quadwork 1.2.5 → 1.3.0

package/server/routes.js

@@ -43,7 +43,17 @@ function writeConfigFile(cfg) {
 router.get("/api/config", (_req, res) => {
   try {
     const raw = fs.readFileSync(CONFIG_PATH, "utf-8");
-    res.json(JSON.parse(raw));
+    const parsed = JSON.parse(raw);
+    // #409 / quadwork#273: overlay the sanitized operator_name so
+    // the chat panel's self-message filter compares against the same
+    // sender /api/chat actually stamps. The on-disk file keeps the
+    // raw value the operator typed (so a future feature can show
+    // both raw + effective), but every reader sees the effective
+    // value here — including SettingsPage, which now reflects what
+    // chat actually sends. This also makes a hand-edited file with
+    // garbage characters self-correct visibly on next reload.
+    parsed.operator_name = sanitizeOperatorName(parsed.operator_name);
+    res.json(parsed);
   } catch (err) {
     if (err.code === "ENOENT") return res.json(DEFAULT_CONFIG);
     res.status(500).json({ error: "Failed to read config", detail: err.message });
@@ -68,7 +78,7 @@ router.put("/api/config", (req, res) => {
 
 // ─── Chat (AgentChattr proxy) ──────────────────────────────────────────────
 
-const { resolveProjectChattr } = require("./config");
+const { resolveProjectChattr, sanitizeOperatorName } = require("./config");
 const { installAgentChattr, findAgentChattr } = require("./install-agentchattr");
 
 /**
@@ -174,6 +184,354 @@ function sendViaWebSocket(baseUrl, sessionToken, message) {
   });
 }
 
+/**
+ * #403 / quadwork#274: send an arbitrary AC ws event (not a chat
+ * message). Used for `update_settings` so the loop guard widget can
+ * push the new max_agent_hops to the running AgentChattr without a
+ * full restart. Mirrors sendViaWebSocket but lets the caller pick
+ * the event type.
+ */
+function sendWsEvent(baseUrl, sessionToken, event) {
+  return new Promise((resolve, reject) => {
+    const wsUrl = `${baseUrl.replace(/^http/, "ws")}/ws?token=${encodeURIComponent(sessionToken || "")}`;
+    const ws = new NodeWebSocket(wsUrl);
+    let settled = false;
+    const finish = (err, value) => {
+      if (settled) return;
+      settled = true;
+      try { ws.close(); } catch {}
+      if (err) reject(err); else resolve(value);
+    };
+    const giveUp = setTimeout(() => finish(new Error("websocket send timeout")), 4000);
+    ws.on("open", () => {
+      try {
+        ws.send(JSON.stringify(event));
+        setTimeout(() => { clearTimeout(giveUp); finish(null, { ok: true }); }, 250);
+      } catch (err) { clearTimeout(giveUp); finish(err); }
+    });
+    ws.on("error", (err) => { clearTimeout(giveUp); finish(err); });
+    ws.on("close", (code, reason) => {
+      if (!settled && code === 4003) {
+        clearTimeout(giveUp);
+        const msg = (reason && reason.toString()) || "forbidden: invalid session token";
+        const e = new Error(msg);
+        e.code = "EAGENTCHATTR_401";
+        finish(e);
+      }
+    });
+  });
+}
+
+// #403 / quadwork#274: read/write the loop guard for a given project.
+// Source of truth at rest is the project's config.toml [routing]
+// max_agent_hops. The PUT also pushes the value to the running AC via
+// `update_settings` so the change is live without a daemon restart.
+// Resolve the per-project config.toml path through resolveProjectChattr
+// so we honor `project.agentchattr_dir` (web wizard sets this; legacy
+// imports can have arbitrary paths) and don't drift from the rest of
+// the codebase that already goes through that helper.
+function resolveProjectConfigToml(projectId) {
+  const resolved = resolveProjectChattr(projectId);
+  if (!resolved || !resolved.dir) return null;
+  return path.join(resolved.dir, "config.toml");
+}
+
+router.get("/api/loop-guard", (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const tomlPath = resolveProjectConfigToml(projectId);
+  if (!tomlPath || !fs.existsSync(tomlPath)) return res.json({ value: 30, source: "default" });
+  try {
+    const content = fs.readFileSync(tomlPath, "utf-8");
+    const m = content.match(/^\s*max_agent_hops\s*=\s*(\d+)/m);
+    const value = m ? parseInt(m[1], 10) : 30;
+    res.json({ value, source: m ? "toml" : "default" });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to read config.toml", detail: err.message });
+  }
+});
+
+router.put("/api/loop-guard", async (req, res) => {
+  const projectId = req.query.project || req.body?.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const raw = req.body?.value;
+  const value = typeof raw === "number" ? raw : parseInt(raw, 10);
+  // AC's update_settings handler clamps to [1, 50]; mirror that
+  // here so we don't write a value AC will silently rewrite.
+  if (!Number.isInteger(value) || value < 4 || value > 50) {
+    return res.status(400).json({ error: "value must be an integer between 4 and 50" });
+  }
+
+  // 1. Persist to config.toml so the next restart picks it up.
+  const tomlPath = resolveProjectConfigToml(projectId);
+  if (!tomlPath || !fs.existsSync(tomlPath)) {
+    return res.status(404).json({ error: "config.toml not found for project" });
+  }
+  try {
+    let content = fs.readFileSync(tomlPath, "utf-8");
+    if (/^\s*max_agent_hops\s*=/m.test(content)) {
+      content = content.replace(/^\s*max_agent_hops\s*=.*$/m, `max_agent_hops = ${value}`);
+    } else if (/^\s*\[routing\]/m.test(content)) {
+      // Section exists but the key doesn't — append the key on the
+      // line right after the [routing] header to keep it scoped.
+      content = content.replace(/^(\s*\[routing\]\s*\n)/m, `$1max_agent_hops = ${value}\n`);
+    } else {
+      const trailing = content.endsWith("\n") ? "" : "\n";
+      content += `${trailing}\n[routing]\ndefault = "none"\nmax_agent_hops = ${value}\n`;
+    }
+    fs.writeFileSync(tomlPath, content);
+  } catch (err) {
+    return res.status(500).json({ error: "Failed to write config.toml", detail: err.message });
+  }
+
+  // 2. Best-effort push to the running AC so the change is live.
+  // On stale-token (4003 → EAGENTCHATTR_401) recover the same way
+  // /api/chat does (#230): re-sync the session token from AC and
+  // retry once. Other failures stay non-fatal — the persisted value
+  // still takes effect on next AC restart.
+  let live = false;
+  try {
+    const { url: base, token: sessionToken } = getChattrConfig(projectId);
+    if (base) {
+      const event = { type: "update_settings", data: { max_agent_hops: value } };
+      try {
+        await sendWsEvent(base, sessionToken, event);
+        live = true;
+      } catch (err) {
+        if (err && err.code === "EAGENTCHATTR_401") {
+          console.warn(`[loop-guard] ws auth failed for ${projectId}, re-syncing session token and retrying...`);
+          try { await syncChattrToken(projectId); }
+          catch (syncErr) { console.warn(`[loop-guard] syncChattrToken failed: ${syncErr.message}`); }
+          const { token: refreshed } = getChattrConfig(projectId);
+          if (refreshed && refreshed !== sessionToken) {
+            try {
+              await sendWsEvent(base, refreshed, event);
+              live = true;
+            } catch (retryErr) {
+              console.warn(`[loop-guard] retry after token resync failed: ${retryErr.message || retryErr}`);
+            }
+          }
+        } else {
+          throw err;
+        }
+      }
+    }
+  } catch (err) {
+    console.warn(`[loop-guard] live update failed for ${projectId}: ${err.message || err}`);
+  }
+
+  res.json({ ok: true, value, live });
+});
+
+// #412 / quadwork#279: project history export + import.
+//
+// Export proxies AC's /api/messages for the project channel and
+// wraps the array in a small metadata envelope so future imports
+// can warn on project-id mismatch and so a future schema bump can
+// be detected client-side.
+//
+// Import accepts the same envelope, validates the shape + size,
+// and replays each message back into the project's AgentChattr
+// instance via sendViaWebSocket — preserving the original sender
+// field for cross-tool consistency. Originals' message IDs are NOT
+// preserved (AC re-assigns on insert), which is a known v1 limit
+// and matches the issue's "AgentChattr will tell us" note.
+
+const PROJECT_HISTORY_VERSION = 1;
+const PROJECT_HISTORY_MAX_BYTES = 10 * 1024 * 1024; // 10 MB cap per issue
+const PROJECT_HISTORY_REPLAY_DELAY_MS = 25; // pace AC ws inserts
+
+// #414 / quadwork#297: reject imports whose messages claim a
+// reserved agent / system sender by default. This closes the only
+// path in QuadWork that lets a client-supplied sender reach AC
+// (every other route hardcodes / sanitizes to operator). Mirrors
+// the RESERVED_OPERATOR_NAMES denylist from sanitizeOperatorName so
+// the same identities are blocked across the codebase.
+const RESERVED_HISTORY_SENDERS = new Set([
+  "head",
+  "dev",
+  "reviewer1",
+  "reviewer2",
+  "t1",
+  "t2a",
+  "t2b",
+  "t3",
+  "system",
+]);
+
+router.get("/api/project-history", async (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const { url: base, token: sessionToken } = getChattrConfig(projectId);
+  if (!base) return res.status(400).json({ error: "No AgentChattr configured for project" });
+  try {
+    // AC's /api/messages accepts a bearer token in the Authorization
+    // header; the session token is what the chat panel already uses.
+    const target = `${base}/api/messages?channel=general&limit=100000`;
+    const r = await fetch(target, {
+      headers: sessionToken ? { Authorization: `Bearer ${sessionToken}` } : {},
+      // Cap the AC fetch at 30s so a hung daemon doesn't park the
+      // export request indefinitely.
+      signal: AbortSignal.timeout(30000),
+    });
+    if (!r.ok) {
+      const detail = await r.text().catch(() => "");
+      return res.status(502).json({ error: `AgentChattr /api/messages returned ${r.status}`, detail: detail.slice(0, 200) });
+    }
+    const raw = await r.json();
+    // AC returns either a bare array or { messages: [...] } depending
+    // on version — handle both.
+    const messages = Array.isArray(raw) ? raw : Array.isArray(raw && raw.messages) ? raw.messages : [];
+    res.json({
+      version: PROJECT_HISTORY_VERSION,
+      project_id: projectId,
+      exported_at: new Date().toISOString(),
+      message_count: messages.length,
+      messages,
+    });
+  } catch (err) {
+    res.status(502).json({ error: "Project history export failed", detail: err.message || String(err) });
+  }
+});
+
+// Global express.json() in server/index.js is bumped to 10mb to
+// cover this route — see the comment there. The route handler still
+// double-checks the byte size of the parsed body below as a defense
+// in depth (e.g. if a future change scopes the global parser back
+// down without updating this comment).
+router.post("/api/project-history", async (req, res) => {
+  const projectId = req.query.project || req.body?.project_id;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+
+  const body = req.body;
+  if (!body || typeof body !== "object") {
+    return res.status(400).json({ error: "Invalid JSON body" });
+  }
+  // Body size guard — express.json() respects its own limit too,
+  // but stamp the explicit cap from the issue here so the error
+  // message is operator-readable.
+  try {
+    const approxBytes = Buffer.byteLength(JSON.stringify(body));
+    if (approxBytes > PROJECT_HISTORY_MAX_BYTES) {
+      return res.status(413).json({ error: `History file too large (${approxBytes} bytes; limit ${PROJECT_HISTORY_MAX_BYTES})` });
+    }
+  } catch {
+    // JSON.stringify circular — already invalid, fall through
+  }
+
+  if (!Array.isArray(body.messages)) {
+    return res.status(400).json({ error: "Missing or invalid 'messages' array" });
+  }
+  if (body.version && body.version !== PROJECT_HISTORY_VERSION) {
+    return res.status(400).json({ error: `Unsupported export version ${body.version} (expected ${PROJECT_HISTORY_VERSION})` });
+  }
+  // Soft project-id mismatch warning. The client UI should confirm
+  // before POSTing when the IDs differ; if it didn't (e.g. curl),
+  // require an explicit override flag so we can't silently merge
+  // foreign chat into the wrong project.
+  if (body.project_id && body.project_id !== projectId && body.allow_project_mismatch !== true) {
+    return res.status(409).json({
+      error: `Project mismatch: file is from '${body.project_id}', target is '${projectId}'. Resend with allow_project_mismatch=true to override.`,
+    });
+  }
+
+  // #414 / quadwork#297 — Issue 1: agent/system sender denylist.
+  // Pre-scan the messages array; if any line claims a reserved
+  // identity, reject the entire import unless the operator opted
+  // in via allow_agent_senders=true. Default-safe so a leaked or
+  // crafted export file can't post as Head from the dashboard.
+  if (body.allow_agent_senders !== true) {
+    const offenders = new Set();
+    for (const m of body.messages) {
+      if (m && typeof m === "object" && typeof m.sender === "string") {
+        if (RESERVED_HISTORY_SENDERS.has(m.sender.toLowerCase())) {
+          offenders.add(m.sender);
+          if (offenders.size >= 5) break;
+        }
+      }
+    }
+    if (offenders.size > 0) {
+      return res.status(400).json({
+        error: `Import contains messages attributed to reserved agent/system identities: ${[...offenders].join(", ")}. Resend with allow_agent_senders=true to override (e.g. legitimate disaster-recovery restore).`,
+      });
+    }
+  }
+
+  // #414 / quadwork#297 — Issue 2: duplicate import detection.
+  // Persist the most recent imported `exported_at` on the project
+  // entry in config.json. If the file's marker matches, refuse the
+  // import unless allow_duplicate=true. Re-importing the same file
+  // would otherwise replay every message a second time and double
+  // the chat history.
+  const cfg = readConfigFile();
+  const project = cfg.projects?.find((p) => p.id === projectId);
+  const incomingExportedAt = typeof body.exported_at === "string" ? body.exported_at : null;
+  if (body.allow_duplicate !== true && project && incomingExportedAt) {
+    if (project.history_last_imported_at === incomingExportedAt) {
+      return res.status(409).json({
+        error: `This export was already imported (exported_at=${incomingExportedAt}). Resend with allow_duplicate=true to import again.`,
+      });
+    }
+  }
+
+  const { url: base, token: sessionToken } = getChattrConfig(projectId);
+  if (!base) return res.status(400).json({ error: "No AgentChattr configured for project" });
+
+  // Replay each message via the existing ws send helper. Preserve
+  // the original sender so the imported transcript still attributes
+  // each line correctly. Pace the writes so AC's ws handler isn't
+  // overloaded on a multi-thousand-message import.
+  //
+  // SECURITY NOTE: This deliberately bypasses /api/chat's #230/#288
+  // sanitize-as-user lockdown — the imported sender field is sent
+  // straight to AC's ws, so a crafted import file CAN post as
+  // `head` / `dev` / etc. That's intentional: imports must round-
+  // trip the original attribution to be useful (otherwise every
+  // restored message would say `user` and the transcript would be
+  // worthless). The trade-off is acceptable because the only entry
+  // point is an authenticated dashboard operator picking a file by
+  // hand and clicking through the project-mismatch confirm. Don't
+  // expose this route from a less-trusted surface without revisiting.
+  let imported = 0;
+  let skipped = 0;
+  const errors = [];
+  for (const m of body.messages) {
+    if (!m || typeof m !== "object" || typeof m.text !== "string" || !m.text) {
+      skipped++;
+      continue;
+    }
+    const msg = {
+      text: m.text,
+      channel: typeof m.channel === "string" && m.channel ? m.channel : "general",
+      sender: typeof m.sender === "string" && m.sender ? m.sender : "user",
+    };
+    try {
+      await sendViaWebSocket(base, sessionToken, msg);
+      imported++;
+    } catch (err) {
+      errors.push(`#${m.id ?? "?"}: ${err.message || String(err)}`);
+      // Stop on the first error to avoid spamming AC if its ws is down.
+      if (errors.length > 5) break;
+    }
+    // Tiny delay between sends — AC's ws handler can keep up but
+    // 10k messages back-to-back hit the recv buffer hard.
+    if (PROJECT_HISTORY_REPLAY_DELAY_MS > 0) {
+      await new Promise((r) => setTimeout(r, PROJECT_HISTORY_REPLAY_DELAY_MS));
+    }
+  }
+  // #414 / quadwork#297 — Issue 2: stamp the import marker on the
+  // project so a re-import of the same file is caught next time.
+  // Only update on a successful (no errors) replay so a half-broken
+  // import can be retried without the duplicate guard tripping.
+  if (incomingExportedAt && errors.length === 0 && project) {
+    project.history_last_imported_at = incomingExportedAt;
+    try { writeConfigFile(cfg); }
+    catch (err) { console.warn(`[history] failed to persist history_last_imported_at: ${err.message || err}`); }
+  }
+
+  res.json({ ok: errors.length === 0, imported, skipped, total: body.messages.length, errors });
+});
+
 router.post("/api/chat", async (req, res) => {
   const projectId = req.query.project || req.body.project;
   const { url: base, token: sessionToken } = getChattrConfig(projectId);
@@ -181,15 +539,38 @@ router.post("/api/chat", async (req, res) => {
 
   // #230: ignore any client-supplied sender. /api/chat is the
   // dashboard's send path, so the message must always be attributed
-  // to "user". Forwarding `req.body.sender` would let any caller
-  // hitting QuadWork's /api/chat impersonate an agent identity (t1,
-  // t3, …) over the AgentChattr ws path, which the old /api/send
-  // flow could not do.
+  // to a server-controlled value. Forwarding `req.body.sender` would
+  // let any caller hitting QuadWork's /api/chat impersonate an agent
+  // identity (t1, t3, …) over the AgentChattr ws path, which the
+  // old /api/send flow could not do.
+  //
+  // #405 / quadwork#278: read the operator's display name from the
+  // server-side config file rather than hardcoding "user". The
+  // sanitizer matches AC's registry name validator (1–32 alnum +
+  // dash + underscore) so even a hand-edited config can't post a
+  // value AC will reject (or impersonate an agent), and an empty /
+  // missing value falls back to "user".
+  let operatorSender = "user";
+  try {
+    const cfg = readConfigFile();
+    operatorSender = sanitizeOperatorName(cfg.operator_name);
+  } catch {
+    // non-fatal — fall through to "user"
+  }
+  // #397 / quadwork#262: pass reply_to through to AgentChattr so the
+  // dashboard's reply button mirrors AC's native threaded-reply
+  // behavior. Only forward when it's a real positive integer — guards
+  // against arbitrary client payloads.
+  const replyToRaw = req.body?.reply_to;
+  const replyTo = (typeof replyToRaw === "number" && Number.isInteger(replyToRaw) && replyToRaw > 0)
+    ? replyToRaw
+    : null;
   const message = {
     text: typeof req.body?.text === "string" ? req.body.text : "",
     channel: req.body?.channel || "general",
-    sender: "user",
+    sender: operatorSender,
     attachments: Array.isArray(req.body?.attachments) ? req.body.attachments : [],
+    ...(replyTo !== null ? { reply_to: replyTo } : {}),
   };
   if (!message.text && message.attachments.length === 0) {
     return res.status(400).json({ error: "text or attachments required" });
@@ -378,6 +759,362 @@ router.get("/api/github/prs", (req, res) => {
   }
 });
 
+// #411 / quadwork#281: recently closed issues + merged PRs for the
+// "Recently closed" / "Recently merged" sub-sections under each
+// list in GitHubPanel. Limit 5 items each, ordered by closedAt
+// descending so the freshest activity sits at the top.
+// gh CLI's default ordering for `issue list --state closed` and
+// `pr list --state merged` is createdAt-desc, not closedAt/mergedAt-desc,
+// so a stale-but-recently-closed item can sit below a fresh-but-
+// older one. We pull a wider window and re-sort by close/merge time
+// before truncating to 5 to honor #281's "newest first" requirement.
+const RECENT_FETCH_LIMIT = 20;
+const RECENT_DISPLAY_LIMIT = 5;
+
+router.get("/api/github/closed-issues", (req, res) => {
+  const repo = getRepo(req.query.project || "");
+  if (!repo) return res.status(400).json({ error: "No repo configured for project" });
+  try {
+    const out = execFileSync(
+      "gh",
+      ["issue", "list", "-R", repo, "--state", "closed", "--json", "number,title,state,url,closedAt", "--limit", String(RECENT_FETCH_LIMIT)],
+      { encoding: "utf-8", timeout: 15000 },
+    );
+    const items = JSON.parse(out);
+    const sorted = Array.isArray(items)
+      ? items
+          .slice()
+          .sort((a, b) => {
+            const ta = a && a.closedAt ? Date.parse(a.closedAt) : 0;
+            const tb = b && b.closedAt ? Date.parse(b.closedAt) : 0;
+            return tb - ta;
+          })
+          .slice(0, RECENT_DISPLAY_LIMIT)
+      : items;
+    res.json(sorted);
+  } catch (err) {
+    res.status(502).json({ error: "gh issue list (closed) failed", detail: err.message });
+  }
+});
+
+router.get("/api/github/merged-prs", (req, res) => {
+  const repo = getRepo(req.query.project || "");
+  if (!repo) return res.status(400).json({ error: "No repo configured for project" });
+  try {
+    // gh pr list with `--state merged` filters server-side so we
+    // don't have to pull every closed PR and discard the un-merged
+    // ones (closed-without-merge). Same fetch-wider-then-sort
+    // strategy as closed-issues so the newest merge always wins.
+    const out = execFileSync(
+      "gh",
+      ["pr", "list", "-R", repo, "--state", "merged", "--json", "number,title,state,url,mergedAt,author", "--limit", String(RECENT_FETCH_LIMIT)],
+      { encoding: "utf-8", timeout: 15000 },
+    );
+    const items = JSON.parse(out);
+    const sorted = Array.isArray(items)
+      ? items
+          .slice()
+          .sort((a, b) => {
+            const ta = a && a.mergedAt ? Date.parse(a.mergedAt) : 0;
+            const tb = b && b.mergedAt ? Date.parse(b.mergedAt) : 0;
+            return tb - ta;
+          })
+          .slice(0, RECENT_DISPLAY_LIMIT)
+      : items;
+    res.json(sorted);
+  } catch (err) {
+    res.status(502).json({ error: "gh pr list (merged) failed", detail: err.message });
+  }
+});
+
+// #413 / quadwork#282: Current Batch Progress panel.
+//
+// Reads ~/.quadwork/{project}/OVERNIGHT-QUEUE.md, parses the
+// `## Active Batch` section for `Batch: N` + issue numbers, and
+// resolves each issue against GitHub (state + linked PR + review
+// counts) to compute a progress state. The 5 progress buckets are
+// deterministic from issue/PR state — no agent inference.
+//
+// Progress mapping (from upstream issue):
+//   queued    0%   issue exists, no linked PR
+//   in_review 20%  PR open, 0 approvals
+//   approved1 50%  PR open, 1 approval
+//   ready     80%  PR open, 2+ approvals
+//   merged   100%  PR merged AND issue closed
+//
+// Cached for 10s per project to avoid hammering gh on every poll.
+
+const _batchProgressCache = new Map(); // projectId -> { ts, data }
+const BATCH_PROGRESS_TTL_MS = 10000;
+
+function parseActiveBatch(queueText) {
+  if (typeof queueText !== "string" || !queueText) {
+    return { batchNumber: null, issueNumbers: [] };
+  }
+  // Pull just the Active Batch section so a stray `#123` in Backlog
+  // or Done doesn't leak into the active list.
+  const m = queueText.match(/##\s+Active Batch[\s\S]*?(?=\n##\s|$)/i);
+  if (!m) return { batchNumber: null, issueNumbers: [] };
+  const section = m[0];
+  const batchMatch = section.match(/\*\*Batch:\*\*\s*(\d+)/i) || section.match(/Batch:\s*(\d+)/i);
+  const batchNumber = batchMatch ? parseInt(batchMatch[1], 10) : null;
+  // Only collect issue numbers from lines that look like list-item
+  // entries — i.e. lines whose first content token is either `#N`
+  // or `[#N]` after an optional list marker. This rejects prose
+  // like "Tracking umbrella: #293", "next after #294 merged", and
+  // similar dependency / commentary references that t2a flagged on
+  // realproject7/dropcast's queue.
+  //
+  // Accepted line shapes:
+  //   - #295 sub-A heartbeat
+  //   * #295 sub-A heartbeat
+  //   1. #295 sub-A heartbeat
+  //   #295 sub-A heartbeat
+  //   - [#295] sub-A heartbeat
+  //   [#295] sub-A heartbeat
+  //
+  // Rejected:
+  //   Tracking umbrella: #293
+  //   Assigned next after #294 merged.
+  //   See #295 for context.
+  const ITEM_LINE_RE = /^\s*(?:[-*]\s+|\d+\.\s+)?\[?#(\d{1,6})\]?\b/;
+  const seen = new Set();
+  const issueNumbers = [];
+  for (const line of section.split("\n")) {
+    const lineMatch = line.match(ITEM_LINE_RE);
+    if (!lineMatch) continue;
+    const n = parseInt(lineMatch[1], 10);
+    if (!seen.has(n)) {
+      seen.add(n);
+      issueNumbers.push(n);
+    }
+  }
+  return { batchNumber, issueNumbers };
+}
+
+// #416 / quadwork#299: async variant used by the parallelized batch
+// progress fetcher. Wraps node's execFile in a promise.
+//
+// THROWS on subprocess failure (non-zero exit, timeout, JSON parse,
+// network) so progressForItemAsync can decide which subset of
+// failures should bubble up to the Promise.allSettled "fetch failed"
+// row vs. which should fall through to a softer state. The previous
+// catch-all-and-return-null contract collapsed real subprocess
+// errors into the "not found" branch, making the new failure-row
+// fallback unreachable for genuine command failures (t2a review).
+const { execFile: _execFile } = require("child_process");
+const _execFileAsync = require("util").promisify(_execFile);
+async function ghJsonExecAsync(args) {
+  const { stdout } = await _execFileAsync("gh", args, { encoding: "utf-8", timeout: 10000 });
+  return JSON.parse(stdout);
+}
+
+async function progressForItemAsync(repo, issueNumber) {
+  // Pull issue state + linked PRs in one call. closedByPullRequestsReferences
+  // is gh's serializer for the GraphQL `closedByPullRequestsReferences`
+  // edge — only present when a PR with `Fixes #N` / `Closes #N`
+  // (or the link UI) targets the issue.
+  // Issue fetch is the load-bearing call — if gh can't read the
+  // issue at all (404, network, auth, timeout) we can't compute a
+  // meaningful progress row. Let the rejection propagate to the
+  // route's Promise.allSettled so the operator sees a single
+  // "fetch failed" row instead of a misleading "queued" entry.
+  const issue = await ghJsonExecAsync([
+    "issue",
+    "view",
+    String(issueNumber),
+    "-R",
+    repo,
+    "--json",
+    "number,title,state,url,closedByPullRequestsReferences",
+  ]);
+  const linked = Array.isArray(issue.closedByPullRequestsReferences)
+    ? issue.closedByPullRequestsReferences
+    : [];
+  // Pick the freshest linked PR (highest number) if there are multiple.
+  const pr = linked.length > 0
+    ? linked.slice().sort((a, b) => (b.number || 0) - (a.number || 0))[0]
+    : null;
+  // No linked PR yet — queued.
+  if (!pr) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: issue.url,
+      status: "queued",
+      progress: 0,
+      label: "Issue · queued",
+    };
+  }
+  // Re-fetch the PR to get reviewDecision + reviews + state, since
+  // the issue's closedByPullRequestsReferences edge only carries
+  // number/state/url. The PR fetch is intentionally soft: if gh
+  // glitches on this single call we still know the PR exists (we
+  // got the link from the issue) and can render a partial
+  // "in_review" row, which is more useful than dropping the whole
+  // item to "fetch failed". A persistent failure here will still
+  // surface on the next cache miss because the issue fetch above
+  // is the load-bearing one that controls the per-item rejection.
+  let prData = null;
+  try {
+    prData = await ghJsonExecAsync([
+      "pr",
+      "view",
+      String(pr.number),
+      "-R",
+      repo,
+      "--json",
+      "number,state,url,reviewDecision,reviews",
+    ]);
+  } catch {
+    // soft fall-through to the in_review row below
+  }
+  if (!prData) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: pr.url || issue.url,
+      pr_number: pr.number,
+      status: "in_review",
+      progress: 20,
+      label: `PR #${pr.number} · waiting on review`,
+    };
+  }
+  const merged = prData.state === "MERGED" && issue.state === "CLOSED";
+  if (merged) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: prData.url || issue.url,
+      pr_number: prData.number,
+      status: "merged",
+      progress: 100,
+      label: "Merged ✓",
+    };
+  }
+  // Count distinct APPROVED reviews per author so a stale APPROVED
+  // followed by REQUEST_CHANGES doesn't double-count. Sort by
+  // submittedAt ascending first so the Map's "last write wins"
+  // genuinely lands on the freshest review per author — gh's
+  // current ordering is chronological in practice but undocumented,
+  // so the explicit sort keeps us safe if that ever changes.
+  const reviews = Array.isArray(prData.reviews) ? prData.reviews.slice() : [];
+  reviews.sort((a, b) => {
+    const ta = (a && a.submittedAt) ? Date.parse(a.submittedAt) : 0;
+    const tb = (b && b.submittedAt) ? Date.parse(b.submittedAt) : 0;
+    return ta - tb;
+  });
+  const latestByAuthor = new Map();
+  for (const r of reviews) {
+    const author = (r && r.author && r.author.login) || "";
+    if (!author) continue;
+    latestByAuthor.set(author, r.state);
+  }
+  let approvalCount = 0;
+  for (const state of latestByAuthor.values()) {
+    if (state === "APPROVED") approvalCount++;
+  }
+  if (approvalCount >= 2) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: prData.url || issue.url,
+      pr_number: prData.number,
+      status: "ready",
+      progress: 80,
+      label: `PR #${prData.number} · 2 approvals · ready`,
+    };
+  }
+  if (approvalCount === 1) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: prData.url || issue.url,
+      pr_number: prData.number,
+      status: "approved1",
+      progress: 50,
+      label: `PR #${prData.number} · 1 approval`,
+    };
+  }
+  return {
+    issue_number: issue.number,
+    title: issue.title,
+    url: prData.url || issue.url,
+    pr_number: prData.number,
+    status: "in_review",
+    progress: 20,
+    label: `PR #${prData.number} · waiting on review`,
+  };
+}
+
+function summarizeItems(items) {
+  let merged = 0, ready = 0, approved1 = 0, inReview = 0, queued = 0;
+  for (const it of items) {
+    if (it.status === "merged") merged++;
+    else if (it.status === "ready") ready++;
+    else if (it.status === "approved1") approved1++;
+    else if (it.status === "in_review") inReview++;
+    else if (it.status === "queued") queued++;
+  }
+  const parts = [`${merged}/${items.length} merged`];
+  if (ready > 0) parts.push(`${ready} ready to merge`);
+  if (approved1 > 0) parts.push(`${approved1} needs 2nd approval`);
+  if (inReview > 0) parts.push(`${inReview} in review`);
+  if (queued > 0) parts.push(`${queued} queued`);
+  return parts.join(" · ");
+}
+
+router.get("/api/batch-progress", async (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+
+  const cached = _batchProgressCache.get(projectId);
+  if (cached && Date.now() - cached.ts < BATCH_PROGRESS_TTL_MS) {
+    return res.json(cached.data);
+  }
+
+  const repo = getRepo(projectId);
+  if (!repo) return res.status(400).json({ error: "No repo configured for project" });
+
+  const queuePath = path.join(CONFIG_DIR, projectId, "OVERNIGHT-QUEUE.md");
+  let queueText = "";
+  try { queueText = fs.readFileSync(queuePath, "utf-8"); }
+  catch { /* missing file → empty active batch */ }
+
+  const { batchNumber, issueNumbers } = parseActiveBatch(queueText);
+  if (issueNumbers.length === 0) {
+    const data = { batch_number: batchNumber, items: [], summary: "", complete: false };
+    _batchProgressCache.set(projectId, { ts: Date.now(), data });
+    return res.json(data);
+  }
+
+  // #416 / quadwork#299: parallelize the per-item gh fetches.
+  // Sequential execFileSync was costing ~10s on a cold cache for a
+  // 5-item batch (2 gh calls per item, ~1s each); Promise.allSettled
+  // over progressForItemAsync drops that to roughly the time of the
+  // slowest single item-pair (~2s). One failed item resolves with a
+  // synthetic "unknown" row instead of failing the whole response.
+  const settled = await Promise.allSettled(
+    issueNumbers.map((n) => progressForItemAsync(repo, n)),
+  );
+  const items = settled.map((r, i) => {
+    if (r.status === "fulfilled") return r.value;
+    return {
+      issue_number: issueNumbers[i],
+      title: `#${issueNumbers[i]} (fetch failed)`,
+      url: null,
+      status: "unknown",
+      progress: 0,
+      label: "fetch failed",
+    };
+  });
+  const summary = summarizeItems(items);
+  const complete = items.length > 0 && items.every((it) => it.status === "merged");
+  const data = { batch_number: batchNumber, items, summary, complete };
+  _batchProgressCache.set(projectId, { ts: Date.now(), data });
+  res.json(data);
+});
+
 // ─── Memory ────────────────────────────────────────────────────────────────
 
 function getProject(projectId) {
@@ -830,6 +1567,11 @@ router.post("/api/setup", (req, res) => {
         const wtDir = path.join(parentDir, `${dirName}-${agent}`);
         content += `[agents.${agent}]\ncommand = "${(backends && backends[agent]) || "claude"}"\ncwd = "${wtDir}"\ncolor = "${colors[i]}"\nlabel = "${agent.charAt(0).toUpperCase() + agent.slice(1)} ${labels[i]}"\nmcp_inject = "flag"\n\n`;
       });
+      // #403 / quadwork#274: raise the loop guard from AC's default
+      // of 4 to 30 so autonomous PR review cycles (head→dev→re1+re2→
+      // dev→head, ~5 hops) don't fire mid-batch and force the
+      // operator to type /continue. AC clamps to [1, 50] internally.
+      content += `[routing]\ndefault = "none"\nmax_agent_hops = 30\n\n`;
       content += `[mcp]\nhttp_port = ${mcp_http}\nsse_port = ${mcp_sse}\n`;
       fs.writeFileSync(tomlPath, content);