tanuki-telemetry 1.1.0

package/src/dashboard.ts

@@ -0,0 +1,826 @@
+import express from "express";
+import path from "path";
+import fs from "fs";
+import http from "http";
+import { WebSocketServer, WebSocket } from "ws";
+import multer from "multer";
+import session from "express-session";
+import passport from "passport";
+import Database from "better-sqlite3";
+import BetterSqlite3SessionStore from "better-sqlite3-session-store";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { getDb, listSessions } from "./db.js";
+import { registerTools } from "./tools.js";
+import { initAuthTables, setupPassport, createAuthRouter } from "./auth.js";
+import { createApiKeyRouter } from "./api-keys.js";
+import { dashboardAuthMiddleware, apiKeyMiddleware, wsAuthCheck, getUserEmailFromRequest, AUTH_ENABLED } from "./middleware.js";
+import type { Session, Event, Iteration, Screenshot, Artifact, Insight, PlanStep } from "./types.js";
+import { listCoordinatorSessions, getCoordinatorState, getCoordinatorHistory } from "./coordinator.js";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+const app = express();
+app.set("trust proxy", 1); // Trust Railway's reverse proxy for secure cookies
+app.use(express.json());
+const DASHBOARD_PORT = parseInt(process.env.PORT || "3333", 10);
+const POLL_INTERVAL_MS = 1000;
+
+// --- Auth setup ---
+if (AUTH_ENABLED) {
+  initAuthTables();
+  setupPassport();
+}
+
+const SqliteStore = BetterSqlite3SessionStore(session);
+
+// Use a separate SQLite DB for session store to avoid table name conflict
+// (the store hardcodes table name "sessions" which conflicts with our telemetry sessions table)
+let sessionStoreInstance: InstanceType<typeof SqliteStore> | undefined;
+if (AUTH_ENABLED) {
+  const dbPath = process.env.DB_PATH || "/data/telemetry.db";
+  const sessionDbPath = dbPath.replace(/\.db$/, "-sessions.db");
+  const sessionDb = new Database(sessionDbPath);
+  sessionDb.pragma("journal_mode = WAL");
+  sessionStoreInstance = new SqliteStore({
+    client: sessionDb,
+    expired: { clear: true, intervalMs: 900000 },
+  });
+}
+
+app.use(
+  session({
+    store: sessionStoreInstance,
+    secret: process.env.SESSION_SECRET || "telemetry-local-dev-secret",
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+      secure: process.env.NODE_ENV === "production",
+      httpOnly: true,
+      maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
+      sameSite: "lax",
+    },
+  })
+);
+
+if (AUTH_ENABLED) {
+  app.use(passport.initialize());
+  app.use(passport.session());
+  app.use("/auth", createAuthRouter());
+}
+
+const TANUKI_VERSION = "1.1.0";
+
+// Health check (unauthenticated — for Railway)
+app.get("/health", (_req, res) => {
+  res.json({ ok: true, version: TANUKI_VERSION });
+});
+
+// Version endpoint
+app.get("/api/version", (_req, res) => {
+  res.json({ version: TANUKI_VERSION });
+});
+
+// API key management routes
+app.use("/api/keys", createApiKeyRouter());
+
+// Apply MCP auth
+app.use("/mcp", apiKeyMiddleware);
+
+// Configure multer for screenshot uploads
+const upload = multer({
+  storage: multer.diskStorage({
+    destination: (_req, _file, cb) => {
+      const sessionId = String(_req.params.sessionId || "unknown");
+      // Look up the session to get worktree_name for directory
+      const d = getDb();
+      const session = d.prepare("SELECT worktree_name FROM sessions WHERE id = ?").get(sessionId) as { worktree_name: string } | undefined;
+      const dirName = session?.worktree_name || sessionId;
+      const dir = path.join("/data", dirName, "screenshots");
+      fs.mkdirSync(dir, { recursive: true });
+      cb(null, dir);
+    },
+    filename: (_req, file, cb) => {
+      // Preserve original name or generate timestamp-based name
+      const ext = path.extname(file.originalname) || ".png";
+      const base = path.basename(file.originalname, ext).replace(/[^a-zA-Z0-9_-]/g, "_");
+      const timestamp = Date.now();
+      cb(null, `${base}-${timestamp}${ext}`);
+    },
+  }),
+  limits: { fileSize: 20 * 1024 * 1024 }, // 20MB max
+  fileFilter: (_req, file, cb) => {
+    if (file.mimetype.startsWith("image/")) {
+      cb(null, true);
+    } else {
+      cb(new Error("Only image files allowed"));
+    }
+  },
+});
+
+// --- API Routes (protected by dashboard auth) ---
+
+app.use("/api", dashboardAuthMiddleware);
+
+app.get("/api/sessions", (_req, res) => {
+  const limit = parseInt(_req.query.limit as string) || 20;
+  const status = _req.query.status as string | undefined;
+  const parentId = _req.query.parent_session_id as string | undefined;
+  const userEmail = _req.query.user_email as string | undefined;
+
+  const sessions = listSessions(limit, status, parentId, userEmail);
+  res.json(sessions);
+});
+
+app.get("/api/sessions/:id", (req, res) => {
+  const d = getDb();
+  const session = d
+    .prepare("SELECT * FROM sessions WHERE id = ?")
+    .get(req.params.id) as Session | undefined;
+
+  if (!session) {
+    res.status(404).json({ error: "Session not found" });
+    return;
+  }
+
+  const events = d
+    .prepare("SELECT * FROM events WHERE session_id = ? ORDER BY timestamp ASC")
+    .all(session.id) as Event[];
+
+  const iterations = d
+    .prepare(
+      "SELECT * FROM iterations WHERE session_id = ? ORDER BY iteration_number ASC"
+    )
+    .all(session.id) as Iteration[];
+
+  const screenshots = d
+    .prepare(
+      "SELECT * FROM screenshots WHERE session_id = ? ORDER BY timestamp ASC"
+    )
+    .all(session.id) as Screenshot[];
+
+  const artifacts = d
+    .prepare(
+      "SELECT * FROM artifacts WHERE session_id = ? ORDER BY timestamp ASC"
+    )
+    .all(session.id) as Artifact[];
+
+  const insights = d
+    .prepare(
+      "SELECT * FROM insights WHERE session_id = ? ORDER BY confidence DESC"
+    )
+    .all(session.id) as Insight[];
+
+  const plan_steps = d
+    .prepare(
+      "SELECT * FROM plan_steps WHERE session_id = ? ORDER BY step_number ASC"
+    )
+    .all(session.id) as PlanStep[];
+
+  const child_sessions = d
+    .prepare(
+      "SELECT * FROM sessions WHERE parent_session_id = ? ORDER BY created_at ASC"
+    )
+    .all(session.id) as Session[];
+
+  res.json({ session, events, iterations, screenshots, artifacts, insights, plan_steps, child_sessions });
+});
+
+app.get("/api/stats", (_req, res) => {
+  const d = getDb();
+
+  const total = (
+    d.prepare("SELECT COUNT(*) as count FROM sessions").get() as {
+      count: number;
+    }
+  ).count;
+
+  const avgIterations = (
+    d
+      .prepare(
+        "SELECT AVG(total_iterations) as avg FROM sessions WHERE status IN ('completed','failed')"
+      )
+      .get() as { avg: number | null }
+  ).avg;
+
+  const avgDuration = (
+    d
+      .prepare(
+        "SELECT AVG(duration_seconds) as avg FROM sessions WHERE duration_seconds IS NOT NULL"
+      )
+      .get() as { avg: number | null }
+  ).avg;
+
+  const totalTokens = (
+    d
+      .prepare(
+        "SELECT SUM(total_input_tokens + total_output_tokens) as total FROM sessions"
+      )
+      .get() as { total: number | null }
+  ).total;
+
+  const completed = (
+    d
+      .prepare("SELECT COUNT(*) as count FROM sessions WHERE status = 'completed'")
+      .get() as { count: number }
+  ).count;
+
+  const failed = (
+    d
+      .prepare("SELECT COUNT(*) as count FROM sessions WHERE status = 'failed'")
+      .get() as { count: number }
+  ).count;
+
+  res.json({
+    total_sessions: total,
+    avg_iterations: avgIterations ? Math.round(avgIterations * 10) / 10 : 0,
+    avg_duration_seconds: avgDuration ? Math.round(avgDuration) : 0,
+    total_tokens: totalTokens ?? 0,
+    completed,
+    failed,
+    pass_rate:
+      completed + failed > 0
+        ? Math.round((completed / (completed + failed)) * 100)
+        : 0,
+  });
+});
+
+// Knowledge API
+app.get("/api/knowledge", (_req, res) => {
+  const d = getDb();
+  const category = _req.query.category as string | undefined;
+  const limit = parseInt(_req.query.limit as string) || 50;
+
+  let insights: Insight[];
+  if (category) {
+    insights = d
+      .prepare(
+        "SELECT * FROM insights WHERE category = ? ORDER BY confidence DESC, times_validated DESC LIMIT ?"
+      )
+      .all(category, limit) as Insight[];
+  } else {
+    insights = d
+      .prepare(
+        "SELECT * FROM insights ORDER BY confidence DESC, times_validated DESC LIMIT ?"
+      )
+      .all(limit) as Insight[];
+  }
+
+  const categories = d
+    .prepare(
+      "SELECT category, COUNT(*) as count, AVG(confidence) as avg_confidence FROM insights GROUP BY category ORDER BY count DESC"
+    )
+    .all() as Array<{ category: string; count: number; avg_confidence: number }>;
+
+  res.json({ insights, categories, total: insights.length });
+});
+
+// Upload screenshot
+app.post("/api/sessions/:sessionId/screenshots", upload.single("file"), (req, res) => {
+  const d = getDb();
+  const { sessionId } = req.params;
+  const file = req.file;
+
+  if (!file) {
+    res.status(400).json({ error: "No file uploaded" });
+    return;
+  }
+
+  // Verify session exists
+  const session = d.prepare("SELECT id, worktree_name FROM sessions WHERE id = ?").get(sessionId) as { id: string; worktree_name: string } | undefined;
+  if (!session) {
+    // Clean up uploaded file
+    fs.unlinkSync(file.path);
+    res.status(404).json({ error: "Session not found" });
+    return;
+  }
+
+  const description = (req.body?.description as string) || file.originalname;
+  const phase = (req.body?.phase as string) || "verification";
+  const iterationNumber = req.body?.iteration_number ? parseInt(req.body.iteration_number) : null;
+
+  // Insert into screenshots table
+  const stmt = d.prepare(`
+    INSERT INTO screenshots (session_id, iteration_number, phase, description, file_path)
+    VALUES (?, ?, ?, ?, ?)
+  `);
+  const result = stmt.run(
+    sessionId,
+    iterationNumber,
+    phase,
+    description,
+    file.path
+  );
+
+  res.json({
+    screenshot_id: Number(result.lastInsertRowid),
+    file_path: file.path,
+    url: `/api/screenshots/${session.worktree_name}/screenshots/${file.filename}`,
+  });
+});
+
+// Coordinator API
+app.get("/api/coordinator/sessions", (_req, res) => {
+  const limit = parseInt(_req.query.limit as string) || 10;
+  const sessions = listCoordinatorSessions(limit);
+  res.json(sessions);
+});
+
+app.get("/api/coordinator/sessions/:id", (req, res) => {
+  const state = getCoordinatorState(req.params.id);
+  if (!state) {
+    res.status(404).json({ error: "Coordinator session not found" });
+    return;
+  }
+  const history = getCoordinatorHistory(state.session_id);
+  res.json({ state, history });
+});
+
+// Coordinator live feed — latest events across all workspace sessions
+app.get("/api/coordinator/sessions/:id/live", (req, res) => {
+  const state = getCoordinatorState(req.params.id);
+  if (!state) {
+    res.status(404).json({ error: "Coordinator session not found" });
+    return;
+  }
+
+  const d = getDb();
+  const sessionIds = Object.values(state.workspaces)
+    .map((ws) => ws.session_id)
+    .filter(Boolean) as string[];
+
+  if (sessionIds.length === 0) {
+    res.json({ events: [], workspace_events: {} });
+    return;
+  }
+
+  const placeholders = sessionIds.map(() => "?").join(",");
+
+  // Last 50 events across all workspace sessions
+  const events = d.prepare(`
+    SELECT e.*, s.worktree_name FROM events e
+    JOIN sessions s ON e.session_id = s.id
+    WHERE e.session_id IN (${placeholders})
+    ORDER BY e.timestamp DESC LIMIT 50
+  `).all(...sessionIds) as Array<Event & { worktree_name: string }>;
+
+  // Last event per workspace session
+  const workspaceEvents: Record<string, Event & { worktree_name: string }> = {};
+  for (const sid of sessionIds) {
+    const last = d.prepare(`
+      SELECT e.*, s.worktree_name FROM events e
+      JOIN sessions s ON e.session_id = s.id
+      WHERE e.session_id = ?
+      ORDER BY e.timestamp DESC LIMIT 1
+    `).get(sid) as (Event & { worktree_name: string }) | undefined;
+    if (last) workspaceEvents[sid] = last;
+  }
+
+  res.json({ events: events.reverse(), workspace_events: workspaceEvents });
+});
+
+// Serve artifact by database ID
+app.get("/api/artifacts/by-id/:id", (req, res) => {
+  const d = getDb();
+  const artifact = d.prepare("SELECT stored_path, file_path, mime_type FROM artifacts WHERE id = ?").get(req.params.id) as { stored_path: string | null; file_path: string; mime_type: string | null } | undefined;
+
+  if (!artifact) {
+    res.status(404).json({ error: "Artifact not found" });
+    return;
+  }
+
+  const candidates = [
+    artifact.stored_path,
+    artifact.file_path,
+    artifact.file_path?.replace(/^.*?outputs\//, "/data/"),
+  ].filter(Boolean) as string[];
+
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      if (artifact.mime_type) {
+        res.type(artifact.mime_type);
+      }
+      res.sendFile(path.resolve(candidate));
+      return;
+    }
+  }
+
+  res.status(404).json({ error: "Artifact file not found on disk" });
+});
+
+// Serve screenshot by database ID — self-contained, doesn't need volume path mapping
+app.get("/api/screenshots/by-id/:id", (req, res) => {
+  const d = getDb();
+  const screenshot = d.prepare("SELECT stored_path, thumb_path, file_path FROM screenshots WHERE id = ?").get(req.params.id) as { stored_path: string | null; thumb_path: string | null; file_path: string } | undefined;
+
+  if (!screenshot) {
+    res.status(404).json({ error: "Screenshot not found" });
+    return;
+  }
+
+  const wantThumb = req.query.size === "thumb";
+
+  // If thumbnail requested and available, serve it
+  if (wantThumb && screenshot.thumb_path && fs.existsSync(screenshot.thumb_path)) {
+    res.sendFile(path.resolve(screenshot.thumb_path));
+    return;
+  }
+
+  // Serve full-size: prefer stored_path, fall back to file_path via volume
+  const candidates = [
+    screenshot.stored_path,
+    screenshot.file_path,
+    screenshot.file_path?.replace(/^.*?outputs\//, "/data/"),
+  ].filter(Boolean) as string[];
+
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      res.sendFile(path.resolve(candidate));
+      return;
+    }
+  }
+
+  res.status(404).json({ error: "Screenshot file not found on disk" });
+});
+
+// --- Walkthrough API (must be before /api/screenshots/* wildcard) ---
+
+app.get("/api/walkthroughs", (_req, res) => {
+  const d = getDb();
+  const limit = parseInt(_req.query.limit as string) || 50;
+  const walkthroughs = d.prepare(
+    "SELECT * FROM walkthroughs ORDER BY started_at DESC LIMIT ?"
+  ).all(limit);
+  res.json({ walkthroughs });
+});
+
+app.get("/api/walkthroughs/:id", (req, res) => {
+  const d = getDb();
+  const id = parseInt(req.params.id, 10);
+  if (isNaN(id)) {
+    res.status(400).json({ error: "Invalid walkthrough ID" });
+    return;
+  }
+
+  const walkthrough = d.prepare("SELECT * FROM walkthroughs WHERE id = ?").get(id);
+  if (!walkthrough) {
+    res.status(404).json({ error: "Walkthrough not found" });
+    return;
+  }
+
+  const actions = d.prepare(
+    "SELECT * FROM walkthrough_actions WHERE walkthrough_id = ? ORDER BY timestamp ASC"
+  ).all(id);
+
+  const screenshots = d.prepare(
+    "SELECT * FROM walkthrough_screenshots WHERE walkthrough_id = ? ORDER BY timestamp ASC"
+  ).all(id);
+
+  res.json({ walkthrough, actions, screenshots });
+});
+
+app.get("/api/walkthroughs/:id/screenshots/:screenshotId", (req, res) => {
+  const d = getDb();
+  const screenshotId = parseInt(req.params.screenshotId, 10);
+  if (isNaN(screenshotId)) {
+    res.status(400).json({ error: "Invalid screenshot ID" });
+    return;
+  }
+
+  const screenshot = d.prepare(
+    "SELECT stored_path FROM walkthrough_screenshots WHERE id = ? AND walkthrough_id = ?"
+  ).get(screenshotId, parseInt(req.params.id, 10)) as { stored_path: string } | undefined;
+
+  if (!screenshot || !fs.existsSync(screenshot.stored_path)) {
+    res.status(404).json({ error: "Screenshot not found" });
+    return;
+  }
+
+  res.sendFile(path.resolve(screenshot.stored_path));
+});
+
+// Serve screenshot files from /data mount (legacy path-based)
+app.get("/api/screenshots/*", (req, res) => {
+  const requestedPath = (req.params as unknown as Record<string, string>)["0"];
+  let filePath: string;
+  if (requestedPath.startsWith("/")) {
+    filePath = requestedPath;
+  } else {
+    filePath = path.join("/data", requestedPath);
+  }
+
+  const resolved = path.resolve(filePath);
+  if (!resolved.startsWith("/data")) {
+    res.status(403).json({ error: "Access denied" });
+    return;
+  }
+
+  if (!fs.existsSync(resolved)) {
+    res.status(404).json({ error: "File not found" });
+    return;
+  }
+
+  res.sendFile(resolved);
+});
+
+// --- MCP SSE Transport ---
+
+const mcpTransports: Record<string, SSEServerTransport> = {};
+
+// SSE endpoint — clients connect here to establish the MCP stream
+app.get("/mcp/sse", async (req, res) => {
+  console.error("[telemetry] New MCP SSE connection");
+  try {
+    const transport = new SSEServerTransport("/mcp/messages", res);
+    const sessionId = transport.sessionId;
+    mcpTransports[sessionId] = transport;
+
+    transport.onclose = () => {
+      console.error(`[telemetry] MCP SSE closed: ${sessionId}`);
+      delete mcpTransports[sessionId];
+    };
+
+    // Create a fresh MCP server for this connection, injecting the authenticated user's email
+    const connUserEmail = getUserEmailFromRequest(req);
+    const mcpServer = new McpServer({
+      name: "telemetry-mcp",
+      version: "1.0.0",
+    });
+    registerTools(mcpServer, connUserEmail);
+    await mcpServer.connect(transport);
+
+    console.error(`[telemetry] MCP SSE established: ${sessionId}`);
+  } catch (error) {
+    console.error("[telemetry] Error establishing MCP SSE:", error);
+    if (!res.headersSent) {
+      res.status(500).send("Error establishing SSE stream");
+    }
+  }
+});
+
+// Messages endpoint — clients POST JSON-RPC messages here
+app.post("/mcp/messages", async (req, res) => {
+  const sessionId = req.query.sessionId as string;
+  const transport = mcpTransports[sessionId];
+
+  if (!transport) {
+    res.status(400).json({ error: "Unknown session ID" });
+    return;
+  }
+
+  try {
+    await transport.handlePostMessage(req, res, req.body);
+  } catch (error) {
+    console.error("[telemetry] Error handling MCP message:", error);
+    if (!res.headersSent) {
+      res.status(500).send("Error handling request");
+    }
+  }
+});
+
+// --- Serve React frontend ---
+
+const frontendDist = path.resolve(__dirname, "../frontend/dist");
+
+if (fs.existsSync(frontendDist)) {
+  app.use(express.static(frontendDist));
+
+  // SPA fallback — serve index.html for non-API routes
+  app.get("*", (_req, res) => {
+    res.sendFile(path.join(frontendDist, "index.html"));
+  });
+} else {
+  app.get("/", (_req, res) => {
+    res.type("html").send(`<!DOCTYPE html>
+<html><head><title>tanuki</title></head>
+<body style="background:#0a0a0a;color:#666;font-family:monospace;display:flex;align-items:center;justify-content:center;height:100vh;">
+<pre>frontend not built — run: cd frontend && npm run build</pre>
+</body></html>`);
+  });
+}
+
+// --- WebSocket live feed ---
+
+interface WaterMark {
+  lastEventId: number;
+  lastIterationId: number;
+  lastScreenshotId: number;
+  lastArtifactId: number;
+  lastInsightId: number;
+  lastPlanStepId: number;
+  planStepVersions: Map<number, string>;
+  sessionVersions: Map<string, string>;
+  coordinatorVersions: Map<string, string>; // session_id -> updated_at
+}
+
+function getWaterMark(): WaterMark {
+  const d = getDb();
+  const lastEvent = d.prepare("SELECT MAX(id) as id FROM events").get() as { id: number | null };
+  const lastIteration = d.prepare("SELECT MAX(id) as id FROM iterations").get() as { id: number | null };
+  const lastScreenshot = d.prepare("SELECT MAX(id) as id FROM screenshots").get() as { id: number | null };
+  const lastArtifact = d.prepare("SELECT MAX(id) as id FROM artifacts").get() as { id: number | null };
+  const lastInsight = d.prepare("SELECT MAX(id) as id FROM insights").get() as { id: number | null };
+  const lastPlanStep = d.prepare("SELECT MAX(id) as id FROM plan_steps").get() as { id: number | null };
+
+  const sessions = d.prepare(
+    "SELECT id, status, total_input_tokens, total_output_tokens, total_iterations, duration_seconds FROM sessions ORDER BY created_at DESC LIMIT 20"
+  ).all() as Array<{ id: string; status: string; total_input_tokens: number; total_output_tokens: number; total_iterations: number; duration_seconds: number | null }>;
+
+  const sessionVersions = new Map<string, string>();
+  for (const s of sessions) {
+    sessionVersions.set(s.id, `${s.status}:${s.total_input_tokens}:${s.total_output_tokens}:${s.total_iterations}:${s.duration_seconds}`);
+  }
+
+  // Track plan step statuses for change detection
+  const planSteps = d.prepare(
+    "SELECT id, status, outcome FROM plan_steps ORDER BY id DESC LIMIT 100"
+  ).all() as Array<{ id: number; status: string; outcome: string | null }>;
+
+  const planStepVersions = new Map<number, string>();
+  for (const ps of planSteps) {
+    planStepVersions.set(ps.id, `${ps.status}:${ps.outcome ?? ""}`);
+  }
+
+  // Track coordinator state changes
+  const coordinatorRows = d.prepare(
+    "SELECT session_id, updated_at FROM coordinator_state"
+  ).all() as Array<{ session_id: string; updated_at: string }>;
+
+  const coordinatorVersions = new Map<string, string>();
+  for (const cr of coordinatorRows) {
+    coordinatorVersions.set(cr.session_id, cr.updated_at);
+  }
+
+  return {
+    lastEventId: lastEvent.id ?? 0,
+    lastIterationId: lastIteration.id ?? 0,
+    lastScreenshotId: lastScreenshot.id ?? 0,
+    lastArtifactId: lastArtifact.id ?? 0,
+    lastInsightId: lastInsight.id ?? 0,
+    lastPlanStepId: lastPlanStep.id ?? 0,
+    planStepVersions,
+    sessionVersions,
+    coordinatorVersions,
+  };
+}
+
+function diffAndBroadcast(wss: WebSocketServer, prev: WaterMark): WaterMark {
+  const d = getDb();
+  const current = getWaterMark();
+  const messages: Array<{ type: string; data: unknown }> = [];
+
+  // New events
+  if (current.lastEventId > prev.lastEventId) {
+    const newEvents = d.prepare(
+      "SELECT * FROM events WHERE id > ? ORDER BY id ASC"
+    ).all(prev.lastEventId) as Event[];
+    for (const ev of newEvents) {
+      messages.push({ type: "event", data: ev });
+    }
+  }
+
+  // New iterations
+  if (current.lastIterationId > prev.lastIterationId) {
+    const newIterations = d.prepare(
+      "SELECT * FROM iterations WHERE id > ? ORDER BY id ASC"
+    ).all(prev.lastIterationId) as import("./types.js").Iteration[];
+    for (const it of newIterations) {
+      messages.push({ type: "iteration", data: it });
+    }
+  }
+
+  // New screenshots
+  if (current.lastScreenshotId > prev.lastScreenshotId) {
+    const newScreenshots = d.prepare(
+      "SELECT * FROM screenshots WHERE id > ? ORDER BY id ASC"
+    ).all(prev.lastScreenshotId) as Screenshot[];
+    for (const sc of newScreenshots) {
+      messages.push({ type: "screenshot", data: sc });
+    }
+  }
+
+  // New artifacts
+  if (current.lastArtifactId > prev.lastArtifactId) {
+    const newArtifacts = d.prepare(
+      "SELECT * FROM artifacts WHERE id > ? ORDER BY id ASC"
+    ).all(prev.lastArtifactId) as Artifact[];
+    for (const art of newArtifacts) {
+      messages.push({ type: "artifact", data: art });
+    }
+  }
+
+  // New insights
+  if (current.lastInsightId > prev.lastInsightId) {
+    const newInsights = d.prepare(
+      "SELECT * FROM insights WHERE id > ? ORDER BY id ASC"
+    ).all(prev.lastInsightId) as Insight[];
+    for (const ins of newInsights) {
+      messages.push({ type: "insight", data: ins });
+    }
+  }
+
+  // New plan steps
+  if (current.lastPlanStepId > prev.lastPlanStepId) {
+    const newSteps = d.prepare(
+      "SELECT * FROM plan_steps WHERE id > ? ORDER BY id ASC"
+    ).all(prev.lastPlanStepId) as PlanStep[];
+    for (const step of newSteps) {
+      messages.push({ type: "plan_step_new", data: step });
+    }
+  }
+
+  // Plan step status changes
+  for (const [id, version] of current.planStepVersions) {
+    const prevVersion = prev.planStepVersions.get(id);
+    if (prevVersion !== undefined && prevVersion !== version) {
+      const step = d.prepare("SELECT * FROM plan_steps WHERE id = ?").get(id) as PlanStep;
+      messages.push({ type: "plan_step_update", data: step });
+    }
+  }
+
+  // Coordinator state changes
+  for (const [id, updatedAt] of current.coordinatorVersions) {
+    const prevUpdatedAt = prev.coordinatorVersions.get(id);
+    if (prevUpdatedAt !== updatedAt) {
+      messages.push({ type: "coordinator_update", data: { session_id: id, updated_at: updatedAt } });
+    }
+  }
+
+  // Session status changes
+  for (const [id, version] of current.sessionVersions) {
+    const prevVersion = prev.sessionVersions.get(id);
+    if (prevVersion !== version) {
+      const session = d.prepare("SELECT * FROM sessions WHERE id = ?").get(id) as Session;
+      messages.push({ type: "session_update", data: session });
+    }
+  }
+
+  // New sessions (in current but not in prev)
+  for (const [id] of current.sessionVersions) {
+    if (!prev.sessionVersions.has(id)) {
+      const session = d.prepare("SELECT * FROM sessions WHERE id = ?").get(id) as Session;
+      messages.push({ type: "session_new", data: session });
+    }
+  }
+
+  // Broadcast
+  if (messages.length > 0) {
+    const payload = JSON.stringify({ messages });
+    for (const client of wss.clients) {
+      if (client.readyState === WebSocket.OPEN) {
+        client.send(payload);
+      }
+    }
+  }
+
+  return current;
+}
+
+export function startDashboard(): void {
+  const server = http.createServer(app);
+  const wss = new WebSocketServer({ server, path: "/ws" });
+
+  let waterMark = getWaterMark();
+
+  // Poll for changes and broadcast
+  setInterval(() => {
+    try {
+      waterMark = diffAndBroadcast(wss, waterMark);
+    } catch (e) {
+      // DB might not be ready yet
+    }
+  }, POLL_INTERVAL_MS);
+
+  wss.on("connection", (ws, req) => {
+    // Check WebSocket auth
+    if (!wsAuthCheck(req as unknown as import("express").Request)) {
+      ws.close(4001, "Unauthorized");
+      return;
+    }
+
+    // Send current state snapshot on connect
+    const d = getDb();
+    const activeSessions = d.prepare(
+      "SELECT * FROM sessions WHERE status = 'in_progress' ORDER BY created_at DESC LIMIT 5"
+    ).all() as Session[];
+
+    ws.send(JSON.stringify({
+      type: "connected",
+      active_sessions: activeSessions,
+      timestamp: new Date().toISOString(),
+    }));
+  });
+
+  server.listen(DASHBOARD_PORT, "0.0.0.0", () => {
+    console.error(
+      `[telemetry] Dashboard running at http://localhost:${DASHBOARD_PORT}`
+    );
+    console.error(
+      `[telemetry] MCP SSE endpoint at http://localhost:${DASHBOARD_PORT}/mcp/sse`
+    );
+    console.error(
+      `[telemetry] WebSocket live feed at ws://localhost:${DASHBOARD_PORT}/ws`
+    );
+  });
+}