patchwork-os 0.2.0-alpha.2 → 0.2.0-alpha.22

package/dist/server.js

@@ -5,6 +5,7 @@ import path from "node:path";
 import { WebSocket, WebSocketServer as WsServer } from "ws";
 import { routeApprovalRequest } from "./approvalHttp.js";
 import { getApprovalQueue } from "./approvalQueue.js";
+import { saveBridgeConfigDriver } from "./config.js";
 import { timingSafeStringEqual } from "./crypto.js";
 import { renderDashboardHtml } from "./dashboard.js";
 import { loadConfig as loadPatchworkConfig, defaultConfigPath as patchworkConfigPath, saveConfig as savePatchworkConfig, } from "./patchworkConfig.js";
@@ -93,14 +94,26 @@ export class Server extends EventEmitter {
     saveRecipeFn = null;
     /** Patchwork: set by bridge to query the recipe run audit log. */
     runsFn = null;
+    /** Patchwork: set by bridge to fetch a single run by seq for the detail page. */
+    runDetailFn = null;
+    /** Patchwork: set by bridge to generate a dry-run plan for a recipe by name. */
+    runPlanFn = null;
     /** Patchwork: set by bridge to launch a named recipe via the orchestrator. */
     runRecipeFn = null;
     /** Patchwork: admin-controlled managed settings path (highest rule precedence). */
     managedSettingsPath = undefined;
+    /** Effective bridge config path to update when dashboard saves driver changes. */
+    bridgeConfigPath = undefined;
     /** Patchwork: live approval gate level — mutated by POST /settings, read by bridge per-session setup. */
     approvalGate = "off";
     /** Patchwork: outbound webhook URL for approval notifications (from dashboard.webhookUrl in config). */
     approvalWebhookUrl = undefined;
+    /** Patchwork: push relay service URL — when set, per-callId approval tokens are generated. */
+    pushServiceUrl = undefined;
+    /** Patchwork: bearer token for the push relay service. */
+    pushServiceToken = undefined;
+    /** Patchwork: public base URL of this bridge, embedded in push payloads as callback base. */
+    pushServiceBaseUrl = undefined;
     /** Patchwork: approval decision audit callback wired to activityLog.recordEvent. */
     onApprovalDecision = undefined;
     /** Patchwork: set by bridge to match + fire webhook-triggered recipes. */
@@ -127,6 +140,7 @@ export class Server extends EventEmitter {
     sessionDetailFn = null;
     /** Set by bridge to handle POST /launch-quick-task — invokes launchQuickTask tool in-process. */
     launchQuickTaskFn = null;
+    setRecipeEnabledFn = null;
     /**
      * Attach an OAuth 2.0 Authorization Server.
      * When set, the bridge exposes:
@@ -355,6 +369,144 @@ export class Server extends EventEmitter {
                 res.end(JSON.stringify({ ok: true, v: PACKAGE_VERSION }));
                 return;
             }
+            // ── Connector OAuth callbacks (unauthenticated — browser redirect from vendor) ──
+            if (parsedUrl.pathname === "/connections/github/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleGithubCallback } = await import("./connectors/github.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleGithubCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/linear/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleLinearCallback } = await import("./connectors/linear.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleLinearCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/sentry/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleSentryCallback } = await import("./connectors/sentry.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleSentryCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/google-calendar/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleCalendarCallback } = await import("./connectors/googleCalendar.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleCalendarCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/slack/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleSlackCallback } = await import("./connectors/slack.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleSlackCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/gmail/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleGmailCallback } = await import("./connectors/gmail.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleGmailCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "text/html",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            // ── /schemas/* — unauthenticated registry-derived JSON Schemas ────────
+            // Serves recipe.v1.json, dry-run-plan.v1.json, tools/<ns>.json so YAML-LSP
+            // editors can resolve `$schema:` headers against a running bridge. No
+            // secrets — schemas are generated from the tool registry.
+            if (parsedUrl.pathname?.startsWith("/schemas/") && req.method === "GET") {
+                try {
+                    await import("./recipes/tools/index.js");
+                    const { generateSchemaSet } = await import("./recipes/schemaGenerator.js");
+                    const schemas = generateSchemaSet();
+                    const rest = parsedUrl.pathname.slice("/schemas/".length);
+                    let body;
+                    if (rest === "recipe.v1.json") {
+                        body = schemas.recipe;
+                    }
+                    else if (rest === "dry-run-plan.v1.json") {
+                        body = schemas.dryRunPlan;
+                    }
+                    else if (rest.startsWith("tools/") && rest.endsWith(".json")) {
+                        const ns = rest.slice("tools/".length, -".json".length);
+                        body = schemas.namespaces[ns];
+                    }
+                    else if (rest === "" || rest === "index.json") {
+                        body = {
+                            recipe: "/schemas/recipe.v1.json",
+                            dryRunPlan: "/schemas/dry-run-plan.v1.json",
+                            tools: Object.keys(schemas.namespaces).map((ns) => `/schemas/tools/${ns}.json`),
+                        };
+                    }
+                    if (body === undefined) {
+                        res.writeHead(404, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ error: `schema not found: ${rest}` }));
+                        return;
+                    }
+                    res.writeHead(200, {
+                        "Content-Type": "application/schema+json",
+                        "Cache-Control": "public, max-age=60",
+                    });
+                    res.end(JSON.stringify(body, null, 2));
+                }
+                catch (err) {
+                    res.writeHead(500, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({
+                        error: err instanceof Error ? err.message : String(err),
+                    }));
+                }
+                return;
+            }
             // ── Bearer token authentication ───────────────────────────────────────
             // All other HTTP endpoints require a valid Bearer token.
             // Accepts either:
@@ -372,8 +524,13 @@ export class Server extends EventEmitter {
             const oauthResolved = !isStaticToken && this.oauthServer
                 ? this.oauthServer.resolveBearerToken(bearer)
                 : null;
+            // Phone-path: approve/reject with x-approval-token bypass bearer check.
+            // The token itself is validated inside routeApprovalRequest via queue.validateToken.
+            const isPhoneApprovalPath = req.method === "POST" &&
+                /^\/(approve|reject)\/[A-Za-z0-9-]+$/.test(parsedUrl.pathname) &&
+                !!req.headers["x-approval-token"];
             // oauthResolved is the bridge token if the OAuth token is valid; null otherwise
-            if (!isStaticToken && !oauthResolved) {
+            if (!isStaticToken && !oauthResolved && !isPhoneApprovalPath) {
                 // RFC 6750: only include error= when a token was actually presented but invalid
                 const tokenPresented = bearer.length > 0;
                 const wwwAuth = this.oauthServer && this.oauthIssuerUrl
@@ -675,26 +832,124 @@ export class Server extends EventEmitter {
                 })();
                 return;
             }
-            if (parsedUrl.pathname === "/connections/gmail/callback" &&
+            if (parsedUrl.pathname === "/connections/gmail" &&
+                req.method === "DELETE") {
+                void (async () => {
+                    const { handleGmailDisconnect } = await import("./connectors/gmail.js");
+                    const result = await handleGmailDisconnect();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/gmail/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleGmailTest } = await import("./connectors/gmail.js");
+                    const result = await handleGmailTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            // ── GitHub MCP connector routes ─────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/github/auth" &&
                 req.method === "GET") {
                 void (async () => {
-                    const { handleGmailCallback } = await import("./connectors/gmail.js");
+                    const { handleGithubAuthorize } = await import("./connectors/github.js");
+                    const result = await handleGithubAuthorize();
+                    if (result.redirect) {
+                        res.writeHead(302, { Location: result.redirect });
+                        res.end();
+                    }
+                    else {
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
+                    }
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/github/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleGithubTest } = await import("./connectors/github.js");
+                    const result = await handleGithubTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/github" &&
+                req.method === "DELETE") {
+                void (async () => {
+                    const { handleGithubDisconnect } = await import("./connectors/github.js");
+                    const result = await handleGithubDisconnect();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            // ── Sentry MCP connector routes ─────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/sentry/auth" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleSentryAuthorize } = await import("./connectors/sentry.js");
+                    const result = await handleSentryAuthorize();
+                    if (result.redirect) {
+                        res.writeHead(302, { Location: result.redirect });
+                        res.end();
+                    }
+                    else {
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
+                    }
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/sentry/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleSentryCallback } = await import("./connectors/sentry.js");
                     const code = parsedUrl.searchParams.get("code");
                     const state = parsedUrl.searchParams.get("state");
                     const error = parsedUrl.searchParams.get("error");
-                    const result = await handleGmailCallback(code, state, error);
+                    const result = await handleSentryCallback(code, state, error);
                     res.writeHead(result.status, {
-                        "Content-Type": result.contentType ?? "text/html",
+                        "Content-Type": result.contentType ?? "application/json",
                     });
                     res.end(result.body);
                 })();
                 return;
             }
-            if (parsedUrl.pathname === "/connections/gmail" &&
+            if (parsedUrl.pathname === "/connections/sentry/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleSentryTest } = await import("./connectors/sentry.js");
+                    const result = await handleSentryTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/sentry" &&
                 req.method === "DELETE") {
                 void (async () => {
-                    const { handleGmailDisconnect } = await import("./connectors/gmail.js");
-                    const result = await handleGmailDisconnect();
+                    const { handleSentryDisconnect } = await import("./connectors/sentry.js");
+                    const result = await handleSentryDisconnect();
                     res.writeHead(result.status, {
                         "Content-Type": result.contentType ?? "application/json",
                     });
@@ -702,11 +957,45 @@ export class Server extends EventEmitter {
                 })();
                 return;
             }
-            if (parsedUrl.pathname === "/connections/gmail/test" &&
+            // ── Linear MCP connector routes ─────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/linear/auth" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleLinearAuthorize } = await import("./connectors/linear.js");
+                    const result = await handleLinearAuthorize();
+                    if (result.redirect) {
+                        res.writeHead(302, { Location: result.redirect });
+                        res.end();
+                    }
+                    else {
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
+                    }
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/linear/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleLinearCallback } = await import("./connectors/linear.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleLinearCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/linear/test" &&
                 req.method === "POST") {
                 void (async () => {
-                    const { handleGmailTest } = await import("./connectors/gmail.js");
-                    const result = await handleGmailTest();
+                    const { handleLinearTest } = await import("./connectors/linear.js");
+                    const result = await handleLinearTest();
                     res.writeHead(result.status, {
                         "Content-Type": result.contentType ?? "application/json",
                     });
@@ -714,28 +1003,233 @@ export class Server extends EventEmitter {
                 })();
                 return;
             }
-            if (parsedUrl.pathname === "/connections/github/test" &&
+            if (parsedUrl.pathname === "/connections/linear" &&
+                req.method === "DELETE") {
+                void (async () => {
+                    const { handleLinearDisconnect } = await import("./connectors/linear.js");
+                    const result = await handleLinearDisconnect();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            // ── Slack connector routes ──────────────────────────────────────
+            if ((parsedUrl.pathname === "/connections/slack/auth" ||
+                parsedUrl.pathname === "/connections/slack/authorize") &&
+                req.method === "GET") {
+                const { handleSlackAuthorize } = await import("./connectors/slack.js");
+                const result = handleSlackAuthorize();
+                if (result.redirect) {
+                    res.writeHead(302, { Location: result.redirect });
+                    res.end();
+                }
+                else {
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                }
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/slack/test" &&
                 req.method === "POST") {
                 void (async () => {
-                    const { getStatus } = await import("./connectors/github.js");
-                    const s = getStatus();
-                    if (s.connected) {
-                        res.writeHead(200, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({
-                            ok: true,
-                            message: `Connected as ${s.user ?? "unknown"}`,
-                        }));
+                    const { handleSlackTest } = await import("./connectors/slack.js");
+                    const result = await handleSlackTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/slack" &&
+                req.method === "DELETE") {
+                const { handleSlackDisconnect } = await import("./connectors/slack.js");
+                const result = handleSlackDisconnect();
+                res.writeHead(result.status, {
+                    "Content-Type": result.contentType ?? "application/json",
+                });
+                res.end(result.body);
+                return;
+            }
+            // ── Notion routes ──────────────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/notion/connect" &&
+                req.method === "POST") {
+                const chunks = [];
+                req.on("data", (c) => chunks.push(c));
+                req.on("end", () => {
+                    void (async () => {
+                        const { handleNotionConnect } = await import("./connectors/notion.js");
+                        const result = await handleNotionConnect(Buffer.concat(chunks).toString("utf-8"));
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
+                    })();
+                });
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/notion/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleNotionTest } = await import("./connectors/notion.js");
+                    const result = await handleNotionTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/notion" &&
+                req.method === "DELETE") {
+                const { handleNotionDisconnect } = await import("./connectors/notion.js");
+                const result = handleNotionDisconnect();
+                res.writeHead(result.status, {
+                    "Content-Type": result.contentType ?? "application/json",
+                });
+                res.end(result.body);
+                return;
+            }
+            // ── Confluence routes ───────────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/confluence/connect" &&
+                req.method === "POST") {
+                const chunks = [];
+                req.on("data", (c) => chunks.push(c));
+                req.on("end", () => {
+                    void (async () => {
+                        const { handleConfluenceConnect } = await import("./connectors/confluence.js");
+                        const result = await handleConfluenceConnect(Buffer.concat(chunks).toString("utf-8"));
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
+                    })();
+                });
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/confluence/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleConfluenceTest } = await import("./connectors/confluence.js");
+                    const result = await handleConfluenceTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/confluence" &&
+                req.method === "DELETE") {
+                const { handleConfluenceDisconnect } = await import("./connectors/confluence.js");
+                const result = handleConfluenceDisconnect();
+                res.writeHead(result.status, {
+                    "Content-Type": result.contentType ?? "application/json",
+                });
+                res.end(result.body);
+                return;
+            }
+            // ── Zendesk routes ──────────────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/zendesk/connect" &&
+                req.method === "POST") {
+                const chunks = [];
+                req.on("data", (c) => chunks.push(c));
+                req.on("end", () => {
+                    void (async () => {
+                        const { handleZendeskConnect } = await import("./connectors/zendesk.js");
+                        const result = await handleZendeskConnect(Buffer.concat(chunks).toString("utf-8"));
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
+                    })();
+                });
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/zendesk/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleZendeskTest } = await import("./connectors/zendesk.js");
+                    const result = await handleZendeskTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/zendesk" &&
+                req.method === "DELETE") {
+                const { handleZendeskDisconnect } = await import("./connectors/zendesk.js");
+                const result = handleZendeskDisconnect();
+                res.writeHead(result.status, {
+                    "Content-Type": result.contentType ?? "application/json",
+                });
+                res.end(result.body);
+                return;
+            }
+            // ── Google Calendar routes ──────────────────────────────────────
+            if (parsedUrl.pathname === "/connections/google-calendar/auth" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleCalendarAuthRedirect } = await import("./connectors/googleCalendar.js");
+                    const result = handleCalendarAuthRedirect();
+                    if (result.redirect) {
+                        res.writeHead(302, { Location: result.redirect });
+                        res.end();
                     }
                     else {
-                        res.writeHead(200, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({
-                            ok: false,
-                            message: "Not connected — run: gh auth login",
-                        }));
+                        res.writeHead(result.status, {
+                            "Content-Type": result.contentType ?? "application/json",
+                        });
+                        res.end(result.body);
                     }
                 })();
                 return;
             }
+            if (parsedUrl.pathname === "/connections/google-calendar/callback" &&
+                req.method === "GET") {
+                void (async () => {
+                    const { handleCalendarCallback } = await import("./connectors/googleCalendar.js");
+                    const code = parsedUrl.searchParams.get("code");
+                    const state = parsedUrl.searchParams.get("state");
+                    const error = parsedUrl.searchParams.get("error");
+                    const result = await handleCalendarCallback(code, state, error);
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/google-calendar/test" &&
+                req.method === "POST") {
+                void (async () => {
+                    const { handleCalendarTest } = await import("./connectors/googleCalendar.js");
+                    const result = await handleCalendarTest();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
+            if (parsedUrl.pathname === "/connections/google-calendar" &&
+                req.method === "DELETE") {
+                void (async () => {
+                    const { handleCalendarDisconnect } = await import("./connectors/googleCalendar.js");
+                    const result = await handleCalendarDisconnect();
+                    res.writeHead(result.status, {
+                        "Content-Type": result.contentType ?? "application/json",
+                    });
+                    res.end(result.body);
+                })();
+                return;
+            }
             // ── Inbox routes ────────────────────────────────────────────────────
             if (parsedUrl.pathname === "/inbox" && req.method === "GET") {
                 void (async () => {
@@ -831,6 +1325,11 @@ export class Server extends EventEmitter {
                             const body = Buffer.concat(chunks).toString("utf-8");
                             const parsed = JSON.parse(body || "{}");
                             const name = parsed.name;
+                            const vars = parsed.vars &&
+                                typeof parsed.vars === "object" &&
+                                !Array.isArray(parsed.vars)
+                                ? parsed.vars
+                                : undefined;
                             if (typeof name !== "string" || !name) {
                                 res.writeHead(400, { "Content-Type": "application/json" });
                                 res.end(JSON.stringify({ ok: false, error: "name required" }));
@@ -844,7 +1343,7 @@ export class Server extends EventEmitter {
                                 }));
                                 return;
                             }
-                            const result = await this.runRecipeFn(name);
+                            const result = await this.runRecipeFn(name, vars);
                             res.writeHead(result.ok ? 200 : 400, {
                                 "Content-Type": "application/json",
                             });
@@ -886,6 +1385,62 @@ export class Server extends EventEmitter {
                 }
                 return;
             }
+            // GET /runs/:seq — single run detail (includes stepResults if present)
+            const runDetailMatch = req.method === "GET"
+                ? /^\/runs\/(\d+)$/.exec(parsedUrl.pathname)
+                : null;
+            if (runDetailMatch?.[1]) {
+                const seq = Number.parseInt(runDetailMatch[1], 10);
+                try {
+                    const run = this.runDetailFn?.(seq) ?? null;
+                    if (!run) {
+                        res.writeHead(404, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ error: "not_found" }));
+                    }
+                    else {
+                        res.writeHead(200, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ run }));
+                    }
+                }
+                catch (err) {
+                    res.writeHead(500, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({
+                        error: err instanceof Error ? err.message : String(err),
+                    }));
+                }
+                return;
+            }
+            // GET /runs/:seq/plan — dry-run plan for the recipe that produced this run
+            const runPlanMatch = req.method === "GET"
+                ? /^\/runs\/(\d+)\/plan$/.exec(parsedUrl.pathname)
+                : null;
+            if (runPlanMatch?.[1]) {
+                const seq = Number.parseInt(runPlanMatch[1], 10);
+                try {
+                    const run = this.runDetailFn?.(seq) ?? null;
+                    if (!run) {
+                        res.writeHead(404, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ error: "run_not_found" }));
+                        return;
+                    }
+                    if (!this.runPlanFn) {
+                        res.writeHead(503, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ error: "plan_unavailable" }));
+                        return;
+                    }
+                    const recipeName = run["recipeName"];
+                    const plan = await this.runPlanFn(recipeName);
+                    res.writeHead(200, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ plan }));
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    const status = msg.includes("not found") || msg.includes("ENOENT") ? 404 : 500;
+                    res.writeHead(status, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: msg }));
+                }
+                return;
+            }
             if (req.url === "/recipes" && req.method === "POST") {
                 const chunks = [];
                 req.on("data", (c) => chunks.push(c));
@@ -919,6 +1474,40 @@ export class Server extends EventEmitter {
                 });
                 return;
             }
+            const recipePatchMatch = /^\/recipes\/([^/]+)$/.exec(parsedUrl.pathname);
+            if (recipePatchMatch && req.method === "PATCH") {
+                const name = decodeURIComponent(recipePatchMatch[1]);
+                const chunks = [];
+                req.on("data", (c) => chunks.push(c));
+                req.on("end", () => {
+                    try {
+                        const body = JSON.parse(Buffer.concat(chunks).toString("utf-8"));
+                        if (typeof body.enabled !== "boolean") {
+                            res.writeHead(400, { "Content-Type": "application/json" });
+                            res.end(JSON.stringify({
+                                ok: false,
+                                error: "enabled (boolean) required",
+                            }));
+                            return;
+                        }
+                        if (!this.setRecipeEnabledFn) {
+                            res.writeHead(503, { "Content-Type": "application/json" });
+                            res.end(JSON.stringify({ ok: false, error: "Not available" }));
+                            return;
+                        }
+                        const result = this.setRecipeEnabledFn(name, body.enabled);
+                        res.writeHead(result.ok ? 200 : 400, {
+                            "Content-Type": "application/json",
+                        });
+                        res.end(JSON.stringify(result));
+                    }
+                    catch {
+                        res.writeHead(400, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ ok: false, error: "Invalid JSON" }));
+                    }
+                });
+                return;
+            }
             if (req.url === "/recipes" && req.method === "GET") {
                 try {
                     const data = this.recipesFn?.() ?? { recipesDir: null, recipes: [] };
@@ -979,8 +1568,11 @@ export class Server extends EventEmitter {
                 req.on("end", () => {
                     try {
                         const body = JSON.parse(Buffer.concat(chunks).toString("utf-8"));
-                        const raw = body.webhookUrl?.trim() ?? "";
-                        if (raw !== "" && !/^https:\/\/.+/.test(raw)) {
+                        const hasWebhookUpdate = body.webhookUrl !== undefined;
+                        const raw = hasWebhookUpdate
+                            ? (body.webhookUrl?.trim() ?? "")
+                            : undefined;
+                        if (raw !== undefined && raw !== "" && !/^https:\/\/.+/.test(raw)) {
                             res.writeHead(400, { "Content-Type": "application/json" });
                             res.end(JSON.stringify({ error: "webhookUrl must be HTTPS" }));
                             return;
@@ -1002,16 +1594,69 @@ export class Server extends EventEmitter {
                             port: cfg.dashboard?.port ?? 3000,
                             requireApproval: cfg.dashboard?.requireApproval ?? ["high"],
                             pushNotifications: cfg.dashboard?.pushNotifications ?? false,
-                            webhookUrl: raw || undefined,
+                            webhookUrl: hasWebhookUpdate
+                                ? raw || undefined
+                                : cfg.dashboard?.webhookUrl,
                         };
                         if (gateRaw !== undefined) {
                             cfg.approvalGate = gateRaw;
                             this.approvalGate = gateRaw;
                         }
+                        const driverRaw = body.driver;
+                        if (driverRaw !== undefined) {
+                            const validDrivers = [
+                                "subprocess",
+                                "api",
+                                "openai",
+                                "grok",
+                                "gemini",
+                                "none",
+                            ];
+                            if (!validDrivers.includes(driverRaw)) {
+                                res.writeHead(400, { "Content-Type": "application/json" });
+                                res.end(JSON.stringify({
+                                    error: `driver must be one of: ${validDrivers.join(", ")}`,
+                                }));
+                                return;
+                            }
+                            const driver = driverRaw;
+                            cfg.driver = driver;
+                            saveBridgeConfigDriver(driver, this.bridgeConfigPath);
+                        }
+                        if (body.apiKey) {
+                            const { provider, key } = body.apiKey;
+                            const validProviders = ["anthropic", "openai", "google", "xai"];
+                            if (!validProviders.includes(provider) ||
+                                typeof key !== "string") {
+                                res.writeHead(400, { "Content-Type": "application/json" });
+                                res.end(JSON.stringify({ error: "Invalid apiKey provider or key" }));
+                                return;
+                            }
+                            cfg.apiKeys = { ...cfg.apiKeys, [provider]: key || undefined };
+                        }
                         savePatchworkConfig(cfg, configPath);
-                        this.approvalWebhookUrl = raw || undefined;
+                        if (hasWebhookUpdate) {
+                            this.approvalWebhookUrl = raw || undefined;
+                        }
+                        if (body.pushServiceUrl !== undefined) {
+                            const pushUrl = body.pushServiceUrl.trim();
+                            if (pushUrl && !pushUrl.startsWith("https://")) {
+                                res.writeHead(400, { "Content-Type": "application/json" });
+                                res.end(JSON.stringify({ error: "pushServiceUrl must be HTTPS" }));
+                                return;
+                            }
+                            this.pushServiceUrl = pushUrl || undefined;
+                        }
+                        if (body.pushServiceToken !== undefined) {
+                            this.pushServiceToken = body.pushServiceToken.trim() || undefined;
+                        }
+                        if (body.pushServiceBaseUrl !== undefined) {
+                            this.pushServiceBaseUrl =
+                                body.pushServiceBaseUrl.trim() || undefined;
+                        }
+                        const restartRequired = driverRaw !== undefined || body.apiKey !== undefined;
                         res.writeHead(200, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({ ok: true }));
+                        res.end(JSON.stringify({ ok: true, restartRequired }));
                     }
                     catch (err) {
                         res.writeHead(400, { "Content-Type": "application/json" });
@@ -1100,6 +1745,7 @@ export class Server extends EventEmitter {
                             path: parsedUrl.pathname,
                             body: parsedBody,
                             query: parsedUrl.searchParams,
+                            approvalToken: req.headers["x-approval-token"],
                         }, {
                             queue: getApprovalQueue(),
                             workspace: process.cwd(),
@@ -1107,6 +1753,9 @@ export class Server extends EventEmitter {
                             onDecision: this.onApprovalDecision,
                             webhookUrl: this.approvalWebhookUrl,
                             approvalGate: this.approvalGate,
+                            pushServiceUrl: this.pushServiceUrl,
+                            pushServiceToken: this.pushServiceToken,
+                            pushServiceBaseUrl: this.pushServiceBaseUrl,
                         });
                         res.writeHead(result.status, {
                             "Content-Type": "application/json",
@@ -1305,6 +1954,8 @@ export class Server extends EventEmitter {
             ws.on("error", (err) => {
                 this.logger.error(`WebSocket client error: ${err.message}`);
             });
+            ws.remoteAddr =
+                req.socket.remoteAddress;
             this.emit("connection", ws);
         });
     }