc2626"/>
+  <line x1="48" y1="7" x2="48" y2="16" stroke="#fff" stroke-width="3" stroke-linecap="round"/>
+  <circle cx="48" cy="20" r="1.8" fill="#fff"/>
+</svg>

package/dist/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>OpenClaw Inspector</title>
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg">
+  <script type="module" crossorigin src="/assets/index-Br9n3XxB.js"></script>
+  <link rel="stylesheet" crossorigin href="/assets/index-DJx37DEV.css">
+</head>
+<body>
+    <div id="root"></div>
+</body>
+</html>

package/package.json

@@ -0,0 +1,68 @@
+{
+  "name": "openclaw-inspector",
+  "version": "1.0.1",
+  "description": "Review every conversation your OpenClaw agent has ever had — including deleted sessions — and flag dangerous actions it may have taken without your knowledge.",
+  "main": "server.js",
+  "bin": {
+    "openclaw-inspector": "server.js"
+  },
+  "files": [
+    "dist/",
+    "server.js",
+    "danger-rules.json",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build",
+    "preview": "vite preview",
+    "start": "node server.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:e2e": "cypress run",
+    "test:e2e:open": "cypress open",
+    "prepublishOnly": "npm run build"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Lukavyi/openclaw-inspector.git"
+  },
+  "keywords": [
+    "openclaw",
+    "clawdbot",
+    "inspector",
+    "session-viewer",
+    "security",
+    "audit",
+    "ai-agent",
+    "cli"
+  ],
+  "author": "Taras Lukavyi",
+  "license": "MIT",
+  "type": "module",
+  "bugs": {
+    "url": "https://github.com/Lukavyi/openclaw-inspector/issues"
+  },
+  "homepage": "https://github.com/Lukavyi/openclaw-inspector#readme",
+  "engines": {
+    "node": ">=18"
+  },
+  "devDependencies": {
+    "@testing-library/jest-dom": "^6.9.1",
+    "@testing-library/react": "^16.3.2",
+    "@types/react": "^19.2.10",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^5.1.2",
+    "cypress": "^15.9.0",
+    "jsdom": "^27.4.0",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "typescript": "^5.9.3",
+    "vite": "^7.3.1",
+    "vitest": "^4.0.18"
+  },
+  "dependencies": {
+    "react-virtuoso": "^4.18.1"
+  }
+}

package/server.js

@@ -0,0 +1,472 @@
+#!/usr/bin/env node
+// Session Viewer Server — serves UI + watches JSONL files via SSE
+import { createServer } from "node:http";
+import { readFileSync, writeFileSync, readdirSync, statSync, watch, existsSync, mkdirSync, copyFileSync } from "node:fs";
+import { join, extname, resolve } from "node:path";
+import { homedir } from "node:os";
+import { execSync } from "node:child_process";
+
+const PORT = parseInt(process.env.PORT || "9100", 10);
+const SESSIONS_DIR = process.env.SESSIONS_DIR || (() => {
+  const openclaw = join(homedir(), ".openclaw", "agents", "main", "sessions");
+  const clawdbot = join(homedir(), ".clawdbot", "agents", "main", "sessions");
+  if (existsSync(openclaw)) return openclaw;
+  if (existsSync(clawdbot)) return clawdbot;
+  return openclaw; // default to .openclaw
+})();
+const PROJECT_DIR = new URL(".", import.meta.url).pathname;
+const STATIC_DIR = join(new URL(".", import.meta.url).pathname, "dist");
+const DATA_DIR = process.env.DATA_DIR || join(homedir(), ".openclaw-inspector");
+
+// Ensure data dir exists and seed defaults
+try {
+  mkdirSync(DATA_DIR, { recursive: true });
+} catch (e) {
+  console.error(`⚠️  Cannot create data dir ${DATA_DIR}: ${e.message}`);
+  console.error("   Set DATA_DIR env to a writable path.");
+  process.exit(1);
+}
+// Ensure DATA_DIR is a git repo
+try {
+  if (!existsSync(join(DATA_DIR, ".git"))) {
+    execSync("git init", { cwd: DATA_DIR, stdio: "ignore" });
+    console.log(`🗂️  Initialized git repo in ${DATA_DIR}`);
+  }
+} catch (e) {
+  console.error(`⚠️  Could not init git in ${DATA_DIR}: ${e.message}`);
+}
+
+function gitCommitProgress(message) {
+  try {
+    execSync("git add progress.json danger-rules.json", { cwd: DATA_DIR, stdio: "ignore" });
+    execSync(`git diff --cached --quiet`, { cwd: DATA_DIR, stdio: "ignore" });
+    // If we reach here, nothing staged — skip commit
+  } catch {
+    // diff --quiet exits 1 when there are staged changes — commit
+    try {
+      execSync(`git commit -m ${JSON.stringify(message)}`, { cwd: DATA_DIR, stdio: "ignore" });
+    } catch {}
+  }
+}
+
+const defaultRulesPath = join(PROJECT_DIR, "danger-rules.json");
+const userRulesPath = join(DATA_DIR, "danger-rules.json");
+if (!existsSync(userRulesPath) && existsSync(defaultRulesPath)) {
+  copyFileSync(defaultRulesPath, userRulesPath);
+}
+// Initial commit if files exist but not yet tracked
+gitCommitProgress("init: initial state");
+
+const CSV_PATH =
+  process.env.CSV_PATH || join(new URL(".", import.meta.url).pathname, "sessions_table.csv");
+
+// --- SSE clients ---
+const sseClients = new Set();
+
+function broadcast(event, data) {
+  const msg = `event: ${event}\ndata: ${JSON.stringify(data)}\n\n`;
+  for (const res of sseClients) {
+    try {
+      res.write(msg);
+    } catch {
+      sseClients.delete(res);
+    }
+  }
+}
+
+// --- Watch sessions dir ---
+let fsWatcher;
+try {
+  fsWatcher = watch(SESSIONS_DIR, { persistent: true }, (eventType, filename) => {
+    if (!filename) return;
+    if (filename.endsWith(".jsonl") || filename.includes(".deleted.")) {
+      broadcast("file-change", { eventType, filename });
+    }
+  });
+  console.log(`👁️  Watching ${SESSIONS_DIR}`);
+} catch (e) {
+  console.error(`Cannot watch ${SESSIONS_DIR}: ${e.message}`);
+}
+
+// --- API ---
+function listSessions() {
+  const files = readdirSync(SESSIONS_DIR).filter(
+    (f) => f.endsWith(".jsonl") || f.includes(".deleted.")
+  );
+  return files.map((f) => {
+    const fullPath = join(SESSIONS_DIR, f);
+    const stat = statSync(fullPath);
+    // Read first line to get session timestamp and sessionId
+    let createdAt = null;
+    let sessionId = null;
+    try {
+      const content = readFileSync(fullPath, "utf-8");
+      const firstLine = content.split("\n")[0];
+      const obj = JSON.parse(firstLine);
+      if (obj.type === "session") {
+        if (obj.timestamp) createdAt = obj.timestamp;
+        sessionId = obj.sessionId || obj.id || null;
+      }
+    } catch {}
+    return {
+      filename: f,
+      size: stat.size,
+      mtime: stat.mtimeMs,
+      createdAt,
+      sessionId,
+      deleted: f.includes(".deleted."),
+    };
+  });
+}
+
+function readSession(filename) {
+  // Sanitize — resolve and verify path stays inside SESSIONS_DIR
+  const fullPath = resolve(SESSIONS_DIR, filename);
+  if (!fullPath.startsWith(SESSIONS_DIR)) return null;
+  if (!existsSync(fullPath)) return null;
+  return readFileSync(fullPath, "utf-8");
+}
+
+function readCSV() {
+  if (!existsSync(CSV_PATH)) return null;
+  return readFileSync(CSV_PATH, "utf-8");
+}
+
+// --- Session status from sessions.json ---
+function getSessionMeta() {
+  const metaPath = join(SESSIONS_DIR, "sessions.json");
+  if (!existsSync(metaPath)) return {};
+  try {
+    const data = JSON.parse(readFileSync(metaPath, "utf-8"));
+    // Build map: sessionId -> { status, label, key }
+    const byId = {};
+    for (const [key, val] of Object.entries(data)) {
+      const sid = val.sessionId;
+      if (sid) {
+        byId[sid] = {
+          status: "active",
+          label: val.label || "",
+          key,
+          updatedAt: val.updatedAt,
+        };
+      }
+    }
+    return byId;
+  } catch { return {}; }
+}
+
+function resolveStatus(filename, metaById) {
+  if (filename.includes(".deleted.")) return { status: "deleted", label: "" };
+  // Extract sessionId from filename (UUID part before -topic or .jsonl)
+  const base = filename.replace(/\.jsonl$/, "").replace(/\.deleted\.\d+$/, "");
+  const meta = metaById[base];
+  if (meta) return { status: "active", label: meta.label || "" };
+  // Try matching by sessionId prefix
+  for (const [sid, m] of Object.entries(metaById)) {
+    if (base.startsWith(sid) || sid.startsWith(base)) return { status: "active", label: m.label || "" };
+  }
+  return { status: "orphan", label: "" };
+}
+
+// --- MIME ---
+const MIME = {
+  ".html": "text/html",
+  ".js": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+  ".svg": "image/svg+xml",
+};
+
+// --- Server ---
+const server = createServer((req, res) => {
+  const url = new URL(req.url, `http://localhost:${PORT}`);
+  const path = url.pathname;
+
+  // CORS
+  const origin = req.headers.origin || "";
+  if (/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin)) {
+    res.setHeader("Access-Control-Allow-Origin", origin);
+  }
+
+  // SSE endpoint
+  if (path === "/api/events") {
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+    });
+    res.write(`event: connected\ndata: "ok"\n\n`);
+    sseClients.add(res);
+    req.on("close", () => sseClients.delete(res));
+    return;
+  }
+
+  // API: list sessions (now includes status + label)
+  if (path === "/api/sessions") {
+    const sessions = listSessions();
+    const meta = getSessionMeta();
+    for (const s of sessions) {
+      const info = resolveStatus(s.filename, meta);
+      s.status = info.status;
+      s.label = info.label;
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(sessions));
+    return;
+  }
+
+  // API: session meta (status + labels)
+  if (path === "/api/meta") {
+    const files = readdirSync(SESSIONS_DIR).filter(
+      (f) => f.endsWith(".jsonl") || f.includes(".deleted.")
+    );
+    const meta = getSessionMeta();
+    const result = {};
+    for (const f of files) {
+      result[f] = resolveStatus(f, meta);
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(result));
+    return;
+  }
+
+  // API: message counts for all sessions
+  if (path === "/api/counts") {
+    const files = readdirSync(SESSIONS_DIR).filter(
+      (f) => f.endsWith(".jsonl") || f.includes(".deleted.")
+    );
+    const counts = {};
+    for (const f of files) {
+      try {
+        const content = readFileSync(join(SESSIONS_DIR, f), "utf-8");
+        let total = 0;
+        for (const line of content.split("\n")) {
+          if (!line.trim()) continue;
+          try {
+            const obj = JSON.parse(line);
+            if (obj.type === "message") total++;
+          } catch {}
+        }
+        counts[f] = total;
+      } catch {}
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(counts));
+    return;
+  }
+
+  // API: danger scan
+  if (path === "/api/danger") {
+    const rulesPath = existsSync(userRulesPath) ? userRulesPath : join(PROJECT_DIR, "danger-rules.json");
+    if (!existsSync(rulesPath)) {
+      res.writeHead(404);
+      res.end("No rules");
+      return;
+    }
+    const rules = JSON.parse(readFileSync(rulesPath, "utf-8")).rules;
+    const compiled = rules.map((r) => ({
+      ...r,
+      regexes: (r.patterns || []).map((p) => new RegExp(p, "i")),
+      toolRules: r.toolRules || null,
+    }));
+
+    const files = readdirSync(SESSIONS_DIR).filter(
+      (f) => f.endsWith(".jsonl") || f.includes(".deleted.")
+    );
+    const results = {};
+    for (const f of files) {
+      const hits = [];
+      try {
+        const content = readFileSync(join(SESSIONS_DIR, f), "utf-8");
+        for (const line of content.split("\n")) {
+          if (!line.trim()) continue;
+          let obj;
+          try { obj = JSON.parse(line); } catch { continue; }
+          if (obj.type !== "message") continue;
+          const msg = obj.message;
+          if (!msg || !msg.content || !Array.isArray(msg.content)) continue;
+          for (const block of msg.content) {
+            // Check ALL string values in toolCall arguments/input recursively
+            if (block.type === "toolCall") {
+              const src = block.arguments || block.input;
+              const toolName = block.name || "";
+              const toolAction = src?.action || "";
+
+              // Tool-based rules (surveillance etc.)
+              for (const rule of compiled) {
+                if (!rule.toolRules) continue;
+                for (const tr of rule.toolRules) {
+                  if (tr.toolName === toolName && (tr.actions === null || (toolAction && tr.actions.includes(toolAction)))) {
+                    hits.push({
+                      msgId: obj.id,
+                      command: `${toolName}${toolAction ? ": " + toolAction : ""}`,
+                      category: rule.category,
+                      severity: rule.severity,
+                      label: rule.label,
+                    });
+                  }
+                }
+              }
+
+              if (!src) continue;
+              // Collect all string values from the object tree
+              const strings = [];
+              const walk = (v) => {
+                if (typeof v === "string") { if (v.length > 2) strings.push(v); }
+                else if (Array.isArray(v)) v.forEach(walk);
+                else if (v && typeof v === "object") Object.values(v).forEach(walk);
+              };
+              walk(src);
+              if (!strings.length) continue;
+              const matched = new Set();
+              for (const s of strings) {
+                for (const rule of compiled) {
+                  if (rule.toolRules) continue; // skip tool-based rules here
+                  if (matched.has(rule.category + s)) continue;
+                  for (const rx of rule.regexes) {
+                    if (rx.test(s)) {
+                      matched.add(rule.category + s);
+                      hits.push({
+                        msgId: obj.id,
+                        command: `${toolName || "?"}: ${s.substring(0, 200)}`,
+                        category: rule.category,
+                        severity: rule.severity,
+                        label: rule.label,
+                      });
+                      break;
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      } catch {}
+      if (hits.length > 0) results[f] = hits;
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(results));
+    return;
+  }
+
+  // API: read session file
+  if (path.startsWith("/api/session/")) {
+    const filename = decodeURIComponent(path.slice("/api/session/".length));
+    const content = readSession(filename);
+    if (content === null) {
+      res.writeHead(404);
+      res.end("Not found");
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "text/plain" });
+    res.end(content);
+    return;
+  }
+
+  // API: CSV metadata
+  if (path === "/api/csv") {
+    const csv = readCSV();
+    if (csv === null) {
+      res.writeHead(404);
+      res.end("No CSV");
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "text/csv" });
+    res.end(csv);
+    return;
+  }
+
+  // API: read progress
+  if (path === "/api/progress" && req.method === "GET") {
+    const progressPath = join(DATA_DIR, "progress.json");
+    if (!existsSync(progressPath)) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end("{}");
+      return;
+    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(readFileSync(progressPath, "utf-8"));
+    return;
+  }
+
+  // API: save progress
+  if (path === "/api/progress" && req.method === "POST") {
+    const MAX_BODY = 2 * 1024 * 1024; // 2MB
+    let body = "";
+    let tooBig = false;
+    req.on("data", (chunk) => {
+      body += chunk;
+      if (body.length > MAX_BODY) { tooBig = true; req.destroy(); }
+    });
+    req.on("end", () => {
+      if (tooBig) { res.writeHead(413); res.end("Payload too large"); return; }
+      try {
+        JSON.parse(body); // validate
+        const progressPath = join(DATA_DIR, "progress.json");
+        writeFileSync(progressPath, body, "utf-8");
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end('{"ok":true}');
+        // Git commit async (don't block response)
+        const now = new Date().toISOString().replace('T', ' ').slice(0, 19);
+        gitCommitProgress(`review: ${now}`);
+      } catch {
+        res.writeHead(400);
+        res.end("Invalid JSON");
+      }
+    });
+    return;
+  }
+
+  // API: full-text search across all sessions
+  if (path === "/api/search") {
+    const q = (url.searchParams.get("q") || "").toLowerCase().trim();
+    if (!q || q.length < 2) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end("[]");
+      return;
+    }
+    const matches = [];
+    try {
+      const files = readdirSync(SESSIONS_DIR).filter(f => f.endsWith(".jsonl"));
+      for (const f of files) {
+        try {
+          const fullPath = resolve(SESSIONS_DIR, f);
+          if (!fullPath.startsWith(SESSIONS_DIR)) continue;
+          const content = readFileSync(fullPath, "utf-8").toLowerCase();
+          if (content.includes(q)) {
+            matches.push(f);
+          }
+        } catch {}
+      }
+    } catch {}
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(matches));
+    return;
+  }
+
+  // Static files — with path traversal protection
+  let filePath = path === "/" ? "/index.html" : path;
+  const fullPath = resolve(STATIC_DIR, "." + filePath);
+  if (!fullPath.startsWith(STATIC_DIR)) {
+    res.writeHead(403);
+    res.end("Forbidden");
+    return;
+  }
+  try {
+    const content = readFileSync(fullPath);
+    const ext = extname(filePath);
+    res.writeHead(200, { "Content-Type": MIME[ext] || "application/octet-stream" });
+    res.end(content);
+  } catch {
+    res.writeHead(404);
+    res.end("Not found");
+  }
+});
+
+const HOST = process.env.HOST || "127.0.0.1";
+server.listen(PORT, HOST, () => {
+  console.log(`🖥️  Session Viewer: http://localhost:${PORT}`);
+  console.log(`📂 Sessions: ${SESSIONS_DIR}`);
+  console.log(`📊 CSV: ${CSV_PATH}`);
+  console.log(`💾 Data: ${DATA_DIR}`);
+});