smol-symphony 0.1.0

package/dist/http.js

@@ -0,0 +1,1189 @@
+// HTTP server extension (SPEC §13.7) plus the local-tracker UI for creating issues and
+// watching status. The UI polls `/api/v1/state` so no SSE/WebSocket infrastructure is
+// needed.
+import { createServer } from 'node:http';
+import { mkdir, readdir, readFile, writeFile, stat } from 'node:fs/promises';
+import path from 'node:path';
+import { sanitizeWorkspaceKey } from './workspace.js';
+import { log } from './logging.js';
+function jsonResponse(res, status, body) {
+    const text = JSON.stringify(body);
+    res.statusCode = status;
+    res.setHeader('content-type', 'application/json; charset=utf-8');
+    res.setHeader('content-length', Buffer.byteLength(text));
+    res.end(text);
+}
+function methodNotAllowed(res) {
+    jsonResponse(res, 405, { error: { code: 'method_not_allowed', message: 'method not allowed' } });
+}
+function notFound(res, code = 'not_found', message = 'not found') {
+    jsonResponse(res, 404, { error: { code, message } });
+}
+function badRequest(res, message) {
+    jsonResponse(res, 400, { error: { code: 'bad_request', message } });
+}
+async function readJsonBody(req, maxBytes = 1_000_000) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        req.on('data', (chunk) => {
+            size += chunk.length;
+            if (size > maxBytes) {
+                req.destroy();
+                reject(new Error('request body too large'));
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on('end', () => {
+            const text = Buffer.concat(chunks).toString('utf8');
+            if (text.length === 0)
+                return resolve({});
+            try {
+                resolve(JSON.parse(text));
+            }
+            catch (err) {
+                reject(new Error(`invalid JSON: ${err.message}`));
+            }
+        });
+        req.on('error', reject);
+    });
+}
+// Cross-site form POSTs are "simple" CORS requests that bypass preflight, so an
+// unauthenticated endpoint that accepts form-encoded bodies is CSRFable from any
+// origin. Steering reply uses this check (in addition to requiring HX-Request) to
+// reject form bodies whose Origin doesn't match the Host the request hit.
+//
+// We treat the request as same-origin if either:
+//   • An Origin header is present and its host:port equals the Host header (the
+//     normal browser case), or
+//   • There is no Origin header at all AND no Referer header (curl, internal calls,
+//     non-browser tools). Browsers always send Origin on cross-origin form POSTs.
+function isSameOriginRequest(req) {
+    const host = (req.headers['host'] ?? '').toString().trim();
+    const origin = (req.headers['origin'] ?? '').toString().trim();
+    if (origin) {
+        try {
+            const parsed = new URL(origin);
+            return parsed.host === host;
+        }
+        catch {
+            return false;
+        }
+    }
+    // No Origin header — only trust if there's no Referer either (a real browser
+    // form POST sets at least one).
+    return !(req.headers['referer'] && req.headers['referer'].length > 0);
+}
+// HTMX's default response handling does not swap content on 4xx/5xx responses, so
+// returning a 4xx with an HTML partial silently leaves the panel stale. For HTMX
+// callers we therefore return 200 with the attention partial plus a one-line error
+// banner; the operator's textarea text survives via hx-preserve. JSON callers still
+// get the appropriate status code and a structured error.
+async function htmxOrJsonError(res, isHtmx, orch, view, jsonStatus, code, message) {
+    if (isHtmx) {
+        const p = await gatherPartialInputs(orch, view);
+        res.statusCode = 200;
+        res.setHeader('content-type', 'text/html; charset=utf-8');
+        res.setHeader('cache-control', 'no-store');
+        res.end(renderAttentionPartial(p, { errorMessage: message }));
+        return;
+    }
+    jsonResponse(res, jsonStatus, { error: { code, message } });
+}
+async function readTextBody(req, maxBytes = 1_000_000) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        req.on('data', (chunk) => {
+            size += chunk.length;
+            if (size > maxBytes) {
+                req.destroy();
+                reject(new Error('request body too large'));
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
+        req.on('error', reject);
+    });
+}
+// Used by the dashboard form. The local tracker stores issues at:
+//   <tracker.root>/<state>/<identifier>.md
+// with YAML front matter. Identifier sanitization re-uses the workspace key rules so the
+// file name is always safe across the rest of the orchestrator.
+async function writeIssueFile(input) {
+    const ident = sanitizeWorkspaceKey(input.identifier);
+    if (!ident)
+        throw new Error('identifier must contain at least one allowed character');
+    const stateDir = path.join(input.trackerRoot, input.state);
+    await mkdir(stateDir, { recursive: true });
+    const filePath = path.join(stateDir, `${ident}.md`);
+    try {
+        await stat(filePath);
+        throw new Error(`issue ${ident} already exists at ${filePath}`);
+    }
+    catch (err) {
+        if (err.code !== 'ENOENT')
+            throw err;
+    }
+    const now = new Date().toISOString();
+    const fm = {
+        id: ident,
+        identifier: ident,
+        title: input.title,
+        created_at: now,
+        updated_at: now,
+    };
+    if (typeof input.priority === 'number')
+        fm.priority = input.priority;
+    if (input.labels && input.labels.length > 0)
+        fm.labels = input.labels;
+    if (input.blocked_by && input.blocked_by.length > 0)
+        fm.blocked_by = input.blocked_by;
+    const yamlLines = ['---'];
+    for (const [k, v] of Object.entries(fm)) {
+        if (Array.isArray(v)) {
+            yamlLines.push(`${k}: [${v.map((x) => JSON.stringify(x)).join(', ')}]`);
+        }
+        else if (typeof v === 'string') {
+            yamlLines.push(`${k}: ${JSON.stringify(v)}`);
+        }
+        else {
+            yamlLines.push(`${k}: ${String(v)}`);
+        }
+    }
+    yamlLines.push('---', '');
+    const body = (input.description ?? '').trim();
+    const content = yamlLines.join('\n') + (body.length > 0 ? body + '\n' : '');
+    await writeFile(filePath, content, 'utf8');
+    return { path: filePath, identifier: ident, state: input.state };
+}
+// Browse current issues directly from disk so the UI can show items that are neither
+// currently running nor in the retry queue.
+async function listIssuesFromDisk(trackerRoot) {
+    const out = [];
+    let entries;
+    try {
+        entries = await readdir(trackerRoot);
+    }
+    catch {
+        return out;
+    }
+    for (const stateDir of entries) {
+        const dirPath = path.join(trackerRoot, stateDir);
+        let st;
+        try {
+            st = await stat(dirPath);
+        }
+        catch {
+            continue;
+        }
+        if (!st.isDirectory())
+            continue;
+        let files;
+        try {
+            files = await readdir(dirPath);
+        }
+        catch {
+            continue;
+        }
+        for (const f of files) {
+            if (!f.endsWith('.md'))
+                continue;
+            const filePath = path.join(dirPath, f);
+            let text;
+            try {
+                text = await readFile(filePath, 'utf8');
+            }
+            catch {
+                continue;
+            }
+            let title = f.slice(0, -3);
+            const titleMatch = /^---[\s\S]*?\ntitle:\s*(.+)\n[\s\S]*?---/m.exec(text);
+            if (titleMatch) {
+                title = titleMatch[1].trim().replace(/^["'](.*)["']$/, '$1');
+            }
+            out.push({ identifier: f.slice(0, -3), state: stateDir, title });
+        }
+    }
+    out.sort((a, b) => a.identifier.localeCompare(b.identifier));
+    return out;
+}
+async function gatherPartialInputs(orch, view) {
+    const trackerRoot = view.trackerRoot ?? '(unset)';
+    let diskIssues = [];
+    if (view.trackerRoot) {
+        try {
+            diskIssues = await listIssuesFromDisk(view.trackerRoot);
+        }
+        catch {
+            diskIssues = [];
+        }
+    }
+    return {
+        workflowName: path.basename(view.workflowPath || 'workflow.md'),
+        workflowPath: view.workflowPath || '',
+        trackerRoot,
+        activeStates: view.activeStates,
+        terminalStates: view.terminalStates,
+        snapshot: orch.snapshot(),
+        diskIssues,
+    };
+}
+function trackerStatus(snap) {
+    const awaiting = snap.running.some((r) => r.steering_requested);
+    if (awaiting || snap.retrying.length > 0)
+        return 'attention';
+    if (snap.running.length > 0)
+        return 'working';
+    return 'idle';
+}
+function formatTokens(n) {
+    if (n < 1000)
+        return String(n);
+    if (n < 1_000_000)
+        return `${(n / 1000).toFixed(n < 10_000 ? 1 : 0)}k`;
+    return `${(n / 1_000_000).toFixed(1)}M`;
+}
+function formatRuntime(seconds) {
+    const s = Math.max(0, Math.round(seconds));
+    if (s < 60)
+        return `${s}s`;
+    const m = Math.floor(s / 60);
+    if (m < 60)
+        return `${m}m`;
+    const h = Math.floor(m / 60);
+    const rem = m % 60;
+    return rem === 0 ? `${h}h` : `${h}h${rem}m`;
+}
+function formatTimeShort(iso) {
+    if (!iso)
+        return '';
+    const d = new Date(iso);
+    if (Number.isNaN(d.getTime()))
+        return '';
+    return d.toLocaleTimeString(undefined, { hour: '2-digit', minute: '2-digit', second: '2-digit' });
+}
+function truncate(text, max) {
+    if (!text)
+        return '';
+    const trimmed = text.replace(/\s+/g, ' ').trim();
+    return trimmed.length > max ? trimmed.slice(0, max - 1) + '…' : trimmed;
+}
+// The header partial returns ONLY the tracker-state badge content. Brand, workflow name,
+// tracker root, and the refresh button live in the static shell and never repoll, so the
+// 2s heartbeat doesn't flash the whole strip.
+function renderHeaderPartial(p) {
+    const status = trackerStatus(p.snapshot);
+    const statusLabel = status === 'attention' ? 'attention' : status === 'working' ? 'working' : 'idle';
+    return `<span class="badge badge-${status}" aria-label="tracker state: ${statusLabel}">${statusLabel}</span>`;
+}
+function renderAttentionPartial(p, opts) {
+    const awaiting = p.snapshot.running.filter((r) => r.steering_requested);
+    const retrying = p.snapshot.retrying;
+    const errorMessage = opts?.errorMessage?.trim() ?? '';
+    if (awaiting.length === 0 && retrying.length === 0 && !errorMessage)
+        return '';
+    const errorBanner = errorMessage
+        ? `<div class="steering-error" role="alert">${escapeHtml(errorMessage)}</div>`
+        : '';
+    const steeringBlocks = awaiting.map((r) => renderSteeringBlock(r)).join('');
+    const retryBlocks = retrying.length > 0 ? renderRetryBlock(retrying) : '';
+    return `<h2 class="attention-title">attention</h2>
+${errorBanner}${steeringBlocks}${retryBlocks}`;
+}
+function renderSteeringBlock(r) {
+    const question = (r.steering_question ?? '').trim() || '(no question text)';
+    const context = (r.steering_context ?? '').trim();
+    const issueTitle = (r.issue_title ?? '').trim();
+    const issueBody = (r.issue_body ?? '').trim();
+    const hasOriginalTask = issueTitle.length > 0 || issueBody.length > 0;
+    const hasAnyExtra = hasOriginalTask || context.length > 0;
+    // The textarea is given a stable id and hx-preserve="true" so the every-2s repoll of
+    // the attention zone doesn't wipe the operator's in-progress reply.
+    const textareaId = `reply-${r.issue_identifier}`;
+    const summaryLabel = hasOriginalTask && context ? 'original task & agent’s context'
+        : hasOriginalTask ? 'original task'
+            : 'agent’s context';
+    return `<article class="steering" data-identifier="${escapeHtml(r.issue_identifier)}">
+  <header class="steering-head">
+    <strong class="ident">${escapeHtml(r.issue_identifier)}</strong>
+    <span class="pill awaiting">awaiting</span>
+    <span class="turn"><span class="dim">turn</span> ${r.turn_count}</span>
+  </header>
+  <p class="question-primary">${escapeHtml(question)}</p>
+  ${hasAnyExtra ? `<details class="steering-task">
+    <summary>${escapeHtml(summaryLabel)}</summary>
+    <div class="steering-task-body">
+      ${hasOriginalTask ? `<div class="steering-task-label">issue</div>
+      ${issueTitle ? `<h3 class="issue-title">${escapeHtml(issueTitle)}</h3>` : ''}
+      ${issueBody ? `<p class="issue-body">${escapeHtml(issueBody)}</p>` : ''}` : ''}
+      ${context ? `<div class="steering-task-label">agent’s context</div>
+      <pre class="context">${escapeHtml(context)}</pre>` : ''}
+    </div>
+  </details>` : ''}
+  <form class="reply"
+        hx-post="/api/v1/issues/${encodeURIComponent(r.issue_identifier)}/steering-reply"
+        hx-target="#attention" hx-swap="morph:innerHTML">
+    <textarea id="${escapeHtml(textareaId)}" name="text" required
+              placeholder="your reply…"
+              aria-label="reply to ${escapeHtml(r.issue_identifier)}"
+              hx-preserve="true"></textarea>
+    <div class="reply-row">
+      <span class="hint dim">enter to send · shift+enter for newline</span>
+      <button type="submit" class="ghost">send reply</button>
+    </div>
+  </form>
+</article>`;
+}
+function renderRetryBlock(rows) {
+    const items = rows.map((r) => `<li>
+    <strong class="ident">${escapeHtml(r.issue_identifier)}</strong>
+    <span class="pill retrying">retrying</span>
+    <span class="dim">attempt ${r.attempt}</span>
+    <span class="dim">due ${escapeHtml(formatTimeShort(r.due_at) || '—')}</span>
+    ${r.error ? `<div class="retry-err">${escapeHtml(truncate(r.error, 200))}</div>` : ''}
+  </li>`).join('');
+    return `<ul class="retry-list" aria-label="retry queue">${items}</ul>`;
+}
+function renderSessionsPartial(p) {
+    const rows = p.snapshot.running;
+    if (rows.length === 0) {
+        return `<h2>sessions</h2>
+<p class="empty dim">no sessions running. agents wake when an issue lands in <code>${escapeHtml(p.activeStates[0] ?? 'Todo')}/</code>.</p>`;
+    }
+    const sessionItems = rows.map((r) => renderSessionRow(r)).join('');
+    return `<h2>sessions <span class="count dim">(${rows.length})</span></h2>
+<ul class="sessions">${sessionItems}</ul>`;
+}
+function renderSessionRow(r) {
+    const awaiting = r.steering_requested;
+    const pill = awaiting
+        ? '<span class="pill awaiting">awaiting</span>'
+        : r.marked_done
+            ? '<span class="pill done">done</span>'
+            : '<span class="pill running">running</span>';
+    const tokens = r.tokens.total_tokens || 0;
+    const sessionId = r.session_id ? r.session_id.slice(0, 8) : '—';
+    const lastMsg = truncate(r.last_message ?? r.last_event ?? '', 140);
+    // The session row is two lines max: identifier + pill + turn + tokens + time on top,
+    // last-message on bottom. Session id / state / last-event detail is surfaced via the
+    // row's title attr so it's available on hover without adding a third line of noise.
+    const rowTitle = [
+        `session ${sessionId}`,
+        r.state,
+        r.last_event ?? null,
+        `started ${formatTimeShort(r.started_at) || '—'}`,
+    ]
+        .filter(Boolean)
+        .join(' · ');
+    return `<li class="session" title="${escapeHtml(rowTitle)}">
+  <div class="session-row">
+    <strong class="ident">${escapeHtml(r.issue_identifier)}</strong>
+    ${pill}
+    <span class="turn"><span class="dim">turn</span> ${r.turn_count}</span>
+    <span class="grow"></span>
+    <span class="tokens dim">${formatTokens(tokens)} tok</span>
+  </div>
+  ${lastMsg ? `<div class="session-msg dim">${escapeHtml(lastMsg)}</div>` : ''}
+</li>`;
+}
+function renderDiskPartial(p) {
+    const runIds = new Set(p.snapshot.running.map((r) => r.issue_identifier));
+    const retryIds = new Set(p.snapshot.retrying.map((r) => r.issue_identifier));
+    const active = new Set(p.activeStates);
+    const filtered = p.diskIssues.filter((i) => active.has(i.state) && !runIds.has(i.identifier) && !retryIds.has(i.identifier));
+    if (filtered.length === 0) {
+        return `<h2>on disk</h2>
+<p class="empty dim">tracker is clean. drop a markdown file into <code>${escapeHtml(p.activeStates[0] ?? 'Todo')}/</code> or open <em>new issue</em> below.</p>`;
+    }
+    const items = filtered.map((i) => `<li>
+    <span class="ident">${escapeHtml(i.identifier)}</span>
+    <span class="state dim">${escapeHtml(i.state)}</span>
+    <span class="title">${escapeHtml(i.title)}</span>
+  </li>`).join('');
+    return `<h2>on disk <span class="count dim">(${filtered.length})</span></h2>
+<ul class="disk">${items}</ul>`;
+}
+function renderTotalsPartial(p) {
+    const t = p.snapshot.codex_totals;
+    if (!t || (t.input_tokens === 0 && t.output_tokens === 0 && t.seconds_running === 0))
+        return '';
+    return `${formatTokens(t.input_tokens)} in · ${formatTokens(t.output_tokens)} out · ${formatTokens(t.total_tokens)} total · ${formatRuntime(t.seconds_running)} runtime`;
+}
+function renderDashboardHtml(p) {
+    const allStates = Array.from(new Set([...p.activeStates, ...p.terminalStates]));
+    const stateOptions = allStates
+        .map((s) => `<option value="${escapeHtml(s)}">${escapeHtml(s)}</option>`)
+        .join('');
+    const diskCount = p.diskIssues.filter((i) => p.activeStates.includes(i.state)).length;
+    const formOpen = diskCount === 0 && p.snapshot.running.length === 0 && p.snapshot.retrying.length === 0;
+    return `<!doctype html>
+<html lang="en"><head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>symphony · ${escapeHtml(p.workflowName)}</title>
+<style>
+:root {
+  color-scheme: dark;
+  --inset: #0c0f15; --bench: #0f1115; --raised: #161a22; --chip: #20242c;
+  --rule-soft: #1c2029; --rule-firm: #2a2e36;
+  --dim: #6b7280; --muted: #9aa4b2; --base: #dfe2e7; --strong: #e6ebf2;
+  --accent: #2a6df4;
+  --run-bg: #1f3a26; --run-fg: #58d68d;
+  --retry-bg: #3a2f1f; --retry-fg: #f0c060;
+  --idle-bg: #20242c; --idle-fg: #9aa4b2;
+  --await-bg: #1f2a36; --await-fg: #7fb5d4;
+  --done-bg: #1c2a1f; --done-fg: #82c896;
+  --err: #ff7676;
+}
+* { box-sizing: border-box; }
+html, body { background: var(--bench); color: var(--base); }
+body {
+  font: 14px/1.45 ui-sans-serif, system-ui, sans-serif;
+  margin: 0; padding: 0;
+  display: flex; flex-direction: column; min-height: 100vh;
+}
+main {
+  width: 100%; max-width: 1080px; margin: 0 auto;
+  padding: 1rem 1.5rem 2rem; flex: 1;
+}
+code { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; font-size: 0.92em; color: var(--strong); }
+.dim { color: var(--dim); }
+.grow { flex: 1; }
+h2 {
+  font-size: 1rem; font-weight: 500; margin: 1.6rem 0 0.5rem;
+  padding-bottom: 0.35rem; border-bottom: 1px solid var(--rule-firm);
+  letter-spacing: 0.01em;
+}
+h2:first-child { margin-top: 0.4rem; }
+
+/* ── header strip ─────────────────────────────────────────────────────── */
+#header {
+  display: flex; align-items: center; gap: 0.5rem;
+  padding: 0.65rem 1.5rem;
+  background: var(--bench); border-bottom: 1px solid var(--rule-firm);
+  font-size: 13px;
+  position: sticky; top: 0; z-index: 10;
+}
+#header .brand { font-weight: 600; color: var(--strong); letter-spacing: 0.01em; }
+#header .rule { color: var(--dim); }
+#header .workflow { color: var(--base); }
+#header .tracker-root {
+  color: var(--dim); font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  font-size: 12px;
+  white-space: nowrap; overflow: hidden; text-overflow: ellipsis;
+  margin-left: 0.75rem;
+  flex: 1 1 auto; min-width: 0;
+}
+#header .badge {
+  display: inline-block; padding: 0.1rem 0.55rem; border-radius: 999px;
+  font-size: 0.78em; letter-spacing: 0.04em; text-transform: uppercase;
+  background: var(--idle-bg); color: var(--idle-fg);
+}
+#header .badge-working { background: var(--run-bg); color: var(--run-fg); }
+#header .badge-attention { background: var(--await-bg); color: var(--await-fg); }
+#header .badge-idle { background: var(--idle-bg); color: var(--idle-fg); }
+#header .refresh {
+  background: var(--chip); color: var(--base);
+  border: 1px solid var(--rule-firm); border-radius: 4px;
+  width: 28px; height: 28px;
+  display: inline-flex; align-items: center; justify-content: center;
+  cursor: pointer; font: inherit; font-size: 14px;
+  transition: border-color 180ms cubic-bezier(.22,1,.36,1);
+}
+#header .refresh:hover { border-color: var(--muted); }
+#header .refresh:focus-visible { outline: 2px solid var(--accent); outline-offset: 1px; }
+
+/* ── pills ────────────────────────────────────────────────────────────── */
+.pill {
+  display: inline-block; padding: 0.1rem 0.55rem; border-radius: 999px;
+  font-size: 0.82em; line-height: 1.4;
+  font-variant-numeric: tabular-nums;
+}
+.pill.running { background: var(--run-bg); color: var(--run-fg); }
+.pill.retrying { background: var(--retry-bg); color: var(--retry-fg); }
+.pill.idle { background: var(--idle-bg); color: var(--idle-fg); }
+.pill.awaiting { background: var(--await-bg); color: var(--await-fg); }
+.pill.done { background: var(--done-bg); color: var(--done-fg); }
+
+/* ── attention zone ───────────────────────────────────────────────────── */
+/* Animated open/close: max-height transitions between 0 (empty) and a generous cap
+   (populated) so the section eases in and out rather than snapping the page up/down
+   when steering arrives or is resolved. */
+#attention {
+  display: block;
+  overflow: hidden;
+  max-height: 0;
+  margin-bottom: 0;
+  transition: max-height 280ms cubic-bezier(.22, 1, .36, 1),
+              margin-bottom 280ms cubic-bezier(.22, 1, .36, 1);
+}
+#attention:not(:empty) {
+  max-height: 1500px;
+  margin-bottom: 0.4rem;
+}
+.attention-title { color: var(--await-fg); border-bottom-color: var(--await-bg); }
+.steering-error {
+  margin: 0.4rem 0; padding: 0.5rem 0.7rem;
+  background: var(--inset); border: 1px solid var(--rule-firm); border-radius: 4px;
+  color: var(--err); font-size: 0.9em; line-height: 1.4;
+}
+/* The steering panel: question-first layout. Selected via /impeccable live (variant 3,
+   question-scale=1.1, density=snug). The agent's prompt sits proud and unscaled, and the
+   original issue + agent context tuck into a disclosure so the panel reads small until
+   the operator wants depth. */
+.steering {
+  background: var(--raised); padding: 0.55rem 0.8rem; margin: 0.5rem 0;
+  border-radius: 6px;
+  display: grid; gap: 0.4rem;
+}
+.steering-head {
+  display: flex; align-items: center; gap: 0.6rem;
+}
+.steering .ident { color: var(--strong); font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; }
+.steering .turn { font-size: 0.88em; }
+.steering .question-primary {
+  margin: 0;
+  font-size: calc(14px * 1.1);
+  line-height: 1.4; color: var(--strong); font-weight: 400;
+}
+.steering details.steering-task { font-size: 0.92em; }
+.steering details.steering-task > summary {
+  cursor: pointer; list-style: none;
+  color: var(--muted); padding: 0.3rem 0; user-select: none;
+  font-size: 0.88em;
+}
+.steering details.steering-task > summary::-webkit-details-marker { display: none; }
+.steering details.steering-task > summary::before {
+  content: "▸"; padding-right: 0.4rem;
+  transition: transform 180ms cubic-bezier(.22,1,.36,1);
+  display: inline-block; color: var(--dim);
+}
+.steering details.steering-task[open] > summary::before { transform: rotate(90deg); }
+.steering .steering-task-body {
+  display: grid; gap: 0.45rem;
+  padding: 0.35rem 0 0 0.85rem;
+  border-left: 1px solid var(--rule-soft);
+}
+.steering .steering-task-label {
+  font-size: 0.72em; color: var(--dim);
+  letter-spacing: 0.09em; text-transform: uppercase;
+}
+.steering .steering-task-body .issue-title {
+  margin: 0; font-size: 0.95em; font-weight: 500; color: var(--base);
+}
+.steering .steering-task-body .issue-body {
+  margin: 0; color: var(--muted); font-size: 0.92em; line-height: 1.5;
+}
+.steering .context {
+  margin: 0; padding: 0.5rem 0.65rem;
+  background: var(--inset); border: 1px solid var(--rule-firm); border-radius: 4px;
+  font: 12.5px/1.5 ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  color: var(--muted); white-space: pre-wrap; word-break: break-word;
+  max-height: 12em; overflow: auto;
+}
+.steering form.reply { display: grid; gap: 0.45rem; }
+.steering textarea {
+  background: var(--inset); color: var(--strong);
+  border: 1px solid var(--rule-firm); border-radius: 4px;
+  padding: 0.5rem 0.65rem;
+  font: 14px/1.5 ui-sans-serif, system-ui, sans-serif;
+  width: 100%; min-height: 64px; resize: vertical;
+}
+.steering textarea:focus-visible { outline: 1px solid var(--accent); outline-offset: 0; border-color: var(--accent); }
+.steering .reply-row { display: flex; align-items: center; gap: 0.75rem; }
+.steering .hint { font-size: 0.82em; }
+.ghost {
+  background: var(--chip); color: var(--base);
+  border: 1px solid var(--rule-firm); border-radius: 4px;
+  padding: 0.35rem 0.85rem; font: inherit; cursor: pointer;
+  transition: border-color 180ms cubic-bezier(.22,1,.36,1);
+}
+.ghost:hover { border-color: var(--muted); }
+.ghost:focus-visible { outline: 2px solid var(--accent); outline-offset: 1px; }
+.ghost:disabled { color: var(--dim); cursor: not-allowed; }
+
+.retry-list { list-style: none; padding: 0; margin: 0.4rem 0 0; }
+.retry-list li {
+  display: grid;
+  grid-template-columns: max-content max-content max-content max-content;
+  gap: 0.55rem; align-items: center;
+  padding: 0.4rem 0; border-bottom: 1px solid var(--rule-soft);
+  font-variant-numeric: tabular-nums;
+}
+.retry-list li:last-child { border-bottom: 0; }
+.retry-list .ident { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; }
+.retry-list .retry-err {
+  grid-column: 1 / -1; color: var(--err); font-size: 0.88em;
+  padding-top: 0.15rem;
+  word-break: break-word;
+}
+
+/* ── sessions ─────────────────────────────────────────────────────────── */
+.sessions { list-style: none; padding: 0; margin: 0; }
+.sessions li.session {
+  padding: 0.5rem 0; border-bottom: 1px solid var(--rule-soft);
+}
+.sessions li.session:last-child { border-bottom: 0; }
+.session-row {
+  display: flex; align-items: baseline; gap: 0.65rem;
+  font-variant-numeric: tabular-nums;
+}
+.session-row .ident { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; color: var(--strong); }
+.session-row .turn { font-size: 0.88em; color: var(--muted); }
+.session-row .tokens { font-size: 0.88em; }
+.session-msg {
+  margin-top: 0.2rem; padding-left: 0.05rem;
+  font-size: 0.9em; line-height: 1.45;
+  overflow-wrap: anywhere;
+  max-height: 2.9em; overflow: hidden;
+}
+
+/* ── on disk ──────────────────────────────────────────────────────────── */
+.disk { list-style: none; padding: 0; margin: 0; }
+.disk li {
+  display: grid;
+  grid-template-columns: 10rem 5.5rem 1fr;
+  gap: 0.5rem; align-items: baseline;
+  padding: 0.35rem 0; border-bottom: 1px solid var(--rule-soft);
+  font-variant-numeric: tabular-nums;
+}
+.disk li:last-child { border-bottom: 0; }
+.disk .ident { font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace; color: var(--strong); }
+.disk .state { font-size: 0.85em; }
+.disk .title { color: var(--base); overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+.count { font-weight: 400; font-size: 0.88em; margin-left: 0.4rem; }
+
+/* ── new issue (collapsed) ────────────────────────────────────────────── */
+details.new-issue {
+  margin-top: 1.4rem;
+}
+details.new-issue > summary {
+  cursor: pointer; list-style: none; padding: 0.55rem 0;
+  border-bottom: 1px solid var(--rule-firm);
+  font-size: 1rem; font-weight: 500;
+  display: flex; align-items: center; gap: 0.5rem;
+  user-select: none;
+}
+details.new-issue > summary::-webkit-details-marker { display: none; }
+details.new-issue > summary::before {
+  content: "▸"; color: var(--dim); font-size: 0.85em;
+  transition: transform 180ms cubic-bezier(.22,1,.36,1);
+  display: inline-block;
+}
+details.new-issue[open] > summary::before { transform: rotate(90deg); }
+details.new-issue[open] > summary { border-bottom-color: var(--rule-firm); }
+form.create {
+  display: grid; grid-template-columns: max-content 1fr; gap: 0.5rem 1rem;
+  align-items: center; padding: 1rem 0 0; margin-top: 0.4rem;
+}
+form.create label { color: var(--muted); }
+form.create input, form.create select, form.create textarea {
+  background: var(--inset); color: var(--strong);
+  border: 1px solid var(--rule-firm); border-radius: 4px;
+  padding: 0.4rem 0.6rem; font: inherit; width: 100%;
+}
+form.create input:focus-visible, form.create select:focus-visible, form.create textarea:focus-visible {
+  outline: 1px solid var(--accent); outline-offset: 0; border-color: var(--accent);
+}
+form.create textarea { min-height: 80px; resize: vertical; }
+form.create .submit-row {
+  grid-column: 2; display: flex; align-items: center; gap: 0.85rem;
+}
+form.create button {
+  background: var(--accent); color: #f4f6fb; border: 0;
+  padding: 0.5rem 1rem; border-radius: 4px; font: inherit; cursor: pointer;
+  transition: filter 180ms cubic-bezier(.22,1,.36,1);
+  flex: 0 0 auto;
+}
+form.create button:hover { filter: brightness(1.08); }
+form.create button:focus-visible { outline: 2px solid var(--strong); outline-offset: 2px; }
+form.create .msg { min-height: 1.2em; color: var(--muted); font-size: 0.9em; line-height: 1.2; }
+form.create .msg.err { color: var(--err); }
+form.create .msg.ok { color: var(--run-fg); }
+
+/* ── totals footer ────────────────────────────────────────────────────── */
+footer.totals {
+  margin-top: 2.5rem; padding-top: 0.85rem;
+  border-top: 1px solid var(--rule-soft);
+  color: var(--dim); font-size: 0.88em;
+  font-variant-numeric: tabular-nums;
+  display: flex; gap: 0.65rem; flex-wrap: wrap;
+}
+footer.totals:empty { display: none; }
+
+.empty { padding: 0.5rem 0; }
+
+/* htmx ergonomics */
+.htmx-request .refresh { opacity: 0.6; }
+.htmx-settling .session-msg { opacity: 0.85; }
+</style>
+<script src="https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"></script>
+<script src="https://unpkg.com/idiomorph@0.7.4/dist/idiomorph-ext.min.js"></script>
+</head><body hx-ext="morph">
+
+<header id="header">
+  <span class="brand">symphony</span>
+  <span class="rule" aria-hidden="true">·</span>
+  <span class="workflow" title="${escapeHtml(p.workflowPath)}">${escapeHtml(p.workflowName)}</span>
+  <span class="tracker-root" title="${escapeHtml(p.trackerRoot)}">${escapeHtml(p.trackerRoot)}</span>
+  <span id="tracker-state"
+        hx-get="/api/v1/partials/header" hx-trigger="every 2s, refreshed from:body"
+        hx-swap="morph:innerHTML">${renderHeaderPartial(p)}</span>
+  <button type="button" class="refresh"
+          hx-post="/api/v1/refresh" hx-swap="none"
+          aria-label="refresh now" title="poll &amp; reconcile">⟳</button>
+</header>
+
+<main>
+
+<section id="attention"
+         hx-get="/api/v1/partials/attention" hx-trigger="every 2s, refreshed from:body"
+         hx-swap="morph:innerHTML">${renderAttentionPartial(p)}</section>
+
+<section id="sessions"
+         hx-get="/api/v1/partials/sessions" hx-trigger="every 2s, refreshed from:body"
+         hx-swap="morph:innerHTML">${renderSessionsPartial(p)}</section>
+
+<section id="disk"
+         hx-get="/api/v1/partials/disk" hx-trigger="every 2s, refreshed from:body"
+         hx-swap="morph:innerHTML">${renderDiskPartial(p)}</section>
+
+<details class="new-issue"${formOpen ? ' open' : ''}>
+  <summary>new issue</summary>
+  <form class="create" id="create-form">
+    <label for="identifier">identifier</label>
+    <input id="identifier" name="identifier" required placeholder="ABC-42" autocomplete="off" />
+    <label for="title">title</label>
+    <input id="title" name="title" required autocomplete="off" />
+    <label for="state">state</label>
+    <select id="state" name="state">${stateOptions}</select>
+    <label for="priority">priority</label>
+    <input id="priority" name="priority" type="number" min="0" max="10" placeholder="2" />
+    <label for="labels">labels</label>
+    <input id="labels" name="labels" placeholder="bug, urgent" autocomplete="off" />
+    <label for="description">description</label>
+    <textarea id="description" name="description" placeholder="what needs to be done?"></textarea>
+    <div class="submit-row">
+      <button type="submit">create issue</button>
+      <span class="msg" id="create-msg" role="status" aria-live="polite"></span>
+    </div>
+  </form>
+</details>
+
+<footer class="totals"
+        hx-get="/api/v1/partials/totals" hx-trigger="every 2s, refreshed from:body"
+        hx-swap="morph:innerHTML">${renderTotalsPartial(p)}</footer>
+
+</main>
+
+<script>
+const $ = (id) => document.getElementById(id);
+
+// Enter-to-send on steering textareas. HTMX submits the form; shift+enter still inserts a newline.
+document.addEventListener('keydown', (ev) => {
+  const t = ev.target;
+  if (!(t instanceof HTMLTextAreaElement)) return;
+  if (!t.closest('form.reply')) return;
+  if (ev.key === 'Enter' && !ev.shiftKey && !ev.isComposing) {
+    ev.preventDefault();
+    t.form && t.form.requestSubmit();
+  }
+});
+
+// Create-issue form: stays on fetch+JSON (the create POST takes structured arrays). After
+// success we fire a custom event the polling regions listen to via hx-trigger.
+$('create-form').addEventListener('submit', async (ev) => {
+  ev.preventDefault();
+  const msg = $('create-msg');
+  msg.className = 'msg'; msg.textContent = 'creating…';
+  const labels = $('labels').value.split(',').map((s) => s.trim()).filter(Boolean);
+  const priorityRaw = $('priority').value.trim();
+  const body = {
+    identifier: $('identifier').value.trim(),
+    title: $('title').value.trim(),
+    state: $('state').value,
+    description: $('description').value,
+    labels,
+    priority: priorityRaw === '' ? null : Number(priorityRaw),
+  };
+  try {
+    const res = await fetch('/api/v1/issues', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify(body),
+    });
+    const data = await res.json();
+    if (!res.ok) throw new Error((data && data.error && data.error.message) || ('HTTP ' + res.status));
+    msg.className = 'msg ok';
+    msg.textContent = 'created ' + data.identifier;
+    $('create-form').reset();
+    fetch('/api/v1/refresh', { method: 'POST' }).catch(() => {});
+    document.body.dispatchEvent(new CustomEvent('refreshed', { bubbles: true }));
+  } catch (err) {
+    msg.className = 'msg err';
+    msg.textContent = err.message;
+  }
+});
+</script>
+
+</body></html>`;
+}
+function escapeHtml(s) {
+    return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
+}
+// Resolves once the server has either bound the requested port or rejected with the bind
+// error so CLI startup can surface EADDRINUSE / EACCES instead of an unhandled rejection.
+// Returns the *actually bound* port (relevant for --port 0, where the kernel picks an
+// ephemeral port) so callers can advertise the live address.
+export async function startHttpServer(orch, opts) {
+    const server = createServer((req, res) => {
+        void handleRequest(req, res, orch, opts).catch((err) => {
+            log.error('http handler error', { error: err.message });
+            try {
+                jsonResponse(res, 500, {
+                    error: { code: 'internal_error', message: err.message },
+                });
+            }
+            catch {
+                /* response already started */
+            }
+        });
+    });
+    server.on('clientError', (err, socket) => {
+        log.debug('http client error', { error: err.message });
+        try {
+            socket.end('HTTP/1.1 400 Bad Request\r\n\r\n');
+        }
+        catch {
+            /* socket may already be closed */
+        }
+    });
+    let boundPort = opts.port;
+    await new Promise((resolve, reject) => {
+        const onError = (err) => {
+            server.removeListener('listening', onListening);
+            reject(err);
+        };
+        const onListening = () => {
+            server.removeListener('error', onError);
+            const addr = server.address();
+            const port = typeof addr === 'object' && addr ? addr.port : opts.port;
+            boundPort = port;
+            log.info('http server listening', { host: opts.host, port });
+            resolve();
+        };
+        server.once('error', onError);
+        server.once('listening', onListening);
+        server.listen(opts.port, opts.host);
+    });
+    // After bind succeeds, install a permanent error handler so later runtime errors
+    // (sockets resetting, ENOTCONN, etc.) are logged rather than crashing the process.
+    server.on('error', (err) => {
+        log.warn('http server error', { error: err.message });
+    });
+    return {
+        port: boundPort,
+        close: () => new Promise((resolve) => {
+            server.close(() => resolve());
+        }),
+    };
+}
+async function handleRequest(req, res, orch, opts) {
+    // URL parsing inside the handler so a malformed Host header doesn't crash the listener.
+    let pathname;
+    try {
+        const url = new URL(req.url ?? '/', 'http://symphony.local');
+        pathname = url.pathname;
+    }
+    catch {
+        return badRequest(res, 'invalid request URL');
+    }
+    const method = (req.method ?? 'GET').toUpperCase();
+    const view = opts.getTrackerView();
+    if (pathname === '/') {
+        if (method !== 'GET')
+            return methodNotAllowed(res);
+        const p = await gatherPartialInputs(orch, view);
+        const html = renderDashboardHtml(p);
+        res.statusCode = 200;
+        res.setHeader('content-type', 'text/html; charset=utf-8');
+        res.end(html);
+        return;
+    }
+    // Static preview for impeccable live mode. The file under .impeccable/preview/ is a
+    // captured snapshot of the dashboard with polling disabled, used as a variant playground.
+    // Read on every request so live-wrap edits land immediately.
+    if (pathname === '/preview' || pathname === '/preview/') {
+        if (method !== 'GET')
+            return methodNotAllowed(res);
+        try {
+            const html = await readFile('.impeccable/preview/dashboard.html', 'utf8');
+            res.statusCode = 200;
+            res.setHeader('content-type', 'text/html; charset=utf-8');
+            res.setHeader('cache-control', 'no-store');
+            res.end(html);
+        }
+        catch (err) {
+            return notFound(res, 'preview_missing', `preview not available: ${err.message}`);
+        }
+        return;
+    }
+    // HTMX partials. Each region polls its own endpoint at 2s; this is what the dashboard
+    // <section hx-get=...> elements consume. They return only the inner HTML; the outer
+    // wrapper is in the dashboard shell.
+    if (pathname.startsWith('/api/v1/partials/')) {
+        if (method !== 'GET')
+            return methodNotAllowed(res);
+        const p = await gatherPartialInputs(orch, view);
+        const slug = pathname.slice('/api/v1/partials/'.length);
+        let body = null;
+        if (slug === 'header')
+            body = renderHeaderPartial(p);
+        else if (slug === 'attention')
+            body = renderAttentionPartial(p);
+        else if (slug === 'sessions')
+            body = renderSessionsPartial(p);
+        else if (slug === 'disk')
+            body = renderDiskPartial(p);
+        else if (slug === 'totals')
+            body = renderTotalsPartial(p);
+        if (body === null)
+            return notFound(res, 'partial_not_found', `partial ${slug} does not exist`);
+        res.statusCode = 200;
+        res.setHeader('content-type', 'text/html; charset=utf-8');
+        res.setHeader('cache-control', 'no-store');
+        res.end(body);
+        return;
+    }
+    if (pathname === '/api/v1/state') {
+        if (method !== 'GET')
+            return methodNotAllowed(res);
+        return jsonResponse(res, 200, orch.snapshot());
+    }
+    if (pathname === '/api/v1/refresh') {
+        if (method !== 'POST')
+            return methodNotAllowed(res);
+        const status = orch.triggerRefresh();
+        return jsonResponse(res, 202, {
+            ...status,
+            requested_at: new Date().toISOString(),
+            operations: ['poll', 'reconcile'],
+        });
+    }
+    if (pathname === '/api/v1/issues') {
+        if (method === 'GET') {
+            const root = view.trackerRoot;
+            if (!root)
+                return jsonResponse(res, 200, { issues: [] });
+            const issues = await listIssuesFromDisk(root);
+            return jsonResponse(res, 200, { issues });
+        }
+        if (method === 'POST') {
+            const root = view.trackerRoot;
+            if (!root)
+                return badRequest(res, 'tracker.root not configured');
+            let body;
+            try {
+                body = await readJsonBody(req);
+            }
+            catch (err) {
+                return badRequest(res, err.message);
+            }
+            if (!body || typeof body !== 'object' || Array.isArray(body)) {
+                return badRequest(res, 'body must be a JSON object');
+            }
+            const b = body;
+            const identifier = typeof b.identifier === 'string' ? b.identifier.trim() : '';
+            const title = typeof b.title === 'string' ? b.title.trim() : '';
+            const state = typeof b.state === 'string' ? b.state.trim() : '';
+            if (!identifier)
+                return badRequest(res, 'identifier is required');
+            if (!title)
+                return badRequest(res, 'title is required');
+            if (!state)
+                return badRequest(res, 'state is required');
+            // Restrict `state` to one of the configured active/terminal states. Anything else
+            // (or values containing path separators / `..`) is rejected so the request cannot
+            // escape the tracker root via `path.join`.
+            const allowedStates = new Set([...view.activeStates, ...view.terminalStates]);
+            if (!allowedStates.has(state)) {
+                return badRequest(res, `state must be one of: ${[...allowedStates].join(', ') || '<none configured>'}`);
+            }
+            const description = typeof b.description === 'string' ? b.description : undefined;
+            const priority = typeof b.priority === 'number' && Number.isFinite(b.priority) ? b.priority : null;
+            const labels = Array.isArray(b.labels)
+                ? b.labels.filter((x) => typeof x === 'string')
+                : [];
+            const blockedBy = Array.isArray(b.blocked_by)
+                ? b.blocked_by.filter((x) => typeof x === 'string')
+                : [];
+            try {
+                const created = await writeIssueFile({
+                    trackerRoot: root,
+                    identifier,
+                    title,
+                    state,
+                    description,
+                    priority,
+                    labels,
+                    blocked_by: blockedBy,
+                });
+                log.info('issue created via http', { identifier: created.identifier, state: created.state });
+                return jsonResponse(res, 201, created);
+            }
+            catch (err) {
+                return jsonResponse(res, 409, {
+                    error: { code: 'create_failed', message: err.message },
+                });
+            }
+        }
+        return methodNotAllowed(res);
+    }
+    // MCP JSON-RPC endpoint: agent (inside the smolvm) POSTs JSON-RPC envelopes here. The
+    // URL is per-issue (the agent only knows its own /<id>/mcp), backed by a bearer token
+    // generated at dispatch. Both layers are belt-and-braces against the no-auth 8787 socket.
+    const mcpMatch = /^\/api\/v1\/issues\/([^/]+)\/mcp$/.exec(pathname);
+    if (mcpMatch) {
+        if (method !== 'POST')
+            return methodNotAllowed(res);
+        const mcp = opts.mcp;
+        if (!mcp)
+            return notFound(res, 'mcp_disabled', 'mcp endpoint not enabled');
+        const identifier = decodeURIComponent(mcpMatch[1]);
+        const auth = (req.headers['authorization'] ?? req.headers['Authorization']);
+        const token = auth && auth.startsWith('Bearer ') ? auth.slice('Bearer '.length).trim() : '';
+        if (!token) {
+            res.statusCode = 401;
+            res.setHeader('content-type', 'application/json; charset=utf-8');
+            res.end(JSON.stringify({ error: { code: 'unauthorized', message: 'bearer token required' } }));
+            return;
+        }
+        if (!mcp.isActive(identifier, token)) {
+            res.statusCode = 404;
+            res.setHeader('content-type', 'application/json; charset=utf-8');
+            res.end(JSON.stringify({ error: { code: 'not_found', message: 'issue not active or token mismatch' } }));
+            return;
+        }
+        let body;
+        try {
+            body = await readJsonBody(req);
+        }
+        catch (err) {
+            return badRequest(res, err.message);
+        }
+        const reply = await mcp.handleJsonRpc(identifier, token, body);
+        if (reply === null) {
+            // JSON-RPC notification (no id) → 204 No Content
+            res.statusCode = 204;
+            res.end();
+            return;
+        }
+        return jsonResponse(res, 200, reply);
+    }
+    // Steering reply: the dashboard (or any operator with access) submits the human's
+    // response to a queued request_human_steering call. The orchestrator-side runner is
+    // awaiting on the registry; this POST unblocks it.
+    //
+    // Two callers:
+    //  • Dashboard via HTMX (form-encoded body, `HX-Request: true`, same-origin). We accept
+    //    only this combination for form bodies and reply with an HTML partial that swaps
+    //    into #attention.
+    //  • Direct API client (JSON body). Replies with a structured JSON acknowledgement.
+    //
+    // The form-encoded branch is gated on `HX-Request: true` and a same-origin check so a
+    // simple cross-site form POST cannot inject a steering reply: form-encoded is a "simple"
+    // CORS request that bypasses preflight, and the steering endpoint is unauthenticated.
+    // HTMX errors land at 200 OK with an inline `.steering-error` message because HTMX's
+    // default response-handling does not swap on 4xx/5xx; returning 200 keeps the operator's
+    // form in sync with reality (their textarea text is preserved by hx-preserve regardless).
+    const steeringMatch = /^\/api\/v1\/issues\/([^/]+)\/steering-reply$/.exec(pathname);
+    if (steeringMatch) {
+        if (method !== 'POST')
+            return methodNotAllowed(res);
+        const mcp = opts.mcp;
+        if (!mcp)
+            return notFound(res, 'mcp_disabled', 'steering endpoint not enabled');
+        const identifier = decodeURIComponent(steeringMatch[1]);
+        const isHtmx = req.headers['hx-request'] === 'true';
+        const ctype = (req.headers['content-type'] ?? '').toLowerCase();
+        const baseCtype = ctype.split(';', 1)[0].trim();
+        const isFormBody = baseCtype === 'application/x-www-form-urlencoded';
+        const isJsonBody = baseCtype === 'application/json';
+        // Content-type gates against CSRF: form-urlencoded, text/plain, and multipart/form-data
+        // are "simple" CORS requests and bypass preflight. Only application/json (non-simple,
+        // triggers preflight) is accepted on the JSON path; the form path is additionally
+        // gated on HX-Request + same-origin. Anything else is rejected outright.
+        if (!isFormBody && !isJsonBody) {
+            return jsonResponse(res, 415, {
+                error: {
+                    code: 'unsupported_media_type',
+                    message: 'content-type must be application/json or application/x-www-form-urlencoded',
+                },
+            });
+        }
+        if (isFormBody) {
+            if (!isHtmx || !isSameOriginRequest(req)) {
+                return jsonResponse(res, 403, {
+                    error: {
+                        code: 'forbidden',
+                        message: 'form-encoded steering replies require an HTMX same-origin request',
+                    },
+                });
+            }
+        }
+        let text = '';
+        if (isFormBody) {
+            try {
+                const raw = await readTextBody(req);
+                const params = new URLSearchParams(raw);
+                text = (params.get('text') ?? '').trim();
+            }
+            catch (err) {
+                return htmxOrJsonError(res, isHtmx, orch, view, 400, 'bad_request', err.message);
+            }
+        }
+        else {
+            let body;
+            try {
+                body = await readJsonBody(req);
+            }
+            catch (err) {
+                return badRequest(res, err.message);
+            }
+            text =
+                body && typeof body === 'object' && !Array.isArray(body) && typeof body.text === 'string'
+                    ? body.text.trim()
+                    : '';
+        }
+        if (!text) {
+            return htmxOrJsonError(res, isHtmx, orch, view, 400, 'bad_request', 'text is required and must be a non-empty string');
+        }
+        const ok = mcp.submitSteeringReply(identifier, text);
+        if (!ok) {
+            return htmxOrJsonError(res, isHtmx, orch, view, 409, 'no_pending_steering', 'no agent is awaiting steering for this issue');
+        }
+        if (isHtmx) {
+            const p = await gatherPartialInputs(orch, view);
+            res.statusCode = 200;
+            res.setHeader('content-type', 'text/html; charset=utf-8');
+            res.end(renderAttentionPartial(p));
+            return;
+        }
+        return jsonResponse(res, 202, { identifier, accepted_at: new Date().toISOString() });
+    }
+    const m = /^\/api\/v1\/([^/]+)$/.exec(pathname);
+    if (m) {
+        if (method !== 'GET')
+            return methodNotAllowed(res);
+        const identifier = decodeURIComponent(m[1]);
+        const detail = orch.detailByIdentifier(identifier);
+        if (!detail)
+            return notFound(res, 'issue_not_found', `issue ${identifier} is not tracked`);
+        return jsonResponse(res, 200, detail);
+    }
+    notFound(res);
+}
+//# sourceMappingURL=http.js.map