{"id":"bd-11y","title":"Unit tests for SpawnMixin validation","description":"## Overview\nCreate tests/test_spawn.py with comprehensive tests for SpawnMixin validation logic.\n\n## Background\nThe spawn validation is security-critical. Tests must cover:\n- Path traversal attacks\n- Symlink escape attempts\n- Invalid project names\n- Invalid agent types\n- Rate limiting behavior\n- Auth token validation\n\n## Test Structure\n```python\nimport pytest\nfrom pathlib import Path\nfrom unittest.mock import patch, MagicMock\n\nfrom amc_server.mixins.spawn import SpawnMixin, load_projects_cache, _projects_cache\n\n\nclass TestValidateSpawnParams:\n \"\"\"Tests for _validate_spawn_params security validation.\"\"\"\n\n def test_missing_project_returns_error(self):\n mixin = SpawnMixin()\n result = mixin._validate_spawn_params('', 'claude')\n assert result == {'error': 'project is required', 'code': 'MISSING_PROJECT'}\n\n def test_path_traversal_slash_rejected(self):\n mixin = SpawnMixin()\n result = mixin._validate_spawn_params('../etc', 'claude')\n assert result['code'] == 'INVALID_PROJECT'\n\n def test_path_traversal_dotdot_rejected(self):\n mixin = SpawnMixin()\n result = mixin._validate_spawn_params('foo..bar', 'claude')\n # Should be rejected because '..' in name\n assert result['code'] == 'INVALID_PROJECT'\n\n def test_backslash_rejected(self):\n mixin = SpawnMixin()\n result = mixin._validate_spawn_params('foo\\\\bar', 'claude')\n assert result['code'] == 'INVALID_PROJECT'\n\n @patch('amc_server.mixins.spawn.PROJECTS_DIR')\n def test_symlink_escape_rejected(self, mock_projects_dir):\n \"\"\"Symlink pointing outside projects dir should be rejected.\"\"\"\n # Setup: create mock that resolves to /etc/passwd\n mock_projects_dir.resolve.return_value = Path('/home/user/projects')\n # ... test symlink that escapes\n\n @patch('amc_server.mixins.spawn.PROJECTS_DIR')\n def test_nonexistent_project_rejected(self, mock_projects_dir):\n mock_projects_dir.__truediv__.return_value.resolve.side_effect = OSError\n mixin = SpawnMixin()\n result = mixin._validate_spawn_params('nonexistent', 'claude')\n assert result['code'] == 'PROJECT_NOT_FOUND'\n\n def test_invalid_agent_type_rejected(self):\n mixin = SpawnMixin()\n # Assume valid project exists\n with patch.object(mixin, '_validate_spawn_params') as mock:\n # Test that invalid agent type is caught\n pass\n\n @patch('amc_server.mixins.spawn.PROJECTS_DIR')\n def test_valid_project_returns_resolved_path(self, mock_projects_dir):\n \"\"\"Valid project returns resolved path for TOCTOU prevention.\"\"\"\n resolved = Path('/home/user/projects/amc')\n mock_projects_dir.resolve.return_value = Path('/home/user/projects')\n mock_projects_dir.__truediv__.return_value.resolve.return_value = resolved\n mock_projects_dir.__truediv__.return_value.resolve.return_value.is_dir.return_value = True\n # ... verify resolved_path in result\n\n\nclass TestProjectsCache:\n \"\"\"Tests for projects cache loading.\"\"\"\n\n @patch('amc_server.mixins.spawn.PROJECTS_DIR')\n def test_load_excludes_hidden_directories(self, mock_projects_dir):\n \"\"\"Hidden directories (.git, etc) should be excluded.\"\"\"\n pass\n\n @patch('amc_server.mixins.spawn.PROJECTS_DIR')\n def test_load_only_includes_directories(self, mock_projects_dir):\n \"\"\"Files should be excluded, only directories listed.\"\"\"\n pass\n\n @patch('amc_server.mixins.spawn.PROJECTS_DIR')\n def test_load_handles_oserror_gracefully(self, mock_projects_dir):\n \"\"\"OSError should result in empty cache, not crash.\"\"\"\n mock_projects_dir.iterdir.side_effect = OSError\n load_projects_cache()\n assert _projects_cache == []\n\n\nclass TestRateLimiting:\n \"\"\"Tests for per-project rate limiting.\"\"\"\n\n def test_first_spawn_allowed(self):\n pass\n\n def test_rapid_spawn_same_project_rejected(self):\n pass\n\n def test_spawn_different_project_allowed(self):\n pass\n\n def test_spawn_after_cooldown_allowed(self):\n pass\n\n\nclass TestAuthToken:\n \"\"\"Tests for auth token validation.\"\"\"\n\n def test_valid_bearer_token_accepted(self):\n pass\n\n def test_missing_auth_header_rejected(self):\n pass\n\n def test_wrong_token_rejected(self):\n pass\n\n def test_malformed_bearer_rejected(self):\n pass\n```\n\n## Security Test Coverage\nMust test these attack vectors:\n1. Path traversal: ../, ..\\, /../\n2. Symlink escape: symlink -> /etc/passwd\n3. Unicode attacks: project names with special chars\n4. Empty/whitespace project names\n5. Very long project names\n\n## Mocking Strategy\n- PROJECTS_DIR: Mock to test path validation without real filesystem\n- subprocess.run: Mock Zellij commands\n- time.time: Mock for rate limiting tests\n- _spawn_lock: Verify lock behavior\n\n## Success Criteria\n- All validation paths tested\n- All error codes verified\n- Security vectors covered\n- No test pollution (cleanup mocks)","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:42:21.597651Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:04:07.723410Z","closed_at":"2026-02-26T22:04:07.723357Z","close_reason":"Implemented 36 tests across 8 test classes covering: validation (path traversal, symlink escape, agent types), projects cache, rate limiting, auth tokens, JSON parsing, lock contention, projects/health endpoints","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-11y","depends_on_id":"bd-5m4","type":"blocks","created_at":"2026-02-26T21:42:24.992165Z","created_by":"tayloreernisse"}]} {"id":"bd-14p","title":"Test and handle special characters in project names","description":"## Overview\nVerify spawn works correctly with projects that have special characters in their names.\n\n## Background\nProject names may contain:\n- Hyphens: my-project\n- Underscores: my_project\n- Numbers: project2\n- Spaces: my project (though uncommon)\n- Unicode: 日本語project\n\n## Current Validation\n_validate_spawn_params() rejects:\n- / (path separator)\n- \\ (Windows path separator)\n- .. (path traversal)\n\nOther characters are allowed as long as the resolved path exists and is under PROJECTS_DIR.\n\n## Testing Required\n\n### Safe Characters (should work)\n```bash\n# Hyphen\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"my-project\",\"agent_type\":\"claude\"}'\n\n# Underscore\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"my_project\",\"agent_type\":\"claude\"}'\n\n# Numbers\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"project2\",\"agent_type\":\"claude\"}'\n```\n\n### Potentially Problematic (test carefully)\n```bash\n# Space (if project exists)\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"my project\",\"agent_type\":\"claude\"}'\n\n# Unicode\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"日本語\",\"agent_type\":\"claude\"}'\n```\n\n### Should Fail\n```bash\n# Path traversal\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"../etc\",\"agent_type\":\"claude\"}'\n\n# Slash in name\ncurl -X POST http://localhost:7400/api/spawn \\\n -d '{\"project\":\"foo/bar\",\"agent_type\":\"claude\"}'\n```\n\n## Potential Issues\n1. **Zellij tab names**: May have restrictions on tab naming\n2. **Shell escaping**: Pane commands may need escaping\n3. **Filesystem encoding**: Unicode paths on different filesystems\n\n## Implementation\nIf issues found:\n1. Add character filtering to validation\n2. Sanitize tab/pane names for Zellij\n3. Document supported characters\n\n## Test Plan\nCreate test projects with various names:\n```bash\nmkdir -p ~/projects/{test-hyphen,test_underscore,test123,'test space','test日本語'}\n# Run spawn tests for each\n```\n\n## Success Criteria\n- Hyphen, underscore, number projects work\n- Space projects work if they exist\n- Unsupported characters fail gracefully with clear error\n- No shell injection possible","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T21:43:48.133328Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:09:42.715424Z","closed_at":"2026-02-26T22:09:42.715379Z","close_reason":"Implemented and tested: reject control chars/null bytes in validation, sanitize Zellij pane names (strip quotes/backticks/control chars, truncate to 64), added 44 new tests covering safe chars, dangerous chars, shell metacharacters, pane name sanitization, and spawn command construction","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-14p","depends_on_id":"bd-5m4","type":"blocks","created_at":"2026-02-26T21:43:51.288324Z","created_by":"tayloreernisse"}]} {"id":"bd-15z","title":"Implement SpawnModal component","description":"## Overview\nCreate dashboard/components/SpawnModal.js - a modal for spawning new agents.\n\n## Background\nThe SpawnModal is context-aware:\n- When on a specific project tab: shows only agent type selector\n- When on 'All Projects' tab: shows project dropdown + agent type selector\n\nThis enables two workflows from the plan:\n1. Quick spawn from project tab (no project selection needed)\n2. Spawn for any project from All Projects view\n\n## Component Structure\n```javascript\nimport { html, useState, useEffect, useCallback } from '../lib/preact.js';\nimport { API_PROJECTS, API_SPAWN, fetchWithTimeout } from '../utils/api.js';\n\nexport function SpawnModal({ isOpen, onClose, onSpawn, currentProject }) {\n // State\n const [projects, setProjects] = useState([]);\n const [selectedProject, setSelectedProject] = useState('');\n const [agentType, setAgentType] = useState('claude');\n const [loading, setLoading] = useState(false);\n const [loadingProjects, setLoadingProjects] = useState(false);\n const [closing, setClosing] = useState(false);\n const [error, setError] = useState(null);\n\n const needsProjectPicker = \\!currentProject;\n // ...\n}\n```\n\n## Implementation (IMP-4)\n\n### Props\n- **isOpen**: boolean - whether modal is visible\n- **onClose**: () => void - callback when modal closes\n- **onSpawn**: (result) => void - callback with spawn result\n- **currentProject**: string | null - current project if on project tab, null for All Projects\n\n### State Management\n- projects: array of project names from /api/projects\n- selectedProject: selected project (only used when needsProjectPicker)\n- agentType: 'claude' | 'codex'\n- loading: spawn request in progress\n- loadingProjects: fetching projects list\n- closing: animation state for exit\n- error: error message to display\n\n### Effects\n\n1. **Body scroll lock** (matches Modal.js):\n```javascript\nuseEffect(() => {\n if (\\!isOpen) return;\n document.body.style.overflow = 'hidden';\n return () => { document.body.style.overflow = ''; };\n}, [isOpen]);\n```\n\n2. **Escape key handler**:\n```javascript\nuseEffect(() => {\n if (\\!isOpen) return;\n const handleKeyDown = (e) => {\n if (e.key === 'Escape') handleClose();\n };\n document.addEventListener('keydown', handleKeyDown);\n return () => document.removeEventListener('keydown', handleKeyDown);\n}, [isOpen, handleClose]);\n```\n\n3. **Fetch projects when needed**:\n```javascript\nuseEffect(() => {\n if (isOpen && needsProjectPicker) {\n setLoadingProjects(true);\n fetchWithTimeout(API_PROJECTS)\n .then(r => r.json())\n .then(data => {\n setProjects(data.projects || []);\n setSelectedProject('');\n })\n .catch(err => setError(err.message))\n .finally(() => setLoadingProjects(false));\n }\n}, [isOpen, needsProjectPicker]);\n```\n\n4. **Reset state on open**:\n```javascript\nuseEffect(() => {\n if (isOpen) {\n setAgentType('claude');\n setError(null);\n setLoading(false);\n setClosing(false);\n }\n}, [isOpen]);\n```\n\n### Animated Close\n```javascript\nconst handleClose = useCallback(() => {\n if (loading) return;\n setClosing(true);\n setTimeout(() => {\n setClosing(false);\n onClose();\n }, 200);\n}, [loading, onClose]);\n```\n\n### Spawn Handler\n```javascript\nconst handleSpawn = async () => {\n const project = currentProject || selectedProject;\n if (\\!project) {\n setError('Please select a project');\n return;\n }\n\n setLoading(true);\n setError(null);\n\n try {\n const response = await fetchWithTimeout(API_SPAWN, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'Authorization': `Bearer ${window.AMC_AUTH_TOKEN}`,\n },\n body: JSON.stringify({ project, agent_type: agentType })\n });\n const data = await response.json();\n\n if (data.ok) {\n onSpawn({ success: true, project, agentType });\n handleClose();\n } else {\n setError(data.error || 'Spawn failed');\n onSpawn({ error: data.error });\n }\n } catch (err) {\n const msg = err.name === 'AbortError' ? 'Request timed out' : err.message;\n setError(msg);\n onSpawn({ error: msg });\n } finally {\n setLoading(false);\n }\n};\n```\n\n### Render\nSee plan IMP-4 for full JSX structure. Key elements:\n- Backdrop with click-outside dismiss\n- Glass panel with animations\n- Project dropdown (conditional)\n- Agent type toggle buttons\n- Error display\n- Cancel/Spawn buttons\n\n## Styling Classes\nUses existing Tailwind classes from dashboard:\n- glass-panel: background blur effect\n- modal-backdrop-in/out: fade animations\n- modal-panel-in/out: slide animations\n- text-bright, text-dim: color hierarchy\n- border-active, bg-active: selection states\n\n## Auth Token (AC-38)\nUses window.AMC_AUTH_TOKEN injected by server:\n```javascript\n'Authorization': `Bearer ${window.AMC_AUTH_TOKEN}`\n```\n\n## Acceptance Criteria\n- AC-2: Project picker hidden when on project tab\n- AC-3: Project picker shown when on All Projects\n- AC-6: No default selection for project dropdown\n- AC-7: Agent type selector (Claude/Codex)\n- AC-20: Error display in modal\n- AC-25: Spawn button disabled while loading\n- AC-31: Dismiss via Escape, click-outside, Cancel\n- AC-32: Loading state for projects dropdown\n\n## Success Criteria\n- Modal opens/closes with animations\n- Project dropdown loads projects\n- Agent type toggle works\n- Spawn request sends correct payload\n- Auth token included in request\n- Errors display clearly\n- All dismiss methods work","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:41:30.654681Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:00:47.721958Z","closed_at":"2026-02-26T22:00:47.721907Z","close_reason":"Implemented SpawnModal component with project picker, agent type selector, spawn handler, animated close, escape/click-outside dismiss, loading states, and error feedback","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-15z","depends_on_id":"bd-mjo","type":"blocks","created_at":"2026-02-26T21:41:34.006897Z","created_by":"tayloreernisse"}]} {"id":"bd-196","title":"Update server.py startup for spawn feature","description":"## Overview\nModify amc_server/server.py to initialize spawn-related functionality on startup.\n\n## Background\nThe spawn feature requires several initialization steps at server start:\n1. Load projects cache so /api/projects responds immediately\n2. Generate auth token for spawn endpoint security\n3. Start background thread for periodic projects cache refresh\n\n## Implementation (IMP-2b)\nAdd to server initialization, before starting HTTP server:\n\n```python\nfrom amc_server.mixins.spawn import load_projects_cache\nfrom amc_server.context import generate_auth_token, start_projects_watcher\n\n# In server startup, before starting HTTP server:\nload_projects_cache()\nauth_token = generate_auth_token() # AC-37: Generate one-time token\nstart_projects_watcher() # AC-40: Auto-refresh every 5 minutes\n# Token is injected into dashboard HTML via template variable\n```\n\n## Initialization Order\n1. load_projects_cache() - Populate cache before any requests\n2. generate_auth_token() - Create token before dashboard serves\n3. start_projects_watcher() - Start background refresh\n\n## Auth Token Injection (IMP-2d)\nThe auth token must be injected into dashboard HTML for JavaScript access:\n\nIn HTTP mixin's dashboard serving code:\n```python\n# When serving index.html:\nfrom amc_server.context import _auth_token\nhtml_content = html_content.replace(\n '',\n f''\n)\n```\n\nAdd placeholder in dashboard/index.html :\n```html\n\n```\n\n## Why Inline Script\nThe auth token changes each server restart, so it must be injected at runtime. An inline script sets window.AMC_AUTH_TOKEN for JavaScript access. This is acceptable for localhost dev tool; secure cookie alternative is more complex.\n\n## Acceptance Criteria\n- AC-33: Projects cache loaded on start\n- AC-37: Auth token generated on start\n- AC-40: Background watcher started\n\n## Verification\n1. Start server\n2. Check logs for cache load message\n3. Check /api/projects returns immediately\n4. Check /api/health returns status\n5. View page source to verify AMC_AUTH_TOKEN script tag\n\n## Success Criteria\n- Server starts without error\n- Projects cache populated before first request\n- Auth token available in dashboard\n- Background watcher running","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:40:49.453041Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:03:11.090299Z","closed_at":"2026-02-26T22:03:11.090252Z","close_reason":"Implemented server.py startup: load_projects_cache, generate_auth_token, start_projects_watcher; auth token injected into dashboard HTML via placeholder replacement","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-196","depends_on_id":"bd-3oo","type":"blocks","created_at":"2026-02-26T21:40:54.281501Z","created_by":"tayloreernisse"},{"issue_id":"bd-196","depends_on_id":"bd-5m4","type":"blocks","created_at":"2026-02-26T21:40:54.305954Z","created_by":"tayloreernisse"}]} {"id":"bd-1ba","title":"Add fetchSkills API helper","description":"## Overview\nAdd fetchSkills() function to dashboard/utils/api.js for calling the skills endpoint.\n\n## Background\nThis is the client-side helper that fetches the autocomplete config. It's a simple wrapper around fetch() following the existing API pattern in the file.\n\n## Implementation (from plan IMP-3)\n```javascript\nexport const API_SKILLS = '/api/skills';\n\nexport async function fetchSkills(agent) {\n const url = \\`\\${API_SKILLS}?agent=\\${encodeURIComponent(agent)}\\`;\n const response = await fetch(url);\n if (\\!response.ok) return null;\n return response.json();\n}\n```\n\n## Return Type\n```typescript\ntype AutocompleteConfig = {\n trigger: '/' | '$';\n skills: Array<{ name: string; description: string }>;\n}\n```\n\n## Error Handling\n- HTTP error: return null (graceful degradation, no autocomplete)\n- Network failure: returns null via failed fetch\n\n## Why Return null on Error\n- Autocomplete is a convenience feature, not critical\n- Modal should still work without autocomplete\n- Avoids error toasts for non-critical failure\n\n## Success Criteria\n- Function exported from api.js\n- Agent param properly encoded in URL\n- Returns parsed JSON on success\n- Returns null on any failure","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:08:42.713976Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:45:08.245545Z","closed_at":"2026-02-26T21:45:08.245502Z","close_reason":"Added API_SKILLS constant and fetchSkills() helper with error handling","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-1ba","depends_on_id":"bd-30p","type":"blocks","created_at":"2026-02-26T20:08:47.543493Z","created_by":"tayloreernisse"}]} {"id":"bd-1jo","title":"E2E test script for spawn workflow","description":"## Overview\nCreate tests/e2e_spawn.sh - end-to-end test script for the complete spawn workflow.\n\n## Background\nE2E tests verify the full spawn flow from API call to agent appearance in dashboard. This is critical because:\n- Unit tests can't catch integration issues\n- Zellij subprocess behavior is hard to mock\n- Session file correlation must work in practice\n\n## Test Script Structure\n```bash\n#\\!/usr/bin/env bash\nset -euo pipefail\n\n# Configuration\nSERVER_URL=\"http://localhost:7400\"\nTEST_PROJECT=\"amc\" # Must exist in ~/projects/\nAUTH_TOKEN=\"\" # Will be extracted from dashboard HTML\n\n# Colors for output\nRED='\\033[0;31m'\nGREEN='\\033[0;32m'\nYELLOW='\\033[1;33m'\nNC='\\033[0m'\n\nlog_info() { echo -e \"${GREEN}[INFO]${NC} $1\"; }\nlog_warn() { echo -e \"${YELLOW}[WARN]${NC} $1\"; }\nlog_error() { echo -e \"${RED}[ERROR]${NC} $1\"; }\nlog_test() { echo -e \"\\n${GREEN}[TEST]${NC} $1\"; }\n\n# Cleanup function\ncleanup() {\n log_info \"Cleaning up...\"\n # Kill any test-spawned agents\n # Remove test session files\n}\ntrap cleanup EXIT\n\n# Pre-flight checks\npreflight() {\n log_test \"Pre-flight checks\"\n \n # Server running?\n if \\! curl -s \"${SERVER_URL}/api/health\" > /dev/null; then\n log_error \"Server not running at ${SERVER_URL}\"\n exit 1\n fi\n \n # Zellij session exists?\n if \\! zellij list-sessions | grep -q \"^infra\"; then\n log_error \"Zellij session 'infra' not found\"\n exit 1\n fi\n \n # Test project exists?\n if [[ \\! -d \"$HOME/projects/${TEST_PROJECT}\" ]]; then\n log_error \"Test project '${TEST_PROJECT}' not found\"\n exit 1\n fi\n \n log_info \"Pre-flight checks passed\"\n}\n\n# Extract auth token from dashboard\nextract_auth_token() {\n log_test \"Extracting auth token\"\n AUTH_TOKEN=$(curl -s \"${SERVER_URL}/\" | grep -o 'AMC_AUTH_TOKEN = \"[^\"]*\"' | cut -d'\"' -f2)\n if [[ -z \"$AUTH_TOKEN\" ]]; then\n log_error \"Could not extract auth token\"\n exit 1\n fi\n log_info \"Auth token extracted: ${AUTH_TOKEN:0:8}...\"\n}\n\n# Test: Projects endpoint\ntest_projects_endpoint() {\n log_test \"GET /api/projects\"\n \n response=$(curl -s \"${SERVER_URL}/api/projects\")\n if \\! echo \"$response\" | jq -e '.projects' > /dev/null; then\n log_error \"Invalid response: $response\"\n return 1\n fi\n \n project_count=$(echo \"$response\" | jq '.projects | length')\n log_info \"Found $project_count projects\"\n}\n\n# Test: Health endpoint\ntest_health_endpoint() {\n log_test \"GET /api/health\"\n \n response=$(curl -s \"${SERVER_URL}/api/health\")\n if \\! echo \"$response\" | jq -e '.ok' > /dev/null; then\n log_error \"Invalid response: $response\"\n return 1\n fi\n \n zellij_available=$(echo \"$response\" | jq -r '.zellij_available')\n log_info \"Zellij available: $zellij_available\"\n}\n\n# Test: Spawn without auth (should fail)\ntest_spawn_no_auth() {\n log_test \"Spawn without auth (should fail)\"\n \n response=$(curl -s -X POST \"${SERVER_URL}/api/spawn\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"project\":\"amc\",\"agent_type\":\"claude\"}')\n \n code=$(echo \"$response\" | jq -r '.code')\n if [[ \"$code\" \\!= \"UNAUTHORIZED\" ]]; then\n log_error \"Expected UNAUTHORIZED, got: $code\"\n return 1\n fi\n log_info \"Correctly rejected unauthorized request\"\n}\n\n# Test: Spawn with invalid project\ntest_spawn_invalid_project() {\n log_test \"Spawn with invalid project\"\n \n response=$(curl -s -X POST \"${SERVER_URL}/api/spawn\" \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer ${AUTH_TOKEN}\" \\\n -d '{\"project\":\"../etc/passwd\",\"agent_type\":\"claude\"}')\n \n code=$(echo \"$response\" | jq -r '.code')\n if [[ \"$code\" \\!= \"INVALID_PROJECT\" ]]; then\n log_error \"Expected INVALID_PROJECT, got: $code\"\n return 1\n fi\n log_info \"Correctly rejected path traversal\"\n}\n\n# Test: Spawn with valid project\ntest_spawn_valid() {\n log_test \"Spawn with valid project\"\n \n # Record session count before\n session_count_before=$(ls -1 ~/.local/share/amc/sessions/*.json 2>/dev/null | wc -l)\n \n response=$(curl -s -X POST \"${SERVER_URL}/api/spawn\" \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer ${AUTH_TOKEN}\" \\\n -d \"{\\\"project\\\":\\\"${TEST_PROJECT}\\\",\\\"agent_type\\\":\\\"claude\\\"}\")\n \n ok=$(echo \"$response\" | jq -r '.ok')\n if [[ \"$ok\" \\!= \"true\" ]]; then\n log_error \"Spawn failed: $(echo \"$response\" | jq -r '.error')\"\n return 1\n fi\n \n # Verify session file created\n session_count_after=$(ls -1 ~/.local/share/amc/sessions/*.json 2>/dev/null | wc -l)\n if [[ $session_count_after -le $session_count_before ]]; then\n log_warn \"No new session file detected\"\n fi\n \n log_info \"Spawn successful\"\n}\n\n# Test: Rate limiting\ntest_rate_limiting() {\n log_test \"Rate limiting\"\n \n # First spawn should succeed (or fail due to recent test)\n # Second immediate spawn should be rate limited\n response=$(curl -s -X POST \"${SERVER_URL}/api/spawn\" \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer ${AUTH_TOKEN}\" \\\n -d \"{\\\"project\\\":\\\"${TEST_PROJECT}\\\",\\\"agent_type\\\":\\\"claude\\\"}\")\n \n code=$(echo \"$response\" | jq -r '.code')\n # Either RATE_LIMITED or success (if cooldown passed)\n log_info \"Second spawn result: $code\"\n}\n\n# Main\nmain() {\n preflight\n extract_auth_token\n \n test_projects_endpoint\n test_health_endpoint\n test_spawn_no_auth\n test_spawn_invalid_project\n # test_spawn_valid # Uncomment to actually spawn\n # test_rate_limiting\n \n log_info \"\\n=== All tests passed ===\"\n}\n\nmain \"$@\"\n```\n\n## Test Coverage\n1. **Pre-flight**: Server running, Zellij session exists, test project exists\n2. **Auth extraction**: Token injectable into requests\n3. **Projects endpoint**: Returns valid JSON with projects array\n4. **Health endpoint**: Returns status with Zellij availability\n5. **Auth rejection**: Spawn without token returns UNAUTHORIZED\n6. **Path traversal rejection**: Invalid project returns INVALID_PROJECT\n7. **Valid spawn**: Creates session file (optional - actually spawns)\n8. **Rate limiting**: Second spawn returns RATE_LIMITED\n\n## Running\n```bash\n# Dry run (no actual spawning)\n./tests/e2e_spawn.sh\n\n# Full test with spawning\n./tests/e2e_spawn.sh --spawn\n```\n\n## Logging\nDetailed output with colored prefixes:\n- [INFO] Normal operations\n- [WARN] Non-fatal issues\n- [ERROR] Failures\n- [TEST] Test case headers\n\n## Cleanup\ntrap ensures cleanup on exit:\n- Kills any test-spawned agents\n- Removes test session files\n- Restores state\n\n## Success Criteria\n- All pre-flight checks pass\n- All endpoint tests pass\n- Error cases handled correctly\n- Clean exit with summary","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:42:57.413609Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:09:41.968565Z","closed_at":"2026-02-26T22:09:41.968516Z","close_reason":"Implemented E2E spawn workflow tests in tests/e2e_spawn.sh covering: preflight checks, auth token extraction, health/projects endpoints, auth rejection (no token, wrong token, malformed auth), input validation (invalid JSON, path traversal, nonexistent project, invalid agent type, missing project, backslash), CORS preflight, live spawn with session verification, rate limiting, and dashboard visibility. Safe by default with --spawn flag for live tests.","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-1jo","depends_on_id":"bd-196","type":"blocks","created_at":"2026-02-26T21:43:01.408003Z","created_by":"tayloreernisse"},{"issue_id":"bd-1jo","depends_on_id":"bd-1tu","type":"blocks","created_at":"2026-02-26T21:43:01.378693Z","created_by":"tayloreernisse"}]} {"id":"bd-1jt","title":"Slice 1 Integration: Server-side spawning verification","description":"## Overview\nIntegration checkpoint verifying all Slice 1 (backend) components work together.\n\n## Background\nSlice 1 delivers the complete server-side spawn capability, testable via curl without the UI. This bead verifies the integration of:\n- context.py constants\n- SpawnMixin\n- amc-hook spawn_id support\n- HTTP routing\n- Handler integration\n- Server startup initialization\n\n## Verification Checklist\n\n### 1. Server Starts Clean\n```bash\n# Start server\n./bin/amc-server\n\n# Verify no errors in startup log\n# Verify 'Projects cache loaded' message\n```\n\n### 2. Health Endpoint\n```bash\ncurl http://localhost:7400/api/health | jq\n# Expected: {\"ok\": true, \"zellij_session\": \"infra\", \"zellij_available\": true, \"projects_count\": N}\n```\n\n### 3. Projects Endpoint\n```bash\ncurl http://localhost:7400/api/projects | jq\n# Expected: {\"projects\": [\"amc\", \"gitlore\", ...]}\n```\n\n### 4. Auth Token Injection\n```bash\ncurl http://localhost:7400/ | grep AMC_AUTH_TOKEN\n# Expected: \n```\n\n### 5. Spawn Without Auth (Should Fail)\n```bash\ncurl -X POST http://localhost:7400/api/spawn \\\n -H 'Content-Type: application/json' \\\n -d '{\"project\":\"amc\",\"agent_type\":\"claude\"}'\n# Expected: {\"ok\": false, \"code\": \"UNAUTHORIZED\"}\n```\n\n### 6. Spawn With Auth (Path Traversal - Should Fail)\n```bash\nTOKEN=$(curl -s http://localhost:7400/ | grep -o 'AMC_AUTH_TOKEN = \"[^\"]*\"' | cut -d'\"' -f2)\ncurl -X POST http://localhost:7400/api/spawn \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"project\":\"../etc\",\"agent_type\":\"claude\"}'\n# Expected: {\"ok\": false, \"code\": \"INVALID_PROJECT\"}\n```\n\n### 7. Spawn With Auth (Valid - Should Succeed)\n```bash\ncurl -X POST http://localhost:7400/api/spawn \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"project\":\"amc\",\"agent_type\":\"claude\"}'\n# Expected: {\"ok\": true, \"project\": \"amc\", \"agent_type\": \"claude\", \"spawn_id\": \"...\"}\n# Agent should appear in Zellij 'infra' session, 'amc' tab\n```\n\n### 8. Verify Session File\n```bash\n# Find newest session file\nls -lt ~/.local/share/amc/sessions/*.json | head -1\n# Check for spawn_id\ncat | jq .spawn_id\n# Should match spawn_id from response\n```\n\n### 9. Rate Limiting\n```bash\n# Immediate second request should be rate limited\ncurl -X POST http://localhost:7400/api/spawn \\\n -H 'Content-Type: application/json' \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '{\"project\":\"amc\",\"agent_type\":\"claude\"}'\n# Expected: {\"ok\": false, \"code\": \"RATE_LIMITED\", \"retry_after\": N}\n```\n\n### 10. Projects Refresh\n```bash\ncurl -X POST http://localhost:7400/api/projects/refresh | jq\n# Expected: {\"ok\": true, \"projects\": [...]}\n```\n\n## Acceptance Criteria Covered\n- AC-4, AC-5: Projects listing\n- AC-8, AC-9: Agent commands\n- AC-10, AC-11, AC-12: Zellij tab targeting\n- AC-13, AC-14: Pane cwd and naming\n- AC-18, AC-19: Graceful failure handling\n- AC-22, AC-23, AC-24: Security\n- AC-26-30: Spawn lifecycle\n- AC-33-36: Projects caching and rate limiting\n- AC-37-39: Auth token\n- AC-40, AC-41: Background refresh and health\n\n## Success Criteria\nAll 10 verification steps pass without error. Spawned agent appears in Zellij with correct session file.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:44:51.258812Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:10:56.931500Z","closed_at":"2026-02-26T22:10:56.931439Z","close_reason":"All Slice 1 integration verified. 406/406 unit tests pass. Verified: (1) context.py spawn constants/auth/lock/rate-limit (2) SpawnMixin fully integrated into AMCHandler via MRO (3) HTTP routes wired for GET /api/projects, GET /api/health, POST /api/spawn, POST /api/projects/refresh (4) CORS preflight includes Authorization header (5) Auth token generation/validation/injection into index.html (6) Security: path traversal, null bytes, control chars, symlink escape, unknown agent types all rejected (7) Rate limiting per-project with 10s cooldown (8) amc-hook spawn_id correlation (9) Server startup calls load_projects_cache, generate_auth_token, start_projects_watcher (10) Pane name sanitization handles control chars/quotes/length","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-1jt","depends_on_id":"bd-11y","type":"blocks","created_at":"2026-02-26T21:44:56.941809Z","created_by":"tayloreernisse"},{"issue_id":"bd-1jt","depends_on_id":"bd-196","type":"blocks","created_at":"2026-02-26T21:44:56.889486Z","created_by":"tayloreernisse"},{"issue_id":"bd-1jt","depends_on_id":"bd-1tu","type":"blocks","created_at":"2026-02-26T21:44:56.859319Z","created_by":"tayloreernisse"},{"issue_id":"bd-1jt","depends_on_id":"bd-1zy","type":"blocks","created_at":"2026-02-26T21:44:56.915974Z","created_by":"tayloreernisse"}]} {"id":"bd-1tu","title":"Integrate SpawnMixin into AMCHandler","description":"## Overview\nAdd SpawnMixin to the handler inheritance chain in amc_server/handler.py.\n\n## Background\nAMCHandler composes functionality from multiple mixins. SpawnMixin must be added to enable the spawn API endpoints.\n\n## Implementation (IMP-3)\n```python\nfrom amc_server.mixins.spawn import SpawnMixin\n\nclass AMCHandler(\n HttpMixin,\n StateMixin,\n ConversationMixin,\n SessionControlMixin,\n SessionDiscoveryMixin,\n SessionParsingMixin,\n SpawnMixin, # Add this\n BaseHTTPRequestHandler,\n):\n \"\"\"HTTP handler composed from focused mixins.\"\"\"\n```\n\n## Mixin Order Consideration\nPlace SpawnMixin before BaseHTTPRequestHandler (at end of mixins) but after the other mixins. Order matters for MRO (Method Resolution Order) but SpawnMixin methods don't override anything in other mixins.\n\n## Acceptance Criteria\n- AC-2, AC-3: Spawn endpoints accessible via handler\n\n## Verification\n```python\nfrom amc_server.handler import AMCHandler\nassert hasattr(AMCHandler, '_handle_spawn')\nassert hasattr(AMCHandler, '_handle_projects')\nassert hasattr(AMCHandler, '_handle_health')\n```\n\n## Success Criteria\n- SpawnMixin methods available on handler\n- No import errors\n- Existing handler functionality unchanged","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:40:31.775030Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:07:32.213024Z","closed_at":"2026-02-26T22:07:32.212979Z","close_reason":"SpawnMixin integrated into AMCHandler class inheritance; all spawn endpoints accessible","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-1tu","depends_on_id":"bd-2al","type":"blocks","created_at":"2026-02-26T21:40:34.759299Z","created_by":"tayloreernisse"},{"issue_id":"bd-1tu","depends_on_id":"bd-5m4","type":"blocks","created_at":"2026-02-26T21:40:34.737815Z","created_by":"tayloreernisse"}]} {"id":"bd-1y3","title":"Add autocomplete state management","description":"## Overview\nAdd state variables and refs for managing autocomplete visibility and selection in SimpleInput.js.\n\n## Background\nThe autocomplete dropdown needs state to track:\n- Whether it's currently visible\n- Which item is highlighted (for keyboard navigation)\n- The current trigger info (for insertion)\n- Refs for DOM elements (for click-outside detection)\n\n## Implementation\nAdd to SimpleInput component:\n```javascript\n// State\nconst [showAutocomplete, setShowAutocomplete] = useState(false);\nconst [selectedIndex, setSelectedIndex] = useState(0);\n\n// Refs for click-outside detection\nconst autocompleteRef = useRef(null);\n\n// Compute triggerInfo on input change\nconst [triggerInfo, setTriggerInfo] = useState(null);\n\n// Update trigger info and visibility on text/cursor change\nuseEffect(() => {\n const textarea = textareaRef.current;\n if (!textarea) return;\n \n const info = getTriggerInfo(text, textarea.selectionStart);\n setTriggerInfo(info);\n setShowAutocomplete(!!info);\n \n // Reset selection when dropdown opens\n if (info && !triggerInfo) {\n setSelectedIndex(0);\n }\n}, [text, getTriggerInfo]);\n```\n\n## State Flow\n1. User types -> text state updates\n2. useEffect computes triggerInfo\n3. If trigger detected -> showAutocomplete = true\n4. selectedIndex tracks keyboard navigation\n5. On selection/dismiss -> showAutocomplete = false\n\n## Reset Behavior\n- selectedIndex resets to 0 when dropdown opens\n- When filter changes, clamp selectedIndex to valid range\n\n## Success Criteria\n- showAutocomplete correctly reflects trigger state\n- selectedIndex tracks current selection\n- State resets appropriately on open/close\n- Refs available for DOM interaction","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:09:43.067983Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:49:53.949477Z","closed_at":"2026-02-26T21:49:53.949427Z","close_reason":"Added showAutocomplete, selectedIndex state, autocompleteRef, and useEffects for visibility management","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-1y3","depends_on_id":"bd-29o","type":"blocks","created_at":"2026-02-26T20:09:45.583055Z","created_by":"tayloreernisse"}]} {"id":"bd-1zy","title":"Update amc-hook to write spawn_id for spawn correlation","description":"## Overview\nModify bin/amc-hook to include spawn_id in session JSON when AMC_SPAWN_ID env var is present.\n\n## Background\nWhen the server spawns an agent, it generates a unique spawn_id and passes it via AMC_SPAWN_ID env var. The hook must write this to the session file so the server can correlate the spawned agent with its request.\n\nThis enables **deterministic spawn correlation**: instead of polling for 'any new session file' (which could match unrelated agent activity), the server waits for a file containing the specific spawn_id it generated.\n\n## Implementation (IMP-1b)\nAdd after reading hook JSON and before writing session file:\n\n```python\n# Include spawn_id if present in environment (for spawn correlation)\nspawn_id = os.environ.get('AMC_SPAWN_ID')\nif spawn_id:\n session_data['spawn_id'] = spawn_id\n```\n\n## Integration Flow\n1. Server generates spawn_id (UUID)\n2. Server passes AMC_SPAWN_ID= to Zellij new-pane via env dict\n3. Zellij spawns agent process with env var inherited\n4. Agent starts, Claude Code fires SessionStart hook\n5. amc-hook runs, reads AMC_SPAWN_ID from os.environ\n6. Hook writes session JSON including spawn_id field\n7. Server polls SESSIONS_DIR for file with matching spawn_id\n8. Server confirms spawn success\n\n## Why env var (not CLI arg)\n- env vars propagate naturally through subprocess tree\n- No need to modify agent command structure\n- Works identically for Claude and Codex\n\n## Existing amc-hook Structure\nThe hook already:\n- Parses Claude Code hook JSON from stdin\n- Extracts session_id, cwd, etc.\n- Resolves project name from cwd\n- Writes JSON to ~/.local/share/amc/sessions/{session_id}.json\n\nThis change adds one field to the output JSON.\n\n## Session JSON Structure (after change)\n```json\n{\n \"session_id\": \"abc123\",\n \"project\": \"amc\",\n \"status\": \"active\",\n \"started_at\": \"2026-02-26T21:00:00Z\",\n \"cwd\": \"/Users/taylor/projects/amc\",\n \"spawn_id\": \"550e8400-e29b-41d4-a716-446655440000\"\n}\n```\n\nNote: spawn_id is only present for spawned agents, not manually started ones.\n\n## Acceptance Criteria\n- AC-28: amc-hook writes spawn_id to session file when present in environment\n\n## Testing\n```bash\n# Manual test\nAMC_SPAWN_ID='test-uuid' bin/amc-hook <<< '{\"type\":\"SessionStart\",\"session_id\":\"test\",\"cwd\":\"/tmp\"}'\ncat ~/.local/share/amc/sessions/test.json | jq .spawn_id\n# Should output: \"test-uuid\"\n```\n\n## Success Criteria\n- spawn_id field present in session JSON when AMC_SPAWN_ID set\n- spawn_id field absent when AMC_SPAWN_ID not set\n- Existing hook functionality unchanged","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:40:04.199087Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:58:14.886530Z","closed_at":"2026-02-26T21:58:14.886415Z","close_reason":"Implemented spawn_id correlation in amc-hook. AMC_SPAWN_ID env var is read and included in session JSON when present, absent when not set.","compaction_level":0,"original_size":0} {"id":"bd-253","title":"Implement autocomplete dropdown UI","description":"## Overview\nAdd the autocomplete dropdown JSX to SimpleInput.js render method, positioned above the input.\n\n## Background\nThe dropdown shows filtered skills with visual highlighting. Per AC-11, AC-15, AC-16-19:\n- Positioned above input (bottom-anchored)\n- Left-aligned\n- Max height with scroll\n- Highlighted item visually distinct\n- Respects color scheme\n- Handles both \"no skills available\" AND \"no matching skills\"\n\n## Implementation (from plan IMP-9, with AC-15 fix)\n```javascript\n${showAutocomplete && html`\n \n ${autocompleteConfig.skills.length === 0 ? html`\n \n
No skills available
\n ` : filteredSkills.length === 0 ? html`\n \n
No matching skills
\n ` : filteredSkills.map((skill, i) => html`\n insertSkill(skill)}\n onMouseEnter=${() => setSelectedIndex(i)}\n >\n
\n ${autocompleteConfig.trigger}${skill.name}\n
\n
${skill.description}
\n \n `)}\n \n`}\n```\n\n## Two Empty States (IMPORTANT)\n1. **\"No skills available\"** (AC-15): `autocompleteConfig.skills.length === 0`\n - Agent has zero skills installed\n - Dropdown still appears to inform user\n \n2. **\"No matching skills\"** (AC-11): `filteredSkills.length === 0`\n - Skills exist, but filter text matches none\n - User typed something that does not match any skill\n\n## Styling Decisions\n- **bottom-full mb-1**: Positions above input with 4px gap\n- **max-h-48**: ~192px max height (AC-17)\n- **overflow-y-auto**: Vertical scroll for long lists\n- **z-50**: Ensures dropdown above other content\n- **bg-selection/50**: Highlighted item background\n- **text-dim/text-bright**: Color hierarchy\n\n## Key Details\n- Uses index as key (plan note: handles duplicate skill names from curated + user)\n- onMouseEnter updates selectedIndex (mouse hover selection)\n- onClick calls insertSkill directly\n- Nested ternary: skills.length → filteredSkills.length → map\n\n## Container Requirements\nSimpleInput outer container needs position: relative for absolute positioning.\n\n## Success Criteria\n- Dropdown appears above input when showAutocomplete true\n- \"No skills available\" when agent has zero skills\n- \"No matching skills\" when filter matches nothing\n- Selected item visually highlighted\n- Scrollable when many skills\n- Mouse hover updates selection\n- Click inserts skill","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:10:35.317055Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:52:25.639932Z","closed_at":"2026-02-26T21:52:25.639671Z","close_reason":"Added autocomplete dropdown UI with empty states, mouse hover, click selection","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-253","depends_on_id":"bd-2uj","type":"blocks","created_at":"2026-02-26T20:10:38.204758Z","created_by":"tayloreernisse"},{"issue_id":"bd-253","depends_on_id":"bd-3us","type":"blocks","created_at":"2026-02-26T20:12:27.289036Z","created_by":"tayloreernisse"}]} {"id":"bd-29o","title":"Implement filtered skills computation","description":"## Overview\nAdd useMemo for filteredSkills in SimpleInput.js that filters the skills list based on user input.\n\n## Background\nAs the user types after the trigger character, the list should filter to show only matching skills. This provides instant feedback and makes finding skills faster.\n\n## Implementation (from plan IMP-6)\n```javascript\nconst filteredSkills = useMemo(() => {\n if (!autocompleteConfig || !triggerInfo) return [];\n \n const { skills } = autocompleteConfig;\n const { filterText } = triggerInfo;\n \n let filtered = skills;\n if (filterText) {\n filtered = skills.filter(s =>\n s.name.toLowerCase().includes(filterText)\n );\n }\n \n // Already sorted by server, but ensure alphabetical\n return filtered.sort((a, b) => a.name.localeCompare(b.name));\n}, [autocompleteConfig, triggerInfo]);\n```\n\n## Filtering Behavior (from AC-6)\n- Case-insensitive matching\n- Matches anywhere in skill name (not just prefix)\n- Empty filterText shows all skills\n- No matches returns empty array (handled by UI)\n\n## Why useMemo\n- Skills list could be large (50+)\n- Filter runs on every keystroke\n- Sorting on each render would be wasteful\n- Memoization prevents unnecessary recalculation\n\n## Key Details\n- triggerInfo.filterText is already lowercase\n- Server pre-sorts, but we re-sort after filtering (stability)\n- localeCompare for proper alphabetical ordering\n\n## Success Criteria\n- Returns empty array when no autocompleteConfig\n- Filters based on filterText (case-insensitive)\n- Results sorted alphabetically\n- Empty input shows all skills\n- Memoized to prevent unnecessary recalculation","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:09:29.436812Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:49:16.259177Z","closed_at":"2026-02-26T21:49:16.258997Z","close_reason":"Added triggerInfo state and filteredSkills useMemo with case-insensitive filtering","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-29o","depends_on_id":"bd-3s3","type":"blocks","created_at":"2026-02-26T20:09:31.898778Z","created_by":"tayloreernisse"}]} {"id":"bd-2a1","title":"Implement backspace dismissal of autocomplete","description":"## Overview\nEnsure that backspacing over the trigger character dismisses the autocomplete dropdown (AC-9).\n\n## Background\nWhen the user types '/com' and then backspaces to '/', they might continue backspacing to remove the '/'. At that point, the autocomplete should dismiss.\n\n## Implementation\nThis is already handled by the existing trigger detection:\n- When text changes, triggerInfo is recomputed\n- If cursor is before the trigger char, getTriggerInfo returns null\n- showAutocomplete becomes false\n\n## Verification Needed\n- Type '/com'\n- Backspace to '/'\n- Backspace to ''\n- Dropdown should dismiss when '/' is deleted\n\n## Success Criteria\n- Backspacing past trigger dismisses dropdown\n- No special code needed if detection is correct\n- Add test case if not already covered","status":"closed","priority":3,"issue_type":"task","created_at":"2026-02-26T20:12:00.191481Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:55:09.492178Z","closed_at":"2026-02-26T21:55:09.492131Z","close_reason":"Already works via trigger detection - backspacing past trigger naturally returns null from getTriggerInfo","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-2a1","depends_on_id":"bd-3s3","type":"blocks","created_at":"2026-02-26T20:12:03.544203Z","created_by":"tayloreernisse"}]} {"id":"bd-2al","title":"Add HTTP routes for spawn API endpoints","description":"## Overview\nAdd routes for /api/spawn, /api/projects, /api/projects/refresh, and /api/health to amc_server/mixins/http.py.\n\n## Background\nThe spawn feature requires four new API endpoints:\n- POST /api/spawn - Spawn a new agent\n- GET /api/projects - List available projects\n- POST /api/projects/refresh - Refresh projects cache\n- GET /api/health - Server health check with Zellij status\n\n## Implementation (IMP-2)\n\n### Add to do_GET:\n```python\nelif self.path == '/api/projects':\n self._handle_projects()\nelif self.path == '/api/health':\n self._handle_health()\n```\n\n### Add to do_POST:\n```python\nelif self.path == '/api/spawn':\n self._handle_spawn()\nelif self.path == '/api/projects/refresh':\n self._handle_projects_refresh()\n```\n\n### Update do_OPTIONS for CORS:\n```python\ndef do_OPTIONS(self):\n # CORS preflight for API endpoints\n # AC-39: Keep wildcard CORS consistent with existing endpoints;\n # localhost-only binding (AC-24) is the real security boundary\n self.send_response(204)\n self.send_header('Access-Control-Allow-Origin', '*')\n self.send_header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')\n self.send_header('Access-Control-Allow-Headers', 'Content-Type, Authorization')\n self.end_headers()\n```\n\n## CORS Design Decision\nAC-39 specifies consistent wildcard CORS across all endpoints. The security boundary is localhost-only binding (AC-24), not CORS headers. This is appropriate for a dev-machine tool where:\n- Server binds to 127.0.0.1 only\n- External network access not possible\n- Auth token provides additional protection for spawn endpoint\n\n## Route Ordering\nPlace new routes after existing API routes but before catch-all/404 handling to maintain consistency with existing patterns.\n\n## Acceptance Criteria\n- AC-1, AC-3, AC-4: Routes accessible\n- AC-34: projects/refresh endpoint\n- AC-39: Consistent CORS headers\n\n## Verification\n```bash\n# Test routes\ncurl http://localhost:7400/api/projects\ncurl http://localhost:7400/api/health\ncurl -X POST http://localhost:7400/api/projects/refresh\ncurl -X OPTIONS http://localhost:7400/api/spawn -v\n```\n\n## Success Criteria\n- All four endpoints respond correctly\n- CORS preflight returns correct headers\n- No 404s for new routes","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:40:18.578864Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:02:54.270477Z","closed_at":"2026-02-26T22:02:54.270416Z","close_reason":"Added GET /api/projects, GET /api/health, POST /api/spawn, POST /api/projects/refresh routes to http.py. Updated CORS preflight to include GET method and Authorization header. All 366 tests pass.","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-2al","depends_on_id":"bd-5m4","type":"blocks","created_at":"2026-02-26T21:40:21.977425Z","created_by":"tayloreernisse"}]} {"id":"bd-2cw","title":"Add visual feedback when spawned agent appears in dashboard","description":"## Overview\nAdd visual feedback (highlight animation) when a newly spawned agent's session card appears in the dashboard.\n\n## Background\nAfter spawning, users need confirmation that the agent appeared. Currently:\n- Toast shows 'agent spawned for project'\n- Session card appears on next poll\n\nThe gap between toast and card appearance could be confusing. Visual feedback bridges this.\n\n## Implementation Options\n\n### Option A: Highlight Animation\nAdd CSS animation to new session cards:\n```css\n@keyframes spawn-highlight {\n 0% { box-shadow: 0 0 0 2px var(--color-active); }\n 100% { box-shadow: 0 0 0 0 transparent; }\n}\n\n.session-card-new {\n animation: spawn-highlight 2s ease-out;\n}\n```\n\nTrack which sessions are 'new' in App.js state:\n```javascript\nconst [newSessionIds, setNewSessionIds] = useState(new Set());\n\n// After successful spawn\nonSpawn={(result) => {\n if (result.success) {\n // Mark spawn_id as 'new'\n // When session with matching spawn_id appears, add highlight class\n }\n}}\n```\n\n### Option B: 'Just spawned' Badge\nShow temporary badge on new session card:\n```javascript\n{isNew && html`\n \n Just spawned\n \n`}\n```\n\n### Chosen Approach: Option A\nHighlight animation is less intrusive and automatically fades.\n\n## Integration\n1. Spawn returns spawn_id in response\n2. Store spawn_id in App.js state\n3. On session data update, check for session with matching spawn_id\n4. Apply animation class to that card\n5. Remove from tracked set after animation\n\n## Acceptance Criteria\n- AC-15: Spawned agent appears in dashboard within 10 seconds\n- (implied) User can see which session was just spawned\n\n## Success Criteria\n- Session card has visible highlight on appearance\n- Animation fades naturally (2s)\n- Works for both Claude and Codex agents","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T21:43:30.558124Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:09:48.248388Z","closed_at":"2026-02-26T22:09:48.248341Z","close_reason":"Implemented spawn highlight animation: CSS keyframe animation on session cards, spawn_id tracking in App.js state, auto-clears after 2.5s, respects prefers-reduced-motion","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-2cw","depends_on_id":"bd-3v5","type":"blocks","created_at":"2026-02-26T21:43:33.390359Z","created_by":"tayloreernisse"}]} {"id":"bd-2n7","title":"Load autocomplete config in Modal","description":"## Overview\nAdd useEffect in Modal.js to load skills when a session is opened, and pass autocompleteConfig to SimpleInput.\n\n## Background\nSkills are agent-global, not session-specific. We fetch once when session.agent changes and cache client-side. This follows the plan's data flow: Modal opens -> GET /api/skills -> SimpleInput gets config.\n\n## Implementation (from plan IMP-4)\n```javascript\nconst [autocompleteConfig, setAutocompleteConfig] = useState(null);\n\n// Load skills when agent type changes\nuseEffect(() => {\n if (!session) {\n setAutocompleteConfig(null);\n return;\n }\n \n const agent = session.agent || 'claude';\n fetchSkills(agent)\n .then(config => setAutocompleteConfig(config))\n .catch(() => setAutocompleteConfig(null));\n}, [session?.agent]);\n\n// In render, pass to SimpleInput:\n<\\${SimpleInput}\n ...\n autocompleteConfig=\\${autocompleteConfig}\n/>\n```\n\n## Dependency Array\n- Uses session?.agent to re-fetch when agent type changes\n- NOT session.id (would refetch on every session switch unnecessarily)\n- Skills are agent-global, so same agent = same skills\n\n## Error Handling\n- fetch failure: autocompleteConfig stays null\n- null config: SimpleInput disables autocomplete silently\n\n## Props to Add\nSimpleInput gets new optional prop:\n- autocompleteConfig: { trigger, skills } | null\n\n## Success Criteria\n- useEffect fetches on session.agent change\n- autocompleteConfig state managed correctly\n- Passed to SimpleInput as prop\n- Null on error (graceful degradation)","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:08:58.959680Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:46:27.279511Z","closed_at":"2026-02-26T21:46:27.279344Z","close_reason":"Added useEffect to load skills, state management, and prop passing through SessionCard to SimpleInput","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-2n7","depends_on_id":"bd-1ba","type":"blocks","created_at":"2026-02-26T20:09:01.617198Z","created_by":"tayloreernisse"}]} {"id":"bd-2uj","title":"Implement skill insertion","description":"## Overview\nAdd insertSkill() function in SimpleInput.js that replaces the trigger+filter text with the full skill name.\n\n## Background\nWhen user selects a skill (Enter, Tab, or click), we need to:\n1. Replace the trigger+partial text with trigger+full skill name\n2. Add a trailing space\n3. Position cursor after the inserted text\n\n## Implementation (from plan IMP-8)\n```javascript\nconst insertSkill = useCallback((skill) => {\n if (\\!triggerInfo || \\!autocompleteConfig) return;\n \n const { trigger } = autocompleteConfig;\n const { replaceStart, replaceEnd } = triggerInfo;\n \n const before = text.slice(0, replaceStart);\n const after = text.slice(replaceEnd);\n const inserted = \\`\\${trigger}\\${skill.name} \\`;\n \n setText(before + inserted + after);\n setShowAutocomplete(false);\n \n // Move cursor after inserted text\n const newCursorPos = replaceStart + inserted.length;\n setTimeout(() => {\n if (textareaRef.current) {\n textareaRef.current.selectionStart = newCursorPos;\n textareaRef.current.selectionEnd = newCursorPos;\n textareaRef.current.focus();\n }\n }, 0);\n}, [text, triggerInfo, autocompleteConfig]);\n```\n\n## Example\nUser types: 'please run /com|' (cursor at |)\nUser selects 'commit'\nResult: 'please run /commit |'\n\n## Why setTimeout for Cursor\n- React may not have updated the textarea value yet\n- setTimeout(0) defers until after React render\n- Ensures cursor positioning happens on updated DOM\n\n## AC-20 Compliance\n'After skill insertion, cursor is positioned after the trailing space, ready to continue typing.'\n\n## Success Criteria\n- Replaces trigger+filter with trigger+skill+space\n- Preserves text before and after\n- Cursor positioned at end of insertion\n- Dropdown closes after insertion\n- Focus remains on textarea","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:10:14.663971Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:51:14.464158Z","closed_at":"2026-02-26T21:51:14.463898Z","close_reason":"Already implemented insertSkill callback in bd-3vd","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-2uj","depends_on_id":"bd-3vd","type":"blocks","created_at":"2026-02-26T20:10:18.401490Z","created_by":"tayloreernisse"}]} {"id":"bd-30o","title":"Verify spawned agents have correct Zellij metadata","description":"## Overview\nEnsure spawned agent session files contain correct zellij_session and zellij_pane values.\n\n## Background\nPer AC-16 and AC-17:\n- Session data must include correct zellij_session\n- Session data must include correct zellij_pane\n- Dashboard must be able to send responses to spawned agents\n\nThis enables the dashboard to target the correct Zellij pane when sending responses.\n\n## Current Implementation\nThe amc-hook writes Zellij metadata by detecting:\n- ZELLIJ env var (set by Zellij for all panes)\n- ZELLIJ_SESSION_NAME (session name)\n- ZELLIJ_PANE_ID (pane ID within session)\n\n## Verification Steps\n1. Spawn an agent via API\n2. Find the session file (by spawn_id)\n3. Verify JSON contains:\n - zellij_session == 'infra'\n - zellij_pane is present and valid\n\n```bash\n# After spawn\ncat ~/.local/share/amc/sessions/*.json | jq 'select(.spawn_id \\!= null) | {session: .zellij_session, pane: .zellij_pane}'\n```\n\n## Hook Requirements\namc-hook must read and write these env vars:\n```python\nsession_data['zellij_session'] = os.environ.get('ZELLIJ_SESSION_NAME')\nsession_data['zellij_pane'] = os.environ.get('ZELLIJ_PANE_ID')\n```\n\n## Response Test\nAfter verifying metadata, test that dashboard can send responses:\n1. Open spawned agent's session in dashboard\n2. Wait for AskUserQuestion prompt\n3. Submit response\n4. Verify response appears in Zellij pane\n\n## Edge Cases\n1. Agent started outside Zellij -> no metadata (handled gracefully)\n2. Zellij env vars missing -> fields null or missing\n3. Multiple agents in same pane (rare) -> same pane ID\n\n## Success Criteria\n- Spawned agents have correct zellij_session in session file\n- Spawned agents have correct zellij_pane in session file\n- Dashboard can successfully send responses to spawned agents\n- Non-Zellij agents handled gracefully (no crash)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T21:44:05.261736Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:10:36.694103Z","closed_at":"2026-02-26T22:10:36.693914Z","close_reason":"Added 18 unit tests in test_zellij_metadata.py verifying: hook writes zellij_session/zellij_pane from env vars, hook writes spawn_id from AMC_SPAWN_ID, non-Zellij agents get empty strings gracefully, spawn mixin passes AMC_SPAWN_ID and correct pane name to Zellij, _wait_for_session_file matches by spawn_id, and end-to-end metadata flow","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-30o","depends_on_id":"bd-1zy","type":"blocks","created_at":"2026-02-26T21:44:08.335083Z","created_by":"tayloreernisse"}]} {"id":"bd-30p","title":"Add /api/skills route to HttpMixin","description":"## Overview\nAdd the GET /api/skills endpoint to HttpMixin.do_GET that routes to SkillsMixin._serve_skills().\n\n## Background\nThe skills endpoint lives in HttpMixin because that's where all GET routing is handled. The handler just composes mixins. This follows the existing architecture pattern.\n\n## Implementation (from plan IMP-2)\nIn amc_server/mixins/http.py, add to do_GET method:\n```python\nelif path == '/api/skills':\n agent = query_params.get('agent', ['claude'])[0]\n self._serve_skills(agent)\n```\n\n## API Design\n- **Endpoint**: GET /api/skills?agent={claude|codex}\n- **Default agent**: 'claude' (if param missing)\n- **Response**: JSON from _serve_skills()\n\n## Why This Location\n- HttpMixin.do_GET handles ALL GET routing\n- Keeps routing logic centralized\n- SkillsMixin provides the implementation\n- Handler composes both mixins\n\n## Required Import\nAdd SkillsMixin to handler.py mixin list:\n```python\nfrom amc_server.mixins.skills import SkillsMixin\n# Add to AMCHandler class inheritance\n```\n\n## Success Criteria\n- Route /api/skills accessible via GET\n- Query param 'agent' passed to _serve_skills\n- Missing agent param defaults to 'claude'\n- Follows existing routing patterns in do_GET","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:08:29.491653Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:44:28.599198Z","closed_at":"2026-02-26T21:44:28.599149Z","close_reason":"Added /api/skills route to HttpMixin.do_GET with agent query param parsing","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-30p","depends_on_id":"bd-g9t","type":"blocks","created_at":"2026-02-26T20:08:32.597460Z","created_by":"tayloreernisse"}]} {"id":"bd-35a","title":"Integration: Wire up complete autocomplete feature","description":"## Overview\nFinal integration step: ensure all pieces work together in Modal.js and SimpleInput.js.\n\n## Background\nThis is the capstone bead that verifies the complete feature is wired up correctly. All previous beads implement individual pieces; this ensures they connect.\n\n## Checklist\n1. **SkillsMixin added to handler**\n - Import SkillsMixin in handler.py\n - Add to AMCHandler class inheritance\n\n2. **Modal loads config**\n - fetchSkills called on session.agent change\n - autocompleteConfig passed to SimpleInput\n\n3. **SimpleInput receives config**\n - New prop: autocompleteConfig\n - State management wired up\n - Keyboard handlers connected\n - Dropdown renders correctly\n\n## Verification Steps\n1. Start dev server\n2. Open a session modal\n3. Type '/' -> dropdown should appear\n4. Arrow down, Enter -> skill inserted\n5. Check Codex session with '$'\n\n## Common Issues to Check\n- Import paths correct\n- Mixin in correct position in inheritance\n- Props threaded through correctly\n- No console errors\n\n## Success Criteria\n- Feature works end-to-end\n- No console errors\n- Both Claude and Codex agents work\n- Manual testing checklist passes","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:12:39.799374Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:00:06.041741Z","closed_at":"2026-02-26T22:00:06.041691Z","close_reason":"Full integration complete with all blockers closed: skills enumeration, UI, click-outside, scroll-into-view, unit tests","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-35a","depends_on_id":"bd-2a1","type":"blocks","created_at":"2026-02-26T20:12:43.160167Z","created_by":"tayloreernisse"},{"issue_id":"bd-35a","depends_on_id":"bd-362","type":"blocks","created_at":"2026-02-26T20:12:43.135755Z","created_by":"tayloreernisse"},{"issue_id":"bd-35a","depends_on_id":"bd-3ny","type":"blocks","created_at":"2026-02-26T20:12:43.111964Z","created_by":"tayloreernisse"},{"issue_id":"bd-35a","depends_on_id":"bd-4lc","type":"blocks","created_at":"2026-02-26T20:12:43.180034Z","created_by":"tayloreernisse"}]} {"id":"bd-362","title":"Unit tests for SkillsMixin","description":"## Overview\nAdd comprehensive unit tests for amc_server/mixins/skills.py in tests/test_skills.py.\n\n## Background\nThe skill enumeration is the foundation of autocomplete. We need to test:\n- Both enumeration methods\n- Edge cases (missing files, bad JSON, empty directories)\n- Sorting behavior\n- Response format\n\n## Test Cases\n\n### Claude Enumeration\n```python\ndef test_enumerate_claude_skills_empty_directory(tmp_home):\n '''Returns empty list when ~/.claude/skills doesn't exist'''\n \ndef test_enumerate_claude_skills_reads_skill_md(tmp_home, claude_skill):\n '''Reads description from SKILL.md'''\n \ndef test_enumerate_claude_skills_fallback_to_readme(tmp_home):\n '''Falls back to README.md when SKILL.md missing'''\n \ndef test_enumerate_claude_skills_skips_hidden_dirs(tmp_home):\n '''Ignores directories starting with .'''\n \ndef test_enumerate_claude_skills_truncates_description(tmp_home):\n '''Description truncated to 100 chars'''\n \ndef test_enumerate_claude_skills_skips_headers(tmp_home):\n '''First non-header line used as description'''\n```\n\n### Codex Enumeration\n```python\ndef test_enumerate_codex_skills_reads_cache(tmp_home):\n '''Reads from skills-curated-cache.json'''\n \ndef test_enumerate_codex_skills_invalid_json(tmp_home):\n '''Continues without cache if JSON invalid'''\n \ndef test_enumerate_codex_skills_combines_cache_and_user(tmp_home):\n '''Returns both curated and user skills'''\n \ndef test_enumerate_codex_skills_no_deduplication(tmp_home):\n '''Duplicate names from cache and user both appear'''\n```\n\n### Serve Skills\n```python\ndef test_serve_skills_claude_trigger(mock_handler):\n '''Returns / trigger for claude agent'''\n \ndef test_serve_skills_codex_trigger(mock_handler):\n '''Returns $ trigger for codex agent'''\n \ndef test_serve_skills_default_to_claude(mock_handler):\n '''Unknown agent defaults to claude'''\n \ndef test_serve_skills_alphabetical_sort(mock_handler, skills_fixture):\n '''Skills sorted alphabetically (case-insensitive)'''\n```\n\n## Fixtures\n- tmp_home: pytest fixture that sets HOME to temp directory\n- claude_skill: creates a skill directory with SKILL.md\n- mock_handler: SkillsMixin instance with mocked _send_json\n\n## Success Criteria\n- All enumeration paths tested\n- Error handling verified (bad JSON, missing files)\n- Sorting correctness verified\n- Response format validated","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T20:11:15.502753Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:59:33.202383Z","closed_at":"2026-02-26T21:59:33.202340Z","close_reason":"Implemented 46 comprehensive unit tests covering all SkillsMixin methods","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-362","depends_on_id":"bd-30p","type":"blocks","created_at":"2026-02-26T20:11:18.589458Z","created_by":"tayloreernisse"}]} {"id":"bd-3c7","title":"Handle edge case: empty or missing ~/projects/ directory","description":"## Overview\nHandle the case where ~/projects/ doesn't exist or is empty gracefully.\n\n## Background\nNot all users will have ~/projects/ configured. The spawn feature should degrade gracefully:\n- Return empty projects list (not error)\n- Dashboard shows helpful message\n- No crashes or confusing errors\n\n## Server Side\nload_projects_cache() already handles this:\n```python\nexcept OSError:\n _projects_cache = []\n```\n\n## Dashboard Side\nSpawnModal should handle empty projects list:\n1. Projects dropdown is empty\n2. Show message: 'No projects found in ~/projects/'\n3. Spawn button remains disabled (no selection possible)\n\n## Implementation\nIn SpawnModal.js, add condition:\n```javascript\n${projects.length === 0 && !loadingProjects && html`\n

\n No projects found in ~/projects/\n

\n`}\n```\n\n## Edge Cases\n1. ~/projects/ doesn't exist -> empty list\n2. ~/projects/ exists but empty -> empty list\n3. ~/projects/ exists, only hidden dirs -> empty list (they're excluded)\n4. ~/projects/ exists with permission error -> empty list (OSError caught)\n\n## Testing\n1. Temporarily rename ~/projects/\n2. Restart server\n3. Open spawn modal on All Projects\n4. Verify helpful message shown\n5. Verify no crash\n6. Restore ~/projects/\n\n## Success Criteria\n- Server doesn't crash without ~/projects/\n- Dashboard shows informative message\n- No confusing error toasts","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T21:43:13.655184Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:08:26.546217Z","closed_at":"2026-02-26T22:08:26.546165Z","close_reason":"Implemented empty projects edge case: server already handled OSError/missing dir gracefully, added empty-state message to SpawnModal, added tests for missing dir + only-hidden-dirs + empty API responses","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3c7","depends_on_id":"bd-15z","type":"blocks","created_at":"2026-02-26T21:43:16.434386Z","created_by":"tayloreernisse"}]} {"id":"bd-3cc","title":"E2E tests for autocomplete workflow","description":"## Overview\nCreate end-to-end test script that validates the complete autocomplete workflow from typing to insertion.\n\n## Background\nThe plan includes a manual testing checklist (lines 462-480). We should automate key workflows to ensure the feature works end-to-end.\n\n## Test Scenarios (from plan's testing checklist)\n\n### Core Flow\n```\n1. Claude session: Type \"/\" -> dropdown appears with Claude skills\n2. Codex session: Type \"$\" -> dropdown appears with Codex skills\n3. Claude session: Type \"$\" -> nothing happens (wrong trigger)\n4. Type \"/com\" -> list filters to skills containing \"com\"\n5. Mid-message: Type \"please run /commit\" -> autocomplete triggers on \"/\"\n6. Arrow keys navigate, Enter selects\n7. Escape dismisses without selection\n8. Click outside dismisses\n9. Selected skill shows as \"{trigger}skill-name \" in input\n10. Verify alphabetical ordering of skills\n11. Verify vertical scroll with many skills\n```\n\n### Edge Cases (from plan section)\n```\n- Session without skills (dropdown shows \"No skills available\")\n- Single skill (still shows dropdown)\n- Very long skill descriptions (CSS truncates with ellipsis - visual check)\n- Multiple triggers in one message (each \"/\" can trigger independently)\n- Backspace over trigger (dismisses autocomplete)\n```\n\n### Multiple Triggers Test (important edge case)\nUser types: \"first /commit then /review-pr finally\"\n- First \"/\" at position 6 can trigger\n- After inserting \"/commit \", cursor at position 14\n- Second \"/\" at position after text can trigger again\n- Verify each trigger works independently\n\n## Implementation Approach\nUse the Playwright MCP tools to:\n1. Navigate to dashboard\n2. Open a session modal\n3. Type trigger character\n4. Verify dropdown appears\n5. Navigate with arrows\n6. Select with Enter\n7. Verify insertion\n\n## Logging Requirements\n- Log each step being performed\n- Log expected vs actual behavior\n- Log timing for performance visibility\n- Log any errors with context\n\n## Test Script Location\ntests/e2e/test_autocomplete.py or similar\n\n## Success Criteria\n- All core scenarios pass\n- Edge cases handled\n- Detailed logging for debugging\n- Can run in CI environment","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T20:11:47.556903Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:04:06.299931Z","closed_at":"2026-02-26T22:04:06.299744Z","close_reason":"Implemented 50 E2E tests (14 server-side Python, 36 client-side JS) covering: /api/skills endpoint, trigger detection, keyboard navigation, skill insertion, alphabetical ordering, cross-agent isolation, edge cases, and full workflow simulation","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3cc","depends_on_id":"bd-3ny","type":"blocks","created_at":"2026-02-26T20:11:50.670698Z","created_by":"tayloreernisse"}]} {"id":"bd-3eu","title":"Implement Codex skill enumeration","description":"## Overview\nImplement _enumerate_codex_skills() method in SkillsMixin to discover skills from both the curated cache and user directory.\n\n## Background\nCodex stores skills in two locations:\n1. **Curated cache**: ~/.codex/vendor_imports/skills-curated-cache.json (pre-installed skills)\n2. **User skills**: ~/.codex/skills/*/ (user-created or installed)\n\nBoth need to be combined for the full skills list.\n\n## Implementation (from plan IMP-1)\n```python\ndef _enumerate_codex_skills(self):\n skills = []\n \n # 1. Curated skills from cache\n cache_file = Path.home() / '.codex/vendor_imports/skills-curated-cache.json'\n if cache_file.exists():\n try:\n data = json.loads(cache_file.read_text())\n for skill in data.get('skills', []):\n skills.append({\n 'name': skill.get('id', skill.get('name', '')),\n 'description': skill.get('shortDescription', skill.get('description', ''))[:100]\n })\n except (json.JSONDecodeError, OSError):\n pass # Continue without curated skills\n \n # 2. User-installed skills\n user_skills_dir = Path.home() / '.codex/skills'\n if user_skills_dir.exists():\n for skill_dir in user_skills_dir.iterdir():\n if skill_dir.is_dir() and not skill_dir.name.startswith('.'):\n skill_md = skill_dir / 'SKILL.md'\n description = ''\n if skill_md.exists():\n try:\n for line in skill_md.read_text().splitlines():\n line = line.strip()\n if line and not line.startswith('#'):\n description = line[:100]\n break\n except OSError:\n pass\n skills.append({\n 'name': skill_dir.name,\n 'description': description or f'User skill: {skill_dir.name}'\n })\n \n return skills\n```\n\n## Key Decisions\n- **Cache file structure**: Expected format {skills: [{id, shortDescription}, ...]}\n- **Fallback for missing fields**: Use 'name' if 'id' missing, 'description' if 'shortDescription' missing\n- **No deduplication**: If curated and user skills share a name, both appear (per Known Limitations)\n- **Error resilience**: JSON parse errors don't prevent user skills from loading\n\n## Out of Scope (per plan)\n- Duplicate skill names are NOT deduplicated\n- Server-side caching of enumeration results\n\n## Success Criteria\n- Returns combined list from cache + user directory\n- Handles missing files/directories gracefully\n- Truncates descriptions to 100 chars\n- JSON parse errors don't crash enumeration","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:07:58.579276Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:43:21.057360Z","closed_at":"2026-02-26T21:43:21.057312Z","close_reason":"Implemented _enumerate_codex_skills: reads curated cache + user skills directory, handles JSON errors gracefully","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3eu","depends_on_id":"bd-3q1","type":"blocks","created_at":"2026-02-26T20:08:01.832043Z","created_by":"tayloreernisse"}]} {"id":"bd-3g8","title":"Slice 3 Integration: Polish and edge cases complete","description":"## Overview\nFinal integration checkpoint verifying all polish and edge case handling.\n\n## Background\nSlice 3 ensures the feature handles edge cases gracefully and provides a polished UX. This bead verifies:\n- Empty projects handling\n- Visual feedback for new agents\n- Special character support\n- Zellij metadata correctness\n- Warning banners\n\n## Verification Checklist\n\n### 1. Empty Projects Directory\n- [ ] Test with empty ~/projects/\n- [ ] Modal shows 'No projects found' message\n- [ ] No crash or confusing error\n\n### 2. Visual Feedback\n- [ ] Spawn an agent\n- [ ] Watch session cards area\n- [ ] New card has highlight animation\n- [ ] Animation fades after ~2s\n\n### 3. Special Characters\n- [ ] Create test project with hyphen: my-test\n- [ ] Spawn agent for it -> success\n- [ ] Create test project with underscore: my_test\n- [ ] Spawn agent for it -> success\n- [ ] Test with path traversal ../etc -> rejected\n\n### 4. Zellij Metadata\n- [ ] Spawn agent\n- [ ] Check session file: jq '.zellij_session' \n- [ ] Should be 'infra'\n- [ ] Check session file: jq '.zellij_pane'\n- [ ] Should be valid pane ID\n\n### 5. Dashboard Response\n- [ ] Spawn agent\n- [ ] Wait for AskUserQuestion\n- [ ] Submit response via dashboard\n- [ ] Response appears in Zellij pane\n\n### 6. Zellij Unavailable Warning\n- [ ] Stop Zellij session (zellij kill-session infra)\n- [ ] Reload dashboard\n- [ ] Warning banner should appear\n- [ ] Banner text clear and actionable\n- [ ] Start Zellij session\n- [ ] Warning banner disappears\n\n### 7. Projects Cache Refresh\n- [ ] Add new project to ~/projects/\n- [ ] POST /api/projects/refresh\n- [ ] New project appears in dropdown\n\n### 8. Background Refresh\n- [ ] Add project without manual refresh\n- [ ] Wait 5 minutes\n- [ ] Project appears in dropdown\n\n## Full Feature Walkthrough\n1. Start Zellij session 'infra'\n2. Start AMC server\n3. Open dashboard\n4. Select project in sidebar\n5. Click '+ New Agent'\n6. Select 'Claude'\n7. Click 'Spawn'\n8. See success toast\n9. See agent appear in Zellij\n10. See agent card in dashboard (possibly with highlight)\n11. Wait for AskUserQuestion\n12. Submit response\n13. Response appears in agent\n\n## Acceptance Criteria Covered\n- AC-15: Agent appears within 10 seconds\n- AC-16, AC-17: Correct Zellij metadata\n- AC-42: Warning banner\n\n## Success Criteria\nComplete feature works end-to-end with all edge cases handled gracefully.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:45:39.460751Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:18:20.391913Z","closed_at":"2026-02-26T22:18:20.391866Z","close_reason":"All polish and edge cases verified: Empty projects shows friendly message, newlySpawned animation works, path traversal/special chars validated in spawn.py, zellij metadata fully supported, warning banner when Zellij unavailable. Feature complete.","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3g8","depends_on_id":"bd-14p","type":"blocks","created_at":"2026-02-26T21:45:44.875703Z","created_by":"tayloreernisse"},{"issue_id":"bd-3g8","depends_on_id":"bd-2cw","type":"blocks","created_at":"2026-02-26T21:45:44.790681Z","created_by":"tayloreernisse"},{"issue_id":"bd-3g8","depends_on_id":"bd-30o","type":"blocks","created_at":"2026-02-26T21:45:44.962392Z","created_by":"tayloreernisse"},{"issue_id":"bd-3g8","depends_on_id":"bd-3c7","type":"blocks","created_at":"2026-02-26T21:45:44.730490Z","created_by":"tayloreernisse"},{"issue_id":"bd-3g8","depends_on_id":"bd-3ke","type":"blocks","created_at":"2026-02-26T21:45:45.059877Z","created_by":"tayloreernisse"},{"issue_id":"bd-3g8","depends_on_id":"bd-zgt","type":"blocks","created_at":"2026-02-26T21:45:44.592034Z","created_by":"tayloreernisse"}]} {"id":"bd-3ke","title":"Dashboard warning banner when Zellij session unavailable","description":"## Overview\nShow warning banner in dashboard when Zellij session 'infra' is unavailable.\n\n## Background\nPer AC-42, the dashboard should warn users when spawning won't work because the Zellij session doesn't exist. This prevents confusion when spawn attempts fail.\n\n## Implementation\n\n### Health Polling\nAdd periodic health check in App.js:\n```javascript\nconst [zelijAvailable, setZelijAvailable] = useState(true);\n\nuseEffect(() => {\n const checkHealth = async () => {\n try {\n const response = await fetch('/api/health');\n const data = await response.json();\n setZelijAvailable(data.zellij_available);\n } catch {\n // Server unreachable - handled elsewhere\n }\n };\n \n checkHealth();\n const interval = setInterval(checkHealth, 30000); // Check every 30s\n return () => clearInterval(interval);\n}, []);\n```\n\n### Warning Banner\nAdd before main content:\n```javascript\n${!zelijAvailable && html`\n
\n Zellij session 'infra' not found.\n Agent spawning is unavailable. Start Zellij with: zellij attach infra\n
\n`}\n```\n\n### Spawn Button State\nOptionally disable spawn button when Zellij unavailable:\n```javascript\n\n + New Agent\n\n```\n\n## Banner Styling\n- bg-attention/20: Light warning background\n- border-attention/50: Warning border\n- text-attention: Warning text color\n- Positioned above main content (not fixed)\n\n## UX Considerations\n1. Banner doesn't block dashboard usage\n2. Clear actionable message with command to fix\n3. Automatically disappears when Zellij available\n4. Doesn't spam with repeated warnings\n\n## Success Criteria\n- Banner appears when Zellij unavailable\n- Banner disappears when Zellij becomes available\n- Spawn button disabled (optional)\n- Clear instructions to fix","status":"closed","priority":2,"issue_type":"task","created_at":"2026-02-26T21:44:21.824784Z","created_by":"tayloreernisse","updated_at":"2026-02-26T22:09:20.267822Z","closed_at":"2026-02-26T22:09:20.267777Z","close_reason":"Implemented Zellij unavailable warning banner with health polling, spawn button disable, and actionable fix message","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3ke","depends_on_id":"bd-3v5","type":"blocks","created_at":"2026-02-26T21:44:26.508776Z","created_by":"tayloreernisse"}]} {"id":"bd-3ny","title":"Implement click-outside dismissal","description":"## Overview\nAdd useEffect in SimpleInput.js that dismisses the autocomplete dropdown when clicking outside.\n\n## Background\nAC-9 requires clicking outside to dismiss the dropdown. This is a common UX pattern that requires:\n- Event listener on document\n- Check if click target is inside dropdown or textarea\n- Cleanup on unmount\n\n## Implementation (from plan IMP-10)\n```javascript\nuseEffect(() => {\n if (!showAutocomplete) return;\n \n const handleClickOutside = (e) => {\n if (autocompleteRef.current && !autocompleteRef.current.contains(e.target) &&\n textareaRef.current && !textareaRef.current.contains(e.target)) {\n setShowAutocomplete(false);\n }\n };\n \n document.addEventListener('mousedown', handleClickOutside);\n return () => document.removeEventListener('mousedown', handleClickOutside);\n}, [showAutocomplete]);\n```\n\n## Why mousedown (not click)\n- mousedown fires immediately on press\n- click fires after release (feels sluggish)\n- Standard pattern for dropdown dismissal\n\n## What Counts as 'Inside'\n- Inside autocompleteRef (the dropdown)\n- Inside textareaRef (the input)\n- Both should keep dropdown open\n\n## Cleanup\n- Effect only adds listener when dropdown is visible\n- Cleanup removes listener when:\n - Dropdown closes\n - Component unmounts\n - Dependencies change\n\n## Success Criteria\n- Clicking outside dropdown+textarea dismisses\n- Clicking inside dropdown doesn't dismiss (onClick handles selection)\n- Clicking in textarea doesn't dismiss (keeps typing)\n- Listener cleaned up properly","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:10:49.738217Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:54:17.702299Z","closed_at":"2026-02-26T21:54:17.702245Z","close_reason":"Added click-outside dismissal useEffect with mousedown listener","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3ny","depends_on_id":"bd-253","type":"blocks","created_at":"2026-02-26T20:10:52.252341Z","created_by":"tayloreernisse"}]} {"id":"bd-3oo","title":"Add spawn constants to context.py","description":"## Overview\nAdd constants and utilities needed by SpawnMixin to amc_server/context.py.\n\n## Background\nThe spawn feature requires several shared constants and utilities that belong in context.py alongside existing path constants like SESSIONS_DIR. These enable:\n- Locating the projects directory for agent spawning\n- Targeting the correct Zellij session\n- Serializing concurrent spawn requests to prevent race conditions\n- Per-project rate limiting to prevent spam\n- Auth token generation for spawn endpoint security\n\n## Implementation (IMP-0)\nAdd after existing path constants:\n\n```python\nimport secrets\nimport threading\n\n# Projects directory for spawning agents\nPROJECTS_DIR = Path.home() / 'projects'\n\n# Default Zellij session for spawning\nZELLIJ_SESSION = 'infra'\n\n# Lock for serializing spawn operations (prevents Zellij race conditions)\n_spawn_lock = threading.Lock()\n\n# Rate limiting: track last spawn time per project (prevents spam)\n_spawn_timestamps: dict[str, float] = {}\nSPAWN_COOLDOWN_SEC = 10.0\n\n# Auth token for spawn endpoint (AC-37, AC-38)\n# Generated on server start, injected into dashboard HTML\n_auth_token: str = ''\n\n\ndef generate_auth_token():\n \"\"\"Generate a one-time auth token for this server instance.\"\"\"\n global _auth_token\n _auth_token = secrets.token_urlsafe(32)\n return _auth_token\n\n\ndef validate_auth_token(request_token: str) -> bool:\n \"\"\"Validate the Authorization header token.\"\"\"\n return request_token == f'Bearer {_auth_token}'\n\n\ndef start_projects_watcher():\n \"\"\"Start background thread to refresh projects cache every 5 minutes (AC-40).\"\"\"\n import logging\n from amc_server.mixins.spawn import load_projects_cache\n\n def _watch_loop():\n import time\n while True:\n try:\n time.sleep(300) # 5 minutes\n load_projects_cache()\n except Exception:\n logging.exception('Projects cache refresh failed')\n\n thread = threading.Thread(target=_watch_loop, daemon=True)\n thread.start()\n```\n\n## Design Decisions\n- **_spawn_lock**: Process-local threading.Lock is sufficient because AMC is single-process by design. Multi-worker would need file-based locking.\n- **_spawn_timestamps dict**: In-memory dict resets on restart, which is acceptable for rate limiting (no persistence needed).\n- **SPAWN_COOLDOWN_SEC = 10.0**: Prevents accidental spam while allowing reasonable iteration speed.\n- **Auth token**: Single-use per server lifetime prevents CSRF on localhost (defense in depth with localhost binding).\n- **Daemon thread**: Projects watcher exits automatically when main thread exits.\n\n## Acceptance Criteria\n- AC-33: Projects list loaded on server start\n- AC-35, AC-36: Rate limiting infrastructure\n- AC-37: Auth token generation\n- AC-40: Background projects refresh\n\n## Verification\n```python\nfrom amc_server.context import PROJECTS_DIR, ZELLIJ_SESSION, generate_auth_token\nassert PROJECTS_DIR.exists()\nassert ZELLIJ_SESSION == 'infra'\ntoken = generate_auth_token()\nassert len(token) > 20\n```\n\n## Success Criteria\n- All constants importable from context.py\n- generate_auth_token() returns unique token each call\n- validate_auth_token() correctly validates Bearer token format\n- start_projects_watcher() starts daemon thread without error","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T21:39:03.658826Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:58:00.710511Z","closed_at":"2026-02-26T21:58:00.710456Z","close_reason":"Added spawn constants, auth token functions, rate limiting, and projects watcher to context.py. All 302 tests pass.","compaction_level":0,"original_size":0} {"id":"bd-3q1","title":"Create SkillsMixin class for skill enumeration","description":"## Overview\nCreate a new SkillsMixin class in amc_server/mixins/skills.py that handles enumerating available skills for both Claude and Codex agents.\n\n## Background & Rationale\nThe autocomplete feature needs to know what skills are available for each agent type. Skills are agent-global (not session-specific), so we enumerate them from well-known filesystem locations. This follows the existing mixin pattern used throughout the server (HttpMixin, StateMixin, etc.).\n\n## Implementation Details\n- Create new file: amc_server/mixins/skills.py\n- Class: SkillsMixin with methods:\n - _serve_skills(agent: str) -> serves JSON response\n - _enumerate_claude_skills() -> list of {name, description}\n - _enumerate_codex_skills() -> list of {name, description}\n- Sort skills alphabetically by name (case-insensitive)\n- Return JSON: {trigger: '/' or '$', skills: [...]}\n\n## File Locations\n- Claude skills: ~/.claude/skills/*/\n- Codex curated: ~/.codex/vendor_imports/skills-curated-cache.json\n- Codex user: ~/.codex/skills/*/\n\n## Acceptance Criteria (from plan)\n- AC-12: On session open, agent-specific config loaded with trigger + skills\n- AC-13: Claude skills from ~/.claude/skills/\n- AC-14: Codex skills from cache + user directory\n- AC-15: Empty skills list handled gracefully\n\n## Error Handling\n- Directory doesn't exist: return empty list\n- JSON parse error (Codex cache): skip cache, continue with user skills\n- File read error: skip that skill, continue enumeration\n\n## Success Criteria\n- SkillsMixin class exists with all three methods\n- Claude enumeration reads SKILL.md (canonical), falls back to skill.md, prompt.md, README.md\n- Codex enumeration reads curated cache + user skills directory\n- All skills sorted alphabetically\n- Empty directories return empty list (no error)","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-02-26T20:07:30.389323Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:41:09.021625Z","closed_at":"2026-02-26T21:41:09.021577Z","close_reason":"Created SkillsMixin class with _serve_skills orchestrator and stub enumeration methods","compaction_level":0,"original_size":0} {"id":"bd-3s3","title":"Implement trigger detection logic","description":"## Overview\nAdd getTriggerInfo() function in SimpleInput.js that detects when autocomplete should activate.\n\n## Background\nAutocomplete triggers when the agent-specific trigger character (/ for Claude, $ for Codex) appears at:\n1. Position 0 (start of input)\n2. After whitespace (space, newline, tab)\n\nThis enables mid-message skill invocation like \"please run /commit\".\n\n## Acceptance Criteria Covered\n- **AC-1**: Triggers at position 0 or after whitespace\n- **AC-2**: Claude uses /, Codex uses $ (from autocompleteConfig.trigger)\n- **AC-3**: Wrong trigger for agent type is ignored (returns null)\n\n## Implementation (from plan IMP-5)\n```javascript\nconst getTriggerInfo = useCallback((value, cursorPos) => {\n // AC-3: If no config, ignore all triggers\n if (\\!autocompleteConfig) return null;\n \n const { trigger } = autocompleteConfig;\n \n // Find the start of the current \"word\" (after last whitespace before cursor)\n let wordStart = cursorPos;\n while (wordStart > 0 && \\!/\\s/.test(value[wordStart - 1])) {\n wordStart--;\n }\n \n // AC-3: Only match THIS agent's trigger, ignore others\n // Claude session typing \"$\" returns null (no autocomplete)\n // Codex session typing \"/\" returns null (no autocomplete)\n if (value[wordStart] === trigger) {\n return {\n trigger,\n filterText: value.slice(wordStart + 1, cursorPos).toLowerCase(),\n replaceStart: wordStart,\n replaceEnd: cursorPos\n };\n }\n \n return null;\n}, [autocompleteConfig]);\n```\n\n## Return Value\n```typescript\ntype TriggerInfo = {\n trigger: string; // The trigger char (/ or $)\n filterText: string; // Text after trigger for filtering (lowercase)\n replaceStart: number; // Start position for replacement\n replaceEnd: number; // End position for replacement (cursor pos)\n} | null;\n```\n\n## AC-3 Behavior (Wrong Trigger Ignored)\nThe function only checks for `autocompleteConfig.trigger`. If user types a different character:\n- Claude session: \"$\" is just a dollar sign, no autocomplete\n- Codex session: \"/\" is just a slash, no autocomplete\n\nThis is implicit in the implementation - we compare against ONE trigger character only.\n\n## Edge Cases\n- Empty input: wordStart = 0, checks value[0]\n- Mid-word: wordStart finds last whitespace, checks that position\n- Multiple triggers in message: each \"/\" or \"$\" can independently trigger\n- Backspace over trigger: cursorPos moves, wordStart recalculates\n\n## When This Returns null\n1. No autocompleteConfig (not loaded yet)\n2. Cursor not preceded by trigger character\n3. Wrong trigger for this agent type (AC-3)\n\n## Success Criteria\n- Returns TriggerInfo when trigger at valid position\n- Returns null for wrong trigger (AC-3)\n- Returns null when no config\n- filterText is lowercase for case-insensitive matching\n- replaceStart/End correct for skill insertion","status":"closed","priority":1,"issue_type":"task","created_at":"2026-02-26T20:09:15.230355Z","created_by":"tayloreernisse","updated_at":"2026-02-26T21:48:05.753400Z","closed_at":"2026-02-26T21:48:05.753210Z","close_reason":"Added getTriggerInfo callback that detects trigger at position 0 or after whitespace, returns filter info","compaction_level":0,"original_size":0,"dependencies":[{"issue_id":"bd-3s3","depends_on_id":"bd-2n7","type":"blocks","created_at":"2026-02-26T20:09:18.843732Z","created_by":"tayloreernisse"}]} {"id":"bd-3us","title":"Ensure SimpleInput container has relative positioning","description":"## Overview\nVerify/add position: relative to SimpleInput's container for proper dropdown positioning.\n\n## Background\nThe autocomplete dropdown uses absolute positioning with 'bottom-full'. This requires the parent container to have position: relative.\n\n## Implementation\nCheck SimpleInput.js render:\n```javascript\n// The outer wrapper needs position: relative\n
\n