beadboard/src/app/api/sessions/route.ts

import { NextResponse } from 'next/server';
import { readIssuesFromDisk } from '../../../lib/read-issues';
import { activityEventBus } from '../../../lib/realtime';
import { buildSessionTaskFeed, getCommunicationSummary } from '../../../lib/agent-sessions';

function isValidProjectRoot(root: string): boolean {
  // Basic validation: path should not contain traversal patterns
  // and should resolve to an absolute path
  try {
    const resolved = require('path').resolve(root);
    return require('path').isAbsolute(resolved);
  } catch {
    return false;
  }
}

export const dynamic = 'force-dynamic';

export async function GET(request: Request): Promise<Response> {
  const url = new URL(request.url);
  const projectRootParam = url.searchParams.get('projectRoot');
  const projectRoot = projectRootParam ?? process.cwd();

  if (projectRootParam && !isValidProjectRoot(projectRoot)) {
    return NextResponse.json(
      { ok: false, error: { classification: 'validation', message: 'Invalid projectRoot path' } },
      { status: 400 }
    );
  }

  try {
    const issues = await readIssuesFromDisk({ projectRoot, preferBd: true });
    const activity = activityEventBus.getHistory(projectRoot);
    const communication = await getCommunicationSummary();

    const feed = buildSessionTaskFeed(issues, activity, communication);

    return NextResponse.json({ ok: true, feed });
  } catch (error) {
    console.error('[API/Sessions] Failed to load session feed:', error);
    return NextResponse.json(
      {
        ok: false,
        error: {
          classification: 'unknown',
          message: error instanceof Error ? error.message : 'Failed to load session feed.',
        },
      },
      { status: 500 },
    );
  }
}
feat(ui): deliver Social-Dense Agent Sessions Hub This is our biggest UX pivot of the project. We abandoned the 'Page' model for a 'Command Workspace'. Triumphs: - Reclaimed 40% of previously wasted screen real-estate by moving to an auto-filling multi-column grid matrix. - Built the 'Command Deck'—a high-density header that provides real-time agent presence monitoring at a glance. - Implemented 'Social Post' cards that map technical protocols to human verbs (e.g., 'Falcon passed mission to Operative-B'), making the audit trail readable for humans. - Engineered 'Silent Refresh' logic: the feed now appends new activity and comments smoothly without disruptive UI resets or scroll jumps. Raw Honest Moment: The original card-based social feed was a failure. It was beautiful in isolation but useless for actual supervision. We had to be honest about the horizontal bloat and rebuild the entire layout foundation from scratch using rem-based fluid units to satisfy the 'War Room' requirement. 2026-02-14 00:20:41 -08:00			`import { NextResponse } from 'next/server';`
			`import { readIssuesFromDisk } from '../../../lib/read-issues';`
			`import { activityEventBus } from '../../../lib/realtime';`
			`import { buildSessionTaskFeed, getCommunicationSummary } from '../../../lib/agent-sessions';`

fix: address Qodo code review findings - Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 08:43:04 +00:00			`function isValidProjectRoot(root: string): boolean {`
			`// Basic validation: path should not contain traversal patterns`
			`// and should resolve to an absolute path`
			`try {`
			`const resolved = require('path').resolve(root);`
			`return require('path').isAbsolute(resolved);`
			`} catch {`
			`return false;`
			`}`
			`}`

feat(ui): deliver Social-Dense Agent Sessions Hub This is our biggest UX pivot of the project. We abandoned the 'Page' model for a 'Command Workspace'. Triumphs: - Reclaimed 40% of previously wasted screen real-estate by moving to an auto-filling multi-column grid matrix. - Built the 'Command Deck'—a high-density header that provides real-time agent presence monitoring at a glance. - Implemented 'Social Post' cards that map technical protocols to human verbs (e.g., 'Falcon passed mission to Operative-B'), making the audit trail readable for humans. - Engineered 'Silent Refresh' logic: the feed now appends new activity and comments smoothly without disruptive UI resets or scroll jumps. Raw Honest Moment: The original card-based social feed was a failure. It was beautiful in isolation but useless for actual supervision. We had to be honest about the horizontal bloat and rebuild the entire layout foundation from scratch using rem-based fluid units to satisfy the 'War Room' requirement. 2026-02-14 00:20:41 -08:00			`export const dynamic = 'force-dynamic';`

			`export async function GET(request: Request): Promise<Response> {`
			`const url = new URL(request.url);`
fix: address Qodo code review findings - Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 08:43:04 +00:00			`const projectRootParam = url.searchParams.get('projectRoot');`
			`const projectRoot = projectRootParam ?? process.cwd();`

			`if (projectRootParam && !isValidProjectRoot(projectRoot)) {`
			`return NextResponse.json(`
			`{ ok: false, error: { classification: 'validation', message: 'Invalid projectRoot path' } },`
			`{ status: 400 }`
			`);`
			`}`
feat(ui): deliver Social-Dense Agent Sessions Hub This is our biggest UX pivot of the project. We abandoned the 'Page' model for a 'Command Workspace'. Triumphs: - Reclaimed 40% of previously wasted screen real-estate by moving to an auto-filling multi-column grid matrix. - Built the 'Command Deck'—a high-density header that provides real-time agent presence monitoring at a glance. - Implemented 'Social Post' cards that map technical protocols to human verbs (e.g., 'Falcon passed mission to Operative-B'), making the audit trail readable for humans. - Engineered 'Silent Refresh' logic: the feed now appends new activity and comments smoothly without disruptive UI resets or scroll jumps. Raw Honest Moment: The original card-based social feed was a failure. It was beautiful in isolation but useless for actual supervision. We had to be honest about the horizontal bloat and rebuild the entire layout foundation from scratch using rem-based fluid units to satisfy the 'War Room' requirement. 2026-02-14 00:20:41 -08:00
			`try {`
			`const issues = await readIssuesFromDisk({ projectRoot, preferBd: true });`
			`const activity = activityEventBus.getHistory(projectRoot);`
			`const communication = await getCommunicationSummary();`

			`const feed = buildSessionTaskFeed(issues, activity, communication);`

			`return NextResponse.json({ ok: true, feed });`
			`} catch (error) {`
			`console.error('[API/Sessions] Failed to load session feed:', error);`
			`return NextResponse.json(`
			`{`
			`ok: false,`
			`error: {`
			`classification: 'unknown',`
			`message: error instanceof Error ? error.message : 'Failed to load session feed.',`
			`},`
			`},`
			`{ status: 500 },`
			`);`
			`}`
			`}`