reflectt-node 0.1.3 → 0.1.5

package/dist/server.js

@@ -13,7 +13,7 @@ import { resolve, sep, join } from 'path';
 import { execSync } from 'child_process';
 import { serverConfig, openclawConfig, isDev, REFLECTT_HOME } from './config.js';
 import { trackRequest, getRequestMetrics } from './request-tracker.js';
-import { getPreflightMetrics } from './alert-preflight.js';
+import { getPreflightMetrics, snapshotDailyMetrics, getDailySnapshots, startAutoSnapshot } from './alert-preflight.js';
 // ── Build info (read once at startup) ──────────────────────────────────────
 const BUILD_VERSION = (() => {
     try {
@@ -38,6 +38,7 @@ import { taskManager } from './tasks.js';
 import { detectApproval, applyApproval } from './chat-approval-detector.js';
 import { inboxManager } from './inbox.js';
 import { getDb } from './db.js';
+import { isTestHarnessTask } from './test-task-filter.js';
 import { handleMCPRequest, handleSSERequest, handleMessagesRequest } from './mcp.js';
 import { memoryManager } from './memory.js';
 import { buildContextInjection, getContextBudgets, getContextMemo, upsertContextMemo } from './context-budget.js';
@@ -54,6 +55,7 @@ import { emitActivationEvent, getUserFunnelState, getFunnelSummary, hasCompleted
 import { alertUnauthorizedApproval, alertFlipAttempt, getMutationAlertStatus, pruneOldAttempts } from './mutationAlert.js';
 import { mentionAckTracker } from './mention-ack.js';
 import { analyticsManager } from './analytics.js';
+import { processRequest as complianceProcessRequest, queryViolations, getViolationSummary } from './compliance-detector.js';
 import { getDashboardHTML } from './dashboard.js';
 import { healthMonitor, computeActiveLane } from './health.js';
 import { getSystemLoopTicks, recordSystemLoopTick } from './system-loop-state.js';
@@ -140,7 +142,7 @@ const CreateTaskSchema = z.object({
     title: z.string().min(1),
     type: z.enum(TASK_TYPES).optional(), // optional for backward compat, validated when present
     description: z.string().optional(),
-    status: z.enum(['todo', 'doing', 'blocked', 'validating', 'done']).default('todo'),
+    status: z.enum(['todo', 'doing', 'blocked', 'validating', 'done', 'cancelled']).default('todo'),
     assignee: z.string().trim().min(1).optional().default('unassigned'),
     reviewer: z.string().trim().min(1).or(z.literal('auto')).default('auto'), // 'auto' triggers load-balanced assignment
     done_criteria: z.array(z.string().trim().min(1)).optional().default([]),
@@ -267,7 +269,7 @@ function normalizeConfiguredModel(value) {
 const UpdateTaskSchema = z.object({
     title: z.string().min(1).optional(),
     description: z.string().optional(),
-    status: z.enum(['todo', 'doing', 'blocked', 'validating', 'done']).optional(),
+    status: z.enum(['todo', 'doing', 'blocked', 'validating', 'done', 'cancelled']).optional(),
     assignee: z.string().optional(),
     reviewer: z.string().optional(),
     done_criteria: z.array(z.string().min(1)).optional(),
@@ -328,7 +330,7 @@ const CreateRecurringTaskSchema = z.object({
     metadata: z.record(z.unknown()).optional(),
     schedule: RecurringTaskScheduleSchema,
     enabled: z.boolean().optional(),
-    status: z.enum(['todo', 'doing', 'blocked', 'validating', 'done']).optional(),
+    status: z.enum(['todo', 'doing', 'blocked', 'validating', 'done', 'cancelled']).optional(),
 });
 const UpdateRecurringTaskSchema = z.object({
     enabled: z.boolean().optional(),
@@ -1325,33 +1327,47 @@ function extractMentions(content) {
         return resolveAgentMention(raw) || raw;
     }).filter(Boolean)));
 }
-function buildAutonomyWarnings(content) {
-    const mentions = extractMentions(content);
-    if (mentions.length === 0)
+function getOwnerHandlesFromEnv() {
+    const raw = String(process.env.REFLECTT_OWNER_HANDLES || '').trim();
+    if (!raw)
         return [];
-    // Only warn when the message is explicitly directed at Ryan.
-    const directedAtRyan = mentions.includes('ryan') || mentions.includes('ryancampbell');
-    if (!directedAtRyan)
+    return raw
+        .split(',')
+        .map(s => s.trim().toLowerCase())
+        .filter(Boolean);
+}
+function isDirectedAtConfiguredOwner(content) {
+    const owners = getOwnerHandlesFromEnv();
+    if (owners.length === 0)
+        return false;
+    const mentions = extractMentions(content);
+    return owners.some(o => mentions.includes(o));
+}
+function buildAutonomyWarnings(content) {
+    // If no owner handles are configured, keep this feature off by default.
+    // reflectt-node must remain generic for customers.
+    if (!isDirectedAtConfiguredOwner(content))
         return [];
     const normalized = content.toLowerCase();
-    // Detect the specific anti-pattern: asking leadership what to do next.
+    // Detect the specific anti-pattern: asking a human leader/operator what to do next.
     // Keep the pattern narrow to avoid false positives on legitimate asks.
     const approvalSeeking = /\b(what should i (do|work on) next|what(?:['’]?s) next(?: for me)?|what do i do next|what do you want me to do next|should i (do|work on)( [^\n\r]{0,80})? next)\b/i;
     if (!approvalSeeking.test(normalized))
         return [];
     return [
-        'Autonomy guardrail: avoid asking Ryan what to do next. Pull from the board (/tasks/next) or pick the highest-priority task and ship. Escalate to Ryan only if blocked on a decision only a human can make.',
+        'Autonomy guardrail: avoid asking a human operator what to do next. Pull from the board (/tasks/next) or pick the highest-priority task and ship. Escalate only if you are blocked on a decision or permission that only a human can provide.',
     ];
 }
-function validateRyanApprovalPing(content, from, channel) {
-    // Only gate messages directed at Ryan.
-    const mentions = extractMentions(content);
-    const directedAtRyan = mentions.includes('ryan') || mentions.includes('ryancampbell');
-    if (!directedAtRyan)
+function validateOwnerApprovalPing(content, from, channel) {
+    const owners = getOwnerHandlesFromEnv();
+    if (owners.length === 0)
+        return {};
+    // Only gate messages directed at configured owner handles.
+    if (!isDirectedAtConfiguredOwner(content))
         return {};
-    // Don't gate Ryan/system talking to themselves.
+    // Don't gate the owner/system talking to themselves.
     const sender = String(from || '').toLowerCase();
-    if (sender === 'ryan' || sender === 'system')
+    if (owners.includes(sender) || sender === 'system')
         return {};
     const normalized = content.toLowerCase();
     // We only care about PR approval/merge requests.
@@ -1359,15 +1375,15 @@ function validateRyanApprovalPing(content, from, channel) {
         (/(\bpr\b|pull request|github\.com\/[^\s]+\/pull\/[0-9]+|#\d+)/i.test(normalized));
     if (!looksLikePrRequest)
         return {};
-    // Allow if the message explicitly explains why Ryan is required and references a task id.
+    // Allow if the message explicitly explains why a human is required and references a task id.
     const hasTaskId = hasTaskIdReference(content);
     const hasPermissionsReason = /(permission|permissions|auth|authed|rights|cannot|can\s*not|can't|blocked|branch protection|required)/i.test(normalized);
     if (hasTaskId && hasPermissionsReason)
         return {};
     const normalizedChannel = (channel || 'general').toLowerCase();
     return {
-        blockingError: `Don't ask @ryan to approve/merge PRs by default (channel=${normalizedChannel}). Ask the assigned reviewer, or merge it yourself. Escalate to Ryan only when truly blocked by permissions/auth.`,
-        hint: 'If Ryan is genuinely required: include task-<id> and a short permissions/auth reason (e.g., "no merge rights" / "branch protection"), plus the PR link.',
+        blockingError: `Don't ask a human operator to approve/merge PRs by default (channel=${normalizedChannel}). Ask the assigned reviewer, or merge it yourself. Escalate only when truly blocked by permissions/auth.`,
+        hint: 'If a human is genuinely required: include task-<id> and a short permissions/auth reason (e.g., "no merge rights" / "branch protection"), plus the PR link.',
     };
 }
 function buildMentionWarnings(content) {
@@ -1553,6 +1569,11 @@ export async function createServer() {
         healthMonitor.trackRequest(duration);
         trackTelemetryRequest(request.method, request.url, reply.statusCode, duration);
         trackRequest(request.method, request.url, reply.statusCode, request.headers['user-agent']);
+        // Compliance detector: flag state-read-before-assertion violations
+        try {
+            complianceProcessRequest(request.method, request.url, reply.statusCode, request.query ?? {}, request.body, request.headers);
+        }
+        catch { /* never let compliance logging break a request */ }
         if (reply.statusCode >= 400) {
             healthMonitor.trackError();
             // Normalize URL before telemetry to prevent PII leaks in query params
@@ -1758,7 +1779,7 @@ export async function createServer() {
         reflectionPipelineHealth.recentPromotions = recentPromotions;
         reflectionPipelineHealth.lastCheckedAt = now;
         if (recentReflections === 0) {
-            reflectionPipelineHealth.status = 'healthy';
+            reflectionPipelineHealth.status = 'idle';
             reflectionPipelineHealth.firstZeroInsightAt = 0;
             return reflectionPipelineHealth;
         }
@@ -1791,7 +1812,7 @@ export async function createServer() {
                 chatManager.sendMessage({
                     channel: 'general',
                     from: 'system',
-                    content: `🚨 Reflection pipeline broken: ${health.recentReflections} reflections in last ${health.windowMin}m but 0 insights created. @link @sage investigate ingestion/listener path.`,
+                    content: `🚨 Reflection pipeline broken: ${health.recentReflections} reflections in last ${health.windowMin}m but 0 recentInsightActivity (created+updated). @link @sage investigate ingestion/listener path.`,
                 }).catch(() => { });
             }
         }
@@ -1895,7 +1916,7 @@ export async function createServer() {
             inbox: inboxManager.getStats(),
             request_counts: (() => {
                 const m = getRequestMetrics();
-                return { total: m.total, errors: m.errors, rps: m.rps, byGroup: m.byGroup };
+                return { total: m.total, errors: m.errors, rps: m.rps, byGroup: m.byGroup, rolling: m.rolling };
             })(),
             timestamp: Date.now(),
         };
@@ -1907,7 +1928,9 @@ export async function createServer() {
             total_errors: m.errors,
             total_requests: m.total,
             error_rate: m.total > 0 ? Math.round((m.errors / m.total) * 10000) / 100 : 0,
+            rolling: m.rolling,
             recent: m.recentErrors.slice(0, 20),
+            top_buckets: m.topErrorBuckets,
             timestamp: Date.now(),
         };
     });
@@ -2187,8 +2210,25 @@ export async function createServer() {
     });
     // ─── Alert preflight metrics ───
     app.get('/health/alert-preflight', async () => {
+        snapshotDailyMetrics(); // Persist daily checkpoint on health check
         return { ...getPreflightMetrics(), timestamp: Date.now() };
     });
+    app.get('/health/alert-preflight/history', async () => {
+        snapshotDailyMetrics();
+        return { snapshots: getDailySnapshots(), currentSession: getPreflightMetrics() };
+    });
+    // ─── Todo hoarding health: orphan detection + auto-unassign status ───
+    app.get('/health/hoarding', async (request) => {
+        const query = request.query;
+        const dryRun = query.dry_run !== '0' && query.dry_run !== 'false'; // default: dry run
+        const { sweepTodoHoarding, TODO_CAP, IDLE_THRESHOLD_MS } = await import('./todoHoardingGuard.js');
+        const result = await sweepTodoHoarding({ dryRun });
+        return {
+            ...result,
+            config: { todoCap: TODO_CAP, idleThresholdMinutes: Math.round(IDLE_THRESHOLD_MS / 60000) },
+            dryRun,
+        };
+    });
     // ─── Backlog health: ready counts per lane, breach status, floor compliance ───
     app.get('/health/backlog', async (request, reply) => {
         const query = request.query;
@@ -2205,7 +2245,7 @@ export async function createServer() {
                 return false;
             return task.blocked_by.some((blockerId) => {
                 const blocker = taskManager.getTask(blockerId);
-                return blocker && blocker.status !== 'done';
+                return blocker && !['done', 'resolved_externally', 'cancelled'].includes(blocker.status);
             });
         };
         // Definition-of-ready gate for backlog readiness: todo + required fields + unblocked
@@ -2216,14 +2256,23 @@ export async function createServer() {
             const hasDoneCriteria = Array.isArray(task.done_criteria) && task.done_criteria.length > 0;
             return hasTitle && hasPriority && hasReviewer && hasDoneCriteria;
         };
+        // Count tasks missing metadata.lane for visibility
+        const missingLaneCount = allTasks.filter(t => !t.metadata?.lane && !['done', 'cancelled', 'resolved_externally'].includes(t.status)).length;
         // Build per-lane health
+        // Task belongs to a lane if: (1) metadata.lane matches, OR (2) assignee is in lane agents (fallback)
         const laneHealth = Object.entries(lanes).map(([laneName, config]) => {
-            const laneTasks = allTasks.filter(t => config.agents.includes(t.assignee || ''));
+            const laneTasks = allTasks.filter(t => {
+                const taskLane = t.metadata?.lane;
+                if (taskLane)
+                    return taskLane === laneName;
+                return config.agents.includes(t.assignee || '');
+            });
             const todo = laneTasks.filter(t => t.status === 'todo');
             const doing = laneTasks.filter(t => t.status === 'doing');
             const validating = laneTasks.filter(t => t.status === 'validating');
             const blocked = laneTasks.filter(t => t.status === 'blocked' || (t.status === 'todo' && isBlocked(t)));
             const done = laneTasks.filter(t => t.status === 'done');
+            const resolvedExternally = laneTasks.filter(t => t.status === 'resolved_externally');
             // Ready = todo + required fields + unblocked
             const ready = todo.filter(t => !isBlocked(t) && hasRequiredFields(t));
             const notReady = todo.filter(t => isBlocked(t) || !hasRequiredFields(t));
@@ -2259,6 +2308,7 @@ export async function createServer() {
                     validating: validating.length,
                     blocked: blocked.length,
                     done: done.length,
+                    resolvedExternally: resolvedExternally.length,
                 },
                 compliance: {
                     status: floorBreaches.length > 0 ? 'breach' : ready.length >= config.readyFloor ? 'healthy' : 'warning',
@@ -2306,6 +2356,7 @@ export async function createServer() {
                 breachedLaneCount: breachedLanes.length,
                 overallStatus: breachedLanes.length > 0 ? 'breach' : totalReady === 0 ? 'critical' : 'healthy',
                 staleValidatingCount: staleValidating.length,
+                missingLaneMetadata: missingLaneCount,
             },
             lanes: laneHealth,
             staleValidating,
@@ -2732,8 +2783,11 @@ export async function createServer() {
     app.get('/', async (_request, reply) => {
         reply.redirect('/dashboard');
     });
-    app.get('/dashboard', async (_request, reply) => {
-        reply.type('text/html').send(getDashboardHTML());
+    app.get('/dashboard', async (request, reply) => {
+        const envFlag = process.env.REFLECTT_INTERNAL_UI === '1';
+        const queryFlag = request.query?.internal === '1';
+        const internalMode = envFlag && queryFlag;
+        reply.type('text/html').send(getDashboardHTML({ internalMode }));
     });
     // API docs page (markdown — token-efficient for agents)
     // UI Kit reference page — living component/states documentation
@@ -2767,13 +2821,13 @@ export async function createServer() {
             reply.code(500).send({ error: 'Failed to load docs' });
         }
     });
-    // Serve avatar images
+    // Serve avatar images (with fallback for missing avatars)
     app.get('/avatars/:filename', async (request, reply) => {
         const { filename } = request.params;
-        // Basic security: only allow .png files with alphanumeric names
-        if (!/^[a-z]+\.png$/.test(filename)) {
-            return reply.code(404).send({ error: 'Not found' });
-        }
+        // Security: allow alphanumeric, hyphens, underscores + .png/.svg extension
+        // (no slashes / traversal). If invalid, still return a safe default avatar (200)
+        // to avoid error-rate pollution from bad/mismatched filenames.
+        const safe = /^[a-z0-9_-]+\.(png|svg)$/i.test(filename);
         try {
             const { promises: fs } = await import('fs');
             const { join } = await import('path');
@@ -2782,13 +2836,24 @@ export async function createServer() {
             const __filename = fileURLToPath(import.meta.url);
             const __dirname = dirname(__filename);
             const publicDir = join(__dirname, '..', 'public', 'avatars');
-            const filePath = join(publicDir, filename);
-            const data = await fs.readFile(filePath);
-            reply.type('image/png').send(data);
+            if (safe) {
+                const filePath = join(publicDir, filename);
+                const data = await fs.readFile(filePath);
+                const ext = filename.toLowerCase().endsWith('.svg') ? 'image/svg+xml' : 'image/png';
+                reply.type(ext).header('Cache-Control', 'public, max-age=3600').send(data);
+                return;
+            }
         }
-        catch (err) {
-            reply.code(404).send({ error: 'Avatar not found' });
+        catch {
+            // fall through to default avatar below
         }
+        // Default avatar: render an initial when possible, else '?'
+        const initial = safe ? (filename.replace(/\.(png|svg)$/i, '').charAt(0) || '?').toUpperCase() : '?';
+        const svg = `<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 64 64">
+      <rect width="64" height="64" rx="12" fill="#21262d"/>
+      <text x="32" y="38" text-anchor="middle" font-family="system-ui,sans-serif" font-size="24" font-weight="600" fill="#8d96a0">${initial}</text>
+    </svg>`;
+        reply.type('image/svg+xml').header('Cache-Control', 'public, max-age=3600').send(svg);
     });
     // Serve dashboard JS (extracted from inline template)
     app.get('/dashboard.js', async (_request, reply) => {
@@ -2932,14 +2997,14 @@ export async function createServer() {
                 hint: actionValidation.hint,
             };
         }
-        const ryanApprovalGate = validateRyanApprovalPing(data.content, data.from, data.channel);
-        if (ryanApprovalGate.blockingError) {
+        const ownerApprovalGate = validateOwnerApprovalPing(data.content, data.from, data.channel);
+        if (ownerApprovalGate.blockingError) {
             reply.code(400);
             return {
                 success: false,
-                error: ryanApprovalGate.blockingError,
-                gate: 'ryan_approval_gate',
-                hint: ryanApprovalGate.hint,
+                error: ownerApprovalGate.blockingError,
+                gate: 'owner_approval_gate',
+                hint: ownerApprovalGate.hint,
             };
         }
         const message = await chatManager.sendMessage(data);
@@ -3149,7 +3214,7 @@ export async function createServer() {
                     return false;
                 return t.blocked_by.some((blockerId) => {
                     const blocker = taskManager.getTask(blockerId);
-                    return blocker && blocker.status !== 'done';
+                    return blocker && !['done', 'resolved_externally', 'cancelled'].includes(blocker.status);
                 });
             };
             const nextTodo = taskManager
@@ -4826,7 +4891,13 @@ export async function createServer() {
             // fan out inbox-visible notifications to assignee/reviewer + explicit @mentions.
             // Notification routing respects per-agent preferences (quiet hours, mute, filters).
             const task = taskManager.getTask(resolved.resolvedId);
-            if (task && !comment.suppressed) {
+            // Never fan out notifications for test-harness tasks.
+            // Our repo contains a few "LIVE server" tests (BASE=127.0.0.1:4445) that create
+            // tasks/comments with metadata.is_test=true. Without this guard, running `npm test`
+            // on a machine with a live node will spam real chat channels and look like a human
+            // (e.g. @link) posted the comment.
+            const shouldFanOut = task ? !isTestHarnessTask(task) : false;
+            if (task && !comment.suppressed && shouldFanOut) {
                 const targets = new Set();
                 if (task.assignee)
                     targets.add(task.assignee);
@@ -5397,7 +5468,7 @@ export async function createServer() {
                     // Deduplication: check existing tasks for similar titles
                     if (data.deduplicate) {
                         const existingTasks = taskManager.listTasks({});
-                        const activeTasks = existingTasks.filter(t => t.status !== 'done');
+                        const activeTasks = existingTasks.filter(t => t.status !== 'done' && t.status !== 'cancelled' && t.status !== 'resolved_externally');
                         const normalizedNew = taskData.title.toLowerCase().trim();
                         // Exact title match
                         const exactMatch = activeTasks.find(t => t.title.toLowerCase().trim() === normalizedNew);
@@ -5884,12 +5955,13 @@ export async function createServer() {
             // Must run before all other gates to give a clear rejection message.
             if (parsed.status && parsed.status !== existing.status) {
                 const ALLOWED_TRANSITIONS = {
-                    'todo': ['doing'],
-                    'doing': ['blocked', 'validating'],
-                    'blocked': ['doing', 'todo'],
+                    'todo': ['doing', 'cancelled'],
+                    'doing': ['blocked', 'validating', 'cancelled'],
+                    'blocked': ['doing', 'todo', 'cancelled'],
                     'validating': ['done', 'doing'], // doing = reviewer rejection / rework
                     'done': [], // all exits require reopen
-                    'in-progress': ['blocked', 'validating', 'done', 'doing', 'todo'], // legacy, permissive
+                    'cancelled': [], // terminal state, like done — requires reopen to revive
+                    'in-progress': ['blocked', 'validating', 'done', 'doing', 'todo', 'cancelled'], // legacy, permissive
                 };
                 const allowed = ALLOWED_TRANSITIONS[existing.status] ?? [];
                 if (!allowed.includes(parsed.status)) {
@@ -5914,6 +5986,24 @@ export async function createServer() {
                     mergedMeta.reopened_from = existing.status;
                 }
             }
+            // ── Cancel reason gate: require cancel_reason when transitioning to cancelled ──
+            if (parsed.status === 'cancelled') {
+                const meta = (incomingMeta ?? {});
+                const cancelReason = typeof meta.cancel_reason === 'string' ? String(meta.cancel_reason).trim() : '';
+                if (!cancelReason) {
+                    reply.code(422);
+                    return {
+                        success: false,
+                        error: 'Cancellation requires a cancel_reason in metadata (e.g. "duplicate", "out of scope", "won\'t fix").',
+                        code: 'CANCEL_REASON_REQUIRED',
+                        gate: 'cancel_reason',
+                        hint: 'Include metadata.cancel_reason explaining why this task is being cancelled.',
+                    };
+                }
+                mergedMeta.cancel_reason = cancelReason;
+                mergedMeta.cancelled_at = Date.now();
+                mergedMeta.cancelled_from = existing.status;
+            }
             // Reviewer-identity gate: only assigned reviewer can set reviewer_approved=true.
             const incomingReviewerApproved = incomingMeta.reviewer_approved;
             if (incomingReviewerApproved === true) {
@@ -6432,7 +6522,21 @@ export async function createServer() {
                 if (task.reviewer)
                     statusNotifTargets.push({ agent: task.reviewer, type: 'taskCompleted' });
             }
+            // Dedupe guard: prevent stale/out-of-order notification events
+            const { shouldEmitNotification } = await import('./notificationDedupeGuard.js');
             for (const target of statusNotifTargets) {
+                // Check dedupe guard before emitting
+                const dedupeCheck = shouldEmitNotification({
+                    taskId: task.id,
+                    eventUpdatedAt: task.updatedAt,
+                    eventStatus: parsed.status,
+                    currentTaskStatus: task.status,
+                    currentTaskUpdatedAt: task.updatedAt,
+                });
+                if (!dedupeCheck.emit) {
+                    console.log(`[NotifDedupe] Suppressed: ${dedupeCheck.reason}`);
+                    continue;
+                }
                 const routing = notifMgr.shouldNotify({
                     type: target.type,
                     agent: target.agent,
@@ -6449,6 +6553,7 @@ export async function createServer() {
                             kind: target.type,
                             taskId: task.id,
                             status: parsed.status,
+                            updatedAt: task.updatedAt,
                             deliveryMethod: routing.deliveryMethod,
                         },
                     }).catch(() => { }); // Non-blocking
@@ -6733,6 +6838,40 @@ export async function createServer() {
         }
         return { success: true, agent, displayName };
     });
+    // ── Write TEAM-ROLES.yaml (used by bootstrap agent to configure the team) ──
+    app.put('/config/team-roles', async (request, reply) => {
+        const body = request.body;
+        const yaml = typeof body.yaml === 'string' ? body.yaml.trim() : '';
+        if (!yaml) {
+            reply.code(400);
+            return { success: false, error: 'yaml field is required (TEAM-ROLES.yaml content)' };
+        }
+        // Basic validation: must contain 'agents:' and at least one agent name
+        if (!yaml.includes('agents:')) {
+            reply.code(400);
+            return { success: false, error: 'Invalid TEAM-ROLES.yaml: must contain "agents:" section' };
+        }
+        try {
+            const { writeFileSync } = await import('node:fs');
+            const { join } = await import('node:path');
+            const filePath = join(REFLECTT_HOME, 'TEAM-ROLES.yaml');
+            writeFileSync(filePath, yaml, 'utf-8');
+            // Hot-reload the team config
+            const { loadAgentRoles } = await import('./assignment.js');
+            const reloaded = loadAgentRoles();
+            return {
+                success: true,
+                path: filePath,
+                agents: reloaded.roles.length,
+                hint: 'TEAM-ROLES.yaml saved and hot-reloaded. Agents will pick up new routing immediately.',
+            };
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : 'Failed to write TEAM-ROLES.yaml';
+            reply.code(500);
+            return { success: false, error: msg };
+        }
+    });
     // Resolve a mention string (name, displayName, or alias) to an agent ID
     app.get('/resolve/mention/:mention', async (request) => {
         const agentName = resolveAgentMention(request.params.mention);
@@ -8275,6 +8414,16 @@ export async function createServer() {
         if (!task) {
             return { task: null, message: 'No available tasks' };
         }
+        // Rule C: auto-claim (todo→doing) when ?claim=1
+        const shouldClaim = query.claim === '1' || query.claim === 'true';
+        if (shouldClaim && agent && task.status === 'todo') {
+            const { claimTask } = await import('./todoHoardingGuard.js');
+            const claimed = await claimTask(task.id, agent);
+            if (claimed) {
+                const enriched = enrichTaskWithComments(claimed);
+                return { task: isCompact(query) ? compactTask(enriched) : enriched, claimed: true };
+            }
+        }
         const enriched = enrichTaskWithComments(task);
         return { task: isCompact(query) ? compactTask(enriched) : enriched };
     });
@@ -8412,12 +8561,22 @@ export async function createServer() {
 3. If inbox has messages, respond to direct mentions.
 4. **Never report task status from memory alone** — always query the API first.
 
-## Comms Protocol (required)
+## No-Task Idle Loop (recommended)
+If your heartbeat shows **no active task** and **no next task**:
+1. Post a brief status in team chat **once per hour max**: "[no task] checking board + signals".
+2. Check the board + top signals:
+   - \`curl -s "${baseUrl}/tasks?status=todo&limit=5&compact=true"\`
+   - \`curl -s "${baseUrl}/loop/summary?compact=true"\`
+3. If there’s a clear next task for your lane, claim it and start work. If a signal/insight is actionable, create/claim a task and start work.
+4. If the board + signals are empty, write up what you checked and propose a next step in a problems/ideas channel if your team has one (otherwise use \`#general\`).
+5. If you’re still idle after checking, propose the next highest-leverage work item with evidence — don’t wait for someone else to assign it.
+
+## Comms Protocol (recommended)
 1. **Status updates belong in task comments first** (\`POST /tasks/:id/comments\`).
-2. **Shipped artifacts go to \`#shipping\`** and must include \`@reviewer\` + task ID + PR/artifact link.
-3. **Review requests go to \`#reviews\`** and must include \`@reviewer\` + task ID + exact ask.
-4. **Blockers go to \`#blockers\`** and must include \`@kai\` + task ID + concrete unblock needed.
-5. **\`#general\` is decisions/cross-team coordination only** (not routine heartbeat chatter).
+2. **Shipped artifacts**: post in a shipping/release channel (if your team uses one) and include \`@reviewer\` + task ID + PR/artifact link.
+3. **Review requests**: post in a reviews channel (if your team uses one) and include \`@reviewer\` + task ID + exact ask.
+4. **Blockers**: post in a blockers channel (if your team uses one) and include **who you need** + task ID + concrete unblock needed.
+5. Keep \`#general\` for decisions/cross-team coordination (not routine heartbeat chatter).
 
 ## API Quick Reference
 - Heartbeat check: \`GET /heartbeat/${agent}\`
@@ -9818,8 +9977,17 @@ export async function createServer() {
     });
     // ============ CLOUD INTEGRATION (see docs/CLOUD_ENDPOINTS.md) ============
     app.get('/cloud/status', async () => {
-        const { getCloudStatus } = await import('./cloud.js');
-        return getCloudStatus();
+        const { getCloudStatus, getConnectionHealth, getConnectionEvents } = await import('./cloud.js');
+        return {
+            ...getCloudStatus(),
+            connectionHealth: getConnectionHealth(),
+        };
+    });
+    app.get('/cloud/events', async (request) => {
+        const { getConnectionEvents } = await import('./cloud.js');
+        const url = new URL(request.url, 'http://localhost');
+        const limit = Math.min(Number(url.searchParams.get('limit')) || 50, 100);
+        return { events: getConnectionEvents(limit) };
     });
     app.post('/cloud/reload', async () => {
         const { stopCloudIntegration, startCloudIntegration, getCloudStatus } = await import('./cloud.js');
@@ -10416,6 +10584,22 @@ export async function createServer() {
     // Prune old mutation alert tracking every 30 minutes
     const pruneTimer = setInterval(pruneOldAttempts, 30 * 60 * 1000);
     pruneTimer.unref();
+    // GET /compliance/violations — state-read-before-assertion compliance violations
+    app.get('/compliance/violations', async (request, reply) => {
+        const query = request.query;
+        const agent = query.agent || undefined;
+        const severity = query.severity || undefined;
+        const limit = Math.min(parseInt(query.limit || '100', 10) || 100, 1000);
+        const since = query.since ? parseInt(query.since, 10) : undefined;
+        const violations = queryViolations({ agent, severity, limit, since });
+        const summary = getViolationSummary(since);
+        reply.send({
+            violations,
+            count: violations.length,
+            summary,
+            query: { agent: agent ?? null, severity: severity ?? null, limit, since: since ?? null },
+        });
+    });
     // GET /audit/reviews — review-field mutation audit ledger
     app.get('/audit/reviews', async (request, reply) => {
         const query = request.query;
@@ -10882,6 +11066,8 @@ export async function createServer() {
         const result = calendarEvents.getAgentNextEvent(query.agent);
         return { agent: query.agent, next_event: result?.event || null, starts_at: result?.starts_at || null };
     });
+    // Start hourly auto-snapshot for alert-preflight daily metrics
+    startAutoSnapshot();
     return app;
 }
 //# sourceMappingURL=server.js.map