Merge origin/main into feat/cursor-cli

Merges latest main branch changes including: - MCP server support and configuration - Pipeline configuration system - Prompt customization settings - GitHub issue comments in validation - Auth middleware improvements - Various UI/UX improvements All Cursor CLI features preserved: - Multi-provider support (Claude + Cursor) - Model override capabilities - Phase model configuration - Provider tabs in settings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 08:13:37 +00:00 · 2025-12-31 01:22:18 +01:00
parent 853292af45 847a8ff327
commit d539f7e3b7
163 changed files with 15300 additions and 1045 deletions
--- a/apps/server/src/routes/agent/routes/send.ts
+++ b/apps/server/src/routes/agent/routes/send.ts
@@ -19,7 +19,16 @@ export function createSendHandler(agentService: AgentService) {
        model?: string;
      };

+      console.log('[Send Handler] Received request:', {
+        sessionId,
+        messageLength: message?.length,
+        workingDirectory,
+        imageCount: imagePaths?.length || 0,
+        model,
+      });
+
      if (!sessionId || !message) {
+        console.log('[Send Handler] ERROR: Validation failed - missing sessionId or message');
        res.status(400).json({
          success: false,
          error: 'sessionId and message are required',
@@ -27,6 +36,8 @@ export function createSendHandler(agentService: AgentService) {
        return;
      }

+      console.log('[Send Handler] Validation passed, calling agentService.sendMessage()');
+
      // Start the message processing (don't await - it streams via WebSocket)
      agentService
        .sendMessage({
@@ -37,12 +48,16 @@ export function createSendHandler(agentService: AgentService) {
          model,
        })
        .catch((error) => {
+          console.error('[Send Handler] ERROR: Background error in sendMessage():', error);
          logError(error, 'Send message failed (background)');
        });

+      console.log('[Send Handler] Returning immediate response to client');
+
      // Return immediately - responses come via WebSocket
      res.json({ success: true, message: 'Message sent' });
    } catch (error) {
+      console.error('[Send Handler] ERROR: Synchronous error:', error);
      logError(error, 'Send message failed');
      res.status(500).json({ success: false, error: getErrorMessage(error) });
    }
--- a/apps/server/src/routes/auth/index.ts
+++ b/apps/server/src/routes/auth/index.ts
@@ -0,0 +1,247 @@
+/**
+ * Auth routes - Login, logout, and status endpoints
+ *
+ * Security model:
+ * - Web mode: User enters API key (shown on server console) to get HTTP-only session cookie
+ * - Electron mode: Uses X-API-Key header (handled automatically via IPC)
+ *
+ * The session cookie is:
+ * - HTTP-only: JavaScript cannot read it (protects against XSS)
+ * - SameSite=Strict: Only sent for same-site requests (protects against CSRF)
+ *
+ * Mounted at /api/auth in the main server (BEFORE auth middleware).
+ */
+
+import { Router } from 'express';
+import type { Request } from 'express';
+import {
+  validateApiKey,
+  createSession,
+  invalidateSession,
+  getSessionCookieOptions,
+  getSessionCookieName,
+  isRequestAuthenticated,
+  createWsConnectionToken,
+} from '../../lib/auth.js';
+
+// Rate limiting configuration
+const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute window
+const RATE_LIMIT_MAX_ATTEMPTS = 5; // Max 5 attempts per window
+
+// Check if we're in test mode - disable rate limiting for E2E tests
+const isTestMode = process.env.AUTOMAKER_MOCK_AGENT === 'true';
+
+// In-memory rate limit tracking (resets on server restart)
+const loginAttempts = new Map<string, { count: number; windowStart: number }>();
+
+// Clean up old rate limit entries periodically (every 5 minutes)
+setInterval(
+  () => {
+    const now = Date.now();
+    loginAttempts.forEach((data, ip) => {
+      if (now - data.windowStart > RATE_LIMIT_WINDOW_MS * 2) {
+        loginAttempts.delete(ip);
+      }
+    });
+  },
+  5 * 60 * 1000
+);
+
+/**
+ * Get client IP address from request
+ * Handles X-Forwarded-For header for reverse proxy setups
+ */
+function getClientIp(req: Request): string {
+  const forwarded = req.headers['x-forwarded-for'];
+  if (forwarded) {
+    // X-Forwarded-For can be a comma-separated list; take the first (original client)
+    const forwardedIp = Array.isArray(forwarded) ? forwarded[0] : forwarded.split(',')[0];
+    return forwardedIp.trim();
+  }
+  return req.ip || req.socket.remoteAddress || 'unknown';
+}
+
+/**
+ * Check if an IP is rate limited
+ * Returns { limited: boolean, retryAfter?: number }
+ */
+function checkRateLimit(ip: string): { limited: boolean; retryAfter?: number } {
+  const now = Date.now();
+  const attempt = loginAttempts.get(ip);
+
+  if (!attempt) {
+    return { limited: false };
+  }
+
+  // Check if window has expired
+  if (now - attempt.windowStart > RATE_LIMIT_WINDOW_MS) {
+    loginAttempts.delete(ip);
+    return { limited: false };
+  }
+
+  // Check if over limit
+  if (attempt.count >= RATE_LIMIT_MAX_ATTEMPTS) {
+    const retryAfter = Math.ceil((RATE_LIMIT_WINDOW_MS - (now - attempt.windowStart)) / 1000);
+    return { limited: true, retryAfter };
+  }
+
+  return { limited: false };
+}
+
+/**
+ * Record a login attempt for rate limiting
+ */
+function recordLoginAttempt(ip: string): void {
+  const now = Date.now();
+  const attempt = loginAttempts.get(ip);
+
+  if (!attempt || now - attempt.windowStart > RATE_LIMIT_WINDOW_MS) {
+    // Start new window
+    loginAttempts.set(ip, { count: 1, windowStart: now });
+  } else {
+    // Increment existing window
+    attempt.count++;
+  }
+}
+
+/**
+ * Create auth routes
+ *
+ * @returns Express Router with auth endpoints
+ */
+export function createAuthRoutes(): Router {
+  const router = Router();
+
+  /**
+   * GET /api/auth/status
+   *
+   * Returns whether the current request is authenticated.
+   * Used by the UI to determine if login is needed.
+   */
+  router.get('/status', (req, res) => {
+    const authenticated = isRequestAuthenticated(req);
+    res.json({
+      success: true,
+      authenticated,
+      required: true,
+    });
+  });
+
+  /**
+   * POST /api/auth/login
+   *
+   * Validates the API key and sets a session cookie.
+   * Body: { apiKey: string }
+   *
+   * Rate limited to 5 attempts per minute per IP to prevent brute force attacks.
+   */
+  router.post('/login', async (req, res) => {
+    const clientIp = getClientIp(req);
+
+    // Skip rate limiting in test mode to allow parallel E2E tests
+    if (!isTestMode) {
+      // Check rate limit before processing
+      const rateLimit = checkRateLimit(clientIp);
+      if (rateLimit.limited) {
+        res.status(429).json({
+          success: false,
+          error: 'Too many login attempts. Please try again later.',
+          retryAfter: rateLimit.retryAfter,
+        });
+        return;
+      }
+    }
+
+    const { apiKey } = req.body as { apiKey?: string };
+
+    if (!apiKey) {
+      res.status(400).json({
+        success: false,
+        error: 'API key is required.',
+      });
+      return;
+    }
+
+    // Record this attempt (only for actual API key validation attempts, skip in test mode)
+    if (!isTestMode) {
+      recordLoginAttempt(clientIp);
+    }
+
+    if (!validateApiKey(apiKey)) {
+      res.status(401).json({
+        success: false,
+        error: 'Invalid API key.',
+      });
+      return;
+    }
+
+    // Create session and set cookie
+    const sessionToken = await createSession();
+    const cookieOptions = getSessionCookieOptions();
+    const cookieName = getSessionCookieName();
+
+    res.cookie(cookieName, sessionToken, cookieOptions);
+    res.json({
+      success: true,
+      message: 'Logged in successfully.',
+      // Return token for explicit header-based auth (works around cross-origin cookie issues)
+      token: sessionToken,
+    });
+  });
+
+  /**
+   * GET /api/auth/token
+   *
+   * Generates a short-lived WebSocket connection token if the user has a valid session.
+   * This token is used for initial WebSocket handshake authentication and expires in 5 minutes.
+   * The token is NOT the session cookie value - it's a separate, short-lived token.
+   */
+  router.get('/token', (req, res) => {
+    // Validate the session is still valid (via cookie, API key, or session token header)
+    if (!isRequestAuthenticated(req)) {
+      res.status(401).json({
+        success: false,
+        error: 'Authentication required.',
+      });
+      return;
+    }
+
+    // Generate a new short-lived WebSocket connection token
+    const wsToken = createWsConnectionToken();
+
+    res.json({
+      success: true,
+      token: wsToken,
+      expiresIn: 300, // 5 minutes in seconds
+    });
+  });
+
+  /**
+   * POST /api/auth/logout
+   *
+   * Clears the session cookie and invalidates the session.
+   */
+  router.post('/logout', async (req, res) => {
+    const cookieName = getSessionCookieName();
+    const sessionToken = req.cookies?.[cookieName] as string | undefined;
+
+    if (sessionToken) {
+      await invalidateSession(sessionToken);
+    }
+
+    // Clear the cookie
+    res.clearCookie(cookieName, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'strict',
+      path: '/',
+    });
+
+    res.json({
+      success: true,
+      message: 'Logged out successfully.',
+    });
+  });
+
+  return router;
+}
--- a/apps/server/src/routes/backlog-plan/generate-plan.ts
+++ b/apps/server/src/routes/backlog-plan/generate-plan.ts
@@ -13,7 +13,7 @@ import { ProviderFactory } from '../../providers/provider-factory.js';
 import { extractJson } from '../../lib/json-extractor.js';
 import { logger, setRunningState, getErrorMessage } from './common.js';
 import type { SettingsService } from '../../services/settings-service.js';
-import { getAutoLoadClaudeMdSetting } from '../../lib/settings-helpers.js';
+import { getAutoLoadClaudeMdSetting, getPromptCustomization } from '../../lib/settings-helpers.js';

 const featureLoader = new FeatureLoader();

@@ -83,72 +83,17 @@ export async function generateBacklogPlan(
      content: `Loaded ${features.length} features from backlog`,
    });

+    // Load prompts from settings
+    const prompts = await getPromptCustomization(settingsService, '[BacklogPlan]');
+
    // Build the system prompt
-    const systemPrompt = `You are an AI assistant helping to modify a software project's feature backlog.
-You will be given the current list of features and a user request to modify the backlog.
+    const systemPrompt = prompts.backlogPlan.systemPrompt;

-IMPORTANT CONTEXT (automatically injected):
- Remember to update the dependency graph if deleting existing features
- Remember to define dependencies on new features hooked into relevant existing ones
- Maintain dependency graph integrity (no orphaned dependencies)
- When deleting a feature, identify which other features depend on it
-
-Your task is to analyze the request and produce a structured JSON plan with:
-1. Features to ADD (include title, description, category, and dependencies)
-2. Features to UPDATE (specify featureId and the updates)
-3. Features to DELETE (specify featureId)
-4. A summary of the changes
-5. Any dependency updates needed (removed dependencies due to deletions, new dependencies for new features)
-
-Respond with ONLY a JSON object in this exact format:
-\`\`\`json
-{
-  "changes": [
-    {
-      "type": "add",
-      "feature": {
-        "title": "Feature title",
-        "description": "Feature description",
-        "category": "Category name",
-        "dependencies": ["existing-feature-id"],
-        "priority": 1
-      },
-      "reason": "Why this feature should be added"
-    },
-    {
-      "type": "update",
-      "featureId": "existing-feature-id",
-      "feature": {
-        "title": "Updated title"
-      },
-      "reason": "Why this feature should be updated"
-    },
-    {
-      "type": "delete",
-      "featureId": "feature-id-to-delete",
-      "reason": "Why this feature should be deleted"
-    }
-  ],
-  "summary": "Brief overview of all proposed changes",
-  "dependencyUpdates": [
-    {
-      "featureId": "feature-that-depended-on-deleted",
-      "removedDependencies": ["deleted-feature-id"],
-      "addedDependencies": []
-    }
-  ]
-}
-\`\`\``;
-
-    // Build the user prompt
-    const userPrompt = `Current Features in Backlog:
-${formatFeaturesForPrompt(features)}
-
---
-
-User Request: ${prompt}
-
-Please analyze the current backlog and the user's request, then provide a JSON plan for the modifications.`;
+    // Build the user prompt from template
+    const currentFeatures = formatFeaturesForPrompt(features);
+    const userPrompt = prompts.backlogPlan.userPromptTemplate
+      .replace('{{currentFeatures}}', currentFeatures)
+      .replace('{{userRequest}}', prompt);

    events.emit('backlog-plan:event', {
      type: 'backlog_plan_progress',
--- a/apps/server/src/routes/enhance-prompt/index.ts
+++ b/apps/server/src/routes/enhance-prompt/index.ts
@@ -6,17 +6,19 @@
 */

 import { Router } from 'express';
+import type { SettingsService } from '../../services/settings-service.js';
 import { createEnhanceHandler } from './routes/enhance.js';

 /**
 * Create the enhance-prompt router
 *
+ * @param settingsService - Settings service for loading custom prompts
 * @returns Express router with enhance-prompt endpoints
 */
-export function createEnhancePromptRoutes(): Router {
+export function createEnhancePromptRoutes(settingsService?: SettingsService): Router {
  const router = Router();

-  router.post('/', createEnhanceHandler());
+  router.post('/', createEnhanceHandler(settingsService));

  return router;
 }
--- a/apps/server/src/routes/enhance-prompt/routes/enhance.ts
+++ b/apps/server/src/routes/enhance-prompt/routes/enhance.ts
@@ -11,8 +11,9 @@ import { createLogger } from '@automaker/utils';
 import { resolveModelString } from '@automaker/model-resolver';
 import { CLAUDE_MODEL_MAP, isCursorModel } from '@automaker/types';
 import { ProviderFactory } from '../../../providers/provider-factory.js';
+import type { SettingsService } from '../../../services/settings-service.js';
+import { getPromptCustomization } from '../../../lib/settings-helpers.js';
 import {
-  getSystemPrompt,
  buildUserPrompt,
  isValidEnhancementMode,
  type EnhancementMode,
@@ -119,9 +120,12 @@ async function executeWithCursor(prompt: string, model: string): Promise<string>
 /**
 * Create the enhance request handler
 *
+ * @param settingsService - Optional settings service for loading custom prompts
 * @returns Express request handler for text enhancement
 */
-export function createEnhanceHandler(): (req: Request, res: Response) => Promise<void> {
+export function createEnhanceHandler(
+  settingsService?: SettingsService
+): (req: Request, res: Response) => Promise<void> {
  return async (req: Request, res: Response): Promise<void> => {
    try {
      const { originalText, enhancementMode, model } = req.body as EnhanceRequestBody;
@@ -164,8 +168,19 @@ export function createEnhanceHandler(): (req: Request, res: Response) => Promise

      logger.info(`Enhancing text with mode: ${validMode}, length: ${trimmedText.length} chars`);

-      // Get the system prompt for this mode
-      const systemPrompt = getSystemPrompt(validMode);
+      // Load enhancement prompts from settings (merges custom + defaults)
+      const prompts = await getPromptCustomization(settingsService, '[EnhancePrompt]');
+
+      // Get the system prompt for this mode from merged prompts
+      const systemPromptMap: Record<EnhancementMode, string> = {
+        improve: prompts.enhancement.improveSystemPrompt,
+        technical: prompts.enhancement.technicalSystemPrompt,
+        simplify: prompts.enhancement.simplifySystemPrompt,
+        acceptance: prompts.enhancement.acceptanceSystemPrompt,
+      };
+      const systemPrompt = systemPromptMap[validMode];
+
+      logger.debug(`Using ${validMode} system prompt (length: ${systemPrompt.length} chars)`);

      // Build the user prompt with few-shot examples
      // This helps the model understand this is text transformation, not a coding task
--- a/apps/server/src/routes/github/index.ts
+++ b/apps/server/src/routes/github/index.ts
@@ -8,6 +8,7 @@ import { validatePathParams } from '../../middleware/validate-paths.js';
 import { createCheckGitHubRemoteHandler } from './routes/check-github-remote.js';
 import { createListIssuesHandler } from './routes/list-issues.js';
 import { createListPRsHandler } from './routes/list-prs.js';
+import { createListCommentsHandler } from './routes/list-comments.js';
 import { createValidateIssueHandler } from './routes/validate-issue.js';
 import {
  createValidationStatusHandler,
@@ -27,6 +28,7 @@ export function createGitHubRoutes(
  router.post('/check-remote', validatePathParams('projectPath'), createCheckGitHubRemoteHandler());
  router.post('/issues', validatePathParams('projectPath'), createListIssuesHandler());
  router.post('/prs', validatePathParams('projectPath'), createListPRsHandler());
+  router.post('/issue-comments', validatePathParams('projectPath'), createListCommentsHandler());
  router.post(
    '/validate-issue',
    validatePathParams('projectPath'),
--- a/apps/server/src/routes/github/routes/list-comments.ts
+++ b/apps/server/src/routes/github/routes/list-comments.ts
@@ -0,0 +1,212 @@
+/**
+ * POST /issue-comments endpoint - Fetch comments for a GitHub issue
+ */
+
+import { spawn } from 'child_process';
+import type { Request, Response } from 'express';
+import type { GitHubComment, IssueCommentsResult } from '@automaker/types';
+import { execEnv, getErrorMessage, logError } from './common.js';
+import { checkGitHubRemote } from './check-github-remote.js';
+
+interface ListCommentsRequest {
+  projectPath: string;
+  issueNumber: number;
+  cursor?: string;
+}
+
+interface GraphQLComment {
+  id: string;
+  author: {
+    login: string;
+    avatarUrl?: string;
+  } | null;
+  body: string;
+  createdAt: string;
+  updatedAt: string;
+}
+
+interface GraphQLResponse {
+  data?: {
+    repository?: {
+      issue?: {
+        comments: {
+          totalCount: number;
+          pageInfo: {
+            hasNextPage: boolean;
+            endCursor: string | null;
+          };
+          nodes: GraphQLComment[];
+        };
+      };
+    };
+  };
+  errors?: Array<{ message: string }>;
+}
+
+/** Timeout for GitHub API requests in milliseconds */
+const GITHUB_API_TIMEOUT_MS = 30000;
+
+/**
+ * Validate cursor format (GraphQL cursors are typically base64 strings)
+ */
+function isValidCursor(cursor: string): boolean {
+  return /^[A-Za-z0-9+/=]+$/.test(cursor);
+}
+
+/**
+ * Fetch comments for a specific issue using GitHub GraphQL API
+ */
+async function fetchIssueComments(
+  projectPath: string,
+  owner: string,
+  repo: string,
+  issueNumber: number,
+  cursor?: string
+): Promise<IssueCommentsResult> {
+  // Validate cursor format to prevent potential injection
+  if (cursor && !isValidCursor(cursor)) {
+    throw new Error('Invalid cursor format');
+  }
+
+  // Use GraphQL variables instead of string interpolation for safety
+  const query = `
+    query GetIssueComments($owner: String!, $repo: String!, $issueNumber: Int!, $cursor: String) {
+      repository(owner: $owner, name: $repo) {
+        issue(number: $issueNumber) {
+          comments(first: 50, after: $cursor) {
+            totalCount
+            pageInfo {
+              hasNextPage
+              endCursor
+            }
+            nodes {
+              id
+              author {
+                login
+                avatarUrl
+              }
+              body
+              createdAt
+              updatedAt
+            }
+          }
+        }
+      }
+    }`;
+
+  const variables = {
+    owner,
+    repo,
+    issueNumber,
+    cursor: cursor || null,
+  };
+
+  const requestBody = JSON.stringify({ query, variables });
+
+  const response = await new Promise<GraphQLResponse>((resolve, reject) => {
+    const gh = spawn('gh', ['api', 'graphql', '--input', '-'], {
+      cwd: projectPath,
+      env: execEnv,
+    });
+
+    // Add timeout to prevent hanging indefinitely
+    const timeoutId = setTimeout(() => {
+      gh.kill();
+      reject(new Error('GitHub API request timed out'));
+    }, GITHUB_API_TIMEOUT_MS);
+
+    let stdout = '';
+    let stderr = '';
+    gh.stdout.on('data', (data: Buffer) => (stdout += data.toString()));
+    gh.stderr.on('data', (data: Buffer) => (stderr += data.toString()));
+
+    gh.on('close', (code) => {
+      clearTimeout(timeoutId);
+      if (code !== 0) {
+        return reject(new Error(`gh process exited with code ${code}: ${stderr}`));
+      }
+      try {
+        resolve(JSON.parse(stdout));
+      } catch (e) {
+        reject(e);
+      }
+    });
+
+    gh.stdin.write(requestBody);
+    gh.stdin.end();
+  });
+
+  if (response.errors && response.errors.length > 0) {
+    throw new Error(response.errors[0].message);
+  }
+
+  const commentsData = response.data?.repository?.issue?.comments;
+
+  if (!commentsData) {
+    throw new Error('Issue not found or no comments data available');
+  }
+
+  const comments: GitHubComment[] = commentsData.nodes.map((node) => ({
+    id: node.id,
+    author: {
+      login: node.author?.login || 'ghost',
+      avatarUrl: node.author?.avatarUrl,
+    },
+    body: node.body,
+    createdAt: node.createdAt,
+    updatedAt: node.updatedAt,
+  }));
+
+  return {
+    comments,
+    totalCount: commentsData.totalCount,
+    hasNextPage: commentsData.pageInfo.hasNextPage,
+    endCursor: commentsData.pageInfo.endCursor || undefined,
+  };
+}
+
+export function createListCommentsHandler() {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, issueNumber, cursor } = req.body as ListCommentsRequest;
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      if (!issueNumber || typeof issueNumber !== 'number') {
+        res
+          .status(400)
+          .json({ success: false, error: 'issueNumber is required and must be a number' });
+        return;
+      }
+
+      // First check if this is a GitHub repo and get owner/repo
+      const remoteStatus = await checkGitHubRemote(projectPath);
+      if (!remoteStatus.hasGitHubRemote || !remoteStatus.owner || !remoteStatus.repo) {
+        res.status(400).json({
+          success: false,
+          error: 'Project does not have a GitHub remote',
+        });
+        return;
+      }
+
+      const result = await fetchIssueComments(
+        projectPath,
+        remoteStatus.owner,
+        remoteStatus.repo,
+        issueNumber,
+        cursor
+      );
+
+      res.json({
+        success: true,
+        ...result,
+      });
+    } catch (error) {
+      logError(error, `Fetch comments for issue failed`);
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/github/routes/validate-issue.ts
+++ b/apps/server/src/routes/github/routes/validate-issue.ts
@@ -14,6 +14,8 @@ import type {
  IssueValidationEvent,
  ModelAlias,
  CursorModelId,
+  GitHubComment,
+  LinkedPRInfo,
 } from '@automaker/types';
 import { isCursorModel } from '@automaker/types';
 import { createSuggestionsOptions } from '../../../lib/sdk-options.js';
@@ -24,6 +26,8 @@ import {
  issueValidationSchema,
  ISSUE_VALIDATION_SYSTEM_PROMPT,
  buildValidationPrompt,
+  ValidationComment,
+  ValidationLinkedPR,
 } from './validation-schema.js';
 import {
  trySetValidationRunning,
@@ -49,6 +53,10 @@ interface ValidateIssueRequestBody {
  issueLabels?: string[];
  /** Model to use for validation (opus, sonnet, haiku, or cursor model IDs) */
  model?: ModelAlias | CursorModelId;
+  /** Comments to include in validation analysis */
+  comments?: GitHubComment[];
+  /** Linked pull requests for this issue */
+  linkedPRs?: LinkedPRInfo[];
 }

 /**
@@ -67,7 +75,9 @@ async function runValidation(
  model: ModelAlias | CursorModelId,
  events: EventEmitter,
  abortController: AbortController,
-  settingsService?: SettingsService
+  settingsService?: SettingsService,
+  comments?: ValidationComment[],
+  linkedPRs?: ValidationLinkedPR[]
 ): Promise<void> {
  // Emit start event
  const startEvent: IssueValidationEvent = {
@@ -86,8 +96,15 @@ async function runValidation(
  }, VALIDATION_TIMEOUT_MS);

  try {
-    // Build the prompt
-    const prompt = buildValidationPrompt(issueNumber, issueTitle, issueBody, issueLabels);
+    // Build the prompt (include comments and linked PRs if provided)
+    const prompt = buildValidationPrompt(
+      issueNumber,
+      issueTitle,
+      issueBody,
+      issueLabels,
+      comments,
+      linkedPRs
+    );

    let validationResult: IssueValidationResult | null = null;
    let responseText = '';
@@ -218,7 +235,6 @@ ${prompt}`;
    // Require validation result
    if (!validationResult) {
      logger.error('No validation result received from AI provider');
-      logger.debug('Raw response text:', responseText);
      throw new Error('Validation failed: no valid result received');
    }

@@ -284,8 +300,30 @@ export function createValidateIssueHandler(
        issueBody,
        issueLabels,
        model = 'opus',
+        comments: rawComments,
+        linkedPRs: rawLinkedPRs,
      } = req.body as ValidateIssueRequestBody;

+      // Transform GitHubComment[] to ValidationComment[] if provided
+      const validationComments: ValidationComment[] | undefined = rawComments?.map((c) => ({
+        author: c.author?.login || 'ghost',
+        createdAt: c.createdAt,
+        body: c.body,
+      }));
+
+      // Transform LinkedPRInfo[] to ValidationLinkedPR[] if provided
+      const validationLinkedPRs: ValidationLinkedPR[] | undefined = rawLinkedPRs?.map((pr) => ({
+        number: pr.number,
+        title: pr.title,
+        state: pr.state,
+      }));
+
+      logger.info(
+        `[ValidateIssue] Received validation request for issue #${issueNumber}` +
+          (rawComments?.length ? ` with ${rawComments.length} comments` : ' (no comments)') +
+          (rawLinkedPRs?.length ? ` and ${rawLinkedPRs.length} linked PRs` : '')
+      );
+
      // Validate required fields
      if (!projectPath) {
        res.status(400).json({ success: false, error: 'projectPath is required' });
@@ -344,11 +382,12 @@ export function createValidateIssueHandler(
        model,
        events,
        abortController,
-        settingsService
+        settingsService,
+        validationComments,
+        validationLinkedPRs
      )
-        .catch((error) => {
+        .catch(() => {
          // Error is already handled inside runValidation (event emitted)
-          logger.debug('Validation error caught in background handler:', error);
        })
        .finally(() => {
          clearValidationStatus(projectPath, issueNumber);
--- a/apps/server/src/routes/github/routes/validation-schema.ts
+++ b/apps/server/src/routes/github/routes/validation-schema.ts
@@ -49,6 +49,34 @@ export const issueValidationSchema = {
      enum: ['trivial', 'simple', 'moderate', 'complex', 'very_complex'],
      description: 'Estimated effort to address the issue',
    },
+    prAnalysis: {
+      type: 'object',
+      properties: {
+        hasOpenPR: {
+          type: 'boolean',
+          description: 'Whether there is an open PR linked to this issue',
+        },
+        prFixesIssue: {
+          type: 'boolean',
+          description: 'Whether the PR appears to fix the issue based on the diff',
+        },
+        prNumber: {
+          type: 'number',
+          description: 'The PR number that was analyzed',
+        },
+        prSummary: {
+          type: 'string',
+          description: 'Brief summary of what the PR changes',
+        },
+        recommendation: {
+          type: 'string',
+          enum: ['wait_for_merge', 'pr_needs_work', 'no_pr'],
+          description:
+            'Recommendation: wait for PR to merge, PR needs more work, or no relevant PR',
+        },
+      },
+      description: 'Analysis of linked pull requests if any exist',
+    },
  },
  required: ['verdict', 'confidence', 'reasoning'],
  additionalProperties: false,
@@ -67,7 +95,8 @@ Your task is to analyze a GitHub issue and determine if it's valid by scanning t
 1. **Read the issue carefully** - Understand what is being reported or requested
 2. **Search the codebase** - Use Glob to find relevant files by pattern, Grep to search for keywords
 3. **Examine the code** - Use Read to look at the actual implementation in relevant files
-4. **Form your verdict** - Based on your analysis, determine if the issue is valid
+4. **Check linked PRs** - If there are linked pull requests, use \`gh pr diff <PR_NUMBER>\` to review the changes
+5. **Form your verdict** - Based on your analysis, determine if the issue is valid

 ## Verdicts

@@ -88,12 +117,32 @@ Your task is to analyze a GitHub issue and determine if it's valid by scanning t
 - Is the implementation location clear?
 - Is the request technically feasible given the codebase structure?

+## Analyzing Linked Pull Requests
+
+When an issue has linked PRs (especially open ones), you MUST analyze them:
+
+1. **Run \`gh pr diff <PR_NUMBER>\`** to see what changes the PR makes
+2. **Run \`gh pr view <PR_NUMBER>\`** to see PR description and status
+3. **Evaluate if the PR fixes the issue** - Does the diff address the reported problem?
+4. **Provide a recommendation**:
+   - \`wait_for_merge\`: The PR appears to fix the issue correctly. No additional work needed - just wait for it to be merged.
+   - \`pr_needs_work\`: The PR attempts to fix the issue but is incomplete or has problems.
+   - \`no_pr\`: No relevant PR exists for this issue.
+
+5. **Include prAnalysis in your response** with:
+   - hasOpenPR: true/false
+   - prFixesIssue: true/false (based on diff analysis)
+   - prNumber: the PR number you analyzed
+   - prSummary: brief description of what the PR changes
+   - recommendation: one of the above values
+
 ## Response Guidelines

 - **Always include relatedFiles** when you find relevant code
 - **Set bugConfirmed to true** only if you can definitively confirm a bug exists in the code
 - **Provide a suggestedFix** when you have a clear idea of how to address the issue
 - **Use missingInfo** when the verdict is needs_clarification to list what's needed
+- **Include prAnalysis** when there are linked PRs - this is critical for avoiding duplicate work
 - **Set estimatedComplexity** to help prioritize:
  - trivial: Simple text changes, one-line fixes
  - simple: Small changes to one file
@@ -103,6 +152,24 @@ Your task is to analyze a GitHub issue and determine if it's valid by scanning t

 Be thorough in your analysis but focus on files that are directly relevant to the issue.`;

+/**
+ * Comment data structure for validation prompt
+ */
+export interface ValidationComment {
+  author: string;
+  createdAt: string;
+  body: string;
+}
+
+/**
+ * Linked PR data structure for validation prompt
+ */
+export interface ValidationLinkedPR {
+  number: number;
+  title: string;
+  state: string;
+}
+
 /**
 * Build the user prompt for issue validation.
 *
@@ -113,26 +180,60 @@ Be thorough in your analysis but focus on files that are directly relevant to th
 * @param issueTitle - The issue title
 * @param issueBody - The issue body/description
 * @param issueLabels - Optional array of label names
+ * @param comments - Optional array of comments to include in analysis
+ * @param linkedPRs - Optional array of linked pull requests
 * @returns Formatted prompt string for the validation request
 */
 export function buildValidationPrompt(
  issueNumber: number,
  issueTitle: string,
  issueBody: string,
-  issueLabels?: string[]
+  issueLabels?: string[],
+  comments?: ValidationComment[],
+  linkedPRs?: ValidationLinkedPR[]
 ): string {
  const labelsSection = issueLabels?.length ? `\n\n**Labels:** ${issueLabels.join(', ')}` : '';

+  let linkedPRsSection = '';
+  if (linkedPRs && linkedPRs.length > 0) {
+    const prsText = linkedPRs
+      .map((pr) => `- PR #${pr.number} (${pr.state}): ${pr.title}`)
+      .join('\n');
+    linkedPRsSection = `\n\n### Linked Pull Requests\n\n${prsText}`;
+  }
+
+  let commentsSection = '';
+  if (comments && comments.length > 0) {
+    // Limit to most recent 10 comments to control prompt size
+    const recentComments = comments.slice(-10);
+    const commentsText = recentComments
+      .map(
+        (c) => `**${c.author}** (${new Date(c.createdAt).toISOString().slice(0, 10)}):\n${c.body}`
+      )
+      .join('\n\n---\n\n');
+
+    commentsSection = `\n\n### Comments (${comments.length} total${comments.length > 10 ? ', showing last 10' : ''})\n\n${commentsText}`;
+  }
+
+  const hasWorkInProgress =
+    linkedPRs && linkedPRs.some((pr) => pr.state === 'open' || pr.state === 'OPEN');
+  const workInProgressNote = hasWorkInProgress
+    ? '\n\n**Note:** This issue has an open pull request linked. Consider that someone may already be working on a fix.'
+    : '';
+
  return `Please validate the following GitHub issue by analyzing the codebase:

 ## Issue #${issueNumber}: ${issueTitle}
 ${labelsSection}
+${linkedPRsSection}

 ### Description

 ${issueBody || '(No description provided)'}
+${commentsSection}
+${workInProgressNote}

 ---

-Scan the codebase to verify this issue. Look for the files, components, or functionality mentioned. Determine if this issue is valid, invalid, or needs clarification.`;
+Scan the codebase to verify this issue. Look for the files, components, or functionality mentioned. Determine if this issue is valid, invalid, or needs clarification.${comments && comments.length > 0 ? ' Consider the context provided in the comments as well.' : ''}${hasWorkInProgress ? ' Also note in your analysis if there is already work in progress on this issue.' : ''}`;
 }
--- a/apps/server/src/routes/health/index.ts
+++ b/apps/server/src/routes/health/index.ts
@@ -1,16 +1,25 @@
 /**
 * Health check routes
+ *
+ * NOTE: Only the basic health check (/) is unauthenticated.
+ * The /detailed endpoint requires authentication.
 */

 import { Router } from 'express';
 import { createIndexHandler } from './routes/index.js';
-import { createDetailedHandler } from './routes/detailed.js';

+/**
+ * Create unauthenticated health routes (basic check only)
+ * Used by load balancers and container orchestration
+ */
 export function createHealthRoutes(): Router {
  const router = Router();

+  // Basic health check - no sensitive info
  router.get('/', createIndexHandler());
-  router.get('/detailed', createDetailedHandler());

  return router;
 }
+
+// Re-export detailed handler for use in authenticated routes
+export { createDetailedHandler } from './routes/detailed.js';
--- a/apps/server/src/routes/mcp/common.ts
+++ b/apps/server/src/routes/mcp/common.ts
@@ -0,0 +1,20 @@
+/**
+ * Common utilities for MCP routes
+ */
+
+/**
+ * Extract error message from unknown error
+ */
+export function getErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+
+/**
+ * Log error with prefix
+ */
+export function logError(error: unknown, message: string): void {
+  console.error(`[MCP] ${message}:`, error);
+}
--- a/apps/server/src/routes/mcp/index.ts
+++ b/apps/server/src/routes/mcp/index.ts
@@ -0,0 +1,36 @@
+/**
+ * MCP routes - HTTP API for testing MCP servers
+ *
+ * Provides endpoints for:
+ * - Testing MCP server connections
+ * - Listing available tools from MCP servers
+ *
+ * Mounted at /api/mcp in the main server.
+ */
+
+import { Router } from 'express';
+import type { MCPTestService } from '../../services/mcp-test-service.js';
+import { createTestServerHandler } from './routes/test-server.js';
+import { createListToolsHandler } from './routes/list-tools.js';
+
+/**
+ * Create MCP router with all endpoints
+ *
+ * Endpoints:
+ * - POST /test - Test MCP server connection
+ * - POST /tools - List tools from MCP server
+ *
+ * @param mcpTestService - Instance of MCPTestService for testing connections
+ * @returns Express Router configured with all MCP endpoints
+ */
+export function createMCPRoutes(mcpTestService: MCPTestService): Router {
+  const router = Router();
+
+  // Test MCP server connection
+  router.post('/test', createTestServerHandler(mcpTestService));
+
+  // List tools from MCP server
+  router.post('/tools', createListToolsHandler(mcpTestService));
+
+  return router;
+}
--- a/apps/server/src/routes/mcp/routes/list-tools.ts
+++ b/apps/server/src/routes/mcp/routes/list-tools.ts
@@ -0,0 +1,57 @@
+/**
+ * POST /api/mcp/tools - List tools for an MCP server
+ *
+ * Lists available tools for an MCP server.
+ * Similar to test but focused on tool discovery.
+ *
+ * SECURITY: Only accepts serverId to look up saved configs. Does NOT accept
+ * arbitrary serverConfig to prevent drive-by command execution attacks.
+ * Users must explicitly save a server config through the UI before testing.
+ *
+ * Request body:
+ *   { serverId: string } - Get tools by server ID from settings
+ *
+ * Response: { success: boolean, tools?: MCPToolInfo[], error?: string }
+ */
+
+import type { Request, Response } from 'express';
+import type { MCPTestService } from '../../../services/mcp-test-service.js';
+import { getErrorMessage, logError } from '../common.js';
+
+interface ListToolsRequest {
+  serverId: string;
+}
+
+/**
+ * Create handler factory for POST /api/mcp/tools
+ */
+export function createListToolsHandler(mcpTestService: MCPTestService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const body = req.body as ListToolsRequest;
+
+      if (!body.serverId || typeof body.serverId !== 'string') {
+        res.status(400).json({
+          success: false,
+          error: 'serverId is required',
+        });
+        return;
+      }
+
+      const result = await mcpTestService.testServerById(body.serverId);
+
+      // Return only tool-related information
+      res.json({
+        success: result.success,
+        tools: result.tools,
+        error: result.error,
+      });
+    } catch (error) {
+      logError(error, 'List tools failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}
--- a/apps/server/src/routes/mcp/routes/test-server.ts
+++ b/apps/server/src/routes/mcp/routes/test-server.ts
@@ -0,0 +1,50 @@
+/**
+ * POST /api/mcp/test - Test MCP server connection and list tools
+ *
+ * Tests connection to an MCP server and returns available tools.
+ *
+ * SECURITY: Only accepts serverId to look up saved configs. Does NOT accept
+ * arbitrary serverConfig to prevent drive-by command execution attacks.
+ * Users must explicitly save a server config through the UI before testing.
+ *
+ * Request body:
+ *   { serverId: string } - Test server by ID from settings
+ *
+ * Response: { success: boolean, tools?: MCPToolInfo[], error?: string, connectionTime?: number }
+ */
+
+import type { Request, Response } from 'express';
+import type { MCPTestService } from '../../../services/mcp-test-service.js';
+import { getErrorMessage, logError } from '../common.js';
+
+interface TestServerRequest {
+  serverId: string;
+}
+
+/**
+ * Create handler factory for POST /api/mcp/test
+ */
+export function createTestServerHandler(mcpTestService: MCPTestService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const body = req.body as TestServerRequest;
+
+      if (!body.serverId || typeof body.serverId !== 'string') {
+        res.status(400).json({
+          success: false,
+          error: 'serverId is required',
+        });
+        return;
+      }
+
+      const result = await mcpTestService.testServerById(body.serverId);
+      res.json(result);
+    } catch (error) {
+      logError(error, 'Test server failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}
--- a/apps/server/src/routes/pipeline/common.ts
+++ b/apps/server/src/routes/pipeline/common.ts
@@ -0,0 +1,21 @@
+/**
+ * Common utilities for pipeline routes
+ *
+ * Provides logger and error handling utilities shared across all pipeline endpoints.
+ */
+
+import { createLogger } from '@automaker/utils';
+import { getErrorMessage as getErrorMessageShared, createLogError } from '../common.js';
+
+/** Logger instance for pipeline-related operations */
+export const logger = createLogger('Pipeline');
+
+/**
+ * Extract user-friendly error message from error objects
+ */
+export { getErrorMessageShared as getErrorMessage };
+
+/**
+ * Log error with automatic logger binding
+ */
+export const logError = createLogError(logger);
--- a/apps/server/src/routes/pipeline/index.ts
+++ b/apps/server/src/routes/pipeline/index.ts
@@ -0,0 +1,77 @@
+/**
+ * Pipeline routes - HTTP API for pipeline configuration management
+ *
+ * Provides endpoints for:
+ * - Getting pipeline configuration
+ * - Saving pipeline configuration
+ * - Adding, updating, deleting, and reordering pipeline steps
+ *
+ * All endpoints use handler factories that receive the PipelineService instance.
+ * Mounted at /api/pipeline in the main server.
+ */
+
+import { Router } from 'express';
+import type { PipelineService } from '../../services/pipeline-service.js';
+import { validatePathParams } from '../../middleware/validate-paths.js';
+import { createGetConfigHandler } from './routes/get-config.js';
+import { createSaveConfigHandler } from './routes/save-config.js';
+import { createAddStepHandler } from './routes/add-step.js';
+import { createUpdateStepHandler } from './routes/update-step.js';
+import { createDeleteStepHandler } from './routes/delete-step.js';
+import { createReorderStepsHandler } from './routes/reorder-steps.js';
+
+/**
+ * Create pipeline router with all endpoints
+ *
+ * Endpoints:
+ * - POST /config - Get pipeline configuration
+ * - POST /config/save - Save entire pipeline configuration
+ * - POST /steps/add - Add a new pipeline step
+ * - POST /steps/update - Update an existing pipeline step
+ * - POST /steps/delete - Delete a pipeline step
+ * - POST /steps/reorder - Reorder pipeline steps
+ *
+ * @param pipelineService - Instance of PipelineService for file I/O
+ * @returns Express Router configured with all pipeline endpoints
+ */
+export function createPipelineRoutes(pipelineService: PipelineService): Router {
+  const router = Router();
+
+  // Get pipeline configuration
+  router.post(
+    '/config',
+    validatePathParams('projectPath'),
+    createGetConfigHandler(pipelineService)
+  );
+
+  // Save entire pipeline configuration
+  router.post(
+    '/config/save',
+    validatePathParams('projectPath'),
+    createSaveConfigHandler(pipelineService)
+  );
+
+  // Pipeline step operations
+  router.post(
+    '/steps/add',
+    validatePathParams('projectPath'),
+    createAddStepHandler(pipelineService)
+  );
+  router.post(
+    '/steps/update',
+    validatePathParams('projectPath'),
+    createUpdateStepHandler(pipelineService)
+  );
+  router.post(
+    '/steps/delete',
+    validatePathParams('projectPath'),
+    createDeleteStepHandler(pipelineService)
+  );
+  router.post(
+    '/steps/reorder',
+    validatePathParams('projectPath'),
+    createReorderStepsHandler(pipelineService)
+  );
+
+  return router;
+}
--- a/apps/server/src/routes/pipeline/routes/add-step.ts
+++ b/apps/server/src/routes/pipeline/routes/add-step.ts
@@ -0,0 +1,54 @@
+/**
+ * POST /api/pipeline/steps/add - Add a new pipeline step
+ *
+ * Adds a new step to the pipeline configuration.
+ *
+ * Request body: { projectPath: string, step: { name, order, instructions, colorClass } }
+ * Response: { success: true, step: PipelineStep }
+ */
+
+import type { Request, Response } from 'express';
+import type { PipelineService } from '../../../services/pipeline-service.js';
+import type { PipelineStep } from '@automaker/types';
+import { getErrorMessage, logError } from '../common.js';
+
+export function createAddStepHandler(pipelineService: PipelineService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, step } = req.body as {
+        projectPath: string;
+        step: Omit<PipelineStep, 'id' | 'createdAt' | 'updatedAt'>;
+      };
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      if (!step) {
+        res.status(400).json({ success: false, error: 'step is required' });
+        return;
+      }
+
+      if (!step.name) {
+        res.status(400).json({ success: false, error: 'step.name is required' });
+        return;
+      }
+
+      if (step.instructions === undefined) {
+        res.status(400).json({ success: false, error: 'step.instructions is required' });
+        return;
+      }
+
+      const newStep = await pipelineService.addStep(projectPath, step);
+
+      res.json({
+        success: true,
+        step: newStep,
+      });
+    } catch (error) {
+      logError(error, 'Add pipeline step failed');
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/pipeline/routes/delete-step.ts
+++ b/apps/server/src/routes/pipeline/routes/delete-step.ts
@@ -0,0 +1,42 @@
+/**
+ * POST /api/pipeline/steps/delete - Delete a pipeline step
+ *
+ * Removes a step from the pipeline configuration.
+ *
+ * Request body: { projectPath: string, stepId: string }
+ * Response: { success: true }
+ */
+
+import type { Request, Response } from 'express';
+import type { PipelineService } from '../../../services/pipeline-service.js';
+import { getErrorMessage, logError } from '../common.js';
+
+export function createDeleteStepHandler(pipelineService: PipelineService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, stepId } = req.body as {
+        projectPath: string;
+        stepId: string;
+      };
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      if (!stepId) {
+        res.status(400).json({ success: false, error: 'stepId is required' });
+        return;
+      }
+
+      await pipelineService.deleteStep(projectPath, stepId);
+
+      res.json({
+        success: true,
+      });
+    } catch (error) {
+      logError(error, 'Delete pipeline step failed');
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/pipeline/routes/get-config.ts
+++ b/apps/server/src/routes/pipeline/routes/get-config.ts
@@ -0,0 +1,35 @@
+/**
+ * POST /api/pipeline/config - Get pipeline configuration
+ *
+ * Returns the pipeline configuration for a project.
+ *
+ * Request body: { projectPath: string }
+ * Response: { success: true, config: PipelineConfig }
+ */
+
+import type { Request, Response } from 'express';
+import type { PipelineService } from '../../../services/pipeline-service.js';
+import { getErrorMessage, logError } from '../common.js';
+
+export function createGetConfigHandler(pipelineService: PipelineService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath } = req.body;
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      const config = await pipelineService.getPipelineConfig(projectPath);
+
+      res.json({
+        success: true,
+        config,
+      });
+    } catch (error) {
+      logError(error, 'Get pipeline config failed');
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/pipeline/routes/reorder-steps.ts
+++ b/apps/server/src/routes/pipeline/routes/reorder-steps.ts
@@ -0,0 +1,42 @@
+/**
+ * POST /api/pipeline/steps/reorder - Reorder pipeline steps
+ *
+ * Reorders the steps in the pipeline configuration.
+ *
+ * Request body: { projectPath: string, stepIds: string[] }
+ * Response: { success: true }
+ */
+
+import type { Request, Response } from 'express';
+import type { PipelineService } from '../../../services/pipeline-service.js';
+import { getErrorMessage, logError } from '../common.js';
+
+export function createReorderStepsHandler(pipelineService: PipelineService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, stepIds } = req.body as {
+        projectPath: string;
+        stepIds: string[];
+      };
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      if (!stepIds || !Array.isArray(stepIds)) {
+        res.status(400).json({ success: false, error: 'stepIds array is required' });
+        return;
+      }
+
+      await pipelineService.reorderSteps(projectPath, stepIds);
+
+      res.json({
+        success: true,
+      });
+    } catch (error) {
+      logError(error, 'Reorder pipeline steps failed');
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/pipeline/routes/save-config.ts
+++ b/apps/server/src/routes/pipeline/routes/save-config.ts
@@ -0,0 +1,43 @@
+/**
+ * POST /api/pipeline/config/save - Save entire pipeline configuration
+ *
+ * Saves the complete pipeline configuration for a project.
+ *
+ * Request body: { projectPath: string, config: PipelineConfig }
+ * Response: { success: true }
+ */
+
+import type { Request, Response } from 'express';
+import type { PipelineService } from '../../../services/pipeline-service.js';
+import type { PipelineConfig } from '@automaker/types';
+import { getErrorMessage, logError } from '../common.js';
+
+export function createSaveConfigHandler(pipelineService: PipelineService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, config } = req.body as {
+        projectPath: string;
+        config: PipelineConfig;
+      };
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      if (!config) {
+        res.status(400).json({ success: false, error: 'config is required' });
+        return;
+      }
+
+      await pipelineService.savePipelineConfig(projectPath, config);
+
+      res.json({
+        success: true,
+      });
+    } catch (error) {
+      logError(error, 'Save pipeline config failed');
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/pipeline/routes/update-step.ts
+++ b/apps/server/src/routes/pipeline/routes/update-step.ts
@@ -0,0 +1,50 @@
+/**
+ * POST /api/pipeline/steps/update - Update an existing pipeline step
+ *
+ * Updates a step in the pipeline configuration.
+ *
+ * Request body: { projectPath: string, stepId: string, updates: Partial<PipelineStep> }
+ * Response: { success: true, step: PipelineStep }
+ */
+
+import type { Request, Response } from 'express';
+import type { PipelineService } from '../../../services/pipeline-service.js';
+import type { PipelineStep } from '@automaker/types';
+import { getErrorMessage, logError } from '../common.js';
+
+export function createUpdateStepHandler(pipelineService: PipelineService) {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, stepId, updates } = req.body as {
+        projectPath: string;
+        stepId: string;
+        updates: Partial<Omit<PipelineStep, 'id' | 'createdAt'>>;
+      };
+
+      if (!projectPath) {
+        res.status(400).json({ success: false, error: 'projectPath is required' });
+        return;
+      }
+
+      if (!stepId) {
+        res.status(400).json({ success: false, error: 'stepId is required' });
+        return;
+      }
+
+      if (!updates || Object.keys(updates).length === 0) {
+        res.status(400).json({ success: false, error: 'updates is required' });
+        return;
+      }
+
+      const updatedStep = await pipelineService.updateStep(projectPath, stepId, updates);
+
+      res.json({
+        success: true,
+        step: updatedStep,
+      });
+    } catch (error) {
+      logError(error, 'Update pipeline step failed');
+      res.status(500).json({ success: false, error: getErrorMessage(error) });
+    }
+  };
+}
--- a/apps/server/src/routes/running-agents/routes/index.ts
+++ b/apps/server/src/routes/running-agents/routes/index.ts
@@ -9,8 +9,7 @@ import { getErrorMessage, logError } from '../common.js';
 export function createIndexHandler(autoModeService: AutoModeService) {
  return async (_req: Request, res: Response): Promise<void> => {
    try {
-      const runningAgents = autoModeService.getRunningAgents();
-      const status = autoModeService.getStatus();
+      const runningAgents = await autoModeService.getRunningAgents();

      res.json({
        success: true,
--- a/apps/server/src/routes/setup/routes/gh-status.ts
+++ b/apps/server/src/routes/setup/routes/gh-status.ts
@@ -94,23 +94,37 @@ async function getGhStatus(): Promise<GhStatus> {
    // Version command failed
  }

-  // Check authentication status
+  // Check authentication status by actually making an API call
+  // gh auth status can return non-zero even when GH_TOKEN is valid
+  let apiCallSucceeded = false;
  try {
-    const { stdout } = await execAsync('gh auth status', { env: execEnv });
-    // If this succeeds without error, we're authenticated
-    status.authenticated = true;
-
-    // Try to extract username from output
-    const userMatch =
-      stdout.match(/Logged in to [^\s]+ account ([^\s]+)/i) ||
-      stdout.match(/Logged in to [^\s]+ as ([^\s]+)/i);
-    if (userMatch) {
-      status.user = userMatch[1];
+    const { stdout } = await execAsync('gh api user --jq ".login"', { env: execEnv });
+    const user = stdout.trim();
+    if (user) {
+      status.authenticated = true;
+      status.user = user;
+      apiCallSucceeded = true;
    }
-  } catch (error: unknown) {
-    // Auth status returns non-zero if not authenticated
-    const err = error as { stderr?: string };
-    if (err.stderr?.includes('not logged in')) {
+    // If stdout is empty, fall through to gh auth status fallback
+  } catch {
+    // API call failed - fall through to gh auth status fallback
+  }
+
+  // Fallback: try gh auth status if API call didn't succeed
+  if (!apiCallSucceeded) {
+    try {
+      const { stdout } = await execAsync('gh auth status', { env: execEnv });
+      status.authenticated = true;
+
+      // Try to extract username from output
+      const userMatch =
+        stdout.match(/Logged in to [^\s]+ account ([^\s]+)/i) ||
+        stdout.match(/Logged in to [^\s]+ as ([^\s]+)/i);
+      if (userMatch) {
+        status.user = userMatch[1];
+      }
+    } catch {
+      // Auth status returns non-zero if not authenticated
      status.authenticated = false;
    }
  }