quadwork 1.2.5 → 1.4.0

package/server/routes.js

@@ -43,7 +43,17 @@ function writeConfigFile(cfg) {
 router.get("/api/config", (_req, res) => {
   try {
     const raw = fs.readFileSync(CONFIG_PATH, "utf-8");
-    res.json(JSON.parse(raw));
+    const parsed = JSON.parse(raw);
+    // #409 / quadwork#273: overlay the sanitized operator_name so
+    // the chat panel's self-message filter compares against the same
+    // sender /api/chat actually stamps. The on-disk file keeps the
+    // raw value the operator typed (so a future feature can show
+    // both raw + effective), but every reader sees the effective
+    // value here — including SettingsPage, which now reflects what
+    // chat actually sends. This also makes a hand-edited file with
+    // garbage characters self-correct visibly on next reload.
+    parsed.operator_name = sanitizeOperatorName(parsed.operator_name);
+    res.json(parsed);
   } catch (err) {
     if (err.code === "ENOENT") return res.json(DEFAULT_CONFIG);
     res.status(500).json({ error: "Failed to read config", detail: err.message });
@@ -68,7 +78,7 @@ router.put("/api/config", (req, res) => {
 
 // ─── Chat (AgentChattr proxy) ──────────────────────────────────────────────
 
-const { resolveProjectChattr } = require("./config");
+const { resolveProjectChattr, sanitizeOperatorName } = require("./config");
 const { installAgentChattr, findAgentChattr } = require("./install-agentchattr");
 
 /**
@@ -174,6 +184,636 @@ function sendViaWebSocket(baseUrl, sessionToken, message) {
   });
 }
 
+/**
+ * #403 / quadwork#274: send an arbitrary AC ws event (not a chat
+ * message). Used for `update_settings` so the loop guard widget can
+ * push the new max_agent_hops to the running AgentChattr without a
+ * full restart. Mirrors sendViaWebSocket but lets the caller pick
+ * the event type.
+ */
+function sendWsEvent(baseUrl, sessionToken, event) {
+  return new Promise((resolve, reject) => {
+    const wsUrl = `${baseUrl.replace(/^http/, "ws")}/ws?token=${encodeURIComponent(sessionToken || "")}`;
+    const ws = new NodeWebSocket(wsUrl);
+    let settled = false;
+    const finish = (err, value) => {
+      if (settled) return;
+      settled = true;
+      try { ws.close(); } catch {}
+      if (err) reject(err); else resolve(value);
+    };
+    const giveUp = setTimeout(() => finish(new Error("websocket send timeout")), 4000);
+    ws.on("open", () => {
+      try {
+        ws.send(JSON.stringify(event));
+        setTimeout(() => { clearTimeout(giveUp); finish(null, { ok: true }); }, 250);
+      } catch (err) { clearTimeout(giveUp); finish(err); }
+    });
+    ws.on("error", (err) => { clearTimeout(giveUp); finish(err); });
+    ws.on("close", (code, reason) => {
+      if (!settled && code === 4003) {
+        clearTimeout(giveUp);
+        const msg = (reason && reason.toString()) || "forbidden: invalid session token";
+        const e = new Error(msg);
+        e.code = "EAGENTCHATTR_401";
+        finish(e);
+      }
+    });
+  });
+}
+
+// #403 / quadwork#274: read/write the loop guard for a given project.
+// Source of truth at rest is the project's config.toml [routing]
+// max_agent_hops. The PUT also pushes the value to the running AC via
+// `update_settings` so the change is live without a daemon restart.
+// Resolve the per-project config.toml path through resolveProjectChattr
+// so we honor `project.agentchattr_dir` (web wizard sets this; legacy
+// imports can have arbitrary paths) and don't drift from the rest of
+// the codebase that already goes through that helper.
+function resolveProjectConfigToml(projectId) {
+  const resolved = resolveProjectChattr(projectId);
+  if (!resolved || !resolved.dir) return null;
+  return path.join(resolved.dir, "config.toml");
+}
+
+router.get("/api/loop-guard", (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const tomlPath = resolveProjectConfigToml(projectId);
+  if (!tomlPath || !fs.existsSync(tomlPath)) return res.json({ value: 30, source: "default" });
+  try {
+    const content = fs.readFileSync(tomlPath, "utf-8");
+    const m = content.match(/^\s*max_agent_hops\s*=\s*(\d+)/m);
+    const value = m ? parseInt(m[1], 10) : 30;
+    res.json({ value, source: m ? "toml" : "default" });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to read config.toml", detail: err.message });
+  }
+});
+
+router.put("/api/loop-guard", async (req, res) => {
+  const projectId = req.query.project || req.body?.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const raw = req.body?.value;
+  const value = typeof raw === "number" ? raw : parseInt(raw, 10);
+  // AC's update_settings handler clamps to [1, 50]; mirror that
+  // here so we don't write a value AC will silently rewrite.
+  if (!Number.isInteger(value) || value < 4 || value > 50) {
+    return res.status(400).json({ error: "value must be an integer between 4 and 50" });
+  }
+
+  // 1. Persist to config.toml so the next restart picks it up.
+  const tomlPath = resolveProjectConfigToml(projectId);
+  if (!tomlPath || !fs.existsSync(tomlPath)) {
+    return res.status(404).json({ error: "config.toml not found for project" });
+  }
+  // Capture the previous value before rewriting so we can decide
+  // whether the /continue auto-resume should fire (only when the
+  // operator is RAISING the limit — lowering it means they want
+  // the runaway loop to stay paused).
+  let previousValue = null;
+  try {
+    const previousContent = fs.readFileSync(tomlPath, "utf-8");
+    const prevMatch = previousContent.match(/^\s*max_agent_hops\s*=\s*(\d+)/m);
+    if (prevMatch) previousValue = parseInt(prevMatch[1], 10);
+  } catch {
+    // fall through — previousValue stays null, auto-resume will skip
+  }
+  try {
+    let content = fs.readFileSync(tomlPath, "utf-8");
+    if (/^\s*max_agent_hops\s*=/m.test(content)) {
+      content = content.replace(/^\s*max_agent_hops\s*=.*$/m, `max_agent_hops = ${value}`);
+    } else if (/^\s*\[routing\]/m.test(content)) {
+      // Section exists but the key doesn't — append the key on the
+      // line right after the [routing] header to keep it scoped.
+      content = content.replace(/^(\s*\[routing\]\s*\n)/m, `$1max_agent_hops = ${value}\n`);
+    } else {
+      const trailing = content.endsWith("\n") ? "" : "\n";
+      content += `${trailing}\n[routing]\ndefault = "none"\nmax_agent_hops = ${value}\n`;
+    }
+    fs.writeFileSync(tomlPath, content);
+  } catch (err) {
+    return res.status(500).json({ error: "Failed to write config.toml", detail: err.message });
+  }
+
+  // 2. Best-effort push to the running AC so the change is live.
+  // On stale-token (4003 → EAGENTCHATTR_401) recover the same way
+  // /api/chat does (#230): re-sync the session token from AC and
+  // retry once. Other failures stay non-fatal — the persisted value
+  // still takes effect on next AC restart.
+  //
+  // #417 / quadwork#309: the update_settings ws event correctly
+  // updates router.max_hops in the running AC (verified in AC's
+  // app.py:1249), AND writes settings.json via _save_settings. But
+  // AC's router stays paused once it has tripped the guard — raising
+  // max_hops at runtime does NOT resurrect an already-paused channel
+  // (router.py:76-77 → `paused = True`). The operator typically
+  // raises the limit precisely BECAUSE the channel is stuck paused,
+  // so we immediately follow the update_settings event with a
+  // `/continue` chat message (the same path AC's own slash command
+  // handler uses at app.py:1106-1110) to resume routing. This is the
+  // whole fix: the previous version updated max_hops live but left
+  // the channel frozen, which made the widget look like a no-op.
+  let live = false;
+  let autoResumed = false;
+  // Only auto-resume when ALL of:
+  //   (a) operator is RAISING the limit (lowering = "make it
+  //       stricter", must leave a paused runaway alone)
+  //   (b) the router is currently paused (AC's continue_routing
+  //       resets hop_count + paused + guard_emitted unconditionally,
+  //       so firing it on an actively-running chain would silently
+  //       extend the chain beyond the new limit — t2a finding)
+  //   (c) previousValue is known (null means we can't prove it's a
+  //       raise, so err on the side of not touching router state)
+  const isRaising = previousValue !== null && value > previousValue;
+  const ensureLive = async (sessionToken) => {
+    await sendWsEvent(base, sessionToken, { type: "update_settings", data: { max_agent_hops: value } });
+    if (isRaising) {
+      // Check AC's /api/status before firing /continue so we don't
+      // reset hop_count on a running (unpaused) chain. The endpoint
+      // exposes `paused: true` iff ANY channel currently paused.
+      let isPaused = false;
+      try {
+        // AC's security middleware (app.py:212-224) only accepts
+        // bearer auth for /api/messages, /api/send, and /api/rules/*.
+        // /api/status requires x-session-token header (or ?token=),
+        // so pass that instead — a bearer header silently 403s and
+        // leaves isPaused stuck at false, defeating the gate.
+        const statusUrl = `${base}/api/status`;
+        const statusRes = await fetch(statusUrl, {
+          headers: sessionToken ? { "x-session-token": sessionToken } : {},
+          signal: AbortSignal.timeout(5000),
+        });
+        if (statusRes.ok) {
+          const statusJson = await statusRes.json();
+          isPaused = !!(statusJson && statusJson.paused);
+        }
+      } catch {
+        // Status fetch failed — err toward "don't auto-resume". The
+        // operator can always type /continue manually.
+      }
+      if (isPaused) {
+        // Resume paused channels. /continue is routed by AC's ws
+        // message handler when the buffer starts with /continue;
+        // the handler calls router.continue_routing() which
+        // unpauses AND resets hop_count — which is why we gate on
+        // isPaused to avoid wiping the counter on a live chain.
+        await sendWsEvent(base, sessionToken, { type: "message", text: "/continue", channel: "general", sender: "user" });
+        autoResumed = true;
+      }
+    }
+    live = true;
+  };
+  let base = null;
+  try {
+    const chattr = getChattrConfig(projectId);
+    base = chattr.url;
+    const sessionToken = chattr.token;
+    if (base) {
+      try {
+        await ensureLive(sessionToken);
+      } catch (err) {
+        if (err && err.code === "EAGENTCHATTR_401") {
+          console.warn(`[loop-guard] ws auth failed for ${projectId}, re-syncing session token and retrying...`);
+          try { await syncChattrToken(projectId); }
+          catch (syncErr) { console.warn(`[loop-guard] syncChattrToken failed: ${syncErr.message}`); }
+          const { token: refreshed } = getChattrConfig(projectId);
+          if (refreshed && refreshed !== sessionToken) {
+            try {
+              await ensureLive(refreshed);
+            } catch (retryErr) {
+              console.warn(`[loop-guard] retry after token resync failed: ${retryErr.message || retryErr}`);
+            }
+          }
+        } else {
+          throw err;
+        }
+      }
+    }
+  } catch (err) {
+    console.warn(`[loop-guard] live update failed for ${projectId}: ${err.message || err}`);
+  }
+
+  res.json({ ok: true, value, live, previousValue, resumed: autoResumed });
+});
+
+// #412 / quadwork#279: project history export + import.
+//
+// Export proxies AC's /api/messages for the project channel and
+// wraps the array in a small metadata envelope so future imports
+// can warn on project-id mismatch and so a future schema bump can
+// be detected client-side.
+//
+// Import accepts the same envelope, validates the shape + size,
+// and replays each message back into the project's AgentChattr
+// instance via sendViaWebSocket — preserving the original sender
+// field for cross-tool consistency. Originals' message IDs are NOT
+// preserved (AC re-assigns on insert), which is a known v1 limit
+// and matches the issue's "AgentChattr will tell us" note.
+
+const PROJECT_HISTORY_VERSION = 1;
+const PROJECT_HISTORY_MAX_BYTES = 10 * 1024 * 1024; // 10 MB cap per issue
+const PROJECT_HISTORY_REPLAY_DELAY_MS = 25; // pace AC ws inserts
+
+// #414 / quadwork#297: reject imports whose messages claim a
+// reserved agent / system sender by default. This closes the only
+// path in QuadWork that lets a client-supplied sender reach AC
+// (every other route hardcodes / sanitizes to operator). Mirrors
+// the RESERVED_OPERATOR_NAMES denylist from sanitizeOperatorName so
+// the same identities are blocked across the codebase.
+const RESERVED_HISTORY_SENDERS = new Set([
+  "head",
+  "dev",
+  "reviewer1",
+  "reviewer2",
+  "t1",
+  "t2a",
+  "t2b",
+  "t3",
+  "system",
+]);
+
+router.get("/api/project-history", async (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const { url: base, token: sessionToken } = getChattrConfig(projectId);
+  if (!base) return res.status(400).json({ error: "No AgentChattr configured for project" });
+  try {
+    // AC's /api/messages accepts a bearer token in the Authorization
+    // header; the session token is what the chat panel already uses.
+    const target = `${base}/api/messages?channel=general&limit=100000`;
+    const r = await fetch(target, {
+      headers: sessionToken ? { Authorization: `Bearer ${sessionToken}` } : {},
+      // Cap the AC fetch at 30s so a hung daemon doesn't park the
+      // export request indefinitely.
+      signal: AbortSignal.timeout(30000),
+    });
+    if (!r.ok) {
+      const detail = await r.text().catch(() => "");
+      return res.status(502).json({ error: `AgentChattr /api/messages returned ${r.status}`, detail: detail.slice(0, 200) });
+    }
+    const raw = await r.json();
+    // AC returns either a bare array or { messages: [...] } depending
+    // on version — handle both.
+    const messages = Array.isArray(raw) ? raw : Array.isArray(raw && raw.messages) ? raw.messages : [];
+    res.json({
+      version: PROJECT_HISTORY_VERSION,
+      project_id: projectId,
+      exported_at: new Date().toISOString(),
+      message_count: messages.length,
+      messages,
+    });
+  } catch (err) {
+    res.status(502).json({ error: "Project history export failed", detail: err.message || String(err) });
+  }
+});
+
+// Global express.json() in server/index.js is bumped to 10mb to
+// cover this route — see the comment there. The route handler still
+// double-checks the byte size of the parsed body below as a defense
+// in depth (e.g. if a future change scopes the global parser back
+// down without updating this comment).
+router.post("/api/project-history", async (req, res) => {
+  const projectId = req.query.project || req.body?.project_id;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+
+  const body = req.body;
+  if (!body || typeof body !== "object") {
+    return res.status(400).json({ error: "Invalid JSON body" });
+  }
+  // Body size guard — express.json() respects its own limit too,
+  // but stamp the explicit cap from the issue here so the error
+  // message is operator-readable.
+  try {
+    const approxBytes = Buffer.byteLength(JSON.stringify(body));
+    if (approxBytes > PROJECT_HISTORY_MAX_BYTES) {
+      return res.status(413).json({ error: `History file too large (${approxBytes} bytes; limit ${PROJECT_HISTORY_MAX_BYTES})` });
+    }
+  } catch {
+    // JSON.stringify circular — already invalid, fall through
+  }
+
+  if (!Array.isArray(body.messages)) {
+    return res.status(400).json({ error: "Missing or invalid 'messages' array" });
+  }
+  if (body.version && body.version !== PROJECT_HISTORY_VERSION) {
+    return res.status(400).json({ error: `Unsupported export version ${body.version} (expected ${PROJECT_HISTORY_VERSION})` });
+  }
+  // Soft project-id mismatch warning. The client UI should confirm
+  // before POSTing when the IDs differ; if it didn't (e.g. curl),
+  // require an explicit override flag so we can't silently merge
+  // foreign chat into the wrong project.
+  if (body.project_id && body.project_id !== projectId && body.allow_project_mismatch !== true) {
+    return res.status(409).json({
+      error: `Project mismatch: file is from '${body.project_id}', target is '${projectId}'. Resend with allow_project_mismatch=true to override.`,
+    });
+  }
+
+  // #414 / quadwork#297 — Issue 1: agent/system sender denylist.
+  // Pre-scan the messages array; if any line claims a reserved
+  // identity, reject the entire import unless the operator opted
+  // in via allow_agent_senders=true. Default-safe so a leaked or
+  // crafted export file can't post as Head from the dashboard.
+  if (body.allow_agent_senders !== true) {
+    const offenders = new Set();
+    for (const m of body.messages) {
+      if (m && typeof m === "object" && typeof m.sender === "string") {
+        if (RESERVED_HISTORY_SENDERS.has(m.sender.toLowerCase())) {
+          offenders.add(m.sender);
+          if (offenders.size >= 5) break;
+        }
+      }
+    }
+    if (offenders.size > 0) {
+      return res.status(400).json({
+        error: `Import contains messages attributed to reserved agent/system identities: ${[...offenders].join(", ")}. Resend with allow_agent_senders=true to override (e.g. legitimate disaster-recovery restore).`,
+      });
+    }
+  }
+
+  // #414 / quadwork#297 — Issue 2: duplicate import detection.
+  // Persist the most recent imported `exported_at` on the project
+  // entry in config.json. If the file's marker matches, refuse the
+  // import unless allow_duplicate=true. Re-importing the same file
+  // would otherwise replay every message a second time and double
+  // the chat history.
+  const cfg = readConfigFile();
+  const project = cfg.projects?.find((p) => p.id === projectId);
+  const incomingExportedAt = typeof body.exported_at === "string" ? body.exported_at : null;
+  if (body.allow_duplicate !== true && project && incomingExportedAt) {
+    if (project.history_last_imported_at === incomingExportedAt) {
+      return res.status(409).json({
+        error: `This export was already imported (exported_at=${incomingExportedAt}). Resend with allow_duplicate=true to import again.`,
+      });
+    }
+  }
+
+  const { url: base, token: sessionToken } = getChattrConfig(projectId);
+  if (!base) return res.status(400).json({ error: "No AgentChattr configured for project" });
+
+  // Replay each message via the existing ws send helper. Preserve
+  // the original sender so the imported transcript still attributes
+  // each line correctly. Pace the writes so AC's ws handler isn't
+  // overloaded on a multi-thousand-message import.
+  //
+  // SECURITY NOTE: This deliberately bypasses /api/chat's #230/#288
+  // sanitize-as-user lockdown — the imported sender field is sent
+  // straight to AC's ws, so a crafted import file CAN post as
+  // `head` / `dev` / etc. That's intentional: imports must round-
+  // trip the original attribution to be useful (otherwise every
+  // restored message would say `user` and the transcript would be
+  // worthless). The trade-off is acceptable because the only entry
+  // point is an authenticated dashboard operator picking a file by
+  // hand and clicking through the project-mismatch confirm. Don't
+  // expose this route from a less-trusted surface without revisiting.
+  let imported = 0;
+  let skipped = 0;
+  const errors = [];
+  for (const m of body.messages) {
+    if (!m || typeof m !== "object" || typeof m.text !== "string" || !m.text) {
+      skipped++;
+      continue;
+    }
+    const msg = {
+      text: m.text,
+      channel: typeof m.channel === "string" && m.channel ? m.channel : "general",
+      sender: typeof m.sender === "string" && m.sender ? m.sender : "user",
+    };
+    try {
+      await sendViaWebSocket(base, sessionToken, msg);
+      imported++;
+    } catch (err) {
+      errors.push(`#${m.id ?? "?"}: ${err.message || String(err)}`);
+      // Stop on the first error to avoid spamming AC if its ws is down.
+      if (errors.length > 5) break;
+    }
+    // Tiny delay between sends — AC's ws handler can keep up but
+    // 10k messages back-to-back hit the recv buffer hard.
+    if (PROJECT_HISTORY_REPLAY_DELAY_MS > 0) {
+      await new Promise((r) => setTimeout(r, PROJECT_HISTORY_REPLAY_DELAY_MS));
+    }
+  }
+  // #414 / quadwork#297 — Issue 2: stamp the import marker on the
+  // project so a re-import of the same file is caught next time.
+  // Only update on a successful (no errors) replay so a half-broken
+  // import can be retried without the duplicate guard tripping.
+  if (incomingExportedAt && errors.length === 0 && project) {
+    project.history_last_imported_at = incomingExportedAt;
+    try { writeConfigFile(cfg); }
+    catch (err) { console.warn(`[history] failed to persist history_last_imported_at: ${err.message || err}`); }
+  }
+
+  res.json({ ok: errors.length === 0, imported, skipped, total: body.messages.length, errors });
+});
+
+// #424 / quadwork#304 Phase 4: list + restore auto-snapshots.
+// snapshotProjectHistory() in server/index.js writes envelope
+// files to ~/.quadwork/{id}/history-snapshots/{ISO}.json before
+// destructive restart/update operations. These endpoints let the
+// Project History widget surface them with a restore button so
+// the operator can roll back a bad /clear or botched update.
+router.get("/api/project-history/snapshots", (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+  const snapDir = path.join(CONFIG_DIR, projectId, "history-snapshots");
+  if (!fs.existsSync(snapDir)) return res.json({ snapshots: [] });
+  try {
+    const entries = fs.readdirSync(snapDir)
+      .filter((f) => f.endsWith(".json"))
+      .map((f) => {
+        const st = fs.statSync(path.join(snapDir, f));
+        return { name: f, size: st.size, mtime: st.mtimeMs };
+      })
+      .sort((a, b) => b.mtime - a.mtime);
+    res.json({ snapshots: entries });
+  } catch (err) {
+    res.status(500).json({ error: "Failed to list snapshots", detail: err.message });
+  }
+});
+
+router.post("/api/project-history/restore", async (req, res) => {
+  const projectId = req.query.project;
+  const name = req.query.name || req.body?.name;
+  if (!projectId || !name) return res.status(400).json({ error: "Missing project or name" });
+  // Prevent path traversal — only allow basenames from the snapshot
+  // directory; reject anything with a separator or ".." segment.
+  if (name !== path.basename(name) || name.includes("..") || !name.endsWith(".json")) {
+    return res.status(400).json({ error: "Invalid snapshot name" });
+  }
+  const snapPath = path.join(CONFIG_DIR, projectId, "history-snapshots", name);
+  if (!fs.existsSync(snapPath)) {
+    return res.status(404).json({ error: "Snapshot not found" });
+  }
+  let body;
+  try {
+    const text = fs.readFileSync(snapPath, "utf-8");
+    body = JSON.parse(text);
+  } catch (err) {
+    return res.status(500).json({ error: "Failed to read snapshot", detail: err.message });
+  }
+  // Post the snapshot back through the existing import endpoint
+  // with both bypass flags — the snapshot contains real agent
+  // senders (so allow_agent_senders) and may match a previous
+  // restore's exported_at (so allow_duplicate). This is the
+  // legitimate disaster-recovery case the #297 denylist expected.
+  try {
+    const cfg = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8"));
+    const qwPort = cfg.port || 8400;
+    const r = await fetch(`http://127.0.0.1:${qwPort}/api/project-history?project=${encodeURIComponent(projectId)}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ ...body, allow_agent_senders: true, allow_duplicate: true }),
+    });
+    const data = await r.json().catch(() => null);
+    if (!r.ok) {
+      return res.status(r.status).json(data || { error: `import returned ${r.status}` });
+    }
+    res.json({ ok: true, ...(data || {}) });
+  } catch (err) {
+    res.status(502).json({ error: "Restore failed", detail: err.message });
+  }
+});
+
+// #430 / quadwork#312: AI team work-hours tracking.
+//
+// The frontend's TerminalGrid detects per-agent activity transitions
+// (idle → active, active → idle) via the existing activity ref and
+// POSTs them to /api/activity/log. We buffer `start` events in
+// memory keyed by `${project}/${agent}`; an `end` event looks up the
+// matching buffered start, computes the duration, and appends a
+// complete session row to ~/.quadwork/{project}/activity.jsonl.
+//
+// /api/activity/stats aggregates across all projects with a 30s
+// cache so the dashboard can poll it every minute without thrashing
+// the filesystem.
+
+const _activityStarts = new Map(); // `${project}/${agent}` → startTimestamp
+const _activityStatsCache = { ts: 0, data: null };
+const ACTIVITY_STATS_TTL_MS = 30000;
+
+function activityLogPath(projectId) {
+  return path.join(CONFIG_DIR, projectId, "activity.jsonl");
+}
+
+router.post("/api/activity/log", (req, res) => {
+  const { project, agent, type, timestamp } = req.body || {};
+  if (typeof project !== "string" || !project) return res.status(400).json({ error: "Missing project" });
+  if (typeof agent !== "string" || !agent) return res.status(400).json({ error: "Missing agent" });
+  if (type !== "start" && type !== "end") return res.status(400).json({ error: "type must be start|end" });
+  const ts = typeof timestamp === "number" && Number.isFinite(timestamp) ? timestamp : Date.now();
+  const key = `${project}/${agent}`;
+
+  if (type === "start") {
+    // Only remember the first start per session — duplicate starts
+    // are possible if the frontend re-mounts mid-stream; ignore
+    // them so the session duration reflects the original onset.
+    if (!_activityStarts.has(key)) _activityStarts.set(key, ts);
+    return res.json({ ok: true });
+  }
+
+  // type === "end"
+  const start = _activityStarts.get(key);
+  if (start === undefined) {
+    // Orphan end (missed start — probably happens on server
+    // restart while a session was live). Drop it silently so we
+    // don't write a row with an unknown start timestamp.
+    return res.json({ ok: true, dropped: "orphan" });
+  }
+  _activityStarts.delete(key);
+  const row = { agent, start, end: ts, duration_ms: Math.max(0, ts - start) };
+  try {
+    const p = activityLogPath(project);
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    fs.appendFileSync(p, JSON.stringify(row) + "\n");
+    // Invalidate the stats cache so the next read sees the new row.
+    _activityStatsCache.ts = 0;
+  } catch (err) {
+    console.warn(`[activity] failed to append ${project}/${agent}: ${err.message || err}`);
+  }
+  res.json({ ok: true, duration_ms: row.duration_ms });
+});
+
+// Aggregate all activity.jsonl files under ~/.quadwork/*/activity.jsonl.
+// `today`, `week`, `month` boundaries use the operator's local
+// timezone rather than UTC — "this week" should mean the week the
+// operator is living in, not a UTC-offset week that starts at
+// 16:00 local time.
+function computeActivityStats() {
+  if (Date.now() - _activityStatsCache.ts < ACTIVITY_STATS_TTL_MS && _activityStatsCache.data) {
+    return _activityStatsCache.data;
+  }
+  const now = new Date();
+  const startOfToday = new Date(now.getFullYear(), now.getMonth(), now.getDate()).getTime();
+  // Start of this week = local Monday 00:00. JS: getDay() → 0-Sun..6-Sat.
+  const day = now.getDay();
+  const mondayOffset = day === 0 ? -6 : 1 - day; // Sun → -6, Mon → 0, Tue → -1, …
+  const startOfWeek = new Date(now.getFullYear(), now.getMonth(), now.getDate() + mondayOffset).getTime();
+  const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1).getTime();
+
+  const totals = { today_ms: 0, week_ms: 0, month_ms: 0, total_ms: 0 };
+  const byProject = {};
+  // #430 / quadwork#312: only count projects registered in
+  // config.json, not every directory under ~/.quadwork/. Stray
+  // folders from deleted / unconfigured projects must not inflate
+  // the stats — that's explicit in #312's acceptance.
+  let projectIds = [];
+  try {
+    const cfg = JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8"));
+    if (Array.isArray(cfg.projects)) {
+      projectIds = cfg.projects.map((p) => p && p.id).filter((id) => typeof id === "string" && id);
+    }
+  } catch {
+    // config unreadable → no projects → empty stats (safe fallback)
+  }
+  for (const projectId of projectIds) {
+    const p = activityLogPath(projectId);
+    if (!fs.existsSync(p)) continue;
+    const projectTotals = { today_ms: 0, week_ms: 0, month_ms: 0, total_ms: 0 };
+    let text;
+    try { text = fs.readFileSync(p, "utf-8"); } catch { continue; }
+    for (const line of text.split("\n")) {
+      if (!line.trim()) continue;
+      let row;
+      try { row = JSON.parse(line); } catch { continue; }
+      const d = row && typeof row.duration_ms === "number" ? row.duration_ms : 0;
+      const start = row && typeof row.start === "number" ? row.start : 0;
+      if (d <= 0 || !start) continue;
+      projectTotals.total_ms += d;
+      if (start >= startOfToday) projectTotals.today_ms += d;
+      if (start >= startOfWeek)  projectTotals.week_ms  += d;
+      if (start >= startOfMonth) projectTotals.month_ms += d;
+    }
+    byProject[projectId] = {
+      today: Math.round(projectTotals.today_ms / 3600) / 1000,
+      week:  Math.round(projectTotals.week_ms  / 3600) / 1000,
+      month: Math.round(projectTotals.month_ms / 3600) / 1000,
+      total: Math.round(projectTotals.total_ms / 3600) / 1000,
+    };
+    totals.today_ms += projectTotals.today_ms;
+    totals.week_ms  += projectTotals.week_ms;
+    totals.month_ms += projectTotals.month_ms;
+    totals.total_ms += projectTotals.total_ms;
+  }
+  const data = {
+    today: Math.round(totals.today_ms / 3600) / 1000,
+    week:  Math.round(totals.week_ms  / 3600) / 1000,
+    month: Math.round(totals.month_ms / 3600) / 1000,
+    total: Math.round(totals.total_ms / 3600) / 1000,
+    by_project: byProject,
+  };
+  _activityStatsCache.ts = Date.now();
+  _activityStatsCache.data = data;
+  return data;
+}
+
+router.get("/api/activity/stats", (_req, res) => {
+  try {
+    res.json(computeActivityStats());
+  } catch (err) {
+    res.status(500).json({ error: "Failed to compute activity stats", detail: err.message });
+  }
+});
+
 router.post("/api/chat", async (req, res) => {
   const projectId = req.query.project || req.body.project;
   const { url: base, token: sessionToken } = getChattrConfig(projectId);
@@ -181,15 +821,38 @@ router.post("/api/chat", async (req, res) => {
 
   // #230: ignore any client-supplied sender. /api/chat is the
   // dashboard's send path, so the message must always be attributed
-  // to "user". Forwarding `req.body.sender` would let any caller
-  // hitting QuadWork's /api/chat impersonate an agent identity (t1,
-  // t3, …) over the AgentChattr ws path, which the old /api/send
-  // flow could not do.
+  // to a server-controlled value. Forwarding `req.body.sender` would
+  // let any caller hitting QuadWork's /api/chat impersonate an agent
+  // identity (t1, t3, …) over the AgentChattr ws path, which the
+  // old /api/send flow could not do.
+  //
+  // #405 / quadwork#278: read the operator's display name from the
+  // server-side config file rather than hardcoding "user". The
+  // sanitizer matches AC's registry name validator (1–32 alnum +
+  // dash + underscore) so even a hand-edited config can't post a
+  // value AC will reject (or impersonate an agent), and an empty /
+  // missing value falls back to "user".
+  let operatorSender = "user";
+  try {
+    const cfg = readConfigFile();
+    operatorSender = sanitizeOperatorName(cfg.operator_name);
+  } catch {
+    // non-fatal — fall through to "user"
+  }
+  // #397 / quadwork#262: pass reply_to through to AgentChattr so the
+  // dashboard's reply button mirrors AC's native threaded-reply
+  // behavior. Only forward when it's a real positive integer — guards
+  // against arbitrary client payloads.
+  const replyToRaw = req.body?.reply_to;
+  const replyTo = (typeof replyToRaw === "number" && Number.isInteger(replyToRaw) && replyToRaw > 0)
+    ? replyToRaw
+    : null;
   const message = {
     text: typeof req.body?.text === "string" ? req.body.text : "",
     channel: req.body?.channel || "general",
-    sender: "user",
+    sender: operatorSender,
     attachments: Array.isArray(req.body?.attachments) ? req.body.attachments : [],
+    ...(replyTo !== null ? { reply_to: replyTo } : {}),
   };
   if (!message.text && message.attachments.length === 0) {
     return res.status(400).json({ error: "text or attachments required" });
@@ -378,6 +1041,434 @@ router.get("/api/github/prs", (req, res) => {
   }
 });
 
+// #411 / quadwork#281: recently closed issues + merged PRs for the
+// "Recently closed" / "Recently merged" sub-sections under each
+// list in GitHubPanel. Limit 5 items each, ordered by closedAt
+// descending so the freshest activity sits at the top.
+// gh CLI's default ordering for `issue list --state closed` and
+// `pr list --state merged` is createdAt-desc, not closedAt/mergedAt-desc,
+// so a stale-but-recently-closed item can sit below a fresh-but-
+// older one. We pull a wider window and re-sort by close/merge time
+// before truncating to 5 to honor #281's "newest first" requirement.
+const RECENT_FETCH_LIMIT = 20;
+const RECENT_DISPLAY_LIMIT = 5;
+
+router.get("/api/github/closed-issues", (req, res) => {
+  const repo = getRepo(req.query.project || "");
+  if (!repo) return res.status(400).json({ error: "No repo configured for project" });
+  try {
+    const out = execFileSync(
+      "gh",
+      ["issue", "list", "-R", repo, "--state", "closed", "--json", "number,title,state,url,closedAt", "--limit", String(RECENT_FETCH_LIMIT)],
+      { encoding: "utf-8", timeout: 15000 },
+    );
+    const items = JSON.parse(out);
+    const sorted = Array.isArray(items)
+      ? items
+          .slice()
+          .sort((a, b) => {
+            const ta = a && a.closedAt ? Date.parse(a.closedAt) : 0;
+            const tb = b && b.closedAt ? Date.parse(b.closedAt) : 0;
+            return tb - ta;
+          })
+          .slice(0, RECENT_DISPLAY_LIMIT)
+      : items;
+    res.json(sorted);
+  } catch (err) {
+    res.status(502).json({ error: "gh issue list (closed) failed", detail: err.message });
+  }
+});
+
+router.get("/api/github/merged-prs", (req, res) => {
+  const repo = getRepo(req.query.project || "");
+  if (!repo) return res.status(400).json({ error: "No repo configured for project" });
+  try {
+    // gh pr list with `--state merged` filters server-side so we
+    // don't have to pull every closed PR and discard the un-merged
+    // ones (closed-without-merge). Same fetch-wider-then-sort
+    // strategy as closed-issues so the newest merge always wins.
+    const out = execFileSync(
+      "gh",
+      ["pr", "list", "-R", repo, "--state", "merged", "--json", "number,title,state,url,mergedAt,author", "--limit", String(RECENT_FETCH_LIMIT)],
+      { encoding: "utf-8", timeout: 15000 },
+    );
+    const items = JSON.parse(out);
+    const sorted = Array.isArray(items)
+      ? items
+          .slice()
+          .sort((a, b) => {
+            const ta = a && a.mergedAt ? Date.parse(a.mergedAt) : 0;
+            const tb = b && b.mergedAt ? Date.parse(b.mergedAt) : 0;
+            return tb - ta;
+          })
+          .slice(0, RECENT_DISPLAY_LIMIT)
+      : items;
+    res.json(sorted);
+  } catch (err) {
+    res.status(502).json({ error: "gh pr list (merged) failed", detail: err.message });
+  }
+});
+
+// #413 / quadwork#282: Current Batch Progress panel.
+//
+// Reads ~/.quadwork/{project}/OVERNIGHT-QUEUE.md, parses the
+// `## Active Batch` section for `Batch: N` + issue numbers, and
+// resolves each issue against GitHub (state + linked PR + review
+// counts) to compute a progress state. The 5 progress buckets are
+// deterministic from issue/PR state — no agent inference.
+//
+// Progress mapping (from upstream issue):
+//   queued    0%   issue exists, no linked PR
+//   in_review 20%  PR open, 0 approvals
+//   approved1 50%  PR open, 1 approval
+//   ready     80%  PR open, 2+ approvals
+//   merged   100%  PR merged AND issue closed
+//
+// Cached for 10s per project to avoid hammering gh on every poll.
+
+const _batchProgressCache = new Map(); // projectId -> { ts, data }
+
+// #429 / quadwork#316: persistent batch snapshot on disk so the
+// Batch Progress panel keeps showing merged items after Head moves
+// them from Active Batch to Done. The in-memory `_batchProgressCache`
+// above is a 10s TTL cache of the rendered rows; this new cache is
+// the *set of issue numbers* we currently consider "the active
+// batch", and it survives restarts + lives across polls.
+function batchSnapshotPath(projectId) {
+  return path.join(CONFIG_DIR, projectId, "batch-progress-cache.json");
+}
+function readBatchSnapshot(projectId) {
+  try {
+    return JSON.parse(fs.readFileSync(batchSnapshotPath(projectId), "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeBatchSnapshot(projectId, snapshot) {
+  try {
+    const p = batchSnapshotPath(projectId);
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    fs.writeFileSync(p, JSON.stringify(snapshot));
+  } catch {
+    // Non-fatal — panel still works from the live parse.
+  }
+}
+
+// Decide which batch to render, combining the live parse of
+// OVERNIGHT-QUEUE.md with the persistent snapshot. The snapshot is
+// replaced whenever a new batch starts (explicit Batch: N bump OR
+// the live Active Batch contains items the snapshot doesn't); in
+// all other cases the snapshot wins, so items Head moved to Done
+// stay visible until the operator starts the next batch.
+function resolveDisplayedBatch(queueText, projectId, { queueReadOk = true } = {}) {
+  // Queue file deleted / unreadable → fall back to empty state per
+  // #316's edge case. Returning the snapshot here would "heal" a
+  // genuinely missing file into stale data the operator can't
+  // reconcile without nuking ~/.quadwork/{id}/batch-progress-cache.json
+  // manually.
+  if (!queueReadOk) return { batchNumber: null, issueNumbers: [] };
+  const current = parseActiveBatch(queueText);
+  const snapshot = readBatchSnapshot(projectId);
+  const hasExplicitBump =
+    current.batchNumber !== null &&
+    (!snapshot || snapshot.batchNumber === null || current.batchNumber > snapshot.batchNumber);
+  const hasNewItems =
+    current.issueNumbers.length > 0 &&
+    (!snapshot || current.issueNumbers.some((n) => !snapshot.issueNumbers.includes(n)));
+  let next;
+  if (hasExplicitBump || hasNewItems) {
+    next = { batchNumber: current.batchNumber, issueNumbers: current.issueNumbers.slice() };
+  } else if (snapshot && Array.isArray(snapshot.issueNumbers) && snapshot.issueNumbers.length > 0) {
+    next = {
+      batchNumber: snapshot.batchNumber ?? null,
+      issueNumbers: snapshot.issueNumbers.slice(),
+    };
+  } else {
+    next = { batchNumber: current.batchNumber, issueNumbers: current.issueNumbers.slice() };
+  }
+  if (next.issueNumbers.length > 0) writeBatchSnapshot(projectId, next);
+  return next;
+}
+const BATCH_PROGRESS_TTL_MS = 10000;
+
+function parseActiveBatch(queueText) {
+  if (typeof queueText !== "string" || !queueText) {
+    return { batchNumber: null, issueNumbers: [] };
+  }
+  // Pull just the Active Batch section so a stray `#123` in Backlog
+  // or Done doesn't leak into the active list.
+  const m = queueText.match(/##\s+Active Batch[\s\S]*?(?=\n##\s|$)/i);
+  if (!m) return { batchNumber: null, issueNumbers: [] };
+  const section = m[0];
+  const batchMatch = section.match(/\*\*Batch:\*\*\s*(\d+)/i) || section.match(/Batch:\s*(\d+)/i);
+  const batchNumber = batchMatch ? parseInt(batchMatch[1], 10) : null;
+  // Only collect issue numbers from lines that look like list-item
+  // entries — i.e. lines whose first content token is either `#N`
+  // or `[#N]` after an optional list marker. This rejects prose
+  // like "Tracking umbrella: #293", "next after #294 merged", and
+  // similar dependency / commentary references that t2a flagged on
+  // realproject7/dropcast's queue.
+  //
+  // Accepted line shapes:
+  //   - #295 sub-A heartbeat
+  //   * #295 sub-A heartbeat
+  //   1. #295 sub-A heartbeat
+  //   #295 sub-A heartbeat
+  //   - [#295] sub-A heartbeat
+  //   [#295] sub-A heartbeat
+  //
+  // Rejected:
+  //   Tracking umbrella: #293
+  //   Assigned next after #294 merged.
+  //   See #295 for context.
+  const ITEM_LINE_RE = /^\s*(?:[-*]\s+|\d+\.\s+)?\[?#(\d{1,6})\]?\b/;
+  const seen = new Set();
+  const issueNumbers = [];
+  for (const line of section.split("\n")) {
+    const lineMatch = line.match(ITEM_LINE_RE);
+    if (!lineMatch) continue;
+    const n = parseInt(lineMatch[1], 10);
+    if (!seen.has(n)) {
+      seen.add(n);
+      issueNumbers.push(n);
+    }
+  }
+  return { batchNumber, issueNumbers };
+}
+
+// #416 / quadwork#299: async variant used by the parallelized batch
+// progress fetcher. Wraps node's execFile in a promise.
+//
+// THROWS on subprocess failure (non-zero exit, timeout, JSON parse,
+// network) so progressForItemAsync can decide which subset of
+// failures should bubble up to the Promise.allSettled "fetch failed"
+// row vs. which should fall through to a softer state. The previous
+// catch-all-and-return-null contract collapsed real subprocess
+// errors into the "not found" branch, making the new failure-row
+// fallback unreachable for genuine command failures (t2a review).
+const { execFile: _execFile } = require("child_process");
+const _execFileAsync = require("util").promisify(_execFile);
+async function ghJsonExecAsync(args) {
+  const { stdout } = await _execFileAsync("gh", args, { encoding: "utf-8", timeout: 10000 });
+  return JSON.parse(stdout);
+}
+
+async function progressForItemAsync(repo, issueNumber) {
+  // Pull issue state + linked PRs in one call. closedByPullRequestsReferences
+  // is gh's serializer for the GraphQL `closedByPullRequestsReferences`
+  // edge — only present when a PR with `Fixes #N` / `Closes #N`
+  // (or the link UI) targets the issue.
+  // Issue fetch is the load-bearing call — if gh can't read the
+  // issue at all (404, network, auth, timeout) we can't compute a
+  // meaningful progress row. Let the rejection propagate to the
+  // route's Promise.allSettled so the operator sees a single
+  // "fetch failed" row instead of a misleading "queued" entry.
+  const issue = await ghJsonExecAsync([
+    "issue",
+    "view",
+    String(issueNumber),
+    "-R",
+    repo,
+    "--json",
+    "number,title,state,url,closedByPullRequestsReferences",
+  ]);
+  const linked = Array.isArray(issue.closedByPullRequestsReferences)
+    ? issue.closedByPullRequestsReferences
+    : [];
+  // Pick the freshest linked PR (highest number) if there are multiple.
+  const pr = linked.length > 0
+    ? linked.slice().sort((a, b) => (b.number || 0) - (a.number || 0))[0]
+    : null;
+  // No linked PR yet — queued.
+  if (!pr) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: issue.url,
+      status: "queued",
+      progress: 0,
+      label: "Issue · queued",
+    };
+  }
+  // Re-fetch the PR to get reviewDecision + reviews + state, since
+  // the issue's closedByPullRequestsReferences edge only carries
+  // number/state/url. The PR fetch is intentionally soft: if gh
+  // glitches on this single call we still know the PR exists (we
+  // got the link from the issue) and can render a partial
+  // "in_review" row, which is more useful than dropping the whole
+  // item to "fetch failed". A persistent failure here will still
+  // surface on the next cache miss because the issue fetch above
+  // is the load-bearing one that controls the per-item rejection.
+  let prData = null;
+  try {
+    prData = await ghJsonExecAsync([
+      "pr",
+      "view",
+      String(pr.number),
+      "-R",
+      repo,
+      "--json",
+      "number,state,url,reviewDecision,reviews",
+    ]);
+  } catch {
+    // soft fall-through to the in_review row below
+  }
+  if (!prData) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: pr.url || issue.url,
+      pr_number: pr.number,
+      status: "in_review",
+      progress: 20,
+      label: `PR #${pr.number} · waiting on review`,
+    };
+  }
+  const merged = prData.state === "MERGED" && issue.state === "CLOSED";
+  if (merged) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: prData.url || issue.url,
+      pr_number: prData.number,
+      status: "merged",
+      progress: 100,
+      label: "Merged ✓",
+    };
+  }
+  // Count distinct APPROVED reviews per author so a stale APPROVED
+  // followed by REQUEST_CHANGES doesn't double-count. Sort by
+  // submittedAt ascending first so the Map's "last write wins"
+  // genuinely lands on the freshest review per author — gh's
+  // current ordering is chronological in practice but undocumented,
+  // so the explicit sort keeps us safe if that ever changes.
+  const reviews = Array.isArray(prData.reviews) ? prData.reviews.slice() : [];
+  reviews.sort((a, b) => {
+    const ta = (a && a.submittedAt) ? Date.parse(a.submittedAt) : 0;
+    const tb = (b && b.submittedAt) ? Date.parse(b.submittedAt) : 0;
+    return ta - tb;
+  });
+  const latestByAuthor = new Map();
+  for (const r of reviews) {
+    const author = (r && r.author && r.author.login) || "";
+    if (!author) continue;
+    latestByAuthor.set(author, r.state);
+  }
+  let approvalCount = 0;
+  for (const state of latestByAuthor.values()) {
+    if (state === "APPROVED") approvalCount++;
+  }
+  if (approvalCount >= 2) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: prData.url || issue.url,
+      pr_number: prData.number,
+      status: "ready",
+      progress: 80,
+      label: `PR #${prData.number} · 2 approvals · ready`,
+    };
+  }
+  if (approvalCount === 1) {
+    return {
+      issue_number: issue.number,
+      title: issue.title,
+      url: prData.url || issue.url,
+      pr_number: prData.number,
+      status: "approved1",
+      progress: 50,
+      label: `PR #${prData.number} · 1 approval`,
+    };
+  }
+  return {
+    issue_number: issue.number,
+    title: issue.title,
+    url: prData.url || issue.url,
+    pr_number: prData.number,
+    status: "in_review",
+    progress: 20,
+    label: `PR #${prData.number} · waiting on review`,
+  };
+}
+
+function summarizeItems(items) {
+  let merged = 0, ready = 0, approved1 = 0, inReview = 0, queued = 0;
+  for (const it of items) {
+    if (it.status === "merged") merged++;
+    else if (it.status === "ready") ready++;
+    else if (it.status === "approved1") approved1++;
+    else if (it.status === "in_review") inReview++;
+    else if (it.status === "queued") queued++;
+  }
+  const parts = [`${merged}/${items.length} merged`];
+  if (ready > 0) parts.push(`${ready} ready to merge`);
+  if (approved1 > 0) parts.push(`${approved1} needs 2nd approval`);
+  if (inReview > 0) parts.push(`${inReview} in review`);
+  if (queued > 0) parts.push(`${queued} queued`);
+  return parts.join(" · ");
+}
+
+router.get("/api/batch-progress", async (req, res) => {
+  const projectId = req.query.project;
+  if (!projectId) return res.status(400).json({ error: "Missing project" });
+
+  const cached = _batchProgressCache.get(projectId);
+  if (cached && Date.now() - cached.ts < BATCH_PROGRESS_TTL_MS) {
+    return res.json(cached.data);
+  }
+
+  const repo = getRepo(projectId);
+  if (!repo) return res.status(400).json({ error: "No repo configured for project" });
+
+  const queuePath = path.join(CONFIG_DIR, projectId, "OVERNIGHT-QUEUE.md");
+  let queueText = "";
+  let queueReadOk = false;
+  try {
+    queueText = fs.readFileSync(queuePath, "utf-8");
+    queueReadOk = true;
+  } catch {
+    // Missing / unreadable file — pass queueReadOk=false so the
+    // resolver bypasses the snapshot and returns the empty state
+    // per #316's edge case.
+  }
+
+  // #429 / quadwork#316: resolve the displayed batch through the
+  // snapshot-aware helper so merged items stay visible after Head
+  // moves them from Active Batch to Done, until a new batch starts.
+  const { batchNumber, issueNumbers } = resolveDisplayedBatch(queueText, projectId, { queueReadOk });
+  if (issueNumbers.length === 0) {
+    const data = { batch_number: batchNumber, items: [], summary: "", complete: false };
+    _batchProgressCache.set(projectId, { ts: Date.now(), data });
+    return res.json(data);
+  }
+
+  // #416 / quadwork#299: parallelize the per-item gh fetches.
+  // Sequential execFileSync was costing ~10s on a cold cache for a
+  // 5-item batch (2 gh calls per item, ~1s each); Promise.allSettled
+  // over progressForItemAsync drops that to roughly the time of the
+  // slowest single item-pair (~2s). One failed item resolves with a
+  // synthetic "unknown" row instead of failing the whole response.
+  const settled = await Promise.allSettled(
+    issueNumbers.map((n) => progressForItemAsync(repo, n)),
+  );
+  const items = settled.map((r, i) => {
+    if (r.status === "fulfilled") return r.value;
+    return {
+      issue_number: issueNumbers[i],
+      title: `#${issueNumbers[i]} (fetch failed)`,
+      url: null,
+      status: "unknown",
+      progress: 0,
+      label: "fetch failed",
+    };
+  });
+  const summary = summarizeItems(items);
+  const complete = items.length > 0 && items.every((it) => it.status === "merged");
+  const data = { batch_number: batchNumber, items, summary, complete };
+  _batchProgressCache.set(projectId, { ts: Date.now(), data });
+  res.json(data);
+});
+
 // ─── Memory ────────────────────────────────────────────────────────────────
 
 function getProject(projectId) {
@@ -830,6 +1921,11 @@ router.post("/api/setup", (req, res) => {
         const wtDir = path.join(parentDir, `${dirName}-${agent}`);
         content += `[agents.${agent}]\ncommand = "${(backends && backends[agent]) || "claude"}"\ncwd = "${wtDir}"\ncolor = "${colors[i]}"\nlabel = "${agent.charAt(0).toUpperCase() + agent.slice(1)} ${labels[i]}"\nmcp_inject = "flag"\n\n`;
       });
+      // #403 / quadwork#274: raise the loop guard from AC's default
+      // of 4 to 30 so autonomous PR review cycles (head→dev→re1+re2→
+      // dev→head, ~5 hops) don't fire mid-batch and force the
+      // operator to type /continue. AC clamps to [1, 50] internally.
+      content += `[routing]\ndefault = "none"\nmax_agent_hops = 30\n\n`;
       content += `[mcp]\nhttp_port = ${mcp_http}\nsse_port = ${mcp_sse}\n`;
       fs.writeFileSync(tomlPath, content);