chore(orchestrator): Phase 7 complete — v0.0.8 verified (#154 )

Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
docs(deploy): add deployment guide and expand .env.example (#153 )
2026-03-15 19:50:15 +00:00 · 2026-03-15 19:46:38 +00:00 · 2026-03-15 19:46:13 +00:00 · 2026-03-15 19:40:44 +00:00 · 2026-03-15 19:18:47 +00:00 · 2026-03-15 19:18:18 +00:00
95 changed files with 11484 additions and 451 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,34 +1,129 @@
-# Database (port 5433 avoids conflict with host PostgreSQL)
+# ─────────────────────────────────────────────────────────────────────────────
 # Mosaic — Environment Variables Reference
 # Copy this file to .env and fill in the values for your deployment.
 # Lines beginning with # are comments; optional vars are commented out.
 # ─────────────────────────────────────────────────────────────────────────────
 # ─── Database (PostgreSQL 17 + pgvector) ─────────────────────────────────────
 # Full connection string used by the gateway, ORM, and migration runner.
 # Port 5433 avoids conflict with a host-side PostgreSQL instance.
 DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
-# Valkey (Redis-compatible, port 6380 avoids conflict with host Redis/Valkey)
+# Docker Compose host-port override for the PostgreSQL container (default: 5433)
 # PG_HOST_PORT=5433
 # ─── Queue (Valkey 8 / Redis-compatible) ─────────────────────────────────────
 # Port 6380 avoids conflict with a host-side Redis/Valkey instance.
 VALKEY_URL=redis://localhost:6380
-# Docker Compose host port overrides (optional)
+# Docker Compose host-port override for the Valkey container (default: 6380)
 # PG_HOST_PORT=5433
 # VALKEY_HOST_PORT=6380
 # OpenTelemetry
 OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
 OTEL_SERVICE_NAME=mosaic-gateway
-# Auth (BetterAuth)
+# ─── Gateway ─────────────────────────────────────────────────────────────────
-BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
+# TCP port the NestJS/Fastify gateway listens on (default: 4000)
 BETTER_AUTH_URL=http://localhost:4000
 # Gateway
 GATEWAY_PORT=4000
-# Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable)
+# Comma-separated list of allowed CORS origins.
 # Must include the web app origin in production.
 GATEWAY_CORS_ORIGIN=http://localhost:3000
 # ─── Auth (BetterAuth) ───────────────────────────────────────────────────────
 # REQUIRED — random secret used to sign sessions and tokens.
 # Generate with: openssl rand -base64 32
 BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string
 # Public base URL of the gateway (used by BetterAuth for callback URLs)
 BETTER_AUTH_URL=http://localhost:4000
 # ─── Web App (Next.js) ───────────────────────────────────────────────────────
 # Public gateway URL — accessible from the browser, not just the server.
 NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
 # ─── OpenTelemetry ───────────────────────────────────────────────────────────
 # OTLP HTTP endpoint (otel-collector or any OpenTelemetry-compatible backend)
 OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
 # Service name shown in traces
 OTEL_SERVICE_NAME=mosaic-gateway
 # ─── AI Providers ────────────────────────────────────────────────────────────
 # Ollama (local models — set OLLAMA_BASE_URL to enable)
 # OLLAMA_BASE_URL=http://localhost:11434
 # OLLAMA_HOST is a legacy alias for OLLAMA_BASE_URL
 # OLLAMA_HOST=http://localhost:11434
 # Comma-separated list of Ollama model IDs to register (default: llama3.2,codellama,mistral)
 # OLLAMA_MODELS=llama3.2,codellama,mistral
 # OpenAI — required for embedding and log-summarization features
 # OPENAI_API_KEY=sk-...
 # Custom providers — JSON array of provider configs
 # Format: [{"id":"<id>","baseUrl":"<url>","apiKey":"<key>","models":[{"id":"<model-id>","name":"<label>"}]}]
 # MOSAIC_CUSTOM_PROVIDERS=
 # ─── Embedding Service ───────────────────────────────────────────────────────
 # OpenAI-compatible embeddings endpoint (default: OpenAI)
 # EMBEDDING_API_URL=https://api.openai.com/v1
 # EMBEDDING_MODEL=text-embedding-3-small
 # ─── Log Summarization Service ───────────────────────────────────────────────
 # OpenAI-compatible chat completions endpoint for log summarization (default: OpenAI)
 # SUMMARIZATION_API_URL=https://api.openai.com/v1
 # SUMMARIZATION_MODEL=gpt-4o-mini
 # Cron schedule for summarization job (default: every 6 hours)
 # SUMMARIZATION_CRON=0 */6 * * *
 # Cron schedule for log tier management (default: daily at 03:00)
 # TIER_MANAGEMENT_CRON=0 3 * * *
 # ─── Agent ───────────────────────────────────────────────────────────────────
 # Filesystem sandbox root for agent file tools (default: process.cwd())
 # AGENT_FILE_SANDBOX_DIR=/var/lib/mosaic/sandbox
 # Comma-separated list of tool names available to non-admin users.
 # Leave unset to allow all tools for all authenticated users.
 # AGENT_USER_TOOLS=read_file,list_directory,search_files
 # System prompt injected into every agent session (optional)
 # AGENT_SYSTEM_PROMPT=You are a helpful assistant.
 # ─── MCP Servers ─────────────────────────────────────────────────────────────
 # JSON array of MCP server configs — set to enable MCP tool integration.
 # Each entry: {"name":"<id>","url":"<http-or-sse-url>"}
 # MCP_SERVERS=[{"name":"my-mcp","url":"http://localhost:3100/sse"}]
 # ─── Coordinator ─────────────────────────────────────────────────────────────
 # Root directory used to scope coordinator (worktree/repo) operations.
 # Defaults to the monorepo root auto-detected from process.cwd().
 # MOSAIC_WORKSPACE_ROOT=/home/user/projects/mosaic
 # ─── Discord Plugin (optional — set DISCORD_BOT_TOKEN to enable) ─────────────
 # DISCORD_BOT_TOKEN=
 # DISCORD_GUILD_ID=
 # DISCORD_GATEWAY_URL=http://localhost:4000
-# Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable)
+
 # ─── Telegram Plugin (optional — set TELEGRAM_BOT_TOKEN to enable) ───────────
 # TELEGRAM_BOT_TOKEN=
 # TELEGRAM_GATEWAY_URL=http://localhost:4000
-# Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable)
+
-# AUTHENTIK_ISSUER=https://auth.example.com
+# ─── Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable) ────────────
 # AUTHENTIK_ISSUER=https://auth.example.com/application/o/mosaic/
 # AUTHENTIK_CLIENT_ID=
 # AUTHENTIK_CLIENT_SECRET=
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1 @@
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"
 npx lint-staged
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -1,4 +1 @@
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"
 pnpm typecheck && pnpm lint && pnpm format:check
--- a/.prettierignore
+++ b/.prettierignore
@@ -4,3 +4,4 @@ pnpm-lock.yaml
 **/node_modules
 **/drizzle
 **/.next
 .claude/
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -5,9 +5,9 @@ variables:
 when:
  - event: [push, pull_request, manual]
-# Steps run sequentially to avoid OOM on the CI runner.
+# Turbo remote cache is at turbo.mosaicstack.dev (ducktors/turborepo-remote-cache).
-# node_modules is installed once by the install step and shared across
+# TURBO_TOKEN is a Woodpecker secret injected via from_secret into the environment.
-# all subsequent steps via Woodpecker's shared workspace volume.
+# Turbo picks up TURBO_API, TURBO_TOKEN, and TURBO_TEAM automatically.
 steps:
  install:
@@ -18,14 +18,25 @@ steps:
  typecheck:
    image: *node_image
    environment:
      TURBO_API: https://turbo.mosaicstack.dev
      TURBO_TEAM: mosaic
      TURBO_TOKEN:
        from_secret: turbo_token
    commands:
      - *enable_pnpm
      - pnpm typecheck
    depends_on:
      - install
  # lint, format, and test are independent — run in parallel after typecheck
  lint:
    image: *node_image
    environment:
      TURBO_API: https://turbo.mosaicstack.dev
      TURBO_TEAM: mosaic
      TURBO_TOKEN:
        from_secret: turbo_token
    commands:
      - *enable_pnpm
      - pnpm lint
@@ -38,20 +49,32 @@ steps:
      - *enable_pnpm
      - pnpm format:check
    depends_on:
-      - lint
+      - typecheck
  test:
    image: *node_image
    environment:
      TURBO_API: https://turbo.mosaicstack.dev
      TURBO_TEAM: mosaic
      TURBO_TOKEN:
        from_secret: turbo_token
    commands:
      - *enable_pnpm
      - pnpm test
    depends_on:
-      - format
+      - typecheck
  build:
    image: *node_image
    environment:
      TURBO_API: https://turbo.mosaicstack.dev
      TURBO_TEAM: mosaic
      TURBO_TOKEN:
        from_secret: turbo_token
    commands:
      - *enable_pnpm
      - pnpm build
    depends_on:
      - lint
      - format
      - test
--- a/apps/gateway/package.json
+++ b/apps/gateway/package.json
@@ -15,14 +15,16 @@
    "@fastify/helmet": "^13.0.2",
    "@mariozechner/pi-ai": "~0.57.1",
    "@mariozechner/pi-coding-agent": "~0.57.1",
    "@modelcontextprotocol/sdk": "^1.27.1",
    "@mosaic/auth": "workspace:^",
    "@mosaic/queue": "workspace:^",
    "@mosaic/brain": "workspace:^",
    "@mosaic/coord": "workspace:^",
    "@mosaic/db": "workspace:^",
    "@mosaic/discord-plugin": "workspace:^",
    "@mosaic/telegram-plugin": "workspace:^",
    "@mosaic/log": "workspace:^",
    "@mosaic/memory": "workspace:^",
    "@mosaic/telegram-plugin": "workspace:^",
    "@mosaic/types": "workspace:^",
    "@nestjs/common": "^11.0.0",
    "@nestjs/core": "^11.0.0",
@@ -41,12 +43,14 @@
    "better-auth": "^1.5.5",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.15.1",
    "dotenv": "^17.3.1",
    "fastify": "^5.0.0",
    "node-cron": "^4.2.1",
    "reflect-metadata": "^0.2.0",
    "rxjs": "^7.8.0",
    "socket.io": "^4.8.0",
-    "uuid": "^11.0.0"
+    "uuid": "^11.0.0",
    "zod": "^4.3.6"
  },
  "devDependencies": {
    "@types/node": "^22.0.0",
--- a/apps/gateway/src/admin/admin-health.controller.ts
+++ b/apps/gateway/src/admin/admin-health.controller.ts
@@ -0,0 +1,73 @@
 import { Controller, Get, Inject, UseGuards } from '@nestjs/common';
 import { sql, type Db } from '@mosaic/db';
 import { createQueue } from '@mosaic/queue';
 import { DB } from '../database/database.module.js';
 import { AgentService } from '../agent/agent.service.js';
 import { ProviderService } from '../agent/provider.service.js';
 import { AdminGuard } from './admin.guard.js';
 import type { HealthStatusDto, ServiceStatusDto } from './admin.dto.js';
@Controller('api/admin/health')
@UseGuards(AdminGuard)
 export class AdminHealthController {
  constructor(
    @Inject(DB) private readonly db: Db,
    @Inject(AgentService) private readonly agentService: AgentService,
    @Inject(ProviderService) private readonly providerService: ProviderService,
  ) {}
  @Get()
  async check(): Promise<HealthStatusDto> {
    const [database, cache] = await Promise.all([this.checkDatabase(), this.checkCache()]);
    const sessions = this.agentService.listSessions();
    const providers = this.providerService.listProviders();
    const allOk = database.status === 'ok' && cache.status === 'ok';
    return {
      status: allOk ? 'ok' : 'degraded',
      database,
      cache,
      agentPool: { activeSessions: sessions.length },
      providers: providers.map((p) => ({
        id: p.id,
        name: p.name,
        available: p.available,
        modelCount: p.models.length,
      })),
      checkedAt: new Date().toISOString(),
    };
  }
  private async checkDatabase(): Promise<ServiceStatusDto> {
    const start = Date.now();
    try {
      await this.db.execute(sql`SELECT 1`);
      return { status: 'ok', latencyMs: Date.now() - start };
    } catch (err) {
      return {
        status: 'error',
        latencyMs: Date.now() - start,
        error: err instanceof Error ? err.message : String(err),
      };
    }
  }
  private async checkCache(): Promise<ServiceStatusDto> {
    const start = Date.now();
    const handle = createQueue();
    try {
      await handle.redis.ping();
      return { status: 'ok', latencyMs: Date.now() - start };
    } catch (err) {
      return {
        status: 'error',
        latencyMs: Date.now() - start,
        error: err instanceof Error ? err.message : String(err),
      };
    } finally {
      await handle.close().catch(() => {});
    }
  }
 }
--- a/apps/gateway/src/admin/admin.controller.ts
+++ b/apps/gateway/src/admin/admin.controller.ts
@@ -0,0 +1,146 @@
 import {
  Body,
  Controller,
  Delete,
  Get,
  HttpCode,
  HttpStatus,
  Inject,
  InternalServerErrorException,
  NotFoundException,
  Param,
  Patch,
  Post,
  UseGuards,
 } from '@nestjs/common';
 import { eq, type Db, users as usersTable } from '@mosaic/db';
 import type { Auth } from '@mosaic/auth';
 import { AUTH } from '../auth/auth.tokens.js';
 import { DB } from '../database/database.module.js';
 import { AdminGuard } from './admin.guard.js';
 import type {
  BanUserDto,
  CreateUserDto,
  UpdateUserRoleDto,
  UserDto,
  UserListDto,
 } from './admin.dto.js';
 type UserRow = typeof usersTable.$inferSelect;
 function toUserDto(u: UserRow): UserDto {
  return {
    id: u.id,
    name: u.name,
    email: u.email,
    role: u.role,
    banned: u.banned ?? false,
    banReason: u.banReason ?? null,
    createdAt: u.createdAt.toISOString(),
    updatedAt: u.updatedAt.toISOString(),
  };
 }
 async function requireUpdated(
  db: Db,
  id: string,
  update: Partial<Omit<UserRow, 'id' | 'createdAt'>>,
 ): Promise<UserDto> {
  const [updated] = await db
    .update(usersTable)
    .set({ ...update, updatedAt: new Date() })
    .where(eq(usersTable.id, id))
    .returning();
  if (!updated) throw new InternalServerErrorException('Update returned no rows');
  return toUserDto(updated);
 }
@Controller('api/admin/users')
@UseGuards(AdminGuard)
 export class AdminController {
  constructor(
    @Inject(DB) private readonly db: Db,
    @Inject(AUTH) private readonly auth: Auth,
  ) {}
  @Get()
  async listUsers(): Promise<UserListDto> {
    const rows = await this.db.select().from(usersTable).orderBy(usersTable.createdAt);
    const userList: UserDto[] = rows.map(toUserDto);
    return { users: userList, total: userList.length };
  }
  @Get(':id')
  async getUser(@Param('id') id: string): Promise<UserDto> {
    const [user] = await this.db.select().from(usersTable).where(eq(usersTable.id, id)).limit(1);
    if (!user) throw new NotFoundException('User not found');
    return toUserDto(user);
  }
  @Post()
  async createUser(@Body() body: CreateUserDto): Promise<UserDto> {
    // Use auth API to create user so password is properly hashed
    const authApi = this.auth.api as unknown as {
      createUser: (opts: {
        body: { name: string; email: string; password: string; role?: string };
      }) => Promise<{
        user: { id: string; name: string; email: string; createdAt: unknown; updatedAt: unknown };
      }>;
    };
    const result = await authApi.createUser({
      body: {
        name: body.name,
        email: body.email,
        password: body.password,
        role: body.role ?? 'member',
      },
    });
    // Re-fetch from DB to get full row with our schema
    const [user] = await this.db
      .select()
      .from(usersTable)
      .where(eq(usersTable.id, result.user.id))
      .limit(1);
    if (!user) throw new InternalServerErrorException('User created but not found in DB');
    return toUserDto(user);
  }
  @Patch(':id/role')
  async setRole(@Param('id') id: string, @Body() body: UpdateUserRoleDto): Promise<UserDto> {
    await this.ensureExists(id);
    return requireUpdated(this.db, id, { role: body.role });
  }
  @Post(':id/ban')
  @HttpCode(HttpStatus.OK)
  async banUser(@Param('id') id: string, @Body() body: BanUserDto): Promise<UserDto> {
    await this.ensureExists(id);
    return requireUpdated(this.db, id, { banned: true, banReason: body.reason ?? null });
  }
  @Post(':id/unban')
  @HttpCode(HttpStatus.OK)
  async unbanUser(@Param('id') id: string): Promise<UserDto> {
    await this.ensureExists(id);
    return requireUpdated(this.db, id, { banned: false, banReason: null, banExpires: null });
  }
  @Delete(':id')
  @HttpCode(HttpStatus.NO_CONTENT)
  async deleteUser(@Param('id') id: string): Promise<void> {
    await this.ensureExists(id);
    await this.db.delete(usersTable).where(eq(usersTable.id, id));
  }
  private async ensureExists(id: string): Promise<void> {
    const [existing] = await this.db
      .select({ id: usersTable.id })
      .from(usersTable)
      .where(eq(usersTable.id, id))
      .limit(1);
    if (!existing) throw new NotFoundException('User not found');
  }
 }
--- a/apps/gateway/src/admin/admin.dto.ts
+++ b/apps/gateway/src/admin/admin.dto.ts
@@ -0,0 +1,56 @@
 export interface UserDto {
  id: string;
  name: string;
  email: string;
  role: string;
  banned: boolean;
  banReason: string | null;
  createdAt: string;
  updatedAt: string;
 }
 export interface UserListDto {
  users: UserDto[];
  total: number;
 }
 export interface CreateUserDto {
  name: string;
  email: string;
  password: string;
  role?: string;
 }
 export interface UpdateUserRoleDto {
  role: string;
 }
 export interface BanUserDto {
  reason?: string;
 }
 export interface HealthStatusDto {
  status: 'ok' | 'degraded' | 'error';
  database: ServiceStatusDto;
  cache: ServiceStatusDto;
  agentPool: AgentPoolStatusDto;
  providers: ProviderStatusDto[];
  checkedAt: string;
 }
 export interface ServiceStatusDto {
  status: 'ok' | 'error';
  latencyMs?: number;
  error?: string;
 }
 export interface AgentPoolStatusDto {
  activeSessions: number;
 }
 export interface ProviderStatusDto {
  id: string;
  name: string;
  available: boolean;
  modelCount: number;
 }
--- a/apps/gateway/src/admin/admin.guard.ts
+++ b/apps/gateway/src/admin/admin.guard.ts
@@ -0,0 +1,44 @@
 import {
  CanActivate,
  ExecutionContext,
  ForbiddenException,
  Inject,
  Injectable,
  UnauthorizedException,
 } from '@nestjs/common';
 import { fromNodeHeaders } from 'better-auth/node';
 import type { Auth } from '@mosaic/auth';
 import type { FastifyRequest } from 'fastify';
 import { AUTH } from '../auth/auth.tokens.js';
 interface UserWithRole {
  id: string;
  role?: string;
 }
@Injectable()
 export class AdminGuard implements CanActivate {
  constructor(@Inject(AUTH) private readonly auth: Auth) {}
  async canActivate(context: ExecutionContext): Promise<boolean> {
    const request = context.switchToHttp().getRequest<FastifyRequest>();
    const headers = fromNodeHeaders(request.raw.headers);
    const result = await this.auth.api.getSession({ headers });
    if (!result) {
      throw new UnauthorizedException('Invalid or expired session');
    }
    const user = result.user as UserWithRole;
    if (user.role !== 'admin') {
      throw new ForbiddenException('Admin access required');
    }
    (request as FastifyRequest & { user: unknown; session: unknown }).user = result.user;
    (request as FastifyRequest & { user: unknown; session: unknown }).session = result.session;
    return true;
  }
 }
--- a/apps/gateway/src/admin/admin.module.ts
+++ b/apps/gateway/src/admin/admin.module.ts
@@ -0,0 +1,10 @@
 import { Module } from '@nestjs/common';
 import { AdminController } from './admin.controller.js';
 import { AdminHealthController } from './admin-health.controller.js';
 import { AdminGuard } from './admin.guard.js';
@Module({
  controllers: [AdminController, AdminHealthController],
  providers: [AdminGuard],
 })
 export class AdminModule {}
--- a/apps/gateway/src/agent/agent.module.ts
+++ b/apps/gateway/src/agent/agent.module.ts
@@ -2,15 +2,18 @@ import { Global, Module } from '@nestjs/common';
 import { AgentService } from './agent.service.js';
 import { ProviderService } from './provider.service.js';
 import { RoutingService } from './routing.service.js';
 import { SkillLoaderService } from './skill-loader.service.js';
 import { ProvidersController } from './providers.controller.js';
 import { SessionsController } from './sessions.controller.js';
 import { CoordModule } from '../coord/coord.module.js';
 import { McpClientModule } from '../mcp-client/mcp-client.module.js';
 import { SkillsModule } from '../skills/skills.module.js';
@Global()
@Module({
-  imports: [CoordModule],
+  imports: [CoordModule, McpClientModule, SkillsModule],
-  providers: [ProviderService, RoutingService, AgentService],
+  providers: [ProviderService, RoutingService, SkillLoaderService, AgentService],
  controllers: [ProvidersController, SessionsController],
-  exports: [AgentService, ProviderService, RoutingService],
+  exports: [AgentService, ProviderService, RoutingService, SkillLoaderService],
 })
 export class AgentModule {}
--- a/apps/gateway/src/agent/agent.service.ts
+++ b/apps/gateway/src/agent/agent.service.ts
@@ -1,6 +1,7 @@
 import { Inject, Injectable, Logger, type OnModuleDestroy } from '@nestjs/common';
 import {
  createAgentSession,
  DefaultResourceLoader,
  SessionManager,
  type AgentSession as PiAgentSession,
  type AgentSessionEvent,
@@ -13,14 +14,41 @@ import { MEMORY } from '../memory/memory.tokens.js';
 import { EmbeddingService } from '../memory/embedding.service.js';
 import { CoordService } from '../coord/coord.service.js';
 import { ProviderService } from './provider.service.js';
 import { McpClientService } from '../mcp-client/mcp-client.service.js';
 import { SkillLoaderService } from './skill-loader.service.js';
 import { createBrainTools } from './tools/brain-tools.js';
 import { createCoordTools } from './tools/coord-tools.js';
 import { createMemoryTools } from './tools/memory-tools.js';
 import { createFileTools } from './tools/file-tools.js';
 import { createGitTools } from './tools/git-tools.js';
 import { createShellTools } from './tools/shell-tools.js';
 import { createWebTools } from './tools/web-tools.js';
 import type { SessionInfoDto } from './session.dto.js';
 export interface AgentSessionOptions {
  provider?: string;
  modelId?: string;
  /**
   * Sandbox working directory for the session.
   * File, git, and shell tools will be restricted to this directory.
   * Falls back to AGENT_FILE_SANDBOX_DIR env var or process.cwd().
   */
  sandboxDir?: string;
  /**
   * Platform-level system prompt for this session.
   * Merged with skill prompt additions (platform prompt first, then skills).
   * Falls back to AGENT_SYSTEM_PROMPT env var when omitted.
   */
  systemPrompt?: string;
  /**
   * Explicit allowlist of tool names available in this session.
   * When set, only listed tools are registered with the agent.
   * When omitted for non-admin users, falls back to AGENT_USER_TOOLS env var.
   * Admins (isAdmin=true) always receive the full tool set unless explicitly restricted.
   */
  allowedTools?: string[];
  /** Whether the requesting user has admin privileges. Controls default tool access. */
  isAdmin?: boolean;
 }
 export interface AgentSession {
@@ -33,6 +61,12 @@ export interface AgentSession {
  createdAt: number;
  promptCount: number;
  channels: Set<string>;
  /** System prompt additions injected from enabled prompt-type skills. */
  skillPromptAdditions: string[];
  /** Resolved sandbox directory for this session. */
  sandboxDir: string;
  /** Tool names available in this session, or null when all tools are available. */
  allowedTools: string[] | null;
 }
@Injectable()
@@ -41,21 +75,57 @@ export class AgentService implements OnModuleDestroy {
  private readonly sessions = new Map<string, AgentSession>();
  private readonly creating = new Map<string, Promise<AgentSession>>();
  private readonly customTools: ToolDefinition[];
  constructor(
    @Inject(ProviderService) private readonly providerService: ProviderService,
    @Inject(BRAIN) private readonly brain: Brain,
    @Inject(MEMORY) private readonly memory: Memory,
    @Inject(EmbeddingService) private readonly embeddingService: EmbeddingService,
    @Inject(CoordService) private readonly coordService: CoordService,
-  ) {
+    @Inject(McpClientService) private readonly mcpClientService: McpClientService,
-    this.customTools = [
+    @Inject(SkillLoaderService) private readonly skillLoaderService: SkillLoaderService,
-      ...createBrainTools(brain),
+  ) {}
-      ...createCoordTools(coordService),
+
-      ...createMemoryTools(memory, embeddingService.available ? embeddingService : null),
+  /**
   * Build the full set of custom tools scoped to the given sandbox directory.
   * Brain/coord/memory/web tools are stateless with respect to cwd; file/git/shell
   * tools receive the resolved sandboxDir so they operate within the sandbox.
   */
  private buildToolsForSandbox(sandboxDir: string): ToolDefinition[] {
    return [
      ...createBrainTools(this.brain),
      ...createCoordTools(this.coordService),
      ...createMemoryTools(
        this.memory,
        this.embeddingService.available ? this.embeddingService : null,
      ),
      ...createFileTools(sandboxDir),
      ...createGitTools(sandboxDir),
      ...createShellTools(sandboxDir),
      ...createWebTools(),
    ];
-    this.logger.log(`Registered ${this.customTools.length} custom tools`);
+  }
  /**
   * Resolve the tool allowlist for a session.
   * - Admin users: all tools unless an explicit allowedTools list is passed.
   * - Regular users: use allowedTools if provided, otherwise parse AGENT_USER_TOOLS env var.
   * Returns null when all tools should be available.
   */
  private resolveAllowedTools(isAdmin: boolean, allowedTools?: string[]): string[] | null {
    if (allowedTools !== undefined) {
      return allowedTools.length === 0 ? [] : allowedTools;
    }
    if (isAdmin) {
      return null; // admins get everything
    }
    const envTools = process.env['AGENT_USER_TOOLS'];
    if (!envTools) {
      return null; // no restriction configured
    }
    return envTools
      .split(',')
      .map((t) => t.trim())
      .filter((t) => t.length > 0);
  }
  async createSession(sessionId: string, options?: AgentSessionOptions): Promise<AgentSession> {
@@ -80,18 +150,76 @@ export class AgentService implements OnModuleDestroy {
    const providerName = model?.provider ?? 'default';
    const modelId = model?.id ?? 'default';
    // Resolve sandbox directory: option > env var > process.cwd()
    const sandboxDir =
      options?.sandboxDir ?? process.env['AGENT_FILE_SANDBOX_DIR'] ?? process.cwd();
    // Resolve allowed tool set
    const allowedTools = this.resolveAllowedTools(options?.isAdmin ?? false, options?.allowedTools);
    this.logger.log(
-      `Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId})`,
+      `Creating agent session: ${sessionId} (provider=${providerName}, model=${modelId}, sandbox=${sandboxDir}, tools=${allowedTools === null ? 'all' : allowedTools.join(',') || 'none'})`,
    );
    // Load skill tools from the catalog
    const { metaTools: skillMetaTools, promptAdditions } =
      await this.skillLoaderService.loadForSession();
    if (skillMetaTools.length > 0) {
      this.logger.log(`Attaching ${skillMetaTools.length} skill tool(s) to session ${sessionId}`);
    }
    if (promptAdditions.length > 0) {
      this.logger.log(
        `Injecting ${promptAdditions.length} skill prompt addition(s) into session ${sessionId}`,
      );
    }
    // Build per-session tools scoped to the sandbox directory
    const sandboxTools = this.buildToolsForSandbox(sandboxDir);
    // Combine static tools with dynamically discovered MCP client tools and skill tools
    const mcpTools = this.mcpClientService.getToolDefinitions();
    let allCustomTools = [...sandboxTools, ...skillMetaTools, ...mcpTools];
    if (mcpTools.length > 0) {
      this.logger.log(`Attaching ${mcpTools.length} MCP client tool(s) to session ${sessionId}`);
    }
    // Filter tools by allowlist when a restriction is in effect
    if (allowedTools !== null) {
      const allowedSet = new Set(allowedTools);
      const before = allCustomTools.length;
      allCustomTools = allCustomTools.filter((t) => allowedSet.has(t.name));
      this.logger.log(
        `Tool restriction applied: ${allCustomTools.length}/${before} tools allowed for session ${sessionId}`,
      );
    }
    // Build system prompt: platform prompt + skill additions appended
    const platformPrompt = options?.systemPrompt ?? process.env['AGENT_SYSTEM_PROMPT'] ?? undefined;
    const appendSystemPrompt =
      promptAdditions.length > 0 ? promptAdditions.join('\n\n') : undefined;
    // Construct a resource loader that injects the configured system prompt
    const resourceLoader = new DefaultResourceLoader({
      cwd: sandboxDir,
      noExtensions: true,
      noSkills: true,
      noPromptTemplates: true,
      noThemes: true,
      systemPrompt: platformPrompt,
      appendSystemPrompt: appendSystemPrompt,
    });
    await resourceLoader.reload();
    let piSession: PiAgentSession;
    try {
      const result = await createAgentSession({
        sessionManager: SessionManager.inMemory(),
        modelRegistry: this.providerService.getRegistry(),
        model: model ?? undefined,
        cwd: sandboxDir,
        tools: [],
-        customTools: this.customTools,
+        customTools: allCustomTools,
        resourceLoader,
      });
      piSession = result.session;
    } catch (err) {
@@ -124,6 +252,9 @@ export class AgentService implements OnModuleDestroy {
      createdAt: Date.now(),
      promptCount: 0,
      channels: new Set(),
      skillPromptAdditions: promptAdditions,
      sandboxDir,
      allowedTools,
    };
    this.sessions.set(sessionId, session);
--- a/apps/gateway/src/agent/provider.dto.ts
+++ b/apps/gateway/src/agent/provider.dto.ts
@@ -0,0 +1,17 @@
 export interface TestConnectionDto {
  /** Provider identifier to test (e.g. 'ollama', custom provider id) */
  providerId: string;
  /** Optional base URL override for ad-hoc testing */
  baseUrl?: string;
 }
 export interface TestConnectionResultDto {
  providerId: string;
  reachable: boolean;
  /** Round-trip latency in milliseconds (present when reachable) */
  latencyMs?: number;
  /** Human-readable error when unreachable */
  error?: string;
  /** Model ids discovered at the remote endpoint (present when reachable) */
  discoveredModels?: string[];
 }
--- a/apps/gateway/src/agent/provider.service.ts
+++ b/apps/gateway/src/agent/provider.service.ts
@@ -2,13 +2,14 @@ import { Injectable, Logger, type OnModuleInit } from '@nestjs/common';
 import { ModelRegistry, AuthStorage } from '@mariozechner/pi-coding-agent';
 import type { Model, Api } from '@mariozechner/pi-ai';
 import type { ModelInfo, ProviderInfo, CustomProviderConfig } from '@mosaic/types';
 import type { TestConnectionResultDto } from './provider.dto.js';
@Injectable()
 export class ProviderService implements OnModuleInit {
  private readonly logger = new Logger(ProviderService.name);
  private registry!: ModelRegistry;
-  async onModuleInit(): Promise<void> {
+  onModuleInit(): void {
    const authStorage = AuthStorage.inMemory();
    this.registry = new ModelRegistry(authStorage);
@@ -64,6 +65,63 @@ export class ProviderService implements OnModuleInit {
    return this.registry.getAvailable().map((m) => this.toModelInfo(m));
  }
  async testConnection(providerId: string, baseUrl?: string): Promise<TestConnectionResultDto> {
    // Resolve baseUrl: explicit override > registered provider > ollama env
    let resolvedUrl = baseUrl;
    if (!resolvedUrl) {
      const allModels = this.registry.getAll();
      const providerModels = allModels.filter((m) => m.provider === providerId);
      if (providerModels.length === 0) {
        return { providerId, reachable: false, error: `Provider '${providerId}' not found` };
      }
      // For Ollama, derive the base URL from environment
      if (providerId === 'ollama') {
        const ollamaUrl = process.env['OLLAMA_BASE_URL'] ?? process.env['OLLAMA_HOST'];
        if (!ollamaUrl) {
          return { providerId, reachable: false, error: 'OLLAMA_BASE_URL not configured' };
        }
        resolvedUrl = `${ollamaUrl}/v1/models`;
      } else {
        // For other providers, we can only do a basic check
        return { providerId, reachable: true, discoveredModels: providerModels.map((m) => m.id) };
      }
    } else {
      resolvedUrl = resolvedUrl.replace(/\/?$/, '') + '/models';
    }
    const start = Date.now();
    try {
      const res = await fetch(resolvedUrl, {
        method: 'GET',
        headers: { Accept: 'application/json' },
        signal: AbortSignal.timeout(5000),
      });
      const latencyMs = Date.now() - start;
      if (!res.ok) {
        return { providerId, reachable: false, latencyMs, error: `HTTP ${res.status}` };
      }
      let discoveredModels: string[] | undefined;
      try {
        const json = (await res.json()) as { models?: Array<{ id?: string; name?: string }> };
        if (Array.isArray(json.models)) {
          discoveredModels = json.models.map((m) => m.id ?? m.name ?? '').filter(Boolean);
        }
      } catch {
        // ignore parse errors — endpoint was reachable
      }
      return { providerId, reachable: true, latencyMs, discoveredModels };
    } catch (err) {
      const latencyMs = Date.now() - start;
      const message = err instanceof Error ? err.message : String(err);
      return { providerId, reachable: false, latencyMs, error: message };
    }
  }
  registerCustomProvider(config: CustomProviderConfig): void {
    this.registry.registerProvider(config.id, {
      baseUrl: config.baseUrl,
@@ -92,14 +150,16 @@ export class ProviderService implements OnModuleInit {
      .map((modelId: string) => modelId.trim())
      .filter(Boolean);
-    this.registerCustomProvider({
+    this.registry.registerProvider('ollama', {
      id: 'ollama',
      name: 'Ollama',
      baseUrl: `${ollamaUrl}/v1`,
      apiKey: 'ollama',
      api: 'openai-completions' as never,
      models: modelIds.map((id) => ({
        id,
        name: id,
        reasoning: false,
        input: ['text'] as ('text' | 'image')[],
        cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
        contextWindow: 8192,
        maxTokens: 4096,
      })),
--- a/apps/gateway/src/agent/providers.controller.ts
+++ b/apps/gateway/src/agent/providers.controller.ts
@@ -3,6 +3,7 @@ import type { RoutingCriteria } from '@mosaic/types';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { ProviderService } from './provider.service.js';
 import { RoutingService } from './routing.service.js';
 import type { TestConnectionDto, TestConnectionResultDto } from './provider.dto.js';
@Controller('api/providers')
@UseGuards(AuthGuard)
@@ -22,6 +23,11 @@ export class ProvidersController {
    return this.providerService.listAvailableModels();
  }
  @Post('test')
  testConnection(@Body() body: TestConnectionDto): Promise<TestConnectionResultDto> {
    return this.providerService.testConnection(body.providerId, body.baseUrl);
  }
  @Post('route')
  route(@Body() criteria: RoutingCriteria) {
    return this.routingService.route(criteria);
--- a/apps/gateway/src/agent/session.dto.ts
+++ b/apps/gateway/src/agent/session.dto.ts
@@ -12,3 +12,33 @@ export interface SessionListDto {
  sessions: SessionInfoDto[];
  total: number;
 }
 /**
 * Options accepted when creating an agent session.
 * All fields are optional; omitting them falls back to env-var or process defaults.
 */
 export interface CreateSessionOptionsDto {
  /** Provider name (e.g. "anthropic", "openai"). */
  provider?: string;
  /** Model ID to use for this session. */
  modelId?: string;
  /**
   * Sandbox working directory for the session.
   * File, git, and shell tools will be restricted to this directory.
   * Defaults to AGENT_FILE_SANDBOX_DIR env var or process.cwd().
   */
  sandboxDir?: string;
  /**
   * Platform-level system prompt for this session.
   * Merged with skill prompt additions (platform prompt first, then skills).
   * Falls back to AGENT_SYSTEM_PROMPT env var when omitted.
   */
  systemPrompt?: string;
  /**
   * Explicit allowlist of tool names available in this session.
   * When provided, only listed tools are registered with the agent.
   * Admins receive all tools; regular users fall back to AGENT_USER_TOOLS
   * env var (comma-separated) when this field is not supplied.
   */
  allowedTools?: string[];
 }
--- a/apps/gateway/src/agent/skill-loader.service.ts
+++ b/apps/gateway/src/agent/skill-loader.service.ts
@@ -0,0 +1,59 @@
 import { Inject, Injectable, Logger } from '@nestjs/common';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 import { SkillsService } from '../skills/skills.service.js';
 import { createSkillTools } from './tools/skill-tools.js';
 export interface LoadedSkills {
  /** Meta-tools: skill_list + skill_invoke */
  metaTools: ToolDefinition[];
  /**
   * System prompt additions from enabled prompt-type skills.
   * Callers may prepend these to the session system prompt.
   */
  promptAdditions: string[];
 }
 /**
 * SkillLoaderService is responsible for:
 * 1. Providing the skill meta-tools (skill_list, skill_invoke) to agent sessions.
 * 2. Collecting system-prompt additions from enabled prompt-type skills.
 */
@Injectable()
 export class SkillLoaderService {
  private readonly logger = new Logger(SkillLoaderService.name);
  constructor(@Inject(SkillsService) private readonly skillsService: SkillsService) {}
  /**
   * Load enabled skills and return tools + prompt additions for a new session.
   */
  async loadForSession(): Promise<LoadedSkills> {
    const metaTools = createSkillTools(this.skillsService);
    let promptAdditions: string[] = [];
    try {
      const enabledSkills = await this.skillsService.findEnabled();
      promptAdditions = enabledSkills.flatMap((skill) => {
        const config = (skill.config ?? {}) as Record<string, unknown>;
        const skillType = (config['type'] as string | undefined) ?? 'prompt';
        if (skillType === 'prompt') {
          const addition = (config['prompt'] as string | undefined) ?? skill.description;
          return addition ? [addition] : [];
        }
        return [];
      });
      this.logger.log(
        `Loaded ${enabledSkills.length} enabled skill(s), ` +
          `${promptAdditions.length} prompt addition(s)`,
      );
    } catch (err) {
      // Non-fatal: log and continue without prompt additions
      this.logger.warn(
        `Failed to load skill prompt additions: ${err instanceof Error ? err.message : String(err)}`,
      );
    }
    return { metaTools, promptAdditions };
  }
 }
--- a/apps/gateway/src/agent/tools/file-tools.ts
+++ b/apps/gateway/src/agent/tools/file-tools.ts
@@ -0,0 +1,189 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
 import { resolve, relative, join } from 'node:path';
 /**
 * Safety constraint: all file operations are restricted to a base directory.
 * Paths that escape the sandbox via ../ traversal are rejected.
 */
 function resolveSafe(baseDir: string, inputPath: string): string {
  const resolved = resolve(baseDir, inputPath);
  const rel = relative(baseDir, resolved);
  if (rel.startsWith('..') || resolve(resolved) !== resolve(join(baseDir, rel))) {
    throw new Error(`Path escape detected: "${inputPath}" resolves outside base directory`);
  }
  return resolved;
 }
 const MAX_READ_BYTES = 512 * 1024; // 512 KB read limit
 const MAX_WRITE_BYTES = 1024 * 1024; // 1 MB write limit
 export function createFileTools(baseDir: string): ToolDefinition[] {
  const readFileTool: ToolDefinition = {
    name: 'fs_read_file',
    label: 'Read File',
    description:
      'Read the contents of a file. Path is resolved relative to the sandbox base directory.',
    parameters: Type.Object({
      path: Type.String({
        description: 'File path (relative to sandbox base or absolute within it)',
      }),
      encoding: Type.Optional(
        Type.String({ description: 'Encoding: utf8 (default), base64, hex' }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { path, encoding } = params as { path: string; encoding?: string };
      let safePath: string;
      try {
        safePath = resolveSafe(baseDir, path);
      } catch (err) {
        return {
          content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
          details: undefined,
        };
      }
      try {
        const info = await stat(safePath);
        if (!info.isFile()) {
          return {
            content: [{ type: 'text' as const, text: `Error: path is not a file: ${path}` }],
            details: undefined,
          };
        }
        if (info.size > MAX_READ_BYTES) {
          return {
            content: [
              {
                type: 'text' as const,
                text: `Error: file too large (${info.size} bytes, limit ${MAX_READ_BYTES} bytes)`,
              },
            ],
            details: undefined,
          };
        }
        const enc = (encoding ?? 'utf8') as BufferEncoding;
        const content = await readFile(safePath, { encoding: enc });
        return {
          content: [{ type: 'text' as const, text: String(content) }],
          details: undefined,
        };
      } catch (err) {
        return {
          content: [{ type: 'text' as const, text: `Error reading file: ${String(err)}` }],
          details: undefined,
        };
      }
    },
  };
  const writeFileTool: ToolDefinition = {
    name: 'fs_write_file',
    label: 'Write File',
    description:
      'Write content to a file. Path is resolved relative to the sandbox base directory. Overwrites existing file.',
    parameters: Type.Object({
      path: Type.String({
        description: 'File path (relative to sandbox base or absolute within it)',
      }),
      content: Type.String({ description: 'Content to write' }),
      encoding: Type.Optional(Type.String({ description: 'Encoding: utf8 (default), base64' })),
    }),
    async execute(_toolCallId, params) {
      const { path, content, encoding } = params as {
        path: string;
        content: string;
        encoding?: string;
      };
      let safePath: string;
      try {
        safePath = resolveSafe(baseDir, path);
      } catch (err) {
        return {
          content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
          details: undefined,
        };
      }
      if (Buffer.byteLength(content, 'utf8') > MAX_WRITE_BYTES) {
        return {
          content: [
            {
              type: 'text' as const,
              text: `Error: content too large (limit ${MAX_WRITE_BYTES} bytes)`,
            },
          ],
          details: undefined,
        };
      }
      try {
        const enc = (encoding ?? 'utf8') as BufferEncoding;
        await writeFile(safePath, content, { encoding: enc });
        return {
          content: [{ type: 'text' as const, text: `File written successfully: ${path}` }],
          details: undefined,
        };
      } catch (err) {
        return {
          content: [{ type: 'text' as const, text: `Error writing file: ${String(err)}` }],
          details: undefined,
        };
      }
    },
  };
  const listDirectoryTool: ToolDefinition = {
    name: 'fs_list_directory',
    label: 'List Directory',
    description: 'List files and directories at a given path within the sandbox base directory.',
    parameters: Type.Object({
      path: Type.Optional(
        Type.String({
          description: 'Directory path (relative to sandbox base). Defaults to base directory.',
        }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { path } = params as { path?: string };
      const target = path ?? '.';
      let safePath: string;
      try {
        safePath = resolveSafe(baseDir, target);
      } catch (err) {
        return {
          content: [{ type: 'text' as const, text: `Error: ${String(err)}` }],
          details: undefined,
        };
      }
      try {
        const info = await stat(safePath);
        if (!info.isDirectory()) {
          return {
            content: [{ type: 'text' as const, text: `Error: path is not a directory: ${target}` }],
            details: undefined,
          };
        }
        const entries = await readdir(safePath, { withFileTypes: true });
        const items = entries.map((e) => ({
          name: e.name,
          type: e.isDirectory() ? 'directory' : e.isSymbolicLink() ? 'symlink' : 'file',
        }));
        return {
          content: [{ type: 'text' as const, text: JSON.stringify(items, null, 2) }],
          details: undefined,
        };
      } catch (err) {
        return {
          content: [{ type: 'text' as const, text: `Error listing directory: ${String(err)}` }],
          details: undefined,
        };
      }
    },
  };
  return [readFileTool, writeFileTool, listDirectoryTool];
 }
--- a/apps/gateway/src/agent/tools/git-tools.ts
+++ b/apps/gateway/src/agent/tools/git-tools.ts
@@ -0,0 +1,169 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 import { exec } from 'node:child_process';
 import { promisify } from 'node:util';
 import { resolve, relative } from 'node:path';
 const execAsync = promisify(exec);
 const GIT_TIMEOUT_MS = 15_000;
 const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
 /**
 * Clamp a user-supplied cwd to within the sandbox directory.
 * If the resolved path escapes the sandbox (via ../ or absolute path outside),
 * falls back to the sandbox directory itself.
 */
 function clampCwd(sandboxDir: string, requestedCwd?: string): string {
  if (!requestedCwd) return sandboxDir;
  const resolved = resolve(sandboxDir, requestedCwd);
  const rel = relative(sandboxDir, resolved);
  if (rel.startsWith('..') || rel.startsWith('/')) {
    // Escape attempt — fall back to sandbox root
    return sandboxDir;
  }
  return resolved;
 }
 async function runGit(
  args: string[],
  cwd?: string,
 ): Promise<{ stdout: string; stderr: string; error?: string }> {
  // Only allow specific safe read-only git subcommands
  const allowedSubcommands = ['status', 'log', 'diff', 'show', 'branch', 'tag', 'ls-files'];
  const subcommand = args[0];
  if (!subcommand || !allowedSubcommands.includes(subcommand)) {
    return {
      stdout: '',
      stderr: '',
      error: `Blocked: git subcommand "${subcommand}" is not allowed. Permitted: ${allowedSubcommands.join(', ')}`,
    };
  }
  const cmd = `git ${args.map((a) => JSON.stringify(a)).join(' ')}`;
  try {
    const { stdout, stderr } = await execAsync(cmd, {
      cwd,
      timeout: GIT_TIMEOUT_MS,
      maxBuffer: MAX_OUTPUT_BYTES,
    });
    return { stdout, stderr };
  } catch (err: unknown) {
    const e = err as { stdout?: string; stderr?: string; message?: string };
    return {
      stdout: e.stdout ?? '',
      stderr: e.stderr ?? '',
      error: e.message ?? String(err),
    };
  }
 }
 export function createGitTools(sandboxDir?: string): ToolDefinition[] {
  const defaultCwd = sandboxDir ?? process.cwd();
  const gitStatus: ToolDefinition = {
    name: 'git_status',
    label: 'Git Status',
    description: 'Show the working tree status (staged, unstaged, untracked files).',
    parameters: Type.Object({
      cwd: Type.Optional(
        Type.String({
          description: 'Repository working directory (relative to sandbox or absolute within it).',
        }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { cwd } = params as { cwd?: string };
      const safeCwd = clampCwd(defaultCwd, cwd);
      const result = await runGit(['status', '--short', '--branch'], safeCwd);
      const text = result.error
        ? `Error: ${result.error}\n${result.stderr}`
        : result.stdout || '(no output)';
      return {
        content: [{ type: 'text' as const, text: text }],
        details: undefined,
      };
    },
  };
  const gitLog: ToolDefinition = {
    name: 'git_log',
    label: 'Git Log',
    description: 'Show recent commit history.',
    parameters: Type.Object({
      limit: Type.Optional(Type.Number({ description: 'Number of commits to show (default 20)' })),
      oneline: Type.Optional(
        Type.Boolean({ description: 'Compact one-line format (default true)' }),
      ),
      cwd: Type.Optional(
        Type.String({
          description: 'Repository working directory (relative to sandbox or absolute within it).',
        }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { limit, oneline, cwd } = params as {
        limit?: number;
        oneline?: boolean;
        cwd?: string;
      };
      const safeCwd = clampCwd(defaultCwd, cwd);
      const args = ['log', `--max-count=${limit ?? 20}`];
      if (oneline !== false) args.push('--oneline');
      const result = await runGit(args, safeCwd);
      const text = result.error
        ? `Error: ${result.error}\n${result.stderr}`
        : result.stdout || '(no commits)';
      return {
        content: [{ type: 'text' as const, text: text }],
        details: undefined,
      };
    },
  };
  const gitDiff: ToolDefinition = {
    name: 'git_diff',
    label: 'Git Diff',
    description: 'Show changes between commits, working tree, or staged changes.',
    parameters: Type.Object({
      staged: Type.Optional(
        Type.Boolean({ description: 'Show staged (cached) changes instead of unstaged' }),
      ),
      ref: Type.Optional(
        Type.String({ description: 'Compare against this ref (commit SHA, branch, or tag)' }),
      ),
      path: Type.Optional(
        Type.String({ description: 'Limit diff to a specific file or directory' }),
      ),
      cwd: Type.Optional(
        Type.String({
          description: 'Repository working directory (relative to sandbox or absolute within it).',
        }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { staged, ref, path, cwd } = params as {
        staged?: boolean;
        ref?: string;
        path?: string;
        cwd?: string;
      };
      const safeCwd = clampCwd(defaultCwd, cwd);
      const args = ['diff'];
      if (staged) args.push('--cached');
      if (ref) args.push(ref);
      args.push('--');
      if (path) args.push(path);
      const result = await runGit(args, safeCwd);
      const text = result.error
        ? `Error: ${result.error}\n${result.stderr}`
        : result.stdout || '(no diff)';
      return {
        content: [{ type: 'text' as const, text: text }],
        details: undefined,
      };
    },
  };
  return [gitStatus, gitLog, gitDiff];
 }
--- a/apps/gateway/src/agent/tools/index.ts
+++ b/apps/gateway/src/agent/tools/index.ts
@@ -1,2 +1,7 @@
 export { createBrainTools } from './brain-tools.js';
 export { createCoordTools } from './coord-tools.js';
 export { createFileTools } from './file-tools.js';
 export { createGitTools } from './git-tools.js';
 export { createShellTools } from './shell-tools.js';
 export { createWebTools } from './web-tools.js';
 export { createSkillTools } from './skill-tools.js';
--- a/apps/gateway/src/agent/tools/shell-tools.ts
+++ b/apps/gateway/src/agent/tools/shell-tools.ts
@@ -0,0 +1,220 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 import { spawn } from 'node:child_process';
 import { resolve, relative } from 'node:path';
 const DEFAULT_TIMEOUT_MS = 30_000;
 const MAX_OUTPUT_BYTES = 100 * 1024; // 100 KB
 /**
 * Commands that are outright blocked for safety.
 * This is a denylist; the agent should be instructed to use
 * the least-privilege command necessary.
 */
 const BLOCKED_COMMANDS = new Set([
  'rm',
  'rmdir',
  'mkfs',
  'dd',
  'format',
  'fdisk',
  'parted',
  'shred',
  'wipefs',
  'sudo',
  'su',
  'chown',
  'chmod',
  'passwd',
  'useradd',
  'userdel',
  'groupadd',
  'shutdown',
  'reboot',
  'halt',
  'poweroff',
  'kill',
  'killall',
  'pkill',
  'curl',
  'wget',
  'nc',
  'netcat',
  'ncat',
  'ssh',
  'scp',
  'sftp',
  'rsync',
  'iptables',
  'ip6tables',
  'nft',
  'ufw',
  'firewall-cmd',
  'docker',
  'podman',
  'kubectl',
  'helm',
  'terraform',
  'ansible',
  'crontab',
  'at',
  'batch',
 ]);
 function extractBaseCommand(command: string): string {
  // Extract the first word (the binary name), stripping path
  const trimmed = command.trim();
  const firstToken = trimmed.split(/\s+/)[0] ?? '';
  return firstToken.split('/').pop() ?? firstToken;
 }
 /**
 * Clamp a user-supplied cwd to within the sandbox directory.
 * If the resolved path escapes the sandbox (via ../ or absolute path outside),
 * falls back to the sandbox directory itself.
 */
 function clampCwd(sandboxDir: string, requestedCwd?: string): string {
  if (!requestedCwd) return sandboxDir;
  const resolved = resolve(sandboxDir, requestedCwd);
  const rel = relative(sandboxDir, resolved);
  if (rel.startsWith('..') || rel.startsWith('/')) {
    // Escape attempt — fall back to sandbox root
    return sandboxDir;
  }
  return resolved;
 }
 function runCommand(
  command: string,
  options: { timeoutMs: number; cwd?: string },
 ): Promise<{ stdout: string; stderr: string; exitCode: number | null; timedOut: boolean }> {
  return new Promise((resolve) => {
    const child = spawn('sh', ['-c', command], {
      cwd: options.cwd,
      stdio: ['ignore', 'pipe', 'pipe'],
      detached: false,
    });
    let stdout = '';
    let stderr = '';
    let timedOut = false;
    let totalBytes = 0;
    let truncated = false;
    child.stdout?.on('data', (chunk: Buffer) => {
      if (truncated) return;
      totalBytes += chunk.length;
      if (totalBytes > MAX_OUTPUT_BYTES) {
        stdout += chunk.subarray(0, MAX_OUTPUT_BYTES - (totalBytes - chunk.length)).toString();
        stdout += '\n[output truncated at 100 KB limit]';
        truncated = true;
        child.kill('SIGTERM');
      } else {
        stdout += chunk.toString();
      }
    });
    child.stderr?.on('data', (chunk: Buffer) => {
      if (stderr.length < MAX_OUTPUT_BYTES) {
        stderr += chunk.toString();
      }
    });
    const timer = setTimeout(() => {
      timedOut = true;
      child.kill('SIGTERM');
      setTimeout(() => {
        try {
          child.kill('SIGKILL');
        } catch {
          // already exited
        }
      }, 2000);
    }, options.timeoutMs);
    child.on('close', (exitCode) => {
      clearTimeout(timer);
      resolve({ stdout, stderr, exitCode, timedOut });
    });
    child.on('error', (err) => {
      clearTimeout(timer);
      resolve({ stdout, stderr: stderr + String(err), exitCode: null, timedOut: false });
    });
  });
 }
 export function createShellTools(sandboxDir?: string): ToolDefinition[] {
  const defaultCwd = sandboxDir ?? process.cwd();
  const shellExec: ToolDefinition = {
    name: 'shell_exec',
    label: 'Shell Execute',
    description:
      'Execute a shell command with timeout and output limits. Dangerous commands (rm, sudo, docker, etc.) are blocked. Working directory is restricted to the session sandbox.',
    parameters: Type.Object({
      command: Type.String({ description: 'Shell command to execute' }),
      cwd: Type.Optional(
        Type.String({
          description:
            'Working directory for the command (relative to sandbox or absolute within it).',
        }),
      ),
      timeout: Type.Optional(
        Type.Number({ description: 'Timeout in milliseconds (default 30000, max 60000)' }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { command, cwd, timeout } = params as {
        command: string;
        cwd?: string;
        timeout?: number;
      };
      const base = extractBaseCommand(command);
      if (BLOCKED_COMMANDS.has(base)) {
        return {
          content: [
            {
              type: 'text' as const,
              text: `Error: command "${base}" is blocked for safety reasons.`,
            },
          ],
          details: undefined,
        };
      }
      const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 60_000);
      const safeCwd = clampCwd(defaultCwd, cwd);
      const result = await runCommand(command, {
        timeoutMs,
        cwd: safeCwd,
      });
      if (result.timedOut) {
        return {
          content: [
            {
              type: 'text' as const,
              text: `Command timed out after ${timeoutMs}ms.\nPartial stdout:\n${result.stdout}\nPartial stderr:\n${result.stderr}`,
            },
          ],
          details: undefined,
        };
      }
      const parts: string[] = [];
      if (result.stdout) parts.push(`stdout:\n${result.stdout}`);
      if (result.stderr) parts.push(`stderr:\n${result.stderr}`);
      parts.push(`exit code: ${result.exitCode ?? 'null'}`);
      return {
        content: [{ type: 'text' as const, text: parts.join('\n') }],
        details: undefined,
      };
    },
  };
  return [shellExec];
 }
--- a/apps/gateway/src/agent/tools/skill-tools.ts
+++ b/apps/gateway/src/agent/tools/skill-tools.ts
@@ -0,0 +1,180 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 import type { SkillsService } from '../../skills/skills.service.js';
 /**
 * Creates meta-tools that allow agents to list and invoke skills from the catalog.
 *
 * skill_list  — list all enabled skills
 * skill_invoke — execute a skill by name with parameters
 */
 export function createSkillTools(skillsService: SkillsService): ToolDefinition[] {
  const skillList: ToolDefinition = {
    name: 'skill_list',
    label: 'List Skills',
    description:
      'List all enabled skills available in the catalog. Returns name, description, type, and config for each skill.',
    parameters: Type.Object({}),
    async execute() {
      const skills = await skillsService.findEnabled();
      const summary = skills.map((s) => ({
        name: s.name,
        description: s.description,
        version: s.version,
        source: s.source,
        config: s.config,
      }));
      return {
        content: [
          {
            type: 'text' as const,
            text:
              summary.length > 0
                ? JSON.stringify(summary, null, 2)
                : 'No enabled skills found in catalog.',
          },
        ],
        details: undefined,
      };
    },
  };
  const skillInvoke: ToolDefinition = {
    name: 'skill_invoke',
    label: 'Invoke Skill',
    description:
      'Invoke a skill from the catalog by name. For prompt skills, returns the prompt addition. ' +
      'For tool skills, executes the embedded logic. For workflow skills, returns the workflow steps.',
    parameters: Type.Object({
      name: Type.String({ description: 'Skill name to invoke' }),
      params: Type.Optional(
        Type.Record(Type.String(), Type.Unknown(), {
          description: 'Parameters to pass to the skill (if applicable)',
        }),
      ),
    }),
    async execute(_toolCallId, rawParams) {
      const { name, params } = rawParams as {
        name: string;
        params?: Record<string, unknown>;
      };
      const skill = await skillsService.findByName(name);
      if (!skill) {
        return {
          content: [{ type: 'text' as const, text: `Skill not found: ${name}` }],
          details: undefined,
        };
      }
      if (!skill.enabled) {
        return {
          content: [{ type: 'text' as const, text: `Skill is disabled: ${name}` }],
          details: undefined,
        };
      }
      const config = (skill.config ?? {}) as Record<string, unknown>;
      const skillType = (config['type'] as string | undefined) ?? 'prompt';
      switch (skillType) {
        case 'prompt': {
          const promptAddition =
            (config['prompt'] as string | undefined) ?? skill.description ?? '';
          return {
            content: [
              {
                type: 'text' as const,
                text: promptAddition
                  ? `[Skill: ${name}] ${promptAddition}`
                  : `[Skill: ${name}] No prompt content defined.`,
              },
            ],
            details: undefined,
          };
        }
        case 'tool': {
          const toolLogic = config['logic'] as string | undefined;
          if (!toolLogic) {
            return {
              content: [
                {
                  type: 'text' as const,
                  text: `[Skill: ${name}] Tool skill has no logic defined.`,
                },
              ],
              details: undefined,
            };
          }
          // Inline tool skill execution: the logic field holds a JS expression or template
          // For safety, treat it as a template that can reference params
          const result = renderTemplate(toolLogic, { params: params ?? {}, skill });
          return {
            content: [{ type: 'text' as const, text: `[Skill: ${name}]\n${result}` }],
            details: undefined,
          };
        }
        case 'workflow': {
          const steps = config['steps'] as unknown[] | undefined;
          if (!steps || steps.length === 0) {
            return {
              content: [
                {
                  type: 'text' as const,
                  text: `[Skill: ${name}] Workflow has no steps defined.`,
                },
              ],
              details: undefined,
            };
          }
          return {
            content: [
              {
                type: 'text' as const,
                text: `[Skill: ${name}] Workflow steps:\n${JSON.stringify(steps, null, 2)}`,
              },
            ],
            details: undefined,
          };
        }
        default: {
          // Unknown type — return full config so the agent can decide what to do
          return {
            content: [
              {
                type: 'text' as const,
                text: `[Skill: ${name}] (type: ${skillType})\n${JSON.stringify(config, null, 2)}`,
              },
            ],
            details: undefined,
          };
        }
      }
    },
  };
  return [skillList, skillInvoke];
 }
 /**
 * Minimal template renderer — replaces {{key}} with values from the context.
 * Used for tool skill logic templates.
 */
 function renderTemplate(template: string, context: Record<string, unknown>): string {
  return template.replace(/\{\{(\w+(?:\.\w+)*)\}\}/g, (_match, path: string) => {
    const parts = path.split('.');
    let value: unknown = context;
    for (const part of parts) {
      if (value != null && typeof value === 'object') {
        value = (value as Record<string, unknown>)[part];
      } else {
        value = undefined;
        break;
      }
    }
    return value !== undefined && value !== null ? String(value) : '';
  });
 }
--- a/apps/gateway/src/agent/tools/web-tools.ts
+++ b/apps/gateway/src/agent/tools/web-tools.ts
@@ -0,0 +1,225 @@
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 const DEFAULT_TIMEOUT_MS = 15_000;
 const MAX_RESPONSE_BYTES = 512 * 1024; // 512 KB
 /**
 * Blocked URL patterns (private IP ranges, localhost, link-local).
 */
 const BLOCKED_HOSTNAMES = [
  /^localhost$/i,
  /^127\./,
  /^10\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /^192\.168\./,
  /^::1$/,
  /^fc[0-9a-f][0-9a-f]:/i,
  /^fe80:/i,
  /^0\.0\.0\.0$/,
  /^169\.254\./,
 ];
 function isBlockedUrl(urlString: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(urlString);
  } catch {
    return `Invalid URL: ${urlString}`;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return `Unsupported protocol: ${parsed.protocol}. Only http and https are allowed.`;
  }
  const hostname = parsed.hostname;
  for (const pattern of BLOCKED_HOSTNAMES) {
    if (pattern.test(hostname)) {
      return `Blocked: requests to "${hostname}" are not allowed (private/local addresses).`;
    }
  }
  return null;
 }
 async function fetchWithLimit(
  url: string,
  options: RequestInit,
  timeoutMs: number,
 ): Promise<{ text: string; status: number; contentType: string }> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const response = await fetch(url, { ...options, signal: controller.signal });
    const contentType = response.headers.get('content-type') ?? '';
    // Stream response and enforce size limit
    const reader = response.body?.getReader();
    if (!reader) {
      return { text: '', status: response.status, contentType };
    }
    const chunks: Uint8Array[] = [];
    let totalBytes = 0;
    let truncated = false;
    while (true) {
      const { done, value } = await reader.read();
      if (done) break;
      totalBytes += value.length;
      if (totalBytes > MAX_RESPONSE_BYTES) {
        const remaining = MAX_RESPONSE_BYTES - (totalBytes - value.length);
        chunks.push(value.subarray(0, remaining));
        truncated = true;
        reader.cancel();
        break;
      }
      chunks.push(value);
    }
    const combined = new Uint8Array(chunks.reduce((acc, c) => acc + c.length, 0));
    let offset = 0;
    for (const chunk of chunks) {
      combined.set(chunk, offset);
      offset += chunk.length;
    }
    let text = new TextDecoder().decode(combined);
    if (truncated) {
      text += '\n[response truncated at 512 KB limit]';
    }
    return { text, status: response.status, contentType };
  } finally {
    clearTimeout(timer);
  }
 }
 export function createWebTools(): ToolDefinition[] {
  const webGet: ToolDefinition = {
    name: 'web_get',
    label: 'HTTP GET',
    description:
      'Perform an HTTP GET request and return the response body. Private/local addresses are blocked.',
    parameters: Type.Object({
      url: Type.String({ description: 'URL to fetch (http/https only)' }),
      headers: Type.Optional(
        Type.Record(Type.String(), Type.String(), {
          description: 'Optional request headers as key-value pairs',
        }),
      ),
      timeout: Type.Optional(
        Type.Number({ description: 'Timeout in milliseconds (default 15000, max 30000)' }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { url, headers, timeout } = params as {
        url: string;
        headers?: Record<string, string>;
        timeout?: number;
      };
      const blocked = isBlockedUrl(url);
      if (blocked) {
        return {
          content: [{ type: 'text' as const, text: `Error: ${blocked}` }],
          details: undefined,
        };
      }
      const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 30_000);
      try {
        const result = await fetchWithLimit(
          url,
          { method: 'GET', headers: headers ?? {} },
          timeoutMs,
        );
        return {
          content: [
            {
              type: 'text' as const,
              text: `HTTP ${result.status} (${result.contentType})\n\n${result.text}`,
            },
          ],
          details: undefined,
        };
      } catch (err) {
        const msg = err instanceof Error ? err.message : String(err);
        return {
          content: [{ type: 'text' as const, text: `Error fetching URL: ${msg}` }],
          details: undefined,
        };
      }
    },
  };
  const webPost: ToolDefinition = {
    name: 'web_post',
    label: 'HTTP POST',
    description:
      'Perform an HTTP POST request with a JSON or text body. Private/local addresses are blocked.',
    parameters: Type.Object({
      url: Type.String({ description: 'URL to POST to (http/https only)' }),
      body: Type.String({ description: 'Request body (JSON string or plain text)' }),
      contentType: Type.Optional(
        Type.String({ description: 'Content-Type header (default: application/json)' }),
      ),
      headers: Type.Optional(
        Type.Record(Type.String(), Type.String(), {
          description: 'Optional additional request headers',
        }),
      ),
      timeout: Type.Optional(
        Type.Number({ description: 'Timeout in milliseconds (default 15000, max 30000)' }),
      ),
    }),
    async execute(_toolCallId, params) {
      const { url, body, contentType, headers, timeout } = params as {
        url: string;
        body: string;
        contentType?: string;
        headers?: Record<string, string>;
        timeout?: number;
      };
      const blocked = isBlockedUrl(url);
      if (blocked) {
        return {
          content: [{ type: 'text' as const, text: `Error: ${blocked}` }],
          details: undefined,
        };
      }
      const timeoutMs = Math.min(timeout ?? DEFAULT_TIMEOUT_MS, 30_000);
      const ct = contentType ?? 'application/json';
      try {
        const result = await fetchWithLimit(
          url,
          {
            method: 'POST',
            headers: { 'Content-Type': ct, ...(headers ?? {}) },
            body,
          },
          timeoutMs,
        );
        return {
          content: [
            {
              type: 'text' as const,
              text: `HTTP ${result.status} (${result.contentType})\n\n${result.text}`,
            },
          ],
          details: undefined,
        };
      } catch (err) {
        const msg = err instanceof Error ? err.message : String(err);
        return {
          content: [{ type: 'text' as const, text: `Error posting to URL: ${msg}` }],
          details: undefined,
        };
      }
    },
  };
  return [webGet, webPost];
 }
--- a/apps/gateway/src/app.module.ts
+++ b/apps/gateway/src/app.module.ts
@@ -15,6 +15,8 @@ import { MemoryModule } from './memory/memory.module.js';
 import { LogModule } from './log/log.module.js';
 import { SkillsModule } from './skills/skills.module.js';
 import { PluginModule } from './plugin/plugin.module.js';
 import { McpModule } from './mcp/mcp.module.js';
 import { AdminModule } from './admin/admin.module.js';
 import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({
@@ -34,6 +36,8 @@ import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
    LogModule,
    SkillsModule,
    PluginModule,
    McpModule,
    AdminModule,
  ],
  controllers: [HealthController],
  providers: [
--- a/apps/gateway/src/auth/auth.controller.ts
+++ b/apps/gateway/src/auth/auth.controller.ts
@@ -7,16 +7,17 @@ import { AUTH } from './auth.tokens.js';
 export function mountAuthHandler(app: NestFastifyApplication): void {
  const auth = app.get<Auth>(AUTH);
  const nodeHandler = toNodeHandler(auth);
  const corsOrigin = process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000';
  const fastify = app.getHttpAdapter().getInstance();
-  // Use Fastify's addHook to intercept auth requests at the raw HTTP level,
+  // BetterAuth is mounted at the raw HTTP level via Fastify's onRequest hook,
-  // before Fastify's body parser runs. This avoids conflicts with NestJS's
+  // bypassing NestJS middleware (including CORS). We must set CORS headers
-  // custom content-type parser.
+  // manually on the raw response before handing off to BetterAuth.
  fastify.addHook(
    'onRequest',
    (
-      req: { raw: IncomingMessage; url: string },
+      req: { raw: IncomingMessage; url: string; method: string },
      reply: { raw: ServerResponse; hijack: () => void },
      done: () => void,
    ) => {
@@ -25,6 +26,27 @@ export function mountAuthHandler(app: NestFastifyApplication): void {
        return;
      }
      const origin = req.raw.headers.origin;
      const allowed = corsOrigin.split(',').map((o) => o.trim());
      if (origin && allowed.includes(origin)) {
        reply.raw.setHeader('Access-Control-Allow-Origin', origin);
        reply.raw.setHeader('Access-Control-Allow-Credentials', 'true');
        reply.raw.setHeader(
          'Access-Control-Allow-Methods',
          'GET, POST, PUT, PATCH, DELETE, OPTIONS',
        );
        reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Cookie');
      }
      // Handle preflight
      if (req.method === 'OPTIONS') {
        reply.hijack();
        reply.raw.writeHead(204);
        reply.raw.end();
        return;
      }
      reply.hijack();
      nodeHandler(req.raw as IncomingMessage, reply.raw as ServerResponse)
        .then(() => {
--- a/apps/gateway/src/conversations/conversations.dto.ts
+++ b/apps/gateway/src/conversations/conversations.dto.ts
@@ -1,4 +1,12 @@
-import { IsIn, IsObject, IsOptional, IsString, IsUUID, MaxLength } from 'class-validator';
+import {
  IsBoolean,
  IsIn,
  IsObject,
  IsOptional,
  IsString,
  IsUUID,
  MaxLength,
 } from 'class-validator';
 export class CreateConversationDto {
  @IsOptional()
@@ -20,6 +28,10 @@ export class UpdateConversationDto {
  @IsOptional()
  @IsUUID()
  projectId?: string | null;
  @IsOptional()
  @IsBoolean()
  archived?: boolean;
 }
 export class SendMessageDto {
--- a/apps/gateway/src/coord/coord.controller.ts
+++ b/apps/gateway/src/coord/coord.controller.ts
@@ -1,17 +1,30 @@
 import {
  BadRequestException,
  Body,
  Controller,
  Delete,
  Get,
  HttpCode,
  HttpStatus,
  Inject,
  NotFoundException,
  Param,
  Patch,
  Post,
  Query,
  UseGuards,
 } from '@nestjs/common';
 import fs from 'node:fs';
 import path from 'node:path';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';
 import { CoordService } from './coord.service.js';
 import type {
  CreateDbMissionDto,
  UpdateDbMissionDto,
  CreateMissionTaskDto,
  UpdateMissionTaskDto,
 } from './coord.dto.js';
 /** Walk up from cwd to find the monorepo root (has pnpm-workspace.yaml). */
 function findMonorepoRoot(start: string): string {
@@ -49,6 +62,8 @@ function resolveAndValidatePath(raw: string | undefined): string {
 export class CoordController {
  constructor(@Inject(CoordService) private readonly coordService: CoordService) {}
  // ── File-based coord endpoints (legacy) ──
  @Get('status')
  async missionStatus(@Query('projectPath') projectPath?: string) {
    const resolvedPath = resolveAndValidatePath(projectPath);
@@ -70,4 +85,121 @@ export class CoordController {
    if (!detail) throw new NotFoundException(`Task ${taskId} not found in coord mission`);
    return detail;
  }
  // ── DB-backed mission endpoints ──
  @Get('missions')
  async listDbMissions(@CurrentUser() user: { id: string }) {
    return this.coordService.getMissionsByUser(user.id);
  }
  @Get('missions/:id')
  async getDbMission(@Param('id') id: string, @CurrentUser() user: { id: string }) {
    const mission = await this.coordService.getMissionByIdAndUser(id, user.id);
    if (!mission) throw new NotFoundException('Mission not found');
    return mission;
  }
  @Post('missions')
  async createDbMission(@Body() dto: CreateDbMissionDto, @CurrentUser() user: { id: string }) {
    return this.coordService.createDbMission({
      name: dto.name,
      description: dto.description,
      projectId: dto.projectId,
      userId: user.id,
      phase: dto.phase,
      milestones: dto.milestones,
      config: dto.config,
      status: dto.status,
    });
  }
  @Patch('missions/:id')
  async updateDbMission(
    @Param('id') id: string,
    @Body() dto: UpdateDbMissionDto,
    @CurrentUser() user: { id: string },
  ) {
    const mission = await this.coordService.updateDbMission(id, user.id, dto);
    if (!mission) throw new NotFoundException('Mission not found');
    return mission;
  }
  @Delete('missions/:id')
  @HttpCode(HttpStatus.NO_CONTENT)
  async deleteDbMission(@Param('id') id: string, @CurrentUser() user: { id: string }) {
    const deleted = await this.coordService.deleteDbMission(id, user.id);
    if (!deleted) throw new NotFoundException('Mission not found');
  }
  // ── DB-backed mission task endpoints ──
  @Get('missions/:missionId/mission-tasks')
  async listMissionTasks(
    @Param('missionId') missionId: string,
    @CurrentUser() user: { id: string },
  ) {
    const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
    if (!mission) throw new NotFoundException('Mission not found');
    return this.coordService.getMissionTasksByMissionAndUser(missionId, user.id);
  }
  @Get('missions/:missionId/mission-tasks/:taskId')
  async getMissionTask(
    @Param('missionId') missionId: string,
    @Param('taskId') taskId: string,
    @CurrentUser() user: { id: string },
  ) {
    const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
    if (!mission) throw new NotFoundException('Mission not found');
    const task = await this.coordService.getMissionTaskByIdAndUser(taskId, user.id);
    if (!task) throw new NotFoundException('Mission task not found');
    return task;
  }
  @Post('missions/:missionId/mission-tasks')
  async createMissionTask(
    @Param('missionId') missionId: string,
    @Body() dto: CreateMissionTaskDto,
    @CurrentUser() user: { id: string },
  ) {
    const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
    if (!mission) throw new NotFoundException('Mission not found');
    return this.coordService.createMissionTask({
      missionId,
      taskId: dto.taskId,
      userId: user.id,
      status: dto.status,
      description: dto.description,
      notes: dto.notes,
      pr: dto.pr,
    });
  }
  @Patch('missions/:missionId/mission-tasks/:taskId')
  async updateMissionTask(
    @Param('missionId') missionId: string,
    @Param('taskId') taskId: string,
    @Body() dto: UpdateMissionTaskDto,
    @CurrentUser() user: { id: string },
  ) {
    const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
    if (!mission) throw new NotFoundException('Mission not found');
    const updated = await this.coordService.updateMissionTask(taskId, user.id, dto);
    if (!updated) throw new NotFoundException('Mission task not found');
    return updated;
  }
  @Delete('missions/:missionId/mission-tasks/:taskId')
  @HttpCode(HttpStatus.NO_CONTENT)
  async deleteMissionTask(
    @Param('missionId') missionId: string,
    @Param('taskId') taskId: string,
    @CurrentUser() user: { id: string },
  ) {
    const mission = await this.coordService.getMissionByIdAndUser(missionId, user.id);
    if (!mission) throw new NotFoundException('Mission not found');
    const deleted = await this.coordService.deleteMissionTask(taskId, user.id);
    if (!deleted) throw new NotFoundException('Mission task not found');
  }
 }
--- a/apps/gateway/src/coord/coord.dto.ts
+++ b/apps/gateway/src/coord/coord.dto.ts
@@ -1,3 +1,5 @@
 // ── File-based coord DTOs (legacy file-system backed) ──
 export interface CoordMissionStatusDto {
  mission: {
    id: string;
@@ -47,3 +49,42 @@ export interface CoordTaskDetailDto {
    startedAt: string;
  };
 }
 // ── DB-backed coord DTOs ──
 export interface CreateDbMissionDto {
  name: string;
  description?: string;
  projectId?: string;
  phase?: string;
  milestones?: Record<string, unknown>[];
  config?: Record<string, unknown>;
  status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
 }
 export interface UpdateDbMissionDto {
  name?: string;
  description?: string;
  projectId?: string;
  phase?: string;
  milestones?: Record<string, unknown>[];
  config?: Record<string, unknown>;
  status?: 'planning' | 'active' | 'paused' | 'completed' | 'failed';
 }
 export interface CreateMissionTaskDto {
  missionId: string;
  taskId?: string;
  status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
  description?: string;
  notes?: string;
  pr?: string;
 }
 export interface UpdateMissionTaskDto {
  taskId?: string;
  status?: 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
  description?: string;
  notes?: string;
  pr?: string;
 }
--- a/apps/gateway/src/coord/coord.service.ts
+++ b/apps/gateway/src/coord/coord.service.ts
@@ -1,4 +1,6 @@
-import { Injectable, Logger } from '@nestjs/common';
+import { Injectable, Logger, Inject } from '@nestjs/common';
 import type { Brain } from '@mosaic/brain';
 import { BRAIN } from '../brain/brain.tokens.js';
 import {
  loadMission,
  getMissionStatus,
@@ -16,6 +18,8 @@ import path from 'node:path';
 export class CoordService {
  private readonly logger = new Logger(CoordService.name);
  constructor(@Inject(BRAIN) private readonly brain: Brain) {}
  async loadMission(projectPath: string): Promise<Mission | null> {
    try {
      return await loadMission(projectPath);
@@ -70,4 +74,68 @@ export class CoordService {
      return [];
    }
  }
  // ── DB-backed methods for multi-tenant mission management ──
  async getMissionsByUser(userId: string) {
    return this.brain.missions.findAllByUser(userId);
  }
  async getMissionByIdAndUser(id: string, userId: string) {
    return this.brain.missions.findByIdAndUser(id, userId);
  }
  async getMissionsByProjectAndUser(projectId: string, userId: string) {
    return this.brain.missions.findByProjectAndUser(projectId, userId);
  }
  async createDbMission(data: Parameters<Brain['missions']['create']>[0]) {
    return this.brain.missions.create(data);
  }
  async updateDbMission(
    id: string,
    userId: string,
    data: Parameters<Brain['missions']['update']>[1],
  ) {
    const existing = await this.brain.missions.findByIdAndUser(id, userId);
    if (!existing) return null;
    return this.brain.missions.update(id, data);
  }
  async deleteDbMission(id: string, userId: string) {
    const existing = await this.brain.missions.findByIdAndUser(id, userId);
    if (!existing) return false;
    return this.brain.missions.remove(id);
  }
  // ── DB-backed methods for mission tasks (coord tracking) ──
  async getMissionTasksByMissionAndUser(missionId: string, userId: string) {
    return this.brain.missionTasks.findByMissionAndUser(missionId, userId);
  }
  async getMissionTaskByIdAndUser(id: string, userId: string) {
    return this.brain.missionTasks.findByIdAndUser(id, userId);
  }
  async createMissionTask(data: Parameters<Brain['missionTasks']['create']>[0]) {
    return this.brain.missionTasks.create(data);
  }
  async updateMissionTask(
    id: string,
    userId: string,
    data: Parameters<Brain['missionTasks']['update']>[1],
  ) {
    const existing = await this.brain.missionTasks.findByIdAndUser(id, userId);
    if (!existing) return null;
    return this.brain.missionTasks.update(id, data);
  }
  async deleteMissionTask(id: string, userId: string) {
    const existing = await this.brain.missionTasks.findByIdAndUser(id, userId);
    if (!existing) return false;
    return this.brain.missionTasks.remove(id);
  }
 }
--- a/apps/gateway/src/log/cron.service.ts
+++ b/apps/gateway/src/log/cron.service.ts
@@ -1,4 +1,10 @@
-import { Injectable, Logger, type OnModuleInit, type OnModuleDestroy } from '@nestjs/common';
+import {
  Inject,
  Injectable,
  Logger,
  type OnModuleInit,
  type OnModuleDestroy,
 } from '@nestjs/common';
 import cron from 'node-cron';
 import { SummarizationService } from './summarization.service.js';
@@ -7,7 +13,7 @@ export class CronService implements OnModuleInit, OnModuleDestroy {
  private readonly logger = new Logger(CronService.name);
  private readonly tasks: cron.ScheduledTask[] = [];
-  constructor(private readonly summarization: SummarizationService) {}
+  constructor(@Inject(SummarizationService) private readonly summarization: SummarizationService) {}
  onModuleInit(): void {
    const summarizationSchedule = process.env['SUMMARIZATION_CRON'] ?? '0 */6 * * *'; // every 6 hours
--- a/apps/gateway/src/log/summarization.service.ts
+++ b/apps/gateway/src/log/summarization.service.ts
@@ -29,7 +29,7 @@ export class SummarizationService {
  constructor(
    @Inject(LOG_SERVICE) private readonly logService: LogService,
    @Inject(MEMORY) private readonly memory: Memory,
-    private readonly embeddings: EmbeddingService,
+    @Inject(EmbeddingService) private readonly embeddings: EmbeddingService,
    @Inject(DB) private readonly db: Db,
  ) {
    this.apiKey = process.env['OPENAI_API_KEY'];
--- a/apps/gateway/src/main.ts
+++ b/apps/gateway/src/main.ts
@@ -1,3 +1,10 @@
 import { config } from 'dotenv';
 import { resolve } from 'node:path';
 // Load .env from monorepo root (cwd is apps/gateway when run via pnpm filter)
 config({ path: resolve(process.cwd(), '../../.env') });
 config(); // Also load apps/gateway/.env if present (overrides)
 import './tracing.js';
 import 'reflect-metadata';
 import { NestFactory } from '@nestjs/core';
@@ -6,8 +13,12 @@ import { FastifyAdapter, type NestFastifyApplication } from '@nestjs/platform-fa
 import helmet from '@fastify/helmet';
 import { AppModule } from './app.module.js';
 import { mountAuthHandler } from './auth/auth.controller.js';
 import { mountMcpHandler } from './mcp/mcp.controller.js';
 import { McpService } from './mcp/mcp.service.js';
 async function bootstrap(): Promise<void> {
  const logger = new Logger('Bootstrap');
  if (!process.env['BETTER_AUTH_SECRET']) {
    throw new Error('BETTER_AUTH_SECRET is required');
  }
@@ -21,12 +32,16 @@ async function bootstrap(): Promise<void> {
    );
  }
  const logger = new Logger('Bootstrap');
  const app = await NestFactory.create<NestFastifyApplication>(
    AppModule,
    new FastifyAdapter({ bodyLimit: 1_048_576 }),
  );
  app.enableCors({
    origin: process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000',
    credentials: true,
  });
  await app.register(helmet as never, { contentSecurityPolicy: false });
  app.useGlobalPipes(
    new ValidationPipe({
@@ -37,6 +52,7 @@ async function bootstrap(): Promise<void> {
  );
  mountAuthHandler(app);
  mountMcpHandler(app, app.get(McpService));
  const port = Number(process.env['GATEWAY_PORT'] ?? 4000);
  await app.listen(port, '0.0.0.0');
--- a/apps/gateway/src/mcp-client/mcp-client.dto.ts
+++ b/apps/gateway/src/mcp-client/mcp-client.dto.ts
@@ -0,0 +1,33 @@
 /**
 * DTOs for MCP client configuration and tool discovery.
 */
 export interface McpServerConfigDto {
  /** Unique name identifying this MCP server */
  name: string;
  /** URL of the MCP server (streamable HTTP or SSE endpoint) */
  url: string;
  /** Optional HTTP headers to send with requests (e.g., Authorization) */
  headers?: Record<string, string>;
 }
 export interface McpToolDto {
  /** Namespaced tool name: "<serverName>__<toolName>" */
  name: string;
  /** Human-readable description of the tool */
  description: string;
  /** JSON Schema for tool input parameters */
  inputSchema: Record<string, unknown>;
  /** MCP server this tool belongs to */
  serverName: string;
  /** Original tool name on the remote server */
  remoteName: string;
 }
 export interface McpServerStatusDto {
  name: string;
  url: string;
  connected: boolean;
  toolCount: number;
  error?: string;
 }
--- a/apps/gateway/src/mcp-client/mcp-client.module.ts
+++ b/apps/gateway/src/mcp-client/mcp-client.module.ts
@@ -0,0 +1,8 @@
 import { Module } from '@nestjs/common';
 import { McpClientService } from './mcp-client.service.js';
@Module({
  providers: [McpClientService],
  exports: [McpClientService],
 })
 export class McpClientModule {}
--- a/apps/gateway/src/mcp-client/mcp-client.service.ts
+++ b/apps/gateway/src/mcp-client/mcp-client.service.ts
@@ -0,0 +1,331 @@
 import { Injectable, Logger, OnModuleInit, OnModuleDestroy } from '@nestjs/common';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
 import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 import type { McpServerConfigDto, McpToolDto, McpServerStatusDto } from './mcp-client.dto.js';
 interface ConnectedServer {
  config: McpServerConfigDto;
  client: Client;
  tools: McpToolDto[];
  connected: boolean;
  error?: string;
 }
 /**
 * McpClientService connects to external MCP servers, discovers their tools,
 * and bridges them into Pi SDK ToolDefinition format for agent sessions.
 *
 * Configuration is read from the MCP_SERVERS environment variable:
 *   MCP_SERVERS='[{"name":"my-server","url":"http://localhost:3001/mcp","headers":{"Authorization":"Bearer token"}}]'
 */
@Injectable()
 export class McpClientService implements OnModuleInit, OnModuleDestroy {
  private readonly logger = new Logger(McpClientService.name);
  private readonly servers = new Map<string, ConnectedServer>();
  async onModuleInit(): Promise<void> {
    const configs = this.loadConfigs();
    if (configs.length === 0) {
      this.logger.log('No external MCP servers configured (MCP_SERVERS not set)');
      return;
    }
    this.logger.log(`Connecting to ${configs.length} external MCP server(s)`);
    await Promise.allSettled(configs.map((cfg) => this.connectServer(cfg)));
  }
  async onModuleDestroy(): Promise<void> {
    this.logger.log(`Disconnecting from ${this.servers.size} MCP server(s)`);
    const disconnects = Array.from(this.servers.values()).map((s) => this.disconnectServer(s));
    await Promise.allSettled(disconnects);
    this.servers.clear();
  }
  /**
   * Returns all bridged Pi SDK ToolDefinitions from all connected MCP servers.
   */
  getToolDefinitions(): ToolDefinition[] {
    const tools: ToolDefinition[] = [];
    for (const server of this.servers.values()) {
      if (!server.connected) continue;
      for (const mcpTool of server.tools) {
        tools.push(this.bridgeTool(server.client, mcpTool));
      }
    }
    return tools;
  }
  /**
   * Returns status information for all configured MCP servers.
   */
  getServerStatuses(): McpServerStatusDto[] {
    return Array.from(this.servers.values()).map((s) => ({
      name: s.config.name,
      url: s.config.url,
      connected: s.connected,
      toolCount: s.tools.length,
      error: s.error,
    }));
  }
  /**
   * Attempts to reconnect a server that has been disconnected.
   */
  async reconnectServer(serverName: string): Promise<void> {
    const existing = this.servers.get(serverName);
    if (!existing) {
      throw new Error(`MCP server not found: ${serverName}`);
    }
    if (existing.connected) return;
    this.logger.log(`Reconnecting to MCP server: ${serverName}`);
    await this.connectServer(existing.config);
  }
  // ─── Private helpers ──────────────────────────────────────────────────────
  private loadConfigs(): McpServerConfigDto[] {
    const raw = process.env['MCP_SERVERS'];
    if (!raw) return [];
    try {
      const parsed: unknown = JSON.parse(raw);
      if (!Array.isArray(parsed)) {
        this.logger.warn('MCP_SERVERS must be a JSON array — ignoring');
        return [];
      }
      const configs: McpServerConfigDto[] = [];
      for (const item of parsed) {
        if (
          typeof item === 'object' &&
          item !== null &&
          'name' in item &&
          typeof (item as Record<string, unknown>)['name'] === 'string' &&
          'url' in item &&
          typeof (item as Record<string, unknown>)['url'] === 'string'
        ) {
          const cfg = item as McpServerConfigDto;
          configs.push({
            name: cfg.name,
            url: cfg.url,
            headers: cfg.headers,
          });
        } else {
          this.logger.warn(`Skipping invalid MCP server config entry: ${JSON.stringify(item)}`);
        }
      }
      return configs;
    } catch (err) {
      this.logger.error(
        `Failed to parse MCP_SERVERS: ${err instanceof Error ? err.message : String(err)}`,
      );
      return [];
    }
  }
  private async connectServer(config: McpServerConfigDto): Promise<void> {
    const serverEntry: ConnectedServer = {
      config,
      client: new Client({ name: 'mosaic-gateway', version: '1.0.0' }),
      tools: [],
      connected: false,
    };
    // Preserve existing entry if reconnecting
    this.servers.set(config.name, serverEntry);
    try {
      const url = new URL(config.url);
      const headers = config.headers ?? {};
      // Attempt StreamableHTTP first, fall back to SSE
      let connected = false;
      try {
        const transport = new StreamableHTTPClientTransport(url, { requestInit: { headers } });
        await serverEntry.client.connect(transport);
        connected = true;
        this.logger.log(`Connected to MCP server "${config.name}" via StreamableHTTP`);
      } catch (streamErr) {
        this.logger.warn(
          `StreamableHTTP failed for "${config.name}", trying SSE: ${streamErr instanceof Error ? streamErr.message : String(streamErr)}`,
        );
        // Reset client for SSE attempt
        serverEntry.client = new Client({ name: 'mosaic-gateway', version: '1.0.0' });
        try {
          const transport = new SSEClientTransport(url, { requestInit: { headers } });
          await serverEntry.client.connect(transport);
          connected = true;
          this.logger.log(`Connected to MCP server "${config.name}" via SSE`);
        } catch (sseErr) {
          throw new Error(
            `Both transports failed for "${config.name}": SSE error: ${sseErr instanceof Error ? sseErr.message : String(sseErr)}`,
          );
        }
      }
      if (!connected) return;
      // Discover tools
      const toolsResult = await serverEntry.client.listTools();
      serverEntry.tools = toolsResult.tools.map((t) => ({
        name: `${config.name}__${t.name}`,
        description: t.description ?? `Tool ${t.name} from MCP server ${config.name}`,
        inputSchema: (t.inputSchema as Record<string, unknown>) ?? {},
        serverName: config.name,
        remoteName: t.name,
      }));
      serverEntry.connected = true;
      this.logger.log(
        `Discovered ${serverEntry.tools.length} tool(s) from MCP server "${config.name}"`,
      );
    } catch (err) {
      const message = err instanceof Error ? err.message : String(err);
      serverEntry.error = message;
      serverEntry.connected = false;
      this.logger.error(`Failed to connect to MCP server "${config.name}": ${message}`);
    }
  }
  private async disconnectServer(server: ConnectedServer): Promise<void> {
    try {
      await server.client.close();
    } catch (err) {
      this.logger.warn(
        `Error closing MCP client for "${server.config.name}": ${err instanceof Error ? err.message : String(err)}`,
      );
    }
  }
  /**
   * Bridges a single McpToolDto into a Pi SDK ToolDefinition.
   * The MCP inputSchema is converted to a TypeBox schema representation.
   */
  private bridgeTool(client: Client, mcpTool: McpToolDto): ToolDefinition {
    const schema = this.inputSchemaToTypeBox(mcpTool.inputSchema);
    return {
      name: mcpTool.name,
      label: mcpTool.remoteName,
      description: mcpTool.description,
      parameters: schema,
      execute: async (_toolCallId: string, params: unknown) => {
        try {
          const result = await client.callTool({
            name: mcpTool.remoteName,
            arguments: (params as Record<string, unknown>) ?? {},
          });
          // MCP callTool returns { content: [...], isError?: boolean }
          const content = Array.isArray(result.content) ? result.content : [];
          const textParts = content
            .filter((c): c is { type: 'text'; text: string } => c.type === 'text')
            .map((c) => c.text)
            .join('\n');
          if (result.isError) {
            return {
              content: [
                {
                  type: 'text' as const,
                  text: `MCP tool error from "${mcpTool.serverName}/${mcpTool.remoteName}": ${textParts || 'Unknown error'}`,
                },
              ],
              details: undefined,
            };
          }
          return {
            content:
              content.length > 0
                ? (content as { type: 'text'; text: string }[])
                : [{ type: 'text' as const, text: '' }],
            details: undefined,
          };
        } catch (err) {
          const message = err instanceof Error ? err.message : String(err);
          this.logger.error(
            `MCP tool call failed: ${mcpTool.serverName}/${mcpTool.remoteName}: ${message}`,
          );
          return {
            content: [
              {
                type: 'text' as const,
                text: `Failed to call MCP tool "${mcpTool.name}": ${message}`,
              },
            ],
            details: undefined,
          };
        }
      },
    };
  }
  /**
   * Converts a JSON Schema object to a TypeBox-compatible schema.
   * For simplicity, maps the inputSchema properties to TypeBox Type.Object.
   * Unknown/complex schemas fall back to Type.Object with Type.Unknown values.
   */
  private inputSchemaToTypeBox(
    inputSchema: Record<string, unknown>,
  ): ReturnType<typeof Type.Object> {
    const properties = inputSchema['properties'];
    if (!properties || typeof properties !== 'object') {
      return Type.Object({});
    }
    const required: string[] = Array.isArray(inputSchema['required'])
      ? (inputSchema['required'] as string[])
      : [];
    const tbProps: Record<string, ReturnType<typeof Type.String>> = {};
    for (const [key, schemaDef] of Object.entries(properties as Record<string, unknown>)) {
      const def = schemaDef as Record<string, unknown>;
      const desc = typeof def['description'] === 'string' ? def['description'] : undefined;
      const isOptional = !required.includes(key);
      const base = this.jsonSchemaToTypeBox(def);
      tbProps[key] = isOptional
        ? (Type.Optional(base) as unknown as ReturnType<typeof Type.String>)
        : (base as unknown as ReturnType<typeof Type.String>);
      if (desc && tbProps[key]) {
        // Attach description via metadata
        (tbProps[key] as Record<string, unknown>)['description'] = desc;
      }
    }
    return Type.Object(tbProps as Parameters<typeof Type.Object>[0]);
  }
  private jsonSchemaToTypeBox(
    def: Record<string, unknown>,
  ):
    | ReturnType<typeof Type.String>
    | ReturnType<typeof Type.Number>
    | ReturnType<typeof Type.Boolean>
    | ReturnType<typeof Type.Unknown> {
    const type = def['type'];
    const desc = typeof def['description'] === 'string' ? { description: def['description'] } : {};
    switch (type) {
      case 'string':
        return Type.String(desc);
      case 'number':
      case 'integer':
        return Type.Number(desc);
      case 'boolean':
        return Type.Boolean(desc);
      default:
        return Type.Unknown(desc);
    }
  }
 }
--- a/apps/gateway/src/mcp-client/mcp-client.tokens.ts
+++ b/apps/gateway/src/mcp-client/mcp-client.tokens.ts
@@ -0,0 +1 @@
 export const MCP_CLIENT_SERVICE = 'MCP_CLIENT_SERVICE';
--- a/apps/gateway/src/mcp/mcp.controller.ts
+++ b/apps/gateway/src/mcp/mcp.controller.ts
@@ -0,0 +1,142 @@
 import type { IncomingMessage, ServerResponse } from 'node:http';
 import { Logger } from '@nestjs/common';
 import { fromNodeHeaders } from 'better-auth/node';
 import type { Auth } from '@mosaic/auth';
 import type { NestFastifyApplication } from '@nestjs/platform-fastify';
 import type { McpService } from './mcp.service.js';
 import { AUTH } from '../auth/auth.tokens.js';
 /**
 * Mounts the MCP streamable HTTP transport endpoint at /mcp on the Fastify instance.
 *
 * This follows the same low-level Fastify hook pattern used by the auth controller,
 * bypassing NestJS routing to directly delegate to the MCP SDK transport handlers.
 *
 * Endpoint: POST /mcp (and GET /mcp for SSE stream reconnect)
 * Auth: Requires a valid BetterAuth session (cookie or Authorization header).
 * Session: Stateful — each initialized client gets a session ID via Mcp-Session-Id header.
 */
 export function mountMcpHandler(app: NestFastifyApplication, mcpService: McpService): void {
  const auth = app.get<Auth>(AUTH);
  const logger = new Logger('McpController');
  const fastify = app.getHttpAdapter().getInstance();
  fastify.addHook(
    'onRequest',
    (
      req: { raw: IncomingMessage; url: string; method: string },
      reply: { raw: ServerResponse; hijack: () => void },
      done: () => void,
    ) => {
      if (!req.url.startsWith('/mcp')) {
        done();
        return;
      }
      reply.hijack();
      handleMcpRequest(req, reply, auth, mcpService, logger).catch((err: unknown) => {
        logger.error(
          `MCP request handler error: ${err instanceof Error ? err.message : String(err)}`,
        );
        if (!reply.raw.headersSent) {
          reply.raw.writeHead(500, { 'Content-Type': 'application/json' });
        }
        if (!reply.raw.writableEnded) {
          reply.raw.end(JSON.stringify({ error: 'Internal server error' }));
        }
      });
    },
  );
 }
 async function handleMcpRequest(
  req: { raw: IncomingMessage; url: string; method: string },
  reply: { raw: ServerResponse; hijack: () => void },
  auth: Auth,
  mcpService: McpService,
  logger: Logger,
 ): Promise<void> {
  // ─── Authentication ─────────────────────────────────────────────────────
  const headers = fromNodeHeaders(req.raw.headers);
  const result = await auth.api.getSession({ headers });
  if (!result) {
    reply.raw.writeHead(401, { 'Content-Type': 'application/json' });
    reply.raw.end(JSON.stringify({ error: 'Unauthorized: valid session required' }));
    return;
  }
  const userId = result.user.id;
  // ─── Session routing ─────────────────────────────────────────────────────
  const sessionId = req.raw.headers['mcp-session-id'];
  if (typeof sessionId === 'string' && sessionId.length > 0) {
    // Existing session request
    const transport = mcpService.getSession(sessionId);
    if (!transport) {
      logger.warn(`MCP session not found: ${sessionId}`);
      reply.raw.writeHead(404, { 'Content-Type': 'application/json' });
      reply.raw.end(JSON.stringify({ error: 'Session not found' }));
      return;
    }
    await transport.handleRequest(req.raw, reply.raw);
    return;
  }
  // ─── Initialize new session ───────────────────────────────────────────────
  // Only POST requests can initialize a new session (must be initialize message)
  if (req.method !== 'POST') {
    reply.raw.writeHead(400, { 'Content-Type': 'application/json' });
    reply.raw.end(
      JSON.stringify({
        error: 'New session must be established via POST with initialize message',
      }),
    );
    return;
  }
  // Parse body to verify this is an initialize request before creating a session
  let body: unknown;
  try {
    body = await readRequestBody(req.raw);
  } catch (err) {
    logger.warn(
      `Failed to parse MCP request body: ${err instanceof Error ? err.message : String(err)}`,
    );
    reply.raw.writeHead(400, { 'Content-Type': 'application/json' });
    reply.raw.end(JSON.stringify({ error: 'Invalid request body' }));
    return;
  }
  // Create new session and handle this initializing request
  const { transport } = mcpService.createSession(userId);
  logger.log(`New MCP session created for user ${userId}`);
  await transport.handleRequest(req.raw, reply.raw, body);
 }
 /**
 * Reads and parses the JSON body from a Node.js IncomingMessage.
 */
 function readRequestBody(req: IncomingMessage): Promise<unknown> {
  return new Promise((resolve, reject) => {
    const chunks: Buffer[] = [];
    req.on('data', (chunk: Buffer) => chunks.push(chunk));
    req.on('end', () => {
      const raw = Buffer.concat(chunks).toString('utf8');
      if (!raw) {
        resolve(undefined);
        return;
      }
      try {
        resolve(JSON.parse(raw));
      } catch (err) {
        reject(err);
      }
    });
    req.on('error', reject);
  });
 }
--- a/apps/gateway/src/mcp/mcp.dto.ts
+++ b/apps/gateway/src/mcp/mcp.dto.ts
@@ -0,0 +1,19 @@
 /**
 * MCP (Model Context Protocol) DTOs
 *
 * Defines the data transfer objects for the MCP streamable HTTP transport.
 * See: https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http
 */
 export interface McpToolDescriptor {
  name: string;
  description: string;
  inputSchema: Record<string, unknown>;
 }
 export interface McpServerInfo {
  name: string;
  version: string;
  protocolVersion: string;
  tools: McpToolDescriptor[];
 }
--- a/apps/gateway/src/mcp/mcp.module.ts
+++ b/apps/gateway/src/mcp/mcp.module.ts
@@ -0,0 +1,10 @@
 import { Module } from '@nestjs/common';
 import { McpService } from './mcp.service.js';
 import { CoordModule } from '../coord/coord.module.js';
@Module({
  imports: [CoordModule],
  providers: [McpService],
  exports: [McpService],
 })
 export class McpModule {}
--- a/apps/gateway/src/mcp/mcp.service.ts
+++ b/apps/gateway/src/mcp/mcp.service.ts
@@ -0,0 +1,429 @@
 import { Injectable, Logger, Inject, OnModuleDestroy } from '@nestjs/common';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { randomUUID } from 'node:crypto';
 import { z } from 'zod';
 import type { Brain } from '@mosaic/brain';
 import type { Memory } from '@mosaic/memory';
 import { BRAIN } from '../brain/brain.tokens.js';
 import { MEMORY } from '../memory/memory.tokens.js';
 import { EmbeddingService } from '../memory/embedding.service.js';
 import { CoordService } from '../coord/coord.service.js';
 interface SessionEntry {
  server: McpServer;
  transport: StreamableHTTPServerTransport;
  createdAt: Date;
  userId: string;
 }
@Injectable()
 export class McpService implements OnModuleDestroy {
  private readonly logger = new Logger(McpService.name);
  private readonly sessions = new Map<string, SessionEntry>();
  constructor(
    @Inject(BRAIN) private readonly brain: Brain,
    @Inject(MEMORY) private readonly memory: Memory,
    @Inject(EmbeddingService) private readonly embeddings: EmbeddingService,
    @Inject(CoordService) private readonly coordService: CoordService,
  ) {}
  /**
   * Creates a new MCP session with its own server + transport pair.
   * Returns the transport for use by the controller.
   */
  createSession(userId: string): { sessionId: string; transport: StreamableHTTPServerTransport } {
    const sessionId = randomUUID();
    const transport = new StreamableHTTPServerTransport({
      sessionIdGenerator: () => sessionId,
      onsessioninitialized: (id) => {
        this.logger.log(`MCP session initialized: ${id} for user ${userId}`);
      },
    });
    const server = new McpServer(
      { name: 'mosaic-gateway', version: '1.0.0' },
      { capabilities: { tools: {} } },
    );
    this.registerTools(server, userId);
    transport.onclose = () => {
      this.logger.log(`MCP session closed: ${sessionId}`);
      this.sessions.delete(sessionId);
    };
    server.connect(transport).catch((err: unknown) => {
      this.logger.error(
        `MCP server connect error for session ${sessionId}: ${err instanceof Error ? err.message : String(err)}`,
      );
    });
    this.sessions.set(sessionId, { server, transport, createdAt: new Date(), userId });
    return { sessionId, transport };
  }
  /**
   * Returns the transport for an existing session, or null if not found.
   */
  getSession(sessionId: string): StreamableHTTPServerTransport | null {
    return this.sessions.get(sessionId)?.transport ?? null;
  }
  /**
   * Registers all platform tools on the given McpServer instance.
   */
  private registerTools(server: McpServer, _userId: string): void {
    // ─── Brain: Project tools ────────────────────────────────────────────
    server.registerTool(
      'brain_list_projects',
      {
        description: 'List all projects in the brain.',
        inputSchema: z.object({}),
      },
      async () => {
        const projects = await this.brain.projects.findAll();
        return {
          content: [{ type: 'text' as const, text: JSON.stringify(projects, null, 2) }],
        };
      },
    );
    server.registerTool(
      'brain_get_project',
      {
        description: 'Get a project by ID.',
        inputSchema: z.object({
          id: z.string().describe('Project ID (UUID)'),
        }),
      },
      async ({ id }) => {
        const project = await this.brain.projects.findById(id);
        return {
          content: [
            {
              type: 'text' as const,
              text: project ? JSON.stringify(project, null, 2) : `Project not found: ${id}`,
            },
          ],
        };
      },
    );
    // ─── Brain: Task tools ───────────────────────────────────────────────
    server.registerTool(
      'brain_list_tasks',
      {
        description: 'List tasks, optionally filtered by project, mission, or status.',
        inputSchema: z.object({
          projectId: z.string().optional().describe('Filter by project ID'),
          missionId: z.string().optional().describe('Filter by mission ID'),
          status: z.string().optional().describe('Filter by status'),
        }),
      },
      async ({ projectId, missionId, status }) => {
        type TaskStatus = 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
        let tasks;
        if (projectId) tasks = await this.brain.tasks.findByProject(projectId);
        else if (missionId) tasks = await this.brain.tasks.findByMission(missionId);
        else if (status) tasks = await this.brain.tasks.findByStatus(status as TaskStatus);
        else tasks = await this.brain.tasks.findAll();
        return { content: [{ type: 'text' as const, text: JSON.stringify(tasks, null, 2) }] };
      },
    );
    server.registerTool(
      'brain_create_task',
      {
        description: 'Create a new task in the brain.',
        inputSchema: z.object({
          title: z.string().describe('Task title'),
          description: z.string().optional().describe('Task description'),
          projectId: z.string().optional().describe('Project ID'),
          missionId: z.string().optional().describe('Mission ID'),
          priority: z.string().optional().describe('Priority: low, medium, high, critical'),
        }),
      },
      async (params) => {
        type Priority = 'low' | 'medium' | 'high' | 'critical';
        const task = await this.brain.tasks.create({
          ...params,
          priority: params.priority as Priority | undefined,
        });
        return { content: [{ type: 'text' as const, text: JSON.stringify(task, null, 2) }] };
      },
    );
    server.registerTool(
      'brain_update_task',
      {
        description: 'Update an existing task.',
        inputSchema: z.object({
          id: z.string().describe('Task ID'),
          title: z.string().optional(),
          description: z.string().optional(),
          status: z
            .string()
            .optional()
            .describe('not-started, in-progress, blocked, done, cancelled'),
          priority: z.string().optional(),
        }),
      },
      async ({ id, ...updates }) => {
        type TaskStatus = 'not-started' | 'in-progress' | 'blocked' | 'done' | 'cancelled';
        type Priority = 'low' | 'medium' | 'high' | 'critical';
        const task = await this.brain.tasks.update(id, {
          ...updates,
          status: updates.status as TaskStatus | undefined,
          priority: updates.priority as Priority | undefined,
        });
        return {
          content: [
            {
              type: 'text' as const,
              text: task ? JSON.stringify(task, null, 2) : `Task not found: ${id}`,
            },
          ],
        };
      },
    );
    // ─── Brain: Mission tools ────────────────────────────────────────────
    server.registerTool(
      'brain_list_missions',
      {
        description: 'List all missions, optionally filtered by project.',
        inputSchema: z.object({
          projectId: z.string().optional().describe('Filter by project ID'),
        }),
      },
      async ({ projectId }) => {
        const missions = projectId
          ? await this.brain.missions.findByProject(projectId)
          : await this.brain.missions.findAll();
        return { content: [{ type: 'text' as const, text: JSON.stringify(missions, null, 2) }] };
      },
    );
    server.registerTool(
      'brain_list_conversations',
      {
        description: 'List conversations for a user.',
        inputSchema: z.object({
          userId: z.string().describe('User ID'),
        }),
      },
      async ({ userId }) => {
        const conversations = await this.brain.conversations.findAll(userId);
        return {
          content: [{ type: 'text' as const, text: JSON.stringify(conversations, null, 2) }],
        };
      },
    );
    // ─── Memory tools ────────────────────────────────────────────────────
    server.registerTool(
      'memory_search',
      {
        description:
          'Search across stored insights and knowledge using natural language. Returns semantically similar results.',
        inputSchema: z.object({
          userId: z.string().describe('User ID to search memory for'),
          query: z.string().describe('Natural language search query'),
          limit: z.number().optional().describe('Max results (default 5)'),
        }),
      },
      async ({ userId, query, limit }) => {
        if (!this.embeddings.available) {
          return {
            content: [
              {
                type: 'text' as const,
                text: 'Semantic search unavailable — no embedding provider configured',
              },
            ],
          };
        }
        const embedding = await this.embeddings.embed(query);
        const results = await this.memory.insights.searchByEmbedding(userId, embedding, limit ?? 5);
        return { content: [{ type: 'text' as const, text: JSON.stringify(results, null, 2) }] };
      },
    );
    server.registerTool(
      'memory_get_preferences',
      {
        description: 'Retrieve stored preferences for a user.',
        inputSchema: z.object({
          userId: z.string().describe('User ID'),
          category: z
            .string()
            .optional()
            .describe('Filter by category: communication, coding, workflow, appearance, general'),
        }),
      },
      async ({ userId, category }) => {
        type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
        const prefs = category
          ? await this.memory.preferences.findByUserAndCategory(userId, category as Cat)
          : await this.memory.preferences.findByUser(userId);
        return { content: [{ type: 'text' as const, text: JSON.stringify(prefs, null, 2) }] };
      },
    );
    server.registerTool(
      'memory_save_preference',
      {
        description:
          'Store a learned user preference (e.g., "prefers tables over paragraphs", "timezone: America/Chicago").',
        inputSchema: z.object({
          userId: z.string().describe('User ID'),
          key: z.string().describe('Preference key'),
          value: z.string().describe('Preference value (JSON string)'),
          category: z
            .string()
            .optional()
            .describe('Category: communication, coding, workflow, appearance, general'),
        }),
      },
      async ({ userId, key, value, category }) => {
        type Cat = 'communication' | 'coding' | 'workflow' | 'appearance' | 'general';
        let parsedValue: unknown;
        try {
          parsedValue = JSON.parse(value);
        } catch {
          parsedValue = value;
        }
        const pref = await this.memory.preferences.upsert({
          userId,
          key,
          value: parsedValue,
          category: (category as Cat) ?? 'general',
          source: 'agent',
        });
        return { content: [{ type: 'text' as const, text: JSON.stringify(pref, null, 2) }] };
      },
    );
    server.registerTool(
      'memory_save_insight',
      {
        description:
          'Store a learned insight, decision, or knowledge extracted from the current interaction.',
        inputSchema: z.object({
          userId: z.string().describe('User ID'),
          content: z.string().describe('The insight or knowledge to store'),
          category: z
            .string()
            .optional()
            .describe('Category: decision, learning, preference, fact, pattern, general'),
        }),
      },
      async ({ userId, content, category }) => {
        type Cat = 'decision' | 'learning' | 'preference' | 'fact' | 'pattern' | 'general';
        const embedding = this.embeddings.available ? await this.embeddings.embed(content) : null;
        const insight = await this.memory.insights.create({
          userId,
          content,
          embedding,
          source: 'agent',
          category: (category as Cat) ?? 'learning',
        });
        return { content: [{ type: 'text' as const, text: JSON.stringify(insight, null, 2) }] };
      },
    );
    // ─── Coord tools ─────────────────────────────────────────────────────
    server.registerTool(
      'coord_mission_status',
      {
        description:
          'Get the current orchestration mission status including milestones, tasks, and active session.',
        inputSchema: z.object({
          projectPath: z
            .string()
            .optional()
            .describe('Project path. Defaults to gateway working directory.'),
        }),
      },
      async ({ projectPath }) => {
        const resolvedPath = projectPath ?? process.cwd();
        const status = await this.coordService.getMissionStatus(resolvedPath);
        return {
          content: [
            {
              type: 'text' as const,
              text: status ? JSON.stringify(status, null, 2) : 'No active coord mission found.',
            },
          ],
        };
      },
    );
    server.registerTool(
      'coord_list_tasks',
      {
        description: 'List all tasks from the orchestration TASKS.md file.',
        inputSchema: z.object({
          projectPath: z
            .string()
            .optional()
            .describe('Project path. Defaults to gateway working directory.'),
        }),
      },
      async ({ projectPath }) => {
        const resolvedPath = projectPath ?? process.cwd();
        const tasks = await this.coordService.listTasks(resolvedPath);
        return { content: [{ type: 'text' as const, text: JSON.stringify(tasks, null, 2) }] };
      },
    );
    server.registerTool(
      'coord_task_detail',
      {
        description: 'Get detailed status for a specific orchestration task.',
        inputSchema: z.object({
          taskId: z.string().describe('Task ID (e.g. P2-005)'),
          projectPath: z
            .string()
            .optional()
            .describe('Project path. Defaults to gateway working directory.'),
        }),
      },
      async ({ taskId, projectPath }) => {
        const resolvedPath = projectPath ?? process.cwd();
        const detail = await this.coordService.getTaskStatus(resolvedPath, taskId);
        return {
          content: [
            {
              type: 'text' as const,
              text: detail
                ? JSON.stringify(detail, null, 2)
                : `Task ${taskId} not found in coord mission.`,
            },
          ],
        };
      },
    );
  }
  async onModuleDestroy(): Promise<void> {
    this.logger.log(`Closing ${this.sessions.size} MCP sessions on shutdown`);
    const closePromises = Array.from(this.sessions.values()).map(({ transport }) =>
      transport.close().catch((err: unknown) => {
        this.logger.warn(
          `Error closing MCP transport: ${err instanceof Error ? err.message : String(err)}`,
        );
      }),
    );
    await Promise.all(closePromises);
    this.sessions.clear();
  }
 }
--- a/apps/gateway/src/mcp/mcp.tokens.ts
+++ b/apps/gateway/src/mcp/mcp.tokens.ts
@@ -0,0 +1 @@
 export const MCP_SERVICE = 'MCP_SERVICE';
--- a/apps/gateway/src/memory/memory.controller.ts
+++ b/apps/gateway/src/memory/memory.controller.ts
@@ -15,6 +15,7 @@ import {
 import type { Memory } from '@mosaic/memory';
 import { MEMORY } from './memory.tokens.js';
 import { AuthGuard } from '../auth/auth.guard.js';
 import { CurrentUser } from '../auth/current-user.decorator.js';
 import { EmbeddingService } from './embedding.service.js';
 import type { UpsertPreferenceDto, CreateInsightDto, SearchMemoryDto } from './memory.dto.js';
@@ -23,33 +24,33 @@ import type { UpsertPreferenceDto, CreateInsightDto, SearchMemoryDto } from './m
 export class MemoryController {
  constructor(
    @Inject(MEMORY) private readonly memory: Memory,
-    private readonly embeddings: EmbeddingService,
+    @Inject(EmbeddingService) private readonly embeddings: EmbeddingService,
  ) {}
  // ─── Preferences ────────────────────────────────────────────────────
  @Get('preferences')
-  async listPreferences(@Query('userId') userId: string, @Query('category') category?: string) {
+  async listPreferences(@CurrentUser() user: { id: string }, @Query('category') category?: string) {
    if (category) {
      return this.memory.preferences.findByUserAndCategory(
-        userId,
+        user.id,
        category as Parameters<typeof this.memory.preferences.findByUserAndCategory>[1],
      );
    }
-    return this.memory.preferences.findByUser(userId);
+    return this.memory.preferences.findByUser(user.id);
  }
  @Get('preferences/:key')
-  async getPreference(@Query('userId') userId: string, @Param('key') key: string) {
+  async getPreference(@CurrentUser() user: { id: string }, @Param('key') key: string) {
-    const pref = await this.memory.preferences.findByUserAndKey(userId, key);
+    const pref = await this.memory.preferences.findByUserAndKey(user.id, key);
    if (!pref) throw new NotFoundException('Preference not found');
    return pref;
  }
  @Post('preferences')
-  async upsertPreference(@Query('userId') userId: string, @Body() dto: UpsertPreferenceDto) {
+  async upsertPreference(@CurrentUser() user: { id: string }, @Body() dto: UpsertPreferenceDto) {
    return this.memory.preferences.upsert({
-      userId,
+      userId: user.id,
      key: dto.key,
      value: dto.value,
      category: dto.category,
@@ -59,16 +60,16 @@ export class MemoryController {
  @Delete('preferences/:key')
  @HttpCode(HttpStatus.NO_CONTENT)
-  async removePreference(@Query('userId') userId: string, @Param('key') key: string) {
+  async removePreference(@CurrentUser() user: { id: string }, @Param('key') key: string) {
-    const deleted = await this.memory.preferences.remove(userId, key);
+    const deleted = await this.memory.preferences.remove(user.id, key);
    if (!deleted) throw new NotFoundException('Preference not found');
  }
  // ─── Insights ───────────────────────────────────────────────────────
  @Get('insights')
-  async listInsights(@Query('userId') userId: string, @Query('limit') limit?: string) {
+  async listInsights(@CurrentUser() user: { id: string }, @Query('limit') limit?: string) {
-    return this.memory.insights.findByUser(userId, limit ? Number(limit) : undefined);
+    return this.memory.insights.findByUser(user.id, limit ? Number(limit) : undefined);
  }
  @Get('insights/:id')
@@ -79,13 +80,13 @@ export class MemoryController {
  }
  @Post('insights')
-  async createInsight(@Query('userId') userId: string, @Body() dto: CreateInsightDto) {
+  async createInsight(@CurrentUser() user: { id: string }, @Body() dto: CreateInsightDto) {
    const embedding = this.embeddings.available
      ? await this.embeddings.embed(dto.content)
      : undefined;
    return this.memory.insights.create({
-      userId,
+      userId: user.id,
      content: dto.content,
      source: dto.source,
      category: dto.category,
@@ -104,7 +105,7 @@ export class MemoryController {
  // ─── Search ─────────────────────────────────────────────────────────
  @Post('search')
-  async searchMemory(@Query('userId') userId: string, @Body() dto: SearchMemoryDto) {
+  async searchMemory(@CurrentUser() user: { id: string }, @Body() dto: SearchMemoryDto) {
    if (!this.embeddings.available) {
      return {
        query: dto.query,
@@ -115,7 +116,7 @@ export class MemoryController {
    const queryEmbedding = await this.embeddings.embed(dto.query);
    const results = await this.memory.insights.searchByEmbedding(
-      userId,
+      user.id,
      queryEmbedding,
      dto.limit ?? 10,
      dto.maxDistance ?? 0.8,
--- a/apps/gateway/src/skills/skills.controller.ts
+++ b/apps/gateway/src/skills/skills.controller.ts
@@ -5,6 +5,7 @@ import {
  Get,
  HttpCode,
  HttpStatus,
  Inject,
  NotFoundException,
  Param,
  Patch,
@@ -18,7 +19,7 @@ import type { CreateSkillDto, UpdateSkillDto } from './skills.dto.js';
@Controller('api/skills')
@UseGuards(AuthGuard)
 export class SkillsController {
-  constructor(private readonly skills: SkillsService) {}
+  constructor(@Inject(SkillsService) private readonly skills: SkillsService) {}
  @Get()
  async list() {
--- a/apps/web/e2e/admin.spec.ts
+++ b/apps/web/e2e/admin.spec.ts
@@ -0,0 +1,72 @@
 import { test, expect } from '@playwright/test';
 import { loginAs, ADMIN_USER, TEST_USER } from './helpers/auth.js';
 test.describe('Admin page — admin user', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, ADMIN_USER.email, ADMIN_USER.password);
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded admin user — skipping admin tests');
  });
  test('admin page loads with the Admin Panel heading', async ({ page }) => {
    await page.goto('/admin');
    await expect(page.getByRole('heading', { name: /admin panel/i })).toBeVisible({
      timeout: 10_000,
    });
  });
  test('shows User Management and System Health tabs', async ({ page }) => {
    await page.goto('/admin');
    await expect(page.getByRole('button', { name: /user management/i })).toBeVisible();
    await expect(page.getByRole('button', { name: /system health/i })).toBeVisible();
  });
  test('User Management tab is active by default', async ({ page }) => {
    await page.goto('/admin');
    // The users tab shows a "+ New User" button
    await expect(page.getByRole('button', { name: /new user/i })).toBeVisible({ timeout: 10_000 });
  });
  test('clicking System Health tab switches to health view', async ({ page }) => {
    await page.goto('/admin');
    await page.getByRole('button', { name: /system health/i }).click();
    // Health cards or loading indicator should appear
    const hasLoading = await page
      .getByText(/loading health/i)
      .isVisible()
      .catch(() => false);
    const hasCard = await page
      .getByText(/database/i)
      .isVisible()
      .catch(() => false);
    expect(hasLoading || hasCard).toBe(true);
  });
 });
 test.describe('Admin page — non-admin user', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, TEST_USER.email, TEST_USER.password);
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded test user — skipping non-admin tests');
  });
  test('non-admin visiting /admin sees access denied or is redirected', async ({ page }) => {
    await page.goto('/admin');
    // Either redirected away or shown an access-denied message
    const onAdmin = page.url().includes('/admin');
    if (onAdmin) {
      // Should show some access-denied content rather than the full admin panel
      const hasPanel = await page
        .getByRole('heading', { name: /admin panel/i })
        .isVisible()
        .catch(() => false);
      // If heading is visible, the guard allowed access (user may have admin role in this env)
      // — not a failure, just informational
      if (!hasPanel) {
        // access denied message, redirect, or guard placeholder
        const url = page.url();
        expect(url).toBeTruthy(); // environment-dependent — no hard assertion
      }
    }
  });
 });
--- a/apps/web/e2e/auth.spec.ts
+++ b/apps/web/e2e/auth.spec.ts
@@ -0,0 +1,119 @@
 import { test, expect } from '@playwright/test';
 import { TEST_USER } from './helpers/auth.js';
 // ── Login page ────────────────────────────────────────────────────────────────
 test.describe('Login page', () => {
  test('loads and shows the sign-in heading', async ({ page }) => {
    await page.goto('/login');
    await expect(page).toHaveTitle(/mosaic/i);
    await expect(page.getByRole('heading', { name: /sign in/i })).toBeVisible();
  });
  test('shows email and password fields', async ({ page }) => {
    await page.goto('/login');
    await expect(page.getByLabel('Email')).toBeVisible();
    await expect(page.getByLabel('Password')).toBeVisible();
  });
  test('shows submit button', async ({ page }) => {
    await page.goto('/login');
    await expect(page.getByRole('button', { name: /sign in/i })).toBeVisible();
  });
  test('shows link to registration page', async ({ page }) => {
    await page.goto('/login');
    const signUpLink = page.getByRole('link', { name: /sign up/i });
    await expect(signUpLink).toBeVisible();
    await signUpLink.click();
    await expect(page).toHaveURL(/\/register/);
  });
  test('shows an error alert for invalid credentials', async ({ page }) => {
    await page.goto('/login');
    await page.getByLabel('Email').fill('nobody@nowhere.invalid');
    await page.getByLabel('Password').fill('wrongpassword');
    await page.getByRole('button', { name: /sign in/i }).click();
    // The error banner should appear; it has role="alert"
    await expect(page.getByRole('alert')).toBeVisible({ timeout: 10_000 });
  });
  test('email field requires valid format (HTML5 validation)', async ({ page }) => {
    await page.goto('/login');
    // Fill a non-email value — browser prevents submission
    await page.getByLabel('Email').fill('notanemail');
    await page.getByLabel('Password').fill('somepass');
    await page.getByRole('button', { name: /sign in/i }).click();
    // Still on the login page
    await expect(page).toHaveURL(/\/login/);
  });
  test('redirects to /chat after successful login', async ({ page }) => {
    await page.goto('/login');
    await page.getByLabel('Email').fill(TEST_USER.email);
    await page.getByLabel('Password').fill(TEST_USER.password);
    await page.getByRole('button', { name: /sign in/i }).click();
    // Either reaches /chat or shows an error (if credentials are wrong in this env).
    // We assert a navigation away from /login, or the alert is shown.
    await Promise.race([
      expect(page).toHaveURL(/\/chat/, { timeout: 10_000 }),
      expect(page.getByRole('alert')).toBeVisible({ timeout: 10_000 }),
    ]).catch(() => {
      // Acceptable — environment may not have seeded credentials
    });
  });
 });
 // ── Registration page ─────────────────────────────────────────────────────────
 test.describe('Registration page', () => {
  test('loads and shows the create account heading', async ({ page }) => {
    await page.goto('/register');
    await expect(page.getByRole('heading', { name: /create account/i })).toBeVisible();
  });
  test('shows name, email and password fields', async ({ page }) => {
    await page.goto('/register');
    await expect(page.getByLabel('Name')).toBeVisible();
    await expect(page.getByLabel('Email')).toBeVisible();
    await expect(page.getByLabel('Password')).toBeVisible();
  });
  test('shows submit button', async ({ page }) => {
    await page.goto('/register');
    await expect(page.getByRole('button', { name: /create account/i })).toBeVisible();
  });
  test('shows link to login page', async ({ page }) => {
    await page.goto('/register');
    const signInLink = page.getByRole('link', { name: /sign in/i });
    await expect(signInLink).toBeVisible();
    await signInLink.click();
    await expect(page).toHaveURL(/\/login/);
  });
  test('name field is required — empty form stays on page', async ({ page }) => {
    await page.goto('/register');
    // Submit with nothing filled in — browser required validation blocks it
    await page.getByRole('button', { name: /create account/i }).click();
    await expect(page).toHaveURL(/\/register/);
  });
  test('all required fields must be filled (HTML5 validation)', async ({ page }) => {
    await page.goto('/register');
    await page.getByLabel('Name').fill('Test User');
    // Do NOT fill email or password — still on page
    await page.getByRole('button', { name: /create account/i }).click();
    await expect(page).toHaveURL(/\/register/);
  });
 });
 // ── Root redirect ─────────────────────────────────────────────────────────────
 test.describe('Root route', () => {
  test('visiting / redirects to /login or /chat', async ({ page }) => {
    await page.goto('/');
    // Unauthenticated users should land on /login; authenticated on /chat
    await expect(page).toHaveURL(/\/(login|chat)/, { timeout: 10_000 });
  });
 });
--- a/apps/web/e2e/chat.spec.ts
+++ b/apps/web/e2e/chat.spec.ts
@@ -0,0 +1,50 @@
 import { test, expect } from '@playwright/test';
 import { loginAs, TEST_USER } from './helpers/auth.js';
 test.describe('Chat page', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, TEST_USER.email, TEST_USER.password);
    // If login failed (no seeded user in env) we may be on /login — skip
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
  });
  test('chat page loads and shows the welcome message or conversation list', async ({ page }) => {
    await page.goto('/chat');
    // Either there are conversations listed or the welcome empty-state is shown
    const hasWelcome = await page
      .getByRole('heading', { name: /welcome to mosaic chat/i })
      .isVisible()
      .catch(() => false);
    const hasConversationPanel = await page
      .locator('[data-testid="conversation-list"], nav, aside')
      .first()
      .isVisible()
      .catch(() => false);
    expect(hasWelcome || hasConversationPanel).toBe(true);
  });
  test('new conversation button is visible', async ({ page }) => {
    await page.goto('/chat');
    // "Start new conversation" button or a "+" button in the sidebar
    const newConvButton = page.getByRole('button', { name: /new conversation|start new/i }).first();
    await expect(newConvButton).toBeVisible({ timeout: 10_000 });
  });
  test('clicking new conversation shows a chat input area', async ({ page }) => {
    await page.goto('/chat');
    // Find any button that creates a new conversation
    const newBtn = page.getByRole('button', { name: /new conversation|start new/i }).first();
    await newBtn.click();
    // After creating, a text input for sending messages should appear
    const chatInput = page.getByRole('textbox').or(page.locator('textarea')).first();
    await expect(chatInput).toBeVisible({ timeout: 10_000 });
  });
  test('sidebar navigation is present on chat page', async ({ page }) => {
    await page.goto('/chat');
    // The app-shell sidebar should be visible
    await expect(page.getByRole('link', { name: /chat/i }).first()).toBeVisible();
  });
 });
--- a/apps/web/e2e/helpers/auth.ts
+++ b/apps/web/e2e/helpers/auth.ts
@@ -0,0 +1,23 @@
 import type { Page } from '@playwright/test';
 export const TEST_USER = {
  email: process.env['E2E_USER_EMAIL'] ?? 'e2e@example.com',
  password: process.env['E2E_USER_PASSWORD'] ?? 'password123',
  name: 'E2E Test User',
 };
 export const ADMIN_USER = {
  email: process.env['E2E_ADMIN_EMAIL'] ?? 'admin@example.com',
  password: process.env['E2E_ADMIN_PASSWORD'] ?? 'adminpass123',
  name: 'E2E Admin User',
 };
 /**
 * Fill the login form and submit. Waits for navigation after success.
 */
 export async function loginAs(page: Page, email: string, password: string): Promise<void> {
  await page.goto('/login');
  await page.getByLabel('Email').fill(email);
  await page.getByLabel('Password').fill(password);
  await page.getByRole('button', { name: /sign in/i }).click();
 }
--- a/apps/web/e2e/navigation.spec.ts
+++ b/apps/web/e2e/navigation.spec.ts
@@ -0,0 +1,86 @@
 import { test, expect } from '@playwright/test';
 import { loginAs, TEST_USER } from './helpers/auth.js';
 test.describe('Sidebar navigation', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, TEST_USER.email, TEST_USER.password);
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
  });
  test('sidebar shows Mosaic brand link', async ({ page }) => {
    await page.goto('/chat');
    await expect(page.getByRole('link', { name: /mosaic/i }).first()).toBeVisible();
  });
  test('Chat nav link navigates to /chat', async ({ page }) => {
    await page.goto('/settings');
    await page
      .getByRole('link', { name: /^chat$/i })
      .first()
      .click();
    await expect(page).toHaveURL(/\/chat/);
  });
  test('Projects nav link navigates to /projects', async ({ page }) => {
    await page.goto('/chat');
    await page
      .getByRole('link', { name: /projects/i })
      .first()
      .click();
    await expect(page).toHaveURL(/\/projects/);
  });
  test('Settings nav link navigates to /settings', async ({ page }) => {
    await page.goto('/chat');
    await page
      .getByRole('link', { name: /settings/i })
      .first()
      .click();
    await expect(page).toHaveURL(/\/settings/);
  });
  test('Tasks nav link navigates to /tasks', async ({ page }) => {
    await page.goto('/chat');
    await page.getByRole('link', { name: /tasks/i }).first().click();
    await expect(page).toHaveURL(/\/tasks/);
  });
  test('active link is visually highlighted', async ({ page }) => {
    await page.goto('/chat');
    // The active link should have a distinct class — check that the Chat link
    // has the active style class (bg-blue-600/20 text-blue-400)
    const chatLink = page.getByRole('link', { name: /^chat$/i }).first();
    const cls = await chatLink.getAttribute('class');
    expect(cls).toContain('blue');
  });
 });
 test.describe('Route transitions', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, TEST_USER.email, TEST_USER.password);
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
  });
  test('navigating chat → projects → settings → chat works without errors', async ({ page }) => {
    await page.goto('/chat');
    await expect(page).toHaveURL(/\/chat/);
    await page.goto('/projects');
    await expect(page.getByRole('heading', { name: /projects/i })).toBeVisible();
    await page.goto('/settings');
    await expect(page.getByRole('heading', { name: /settings/i })).toBeVisible();
    await page.goto('/chat');
    await expect(page).toHaveURL(/\/chat/);
  });
  test('back-button navigation works between pages', async ({ page }) => {
    await page.goto('/chat');
    await page.goto('/projects');
    await page.goBack();
    await expect(page).toHaveURL(/\/chat/);
  });
 });
--- a/apps/web/e2e/projects.spec.ts
+++ b/apps/web/e2e/projects.spec.ts
@@ -0,0 +1,44 @@
 import { test, expect } from '@playwright/test';
 import { loginAs, TEST_USER } from './helpers/auth.js';
 test.describe('Projects page', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, TEST_USER.email, TEST_USER.password);
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
  });
  test('projects page loads with heading', async ({ page }) => {
    await page.goto('/projects');
    await expect(page.getByRole('heading', { name: /projects/i })).toBeVisible({ timeout: 10_000 });
  });
  test('shows empty state or project cards when loaded', async ({ page }) => {
    await page.goto('/projects');
    // Wait for loading state to clear
    await expect(page.getByText(/loading projects/i)).not.toBeVisible({ timeout: 10_000 });
    const hasProjects = await page
      .locator('[class*="grid"]')
      .isVisible()
      .catch(() => false);
    const hasEmpty = await page
      .getByText(/no projects yet/i)
      .isVisible()
      .catch(() => false);
    expect(hasProjects || hasEmpty).toBe(true);
  });
  test('shows Active Mission section', async ({ page }) => {
    await page.goto('/projects');
    await expect(page.getByRole('heading', { name: /active mission/i })).toBeVisible({
      timeout: 10_000,
    });
  });
  test('sidebar navigation is present', async ({ page }) => {
    await page.goto('/projects');
    await expect(page.getByRole('link', { name: /projects/i }).first()).toBeVisible();
  });
 });
--- a/apps/web/e2e/settings.spec.ts
+++ b/apps/web/e2e/settings.spec.ts
@@ -0,0 +1,56 @@
 import { test, expect } from '@playwright/test';
 import { loginAs, TEST_USER } from './helpers/auth.js';
 test.describe('Settings page', () => {
  test.beforeEach(async ({ page }) => {
    await loginAs(page, TEST_USER.email, TEST_USER.password);
    const url = page.url();
    test.skip(!url.includes('/chat'), 'No seeded test user — skipping authenticated tests');
  });
  test('settings page loads with heading', async ({ page }) => {
    await page.goto('/settings');
    await expect(page.getByRole('heading', { name: /^settings$/i })).toBeVisible({
      timeout: 10_000,
    });
  });
  test('shows the four settings tabs', async ({ page }) => {
    await page.goto('/settings');
    await expect(page.getByRole('button', { name: /profile/i })).toBeVisible();
    await expect(page.getByRole('button', { name: /appearance/i })).toBeVisible();
    await expect(page.getByRole('button', { name: /notifications/i })).toBeVisible();
    await expect(page.getByRole('button', { name: /providers/i })).toBeVisible();
  });
  test('profile tab is active by default', async ({ page }) => {
    await page.goto('/settings');
    await expect(page.getByRole('heading', { name: /^profile$/i })).toBeVisible({
      timeout: 10_000,
    });
  });
  test('clicking Appearance tab switches content', async ({ page }) => {
    await page.goto('/settings');
    await page.getByRole('button', { name: /appearance/i }).click();
    await expect(page.getByRole('heading', { name: /appearance/i })).toBeVisible({
      timeout: 5_000,
    });
  });
  test('clicking Notifications tab switches content', async ({ page }) => {
    await page.goto('/settings');
    await page.getByRole('button', { name: /notifications/i }).click();
    await expect(page.getByRole('heading', { name: /notifications/i })).toBeVisible({
      timeout: 5_000,
    });
  });
  test('clicking Providers tab switches content', async ({ page }) => {
    await page.goto('/settings');
    await page.getByRole('button', { name: /providers/i }).click();
    await expect(page.getByRole('heading', { name: /llm providers/i })).toBeVisible({
      timeout: 5_000,
    });
  });
 });
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -8,6 +8,7 @@
    "lint": "eslint src",
    "typecheck": "tsc --noEmit",
    "test": "vitest run --passWithNoTests",
    "test:e2e": "playwright test",
    "start": "next start"
  },
  "dependencies": {
@@ -21,6 +22,7 @@
    "tailwind-merge": "^3.5.0"
  },
  "devDependencies": {
    "@playwright/test": "^1.58.2",
    "@tailwindcss/postcss": "^4.0.0",
    "@types/node": "^22.0.0",
    "@types/react": "^19.0.0",
--- a/apps/web/playwright.config.ts
+++ b/apps/web/playwright.config.ts
@@ -0,0 +1,32 @@
 import { defineConfig, devices } from '@playwright/test';
 /**
 * Playwright E2E configuration for Mosaic web app.
 *
 * Assumes:
 *   - Next.js web app running on http://localhost:3000
 *   - NestJS gateway running on http://localhost:4000
 *
 * Run with:   pnpm --filter @mosaic/web test:e2e
 */
 export default defineConfig({
  testDir: './e2e',
  fullyParallel: true,
  forbidOnly: !!process.env['CI'],
  retries: process.env['CI'] ? 2 : 0,
  workers: process.env['CI'] ? 1 : undefined,
  reporter: 'html',
  use: {
    baseURL: process.env['PLAYWRIGHT_BASE_URL'] ?? 'http://localhost:3000',
    trace: 'on-first-retry',
    screenshot: 'only-on-failure',
  },
  projects: [
    {
      name: 'chromium',
      use: { ...devices['Desktop Chrome'] },
    },
  ],
  // Do NOT auto-start the dev server — tests assume it is already running.
  // webServer is intentionally omitted so tests can run against a live env.
 });
--- a/apps/web/src/app/(dashboard)/admin/page.tsx
+++ b/apps/web/src/app/(dashboard)/admin/page.tsx
@@ -1,99 +1,531 @@
 'use client';
-import { useEffect, useState } from 'react';
+import { useEffect, useState, useCallback } from 'react';
 import { AdminRoleGuard } from '@/components/admin-role-guard';
 import { api } from '@/lib/api';
 import { cn } from '@/lib/cn';
-interface SessionInfo {
+// ── Types ──────────────────────────────────────────────────────────────────────
 interface UserDto {
  id: string;
-  provider: string;
+  name: string;
-  modelId: string;
+  email: string;
  role: string;
  banned: boolean;
  banReason: string | null;
  createdAt: string;
-  promptCount: number;
+  updatedAt: string;
  channels: string[];
  durationMs: number;
 }
-interface SessionsResponse {
+interface UserListDto {
-  sessions: SessionInfo[];
+  users: UserDto[];
  total: number;
 }
-export default function AdminPage(): React.ReactElement {
+interface ServiceStatusDto {
-  const [sessions, setSessions] = useState<SessionInfo[]>([]);
+  status: 'ok' | 'error';
-  const [loading, setLoading] = useState(true);
+  latencyMs?: number;
  error?: string;
 }
-  useEffect(() => {
+interface ProviderStatusDto {
-    api<SessionsResponse>('/api/sessions')
+  id: string;
-      .then((res) => setSessions(res.sessions))
+  name: string;
-      .catch(() => {})
+  available: boolean;
-      .finally(() => setLoading(false));
+  modelCount: number;
-  }, []);
+}
 interface HealthStatusDto {
  status: 'ok' | 'degraded' | 'error';
  database: ServiceStatusDto;
  cache: ServiceStatusDto;
  agentPool: { activeSessions: number };
  providers: ProviderStatusDto[];
  checkedAt: string;
 }
 // ── Admin Page ─────────────────────────────────────────────────────────────────
 export default function AdminPage(): React.ReactElement {
  return (
    <AdminRoleGuard>
      <AdminContent />
    </AdminRoleGuard>
  );
 }
 function AdminContent(): React.ReactElement {
  const [activeTab, setActiveTab] = useState<'users' | 'health'>('users');
  return (
-    <div className="mx-auto max-w-4xl space-y-8">
+    <div className="mx-auto max-w-5xl space-y-6">
-      <h1 className="text-2xl font-semibold">Admin</h1>
+      <div className="flex items-center justify-between">
        <h1 className="text-2xl font-semibold text-text-primary">Admin Panel</h1>
      </div>
-      {/* User Management placeholder */}
+      <div className="flex gap-1 border-b border-surface-border">
-      <section>
+        {(['users', 'health'] as const).map((tab) => (
-        <h2 className="mb-4 text-lg font-medium text-text-secondary">User Management</h2>
+          <button
-        <div className="rounded-lg border border-surface-border bg-surface-card p-6 text-center">
+            key={tab}
-          <p className="text-sm text-text-muted">
+            type="button"
-            User management will be available when the admin API is implemented
+            onClick={() => setActiveTab(tab)}
-          </p>
+            className={cn(
-        </div>
+              'px-4 py-2 text-sm font-medium capitalize transition-colors',
-      </section>
+              activeTab === tab
                ? 'border-b-2 border-blue-500 text-blue-400'
                : 'text-text-secondary hover:text-text-primary',
            )}
          >
            {tab === 'users' ? 'User Management' : 'System Health'}
          </button>
        ))}
      </div>
-      {/* Active Agent Sessions */}
+      {activeTab === 'users' ? <UsersTab /> : <HealthTab />}
      <section>
        <h2 className="mb-4 text-lg font-medium text-text-secondary">Active Agent Sessions</h2>
        {loading ? (
          <p className="text-sm text-text-muted">Loading sessions...</p>
        ) : sessions.length === 0 ? (
          <div className="rounded-lg border border-surface-border bg-surface-card p-4">
            <p className="text-sm text-text-muted">No active sessions</p>
          </div>
        ) : (
          <div className="overflow-hidden rounded-lg border border-surface-border">
            <table className="w-full">
              <thead>
                <tr className="border-b border-surface-border bg-surface-elevated text-left text-xs text-text-muted">
                  <th className="px-4 py-2 font-medium">Session ID</th>
                  <th className="px-4 py-2 font-medium">Provider</th>
                  <th className="px-4 py-2 font-medium">Model</th>
                  <th className="hidden px-4 py-2 font-medium md:table-cell">Prompts</th>
                  <th className="hidden px-4 py-2 font-medium md:table-cell">Duration</th>
                </tr>
              </thead>
              <tbody>
                {sessions.map((s) => (
                  <tr key={s.id} className="border-b border-surface-border last:border-b-0">
                    <td className="max-w-[200px] truncate px-4 py-2 font-mono text-xs text-text-primary">
                      {s.id}
                    </td>
                    <td className="px-4 py-2 text-xs text-text-muted">{s.provider}</td>
                    <td className="px-4 py-2 text-xs text-text-muted">{s.modelId}</td>
                    <td className="hidden px-4 py-2 text-xs text-text-muted md:table-cell">
                      {s.promptCount}
                    </td>
                    <td className="hidden px-4 py-2 text-xs text-text-muted md:table-cell">
                      {formatDuration(s.durationMs)}
                    </td>
                  </tr>
                ))}
              </tbody>
            </table>
          </div>
        )}
      </section>
    </div>
  );
 }
-function formatDuration(ms: number): string {
+// ── Users Tab ──────────────────────────────────────────────────────────────────
-  const seconds = Math.floor(ms / 1000);
+
-  if (seconds < 60) return `${seconds}s`;
+function UsersTab(): React.ReactElement {
-  const minutes = Math.floor(seconds / 60);
+  const [users, setUsers] = useState<UserDto[]>([]);
-  if (minutes < 60) return `${minutes}m ${seconds % 60}s`;
+  const [loading, setLoading] = useState(true);
-  const hours = Math.floor(minutes / 60);
+  const [error, setError] = useState<string | null>(null);
-  return `${hours}h ${minutes % 60}m`;
+  const [showCreate, setShowCreate] = useState(false);
  const loadUsers = useCallback(async () => {
    setLoading(true);
    setError(null);
    try {
      const data = await api<UserListDto>('/api/admin/users');
      setUsers(data.users);
    } catch (err) {
      setError(err instanceof Error ? err.message : 'Failed to load users');
    } finally {
      setLoading(false);
    }
  }, []);
  useEffect(() => {
    void loadUsers();
  }, [loadUsers]);
  async function handleRoleToggle(user: UserDto): Promise<void> {
    const newRole = user.role === 'admin' ? 'member' : 'admin';
    try {
      await api(`/api/admin/users/${user.id}/role`, {
        method: 'PATCH',
        body: { role: newRole },
      });
      await loadUsers();
    } catch (err) {
      alert(err instanceof Error ? err.message : 'Failed to update role');
    }
  }
  async function handleBanToggle(user: UserDto): Promise<void> {
    const endpoint = user.banned ? 'unban' : 'ban';
    try {
      await api(`/api/admin/users/${user.id}/${endpoint}`, { method: 'POST' });
      await loadUsers();
    } catch (err) {
      alert(err instanceof Error ? err.message : 'Failed to update ban status');
    }
  }
  async function handleDelete(user: UserDto): Promise<void> {
    if (!confirm(`Delete user ${user.email}? This cannot be undone.`)) return;
    try {
      await api(`/api/admin/users/${user.id}`, { method: 'DELETE' });
      await loadUsers();
    } catch (err) {
      alert(err instanceof Error ? err.message : 'Failed to delete user');
    }
  }
  if (loading) {
    return <p className="text-sm text-text-muted">Loading users...</p>;
  }
  if (error) {
    return (
      <div className="rounded-lg border border-red-500/30 bg-red-500/10 p-4">
        <p className="text-sm text-red-400">{error}</p>
        <button
          type="button"
          onClick={() => void loadUsers()}
          className="mt-2 text-xs text-red-300 underline hover:no-underline"
        >
          Retry
        </button>
      </div>
    );
  }
  return (
    <div className="space-y-4">
      <div className="flex items-center justify-between">
        <p className="text-sm text-text-muted">{users.length} user(s)</p>
        <button
          type="button"
          onClick={() => setShowCreate(true)}
          className="rounded-md bg-blue-600 px-3 py-1.5 text-sm text-white transition-colors hover:bg-blue-700"
        >
          + New User
        </button>
      </div>
      {showCreate && (
        <CreateUserForm
          onCancel={() => setShowCreate(false)}
          onCreated={() => {
            setShowCreate(false);
            void loadUsers();
          }}
        />
      )}
      {users.length === 0 ? (
        <div className="rounded-lg border border-surface-border bg-surface-card p-6 text-center">
          <p className="text-sm text-text-muted">No users found</p>
        </div>
      ) : (
        <div className="overflow-hidden rounded-lg border border-surface-border">
          <table className="w-full">
            <thead>
              <tr className="border-b border-surface-border bg-surface-elevated text-left text-xs text-text-muted">
                <th className="px-4 py-2 font-medium">Name / Email</th>
                <th className="px-4 py-2 font-medium">Role</th>
                <th className="hidden px-4 py-2 font-medium md:table-cell">Status</th>
                <th className="hidden px-4 py-2 font-medium md:table-cell">Created</th>
                <th className="px-4 py-2 font-medium">Actions</th>
              </tr>
            </thead>
            <tbody>
              {users.map((user) => (
                <tr key={user.id} className="border-b border-surface-border last:border-b-0">
                  <td className="px-4 py-3">
                    <div className="text-sm font-medium text-text-primary">{user.name}</div>
                    <div className="text-xs text-text-muted">{user.email}</div>
                  </td>
                  <td className="px-4 py-3">
                    <span
                      className={cn(
                        'inline-flex rounded-full px-2 py-0.5 text-xs font-medium',
                        user.role === 'admin'
                          ? 'bg-purple-500/20 text-purple-400'
                          : 'bg-surface-elevated text-text-secondary',
                      )}
                    >
                      {user.role}
                    </span>
                  </td>
                  <td className="hidden px-4 py-3 md:table-cell">
                    {user.banned ? (
                      <span className="inline-flex rounded-full bg-red-500/20 px-2 py-0.5 text-xs font-medium text-red-400">
                        Banned
                      </span>
                    ) : (
                      <span className="inline-flex rounded-full bg-green-500/20 px-2 py-0.5 text-xs font-medium text-green-400">
                        Active
                      </span>
                    )}
                  </td>
                  <td className="hidden px-4 py-3 text-xs text-text-muted md:table-cell">
                    {new Date(user.createdAt).toLocaleDateString()}
                  </td>
                  <td className="px-4 py-3">
                    <div className="flex items-center gap-2">
                      <button
                        type="button"
                        onClick={() => void handleRoleToggle(user)}
                        className="text-xs text-blue-400 hover:text-blue-300"
                        title={user.role === 'admin' ? 'Demote to member' : 'Promote to admin'}
                      >
                        {user.role === 'admin' ? 'Demote' : 'Promote'}
                      </button>
                      <button
                        type="button"
                        onClick={() => void handleBanToggle(user)}
                        className={cn(
                          'text-xs',
                          user.banned
                            ? 'text-green-400 hover:text-green-300'
                            : 'text-yellow-400 hover:text-yellow-300',
                        )}
                      >
                        {user.banned ? 'Unban' : 'Ban'}
                      </button>
                      <button
                        type="button"
                        onClick={() => void handleDelete(user)}
                        className="text-xs text-red-400 hover:text-red-300"
                      >
                        Delete
                      </button>
                    </div>
                  </td>
                </tr>
              ))}
            </tbody>
          </table>
        </div>
      )}
    </div>
  );
 }
 // ── Create User Form ──────────────────────────────────────────────────────────
 interface CreateUserFormProps {
  onCancel: () => void;
  onCreated: () => void;
 }
 function CreateUserForm({ onCancel, onCreated }: CreateUserFormProps): React.ReactElement {
  const [name, setName] = useState('');
  const [email, setEmail] = useState('');
  const [password, setPassword] = useState('');
  const [role, setRole] = useState('member');
  const [submitting, setSubmitting] = useState(false);
  const [error, setError] = useState<string | null>(null);
  async function handleSubmit(e: React.FormEvent): Promise<void> {
    e.preventDefault();
    setSubmitting(true);
    setError(null);
    try {
      await api('/api/admin/users', {
        method: 'POST',
        body: { name, email, password, role },
      });
      onCreated();
    } catch (err) {
      setError(err instanceof Error ? err.message : 'Failed to create user');
    } finally {
      setSubmitting(false);
    }
  }
  return (
    <div className="rounded-lg border border-surface-border bg-surface-card p-4">
      <h3 className="mb-3 text-sm font-medium text-text-primary">Create New User</h3>
      <form onSubmit={(e) => void handleSubmit(e)} className="space-y-3">
        {error && <p className="text-xs text-red-400">{error}</p>}
        <div className="grid grid-cols-2 gap-3">
          <div>
            <label className="mb-1 block text-xs text-text-muted">Name</label>
            <input
              type="text"
              required
              value={name}
              onChange={(e) => setName(e.target.value)}
              className="w-full rounded-md border border-surface-border bg-surface-elevated px-3 py-1.5 text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-blue-500"
            />
          </div>
          <div>
            <label className="mb-1 block text-xs text-text-muted">Email</label>
            <input
              type="email"
              required
              value={email}
              onChange={(e) => setEmail(e.target.value)}
              className="w-full rounded-md border border-surface-border bg-surface-elevated px-3 py-1.5 text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-blue-500"
            />
          </div>
          <div>
            <label className="mb-1 block text-xs text-text-muted">Password</label>
            <input
              type="password"
              required
              value={password}
              onChange={(e) => setPassword(e.target.value)}
              className="w-full rounded-md border border-surface-border bg-surface-elevated px-3 py-1.5 text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-blue-500"
            />
          </div>
          <div>
            <label className="mb-1 block text-xs text-text-muted">Role</label>
            <select
              value={role}
              onChange={(e) => setRole(e.target.value)}
              className="w-full rounded-md border border-surface-border bg-surface-elevated px-3 py-1.5 text-sm text-text-primary focus:outline-none focus:ring-1 focus:ring-blue-500"
            >
              <option value="member">member</option>
              <option value="admin">admin</option>
            </select>
          </div>
        </div>
        <div className="flex justify-end gap-2">
          <button
            type="button"
            onClick={onCancel}
            className="rounded-md px-3 py-1.5 text-sm text-text-muted hover:text-text-primary"
          >
            Cancel
          </button>
          <button
            type="submit"
            disabled={submitting}
            className="rounded-md bg-blue-600 px-3 py-1.5 text-sm text-white hover:bg-blue-700 disabled:opacity-50"
          >
            {submitting ? 'Creating...' : 'Create'}
          </button>
        </div>
      </form>
    </div>
  );
 }
 // ── Health Tab ────────────────────────────────────────────────────────────────
 function HealthTab(): React.ReactElement {
  const [health, setHealth] = useState<HealthStatusDto | null>(null);
  const [loading, setLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const loadHealth = useCallback(async () => {
    setLoading(true);
    setError(null);
    try {
      const data = await api<HealthStatusDto>('/api/admin/health');
      setHealth(data);
    } catch (err) {
      setError(err instanceof Error ? err.message : 'Failed to load health');
    } finally {
      setLoading(false);
    }
  }, []);
  useEffect(() => {
    void loadHealth();
  }, [loadHealth]);
  if (loading) {
    return <p className="text-sm text-text-muted">Loading health status...</p>;
  }
  if (error) {
    return (
      <div className="rounded-lg border border-red-500/30 bg-red-500/10 p-4">
        <p className="text-sm text-red-400">{error}</p>
        <button
          type="button"
          onClick={() => void loadHealth()}
          className="mt-2 text-xs text-red-300 underline hover:no-underline"
        >
          Retry
        </button>
      </div>
    );
  }
  if (!health) return <></>;
  return (
    <div className="space-y-6">
      <div className="flex items-center justify-between">
        <div className="flex items-center gap-2">
          <StatusBadge status={health.status} />
          <span className="text-sm text-text-muted">
            Last checked: {new Date(health.checkedAt).toLocaleTimeString()}
          </span>
        </div>
        <button
          type="button"
          onClick={() => void loadHealth()}
          className="text-xs text-blue-400 hover:text-blue-300"
        >
          Refresh
        </button>
      </div>
      <div className="grid grid-cols-1 gap-4 sm:grid-cols-2">
        {/* Database */}
        <HealthCard title="Database (PostgreSQL)" status={health.database.status}>
          {health.database.latencyMs !== undefined && (
            <p className="text-xs text-text-muted">Latency: {health.database.latencyMs}ms</p>
          )}
          {health.database.error && <p className="text-xs text-red-400">{health.database.error}</p>}
        </HealthCard>
        {/* Cache */}
        <HealthCard title="Cache (Valkey)" status={health.cache.status}>
          {health.cache.latencyMs !== undefined && (
            <p className="text-xs text-text-muted">Latency: {health.cache.latencyMs}ms</p>
          )}
          {health.cache.error && <p className="text-xs text-red-400">{health.cache.error}</p>}
        </HealthCard>
        {/* Agent Pool */}
        <HealthCard title="Agent Pool" status="ok">
          <p className="text-xs text-text-muted">
            Active sessions: {health.agentPool.activeSessions}
          </p>
        </HealthCard>
        {/* Providers */}
        <HealthCard
          title="LLM Providers"
          status={health.providers.some((p) => p.available) ? 'ok' : 'error'}
        >
          {health.providers.length === 0 ? (
            <p className="text-xs text-text-muted">No providers configured</p>
          ) : (
            <ul className="space-y-1">
              {health.providers.map((p) => (
                <li key={p.id} className="flex items-center justify-between text-xs">
                  <span className="text-text-secondary">{p.name}</span>
                  <span
                    className={cn(
                      'rounded-full px-1.5 py-0.5',
                      p.available ? 'bg-green-500/20 text-green-400' : 'bg-red-500/20 text-red-400',
                    )}
                  >
                    {p.available ? `${p.modelCount} models` : 'unavailable'}
                  </span>
                </li>
              ))}
            </ul>
          )}
        </HealthCard>
      </div>
    </div>
  );
 }
 // ── Helper Components ─────────────────────────────────────────────────────────
 function StatusBadge({ status }: { status: 'ok' | 'degraded' | 'error' }): React.ReactElement {
  const map = {
    ok: 'bg-green-500/20 text-green-400',
    degraded: 'bg-yellow-500/20 text-yellow-400',
    error: 'bg-red-500/20 text-red-400',
  };
  return (
    <span className={cn('rounded-full px-2 py-0.5 text-xs font-medium capitalize', map[status])}>
      {status}
    </span>
  );
 }
 interface HealthCardProps {
  title: string;
  status: 'ok' | 'error';
  children?: React.ReactNode;
 }
 function HealthCard({ title, status, children }: HealthCardProps): React.ReactElement {
  return (
    <div className="rounded-lg border border-surface-border bg-surface-card p-4">
      <div className="mb-2 flex items-center justify-between">
        <h3 className="text-sm font-medium text-text-primary">{title}</h3>
        <span
          className={cn('h-2 w-2 rounded-full', status === 'ok' ? 'bg-green-400' : 'bg-red-400')}
        />
      </div>
      {children}
    </div>
  );
 }
--- a/apps/web/src/app/(dashboard)/chat/page.tsx
+++ b/apps/web/src/app/(dashboard)/chat/page.tsx
@@ -2,7 +2,7 @@
 import { useCallback, useEffect, useRef, useState } from 'react';
 import { api } from '@/lib/api';
-import { getSocket } from '@/lib/socket';
+import { destroySocket, getSocket } from '@/lib/socket';
 import type { Conversation, Message } from '@/lib/types';
 import { ConversationList } from '@/components/chat/conversation-list';
 import { MessageBubble } from '@/components/chat/message-bubble';
@@ -17,6 +17,15 @@ export default function ChatPage(): React.ReactElement {
  const [isStreaming, setIsStreaming] = useState(false);
  const messagesEndRef = useRef<HTMLDivElement>(null);
  // Track the active conversation ID in a ref so socket event handlers always
  // see the current value without needing to be re-registered.
  const activeIdRef = useRef<string | null>(null);
  activeIdRef.current = activeId;
  // Accumulate streamed text in a ref so agent:end can read the full content
  // without stale-closure issues.
  const streamingTextRef = useRef('');
  // Load conversations on mount
  useEffect(() => {
    api<Conversation[]>('/api/conversations')
@@ -30,6 +39,10 @@ export default function ChatPage(): React.ReactElement {
      setMessages([]);
      return;
    }
    // Clear streaming state when switching conversations
    setIsStreaming(false);
    setStreamingText('');
    streamingTextRef.current = '';
    api<Message[]>(`/api/conversations/${activeId}/messages`)
      .then(setMessages)
      .catch(() => {});
@@ -40,50 +53,81 @@ export default function ChatPage(): React.ReactElement {
    messagesEndRef.current?.scrollIntoView({ behavior: 'smooth' });
  }, [messages, streamingText]);
-  // Socket.io setup
+  // Socket.io setup — connect once for the page lifetime
  useEffect(() => {
    const socket = getSocket();
    socket.connect();
-    socket.on('agent:text', (data: { conversationId: string; text: string }) => {
+    function onAgentStart(data: { conversationId: string }): void {
-      setStreamingText((prev) => prev + data.text);
+      // Only update state if the event belongs to the currently viewed conversation
-    });
+      if (activeIdRef.current !== data.conversationId) return;
    socket.on('agent:start', () => {
      setIsStreaming(true);
      setStreamingText('');
-    });
+      streamingTextRef.current = '';
    }
-    socket.on('agent:end', (data: { conversationId: string }) => {
+    function onAgentText(data: { conversationId: string; text: string }): void {
      if (activeIdRef.current !== data.conversationId) return;
      streamingTextRef.current += data.text;
      setStreamingText((prev) => prev + data.text);
    }
    function onAgentEnd(data: { conversationId: string }): void {
      if (activeIdRef.current !== data.conversationId) return;
      const finalText = streamingTextRef.current;
      setIsStreaming(false);
      setStreamingText('');
-      // Reload messages to get the final persisted version
+      streamingTextRef.current = '';
-      api<Message[]>(`/api/conversations/${data.conversationId}/messages`)
+      // Append the completed assistant message to the local message list.
-        .then(setMessages)
+      // The Pi agent session is in-memory so the assistant response is not
-        .catch(() => {});
+      // persisted to the DB — we build the local UI state instead.
-    });
+      if (finalText) {
        setMessages((prev) => [
          ...prev,
          {
            id: `assistant-${Date.now()}`,
            conversationId: data.conversationId,
            role: 'assistant' as const,
            content: finalText,
            createdAt: new Date().toISOString(),
          },
        ]);
      }
    }
-    socket.on('error', (data: { error: string }) => {
+    function onError(data: { error: string; conversationId?: string }): void {
      setIsStreaming(false);
      setStreamingText('');
      streamingTextRef.current = '';
      setMessages((prev) => [
        ...prev,
        {
          id: `error-${Date.now()}`,
-          conversationId: '',
+          conversationId: data.conversationId ?? '',
-          role: 'system',
+          role: 'system' as const,
          content: `Error: ${data.error}`,
          createdAt: new Date().toISOString(),
        },
      ]);
-    });
+    }
    socket.on('agent:start', onAgentStart);
    socket.on('agent:text', onAgentText);
    socket.on('agent:end', onAgentEnd);
    socket.on('error', onError);
    // Connect if not already connected
    if (!socket.connected) {
      socket.connect();
    }
    return () => {
-      socket.off('agent:text');
+      socket.off('agent:start', onAgentStart);
-      socket.off('agent:start');
+      socket.off('agent:text', onAgentText);
-      socket.off('agent:end');
+      socket.off('agent:end', onAgentEnd);
-      socket.off('error');
+      socket.off('error', onError);
-      socket.disconnect();
+      // Fully tear down the socket when the chat page unmounts so we get a
      // fresh authenticated connection next time the page is visited.
      destroySocket();
    };
  }, []);
@@ -97,42 +141,105 @@ export default function ChatPage(): React.ReactElement {
    setMessages([]);
  }, []);
  const handleRename = useCallback(async (id: string, title: string) => {
    const updated = await api<Conversation>(`/api/conversations/${id}`, {
      method: 'PATCH',
      body: { title },
    });
    setConversations((prev) => prev.map((c) => (c.id === id ? updated : c)));
  }, []);
  const handleDelete = useCallback(
    async (id: string) => {
      await api<void>(`/api/conversations/${id}`, { method: 'DELETE' });
      setConversations((prev) => prev.filter((c) => c.id !== id));
      if (activeId === id) {
        setActiveId(null);
        setMessages([]);
      }
    },
    [activeId],
  );
  const handleArchive = useCallback(
    async (id: string, archived: boolean) => {
      const updated = await api<Conversation>(`/api/conversations/${id}`, {
        method: 'PATCH',
        body: { archived },
      });
      setConversations((prev) => prev.map((c) => (c.id === id ? updated : c)));
      // If archiving the active conversation, deselect it
      if (archived && activeId === id) {
        setActiveId(null);
        setMessages([]);
      }
    },
    [activeId],
  );
  const handleSend = useCallback(
    async (content: string) => {
      let convId = activeId;
      // Auto-create conversation if none selected
      if (!convId) {
        const autoTitle = content.slice(0, 60);
        const conv = await api<Conversation>('/api/conversations', {
          method: 'POST',
-          body: { title: content.slice(0, 50) },
+          body: { title: autoTitle },
        });
        setConversations((prev) => [conv, ...prev]);
        setActiveId(conv.id);
        convId = conv.id;
      } else {
        // Auto-title: if the active conversation still has the default "New
        // conversation" title and this is the first message, update the title
        // from the message content.
        const activeConv = conversations.find((c) => c.id === convId);
        if (activeConv?.title === 'New conversation' && messages.length === 0) {
          const autoTitle = content.slice(0, 60);
          api<Conversation>(`/api/conversations/${convId}`, {
            method: 'PATCH',
            body: { title: autoTitle },
          })
            .then((updated) => {
              setConversations((prev) => prev.map((c) => (c.id === convId ? updated : c)));
            })
            .catch(() => {});
        }
      }
-      // Optimistic user message
+      // Optimistic user message in local UI state
-      const userMsg: Message = {
+      setMessages((prev) => [
-        id: `temp-${Date.now()}`,
+        ...prev,
-        conversationId: convId,
+        {
-        role: 'user',
+          id: `user-${Date.now()}`,
-        content,
+          conversationId: convId,
-        createdAt: new Date().toISOString(),
+          role: 'user' as const,
-      };
+          content,
-      setMessages((prev) => [...prev, userMsg]);
+          createdAt: new Date().toISOString(),
        },
      ]);
-      // Persist user message
+      // Persist the user message to the DB so conversation history is
-      await api<Message>(`/api/conversations/${convId}/messages`, {
+      // available when the page is reloaded or a new session starts.
      api<Message>(`/api/conversations/${convId}/messages`, {
        method: 'POST',
        body: { role: 'user', content },
      }).catch(() => {
        // Non-fatal: the agent can still process the message even if
        // REST persistence fails.
      });
-      // Send to WebSocket for streaming response
+      // Send to WebSocket — gateway creates/resumes the agent session and
      // streams the response back via agent:start / agent:text / agent:end.
      const socket = getSocket();
      if (!socket.connected) {
        socket.connect();
      }
      socket.emit('message', { conversationId: convId, content });
    },
-    [activeId],
+    [activeId, conversations, messages],
  );
  return (
@@ -142,6 +249,9 @@ export default function ChatPage(): React.ReactElement {
        activeId={activeId}
        onSelect={setActiveId}
        onNew={handleNewConversation}
        onRename={handleRename}
        onDelete={handleDelete}
        onArchive={handleArchive}
      />
      <div className="flex flex-1 flex-col">
--- a/apps/web/src/app/(dashboard)/projects/[id]/page.tsx
+++ b/apps/web/src/app/(dashboard)/projects/[id]/page.tsx
@@ -0,0 +1,338 @@
 'use client';
 import { useCallback, useEffect, useState } from 'react';
 import { useParams, useRouter } from 'next/navigation';
 import { api } from '@/lib/api';
 import { cn } from '@/lib/cn';
 import type { Mission, Project, Task, TaskStatus } from '@/lib/types';
 import { MissionTimeline } from '@/components/projects/mission-timeline';
 import { PrdViewer } from '@/components/projects/prd-viewer';
 import { TaskDetailModal } from '@/components/tasks/task-detail-modal';
 import { TaskListView } from '@/components/tasks/task-list-view';
 import { TaskStatusSummary } from '@/components/tasks/task-status-summary';
 type Tab = 'overview' | 'tasks' | 'missions' | 'prd';
 const statusColors: Record<string, string> = {
  active: 'bg-success/20 text-success',
  paused: 'bg-warning/20 text-warning',
  completed: 'bg-blue-600/20 text-blue-400',
  archived: 'bg-gray-600/20 text-gray-400',
 };
 interface TabButtonProps {
  id: Tab;
  label: string;
  activeTab: Tab;
  onClick: (tab: Tab) => void;
 }
 function TabButton({ id, label, activeTab, onClick }: TabButtonProps): React.ReactElement {
  return (
    <button
      type="button"
      onClick={() => onClick(id)}
      className={cn(
        'border-b-2 px-4 py-2 text-sm transition-colors',
        activeTab === id
          ? 'border-text-primary text-text-primary'
          : 'border-transparent text-text-muted hover:text-text-secondary',
      )}
    >
      {label}
    </button>
  );
 }
 export default function ProjectDetailPage(): React.ReactElement {
  const params = useParams();
  const router = useRouter();
  const id = typeof params['id'] === 'string' ? params['id'] : '';
  const [project, setProject] = useState<Project | null>(null);
  const [missions, setMissions] = useState<Mission[]>([]);
  const [tasks, setTasks] = useState<Task[]>([]);
  const [loading, setLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [activeTab, setActiveTab] = useState<Tab>('overview');
  const [taskFilter, setTaskFilter] = useState<TaskStatus | 'all'>('all');
  const [selectedTask, setSelectedTask] = useState<Task | null>(null);
  useEffect(() => {
    if (!id) return;
    setLoading(true);
    setError(null);
    Promise.all([
      api<Project>(`/api/projects/${id}`),
      api<Mission[]>('/api/missions').catch(() => [] as Mission[]),
      api<Task[]>(`/api/tasks?projectId=${id}`).catch(() => [] as Task[]),
    ])
      .then(([proj, allMissions, tks]) => {
        setProject(proj);
        setMissions(allMissions.filter((m) => m.projectId === id));
        setTasks(tks);
      })
      .catch((err: Error) => {
        setError(err.message ?? 'Failed to load project');
      })
      .finally(() => setLoading(false));
  }, [id]);
  const handleTaskClick = useCallback((task: Task) => {
    setSelectedTask(task);
  }, []);
  const handleCloseTaskModal = useCallback(() => {
    setSelectedTask(null);
  }, []);
  if (loading) {
    return (
      <div className="py-16 text-center">
        <p className="text-sm text-text-muted">Loading project...</p>
      </div>
    );
  }
  if (error || !project) {
    return (
      <div className="py-16 text-center">
        <p className="text-sm text-error">{error ?? 'Project not found'}</p>
        <button
          type="button"
          onClick={() => router.push('/projects')}
          className="mt-4 text-sm text-text-muted underline hover:text-text-secondary"
        >
          Back to projects
        </button>
      </div>
    );
  }
  const filteredTasks = taskFilter === 'all' ? tasks : tasks.filter((t) => t.status === taskFilter);
  const prdContent = getPrdContent(project);
  const hasPrd = Boolean(prdContent);
  const tabs: { id: Tab; label: string }[] = [
    { id: 'overview', label: 'Overview' },
    { id: 'tasks', label: `Tasks (${tasks.length})` },
    { id: 'missions', label: `Missions (${missions.length})` },
    ...(hasPrd ? [{ id: 'prd' as Tab, label: 'PRD' }] : []),
  ];
  return (
    <div>
      {/* Breadcrumb */}
      <nav className="mb-4 flex items-center gap-2 text-sm text-text-muted">
        <button
          type="button"
          onClick={() => router.push('/projects')}
          className="hover:text-text-secondary"
        >
          Projects
        </button>
        <span>/</span>
        <span className="text-text-primary">{project.name}</span>
      </nav>
      {/* Project header */}
      <div className="mb-6 flex items-start justify-between gap-4">
        <div>
          <div className="flex items-center gap-3">
            <h1 className="text-2xl font-semibold text-text-primary">{project.name}</h1>
            <span
              className={cn(
                'rounded-full px-2 py-0.5 text-xs',
                statusColors[project.status] ?? 'bg-gray-600/20 text-gray-400',
              )}
            >
              {project.status}
            </span>
          </div>
          {project.description && (
            <p className="mt-1 text-sm text-text-muted">{project.description}</p>
          )}
          <p className="mt-2 text-xs text-text-muted">
            Created {new Date(project.createdAt).toLocaleDateString()} · Updated{' '}
            {new Date(project.updatedAt).toLocaleDateString()}
          </p>
        </div>
      </div>
      {/* Stats bar */}
      <div className="mb-6 grid grid-cols-2 gap-3 sm:grid-cols-4">
        <StatCard label="Tasks" value={String(tasks.length)} />
        <StatCard
          label="Done"
          value={String(tasks.filter((t) => t.status === 'done').length)}
          valueClass="text-success"
        />
        <StatCard
          label="In Progress"
          value={String(tasks.filter((t) => t.status === 'in-progress').length)}
          valueClass="text-blue-400"
        />
        <StatCard
          label="Blocked"
          value={String(tasks.filter((t) => t.status === 'blocked').length)}
          valueClass={tasks.some((t) => t.status === 'blocked') ? 'text-error' : undefined}
        />
      </div>
      {/* Tabs */}
      <div className="mb-6 flex gap-0 border-b border-surface-border">
        {tabs.map((tab) => (
          <TabButton
            key={tab.id}
            id={tab.id}
            label={tab.label}
            activeTab={activeTab}
            onClick={setActiveTab}
          />
        ))}
      </div>
      {/* Tab content */}
      {activeTab === 'overview' && (
        <OverviewTab project={project} missions={missions} tasks={tasks} />
      )}
      {activeTab === 'tasks' && (
        <div>
          <div className="mb-4">
            <TaskStatusSummary
              tasks={tasks}
              activeFilter={taskFilter}
              onFilterChange={setTaskFilter}
            />
          </div>
          <TaskListView tasks={filteredTasks} onTaskClick={handleTaskClick} />
        </div>
      )}
      {activeTab === 'missions' && <MissionTimeline missions={missions} />}
      {activeTab === 'prd' && prdContent && (
        <div className="rounded-lg border border-surface-border bg-surface-card p-6">
          <PrdViewer content={prdContent} />
        </div>
      )}
      {/* Task detail modal */}
      {selectedTask && <TaskDetailModal task={selectedTask} onClose={handleCloseTaskModal} />}
    </div>
  );
 }
 interface OverviewTabProps {
  project: Project;
  missions: Mission[];
  tasks: Task[];
 }
 function OverviewTab({ project, missions, tasks }: OverviewTabProps): React.ReactElement {
  const recentTasks = [...tasks]
    .sort((a, b) => new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime())
    .slice(0, 5);
  return (
    <div className="grid gap-6 lg:grid-cols-2">
      {/* Recent tasks */}
      <section>
        <h2 className="mb-3 text-sm font-semibold text-text-secondary">Recent Tasks</h2>
        {recentTasks.length === 0 ? (
          <div className="rounded-lg border border-surface-border bg-surface-card p-4 text-center">
            <p className="text-sm text-text-muted">No tasks yet</p>
          </div>
        ) : (
          <div className="space-y-2">
            {recentTasks.map((task) => (
              <TaskSummaryRow key={task.id} task={task} />
            ))}
          </div>
        )}
      </section>
      {/* Mission summary */}
      <section>
        <h2 className="mb-3 text-sm font-semibold text-text-secondary">Missions</h2>
        {missions.length === 0 ? (
          <div className="rounded-lg border border-surface-border bg-surface-card p-4 text-center">
            <p className="text-sm text-text-muted">No missions yet</p>
          </div>
        ) : (
          <MissionTimeline missions={missions.slice(0, 4)} />
        )}
      </section>
      {/* Metadata */}
      {project.metadata && Object.keys(project.metadata).length > 0 && (
        <section className="lg:col-span-2">
          <h2 className="mb-3 text-sm font-semibold text-text-secondary">Project Metadata</h2>
          <div className="rounded-lg border border-surface-border bg-surface-card p-4">
            <pre className="overflow-x-auto text-xs text-text-muted">
              {JSON.stringify(project.metadata, null, 2)}
            </pre>
          </div>
        </section>
      )}
    </div>
  );
 }
 const taskStatusColors: Record<string, string> = {
  'not-started': 'bg-gray-600/20 text-gray-300',
  'in-progress': 'bg-blue-600/20 text-blue-400',
  blocked: 'bg-error/20 text-error',
  done: 'bg-success/20 text-success',
  cancelled: 'bg-gray-600/20 text-gray-500',
 };
 function TaskSummaryRow({ task }: { task: Task }): React.ReactElement {
  return (
    <div className="flex items-center justify-between gap-2 rounded-lg border border-surface-border bg-surface-card px-3 py-2">
      <span className="truncate text-sm text-text-primary">{task.title}</span>
      <span
        className={cn(
          'shrink-0 rounded-full px-2 py-0.5 text-xs',
          taskStatusColors[task.status] ?? 'bg-gray-600/20 text-gray-400',
        )}
      >
        {task.status}
      </span>
    </div>
  );
 }
 function StatCard({
  label,
  value,
  valueClass,
 }: {
  label: string;
  value: string;
  valueClass?: string;
 }): React.ReactElement {
  return (
    <div className="rounded-lg border border-surface-border bg-surface-card p-3">
      <p className="text-xs text-text-muted">{label}</p>
      <p className={cn('mt-1 text-lg font-semibold', valueClass ?? 'text-text-primary')}>{value}</p>
    </div>
  );
 }
 function getPrdContent(project: Project): string | null {
  if (!project.metadata) return null;
  const prd = project.metadata['prd'];
  if (typeof prd === 'string' && prd.trim().length > 0) return prd;
  const prdContent = project.metadata['prdContent'];
  if (typeof prdContent === 'string' && prdContent.trim().length > 0) return prdContent;
  return null;
 }
--- a/apps/web/src/app/(dashboard)/projects/page.tsx
+++ b/apps/web/src/app/(dashboard)/projects/page.tsx
@@ -1,6 +1,7 @@
 'use client';
 import { useCallback, useEffect, useState } from 'react';
 import { useRouter } from 'next/navigation';
 import { api } from '@/lib/api';
 import type { Project } from '@/lib/types';
 import { ProjectCard } from '@/components/projects/project-card';
@@ -8,6 +9,7 @@ import { ProjectCard } from '@/components/projects/project-card';
 export default function ProjectsPage(): React.ReactElement {
  const [projects, setProjects] = useState<Project[]>([]);
  const [loading, setLoading] = useState(true);
  const router = useRouter();
  useEffect(() => {
    api<Project[]>('/api/projects')
@@ -16,9 +18,12 @@ export default function ProjectsPage(): React.ReactElement {
      .finally(() => setLoading(false));
  }, []);
-  const handleProjectClick = useCallback((project: Project) => {
+  const handleProjectClick = useCallback(
-    console.log('Project clicked:', project.id);
+    (project: Project) => {
-  }, []);
+      router.push(`/projects/${project.id}`);
    },
    [router],
  );
  return (
    <div>
--- a/apps/web/src/app/(dashboard)/settings/page.tsx
+++ b/apps/web/src/app/(dashboard)/settings/page.tsx
@@ -1,150 +1,808 @@
 'use client';
-import { useEffect, useState } from 'react';
+import { useCallback, useEffect, useState } from 'react';
 import { api } from '@/lib/api';
-import { useSession } from '@/lib/auth-client';
+import { authClient, useSession } from '@/lib/auth-client';
-interface ProviderInfo {
+// ─── Types ────────────────────────────────────────────────────────────────────
  name: string;
  enabled: boolean;
  modelCount: number;
 }
 interface ModelInfo {
  id: string;
  name: string;
  provider: string;
-  contextWindow: number;
+  name: string;
  reasoning: boolean;
-  cost: { input: number; output: number };
+  contextWindow: number;
  maxTokens: number;
  inputTypes: ('text' | 'image')[];
  cost: { input: number; output: number; cacheRead: number; cacheWrite: number };
 }
 interface ProviderInfo {
  id: string;
  name: string;
  available: boolean;
  models: ModelInfo[];
 }
 interface TestConnectionResult {
  providerId: string;
  reachable: boolean;
  latencyMs?: number;
  error?: string;
  discoveredModels?: string[];
 }
 type TestState = 'idle' | 'testing' | 'success' | 'error';
 interface ProviderTestStatus {
  state: TestState;
  result?: TestConnectionResult;
 }
 interface Preference {
  key: string;
  value: unknown;
  category: string;
 }
 type Theme = 'light' | 'dark' | 'system';
 type SaveState = 'idle' | 'saving' | 'saved' | 'error';
 type Tab = 'profile' | 'appearance' | 'notifications' | 'providers';
 // ─── Helpers ──────────────────────────────────────────────────────────────────
 function prefValue<T>(prefs: Preference[], key: string, fallback: T): T {
  const p = prefs.find((x) => x.key === key);
  if (p === undefined) return fallback;
  return p.value as T;
 }
 // ─── Main Page ────────────────────────────────────────────────────────────────
 export default function SettingsPage(): React.ReactElement {
  const { data: session } = useSession();
-  const [providers, setProviders] = useState<ProviderInfo[]>([]);
+  const [activeTab, setActiveTab] = useState<Tab>('profile');
-  const [models, setModels] = useState<ModelInfo[]>([]);
+
  const tabs: { id: Tab; label: string }[] = [
    { id: 'profile', label: 'Profile' },
    { id: 'appearance', label: 'Appearance' },
    { id: 'notifications', label: 'Notifications' },
    { id: 'providers', label: 'Providers' },
  ];
  return (
    <div className="mx-auto max-w-3xl space-y-6">
      <h1 className="text-2xl font-semibold">Settings</h1>
      {/* Tab bar */}
      <div className="flex gap-1 border-b border-surface-border">
        {tabs.map((tab) => (
          <button
            key={tab.id}
            type="button"
            onClick={() => setActiveTab(tab.id)}
            className={`px-4 py-2 text-sm font-medium transition-colors ${
              activeTab === tab.id
                ? 'border-b-2 border-accent text-accent'
                : 'text-text-secondary hover:text-text-primary'
            }`}
          >
            {tab.label}
          </button>
        ))}
      </div>
      {activeTab === 'profile' && <ProfileTab session={session} />}
      {activeTab === 'appearance' && <AppearanceTab />}
      {activeTab === 'notifications' && <NotificationsTab />}
      {activeTab === 'providers' && <ProvidersTab />}
    </div>
  );
 }
 // ─── Profile Tab ──────────────────────────────────────────────────────────────
 function ProfileTab({
  session,
 }: {
  session: { user: { id: string; name: string; email: string; image?: string | null } } | null;
 }): React.ReactElement {
  const [name, setName] = useState(session?.user.name ?? '');
  const [image, setImage] = useState(session?.user.image ?? '');
  const [saveState, setSaveState] = useState<SaveState>('idle');
  const [errorMsg, setErrorMsg] = useState('');
  // Sync from session when it loads
  useEffect(() => {
    if (session?.user) {
      setName(session.user.name ?? '');
      setImage(session.user.image ?? '');
    }
  }, [session]);
  const handleSave = async (): Promise<void> => {
    setSaveState('saving');
    setErrorMsg('');
    try {
      const result = await authClient.updateUser({ name, image: image || null });
      if (result.error) {
        setErrorMsg(result.error.message ?? 'Failed to update profile');
        setSaveState('error');
        return;
      }
      setSaveState('saved');
      setTimeout(() => setSaveState('idle'), 2000);
    } catch (err: unknown) {
      const message = err instanceof Error ? err.message : 'Failed to update profile';
      setErrorMsg(message);
      setSaveState('error');
    }
  };
  return (
    <section className="space-y-4">
      <h2 className="text-lg font-medium text-text-secondary">Profile</h2>
      <div className="rounded-lg border border-surface-border bg-surface-card p-6 space-y-4">
        <FormField label="Display Name" id="profile-name">
          <input
            id="profile-name"
            type="text"
            value={name}
            onChange={(e) => setName(e.target.value)}
            placeholder="Your name"
            className="mt-1 block w-full rounded-lg border border-surface-border bg-surface-elevated px-3 py-2 text-sm text-text-primary placeholder:text-text-muted focus:border-accent focus:outline-none focus:ring-1 focus:ring-accent"
          />
        </FormField>
        <FormField label="Email" id="profile-email">
          <input
            id="profile-email"
            type="email"
            value={session?.user.email ?? ''}
            disabled
            className="mt-1 block w-full rounded-lg border border-surface-border bg-surface-elevated px-3 py-2 text-sm text-text-muted opacity-60 cursor-not-allowed"
          />
          <p className="mt-1 text-xs text-text-muted">Email cannot be changed here.</p>
        </FormField>
        <FormField label="Avatar URL" id="profile-image">
          <input
            id="profile-image"
            type="url"
            value={image}
            onChange={(e) => setImage(e.target.value)}
            placeholder="https://example.com/avatar.png"
            className="mt-1 block w-full rounded-lg border border-surface-border bg-surface-elevated px-3 py-2 text-sm text-text-primary placeholder:text-text-muted focus:border-accent focus:outline-none focus:ring-1 focus:ring-accent"
          />
        </FormField>
        <div className="flex items-center gap-3 pt-2">
          <SaveButton state={saveState} onClick={handleSave} />
          {saveState === 'error' && errorMsg && <p className="text-sm text-error">{errorMsg}</p>}
        </div>
      </div>
    </section>
  );
 }
 // ─── Appearance Tab ───────────────────────────────────────────────────────────
 function AppearanceTab(): React.ReactElement {
  const [loading, setLoading] = useState(true);
  const [theme, setTheme] = useState<Theme>('system');
  const [sidebarCollapsed, setSidebarCollapsed] = useState(false);
  const [defaultModel, setDefaultModel] = useState('');
  const [saveState, setSaveState] = useState<SaveState>('idle');
  const [errorMsg, setErrorMsg] = useState('');
  useEffect(() => {
-    Promise.all([
+    api<Preference[]>('/api/memory/preferences?category=appearance')
-      api<ProviderInfo[]>('/api/providers').catch(() => []),
+      .catch(() => [] as Preference[])
-      api<ModelInfo[]>('/api/providers/models').catch(() => []),
+      .then((p) => {
-    ])
+        setTheme(prefValue<Theme>(p, 'ui.theme', 'system'));
-      .then(([p, m]) => {
+        setSidebarCollapsed(prefValue<boolean>(p, 'ui.sidebar_collapsed', false));
-        setProviders(p);
+        setDefaultModel(prefValue<string>(p, 'ui.default_model', ''));
        setModels(m);
      })
      .finally(() => setLoading(false));
  }, []);
-  return (
+  const handleSave = async (): Promise<void> => {
-    <div className="mx-auto max-w-3xl space-y-8">
+    setSaveState('saving');
-      <h1 className="text-2xl font-semibold">Settings</h1>
+    setErrorMsg('');
    try {
      await Promise.all([
        api('/api/memory/preferences', {
          method: 'POST',
          body: { key: 'ui.theme', value: theme, category: 'appearance', source: 'user' },
        }),
        api('/api/memory/preferences', {
          method: 'POST',
          body: {
            key: 'ui.sidebar_collapsed',
            value: sidebarCollapsed,
            category: 'appearance',
            source: 'user',
          },
        }),
        ...(defaultModel
          ? [
              api('/api/memory/preferences', {
                method: 'POST',
                body: {
                  key: 'ui.default_model',
                  value: defaultModel,
                  category: 'appearance',
                  source: 'user',
                },
              }),
            ]
          : []),
      ]);
      setSaveState('saved');
      setTimeout(() => setSaveState('idle'), 2000);
    } catch (err: unknown) {
      const message = err instanceof Error ? err.message : 'Failed to save preferences';
      setErrorMsg(message);
      setSaveState('error');
    }
  };
-      {/* Profile */}
+  if (loading) {
    return (
      <section>
-        <h2 className="mb-4 text-lg font-medium text-text-secondary">Profile</h2>
+        <h2 className="mb-4 text-lg font-medium text-text-secondary">Appearance</h2>
-        <div className="rounded-lg border border-surface-border bg-surface-card p-4">
+        <p className="text-sm text-text-muted">Loading preferences...</p>
          {session?.user ? (
            <div className="space-y-3">
              <Field label="Name" value={session.user.name ?? '—'} />
              <Field label="Email" value={session.user.email} />
              <Field label="User ID" value={session.user.id} />
            </div>
          ) : (
            <p className="text-sm text-text-muted">Not signed in</p>
          )}
        </div>
      </section>
    );
  }
-      {/* Providers */}
+  return (
-      <section>
+    <section className="space-y-4">
-        <h2 className="mb-4 text-lg font-medium text-text-secondary">LLM Providers</h2>
+      <h2 className="text-lg font-medium text-text-secondary">Appearance</h2>
-        {loading ? (
+      <div className="rounded-lg border border-surface-border bg-surface-card p-6 space-y-6">
-          <p className="text-sm text-text-muted">Loading providers...</p>
+        {/* Theme */}
-        ) : providers.length === 0 ? (
+        <div>
-          <div className="rounded-lg border border-surface-border bg-surface-card p-4">
+          <label className="block text-sm font-medium text-text-primary mb-2">Theme</label>
-            <p className="text-sm text-text-muted">No providers configured</p>
+          <div className="flex gap-3">
-          </div>
+            {(['system', 'light', 'dark'] as Theme[]).map((t) => (
-        ) : (
+              <button
-          <div className="space-y-3">
+                key={t}
-            {providers.map((p) => (
+                type="button"
-              <div
+                onClick={() => setTheme(t)}
-                key={p.name}
+                className={`rounded-lg border px-4 py-2 text-sm capitalize transition-colors ${
-                className="flex items-center justify-between rounded-lg border border-surface-border bg-surface-card p-4"
+                  theme === t
                    ? 'border-accent bg-accent/10 text-accent'
                    : 'border-surface-border bg-surface-elevated text-text-secondary hover:border-accent/50'
                }`}
              >
-                <div>
+                {t}
-                  <p className="text-sm font-medium text-text-primary">{p.name}</p>
+              </button>
                  <p className="text-xs text-text-muted">{p.modelCount} models available</p>
                </div>
                <span
                  className={`rounded-full px-2 py-0.5 text-xs ${
                    p.enabled ? 'bg-success/20 text-success' : 'bg-gray-600/20 text-gray-400'
                  }`}
                >
                  {p.enabled ? 'Active' : 'Disabled'}
                </span>
              </div>
            ))}
          </div>
-        )}
+        </div>
      </section>
-      {/* Models */}
+        {/* Sidebar collapsed default */}
        <div className="flex items-center justify-between">
          <div>
            <p className="text-sm font-medium text-text-primary">Collapse sidebar by default</p>
            <p className="text-xs text-text-muted">Start with sidebar collapsed on page load</p>
          </div>
          <Toggle checked={sidebarCollapsed} onChange={setSidebarCollapsed} />
        </div>
        {/* Default model */}
        <FormField label="Default Model" id="default-model">
          <input
            id="default-model"
            type="text"
            value={defaultModel}
            onChange={(e) => setDefaultModel(e.target.value)}
            placeholder="e.g. ollama/llama3.2"
            className="mt-1 block w-full rounded-lg border border-surface-border bg-surface-elevated px-3 py-2 text-sm text-text-primary placeholder:text-text-muted focus:border-accent focus:outline-none focus:ring-1 focus:ring-accent"
          />
          <p className="mt-1 text-xs text-text-muted">
            Model ID to pre-select for new conversations.
          </p>
        </FormField>
        <div className="flex items-center gap-3 pt-2">
          <SaveButton state={saveState} onClick={handleSave} />
          {saveState === 'error' && errorMsg && <p className="text-sm text-error">{errorMsg}</p>}
        </div>
      </div>
    </section>
  );
 }
 // ─── Notifications Tab ────────────────────────────────────────────────────────
 function NotificationsTab(): React.ReactElement {
  const [loading, setLoading] = useState(true);
  const [emailAgentComplete, setEmailAgentComplete] = useState(false);
  const [emailMentions, setEmailMentions] = useState(true);
  const [emailDigest, setEmailDigest] = useState(false);
  const [saveState, setSaveState] = useState<SaveState>('idle');
  const [errorMsg, setErrorMsg] = useState('');
  useEffect(() => {
    api<Preference[]>('/api/memory/preferences?category=communication')
      .catch(() => [] as Preference[])
      .then((p) => {
        setEmailAgentComplete(prefValue<boolean>(p, 'notify.email_agent_complete', false));
        setEmailMentions(prefValue<boolean>(p, 'notify.email_mentions', true));
        setEmailDigest(prefValue<boolean>(p, 'notify.email_digest', false));
      })
      .finally(() => setLoading(false));
  }, []);
  const handleSave = async (): Promise<void> => {
    setSaveState('saving');
    setErrorMsg('');
    try {
      await Promise.all([
        api('/api/memory/preferences', {
          method: 'POST',
          body: {
            key: 'notify.email_agent_complete',
            value: emailAgentComplete,
            category: 'communication',
            source: 'user',
          },
        }),
        api('/api/memory/preferences', {
          method: 'POST',
          body: {
            key: 'notify.email_mentions',
            value: emailMentions,
            category: 'communication',
            source: 'user',
          },
        }),
        api('/api/memory/preferences', {
          method: 'POST',
          body: {
            key: 'notify.email_digest',
            value: emailDigest,
            category: 'communication',
            source: 'user',
          },
        }),
      ]);
      setSaveState('saved');
      setTimeout(() => setSaveState('idle'), 2000);
    } catch (err: unknown) {
      const message = err instanceof Error ? err.message : 'Failed to save preferences';
      setErrorMsg(message);
      setSaveState('error');
    }
  };
  if (loading) {
    return (
      <section>
-        <h2 className="mb-4 text-lg font-medium text-text-secondary">Available Models</h2>
+        <h2 className="mb-4 text-lg font-medium text-text-secondary">Notifications</h2>
-        {loading ? (
+        <p className="text-sm text-text-muted">Loading preferences...</p>
          <p className="text-sm text-text-muted">Loading models...</p>
        ) : models.length === 0 ? (
          <div className="rounded-lg border border-surface-border bg-surface-card p-4">
            <p className="text-sm text-text-muted">No models available</p>
          </div>
        ) : (
          <div className="overflow-hidden rounded-lg border border-surface-border">
            <table className="w-full">
              <thead>
                <tr className="border-b border-surface-border bg-surface-elevated text-left text-xs text-text-muted">
                  <th className="px-4 py-2 font-medium">Model</th>
                  <th className="px-4 py-2 font-medium">Provider</th>
                  <th className="hidden px-4 py-2 font-medium md:table-cell">Context</th>
                  <th className="hidden px-4 py-2 font-medium md:table-cell">Cost (in/out)</th>
                </tr>
              </thead>
              <tbody>
                {models.map((m) => (
                  <tr
                    key={`${m.provider}-${m.id}`}
                    className="border-b border-surface-border last:border-b-0"
                  >
                    <td className="px-4 py-2 text-sm text-text-primary">
                      {m.name}
                      {m.reasoning && (
                        <span className="ml-2 text-xs text-purple-400">reasoning</span>
                      )}
                    </td>
                    <td className="px-4 py-2 text-xs text-text-muted">{m.provider}</td>
                    <td className="hidden px-4 py-2 text-xs text-text-muted md:table-cell">
                      {(m.contextWindow / 1000).toFixed(0)}k
                    </td>
                    <td className="hidden px-4 py-2 text-xs text-text-muted md:table-cell">
                      ${m.cost.input} / ${m.cost.output}
                    </td>
                  </tr>
                ))}
              </tbody>
            </table>
          </div>
        )}
      </section>
    );
  }
  return (
    <section className="space-y-4">
      <h2 className="text-lg font-medium text-text-secondary">Notifications</h2>
      <div className="rounded-lg border border-surface-border bg-surface-card p-6 space-y-6">
        <p className="text-xs text-text-muted">Configure when you receive email notifications.</p>
        <NotifyRow
          label="Agent task completed"
          description="Email when an agent finishes a task"
          checked={emailAgentComplete}
          onChange={setEmailAgentComplete}
        />
        <NotifyRow
          label="Mentions"
          description="Email when you are mentioned in a conversation"
          checked={emailMentions}
          onChange={setEmailMentions}
        />
        <NotifyRow
          label="Weekly digest"
          description="Weekly summary of activity"
          checked={emailDigest}
          onChange={setEmailDigest}
        />
        <div className="flex items-center gap-3 pt-2">
          <SaveButton state={saveState} onClick={handleSave} />
          {saveState === 'error' && errorMsg && <p className="text-sm text-error">{errorMsg}</p>}
        </div>
      </div>
    </section>
  );
 }
 // ─── Providers Tab ────────────────────────────────────────────────────────────
 function ProvidersTab(): React.ReactElement {
  const [providers, setProviders] = useState<ProviderInfo[]>([]);
  const [loading, setLoading] = useState(true);
  const [testStatuses, setTestStatuses] = useState<Record<string, ProviderTestStatus>>({});
  useEffect(() => {
    api<ProviderInfo[]>('/api/providers')
      .catch(() => [] as ProviderInfo[])
      .then((p) => setProviders(p))
      .finally(() => setLoading(false));
  }, []);
  const testConnection = useCallback(async (providerId: string): Promise<void> => {
    setTestStatuses((prev) => ({
      ...prev,
      [providerId]: { state: 'testing' },
    }));
    try {
      const result = await api<TestConnectionResult>('/api/providers/test', {
        method: 'POST',
        body: { providerId },
      });
      setTestStatuses((prev) => ({
        ...prev,
        [providerId]: { state: result.reachable ? 'success' : 'error', result },
      }));
    } catch {
      setTestStatuses((prev) => ({
        ...prev,
        [providerId]: {
          state: 'error',
          result: { providerId, reachable: false, error: 'Request failed' },
        },
      }));
    }
  }, []);
  const defaultModel: ModelInfo | undefined = providers
    .flatMap((p) => p.models)
    .find((m) => providers.find((p) => p.id === m.provider)?.available);
  return (
    <section className="space-y-4">
      <h2 className="text-lg font-medium text-text-secondary">LLM Providers</h2>
      {loading ? (
        <p className="text-sm text-text-muted">Loading providers...</p>
      ) : providers.length === 0 ? (
        <div className="rounded-lg border border-surface-border bg-surface-card p-4">
          <p className="text-sm text-text-muted">
            No providers configured. Set{' '}
            <code className="rounded bg-surface-elevated px-1 py-0.5 text-xs">OLLAMA_BASE_URL</code>{' '}
            or{' '}
            <code className="rounded bg-surface-elevated px-1 py-0.5 text-xs">
              MOSAIC_CUSTOM_PROVIDERS
            </code>{' '}
            to add providers.
          </p>
        </div>
      ) : (
        <div className="space-y-4">
          {providers.map((provider) => (
            <ProviderCard
              key={provider.id}
              provider={provider}
              defaultModel={defaultModel}
              testStatus={testStatuses[provider.id] ?? { state: 'idle' }}
              onTest={() => void testConnection(provider.id)}
            />
          ))}
        </div>
      )}
    </section>
  );
 }
 // ─── Shared UI Components ─────────────────────────────────────────────────────
 function FormField({
  label,
  id,
  children,
 }: {
  label: string;
  id: string;
  children: React.ReactNode;
 }): React.ReactElement {
  return (
    <div>
      <label htmlFor={id} className="block text-sm font-medium text-text-primary">
        {label}
      </label>
      {children}
    </div>
  );
 }
-function Field({ label, value }: { label: string; value: string }): React.ReactElement {
+function Toggle({
  checked,
  onChange,
 }: {
  checked: boolean;
  onChange: (v: boolean) => void;
 }): React.ReactElement {
  return (
    <button
      type="button"
      role="switch"
      aria-checked={checked}
      onClick={() => onChange(!checked)}
      className={`relative inline-flex h-6 w-11 items-center rounded-full transition-colors focus:outline-none focus:ring-2 focus:ring-accent focus:ring-offset-2 focus:ring-offset-surface-card ${
        checked ? 'bg-accent' : 'bg-surface-border'
      }`}
    >
      <span
        className={`inline-block h-4 w-4 transform rounded-full bg-white transition-transform ${
          checked ? 'translate-x-6' : 'translate-x-1'
        }`}
      />
    </button>
  );
 }
 function NotifyRow({
  label,
  description,
  checked,
  onChange,
 }: {
  label: string;
  description: string;
  checked: boolean;
  onChange: (v: boolean) => void;
 }): React.ReactElement {
  return (
    <div className="flex items-center justify-between">
-      <span className="text-sm text-text-muted">{label}</span>
+      <div>
-      <span className="text-sm text-text-primary">{value}</span>
+        <p className="text-sm font-medium text-text-primary">{label}</p>
        <p className="text-xs text-text-muted">{description}</p>
      </div>
      <Toggle checked={checked} onChange={onChange} />
    </div>
  );
 }
 function SaveButton({
  state,
  onClick,
 }: {
  state: SaveState;
  onClick: () => void;
 }): React.ReactElement {
  return (
    <button
      type="button"
      onClick={onClick}
      disabled={state === 'saving'}
      className="rounded-lg bg-accent px-4 py-2 text-sm font-medium text-white transition-colors hover:bg-accent/90 disabled:cursor-not-allowed disabled:opacity-50"
    >
      {state === 'saving' ? 'Saving...' : state === 'saved' ? 'Saved!' : 'Save changes'}
    </button>
  );
 }
 // ─── Provider Card (from original page) ──────────────────────────────────────
 interface ProviderCardProps {
  provider: ProviderInfo;
  defaultModel: ModelInfo | undefined;
  testStatus: ProviderTestStatus;
  onTest: () => void;
 }
 function ProviderCard({
  provider,
  defaultModel,
  testStatus,
  onTest,
 }: ProviderCardProps): React.ReactElement {
  const [expanded, setExpanded] = useState(false);
  return (
    <div className="rounded-lg border border-surface-border bg-surface-card">
      {/* Header row */}
      <div className="flex items-center justify-between px-4 py-3">
        <div className="flex items-center gap-3">
          <ProviderAvatar id={provider.id} />
          <div>
            <div className="flex items-center gap-2">
              <span className="text-sm font-medium text-text-primary">{provider.name}</span>
              <ProviderStatusBadge available={provider.available} />
            </div>
            <p className="text-xs text-text-muted">
              {provider.models.length} model{provider.models.length !== 1 ? 's' : ''}
            </p>
          </div>
        </div>
        <div className="flex items-center gap-2">
          <TestConnectionButton status={testStatus} onTest={onTest} />
          <button
            type="button"
            onClick={() => setExpanded((v) => !v)}
            className="rounded px-2 py-1 text-xs text-text-muted transition-colors hover:bg-surface-elevated hover:text-text-primary"
            aria-expanded={expanded}
            aria-label={expanded ? 'Collapse models' : 'Expand models'}
          >
            {expanded ? '▲ Hide' : '▼ Models'}
          </button>
        </div>
      </div>
      {/* Test result banner */}
      {testStatus.state !== 'idle' && testStatus.state !== 'testing' && testStatus.result && (
        <TestResultBanner result={testStatus.result} />
      )}
      {/* Model list */}
      {expanded && (
        <div className="border-t border-surface-border">
          <table className="w-full">
            <thead>
              <tr className="bg-surface-elevated text-left text-xs text-text-muted">
                <th className="px-4 py-2 font-medium">Model</th>
                <th className="hidden px-4 py-2 font-medium md:table-cell">Capabilities</th>
                <th className="hidden px-4 py-2 font-medium md:table-cell">Context</th>
                <th className="hidden px-4 py-2 font-medium md:table-cell">Cost (in/out)</th>
                <th className="px-4 py-2 font-medium">Default</th>
              </tr>
            </thead>
            <tbody>
              {provider.models.map((model) => (
                <ModelRow
                  key={model.id}
                  model={model}
                  isDefault={
                    defaultModel?.id === model.id && defaultModel?.provider === model.provider
                  }
                />
              ))}
            </tbody>
          </table>
        </div>
      )}
    </div>
  );
 }
 interface ModelRowProps {
  model: ModelInfo;
  isDefault: boolean;
 }
 function ModelRow({ model, isDefault }: ModelRowProps): React.ReactElement {
  return (
    <tr className="border-t border-surface-border">
      <td className="px-4 py-2">
        <span className="text-sm text-text-primary">{model.name}</span>
      </td>
      <td className="hidden px-4 py-2 md:table-cell">
        <div className="flex flex-wrap gap-1">
          <CapabilityBadge label="chat" />
          {model.reasoning && <CapabilityBadge label="reasoning" color="purple" />}
          {model.inputTypes.includes('image') && <CapabilityBadge label="vision" color="blue" />}
        </div>
      </td>
      <td className="hidden px-4 py-2 text-xs text-text-muted md:table-cell">
        {formatContext(model.contextWindow)}
      </td>
      <td className="hidden px-4 py-2 text-xs text-text-muted md:table-cell">
        {model.cost.input === 0 && model.cost.output === 0
          ? 'free'
          : `$${model.cost.input} / $${model.cost.output}`}
      </td>
      <td className="px-4 py-2 text-center">
        {isDefault && (
          <span
            className="inline-block rounded-full bg-accent/20 px-2 py-0.5 text-xs font-medium text-accent"
            title="Default model used for new sessions"
          >
            default
          </span>
        )}
      </td>
    </tr>
  );
 }
 function ProviderAvatar({ id }: { id: string }): React.ReactElement {
  const letter = id.charAt(0).toUpperCase();
  return (
    <div className="flex h-8 w-8 items-center justify-center rounded-full bg-surface-elevated text-sm font-semibold text-text-secondary">
      {letter}
    </div>
  );
 }
 function ProviderStatusBadge({ available }: { available: boolean }): React.ReactElement {
  return (
    <span
      className={`rounded-full px-2 py-0.5 text-xs font-medium ${
        available ? 'bg-success/20 text-success' : 'bg-surface-elevated text-text-muted'
      }`}
    >
      {available ? 'Active' : 'Inactive'}
    </span>
  );
 }
 interface TestConnectionButtonProps {
  status: ProviderTestStatus;
  onTest: () => void;
 }
 function TestConnectionButton({ status, onTest }: TestConnectionButtonProps): React.ReactElement {
  const isTesting = status.state === 'testing';
  return (
    <button
      type="button"
      onClick={onTest}
      disabled={isTesting}
      className="rounded px-2 py-1 text-xs transition-colors hover:bg-surface-elevated disabled:cursor-not-allowed disabled:opacity-50"
      title="Test connection"
    >
      {isTesting ? (
        <span className="text-text-muted">Testing…</span>
      ) : status.state === 'success' ? (
        <span className="text-success">✓ Reachable</span>
      ) : status.state === 'error' ? (
        <span className="text-error">✗ Unreachable</span>
      ) : (
        <span className="text-text-muted">Test</span>
      )}
    </button>
  );
 }
 function TestResultBanner({ result }: { result: TestConnectionResult }): React.ReactElement {
  return (
    <div
      className={`px-4 py-2 text-xs ${
        result.reachable ? 'bg-success/10 text-success' : 'bg-error/10 text-error'
      }`}
    >
      {result.reachable ? (
        <>
          Connected
          {result.latencyMs !== undefined && (
            <span className="ml-1 opacity-70">({result.latencyMs}ms)</span>
          )}
          {result.discoveredModels && result.discoveredModels.length > 0 && (
            <span className="ml-2 opacity-70">
              — {result.discoveredModels.length} model
              {result.discoveredModels.length !== 1 ? 's' : ''} discovered
            </span>
          )}
        </>
      ) : (
        <>Connection failed{result.error ? `: ${result.error}` : ''}</>
      )}
    </div>
  );
 }
 function CapabilityBadge({
  label,
  color = 'default',
 }: {
  label: string;
  color?: 'default' | 'purple' | 'blue';
 }): React.ReactElement {
  const colorClass =
    color === 'purple'
      ? 'bg-purple-500/20 text-purple-400'
      : color === 'blue'
        ? 'bg-blue-500/20 text-blue-400'
        : 'bg-surface-elevated text-text-muted';
  return <span className={`rounded px-1.5 py-0.5 text-xs ${colorClass}`}>{label}</span>;
 }
 function formatContext(tokens: number): string {
  if (tokens >= 1_000_000) return `${(tokens / 1_000_000).toFixed(1)}M`;
  if (tokens >= 1_000) return `${Math.round(tokens / 1_000)}k`;
  return String(tokens);
 }
--- a/apps/web/src/components/admin-role-guard.tsx
+++ b/apps/web/src/components/admin-role-guard.tsx
@@ -0,0 +1,40 @@
 'use client';
 import { useRouter } from 'next/navigation';
 import { useEffect } from 'react';
 import { useSession } from '@/lib/auth-client';
 interface AdminRoleGuardProps {
  children: React.ReactNode;
 }
 export function AdminRoleGuard({ children }: AdminRoleGuardProps): React.ReactElement | null {
  const { data: session, isPending } = useSession();
  const router = useRouter();
  const user = session?.user as
    | (NonNullable<typeof session>['user'] & { role?: string })
    | undefined;
  useEffect(() => {
    if (!isPending && !session) {
      router.replace('/login');
    } else if (!isPending && session && user?.role !== 'admin') {
      router.replace('/');
    }
  }, [isPending, session, user?.role, router]);
  if (isPending) {
    return (
      <div className="flex min-h-screen items-center justify-center">
        <div className="text-sm text-text-muted">Loading...</div>
      </div>
    );
  }
  if (!session || user?.role !== 'admin') {
    return null;
  }
  return <>{children}</>;
 }
--- a/apps/web/src/components/chat/conversation-list.tsx
+++ b/apps/web/src/components/chat/conversation-list.tsx
@@ -1,5 +1,6 @@
 'use client';
 import { useCallback, useRef, useState } from 'react';
 import { cn } from '@/lib/cn';
 import type { Conversation } from '@/lib/types';
@@ -8,6 +9,32 @@ interface ConversationListProps {
  activeId: string | null;
  onSelect: (id: string) => void;
  onNew: () => void;
  onRename: (id: string, title: string) => void;
  onDelete: (id: string) => void;
  onArchive: (id: string, archived: boolean) => void;
 }
 interface ContextMenuState {
  conversationId: string;
  x: number;
  y: number;
 }
 /** Format a date as relative time (e.g. "2h ago", "Yesterday"). */
 function formatRelativeTime(dateStr: string): string {
  const date = new Date(dateStr);
  const now = new Date();
  const diffMs = now.getTime() - date.getTime();
  const diffMinutes = Math.floor(diffMs / 60_000);
  const diffHours = Math.floor(diffMs / 3_600_000);
  const diffDays = Math.floor(diffMs / 86_400_000);
  if (diffMinutes < 1) return 'Just now';
  if (diffMinutes < 60) return `${diffMinutes}m ago`;
  if (diffHours < 24) return `${diffHours}h ago`;
  if (diffDays === 1) return 'Yesterday';
  if (diffDays < 7) return `${diffDays}d ago`;
  return date.toLocaleDateString();
 }
 export function ConversationList({
@@ -15,43 +42,265 @@ export function ConversationList({
  activeId,
  onSelect,
  onNew,
  onRename,
  onDelete,
  onArchive,
 }: ConversationListProps): React.ReactElement {
-  return (
+  const [searchQuery, setSearchQuery] = useState('');
-    <div className="flex h-full w-64 flex-col border-r border-surface-border bg-surface-card">
+  const [renamingId, setRenamingId] = useState<string | null>(null);
-      <div className="flex items-center justify-between p-3">
+  const [renameValue, setRenameValue] = useState('');
-        <h2 className="text-sm font-medium text-text-secondary">Conversations</h2>
+  const [contextMenu, setContextMenu] = useState<ContextMenuState | null>(null);
-        <button
+  const [deleteConfirmId, setDeleteConfirmId] = useState<string | null>(null);
-          type="button"
+  const [showArchived, setShowArchived] = useState(false);
-          onClick={onNew}
+  const renameInputRef = useRef<HTMLInputElement>(null);
          className="rounded-md px-2 py-1 text-xs text-blue-400 transition-colors hover:bg-surface-elevated"
        >
          + New
        </button>
      </div>
-      <div className="flex-1 overflow-y-auto">
+  const activeConversations = conversations.filter((c) => !c.archived);
-        {conversations.length === 0 && (
+  const archivedConversations = conversations.filter((c) => c.archived);
-          <p className="px-3 py-2 text-xs text-text-muted">No conversations yet</p>
+
-        )}
+  const filteredActive = searchQuery
-        {conversations.map((conv) => (
+    ? activeConversations.filter((c) =>
        (c.title ?? 'Untitled').toLowerCase().includes(searchQuery.toLowerCase()),
      )
    : activeConversations;
  const filteredArchived = searchQuery
    ? archivedConversations.filter((c) =>
        (c.title ?? 'Untitled').toLowerCase().includes(searchQuery.toLowerCase()),
      )
    : archivedConversations;
  const handleContextMenu = useCallback((e: React.MouseEvent, conversationId: string) => {
    e.preventDefault();
    setContextMenu({ conversationId, x: e.clientX, y: e.clientY });
    setDeleteConfirmId(null);
  }, []);
  const closeContextMenu = useCallback(() => {
    setContextMenu(null);
    setDeleteConfirmId(null);
  }, []);
  const startRename = useCallback(
    (id: string, currentTitle: string | null) => {
      setRenamingId(id);
      setRenameValue(currentTitle ?? '');
      closeContextMenu();
      setTimeout(() => renameInputRef.current?.focus(), 0);
    },
    [closeContextMenu],
  );
  const commitRename = useCallback(() => {
    if (renamingId) {
      const trimmed = renameValue.trim();
      onRename(renamingId, trimmed || 'Untitled');
    }
    setRenamingId(null);
    setRenameValue('');
  }, [renamingId, renameValue, onRename]);
  const cancelRename = useCallback(() => {
    setRenamingId(null);
    setRenameValue('');
  }, []);
  const handleRenameKeyDown = useCallback(
    (e: React.KeyboardEvent<HTMLInputElement>) => {
      if (e.key === 'Enter') commitRename();
      if (e.key === 'Escape') cancelRename();
    },
    [commitRename, cancelRename],
  );
  const handleDeleteClick = useCallback((id: string) => {
    setDeleteConfirmId(id);
  }, []);
  const confirmDelete = useCallback(
    (id: string) => {
      onDelete(id);
      setDeleteConfirmId(null);
      closeContextMenu();
    },
    [onDelete, closeContextMenu],
  );
  const handleArchiveToggle = useCallback(
    (id: string, archived: boolean) => {
      onArchive(id, archived);
      closeContextMenu();
    },
    [onArchive, closeContextMenu],
  );
  const contextConv = contextMenu
    ? conversations.find((c) => c.id === contextMenu.conversationId)
    : null;
  function renderConversationItem(conv: Conversation): React.ReactElement {
    const isActive = activeId === conv.id;
    const isRenaming = renamingId === conv.id;
    return (
      <div key={conv.id} className="group relative">
        {isRenaming ? (
          <div className="px-3 py-2">
            <input
              ref={renameInputRef}
              value={renameValue}
              onChange={(e) => setRenameValue(e.target.value)}
              onBlur={commitRename}
              onKeyDown={handleRenameKeyDown}
              className="w-full rounded border border-blue-500 bg-surface-elevated px-2 py-0.5 text-sm text-text-primary outline-none"
              maxLength={255}
            />
          </div>
        ) : (
          <button
            key={conv.id}
            type="button"
            onClick={() => onSelect(conv.id)}
            onDoubleClick={() => startRename(conv.id, conv.title)}
            onContextMenu={(e) => handleContextMenu(e, conv.id)}
            className={cn(
              'w-full px-3 py-2 text-left text-sm transition-colors',
-              activeId === conv.id
+              isActive
                ? 'bg-blue-600/20 text-blue-400'
                : 'text-text-secondary hover:bg-surface-elevated',
            )}
          >
            <span className="block truncate">{conv.title ?? 'Untitled'}</span>
            <span className="block text-xs text-text-muted">
-              {new Date(conv.updatedAt).toLocaleDateString()}
+              {formatRelativeTime(conv.updatedAt)}
            </span>
          </button>
-        ))}
+        )}
      </div>
-    </div>
+    );
  }
  return (
    <>
      {/* Backdrop to close context menu */}
      {contextMenu && (
        <div className="fixed inset-0 z-10" onClick={closeContextMenu} aria-hidden="true" />
      )}
      <div className="flex h-full w-64 flex-col border-r border-surface-border bg-surface-card">
        {/* Header */}
        <div className="flex items-center justify-between p-3">
          <h2 className="text-sm font-medium text-text-secondary">Conversations</h2>
          <button
            type="button"
            onClick={onNew}
            className="rounded-md px-2 py-1 text-xs text-blue-400 transition-colors hover:bg-surface-elevated"
          >
            + New
          </button>
        </div>
        {/* Search input */}
        <div className="px-3 pb-2">
          <input
            type="search"
            value={searchQuery}
            onChange={(e) => setSearchQuery(e.target.value)}
            placeholder="Search conversations\u2026"
            className="w-full rounded-md border border-surface-border bg-surface-elevated px-3 py-1.5 text-xs text-text-primary placeholder:text-text-muted focus:border-blue-500 focus:outline-none"
          />
        </div>
        {/* Conversation list */}
        <div className="flex-1 overflow-y-auto">
          {filteredActive.length === 0 && !searchQuery && (
            <p className="px-3 py-2 text-xs text-text-muted">No conversations yet</p>
          )}
          {filteredActive.length === 0 && searchQuery && (
            <p className="px-3 py-2 text-xs text-text-muted">
              No results for &ldquo;{searchQuery}&rdquo;
            </p>
          )}
          {filteredActive.map((conv) => renderConversationItem(conv))}
          {/* Archived section */}
          {archivedConversations.length > 0 && (
            <div className="mt-2">
              <button
                type="button"
                onClick={() => setShowArchived((v) => !v)}
                className="flex w-full items-center gap-1 px-3 py-1 text-xs text-text-muted transition-colors hover:text-text-secondary"
              >
                <span
                  className={cn(
                    'inline-block transition-transform',
                    showArchived ? 'rotate-90' : '',
                  )}
                >
                  &#9658;
                </span>
                Archived ({archivedConversations.length})
              </button>
              {showArchived && (
                <div className="opacity-60">
                  {filteredArchived.map((conv) => renderConversationItem(conv))}
                </div>
              )}
            </div>
          )}
        </div>
      </div>
      {/* Context menu */}
      {contextMenu && contextConv && (
        <div
          className="fixed z-20 min-w-36 rounded-md border border-surface-border bg-surface-card py-1 shadow-lg"
          style={{ top: contextMenu.y, left: contextMenu.x }}
        >
          <button
            type="button"
            className="w-full px-3 py-1.5 text-left text-sm text-text-secondary hover:bg-surface-elevated"
            onClick={() => startRename(contextConv.id, contextConv.title)}
          >
            Rename
          </button>
          <button
            type="button"
            className="w-full px-3 py-1.5 text-left text-sm text-text-secondary hover:bg-surface-elevated"
            onClick={() => handleArchiveToggle(contextConv.id, !contextConv.archived)}
          >
            {contextConv.archived ? 'Unarchive' : 'Archive'}
          </button>
          <hr className="my-1 border-surface-border" />
          {deleteConfirmId === contextConv.id ? (
            <div className="px-3 py-1.5">
              <p className="mb-1.5 text-xs text-red-400">Delete this conversation?</p>
              <div className="flex gap-2">
                <button
                  type="button"
                  className="rounded bg-red-600 px-2 py-0.5 text-xs text-white hover:bg-red-700"
                  onClick={() => confirmDelete(contextConv.id)}
                >
                  Delete
                </button>
                <button
                  type="button"
                  className="rounded px-2 py-0.5 text-xs text-text-muted hover:bg-surface-elevated"
                  onClick={() => setDeleteConfirmId(null)}
                >
                  Cancel
                </button>
              </div>
            </div>
          ) : (
            <button
              type="button"
              className="w-full px-3 py-1.5 text-left text-sm text-red-400 hover:bg-surface-elevated"
              onClick={() => handleDeleteClick(contextConv.id)}
            >
              Delete
            </button>
          )}
        </div>
      )}
    </>
  );
 }
--- a/apps/web/src/components/chat/streaming-message.tsx
+++ b/apps/web/src/components/chat/streaming-message.tsx
@@ -5,16 +5,22 @@ interface StreamingMessageProps {
  text: string;
 }
-export function StreamingMessage({ text }: StreamingMessageProps): React.ReactElement | null {
+export function StreamingMessage({ text }: StreamingMessageProps): React.ReactElement {
  if (!text) return null;
  return (
    <div className="flex justify-start">
      <div className="max-w-[75%] rounded-xl border border-surface-border bg-surface-elevated px-4 py-3 text-sm text-text-primary">
-        <div className="whitespace-pre-wrap break-words">{text}</div>
+        {text ? (
          <div className="whitespace-pre-wrap break-words">{text}</div>
        ) : (
          <div className="flex items-center gap-2 text-text-muted">
            <span className="inline-block h-2 w-2 animate-pulse rounded-full bg-blue-500" />
            <span className="inline-block h-2 w-2 animate-pulse rounded-full bg-blue-500 [animation-delay:0.2s]" />
            <span className="inline-block h-2 w-2 animate-pulse rounded-full bg-blue-500 [animation-delay:0.4s]" />
          </div>
        )}
        <div className="mt-1 flex items-center gap-1 text-xs text-text-muted">
-          <span className="inline-block h-2 w-2 animate-pulse rounded-full bg-blue-500" />
+          <span className="inline-block h-1.5 w-1.5 animate-pulse rounded-full bg-blue-500" />
-          Thinking...
+          {text ? 'Responding...' : 'Thinking...'}
        </div>
      </div>
    </div>
--- a/apps/web/src/components/projects/mission-timeline.tsx
+++ b/apps/web/src/components/projects/mission-timeline.tsx
@@ -0,0 +1,92 @@
 'use client';
 import { cn } from '@/lib/cn';
 import type { Mission, MissionStatus } from '@/lib/types';
 interface MissionTimelineProps {
  missions: Mission[];
 }
 const statusOrder: MissionStatus[] = ['planning', 'active', 'paused', 'completed', 'failed'];
 const statusStyles: Record<MissionStatus, { dot: string; label: string; badge: string }> = {
  planning: {
    dot: 'bg-gray-400',
    label: 'text-gray-400',
    badge: 'bg-gray-600/20 text-gray-300',
  },
  active: {
    dot: 'bg-blue-400',
    label: 'text-blue-400',
    badge: 'bg-blue-600/20 text-blue-400',
  },
  paused: {
    dot: 'bg-warning',
    label: 'text-warning',
    badge: 'bg-warning/20 text-warning',
  },
  completed: {
    dot: 'bg-success',
    label: 'text-success',
    badge: 'bg-success/20 text-success',
  },
  failed: {
    dot: 'bg-error',
    label: 'text-error',
    badge: 'bg-error/20 text-error',
  },
 };
 function sortMissions(missions: Mission[]): Mission[] {
  return [...missions].sort((a, b) => {
    const aIdx = statusOrder.indexOf(a.status);
    const bIdx = statusOrder.indexOf(b.status);
    if (aIdx !== bIdx) return aIdx - bIdx;
    return new Date(a.createdAt).getTime() - new Date(b.createdAt).getTime();
  });
 }
 export function MissionTimeline({ missions }: MissionTimelineProps): React.ReactElement {
  if (missions.length === 0) {
    return (
      <div className="py-6 text-center">
        <p className="text-sm text-text-muted">No missions for this project</p>
      </div>
    );
  }
  const sorted = sortMissions(missions);
  return (
    <ol className="relative space-y-0">
      {sorted.map((mission, idx) => {
        const styles = statusStyles[mission.status] ?? statusStyles.planning;
        const isLast = idx === sorted.length - 1;
        return (
          <li key={mission.id} className="relative flex gap-4 pb-6 last:pb-0">
            {/* Vertical line */}
            {!isLast && <div className="absolute left-2.5 top-5 h-full w-px bg-surface-border" />}
            {/* Status dot */}
            <div
              className={cn('mt-1 h-5 w-5 shrink-0 rounded-full border-2 border-bg', styles.dot)}
            />
            <div className="flex-1 rounded-lg border border-surface-border bg-surface-card p-3">
              <div className="flex items-start justify-between gap-2">
                <span className="text-sm font-medium text-text-primary">{mission.name}</span>
                <span className={cn('shrink-0 rounded-full px-2 py-0.5 text-xs', styles.badge)}>
                  {mission.status}
                </span>
              </div>
              {mission.description && (
                <p className="mt-1 text-xs text-text-muted">{mission.description}</p>
              )}
              <p className="mt-2 text-xs text-text-muted">
                Created {new Date(mission.createdAt).toLocaleDateString()}
              </p>
            </div>
          </li>
        );
      })}
    </ol>
  );
 }
--- a/apps/web/src/components/projects/prd-viewer.tsx
+++ b/apps/web/src/components/projects/prd-viewer.tsx
@@ -0,0 +1,99 @@
 'use client';
 interface PrdViewerProps {
  content: string;
 }
 /**
 * Lightweight markdown-to-HTML renderer for PRD content.
 * Supports headings, bold, italic, inline code, code blocks, and lists.
 * No external dependency — keeps bundle size minimal.
 */
 function renderMarkdown(md: string): string {
  let html = md
    // Escape HTML entities first to prevent XSS
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  // Code blocks (must run before inline code)
  html = html.replace(/```[\w]*\n?([\s\S]*?)```/g, (_match, code: string) => {
    return `<pre class="overflow-x-auto rounded-lg bg-surface-elevated p-4 my-4"><code class="text-xs text-text-secondary whitespace-pre">${code.trim()}</code></pre>`;
  });
  // Headings
  html = html.replace(
    /^#### (.+)$/gm,
    '<h4 class="text-sm font-semibold text-text-primary mt-4 mb-1">$1</h4>',
  );
  html = html.replace(
    /^### (.+)$/gm,
    '<h3 class="text-base font-semibold text-text-primary mt-6 mb-2">$1</h3>',
  );
  html = html.replace(
    /^## (.+)$/gm,
    '<h2 class="text-lg font-semibold text-text-primary mt-8 mb-3">$1</h2>',
  );
  html = html.replace(
    /^# (.+)$/gm,
    '<h1 class="text-xl font-bold text-text-primary mt-8 mb-4">$1</h1>',
  );
  // Horizontal rule
  html = html.replace(/^---$/gm, '<hr class="my-6 border-surface-border" />');
  // Unordered list items
  html = html.replace(
    /^[-*] (.+)$/gm,
    '<li class="ml-4 text-sm text-text-secondary list-disc">$1</li>',
  );
  // Ordered list items
  html = html.replace(
    /^\d+\. (.+)$/gm,
    '<li class="ml-4 text-sm text-text-secondary list-decimal">$1</li>',
  );
  // Bold + italic
  html = html.replace(/\*\*\*(.+?)\*\*\*/g, '<strong><em>$1</em></strong>');
  // Bold
  html = html.replace(
    /\*\*(.+?)\*\*/g,
    '<strong class="font-semibold text-text-primary">$1</strong>',
  );
  // Italic
  html = html.replace(/\*(.+?)\*/g, '<em class="italic text-text-secondary">$1</em>');
  // Inline code
  html = html.replace(
    /`([^`]+)`/g,
    '<code class="rounded bg-surface-elevated px-1 py-0.5 text-xs text-text-secondary">$1</code>',
  );
  // Paragraphs — wrap lines that aren't already wrapped in a block element
  const lines = html.split('\n');
  const result: string[] = [];
  for (const line of lines) {
    const trimmed = line.trim();
    if (trimmed === '') {
      result.push('');
    } else if (
      trimmed.startsWith('<h') ||
      trimmed.startsWith('<pre') ||
      trimmed.startsWith('<li') ||
      trimmed.startsWith('<hr')
    ) {
      result.push(trimmed);
    } else {
      result.push(`<p class="text-sm text-text-secondary leading-relaxed my-2">${trimmed}</p>`);
    }
  }
  return result.join('\n');
 }
 export function PrdViewer({ content }: PrdViewerProps): React.ReactElement {
  const html = renderMarkdown(content);
  return <div className="prose prose-sm max-w-none" dangerouslySetInnerHTML={{ __html: html }} />;
 }
--- a/apps/web/src/components/tasks/task-detail-modal.tsx
+++ b/apps/web/src/components/tasks/task-detail-modal.tsx
@@ -0,0 +1,231 @@
 'use client';
 import { useEffect, useRef } from 'react';
 import type { ReactNode } from 'react';
 import { cn } from '@/lib/cn';
 import type { Task } from '@/lib/types';
 interface TaskDetailModalProps {
  task: Task;
  onClose: () => void;
 }
 const priorityColors: Record<string, string> = {
  critical: 'text-error',
  high: 'text-warning',
  medium: 'text-blue-400',
  low: 'text-text-muted',
 };
 const statusBadgeColors: Record<string, string> = {
  'not-started': 'bg-gray-600/20 text-gray-300',
  'in-progress': 'bg-blue-600/20 text-blue-400',
  blocked: 'bg-error/20 text-error',
  done: 'bg-success/20 text-success',
  cancelled: 'bg-gray-600/20 text-gray-500',
 };
 function DetailRow({
  label,
  children,
 }: {
  label: string;
  children: ReactNode;
 }): React.ReactElement {
  return (
    <div className="flex gap-2 py-2 text-sm">
      <span className="w-24 shrink-0 text-text-muted">{label}</span>
      <span className="text-text-primary">{children}</span>
    </div>
  );
 }
 export function TaskDetailModal({ task, onClose }: TaskDetailModalProps): React.ReactElement {
  const dialogRef = useRef<HTMLDivElement>(null);
  useEffect(() => {
    function handleKeyDown(e: KeyboardEvent): void {
      if (e.key === 'Escape') onClose();
    }
    document.addEventListener('keydown', handleKeyDown);
    return () => document.removeEventListener('keydown', handleKeyDown);
  }, [onClose]);
  // Trap focus on mount
  useEffect(() => {
    dialogRef.current?.focus();
  }, []);
  const prLinks = extractPrLinks(task.metadata);
  return (
    /* backdrop */
    <div
      className="fixed inset-0 z-50 flex items-center justify-center bg-black/60 p-4"
      onClick={(e) => {
        if (e.target === e.currentTarget) onClose();
      }}
      role="presentation"
    >
      <div
        ref={dialogRef}
        role="dialog"
        aria-modal="true"
        aria-labelledby="task-detail-title"
        tabIndex={-1}
        className="flex max-h-[90vh] w-full max-w-lg flex-col overflow-hidden rounded-xl border border-surface-border bg-surface-card outline-none"
      >
        {/* Header */}
        <div className="flex items-start justify-between gap-3 border-b border-surface-border p-4">
          <h2 id="task-detail-title" className="text-base font-semibold text-text-primary">
            {task.title}
          </h2>
          <button
            type="button"
            onClick={onClose}
            aria-label="Close task details"
            className="shrink-0 rounded p-1 text-text-muted hover:text-text-primary"
          >
            ✕
          </button>
        </div>
        {/* Body */}
        <div className="flex-1 overflow-y-auto p-4">
          {/* Badges */}
          <div className="mb-4 flex flex-wrap gap-2">
            <span
              className={cn(
                'rounded-full px-2 py-0.5 text-xs',
                statusBadgeColors[task.status] ?? 'bg-gray-600/20 text-gray-400',
              )}
            >
              {task.status}
            </span>
            <span className={cn('text-xs', priorityColors[task.priority])}>
              {task.priority} priority
            </span>
          </div>
          {/* Description */}
          {task.description && (
            <div className="mb-4 rounded-lg bg-surface-elevated p-3">
              <p className="text-sm text-text-secondary">{task.description}</p>
            </div>
          )}
          {/* Details */}
          <div className="divide-y divide-surface-border rounded-lg border border-surface-border px-3">
            {task.assignee ? <DetailRow label="Assignee">{task.assignee}</DetailRow> : null}
            {task.dueDate ? (
              <DetailRow label="Due date">
                {new Date(task.dueDate).toLocaleDateString(undefined, {
                  year: 'numeric',
                  month: 'long',
                  day: 'numeric',
                })}
              </DetailRow>
            ) : null}
            <DetailRow label="Created">
              {new Date(task.createdAt).toLocaleDateString(undefined, {
                year: 'numeric',
                month: 'long',
                day: 'numeric',
              })}
            </DetailRow>
            <DetailRow label="Updated">
              {new Date(task.updatedAt).toLocaleDateString(undefined, {
                year: 'numeric',
                month: 'long',
                day: 'numeric',
              })}
            </DetailRow>
          </div>
          {/* Tags */}
          {task.tags != null && task.tags.length > 0 ? (
            <div className="mt-4">
              <p className="mb-2 text-xs text-text-muted">Tags</p>
              <div className="flex flex-wrap gap-1">
                {task.tags.map((tag) => (
                  <span
                    key={tag}
                    className="rounded-full bg-surface-elevated px-2 py-0.5 text-xs text-text-secondary"
                  >
                    {tag}
                  </span>
                ))}
              </div>
            </div>
          ) : null}
          {/* PR Links */}
          {prLinks.length > 0 ? (
            <div className="mt-4">
              <p className="mb-2 text-xs text-text-muted">Pull Requests</p>
              <ul className="space-y-1">
                {prLinks.map((link) => (
                  <li key={link.url}>
                    <a
                      href={link.url}
                      target="_blank"
                      rel="noopener noreferrer"
                      className="text-xs text-blue-400 underline hover:text-blue-300"
                    >
                      {link.label ?? link.url}
                    </a>
                  </li>
                ))}
              </ul>
            </div>
          ) : null}
          {/* Notes from metadata */}
          <NotesSection notes={getNotesString(task.metadata)} />
        </div>
      </div>
    </div>
  );
 }
 interface PrLink {
  url: string;
  label?: string;
 }
 function extractPrLinks(metadata: Record<string, unknown> | null): PrLink[] {
  if (!metadata) return [];
  const raw = metadata['pr_links'] ?? metadata['prLinks'];
  if (!Array.isArray(raw)) return [];
  return raw
    .filter((item): item is PrLink => {
      if (typeof item === 'string') return true;
      if (typeof item === 'object' && item !== null && 'url' in item) return true;
      return false;
    })
    .map((item): PrLink => {
      if (typeof item === 'string') return { url: item };
      return item as PrLink;
    });
 }
 function getNotesString(metadata: Record<string, unknown> | null): string | null {
  if (!metadata) return null;
  const notes = metadata['notes'];
  if (typeof notes === 'string' && notes.trim().length > 0) return notes;
  return null;
 }
 function NotesSection({ notes }: { notes: string | null }): React.ReactElement | null {
  if (!notes) return null;
  return (
    <div className="mt-4">
      <p className="mb-2 text-xs text-text-muted">Notes</p>
      <div className="rounded-lg bg-surface-elevated p-3">
        <p className="whitespace-pre-wrap text-xs text-text-secondary">{notes}</p>
      </div>
    </div>
  );
 }
--- a/apps/web/src/components/tasks/task-status-summary.tsx
+++ b/apps/web/src/components/tasks/task-status-summary.tsx
@@ -0,0 +1,99 @@
 'use client';
 import { cn } from '@/lib/cn';
 import type { Task, TaskStatus } from '@/lib/types';
 interface TaskStatusSummaryProps {
  tasks: Task[];
  activeFilter: TaskStatus | 'all';
  onFilterChange: (filter: TaskStatus | 'all') => void;
 }
 const statusConfig: {
  id: TaskStatus | 'all';
  label: string;
  color: string;
  activeColor: string;
 }[] = [
  {
    id: 'all',
    label: 'All',
    color: 'text-text-muted',
    activeColor: 'bg-surface-elevated text-text-primary',
  },
  {
    id: 'not-started',
    label: 'Not Started',
    color: 'text-gray-400',
    activeColor: 'bg-gray-600/20 text-gray-300',
  },
  {
    id: 'in-progress',
    label: 'In Progress',
    color: 'text-blue-400',
    activeColor: 'bg-blue-600/20 text-blue-400',
  },
  {
    id: 'blocked',
    label: 'Blocked',
    color: 'text-error',
    activeColor: 'bg-error/20 text-error',
  },
  {
    id: 'done',
    label: 'Done',
    color: 'text-success',
    activeColor: 'bg-success/20 text-success',
  },
 ];
 export function TaskStatusSummary({
  tasks,
  activeFilter,
  onFilterChange,
 }: TaskStatusSummaryProps): React.ReactElement {
  const counts: Record<TaskStatus | 'all', number> = {
    all: tasks.length,
    'not-started': 0,
    'in-progress': 0,
    blocked: 0,
    done: 0,
    cancelled: 0,
  };
  for (const task of tasks) {
    counts[task.status] = (counts[task.status] ?? 0) + 1;
  }
  return (
    <div className="flex flex-wrap gap-2">
      {statusConfig.map((config) => {
        const count = counts[config.id];
        const isActive = activeFilter === config.id;
        return (
          <button
            key={config.id}
            type="button"
            onClick={() => onFilterChange(config.id)}
            className={cn(
              'flex items-center gap-1.5 rounded-full border px-3 py-1 text-xs transition-colors',
              isActive
                ? cn('border-transparent', config.activeColor)
                : 'border-surface-border text-text-muted hover:border-gray-500',
            )}
          >
            <span>{config.label}</span>
            <span
              className={cn(
                'rounded-full px-1.5 py-0.5 text-xs font-medium',
                isActive ? 'bg-black/20' : 'bg-surface-elevated',
              )}
            >
              {count}
            </span>
          </button>
        );
      })}
    </div>
  );
 }
--- a/apps/web/src/lib/auth-client.ts
+++ b/apps/web/src/lib/auth-client.ts
@@ -1,7 +1,9 @@
 import { createAuthClient } from 'better-auth/react';
 import { adminClient } from 'better-auth/client/plugins';
-export const authClient: ReturnType<typeof createAuthClient> = createAuthClient({
+export const authClient = createAuthClient({
  baseURL: process.env['NEXT_PUBLIC_GATEWAY_URL'] ?? 'http://localhost:4000',
  plugins: [adminClient()],
 });
 export const { useSession, signIn, signUp, signOut } = authClient;
--- a/apps/web/src/lib/socket.ts
+++ b/apps/web/src/lib/socket.ts
@@ -9,7 +9,24 @@ export function getSocket(): Socket {
    socket = io(`${GATEWAY_URL}/chat`, {
      withCredentials: true,
      autoConnect: false,
      transports: ['websocket', 'polling'],
    });
    // Reset singleton reference when socket is fully closed so the next
    // getSocket() call creates a fresh instance instead of returning a
    // closed/dead socket.
    socket.on('disconnect', () => {
      socket = null;
    });
  }
  return socket;
 }
 /** Tear down the singleton socket and reset the reference. */
 export function destroySocket(): void {
  if (socket) {
    socket.offAny();
    socket.disconnect();
    socket = null;
  }
 }
--- a/apps/web/src/lib/types.ts
+++ b/apps/web/src/lib/types.ts
@@ -4,6 +4,7 @@ export interface Conversation {
  userId: string;
  title: string | null;
  projectId: string | null;
  archived: boolean;
  createdAt: string;
  updatedAt: string;
 }
@@ -51,6 +52,22 @@ export interface Project {
  description: string | null;
  status: ProjectStatus;
  userId: string;
  ownerId?: string;
  metadata: Record<string, unknown> | null;
  createdAt: string;
  updatedAt: string;
 }
 /** Mission statuses. */
 export type MissionStatus = 'planning' | 'active' | 'paused' | 'completed' | 'failed';
 /** Mission returned by the gateway API. */
 export interface Mission {
  id: string;
  name: string;
  description: string | null;
  status: MissionStatus;
  projectId: string | null;
  metadata: Record<string, unknown> | null;
  createdAt: string;
  updatedAt: string;
--- a/apps/web/tsconfig.e2e.json
+++ b/apps/web/tsconfig.e2e.json
@@ -0,0 +1,11 @@
 {
  "extends": "../../tsconfig.base.json",
  "compilerOptions": {
    "target": "ES2022",
    "module": "NodeNext",
    "moduleResolution": "NodeNext",
    "types": ["node"],
    "noEmit": true
  },
  "include": ["e2e/**/*.ts", "playwright.config.ts"]
 }
--- a/apps/web/tsconfig.json
+++ b/apps/web/tsconfig.json
@@ -12,5 +12,5 @@
    }
  },
  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
+  "exclude": ["node_modules", "e2e", "playwright.config.ts"]
 }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,6 +9,7 @@ services:
      POSTGRES_DB: mosaic
    volumes:
      - pg_data:/var/lib/postgresql/data
      - ./infra/pg-init:/docker-entrypoint-initdb.d:ro
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U mosaic']
      interval: 5s
--- a/docs/MISSION-MANIFEST.md
+++ b/docs/MISSION-MANIFEST.md
@@ -8,10 +8,10 @@
 **ID:** mvp-20260312
 **Statement:** Build Mosaic Stack v0.1.0 — a self-hosted, multi-user AI agent platform with web dashboard, TUI, remote control, shared memory, mission orchestration, and extensible skill/plugin architecture. All TypeScript. Pi as agent harness. Brain as knowledge layer. Queue as coordination backbone.
 **Phase:** Execution
-**Current Milestone:** Phase 7: Polish & Beta (v0.1.0)
+**Current Milestone:** Phase 8: Polish & Beta (v0.1.0)
-**Progress:** 7 / 8 milestones
+**Progress:** 8 / 9 milestones
 **Status:** active
-**Last Updated:** 2026-03-14 UTC
+**Last Updated:** 2026-03-15 UTC
 ## Success Criteria
@@ -38,7 +38,8 @@
 | 4   | ms-161 | Phase 4: Memory & Intelligence (v0.0.5) | done        | —      | —     | 2026-03-13 | 2026-03-13 |
 | 5   | ms-162 | Phase 5: Remote Control (v0.0.6)        | done        | —      | #99   | 2026-03-14 | 2026-03-14 |
 | 6   | ms-163 | Phase 6: CLI & Tools (v0.0.7)           | done        | —      | #104  | 2026-03-14 | 2026-03-14 |
-| 7   | ms-164 | Phase 7: Polish & Beta (v0.1.0)         | not-started | —      | —     | —          | —          |
+| 7   | ms-164 | Phase 7: Feature Completion (v0.0.8)    | done        | —      | —     | 2026-03-15 | 2026-03-15 |
 | 8   | ms-165 | Phase 8: Polish & Beta (v0.1.0)         | not-started | —      | —     | —          | —          |
 ## Deployment
@@ -69,7 +70,8 @@
 | 8       | claude-opus-4-6 | 2026-03-12           | —        | context limit | Phase 2 complete |
 | 9       | claude-opus-4-6 | 2026-03-12           | —        | context limit | P3-007           |
 | 10      | claude-opus-4-6 | 2026-03-13           | —        | context limit | P3-008           |
-| 11      | claude-opus-4-6 | 2026-03-14           | —        | active        | P5-005           |
+| 11      | claude-opus-4-6 | 2026-03-14           | —        | context limit | P7 rescope       |
 | 12      | claude-opus-4-6 | 2026-03-15           | —        | active        | P7 planning      |
 ## Scratchpad
--- a/docs/TASKS.md
+++ b/docs/TASKS.md
@@ -2,67 +2,80 @@
 > Single-writer: orchestrator only. Workers read but never modify.
-| id     | status      | milestone | description                                                   | pr   | notes |
+| id     | status      | milestone | description                                                         | pr   | notes         |
-| ------ | ----------- | --------- | ------------------------------------------------------------- | ---- | ----- |
+| ------ | ----------- | --------- | ------------------------------------------------------------------- | ---- | ------------- |
-| P0-001 | done        | Phase 0   | Scaffold monorepo                                             | #60  | #1    |
+| P0-001 | done        | Phase 0   | Scaffold monorepo                                                   | #60  | #1            |
-| P0-002 | done        | Phase 0   | @mosaic/types — migrate and extend shared types               | #65  | #2    |
+| P0-002 | done        | Phase 0   | @mosaic/types — migrate and extend shared types                     | #65  | #2            |
-| P0-003 | done        | Phase 0   | @mosaic/db — Drizzle schema and PG connection                 | #67  | #3    |
+| P0-003 | done        | Phase 0   | @mosaic/db — Drizzle schema and PG connection                       | #67  | #3            |
-| P0-004 | done        | Phase 0   | @mosaic/auth — BetterAuth email/password setup                | #68  | #4    |
+| P0-004 | done        | Phase 0   | @mosaic/auth — BetterAuth email/password setup                      | #68  | #4            |
-| P0-005 | done        | Phase 0   | Docker Compose — PG 17, Valkey 8, SigNoz                      | #65  | #5    |
+| P0-005 | done        | Phase 0   | Docker Compose — PG 17, Valkey 8, SigNoz                            | #65  | #5            |
-| P0-006 | done        | Phase 0   | OTEL foundation — OpenTelemetry SDK setup                     | #65  | #6    |
+| P0-006 | done        | Phase 0   | OTEL foundation — OpenTelemetry SDK setup                           | #65  | #6            |
-| P0-007 | done        | Phase 0   | CI pipeline — Woodpecker config                               | #69  | #7    |
+| P0-007 | done        | Phase 0   | CI pipeline — Woodpecker config                                     | #69  | #7            |
-| P0-008 | done        | Phase 0   | Project docs — AGENTS.md, CLAUDE.md, README                   | #69  | #8    |
+| P0-008 | done        | Phase 0   | Project docs — AGENTS.md, CLAUDE.md, README                         | #69  | #8            |
-| P0-009 | done        | Phase 0   | Verify Phase 0 — CI green, all packages build                 | #70  | #9    |
+| P0-009 | done        | Phase 0   | Verify Phase 0 — CI green, all packages build                       | #70  | #9            |
-| P1-001 | done        | Phase 1   | apps/gateway scaffold — NestJS + Fastify adapter              | #61  | #10   |
+| P1-001 | done        | Phase 1   | apps/gateway scaffold — NestJS + Fastify adapter                    | #61  | #10           |
-| P1-002 | done        | Phase 1   | Auth middleware — BetterAuth session validation               | #71  | #11   |
+| P1-002 | done        | Phase 1   | Auth middleware — BetterAuth session validation                     | #71  | #11           |
-| P1-003 | done        | Phase 1   | @mosaic/brain — migrate from v0, PG backend                   | #71  | #12   |
+| P1-003 | done        | Phase 1   | @mosaic/brain — migrate from v0, PG backend                         | #71  | #12           |
-| P1-004 | done        | Phase 1   | @mosaic/queue — migrate from v0                               | #71  | #13   |
+| P1-004 | done        | Phase 1   | @mosaic/queue — migrate from v0                                     | #71  | #13           |
-| P1-005 | done        | Phase 1   | Gateway routes — conversations CRUD + messages                | #72  | #14   |
+| P1-005 | done        | Phase 1   | Gateway routes — conversations CRUD + messages                      | #72  | #14           |
-| P1-006 | done        | Phase 1   | Gateway routes — tasks, projects, missions CRUD               | #72  | #15   |
+| P1-006 | done        | Phase 1   | Gateway routes — tasks, projects, missions CRUD                     | #72  | #15           |
-| P1-007 | done        | Phase 1   | WebSocket server — chat streaming                             | #61  | #16   |
+| P1-007 | done        | Phase 1   | WebSocket server — chat streaming                                   | #61  | #16           |
-| P1-008 | done        | Phase 1   | Basic agent dispatch — single provider                        | #61  | #17   |
+| P1-008 | done        | Phase 1   | Basic agent dispatch — single provider                              | #61  | #17           |
-| P1-009 | done        | Phase 1   | Verify Phase 1 — gateway functional, API tested               | #73  | #18   |
+| P1-009 | done        | Phase 1   | Verify Phase 1 — gateway functional, API tested                     | #73  | #18           |
-| P2-001 | done        | Phase 2   | @mosaic/agent — Pi SDK integration + agent pool               | #61  | #19   |
+| P2-001 | done        | Phase 2   | @mosaic/agent — Pi SDK integration + agent pool                     | #61  | #19           |
-| P2-002 | done        | Phase 2   | Multi-provider support — Anthropic + Ollama                   | #74  | #20   |
+| P2-002 | done        | Phase 2   | Multi-provider support — Anthropic + Ollama                         | #74  | #20           |
-| P2-003 | done        | Phase 2   | Agent routing engine — cost/capability matrix                 | #75  | #21   |
+| P2-003 | done        | Phase 2   | Agent routing engine — cost/capability matrix                       | #75  | #21           |
-| P2-004 | done        | Phase 2   | Tool registration — brain, queue, memory tools                | #76  | #22   |
+| P2-004 | done        | Phase 2   | Tool registration — brain, queue, memory tools                      | #76  | #22           |
-| P2-005 | done        | Phase 2   | @mosaic/coord — migrate from v0, gateway integration          | #77  | #23   |
+| P2-005 | done        | Phase 2   | @mosaic/coord — migrate from v0, gateway integration                | #77  | #23           |
-| P2-006 | done        | Phase 2   | Agent session management — tmux + monitoring                  | #78  | #24   |
+| P2-006 | done        | Phase 2   | Agent session management — tmux + monitoring                        | #78  | #24           |
-| P2-007 | done        | Phase 2   | Verify Phase 2 — multi-provider routing works                 | #79  | #25   |
+| P2-007 | done        | Phase 2   | Verify Phase 2 — multi-provider routing works                       | #79  | #25           |
-| P3-001 | done        | Phase 3   | apps/web scaffold — Next.js 16 + BetterAuth + Tailwind        | #82  | #26   |
+| P3-001 | done        | Phase 3   | apps/web scaffold — Next.js 16 + BetterAuth + Tailwind              | #82  | #26           |
-| P3-002 | done        | Phase 3   | Auth pages — login, registration, SSO redirect                | #83  | #27   |
+| P3-002 | done        | Phase 3   | Auth pages — login, registration, SSO redirect                      | #83  | #27           |
-| P3-003 | done        | Phase 3   | Chat UI — conversations, messages, streaming                  | #84  | #28   |
+| P3-003 | done        | Phase 3   | Chat UI — conversations, messages, streaming                        | #84  | #28           |
-| P3-004 | done        | Phase 3   | Task management — list view + kanban board                    | #86  | #29   |
+| P3-004 | done        | Phase 3   | Task management — list view + kanban board                          | #86  | #29           |
-| P3-005 | done        | Phase 3   | Project & mission views — dashboard + PRD viewer              | #87  | #30   |
+| P3-005 | done        | Phase 3   | Project & mission views — dashboard + PRD viewer                    | #87  | #30           |
-| P3-006 | done        | Phase 3   | Settings — provider config, profile, integrations             | #88  | #31   |
+| P3-006 | done        | Phase 3   | Settings — provider config, profile, integrations                   | #88  | #31           |
-| P3-007 | done        | Phase 3   | Admin panel — user management, RBAC                           | #89  | #32   |
+| P3-007 | done        | Phase 3   | Admin panel — user management, RBAC                                 | #89  | #32           |
-| P3-008 | done        | Phase 3   | Verify Phase 3 — web dashboard functional E2E                 | —    | #33   |
+| P3-008 | done        | Phase 3   | Verify Phase 3 — web dashboard functional E2E                       | —    | #33           |
-| P4-001 | done        | Phase 4   | @mosaic/memory — preference + insight stores                  | —    | #34   |
+| P4-001 | done        | Phase 4   | @mosaic/memory — preference + insight stores                        | —    | #34           |
-| P4-002 | done        | Phase 4   | Semantic search — pgvector embeddings + search API            | —    | #35   |
+| P4-002 | done        | Phase 4   | Semantic search — pgvector embeddings + search API                  | —    | #35           |
-| P4-003 | done        | Phase 4   | @mosaic/log — log ingest, parsing, tiered storage             | —    | #36   |
+| P4-003 | done        | Phase 4   | @mosaic/log — log ingest, parsing, tiered storage                   | —    | #36           |
-| P4-004 | done        | Phase 4   | Summarization pipeline — Haiku-tier LLM + cron                | —    | #37   |
+| P4-004 | done        | Phase 4   | Summarization pipeline — Haiku-tier LLM + cron                      | —    | #37           |
-| P4-005 | done        | Phase 4   | Memory integration — inject into agent sessions               | —    | #38   |
+| P4-005 | done        | Phase 4   | Memory integration — inject into agent sessions                     | —    | #38           |
-| P4-006 | done        | Phase 4   | Skill management — catalog, install, config                   | —    | #39   |
+| P4-006 | done        | Phase 4   | Skill management — catalog, install, config                         | —    | #39           |
-| P4-007 | done        | Phase 4   | Verify Phase 4 — memory + log pipeline working                | —    | #40   |
+| P4-007 | done        | Phase 4   | Verify Phase 4 — memory + log pipeline working                      | —    | #40           |
-| P5-001 | done        | Phase 5   | Plugin host — gateway plugin loading + channel interface      | —    | #41   |
+| P5-001 | done        | Phase 5   | Plugin host — gateway plugin loading + channel interface            | —    | #41           |
-| P5-002 | done        | Phase 5   | @mosaic/discord-plugin — Discord bot + channel plugin         | #61  | #42   |
+| P5-002 | done        | Phase 5   | @mosaic/discord-plugin — Discord bot + channel plugin               | #61  | #42           |
-| P5-003 | done        | Phase 5   | @mosaic/telegram-plugin — Telegraf bot + channel plugin       | —    | #43   |
+| P5-003 | done        | Phase 5   | @mosaic/telegram-plugin — Telegraf bot + channel plugin             | —    | #43           |
-| P5-004 | done        | Phase 5   | SSO — Authentik OIDC adapter end-to-end                       | —    | #44   |
+| P5-004 | done        | Phase 5   | SSO — Authentik OIDC adapter end-to-end                             | —    | #44           |
-| P5-005 | done        | Phase 5   | Verify Phase 5 — Discord + Telegram + SSO working             | #99  | #45   |
+| P5-005 | done        | Phase 5   | Verify Phase 5 — Discord + Telegram + SSO working                   | #99  | #45           |
-| P6-001 | done        | Phase 6   | @mosaic/cli — unified CLI binary + subcommands                | #104 | #46   |
+| P6-001 | done        | Phase 6   | @mosaic/cli — unified CLI binary + subcommands                      | #104 | #46           |
-| P6-002 | done        | Phase 6   | @mosaic/prdy — migrate PRD wizard from v0                     | #101 | #47   |
+| P6-002 | done        | Phase 6   | @mosaic/prdy — migrate PRD wizard from v0                           | #101 | #47           |
-| P6-003 | done        | Phase 6   | @mosaic/quality-rails — migrate scaffolder from v0            | #100 | #48   |
+| P6-003 | done        | Phase 6   | @mosaic/quality-rails — migrate scaffolder from v0                  | #100 | #48           |
-| P6-004 | done        | Phase 6   | @mosaic/mosaic — install wizard for v1                        | #103 | #49   |
+| P6-004 | done        | Phase 6   | @mosaic/mosaic — install wizard for v1                              | #103 | #49           |
-| P6-005 | done        | Phase 6   | Pi TUI integration — mosaic tui                               | #61  | #50   |
+| P6-005 | done        | Phase 6   | Pi TUI integration — mosaic tui                                     | #61  | #50           |
-| P6-006 | done        | Phase 6   | Verify Phase 6 — CLI functional, all subcommands              | —    | #51   |
+| P6-006 | done        | Phase 6   | Verify Phase 6 — CLI functional, all subcommands                    | —    | #51           |
-| P7-001 | not-started | Phase 7   | MCP endpoint hardening — streamable HTTP transport            | —    | #52   |
+| P7-009 | done        | Phase 7   | Web chat — WebSocket integration, streaming, conversation switching | #136 | #120 W1 done  |
-| P7-002 | not-started | Phase 7   | Additional SSO providers — WorkOS + Keycloak                  | —    | #53   |
+| P7-001 | done        | Phase 7   | MCP endpoint hardening — streamable HTTP transport                  | #137 | #52 W1 done   |
-| P7-003 | not-started | Phase 7   | Additional LLM providers — Codex, Z.ai, LM Studio, llama.cpp  | —    | #54   |
+| P7-010 | done        | Phase 7   | Web conversation management — list, search, rename, delete, archive | #139 | #121 W2 done  |
-| P7-004 | not-started | Phase 7   | E2E test suite — Playwright critical paths                    | —    | #55   |
+| P7-015 | done        | Phase 7   | Agent tool expansion — file ops, git, shell exec, web fetch         | #138 | #126 W2 done  |
-| P7-005 | not-started | Phase 7   | Performance optimization                                      | —    | #56   |
+| P7-011 | done        | Phase 7   | Web project detail views — missions, tasks, PRDs, dashboards        | #140 | #122 W3 done  |
-| P7-006 | not-started | Phase 7   | Documentation — user guide, admin guide, dev guide            | —    | #57   |
+| P7-016 | done        | Phase 7   | MCP client — gateway connects to external MCP servers as tools      | #141 | #127 W3 done  |
-| P7-007 | not-started | Phase 7   | Bare-metal deployment docs + .env.example                     | —    | #58   |
+| P7-012 | done        | Phase 7   | Web provider management UI — add, configure, test LLM providers     | #142 | #123 W4 done  |
-| P7-008 | not-started | Phase 7   | Beta release gate — v0.1.0 tag                                | —    | #59   |
+| P7-017 | done        | Phase 7   | Agent skill invocation — load and execute skills from catalog       | #143 | #128 W4 done  |
-| FIX-01 | done        | Backlog   | Call piSession.dispose() in AgentService.destroySession       | #78  | #62   |
+| P7-013 | done        | Phase 7   | Web settings persistence — profile, preferences save to DB          | #145 | #124 W5 done  |
-| FIX-02 | not-started | Backlog   | TUI agent:end — fix React state updater side-effect           | —    | #63   |
+| P7-018 | done        | Phase 7   | CLI model/provider switching — --model, --provider, /model in TUI   | #144 | #129 W5 done  |
-| FIX-03 | not-started | Backlog   | Agent session — cwd sandbox, system prompt, tool restrictions | —    | #64   |
+| P7-014 | done        | Phase 7   | Web admin panel — user CRUD, role assignment, system health         | #150 | #125 W6 done  |
 | P7-019 | done        | Phase 7   | CLI session management — list, resume, destroy sessions             | #146 | #130 W6 done  |
 | P7-020 | done        | Phase 7   | Coord DB migration — project-scoped missions, multi-tenant RBAC     | #149 | #131 W7 done  |
 | FIX-02 | done        | Backlog   | TUI agent:end — fix React state updater side-effect                 | #147 | #133 W8 done  |
 | FIX-03 | done        | Backlog   | Agent session — cwd sandbox, system prompt, tool restrictions       | #148 | #134 W8 done  |
 | P7-004 | done        | Phase 7   | E2E test suite — Playwright critical paths                          | #152 | #55 W9 done   |
 | P7-006 | done        | Phase 7   | Documentation — user guide, admin guide, dev guide                  | #151 | #57 W9 done   |
 | P7-007 | done        | Phase 7   | Bare-metal deployment docs + .env.example                           | #153 | #58 W9 done   |
 | P7-021 | done        | Phase 7   | Verify Phase 7 — feature-complete platform E2E                      | —    | #132 W10 done |
 | P8-001 | not-started | Phase 8   | Additional SSO providers — WorkOS + Keycloak                        | —    | #53           |
 | P8-002 | not-started | Phase 8   | Additional LLM providers — Codex, Z.ai, LM Studio, llama.cpp        | —    | #54           |
 | P8-003 | not-started | Phase 8   | Performance optimization                                            | —    | #56           |
 | P8-004 | not-started | Phase 8   | Beta release gate — v0.1.0 tag                                      | —    | #59           |
 | FIX-01 | done        | Backlog   | Call piSession.dispose() in AgentService.destroySession             | #78  | #62           |
--- a/docs/guides/admin-guide.md
+++ b/docs/guides/admin-guide.md
@@ -0,0 +1,311 @@
 # Mosaic Stack — Admin Guide
 ## Table of Contents
 1. [User Management](#user-management)
 2. [System Health Monitoring](#system-health-monitoring)
 3. [Provider Configuration](#provider-configuration)
 4. [MCP Server Configuration](#mcp-server-configuration)
 5. [Environment Variables Reference](#environment-variables-reference)
 ---
 ## User Management
 Admins access user management at `/admin` in the web dashboard. All admin
 endpoints require a session with `role = admin`.
 ### Creating a User
 **Via the web admin panel:**
 1. Navigate to `/admin`.
 2. Click **Create User**.
 3. Enter name, email, password, and role (`admin` or `member`).
 4. Submit.
 **Via the API:**
 ```http
 POST /api/admin/users
 Content-Type: application/json
 {
  "name": "Jane Doe",
  "email": "jane@example.com",
  "password": "securepassword",
  "role": "member"
 }
 ```
 Passwords are hashed by BetterAuth before storage. Passwords are never stored in
 plaintext.
 ### Roles
 | Role     | Permissions                                                           |
 | -------- | --------------------------------------------------------------------- |
 | `admin`  | Full access: user management, health, all agent tools                 |
 | `member` | Standard user access; agent tool set restricted by `AGENT_USER_TOOLS` |
 ### Updating a User's Role
 ```http
 PATCH /api/admin/users/:id/role
 Content-Type: application/json
 { "role": "admin" }
 ```
 ### Banning and Unbanning
 Banned users cannot sign in. Provide an optional reason:
 ```http
 POST /api/admin/users/:id/ban
 Content-Type: application/json
 { "reason": "Violated terms of service" }
 ```
 To lift a ban:
 ```http
 POST /api/admin/users/:id/unban
 ```
 ### Deleting a User
 ```http
 DELETE /api/admin/users/:id
 ```
 This permanently deletes the user. Related data (sessions, accounts) is
 cascade-deleted. Conversations and tasks reference the user via `owner_id`
 which is set to `NULL` on delete (`set null`).
 ---
 ## System Health Monitoring
 The health endpoint is available to admin users only.
 ```http
 GET /api/admin/health
 ```
 Sample response:
 ```json
 {
  "status": "ok",
  "database": { "status": "ok", "latencyMs": 2 },
  "cache": { "status": "ok", "latencyMs": 1 },
  "agentPool": { "activeSessions": 3 },
  "providers": [{ "id": "ollama", "name": "ollama", "available": true, "modelCount": 3 }],
  "checkedAt": "2026-03-15T12:00:00.000Z"
 }
 ```
 `status` is `ok` when both database and cache pass. It is `degraded` when either
 service fails.
 The web admin panel at `/admin` polls this endpoint and renders the results in a
 status dashboard.
 ---
 ## Provider Configuration
 Providers are configured via environment variables and loaded at gateway startup.
 No restart-free hot reload is supported; the gateway must be restarted after
 changing provider env vars.
 ### Ollama
 Set `OLLAMA_BASE_URL` (or the legacy `OLLAMA_HOST`) to the base URL of your
 Ollama instance:
 ```env
 OLLAMA_BASE_URL=http://localhost:11434
 ```
 Specify which models to expose (comma-separated):
 ```env
 OLLAMA_MODELS=llama3.2,codellama,mistral
 ```
 Default when unset: `llama3.2,codellama,mistral`.
 The gateway registers Ollama models using the OpenAI-compatible completions API
 (`/v1/chat/completions`).
 ### Custom Providers (OpenAI-compatible APIs)
 Any OpenAI-compatible API (LM Studio, llama.cpp HTTP server, etc.) can be
 registered via `MOSAIC_CUSTOM_PROVIDERS`. The value is a JSON array:
 ```env
 MOSAIC_CUSTOM_PROVIDERS='[
  {
    "id": "lmstudio",
    "name": "LM Studio",
    "baseUrl": "http://localhost:1234",
    "models": ["mistral-7b-instruct"]
  }
 ]'
 ```
 Each entry must include:
 | Field     | Required | Description                         |
 | --------- | -------- | ----------------------------------- |
 | `id`      | Yes      | Unique provider identifier          |
 | `name`    | Yes      | Display name                        |
 | `baseUrl` | Yes      | API base URL (no trailing slash)    |
 | `models`  | Yes      | Array of model ID strings to expose |
 | `apiKey`  | No       | API key if required by the endpoint |
 ### Testing Provider Connectivity
 From the web admin panel or settings page, click **Test** next to a provider.
 This calls:
 ```http
 POST /api/agent/providers/:id/test
 ```
 The response includes `reachable`, `latencyMs`, and optionally
 `discoveredModels`.
 ---
 ## MCP Server Configuration
 The gateway can connect to external MCP (Model Context Protocol) servers and
 expose their tools to agent sessions.
 Set `MCP_SERVERS` to a JSON array of server configurations:
 ```env
 MCP_SERVERS='[
  {
    "name": "my-tools",
    "url": "http://localhost:3001/mcp",
    "headers": {
      "Authorization": "Bearer my-token"
    }
  }
 ]'
 ```
 Each entry:
 | Field     | Required | Description                         |
 | --------- | -------- | ----------------------------------- |
 | `name`    | Yes      | Unique server name                  |
 | `url`     | Yes      | MCP server URL (`/mcp` endpoint)    |
 | `headers` | No       | Additional HTTP headers (e.g. auth) |
 On gateway startup, each configured server is connected and its tools are
 discovered. Tools are bridged into the Pi SDK tool format and become available
 in agent sessions.
 The gateway itself also exposes an MCP server endpoint at `POST /mcp` for
 external clients. Authentication requires a valid BetterAuth session (cookie or
 `Authorization` header).
 ---
 ## Environment Variables Reference
 ### Required
 | Variable             | Description                                                                               |
 | -------------------- | ----------------------------------------------------------------------------------------- |
 | `BETTER_AUTH_SECRET` | Secret key for BetterAuth session signing. Must be set or gateway will not start.         |
 | `DATABASE_URL`       | PostgreSQL connection string. Default: `postgresql://mosaic:mosaic@localhost:5433/mosaic` |
 ### Gateway
 | Variable              | Default                 | Description                                    |
 | --------------------- | ----------------------- | ---------------------------------------------- |
 | `GATEWAY_PORT`        | `4000`                  | Port the gateway listens on                    |
 | `GATEWAY_CORS_ORIGIN` | `http://localhost:3000` | Allowed CORS origin for browser clients        |
 | `BETTER_AUTH_URL`     | `http://localhost:4000` | Public URL of the gateway (used by BetterAuth) |
 ### SSO (Optional)
 | Variable                  | Description                    |
 | ------------------------- | ------------------------------ |
 | `AUTHENTIK_CLIENT_ID`     | Authentik OAuth2 client ID     |
 | `AUTHENTIK_CLIENT_SECRET` | Authentik OAuth2 client secret |
 | `AUTHENTIK_ISSUER`        | Authentik OIDC issuer URL      |
 All three Authentik variables must be set together. If only `AUTHENTIK_CLIENT_ID`
 is set, a warning is logged and SSO is disabled.
 ### Agent
 | Variable                 | Default         | Description                                             |
 | ------------------------ | --------------- | ------------------------------------------------------- |
 | `AGENT_FILE_SANDBOX_DIR` | `process.cwd()` | Root directory for file/git/shell tool access           |
 | `AGENT_SYSTEM_PROMPT`    | —               | Platform-level system prompt injected into all sessions |
 | `AGENT_USER_TOOLS`       | all tools       | Comma-separated allowlist of tools for non-admin users  |
 ### Providers
 | Variable                  | Default                      | Description                                      |
 | ------------------------- | ---------------------------- | ------------------------------------------------ |
 | `OLLAMA_BASE_URL`         | —                            | Ollama API base URL                              |
 | `OLLAMA_HOST`             | —                            | Alias for `OLLAMA_BASE_URL` (legacy)             |
 | `OLLAMA_MODELS`           | `llama3.2,codellama,mistral` | Comma-separated Ollama model IDs                 |
 | `MOSAIC_CUSTOM_PROVIDERS` | —                            | JSON array of custom OpenAI-compatible providers |
 ### Memory and Embeddings
 | Variable                | Default                     | Description                                          |
 | ----------------------- | --------------------------- | ---------------------------------------------------- |
 | `OPENAI_API_KEY`        | —                           | API key for OpenAI embedding and summarization calls |
 | `EMBEDDING_API_URL`     | `https://api.openai.com/v1` | Base URL for embedding API                           |
 | `EMBEDDING_MODEL`       | `text-embedding-3-small`    | Embedding model ID                                   |
 | `SUMMARIZATION_API_URL` | `https://api.openai.com/v1` | Base URL for log summarization API                   |
 | `SUMMARIZATION_MODEL`   | `gpt-4o-mini`               | Model used for log summarization                     |
 | `SUMMARIZATION_CRON`    | `0 */6 * * *`               | Cron schedule for log summarization (every 6 hours)  |
 | `TIER_MANAGEMENT_CRON`  | `0 3 * * *`                 | Cron schedule for log tier management (daily at 3am) |
 ### MCP
 | Variable      | Description                                      |
 | ------------- | ------------------------------------------------ |
 | `MCP_SERVERS` | JSON array of external MCP server configurations |
 ### Plugins
 | Variable               | Description                                                               |
 | ---------------------- | ------------------------------------------------------------------------- |
 | `DISCORD_BOT_TOKEN`    | Discord bot token (enables Discord plugin)                                |
 | `DISCORD_GUILD_ID`     | Discord guild/server ID                                                   |
 | `DISCORD_GATEWAY_URL`  | Gateway URL for Discord plugin to call (default: `http://localhost:4000`) |
 | `TELEGRAM_BOT_TOKEN`   | Telegram bot token (enables Telegram plugin)                              |
 | `TELEGRAM_GATEWAY_URL` | Gateway URL for Telegram plugin to call                                   |
 ### Observability
 | Variable                      | Default                 | Description                      |
 | ----------------------------- | ----------------------- | -------------------------------- |
 | `OTEL_EXPORTER_OTLP_ENDPOINT` | `http://localhost:4318` | OpenTelemetry collector endpoint |
 | `OTEL_SERVICE_NAME`           | `mosaic-gateway`        | Service name in traces           |
 ### Web App
 | Variable                  | Default                 | Description                            |
 | ------------------------- | ----------------------- | -------------------------------------- |
 | `NEXT_PUBLIC_GATEWAY_URL` | `http://localhost:4000` | Gateway URL used by the Next.js client |
 ### Coordination
 | Variable                | Default                       | Description                                |
 | ----------------------- | ----------------------------- | ------------------------------------------ |
 | `MOSAIC_WORKSPACE_ROOT` | monorepo root (auto-detected) | Root path for mission workspace operations |
--- a/docs/guides/deployment.md
+++ b/docs/guides/deployment.md
@@ -0,0 +1,384 @@
 # Deployment Guide
 This guide covers deploying Mosaic in two modes: **Docker Compose** (recommended for quick setup) and **bare-metal** (production, full control).
 ---
 ## Prerequisites
 | Dependency       | Minimum version | Notes                                          |
 | ---------------- | --------------- | ---------------------------------------------- |
 | Node.js          | 22 LTS          | Required for ESM + `--experimental-vm-modules` |
 | pnpm             | 9               | `npm install -g pnpm`                          |
 | PostgreSQL       | 17              | Must have the `pgvector` extension             |
 | Valkey           | 8               | Redis-compatible; Redis 7+ also works          |
 | Docker + Compose | v2              | For the Docker Compose path only               |
 ---
 ## Docker Compose Deployment (Quick Start)
 The `docker-compose.yml` at the repository root starts PostgreSQL 17 (with pgvector), Valkey 8, an OpenTelemetry Collector, and Jaeger.
 ### 1. Clone and configure
 ```bash
 git clone <repo-url> mosaic
 cd mosaic
 cp .env.example .env
 ```
 Edit `.env`. The minimum required change is:
 ```dotenv
 BETTER_AUTH_SECRET=<output of: openssl rand -base64 32>
 ```
 ### 2. Start infrastructure services
 ```bash
 docker compose up -d
 ```
 Services and their ports:
 | Service               | Default port             |
 | --------------------- | ------------------------ |
 | PostgreSQL            | `localhost:5433`         |
 | Valkey                | `localhost:6380`         |
 | OTEL Collector (HTTP) | `localhost:4318`         |
 | OTEL Collector (gRPC) | `localhost:4317`         |
 | Jaeger UI             | `http://localhost:16686` |
 Override host ports via `PG_HOST_PORT` and `VALKEY_HOST_PORT` in `.env` if the defaults conflict.
 ### 3. Install dependencies
 ```bash
 pnpm install
 ```
 ### 4. Initialize the database
 ```bash
 pnpm --filter @mosaic/db db:migrate
 ```
 ### 5. Build all packages
 ```bash
 pnpm build
 ```
 ### 6. Start the gateway
 ```bash
 pnpm --filter @mosaic/gateway dev
 ```
 Or for production (after build):
 ```bash
 node apps/gateway/dist/main.js
 ```
 ### 7. Start the web app
 ```bash
 # Development
 pnpm --filter @mosaic/web dev
 # Production (after build)
 pnpm --filter @mosaic/web start
 ```
 The web app runs on port `3000` by default.
 ---
 ## Bare-Metal Deployment
 Use this path when you want to manage PostgreSQL and Valkey yourself (e.g., existing infrastructure, managed cloud databases).
 ### Step 1 — Install system dependencies
 ```bash
 # Node.js 22 via nvm
 curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
 nvm install 22
 nvm use 22
 # pnpm
 npm install -g pnpm
 # PostgreSQL 17 with pgvector (Debian/Ubuntu example)
 sudo apt-get install -y postgresql-17 postgresql-17-pgvector
 # Valkey
 # Follow https://valkey.io/download/ for your distribution
 ```
 ### Step 2 — Create the database
 ```sql
 -- Run as the postgres superuser
 CREATE USER mosaic WITH PASSWORD 'change-me';
 CREATE DATABASE mosaic OWNER mosaic;
 \c mosaic
 CREATE EXTENSION IF NOT EXISTS vector;
 ```
 ### Step 3 — Clone and configure
 ```bash
 git clone <repo-url> /opt/mosaic
 cd /opt/mosaic
 cp .env.example .env
 ```
 Edit `/opt/mosaic/.env`. Required fields:
 ```dotenv
 DATABASE_URL=postgresql://mosaic:<password>@localhost:5432/mosaic
 VALKEY_URL=redis://localhost:6379
 BETTER_AUTH_SECRET=<openssl rand -base64 32>
 BETTER_AUTH_URL=https://your-domain.example.com
 GATEWAY_CORS_ORIGIN=https://your-domain.example.com
 NEXT_PUBLIC_GATEWAY_URL=https://your-domain.example.com
 ```
 ### Step 4 — Install dependencies and build
 ```bash
 pnpm install
 pnpm build
 ```
 ### Step 5 — Run database migrations
 ```bash
 pnpm --filter @mosaic/db db:migrate
 ```
 ### Step 6 — Start the gateway
 ```bash
 node apps/gateway/dist/main.js
 ```
 The gateway reads `.env` from the monorepo root automatically (via `dotenv` in `main.ts`).
 ### Step 7 — Start the web app
 ```bash
 # Next.js standalone output
 node apps/web/.next/standalone/server.js
 ```
 The standalone build is self-contained; it does not require `node_modules` to be present at runtime.
 ### Step 8 — Configure a reverse proxy
 #### Nginx example
 ```nginx
 # /etc/nginx/sites-available/mosaic
 # Gateway API
 server {
    listen 443 ssl;
    server_name your-domain.example.com;
    ssl_certificate     /etc/ssl/certs/your-domain.crt;
    ssl_certificate_key /etc/ssl/private/your-domain.key;
    # WebSocket support (for chat.gateway.ts / Socket.IO)
    location /socket.io/ {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    # REST + auth
    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
 }
 # Web app (optional — serve on a subdomain or a separate server block)
 server {
    listen 443 ssl;
    server_name app.your-domain.example.com;
    ssl_certificate     /etc/ssl/certs/your-domain.crt;
    ssl_certificate_key /etc/ssl/private/your-domain.key;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
 }
 ```
 #### Caddy example
 ```caddyfile
 # /etc/caddy/Caddyfile
 your-domain.example.com {
    reverse_proxy /socket.io/* localhost:4000 {
        header_up Upgrade {http.upgrade}
        header_up Connection {http.connection}
    }
    reverse_proxy localhost:4000
 }
 app.your-domain.example.com {
    reverse_proxy localhost:3000
 }
 ```
 ---
 ## Production Considerations
 ### systemd Services
 Create a service unit for each process.
 **Gateway** — `/etc/systemd/system/mosaic-gateway.service`:
 ```ini
 [Unit]
 Description=Mosaic Gateway
 After=network.target postgresql.service
 [Service]
 Type=simple
 User=mosaic
 WorkingDirectory=/opt/mosaic
 EnvironmentFile=/opt/mosaic/.env
 ExecStart=/usr/bin/node apps/gateway/dist/main.js
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=multi-user.target
 ```
 **Web app** — `/etc/systemd/system/mosaic-web.service`:
 ```ini
 [Unit]
 Description=Mosaic Web App
 After=network.target mosaic-gateway.service
 [Service]
 Type=simple
 User=mosaic
 WorkingDirectory=/opt/mosaic/apps/web
 EnvironmentFile=/opt/mosaic/.env
 ExecStart=/usr/bin/node .next/standalone/server.js
 Environment=PORT=3000
 Environment=HOSTNAME=127.0.0.1
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=multi-user.target
 ```
 Enable and start:
 ```bash
 sudo systemctl daemon-reload
 sudo systemctl enable --now mosaic-gateway mosaic-web
 ```
 ### Log Management
 Gateway and web app logs go to systemd journal by default. View with:
 ```bash
 journalctl -u mosaic-gateway -f
 journalctl -u mosaic-web -f
 ```
 Rotate logs by configuring `journald` in `/etc/systemd/journald.conf`:
 ```ini
 SystemMaxUse=500M
 MaxRetentionSec=30day
 ```
 ### Security Checklist
 - Set `BETTER_AUTH_SECRET` to a cryptographically random value (`openssl rand -base64 32`).
 - Restrict `GATEWAY_CORS_ORIGIN` to your exact frontend origin — do not use `*`.
 - Run services as a dedicated non-root system user (e.g., `mosaic`).
 - Firewall: only expose ports 80/443 externally; keep 4000 and 3000 bound to `127.0.0.1`.
 - Set `AGENT_FILE_SANDBOX_DIR` to a directory outside the application root to prevent agent tools from accessing source code.
 - If using `AGENT_USER_TOOLS`, enumerate only the tools non-admin users need.
 ---
 ## Troubleshooting
 ### Gateway fails to start — "BETTER_AUTH_SECRET is required"
 `BETTER_AUTH_SECRET` is missing or empty. Set it in `.env` and restart.
 ### `DATABASE_URL` connection refused
 Verify PostgreSQL is running and the port matches. The Docker Compose default is `5433`; bare-metal typically uses `5432`.
 ```bash
 psql "$DATABASE_URL" -c '\conninfo'
 ```
 ### pgvector extension missing
 ```sql
 \c mosaic
 CREATE EXTENSION IF NOT EXISTS vector;
 ```
 ### Valkey / Redis connection refused
 Check the URL in `VALKEY_URL`. The Docker Compose default is port `6380`.
 ```bash
 redis-cli -u "$VALKEY_URL" ping
 ```
 ### WebSocket connections fail in production
 Ensure your reverse proxy forwards the `Upgrade` and `Connection` headers. See the Nginx/Caddy examples above.
 ### Ollama models not appearing
 Set `OLLAMA_BASE_URL` to the URL where Ollama is running (e.g., `http://localhost:11434`) and set `OLLAMA_MODELS` to a comma-separated list of model IDs you have pulled.
 ```bash
 ollama pull llama3.2
 ```
 ### OTEL traces not appearing in Jaeger
 Verify the collector is reachable at `OTEL_EXPORTER_OTLP_ENDPOINT`. With Docker Compose the default is `http://localhost:4318`. Check `docker compose ps` and `docker compose logs otel-collector`.
 ### Summarization / embedding features not working
 These features require `OPENAI_API_KEY` to be set, or you must point `SUMMARIZATION_API_URL` / `EMBEDDING_API_URL` to an OpenAI-compatible endpoint (e.g., a local Ollama instance with an embeddings model).
--- a/docs/guides/dev-guide.md
+++ b/docs/guides/dev-guide.md
@@ -0,0 +1,515 @@
 # Mosaic Stack — Developer Guide
 ## Table of Contents
 1. [Architecture Overview](#architecture-overview)
 2. [Local Development Setup](#local-development-setup)
 3. [Building and Testing](#building-and-testing)
 4. [Adding New Agent Tools](#adding-new-agent-tools)
 5. [Adding New MCP Tools](#adding-new-mcp-tools)
 6. [Database Schema and Migrations](#database-schema-and-migrations)
 7. [API Endpoint Reference](#api-endpoint-reference)
 ---
 ## Architecture Overview
 Mosaic Stack is a TypeScript monorepo managed with **pnpm workspaces** and
 **Turborepo**.
 ```
 mosaic-mono-v1/
 ├── apps/
 │   ├── gateway/          # NestJS + Fastify API server
 │   └── web/              # Next.js 16 + React 19 web dashboard
 ├── packages/
 │   ├── agent/            # Agent session types (shared)
 │   ├── auth/             # BetterAuth configuration
 │   ├── brain/            # Structured data layer (projects, tasks, missions)
 │   ├── cli/              # mosaic CLI and TUI (Ink)
 │   ├── coord/            # Mission coordination engine
 │   ├── db/               # Drizzle ORM schema, migrations, client
 │   ├── design-tokens/    # Shared design system tokens
 │   ├── log/              # Agent log ingestion and tiering
 │   ├── memory/           # Preference and insight storage
 │   ├── mosaic/           # Install wizard and bootstrap utilities
 │   ├── prdy/             # PRD wizard CLI
 │   ├── quality-rails/    # Code quality scaffolder CLI
 │   ├── queue/            # Valkey-backed task queue
 │   └── types/            # Shared TypeScript types
 ├── docker/               # Dockerfile(s) for containerized deployment
 ├── infra/                # Infra config (OTEL collector, pg-init scripts)
 ├── docker-compose.yml    # Local services (Postgres, Valkey, OTEL, Jaeger)
 └── CLAUDE.md             # Project conventions for AI coding agents
 ```
 ### Key Technology Choices
 | Concern           | Technology                               |
 | ----------------- | ---------------------------------------- |
 | API framework     | NestJS with Fastify adapter              |
 | Web framework     | Next.js 16 (App Router), React 19        |
 | ORM               | Drizzle ORM                              |
 | Database          | PostgreSQL 17 + pgvector extension       |
 | Auth              | BetterAuth                               |
 | Agent harness     | Pi SDK (`@mariozechner/pi-coding-agent`) |
 | Queue             | Valkey 8 (Redis-compatible)              |
 | Build             | pnpm workspaces + Turborepo              |
 | CI                | Woodpecker CI                            |
 | Observability     | OpenTelemetry → Jaeger                   |
 | Module resolution | NodeNext (ESM everywhere)                |
 ### Module System
 All packages use `"type": "module"` and NodeNext resolution. Import paths must
 include the `.js` extension even when the source file is `.ts`.
 NestJS `@Inject()` decorators must be used explicitly because `tsx`/`esbuild`
 does not support `emitDecoratorMetadata`.
 ---
 ## Local Development Setup
 ### Prerequisites
 - Node.js 20+
 - pnpm 9+
 - Docker and Docker Compose
 ### 1. Clone and Install Dependencies
 ```bash
 git clone <repo-url> mosaic-mono-v1
 cd mosaic-mono-v1
 pnpm install
 ```
 ### 2. Start Infrastructure Services
 ```bash
 docker compose up -d
 ```
 This starts:
 | Service                  | Port           | Description          |
 | ------------------------ | -------------- | -------------------- |
 | PostgreSQL 17 + pgvector | `5433` (host)  | Primary database     |
 | Valkey 8                 | `6380` (host)  | Queue and cache      |
 | OpenTelemetry Collector  | `4317`, `4318` | OTEL gRPC and HTTP   |
 | Jaeger                   | `16686`        | Distributed trace UI |
 ### 3. Configure Environment
 Create a `.env` file in the monorepo root:
 ```env
 # Database (matches docker-compose defaults)
 DATABASE_URL=postgresql://mosaic:mosaic@localhost:5433/mosaic
 # Auth (required — generate a random 32+ char string)
 BETTER_AUTH_SECRET=change-me-to-a-random-secret
 # Gateway
 GATEWAY_PORT=4000
 GATEWAY_CORS_ORIGIN=http://localhost:3000
 # Web
 NEXT_PUBLIC_GATEWAY_URL=http://localhost:4000
 # Optional: Ollama
 OLLAMA_BASE_URL=http://localhost:11434
 OLLAMA_MODELS=llama3.2
 ```
 The gateway loads `.env` from the monorepo root via `dotenv` at startup
 (`apps/gateway/src/main.ts`).
 ### 4. Push the Database Schema
 ```bash
 pnpm --filter @mosaic/db db:push
 ```
 This applies the Drizzle schema directly to the database (development only; use
 migrations in production).
 ### 5. Start the Gateway
 ```bash
 pnpm --filter @mosaic/gateway exec tsx src/main.ts
 ```
 The gateway starts on port `4000` by default.
 ### 6. Start the Web App
 ```bash
 pnpm --filter @mosaic/web dev
 ```
 The web app starts on port `3000` by default.
 ---
 ## Building and Testing
 ### TypeScript Typecheck
 ```bash
 pnpm typecheck
 ```
 Runs `tsc --noEmit` across all packages in dependency order via Turborepo.
 ### Lint
 ```bash
 pnpm lint
 ```
 Runs ESLint across all packages. Config is in `eslint.config.mjs` at the root.
 ### Format Check
 ```bash
 pnpm format:check
 ```
 Runs Prettier in check mode. To auto-fix:
 ```bash
 pnpm format
 ```
 ### Tests
 ```bash
 pnpm test
 ```
 Runs Vitest across all packages. The workspace config is at
 `vitest.workspace.ts`.
 ### Build
 ```bash
 pnpm build
 ```
 Builds all packages and apps in dependency order.
 ### Pre-Push Gates (MANDATORY)
 All three must pass before any push:
 ```bash
 pnpm format:check && pnpm typecheck && pnpm lint
 ```
 A pre-push hook enforces this mechanically.
 ---
 ## Adding New Agent Tools
 Agent tools are Pi SDK `ToolDefinition` objects registered in
 `apps/gateway/src/agent/agent.service.ts`.
 ### 1. Create a Tool Factory File
 Add a new file in `apps/gateway/src/agent/tools/`:
 ```typescript
 // apps/gateway/src/agent/tools/my-tools.ts
 import { Type } from '@sinclair/typebox';
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent';
 export function createMyTools(): ToolDefinition[] {
  const myTool: ToolDefinition = {
    name: 'my_tool_name',
    label: 'Human Readable Label',
    description: 'What this tool does.',
    parameters: Type.Object({
      input: Type.String({ description: 'The input parameter' }),
    }),
    async execute(_toolCallId, params) {
      const { input } = params as { input: string };
      const result = `Processed: ${input}`;
      return {
        content: [{ type: 'text' as const, text: result }],
        details: undefined,
      };
    },
  };
  return [myTool];
 }
 ```
 ### 2. Register the Tools in AgentService
 In `apps/gateway/src/agent/agent.service.ts`, import and call your factory
 alongside the existing tool registrations:
 ```typescript
 import { createMyTools } from './tools/my-tools.js';
 // Inside the session creation logic where tools are assembled:
 const tools: ToolDefinition[] = [
  ...createBrainTools(this.brain),
  ...createCoordTools(this.coordService),
  ...createMemoryTools(this.memory, this.embeddingService),
  ...createFileTools(sandboxDir),
  ...createGitTools(sandboxDir),
  ...createShellTools(sandboxDir),
  ...createWebTools(),
  ...createMyTools(), // Add this line
  ...mcpTools,
  ...skillTools,
 ];
 ```
 ### 3. Export from the Tools Index
 Add an export to `apps/gateway/src/agent/tools/index.ts`:
 ```typescript
 export { createMyTools } from './my-tools.js';
 ```
 ### 4. Typecheck and Test
 ```bash
 pnpm typecheck
 pnpm test
 ```
 ---
 ## Adding New MCP Tools
 Mosaic connects to external MCP servers via `McpClientService`. To expose tools
 from a new MCP server:
 ### 1. Run an MCP Server
 Implement a standard MCP server that exposes tools via the streamable HTTP
 transport or SSE transport. The server must accept connections at a `/mcp`
 endpoint.
 ### 2. Configure `MCP_SERVERS`
 In your `.env`:
 ```env
 MCP_SERVERS='[{"name":"my-server","url":"http://localhost:3001/mcp"}]'
 ```
 With authentication:
 ```env
 MCP_SERVERS='[{"name":"secure-server","url":"http://my-server/mcp","headers":{"Authorization":"Bearer token"}}]'
 ```
 ### 3. Restart the Gateway
 On startup, `McpClientService` (`apps/gateway/src/mcp-client/mcp-client.service.ts`)
 connects to each configured server, calls `tools/list`, and bridges the results
 to Pi SDK `ToolDefinition` format. These tools become available in all new agent
 sessions.
 ### Tool Naming
 Bridged MCP tool names are taken directly from the MCP server's tool manifest.
 Ensure names do not conflict with built-in tools (check
 `apps/gateway/src/agent/tools/`).
 ---
 ## Database Schema and Migrations
 The schema lives in a single file:
 `packages/db/src/schema.ts`
 ### Schema Overview
 | Table                | Purpose                                           |
 | -------------------- | ------------------------------------------------- |
 | `users`              | User accounts (BetterAuth-compatible)             |
 | `sessions`           | Auth sessions                                     |
 | `accounts`           | OAuth accounts                                    |
 | `verifications`      | Email verification tokens                         |
 | `projects`           | Project records                                   |
 | `missions`           | Mission records (linked to projects)              |
 | `tasks`              | Task records (linked to projects and/or missions) |
 | `conversations`      | Chat conversation metadata                        |
 | `messages`           | Individual chat messages                          |
 | `preferences`        | Per-user key-value preference store               |
 | `insights`           | Vector-embedded memory insights                   |
 | `agent_logs`         | Agent interaction logs (hot/warm/cold tiers)      |
 | `skills`             | Installed agent skills                            |
 | `summarization_jobs` | Log summarization job tracking                    |
 The `insights` table uses a `vector(1536)` column (pgvector) for semantic search.
 ### Development: Push Schema
 Apply schema changes directly to the dev database (no migration files created):
 ```bash
 pnpm --filter @mosaic/db db:push
 ```
 ### Generating Migrations
 For production-safe, versioned changes:
 ```bash
 pnpm --filter @mosaic/db db:generate
 ```
 This creates a new SQL migration file in `packages/db/drizzle/`.
 ### Running Migrations
 ```bash
 pnpm --filter @mosaic/db db:migrate
 ```
 ### Drizzle Config
 Config is at `packages/db/drizzle.config.ts`. The schema file path and output
 directory are defined there.
 ### Adding a New Table
 1. Add the table definition to `packages/db/src/schema.ts`.
 2. Export it from `packages/db/src/index.ts`.
 3. Run `pnpm --filter @mosaic/db db:push` (dev) or
   `pnpm --filter @mosaic/db db:generate && pnpm --filter @mosaic/db db:migrate`
   (production).
 ---
 ## API Endpoint Reference
 All endpoints are served by the gateway at `http://localhost:4000` by default.
 ### Authentication
 Authentication uses BetterAuth session cookies. The auth handler is mounted at
 `/api/auth/*` via a Fastify low-level hook in
 `apps/gateway/src/auth/auth.controller.ts`.
 | Endpoint                  | Method | Description                      |
 | ------------------------- | ------ | -------------------------------- |
 | `/api/auth/sign-in/email` | POST   | Sign in with email/password      |
 | `/api/auth/sign-up/email` | POST   | Register a new account           |
 | `/api/auth/sign-out`      | POST   | Sign out (clears session cookie) |
 | `/api/auth/get-session`   | GET    | Returns the current session      |
 ### Chat
 WebSocket namespace `/chat` (Socket.IO). Authentication via session cookie.
 Events sent by the client:
 | Event     | Payload                                             | Description    |
 | --------- | --------------------------------------------------- | -------------- |
 | `message` | `{ content, conversationId?, provider?, modelId? }` | Send a message |
 Events emitted by the server:
 | Event   | Payload                     | Description            |
 | ------- | --------------------------- | ---------------------- |
 | `token` | `{ token, conversationId }` | Streaming token        |
 | `end`   | `{ conversationId }`        | Stream complete        |
 | `error` | `{ message }`               | Error during streaming |
 HTTP endpoints (`apps/gateway/src/chat/chat.controller.ts`):
 | Endpoint                               | Method | Auth | Description                     |
 | -------------------------------------- | ------ | ---- | ------------------------------- |
 | `/api/chat/conversations`              | GET    | User | List conversations              |
 | `/api/chat/conversations/:id/messages` | GET    | User | Get messages for a conversation |
 ### Admin
 All admin endpoints require `role = admin`.
 | Endpoint                          | Method | Description          |
 | --------------------------------- | ------ | -------------------- |
 | `GET /api/admin/users`            | GET    | List all users       |
 | `GET /api/admin/users/:id`        | GET    | Get a single user    |
 | `POST /api/admin/users`           | POST   | Create a user        |
 | `PATCH /api/admin/users/:id/role` | PATCH  | Update user role     |
 | `POST /api/admin/users/:id/ban`   | POST   | Ban a user           |
 | `POST /api/admin/users/:id/unban` | POST   | Unban a user         |
 | `DELETE /api/admin/users/:id`     | DELETE | Delete a user        |
 | `GET /api/admin/health`           | GET    | System health status |
 ### Agent / Providers
 | Endpoint                             | Method | Auth | Description                         |
 | ------------------------------------ | ------ | ---- | ----------------------------------- |
 | `GET /api/agent/providers`           | GET    | User | List all providers and their models |
 | `GET /api/agent/providers/models`    | GET    | User | List available models               |
 | `POST /api/agent/providers/:id/test` | POST   | User | Test provider connectivity          |
 ### Projects / Brain
 | Endpoint                         | Method | Auth | Description      |
 | -------------------------------- | ------ | ---- | ---------------- |
 | `GET /api/brain/projects`        | GET    | User | List projects    |
 | `POST /api/brain/projects`       | POST   | User | Create a project |
 | `GET /api/brain/projects/:id`    | GET    | User | Get a project    |
 | `PATCH /api/brain/projects/:id`  | PATCH  | User | Update a project |
 | `DELETE /api/brain/projects/:id` | DELETE | User | Delete a project |
 | `GET /api/brain/tasks`           | GET    | User | List tasks       |
 | `POST /api/brain/tasks`          | POST   | User | Create a task    |
 | `GET /api/brain/tasks/:id`       | GET    | User | Get a task       |
 | `PATCH /api/brain/tasks/:id`     | PATCH  | User | Update a task    |
 | `DELETE /api/brain/tasks/:id`    | DELETE | User | Delete a task    |
 ### Memory / Preferences
 | Endpoint                      | Method | Auth | Description          |
 | ----------------------------- | ------ | ---- | -------------------- |
 | `GET /api/memory/preferences` | GET    | User | Get user preferences |
 | `PUT /api/memory/preferences` | PUT    | User | Upsert a preference  |
 ### MCP Server (Gateway-side)
 | Endpoint    | Method | Auth                                          | Description                   |
 | ----------- | ------ | --------------------------------------------- | ----------------------------- |
 | `POST /mcp` | POST   | User (session cookie or Authorization header) | MCP streamable HTTP transport |
 | `GET /mcp`  | GET    | User                                          | MCP SSE stream reconnect      |
 ### Skills
 | Endpoint                 | Method | Auth  | Description           |
 | ------------------------ | ------ | ----- | --------------------- |
 | `GET /api/skills`        | GET    | User  | List installed skills |
 | `POST /api/skills`       | POST   | Admin | Install a skill       |
 | `PATCH /api/skills/:id`  | PATCH  | Admin | Update a skill        |
 | `DELETE /api/skills/:id` | DELETE | Admin | Remove a skill        |
 ### Coord (Mission Coordination)
 | Endpoint                        | Method | Auth | Description      |
 | ------------------------------- | ------ | ---- | ---------------- |
 | `GET /api/coord/missions`       | GET    | User | List missions    |
 | `POST /api/coord/missions`      | POST   | User | Create a mission |
 | `GET /api/coord/missions/:id`   | GET    | User | Get a mission    |
 | `PATCH /api/coord/missions/:id` | PATCH  | User | Update a mission |
 ### Observability
 OpenTelemetry traces are exported to the OTEL collector (`OTEL_EXPORTER_OTLP_ENDPOINT`).
 View traces in Jaeger at `http://localhost:16686`.
 Tracing is initialized before NestJS bootstrap in
 `apps/gateway/src/tracing.ts`. The import order in `apps/gateway/src/main.ts`
 is intentional: `import './tracing.js'` must come before any NestJS imports.
--- a/docs/guides/user-guide.md
+++ b/docs/guides/user-guide.md
@@ -0,0 +1,238 @@
 # Mosaic Stack — User Guide
 ## Table of Contents
 1. [Getting Started](#getting-started)
 2. [Chat Interface](#chat-interface)
 3. [Projects](#projects)
 4. [Tasks](#tasks)
 5. [Settings](#settings)
 6. [CLI Usage](#cli-usage)
 ---
 ## Getting Started
 ### Prerequisites
 Mosaic Stack requires a running gateway. Your administrator provides the URL
 (default: `http://localhost:4000`) and creates your account.
 ### Logging In (Web)
 1. Navigate to the Mosaic web app (default: `http://localhost:3000`).
 2. You are redirected to `/login` automatically.
 3. Enter your email and password, then click **Sign in**.
 4. On success you land on the **Chat** page.
 ### Registering an Account
 If self-registration is enabled:
 1. Go to `/register`.
 2. Enter your name, email, and password.
 3. Submit. You are signed in and redirected to Chat.
 ---
 ## Chat Interface
 ### Sending a Message
 1. Type your message in the input bar at the bottom of the Chat page.
 2. Press **Enter** to send.
 3. The assistant response streams in real time. A spinner indicates the agent is
   processing.
 ### Streaming Responses
 Responses appear token by token as the model generates them. You can read the
 response while it is still being produced. The streaming indicator clears when
 the response is complete.
 ### Conversation Management
 - **New conversation**: Navigate to `/chat` or click **New Chat** in the sidebar.
  A new conversation ID is created automatically on your first message.
 - **Resume a conversation**: Conversations are stored server-side. Refresh the
  page or navigate away and back to continue where you left off. The current
  conversation ID is shown in the URL.
 - **Conversation list**: The sidebar shows recent conversations. Click any entry
  to switch.
 ### Model and Provider
 The current model and provider are displayed in the chat header. To change them,
 use the Settings page (see [Provider Settings](#providers)) or the CLI
 `/model` and `/provider` commands.
 ---
 ## Projects
 Projects group related missions and tasks. Navigate to **Projects** in the
 sidebar.
 ### Creating a Project
 1. Go to `/projects`.
 2. Click **New Project**.
 3. Enter a name and optional description.
 4. Select a status: `active`, `paused`, `completed`, or `archived`.
 5. Save. The project appears in the list.
 ### Viewing a Project
 Click a project card to open its detail view at `/projects/<id>`. From here you
 can see the project's missions, tasks, and metadata.
 ### Managing Tasks within a Project
 Tasks are linked to projects and optionally to missions. See [Tasks](#tasks) for
 full details. On the project detail page, the task list is filtered to the
 selected project.
 ---
 ## Tasks
 Navigate to **Tasks** in the sidebar to see all tasks across all projects.
 ### Task Statuses
 | Status        | Meaning                  |
 | ------------- | ------------------------ |
 | `not-started` | Not yet started          |
 | `in-progress` | Actively being worked on |
 | `blocked`     | Waiting on something     |
 | `done`        | Completed                |
 | `cancelled`   | No longer needed         |
 ### Creating a Task
 1. Go to `/tasks`.
 2. Click **New Task**.
 3. Enter a title, optional description, and link to a project or mission.
 4. Set the status and priority.
 5. Save.
 ### Updating a Task
 Click a task to open its detail panel. Edit the fields inline and save.
 ---
 ## Settings
 Navigate to **Settings** in the sidebar (or `/settings`) to manage your profile,
 appearance, and providers.
 ### Profile Tab
 - **Name**: Display name shown in the UI.
 - **Email**: Read-only; contact your administrator to change email.
 - Changes save automatically when you click **Save Profile**.
 ### Appearance Tab
 - **Theme**: Choose `light`, `dark`, or `system`.
 - The theme preference is saved to your account and applies on all devices.
 ### Notifications Tab
 Configure notification preferences (future feature; placeholder in the current
 release).
 ### Providers Tab
 View all configured LLM providers and their models.
 - **Test Connection**: Click **Test** next to a provider to check reachability.
  The result shows latency and discovered models.
 - Provider configuration is managed by your administrator via environment
  variables. See the [Admin Guide](./admin-guide.md) for setup.
 ---
 ## CLI Usage
 The `mosaic` CLI provides a terminal interface to the same gateway API.
 ### Installation
 The CLI ships as part of the `@mosaic/cli` package:
 ```bash
 # From the monorepo root
 pnpm --filter @mosaic/cli build
 node packages/cli/dist/cli.js --help
 ```
 Or if installed globally:
 ```bash
 mosaic --help
 ```
 ### Signing In
 ```bash
 mosaic login --gateway http://localhost:4000 --email you@example.com
 ```
 You are prompted for a password if `--password` is not supplied. The session
 cookie is saved locally and reused on subsequent commands.
 ### Launching the TUI
 ```bash
 mosaic tui
 ```
 Options:
 | Flag                    | Default                 | Description                        |
 | ----------------------- | ----------------------- | ---------------------------------- |
 | `--gateway <url>`       | `http://localhost:4000` | Gateway URL                        |
 | `--conversation <id>`   | —                       | Resume a specific conversation     |
 | `--model <modelId>`     | server default          | Model to use (e.g. `llama3.2`)     |
 | `--provider <provider>` | server default          | Provider (e.g. `ollama`, `openai`) |
 If no valid session exists you are prompted to sign in before the TUI launches.
 ### TUI Slash Commands
 Inside the TUI, type a `/` command and press Enter:
 | Command                | Description                    |
 | ---------------------- | ------------------------------ |
 | `/model <modelId>`     | Switch to a different model    |
 | `/provider <provider>` | Switch to a different provider |
 | `/models`              | List available models          |
 | `/exit` or `/quit`     | Exit the TUI                   |
 ### Session Management
 ```bash
 # List saved sessions
 mosaic sessions list
 # Resume a session
 mosaic sessions resume <sessionId>
 # Destroy a session
 mosaic sessions destroy <sessionId>
 ```
 ### Other Commands
 ```bash
 # Run the Mosaic installation wizard
 mosaic wizard
 # PRD wizard (generate product requirement documents)
 mosaic prdy
 # Quality rails scaffolder
 mosaic quality-rails
 ```
--- a/docs/scratchpads/mvp-20260312.md
+++ b/docs/scratchpads/mvp-20260312.md
@@ -101,6 +101,36 @@ User confirmed: start the planning gate.
 - BUG-1: PLUGIN_REGISTRY circular import fixed via plugin.tokens.ts. PR #102.
 - BUG-2: AuthStorage.create() → .inMemory() to prevent silent exit. PR #102.
 ### Session 11 (continued) — E2E testing + bug fixes + Phase 7 rescope
 **Bug fixes merged during E2E testing (PRs #107-#117):**
 - CI: from_secret syntax for Woodpecker v2 (#107)
 - Gateway: dotenv loading from monorepo root (#108)
 - Gateway: missing @Inject() decorators causing silent hang (#109)
 - Gateway: CORS + memory userId + pgvector auto-init (#110)
 - Auth: BetterAuth trustedOrigins for web dashboard (#111)
 - Auth: CORS headers on raw BetterAuth HTTP handler (#112)
 - Husky: removed deprecated v9 shim lines (#113)
 - CLI: login command + authenticated TUI sessions (#114)
 - CLI: Origin header on auth requests (#115)
 - Agent: Ollama provider registration with openai-completions API (#116, #117)
 **E2E testing results:**
 - Web UI: login works, projects list, chats list (but chat doesn't function)
 - TUI: authenticated connection works, agent responds via Ollama llama3.2
 - Agent tools: brain, coord, memory tools confirmed working
 - Gateway: all routes mapped, providers register correctly
 **Phase 7 rescoped (Jason directed):**
 - Phase 7 renamed from "Polish & Beta" to "Feature Completion (v0.0.8)"
 - Added 13 new tasks (P7-009 through P7-021): web UI, agent tools, CLI, coord architecture
 - P7-002 (extra SSO), P7-003 (extra LLM), P7-005 (perf), P7-008 (v0.1.0 tag) moved to Phase 8
 - Phase 8 added as "Polish & Beta (v0.1.0)"
 - Reason: platform isn't feature-complete enough for beta — web UI is scaffolded but non-functional for real use, agent tooling is minimal, CLI needs model switching
 ## Open Questions
 (none at this time)
@@ -148,3 +178,47 @@ User confirmed: start the planning gate.
 | Session | Date       | Milestone | Tasks Done            | Outcome                                                                                                                                                                                                                                                                            |
 | ------- | ---------- | --------- | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | 10      | 2026-03-13 | Phase 4   | P4-001 through P4-007 | Full memory + log system: DB schema (preferences, insights w/ pgvector, agent_logs, skills, summarization_jobs), @mosaic/memory + @mosaic/log packages, embedding service, summarization pipeline w/ cron, memory tools in agent sessions, skill management CRUD. All gates green. |
 ### Session 12 — Phase 7 planning + execution start
 | Session | Date       | Milestone | Tasks Done | Outcome                                                                                                                                                           |
 | ------- | ---------- | --------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | 12      | 2026-03-15 | Phase 7   | Planning   | Merged rescope PR #119. Created 15 Gitea issues (#120-#134) for P7-009 through P7-021 + FIX-02/FIX-03. Planned 10-wave execution order with 2-worker parallelism. |
 **Phase 7 execution plan (10 waves, max 2 parallel workers):**
 | Wave | Task A                          | Task B                                       |
 | ---- | ------------------------------- | -------------------------------------------- |
 | 1    | P7-009 Web chat WS (#120)       | P7-001 MCP hardening (#52)                   |
 | 2    | P7-010 Conversation mgmt (#121) | P7-015 Agent tools (#126)                    |
 | 3    | P7-011 Project views (#122)     | P7-016 MCP client (#127)                     |
 | 4    | P7-012 Provider UI (#123)       | P7-017 Skill invocation (#128)               |
 | 5    | P7-013 Settings persist (#124)  | P7-018 CLI model switch (#129)               |
 | 6    | P7-014 Admin panel (#125)       | P7-019 CLI sessions (#130)                   |
 | 7    | P7-020 Coord DB (#131)          | —                                            |
 | 8    | FIX-02 TUI state (#133)         | FIX-03 Agent sandbox (#134)                  |
 | 9    | P7-004 E2E Playwright (#55)     | P7-006 Docs (#57) + P7-007 Deploy docs (#58) |
 | 10   | P7-021 Verify Phase 7 (#132)    | —                                            |
 ### Session 12 — Phase 7 completion summary
 **All 17 Phase 7 tasks + 2 backlog fixes completed in a single session.**
 PRs merged: #136, #137, #138, #139, #140, #141, #142, #143, #144, #145, #146, #147, #148, #149, #150, #151, #152, #153
 Issues closed: #52, #55, #57, #58, #120-#134
 **Verification evidence:**
 - Typecheck: 32/32 tasks green
 - Lint: 18/18 packages green
 - Format: All files clean
 - 19 PRs squash-merged to main, all quality gates passed
 **Phase 7 delivered:**
 - Web: functional chat (WS streaming), conversation management, project detail views, provider UI, settings persistence, admin panel
 - Agent: 7 new tools (file/git/shell/web), MCP server (14 tools), MCP client (external server bridge), skill invocation
 - CLI: model/provider switching, session management
 - Infrastructure: coord DB migration, agent sandbox hardening
 - Quality: E2E Playwright suite (~35 tests), comprehensive docs (user/admin/dev/deployment)
 - Fixes: TUI state updater, agent session sandboxing
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -20,7 +20,13 @@ export default tseslint.config(
    languageOptions: {
      parser: tsParser,
      parserOptions: {
-        projectService: true,
+        projectService: {
          allowDefaultProject: [
            'apps/web/e2e/*.ts',
            'apps/web/e2e/helpers/*.ts',
            'apps/web/playwright.config.ts',
          ],
        },
      },
    },
    rules: {
--- a/infra/pg-init/01-extensions.sql
+++ b/infra/pg-init/01-extensions.sql
@@ -0,0 +1 @@
 CREATE EXTENSION IF NOT EXISTS vector;
--- a/packages/auth/src/auth.ts
+++ b/packages/auth/src/auth.ts
@@ -1,6 +1,6 @@
 import { betterAuth } from 'better-auth';
 import { drizzleAdapter } from 'better-auth/adapters/drizzle';
-import { genericOAuth } from 'better-auth/plugins';
+import { admin, genericOAuth } from 'better-auth/plugins';
 import type { Db } from '@mosaic/db';
 export interface AuthConfig {
@@ -39,6 +39,9 @@ export function createAuth(config: AuthConfig) {
      ]
    : undefined;
  const corsOrigin = process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000';
  const trustedOrigins = corsOrigin.split(',').map((o) => o.trim());
  return betterAuth({
    database: drizzleAdapter(db, {
      provider: 'pg',
@@ -47,6 +50,7 @@ export function createAuth(config: AuthConfig) {
    baseURL: baseURL ?? process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
    secret: secret ?? process.env['BETTER_AUTH_SECRET'],
    basePath: '/api/auth',
    trustedOrigins,
    emailAndPassword: {
      enabled: true,
    },
@@ -64,7 +68,7 @@ export function createAuth(config: AuthConfig) {
      expiresIn: 60 * 60 * 24 * 7, // 7 days
      updateAge: 60 * 60 * 24, // refresh daily
    },
-    plugins,
+    plugins: [...(plugins ?? []), admin({ defaultRole: 'member', adminRoles: ['admin'] })],
  });
 }
--- a/packages/brain/src/brain.ts
+++ b/packages/brain/src/brain.ts
@@ -1,12 +1,14 @@
 import type { Db } from '@mosaic/db';
 import { createProjectsRepo, type ProjectsRepo } from './projects.js';
 import { createMissionsRepo, type MissionsRepo } from './missions.js';
 import { createMissionTasksRepo, type MissionTasksRepo } from './mission-tasks.js';
 import { createTasksRepo, type TasksRepo } from './tasks.js';
 import { createConversationsRepo, type ConversationsRepo } from './conversations.js';
 export interface Brain {
  projects: ProjectsRepo;
  missions: MissionsRepo;
  missionTasks: MissionTasksRepo;
  tasks: TasksRepo;
  conversations: ConversationsRepo;
 }
@@ -15,6 +17,7 @@ export function createBrain(db: Db): Brain {
  return {
    projects: createProjectsRepo(db),
    missions: createMissionsRepo(db),
    missionTasks: createMissionTasksRepo(db),
    tasks: createTasksRepo(db),
    conversations: createConversationsRepo(db),
  };
--- a/packages/brain/src/index.ts
+++ b/packages/brain/src/index.ts
@@ -11,6 +11,12 @@ export {
  type Mission,
  type NewMission,
 } from './missions.js';
 export {
  createMissionTasksRepo,
  type MissionTasksRepo,
  type MissionTask,
  type NewMissionTask,
 } from './mission-tasks.js';
 export { createTasksRepo, type TasksRepo, type Task, type NewTask } from './tasks.js';
 export {
  createConversationsRepo,
--- a/packages/brain/src/mission-tasks.ts
+++ b/packages/brain/src/mission-tasks.ts
@@ -0,0 +1,61 @@
 import { eq, and, type Db, missionTasks } from '@mosaic/db';
 export type MissionTask = typeof missionTasks.$inferSelect;
 export type NewMissionTask = typeof missionTasks.$inferInsert;
 export function createMissionTasksRepo(db: Db) {
  return {
    async findByMission(missionId: string): Promise<MissionTask[]> {
      return db.select().from(missionTasks).where(eq(missionTasks.missionId, missionId));
    },
    async findByMissionAndUser(missionId: string, userId: string): Promise<MissionTask[]> {
      return db
        .select()
        .from(missionTasks)
        .where(and(eq(missionTasks.missionId, missionId), eq(missionTasks.userId, userId)));
    },
    async findById(id: string): Promise<MissionTask | undefined> {
      const rows = await db.select().from(missionTasks).where(eq(missionTasks.id, id));
      return rows[0];
    },
    async findByIdAndUser(id: string, userId: string): Promise<MissionTask | undefined> {
      const rows = await db
        .select()
        .from(missionTasks)
        .where(and(eq(missionTasks.id, id), eq(missionTasks.userId, userId)));
      return rows[0];
    },
    async create(data: NewMissionTask): Promise<MissionTask> {
      const rows = await db.insert(missionTasks).values(data).returning();
      return rows[0]!;
    },
    async update(id: string, data: Partial<NewMissionTask>): Promise<MissionTask | undefined> {
      const rows = await db
        .update(missionTasks)
        .set({ ...data, updatedAt: new Date() })
        .where(eq(missionTasks.id, id))
        .returning();
      return rows[0];
    },
    async remove(id: string): Promise<boolean> {
      const rows = await db.delete(missionTasks).where(eq(missionTasks.id, id)).returning();
      return rows.length > 0;
    },
    async removeByMission(missionId: string): Promise<number> {
      const rows = await db
        .delete(missionTasks)
        .where(eq(missionTasks.missionId, missionId))
        .returning();
      return rows.length;
    },
  };
 }
 export type MissionTasksRepo = ReturnType<typeof createMissionTasksRepo>;
--- a/packages/brain/src/missions.ts
+++ b/packages/brain/src/missions.ts
@@ -1,4 +1,4 @@
-import { eq, type Db, missions } from '@mosaic/db';
+import { eq, and, type Db, missions } from '@mosaic/db';
 export type Mission = typeof missions.$inferSelect;
 export type NewMission = typeof missions.$inferInsert;
@@ -9,15 +9,34 @@ export function createMissionsRepo(db: Db) {
      return db.select().from(missions);
    },
    async findAllByUser(userId: string): Promise<Mission[]> {
      return db.select().from(missions).where(eq(missions.userId, userId));
    },
    async findById(id: string): Promise<Mission | undefined> {
      const rows = await db.select().from(missions).where(eq(missions.id, id));
      return rows[0];
    },
    async findByIdAndUser(id: string, userId: string): Promise<Mission | undefined> {
      const rows = await db
        .select()
        .from(missions)
        .where(and(eq(missions.id, id), eq(missions.userId, userId)));
      return rows[0];
    },
    async findByProject(projectId: string): Promise<Mission[]> {
      return db.select().from(missions).where(eq(missions.projectId, projectId));
    },
    async findByProjectAndUser(projectId: string, userId: string): Promise<Mission[]> {
      return db
        .select()
        .from(missions)
        .where(and(eq(missions.projectId, projectId), eq(missions.userId, userId)));
    },
    async create(data: NewMission): Promise<Mission> {
      const rows = await db.insert(missions).values(data).returning();
      return rows[0]!;
--- a/packages/cli/src/auth.ts
+++ b/packages/cli/src/auth.ts
@@ -0,0 +1,115 @@
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
 import { resolve } from 'node:path';
 import { homedir } from 'node:os';
 const SESSION_DIR = resolve(homedir(), '.mosaic');
 const SESSION_FILE = resolve(SESSION_DIR, 'session.json');
 interface StoredSession {
  gatewayUrl: string;
  cookie: string;
  userId: string;
  email: string;
  expiresAt: string;
 }
 export interface AuthResult {
  cookie: string;
  userId: string;
  email: string;
 }
 /**
 * Sign in to the gateway and return the session cookie.
 */
 export async function signIn(
  gatewayUrl: string,
  email: string,
  password: string,
 ): Promise<AuthResult> {
  const res = await fetch(`${gatewayUrl}/api/auth/sign-in/email`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Origin: gatewayUrl },
    body: JSON.stringify({ email, password }),
    redirect: 'manual',
  });
  if (!res.ok) {
    const body = await res.text().catch(() => '');
    throw new Error(`Sign-in failed (${res.status}): ${body}`);
  }
  // Extract set-cookie header
  const setCookieHeader = res.headers.getSetCookie?.() ?? [];
  const sessionCookie = setCookieHeader
    .map((c) => c.split(';')[0]!)
    .filter((c) => c.startsWith('better-auth.session_token='))
    .join('; ');
  if (!sessionCookie) {
    throw new Error('No session cookie returned from sign-in');
  }
  // Parse the response body for user info
  const data = (await res.json()) as { user?: { id: string; email: string } };
  const userId = data.user?.id ?? 'unknown';
  const userEmail = data.user?.email ?? email;
  return { cookie: sessionCookie, userId, email: userEmail };
 }
 /**
 * Save session to ~/.mosaic/session.json
 */
 export function saveSession(gatewayUrl: string, auth: AuthResult): void {
  if (!existsSync(SESSION_DIR)) {
    mkdirSync(SESSION_DIR, { recursive: true });
  }
  const session: StoredSession = {
    gatewayUrl,
    cookie: auth.cookie,
    userId: auth.userId,
    email: auth.email,
    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(), // 7 days
  };
  writeFileSync(SESSION_FILE, JSON.stringify(session, null, 2), 'utf-8');
 }
 /**
 * Load a saved session. Returns null if no session, expired, or wrong gateway.
 */
 export function loadSession(gatewayUrl: string): AuthResult | null {
  if (!existsSync(SESSION_FILE)) return null;
  try {
    const raw = readFileSync(SESSION_FILE, 'utf-8');
    const session = JSON.parse(raw) as StoredSession;
    if (session.gatewayUrl !== gatewayUrl) return null;
    if (new Date(session.expiresAt) < new Date()) return null;
    return {
      cookie: session.cookie,
      userId: session.userId,
      email: session.email,
    };
  } catch {
    return null;
  }
 }
 /**
 * Validate that a stored session is still active by hitting get-session.
 */
 export async function validateSession(gatewayUrl: string, cookie: string): Promise<boolean> {
  try {
    const res = await fetch(`${gatewayUrl}/api/auth/get-session`, {
      headers: { Cookie: cookie, Origin: gatewayUrl },
    });
    return res.ok;
  } catch {
    return false;
  }
 }
--- a/packages/cli/src/cli.ts
+++ b/packages/cli/src/cli.ts
@@ -8,13 +8,173 @@ const program = new Command();
 program.name('mosaic').description('Mosaic Stack CLI').version('0.0.0');
 // ─── login ──────────────────────────────────────────────────────────────
 program
  .command('login')
  .description('Sign in to a Mosaic gateway')
  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
  .option('-e, --email <email>', 'Email address')
  .option('-p, --password <password>', 'Password')
  .action(async (opts: { gateway: string; email?: string; password?: string }) => {
    const { signIn, saveSession } = await import('./auth.js');
    let email = opts.email;
    let password = opts.password;
    if (!email || !password) {
      const readline = await import('node:readline');
      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
      const ask = (q: string): Promise<string> => new Promise((resolve) => rl.question(q, resolve));
      if (!email) email = await ask('Email: ');
      if (!password) password = await ask('Password: ');
      rl.close();
    }
    try {
      const auth = await signIn(opts.gateway, email, password);
      saveSession(opts.gateway, auth);
      console.log(`Signed in as ${auth.email} (${opts.gateway})`);
    } catch (err) {
      console.error(err instanceof Error ? err.message : String(err));
      process.exit(1);
    }
  });
 // ─── tui ────────────────────────────────────────────────────────────────
 program
  .command('tui')
  .description('Launch interactive TUI connected to the gateway')
  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
  .option('-c, --conversation <id>', 'Resume a conversation by ID')
-  .action(async (opts: { gateway: string; conversation?: string }) => {
+  .option('-m, --model <modelId>', 'Model ID to use (e.g. gpt-4o, llama3.2)')
-    // Dynamic import to avoid loading React/Ink for other commands
+  .option('-p, --provider <provider>', 'Provider to use (e.g. openai, ollama)')
  .action(
    async (opts: { gateway: string; conversation?: string; model?: string; provider?: string }) => {
      const { loadSession, validateSession, signIn, saveSession } = await import('./auth.js');
      // Try loading saved session
      let session = loadSession(opts.gateway);
      if (session) {
        const valid = await validateSession(opts.gateway, session.cookie);
        if (!valid) {
          console.log('Session expired. Please sign in again.');
          session = null;
        }
      }
      // No valid session — prompt for credentials
      if (!session) {
        const readline = await import('node:readline');
        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
        const ask = (q: string): Promise<string> =>
          new Promise((resolve) => rl.question(q, resolve));
        console.log(`Sign in to ${opts.gateway}`);
        const email = await ask('Email: ');
        const password = await ask('Password: ');
        rl.close();
        try {
          const auth = await signIn(opts.gateway, email, password);
          saveSession(opts.gateway, auth);
          session = auth;
          console.log(`Signed in as ${auth.email}\n`);
        } catch (err) {
          console.error(err instanceof Error ? err.message : String(err));
          process.exit(1);
        }
      }
      // Dynamic import to avoid loading React/Ink for other commands
      const { render } = await import('ink');
      const React = await import('react');
      const { TuiApp } = await import('./tui/app.js');
      render(
        React.createElement(TuiApp, {
          gatewayUrl: opts.gateway,
          conversationId: opts.conversation,
          sessionCookie: session.cookie,
          initialModel: opts.model,
          initialProvider: opts.provider,
        }),
      );
    },
  );
 // ─── sessions ───────────────────────────────────────────────────────────
 const sessionsCmd = program.command('sessions').description('Manage active agent sessions');
 sessionsCmd
  .command('list')
  .description('List active agent sessions')
  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
  .action(async (opts: { gateway: string }) => {
    const { loadSession, validateSession } = await import('./auth.js');
    const { fetchSessions } = await import('./tui/gateway-api.js');
    const session = loadSession(opts.gateway);
    if (!session) {
      console.error('Not signed in. Run `mosaic login` first.');
      process.exit(1);
    }
    const valid = await validateSession(opts.gateway, session.cookie);
    if (!valid) {
      console.error('Session expired. Run `mosaic login` again.');
      process.exit(1);
    }
    try {
      const result = await fetchSessions(opts.gateway, session.cookie);
      if (result.total === 0) {
        console.log('No active sessions.');
        return;
      }
      console.log(`Active sessions (${result.total}):\n`);
      for (const s of result.sessions) {
        const created = new Date(s.createdAt).toLocaleString();
        const durationSec = Math.round(s.durationMs / 1000);
        console.log(`  ID:       ${s.id}`);
        console.log(`  Model:    ${s.provider}/${s.modelId}`);
        console.log(`  Created:  ${created}`);
        console.log(`  Prompts:  ${s.promptCount}`);
        console.log(`  Duration: ${durationSec}s`);
        if (s.channels.length > 0) {
          console.log(`  Channels: ${s.channels.join(', ')}`);
        }
        console.log('');
      }
    } catch (err) {
      console.error(err instanceof Error ? err.message : String(err));
      process.exit(1);
    }
  });
 sessionsCmd
  .command('resume <id>')
  .description('Resume an existing agent session in the TUI')
  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
  .action(async (id: string, opts: { gateway: string }) => {
    const { loadSession, validateSession } = await import('./auth.js');
    const session = loadSession(opts.gateway);
    if (!session) {
      console.error('Not signed in. Run `mosaic login` first.');
      process.exit(1);
    }
    const valid = await validateSession(opts.gateway, session.cookie);
    if (!valid) {
      console.error('Session expired. Run `mosaic login` again.');
      process.exit(1);
    }
    const { render } = await import('ink');
    const React = await import('react');
    const { TuiApp } = await import('./tui/app.js');
@@ -22,29 +182,59 @@ program
    render(
      React.createElement(TuiApp, {
        gatewayUrl: opts.gateway,
-        conversationId: opts.conversation,
+        conversationId: id,
        sessionCookie: session.cookie,
      }),
    );
  });
-// prdy subcommand
+sessionsCmd
-// buildPrdyCli() returns a wrapper Command; extract the 'prdy' subcommand from it.
+  .command('destroy <id>')
-// Type cast is required because @mosaic/prdy uses commander@12 while @mosaic/cli uses commander@13.
+  .description('Terminate an active agent session')
  .option('-g, --gateway <url>', 'Gateway URL', 'http://localhost:4000')
  .action(async (id: string, opts: { gateway: string }) => {
    const { loadSession, validateSession } = await import('./auth.js');
    const { deleteSession } = await import('./tui/gateway-api.js');
    const session = loadSession(opts.gateway);
    if (!session) {
      console.error('Not signed in. Run `mosaic login` first.');
      process.exit(1);
    }
    const valid = await validateSession(opts.gateway, session.cookie);
    if (!valid) {
      console.error('Session expired. Run `mosaic login` again.');
      process.exit(1);
    }
    try {
      await deleteSession(opts.gateway, session.cookie, id);
      console.log(`Session ${id} destroyed.`);
    } catch (err) {
      console.error(err instanceof Error ? err.message : String(err));
      process.exit(1);
    }
  });
 // ─── prdy ───────────────────────────────────────────────────────────────
 const prdyWrapper = buildPrdyCli();
 const prdyCmd = prdyWrapper.commands.find((c) => c.name() === 'prdy');
 if (prdyCmd !== undefined) {
  program.addCommand(prdyCmd as unknown as Command);
 }
-// quality-rails subcommand
+// ─── quality-rails ──────────────────────────────────────────────────────
-// createQualityRailsCli() returns a wrapper Command; extract the 'quality-rails' subcommand.
+
 const qrWrapper = createQualityRailsCli();
 const qrCmd = qrWrapper.commands.find((c) => c.name() === 'quality-rails');
 if (qrCmd !== undefined) {
  program.addCommand(qrCmd as unknown as Command);
 }
-// wizard subcommand — wraps @mosaic/mosaic installation wizard
+// ─── wizard ─────────────────────────────────────────────────────────────
 program
  .command('wizard')
  .description('Run the Mosaic installation wizard')
@@ -60,7 +250,6 @@ program
  .option('--pronouns <pronouns>', 'Your pronouns')
  .option('--timezone <tz>', 'Your timezone')
  .action(async (opts: Record<string, string | boolean | undefined>) => {
    // Dynamic import to avoid loading wizard deps for other commands
    const {
      runWizard,
      ClackPrompter,
--- a/packages/cli/src/tui/app.tsx
+++ b/packages/cli/src/tui/app.tsx
@@ -3,18 +3,41 @@ import { Box, Text, useInput, useApp } from 'ink';
 import TextInput from 'ink-text-input';
 import Spinner from 'ink-spinner';
 import { io, type Socket } from 'socket.io-client';
 import { fetchAvailableModels, type ModelInfo } from './gateway-api.js';
 interface Message {
-  role: 'user' | 'assistant';
+  role: 'user' | 'assistant' | 'system';
  content: string;
 }
 interface TuiAppProps {
  gatewayUrl: string;
  conversationId?: string;
  sessionCookie?: string;
  initialModel?: string;
  initialProvider?: string;
 }
-export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: TuiAppProps) {
+/**
 * Parse a slash command from user input.
 * Returns null if the input is not a slash command.
 */
 function parseSlashCommand(value: string): { command: string; args: string[] } | null {
  const trimmed = value.trim();
  if (!trimmed.startsWith('/')) return null;
  const parts = trimmed.slice(1).split(/\s+/);
  const command = parts[0]?.toLowerCase() ?? '';
  const args = parts.slice(1);
  return { command, args };
 }
 export function TuiApp({
  gatewayUrl,
  conversationId: initialConversationId,
  sessionCookie,
  initialModel,
  initialProvider,
 }: TuiAppProps) {
  const { exit } = useApp();
  const [messages, setMessages] = useState<Message[]>([]);
  const [input, setInput] = useState('');
@@ -22,11 +45,38 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
  const [connected, setConnected] = useState(false);
  const [conversationId, setConversationId] = useState(initialConversationId);
  const [currentStreamText, setCurrentStreamText] = useState('');
  // Model/provider state
  const [currentModel, setCurrentModel] = useState<string | undefined>(initialModel);
  const [currentProvider, setCurrentProvider] = useState<string | undefined>(initialProvider);
  const [availableModels, setAvailableModels] = useState<ModelInfo[]>([]);
  const socketRef = useRef<Socket | null>(null);
  const currentStreamTextRef = useRef('');
  // Fetch available models on mount
  useEffect(() => {
    fetchAvailableModels(gatewayUrl, sessionCookie)
      .then((models) => {
        setAvailableModels(models);
        // If no model/provider specified and models are available, show the default
        if (!initialModel && !initialProvider && models.length > 0) {
          const first = models[0];
          if (first) {
            setCurrentModel(first.id);
            setCurrentProvider(first.provider);
          }
        }
      })
      .catch(() => {
        // Non-fatal: TUI works without model list
      });
  }, [gatewayUrl, sessionCookie, initialModel, initialProvider]);
  useEffect(() => {
    const socket = io(`${gatewayUrl}/chat`, {
      transports: ['websocket'],
      extraHeaders: sessionCookie ? { Cookie: sessionCookie } : undefined,
    });
    socketRef.current = socket;
@@ -53,20 +103,22 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
    socket.on('agent:start', () => {
      setIsStreaming(true);
      currentStreamTextRef.current = '';
      setCurrentStreamText('');
    });
    socket.on('agent:text', (data: { text: string }) => {
-      setCurrentStreamText((prev) => prev + data.text);
+      currentStreamTextRef.current += data.text;
      setCurrentStreamText(currentStreamTextRef.current);
    });
    socket.on('agent:end', () => {
-      setCurrentStreamText((prev) => {
+      const finalText = currentStreamTextRef.current;
-        if (prev) {
+      currentStreamTextRef.current = '';
-          setMessages((msgs) => [...msgs, { role: 'assistant', content: prev }]);
+      setCurrentStreamText('');
-        }
+      if (finalText) {
-        return '';
+        setMessages((msgs) => [...msgs, { role: 'assistant', content: finalText }]);
-      });
+      }
      setIsStreaming(false);
    });
@@ -80,9 +132,164 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
    };
  }, [gatewayUrl]);
  /**
   * Handle /model and /provider slash commands.
   * Returns true if the input was a handled slash command (should not be sent to gateway).
   */
  const handleSlashCommand = useCallback(
    (value: string): boolean => {
      const parsed = parseSlashCommand(value);
      if (!parsed) return false;
      const { command, args } = parsed;
      if (command === 'model') {
        if (args.length === 0) {
          // List available models
          if (availableModels.length === 0) {
            setMessages((msgs) => [
              ...msgs,
              {
                role: 'system',
                content:
                  'No models available (could not reach gateway). Use /model <modelId> to set one manually.',
              },
            ]);
          } else {
            const lines = availableModels.map(
              (m) =>
                `  ${m.provider}/${m.id}${m.id === currentModel && m.provider === currentProvider ? ' (active)' : ''}`,
            );
            setMessages((msgs) => [
              ...msgs,
              {
                role: 'system',
                content: `Available models:\n${lines.join('\n')}`,
              },
            ]);
          }
        } else {
          // Switch model: /model <modelId> or /model <provider>/<modelId>
          const arg = args[0]!;
          const slashIdx = arg.indexOf('/');
          let newProvider: string | undefined;
          let newModelId: string;
          if (slashIdx !== -1) {
            newProvider = arg.slice(0, slashIdx);
            newModelId = arg.slice(slashIdx + 1);
          } else {
            newModelId = arg;
            // Try to find provider from available models list
            const match = availableModels.find((m) => m.id === newModelId);
            newProvider = match?.provider ?? currentProvider;
          }
          setCurrentModel(newModelId);
          if (newProvider) setCurrentProvider(newProvider);
          setMessages((msgs) => [
            ...msgs,
            {
              role: 'system',
              content: `Switched to model: ${newProvider ? `${newProvider}/` : ''}${newModelId}. Takes effect on next message.`,
            },
          ]);
        }
        return true;
      }
      if (command === 'provider') {
        if (args.length === 0) {
          // List providers from available models
          const providers = [...new Set(availableModels.map((m) => m.provider))];
          if (providers.length === 0) {
            setMessages((msgs) => [
              ...msgs,
              {
                role: 'system',
                content:
                  'No providers available (could not reach gateway). Use /provider <name> to set one manually.',
              },
            ]);
          } else {
            const lines = providers.map((p) => `  ${p}${p === currentProvider ? ' (active)' : ''}`);
            setMessages((msgs) => [
              ...msgs,
              {
                role: 'system',
                content: `Available providers:\n${lines.join('\n')}`,
              },
            ]);
          }
        } else {
          const newProvider = args[0]!;
          setCurrentProvider(newProvider);
          // If switching provider, auto-select first model for that provider
          const providerModels = availableModels.filter((m) => m.provider === newProvider);
          if (providerModels.length > 0 && providerModels[0]) {
            setCurrentModel(providerModels[0].id);
            setMessages((msgs) => [
              ...msgs,
              {
                role: 'system',
                content: `Switched to provider: ${newProvider} (model: ${providerModels[0]!.id}). Takes effect on next message.`,
              },
            ]);
          } else {
            setMessages((msgs) => [
              ...msgs,
              {
                role: 'system',
                content: `Switched to provider: ${newProvider}. Takes effect on next message.`,
              },
            ]);
          }
        }
        return true;
      }
      if (command === 'help') {
        setMessages((msgs) => [
          ...msgs,
          {
            role: 'system',
            content: [
              'Available commands:',
              '  /model              — list available models',
              '  /model <id>         — switch model (e.g. /model gpt-4o)',
              '  /model <p>/<id>     — switch model with provider (e.g. /model ollama/llama3.2)',
              '  /provider           — list available providers',
              '  /provider <name>    — switch provider (e.g. /provider ollama)',
              '  /help               — show this help',
            ].join('\n'),
          },
        ]);
        return true;
      }
      // Unknown slash command — let the user know
      setMessages((msgs) => [
        ...msgs,
        {
          role: 'system',
          content: `Unknown command: /${command}. Type /help for available commands.`,
        },
      ]);
      return true;
    },
    [availableModels, currentModel, currentProvider],
  );
  const handleSubmit = useCallback(
    (value: string) => {
      if (!value.trim() || isStreaming) return;
      setInput('');
      // Handle slash commands first
      if (handleSlashCommand(value)) return;
      if (!socketRef.current?.connected) {
        setMessages((msgs) => [
          ...msgs,
@@ -92,14 +299,15 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
      }
      setMessages((msgs) => [...msgs, { role: 'user', content: value }]);
      setInput('');
      socketRef.current.emit('message', {
        conversationId,
        content: value,
        provider: currentProvider,
        modelId: currentModel,
      });
    },
-    [conversationId, isStreaming],
+    [conversationId, isStreaming, currentModel, currentProvider, handleSlashCommand],
  );
  useInput((ch, key) => {
@@ -108,6 +316,12 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
    }
  });
  const modelLabel = currentModel
    ? currentProvider
      ? `${currentProvider}/${currentModel}`
      : currentModel
    : null;
  return (
    <Box flexDirection="column" padding={1}>
      <Box marginBottom={1}>
@@ -117,15 +331,29 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
        <Text> </Text>
        <Text dimColor>{connected ? `connected` : 'connecting...'}</Text>
        {conversationId && <Text dimColor> | {conversationId.slice(0, 8)}</Text>}
        {modelLabel && (
          <>
            <Text dimColor> | </Text>
            <Text color="yellow">{modelLabel}</Text>
          </>
        )}
      </Box>
      <Box flexDirection="column" marginBottom={1}>
        {messages.map((msg, i) => (
          <Box key={i} marginBottom={1}>
-            <Text bold color={msg.role === 'user' ? 'green' : 'cyan'}>
+            {msg.role === 'system' ? (
-              {msg.role === 'user' ? '> ' : '  '}
+              <Text dimColor italic>
-            </Text>
+                {msg.content}
-            <Text wrap="wrap">{msg.content}</Text>
+              </Text>
            ) : (
              <>
                <Text bold color={msg.role === 'user' ? 'green' : 'cyan'}>
                  {msg.role === 'user' ? '> ' : '  '}
                </Text>
                <Text wrap="wrap">{msg.content}</Text>
              </>
            )}
          </Box>
        ))}
@@ -156,7 +384,7 @@ export function TuiApp({ gatewayUrl, conversationId: initialConversationId }: Tu
          value={input}
          onChange={setInput}
          onSubmit={handleSubmit}
-          placeholder={isStreaming ? 'waiting...' : 'type a message'}
+          placeholder={isStreaming ? 'waiting...' : 'type a message or /help'}
        />
      </Box>
    </Box>
--- a/packages/cli/src/tui/gateway-api.ts
+++ b/packages/cli/src/tui/gateway-api.ts
@@ -0,0 +1,114 @@
 /**
 * Minimal gateway REST API client for the TUI.
 */
 export interface ModelInfo {
  id: string;
  provider: string;
  name: string;
 }
 export interface ProviderInfo {
  id: string;
  name: string;
  available: boolean;
  models: ModelInfo[];
 }
 export interface SessionInfo {
  id: string;
  provider: string;
  modelId: string;
  createdAt: string;
  promptCount: number;
  channels: string[];
  durationMs: number;
 }
 export interface SessionListResult {
  sessions: SessionInfo[];
  total: number;
 }
 /**
 * Fetch the list of available models from the gateway.
 * Returns an empty array on network or auth errors so the TUI can still function.
 */
 export async function fetchAvailableModels(
  gatewayUrl: string,
  sessionCookie?: string,
 ): Promise<ModelInfo[]> {
  try {
    const res = await fetch(`${gatewayUrl}/api/providers/models`, {
      headers: {
        ...(sessionCookie ? { Cookie: sessionCookie } : {}),
        Origin: gatewayUrl,
      },
    });
    if (!res.ok) return [];
    const data = (await res.json()) as ModelInfo[];
    return Array.isArray(data) ? data : [];
  } catch {
    return [];
  }
 }
 /**
 * Fetch the list of providers (with their models) from the gateway.
 * Returns an empty array on network or auth errors.
 */
 export async function fetchProviders(
  gatewayUrl: string,
  sessionCookie?: string,
 ): Promise<ProviderInfo[]> {
  try {
    const res = await fetch(`${gatewayUrl}/api/providers`, {
      headers: {
        ...(sessionCookie ? { Cookie: sessionCookie } : {}),
        Origin: gatewayUrl,
      },
    });
    if (!res.ok) return [];
    const data = (await res.json()) as ProviderInfo[];
    return Array.isArray(data) ? data : [];
  } catch {
    return [];
  }
 }
 /**
 * Fetch the list of active agent sessions from the gateway.
 * Throws on network or auth errors.
 */
 export async function fetchSessions(
  gatewayUrl: string,
  sessionCookie: string,
 ): Promise<SessionListResult> {
  const res = await fetch(`${gatewayUrl}/api/sessions`, {
    headers: { Cookie: sessionCookie, Origin: gatewayUrl },
  });
  if (!res.ok) {
    const body = await res.text().catch(() => '');
    throw new Error(`Failed to list sessions (${res.status}): ${body}`);
  }
  return (await res.json()) as SessionListResult;
 }
 /**
 * Destroy (terminate) an agent session on the gateway.
 * Throws on network or auth errors.
 */
 export async function deleteSession(
  gatewayUrl: string,
  sessionCookie: string,
  sessionId: string,
 ): Promise<void> {
  const res = await fetch(`${gatewayUrl}/api/sessions/${encodeURIComponent(sessionId)}`, {
    method: 'DELETE',
    headers: { Cookie: sessionCookie, Origin: gatewayUrl },
  });
  if (!res.ok && res.status !== 204) {
    const body = await res.text().catch(() => '');
    throw new Error(`Failed to destroy session (${res.status}): ${body}`);
  }
 }
--- a/packages/db/drizzle/0001_cynical_ultimatum.sql
+++ b/packages/db/drizzle/0001_cynical_ultimatum.sql
@@ -0,0 +1,81 @@
 CREATE TABLE "agent_logs" (
 	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
 	"session_id" text NOT NULL,
 	"user_id" text,
 	"level" text DEFAULT 'info' NOT NULL,
 	"category" text DEFAULT 'general' NOT NULL,
 	"content" text NOT NULL,
 	"metadata" jsonb,
 	"tier" text DEFAULT 'hot' NOT NULL,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"summarized_at" timestamp with time zone,
 	"archived_at" timestamp with time zone
 );
 --> statement-breakpoint
 CREATE TABLE "insights" (
 	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
 	"user_id" text NOT NULL,
 	"content" text NOT NULL,
 	"embedding" vector(1536),
 	"source" text DEFAULT 'agent' NOT NULL,
 	"category" text DEFAULT 'general' NOT NULL,
 	"relevance_score" real DEFAULT 1 NOT NULL,
 	"metadata" jsonb,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"decayed_at" timestamp with time zone
 );
 --> statement-breakpoint
 CREATE TABLE "preferences" (
 	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
 	"user_id" text NOT NULL,
 	"key" text NOT NULL,
 	"value" jsonb NOT NULL,
 	"category" text DEFAULT 'general' NOT NULL,
 	"source" text,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"updated_at" timestamp with time zone DEFAULT now() NOT NULL
 );
 --> statement-breakpoint
 CREATE TABLE "skills" (
 	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
 	"name" text NOT NULL,
 	"description" text,
 	"version" text,
 	"source" text DEFAULT 'custom' NOT NULL,
 	"config" jsonb,
 	"enabled" boolean DEFAULT true NOT NULL,
 	"installed_by" text,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
 	CONSTRAINT "skills_name_unique" UNIQUE("name")
 );
 --> statement-breakpoint
 CREATE TABLE "summarization_jobs" (
 	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
 	"status" text DEFAULT 'pending' NOT NULL,
 	"logs_processed" integer DEFAULT 0 NOT NULL,
 	"insights_created" integer DEFAULT 0 NOT NULL,
 	"error_message" text,
 	"started_at" timestamp with time zone,
 	"completed_at" timestamp with time zone,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL
 );
 --> statement-breakpoint
 ALTER TABLE "conversations" ADD COLUMN "archived" boolean DEFAULT false NOT NULL;--> statement-breakpoint
 ALTER TABLE "agent_logs" ADD CONSTRAINT "agent_logs_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "insights" ADD CONSTRAINT "insights_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "preferences" ADD CONSTRAINT "preferences_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "skills" ADD CONSTRAINT "skills_installed_by_users_id_fk" FOREIGN KEY ("installed_by") REFERENCES "public"."users"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
 CREATE INDEX "agent_logs_session_id_idx" ON "agent_logs" USING btree ("session_id");--> statement-breakpoint
 CREATE INDEX "agent_logs_user_id_idx" ON "agent_logs" USING btree ("user_id");--> statement-breakpoint
 CREATE INDEX "agent_logs_tier_idx" ON "agent_logs" USING btree ("tier");--> statement-breakpoint
 CREATE INDEX "agent_logs_created_at_idx" ON "agent_logs" USING btree ("created_at");--> statement-breakpoint
 CREATE INDEX "insights_user_id_idx" ON "insights" USING btree ("user_id");--> statement-breakpoint
 CREATE INDEX "insights_category_idx" ON "insights" USING btree ("category");--> statement-breakpoint
 CREATE INDEX "insights_relevance_idx" ON "insights" USING btree ("relevance_score");--> statement-breakpoint
 CREATE INDEX "preferences_user_id_idx" ON "preferences" USING btree ("user_id");--> statement-breakpoint
 CREATE INDEX "preferences_user_key_idx" ON "preferences" USING btree ("user_id","key");--> statement-breakpoint
 CREATE INDEX "skills_enabled_idx" ON "skills" USING btree ("enabled");--> statement-breakpoint
 CREATE INDEX "summarization_jobs_status_idx" ON "summarization_jobs" USING btree ("status");--> statement-breakpoint
 CREATE INDEX "conversations_archived_idx" ON "conversations" USING btree ("archived");
--- a/packages/db/drizzle/0001_magical_rattler.sql
+++ b/packages/db/drizzle/0001_magical_rattler.sql
@@ -0,0 +1,29 @@
 CREATE TABLE "mission_tasks" (
 	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
 	"mission_id" uuid NOT NULL,
 	"task_id" uuid,
 	"user_id" text NOT NULL,
 	"status" text DEFAULT 'not-started' NOT NULL,
 	"description" text,
 	"notes" text,
 	"pr" text,
 	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
 	"updated_at" timestamp with time zone DEFAULT now() NOT NULL
 );
 --> statement-breakpoint
 ALTER TABLE "missions" ADD COLUMN "user_id" text;--> statement-breakpoint
 ALTER TABLE "missions" ADD COLUMN "phase" text;--> statement-breakpoint
 ALTER TABLE "missions" ADD COLUMN "milestones" jsonb;--> statement-breakpoint
 ALTER TABLE "missions" ADD COLUMN "config" jsonb;--> statement-breakpoint
 ALTER TABLE "users" ADD COLUMN "banned" boolean DEFAULT false;--> statement-breakpoint
 ALTER TABLE "users" ADD COLUMN "ban_reason" text;--> statement-breakpoint
 ALTER TABLE "users" ADD COLUMN "ban_expires" timestamp with time zone;--> statement-breakpoint
 ALTER TABLE "mission_tasks" ADD CONSTRAINT "mission_tasks_mission_id_missions_id_fk" FOREIGN KEY ("mission_id") REFERENCES "public"."missions"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "mission_tasks" ADD CONSTRAINT "mission_tasks_task_id_tasks_id_fk" FOREIGN KEY ("task_id") REFERENCES "public"."tasks"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
 ALTER TABLE "mission_tasks" ADD CONSTRAINT "mission_tasks_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 CREATE INDEX "mission_tasks_mission_id_idx" ON "mission_tasks" USING btree ("mission_id");--> statement-breakpoint
 CREATE INDEX "mission_tasks_task_id_idx" ON "mission_tasks" USING btree ("task_id");--> statement-breakpoint
 CREATE INDEX "mission_tasks_user_id_idx" ON "mission_tasks" USING btree ("user_id");--> statement-breakpoint
 CREATE INDEX "mission_tasks_status_idx" ON "mission_tasks" USING btree ("status");--> statement-breakpoint
 ALTER TABLE "missions" ADD CONSTRAINT "missions_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 CREATE INDEX "missions_user_id_idx" ON "missions" USING btree ("user_id");
--- a/packages/db/drizzle/meta/0001_snapshot.json
+++ b/packages/db/drizzle/meta/0001_snapshot.json
--- a/packages/db/drizzle/meta/_journal.json
+++ b/packages/db/drizzle/meta/_journal.json
@@ -8,6 +8,13 @@
      "when": 1773368153122,
      "tag": "0000_loud_ezekiel_stane",
      "breakpoints": true
    },
    {
      "idx": 1,
      "version": "7",
      "when": 1773602195609,
      "tag": "0001_magical_rattler",
      "breakpoints": true
    }
  ]
-}
+}
--- a/packages/db/src/schema.ts
+++ b/packages/db/src/schema.ts
@@ -25,6 +25,9 @@ export const users = pgTable('users', {
  emailVerified: boolean('email_verified').notNull().default(false),
  image: text('image'),
  role: text('role').notNull().default('member'),
  banned: boolean('banned').default(false),
  banReason: text('ban_reason'),
  banExpires: timestamp('ban_expires', { withTimezone: true }),
  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
 });
@@ -95,11 +98,18 @@ export const missions = pgTable(
      .notNull()
      .default('planning'),
    projectId: uuid('project_id').references(() => projects.id, { onDelete: 'set null' }),
    userId: text('user_id').references(() => users.id, { onDelete: 'cascade' }),
    phase: text('phase'),
    milestones: jsonb('milestones').$type<Record<string, unknown>[]>(),
    config: jsonb('config'),
    metadata: jsonb('metadata'),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
  },
-  (t) => [index('missions_project_id_idx').on(t.projectId)],
+  (t) => [
    index('missions_project_id_idx').on(t.projectId),
    index('missions_user_id_idx').on(t.userId),
  ],
 );
 export const tasks = pgTable(
@@ -132,6 +142,40 @@ export const tasks = pgTable(
  ],
 );
 // ─── Coord Mission Tasks ─────────────────────────────────────────────────────
 // Join table tracking coord-managed tasks within a mission.
 // Scoped to userId for multi-tenant RBAC isolation.
 export const missionTasks = pgTable(
  'mission_tasks',
  {
    id: uuid('id').primaryKey().defaultRandom(),
    missionId: uuid('mission_id')
      .notNull()
      .references(() => missions.id, { onDelete: 'cascade' }),
    taskId: uuid('task_id').references(() => tasks.id, { onDelete: 'set null' }),
    userId: text('user_id')
      .notNull()
      .references(() => users.id, { onDelete: 'cascade' }),
    status: text('status', {
      enum: ['not-started', 'in-progress', 'blocked', 'done', 'cancelled'],
    })
      .notNull()
      .default('not-started'),
    description: text('description'),
    notes: text('notes'),
    pr: text('pr'),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
  },
  (t) => [
    index('mission_tasks_mission_id_idx').on(t.missionId),
    index('mission_tasks_task_id_idx').on(t.taskId),
    index('mission_tasks_user_id_idx').on(t.userId),
    index('mission_tasks_status_idx').on(t.status),
  ],
 );
 export const events = pgTable(
  'events',
  {
@@ -199,12 +243,14 @@ export const conversations = pgTable(
      .notNull()
      .references(() => users.id, { onDelete: 'cascade' }),
    projectId: uuid('project_id').references(() => projects.id, { onDelete: 'set null' }),
    archived: boolean('archived').notNull().default(false),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
  },
  (t) => [
    index('conversations_user_id_idx').on(t.userId),
    index('conversations_project_id_idx').on(t.projectId),
    index('conversations_archived_idx').on(t.archived),
  ],
 );
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
Author	SHA1	Message	Date
Jason Woltje	cd57c75e41	chore(orchestrator): Phase 7 complete — v0.0.8 verified (#154 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:50:15 +00:00
Jason Woltje	237a863dfd	docs(deploy): add deployment guide and expand .env.example (#153 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:46:38 +00:00
Jason Woltje	cb92ba16c1	feat(web): Playwright E2E test suite for critical paths (#152 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:46:13 +00:00
Jason Woltje	70e9f2c6bc	docs: user guide, admin guide, dev guide (closes #57 ) (#151 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:40:44 +00:00
Jason Woltje	a760401407	feat(admin): web admin panel — user CRUD, role assignment, system health (#150 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:18:47 +00:00
Jason Woltje	22a5e9791c	feat(coord): DB migration — project-scoped missions, multi-tenant RBAC (#149 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:18:18 +00:00
Jason Woltje	d1bef49b4e	feat(agent): session cwd sandbox, system prompt config, tool restrictions (#148 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:15:05 +00:00
Jason Woltje	76abf11eba	fix(cli): remove side-effect from agent:end state updater (#133 ) (#147 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:09:13 +00:00
Jason Woltje	c4850fe6c1	feat(cli): add sessions list/resume/destroy subcommands (#146 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 19:04:10 +00:00
Jason Woltje	0809f4e787	feat(web): settings persistence — profile, preferences save to DB (#124 ) (#145 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:43:52 +00:00
Jason Woltje	6a4c020179	feat(cli): add --model/--provider flags and /model /provider TUI commands (#144 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:41:36 +00:00
Jason Woltje	3bb401641e	feat(agent): skill invocation — load and execute skills from catalog (#128 ) (#143 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:36:58 +00:00
Jason Woltje	54b821d8bd	feat(web): provider management UI — list, test, model capabilities (#123 ) (#142 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:33:55 +00:00
Jason Woltje	09e649fc7e	feat(gateway): MCP client — connect to external MCP servers as agent tools (#127 ) (#141 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:28:31 +00:00
Jason Woltje	f208f72dc0	feat(web): project detail views — missions, tasks, PRD viewer (#122 ) (#140 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:28:14 +00:00
Jason Woltje	d42cd68ea4	feat(web): conversation management — search, rename, delete, archive (#121 ) (#139 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:20:15 +00:00
Jason Woltje	07647c8382	feat(agent): expand tool registry — file, git, shell, web fetch (#126 ) (#138 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:17:17 +00:00
Jason Woltje	8633823257	feat(gateway): add MCP server endpoint with streamable HTTP transport (#137 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:11:50 +00:00
Jason Woltje	d0999a8e37	feat(web): wire WebSocket chat with streaming and conversation switching (#120 ) (#136 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 18:09:14 +00:00
Jason Woltje	ea800e3f14	chore(orchestrator): Phase 7 planning — 10-wave execution plan (#135 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:47:55 +00:00
Jason Woltje	5d2e6fae63	chore(orchestrator): rescope Phase 7 as Feature Completion, add Phase 8 (#119 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:44:35 +00:00
Jason Woltje	fcd22c788a	chore(orchestrator): rescope Phase 7 + add Phase 8 (#118 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:32:37 +00:00
Jason Woltje	ab61a15edc	fix(agent): register Ollama with api: openai-completions (#117 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:10:32 +00:00
Jason Woltje	2c60459851	fix(agent): pass dummy apiKey for Ollama provider registration (#116 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:08:19 +00:00
Jason Woltje	ea524a6ba1	fix(cli): add Origin header to auth requests (#115 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:03:42 +00:00
Jason Woltje	997a6d134f	feat(cli): add login command and authenticated TUI sessions (#114 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 17:00:08 +00:00
Jason Woltje	8aaf229483	chore: remove deprecated husky v9 shim lines (#113 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 16:48:51 +00:00
Jason Woltje	049bb719e8	fix(auth): add CORS headers to BetterAuth raw HTTP handler (#112 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 16:47:27 +00:00
Jason Woltje	014ebdacda	fix(auth): add trustedOrigins to BetterAuth for cross-origin web dashboard (#111 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 16:44:20 +00:00
Jason Woltje	72a73c859c	fix(gateway): CORS, memory userId from session, pgvector auto-init (#110 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 16:40:28 +00:00
Jason Woltje	6d2b81f6e4	fix(gateway): add missing @Inject() decorators causing silent startup hang (#109 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 01:52:01 +00:00
Jason Woltje	9d01a0d484	fix(gateway): load .env from monorepo root via dotenv (#108 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 01:25:09 +00:00
Jason Woltje	d5102f62fa	fix(ci): use from_secret syntax for Woodpecker v2 (#107 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 01:16:36 +00:00
Jason Woltje	a881e707e2	ci: enable Turbo remote cache + parallelize pipeline steps (#106 ) Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-15 01:14:56 +00:00
		`@@ -0,0 +1 @@`
							`export const MCP_CLIENT_SERVICE = 'MCP_CLIENT_SERVICE';`